def httpauth(target, userfile='./wordlists/user.txt', passwdfile='./wordlists/passwd.txt'):
    '''
    HTTP basic-authentication weak-credential check.

    Every user name from ``userfile`` is tried against every password from
    ``passwdfile`` with HTTP Basic auth; a 200 reply is treated as a hit and
    reported as a medium-severity finding.

    :param target: target url that is expected to answer with a 401
    :param userfile: path of the user-name wordlist, one entry per line
    :param passwdfile: path of the password wordlist, one entry per line
    :return: 0
    '''
    up = []
    # NOTE(review): both files are opened without ``with``/close(), and the
    # trailing newline produces an empty last entry in each list.
    userfile = open(userfile, 'r').read().split('\n')
    passwdfile = open(passwdfile, 'r').read().split('\n')
    for i in userfile:
        for j in passwdfile:
            try:
                # Unauthenticated probe: a 200 means there is no auth to test.
                # NOTE(review): this probe is repeated on every (user, password)
                # pair; it could be done once before the loops.
                # NOTE(review): no ``timeout=`` on either request -- a stalled
                # target blocks the whole scan.
                r = requests.get(target)
                if r.status_code == 200:
                    return 0
                r = requests.get(target, auth=HTTPBasicAuth(i, j))
                if r.status_code == 200:
                    print(
                        "\033[1;32;1m[+]目标存在HTTP认证弱密钥漏洞!user:{},password:{}\033[0m"
                        .format(i, j))
                    vulnsum.addMedium()
                    # NOTE(review): the rest of this function is garbled in the
                    # source copy ('******' stands in for the original text);
                    # the ``except`` clause of the ``try`` above and the
                    # report call are among the pieces not visible here.
                    up.append('user:'******'password:'******'HTTP Authentication Defects', up)
def mwcs(target):
    '''
    Plaintext credential transmission check.

    Loads the target in a headless Firefox, locates the password field (and
    any field that looks like a user-name field), starts the packet sniffer
    ``./bin/snf.py``, submits the fixed value "Admin123" through the form and
    then looks for that value in the sniffer's capture file.

    :param target: target url of the login page
    :return: 0 when there is no password field or the page could not be
             processed, otherwise None
    '''
    profile = webdriver.FirefoxProfile()
    # NOTE(review): certificate validation is switched off for the whole
    # browser session.
    profile.accept_untrusted_certs = True
    opt = webdriver.FirefoxOptions()
    opt.add_argument('--headless')
    browser = webdriver.Firefox(firefox_profile=profile, options=opt)
    try:
        browser.get(target)
        sour = browser.page_source
        # print(sour)
        soup = BeautifulSoup(sour, "html.parser")
        pwd = soup('input', type="password")
        if pwd == []:
            # NOTE(review): the browser is not closed on this early return.
            return 0
        # Sniffer started here so that it is running before the form is
        # submitted; presumably it writes /tmp/snf.txt (read back below).
        # NOTE(review): /tmp/snf.txt is a fixed, predictable path.
        da = os.popen("./bin/snf.py")
        ipt = soup('input')
        for i in range(len(ipt)):
            # Heuristic: any input whose markup mentions a user-name-like
            # word is treated as the user-name field.
            if "用户名" in str(ipt[i]) or "User" in str(ipt[i]) or "user" in str(
                    ipt[i]) or "loginID" in str(ipt[i]):
                if pwd[0] != ipt[i]:
                    pwd.append(ipt[i])
        for i in range(len(pwd)):
            # print(pwd[i])
            # Reduce each element to the value of its name="..." attribute
            # (slice strips the leading 'name="' and trailing '"').
            pwd[i] = re.findall(r'name="[a-zA-Z0-9_=+\-/]+"', str(pwd[i]))[0][6:-1]
    except:
        # NOTE(review): bare except also hides KeyboardInterrupt and the
        # browser is left open on this path.
        print("\033[1;31;1m[!]登录失败\033[0m")
        return 0
    browser.refresh()
    # The same fixed test value goes into every collected field.
    for i in pwd:
        browser.find_element_by_name(i).send_keys("Admin123")
    try:
        browser.find_element_by_name(pwd[0]).send_keys(Keys.ENTER)
    except IndexError:
        pass
    browser.close()
    # Wait for the sniffer process to finish, then read its capture.
    da.read()
    da = open('/tmp/snf.txt', 'r').read()
    try:
        # A "<field>=Admin123" substring in the capture means the credential
        # crossed the wire unencrypted.
        if pwd[0] + "=" + "Admin123" in da:
            print("\033[1;32;1m[+]存在密码明文传输漏洞!\033[0m")
            vulnsum.addMedium()
            report.whtml('User name and password plaintext transmission', da)
        # NOTE(review): placement of this cleanup relative to the ``if`` is
        # reconstructed from an unindented source copy.
        os.system('rm /tmp/snf.txt')
    except:
        pass
def httpHead(target):
    '''
    HTTP header information leakage: report the ``Server`` banner.

    A GET with the module-level ``head`` headers is sent; when the reply
    carries a ``Server`` header it is printed, counted as a low-severity
    finding and written to the report. Every failure -- unreachable target,
    reply without the header, reporting error -- is silently ignored.

    :param target: target url
    :return: None
    '''
    try:
        # NOTE(review): no ``timeout=`` -- a stalled target blocks the scan.
        banner = requests.get(target, headers=head).headers['Server']
        print("\033[1;32;1m[+]发现HTTP头泄露了服务器信息:", banner + '\033[0m')
        vulnsum.addLow()
        report.whtml('HTTP Header Information Leakage', banner)
    except BaseException:
        # Same as a bare ``except``: nothing to report on any failure.
        pass
def options(target):
    '''
    HTTP OPTIONS method detection.

    Sends an OPTIONS request with the module-level ``head`` headers; when the
    reply carries an ``Allow`` header its value is printed, counted as a
    low-severity finding and written to the report. Every failure is
    silently ignored.

    :param target: target url
    :return: None
    '''
    try:
        # NOTE(review): no ``timeout=`` -- a stalled target blocks the scan.
        allowed = requests.options(target, headers=head).headers['Allow']
        print("\033[1;32;1m[+]发现服务器启用了OPTIONS方法:", allowed + '\033[0m')
        vulnsum.addLow()
        report.whtml('HTTP OPTIONS method is active', allowed)
    except BaseException:
        # Same as a bare ``except``: nothing to report on any failure.
        pass
def ms17_010(target):
    """
    MS17-010 check via the Metasploit ``smb_ms17_010`` auxiliary scanner.

    A resource script is written to /tmp/smb.rc, run with ``msfconsole -r``,
    and the output is searched for the scanner's "Host is likely VULNERABLE"
    line. Only the auxiliary scanner (a check) is run; the report entry
    merely names the corresponding exploit module.

    :param target: IP address or IP range (RHOSTS value)
    :return: None
    """
    # NOTE(review): /tmp/smb.rc is a fixed, predictable path.
    f = open('/tmp/smb.rc', 'w')
    f.write('use auxiliary/scanner/smb/smb_ms17_010\n')
    # NOTE(review): target is written into the resource script unvalidated;
    # a value containing a newline would add further msfconsole commands.
    f.write('set RHOSTS ' + target + '\n')
    f.write('exploit\n')
    f.write('exit\n')
    f.close()
    rst = os.popen('msfconsole -r /tmp/smb.rc').read()
    # print(rst)
    if 'Host is likely VULNERABLE' in rst:
        print("\033[1;32;1m[+]存在MS-17-010漏洞\033[0m")
        vulnsum.addHigh()
        report.whtml(
            'MS17-010 Vulnerability',
            'Metasploit EXP:\nexploit/windows/smb/ms17_010_eternalblue\n')
    os.system('rm /tmp/smb.rc')
def robots(target):
    '''
    robots.txt information leakage: look for administrative path names.

    Fetches ``<target>/robots.txt`` and, for each keyword in ``checks`` (in
    that order), prints a notice, counts a low-severity finding and writes
    the keyword matches to the report. Every failure is silently ignored.

    :param target: target url (robots.txt is appended to it)
    :return: None
    '''
    # NOTE(review): 'management' always contains 'manage', so a robots.txt
    # with "management" is reported twice; both use the "manage" message.
    checks = (
        ('admin', "\033[1;32;1m[+]发现目标robots.txt泄露了admin目录!\033[0m"),
        ('management', "\033[1;32;1m[+]发现目标robots.txt泄露了manage目录!\033[0m"),
        ('manage', "\033[1;32;1m[+]发现目标robots.txt泄露了manage目录!\033[0m"),
    )
    try:
        # NOTE(review): no ``timeout=`` -- a stalled target blocks the scan.
        body = requests.get(target + "/robots.txt", headers=head).text
        for keyword, message in checks:
            if keyword in body:
                print(message)
                vulnsum.addLow()
                report.whtml('Robots.txt File Information Leakage',
                             re.findall(keyword, body))
    except BaseException:
        # Same as a bare ``except``: nothing to report on any failure.
        pass
def ipLkg(target):
    '''
    IP address leakage: find dotted-quad addresses in the page source.

    Every match is printed and collected; when at least one is found a single
    low-severity finding is counted and the list is written to the report.
    Every failure is silently ignored.

    :param target: target url
    :return: None
    '''
    # One capture group per octet (0-255); four of them joined by literal dots.
    octet = r'(25[0-5]|2[0-4]\d|[0-1]\d{2}|[1-9]?\d)'
    dotted_quad = re.compile(r'\.'.join([octet] * 4))
    found = []
    try:
        # NOTE(review): no ``timeout=`` -- a stalled target blocks the scan.
        body = requests.get(target, headers=head).text
        # url = re.findall(r'http://[a-zA-Z0-9./]*|https://[a-zA-Z0-9./]*', body)
        # NOTE(review): version strings such as "1.2.3.4" also match this
        # pattern, so some hits may not be addresses.
        matches = dotted_quad.findall(body)
        if matches != []:
            vulnsum.addLow()
            for octets in matches:
                address = ".".join(octets)
                print("\033[1;32;1m[+]发现源码中泄露了IP地址:", address + '\033[0m')
                found.append(address)
            report.whtml('Source Leakage IP Address', found)
    except BaseException:
        # Same as a bare ``except``: nothing to report on any failure.
        pass
def py_nmap(target, flag, user, passwd, ufile, pfile):
    """
    Port-scan the target with nmap, then hand every recognised service to
    brute() and collect what it reports.

    nmap's service names are normalised (replace chain below) so that they
    match the names brute() expects, and a fixed list of services is skipped.
    Whatever brute() leaves on the global queue ``h_q`` is read back,
    searched for "login: ... password: ..." result lines and reported as a
    high-severity finding. Finally, ms17_010() is run when port 445 is
    considered open.

    :param target: target url; converted to an IP with urltoip() first
    :param flag: truthy -> full port range (-p0-65535) with -T4 -A -sV;
                 falsy -> plain "nmap <ip>"
    :param user: single user name, passed through to brute()
    :param passwd: single password, passed through to brute()
    :param ufile: user-name wordlist path, passed to brute() as ``usfile``
    :param pfile: password wordlist path, passed to brute() as ``pdfile``
    :return: 0 when nmap reports no open port, otherwise None
    """
    global h_q
    global d_rt
    # NOTE(review): in the source copy this docstring sat after the two
    # ``global`` statements, where it was an unused expression.
    # target url -> target ip
    target = urltoip(target)
    # NOTE(review): target is concatenated into a shell command string; it is
    # assumed to be a bare IP after urltoip() -- confirm.
    if flag:
        get_nmap = os.popen("nmap -T4 -A -sV -p0-65535 " + target).read()
        if 'Host seems down' in get_nmap:
            # Retry without host discovery (-Pn) when ping probes are blocked.
            get_nmap = os.popen('nmap -T4 -A -sV -Pn -p0-65535 ' + target).read()
    else:
        get_nmap = os.popen("nmap " + target).read()
        if 'Host seems down' in get_nmap:
            get_nmap = os.popen('nmap -T4 -A -sV -Pn ' + target).read()
    # Raw result lines: "<port>/tcp  open  <service>"
    rt = re.findall(r'\d+/tcp[ ]*open[ ]*[a-zA-Z0-9_/?\-]*', get_nmap)
    if rt == []:
        print("\033[1;31;1m[!]目标未开放任何端口或网络不可达\033[0m")
        return 0
    # result list type
    # print(rt)
    # NOTE(review): always true here -- the empty case returned above.
    if rt != []:
        report.wnmap('Nmap Scan Result', 'Port/Protocal', 'State', 'Service', rt)
    for i in range(len(rt)):
        print('\033[1;32;1m[+]' + rt[i] + '\033[0m')
        # "80/tcp open http" -> "80 http": drop spaces and "/tcp", then turn
        # "open" into the single separator.
        rt[i] = rt[i].replace(' ', '')
        rt[i] = rt[i].replace('/tcp', '')
        rt[i] = rt[i].replace('open', ' ')
        # Map nmap service names onto the names brute() understands.
        rt[i] = rt[i].replace('netbios-ssn', 'samba')
        rt[i] = rt[i].replace('microsoft-ds', 'smb')
        rt[i] = rt[i].replace('exec', 'rexec')
        rt[i] = rt[i].replace('login', 'rlogin')
        rt[i] = rt[i].replace('shell', 'rlogin')
        rt[i] = rt[i].replace('nfs', 'pcnfs')
        rt[i] = rt[i].replace('ccproxy-ftp', 'ftp')
        rt[i] = rt[i].replace('postgresql', 'postgres')
        rt[i] = rt[i].replace('vnc-1', 'vnc')
        rt[i] = rt[i].replace('vnc-2', 'vnc')
        rt[i] = rt[i].replace('vnc-3', 'vnc')
        rt[i] = rt[i].replace('ms-wbt-server', 'rdp')
        rt[i] = rt[i].split(' ')
        # dict type: {'service': 'port'}
        rt[i] = {rt[i][1]: rt[i][0]}
    # print(rt)
    # Merge service -> [ports] into d_rt
    for i in range(len(rt)):
        for j in rt[i]:
            d_rt.setdefault(j, []).append(rt[i][j])
    for i in list(d_rt.keys()):
        # Services with no brute() handler (or handled elsewhere) are skipped.
        if i == 'irc' or i == 'unknown' or i == 'X11' or i == 'samba' or i == 'ajp13' or i == 'msrpc' or i == 'IIS' or i == 'iad1' or i == 'ms-lsa' or i == 'NFS-or-IIS' or i == 'LSA-or-nterm' or i == 'http':
            continue
        brute(d_rt, i, target, user, passwd, usfile=ufile, pdfile=pfile)
    # Drain h_q; presumably brute() pushes file-like result handles onto it,
    # with '\x00' as a placeholder for "nothing found" -- confirm in brute().
    while h_q.qsize():
        # print(h_q.empty())
        # if h_q.empty():
        #     break
        # note: .get() blocks
        h = h_q.get()
        # print(h)
        if h != '\x00':
            # print(h_q.get())
            h = h.read()
            # print(h)
            # Result lines of the form "[port][service] host: ... login: ...
            # password: ..." (looks like hydra's output format -- confirm).
            rst = re.findall(
                r'\[\d+\]\[[a-zA-Z0-9]+\]\s*host:\s*\d+\.\d+\.\d+\.\d+\s*login:\s*[a-zA-Z0-9\-_]+\s*password:\s*[a-zA-Z0-9\-_!@#$%]+',
                h)
            # Print the weak credentials found
            for i in rst:
                print('\033[1;32;1m' + '[+]' + i + '\033[0m')
                vulnsum.addHigh()
            if rst != []:
                report.whtml('Port weak password', rst)
    # NOTE(review): d_rt's values are lists of ports (see setdefault above),
    # so this compares the str '445' against lists and never holds as written.
    if '445' in list(d_rt.values()):
        ms17_010(target)
def nikto(target):
    """
    Run nikto against the target and turn its findings into console output,
    severity counts and report entries.

    nikto's stdout is checked in a fixed order with two kinds of tests: plain
    substring matches, and regular expressions for
    "<product>/<version> appears to be outdated" lines, of which the first
    match is reported.

    :param target: target url, handed to ``nikto -h`` unchanged
    :return: None
    """
    # NOTE(review): target is concatenated into a shell command string; it is
    # assumed to hold nothing but a URL -- confirm at the caller.
    rst = os.popen("nikto -h " + target).read()

    def _flag(message, medium, title, detail):
        # Console line first, then the severity counter, then the report entry.
        print(message)
        if medium:
            vulnsum.addMedium()
        else:
            vulnsum.addLow()
        report.whtml(title, detail)

    def _outdated(pattern, label, title):
        # Outdated-version lines are always low severity; only the first
        # match is reported, with the colour reset appended on output.
        found = re.findall(pattern, rst)
        if found != []:
            print(label, found[0] + '\033[0m')
            vulnsum.addLow()
            report.whtml(title, found[0])

    if 'The X-XSS-Protection header is not defined' in rst:
        _flag("\033[1;32;1m[+]HTTP Header中未使用XSS保护\033[0m", False,
              'X-XSS-Protection', 'The X-XSS-Protection header is not defined')
    if 'The X-Content-Type-Options header is not set' in rst:
        _flag("\033[1;32;1m[+]未设置x-content-type-options头\033[0m", False,
              'X-Content-Type-Options', 'The X-Content-Type-Options header is not set')
    if 'Apache mod_negotiation is enabled' in rst:
        _flag("\033[1;32;1m[+]Apache mod_negotiation启用\033[0m", False,
              'Apache mod_negotiation', 'Apache mod_negotiation is enabled')
    _outdated(r'Apache/[\d.]* appears to be outdated',
              "\033[1;32;1m[+]Apache版本较低", 'Apache version is lower')
    _outdated(r'PHP/[\d.a-zA-Z\-_]* appears to be outdated',
              "\033[1;32;1m[+]PHP版本较低", 'PHP version is lower')
    if 'X-Frame-Options header' in rst:
        _flag("\033[1;32;1m[+]存在点击劫持漏洞\033[0m", False,
              'Click hijack', 'X-Frame-Options header is not defined')
    _outdated(r'Python/2[\d.]* appears to be outdated',
              "\033[1;32;1m[+]Python版本较低", 'Python version is lower')
    _outdated(r'mod_ssl/[\d.]* appears to be outdated',
              "\033[1;32;1m[+]ssl版本较低", 'ssl version is lower')
    _outdated(r'OpenSSL/[\d.a-zA-Z]* appears to be outdated',
              "\033[1;32;1m[+]OpenSSL版本较低", 'OpenSSL version is lower')
    _outdated(r'Phusion_Passenger/[\d.]* appears to be outdated',
              "\033[1;32;1m[+]Phusion_Passenger版本较低", 'Phusion Passenger version is lower')
    _outdated(r'mod_mono/[\d.]* appears to be outdated',
              "\033[1;32;1m[+]mono版本较低", 'mono version is lower')
    _outdated(r'proxy_html/[\d.]* appears to be outdated',
              "\033[1;32;1m[+]HTTP Proxy版本较低", 'HTTP Proxy version is lower')
    _outdated(r'mod_perl/[\d.]* appears to be outdated',
              "\033[1;32;1m[+]Perl版本较低", 'Perl version is lower')
    if 'HTTP TRACE method is active' in rst:
        _flag("\033[1;32;1m[+]启用了TRACE方法\033[0m", True,
              'HTTP TRACE method is active', re.findall(r'TRACE', rst))
    if 'phpMyAdmin directory found' in rst:
        _flag("\033[1;32;1m[+]发现phpmyadmin目录\033[0m", False,
              'phpMyAdmin directory found', 'curl ' + target + '/phpmyadmin')
    if 'phpmyadmin/Documentation.html' in rst:
        _flag("\033[1;32;1m[+]存在可访问的/phpmyadmin/Documentation.html页面\033[0m", True,
              'There are accessible /phpMyAdmin/Documentation.html pages',
              'curl ' + target + '/phpmyadmin/Documentation.html')
    if 'Apache default file found' in rst:
        _flag("\033[1;32;1m[+]发现Apache默认文件/icons/README\033[0m", False,
              'Apache default file found', '/icons/README')
    if '/Admin/: Directory indexing found' in rst:
        _flag("\033[1;32;1m[+]发现Admin路径/Admin/\033[0m", False,
              'Admin Directory indexing found', '/Admin/')
    if '/admin/: Directory indexing found' in rst:
        _flag("\033[1;32;1m[+]发现admin路径/admin/\033[0m", True,
              'admin Directory indexing found', '/admin/')