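def hand_domain(self, serviceType):
    """Probe one web target, run the built-in info plugins, then any matching remote POCs.

    Args:
        serviceType: dict carrying the URL to scan under the ``"target"`` key.

    Returns:
        None. Everything is reported through ``collector``. If the initial
        request fails the target record is removed and the method returns early.
    """
    target = serviceType["target"]
    logger.info(target)
    # Register the target first so partial results have somewhere to go.
    collector.add_domain(target)

    # Initial request. verify=False deliberately accepts self-signed/invalid
    # certificates on scan targets; it also means the response may have been
    # altered in transit, so nothing below should treat the body as trusted.
    try:
        r = requests.get(target, timeout=30, verify=False, allow_redirects=False)
        collector.add_domain_info(target, {
            "headers": r.headers,
            "body": r.text,
            "status_code": r.status_code,
        })
    except Exception as e:
        logger.error("request url error:" + str(e))
        collector.del_domain(target)
        return
    logger.debug("target:{} over,start to scan".format(target))

    # Resolve the hostname to an IP. Best effort: a failed lookup is logged
    # instead of being swallowed by a bare except as before.
    hostname = urlparse(target).netloc.split(":")[0]
    if is_ip_address_format(hostname):
        collector.add_domain_info(target, {"ip": hostname})
    else:
        try:
            _ip = socket.gethostbyname(hostname)
        except (OSError, UnicodeError) as e:
            # socket.gaierror (an OSError) for unresolvable names;
            # UnicodeError when the label fails IDNA encoding.
            logger.debug("resolve {} failed:{}".format(hostname, str(e)))
        else:
            collector.add_domain_info(target, {"ip": _ip})

    # Built-in plugins; each one stores its findings through collector itself.
    work_list = [
        webeye.poc,
        webtitle.poc,
        wappalyzer.poc,
        password_found.poc,
    ]
    if IS_START_PLUGINS:
        work_list.extend([
            crossdomain.poc,
            directory_browse.poc,
            gitleak.poc,
            iis_parse.poc,
            phpinfo.poc,
            svnleak.poc,
            tomcat_leak.poc,
            whatcms.poc,
        ])
        # bakfile.poc is intentionally excluded: too slow.

    for func in work_list:
        try:
            func(target)
        except Exception as e:
            # Log the actual exception class. The original passed
            # repr(Exception) -- the base class itself -- so every entry read the same.
            logger.error("domain plugin threading error {}:{}".format(
                type(e).__name__, str(e)))
    logger.debug("target:{} End of scan".format(target))

    infos = collector.get_domain(target)
    _pocs = []
    temp = {}
    if IS_START_PLUGINS and "CMS" in infos:
        # Both original branches produced [infos["CMS"]]; an existing "app"
        # list is replaced, not extended. Kept as-is -- TODO confirm intent.
        temp["app"] = [infos["CMS"]]
        collector.add_domain_info(target, temp)

    if temp.get("app"):
        keywords = temp["app"]
        # Remote POC plugins, fetched and executed at runtime.
        # SECURITY: the source downloaded from poc["webfile"] is executed
        # in-process with no integrity or authenticity check, so the plugin
        # endpoint (and the path to it) is fully trusted by this scanner.
        # Flagged, not changed here: serve the manifest over verified HTTPS and
        # check a hash/signature before loading.
        pocs = load_remote_poc()
        for poc in pocs:
            for keyword in keywords:
                if poc["name"] != keyword:
                    continue
                webfile = poc["webfile"]
                logger.debug("load {0} poc:{1} poc_time:{2}".format(
                    poc["type"], webfile, poc["time"]))
                try:
                    # timeout added: the original fetch could hang indefinitely, and
                    # any error here propagated out before send_ok() was reached.
                    code = requests.get(webfile, timeout=30).text
                    obj = load_string_to_module(code, webfile)
                except Exception as e:
                    logger.error("load poc error:{} error:{}".format(webfile, str(e)))
                    continue
                _pocs.append(obj)

    # Run remote POCs concurrently. The context manager shuts the pool down;
    # the original never called executor.shutdown().
    if _pocs:
        with futures.ThreadPoolExecutor(len(_pocs)) as executor:
            fs = [executor.submit(f.poc, target) for f in _pocs]
            for f in futures.as_completed(fs):
                try:
                    res = f.result()
                except Exception as e:
                    res = None
                    logger.error("load poc error:{} error:{}".format(
                        target, str(e)))
                if res:
                    name = res.get("name") or "scan_" + str(time.time())
                    collector.add_domain_bug(target, {name: res})
    collector.send_ok(target)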
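def hand_domain(self, serviceType):
    """Probe one web target, run the built-in info plugins, then any matching remote POCs.

    This later definition shadows the earlier ``hand_domain`` in the file.

    Args:
        serviceType: dict carrying the URL to scan under the ``"target"`` key.

    Returns:
        None. Everything is reported through ``collector``. If the initial
        request fails the target record is removed and the method returns early.
    """
    target = serviceType["target"]
    logger.info(target)
    # Register the target first so partial results have somewhere to go.
    collector.add_domain(target)

    # Initial request. verify=False deliberately accepts self-signed/invalid
    # certificates on scan targets; it also means the response may have been
    # altered in transit, so nothing below should treat the body as trusted.
    try:
        r = requests.get(target, timeout=30, verify=False, allow_redirects=False)
        collector.add_domain_info(target, {
            "headers": r.headers,
            "body": r.text,
            "status_code": r.status_code,
        })
    except Exception as e:
        logger.error("request url error:" + str(e))
        collector.del_domain(target)
        return
    logger.debug("target:{} over,start to scan".format(target))

    # Resolve the hostname to an IP. Best effort: a failed lookup is logged
    # instead of being swallowed by a bare except as before.
    hostname = urlparse(target).netloc.split(":")[0]
    if is_ip_address_format(hostname):
        collector.add_domain_info(target, {"ip": hostname})
    else:
        try:
            _ip = socket.gethostbyname(hostname)
        except (OSError, UnicodeError) as e:
            # socket.gaierror (an OSError) for unresolvable names;
            # UnicodeError when the label fails IDNA encoding.
            logger.debug("resolve {} failed:{}".format(hostname, str(e)))
        else:
            collector.add_domain_info(target, {"ip": _ip})

    # Which built-in POCs run against the target. Each stores its own
    # findings through collector. password_found, directory_browse and
    # whatcms are disabled in this revision.
    work_list = [webeye.poc, webtitle.poc, wappalyzer.poc]
    if IS_START_PLUGINS:
        pass  # NOTE(review): no-op here; the plugins below are added regardless of the flag.
    work_list.extend([
        crossdomain.poc,
        gitleak.poc,
        iis_parse.poc,
        phpinfo.poc,
        svnleak.poc,
        tomcat_leak.poc,
    ])

    for func in work_list:
        try:
            func(target)
        except Exception as e:
            # Log the actual exception class. The original passed
            # repr(Exception) -- the base class itself -- so every entry read the same.
            logger.error("domain plugin threading error {}:{}".format(
                type(e).__name__, str(e)))
    logger.debug("target:{} End of scan".format(target))
    collector.print_domains()

    infos = collector.get_domain(target)
    _pocs = []
    temp = {}
    if IS_START_PLUGINS and "CMS" in infos:
        # Both original branches produced [infos["CMS"]]; an existing "app"
        # list is replaced, not extended. Kept as-is -- TODO confirm intent.
        temp["app"] = [infos["CMS"]]
        collector.add_domain_info(target, temp)

    if temp.get("app"):
        keywords = temp["app"]
        # Remote POC plugins, fetched and executed at runtime.
        # SECURITY: the source downloaded from poc["webfile"] is executed
        # in-process with no integrity or authenticity check, so the plugin
        # endpoint (and the path to it) is fully trusted by this scanner.
        # Flagged, not changed here: serve the manifest over verified HTTPS and
        # check a hash/signature before loading.
        pocs = load_remote_poc()
        for poc in pocs:
            for keyword in keywords:
                # Name match restored (present in the earlier definition of this
                # method); without it every remote module was fetched and loaded
                # once per keyword regardless of the detected CMS.
                if poc["name"] != keyword:
                    continue
                webfile = poc["webfile"]
                logger.debug("load {0} poc:{1} poc_time:{2}".format(
                    poc["type"], webfile, poc["time"]))
                try:
                    # Fetch the remote source and turn it into a module object.
                    # timeout added: the original fetch could hang indefinitely, and
                    # any error here propagated out before send_ok() was reached.
                    code = requests.get(webfile, timeout=30).text
                    obj = load_string_to_moudle(code, webfile)
                except Exception as e:
                    logger.error("load poc error:{} error:{}".format(webfile, str(e)))
                    continue
                _pocs.append(obj)

    # Run remote POCs concurrently; submit() returns a Future per plugin.
    # The context manager shuts the pool down (the original never did).
    if _pocs:
        with futures.ThreadPoolExecutor(len(_pocs)) as executor:
            fs = [executor.submit(f.poc, target) for f in _pocs]
            for f in futures.as_completed(fs):
                try:
                    res = f.result()
                except Exception as e:
                    res = None
                    logger.error("load poc error:{} error:{}".format(
                        target, str(e)))
                if res:
                    name = res.get("name") or "scan_" + str(time.time())
                    collector.add_domain_bug(target, {name: res})
    # Results gathered from the asynchronously run plugins are sent back via collector.
    collector.send_ok(target)
    print("print collector")
    print(collector.collect_domains)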