#!/usr/bin/env python3
from collections import OrderedDict
from pathlib import Path
from socket import gethostbyname
from urllib.parse import urlparse
from fire import Fire
from requests.exceptions import SSLError
from requests.sessions import Session
from urllib3 import disable_warnings
from urllib3.exceptions import InsecureRequestWarning
from lib.colors import CEND, CEND, CGREY, CGREY, CDGREY, CEND, found, nfound, info, err
from lib.parse import get_analytics, get_social, get_contacts, get_linked_domains
from lib.utils import get_domains_from_cert, reverse_dns
# Silence the warning urllib3 prints for every request made with verify=False;
# WebMap sends such requests (SSL fallback in prepare(), robots.txt, fuzzing),
# so without this the output would be flooded with InsecureRequestWarning.
disable_warnings(InsecureRequestWarning)
# Start-up banner; each %s slot receives a lib.colors escape sequence.
BANNER = r"""
%s__ _____| |__ _ __ ___ __ _ _ __
%s\ \ /\ / / _ \ '_ \| '_ ` _ \ / _` | '_ \
%s \ V V / __/ |_) | | | | | | (_| | |_) |
%s \_/\_/ \___|_.__/|_| |_| |_|\__,_| .__/
%s by fagci |_|%s""" % (
CEND,
CEND,
CGREY,
CGREY,
CDGREY,
CEND
)
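class WebMap(Session):
    '''HTTP session that runs a series of checks against a single target URL.

    Every ``check_*`` method returns what it found (dict, list, set or bool);
    :meth:`check` drives them in registration order and prints the results
    through the ``lib.colors`` helpers.
    '''

    # Word lists are cached on the class so each file is read once per process.
    techs = []
    cmses = []
    DIR = Path(__file__).resolve().parent
    # ``checks`` and ``headers`` are assigned in __init__ but not listed here,
    # so the base Session presumably still provides an instance __dict__.
    __slots__ = ('target', 'fuzz', 'subdomains', 'allow_redirects', 'scheme',
                 'hostname', 'netloc', 'port', 'path', 'ip', 'response', 'html',
                 'interesting_headers')

    def __init__(self, target, fuzz=False, subdomains=False, allow_redirects=False, resolve_ip=True):
        '''Parse *target*, optionally resolve its host, and fetch the initial page.

        Args:
            target: full URL, e.g. ``https://example.com/``.
            fuzz: run the common path word list even when no check list is given.
            subdomains: run the subdomain word list even when no check list is given.
            allow_redirects: follow redirects on the initial request.
            resolve_ip: resolve the hostname with ``gethostbyname``.

        Raises:
            socket.gaierror: when *resolve_ip* is set and the host does not resolve.
            RuntimeError: propagated from :meth:`prepare` on a non-OK status.
        '''
        super().__init__()
        self.headers['User-Agent'] = 'Mozilla/5.0'
        # initial data
        self.target = target
        self.fuzz = fuzz
        self.subdomains = subdomains
        self.allow_redirects = allow_redirects
        # All registered checks; insertion order is the execution order in check().
        self.checks = OrderedDict(
            # base info
            headers=self.check_headers,
            domains=self.check_domains,
            # parse source
            linked_domains=self.check_linked_domains,
            robots_disallow=self.check_robots,
            cms=self.check_cms,
            techs=self.check_techs,
            analytics=self.check_analytics,
            contacts=self.check_contacts,
            social=self.check_social,
            # word-list driven (opt-in, see check())
            fuzz=self.check_fuzz,
            extra=self.check_bigfuzz,
            subdomains=self.check_subdomains,
        )
        # Response headers reported by check_headers(); compared lower-cased.
        self.interesting_headers = {
            'access-control-allow-origin',
            'content-security-policy',  # may list additional domains. Deprecated?
            'last-modified',
            'server',
            'set-cookie',
            'via',
            'x-backend-server',
            'x-powered-by',
        }
        # target url parts
        pu = urlparse(target)
        self.scheme = pu.scheme
        self.hostname = pu.hostname
        self.netloc = pu.netloc
        self.port = pu.port or {'http': 80, 'https': 443}.get(self.scheme)
        self.path = pu.path
        # Always define ip: the info line below and check_domains() read it even
        # when resolution is skipped (-n) or the URL carries no host; previously
        # that raised AttributeError.
        self.ip = None
        if resolve_ip and self.hostname:
            self.ip = gethostbyname(self.hostname)
        info(f'Target: {self.target}')
        info('IP:', self.ip or 'not resolved')
        print('-' * 42)
        self.prepare()

    def prepare(self):
        '''Make the initial request and cache its body in ``self.html``.

        On an SSL error the request is retried with ``verify=False`` so a host
        with a broken certificate can still be mapped; the fallback is logged
        via ``err`` and the data obtained that way is not TLS-authenticated.

        Raises:
            RuntimeError: when ``Response.ok`` is False (status >= 400).
        '''
        info('Get initial response...')
        try:
            self.response = self.get(
                self.target, allow_redirects=self.allow_redirects)
        except SSLError as e:
            err('SSL error', e)
            self.response = self.get(
                self.target, allow_redirects=self.allow_redirects, verify=False)
        if not self.response.ok:
            # RuntimeError is an Exception subclass, so the handler in main() still catches it.
            raise RuntimeError(f'Status: {self.response.status_code}')
        info(f'[{self.response.status_code}]')
        if self.response.is_redirect:
            info('Location:', self.response.headers.get('location'))
        self.html = self.response.text

    def check(self, checks=None):
        '''Run all registered checks, or only those named in *checks*.

        Args:
            checks: ``None`` for every check, or a collection of check names.
                A comma-separated string (what the CLI passes) is split into
                names first; matching a bare string with ``in`` was a substring
                test, so ``'subdomains'`` also selected ``'domains'``.
        '''
        if isinstance(checks, str):
            checks = [name.strip() for name in checks.split(',') if name.strip()]
        for check_name, check in self.checks.items():
            if checks is not None and check_name not in checks:
                continue
            # Word-list checks run only when explicitly selected or enabled by flag.
            if check_name == 'fuzz' and not (self.fuzz or checks):
                continue
            if check_name == 'subdomains' and not (self.subdomains or checks):
                continue
            print(f'\n{check_name.upper()}')
            self._report(check())

    @staticmethod
    def _report(res):
        '''Print one check's result in the form appropriate to its type.'''
        if not res:
            nfound('no data')
        elif isinstance(res, dict):
            for name, value in res.items():
                found(f'{name}:', value if isinstance(value, str) else ', '.join(value))
        elif isinstance(res, list):
            found(', '.join(res))
        elif isinstance(res, set):
            for item in res:
                found(item)
        elif not isinstance(res, bool):
            found(res)
        else:
            info('found')

    @classmethod
    def _load_words(cls, name):
        '''Read the one-entry-per-line word list ``data/<name>``, skipping blank lines.

        A blank entry would otherwise match every page in check_techs()/check_cms()
        and request the bare target root during fuzzing.
        '''
        with (cls.DIR / 'data' / name).open(encoding='utf-8') as f:
            return [line for line in f.read().splitlines() if line.strip()]

    def check_domains(self):
        '''Collect hostnames from the TLS certificate and from reverse DNS.'''
        res = {}
        if self.scheme == 'https':
            domains = get_domains_from_cert(self.hostname, self.port or 443)
            if domains:
                res['cert'] = domains
        # ip is None when resolution was skipped; nothing to look up then.
        if self.ip:
            domain = reverse_dns(self.ip)
            if domain:
                res['rDNS'] = [domain]
        return res

    def check_techs(self):
        '''List technology markers from ``data/tech.txt`` that occur in the page source.'''
        if not WebMap.techs:
            WebMap.techs = self._load_words('tech.txt')
        return [tech for tech in self.techs if tech in self.html]

    def check_cms(self):
        '''List CMS markers from ``data/cms.txt`` that occur in the page source.'''
        if not WebMap.cmses:
            WebMap.cmses = self._load_words('cms.txt')
        return [cms for cms in self.cmses if cms in self.html]

    def _fuzz_paths(self, wordlist):
        '''Request every path from ``data/<wordlist>`` below the target and print 2xx hits.

        Returns True when at least one path answered 2xx. Returns False without
        fuzzing when a random 8-letter path already answers 2xx, because a
        catch-all route (e.g. an SPA) would make every path look "found".
        '''
        from concurrent.futures import ThreadPoolExecutor
        from random import randrange
        from lib.progress import Progress
        # Plain `random` is fine here: the probe path only needs to be unlikely to exist.
        random_path = ''.join(chr(randrange(ord('a'), ord('z') + 1)) for _ in range(8))
        ok, path, *_ = self._check_path(f'/{random_path}')
        if ok:
            info(path, 'possible SPA')
            return False
        words = self._load_words(wordlist)
        progress = Progress(len(words))
        status = False
        with ThreadPoolExecutor() as ex:
            for hit, path, code, c_len in ex.map(self._check_path, words):
                if hit:
                    print(end='\r')
                    found(f'[{code}] {path} ({c_len} B)')
                    status = True
                progress(path)
        return status

    def check_fuzz(self):
        '''Fuzz paths from the common word list to find misconfigs.'''
        return self._fuzz_paths('fuzz_common.txt')

    def check_bigfuzz(self):
        '''Fuzz paths from the large word list to find misconfigs.'''
        return self._fuzz_paths('fuzz_large.txt')

    def check_subdomains(self):
        '''Probe ``<word>.<netloc>`` for every word in ``data/fuzz_subdomain.txt``; print 2xx hits.'''
        from concurrent.futures import ThreadPoolExecutor
        from lib.progress import Progress
        words = self._load_words('fuzz_subdomain.txt')
        progress = Progress(len(words))
        status = False
        with ThreadPoolExecutor() as ex:
            # _check_subdomain reports 999 on error, so only real 2xx answers count.
            for hit, sd, code, c_len in ex.map(self._check_subdomain, words):
                if hit:
                    print(end='\r')
                    found(f'[{code}] {sd} ({c_len} B)')
                    status = True
                progress(sd)
        return status

    def check_linked_domains(self):
        '''Get domains linked from the HTML, excluding the target host.'''
        return get_linked_domains(self.html, self.hostname)

    def check_headers(self):
        '''Return the interesting response headers of the initial request (lower-cased keys).'''
        return {k: v for k, v in self.response.headers.lower_items() if k in self.interesting_headers}

    def check_analytics(self):
        '''Get analytics IDs'''
        return get_analytics(self.html)

    def check_social(self):
        '''Get social links'''
        return get_social(self.html)

    def check_contacts(self):
        '''Get contact information'''
        return get_contacts(self.html)

    def check_robots(self):
        '''Return the ``Disallow:`` values from ``/robots.txt`` as a set (empty when absent).

        The request does not verify TLS and does not follow redirects.
        '''
        response = self.get(
            f'{self.scheme}://{self.netloc}/robots.txt', verify=False, allow_redirects=False)
        if response.status_code // 100 != 2:
            return set()
        disallowed = set()
        for line in response.text.splitlines():
            if not line.startswith('Disallow:'):
                continue
            # "Disallow:" with an empty value is valid (allow everything); the old
            # split()[1] raised IndexError on it.
            value = line.partition(':')[2].strip()
            if value:
                disallowed.add(value)
        return disallowed

    def _check_path(self, path) -> tuple:
        '''Request ``target + path`` and report ``(is_2xx, path, status_code, body_length)``.

        TLS is not verified and redirects are not followed. Network errors
        (timeout, reset) yield ``(False, path, 999, 0)`` so a single bad path
        does not abort the whole thread-pool run, matching _check_subdomain().
        '''
        # NOTE: all paths fuzzed from target root
        url = f'{self.target}{path}'
        try:
            response = self.get(url, verify=False, timeout=5,
                                stream=True, allow_redirects=False)
            return response.status_code // 100 == 2, path, response.status_code, len(response.content)
        except Exception:
            return False, path, 999, 0

    def _check_subdomain(self, subdomain) -> tuple:
        '''Request ``scheme://<subdomain>.<netloc>`` and report ``(is_2xx, subdomain, status_code, body_length)``.

        Errors yield ``(False, subdomain, 999, 0)``. Only ``Exception`` is
        caught so KeyboardInterrupt/SystemExit still propagate.
        '''
        url = f'{self.scheme}://{subdomain}.{self.netloc}'
        try:
            response = self.get(url, verify=False, timeout=5,
                                stream=True, allow_redirects=False)
            return response.status_code // 100 == 2, subdomain, response.status_code, len(response.content)
        except Exception:
            return False, subdomain, 999, 0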
def main(target, checks=None, n=False, fuzz=False, subdomains=False, r=False, full=False):
    '''CLI entry point (exposed through ``fire``).

    Args:
        target: URL to map.
        checks: names of the checks to run; ``None`` runs them all.
        n: skip DNS resolution of the target host.
        fuzz: enable the common path word list.
        subdomains: enable the subdomain word list.
        r: follow redirects on the initial request.
        full: shorthand for ``fuzz`` + ``subdomains`` + every check.
    '''
    separator = '=' * 42
    print(separator)
    print(BANNER.strip())
    print(separator)
    if full:
        fuzz = subdomains = True
        checks = None  # every registered check
    webmap = WebMap(
        target,
        resolve_ip=not n,
        fuzz=fuzz,
        subdomains=subdomains,
        allow_redirects=r,
    )
    webmap.check(checks)
if __name__ == '__main__':
    try:
        Fire(main)
    except KeyboardInterrupt:
        # 128 + SIGINT: the conventional exit status for Ctrl-C.
        raise SystemExit(130)
    except Exception as e:
        err(repr(e))