Пример #1
0
    def delete(self):
        """
        删除exploit服务关联模块信息(软删除)
        ---
        tags:
        - POC漏洞检测
        parameters:
        - name: exploit_id
          in: query
          description: Exploit ID
          required: true
          type: string
        responses:
          '200':
            description: SUCCESS
            schema:
              type: dto.public_string_data_output
              $ref: '#/definitions/dto.public_string_data_output'
        """
        exploit_id = request.args.get('exploit_id')

        connectiondb(exploit_db).update({'_id': ObjectId(exploit_id)},
                                        {"$set": {
                                            "is_delete": 1
                                        }},
                                        multi=True)
        response_data = self.wrap_json_response(data='success',
                                                code=ReturnCode.SUCCESS)
        return jsonify(response_data)
Пример #2
0
 def _save_pocvul_result(self, portinfo_id, data):
     if data:
         # self.vul_type = 'exploit'
         self.vul_type = 'pocsuite'
     connectiondb(portinfo_db).update_one(
         {"_id": ObjectId(portinfo_id)},
         {"$set": {
             "vul_type": self.vul_type,
             "vulnerabilities": data
         }})
Пример #3
0
def _save_result(portinfo_id, app_name):
    portinfo_db = db_name_conf()['portinfo_db']
    # 看看是自定义任务还是自动化探测任务
    if not portinfo_id:
        return
    # 自动化任务需要更新端口应用版本
    connectiondb(portinfo_db).update_one({'_id': ObjectId(portinfo_id)},
                                         {'$set': {
                                             'product': app_name
                                         }})
Пример #4
0
 def _save_webvul_result(self, portinfo_id, data):
     connectiondb(portinfo_db).update_one(
         {"_id": ObjectId(portinfo_id)},
         {
             "$set": {
                 "vul_type":
                 "web",
                 "target_id":
                 data['target_id'],  # awvs的target_id
                 "scan_id":
                 data['scan_id'],  # awvs的sacn_id
                 "create_at":
                 time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
             }
         })
Пример #5
0
 def _get_portinfo(self):
     print "PocScanner._get_portinfo"
     array = connectiondb(portinfo_db).find(
         {"instance_id": self.instance_id})
     for item in array:
         item['_id'] = "%s" % item['_id']
         self.info_list.append(item)
Пример #6
0
    def _start_poc(self):
        print "VulScanner._start_poc"
        for info in self.info_list:
            print "info => name:{}; port:{}; state:{}".format(
                info['name'], info['port'], info['state'])

            # info['name']=http/https/null,进行web指纹判断
            # 情况1: 这个就很奇怪了, 能扫到但是状态为closed???
            if 'closed' == info['state']:
                continue

            # 用poc脚本打、内置多线程
            pocuite = PocsuiteScan(ip=self.instance_info['host'],
                                   service=info['name'],
                                   port=info['port'],
                                   app=info['product'],
                                   version=info['version'])
            result = pocuite.run()
            self._save_pocvul_result(info['_id'], result)

            # 情况2: Web直接提交AWVS任务,获取target_id、scan_id、session_id即可。后续聚合通过这三个查询对应的web漏洞详情。
            # 提交任务即返回,无需使用多线程
            # Poc扫描无结果的情况下再执行
            # if 'http' in info['name'] and not result:
            #     print "[+] http"
            #     awvs = AwvsScan(info['name'], self.instance_info['target'], info['port'])
            #     result = awvs.run()
            #     self._save_webvul_result(info['_id'], result)
            #     continue

        connectiondb(instance_db).update_one(
            {"_id": ObjectId(self.instance_id)}, {
                "$set": {
                    "status":
                    'Completed',
                    "update_at":
                    time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
                }
            })
Пример #7
0
def local_install():
    print("[*]Processing...")
    # connectiondb(plugin_db).drop()
    path = os.getcwd() + '/aquaman/modules/poc_vul/pocsuite_plugin/'
    files = os.listdir(path)

    for file_name in files:
        if 'JBoss' not in file_name:
            continue
        plugin_info = parse_plugin(path + file_name.strip())
        print plugin_info
        if not plugin_info:
            continue
        else:
            # print plugin_info
            db_insert = connectiondb(plugin_db).insert_one(
                plugin_info).inserted_id
            print db_insert
    print("[*]Processing Completed!")
Пример #8
0
 def _match_require(self):
     """
     [+] 匹配Mongo数据库的动作关联库
     [-] 输出攻击的所有的require准备
     """
     result = []
     array = self._match_exploit()
     for item in array:
         resp = connectiondb(exploit_db).find_one(
             {"exploit": re.compile(item)})
         if not resp:
             continue
         print "resp,", resp
         result.append({
             "vt_name": resp['vt_name'],
             "exploit": resp['exploit'],
             "payload": resp['payload'],
             "cmd": resp['cmd'],
             "desc": resp['desc']
         })
     return result
Пример #9
0
 def __init__(self, instance_id):
     self.instance_id = instance_id
     self.instance_info = connectiondb(instance_db).find_one(
         {"_id": ObjectId(self.instance_id)})
     self.info_list = []
     self.vul_type = ''
Пример #10
0
def verify_poc(scan_info):
    frequency = connectiondb(config_db).find_one(
        {'config_name': settings.CONFIG_NAME})['poc_frequency']
    plugin_name = scan_info['plugin_name']
    plugin_filename = scan_info['plugin_filename']
    target = scan_info['target']
    info = {
        "pocname": plugin_name,
        "pocstring": open(plugin_filename, 'r').read(),
        "mode": 'verify'
    }
    invoker = Cannon(target, info)
    log.info("[PocScanner] {}({}) verify poc({})  all_times: {}".format(
        scan_info['task_name'], scan_info['target'], plugin_name, frequency))
    for i in range(50):
        try:
            result = invoker.run()
            if i > frequency:  # 超过指定次数
                log.info(
                    "[PocScanner] {}({}) verify poc({}) more than {} times, result: {}"
                    .format(scan_info['task_name'], scan_info['target'],
                            plugin_name, frequency, result))
                return
            if not result or result[-3][0] != 1:
                time.sleep(1)
                continue
            log.info(
                "[PocScanner] {}({}) verify poc({}) in {} times, result: {}".
                format(scan_info['task_name'], scan_info['target'],
                       plugin_name, i + 1, result[-1]))
            connectiondb(vul_db).insert({
                "plugin_id":
                scan_info['plugin_id'],
                "plugin_filename":
                scan_info['plugin_filename'],
                "plugin_name":
                scan_info['plugin_name'],
                "plugin_type":
                scan_info['plugin_type'],
                "plugin_app":
                scan_info['plugin_app'],
                "plugin_version":
                scan_info['plugin_version'],
                "plugin_desc":
                scan_info['plugin_desc'],
                "target":
                scan_info[
                    'target'],  # 非端口必须是172.31.50.222:8080, 如果只有IP会使用脚本里的默认端口
                "task_id":
                scan_info['task_id'],
                "task_name":
                scan_info['task_name'],
                "scan_result":
                result[-1],
                "date":
                int(time.time()),
            })
            _save_result(scan_info['portinfo_id'], scan_info['plugin_app'])
            return
        except Exception as e:
            log.error(
                "[PocScanner] {}({}) verify poc({}) in {} times, info: {}".
                format(scan_info['task_name'], scan_info['target'],
                       plugin_name, i + 1, e))
            time.sleep(1)
            continue
        except FunctionTimedOut as e:
            log.error(
                "[PocScanner] {}({}) verify poc({}) in {} times with timeout, info: {}"
                .format(scan_info['task_name'], scan_info['target'],
                        plugin_name, i + 1, e))
            time.sleep(1)
            continue
Пример #11
0
    def post(self):
        """
        创建exploit服务关联模块信息
        ---
        tags:
        - POC漏洞检测
        definitions:
        - schema:
            id: dto.exploit_create_input
            properties:
              vt_name:
                type: string
              service:
                type: string
              app:
                type: string
              version:
                type: string
              exploit:
                type: string
              payload:
                type: string
              cmd:
                type: string
        parameters:
        - name: body
          in: body
          required: true
          schema:
            type: dto.exploit_create_input
            $ref: '#/definitions/dto.exploit_create_input'
        responses:
          '200':
            description: SUCCESS
            schema:
              id: dto.exploit_create_output
              properties:
                data:
                  type: object
                  description: response_data
                  properties:
                    exploit_id:
                      type: string
                      description: Exploit ID
                errmsg:
                  type: string
                  description: errno
                errno:
                  type: integer
                  description: errno
                  default: 0
        """
        body_data = json.loads(request.get_data().decode())
        try:
            desc = MsfScanner().get_desc(body_data['exploit'])
        except Exception as e:
            return jsonify(
                self.wrap_json_response(errmsg=e,
                                        code=ReturnCode.WRONG_PARAMS))

        req_data = {
            "vt_name": body_data['vt_name'],
            "service": body_data['service'],
            "version": body_data['version'],
            "exploit": body_data['exploit'],
            "payload": body_data['payload'],
            "app": body_data['app'],
            "cmd": body_data['cmd'],
            "desc": desc,
            "create_at": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()),
            "update_at": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()),
            "is_delete": 0,
        }
        exploit_id = connectiondb(exploit_db).insert_one(req_data).inserted_id
        if not exploit_id:
            response_data = self.wrap_json_response(code=ReturnCode.FAILED)
            return jsonify(response_data)

        data = {'exploit_id': '%s' % exploit_id}
        response_data = self.wrap_json_response(data=data,
                                                code=ReturnCode.SUCCESS)
        return jsonify(response_data)
Пример #12
0
    def get(self):
        """
        模块服务数据记录列表
        ---
        tags:
        - POC漏洞检测
        definitions:
        - schema:
            id: dto.exploit_list_output
            properties:
              data:
                type: object
                description: 模块服务数据记录列表
                properties:
                  list:
                    type: array
                    items:
                      type: dao.exploit_info
                      $ref: '#/definitions/dao.exploit_info'
                  total:
                    type: integer
              errmsg:
                type: string
                description: errno
              errno:
                type: integer
                description: errno
                default: 0
        parameters:
        - name: info
          in: query
          description: 模块名
          required: false
          type: string
        - name: page_size
          in: query
          description: 记录数
          required: true
          type: integer
        - name: page_no
          in: query
          description: 页码
          required: true
          type: integer
        responses:
          '200':
            description: SUCCESS
            schema:
              type: dto.exploit_list_output
              $ref: '#/definitions/dto.exploit_list_output'
        """
        page_size = request.args.get('page_size', 10, int)
        page_no = request.args.get('page_no', 1, int)
        info = request.args.get('info', '', str)
        skip = page_size * (page_no - 1)
        # total = connectiondb(vul_db).find().count()
        # aa = connectiondb(exploit_db).find()
        # for a in aa:
        #     print a
        total = connectiondb(exploit_db).find({
            "is_delete": {
                "$ne": 1
            },
            "exploit": re.compile(info)
        }).count()
        dict_resp = connectiondb(exploit_db).find({
            "is_delete": {
                "$ne": 1
            },
            "exploit": re.compile(info)
        }).limit(page_size).skip(skip).sort('update_at', -1)
        data = []
        for item in dict_resp:
            item['_id'] = "%s" % item['_id']
            data.append(item)

        response_data = self.wrap_json_response(data={
            'list': data,
            'total': total
        },
                                                code=ReturnCode.SUCCESS)
        return jsonify(response_data)
Пример #13
0
    def put(self):
        """
        更新exploit服务关联模块信息
        ---
        tags:
        - POC漏洞检测
        definitions:
        - schema:
            id: dto.exploit_put_input
            properties:
              exploit_id:
                type: string
              app:
                type: string
              vt_name:
                type: string
              service:
                type: string
              version:
                type: string
              exploit:
                type: string
              payload:
                type: string
              cmd:
                type: string
        parameters:
        - name: body
          in: body
          required: true
          schema:
            type: dto.exploit_put_input
            $ref: '#/definitions/dto.exploit_put_input'
        responses:
          '200':
            description: SUCCESS
            schema:
              type: dto.public_string_data_output
              $ref: '#/definitions/dto.public_string_data_output'
        """
        body_data = json.loads(request.get_data().decode())
        _id = body_data['exploit_id']
        if not _id:
            response_data = self.wrap_json_response(
                errmsg="Lost Params.", code=ReturnCode.WRONG_PARAMS)
            return jsonify(response_data)

        try:
            desc = MsfScanner().get_desc(body_data['exploit'])
        except Exception as e:
            return jsonify(
                self.wrap_json_response(errmsg="%s" % e,
                                        code=ReturnCode.WRONG_PARAMS))

        connectiondb(exploit_db).update_one({"_id": ObjectId(_id)}, {
            "$set": {
                "vt_name": body_data['vt_name'],
                "service": body_data['service'],
                "app": body_data['app'],
                "version": body_data['version'],
                "exploit": body_data['exploit'],
                "payload": body_data['payload'],
                "cmd": body_data['cmd'],
                "desc": desc,
                "update_at": time.strftime("%Y-%m-%d %H:%M:%S",
                                           time.localtime()),
            }
        })
        response_data = self.wrap_json_response(data="success",
                                                code=ReturnCode.SUCCESS)
        return jsonify(response_data)
Пример #14
0
 def get(self):
     """
     获取exploit模块信息
     ---
     tags:
     - POC漏洞检测
     definitions:
     - schema:
         id: dao.exploit_info
         properties:
           _id:
             type: string
           service:
             type: string
           app:
             type: string
           vt_name:
             type: string
           version:
             type: string
           exploit:
             type: string
           payload:
             type: string
           cmd:
             type: string
           desc:
             type: string
           create_at:
             type: string
           update_at:
             type: string
           is_delete:
             type: integer
     - schema:
         id: dto.exploit_info_output
         properties:
           data:
             type: dao.exploit_info
             $ref: '#/definitions/dao.exploit_info'
             description: response_data
           errmsg:
             type: string
             description: errno
           errno:
             type: integer
             description: errno
             default: 0
     parameters:
     - name: id
       in: query
       description: Exploit ID
       required: true
       type: string
     responses:
       '200':
         description: SUCCESS
         schema:
           type: dto.exploit_info_output
           $ref: '#/definitions/dto.exploit_info_output'
     """
     exploit_id = request.args.get('id')
     resp = connectiondb(exploit_db).find_one({"_id": ObjectId(exploit_id)})
     resp['_id'] = "%s" % resp['_id']
     response_data = self.wrap_json_response(data=resp,
                                             code=ReturnCode.SUCCESS)
     return jsonify(response_data)