New vulnerabilities keep dropping lately. The Nmap scripts I write are almost all pentest PoCs, and nearly every one boils down to sending an HTTP request; editing the same boilerplate each time got tedious, so I wrote a small "code generator" in Python.
"""
想写一个nmap的脚本http包生成器, Python3里似乎没有能够解析http请求包的库,自己写吧
http 请求包似乎可以分为三个部分,请求头、中间的配置项、post的数据
可以使用readlines 的第一个元素来获取请求头
"""
import sys
# 定义一些全局变量
HTTP_METHOD = None
HTTP_PATH = None
HTTP_VERSION = None
HTTP_OPTIONS = []
HTTP_DATA = ""
def make_data(http_req):
global HTTP_METHOD
global HTTP_PATH
global HTTP_VERSION
global HTTP_OPTIONS
global HTTP_DATA
HTTP_METHOD = http_req[0].split()[0]
HTTP_PATH = http_req[0].split()[1]
HTTP_VERSION = http_req[0].split()[2]
# 定位http包的头与数据之间的空行
blank_flag = 100000
for i in range(1, len(http_req)):
if i < blank_flag and http_req[i] != '\n':
HTTP_OPTIONS.append("".join(http_req[i]))
elif i < blank_flag and http_req[i] == '\n':
blank_flag = i
else:
HTTP_DATA = HTTP_DATA + http_req[i]
def make_options():
options_code = """
local options = {header = {}, content = {}}
"""
for i in HTTP_OPTIONS:
key = i.strip().split(':')[0]
val = i.strip().split(':')[1][1:]
if key != "Host" and key != "Content-Length":
options_code = options_code + """options["header"]["{0}"] = "{1}"
""".format(key, val)
options_code = options_code + """options["content"] = postdatas"""
return options_code
# 这个函数用来输出lua格式的代码
def output_lua():
lua_codes = """
local stdnse = require "stdnse"
local shortport = require "shortport"
local http = require "http"
description = "sth"
author = "test94"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {{"default"}}
prerule = function()
print("-----------------------------------")
print("[+] start ... ")
print("[-] (if port is filtered, nothing will be checked)")
print("")
end
portrule = shortport.service({{"http", "https", "afs3-callback", "http-proxy"}})
local postdatas = [[
{0}
]]
action = function(host, port)
local output = stdnse.output_table()
output.result = "not vulnerable"
{1}
local req = http.generic_request(host, port, "{2}", "{3}", options)
return output
end
"""
# print(lua_codes.format(HTTP_DATA, "header", HTTP_METHOD, HTTP_PATH))
global HTTP_OPTIONS
HTTP_OPTIONS = make_options()
print(lua_codes.format(HTTP_DATA, HTTP_OPTIONS, HTTP_METHOD, HTTP_PATH))
def main(filename):
f = open(filename, 'r')
http_req = f.readlines()
f.close()
make_data(http_req)
output_lua()
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: python3 nmap_helper.py http_req.txt")
else:
main(sys.argv[1])
Usage:
The input is the PoC request for Tongda OA (通达OA) from earlier, reused here as the test case.
python3 nmap_helper.py http_req.txt
As you can see, it emits the Nmap NSE code that sends this HTTP request straight away. Parsing the response and deciding whether the target is vulnerable is left to you.
To write the script to a file instead of stdout, run python3 nmap_helper.py http_req.txt > poc.nse
Capturing the request the generated script sends:
Good, no problems.
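The splitter in nmap_helper.py assumes a single colon per header line, a body that never contains `]]`, and a body without carriage returns. As an added example (not part of the original script, and the request it parses is a constructed sample, not a real PoC), here is a stricter parser plus Lua-safe emission of the `options` table that http.generic_request expects. It splits header names from values on the first colon only, honours Content-Length so a newline the editor appended after the body is not sent, escapes quotes and backslashes in header values, picks a long-bracket level (`[=[ ... ]=]`) that does not occur in the body, and falls back to a `\ddd`-escaped quoted string when the body contains CR or non-printable bytes, because Lua normalises CR and CRLF inside long brackets to LF, which would corrupt a multipart body. The `SKIP_HEADERS` set mirrors the original script's choice to drop Host and Content-Length, which Nmap's http library fills in itself.

```python
# Added example, not part of nmap_helper.py: stricter raw-HTTP-request parsing and
# Lua-safe emission of the options table for http.generic_request().
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample request (not a real target or PoC). It has CRLF line endings, a Host
# with a port, a Referer containing ':' and '/', a double quote in User-Agent, a body that
# contains ']]', and a trailing CRLF that Content-Length excludes.
SAMPLE_REQUEST = (
    b"POST /api/login HTTP/1.1\r\n"
    b"Host: 192.0.2.10:8080\r\n"
    b'User-Agent: Mozilla/5.0 (X11; Linux x86_64) "test"\r\n'
    b"Referer: http://192.0.2.10:8080/index.php?a=1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b"user=admin&pass=a]]b&x=1\r\n"
)

# Nmap's http.lua derives these from host/port and options.content, so they are not copied
SKIP_HEADERS = {"host", "content-length"}


@dataclass
class HttpRequest:
    method: str
    path: str
    version: str
    headers: List[Tuple[str, str]]
    body: str   # latin-1 decoded, so every byte maps to exactly one code point


def parse_request(raw: bytes) -> HttpRequest:
    # Header block and body are separated by the first empty line (CRLF or bare LF)
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, path, version = parts
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")   # first colon only: "Host: a:8080" survives
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip(), value.strip()))
    # Honour a plausible Content-Length so an editor-added trailing newline is not sent
    for name, value in headers:
        if name.lower() == "content-length" and value.isdigit() and int(value) <= len(body):
            body = body[: int(value)]
    return HttpRequest(method, path, version, headers, body.decode("latin-1"))


def lua_quoted(text: str) -> str:
    """Double-quoted Lua literal; bytes outside printable ASCII become \\ddd escapes."""
    out = ['"']
    for ch in text:
        code = ord(ch)
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif 0x20 <= code < 0x7F:
            out.append(ch)
        else:
            out.append("\\%03d" % code)   # always 3 digits so a following digit is not swallowed
    out.append('"')
    return "".join(out)


def lua_body_literal(body: str) -> str:
    """Long bracket when safe, else an escaped quoted string.
    Lua turns CR/CRLF inside long brackets into LF and ends the string at the first closing
    bracket of the same level, so the level is chosen to be absent from the body, and any CR
    or non-printable byte forces the quoted form."""
    if all(ch in "\n\t" or 0x20 <= ord(ch) < 0x7F for ch in body):
        level = 0
        while "]" + "=" * level + "]" in body:
            level += 1
        eq = "=" * level
        return "[%s[\n%s]%s]" % (eq, body, eq)   # Lua skips the newline right after the opener
    return lua_quoted(body)


def lua_options(req: HttpRequest) -> str:
    """The options block for http.generic_request(host, port, method, path, options)."""
    lines = ["local options = {header = {}}"]
    for name, value in req.headers:
        if name.lower() in SKIP_HEADERS:
            continue
        lines.append("options.header[%s] = %s" % (lua_quoted(name), lua_quoted(value)))
    if req.body:
        lines.append("options.content = " + lua_body_literal(req.body))
    return "\n".join(lines)


if __name__ == "__main__":
    print(lua_options(parse_request(SAMPLE_REQUEST)))
```

Run stand-alone it prints the Lua `options` block for the sample: the Referer keeps its full URL, the quote in User-Agent is escaped, Host and Content-Length are absent, and the body comes out as `[=[ ... ]=]` because plain `[[ ... ]]` would end at the `]]` inside the password.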
Script download:
http://www.my-synology.cn:37980/sharing/ioRM045GX
Password: helper