def axfr(self, server): """ 执行域传送 :param server: 域名服务器 """ logger.log('DEBUG', f'尝试对{self.domain}的域名服务器{server}进行域传送') try: xfr = dns.query.xfr(where=server, zone=self.domain, timeout=5.0, lifetime=10.0) zone = dns.zone.from_xfr(xfr) except Exception as e: logger.log('DEBUG', e.args) logger.log('DEBUG', f'对{self.domain}的域名服务器{server}进行域传送失败') return names = zone.nodes.keys() for name in names: full_domain = str(name) + '.' + self.domain subdomain = utils.match_subdomain(self.domain, full_domain) self.subdomains = self.subdomains.union(subdomain) record = zone[name].to_text(name) self.results.append(record) if self.results: logger.log('DEBUG', f'发现{self.domain}在{server}上的域传送记录') logger.log('DEBUG', '\n'.join(self.results)) self.results = []
def check(self): """ 正则匹配域名的sitemap文件中的子域 """ urls = [ f'http://{self.domain}/sitemap.xml', f'https://{self.domain}/sitemap.xml', f'http://www.{self.domain}/sitemap.xml', f'https://www.{self.domain}/sitemap.xml', f'http://{self.domain}/sitemap.txt', f'https://{self.domain}/sitemap.txt', f'http://www.{self.domain}/sitemap.txt', f'https://www.{self.domain}/sitemap.txt', f'http://{self.domain}/sitemap.html', f'https://{self.domain}/sitemap.html', f'http://www.{self.domain}/sitemap.html', f'https://www.{self.domain}/sitemap.html', f'http://{self.domain}/sitemap_index.xml', f'https://{self.domain}/sitemap_index.xml', f'http://www.{self.domain}/sitemap_index.xml', f'https://www.{self.domain}/sitemap_index.xml' ] for url in urls: self.header = self.get_header() self.proxy = self.get_proxy(self.source) self.timeout = 10 response = self.get(url, check=False, allow_redirects=False) if not response: return if response and len(response.content): self.subdomains = utils.match_subdomain( self.domain, response.text)
def query(self): """ 向接口查询子域并做子域匹配 """ page_num = 1 while True: self.header = self.get_header() self.proxy = self.get_proxy(self.source) params = { 'domain': self.domain, 'api_token': self.token, 'page': page_num } resp = self.get(self.addr, params) if not resp: return json = resp.json() subdomains = utils.match_subdomain(self.domain, str(json)) if not subdomains: # 搜索没有发现子域名则停止搜索 break # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains) page_num += 1 # 默认每次查询最多返回30条 当前条数小于30条说明已经查完 if json.get('count') < 30: break
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.proxy = self.get_proxy(self.source) params = {'q': f'%.{self.domain}', 'output': 'json'} resp = self.get(self.addr, params) if not resp: return subdomains = utils.match_subdomain(self.domain, str(resp.json())) self.subdomains = self.subdomains.union(subdomains)
def check(self): """ 正则匹配响应头中的内容安全策略字段以发现子域名 """ if not self.csp_header: self.csp_header = self.grab_header() csp = self.header.get('Content-Security-Policy') if not self.csp_header: logger.log('DEBUG', f'获取{self.domain}域的请求头失败') return if not csp: logger.log('DEBUG', f'{self.domain}域的响应头不存在内容安全策略字段') return self.subdomains = utils.match_subdomain(self.domain, csp)
def query(self): """ 查询域名的TXT记录 :return: 查询结果 """ answer = utils.dns_query(self.domain, self.type) if answer is None: return None for item in answer: record = item.to_text() subdomains = utils.match_subdomain(self.domain, record) self.subdomains = self.subdomains.union(subdomains) self.gen_record(subdomains, record) return self.subdomains
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.proxy = self.get_proxy(self.source) url = f'http://rapiddns.io/subdomain/{self.domain}' params = {'full': '1'} resp = self.get(url, params) if not resp: return subdomains = utils.match_subdomain(self.domain, resp.text) # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains)
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.header.update({'X-API-Key': self.api}) self.proxy = self.get_proxy(self.source) url = f'{self.addr}*.{self.domain}' resp = self.get(url) if not resp: return subdomains = utils.match_subdomain(self.domain, resp.text) # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains)
def check(self): """ 获取域名证书并匹配证书中的子域名 """ try: ctx = ssl.create_default_context() sock = ctx.wrap_socket(socket.socket(), server_hostname=self.domain) sock.connect((self.domain, self.port)) cert_dict = sock.getpeercert() except Exception as e: logger.log('DEBUG', e.args) return subdomains = utils.match_subdomain(self.domain, str(cert_dict)) self.subdomains = self.subdomains.union(subdomains)
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.proxy = self.get_proxy(self.source) params = {'q': self.domain} resp = self.get(self.addr, params) if not resp: return if resp.status_code == 200: subdomains = utils.match_subdomain(self.domain, resp.text) if subdomains: # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains)
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.proxy = self.get_proxy(self.source) params = { 'fields': 'subjectDN', 'domain': self.domain, 'includeExpired': 'true' } resp = self.get(self.addr, params) if not resp: return subdomains = utils.match_subdomain(self.domain, str(resp.json())) self.subdomains = self.subdomains.union(subdomains)
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.proxy = self.get_proxy(self.source) # 绕过主页前端JS验证 self.cookie = {'pa_id': str(random.randint(0, 1000000000))} params = {'label': self.domain, 'date': 'ALL'} resp = self.get(self.addr, params) if not resp: return if resp.status_code == 200: subdomains = utils.match_subdomain(self.domain, resp.text) if subdomains: # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains)
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.proxy = self.get_proxy(self.source) params = { 'domain': self.domain, 'include_subdomains': 'true', 'expand': 'dns_names' } resp = self.get(self.addr, params) if not resp: return subdomains = utils.match_subdomain(self.domain, str(resp.json())) # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains)
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.proxy = self.get_proxy(self.source) params = { 'include_expired': 'true', 'include_subdomains': 'true', 'domain': self.domain } resp = self.get(self.addr, params) if not resp: return subdomains = utils.match_subdomain(self.domain, resp.text) # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains)
def check(self): """ 检查crossdomain.xml收集子域名 """ urls = [ f'http://{self.domain}/crossdomain.xml', f'https://{self.domain}/crossdomain.xml', f'http://www.{self.domain}/crossdomain.xml', f'https://www.{self.domain}/crossdomain.xml' ] for url in urls: self.header = self.get_header() self.proxy = self.get_proxy(self.source) response = self.get(url, check=False) if not response: return if response and len(response.content): self.subdomains = utils.match_subdomain( self.domain, response.text)
def check(self): """ 正则匹配域名的robots.txt文件中的子域 """ urls = [ f'http://{self.domain}/robots.txt', f'https://{self.domain}/robots.txt', f'http://www.{self.domain}/robots.txt', f'https://www.{self.domain}/robots.txt' ] for url in urls: self.header = self.get_header() self.proxy = self.get_proxy(self.source) response = self.get(url, check=False, allow_redirects=False) if not response: return if response and len(response.content): self.subdomains = utils.match_subdomain( self.domain, response.text)
def search(self): """ 向接口查询子域并做子域匹配 """ self.session.headers = self.get_header() self.session.proxies = self.get_proxy(self.source) self.session.verify = self.verify self.session.headers.update( {'Accept': 'application/vnd.github.v3.text-match+json'}) if not self.auth_github(): logger.log('ERROR', f'{self.source}模块登录失败') return page = 1 while True: params = {'q': self.domain, 'per_page': 100, 'page': page, 'sort': 'indexed'} try: resp = self.session.get(self.addr, params=params) except Exception as e: logger.log('ERROR', e.args) break if resp.status_code != 200: logger.log('ERROR', f'{self.source}模块搜索出错') break subdomains = match_subdomain(self.domain, resp.text) if not subdomains: break self.subdomains = self.subdomains.union(subdomains) page += 1 try: resp_json = resp.json() except Exception as e: logger.log('ERROR', e.args) break total_count = resp_json.get('total_count') if not isinstance(total_count, int): break if page * 100 > total_count: break if page * 100 > 1000: break
def brute(self): """ 枚举域名的SRV记录 """ self.gen_names() for i in range(self.thread_num): thread = BruteThread(self.names_que, self.answers_que) thread.daemon = True thread.start() self.names_que.join() while not self.answers_que.empty(): answer = self.answers_que.get() if answer is None: continue for item in answer: record = str(item) subdomains = utils.match_subdomain(self.domain, record) self.subdomains = self.subdomains.union(subdomains) self.gen_record(subdomains, record)
def query(self): """ 向接口查询子域并做子域匹配 """ self.header = self.get_header() self.header.update({'Referer': 'https://dnsdumpster.com'}) self.proxy = self.get_proxy(self.source) resp = self.get(self.addr) if not resp: return self.cookie = resp.cookies data = { 'csrfmiddlewaretoken': self.cookie.get('csrftoken'), 'targetip': self.domain } resp = self.post(self.addr, data) if not resp: return subdomains = utils.match_subdomain(self.domain, resp.text) if subdomains: # 合并搜索子域名搜索结果 self.subdomains = self.subdomains.union(subdomains)