106 lines
3.0 KiB
Python
106 lines
3.0 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
from flask import Flask, request, jsonify
|
|
from ghost import Ghost
|
|
from scans import *
|
|
import requests
|
|
import datetime
|
|
import re
|
|
|
|
app = Flask(__name__)
|
|
firefox = Ghost()
|
|
|
|
""" Route /ping
|
|
Description: Simple ping implementation to check if the server is up via the extension
|
|
"""
|
|
@app.route('/ping',methods=['GET'])
|
|
def ping():
|
|
return "pong"
|
|
|
|
|
|
""" Route /
|
|
Description: main route for the flask application, every scan is launched from here
|
|
"""
|
|
@app.route('/',methods=['GET'])
|
|
def index():
|
|
vulns = {'rce': 0, 'xss': 0, 'sql': 0, 'lfi': 0, 'list':''}
|
|
|
|
# Parse requests - extract arguments
|
|
args = request.args
|
|
url = args['url']
|
|
useragent = args['useragent']
|
|
methods = args['method']
|
|
data = args['data']
|
|
method = ''
|
|
matches = []
|
|
data_requests = {}
|
|
|
|
# Parse args for GET
|
|
if "?" in url:
|
|
method = 'GET'
|
|
|
|
# Parse cookies strings - string like name:username|value:admin
|
|
cookies_requests = {}
|
|
cookies_ghost = ""
|
|
for cookie in args['cookies'].split('\n'):
|
|
|
|
c = cookie.split('|')
|
|
if c != '' and c != None:
|
|
if len(c) != 1:
|
|
name = str(c[0]).replace('name:','')
|
|
value = str(c[1]).replace('value:','')
|
|
cookies_requests[name] = value
|
|
cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
|
|
|
|
# Parse GET data (in url)
|
|
params = url.split('?')[1]
|
|
regex = re.compile('([a-zA-Z0-9\-_]*?)=')
|
|
matches = regex.findall(params)
|
|
|
|
|
|
# Parse args for POST
|
|
if data != '':
|
|
method = 'POST'
|
|
|
|
# Parse document.cookie for Ghost and Requests
|
|
cookies_requests = {} #dict
|
|
cookies_ghost = "" #string header
|
|
for cookie in args['cookies'].split(';'):
|
|
c = cookie.split('=')
|
|
if c != '' and c != None:
|
|
if len(c) != 1:
|
|
name = c[0]
|
|
value = c[1]
|
|
cookies_requests[name] = value
|
|
cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
|
|
|
|
|
|
# Parse POST data (in data parameter)
|
|
data_requests = {}
|
|
for post_data in data.split('|'):
|
|
d = post_data.split(':')
|
|
if d != '' and d != None:
|
|
if len(d) != 1:
|
|
name = str(d[0])
|
|
value = str(d[1])
|
|
data_requests[name] = value
|
|
|
|
# Convert dict(data_requests) to list(matches)
|
|
matches = data_requests.keys()
|
|
|
|
|
|
# Launch scans - iterate through all parameters
|
|
for fuzz in matches:
|
|
print "\n---[ " + method + " - New parameter " + fuzz + " for url: " + url + " ]---"
|
|
scan_xss(method, vulns, url, fuzz, cookies_ghost, useragent, firefox, data_requests)
|
|
scan_lfi(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
|
|
scan_sql_error(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
|
|
scan_sql_blind_time(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
|
|
scan_rce(method, vulns, url, fuzz, cookies_requests, useragent, data_requests)
|
|
|
|
|
|
# Display results as a json
|
|
return jsonify(vulns)
|
|
|
|
if __name__ == '__main__':
|
|
app.run(host='0.0.0.0', port=8000, threaded=True, passthrough_errors=False) |