def list(loadpath=None):
    """Return cached post-module configs, or the single one matching loadpath.

    Internal modules (MODULETYPE == TAG2CH.internal) are removed from the
    cached list in place.  With no loadpath every config's OPTIONS is blanked
    and the whole list is returned (200).  With a loadpath the matching config
    is passed through PostModuleConfig._deal_dynamic_option and returned;
    an unknown loadpath still answers 200, with an empty dict payload.
    """
    configs = Xcache.list_moduleconfigs()
    if configs is None:
        # Cache miss: populate the cache from disk, then read it again.
        PostModuleConfig.load_all_modules_config()
        configs = Xcache.list_moduleconfigs()

    # Iterate a snapshot so removal from the live list is safe.
    for cfg in tuple(configs):
        if cfg.get('MODULETYPE') == TAG2CH.internal:
            configs.remove(cfg)

    if loadpath is None:
        for cfg in configs:
            cfg['OPTIONS'] = []
        return data_return(200, CODE_MSG.get(200), configs)

    for cfg in configs:
        if cfg.get('loadpath') == loadpath:
            # Handler and credential options are resolved per request.
            resolved = PostModuleConfig._deal_dynamic_option(one_module_config=cfg)
            return data_return(200, CODE_MSG.get(200), resolved)

    # No module with that loadpath.
    return data_return(200, CODE_MSG.get(200), {})
def destroy(sessionid=None):
    """Ask the RPC backend to stop a session and report the outcome.

    304 for a missing or non-positive sessionid; 202 when the RPC call
    returns None (treated as a timeout); 201 when the backend reports
    'success'; 301 for any other result or for an exception.  Every outcome
    except 304 also posts a Notice carrying the session id.
    """
    if sessionid is None or sessionid <= 0:
        return data_return(304, Session_MSG.get(304), {})

    try:
        result = RpcClient.call(Method.SessionStop, [sessionid], timeout=12)
        if result is None:
            # No reply within the timeout: the stop request is treated as accepted.
            code, notify = 202, Notice.send_success
        elif result.get('result') == 'success':
            code, notify = 201, Notice.send_success
        else:
            code, notify = 301, Notice.send_warning
        notify(f"{Session_MSG.get(code)} SID: {sessionid}")
        return data_return(code, Session_MSG.get(code), {})
    except Exception as E:
        logger.error(E)
        Notice.send_warning(f"{Session_MSG.get(301)} SID: {sessionid}")
        return data_return(301, Session_MSG.get(301), {})
def destory(subnet=None, netmask=None, sessionid=None):
    """Delete a pivot route via the multi/manage/routeapi post module.

    505 when the module produced no output, 306 when the output is not JSON,
    204 (plus a Notice) when the module reports status True, 304 otherwise.
    """
    opts = {'CMD': 'delete', 'SUBNET': subnet, 'NETMASK': netmask, 'SESSION': sessionid}
    raw = MSFModule.run(module_type="post", mname="multi/manage/routeapi", opts=opts)
    if raw is None:
        return data_return(505, CODE_MSG.get(505), [])

    try:
        reply = json.loads(raw)
    except Exception as E:
        logger.warning(E)
        return data_return(306, Route_MSG.get(306), {})

    if reply.get('status') is not True:
        return data_return(304, Route_MSG.get(304), {})
    Notice.send_info(f"删除路由,SID:{sessionid} {subnet}/{netmask}")
    return data_return(204, Route_MSG.get(204), {})
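def list(self, request, **kwargs):
    """Send a stored MSF file back to the client as an attachment.

    The file name arrives encrypted in the ``en`` query parameter and is
    decrypted by FileMsf.decrypt_file_name; a name that does not decrypt is
    a 500.  A file that cannot be read is a 304.  Every failure path returns
    a DRF Response — the read-failure branch previously returned the bare
    context dict, which a DRF view cannot render.
    """
    try:
        enfilename = request.query_params.get('en', None)
        filename = FileMsf.decrypt_file_name(enfilename)
        if filename is None:
            context = data_return(500, CODE_MSG.get(500), {})
            return Response(context)

        # assumes read_msf_file confines reads to the MSF file directory — TODO confirm
        binary_data = FileMsf.read_msf_file(filename)
        if binary_data is None:
            # Fix: wrap in Response like every other return in this view.
            context = data_return(304, HostFile_MSG.get(304), {})
            return Response(context)

        response = HttpResponse(binary_data)
        response['Content-Type'] = 'application/octet-stream'
        response['Content-Disposition'] = f'attachment;filename="(unknown)"'
        response['Code'] = 200
        response['Message'] = quote(FileMsf_MSG.get(203))

        # NOTE(review): X-Real-IP is proxy-supplied; it is only meaningful for
        # this audit line if the reverse proxy is the sole path to the app.
        remote_client = request.META.get("HTTP_X_REAL_IP")
        Notice.send_info(f"IP: {remote_client} 下载文件 : (unknown)")
        return response
    except Exception as E:
        logger.error(E)
        context = data_return(500, CODE_MSG.get(500), {})
        return Response(context)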
def create(file=None):
    """Upload a file to the MSF host: 201 on success, 302 otherwise."""
    uploaded = FileMsf.upload_file_to_msf(file)
    code = 201 if uploaded is True else 302
    return data_return(code, FileMsf_MSG.get(code), {})
def list(engine, querystr, page=1, size=100):
    """Run a network-space search; only the "FOFA" engine is supported.

    304 for any other engine, 301 when the FOFA client cannot load its config
    from cache, 303 when the query reports failure or raises, 200 with the
    result data otherwise.
    """
    if engine != "FOFA":
        return data_return(304, NetworkSearch_MSG.get(304), {})

    client = FOFAClient()
    if client.init_conf_from_cache() is not True:
        return data_return(301, NetworkSearch_MSG.get(301), {})

    try:
        ok, data = client.get_data(query_str=querystr, page=page, size=size)
        if ok is not True:
            return data_return(303, NetworkSearch_MSG.get(303), {"errmsg": data})
        return data_return(200, CODE_MSG.get(200), data)
    except Exception as E:
        logger.exception(E)
        return data_return(303, NetworkSearch_MSG.get(303), {"errmsg": NetworkSearch_MSG.get(303)})
def create(self, request, **kwargs):
    """Dispatch a post-module run request on its 'moduletype'.

    No moduletype: PostModuleActuator.create_post for a session-bound module.
    "Bot": PostModuleActuator.create_bot for an ip/port list.  Anything else,
    or any exception while reading arguments or calling the actuator, is a 500.
    """
    data = request.data
    moduletype = data.get('moduletype', None)

    if moduletype is None:
        try:
            # int(None) raises when sessionid is absent; that lands on the 500 path.
            sessionid = int(data.get('sessionid', None))
            ipaddress = data.get('ipaddress', None)
            loadpath = str(data.get('loadpath', None))
            custom_param = str(data.get('custom_param', None))
            # NOTE(review): the create_post shown elsewhere in this listing takes
            # `hid`, not `ipaddress` — confirm the actuator signature matches.
            context = PostModuleActuator.create_post(
                loadpath=loadpath, sessionid=sessionid, ipaddress=ipaddress, custom_param=custom_param)
        except Exception as E:
            logger.error(E)
            context = data_return(500, CODE_MSG.get(500), {})
    elif moduletype == "Bot":
        try:
            ipportlist = data.get('ipportlist', None)
            loadpath = str(data.get('loadpath', None))
            custom_param = str(data.get('custom_param', None))
            context = PostModuleActuator.create_bot(
                ipportlist=ipportlist, loadpath=loadpath, custom_param=custom_param)
        except Exception as E:
            logger.error(E)
            context = data_return(500, CODE_MSG.get(500), {})
    else:
        context = data_return(500, CODE_MSG.get(500), {})

    return Response(context)
def destory(query_params):
    """Remove a meterpreter transport, identified by its URL, from a session.

    Every other transport option is sent as None so the backend matches on
    the URL alone.  204 (plus a Notice) when the RPC reports success, 304
    otherwise.
    """
    option_names = (
        "uuid", "transport", "lhost", "lport", "ua",
        "proxy_host", "proxy_port", "proxy_type", "proxy_user", "proxy_pass",
        "comm_timeout", "session_exp", "retry_total", "retry_wait",
        "cert", "luri",
    )
    opts = dict.fromkeys(option_names)  # all None
    sessionid = query_params.get("sessionid")
    opts["url"] = query_params.get("url")

    ok = RpcClient.call(Method.SessionMeterpreterTransportRemove, [sessionid, opts])
    if not ok:
        return data_return(304, TRANSPORT_MSG.get(304), [])
    Notice.send_info(f"删除传输 SID:{sessionid}")
    return data_return(204, TRANSPORT_MSG.get(204), {})
def destory_single(hid=-1):
    """Delete one host by id: 202 when Host.destory_host reports success, 301 otherwise."""
    removed = Host.destory_host(hid)
    code = 202 if removed else 301
    return data_return(code, Host_MSG.get(code), {})
def update(sessionid=None, action=None, sleep=0):
    """Switch a session's meterpreter transport: 'next', 'prev' or 'sleep'.

    306 for a missing or non-positive sessionid.  'sleep' answers 203/305 and
    posts the expected reconnect time; 'next'/'prev' answer 202/302; any other
    action is treated as a failed switch (302).
    """
    if sessionid is None or sessionid <= 0:
        return data_return(306, TRANSPORT_MSG.get(306), {})

    if action == "sleep":
        ok = RpcClient.call(Method.SessionMeterpreterTransportSleep, [sessionid, sleep])
        if not ok:
            return data_return(305, TRANSPORT_MSG.get(305), [])
        reconnect_at = time.localtime(time.time() + sleep)
        # NOTE(review): the other blocks in this listing call Notice.send_warning;
        # confirm Notice also provides send_warn.
        Notice.send_warn(
            f'切换Session到休眠 SID:{sessionid} 重连时间: {time.strftime("%Y-%m-%d %H:%M:%S", reconnect_at)}'
        )
        return data_return(203, TRANSPORT_MSG.get(203), {})

    if action == "next":
        ok = RpcClient.call(Method.SessionMeterpreterTransportNext, [sessionid])
    elif action == "prev":
        ok = RpcClient.call(Method.SessionMeterpreterTransportPrev, [sessionid])
    else:
        ok = False

    if not ok:
        return data_return(302, TRANSPORT_MSG.get(302), [])
    Notice.send_info(f"切换传输完成 SID:{sessionid}")
    return data_return(202, TRANSPORT_MSG.get(202), {})
def destory_single(ipaddress=None):
    """Delete one host by address: 202 when Host.destory_host reports success, 301 otherwise."""
    removed = Host.destory_host(ipaddress)
    code = 202 if removed else 301
    return data_return(code, Host_MSG.get(code), {})
def create(portfwdtype=None, lhost=None, lport=None, rhost=None, rport=None, sessionid=None):
    """Add a port forward through the multi/manage/portfwd_api post module.

    Host/port arguments are validated by PortFwd._check_host_port first and
    its context is returned unchanged on failure.  308 when the module
    produced no output, 301 when the output is not JSON or reports failure,
    201 with the module's data (plus a Notice) on success.
    """
    ok, context = PortFwd._check_host_port(portfwdtype, lhost, lport, rhost, rport)
    if ok is not True:
        return context

    opts = {
        'TYPE': portfwdtype,
        'LHOST': lhost,
        'LPORT': lport,
        'RHOST': rhost,
        'RPORT': rport,
        'SESSION': sessionid,
        'CMD': 'add',
    }
    raw = MSFModule.run(module_type="post", mname="multi/manage/portfwd_api", opts=opts)
    if raw is None:
        return data_return(308, PORTFWD_MSG.get(308), {})

    try:
        reply = json.loads(raw)
    except Exception as E:
        logger.warning(E)
        return data_return(301, PORTFWD_MSG.get(301), [])

    if reply.get('status') is not True:
        return data_return(301, PORTFWD_MSG.get(301), [])
    Notice.send_success(f"新增端口转发 SID:{sessionid} {portfwdtype} {lhost}/{lport} {rhost}/{rport}")
    return data_return(201, PORTFWD_MSG.get(201), reply.get('data'))
def destroy(self, request, pk=None, **kwargs):
    """Clear all stored notices: 201 on success, 500 if clean_notices raises."""
    try:
        Notice.clean_notices()
    except Exception as E:
        logger.error(E)
        return Response(data_return(500, CODE_MSG.get(500), {}))
    return Response(data_return(201, Notice_MSG.get(201), {}))
def destory(hid=None, port=None):
    """Delete the PortService rows for one host/port: 204 on success, 304 on exception."""
    try:
        PortServiceModel.objects.filter(hid=hid, port=port).delete()
    except Exception as E:
        logger.error(E)
        return data_return(304, PortService_MSG.get(304), {})
    return data_return(204, PortService_MSG.get(204), {})
def destory(vid=None):
    """Delete the Vulnerability row with the given id: 204 on success, 304 on exception."""
    try:
        VulnerabilityModel.objects.filter(id=vid).delete()
    except Exception as E:
        logger.error(E)
        return data_return(304, Vulnerability_MSG.get(304), {})
    return data_return(204, Vulnerability_MSG.get(204), {})
def destory(cid=None):
    """Delete the Credential row with the given id: 204 on success, 304 on exception."""
    try:
        CredentialModel.objects.filter(id=cid).delete()
    except Exception as E:
        logger.error(E)
        return data_return(304, Credential_MSG.get(304), {})
    return data_return(204, Credential_MSG.get(204), {})
def update(hid=None, tag=None, comment=None):
    """Update a host's tag and comment.

    Host.update_host returning None is reported as 304 (payload None);
    anything else is 201 with the updated host as payload.
    """
    updated = Host.update_host(hid, tag, comment)
    code = 304 if updated is None else 201
    return data_return(code, Host_MSG.get(code), updated)
def list(self, request, **kwargs):
    """Return all stored notices (200), or 500 if listing them raises."""
    try:
        notices = Notice.list_notices()
    except Exception as E:
        logger.error(E)
        return Response(data_return(500, CODE_MSG.get(500), {}))
    return Response(data_return(200, CODE_MSG.get(200), notices))
def create_bot(ipportlist=None, custom_param=None, loadpath=None):
    """Queue one PostModule instance per ip/port entry for the bot runner.

    The loadpath must already be in the module-config cache (else 305).
    custom_param is a JSON string and falls back to {} when it does not
    parse.  Each instance runs its check(); a failed or raising check is
    reported through Notice and that entry is skipped.  Accepted instances
    go into the bot wait queue under one shared group_uuid.  Returns 201
    once the list has been processed.
    """
    module_config = Xcache.get_moduleconfig(loadpath)
    if module_config is None:
        return data_return(305, PostModuleActuator_MSG.get(305), {})

    try:
        params = json.loads(custom_param)
    except Exception as E:
        logger.warning(E)
        params = {}

    # Dynamic import keyed by loadpath.  The cache lookup above is the only
    # thing restricting what gets imported here; keep that gate in place.
    module = importlib.import_module(loadpath)
    group_uuid = uuid.uuid1().hex

    for ipport in ipportlist:
        instance = module.PostModule(
            ip=ipport.get("ip"),
            port=ipport.get("port"),
            protocol=ipport.get("protocol"),
            custom_param=params)

        # Stamp the author from the cached config; a failure here is not fatal.
        try:
            instance.AUTHOR = module_config.get("AUTHOR")
        except Exception as E:
            logger.warning(E)

        try:
            ok, msg = instance.check()
            if ok is not True:
                Notice.send_warning(
                    f"模块:{instance.NAME} IP:{ipport.get('ip')} 检查未通过,原因:{msg}"
                )
                continue
        except Exception as E:
            logger.warning(E)
            Notice.send_warning(
                f"模块:{instance.NAME} IP:{ipport.get('ip')} 检查函数执行异常"
            )
            continue

        Xcache.putin_bot_wait({
            'uuid': str(uuid.uuid1()),
            'group_uuid': group_uuid,
            'broker': instance.MODULE_BROKER,
            'module': instance,
            'time': int(time.time()),
        })

    return data_return(201, PostModuleActuator_MSG.get(201), {})
def update(sessionid, filepath, filedata):
    """Overwrite a file on the session host via file_system_operation_api.

    The module is started as a job with a 12s wait; 301 when it returns
    None, 204 with the raw module result otherwise.
    """
    opts = {
        'OPERATION': 'update_file',
        'SESSION': sessionid,
        'SESSION_FILE': filepath,
        'FILE_DATA': filedata,
    }
    result = MSFModule.run('post', 'multi/manage/file_system_operation_api', opts, runasjob=True, timeout=12)
    if result is None:
        return data_return(301, FileSession_MSG.get(301), {})
    return data_return(204, FileSession_MSG.get(204), result)
def list(sessionid=None):
    """List a session's transports; 306 when sessionid is None or -1.

    Note the sentinel here is -1, whereas the other session endpoints in
    this listing reject any value <= 0.
    """
    if sessionid is None or sessionid == -1:
        return data_return(306, TRANSPORT_MSG.get(306), {})
    transports = Transport.list_transport(sessionid)
    return data_return(200, CODE_MSG.get(200), transports)
def create(self, request, pk=None, **kwargs):
    """Forward a user input line ('content', 'userkey') to Notice.send_userinput.

    Both fields are coerced with str(); userkey defaults to "0".  200 with
    whatever send_userinput returns, 500 if anything raises.
    """
    try:
        content = str(request.data.get('content', None))
        userkey = str(request.data.get('userkey', "0"))
        result = Notice.send_userinput(content=content, userkey=userkey)
    except Exception as E:
        logger.error(E)
        return Response(data_return(500, CODE_MSG.get(500), {}))
    return Response(data_return(200, Notice_MSG.get(200), result))
def destory(filename=None):
    """Delete a stored MSF file: 202 when destory_msf_file returns True, 301 otherwise."""
    removed = FileMsf.destory_msf_file(filename)
    code = 202 if removed is True else 301
    return data_return(code, FileMsf_MSG.get(code), {})
def list(sessionid=None):
    """Return the serialized detail of one session (rights, UAC and process info).

    304 for a missing or non-positive sessionid.
    """
    if sessionid is None or sessionid <= 0:
        return data_return(304, Session_MSG.get(304), {})
    session = SessionLib(sessionid, rightinfo=True, uacinfo=True, pinfo=True)
    return data_return(200, CODE_MSG.get(200), SessionLibSerializer(session).data)
def update(sessionid=None):
    """Drop the cached info for a session and return a freshly built detail (203).

    304 for a missing or non-positive sessionid.
    """
    if sessionid is None or sessionid <= 0:
        return data_return(304, Session_MSG.get(304), {})
    # Clearing the cache entry forces SessionLib to rebuild the session view.
    Xcache.set_session_info(sessionid, None)
    session = SessionLib(sessionid, rightinfo=True, uacinfo=True, pinfo=True)
    return data_return(203, Session_MSG.get(203), SessionLibSerializer(session).data)
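def destory(sessionid=None, filepath=None, dirpath=None, operation=None):
    """Delete a file or a directory on the session host.

    operation 'destory_file' (requires sessionid and filepath) or
    'destory_dir' (dirpath normalised with FileSession.deal_path) is sent to
    the multi/manage/file_system_operation_api post module.  Anything else,
    or a file request missing sessionid/filepath, is a 306.  The module
    reply maps to 301 (no output), 302 (not JSON), 303 (status not True)
    or 201.  Both operations share one helper instead of two copies of the
    run/parse/check sequence.
    """

    def _run_operation(opts):
        # Run the module synchronously and map its JSON reply onto a context.
        raw = MSFModule.run('post', 'multi/manage/file_system_operation_api', opts, runasjob=False, timeout=12)
        if raw is None:
            return data_return(301, FileSession_MSG.get(301), [])
        try:
            reply = json.loads(raw)
        except Exception as E:
            logger.warning(E)
            return data_return(302, FileSession_MSG.get(302), {})
        if reply.get('status') is not True:
            return data_return(303, FileSession_MSG.get(303), [])
        return data_return(201, FileSession_MSG.get(201), [])

    if operation == 'destory_file' and sessionid is not None and filepath is not None:
        return _run_operation({
            'OPERATION': 'destory_file',
            'SESSION': sessionid,
            'SESSION_FILE': filepath,
        })

    if operation == 'destory_dir':
        # Unlike the file branch, no sessionid/dirpath presence check is made
        # here (kept as in the original); a None dirpath reaches deal_path.
        formatdir = FileSession.deal_path(dirpath)
        return _run_operation({
            'OPERATION': 'destory_dir',
            'SESSION': sessionid,
            'SESSION_DIR': formatdir,
        })

    return data_return(306, FileSession_MSG.get(306), {})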
def update(cid=None, desc=None):
    """Set the description of one credential: 404 if the row is not found, 202 with the serialized row otherwise."""
    try:
        credential = CredentialModel.objects.get(id=cid)
    except Exception as E:
        logger.exception(E)
        return data_return(404, Credential_MSG.get(404), {})

    credential.desc = desc
    credential.save()
    return data_return(202, Credential_MSG.get(202), CredentialSerializer(credential).data)
def create(self, request, pk=None, **kwargs):
    """Issue an API token for valid credentials (single-user mode).

    The placeholder password "diypassword" is refused outright (302).  A
    valid login gets a token that is rotated once older than EXPIRE_MINUTES;
    the payload always carries status/type/currentAuthority/token.  An
    invalid login is counted via Xcache.login_fail_count and, when that
    reports a threshold hit, raises a brute-force alert; invalid logins and
    exceptions both map to 301.
    """
    payload = {
        "status": "error",
        "type": "account",
        "currentAuthority": "guest",
        "token": "forguest",
    }

    # The shipped placeholder password is never accepted as a real login.
    if request.data.get('password', None) == "diypassword":
        return Response(data_return(302, BASEAUTH_MSG.get(302), payload))

    try:
        serializer = AuthTokenSerializer(data=request.data)
        if not serializer.is_valid():
            if Xcache.login_fail_count():
                Notice.send_alert("Viper遭到暴力破解,服务器地址可能已经暴露")
            return Response(data_return(301, BASEAUTH_MSG.get(301), payload))

        user = serializer.validated_data['user']
        token, created = Token.objects.get_or_create(user=user)
        now = datetime.datetime.now()
        # NOTE(review): naive datetime; if Token.created is timezone-aware this
        # comparison raises and the login falls through to the 301 path — confirm.
        if created or token.created < now - datetime.timedelta(minutes=EXPIRE_MINUTES):
            # Rotate the token so its created timestamp restarts the expiry window.
            token.delete()
            token = Token.objects.create(user=user)
            token.created = now
            token.save()

        payload['status'] = 'ok'
        payload['currentAuthority'] = 'admin'  # single-user mode: every login is admin
        payload['token'] = token.key
        Notice.send_info(f"{user} 成功登录")
        return Response(data_return(201, BASEAUTH_MSG.get(201), payload))
    except Exception as E:
        logger.error(E)
        return Response(data_return(301, BASEAUTH_MSG.get(301), payload))
def destroy_adv_job(task_uuid=None, job_id=None, broker=None):
    """Cancel a running module job according to its broker type.

    post_python_job: aps_module.delete_job_by_uuid.  post_msf_job: the task
    is removed from Xcache, then Method.JobStop is sent over RPC (305 when
    the RPC returns None, 304 unless it reports 'success').  bot_msf_job:
    the bot wait group is removed.  Unknown brokers give 304; any exception
    is logged and reported as 500.
    """
    try:
        if broker == BROKER.post_python_job:
            if aps_module.delete_job_by_uuid(task_uuid) is not True:
                return data_return(304, Job_MSG.get(304), {})
            return data_return(204, Job_MSG.get(204), {"uuid": task_uuid, "job_id": job_id})

        if broker == BROKER.post_msf_job:
            req = Xcache.get_module_task_by_uuid(task_uuid=task_uuid)
            module_instance = req.get("module")
            # The cache entry is dropped before the RPC call, so a failed stop
            # still leaves the task absent from the cache.
            Xcache.del_module_task_by_uuid(task_uuid)
            result = RpcClient.call(Method.JobStop, [job_id])
            if result is None:
                return data_return(305, Job_MSG.get(305), {})
            if result.get('result') != 'success':
                return data_return(304, Job_MSG.get(304), {})
            Notice.send_info("模块: {} {} 手动删除完成".format(
                module_instance.NAME, module_instance.target_str))
            return data_return(204, Job_MSG.get(204), {"uuid": task_uuid, "job_id": job_id})

        if broker == BROKER.bot_msf_job:
            if Xcache.del_bot_wait_by_group_uuid(task_uuid) is not True:
                return data_return(304, Job_MSG.get(304), {})
            return data_return(204, Job_MSG.get(204), {"uuid": task_uuid})

        return data_return(304, Job_MSG.get(304), {})
    except Exception as E:
        logger.error(E)
        return data_return(500, CODE_MSG.get(500), {})
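def create_post(loadpath=None, sessionid=None, hid=None, custom_param=None):
    """Instantiate a session-bound PostModule and queue it on its broker.

    305 when loadpath is not in the module-config cache or the module has no
    MODULE_BROKER; 405 carrying the module's own message when check() fails;
    301 when check() raises; 201/306 for queued/not queued.  An unrecognised
    broker is logged and now also returns a 305 context — the original fell
    off the end and returned None, which the calling view wrapped in a
    Response.
    """
    module_config = Xcache.get_moduleconfig(loadpath)
    if module_config is None:
        return data_return(305, PostModuleActuator_MSG.get(305), {})

    try:
        params = json.loads(custom_param)
    except Exception as E:
        logger.warning(E)
        params = {}

    # Dynamic import keyed by the request's loadpath; the cache lookup above
    # is what restricts it to known module paths.
    module = importlib.import_module(loadpath)
    instance = module.PostModule(sessionid, hid, params)

    # Pre-run check; a failed check surfaces the module's own reason (msg).
    try:
        ok, msg = instance.check()
        if ok is not True:
            return data_return(405, msg, {})
    except Exception as E:
        logger.warning(E)
        return data_return(301, PostModuleActuator_MSG.get(301), {})

    try:
        broker = instance.MODULE_BROKER
    except Exception as E:
        logger.warning(E)
        return data_return(305, PostModuleActuator_MSG.get(305), {})

    if broker == BROKER.post_python_job:
        queued = aps_module.putin_post_python_module_queue(instance)
    elif broker == BROKER.post_msf_job:
        queued = MSFModule.putin_post_msf_module_queue(instance)
    else:
        logger.warning("错误的broker")
        # Fix: report the unknown broker instead of returning None.
        return data_return(305, PostModuleActuator_MSG.get(305), {})

    code = 201 if queued else 306
    return data_return(code, PostModuleActuator_MSG.get(code), {})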