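def do_check(self, url):
    """Probe MongoDB for unauthenticated access.

    Runs only for the site root.  The target port is ``self.port`` when the
    user explicitly supplied a ``mongodb://`` target on a non-standard port,
    otherwise 27017 (and only when that port was found open).  A successful
    ``listDatabases`` without credentials is reported together with the
    database names; any connection/auth error is treated as "no finding".
    """
    if url != '/':
        return
    port = 27017
    if self.scheme == 'mongodb' and self.port != 27017:  # non-standard port supplied by the user
        port = self.port
    elif 27017 not in self.ports_open:
        return
    conn = None
    try:
        # serverSelectionTimeoutMS bounds the wait inside list_database_names();
        # connect/socket timeouts alone leave pymongo's 30 s server-selection default in place.
        conn = pymongo.MongoClient(host=self.host, port=port,
                                   connectTimeoutMS=5000, socketTimeoutMS=5000,
                                   serverSelectionTimeoutMS=5000)
        database_list = conn.list_database_names()
        if not database_list:
            return
        detail = "%s MongoDB Unauthorized Access : %s" % (self.host, ",".join(database_list))
        save_script_result(self, '', 'mongodb://%s:%s' % (self.host, port), detail)
    except Exception:
        # Best-effort probe: refused connection, auth required or timeout all mean "not vulnerable".
        pass
    finally:
        # The original only closed the client on the two success paths; an exception leaked it.
        if conn is not None:
            conn.close()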
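def do_check(self, url):
    """Look for downloadable archive / dump files named after the host or folder.

    For the site root, tries ``/<host><ext>`` and ``/<domain_sub><ext>``; for a
    sub-folder ``/aaa/bbb/`` tries ``/aaa/bbb<ext>``.  ``self.http_request`` is
    assumed to send a Range header, which is why a real file answers 206.
    """
    if not self.session:
        return
    extensions = ['.zip', '.rar', '.tar.gz', '.tar.bz2', '.tgz', '.7z', '.log', '.sql']
    if url == '/' and self.domain_sub:
        file_names = [self.host.split(':')[0], self.domain_sub]
        for name in file_names:
            for ext in extensions:
                target = '/' + name + ext
                status, headers, html_doc = self.http_request(target)
                content_type = headers.get('content-type', '')
                looks_like_file = status == 206 and \
                    (self._404_status == 404 or content_type.find('application/') >= 0)
                # The original condition parsed as `A and B or C`, so the "CREATE TABLE" match
                # fired on any status -- including the 404 page itself.  Require a real response.
                looks_like_dump = ext == '.sql' and status in (200, 206) and \
                    html_doc.find("CREATE TABLE") >= 0
                if looks_like_file or looks_like_dump:
                    save_script_result(self, status, self.base_url + target, '', 'Compressed File')
    elif url != '/':
        # sub folders like /aaa/bbb/  ->  probe /aaa/bbb.zip, /aaa/bbb.rar, ...
        folder_name = url.split('/')[-2]
        if len(folder_name) >= 4:  # very short names produce too many false hits
            url_prefix = url[:-len(folder_name) - 1]
            for ext in extensions:
                target = url_prefix + folder_name + ext
                status, headers, html_doc = self.http_request(target)
                if status == 206 and headers.get('content-type', '').find('application/') >= 0:
                    save_script_result(self, status, self.base_url + target, '', 'Compressed File')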
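def do_check(self, url):
    """Probe a Docker Registry HTTP API for an unauthenticated catalog listing.

    Tries ``/v2/_catalog`` first, then the legacy ``/v1/_catalog``.  Only the
    site root triggers the check; the port is ``self.port`` for an explicit
    ``docker api`` target on a non-standard port, otherwise 30000 (when open).
    """
    if url != '/':
        return
    port = 30000
    if self.scheme == 'docker api' and self.port != 30000:  # non-standard port supplied by the user
        port = self.port
    elif 30000 not in self.ports_open:
        return
    for path in ('/v2/_catalog', '/v1/_catalog'):
        target = 'http://%s:%s%s' % (self.host, port, path)
        try:
            r = requests.get(target, timeout=5, verify=False)
            # Parse the JSON instead of substring-matching r.text: an error/login page that
            # merely mentions "repositories" must not be reported as an open registry.
            body = r.json()
            if isinstance(body, dict) and "repositories" in body:
                save_script_result(self, '', target, 'docker registry api Unauthorized Accesss')
                return
        except Exception:
            # Connection error or non-JSON answer: fall through to the next API version.
            pass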
def do_check(self, url):
    """Discuz! checks: leaked config backups and the getcolor DOM XSS page.

    Only runs against the site root when the index response looks like Discuz
    (301 to ``forum.php`` or a ``*_saltkey`` cookie visible in the headers).
    """
    if url != '/' or not self.session:
        return
    redirects_to_forum = self.index_status == 301 and \
        self.index_headers.get('location', '').find('forum.php') >= 0
    has_saltkey_cookie = str(self.index_headers).find('_saltkey=') > 0
    if not (redirects_to_forum or has_saltkey_cookie):
        return
    backup_paths = (
        '/config/config_ucenter.php.bak',
        '/config/.config_ucenter.php.swp',
        '/config/.config_global.php.swp',
        '/config/config_global.php.1',
        '/uc_server/data/config.inc.php.bak',
        '/config/config_global.php.bak',
        '/include/config.inc.php.tmp',
    )
    for path in backup_paths:
        status, headers, html_doc = self.http_request(path)
        # A backup that is served (not executed) still contains raw PHP source.
        if status in (200, 206) and html_doc.find('<?php') >= 0:
            save_script_result(self, status, self.base_url + path, 'Discuz Backup File Found')
    # getcolor DOM XSS: the vulnerable page eval()s its `fun` parameter.
    xss_path = '/static/image/admincp/getcolor.htm'
    status, headers, html_doc = self.http_request(xss_path)
    if html_doc.find("if(fun) eval('parent.'+fun+'") > 0:
        save_script_result(self, status, self.base_url + xss_path, '', 'Discuz getcolor DOM XSS')
def do_check(self, url):
    """Report an index page whose 301/302 Location points at an admin/login area."""
    if url != '/' or not self.session:
        return
    if self.index_status not in (301, 302):
        return
    location = self.index_headers.get('location', '')
    admin_keywords = ('admin', 'login', 'manage', 'backend')
    # One report per site, however many keywords match.
    if any(location.find(keyword) >= 0 for keyword in admin_keywords):
        save_script_result(self, self.index_status, self.base_url + '/', 'Admin Site')
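def do_check(self, url):
    """Detect Outlook Web App / Exchange Web Services on the target host.

    Three signals are accepted: the index page redirecting to ``https://host/owa``;
    ``/ews/`` redirecting to its HTTPS counterpart (confirmed by a 401 on the
    HTTPS side, or the malformed double-scheme redirect some IIS hosts emit);
    or ``/ews/`` answering 401 directly from IIS.
    """
    if url != '/' or not self.session:
        return
    owa_redirect = 'https://%s/owa' % self.host
    if self.index_status == 302 and self.index_headers.get('location', '').lower() == owa_redirect:
        save_script_result(self, 302, 'https://%s' % self.host, 'OutLook Web APP Found')
        return
    status, headers, html_doc = self.http_request('/ews/')
    if status == 302:
        redirect_url = headers.get('location', '')
        # Malformed redirect (scheme+host concatenated twice) seen on some IIS front ends.
        if redirect_url == 'https://%shttp://%s/ews/' % (self.host, self.host):
            save_script_result(self, 302, 'https://%s' % self.host, 'OutLook Web APP Found')
            return
        if redirect_url == 'https://%s/ews/' % self.host:
            conn = None
            try:
                # Bound the HEAD probe: HTTPSConnection has no default timeout and could hang the scan.
                # NOTE(review): this still verifies the TLS certificate, so a self-signed OWA front
                # end fails here silently -- confirm whether that is the intended behaviour.
                conn = http.client.HTTPSConnection(self.host, timeout=5)
                conn.request('HEAD', '/ews')
                if conn.getresponse().status == 401:
                    save_script_result(self, 401, redirect_url, 'OutLook Web APP Found')
            except Exception:
                pass
            finally:
                # The original closed the connection only on the 401 path.
                if conn is not None:
                    conn.close()
            return
    elif status == 401:
        if headers.get('Server', '').find('Microsoft-IIS') >= 0:
            save_script_result(self, 401, self.base_url + '/ews/', 'OutLook Web APP Found')
            return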
def do_check(self, url):
    """WordPress: probe for leftover copies of wp-config.php.

    Triggered on the site root when the index HTML references
    ``/wp-content/themes/``.  A hit is a 200/206 whose body still contains
    ``<?php`` (the server hands out source instead of executing it).
    """
    if url != '/' or not self.session:
        return
    if self.index_html_doc.find('/wp-content/themes/') < 0:
        return
    candidate_paths = (
        '/wp-config.php.inc',
        '/wp-config.inc',
        '/wp-config.bak',
        '/wp-config.php~',
        '/.wp-config.php.swp',
        '/wp-config.php.bak',
    )
    for path in candidate_paths:
        status, headers, html_doc = self.http_request(path)
        if status in (200, 206) and html_doc.find('<?php') >= 0:
            save_script_result(self, status, self.base_url + path, '', 'WordPress Backup File Found')
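def do_check(self, url):
    """Check whether the Jenkins ``/systemInfo`` page is readable without login.

    Runs for the site root only; port is ``self.port`` for an explicit
    ``jenkins`` target on a non-standard port, otherwise 8080 when open.
    """
    if url != '/':
        return
    port = 8080
    if self.scheme == 'jenkins' and self.port != 8080:  # non-standard port supplied by the user
        port = self.port
    elif 8080 not in self.ports_open:
        return
    target = 'http://%s:%s/systemInfo' % (self.host, port)
    try:
        r = requests.get(target, timeout=5)
        # r.text honours the response charset; `r.content.decode()` raised UnicodeDecodeError
        # on non-UTF-8 bodies and the finding was silently swallowed below.
        body = r.text
        if 'jenkins.war' in body and 'JENKINS_HOME' in body:
            save_script_result(self, '', target, 'jenkins Unauthorized Accesss')
    except Exception:
        pass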
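def do_check(self, url):
    """Try a MySQL login with an empty password.

    ``user`` is redacted in this listing ('******'); keep whatever the deployed
    script uses.  The previous version computed ``port`` but never passed it to
    ``pymysql.connect``, so a non-standard port was never actually tested --
    the probe always went to 3306.
    """
    if url != '/':
        return
    port = 3306
    if self.scheme == 'mysql' and self.port != 3306:  # non-standard port supplied by the user
        port = self.port
    elif 3306 not in self.ports_open:
        return
    try:
        # connect_timeout keeps the probe bounded like the other 5 s checks in this set.
        conn = pymysql.connect(host=self.host, port=port, user='******', password='',
                               charset='utf8', autocommit=True, connect_timeout=5)
        conn.close()
        save_script_result(self, '', 'mysql://%s:%s' % (self.host, port), '', 'Mysql empty password')
    except Exception:
        # Access denied / refused / timeout: nothing to report.
        pass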
def do_check(self, url):
    """Hadoop NameNode web UI (``dfshealth.html``) reachable without authentication.

    Site root only; port is ``self.port`` for an explicit ``Hadoop`` target on
    a non-standard port, otherwise 50070 when open.
    """
    if url != '/':
        return
    port = 50070
    if self.scheme == 'Hadoop' and self.port != 50070:  # user supplied a non-standard port
        port = self.port
    elif 50070 not in self.ports_open:
        return
    target = 'http://%s:%s/dfshealth.html' % (self.host, port)
    try:
        resp = requests.get(target, timeout=5, verify=False, headers=default_headers)
        if 'hadoop.css' in resp.content.decode():
            save_script_result(self, '', target, 'Hadoop Unauthorized Accesss')
    except Exception:
        pass
def do_check(self, url):
    """Docker Engine remote API answering ``/version`` without authentication.

    Site root only; port is ``self.port`` for an explicit ``docker api`` target
    on a non-standard port, otherwise 2375 when open.
    """
    if url != '/':
        return
    port = 2375
    if self.scheme == 'docker api' and self.port != 2375:  # user supplied a non-standard port
        port = self.port
    elif 2375 not in self.ports_open:
        return
    target = 'http://%s:%s/version' % (self.host, port)
    try:
        resp = requests.get(target, timeout=5, verify=False, headers=default_headers)
        # The version document of an open daemon carries an "ApiVersion" field.
        if 'ApiVersion' in resp.content.decode():
            save_script_result(self, '', target, 'docker api Unauthorized Accesss')
    except Exception:
        pass
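def do_check(self, url):
    """Test for FTP anonymous login.

    Site root only; port is ``self.port`` for an explicit ``ftp`` target on a
    non-standard port, otherwise 21 when open.  Any failure (refused, auth
    rejected, timeout) is treated as "no finding".
    """
    if url != '/':
        return
    port = 21
    if self.scheme == 'ftp' and self.port != 21:  # non-standard port supplied by the user
        port = self.port
    elif 21 not in self.ports_open:
        return
    ftp = ftplib.FTP()
    try:
        ftp.connect(self.host, port, timeout=5)
        ftp.login('anonymous', 'Aa@12345678')
        save_script_result(self, '', 'ftp://%s:%s/' % (self.host, port), 'FTP Unauthorized Accesss')
    except Exception:
        pass
    finally:
        # The original never closed the control connection, on success or failure.
        ftp.close()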
def do_check(self, url):
    """CouchDB web console (``/_utils/``) reachable on the target.

    NOTE(review): the logo marker only shows the UI is served; it does not by
    itself prove that the database API answers without credentials -- confirm
    with an authenticated-only endpoint before treating this as unauth access.
    """
    if url != '/':
        return
    port = 5984
    if self.scheme == 'CouchDB' and self.port != 5984:  # user supplied a non-standard port
        port = self.port
    elif 5984 not in self.ports_open:
        return
    target = 'http://%s:%s/_utils/' % (self.host, port)
    try:
        resp = requests.get(target, timeout=5, verify=False, headers=default_headers)
        if 'couchdb-logo' in resp.content.decode():
            save_script_result(self, '', target, 'CouchDB Unauthorized Accesss')
    except Exception:
        pass
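def do_check(self, url):
    """Try a PostgreSQL login with an empty password.

    ``user`` is redacted in this listing ('******'); keep whatever the deployed
    script uses.  Fixes vs. the previous version: the connection was never
    closed, no connect timeout was set (psycopg2 can block indefinitely), and
    the finding was reported under a ``mysql://`` URL.
    """
    if url != '/':
        return
    port = 5432
    if self.scheme == 'PostgreSQL' and self.port != 5432:  # non-standard port supplied by the user
        port = self.port
    elif 5432 not in self.ports_open:
        return
    try:
        conn = psycopg2.connect(database="postgres", user="******", password="",
                                host=self.host, port=port, connect_timeout=5)
        conn.close()
        save_script_result(self, '', 'postgresql://%s:%s' % (self.host, port), '',
                           'PostgreSQL empty password')
    except Exception:
        # Auth failure / refused / timeout: nothing to report.
        pass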
def do_check(self, url):
    """Hadoop YARN ResourceManager REST API (``/ws/v1/cluster/info``) open to anyone.

    Site root only; port is ``self.port`` for an explicit ``Hadoop yarn``
    target on a non-standard port, otherwise 8088 when open.
    """
    if url != '/':
        return
    port = 8088
    if self.scheme == 'Hadoop yarn' and self.port != 8088:  # user supplied a non-standard port
        port = self.port
    elif 8088 not in self.ports_open:
        return
    target = 'http://%s:%s/ws/v1/cluster/info' % (self.host, port)
    try:
        body = requests.get(target, timeout=5, verify=False, headers=default_headers).content.decode()
        markers = ('resourceManagerVersionBuiltOn', 'hadoopVersion')
        if any(marker in body for marker in markers):
            save_script_result(self, '', target, 'Hadoop yarn Unauthorized Accesss')
    except Exception:
        pass
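def do_check(self, url):
    """Check for an rsync daemon banner on the target.

    NOTE(review): a ``@RSYNCD`` banner proves only that an rsync daemon is
    listening; it does not show that modules can be listed or read without
    authentication.  Confirm with a module listing before relying on the
    "Unauthorized Access" label.
    """
    if url != '/':
        return
    port = 873
    # A user-supplied rsync:// target on a non-standard port skips the open-port check.
    if self.scheme == 'rsync' and self.port != 873:
        port = self.port
    elif 873 not in self.ports_open:
        return
    try:
        # NOTE: process-global default, kept for parity with the sibling probes in this set.
        socket.setdefaulttimeout(5)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((self.host, port))
            # The daemon speaks first; the original's send(b"") was a no-op.
            banner = s.recv(1024).decode()
        if "RSYNCD" in banner:
            save_script_result(self, '', 'rsync://%s:%s' % (self.host, port), 'Rsync Unauthorized Access')
    except Exception:
        # The original `except: s.close()` raised NameError if socket() itself failed and
        # leaked the socket on the success path; `with` closes it on every path.
        pass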
def do_check(self, url):
    """Kong Admin API detection via the ``Server: kong/...`` response header.

    The current HTTP target is checked first through the pooled session; then,
    unless that target already is port 8001, a separate request goes to the
    default admin port when the port scan found it open.
    """
    if url != '/':
        return

    def _served_by_kong(hdrs):
        return hdrs.get('Server', '').startswith('kong/')

    if self.session and _served_by_kong(self.index_headers):
        save_script_result(self, '200', self.base_url, 'Kong Admin Rest API')
    if self.port == 8001:
        # Already covered by the request above.
        return
    if 8001 not in self.ports_open:
        return
    # Non-standard HTTP target: probe the default admin port on its own.
    admin_base = 'http://%s:8001' % self.host
    status, headers, html_doc = self.http_request(admin_base + '/')
    if _served_by_kong(headers):
        save_script_result(self, status, admin_base, 'Kong Admin Rest API')
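def do_check(self, url):
    """Memcached answering ``stats`` without authentication.

    Site root only; port is ``self.port`` for an explicit ``memcached`` target
    on a non-standard port, otherwise 11211 when open.
    """
    if url != '/':
        return
    port = 11211
    if self.scheme == 'memcached' and self.port != 11211:  # non-standard port supplied by the user
        port = self.port
    elif 11211 not in self.ports_open:
        return
    try:
        # NOTE: process-global default, kept for parity with the sibling probes in this set.
        socket.setdefaulttimeout(5)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((self.host, port))
            s.send(bytes('stats\r\n', 'UTF-8'))
            reply = s.recv(1024).decode()
        if 'version' in reply:
            save_script_result(self, '', 'memcached://%s:%s' % (self.host, port), 'Memcached Unauthorized Accesss')
    except Exception:
        # The original `finally: s.close()` raised NameError when socket() itself failed
        # (s unbound) and double-closed on success; `with` handles every path once.
        pass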
def do_check(self, url):
    """Redis answering ``INFO`` without authentication.

    Site root only.  A user-supplied ``redis://host:port`` target on a
    non-standard port is probed directly; otherwise 6379 is used when open.
    NOTE(review): a Redis running in protected mode replies with an error
    rather than the INFO body, so it is correctly not reported here.
    """
    if url != '/':
        return
    port = 6379
    if self.scheme == 'redis' and self.port != 6379:
        port = self.port
    elif 6379 not in self.ports_open:
        return
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3)
    try:
        with sock:
            sock.connect((self.host, port))
            sock.send(bytes("INFO\r\n", 'UTF-8'))
            reply = sock.recv(1024).decode()
        if "redis_version" in reply:
            save_script_result(self, '', 'redis://%s:%s' % (self.host, port), 'Redis Unauthorized Access')
    except Exception:
        pass
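def do_check(self, url):
    """ZooKeeper: does the ``envi`` four-letter command answer without auth?

    The previous version compared ``self.scheme`` against ``' zookeeper'`` (with
    a leading space), so an explicit ``zookeeper://host:port`` target on a
    non-standard port could never take that branch.
    NOTE(review): newer ZooKeeper releases gate four-letter words behind a
    whitelist; a negative result may mean the command is disabled rather
    than that authentication is enforced -- confirm before concluding.
    """
    if url != '/':
        return
    port = 2181
    if self.scheme == 'zookeeper' and self.port != 2181:  # non-standard port supplied by the user
        port = self.port
    elif 2181 not in self.ports_open:
        return
    try:
        # NOTE: process-global default, kept for parity with the sibling probes in this set.
        socket.setdefaulttimeout(5)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.connect((self.host, port))
            s.send(bytes('envi', 'UTF-8'))
            reply = s.recv(1024).decode()
        if 'Environment' in reply:
            save_script_result(self, '', 'zookeeper://%s:%s' % (self.host, port), '', 'Zookeeper Unauthorized Access')
    except Exception:
        # The original `finally: s.close()` raised NameError when socket() itself failed.
        pass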
def do_check(self, url):
    """Probe the well-known folder names in the module-level ``folders`` string.

    Skipped unless this is the site root with a live session and the 404
    baseline is not itself a 301 (which would make every folder look real).
    A redirect into ``<name>/`` marks an existing folder, which is queued and
    crawled rather than reported; a 206 (when 206 is not the 404 baseline) is
    reported as a possible sensitive file.
    """
    if url != '/' or not self.session or self._404_status == 301:
        return
    for path in folders.split():
        if not path:
            continue
        status, headers, html_doc = self.http_request(path)
        if status in (301, 302):
            location = headers.get('location', '')
            if location.startswith((self.base_url + path + '/', path + '/')):
                self.enqueue(path + '/')
                self.crawl(path + '/')
        if status == 206 and self._404_status != 206:
            save_script_result(self, status, self.base_url + path, '', 'Possible Sensitive File Found')
def do_check(self, url):
    """Hunt for exposed log directories and log files.

    1. Probe ``/log``, ``/logs``, ...: a redirect into the folder marks it as
       existing (queued and crawled); a 206 is reported as a log file.
    2. In the root and each discovered folder, probe common log names and log
       archives; a 206 counts when the 404 baseline is 404 or the content type
       is ``application/*``.
    3. Same places, ``log.txt`` / ``logs.txt`` when served as ``text/plain``.
    """
    if url != '/' or not self.session:
        return
    log_dirs = ['']  # '' stands for the site root; discovered folders are appended
    for name in ('log', 'logs', '_log', '_logs', 'accesslog', 'errorlog'):
        status, headers, html_doc = self.http_request('/' + name)
        if status in (301, 302):
            location = headers.get('location', '')
            if location.startswith((self.base_url + '/' + name + '/', '/' + name + '/')):
                log_dirs.append(name)
                # NOTE(review): enqueue() receives the bare name while crawl() gets '/name/';
                # sibling scripts pass the slashed path to both -- confirm what enqueue expects.
                self.enqueue(name)
                self.crawl('/' + name + '/')
        if status == 206 and self._404_status != 206:
            save_script_result(self, status, self.base_url + '/' + name, '', 'Log File Found')

    log_names = (
        'access.log', 'www.log', 'error.log', 'log.log', 'sql.log', 'errors.log',
        'debug.log', 'db.log', 'install.log', 'server.log', 'sqlnet.log', 'WS_FTP.log',
        'database.log', 'data.log', 'app.log',
        'log.tar.gz', 'log.rar', 'log.zip', 'log.tgz', 'log.tar.bz2', 'log.7z',
    )
    for folder in log_dirs:
        prefix = ('/' + folder) if folder else ''
        for name in log_names:
            target = prefix + '/' + name
            status, headers, html_doc = self.http_request(target)
            served_as_file = self._404_status == 404 or \
                headers.get('content-type', '').find('application/') >= 0
            if status == 206 and served_as_file:
                save_script_result(self, status, self.base_url + target, '', 'Log File')

    for folder in log_dirs:
        prefix = ('/' + folder) if folder else ''
        for name in ('log.txt', 'logs.txt'):
            target = prefix + '/' + name
            status, headers, html_doc = self.http_request(target)
            if status == 206 and headers.get('content-type', '').find('text/plain') >= 0:
                save_script_result(self, status, self.base_url + target, '', 'Log File')