def log_request(self, handler, request):
domain = request.q.qname.__str__()
h = domain.split('.')[0]
if domain.endswith(config.DNS_DOMAIN + '.'):
if h and re.match(config.hash_pattern, h):
#update database
config.dbconn().update('result', {'result': "vul"},
{'hash': h})
config.dbconn().insert('hashlog', {'hash': h})
def check_hash(hash):
if config.dbconn().fetch_rows('hashlog',
condition={'hash': hash},
limit="1",
fetchone=True):
return True
else:
return False
def exploit(request, response, method, key, is_array=False):
if config.dbconn().fetch_rows('result', condition="exploit='%s' and result != 'continue' and `host`='%s'" % (os.path.basename(__file__)[:-3], request['host']), order="id asc", limit="1", fetchone=True): return
allow = requests.options(request['uri']).headers.get('Allow', '')
if allow.find('PUT') != -1 or allow.find('PATCH') != -1:
return {'result': 'vul', 'info': "Server support put/patch method", 'hash': None, 'level': "middle"}
else:
return {'result': 'safe', 'info': "Server does not support put/patch method", 'hash': None, 'level': "middle"}
def report_log():
url = request.form.get('url', '')
method = request.form.get('method', '')
info = request.form.get('info', '')
print url
if url and method and info:
#h = hashlib.md5(url+method+info).hexdigest()
host = urlparse.urlparse(url).netloc
h = hashlib.md5(host + method + info).hexdigest()
config.dbconn().insert('detector', {
'hash': h,
'url': url,
'method': method,
'info': info
})
rst = make_response('')
rst.headers['Access-Control-Allow-Origin'] = '*'
return rst
def catch_all(path):
h = request.args.get('hash', '')
host = request.headers.get('host', '').split('.')[0]
if h and re.match(config.hash_pattern, h):
#update database
config.dbconn().update('payload', {'status': "vul"}, {'hash': h})
config.dbconn().insert('hashlog', {'hash': h})
if host and re.match(config.hash_pattern, host):
config.dbconn().update('payload', {'status': "vul"}, {'hash': host})
config.dbconn().insert('hashlog', {'hash': host})
return ''
def process(obj):
st = """<a href="%s" target="_blank">%s</a>""" % (obj['url'],
obj['url'])
obj['url'] = st
request = json.loads(config.dbconn().fetch_rows(
'http', condition={'id': obj['requestid']}, fetchone=True)['req'])
obj['request'] = render_template('modal_style.html',
content=build_request(request),
target_hash=obj['id'])
return obj
def callback(self, ret):
if not ret: return
result = ret.get('result', 'unknown')
info = ret.get('info', 'unknown')
level = ret.get('level', 'low')
hash = ret.get('hash', None)
if check_hash(hash) and result == 'unknown':
result = 'vul'
result = {
'requestid': self.requestid,
'method': self.method,
'key': self.key,
'host': self.host,
'url': self.url,
'level': level,
'hash': hash,
'info': info,
'result': result,
'exploit': self.module_name
}
config.dbconn().insert(table='result', data=result)
def get_detector():
def process(obj):
st = """<a href="%s" target="_blank">%s</a>""" % (obj['url'],
obj['url'])
obj['url'] = st
obj['info'] = render_template('modal_style.html',
content=obj['info'],
target_hash=obj['hash'])
return obj
return json.dumps(
map(
process,
config.dbconn().fetch_rows('detector',
condition={'show': 1},
order="id DESC")))
def get_vul():
def process(obj):
st = """<a href="%s" target="_blank">%s</a>""" % (obj['url'],
obj['url'])
obj['url'] = st
request = json.loads(config.dbconn().fetch_rows(
'http', condition={'id': obj['requestid']}, fetchone=True)['req'])
obj['request'] = render_template('modal_style.html',
content=build_request(request),
target_hash=obj['id'])
return obj
return json.dumps(
map(
process,
config.dbconn().fetch_rows('result',
condition="`show`=1 and result='vul'",
order="id DESC")))
def newgidtype(self, req, res):
# 如果是ajax请求,合并到上一个group
last = config.dbconn().fetch_rows('http',
'*', {'type': 1},
order='time desc',
limit=1,
fetchone=True)
if not last: return 1, 1
if req.headers.get(
'x-requested-with',
'').lower() == 'xmlhttprequest' or 'xml' in res.headers.get(
'content-type', '') or 'json' in res.headers.get(
'content-type', ''):
return last['gid'], 2
elif 'html' in res.headers.get('content-type',
'') and time.time() - last['time'] > 3:
return last['gid'] + 1, 1
else:
return last['gid'], 3
def get_one():
return config.dbconn().fetch_rows('http',
condition={'checked': 0},
order="id asc",
limit="1",
fetchone=True)
pass
return 'str'
while True:
http = get_one()
if not http:
time.sleep(3)
continue
req = json.loads(http['req'])
if req['rtype'] not in ['qs', 'rewrite']:
config.dbconn().insert(
'requests', {
'requestid': http['id'],
'method': req['method'],
'key': '',
'type': 'special|' + req['rtype']
})
else:
# support array like a[]=1&a[]=2
parsed = urlparse.urlparse(req['uri'])
get_parts = urlparse.parse_qs(parsed.query)
if get_parts:
for k, v in get_parts.items():
v = v[0] if len(v) == 1 else v
vtype = get_type(k, v)
if check_key(k) and check_value(v, vtype):
config.dbconn().insert(
'requests', {
'requestid': http['id'],
# -*- coding: utf-8 -*-
import multiprocessing
import time
import sys
import imp
from os import listdir, path
import config
import os, signal
import json
import traceback
conn = config.dbconn()
def AttackTargets(module_name, request, response, method, key, is_array=False):
signal.signal(signal.SIGALRM, timeout_handler)
try:
module = imp.load_source(
module_name, config.EXPLOITS_PATH + os.sep + module_name + '.py')
timeout = module.timeout if module.timeout else config.EXPLOIT_TIMEOUT
signal.alarm(timeout)
ret = module.exploit(request, response, method, key, is_array)
signal.alarm(0)
return ret
except TimeoutError:
print '%s timeout' % module_name
except Exception as e:
traceback.print_exc()
print('`%s`: %s' % (module_name, e))
signal.alarm(0)
def del_detector():
h = request.args.get('hash', '')
if h:
config.dbconn().update('detector', {'show': 0}, {'hash': h})
return ''
def del_vul():
h = request.args.get('id', '')
if h:
config.dbconn().update('result', {'show': 0}, {'id': h})
return ''
def save_handler(self, request, response, response_body):
#check res.status
#if re.match(config.filter_code, str(res.status)): return
reqtype = 'qs'
raw_response_body = ''
if request.body:
request.body = request.body.decode('utf-8', 'ignore')
if response_body:
raw_response_body = response_body
response_body = response_body.decode('utf-8', 'ignore')
request.uri = makeFullUri(request.uri, request.host, request.protocol)
parsed = urlparse.urlparse(request.uri)
#check host
if config.included_host and not len(
[h for h in config.included_host if request.host.endswith(h)]):
return
if len([h for h in config.excluded_host if request.host.endswith(h)]):
return
#check fileext
if len([h for h in config.filter_file if parsed.path.endswith(h)]):
return
path = os.path.normpath(parsed.path)
#check query string
if request.method == 'GET' and not parsed.query:
if os.path.splitext(path)[1]: return
if len(path.split('/')) < 3: return
reqtype = 'rewrite'
#don' save response body into database
save_body = True
#check query, get must have query string or url-rewrited
#GET method, have ext and do not have query string
#if os.uri.splitext(request.uri)[1] and request.method == 'GET' and not urlparse.urlparse(request.uri).query: save_body = False
#only some content-type save to database
if config.filter_content_type and not len([
h for h in config.filter_content_type
if h in response.headers.get('content-type', '')
]):
save_body = False
conn = config.dbconn()
separator = None
args = {}
if 'multipart/form-data;' in request.headers.get('content-type', ''):
separator = request.headers.get('content-type').split("=")[-1]
if request.method == 'POST':
reqtype, args, files = process_post_body(request.body, separator)
signature = mark_unique(request.uri, args)
if conn.fetch_rows('http',
condition={'signature': signature},
fetchone=True):
return
# site basic info
siteinfo = conn.fetch_rows('siteinfo',
'*', {
'host': request.host,
'key': 'lang'
},
fetchone=True)
if not siteinfo:
lang, framework = check_lang(request, response)
conn.insert('siteinfo', {
'host': request.host,
'key': 'lang',
'value': lang
})
conn.insert('siteinfo', {
'host': request.host,
'key': 'framework',
'value': framework
})
if siteinfo and siteinfo.get('value', '') == 'unkonwn':
lang = check_lang(request.uri)
conn.update('siteinfo', {'value': lang},
condition={
'host': request.host,
'key': 'lang'
})
req = parseReq(request, reqtype)
rsp = parseRsp(response, response_body, save_body, raw_response_body)
gid, rtype = self.newgidtype(request, response)
data = {
'gid': gid,
'host': request.host,
'req': json.dumps(req),
'rsp': json.dumps(rsp),
'time': time.time(),
'type': rtype,
'signature': signature
}
conn.insert('http', data)
detector = [i for i in dir(lib.detector) if i.startswith('detect_')]
for d in detector:
try:
c = getattr(lib.detector, d)
c(req, rsp)
except Exception as e:
print e