def check_url(task_id, task_access_key):
"""
接收来自浏览器的流量,对流量进行解析分类之后,存放到redis中,支持多个用户同时协作对一个任务进行测试
:param task_id:
:param task_access_key:
:return:
"""
from common.config_util import get_system_config
try:
post_data = request.get_json(force=True)
current_user_name = session["user_name"]
if TaskService.count(where=(Task.id == task_id,
Task.access_key == task_access_key)) == 0:
return jsonify(status=403,
message="发送失败",
data={
"extra_info":
"taskid或者accesskey不正确,插件请同步一次最新任务",
"site":
get_system_config()['front_end']['index']
})
tasks = TaskService.get_fields_by_where(
where=(Task.id == task_id, Task.access_key == task_access_key))
if tasks[0].task_status in [TaskStatus.DONE, TaskStatus.KILLED]:
return jsonify(status=400,
message="发送失败",
data={
"extra_info": "该任务已经结束,客户端请重新同步或者创建最新任务",
"site":
get_system_config()['front_end']['index']
})
if post_data is not None and "data" in post_data and RedisService.create_urlclassifications(
task_id, post_data):
raw_request_data = post_data.get('data', '{}')
scan_celery.delay(raw_request_data, task_id, current_user_name,
TaskStatus.NONE)
return jsonify(status=200,
message="发送成功",
data={"extra_info": "发送到后端扫描引擎成功"})
return jsonify(status=200,
message="发送失败",
data={"extra_info": "发送到后端引擎的数据不符合格式或者已经发送过"})
except Exception as e:
logger.exception("check_url exception")
return jsonify(status=500,
message="未知异常",
data={"extra_info": "创建任务时出现未知异常,请联系管理员查看异常日志"})
def generate_report(self, task_id):
"""
生成邮件发送报告
:param cls:
:param task_id:
:return:
"""
current_task = TaskService.get_fields_by_where(where=(Task.id == task_id))[0]
vulns_info = VulnerabilityService.get_fields_by_where(where=(Vulnerability.task_id == task_id))
users = UserService.get_users(task_id=task_id)
if len(vulns_info) <= 0:
content = """<br>你好,欢迎使用Hunter,本次扫描结束,扫描到你有0个漏洞。详情请可登录{}查看<br>""".format(
get_system_config()['front_end']['index'])
else:
content = """<br>你好,欢迎使用Hunter,本次扫描结束,扫描到你有{}个漏洞。任务预览如下,详情请登录{}查看<br>""".format(len(vulns_info),
get_system_config()[
'front_end'][
'index'])
content += """
<table frame='border' cellpadding='15' cellspacing='0' align='center' style='border: 1px solid #d6d3d3;'>
<tr style='background: #e6e6e6;'>
<th style="border-right: 1px solid #bfbfbf;">序号</th>
<th style="border-right: 1px solid #bfbfbf;">漏洞等级</th>
<th style="border-right: 1px solid #bfbfbf;">漏洞类型</th>
<th style="border-right: 1px solid #bfbfbf;">漏洞详情</th>
</tr>
"""
index = 0
for vuln_info in vulns_info:
index += 1
vuln_detail_url = '<a href="{}">{}</a>'.format(
get_system_config()['front_end']['vuln_route'] + str(task_id),
vuln_info.info)
content += """
<tr>
<td style="border-right: 1px solid #bfbfbf;">{}</td>
<td style="border-right: 1px solid #bfbfbf;">{}</td>
<td style="border-right: 1px solid #bfbfbf;">{}</td>
<td style="border-right: 1px solid #bfbfbf;">{}</td>
</tr>
""".format(index, vuln_info.level, vuln_info.chinese_type, vuln_detail_url)
content += """</table>"""
return content, ",".join([user.email for user in users if user.email])
def download_newest_checkers():
"""
第一次启动时同步插件,从服务端下载最新的插件,
:return:
"""
logger.info("download newest checkers when the system starts up")
try:
master_checkers_url = get_system_config()["front_end"]["master_checkers_url"]
download_file(url=master_checkers_url, save_fp=PLUGIN_ZIP_PATH)
unzip_file(origin_file=PLUGIN_ZIP_PATH, target_folder=PLUGIN_PATH)
logger.info("download newest checkers successfully, it still using newest checkers")
except Exception as e:
if isinstance(e, requests.exceptions.ConnectTimeout):
logger.warn("sorry,download newest checkers timeout, it still using old checkers")
else:
logger.warn("sorry,download newest checkers error, it still using old checkers")
finally:
load_default_checkers(True)
modify_default_checkers()
def get_redis_pool(cls):
"""
获取redis连接池
:return:
"""
redis_config = get_system_config()["redis"]
redis_host = redis_config["host"]
redis_port = redis_config["port"]
redis_password = redis_config["password"]
max_connections = redis_config["max_connections"]
if not hasattr(RedisManage,
"__redis_pool") or not RedisManage.__redis_pool:
RedisManage.__redis_pool = redis.ConnectionPool(
host=redis_host,
port=redis_port,
password=redis_password,
decode_responses=True,
max_connections=max_connections)
return RedisManage.__redis_pool
def get_redis_pool(cls):
"""
获取redis连接池
:return:
"""
redis_config = get_system_config()["redis"]
redis_host = redis_config["host"]
redis_port = redis_config["port"]
redis_password = redis_config["password"]
max_connections = redis_config["max_connections"]
if not RedisManage.initialized():
with RedisManage._instance_lock:
if not RedisManage.initialized():
RedisManage.__redis_pool = redis.ConnectionPool(
host=redis_host,
port=redis_port,
password=redis_password,
decode_responses=True,
max_connections=max_connections)
return RedisManage.__redis_pool
def get_database(cls, refresh=False):
"""
单例多线程模式获取db对象
:param refresh:
:return:
"""
with MysqlManage._instance_lock:
mysql_config = get_system_config()['mysql']
if refresh or MysqlManage.__database is None: # or MysqlManage.__database.is_closed():
# 老方法
"""MysqlManage.__database = MySQLDatabase(database=mysql_config["database"], host=mysql_config['host'],
port=int(mysql_config['port']),
user=mysql_config['user'],
passwd=mysql_config['password'])
"""
MysqlManage.__database = PooledMySQLDatabase(database=mysql_config["database"],
host=mysql_config['host'],
port=int(mysql_config['port']), user=mysql_config['user'],
passwd=mysql_config['password'],
max_connections=mysql_config["max_connections"],
stale_timeout=mysql_config["stale_timeout"])
return MysqlManage.__database
def authorize_route():
"""
基础账号密码认证体系
:return:
"""
try:
post_data = request.get_json(force=True)
post_user_name = post_data.get("user_name")
post_pass_word = post_data.get("pass_word")
if UserService.count(
where=(User.user_name == post_user_name,
User.pass_word == post_pass_word)) <= 0:
return jsonify(status=403,
message="认证出错",
data={
"extra_info": "账号密码登录出错",
"site": "/login"
})
db_user = UserService.get_fields_by_where(
where=(User.user_name == post_user_name,
User.pass_word == post_pass_word))[0]
BaseAuthModule.modify_user_info_cache_session(
user_name=db_user.user_name, db_user=db_user)
return jsonify(status=200,
message="认证成功",
data={
"extra_info": "稍后自动跳转首页,请耐心等待",
"site":
get_system_config()['front_end']['index']
})
except Exception as e:
logger.exception("auth_account raise error")
return jsonify(status=500,
message="未知异常",
data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})
def authorize_route():
"""
ldap认证账号体系
:return:
"""
try:
post_data = request.get_json(force=True)
post_user_name = post_data.get("user_name")
post_pass_word = post_data.get("pass_word")
ldap_config = LdapConfigService.get_single_instance()
if ldap_config.ldap_switch is False:
return jsonify(status=500,
message="登录失败",
data={"extra_info": "不支持ldap认证,请后台配置并开启ldap模块"})
status, result_dict = ldap_auth(post_user_name, post_pass_word)
if status:
user_name = result_dict["user_name"]
# 保存更新数据库和Redis
if UserService.count(where=(User.user_name == user_name)) <= 0:
UserService.save(user_name=result_dict["user_name"],
full_name=result_dict["full_name"],
dept_name=result_dict["dept_name"],
email=result_dict["email"],
mobile_phone=result_dict["mobile"])
else:
UserService.update(fields=({
User.full_name:
result_dict["full_name"],
User.dept_name:
result_dict["dept_name"],
User.email:
result_dict["email"],
User.mobile_phone:
result_dict["mobile"]
}),
where=(User.user_name == user_name))
db_user = UserService.get_fields_by_where(
where=(User.user_name == user_name))[0]
BaseAuthModule.modify_user_info_cache_session(
user_name=db_user.user_name, db_user=db_user)
return jsonify(status=200,
message="认证成功",
data={
"extra_info":
"稍后自动跳转首页,请耐心等待",
"site":
get_system_config()['front_end']['index']
})
return jsonify(status=403,
message="认证出错",
data={
"extra_info": "账号密码登录出错",
"site": "/login"
})
except Exception as e:
logger.exception("auth_account raise error")
return jsonify(status=500,
message="未知异常",
data={"extra_info": "发生未知异常,请联系管理员查看异常日志"})