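def hyuga_co():
    """Return a fresh random subdomain under the configured hyuga.co domain.

    Reads ``hyuga_domain`` / ``hyuga_token`` from the project's ``globals``
    settings module (it exposes ``get_value``/``set_value`` and shadows the
    builtin of the same name).  When both values still hold the ``xxxxxx``
    placeholder, a new identity is registered through ``hyuga_api`` and the
    returned domain/token are written back so later calls reuse them.

    Returns:
        ``"<random_md5>.<domain>"`` on success; the literal ``"bug"`` when the
        domain is a placeholder but the token is not; ``None`` when anything
        inside the try raises (the original swallowed failures the same way,
        so callers can fall back to another platform).  ``"bug"`` is truthy,
        so ``if hyuga_co():`` alone does not detect that failure.
    """
    headers_hyuga = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
        'Connection': 'close',
        'Accept': '*/*',
        'Accept-Language': 'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
    }
    hyuga_api = "http://api.hyuga.co/v1/users"
    hyuga_host = globals.get_value("hyuga_domain")
    hyuga_token = globals.get_value("hyuga_token")
    try:
        if r"xxxxxx" not in hyuga_host:
            # Domain already configured: only a random label is needed.
            return random_md5() + "." + hyuga_host
        if r"xxxxxx" not in hyuga_token:
            # Placeholder domain but a real token: nothing sensible to do.
            return "bug"
        # Neither configured: register an identity once and cache it.
        # NOTE(review): ``timeout`` is not defined in this function; it is
        # assumed to be a module-level name.  The endpoint is plain http, so
        # ``verify=False`` is a no-op today but would silently disable
        # certificate checking if the URL ever moves to https; the token in
        # the response travels in cleartext either way.
        dns = requests.post(hyuga_api, headers=headers_hyuga, timeout=timeout, verify=False)
        data = json.loads(dns.text)["data"]  # parse the body once, not twice
        hyuga_host = data["identity"]
        hyuga_token = data["token"]
        dns_host = random_md5() + "." + str(hyuga_host)
        globals.set_value("hyuga_token", hyuga_token)
        globals.set_value("hyuga_domain", hyuga_host)
        return dns_host
    except Exception:
        # Best-effort: any failure (including a None domain/token, which makes
        # the ``in`` test raise TypeError) yields None rather than an exception.
        return None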
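def dnslog_cn():
    """Return a random subdomain under a dnslog.cn domain, fetching one on first use.

    The domain handed out by ``getdomain.php`` is cached in the project's
    ``globals`` settings module (not the builtin) under ``DNS_DNSLOG_HOST`` so
    the platform is contacted only once per run.

    Returns:
        ``"<random_md5>.<domain>"`` on success, or the literal ``"error"`` when
        the request (or anything else inside the try) raises.  ``"error"`` is
        truthy: a caller that tests the result with ``if dnslog_cn():`` treats
        a failed fetch as success, so compare against ``"error"`` explicitly.
    """
    # NOTE(review): the Cookie below carries a fixed PHPSESSID.  If dnslog.cn
    # keys the issued domain and its records to that session, every copy of
    # this tool shares one session and one record inbox; not hard-coding the
    # cookie would keep runs isolated.
    headers_dnslog = {
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
        'Host': 'www.dnslog.cn',
        'Cookie': 'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
        'Accept': '*/*',
        'Referer': 'http://www.dnslog.cn/',
        'Accept-Language': 'zh-CN,zh;q=0.9',
        'Connection': 'close'
    }
    dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
    cached_host = globals.get_value("DNS_DNSLOG_HOST")
    try:
        if cached_host is None:
            # NOTE(review): ``timeout`` is not defined in this function and is
            # assumed to be module-level.  The URL is plain http, so
            # ``verify=False`` is currently a no-op but would disable
            # certificate checking after a move to https.
            dns = requests.get(dnslog_api, headers=headers_dnslog, timeout=timeout, verify=False)
            dns.raise_for_status()  # an HTTP error page is not a domain name
            cached_host = dns.text
            globals.set_value("DNS_DNSLOG_HOST", cached_host)
        # The original re-read DNS_DNSLOG_HOST here; it is the value cached above.
        return random_md5() + "." + cached_host
    except Exception:
        return "error"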
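def dismap(line):
    """Normalise one input line that may come from a dismap results file.

    Side effects: the first line containing ``"dismap"`` announces that the
    input is a dismap report and sets ``DISMAP`` in the project's ``globals``
    settings module (not the builtin) to ``"true"``; from then on each line is
    expected to carry its target inside ``{ ... }`` and only that part is
    returned.

    Returns:
        ``"######"`` for the announcing line and for separator lines; the text
        between ``{ `` and `` }`` while in dismap mode (``None`` when a line
        has none); otherwise the line unchanged.
    """
    if "dismap" in line:
        print(now.timed(de=0) + color.yel_info()
              + color.green(" The file is dismap Identification results"))
        globals.set_value("DISMAP", "true")
        return "######"
    if "######" in line:
        return "######"
    if globals.get_value("DISMAP") != "true":
        return line
    # In dismap mode only the bracketed target matters.  re.search replaces the
    # original findall()[0] inside a bare ``except`` (which also hid unrelated
    # errors) and still yields None when nothing matches.
    match = re.search(r"[{] (.*?) [}]", line)
    return match.group(1) if match else None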
def config():
    """Populate the project's ``globals`` settings module from the parsed ``args``.

    ``globals`` here is the project's key/value settings module (it shadows the
    builtin of the same name) and ``args`` is the module-level parsed command
    line; neither is defined in this function.  ``globals.init()`` runs first
    and the settings are then stored in the order listed.
    """
    default_headers = {
        'Accept': 'application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, '
                  'application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*',
        'User-agent': args.ua,
        'Content-Type': 'application/x-www-form-urlencoded',
        'Connection': 'close'
    }
    settings = [
        ("UA", args.ua),                  # user agent string
        ("VUL", None),                    # filled in later when exploitation mode is chosen
        ("CHECK", args.check),            # target liveness check switch
        ("DEBUG", args.debug),
        ("DELAY", args.delay),            # delay used by the timestamped logger
        ("DNSLOG", args.dnslog),          # which dnslog platform to use
        ("DISMAP", "flase"),              # sic: kept as-is; dismap() only tests for "true"
        ("VULMAP", str(0.9)),             # program version
        ("O_TEXT", args.O_TEXT),          # text output path
        ("O_JSON", args.O_JSON),          # json output path
        ("HEADERS", default_headers),
        ("TIMEOUT", args.TIMEOUT),
        ("THREADNUM", args.thread_num),
        # Third-party platform credentials.  "xxxxxxxxxx" is the unset
        # placeholder the rest of the code tests for; real values belong in a
        # local config file or the environment, not in committed source.
        ("ceye_domain", "xxxxxxxxxx"),
        ("ceye_token", "xxxxxxxxxx"),
        ("hyuga_domain", "xxxxxxxxxx"),   # optional: registered automatically when left unset
        ("hyuga_token", "xxxxxxxxxx"),
        ("fofa_email", "xxxxxxxxxx"),
        ("fofa_key", "xxxxxxxxxx"),
        ("shodan_key", "xxxxxxxxxx"),
    ]
    globals.init()
    for key, value in settings:
        globals.set_value(key, value)
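def control_options(args):
    """Dispatch the run according to the parsed command-line ``args``.

    Order of work: proxy setup, optional vulnerability listing, thread/debug
    notices, dnslog initialisation, output-file collision checks, then either
    poc mode (single URL, target file, fofa search or shodan search) or exp
    mode (``-v`` together with ``-u``).  Relies on module-level names that are
    not defined in this function: the ``globals`` settings module, ``now``,
    ``color``, ``core``, ``proxy_set``, ``url_check``, ``survival_check``,
    ``fofa``, ``shodan_api``, ``vul_list`` and ``dns_request``.

    Side effects: prints progress, may rewrite ``args.mode`` and ``args.url``,
    stores ``DEBUG``/``RUNALLPOC`` settings and calls ``exit(0)`` on
    configuration errors.
    """
    delay = globals.get_value("DELAY")
    now_warn = now.timed(de=delay) + color.red_warn()

    # Proxy: socks takes precedence when both are given.
    if args.socks:
        proxy_set(args.socks, "socks")
    elif args.http:
        proxy_set(args.http, "http")

    # NOTE(review): ``list`` and ``debug`` are tested with ``is False``; that
    # only makes sense if argparse stores them with store_false -- confirm.
    if args.list is False:
        print(now.timed(de=0) + color.yel_info() + color.yellow(" List of supported vulnerabilities"))
        print(vul_list())
    if args.thread_num != 10:  # 10 is the implied default thread count
        print(now.timed(de=0) + color.yel_info() + color.yellow(" Custom thread number: " + str(args.thread_num)))
    if args.vul is not None:  # -v implies exploitation mode
        args.mode = "exp"
    if args.debug is False:
        print(now.timed(de=delay) + color.yel_info() + color.yellow(" Using debug mode to echo debug information"))
        globals.set_value("DEBUG", "debug")

    # Initialise the dnslog platform once.  Several of dns_request()'s failure
    # results are truthy strings, so this warning only catches a None result.
    if not dns_request():
        print(now_warn + color.red(" Dnslog platform (hyuga.co dnslog.cn ceye.io) is not available"))

    # Refuse to clobber existing output files.  The text-file message used to
    # say "json file"; fixed.
    # NOTE(review): exit(0) on an error leaves scripts unable to detect
    # failure; a non-zero status would be the convention.
    if args.O_TEXT and os.path.isfile(args.O_TEXT):
        print(now.timed(de=delay) + color.red_warn() + color.red(" The text file: [" + args.O_TEXT + "] already exists"))
        exit(0)
    if args.O_JSON and os.path.isfile(args.O_JSON):
        print(now.timed(de=delay) + color.red_warn() + color.red(" The json file: [" + args.O_JSON + "] already exists"))
        exit(0)

    if args.mode is None or args.mode == "poc":
        _run_poc_mode(args, delay)
    elif args.mode == "exp":
        if args.vul is not None and args.url is not None:
            core.control_webapps("url", args.url, args.vul, "exp")
        else:
            print(now_warn + color.red(" Options error, -v must specify -u"))
    else:
        print(now_warn + color.red(" Options error ... ..."))


def _run_poc_mode(args, delay):
    """Pick the target source for poc mode, run it, then report output paths."""
    if args.url is not None and args.file is None:
        _poc_single_url(args)
    elif args.file is not None and args.url is None:
        _poc_target_file(args)
    elif args.url is None and args.file is None and args.fofa is not None:
        _poc_fofa(args)
    elif args.url is None and args.file is None and args.shodan is not None:
        _poc_shodan(args)
    if args.O_TEXT:
        print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result text saved to: " + args.O_TEXT))
    if args.O_JSON:
        print(now.timed(de=delay) + color.yel_info() + color.cyan(" Scan result json saved to: " + args.O_JSON))


def _poc_single_url(args):
    """Scan one URL (``-u``); a failed survival check aborts the whole run."""
    args.url = url_check(args.url)  # url_check() reformats the url (defined elsewhere)
    if survival_check(args.url) == "f":
        print(now.timed(de=0) + color.red_warn() + color.red(" Survival check failed: " + args.url))
        exit(0)
    print(now.timed(de=0) + color.yel_info() + color.cyan(" Start scanning target: " + args.url))
    if args.app is None:
        # No -a given: every webapp poc runs; RUNALLPOC=True tells the core so.
        globals.set_value("RUNALLPOC", True)
    core.control_webapps("url", args.url, args.app, "poc")


def _poc_target_file(args):
    """Batch-scan every target listed in ``args.file`` (``-f``)."""
    if not os.path.isfile(args.file):
        print(now.timed(de=0) + color.red_warn() + color.red(" Not found target file: " + args.file))
        exit(0)
    print(now.timed(de=0) + color.yel_info() + color.cyan(" Start batch scanning target: " + args.file))
    if args.app is None:
        globals.set_value("RUNALLPOC", "FILE")  # all webapps over a file of targets
    core.control_webapps("file", args.file, args.app, "poc")


def _poc_fofa(args):
    """Pull targets from the fofa API (``--fofa``) and scan them."""
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Use fofa api to search [" + args.fofa + "] and start scanning"))
    if r"xxxxxx" in globals.get_value("fofa_key"):  # credentials still the placeholder
        print(now.timed(de=0) + color.red_warn() + color.red(" Check fofa email is xxxxxx Please replace key and email"))
        print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://fofa.so/user/users/info find key and email"))
        print(now.timed(de=0) + color.red_warn() + color.red(" How to use key and email reference https://github.com/zhzyker/vulmap"))
        exit(0)
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa email: " + globals.get_value("fofa_email")))
    # NOTE(review): this echoes the API key to the console and to any captured
    # log; printing only a masked form would avoid leaking it.
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Fofa key: " + globals.get_value("fofa_key")))
    fofa_list = fofa(args.fofa, args.size)
    # Both branches of the original ``if args.app is None`` made this same call.
    core.control_webapps("fofa", fofa_list, args.app, "poc")


def _poc_shodan(args):
    """Pull targets from the shodan API (``--shodan``) and scan them."""
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Use shodan api to search [" + args.shodan + "] and start scanning"))
    if r"xxxxxx" in globals.get_value("shodan_key"):  # key still the placeholder
        print(now.timed(de=0) + color.red_warn() + color.red(" Check shodan key is xxxxxx Please replace key"))
        print(now.timed(de=0) + color.red_warn() + color.red(" Go to https://account.shodan.io/ find key"))
        print(now.timed(de=0) + color.red_warn() + color.red(" How to use key reference https://github.com/zhzyker/vulmap"))
        exit(0)
    # NOTE(review): the API key is echoed to the console here as well.
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Shodan key: " + globals.get_value("shodan_key")))
    shodan_list = shodan_api(args.shodan)
    # Both branches of the original ``if args.app is None`` made this same call.
    core.control_webapps("shodan", shodan_list, args.app, "poc")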
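def dns_request():
    """Initialise the dnslog platform and return one random subdomain for it.

    ``DNSLOG`` (read from the project's ``globals`` settings module, which
    shadows the builtin) selects the platform: ``"auto"`` tries hyuga.co, then
    dnslog.cn, then the user's ceye.io domain and records the winner under
    ``AUTO_DNSLOG``; a value containing ``hyuga``/``dnslog``/``ceye`` forces
    that platform.

    Returns:
        A ``"<random_md5>.<domain>"`` string on success.  Failure values are
        platform specific and, apart from ``None``, all truthy: ``"no dnslog"``
        when nothing could be selected, ``"error"`` from dnslog.cn, ``"bug"``
        from hyuga.co, and in the forced-hyuga branch ``str(None)``, i.e.
        ``"None"``.  Callers should not rely on plain truthiness for failure.
    """
    timeout = globals.get_value("TIMEOUT")
    dnslog = globals.get_value("DNSLOG")

    def ceye_io():
        """Random subdomain under the configured ceye.io domain, else None."""
        ceye_host = globals.get_value("ceye_domain")
        if r"xxxxxx" not in ceye_host:
            return random_md5() + "." + ceye_host
        return None

    def dnslog_cn():
        """Random subdomain under a dnslog.cn domain (fetched once), or "error"."""
        # NOTE(review): a fixed PHPSESSID is sent; if dnslog.cn keys the issued
        # domain and its records to that session, every copy of this tool
        # shares one session and one record inbox.
        headers_dnslog = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Host': 'www.dnslog.cn',
            'Cookie': 'UM_distinctid=1703200149e449-053d4e8089c385-741a3944-1fa400-1703200149f80a; PHPSESSID=jfhfaj7op8u8i5sif6d4ai30j4; CNZZDATA1278305074=1095383570-1581386830-null%7C1581390548',
            'Accept': '*/*',
            'Referer': 'http://www.dnslog.cn/',
            'Accept-Language': 'zh-CN,zh;q=0.9',
            'Connection': 'close'
        }
        dnslog_api = "http://www.dnslog.cn/getdomain.php?t=0.08025501698741366"
        cached_host = globals.get_value("DNS_DNSLOG_HOST")
        try:
            if cached_host is None:
                # Plain-http endpoint: verify=False is a no-op today but would
                # disable certificate checking after a move to https.
                dns = requests.get(dnslog_api, headers=headers_dnslog, timeout=timeout, verify=False)
                dns.raise_for_status()  # an HTTP error page is not a domain name
                cached_host = dns.text
                globals.set_value("DNS_DNSLOG_HOST", cached_host)
            return random_md5() + "." + cached_host
        except Exception:
            return "error"

    def hyuga_co():
        """Random subdomain under the hyuga.co identity, registering one if needed.

        Returns the subdomain, "bug" (placeholder domain but a real token) or
        None when anything inside the try raises.
        """
        headers_hyuga = {
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36',
            'Connection': 'close',
            'Accept': '*/*',
            'Accept-Language': 'zh,zh-TW;q=0.9,en-US;q=0.8,en;q=0.7,zh-CN;q=0.6'
        }
        hyuga_api = "http://api.hyuga.co/v1/users"
        hyuga_host = globals.get_value("hyuga_domain")
        hyuga_token = globals.get_value("hyuga_token")
        try:
            if r"xxxxxx" not in hyuga_host:
                return random_md5() + "." + hyuga_host
            if r"xxxxxx" not in hyuga_token:
                return "bug"
            # Neither configured: register once and cache domain + token.  The
            # endpoint is plain http, so verify=False is a no-op today and the
            # token is received in cleartext.
            dns = requests.post(hyuga_api, headers=headers_hyuga, timeout=timeout, verify=False)
            data = json.loads(dns.text)["data"]  # parse once, not twice
            hyuga_host = data["identity"]
            hyuga_token = data["token"]
            dns_host = random_md5() + "." + str(hyuga_host)
            globals.set_value("hyuga_token", hyuga_token)
            globals.set_value("hyuga_domain", hyuga_host)
            return dns_host
        except Exception:
            return None

    def usable(result):
        """Auto mode: the platforms' truthy failure sentinels count as failures."""
        return bool(result) and result not in ("error", "bug")

    if dnslog == "auto":
        # One call per platform; the original called each probe twice (once as
        # a liveness test, once for the value) and accepted the truthy "error"
        # string from dnslog.cn as a working platform.
        dns_req = hyuga_co()
        if usable(dns_req):
            globals.set_value("AUTO_DNSLOG", "hyuga")
            return dns_req
        dns_req = dnslog_cn()
        if usable(dns_req):
            globals.set_value("AUTO_DNSLOG", "dnslog")
            return dns_req
        dns_req = ceye_io()
        if usable(dns_req):
            globals.set_value("AUTO_DNSLOG", "ceye")
            return dns_req
        print(now.timed(de=0) + color.red_warn() + color.red(
            " The dnslog platform cannot be used, please check the current network"))
        return "no dnslog"
    if r"hyuga" in dnslog:
        # NOTE(review): str() turns a None failure into the truthy string "None";
        # kept because callers may expect a str here.
        return str(hyuga_co())
    if r"dnslog" in dnslog:
        return dnslog_cn()
    if r"ceye" in dnslog:
        if r"xxxxxx" in globals.get_value("ceye_domain"):
            print(now.timed(de=0) + color.red_warn() + color.red(
                " Ceye.io domain and token are incorrectly configured"))
            exit(0)
        return ceye_io()
    return "no dnslog"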
def config():
    """Initialise the project's ``globals`` settings module from ``args``.

    ``globals`` is the project's key/value settings module (shadowing the
    builtin) and ``args`` the module-level parsed command line; neither is
    defined in this function.  ``globals.init()`` runs first, then every
    setting is stored in the order listed.
    """
    request_headers = {
        'Accept': 'application/x-shockwave-flash, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, '
                  'application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*',
        'User-agent': args.ua,
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    globals.init()
    store = globals.set_value
    store("UA", args.ua)
    store("VUL", args.vul)            # non-None selects exploitation mode
    store("DEBUG", args.debug)
    store("DELAY", args.delay)        # delay used by the timestamped logger
    store("VULMAP", str(0.6))         # program version
    store("O_TEXT", args.O_TEXT)      # text output path
    store("O_JSON", args.O_JSON)      # json output path
    store("HEADERS", request_headers)
    store("TIMEOUT", args.TIMEOUT)
    store("THREADNUM", args.thread_num)
    # NOTE(review): a concrete ceye.io identifier and API token are committed
    # here instead of the "xxxxxxxxxx" placeholder the rest of the code
    # recognises.  The token is what ``ceye_api`` uses to read DNS records, so
    # anyone with this source shares that access; treat it as exposed, rotate
    # it, and load the real values from a local config file or environment
    # variable rather than source control.
    store("ceye_domain", "6eb4yw.ceye.io")
    store("ceye_token", "2490ae17e5a04f03def427a596438995")
    store("ceye_api", "http://api.ceye.io/v1/records?type=dns&token=")
    # fofa / shodan credentials: "xxxxxxxxxx" is the unset placeholder.
    store("fofa_email", "xxxxxxxxxx")
    store("fofa_key", "xxxxxxxxxx")
    store("shodan_key", "xxxxxxxxxx")