def get_domain_type(domain):
if is_ip(domain):
return 'ip'
elif is_url(domain):
domain = Domain.url_format(domain)
root_domain = Domain.get_root_domain(domain)
if root_domain == domain:
return 'root_domain'
else:
return 'domain'
else:
return False
def get_domain_type(domain):
if is_ip(domain):
return 'ip'
elif is_url(domain):
domain = Domain.url_format(domain)
root_domain = Domain.get_root_domain(domain)
if root_domain == domain:
return 'root_domain'
else:
return 'domain'
else:
return False
def get_rootdomains_by_domain(cls, domain):
"""
function to get others rootdomain by a known rootdomain
"""
domain = Domain.get_domain(domain)
zt_name = cls().query_zt_by_domain(domain)
domains = cls().query_domains_by_zt(zt_name)
root_domain = Domain.get_root_domain(domain)
if root_domain:
domains.append(domain)
# todo: Judge the domain/ip format
return domains
def get_domain_type(domain):
if is_ip(domain):
return "ip"
elif is_url(domain):
domain = Domain.url_format(domain)
root_domain = Domain.get_root_domain(domain)
if root_domain == domain:
return "root_domain"
else:
return "domain"
else:
return False
def get_rootdomains_by_domain(cls, domain):
"""
function to get others rootdomain by a known rootdomain
"""
domain = Domain.get_domain(domain)
zt_name = cls().query_zt_by_domain(domain)
domains = cls().query_domains_by_zt(zt_name)
root_domain = Domain.get_root_domain(domain)
if root_domain:
domains.append(domain)
# todo: Judge the domain/ip format
return domains
def start(args):
global output_file
global output_format
global domain
global plugin_controller
domain = args.target
domain_type = get_domain_type(domain)
if domain_type in settings.ALLOW_INPUTS:
domain = Domain.url_format(domain)
# 初始化日志
log_level = get_log_level(args.log_level)
init_logger(log_file_path=args.log_file, log_level=log_level)
logger.info('system init...')
# 初始化配置
conf.settings = settings
conf.max_level = args.max_level
output_file = args.output_file
output_format = args.output_format
# 初始化爬虫
proxy_list = get_proxy_list_by_file(args.proxy_file)
api.request = Req(args.timeout, proxy_list, args.verify_proxy)
plugin_controller = PluginController()
plugin_controller.plugin_init()
logger.info('Loaded plugins: %s' % ','.join(conf.plugins.keys()))
# 绑定信号事件
signal.signal(signal.SIGUSR1, on_signal)
signal.signal(signal.SIGTERM, on_signal)
signal.signal(signal.SIGINT, on_signal)
logger.info('start target...')
# 首个目标
first_target = {
'result': {
'root_domain': [],
'domain': [],
'ip': []
},
'module': '',
'level': 0,
'parent_domain': ''
}
first_target['result'][domain_type].append(domain)
plugin_controller.wp.result.put(first_target)
# 开启任务监控
logger.info('start task monitor and plugin...')
kwargs = {'pc': plugin_controller}
monitor = threading.Thread(target=task_monitor, kwargs=kwargs)
monitor.start()
# 开启插件执行
plugin_controller.start()
complate()
else:
logger.error('Please input a target in the correct'
' format(domain/root_domain/ip)!')
def add_task_and_save(pc, one_result):
level = one_result.get('level', -1) + 1
if level <= conf.max_level:
if level > kb.status.level:
kb.status.level = level
print_task_status(True)
module = one_result.get('module')
for task_type in one_result.get('result', {}).keys():
for domain in one_result.get('result', {}).get(task_type, []):
domain = Domain.url_format(domain)
if task_type == 'ip' and is_intra_ip(domain):
continue
if domain not in result[task_type]:
target = {
'level': level,
'domain_type': task_type,
'domain': domain,
'parent_module': module
}
pc.wp.target_queue.put(target)
save_result(one_result, domain, task_type)
print_task_status()
def start():
conf.domain = options.target
domain_type = get_domain_type(conf.domain)
if domain_type in settings.ALLOW_INPUTS:
conf.domain = Domain.url_format(conf.domain)
# 初始化日志
log_level = get_log_level(options.log_level)
init_logger(log_file_path=options.log_file, log_level=log_level)
api.logger.info('System init at %s' % time.strftime("%X"))
# 初始化配置
conf.settings = settings
# 初始化爬虫
proxy_list = get_proxy_list_by_file(options.proxy_file)
api.request = Req(options.timeout, proxy_list, options.verify_proxy)
conf.plugin_controller = PluginController()
conf.plugin_controller.plugin_init(options.plugins_specific)
api.logger.info('Loaded plugins: %s' % ', '.join(conf.plugins_load.keys()))
# 绑定信号事件
if hasattr(signal, 'SIGUSR1'):
signal.signal(signal.SIGUSR1, on_signal)
signal.signal(signal.SIGTERM, on_signal)
signal.signal(signal.SIGINT, on_signal)
api.logger.info('Start target [%s]' % conf.domain)
# 首个目标
first_target = {
'result': {'root_domain': [], 'domain': [], 'ip': []},
'module': '',
'level': 0,
'parent_domain': ''
}
first_target['result'][domain_type].append(conf.domain)
conf.plugin_controller.wp.result.put(first_target)
# 开启任务监控
api.logger.info('Start task monitor and plugin...')
kwargs = {'pc': conf.plugin_controller}
monitor = threading.Thread(target=task_monitor, kwargs=kwargs)
monitor.start()
# 开启插件执行
conf.plugin_controller.start()
if options.alive_check:
alivecheck = AliveCheck()
print '\n'
api.logger.info('Start alive check...')
alivecheck.start()
api.logger.info('Alive check completed')
complete()
else:
api.logger.error(
'Please input a target in the correct'
' format(domain/root_domain/ip)!'
)
def start(args):
global output_file
global output_format
global domain
global plugin_controller
domain = args.target
domain_type = get_domain_type(domain)
if domain_type in settings.ALLOW_INPUTS:
domain = Domain.url_format(domain)
# 初始化日志
log_level = get_log_level(args.log_level)
init_logger(log_file_path=args.log_file, log_level=log_level)
logger.info('system init...')
# 初始化配置
conf.settings = settings
conf.max_level = args.max_level
output_file = args.output_file
output_format = args.output_format
# 初始化爬虫
proxy_list = get_proxy_list_by_file(args.proxy_file)
api.request = Req(args.timeout, proxy_list, args.verify_proxy)
plugin_controller = PluginController()
plugin_controller.plugin_init()
logger.info('Loaded plugins: %s' % ','.join(conf.plugins.keys()))
# 绑定信号事件
signal.signal(signal.SIGUSR1, on_signal)
signal.signal(signal.SIGTERM, on_signal)
signal.signal(signal.SIGINT, on_signal)
logger.info('start target...')
# 首个目标
first_target = {
'result': {'root_domain': [], 'domain': [], 'ip': []},
'module': '',
'level': 0,
'parent_domain': ''
}
first_target['result'][domain_type].append(domain)
plugin_controller.wp.result.put(first_target)
# 开启任务监控
logger.info('start task monitor and plugin...')
kwargs = {'pc': plugin_controller}
monitor = threading.Thread(target=task_monitor, kwargs=kwargs)
monitor.start()
# 开启插件执行
plugin_controller.start()
complate()
else:
logger.error(
'Please input a target in the correct'
' format(domain/root_domain/ip)!'
)
def start():
parse()
print_status('Get input...')
print_status('Fuzzing take turns...')
while task.domains or task.ips or task.rootdomains:
if task.domains:
domain = task.domains.pop()
level = get_level(domain)
print_status('Fuzzing %s domains[level:%s]...' % (domain, str(level+1)))
if level < control.max_level:
print_status('[domain2ip]Get ip by domain...')
ip = Domain2Ip().get_value(domain)
if ip:
add_ip_task(ip, level+1, 'domain2ip', remark='')
print_good('Get ip %s' % ip)
print_status('[rootdomain]Get rootdomain by domain...')
root_domain = Domain.get_root_domain(domain)
if root_domain:
add_rootdomain_task(root_domain, level+1, 'rootdomain', remark='')
print_good('Get root_domain %s' % root_domain)
result.domains.add(domain)
if task.rootdomains:
root_domain = task.rootdomains.pop()
level = get_level(root_domain)
print_status('Fuzzing %s rootdomains[level:%s]...' % (root_domain, str(level+1)))
if level < control.max_level:
ip = Domain2Ip().get_value(root_domain)
print_status('[domain2ip]Get ip by domain...')
if ip:
add_ip_task(ip, level+1, 'domain2ip', remark='')
print_good('Get ip %s' % ip)
print_status('[icp]Get rootdomains by rootdomains...')
root_domains = ICP.get_rootdomains_by_domain(root_domain)
print_good('Get root_domain num:%s' % str(len(root_domains)))
for rd in root_domains:
add_rootdomain_task(rd, level+1, 'icp', remark='')
print_status('[subdomain]Get domains by rootdomain...')
domains = SubDomain().get_subdomain_by_links(root_domain)
print_good('Get domains num:%s' % str(len(domains)))
for domain in domains:
add_domain_task(domain, level+1, 'subdomain', remark='')
result.rootdomains.add(root_domain)
if task.ips:
ip = task.ips.pop()
level = get_level(ip)
print_status('Fuzzing %s ips[level:%s]...' % (ip, str(level+1)))
if level < control.max_level:
print_status('[ip2domain]Get domains by ip...')
domains = Ip2Domain().get_domains_by_ip(ip)
print_good('Get domains num:%s' % str(len(domains)))
for domain in domains:
add_domain_task(domain, level+1, 'ip2domain', remark='')
result.ips.add(ip)
output()
print_status('Complete Fuzzing!')
def parse(args=None):
parser = argparse.ArgumentParser(
usage=USAGE, formatter_class=argparse.RawTextHelpFormatter,
add_help=False
)
parser.add_argument(
'-h', '--help', action='help',
help='show this help message and exit'
)
parser.add_argument('-V', '--version', action='version',
version=VERSION_INFO)
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument(
'-d', '--domain', dest='domain',
help='Target domain/rootdomain'
)
group.add_argument(
'-i', '--ip', dest='ip',
help='Target ip'
)
parser.add_argument(
'-l', '--max_level', dest='max_level', default=3,
type=int, help='max level to get domain/ip/rootdomain, default:3'
)
args = parser.parse_args(args)
try:
if args.domain:
domain = args.domain
root_domain = Domain.get_root_domain(domain)
new_target = deepcopy(target)
new_target.value = domain
new_target.source = 'input'
if root_domain != domain:
domain_type = 'domain'
else:
domain_type = 'rootdomain'
new_target.type = domain_type
task['%ss' % domain_type].add(domain)
all_target[domain.replace('.', '_')] = new_target
if args.ip:
ip = args.ip
new_target = deepcopy(target)
new_target.value = ip
new_target.source = 'input'
new_target.type = 'ip'
task.ips.add(ip)
all_target[ip.replace('.', '_')] = new_target
control.max_level = args.max_level
except Exception, e:
print_error(str(e))
def __classify_result(self, domain_list):
domains = []
root_domains = []
ips = []
for domain in domain_list:
domain = Domain.get_domain(domain)
domain_type = get_domain_type(domain)
if domain_type == "ip" and domain not in ips:
ips.append(domain)
elif domain_type == "root_domain" and domain not in root_domains:
root_domains.append(domain)
elif domain_type == "domain" and domain not in domains:
domains.append(domain)
return domains, root_domains, ips
def __classify_result(self, domain_list):
domains = []
root_domains = []
ips = []
for domain in domain_list:
domain = Domain.get_domain(domain)
domain_type = get_domain_type(domain)
if domain_type == 'ip' and domain not in ips:
ips.append(domain)
elif domain_type == 'root_domain' and domain not in root_domains:
root_domains.append(domain)
elif domain_type == 'domain' and domain not in domains:
domains.append(domain)
return domains, root_domains, ips
def start(self, domain, domain_type, level):
super(domain2root, self).start(domain, domain_type, level)
try:
root_domain = Domain.get_root_domain(domain)
except:
root_domain = None
if root_domain:
self.result = {
'root_domain': [root_domain],
'ip': [],
'domain': []
}
super(domain2root, self).end()
return self.result
def start(self, domain, domain_type, level):
super(domain2root, self).start(domain, domain_type, level)
try:
root_domain = Domain.get_root_domain(domain)
except:
root_domain = None
if root_domain:
self.result = {
'root_domain': [root_domain],
'ip': [],
'domain': []
}
super(domain2root, self).end()
return self.result
def get_domains_by_ip(self, ip):
print_status('Start get domain by ip through bing...')
url = 'http://cn.bing.com/search?q=ip:%s&first=999999991&FORM=PERE' % ip
html = request(url, 'GET')
domain_regx = r'''
<h2><a\shref="https?://([^"]*?)"\starget="_blank"\sh="ID=[^"]*?">[^<]*?</a></h2>
'''
domain_list = re.findall(domain_regx, html, re.X)
total_page_regx = r'''<span\sclass="sb_count">\d*?\s-\s\d*?\s[^\(]*?\([^\s]*?\s(\d*?)\s[^\)]*?\)</span>'''
result = re.search(total_page_regx, html)
try:
total_num = int(result.group(1).replace(',', ''))
except:
total_num = 9
page_count = total_num / 9
if total_num % 9 > 0:
page_count += 1
print_status('Total pages: %s, Total domains:%s' % (page_count, total_num))
if page_count > 0:
for n in range(total_num-1):
print_status('Get page %s domains...' % str(n+1))
url = 'http://cn.bing.com/search?q=ip:%s&first=%s1&FORM=PERE3' % (ip, n)
html = request(url, 'GET')
new_domain_list = re.findall(domain_regx, html, re.X)
domain_list.extend(new_domain_list)
time.sleep(20)
domain_list = [
Domain.get_domain(domain)
for domain in domain_list
if Domain.get_domain(domain)
]
return list(set(domain_list))
def start(self, domain, domain_type, level):
super(icp, self).start(domain, domain_type, level)
target_domain = Domain.get_domain(domain)
zt_name = self.query_zt_by_domain(target_domain)
domains = self.query_domains_by_zt(zt_name)
domains.append(target_domain)
ips = []
root_domains = []
for domain in domains:
if is_ip(domain) and domain not in ips:
ips.append(domain)
elif is_url(domain) and domain not in root_domains:
root_domains.append(domain)
self.result = {'root_domain': root_domains, 'ip': ips, 'domain': []}
super(icp, self).end()
return self.result
def get_subdomain_by_links(self, domain, level=4):
domain = Domain.get_domain(domain)
url = 'http://i.links.cn/subdomain/'
data = {
'domain': domain,
'b2': 1,
'b3': 1 if level >= 3 else 0,
'b4': 1 if level >= 4 else 0,
}
html = request(url, 'POST', data=data)
regex = '''<a\shref="http://[^"]*?"\srel=nofollow\starget=_blank>http://([^"]*?)</a></div>'''
try:
result = re.findall(regex, html)
except:
result = []
time.sleep(3)
result.append(domain)
return list(set(result))
def get_subdomain_by_links(self, domain, level=4):
domain = Domain.get_domain(domain)
url = 'http://i.links.cn/subdomain/'
data = {
'domain': domain,
'b2': 1,
'b3': 1 if level>=3 else 0,
'b4': 1 if level>=4 else 0,
}
html = request(url, 'POST', data=data)
regex = '''<a\shref="http://[^"]*?"\srel=nofollow\starget=_blank>http://([^"]*?)</a></div>'''
try:
result = re.findall(regex, html)
except:
result = []
time.sleep(3)
result.append(domain)
return list(set(result))
def start(self, domain, domain_type, level):
super(icp, self).start(domain, domain_type, level)
target_domain = Domain.get_domain(domain)
zt_name = self.query_zt_by_domain(target_domain)
domains = self.query_domains_by_zt(zt_name)
domains.append(target_domain)
ips = []
root_domains = []
for domain in domains:
if is_ip(domain) and domain not in ips:
ips.append(domain)
elif is_url(domain) and domain not in root_domains:
root_domains.append(domain)
self.result = {
'root_domain': root_domains,
'ip': ips,
'domain': []
}
super(icp, self).end()
return self.result
def start():
conf.domain = options.target
domain_type = get_domain_type(conf.domain)
if domain_type in settings.ALLOW_INPUTS:
conf.domain = Domain.url_format(conf.domain)
# 初始化日志
log_level = get_log_level(options.log_level)
init_logger(log_file_path=options.log_file, log_level=log_level)
api.logger.info('System init at %s' % time.strftime("%X"))
# 初始化配置
conf.settings = settings
# 初始化爬虫
proxy_list = get_proxy_list_by_file(options.proxy_file)
api.request = Req(options.timeout, proxy_list, options.verify_proxy)
conf.plugin_controller = PluginController()
conf.plugin_controller.plugin_init(options.plugins_specific)
api.logger.info('Loaded plugins: %s' %
', '.join(conf.plugins_load.keys()))
# 绑定信号事件
if hasattr(signal, 'SIGUSR1'):
signal.signal(signal.SIGUSR1, on_signal)
signal.signal(signal.SIGTERM, on_signal)
signal.signal(signal.SIGINT, on_signal)
api.logger.info('Start target [%s]' % conf.domain)
# 首个目标
first_target = {
'result': {
'root_domain': [],
'domain': [],
'ip': []
},
'module': '',
'level': 0,
'parent_domain': ''
}
first_target['result'][domain_type].append(conf.domain)
conf.plugin_controller.wp.result.put(first_target)
# 开启任务监控
api.logger.info('Start task monitor and plugin...')
kwargs = {'pc': conf.plugin_controller}
monitor = threading.Thread(target=task_monitor, kwargs=kwargs)
monitor.start()
# 开启插件执行
conf.plugin_controller.start()
if options.alive_check:
alivecheck = AliveCheck()
print '\n'
api.logger.info('Init alive check...')
alivecheck.start()
api.logger.info('Alive check completed')
complete()
else:
api.logger.error('Please input a target in the correct'
' format(domain/root_domain/ip)!')
def start():
parse()
print_status('Get input...')
print_status('Fuzzing take turns...')
while task.domains or task.ips or task.rootdomains:
if task.domains:
domain = task.domains.pop()
level = get_level(domain)
print_status('Fuzzing %s domains[level:%s]...' %
(domain, str(level + 1)))
if level < control.max_level:
print_status('[domain2ip]Get ip by domain...')
ip = Domain2Ip().get_value(domain)
if ip:
add_ip_task(ip, level + 1, 'domain2ip', remark='')
print_good('Get ip %s' % ip)
print_status('[rootdomain]Get rootdomain by domain...')
root_domain = Domain.get_root_domain(domain)
if root_domain:
add_rootdomain_task(root_domain,
level + 1,
'rootdomain',
remark='')
print_good('Get root_domain %s' % root_domain)
result.domains.add(domain)
if task.rootdomains:
root_domain = task.rootdomains.pop()
level = get_level(root_domain)
print_status('Fuzzing %s rootdomains[level:%s]...' %
(root_domain, str(level + 1)))
if level < control.max_level:
ip = Domain2Ip().get_value(root_domain)
print_status('[domain2ip]Get ip by domain...')
if ip:
add_ip_task(ip, level + 1, 'domain2ip', remark='')
print_good('Get ip %s' % ip)
print_status('[icp]Get rootdomains by rootdomains...')
root_domains = ICP.get_rootdomains_by_domain(root_domain)
print_good('Get root_domain num:%s' % str(len(root_domains)))
for rd in root_domains:
add_rootdomain_task(rd, level + 1, 'icp', remark='')
print_status('[subdomain]Get domains by rootdomain...')
domains = SubDomain().get_subdomain_by_links(root_domain)
print_good('Get domains num:%s' % str(len(domains)))
for domain in domains:
add_domain_task(domain, level + 1, 'subdomain', remark='')
result.rootdomains.add(root_domain)
if task.ips:
ip = task.ips.pop()
level = get_level(ip)
print_status('Fuzzing %s ips[level:%s]...' % (ip, str(level + 1)))
if level < control.max_level:
print_status('[ip2domain]Get domains by ip...')
domains = Ip2Domain().get_domains_by_ip(ip)
print_good('Get domains num:%s' % str(len(domains)))
for domain in domains:
add_domain_task(domain, level + 1, 'ip2domain', remark='')
result.ips.add(ip)
output()
print_status('Complete Fuzzing!')