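def do_check(self, url):
    """Probe for a MongoDB instance that accepts unauthenticated connections.

    Runs only for the site root. The target port is ``self.port`` when the
    scan target was given with a ``mongodb://`` scheme on a non-standard
    port, otherwise 27017 (and only if that port was seen open). A hit is a
    non-empty database listing; the result records the database names.
    Network and driver errors are swallowed: this is a best-effort probe.
    """
    if url != '/':
        return
    port = 27017
    if self.scheme == 'mongodb' and self.port != 27017:  # explicit non-standard port
        port = self.port
    elif 27017 not in self.ports_open:
        return

    conn = None
    try:
        # serverSelectionTimeoutMS bounds how long pymongo waits for a
        # selectable server; connect/socket timeouts alone leave the driver's
        # own (much longer) default in place for that phase.
        conn = pymongo.MongoClient(host=self.host,
                                   port=port,
                                   connectTimeoutMS=5000,
                                   socketTimeoutMS=5000,
                                   serverSelectionTimeoutMS=5000)
        database_list = conn.list_database_names()
        if not database_list:
            return
        detail = "%s MongoDB Unauthorized Access : %s" % (
            self.host, ",".join(database_list))
        save_script_result(self, '', 'mongodb://%s:%s' % (self.host, port),
                           detail)
    except Exception:
        # Unreachable host, auth failure or timeout all mean "not found".
        pass
    finally:
        # Close on every path; the original leaked the client if
        # list_database_names() raised.
        if conn is not None:
            conn.close()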
def do_check(self, url):
    """Look for downloadable archives/dumps named after the host or a folder.

    Two probes share one list of archive-like extensions:

    * On the site root, when ``self.domain_sub`` is set, it requests
      ``/<hostname><ext>`` and ``/<domain_sub><ext>``. A hit is a 206 reply
      from a site whose 404 baseline is a real 404 or whose content type is
      ``application/*`` -- or, independent of the status code, a ``.sql``
      body containing ``CREATE TABLE``.
    * On a sub-folder URL such as ``/aaa/bbbb/`` it requests
      ``/aaa/bbbb<ext>`` for folder names of at least four characters; a hit
      needs a 206 with an ``application/*`` content type.

    Does nothing without a live HTTP session.
    """
    if not self.session:
        return

    archive_exts = ('.zip', '.rar', '.tar.gz', '.tar.bz2', '.tgz', '.7z',
                    '.log', '.sql')

    def binary_partial(status, headers):
        # Partial-content reply advertising a non-text payload.
        return status == 206 and 'application/' in headers.get('content-type', '')

    if url == '/' and self.domain_sub:
        bases = (self.host.split(':')[0], self.domain_sub)
        for base in bases:
            for ext in archive_exts:
                path = '/' + base + ext
                status, headers, body = self.http_request(path)
                # `and` binds tighter than `or`: the .sql clause applies
                # whatever the status code. Kept exactly as the original.
                hit = (status == 206 and
                       (self._404_status == 404 or
                        'application/' in headers.get('content-type', ''))) \
                    or (ext == '.sql' and 'CREATE TABLE' in body)
                if hit:
                    save_script_result(self, status, self.base_url + path, '',
                                       'Compressed File')

    elif url != '/':
        folder = url.split('/')[-2]        # 'bbbb' for '/aaa/bbbb/'
        if len(folder) < 4:
            return
        prefix = url[:-len(folder) - 1]    # '/aaa/'
        for ext in archive_exts:
            path = prefix + folder + ext
            status, headers, _ = self.http_request(path)
            if binary_partial(status, headers):
                save_script_result(self, status, self.base_url + path, '',
                                   'Compressed File')
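def do_check(self, url):
    """Probe a Docker Registry HTTP API for an anonymously readable catalog.

    Runs only for the site root. Port selection follows the other service
    checks: ``self.port`` when the target was given with the ``docker api``
    scheme on a non-standard port, else 30000 if that port was seen open.
    ``/v2/_catalog`` is tried first, then ``/v1/_catalog``; the first
    endpoint that answers 200 with a ``repositories`` listing is recorded
    and the other is skipped. Any request error ends the probe silently.
    """
    if url != '/':
        return
    port = 30000
    if self.scheme == 'docker api' and self.port != 30000:  # explicit non-standard port
        port = self.port
    elif 30000 not in self.ports_open:
        return

    try:
        for api_path in ('/v2/_catalog', '/v1/_catalog'):
            target = 'http://%s:%s%s' % (self.host, port, api_path)
            r = requests.get(target, timeout=5, verify=False)
            # Require a 200: a registry that demands auth answers 401, and
            # an error body that merely mentions "repositories" must not be
            # reported as an open catalog.
            if r.status_code == 200 and "repositories" in r.text:
                save_script_result(self, '', target,
                                   'docker registry api Unauthorized Accesss')
                return
    except Exception:
        # Best-effort probe: connection errors mean "nothing found".
        pass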
def do_check(self, url):
    """Discuz!-specific checks: leaked config backups and the getcolor DOM XSS.

    Only runs on the site root with a live session, and only when the site
    looks like Discuz!: the index 301-redirects to ``forum.php`` or the
    index headers carry a ``_saltkey=`` cookie.

    * Backup probe: each candidate config path answering 200/206 with a body
      containing ``<?php`` is recorded as ``Discuz Backup File Found``.
    * XSS probe: ``/static/image/admincp/getcolor.htm`` containing the
      ``if(fun) eval('parent.'+fun+'`` snippet is recorded as
      ``Discuz getcolor DOM XSS``.
    """
    if url != '/' or not self.session:
        return

    redirected_to_forum = (self.index_status == 301 and
                           'forum.php' in self.index_headers.get('location', ''))
    has_saltkey_cookie = str(self.index_headers).find('_saltkey=') > 0
    if not (redirected_to_forum or has_saltkey_cookie):
        return

    backup_candidates = (
        '/config/config_ucenter.php.bak',
        '/config/.config_ucenter.php.swp',
        '/config/.config_global.php.swp',
        '/config/config_global.php.1',
        '/uc_server/data/config.inc.php.bak',
        '/config/config_global.php.bak',
        '/include/config.inc.php.tmp',
    )
    for candidate in backup_candidates:
        status, _headers, body = self.http_request(candidate)
        if status in (200, 206) and '<?php' in body:
            save_script_result(self, status, self.base_url + candidate,
                               'Discuz Backup File Found')

    # getcolor DOM XSS
    xss_path = '/static/image/admincp/getcolor.htm'
    status, _headers, body = self.http_request(xss_path)
    # `> 0` rather than `>= 0` mirrors the original; a match at offset 0
    # would be skipped, which cannot happen for a real HTML document.
    if body.find("if(fun) eval('parent.'+fun+'") > 0:
        save_script_result(self, status, self.base_url + xss_path, '',
                           'Discuz getcolor DOM XSS')
def do_check(self, url):
    """Flag a site root that redirects straight into an admin/login area.

    Root-only, needs a live session and an index status of 301/302. If the
    ``Location`` header contains any of ``admin``, ``login``, ``manage`` or
    ``backend`` the site is recorded once as ``Admin Site``.
    """
    if url != '/' or not self.session:
        return
    if self.index_status not in (301, 302):
        return

    target = self.index_headers.get('location', '')
    if any(marker in target for marker in ('admin', 'login', 'manage', 'backend')):
        save_script_result(self, self.index_status, self.base_url + '/',
                           'Admin Site')
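def do_check(self, url):
    """Detect Outlook Web App / Exchange Web Services on the target.

    Root-only, needs a live session. Three signals are accepted, in order:

    1. the index answers 302 to ``https://<host>/owa``;
    2. ``/ews/`` answers 302 either to the malformed
       ``https://<host>http://<host>/ews/`` (as emitted by some front ends)
       or to ``https://<host>/ews/`` -- in the latter case a direct HTTPS
       ``HEAD /ews`` must come back 401 (an auth challenge);
    3. ``/ews/`` answers 401 from a ``Microsoft-IIS`` server.
    """
    if url != '/' or not self.session:
        return

    owa_root = 'https://%s' % self.host
    if (self.index_status == 302 and
            self.index_headers.get('location', '').lower() == owa_root + '/owa'):
        save_script_result(self, 302, owa_root, 'OutLook Web APP Found')
        return

    status, headers, html_doc = self.http_request('/ews/')

    if status == 302:
        redirect_url = headers.get('location', '')
        if redirect_url == 'https://%shttp://%s/ews/' % (self.host, self.host):
            save_script_result(self, 302, owa_root, 'OutLook Web APP Found')
            return
        if redirect_url == owa_root + '/ews/':
            conn = None
            try:
                # Bounded like the other probes; the original had no timeout
                # and could block the scanner indefinitely. Certificate
                # verification stays on here (unlike the requests-based
                # checks), so a self-signed front end fails silently --
                # NOTE(review): confirm whether that is intended.
                conn = http.client.HTTPSConnection(self.host, timeout=5)
                conn.request('HEAD', '/ews')
                if conn.getresponse().status == 401:
                    save_script_result(self, 401, redirect_url,
                                       'OutLook Web APP Found')
            except Exception:
                pass
            finally:
                if conn is not None:
                    conn.close()
            return

    elif status == 401:
        # NOTE(review): 'Server' is looked up with a capital S while other
        # headers use lowercase keys; confirm how http_request normalizes.
        if headers.get('Server', '').find('Microsoft-IIS') >= 0:
            save_script_result(self, 401, self.base_url + '/ews/',
                               'OutLook Web APP Found')
            return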
def do_check(self, url):
    """Look for leftover copies of ``wp-config.php`` on a WordPress site.

    Runs once, on the site root with a live session, and only when the index
    page references ``/wp-content/themes/`` (the WordPress fingerprint used
    here). Every candidate path answering 200/206 with ``<?php`` in the body
    is reported as ``WordPress Backup File Found``; such a copy is served as
    plain text and normally holds the database credentials.
    """
    if url != '/' or not self.session:
        return
    if '/wp-content/themes/' not in self.index_html_doc:
        return

    leftover_names = (
        '/wp-config.php.inc',
        '/wp-config.inc',
        '/wp-config.bak',
        '/wp-config.php~',
        '/.wp-config.php.swp',
        '/wp-config.php.bak',
    )
    for candidate in leftover_names:
        status, _headers, body = self.http_request(candidate)
        if status not in (200, 206):
            continue
        if '<?php' in body:
            save_script_result(self, status, self.base_url + candidate, '',
                               'WordPress Backup File Found')
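def do_check(self, url):
    """Probe Jenkins' ``/systemInfo`` page for anonymous access.

    Root-only. Port is ``self.port`` when the target was given with the
    ``jenkins`` scheme on a non-standard port, otherwise 8080 if that port
    was seen open. A body mentioning both ``jenkins.war`` and
    ``JENKINS_HOME`` is the system-information page, which is normally
    restricted to administrators. Request errors are swallowed.
    """
    if url != '/':
        return
    port = 8080
    if self.scheme == 'jenkins' and self.port != 8080:    # explicit non-standard port
        port = self.port
    elif 8080 not in self.ports_open:
        return

    # Separate name: the original rebound the `url` parameter.
    target = 'http://%s:%s/systemInfo' % (self.host, port)
    try:
        r = requests.get(target, timeout=5)
        # Decode once, tolerating non-UTF-8 bytes: a strict decode() raised
        # on such pages and the probe silently gave up on a positive host.
        body = r.content.decode('utf-8', errors='replace')
        if 'jenkins.war' in body and 'JENKINS_HOME' in body:
            save_script_result(self, '', target, 'jenkins Unauthorized Accesss')
    except Exception:
        pass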
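def do_check(self, url):
    """Try to log in to MySQL with an empty password.

    Root-only. Port is ``self.port`` for a ``mysql`` target on a
    non-standard port, otherwise 3306 if that port was seen open. A
    successful connection is recorded as ``Mysql empty password`` under
    ``mysql://host:port``. Connection/auth errors are swallowed.
    """
    if url != '/':
        return
    port = 3306
    if self.scheme == 'mysql' and self.port != 3306:    # explicit non-standard port
        port = self.port
    elif 3306 not in self.ports_open:
        return

    try:
        # Pass the selected port: the original connected to the driver
        # default, so a non-standard port was never actually tested and the
        # reported mysql:// URL did not match the socket that was opened.
        # NOTE: the user literal appears redacted in this copy of the file.
        conn = pymysql.connect(host=self.host, port=port, user='******',
                               password='', charset='utf8', autocommit=True,
                               connect_timeout=5)
        conn.close()
        save_script_result(self, '', 'mysql://%s:%s' % (self.host, port), '',
                           'Mysql empty password')
    except Exception:
        pass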
def do_check(self, url):
    """Check whether the Hadoop NameNode web UI is reachable without auth.

    Root-only. Uses ``self.port`` when the target came in with the
    ``Hadoop`` scheme on a non-standard port, otherwise 50070 -- and then
    only if the port scan saw 50070 open. Fetches ``/dfshealth.html`` and
    treats a body referencing ``hadoop.css`` as the NameNode UI. Errors are
    swallowed (best effort).

    NOTE(review): the static page alone shows the UI is exposed; whether
    cluster data is readable is not verified here -- confirm before
    treating the label literally.
    """
    if url != '/':
        return

    if self.scheme == 'Hadoop' and self.port != 50070:
        port = self.port          # explicit non-standard port
    elif 50070 in self.ports_open:
        port = 50070
    else:
        return

    target = 'http://%s:%s/dfshealth.html' % (self.host, port)
    try:
        resp = requests.get(target, timeout=5, verify=False, headers=default_headers)
        if 'hadoop.css' in resp.content.decode():
            save_script_result(self, '', target, 'Hadoop Unauthorized Accesss')
    except Exception:
        pass
def do_check(self, url):
    """Report a Docker Engine API that answers ``/version`` anonymously.

    Root-only. Port: ``self.port`` for a ``docker api`` target on a
    non-standard port, else 2375 when that port was seen open. A response
    body containing ``ApiVersion`` is taken as the engine's version JSON.
    An unauthenticated engine API is typically equivalent to root on the
    host, so this is a high-impact finding. Errors are swallowed.
    """
    if url != '/':
        return

    explicit = self.scheme == 'docker api' and self.port != 2375
    port = self.port if explicit else 2375
    if not explicit and 2375 not in self.ports_open:
        return

    target = 'http://%s:%s/version' % (self.host, port)
    try:
        resp = requests.get(target, timeout=5, verify=False, headers=default_headers)
        body = resp.content.decode()
        if 'ApiVersion' in body:
            save_script_result(self, '', target, 'docker api Unauthorized Accesss')
    except Exception:
        pass
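def do_check(self, url):
    """Check whether the FTP server accepts an anonymous login.

    Root-only. Port is ``self.port`` for an ``ftp`` target on a non-standard
    port, otherwise 21 if that port was seen open. A successful
    ``anonymous`` login is recorded as ``FTP Unauthorized Accesss``; it says
    nothing about what the anonymous account can read or write. Connection
    and login errors are swallowed.
    """
    if url != '/':
        return
    port = 21
    if self.scheme == 'ftp' and self.port != 21:  # explicit non-standard port
        port = self.port
    elif 21 not in self.ports_open:
        return

    ftp = ftplib.FTP()
    try:
        ftp.connect(self.host, port, timeout=5)
        # Anonymous FTP conventionally takes an e-mail-like password; this
        # literal is what the original probe used.
        ftp.login('anonymous', 'Aa@12345678')
        save_script_result(self, '', 'ftp://%s:%s/' % (self.host, port),
                           'FTP Unauthorized Accesss')
    except Exception:
        pass
    finally:
        # The original never closed the control connection on success.
        ftp.close()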
def do_check(self, url):
    """Check whether the CouchDB web console (``/_utils/``) is served.

    Root-only; port is ``self.port`` for a ``CouchDB`` target on a
    non-standard port, otherwise 5984 if that port was seen open. A body
    containing ``couchdb-logo`` is recorded as
    ``CouchDB Unauthorized Accesss``. Errors are swallowed.

    NOTE(review): this only shows the console's static page is reachable;
    it does not prove data is readable without credentials. Confirm against
    an authenticated-only endpoint before relying on the label.
    """
    if url != '/':
        return

    if self.scheme == 'CouchDB' and self.port != 5984:
        port = self.port          # explicit non-standard port
    else:
        if 5984 not in self.ports_open:
            return
        port = 5984

    target = 'http://%s:%s/_utils/' % (self.host, port)
    try:
        page = requests.get(target, timeout=5, verify=False,
                            headers=default_headers).content.decode()
        if page.find('couchdb-logo') >= 0:
            save_script_result(self, '', target, 'CouchDB Unauthorized Accesss')
    except Exception:
        pass
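def do_check(self, url):
    """Try to log in to PostgreSQL with an empty password.

    Root-only. Port is ``self.port`` for a ``PostgreSQL`` target on a
    non-standard port, otherwise 5432 if that port was seen open. A
    successful connection to the ``postgres`` database is recorded as
    ``PostgreSQL empty password``. Connection/auth errors are swallowed.
    """
    if url != '/':
        return
    port = 5432
    if self.scheme == 'PostgreSQL' and self.port != 5432:  # explicit non-standard port
        port = self.port
    elif 5432 not in self.ports_open:
        return

    conn = None
    try:
        # connect_timeout bounds the handshake like the other probes' 5s.
        # NOTE: the user literal appears redacted in this copy of the file.
        conn = psycopg2.connect(database="postgres",
                                user="******",
                                password="",
                                host=self.host,
                                port=port,
                                connect_timeout=5)
        # The result URL used a 'mysql://' scheme (copy-paste from the
        # MySQL check); report the service that was actually tested.
        save_script_result(self, '', 'postgresql://%s:%s' % (self.host, port), '',
                           'PostgreSQL empty password')
    except Exception:
        pass
    finally:
        # The original never closed the connection.
        if conn is not None:
            conn.close()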
def do_check(self, url):
    """Check the YARN ResourceManager REST API for anonymous access.

    Root-only. Port is ``self.port`` for a ``Hadoop yarn`` target on a
    non-standard port, otherwise 8088 when the port scan saw it open.
    ``/ws/v1/cluster/info`` answering with ``resourceManagerVersionBuiltOn``
    or ``hadoopVersion`` is recorded as ``Hadoop yarn Unauthorized Accesss``.
    Errors are swallowed (best effort).
    """
    if url != '/':
        return
    port = 8088
    if self.scheme == 'Hadoop yarn' and self.port != 8088:  # explicit non-standard port
        port = self.port
    elif 8088 not in self.ports_open:
        return

    target = 'http://%s:%s/ws/v1/cluster/info' % (self.host, port)
    markers = ('resourceManagerVersionBuiltOn', 'hadoopVersion')
    try:
        body = requests.get(target, timeout=5, verify=False,
                            headers=default_headers).content.decode()
        if any(marker in body for marker in markers):
            save_script_result(self, '', target, 'Hadoop yarn Unauthorized Accesss')
    except Exception:
        pass
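def do_check(self, url):
    """Check whether an rsync daemon is reachable and greets us.

    Root-only. Port is ``self.port`` for an ``rsync`` target on a
    non-standard port (no port-scan check needed then), otherwise 873 if
    that port was seen open. A greeting containing ``RSYNCD`` is recorded as
    ``Rsync Unauthorized Access``. Socket errors are swallowed.

    NOTE(review): the greeting only proves the daemon is exposed; module
    listing and per-module auth are not exercised here, so the label may
    overstate the finding.
    """
    if url != '/':
        return
    port = 873
    if self.scheme == 'rsync' and self.port != 873:  # explicit non-standard port
        port = self.port
    elif 873 not in self.ports_open:
        return

    try:
        # The context manager closes the socket on success as well; the
        # original only closed it on the error path and leaked it otherwise.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(5)  # per-socket, not process-wide setdefaulttimeout()
            s.connect((self.host, port))
            # The original sent an empty payload (a no-op) and relied on the
            # daemon speaking first; just read the greeting.
            if "RSYNCD" in s.recv(1024).decode():
                save_script_result(self, '', 'rsync://%s:%s' % (self.host, port),
                                   'Rsync Unauthorized Access')
    except Exception:
        pass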
def do_check(self, url):
    """Detect an exposed Kong Admin API by its ``Server: kong/...`` header.

    Root-only. Two paths:

    * If the current HTTP session already targets the service, a ``kong/``
      server header on the index response is reported for ``self.base_url``;
      when ``self.port`` is 8001 nothing more is done.
    * Otherwise, when 8001 was seen open, ``http://<host>:8001/`` is fetched
      separately and reported on the same header.

    NOTE(review): 'Server' is looked up with a capital S; confirm the header
    dict's key normalization, other checks read lowercase keys.
    """
    if url != '/':
        return

    def served_by_kong(hdrs):
        return hdrs.get('Server', '').startswith('kong/')

    if self.session and served_by_kong(self.index_headers):
        save_script_result(self, '200', self.base_url, 'Kong Admin Rest API')

    if self.port == 8001 or 8001 not in self.ports_open:
        # Either the 8001 connection pool is the one already checked above,
        # or the admin port is not open at all.
        return

    admin_root = 'http://%s:8001' % self.host
    status, headers, _ = self.http_request(admin_root + '/')
    if served_by_kong(headers):
        save_script_result(self, status, admin_root, 'Kong Admin Rest API')
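def do_check(self, url):
    """Check whether memcached answers ``stats`` without any authentication.

    Root-only. Port is ``self.port`` for a ``memcached`` target on a
    non-standard port, otherwise 11211 if the port scan saw it open. A
    reply containing ``version`` means the text protocol is open to us and
    is recorded as ``Memcached Unauthorized Accesss``. Socket errors are
    swallowed.
    """
    if url != '/':
        return
    port = 11211
    if self.scheme == 'memcached' and self.port != 11211:  # explicit non-standard port
        port = self.port
    elif 11211 not in self.ports_open:
        return
    try:
        # The context manager closes the socket on every path; the original
        # closed in `finally` but would raise NameError there if socket()
        # itself had failed, since `s` was never bound.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(5)  # per-socket, not process-wide setdefaulttimeout()
            s.connect((self.host, port))
            s.sendall(b'stats\r\n')
            if 'version' in s.recv(1024).decode():
                save_script_result(self, '',
                                   'memcached://%s:%s' % (self.host, port),
                                   'Memcached Unauthorized Accesss')
    except Exception:
        pass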
def do_check(self, url):
    """Check for a Redis server that answers ``INFO`` without ``AUTH``.

    Root-only. Port is ``self.port`` for a ``redis://host:port`` target on a
    non-standard port (so ``redis://test.ip:16379`` works without a port
    scan), otherwise 6379 when that port was seen open. A reply containing
    ``redis_version`` is recorded as ``Redis Unauthorized Access``; a
    password-protected server answers an error without it and is not
    reported. Socket errors are swallowed.
    """
    if url != '/':
        return

    explicit = self.scheme == 'redis' and self.port != 6379
    port = self.port if explicit else 6379
    if not explicit and 6379 not in self.ports_open:
        return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    try:
        with s:
            s.connect((self.host, port))
            # Inline command form; full RESP framing is not needed for INFO.
            s.send(b"INFO\r\n")
            reply = s.recv(1024).decode()
        if "redis_version" in reply:
            save_script_result(self, '', 'redis://%s:%s' % (self.host, port),
                               'Redis Unauthorized Access')
    except Exception:
        pass
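def do_check(self, url):
    """Check whether ZooKeeper answers the ``envi`` four-letter command.

    Root-only. Port is ``self.port`` for a ``zookeeper`` target on a
    non-standard port, otherwise 2181 if that port was seen open. A reply
    containing ``Environment`` is recorded as ``Zookeeper Unauthorized
    Access``. Socket errors are swallowed.

    NOTE(review): servers that restrict four-letter words may answer with
    an error instead of the environment dump -- confirm against the target
    version before treating a miss as "secured".
    """
    if url != '/':
        return
    port = 2181
    # The scheme literal in the original began with a stray tab
    # ('\tzookeeper'), so it never matched and a non-standard port could
    # not be scanned.
    if self.scheme == 'zookeeper' and self.port != 2181:  # explicit non-standard port
        port = self.port
    elif 2181 not in self.ports_open:
        return

    try:
        # The context manager closes the socket on every path; the original
        # closed in `finally` but would raise NameError there if socket()
        # itself had failed, since `s` was never bound.
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(5)  # per-socket, not process-wide setdefaulttimeout()
            s.connect((self.host, port))
            s.sendall(b'envi')  # four-letter word; no line terminator needed
            if 'Environment' in s.recv(1024).decode():
                save_script_result(self, '',
                                   'zookeeper://%s:%s' % (self.host, port), '',
                                   'Zookeeper Unauthorized Access')
    except Exception:
        pass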
def do_check(self, url):
    """Probe a fixed list of sensitive paths (the module-level ``folders``).

    Root-only, needs a live session, and is skipped when the site's 404
    baseline is a 301 (every unknown path redirects, so redirects carry no
    signal). For each entry:

    * a 301/302 whose ``Location`` points into ``<entry>/`` (absolute or
      relative) is treated as an existing directory: it is enqueued and
      crawled, not reported;
    * a 206 is reported as ``Possible Sensitive File Found`` unless the 404
      baseline itself is a 206.
    """
    if url != '/' or not self.session or self._404_status == 301:
        return

    for entry in folders.split():
        if not entry:           # str.split() never yields '', kept for fidelity
            continue
        status, headers, _ = self.http_request(entry)

        if status in (301, 302):
            target = headers.get('location', '')
            into_dir = (self.base_url + entry + '/', entry + '/')
            if target.startswith(into_dir):
                self.enqueue(entry + '/')
                self.crawl(entry + '/')

        if status == 206 and self._404_status != 206:
            save_script_result(self, status, self.base_url + entry, '',
                               'Possible Sensitive File Found')
def do_check(self, url):
    """Hunt for exposed log files at the site root and in common log folders.

    Root-only, needs a live session. Step one probes ``/log``, ``/logs``,
    ``/_log``, ``/_logs``, ``/accesslog`` and ``/errorlog``: a 301/302 into
    ``<folder>/`` marks the folder as existing (it is enqueued and crawled);
    a 206 is reported as ``Log File Found`` unless the 404 baseline is 206.
    Step two requests a list of common log/archive names under the root and
    under every folder found; a 206 counts when the 404 baseline is a real
    404 or the content type is ``application/*``. Step three does the same
    for ``log.txt``/``logs.txt`` but requires a ``text/plain`` content type.

    NOTE(review): ``self.enqueue`` receives the bare folder name while
    ``self.crawl`` receives ``/<name>/``; whether both forms are accepted
    depends on the crawler -- confirm, other checks pass the same path to
    both.
    """
    if url != '/' or not self.session:
        return

    found_folders = ['']
    for name in ('log', 'logs', '_log', '_logs', 'accesslog', 'errorlog'):
        folder_path = '/' + name
        status, headers, _ = self.http_request(folder_path)

        if status in (301, 302):
            location = headers.get('location', '')
            into_dir = (self.base_url + folder_path + '/', folder_path + '/')
            if location.startswith(into_dir):
                found_folders.append(name)
                self.enqueue(name)
                self.crawl(folder_path + '/')

        if status == 206 and self._404_status != 206:
            save_script_result(self, status, self.base_url + folder_path, '',
                               'Log File Found')

    common_logs = ('access.log', 'www.log', 'error.log', 'log.log', 'sql.log',
                   'errors.log', 'debug.log', 'db.log', 'install.log',
                   'server.log', 'sqlnet.log', 'WS_FTP.log', 'database.log',
                   'data.log', 'app.log',
                   'log.tar.gz', 'log.rar', 'log.zip',
                   'log.tgz', 'log.tar.bz2', 'log.7z')

    def probe(names, accept):
        # Request every name under the root and under each discovered folder.
        for folder in found_folders:
            prefix = '/' + folder if folder else ''
            for name in names:
                path = prefix + '/' + name
                status, headers, _ = self.http_request(path)
                if status == 206 and accept(headers):
                    save_script_result(self, status, self.base_url + path, '',
                                       'Log File')

    probe(common_logs,
          lambda h: self._404_status == 404 or
          'application/' in h.get('content-type', ''))
    probe(('log.txt', 'logs.txt'),
          lambda h: 'text/plain' in h.get('content-type', ''))