一、设计思想
用到 可能泄露风险的目录指纹库 infoleak.json ,将后台传入的待查web网址与库中的指纹进行拼接成payload,对payload进行请求。若请求返回码为 [200, 206, 401, 305, 407] 中之一,代表此地址存在,有可能是网站的 登录入口、后台入口、数据库下载地址、敏感文件下载地址、网站目录架构、GIT/SVN泄露、代码泄露 等较为危险接口,即此payload有可能造成信息泄露。
二、设计代码
catalogue.py:
import json
import os
import requests
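def leak(domain):
    """Probe *domain* with every path in the bundled ``infoleak.json`` list.

    Each path of each category in ``infoleak.json`` is appended to ``domain``
    and requested once (3 s timeout, redirects not followed).  A response whose
    status code is one of ``STATUS_CODES`` is recorded as a possible
    information-leak location.

    Args:
        domain: Base URL of the site under review, e.g. ``'http://host/'``.
            A trailing slash is tolerated and no longer doubled into the
            request URL (the original produced ``http://host//phpinfo.php``).

    Returns:
        A list of ``[category, url]`` pairs for every probe that answered with
        one of ``STATUS_CODES``.  The list is also printed, as before.

    Raises:
        OSError: if ``infoleak.json`` next to this module cannot be opened.
        json.JSONDecodeError: if the fingerprint file is not valid JSON.
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'
    }
    # Fingerprint dictionary shipped next to this module (/infoleak.json).
    # os.path.join instead of '+': when __file__ has no directory part the
    # original string concatenation resolved to the filesystem root.
    file_path = os.path.join(os.path.dirname(__file__), 'infoleak.json')
    with open(file_path, 'r', encoding='utf-8') as fp:
        json_data = json.load(fp)

    # Status codes the author treats as "this path exists" (401/407 mean the
    # resource is there but wants credentials; 206 is a partial-content reply).
    STATUS_CODES = (200, 206, 401, 305, 407)

    # Strip only the base's trailing slash; the payload bytes are left exactly
    # as listed, since several entries depend on their precise form.
    base = domain.rstrip('/')
    payload_list = []  # [category, url] candidates to request
    for key, payloads in json_data['data'][0].items():
        for payload in payloads:
            if payload.startswith('/'):
                url_payload = base + payload
            else:
                url_payload = base + '/' + payload
            payload_list.append([key, url_payload])

    RESULT = []  # probes that answered with a status from STATUS_CODES
    for item in payload_list:
        try:
            # allow_redirects=False so a catch-all 30x is not mistaken for a hit.
            # verify=False is kept from the original (self-signed lab hosts): the
            # server certificate is NOT validated, so urllib3 warns per request.
            response = requests.get(item[1], headers=headers, timeout=3,
                                    allow_redirects=False, verify=False)
        except requests.RequestException:
            # One timeout or connection error must not abort the remaining
            # probes; the original try/except wrapped the whole loop, so the
            # first failure silently ended the scan.
            continue
        if response.status_code in STATUS_CODES:
            RESULT.append(item)
    print(RESULT)
    return RESULT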
if __name__ == '__main__':
    # Manual run: the target is the author's lab host from the original example.
    target = 'http://192.168.137.129/'
    leak(target)
infoleak.json:
{
"data": [
{
"编辑器信息泄漏": [
"/fckeditor/_samples/default.html",
"/ckeditor/samples/",
"/editor/ckeditor/samples/",
"/ckeditor/samples/sample_posteddata.php",
"/editor/ckeditor/samples/sample_posteddata.php",
"/fck/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php",
"/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellcheckder.php",
"/ueditor/ueditor.config.js",
"/ueditor/php/getRemoteImage.php"
],
"Tomcat Manager": [
"/manager/html",
"/examples/servlets/servlet/SessionExample",
"/examples/",
"/docs/setup.html",
"/examples/servlets/servlet/SessionExample"
],
"测试网页": [
"/test.php",
"/test2.php",
"/test.html",
"/test2.html",
"/test.jsp",
"/test.txt",
"/test2.txt",
"/debug.php",
"/a.php",
"/1.php",
"/test.cgi",
"/test-cgi",
"/cgi-bin/test-cgi",
"/sql.php"
],
"代码变更记录": [
"/readme",
"/README",
"/README.md",
"/readme.md",
"/README.en.md",
"/requirements.txt",
"/readme.html",
"/changelog.txt",
"/使用说明.txt"
],
"配置文件": [
"/config.inc",
"/config.php.bak",
"/db.php.bak",
"/conf/config.ini",
"/config.ini",
"/config/config.ini",
"/configuration.ini",
"/configs/application.ini",
"/settings.ini",
"/application.ini",
"/conf.ini",
"/app.ini",
"/config.json",
"/application/configs/application.ini",
"/.idea/workspace.xml",
"/.idea/modules.xml",
"/app.cfg",
"/sftp-config.json",
"/config/database.yml",
"/database.yml",
"/db.conf",
"/db.ini",
"/WEB-INF/config/dbconfig",
"/WEB-INF/conf/database_config.properties",
"/WEB-INF/classes/security.properties",
"/WEB-INF/classes/jdbc.properties",
"/WEB-INF/web.properties",
"/WEB-INF/database.properties",
"/server.xml",
"/WEB-INF/dwr.xml",
"/WEB-INF/spring-cfg/applicationContext.xml",
"/WEB-INF/classes/conf/datasource.xml",
"/WEB-INF/web.xml",
"/WEB-INF/classes/struts_manager.xml",
"/WEB-INF/classes/conf/datasource.xml"
],
"目录穿越": [
"/../../../../../../../../../../../../../etc/shells",
"/../../../../../../../../../../../../../etc/profile",
"//././././././././././././././././././././././././../../../../../../../../etc/profile",
"/aa/../../cc/../../bb/../../dd/../../aa/../../cc/../../bb/../../dd/../../bb/../../dd/../../bb/../../dd/../../bb/../../dd/../../ee/../../etc/shells",
"/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/shells",
"/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fshells",
"/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fshells",
"/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fshells",
"/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd"
],
"Robots.txt": [
"/robots.txt"
],
"Sitemap": [
"/sitemap.html",
"/sitemap.xml"
],
"SVN/Git": [
"/.svn/entries",
"/.git/config",
"/.git/index",
"/.git/HEAD"
],
"java server faces": [
"/javax.faces.resource.../WEB-INF/web.xml.jsf"
],
"PHPINFO": [
"/phpinfo.php",
"/info.php",
"/i.php",
"/php.php",
"/apc.php"
],
"PHPMyadmin": [
"/phpmyadmin/index.php",
"/phpMyAdmin/index.php",
"/_phpmyadmin/index.php",
"/pma/index.php"
],
"Resin Doc Admin": [
"/resin-admin/",
"/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/profile"
],
"Sensitive File": [
"/core",
"/debug.txt",
"/.bash_history",
"/.rediscli_history",
"/.bashrc",
"/.bash_profile",
"/.bash_logout",
"/.DS_Store",
"/.history",
"/.htpasswd",
"/htpasswd.bak",
"/.htpasswd.bak",
"/nohup.out",
"/.mysql_history",
"/httpd.conf",
"/server-status",
"/solr/",
"/jmx-console/HtmlAdaptor",
"/cacti/",
"/zabbix/",
"/memadmin/index.php",
"/ganglia/",
"/data.txt",
"/install.txt",
"/INSTALL.TXT",
"/a.out",
"/key",
"/key.txt",
"/php.ini",
"/info.txt",
"/backup.txt",
"/密码.txt"
],
"Shell Scripts": [
"/install.sh",
"/deploy.sh",
"/upload.sh",
"/setup.sh",
"/backup.sh",
"/rsync.sh",
"/sync.sh",
"/test.sh",
"/run.sh"
],
"Source Code Disclosure": [
"/index.php.bak",
"/.index.php.swp",
"/config.inc.php.bak",
"/config.php.bak",
"/.config.inc.php.swp",
"/config/.config.php.swp",
"/.config.php.swp",
"/.settings.php.swp",
"/.database.php.swp",
"/.db.php.swp",
"/.mysql.php.swp"
],
"SSH Info": [
"/.ssh/known_hosts",
"/.ssh/id_rsa",
"/id_rsa",
"/.ssh/id_rsa.pub",
"/.ssh/id_dsa",
"/id_dsa",
"/.ssh/id_dsa.pub",
"/.ssh/authorized_keys"
],
"备份文件": [
"/temp.zip",
"/temp.rar",
"/temp.tar.gz",
"/temp.tgz",
"/temp.tar.bz2",
"/package.zip",
"/package.rar",
"/package.tar.gz",
"/package.tgz",
"/package.tar.bz2",
"/test.zip",
"/test.rar",
"/test.tar.gz",
"/test.tgz",
"/test.tar.bz2",
"/backup.zip",
"/backup.rar",
"/backup.tar.gz",
"/backup.tgz",
"/back.tar.bz2",
"test.sql",
"/db.zip",
"/db.rar",
"/db.tar.gz",
"/db.tgz",
"/db.tar.bz2",
"/db.inc",
"/db.sqlite",
"/db.sqlite3",
"/db.sql.gz",
"/dump.sql.gz",
"/database.sql.gz",
"/backup.sql.gz",
"/data.sql.gz",
"/data.zip",
"/data.tar.gz",
"/database.zip",
"/database.rar",
"/database.tar.gz",
"/ftp.zip",
"/ftp.rar",
"/ftp.tar.gz",
"/web.zip",
"/web.rar",
"/web.tar.gz",
"/www.zip",
"/www.rar",
"/www.tar.gz",
"/www.tgz",
"/www.tar.bz2",
"/wwwroot.zip",
"/wwwroot.rar",
"/wwwroot.tar.gz",
"/wwwroot.tgz",
"/wwwroot.tar.bz2",
"/output.tar.gz",
"/admin.zip",
"/admin.rar",
"/admin.tar.gz",
"/admin.tgz",
"/admin.tar.bz2",
"/upload.zip",
"/upload.rar",
"/upload.tar.gz",
"/upload.tgz",
"/upload.tar.bz2",
"/website.zip",
"/website.rar",
"/website.tar.gz",
"/website.tgz",
"/website.tar.bz2",
"/sql.zip",
"/sql.rar",
"/sql.tar.gz",
"/sql.tgz",
"/sql.tar.bz2",
"/sql.7z",
"/data.sql",
"/database.sql",
"/db.sql",
"/test.sql",
"/admin.sql",
"/backup.sql",
"/dump.sql",
"/{sub}.sql",
"/index.zip",
"/index.7z",
"/index.bak",
"/index.rar",
"/index.tar.tz",
"/index.tar.bz2",
"/index.tar.gz",
"/old.zip",
"/old.rar",
"/old.tar.gz",
"/old.tar.bz2",
"/old.tgz",
"/old.7z",
"/1.tar.gz",
"/a.tar.gz",
"/conf/conf.zip",
"/conf.tar.gz",
"/config.tar.gz",
"/proxy.pac",
"/server.cfg",
"/deploy.tar.gz",
"/build.tar.gz",
"/install.tar.gz",
"/site.tar.gz",
"/webroot.zip",
"/tools.tar.gz",
"/webserver.tar.gz",
"/htdocs.tar.gz",
"/src.tar.gz",
"/code.tar.gz"
]
}
]
}
返回结果:
[['PHPINFO', 'http://192.168.137.129//phpinfo.php'], ['PHPMyadmin', 'http://192.168.137.129//phpMyAdmin/index.php']]
三、御剑扫描python实现
3.1 设计思想
思想同上一个python工程:payload=传入domain+指纹,只不过指纹库换成了御剑自带指纹库。
3.2 代码
import requests
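def yujian(domain):
    """Probe *domain* with every path listed in ``PHP.txt`` (the 御剑 dictionary).

    Each non-empty line of ``PHP.txt`` is appended to ``domain`` and requested
    once (3 s timeout, redirects not followed).  URLs that answer with one of
    ``STATUS_CODES`` are collected as possible leak locations.

    Args:
        domain: Base URL of the site under review, e.g. ``'http://host/'``.
            A trailing slash is tolerated and no longer doubled into the URL.

    Returns:
        A list of matching URLs.  The list is also printed, as before.

    Raises:
        OSError: if ``PHP.txt`` (resolved against the current working
            directory, as in the original) cannot be opened.
    """
    headers = {
        'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'
    }
    # The dictionary's encoding is not known from here, so the platform default
    # is kept as in the original; 'with' guarantees the handle is closed.
    # NOTE(review): confirm the file's encoding and pass encoding= explicitly.
    with open('PHP.txt', 'r') as fh:
        lines = fh.read().splitlines()

    # Status codes the author treats as "this path exists".
    STATUS_CODES = (200, 206, 401, 305, 407)

    base = domain.rstrip('/')
    RESULT = []  # URLs that answered with a status from STATUS_CODES
    for line in lines:
        entry = line.strip()
        if not entry:
            # The original split('\n') yielded '' for the trailing newline, so
            # the bare domain itself was probed and reported as a "leak"
            # (visible as 'http://192.168.137.129/' in the sample output).
            continue
        if entry.startswith('/'):
            payload = base + entry
        else:
            payload = base + '/' + entry
        try:
            # allow_redirects=False so a catch-all 30x is not mistaken for a hit.
            # verify=False is kept from the original (self-signed lab hosts): the
            # server certificate is NOT validated.
            response = requests.get(payload, headers=headers, timeout=3,
                                    allow_redirects=False, verify=False)
        except requests.RequestException:
            # Skip this path on timeout/connection error instead of swallowing
            # every exception type.
            continue
        if response.status_code in STATUS_CODES:
            RESULT.append(payload)
    print(RESULT)
    return RESULT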
if __name__ == '__main__':
    # Manual run: the target is the author's lab host from the original example.
    target = 'http://192.168.137.129/'
    yujian(target)
返回结果:
['http://192.168.137.129//index.php', 'http://192.168.137.129/']