def start(target):
    """Scan one target end to end and persist what was found.

    Order: resolve the host, probe for a live web service, fingerprint it,
    port-scan (or record a CDN placeholder), run the POCs, then optionally
    crawl and brute-force directories before saving the web info.
    """
    host = parse_ip(target)
    url = verify_https(target)
    # A usable URL means the web service answered; the web-only steps hang off this.
    isopen = bool(url)
    data, apps = '', {}
    if isopen:
        data, apps = web_info(url)
    # iscdn() appears to be truthy when the host can be scanned directly;
    # otherwise a placeholder marks the port list as CDN-fronted.
    open_port = ScanPort(url).pool() if iscdn(host) else ['CDN:0']
    Vuln(url, host, open_port, apps).run()
    if isopen and CRAWL:
        crawl(url).pool()
    if isopen and SCANDIR:
        DirScan('result', apps).pool(url)
    if data:
        web_save(data)
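def reverse_domain(host):
    """Look up sibling sites: other names/IPs served from the same address as *host*.

    Queries yougetsignal first and falls back to hackertarget when that fails.
    Returns a list of hostnames/IPs; it is empty when iscdn() is falsy for the
    host, when both lookups fail, or when nothing was found.
    """
    # Bind the result before branching: the original left it unbound on the
    # non-iscdn path and raised UnboundLocalError at `return result`.
    result = []
    if not iscdn(host):
        return result
    data = {"remoteAddress": "{0}".format(host), "key": ""}
    header = get_ua()
    header.update({'Referer': 'https://www.yougetsignal.com/tools/web-sites-on-web-server/'})
    header.update({'origin': 'https://www.yougetsignal.com'})
    try:
        r = requests.post('https://domains.yougetsignal.com/domains.php', headers=header, data=data, timeout=5)
        text = json.loads(r.text)
        domain = tldextract.extract(host)
        for i in text.get('domainArray'):
            url = i[0]
            if url == host:
                continue
            # Keep names under the same registered domain, plus bare IPs.
            if tldextract.extract(url).domain == domain.domain:
                result.append(url)
            elif re.search(r'\d+\.\d+\.\d+\.\d+', url):
                result.append(url)
    except Exception:
        # First provider failed (network error, non-JSON body, missing key):
        # try the second one. `except Exception` instead of a bare except so
        # Ctrl-C still interrupts the scan.
        try:
            r = requests.get('http://api.hackertarget.com/reverseiplookup/?q={}'.format(host), headers=get_ua(), timeout=4)
            if '<html>' not in r.text:
                result.extend(line for line in r.text.split('\n') if line)
            else:
                # An HTML body is an error page, not a result list.
                result = []
        except Exception:
            # Best effort: both providers unavailable, return what we have.
            pass
    return result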
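def virustotal(host):
    """Collect passive-DNS history for *host* (VirusTotal report, then ipinfo()).

    Used to find addresses the name resolved to before it moved behind a CDN.
    Prints up to ten entries via console() and returns the full list. Returns
    None early when a VT key is configured and *host* is a bare IP.
    """
    pdns = []
    history_ip = []
    if VIRUSTOTAL_API:
        try:
            vtotal = Virustotal(VIRUSTOTAL_API)
            # VT domain reports exist for names only, not for addresses.
            if re.search(r'\d+\.\d+\.\d+\.\d+', host):
                return None
            resp = vtotal.domain_report(host)
            if resp.get('status_code') != 403:
                for i in resp.get('json_resp').get('resolutions'):
                    address = i.get('ip_address')
                    timeout = i.get('last_resolved')
                    if iscdn(address):
                        history_ip.append(address + ' : ' + timeout)
                # NOTE(review): [10:] keeps everything *after* the first ten
                # entries while the printout below shows pdns[:10]; the sibling
                # implementation returns history_ip[-10:] — confirm the slice.
                pdns = history_ip[10:]
        except Exception:
            # Best effort: a bad key, a refused report or a None last_resolved
            # (which makes the concatenation above raise) just means no VT
            # data; ipinfo() still runs. Not a bare except, so Ctrl-C works.
            pass
    pdns.extend(ipinfo(host))
    if pdns:
        for i in pdns[:10]:
            console('PDNS', host, i + '\n')
    else:
        console('PDNS', host, 'None\n')
    return pdns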
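def start(target, dbname='result'):
    """Scan one target and persist the results into the database *dbname*.

    Order: resolve the host, probe for a live web service, fingerprint it,
    port-scan (or record a CDN placeholder), run the POCs, then optionally
    crawl and brute-force directories before saving the web info.
    """
    if dbname != 'result':
        # Drop a trailing ".db" so the value is a bare database name. The
        # original pattern '.db' had an unescaped dot and removed any
        # character followed by "db" anywhere in the name.
        dbname = re.sub(r'\.db$', '', dbname)
    title = 'test'
    host = parse_ip(target)
    url = verify_https(target)
    # A usable URL means the web service answered; the web-only steps hang off this.
    isopen = bool(url)
    data, apps = '', {}
    if isopen:
        data, apps, title = web_info(url)
    # iscdn() appears to be truthy when the host can be scanned directly;
    # otherwise a placeholder marks the port list as CDN-fronted.
    open_port = ScanPort(url, dbname).pool() if iscdn(host) else ['CDN:0']
    # Run the POCs.
    Vuln(url, host, open_port, apps, dbname).run()
    if isopen and CRAWL:
        Crawl(url, dbname).pool()
    if isopen and SCANDIR:
        DirScan(dbname, apps, url, title).pool()
    if data:
        web_save(data, dbname)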
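def reverse_domain(host):
    """Look up sibling sites: other names/IPs served from the same address as *host*.

    Prints the findings via console() and returns them as a list. Twenty or
    more results are collapsed into a single 'maximum exceeded' entry. The
    list is empty when iscdn() is falsy for the host or both lookups fail.
    """
    sys.stdout.write(Bcolors.RED + "\nReverse IP Domain Check:\n" + Bcolors.ENDC)
    # Bind the result before branching: the original left it unbound on the
    # non-iscdn path and raised UnboundLocalError at len(result) below.
    result = []
    if iscdn(host):
        data = {"remoteAddress": "{0}".format(host), "key": ""}
        header = get_ua()
        try:
            # NOTE(review): verify=False disables TLS certificate checking for
            # this lookup, and its answer is fed into the rest of the scan.
            r = requests.post('https://domains.yougetsignal.com/domains.php', headers=header, data=data, timeout=5, verify=False)
            text = json.loads(r.text)
            domain = tldextract.extract(host)
            for i in text.get('domainArray'):
                url = i[0]
                if url == host:
                    continue
                # Keep names under the same registered domain, plus bare IPs.
                if tldextract.extract(url).domain == domain.domain:
                    result.append(url)
                elif re.search(r'\d+\.\d+\.\d+\.\d+', url):
                    result.append(url)
        except Exception:
            # First provider failed: fall back to the second one. Not a bare
            # except, so Ctrl-C still interrupts the scan.
            try:
                r = requests.get('http://api.hackertarget.com/reverseiplookup/?q={}'.format(host), headers=get_ua(), timeout=4, verify=False)
                if '<html>' not in r.text and 'No DNS A records found for' not in r.text:
                    result.extend(line for line in r.text.split('\n') if line)
                else:
                    # An HTML body or a "no records" message is not a result list.
                    result = []
            except Exception:
                # Best effort: both providers unavailable, keep what we have.
                pass
    if len(result) >= 20:
        console('reverse_domain', host, 'The maximum number of domain names exceeded (20)\n')
        return ['The maximum number of domain names exceeded (20)']
    if result:
        for i in result:
            console('reverse_domain', host, i + '\n')
    else:
        console('reverse_domain', host, 'None\n')
    return result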
def virustotal(host):
    """Return up to the last ten passive-DNS resolutions of *host* from VirusTotal.

    Used to find addresses the name resolved to before it moved behind a CDN.
    Each entry is 'ip : last_resolved'; only resolutions for which iscdn() is
    truthy are kept. Returns ['None'] for a bare IP or a refused (403) report.
    """
    vtotal = Virustotal(virustotal_api)
    # Domain reports exist for names only, not for addresses.
    if re.search(r'\d+\.\d+\.\d+\.\d+', host):
        return ['None']
    resp = vtotal.domain_report(host)
    if resp.get('status_code') == 403:
        return ['None']
    history_ip = []
    for entry in resp.get('json_resp').get('resolutions'):
        address = entry.get('ip_address')
        last_seen = entry.get('last_resolved')
        if iscdn(address):
            history_ip.append(address + ' : ' + last_seen)
    return history_ip[-10:]
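def ipinfo(host):
    """Return historical IPs for *host* scraped from viewdns.info's IP-history page.

    Bare IPs are skipped (there is no history to look up). Only addresses for
    which iscdn() is truthy are kept. Network or parse failures yield whatever
    was collected so far, usually an empty list.
    """
    out = []
    if re.search(r'\d+\.\d+\.\d+\.\d+', host):
        return out
    req = Requests()
    try:
        r = req.get('https://viewdns.info/iphistory/?domain={}'.format(host))
        # Pull the IPs out of the first column of the history table.
        found = re.findall(r'(?<=<tr><td>)\d+\.\d+\.\d+\.\d+(?=</td><td>)', r.text, re.S | re.I)
        for ip in found:
            if iscdn(ip):
                out.append(ip)
    except Exception:
        # Best effort: this source is optional and its markup may change.
        # Not a bare except, so Ctrl-C still interrupts the scan.
        pass
    return out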
def web_info(url):
    """Fingerprint the site at *url* and return (data, apps, title).

    *data* maps the host to its WAF verdict, resolved IP, GeoIP address,
    parsed page info and OS guess. *apps* and *title* come from the page
    info and are None when the page could not be fetched or parsed.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    req = Requests()
    # noinspection PyBroadException
    try:
        r = req.get(url)
        # Let chardet choose the body encoding before the page is read as text.
        r.encoding = chardet.detect(r.content).get('encoding')
        webinfo = WebPage(r.url, r.text, r.headers).info()
    except Exception as exc:
        logging.exception(exc)
        webinfo = {}
    if webinfo:
        for line in (
            'title: {}\n'.format(webinfo.get('title')),
            'Fingerprint: {}\n'.format(webinfo.get('apps')),
            'Server: {}\n'.format(webinfo.get('server')),
            'WAF: {}\n'.format(wafresult),
        ):
            console('Webinfo', host, line)
    else:
        # Normalise a falsy page info to {} so .get() works below, and report
        # the WAF as unknown when there was no page to judge.
        webinfo = {}
        wafresult = 'None'
    osname = osdetect(host) if iscdn(host) else None
    record = {
        'WAF': wafresult,
        'Ipaddr': ipaddr,
        'Address': address,
        'Webinfo': webinfo,
        'OS': osname,
    }
    return {host: record}, webinfo.get('apps'), webinfo.get('title')
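def checkwaf(url):
    """Detect a WAF in front of *url*.

    The plain response is judged first, then the responses to each entry of
    `payload`. Returns the name verify() reports, 'CDN IP' when nothing was
    detected and iscdn() is falsy for the host, else 'NoWAF'.
    """
    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text[:10000])
        if result != 'NoWAF':
            # The original fell through here and lost a detection made on the
            # plain response; return it the same way the probe loop does.
            return result
        for i in payload:
            r = req.get(url + i)
            result = verify(r.headers, r.text[:10000])
            if result != 'NoWAF':
                return result
    except UnboundLocalError:
        pass
    except Exception as e:
        logging.exception(e)
    host = parse_host(url)
    if not iscdn(host):
        return 'CDN IP'
    return 'NoWAF'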
def web_info(url):
    """Fingerprint the site at *url* and return (data, apps).

    *data* maps the host to its WAF verdict, resolved IP, GeoIP address,
    parsed page info (extended with passive-DNS and reverse-IP results) and
    OS guess. *apps* is None when the page could not be fetched or parsed.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    address = geoip(ipaddr)
    wafresult = checkwaf(url)
    req = Requests()
    try:
        r = req.get(url)
        # Let chardet choose the body encoding before the page is read as text.
        r.encoding = chardet.detect(r.content).get('encoding')
        webinfo = WebPage(r.url, r.text, r.headers).info()
    except Exception:
        webinfo = {}
    if webinfo:
        for line in (
            'Title: {}\n'.format(webinfo.get('title')),
            'Fingerprint: {}\n'.format(webinfo.get('apps')),
            'Server: {}\n'.format(webinfo.get('server')),
            'WAF: {}\n'.format(wafresult),
        ):
            console('Webinfo', host, line)
    else:
        # Normalise a falsy page info to {} so .update() works below, and
        # report the WAF as unknown when there was no page to judge.
        webinfo = {}
        wafresult = 'None'
    osname = osdetect(host) if iscdn(host) else None
    # Both lookups print as they go, so keep the original order.
    webinfo['pdns'] = virustotal(host)
    webinfo['reverseip'] = reverse_domain(host)
    record = {
        'WAF': wafresult,
        'Ipaddr': ipaddr,
        'Address': address,
        'Webinfo': webinfo,
        'OS': osname,
    }
    return {host: record}, webinfo.get('apps')
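def checkwaf(url):
    """Detect a WAF in front of *url*.

    Returns 'CDN IP' without probing when iscdn() is falsy for the host.
    Otherwise the plain response is judged first, then the responses to each
    entry of `payload`; the first non-'NoWAF' verdict from verify() is
    returned, else 'NoWAF'.
    """
    result = 'NoWAF'
    host = parse_host(url)
    if not iscdn(host):
        return 'CDN IP'
    try:
        req = Requests()
        r = req.get(url)
        result = verify(r.headers, r.text)
        if result != 'NoWAF':
            return result
        for i in payload:
            r = req.get(url + i)
            result = verify(r.headers, r.text)
            if result != 'NoWAF':
                return result
    except (UnboundLocalError, AttributeError):
        pass
    except Exception as e:
        logging.exception(e)
    # Every probe came back clean, or the lookup failed: return the verdict
    # instead of falling off the end and handing callers None.
    return result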
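def start(url):
    """Profile one URL: banner, fingerprint, WAF, passive DNS, reverse IP, ports, OS, POCs, dirscan.

    Results are persisted with web_save(); nothing is returned.
    """
    host = parse_host(url)
    ipaddr = parse_ip(host)
    url = url.strip('/')
    sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
    sys.stdout.write(bcolors.RED + 'Host: ' + host + '\n' + bcolors.ENDC)
    sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
    address = geoip(ipaddr)
    # Defaults for an unreachable site; the original left these unbound on
    # that path and raised at webinfo.update() below.
    webinfo = {}
    wafresult = 'None'
    # Explicit sentinel instead of probing locals() for 'r'.
    r = None
    try:
        # Check whether the main site answers at all.
        req = Requests()
        r = req.get(url)
    except Exception:
        # Best effort: an unreachable site just skips the web-only steps.
        pass
    if r is not None:
        # NOTE(review): called with the bare host here while the sibling
        # checkwaf() implementations take a URL — confirm the signature.
        wafresult = checkwaf(host)
        try:
            # Let chardet choose the body encoding before the page is read as text.
            coding = chardet.detect(r.content).get('encoding')
            r.encoding = coding
            webinfo = WebPage(r.url, r.text, r.headers).info()
        except Exception:
            webinfo = {}
        if webinfo:
            sys.stdout.write(bcolors.RED + "Webinfo:\n" + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Title: {}\n'.format(webinfo.get('title')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Fingerprint: {}\n'.format(webinfo.get('apps')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Server: {}\n'.format(webinfo.get('server')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] WAF: {}\n'.format(wafresult) + bcolors.ENDC)
        else:
            # No parsable page: normalise to {} and report the WAF as unknown,
            # as the web_info() implementations do.
            webinfo = {}
            wafresult = 'None'
    # Both lookups print as they go, so keep this order.
    pdns = virustotal(host)
    reverseip = reverse_domain(host)
    webinfo.update({"pdns": pdns})
    webinfo.update({"reverseip": reverseip})
    # iscdn() appears to be truthy when the host can be scanned directly;
    # otherwise a placeholder marks the port list as CDN-fronted.
    if iscdn(host):
        open_port = ScanPort(url).pool()
    else:
        open_port = ['CDN:0']
    osname = osdetect(host)
    data = {
        host: {
            'WAF': wafresult,
            'Ipaddr': ipaddr,
            'Address': address,
            'Webinfo': webinfo,
            'OS': osname,
        }
    }
    web_save(data)
    Vuln(host, open_port, webinfo.get('apps')).run()
    # NOTE(review): the sibling start() implementations run DirScan when
    # SCANDIR is set; here it runs when SCANDIR is *not* set — confirm.
    if r is not None and not SCANDIR:
        dirscan = DirScan('result')
        dirscan.pool(url)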
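def start(url):
    """Scan *url* end to end and return (data, wafresult).

    Steps: resolve the host and print GeoIP, fetch the page, fingerprint it
    and judge the WAF, gather passive DNS / reverse-IP data, parse JS for
    leaks, run the SQL check, scan ports, run the POCs (when POC is set) and
    guess the OS. *data* maps the URL's netloc to everything collected.
    """
    result = 'NoWAF'
    # Defaults for the "resolution or connection failed" path; the original
    # left these unbound and raised while building *data* below.
    ipaddr = None
    address = None
    webinfo = {}
    jsparse = ''
    sql = ''
    # Explicit sentinel instead of probing locals() for 'r'.
    r = None
    host = url.replace('http://', '').replace('https://', '').rstrip('/')
    try:
        # Only a URL with a path component needs the path stripped. The
        # original also tested `path != '/'`, which an empty path always
        # satisfies, so the condition reduces to the path being non-empty.
        if parse.urlparse(url).path:
            host = re.sub(r'/\w+', '', host)
        if ':' in host:
            host = re.sub(r':\d+', '', host)
        socket.setdefaulttimeout(1)
        ipaddr = socket.gethostbyname(host)
        address = geoip(ipaddr)
        sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
        sys.stdout.write(bcolors.RED + 'Host: ' + host + '\n' + bcolors.ENDC)
        sys.stdout.write(bcolors.RED + '-' * 100 + '\n' + bcolors.ENDC)
        sys.stdout.write(bcolors.RED + "GeoIP:\n" + bcolors.ENDC)
        sys.stdout.write(bcolors.OKGREEN + '[+] Address: {}\n'.format(address) + bcolors.ENDC)
        sys.stdout.write(bcolors.OKGREEN + '[+] Ipaddr: {}\n'.format(ipaddr) + bcolors.ENDC)
        # NOTE(review): verify=False disables TLS certificate checking for the
        # scan traffic; the response drives fingerprinting and the WAF verdict.
        r = requests.get(url, headers=get_ua(), timeout=TIMEOUT, verify=False)
    except Exception:
        # Best effort: a resolution or connection failure leaves r as None
        # and the web-only steps below are skipped.
        pass
    if r is not None:
        try:
            webinfo = (WebPage(r.url, r.content.decode('utf8'), r.headers).info())
            result = checkwaf(r.headers, r.text[:10000])
            if result == 'NoWAF':
                # Nothing seen on the plain page: judge the probe response too.
                r = requests.get(url + '/index.php?id=1 ' + payload, headers=get_ua(), timeout=TIMEOUT, verify=False)
                result = checkwaf(r.headers, r.text[:10000])
        except Exception:
            webinfo = {}
            traceback.print_exc()
        if webinfo:
            sys.stdout.write(bcolors.RED + "Webinfo:\n" + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Title: {}\n'.format(webinfo.get('title')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Fingerprint: {}\n'.format(webinfo.get('apps')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] Server: {}\n'.format(webinfo.get('server')) + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + '[+] WAF: {}\n'.format(result) + bcolors.ENDC)
            pdns = virustotal(host)
            reverseip = reverse_domain(host)
            sys.stdout.write(bcolors.RED + "VT PDNS:\n" + bcolors.ENDC)
            sys.stdout.write(bcolors.OKGREEN + "\n".join("[+] " + str(i) for i in pdns) + "\n" + bcolors.ENDC)
            if reverseip:
                sys.stdout.write(bcolors.RED + "Reverse IP Domain Check:\n" + bcolors.ENDC)
                sys.stdout.write(bcolors.OKGREEN + "\n".join("[+] " + str(i) for i in reverseip) + "\n" + bcolors.ENDC)
            jsparse = JsParse(url).jsparse()
            sql = sql_check(url)
            webinfo.update({"pdns": pdns})
            webinfo.update({"reverseip": reverseip})
        else:
            # Normalise a falsy page info to {} so .get() works below.
            webinfo = {}
    # iscdn() appears to be truthy when the host can be scanned directly;
    # otherwise a placeholder marks the port list as CDN-fronted.
    if iscdn(host):
        open_port = ScanPort(url).pool()
    else:
        open_port = ['CDN:0']
    sys.stdout.write(bcolors.RED + "PortScan:\n" + bcolors.ENDC)
    for port in open_port:
        sys.stdout.write(bcolors.OKGREEN + '[+] {}\n'.format(port) + bcolors.ENDC)
    if POC:
        vuln = Vuln(url, open_port, webinfo.get('apps')).run()
    else:
        vuln = []
    if jsparse:
        jsparse = list(map(lambda x: 'Leaks: ' + x, jsparse))
        vuln.extend(jsparse)
    if sql:
        vuln.extend(sql)
    vuln = list(filter(None, vuln))
    # After filter(None, ...) no '' survives, so this test is always true and
    # the "Vuln:" header is printed even when nothing was found (kept as-is).
    if not (len(vuln) == 1 and ('' in vuln)):
        sys.stdout.write(bcolors.RED + "Vuln:\n" + bcolors.ENDC)
        sys.stdout.write(bcolors.OKGREEN + "\n".join("[+] " + str(i) for i in vuln) + "\n" + bcolors.ENDC)
    url = parse.urlparse(url)
    osname = osdetect(url.netloc)
    if not osname:
        osname = 'None'
    sys.stdout.write(bcolors.RED + "OS:\n" + bcolors.ENDC)
    sys.stdout.write(bcolors.OKGREEN + '[+] {}\n'.format(osname) + bcolors.ENDC)
    data = {
        url.netloc: {
            'WAF': result,
            'Ipaddr': ipaddr,
            'Address': address,
            'Webinfo': webinfo,
            'Ports': open_port,
            'OS': osname,
            'Vuln': vuln,
        }
    }
    return data, result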