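def SenFileScan(domain, url):
    r"""
    Sensitive file / directory scan.

    Word list: ``dict\SEN_scan.txt`` (read here from the Redis list ``"SenScan"``;
    the docstring is raw so the backslash is not an invalid escape sequence).
    Every entry is appended to ``url``, the candidates are passed to ``UrlRequest``
    on a thread pool, and each candidate ``UrlRequest`` kept is fetched again and
    compared with the site's own 404 page so soft-404 responses are not reported.

    :param domain: value stored as ``oldurl`` on every ``BugList`` row created.
    :param url: base URL the word-list entries are appended to.
    :return: newline-terminated string of reported candidate URLs, ``""`` if none.
    """
    pools = 20
    # One lrange round trip instead of one lindex call per list element.
    urlList = ["{}/{}".format(url, suffix) for suffix in redispool.lrange("SenScan", 0, -1)]
    pool = ThreadPool(pools)
    try:
        SenFileMessage = pool.map(UrlRequest, urlList)
    finally:
        # Always release the worker threads, even if a worker raised.
        pool.close()
        pool.join()
    # Sample the site's 404 page with a path that should not exist, so that a
    # soft-404 (error page served with a 2xx status) does not match every candidate.
    # verify=False disables TLS certificate checking, as in the original code.
    url404 = "{}/springbird404page".format(url)
    try:
        rep404 = requests.get(url404, headers=core.GetHeaders(), timeout=3, verify=False).text
    except Exception as e:
        print("超时")
        # Fall back to the error text; the similarity check below still runs.
        rep404 = str(e)
    found = []
    if SenFileMessage:
        with app.app_context():
            print("Sen file and dir : \n")
            # Named 'candidate' rather than reusing the 'url' parameter, which the
            # original loop shadowed.
            for candidate in SenFileMessage:
                if candidate is None:
                    continue
                try:
                    rep = requests.get(candidate, headers=core.GetHeaders(), timeout=1, verify=False)
                    # Skip pages that look like the 404 page to keep the output clean.
                    if not core.is_similar_page(rep404, rep.text, radio=0.85):
                        print(candidate)
                        bug = BugList(oldurl=domain, bugurl=candidate, bugname="SenDir",
                                      buggrade=redispool.hget('bugtype', "SenDir"),
                                      payload=candidate, bugdetail=rep.text)
                        found.append(candidate)
                        redispool.pfadd(redispool.hget('bugtype', "SenDir"), candidate)
                        redispool.pfadd("SenDir", candidate)
                        db.session.add(bug)
                except Exception:
                    # Best effort per candidate: a timeout or a DB error on one URL
                    # must not abort the rest of the scan.
                    continue
            db.session.commit()
    # Built with join instead of repeated += (which is quadratic); same
    # "url\n" per entry format as before.
    return "".join(u + "\n" for u in found)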
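def SenFileScan(domain, redispool):
    r"""
    Sensitive file / directory scan.

    Word list: ``dict\SEN_scan.txt`` (read here from the Redis list ``"SenScan"``;
    the docstring is raw so the backslash is not an invalid escape sequence).
    Every entry is appended to ``http://<domain>/``, the candidates are passed to
    ``UrlRequest`` on a thread pool, and each candidate it kept is fetched again
    and recorded as a ``BugList`` row.

    :param domain: host the word-list entries are appended to; also stored as
                   ``oldurl`` on every ``BugList`` row.
    :param redispool: Redis client holding the ``"SenScan"`` list and the
                      ``"bugtype"`` hash.
    :return: newline-joined string of the truthy values ``UrlRequest`` returned.
    """
    pools = 20
    # One lrange round trip instead of one lindex call per list element.
    urlList = ["http://{}/{}".format(domain, suffix) for suffix in redispool.lrange("SenScan", 0, -1)]
    pool = ThreadPool(pools)
    try:
        SenFileMessage = pool.map(UrlRequest, urlList)
    finally:
        # Always release the worker threads, even if a worker raised.
        pool.close()
        pool.join()
    # UrlRequest returns a falsy value for candidates it rejected; drop them once,
    # up front, instead of letting requests.get(None) raise and be printed below.
    hits = [u for u in SenFileMessage if u]
    if hits:
        with app.app_context():
            for url in hits:
                try:
                    # verify=False disables TLS certificate checking, as in the original code.
                    rep = requests.get(url, headers=core.GetHeaders(), timeout=3, verify=False)
                    bug = BugList(oldurl=domain, bugurl=url, bugname="SenDir",
                                  buggrade=redispool.hget('bugtype', "SenDir"),
                                  payload=url, bugdetail=rep.text)
                    db.session.add(bug)
                except Exception as e:
                    # Best effort per candidate: report and carry on with the rest.
                    print(e)
            db.session.commit()
    return "\n".join(hits)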
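def SubDomainBurst(true_domain, redispool):
    """
    Sub-domain enumeration from a word list.

    Each entry of the Redis list ``"SubScan"`` is prefixed to ``true_domain`` to
    form ``http://<entry>.<true_domain>``; every URL is passed to ``UrlRequest``
    on a thread pool and the truthy results are returned one per line.
    What ``UrlRequest`` treats as a hit (the original docstring mentions a 200
    status) is decided in that function, not here.

    :param true_domain: base domain the word-list entries are prefixed to.
    :param redispool: Redis client holding the ``"SubScan"`` list.
    :return: newline-joined string of the truthy values ``UrlRequest`` returned,
             ``""`` if there were none.
    """
    pools = 20
    # One lrange round trip instead of one lindex call per list element.
    urlList = ["http://{}.{}".format(prefix, true_domain) for prefix in redispool.lrange("SubScan", 0, -1)]
    pool = ThreadPool(pools)
    try:
        SubDomain = pool.map(UrlRequest, urlList)
    finally:
        # Always release the worker threads, even if a worker raised.
        pool.close()
        pool.join()
    # join accepts the filter iterator directly; the list() wrapper was redundant.
    return "\n".join(filter(None, SubDomain))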
def GetXSS(url):
    """
    Check whether a stored payload from the Redis list ``"XSSpayloads"`` is echoed
    back when appended to every query parameter of ``url``.

    Payloads are tried from the end of the list to the start; the first one whose
    text appears in the page returned by ``core.gethtml`` is reported.

    :param url: URL whose query string is probed; a URL with no query is skipped.
    :return: ``(True, probe_url, page_source)`` for the first reflected payload,
             otherwise ``(False, None, None)``.
    """
    base, _, _ = url.partition("?")
    params = urlparse.urlparse(url).query.split("&")
    # "".split("&") yields [""], which any() treats as "no parameters".
    if not any(params):
        return False, None, None
    last_index = redispool.llen("XSSpayloads") - 1
    for index in range(last_index, -1, -1):
        # NOTE(review): lindex returns bytes unless the client decodes responses;
        # string concatenation below assumes str — confirm against the Redis setup.
        payload = redispool.lindex("XSSpayloads", index)
        probe = "{}?{}".format(base, "&".join(p + payload for p in params))
        page = core.gethtml(probe)
        if payload in page:
            return True, probe, page
    return False, None, None
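def GetHeaders():
    """
    Return a request header dict with a User-Agent picked at random from the
    Redis list ``'useragents'``.

    :return: ``{'User-Agent': <entry>}``; the value is ``None`` when the list is
             empty (``lindex`` returned nothing in that case before as well).
    """
    count = redispool.llen('useragents')
    # random.randint is inclusive on both ends, so randint(0, count) could pick
    # index == count, one past the last element (lindex then returns None).
    # randrange(count) yields 0 .. count-1, which is always a valid index.
    useragent = redispool.lindex('useragents', random.randrange(count)) if count else None
    return {'User-Agent': useragent}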