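def findcard(data_log):
    """Report Chinese resident ID numbers found in a response body.

    Detection of PII leaking into page content: every 18-character candidate
    (17 digits plus a digit or X/x check character) is passed to ``judgeCard``
    together with the matches of two longer variants, so that a run embedded
    in a longer digit string can be rejected before it is reported.

    Args:
        data_log: request/response record; only ``['response']['body']`` is
            read. Nothing is done when the body is ``None``.
    """
    body = data_log['response']['body']
    if body is None:
        return
    # 18-character candidate.
    idcard_re = r'[1-9]\d{5}[1-3]\d{3}[0-1][0-9][0-3]\d{4}[0-9Xx]'
    # The same candidate with one extra digit in front / behind; these lists
    # let judgeCard reject a match that is only part of a longer number.
    with_prefix_re = r'[0-9][1-9]\d{5}[1-3]\d{3}[0-1][0-9][0-3]\d{4}[0-9Xx]'
    with_suffix_re = r'[1-9]\d{5}[1-3]\d{3}[0-1][0-9][0-3]\d{4}[0-9Xx][0-9]'
    candidates = re.findall(idcard_re, body)
    with_prefix = re.findall(with_prefix_re, body)
    with_suffix = re.findall(with_suffix_re, body)
    for card in candidates:
        # `!= False` is kept on purpose: judgeCard is defined elsewhere and its
        # return type is not visible here, so an `is False` test could change
        # which results pass.
        if judgeCard(card, with_prefix) != False and judgeCard(card, with_suffix) != False:
            show.output(data_log, "页面发现身份证号" + card, crayons.cyan)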
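def findmobile(data_log):
    """Report mobile numbers found in a response body.

    Detection of PII leaking into page content. Returns 1 after the first
    number reported and None otherwise (including when the body is None).

    Args:
        data_log: request/response record; only ``['response']['body']`` is
            read.
    """
    body = data_log['response']['body']
    if body is None:
        return None
    # 11 digits: "1", one of 3/4/5/7/8, then nine digits. The original wrote
    # the class as "[3,4,5,7,8]"; inside a character class the commas are
    # literal, so "1," followed by nine digits was also reported. Fixed here.
    mobile_re = r"1[34578][0-9]{9}"
    # Same number with one extra digit behind / in front of it; judgeMobile
    # uses these lists to reject matches that are part of a longer digit run.
    longer_after_re = r"1[34578][0-9]{10}"
    longer_before_re = r"[0-9]1[34578][0-9]{9}"
    candidates = re.findall(mobile_re, body)
    with_suffix = re.findall(longer_after_re, body)
    with_prefix = re.findall(longer_before_re, body)
    for mobile in candidates:
        # `!= False` kept: judgeMobile's return type is not visible here.
        if judgeMobile(mobile, with_suffix) != False and judgeMobile(mobile, with_prefix) != False:
            # The original also tested len(mobile) == 11, which the pattern
            # already guarantees.
            show.output(data_log, "页面发现手机号" + mobile, crayons.cyan)
            # NOTE(review): the indentation of this `return 1` was lost in the
            # copy under review; it is placed after the first reported number
            # (the only reading under which it is reachable from the loop) —
            # confirm against the upstream file.
            return 1
    return None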
def scan_print(vul_info):
    """Print one PoC result to the console and hand it to the output module.

    ``vul_info`` is the result dict of a PoC run; the keys read here are
    prt_resu, prt_name, vul_name, vul_type, vul_numb and prt_info. Two result
    codes count as findings ("PoCSuCCeSS" and "PoC_MaYbE"); anything else is
    printed as a miss — on its own line when DEBUG is "debug", otherwise as a
    carriage-return status line that the next message overwrites.
    """
    try:
        delay = globals.get_value("DELAY")   # print delay from the global store
        debug = globals.get_value("DEBUG")
        # All keys are read up front so a missing one fails before any output.
        result = vul_info["prt_resu"]
        prt_name = vul_info["prt_name"]
        vul_name = vul_info["vul_name"]
        vul_type = vul_info["vul_type"]
        vul_numb = vul_info["vul_numb"]
        info = vul_info["prt_info"]
        if result in ("PoCSuCCeSS", "PoC_MaYbE"):
            banner = "[+] The target is " if result == "PoCSuCCeSS" else "[?] The target maybe "
            print(now.timed(de=delay) + color.green(banner + prt_name + " " + info))
            # The output module decides itself whether a file is written.
            output("json", vul_info)
            output("text", "--> [名称:" + vul_name + "] [编号:" + vul_numb
                   + "] [类型:" + vul_type + "] " + info)
        elif debug == "debug":
            print(now.timed(de=delay) + color.magenta("[-] The target no " + color.magenta(prt_name)))
        else:
            status = "\r{0}{1}{2}".format(now.timed(de=delay),
                                          color.magenta("[-] The target no "),
                                          color.magenta(prt_name))
            print(status, end=" \r", flush=True)
    except IndexError as error:
        # Report the file and line recorded on the traceback.
        tb = error.__traceback__
        print(now.timed(de=0) + color.red("[ERROR] " + tb.tb_frame.f_globals['__file__']
                                          + " " + str(tb.tb_lineno)))
def check_relect_xss_step_2(data_log):
    """Second step of the reflected-XSS check for one recorded request.

    Replays the recorded URL with three JSONP-style callback parameters whose
    value is the marker ``<95272333>``; a response body that echoes the marker
    back unencoded is reported through ``show.output``. Requests go through
    the configured proxy only when ``config.proxy_value`` is 1 and the
    target's second-level label is listed in ``config.use_proxy_domain``.
    """
    # Recorded headers, one "Name: value" per line. Index 0 (the request line)
    # and the final entry are skipped, as in the original range(1, len - 1).
    # A line without ": " raises IndexError here, outside the try below.
    header_lines = data_log["request"]["headers"].split("\n")
    headers = {}
    for raw in header_lines[1:-1]:
        parts = raw.split(": ")
        headers[parts[0]] = parts[1]
    url_path = h.unescape(data_log["request"]["path"])
    if url_path is None:
        url_path = ""
    # "htt" before the first "p" means the recorded path already carries a
    # scheme and is used as the full URL.
    if url_path.split("p")[0] == "htt":
        url = url_path
    else:
        url = data_log['protocol'] + "://" + data_log['hostname'] + url_path
    # Append with "&" when the path already has a query string.
    joiner = "&" if "?" in url_path else "?"
    probes = {
        joiner + "jsonpcallback=<95272333>",
        joiner + "jsoncallback=<95272333>",
        joiner + "callback=<95272333>",
    }
    proxy_host = 0   # stays set for the remaining probes once the host matched
    for probe in probes:
        try:
            if data_log['hostname'].split(".")[-2] in config.use_proxy_domain:
                proxy_host = 1
            request_args = {"headers": headers, "timeout": 2}
            if config.proxy_value == 1 and proxy_host == 1:
                request_args["proxies"] = config.proxies
            body = requests.get(url + probe, **request_args).text
            if body and "<95272333>" in body:
                show.output(data_log, "存在反射型xss,poc:" + probe, crayons.yellow)
        except Exception:
            # NOTE(review): timeouts, connection errors, a hostname without a
            # dot (IndexError above) and failures inside show.output are all
            # dropped here without being logged.
            pass
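def SecureSymbol(data_log):
    """Flag pages that were served over plain HTTP (no browser padlock).

    The request's Referer is used as the identity of the originating page;
    each referer is reported once and appended to
    poc/tmp/Http_secure_symbol_tmp.txt so that further requests from the
    same page stay quiet. Requests without a Referer share the entry "0".

    Args:
        data_log: request/response record; ``['protocol']`` and
            ``['request']['headers']`` are read.
    """
    if data_log['protocol'] == 'https':
        return
    found = re.findall(r'Referer:(.*?)\n', data_log['request']['headers'])
    referer = found[0] if found else '0'
    # 'r+' so the whole file is read before the new entry is appended at the
    # end. The with-block closes the handle on every path; the original leaked
    # it whenever readlines() or the write raised.
    with open('poc/tmp/Http_secure_symbol_tmp.txt', 'r+') as f:
        seen = f.readlines()
        if referer + "\n" in seen:
            return
        try:
            f.write(referer + "\n")
        except (OSError, ValueError):
            # Best-effort bookkeeping (ValueError covers UnicodeEncodeError);
            # a failed write must not suppress the finding. The original used
            # a bare except, which also swallowed KeyboardInterrupt.
            pass
        # NOTE(review): indentation was lost in the copy under review; the
        # original's comment ("avoid redundant output") supports reporting
        # only for referers not seen before — confirm against upstream.
        show.output(data_log, "页面来源没有浏览器标记的安全小锁", crayons.red)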
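def _announce_selection(webapps_identify):
    """Print the explicitly requested webapp types on one console line."""
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify scan vulnerabilities for: "), end='')
    for w_i in webapps_identify:
        print(color.cyan(w_i), end=' ')
    # The original only emitted the newline after the last item, i.e. never
    # for an empty selection; keep that so console output is unchanged.
    if webapps_identify:
        print(end='\n')


def _explicit_webapps(webapps, webapps_identify):
    """Resolve a user-given ``webapps`` list (not None) into the list to scan.

    "all" anywhere in the selection means every PoC: "all" is recorded once in
    ``webapps_identify`` (the original appended it again for every target) and
    that list is returned. Otherwise the selection is announced and returned
    itself, exactly as the original rebound ``webapps_identify = webapps``.
    """
    if "all" in webapps:
        print(now.timed(de=0) + color.yel_info() + color.yellow(" Specify to scan all vulnerabilities"))
        if "all" not in webapps_identify:
            webapps_identify.append("all")
        return webapps_identify
    _announce_selection(webapps)
    return webapps


def _survival_ok(url, now_num, total):
    """Run the survival check for ``url`` and print the progress line.

    Returns False (after a red warning) when the check reports "f", True
    (after the yellow "Scanning target" line) otherwise.
    """
    if survival_check(url) == "f":
        print(now.timed(de=0) + color.red_warn() + color.red(
            " Current:[" + str(now_num) + "] Total:[" + str(total) + "] Survival check failed: " + url))
        return False
    print(now.timed(de=0) + color.yel_info() + color.yellow(
        " Current:[" + str(now_num) + "] Total:[" + str(total) + "] Scanning target: " + url))
    return True


def _run_scan(webapps_identify, thread_poc, thread_pool, gevent_pool, url):
    """Dispatch the PoCs for one target and block until every task finished."""
    core.scan_webapps(webapps_identify, thread_poc, thread_pool, gevent_pool, url)
    joinall(gevent_pool)                          # drain the coroutine pool
    wait(thread_poc, return_when=ALL_COMPLETED)   # and the thread-pool futures
    print(now.timed(de=0) + color.yel_info() + color.yellow(" Scan completed and ended "))


def _read_targets(path):
    """Return the stripped, non-blank lines of a target file, one target each.

    Single pass under ``with``. The original opened the file three times —
    once with mode 'rU', which Python 3.11 rejects — and never closed two of
    the handles; the count it derived equals ``len()`` of this list.
    """
    with open(path, 'r') as fh:
        return [stripped for stripped in (line.strip() for line in fh) if stripped]


def control_webapps(target_type, target, webapps, mode):
    """Entry point of the scan driver.

    Args:
        target_type: "url" (single target), "file" (one target per line) or
            "fofa"/"shodan" (``target`` is already a list of hosts).
        target: target string, file path or list, depending on target_type.
        webapps: None to fingerprint each target first, a list containing
            "all" to run every PoC, or an explicit list of webapp types. In
            "exp" mode this argument carries the vulnerability number instead.
        mode: "poc" to scan, "exp" to call ``exploit`` on ``target``.
    """
    t_num = globals.get_value("THREADNUM")   # worker count (the original comment says the CLI default is 10)
    thread_poc = []          # futures handed out by core.scan_webapps
    gevent_pool = []         # greenlets handed out by core.scan_webapps
    thread_pool = ThreadPoolExecutor(t_num)
    webapps_identify = []    # fingerprint results / resolved selection for the current target
    try:
        if mode == "poc":
            if target_type == "url":
                output("text", "[*] " + target)   # the output module decides whether a file is written
                if webapps is None:
                    Identify.start(target, webapps_identify)
                else:
                    webapps_identify = _explicit_webapps(webapps, webapps_identify)
                _run_scan(webapps_identify, thread_poc, thread_pool, gevent_pool, target)
            elif target_type == "file":
                targets = _read_targets(target)
                target_num = len(targets)
                for now_num, line in enumerate(targets, 1):
                    furl = url_check(line)   # URL format check / normalisation
                    output("text", "[*] " + furl)
                    if not _survival_ok(furl, now_num, target_num):
                        continue
                    if webapps is None:
                        webapps_identify.clear()   # results of the previous target must not leak into this one
                        Identify.start(furl, webapps_identify)
                    else:
                        webapps_identify = _explicit_webapps(webapps, webapps_identify)
                    _run_scan(webapps_identify, thread_poc, thread_pool, gevent_pool, furl)
            elif target_type in ("fofa", "shodan"):
                total = len(target)
                # An explicit selection is announced once, before the loop.
                if webapps is not None:
                    webapps_identify = _explicit_webapps(webapps, webapps_identify)
                for now_num, f_target in enumerate(target, 1):
                    fofa_target = url_check(f_target)
                    output("text", "[*] " + fofa_target)
                    if not _survival_ok(fofa_target, now_num, total):
                        continue
                    if webapps is None:
                        # Same per-target reset as the file branch. The original
                        # passed ``target`` (the whole list) to Identify.start
                        # here, while the url/file branches pass the single URL.
                        webapps_identify.clear()
                        Identify.start(fofa_target, webapps_identify)
                    _run_scan(webapps_identify, thread_poc, thread_pool, gevent_pool, fofa_target)
        elif mode == "exp":
            vul_num = webapps
            exploit(target, vul_num)
    finally:
        # All tasks have been waited for by now; release the worker threads.
        thread_pool.shutdown(wait=True)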
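def check_sensitive_info(data_log):
    """Report every configured sensitive-info marker found in a response body.

    Markers come from ``config.sensitive_info``; each hit is reported
    separately through ``show.output``. Bodies that are ``None`` are skipped
    (checked once, instead of once per marker as in the original).

    Args:
        data_log: request/response record; only ``['response']['body']`` is
            read.
    """
    body = data_log['response']['body']
    if body is None:
        return
    for marker in config.sensitive_info:
        if marker in body:
            show.output(data_log, "页面存在敏感信息:" + marker, crayons.white)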