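def industrial_check(oldurl, industrialurl):
    """Run the industrial-control (ICS) POC set against *industrialurl* and persist hits.

    ``pocdb_pocs(industrialurl).industrialpocdict`` maps POC names to objects
    whose ``run()`` returns ``(vulnerable, bugurl, bugname, payload, bugdetail)``.
    Every hit becomes a ``BugList`` row; the hit URL is also added to two redis
    HyperLogLogs, one keyed by the grade found in the ``bugtype`` hash and one
    keyed by the bug name.

    :param oldurl: scan target the URL was discovered from (stored as ``oldurl``).
    :param industrialurl: URL handed to every POC.
    :return: None
    """
    poc_dict = pocdb_pocs(industrialurl).industrialpocdict
    cprint(">>>工控漏洞扫描URL: " + industrialurl + "\t可用POC个数[" + str(len(poc_dict)) + "]", "magenta")
    print("\r")
    # The ICS POCs run sequentially; the CMS/information checks use a pool.
    results = [poc.run() for poc in poc_dict.values()]
    with app.app_context():
        for result in results:
            try:
                vulnerable, bugurl, bugname, payload, bugdetail = result
                if not vulnerable:
                    continue
                # NOTE(review): if bugname is missing from the bugtype hash this
                # is None and pfadd raises -- same as the original, just visible.
                grade = redispool.hget('bugtype', bugname)
                bug = BugList(oldurl=oldurl, bugurl=bugurl, bugname=bugname,
                              buggrade=grade, payload=payload, bugdetail=bugdetail)
                redispool.pfadd(grade, bugurl)
                redispool.pfadd(bugname, bugurl)
                db.session.add(bug)
                db.session.commit()
            except Exception as e:
                # A failed flush/commit leaves the SQLAlchemy session unusable
                # until it is rolled back; without this every later hit in the
                # loop would fail as well.
                db.session.rollback()
                print(e)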
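def SenFileScan(domain, url):
    """Probe *url* for sensitive files/directories and record the hits.

    Wordlist: the redis list ``SenScan`` (loaded from ``dict\\SEN_scan.txt``).
    Each candidate ``<url>/<entry>`` is first fetched through ``UrlRequest`` in
    a thread pool; the survivors are fetched again and compared with the
    site's answer for a path that cannot exist, so catch-all ("soft 404")
    pages are not reported. Every remaining hit is stored as a ``SenDir``
    ``BugList`` row (response body in ``bugdetail``) and counted in redis.

    :param domain: the scan target, stored as ``oldurl`` on each row.
    :param url: base URL, scheme included, that the wordlist is appended to.
    :return: the recorded URLs, each followed by a newline (``""`` if none).
    """
    pools = 20
    # One round trip instead of llen + one lindex per wordlist entry.
    candidates = ["{}/{}".format(url, suffix) for suffix in redispool.lrange("SenScan", 0, -1)]
    pool = ThreadPool(pools)
    SenFileMessage = pool.map(UrlRequest, candidates)
    pool.close()
    pool.join()

    # Reference body for a path that should not exist, used to recognise
    # catch-all pages. verify=False is deliberate: scan targets routinely run
    # self-signed certificates. On failure the error text stands in for the
    # body, so the similarity check below simply never matches.
    url404 = "{}/springbird404page".format(url)
    try:
        rep404 = requests.get(url404, headers=core.GetHeaders(), timeout=3, verify=False).text
    except Exception as e:
        print("超时")
        rep404 = str(e)

    found = []
    if len(SenFileMessage) != 0:
        with app.app_context():
            print("Sen file and dir : \n")
            # Loop variable deliberately not called ``url``: the original
            # shadowed the base-URL parameter here.
            for hit in SenFileMessage:
                if hit is None:
                    continue
                try:
                    rep = requests.get(hit, headers=core.GetHeaders(), timeout=1, verify=False)
                    # Drop anything that looks like the site's own 404 page.
                    if core.is_similar_page(rep404, rep.text, radio=0.85):
                        continue
                    print(hit)
                    grade = redispool.hget('bugtype', "SenDir")
                    bug = BugList(oldurl=domain, bugurl=hit, bugname="SenDir",
                                  buggrade=grade, payload=hit, bugdetail=rep.text)
                    found.append(hit)
                    redispool.pfadd(grade, hit)
                    redispool.pfadd("SenDir", hit)
                    db.session.add(bug)
                except Exception:
                    # Best effort: an unreachable candidate is simply not reported.
                    continue
            db.session.commit()
    return "".join(h + "\n" for h in found)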
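def cmspoc_check(oldurl, cmsurl):
    """Run the CMS POC set against *cmsurl* on the module-level ``cmspool`` and persist hits.

    ``cmsprint`` is mapped over the POC names for display, then ``cmscheck``
    over the POC objects; each result must be
    ``(vulnerable, bugurl, bugname, payload, bugdetail)``. Hits become
    ``BugList`` rows and are counted in the per-grade and per-name redis
    HyperLogLogs.

    NOTE(review): ``cmspool`` is a module-level pool that is closed and joined
    here, so a second call in the same process would hit a closed pool.

    :param oldurl: scan target stored as ``oldurl`` on each row.
    :param cmsurl: URL handed to the POCs.
    :return: None
    """
    poc_dict = pocdb_pocs(cmsurl).cmspocdict
    cprint(">>>CMS漏洞扫描URL: " + cmsurl + "\t可用POC个数[" + str(len(poc_dict)) + "]", "magenta")
    cmspool.map(cmsprint, poc_dict.keys())
    print("\r")
    results = cmspool.map(cmscheck, poc_dict.values())
    cmspool.close()
    cmspool.join()
    with app.app_context():
        # One try per result: the original wrapped the whole loop, so a single
        # malformed result or failed commit silently dropped every hit after it.
        for result in results:
            try:
                vulnerable, bugurl, bugname, payload, bugdetail = result
                if not vulnerable:
                    continue
                grade = redispool.hget('bugtype', bugname)
                bug = BugList(oldurl=oldurl, bugurl=bugurl, bugname=bugname,
                              buggrade=grade, payload=payload, bugdetail=bugdetail)
                db.session.add(bug)
                redispool.pfadd(grade, bugurl)
                redispool.pfadd(bugname, bugurl)
                db.session.commit()
            except Exception as e:
                # Reset the session so the next result can still be committed.
                db.session.rollback()
                print(e)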
def GetTargetCount():
    """Snapshot of the scan-queue counters kept in redis.

    :return: dict with ``sumcount`` (distinct domains + distinct IPs seen,
        from the ``domain``/``ip`` HyperLogLogs), ``waitcount`` and
        ``nowscan`` (raw values of the ``targetscan`` hash, None if unset).
    """
    total_seen = redispool.pfcount("domain") + redispool.pfcount("ip")
    waiting = redispool.hget('targetscan', 'waitcount')
    current = redispool.hget("targetscan", "nowscan")
    return {"sumcount": total_seen, "waitcount": waiting, "nowscan": current}
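def BugScanConsole(attackurl):
    '''Drain the redis set *attackurl* (crawled URLs) and run every check on each one.

    For each URL popped from the set a ``BugScan`` object is built and each
    method name listed in the module-level ``Bugs`` sequence is invoked on it
    via ``getattr``; a method returns ``(vulnerable, payload, bugdetail)``.
    Hits are stored in ``BugList`` with ``bugname`` set to the method name and
    ``buggrade`` looked up in the redis ``bugtype`` hash, then the user-added
    POCs are run through ``Bug.POCScan()``.

    Security note: ``Bugs`` drives dynamic dispatch, so it must stay a
    code-defined allow-list of method names and never be fed from user input.

    :param attackurl: redis set name (the scan target); also stored as ``oldurl``.
    :return: None
    '''
    while redispool.scard(attackurl) != 0:
        url = redispool.spop(attackurl)
        try:
            Bug = BugScan(attackurl, url)
            with app.app_context():
                try:
                    for value in Bugs:
                        vulnerable, payload, bugdetail = getattr(Bug, value)()
                        if not vulnerable:
                            continue
                        grade = redispool.hget('bugtype', value)
                        bug = BugList(oldurl=attackurl, bugurl=url, bugname=value,
                                      buggrade=grade, payload=payload, bugdetail=bugdetail)
                        redispool.pfadd(grade, url)
                        redispool.pfadd(value, url)
                        db.session.add(bug)
                        db.session.commit()
                except Exception:
                    # Leave the session usable for the next URL.
                    db.session.rollback()
                    raise
                print("进行自添加POC扫描")
                Bug.POCScan()
        except Exception as e:
            # One failing URL no longer aborts the whole queue (the original
            # try wrapped the entire while loop, leaving the rest unscanned).
            print(e)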
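def user():
    """User-center page: GET renders it, POST records a new asset and redirects back.

    POST stashes the submitted ``asset`` (name) and ``assets`` (URLs) in the
    session and redirects to this view; the next GET moves the pair into the
    redis ``assets`` hash. Assumes a logged-in user; with no ``user_id`` in the
    session ``nowuser`` is None and this raises (presumably a login guard sits
    upstream -- confirm).

    Security note: the asset hash is global and its keys are shown to every
    user (``assetname``), and the submitted values are stored unvalidated.
    """
    if 'name' in session or 'urls' in session:
        name = session.pop('name', None)
        urls = session.pop('urls', None)
        # The original popped both keys unconditionally and raised KeyError
        # whenever only one of them was present.
        if name is not None and urls is not None:
            redispool.hset('assets', name, urls)
    allcode = InvitationCode.query.order_by(InvitationCode.id.desc()).limit(10).all()
    user_id = session.get('user_id')
    nowuser = User.query.filter(User.id == user_id).first()
    username = nowuser.username
    photoname = redispool.hget('imagename', nowuser.email)
    if not photoname:
        photoname = 'springbird.jpg'
    profile = Profile.query.filter(Profile.userid == user_id).first()
    assetname = redispool.hkeys('assets')
    followlist = redispool.hgetall('FollowList')
    if request.method == 'GET':
        return render_template('user-center.html', allcode=allcode, username=username,
                               profile=profile, assetname=assetname,
                               followlist=followlist, photoname=photoname)
    session['name'] = request.form.get('asset')
    session['urls'] = request.form.get('assets')
    return redirect(url_for('user'))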
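def inputfilter(url):
    '''Normalise a user-supplied scan target and check that it answers HTTP.

    Accepted forms: ``127.0.0.1``, ``http://127.0.0.1``, ``www.baidu.com``,
    ``https://www.baidu.com``; a trailing ``/`` is stripped. Without a scheme
    both ``http://`` and ``https://`` are tried, preferring the one that
    answered with a 2xx/3xx and otherwise the first that answered at all.

    :param url: raw target string.
    :return: ``(host, attackurl, response)`` -- host without scheme, the URL
        that answered and its ``requests`` response -- or ``(None, None, None)``
        when nothing answered. In the scheme-less case a dead target also
        decrements ``targetscan.waitcount`` in redis and clears ``nowscan``.
    '''
    def _fetch(target):
        # verify=False is deliberate for a scanner: targets routinely run
        # self-signed certificates. Returns None when the request fails.
        try:
            return requests.get(target, headers=core.GetHeaders(), timeout=4, verify=False)
        except Exception:
            return None

    def _drop_from_queue():
        try:
            count = redispool.hget('targetscan', 'waitcount')
            if 'str' in str(type(count)):
                redispool.hset("targetscan", "waitcount", str(int(count) - 1))
            else:
                redispool.hset("targetscan", "waitcount", "0")
            redispool.hdel("targetscan", "nowscan")
        except Exception as e:
            print(e)

    if url.endswith("/"):
        url = url[:-1]

    if url.startswith("http://") or url.startswith("https://"):
        rep = _fetch(url)
        # Compare with None: a requests.Response is falsy whenever its status
        # is not 2xx/3xx, so the original discarded reachable targets whose
        # root answered 403/404/500.
        if rep is None:
            print("{}访问超时".format(url))
            return None, None, None
        # Strip only the leading scheme; str.replace would also remove a
        # scheme appearing later in the string.
        host = url[len("http://"):] if url.startswith("http://") else url[len("https://"):]
        return host, url, rep

    attackurl1 = "http://" + url
    attackurl2 = "https://" + url
    rep1 = _fetch(attackurl1)
    rep2 = _fetch(attackurl2)
    candidates = ((attackurl1, rep1), (attackurl2, rep2))
    # Same preference as before when one scheme answered OK ...
    for attackurl, rep in candidates:
        if rep is not None and rep.ok:
            return url, attackurl, rep
    # ... but a host that answered with an error status is still a live target.
    for attackurl, rep in candidates:
        if rep is not None:
            return url, attackurl, rep
    print("None data")
    _drop_from_queue()
    return None, None, None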
def assetdetail(name=None):
    """Render the detail page for the asset called *name*.

    The detail text is read from the redis ``assets`` hash (None when the
    name is unknown, the template decides how to show that). Without a
    name the request is redirected to ``index``.

    :param name: asset name, normally taken from the route.
    """
    if not name:
        return redirect(url_for('index'))
    detail = redispool.hget('assets', name)
    return render_template('assetDetail.html', name=name, assetdetail=detail)
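def WebLogicScan(self):
    """Run the WebLogic checks against ``self.domain`` and persist every hit.

    ``WebLogicScan.run`` here resolves to the module-level name (the method
    itself is not in scope inside its body), presumably an imported scanner
    module -- confirm. Each result must be ``(vulnerable, bugurl, bugname,
    bugdetail)``; hits are stored as ``BugList`` rows with the hit URL as
    ``payload`` and counted in the per-grade and per-name redis HyperLogLogs.

    :return: None; errors are printed, never raised.
    """
    print("正在进行weblogic漏洞检测!")
    try:
        results = WebLogicScan.run(self.domain)
    except Exception as e:
        print(e)
        return
    with app.app_context():
        for result in results:
            try:
                vulnerable, bugurl, bugname, bugdetail = result
                if not vulnerable:
                    continue
                grade = redispool.hget('bugtype', bugname)
                bug = BugList(oldurl=self.domain, bugurl=bugurl, bugname=bugname,
                              buggrade=grade, payload=bugurl, bugdetail=bugdetail)
                redispool.pfadd(grade, bugurl)
                redispool.pfadd(bugname, bugurl)
                db.session.add(bug)
                db.session.commit()
            except Exception as e:
                # The original try covered the whole loop, so one bad result
                # dropped all later hits and left the session in a failed state.
                db.session.rollback()
                print(e)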
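def POCScanConsole(attackurl, url):
    """Run every user-added POC from the ``POC`` table against *url* and persist hits.

    A POC is ``url + poc.rule`` fetched with a 2 s timeout; it matches when the
    status is not 404 and ``poc.expression`` occurs in the body. Matches become
    ``BugList`` rows named after the POC and are counted in the per-grade and
    per-name redis HyperLogLogs.

    :param attackurl: scan target, stored as ``oldurl``.
    :param url: base URL the rules are appended to.
    :return: None; errors are printed, never raised.
    """
    try:
        with app.app_context():
            allpoc = POC.query.all()
            for poc in allpoc:
                try:
                    # verify=False for consistency with every other probe in
                    # this scanner; without it any https target with a
                    # self-signed certificate aborted the POC loop.
                    rep = requests.get(url + poc.rule, headers=core.GetHeaders(), timeout=2, verify=False)
                    if rep.status_code == 404 or poc.expression not in rep.text:
                        continue
                    grade = redispool.hget('bugtype', poc.name)
                    # The original built payload as ``url + poc`` (a model
                    # object), which raised TypeError on the first hit and
                    # aborted the whole POC scan.
                    bug = BugList(oldurl=attackurl, bugurl=url, bugname=poc.name,
                                  buggrade=grade, payload=url + poc.rule, bugdetail=rep.text)
                    redispool.pfadd(grade, url)
                    redispool.pfadd(poc.name, url)
                    db.session.add(bug)
                    db.session.commit()
                except Exception as e:
                    # One failing POC no longer stops the remaining ones.
                    db.session.rollback()
                    print(e)
    except Exception as e:
        print(e)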
def WebLogicScan(self):
    """Run the WebLogic checks against ``self.domain`` and persist every hit.

    ``WebLogicScan.run`` resolves to the module-level name of that spelling
    (the method is not in scope inside its own body). Each result is
    ``(vulnerable, bugurl, bugname, bugdetail)``; a hit becomes a ``BugList``
    row with the hit URL as ``payload`` and the grade from the redis
    ``bugtype`` hash. Unlike the other scan wrappers there is no error
    handling: any exception propagates to the caller.
    """
    hits = WebLogicScan.run(self.domain)
    with app.app_context():
        for vulnerable, bugurl, bugname, bugdetail in hits:
            if not vulnerable:
                continue
            row = BugList(oldurl=self.domain, bugurl=bugurl, bugname=bugname,
                          buggrade=redispool.hget('bugtype', bugname),
                          payload=bugurl, bugdetail=bugdetail)
            db.session.add(row)
            db.session.commit()
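def photo():
    """Avatar upload page: GET renders it, POST stores the image and redirects to the user center.

    The file is saved as ``<local part of the user's e-mail>.<ext>`` under
    ``./static/photo`` and the name is remembered in the redis ``imagename``
    hash keyed by e-mail. ``core.allowed_file`` decides which file names are
    accepted (it is assumed to require a dot, since the extension is taken
    from the part after the last one -- confirm). Assumes a logged-in user;
    ``nowuser`` is None otherwise and this raises (presumably a login guard
    sits upstream -- confirm).
    """
    user_id = session.get('user_id')
    nowuser = User.query.filter(User.id == user_id).first()
    photoname = redispool.hget('imagename', nowuser.email)
    if request.method == 'GET':
        return render_template('photo.html', photoname=photoname)

    img = request.files['photo']
    if not (img and core.allowed_file(img.filename)):
        return '<p> 上传失败</p>'
    ext = img.filename.rsplit('.', 1)[1]
    email = nowuser.email
    photoname = email.split('@')[0] + "." + ext
    photo_dir = os.path.join(os.getcwd(), "static", "photo")
    dest = os.path.abspath(os.path.join(photo_dir, photoname))
    # The e-mail local part is registration-time user input; refuse any name
    # that would resolve outside the photo directory (path separators, "..").
    if os.path.dirname(dest) != os.path.abspath(photo_dir):
        return '<p> 上传失败</p>'
    img.save(dest)
    redispool.hset('imagename', email, photoname)
    return redirect(url_for('user'))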
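def GenInvitationCode():
    """Create one new invitation code and re-render the user-center page.

    The code is a random UUID4 (``os.urandom``-backed). The original used
    ``uuid1()``, which is derived from the host MAC address and a timestamp
    and is therefore guessable by anyone who has seen one code -- not
    acceptable for a registration gate. Format and length (36 characters) are
    unchanged. Assumes a logged-in user; ``nowuser`` is None otherwise and this
    raises (presumably a login guard sits upstream -- confirm).
    """
    user_id = session.get('user_id')
    nowuser = User.query.filter(User.id == user_id).first()
    profile = Profile.query.filter(Profile.userid == user_id).first()
    assetname = redispool.hkeys('assets')
    followlist = redispool.hgetall('FollowList')
    photoname = redispool.hget('imagename', nowuser.email)
    if not photoname:
        photoname = 'springbird.jpg'
    code = str(uuid.uuid4())
    db.session.add(InvitationCode(code=code))
    db.session.commit()
    # Show the ten newest codes, the one just created first.
    allcode = InvitationCode.query.order_by(InvitationCode.id.desc()).limit(10).all()
    return render_template('user-center.html', allcode=allcode, username=nowuser.username,
                           profile=profile, assetname=assetname,
                           followlist=followlist, photoname=photoname)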
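def informationpoc_check(oldurl, informationurl):
    """Run the information-disclosure POC set against *informationurl* and persist hits.

    ``informationprint`` is mapped over the POC names for display, then
    ``informationcheck`` over the POC objects on the module-level
    ``informationpool``; each result must be
    ``(vulnerable, bugurl, bugname, payload, bugdetail)``. Hits become
    ``BugList`` rows with the grade from the redis ``bugtype`` hash.

    NOTE(review): ``informationpool`` is closed and joined here, so a second
    call in the same process would hit a closed pool.

    :param oldurl: scan target stored as ``oldurl`` on each row.
    :param informationurl: URL handed to the POCs.
    :return: None
    """
    poc_dict = pocdb_pocs(informationurl).informationpocdict
    cprint(">>>Information漏洞扫描URL: " + informationurl + "\t可用POC个数[" + str(len(poc_dict)) + "]", "magenta")
    informationpool.map(informationprint, poc_dict.keys())
    print("\r")
    results = informationpool.map(informationcheck, poc_dict.values())
    informationpool.close()
    informationpool.join()
    with app.app_context():
        # Per-result error handling, matching cmspoc_check: the original had
        # none, so one malformed result or failed commit raised out of the
        # loop and every later hit was never stored.
        for result in results:
            try:
                vulnerable, bugurl, bugname, payload, bugdetail = result
                if not vulnerable:
                    continue
                bug = BugList(oldurl=oldurl, bugurl=bugurl, bugname=bugname,
                              buggrade=redispool.hget('bugtype', bugname),
                              payload=payload, bugdetail=bugdetail)
                db.session.add(bug)
                db.session.commit()
            except Exception as e:
                db.session.rollback()
                print(e)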
def SZheScan(url: str) -> None:
    """Full scan pipeline for one target: normalise, fingerprint, enumerate, then vuln-scan.

    Steps, in order: ``inputfilter`` (reachability + scheme), ``GetBaseMessage``
    (status/title/headers/fingerprint/ports/sensitive dirs -> ``BaseInfo`` row),
    IP- or domain-specific enrichment (``IPInfo`` / ``DomainInfo`` row), the
    WebLogic and AngelSword checks, a depth-2 crawl via ``SpiderGetUrl2`` and
    finally ``BugScanConsole`` over the crawled URLs. Progress is tracked in
    the redis ``targetscan`` hash (``nowscan``, ``waitcount``).

    Indentation was lost in the stored copy; the nesting below (everything
    inside the ``with app.app_context()`` block) is the reconstruction that
    makes the ``BugList.query`` at the end valid -- confirm against the
    original file.

    :param url: raw target as typed by the user.
    :return: None; every exception is printed and swallowed.
    """
    try:
        # Normalise the input and bail out when the target did not answer.
        url, attackurl, rep = inputfilter(url)
        if not url:
            return
        redispool.hset("targetscan", "nowscan", attackurl)
        with app.app_context():
            # Basic information about the target, from the response already fetched.
            baseinfo = GetBaseMessage(url, attackurl, rep)
            # Dotted-quad IP with optional ":port". NOTE(review): not a raw
            # string, so "\d" / "\." rely on Python keeping unknown escapes
            # as-is (it does, with a SyntaxWarning on recent versions).
            pattern = re.compile('^\d+\.\d+\.\d+\.\d+(:(\d+))?$')
            # Strip the port from an IP target; it is only used for the
            # IP-level enrichment and the "ip" HyperLogLog.
            if pattern.findall(url) and ":" in url:
                infourl = url.split(":")[0]
            else:
                infourl = url
            # boolcheck: True for IP targets, False for domains.
            if pattern.findall(url):
                boolcheck = True
                ipinfo = IPMessage(infourl)
            else:
                boolcheck = False
                domaininfo = DomainMessage(url)
            info = BaseInfo(url=url, boolcheck=boolcheck, status=baseinfo.GetStatus(), title=baseinfo.GetTitle(), date=baseinfo.GetDate(), responseheader=baseinfo.GetResponseHeader(), Server=baseinfo.GetFinger(), portserver=baseinfo.PortScan(), sendir=baseinfo.SenDir())
            db.session.add(info)
            # flush() assigns the primary key so the child rows can reference it.
            db.session.flush()
            infoid = info.id
            db.session.commit()
            baseinfo.WebLogicScan()
            baseinfo.AngelSwordMain()
            if boolcheck:
                redispool.pfadd("ip", infourl)
                # Rebinding: the IPMessage collector becomes the IPInfo row.
                ipinfo = IPInfo(baseinfoid=infoid, bindingdomain=ipinfo.GetBindingIP(), sitestation=ipinfo.GetSiteStation(), CMessage=ipinfo.CScanConsole(), ipaddr=ipinfo.FindIpAdd())
                db.session.add(ipinfo)
            else:
                redispool.pfadd("domain", infourl)
                # Same rebinding for the domain collector.
                domaininfo = DomainInfo(baseinfoid=infoid, subdomain=domaininfo.GetSubDomain(), whois=domaininfo.GetWhoisMessage(), bindingip=domaininfo.GetBindingIP(), sitestation=domaininfo.GetSiteStation(), recordinfo=domaininfo.GetRecordInfo(), domainaddr=domaininfo.FindDomainAdd())
                db.session.add(domaininfo)
            db.session.commit()
            # Crawl depth defaults to 2 to keep large sites manageable;
            # adjustable in the settings.
            SpiderGetUrl2(attackurl, deepth=2)
            print("对该网站爬取到的url进行常规漏扫 :D")
            BugScanConsole(url)
            # Queue bookkeeping: decrement waitcount (or reset it to "0" when
            # it is missing / not a string) and clear nowscan. Same logic as
            # the dead-target path in inputfilter.
            try:
                count = redispool.hget('targetscan', 'waitcount')
                if 'str' in str(type(count)):
                    waitcount = int(count) - 1
                    redispool.hset("targetscan", "waitcount", str(waitcount))
                else:
                    redispool.hset("targetscan", "waitcount", "0")
                redispool.hdel("targetscan", "nowscan")
            except Exception as e:
                print(e)
                pass
            # If the newest BugList row belongs to this target, count it as an
            # affected host. NOTE(review): .first() is None on an empty table,
            # which raises AttributeError and lands in the outer except.
            firstbugurl = BugList.query.order_by(BugList.id.desc()).first().oldurl
            if firstbugurl == url:
                redispool.pfadd("havebugpc", url)
            print("{} scan end !".format(url))
    except Exception as e:
        # "2" is only a marker for which handler fired.
        print("2")
        print(e)
        pass
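def SenFileScan(domain, redispool):
    """Sensitive file/directory scan over plain ``http://<domain>/<entry>``.

    Wordlist: the redis list ``SenScan`` (loaded from ``dict\\SEN_scan.txt``).
    Candidates are probed through ``UrlRequest`` in a thread pool; every
    non-None result is fetched again and stored as a ``SenDir`` ``BugList``
    row with the response body as ``bugdetail``. No soft-404 filtering is
    done in this variant, and https targets are never tried.

    :param domain: host name or IP without scheme; also stored as ``oldurl``.
    :param redispool: redis client used for the wordlist and the ``bugtype``
        grade (shadows the module-level client of the same name).
    :return: newline-joined string of the candidate URLs ``UrlRequest`` kept.
    """
    pools = 20
    # One round trip instead of llen + one lindex per wordlist entry.
    urlList = ["http://{}/{}".format(domain, entry) for entry in redispool.lrange("SenScan", 0, -1)]
    pool = ThreadPool(pools)
    SenFileMessage = pool.map(UrlRequest, urlList)
    pool.close()
    pool.join()
    if len(SenFileMessage) != 0:
        with app.app_context():
            for hit in SenFileMessage:
                # UrlRequest yields None for misses; the original handed those
                # to requests.get and printed an exception for every one.
                if hit is None:
                    continue
                try:
                    rep = requests.get(hit, headers=core.GetHeaders(), timeout=3, verify=False)
                    bug = BugList(oldurl=domain, bugurl=hit, bugname="SenDir",
                                  buggrade=redispool.hget('bugtype', "SenDir"),
                                  payload=hit, bugdetail=rep.text)
                    db.session.add(bug)
                except Exception as e:
                    print(e)
            db.session.commit()
    return "\n".join(list(filter(None, SenFileMessage)))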