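def ms17_010(target):
    """
    MS17-010 check via the Metasploit auxiliary scanner.

    Writes a one-shot msfconsole resource script that runs
    ``auxiliary/scanner/smb/smb_ms17_010`` against *target*, then records a
    high-severity finding when the scanner output says the host is likely
    vulnerable.

    :param target: IP address or IP range, written verbatim after
        ``set RHOSTS`` (a value containing a newline would add further
        msf commands — callers are expected to pass an IP/CIDR only)
    :return: None
    """
    import subprocess
    import tempfile

    # The resource script goes into a private, unpredictably named temp file
    # instead of the fixed path /tmp/smb.rc, so another local user cannot
    # pre-create or symlink that path and have msfconsole run their script.
    # It is removed in ``finally`` even if msfconsole fails.
    with tempfile.NamedTemporaryFile('w', suffix='.rc', delete=False) as f:
        f.write('use auxiliary/scanner/smb/smb_ms17_010\n')
        f.write('set RHOSTS ' + target + '\n')
        f.write('exploit\n')
        f.write('exit\n')
        rc_path = f.name
    try:
        # Argument list, no shell: the path is never parsed by /bin/sh.
        # stderr stays on the terminal, as it did with os.popen().
        try:
            rst = subprocess.run(['msfconsole', '-r', rc_path],
                                 stdout=subprocess.PIPE,
                                 universal_newlines=True).stdout
        except FileNotFoundError:
            print("\033[1;31;1m[!]msfconsole not found\033[0m")
            rst = ''
    finally:
        os.remove(rc_path)

    if 'Host is likely VULNERABLE' in rst:
        print("\033[1;32;1m[+]存在MS-17-010漏洞\033[0m")
        vulnsum.addHigh()
        report.whtml(
            'MS17-010 Vulnerability',
            'Metasploit EXP:\nexploit/windows/smb/ms17_010_eternalblue\n')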
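def py_nmap(target, flag, user, passwd, ufile, pfile):
    """
    Port-scan *target* with nmap, record the open TCP ports, hand each
    recognised service to brute(), and collect whatever brute() leaves on
    the global queue ``h_q``.

    :param target: target url; resolved to an IP with urltoip() first
    :param flag: truthy -> full port range (``-p0-65535``); falsy -> nmap's
        default port list
    :param user: forwarded to brute() as ``user``
    :param passwd: forwarded to brute() as ``passwd``
    :param ufile: forwarded to brute() as ``usfile``
    :param pfile: forwarded to brute() as ``pdfile``
    :return: 0 when nmap reports no open port (or nmap is unavailable),
        otherwise None
    """
    global h_q
    global d_rt
    import subprocess

    # Applied, in this order, to each "<port>/tcp open <service>" match:
    # collapse whitespace, drop the protocol, turn "open" into the field
    # separator, then rename nmap service names to the names brute() is
    # called with. Order matters: later pairs can match text produced by
    # earlier ones.
    rewrites = (
        (' ', ''),
        ('/tcp', ''),
        ('open', ' '),
        ('netbios-ssn', 'samba'),
        ('microsoft-ds', 'smb'),
        ('exec', 'rexec'),
        ('login', 'rlogin'),
        ('shell', 'rlogin'),
        ('nfs', 'pcnfs'),
        ('ccproxy-ftp', 'ftp'),
        ('postgresql', 'postgres'),
        ('vnc-1', 'vnc'),
        ('vnc-2', 'vnc'),
        ('vnc-3', 'vnc'),
        ('ms-wbt-server', 'rdp'),
    )
    # Service names the author excluded from brute(); the reason is not
    # visible here.
    skip = frozenset((
        'irc', 'unknown', 'X11', 'samba', 'ajp13', 'msrpc', 'IIS', 'iad1',
        'ms-lsa', 'NFS-or-IIS', 'LSA-or-nterm', 'http',
    ))

    # target url -> target ip
    target = urltoip(target)

    def run_nmap(*opts):
        # Argument list with no shell, so target is never parsed by /bin/sh.
        # stderr stays on the terminal, as it did with os.popen().
        try:
            proc = subprocess.run(['nmap', *opts, target],
                                  stdout=subprocess.PIPE,
                                  universal_newlines=True)
        except FileNotFoundError:
            print("\033[1;31;1m[!]nmap not found\033[0m")
            return ''
        return proc.stdout

    if flag:
        get_nmap = run_nmap('-T4', '-A', '-sV', '-p0-65535')
        if 'Host seems down' in get_nmap:
            # Retry without host discovery (-Pn), as the original did.
            get_nmap = run_nmap('-T4', '-A', '-sV', '-Pn', '-p0-65535')
    else:
        get_nmap = run_nmap()
        if 'Host seems down' in get_nmap:
            get_nmap = run_nmap('-T4', '-A', '-sV', '-Pn')

    # Raw "<port>/tcp open <service>" lines from the nmap output.
    rt = re.findall(r'\d+/tcp[ ]*open[ ]*[a-zA-Z0-9_/?\-]*', get_nmap)
    if not rt:
        print("\033[1;31;1m[!]目标未开放任何端口或网络不可达\033[0m")
        return 0

    # The report receives the raw nmap lines before they are normalised.
    report.wnmap('Nmap Scan Result', 'Port/Protocal', 'State', 'Service', rt)
    for line in rt:
        print('\033[1;32;1m[+]' + line + '\033[0m')
        for old, new in rewrites:
            line = line.replace(old, new)
        parts = line.split(' ')
        # d_rt maps service -> [port, ...] and accumulates across calls
        # because it is module-global and never cleared here.
        d_rt.setdefault(parts[1], []).append(parts[0])

    # list() so brute() may touch d_rt while we iterate its keys.
    for service in list(d_rt.keys()):
        if service in skip:
            continue
        brute(d_rt, service, target, user, passwd, usfile=ufile, pdfile=pfile)

    # brute() presumably leaves one readable result handle per attempt on
    # h_q, with '\x00' as a "no result" marker — neither is visible here.
    while h_q.qsize():
        h = h_q.get()
        if h == '\x00':
            continue
        out = h.read()
        rst = re.findall(
            r'\[\d+\]\[[a-zA-Z0-9]+\]\s*host:\s*\d+\.\d+\.\d+\.\d+\s*login:\s*[a-zA-Z0-9\-_]+\s*password:\s*[a-zA-Z0-9\-_!@#$%]+',
            out)
        for cred in rst:
            print('\033[1;32;1m' + '[+]' + cred + '\033[0m')
            vulnsum.addHigh()
        if rst:
            report.whtml('Port weak password', rst)

    # d_rt's values are lists of ports, so the membership test has to look
    # inside them; comparing '445' against the lists themselves (as the old
    # code did) never matched, so ms17_010() was never reached.
    if any('445' in ports for ports in d_rt.values()):
        ms17_010(target)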
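def wapiti(target):
    """
    Run wapiti against *target* and read its generated HTML report for
    high-risk web findings (SQL injection, XSS, SSRF, command execution, ...).

    The report path is taken from wapiti's own output; each non-zero counter
    in the report's summary table becomes a high-severity finding, the
    summary table and the details section are copied into the report, and
    the HTML file is then deleted.

    :param target: target url (``scheme://host[:port]``); the host part is
        used to locate the generated report
    :return: None
    """
    import subprocess

    # Severity labels in the order the summary cells appear in the report.
    labels = (
        'SQL Injection',
        'Blind SQL Injection',
        'File Handling',
        'Cross Site Scripting',
        'CRLF Injection',
        'Commands execution',
        'Htaccess Bypass',
        'Backup file',
        'Potentially dangerous file',
        'Server Side Request Forgery',
        'Internal Server Error',
        'Resource consumption',
    )

    uri = target.split('/')[2]
    # Argument list with no shell, so the url is never parsed by /bin/sh.
    try:
        out = subprocess.run(['wapiti', '-u', target + '/'],
                             stdout=subprocess.PIPE,
                             universal_newlines=True).stdout
    except FileNotFoundError:
        print("\033[1;31;1m[!]wapiti not found\033[0m")
        return
    # Path of the generated report, as printed by wapiti. The host is
    # interpolated unescaped on purpose (kept from the original): '.' then
    # matches any character, which is more permissive, not less.
    rst = re.findall(
        r'/[a-zA-Z0-9_\-]*/.wapiti/generated_report/' + uri + r'[a-zA-Z\d._]*.html',
        out)
    if not rst:
        # Previously an uncaught IndexError on rst[0].
        print("\033[1;31;1m[!]wapiti report not found\033[0m")
        return
    report_path = rst[0]

    try:
        with open(report_path, 'r') as fh:
            html = fh.read()
    except FileNotFoundError:
        return

    try:
        soup = BeautifulSoup(html, 'html.parser')
        tr = soup('td', 'small .text-centered')
        # zip() stops at the shorter side, so a report with fewer summary
        # cells no longer raises IndexError.
        for cell, label in zip(tr, labels):
            count = cell.string
            if int(count) > 0:
                print('\033[1;32;1m[+]' + label, count + '\033[0m')
                vulnsum.addHigh()
        page = soup('tbody')
        if page:
            report.tbody(page[0])
        detail = soup('div', id='details')
        # The old code tested `soup != []`, which is always true; check the
        # result set that is actually indexed.
        if detail:
            report.wdiv(detail[0])
    finally:
        # os.remove instead of a shell `rm`, and it runs even if parsing fails.
        os.remove(report_path)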
# NOTE(review): line breaks and indentation were lost in extraction, so it is
# not visible whether this call is the last statement of wapiti() or runs at
# module level — confirm against the original file before relying on either.
report.wvuln()