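def _verify(self):
    """Probe generated backup-file paths and record the ones that answer 200.

    Reads ``type`` (``discuz``/``discuzx``, anything else falls back to
    ``discuz``), ``date``, ``days`` and ``dirs`` from ``self.args``, builds
    candidate paths with ``self.genPath`` and requests each one.

    Returns:
        The ``Result`` for this check; ``result['vulinfo']`` is set to the
        string form of the responding URLs only when at least one candidate
        path returned HTTP 200.
    """
    log = Log("exploit-discuz_brutefile")
    result = Result(self)

    dctype = self.args.get("type", "discuz").lower()
    if dctype not in ('discuz', 'discuzx'):
        dctype = "discuz"
    date = self.args.get("date", "15-01-01")
    days = int(self.args.get("days", "10"))
    dirs = int(self.args.get("dirs", "1"))

    # When the configured URL names a .php script, probe relative to
    # baseURL instead (presumably the directory part -- confirm with caller).
    url = self.baseURL if ".php" in self.url else self.url
    url = url.rstrip("/")

    alives = []
    for path in self.genPath(dctype, date, days, dirs):
        target = url + path
        log.debug("request url {0}".format(target))
        try:
            response = self.http.get(target)
        except self.http.ConnectionError:
            # The original fell through here, leaving `response` unbound on
            # the first failure (NameError) or stale from the previous probe,
            # which could report a path that was never actually fetched.
            continue
        if response.status_code == 200:
            log.debug("got alives {0}".format(target))
            alives.append(target)

    if alives:
        result['vulinfo'] = str(alives)
    return result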
def _verify(self):
    """Request a fixed set of candidate dump names under ``/data/backup/``.

    Each candidate is fetched without following redirects; every URL that
    answers HTTP 200 is collected.

    Returns:
        The ``Result`` for this check, with ``result['vulinfo']`` set to the
        string form of the responding URLs only when at least one was found.
    """
    log = Log("exploit_douphp_backupbrute")
    result = Result(self)

    candidates = (
        'D20160~1.sql',
        'D20150~1.sql',
        'D20151~1.sql',
        'D20140~1.sql',
        'D20141~1.sql',
        'D20131~1.sql',
    )
    prefix = self.baseURL.rstrip("/") + "/data/backup/"

    found = []
    for name in candidates:
        target = prefix + name
        log.debug("getting '{0}'".format(target))
        # allow_redirects=False: only a direct 200 counts, presumably so a
        # redirect to some other page is not mistaken for a hit.
        resp = self.http.get(target, allow_redirects=False)
        if resp.status_code == 200:
            log.debug("got alive'{0}'".format(target))
            found.append(target)

    if found:
        result['vulinfo'] = str(found)
    return result
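def _verify(self):
    """Probe generated backup-file paths and record the ones that answer 200.

    Arguments are taken from ``self.args``: ``type`` (``discuz`` or
    ``discuzx``; any other value falls back to ``discuz``), ``date``,
    ``days`` and ``dirs``. Candidate paths come from ``self.genPath``.

    Returns:
        The ``Result`` for this check. ``result['vulinfo']`` holds the
        string form of the responding URLs and is set only when at least
        one candidate returned HTTP 200.
    """
    log = Log("exploit-discuz_brutefile")
    result = Result(self)

    dctype = self.args.get("type", "discuz").lower()
    if dctype not in ('discuz', 'discuzx'):
        dctype = "discuz"
    date = self.args.get("date", "15-01-01")
    days = int(self.args.get("days", "10"))
    dirs = int(self.args.get("dirs", "1"))

    # If the configured URL names a .php script, use baseURL as the root
    # instead (presumably its directory part -- confirm with the caller).
    root = (self.baseURL if ".php" in self.url else self.url).rstrip("/")

    alives = []
    for path in self.genPath(dctype, date, days, dirs):
        target = root + path
        log.debug("request url {0}".format(target))
        try:
            response = self.http.get(target)
        except self.http.ConnectionError:
            # Skip unreachable paths. The original only `pass`ed, so
            # `response` was either unbound (NameError on the first miss) or
            # left over from the previous probe and could yield a false hit.
            continue
        if response.status_code == 200:
            log.debug("got alives {0}".format(target))
            alives.append(target)

    if alives:
        result['vulinfo'] = str(alives)
    return result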
def _verify(self):
    """Check whether any of a fixed list of dump names exists under
    ``/data/backup/``.

    Requests are made with ``allow_redirects=False``; a URL counts only
    when the direct response is HTTP 200.

    Returns:
        The ``Result`` for this check; ``result['vulinfo']`` is the string
        form of the matching URLs, set only when the list is non-empty.
    """
    log = Log("exploit_douphp_backupbrute")
    result = Result(self)

    names = [
        'D20160~1.sql',
        'D20150~1.sql',
        'D20151~1.sql',
        'D20140~1.sql',
        'D20141~1.sql',
        'D20131~1.sql',
    ]
    base = self.baseURL.rstrip("/")
    targets = [base + "/data/backup/" + name for name in names]

    hits = []
    for target in targets:
        log.debug("getting '{0}'".format(target))
        # Redirects are deliberately not followed; a 30x is not a hit.
        if self.http.get(target, allow_redirects=False).status_code == 200:
            log.debug("got alive'{0}'".format(target))
            hits.append(target)

    if hits:
        result['vulinfo'] = str(hits)
    return result
def doSubDomainScan(args, out):
    '''Subdomain enumeration (子域名爆破).

    Runs the techniques selected by ``args.technique`` -- ``z`` (DNS zone
    transfer records), ``d`` (DNS dictionary brute force) and ``g``
    (search-engine query); all three when the option is unset -- and
    writes the union of hosts found through ``out``.

    Returns:
        True once the results are written; False when ``--technique`` or
        ``--engine`` is rejected (the error is reported via ``out``).
    '''
    out.init("子域名爆破", tofile=args.output)
    log = Log("subdomain")

    # HTML output only when an output file was requested and it ends in "html".
    outHtml = bool(args.output) and args.output.endswith("html")

    # Technique selection: default to all three; for a spec of up to three
    # characters keep only the known letters; reject anything longer.
    # NOTE(review): recovered from a collapsed one-line source -- the final
    # ``else`` is read as pairing with the length check, not with the
    # per-letter test; confirm against the original layout.
    if not args.technique:
        techniques = ['z', 'd', 'g']
    elif len(args.technique) <= 3:
        techniques = [t for t in args.technique if t in "zdg"]
    else:
        techniques = []
    if not techniques:
        out.error(u"不支持--techniques {0}".format(args.technique))
        return False

    dictfile = args.dict or None
    topdomainBrute = bool(args.topdomain)
    size = args.size or 200

    engine = 'bing'
    if args.engine:
        if args.engine not in Query.allowEngines:
            out.error(u"不支持 --engine {0},支持{1}".format(
                args.engine, str(Query.allowEngines)))
            return False
        engine = args.engine

    domain = URL.getHost(args.domain)
    found = set()

    # Zone records are fetched regardless of which techniques were selected.
    resolver = DnsResolver(domain)
    records = resolver.getZoneRecords()

    if "z" in techniques:
        log.debug(">>>>>checking if dns zonetrans vulnerable")
        for record in records:
            log.debug("dns zonetrans vulnerable, got '{0}'".format(str(record)))
            found.add(record[0])

    if "d" in techniques:
        log.debug(">>>>>dns brutefroce")
        for item in DnsBruter(domain, dictfile, topdomainBrute):
            log.debug("dns bruteforce, got '{0}'".format(str(item)))
            found.add(item.domain)

    if "g" in techniques:
        log.debug(">>>>>google hacking")
        query = Query(site=domain) | -Query(site="www." + domain)
        for item in query.doSearch(engine=engine, size=size):
            log.debug("google hacking, got '{0}'".format(item.url))
            found.add(URL.getHost(item.url))

    out.warnning(u"子域名爆破结果:")
    for host in found:
        out.info(host)
        if outHtml:
            out.writeLine(host, _htmlLink)
        else:
            out.writeLine(host)
    return True
def doSubDomainScan(args, out):
    '''Subdomain enumeration (子域名爆破).

    Techniques are chosen with ``args.technique``: ``z`` uses DNS zone
    transfer records, ``d`` a DNS dictionary brute force, ``g`` a
    search-engine query. With the option unset all three run. The union
    of discovered hosts is written through ``out``.

    Returns:
        True after writing the results; False if ``--technique`` or
        ``--engine`` is rejected (an error is reported via ``out``).
    '''
    out.init("子域名爆破", tofile=args.output)
    log = Log("subdomain")

    # HTML output only when an output file was requested and it ends in "html".
    outHtml = bool(args.output) and args.output.endswith("html")

    # NOTE(review): the technique branch was recovered from a collapsed
    # one-line source; the trailing ``else`` is read as belonging to the
    # length check rather than to the per-letter test -- confirm.
    if not args.technique:
        techniques = list("zdg")
    elif len(args.technique) > 3:
        techniques = []
    else:
        techniques = [t for t in args.technique if t in "zdg"]
    if not techniques:
        out.error(u"不支持--techniques {0}".format(args.technique))
        return False

    dictfile = args.dict or None
    topdomainBrute = bool(args.topdomain)
    size = args.size or 200

    if not args.engine:
        engine = 'baidu'
    elif args.engine in Query.allowEngines:
        engine = args.engine
    else:
        out.error(u"不支持 --engine {0},支持{1}".format(args.engine, str(Query.allowEngines)))
        return False

    domain = URL.getHost(args.domain)
    found = set()

    # Zone records are fetched up front regardless of technique selection.
    records = DnsResolver(domain).getZoneRecords()

    def _zone():
        log.debug(">>>>>checking if dns zonetrans vulnerable")
        for record in records:
            log.debug("dns zonetrans vulnerable, got '{0}'".format(str(record)))
            found.add(record[0])

    def _brute():
        log.debug(">>>>>dns brutefroce")
        for item in DnsBruter(domain, dictfile, topdomainBrute):
            log.debug("dns bruteforce, got '{0}'".format(str(item)))
            found.add(item.domain)

    def _search():
        log.debug(">>>>>google hacking")
        query = Query(site=domain) | -Query(site="www." + domain)
        for item in query.doSearch(engine=engine, size=size):
            log.debug("google hacking, got '{0}'".format(item.url))
            found.add(URL.getHost(item.url))

    # Fixed z, d, g order, independent of the order given on the command line.
    for key, run in (("z", _zone), ("d", _brute), ("g", _search)):
        if key in techniques:
            run()

    out.warnning(u"子域名爆破结果:")
    for host in found:
        out.info(host)
        if outHtml:
            out.writeLine(host, _htmlLink)
        else:
            out.writeLine(host)
    return True