示例#1
    def execution(self):
        """Run the scan: seed the target queues, then probe every parameterised URL.

        Targets come from whichever inputs were supplied (``self.file``,
        ``self.subdomains_queue``, ``self.target``). For each URL that carries
        a query string the loaded payload categories are tried and a critical
        log entry is written when ``receive_check`` reports a difference from
        the baseline response. Any exception anywhere in the run is swallowed
        by the outer ``except`` and ends the whole run.
        """
        try:
            # Seed self.target_url from the configured inputs.
            if not self.file is None:
                self.initislis_file()
            if not self.subdomains_queue is None:
                self.initialis_subdomain()
            if not self.target is None:
                self.initis()

            while not self.target_url.empty():
                # `target` is itself queue-like (see .empty()/.get() below).
                target = self.target_url.get()
                # One payload set per target queue, reused for every URL in it.
                strike_pre = assault_pre()
                strike_pre.payload_provide()


                while not target.empty():
                    original = target.get()
                    # print(self.target_url.qsize())
                    # url = regex.URL_PATH.sub("=", original)
                    """and self.filter_(url,self.requests_seen)"""
                    # print("f*****g" + original)

                    # Substring test, not a host comparison: any URL that merely
                    # contains self.domain passes. NOTE(review): confirm this is
                    # the intended scope.
                    if self.domain in original:
                        # Baseline fetch; the page is mined for further URLs.
                        url, data = chambering(original,strike = False)
                        received_ = requester(url,data,GET = True)
                        print(f"{blue_green}[+][{time}] Vulnerability scanning is being performed on {original}{end}")
                        if not received_ is None:
                            self.url_extrator(received_.text)
                        else:
                            pass



                    # Only URLs with a query string are probed.
                    if "=" in original:
                        # Unmodified baseline response, compared against below.
                        url, data = chambering(original, strike=False)
                        received = requester(url, data, GET=True)

                        for vul_type, category in strike_pre.get_payload_category().items():
                            # category[1] is the payload queue; category[0] yields
                            # the next payload from it.
                            for count in range(category[1].qsize()):
                                payload = category[0]()
                                url, data = chambering(original,strike = True,payload=payload,type = vul_type)

                                if vul_type in ["SQLi","file_inclusion","command_injection","ssrf"]:
                                    Poisoned = requester(url,data,GET = True)
                                    # NOTE(review): dereferenced before the None check
                                    # on the next statement; a None response raises
                                    # here and the outer except then ends the run.
                                    code = Poisoned.status_code

                                    if not Poisoned is None and code < 500 and code != 404:
                                        # NOTE(review): `received` is never None-checked;
                                        # received.text raises if the baseline fetch failed.
                                        if error_check(Poisoned):
                                            if receive_check(received.text,Poisoned.text,vul_type,payload):
                                                message = vul_message(vul_type,original,payload)
                                                self.logger.critical(message)
                                        else:
                                            pass
                                    else:
                                        pass


        # Best-effort: any error, including one failed request, silently ends
        # the whole run rather than the current URL.
        except Exception:
            pass
示例#2
    def execution(self):        # run the scan
        """Run the scan: seed the target queues, then probe every parameterised URL.

        ``self.cookie`` and ``self.proxy`` are passed on every request, and the
        proxy is rotated from ``self.proxy_queue`` when a baseline fetch comes
        back 403. A fresh ``assault_pre`` is built for every parameterised URL.
        A critical log entry is written when ``attack_check`` reports a
        difference from the baseline response. Any exception anywhere in the
        run is swallowed by the outer ``except`` and ends the whole run.
        """
        try:
            if not self.file is None:       # load targets
                self.initislis_file()
            if not self.subdomains_queue is None:
                self.initialis_subdomain()
            if not self.target is None:
                self.initis()

            while not self.target_url.empty():
                target = self.target_url.get()      # queue-like: drained by the inner loop
                # strike_pre = assault_pre()
                # strike_pre.payload_provide()

                while not target.empty():
                    original = target.get()
                    # url = regex.URL_PATH.sub("=", original)
                    """and self.filter_(url,self.requests_seen)"""

                    # Substring test, not a host comparison. NOTE(review): confirm
                    # this is the intended scope.
                    if self.domain in original:     # URL belongs to the supplied domain, e.g. baidu.com/a/b/text?a=2&b=21 belongs to baidu.com
                        url, data = chambering(original,strike = False)
                        received_ = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)
                        if not received_ is None and received_.status_code == 403:  # 403: treat the proxy as banned and rotate
                            if not self.proxy_queue is None and not self.proxy_queue.empty():
                                self.proxy = get_proxy(self.proxy_queue)
                        print(f"{blue_green}[+][{time}] Vulnerability scanning is being performed on {original}{end}")
                        if not received_ is None:
                            self.url_extrator(received_.text)   # mine this page for further URLs to scan
                        else:
                            pass

                    if "=" in original:     # URL carries parameters
                        url, data = chambering(original, strike=False)
                        strike_pre = assault_pre()      # payload pre-processing object (rebuilt per URL)
                        strike_pre.payload_provide()    # load payloads
                        # Unmodified baseline response, compared against below.
                        received = requester(url, data, GET=True,cookie = self.cookie,proxy = self.proxy)

                        for vul_type, category in strike_pre.get_payload_category().items():
                            for count in range(category[1].qsize()):    # category[1] is the payload queue
                                payload = category[0]()                 # category[0] yields the next payload
                                url, data = chambering(original,strike = True,payload=payload,type = vul_type)

                                if vul_type in ["SQLi","XSS","file_inclusion","command_injection","ssrf"]:
                                    Poisoned = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)

                                    if not Poisoned is None and Poisoned.status_code < 400: # probe got a non-error response
                                        if error_check(Poisoned.text):  # page exists
                                            # NOTE(review): `received` is never None-checked;
                                            # received.text raises if the baseline fetch failed.
                                            if attack_check(received.text,Poisoned.text,vul_type,payload): # page differs from baseline
                                                message = vul_message(vul_type,original,payload)    # report the finding
                                                self.logger.critical(message)
                                        else:
                                            pass
                                    else:
                                        pass

        # Best-effort: any error, including one failed request, silently ends
        # the whole run rather than the current URL.
        except Exception:
            pass
示例#3
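    def proxy_ip3366(self):
        """Harvest proxies from the first ten listing pages of ip3366.net.

        Every ``(ip, port, type)`` tuple found is logged and put on
        ``self.container``. A failure on one page is logged and skipped so the
        remaining pages are still tried.
        """
        site = self.dic['ip3366']
        for page in range(1, 11):
            try:
                url, params = chambering(f"http://www.ip3366.net/?stype=1&page={page}", strike=False)
                result = requester(url, params, GET=True, timeout=None)
                if result is None:
                    # requester signals a failed request with None elsewhere in
                    # this file; skip the page instead of raising on .text
                    continue
                text = regex.Espace_eliminate.sub("", result.text)

                triples = zip(site['ip'].finditer(text),
                              site['port'].finditer(text),
                              site['type'].finditer(text))
                for ip_m, port_m, type_m in triples:
                    ip = site['sub'].sub(" ", ip_m.group())
                    port = site['sub'].sub(" ", port_m.group())
                    kind = site['sub'].sub(" ", type_m.group()).lower()

                    # Remove whatever regex.Espace_eliminate matches (presumably
                    # whitespace) from each field directly. The original built
                    # str((ip, port, type)) and eval()'d it back; eval on text
                    # scraped from a third-party page is code execution on this
                    # host. For well-formed fields the result is the same tuple.
                    proxy = tuple(regex.Espace_eliminate.sub("", field) for field in (ip, port, kind))

                    self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")
                    self.container.put(proxy)
            except Exception as exc:
                # Best-effort per page: record the failure and move on. A bare
                # except would also have swallowed KeyboardInterrupt/SystemExit.
                self.logger.info(f"ip3366 page {page} skipped: {exc}")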
示例#4
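    def generator_proxies(self):
        """Harvest proxies from every source named in ``self.list_name``.

        For each source that has a parser entry in ``self.dic``, fetch the
        listing at ``origin_proxies[name]``, extract ``(ip, port, type)``
        triples with the source's regexes and enqueue those that pass
        ``Filter.filter`` on ``self.container``. Sources whose request
        returns ``None`` are skipped.
        """
        for name in self.list_name:
            if name not in self.dic:
                continue
            parser = self.dic[name]
            url, params = chambering(origin_proxies[name], strike=False)
            result = requester(url, params, GET=True, timeout=None)
            if result is None:
                # requester signals a failed request with None elsewhere in
                # this file; skip the source instead of raising on .text
                continue
            response = regex.Espace_eliminate.sub("", result.text)

            triples = zip(parser['ip'].finditer(response),
                          parser['port'].finditer(response),
                          parser['type'].finditer(response))
            for ip_m, port_m, type_m in triples:
                ip = parser['sub'].sub(" ", ip_m.group())
                port = parser['sub'].sub(" ", port_m.group())
                kind = parser['sub'].sub(" ", type_m.group()).lower()

                if not Filter.filter(ip, self.filter_proxy):
                    continue

                # Remove whatever regex.Espace_eliminate matches (presumably
                # whitespace) from each field directly. The original built
                # str((ip, port, type)) and eval()'d it back; eval on text
                # scraped from a third-party page is code execution on this
                # host. For well-formed fields the result is the same tuple.
                proxy = tuple(regex.Espace_eliminate.sub("", field) for field in (ip, port, kind))
                self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")
                self.container.put(proxy)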
示例#5
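    def generator_proxies(self):
        """Harvest usable proxies from the default sources listed in ``self.list_name``.

        For each source that has a parser entry in ``self.dic``, fetch the
        listing at ``origin_proxies[name]``, extract ``(ip, port, type)``
        triples with the source's regexes and enqueue those that pass
        ``Filter.filter`` on ``self.container``. Sources whose request
        returns ``None`` are skipped.
        """
        for name in self.list_name:
            if name not in self.dic:
                continue
            parser = self.dic[name]
            url, params = chambering(origin_proxies[name], strike=False)
            result = requester(url, params, GET=True, timeout=None)
            if result is None:
                continue
            response = regex.Espace_eliminate.sub("", result.text)

            triples = zip(parser['ip'].finditer(response),
                          parser['port'].finditer(response),
                          parser['type'].finditer(response))
            for ip_m, port_m, type_m in triples:
                ip = parser['sub'].sub(" ", ip_m.group())
                port = parser['sub'].sub(" ", port_m.group())
                kind = parser['sub'].sub(" ", type_m.group()).lower()

                # Only addresses that are not special-file links join the pool.
                if not Filter.filter(ip, self.filter_proxy):
                    continue

                # Remove whatever regex.Espace_eliminate matches (presumably
                # whitespace) from each field directly. The original built
                # str((ip, port, type)) and eval()'d it back; eval on text
                # scraped from a third-party page is code execution on this
                # host. For well-formed fields the result is the same tuple.
                proxy = tuple(regex.Espace_eliminate.sub("", field) for field in (ip, port, kind))
                self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")
                self.container.put(proxy)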
示例#6
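    def proxy_iphuan(self):
        """Harvest HTTP proxies from ip.ihuan.me.

        Fetches the index page, follows every listing link the ``link`` regex
        finds, and puts an ``(ip, port, "http")`` tuple on ``self.container``
        for each ip/port pair found on those pages. Pages whose request returns
        ``None`` are skipped.
        """
        base = "https://ip.ihuan.me/"
        site = self.dic['ip_huan']

        url, params = chambering(base, strike=False)
        index = requester(url, params, GET=True, timeout=None)
        if index is None:
            # requester signals a failed request with None elsewhere in this file
            return
        links = [m.group() for m in site['link'].finditer(index.text)]
        print(links)

        for raw_link in links:
            link = site['sub'].sub("", raw_link)
            print(link)

            # NOTE(review): kept as in the original, which passes only the URL
            # here while every other requester() call in this file also passes
            # params/GET; confirm the defaults are what this source needs.
            result = requester("".join([base, link]))
            if result is None:
                continue
            # The original handed the response object itself to .sub(); the
            # regex needs the body text.
            text = regex.Espace_eliminate.sub("", result.text)

            pairs = zip(site['ip'].finditer(text), site['port'].finditer(text))
            for ip_m, port_m in pairs:
                ip = ip_m.group()
                # The original handed the Match object to .sub(); it needs the
                # matched string.
                port = site['sub'].sub(" ", port_m.group())
                self.container.put((ip, port, "http"))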
示例#7
def check_waf(target, logger_type, proxy = None):
    """Probe ``target`` with the ``waf_checker`` payloads and score error responses against the WAF signature file.

    Args:
        target: URL to probe.
        logger_type: passed through to ``factory_logger``.
        proxy: optional proxy handed to ``requester``.

    Signatures are read from ``data/waf_signature``. A response with status
    >= 400 is scored against each signature's ``regex`` (and ``code`` /
    ``header`` when present); the best score is meant to be kept in
    ``waf_match`` and reported at the end.
    """

    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    # Relative path: resolved against the current working directory.
    waf_file = "data/waf_signature"
    logger = factory_logger(logger_type,target,"Waf")


    with open(waf_file,'r') as loader:
        waf_data = json.load(loader)
        # best score -> info; seeded with 0 so max() below always has a key
        waf_match = {0: None}
        waf_info = {'company': None,
                    'waf_type': None,
                    'bypass_known': None}


        for intruder in waf_checker:
            try:
                # NOTE(review): `target` is overwritten here, so from the second
                # payload on chambering() receives the already-rewritten URL.
                target, payload = chambering(target, strike=True, payload=intruder)
                response = requester(target, payload, GET=True, timeout=5, proxy=proxy)

                if not response is None:
                    page, code, headers = response.text, response.status_code, response.headers

                # NOTE(review): `code`/`page`/`headers` are only bound when the
                # response is not None; on a None response this raises and the
                # payload is skipped by the except below.
                if code >= 400:
                    match = 0

                    for waf_name, waf_signature in waf_data.items():

                        if re.search(waf_signature['regex'],page,re.I):
                            match = match + 1

                        # NOTE(review): `code` is an int and `headers` a mapping;
                        # re.search() needs a str and raises TypeError, which the
                        # except below swallows, abandoning the remaining signatures.
                        if "code" in waf_signature:
                            if re.search(waf_signature['code'],code,re.I):
                                match = match + 1

                        if "header" in waf_signature:
                            if re.search(waf_signature["header"],headers,re.I):
                                match = match +1

                        # `match` is not reset per signature, so later entries are
                        # compared using a running total across all signatures.
                        if match > max(waf_match,key=waf_match.get):
                            waf_info['company'] = waf_name
                            waf_info['waf_type'] = waf_signature['name']
                            if 'bypass_known' not in waf_signature:
                                waf_info['bypass_known'] = None
                            else:
                                waf_info['bypass_known'] = waf_signature['bypass_known']
                            waf_match.clear()
                            # NOTE(review): this is a variable annotation, not an
                            # assignment; waf_match stays empty after clear(), so
                            # the next max() on it raises ValueError.
                            waf_match[match] : waf_info
            except Exception:
                pass

        # NOTE(review): logs the raw score, not waf_info.
        if max(waf_match,key=waf_match.get) > 0:
            logger.info(match)

        else:
            print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")
示例#8
def detect_info(target, logger_type):
    """Collect middleware/technology information for ``target`` via the bugscaner whatweb API.

    Args:
        target: URL to fingerprint.
        logger_type: passed through to ``factory_logger``.

    Returns:
        The ``info`` dict on success; ``None`` when the API reply contains
        ``'error'`` (that path only logs).

    The target page body, final URL and response headers are compressed and
    POSTed to ``http://whatweb.bugscaner.com/api.go`` over plain HTTP, so the
    scanned content leaves this host and is visible to that service and to
    anyone on the network path.
    """

    logger_middle = factory_logger(logger_type, target, "middleware")
    print(f"{red}[!][{time}] Collecting middleware information....{end}")

    info = {
        'Waf': None,
        'CDN': None,
        'CMS': None,
        'Web Servers': None,
        'Web Frameworks': None,
        'Operating Systems': None,
        'JavaScript Frameworks': None,
        'Programming Languages': None
    }

    # NOTE(review): 'CMS' is in `info` but missing here, so it is never filled.
    keys = [
        'Waf', 'CDN', 'Web Servers', 'Web Frameworks', 'Operating Systems',
        'JavaScript Frameworks', 'Programming Languages'
    ]

    url, data = chambering(target, strike=False)

    try:
        response = requester(url, data, GET=True)
        # NOTE(review): requester returns None on failure elsewhere in this
        # file; response.url would then raise and be swallowed below.
        whatweb_dict = {
            "url": response.url,
            "text": response.text,
            "headers": dict(response.headers)
        }
        whatweb_dict = json.dumps(whatweb_dict)
        whatweb_dict = whatweb_dict.encode()
        whatweb_dict = zlib.compress(whatweb_dict)
        data = {"info": whatweb_dict}

        result = requests.post("http://whatweb.bugscaner.com/api.go",
                               files=data)
        data_json = result.json()
        data = dict(data_json)

    # NOTE(review): on any failure `data` keeps an earlier value (the
    # chambering result or the upload dict), which has no 'error' key, so the
    # success branch below runs and logs/returns an all-None info.
    except Exception:
        pass

    if 'error' not in data:
        for key in keys:
            if key in dict(data):
                info[key] = data[key]
        logger_middle.info(info)
        return info

    else:

        info.clear()
        info['message'] = "Error Message!"
        logger_middle.info(info)
示例#9
 def initialis_subdomain(self):
     """Drain ``self.subdomains_queue`` and feed each fetched page to ``url_extrator``.

     Requests use a 5 second timeout; entries whose request returns ``None``
     are skipped. Any exception ends the drain early and is swallowed.
     """
     try:
         while not self.subdomains_queue.empty():
             url, data = chambering(self.subdomains_queue.get(), strike = False)
             received = requester(url, data, GET=True, timeout = 5)
             if received is None:
                 continue
             self.url_extrator(received.text)
     except Exception:
         pass
示例#10
 def initislis_file(self):
     """Read the domains in ``self.file`` and feed each fetched page to ``url_extrator``.

     ``file_handler`` turns the file into a queue-like object that is drained
     here; entries whose request returns ``None`` are skipped. Any exception
     ends the drain early and is swallowed.
     """
     try:
         domains = file_handler(self.file)
         while not domains.empty():
             url, data = chambering(domains.get(), strike = False)
             received = requester(url, data, GET=True)
             if received is None:
                 continue
             self.url_extrator(received.text)
     except Exception:
         pass
示例#11
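    def proxy_xiladaili(self):
        """Harvest proxies from the xiladaili.com front page.

        The listing gives ``ip:port`` in one cell and the protocol in another;
        each pair becomes an ``(ip, port, type)`` tuple that is logged and put
        on ``self.container``. Entries without an ``ip:port`` shape and a
        ``None`` response are skipped.
        """
        site = self.dic['xiladaili']
        url, params = chambering("http://www.xiladaili.com", strike=False)
        result = requester(url, params, GET=True, timeout=None)
        if result is None:
            # requester signals a failed request with None elsewhere in this file
            return
        text = regex.Espace_eliminate.sub("", result.text)

        pairs = zip(site['ip'].finditer(text), site['type'].finditer(text))
        for ip_m, type_m in pairs:
            # Remove whatever regex.Espace_eliminate matches (presumably
            # whitespace) from each field directly. The original built
            # str((ip, type)) and eval()'d it back; eval on text scraped from a
            # third-party page is code execution on this host.
            endpoint = regex.Espace_eliminate.sub("", site['sub'].sub(" ", ip_m.group()))
            kind = regex.Espace_eliminate.sub("", site['sub'].sub(" ", type_m.group()).lower())

            parts = endpoint.split(":")
            if len(parts) < 2:
                # The original indexed [1] unconditionally and raised IndexError here.
                continue
            proxy = (parts[0], parts[1], kind)
            self.logger.info(f"ip : {proxy[0]} port : {proxy[1]} type : {proxy[2]}")

            self.container.put(proxy)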
示例#12
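 def initis(self):
     """Fetch ``self.target`` and feed the page to ``url_extrator`` to seed the target URLs.

     A ``None`` response from ``requester`` is skipped instead of raising
     ``AttributeError`` on ``.text``, matching how the other seeding methods
     treat a failed request.
     """
     url, data = chambering(self.target, strike=False)
     received = requester(url, data, GET=True)
     if received is None:
         return
     self.url_extrator(received.text)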
示例#13
def check_waf(target, logger_type, proxy = None):
    """Probe ``target`` with the ``waf_checker`` payloads and score error responses against the WAF signature file.

    Args:
        target: URL with parameters to probe; the process exits if it has none.
        logger_type: passed through to ``factory_logger``.
        proxy: optional proxy handed to ``requester``.

    Signatures are read from ``data/waf_signature``. A response with status
    >= 400 is scored against each signature's ``regex`` (and ``code`` /
    ``header`` when present); the best score is meant to be kept in
    ``waf_match`` and reported at the end.
    """

    original_target = target
    if "=" not in original_target:      # require a URL with parameters (quit() raises SystemExit)
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        quit()


    # folder = Path.cwd().parent    # debug use
    # waf_file = str(folder / "data/waf_signature")
    # Relative path: resolved against the current working directory.
    waf_file = "data/waf_signature"
    logger = factory_logger(logger_type,target,"Waf")


    with open(waf_file,'r') as loader:      # load the WAF fingerprints
        waf_data = json.load(loader)
        # best score -> info; seeded with 0 so max() below always has a key
        waf_match = {0: None}
        waf_info = {'company': None,
                    'waf_type': None,
                    'bypass_known': None}


        for intruder in waf_checker:        # send each fuzz payload and look for a WAF response
            try:
                intruder_type = "XSS" if intruder.startswith("<") else "SQLi"

                target, payload = chambering(original_target, strike=True, payload=intruder,type = intruder_type)   # ('www.baidu.com', {'a': '1', 'bb': '22'})
                response = requester(target, payload, GET=True, timeout=5, proxy=proxy)     # send the payload
                print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")


                if not response is None:
                    page, code, headers = response.text, response.status_code, response.headers
                    if code >= 400:
                        match = 0

                        for waf_name, waf_signature in waf_data.items():    # match the response against the signature DB, case-insensitive

                            if re.search(waf_signature['regex'],page,re.I):
                                match = match + 1

                            # NOTE(review): `code` is an int and `headers` a mapping;
                            # re.search() needs a str and raises TypeError, which the
                            # except below swallows, abandoning the remaining signatures.
                            if "code" in waf_signature:
                                if re.search(waf_signature['code'],code,re.I):
                                    match = match + 1

                            if "header" in waf_signature:
                                if re.search(waf_signature["header"],headers,re.I):
                                    match = match +1

                            # `match` is not reset per signature, so this compares a
                            # running total across all signatures with the best so far.
                            if match > max(waf_match,key=waf_match.get):    # best score so far is the largest key in waf_match
                                waf_info['company'] = waf_name
                                waf_info['waf_type'] = waf_signature['name']
                                if 'bypass_known' not in waf_signature:     # record whether a bypass is known
                                    waf_info['bypass_known'] = None
                                else:
                                    waf_info['bypass_known'] = waf_signature['bypass_known']
                                waf_match.clear()
                                # NOTE(review): this is a variable annotation, not an
                                # assignment; waf_match stays empty after clear(), so
                                # the next max() on it raises ValueError.
                                waf_match[match] : waf_info
            except Exception:
                pass

        # NOTE(review): logs the raw score, not waf_info.
        if max(waf_match,key=waf_match.get) > 0:    # report the matched WAF
            logger.info(match)
        else:
            print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")
示例#14
def check_waf(target, logger_type, proxy = None):
    """Probe ``target`` with the ``waf_checker`` payloads and score error responses against the WAF signature file.

    Args:
        target: URL with parameters to probe; the process exits if it has none.
        logger_type: passed through to ``factory_logger``.
        proxy: optional proxy handed to ``requester``.

    Signatures are read from ``data/waf_signature``. A response with status
    >= 400 is scored against each signature's ``regex`` (and ``code`` /
    ``header`` when present); the best score is meant to be kept in
    ``waf_match`` and reported at the end.
    """

    original_target = target
    if "=" not in original_target:
        print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
        quit()


    # folder = Path.cwd().parent
    # waf_file = str(folder / "data/waf_signature")
    # Relative path: resolved against the current working directory.
    waf_file = "data/waf_signature"
    logger = factory_logger(logger_type,target,"Waf")


    with open(waf_file,'r') as loader:
        waf_data = json.load(loader)
        # best score -> info; seeded with 0 so max() below always has a key
        waf_match = {0: None}
        waf_info = {'company': None,
                    'waf_type': None,
                    'bypass_known': None}


        for intruder in waf_checker:
            try:
                intruder_type = "XSS" if intruder.startswith("<") else "SQLi"

                target, payload = chambering(original_target, strike=True, payload=intruder,type = intruder_type)
                response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
                print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")


                # NOTE(review): `code` is read here but only assigned on the next
                # statement, so this raises NameError on every payload; the except
                # below swallows it and no signature is ever scored.
                if code >= 400 and not response is None:

                    match = 0
                    page, code, headers = response.text, response.status_code, response.headers

                    for waf_name, waf_signature in waf_data.items():

                        if re.search(waf_signature['regex'],page,re.I):
                            match = match + 1

                        # NOTE(review): `code` is an int and `headers` a mapping;
                        # re.search() needs a str and raises TypeError.
                        if "code" in waf_signature:
                            if re.search(waf_signature['code'],code,re.I):
                                match = match + 1

                        if "header" in waf_signature:
                            if re.search(waf_signature["header"],headers,re.I):
                                match = match +1

                        # `match` is not reset per signature, so this compares a
                        # running total across all signatures with the best so far.
                        if match > max(waf_match,key=waf_match.get):
                            waf_info['company'] = waf_name
                            waf_info['waf_type'] = waf_signature['name']
                            if 'bypass_known' not in waf_signature:
                                waf_info['bypass_known'] = None
                            else:
                                waf_info['bypass_known'] = waf_signature['bypass_known']
                            waf_match.clear()
                            # NOTE(review): this is a variable annotation, not an
                            # assignment; waf_match stays empty after clear(), so
                            # the next max() on it raises ValueError.
                            waf_match[match] : waf_info
            except Exception:
                pass

        # NOTE(review): logs the raw score, not waf_info.
        if max(waf_match,key=waf_match.get) > 0:
            logger.info(match)

        else:
            print(f"{green}[!][{time}] Waf Information : No firewall detected !{end}")