-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathscan_log.py
357 lines (315 loc) · 14.6 KB
/
scan_log.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
#!/usr/bin/python
# Attention: Tool is far away from being perfect, so don't rely a 100 percent on it.
# A BIG "Thank you!" to all who publish their awesome Python
# scripts online and help other ppl learning this language.
-file
# Modify, distribute, share and copy this code in any way you like!
# Power to the cows!
import sys, string, re, time
from time import strftime, localtime
def print_usage():
print ""
print ""
print "________________________________________________"
print "Simple Log File Analyzer"
print "by Valentin Hoebel ([email protected])"
print ""
print "Version 1.0 (6th June 2010) ^__^" -file
print " (oo)\________"
print " (__)\ )\/\ "
print " ||----w |"
print "Power to teh cows! || ||"
print "________________________________________________"
print ""
print "[!] Use parameter --help for help!"
print ""
print ""
return
def print_help():
print ""
print ""
print "________________________________________________"
print "Simple Log File Analyzer"
print "by Valentin Hoebel ([email protected])"
print ""
print "Version 1.0 (6th June 2010) ^__^"
print " (oo)\________"
print " (__)\ )\/\ "
print " ||----w |"
print "Power to teh cows! || ||"
print "________________________________________________"
print ""
print "The Simple Log File Analyzer helps you to find"
print "common hack attempts within your webserver log."
print ""
print "Supported attacks:"
print " - SQL Injection"
print " - Local File Inclusion"
print " - Remote File Inclusion"
print " - Cross-Site Scripting"
print ""
print "This scanner doesn't find everything so don't"
print "rely on it!"
print ""
print "Usage example:"
print "scan_log.py -file vhost_access.log"
print ""
print "Options:"
print " -file <file> (starts the main analyzing function"
print " --help (displays this text)"
print ""
print "Features:"
print " - Error handling"
print " - Scan a log file for four different attack types"
print " - Display a short scan report"
print " - Write scan results to a new log file"
print " - Easy to use (everything is simple and automated)"
print ""
print "Additional information:"
print "I only tested this tool with Apache2 log files (up to 2000 lines)."
print "It may happen that the tool crashes when the provided log"
print "file is too big or contains too many lines/characters."
print "Scanning a 4000 lines log file only takes one second."
print ""
print "Hint: The XSS discovery feature is a little bit buggy."
print ""
print ""
return
def print_banner():
print ""
print ""
print "________________________________________________"
print "Simple Log File Analyzer"
print "by Valentin Hoebel ([email protected])"
print ""
print "Version 1.0 (6th June 2010) ^__^"
print " (oo)\________"
print " (__)\ )\/\ "
print " ||----w |"
print "Power to teh cows! || ||"
print "________________________________________________"
return
# Define the function for analyzing log files
def analyze_log_file(provided_file):
# Defining some important vars
sqli_found_list = {}
lfi_found_list = {}
rfi_found_list = {}
xss_found_list = {}
# I know, there are better methods for doing/defining this...
sql_injection_1 = "UNION"
sql_injection_2 = "ORDER"
sql_injection_3 = "GROUP"
local_file_inclusion_1 = "/etc/passwd"
local_file_inclusion_2 = "/etc/passwd%20"
local_file_inclusion_3 = "=../"
remote_file_inclusion_1 = "c99"
remote_file_inclusion_2 = "=http://"
cross_site_scripting_1 = "XSS"
cross_site_scripting_2 = "alert"
cross_site_scripting_3 = "String.fromCharCode"
cross_site_scripting_4 = "iframe"
cross_site_scripting_5 = "javascript"
print "[i] >>", provided_file
print "[i] Assuming you provided a readable log file."
print "[i] Trying to open the log file now."
print ""
# Opening the log file
try:
f = open(provided_file, "r")
except IOError:
print "[!] The file doesn't exist."
print "[!] Exiting now!"
print ""
sys.exit(1)
print "[i] Opening the log file was successfull."
print "[i] Moving on now..."
print ""
# Storing every single line in a list
line_list = [line for line in f]
max_lines = len(line_list)
print "[i] The file contains", max_lines, "lines."
print "[i] Now looking for possible hack attempts..."
# Viewing every single line
for x in xrange(1, max_lines):
current_line = line_list[x:x+1]
# For some strange list behaviour we convert the list into a string
current_line_string = "".join(current_line)
# Search for SQL injections
find_sql_injection_1 = re.findall(sql_injection_1, current_line_string)
if len(find_sql_injection_1) != 0:
sqli_found_list[x+1] = current_line_string
else:
find_sql_injection_2 = re.findall(sql_injection_2, current_line_string)
if len(find_sql_injection_2) != 0:
sqli_found_list[x+1] = current_line_string
else:
find_sql_injection_3 = re.findall(sql_injection_3, current_line_string)
if len(find_sql_injection_3) != 0:
sqli_found_list[x+1] = current_line_string
# Search for local file inclusions
find_local_file_inclusion_1 = re.findall(local_file_inclusion_1, current_line_string)
if len(find_local_file_inclusion_1) != 0:
lfi_found_list[x+1] = current_line_string
else:
find_local_file_inclusion_2 = re.findall(local_file_inclusion_2, current_line_string)
if len(find_local_file_inclusion_2) != 0:
lfi_found_list[x+1] = current_line_string
else:
find_local_file_inclusion_3 = re.findall(local_file_inclusion_3, current_line_string)
if len(find_local_file_inclusion_3) != 0:
lfi_found_list[x+1] = current_line_string
# Search for remote file inclusions
find_remote_file_inclusion_1 = re.findall(remote_file_inclusion_1, current_line_string)
if len(find_remote_file_inclusion_1) != 0:
rfi_found_list[x+1] = current_line_string
else:
find_remote_file_inclusion_2 = re.findall(remote_file_inclusion_2, current_line_string)
if len(find_remote_file_inclusion_2) != 0:
rfi_found_list[x+1] = current_line_string
# Search for cross-site scripting attempts
find_cross_site_scripting_1 = re.findall(cross_site_scripting_1, current_line_string)
if len(find_cross_site_scripting_1) != 0:
xss_found_list[x+1] = current_line_string
else:
find_cross_site_scripting_2 = re.findall(cross_site_scripting_2, current_line_string)
if len(find_cross_site_scripting_2) != 0:
xss_found_list[x+1] = current_line_string
else:
find_cross_site_scripting_3 = re.findall(cross_site_scripting_3, current_line_string)
if len(find_cross_site_scripting_3) != 0:
xss_found_list[x+1] = current_line_string
else:
find_cross_site_scripting_4= re.findall(cross_site_scripting_4, current_line_string)
if len(find_cross_site_scripting_4) != 0:
xss_found_list[x+1] = current_line_string
else:
find_cross_site_scripting_5 = re.findall(cross_site_scripting_5, current_line_string)
if len(find_cross_site_scripting_5) != 0:
xss_found_list[x+1] = current_line_string
# Close the file we opened recently
f.close()
# Generating a short report
print "[i] Done."
print ""
print "[#] Simple report for analyzed log file"
check_for_sqli_attempts = len(sqli_found_list)
if check_for_sqli_attempts > 0:
print "[!]", check_for_sqli_attempts, "SQL injection attempt(s) was/were found."
else:
print "[+] No SQL injection attempt was found."
check_for_lfi_attempts = len(lfi_found_list)
if check_for_lfi_attempts > 0:
print "[!]", check_for_lfi_attempts, "local file inclusion attempt(s) was/were found."
else:
print "[+] No local file inclusion attempt was found."
check_for_rfi_attempts = len(rfi_found_list)
if check_for_rfi_attempts > 0:
print "[!]", check_for_rfi_attempts, "remote file inclusion attempt(s) was/were found."
else:
print "[+] No remote file inclusion attempt was found."
check_for_xss_attempts = len(xss_found_list)
if check_for_xss_attempts > 0:
print "[!]", check_for_xss_attempts, "cross-site scripting attempt(s) was/were found."
else:
print "[+] No crosse-site scripting attempt was found."
# Now generate the report
print ""
print "[i] Generating report..."
# Define variables for the report name
time_string = strftime("%a_%d_%b_%Y_%H_%M_%S", localtime())
time_string_for_report = strftime("%a the %d %b %Y, %H:%M:%S", localtime())
name_of_report_file = provided_file + "_scan_report_from_" + time_string
# Convert the ints to strings
sqli_numbers = str(check_for_sqli_attempts)
lfi_numbers = str(check_for_lfi_attempts)
rfi_numbers = str(check_for_rfi_attempts)
xss_numbers = str(check_for_xss_attempts)
# Create the file
generated_report = open(name_of_report_file, "w")
# Write the content
generated_report.write("\n")
generated_report.write("Simple Log File Analyzer\n")
generated_report.write("by Valentin Hoebel ([email protected])\n")
generated_report.write("\n")
generated_report.write("Version 1.0 (6th June 2010) ^__^\n")
generated_report.write(" (oo)\________\n")
generated_report.write(" (__)\ )\/\ \n")
generated_report.write(" ||----w |\n")
generated_report.write("Power to teh cows! || ||\n")
generated_report.write("________________________________________________\n")
generated_report.write("\n")
generated_report.write("Scan report for " +provided_file + " on " + time_string_for_report + "\n")
generated_report.write("Hint: XSS attempt discovery feature might be a little bit buggy.\n")
generated_report.write("\n")
generated_report.write("\n")
generated_report.write("Number of possible SQL injection attempts found: " + sqli_numbers + "\n")
generated_report.write("Number of possible local file inclusion attempts found: " + lfi_numbers + "\n")
generated_report.write("Number of possible remote file inclusion attempts found: " + rfi_numbers + "\n")
generated_report.write("Number of possible cross-site scripting attempts found: " + xss_numbers + "\n")
generated_report.write("\n")
generated_report.write("\n")
if len(sqli_found_list) != 0:
sqli_found_list_string = ""
sqli_found_list_string = "".join(str(sqli_found_list))
generated_report.write("Details for the SQL injection attempts (line, log entry)\n")
generated_report.write("------------------------------------------------\n")
generated_report.write(sqli_found_list_string)
generated_report.write("\n")
generated_report.write("\n")
generated_report.write("\n")
if len(lfi_found_list) != 0:
lfi_found_list_string = ""
lfi_found_list_string = "".join(str(lfi_found_list))
generated_report.write("Details for the local file inclusion attempts (line, log entry)\n")
generated_report.write("------------------------------------------------\n")
generated_report.write(lfi_found_list_string)
generated_report.write("\n")
generated_report.write("\n")
generated_report.write("\n")
if len(rfi_found_list) != 0:
rfi_found_list_string = ""
rfi_found_list_string = "".join(str(rfi_found_list))
generated_report.write("Details for the remote file inclusion attempts (line, log entry)\n")
generated_report.write("------------------------------------------------\n")
generated_report.write(rfi_found_list_string)
generated_report.write("\n")
generated_report.write("\n")
generated_report.write("\n")
if len(xss_found_list) != 0:
xss_found_list_string = ""
xss_found_list_string = "".join(str(xss_found_list))
generated_report.write("Details for the cross-site scripting attempts (line, log entry)\n")
generated_report.write("------------------------------------------------\n")
generated_report.write(xss_found_list_string)
generated_report.write("\n")
generated_report.write("\n")
generated_report.write("\n")
# Close the file
generated_report.close()
print "[i] Finished writing the report."
print "[i] Hint: The report file can become quite large."
print "[i] Hint: The XSS attempt discovery feature might be a little bit buggy."
print ""
print "[i] That's it, bye!"
print ""
print ""
return
# End of the log file function
# Checking if argument was provided
if len(sys.argv) <=1:
print_usage()
sys.exit(1)
for arg in sys.argv:
# Checking if help was called
if arg == "--help":
print_help()
sys.exit(1)
# Checking if a log file was provided, if yes -> go!
if arg == "-file":
provided_file = sys.argv[2]
print_banner()
# Start the main analyze function
analyze_log_file(provided_file)
sys.exit(1)
### EOF ###