def dbquery(request):
targetValue = request.GET.get('targetValue')
action = request.GET.get('action')
if targetValue != None:
print(targetValue)
if action == "dbquery":
result = execute_sql_in_db(targetValue, db_name)
result = str(result)
return HttpResponse(result.replace("\n", "<br>"))
else:
return render_to_response("dbquery.html", {})
def targets(request):
targetValue = request.GET.get('targetValue')
action = request.GET.get('action')
if targetValue != None:
print(targetValue)
if action == "query":
result1 = execute_sql_in_db(
"select http_domain from %s" % first_targets_table_name, db_name)
RESULT1 = ""
if len(result1) != 0:
for each in result1:
RESULT1 += each[0] + "\n"
else:
RESULT1 = "None\n"
result2 = execute_sql_in_db(
"select http_domain from %s" % targets_table_name, db_name)
RESULT2 = ""
if len(result2) != 0:
for each in result2:
RESULT2 += each[0] + "\n"
else:
RESULT2 = "None\n"
string = "first targets:\n" + RESULT1 + "\n" + "targets:\n" + RESULT2
string = string.replace("\n", "<br>")
return HttpResponse(string)
elif action == "add":
targetValue = get_http_domain_from_url(targetValue)
execute_sql_in_db(
"insert into %s(http_domain,domain) values('%s','%s')" %
(targets_table_name, targetValue, targetValue.split("/")[-1]),
db_name)
string = "add new target %s for scan successully:D" % targetValue
return HttpResponse(string)
elif action == "delete":
targetValue = get_http_domain_from_url(targetValue)
execute_sql_in_db(
"DELETE FROM `%s` WHERE http_domain='%s'" %
(targets_table_name, targetValue), db_name)
string = "delete target %s from db successully:D" % targetValue
return HttpResponse(string)
else:
print("normal visit without action request to targets.html")
pass
# 下面这句不能少,下面这句是作为没有action[query/add/delete]查询时的正常情况下的显示页面的处理情况
return render(request, "targets.html", {})
import os
import re
from exp10it import get_string_from_command
from exploit import execute_sql_in_db
from exploit import CONFIG_INI_PATH
if os.path.exists(CONFIG_INI_PATH):
db_name = "exploitdb"
result = get_string_from_command("mysql")
if re.search(r"Can't connect", result, re.I):
os.system("service mysql start")
execute_sql_in_db("drop database %s" % db_name)
os.system("rm %s" % CONFIG_INI_PATH)
else:
print("%s not exist" % CONFIG_INI_PATH)
print(("请手动删除数据库exp10itdb"))
#os.system("echo y | pip3 uninstall exp10it")
os.system("rm %s" % CONFIG_INI_PATH)
current_dir = os.path.split(os.path.realpath(__file__))[0]
os.system("cd ~ && rm -r %s" % current_dir)
print("uninstall finished")
def result(request):
targetValue = request.GET.get('targetValue')
action = request.GET.get('action')
if targetValue != None:
print(targetValue)
if action == "result" and targetValue == "initShowResult":
firstTargets = execute_sql_in_db(
"select http_domain from %s" % first_targets_table_name, db_name)
targets = execute_sql_in_db(
"select http_domain from %s" % targets_table_name, db_name)
returnString = ""
firstTargetsValue = "firstTargets,"
targetsValue = "targets,"
if len(firstTargets) == 0:
pass
else:
for eachTarget in firstTargets:
eachHttpDomain = eachTarget[0]
firstTargetsValue += eachHttpDomain + ","
firstTargetsValue = firstTargetsValue[:-1] + ";"
if len(targets) == 0:
pass
else:
for eachTarget in targets:
eachHttpDomain = eachTarget[0]
targetsValue += eachHttpDomain + ","
targetsValue = targetsValue[:-1]
# eg.返回为
# firstTargets,http://www.baidu.com,http://www.nihao.com;targets,http://www.wohao.com,http://www.dajiahao.com
returnString = firstTargetsValue + targetsValue
print(returnString)
return HttpResponse(returnString)
elif action == "result" and targetValue != "initShowResult":
# targetValue不为initShowResult时通过targetValue参数传递的内容是http_domain格式的目标,这种情况返回与该目
# 标相关的所有扫描结果,(如果在扫描范围内)包括子域和旁站
http_domain = targetValue
print(http_domain)
tableNameList = get_target_table_name_list(http_domain)
# 下面的tableName是targets或first_targets
tableName = tableNameList[0]
#原来这里也显示urls和resource_files字段,后来决定不显示这两个字段
resultColumns = [
"risk_scan_info", "script_type", "dirb_info", "sqlis",
"robots_and_sitemap", "cms_value", "cms_scan_info",
"like_admin_login_urls", "cracked_admin_login_urls_info",
"like_webshell_urls", "cracked_webshell_urls_info", "whois_info",
"pang_domains", "sub_domains"
]
returnValue = ""
for columnName in resultColumns:
result = execute_sql_in_db(
"select %s from %s where http_domain='%s'" %
(columnName, tableName, http_domain), db_name)
if len(result[0][0]) == 0:
columnNameResult = ""
else:
columnNameResult = "%s:\n    " % columnName.replace(
"_", " ") + result[0][0] + "\n\n"
returnValue += columnNameResult
# 如果有旁站则加上旁站扫描结果
targetPangTableName = http_domain.split("/")[-1].replace(".",
"_") + "_pang"
if exist_table_in_db(targetPangTableName, db_name) == True:
pangDoamins = execute_sql_in_db(
"select http_domain from %s" % targetPangTableName, db_name)
pangDoaminsList = []
for each in pangDoamins:
pangDoaminsList.append(each[0])
# 下面加上旁站扫描结果
returnValue += "下面是旁站扫描结果:\n\n"
for eachPangDomain in pangDoaminsList:
for columnName in resultColumns:
if columnName not in ["pang_domains", "sub_domains"]:
result = execute_sql_in_db(
"select %s from %s where http_domain='%s'" %
(columnName, targetPangTableName, eachPangDomain),
db_name)
if len(result[0][0]) == 0:
columnNameResult = ""
else:
columnNameResult = "%s:\n    " % columnName.replace(
"_", " ") + result[0][0] + "\n\n"
returnValue += columnNameResult
# 如果有子站则加上子站扫描结果
targetSubTableName = http_domain.split("/")[-1].replace(".",
"_") + "_sub"
if exist_table_in_db(targetSubTableName, db_name) == True:
SubDoamins = execute_sql_in_db(
"select http_domain from %s" % targetSubTableName, db_name)
SubDoaminsList = []
for each in SubDoamins:
SubDoaminsList.append(each[0])
# 下面加上子站扫描结果
returnValue += "下面是子站扫描结果:\n\n"
for eachSubDomain in SubDoaminsList:
for columnName in resultColumns:
if columnName not in ["pang_domains", "sub_domains"]:
result = execute_sql_in_db(
"select %s from %s where http_domain='%s'" %
(columnName, targetSubTableName, eachSubDomain),
db_name)
if len(result[0][0]) == 0:
columnNameResult = ""
else:
columnNameResult = "%s:\n    " % columnName.replace(
"_", " ") + result[0][0] + "\n\n"
returnValue += columnNameResult
if returnValue == "":
returnValue += "there is no result about %s" % http_domain
return HttpResponse(returnValue.replace("\n", "<br>"))
else:
return render_to_response("result.html", {})
<void method="start"/>
</object>
</java>
</work:WorkContext>
</soapenv:Header>
<soapenv:Body/>
</soapenv:Envelope>
'''
# 判断漏洞是否存在
target = sys.argv[1]
print("checking weblogic vul for "+target)
# 传入的target是http://www.baidu.com格式(不带端口 )
target_table_name = get_target_table_name_list(target)[0]
result = execute_sql_in_db("select port_scan_info from %s where http_domain='%s'" %
(target_table_name, target), "exp10itdb")
test_url_list = []
cms_url = get_cms_entry_from_start_url(target)
parsed = urlparse(target)
test_url_list.append(cms_url)
open_port_list = get_target_open_port_list(target)
for port in open_port_list:
if port not in COMMON_NOT_WEB_PORT_LIST:
test_url_list.append(parsed.scheme + "://" +
parsed.hostname + ":" + port)
def check(url):
