Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
'''
Gets possible Great Cannon injections from UrlScan
'''
import requests
import json
# Insert your urlscan API Key
api_key = ''
seen_ids = []
def getTaskIds(hostname):
js = requests.get( 'https://urlscan.io/api/v1/search/?size=10000&q=domain:' + hostname).content
result = json.loads(js)
for task in result['results']:
task_id = task['_id']
checkTask(task_id)
def checkTask(task_id):
try:
global seen_ids
if task_id not in seen_ids:
seen_ids.append(task_id)
js = requests.get( 'https://urlscan.io/api/v1/result/' + task_id + '/').content
result = json.loads(js)
for request in result['data']['requests']:
filename = request['request']['request']['url']
response_length = request['response']['dataLength']
# Bad http://push.zhanzhang.baidu.com/push.js
if 'push.js' in filename and response_length > 1000:
print ('Suspicious push.js at https://urlscan.io/result/' + task_id + '/#transactions size: ' + str(response_length))
# Bad http://js.passport.qihucdn.com/11.0.1.js
if '11.0.1.js' in filename and response_length > 1000:
print ('Suspicious 11.0.1.js at https://urlscan.io/result/' + task_id + '/#transactions size: ' + str(response_length))
# Bad http://hm.baidu.com/hm.js
if 'hm.js' in filename and response_length < 15000 and response_length > 2000:
print ('Suspicious hm.js at https://urlscan.io/result/' + task_id + '/#transactions size: ' + str(response_length))
except Exception as ex:
pass
getTaskIds('push.zhanzhang.baidu.com')
getTaskIds('js.passport.qihucdn.com')
getTaskIds('hm.baidu.com')
# checkTask('3fd5a719-24d9-42cd-ae10-87129ad87fd1')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.