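def output(target):
    """Reverse-whois pivot: find other domains registered with target.mail.

    Skipped when the whois module stored no mail.  Queries the
    whois.aizhan.com reverse-whois page for that address, scrapes the domain
    links out of the HTML and queues each one (except target.n_domain itself)
    for tPing workers, which are defined elsewhere and presumably resolve the
    domain and compare it with target.ip.  Errors are logged and reported as
    a module failure rather than raised.
    """
    if not hasattr(target, 'mail'):
        print('')
        return
    print_color('whois same mail %s domain ...' % target.mail, 2)
    thread_count = 5
    queue = Queue.Queue()
    try:
        # target.mail was scraped from untrusted whois text.  The whois
        # module's regex already restricts it to word chars, '.', '-' and
        # '@', but percent-encode it anyway so it can never add query
        # parameters to this request.
        from urllib import quote
        path = '/reverse-whois/?q=%s&t=email' % quote(target.mail, safe='')
        code, content = get('whois.aizhan.com', path)
        domains = findall(r'_blank">(.*?)</a></td>', content)
        if domains:
            for domain in domains:
                if domain != target.n_domain:
                    queue.put(domain)
            workers = [tPing(queue, target.ip) for _ in xrange(thread_count)]
            for w in workers:
                w.start()
            for w in workers:
                w.join()
    except Exception:
        # Was a bare except, which also swallowed KeyboardInterrupt while
        # the worker threads were being joined.
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print('')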
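def output(target):
    """List other domains hosted on target.ip (reverse-IP via dns.aizhan.com).

    Runs only when the CDN module marked the IP as a real origin
    (target.iscdn is False) and a full domain is known; behind a CDN the
    shared address would list unrelated tenants.  The page count is scraped
    from the first response, every page is fetched by tThread workers into
    `found` (dicts carrying at least a 'domain' key), and each domain is then
    queued for tPing workers that compare it with target.ip.  Failures are
    logged and reported, matching the other modules, instead of aborting the
    whole run.
    """
    if not (hasattr(target, 'iscdn') and not target.iscdn and target.f_domain):
        print('')
        return
    thread_count = 5
    found = []  # filled by tThread; originally aliased the thread list
    queue = Queue.Queue()
    print_color('find domain in same IP for %s..' % target.ip, 2)
    try:
        code, content = get('dns.aizhan.com',
                            '/index.php?r=index/pages&q=%s' % target.f_domain)
        # The pager shows "1/<total>"; default to a single page if absent.
        match = re.search(r'1/(\d{1,})', content)
        page_count = int(match.group(1)) if match else 1
        # NOTE(review): page_count comes from third-party HTML and is not
        # capped, so a bogus value would enqueue that many requests.
        for page in xrange(1, page_count + 1):
            queue.put('/index.php?r=index/getress&q=%s&page=%d'
                      % (target.f_domain, page))
        workers = [tThread(queue, found) for _ in xrange(thread_count)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
        # Second pass: resolve each discovered domain against target.ip.
        for entry in found:
            queue.put(entry['domain'])
        workers = [tPing(queue, target.ip) for _ in xrange(thread_count)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
    except Exception:
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print('')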
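def output(target):
    """Try a DNS zone transfer (AXFR) for target.n_domain.

    Looks up the NS records through 223.5.5.5 (UDP), then sends an AXFR over
    TCP to each nameserver.  The first server that answers sets
    target.axfr = True and its records go to parse_record, which prints the
    ones holding an IP address and stars those equal to target.ip; remaining
    servers are skipped.  target.axfr is reset to False first so the
    sub-domain module can tell "not tested" (attribute absent) from
    "refused".  A nameserver that times out or errors no longer prevents the
    others from being tried; all failures are logged, not raised.
    """
    if target.n_domain:
        target.axfr = False
        print_color('Test AXFR request for %s' % target.n_domain, 2)
        try:
            ns_query = DNS.DnsRequest(target.n_domain, qtype="NS",
                                      server=['223.5.5.5'], protocol='udp',
                                      timeout=10)
            nameservers = [answer['data'] for answer in ns_query.req().answers]
        except Exception:
            log.exception('exception')
            nameservers = []
        for nameserver in nameservers:
            print_color('Test DNS %s' % nameserver, 2)
            try:
                axfr = DNS.DnsRequest(target.n_domain, qtype="AXFR",
                                      server=[nameserver], protocol='tcp',
                                      timeout=10)
                reply = axfr.req()
            except Exception:
                # One unreachable/refusing server must not mask the others.
                log.exception('exception')
                continue
            if len(reply.answers) > 0:
                target.axfr = True
                parse_record(reply.answers, target.ip)
                break
    print('')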
def output(target):
    """Scan a few web ports across the /24 containing target.ip.

    Asks for confirmation first (query_yes_no) because 254 hosts x 4 ports
    takes a while.  Every ip/port pair is queued and handled by 20 tPort
    worker threads.  The subnet is built by replacing the last dotted octet
    of target.ip with 1..254, so an IPv4 address is assumed.
    """
    if query_yes_no('subnet port scan requires a lot of time.'):
        web_ports = [80, 8000, 8080, 88]
        worker_count = 20
        queue = Queue.Queue()
        print_color('scan port for subnet %s..' % target.ip, 2)
        prefix = target.ip[0:target.ip.rfind('.')]
        hosts = ['%s.%d' % (prefix, last_octet) for last_octet in range(1, 255)]
        for port in web_ports:
            for host in hosts:
                queue.put({'ip': host, 'port': port})
        workers = [tPort(queue) for _ in xrange(worker_count)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
    print('')
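def output(target):
    """Reverse-IP lookup: domains that share target.ip, via dns.aizhan.com.

    Requires the CDN module to have run and found no CDN (target.iscdn is
    False) plus a full domain; otherwise nothing is done.  Reads the total
    page count from the first page, fetches all pages with tThread workers
    (each appends dicts with a 'domain' key to `results`), then queues every
    domain for tPing workers that check it against target.ip.  Network or
    parsing errors are logged and reported, consistent with the other
    modules, rather than propagated.
    """
    if not hasattr(target, 'iscdn') or target.iscdn or not target.f_domain:
        print('')
        return
    worker_count = 5
    results = []
    queue = Queue.Queue()
    print_color('find domain in same IP for %s..' % target.ip, 2)
    try:
        code, content = get('dns.aizhan.com',
                            '/index.php?r=index/pages&q=%s' % target.f_domain)
        # Pager text "1/<total>"; treat a missing pager as one page.
        pager = re.search(r'1/(\d{1,})', content)
        last_page = int(pager.group(1)) if pager else 1
        # NOTE(review): last_page is untrusted (scraped) and unbounded.
        pages = ['/index.php?r=index/getress&q=%s&page=%d' % (target.f_domain, n)
                 for n in xrange(1, last_page + 1)]
        for path in pages:
            queue.put(path)
        fetchers = [tThread(queue, results) for _ in xrange(worker_count)]
        for f in fetchers:
            f.start()
        for f in fetchers:
            f.join()
        # Resolve every discovered domain and flag those pointing at target.ip.
        for item in results:
            queue.put(item['domain'])
        pingers = [tPing(queue, target.ip) for _ in xrange(worker_count)]
        for p in pingers:
            p.start()
        for p in pingers:
            p.join()
    except Exception:
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print('')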
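def parse_record(records, ip):
    """Print the DNS records in `records` whose data is an IP address.

    Each record is expected to be a dict with 'name' and 'data'.  Records
    that are not dicts, have no 'data', or whose data is not a str accepted
    by valid_ip are skipped silently (so NS/MX/TXT entries print nothing).
    A record pointing at `ip` is shown as "<name> *" to mark the scanned host
    itself; any other address is shown as "<name> <address>".
    """
    for record in records:
        if not isinstance(record, dict):
            continue
        # .get() instead of [] so a record without 'data' is skipped, not fatal.
        data = record.get('data')
        if not isinstance(data, str) or not valid_ip(data):
            continue
        if data == ip:
            print_color('%s *' % record['name'], 1)
        else:
            print_color('%s %s' % (record['name'], data), 1)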
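def parse_record(records, ip):
    """Report zone-transfer records that carry an IP address.

    Only dict records with a str 'data' that valid_ip accepts are printed;
    everything else is ignored.  Records equal to `ip` (the host being
    scanned) print as "<name> *", the rest as "<name> <address>".  Uses
    isinstance and dict.get so dict subclasses are accepted and a missing
    'data' key is skipped instead of raising.
    """
    def _address(record):
        # Return the record's data only when it is a str holding a valid IP.
        if not isinstance(record, dict):
            return None
        data = record.get('data')
        if isinstance(data, str) and valid_ip(data):
            return data
        return None

    for record in records:
        address = _address(record)
        if address is None:
            continue
        label = '%s *' % record['name'] if address == ip \
            else '%s %s' % (record['name'], address)
        print_color(label, 1)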
def output(target):
    """Scan a fixed list of common service ports on target.ip.

    Skipped unless the CDN module has run and concluded the IP is the origin
    (target.iscdn is False); scanning a CDN edge would only profile the CDN.
    Each port is queued as {'ip', 'port'} and handled by 20 tPort worker
    threads, which print whatever they find.  Only run against hosts you are
    authorised to test.
    """
    if not hasattr(target, 'iscdn') or target.iscdn:
        print('')
        return
    common_ports = (21, 22, 23, 25, 80, 81, 110, 135, 139, 389, 443, 445, 873,
                    1433, 1434, 1521, 2433, 3306, 3307, 3366, 3336, 3380, 3389,
                    3968, 5800, 5900, 7755, 8000, 8001, 8002, 8080, 8650, 8888,
                    8800, 9999, 12580, 22222, 22022, 27017, 28017, 33089,
                    34567, 43958, 50001)
    print_color('scan port for IP %s..' % target.ip, 2)
    worker_count = 20
    queue = Queue.Queue()
    for port in common_ports:
        queue.put({'ip': target.ip, 'port': port})
    workers = [tPort(queue) for _ in xrange(worker_count)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    print('')
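def output(target):
    """Decide whether target.ip is a CDN/WAF edge rather than the origin.

    Three checks, each only if the previous one found nothing:
      1. any response header name containing 'cdn';
      2. a header name from the known vendor list (360wzb, anquanbao,
         chinacache, webluker, x-cache);
      3. a CNAME for target.f_domain (resolved via 8.8.8.8 over TCP) that
         contains a known CDN marker.
    Sets target.iscdn to True or False; later modules skip port scans and
    reverse-IP lookups when it is True.  Header names are assumed to be
    lower-cased by the fetcher, as the other modules index them that way.
    The vendor and CNAME lists are short, so False means "no known CDN
    detected", not "origin confirmed".
    """
    vendor_headers = ['x-powered-by-360wzb', 'x-powered-by-anquanbao',
                      'x-cache', 'webluker-edge', 'powered-by-chinacache']
    cdn_markers = ['360wzb', 'incapdns', 'aqb.so']
    target.iscdn = False
    print_color('Test CDN for %s' % target.ip, 2)
    print_color('Test CDN for %s with HTTP header' % target.f_domain, 2)
    if any('cdn' in name for name in target.header):
        target.iscdn = True
    if not target.iscdn:
        # Keep a real bool: the original stored None here, which `not x`
        # checks tolerate but which is inconsistent with the False above.
        target.iscdn = bool(set(target.header).intersection(vendor_headers))
    if not target.iscdn and target.f_domain:
        try:
            print_color('Test CDN for %s with CNAME' % target.f_domain, 2)
            request = DNS.DnsRequest(target.f_domain, qtype="CNAME",
                                     server=['8.8.8.8'], protocol='tcp',
                                     timeout=10)
            reply = request.req()
            # Look at every CNAME in the chain, not just the first record.
            for answer in reply.answers:
                cname = answer['data']
                if any(marker in cname for marker in cdn_markers):
                    target.iscdn = True
                    break
        except Exception:
            log.exception('exception')
            print_color(__name__ + ' faild', 0)
    if target.iscdn:
        print_color(target.iscdn, 1)
    print('')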
def output(target):
    """Port-scan the whole /24 around target.ip on a handful of web ports.

    Prompts via query_yes_no because the sweep (254 hosts, 4 ports) is slow
    and declines silently when refused.  Host addresses are derived by
    swapping the final dotted octet of target.ip for 1..254 (IPv4 only);
    each (host, port) pair is queued for 20 tPort threads.
    """
    if not query_yes_no('subnet port scan requires a lot of time.'):
        print('')
        return
    ports = [80, 8000, 8080, 88]
    worker_count = 20
    queue = Queue.Queue()
    print_color('scan port for subnet %s..' % target.ip, 2)
    network = target.ip[0:target.ip.rfind('.')]
    for port in ports:
        for octet in range(1, 255):
            queue.put({'ip': '%s.%d' % (network, octet), 'port': port})
    scanners = [tPort(queue) for _ in xrange(worker_count)]
    for s in scanners:
        s.start()
    for s in scanners:
        s.join()
    print('')
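def output(target):
    """Enumerate domains whose whois registrant e-mail equals target.mail.

    Does nothing when the whois module found no mail.  Fetches the
    whois.aizhan.com reverse-whois page, pulls the linked domains out of the
    HTML, drops target.n_domain itself and hands the rest to tPing workers
    (defined elsewhere; presumably they resolve each domain and compare it
    with target.ip).  Any error is logged and reported as a module failure.
    """
    if hasattr(target, 'mail'):
        print_color('whois same mail %s domain ...' % target.mail, 2)
        worker_count = 5
        queue = Queue.Queue()
        try:
            # Defence in depth: the mail is untrusted whois output (already
            # regex-restricted upstream), so encode it before it enters the
            # query string.
            from urllib import quote
            code, content = get(
                'whois.aizhan.com',
                '/reverse-whois/?q=%s&t=email' % quote(target.mail, safe=''))
            candidates = [d for d in findall(r'_blank">(.*?)</a></td>', content)
                          if d != target.n_domain]
            # Original only spawned workers when the scrape found something;
            # keep that so an empty page does not start idle threads.
            if findall(r'_blank">(.*?)</a></td>', content):
                for domain in candidates:
                    queue.put(domain)
                workers = [tPing(queue, target.ip) for _ in xrange(worker_count)]
                for w in workers:
                    w.start()
                for w in workers:
                    w.join()
        except Exception:
            # `except Exception`, not bare: Ctrl-C must still stop the scan.
            log.exception('exception')
            print_color(__name__ + ' faild', 0)
    print('')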
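def output(target):
    """Fingerprint the web server and, for nginx, probe the path-info
    parsing bug (a request for `x.jpg/.php` being executed as PHP).

    Reads the Server header (lower-cased) and records target.server as
    'Nginx', 'Apache' or 'IIS'; the attribute is left unset when there is no
    Server header or it matches none of these.  For nginx it HEADs
    /robots.txt/.php, /robots.txt/1.php and, if the front page links a .jpg,
    <img src>/.php and <img src>/1.php; a 200 with a text/html content-type
    is reported as the parsing vulnerability.  Probe errors are logged and
    reported instead of aborting the run, and a missing content-type no
    longer raises KeyError.
    """
    print_color('Test server exploit %s...' % target.ip, 2)
    probe_paths = ['/robots.txt/.php', '/robots.txt/1.php']
    if 'server' in target.header:
        server = target.header['server'].lower()
        if 'nginx' in server:
            target.server = 'Nginx'
            print_color('Test server nginx Parsing Vulnerabilities', 2)
            host = target.f_domain if target.f_domain else target.ip
            domain = '%s:%d' % (host, target.port)
            # NOTE(review): get/head are called without target.protocol here,
            # unlike the script-probe module; an HTTPS-only host may be
            # probed over the wrong scheme — confirm the helpers' defaults.
            try:
                code, content = get(domain, '/')
                match = re.search(r'src="(http.+?\.jpg)"', content)
                if match:
                    # This is an absolute URL.  If the image is served from
                    # another host (static/CDN domain) the probe is still sent
                    # to `domain` and says nothing about the origin.
                    probe_paths.append('%s/.php' % match.group(1))
                    probe_paths.append('%s/1.php' % match.group(1))
                for path in probe_paths:
                    code, header = head(domain, path)
                    content_type = header['content-type'] \
                        if 'content-type' in header else ''
                    # Caveat: a catch-all front controller that answers 200
                    # text/html to any path produces a false positive here;
                    # confirm manually before reporting.
                    if code == 200 and 'text/html' in content_type:
                        print_color('the server has nginx parsing vulnerabilities', 1)
                        break
            except Exception:
                log.exception('exception')
                print_color(__name__ + ' faild', 0)
        elif 'apache' in server:
            target.server = 'Apache'
        elif 'iis' in server:
            target.server = 'IIS'
    print('')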
def output(target):
    """TCP port scan of target.ip over a built-in list of interesting ports.

    Runs only after the CDN check has decided the address is the origin
    (target.iscdn present and False).  Work items are {'ip': ..., 'port': ...}
    dicts consumed by 20 tPort threads; results are printed by the workers.
    """
    if hasattr(target, 'iscdn') and not target.iscdn:
        port_list = [21, 22, 23, 25, 80, 81, 110, 135, 139, 389, 443, 445,
                     873, 1433, 1434, 1521, 2433, 3306, 3307, 3366, 3336,
                     3380, 3389, 3968, 5800, 5900, 7755, 8000, 8001, 8002,
                     8080, 8650, 8888, 8800, 9999, 12580, 22222, 22022,
                     27017, 28017, 33089, 34567, 43958, 50001]
        print_color('scan port for IP %s..' % target.ip, 2)
        queue = Queue.Queue()
        jobs = [{'ip': target.ip, 'port': p} for p in port_list]
        for job in jobs:
            queue.put(job)
        scanners = []
        for _ in xrange(20):
            scanner = tPort(queue)
            scanner.start()
            scanners.append(scanner)
        for scanner in scanners:
            scanner.join()
    print('')
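def output(target):
    """Collect sub-domains of target.n_domain from public sources and ping them.

    Runs only when the AXFR module ran and failed (target.axfr is False),
    since a successful zone transfer already listed every name.  Prefixes
    are scraped from Baidu (site: search), i.links.cn (POST form) and Alexa,
    de-duplicated (first occurrence kept), re-joined with the domain and
    queued for tPing workers that compare each resolved address with
    target.ip.  A failing source is reported and skipped; anything else is
    logged as a module failure.

    Fixes: the i.links.cn pattern was never %-formatted, so it searched for
    a literal "%s" and matched nothing; the domain is now re.escape'd so its
    dots match literally.
    """
    if not (hasattr(target, "axfr") and not target.axfr and target.n_domain):
        print("")
        return
    worker_count = 5
    queue = Queue.Queue()
    escaped = re.escape(target.n_domain)
    apis = [
        {"domain": "www.baidu.com",
         "path": "/s?wd=site:%s&pn=0&ie=utf-8" % target.n_domain,
         "method": "get",
         "regex": '"g">(.*?)%s' % escaped},
        {"domain": "i.links.cn",
         "path": "/subdomain/",
         "method": "post",
         "regex": "target=_blank>http://(.*?)%s" % escaped,
         "data": {"domain": target.n_domain, "b2": "1", "b3": "1", "b4": "1"}},
        {"domain": "www.alexa.com",
         "path": "/siteinfo/%s" % target.n_domain,
         "method": "get",
         "regex": "word-wrap'>(.*?)%s" % escaped},
    ]
    print_color("find subdomain for %s.." % target.n_domain, 2)
    prefixes = []
    try:
        for api in apis:
            try:
                if api["method"] == "get":
                    code, content = get(api["domain"], api["path"])
                    prefixes += findall(api["regex"], content)
                elif api["method"] == "post":
                    code, content = post(api["domain"], api["path"], api["data"])
                    prefixes += findall(api["regex"], content)
            except Exception:
                print_color(api["domain"] + " Faild", 0)
        # De-duplicate while keeping discovery order.
        seen = set()
        for prefix in prefixes:
            if prefix in seen:
                continue
            seen.add(prefix)
            queue.put("%s%s" % (prefix, target.n_domain))
        workers = [tPing(queue, target.ip) for _ in xrange(worker_count)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
    except Exception:
        log.exception("exception")
        print_color(__name__ + " faild", 0)
    print("")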
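def output(target):
    """Detect whether the target sits behind a CDN/WAF and set target.iscdn.

    Checks, in order and stopping at the first hit: a response header name
    containing 'cdn'; a header name from a short list of Chinese CDN/WAF
    vendors; and, if a full domain is known, a CNAME for target.f_domain
    (via 8.8.8.8, TCP) containing a known CDN string.  target.iscdn ends up
    True or False (never None, which the original could leave behind).
    Downstream modules use the flag to avoid scanning a CDN edge.  The lists
    are far from exhaustive, so False only means "nothing recognised".
    """
    vendor_headers = set(['x-powered-by-360wzb', 'x-powered-by-anquanbao',
                          'x-cache', 'webluker-edge', 'powered-by-chinacache'])
    cdn_markers = ['360wzb', 'incapdns', 'aqb.so']
    target.iscdn = False
    print_color('Test CDN for %s' % target.ip, 2)
    print_color('Test CDN for %s with HTTP header' % target.f_domain, 2)
    for name in target.header:
        if 'cdn' in name:
            target.iscdn = True
            break
    if not target.iscdn:
        for name in target.header:
            if name in vendor_headers:
                target.iscdn = True
                break
    if not target.iscdn and target.f_domain:
        try:
            print_color('Test CDN for %s with CNAME' % target.f_domain, 2)
            reply = DNS.DnsRequest(target.f_domain, qtype="CNAME",
                                   server=['8.8.8.8'], protocol='tcp',
                                   timeout=10).req()
            # Walk the whole CNAME chain rather than only the first answer.
            chain = [answer['data'] for answer in reply.answers]
            for cname in chain:
                if any(marker in cname for marker in cdn_markers):
                    target.iscdn = True
                    break
        except Exception:
            log.exception('exception')
            print_color(__name__ + ' faild', 0)
    if target.iscdn:
        print_color(target.iscdn, 1)
    print('')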
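def output(target):
    """Attempt a zone transfer (AXFR) against each nameserver of target.n_domain.

    Nameservers come from an NS query to 223.5.5.5 over UDP; each then gets
    an AXFR over TCP.  On the first non-empty answer target.axfr becomes True,
    parse_record prints the IP-bearing records (starring target.ip), and the
    loop stops.  target.axfr is initialised to False whenever a domain is
    present, which the sub-domain module relies on via hasattr.  Each
    nameserver is tried independently so one timeout does not hide an open
    transfer on another; errors are logged rather than raised.
    """
    if not target.n_domain:
        print('')
        return
    target.axfr = False
    print_color('Test AXFR request for %s' % target.n_domain, 2)
    nameservers = []
    try:
        ns_reply = DNS.DnsRequest(target.n_domain, qtype="NS",
                                  server=['223.5.5.5'], protocol='udp',
                                  timeout=10).req()
        nameservers = [answer['data'] for answer in ns_reply.answers]
    except Exception:
        log.exception('exception')
    for nameserver in nameservers:
        print_color('Test DNS %s' % nameserver, 2)
        try:
            transfer = DNS.DnsRequest(target.n_domain, qtype="AXFR",
                                      server=[nameserver], protocol='tcp',
                                      timeout=10).req()
        except Exception:
            log.exception('exception')
            continue
        if transfer.answers:
            target.axfr = True
            parse_record(transfer.answers, target.ip)
            break
    print('')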
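def output(target):
    """Print the geolocation (country, region, city, ISP) of target.ip.

    Uses the ip.taobao.com getIpInfo service and prints the four fields
    encoded as GBK, which targets a Chinese Windows console; on a UTF-8
    terminal this shows mojibake.  Any failure (network error, malformed
    JSON, a payload without the expected 'data' fields) is logged and
    reported as a module failure.
    """
    print_color('get location for IP %s' % target.ip, 2)
    try:
        code, content = get('ip.taobao.com',
                            '/service/getIpInfo.php?ip=%s' % target.ip)
        info = json.loads(content)['data']
        fields = [info[key].encode('gbk')
                  for key in ('country', 'region', 'city', 'isp')]
        print_color('%s %s %s %s' % tuple(fields), 1)
    except Exception:
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print('')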
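def output(target):
    """Look up where target.ip is located using ip.taobao.com.

    Prints "country region city isp" from the service's 'data' object.  The
    strings are GBK-encoded for a Chinese Windows console (they will look
    garbled elsewhere).  Errors of any kind — including an unexpected
    response shape — are logged and reported instead of raised; the bare
    except is narrowed so KeyboardInterrupt still stops the tool.
    """
    print_color('get location for IP %s' % target.ip, 2)
    try:
        code, content = get('ip.taobao.com',
                            '/service/getIpInfo.php?ip=%s' % target.ip)
        data = json.loads(content)['data']
        location = '%s %s %s %s' % (data['country'].encode('gbk'),
                                    data['region'].encode('gbk'),
                                    data['city'].encode('gbk'),
                                    data['isp'].encode('gbk'))
        print_color(location, 1)
    except Exception:
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print('')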
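def output(target):
    """Whois target.n_domain and remember the first registrant e-mail.

    Calls get_whois up to three times (it is slow and times out), extracts
    e-mail-looking tokens from the raw record with a deliberately narrow
    regex (word characters, '.', '-' and '@' only), drops those rejected by
    filter_mail (defined elsewhere) and stores the first, lower-cased, as
    target.mail for the reverse-whois module.  Because target.mail is later
    interpolated into a URL, keep that regex tight.  Note the loop also
    retries when the lookup succeeded but found no address.
    """
    if target.n_domain:
        print_color('whois %s.' % target.n_domain, 2)
        for attempt in range(1, 4):
            try:
                raw = get_whois(target.n_domain)['raw'][0]
                candidates = findall(r'[\w\.-]+@[\w-]+\.[\w\.-]+', raw)
                candidates = [m for m in candidates if filter_mail(m)]
                if candidates:
                    target.mail = candidates[0].lower()
                    break
            except Exception:
                print_color('re-whois %s %d number of times'
                            % (target.n_domain, attempt), 2)
        if hasattr(target, 'mail'):
            print_color(target.mail, 1)
    print('')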
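def output(target):
    """Identify the HTTP server from the Server header; for nginx, test the
    classic path-info mis-parsing (`image.jpg/.php` executed as PHP).

    target.server is set to 'Nginx', 'Apache' or 'IIS' when the lower-cased
    Server header contains those words, and left untouched otherwise.  The
    nginx probe HEADs /robots.txt/.php and /robots.txt/1.php plus, if the
    front page references a .jpg, that URL with "/.php" and "/1.php"
    appended; the first 200 response with a text/html content-type is
    reported.  Errors during the probe are logged and reported rather than
    crashing the run, and a response without content-type is treated as
    not HTML instead of raising KeyError.
    """
    print_color('Test server exploit %s...' % target.ip, 2)
    candidates = ['/robots.txt/.php', '/robots.txt/1.php']
    if 'server' not in target.header:
        print('')
        return
    server = target.header['server'].lower()
    if 'nginx' in server:
        target.server = 'Nginx'
        print_color('Test server nginx Parsing Vulnerabilities', 2)
        if target.f_domain:
            domain = '%s:%d' % (target.f_domain, target.port)
        else:
            domain = '%s:%d' % (target.ip, target.port)
        try:
            code, content = get(domain, '/')
            image = re.search(r'src="(http.+?\.jpg)"', content)
            if image:
                # Absolute URL: only meaningful when the image is hosted on
                # `domain` itself; a static/CDN host makes the probe moot.
                candidates.append('%s/.php' % image.group(1))
                candidates.append('%s/1.php' % image.group(1))
            for path in candidates:
                code, header = head(domain, path)
                content_type = header['content-type'] \
                    if 'content-type' in header else ''
                # False positives are possible if every path returns an
                # HTML 200 (catch-all front controller) — verify by hand.
                if code == 200 and content_type.find('text/html') > -1:
                    print_color('the server has nginx parsing vulnerabilities', 1)
                    break
        except Exception:
            log.exception('exception')
            print_color(__name__ + ' faild', 0)
    elif 'apache' in server:
        target.server = 'Apache'
    elif 'iis' in server:
        target.server = 'IIS'
    print('')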
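def output(target):
    """Harvest sub-domain prefixes for target.n_domain from search engines.

    Only runs when an AXFR was attempted and refused (target.axfr is False);
    a successful transfer already enumerated the zone.  Sources are Baidu,
    i.links.cn (POST) and Alexa; each regex captures the text in front of
    the domain, the prefixes are de-duplicated in first-seen order and
    "<prefix><domain>" is queued for tPing workers that check the resolved
    address against target.ip.  A source that fails is reported and skipped.

    The i.links.cn pattern is now %-formatted like the other two (it used to
    contain a literal "%s" and never matched), uses a non-greedy group like
    them, and the domain is re.escape'd so '.' matches literally.
    """
    if not (hasattr(target, 'axfr') and not target.axfr and target.n_domain):
        print('')
        return
    worker_count = 5
    queue = Queue.Queue()
    domain_re = re.escape(target.n_domain)
    sources = [
        {'domain': 'www.baidu.com',
         'path': '/s?wd=site:%s&pn=0&ie=utf-8' % target.n_domain,
         'method': 'get',
         'regex': '"g">(.*?)%s' % domain_re},
        {'domain': 'i.links.cn',
         'path': '/subdomain/',
         'method': 'post',
         'regex': 'target=_blank>http://(.*?)%s' % domain_re,
         'data': {'domain': target.n_domain, 'b2': '1', 'b3': '1', 'b4': '1'}},
        {'domain': 'www.alexa.com',
         'path': '/siteinfo/%s' % target.n_domain,
         'method': 'get',
         'regex': "word-wrap'>(.*?)%s" % domain_re},
    ]
    print_color('find subdomain for %s..' % target.n_domain, 2)
    found = []
    try:
        for source in sources:
            try:
                if source['method'] == 'get':
                    code, content = get(source['domain'], source['path'])
                    found.extend(findall(source['regex'], content))
                elif source['method'] == 'post':
                    code, content = post(source['domain'], source['path'],
                                         source['data'])
                    found.extend(findall(source['regex'], content))
            except Exception:
                print_color(source['domain'] + ' Faild', 0)
        unique = []
        for prefix in found:
            if prefix not in unique:
                unique.append(prefix)
        for prefix in unique:
            queue.put('%s%s' % (prefix, target.n_domain))
        workers = [tPing(queue, target.ip) for _ in xrange(worker_count)]
        for w in workers:
            w.start()
        for w in workers:
            w.join()
    except Exception:
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print('')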
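def output(target):
    """Guess the server-side scripting technology; store it in target.script.

    Result is one of 'ASP/ASPX', 'ASP', 'ASPX', 'PHP' or 'unknown'.  Three
    probes, each only while the earlier ones found nothing:
      1. X-Powered-By header: 'ASP.NET' -> 'ASP/ASPX', 'PHP/' -> 'PHP';
      2. HEAD /index.asp, /index.aspx, /index.php on the site — first 200
         wins;
      3. google.com.hk `site:<host> inurl:<ext>` — deliberately NO break:
         'inurl:asp' also matches .aspx URLs, so a later, more specific hit
         (ASPX, then PHP) is allowed to override an earlier one.
    Probes 2 and 3 are wrapped so a network failure keeps whatever was
    found; the original bare except is narrowed to Exception.
    """
    by_powered_by = [{'type': 'ASP/ASPX', 'str': 'ASP.NET'},
                     {'type': 'PHP', 'str': 'PHP/'}]
    by_index_page = [{'type': 'ASP', 'path': '/index.asp'},
                     {'type': 'ASPX', 'path': '/index.aspx'},
                     {'type': 'PHP', 'path': '/index.php'}]
    by_search = [{'type': 'ASP', 'path': '/search?q=site:%s+inurl:asp'},
                 {'type': 'ASPX', 'path': '/search?q=site:%s+inurl:aspx'},
                 {'type': 'PHP', 'path': '/search?q=site:%s+inurl:php'}]
    if target.f_domain:
        domain = '%s:%d' % (target.f_domain, target.port)
    else:
        domain = '%s:%d' % (target.ip, target.port)
    print_color('Probe website %s script...' % domain, 2)
    target.script = 'unknown'
    if 'x-powered-by' in target.header:
        print_color('Test Script for %s with X-Powered-By' % target.f_domain, 2)
        powered_by = target.header['x-powered-by']
        for item in by_powered_by:
            if item['str'] in powered_by:
                target.script = item['type']
                break
    try:
        if target.script == 'unknown':
            print_color('Test script for %s with HTTP header' % target.f_domain, 2)
            for item in by_index_page:
                code, header = head(domain, item['path'], target.protocol)
                if code == 200:
                    target.script = item['type']
                    break
        if target.script == 'unknown':
            print_color('Test script for %s with search engine' % target.f_domain, 2)
            host = target.f_domain if target.f_domain else target.ip
            for item in by_search:
                code, content = get('www.google.com.hk', item['path'] % host)
                # resultStats is only present when the search had hits.
                if search(r'resultStats">(.*?)<nobr>', content):
                    target.script = item['type']
    except Exception:
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print_color(target.script, 1)
    print('')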
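def output(target):
    """Probe which scripting stack the site runs and record target.script.

    Possible values: 'ASP/ASPX', 'ASP', 'ASPX', 'PHP', 'unknown'.  Order of
    evidence: the X-Powered-By header ('ASP.NET' or 'PHP/'), then HEAD
    requests for /index.asp, /index.aspx and /index.php (first 200 wins),
    then Google (google.com.hk) `site:... inurl:<ext>` result counts.  The
    search loop intentionally does not break: "inurl:asp" also matches aspx
    pages, so later, more specific matches (ASPX, PHP) override earlier
    ones.  Network failures in the last two probes are logged and reported;
    the value found so far is kept.
    """
    header_markers = (('ASP/ASPX', 'ASP.NET'), ('PHP', 'PHP/'))
    index_pages = (('ASP', '/index.asp'), ('ASPX', '/index.aspx'),
                   ('PHP', '/index.php'))
    search_queries = (('ASP', '/search?q=site:%s+inurl:asp'),
                      ('ASPX', '/search?q=site:%s+inurl:aspx'),
                      ('PHP', '/search?q=site:%s+inurl:php'))
    host = target.f_domain if target.f_domain else target.ip
    domain = '%s:%d' % (host, target.port)
    print_color('Probe website %s script...' % domain, 2)
    target.script = 'unknown'
    if 'x-powered-by' in target.header:
        print_color('Test Script for %s with X-Powered-By' % target.f_domain, 2)
        for script_type, marker in header_markers:
            if marker in target.header['x-powered-by']:
                target.script = script_type
                break
    try:
        if target.script == 'unknown':
            print_color('Test script for %s with HTTP header' % target.f_domain, 2)
            for script_type, path in index_pages:
                code, header = head(domain, path, target.protocol)
                if code == 200:
                    target.script = script_type
                    break
        if target.script == 'unknown':
            print_color('Test script for %s with search engine' % target.f_domain, 2)
            for script_type, path_template in search_queries:
                code, content = get('www.google.com.hk', path_template % host)
                if search(r'resultStats">(.*?)<nobr>', content):
                    target.script = script_type
    except Exception:
        log.exception('exception')
        print_color(__name__ + ' faild', 0)
    print_color(target.script, 1)
    print('')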