def httpauth(target,
             userfile='./wordlists/user.txt',
             passwdfile='./wordlists/passwd.txt'):
    '''
    HTTP authentication weakness check: every username/password pair from
    the two wordlists is tried against *target* with HTTP Basic auth.
    :param target: target url
    :param userfile: path to the username wordlist, one entry per line
    :param passwdfile: path to the password wordlist, one entry per line
    :return: 0 as soon as the target answers 200 without credentials (there
             is no authentication to test); the remaining return path is
             garbled in this copy of the source
    '''
    up = []
    # NOTE(review): both files are opened and never closed; a `with open(...)`
    # block would release the handles deterministically. A trailing newline
    # in a wordlist produces an empty last entry.
    userfile = open(userfile, 'r').read().split('\n')
    passwdfile = open(passwdfile, 'r').read().split('\n')
    for i in userfile:
        for j in passwdfile:
            try:
                # Neither request sets a timeout, so an unresponsive host can
                # stall the check indefinitely.
                r = requests.get(target)
                if r.status_code == 200:
                    return 0
                r = requests.get(target, auth=HTTPBasicAuth(i, j))
                if r.status_code == 200:
                    print(
                        "\033[1;32;1m[+]目标存在HTTP认证弱密钥漏洞!user:{},password:{}\033[0m"
                        .format(i, j))
                    vulnsum.addMedium()
                    # NOTE(review): the next line is truncated/garbled in the
                    # captured source (the '******' runs) and does not parse,
                    # and the enclosing `try` has no except/finally here.
                    up.append('user:'******'password:'******'HTTP Authentication Defects', up)
def mwcs(target):
    '''
    Plaintext-credential transmission check.

    Loads *target* in headless Firefox, locates the password input (plus any
    input that looks like a username field), starts the ./bin/snf.py helper,
    submits the probe value "Admin123" through the form and then looks for
    "<field>=Admin123" in the helper's output file /tmp/snf.txt.
    :param target: target url
    :return: 0 when there is no password field or the page could not be
             processed; otherwise None
    '''
    profile = webdriver.FirefoxProfile()
    profile.accept_untrusted_certs = True
    opt = webdriver.FirefoxOptions()
    opt.add_argument('--headless')
    browser = webdriver.Firefox(firefox_profile=profile, options=opt)

    try:

        browser.get(target)
        sour = browser.page_source
        # print(sour)
        soup = BeautifulSoup(sour, "html.parser")
        pwd = soup('input', type="password")
        if pwd == []:
            # NOTE(review): returns without closing the browser; the except
            # branch below has the same leak.
            return 0
        # Capture helper is started before the form is submitted; its stdout
        # is drained with da.read() after the submission.
        da = os.popen("./bin/snf.py")
        ipt = soup('input')
        for i in range(len(ipt)):
            # Heuristic: any input whose markup mentions a username-like
            # label is appended after the password field.
            if "用户名" in str(ipt[i]) or "User" in str(ipt[i]) or "user" in str(
                    ipt[i]) or "loginID" in str(ipt[i]):
                if pwd[0] != ipt[i]:
                    pwd.append(ipt[i])
        for i in range(len(pwd)):
            #print(pwd[i])
            # Replace each tag by the value of its name="..." attribute
            # ([6:-1] strips the `name="` prefix and the closing quote). An
            # input without a matching name attribute raises IndexError here
            # and ends up in the bare except below.
            pwd[i] = re.findall(r'name="[a-zA-Z0-9_=+\-/]+"',
                                str(pwd[i]))[0][6:-1]
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # hides the real failure; narrowing it would make failures
        # diagnosable.
        print("\033[1;31;1m[!]登录失败\033[0m")
        return 0

    browser.refresh()

    for i in pwd:
        # NOTE(review): find_element_by_name was removed in Selenium 4
        # (find_element(By.NAME, ...) replaces it) -- confirm the pinned
        # Selenium version.
        browser.find_element_by_name(i).send_keys("Admin123")
    try:
        browser.find_element_by_name(pwd[0]).send_keys(Keys.ENTER)
    except IndexError:
        pass
    browser.close()
    # Blocks until the helper closes its stdout -- presumably it exits on its
    # own once it has captured; confirm against ./bin/snf.py.
    da.read()
    # NOTE(review): fixed path in the shared /tmp directory, read without
    # closing the handle; an exclusive temporary file would be safer.
    da = open('/tmp/snf.txt', 'r').read()
    try:
        if pwd[0] + "=" + "Admin123" in da:
            print("\033[1;32;1m[+]存在密码明文传输漏洞!\033[0m")
            vulnsum.addMedium()
            report.whtml('User name and password plaintext transmission', da)
        # os.remove would delete the file without spawning a shell.
        os.system('rm /tmp/snf.txt')
    except:
        pass
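def httpHead(target):
    '''
    Report the server banner exposed through the HTTP "Server" response
    header.
    :param target: target url
    :return: None; when the header is present the banner is printed, counted
             as a low-severity finding and written to the report
    '''
    try:
        # Bounded wait so an unresponsive host cannot stall the scan.
        r = requests.get(target, headers=head, timeout=10)
    except requests.RequestException:
        # Unreachable target: nothing to report. Only network errors are
        # swallowed, so KeyboardInterrupt and programming errors still
        # surface.
        return
    server = r.headers.get('Server')
    if server is None:
        return
    print("\033[1;32;1m[+]发现HTTP头泄露了服务器信息:", server + '\033[0m')
    vulnsum.addLow()
    report.whtml('HTTP Header Information Leakage', server)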
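def options(target):
    '''
    HTTP OPTIONS method check: report the methods advertised in the "Allow"
    response header.
    :param target: target url
    :return: None; when the header is present the method list is printed,
             counted as a low-severity finding and written to the report
    '''
    try:
        # Bounded wait so an unresponsive host cannot stall the scan.
        r = requests.options(target, headers=head, timeout=10)
    except requests.RequestException:
        # Unreachable target: nothing to report. Only network errors are
        # swallowed, so KeyboardInterrupt and programming errors still
        # surface.
        return
    allow = r.headers.get('Allow')
    if allow is None:
        return
    print("\033[1;32;1m[+]发现服务器启用了OPTIONS方法:", allow + '\033[0m')
    vulnsum.addLow()
    report.whtml('HTTP OPTIONS method is active', allow)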
def ms17_010(target):
    """
    MS17-010 check via Metasploit's SMB scanner module.

    Writes a msfconsole resource script to /tmp/smb.rc, runs it and records
    a high-severity finding when the module output contains
    'Host is likely VULNERABLE'.
    :param target: IP or IP range; used verbatim as RHOSTS
    :return: None
    """
    # NOTE(review): target is written unescaped into the resource script, so
    # a value containing newlines or extra tokens is interpreted by msfconsole
    # as further commands. Validate it as an address/range before calling.
    # The fixed /tmp path is also shared with every user of the host.
    f = open('/tmp/smb.rc', 'w')
    f.write('use auxiliary/scanner/smb/smb_ms17_010\n')
    f.write('set RHOSTS ' + target + '\n')
    f.write('exploit\n')
    f.write('exit\n')
    f.close()
    # Blocks until msfconsole exits; there is no timeout.
    rst = os.popen('msfconsole -r /tmp/smb.rc').read()
    #print(rst)
    if 'Host is likely VULNERABLE' in rst:
        print("\033[1;32;1m[+]存在MS-17-010漏洞\033[0m")
        vulnsum.addHigh()
        report.whtml(
            'MS17-010 Vulnerability',
            'Metasploit EXP:\nexploit/windows/smb/ms17_010_eternalblue\n')
    # os.remove('/tmp/smb.rc') would avoid spawning a shell; the script is
    # also left behind if anything above raises.
    os.system('rm /tmp/smb.rc')
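def robots(target):
    '''
    Check robots.txt for entries that reveal administrative paths.

    Three keywords are looked for in the file body: 'admin', 'management'
    and 'manage'. Each hit is printed, counted as a low-severity finding and
    written to the report together with the matched keyword occurrences.
    :param target: target url (a trailing slash is tolerated)
    :return: None
    '''
    url = target.rstrip('/') + "/robots.txt"
    try:
        # Bounded wait so an unresponsive host cannot stall the scan.
        r = requests.get(url, headers=head, timeout=10)
    except requests.RequestException:
        # Unreachable target: nothing to report.
        return
    text = r.text
    title = 'Robots.txt File Information Leakage'

    if 'admin' in text:
        print("\033[1;32;1m[+]发现目标robots.txt泄露了admin目录!\033[0m")
        vulnsum.addLow()
        report.whtml(title, re.findall(r'admin', text))

    # 'management' contains 'manage': test the longer keyword first and report
    # the path once. Nesting the 'manage' test inside the 'management' branch
    # would report the same path twice and never see a bare 'manage' entry.
    if 'management' in text:
        print("\033[1;32;1m[+]发现目标robots.txt泄露了manage目录!\033[0m")
        vulnsum.addLow()
        report.whtml(title, re.findall(r'management', text))
    elif 'manage' in text:
        print("\033[1;32;1m[+]发现目标robots.txt泄露了manage目录!\033[0m")
        vulnsum.addLow()
        report.whtml(title, re.findall(r'manage', text))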
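def ipLkg(target):
    '''
    Report IPv4 addresses that appear in the response body of *target*.
    :param target: target url
    :return: None; each address is printed, one low-severity finding is
             counted and the list is written to the report
    '''
    # Dotted quad with each octet in 0-255. The pattern has no boundary
    # anchors, so digits adjoining a longer number are matched as well.
    octet = r'(25[0-5]|2[0-4]\d|[0-1]\d{2}|[1-9]?\d)'
    pattern = r'\.'.join([octet] * 4)
    try:
        # Bounded wait so an unresponsive host cannot stall the scan.
        r = requests.get(target, headers=head, timeout=10)
    except requests.RequestException:
        # Unreachable target: nothing to report.
        return
    # findall yields one 4-tuple of octets per match; rejoin them.
    found = [".".join(octets) for octets in re.findall(pattern, r.text)]
    if not found:
        return
    vulnsum.addLow()
    for addr in found:
        print("\033[1;32;1m[+]发现源码中泄露了IP地址:", addr + '\033[0m')
    report.whtml('Source Leakage IP Address', found)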
def py_nmap(target, flag, user, passwd, ufile, pfile):
    """
    Port-scan *target* with nmap, map each open service to its port, hand
    every service not on the skip list to brute(), print the results queued
    in h_q and, if port 445 was recorded, call ms17_010().

    :param target: target url; converted to an IP by urltoip()
    :param flag: truthy -> nmap -T4 -A -sV over ports 0-65535, otherwise a
                 default nmap scan
    :param user: single username passed through to brute()
    :param passwd: single password passed through to brute()
    :param ufile: username wordlist path, passed to brute() as usfile
    :param pfile: password wordlist path, passed to brute() as pdfile
    :return: 0 when nmap lists no open TCP port; otherwise None
    """
    global h_q
    global d_rt
    # The string below follows the `global` statements, so it is an ordinary
    # expression statement rather than the function's docstring.
    """

    :param target: target url
    :param flag: Full ports scan
    :return:
    """
    #target url -> target ip
    target = urltoip(target)

    # NOTE(review): target is concatenated into a shell command line; the
    # value urltoip() returns must not carry shell metacharacters
    # (subprocess.run with an argument list would avoid the shell entirely).
    # Each call blocks until nmap exits, with no timeout.
    if flag:
        get_nmap = os.popen("nmap -T4 -A -sV -p0-65535 " + target).read()
        if 'Host seems down' in get_nmap:
            # Retry without host discovery when nmap thinks the host is down.
            get_nmap = os.popen('nmap -T4 -A -sV -Pn -p0-65535 ' +
                                target).read()
    else:
        get_nmap = os.popen("nmap " + target).read()
        if 'Host seems down' in get_nmap:
            get_nmap = os.popen('nmap -T4 -A -sV -Pn ' + target).read()
    # raw "<port>/tcp open <service>" lines: rt
    rt = re.findall(r'\d+/tcp[ ]*open[ ]*[a-zA-Z0-9_/?\-]*', get_nmap)
    if rt == []:
        print("\033[1;31;1m[!]目标未开放任何端口或网络不可达\033[0m")
        return 0
    #result list type
    #print(rt)
    # Always true here (the empty case returned above).
    if rt != []:
        report.wnmap('Nmap Scan Result', 'Port/Protocal', 'State', 'Service',
                     rt)
    # Normalise each line to "<port> <service>", renaming nmap's service
    # labels to the names brute() presumably dispatches on (confirm against
    # brute()). The substitution order matters: spaces are stripped before
    # 'open' becomes the separator, and 'login'/'shell' both map to 'rlogin'.
    for i in range(len(rt)):
        print('\033[1;32;1m[+]' + rt[i] + '\033[0m')
        rt[i] = rt[i].replace(' ', '')
        rt[i] = rt[i].replace('/tcp', '')
        rt[i] = rt[i].replace('open', ' ')
        rt[i] = rt[i].replace('netbios-ssn', 'samba')
        rt[i] = rt[i].replace('microsoft-ds', 'smb')
        rt[i] = rt[i].replace('exec', 'rexec')
        rt[i] = rt[i].replace('login', 'rlogin')
        rt[i] = rt[i].replace('shell', 'rlogin')
        rt[i] = rt[i].replace('nfs', 'pcnfs')
        rt[i] = rt[i].replace('ccproxy-ftp', 'ftp')
        rt[i] = rt[i].replace('postgresql', 'postgres')
        rt[i] = rt[i].replace('vnc-1', 'vnc')
        rt[i] = rt[i].replace('vnc-2', 'vnc')
        rt[i] = rt[i].replace('vnc-3', 'vnc')
        rt[i] = rt[i].replace('ms-wbt-server', 'rdp')
        rt[i] = rt[i].split(' ')
        # {service: port}; a line without a service name gives the key ''.
        rt[i] = {rt[i][1]: rt[i][0]}
    # dict form: {'service': 'port'}:
    #print(rt)
    # merge service -> [ports] into the module-level d_rt
    # NOTE(review): d_rt is global and never cleared here, so entries
    # accumulate across calls.
    for i in range(len(rt)):
        for j in rt[i]:
            d_rt.setdefault(j, []).append(rt[i][j])

    # Services that brute() is not run against.
    for i in list(d_rt.keys()):
        if i == 'irc' or i == 'unknown' or i == 'X11' or i == 'samba' or i == 'ajp13' or i == 'msrpc' or i == 'IIS' or i == 'iad1' or i == 'ms-lsa' or i == 'NFS-or-IIS' or i == 'LSA-or-nterm' or i == 'http':
            continue
        brute(d_rt, i, target, user, passwd, usfile=ufile, pdfile=pfile)

    # Drain the result queue filled by brute(). Entries are read with .read(),
    # so they are presumably open pipe/file handles; '\x00' looks like a
    # placeholder for "no result" -- confirm against brute().
    while h_q.qsize():
        # print(h_q.empty())
        #if h_q.empty():
        #   break
        # note: .get()
        h = h_q.get()
        # print(h)
        if h != '\x00':
            # print(h_q.get())
            h = h.read()
            #print(h)
            # Matches "[port][service] host: <ip> login: <user> password:
            # <pw>" result lines.
            rst = re.findall(
                r'\[\d+\]\[[a-zA-Z0-9]+\]\s*host:\s*\d+\.\d+\.\d+\.\d+\s*login:\s*[a-zA-Z0-9\-_]+\s*password:\s*[a-zA-Z0-9\-_!@#$%]+',
                h)
            # print the weak credentials found
            for i in rst:
                print('\033[1;32;1m' + '[+]' + i + '\033[0m')
                vulnsum.addHigh()
            if rst != []:
                report.whtml('Port weak password', rst)
    # NOTE(review): d_rt's values are lists of port strings (see setdefault
    # above), so this membership test compares the string against lists and
    # cannot be true as written.
    if '445' in list(d_rt.values()):
        ms17_010(target)
def nikto(target):
    """
    Run nikto against *target* and turn selected lines of its output into
    console messages, severity counters and report entries.

    Covers web-server misconfiguration (missing security headers, TRACE,
    mod_negotiation), outdated component banners, default/administrative
    paths and directory indexing.
    :param target: target url
    :return: None
    """
    rst = os.popen("nikto -h " + target).read()

    def record(message, severity, title, detail, banner=None):
        # One finding: green console line, severity counter, report entry.
        # With a banner the console line is printed as two arguments, which
        # separates them with a space.
        if banner is None:
            print("\033[1;32;1m[+]" + message + "\033[0m")
        else:
            print("\033[1;32;1m[+]" + message, banner + '\033[0m')
        severity()
        report.whtml(title, detail)

    def contains(needle):
        return needle in rst

    def outdated(pattern, message, title):
        # nikto's "<component>/<version> appears to be outdated" banner;
        # only the first occurrence is reported, as a low-severity finding.
        hits = re.findall(pattern, rst)
        if hits:
            record(message, vulnsum.addLow, title, hits[0], banner=hits[0])

    if contains('The X-XSS-Protection header is not defined'):
        record('HTTP Header中未使用XSS保护', vulnsum.addLow,
               'X-XSS-Protection',
               'The X-XSS-Protection header is not defined')

    if contains('The X-Content-Type-Options header is not set'):
        record('未设置x-content-type-options头', vulnsum.addLow,
               'X-Content-Type-Options',
               'The X-Content-Type-Options header is not set')

    if contains('Apache mod_negotiation is enabled'):
        record('Apache mod_negotiation启用', vulnsum.addLow,
               'Apache mod_negotiation',
               'Apache mod_negotiation is enabled')

    outdated(r'Apache/[\d.]* appears to be outdated', 'Apache版本较低',
             'Apache version is lower')
    outdated(r'PHP/[\d.a-zA-Z\-_]* appears to be outdated', 'PHP版本较低',
             'PHP version is lower')

    if contains('X-Frame-Options header'):
        record('存在点击劫持漏洞', vulnsum.addLow, 'Click hijack',
               'X-Frame-Options header is not defined')

    outdated(r'Python/2[\d.]* appears to be outdated', 'Python版本较低',
             'Python version is lower')
    outdated(r'mod_ssl/[\d.]* appears to be outdated', 'ssl版本较低',
             'ssl version is lower')
    outdated(r'OpenSSL/[\d.a-zA-Z]* appears to be outdated', 'OpenSSL版本较低',
             'OpenSSL version is lower')
    outdated(r'Phusion_Passenger/[\d.]* appears to be outdated',
             'Phusion_Passenger版本较低', 'Phusion Passenger version is lower')
    outdated(r'mod_mono/[\d.]* appears to be outdated', 'mono版本较低',
             'mono version is lower')
    outdated(r'proxy_html/[\d.]* appears to be outdated', 'HTTP Proxy版本较低',
             'HTTP Proxy version is lower')
    outdated(r'mod_perl/[\d.]* appears to be outdated', 'Perl版本较低',
             'Perl version is lower')

    if contains('HTTP TRACE method is active'):
        record('启用了TRACE方法', vulnsum.addMedium,
               'HTTP TRACE method is active', re.findall(r'TRACE', rst))

    if contains('phpMyAdmin directory found'):
        record('发现phpmyadmin目录', vulnsum.addLow,
               'phpMyAdmin directory found', 'curl ' + target + '/phpmyadmin')

    if contains('phpmyadmin/Documentation.html'):
        record('存在可访问的/phpmyadmin/Documentation.html页面', vulnsum.addMedium,
               'There are accessible /phpMyAdmin/Documentation.html pages',
               'curl ' + target + '/phpmyadmin/Documentation.html')

    if contains('Apache default file found'):
        record('发现Apache默认文件/icons/README', vulnsum.addLow,
               'Apache default file found', '/icons/README')

    if contains('/Admin/: Directory indexing found'):
        record('发现Admin路径/Admin/', vulnsum.addLow,
               'Admin Directory indexing found', '/Admin/')

    if contains('/admin/: Directory indexing found'):
        record('发现admin路径/admin/', vulnsum.addMedium,
               'admin Directory indexing found', '/admin/')