#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name : scan.py
# Author : Podalirius (@podalirius_)
# Date created : 29 Jul 2022
import base64
import datetime
import time
import traceback
import re
from apachetomcatscanner.utils.network import is_port_open, is_http_accessible
import requests
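# Disable warnings of insecure connection for invalid certificates.
# NOTE: disable_warnings() installs a process-wide filter, so every other
# user of urllib3 in the same interpreter loses these warnings too.
requests.packages.urllib3.disable_warnings()
# Allow use of deprecated and weak cipher methods.
# Both assignments are best-effort: urllib3 2.x no longer exposes
# DEFAULT_CIPHERS, and the pyOpenSSL contrib module may not be loaded, so a
# missing attribute must not abort the import of this module.
try:
    requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
    pass
try:
    requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL'
except AttributeError:
    pass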
def is_tomcat_manager_accessible(target, port, path, config, scheme="http"):
    """Tell whether *path* on the target answers with HTTP 401.

    A single GET is sent to ``scheme://target:port`` + *path*. Only a 401
    response counts as "accessible"; every other status, and any exception
    raised while sending the request, yields False.

    Args:
        target: Host name or address to query.
        port: TCP port, formatted with ``%d``.
        path: URL path of the manager endpoint to test.
        config: Supplies ``request_timeout``, ``request_proxies``,
            ``request_no_check_certificate`` and ``debug()``.
        scheme: URL scheme, "http" by default.

    Returns:
        True when the response status is 401, False otherwise.
    """
    url = "%s://%s:%d%s" % (scheme, target, port, path)
    try:
        # Certificate validation is skipped when the config asks for it, so
        # the identity of the answering host is not verified in that mode.
        response = requests.get(
            url,
            timeout=config.request_timeout,
            proxies=config.request_proxies,
            verify=(not config.request_no_check_certificate),
        )
        return response.status_code == 401
    except Exception as err:
        config.debug("Error in is_tomcat_manager_accessible('%s', %d, '%s'): %s " % (target, port, scheme, err))
        return False
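def get_version_from_malformed_http_request(target, port, config, scheme="http"):
    """Read the Tomcat version from the banner of an error page.

    Requests the path ``/{}`` and, when the server answers 400, 404 or 500,
    searches the body for an ``<h3>Apache Tomcat/x.y.z</h3>`` heading.

    Hardening note: the banner is emitted by Tomcat's ErrorReportValve and
    can be suppressed with its ``showServerInfo="false"`` attribute.

    Args:
        target: Host name or address to query.
        port: TCP port, formatted with ``%d``.
        config: Supplies ``request_timeout``, ``request_proxies``,
            ``request_no_check_certificate`` and ``debug()``.
        scheme: URL scheme, "http" by default.

    Returns:
        The version text as ``str``, or None when the request failed, the
        status was not one of 400/404/500, or no banner was found.
    """
    url = "%s://%s:%d/{}" % (scheme, target, port)
    try:
        r = requests.get(
            url,
            timeout=config.request_timeout,
            proxies=config.request_proxies,
            verify=(not (config.request_no_check_certificate))
        )
    except Exception as e:
        config.debug("Error in get_version_from_malformed_http_request('%s', %d, '%s'): %s " % (target, port, scheme, e))
        return None
    if r.status_code in [400, 404, 500]:
        # Error page returned: look for the server banner in its body.
        matched = re.search(b"(<h3>)Apache Tomcat(/)?([^<]+)(</h3>)", r.content)
        if matched is not None:
            # The body is fully controlled by the remote host. Decode
            # leniently so invalid UTF-8 cannot raise out of this function,
            # and treat the result as untrusted text when it is displayed
            # or stored.
            return matched.group(3).decode('utf-8', errors='replace')
    return None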
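def try_default_credentials(target, port, config, scheme="http"):
    """Check which configured credential pairs the manager endpoint accepts.

    Each entry of ``config.credentials`` is sent as HTTP Basic
    authentication in a POST to ``/manager/html``. A 200 or 403 response is
    recorded as a hit together with its status code.

    Operational note: every entry produces one authentication attempt
    against the target, so a run shows up as a burst of requests in its
    access log and may lock accounts where a lockout policy (for example
    Tomcat's LockOutRealm) is in place.

    Args:
        target: Host name or address to query.
        port: TCP port, formatted with ``%d``.
        config: Supplies ``credentials`` (dicts with "username" and
            "password" keys), ``request_timeout``, ``request_proxies``,
            ``request_no_check_certificate`` and ``debug()``.
        scheme: URL scheme, "http" by default.

    Returns:
        A list of ``(status_code, credentials)`` tuples. If an exception
        interrupts the loop, the hits collected so far are returned.
    """
    found_credentials = []
    url = "%s://%s:%d/manager/html" % (scheme, target, port)
    try:
        for credentials in config.credentials:
            auth_string = bytes(credentials["username"] + ':' + credentials["password"], 'utf-8')
            r = requests.post(
                url,
                headers={
                    "Authorization": "Basic " + base64.b64encode(auth_string).decode('utf-8')
                },
                timeout=config.request_timeout,
                proxies=config.request_proxies,
                verify=(not (config.request_no_check_certificate))
            )
            if r.status_code in [200, 403]:
                found_credentials.append((r.status_code, credentials))
        return found_credentials
    except Exception as e:
        # Name this function in the message; it previously named
        # get_version_from_malformed_http_request, which sent anyone reading
        # the debug log to the wrong place.
        config.debug("Error in try_default_credentials('%s', %d, '%s'): %s " % (target, port, scheme, e))
        return found_credentials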
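def scan_worker(target, port, reporter, config, monitor_data):
    """Scan one target/port for Apache Tomcat and report the findings.

    Steps, each run only if the previous one succeeded: check that the port
    is open, find a scheme over which HTTP answers, read the Tomcat version
    from an error page, look for a manager endpoint, and test the configured
    credentials against it.

    The shared progress counter is incremented exactly once per call, even
    when the scan raises. Otherwise a failed target is never counted and the
    monitor's ``actions_performed == total`` condition is never met.

    Args:
        target: Host name or address to scan.
        port: TCP port to scan.
        reporter: Receives results through ``report_result()``.
        config: Scanner configuration (schemes, request options, debug).
        monitor_data: Shared dict with the keys "lock" and
            "actions_performed".
    """
    # Candidate manager URLs. The second entry is a path-parameter variant of
    # the first; presumably it detects front ends that forward "/..;/"
    # without normalising it. Confirm against the project documentation.
    manager_access_paths = [
        "/manager/html",
        "/..;/manager/html"
    ]
    try:
        result = {"target": target}
        if is_port_open(target, port):
            for scheme in config.get_request_available_schemes():
                if is_http_accessible(target, port, config, scheme):
                    result["scheme"] = scheme
                    result["version"] = get_version_from_malformed_http_request(target, port, config, scheme)
                    if result["version"] is not None:
                        config.debug("Found version %s" % result["version"])
                        result["manager_accessible"] = False
                        result["manager_path"] = ""
                        for urlpath in manager_access_paths:
                            if is_tomcat_manager_accessible(target, port, urlpath, config, scheme):
                                result["manager_accessible"] = True
                                result["manager_path"] = urlpath
                                result["manager_url"] = "%s://%s:%d%s" % (scheme, target, port, urlpath)
                                break
                        # NOTE(review): the original tested manager_accessible
                        # twice in a row; the checks are merged here. As
                        # written, a result is reported only when a manager
                        # endpoint was found. Confirm that is intended.
                        if result["manager_accessible"]:
                            config.debug("Manager is accessible")
                            # Test for default credentials
                            credentials_found = try_default_credentials(target, port, config, scheme)
                            reporter.report_result(
                                target,
                                port,
                                result,
                                credentials_found
                            )
    except Exception as e:
        if config.debug_mode:
            print("[Error in %s] %s" % (__name__, e))
            traceback.print_exc()
    finally:
        # Always count the target as processed, and always release the lock.
        monitor_data["lock"].acquire()
        try:
            monitor_data["actions_performed"] = monitor_data["actions_performed"] + 1
        finally:
            monitor_data["lock"].release()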
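def monitor_thread(reporter, config, monitor_data):
    """Print a progress line once per second until all targets are processed.

    The loop ends when no action completed during the last interval and the
    number of performed actions equals the total. Pending results are
    flushed through the reporter on each pass and once more after the loop.

    Args:
        reporter: Provides ``print_new_results()`` and ``_new_results``.
        config: Provides ``debug_mode``, which selects between rewriting the
            status line in place and printing one line per update.
        monitor_data: Shared dict with the keys "actions_performed" and
            "total".
    """
    time.sleep(1)
    last_check, monitoring = 0, True
    while monitoring:
        new_check = monitor_data["actions_performed"]
        total = monitor_data["total"]
        rate = (new_check - last_check)
        # An empty target list gives total == 0; report it as complete
        # instead of raising ZeroDivisionError.
        percent = (new_check / total) * 100 if total else 100.0
        if not config.debug_mode:
            # Return to the start of the line so the status is overwritten.
            print("\r", end="")
        reporter.print_new_results()
        print("[%s] Status (%d/%d) %5.2f %% | Rate %d tests/s " % (
                datetime.datetime.now().strftime("%Y/%m/%d %Hh%Mm%Ss"),
                new_check, total, percent,
                rate
            ),
            end=("" if not config.debug_mode else "\n")
        )
        last_check = new_check
        time.sleep(1)
        if rate == 0 and monitor_data["actions_performed"] == monitor_data["total"]:
            monitoring = False
    if len(reporter._new_results) != 0:
        reporter.print_new_results()
    print()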