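def output(target):
    """Reverse-whois: list other domains registered with the target's contact mail.

    Runs only when an earlier module stored ``target.mail``. The domain list
    is scraped from whois.aizhan.com with a regex, the target's own domain
    is dropped, and the rest are handed to ``tPing`` worker threads together
    with ``target.ip``.

    Args:
        target: scan context; reads ``mail``, ``n_domain`` and ``ip``.

    Returns:
        None. Results are reported through ``print_color``.
    """
    if not hasattr(target, 'mail'):
        return

    print_color('whois same mail %s domain ...' % target.mail, 2)

    threads = 5
    queue = Queue.Queue()
    try:
        # NOTE(review): target.mail was extracted from whois text and is
        # placed in the query string without URL-encoding (unchanged).
        code, content = get('whois.aizhan.com',
                            '/reverse-whois/?q=%s&t=email' % target.mail)
        domain_list = findall(r'_blank">(.*?)</a></td>', content)
        if domain_list:
            for domain in domain_list:
                # the scanned domain itself is not a "same mail" finding
                if domain != target.n_domain:
                    queue.put(domain)
            workers = [tPing(queue, target.ip) for _ in range(threads)]
            for worker in workers:
                worker.start()
            for worker in workers:
                worker.join()
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')
        print_color(__name__ + ' faild', 0)

    print('')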
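def output(target):
    """List other domains hosted on the target IP (skipped behind a CDN).

    Runs only when ``target.iscdn`` is falsy and a domain is known. Result
    pages from dns.aizhan.com are fetched concurrently by ``tThread``
    workers into ``jsons``; every reported domain is then queued for
    ``tPing`` workers together with ``target.ip``.

    Args:
        target: scan context; reads ``iscdn``, ``f_domain`` and ``ip``.

    Returns:
        None. Output goes through ``print_color``.
    """
    if not (hasattr(target, 'iscdn') and not target.iscdn and target.f_domain):
        return

    threads = 5  # worker count
    jsons = []   # filled by tThread workers (no longer aliased to the thread list)
    queue = Queue.Queue()

    print_color('find domain in same IP for %s..' % target.ip, 2)

    code, content = get('dns.aizhan.com',
                        '/index.php?r=index/pages&q=%s' % target.f_domain)
    # page counter is rendered as "1/<total>"; raw string so '\d' is not an
    # invalid escape. \d+ is the same pattern as \d{1,}.
    match = re.search(r'1/(\d+)', content)
    page = int(match.group(1)) if match else 1

    # fetch every result page in parallel
    for i in range(1, page + 1):
        queue.put('/index.php?r=index/getress&q=%s&page=%d' % (target.f_domain, i))
    workers = [tThread(queue, jsons) for _ in range(threads)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    # ping every reported domain; loop variable renamed so it no longer
    # shadows the json module
    for entry in jsons:
        queue.put(entry['domain'])
    workers = [tPing(queue, target.ip) for _ in range(threads)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    print('')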
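def output(target):
    """Check whether an authoritative name server allows a zone transfer (AXFR).

    Resolves the NS records of ``target.n_domain`` via 223.5.5.5 (UDP), then
    asks each name server for an AXFR over TCP. An answered transfer is a
    misconfiguration — it discloses the whole zone — so ``target.axfr`` is
    set, the answers are printed by ``parse_record`` and the loop stops at
    the first server that answers.

    Args:
        target: scan context; reads ``n_domain`` and ``ip``; sets ``axfr``.

    Returns:
        None.
    """
    if not target.n_domain:
        return

    target.axfr = False
    print_color('Test AXFR request for %s' % target.n_domain, 2)

    try:
        # the outer request and the loop variable were both named `r`
        ns_req = DNS.DnsRequest(target.n_domain,
                                qtype="NS",
                                server=['223.5.5.5'],
                                protocol='udp',
                                timeout=10)
        for ns_answer in ns_req.req().answers:
            dns = ns_answer['data']
            print_color('Test DNS %s' % dns, 2)
            axfr_req = DNS.DnsRequest(target.n_domain,
                                      qtype="AXFR",
                                      server=[dns],
                                      protocol='tcp',
                                      timeout=10)
            res = axfr_req.req()
            if res.answers:
                target.axfr = True
                parse_record(res.answers, target.ip)
                break
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')

    print('')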
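def output(target):
    """Scan four web ports across the target's /24 after the user confirms.

    Builds ``a.b.c.1`` .. ``a.b.c.254`` from ``target.ip`` and queues every
    (ip, port) pair for ``tPort`` workers. The confirmation prompt exists
    because 254 hosts x 4 ports takes a while.

    Args:
        target: scan context; reads ``ip``.

    Returns:
        None.
    """
    if query_yes_no('subnet port scan requires a lot of time.'):
        ports = [80, 8000, 8080, 88]
        threads = 20
        queue = Queue.Queue()

        print_color('scan port for subnet %s..' % target.ip, 2)

        # 'a.b.c' prefix of the dotted quad, then .1 .. .254
        prefix = target.ip[:target.ip.rfind('.')]
        subnet = ['%s.%d' % (prefix, i) for i in range(1, 255)]

        for port in ports:
            for sub in subnet:
                queue.put({'ip': sub, 'port': port})

        workers = [tPort(queue) for _ in range(threads)]
        for worker in workers:
            worker.start()
        for worker in workers:
            worker.join()

    print('')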
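def output(target):
    """List other domains hosted on the target IP (skipped behind a CDN).

    Runs only when ``target.iscdn`` is falsy and a domain is known. Result
    pages from dns.aizhan.com are fetched concurrently by ``tThread``
    workers into ``jsons``; every reported domain is then queued for
    ``tPing`` workers together with ``target.ip``.

    Args:
        target: scan context; reads ``iscdn``, ``f_domain`` and ``ip``.

    Returns:
        None. Output goes through ``print_color``.
    """
    if not (hasattr(target, 'iscdn') and not target.iscdn and target.f_domain):
        return

    threads = 5  # worker count
    jsons = []   # filled by tThread workers (no longer aliased to the thread list)
    queue = Queue.Queue()

    print_color('find domain in same IP for %s..' % target.ip, 2)

    code, content = get('dns.aizhan.com',
                        '/index.php?r=index/pages&q=%s' % target.f_domain)
    # page counter is rendered as "1/<total>"; raw string so '\d' is not an
    # invalid escape. \d+ is the same pattern as \d{1,}.
    match = re.search(r'1/(\d+)', content)
    page = int(match.group(1)) if match else 1

    # fetch every result page in parallel
    for i in range(1, page + 1):
        queue.put('/index.php?r=index/getress&q=%s&page=%d' % (target.f_domain, i))
    workers = [tThread(queue, jsons) for _ in range(threads)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    # ping every reported domain; loop variable renamed so it no longer
    # shadows the json module
    for entry in jsons:
        queue.put(entry['domain'])
    workers = [tPing(queue, target.ip) for _ in range(threads)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    print('')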
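def parse_record(records, ip):
    """Print the address records of a zone transfer, marking the scanned IP.

    Entries that are not dicts, have no ``data`` key, or whose ``data`` is
    not a valid IP string are skipped. A record pointing at ``ip`` is
    printed as ``name *``; any other one as ``name address``.

    Args:
        records: answer list from ``DNS.DnsRequest``; usable items are dicts
            with ``name`` and ``data`` keys.
        ip: the scanned host's address.

    Returns:
        None.
    """
    for record in records:
        if not isinstance(record, dict):
            continue
        # .get(): indexing raised KeyError on a record without 'data'
        data = record.get('data')
        if not (isinstance(data, str) and valid_ip(data)):
            continue
        if data == ip:
            print_color('%s *' % (record['name']), 1)
        else:
            print_color('%s %s' % (record['name'], data), 1)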
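def parse_record(records,ip):
    """Print the address records of a zone transfer, marking the scanned IP.

    Entries that are not dicts, have no ``data`` key, or whose ``data`` is
    not a valid IP string are skipped. A record pointing at ``ip`` is
    printed as ``name *``; any other one as ``name address``.

    Args:
        records: answer list from ``DNS.DnsRequest``; usable items are dicts
            with ``name`` and ``data`` keys.
        ip: the scanned host's address.

    Returns:
        None.
    """
    for record in records:
        if not isinstance(record, dict):
            continue
        # .get(): indexing raised KeyError on a record without 'data'
        data = record.get('data')
        if not (isinstance(data, str) and valid_ip(data)):
            continue
        if data == ip:
            print_color('%s *'%(record['name']), 1)
        else:
            print_color('%s %s'%(record['name'],data), 1)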
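def output(target):
    """Scan a fixed list of service ports on the target IP (skipped behind a CDN).

    Behind a CDN the reachable ports belong to the edge, not the origin, so
    the scan runs only when an earlier module set ``target.iscdn`` to a
    falsy value. Each (ip, port) pair is queued for ``tPort`` workers.

    Args:
        target: scan context; reads ``iscdn`` and ``ip``.

    Returns:
        None.
    """
    if not (hasattr(target, 'iscdn') and not target.iscdn):
        return

    ports = [21, 22, 23, 25, 80, 81, 110, 135, 139, 389, 443, 445, 873, 1433,
             1434, 1521, 2433, 3306, 3307, 3366, 3336, 3380, 3389, 3968, 5800,
             5900, 7755, 8000, 8001, 8002, 8080, 8650, 8888, 8800, 9999, 12580,
             22222, 22022, 27017, 28017, 33089, 34567, 43958, 50001]

    print_color('scan port for IP %s..'%target.ip, 2)

    threads = 20
    queue = Queue.Queue()

    for port in ports:
        queue.put({'ip': target.ip, 'port': port})
    workers = [tPort(queue) for _ in range(threads)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    print('')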
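def output(target):
    """Decide whether the target sits behind a CDN; store the verdict in ``target.iscdn``.

    Three checks run in order, each only while the verdict is still
    negative: a response header name containing 'cdn'; a header name from
    a list of known CDN-vendor headers; and a CNAME for ``target.f_domain``
    (queried via 8.8.8.8 over TCP) containing a known vendor string.

    Args:
        target: scan context; reads ``ip``, ``f_domain`` and ``header``
            (iterated as header names); sets ``iscdn``.

    Returns:
        None.
    """
    custom_headers = [
        'x-powered-by-360wzb', 'x-powered-by-anquanbao', 'x-cache',
        'webluker-edge', 'powered-by-chinacache'
    ]

    cnames = ['360wzb', 'incapdns', 'aqb.so']

    target.iscdn = False

    print_color('Test CDN for %s' % target.ip, 2)
    print_color('Test CDN for %s with HTTP header' % target.f_domain, 2)

    if any('cdn' in header for header in target.header):
        target.iscdn = True

    if not target.iscdn:
        # was `True if len(flag) else None`; bool() keeps the attribute a
        # real boolean so consumers see False, not None
        target.iscdn = bool(set(target.header).intersection(custom_headers))

    if not target.iscdn and target.f_domain:
        try:
            print_color('Test CDN for %s with CNAME' % target.f_domain, 2)
            req = DNS.DnsRequest(target.f_domain,
                                 qtype="CNAME",
                                 server=['8.8.8.8'],
                                 protocol='tcp',
                                 timeout=10)
            res = req.req()
            if res.answers:
                cname = res.answers[0]['data']
                if any(vendor in cname for vendor in cnames):
                    target.iscdn = True
        except Exception:
            # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            log.exception('exception')
            print_color(__name__ + ' faild', 0)

    if target.iscdn:
        print_color(target.iscdn, 1)

    print('')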
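def output(target):
    """Scan four web ports across the target's /24 after the user confirms.

    Builds ``a.b.c.1`` .. ``a.b.c.254`` from ``target.ip`` and queues every
    (ip, port) pair for ``tPort`` workers. The confirmation prompt exists
    because 254 hosts x 4 ports takes a while.

    Args:
        target: scan context; reads ``ip``.

    Returns:
        None.
    """
    if query_yes_no('subnet port scan requires a lot of time.'):
        ports = [80, 8000, 8080, 88]
        threads = 20
        queue = Queue.Queue()

        print_color('scan port for subnet %s..'%target.ip, 2)

        # 'a.b.c' prefix of the dotted quad, then .1 .. .254
        prefix = target.ip[:target.ip.rfind('.')]
        subnet = ['%s.%d' % (prefix, i) for i in range(1, 255)]

        for port in ports:
            for sub in subnet:
                queue.put({'ip': sub, 'port': port})

        workers = [tPort(queue) for _ in range(threads)]
        for worker in workers:
            worker.start()
        for worker in workers:
            worker.join()

    print('')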
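def output(target):
    """Reverse-whois: list other domains registered with the target's contact mail.

    Runs only when an earlier module stored ``target.mail``. The domain list
    is scraped from whois.aizhan.com with a regex, the target's own domain
    is dropped, and the rest are handed to ``tPing`` worker threads together
    with ``target.ip``.

    Args:
        target: scan context; reads ``mail``, ``n_domain`` and ``ip``.

    Returns:
        None. Results are reported through ``print_color``.
    """
    if not hasattr(target, 'mail'):
        return

    print_color('whois same mail %s domain ...' % target.mail, 2)

    threads = 5
    queue = Queue.Queue()
    try:
        # NOTE(review): target.mail was extracted from whois text and is
        # placed in the query string without URL-encoding (unchanged).
        code, content = get('whois.aizhan.com',
                            '/reverse-whois/?q=%s&t=email' % target.mail)
        domain_list = findall(r'_blank">(.*?)</a></td>', content)
        if domain_list:
            for domain in domain_list:
                # the scanned domain itself is not a "same mail" finding
                if domain != target.n_domain:
                    queue.put(domain)
            workers = [tPing(queue, target.ip) for _ in range(threads)]
            for worker in workers:
                worker.start()
            for worker in workers:
                worker.join()
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')
        print_color(__name__+' faild', 0)

    print('')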
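def output(target):
    """Fingerprint the web server from the Server header; on nginx, check the path-parsing misconfiguration.

    Sets ``target.server`` to 'Nginx', 'Apache' or 'IIS'. For nginx, a few
    ``<static file>/.php`` style paths — two fixed ones plus an image URL
    scraped from the front page — are requested via ``head``; a 200 whose
    Content-Type contains text/html is reported as the misconfiguration.

    Args:
        target: scan context; reads ``ip``, ``port``, ``f_domain`` and
            ``header``; sets ``server``.

    Returns:
        None. Errors from ``get``/``head`` propagate (unchanged).
    """
    print_color('Test server exploit %s...'%target.ip, 2)

    paths = ['/robots.txt/.php', '/robots.txt/1.php']

    if 'server' in target.header:
        server = target.header['server'].lower()
        if 'nginx' in server:

            target.server = 'Nginx'

            print_color('Test server nginx Parsing Vulnerabilities',2)

            # host:port, preferring the domain over the bare IP
            domain = '%s:%d' % (target.f_domain or target.ip, target.port)

            code, content = get(domain, '/')
            match = re.search(r'src="(http.+?\.jpg)"', content)

            if match:
                paths.append('%s/.php' % match.group(1))
                paths.append('%s/1.php' % match.group(1))
            for p in paths:
                code, header = head(domain, p)

                # .get(): a reply without Content-Type used to raise KeyError
                if code == 200 and 'text/html' in header.get('content-type', ''):
                    print_color('the server has nginx parsing vulnerabilities',1)
                    break

        elif 'apache' in server:
            target.server = 'Apache'
        elif 'iis' in server:
            target.server = 'IIS'

    print('')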
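def output(target):
    """Scan a fixed list of service ports on the target IP (skipped behind a CDN).

    Behind a CDN the reachable ports belong to the edge, not the origin, so
    the scan runs only when an earlier module set ``target.iscdn`` to a
    falsy value. Each (ip, port) pair is queued for ``tPort`` workers.

    Args:
        target: scan context; reads ``iscdn`` and ``ip``.

    Returns:
        None.
    """
    if not (hasattr(target, 'iscdn') and not target.iscdn):
        return

    ports = [
        21, 22, 23, 25, 80, 81, 110, 135, 139, 389, 443, 445, 873, 1433,
        1434, 1521, 2433, 3306, 3307, 3366, 3336, 3380, 3389, 3968, 5800,
        5900, 7755, 8000, 8001, 8002, 8080, 8650, 8888, 8800, 9999, 12580,
        22222, 22022, 27017, 28017, 33089, 34567, 43958, 50001
    ]

    print_color('scan port for IP %s..' % target.ip, 2)

    threads = 20
    queue = Queue.Queue()

    for port in ports:
        queue.put({'ip': target.ip, 'port': port})
    workers = [tPort(queue) for _ in range(threads)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()

    print('')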
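def output(target):
    """Collect subdomain prefixes from public sources when the zone transfer was closed.

    Runs only if the AXFR module recorded ``target.axfr`` as False and a
    domain is known. Each source is scraped with a regex; a failing source
    is reported and skipped. The unique prefixes are joined to
    ``target.n_domain`` and queued for ``tPing`` workers with ``target.ip``.

    Args:
        target: scan context; reads ``axfr``, ``n_domain`` and ``ip``.

    Returns:
        None.
    """
    if not (hasattr(target, "axfr") and not target.axfr and target.n_domain):
        return

    threads = 5
    queue = Queue.Queue()

    apis = [
        {
            "domain": "www.baidu.com",
            "path": "/s?wd=site:%s&pn=0&ie=utf-8" % target.n_domain,
            "method": "get",
            "regex": '"g">(.*?)%s' % target.n_domain,
        },
        {
            "domain": "i.links.cn",
            "path": "/subdomain/",
            "method": "post",
            # the sibling entries substitute n_domain here; a literal '%s'
            # could never match the page
            "regex": "target=_blank>http://(.*)%s" % target.n_domain,
            "data": {"domain": target.n_domain, "b2": "1", "b3": "1", "b4": "1"},
        },
        {
            "domain": "www.alexa.com",
            "path": "/siteinfo/%s" % target.n_domain,
            "method": "get",
            "regex": "word-wrap'>(.*?)%s" % target.n_domain,
        },
    ]

    print_color("find subdomain for %s.." % target.n_domain, 2)

    pix_list = []

    try:
        for api in apis:
            try:
                if api["method"] == "get":
                    code, content = get(api["domain"], api["path"])
                    pix_list += findall(api["regex"], content)
                elif api["method"] == "post":
                    code, content = post(api["domain"], api["path"], api["data"])
                    pix_list += findall(api["regex"], content)
            except Exception:
                # one unreachable source must not abort the others
                print_color(api["domain"] + " Faild", 0)

        # de-duplicate while keeping first-seen order
        seen = set()
        for pix in pix_list:
            if pix in seen:
                continue
            seen.add(pix)
            queue.put("%s%s" % (pix, target.n_domain))

        workers = [tPing(queue, target.ip) for _ in range(threads)]
        for worker in workers:
            worker.start()
        for worker in workers:
            worker.join()
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception("exception")
        print_color(__name__ + " faild", 0)

    print("")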
파일: hostcdn.py 프로젝트: R00tAK/pr0bescan
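def output(target):
    """Decide whether the target sits behind a CDN; store the verdict in ``target.iscdn``.

    Three checks run in order, each only while the verdict is still
    negative: a response header name containing 'cdn'; a header name from
    a list of known CDN-vendor headers; and a CNAME for ``target.f_domain``
    (queried via 8.8.8.8 over TCP) containing a known vendor string.

    Args:
        target: scan context; reads ``ip``, ``f_domain`` and ``header``
            (iterated as header names); sets ``iscdn``.

    Returns:
        None.
    """
    custom_headers = ['x-powered-by-360wzb',
            'x-powered-by-anquanbao','x-cache','webluker-edge',
            'powered-by-chinacache']

    cnames = ['360wzb','incapdns','aqb.so']

    target.iscdn = False

    print_color('Test CDN for %s'%target.ip, 2)
    print_color('Test CDN for %s with HTTP header'%target.f_domain, 2)

    if any('cdn' in header for header in target.header):
        target.iscdn = True

    if not target.iscdn:
        # was `True if len(flag) else None`; bool() keeps the attribute a
        # real boolean so consumers see False, not None
        target.iscdn = bool(set(target.header).intersection(custom_headers))

    if not target.iscdn and target.f_domain:
        try:
            print_color('Test CDN for %s with CNAME'%target.f_domain, 2)
            req = DNS.DnsRequest(target.f_domain, qtype="CNAME",
                    server=['8.8.8.8'], protocol='tcp', timeout=10)
            res = req.req()
            if res.answers:
                cname = res.answers[0]['data']
                if any(vendor in cname for vendor in cnames):
                    target.iscdn = True
        except Exception:
            # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            log.exception('exception')
            print_color(__name__+' faild', 0)

    if target.iscdn:
        print_color(target.iscdn, 1)

    print('')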
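def output(target):
    """Check whether an authoritative name server allows a zone transfer (AXFR).

    Resolves the NS records of ``target.n_domain`` via 223.5.5.5 (UDP), then
    asks each name server for an AXFR over TCP. An answered transfer is a
    misconfiguration — it discloses the whole zone — so ``target.axfr`` is
    set, the answers are printed by ``parse_record`` and the loop stops at
    the first server that answers.

    Args:
        target: scan context; reads ``n_domain`` and ``ip``; sets ``axfr``.

    Returns:
        None.
    """
    if not target.n_domain:
        return

    target.axfr = False
    print_color('Test AXFR request for %s' % target.n_domain, 2)

    try:
        # the outer request and the loop variable were both named `r`
        ns_req = DNS.DnsRequest(target.n_domain, qtype="NS", server=['223.5.5.5'], protocol='udp', timeout=10)
        for ns_answer in ns_req.req().answers:
            dns = ns_answer['data']
            print_color('Test DNS %s' % dns, 2)
            axfr_req = DNS.DnsRequest(target.n_domain, qtype="AXFR", server=[dns], protocol='tcp', timeout=10)
            res = axfr_req.req()
            if res.answers:
                target.axfr = True
                parse_record(res.answers,target.ip)
                break
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')

    print('')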
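def output(target):
    """Print the country, region, city and ISP that ip.taobao.com reports for the target IP.

    The lookup sends ``target.ip`` to a third-party service. Each field is
    encoded to GBK before printing (presumably for a GBK console — kept
    as-is). Any failure — network error, non-JSON body, or a reply without
    the expected ``data`` keys — is logged and reported.

    Args:
        target: scan context; reads ``ip``.

    Returns:
        None.
    """
    print_color('get location for IP %s' % target.ip, 2)
    try:
        code,content = get('ip.taobao.com', '/service/getIpInfo.php?ip=%s' % target.ip)
        info = json.loads(content)['data']
        fields = tuple(info[key].encode('gbk')
                       for key in ('country', 'region', 'city', 'isp'))
        print_color('%s %s %s %s' % fields, 1)
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')
        print_color(__name__+' faild', 0)

    print('')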
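def output(target):
    """Print the country, region, city and ISP that ip.taobao.com reports for the target IP.

    The lookup sends ``target.ip`` to a third-party service. Each field is
    encoded to GBK before printing (presumably for a GBK console — kept
    as-is). Any failure — network error, non-JSON body, or a reply without
    the expected ``data`` keys — is logged and reported.

    Args:
        target: scan context; reads ``ip``.

    Returns:
        None.
    """
    print_color('get location for IP %s' % target.ip, 2)
    try:
        code, content = get('ip.taobao.com',
                            '/service/getIpInfo.php?ip=%s' % target.ip)
        info = json.loads(content)['data']
        fields = tuple(info[key].encode('gbk')
                       for key in ('country', 'region', 'city', 'isp'))
        print_color('%s %s %s %s' % fields, 1)
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')
        print_color(__name__ + ' faild', 0)

    print('')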
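def output(target):
    """Extract a contact e-mail address from the domain's whois record into ``target.mail``.

    The raw whois text is scanned for e-mail addresses, the hits are passed
    through ``filter_mail`` (presumably drops registrar/privacy addresses —
    TODO confirm) and the first survivor is stored lower-cased. Because whois
    lookups time out often, the query is retried up to three times.

    Args:
        target: scan context; reads ``n_domain``; may set ``mail``.

    Returns:
        None.
    """
    if not target.n_domain:
        return

    print_color('whois %s.'%target.n_domain, 2)

    # retry up to three times on timeout or error
    for attempt in range(1, 4):
        try:
            data = get_whois(target.n_domain)['raw'][0]
            mails = findall(r'[\w\.-]+@[\w-]+\.[\w\.-]+', data)
            # list(): filter() is lazy on Python 3 and mails[0] is indexed below
            mails = list(filter(filter_mail, mails))
            if mails:
                target.mail = mails[0].lower()
                break
        except Exception:
            # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
            print_color('re-whois %s %d number of times' % (target.n_domain, attempt), 2)

    if hasattr(target,'mail'):
        print_color(target.mail, 1)

    print('')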
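def output(target):
    """Fingerprint the web server from the Server header; on nginx, check the path-parsing misconfiguration.

    Sets ``target.server`` to 'Nginx', 'Apache' or 'IIS'. For nginx, a few
    ``<static file>/.php`` style paths — two fixed ones plus an image URL
    scraped from the front page — are requested via ``head``; a 200 whose
    Content-Type contains text/html is reported as the misconfiguration.

    Args:
        target: scan context; reads ``ip``, ``port``, ``f_domain`` and
            ``header``; sets ``server``.

    Returns:
        None. Errors from ``get``/``head`` propagate (unchanged).
    """
    print_color('Test server exploit %s...' % target.ip, 2)

    paths = ['/robots.txt/.php', '/robots.txt/1.php']

    if 'server' in target.header:
        server = target.header['server'].lower()
        if 'nginx' in server:

            target.server = 'Nginx'

            print_color('Test server nginx Parsing Vulnerabilities', 2)

            # host:port, preferring the domain over the bare IP
            domain = '%s:%d' % (target.f_domain or target.ip, target.port)

            code, content = get(domain, '/')
            match = re.search(r'src="(http.+?\.jpg)"', content)

            if match:
                paths.append('%s/.php' % match.group(1))
                paths.append('%s/1.php' % match.group(1))
            for p in paths:
                code, header = head(domain, p)

                # .get(): a reply without Content-Type used to raise KeyError
                if code == 200 and 'text/html' in header.get('content-type', ''):
                    print_color('the server has nginx parsing vulnerabilities',
                                1)
                    break

        elif 'apache' in server:
            target.server = 'Apache'
        elif 'iis' in server:
            target.server = 'IIS'

    print('')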
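def output(target):
    """Collect subdomain prefixes from public sources when the zone transfer was closed.

    Runs only if the AXFR module recorded ``target.axfr`` as False and a
    domain is known. Each source is scraped with a regex; a failing source
    is reported and skipped. The unique prefixes are joined to
    ``target.n_domain`` and queued for ``tPing`` workers with ``target.ip``.

    Args:
        target: scan context; reads ``axfr``, ``n_domain`` and ``ip``.

    Returns:
        None.
    """
    if not (hasattr(target, 'axfr') and not target.axfr and target.n_domain):
        return

    threads = 5
    queue = Queue.Queue()

    apis = [{
        'domain': 'www.baidu.com',
        'path': '/s?wd=site:%s&pn=0&ie=utf-8' % target.n_domain,
        'method': 'get',
        'regex': '"g">(.*?)%s' % target.n_domain
    }, {
        'domain': 'i.links.cn',
        'path': '/subdomain/',
        'method': 'post',
        # the sibling entries substitute n_domain here; a literal '%s'
        # could never match the page
        'regex': 'target=_blank>http://(.*)%s' % target.n_domain,
        'data': {
            'domain': target.n_domain,
            'b2': '1',
            'b3': '1',
            'b4': '1'
        }
    }, {
        'domain': 'www.alexa.com',
        'path': '/siteinfo/%s' % target.n_domain,
        'method': 'get',
        'regex': "word-wrap'>(.*?)%s" % target.n_domain
    }]

    print_color('find subdomain for %s..' % target.n_domain, 2)

    pix_list = []

    try:
        for api in apis:
            try:
                if api['method'] == 'get':
                    code, content = get(api['domain'], api['path'])
                    pix_list += findall(api['regex'], content)
                elif api['method'] == 'post':
                    code, content = post(api['domain'], api['path'],
                                         api['data'])
                    pix_list += findall(api['regex'], content)
            except Exception:
                # one unreachable source must not abort the others
                print_color(api['domain'] + ' Faild', 0)

        # de-duplicate while keeping first-seen order
        seen = set()
        for pix in pix_list:
            if pix in seen:
                continue
            seen.add(pix)
            queue.put('%s%s' % (pix, target.n_domain))

        workers = [tPing(queue, target.ip) for _ in range(threads)]
        for worker in workers:
            worker.start()
        for worker in workers:
            worker.join()
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')
        print_color(__name__ + ' faild', 0)

    print('')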
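def output(target):
    """Guess the server-side scripting technology and store it in ``target.script``.

    Three probes run in order, each only while the result is still
    'unknown': the X-Powered-By header; ``head`` requests for /index.asp,
    /index.aspx and /index.php; and a search-engine ``site:<host>
    inurl:<ext>`` query. The search loop does not stop at the first hit, so
    a later extension overrides an earlier one (kept as-is).

    Args:
        target: scan context; reads ``ip``, ``port``, ``f_domain``,
            ``protocol`` and ``header``; sets ``script``.

    Returns:
        None.
    """
    powereds = [{'type':'ASP/ASPX','str':'ASP.NET'}, {'type':'PHP','str':'PHP/'}]

    scripts = [
                {'type':'ASP','path':'/index.asp'},
                {'type':'ASPX','path':'/index.aspx'},
                {'type':'PHP','path':'/index.php'}
            ]

    searchs = [
                {'type':'ASP','path':'/search?q=site:%s+inurl:asp'},
                {'type':'ASPX','path':'/search?q=site:%s+inurl:aspx'},
                {'type':'PHP','path':'/search?q=site:%s+inurl:php'}
            ]

    # host:port, preferring the domain over the bare IP
    host = target.f_domain or target.ip
    domain = '%s:%d' % (host, target.port)
    print_color('Probe website %s script...'%domain, 2)
    target.script = 'unknown'

    if 'x-powered-by' in target.header:
        print_color('Test Script for %s with X-Powered-By'%target.f_domain, 2)
        for item in powereds:
            if item['str'] in target.header['x-powered-by']:
                target.script = item['type']
                break

    try:
        if target.script == 'unknown':
            print_color('Test script for %s with HTTP header'%target.f_domain, 2)
            for item in scripts:
                code,header = head(domain,item['path'],target.protocol)
                if code == 200:
                    target.script = item['type']
                    break

        if target.script == 'unknown':
            print_color('Test script for %s with search engine'%target.f_domain, 2)
            for item in searchs:
                path = item['path'] % host
                code,content = get('www.google.com.hk',path)
                match = search(r'resultStats">(.*?)<nobr>', content)
                if match:
                    target.script = item['type']
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')
        print_color(__name__+' faild', 0)

    print_color(target.script, 1)
    print('')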
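def output(target):
    """Guess the server-side scripting technology and store it in ``target.script``.

    Three probes run in order, each only while the result is still
    'unknown': the X-Powered-By header; ``head`` requests for /index.asp,
    /index.aspx and /index.php; and a search-engine ``site:<host>
    inurl:<ext>`` query. The search loop does not stop at the first hit, so
    a later extension overrides an earlier one (kept as-is).

    Args:
        target: scan context; reads ``ip``, ``port``, ``f_domain``,
            ``protocol`` and ``header``; sets ``script``.

    Returns:
        None.
    """
    powereds = [{
        'type': 'ASP/ASPX',
        'str': 'ASP.NET'
    }, {
        'type': 'PHP',
        'str': 'PHP/'
    }]

    scripts = [{
        'type': 'ASP',
        'path': '/index.asp'
    }, {
        'type': 'ASPX',
        'path': '/index.aspx'
    }, {
        'type': 'PHP',
        'path': '/index.php'
    }]

    searchs = [{
        'type': 'ASP',
        'path': '/search?q=site:%s+inurl:asp'
    }, {
        'type': 'ASPX',
        'path': '/search?q=site:%s+inurl:aspx'
    }, {
        'type': 'PHP',
        'path': '/search?q=site:%s+inurl:php'
    }]

    # host:port, preferring the domain over the bare IP
    host = target.f_domain or target.ip
    domain = '%s:%d' % (host, target.port)
    print_color('Probe website %s script...' % domain, 2)
    target.script = 'unknown'

    if 'x-powered-by' in target.header:
        print_color('Test Script for %s with X-Powered-By' % target.f_domain,
                    2)
        for item in powereds:
            if item['str'] in target.header['x-powered-by']:
                target.script = item['type']
                break

    try:
        if target.script == 'unknown':
            print_color(
                'Test script for %s with HTTP header' % target.f_domain, 2)
            for item in scripts:
                code, header = head(domain, item['path'], target.protocol)
                if code == 200:
                    target.script = item['type']
                    break

        if target.script == 'unknown':
            print_color(
                'Test script for %s with search engine' % target.f_domain, 2)
            for item in searchs:
                path = item['path'] % host
                code, content = get('www.google.com.hk', path)
                match = search(r'resultStats">(.*?)<nobr>', content)
                if match:
                    target.script = item['type']
    except Exception:
        # was a bare except, which also swallowed KeyboardInterrupt/SystemExit
        log.exception('exception')
        print_color(__name__ + ' faild', 0)

    print_color(target.script, 1)
    print('')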