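def modify_base_config():
    """
    Update the base settings (system notice) from the JSON request body.

    ``notice_message`` and ``white_ips`` must both be present and non-blank.
    Only ``notice_message`` is written to the system configuration.

    :return: JSON response; status 200 on success, 400 when a required
        parameter is missing or blank, 500 on any other exception.
    """
    try:
        # force=True parses the body as JSON whatever Content-Type was sent.
        # NOTE(review): no authentication or CSRF check is visible in this
        # function; confirm the route is restricted to administrators.
        put_data = request.get_json(force=True)
        if not isinstance(put_data, dict):
            # A JSON array, string, number or null carries no parameters;
            # treat it like an empty object so the 400 branch below answers.
            put_data = {}
        notice_message = put_data.get("notice_message")
        white_ips = put_data.get("white_ips")
        # dict.get() returns None for an absent key and str(None) is "None",
        # so None is rejected explicitly; otherwise a request that omits a
        # parameter would pass the blank check.
        if any(value is None or str(value).strip() == ""
               for value in (notice_message, white_ips)):
            return jsonify(
                status=400,
                message="更新失败",
                data={"extra_info": "请确保notice_message,white_ips三个参数不能为空"})
        # NOTE(review): white_ips is validated above but not stored here.
        # NOTE(review): notice_message is stored as received and is returned
        # to clients by the notice/base-config views; confirm the front end
        # renders it as text rather than HTML.
        SystemConfigService.update(
            fields={SystemConfig.notice_message: notice_message})
        return jsonify(status=200, message="更新成功", data={})
    except KeyError:
        logger.exception("modify_base_setting raise error")
        return jsonify(
            status=400,
            message="查询失败",
            data={"extra_info": "请确保notice_message,white_ips三个参数不能为空"})
    except Exception:
        logger.exception("modify_base_setting raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})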
def modify_hunter_socket_log_config():
    """
    Update the Hunter log socket module settings (host, port, switch).

    The request is rejected with status 400 when has_dict_value_blank()
    (defined elsewhere) reports a blank value among the required keys.

    :return: JSON response; status 200 on success, 400 on a blank required
        value, 500 on any exception.
    """
    required_keys = [
        "hunter_log_socket_host",
        "hunter_log_socket_port",
        "hunter_log_socket_switch",
    ]
    try:
        # force=True parses the body as JSON whatever Content-Type was sent.
        # NOTE(review): no authentication or CSRF check is visible in this
        # function; confirm the route is restricted to administrators.
        body = request.get_json(force=True)
        if has_dict_value_blank(body, required_keys):
            hint = "请保证%s任一参数值不为空" % ",".join(required_keys)
            return jsonify(
                status=400, message="更新失败", data={"extra_info": hint})

        # NOTE(review): host and port are stored as received; no format or
        # range check is visible here.
        new_values = {
            SystemConfig.hunter_log_socket_host:
                body.get("hunter_log_socket_host"),
            SystemConfig.hunter_log_socket_port:
                body.get("hunter_log_socket_port"),
            SystemConfig.hunter_log_socket_switch:
                body.get("hunter_log_socket_switch"),
        }
        SystemConfigService.update(fields=new_values)
        return jsonify(status=200, message="更新成功", data={})
    except Exception:
        logger.exception("modify_hunter_log_socket raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
def get_email_config(self):
    """
    Fetch the system configuration with a forced refresh.

    :return: the object returned by
        SystemConfigService.get_single_instance(refresh=True)
    """
    # NOTE(review): the whole configuration object is returned, not only the
    # mail fields. Other functions in this file read sender_password and
    # hunter_log_token from the same object, so callers should pick the
    # fields they need instead of serialising it wholesale.
    return SystemConfigService.get_single_instance(refresh=True)
def modify_email_config():
    """
    Update the outgoing-mail (SMTP sender) settings.

    ``smtp_host``, ``smtp_port``, ``sender_email`` and ``sender_password``
    are checked with has_dict_value_blank() (defined elsewhere);
    ``content_template`` is optional and is written as well.

    :return: JSON response; status 200 on success, 400 on a blank required
        value or a KeyError, 500 on any other exception.
    """
    required_keys = [
        "smtp_host",
        "smtp_port",
        "sender_email",
        "sender_password",
    ]
    try:
        # force=True parses the body as JSON whatever Content-Type was sent.
        # NOTE(review): no authentication or CSRF check is visible in this
        # function; confirm the route is restricted to administrators.
        body = request.get_json(force=True)
        if has_dict_value_blank(body, required_keys):
            hint = "请保证%s任一参数值不为空" % ",".join(required_keys)
            return jsonify(
                status=400, message="更新失败", data={"extra_info": hint})

        # NOTE(review): sender_password is handed to the update as received;
        # whether it is encrypted at rest is not visible from here.
        new_values = {
            SystemConfig.smtp_host: body.get("smtp_host"),
            SystemConfig.smtp_port: body.get("smtp_port"),
            SystemConfig.sender_email: body.get("sender_email"),
            SystemConfig.sender_password: body.get("sender_password"),
            SystemConfig.email_content_template:
                body.get("content_template"),
        }
        SystemConfigService.update(fields=new_values)
        return jsonify(status=200, message="更新成功", data={})
    except KeyError:
        logger.exception("modify_email_setting raise error")
        return jsonify(
            status=400,
            message="更新失败",
            data={
                "extra_info":
                    "请确保传递参数smtp_host,smtp_port,sender_email,sender_password"
            })
    except Exception:
        logger.exception("modify_email_setting raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
def modify_hunter_dns_log_config():
    """
    Update the Hunter DNS log module settings and the hunter_api_url.

    The request is rejected with status 400 when has_dict_value_blank()
    (defined elsewhere) reports a blank value among the required keys.

    :return: JSON response; status 200 on success, 400 on a blank required
        value, 500 on any exception.
    """
    required_keys = [
        "hunter_log_dns_fake_root_domain",
        "hunter_log_dns_switch",
        "hunter_api_url",
    ]
    try:
        # force=True parses the body as JSON whatever Content-Type was sent.
        # NOTE(review): no authentication or CSRF check is visible in this
        # function; confirm the route is restricted to administrators.
        body = request.get_json(force=True)
        if has_dict_value_blank(body, required_keys):
            hint = "请保证%s任一参数值不为空" % ",".join(required_keys)
            return jsonify(
                status=400, message="更新失败", data={"extra_info": hint})

        # NOTE(review): the root domain and hunter_api_url are stored as
        # received. They are presumably used later to build callback and
        # query URLs; confirm scheme and host are validated before use.
        new_values = {
            SystemConfig.hunter_log_dns_fake_root_domain:
                body.get("hunter_log_dns_fake_root_domain"),
            SystemConfig.hunter_log_dns_switch:
                body.get("hunter_log_dns_switch"),
            SystemConfig.hunter_api_url: body.get("hunter_api_url"),
        }
        SystemConfigService.update(fields=new_values)
        # The success message reminds the operator to verify that dnslog
        # works before enabling the switch; otherwise the socket-log check
        # is skipped and plugins miss findings.
        return jsonify(
            status=200,
            message="更新成功,开启开关之前一定要确认dnslog功能正常使用,否则将会跳过socketlog回显检测逻辑,导致插件漏报",
            data={})
    except Exception:
        logger.exception("modify_hunter_log_dns raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
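def show_system_notice():
    """
    Return the latest system notice (endpoint added in v2.5.2).

    :return: JSON response with the stored notice_message as ``data``, or
        status 500 when reading the configuration raises.
    """
    try:
        system_config = SystemConfigService.get_single_instance()
        # NOTE(review): the notice is returned exactly as stored; confirm
        # the front end renders it as text rather than HTML.
        return jsonify(
            status=200, message="查询成功", data=system_config.notice_message)
    except Exception:
        logger.exception("show_system_notice error")
        # Generic wording, same as the other configuration endpoints; this
        # view reads a notice and does not create tasks.
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})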
def list_hunter_socket_log_config():
    """
    Return the Hunter log socket module settings (host, port, switch).

    :return: JSON response; status 200 with the three values, or status 500
        when reading the configuration raises.
    """
    exposed_fields = (
        "hunter_log_socket_host",
        "hunter_log_socket_port",
        "hunter_log_socket_switch",
    )
    try:
        config = SystemConfigService.get_single_instance()
        # Response keys are the same as the configuration attribute names.
        payload = {field: getattr(config, field) for field in exposed_fields}
        return jsonify(status=200, message="查询成功", data=payload)
    except Exception:
        logger.exception("list_hunter_log_socket raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
def init_data():
    """
    Seed default configuration rows, then initialise plugins and the admin.

    A default system configuration, LDAP configuration and proxy
    configuration are each created only when the matching count() is <= 0.
    init_plugin_info() and create_admin_user() are always called.

    Note kept from the original: task_access_private_key and
    task_access_public_key must be 16 characters long (neither is set in
    this function).
    """
    if SystemConfigService.count() <= 0:
        # NOTE(review): hunter_log_token is seeded with a fixed, publicly
        # known value. It is later sent as the API token to the log
        # platform, so it should be replaced with a random secret at
        # install time; confirm the deployment guide requires that.
        system_defaults = {
            "hunter_log_token": "hunter-log-token",
            "hunter_api_url": "http://*****:*****@xx",
            "sender_password": "******",
            "hunter_log_socket_switch": True,
        }
        SystemConfig.create(**system_defaults)

    if LdapConfigService.count() <= 0:
        ldap_defaults = {
            # NOTE(review): the placeholder uses ldap:// on port 389, i.e.
            # no TLS; confirm real deployments bind over ldaps or StartTLS.
            "ldap_host": "ldap://ldap.xx.com:389",
            "bind_dn": "",
            "bind_dn_password": "",
            "base_dn": "",
            "search_filter": "",
            "user_name_field": "",
            "full_name_field": "displayName",
            "email_field": "mail",
            "mobile_field": "mobile",
        }
        LdapConfigService.save(**ldap_defaults)

    if NetWorkProxyConfigService.count() <= 0:
        proxy_defaults = {
            # Subject fields for the proxy CA certificate.
            "ca_country_name": "CN",
            "ca_province": "shanghai",
            "ca_locality_name": "shanghai",
            "ca_organization_name": "ZtoSec",
            "ca_organizational_unit_name": "ZtoSec Technology Co., Ltd",
            "ca_common_name": "HunterProxy",
            "white_host_list": "127.0.0.1:3000,sec.zto.com,127.0.0.1:15672",
        }
        NetWorkProxyConfigService.save(**proxy_defaults)

    init_plugin_info()
    create_admin_user()
def list_hunter_dns_log_config():
    """
    Return the Hunter DNS log module settings and the hunter_api_url.

    :return: JSON response; status 200 with the three values, or status 500
        when reading the configuration raises.
    """
    exposed_fields = (
        "hunter_log_dns_fake_root_domain",
        "hunter_log_dns_switch",
        "hunter_api_url",
    )
    try:
        config = SystemConfigService.get_single_instance()
        # NOTE(review): the seeded default for hunter_api_url has a
        # user:password@host shape; if real values embed credentials this
        # response discloses them. Confirm who may call this view.
        payload = {field: getattr(config, field) for field in exposed_fields}
        return jsonify(status=200, message="查询成功", data=payload)
    except Exception:
        logger.exception("list_hunter_log_dns raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
def list_email_config():
    """
    Return the outgoing-mail settings.

    :return: JSON response; status 200 with sender_email, sender_password,
        smtp_host, smtp_port and content_template, or status 500 when
        reading the configuration raises.
    """
    try:
        config = SystemConfigService.get_single_instance()
        # NOTE(review): sender_password is returned in clear in the response
        # body. modify_email_config requires sender_password on every
        # update, so a client probably echoes this value back; masking it
        # here needs a matching change there (e.g. keep the stored value
        # when the field is left untouched).
        payload = dict(
            sender_email=config.sender_email,
            sender_password=config.sender_password,
            smtp_host=config.smtp_host,
            smtp_port=config.smtp_port,
            content_template=config.email_content_template,
        )
        return jsonify(status=200, message="查询成功", data=payload)
    except Exception:
        logger.exception("list_email_setting raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
def list_base_config():
    """
    Return the base settings.

    The response carries the system notice and the socket log host
    (``socket_log_host`` is read from hunter_log_socket_host).

    :return: JSON response; status 200 with both values, or status 500 when
        reading the configuration raises.
    """
    try:
        config = SystemConfigService.get_single_instance()
        payload = dict(
            notice_message=config.notice_message,
            socket_log_host=config.hunter_log_socket_host,
        )
        return jsonify(status=200, message="查询成功", data=payload)
    except Exception:
        logger.exception("list_base_setting raise error")
        return jsonify(
            status=500,
            message="未知异常",
            data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
def generate_access_key(task_id, username):
    """
    Build an encrypted access key for a task.

    The payload ``{"task_id": ..., "username": ..., "create_time": ...}`` is
    serialised as JSON and encrypted by prpcrypt (AES according to the
    original note) with the configured task_access_private_key.

    :param task_id: task identifier placed in the payload
    :param username: user name placed in the payload
    :return: the value returned by prpcrypt's encrypt()
    """
    import datetime

    from model.system_config import SystemConfigService

    # NOTE(review): datetime.now() is naive local time; whatever validates
    # create_time must run with the same timezone assumption.
    issued_at = str(datetime.datetime.now())
    secret = SystemConfigService.get_single_instance().task_access_private_key
    # NOTE(review): cipher mode, IV handling and integrity protection live
    # in prpcrypt and are not visible here; confirm the token cannot be
    # altered undetected (authenticated mode or a MAC).
    cipher = prpcrypt.get_single_instance(secret, False)
    # Key order is kept as task_id, username, create_time so the serialised
    # plaintext is unchanged.
    payload = json.dumps({
        "task_id": task_id,
        "username": username,
        "create_time": issued_at,
    })
    return cipher.encrypt(payload)
def generate_blind_poc(self):
    """
    Build the out-of-band ("blind", no echo) callback descriptor for a plugin.

    The callback channel follows the switches in the system configuration:

    1. only the DNS module enabled    -> DNS
    2. only the socket module enabled -> socket
    3. both enabled                   -> DNS
    4. neither enabled                -> ``data`` stays None and the caller
       is expected to skip the check

    Usage in a plugin (abridged from the original example)::

        blind_poc, check_bilnd_poc_url, hunter_log_api_token = \\
            self.generate_blind_poc()
        if not blind_poc["data"]:
            return
        if blind_poc["type"] == "dns":
            # data is a domain name whose first label is the uuid
            callback_url = "http://%s" % (blind_poc["data"])
        elif blind_poc["type"] == "socket":
            callback_url = "http://%s:%s/%s" % (
                blind_poc["data"]["host"], blind_poc["data"]["port"],
                blind_poc["data"]["uuid"])
        # ... the plugin sends its test request carrying callback_url ...
        req = requests.get(check_bilnd_poc_url,
                           headers={"token": hunter_log_api_token})
        response = req.json()
        if "status" in response and response["status"] == 200:
            # status 200 is treated as: a callback was seen for this uuid
            self.result['status'] = True

    :return: tuple ``(blind_poc, check_bilnd_poc_url, hunter_log_api_token)``
        where blind_poc is ``{"type": "dns"|"socket", "data": ..., "uuid": ...}``
    """
    config = SystemConfigService.get_single_instance(refresh=True)
    socket_enabled = config.hunter_log_socket_switch
    dns_enabled = config.hunter_log_dns_switch
    probe_id = self.generate_uuid()

    # Three results: the descriptor, the log-platform query URL for this
    # uuid, and the log-platform API token.
    # NOTE(review): the API token is handed to every plugin that calls
    # this; plugins should not log it or put it into scan results.
    blind_poc = {"type": "dns", "data": None, "uuid": probe_id}
    check_bilnd_poc_url = self.generate_check_bilnd_poc_url(config, probe_id)
    hunter_log_api_token = config.hunter_log_token

    if dns_enabled:
        # DNS wins whenever it is on, whatever the socket switch says.
        blind_poc["type"] = "dns"
        blind_poc["data"] = "%s.%s" % (
            probe_id, config.hunter_log_dns_fake_root_domain)
    elif socket_enabled:
        blind_poc["type"] = "socket"
        blind_poc["data"] = {
            "host": config.hunter_log_socket_host,
            "port": config.hunter_log_socket_port,
            "uuid": probe_id,
        }
    # With both switches off, type keeps its "dns" default and data is None.
    return blind_poc, check_bilnd_poc_url, hunter_log_api_token