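 def runpocwithsysname(self, keyword):
     """Run every host PoC whose ``vulname`` matches *keyword* against ``self.host:self.port``.

     PoC names are read from ``hostexploit``, pushed onto ``self.queue`` and handed
     to ``self.Consumer`` greenlets; whatever the consumers leave in ``self.vulns``
     is inserted into ``hostvulnlist`` and the list is cleared.  Any exception is
     logged as critical and swallowed, like the other runpoc* entry points.

     :param keyword: substring matched against ``vulname`` with LIKE.
     """
     try:
         self.loadmodule()
         # Everything interpolated into SQL is escaped.  keyword is operator input,
         # but the vuln records below are produced while probing a remote target,
         # so payload/proof/exception/host/port may carry attacker-chosen bytes.
         # NOTE(review): escape_string does not neutralise LIKE wildcards (% / _);
         # they can widen the match but cannot break out of the quoted literal.
         sql = 'SELECT poc from hostexploit WHERE vulname like "%{}%"'.format(
             pymysql.escape_string(str(keyword)))
         poclist = [item['poc'] for item in db().execute(sql)]
         for poc in poclist:
             self.queue.put_nowait(poc)
         mylog('hostexploit', True).log.info(pyfancy().green(
             '[+]针对目标:{0}:{1} 加载{2} hostpoc {3}个'.format(
                 self.host, self.port, keyword, len(poclist))))
         threads = [gevent.spawn(self.Consumer, poc) for poc in poclist]
         gevent.joinall(threads)
         for vuln in self.vulns:
             sqlstr = ('INSERT INTO hostvulnlist (vulnhost, vulnport, vulnname, isvul, '
                       'payload, proof, exception) VALUE '
                       '("{0}", "{1}", "{2}", "{3}", "{4}", "{5}", "{6}")').format(
                 pymysql.escape_string(str(vuln['vulnhost'])),
                 pymysql.escape_string(str(vuln['vulnport'])),
                 pymysql.escape_string(str(vuln['vulnname'])),
                 pymysql.escape_string(str(vuln['isvul'])),
                 pymysql.escape_string(str(vuln['payload'])),
                 # proof was the one target-derived column left unescaped here,
                 # although the web variant escapes it.
                 pymysql.escape_string(str(vuln['proof'])),
                 pymysql.escape_string(str(vuln['exception'])))
             db().execute(sqlstr)
             mylog('hostexploit').log.debug(pyfancy().magenta(
                 '[*] {0}'.format(json.dumps(vuln, indent=4))))
         self.vulns = []
     except Exception as e:
         mylog('hostexploit').log.critical(pyfancy().red(e))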
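 def runpocwithcmsname(self, keyword):
     """Run every web PoC whose ``vulname`` matches *keyword* against ``self.url``.

     PoC names are read from ``webexploit`` and executed by ``self.pocexec`` on a
     gevent pool of ``self.threads`` workers; the records the PoCs leave in
     ``self.vulns`` are inserted into ``webvulnlist`` and the list is cleared.
     Any exception is logged as critical and swallowed.

     :param keyword: substring matched against ``vulname`` with LIKE.
     """
     try:
         pool = Pool(self.threads)
         self.loadmodule()
         # keyword and self.url are operator input; the vuln records come back from
         # the target, so every interpolated value is escaped (the original left
         # keyword, url and vulnname raw).
         # NOTE(review): escape_string does not neutralise LIKE wildcards (% / _).
         sql = 'SELECT poc FROM webexploit WHERE vulname LIKE "%{}%"'.format(
             pymysql.escape_string(str(keyword)))
         poclist = [item['poc'] for item in db().execute(sql)]
         mylog('webexploit', True).log.info(pyfancy().green(
             '[+]针对目标:{0} 加载{1} webpoc {2}个'.format(self.url, keyword,
                                                    len(poclist))))
         threads = [pool.spawn(self.pocexec, poc) for poc in poclist]
         gevent.joinall(threads)
         for vuln in self.vulns:
             db().execute(
                 'INSERT INTO webvulnlist (url, vulname, vulnurl, isvul, payload, proof, exception) VALUE ("{0}", "{1}", "{2}", "{3}", "{4}", "{5}", "{6}")'
                 .format(pymysql.escape_string(str(self.url)),
                         pymysql.escape_string(str(vuln['vulnname'])),
                         pymysql.escape_string(str(vuln['vulnurl'])),
                         pymysql.escape_string(str(vuln['isvul'])),
                         pymysql.escape_string(str(vuln['payload'])),
                         pymysql.escape_string(str(vuln['proof'])),
                         pymysql.escape_string(str(vuln['exception']))))
             mylog('webexploit').log.debug(pyfancy().magenta(
                 '[*] {}'.format(json.dumps(vuln, indent=4))))
         self.vulns = []
     except Exception as e:
         mylog('webexploit').log.critical(pyfancy().red(e))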
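 def routineudp(self, port):
     """Fingerprint UDP *port* on ``self.host`` with nmap and store the result in ``hostrecon``.

     The nmap call runs outside the try block, as before, so a scanner failure
     propagates to the caller; only the database insert is guarded.

     :param port: UDP port number to probe.
     """
     service = self.hostrecon.useNmapServUDP(port)
     try:
         # service is built from a remote host's responses; project/host/port come
         # from the operator.  All four are escaped instead of only service.
         sqlstr = 'INSERT INTO hostrecon (Project, Host, Port, Service) VALUE ("{0}", "{1}", "{2}", "{3}")'.format(
             pymysql.escape_string(str(self.project)),
             pymysql.escape_string(str(self.host)),
             pymysql.escape_string(str(port)),
             pymysql.escape_string(str(service)))
         db().execute(sqlstr)
     except Exception as e:
         mylog('hostprint').log.critical(pyfancy().red(e))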
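    def runexplore(self, url):
        """Collect web reconnaissance for *url* and persist one ``webrecon`` row.

        Runs the CDN / dig / whois / builtwith / CDN-WAF / wappalyzer / whatweb /
        header-security probes of ``explore`` plus the IP-location lookup, then
        inserts the results under ``self.project``.  The dead HTML-report
        template that used to sit here as a bare string literal has been dropped.

        :param url: target URL handed to ``explore``.  NOTE(review): the probes
            run against ``url`` but the row is keyed on ``self.url`` — confirm the
            two are always the same value.
        """
        mylog('webprint',
              True).log.info(pyfancy().green('[+]执行web信息收集: {}'.format(url)))
        runApp = explore(url)
        cdnheader = runApp.useCDNHeader()
        dig = runApp.useDig()
        getheaders = runApp.header
        whois = runApp.useWhois()
        builtwith = runApp.useBuiltwith()
        mycdn = runApp.myCdnWaf()
        wappalyzer = runApp.useWappalyzer()
        whatweb = runApp.useWhatweb()
        hsec = runApp.hsecscan()
        iprecon = judgement(self.url).iplocation()

        # Persist to the database.  Every column is escaped: most values are built
        # from the target's own responses (headers, page content), so a hostile
        # server could otherwise break out of the quoted literals.  The original
        # left Project, URL, cdnheader and Dig unescaped.
        columns = (self.project, self.url, cdnheader, dig, getheaders, whois,
                   builtwith, mycdn, wappalyzer, whatweb, hsec, iprecon)
        sqlstr = ('INSERT INTO webrecon (Project, URL, cdnheader, Dig, Headers, Whois, '
                  'Builtwith, Mycdn, wappalyzer, Whatweb, Hsec, Iprecon) VALUE '
                  '("{0}", "{1}", "{2}", "{3}", "{4}", "{5}", "{6}", "{7}", "{8}", "{9}", "{10}", "{11}")'
                  ).format(*(pymysql.escape_string(str(value)) for value in columns))
        db().execute(sqlstr)
        mylog('webprint',
              True).log.info(pyfancy().green('[*]结束web信息收集: {}'.format(url)))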
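	def do_show(self, args):
		"""Console command: ``show poc <vulname>`` prints a PoC's source, ``show vuldb <id>`` an exploitdb entry.

		Fixes over the original: a single-token argument no longer raises
		IndexError; the type is compared with ``==`` instead of the substring test
		``type in 'poc'`` (which also accepted '', 'p' and 'oc'); an empty query
		result no longer raises IndexError; and the exploitdb id must be an
		integer before it is placed, unquoted, in SQL.
		NOTE(review): the poc lookup still interpolates the operator-supplied name
		into SQL; parameterise it if the ``db()`` wrapper supports bound values.
		"""
		if len(str(args)) == 0:
			cprint('[!]命令show用法:\n\tshow [poc] vulname', 'red')
			return
		tokens = args.split()
		if len(tokens) < 2:
			cprint('[!]命令show用法:\n\tshow [poc/vuldb] vulname', 'red')
			return
		kind, showname = tokens[0], tokens[1]
		database = db()
		if kind == 'poc':
			sqlstring = 'SELECT poc FROM (SELECT poc FROM webexploit WHERE vulname="{0}") AS t1 UNION ALL SELECT poc FROM (SELECT poc FROM hostexploit WHERE vulname="{1}") AS t2'.format(
				showname, showname)
			show_result = database.execute(sqlstring)
			sourcecode = show_result[0]['poc'] if show_result else None
			if sourcecode is None:
				cprint('[!] Wooo! 没有poc代码!!!', 'red')
			else:
				print('\n')
				runhighlighting(sourcecode)
				print('\n')

		elif kind == 'vuldb':
			# id is compared unquoted, so anything but digits is rejected up front.
			if not showname.isdigit():
				cprint('[!]命令show用法:\n\tshow [poc/vuldb] vulname', 'red')
				return
			sqlstring = 'SELECT filed FROM exploitdb WHERE id={0}'.format(int(showname))
			show_result = database.execute(sqlstring)
			if not show_result:
				cprint('[!] Wooo! 没有poc代码!!!', 'red')
				return
			exploitcode = show_result[0]['filed']
			print('\n')
			try:
				runhighlighting(exploitcode)
			except Exception:
				# Fall back to rendering the entry as a plain string block.
				runhighlighting('"""\n{0}\n"""'.format(exploitcode))
			print('\n')

		else:
			cprint('[!]命令show用法:\n\tshow [poc/vuldb] vulname', 'red')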
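	def do_status(self, instance=None):
		"""Print a status table for the database and the fingerprint / PoC modules.

		Fixes over the original: the database-size query added INDEX_LENGTH in
		bytes to DATA_LENGTH in megabytes (``a + b/(1024*1024)``); and the
		"table loaded?" checks indexed ``[0]`` unconditionally, so a missing table
		raised IndexError instead of reporting '未加载'.  Counts are only queried
		for tables that exist.

		:param instance: present for the cmd ``do_*`` signature; unused.
		"""
		tb = pt.PrettyTable()
		tb.field_names = ['实例类型', '实例状态', '实例值']
		database = db()

		def table_loaded(name):
			"""Return True if *name* is listed in information_schema.TABLES."""
			rows = database.execute(
				'SELECT table_name FROM information_schema.TABLES WHERE table_name ="{}"'.format(name))
			return bool(rows) and rows[0]['TABLE_NAME'] == name

		def status(loaded):
			return '已加载' if loaded else '未加载'

		# MySQL state
		dbstatus = '已连接' if database.connectdb() else '未连接'
		dbsize = database.execute(
			'SELECT CONCAT(ROUND((SUM(INDEX_LENGTH)+SUM(DATA_LENGTH))/(1024*1024),2),"MB") AS "数据库容量" FROM information_schema.tables WHERE table_schema="SatanSword"')[
			0]
		tb.add_row(['MySQL', dbstatus, dbsize])

		# CMS fingerprint module
		cms_loaded = table_loaded('cmsprint')
		cms_info = {}
		if cms_loaded:
			count = database.execute('SELECT COUNT(DISTINCT(cmsname)) AS "cms种类" FROM cmsprint')[0]
			checksum_num = database.execute('SELECT count(*) AS "Md5指纹" FROM cmsprint WHERE checksum !=""')[0]
			keyword_num = database.execute('SELECT count(*) AS "正则指纹" FROM cmsprint WHERE keyword !=""')[0]
			cms_info = dict(**count, **checksum_num, **keyword_num)
		tb.add_row(['CMS指纹识别模块', status(cms_loaded), cms_info])

		# CDN/WAF module (in-memory dict, always available)
		cdnwafdict = cdnwafidentity().cdnwafdb
		printcount = sum(len(item) for item in cdnwafdict.values())
		tb.add_row(['CDN/WAF模块', '已加载', dict(**{"cdn/waf种类": len(cdnwafdict)}, **{"cdn/waf指纹": printcount})])

		# WEB PoC module
		web_loaded = table_loaded('webexploit')
		web_info = {}
		if web_loaded:
			poccount = database.execute('SELECT COUNT(DISTINCT(vulname)) AS "可利用poc数" FROM webexploit')[0]
			web_info = dict(**poccount)
		tb.add_row(['CMS漏洞验证模块', status(web_loaded), web_info])

		# HOST PoC module
		host_loaded = table_loaded('hostexploit')
		host_info = {}
		if host_loaded:
			poccount = database.execute('SELECT COUNT(DISTINCT(vulname)) AS "可利用poc数" FROM hostexploit')[0]
			expcount = database.execute('SELECT COUNT(DISTINCT(exp)) AS "可利用exp数" FROM hostexploit')[0]
			host_info = dict(**poccount, **expcount)
		tb.add_row(['HOST漏洞验证模块', status(host_loaded), host_info])

		cprint(tb, 'yellow')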
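	def webexeccheck(self, url):
		"""Print every ``webvulnlist`` row flagged ``isvul="True"`` for *url*.

		:param url: a single URL string or a list of them.  An empty list now
			prints an empty table; before it produced ``url in ()``, which MySQL
			rejects as a syntax error.
		NOTE(review): the URLs are interpolated into SQL with only single quotes
		around them; no escaping helper is in scope in this view, so parameterise
		the query if the ``db()`` wrapper supports it.
		"""
		if isinstance(url, list):
			if url:
				sqlstring = 'SELECT * FROM webvulnlist WHERE isvul="True" AND url in ({})'.format(
					','.join(["'%s'" % x for x in url]))
				show_result = db().execute(sqlstring)
			else:
				show_result = []
		else:
			sqlstring = 'SELECT * FROM webvulnlist WHERE isvul="True" AND url="{}"'.format(url)
			show_result = db().execute(sqlstring)
		tb = pt.PrettyTable()
		tb.field_names = ['URL', 'VULNAME', 'VURL', 'ISVUL', 'PAYLOAD', 'PROOF', 'EXCEPTION']
		for item in show_result:
			tb.add_row([item['url'], item['vulname'], item['vulnurl'], item['isvul'], item['payload'], item['proof'],
			            item['exception']])
		cprint(tb, 'red')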
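	def hostexeccheck(self, host):
		"""Print every ``hostvulnlist`` row flagged ``isvul="True"`` for *host*.

		:param host: a single host string or a list of them.  An empty list now
			prints an empty table; before it produced ``vulnhost in ()``, which
			MySQL rejects as a syntax error.
		NOTE(review): hosts are interpolated into SQL with only single quotes
		around them; no escaping helper is in scope in this view, so parameterise
		the query if the ``db()`` wrapper supports it.
		"""
		if isinstance(host, list):
			if host:
				sqlstring = 'SELECT * FROM hostvulnlist WHERE isvul="True" AND vulnhost in ({})'.format(
					','.join(["'%s'" % x for x in host]))
				show_result = db().execute(sqlstring)
			else:
				show_result = []
		else:
			sqlstring = 'SELECT * FROM hostvulnlist WHERE isvul="True" AND vulnhost="{}"'.format(host)
			show_result = db().execute(sqlstring)
		tb = pt.PrettyTable()
		tb.field_names = ['HOST', 'PORT', 'VULNAME', 'ISVUL', 'PAYLOAD', 'PROOF', 'EXCEPTION']
		for item in show_result:
			tb.add_row(
				[item['vulnhost'], item['vulnport'], item['vulnname'], item['isvul'], item['payload'], item['proof'],
				 item['exception']])
		cprint(tb, 'red')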
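	def do_search(self, args):
		"""Console command: ``search <keyword>`` lists PoCs from both exploit tables whose name contains *keyword*.

		Whitespace-only input used to pass the length check and then raise
		IndexError on ``split()[0]``; it now prints the usage line instead.
		NOTE(review): keyword goes into a LIKE pattern unescaped (no escaping helper
		is in scope here) — ``%`` / ``_`` act as wildcards and a ``"`` can alter the
		statement; parameterise if the ``db()`` wrapper allows it.
		"""
		tokens = str(args).split()
		if not tokens:
			cprint('[!]命令search用法:\n\tsearch keyword', 'red')
			return
		database = db()
		keyword = tokens[0]
		# webexploit and hostexploit are searched together with a UNION ALL.
		sqlstring = 'SELECT vulname, description, level, param FROM (SELECT vulname, description, level, param FROM webexploit WHERE vulname LIKE "%{0}%") AS t1 UNION ALL SELECT vulname, description, level, param FROM (SELECT vulname, description, level, param FROM hostexploit WHERE vulname LIKE "%{1}%") AS t2'.format(
			keyword, keyword)
		search_result = database.execute(sqlstring)
		tb = pt.PrettyTable()
		tb.field_names = ['漏洞名称', '漏洞描述', '漏洞等级', '传递参数']
		for item in search_result:
			tb.add_row([item['vulname'], item['description'], item['level'], item['param']])
		cprint(tb, 'magenta', attrs=['bold'])
		cprint("[+]"+"="*20+"|        搜索到{0}个POC        |".format(len(search_result))+"="*20, "green")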
    def useScript(self, port):
        """Run every ``servicepoc`` script from ``hostprint`` against ``self.host``.

        The scripts are executed by ``self.pocexec`` on a 20-greenlet pool; the
        entries they leave in ``self.prints`` with a true ``isService`` are
        collected and printed.  Failures are logged as critical and swallowed.

        :param port: stored on ``self.tport`` for the scripts to read.
        """
        self.tport = port
        mylog('hostprint', True).log.info(pyfancy().green('[+]执行自定义脚本探测系统服务: {}'.format(self.host)))
        pool = Pool(20)
        matched = []
        self.loadmodule()
        scripts = []
        try:
            rows = db().execute('SELECT servicepoc FROM hostprint')
            scripts = [row['servicepoc'] for row in rows]
            jobs = [pool.spawn(self.pocexec, script) for script in scripts]
            gevent.joinall(jobs)
            matched = [entry for entry in self.prints if entry['isService']]
            print(matched)

        except Exception as e:
            mylog('hostprint').log.critical(e)
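    def useCmsprint(self, proxy):
        """Identify the CMS behind ``self.url`` from the ``cmsprint`` fingerprint table.

        Two passes: (1) request every known static-file path and compare the
        response checksum with the stored md5 values; (2) request every known
        home path and run the stored keyword regex against it.  The request
        fan-out, previously duplicated for both passes, lives in ``_probe_paths``.

        :param proxy: when true, discover proxies with ``findProxy`` once and
            send every request through them.
        :return: de-duplicated list of matching CMS names (possibly empty).
        """
        mylog('webprint', True).log.info(pyfancy().green(
            '[+]执行cms识别通用系统信息: {}'.format(self.url)))
        cmsname = []

        # Pass 1: md5 of static files.
        static_paths = self._cmsprint_paths('staticurl')
        if proxy:
            # Proxy discovery happens once, before the first batch, as before.
            proxyclass = findProxy()
            proxyclass.search()
            proxyclass.connectest(self.url)
            self.proxies = proxyclass.proxylist
        checksumlist = self._probe_paths(static_paths, proxy)
        if checksumlist:
            cms_set = db().execute(
                'SELECT cmsname, staticurl, checksum FROM cmsprint WHERE staticurl!=""'
            )
            for text in (urlparse(item)[2] for item in checksumlist):
                # NOTE(review): getchecksum receives only the path; presumably it
                # looks up the body fetched by the probe above — confirm.
                md5sum = self.getchecksum(text)
                for item in cms_set:
                    if md5sum in item['checksum']:
                        cmsname.append(item['cmsname'])
                        mylog('cmsprint').log.debug(pyfancy().blue(
                            '匹配到cms: {0} {1}'.format(item['cmsname'],
                                                     item['checksum'])))

        # Pass 2: keyword regex on known pages.
        home_paths = self._cmsprint_paths('homeurl')
        preglist = self._probe_paths(home_paths, proxy)
        if preglist:
            cms_set = db().execute(
                'SELECT cmsname, homeurl, keyword FROM cmsprint WHERE homeurl!=""'
            )
            for text in (urlparse(item)[2] for item in preglist):
                for item in cms_set:
                    if item['homeurl'] in text:
                        if self.pregmatch(text, item['keyword']):
                            cmsname.append(item['cmsname'])
                            mylog('cmsprint').log.debug(pyfancy().blue(
                                '匹配到cms: {0} {1} {2}'.format(
                                    item['cmsname'], item['homeurl'],
                                    item['keyword'])))

        return list(set(cmsname))

    def _cmsprint_paths(self, column):
        """Return the distinct, non-empty values of *column* from ``cmsprint``.

        :param column: a fixed column name chosen by this class ('staticurl' or
            'homeurl'), never user input.
        """
        rows = db().execute("SELECT {} FROM cmsprint".format(column))
        return list(set(filter(None, (row[column] for row in rows))))

    def _probe_paths(self, paths, proxy):
        """Request ``self.url + path`` for every path and return the distinct non-empty hits.

        Uses HEAD requests when ``check404`` accepts the site, otherwise records
        the 404 body length and falls back to GET, through the proxy variants of
        the senders when *proxy* is true.  Whatever the send* methods return
        (URLs, judging by the ``urlparse`` applied by the caller) is collected.
        """
        urls = [self.url + path for path in paths]
        pool = Pool(30)
        if proxy:
            head, get = self.sendproxyrequesthead, self.sendproxyrequestget
        else:
            head, get = self.sendrequesthead, self.sendrequestget
        if self.check404(self.url):
            hits = pool.map(head, urls)
        else:
            self.get404length(self.url)
            hits = pool.map(get, urls)
        return list(set(filter(None, hits)))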