def api_edit_scan(type, id):
check_admin()
if type == "sqlmap":
sqlmap = Sqlmap.find_by('where id = ?', content_escape(id))
return dict(type=content_escape(type), id=content_escape(id), sqlmap=content_escape(sqlmap))
else:
raise notfound()
def api_edit_scan(type, id):
check_admin()
if type == "sqlmap":
sqlmap = Sqlmap.find_by('where id = ?', content_escape(id))
return dict(type=content_escape(type), id=content_escape(id), sqlmap=content_escape(sqlmap))
else:
raise notfound()
def api_list_vulns(type):
check_admin()
if type == "xss":
total = Request.count_by('where result_xss = ?', 'vulnerable')
page = Page(total, _get_page_index())
requests = Request.find_by(
'where result_xss = ? order by id desc limit ?,?', 'vulnerable',
page.offset, page.limit)
elif type == "sqli":
total = Request.count_by('where result_sqli = ?', 'vulnerable')
page = Page(total, _get_page_index())
requests = Request.find_by(
'where result_sqli = ? order by id desc limit ?,?', 'vulnerable',
page.offset, page.limit)
elif type == "fi":
total = Request.count_by('where result_fi = ?', 'vulnerable')
page = Page(total, _get_page_index())
requests = Request.find_by(
'where result_fi = ? order by id desc limit ?,?', 'vulnerable',
page.offset, page.limit)
else:
raise notfound()
return dict(type=content_escape(type),
requests=content_escape(requests),
page=page)
def api_view_scan(type):
check_admin()
if type == "sqlmap":
total = Sqlmap.count_all()
page = Page(total, _get_page_index())
sqlmaps = Sqlmap.find_by('order by update_time desc limit ?,?', page.offset, page.limit)
return dict(type=content_escape(type), sqlmaps=content_escape(sqlmaps), page=page)
else:
raise notfound()
def api_view_scan(type):
check_admin()
if type == "sqlmap":
total = Sqlmap.count_all()
page = Page(total, _get_page_index())
sqlmaps = Sqlmap.find_by('order by update_time desc limit ?,?', page.offset, page.limit)
return dict(type=content_escape(type), sqlmaps=content_escape(sqlmaps), page=page)
else:
raise notfound()
def api_view_exclusion(type):
check_admin()
if type == "parse":
exclusion = ExclusionParse.find_all()[0]
elif type == "xss":
exclusion = ExclusionScan.find_by('where type=0')[0]
elif type == "sqli":
exclusion = ExclusionScan.find_by('where type=1')[0]
elif type == "fi":
exclusion = ExclusionScan.find_by('where type=2')[0]
elif type == "cookie":
exclusion = ExclusionCookie.find_all()[0]
else:
raise notfound()
return dict(type=content_escape(type), exclusion=content_escape(exclusion))
def api_view_exclusion(type):
check_admin()
if type == "parse":
exclusion = ExclusionParse.find_all()[0]
elif type == "xss":
exclusion = ExclusionScan.find_by('where type=0')[0]
elif type == "sqli":
exclusion = ExclusionScan.find_by('where type=1')[0]
elif type == "fi":
exclusion = ExclusionScan.find_by('where type=2')[0]
elif type == "cookie":
exclusion = ExclusionCookie.find_all()[0]
else:
raise notfound()
return dict(type=content_escape(type), exclusion=content_escape(exclusion))
def api_view_request(request_rid):
check_admin()
request = Request.find_by('where rid = ?', request_rid)
response = Response.find_by('where rid = ?', request_rid)
if request is None or response is None:
raise notfound()
return dict(request=content_escape(request), response=html_encode(response))
def api_view_request(request_rid):
check_admin()
request = Request.find_by('where rid = ?', request_rid)
response = Response.find_by('where rid = ?', request_rid)
if request is None or response is None:
raise notfound()
return dict(request=content_escape(request), response=html_encode(response))
def api_list_vulns(type):
check_admin()
if type == "xss":
total = Request.count_by('where result_xss = ?', 'vulnerable')
page = Page(total, _get_page_index())
requests = Request.find_by('where result_xss = ? order by id desc limit ?,?', 'vulnerable', page.offset, page.limit)
elif type == "sqli":
total = Request.count_by('where result_sqli = ?', 'vulnerable')
page = Page(total, _get_page_index())
requests = Request.find_by('where result_sqli = ? order by id desc limit ?,?', 'vulnerable', page.offset, page.limit)
elif type == "fi":
total = Request.count_by('where result_fi = ?', 'vulnerable')
page = Page(total, _get_page_index())
requests = Request.find_by('where result_fi = ? order by id desc limit ?,?', 'vulnerable', page.offset, page.limit)
else:
raise notfound()
return dict(type=content_escape(type), requests=content_escape(requests), page=page)
def api_delete_scan(type, id):
check_admin()
if type == "sqlmap":
sqlmap = Sqlmap(id=content_escape(id))
sqlmap.delete()
else:
return dict(result='failed', error='unknown scan type!')
return dict(result='success')
def api_delete_scan(type, id):
check_admin()
if type == "sqlmap":
sqlmap = Sqlmap(id=content_escape(id))
sqlmap.delete()
else:
return dict(result='failed', error='unknown scan type!')
return dict(result='success')
def api_add_scan(type):
check_admin()
now = str(time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(time.time())))
i = ctx.request.input()
if type == "sqlmap":
sqlmap = Sqlmap()
sqlmap.ip = content_escape(i.ip.strip().lower())
sqlmap.port = content_escape(i.port.strip().lower())
sqlmap.status = i.status.strip().lower()
sqlmap.update_time = now
res = sqlmap_validate(sqlmap)
if res == 'success':
sqlmap.insert()
else:
return dict(result='failed', error=res)
else:
return dict(result='failed', error='unknown scan type!')
return dict(result='success')
def api_add_scan(type):
check_admin()
now = str(time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(time.time())))
i = ctx.request.input()
if type == "sqlmap":
sqlmap = Sqlmap()
sqlmap.ip = content_escape(i.ip.strip().lower())
sqlmap.port = content_escape(i.port.strip().lower())
sqlmap.status = i.status.strip().lower()
sqlmap.update_time = now
res = sqlmap_validate(sqlmap)
if res == 'success':
sqlmap.insert()
else:
return dict(result='failed', error=res)
else:
return dict(result='failed', error='unknown scan type!')
return dict(result='success')
def manage_exclusion_view(type):
return dict(type=content_escape(type), user=ctx.request.user)
def manage_scan_view(type):
return dict(page_index=_get_page_index(), type=content_escape(type), user=ctx.request.user)
def api_update_exclusion(type):
check_admin()
now = str(time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(time.time())))
i = ctx.request.input()
if type == "parse":
exclusion_parse = ExclusionParse.find_all()[0]
exclusion_parse.exclusion = content_escape(i.exclusion.strip().lower())
exclusion_parse.update_time = now
res = exclusion_validate(exclusion_parse)
if res == 'success':
exclusion_parse.update()
else:
return dict(result='failed', error=res)
elif type == "cookie":
exclusion_cookie = ExclusionCookie.find_all()[0]
exclusion_cookie.exclusion = content_escape(i.exclusion.strip().lower())
exclusion_cookie.update_time = now
res = exclusion_validate(exclusion_cookie)
if res == 'success':
exclusion_cookie.update()
else:
return dict(result='failed', error=res)
elif type == "xss":
exclusion_scan = ExclusionScan.find_by('where type=0')[0]
exclusion_scan.method = content_escape(i.method.strip().lower())
exclusion_scan.protocol = content_escape(i.protocol.strip().lower())
exclusion_scan.host = content_escape(i.host.strip().lower())
exclusion_scan.ip = content_escape(i.ip.strip().lower())
exclusion_scan.port = content_escape(i.port.strip().lower())
exclusion_scan.path = content_escape(i.path.strip().lower())
exclusion_scan.accept = content_escape(i.accept.strip().lower())
exclusion_scan.accept_language = content_escape(i.accept_language.strip().lower())
exclusion_scan.accept_encoding = content_escape(i.accept_encoding.strip().lower())
exclusion_scan.referer = content_escape(i.referer.strip().lower())
exclusion_scan.user_agent = content_escape(i.user_agent.strip().lower())
exclusion_scan.cookie = content_escape(i.cookie.strip().lower())
exclusion_scan.content_type = content_escape(i.content_type.strip().lower())
exclusion_scan.post_data = content_escape(i.post_data.strip().lower())
exclusion_scan.update_time = now
res = exclusion_validate(exclusion_scan)
if res == 'success':
exclusion_scan.update()
else:
return dict(result='failed', error=res)
elif type == "sqli":
exclusion_scan = ExclusionScan.find_by('where type=1')[0]
exclusion_scan.method = content_escape(i.method.strip().lower())
exclusion_scan.protocol = content_escape(i.protocol.strip().lower())
exclusion_scan.host = content_escape(i.host.strip().lower())
exclusion_scan.ip = content_escape(i.ip.strip().lower())
exclusion_scan.port = content_escape(i.port.strip().lower())
exclusion_scan.path = content_escape(i.path.strip().lower())
exclusion_scan.accept = content_escape(i.accept.strip().lower())
exclusion_scan.accept_language = content_escape(i.accept_language.strip().lower())
exclusion_scan.accept_encoding = content_escape(i.accept_encoding.strip().lower())
exclusion_scan.referer = content_escape(i.referer.strip().lower())
exclusion_scan.user_agent = content_escape(i.user_agent.strip().lower())
exclusion_scan.cookie = content_escape(i.cookie.strip().lower())
exclusion_scan.content_type = content_escape(i.content_type.strip().lower())
exclusion_scan.post_data = content_escape(i.post_data.strip().lower())
exclusion_scan.update_time = now
res = exclusion_validate(exclusion_scan)
if res == 'success':
exclusion_scan.update()
else:
return dict(result='failed', error=res)
elif type == "fi":
exclusion_scan = ExclusionScan.find_by('where type=2')[0]
exclusion_scan.method = content_escape(i.method.strip().lower())
exclusion_scan.protocol = content_escape(i.protocol.strip().lower())
exclusion_scan.host = content_escape(i.host.strip().lower())
exclusion_scan.ip = content_escape(i.ip.strip().lower())
exclusion_scan.port = content_escape(i.port.strip().lower())
exclusion_scan.path = content_escape(i.path.strip().lower())
exclusion_scan.accept = content_escape(i.accept.strip().lower())
exclusion_scan.accept_language = content_escape(i.accept_language.strip().lower())
exclusion_scan.accept_encoding = content_escape(i.accept_encoding.strip().lower())
exclusion_scan.referer = content_escape(i.referer.strip().lower())
exclusion_scan.user_agent = content_escape(i.user_agent.strip().lower())
exclusion_scan.cookie = content_escape(i.cookie.strip().lower())
exclusion_scan.content_type = content_escape(i.content_type.strip().lower())
exclusion_scan.post_data = content_escape(i.post_data.strip().lower())
exclusion_scan.update_time = now
res = exclusion_validate(exclusion_scan)
if res == 'success':
exclusion_scan.update()
else:
return dict(result='failed', error=res)
else:
return dict(result='failed', error='unknown scan type!')
return dict(result='success')
def manage_scan_edit(type, id):
return dict(url='/api/scan/%s/%s/edit' % (content_escape(type), content_escape(id)), user=ctx.request.user)
def manage_scan_add(type):
return dict(url='/api/scan/%s/add' % content_escape(type), type=content_escape(type), user=ctx.request.user)
def api_get_requests():
total = Request.count_all()
page = Page(total, _get_page_index())
requests = Request.find_by('order by id desc limit ?,?', page.offset, page.limit)
return dict(requests=content_escape(requests), page=page)
def api_get_requests():
total = Request.count_all()
page = Page(total, _get_page_index())
requests = Request.find_by('order by id desc limit ?,?', page.offset, page.limit)
return dict(requests=content_escape(requests), page=page)
def manage_scan_edit(type, id):
return dict(url='/api/scan/%s/%s/edit' % (content_escape(type), content_escape(id)), user=ctx.request.user)
def manage_scan_view(type):
return dict(page_index=_get_page_index(), type=content_escape(type), user=ctx.request.user)
def manage_exclusion_view(type):
return dict(type=content_escape(type), user=ctx.request.user)
def manage_vulns_list(type):
return dict(type=content_escape(type), page_index=_get_page_index(), user=ctx.request.user)
def manage_vulns_list(type):
return dict(type=content_escape(type), page_index=_get_page_index(), user=ctx.request.user)
def manage_scan_add(type):
return dict(url='/api/scan/%s/add' % content_escape(type), type=content_escape(type), user=ctx.request.user)
def api_update_exclusion(type):
check_admin()
now = str(time.strftime('%Y-%m-%d %H:%M:%S',time.localtime(time.time())))
i = ctx.request.input()
if type == "parse":
exclusion_parse = ExclusionParse.find_all()[0]
exclusion_parse.exclusion = content_escape(i.exclusion.strip().lower())
exclusion_parse.update_time = now
res = exclusion_validate(exclusion_parse)
if res == 'success':
exclusion_parse.update()
else:
return dict(result='failed', error=res)
elif type == "cookie":
exclusion_cookie = ExclusionCookie.find_all()[0]
exclusion_cookie.exclusion = content_escape(i.exclusion.strip().lower())
exclusion_cookie.update_time = now
res = exclusion_validate(exclusion_cookie)
if res == 'success':
exclusion_cookie.update()
else:
return dict(result='failed', error=res)
elif type == "xss":
exclusion_scan = ExclusionScan.find_by('where type=0')[0]
exclusion_scan.method = content_escape(i.method.strip().lower())
exclusion_scan.protocol = content_escape(i.protocol.strip().lower())
exclusion_scan.host = content_escape(i.host.strip().lower())
exclusion_scan.ip = content_escape(i.ip.strip().lower())
exclusion_scan.port = content_escape(i.port.strip().lower())
exclusion_scan.path = content_escape(i.path.strip().lower())
exclusion_scan.accept = content_escape(i.accept.strip().lower())
exclusion_scan.accept_language = content_escape(i.accept_language.strip().lower())
exclusion_scan.accept_encoding = content_escape(i.accept_encoding.strip().lower())
exclusion_scan.referer = content_escape(i.referer.strip().lower())
exclusion_scan.user_agent = content_escape(i.user_agent.strip().lower())
exclusion_scan.cookie = content_escape(i.cookie.strip().lower())
exclusion_scan.content_type = content_escape(i.content_type.strip().lower())
exclusion_scan.post_data = content_escape(i.post_data.strip().lower())
exclusion_scan.update_time = now
res = exclusion_validate(exclusion_scan)
if res == 'success':
exclusion_scan.update()
else:
return dict(result='failed', error=res)
elif type == "sqli":
exclusion_scan = ExclusionScan.find_by('where type=1')[0]
exclusion_scan.method = content_escape(i.method.strip().lower())
exclusion_scan.protocol = content_escape(i.protocol.strip().lower())
exclusion_scan.host = content_escape(i.host.strip().lower())
exclusion_scan.ip = content_escape(i.ip.strip().lower())
exclusion_scan.port = content_escape(i.port.strip().lower())
exclusion_scan.path = content_escape(i.path.strip().lower())
exclusion_scan.accept = content_escape(i.accept.strip().lower())
exclusion_scan.accept_language = content_escape(i.accept_language.strip().lower())
exclusion_scan.accept_encoding = content_escape(i.accept_encoding.strip().lower())
exclusion_scan.referer = content_escape(i.referer.strip().lower())
exclusion_scan.user_agent = content_escape(i.user_agent.strip().lower())
exclusion_scan.cookie = content_escape(i.cookie.strip().lower())
exclusion_scan.content_type = content_escape(i.content_type.strip().lower())
exclusion_scan.post_data = content_escape(i.post_data.strip().lower())
exclusion_scan.update_time = now
res = exclusion_validate(exclusion_scan)
if res == 'success':
exclusion_scan.update()
else:
return dict(result='failed', error=res)
elif type == "fi":
exclusion_scan = ExclusionScan.find_by('where type=2')[0]
exclusion_scan.method = content_escape(i.method.strip().lower())
exclusion_scan.protocol = content_escape(i.protocol.strip().lower())
exclusion_scan.host = content_escape(i.host.strip().lower())
exclusion_scan.ip = content_escape(i.ip.strip().lower())
exclusion_scan.port = content_escape(i.port.strip().lower())
exclusion_scan.path = content_escape(i.path.strip().lower())
exclusion_scan.accept = content_escape(i.accept.strip().lower())
exclusion_scan.accept_language = content_escape(i.accept_language.strip().lower())
exclusion_scan.accept_encoding = content_escape(i.accept_encoding.strip().lower())
exclusion_scan.referer = content_escape(i.referer.strip().lower())
exclusion_scan.user_agent = content_escape(i.user_agent.strip().lower())
exclusion_scan.cookie = content_escape(i.cookie.strip().lower())
exclusion_scan.content_type = content_escape(i.content_type.strip().lower())
exclusion_scan.post_data = content_escape(i.post_data.strip().lower())
exclusion_scan.update_time = now
res = exclusion_validate(exclusion_scan)
if res == 'success':
exclusion_scan.update()
else:
return dict(result='failed', error=res)
else:
return dict(result='failed', error='unknown scan type!')
return dict(result='success')
