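    def subdomain_scan(uid):
        """
        Run a subdomain-enumeration task and track it until it finishes.

        The task first queues behind any other running "域名扫描" task (the
        worker lets only one run at a time), then a detached oneforall
        container is started for it and this thread polls the task document,
        rolling the per-target percentages kept in ``hidden_host`` into an
        overall ``progress`` value.

        :param uid: task id, e.g. c2385a01-bb0a-40a3-8694-05a31a440ba6
        :return: True once the task is finished or its document has been
                 deleted; the function does not return while the task runs

        NOTE(review): there is no deadline here. If the container exits
        without ever reporting 100% the task stays 'Running', and because of
        the wait loop below that blocks every later subdomain task.
        """

        # Only one subdomain scan may run at a time: while another task is
        # 'Running', park this one as 'Waiting' and re-check every 5 s.
        while True:
            if mongo.db.tasks.find_one({'id': uid}) is None:
                # Task deleted while queued.
                return True

            # NOTE(review): Cursor.count() is deprecated in newer pymongo
            # releases (count_documents is the replacement); kept as the file uses it.
            running = mongo.db.tasks.find({'status': "Running", "hack_type": "域名扫描"}).count()
            if running > 0:
                mongo.db.tasks.update_one({"id": uid}, {'$set': {'status': 'Waiting'}})
                time.sleep(5)
                continue

            mongo.db.tasks.update_one({"id": uid}, {'$set': {'status': 'Running'}})
            break

        # The scanner runs detached and auto-removed, sharing the host network
        # namespace. The image is referenced by a mutable tag; a digest pin
        # would make the pull reproducible.
        contain = DOCKER_CLIENT.containers.run("ap0llo/oneforall:0.0.9", [uid], remove=True, detach=True,
                                               auto_remove=True,
                                               network="host")
        mongo.db.tasks.update_one({"id": uid}, {"$set": {"contain_id": contain.id}})

        # Heartbeat: aggregate the per-target progress until it reaches 100%.
        while True:
            task_dir = mongo.db.tasks.find_one({"id": uid})
            if task_dir is None:
                # Task deleted mid-scan; the auto-removed container cleans up by itself.
                return True

            # ``hidden_host`` holds the text form of a dict mapping each target
            # to a percentage string. literal_eval accepts Python literals only
            # and does not execute code, but sibling scan loops parse the same
            # kind of field with json.loads; the two encodings are not
            # interchangeable (JSON null/true/false are not Python literals).
            process_json = ast.literal_eval(task_dir["hidden_host"])

            if len(process_json) == 0:
                # Nothing reported yet: wait for the scanner instead of
                # computing a progress figure from no data (this used to fall
                # through and divide by live_host regardless).
                time.sleep(10)
                continue

            tasks_num = task_dir["live_host"]

            # Sum of the per-target percentages (as numbers) over the task's
            # live_host count.
            now_progress = sum(formatnum(v) for v in process_json.values())
            progress = '{0:.2f}%'.format(now_progress / tasks_num)

            if progress == "100.00%":
                mongo.db.tasks.update_one(
                    {"id": uid},
                    {'$set': {
                        'progress': "100.00%",
                        'status': 'Finished',
                        'end_time': datetime.datetime.now(),
                        'total_host': mongo.db.subdomains.find({'pid': uid}).count(),
                    }},
                )
                return True

            mongo.db.tasks.update_one({"id": uid}, {'$set': {'progress': progress}})
            time.sleep(3)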
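    _WEB_SERVICES = ("http", "ssl", "https")

    @staticmethod
    def _append_unique(bucket, entry):
        """Append *entry* to *bucket* unless an equal dict is already present (order kept)."""
        if entry not in bucket:
            bucket.append(entry)

    @staticmethod
    def _web_netloc(host, value):
        """
        Return ``scheme://address:port`` for a web-type *value*
        ('http' / 'https' / 'ssl'), or None when *value* has no 'http' in it
        (a bare 'ssl' service yields no web target).

        https is chosen for 'https'/'ssl' or when the host's port is 443.
        """
        if 'http' not in value:
            return None
        scheme = 'https' if value in ('https', 'ssl') or host.get("port") == 443 else 'http'
        return '{}://{}:{}'.format(scheme, host["address"], host["port"])

    def _xunfeng_entries(self, poc, host):
        """
        xunfeng entries for *host*: one for a ``service`` match against the
        POC's ``vul_service`` and one more for a ``tag`` match (a host that
        matches on both gets two identical entries; no de-duplication here).
        """
        vul_service = poc["vul_service"]
        matches = (
            host["service"] == vul_service,
            "tag" in host and host["tag"] == vul_service,
        )
        return [
            {
                "ip": host["address"],
                "port": host["port"],
                "poc": poc["poc_name"],
                "keyword": vul_service,
                "type_file": poc["file_type"],
                "project_name": self.project,
            }
            for hit in matches if hit
        ]

    def _kunpeng_entry(self, host):
        """
        kunpeng entry for *host*, or None when there is nothing to attack.

        Subdomain records (``subdomain_name`` present) target their
        ``http_address``; hosts with a web service target the reconstructed
        URL; any other service is attacked directly on ``address:port``.
        The entry does not depend on the POC record at all.
        """
        if "subdomain_name" in host:
            return {'type': 'web', 'target': "web", 'netloc': host["http_address"], "parent_name": self.project}

        service = host["service"]
        if service in self._WEB_SERVICES:
            netloc = self._web_netloc(host, service)
            if netloc is None:
                return None
            return {'type': 'web', 'target': "web", 'netloc': netloc, "parent_name": self.project}

        return {
            'type': 'service',
            'target': service,
            'netloc': '{}:{}'.format(host["address"], host["port"]),
            "parent_name": self.project,
        }

    def _bugscan_entry(self, poc, host, value):
        """
        bugscan entry for *host* keyed on *value* (the host's ``service`` or
        ``category``); None for a web-type value without 'http' in it.

        Web values get a full URL, anything else ``address:port``. The
        ``keyword`` is the host's ``service`` for both the service and the
        category pass.
        """
        if value in self._WEB_SERVICES:
            netloc = self._web_netloc(host, value)
            if netloc is None:
                return None
        else:
            netloc = '{}:{}'.format(host["address"], host["port"])
        return {'netloc': netloc, "poc": poc["poc_name"], "keyword": host["service"], "parent_name": self.project}

    def create_attack_task(self, target_list):
        """
        Build POC attack lists for *target_list*, launch one POC container per
        scanner, and poll until the aggregate progress reaches 100%.

        POC records come from ``mongo.db.pocs``; each is matched against every
        host according to its ``flag`` (xunfeng / kunpeng / bugscan). Every
        non-empty list is persisted as a ``vuldocker`` document whose id is
        handed to an ``ap0llo/poc:<flag>`` container; this thread then averages
        the ``progress`` of those documents into the task's ``progress``.

        :param target_list: host records (dicts with ``address``, ``port``,
                            ``service``; optionally ``tag``, ``category``,
                            ``subdomain_name`` + ``http_address``)
        :return: True when the task finishes, has nothing to attack, or its
                 task document has been deleted

        NOTE(review): bugscan matching is a substring test
        (``vul_service in service``), so 'http' also matches 'https' and an
        empty ``vul_service`` matches every host — confirm that is intended.
        """
        attack_list_xunfeng = []
        attack_list_kunpeng = []
        attack_list_bugscan = []

        # Materialise the cursor once; it is walked for every host below.
        pocs_list = list(mongo.db.pocs.find({}))

        for m in pocs_list:
            for n in target_list:
                if m["flag"] == "xunfeng":
                    attack_list_xunfeng.extend(self._xunfeng_entries(m, n))

                elif m["flag"] == "kunpeng":
                    entry = self._kunpeng_entry(n)
                    if entry is not None:
                        self._append_unique(attack_list_kunpeng, entry)

                elif m["flag"] == "bugscan":
                    # Match vul_service against the host's service, then its
                    # category. Each pass keeps its own missing-key default:
                    # "" on the service pass, None on the category pass (the
                    # latter is skipped with a debug print).
                    for field, default in (("service", ""), ("category", None)):
                        vul_service = m.get("vul_service", default)
                        value = n.get(field, default)
                        if vul_service is None or value is None:
                            print(m, n, field)
                            continue
                        if vul_service in value:
                            entry = self._bugscan_entry(m, n, value)
                            if entry is not None:
                                self._append_unique(attack_list_bugscan, entry)

        poc_num = attack_list_xunfeng + attack_list_kunpeng + attack_list_bugscan
        print(poc_num)

        # Project deleted while the lists were being built.
        if mongo.db.tasks.find_one({"id": self.pid}) is None:
            return True

        if len(poc_num) == 0:
            # Nothing to attack: close the task out immediately.
            mongo.db.tasks.update_one({"id": self.pid}, {
                '$set': {
                    'progress': "100.00%",
                    'status': 'Finished',
                    'end_time': datetime.datetime.now(),
                    'total_host': 0,
                }
            })
            return True

        target_dict = {
            "xunfeng": attack_list_xunfeng,
            "kunpeng": attack_list_kunpeng,
            "bugscan": attack_list_bugscan,
        }

        for flag, targets in target_dict.items():
            if not targets:
                continue

            vul_id = get_uuid()
            vul = {
                "id": vul_id,
                "parent_name": self.project,
                "progress": "0.00%",
                "total_num": len(targets),
                "create_date": datetime.datetime.now(),
                "end_time": "Null",
                "status": "Running",
                "target": json.dumps(targets, ensure_ascii=False),
                "flag": flag,
                "pid": self.pid
            }
            mongo.db.vuldocker.insert_one(vul)

            # One detached container per scanner on the host network namespace;
            # `flag` is one of the three fixed keys above, so it cannot name an
            # arbitrary image.
            contain = DOCKER_CLIENT.containers.run(f"ap0llo/poc:{flag}",
                                                   ["attack", vul_id],
                                                   detach=True,
                                                   network="host",
                                                   auto_remove=True)

            # Record the container on the vuldocker document just inserted.
            # Filtering on {"id": self.pid} (the task id) matched no vuldocker
            # document — their id is vul_id — so contain_id was never stored.
            mongo.db.vuldocker.update_one({"id": vul_id}, {'$set': {"contain_id": contain.id}})

        # Heartbeat: average the per-scanner progress until every one is done.
        while True:
            if mongo.db.tasks.find_one({"id": self.pid}) is None:
                # Task deleted mid-run; stop polling rather than spin forever.
                return True

            percents = [formatnum(doc["progress"]) for doc in mongo.db.vuldocker.find({"pid": self.pid})]
            if not percents:
                # No vuldocker documents to average; dividing by zero here would
                # kill the thread and leave the task stuck in 'Running'.
                time.sleep(3)
                continue
            percent = "{:.2f}%".format(sum(percents) / len(percents))

            vul_count = mongo.db.vuls.find({'pid': self.pid}).count()
            if percent == "100.00%":
                mongo.db.tasks.update_one({"id": self.pid}, {
                    '$set': {
                        'progress': "100.00%",
                        'status': 'Finished',
                        'end_time': datetime.datetime.now(),
                        'total_host': vul_count,
                    }
                })
                return True

            mongo.db.tasks.update_one({"id": self.pid}, {
                '$set': {
                    'progress': percent,
                    "total_host": vul_count,
                }
            })
            time.sleep(3)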
    def dir_scan(self, info):
        """
        Launch a dirsearch container for *info* and poll the task document
        until the aggregated per-target progress reaches 100%.

        :param info: list of target records; serialised to JSON into the
                     task's ``target`` field, with its length in ``hidden_host``
        :return: True when finished, when *info* is empty, or when the task
                 had already been deleted; the string "flag" if the task
                 document disappears while the heartbeat loop is running
        """
        filter_ = {"id": self.pid}

        if mongo.db.tasks.find_one(filter_) is None:
            # Project deleted before the scan could start.
            return True

        if not info:
            # Nothing to scan: close the task out straight away.
            mongo.db.tasks.update_one(filter_, {
                '$set': {
                    'progress': "100.00%",
                    'status': 'Finished',
                    'end_time': datetime.datetime.now(),
                    'live_host': 0,
                }
            })
            return True

        mongo.db.tasks.update_one(filter_, {
            '$set': {
                'target': json.dumps(info, ensure_ascii=False),
                'hidden_host': len(info),
            }
        })

        # Detached, auto-removed, sharing the host network namespace. The image
        # is pinned by tag only (a digest would make the pull reproducible).
        container = DOCKER_CLIENT.containers.run("ap0llo/dirsearch:0.3.9",
                                                 [self.pid],
                                                 detach=True,
                                                 network="host",
                                                 auto_remove=True)
        mongo.db.tasks.update_one(filter_, {'$set': {'contain_id': container.id}})

        # Heartbeat: fold the per-target percentages into one progress figure.
        while True:
            task_doc = mongo.db.tasks.find_one(filter_)
            if task_doc is None:
                return "flag"

            # ``total_host`` carries the text form of {target: "xx.xx%"}, parsed
            # as a Python literal. NOTE(review): sibling scan loops parse the
            # same kind of field with json.loads; confirm which encoding the
            # dirsearch image writes — JSON null/true/false are not Python literals.
            per_target = ast.literal_eval(task_doc["total_host"])
            if not per_target:
                # Nothing reported yet; back off, then still fall through and
                # record the 0% figure.
                time.sleep(10)

            expected = task_doc["hidden_host"]
            done = sum(formatnum(v) for v in per_target.values())
            progress = '{0:.2f}%'.format(done / expected)

            if progress == "100.00%":
                mongo.db.tasks.update_one(filter_, {
                    '$set': {
                        'progress': "100.00%",
                        'status': 'Finished',
                        'end_time': datetime.datetime.now(),
                        'live_host': mongo.db.dir_vuls.find({'pid': self.pid}).count(),
                    }
                })
                return True

            mongo.db.tasks.update_one(filter_, {'$set': {'progress': progress}})
            time.sleep(3)
    def dir_scan(self, info):
        """
        Run one dirsearch container per target in *info*, one after another,
        tracking progress through the task document.

        Each target dict is serialised to JSON and handed to its container as
        the only argument. The heartbeat loop reads ``total_host`` (a JSON
        object keyed by the target's ``http_address`` with "xx.xx%" values),
        writes the aggregate back to ``progress`` every tick, and moves on to
        the next target once this target's entry reads "100.00%".

        :param info: list of target dicts, each carrying the ``http_address``
                     the container reports under
        :return: True when *info* is empty or the task document was deleted;
                 None (bare ``return``) when the aggregate hits 100.00% inside
                 the loop or the task document vanishes at the start of a tick

        NOTE(review): there is no deadline; a container that never reports
        100% for its target keeps this loop polling indefinitely.
        """
        filter_ = {"id": self.pid}

        if mongo.db.tasks.find_one(filter_) is None:
            # Project deleted before the scan started.
            return True

        if not info:
            mongo.db.tasks.update_one(filter_, {
                '$set': {
                    'progress': "100.00%",
                    'status': 'Finished',
                    'end_time': datetime.datetime.now(),
                    'live_host': 0,
                }
            })
            return True

        mongo.db.tasks.update_one(filter_, {
            '$set': {
                'target': json.dumps(info, ensure_ascii=False),
                'hidden_host': len(info),
            }
        })

        for target in info:
            payload = json.dumps(target, ensure_ascii=False)

            # Detached, auto-removed, sharing the host network namespace. The
            # "test" tag is mutable; a digest pin would make the pull reproducible.
            container = DOCKER_CLIENT.containers.run("ap0llo/dirsearch:test",
                                                     [payload],
                                                     detach=True,
                                                     remove=True,
                                                     auto_remove=True,
                                                     network="host")
            mongo.db.tasks.update_one(filter_, {'$set': {'contain_id': container.id}})

            # Heartbeat for this target.
            while True:
                time.sleep(3)

                task_doc = mongo.db.tasks.find_one(filter_)
                if task_doc is None:
                    return

                per_target = json.loads(task_doc["total_host"])
                if not per_target:
                    # Nothing reported yet; back off, then still fall through.
                    time.sleep(10)

                expected = task_doc["hidden_host"]
                done = sum(formatnum(v) for v in per_target.values())
                progress = '{0:.2f}%'.format(done / expected)

                if progress == "100.00%":
                    mongo.db.tasks.update_one(filter_, {
                        '$set': {
                            'progress': "100.00%",
                            'status': "Finished",
                            "end_time": datetime.datetime.now(),
                            "live_host": mongo.db.dir_vuls.find({"pid": self.pid}).count(),
                            "contain_id": "Null",
                        }
                    })
                    return

                mongo.db.tasks.update_one(filter_, {'$set': {'progress': progress}})

                # Re-read to see whether this target has finished (the task may
                # have been deleted in the meantime).
                latest = mongo.db.tasks.find_one(filter_)
                if latest is None:
                    return True

                latest_per_target = json.loads(latest.get("total_host"))
                if latest_per_target[target.get("http_address")] == "100.00%":
                    break

        # Every target finished without the aggregate reaching 100% inside the loop.
        mongo.db.tasks.update_one(filter_, {
            '$set': {
                'progress': "100.00%",
                'status': "Finished",
                "end_time": datetime.datetime.now(),
                "contain_id": "Null",
                "live_host": mongo.db.dir_vuls.find({"pid": self.pid}).count(),
            }
        })
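    def subdomain_scan(uid):
        """
        Run a subdomain-enumeration task, one oneforall container per target,
        and track it until every target reports 100%.

        The task first queues behind any other running "域名扫描" task (only
        one runs at a time). Then, for each comma-separated entry of the
        task's ``target`` field, a container is started and this thread polls
        ``hidden_host`` — a JSON object mapping target -> "xx.xx%" — until the
        entry for that target reads "100.00%", writing the aggregate into the
        task's ``progress`` on every tick.

        :param uid: task id, e.g. c2385a01-bb0a-40a3-8694-05a31a440ba6
        :return: True when the task document is gone or every target finished
                 without the aggregate reaching 100.00% inside the loop; None
                 (bare ``return``) when it does reach 100.00% there. Both mean
                 "done"; the asymmetry is kept for callers that may rely on it.

        NOTE(review): there is no deadline. A container that exits without
        reporting 100% leaves the task 'Running', which — because of the wait
        loop below — blocks every later subdomain task.
        """

        # Only one subdomain scan may run at a time: park this one as 'Waiting'
        # while another is 'Running'.
        while True:
            time.sleep(3)

            if mongo.db.tasks.find_one({'id': uid}) is None:
                # Task deleted while queued.
                return True

            running = mongo.db.tasks.find({'status': "Running", "hack_type": "域名扫描"}).count()
            if running > 0:
                mongo.db.tasks.update_one({"id": uid}, {'$set': {'status': 'Waiting'}})
                time.sleep(5)
                continue

            mongo.db.tasks.update_one({"id": uid}, {'$set': {'status': 'Running'}})
            break

        task_doc = mongo.db.tasks.find_one({"id": uid})
        if task_doc is None:
            return True

        target_list = task_doc["target"].split(",")
        parent_name = task_doc["parent_name"]
        # Divisor for the aggregate; presumably the number of targets — TODO confirm.
        tasks_num = task_doc["live_host"]

        for target in target_list:
            # Seed this target's entry before its container exists. The scanner
            # is expected to report into the same hidden_host object (nothing
            # in this function ever writes "100.00%" for a target), so doing
            # this read-modify-write after launch could overwrite an early
            # report with the stale snapshot.
            current = mongo.db.tasks.find_one({"id": uid})
            if current is None:
                # Task deleted between targets; this used to raise on None.
                return True
            per_target = json.loads(current.get("hidden_host"))
            per_target[target] = "0.00%"
            mongo.db.tasks.update_one(
                {"id": uid},
                {"$set": {'hidden_host': json.dumps(per_target, ensure_ascii=False)}})

            payload = json.dumps({"Purpose": target, "parentName": parent_name, "pid": uid}, ensure_ascii=False)

            # Detached, auto-removed, sharing the host network namespace; the
            # image is pinned by tag only (a digest would make the pull reproducible).
            contain = DOCKER_CLIENT.containers.run("ap0llo/oneforall:0.1.0", [payload], detach=True, remove=True,
                                                   auto_remove=True,
                                                   network="host")
            mongo.db.tasks.update_one({"id": uid}, {"$set": {"contain_id": contain.id}})

            # Heartbeat for this target.
            while True:
                time.sleep(3)

                task_dir = mongo.db.tasks.find_one({"id": uid})
                if task_dir is None:
                    return True

                per_target = json.loads(task_dir.get("hidden_host"))
                if not per_target:
                    # Nothing reported yet (the seed above should be there);
                    # wait rather than compute a figure from no data.
                    time.sleep(10)
                    continue

                now_progress = sum(formatnum(v) for v in per_target.values())
                progress = '{0:.2f}%'.format(now_progress / tasks_num)

                if progress == "100.00%":
                    mongo.db.tasks.update_one(
                        {"id": uid},
                        {'$set': {
                            'progress': "100.00%",
                            'status': "Finished",
                            "end_time": datetime.datetime.now(),
                        }},
                    )
                    return

                mongo.db.tasks.update_one({"id": uid}, {'$set': {'progress': progress}})

                # Is this target done? Decided from the snapshot read at the top
                # of the tick (one query per tick instead of two). .get() so a
                # missing key — e.g. the scanner rewrote the object — keeps
                # waiting instead of raising KeyError and stranding the task in
                # 'Running'.
                if per_target.get(target) == "100.00%":
                    break

        # Every target finished without the aggregate hitting 100% in the loop.
        mongo.db.tasks.update_one(
            {"id": uid},
            {'$set': {
                'progress': "100.00%",
                'status': "Finished",
                "end_time": datetime.datetime.now(),
                "contain_id": "Null",
            }},
        )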