• 利用 python 实现对web服务器的目录探测


    一、python
    Python是一种解释型、面向对象、动态数据类型的高级程序设计语言。
    python 是一门简单易学的语言,并且功能强大也很灵活,在渗透测试中的应用广泛,让我们一起打造属于自己的渗透测试工具



    二、web服务器的目录探测脚本打造


    1、在渗透时如果能发现web服务器中的webshell,渗透是不是就可以变的简单一点尼
    通常情况下御剑深受大家的喜爱,但是今天在测试的时候webshell不知道为什么御剑扫描不到
    仔细查看是webshell有防爬功能,是检测User-Agent头,如果没有就回返回一个自己定义的404页面  

    1、先来看看工具效果
     

    2、利用python读取扫描的目录字典
     
    1
    2
    3
    4
    5
    def get_url(path):
            with open(path, "r", encoding='ISO-8859-1') as f:
                    for url in f.readlines():
                            url_list.append(url.strip())
                    return url_list


    3、利用 python 的 requests 库对web目标服务器进行目录探测
     
    1
    2
    3
    4
    5
    6
    7
    8
    9
    def Go_scan(url):
        while not queue.empty():
            url_path = queue.get(timeout=1)
            new_url = url + url_path
            res = requests.get(new_url, headers=headers, timeout=5)
            #print(res.status_code)
            status_code = "[" + str(res.status_code) + "]"
            if str(res.status_code) != "404":
                print(get_time(), status_code, new_url)


    4、利用 python 的 threading 库对探测进行线程的设置
     
    01
    02
    03
    04
    05
    06
    07
    08
    09
    10
    11
    def thread(Number,url):
        threadlist = []
        for pwd in url_list:
            queue.put(pwd)
     
        for x in range(Number):
            t = threading.Thread(target=Go_scan, args=(url,))
            threadlist.append(t)
     
        for t in threadlist:
            t.start()


    5、利用 python 的 argparse 库进行对自己的工具进行封装
     
    01
    02
    03
    04
    05
    06
    07
    08
    09
    10
    11
    12
    13
    14
    15
    16
    def main():
        if len(sys.argv) == 1:
            print_banner()
            exit(1)
     
        parser = argparse.ArgumentParser(
            formatter_class=argparse.RawTextHelpFormatter,
            epilog='''
    use examples:
      python dir_scan.py -u [url]http://www.test.com[/url] -d /root/dir.txt
      python dir_scan.py -u [url]http://www.test.com[/url] -t 30 -d /root/dir.txt
      ''')
        parser.add_argument("-u","--url", help="scan target address", dest='url')
        parser.add_argument("-t","--thread", help="Number of threads", default="20", type=int, dest='thread')
        parser.add_argument("-d","--Dictionaries", help="Dictionary of Blasting Loading",
            dest="Dictionaries")


    总结
    各位大哥有意见或者建议尽管提,文章哪里不对的话会改的,小弟定会虚心学习最后附上全部源码供大佬指教
     
    01
    02
    03
    04
    05
    06
    07
    08
    09
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    #!/usr/bin/python
    # -*- coding: utf-8 -*-
     
    import requests
    import threading
    import argparse,sys
    import time,os
    from queue import Queue
     
    url_list = []
    queue = Queue()
     
    headers = {
        'Connection':'keep-alive',
        'Accept':'*/*',
        'Accept-Language': 'zh-CN',
        'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0'
    }
     
    def print_banner():
        banner = r"""
        .___.__            __________________     _____    _______  
      __| _/|__|_______   /   _____/\_   ___    /  _            
     / __ | |  |\_  __   \_____  /      /  /  /_    /   |  
    / /_/ | |  | |  | /  /        \     \____/    |    /    |   
    \____ | |__| |__|    /_______  / \______  /\____|__  /\____|__  /
         /                      /         /         /         /
     
    [*] Very fast directory scanning tool.
    [*] try to use -h or --help show help message
        """
        print(banner)
     
    def get_time():
        return '[' + time.strftime("%H:%M:%S", time.localtime()) + '] '
     
    def get_url(path):
        with open(path, "r", encoding='ISO-8859-1') as f:
            for url in f.readlines():
                url_list.append(url.strip())
            return url_list
     
     
    def Go_scan(url):
        while not queue.empty():
            url_path = queue.get(timeout=1)
            new_url = url + url_path
            res = requests.get(new_url, headers=headers, timeout=5)
            #print(res.status_code)
            status_code = "[" + str(res.status_code) + "]"
            if str(res.status_code) != "404":
                print(get_time(), status_code, new_url)
     
    def thread(Number,url):
        threadlist = []
        for pwd in url_list:
            queue.put(pwd)
     
        for x in range(Number):
            t = threading.Thread(target=Go_scan, args=(url,))
            threadlist.append(t)
     
        for t in threadlist:
            t.start()
     
     
    def main():
        if len(sys.argv) == 1:
            print_banner()
            exit(1)
     
        parser = argparse.ArgumentParser(
            formatter_class=argparse.RawTextHelpFormatter,
            epilog='''
    use examples:
      python dir_scan.py -u [url]http://www.test.com[/url] -d /root/dir.txt
      python dir_scan.py -u [url]http://www.test.com[/url] -t 30 -d /root/dir.txt
      ''')
        parser.add_argument("-u","--url", help="scan target address", dest='url')
        parser.add_argument("-t","--thread", help="Number of threads", default="20", type=int, dest='thread')
        parser.add_argument("-d","--Dictionaries", help="Dictionary of Blasting Loading",
            dest="Dictionaries")
        args = parser.parse_args()
        Number =args.thread
        url = args.url
        url_path = args.Dictionaries
        print_banner()
        get_url(url_path)
        print(get_time(), "[INFO] Start scanning---- ")
        time.sleep(2)
        thread(Number,url)
     
    if __name__ == '__main__':
        main()
  • 相关阅读:
    c# datagridview 设置某行不可见解决办法
    MessageBox, MessageBoxBurttons, MessageBoxIcon 详细解析
    c# 项目带皮肤一起打包发布解决办法
    Winform DataGridView CheckBoxColumn c# 单选 解决方案
    机器学习 课程笔记
    机器学习-review-1 线性回归
    Office升级到2013版后无法登录微软账号问题
    Address already in use: make_sock: could not bind to address 0.0.0.0:80
    PHP的数组排序函数
    事件与委托例子
  • 原文地址:https://www.cnblogs.com/ichunqiujishu/p/10218972.html
Copyright © 2020-2023  润新知