
Commit 6444983

authored
Refactor scanner_engine.py with new features
1 parent 600c6d7 commit 6444983

1 file changed

Lines changed: 68 additions & 53 deletions


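--- a/scanner_engine.py
+++ b/scanner_engine.py
@@ -1,3 +1,5 @@
+#lokesh kumar
+#github.com/trmxvibs
 import subprocess
 import socket
 import requests
@@ -14,7 +16,7 @@
 from bs4 import BeautifulSoup
 from concurrent.futures import ThreadPoolExecutor
 
-# --- 1. UTILITIES & STEALTH ---
+# --- 1. UTILITIES ---
 def clean_target(target):
 target = target.strip()
 if "://" in target: return urlparse(target).hostname
@@ -78,7 +80,7 @@ def consult_oracle(domain):
 vulns = data.get('vulns', [])
 if vulns:
 report.append(f" [☠️] KNOWN VULNS: {len(vulns)} FOUND!")
-for v in vulns[:3]: report.append(f" > {v}")
+for v in vulns: report.append(f" > {v}") # UNRESTRICTED
 else: report.append(" [✓] Clean record.")
 except: pass
 return "\n".join(report)
@@ -94,6 +96,9 @@ def check_zone_transfer(domain):
 z = dns.zone.from_xfr(dns.query.xfr(ns_ip, domain, timeout=2))
 if z:
 report.append(f" [!!!] CRITICAL: ZONE TRANSFER OPEN on {ns}")
+report.append(" [+] Dumping Records:")
+for name, node in z.nodes.items(): # UNRESTRICTED
+report.append(f" > {name}.{domain}")
 vuln = True; break
 except: continue
 if not vuln: report.append(" [✓] DNS Secure.")
@@ -129,11 +134,25 @@ def analyze_ssl_cert(domain):
 extras = [d for d in sans if d != domain]
 if extras:
 report.append(f" [SCOPE] Found {len(extras)} hidden domains:")
-for d in extras[:5]: report.append(f" > {d}")
+for d in extras: report.append(f" > {d}") # UNRESTRICTED
 except: report.append(" [-] SSL Handshake Failed.")
 return "\n".join(report)
 
-# --- 4. OFFENSE & VULNERABILITY ---
+def find_subdomains(domain):
+report = ["\n[*] PASSIVE SUBDOMAINS:"]
+try:
+url = f"https://crt.sh/?q=%.{domain}&output=json"
+data = requests.get(url, timeout=10).json()
+subs = set(entry['name_value'].split('\n')[0] for entry in data)
+valid = [s for s in subs if domain in s]
+if valid:
+report.append(f" [+] Found {len(valid)} subdomains (FULL LIST):")
+for s in sorted(list(valid)): report.append(f" > {s}") # UNRESTRICTED
+else: report.append(" [-] No subdomains found.")
+except: report.append(" [-] Passive recon failed.")
+return "\n".join(report)
+
+# --- 4. OFFENSE ---
 def run_nmap_scan(domain, mode, custom_flags):
 if shutil.which("nmap") is None: return "[-] CRITICAL: Nmap not installed."
 try: ip = socket.gethostbyname(domain)
@@ -151,62 +170,37 @@ def run_nmap_scan(domain, mode, custom_flags):
 return process.stdout
 except Exception as e: return f"[-] Nmap Error: {e}"
 
-# --- NEW: DEEP VULNERABILITY SCANNER ---
 def deep_vuln_scanner(domain):
 report = ["\n[*] DEEP VULNERABILITY SCAN (LFI/CONFIG):"]
 base_url = f"http://{domain}"
 
-# 1. CONFIG & BACKUP FILES (High Impact)
-critical_files = [
-".env", ".git/config", ".vscode/sftp.json", "docker-compose.yml",
-"wp-config.php.bak", "config.php.bak", "id_rsa", "backup.sql"
-]
-
-found_config = False
+critical_files = [".env", ".git/config", ".vscode/sftp.json", "docker-compose.yml", "wp-config.php.bak"]
+found = False
 for f in critical_files:
 try:
-url = f"{base_url}/{f}"
-r = requests.get(url, headers=get_bypass_headers(), timeout=2)
-if r.status_code == 200 and len(r.text) > 0:
-# Verify it's not a fake 200 page
-if "html" not in r.text.lower():
-report.append(f" [☠️] CRITICAL LEAK: {f} FOUND!")
-report.append(f" > Content Snippet: {r.text[:50]}...")
-found_config = True
+r = requests.get(f"{base_url}/{f}", headers=get_bypass_headers(), timeout=2)
+if r.status_code == 200 and "html" not in r.text.lower():
+report.append(f" [☠️] CRITICAL LEAK: {f} FOUND!")
+found = True
 except: pass
-
-if not found_config: report.append(" [✓] No config backups exposed.")
+if not found: report.append(" [✓] No config backups exposed.")
 
-# 2. LFI (Local File Inclusion) CHECK
-# Look for URL params and fuzz them
 try:
 r = requests.get(base_url, headers=get_bypass_headers(), timeout=3)
 soup = BeautifulSoup(r.text, 'html.parser')
-lfi_payloads = ["../../../../etc/passwd", "c:/windows/win.ini"]
-
 vuln_lfi = False
 for a in soup.find_all('a', href=True):
 if "=" in a['href']:
-target_param_url = urljoin(base_url, a['href'])
-# Replace param value with payload
-# Simple check: assume param is at the end
-base, param = target_param_url.split('=', 1)
-
-for pay in lfi_payloads:
-fuzz_url = f"{base}={pay}"
-try:
-fr = requests.get(fuzz_url, timeout=3)
-if "root:x:0:0" in fr.text or "[extensions]" in fr.text:
-report.append(f" [☠️] LFI VULNERABILITY DETECTED!")
-report.append(f" > URL: {fuzz_url}")
-vuln_lfi = True
-break
-except: pass
-if vuln_lfi: break
-
+base, param = urljoin(base_url, a['href']).split('=', 1)
+fuzz_url = f"{base}=../../../../etc/passwd"
+try:
+fr = requests.get(fuzz_url, timeout=3)
+if "root:x:0:0" in fr.text:
+report.append(f" [☠️] LFI DETECTED: {fuzz_url}")
+vuln_lfi = True; break
+except: pass
 if not vuln_lfi: report.append(" [✓] LFI check passed.")
 except: pass
-
 return "\n".join(report)
 
 def crawl_website_data(domain):
@@ -227,21 +221,43 @@ def crawl_website_data(domain):
 if s.get('src'): scripts.append(s.get('src'))
 elif s.get('data-src'): scripts.append(s.get('data-src'))
 
-report.append(f" [i] Analyzing {len(scripts)} JavaScript files...")
+report.append(f" [i] Analyzing {len(scripts)} JavaScript files (FULL SCAN)...")
 
-for script in scripts[:5]:
+endpoints = set()
+# UNRESTRICTED: Scan up to 50 scripts now
+for script in scripts[:50]:
 if not script.startswith("http"):
 if script.startswith("//"): script = "https:" + script
 else: script = urljoin(url, script)
 try:
 js_code = requests.get(script, headers=get_bypass_headers(), timeout=5).text
+
+paths = re.findall(r"['\"](\/[a-zA-Z0-9_/-]+)['\"]", js_code)
+for p in paths:
+if len(p) > 4 and "//" not in p: endpoints.add(p)
+
 for name, pat in secrets.items():
 keys = re.findall(pat, js_code)
 for k in keys: report.append(f" [$$$] KEY LEAK ({name}) in JS: {k}")
 except: pass
+
+if endpoints:
+report.append(f" [+] Found {len(endpoints)} hidden API endpoints (FULL LIST):")
+for ep in sorted(list(endpoints)): report.append(f" > {ep}") # UNRESTRICTED
 except: report.append(" [-] Spider failed.")
 return "\n".join(report)
 
+def check_cve_vulnerabilities(text):
+report = ["\n[*] CVE CHECK:"]
+exploits = {"vsftpd 2.3.4": "CVE-2011-2523", "Apache 2.4.49": "CVE-2021-41773"}
+found = False
+for soft, cve in exploits.items():
+if soft in text:
+report.append(f" [☠️] VULNERABLE: {soft} -> {cve}")
+found = True
+if not found: report.append(" [✓] No signature match.")
+return "\n".join(report)
+
 def detect_tech_stack(domain):
 report = ["\n[*] TECH STACK:"]
 detected = []
@@ -275,9 +291,8 @@ def calculate_risk_score(scan_result):
 score += len(re.findall(r"\d+/tcp\s+open", scan_result)) * 5
 if "[☠️]" in scan_result: score += 50
 if "[$$$]" in scan_result: score += 40
-if "CRITICAL LEAK" in scan_result: score += 60 # High impact
-if "LFI VULNERABILITY" in scan_result: score += 70 # Critical
-if "WAF DETECTED" in scan_result: score -= 10
+if "403 BYPASSED" in scan_result: score += 30
+if "hidden API endpoints" in scan_result: score += 15
 if score > 100: score = 100
 return score
 
@@ -297,8 +312,8 @@ def scan_target(domain, mode="basic", custom_flags="", previous_result=None, web
 if mode != "basic":
 futures["spider"] = executor.submit(crawl_website_data, clean_host)
 futures["tech"] = executor.submit(detect_tech_stack, clean_host)
-# NEW VULN SCANNER (Runs in all modes except basic)
 futures["vuln"] = executor.submit(deep_vuln_scanner, clean_host)
+futures["subdomain"] = executor.submit(find_subdomains, clean_host) # Added explicit call
 
 if mode == "advance":
 futures["zone"] = executor.submit(check_zone_transfer, clean_host)
@@ -315,14 +330,14 @@ def scan_target(domain, mode="basic", custom_flags="", previous_result=None, web
 final.append(results_dict.get("oracle",""))
 final.append(results_dict.get("waf",""))
 final.append(results_dict.get("ssl",""))
+if "subdomain" in results_dict: final.append(results_dict["subdomain"])
+if "zone" in results_dict: final.append(results_dict["zone"])
 
 scan_out = results_dict.get("nmap","")
 final.append(scan_out)
 
-# Vuln Results
 if "vuln" in results_dict: final.append(results_dict["vuln"])
 if "spider" in results_dict: final.append(results_dict["spider"])
-if "zone" in results_dict: final.append(results_dict["zone"])
 
 tech_res = results_dict.get("tech", ("", []))
 if isinstance(tech_res, tuple): final.append(tech_res[0])
@@ -334,4 +349,4 @@ def scan_target(domain, mode="basic", custom_flags="", previous_result=None, web
 score = calculate_risk_score(full_text)
 label = "CRITICAL" if score > 70 else "MEDIUM" if score > 30 else "LOW"
 
-return f"\n[★] RISK SCORE: {score}/100 ({label})\n" + "-"*40 + "\n" + full_text
+return f"\n[★] RISK SCORE: {score}/100 ({label})\n" + "-"*40 + "\n" + full_text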
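Review bot: In `find_subdomains` (hunk `@@ -129,11 +134,25 @@`), `valid = [s for s in subs if domain in s]` is a plain substring test, so a crt.sh result such as `notexample.com` or `example.com.evil.net` (illustrative names) passes as a subdomain of `example.com` and the report attributes hosts outside the target's scope to it; a suffix match keeps the list in scope: `valid = [s for s in subs if s == domain or s.endswith("." + domain)]`. The line above it keeps only `split('\n')[0]`, which silently discards the remaining names when a crt.sh `name_value` entry lists several on separate lines; collecting every line, `subs = {n for e in data for n in e.get('name_value', '').split('\n')}`, keeps the passive scan complete and also replaces the `KeyError` on a malformed entry with an empty string. `sorted(list(valid))` can be `sorted(valid)` since `valid` is already a list, and the bare `except:` hides everything from a non-JSON crt.sh response to a `KeyboardInterrupt`, so `except Exception:` is the narrowest catch that still yields the "Passive recon failed." line. `find_subdomains` lies entirely within this hunk.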
