leveryd/gist:334b719e253261ffd0abfd161e499ae7

## gistfile1.txt
# coding:utf-8
""" 管理后台、未授权的管理后台 """
import unittest
from urllib2 import urlparse
from bs4 import BeautifulSoup
from bs4.element import Tag
from poc_common.utils import get_hostname_port_url
from poc_common.utils import c_requests as requests
from scripts.poc_common.misinformation import is_valid


info = {
    "tag": u"web_poc,external_scan,sensitive_file,forbidden_internal_scan",
    "script_desc": u"管理后台",
    "fingerprint_query_condition": "service:http",
    "vuln_version": "",
    "vuln_level": "",
    "vuln_type": "",
    "big_alarmtype": u"应用漏洞",
    "small_alarmtype": u"敏感信息泄漏"
}


def is_in_white_list(hostname, port, white_list):
    """
    :param hostname:
    :param port:
    :param white_list:
    :return:
    """
    e = hostname + ":" + str(port)
    if e in white_list:
        return True
    return False


def bad_location(location):
    """
    跳转的location host是否在白名单中
    :param location:
    :return:
    """
    domain_white_list = [
        "open.weixin.qq.com"
    ]
    host = urlparse.urlparse(location)[1]
    if host in domain_white_list:
        return False
    return True


def poc(args):
    """
    :param args:
    :return:
    """
    manage_word_list = ['admin', 'login', 'manage', 'manager', 'backend', 'monitor']

    (domain, port, base_url) = get_hostname_port_url(args)

    # 无法消除的误报、白名单
    white_list = [

    ]
    if is_in_white_list(domain, port, white_list):
        return False

    # 域名中包含关键词，直接当作后台管理系统
    if any([i in domain for i in manage_word_list]):
        return base_url

    for suffix in ["/"]:
        req_url = base_url + suffix

        r = requests.get("{0}".format(req_url), allow_redirects=False)

        if r.status_code in [301, 302]:
            for keyword in manage_word_list:
                if r.headers.get('Location', '').find(keyword) >= 0:
                    if not bad_location(r.headers.get('Location')):
                        continue

                    if is_valid(r):
                        return req_url

        if r.status_code in [301, 302]:
            r = requests.get("{0}".format(req_url))

        if "<table>" in r.text and str(r.status_code).startswith("2"):
            if is_valid(r):
                return req_url

        # vue框架写的cms
        soup = BeautifulSoup(r.text, 'html.parser')
        if soup.body is not None:

            # https://www.cnblogs.com/yoyoketang/p/6931209.html
            # descendants 孙节点， contents 字节点
            tmp = list(soup.body.descendants)
            tags = [i for i in tmp if isinstance(i, Tag)]

            if len(tags) == 0:
                return False

            # body下所有的元素，只能有script/div/noscript标签，必须有script/div标签
            if all([i.name in ["script", "div", "noscript"] for i in tags]):
                if any([i.name == "script" for i in tags]) and any([i.name == "div" for i in tags]):
                    return req_url

    return False
	# coding:utf-8
	""" 管理后台、未授权的管理后台 """
	import unittest
	from urllib2 import urlparse
	from bs4 import BeautifulSoup
	from bs4.element import Tag
	from poc_common.utils import get_hostname_port_url
	from poc_common.utils import c_requests as requests
	from scripts.poc_common.misinformation import is_valid


	info = {
	"tag": u"web_poc,external_scan,sensitive_file,forbidden_internal_scan",
	"script_desc": u"管理后台",
	"fingerprint_query_condition": "service:http",
	"vuln_version": "",
	"vuln_level": "",
	"vuln_type": "",
	"big_alarmtype": u"应用漏洞",
	"small_alarmtype": u"敏感信息泄漏"
	}


	def is_in_white_list(hostname, port, white_list):
	"""
	:param hostname:
	:param port:
	:param white_list:
	:return:
	"""
	e = hostname + ":" + str(port)
	if e in white_list:
	return True
	return False


	def bad_location(location):
	"""
	跳转的location host是否在白名单中
	:param location:
	:return:
	"""
	domain_white_list = [
	"open.weixin.qq.com"
	]
	host = urlparse.urlparse(location)[1]
	if host in domain_white_list:
	return False
	return True


	def poc(args):
	"""
	:param args:
	:return:
	"""
	manage_word_list = ['admin', 'login', 'manage', 'manager', 'backend', 'monitor']

	(domain, port, base_url) = get_hostname_port_url(args)

	# 无法消除的误报、白名单
	white_list = [

	]
	if is_in_white_list(domain, port, white_list):
	return False

	# 域名中包含关键词，直接当作后台管理系统
	if any([i in domain for i in manage_word_list]):
	return base_url

	for suffix in ["/"]:
	req_url = base_url + suffix

	r = requests.get("{0}".format(req_url), allow_redirects=False)

	if r.status_code in [301, 302]:
	for keyword in manage_word_list:
	if r.headers.get('Location', '').find(keyword) >= 0:
	if not bad_location(r.headers.get('Location')):
	continue

	if is_valid(r):
	return req_url

	if r.status_code in [301, 302]:
	r = requests.get("{0}".format(req_url))

	if "<table>" in r.text and str(r.status_code).startswith("2"):
	if is_valid(r):
	return req_url

	# vue框架写的cms
	soup = BeautifulSoup(r.text, 'html.parser')
	if soup.body is not None:

	# https://www.cnblogs.com/yoyoketang/p/6931209.html
	# descendants 孙节点， contents 字节点
	tmp = list(soup.body.descendants)
	tags = [i for i in tmp if isinstance(i, Tag)]

	if len(tags) == 0:
	return False

	# body下所有的元素，只能有script/div/noscript标签，必须有script/div标签
	if all([i.name in ["script", "div", "noscript"] for i in tags]):
	if any([i.name == "script" for i in tags]) and any([i.name == "div" for i in tags]):
	return req_url

	return False