def delete(self):
"""
删除exploit服务关联模块信息(软删除)
---
tags:
- POC漏洞检测
parameters:
- name: exploit_id
in: query
description: Exploit ID
required: true
type: string
responses:
'200':
description: SUCCESS
schema:
type: dto.public_string_data_output
$ref: '#/definitions/dto.public_string_data_output'
"""
exploit_id = request.args.get('exploit_id')
connectiondb(exploit_db).update({'_id': ObjectId(exploit_id)},
{"$set": {
"is_delete": 1
}},
multi=True)
response_data = self.wrap_json_response(data='success',
code=ReturnCode.SUCCESS)
return jsonify(response_data)
def _save_pocvul_result(self, portinfo_id, data):
if data:
# self.vul_type = 'exploit'
self.vul_type = 'pocsuite'
connectiondb(portinfo_db).update_one(
{"_id": ObjectId(portinfo_id)},
{"$set": {
"vul_type": self.vul_type,
"vulnerabilities": data
}})
def _save_result(portinfo_id, app_name):
portinfo_db = db_name_conf()['portinfo_db']
# 看看是自定义任务还是自动化探测任务
if not portinfo_id:
return
# 自动化任务需要更新端口应用版本
connectiondb(portinfo_db).update_one({'_id': ObjectId(portinfo_id)},
{'$set': {
'product': app_name
}})
def _save_webvul_result(self, portinfo_id, data):
connectiondb(portinfo_db).update_one(
{"_id": ObjectId(portinfo_id)},
{
"$set": {
"vul_type":
"web",
"target_id":
data['target_id'], # awvs的target_id
"scan_id":
data['scan_id'], # awvs的sacn_id
"create_at":
time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
}
})
def _get_portinfo(self):
print "PocScanner._get_portinfo"
array = connectiondb(portinfo_db).find(
{"instance_id": self.instance_id})
for item in array:
item['_id'] = "%s" % item['_id']
self.info_list.append(item)
def _start_poc(self):
print "VulScanner._start_poc"
for info in self.info_list:
print "info => name:{}; port:{}; state:{}".format(
info['name'], info['port'], info['state'])
# info['name']=http/https/null,进行web指纹判断
# 情况1: 这个就很奇怪了, 能扫到但是状态为closed???
if 'closed' == info['state']:
continue
# 用poc脚本打、内置多线程
pocuite = PocsuiteScan(ip=self.instance_info['host'],
service=info['name'],
port=info['port'],
app=info['product'],
version=info['version'])
result = pocuite.run()
self._save_pocvul_result(info['_id'], result)
# 情况2: Web直接提交AWVS任务,获取target_id、scan_id、session_id即可。后续聚合通过这三个查询对应的web漏洞详情。
# 提交任务即返回,无需使用多线程
# Poc扫描无结果的情况下再执行
# if 'http' in info['name'] and not result:
# print "[+] http"
# awvs = AwvsScan(info['name'], self.instance_info['target'], info['port'])
# result = awvs.run()
# self._save_webvul_result(info['_id'], result)
# continue
connectiondb(instance_db).update_one(
{"_id": ObjectId(self.instance_id)}, {
"$set": {
"status":
'Completed',
"update_at":
time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
}
})
def local_install():
print("[*]Processing...")
# connectiondb(plugin_db).drop()
path = os.getcwd() + '/aquaman/modules/poc_vul/pocsuite_plugin/'
files = os.listdir(path)
for file_name in files:
if 'JBoss' not in file_name:
continue
plugin_info = parse_plugin(path + file_name.strip())
print plugin_info
if not plugin_info:
continue
else:
# print plugin_info
db_insert = connectiondb(plugin_db).insert_one(
plugin_info).inserted_id
print db_insert
print("[*]Processing Completed!")
def _match_require(self):
"""
[+] 匹配Mongo数据库的动作关联库
[-] 输出攻击的所有的require准备
"""
result = []
array = self._match_exploit()
for item in array:
resp = connectiondb(exploit_db).find_one(
{"exploit": re.compile(item)})
if not resp:
continue
print "resp,", resp
result.append({
"vt_name": resp['vt_name'],
"exploit": resp['exploit'],
"payload": resp['payload'],
"cmd": resp['cmd'],
"desc": resp['desc']
})
return result
def __init__(self, instance_id):
self.instance_id = instance_id
self.instance_info = connectiondb(instance_db).find_one(
{"_id": ObjectId(self.instance_id)})
self.info_list = []
self.vul_type = ''
def verify_poc(scan_info):
frequency = connectiondb(config_db).find_one(
{'config_name': settings.CONFIG_NAME})['poc_frequency']
plugin_name = scan_info['plugin_name']
plugin_filename = scan_info['plugin_filename']
target = scan_info['target']
info = {
"pocname": plugin_name,
"pocstring": open(plugin_filename, 'r').read(),
"mode": 'verify'
}
invoker = Cannon(target, info)
log.info("[PocScanner] {}({}) verify poc({}) all_times: {}".format(
scan_info['task_name'], scan_info['target'], plugin_name, frequency))
for i in range(50):
try:
result = invoker.run()
if i > frequency: # 超过指定次数
log.info(
"[PocScanner] {}({}) verify poc({}) more than {} times, result: {}"
.format(scan_info['task_name'], scan_info['target'],
plugin_name, frequency, result))
return
if not result or result[-3][0] != 1:
time.sleep(1)
continue
log.info(
"[PocScanner] {}({}) verify poc({}) in {} times, result: {}".
format(scan_info['task_name'], scan_info['target'],
plugin_name, i + 1, result[-1]))
connectiondb(vul_db).insert({
"plugin_id":
scan_info['plugin_id'],
"plugin_filename":
scan_info['plugin_filename'],
"plugin_name":
scan_info['plugin_name'],
"plugin_type":
scan_info['plugin_type'],
"plugin_app":
scan_info['plugin_app'],
"plugin_version":
scan_info['plugin_version'],
"plugin_desc":
scan_info['plugin_desc'],
"target":
scan_info[
'target'], # 非端口必须是172.31.50.222:8080, 如果只有IP会使用脚本里的默认端口
"task_id":
scan_info['task_id'],
"task_name":
scan_info['task_name'],
"scan_result":
result[-1],
"date":
int(time.time()),
})
_save_result(scan_info['portinfo_id'], scan_info['plugin_app'])
return
except Exception as e:
log.error(
"[PocScanner] {}({}) verify poc({}) in {} times, info: {}".
format(scan_info['task_name'], scan_info['target'],
plugin_name, i + 1, e))
time.sleep(1)
continue
except FunctionTimedOut as e:
log.error(
"[PocScanner] {}({}) verify poc({}) in {} times with timeout, info: {}"
.format(scan_info['task_name'], scan_info['target'],
plugin_name, i + 1, e))
time.sleep(1)
continue
def post(self):
"""
创建exploit服务关联模块信息
---
tags:
- POC漏洞检测
definitions:
- schema:
id: dto.exploit_create_input
properties:
vt_name:
type: string
service:
type: string
app:
type: string
version:
type: string
exploit:
type: string
payload:
type: string
cmd:
type: string
parameters:
- name: body
in: body
required: true
schema:
type: dto.exploit_create_input
$ref: '#/definitions/dto.exploit_create_input'
responses:
'200':
description: SUCCESS
schema:
id: dto.exploit_create_output
properties:
data:
type: object
description: response_data
properties:
exploit_id:
type: string
description: Exploit ID
errmsg:
type: string
description: errno
errno:
type: integer
description: errno
default: 0
"""
body_data = json.loads(request.get_data().decode())
try:
desc = MsfScanner().get_desc(body_data['exploit'])
except Exception as e:
return jsonify(
self.wrap_json_response(errmsg=e,
code=ReturnCode.WRONG_PARAMS))
req_data = {
"vt_name": body_data['vt_name'],
"service": body_data['service'],
"version": body_data['version'],
"exploit": body_data['exploit'],
"payload": body_data['payload'],
"app": body_data['app'],
"cmd": body_data['cmd'],
"desc": desc,
"create_at": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()),
"update_at": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()),
"is_delete": 0,
}
exploit_id = connectiondb(exploit_db).insert_one(req_data).inserted_id
if not exploit_id:
response_data = self.wrap_json_response(code=ReturnCode.FAILED)
return jsonify(response_data)
data = {'exploit_id': '%s' % exploit_id}
response_data = self.wrap_json_response(data=data,
code=ReturnCode.SUCCESS)
return jsonify(response_data)
def get(self):
"""
模块服务数据记录列表
---
tags:
- POC漏洞检测
definitions:
- schema:
id: dto.exploit_list_output
properties:
data:
type: object
description: 模块服务数据记录列表
properties:
list:
type: array
items:
type: dao.exploit_info
$ref: '#/definitions/dao.exploit_info'
total:
type: integer
errmsg:
type: string
description: errno
errno:
type: integer
description: errno
default: 0
parameters:
- name: info
in: query
description: 模块名
required: false
type: string
- name: page_size
in: query
description: 记录数
required: true
type: integer
- name: page_no
in: query
description: 页码
required: true
type: integer
responses:
'200':
description: SUCCESS
schema:
type: dto.exploit_list_output
$ref: '#/definitions/dto.exploit_list_output'
"""
page_size = request.args.get('page_size', 10, int)
page_no = request.args.get('page_no', 1, int)
info = request.args.get('info', '', str)
skip = page_size * (page_no - 1)
# total = connectiondb(vul_db).find().count()
# aa = connectiondb(exploit_db).find()
# for a in aa:
# print a
total = connectiondb(exploit_db).find({
"is_delete": {
"$ne": 1
},
"exploit": re.compile(info)
}).count()
dict_resp = connectiondb(exploit_db).find({
"is_delete": {
"$ne": 1
},
"exploit": re.compile(info)
}).limit(page_size).skip(skip).sort('update_at', -1)
data = []
for item in dict_resp:
item['_id'] = "%s" % item['_id']
data.append(item)
response_data = self.wrap_json_response(data={
'list': data,
'total': total
},
code=ReturnCode.SUCCESS)
return jsonify(response_data)
def put(self):
"""
更新exploit服务关联模块信息
---
tags:
- POC漏洞检测
definitions:
- schema:
id: dto.exploit_put_input
properties:
exploit_id:
type: string
app:
type: string
vt_name:
type: string
service:
type: string
version:
type: string
exploit:
type: string
payload:
type: string
cmd:
type: string
parameters:
- name: body
in: body
required: true
schema:
type: dto.exploit_put_input
$ref: '#/definitions/dto.exploit_put_input'
responses:
'200':
description: SUCCESS
schema:
type: dto.public_string_data_output
$ref: '#/definitions/dto.public_string_data_output'
"""
body_data = json.loads(request.get_data().decode())
_id = body_data['exploit_id']
if not _id:
response_data = self.wrap_json_response(
errmsg="Lost Params.", code=ReturnCode.WRONG_PARAMS)
return jsonify(response_data)
try:
desc = MsfScanner().get_desc(body_data['exploit'])
except Exception as e:
return jsonify(
self.wrap_json_response(errmsg="%s" % e,
code=ReturnCode.WRONG_PARAMS))
connectiondb(exploit_db).update_one({"_id": ObjectId(_id)}, {
"$set": {
"vt_name": body_data['vt_name'],
"service": body_data['service'],
"app": body_data['app'],
"version": body_data['version'],
"exploit": body_data['exploit'],
"payload": body_data['payload'],
"cmd": body_data['cmd'],
"desc": desc,
"update_at": time.strftime("%Y-%m-%d %H:%M:%S",
time.localtime()),
}
})
response_data = self.wrap_json_response(data="success",
code=ReturnCode.SUCCESS)
return jsonify(response_data)
def get(self):
"""
获取exploit模块信息
---
tags:
- POC漏洞检测
definitions:
- schema:
id: dao.exploit_info
properties:
_id:
type: string
service:
type: string
app:
type: string
vt_name:
type: string
version:
type: string
exploit:
type: string
payload:
type: string
cmd:
type: string
desc:
type: string
create_at:
type: string
update_at:
type: string
is_delete:
type: integer
- schema:
id: dto.exploit_info_output
properties:
data:
type: dao.exploit_info
$ref: '#/definitions/dao.exploit_info'
description: response_data
errmsg:
type: string
description: errno
errno:
type: integer
description: errno
default: 0
parameters:
- name: id
in: query
description: Exploit ID
required: true
type: string
responses:
'200':
description: SUCCESS
schema:
type: dto.exploit_info_output
$ref: '#/definitions/dto.exploit_info_output'
"""
exploit_id = request.args.get('id')
resp = connectiondb(exploit_db).find_one({"_id": ObjectId(exploit_id)})
resp['_id'] = "%s" % resp['_id']
response_data = self.wrap_json_response(data=resp,
code=ReturnCode.SUCCESS)
return jsonify(response_data)