def testPushFastJsonRceTrafficMessage(self):
"""
测试向消息队列中推送大量的流量数据,测试fastjson漏洞
:return:
"""
from hunter_celery import scan_celery
from model.default_value import TaskStatus
num = 0
fastjson_raw_data = {
'type':
'xmlhttprequest',
'url':
'http://10.211.55.2:8080/product/buy',
'method':
'post',
'data':
'"{\\"id\\":\\"0\\",\\"productId\\":\\"1\\",\\"description\\":\\"2\\",\\"price\\":\\"3\\",\\"imageUrl\\":\\"4\\"}"',
'data_type':
'raw',
'parser':
'chrome-plugin',
'headers':
'{"Accept":"*/*","Origin":"http://10.211.55.2:8080","X-Requested-With":"XMLHttpRequest","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36","content-type":"application/json","Referer":"http://10.211.55.2:8080/product/new","Accept-Encoding":"gzip, deflate","Accept-Language":"zh-CN,zh;q=0.9","Cookie":"session=eyJ1c2VyX25hbWUiOiJtaW5nY2hlbiJ9.EFeQ4A.ivmaggQMMMCkNmch9u0UL_CB2gE"}'
}
while num < 100:
task_id = 2567
current_user_name = 'mingchen'
scan_celery.delay(fastjson_raw_data, task_id, current_user_name,
TaskStatus.DONE)
num += 1
def create_task():
"""
创建任务,可以由浏览器插件或者直接在平台上创建,redis缓存查询用户信息
:return:
"""
try:
post_data = request.get_json(force=True)
if json_utils.has_dict_value_blank(
post_data, ['hook_rule', 'read_agreement', 'task_name']):
return jsonify(status=400,
message="创建任务失败",
data={"extra_info": "新建任务时没有设置网址正则或任务名称"})
if not post_data.get("read_agreement"):
return jsonify(status=400,
message="创建任务失败",
data={"extra_info": "请阅读用户协议并点击同意"})
current_user_name = session["user_name"]
post_hook_rule = post_data.get("hook_rule")
post_task_name = post_data.get("task_name")
current_user = RedisService.get_user(user_name=current_user_name)
receivers_email = current_user[
"email"] if "email" in current_user else None
task = TaskService.save(create_user_id=current_user["id"],
task_name=post_task_name,
receivers_email=receivers_email,
hook_rule=post_hook_rule)
#if UserTaskService.count(where=(UserTask.task_id == task.id, UserTask.user_id == current_user["id"])) == 0:
UserTaskService.save(task_id=task.id, user_id=current_user["id"])
RedisService.create_task(task.id, post_hook_rule, current_user_name,
TaskStatus.WORKING)
RedisService.update_user_field(current_user_name, "current_task_id",
task.id)
UserService.update(fields=({
User.recent_operation_time:
datetime.datetime.now()
}),
where=(User.user_name == current_user_name))
task_access_key = generate_access_key(
task.id, current_user_name).decode("utf-8")
TaskService.update(fields=({
Task.access_key: task_access_key
}),
where=(Task.id == task.id))
scan_celery.delay(post_data, task.id, current_user_name,
TaskStatus.WORKING)
return jsonify(status=200,
message="创建任务成功",
data={
"task_id": task.id,
"full_name": current_user["full_name"],
"create_time": get_current_time(),
"task_access_key": task_access_key
})
except Exception as e:
logger.exception("create_task exception")
return jsonify(status=500,
message="未知异常",
data={"extra_info": "创建任务时出现未知异常,请联系管理员查看异常日志"})
def testCommandExecuteTrafficMessage(self):
"""
测试命令执行
:return:
"""
from hunter_celery import scan_celery
from model.default_value import TaskStatus
num = 0
command_execute_raw_data = {
'type':
'main_frame',
'url':
'http://10.211.55.2:65412/?domain=1',
'method':
'get',
'headers':
'{"Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Accept-Encoding":"gzip, deflate","Accept-Language":"zh-CN,zh;q=0.9"}'
}
while num < 9:
task_id = 2
current_user_name = 'mingchen'
scan_celery.delay(command_execute_raw_data, task_id,
current_user_name, TaskStatus.DONE)
num += 1
def check_url(task_id, task_access_key):
"""
接收来自浏览器的流量,对流量进行解析分类之后,存放到redis中,支持多个用户同时协作对一个任务进行测试
:param task_id:
:param task_access_key:
:return:
"""
from common.config_util import get_system_config
try:
post_data = request.get_json(force=True)
current_user_name = session["user_name"]
if TaskService.count(where=(Task.id == task_id,
Task.access_key == task_access_key)) == 0:
return jsonify(status=403,
message="发送失败",
data={
"extra_info":
"taskid或者accesskey不正确,插件请同步一次最新任务",
"site":
get_system_config()['front_end']['index']
})
tasks = TaskService.get_fields_by_where(
where=(Task.id == task_id, Task.access_key == task_access_key))
if tasks[0].task_status in [TaskStatus.DONE, TaskStatus.KILLED]:
return jsonify(status=400,
message="发送失败",
data={
"extra_info": "该任务已经结束,客户端请重新同步或者创建最新任务",
"site":
get_system_config()['front_end']['index']
})
if post_data is not None and "data" in post_data and RedisService.create_urlclassifications(
task_id, post_data):
raw_request_data = post_data.get('data', '{}')
scan_celery.delay(raw_request_data, task_id, current_user_name,
TaskStatus.NONE)
return jsonify(status=200,
message="发送成功",
data={"extra_info": "发送到后端扫描引擎成功"})
return jsonify(status=200,
message="发送失败",
data={"extra_info": "发送到后端引擎的数据不符合格式或者已经发送过"})
except Exception as e:
logger.exception("check_url exception")
return jsonify(status=500,
message="未知异常",
data={"extra_info": "创建任务时出现未知异常,请联系管理员查看异常日志"})
def testPushRawTrafficMessageAndSendEmail(self):
"""
测试向消息队列中推送大量的流量数据,发现任务完成之后是否能发送邮件
:return:
"""
from hunter_celery import scan_celery
from model.default_value import TaskStatus
from model.task import Task, TaskService
from model.url import Url, UrlService
from model.vulnerability import Vulnerability, VulnerabilityService
task_id = 2563
current_user_name = 'mingchen'
scan_celery.delay(None, task_id, current_user_name, TaskStatus.WORKING)
num = 0
xssfork_raw_data = {
'type':
'main_frame',
'url':
'http://10.211.55.2:65412/?path=',
'method':
'get',
'headers':
'{"Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Accept-Encoding":"gzip, deflate","Accept-Language":"zh-CN,zh;q=0.9"}'
}
while num < 1:
current_user_name = 'mingchen'
scan_celery.delay(xssfork_raw_data, task_id, current_user_name,
TaskStatus.DONE)
num += 1
scan_celery.delay(None, task_id, current_user_name, TaskStatus.KILLED)
def request_handler(self, request, user_info):
"""
将请求发送到MQ中
:param request:
:return:
Simple example code:
print(request.body_arguments)
print(request.headers)
print(request.body)
print(request.cookies)
print(request.version)
print(request.protocol)
print(request.host_name)
print(request.uri)
print(request.method)
"""
if not user_info:
return
task_id = user_info.current_task_id
current_user_name = user_info.user_name
raw_request_data = self.wrap_request(request, user_info)
# 是否为满足条件的请求
current_task = RedisService.get_task(task_id)
if current_task and "hook_rule" in current_task:
# *.xx.com
hook_rule = str(current_task.hook_rule).replace("*", ".*")
if not str(raw_request_data["data"]
["url"]).startswith(hook_rule) and re.match(
r'' + hook_rule, raw_request_data["data"]["url"],
re.S) is None:
return
if RedisService.create_urlclassifications(task_id, raw_request_data):
logger.info("满足正则条件,发送流量到MQ中")
scan_celery.delay(raw_request_data["data"], task_id,
current_user_name, TaskStatus.NONE)
def testPushHunterRawTrafficMessage(self):
"""
测试向消息队列中推送大量的流量数据
:return:
"""
from hunter_celery import scan_celery
from model.default_value import TaskStatus
num = 0
post_data = {
"requestid":
"117723",
"type":
"main_frame",
"url":
"http://10.211.55.2:65412/?id=",
"method":
"get",
"parser":
"chrome-plugin",
"headers":
"{\"Upgrade-Insecure-Requests\":\"1\",\"User-Agent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.100 Safari/537.36\",\"Accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\",\"Referer\":\"http://10.211.55.2:65412/\",\"Accept-Encoding\":\"gzip, deflate\",\"Accept-Language\":\"zh-CN,zh;q=0.9\",\"Cookie\":\"session=eyJ1c2VyX25hbWUiOiJtaW5nY2hlbiJ9.EEysIw.e8YSvUTd3A51RNLuU2FymcJnjyY\"}"
}
weak_pass_wprd_raw_data = {
'type':
'main_frame',
'url':
'http://10.211.55.4/xml/example1.php?user=admin&password=123456',
'method':
'get',
'headers':
'{"Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Accept-Encoding":"gzip, deflate","Accept-Language":"zh-CN,zh;q=0.9"}'
}
sql_inject_raw_data = {
'type':
'main_frame',
'url':
'http://10.211.55.2:65412/?id=2',
'method':
'get',
'headers':
'{"Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","Accept-Encoding":"gzip, deflate","Accept-Language":"zh-CN,zh;q=0.9"}'
}
while num < 10:
task_id = 2
current_user_name = 'mingchen'
scan_celery.delay(sql_inject_raw_data, task_id, current_user_name,
TaskStatus.DONE)
num += 1
exit()
while num < 20000:
task_id = 3
current_user_name = 'test'
post_data["url"] = "http://10.211.55.2:65412/?id=" + str(num)
scan_celery.delay(post_data, task_id, current_user_name,
TaskStatus.DONE)
num += 1
def stop_task():
"""
关闭任务,关闭任务之后将用户任务信息进行持久化到数据库,包括结束任务时间
:return:
"""
post_data = request.get_json(force=True)
if json_utils.has_dict_value_blank(post_data, ["task_id"]):
return jsonify(status=400,
message="结束任务失败",
data={"extra_info": "task_id缺失,无法结束任务"})
post_task_id = int(post_data.get("task_id"))
current_user_name = session["user_name"]
try:
user = RedisService.get_user(current_user_name)
if UserTaskService.count(
where=(UserTask.user_id == user["id"],
UserTask.task_id == post_task_id)) == 0:
return jsonify(status=403,
message="结束任务失败",
data={"extra_info": "请勿尝试非法关闭非自己权限任务"})
task = TaskService.get_fields_by_where(
fields=(Task.task_status), where=(Task.id == post_task_id))[0]
if task.task_status in [TaskStatus.DONE, TaskStatus.KILLED]:
return jsonify(status=200,
message="结束任务成功",
data={
"fullname": user["full_name"],
"extra_info": "该任务早已经结束,请登录后台查看扫描结果",
"stop_time": get_current_time()
})
TaskService.update(fields=({
Task.task_status: TaskStatus.KILLED,
Task.killed_time: datetime.datetime.now()
}),
where=(Task.id == post_task_id))
UserService.update(fields=({
User.recent_operation_time:
datetime.datetime.now()
}),
where=(User.user_name == current_user_name))
scan_celery.delay(post_data, post_task_id, current_user_name,
TaskStatus.KILLED)
RedisService.stop_task(post_task_id)
RedisService.clean_urlclassifications(post_task_id)
return jsonify(status=200,
message="结束任务成功",
data={
"full_name":
user["full_name"],
"extra_info":
"请登录后台查看扫描结果",
"stop_time":
datetime.datetime.now().strftime("%Y-%m-%d %H:%M")
})
except Exception as e:
logger.exception("stop_task exception")
if isinstance(e, UserNotFoundInRedisException):
return jsonify(status=403,
message="结束任务失败",
data={
"extra_info": "认证失败,请重新登录进行授权",
"auth_site": ""
})
return jsonify(status=500,
message="未知异常",
data={"extra_info": "创建任务时出现未知异常,请联系管理员查看异常日志"})