def deleteTask(types):
types = int(types)
sql_0 = "SELECT target_id FROM target_vulns_stats " #查询有发现任何漏洞的扫描
sql_1 = "SELECT target_id FROM target_vulns_stats where vuln_stats[1]!=0 " #查询所有发现高危的扫描任务
sql_2 = "SELECT target_id FROM target_vulns_stats where vuln_stats[1]=0 and vuln_stats[2]!=0 " #查询高危以下漏洞(不包括高危)
sql_3 = "SELECT target_id FROM target_vulns_stats where vuln_stats[1]=0 and vuln_stats[2]=0 and vuln_stats[2]=0 " #查询中危以下漏洞(不包括中危)
sql = "SELECT address, target_id FROM targets where target_id " #查询url和target_id
sql1 = sql + " not in ({sql_0});".format(sql_0=sql_0) #查询没有发现任何漏洞的扫描
sql2 = sql + " not in ({sql_0})".format(
sql_0=sql_0) + " union " + sql + "in ({sql_3});".format(
sql_3=sql_3) #查询没有发现任何漏洞或者仅仅发现低危漏洞的扫描
sql3 = sql + " not in ({sql_0})".format(
sql_0=sql_0) + " union " + sql + "in ({sql_2});".format(
sql_2=sql_2) #查询没有发现任何漏洞或者仅仅发现中危及以下漏洞的扫描
sql4 = "SELECT address, target_id FROM targets;" #查询所有的url和target_id
global taskInfo, scan_speed, url_awvs
#task_list = tool.content2List(add) #读取存放任务URL和ID的txt文件
#url = "https://49.234.98.25:13443/api/v1/targets/065a2018-293b-4792-b9d8-fbd511b56402"
task_url_id = []
if types == 1:
task_url_id = excuteSQL(sql1)
elif types == 2:
task_url_id = excuteSQL(sql2)
elif types == 3:
task_url_id = excuteSQL(sql3)
elif types == 4:
task_url_id = excuteSQL(sql4)
for task in task_url_id: #数据库中查询URL和ID结果保存在一个数组之中
address = task[0]
id = task[1]
url = host_awvs + str("api/v1/targets/") + str(id)
try:
res = requests.delete(url=url, headers=header_awvs, verify=False)
if 200 == int(res.status_code):
tool.print2sheet(15, address, "URL", 18, id, "ID", 20,
"目标URL已经成功删除!", "Status")
else:
tool.print2sheet(15,
address,
"URL",
18,
id,
"ID",
20,
"目标URL未能成功删除或者已经删除,请手工检查原因!",
"Status",
color='red')
pass
except:
tool.print2sheet(15,
address,
"URL",
18,
id,
"ID",
20,
"目标URL未能成功删除或者已经删除,请手工检查原因!",
"Status",
color='red')
pass
def start_scan(address, level, start_date, speed):
start_time = start_date
# day = time.strftime("%Y-%m-%d",time.localtime()) #类似2019-01-02的时间格式
# s = start_time.split("T")
# s = s[1]
#start_time = " " + str(day) + " " + str(s[0]) + str(s[1]) + str(":") + str(s[2]) + str(s[3]) + str(":") + str(s[4]) + str(s[5]) #转化为标准时间格式 2019-09-01 12:12:11
start_time = awvs2standardTime(start_time) #转化为标准时间格式 2019-09-01 12:12:11
start_time = str(start_time["year"]) + "-" + str(
start_time["month"]) + "-" + str(start_time["day"]) + " " + str(
start_time["hour"]) + ":" + str(start_time["minute"]) + ":" + str(
start_time["second"])
speed_show = scan_speed[speed] #输入的时候是简称,但是显示的时候显全称
level_show = profile_show[level] #输入的时候是简称,但是显示的时候是全称
try:
current_time = time.strftime("%X", time.localtime())
target_id = taskInfo[
address] #此时的target_id是添加任务时的target_id,并不是最终的target_id,但是需要target_id获取最终的target_id
profile_id = profile[level]
url_awvs = str(host_awvs) + "/api/v1/scans" #设定2019-07-12 17-20点开始
data = {
"target_id": target_id,
"profile_id": profile_id,
"schedule": {
"disable": False,
"start_date": start_date,
"time_sensitive": True
}
}
data = json.dumps(data) #
res = requests.post(url=url_awvs,
data=data,
headers=header_awvs,
verify=False)
target_id = res.json()["target_id"] #此时的target_id是最终的target_id,
if add_tasks(address, address, 10, speed) == True: #判断是否添加任务成功
tool.print2sheet(15, address, "URL", 6, start_time, "Start Time",
7, level_show, "Profile", 2, speed_show, "Speed",
20, target_id, "ID")
else:
tool.print2sheet(15,
address,
"URL",
6,
start_time,
"Start Time",
7,
level_show,
"Profile",
2,
speed_show,
"Speed",
20,
"目标URL未能成功添加进AWVS扫描器中,请手工检查原因",
"ID",
color="red")
# msg = "[{current_time}] {address} 成功开始扫描!".format(current_time=current_time,address=address)
# print(msg)
except Exception as e:
tool.print2sheet(15,
address,
"URL",
6,
start_time,
"Start Time",
7,
level_show,
"Profile",
2,
speed_show,
"Speed",
20,
"目标URL未能成功添加进AWVS扫描器中,请手工检查原因",
"ID",
color="red")
def get_src_name(url,page):
index = page.split("-")
index1 = int(index[0]) #抓取开始页
index2 = int(index[1]) #抓取结束页
#获取company_name和company_id时的请求头
headers={
"Accept":"application/json, text/javascript, */*; q=0.01",
'Accept-Encoding': 'gzip,deflate',
"Accept-Language":"zh-CN,zh;q=0.9",
"Connection":"keep-alive",
"Content-Length":"14",
"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8",
"Cookie":"__guid=66782632.3287965366713424400.1557370637004.574; btlc_ba52447ea424004a7da412b344e5e41a=6a5e25bf5c72acfece861fc7be289c9993d9b5da0cb4589e46af2333e47e91c0; PHPSESSID=8okmbhj4elrs2kc3o4c15n9hc3; __DC_monitor_count=31; __DC_sid=66782632.2355515763036458500.1563936908835.0845; __q__=1563936909201; __DC_gid=66782632.539342110.1557370637005.1563936912059.173",
"Host":"www.butian.net",
"Origin":"https://www.butian.net",
"Referer":"https://www.butian.net/Reward/plan",
"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36",
"X-Requested-With":"XMLHttpRequest"}
#请求https://www.butian.net/Loo/submit?cid=62111时的请求头
headers_company_url ={
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3",
"Accept-Encoding" : "gzip, deflate, br",
"Accept-Language" : "zh-CN,zh;q=0.9",
"Cache-Control" : "max-age=0",
"Connection" : "keep-alive",
"Cookie" : "__guid=66782632.3287965366713424400.1557370637004.574; btlc_ba52447ea424004a7da412b344e5e41a=6a5e25bf5c72acfece861fc7be289c9993d9b5da0cb4589e46af2333e47e91c0; PHPSESSID=8okmbhj4elrs2kc3o4c15n9hc3; __DC_monitor_count=31; __DC_sid=66782632.2355515763036458500.1563936908835.0845; __q__=1563936909201; __DC_gid=66782632.539342110.1557370637005.1563936912059.173",
"Host" : "www.butian.net",
"Upgrade-Insecure-Requests": "1",
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36"
}
try:
# for p in range(1,int(page)+1):
for p in range(index1,index2+1):
sleep_time1 = random.uniform(1.1,3.4) # 停止请求几秒钟,防止被禁止ip
data = {"s":1,"p":p}
res = requests.post(url=url,data=data,headers=headers)#请求获取cid和名字
content = res.content
# print(type(content))
# print(content)
content=json.loads(content)
msg1="++++++++++++++++++++++++++++++++++第{p}页++++++++++++++++++++++++++++++++++++++++++".format(p=p)
title1 = "Website"
t1_len = 15
title2 = "ID"
t2_len = 2
title3 = "Name"
t3_len = 15
printc.printf(msg1,'yellow')
tool.setSheetTitle(t1_len,title1,t2_len,title2,t3_len,title3) # 打印标题
for i in content['data']["list"]:
company_id = i["company_id"]
company_name = i["company_name"]
try:
url2 = "https://www.butian.net/Loo/submit?cid={company_id}".format(company_id=company_id)
res2 = requests.get(url=url2,headers=headers_company_url)
p = "value=\"((http://|https://|www.|[a-z]+)[.\w-]+\.[a-z]+)\""
company_url = re.findall(p,str(res2.text),re.S)[0][0]
sleep_time2 = random.uniform(1.1,3.2) # 停止请求几秒钟,防止被禁止ip
time.sleep(sleep_time2)
except :
msg = "[-] {url2} 请求失败!请检查原因".format(url2=url2)
printc.printf(msg,'red')
pass
#line0 = tool.setStr2SameLen(8,""," ") + str("企业名字") + tool.setStr2SameLen(8,""," ") + str("|") + tool.setStr2SameLen(8,""," ") + str("企业网站") + tool.setStr2SameLen(8,""," ")
t1 = company_url
t2 = company_id
t3 = company_name
tool.print2sheet(t1_len,t1,title1,t2_len,t2,title2,t3_len,t3,title3)
#title1 = tool.setStr2SameLen(8,"","-")
# msg = "名字:"+str(i["company_name"])+" 公司ID:"+str(i["company_id"]+" 公司网址:"+str(company_url))
# printc.printf(msg,'green')
time.sleep(sleep_time1)
except:
msg3 = "-------------------------------------好像出了一点问题----------------------------------"
msg4 = "[+] 提示1:请您检查一下URL是否正确!现在仅支持公益SRC提取哦!直接在地址栏中复制的URL有可能不是真正的请求URL哦!您可以F12查看请求URL"
msg5 = "[+] 提示2:请您登陆补天,F12,并且复制其中的请求头中的cookie,并且改变../scan/module/butianInfo.py文件中header中的cookie选项"
printc.printf(msg3,'red')
printc.printf(msg4, 'green')
printc.printf(msg5, 'green')
pass
def run(self):
global lock, count
status_code = title = '0'
# domain1=self.domain1 #类似于baidu.com
while not self.urls.empty(): #对用户输入放入资产进行遍历
url = self.urls.get() #类似于baidu.com
# print(url)
# domain=httpOrHttps(domain)+"://" +subdomain+"."+domain
if "http" not in url:
if "www" not in url:
# urls = "http://www." + urls
domain = self.protocol + "://www." + url #拼接成类似于http://www.baidu.com这样的完整域名
else:
domain = self.protocol + "://" + url #拼接成类似于http://www.baidu.com这样的完整域名
else:
domain = url #如果原目标中有指定协议则按原协议地址返回
#domain=httpOrHttps(self.protocol)+str("://") +str(subdomain)
try:
res = requests.get(domain, timeout=4, allow_redirects=True)
status_code = res.status_code
lock.acquire()
result = change2standard(res)
#这里是用用来匹配网站title,后面可以根据自己的需要添加新的规则
if (re.findall(self.p, result)):
title = (re.findall(self.p, result)[0])
elif re.findall(self.p1, result):
title = (re.findall(self.p1, result)[0])
else:
title = ' '
title = title.replace("\n", "") #对title进行去杂
title = title.replace("\r", "")
title = title.replace("\t", "")
title = title.replace(" ", '')
if isVisible(title) == True:
count = count + 1
msg = "[+] " + tools.setStr2SameLen(30, domain) + title
#url status_code title visitable
tools.print2sheet(t1_len=25,
t1=str(url),
title1="URL",
t2_len=2,
t2=" " + str(status_code),
title2="Status",
t3_len=1,
t3=" Yes",
title3="Visitable",
t4_len=20,
t4=title,
title4="Title")
# printc.printf(msg,'green')
else:
#msg = "[-] " + " Yes "+domain
tools.print2sheet(t1_len=25,
t1=str(url),
title1="URL",
t2_len=2,
t2=" " + str(status_code),
title2="Status",
t3_len=1,
t3=" Yes",
title3="Visitable",
t4_len=20,
t4=title,
title4="Title")
# printc.printf(msg,'red')
pass
lock.release()
except:
lock.acquire()
# msg = "[-] " + " No "+domain
# printc.printf(msg,'red')
tools.print2sheet(t1_len=25,
t1=str(url),
title1="URL",
t2_len=2,
t2=" " + str(status_code),
title2="Status",
t3_len=1,
t3=" No",
title3="Visitable",
t4_len=20,
t4=title,
title4="Title")
lock.release()
pass
def menu():
global vulnerable_list
day = time.strftime("%Y-%m-%d",
time.localtime()).replace("-", "") #当前日期20190725
start_time = "{day}T220000+0800".format(day=day) #默认扫描任务是每天晚上10点
profile = "F" #默认是全类型漏洞扫描
speed = 's' #默认是慢扫描
protocol = "http" #默认是http
parser = argparse.ArgumentParser()
#AWVS区
parser.add_argument(
'-add',
dest='add',
help=
'The text file of targets Example: -add url.txt'
)
parser.add_argument(
'-pro',
dest='pro',
help=
'Protocol:https or http Default is http Example: -pro https '
)
parser.add_argument(
'-start',
dest='start',
help=
'The starting time of scanning! Default starting time is now Example: -start {time}'
.format(time=present_awvs_time))
parser.add_argument(
'-speed',
dest='speed',
help=
'Scanning speed(3 options:f,m,s) Default is s Slow scanning Example: -speed f'
)
parser.add_argument(
'-profile',
dest='profile',
help=
'Scaning Profile(6 options:H[High vul],W[Weak Password],C[Crawling],X[XSS],S[SQL],F[Full scan]) Default is F Full scanning'
)
parser.add_argument(
'-delete',
dest='delete',
help=
'Delete targets 4 options:1[NO vuln targets],2[NO vuln targets+low vuln targets],3[NO vuln targets+Medium vuln targets],4[All targets] Example: -delete 1'
)
parser.add_argument('-second',
dest='second',
help='second Example: -second 3600')
#vulnerability
parser.add_argument(
'-weblogic',
dest='weblogic',
help='Example: -weblogic /usrs/targets.txt or -weblogic 127.0.0.1')
parser.add_argument(
'-joomla',
dest='joomla',
help='Example: -joomla /usrs/targets.txt or -joomla 127.0.0.1')
parser.add_argument(
'-exploit',
dest='exploit',
help='Example: -exploit /usrs/targets.txt or -exploit 127.0.0.1')
parser.add_argument(
'-command',
dest='command',
help='Example: -command python2 poc.py -p 3389 -d /web/web.xml ')
parser.add_argument(
'-poc_add',
dest='poc_add',
help='Example: -poc_add="vulnerability,cve-2020-01-01,cve-2020-01-01.py'
)
parser.add_argument('-flag',
dest='flag',
help='Example: -flag="Refused,No Response"')
parser.add_argument('-time_out',
dest='time_out',
help='Example: -time_out 1 Default is 2')
parser.add_argument(
'-vuln_name',
dest='vuln_name',
help='Example: -vuln_name cve-2020-01-01 Default is NULL')
parser.add_argument(
'-ecology',
dest='ecology',
help='Example: -ecology baidu.com or -ecology /usrs/targets.txt')
parser.add_argument('-o', dest='o', help='Example: -o res.txt')
parser.add_argument('-help',
action="store_true",
help='To show help information')
options = parser.parse_args()
#批量添加扫描任务,可以自定义时间,扫描类型,扫描速度,默认是慢速扫描,全漏洞扫描,晚上十点开始扫描
if options.add:
second = seconds_default #默认是每隔10分钟开启一个新的扫描任务,主要是防止扫描器吃不消
add = options.add #存放目标站点的TXT文件
if options.pro:
protocol = options.pro #目标中没有协议时
if options.start:
start_time = options.start #开始扫描的时间,如果没有指定立即扫描
if options.profile:
profile = options.profile #扫描类型,默认扫描类型是全扫描
if options.speed:
speed = options.speed #扫描速度,默认是慢扫描
if options.second:
second = int(options.second)
target = tool.content2List(add) #获取扫描的目标,并将其内容转化为列表
tool.setSheetTitle(15, "URL", 6, "Start Time", 7, "Profile", 2,
"Speed", 20, "ID") #首先打印表格的标题
count = 0 # 每扫描1个任务,后面任务依次类推推迟1200s扫描
for address in target:
url_pattern = "(\w+[:/.\w-]+\.[a-z\d]{2,3}[:\w/]*)" #匹配有效的目标地址形如https://shbxwsb.nbhrss.gov.cn:8080/1212 或者 baidu.com
address = re.findall(url_pattern, address, re.S)
if address:
count = count + 1
address = address[0]
# if "www" not in address:
# address = "www." + address
if re.findall(
"^http", address, re.S
) == []: #对于没有指定http或者https协议的url,默认加http头,当然也可以通过-pro参数来指定
address = protocol + "://" + str(address) #如果目标中没有协议则写入协议
if count != 1:
start_time = awvs.awvs2standardTime(
start_time
) #将awvs时间转化为标准时间 并返回字典的形式{"y":"2019","m":"07","d":"12","h":"12","m":"20","s":"00"}
start_time = awvs.nSecondLatter(
start_time, second) #每扫描1个任务,后面任务依次类推推迟300s扫描
start_time = awvs.time2awvstime(
start_time) #转化为awvs能够识别的时间20190805T123640+0800
# print(count)
awvs.add_tasks(address, address, "10", speed)
awvs.start_scan(address, profile, start_time, speed) #开启扫描
#批量删除没有发现漏洞的目标,-delete参数后面是一个存放url和ID的txt文件
elif options.delete:
types = int(options.delete)
print("\n")
if types == 1:
msg = " 开始删除扫描器中没有发现任何漏洞的扫描任务"
elif types == 2:
msg = " 开始删除扫描器中没有发现任何漏洞或者仅仅发现低危漏洞的扫描任务"
elif types == 3:
msg = " 开始删除扫描器中没有发现任何漏洞或者发现中危以及以下漏洞的扫描"
elif types == 4:
msg = " 开始删除扫描器中的所有扫描任务"
print(msg)
print("\n")
tool.setSheetTitle(15, "URL", 18, "ID", 20, "Status") #设置标题
awvs.deleteTask(types) #开始进行删除任务操作
#vulnerability区域
elif options.weblogic:
msg = address = ''
if options.o:
address = tool.address(options.o)
tool.output(address)
res = tool.input2result(str(options.weblogic))
#指定http协议时
if options.pro:
protocol = str(options.pro)
if type(res) == type([]):
for host in res:
host = tool.setDefaultPro(protocol=protocol, url=host)
weblogic_cve_2019_2729.check(host)
else:
host = tool.setDefaultPro(protocol=protocol, url=res)
weblogic_cve_2019_2729.check(host,
vulnerable_list=vulnerable_list)
#不指定时默认设定http协议
else:
if type(res) == type([]):
for host in res:
host = tool.setDefaultPro(url=host)
msg = "[+] Start detecting if {host} is vulnerable to CVE-2019-2729".format(
host=host)
print(msg)
weblogic_cve_2019_2729.check(host)
else:
host = tool.setDefaultPro(url=res)
msg = "[+] Start detecting if {host} is vulnerable to CVE-2019-2729".format(
host=host)
print(msg)
weblogic_cve_2019_2729.check(host)
# if vulnerable_list:
# msg="************** Below are vulnerable URL:******************"
# printc.printf(msg,'yellow')
# tool.printList(vulnerable_list,"green")
tool.printIfExist(address)
#检查joomla的RCE漏洞
elif options.joomla:
if options.o:
address = tool.address(options.o)
tool.output(address)
res = tool.input2result(str(options.joomla))
#print(res)
#指定http协议时
if options.pro:
protocol = str(options.pro)
if type(res) == type([]):
for host in res:
host = tool.setDefaultPro(protocol=protocol, url=host)
msg = "[+] Starting detecting {target}".format(target=host)
print(msg)
host = tool.setDefaultPro(protocol=protocol, url=host)
command = Joomla_3_4_6_RCE.command(host)
os.system(command)
else:
host = res
host = tool.setDefaultPro(protocol=protocol, url=res)
msg = "[+] Starting detecting {target}".format(target=res)
print(msg)
command = Joomla_3_4_6_RCE.command(res)
os.system(command)
else:
if type(res) == type([]):
for host in res:
host = tool.setDefaultPro(url=host)
msg = "[+] Starting detecting {target}".format(target=host)
print(msg)
host = tool.setDefaultPro(protocol=protocol, url=host)
command = Joomla_3_4_6_RCE.command(host)
os.system(command)
else:
host = res
host = tool.setDefaultPro(url=host)
msg = "[+] Starting detecting {target}".format(target=res)
print(msg)
command = Joomla_3_4_6_RCE.command(res)
os.system(command)
#任何poc只要放进到/find/vulnerability/按照一定规则就可以进行批量检测
elif options.exploit:
dataList = []
if options.o:
address = tool.address(options.o)
tool.output(address)
targets = tool.input2result(str(options.exploit))
if options.command:
command = options.command
else:
msg = "您必须输入原POC的完整验证命令。注意不需要加绝对路径,而且不许要输入目标,目标跟在-exploit参数后面"
print(msg)
if options.flag:
flag = options.flag.split(",")
else:
flag = [
"Operation timed out", "most recent call last",
'NotImplementedError'
]
if options.poc_add:
poc_add = options.poc_add.split(",")
else:
pass
if options.time_out:
time_out = options.time_out
else:
time_out = 2
if options.vuln_name:
vuln_name = options.vuln_name
else:
vuln_name = ""
if type(targets) == type([]):
for host in targets:
dataList.append(
exploit.exploit(target=host,
flag=flag,
poc_add=poc_add,
command=command,
vulnerability=vuln_name,
time_out=time_out))
else:
dataList.append(
exploit.exploit(target=targets,
flag=flag,
poc_add=poc_add,
command=command,
vulnerability=vuln_name,
time_out=time_out))
tool.setSheetTitle(t1_len=30,
title1='Target',
t2_len=8,
title2='Vulnerability',
t3_len=2,
title3='Vulnerable',
t4_len=10,
title4='Response')
for data in dataList:
tool.print2sheet(t1_len=30,
t1=data["target"],
title1='Target',
t2_len=8,
t2=data["vuln"],
title2='Vulnerability',
t3_len=2,
t3=data["isVuln"],
title3='Vulnerable',
t4_len=10,
t4=str(data['response']),
title4='Response')
#检测泛微OA数据库配置信息泄漏
elif options.ecology:
if options.o:
address = tool.address(options.o)
tool.output(address)
url = tool.input2result(str(options.ecology))
#print(res)
#指定http协议时
if options.pro:
protocol = str(options.pro)
ecology_OA_db_conf_leak.run(url, protocol)
else:
helpInfo()