示例#1
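def main():
    """Worker entry point: register with the queue, then poll for tasks forever.

    Each iteration asks the queue for a task and the script that should run it
    (``GetTaskAndScript`` fills the ``SCRIPT`` / ``TASK`` globals), turns the
    script source into a module, runs it through ``WorkeBee`` and reports the
    result with ``submission()``. Sleeps one second between polls.

    SECURITY: ``SCRIPT`` is Python source received from the queue and executed
    in this process by ``load_string_to_module``. The queue channel must be
    authenticated and integrity-protected - anyone who can enqueue or tamper
    with a task gets code execution on every worker.
    """
    global SCRIPT, TASK, RESULT
    import traceback

    banner()  # print the startup banner
    register()  # register this worker with the queue
    while True:
        if GetTaskAndScript():  # fetch script source + task into the globals
            # One misbehaving script must not take the whole worker down
            # (a single bad task would otherwise idle every worker that
            # picks it up); log the failure and go back to polling.
            try:
                SCRIPT = load_string_to_module(SCRIPT)  # source -> module
                worker = WorkeBee(SCRIPT, TASK)
                worker.run()
                RESULT = worker.get_result()
                submission()  # push RESULT back to the queue
            except Exception:
                traceback.print_exc()

        time.sleep(1)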
示例#2
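def init(config: dict):
    """Patch the HTTP session and load every local PoC module into ``POCS``.

    Walks ``PATHS_POCS`` recursively and loads each ``*.py`` file as a module
    via ``load_string_to_module``, skipping dunder files (``__init__.py``) and
    any bare file name listed in ``config["poc"]``.

    Parameters
    ----------
    config : dict
        Scanner configuration; only the optional ``"poc"`` key (collection of
        file names to exclude) is read here.

    Note: every file found under ``PATHS_POCS`` is executed as code, so that
    directory must be writable only by the account running the scanner.
    """
    patch_session()

    # The exclusion list is constant for the whole walk; look it up once.
    excluded = config.get("poc", [])

    poc_paths = []
    for root, _dirs, files in os.walk(PATHS_POCS):
        poc_paths.extend(
            os.path.join(root, name)
            for name in files
            if not name.startswith("__")
            and name.endswith(".py")
            and name not in excluded
        )

    # PoC files carry non-ASCII comments; reading them with the locale's
    # default encoding raises UnicodeDecodeError on non-UTF-8 systems, so the
    # encoding is pinned explicitly.
    for path in poc_paths:
        with open(path, "r", encoding="utf-8") as f:
            POCS.append(load_string_to_module(f.read()))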
示例#3
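    def hand_domain(self, serviceType):
        """Probe one web target, run the fixed plugin set, then any matching remote PoCs.

        Parameters
        ----------
        serviceType : dict
            Task record; only ``serviceType["target"]`` (a URL string) is read.

        Returns
        -------
        None
            All output goes through ``collector``: the raw response, the
            resolved IP, the detected CMS (stored under ``"app"``) and PoC
            findings (``add_domain_bug``). ``collector.send_ok`` marks the
            target as finished. If the initial request fails the domain
            record is deleted and the method returns early without
            ``send_ok``.
        """
        target = serviceType["target"]
        logger.info(target)
        # Create the domain record first so the plugins below have a place
        # to attach their findings.
        collector.add_domain(target)

        # First contact with the target. verify=False is deliberate for a
        # scanner (self-signed targets); allow_redirects=False keeps the
        # probe on the requested host. The body is attacker-controlled data
        # and is stored verbatim - consumers must treat it as untrusted.
        try:
            r = requests.get(target,
                             timeout=30,
                             verify=False,
                             allow_redirects=False)
            collector.add_domain_info(target, {
                "headers": r.headers,
                "body": r.text,
                "status_code": r.status_code
            })
        except Exception as e:
            logger.error("request url error:" + str(e))
            collector.del_domain(target)
            return
        logger.debug("target:{} over,start to scan".format(target))

        # Extract the host part. NOTE(review): netloc.split(":")[0] does not
        # handle "user@host" or bracketed IPv6 literals; urlparse().hostname
        # would, but it also lower-cases the name, so it is left unchanged.
        hostname = urlparse(target).netloc.split(":")[0]
        if is_ip_address_format(hostname):
            collector.add_domain_info(target, {"ip": hostname})
        else:
            try:
                _ip = socket.gethostbyname(hostname)
            except (OSError, UnicodeError):
                # Resolution is best-effort: gaierror/herror (OSError
                # subclasses) and IDNA failures (UnicodeError) just leave
                # "ip" unset. Nothing else is swallowed, unlike the old bare
                # except, so collector errors now surface.
                pass
            else:
                collector.add_domain_info(target, {"ip": _ip})

        work_list = [
            webeye.poc, webtitle.poc, wappalyzer.poc, password_found.poc
        ]

        if IS_START_PLUGINS:
            work_list.extend([
                crossdomain.poc,
                directory_browse.poc,
                gitleak.poc,
                iis_parse.poc,
                phpinfo.poc,
                svnleak.poc,
                tomcat_leak.poc,
                whatcms.poc,
            ])

        # bakfile.poc (backup-file scan) is intentionally excluded: far too
        # slow for the per-target budget.

        # Plugins run sequentially; a failure in one is logged and the rest
        # still run.
        for func in work_list:
            try:
                func(target)
            except Exception as e:
                # Log the real exception class - the original passed
                # repr(Exception), which always printed "<class 'Exception'>".
                logger.error("domain plugin threading error {}:{}".format(
                    type(e).__name__, str(e)))

        logger.debug("target:{} End of scan".format(target))
        infos = collector.get_domain(target)
        _pocs = []
        temp = {}
        if IS_START_PLUGINS and "CMS" in infos:
            # Both branches of the original produced the same one-element
            # list, i.e. any previous "app" value is replaced, not extended.
            temp["app"] = [infos["CMS"]]
            collector.add_domain_info(target, temp)

        if temp.get("app"):
            keywords = temp["app"]
            # Remote PoC index: entries are dicts with "name", "webfile",
            # "type" and "time" keys.
            pocs = load_remote_poc()

            for poc in pocs:
                for keyword in keywords:
                    if poc["name"] != keyword:
                        continue
                    webfile = poc["webfile"]
                    logger.debug("load {0} poc:{1} poc_time:{2}".format(
                        poc["type"], webfile, poc["time"]))
                    # SECURITY: the text fetched from webfile is executed in
                    # this process by load_string_to_module. Whoever controls
                    # the PoC index or can tamper with the download gets code
                    # execution on the scanner. That trust decision is not
                    # changed here; at minimum the index and PoC hosts should
                    # be reached over TLS with verification on (the default
                    # for this call) and the source should be hash- or
                    # signature-checked before loading. What is added: a
                    # timeout so a hung PoC host cannot stall the scan, a
                    # status check so an error page is never executed as
                    # code, and a broken PoC is logged and skipped instead of
                    # aborting the whole target.
                    try:
                        resp = requests.get(webfile, timeout=30)
                        resp.raise_for_status()
                        obj = load_string_to_module(resp.text, webfile)
                    except Exception as e:
                        logger.error("load poc error:{} error:{}".format(
                            webfile, str(e)))
                        continue
                    _pocs.append(obj)

        # Run the remote PoCs concurrently, one thread each. The context
        # manager shuts the pool down on exit; the original never called
        # shutdown(), leaking a pool per target.
        if _pocs:
            with futures.ThreadPoolExecutor(len(_pocs)) as executor:
                fs = [executor.submit(p.poc, target) for p in _pocs]
                for fut in futures.as_completed(fs):
                    try:
                        res = fut.result()
                    except Exception as e:
                        res = None
                        logger.error("load poc error:{} error:{}".format(
                            target, str(e)))
                    if res:
                        name = res.get("name") or "scan_" + str(time.time())
                        collector.add_domain_bug(target, {name: res})

        collector.send_ok(target)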