def do_check(self, url): if not self.conn_pool: return extensions = [ '.zip', '.rar', '.tar.gz', '.tar.bz2', '.tgz', '.7z', '.log', '.sql' ] if url == '/' and self.domain_sub: file_names = [self.host.split(':')[0], self.domain_sub] for name in file_names: for ext in extensions: status, headers, html_doc = self.http_request('/' + name + ext) if status == 206 and \ (self._404_status == 404 or headers.get('content-type', '').find('application/') >= 0) or \ (ext == '.sql' and html_doc.find("CREATE TABLE") >= 0): save_script_result(self, status, self.base_url + '/' + name + ext, '', 'Compressed File') elif url != '/': # sub folders like /aaa/bbb/ folder_name = url.split('/')[-2] if len(folder_name) >= 4: url_prefix = url[:-len(folder_name) - 1] for ext in extensions: status, headers, html_doc = self.http_request(url_prefix + folder_name + ext) if status == 206 and headers.get('content-type', '').find('application/') >= 0: save_script_result( self, status, self.base_url + url_prefix + folder_name + ext, '', 'Compressed File')
def do_check(self, url): if url == '/' and self.conn_pool: if self.index_status == 301 and self.index_headers.get('location', '').find('forum.php') >= 0 or \ str(self.index_headers).find('_saltkey=') > 0: url_lst = [ '/config/config_ucenter.php.bak', '/config/.config_ucenter.php.swp', '/config/.config_global.php.swp', '/config/config_global.php.1', '/uc_server/data/config.inc.php.bak', '/config/config_global.php.bak', '/include/config.inc.php.tmp' ] for _url in url_lst: status, headers, html_doc = self.http_request(_url) if status == 200 or status == 206: if html_doc.find('<?php') >= 0: save_script_result(self, status, self.base_url + _url, 'Discuz Backup File Found') # getcolor DOM XSS status, headers, html_doc = self.http_request( '/static/image/admincp/getcolor.htm') if html_doc.find("if(fun) eval('parent.'+fun+'") > 0: save_script_result( self, status, self.base_url + '/static/image/admincp/getcolor.htm', '', 'Discuz getcolor DOM XSS')
def do_check(self, url): if url == '/': if self.conn_pool and self.index_status in (301, 302): for keyword in ['admin', 'login', 'manage', 'backend']: if self.index_headers.get('location', '').find(keyword) >= 0: save_script_result(self, self.index_status, self.base_url + '/', 'Admin Site') break
def do_check(self, url): if url == '/': # echo "456F5628-59FC-01C8-08BE-5CBCD4114DC3"; poc = { "Accept-Charset": "ZWNobyAiNDU2RjU2MjgtNTlGQy0wMUM4LTA4QkUtNUNCQ0Q0MTE0REMzIjs=", "Accept-Encoding": "gzip,deflate" } status, headers, pocRequest = self.http_request('', headers=poc) if "456F5628-59FC-01C8-08BE-5CBCD4114DC3" in pocRequest: save_script_result(self, status, self.base_url, 'phpstudy back door')
def do_check(self, url): if url == '/' and self.conn_pool: if self.index_html_doc.find('/wp-content/themes/') >= 0: url_lst = [ '/wp-config.php.inc', '/wp-config.inc', '/wp-config.bak', '/wp-config.php~', '/.wp-config.php.swp', '/wp-config.php.bak' ] for _url in url_lst: status, headers, html_doc = self.http_request(_url) if status == 200 or status == 206: if html_doc.find('<?php') >= 0: save_script_result(self, status, self.base_url + _url, '', 'WordPress Backup File Found')
def do_check(self, url): if url == '/' and self.conn_pool: if self.index_status == 302 and self.index_headers.get( 'location', '').lower() == 'https://%s/owa' % self.host: save_script_result(self, 302, 'https://%s' % self.host, 'OutLook Web APP Found') return status, headers, html_doc = self.http_request('/ews/') if status == 302: redirect_url = headers.get('location', '') if redirect_url == 'https://%shttp://%s/ews/' % (self.host, self.host): save_script_result(self, 302, 'https://%s' % self.host, 'OutLook Web APP Found') return if redirect_url == 'https://%s/ews/' % self.host: try: conn = httplib.HTTPSConnection(self.host) conn.request('HEAD', '/ews') if conn.getresponse().status == 401: save_script_result(self, 401, redirect_url, 'OutLook Web APP Found') conn.close() except Exception as e: pass return elif status == 401: if headers.get('Server', '').find('Microsoft-IIS') >= 0: save_script_result(self, 401, self.base_url + '/ews/', 'OutLook Web APP Found') return
def do_check(self, url): if url != '/': return port = 27017 if self.scheme == 'mongodb' and self.port != 27017: # 非标准端口 port = self.port elif 27017 not in self.ports_open: return try: conn = pymongo.MongoClient(host=self.host, port=port, connectTimeoutMS=5000, socketTimeoutMS=5000) database_list = conn.database_names() if not database_list: conn.close() return detail = "%s MongoDB Unauthorized Access : %s" % (self.host, ",".join(database_list)) conn.close() save_script_result(self, '', 'mongodb://%s:%s' % (self.host, port), detail) except Exception as e: pass
def do_check(self, url): if url != '/': return if self.conn_pool and self.index_headers.get('Server', '').startswith('kong/'): save_script_result(self, '200', self.base_url, 'Kong Admin Rest API') if self.port == 8001: # 如果已经维护了 8001 端口的 HTTP连接池,上面的逻辑已经完成扫描 return if 8001 not in self.ports_open: # 如果8001端口不开放 return # 如果输入的是一个非标准端口的HTTP服务 # 那么,需要单独对8001端口进行检测 resp = requests.get('http://%s:8001/' % self.host) headers = resp.headers if headers.get('Server', '').startswith('kong/'): save_script_result(self, resp.status_code, 'http://%s:8001' % self.host, 'Kong Admin Rest API')
def do_check(self, url): if url != '/' or not self.conn_pool or self._404_status == 301: return _folders = folders.split() for _url in _folders: if not _url: continue status, headers, html_doc = self.http_request(_url) if status in (301, 302): location = headers.get('location', '') if location.startswith(self.base_url + _url + '/') or location.startswith(_url + '/'): # save_user_script_result(self, status, self.base_url + _url, # '', 'Possible Sensitive Folder Found') self.enqueue(_url + '/') self.crawl(_url + '/') if status == 206 and self._404_status != 206: save_script_result(self, status, self.base_url + _url, '', 'Possible Sensitive File Found')
def do_check(self, url): if url != '/': return port = 2181 if self.scheme == ' zookeeper' and self.port != 2181: # 非标准端口 port = self.port elif 2181 not in self.ports_open: return try: socket.setdefaulttimeout(5) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((self.host, port)) s.send('envi') data = s.recv(1024) if 'Environment' in data: save_script_result(self, '', 'zookeeper://%s:%s' % (self.host, port), '', 'Zookeeper Unauthorized Access') except Exception as e: pass finally: s.close()
def do_check(self, url): if url != '/': return port = 16379 # 非标准端口,不需要检查6379端口是否开放 # 支持用户传入目标 redis://test.ip:16379 来扫描非标准端口上的Redis服务 if self.scheme == 'redis' and self.port != 6379: port = self.port elif 6379 not in self.ports_open: return s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(3) try: host = self.host.split(':')[0] s.connect((host, port)) payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a' s.send(payload) data = s.recv(1024) s.close() if "redis_version" in data: save_script_result(self, '', 'redis://%s:%s' % (host, port), 'Redis Unauthorized Access') except Exception as e: s.close()
def do_check(self, url): if url == '/' and self.conn_pool: folders = [''] for log_folder in [ 'log', 'logs', '_log', '_logs', 'accesslog', 'errorlog' ]: status, headers, html_doc = self.http_request('/' + log_folder) if status in (301, 302): location = headers.get('location', '') if location.startswith(self.base_url + '/' + log_folder + '/') or \ location.startswith('/' + log_folder + '/'): folders.append(log_folder) self.enqueue(log_folder) self.crawl('/' + log_folder + '/') if status == 206 and self._404_status != 206: save_script_result(self, status, self.base_url + '/' + log_folder, '', 'Log File Found') url_lst = [ 'access.log', 'www.log', 'error.log', 'log.log', 'sql.log', 'errors.log', 'debug.log', 'db.log', 'install.log', 'server.log', 'sqlnet.log', 'WS_FTP.log', 'database.log', 'data.log', 'app.log', 'log.tar.gz', 'log.rar', 'log.zip', 'log.tgz', 'log.tar.bz2', 'log.7z' ] for log_folder in folders: for _url in url_lst: url_prefix = '/' + log_folder if log_folder else '' status, headers, html_doc = self.http_request(url_prefix + '/' + _url) # print '/' + log_folder + '/' + _url if status == 206 and \ (self._404_status == 404 or headers.get('content-type', '').find('application/') >= 0): save_script_result(self, status, self.base_url + url_prefix + '/' + _url, '', 'Log File') for log_folder in folders: for _url in ['log.txt', 'logs.txt']: url_prefix = '/' + log_folder if log_folder else '' status, headers, html_doc = self.http_request(url_prefix + '/' + _url) # print '/' + log_folder + '/' + _url if status == 206 and headers.get('content-type', '').find('text/plain') >= 0: save_script_result(self, status, self.base_url + url_prefix + '/' + _url, '', 'Log File')
def do_check(self, url): if url != '/' or 445 not in self.ports_open: return ip = self.host.split(':')[0] port = 445 timeout = 5 negotiate_protocol_request = binascii.unhexlify( "00000054ff534d4272000000001801280000000000000000000000000000729c0000c4e1003100024c414e4d414e312e3000024c4d312" "e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200") session_setup_request = binascii.unhexlify( "0000008fff534d4273000000001801280000000000000000000000000000729c0000c4e10cff000000dfff02000100000000003100000" "00000d400008054004e544c4d5353500001000000050208a2010001002000000010001000210000002e3431426c7441314e5059746249" "55473057696e646f7773203230303020323139350057696e646f7773203230303020352e3000" ) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(timeout) s.connect((ip, port)) s.send(negotiate_protocol_request) s.recv(1024) s.send(session_setup_request) data = s.recv(1024) user_id = data[32:34] session_setup_request_2 = binascii.unhexlify( "00000150ff534d4273000000001801280000000000000000000000000000729c" + binascii.hexlify(user_id) + "c4e10cff000000dfff0200010000000000f200000000005cd0008015014e544c4d535350000300000018001800" "40000000780078005800000002000200d000000000000000d200000020002000d200000000000000f200000005" "0208a2ec893eacfc70bba9afefe94ef78908d37597e0202fd6177c0dfa65ed233b731faf86b02110137dc50101" "000000000000004724eed7b8d2017597e0202fd6177c0000000002000a0056004b002d005000430001000a0056" "004b002d005000430004000a0056004b002d005000430003000a0056004b002d00500043000700080036494bf1" "d7b8d20100000000000000002e003400310042006c007400410031004e00500059007400620049005500470030" "0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000" ) s.send(session_setup_request_2) s.recv(1024) session_setup_request_3 = binascii.unhexlify( "00000063ff534d4273000000001801200000000000000000000000000000729c0000c4e10dff000000dfff0200010000000000000" "0000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000" ) s.send(session_setup_request_3) data = s.recv(1024) tree_id = data[32:34] smb = get_tree_connect_request(ip, tree_id) s.send(smb) s.recv(1024) poc = binascii.unhexlify( "0000004aff534d422500000000180128000000000000000000000000" + binascii.hexlify(user_id) + "729c" + binascii.hexlify(tree_id) + "c4e11000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00" ) s.send(poc) data = s.recv(1024) s.close() if "\x05\x02\x00\xc0" in data: save_script_result(self, '', ip + ':445', '', 'MS17010 SMB Remote Code Execution') except Exception as e: return False