', s1)
160 | # print(s1)
161 |
162 | with open(os.path.join(REPORT_PATH, '{}-tools.html'.format(self.batch_num)), 'w', encoding='utf8') as f1:
163 | f1.write(s1)
164 |
165 |
--------------------------------------------------------------------------------
/lib/bannerscan.py:
--------------------------------------------------------------------------------
1 | # coding=utf-8
2 | __author__ = 'DM_'
3 | # Modifed by le4f
4 |
5 | '''
6 | 该脚本来源于 https://github.com/x0day/bannerscan
7 | 原脚本为python2型, 此处手动改为python3型直接集成了
8 | '''
9 |
10 | import threading
11 | import requests
12 | import argparse
13 | import time
14 | import re
15 |
16 | PORTS = (80,
17 | 81,
18 | 82,
19 | 443,
20 | 4848,
21 | 7001,
22 | 8080,
23 | 8090,
24 | 8000,
25 | 8082,
26 | 8888,
27 | 9043,
28 | 8443,
29 | 9200,
30 | 9000,
31 | 9060,
32 | 9440,
33 | 9090,
34 | 8081,
35 | 9043,
36 | 41080,
37 | 9080,
38 | 18100,
39 | 9956,
40 | 8886,
41 | 7778
42 | )
43 |
44 |
45 | PATHS = ('/robots.txt',
46 | '/admin/',
47 | '/manager/html/',
48 | '/jmx-console/',
49 | '/web-console/',
50 | '/jonasAdmin/',
51 | '/manager/',
52 | '/install/',
53 | '/ibm/console/logon.jsp',
54 | '/axis2/axis2-admin/',
55 | '/CFIDE/administrator/index.cfm',
56 | '/FCKeditor/',
57 | '/fckeditor/',
58 | '/fck/',
59 | '/FCK/',
60 | '/HFM/',
61 | '/WEB-INF/',
62 | '/ckeditor/',
63 | '/console/',
64 | '/phpMyAdmin/',
65 | '/Struts2/index.action',
66 | '/index.action',
67 | '/phpinfo.php',
68 | '/info.php',
69 | '/1.php',
70 | '/CHANGELOG.txt',
71 | '/LICENSE.txt',
72 | '/readme.html',
73 | '/cgi-bin/',
74 | '/invoker/',
75 | '/.svn/',
76 | '/test/',
77 | '/CFIDE/',
78 | '/.htaccess',
79 | '/.git/'
80 | )
81 |
82 | HTML_LOG_TEMPLATE="""
83 |
84 |
85 |
86 |
87 |
Bannerscan Report
88 |
91 |
92 |
93 |
%s
94 |
95 | %s
96 |
97 |
98 |
99 | """
100 | css = """
101 | body{background-color:#FFF;color:#444;font-family:"Droid Serif",Georgia,"Times New Roman",STHeiti,serif;font-size:100%;}
102 | a{color:#3354AA;text-decoration:none;}
103 | a:hover,a:active{color:#444;}
104 | pre,code{background:#F3F3F0;font-family:Menlo,Monaco,Consolas,"Lucida Console","Courier New",monospace;font-size:.92857em;padding:2px 4px;}
105 | code{color:#B94A48;}
106 | pre{overflow:auto;max-height:400px;padding:8px;}
107 | pre code{color:#444;padding:0;}
108 | h1,h2,h3{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;}
109 | textarea{resize:vertical;}.report-meta a,.report-content a,.widget a,a{border-bottom:1px solid#EEE;}.report-meta a:hover,.report-content a:hover,.widget a:hover,a{border-bottom-color:transparent;}#header{padding-top:35px;border-bottom:1px solid#EEE;}#logo{color:#333;font-size:2.5em;}.description{color:#999;font-style:italic;margin:.5em 0 0;}.report{border-bottom:1px solid#EEE;padding:15px 0 20px;}.report-title{font-size:1.4em;margin:.83em 0;}.report-meta{margin-top:-.5em;color:#999;font-size:.92857em;padding:0;}.report-meta li{display:inline-block;padding-left:12px;border-left:1px solid#EEE;margin:0 8px 0 0;}.report-meta li:first-child{margin-left:0;padding-left:0;border:none;}.report-content{line-height:1.5;}.report-content hr,hr{margin:2em auto;width:100px;border:1px solid#E9E9E9;border-width:2px 0 0 0;}
110 | """
111 |
112 | ipPattern = "^([1]?\d\d?|2[0-4]\d|25[0-5])\." \
113 | "([1]?\d\d?|2[0-4]\d|25[0-5])\." \
114 | "([1]?\d\d?|2[0-4]\d|25[0-5])\." \
115 | "([1]?\d\d?|2[0-4]\d|25[0-5])$"
116 |
117 | iprangePattern = "^([1]?\d\d?|2[0-4]\d|25[0-5])\." \
118 | "([1]?\d\d?|2[0-4]\d|25[0-5])\." \
119 | "([1]?\d\d?|2[0-4]\d|25[0-5])\." \
120 | "([1]?\d\d?|2[0-4]\d|25[0-5])-([1]?\d\d?|2[0-4]\d|25[0-5])$"
121 |
122 | ua = "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6"
123 |
124 | headers = dict()
125 | result = dict()
126 |
127 |
128 | class bannerscan(threading.Thread):
129 | def __init__(self, ip, timeout, headers):
130 | self.ip = ip
131 | self.req = requests
132 | self.timeout = timeout
133 | self.headers = headers
134 | self.per = 0
135 | threading.Thread.__init__(self)
136 |
137 | def run(self):
138 | result[self.ip] = dict()
139 | for port in PORTS:
140 | url_pre = "https://" if port == 443 else "http://"
141 | site = url_pre + self.ip + ":" + str(port)
142 | try:
143 | print ("[*] %s\r" % (site[0:60].ljust(60, " "))),
144 | resp = requests.head(site,
145 | allow_redirects = False,
146 | timeout=self.timeout,
147 | headers=self.headers
148 | )
149 | result[self.ip][port] = dict()
150 |
151 | except Exception as e:
152 | pass
153 |
154 | else:
155 | result[self.ip][port]["headers"] = resp.headers
156 | result[self.ip][port]["available"] = list()
157 |
158 | for path in PATHS:
159 | try:
160 | url = site + path
161 | print ("[*] %s\r" % (url[0:60].ljust(60, " "))),
162 | resp = self.req.get(url,
163 | allow_redirects = False,
164 | timeout=self.timeout,
165 | headers=self.headers
166 | )
167 |
168 | except Exception as e:
169 | pass
170 | else:
171 | if resp.status_code in [200, 406, 401, 403, 500]:
172 | r = re.findall("
([\s\S]+?)", resp.content)
173 | title = lambda r : r and r[0] or ""
174 | result[self.ip][port]["available"].append((title(r), url, resp.status_code))
175 |
176 | def getiplst(host, start=1, end=255):
177 | iplst = []
178 | ip_pre = ""
179 | for pre in host.split('.')[0:3]:
180 | ip_pre = ip_pre + pre + '.'
181 | for i in range(start, end):
182 | iplst.append(ip_pre + str(i))
183 | return iplst
184 |
185 | def retiplst(ip):
186 | iplst = []
187 | if ip:
188 | if re.match(ipPattern, ip):
189 | print("[*] job: {} \r".format(ip))
190 | iplst = getiplst(ip)
191 | return iplst
192 | else:
193 | print("[!] not a valid ip given.")
194 | exit()
195 |
196 | def retiprangelst(iprange):
197 | iplst = []
198 | if re.match(iprangePattern, iprange):
199 | ips = re.findall(iprangePattern, iprange)[0]
200 | ip = ips[0] + "." + ips[1] + "." + ips[2] + "." + "1"
201 | ipstart = int(ips[3])
202 | ipend = int(ips[4]) + 1
203 | # print("[*] job: %s.%s - %s" % (ips[0] + "." + ips[1] + "." + ips[2], ipstart, ipend))
204 | print("[*] job: {}.{} - {}{}{}".format(ips[0], ips[1], ips[2], ipstart, ipend))
205 | iplst = getiplst(ip, ipstart, ipend)
206 | return iplst
207 | else:
208 | print("[!] not a valid ip range given.")
209 | exit()
210 |
211 | def ip2int(s):
212 | l = [int(i) for i in s.split('.')]
213 | return (l[0] << 24) | (l[1] << 16) | (l[2] << 8) | l[3]
214 |
215 | def log(out, path):
216 | logcnt = ""
217 | centerhtml = lambda ips: len(ips)>1 and str(ips[0]) + " - " + str(ips[-1]) or str(ips[0])
218 | titlehtml = lambda x : x and "
" + str(x) + "" or ""
219 | ips = out.keys()
220 | ips.sort(lambda x, y: cmp(ip2int(x), ip2int(y)))
221 | for ip in ips:
222 | titled = False
223 | if type(out[ip]) == type(dict()):
224 | for port in out[ip].keys():
225 | if not titled:
226 | if len(out[ip][port]['headers']):
227 | logcnt += "
%s
" % ip
228 | logcnt += "
"
229 | titled = True
230 | logcnt += "PORT: %s
" % port
231 | logcnt += "Response Headers:
"
232 | for key in out[ip][port]["headers"].keys():
233 | logcnt += key + ":" + out[ip][port]["headers"][key] + "\n"
234 | logcnt += "
"
235 | for title, url, status_code in out[ip][port]["available"]:
236 | logcnt += titlehtml(title) + \
237 | "
" + url + " "+ \
238 | "Status Code:
" + str(status_code) + ""
239 | logcnt += "
"
240 | center = centerhtml(ips)
241 | logcnt = HTML_LOG_TEMPLATE % ( css, center, logcnt)
242 | outfile = open(path, "a")
243 | outfile.write(logcnt)
244 | outfile.close()
245 |
246 | def scan(iplst, timeout, headers, savepath):
247 | global result
248 | start = time.time()
249 | threads = []
250 |
251 | for ip in iplst:
252 | t = bannerscan(ip,timeout,headers)
253 | threads.append(t)
254 |
255 | for t in threads:
256 | t.start()
257 |
258 | for t in threads:
259 | t.join()
260 |
261 | log(result, savepath)
262 | result = dict()
263 | print
264 |
265 | def main():
266 | parser = argparse.ArgumentParser(description='banner scanner. by DM_ http://x0day.me')
267 | group = parser.add_mutually_exclusive_group()
268 |
269 | group.add_argument('-i',
270 | action="store",
271 | dest="ip",
272 | )
273 | group.add_argument('-r',
274 | action="store",
275 | dest="iprange",
276 | type=str,
277 | )
278 | group.add_argument('-f',
279 | action="store",
280 | dest="ipfile",
281 | type=argparse.FileType('r')
282 | )
283 | parser.add_argument('-s',
284 | action="store",
285 | required=True,
286 | dest="savepath",
287 | type=str,
288 | )
289 | parser.add_argument('-t',
290 | action="store",
291 | required=False,
292 | type = int,
293 | dest="timeout",
294 | default=5
295 | )
296 |
297 | args = parser.parse_args()
298 | savepath = args.savepath
299 | timeout = args.timeout
300 | iprange = args.iprange
301 | ipfile = args.ipfile
302 | ip = args.ip
303 |
304 | headers['user-agent'] = ua
305 |
306 | print("[*] starting at %s" % time.ctime())
307 |
308 | if ip:
309 | iplst = retiplst(ip)
310 | scan(iplst, timeout, headers, savepath)
311 |
312 | elif iprange:
313 | iplst = retiprangelst(iprange)
314 | scan(iplst, timeout, headers, savepath)
315 |
316 | elif ipfile:
317 | lines = ipfile.readlines()
318 | for line in lines:
319 | if re.match(ipPattern, line):
320 | iplst = retiplst(line)
321 | scan(iplst, timeout, headers, savepath)
322 | elif re.match(iprangePattern, line):
323 | iplst = retiprangelst(line)
324 | scan(iplst, timeout, headers, savepath)
325 |
326 | else:
327 | parser.print_help()
328 | exit()
329 |
330 | if __name__ == '__main__':
331 | main()
332 |
--------------------------------------------------------------------------------
/lib/template.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
21 |
22 |
26 |
27 |
28 |
157 |
350 |
356 |
357 |
358 |
362 |
431 |
432 |
--------------------------------------------------------------------------------
/lib/Tools.py:
--------------------------------------------------------------------------------
1 | # coding:utf8
2 |
3 | import os
4 | import re
5 | import csv
6 | import itertools
7 | import simplejson
8 | import subprocess
9 | import requests
10 | import tempfile
11 | import threading
12 | import configparser
13 | import sqlite3
14 | import time
15 | from loguru import logger
16 | from selenium import webdriver
17 | from selenium.webdriver.chrome.options import Options
18 | from lib.db import db_update
19 | from bs4 import BeautifulSoup
20 |
21 | config = configparser.RawConfigParser()
22 | now_time = time.strftime("%Y%m%d%H%M%S", time.localtime(time.time()))
23 | main_path = os.path.split(os.path.dirname(os.path.realpath(__file__)))[0]
24 |
25 | config.read(os.path.join(main_path, 'config', 'config.ini'))
26 | # log_path = config.get('Tools_logfile', 'path')
27 | # logfile = config.get('Tools_logfile', 'file').format(date=time.strftime(config.get('Tools_logfile', 'date'), time.localtime(time.time())))
28 |
29 | tool_path = os.path.join(main_path, 'tools')
30 | XRAY_LISTEN_PORT = int(config.get('XRAY', 'XRAY_LISTEN_PORT'))
31 | ZOOM_API_KEY = config.get('ZOOMEYE', 'API_KEY')
32 | timeout = config.get('Tools_timeout', 'timeout')
33 |
34 |
35 | '''
36 | 所有工具类的模板
37 | run_logfile 是有些工具会直接输出报告文件的,需要对报告文件操作,如oneforall、dirsearch
38 | archive_logfile 是
39 | '''
40 | class Tools:
41 | def __init__(self, cmd='', domain='', verbose=False, logfile=None):
42 | self.cmd = cmd
43 | self.domain = domain
44 | self.verbose = verbose
45 | self.logfile = logfile # 存放工具默认需要生成文件的,如dirsearch
46 | self.run_log = None # 存放工具运行日志
47 | self.data = None # 存放自定义删选后的数据
48 |
49 | logger.info('{} - {} - start scanning'.format(self.domain, self.__class__.__name__))
50 | self.scan()
51 | self.filter_log()
52 | self.db_update()
53 |
54 | if self.verbose:
55 | print(self.run_log)
56 | logger.info('{} - {} - over'.format(self.domain, self.__class__.__name__))
57 |
58 | def scan(self):
59 | try:
60 | _ = subprocess.run(self.cmd, shell=True, timeout=int(timeout), cwd=tool_path, stdout=subprocess.PIPE)
61 | self.run_log = str(_.stdout, encoding='utf8')
62 | if self.logfile:
63 | self.read_report_file()
64 | except subprocess.TimeoutExpired as e:
65 | self.run_log = 'Timed Out'
66 | logger.error('{} - {} - \n{}'.format(self.domain, self.__class__.__name__, e))
67 | except Exception as e:
68 | logger.error('{} - {} - \n{}'.format(self.domain, self.__class__.__name__, e))
69 | finally:
70 | self.kill_process()
71 |
72 | def read_report_file(self):
73 | if self.logfile and os.path.exists(self.logfile):
74 | with open(self.logfile) as f:
75 | self.run_log = f.read()
76 |
77 | def filter_log(self):
78 | pass
79 |
80 | def kill_process(self):
81 | _ = "ps aux | grep '{name}'|grep -v 'color' | awk '{{print $2}}'".format(name=self.__class__.__name__.lower())
82 | process = os.popen(_).read()
83 | print(process)
84 | if process:
85 | os.popen('nohup kill -9 {} 2>&1 &'.format(process.replace('\n', ' ')))
86 |
87 | # 需要在main.py中创建列,在controller中调用
88 | # 默认记录url扫描的工具日志,其他如端口日志需要重构
89 | def db_update(self):
90 | if self.run_log:
91 | db_update('scanned_info', self.__class__.__name__.lower(), self.run_log)
92 |
93 | # with sqlite3.connect(os.path.join(main_path, 'scanned_info.db')) as conn:
94 | # sql = 'update scanned_info set {}=? order by id desc limit 1;'.format(self.__class__.__name__.lower())
95 | # conn.execute(sql, (self.log,)) # 插入时必须是str
96 |
97 |
98 | '''
99 | oneforall
100 | 扫描所有子域名并筛选去重出所有子域名
101 | '''
102 | class Oneforall(Tools):
103 | def filter_log(self):
104 | try:
105 | if self.logfile:
106 | self.logfile = self.logfile.replace('www.', '')
107 |
108 | if self.logfile and os.path.exists(self.logfile):
109 | with open(self.logfile, 'r') as csvfile:
110 | reader = csv.reader(csvfile)
111 | column = [row[5] for row in reader]
112 | del column[0]
113 | self.data = list(set(column))
114 | print(self.data)
115 | self.run_log = '\n'.join(self.data)
116 | except Exception as e:
117 | logger.error('{} - {} - \n{}'.format(self.domain, self.__class__.__name__, e))
118 |
119 | def db_update(self):
120 | if self.run_log:
121 | db_update('target_info', self.__class__.__name__.lower(), self.run_log)
122 |
123 |
124 | class Zoomeye(Tools): # need domain
125 | def check_run(self):
126 | if ZOOM_API_KEY :
127 | try:
128 | os.popen('zoomeye init -apikey "{}"'.format(ZOOM_API_KEY))
129 | except Exception as e:
130 | logger.error('{} - {} - \n{}'.format(self.domain, self.__class__.__name__, e))
131 | else:
132 | logger.error('zoomeye工具需要api_key, 本次将跳过zoomeye扫描,在config.ini中输入后再次开启扫描')
133 | time.sleep(5)
134 |
135 | def scan(self):
136 | self.check_run()
137 | self.data = []
138 | for page in itertools.count(1, 1):
139 | try:
140 | cmd = 'python3 zoomeye/zoomeye/cli.py domain -page {p} {d} 1'.format(p=page, d=self.domain)
141 | _ = subprocess.run(cmd, shell=True, timeout=int(timeout), cwd=tool_path, stdout=subprocess.PIPE)
142 | r = str(_.stdout, encoding='gbk')
143 | for line in r.splitlines():
144 | line = re.sub('\x1b.*?m', '', line)
145 | line = [_ for _ in line.split(' ') if _]
146 | # print(line)
147 |
148 | if line and 'name' in line and 'timestamp' in line:
149 | continue
150 | if line:
151 | if line[0].startswith('total'):
152 | if line[1] and int(int(line[1].split('/')[1])/int(line[1].split('/')[0]))+1 == i:
153 | return # scan over
154 | else:
155 | self.data.append(line[0])
156 | except BrokenPipeError:
157 | pass
158 | except Exception as e:
159 | logger.error('{} - {} - \n{}'.format(self.domain, self.__class__.__name__, e))
160 | self.run_log = '\n'.join(self.data)
161 |
162 | def db_update(self):
163 | if self.run_log:
164 | db_update('target_info', self.__class__.__name__.lower(), self.run_log)
165 |
166 |
167 | '''
168 | nslookup , 查看是否有cdn
169 | '''
170 | class Nslookup(Tools):
171 | def scan(self):
172 | # IBM 阿里云 中国互联网络信息中心
173 | dns = ['9.9.9.9', '223.5.5.5', '1.2.4.8']
174 | self.run_log = ''
175 | for _dns in dns:
176 | r = os.popen('nslookup {domain} {d}'.format(domain=self.domain, d=_dns)).read()
177 | r = r.split('\n')[4:]
178 | self.run_log += ('\n'.join(r))
179 |
180 | def filter_log(self):
181 | cdns = ['cdn', 'kunlun', 'bsclink.cn', 'ccgslb.com.cn', 'dwion.com', 'dnsv1.com', 'wsdvs.com', 'wsglb0.com',
182 | 'lxdns.com', 'chinacache.net.', 'ccgslb.com.cn',]
183 | for cdn in cdns:
184 | if cdn in self.run_log:
185 | logger.warning("{} may be is cdn, scan will be skipped")
186 | self.run_log += '可能存在cdn:{} ~ 将跳过masscan与nmap扫描'.format(cdn)
187 |
188 | def db_update(self):
189 | if self.run_log:
190 | db_update('host_info', self.__class__.__name__.lower(), self.run_log)
191 |
192 |
193 | '''
194 | 查询ip定位 主要看是不是云服务器
195 | '''
196 | class IpLocation(Tools):
197 | def scan(self):
198 | # 此处IP和域名都行
199 | url = 'http://demo.ip-api.com/json/{ip}'.format(ip=self.domain)
200 | resp = Request().get(url)
201 | if resp and resp.json():
202 | self.run_log = ''
203 | r = resp.json()
204 | l = ['status', 'country', 'city', 'isp', 'org', 'asname', 'mobile']
205 | for k, v in r.items():
206 | if k in l:
207 | self.run_log += '{}: {}'.format(k, r[k]) + '\n'
208 |
209 | def db_update(self):
210 | if self.run_log:
211 | db_update('host_info', self.__class__.__name__.lower(), self.run_log)
212 |
213 |
214 | '''
215 | masscan
216 | 调用self.data获取返回的ports list
217 | masscan 只接收ip作为target
218 | '''
219 | class Masscan(Tools):
220 | def filter_log(self):
221 | if self.run_log:
222 | ports = re.findall('\d{1,5}/tcp', self.run_log)
223 | self.data = [x[:-4] for x in ports]
224 |
225 | def db_update(self):
226 | if self.run_log:
227 | db_update('host_info', self.__class__.__name__.lower(), self.run_log)
228 |
229 |
230 | '''
231 | nmap
232 | 遍历所有http https端口
233 | '''
234 | class Nmap(Tools):
235 | def filter_log(self):
236 | if self.run_log:
237 | http_ports = re.findall('\d{1,5}/tcp\s{1,}open\s{1,}[ssl/]*http', self.run_log)
238 | http_ports = [int(x.split("/")[0]) for x in http_ports]
239 | self.data = http_ports
240 |
241 | def db_update(self):
242 | if self.run_log:
243 | db_update('host_info', self.__class__.__name__.lower(), self.run_log)
244 |
245 |
246 | class Bugscanner(Tools): # need domain
247 | def scan(self):
248 | try:
249 | data = ''
250 | domains = []
251 | url = "http://dns.bugscaner.com/{}.html".format(self.domain)
252 | headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36 Edg/98.0.1108.43'}
253 | resp = requests.get(url=url, headers=headers)
254 | soup = BeautifulSoup(resp.text, 'html.parser')
255 | title = soup.title.string
256 | data += title + '\n'
257 | # print(title)
258 | # description =soup.find(attrs={"name": "description"})['content']
259 | # print(description)
260 | tables = soup.find_all('table', class_="table table-bordered")
261 | trs = tables[0].find_all('tr')
262 | for tr in trs:
263 | row = []
264 | cells = tr.find_all('th')
265 | if not cells:
266 | cells = tr.find_all('td')
267 | for cell in cells:
268 | row.append(cell.get_text())
269 | data += '{:>2}\t{:>30}\t{:>5}\t{:>10}\t{:>10}\n'.format(row[0], row[1], row[2], row[3], row[4])
270 | if row[1]:
271 | domains.append(row[1].strip())
272 | # self.data = [data]
273 | self.data = domains
274 | self.run_log = data # 在写入时候需要转换成''.join(data)形式,不然不会换行
275 | except requests.exceptions.ConnectionError:
276 | self.run_log = 'Time out'
277 | except Exception as e:
278 | pass
279 |
280 | def db_update(self):
281 | if self.run_log:
282 | db_update('host_info', self.__class__.__name__.lower(), self.run_log)
283 |
284 | '''
285 | whatweb
286 | '''
287 | class Whatweb(Tools):
288 | def filter_log(self):
289 | if self.run_log:
290 | # 有些时候会报80端口无法访问错误
291 | if 'The plain HTTP request was sent to HTTPS port]' in self.run_log:
292 | self.cmd.replace('http', 'https')
293 | self.scan()
294 |
295 | log = []
296 | if '\n' in self.run_log.strip('\n'):
297 | self.run_log = self.run_log.split('\n')[0]
298 |
299 | keys = ['IP', 'Title', 'PoweredBy', 'HTTPServer', 'X-Powered-By', 'Meta-Refresh-Redirect', 'Cookies']
300 | for _ in self.run_log.split(','):
301 | for key in keys:
302 | if _.strip().startswith(key):
303 | log.append(_)
304 | self.run_log = '\n'.join(log)
305 |
306 |
307 | '''
308 | nuclei
309 | nuclei -u http://192.168.64.128:8080/ -t `pwd`/nuclei-templates-master/ -o xx.log
310 |
311 | controller中调用Nuclei之前要先使用curl http://192.168.64.128:8080判断端口是否开放,没开放的会nuclei会卡那。
312 | curl: (7) Failed to connect to 192.168.64.128 port 80: Connection refused
313 | '''
314 | class Nuclei(Tools):
315 | pass
316 |
317 |
318 | '''
319 | crawlergo
320 | 发现的子域名将在controller模块中动态去重添加进入扫描
321 | '''
322 | class Crawlergo(Tools):
323 | def scan(self):
324 | try:
325 | rsp = subprocess.run(self.cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, timeout=int(timeout), shell=True, cwd=tool_path)
326 | output = str(rsp.stdout, encoding='utf-8')
327 | result = simplejson.loads(output.split("--[Mission Complete]--")[1])
328 | req_list = result["req_list"]
329 | urls = []
330 | for req in req_list:
331 | urls.append(req['url'] + ' ' + req['data'])
332 | subdomains = result["sub_domain_list"]
333 | #domain = self.cmd.split()[-1]
334 | domain = self.domain
335 | self.data = self.filter_domain(domain, subdomains)
336 | self.run_log = urls + ['\n'*2 + 'crawlergo扫描的域名:'] + subdomains
337 | self.run_log = '\n'.join(self.run_log)
338 | # print(self.run_log)
339 | except Exception as e:
340 | logger.error(self.__class__.__name__ + ' - ' + str(e))
341 | finally:
342 | self.kill_process() # 可能还会余留chrome进程,为了避免杀掉用户的chrome,暂时保留
343 |
344 | # crawlergo 在获取sub_domain_list时 在获取xx.com.cn这种3级域名时会默认com.cn为base域名
345 | @staticmethod
346 | def filter_domain(domain, domains):
347 | if domains:
348 | if domain.count('.') > 2:
349 | domain = domain.split('.', 1)[1]
350 | for _ in domains:
351 | if domain not in _:
352 | domains.remove(_)
353 | return domains
354 |
355 | def db_update(self):
356 | if self.run_log:
357 | db_update('target_info', self.__class__.__name__.lower(), ','.join(self.data))
358 | db_update('scanned_info', self.__class__.__name__.lower(), self.run_log)
359 |
360 |
361 | class Xray:
362 | def __init__(self):
363 | self.logfile = os.path.join(main_path, 'report/{}-xray.html'.format(now_time))
364 | self.backup_file = tempfile.NamedTemporaryFile(delete=False).name
365 | self.proxy = '127.0.0.1:{}'.format(XRAY_LISTEN_PORT)
366 | self.kill_exists_process()
367 | self.xray_wait_time = 0
368 |
369 | def passive_scan(self):
370 | def xray_passive():
371 | cmd = "{path}/tools/xray_linux_amd64/xray_linux_amd64 webscan --listen {proxy} --html-output {logfile} | tee -a {backup_file}"\
372 | .format(path=main_path, proxy=self.proxy, logfile=self.logfile, backup_file=self.backup_file)
373 | os.system(cmd)
374 |
375 | t = threading.Thread(target=xray_passive, daemon=True)
376 | t.start()
377 |
378 | def initiative_scan(self, url):
379 | def xray_initiative(u):
380 | cmd = "{path}/tools/xray_linux_amd64 webscan --basic-crawler {url} --html-output {logfile}.html" \
381 | .format(path=main_path, url=u, logfile=self.logfile)
382 | os.system(cmd)
383 |
384 | t = threading.Thread(target=xray_initiative, args=(url,), daemon=True)
385 | t.start()
386 |
387 | def wait_xray_ok(self):
388 | cmd = '''
389 | wc {0} | awk '{{print $1}}';
390 | sleep 5;
391 | wc {0} | awk '{{print $1}}';
392 | '''.format(self.backup_file)
393 | result = os.popen(cmd).read()
394 |
395 | if result.split('\n')[0] == result.split('\n')[1]:
396 | cmd = "tail -n 10 {}".format(self.backup_file)
397 | s = os.popen(cmd).read()
398 |
399 | if "All pending requests have been scanned" in s:
400 | os.system('echo "" > {}'.format(self.backup_file))
401 | return True
402 |
403 | if self.xray_wait_time == 2:
404 | return True
405 | else:
406 | self.xray_wait_time += 1
407 | return False
408 |
409 | def kill_exists_process(self):
410 | process = os.popen("ps aux | grep 'xray'|grep -v 'color' | awk '{print $2}'").read()
411 | if process:
412 | os.popen('nohup kill -9 {} 2>&1 &'.format(process.replace('\n', ' ')))
413 |
414 |
415 | '''
416 | dirsearch v0.4.1
417 | '''
418 | class Dirsearch(Tools):
419 | def read_report_file(self):
420 | self.run_log, self.data = [], []
421 | with open(self.logfile, 'r') as f:
422 | lines = [line.strip() for line in f.readlines()]
423 | if lines:
424 | lines.pop(0)
425 |
426 | for line in lines:
427 | line = line.split(',')
428 | try:
429 | s = "{:<} - {:>5}B - {:<5}".format(line[2], line[3], line[1])
430 | self.run_log.append(s)
431 | self.data.append(line[1])
432 | except Exception as e:
433 | logger.error('{} - {} - \n{}'.format(self.domain, self.__class__.__name__, e))
434 | continue
435 | self.run_log = '\n'.join(self.run_log)
436 |
437 |
438 | '''
439 | requests请求,将dirsearch扫描出的url推到xray
440 | '''
441 | class Request:
442 | def __init__(self,):
443 | self.proxy = {'http': 'http://127.0.0.1:{}'.format(XRAY_LISTEN_PORT),
444 | 'https': 'http://127.0.0.1:{}'.format(XRAY_LISTEN_PORT)}
445 | self.headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0)',
446 | }
447 |
448 | def repeat(self, url):
449 | try:
450 | response = requests.get(url=url, headers=self.headers, proxies=self.proxy, verify=False, timeout=20)
451 | # print(response)
452 | return response
453 | except Exception as e:
454 | print(e)
455 |
456 | def get(self, url):
457 | try:
458 | response = requests.get(url=url, headers=self.headers, verify=False, timeout=20)
459 | return response
460 | except Exception as e:
461 | print(e)
462 |
463 |
464 | '''
465 | 截图, 考虑base64加到html里整个报告太大了,所以只能保存到本地,然后使用img src
466 | 暂时不写入db
467 | '''
468 | class Snapshot(Tools):
469 | def scan(self):
470 | option = Options()
471 | option.add_argument('--headless')
472 | option.add_argument('--no-sandbox')
473 | option.add_argument('--start-maximized')
474 |
475 | try:
476 | driver = webdriver.Chrome(chrome_options=option)
477 | driver.set_window_size(1366, 768)
478 | driver.implicitly_wait(4)
479 | driver.get(self.domain)
480 | time.sleep(1)
481 | driver.get_screenshot_as_file(os.path.join(main_path, 'report/img/{}.png'.format(self.format_img_name(self.domain))))
482 | driver.quit()
483 | except Exception as e:
484 | pass
485 |
486 | @staticmethod
487 | def format_img_name(url):
488 | if url.startswith('http'):
489 | url = url.split('/')[2]
490 | if ':' in url:
491 | url = url.replace(':', '_')
492 | return url
493 |
494 |
--------------------------------------------------------------------------------
