def _verify(self):
log = Log("exploit-discuz_brutefile")
result = Result(self)
dctype = self.args.get("type","discuz").lower()
if dctype not in ['discuz','discuzx']:
dctype = "discuz"
date = self.args.get("date","15-01-01")
days = self.args.get("days","10")
days = int(days)
dirs = self.args.get("dirs","1")
dirs = int(dirs)
url = self.baseURL if ".php" in self.url else self.url
url = url.rstrip("/")
alives = []
for path in self.genPath(dctype,date,days,dirs):
try:
log.debug("request url {0}".format(url+path))
response = self.http.get(url+path)
except self.http.ConnectionError:
pass
if response.status_code == 200:
log.debug("got alives {0}".format(url+path))
alives.append(url+path)
if alives:
result['vulinfo'] = str(alives)
return result
def _verify(self):
log = Log("exploit_douphp_backupbrute")
result = Result(self)
sqlList = ['D20160~1.sql','D20150~1.sql','D20151~1.sql','D20140~1.sql','D20141~1.sql','D20131~1.sql']
vulURLs = []
for sqlfile in sqlList:
url = self.baseURL.rstrip("/") + "/data/backup/" + sqlfile
log.debug("getting '{0}'".format(url))
response = self.http.get(url,allow_redirects=False)
if response.status_code == 200:
log.debug("got alive'{0}'".format(url))
vulURLs.append(url)
if vulURLs:
result['vulinfo'] = str(vulURLs)
return result
def _verify(self):
log = Log("exploit-discuz_brutefile")
result = Result(self)
dctype = self.args.get("type", "discuz").lower()
if dctype not in ['discuz', 'discuzx']:
dctype = "discuz"
date = self.args.get("date", "15-01-01")
days = self.args.get("days", "10")
days = int(days)
dirs = self.args.get("dirs", "1")
dirs = int(dirs)
url = self.baseURL if ".php" in self.url else self.url
url = url.rstrip("/")
alives = []
for path in self.genPath(dctype, date, days, dirs):
try:
log.debug("request url {0}".format(url + path))
response = self.http.get(url + path)
except self.http.ConnectionError:
pass
if response.status_code == 200:
log.debug("got alives {0}".format(url + path))
alives.append(url + path)
if alives:
result['vulinfo'] = str(alives)
return result
def _verify(self):
log = Log("exploit_douphp_backupbrute")
result = Result(self)
sqlList = [
'D20160~1.sql', 'D20150~1.sql', 'D20151~1.sql', 'D20140~1.sql',
'D20141~1.sql', 'D20131~1.sql'
]
vulURLs = []
for sqlfile in sqlList:
url = self.baseURL.rstrip("/") + "/data/backup/" + sqlfile
log.debug("getting '{0}'".format(url))
response = self.http.get(url, allow_redirects=False)
if response.status_code == 200:
log.debug("got alive'{0}'".format(url))
vulURLs.append(url)
if vulURLs:
result['vulinfo'] = str(vulURLs)
return result
def doSubDomainScan(args, out):
'''
子域名爆破
'''
out.init("子域名爆破", tofile=args.output)
log = Log("subdomain")
if args.output:
outHtml = True if args.output.endswith("html") else False
else:
outHtml = False
techniques = []
if not args.technique:
techniques = ['z', 'd', 'g']
else:
if len(args.technique) <= 3:
for t in args.technique:
if t in "zdg":
techniques.append(t)
else:
techniques = []
if not techniques:
out.error(u"不支持--techniques {0}".format(args.technique))
return False
dictfile = args.dict if args.dict else None
topdomainBrute = True if args.topdomain else False
size = args.size if args.size else 200
if args.engine:
if args.engine in Query.allowEngines:
engine = args.engine
else:
out.error(u"不支持 --engine {0},支持{1}".format(
args.engine, str(Query.allowEngines)))
return False
else:
engine = 'bing'
domain = URL.getHost(args.domain)
result = set()
dnsresolver = DnsResolver(domain)
records = dnsresolver.getZoneRecords()
if "z" in techniques:
log.debug(">>>>>checking if dns zonetrans vulnerable")
for record in records:
log.debug("dns zonetrans vulnerable, got '{0}'".format(
str(record)))
result.add(record[0])
if "d" in techniques:
log.debug(">>>>>dns brutefroce")
for item in DnsBruter(domain, dictfile, topdomainBrute):
log.debug("dns bruteforce, got '{0}'".format(str(item)))
result.add(item.domain)
if "g" in techniques:
log.debug(">>>>>google hacking")
query = Query(site=domain) | -Query(site="www." + domain)
for item in query.doSearch(engine=engine, size=size):
log.debug("google hacking, got '{0}'".format(item.url))
host = URL.getHost(item.url)
result.add(host)
out.warnning(u"子域名爆破结果:")
for d in result:
out.info(d)
if not outHtml:
out.writeLine(d)
else:
out.writeLine(d, _htmlLink)
return True
def doSubDomainScan(args, out):
'''
子域名爆破
'''
out.init("子域名爆破", tofile=args.output)
log = Log("subdomain")
if args.output:
outHtml = True if args.output.endswith("html") else False
else:
outHtml = False
techniques = []
if not args.technique:
techniques = ['z','d','g']
else:
if len(args.technique) <= 3:
for t in args.technique:
if t in "zdg":
techniques.append(t)
else:
techniques = []
if not techniques:
out.error(u"不支持--techniques {0}".format(args.technique))
return False
dictfile = args.dict if args.dict else None
topdomainBrute = True if args.topdomain else False
size = args.size if args.size else 200
if args.engine:
if args.engine in Query.allowEngines:
engine = args.engine
else:
out.error(u"不支持 --engine {0},支持{1}".format(args.engine, str(Query.allowEngines)))
return False
else:
engine = 'baidu'
domain = URL.getHost(args.domain)
result = set()
dnsresolver = DnsResolver(domain)
records = dnsresolver.getZoneRecords()
if "z" in techniques:
log.debug(">>>>>checking if dns zonetrans vulnerable")
for record in records:
log.debug("dns zonetrans vulnerable, got '{0}'".format(str(record)))
result.add(record[0])
if "d" in techniques:
log.debug(">>>>>dns brutefroce")
for item in DnsBruter(domain, dictfile, topdomainBrute):
log.debug("dns bruteforce, got '{0}'".format(str(item)))
result.add(item.domain)
if "g" in techniques:
log.debug(">>>>>google hacking")
query = Query(site=domain) | -Query(site="www."+domain)
for item in query.doSearch(engine=engine, size=size):
log.debug("google hacking, got '{0}'".format(item.url))
host = URL.getHost(item.url)
result.add(host)
out.warnning(u"子域名爆破结果:")
for d in result:
out.info(d)
if not outHtml:
out.writeLine(d)
else:
out.writeLine(d, _htmlLink)
return True
