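def dbquery(request):
    """Django view behind the ad-hoc SQL console page (``dbquery.html``).

    Reads two query-string parameters:

    * ``action`` -- when equal to ``"dbquery"`` the request is a statement
      submission; any other value just renders the page.
    * ``targetValue`` -- the SQL statement to run.

    Returns an ``HttpResponse`` containing ``str(result)`` with newlines
    rewritten as ``<br>``, or the rendered template for a plain page visit.

    NOTE(review): ``targetValue`` is handed to ``execute_sql_in_db`` verbatim
    against ``db_name`` -- nothing here validates or restricts it, so this
    view must only be reachable by trusted, authenticated operators.  Whether
    such access control exists lives outside this block (URL routing /
    middleware); confirm it there.
    """
    target_value = request.GET.get('targetValue')
    action = request.GET.get('action')
    if target_value is not None:
        # Debug trace of the submitted statement, kept from the original.
        print(target_value)
    if action != "dbquery":
        return render_to_response("dbquery.html", {})
    # Arbitrary SQL straight from the query string -- see NOTE above.
    result = str(execute_sql_in_db(target_value, db_name))
    return HttpResponse(result.replace("\n", "<br>"))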
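def targets(request):
    """Django view for the target list page (``targets.html``).

    Dispatches on the ``action`` query-string parameter:

    * ``"query"``  -- returns the ``http_domain`` column of
      ``first_targets_table_name`` and ``targets_table_name`` as an HTML
      fragment (``<br>``-separated).
    * ``"add"``    -- normalises ``targetValue`` with
      ``get_http_domain_from_url`` and inserts it into
      ``targets_table_name``.
    * ``"delete"`` -- normalises ``targetValue`` the same way and deletes the
      matching row.
    * anything else -- renders ``targets.html`` (the normal page visit).

    The ``add``/``delete`` statements are built with ``%`` formatting because
    ``execute_sql_in_db`` is only ever called here with a statement string.
    To keep a user-supplied value from terminating its quoted literal, values
    containing a quote or backslash are refused before the statement is
    built.  NOTE(review): switch to bind parameters if the helper supports
    them -- its signature is not visible in this file.
    """
    target_value = request.GET.get('targetValue')
    action = request.GET.get('action')
    if target_value is not None:
        print(target_value)

    def _domain_column(table_name):
        """Return the ``http_domain`` column of *table_name*, one value per
        line, or ``"None\\n"`` when the table has no rows."""
        rows = execute_sql_in_db(
            "select http_domain from %s" % table_name, db_name)
        if not rows:
            return "None\n"
        return "".join(row[0] + "\n" for row in rows)

    if action == "query":
        string = ("first targets:\n" + _domain_column(first_targets_table_name)
                  + "\n" + "targets:\n" + _domain_column(targets_table_name))
        return HttpResponse(string.replace("\n", "<br>"))

    if action in ("add", "delete"):
        if target_value is None:
            return HttpResponse(
                "targetValue is required for action %s" % action)
        target_value = get_http_domain_from_url(target_value)
        # Refuse anything that could break out of the quoted SQL literal.
        if "'" in target_value or "\\" in target_value:
            return HttpResponse("invalid target value")
        if action == "add":
            execute_sql_in_db(
                "insert into %s(http_domain,domain) values('%s','%s')" %
                (targets_table_name, target_value, target_value.split("/")[-1]),
                db_name)
            string = "add new target %s for scan successully:D" % target_value
        else:
            execute_sql_in_db(
                "DELETE FROM `%s` WHERE http_domain='%s'" %
                (targets_table_name, target_value), db_name)
            string = "delete target %s from db successully:D" % target_value
        return HttpResponse(string)

    print("normal visit without action request to targets.html")
    # This return must stay: it is the normal page rendering for a visit
    # that carries no action (query/add/delete).
    return render(request, "targets.html", {})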
# This debug.py is for developers. Do not run it if you only want to run 3xp10it and are not developing it.

import os
import re
import subprocess
import sys
# The exp10it helpers are looked up in ~/mypypi; putting that directory at
# the front of sys.path makes the `from exp10it import ...` lines below
# resolve against it.
exp10it_module_path = "%s/mypypi" % os.path.expanduser("~")
sys.path.insert(0, exp10it_module_path)
from exp10it import execute_sql_in_db
from exp10it import get_string_from_command
from exp10it import CONFIG_INI_PATH
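if os.path.exists(CONFIG_INI_PATH):
    db_name = "exp10itdb"
    # Interactive menu; only choice '1' (drop the database and remove
    # config.ini) is implemented here.
    a = input("1.删除config.ini和exp10itdb\n2....\n>")
    if a == '1':
        # Probe the mysql client; when the server is down, start it first.
        result = get_string_from_command("mysql")
        if re.search(r"Can't connect", result, re.I):
            # Argument list, no shell -- same command as before.
            subprocess.run(["service", "mysql", "start"], check=False)
        # NOTE(review): called with one argument here while the web views
        # pass a db name as second argument -- confirm the helper's default.
        execute_sql_in_db("drop database %s" % db_name)
        # Unlink directly instead of shelling out to `rm`; the path was
        # just confirmed to exist by the check above.
        os.remove(CONFIG_INI_PATH)
else:
    print("%s not exist" % CONFIG_INI_PATH)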
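    def process_item(self, item, spider):
        """Persist one crawled page (*item*) into the per-target MySQL tables.

        Writes happen in three groups, all keyed on where *item* belongs
        according to ``get_target_table_name_info(current_url)``:

        1. The page row -- ``code``, ``title``, ``content`` and the two
           ``like_*`` flags -- goes into the URL table of the start URL for
           main targets, or into ``<host>_urls`` for pang/sub targets.
        2. Aggregate columns on the owning target row(s): every entry of
           ``resources_file_list`` into ``resource_files``, and the current
           URL into ``like_admin_login_urls`` / ``like_webshell_urls`` when
           the matching flag is set.
        3. For a main target whose host is not a bare IPv4 address,
           sub-domains not yet present in ``<main>_sub`` are inserted there
           and appended to ``LOG_FOLDER_PATH/sub/<main>_sub.txt``.

        Args:
            item: dict-like with keys ``current_url``, ``code``, ``title``,
                ``content``, ``like_admin_login_url``, ``like_webshell_url``,
                ``resources_file_list`` and ``sub_domains_list``.
            spider: the Scrapy spider; accepted for the pipeline signature
                but not used here.

        Returns:
            *item*, unchanged, so later pipeline stages receive it.

        Raises:
            KeyError: if *item* lacks one of the keys above.
            ValueError: if ``target_table_info`` matches none of the known
                table kinds (the original reached an unbound local instead).
        """
        current_url = item['current_url']
        hostname = urlparse(current_url).hostname
        code = item['code']
        title = item['title']
        content = item['content']

        # A "^" suffix carries extra data on the URL; drop it for lookups
        # (split() returns the whole string when there is no "^").
        pure_url = current_url.split("^")[0]

        http_domain = get_http_domain_from_url(current_url)
        main_target_domain = get_url_belong_main_target_domain(pure_url)
        main_prefix = main_target_domain.replace(".", "_")
        pang_table_name = main_prefix + "_pang"
        sub_table_name = main_prefix + "_sub"

        target_table_info = get_target_table_name_info(current_url)

        url_start_url = None
        if target_table_info['target_is_pang_or_sub']:
            url_table_name = get_http_domain_from_url(pure_url).split(
                "/")[-1].replace(".", "_") + "_urls"
        else:
            url_start_url = get_url_start_url(pure_url)
            url_table_name = get_start_url_urls_table(url_start_url)

        # 1. Per-URL row: code/title/content and the like_* flags.
        primary_key = "url"
        primary_value = current_url
        write_string_to_sql(str(code), DB_NAME, url_table_name, 'code',
                            primary_key, primary_value)
        write_string_to_sql(title, DB_NAME, url_table_name, 'title',
                            primary_key, primary_value)
        write_string_to_sql(content, DB_NAME, url_table_name, 'content',
                            primary_key, primary_value)
        if item['like_admin_login_url']:
            write_string_to_sql('1', DB_NAME, url_table_name,
                                'like_admin_login_url', primary_key,
                                primary_value)
        if item['like_webshell_url']:
            write_string_to_sql('1', DB_NAME, url_table_name,
                                'like_webshell_url', primary_key,
                                primary_value)

        # 2. Aggregate columns on the owning target row(s).  Pick the target
        # table(s) and the key that identifies the row in them.
        if (target_table_info['target_is_pang_or_sub']
                and not target_table_info['target_is_pang_and_sub']):
            only_pang = target_table_info['target_is_only_pang']
            target_tables = [pang_table_name if only_pang else sub_table_name]
            primary_key = 'http_domain'
            primary_value = http_domain
        elif target_table_info['target_is_pang_and_sub']:
            target_tables = [pang_table_name, sub_table_name]
            primary_key = 'http_domain'
            primary_value = http_domain
        elif target_table_info['target_is_main_and_table_is_targets']:
            target_tables = [TARGETS_TABLE_NAME]
            primary_key = 'start_url'
            primary_value = url_start_url
        elif target_table_info['target_is_main_and_table_is_first_targets']:
            target_tables = [FIRST_TARGETS_TABLE_NAME]
            primary_key = 'start_url'
            primary_value = url_start_url
        else:
            raise ValueError(
                "unrecognised target table info for %s: %r"
                % (current_url, target_table_info))

        for resource_file in item['resources_file_list']:
            for target_table in target_tables:
                auto_write_string_to_sql(resource_file, DB_NAME, target_table,
                                         "resource_files", primary_key,
                                         primary_value)

        for target_table in target_tables:
            if item['like_admin_login_url']:
                auto_write_string_to_sql(current_url, DB_NAME, target_table,
                                         "like_admin_login_urls", primary_key,
                                         primary_value)
            if item['like_webshell_url']:
                auto_write_string_to_sql(current_url, DB_NAME, target_table,
                                         "like_webshell_urls", primary_key,
                                         primary_value)

        # 3. Newly discovered sub-domains, only for main targets with a real
        # host name (a bare IPv4 address has no sub-domains to record).
        if (target_table_info['target_is_main']
                and not re.match(r"(\d+\.){3}\d+", hostname or "")):
            rows = execute_sql_in_db(
                "select http_domain from %s" % sub_table_name, DB_NAME)
            known_sub_domains = {row[0] for row in rows}
            sub_log_dir = os.path.join(LOG_FOLDER_PATH, "sub")
            sub_log_path = os.path.join(sub_log_dir, sub_table_name + ".txt")
            for sub_domain in item['sub_domains_list']:
                if sub_domain in known_sub_domains:
                    continue
                # execute_sql_in_db takes a bare statement string, so the
                # value is %-formatted into a quoted literal; a crawled value
                # containing a quote or backslash could break out of that
                # literal and is skipped rather than written.
                if "'" in sub_domain or "\\" in sub_domain:
                    continue
                sql = ("insert ignore into `%s`(http_domain,domain) "
                       "values('%s','%s')"
                       % (sub_table_name, sub_domain, sub_domain.split("/")[-1]))
                execute_sql_in_db(sql, DB_NAME)
                # Append to the log file directly instead of shelling out
                # to mkdir/echo.
                os.makedirs(sub_log_dir, exist_ok=True)
                with open(sub_log_path, "a") as log_file:
                    log_file.write(sub_domain.split("/")[-1] + "\n")

        return item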
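def result(request):
    """Django view for the scan-result page (``result.html``).

    Query-string protocol (all via ``GET``):

    * ``action=result&targetValue=initShowResult`` -- returns the known
      targets as ``firstTargets,<d1>,<d2>;targets,<d3>,...`` so the page can
      populate its selector.
    * ``action=result&targetValue=<http_domain>`` -- returns the scan result
      columns of that target from its targets/first_targets table, followed
      by the same columns for every row of the target's ``_pang`` and
      ``_sub`` tables when those tables exist.
    * anything else -- renders ``result.html``.

    SQL is built with ``%`` formatting because ``execute_sql_in_db`` is only
    called here with a statement string; the user-supplied ``http_domain``
    is therefore refused when it contains a quote or backslash.
    NOTE(review): prefer bind parameters if the helper supports them.
    """
    target_value = request.GET.get('targetValue')
    action = request.GET.get('action')
    if target_value is not None:
        print(target_value)

    if action != "result":
        return render_to_response("result.html", {})

    if target_value == "initShowResult":
        first_targets = execute_sql_in_db(
            "select http_domain from %s" % first_targets_table_name, db_name)
        targets = execute_sql_in_db(
            "select http_domain from %s" % targets_table_name, db_name)

        # e.g. firstTargets,http://www.baidu.com,http://www.nihao.com;targets,http://www.wohao.com,http://www.dajiahao.com
        first_part = "firstTargets," + "".join(
            row[0] + "," for row in first_targets)
        # The trailing comma (or the label's comma when empty) becomes ";".
        first_part = first_part[:-1] + ";"
        second_part = "targets," + "".join(row[0] + "," for row in targets)
        # Kept as in the original wire format: the trailing comma is only
        # stripped when the table has rows, so an empty table yields
        # "targets,".
        if targets:
            second_part = second_part[:-1]

        return_string = first_part + second_part
        print(return_string)
        return HttpResponse(return_string)

    # Any other targetValue is a target in http_domain form; return every
    # scan result for it, including its sub-domains and pang (same-server)
    # sites when those are within the scan scope.
    http_domain = target_value
    print(http_domain)
    if http_domain is None or "'" in http_domain or "\\" in http_domain:
        return HttpResponse("invalid targetValue")
    # First element is the targets or first_targets table name.
    table_name = get_target_table_name_list(http_domain)[0]

    # urls and resource_files used to be shown as well; they were dropped on
    # purpose.
    result_columns = ["risk_scan_info", "script_type", "dirb_info", "sqlis",
                      "robots_and_sitemap", "cms_value", "cms_scan_info",
                      "like_admin_login_urls",
                      "cracked_admin_login_urls_info", "like_webshell_urls",
                      "cracked_webshell_urls_info",
                      "whois_info", "pang_domains", "sub_domains"]

    def _column_report(table, domain, columns):
        """Render the non-empty *columns* of *domain*'s row in *table* as
        ``name:\\n&nbsp...value\\n\\n`` blocks; empty/NULL cells and a
        missing row contribute nothing."""
        out = ""
        for column_name in columns:
            rows = execute_sql_in_db(
                "select %s from %s where http_domain='%s'" %
                (column_name, table, domain), db_name)
            # The original indexed rows[0][0] unconditionally; tolerate a
            # missing row or a NULL cell instead of raising.
            value = rows[0][0] if rows else None
            if not value:
                continue
            out += ("%s:\n&nbsp&nbsp&nbsp&nbsp" % column_name.replace("_", " ")
                    + value + "\n\n")
        return out

    return_value = _column_report(table_name, http_domain, result_columns)

    # Pang (same-server) and sub-domain tables, when they exist.  Their rows
    # do not carry the pang_domains/sub_domains columns.
    table_prefix = http_domain.split("/")[-1].replace(".", "_")
    neighbour_columns = [c for c in result_columns
                         if c not in ("pang_domains", "sub_domains")]
    for suffix, heading in (("_pang", "下面是旁站扫描结果:\n\n"),
                            ("_sub", "下面是子站扫描结果:\n\n")):
        neighbour_table = table_prefix + suffix
        if not exist_table_in_db(neighbour_table, db_name):
            continue
        rows = execute_sql_in_db(
            "select http_domain from %s" % neighbour_table, db_name)
        return_value += heading
        for row in rows:
            return_value += _column_report(neighbour_table, row[0],
                                           neighbour_columns)

    if return_value == "":
        return_value += "there is no result about %s" % http_domain
    return HttpResponse(return_value.replace("\n", "<br>"))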
        </object> 
      </java> 
    </work:WorkContext> 
  </soapenv:Header>  
  <soapenv:Body/> 
</soapenv:Envelope>
'''

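# Check whether the target is affected.
if len(sys.argv) < 2:
    print("usage: %s http://www.example.com  (no port)" % sys.argv[0])
    sys.exit(1)
target = sys.argv[1]
print("checking weblogic vul for " + target)
# target is expected in the form http://www.baidu.com (without a port).

target_table_name = get_target_table_name_list(target)[0]
# NOTE(review): the statement is %-formatted from the command-line value;
# move to bind parameters if execute_sql_in_db ever supports them.
result = execute_sql_in_db(
    "select port_scan_info from %s where http_domain='%s'" %
    (target_table_name, target), "exp10itdb")

testUrlList = []
cms_url = get_cms_entry_from_start_url(target)
parsed = urlparse(target)
if parsed.hostname is None:
    print("cannot parse a host name from " + target)
    sys.exit(1)
testUrlList.append(cms_url)

# One candidate URL per open port that is not a known non-web port.
open_port_list = get_target_open_port_list(target)

for port in open_port_list:
    if port not in COMMON_NOT_WEB_PORT_LIST:
        testUrlList.append("%s://%s:%s" % (parsed.scheme, parsed.hostname,
                                           port))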