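def domain_has_cdn(self):
    """Detect whether ``self.domain`` sits behind a CDN.

    The NS records of the root domain (``dig ns <root> +short``) are matched
    against a list of well-known CDN/cloud provider names first; if none
    match, the number of IPv4 addresses in ``dig a <domain> +short`` output
    is used, more than one address being read as a CDN hint.

    Returns:
        dict: ``{'has_cdn': 1, 'is_cloud_flare': 1}`` when the NS records
        mention Cloudflare, ``{'has_cdn': 1, 'is_cloud_flare': 0}`` for any
        other CDN hint (from NS names or from the A-record count), otherwise
        ``{'has_cdn': 0, 'is_cloud_flare': 0}``.
    """
    import re
    import shlex

    CLIOutput().good_print("现在检测domain:%s是否有cdn" % self.domain)
    # NS records, like MX records, live on the root domain, e.g.
    # `dig +short www.baidu.com ns` vs `dig +short baidu.com ns`.
    # shlex.quote keeps a hostile domain string from being interpreted by
    # whatever shell get_string_from_command may use; a well-formed domain
    # (letters, digits, dots, hyphens) passes through unchanged.
    root_domain = shlex.quote(get_root_domain(self.domain))
    result = get_string_from_command("dig ns %s +short" % root_domain)
    # Provider names whose appearance in an NS record counts as a CDN hint.
    # "cloud" and "fast" are broad and will also flag non-CDN cloud DNS.
    cdn_pattern = re.compile(
        r"cloudflare|cdn|cloud|fast|incapsula|photon|cachefly|wppronto|"
        r"softlayer|jsdelivr|akamai",
        re.I)
    cloudflare_pattern = re.compile(r"cloudflare", re.I)
    if cdn_pattern.search(result):
        if cloudflare_pattern.search(result):
            print("has_cdn=1 from ns,and cdn is cloudflare")
            return {'has_cdn': 1, 'is_cloud_flare': 1}
        print("has_cdn=1 from ns")
        return {'has_cdn': 1, 'is_cloud_flare': 0}
    # Fall back to counting A records: more than one address suggests a CDN.
    result = get_string_from_command("dig a %s +short" % shlex.quote(self.domain))
    a_records = re.findall(r"(\d{1,3}\.){3}\d{1,3}", result)
    if len(a_records) > 1:
        return {'has_cdn': 1, 'is_cloud_flare': 0}
    return {'has_cdn': 0, 'is_cloud_flare': 0}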
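def get_ip_from_mx_record(self):
    """Resolve the MX hosts of ``self.domain``'s root domain to IPv4 addresses.

    Only MX hosts that are themselves under the root domain are kept; the
    idea is that such a mail host may sit in the same network as the origin
    server that a CDN hides.

    Returns:
        list[str]: the first resolved address of each matching MX host,
        de-duplicated and in lookup order. Empty when nothing matched or
        ``nslookup`` produced no output. Hosts that fail to resolve are
        reported and skipped.
    """
    print("[*]尝试从mx记录中找和%s顶级域名相同的mx主机" % self.domain)
    import socket
    from exp10it import get_root_domain

    # MX records live on the root domain, e.g. www.baidu.com -> baidu.com.
    root_domain = get_root_domain(self.domain)
    # Argument list with no shell: the domain reaches nslookup verbatim and
    # cannot be interpreted as shell syntax.
    try:
        completed = subprocess.run(["nslookup", "-type=mx", root_domain],
                                   stdout=subprocess.PIPE)
    except OSError:
        # nslookup not installed: the shell-string version saw empty output
        # here, so behave the same way.
        result = ""
    else:
        result = completed.stdout.decode('utf-8', 'ignore')
    print(result)
    # "mail exchanger = mx.example.com" lines whose host is under root_domain.
    mx_hosts = re.findall(
        r"mail exchanger = (.*\.%s)" % re.escape(root_domain), result)
    ip_list = []
    for host in mx_hosts:
        try:
            # gethostbyname_ex -> (hostname, aliases, addresses); first address only.
            ip = socket.gethostbyname_ex(host)[2][0]
        except (socket.gaierror, socket.herror, IndexError):
            # Best-effort gather: one unresolvable MX host must not abort the rest.
            print("[-]resolve %s failed, skipping" % host)
            continue
        if ip not in ip_list:
            ip_list.append(ip)
    return ip_list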
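def get_ip_from_mx_record(self):
    """Resolve the MX hosts of ``self.domain``'s root domain to IPv4 addresses.

    Uses ``dig <root> +short mx``, whose lines look like ``<priority> <host>.``,
    and keeps only hosts under the root domain; such a mail host may share a
    network with the origin server that a CDN hides.

    Returns:
        list[str]: the first resolved address of each matching MX host,
        de-duplicated and in lookup order. Empty when nothing matched.
    """
    print("尝试从mx记录中找和%s顶级域名相同的mx主机" % self.domain)
    import shlex
    import socket
    from exp10it import get_root_domain
    from exp10it import get_string_from_command

    # MX records live on the root domain, e.g. www.baidu.com -> baidu.com.
    root_domain = get_root_domain(self.domain)
    # shlex.quote keeps a hostile domain string from being interpreted by
    # whatever shell get_string_from_command may use; a well-formed domain
    # passes through unchanged.
    result = get_string_from_command("dig %s +short mx" % shlex.quote(root_domain))
    # re.escape instead of a hand-written "\." replacement (which is an
    # invalid escape sequence in a non-raw string).
    mx_hosts = re.findall(r"\d+ (.*\.%s)\." % re.escape(root_domain), result)
    ip_list = []
    for host in mx_hosts:
        print(host)
        # gethostbyname_ex -> (hostname, aliases, addresses); first address only.
        ip = socket.gethostbyname_ex(host)[2][0]
        if ip not in ip_list:
            ip_list.append(ip)
    return ip_list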
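def get_ip_value_from_ip138(self):
    """Look up candidate origin IPs for the root domain on site.ip138.com.

    The first five IPv4 addresses found in the page (de-duplicated, page
    order kept) are each tried with ``self.check_if_ip_is_actual_ip_of_domain``;
    the first one that passes is returned.

    Returns:
        str | int: the confirmed IP address, or ``0`` when no candidate is
        confirmed. A candidate whose check raises is reported and skipped.

    Raises:
        requests.RequestException: if the page itself cannot be fetched.
    """
    print("3)尝试通过顶级域名寻找真实IP")
    headers = {
        'Connection': 'close',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36'
    }
    domain = get_root_domain(self.domain)
    # NOTE(review): verify=False disables TLS certificate validation, so the
    # candidate list can be altered in transit; confirm it is really needed.
    rep_test = requests.get('https://site.ip138.com/{}'.format(domain),
                            timeout=15, verify=False, headers=headers).text
    # findall with the nested group yields (full_ip, last_octet_group) tuples.
    all_ip = re.findall(r"((\d{1,3}\.){3}\d{1,3})", rep_test)
    # Only the first five hits; de-duplicated without losing page order.
    ip_list = []
    for match in all_ip[:5]:
        if match[0] not in ip_list:
            ip_list.append(match[0])
    print(ip_list)
    for each_ip in ip_list:
        try:
            if self.check_if_ip_is_actual_ip_of_domain(each_ip) == True:
                print(each_ip)
                return each_ip
        except Exception:
            # Best-effort probe: an unreachable candidate is reported and skipped.
            print("[-]访问 %s 失败,跳过该IP测试" % each_ip)
    return 0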
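def get_sub_domains(target, use_tool="Sublist3r"):
    """Collect sub-domains of *target* with Sublist3r and/or subDomainsBrute.

    Args:
        target: string starting with ``http``/``https``; the part after the
            last ``/`` is taken as the host (``http://www.baidu.com`` ->
            ``www.baidu.com``). Anything else is rejected with a message.
        use_tool: ``"Sublist3r"`` (default), ``"subDomainsBrute"`` or
            ``"all"``. Any other value runs no tool.

    Results are cached in ``logFolderPath/sub/<host>_sub.txt``; when that
    file already exists it is returned as-is and no tool is run. The tools
    are always pointed at the root domain of the host, and are cloned and
    installed under ``ModulePath`` on first use.

    Returns:
        str | None: contents of the result file, or ``None`` when *target*
        has no scheme or no result file was produced.

    Module globals used: ``logFolderPath``, ``ModulePath``, ``figlet2file``,
    ``get_root_domain``.
    """
    import os
    import subprocess

    if target[:4] == "http":
        domain = target.split("/")[-1]
    else:
        print(
            "make sure your para in get_sub_domains func has scheme like http or https"
        )
        return
    figlet2file("geting sub domains", 0, True)
    root_domain = get_root_domain(domain)

    os.makedirs("%s/sub" % logFolderPath, exist_ok=True)
    store_file = logFolderPath + "/sub/" + domain.replace(".", "_") + "_sub.txt"
    sublist3r_dir = ModulePath + "Sublist3r"
    subdomainsbrute_dir = ModulePath + "subDomainsBrute"
    Sublist3r_store_file = "Sublist3r.out.txt"
    subDomainsBrute_store_file = "subDomainsBrute.out.txt"

    def _run(args, cwd=None):
        # Run a tool with an argument list and no shell, so the domain and
        # the paths are passed verbatim instead of being interpolated into a
        # command string. A missing binary or directory is reported, not
        # raised, matching the best-effort behaviour os.system had.
        try:
            return subprocess.call(args, cwd=cwd)
        except OSError as err:
            print("[-]%s failed: %s" % (args[0], err))
            return -1

    def _append_file(src, dst):
        # Equivalent of `cat src >> dst`; a src the tool never wrote is skipped.
        if not os.path.exists(src):
            return
        with open(src, "r") as fin, open(dst, "a") as fout:
            fout.write(fin.read())

    def _append_unique(src, dst):
        # Like _append_file but skips lines dst already holds (the previous
        # version read dst from its end-of-file position, so it never
        # actually de-duplicated).
        if not os.path.exists(src):
            return
        existing = set()
        if os.path.exists(dst):
            with open(dst, "r") as fin:
                existing = set(fin)
        with open(src, "r") as fin, open(dst, "a") as fout:
            for line in fin:
                if line not in existing:
                    fout.write(line)
                    existing.add(line)

    def _remove(path):
        # `rm path`, tolerant of the file not being there.
        if os.path.exists(path):
            os.remove(path)

    def run_sublist3r():
        # https://github.com/aboul3la/Sublist3r -- cloned and its
        # requirements installed on first use, then run against root_domain.
        if not os.path.exists(sublist3r_dir):
            _run(["git", "clone", "https://github.com/aboul3la/Sublist3r.git",
                  sublist3r_dir])
            # NOTE(review): installs an unpinned requirements.txt straight
            # from the fresh clone at run time; pin the revision and the
            # requirements if this runs anywhere that matters.
            _run(["pip", "install", "-r", "requirements.txt"], cwd=sublist3r_dir)
        _run(["python", "sublist3r.py", "-v", "-d", root_domain,
              "-o", Sublist3r_store_file], cwd=sublist3r_dir)

    def run_subdomainsbrute():
        # https://github.com/lijiejie/subDomainsBrute.git -- same first-use
        # setup (clone plus `pip install dnspython`), then run.
        if not os.path.exists(subdomainsbrute_dir):
            _run(["git", "clone", "https://github.com/lijiejie/subDomainsBrute.git",
                  subdomainsbrute_dir])
            _run(["pip", "install", "dnspython"])
        _run(["python", "subDomainsBrute.py", "-i", "-o", subDomainsBrute_store_file,
              root_domain], cwd=subdomainsbrute_dir)

    if os.path.exists(store_file):
        # An existing file means the sub-domains were already collected.
        print("you have got the sub domains last time")
        with open(store_file, "r") as f:
            return f.read()

    sublist3r_out = sublist3r_dir + "/" + Sublist3r_store_file
    subdomainsbrute_out = subdomainsbrute_dir + "/" + subDomainsBrute_store_file
    if use_tool == "all":
        run_sublist3r()
        _append_file(sublist3r_out, store_file)
        _remove(sublist3r_out)
        run_subdomainsbrute()
        _append_unique(subdomainsbrute_out, store_file)
        _remove(subdomainsbrute_out)
    if use_tool == "Sublist3r":
        run_sublist3r()
        _append_file(sublist3r_out, store_file)
        _remove(sublist3r_out)
    if use_tool == "subDomainsBrute":
        run_subdomainsbrute()
        _append_file(subdomainsbrute_out, store_file)
        _remove(subdomainsbrute_out)
    # First run: hand back what was just collected (this used to return None
    # even when the file had been written).
    if not os.path.exists(store_file):
        return None
    with open(store_file, "r") as f:
        return f.read()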
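def domain_has_cdn(self):
    """Detect whether ``self.domain`` sits behind a CDN.

    The NS records of the root domain (``nslookup -type=ns``) are matched
    against a list of well-known CDN/cloud provider names first; if none
    match, the number of IPv4 addresses in ``nslookup -type=a`` output for
    the domain is used, more than one address being read as a CDN hint.

    Returns:
        dict: ``{'has_cdn': 1, 'is_cloud_flare': 1}`` when the NS records
        mention Cloudflare, ``{'has_cdn': 1, 'is_cloud_flare': 0}`` for any
        other CDN hint (from NS names or from the A-record count), otherwise
        ``{'has_cdn': 0, 'is_cloud_flare': 0}``.
    """
    import re
    import shlex

    print("[*]现在检测domain:%s是否有cdn" % self.domain)
    # NS records, like MX records, live on the root domain, e.g.
    # `dig +short www.baidu.com ns` vs `dig +short baidu.com ns`.
    root_domain = get_root_domain(self.domain)
    # Argument list with no shell: the domain reaches nslookup verbatim and
    # cannot be interpreted as shell syntax.
    try:
        completed = subprocess.run(["nslookup", "-type=ns", root_domain],
                                   stdout=subprocess.PIPE)
    except OSError:
        # nslookup not installed: the shell-string version saw empty output
        # here, so behave the same way.
        result = ""
    else:
        result = completed.stdout.decode("utf-8", "ignore")
    # Provider names whose appearance in an NS record counts as a CDN hint.
    # "cloud" and "fast" are broad and will also flag non-CDN cloud DNS.
    cdn_pattern = re.compile(
        r"cloudflare|cdn|cloud|fast|incapsula|photon|cachefly|wppronto|"
        r"softlayer|jsdelivr|akamai",
        re.I)
    # A single literal. The previous version built this from fourteen
    # adjacent string literals, which Python concatenates into "cloudflare"
    # repeated fourteen times -- a pattern that never matched, so
    # is_cloud_flare could never be 1.
    cloudflare_pattern = re.compile(r"cloudflare", re.I)
    if cdn_pattern.search(result):
        if cloudflare_pattern.search(result):
            print("has_cdn=1 from ns,and cdn is cloudflare")
            return {'has_cdn': 1, 'is_cloud_flare': 1}
        print("has_cdn=1 from ns")
        return {'has_cdn': 1, 'is_cloud_flare': 0}
    # Fall back to counting A records: more than one address suggests a CDN.
    # NOTE(review): nslookup's header normally echoes the resolver's own
    # address, which this count may include -- confirm against real output.
    # shlex.quote keeps a hostile domain from being interpreted by whatever
    # shell get_string_from_command may use.
    result = get_string_from_command("nslookup -type=a %s" % shlex.quote(self.domain))
    a_records = re.findall(r"(\d{1,3}\.){3}\d{1,3}", result)
    if len(a_records) > 1:
        return {'has_cdn': 1, 'is_cloud_flare': 0}
    return {'has_cdn': 0, 'is_cloud_flare': 0}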