2022.5.14

Author: taomujian

README.md

@@ -1,4 +1,5 @@
 - [临兵漏洞扫描系统](#临兵漏洞扫描系统)
+  - [使用说明](#使用说明)
   - [修改加密key](#修改加密key)
     - [修改aes key](#修改aes-key)
     - [修改rsa key](#修改rsa-key)
@@ -33,13 +34,18 @@
     - [[v2.7] 2021.10.11](#v27-20211011)
     - [[v2.8] 2021.10.24](#v28-20211024)
     - [[v2.9] 2021.12.26](#v29-20211226)
+    - [[v3.0] 2022.5.14](#v30-2022514)
   - [致谢](#致谢)
   - [免责声明](#免责声明)
   - [License](#license)
 
 # 临兵漏洞扫描系统
 
-> 本系统是对Web中间件和Web框架进行漏洞扫描的一个系统,前端采用vue技术,后端采用python.poc有110多个,包含绝大部分的中间件漏洞,本系统的poc皆来源于网络或在此基础上进行修改
+> 本系统是对Web中间件和Web框架进行自动化渗透的一个系统,根据扫描选项去自动化收集资产,然后进行POC扫描,POC扫描时会根据指纹选择POC插件去扫描,POC插件扫描用异步方式扫描.前端采用vue技术,后端采用python fastapi.
+
+## 使用说明
+
+> 扫描分为指纹探测、子域名爆破、端口扫描、目录扫描、POC扫描.如果选择所有扫描选项,子域名扫出的IP会传给端口扫描,端口扫描中识别指纹,扫描出的资产传给目录扫描和POC扫描,POC扫描会根据资产指纹去加载插件扫描,如果识别不到指纹,则加载所有插件,POC插件分为2种类型,http和port,http类型指发送http请求,port指发送socket请求,扫描出的资产如果是url格式,则加载http类型插件,否则则加载port类型插件.
 
 ## 修改加密key
 
@@ -51,8 +57,7 @@
 
 ### 修改rsa key
 
-> 需要先生成rsa的公私钥(私钥1024位)[参考地址](https://www.jianshu.com/p/d614ba4720ec)
-
+> 需要生成rsa的公私钥(私钥1024位)[参考地址](https://www.jianshu.com/p/d614ba4720ec)
 > 修改python/rsa.py文件中的公钥和私钥信息,vue部分则需要修改vue_src/src/libs/crypto.js文件中第77行的公钥,要和python/rsa.py文件中的公钥保持一致
 
 修改vue部分后要重新打包,然后把打包后的文件夹dist中的内容复制到vue文件夹,vue原有的文件要删除.
@@ -94,7 +99,6 @@
 ## 从dockerhub中获取镜像
 
 > docker pull taomujian/linbing:latest
-
 > docker run -it -d -p 11000:11000 -p 8800:8800 taomujian/linbing
 
 ## 访问
@@ -216,24 +220,25 @@
 
 - 集成dnslog.cn的功能,提供dnslog功能
 
+### [v3.0] 2022.5.14
+
+- POC插件扫描换成异步扫描方式,加快扫描速度
+
 ## 致谢
 
 > 感谢vulhub项目提供的靶机环境:
-
 > <https://github.com/vulhub/vulhub>,
-
 > <https://hub.docker.com/r/2d8ru/struts2>
-
-> POC也参考了很多项目:
 >
+> POC也参考了很多项目:
 > <https://github.com/Xyntax/POC-T>、
 >
 > <https://github.com/ysrc/xunfeng>、
 >
 > <https://github.com/se55i0n/DBScanner>、
 >
 > <https://github.com/vulscanteam/vulscan>
-
+> 
 > 感谢师傅pan带我入门安全,也感谢呆橘同学在vue上对我的指导
 
 ## 免责声明
@@ -242,4 +247,4 @@
 
 ## License
 
-[MIT](https://github.com/taomujian/linbing/blob/master/LICENSE)
+[MIT](https://github.com/taomujian/linbing/blob/master/LICENSE)

centos.dockerfile

@@ -23,8 +23,8 @@ RUN mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backu
 && mkdir /root/python && cd gcc-9.2.0 && ./contrib/download_prerequisites && mkdir build && cd build && ../configure --prefix=/usr/local --disable-multilib --enable-languages=c,c++ && make && make install \
 && ln -sf /usr/local/bin/gcc cc && yum remove -y gcc && sed -i "s|bind 127.0.0.1 ::1|bind 127.0.0.1|" /etc/redis/redis.conf && sed -i "s|# requirepass foobared|requirepass '${REDIS_PASS}'|" /etc/redis/redis.conf
 
-RUN wget https://www.python.org/ftp/python/3.8.1/Python-3.8.1.tgz && tar -zxvf Python-3.8.1.tgz && cd Python-3.8.1 && ./configure prefix=/usr/local/python3.8 --enable-shared --enable-optimizations LDFLAGS="-Wl,--rpath=/usr/local/python3.8/lib" \
-&& make && make install && rm -rf /usr/bin/python3 && rm -rf /usr/bin/pip3 && ln -s /usr/local/python3.8/bin/python3.8 /usr/bin/python3 && ln -s /usr/local/python3.8/bin/pip3.8 /usr/bin/pip3
+RUN wget https://www.python.org/ftp/python/3.10.4/Python-3.10.4.tgz && tar -zxvf Python-3.10.4.tgz && cd Python-3.10.4 && ./configure prefix=/usr/local/python3.10 --enable-shared LDFLAGS="-Wl,--rpath=/usr/local/python3.10/lib" \
+&& make && make install && rm -rf /usr/bin/python3 && rm -rf /usr/bin/pip3 && ln -s /usr/local/python3.10/bin/python3.10 /usr/bin/python3 && ln -s /usr/local/python3.10/bin/pip3.10 /usr/bin/pip3
 
 # 复制本地文件到docker 中
 ADD nginx/vue.conf /etc/nginx/conf.d/vue.conf

python/app/data/db/password.txt

@@ -0,0 +1,39 @@
+ 
+root
+123456
+password
+p@ssw0rd
+1qaz2wsx
+qwer!@#$
+qwer1234
+test
+toor
+1234
+root123
+P@ssw0rd!!
+qwa123
+12345678
+123qwe!@#
+123456789
+123321
+1314520
+666666
+fuckyou
+000000
+1234567890
+8888888
+qwerty
+1qaz2wsx
+abc123
+abc123456
+1q2w3e4r
+123qwe
+159357
+p@ssw0rd
+p@55w0rd
+password!
+p@ssw0rd!
+password1
+r00t
+system
+111111

python/app/data/db/username.txt

@@ -0,0 +1,10 @@
+root
+admin
+guest
+anonymous
+test
+www
+web
+rsync
+db
+ftp

python/app/password.txt renamed to python/app/data/password.txt

@@ -11,7 +11,6 @@ qwer1234
 |$|N|E|X|U|S|$|
 admin888
 glassfish
-vulhub_default_password
 test
 neagrle
 toor

python/app/username.txt renamed to python/app/data/username.txt

@@ -6,12 +6,9 @@ deployment
 test
 www
 web
-rsync
-db
 wwwroot
 data
 tomcat
-ftp
 Admin
 Administrator
 administrator

python/app/lib/crypto/aes.py renamed to python/app/lib/aes.py

@@ -1,16 +1,14 @@
 #!/usr/bin/env python3
 
-import os
 import re
 import shlex
 import random
 import string
 import socket
-import signal
 import tldextract
 from IPy import IP
 from urllib.parse import urlparse
-from app.lib.utils.request import request
+from app.lib.request import request
 
 def get_useragent():
 
@@ -53,7 +51,7 @@ def get_capta():
         capta = capta + random.choice(words)
     return capta
 
-def get_live(url, num):
+async def get_live(url, num):
 
     """
     确认目标是否存活,尝试访问一定次数后确认目标是否存活
@@ -73,16 +71,14 @@ def get_live(url, num):
             # 判断没有http协议类型的网站是http还是https,并判断是否存活
             if not url.startswith("http") and not url.startswith("https"):
                 url = 'http://' + url
-                req = request.get(url, headers = headers, verify = False, allow_redirects = True)
-                return urlparse(req.url).scheme  + '://' + urlparse(req.url).netloc
-            # 并判断目标是否存活
+                req = await request.get(url, headers = headers, allow_redirects = True)
+                return req.real_url
             else:
-                req = request.get(url, headers = headers, verify = False, allow_redirects = True)
-                return urlparse(req.url).scheme  + '://' + urlparse(req.url).netloc
+                req = request.get(url, headers = headers, allow_redirects = True)
+                return req.real_url
         except Exception as e:
-            print(e)
+            # print(e)
             pass
-    return None
 
 def parse_target(target):
 
@@ -121,7 +117,8 @@ def parse_target(target):
             domain_result = domain_regex.findall(url_parse.netloc)
             scan_ip = socket.gethostbyname(url_parse.hostname)
     except Exception as e:
-        print(e)
+        # print(e)
+        pass
     finally:
         pass
 
@@ -173,28 +170,4 @@ def parser_url(url):
     """
     data = urlparse(url)
     parser_url = data.scheme + '://' + data.netloc
-    return parser_url
-
-def check(parameter):
-    
-    """
-    等待指定时间后杀掉指定的进程
-
-    :param str parameter: 要查找的进程名字关键字
-    :return:
-    
-    """
-    
-    try:
-        out = os.popen("ps -ef |grep \'%s\' |grep -v grep | awk '{print $2}'" %(parameter)).read()
-        if out:
-            for line in out.splitlines():
-                try:
-                    os.kill(int(line), signal.SIGKILL)
-                except Exception as e:
-                    print(e)
-                    pass
-    except Exception as e:
-        print(e)
-    finally:
-        pass
+    return parser_url

python/app/lib/utils/common.py renamed to python/app/lib/common.py

@@ -0,0 +1,118 @@
+#!/usr/bin/env python3
+
+import aiohttp
+import configparser
+
+def get_conf():
+
+    """"
+    从配置文件中读取代理地址和超时时间
+
+    :param:
+    :return tuple result: 代理地址和超时时间
+    """
+    
+    config = configparser.ConfigParser()
+    config.read('conf.ini')
+    proxy = config.get('request', 'proxy')
+    if not config.get('request', 'timeout'):
+        timeout = 5
+    else:
+        timeout = int(config.get('request', 'timeout'))
+    if not proxy:
+        proxies = None
+    else:
+        proxies = {
+            'http': '%s' %(proxy),
+            'https': '%s' %(proxy),
+        }
+    return proxies, timeout
+
+class request:
+
+    """
+    封装aiohttp
+    """
+
+    def __init__(self):
+        pass
+        
+    @classmethod
+    async def get(self, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.get(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                result = await response.text()
+                return response
+
+    @classmethod
+    async def post(self, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.post(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                await response.text()
+                return response
+
+    @classmethod
+    async def put(self, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.put(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                await response.text()
+                return response
+
+    @classmethod
+    async def head(self, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.head(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                await response.text()
+                return response
+
+    @classmethod
+    async def patch(self, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.patch(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                await response.text()
+                return response
+
+    @classmethod
+    async def options(self, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.options(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                await response.text()
+                return response
+    
+    @classmethod
+    async def delete(self, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.delete(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                await response.text()
+                return response
+
+    @classmethod
+    async def request(self, method, url, params = None, data = None, json = None, headers = None, proxy = None, cookies = None, verify_ssl = False, allow_redirects = False):
+        result = get_conf()
+        proxy = result[0]
+        timeout = result[1]
+        async with aiohttp.ClientSession() as session:
+            async with session.request(url, params = params, data = data, json = json, headers = headers, proxy = proxy, cookies = cookies, timeout = timeout, verify_ssl = verify_ssl, allow_redirects = allow_redirects) as response:
+                await response.text()
+                return response