闲的无聊时候就手动写第一个漏洞扫描工具吧!

上课太无聊了,今天就用python写个漏洞扫描器玩玩,原理是先检测漏洞,在扫描备份,文件结果自动保存在当前目录

主要就是:信息获取、模拟攻击。

网络漏洞扫描对目标系统进行漏洞检测时,首先探测目标系统的存活主机,对存活主机进行端口扫描,确定系统开放的端口,同时根据协议指纹技术识别出主机的操作系统类型。然后扫描器对开放的端口进行网络服务类型的识别,确定其提供的网络服务。漏洞扫描器根据目标系统的操作系统平台和提供的网络服务,调用漏洞资料库中已知的各种漏洞进行逐一检测,通过对探测响应数据包的分析判断是否存在漏洞。

因此,只要我们认真研究各种漏洞,知道它们的探测特征码和响应特征码就可以利用软件来实现对各种已知漏洞的模拟。

由于漏洞模拟系统实际上是分析扫描器发出的探测包中的是否含有探测特征码并返回具有相应响应特征码的数据包。因此,对每一个漏洞,探测特征码和响应特征码是两项必需的描述。

采用数据库技术可以方便地向漏洞资料库中添加新发现的漏洞,使漏洞模拟软件能够不断地更新漏洞资料库,可以更加有效地测试扫描器对安全漏洞的检测能力。(我在这里,由于技术原因没有建立数据库而是用文本文件保存的特征码。)

config.txt是配置文件

url.txt是要扫描的url

内部配置相关的常见编辑器漏洞和svn源码泄露漏洞

多线程运行

程序的思路是

附上config.txt

/a.zip
/web.zip
/web.rar
/1.rar
/bbs.rar
/www.root.rar
/123.rar
/data.rar
/bak.rar
/oa.rar
/admin.rar
/www.rar
/2014.rar
/2015.rar
/2016.rar
/2014.zip
/2015.zip
/2016.zip
/1.zip
/1.gz
/1.tar.gz 
/2.zip
/2.rar
/123.rar 
/123.zip
/a.rar  
/a.zip  
/admin.rar 
/back.rar 
/backup.rar 
/bak.rar   
/bbs.rar   
/bbs.zip
/beifen.rar 
/beifen.zip
/beian.rar
/data.rar   
/data.zip   
/db.rar      
/db.zip
/flashfxp.rar  
/flashfxp.zip  
/fdsa.rar
/ftp.rar   
/gg.rar
/hdocs.rar
/hdocs.zip
/HYTop.mdb
/root.rar 
/Release.rar
/Release.zip
/sql.rar 
/test.rar
/template.rar
/template.zip
/upfile.rar  
/vip.rar 
/wangzhan.rar
/wangzhan.zip
/web.rar    
/web.zip    
/website.rar  
/www.rar    
/www.zip       
/wwwroot.rar   
/wwwroot.zip   
/wz.rar         
/备份.rar      
/网站.rar       
/新建文件夹.rar  
/新建文件夹.zip

漏洞扫描工具.py

# -*- coding:utf-8 -*-
import requests
import time
import Queue
import threading
import urllib2
import socket
timeout=3
socket.setdefaulttimeout(timeout)
q = Queue.Queue()
time.sleep(5)
headers={'User-Agent':'Mozilla/5.0 (Windows NT 6.3; WOW64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102Safari/537.36'}
f1 = open('url.txt','r')
f2 = f1.readlines()
f1.close()
f3 = open('result.txt','a+')
f9 = open('config.txt','r')  #配置文件载入
f4 = f9.readlines()
f9.close()

def rarzip():       #开始构建扫描函数
    try:    #域名rarzip扫描
        print yumingrar
        reqryumingrar = urllib2.Request(url=yumingrar,headers=headers)
        ryumingrar = urllib2.urlopen(reqryumingrar)
        if ryumingrar.code == 200:
            metarar = ryumingrar.info()
            sizerar = str(metarar.getheaders("Content-Length")[0])  #文件大小
            sizerar1 = int(metarar.getheaders("Content-Length")[0])
            if sizerar1 > 8888:
                print '★★★★★Found A Success Url Maybe backups★★★★★'
                print yumingrar
                print 'Size:' + sizerar + 'Kbs'
                f3.write(yumingrar + '----------' + sizerar + 'Kbs' + '\n')
            else:
                print '888 Safe Dog I Fuck You 888'
        else:
            print '[+]Pass.........................'
    except:
        pass
    try:
        print yumingzip
        reqryumingzip = urllib2.Request(url=yumingzip,headers=headers)
        ryumingzip = urllib2.urlopen(reqryumingrar)
        if ryumingzip.code == 200:
            metazip = ryumingrar.info()
            sizezip = str(metazip.getheaders("Content-Length")[0])
            sizezip1 = int(metazip.getheaders("Content-Length")[0])
            if sizezip1 > 8888:
                print '★★★★★Found A Success Url Maybe backups★★★★★'
                print yumingzip
                print 'Size:' + sizezip + 'Kbs' 
                f3.write(yumingzip + '----------' + sizezip + 'Kbs' + '\n')
            else:
                print '888 Safe Dog I Fuck You 888'
        else:
            print '[+]Pass.........................'
    except:
        pass

def svn():  
    try:    #svn漏洞扫描
        print yumingsvn
        ryumingsvn = requests.get(url=yumingsvn,headers=headers,allow_redirects=False,timeout=3)
        if ryumingsvn_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(yumingsvn + '      【SVN源码泄露漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass

def eweb():
    try:    #ewebeditor漏洞扫描
        print '---------------Ewebeditor Vulnerability Scan---------------'
        print eweb1
        reweb1 = requests.get(url=eweb1,headers=headers,allow_redirects=False,timeout=3)
        if reweb1_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(eweb1 + '      【Ewebeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print eweb2
        reweb2 = requests.get(url=eweb2,headers=headers,allow_redirects=False,timeout=3)
        if reweb2_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(eweb2 + '      【Ewebeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print eweb3
        reweb3 = requests.get(url=eweb3,headers=headers,allow_redirects=False,timeout=3)
        if reweb3_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(eweb3 + '      【Ewebeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print eweb4
        reweb4 = requests.get(url=eweb4,headers=headers,allow_redirects=False,timeout=3)
        if reweb4_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(eweb4 + '      【Ewebeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print eweb5
        reweb5 = requests.get(url=eweb5,headers=headers,allow_redirects=False,timeout=3)
        if reweb5_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(eweb5 + '      【Ewebeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print eweb6
        reweb6 = requests.get(url=eweb6,headers=headers,allow_redirects=False,timeout=3)
        if reweb6_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(eweb6 + '      【Ewebeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass

#fckeditor漏洞扫描
def fck():
    try:
        print '---------------Fckeditor Vulnerability Scan---------------'
        print fck1
        rfck1 = requests.get(url=fck1,headers=headers,allow_redirects=False,timeout=3)
        if rfck1_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(fck1 + '      【Fckeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print fck2
        rfck2 = requests.get(url=fck2,headers=headers,allow_redirects=False,timeout=3)
        if rfck2_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(fck2 + '      【Fckeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print fck3
        rfck3 = requests.get(url=fck3,headers=headers,allow_redirects=False,timeout=3)
        if rfck3_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(fck3 + '      【Fckeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print fck4
        rfck4 = requests.get(url=fck4,headers=headers,allow_redirects=False,timeout=3)
        if rfck4_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(fck4 + '      【Fckeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print fck5
        rfck5 = requests.get(url=fck5,headers=headers,allow_redirects=False,timeout=3)
        if rfck5_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(fck5 + '      【Fckeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
    try:
        print fck6
        rfck6 = requests.get(url=fck6,headers=headers,allow_redirects=False,timeout=3)
        if rfck6_status == 200:
            print '★★★★★Found A Success Url Maybe Vulnerability★★★★★'
            f3.write(fck6 + '      【Fckeditor编辑器漏洞】' + '\n')
        else:
            print '[+]Pass.........................'
    except:
        print "[+]Can not connect url"
        pass
for i in f2:
    c = i.strip('\n')
    print c
    try:
        ceshi = requests.get(url=c,headers=headers,allow_redirects=False,timeout=3)
        if ceshi.status_code == 200:
            a = c.split(".",2)[1]  #获取主域名
            yumingrar = c + '/' + a + '.rar'  #构造域名 + zip 的备份
            yumingzip = c + '/' + a + '.zip'
            rarzip()
            #开始对一系列特殊漏洞后缀构造url
            yumingsvn = c + '/.svn/entries'  #svn漏洞
            svn()
            eweb1 = c + '/editor/editor/filemanager/browser/default/connectors/test.html'   #ewebeditor编辑器漏洞
            eweb2 = c + '/editor/editor/filemanager/connectors/test.html'
            eweb3 = c + '/editor/editor/filemanager/connectors/uploadtest.html'
            eweb4 = c + '/html/db/ewebeditor.mdb'
            eweb5 = c + '/db/ewebeditor.mdb'
            eweb6 = c + '/db/ewebeditor.asp'
            eweb()
            fck1 = c + '/fckeditor/editor/filemanager/browser/default/connectors/test.html'  #fckeditor编辑器漏洞
            fck2 = c + '/fckeditor/editor/filemanager/connectors/test.html'
            fck3 = c + '/FCKeditor/editor/filemanager/connectors/uploadtest.html'
            fck4 = c + '/FCKeditor/editor/filemanager/upload/test.html'
            fck5 = c + '/fckeditor/editor/filemanager/browser/default/browser.html'
            fck6 = c + '/FCKeditor/editor/fckeditor.html'
            fck()
        else:
            pass
    except:
        print "NO USE URL WHAT FUCK A BIG URL"
        pass

for i in f2:
    c = i.strip('\n')
    try:
        ce = requests.get(url=c,headers=headers,allow_redirects=False,timeout=3)
        if ce.status_code == 200:
            q.put(c)
        else:
            pass
    except:
        print "NO USE URL WHAT FUCK A BIG URL"
        pass
def starta():
    print '---------------Start Backups Scan---------------'    #开始从字典载入了~
    while not q.empty():
            zhaohan = q.get()  #url网址载入队列了
            for f5 in f4:
                f6 = f5.strip('\n')  #正确的备份内容     
                urlx = zhaohan + f6  #正确的网址 + 备份
                print urlx
                try:
                    req = urllib2.Request(url=urlx,headers=headers)
                    response = urllib2.urlopen(req)
                    if response.code == 200:
                        meta = response.info()
                        sizes = str(meta.getheaders("Content-Length")[0])
                        sizess = int(meta.getheaders("Content-Length")[0])
                        if sizess < 8888:
                            print '888  Safe Dog I Fuck You  888'
                        else:
                            print '★★★★★Found A Success Url Maybe backups★★★★★'
                            print 'Size:' + sizes + 'Kbs'
                            f3.write(urlx + '----------' + sizes + '\n')
                    else:
                        print '[+]Pass.........................'
                except:
                    pass
thread1 = threading.Thread(target = starta())
thread1.start()
f3.close()
print '--------------------------------------------------------------------'
print '--------------------------------OVER--------------------------------'
print '--------------------------------------------------------------------'
time.sleep(10)
exit() 

看样子效果还是挺明显的:

然后看了看大神们写的,发现了一种比较精简的写法:

把目标的域名收集全就可以自动化刷src。

根据规则来扫描一些路径,比如Tomcat,Jboss,weblogic,svn,Jenkins,备份文件等等,跟一般的后台目录扫描不一样。所以后面如果想要指定扫描的类型可以自由添加。

如果rule规则有需要增加的,麻烦再帖子后面评论+规则,代码需要修改完善的请私我。

dirFinder.py 是扫描脚本

rule.txt 是规则,可以自由添加。打开的时候用editplus、notepad++等,如果用自带记事本会没有换行。

url.txt 是需要扫描的URL地址

扫描结果会自动生成到vulurl.txt文件中

rule.txt如下:

/wls-wsat/CoordinatorPortType
/wls-wsat/CoordinatorPortType11
:9443/wls-wsat/CoordinatorPortType
:9443/wls-wsat/CoordinatorPortType11
:8470/wls-wsat/CoordinatorPortType
:8470/wls-wsat/CoordinatorPortType11
:8447/wls-wsat/CoordinatorPortType
:8447/wls-wsat/CoordinatorPortType11
:8080
:8007
/asynchPeople
/manage
/script
:8080/jenkins
:8007/jenkins
/jenkins
/.svn/entries
/.svn
/console/
/manager
:8080/manager
:8080/manager/html
/manager/html
/invoker/JMXInvokerServlet
/invoker
:8080/jmx-console/
/jmx-console/
/robots.txt
/system
/wls-wsat/CoordinatorPortType
/wsat/CoordinatorPortType
/wls-wsat/CoordinatorPortType11
/wsat/CoordinatorPortType11
/examples/
/examples/servlets/servlet/SessionExample
/solr/
/.git/config
/.git/index
/.git/HEAD
/WEB-INF/
/core
/old.zip
/old.rar
/old.tar.gz
/old.tar.bz2
/old.tgz
/old.7z
/temp.zip
/temp.rar
/temp.tar.gz
/temp.tgz
/temp.tar.bz2
/package.zip
/package.rar
/package.tar.gz
/package.tgz
/package.tar.bz2
/tmp.zip
/tmp.rar
/tmp.tar.gz
/tmp.tgz
/tmp.tar.bz2
/test.zip
/test.rar
/test.tar.gz
/test.tgz
/test.tar.bz2
/backup.zip
/backup.rar
/backup.tar.gz
/backup.tgz
/back.tar.bz2
/db.zip
/db.rar
/db.tar.gz
/db.tgz
/db.tar.bz2
/db.log
/db.inc
/db.sqlite
/db.sql.gz
/dump.sql.gz
/database.sql.gz
/backup.sql.gz
/data.zip
/data.rar
/data.tar.gz
/data.tgz
/data.tar.bz2
/database.zip
/database.rar
/database.tar.gz
/database.tgz
/database.tar.bz2
/ftp.zip
/ftp.rar
/ftp.tar.gz
/ftp.tgz
/ftp.tar.bz2
/log.txt
/log.tar.gz
/log.rar
/log.zip
/log.tgz
/log.tar.bz2
/log.7z
/logs.txt
/logs.tar.gz
/logs.rar
/logs.zip
/logs.tgz
/logs.tar.bz2
/logs.7z
/web.zip
/web.rar
/web.tar.gz
/web.tgz
/web.tar.bz2
/www.log
/www.zip
/www.rar
/www.tar.gz
/www.tgz
/www.tar.bz2
/wwwroot.zip
/wwwroot.rar
/wwwroot.tar.gz
/wwwroot.tgz
/wwwroot.tar.bz2
/output.zip
/output.rar
/output.tar.gz
/output.tgz
/output.tar.bz2
/admin.zip
/admin.rar
/admin.tar.gz
/admin.tgz
/admin.tar.bz2
/upload.zip
/upload.rar
/upload.tar.gz
/upload.tgz
/upload.tar.bz2
/website.zip
/website.rar
/website.tar.gz
/website.tgz
/website.tar.bz2
/package.zip
/package.rar
/package.tar.gz
/package.tgz
/package.tar.bz2
/sql.log
/sql.zip
/sql.rar
/sql.tar.gz
/sql.tgz
/sql.tar.bz2
/sql.7z
/sql.inc
/data.sql
/qq.sql
/tencent.sql
/database.sql
/db.sql
/test.sql
/admin.sql
/backup.sql
/user.sql
/sql.sql
/index.zip
/index.7z
/index.bak
/index.rar
/index.tar.tz
/index.tar.bz2
/index.tar.gz
/dump.sql
/old.zip
/old.rar
/old.tar.gz
/old.tar.bz2
/old.tgz
/old.7z
/1.tar.gz
/a.tar.gz
/x.tar.gz
/o.tar.gz
/conf/conf.zip
/conf.tar.gz
/qq.pac
/tencent.pac
/server.cfg
/deploy.tar.gz
/build.tar.gz
/install.tar.gz
/secu-tcs-agent-mon-safe.sh
/password.tar.gz
/site.tar.gz
/tenpay.tar.gz
/rsync_log.sh
/rsync.sh
/webroot.zip
/tools.tar.gz
/users.tar.gz
/webserver.tar.gz
/htdocs.tar.gz
/admin/
/admin.php
/admin.do
/login.php
/login.do
/admin.html
/manage/
/server-status
/login/
/fckeditor/_samples/default.html
/ckeditor/samples/
/fck/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php
/app/config/database.yml
/database.yml
/sqlnet.log
/database.log
/db.log
/db.conf
/db.ini
/logs.ini
/upload.do
/upload.jsp
/upload.php
/upfile.php
/upload.html
/upload.cgi
/jmx-console/HtmlAdaptor
/cacti/
/zabbix/
/jira/
/jenkins/static/f3a41d2f/css/style.css
/static/f3a41d2f/css/style.css
/exit
/memadmin/index.php
/phpmyadmin/index.php
/pma/index.php
/ganglia/
/_phpmyadmin/index.php
/pmadmin/index.php
/config/config_ucenter.php.bak
/config/.config_ucenter.php.swp
/config/.config_global.php.swp
/config/config_global.php.1
/uc_server/data/config.inc.php.bak
/config/config_global.php.bak
/include/config.inc.php.tmp
/access.log
/error.log
/log/access.log
/log/error.log
/log/log.log
/logs/error.log
/logs/access.log
/error.log
/errors.log
/debug.log
/log
/logs
/debug.txt
/debug.out
/.bash_history
/.rediscli_history
/.bashrc
/.bash_profile
/.bash_logout
/.vimrc
/.DS_Store
/.history
/.htaccess
/htaccess.bak
/.htpasswd
/.htpasswd.bak
/htpasswd.bak
/nohup.out
/.idea/workspace.xml
/.mysql_history
/httpd.conf
/web.config
/shell.php
/1.php
/spy.php
/phpspy.php
/webshell.php
/angle.php
/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/profile
/resin-doc/viewfile/?contextpath=/&servletpath=&file=index.jsp
/application/configs/application.ini
/wp-login.php
/wp-config.inc
/wp-config.bak
/wp-config.php~
/.wp-config.php.swp
/wp-config.php.bak
/.ssh/known_hosts
/.ssh/known_hosts
/.ssh/id_rsa
/id_rsa
/.ssh/id_rsa.pub
/.ssh/id_dsa
/id_dsa
/.ssh/id_dsa.pub
/.ssh/authorized_keys
/owa/
/ews/
/readme
/README
/readme.md
/readme.html
/changelog.txt
/data.txt
/CHANGELOG.txt
/CHANGELOG.TXT
/install.txt
/install.log
/install.sh
/deploy.sh
/install.txt
/INSTALL.TXT
/config.php
/config/config.php
/config.inc
/config.inc.php
/config.inc.php.1
/config.php.bak
/db.php.bak
/conf/config.ini
/config.ini
/config/config.ini
/configuration.ini
/configs/application.ini
/settings.ini
/application.ini
/conf.ini
/app.ini
/config.json
/output
/a.out
/test
/tmp
/temp
/user.txt
/users.txt
/key
/keys
/key.txt
/keys.txt
/pass.txt
/passwd.txt
/password.txt
/pwd.txt
/php.ini
/sftp-config.json
/index.php.bak
/.index.php.swp
/index.cgi.bak
/config.inc.php.bak
/.config.inc.php.swp
/config/.config.php.swp
/.config.php.swp
/app.cfg
/setup.sh
/../../../../../../../../../../../../../etc/passwd
/../../../../../../../../../../../../../etc/hosts
/../../../../../../../../../../../../../etc/sysconfig/network-scripts/ifcfg-eth1
/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/hosts
/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
/..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252F..%252Fetc%252Fpasswd
/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
//././././././././././././././././././././././././../../../../../../../../etc/passwd
/etc/passwd
/file:///etc/passwd
/etc/hosts
/aa/../../cc/../../bb/../../dd/../../aa/../../cc/../../bb/../../dd/../../bb/../../dd/../../bb/../../dd/../../bb/../../dd/../../ee/../../etc/hosts
/proc/meminfo
/etc/profile
/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
/WEB-INF/web.xml
/WEB-INF/web.xml.bak
/WEB-INF/applicationContext.xml
/WEB-INF/applicationContext-slave.xml
/WEB-INF/config.xml
/WEB-INF/spring.xml
/WEB-INF/struts-config.xml
/WEB-INF/struts-front-config.xml
/WEB-INF/struts/struts-config.xml
/WEB-INF/classes/spring.xml
/WEB-INF/classes/struts.xml
/WEB-INF/classes/struts_manager.xml
/WEB-INF/classes/conf/datasource.xml
/WEB-INF/classes/data.xml
/WEB-INF/classes/config/applicationContext.xml
/WEB-INF/classes/applicationContext.xml
/WEB-INF/classes/conf/spring/applicationContext-datasource.xml
/WEB-INF/config/db/dataSource.xml
/WEB-INF/spring-cfg/applicationContext.xml
/WEB-INF/dwr.xml
/WEB-INF/classes/hibernate.cfg.xml
/WEB-INF/classes/rabbitmq.xml
/WEB-INF/database.properties
/WEB-INF/web.properties
/WEB-INF/log4j.properties
/WEB-INF/classes/dataBase.properties
/WEB-INF/classes/application.properties
/WEB-INF/classes/jdbc.properties
/WEB-INF/classes/db.properties
/WEB-INF/classes/conf/jdbc.properties
/WEB-INF/classes/security.properties
/WEB-INF/conf/database_config.properties
/WEB-INF/config/dbconfig
/WEB-INF/conf/activemq.xml
/server.xml
/config/database.yml
/configprops
/phpinfo.php
/phpinfo.php5
/info.php
/php.php
/pi.php
/mysql.php
/sql.php
/shell.php
/apc.php
/test.sh
/logs.sh
/test/
/test.php
/temp.php
/tmp.php
/test2.php
/test2.php
/test.html
/test2.html
/test.txt
/test2.txt
/debug.php
/a.php
/b.php
/t.php
/i.php
/x.php
/1.php
/123.php
/test.cgi
/test-cgi
/cgi-bin/test-cgi
/cgi-bin/test
/cgi-bin/test.cgi
/zabbix/jsrpc.php
/jsrpc.php

dirFinder.py

#!/usr/bin/env python
# -*- coding:utf-8 -*-

#from flask import Flask, request, json, Response, jsonify
import json
import threading
import requests
import urllib2
import sys
import threading
from time import ctime,sleep
import threadpool

#app = Flask(__name__)

#@app.route('/', methods = ['GET','POST'])
def main():
    #if request.method == 'GET':
        #geturl = request.args.get('geturl')
    f = open("url.txt")
    line = f.readlines()
    global g_list
    g_list = []
    urllist = []
    list1 = []
    for u in line:
        u = u.rstrip()
        #dir = ['/admin','/t/344205']
        dir = open("rule.txt")
        dirline = dir.readlines()
        for d in dirline:
            d = d.rstrip()
            scheme = ['http://','https://']
            for s in scheme:
                #print type(s)
                #print type(geturl)
                #print type(d)
                url = s + u + d
                list1.append(url)
    thread_requestor(list1)
    #return json.dumps(g_list)
    f = open('vulurl.txt','w')
    f.write(json.dumps(g_list))
    f.close()


def res_printer(res1,res2):
    if res2:
        g_list.append(res2)
    else:
        pass

def thread_requestor(urllist):
    pool =  threadpool.ThreadPool(200)
    reqs =  threadpool.makeRequests(getScan,urllist,res_printer)
    [pool.putRequest(req) for req in reqs]
    pool.wait()

def getScan(url):
    try:
        requests.packages.urllib3.disable_warnings()
        status = requests.get(url, allow_redirects=False, timeout=3,verify=False).status_code
        print "scanning " + url
        if status == 200:
            return url
        else:
            pass
    except:
        pass

if __name__ == "__main__":
    main()

扫描结果如下:

总结一点,功能还是挺强大的,互相学习~~~

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

相关文章

来自专栏开发之途

Android 模拟登陆网站实现移动客户端

5798
来自专栏阿杜的世界

Java Web技术经验总结(十七)

872
来自专栏分布式系统和大数据处理

HttpHandler介绍

在 Http请求处理流程 一文中,我们了解了Http请求的处理过程以及其它一些运作原理。我们知道Http管道中有两个可用接口,一个是IHttpHandler,一...

1342
来自专栏前端黑板报

HTTP2基础教程-读书笔记(四)

? 记录一下HTTP/2的底层原理,帮助理解协议实现细节。 连接 每个端点都需要发送一个连接作为最终确认使用的协议,并建立http/2连接的初始设置。客户端和...

3536
来自专栏恰童鞋骚年

自己动手写工具:百度图片批量下载器

开篇:在某些场景下,我们想要对百度图片搜出来的东东进行保存,但是一个一个得下载保存不仅耗时而且费劲,有木有一种方法能够简化我们的工作量呢,让我们在离线模式下也能...

4721
来自专栏程序猿DD

新年彩蛋:Spring Boot自定义Banner

在2016年的最后一天,借用Spring Boot的Banner向各位程序猿同仁们问候一声:Happy New Year。 ? 接下来我们就来介绍一下这个轻松愉...

2357
来自专栏小樱的经验随笔

一文让你完全弄懂Stegosaurus

国内关于 Stegosaurus 的介绍少之又少,一般只是单纯的工具使用的讲解之类的,并且本人在学习过程中也是遇到了很多的问题,基于此种情况下写下此文,也是为我...

1112
来自专栏码农阿宇

国内开源社区巨作AspectCore-Framework入门

在软件业,AOP为Aspect Oriented Programming的缩写,意为:面向切面编程,通过预编译方式和运行期动态代理实现程序功能的统一维护的一种技...

2811
来自专栏我和PYTHON有个约会

Django来敲门~第一部分【5.1.项目配置settings.py详解】

我们创建好了一个Python项目(mysite/)之后,需要在项目中添加模块应用(polls/),在模块应用中添加处理功能逻辑,如添加模块中的视图处理函数(po...

1063
来自专栏大内老A

Enterprise Library深入解析与灵活应用(2): 通过SqlDependency实现Cache和Database的同步

对于一个真正的企业级的应用来说,Caching肯定是一个不得不考虑的因素,合理、有效地利用Caching对于增强应用的Performance(减少对基于Pers...

2307

扫码关注云+社区

领取腾讯云代金券