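def atask():
    """Create a scan task from the submitted form and queue its scans.

    The form and the URL format are validated, a ``Task`` owned by
    ``g.cms_user`` is stored, and the URL is probed with ``unabletouch``.
    A truthy probe result with ``number == 1`` queues the web and host
    scans; a falsy result closes the task with an "unreachable" result.

    The state and result written after the first commit are committed
    explicitly. The original left them pending on the session, so they
    were only saved if something else committed later.
    """
    form = AddTaskFoem(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    url = form.url1.data
    # TODO: also validate in the front end. Keep this server-side check;
    # client-side validation can be bypassed.
    # NOTE(review): url is caller-supplied and is probed from the server;
    # whether match_url rejects loopback/internal targets is not visible
    # here - confirm.
    if not match_url(url=url):
        return field.params_error(message='URL格式不正确!')

    cycle = form.cycle.data
    number = form.number.data
    task = Task(url=url, cycle=IntToString(cycle), number=number,
                user_id=g.cms_user.id, referer='WEB')
    db.session.add(task)
    db.session.commit()

    if unabletouch(url=url):  # probe result is truthy: target can be scanned
        if number == 1:
            task.state = 'State.ING_SCAN'
            # Persist the state before dispatching so a fast worker's own
            # update is not overwritten by a later commit from this request.
            db.session.commit()
            web_scan.delay(url=url, taskid=task.task_id)
            host_scan.delay(url=url, taskid=task.task_id)
        return field.success(message='添加任务成功!')

    # Target not reachable: finish the task immediately with that result.
    task.state = 'State.FINISH_SCAN'
    task.result = str({'status': 'finish', 'reason': 'URL不可达,无法进行扫描'})
    db.session.commit()
    return field.success(message='添加任务完成!')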
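def get(self):
    """Generate, delete or rotate the current user's API secret key.

    The ``type`` query argument selects the action: ``'1'`` generates a
    key, ``'2'`` clears it, ``'3'`` replaces it. A missing or unrecognised
    value is answered with a parameter error; the original fell through
    and returned ``None`` for some of those inputs.
    """
    # action -> (issue a fresh key?, success message)
    actions = {
        '1': (True, '生成密钥成功!'),
        '2': (False, '删除密钥成功!'),
        '3': (True, '更新密钥成功!'),
    }
    action = request.args.get('type')
    if action not in actions:
        return field.params_error(message='没有接收到请求!')

    issue_new, message = actions[action]
    user = g.cms_user
    # NOTE(review): this changes the key on a GET request; confirm the
    # route cannot be triggered cross-site. secrets.token_urlsafe() is the
    # conventional source for API keys, but it would change the key format.
    user.secret_key = str(uuid.uuid4()) if issue_new else ''
    db.session.add(user)
    db.session.commit()
    return field.success(message=message)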
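def addzc():
    """Create ``Asset`` rows from finished tasks whose URL is not yet an asset.

    Runs only when the ``flag`` query argument is ``'1'``. Each finished
    task with ``is_add=1`` and at least one stored result is parsed with
    ``field.result_parse``; a new asset is stored when the task URL is not
    already known. The response reports how many assets were added.
    """
    flag = request.args.get('flag')
    if flag != '1':
        return field.params_error(message='没有接受到参数!')

    tasks = Task.query.filter_by(state='State.FINISH_SCAN', is_add=1).all()
    # One set covers URLs already in the table and URLs added in this run.
    known_urls = {asset.url for asset in Asset.query.all()}
    number = 0

    for task in tasks:
        if not (task.result or task.host_result or task.cms_result):
            continue
        result = field.result_parse(task.cms_result, task.result, task.host_result)
        if not result or task.url in known_urls:
            continue
        try:
            import pymysql
            # NOTE(review): header/body are escaped by hand and then bound as
            # ORM parameters, so the stored text is presumably double-escaped.
            # Kept because readers of these columns may rely on that form.
            asert = Asset(
                url=task.url,
                ip=result.get('ip'),
                title=result.get('title'),
                cms=result.get('cms'),
                operating_systems=str(result.get('os')),
                web_servers=str(result.get('web_server')),
                programming_languages=str(result.get('programming_languages')),
                web_frameworks=str(result.get('web_frameworks')),
                javascript_frameworks=str(result.get('js')),
                ports=str(result.get('port')),
                upgrade_time=datetime.datetime.now(),
                header=pymysql.escape_string(str(result.get('header'))),
                body=pymysql.escape_string(str(result.get('body'))),
            )
            db.session.add(asert)
            db.session.commit()
        except Exception:
            # Still best-effort per task, but a failed commit leaves the
            # session unusable until rolled back. Without this, every later
            # task in the loop would fail as well.
            db.session.rollback()
            continue
        number += 1
        known_urls.add(task.url)

    return field.success(message='成功更新{}条资产!'.format(number))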
def uzc():
    """Update one field of an asset chosen by the form's ``type`` code.

    Codes ``'1'`` to ``'8'`` select the column listed below; any other
    value updates ``ports``. ``upgrade_time`` is refreshed on every update.
    """
    form = UpgradeZcForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    zc_id = form.zc_id.data
    field_code = form.type.data
    text = form.text.data

    asset = Asset.query.get(zc_id)
    if not asset:
        return field.params_error(message='没有该资产信息')

    columns = {
        '1': 'title',
        '2': 'ip',
        '3': 'cms',
        '4': 'operating_systems',
        '5': 'programming_languages',
        '6': 'web_servers',
        '7': 'web_frameworks',
        '8': 'javascript_frameworks',
    }
    # Unknown codes fall back to the ports column.
    setattr(asset, columns.get(field_code, 'ports'), text)
    asset.upgrade_time = datetime.datetime.now()
    db.session.add(asset)
    db.session.commit()
    return field.success('更新成功!')
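def updateuser():
    """Update a user's name and e-mail and move the user to the requested role.

    The user's first role is treated as the previous role and is replaced
    only when the requested role exists. The previous role is read after
    the user lookup has succeeded; the original read it first, so an
    unknown ``user_id`` raised instead of returning the "no such user"
    error. A user with no role is handled as well.
    """
    form = UpdateUserForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    username = form.username.data
    user_id = form.user_id.data
    email = form.email.data
    role = form.role.data

    user = User.query.get(user_id)
    if not user:
        return field.params_error(message='没有该用户!')

    # Name of the role held before the change, if any.
    previous_role_name = user.roles[0].name if user.roles else None

    user.username = username
    user.email = email
    db.session.add(user)
    db.session.commit()

    new_role = CMSRole.query.filter_by(name=role).first()
    if new_role:
        if previous_role_name is not None:
            old_role = CMSRole.query.filter_by(name=previous_role_name).first()
            if old_role and user in old_role.users:
                old_role.users.remove(user)  # drop the previous role
        new_role.users.append(user)  # attach the new role
        db.session.commit()
    # NOTE(review): an unknown role name leaves the role unchanged and still
    # reports success, as in the original.
    return field.success(message='修改信息成功')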
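def post(self):
    """Log a user in by e-mail or username plus password.

    On success the user id is stored in the session, the session is made
    permanent when "remember" is set, and the last-login time and
    activation status are updated.

    The disabled-account message is returned only after the password has
    been verified. The original checked the disabled flag first, which
    told an unauthenticated caller that the account exists and is disabled.
    """
    form = LoginForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    identifier = form.email.data  # e-mail address or username
    password = form.password.data
    remember = form.remember.data

    user = (User.query.filter_by(email=identifier).first()
            or User.query.filter_by(username=identifier).first())

    # Unknown account and wrong password get the same generic answer.
    if not user or not user.check_password(password):
        return field.params_error(message='邮箱或者密码错误')

    if user.is_use == 'UseEnum.UNUSE':
        return field.unauth_error(message='该用户已经被禁用,请联系超级管理员解决!')

    session[config['development'].CMS_USER_ID] = user.id  # record the login
    if remember:
        # A permanent session lasts 31 days, per the original comment.
        session.permanent = True
    user.last_login_time = datetime.datetime.now()
    user.is_activate = IntToStatus(1)
    db.session.add(user)
    db.session.commit()
    return field.success(message='登陆成功!')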
def post(self):
    """Replace the current user's e-mail address with the validated form value."""
    form = ResetEmailForm(request.form)
    if not form.validate():
        return field.params_error(form.get_error())

    # NOTE(review): any proof that the caller owns the new address
    # (e.g. a mailed captcha) would have to live in ResetEmailForm - confirm.
    g.cms_user.email = form.email.data
    db.session.commit()
    return field.success()
def deletezc():
    """Delete the asset whose id is posted as ``zc_id``."""
    zc_id = request.form.get('zc_id')
    if not zc_id:
        return field.params_error(message='没有接受到参数!')

    asset = Asset.query.get(zc_id)
    if not asset:
        return field.params_error(message='没有该条资产信息!')

    db.session.delete(asset)
    db.session.commit()
    return field.success(message='删除成功!')
def uusername():
    """Change the current user's username to the validated form value."""
    form = UusernameForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    current = g.cms_user
    current.username = form.username.data
    db.session.add(current)
    db.session.commit()
    return field.success()
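def queryuser():
    """List users by role and/or activation status.

    With a ``role`` argument the users of that role are returned, limited
    to ``'LoginEnum.UP'`` users when ``or`` is ``'1'``. Without a role,
    users are selected by activation status and stored on ``g.user``.

    An unknown role name now gets a parameter error; the original raised
    on ``role.users``. The leftover debug ``print`` has been removed.
    """
    name = request.args.get('role')
    is_activate = request.args.get('or')

    if not name:
        wanted = 'LoginEnum.UP' if is_activate == '1' else 'LoginEnum.DOWN'
        g.user = User.query.filter_by(is_activate=wanted).all()
        return field.success(message='查询成功!')

    role = CMSRole.query.filter_by(name=name).first()
    if role is None:
        return field.params_error(message='没有该角色!')

    # NOTE(review): user model objects are handed to field.success as-is;
    # which columns end up in the response is not visible here - confirm
    # that password material is excluded.
    if is_activate != '1':
        return field.success(message='查询成功!', data={'user': role.users})

    user_list = [u for u in role.users if u.is_activate == 'LoginEnum.UP']
    if not user_list:
        return field.success(message='没有找到符合条件的用户!')
    return field.success(message='查询成功!', data={'user': user_list})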
def dcms():
    """Delete the CMS fingerprint named by the form's ``cms_id``."""
    form = DeleteCmsForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    fingerprint = Cms_fingerprint.query.get(form.cms_id.data)
    if not fingerprint:
        return field.params_error(message='没有改CMS!')

    db.session.delete(fingerprint)
    db.session.commit()
    return field.success(message='删除成功!')
def acms():
    """Store a new CMS fingerprint built from the validated form fields."""
    form = AddCmsForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    # Locals are renamed so they no longer shadow the ``re`` module name.
    pattern = form.re.data
    digest = form.md5.data
    fingerprint = Cms_fingerprint(
        url=form.url.data,
        name=form.name.data,
        re=pattern,
        md5=digest,
    )
    db.session.add(fingerprint)
    db.session.commit()
    return field.success(message='增加成功!')
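def email_captcha():
    """Mail a six-character verification code to an unregistered address.

    The code is made of six distinct characters from ASCII letters and
    digits, queued for sending via ``send_mail`` and stored in ``zlcache``
    under the e-mail address.

    The code comes from the operating system's CSPRNG rather than the
    default ``random`` generator, and it is no longer printed to stdout,
    where it would land in process logs.
    """
    import secrets

    from tasks import send_mail

    email = request.args.get('email')
    if not email:
        return field.params_error('请传递邮箱参数!')

    if User.query.filter_by(email=email).first():
        return field.params_error('该邮箱已经注册,请更换邮箱!')

    alphabet = list(string.ascii_letters + string.digits)
    # SystemRandom.sample keeps the original "six distinct characters" shape.
    captcha = "".join(secrets.SystemRandom().sample(alphabet, 6))

    # NOTE(review): no rate limit is visible in this function; confirm one
    # is applied elsewhere, since each call sends a mail.
    send_mail.delay('牧羊人邮箱验证码', [email], '您的验证码是:{}'.format(captcha))
    zlcache.set(email, captcha)
    return field.success()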
def tresult():
    """Return the parsed scan result of the task named by ``task_id``."""
    task_id = request.args.get('task_id')
    if not task_id:
        return field.params_error(message='没有传任务ID')

    task = Task.query.get(task_id)
    if not task:
        return field.params_error(message='没有该任务!')

    # NOTE(review): the task is looked up by id alone; no owner check is
    # visible in this function - confirm the route is restricted elsewhere.
    result = field.result_parse(task.cms_result, task.result, task.host_result)
    print(result)  # debug output kept from the original
    payload = {
        'task_id': task.task_id,
        'result_id': task.result_id,
        'result': result,
    }
    return field.success(message='查询成功', data=payload)
def post(self):
    """Change the current user's password after verifying the old one.

    A form validation failure is reported with ``field.unauth_error``;
    a wrong old password is reported with ``field.params_error``.
    """
    form = ResetpwdForm(request.form)
    if not form.validate():
        return field.unauth_error(message=form.get_error())

    old_password = form.oldpwd.data
    new_password = form.newpwd.data
    account = g.cms_user
    if not account.check_password(old_password):
        return field.params_error('旧密码错误!')

    # presumably the model's password setter hashes the value - confirm
    account.password = new_password
    db.session.commit()
    return field.success()
def iskey():
    """Switch a user's API access flag.

    ``key == 'down'`` sets ``'ApiEnum.DOWN'``; any other value sets
    ``'ApiEnum.UP'``.
    """
    user_id = request.form.get('user_id')
    key = request.form.get('key')
    target = User.query.get(user_id)
    print(user_id, key)  # debug output kept from the original
    if not target:
        return field.params_error(message='没有改用户!')

    target.is_api = 'ApiEnum.DOWN' if key == 'down' else 'ApiEnum.UP'
    db.session.add(target)
    db.session.commit()
    return field.success()
def stopuser():
    """Enable or disable a user account.

    ``status == 'down'`` stores ``'UseEnum.UNUSE'``; any other value
    stores ``'UseEnum.USE'``.
    """
    user_id = request.form.get('user_id')
    status = request.form.get('status')
    new_flag = 'UseEnum.UNUSE' if status == 'down' else 'UseEnum.USE'

    target = User.query.get(user_id)
    if not target:
        return field.params_error(message='没有该用户!')

    target.is_use = new_flag
    db.session.add(target)
    db.session.commit()
    return field.success()
def dadmintask():
    """Delete a task unless it is currently being scanned."""
    form = DeleteAdminTaskForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    task = Task.query.get(form.task_id.data)
    if not task:
        return field.params_error(message='未找到该任务!')

    # A task in the scanning state cannot be deleted.
    if task.state == 'State.ING_SCAN':
        return field.params_error(message='任务正在进行中,无法删除!')

    db.session.delete(task)
    db.session.commit()
    return field.success(message='删除任务成功')
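def post(self):
    """Store an uploaded avatar image for the current user.

    The file is saved as ``<user e-mail>.<extension>`` in the avatar
    directory, after any earlier avatar with an allowed extension has been
    removed, and the user's ``avatar_path`` is updated.

    The upload is validated before its extension is read; the original
    split the filename first and raised ``IndexError`` on a name with no
    dot. An extension containing a path separator is rejected, cleanup
    ignores only ``OSError``, and the debug prints are gone.
    """
    file = request.files['avatar_upload']
    invalid = '上传的文件格式不合法,请选择图片格式文件上传!'

    upload_name = file.filename
    if not upload_name or '.' not in upload_name or not allowd_file(upload_name):
        return field.params_error(invalid)

    extension = upload_name.rsplit('.', 1)[1]
    # The extension is client-controlled and becomes part of the stored
    # path. What allowd_file checks is not visible here, so separators are
    # refused explicitly.
    if '/' in extension or '\\' in extension:
        return field.params_error(invalid)

    base_path = './static/cms/img/user/'
    # NOTE(review): the e-mail address is used as the file stem; this
    # assumes stored addresses cannot contain path separators - confirm.
    filename = str(g.cms_user.email) + '.' + extension
    file_path = os.path.join(base_path, filename)

    # Remove an earlier avatar saved under any allowed extension.
    for ext in config['development'].ALLOWED_EXTENSIONS:
        try:
            os.remove(os.path.join(base_path, g.cms_user.email) + '.' + ext)
        except OSError:
            pass  # no earlier file with this extension

    file.save(file_path)
    user = g.cms_user
    user.avatar_path = '/static/cms/img/user/' + filename
    db.session.add(user)
    db.session.commit()
    return field.success('修改头像成功!')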
def utask():
    """Update a task's URL, cycle and run count, and reschedule it.

    With ``number == 1`` the web and host scans are queued at once and
    ``next_time`` is cleared. With ``number > 1`` ``next_time`` becomes a
    comma-separated list of ``number`` timestamps spaced ``cycle`` days
    apart (one day when ``cycle`` is falsy).
    """
    form = UpgradeTaskForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    task_id = form.task_id.data
    cycle = form.cycle.data
    number = form.number.data
    url = form.url1.data

    if not match_url(url=url):
        return field.params_error(message='URL格式不正确!')

    # NOTE(review): the task is looked up by id alone; no owner check is
    # visible in this function - confirm the route is restricted elsewhere.
    task = Task.query.get(task_id)
    if not task:
        return field.params_error(message='未找到该任务')

    # TODO: optimise this code
    if number == 1:
        web_scan.delay(url=url, taskid=task_id)
        host_scan.delay(url=url, taskid=task_id)
        task.next_time = None
    elif number > 1:
        stamps = [
            (datetime.datetime.now()
             + datetime.timedelta(days=int(cycle or 1) * step)
             ).strftime('%Y-%m-%d %H:%M:%S')
            for step in range(1, number + 1)
        ]
        task.next_time = ','.join(stamps)

    task.cycle = IntToString(cycle)
    task.url = url
    task.number = number
    task.referer = 'WEB'
    db.session.add(task)
    db.session.commit()
    return field.success(message='更新任务成功')
def adduser():
    """Create a user with a generated avatar and attach the requested role.

    The avatar is written to ``./static/cms/img/user/<email>.png``. The
    role is attached only when a role with the given name exists.
    """
    form = AddUserForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    username = form.username.data
    password = form.password.data
    email = form.email.data
    role_name = form.role.data

    # NOTE(review): the e-mail address is concatenated into a file path;
    # this assumes AddUserForm rejects values with path separators - confirm.
    avatar_file = email + '.png'
    generator = user_avatar.GithubAvatarGenerator()
    generator.save_avatar(filepath='./static/cms/img/user/' + avatar_file)

    account = User(username=username, password=password, email=email,
                   avatar_path='../static/cms/img/user/' + avatar_file)
    db.session.add(account)
    db.session.commit()

    matched_role = CMSRole.query.filter_by(name=role_name).first()
    if matched_role:
        matched_role.users.append(account)
        db.session.commit()
    return field.success(message='添加用户成功!')
def ucms():
    """Overwrite a CMS fingerprint's fields and refresh its ``create_time``."""
    form = UpgradeCmsForm(request.form)
    if not form.validate():
        return field.params_error(message=form.get_error())

    # New column values, taken from the validated form.
    updates = {
        'name': form.name.data,
        're': form.re.data,
        'md5': form.md5.data,
        'url': form.url.data,
        'create_time': datetime.datetime.now(),
    }

    fingerprint = Cms_fingerprint.query.get(form.cms_id.data)
    if not fingerprint:
        return field.params_error(message='没有改CMS!')

    for column, value in updates.items():
        setattr(fingerprint, column, value)
    db.session.add(fingerprint)
    db.session.commit()
    return field.success(message='修改成功!')
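def post(self):
    """Search assets by URL or by a ``key="value"`` expression.

    A ``search`` value accepted by ``match_url`` is matched against asset
    URLs by domain. Otherwise the prefix selects the field: ``title=``,
    ``server=``, ``os`` or ``ip``, each taking a double-quoted value.

    An empty search and a recognised prefix without a quoted value now get
    a parameter error; the original raised on the unmatched regex. The
    debug ``print`` of the search string has been removed.
    """
    search = request.form.get('search')
    if not search:
        return field.params_error(message='没有接受到参数!')

    def quoted_value(pattern):
        # Return the double-quoted value, or None when the expression is malformed.
        found = re.search(pattern, search, re.I)
        return found.group(1) if found else None

    unsupported = '不支持查询类型!'
    lowered = search.lower()

    if match_url(search):
        matches = Asset.query.filter(
            Asset.url.contains(urlTodomain(search))).all()
    elif lowered.startswith('title='):
        term = quoted_value(r"title=\"(.*?)\"")
        if term is None:
            return field.params_error(message=unsupported)
        matches = Asset.query.filter(
            Asset.title.contains(term)).order_by(Asset.upgrade_time).all()
    elif lowered.startswith('server='):
        term = quoted_value(r"server=\"(.*?)\"")
        if term is None:
            return field.params_error(message=unsupported)
        matches = Asset.query.filter(
            func.lower(Asset.web_servers).contains(func.lower(term))
        ).order_by(Asset.upgrade_time).all()
    elif lowered.startswith('os'):
        term = quoted_value(r"os=\"(.*?)\"")
        if term is None:
            return field.params_error(message=unsupported)
        matches = Asset.query.filter(
            func.lower(Asset.operating_systems).contains(func.lower(term))
        ).order_by(Asset.upgrade_time).all()
    elif lowered.startswith('ip'):
        term = quoted_value(r"ip=\"(.*?)\"")
        if term is None:
            return field.params_error(message=unsupported)
        matches = Asset.query.filter_by(ip=term).order_by(
            Asset.upgrade_time).all()
    else:
        return field.params_error(message=unsupported)

    if not matches:
        return field.params_error(message='没有查到相关信息!')

    result_list = [
        {
            'url': row.url,
            'ip': row.ip,
            'web_server': row.web_servers,
            'jsf': row.javascript_frameworks,
            'pj': row.programming_languages,
            'wf': row.web_frameworks,
            'os': row.operating_systems,
            'cms': row.cms,
            'title': row.title,
            'ports': row.ports,
            'ut': str(row.upgrade_time),
        }
        for row in matches
    ]
    return field.success(data=result_list, message='查询成功!')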