CDN 뒤의 실제 IP 가져오기

64530 단어 python-hack
http://3xp10it.cc/web/2016/11/05/%E5%B0%9D%E8%AF%95%E8%8E%B7%E5%8F%96cdn%E8%83%8C%E5%90%8E%E7%9A%84%E7%9C%9F%E5%AE%9Eip/
0x01 requirement
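1. Uses masscan rather than nmap; the code installs it if it is not present.
2. Linux only, Ubuntu preferred; the flush_dns function was tested on Ubuntu only.
3. Usage (run as root: the script rewrites /etc/hosts, restarts networking, and runs pip3 and apt-get installs):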
eg.python3 xcdn.py www.baidu.com

4.need on[some domain will be blocked by GFW,and this will make the result wrong]
0x02 pycode
download:xcdn.py

#############################################################
###                                                  
###   ▄▄▄▄                ▄▄▄     ▄▄▄▄    ▀      ▄   
###  ▀   ▀█ ▄   ▄  ▄▄▄▄     █    ▄▀  ▀▄ ▄▄▄    ▄▄█▄▄ 
###    ▄▄▄▀  █▄█   █▀ ▀█    █    █  ▄ █   █      █   
###      ▀█  ▄█▄   █   █    █    █    █   █      █   
###  ▀▄▄▄█▀ ▄▀ ▀▄  ██▄█▀  ▄▄█▄▄   █▄▄█  ▄▄█▄▄    ▀▄▄ 
###                █                                 
###                ▀                                 
###                                                          
### name: xcdn.py
### function: try to get the actual ip behind cdn
### date: 2016-11-05
### author: quanyechavshuo
### blog: https://3xp10it.cc
#############################################################
import time
import os
# NOTE(review): this installs/upgrades an unpinned third-party package from the
# package index on every run, immediately before importing it. The class below
# writes /etc/hosts, so the script is presumably run as root; whatever the index
# serves under the name "exp10it" at that moment then executes with those
# privileges. Installing a pinned, hash-checked version ahead of time
# (pip's --require-hashes mode) removes that exposure. The return code of the
# install is not checked; a failed install surfaces as ImportError on the next line.
os.system("pip3 install exp10it -U --no-cache")    
from exp10it import figlet2file
# Banner output only; the arguments are passed through to exp10it unchanged.
figlet2file("3xp10it",0,True)
time.sleep(1)

from exp10it import CLIOutput
from exp10it import get_root_domain
from exp10it import get_string_from_command
from exp10it import get_http_or_https
from exp10it import post_request
from exp10it import get_request
from exp10it import check
import sys
import re

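class Xcdn(object):
    """Try to find the address a CDN-fronted domain is actually served from.

    Constructing an instance runs the whole procedure (there is no separate
    "run" method) and stores the outcome in ``self.return_value``: an IPv4
    string, or ``0`` when nothing was found.  The steps, in order, are:

    1. ``domain_has_cdn``: NS-record keyword match, then "more than one A
       record" as a fallback signal.
    2. A lookup against a third-party Cloudflare database (only when the NS
       records mention Cloudflare).
    3. A probe for a few well-known phpinfo page names.
    4. The /24 around each MX host, where every responder on the web port is
       compared with the original page title via a temporary /etc/hosts entry.

    Defensive reading: each step corresponds to something a site operator can
    close: leftover phpinfo/test pages, an origin that answers web requests
    from addresses other than the CDN's, and mail hosts placed in the same
    address range as the origin.

    Side effects (all visible below): edits and restores ``/etc/hosts``,
    reloads networking, may run ``apt-get install masscan``, runs ``masscan``
    and ``dig``.  Because host names and addresses are interpolated into shell
    command strings, both are validated against strict shapes first.
    """

    # Only these shapes are ever interpolated into a shell command line.
    # The first character may not be "-" (option injection) or "." .
    _HOSTNAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,252}")
    _IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")

    @staticmethod
    def _require_hostname(value):
        """Return *value* if it is a plain ASCII host name, else raise ValueError.

        Internationalised names must be given in their punycode form.
        """
        if not isinstance(value, str) or not Xcdn._HOSTNAME_RE.fullmatch(value):
            raise ValueError("not a plain host name: %r" % (value,))
        return value

    @staticmethod
    def _require_ipv4(value):
        """Return *value* if it is dotted-quad shaped, else raise ValueError.

        This is a shell-safety check (digits and dots only), the same shape
        the extraction regexes in this class produce; octet ranges are not
        checked.
        """
        if not isinstance(value, str) or not Xcdn._IPV4_RE.fullmatch(value):
            raise ValueError("not an IPv4 address: %r" % (value,))
        return value

    def __init__(self,domain):
        """Run the full lookup for *domain* and store it in ``return_value``.

        Raises:
            ValueError: *domain* is not a plain host name.  Checked before any
                command is run, because the name ends up inside ``sed``,
                ``echo`` and ``dig`` command lines.
        """
        self._require_hostname(domain)
        # Wait until exp10it's check() reports 1 (the surviving comment
        # fragments mention pinging google); loops forever otherwise.
        while check() != 1:
            time.sleep(1)
            print(" is off,connect  first")
        # Blank out any existing /etc/hosts line for this domain so the first
        # request is resolved through DNS, not through a stale local override.
        # See http://stackoverflow.com/questions/1251999/how-can-i-replace-a-newline-n-using-sed
        domainPattern = domain.replace(".", r"\.")
        command = r"sed -ri 's/.*\s+%s//' /etc/hosts" % domainPattern
        os.system(command)
        self.domain = domain
        self.http_or_https = get_http_or_https(self.domain)
        print('domain http https :%s' % self.http_or_https)
        # Reference title; candidate addresses are later compared against it.
        result = get_request(self.http_or_https + "://" + self.domain, 'seleniumPhantomJS')
        self.domain_title = result['title']
        # get_actual_ip_from_domain is the real entry point of the procedure.
        actual_ip = self.get_actual_ip_from_domain()
        if actual_ip != 0:
            print(" ,%s ip %s" % (self.domain, actual_ip))
        # NOTE(review): on this page the assignment follows a stripped comment
        # on the same physical line; it is kept as live code so that callers
        # reading .return_value keep working.
        self.return_value = actual_ip

    def domain_has_cdn(self):
        """Guess whether the domain sits behind a CDN.

        Returns:
            ``{'has_cdn': 0|1, 'is_cloud_flare': 0|1}``.  ``has_cdn`` is 1 when
            the root domain's NS records match a provider keyword, or when the
            domain has more than one A record.
        """
        CLIOutput().good_print(" domain:%s cdn" % self.domain)
        # NS is queried on the root domain, eg. dig +short www.baidu.com ns
        # VS dig +short baidu.com ns
        ns_output = get_string_from_command("dig ns %s +short" % get_root_domain(self.domain))
        # NOTE(review): "cloud" and "fast" are broad keywords and will also
        # match ordinary DNS hosters; treat has_cdn=1 as a hint only.
        pattern = re.compile(
            r"(cloudflare)|(cdn)|(cloud)|(fast)|(incapsula)|(photon)|(cachefly)|(wppronto)|(softlayer)|(incapsula)|(jsdelivr)|(akamai)", re.I)
        cloudflare_pattern = re.compile(r"cloudflare", re.I)
        if re.search(pattern, ns_output):
            if re.search(cloudflare_pattern, ns_output):
                print("has_cdn=1 from ns,and cdn is cloudflare")
                return {'has_cdn': 1, 'is_cloud_flare': 1}
            print("has_cdn=1 from ns")
            return {'has_cdn': 1, 'is_cloud_flare': 0}
        # Fallback: more than one A record is taken as a sign of a CDN.
        a_output = get_string_from_command("dig a %s +short" % self.domain)
        a_records = re.findall(r"((\d{1,3}\.){3}\d{1,3})", a_output)
        if len(a_records) > 1:
            return {'has_cdn': 1, 'is_cloud_flare': 0}
        return {'has_cdn': 0, 'is_cloud_flare': 0}

    def get_domain_actual_ip_from_phpinfo(self):
        """Look for a leftover phpinfo page and read an address out of it.

        Returns:
            The captured address string, or ``0`` when no candidate page
            answered 200 with a parsable REMOTE_ADDR entry.
        """
        CLIOutput().good_print(" domain:%s phpinfo ip" % self.domain)
        phpinfo_page_list = ["info.php", "phpinfo.php", "test.php", "l.php"]
        marker = re.compile(r"remote_addr", re.I)
        for each in phpinfo_page_list:
            url = self.http_or_https + "://" + self.domain + "/" + each
            CLIOutput().good_print(" %s" % url)
            visit = get_request(url, 'seleniumPhantomJS')
            code = visit['code']
            content = visit['content']
            if code == 200 and re.search(marker, content):
                print(each)
                # NOTE(review): PHP's REMOTE_ADDR is the address of the
                # requesting peer, so this value is not necessarily the origin
                # server's; the caller returns it without the title comparison
                # used for the other candidates.
                found = re.search(r"REMOTE_ADDR[^\.\d]+([\d\.]{7,15})[^\.\d]+", content)
                # The marker can match case-insensitively while this stricter
                # pattern does not; move on instead of failing on None.
                if found:
                    return found.group(1)
        # 0 means: no phpinfo page yielded an address.
        return 0

    def flush_dns(self):
        """Flush the local DNS cache so a changed /etc/hosts takes effect.

        Runs two Ubuntu init scripts and then waits three seconds; the exit
        status of the commands is not checked.
        """
        CLIOutput().good_print(" dns cache")
        command = "/etc/init.d/dns-clean start && /etc/init.d/networking force-reload"
        os.system(command)
        time.sleep(3)

    def modify_hosts_file_with_ip_and_domain(self,ip):
        """Point ``self.domain`` at *ip* in /etc/hosts.

        An existing line mentioning the domain is rewritten in place,
        otherwise a new line is appended.

        Raises:
            ValueError: *ip* or ``self.domain`` is not of the expected shape.
                Checked first: both values are pasted into a shell command.
        """
        self._require_ipv4(ip)
        self._require_hostname(self.domain)
        CLIOutput().good_print(" hosts ")
        escaped_domain = self.domain.replace(".", r"\.")
        with open("/etc/hosts", "r+") as f:
            file_content = f.read()
        # Uses self.domain: the bare name `domain` only exists as a global
        # when the file is run as a script, not when the class is imported.
        if re.search(r"%s" % escaped_domain, file_content):
            os.system("sed -ri 's/.*%s.*/%s %s/' %s" % (escaped_domain, ip, self.domain, "/etc/hosts"))
        else:
            os.system("echo %s %s >> /etc/hosts" % (ip, self.domain))

    def check_if_ip_is_actual_ip_of_domain(self,ip):
        """Check whether *ip* serves the same page title as the domain.

        Temporarily maps the domain to *ip* in /etc/hosts, fetches the page
        and compares its title with the one recorded in ``__init__``.  An
        equal title is a heuristic, not proof of identity.

        Returns:
            True when the titles are equal, False otherwise.
        """
        CLIOutput().good_print(" hosts dns ip:%s domain:%s ip" % (ip, self.domain))
        os.system("cp /etc/hosts /etc/hosts.bak")
        try:
            self.modify_hosts_file_with_ip_and_domain(ip)
            self.flush_dns()
            hosts_changed_domain_title = get_request(
                self.http_or_https + "://%s" % self.domain, 'seleniumPhantomJS')['title']
        finally:
            # Always restore the system hosts file, including when the request
            # or the validation above raises.
            os.system("rm /etc/hosts && mv /etc/hosts.bak /etc/hosts")
        # Both messages are identical on this page (their original text did
        # not survive extraction); only the return value distinguishes them.
        if self.domain_title == hosts_changed_domain_title:
            print(" !!!!!!!!!!!!")
            return True
        else:
            print(" !!!!!!!!!!!!")
            return False

    def get_c_80_or_443_list(self,ip):
        """Return the addresses in *ip*'s /24 that masscan reports for the web port.

        The port is 80 or 443 depending on ``self.http_or_https``.

        Raises:
            ValueError: *ip* is not dotted-quad shaped, or the scheme is
                neither "http" nor "https".
        """
        import shlex
        import tempfile

        self._require_ipv4(ip)
        if "not found" in get_string_from_command("masscan"):
            # masscan is used here, not nmap; install it when missing.
            os.system("apt-get install masscan")
        if self.http_or_https == "http":
            scanPort = 80
            CLIOutput().good_print(" %s c 80 " % ip)
        elif self.http_or_https == "https":
            scanPort = 443
            CLIOutput().good_print(" %s c 443 " % ip)
        else:
            raise ValueError("unexpected scheme: %r" % (self.http_or_https,))
        # A private temp file replaces the fixed /tmp/masscan.out: a
        # predictable name in a world-writable directory, written by a
        # privileged process, can be pre-created or symlinked by another
        # local user.
        fd, out_path = tempfile.mkstemp(prefix="masscan-", suffix=".out")
        os.close(fd)
        try:
            os.system("masscan -p%d %s/24 > %s" % (scanPort, ip, shlex.quote(out_path)))
            with open(out_path, "r") as f:
                strings = f.read()
        finally:
            os.remove(out_path)
        ipList = [match[0] for match in re.findall(r"((\d{1,3}\.){3}\d{1,3})", strings)]
        print(ipList)
        return ipList

    def check_if_ip_c_machines_has_actual_ip_of_domain(self,ip):
        """Test every web-port responder in *ip*'s /24 against the domain.

        Returns:
            The first address for which the title comparison succeeds,
            or ``0`` when none does.
        """
        CLIOutput().good_print(" ip %s c %s ip" % (ip,self.domain))
        for each_ip in self.get_c_80_or_443_list(ip):
            if self.check_if_ip_is_actual_ip_of_domain(each_ip):
                return each_ip
        return 0

    def get_ip_from_mx_record(self):
        """Resolve the root domain's MX hosts to addresses.

        Only MX hosts that are sub-domains of the root domain are considered
        (that is what the regex keeps).  Returns a de-duplicated list holding
        the first address of each host; hosts that do not resolve are skipped.
        """
        import socket

        print(" mx %s mx " % self.domain)
        # self.domain may be a sub-domain, eg. www.baidu.com
        root_domain = get_root_domain(self.domain)
        result = get_string_from_command("dig %s +short mx" % root_domain)
        sub_domains_list = re.findall(
            r"\d{1,} (.*\.%s)\." % root_domain.replace(".", r"\."), result)
        ip_list = []
        for each in sub_domains_list:
            print(each)
            try:
                addresses = socket.gethostbyname_ex(each)[2]
            except (socket.gaierror, socket.herror):
                # One stale MX entry should not abort the whole run.
                continue
            if addresses and addresses[0] not in ip_list:
                ip_list.append(addresses[0])
        return ip_list

    def check_if_mx_c_machines_has_actual_ip_of_domain(self):
        """Run the /24 comparison around every MX host address.

        Returns:
            The first matching address, or ``0`` when there is none.
        """
        CLIOutput().good_print(" mx c %s ip" % self.domain)
        for each_ip in self.get_ip_from_mx_record():
            result = self.check_if_ip_c_machines_has_actual_ip_of_domain(each_ip)
            if result != 0:
                return result
        return 0

    def get_ip_value_from_online_cloudflare_interface(self):
        """Ask a third-party lookup service for the domain's address.

        Returns:
            The first dotted-quad found in the response body, or ``0``.
        """
        CLIOutput().good_print(" cloudflare cdn ip ip")
        # NOTE(review): the domain under test is sent to a third party over
        # plain HTTP, and the first IPv4-looking string in the reply is
        # returned to the caller without any verification.
        url = "http://www.crimeflare.com/cgi-bin/cfsearch.cgi"
        post_data = 'cfS=%s' % self.domain
        content = post_request(url, post_data)
        findIp = re.search(r"((\d{1,3}\.){3}\d{1,3})", content)
        if findIp:
            return findIp.group(1)
        return 0

    def get_actual_ip_from_domain(self):
        """Drive the lookup steps in order and return the first result.

        Returns:
            An address string, or ``0`` when every step came up empty.  When
            no CDN is detected the domain's first resolved address is returned
            as is.
        """
        import socket

        CLIOutput().good_print(" ip , domain cdn ")
        has_cdn_value = self.domain_has_cdn()
        if has_cdn_value['has_cdn'] != 1:
            CLIOutput().good_print("Attention...!!! Domain doesn't have cdn,I will return the only one ip")
            return socket.gethostbyname_ex(self.domain)[2][0]
        CLIOutput().good_print(" domain:%s A , cdn" % self.domain)
        # Step 1: third-party database, Cloudflare only.
        if has_cdn_value['is_cloud_flare'] == 1:
            ip_value = self.get_ip_value_from_online_cloudflare_interface()
            if ip_value != 0:
                return ip_value
        # Step 2: leftover phpinfo pages.
        ip_from_phpinfo = self.get_domain_actual_ip_from_phpinfo()
        if ip_from_phpinfo != 0:
            return ip_from_phpinfo
        # Step 3: the /24 around each MX host.
        result = self.check_if_mx_c_machines_has_actual_ip_of_domain()
        if result != 0:
            return result
        print(" , %s cdn, ip, 0" % self.domain)
        return 0


if __name__ == '__main__':
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: python3 xcdn.py <domain>")
    domain = sys.argv[1]
    Xcdn(domain)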

cdn, python
I feedback.
Let me know what you think of this article on twitter @quanyechavshuo!
댓 글 2 개 hxxh
안녕하세요, py를 배운 적이 없습니다. 이 스크립트를 실행하면 다음과 같이 나옵니다. `from: too many arguments` `./xcdn.py: 행 19: 예상치 못한 기호 '"3xp10it",0,True' 근처에 문법 오류가 있습니다` `./xcdn.py: 행 19: 'figlet2file("3xp10it",0,True)'` 어떻게 된 일인지 여쭤봅니다.
2016 년 11 월 18 일

「&」
hxxh: figlet2file("3xp10it", 0, True) 줄을 주석 처리하면 됩니다. 즉, #figlet2file("3xp10it", 0, True) [이 줄은 출력 기능일 뿐 코드 기능에는 중요하지 않습니다. 시스템이 ubuntu가 아니면 오류가 발생할 수 있습니다]
2016 년 11 월 25 일
