def start(target):
    """Run the whole scan pipeline against one target.

    Resolves the target, probes whether it answers over HTTP(S), collects
    the web fingerprint, port-scans it unless the iscdn() helper reports
    it as CDN-fronted, runs the vulnerability checks and, depending on the
    module-level CRAWL / SCANDIR switches, crawls and directory-scans the
    site. The collected record is persisted through web_save().

    Args:
        target: host name or URL supplied by the caller; parse_ip() and
            verify_https() do the interpretation.
    """
    host = parse_ip(target)
    url = verify_https(target)
    # verify_https() yields a falsy value when neither scheme answers.
    isopen = bool(url)

    data, apps = '', {}
    if isopen:
        data, apps = web_info(url)

    # Sibling code treats a falsy iscdn() as "behind a CDN": scanning the
    # edge IP would only profile the CDN, so a placeholder entry is used
    # to keep the Vuln() argument shape.
    open_port = ScanPort(url).pool() if iscdn(host) else ['CDN:0']

    Vuln(url, host, open_port, apps).run()

    if isopen:
        if CRAWL:
            crawl(url).pool()
        if SCANDIR:
            DirScan('result', apps).pool(url)

    if data:
        web_save(data)
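def reverse_domain(host):
    """Look up other sites hosted on the same IP as ``host`` (reverse-IP / "neighbour" domains).

    Only runs when iscdn(host) is truthy; sibling code treats a falsy value
    as "behind a CDN", where a shared edge IP would list thousands of
    unrelated tenants. yougetsignal.com is queried first, hackertarget.com
    is the fallback.

    NOTE(review): both lookups hand the target name to third-party services
    over the network -- relevant for engagements that must stay quiet.

    Args:
        host: host name or IP address to look up.

    Returns:
        list of neighbouring domain names / IPv4 literals, possibly empty.
        (Non-CDN hosts used to yield None; an empty list is returned now so
        callers can iterate unconditionally -- still falsy.)
    """
    if not iscdn(host):
        return []
    try:
        return _reverse_via_yougetsignal(host)
    except Exception:
        # Best effort: the first provider is flaky / rate-limited, so fall
        # back to the second; a failure there yields an empty result rather
        # than aborting the scan. Narrowed from a bare ``except:`` so
        # KeyboardInterrupt is no longer swallowed.
        try:
            return _reverse_via_hackertarget(host)
        except Exception:
            return []


def _reverse_via_yougetsignal(host):
    """Query yougetsignal.com; raises on transport/parse failure so the caller can fall back."""
    data = {"remoteAddress": "{0}".format(host), "key": ""}
    header = get_ua()
    header.update({'Referer': 'https://www.yougetsignal.com/tools/web-sites-on-web-server/'})
    header.update({'origin': 'https://www.yougetsignal.com'})
    r = requests.post('https://domains.yougetsignal.com/domains.php', headers=header, data=data, timeout=5)
    rows = json.loads(r.text).get('domainArray')
    if rows is None:
        # Error responses come back in a different shape; treat that as a
        # failure so the fallback provider is tried.
        raise ValueError('no domainArray in yougetsignal response')
    base = tldextract.extract(host).domain
    found = []
    for row in rows:
        name = row[0]
        if name == host:
            continue
        # Keep names under the same registrable domain plus bare IPv4
        # literals (the pattern is deliberately loose, as in the original).
        if tldextract.extract(name).domain == base or re.search(r'\d+\.\d+\.\d+\.\d+', name):
            found.append(name)
    return found


def _reverse_via_hackertarget(host):
    """Query hackertarget.com's plain-text reverse-IP API (one entry per line)."""
    r = requests.get('http://api.hackertarget.com/reverseiplookup/?q={}'.format(host), headers=get_ua(),
                     timeout=4)
    # An HTML body is an error page (quota exceeded etc.), not data. Note the
    # endpoint is plain HTTP, so the answer is tamperable in transit.
    if '<html>' in r.text:
        return []
    return [line for line in r.text.split('\n') if line]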
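def virustotal(host):
    """Collect passive-DNS history for ``host`` (VirusTotal first, then ipinfo()).

    Historical resolutions are used to find the origin IP hiding behind a
    CDN. Up to ten entries are printed through console(); the whole list
    is returned.

    Args:
        host: domain name. With a configured key, an IPv4 literal has no
            domain report and yields None (kept from the original).

    Returns:
        list of "ip : last_resolved" strings (possibly empty), or None for
        an IPv4 literal when VIRUSTOTAL_API is set.
    """
    pdns = []
    # VIRUSTOTAL_API is the module-level key; it must never be echoed in
    # console output or logs.
    if VIRUSTOTAL_API:
        # Bare IPv4 literal: there is no domain report to ask for.
        if re.search(r'\d+\.\d+\.\d+\.\d+', host):
            return None
        try:
            resp = Virustotal(VIRUSTOTAL_API).domain_report(host)
            # A 403 is treated as "no usable report" (typically a rejected
            # or over-quota key).
            if resp.get('status_code') != 403:
                history_ip = []
                body = resp.get('json_resp') or {}
                for entry in body.get('resolutions') or []:
                    address = entry.get('ip_address')
                    timeout = entry.get('last_resolved')
                    # Falsy iscdn() == known CDN range in sibling code; those
                    # entries would not reveal an origin.
                    if iscdn(address):
                        history_ip.append('{} : {}'.format(address, timeout))
                # Keep the last ten, matching the sibling virustotal()
                # revision; the original's [10:] dropped the first ten instead.
                pdns = history_ip[-10:]
        except Exception:
            # Best effort: quota / network errors must not abort the scan.
            # Narrowed from a bare ``except:``.
            pass
    pdns.extend(ipinfo(host))
    if pdns:
        for i in pdns[:10]:
            console('PDNS', host, i + '\n')
    else:
        console('PDNS', host, 'None\n')
    return pdns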
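def start(target, dbname='result'):
    """Run the whole scan pipeline against one target, storing results under ``dbname``.

    Args:
        target: host name or URL; parse_ip() and verify_https() interpret it.
        dbname: result database name, passed on to ScanPort/Vuln/Crawl/
            DirScan/web_save. A trailing ".db" is stripped (the helpers
            presumably add their own extension -- verify). The name ends up
            on disk, so it should come from the operator, not from scan data.
    """
    if dbname != 'result':
        # The old pattern r'.db' had an unescaped dot and no anchor, so it
        # also mangled names such as "mydb" or "db-report"; only a trailing
        # ".db" extension is meant to go.
        dbname = re.sub(r'\.db$', '', dbname)
    # Placeholder title used when the site does not answer.
    title = 'test'
    host = parse_ip(target)
    url = verify_https(target)
    # verify_https() yields a falsy value when neither scheme answers.
    isopen = bool(url)
    data, apps = '', {}
    if isopen:
        data, apps, title = web_info(url)
    # Falsy iscdn() means "behind a CDN" in sibling code: scanning the edge
    # IP would only profile the CDN, so a placeholder entry is stored.
    open_port = ScanPort(url, dbname).pool() if iscdn(host) else ['CDN:0']

    # Run the POC checks
    Vuln(url, host, open_port, apps, dbname).run()

    if isopen:
        if CRAWL:
            Crawl(url, dbname).pool()
        if SCANDIR:
            DirScan(dbname, apps, url, title).pool()
    if data:
        web_save(data, dbname)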
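def reverse_domain(host):
    """Print and return the "neighbour" domains sharing ``host``'s IP.

    Only runs when iscdn(host) is truthy; sibling code treats a falsy value
    as "behind a CDN", where a shared edge IP would list unrelated tenants.
    yougetsignal.com is queried first, hackertarget.com is the fallback.
    Both hand the target name to third-party services over the network.

    Args:
        host: host name or IP address to look up.

    Returns:
        list of names / IPv4 literals when fewer than 20 were found
        (possibly empty); a one-element marker list when 20 or more were
        found. Non-CDN hosts yield [] (previously None -- still falsy).
    """
    sys.stdout.write(Bcolors.RED + "\nReverse IP Domain Check:\n" +
                     Bcolors.ENDC)
    if not iscdn(host):
        return []
    try:
        result = _neighbours_yougetsignal(host)
    except Exception:
        # Best effort fallback; narrowed from a bare ``except:`` so
        # KeyboardInterrupt is no longer swallowed.
        try:
            result = _neighbours_hackertarget(host)
        except Exception:
            result = []
    if len(result) >= 20:
        # Too many co-hosted sites to be useful (shared hosting); keep the
        # marker the callers already expect.
        console('reverse_domain', host,
                'The maximum number of domain names exceeded (20)\n')
        return ['The maximum number of domain names exceeded (20)']
    if result:
        for i in result:
            console('reverse_domain', host, i + '\n')
    else:
        console('reverse_domain', host, 'None\n')
    return result


def _neighbours_yougetsignal(host):
    """Query yougetsignal.com; raises on transport/parse failure so the caller can fall back."""
    data = {"remoteAddress": "{0}".format(host), "key": ""}
    header = get_ua()
    # NOTE(review): verify=False disables certificate validation for a
    # hard-coded public HTTPS endpoint, so an on-path attacker could feed
    # fabricated neighbour lists. Kept from the original (probably for
    # intercepting proxies); consider dropping it.
    r = requests.post('https://domains.yougetsignal.com/domains.php',
                      headers=header,
                      data=data,
                      timeout=5,
                      verify=False)
    rows = json.loads(r.text).get('domainArray')
    if rows is None:
        # Error responses come back in a different shape; fail so the
        # fallback provider is tried.
        raise ValueError('no domainArray in yougetsignal response')
    base = tldextract.extract(host).domain
    found = []
    for row in rows:
        name = row[0]
        if name == host:
            continue
        # Same registrable domain, or a bare IPv4 literal (loose pattern,
        # as in the original).
        if tldextract.extract(name).domain == base or re.search(r'\d+\.\d+\.\d+\.\d+', name):
            found.append(name)
    return found


def _neighbours_hackertarget(host):
    """Query hackertarget.com's plain-text reverse-IP API (one entry per line)."""
    # Plain HTTP: verify=False is a no-op here and the answer is tamperable
    # in transit.
    r = requests.get(
        'http://api.hackertarget.com/reverseiplookup/?q={}'.format(host),
        headers=get_ua(),
        timeout=4,
        verify=False)
    # An HTML body is an error page; the "No DNS A records" text is a miss.
    if '<html>' in r.text or 'No DNS A records found for' in r.text:
        return []
    return [line for line in r.text.split('\n') if line]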
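def virustotal(host):
    """Return up to ten historical resolutions of ``host`` from VirusTotal's domain report.

    Passive DNS is used to find the origin IP behind a CDN: resolutions
    that predate the CDN move often point straight at it.

    Args:
        host: domain name. IPv4 literals have no domain report.

    Returns:
        list of "ip : last_resolved" strings (the last ten that pass the
        iscdn() filter, possibly empty), or ['None'] for an IPv4 literal or
        a rejected request.
    """
    # Bare IPv4 literal: nothing to look up, and no need to build a client.
    if re.search(r'\d+\.\d+\.\d+\.\d+', host):
        return ['None']
    # virustotal_api is the module-level key; never echo it in output/logs.
    vtotal = Virustotal(virustotal_api)
    resp = vtotal.domain_report(host)
    # 403 is treated as "no usable report" (typically a rejected key).
    if resp.get('status_code') == 403:
        return ['None']
    history_ip = []
    # Guard the nested gets: an error body without 'resolutions' used to
    # raise TypeError out of this function.
    body = resp.get('json_resp') or {}
    for i in body.get('resolutions') or []:
        address = i.get('ip_address')
        timeout = i.get('last_resolved')
        # Falsy iscdn() == known CDN range in sibling code; such entries
        # would not reveal an origin.
        if iscdn(address):
            history_ip.append('{} : {}'.format(address, timeout))
    return history_ip[-10:]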
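def ipinfo(host):
    """Scrape viewdns.info's IP-history page for past A records of ``host``.

    Args:
        host: domain name; an IPv4 literal is skipped (empty result).

    Returns:
        list of IPv4 strings that pass the iscdn() filter, possibly empty.
        The target name is sent to a third-party service.
    """
    out = []
    if re.search(r'\d+\.\d+\.\d+\.\d+', host):
        return out
    req = Requests()
    try:
        r = req.get(
            'https://viewdns.info/iphistory/?domain={}'.format(host))
        # Screen-scrape: relies on the page's <tr><td>IP</td><td> layout, so
        # a markup change silently yields nothing.
        found = re.findall(
            r'(?<=<tr><td>)\d+\.\d+\.\d+\.\d+(?=</td><td>)', r.text,
            re.S | re.I)
        # Falsy iscdn() == known CDN range in sibling code.
        out.extend(ip for ip in found if iscdn(ip))
    except Exception:
        # Best effort: a failed lookup must not abort the scan. Narrowed
        # from a bare ``except:`` so KeyboardInterrupt is not swallowed.
        pass

    return out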
def web_info(url):
    """Fingerprint the site at ``url`` and assemble its result record.

    Runs the WAF check, fetches the page for title / app / server
    fingerprinting, and detects the OS when iscdn() is truthy (sibling
    code treats a falsy value as "behind a CDN").

    Args:
        url: target URL; trailing slashes are stripped before requests.

    Returns:
        (data, apps, title): data is {host: {...}} ready for web_save();
        apps and title are taken from the fingerprint and are None when the
        fetch failed.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    client = Requests()
    # noinspection PyBroadException
    try:
        resp = client.get(url)
        # Let chardet pick the encoding; servers frequently mislabel it.
        resp.encoding = chardet.detect(resp.content).get('encoding')
        webinfo = WebPage(resp.url, resp.text, resp.headers).info()
    except Exception as exc:
        logging.exception(exc)
        webinfo = {}

    if not webinfo:
        webinfo = {}
        wafresult = 'None'
    else:
        for line in ('title: {}\n'.format(webinfo.get('title')),
                     'Fingerprint: {}\n'.format(webinfo.get('apps')),
                     'Server: {}\n'.format(webinfo.get('server')),
                     'WAF: {}\n'.format(wafresult)):
            console('Webinfo', host, line)

    osname = osdetect(host) if iscdn(host) else None

    record = {
        'WAF': wafresult,
        'Ipaddr': ipaddr,
        'Address': address,
        'Webinfo': webinfo,
        'OS': osname,
    }
    return {host: record}, webinfo.get('apps'), webinfo.get('title')
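def checkwaf(url):
    """Detect a WAF in front of ``url``.

    First inspects the plain response (passive). If that reveals nothing,
    requests ``url`` + each entry of the module-level ``payload`` list and
    re-checks -- those probes are attack-shaped and noisy, so expect them
    to show up in the target's logs.

    Args:
        url: target URL; probes are appended to it verbatim.

    Returns:
        the verify() verdict when a WAF is identified; 'CDN IP' when
        nothing was identified and iscdn() is falsy (sibling code reads
        that as "behind a CDN"); 'NoWAF' otherwise.
    """
    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text[:10000])
        if result != 'NoWAF':
            # Passive verdict found a WAF. The old code discarded it and
            # fell through to 'CDN IP' / 'NoWAF'; the sibling revision
            # returns it, and so does this one.
            return result
        for i in payload:
            r = req.get(url + i)
            result = verify(r.headers, r.text[:10000])
            if result != 'NoWAF':
                return result
    except UnboundLocalError:
        # Kept from the original; presumably raised inside verify() on odd
        # responses -- treated as "nothing identified".
        pass
    except Exception as e:
        logging.exception(e)
    host = parse_host(url)

    if not iscdn(host):
        return 'CDN IP'

    return 'NoWAF'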
def web_info(url):
    """Fingerprint the site at ``url`` and build its result record.

    Runs the WAF check, fetches the page for title / app / server
    fingerprinting, detects the OS when iscdn() is truthy (sibling code
    treats a falsy value as "behind a CDN"), and attaches passive-DNS and
    reverse-IP neighbour data to the web info.

    Args:
        url: target URL; trailing slashes are stripped before requests.

    Returns:
        (data, apps): data is {host: {...}} ready for web_save(); apps is
        the detected fingerprint entry (None when the fetch failed).
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    client = Requests()
    try:
        resp = client.get(url)
        # Let chardet pick the encoding; servers frequently mislabel it.
        resp.encoding = chardet.detect(resp.content).get('encoding')
        webinfo = WebPage(resp.url, resp.text, resp.headers).info()
    except Exception:
        webinfo = {}
    if webinfo:
        console('Webinfo', host, 'Title: {}\n'.format(webinfo.get('title')))
        console('Webinfo', host, 'Fingerprint: {}\n'.format(webinfo.get('apps')))
        console('Webinfo', host, 'Server: {}\n'.format(webinfo.get('server')))
        console('Webinfo', host, 'WAF: {}\n'.format(wafresult))
    else:
        webinfo, wafresult = {}, 'None'
    osname = osdetect(host) if iscdn(host) else None
    # virustotal() runs before reverse_domain(), as in the original.
    webinfo.update({"pdns": virustotal(host)})
    webinfo.update({"reverseip": reverse_domain(host)})
    record = {
        'WAF': wafresult,
        'Ipaddr': ipaddr,
        'Address': address,
        'Webinfo': webinfo,
        'OS': osname,
    }
    return {host: record}, webinfo.get('apps')
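def checkwaf(url):
    """Detect a WAF in front of ``url``.

    Returns 'CDN IP' straight away when iscdn() is falsy (sibling code
    reads that as "behind a CDN", where the check would profile the edge).
    Otherwise inspects the plain response (passive) and, if that reveals
    nothing, requests ``url`` + each entry of the module-level ``payload``
    list -- attack-shaped probes that are noisy on the target side.

    Args:
        url: target URL; probes are appended to it verbatim.

    Returns:
        the verify() verdict when a WAF is identified, 'CDN IP' for
        CDN-fronted hosts, else 'NoWAF'. (The old code fell off the end
        and returned None in the no-WAF and error cases, which callers
        then stored and printed as the verdict.)
    """
    result = 'NoWAF'
    host = parse_host(url)

    if not iscdn(host):
        return 'CDN IP'

    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text)
        if result != 'NoWAF':
            return result
        for i in payload:
            r = req.get(url + i)
            result = verify(r.headers, r.text)
            if result != 'NoWAF':
                return result
    except (UnboundLocalError, AttributeError):
        # Kept from the original; presumably raised inside verify() on odd
        # responses -- treated as "nothing identified".
        pass
    except Exception as e:
        logging.exception(e)
    # Every path reaching here has result == 'NoWAF'.
    return result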
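def start(url):
    """Scan one URL end to end and persist the result record.

    Prints a banner, geolocates the host, probes the site, fingerprints it
    (WAF / title / apps / server), gathers passive-DNS and reverse-IP data,
    port-scans non-CDN hosts, detects the OS, saves the record with
    web_save(), runs the vulnerability checks and, conditionally, the
    directory scan.

    Args:
        url: target URL; trailing slashes are stripped before requests.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
    sys.stdout.write(bcolors.RED + 'Host: ' + host + '\n' + bcolors.ENDC)
    sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
    address = geoip(ipaddr)

    # Probe the main URL once. `r` stays None when the site does not
    # answer; the old code tested `'r' in locals()`, which is fragile and
    # hides the failure mode -- the explicit sentinel is equivalent.
    r = None
    try:
        req = Requests()
        r = req.get(url)
    except Exception:
        # Best effort: an unreachable site still gets the passive lookups.
        pass

    webinfo = {}
    wafresult = 'None'
    if r is not None:
        # NOTE(review): sibling checkwaf() revisions take the URL, not the
        # bare host -- confirm which signature this build's checkwaf expects.
        wafresult = checkwaf(host)
        try:
            # Let chardet pick the encoding; servers frequently mislabel it.
            coding = chardet.detect(r.content).get('encoding')
            r.encoding = coding
            webinfo = WebPage(r.url, r.text, r.headers).info() or {}
        except Exception:
            webinfo = {}
        if webinfo:
            sys.stdout.write(bcolors.RED + "Webinfo:\n" + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN +
                             '[+] Title: {}\n'.format(webinfo.get('title')) +
                             bcolors.ENDC)
            sys.stdout.write(
                bcolors.OKGREEN +
                '[+] Fingerprint: {}\n'.format(webinfo.get('apps')) +
                bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN +
                             '[+] Server: {}\n'.format(webinfo.get('server')) +
                             bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN +
                             '[+] WAF: {}\n'.format(wafresult) + bcolors.ENDC)

    pdns = virustotal(host)
    reverseip = reverse_domain(host)
    webinfo.update({"pdns": pdns})
    webinfo.update({"reverseip": reverseip})
    # Falsy iscdn() is read as "behind a CDN" here: scanning the edge IP
    # would only profile the CDN, so a placeholder entry is stored.
    if iscdn(host):
        open_port = ScanPort(url).pool()
    else:
        open_port = ['CDN:0']
    osname = osdetect(host)
    data = {
        host: {
            'WAF': wafresult,
            'Ipaddr': ipaddr,
            'Address': address,
            'Webinfo': webinfo,
            'OS': osname,
        }
    }
    web_save(data)
    Vuln(host, open_port, webinfo.get('apps')).run()
    # NOTE(review): the sibling start() revisions gate the directory scan on
    # `if SCANDIR:`; the `not` here looks inverted. Kept as is -- confirm.
    if r is not None and not SCANDIR:
        dirscan = DirScan('result')
        dirscan.pool(url)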
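def start(url):
    """Scan one URL end to end, print the report and return the record.

    Steps: derive host / IP / GeoIP, fetch the page, fingerprint it and
    check for a WAF (passively, then with one active probe), gather
    passive-DNS and reverse-IP data, parse JS for leaks, run the SQL
    check, port-scan non-CDN hosts, run the POC checks, detect the OS.

    Args:
        url: target URL, with or without a scheme.

    Returns:
        (data, result): data is {netloc: {...}} holding WAF / Ipaddr /
        Address / Webinfo / Ports / OS / Vuln; result is the WAF verdict.
    """
    result = 'NoWAF'
    # Initialised up front so the record at the bottom never hits an unbound
    # name: the old code left ipaddr/address unset when DNS resolution
    # failed and then crashed on `'Ipaddr': ipaddr`.
    ipaddr = None
    address = None
    r = None

    # Reduce the URL to a bare host: drop scheme, trailing slash, then any
    # path segments (only when a path is present) and the port.
    host = url.replace('http://', '').replace('https://', '').rstrip('/')
    if parse.urlparse(url).path:
        host = re.sub(r'/\w+', '', host)
    host = re.sub(r':\d+', '', host)
    try:
        # NOTE: process-wide side effect -- every later socket call in this
        # process inherits the 1 s timeout.
        socket.setdefaulttimeout(1)
        ipaddr = socket.gethostbyname(host)
        address = geoip(ipaddr)
        sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
        sys.stdout.write(bcolors.RED + 'Host: ' + host + '\n' + bcolors.ENDC)
        sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
        sys.stdout.write(bcolors.RED + "GeoIP:\n" + bcolors.ENDC)
        sys.stdout.write(bcolors.OKGREEN + '[+] Address: {}\n'.format(address) + bcolors.ENDC)
        sys.stdout.write(bcolors.OKGREEN + '[+] Ipaddr: {}\n'.format(ipaddr) + bcolors.ENDC)
        # verify=False is expected against scan targets (self-signed certs);
        # it means the response itself is not authenticated.
        r = requests.get(url, headers=get_ua(), timeout=TIMEOUT, verify=False)
    except Exception:
        # Best effort: unresolvable / unreachable targets still get the
        # passive checks below, with r left as None.
        pass

    sql = ''
    jsparse = ''
    webinfo = {}
    if r is not None:
        try:
            webinfo = (WebPage(r.url, r.content.decode('utf8'), r.headers).info()) or {}
            result = checkwaf(r.headers, r.text[:10000])
            if result == 'NoWAF':
                # Active probe: sends an attack-shaped query to the target,
                # which is noisy and may trip alerting -- be deliberate.
                r = requests.get(
                    url + '/index.php?id=1 ' + payload, headers=get_ua(), timeout=TIMEOUT, verify=False)
                result = checkwaf(r.headers, r.text[:10000])
        except Exception:
            webinfo = {}
            traceback.print_exc()
        if webinfo:
            sys.stdout.write(bcolors.RED + "Webinfo:\n" + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Title: {}\n'.format(webinfo.get('title')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Fingerprint: {}\n'.format(webinfo.get('apps')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Server: {}\n'.format(webinfo.get('server')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] WAF: {}\n'.format(result) + bcolors.ENDC)
        pdns = virustotal(host)
        reverseip = reverse_domain(host)
        sys.stdout.write(bcolors.RED + "VT PDNS:\n" + bcolors.ENDC)
        sys.stdout.write(bcolors.OKGREEN + "\n".join("[+] " + str(i) for i in pdns) + "\n" + bcolors.ENDC)
        if reverseip:
            sys.stdout.write(bcolors.RED + "Reverse IP Domain Check:\n" + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + "\n".join("[+] " + str(i) for i in reverseip) + "\n" + bcolors.ENDC)
        jsparse = JsParse(url).jsparse()
        sql = sql_check(url)
        webinfo.update({"pdns": pdns})
        webinfo.update({"reverseip": reverseip})

    # Falsy iscdn() is read as "behind a CDN": scanning the edge IP would
    # only profile the CDN, so a placeholder entry is stored.
    if iscdn(host):
        open_port = ScanPort(url).pool()
    else:
        open_port = ['CDN:0']
    sys.stdout.write(bcolors.RED + "PortScan:\n" + bcolors.ENDC)
    for _ in open_port:
        sys.stdout.write(bcolors.OKGREEN + '[+] {}\n'.format(_) + bcolors.ENDC)
    if POC:
        vuln = Vuln(url, open_port, webinfo.get('apps')).run()
    else:
        vuln = []
    if jsparse:
        jsparse = list(map(lambda x: 'Leaks: ' + x, jsparse))
        vuln.extend(jsparse)
    if sql:
        vuln.extend(sql)
    vuln = list(filter(None, vuln))
    # After filter(None) an empty string can no longer be present, so this
    # condition always holds; kept for output compatibility.
    if not (len(vuln) == 1 and ('' in vuln)):
        sys.stdout.write(bcolors.RED + "Vuln:\n" + bcolors.ENDC)
        sys.stdout.write(bcolors.OKGREEN + "\n".join("[+] " + str(i) for i in vuln) + "\n" + bcolors.ENDC)
    parsed = parse.urlparse(url)
    osname = osdetect(parsed.netloc) or 'None'
    sys.stdout.write(bcolors.RED + "OS:\n" + bcolors.ENDC)
    sys.stdout.write(bcolors.OKGREEN + '[+] {}\n'.format(osname) + bcolors.ENDC)
    data = {
        parsed.netloc: {
            'WAF': result,
            'Ipaddr': ipaddr,
            'Address': address,
            'Webinfo': webinfo,
            'Ports': open_port,
            'OS': osname,
            'Vuln': vuln
        }
    }
    return data, result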