コード例 #1
0
    def hand_domain(self, serviceType):
        target = serviceType["target"]
        logger.info(target)
        # 添加这条记录
        collector.add_domain(target)
        # 发起请求
        try:
            r = requests.get(target,
                             timeout=30,
                             verify=False,
                             allow_redirects=False)
            collector.add_domain_info(target, {
                "headers": r.headers,
                "body": r.text,
                "status_code": r.status_code
            })
        except Exception as e:
            logger.error("request url error:" + str(e))
            collector.del_domain(target)
            return
        logger.debug("target:{} over,start to scan".format(target))

        # Get hostname
        hostname = urlparse(target).netloc.split(":")[0]
        if not is_ip_address_format(hostname):
            try:
                _ip = socket.gethostbyname(hostname)
                collector.add_domain_info(target, {"ip": _ip})
            except:
                pass
        else:
            collector.add_domain_info(target, {"ip": hostname})

        work_list = [
            webeye.poc, webtitle.poc, wappalyzer.poc, password_found.poc
        ]

        if IS_START_PLUGINS:
            work_list.append(crossdomain.poc)
            work_list.append(directory_browse.poc)
            work_list.append(gitleak.poc)
            work_list.append(iis_parse.poc)
            work_list.append(phpinfo.poc)
            work_list.append(svnleak.poc)
            work_list.append(tomcat_leak.poc)
            work_list.append(whatcms.poc)

        # WorkList.append(bakfile.poc) # 去除备份文件扫描模块,原因:太费时

        # th = []
        # try:
        #     for func in work_list:
        #         i = threading.Thread(target=func, args=(target,))
        #         i.start()
        #         th.append(i)
        #     for thi in th:
        #         thi.join()
        # except Exception as e:
        #     logger.error("domain plugin threading error {}:{}".format(repr(Exception), str(e)))
        for func in work_list:
            try:
                func(target)
            except Exception as e:
                logger.error("domain plugin threading error {}:{}".format(
                    repr(Exception), str(e)))

        logger.debug("target:{} End of scan".format(target))
        infos = collector.get_domain(target)
        _pocs = []
        temp = {}
        if IS_START_PLUGINS and "CMS" in infos:
            if infos.get("app"):
                temp["app"] = []
                temp["app"].append(infos["CMS"])
            else:
                temp["app"] = [infos["CMS"]]
            # update domain app
            collector.add_domain_info(target, temp)

        if temp.get("app"):
            keywords = temp["app"]
            # 远程读取插件
            pocs = load_remote_poc()

            for poc in pocs:
                for keyword in keywords:
                    if poc["name"] == keyword:
                        webfile = poc["webfile"]
                        logger.debug("load {0} poc:{1} poc_time:{2}".format(
                            poc["type"], webfile, poc["time"]))
                        # 加载插件
                        code = requests.get(webfile).text
                        obj = load_string_to_module(code, webfile)
                        _pocs.append(obj)

        # 并发执行插件
        if _pocs:
            executor = futures.ThreadPoolExecutor(len(_pocs))
            fs = []
            for f in _pocs:
                taks = executor.submit(f.poc, target)
                fs.append(taks)
            for f in futures.as_completed(fs):
                try:
                    res = f.result()
                except Exception as e:
                    res = None
                    logger.error("load poc error:{} error:{}".format(
                        target, str(e)))
                if res:
                    name = res.get("name") or "scan_" + str(time.time())
                    collector.add_domain_bug(target, {name: res})

        collector.send_ok(target)
コード例 #2
0
    def hand_domain(self, serviceType):
        target = serviceType["target"]
        logger.info(target)
        # 添加这条记录
        collector.add_domain(target)
        # 发起请求
        try:
            r = requests.get(target,
                             timeout=30,
                             verify=False,
                             allow_redirects=False)
            collector.add_domain_info(target, {
                "headers": r.headers,
                "body": r.text,
                "status_code": r.status_code
            })
        except Exception as e:
            logger.error("request url error:" + str(e))
            collector.del_domain(target)
            return
        logger.debug("target:{} over,start to scan".format(target))

        # Get hostname
        # ???????????WDNMD
        hostname = urlparse(target).netloc.split(":")[0]
        if not is_ip_address_format(hostname):
            try:
                # return the host from socket
                _ip = socket.gethostbyname(hostname)
                collector.add_domain_info(target, {"ip": _ip})
            except:
                pass
        else:
            collector.add_domain_info(target, {"ip": hostname})
        # 需要启动那些poc进行目标信息扫描
        work_list = [webeye.poc, webtitle.poc, wappalyzer.poc]
        # password_found.poc

        if IS_START_PLUGINS:
            pass
            work_list.append(crossdomain.poc)
            # work_list.append(directory_browse.poc)
            work_list.append(gitleak.poc)
            work_list.append(iis_parse.poc)
            work_list.append(phpinfo.poc)
            work_list.append(svnleak.poc)
            work_list.append(tomcat_leak.poc)
            # work_list.append(whatcms.poc)

        # 信息直接从函数的内部利用collector进行存储

        for func in work_list:
            try:
                func(target)
            except Exception as e:
                logger.error("domain plugin threading error {}:{}".format(
                    repr(Exception), str(e)))
                pass
        logger.debug("target:{} End of scan".format(target))
        collector.print_domains()
        infos = collector.get_domain(target)
        _pocs = []
        temp = {}
        if IS_START_PLUGINS and "CMS" in infos:
            if infos.get("app"):
                temp["app"] = []
                temp["app"].append(infos["CMS"])
            else:
                temp["app"] = [infos["CMS"]]
            # update domain app
            collector.add_domain_info(target, temp)

        if temp.get("app"):
            keywords = temp["app"]
            # 远程读取插件
            pocs = load_remote_poc()

            for poc in pocs:
                for keyword in keywords:
                    webfile = poc["webfile"]
                    logger.debug("load {0} poc:{1} poc_time:{2}".format(
                        poc["type"], webfile, poc["time"]))

                    # 加载插件 加载远程文件目录 将其转换成实体

                    code = requests.get(webfile).text
                    obj = load_string_to_moudle(code, webfile)
                    # 在模块对象列表中加入远程模块
                    _pocs.append(obj)
        # 并发执行插件
        if _pocs:
            executor = futures.ThreadPoolExecutor(len(_pocs))
            fs = []
            for f in _pocs:
                taks = executor.submit(f.poc, target)
                # 这儿返回的是啥子鸡巴啊  每个线程的控制类?
                fs.append(taks)
            for f in futures.as_completed(fs):
                try:
                    res = f.result()
                except Exception as e:
                    res = None
                    logger.error("load poc error:{} error:{}".format(
                        target, str(e)))
                if res:
                    name = res.get("name") or "scan_" + str(time.time())
                    collector.add_domain_bug(target, {name: res})
        # 通过异步调用插件得到返回结果,并且通过collector返送结果
        collector.send_ok(target)
        print("print collector")
        print(collector.collect_domains)