• 闲的无聊时候就手动写第一个漏洞扫描工具吧!


    上课太无聊了,今天就用python写个漏洞扫描器玩玩,原理是先检测漏洞,在扫描备份,文件结果自动保存在当前目录

    主要就是:信息获取、模拟攻击。

    网络漏洞扫描对目标系统进行漏洞检测时,首先探测目标系统的存活主机,对存活主机进行端口扫描,确定系统开放的端口,同时根据协议指纹技术识别出主机的操作系统类型。然后扫描器对开放的端口进行网络服务类型的识别,确定其提供的网络服务。漏洞扫描器根据目标系统的操作系统平台和提供的网络服务,调用漏洞资料库中已知的各种漏洞进行逐一检测,通过对探测响应数据包的分析判断是否存在漏洞。

    因此,只要我们认真研究各种漏洞,知道它们的探测特征码和响应特征码就可以利用软件来实现对各种已知漏洞的模拟。

    由于漏洞模拟系统实际上是分析扫描器发出的探测包中的是否含有探测特征码并返回具有相应响应特征码的数据包。因此,对每一个漏洞,探测特征码和响应特征码是两项必需的描述。

    采用数据库技术可以方便地向漏洞资料库中添加新发现的漏洞,使漏洞模拟软件能够不断地更新漏洞资料库,可以更加有效地测试扫描器对安全漏洞的检测能力。(我在这里,由于技术原因没有建立数据库而是用文本文件保存的特征码。)

    config.txt是配置文件

    url.txt是要扫描的url

    内部配置相关的常见编辑器漏洞和svn源码泄露漏洞

    多线程运行

    程序的思路是

    附上config.txt

    /a.zip
    /web.zip
    /web.rar
    /1.rar
    /bbs.rar
    /www.root.rar
    /123.rar
    /data.rar
    /bak.rar
    /oa.rar
    /admin.rar
    /www.rar
    /2014.rar
    /2015.rar
    /2016.rar
    /2014.zip
    /2015.zip
    /2016.zip
    /1.zip
    /1.gz
    /1.tar.gz 
    /2.zip
    /2.rar
    /123.rar 
    /123.zip
    /a.rar  
    /a.zip  
    /admin.rar 
    /back.rar 
    /backup.rar 
    /bak.rar   
    /bbs.rar   
    /bbs.zip
    /beifen.rar 
    /beifen.zip
    /beian.rar
    /data.rar   
    /data.zip   
    /db.rar      
    /db.zip
    /flashfxp.rar  
    /flashfxp.zip  
    /fdsa.rar
    /ftp.rar   
    /gg.rar
    /hdocs.rar
    /hdocs.zip
    /HYTop.mdb
    /root.rar 
    /Release.rar
    /Release.zip
    /sql.rar 
    /test.rar
    /template.rar
    /template.zip
    /upfile.rar  
    /vip.rar 
    /wangzhan.rar
    /wangzhan.zip
    /web.rar    
    /web.zip    
    /website.rar  
    /www.rar    
    /www.zip       
    /wwwroot.rar   
    /wwwroot.zip   
    /wz.rar         
    /备份.rar      
    /网站.rar       
    /新建文件夹.rar  
    /新建文件夹.zip

    漏洞扫描工具.py

    # -*- coding:utf-8 -*-
    import requests
    import time
    import Queue
    import threading
    import urllib2
    import socket
    timeout=3
    socket.setdefaulttimeout(timeout)
    q = Queue.Queue()
    time.sleep(5)
    headers={'User-Agent':'Mozilla/5.0 (Windows NT 6.3; WOW64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102Safari/537.36'}
    f1 = open('url.txt','r')
    f2 = f1.readlines()
    f1.close()
    f3 = open('result.txt','a+')
    f9 = open('config.txt','r')  #配置文件载入
    f4 = f9.readlines()
    f9.close()
    
    def rarzip():       #开始构建扫描函数
        try:    #域名rarzip扫描
            print yumingrar
            reqryumingrar = urllib2.Request(url=yumingrar,headers=headers)
            ryumingrar = urllib2.urlopen(reqryumingrar)
            if ryumingrar.code == 200:
                metarar = ryumingrar.info()
                sizerar = str(metarar.getheaders("Content-Length")[0])  #文件大小
                sizerar1 = int(metarar.getheaders("Content-Length")[0])
                if sizerar1 > 8888:
                    print '★★★★★Found A Success Url Maybe backups★★★★★'
                    print yumingrar
                    print 'Size:' + sizerar + 'Kbs'
                    f3.write(yumingrar + '----------' + sizerar + 'Kbs' + '
    ')
                else:
                    print '888 Safe Dog I Fuck You 888'
            else:
                print '[+]Pass.........................'
        except:
            pass
        try:
            print yumingzip
            reqryumingzip = urllib2.Request(url=yumingzip,headers=headers)
            ryumingzip = urllib2.urlopen(reqryumingrar)
            if ryumingzip.code == 200:
                metazip = ryumingrar.info()
                sizezip = str(metazip.getheaders("Content-Length")[0])
                sizezip1 = int(metazip.getheaders("Content-Length")[0])
                if sizezip1 > 8888:
                    print '★★★★★Found A Success Url Maybe backups★★★★★'
                    print yumingzip
                    print 'Size:' + sizezip + 'Kbs' 
                    f3.write(yumingzip + '----------' + sizezip + 'Kbs' + '
    ')
                else:
                    print '888 Safe Dog I Fuck You 888'
            else:
                print '[+]Pass.........................'
        except:
            pass
    
    def svn():  
        try:    #svn漏洞扫描
            print yumingsvn
            ryumingsvn = requests.get(url=yumingsvn,headers=headers,allow_redirects=False,timeout=3)
            if ryumingsvn_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(yumingsvn + '      【SVN源码泄露漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
    
    def eweb():
        try:    #ewebeditor漏洞扫描
            print '---------------Ewebeditor Vulnerability Scan---------------'
            print eweb1
            reweb1 = requests.get(url=eweb1,headers=headers,allow_redirects=False,timeout=3)
            if reweb1_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(eweb1 + '      【Ewebeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print eweb2
            reweb2 = requests.get(url=eweb2,headers=headers,allow_redirects=False,timeout=3)
            if reweb2_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(eweb2 + '      【Ewebeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print eweb3
            reweb3 = requests.get(url=eweb3,headers=headers,allow_redirects=False,timeout=3)
            if reweb3_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(eweb3 + '      【Ewebeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print eweb4
            reweb4 = requests.get(url=eweb4,headers=headers,allow_redirects=False,timeout=3)
            if reweb4_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(eweb4 + '      【Ewebeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print eweb5
            reweb5 = requests.get(url=eweb5,headers=headers,allow_redirects=False,timeout=3)
            if reweb5_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(eweb5 + '      【Ewebeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print eweb6
            reweb6 = requests.get(url=eweb6,headers=headers,allow_redirects=False,timeout=3)
            if reweb6_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(eweb6 + '      【Ewebeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
    
    #fckeditor漏洞扫描
    def fck():
        try:
            print '---------------Fckeditor Vulnerability Scan---------------'
            print fck1
            rfck1 = requests.get(url=fck1,headers=headers,allow_redirects=False,timeout=3)
            if rfck1_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(fck1 + '      【Fckeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print fck2
            rfck2 = requests.get(url=fck2,headers=headers,allow_redirects=False,timeout=3)
            if rfck2_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(fck2 + '      【Fckeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print fck3
            rfck3 = requests.get(url=fck3,headers=headers,allow_redirects=False,timeout=3)
            if rfck3_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(fck3 + '      【Fckeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print fck4
            rfck4 = requests.get(url=fck4,headers=headers,allow_redirects=False,timeout=3)
            if rfck4_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(fck4 + '      【Fckeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print fck5
            rfck5 = requests.get(url=fck5,headers=headers,allow_redirects=False,timeout=3)
            if rfck5_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(fck5 + '      【Fckeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
        try:
            print fck6
            rfck6 = requests.get(url=fck6,headers=headers,allow_redirects=False,timeout=3)
            if rfck6_status == 200:
                print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
                f3.write(fck6 + '      【Fckeditor编辑器漏洞】' + '
    ')
            else:
                print '[+]Pass.........................'
        except:
            print "[+]Can not connect url"
            pass
    for i in f2:
        c = i.strip('
    ')
        print c
        try:
            ceshi = requests.get(url=c,headers=headers,allow_redirects=False,timeout=3)
            if ceshi.status_code == 200:
                a = c.split(".",2)[1]  #获取主域名
                yumingrar = c + '/' + a + '.rar'  #构造域名 + zip 的备份
                yumingzip = c + '/' + a + '.zip'
                rarzip()
                #开始对一系列特殊漏洞后缀构造url
                yumingsvn = c + '/.svn/entries'  #svn漏洞
                svn()
                eweb1 = c + '/editor/editor/filemanager/browser/default/connectors/test.html'   #ewebeditor编辑器漏洞
                eweb2 = c + '/editor/editor/filemanager/connectors/test.html'
                eweb3 = c + '/editor/editor/filemanager/connectors/uploadtest.html'
                eweb4 = c + '/html/db/ewebeditor.mdb'
                eweb5 = c + '/db/ewebeditor.mdb'
                eweb6 = c + '/db/ewebeditor.asp'
                eweb()
                fck1 = c + '/fckeditor/editor/filemanager/browser/default/connectors/test.html'  #fckeditor编辑器漏洞
                fck2 = c + '/fckeditor/editor/filemanager/connectors/test.html'
                fck3 = c + '/FCKeditor/editor/filemanager/connectors/uploadtest.html'
                fck4 = c + '/FCKeditor/editor/filemanager/upload/test.html'
                fck5 = c + '/fckeditor/editor/filemanager/browser/default/browser.html'
                fck6 = c + '/FCKeditor/editor/fckeditor.html'
                fck()
            else:
                pass
        except:
            print "NO USE URL WHAT FUCK A BIG URL"
            pass
    
    for i in f2:
        c = i.strip('
    ')
        try:
            ce = requests.get(url=c,headers=headers,allow_redirects=False,timeout=3)
            if ce.status_code == 200:
                q.put(c)
            else:
                pass
        except:
            print "NO USE URL WHAT FUCK A BIG URL"
            pass
    def starta():
        print '---------------Start Backups Scan---------------'    #开始从字典载入了~
        while not q.empty():
                zhaohan = q.get()  #url网址载入队列了
                for f5 in f4:
                    f6 = f5.strip('
    ')  #正确的备份内容     
                    urlx = zhaohan + f6  #正确的网址 + 备份
                    print urlx
                    try:
                        req = urllib2.Request(url=urlx,headers=headers)
                        response = urllib2.urlopen(req)
                        if response.code == 200:
                            meta = response.info()
                            sizes = str(meta.getheaders("Content-Length")[0])
                            sizess = int(meta.getheaders("Content-Length")[0])
                            if sizess < 8888:
                                print '888  Safe Dog I Fuck You  888'
                            else:
                                print '★★★★★Found A Success Url Maybe backups★★★★★'
                                print 'Size:' + sizes + 'Kbs'
                                f3.write(urlx + '----------' + sizes + '
    ')
                        else:
                            print '[+]Pass.........................'
                    except:
                        pass
    thread1 = threading.Thread(target = starta())
    thread1.start()
    f3.close()
    print '--------------------------------------------------------------------'
    print '--------------------------------OVER--------------------------------'
    print '--------------------------------------------------------------------'
    time.sleep(10)
    exit() 

    看样子效果还是挺明显的:

    然后看了看大神们写的,发现了一种比较精简的写法:

    把目标的域名收集全就可以自动化刷src。
     
    根据规则来扫描一些路径,比如Tomcat,Jboss,weblogic,svn,Jenkins,备份文件等等,跟一般的后台目录扫描不一样。所以后面如果想要指定扫描的类型可以自由添加。
     
    如果rule规则有需要增加的,麻烦再帖子后面评论+规则,代码需要修改完善的请私我。
     
    dirFinder.py 是扫描脚本
    rule.txt 是规则,可以自由添加。打开的时候用editplus、notepad++等,如果用自带记事本会没有换行。
    url.txt 是需要扫描的URL地址
    扫描结果会自动生成到vulurl.txt文件中
    rule.txt如下:
    /wls-wsat/CoordinatorPortType
    /wls-wsat/CoordinatorPortType11
    :9443/wls-wsat/CoordinatorPortType
    :9443/wls-wsat/CoordinatorPortType11
    :8470/wls-wsat/CoordinatorPortType
    :8470/wls-wsat/CoordinatorPortType11
    :8447/wls-wsat/CoordinatorPortType
    :8447/wls-wsat/CoordinatorPortType11
    :8080
    :8007
    /asynchPeople
    /manage
    /script
    :8080/jenkins
    :8007/jenkins
    /jenkins
    /.svn/entries
    /.svn
    /console/
    /manager
    :8080/manager
    :8080/manager/html
    /manager/html
    /invoker/JMXInvokerServlet
    /invoker
    :8080/jmx-console/
    /jmx-console/
    /robots.txt
    /system
    /wls-wsat/CoordinatorPortType
    /wsat/CoordinatorPortType
    /wls-wsat/CoordinatorPortType11
    /wsat/CoordinatorPortType11
    /examples/
    /examples/servlets/servlet/SessionExample
    /solr/
    /.git/config
    /.git/index
    /.git/HEAD
    /WEB-INF/
    /core
    /old.zip
    /old.rar
    /old.tar.gz
    /old.tar.bz2
    /old.tgz
    /old.7z
    /temp.zip
    /temp.rar
    /temp.tar.gz
    /temp.tgz
    /temp.tar.bz2
    /package.zip
    /package.rar
    /package.tar.gz
    /package.tgz
    /package.tar.bz2
    /tmp.zip
    /tmp.rar
    /tmp.tar.gz
    /tmp.tgz
    /tmp.tar.bz2
    /test.zip
    /test.rar
    /test.tar.gz
    /test.tgz
    /test.tar.bz2
    /backup.zip
    /backup.rar
    /backup.tar.gz
    /backup.tgz
    /back.tar.bz2
    /db.zip
    /db.rar
    /db.tar.gz
    /db.tgz
    /db.tar.bz2
    /db.log
    /db.inc
    /db.sqlite
    /db.sql.gz
    /dump.sql.gz
    /database.sql.gz
    /backup.sql.gz
    /data.zip
    /data.rar
    /data.tar.gz
    /data.tgz
    /data.tar.bz2
    /database.zip
    /database.rar
    /database.tar.gz
    /database.tgz
    /database.tar.bz2
    /ftp.zip
    /ftp.rar
    /ftp.tar.gz
    /ftp.tgz
    /ftp.tar.bz2
    /log.txt
    /log.tar.gz
    /log.rar
    /log.zip
    /log.tgz
    /log.tar.bz2
    /log.7z
    /logs.txt
    /logs.tar.gz
    /logs.rar
    /logs.zip
    /logs.tgz
    /logs.tar.bz2
    /logs.7z
    /web.zip
    /web.rar
    /web.tar.gz
    /web.tgz
    /web.tar.bz2
    /www.log
    /www.zip
    /www.rar
    /www.tar.gz
    /www.tgz
    /www.tar.bz2
    /wwwroot.zip
    /wwwroot.rar
    /wwwroot.tar.gz
    /wwwroot.tgz
    /wwwroot.tar.bz2
    /output.zip
    /output.rar
    /output.tar.gz
    /output.tgz
    /output.tar.bz2
    /admin.zip
    /admin.rar
    /admin.tar.gz
    /admin.tgz
    /admin.tar.bz2
    /upload.zip
    /upload.rar
    /upload.tar.gz
    /upload.tgz
    /upload.tar.bz2
    /website.zip
    /website.rar
    /website.tar.gz
    /website.tgz
    /website.tar.bz2
    /package.zip
    /package.rar
    /package.tar.gz
    /package.tgz
    /package.tar.bz2
    /sql.log
    /sql.zip
    /sql.rar
    /sql.tar.gz
    /sql.tgz
    /sql.tar.bz2
    /sql.7z
    /sql.inc
    /data.sql
    /qq.sql
    /tencent.sql
    /database.sql
    /db.sql
    /test.sql
    /admin.sql
    /backup.sql
    /user.sql
    /sql.sql
    /index.zip
    /index.7z
    /index.bak
    /index.rar
    /index.tar.tz
    /index.tar.bz2
    /index.tar.gz
    /dump.sql
    /old.zip
    /old.rar
    /old.tar.gz
    /old.tar.bz2
    /old.tgz
    /old.7z
    /1.tar.gz
    /a.tar.gz
    /x.tar.gz
    /o.tar.gz
    /conf/conf.zip
    /conf.tar.gz
    /qq.pac
    /tencent.pac
    /server.cfg
    /deploy.tar.gz
    /build.tar.gz
    /install.tar.gz
    /secu-tcs-agent-mon-safe.sh
    /password.tar.gz
    /site.tar.gz
    /tenpay.tar.gz
    /rsync_log.sh
    /rsync.sh
    /webroot.zip
    /tools.tar.gz
    /users.tar.gz
    /webserver.tar.gz
    /htdocs.tar.gz
    /admin/
    /admin.php
    /admin.do
    /login.php
    /login.do
    /admin.html
    /manage/
    /server-status
    /login/
    /fckeditor/_samples/default.html
    /ckeditor/samples/
    /fck/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
    /fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
    /app/config/database.yml
    /database.yml
    /sqlnet.log
    /database.log
    /db.log
    /db.conf
    /db.ini
    /logs.ini
    /upload.do
    /upload.jsp
    /upload.php
    /upfile.php
    /upload.html
    /upload.cgi
    /jmx-console/HtmlAdaptor
    /cacti/
    /zabbix/
    /jira/
    /jenkins/static/f3a41d2f/css/style.css
    /static/f3a41d2f/css/style.css
    /exit
    /memadmin/index.php
    /phpmyadmin/index.php
    /pma/index.php
    /ganglia/
    /_phpmyadmin/index.php
    /pmadmin/index.php
    /config/config_ucenter.php.bak
    /config/.config_ucenter.php.swp
    /config/.config_global.php.swp
    /config/config_global.php.1
    /uc_server/data/config.inc.php.bak
    /config/config_global.php.bak
    /include/config.inc.php.tmp
    /access.log
    /error.log
    /log/access.log
    /log/error.log
    /log/log.log
    /logs/error.log
    /logs/access.log
    /error.log
    /errors.log
    /debug.log
    /log
    /logs
    /debug.txt
    /debug.out
    /.bash_history
    /.rediscli_history
    /.bashrc
    /.bash_profile
    /.bash_logout
    /.vimrc
    /.DS_Store
    /.history
    /.htaccess
    /htaccess.bak
    /.htpasswd
    /.htpasswd.bak
    /htpasswd.bak
    /nohup.out
    /.idea/workspace.xml
    /.mysql_history
    /httpd.conf
    /web.config
    /shell.php
    /1.php
    /spy.php
    /phpspy.php
    /webshell.php
    /angle.php
    /resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/profile
    /resin-doc/viewfile/?contextpath=/&servletpath=&file=index.jsp
    /application/configs/application.ini
    /wp-login.php
    /wp-config.inc
    /wp-config.bak
    /wp-config.php~
    /.wp-config.php.swp
    /wp-config.php.bak
    /.ssh/known_hosts
    /.ssh/known_hosts
    /.ssh/id_rsa
    /id_rsa
    /.ssh/id_rsa.pub
    /.ssh/id_dsa
    /id_dsa
    /.ssh/id_dsa.pub
    /.ssh/authorized_keys
    /owa/
    /ews/
    /readme
    /README
    /readme.md
    /readme.html
    /changelog.txt
    /data.txt
    /CHANGELOG.txt
    /CHANGELOG.TXT
    /install.txt
    /install.log
    /install.sh
    /deploy.sh
    /install.txt
    /INSTALL.TXT
    /config.php
    /config/config.php
    /config.inc
    /config.inc.php
    /config.inc.php.1
    /config.php.bak
    /db.php.bak
    /conf/config.ini
    /config.ini
    /config/config.ini
    /configuration.ini
    /configs/application.ini
    /settings.ini
    /application.ini
    /conf.ini
    /app.ini
    /config.json
    /output
    /a.out
    /test
    /tmp
    /temp
    /user.txt
    /users.txt
    /key
    /keys
    /key.txt
    /keys.txt
    /pass.txt
    /passwd.txt
    /password.txt
    /pwd.txt
    /php.ini
    /sftp-config.json
    /index.php.bak
    /.index.php.swp
    /index.cgi.bak
    /config.inc.php.bak
    /.config.inc.php.swp
    /config/.config.php.swp
    /.config.php.swp
    /app.cfg
    /setup.sh
    /../../../../../../../../../../../../../etc/passwd
    /../../../../../../../../../../../../../etc/hosts
    /../../../../../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
    /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/hosts
    /..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
    /..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd
    /%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
    //././././././././././././././././././././././././../../../../../../../../etc/passwd
    /etc/passwd
    /file:///etc/passwd
    /etc/hosts
    /aa/../../cc/../../bb/../../dd/../../aa/../../cc/../../bb/../../dd/../../bb/../../dd/../../bb/../../dd/../../bb/../../dd/../../ee/../../etc/hosts
    /proc/meminfo
    /etc/profile
    /resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
    /WEB-INF/web.xml
    /WEB-INF/web.xml.bak
    /WEB-INF/applicationContext.xml
    /WEB-INF/applicationContext-slave.xml
    /WEB-INF/config.xml
    /WEB-INF/spring.xml
    /WEB-INF/struts-config.xml
    /WEB-INF/struts-front-config.xml
    /WEB-INF/struts/struts-config.xml
    /WEB-INF/classes/spring.xml
    /WEB-INF/classes/struts.xml
    /WEB-INF/classes/struts_manager.xml
    /WEB-INF/classes/conf/datasource.xml
    /WEB-INF/classes/data.xml
    /WEB-INF/classes/config/applicationContext.xml
    /WEB-INF/classes/applicationContext.xml
    /WEB-INF/classes/conf/spring/applicationContext-datasource.xml
    /WEB-INF/config/db/dataSource.xml
    /WEB-INF/spring-cfg/applicationContext.xml
    /WEB-INF/dwr.xml
    /WEB-INF/classes/hibernate.cfg.xml
    /WEB-INF/classes/rabbitmq.xml
    /WEB-INF/database.properties
    /WEB-INF/web.properties
    /WEB-INF/log4j.properties
    /WEB-INF/classes/dataBase.properties
    /WEB-INF/classes/application.properties
    /WEB-INF/classes/jdbc.properties
    /WEB-INF/classes/db.properties
    /WEB-INF/classes/conf/jdbc.properties
    /WEB-INF/classes/security.properties
    /WEB-INF/conf/database_config.properties
    /WEB-INF/config/dbconfig
    /WEB-INF/conf/activemq.xml
    /server.xml
    /config/database.yml
    /configprops
    /phpinfo.php
    /phpinfo.php5
    /info.php
    /php.php
    /pi.php
    /mysql.php
    /sql.php
    /shell.php
    /apc.php
    /test.sh
    /logs.sh
    /test/
    /test.php
    /temp.php
    /tmp.php
    /test2.php
    /test2.php
    /test.html
    /test2.html
    /test.txt
    /test2.txt
    /debug.php
    /a.php
    /b.php
    /t.php
    /i.php
    /x.php
    /1.php
    /123.php
    /test.cgi
    /test-cgi
    /cgi-bin/test-cgi
    /cgi-bin/test
    /cgi-bin/test.cgi
    /zabbix/jsrpc.php
    /jsrpc.php

    dirFinder.py

    #!/usr/bin/env python
    # -*- coding:utf-8 -*-
    
    #from flask import Flask, request, json, Response, jsonify
    import json
    import threading
    import requests
    import urllib2
    import sys
    import threading
    from time import ctime,sleep
    import threadpool
    
    #app = Flask(__name__)
    
    #@app.route('/', methods = ['GET','POST'])
    def main():
        #if request.method == 'GET':
            #geturl = request.args.get('geturl')
        f = open("url.txt")
        line = f.readlines()
        global g_list
        g_list = []
        urllist = []
        list1 = []
        for u in line:
            u = u.rstrip()
            #dir = ['/admin','/t/344205']
            dir = open("rule.txt")
            dirline = dir.readlines()
            for d in dirline:
                d = d.rstrip()
                scheme = ['http://','https://']
                for s in scheme:
                    #print type(s)
                    #print type(geturl)
                    #print type(d)
                    url = s + u + d
                    list1.append(url)
        thread_requestor(list1)
        #return json.dumps(g_list)
        f = open('vulurl.txt','w')
        f.write(json.dumps(g_list))
        f.close()
    
    
    def res_printer(res1,res2):
        if res2:
            g_list.append(res2)
        else:
            pass
    
    def thread_requestor(urllist):
        pool =  threadpool.ThreadPool(200)
        reqs =  threadpool.makeRequests(getScan,urllist,res_printer)
        [pool.putRequest(req) for req in reqs]
        pool.wait()
    
    def getScan(url):
        try:
            requests.packages.urllib3.disable_warnings()
            status = requests.get(url, allow_redirects=False, timeout=3,verify=False).status_code
            print "scanning " + url
            if status == 200:
                return url
            else:
                pass
        except:
            pass
    
    if __name__ == "__main__":
        main()

    扫描结果如下:

    总结一点,功能还是挺强大的,互相学习~~~

  • 相关阅读:
    sklearn linear_model,svm,tree,naive bayes,ensemble
    便利过滤
    js下载
    小程序修改radio的大小
    el-tree 问题与需求
    jsp页面用html引入vue.js注意问题
    WebPack
    yarn
    vue-cli 4以上 vue.config.js
    Cannot find module 'core-js/modules/es6.regexp.constructor'
  • 原文地址:https://www.cnblogs.com/ECJTUACM-873284962/p/8576595.html
Copyright © 2020-2023  润新知