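def _verify(self):
    """Request each candidate path produced by ``self.genPath`` and record those that answer 200.

    Reads the optional ``type``, ``date``, ``days`` and ``dirs`` entries of
    ``self.args`` (defaults: "discuz", "15-01-01", "10", "1"); ``type`` is
    forced back to "discuz" when it is not "discuz"/"discuzx".

    Returns:
        A ``Result`` whose ``vulinfo`` entry is the string form of the list of
        URLs that answered 200; the entry is only set when that list is non-empty.

    Raises:
        ValueError: when ``days`` or ``dirs`` cannot be parsed by ``int``.
    """
    log = Log("exploit-discuz_brutefile")
    result = Result(self)

    dctype = self.args.get("type", "discuz").lower()
    if dctype not in ("discuz", "discuzx"):
        dctype = "discuz"
    date = self.args.get("date", "15-01-01")
    days = int(self.args.get("days", "10"))
    dirs = int(self.args.get("dirs", "1"))

    # presumably baseURL is the directory form of the target, used when
    # self.url names a script (.php) -- TODO confirm against the base class
    url = self.baseURL if ".php" in self.url else self.url
    url = url.rstrip("/")

    alives = []
    for path in self.genPath(dctype, date, days, dirs):
        target = url + path
        log.debug("request url {0}".format(target))
        try:
            response = self.http.get(target)
        except self.http.ConnectionError:
            # Skip unreachable candidates explicitly. The original only `pass`ed,
            # so the status check below ran on a stale `response` from the previous
            # iteration or raised UnboundLocalError on the first one.
            continue

        # NOTE(review): a bare 200 is a weak signal -- a host serving a soft-404
        # page answers 200 for every path and will mark every candidate alive.
        if response.status_code == 200:
            log.debug("got alives {0}".format(target))
            alives.append(target)

    if alives:
        result['vulinfo'] = str(alives)

    return result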
    def _verify(self):
        """Probe a fixed list of ``.sql`` names under ``/data/backup/`` and record the ones answering 200.

        Returns:
            The ``Result`` for this check; ``vulinfo`` is set to the string form of
            the list of responding URLs only when at least one candidate answered 200.
        """
        log = Log("exploit_douphp_backupbrute")
        result = Result(self)

        backupDir = self.baseURL.rstrip("/") + "/data/backup/"
        candidates = (
            'D20160~1.sql', 'D20150~1.sql', 'D20151~1.sql',
            'D20140~1.sql', 'D20141~1.sql', 'D20131~1.sql',
        )

        vulURLs = []
        for name in candidates:
            url = backupDir + name
            log.debug("getting '{0}'".format(url))
            # With allow_redirects=False a 3xx answer keeps its own status code,
            # so a redirect never satisfies the == 200 test below.
            response = self.http.get(url, allow_redirects=False)
            if response.status_code != 200:
                continue
            log.debug("got alive'{0}'".format(url))
            vulURLs.append(url)

        if vulURLs:
            result['vulinfo'] = str(vulURLs)

        return result
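    def _verify(self):
        """Request each candidate path produced by ``self.genPath`` and record those that answer 200.

        Reads the optional ``type``, ``date``, ``days`` and ``dirs`` entries of
        ``self.args`` (defaults: "discuz", "15-01-01", "10", "1"); ``type`` is
        forced back to "discuz" when it is not "discuz"/"discuzx".

        Returns:
            A ``Result`` whose ``vulinfo`` entry is the string form of the list of
            URLs that answered 200; the entry is only set when that list is non-empty.

        Raises:
            ValueError: when ``days`` or ``dirs`` cannot be parsed by ``int``.
        """
        log = Log("exploit-discuz_brutefile")
        result = Result(self)

        dctype = self.args.get("type", "discuz").lower()
        if dctype not in ("discuz", "discuzx"):
            dctype = "discuz"
        date = self.args.get("date", "15-01-01")
        days = int(self.args.get("days", "10"))
        dirs = int(self.args.get("dirs", "1"))

        # presumably baseURL is the directory form of the target, used when
        # self.url names a script (.php) -- TODO confirm against the base class
        url = self.baseURL if ".php" in self.url else self.url
        url = url.rstrip("/")

        alives = []
        for path in self.genPath(dctype, date, days, dirs):
            target = url + path
            log.debug("request url {0}".format(target))
            try:
                response = self.http.get(target)
            except self.http.ConnectionError:
                # Skip unreachable candidates explicitly. The original only `pass`ed,
                # so the status check below ran on a stale `response` from the previous
                # iteration or raised UnboundLocalError on the first one.
                continue

            # NOTE(review): a bare 200 is a weak signal -- a host serving a soft-404
            # page answers 200 for every path and will mark every candidate alive.
            if response.status_code == 200:
                log.debug("got alives {0}".format(target))
                alives.append(target)

        if alives:
            result['vulinfo'] = str(alives)

        return result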
    def _verify(self):
        """Probe a fixed list of ``.sql`` names under ``/data/backup/`` and record the ones answering 200.

        Returns:
            The ``Result`` for this check; ``vulinfo`` is set to the string form of
            the list of responding URLs only when at least one candidate answered 200.
        """
        log = Log("exploit_douphp_backupbrute")
        result = Result(self)

        backupDir = self.baseURL.rstrip("/") + "/data/backup/"
        candidates = (
            'D20160~1.sql', 'D20150~1.sql', 'D20151~1.sql',
            'D20140~1.sql', 'D20141~1.sql', 'D20131~1.sql',
        )

        vulURLs = []
        for name in candidates:
            url = backupDir + name
            log.debug("getting '{0}'".format(url))
            # With allow_redirects=False a 3xx answer keeps its own status code,
            # so a redirect never satisfies the == 200 test below.
            response = self.http.get(url, allow_redirects=False)
            if response.status_code != 200:
                continue
            log.debug("got alive'{0}'".format(url))
            vulURLs.append(url)

        if vulURLs:
            result['vulinfo'] = str(vulURLs)

        return result
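def doSubDomainScan(args, out):
    '''
    Subdomain enumeration (子域名爆破) for ``args.domain``.

    ``args.technique`` selects the techniques as a string of up to three of the
    letters z/d/g (default: all three):

    * ``z`` -- first element of each record from ``DnsResolver.getZoneRecords``
    * ``d`` -- ``item.domain`` of each item yielded by ``DnsBruter``
      (driven by ``args.dict`` and ``args.topdomain``)
    * ``g`` -- host part of each ``item.url`` from ``Query.doSearch``
      (``args.engine``, default 'bing'; ``args.size``, default 200)

    Every distinct host is written through ``out``; when ``args.output`` ends in
    "html" the line is passed to ``out.writeLine`` together with ``_htmlLink``.

    Returns:
        True on completion; False (after ``out.error``) when the technique string
        or the engine is not accepted.
    '''
    out.init("子域名爆破", tofile=args.output)
    log = Log("subdomain")
    # bool() guards an empty/None args.output before .endswith is touched.
    outHtml = bool(args.output) and args.output.endswith("html")

    if not args.technique:
        techniques = ['z', 'd', 'g']
    else:
        # Reject the whole string on any letter outside z/d/g. The original cleared
        # the list on a bad letter but kept looping, so e.g. "xz" passed as ['z'].
        valid = len(args.technique) <= 3 and all(t in "zdg" for t in args.technique)
        techniques = list(args.technique) if valid else []
        if not techniques:
            out.error(u"不支持--techniques {0}".format(args.technique))
            return False

    dictfile = args.dict if args.dict else None
    topdomainBrute = bool(args.topdomain)
    size = args.size if args.size else 200
    if args.engine:
        if args.engine not in Query.allowEngines:
            out.error(u"不支持 --engine {0},支持{1}".format(
                args.engine, str(Query.allowEngines)))
            return False
        engine = args.engine
    else:
        engine = 'bing'
    domain = URL.getHost(args.domain)

    result = set()

    if "z" in techniques:
        # Only attempt the zone transfer when 'z' was requested; the original ran
        # getZoneRecords unconditionally and discarded the records otherwise.
        log.debug(">>>>>checking if dns zonetrans vulnerable")
        for record in DnsResolver(domain).getZoneRecords():
            log.debug("dns zonetrans vulnerable, got '{0}'".format(str(record)))
            result.add(record[0])

    if "d" in techniques:
        log.debug(">>>>>dns brutefroce")
        for item in DnsBruter(domain, dictfile, topdomainBrute):
            log.debug("dns bruteforce, got '{0}'".format(str(item)))
            result.add(item.domain)

    if "g" in techniques:
        log.debug(">>>>>google hacking")
        # Exclude the bare www host so only other subdomains come back.
        query = Query(site=domain) | -Query(site="www." + domain)
        for item in query.doSearch(engine=engine, size=size):
            log.debug("google hacking, got '{0}'".format(item.url))
            result.add(URL.getHost(item.url))

    out.warnning(u"子域名爆破结果:")
    for host in result:
        out.info(host)
        if outHtml:
            out.writeLine(host, _htmlLink)
        else:
            out.writeLine(host)

    return True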
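def doSubDomainScan(args, out):
    '''
    Subdomain enumeration (子域名爆破) for ``args.domain``.

    ``args.technique`` selects the techniques as a string of up to three of the
    letters z/d/g (default: all three):

    * ``z`` -- first element of each record from ``DnsResolver.getZoneRecords``
    * ``d`` -- ``item.domain`` of each item yielded by ``DnsBruter``
      (driven by ``args.dict`` and ``args.topdomain``)
    * ``g`` -- host part of each ``item.url`` from ``Query.doSearch``
      (``args.engine``, default 'baidu'; ``args.size``, default 200)

    Every distinct host is written through ``out``; when ``args.output`` ends in
    "html" the line is passed to ``out.writeLine`` together with ``_htmlLink``.

    Returns:
        True on completion; False (after ``out.error``) when the technique string
        or the engine is not accepted.
    '''
    out.init("子域名爆破", tofile=args.output)
    log = Log("subdomain")
    # bool() guards an empty/None args.output before .endswith is touched.
    outHtml = bool(args.output) and args.output.endswith("html")

    if not args.technique:
        techniques = ['z', 'd', 'g']
    else:
        # Reject the whole string on any letter outside z/d/g. The original cleared
        # the list on a bad letter but kept looping, so e.g. "xz" passed as ['z'].
        valid = len(args.technique) <= 3 and all(t in "zdg" for t in args.technique)
        techniques = list(args.technique) if valid else []
        if not techniques:
            out.error(u"不支持--techniques {0}".format(args.technique))
            return False

    dictfile = args.dict if args.dict else None
    topdomainBrute = bool(args.topdomain)
    size = args.size if args.size else 200
    if args.engine:
        if args.engine not in Query.allowEngines:
            out.error(u"不支持 --engine {0},支持{1}".format(args.engine, str(Query.allowEngines)))
            return False
        engine = args.engine
    else:
        engine = 'baidu'
    domain = URL.getHost(args.domain)

    result = set()

    if "z" in techniques:
        # Only attempt the zone transfer when 'z' was requested; the original ran
        # getZoneRecords unconditionally and discarded the records otherwise.
        log.debug(">>>>>checking if dns zonetrans vulnerable")
        for record in DnsResolver(domain).getZoneRecords():
            log.debug("dns zonetrans vulnerable, got '{0}'".format(str(record)))
            result.add(record[0])

    if "d" in techniques:
        log.debug(">>>>>dns brutefroce")
        for item in DnsBruter(domain, dictfile, topdomainBrute):
            log.debug("dns bruteforce, got '{0}'".format(str(item)))
            result.add(item.domain)

    if "g" in techniques:
        log.debug(">>>>>google hacking")
        # Exclude the bare www host so only other subdomains come back.
        query = Query(site=domain) | -Query(site="www." + domain)
        for item in query.doSearch(engine=engine, size=size):
            log.debug("google hacking, got '{0}'".format(item.url))
            result.add(URL.getHost(item.url))

    out.warnning(u"子域名爆破结果:")
    for host in result:
        out.info(host)
        if outHtml:
            out.writeLine(host, _htmlLink)
        else:
            out.writeLine(host)

    return True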