Compare commits
10 Commits
8203f2a66c
...
7933d801b9
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
7933d801b9 | ||
|
|
e6705e1d81 | ||
|
|
ac4b1e9081 | ||
|
|
8e9d279fe3 | ||
|
|
14da0fdc8f | ||
|
|
dc6f187fe5 | ||
|
|
2bc49d5bd4 | ||
|
|
731121b07e | ||
|
|
8fbbb25d14 | ||
|
|
bab4a0a117 |
@@ -55,7 +55,9 @@
|
|||||||
|
|
||||||
国内外100+款waf信息,强大的指纹库,包括安全狗,云锁,阿里云,云盾,腾讯云等,提供部分已知waf bypass 方案
|
国内外100+款waf信息,强大的指纹库,包括安全狗,云锁,阿里云,云盾,腾讯云等,提供部分已知waf bypass 方案
|
||||||
|
|
||||||
`python3 cerberus.py -target www.qq.com -waf`
|
请务必提供带有参数的URL进行WAF测试!
|
||||||
|
|
||||||
|
`python3 cerberus.py -target https://open.weixin.qq.com/frame?t=home/web_tmpl&lang=zh_CN -waf`
|
||||||
|
|
||||||
- :see_no_evil:中间件信息收集
|
- :see_no_evil:中间件信息收集
|
||||||
|
|
||||||
@@ -114,9 +116,6 @@
|
|||||||
`python3 cerberus.py -outfile`
|
`python3 cerberus.py -outfile`
|
||||||
|
|
||||||
|
|
||||||
## :monkey: 维护与完善
|
|
||||||
|
|
||||||
这个项目是个不完全版,最近要准备期末考试和找实习,之前原本设计一些强大并且很具有创新力功能因为时间原因取消了。原本设计的功能包括先对目标进行FUZZ,根据结果决策出bypass方案,并且根据结果自动生成payload,更加精准的有效率的攻击,以及能识别验证码的弱口令爆破功能,以后我会慢慢完善。
|
|
||||||
|
|
||||||
## :rabbit: Praise me!
|
## :rabbit: Praise me!
|
||||||
|
|
||||||
|
|||||||
@@ -74,11 +74,7 @@ if target:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
logger_type = "StreamLogger"
|
logger_type = "FileLogger" if outfile else "StreamLogger"
|
||||||
|
|
||||||
|
|
||||||
if outfile:
|
|
||||||
logger_type = "FileLogger"
|
|
||||||
|
|
||||||
|
|
||||||
if mail:
|
if mail:
|
||||||
|
|||||||
@@ -1,10 +1,10 @@
|
|||||||
from concurrent.futures import ThreadPoolExecutor, ProcessPoolExecutor, as_completed
|
from concurrent.futures import ThreadPoolExecutor, ProcessPoolExecutor, as_completed
|
||||||
from core.requester import requester
|
|
||||||
|
|
||||||
|
|
||||||
def quicksliver(func,number_process):
|
def quicksliver(func,number_process):
|
||||||
|
"""fixed a big bug on 12.24 Merry Christmas"""
|
||||||
|
|
||||||
with ThreadPoolExecutor(max_workers = number_process) as executor:
|
with ThreadPoolExecutor(max_workers = number_process) as executor:
|
||||||
futures = [executor.submit(func) for count in range(number_process)]
|
futures = [executor.submit(func) for count in range(number_process)]
|
||||||
for future in as_completed(futures):
|
|
||||||
future.result()
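Review bot: The docstring added as `"""fixed a big bug on 12.24 Merry Christmas"""` is a changelog line rather than documentation, so a reader still has to work out why the `as_completed` loop was added. Replace it with something like `"""Run func on number_process worker threads and wait for all of them; future.result() re-raises the first exception a worker hit instead of letting it vanish."""`. The loop variable `count` in the `executor.submit(func)` comprehension is unused and reads better as `_`.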
|
|
||||||
|
|||||||
@@ -11,7 +11,7 @@ from urllib3.exceptions import ConnectTimeoutError
|
|||||||
|
|
||||||
def chambering(url,strike,payload = None,type = None):
|
def chambering(url,strike,payload = None,type = None):
|
||||||
|
|
||||||
if "=" in url:
|
if "=" in url and "?" in url:
|
||||||
data = url.split("?")[1].split("&")
|
data = url.split("?")[1].split("&")
|
||||||
params_extractor = tuple((i.split('=')[0],i.split('=')[1]) for i in data)
|
params_extractor = tuple((i.split('=')[0],i.split('=')[1]) for i in data)
|
||||||
params = {i:j for i, j in params_extractor}
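Review bot: The new guard `if "=" in url and "?" in url:` still leaves the hand-rolled query parsing fragile: `url.split("?")[1]` keeps only the first segment when the URL contains more than one `?`, a `#fragment` ends up inside the last value, and a bare key such as `?a=1&b` raises IndexError on `i.split('=')[1]`. The standard library handles all of these; with `from urllib.parse import urlsplit, parse_qsl` at the top of the file, the three parsing lines collapse to `params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))`, and the guard can become `if urlsplit(url).query:`. chambering's body continues outside the hunk, so what it returns to callers is unaffected by this change.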
|
params = {i:j for i, j in params_extractor}
|
||||||
@@ -144,5 +144,7 @@ def load_queue(subdomain):
|
|||||||
return subdomain_queue
|
return subdomain_queue
|
||||||
|
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
# chambering(url, strike, payload=None, type=None):
|
||||||
|
url = "https://plus.jd.com/indexf?low_system=appicon&flow_entrance=appicon11&flow_channel=pc"
|
||||||
|
chambering(url,strike=False)
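Review bot: The new `__main__` smoke block calls `chambering(url,strike=False)` against a hard-coded live URL and discards the `(url, data)` pair it returns (the Attack class unpacks two values from the same call), so running the module only proves the call does not raise. Bind and check the result instead, e.g. `parsed_url, params = chambering(url, strike=False)` followed by `print(parsed_url, params)` or an `assert` on the expected keys, ideally using a constructed example URL rather than a third-party host. The `# chambering(url, strike, payload=None, type=None):` comment merely repeats the signature and can go.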
|
||||||
|
|||||||
@@ -26,8 +26,8 @@ class Filter:
|
|||||||
md5.update(item.encode('utf-8'))
|
md5.update(item.encode('utf-8'))
|
||||||
if md5.hexdigest() not in container:
|
if md5.hexdigest() not in container:
|
||||||
container.add(md5.hexdigest())
|
container.add(md5.hexdigest())
|
||||||
# print(item)
|
|
||||||
return True
|
return True
|
||||||
|
return False
|
||||||
return False
|
return False
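Review bot: `md5.hexdigest()` is computed twice for the same item, once in `if md5.hexdigest() not in container:` and again in `container.add(md5.hexdigest())`; bind it once with `digest = md5.hexdigest()`, then `if digest not in container:` and `container.add(digest)`. More importantly, `md5` is created outside this hunk, and if it is one hashlib object reused across calls then `md5.update(item.encode('utf-8'))` accumulates state, every digest depends on all earlier items, and the dedup never matches—worth confirming it is constructed fresh per item. The rendered view has lost indentation, so whether the moved `return False` now sits inside the `if` or after it cannot be verified here; the enclosing method starts outside the hunk.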
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,12 +1,13 @@
|
|||||||
waf_checker = [ "'",
|
waf_checker = [ " '",
|
||||||
# "1 AND 1",
|
" AND 1",
|
||||||
# "1/**/AND/**/1",
|
" /**/AND/**/1",
|
||||||
# "1 AND 1=1",
|
" AND 1=1",
|
||||||
"1 AND 1 LIKE 1",
|
" AND 1 LIKE 1",
|
||||||
|
" ' AND '1'='1",
|
||||||
"<img src=x onerror=alert('XSS')>",
|
"<img src=x onerror=alert('XSS')>",
|
||||||
# "<img onfoo=f()>",
|
"<img onfoo=f()>",
|
||||||
"<script>alert('intrusion')</script>",
|
"<script>alert('intrusion')</script>"
|
||||||
" ' AND '1'='1"]
|
]
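Review bot: Style: the last element `"<script>alert('intrusion')</script>"` drops the trailing comma before the closing `]`, so every future append to `waf_checker` shows up as a two-line diff; keep a trailing comma on the final element, as the rest of the list already does. A one-line comment above the list naming its consumer, `# probe strings iterated by core.waf.check_waf to trigger a WAF response`, would also help, since nothing in this file says what the list is for.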
|
||||||
|
|
||||||
Sql_injection = {
|
Sql_injection = {
|
||||||
|
|
||||||
|
|||||||
BIN
images/nana.jpg
BIN
images/nana.jpg
Binary file not shown.
|
Before Width: | Height: | Size: 133 KiB |
@@ -88,15 +88,16 @@ class Attack:
|
|||||||
if not self.target is None:
|
if not self.target is None:
|
||||||
self.initis()
|
self.initis()
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
while not self.target_url.empty():
|
while not self.target_url.empty():
|
||||||
target = self.target_url.get()
|
target = self.target_url.get()
|
||||||
strike_pre = assault_pre()
|
# strike_pre = assault_pre()
|
||||||
strike_pre.payload_provide()
|
# strike_pre.payload_provide()
|
||||||
|
|
||||||
|
|
||||||
while not target.empty():
|
while not target.empty():
|
||||||
original = target.get()
|
original = target.get()
|
||||||
# print(self.target_url.qsize())
|
|
||||||
# url = regex.URL_PATH.sub("=", original)
|
# url = regex.URL_PATH.sub("=", original)
|
||||||
"""and self.filter_(url,self.requests_seen)"""
|
"""and self.filter_(url,self.requests_seen)"""
|
||||||
# print("fucking" + original)
|
# print("fucking" + original)
|
||||||
@@ -104,7 +105,7 @@ class Attack:
|
|||||||
if self.domain in original:
|
if self.domain in original:
|
||||||
url, data = chambering(original,strike = False)
|
url, data = chambering(original,strike = False)
|
||||||
received_ = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)
|
received_ = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)
|
||||||
if received_.status_code == 403:
|
if not received_ is None and received_.status_code == 403:
|
||||||
if not self.proxy_queue is None and not self.proxy_queue.empty():
|
if not self.proxy_queue is None and not self.proxy_queue.empty():
|
||||||
self.proxy = get_proxy(self.proxy_queue)
|
self.proxy = get_proxy(self.proxy_queue)
|
||||||
print(f"{blue_green}[+][{time}] Vulnerability scanning is being performed on {original}{end}")
|
print(f"{blue_green}[+][{time}] Vulnerability scanning is being performed on {original}{end}")
|
||||||
@@ -117,6 +118,8 @@ class Attack:
|
|||||||
|
|
||||||
if "=" in original:
|
if "=" in original:
|
||||||
url, data = chambering(original, strike=False)
|
url, data = chambering(original, strike=False)
|
||||||
|
strike_pre = assault_pre()
|
||||||
|
strike_pre.payload_provide()
|
||||||
received = requester(url, data, GET=True,cookie = self.cookie,proxy = self.proxy)
|
received = requester(url, data, GET=True,cookie = self.cookie,proxy = self.proxy)
|
||||||
|
|
||||||
for vul_type, category in strike_pre.get_payload_category().items():
|
for vul_type, category in strike_pre.get_payload_category().items():
|
||||||
@@ -126,10 +129,9 @@ class Attack:
|
|||||||
|
|
||||||
if vul_type in ["SQLi","file_inclusion","command_injection","ssrf"]:
|
if vul_type in ["SQLi","file_inclusion","command_injection","ssrf"]:
|
||||||
Poisoned = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)
|
Poisoned = requester(url,data,GET = True,cookie = self.cookie,proxy = self.proxy)
|
||||||
code = Poisoned.status_code
|
|
||||||
|
|
||||||
if not Poisoned is None and code < 400:
|
if not Poisoned is None and Poisoned.status_code < 400:
|
||||||
if error_check(Poisoned):
|
if error_check(Poisoned.text):
|
||||||
if receive_check(received.text,Poisoned.text,vul_type,payload):
|
if receive_check(received.text,Poisoned.text,vul_type,payload):
|
||||||
message = vul_message(vul_type,original,payload)
|
message = vul_message(vul_type,original,payload)
|
||||||
self.logger.critical(message)
|
self.logger.critical(message)
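Review bot: `receive_check(received.text,Poisoned.text,vul_type,payload)` still dereferences `received` with no None check, while this hunk now guards `Poisoned` and the `@@ -104,7 +105,7` hunk guards `received_`; `received` comes from the same `requester(...)` call (assigned in the `@@ -117,6 +118,8` hunk), so a failed baseline request raises AttributeError here instead of being skipped. Either bail out right after it is assigned, `if received is None: continue`, or widen the guard to `if Poisoned is not None and received is not None and Poisoned.status_code < 400:`. Both hunks also spell the test as `not x is None`, which PEP 8 (E714) writes `x is not None`. The enclosing method starts and ends outside these hunks.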
|
||||||
@@ -144,15 +146,4 @@ class Attack:
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
cerberus = Attack("http://www.ztcc.com","StreamLogger")
|
|
||||||
# target = requester("http://www.weibo.com",None,GET = True)
|
|
||||||
# cerberus.url_extrator(target.text)
|
|
||||||
|
|
||||||
|
|
||||||
execut = cerberus.execution
|
|
||||||
# execut()
|
|
||||||
quicksliver(execut,7)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -1,17 +1,23 @@
|
|||||||
import re
|
import re
|
||||||
import json
|
import json
|
||||||
import time
|
import time
|
||||||
from core.colors import green,end
|
from core.colors import red,green,purple,end
|
||||||
from core.log import factory_logger
|
|
||||||
from core.auxiliary import chambering
|
from core.auxiliary import chambering
|
||||||
from core.requester import requester
|
from core.requester import requester
|
||||||
from data.payloads import waf_checker
|
from data.payloads import waf_checker
|
||||||
|
from core.log import factory_logger,time
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
time = time.strftime('%Y-%m-%d %H:%M:%S')
|
|
||||||
|
|
||||||
def check_waf(target, logger_type, proxy = None):
|
def check_waf(target, logger_type, proxy = None):
|
||||||
|
|
||||||
|
original_target = target
|
||||||
|
if "=" not in original_target:
|
||||||
|
print(f"{red}[!][{time}] Please provide a url with parameters! {end}")
|
||||||
|
quit()
|
||||||
|
|
||||||
|
|
||||||
# folder = Path.cwd().parent
|
# folder = Path.cwd().parent
|
||||||
# waf_file = str(folder / "data/waf_signature")
|
# waf_file = str(folder / "data/waf_signature")
|
||||||
waf_file = "data/waf_signature"
|
waf_file = "data/waf_signature"
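Review bot: `quit()` inside `check_waf` terminates the whole interpreter from a library function (and `quit` is a site-module convenience that is absent under `python -S`); raise instead, `raise ValueError("target must contain a query parameter")`, and let the caller decide how to report it. The new `from core.log import factory_logger,time` line shadows the `time` module kept by `import time` a few lines above, so that import is now dead—drop it, or import the timestamp under a different name to avoid the confusion. Note that the `__main__` block at the end of this file (`@@ -69,5 +80,4`) calls `check_waf("http://www.qq.com","StreamLogger")` with a parameter-less URL, so it now hits this guard and exits before any detection runs.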
|
||||||
@@ -28,35 +34,40 @@ def check_waf(target, logger_type, proxy = None):
|
|||||||
|
|
||||||
for intruder in waf_checker:
|
for intruder in waf_checker:
|
||||||
try:
|
try:
|
||||||
target, payload = chambering(target, strike=True, payload=intruder)
|
intruder_type = "XSS" if intruder.startswith("<") else "SQLi"
|
||||||
|
|
||||||
|
target, payload = chambering(original_target, strike=True, payload=intruder,type = intruder_type)
|
||||||
response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
|
response = requester(target, payload, GET=True, timeout=5, proxy=proxy)
|
||||||
page, code, headers = response.text, response.status_code, response.headers
|
print(f"{purple}[~][{time}] using {intruder} to detect WAF !{end}")
|
||||||
|
|
||||||
if int(code) >= 400:
|
|
||||||
match = 0
|
|
||||||
|
|
||||||
for waf_name, waf_signature in waf_data.items():
|
if not response is None:
|
||||||
|
page, code, headers = response.text, response.status_code, response.headers
|
||||||
|
if code >= 400:
|
||||||
|
match = 0
|
||||||
|
|
||||||
if re.search(waf_signature['regex'],page,re.I):
|
for waf_name, waf_signature in waf_data.items():
|
||||||
match = match + 1
|
|
||||||
|
|
||||||
if "code" in waf_signature:
|
if re.search(waf_signature['regex'],page,re.I):
|
||||||
if re.search(waf_signature['code'],code,re.I):
|
|
||||||
match = match + 1
|
match = match + 1
|
||||||
|
|
||||||
if "header" in waf_signature:
|
if "code" in waf_signature:
|
||||||
if re.search(waf_signature["header"],headers,re.I):
|
if re.search(waf_signature['code'],code,re.I):
|
||||||
match = match +1
|
match = match + 1
|
||||||
|
|
||||||
if match > max(waf_match,key=waf_match.get):
|
if "header" in waf_signature:
|
||||||
waf_info['company'] = waf_name
|
if re.search(waf_signature["header"],headers,re.I):
|
||||||
waf_info['waf_type'] = waf_signature['name']
|
match = match +1
|
||||||
if 'bypass_known' not in waf_signature:
|
|
||||||
waf_info['bypass_known'] = None
|
if match > max(waf_match,key=waf_match.get):
|
||||||
else:
|
waf_info['company'] = waf_name
|
||||||
waf_info['bypass_known'] = waf_signature['bypass_known']
|
waf_info['waf_type'] = waf_signature['name']
|
||||||
waf_match.clear()
|
if 'bypass_known' not in waf_signature:
|
||||||
waf_match[match] : waf_info
|
waf_info['bypass_known'] = None
|
||||||
|
else:
|
||||||
|
waf_info['bypass_known'] = waf_signature['bypass_known']
|
||||||
|
waf_match.clear()
|
||||||
|
waf_match[match] : waf_info
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
pass
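Review bot: `waf_match[match] : waf_info` is an annotated-name statement, not an assignment, so nothing is ever stored in `waf_match` and the matched signature is discarded; it must read `waf_match[match] = waf_info`. A few lines above, `re.search(waf_signature['code'],code,re.I)` receives `response.status_code` (an int, judging by the `code >= 400` comparison) and `re.search(waf_signature["header"],headers,re.I)` receives the headers object, and `re.search` raises TypeError on either, which the trailing `except Exception: pass` swallows, so any signature carrying a `code` or `header` key silently aborts the iteration; pass `str(code)` and `str(headers)`. `max(waf_match,key=waf_match.get)` also raises ValueError on an empty dict, so if `waf_match` starts empty (its initialisation is outside the hunk) the first comparison dies in the same handler. Replace the bare `pass` with at least a logged exception so failures like these are visible; check_waf continues past this hunk.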
|
||||||
|
|
||||||
@@ -69,5 +80,4 @@ def check_waf(target, logger_type, proxy = None):
|
|||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
|
|
||||||
r = check_waf("http://www.qq.com")
|
check_waf("http://www.qq.com","StreamLogger")
|
||||||
print(r)
|
|
||||||
|
|||||||