Python腳本實現掃描網站子域名及漏洞
完整代碼如下:
scanner.py
#!/usr/bin/env python3
"""
域名漏洞掃描腳本
功能:子域名枚舉、端口掃描、服務識別、常見漏洞檢測
"""
import requests
import socket
import threading
import subprocess
import json
import time
from urllib.parse import urljoin
import dns.resolver
import ssl
import argparse
from concurrent.futures import ThreadPoolExecutor
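class DomainVulnerabilityScanner:
    """Collect basic exposure data for one domain and write a text report.

    The scan consists of a fixed-wordlist subdomain lookup, a TCP connect
    check against a short port list, a TLS certificate check on port 443 and
    a check for missing HTTP security headers. Findings accumulate in
    ``self.results``.
    """

    def __init__(self, domain, threads=50):
        """Store the target and create the empty result structure.

        Args:
            domain: Domain name to assess.
            threads: Worker count used for the DNS and port checks.
        """
        self.domain = domain
        self.threads = threads
        self.results = {
            'domain': domain,
            'subdomains': [],
            'open_ports': [],
            'vulnerabilities': [],
            'services': [],
            'ssl_info': {}
        }

    def subdomain_enumeration(self):
        """Resolve a fixed list of common labels under ``self.domain``.

        Returns:
            The fully qualified names that resolved, in sorted order. The
            same list is stored in ``self.results['subdomains']``.
        """
        print(f"[+] 開始子域名枚舉: {self.domain}")
        # Common subdomain labels.
        common_subdomains = [
            'www', 'mail', 'ftp', 'localhost', 'webmail', 'smtp', 'pop', 'ns1', 'webdisk',
            'ns2', 'cpanel', 'whm', 'autodiscover', 'autoconfig', 'm', 'imap', 'test',
            'blog', 'pop3', 'dev', 'www2', 'admin', 'forum', 'news', 'vpn', 'ns3', 'mail2',
            'new', 'mysql', 'old', 'lists', 'support', 'mobile', 'mx', 'static', 'docs',
            'beta', 'shop', 'sql', 'secure', 'demo', 'cp', 'calendar', 'wiki', 'api',
            'media', 'email', 'images', 'img', 'www1', 'intranet', 'portal', 'video',
            'search', 'cdn', 'remote', 'db', 'forums', 'store', 'relay', 'files',
            'newsletter', 'app', 'apps', 'download', 'uploads', 'dns', 'ns4', 'sftp'
        ]
        found_subdomains = []

        def check_subdomain(subdomain):
            full_domain = f"{subdomain}.{self.domain}"
            try:
                socket.gethostbyname(full_domain)
            except socket.gaierror:
                return
            # list.append from worker threads is safe in CPython.
            found_subdomains.append(full_domain)
            print(f" [+] 發(fā)現(xiàn)子域名: {full_domain}")

        # NOTE: a zone with a wildcard record resolves every candidate, so a
        # full hit list here does not prove that each name is a real host.
        with ThreadPoolExecutor(max_workers=self.threads) as executor:
            executor.map(check_subdomain, common_subdomains)

        # Worker completion order is arbitrary; sort for a stable report.
        found_subdomains.sort()
        self.results['subdomains'] = found_subdomains
        return found_subdomains

    def port_scan(self, host, ports=None):
        """Check which TCP ports on ``host`` accept a connection.

        Args:
            host: Host name or address to check.
            ports: Iterable of port numbers; a built-in list is used when
                omitted.

        Returns:
            A list of ``{'host', 'port', 'service'}`` dicts sorted by port.
            The ``host`` key lets the report attribute each port to the host
            it was found on rather than to the root domain.
        """
        if ports is None:
            ports = [21, 22, 23, 25, 53, 80, 110, 443, 993, 995, 1433, 1521, 3306, 3389, 5432, 5900, 6379, 27017]
        open_ports = []

        def scan_port(port):
            try:
                # The context manager closes the socket on every path,
                # including when connect_ex raises (e.g. resolution failure).
                with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
                    sock.settimeout(3)
                    result = sock.connect_ex((host, port))
            except OSError:
                return
            if result == 0:
                service = self.get_service_name(port)
                open_ports.append({'host': host, 'port': port, 'service': service})
                print(f" [+] {host}:{port} 開放 - {service}")

        print(f"[+] 開始端口掃描: {host}")
        with ThreadPoolExecutor(max_workers=self.threads) as executor:
            executor.map(scan_port, ports)

        open_ports.sort(key=lambda entry: entry['port'])
        return open_ports

    def get_service_name(self, port):
        """Return the conventional service name for ``port``.

        The name comes from a static table keyed by port number only; nothing
        is read from the remote end, so it is a guess rather than an
        identification. Unlisted ports yield ``'Unknown'``.
        """
        service_map = {
            21: 'FTP', 22: 'SSH', 23: 'Telnet', 25: 'SMTP', 53: 'DNS',
            80: 'HTTP', 110: 'POP3', 443: 'HTTPS', 993: 'IMAPS',
            995: 'POP3S', 1433: 'MSSQL', 1521: 'Oracle', 3306: 'MySQL',
            3389: 'RDP', 5432: 'PostgreSQL', 5900: 'VNC', 6379: 'Redis',
            27017: 'MongoDB'
        }
        return service_map.get(port, 'Unknown')

    def check_ssl_vulnerabilities(self, host):
        """Inspect the certificate served on ``host:443``.

        The handshake uses a verifying default context. A certificate that
        fails verification (expired, untrusted issuer, name mismatch) makes
        the handshake itself raise, so that case is recorded as a finding in
        the exception handler; a post-handshake expiry check alone would
        never be reached for an expired certificate.

        On success the certificate summary is stored in
        ``self.results['ssl_info']``. That key holds one entry only, so the
        last host checked overwrites earlier ones.
        """
        print(f"[+] 檢查SSL/TLS配置: {host}")
        try:
            context = ssl.create_default_context()
            with socket.create_connection((host, 443), timeout=5) as sock:
                with context.wrap_socket(sock, server_hostname=host) as ssock:
                    cert = ssock.getpeercert()
                    cipher = ssock.cipher()
            ssl_info = {
                'subject': dict(x[0] for x in cert['subject']),
                'issuer': dict(x[0] for x in cert['issuer']),
                'not_before': cert['notBefore'],
                'not_after': cert['notAfter'],
                'cipher': cipher
            }
            self.results['ssl_info'] = ssl_info
            # Certificate times are GMT; compare in epoch seconds instead of
            # against naive local time.
            if ssl.cert_time_to_seconds(cert['notAfter']) < time.time():
                self.results['vulnerabilities'].append({
                    'type': 'SSL',
                    'severity': 'HIGH',
                    'description': 'SSL證書已過期',
                    'host': host
                })
            print(f" [+] SSL信息: {ssl_info}")
        except ssl.SSLCertVerificationError as e:
            # verify_code 10 is X509_V_ERR_CERT_HAS_EXPIRED.
            if e.verify_code == 10:
                description = 'SSL證書已過期'
            else:
                description = f'SSL證書驗證失敗: {e.verify_message}'
            self.results['vulnerabilities'].append({
                'type': 'SSL',
                'severity': 'HIGH',
                'description': description,
                'host': host
            })
            print(f" [-] SSL檢查失敗: {e}")
        except Exception as e:
            # Best effort: an unreachable or non-TLS port is not a finding.
            print(f" [-] SSL檢查失敗: {e}")

    def web_vulnerability_scan(self, url):
        """Report HTTP security headers missing from the response for ``url``.

        Returns:
            A list of finding dicts (``type``, ``severity``, ``description``,
            ``url``); empty when the request fails.
        """
        print(f"[+] Web漏洞掃描: {url}")
        vulnerabilities = []
        # Check the common security headers.
        try:
            # SECURITY: verify=False skips certificate validation so hosts
            # with broken certificates can still be inspected. The response
            # is therefore unauthenticated and must not be trusted for
            # anything beyond this header check. Redirects are followed, so
            # the headers belong to the final response.
            response = requests.get(url, timeout=10, verify=False)
            headers = response.headers
            security_headers = {
                'X-Frame-Options': '點(diǎn)擊劫 持保護(hù)',
                'X-Content-Type-Options': 'MIME類型嗅探保護(hù)',
                # Browsers have retired the XSS auditor this header
                # controlled; treat its absence as low-value.
                'X-XSS-Protection': 'XSS保護(hù)',
                'Strict-Transport-Security': 'HSTS',
                'Content-Security-Policy': '內(nèi)容安全策略'
            }
            is_https = url.lower().startswith('https://')
            for header, description in security_headers.items():
                # HSTS is ignored when delivered over plain HTTP, so its
                # absence there is not a finding.
                if header == 'Strict-Transport-Security' and not is_https:
                    continue
                if header not in headers:
                    vulnerabilities.append({
                        'type': 'WEB',
                        'severity': 'MEDIUM',
                        'description': f'缺少安全頭: {header} - {description}',
                        'url': url
                    })
        except Exception as e:
            print(f" [-] Web掃描失敗: {e}")
        return vulnerabilities

    def run_full_scan(self):
        """Run every check against the domain and its resolved subdomains.

        Returns:
            ``self.results`` after the report has been written.
        """
        print(f"[*] 開始對 {self.domain} 進(jìn)行漏洞掃描")
        start_time = time.time()
        # Subdomain lookup.
        subdomains = self.subdomain_enumeration()
        # The root domain is checked first, then each subdomain.
        targets = [self.domain] + subdomains
        for target in targets:
            # Port check.
            open_ports = self.port_scan(target)
            self.results['open_ports'].extend(open_ports)
            # TLS check.
            if any(port['port'] == 443 for port in open_ports):
                self.check_ssl_vulnerabilities(target)
            # HTTP header check. 8080/8443 are not in port_scan's default
            # list, so those two only match when that list is extended.
            for port_info in open_ports:
                if port_info['port'] in [80, 443, 8080, 8443]:
                    scheme = 'https' if port_info['port'] in [443, 8443] else 'http'
                    url = f"{scheme}://{target}:{port_info['port']}"
                    web_vulns = self.web_vulnerability_scan(url)
                    self.results['vulnerabilities'].extend(web_vulns)
        # Write the report.
        self.generate_report()
        end_time = time.time()
        print(f"\n[*] 掃描完成! 用時(shí): {end_time - start_time:.2f}秒")
        return self.results

    def generate_report(self):
        """Render ``self.results`` as text, save it to a file and return it.

        The file is created in the current working directory. The domain is
        reduced to letters, digits, ``.``, ``_`` and ``-`` before it is used
        in the file name, so a value containing path separators cannot place
        the report outside that directory.
        """
        subdomain_lines = '\n'.join(' - ' + sub for sub in self.results['subdomains'])
        port_lines = '\n'.join(
            f" - {item.get('host', self.domain)}:{item['port']} ({item['service']})"
            for item in self.results['open_ports']
        )
        report = f"""
域名漏洞掃描報(bào)告
================
目標(biāo)域名: {self.results['domain']}
掃描時(shí)間: {time.strftime('%Y-%m-%d %H:%M:%S')}
發(fā)現(xiàn)子域名 ({len(self.results['subdomains'])}個(gè)):
{subdomain_lines}
開放端口:
{port_lines}
發(fā)現(xiàn)漏洞 ({len(self.results['vulnerabilities'])}個(gè)):
"""
        for i, vuln in enumerate(self.results['vulnerabilities'], 1):
            report += f"""
{i}. 類型: {vuln['type']}
嚴(yán)重性: {vuln['severity']}
描述: {vuln['description']}
目標(biāo): {vuln.get('host', vuln.get('url', 'N/A'))}
"""
        # Save the report under a file name built from a sanitized domain.
        safe_domain = ''.join(
            ch if ch.isalnum() or ch in '._-' else '_' for ch in str(self.domain)
        )
        filename = f"scan_report_{safe_domain}_{int(time.time())}.txt"
        with open(filename, 'w', encoding='utf-8') as f:
            f.write(report)
        print(f"[+] 報(bào)告已保存至: {filename}")
        return report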
def main():
    """Parse the command line, run the full scan and print a count summary."""
    cli = argparse.ArgumentParser(description='域名漏洞掃描器')
    cli.add_argument('domain', help='要掃描的域名')
    cli.add_argument('-t', '--threads', type=int, default=50, help='線程數(shù) (默認(rèn): 50)')
    options = cli.parse_args()

    summary = DomainVulnerabilityScanner(options.domain, options.threads).run_full_scan()

    # Print the summary between two separator rules.
    rule = '=' * 50
    print(f"\n{rule}")
    print("掃描摘要:")
    for label, key in (
        ('子域名', 'subdomains'),
        ('開放端口', 'open_ports'),
        ('發(fā)現(xiàn)漏洞', 'vulnerabilities'),
    ):
        print(f"{label}: {len(summary[key])}個(gè)")
    print(f"{rule}")
if __name__ == "__main__":
    main()

掃描效果:



