def industrial_check(oldurl, industrialurl):
    """Run every industrial-control POC against *industrialurl* and persist the hits.

    Args:
        oldurl: The original target the scan started from; stored as ``oldurl``
            on every ``BugList`` row.
        industrialurl: URL handed to ``pocdb_pocs`` and shown in the banner.

    Every POC in ``industrialpocdict`` is executed sequentially through its
    ``run()`` method; each result is expected to unpack as
    ``(vulnerable, bugurl, bugname, payload, bugdetail)``.  A hit is written as
    a ``BugList`` row (committed immediately) and counted in the Redis
    HyperLogLogs keyed by the bug grade and by the bug name.  Any exception
    raised while handling one result is printed and that result is skipped.
    """
    poc_dict = pocdb_pocs(industrialurl).industrialpocdict
    banner = ">>>工控漏洞扫描URL: {}\t可用POC个数[{}]".format(industrialurl, len(poc_dict))
    cprint(banner, "magenta")
    print("\r")
    # All POCs run before any result is examined.
    outcomes = [poc.run() for poc in poc_dict.values()]
    with app.app_context():
        for outcome in outcomes:
            try:
                vulnerable, bugurl, bugname, payload, bugdetail = outcome
                if not vulnerable:
                    continue
                grade = redispool.hget('bugtype', bugname)
                row = BugList(oldurl=oldurl,
                              bugurl=bugurl,
                              bugname=bugname,
                              buggrade=grade,
                              payload=payload,
                              bugdetail=bugdetail)
                redispool.pfadd(grade, bugurl)
                redispool.pfadd(bugname, bugurl)
                db.session.add(row)
                db.session.commit()
            except Exception as err:
                # Best-effort: one malformed result must not stop the others.
                print(err)
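def SenFileScan(domain, url):
    """Probe *url* for the sensitive files/directories listed in the Redis ``SenScan`` list.

    Wordlist: originally ``dict\\SEN_scan.txt``, now read from Redis.  Each
    candidate ``url/<suffix>`` is first passed through ``UrlRequest`` in a
    ``ThreadPool``; every candidate that comes back non-``None`` is fetched
    again and compared with the response for a path that should not exist
    (``/springbird404page``), so a site that answers every path with the same
    "soft 404" page does not produce a hit per suffix.  Confirmed paths are
    stored as ``SenDir`` ``BugList`` rows (``oldurl`` = *domain*) in one
    transaction and counted in the Redis HyperLogLogs.

    :param domain: The original scan target; stored as ``oldurl`` on each row.
    :param url: Base URL (scheme + host) that each suffix is appended to.
    :return: The confirmed paths, each followed by a newline, concatenated;
        an empty string when nothing was confirmed.
    """
    pools = 20
    candidates = [
        "{}/{}".format(url, redispool.lindex("SenScan", i))
        for i in range(0, redispool.llen("SenScan"))
    ]
    pool = ThreadPool(pools)
    try:
        SenFileMessage = pool.map(UrlRequest, candidates)
    finally:
        # Always release the workers, even if a worker raised.
        pool.close()
        pool.join()
    # Baseline body for a path that should never exist; used below to filter
    # out catch-all pages.  On a network error the error text stands in.
    url404 = "{}/springbird404page".format(url)
    try:
        rep404 = requests.get(url404,
                              headers=core.GetHeaders(),
                              timeout=3,
                              verify=False).text
    except Exception as e:
        print("超时")
        rep404 = str(e)
    confirmed = []
    if len(SenFileMessage) != 0:
        with app.app_context():
            print("Sen file and dir : \n")
            # Loop variable renamed: the original reused ``url`` and shadowed
            # the parameter.
            for senurl in SenFileMessage:
                if senurl is None:
                    continue
                try:
                    rep = requests.get(senurl,
                                       headers=core.GetHeaders(),
                                       timeout=1,
                                       verify=False)
                    # Skip anything that looks like the site's generic 404 page.
                    if core.is_similar_page(rep404, rep.text, radio=0.85):
                        continue
                    print(senurl)
                    bug = BugList(oldurl=domain,
                                  bugurl=senurl,
                                  bugname="SenDir",
                                  buggrade=redispool.hget('bugtype', "SenDir"),
                                  payload=senurl,
                                  bugdetail=rep.text)
                    confirmed.append(senurl)
                    redispool.pfadd(redispool.hget('bugtype', "SenDir"), senurl)
                    redispool.pfadd("SenDir", senurl)
                    db.session.add(bug)
                except Exception:
                    # Best-effort per path: one unreachable candidate must not
                    # abort the sweep (the original swallowed these silently too).
                    continue
            db.session.commit()
    return "".join(path + "\n" for path in confirmed)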
def cmspoc_check(oldurl, cmsurl):
    """Run the CMS POCs from ``pocdb_pocs`` against *cmsurl* and persist the hits.

    Args:
        oldurl: The original target; stored as ``oldurl`` on every row.
        cmsurl: URL handed to ``pocdb_pocs`` and shown in the banner.

    POC names are echoed through ``cmspool.map(cmsprint, ...)`` and the checks
    run through ``cmspool.map(cmscheck, ...)``; the module-level ``cmspool`` is
    closed and joined afterwards (presumably it cannot be reused after this).
    Each result unpacks to ``(vulnerable, bugurl, bugname, payload, bugdetail)``.
    Hits are added as ``BugList`` rows, counted in the Redis HyperLogLogs and
    committed together; the first exception while recording is printed and
    the remaining rows are left uncommitted.
    """
    poc_dict = pocdb_pocs(cmsurl).cmspocdict
    banner = ">>>CMS漏洞扫描URL: {}\t可用POC个数[{}]".format(cmsurl, len(poc_dict))
    cprint(banner, "magenta")
    cmspool.map(cmsprint, poc_dict.keys())
    print("\r")
    outcomes = cmspool.map(cmscheck, poc_dict.values())
    cmspool.close()
    cmspool.join()
    try:
        with app.app_context():
            for vulnerable, bugurl, bugname, payload, bugdetail in outcomes:
                if not vulnerable:
                    continue
                grade = redispool.hget('bugtype', bugname)
                db.session.add(BugList(oldurl=oldurl,
                                       bugurl=bugurl,
                                       bugname=bugname,
                                       buggrade=grade,
                                       payload=payload,
                                       bugdetail=bugdetail))
                redispool.pfadd(grade, bugurl)
                redispool.pfadd(bugname, bugurl)
            db.session.commit()
    except Exception as err:
        print(err)
def GetTargetCount():
    """Return the scan-queue counters kept in Redis.

    Returns:
        A dict with ``sumcount`` (distinct domains plus distinct IPs from the
        ``domain`` and ``ip`` HyperLogLogs), ``waitcount`` and ``nowscan``
        (the raw ``targetscan`` hash fields, as the client returns them).
    """
    domains = redispool.pfcount("domain")
    ips = redispool.pfcount("ip")
    return {
        "sumcount": domains + ips,
        "waitcount": redispool.hget('targetscan', 'waitcount'),
        "nowscan": redispool.hget("targetscan", "nowscan"),
    }
def BugScanConsole(attackurl):
    """Drain the Redis set *attackurl* and run every check named in ``Bugs`` on each URL.

    Check names come from the module-level ``Bugs`` and are resolved on a
    ``BugScan`` instance with ``getattr`` (dynamic dispatch keeps the per-check
    boilerplate out of this function).  Each check returns
    ``(vulnerable, payload, bugdetail)``; a hit is stored as a ``BugList`` row
    named after the check, with its grade taken from the ``bugtype`` hash, and
    counted in the HyperLogLogs for both the grade and the check name.  After
    the named checks, ``POCScan()`` runs the user-added POCs.  The first
    exception ends the whole loop; it is printed, not re-raised.
    """
    try:
        while redispool.scard(attackurl):
            target = redispool.spop(attackurl)
            scanner = BugScan(attackurl, target)
            with app.app_context():
                for check_name in Bugs:
                    vulnerable, payload, bugdetail = getattr(scanner, check_name)()
                    if not vulnerable:
                        continue
                    grade = redispool.hget('bugtype', check_name)
                    hit = BugList(oldurl=attackurl,
                                  bugurl=target,
                                  bugname=check_name,
                                  buggrade=grade,
                                  payload=payload,
                                  bugdetail=bugdetail)
                    redispool.pfadd(grade, target)
                    redispool.pfadd(check_name, target)
                    db.session.add(hit)
                db.session.commit()
            print("进行自添加POC扫描")
            scanner.POCScan()
    except Exception as err:
        print(err)
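def user():
    """Render the user-center page (GET) or stash a submitted asset in the session (POST).

    A POST stores the form fields ``asset``/``assets`` in the session and
    redirects back here; the following GET moves that pair into the Redis
    ``assets`` hash and removes it from the session.  The page shows the ten
    newest invitation codes, the user's profile, all asset names, the follow
    list and the avatar file name (``springbird.jpg`` when none is stored).

    Returns:
        The rendered template on GET, a redirect to ``user`` on POST, and a
        redirect to ``index`` when no account matches ``session['user_id']``.
    """
    # Pop with a default: the original ``'name' in session or 'urls' in
    # session`` test followed by unconditional pops raised KeyError whenever
    # only one of the two keys was present.
    asset_name = session.pop('name', None)
    asset_urls = session.pop('urls', None)
    if asset_name is not None and asset_urls is not None:
        # Both values come straight from the form; nothing validates them here.
        redispool.hset('assets', asset_name, asset_urls)
    user_id = session.get('user_id')
    nowuser = User.query.filter(User.id == user_id).first()
    if nowuser is None:
        # No matching account (no session, or the user was removed): bounce to
        # the index instead of failing on ``nowuser.username``.
        return redirect(url_for('index'))
    allcode = InvitationCode.query.order_by(
        InvitationCode.id.desc()).limit(10).all()
    photoname = redispool.hget('imagename', nowuser.email) or 'springbird.jpg'
    profile = Profile.query.filter(Profile.userid == user_id).first()
    assetname = redispool.hkeys('assets')
    followlist = redispool.hgetall('FollowList')
    if request.method != 'GET':
        session['name'] = request.form.get('asset')
        session['urls'] = request.form.get('assets')
        return redirect(url_for('user'))
    return render_template('user-center.html',
                           allcode=allcode,
                           username=nowuser.username,
                           profile=profile,
                           assetname=assetname,
                           followlist=followlist,
                           photoname=photoname)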
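def _release_scan_slot():
    """Decrement ``targetscan.waitcount`` in Redis and clear ``targetscan.nowscan``.

    The same bookkeeping is done at the end of ``SZheScan``; it is repeated
    here so a target that never answered still leaves the queue counters
    consistent.  Redis errors are printed and otherwise ignored.
    """
    try:
        count = redispool.hget('targetscan', 'waitcount')
        # The original tested ``'str' in str(type(count))`` -- an isinstance
        # check in disguise: only a text value is decremented, anything else
        # (missing field, bytes) resets the counter to "0".
        if isinstance(count, str):
            redispool.hset("targetscan", "waitcount", str(int(count) - 1))
        else:
            redispool.hset("targetscan", "waitcount", "0")
        redispool.hdel("targetscan", "nowscan")
    except Exception as e:
        print(e)


def inputfilter(url):
    """Normalise a queued target and fetch it once to find a scheme that answers.

    Accepted forms include ``127.0.0.1``, ``http://127.0.0.1``,
    ``www.example.com`` and ``https://www.example.com``; a trailing ``/`` is
    dropped.  Without a scheme, ``http://`` is tried first, then ``https://``;
    a response counts when ``requests`` considers it truthy (status < 400).
    TLS certificate verification is disabled for these probes (``verify=False``),
    which is the tool's existing behaviour.

    :param url: Raw target string from the queue.
    :return: ``(host, attackurl, response)`` -- the scheme-less host, the URL
        that answered and its ``requests`` response -- or ``(None, None, None)``
        when nothing answered, in which case the ``targetscan`` counters in
        Redis are released so the queue does not stall.
    """
    rep = rep1 = rep2 = None
    if url.endswith("/"):
        url = url[:-1]
    if not url.startswith(("http://", "https://")):
        attackurl1 = "http://" + url
        attackurl2 = "https://" + url
        try:
            rep1 = requests.get(attackurl1, headers=core.GetHeaders(), timeout=4, verify=False)
        except Exception:
            pass
        try:
            rep2 = requests.get(attackurl2, headers=core.GetHeaders(), timeout=4, verify=False)
        except Exception:
            pass
        if rep1:
            return url, attackurl1, rep1
        if rep2:
            return url, attackurl2, rep2
        print("None data")
        _release_scan_slot()
        return None, None, None
    attackurl = url
    try:
        rep = requests.get(attackurl, headers=core.GetHeaders(), timeout=4, verify=False)
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt/SystemExit.
        pass
    if not rep:
        print("{}访问超时".format(attackurl))
        return None, None, None
    # Strip only the leading scheme; ``str.replace`` would also remove a
    # second occurrence further inside the URL.
    scheme = "http://" if url.startswith("http://") else "https://"
    return url[len(scheme):], attackurl, rep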
def assetdetail(name=None):
    """Render the detail page for asset *name*; redirect to ``index`` when no name is given.

    The detail text is whatever the Redis ``assets`` hash holds under *name*
    (``None`` when the field is absent, passed through to the template as is).
    """
    if not name:
        return redirect(url_for('index'))
    stored = redispool.hget('assets', name)
    return render_template('assetDetail.html', name=name, assetdetail=stored)
 def WebLogicScan(self):
     """Run the WebLogic checks against ``self.domain`` and persist the hits.

     ``WebLogicScan.run`` resolves to the module-level name, not to this
     method (method names are not in scope inside their own body).  Each
     result unpacks to ``(vulnerable, bugurl, bugname, bugdetail)``; the bug
     URL doubles as the stored payload.  Hits are added as ``BugList`` rows,
     counted in the Redis HyperLogLogs and committed together.  Any exception
     is printed and swallowed.
     """
     print("正在进行weblogic漏洞检测!")
     try:
         outcomes = WebLogicScan.run(self.domain)
         with app.app_context():
             for vulnerable, bugurl, bugname, bugdetail in outcomes:
                 if not vulnerable:
                     continue
                 grade = redispool.hget('bugtype', bugname)
                 row = BugList(oldurl=self.domain, bugurl=bugurl, bugname=bugname,
                               buggrade=grade, payload=bugurl, bugdetail=bugdetail)
                 redispool.pfadd(grade, bugurl)
                 redispool.pfadd(bugname, bugurl)
                 db.session.add(row)
             db.session.commit()
     except Exception as err:
         print(err)
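def POCScanConsole(attackurl, url):
    """Check *url* against every user-added POC in the ``POC`` table and persist the hits.

    For each row, ``url + poc.rule`` is fetched and a hit is recorded when the
    response is not a 404 and its body contains ``poc.expression``.

    Args:
        attackurl: The original target; stored as ``oldurl`` on each row.
        url: The page being probed; each rule path is appended to it.

    The first exception (network, Redis or DB error) ends the loop and is
    printed; rows added before it are not committed.
    """
    try:
        # NOTE(review): this query runs before the app context is entered,
        # unlike the writes below -- presumably the caller already provides one.
        allpoc = POC.query.all()
        with app.app_context():
            for poc in allpoc:
                probe = url + poc.rule
                rep = requests.get(probe,
                                   headers=core.GetHeaders(),
                                   timeout=2)
                if rep.status_code == 404 or poc.expression not in rep.text:
                    continue
                grade = redispool.hget('bugtype', poc.name)
                bug = BugList(oldurl=attackurl,
                              bugurl=url,
                              bugname=poc.name,
                              buggrade=grade,
                              # Was ``url + poc``: concatenating a str with the
                              # POC row object, which fails before any hit is
                              # stored.  The probed URL is the intended payload.
                              payload=probe,
                              bugdetail=rep.text)
                redispool.pfadd(grade, url)
                redispool.pfadd(poc.name, url)
                db.session.add(bug)
            db.session.commit()
    except Exception as e:
        print(e)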
 def WebLogicScan(self):
     """Run the WebLogic checks against ``self.domain`` and store the hits.

     ``WebLogicScan.run`` resolves to the module-level name, not to this
     method.  Each result unpacks to ``(vulnerable, bugurl, bugname,
     bugdetail)``; the bug URL is stored as the payload.  All rows are
     committed together.  Exceptions are not caught in this variant.
     """
     outcomes = WebLogicScan.run(self.domain)
     with app.app_context():
         for vulnerable, bugurl, bugname, bugdetail in outcomes:
             if not vulnerable:
                 continue
             db.session.add(BugList(oldurl=self.domain,
                                    bugurl=bugurl,
                                    bugname=bugname,
                                    buggrade=redispool.hget('bugtype', bugname),
                                    payload=bugurl,
                                    bugdetail=bugdetail))
         db.session.commit()
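def photo():
    """Show the avatar page (GET) or store an uploaded avatar (POST).

    The upload is accepted only when ``core.allowed_file`` approves its file
    name; it is saved under ``static/photo`` as ``<email local part>.<ext>``
    and that file name is recorded in the Redis ``imagename`` hash.

    Returns:
        The rendered page on GET; on POST a redirect to ``user`` after a
        successful save, otherwise a short failure message; a redirect to
        ``index`` when no account matches ``session['user_id']``.
    """
    user_id = session.get('user_id')
    nowuser = User.query.filter(User.id == user_id).first()
    if nowuser is None:
        # No matching account: bounce instead of failing on ``nowuser.email``.
        return redirect(url_for('index'))
    photoname = redispool.hget('imagename', nowuser.email)
    if request.method == 'GET':
        return render_template('photo.html', photoname=photoname)
    img = request.files['photo']
    if not (img and core.allowed_file(img.filename)):
        return '<p> 上传失败</p>'
    # Assumes ``allowed_file`` rejects names without a '.'; otherwise the
    # index below raises IndexError -- confirm against core.allowed_file.
    ext = img.filename.rsplit('.', 1)[1]
    email = nowuser.email
    # Both parts of the name are user-controlled (e-mail local part, upload
    # extension).  basename() drops any directory components so the file is
    # always written inside the photo directory.
    photoname = os.path.basename(email.split('@')[0] + "." + ext)
    photo_dir = os.path.join(os.getcwd(), "static", "photo")
    img.save(os.path.join(photo_dir, photoname))
    redispool.hset('imagename', email, photoname)
    return redirect(url_for('user'))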
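def GenInvitationCode():
    """Create one invitation code, store it, and re-render the user-center page.

    The code is a random UUID (``uuid4``, which draws from ``os.urandom``).
    The original used ``uuid1``, which embeds the host's MAC address and a
    timestamp, so anyone holding one code could narrow down the others; that
    is unsuitable for a value that presumably gates registration.  ``uuid4``
    keeps the same 36-character text form, so the ``InvitationCode.code``
    column is unaffected.

    Returns:
        The rendered user-center template with the ten newest codes, or a
        redirect to ``index`` when no account matches ``session['user_id']``.
    """
    user_id = session.get('user_id')
    nowuser = User.query.filter(User.id == user_id).first()
    if nowuser is None:
        # No matching account: bounce instead of failing on ``nowuser.email``.
        return redirect(url_for('index'))
    profile = Profile.query.filter(Profile.userid == user_id).first()
    assetname = redispool.hkeys('assets')
    followlist = redispool.hgetall('FollowList')
    photoname = redispool.hget('imagename', nowuser.email) or 'springbird.jpg'
    # Unpredictable code; uuid1() was guessable (MAC + timestamp).
    code = str(uuid.uuid4())
    db.session.add(InvitationCode(code=code))
    db.session.commit()
    allcode = InvitationCode.query.order_by(InvitationCode.id.desc()).limit(10).all()
    return render_template('user-center.html', allcode=allcode, username=nowuser.username, profile=profile,
                           assetname=assetname, followlist=followlist, photoname=photoname)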
def informationpoc_check(oldurl, informationurl):
    """Run the information-disclosure POCs against *informationurl* and persist the hits.

    Args:
        oldurl: The original target; stored as ``oldurl`` on every row.
        informationurl: URL handed to ``pocdb_pocs`` and shown in the banner.

    POC names are echoed through ``informationpool.map(informationprint, ...)``
    and the checks run through ``informationpool.map(informationcheck, ...)``;
    the module-level pool is closed and joined afterwards.  Each result unpacks
    to ``(vulnerable, bugurl, bugname, payload, bugdetail)``; hits become
    ``BugList`` rows committed in one transaction.  Unlike ``cmspoc_check``,
    nothing is written to the Redis HyperLogLogs here and exceptions propagate
    to the caller.
    """
    poc_dict = pocdb_pocs(informationurl).informationpocdict
    banner = ">>>Information漏洞扫描URL: {}\t可用POC个数[{}]".format(
        informationurl, len(poc_dict))
    cprint(banner, "magenta")
    informationpool.map(informationprint, poc_dict.keys())
    print("\r")
    outcomes = informationpool.map(informationcheck, poc_dict.values())
    informationpool.close()
    informationpool.join()
    with app.app_context():
        for vulnerable, bugurl, bugname, payload, bugdetail in outcomes:
            if not vulnerable:
                continue
            db.session.add(BugList(oldurl=oldurl,
                                   bugurl=bugurl,
                                   bugname=bugname,
                                   buggrade=redispool.hget('bugtype', bugname),
                                   payload=payload,
                                   bugdetail=bugdetail))
        db.session.commit()
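def SZheScan(url):
    """Run the whole pipeline for one target: normalise, fingerprint, scan, book-keep.

    Steps, all inside one Flask app context once the target answers:

    1. ``inputfilter`` picks a scheme that answers; an unreachable target ends
       the scan immediately (``inputfilter`` releases the queue counters).
    2. A ``BaseInfo`` row is written from ``GetBaseMessage`` (status, title,
       date, headers, fingerprint, port scan, sensitive dirs) and its id is
       kept for the ``IPInfo`` or ``DomainInfo`` row written afterwards,
       depending on whether the host is a dotted IPv4 (optionally ``:port``).
    3. WebLogic and AngelSword checks, a depth-2 crawl, then
       ``BugScanConsole`` over the crawled URLs.
    4. The ``targetscan`` counters in Redis are released, and the target is
       counted in ``havebugpc`` when the newest ``BugList`` row belongs to it.

    Any exception is printed (after the legacy ``"2"`` marker) and the
    function returns ``None``.

    :param url: Raw target string as queued.
    """
    try:
        # Normalise the entry; (None, None, None) means the target is invalid
        # or never answered, in which case there is nothing to scan.
        url, attackurl, rep = inputfilter(url)
        if not url:
            return
        redispool.hset("targetscan", "nowscan", attackurl)
        with app.app_context():
            # Collect the basic information about the target.
            baseinfo = GetBaseMessage(url, attackurl, rep)
            # Raw string: the original '^\d+...' literal relied on Python
            # passing unknown escapes through, which is deprecated.
            ip_pattern = re.compile(r'^\d+\.\d+\.\d+\.\d+(:(\d+))?$')
            # ``match`` is equivalent to the earlier ``findall`` truth test
            # because the pattern is anchored at both ends.
            is_ip = ip_pattern.match(url) is not None
            # An IP with a port: the IP-level lookups use the bare address.
            infourl = url.split(":")[0] if is_ip and ":" in url else url
            if is_ip:
                ipinfo = IPMessage(infourl)
            else:
                domaininfo = DomainMessage(url)
            info = BaseInfo(url=url,
                            boolcheck=is_ip,
                            status=baseinfo.GetStatus(),
                            title=baseinfo.GetTitle(),
                            date=baseinfo.GetDate(),
                            responseheader=baseinfo.GetResponseHeader(),
                            Server=baseinfo.GetFinger(),
                            portserver=baseinfo.PortScan(),
                            sendir=baseinfo.SenDir())
            db.session.add(info)
            # flush() so ``info.id`` is populated before the child row needs it.
            db.session.flush()
            infoid = info.id
            db.session.commit()
            baseinfo.WebLogicScan()
            baseinfo.AngelSwordMain()
            if is_ip:
                redispool.pfadd("ip", infourl)
                ipinfo = IPInfo(baseinfoid=infoid,
                                bindingdomain=ipinfo.GetBindingIP(),
                                sitestation=ipinfo.GetSiteStation(),
                                CMessage=ipinfo.CScanConsole(),
                                ipaddr=ipinfo.FindIpAdd())
                db.session.add(ipinfo)
            else:
                redispool.pfadd("domain", infourl)
                domaininfo = DomainInfo(
                    baseinfoid=infoid,
                    subdomain=domaininfo.GetSubDomain(),
                    whois=domaininfo.GetWhoisMessage(),
                    bindingip=domaininfo.GetBindingIP(),
                    sitestation=domaininfo.GetSiteStation(),
                    recordinfo=domaininfo.GetRecordInfo(),
                    domainaddr=domaininfo.FindDomainAdd())
                db.session.add(domaininfo)
            db.session.commit()
            # Crawl depth defaults to 2 so large sites do not produce too many
            # links; it can be changed in the settings.
            SpiderGetUrl2(attackurl, deepth=2)
            print("对该网站爬取到的url进行常规漏扫 :D")
            BugScanConsole(url)
            # Release the queue slot: decrement ``waitcount`` when it is a text
            # value (``'str' in str(type(count))`` in the original), otherwise
            # reset it to "0"; then clear ``nowscan``.  Redis errors are printed.
            try:
                count = redispool.hget('targetscan', 'waitcount')
                if isinstance(count, str):
                    redispool.hset("targetscan", "waitcount", str(int(count) - 1))
                else:
                    redispool.hset("targetscan", "waitcount", "0")
                redispool.hdel("targetscan", "nowscan")
            except Exception as e:
                print(e)
            # If the newest BugList row belongs to this target, the target is
            # affected: count it in ``havebugpc``.  ``first()`` is None on an
            # empty table, which previously raised AttributeError here.
            latest = BugList.query.order_by(BugList.id.desc()).first()
            if latest is not None and latest.oldurl == url:
                redispool.pfadd("havebugpc", url)
            print("{} scan end !".format(url))
    except Exception as e:
        print("2")  # stray debug marker kept from the original
        print(e)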
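def SenFileScan(domain, redispool):
    """Probe ``http://<domain>/<suffix>`` for every suffix in the Redis ``SenScan`` list.

    Wordlist: originally ``dict\\SEN_scan.txt``, now read from Redis.  The
    candidates are first filtered through ``UrlRequest`` in a ``ThreadPool``
    of 20 workers; entries it returns as ``None`` (or empty) mean "nothing
    there" and are skipped instead of being requested again (the original
    fetched them, failed, and printed the error).  Each surviving URL is
    fetched once more and stored as a ``SenDir`` ``BugList`` row with the
    response body as ``bugdetail``, all committed together.

    :param domain: Host name the suffixes are appended to; also the ``oldurl``
        of every row.
    :param redispool: Redis client holding the ``SenScan`` wordlist and the
        ``bugtype`` grades (shadows the module-level client of the same name).
    :return: The surviving candidate URLs joined with newlines.
    """
    pools = 20
    urlList = ["http://{}/{}".format(domain, redispool.lindex("SenScan", i))
               for i in range(0, redispool.llen("SenScan"))]
    pool = ThreadPool(pools)
    try:
        SenFileMessage = pool.map(UrlRequest, urlList)
    finally:
        # Always release the workers, even if a worker raised.
        pool.close()
        pool.join()
    # Same filter the return value already applied; done once, up front.
    found = list(filter(None, SenFileMessage))
    if found:
        with app.app_context():
            for senurl in found:
                try:
                    rep = requests.get(senurl, headers=core.GetHeaders(), timeout=3, verify=False)
                    bug = BugList(oldurl=domain,
                                  bugurl=senurl,
                                  bugname="SenDir",
                                  buggrade=redispool.hget('bugtype', "SenDir"),
                                  payload=senurl,
                                  bugdetail=rep.text)
                    db.session.add(bug)
                except Exception as e:
                    # Best-effort per path: report and move on.
                    print(e)
            db.session.commit()
    return "\n".join(found)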