oneforall-kjl 0.1.1__py3-none-any.whl

OneForAll/modules/altdns.py

@@ -0,0 +1,216 @@
+"""
+Reference: https://github.com/ProjectAnte/dnsgen
+"""
+import re
+import time
+import itertools
+
+from config import settings
+
+from modules import wildcard
+from common import utils
+from common import resolve
+from common import request
+from common.domain import Domain
+from common.module import Module
+from config.log import logger
+
+
+def split_domain(domain):
+    """
+    Split domain base on subdomain levels
+    Root+TLD is taken as one part, regardless of its levels
+    """
+
+    # test.1.foo.example.com -> [test, 1, foo, example.com]
+    # test.2.foo.example.com.cn -> [test, 2, foo, example.com.cn]
+    # test.example.co.uk -> [test, example.co.uk]
+
+    ext = Domain(domain).extract()
+    subname = ext.subdomain
+    parts = ext.subdomain.split('.') + [ext.registered_domain]
+    return subname, parts
+
+
+class Altdns(Module):
+    def __init__(self, domain):
+        Module.__init__(self)
+        self.module = 'Altdns'
+        self.source = 'Altdns'
+        self.start = time.time()
+        self.domain = domain
+        self.words = set()
+        self.now_subdomains = set()
+        self.new_subdomains = set()
+        self.wordlen = 6  # Min length of custom words extracted from domains
+        self.num_count = 3
+
+    def get_words(self):
+        path = settings.data_storage_dir.joinpath('altdns_wordlist.txt')
+        with open(path) as fd:
+            for line in fd:
+                word = line.lower().strip()
+                if word:
+                    self.words.add(word)
+
+    def extract_words(self):
+        """
+        Extend the dictionary based on target's domain naming conventions
+        """
+
+        for subdomain in self.now_subdomains:
+            _, parts = split_domain(subdomain)
+            tokens = set(itertools.chain(*[word.lower().split('-') for word in parts]))
+            tokens = tokens.union({word.lower() for word in parts})
+            for token in tokens:
+                if len(token) >= self.wordlen:
+                    self.words.add(token)
+
+    def increase_num(self, subname):
+        """
+        If number is found in existing subdomain,
+        increase this number without any other alteration.
+        """
+
+        # test.1.foo.example.com -> test.2.foo.example.com, test.3.foo.example.com, ...
+        # test1.example.com -> test2.example.com, test3.example.com, ...
+        # test01.example.com -> test02.example.com, test03.example.com, ...
+
+        count = 0
+        digits = re.findall(r'\d{1,3}', subname)
+        for d in digits:
+            for m in range(self.num_count):
+                replacement = str(int(d) + 1 + m).zfill(len(d))
+                tmp_domain = subname.replace(d, replacement)
+                new_domain = f'{tmp_domain}.{self.domain}'
+                self.new_subdomains.add(new_domain)
+                count += 1
+        logger.log('DEBUG', f'The increase_num generated {count} subdomains')
+
+    def decrease_num(self, subname):
+        """
+        If number is found in existing subdomain,
+        decrease this number without any other alteration.
+        """
+
+        # test.4.foo.example.com -> test.3.foo.example.com, test.2.foo.example.com, ...
+        # test4.example.com -> test3.example.com, test2.example.com, ...
+        # test04.example.com -> test03.example.com, test02.example.com, ...
+
+        count = 0
+        digits = re.findall(r'\d{1,3}', subname)
+        for d in digits:
+            for m in range(self.num_count):
+                new_digit = (int(d) - 1 - m)
+                if new_digit < 0:
+                    break
+
+                replacement = str(new_digit).zfill(len(d))
+                tmp_domain = subname.replace(d, replacement)
+                new_domain = f'{tmp_domain}.{self.domain}'
+                self.new_subdomains.add(new_domain)
+                count += 1
+        logger.log('DEBUG', f'The decrease_num generated {count} subdomains')
+
+    def insert_word(self, parts):
+        """
+        Create new subdomain levels by inserting the words between existing levels
+        """
+
+        # test.1.foo.example.com -> WORD.test.1.foo.example.com,
+        #                           test.WORD.1.foo.example.com,
+        #                           test.1.WORD.foo.example.com,
+        #                           test.1.foo.WORD.example.com,
+        #                           ...
+
+        count = 0
+        for word in self.words:
+            for index in range(len(parts)):
+                tmp_parts = parts.copy()
+                tmp_parts.insert(index, word)
+                new_domain = '.'.join(tmp_parts)
+                self.new_subdomains.add(new_domain)
+                count += 1
+        logger.log('DEBUG', f'The insert_word generated {count} subdomains')
+
+    def add_word(self, subnames):
+        """
+        On every subdomain level, prepend existing content with WORD-`,
+        append existing content with `-WORD`
+        """
+
+        count = 0
+        for word in self.words:
+            for index, name in enumerate(subnames):
+                # Prepend with `-`
+                # test.1.foo.example.com -> WORD-test.1.foo.example.com
+                tmp_subnames = subnames.copy()
+                tmp_subnames[index] = f'{word}-{name}'
+                new_subname = '.'.join(tmp_subnames + [self.domain])
+                self.new_subdomains.add(new_subname)
+
+                # Prepend with `-`
+                # test.1.foo.example.com -> test-WORD.1.foo.example.com
+                tmp_subnames = subnames.copy()
+                tmp_subnames[index] = f'{name}-{word}'
+                new_subname = '.'.join(tmp_subnames + [self.domain])
+                self.new_subdomains.add(new_subname)
+                count += 1
+        logger.log('DEBUG', f'The add_word generated {count} subdomains')
+
+    def replace_word(self, subname):
+        """
+        If word longer than 3 is found in existing subdomain,
+        replace it with other words from the dictionary
+        """
+
+        # WORD1.1.foo.example.com -> WORD2.1.foo.example.com,
+        #                            WORD3.1.foo.example.com,
+        #                            WORD4.1.foo.example.com,
+        #                            ..
+
+        count = 0
+        for word in self.words:
+            if word not in subname:
+                continue
+            for word_alt in self.words:
+                if word == word_alt:
+                    continue
+                new_subname = subname.replace(word, word_alt)
+                new_subdomain = f'{new_subname}.{self.domain}'
+                self.new_subdomains.add(new_subdomain)
+                count += 1
+        logger.log('DEBUG', f'The replace_word generated {count} subdomains')
+
+    def gen_new_subdomains(self):
+        for subdomain in self.now_subdomains:
+            subname, parts = split_domain(subdomain)
+            subnames = subname.split('.')
+            if settings.altdns_increase_num:
+                self.increase_num(subname)
+            if settings.altdns_decrease_num:
+                self.decrease_num(subname)
+            if settings.altdns_replace_word:
+                self.replace_word(subname)
+            if settings.altdns_insert_word:
+                self.insert_word(parts)
+            if settings.altdns_add_word:
+                self.add_word(subnames)
+        count = len(self.new_subdomains)
+        logger.log('DEBUG', f'The altdns module generated {count} subdomains')
+
+    def run(self, data, port):
+        logger.log('INFOR', f'Start altdns module')
+        self.now_subdomains = utils.get_subdomains(data)
+        self.get_words()
+        self.extract_words()
+        self.gen_new_subdomains()
+        self.subdomains = self.new_subdomains - self.now_subdomains
+        count = len(self.subdomains)
+        logger.log('INFOR', f'The altdns module generated {count} new subdomains')
+        self.end = time.time()
+        self.elapse = round(self.end - self.start, 1)
+        self.gen_result()
+        resolved_data = resolve.run_resolve(self.domain, self.results)
+        valid_data = wildcard.deal_wildcard(resolved_data)  # 强制开启泛解析处理
+        request.run_request(self.domain, valid_data, port)

OneForAll/modules/autotake/github.py

@@ -0,0 +1,105 @@
+#!/usr/bin/env python3
+# coding=utf-8
+
+"""
+github自动接管
+"""
+
+import json
+import base64
+import requests
+from config import settings
+
+HEADERS = {
+    "Accept": "application/json, text/javascript, */*; q=0.01",
+    "Accept-Language": "zh-CN,zh;q=0.9",
+    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) "
+                  "AppleWebKit/537.36 (KHTML, like Gecko) "
+                  "Chrome/63.0.3239.84 Safari/537.36",
+}
+
+
+def github_takeover(url):
+    # 读取config配置文件
+    repo_name = url
+    print('[*]正在读取配置文件')
+    user = settings.github_api_user
+    token = settings.github_api_token
+    headers = {
+        "Authorization": 'token ' + token,
+        "Accept": "application/vnd.github.switcheroo-preview+json"
+    }
+    repos_url = 'https://api.github.com/repos/' + user + '/' + repo_name
+    repos_r = requests.get(url=repos_url, headers=headers)
+    # 验证token是否正确
+    if 'message' in repos_r.json():
+        if repos_r.json()['message'] == 'Bad credentials':
+            print('[*]请检查Token是否正确')
+        elif repos_r.json()['message'] == 'Not Found':
+            print('[*]正在生成接管库')  # 生成接管库
+            creat_repo_dict = {
+                "name": repo_name,
+                "description": "This is a subdomain takeover Repository",
+            }
+            creat_repo_url = 'https://api.github.com/user/repos'
+            creat_repo_r = requests.post(url=creat_repo_url,
+                                         headers=headers,
+                                         data=json.dumps(creat_repo_dict))
+            creat_repo_status = creat_repo_r.status_code
+            if creat_repo_status == 201:
+                print('[*]创建接管库' + repo_name + '成功，正在进行自动接管')
+                # 接管文件生成
+                # index.html文件
+                html = b'''
+                <html>
+                    <p>Subdomain Takerover Test!</>
+                </html>
+                '''
+                html64 = base64.b64encode(html).decode('utf-8')
+                html_dict = {
+                    "message": "my commit message",
+                    "committer": {
+                        "name": "user",  # 提交id，非必改项
+                        "email": "user@163.com"  # 同上
+                    },
+                    "content": html64
+                }
+                # CNAME文件
+                cname_url = bytes(url, encoding='utf-8')
+                cname_url64 = base64.b64encode(cname_url).decode('utf-8')
+                url_dict = {
+                    "message": "my commit message",
+                    "committer": {
+                        "name": "user",
+                        "email": "user@163.com"
+                    },
+                    "content": cname_url64
+                }
+                base_url = 'https://api.github.com/repos/'
+                html_url = base_url + user + '/' + repo_name + '/contents/index.html'
+                url_url = base_url + user + '/' + repo_name + '/contents/CNAME'
+                html_r = requests.put(url=html_url, data=json.dumps(html_dict),
+                                      headers=headers)  # 上传index.html
+                cname_r = requests.put(url=url_url, data=json.dumps(url_dict),
+                                       headers=headers)  # 上传CNAME
+                rs = cname_r.status_code
+                if rs == 201:
+                    print('[*]生成接管库成功，正在开启Github pages')
+                    page_url = "https://api.github.com/repos/" + user + "/" + url + "/pages"
+                    page_dict = {
+                        "source": {
+                            "branch": "master"
+                        }
+                    }
+                    page_r = requests.post(url=page_url,
+                                           data=json.dumps(page_dict),
+                                           headers=headers)  # 开启page
+                    if page_r.status_code == 201:
+                        print('[+]自动接管成功，请稍后访问http://' + str(url) + '查看结果')
+                    else:
+                        print('[+]开启Github pages失败，请检查网络或稍后重试')
+                else:
+                    print('[+]生成接管库失败，请检查网络或稍后重试')
+    elif url in repos_r.json()['name']:
+        print('[*]生成接管库失败，请检查https://github.com/' + user +
+              '?tab=repositories是否存在同名接管库')

OneForAll/modules/certificates/censys_api.py

@@ -0,0 +1,73 @@
+from config import settings
+from common.query import Query
+from config.log import logger
+
+
+class CensysAPI(Query):
+    def __init__(self, domain):
+        Query.__init__(self)
+        self.domain = domain
+        self.module = 'Certificate'
+        self.source = "CensysAPIQuery"
+        self.addr = 'https://search.censys.io/api/v2/certificates/search'
+        self.id = settings.censys_api_id
+        self.secret = settings.censys_api_secret
+        self.delay = 3.0  # Censys 接口查询速率限制 最快2.5秒查1次
+
+    def query(self):
+        """
+        向接口查询子域并做子域匹配
+        """
+        self.header = self.get_header()
+        self.proxy = self.get_proxy(self.source)
+        params = {
+            'q': f'names: {self.domain}',
+            'per_page': 100,
+        }
+        resp = self.get(self.addr, params=params, auth=(self.id, self.secret))
+        if not resp:
+            return
+        json = resp.json()
+        status = json.get('status')
+        if status != 'OK':
+            logger.log('ALERT', f'{self.source} module {status}')
+            return
+        subdomains = self.match_subdomains(resp.text)
+        self.subdomains.update(subdomains)
+        next_cursor = json.get("result").get("links").get("next")
+        while next_cursor:
+            tmp_params = {
+                'q': f'names: {self.domain}',
+                'per_page': 100,
+                "cursor": next_cursor
+            }
+            tmp_resp = self.get(self.addr, params=tmp_params, auth=(self.id, self.secret))
+            self.subdomains = self.collect_subdomains(tmp_resp)
+            next_cursor = tmp_resp.json().get("result").get("links").get("next")
+
+    def run(self):
+        """
+        类执行入口
+        """
+        if not self.have_api(self.id, self.secret):
+            return
+        self.begin()
+        self.query()
+        self.finish()
+        self.save_json()
+        self.gen_result()
+        self.save_db()
+
+
+def run(domain):
+    """
+    类统一调用入口
+
+    :param str domain: 域名
+    """
+    query = CensysAPI(domain)
+    query.run()
+
+
+if __name__ == '__main__':
+    run('example.com')

OneForAll/modules/certificates/certspotter.py

@@ -0,0 +1,48 @@
+from common.query import Query
+
+
+class CertSpotter(Query):
+    def __init__(self, domain):
+        Query.__init__(self)
+        self.domain = domain
+        self.module = 'Certificate'
+        self.source = 'CertSpotterQuery'
+        self.addr = 'https://api.certspotter.com/v1/issuances'
+
+    def query(self):
+        """
+        向接口查询子域并做子域匹配
+        """
+        self.header = self.get_header()
+        self.proxy = self.get_proxy(self.source)
+        params = {'domain': self.domain,
+                  'include_subdomains': 'true',
+                  'expand': 'dns_names'}
+        resp = self.get(self.addr, params)
+        self.subdomains = self.collect_subdomains(resp)
+
+    def run(self):
+        """
+        类执行入口
+        """
+        self.begin()
+        self.query()
+        self.finish()
+        self.save_json()
+        self.gen_result()
+        self.save_db()
+
+
+def run(domain):
+    """
+    类统一调用入口
+
+    :param str domain: 域名
+
+    """
+    query = CertSpotter(domain)
+    query.run()
+
+
+if __name__ == '__main__':
+    run('example.com')

OneForAll/modules/certificates/crtsh.py

@@ -0,0 +1,84 @@
+from common.query import Query
+import json
+import os
+
+
+class Crtsh(Query):
+    def __init__(self, domain):
+        Query.__init__(self)
+        self.domain = domain
+        self.module = 'Certificate'
+        self.source = 'CrtshQuery'
+        self.addr = 'https://crt.sh/'
+
+    def query(self):
+        """
+        向接口查询子域并做子域匹配
+        """
+        self.header = self.get_header()
+        self.proxy = self.get_proxy(self.source)
+        self.timeout = 120
+        params = {'q': f'%.{self.domain}', 'output': 'json'}
+        resp = self.get(self.addr, params)
+        if not resp:
+            return
+        text = resp.text.replace(r'\n', ' ')
+        """
+        * > altdns
+        """
+        subDomains = set()
+        try:
+            jsonData = json.loads(text)
+        except Exception as e:
+            pass
+        for i in range(len(jsonData)):
+            try:
+                name_value = str(jsonData[i]['name_value'])
+            except Exception as e:
+                pass
+            if '*' in name_value:
+                try:
+                    if 'certificates' in os.path.dirname(os.path.abspath(__file__)):
+                        dictFile = open("../../data/altdns_wordlist.txt", "r", encoding='utf8')
+                    else:
+                        dictFile = open("./data/altdns_wordlist.txt", "r", encoding='utf8')
+                    for line in dictFile.readlines():
+                        altdns = line.strip()
+                        result = name_value.replace('*', altdns)
+                        if self.domain in result:
+                            subDomains.add(result)
+                except Exception as e:
+                    pass
+        if len(subDomains) > 0:
+            for x in subDomains:
+                text = text + ',' + x + ','
+        """
+        * > altdns end
+        """
+        subdomains = self.match_subdomains(text)
+        self.subdomains.update(subdomains)
+
+    def run(self):
+        """
+        类执行入口
+        """
+        self.begin()
+        self.query()
+        self.finish()
+        self.save_json()
+        self.gen_result()
+        self.save_db()
+
+
+def run(domain):
+    """
+    类统一调用入口
+
+    :param str domain: 域名
+    """
+    query = Crtsh(domain)
+    query.run()
+
+
+if __name__ == '__main__':
+    run('163.com')

OneForAll/modules/certificates/google.py

@@ -0,0 +1,48 @@
+from common.query import Query
+
+
+class Google(Query):
+    def __init__(self, domain):
+        Query.__init__(self)
+        self.domain = domain
+        self.module = 'Certificate'
+        self.source = 'GoogleQuery'
+        self.addr = 'https://transparencyreport.google.com/' \
+                    'transparencyreport/api/v3/httpsreport/ct/certsearch'
+
+    def query(self):
+        """
+        向接口查询子域并做子域匹配
+        """
+        self.header = self.get_header()
+        self.proxy = self.get_proxy(self.source)
+        params = {'include_expired': 'true',
+                  'include_subdomains': 'true',
+                  'domain': self.domain}
+        resp = self.get(self.addr, params)
+        self.subdomains = self.collect_subdomains(resp)
+
+    def run(self):
+        """
+        类执行入口
+        """
+        self.begin()
+        self.query()
+        self.finish()
+        self.save_json()
+        self.gen_result()
+        self.save_db()
+
+
+def run(domain):
+    """
+    类统一调用入口
+
+    :param str domain: 域名
+    """
+    query = Google(domain)
+    query.run()
+
+
+if __name__ == '__main__':
+    run('example.com')

OneForAll/modules/certificates/myssl.py

@@ -0,0 +1,46 @@
+from common.query import Query
+
+
+class MySSL(Query):
+    def __init__(self, domain):
+        Query.__init__(self)
+        self.domain = domain
+        self.module = 'Certificate'
+        self.source = 'MySSLQuery'
+        self.addr = 'https://myssl.com/api/v1/discover_sub_domain'
+
+    def query(self):
+        """
+        向接口查询子域并做子域匹配
+        """
+        self.header = self.get_header()
+        self.proxy = self.get_proxy(self.source)
+        params = {'domain': self.domain}
+        resp = self.get(self.addr, params)
+        self.subdomains = self.collect_subdomains(resp)
+
+    def run(self):
+        """
+        类执行入口
+        """
+        self.begin()
+        self.query()
+        self.finish()
+        self.save_json()
+        self.gen_result()
+        self.save_db()
+
+
+def run(domain):
+    """
+    类统一调用入口
+
+    :param str domain: 域名
+
+    """
+    query = MySSL(domain)
+    query.run()
+
+
+if __name__ == '__main__':
+    run('freebuf.com')

OneForAll/modules/certificates/racent.py

@@ -0,0 +1,49 @@
+from config import settings
+from common.query import Query
+
+
+class Racent(Query):
+    def __init__(self, domain):
+        Query.__init__(self)
+        self.domain = domain
+        self.module = 'Certificate'
+        self.source = 'RacentQuery'
+        self.addr = 'https://face.racent.com/tool/query_ctlog'
+        self.api = settings.racent_api_token
+
+    def query(self):
+        """
+        向接口查询子域并做子域匹配
+        """
+        self.header = self.get_header()
+        self.proxy = self.get_proxy(self.source)
+        params = {'token': self.api, 'keyword': self.domain}
+        resp = self.get(self.addr, params)
+        self.subdomains = self.collect_subdomains(resp)
+
+    def run(self):
+        """
+        类执行入口
+        """
+        if not self.have_api(self.api):
+            return
+        self.begin()
+        self.query()
+        self.finish()
+        self.save_json()
+        self.gen_result()
+        self.save_db()
+
+
+def run(domain):
+    """
+    类统一调用入口
+
+    :param str domain: 域名
+    """
+    query = Racent(domain)
+    query.run()
+
+
+if __name__ == '__main__':
+    run('example.com')