Example #1
def SenFileScan(domain, url) -> str:
    """
    Sensitive file / directory scan.
    Wordlist: dict\SEN_scan.txt (expected to be loaded into the Redis list ``SenScan``).

    Every entry of ``SenScan`` is appended to *url* as ``<url>/<entry>`` and the
    candidates are probed through ``UrlRequest`` on a 20-thread pool.  Each
    candidate that ``UrlRequest`` returned is fetched a second time and compared
    with the site's own "not found" page so that soft-404 responses are dropped;
    the survivors are printed, stored as ``BugList`` rows and counted in Redis.

    :param domain: stored as ``BugList.oldurl`` on every finding
    :param url: base URL the wordlist entries are appended to
    :return: the confirmed URLs, one per line, each terminated by a newline
             (empty string when nothing was confirmed)
    """
    pools = 20
    urlList = []
    # One candidate per wordlist entry; llen/lindex read the Redis list "SenScan".
    for i in range(0, redispool.llen("SenScan")):
        suffix = redispool.lindex("SenScan", i)
        senurl = "{}/{}".format(url, suffix)
        urlList.append(senurl)
    pool = ThreadPool(pools)
    # UrlRequest runs once per candidate; its per-URL return values are what
    # gets re-checked below (None entries are skipped there).
    SenFileMessage = pool.map(UrlRequest, urlList)
    SenFileMessage2 = ""
    pool.close()
    pool.join()
    # Baseline for soft-404 detection: fetch a path that should not exist and
    # keep its body for comparison.
    url404 = "{}/springbird404page".format(url)
    try:
        # verify=False disables TLS certificate validation, so for https targets
        # the bodies stored below could have been supplied by any on-path party.
        rep404 = requests.get(url404,
                              headers=core.GetHeaders(),
                              timeout=3,
                              verify=False).text
    except Exception as e:
        print("超时")
        # On any failure the exception text becomes the baseline, so the
        # similarity check below then compares pages against an error string.
        rep404 = str(e)
        pass  # redundant: the handler already ends here
    if len(SenFileMessage) != 0:
        with app.app_context():
            print("Sen file and dir : \n")
            # NOTE: the loop variable rebinds the `url` parameter; nothing below
            # reads the original value again, so it is harmless here but fragile.
            for url in SenFileMessage:
                try:
                    if url is None:
                        continue
                    rep = requests.get(url,
                                       headers=core.GetHeaders(),
                                       timeout=1,
                                       verify=False)
                    # Drop responses that resemble the site's 404 page to cut
                    # down on noise (radio=0.85 is the threshold handed to
                    # core.is_similar_page; see that helper for its meaning).
                    if not core.is_similar_page(rep404, rep.text, radio=0.85):
                        print(url)
                        # Finding record: grade comes from the Redis hash
                        # 'bugtype', and the full response body is stored.
                        bug = BugList(oldurl=domain,
                                      bugurl=url,
                                      bugname="SenDir",
                                      buggrade=redispool.hget(
                                          'bugtype', "SenDir"),
                                      payload=url,
                                      bugdetail=rep.text)
                        SenFileMessage2 += url + "\n"
                        # PFADD (Redis HyperLogLog) counters keyed by grade and by type.
                        redispool.pfadd(redispool.hget('bugtype', "SenDir"),
                                        url)
                        redispool.pfadd("SenDir", url)
                        db.session.add(bug)
                except Exception as e:
                    # Broad catch: request errors *and* failures inside
                    # BugList/Redis/session.add are all silently dropped.
                    # print(e)
                    pass
            # One commit for everything added in the loop.
            db.session.commit()
    return SenFileMessage2
Example #2
def SenFileScan(domain, redispool) -> str:
    """
    Sensitive file / directory scan (variant taking the Redis client as a parameter).
    Wordlist: dict\SEN_scan.txt (expected to be loaded into the Redis list ``SenScan``).

    Builds ``http://<domain>/<entry>`` for every entry of ``SenScan`` (the scheme
    is fixed to http), probes the candidates through ``UrlRequest`` on a 20-thread
    pool, then fetches every URL ``UrlRequest`` returned and stores it as a
    ``BugList`` row.  Unlike the 404-baseline variant, no soft-404 filtering is
    done here: everything ``UrlRequest`` returns is recorded as a finding.

    :param domain: host the wordlist entries are appended to; also stored as
                   ``BugList.oldurl``
    :param redispool: Redis client holding the ``SenScan`` list and the
                      ``bugtype`` hash
    :return: the non-None results of ``UrlRequest`` joined by newlines,
             regardless of whether the database writes succeeded
    """
    pools = 20
    urlList = []
    # One candidate per wordlist entry.
    for i in range(0, redispool.llen("SenScan")):
        url="http://{}/{}".format(domain, redispool.lindex("SenScan", i))
        urlList.append(url)
    pool = ThreadPool(pools)
    SenFileMessage = pool.map(UrlRequest, urlList)
    pool.close()
    pool.join()
    if len(SenFileMessage)!=0:
        with app.app_context():
            # None entries are not skipped here; requests.get(None) raises and
            # the exception is printed by the handler below.
            for url in SenFileMessage:
                try:
                    # verify=False disables TLS certificate validation.
                    rep = requests.get(url, headers=core.GetHeaders(), timeout=3, verify=False)
                    # Grade comes from the Redis hash 'bugtype'; the full response body is stored.
                    bug = BugList(oldurl=domain, bugurl=url, bugname="SenDir",buggrade=redispool.hget('bugtype', "SenDir"),payload=url, bugdetail=rep.text)
                    db.session.add(bug)
                except Exception as e:
                    # Any failure (request, model construction, session.add) is printed and skipped.
                    print(e)
                    pass
            # One commit for everything added in the loop.
            db.session.commit()
    return "\n".join(list(filter(None, SenFileMessage)))
Example #3
def SubDomainBurst(true_domain,redispool):
    """
    Subdomain enumeration from a wordlist.

    Each entry of the Redis list ``SubScan`` is prefixed to *true_domain* to
    form ``http://<entry>.<true_domain>``; the candidates are handed to
    ``UrlRequest`` on a 20-thread pool and the truthy results are returned
    joined by newlines.

    :param true_domain: base domain the list entries are prefixed to
    :param redispool: Redis client holding the ``SubScan`` list
    :return: newline-joined string of the non-empty results of ``UrlRequest``
    """
    worker_count = 20
    # Build every candidate host up front; llen is read once, lindex per entry.
    candidates = [
        "http://{}.{}".format(redispool.lindex("SubScan", idx), true_domain)
        for idx in range(redispool.llen("SubScan"))
    ]
    workers = ThreadPool(worker_count)
    results = workers.map(UrlRequest, candidates)
    workers.close()
    workers.join()
    # Keep only truthy results, in the original candidate order.
    return "\n".join(hit for hit in results if hit)
Example #4
def GetXSS(url):
    """
    Reflection check for a single URL.

    Splits *url* at the first ``?`` into a base and its query string, then
    walks the Redis list ``XSSpayloads`` from the last entry to the first.
    For each payload it appends the payload to every ``name=value`` pair of
    the query, fetches the resulting page with ``core.gethtml`` and reports
    the first payload that appears verbatim in the response body.  A verbatim
    echo only shows reflection, not that the reflected text is executable in
    its output context; no encoding or context analysis is done here.

    ``redispool`` is read from module scope.  (The commented-out ``__main__``
    block below passes it as a second argument, which this signature does
    not accept.)

    :param url: URL to test; a URL without a query string is reported as
                negative without any request being made
    :return: ``(True, website, source)`` on the first verbatim reflection,
             where ``website`` is the URL that was requested and ``source``
             its body; ``(False, None, None)`` otherwise
    """
    domain = url.split("?")[0]
    # urlparse(...).query is "" when there is no query string, so split("&")
    # yields [""] and any() below is False.
    queries = urlparse.urlparse(url).query.split("&")
    if not any(queries):
        return False, None, None
    else:
        # Walk the payload indices from llen-1 down to 0.
        for payloadindex in range(redispool.llen("XSSpayloads") - 1, -1, -1):
            payload = redispool.lindex("XSSpayloads", payloadindex)
            # Each whole "name=value" pair gets the payload appended to it.
            website = domain + "?" + ("&".join(
                [param + payload for param in queries]))
            source = core.gethtml(website)
            # Plain substring test: positive only if the payload is echoed byte-for-byte.
            if payload in source:
                # print("(+)this url have xss bug {},payload is {}".format(url,payload))
                return True, website, source
    # print("(-)this url haven't xss bug {}".format(url))
    return False, None, None


# if __name__=='__main__':
#     redispool = redis.Redis(connection_pool=ImportToRedis.redisPool)
#     GetXSS("http://leettime.net/xsslab1/chalg1.php?name=1",redispool)
#     GetXSS("http://testphp.vulnweb.com/listproducts.php?cat=1",redispool)
#     GetXSS("http://www.yuebooemt.com/about.php?id=37",redispool)
Example #5
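def GetHeaders():
    """
    Build a request header dict with a User-Agent drawn at random from the
    Redis list ``useragents``.

    ``redispool`` is read from module scope.

    :return: ``{'User-Agent': <entry>}`` where ``<entry>`` is one element of
             the ``useragents`` list (``None`` when the list is empty, as
             ``lindex`` then has nothing to return)
    """
    count = redispool.llen('useragents')
    # random.randint's upper bound is inclusive, so the previous
    # randint(0, count) could select index == count, which is past the end
    # of the list and makes lindex answer None -> a request sent without a
    # usable User-Agent.  randrange(count) yields 0..count-1, always valid.
    # An empty list keeps the old behaviour (index 0 -> lindex returns None).
    index = random.randrange(count) if count else 0
    useragent = redispool.lindex('useragents', index)
    return {'User-Agent': useragent}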