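def dbquery(request):
    """Django view behind dbquery.html: run one SQL statement and show the result.

    GET parameters:
        action: the statement only runs when this is "dbquery"; otherwise the
            dbquery.html template is rendered.
        targetValue: the SQL statement, handed to execute_sql_in_db verbatim.

    Returns an HttpResponse whose body is str(result) with newlines turned
    into <br>, or the rendered template.

    SECURITY: this is a raw SQL console. Nothing in this view authenticates
    the caller or restricts the statement, so it must only be reachable from
    a trusted developer session; any access control would have to come from
    middleware or URL configuration that is not visible here.
    """
    import html

    targetValue = request.GET.get('targetValue')
    action = request.GET.get('action')
    if targetValue is not None:
        print(targetValue)
    if action != "dbquery":
        # render_to_response() was removed in Django 3.0; render(request, ...)
        # as used by the targets view is the replacement when upgrading.
        return render_to_response("dbquery.html", {})
    if targetValue is None:
        return HttpResponse("targetValue (the SQL statement) is required", status=400)
    result = str(execute_sql_in_db(targetValue, db_name))
    # The body is rendered as HTML by the page (newlines become <br>) and the
    # result can contain crawled page titles/content, so escape it first.
    return HttpResponse(html.escape(result).replace("\n", "<br>"))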
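def targets(request):
    """Django view behind targets.html: list, add or delete scan targets.

    GET parameters:
        action: "query" lists the first_targets and targets tables; "add" and
            "delete" change the targets table; anything else (or no action)
            renders the targets.html template.
        targetValue: the target URL for "add"/"delete", normalised with
            get_http_domain_from_url before use.

    Returns an HttpResponse with a "<br>"-joined text body for the three
    actions, or the rendered template.
    """
    import html
    import re

    targetValue = request.GET.get('targetValue')
    action = request.GET.get('action')
    if targetValue is not None:
        print(targetValue)

    if action == "query":
        sections = []
        for label, table in (("first targets", first_targets_table_name),
                             ("targets", targets_table_name)):
            rows = execute_sql_in_db("select http_domain from %s" % table, db_name)
            # The listing is served as HTML; the values come from the database
            # (user supplied and crawler supplied), so escape them.
            if rows:
                body = "".join(html.escape(row[0]) + "\n" for row in rows)
            else:
                body = "None\n"
            sections.append("%s:\n%s" % (label, body))
        string = "\n".join(sections)
        return HttpResponse(string.replace("\n", "<br>"))

    if action in ("add", "delete"):
        if targetValue is None:
            return HttpResponse("targetValue is required for action %s" % action, status=400)
        targetValue = get_http_domain_from_url(targetValue)
        # execute_sql_in_db takes a finished SQL string, so the value is
        # interpolated into the statement. Only a plain scheme://host[:port]
        # is accepted, which keeps quotes and comment markers out of MySQL
        # until the helper grows parameter support.
        if not re.fullmatch(r"https?://[A-Za-z0-9._-]+(:\d+)?", targetValue or ""):
            return HttpResponse("invalid target: %s" % html.escape(str(targetValue)), status=400)
        domain = targetValue.split("/")[-1]
        if action == "add":
            execute_sql_in_db(
                "insert into %s(http_domain,domain) values('%s','%s')" % (targets_table_name, targetValue, domain),
                db_name)
            string = "add new target %s for scan successully:D" % targetValue
        else:
            execute_sql_in_db(
                "DELETE FROM `%s` WHERE http_domain='%s'" % (targets_table_name, targetValue),
                db_name)
            string = "delete target %s from db successully:D" % targetValue
        return HttpResponse(string)

    # No (or unknown) action: plain visit of the page.
    print("normal visit without action request to targets.html")
    return render(request, "targets.html", {})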
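# This debug.py is for developers. Do not run it if you just want to run 3xp10it but not develop it.
#
# Offers one interactive action: wipe the local config.ini and the exp10itdb
# MySQL database so the tool starts from a clean state.
import os
import re
import subprocess
import sys

# The exp10it package lives in ~/mypypi, so it has to be on sys.path before it
# can be imported; that is why these imports follow the path tweak.
exp10it_module_path = os.path.expanduser("~") + "/mypypi"
sys.path.insert(0, exp10it_module_path)
from exp10it import execute_sql_in_db
from exp10it import get_string_from_command
from exp10it import CONFIG_INI_PATH

if os.path.exists(CONFIG_INI_PATH):
    db_name = "exp10itdb"
    a = input("1.删除config.ini和exp10itdb\n2....\n>")
    if a == '1':
        # Probe the server with the mysql client and start it if the client
        # reports that it cannot connect.
        result = get_string_from_command("mysql")
        if re.search(r"Can't connect", result, re.I):
            # Argument list, no shell: nothing here needs shell parsing.
            subprocess.run(["service", "mysql", "start"], check=False)
        execute_sql_in_db("drop database %s" % db_name)
        # os.remove instead of `rm` through a shell: no quoting issues with the path.
        os.remove(CONFIG_INI_PATH)
else:
    print("%s not exist" % CONFIG_INI_PATH)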
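def process_item(self, item, spider):
    """Scrapy pipeline step: persist one crawled page and what was found on it.

    1. Writes code/title/content and the admin-login / webshell flags of the
       page to the urls table of the target the page belongs to.
    2. Appends the page's resource files and, when flagged, its URL to the
       row(s) of the owning target (pang/sub table, targets or first_targets).
    3. For a main target whose host is not a bare IPv4 address, records newly
       seen sub-domains in the <main>_sub table and in
       LOG_FOLDER_PATH/sub/<main>_sub.txt.

    item keys read: current_url, code, title, content, like_admin_login_url,
    like_webshell_url, resources_file_list, sub_domains_list.
    Returns the item unchanged so later pipeline stages still see it.
    """
    current_url = item['current_url']
    hostname = urlparse(current_url).hostname
    code = item['code']
    title = item['title']
    content = item['content']
    # current_url may carry a "^"-separated suffix; everything before the first
    # "^" is the URL proper (the producer of that suffix is not visible here).
    pure_url = current_url.split("^")[0] if "^" in current_url else current_url
    http_domain = get_http_domain_from_url(current_url)
    main_target_domain = get_url_belong_main_target_domain(pure_url)
    pang_table_name = main_target_domain.replace(".", "_") + "_pang"
    sub_table_name = main_target_domain.replace(".", "_") + "_sub"
    target_table_info = get_target_table_name_info(current_url)
    if not target_table_info['target_is_pang_or_sub']:
        url_start_url = get_url_start_url(pure_url)
        url_table_name = get_start_url_urls_table(url_start_url)
    else:
        url_table_name = get_http_domain_from_url(pure_url).split("/")[-1].replace(".", "_") + "_urls"

    # 1. Per-URL row: code, title, content and the two heuristic flags.
    primary_key = "url"
    primary_value = current_url
    write_string_to_sql(str(code), DB_NAME, url_table_name, 'code', primary_key, primary_value)
    write_string_to_sql(title, DB_NAME, url_table_name, 'title', primary_key, primary_value)
    write_string_to_sql(content, DB_NAME, url_table_name, 'content', primary_key, primary_value)
    if item['like_admin_login_url']:
        write_string_to_sql('1', DB_NAME, url_table_name, 'like_admin_login_url', primary_key, primary_value)
    if item['like_webshell_url']:
        write_string_to_sql('1', DB_NAME, url_table_name, 'like_webshell_url', primary_key, primary_value)

    # 2. Per-target rows: which table(s) own this page and which key selects
    # the row. Starts empty so an unclassified page writes nothing instead of
    # failing on an unbound name in the loops below.
    _table_name_list = []
    if target_table_info['target_is_pang_or_sub'] and not target_table_info['target_is_pang_and_sub']:
        _table_name = pang_table_name if target_table_info['target_is_only_pang'] else sub_table_name
        _table_name_list = [_table_name]
        primary_key = 'http_domain'
        primary_value = http_domain
    elif target_table_info['target_is_pang_and_sub']:
        _table_name_list = [pang_table_name, sub_table_name]
        primary_key = 'http_domain'
        primary_value = http_domain
    elif target_table_info['target_is_main_and_table_is_targets']:
        _table_name_list = [TARGETS_TABLE_NAME]
        primary_key = 'start_url'
        primary_value = url_start_url
    elif target_table_info['target_is_main_and_table_is_first_targets']:
        _table_name_list = [FIRST_TARGETS_TABLE_NAME]
        primary_key = 'start_url'
        primary_value = url_start_url
    for resource_file in item['resources_file_list']:
        for each_table in _table_name_list:
            auto_write_string_to_sql(resource_file, DB_NAME, each_table, "resource_files", primary_key, primary_value)
    for each_table in _table_name_list:
        if item['like_admin_login_url']:
            auto_write_string_to_sql(current_url, DB_NAME, each_table, "like_admin_login_urls", primary_key, primary_value)
        if item['like_webshell_url']:
            auto_write_string_to_sql(current_url, DB_NAME, each_table, "like_webshell_urls", primary_key, primary_value)

    # 3. Sub-domains of a main target. Skipped for bare IPv4 hosts (no DNS
    # names to collect) and when the URL has no parseable host at all.
    if (target_table_info['target_is_main'] and hostname is not None
            and not re.match(r"(\d+\.){3}\d+", hostname)):
        rows = execute_sql_in_db("select http_domain from %s" % sub_table_name, DB_NAME)
        existing_sub_domains = {row[0] for row in rows}
        sub_log_dir = os.path.join(LOG_FOLDER_PATH, "sub")
        sub_log_path = os.path.join(sub_log_dir, sub_table_name + ".txt")
        for sub_domain in item['sub_domains_list']:
            if sub_domain in existing_sub_domains:
                continue
            # sub_domain was scraped from the target's pages and is interpolated
            # into SQL and written to disk, so only a plain scheme://host[:port]
            # is accepted; anything else is dropped.
            if not re.fullmatch(r"https?://[A-Za-z0-9._-]+(:\d+)?", sub_domain or ""):
                continue
            domain = sub_domain.split("/")[-1]
            execute_sql_in_db(
                "insert ignore into `%s`(http_domain,domain) values('%s','%s')" % (sub_table_name, sub_domain, domain),
                DB_NAME)
            # Plain file I/O instead of os.system("mkdir"/"echo ... >>"): the
            # scraped name never reaches a shell command line this way.
            os.makedirs(sub_log_dir, exist_ok=True)
            with open(sub_log_path, "a") as log_file:
                log_file.write(domain + "\n")
    return item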
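def _collect_result_columns(table_name, http_domain, columns):
    """Return the non-empty *columns* of the *http_domain* row in *table_name* as text.

    Each value is rendered as "column name:\\n    value\\n\\n" (underscores in
    the column name become spaces), the layout the result page expects.
    Values are HTML-escaped because the caller serves the text as HTML with
    newlines turned into <br>. A missing row, a NULL or an empty value
    contributes nothing. The domain is interpolated into the statement
    (execute_sql_in_db takes a finished SQL string), so anything that is not a
    plain scheme://host[:port] is refused and yields "".
    """
    import html
    import re

    if not re.fullmatch(r"https?://[A-Za-z0-9._-]+(:\d+)?", http_domain or ""):
        return ""
    parts = []
    for columnName in columns:
        rows = execute_sql_in_db(
            "select %s from %s where http_domain='%s'" % (columnName, table_name, http_domain),
            db_name)
        value = rows[0][0] if rows else None
        if not value:
            continue
        parts.append("%s:\n    %s\n\n" % (columnName.replace("_", " "), html.escape(str(value))))
    return "".join(parts)


def result(request):
    """Django view behind result.html: return scan results for a target.

    GET parameters:
        action: data is only returned when this is "result"; otherwise the
            result.html template is rendered.
        targetValue: "initShowResult" to get the list of known targets, or an
            http_domain (scheme://host) to get every stored result column for
            that target plus the rows of its sibling ("pang") and sub-domain
            tables when those tables exist.

    Returns an HttpResponse with the plain "firstTargets,...;targets,..."
    list for initShowResult, or an HTML-escaped, "<br>"-joined result text.
    """
    import html
    import re

    targetValue = request.GET.get('targetValue')
    action = request.GET.get('action')
    if targetValue is not None:
        print(targetValue)
    if action != "result":
        # render_to_response() was removed in Django 3.0; render(request, ...)
        # as used by the targets view is the replacement when upgrading.
        return render_to_response("result.html", {})

    if targetValue == "initShowResult":
        firstTargets = execute_sql_in_db("select http_domain from %s" % first_targets_table_name, db_name)
        targets = execute_sql_in_db("select http_domain from %s" % targetsTableNameOrDefault(), db_name) if False else \
            execute_sql_in_db("select http_domain from %s" % targets_table_name, db_name)
        # Wire format consumed by the page script, e.g.
        # firstTargets,http://www.baidu.com,http://www.nihao.com;targets,http://www.wohao.com
        # (a list name alone when that table is empty). Not HTML-escaped: the
        # consumer parses it as a delimited list, not as markup.
        firstTargetsValue = ",".join(["firstTargets"] + [row[0] for row in firstTargets]) + ";"
        targetsValue = ",".join(["targets"] + [row[0] for row in targets])
        returnString = firstTargetsValue + targetsValue
        print(returnString)
        return HttpResponse(returnString)

    # Any other targetValue is an http_domain; everything known about it (and,
    # if in scope, its pang/sub domains) is returned.
    http_domain = targetValue
    print(http_domain)
    # http_domain goes into SQL string literals and into table names below, so
    # only a plain scheme://host[:port] is accepted.
    if not re.fullmatch(r"https?://[A-Za-z0-9._-]+(:\d+)?", http_domain or ""):
        return HttpResponse("invalid target: %s" % html.escape(str(http_domain)), status=400)

    # get_target_table_name_list()[0] is the targets or first_targets table.
    tableName = get_target_table_name_list(http_domain)[0]
    # urls and resource_files used to be shown as well; they were dropped on purpose.
    resultColumns = ["risk_scan_info", "script_type", "dirb_info", "sqlis", "robots_and_sitemap",
                     "cms_value", "cms_scan_info", "like_admin_login_urls",
                     "cracked_admin_login_urls_info", "like_webshell_urls",
                     "cracked_webshell_urls_info", "whois_info", "pang_domains", "sub_domains"]
    returnValue = _collect_result_columns(tableName, http_domain, resultColumns)

    # Sibling ("pang") and sub-domain results, when their tables exist. Those
    # rows get the per-target columns only, not the domain lists themselves.
    relatedColumns = [c for c in resultColumns if c not in ("pang_domains", "sub_domains")]
    tableStem = http_domain.split("/")[-1].replace(".", "_")
    for suffix, header in (("_pang", "下面是旁站扫描结果:\n\n"), ("_sub", "下面是子站扫描结果:\n\n")):
        relatedTable = tableStem + suffix
        if exist_table_in_db(relatedTable, db_name) == True:
            relatedDomains = execute_sql_in_db("select http_domain from %s" % relatedTable, db_name)
            returnValue += header
            for row in relatedDomains:
                returnValue += _collect_result_columns(relatedTable, row[0], relatedColumns)

    if returnValue == "":
        returnValue += "there is no result about %s" % html.escape(http_domain)
    return HttpResponse(returnValue.replace("\n", "<br>"))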
</object> </java> </work:WorkContext> </soapenv:Header> <soapenv:Body/> </soapenv:Envelope> ''' # 判断漏洞是否存在 target = sys.argv[1] print("checking weblogic vul for " + target) # 传入的target是http://www.baidu.com格式(不带端口 ) target_table_name = get_target_table_name_list(target)[0] result = execute_sql_in_db( "select port_scan_info from %s where http_domain='%s'" % (target_table_name, target), "exp10itdb") testUrlList = [] cms_url = get_cms_entry_from_start_url(target) parsed = urlparse(target) testUrlList.append(cms_url) open_port_list = get_target_open_port_list(target) for port in open_port_list: if port not in COMMON_NOT_WEB_PORT_LIST: testUrlList.append(parsed.scheme + "://" + parsed.hostname + ":" + port)