NSE代码生成器 | Nmap 脚本

意大利的猫

发布于 2020-08-20 14:48:14

6230

发布于 2020-08-20 14:48:14

文章被收录于专栏：漫流砂漫流砂

这一段时间总是出现各种漏洞，我一般用Nmap写的都是渗透测试脚本，基本上都是http请求，每次写都要去修修改改，比较烦，所以我用 Python 写了一个"代码生成器"

"""
    想写一个nmap的脚本http包生成器， Python3里似乎没有能够解析http请求包的库，自己写吧
    http 请求包似乎可以分为三个部分，请求头、中间的配置项、post的数据
    可以使用readlines 的第一个元素来获取请求头

"""
import sys


# 定义一些全局变量
HTTP_METHOD = None
HTTP_PATH = None
HTTP_VERSION = None
HTTP_OPTIONS = []
HTTP_DATA = ""


def make_data(http_req):
    global HTTP_METHOD
    global HTTP_PATH
    global HTTP_VERSION
    global HTTP_OPTIONS
    global HTTP_DATA

    HTTP_METHOD = http_req[0].split()[0]
    HTTP_PATH = http_req[0].split()[1]
    HTTP_VERSION = http_req[0].split()[2]

    # 定位http包的头与数据之间的空行
    blank_flag = 100000
    for i in range(1, len(http_req)):
        if i < blank_flag and http_req[i] != '\n':
            HTTP_OPTIONS.append("".join(http_req[i]))
        elif i < blank_flag and http_req[i] == '\n':
            blank_flag = i
        else:
            HTTP_DATA = HTTP_DATA + http_req[i]


def make_options():
    options_code = """
    local options = {header = {}, content = {}}
    """
    for i in HTTP_OPTIONS:
        key = i.strip().split(':')[0]
        val = i.strip().split(':')[1][1:]
        if key != "Host" and key != "Content-Length":
            options_code = options_code + """options["header"]["{0}"] = "{1}"
        """.format(key, val)
    options_code = options_code + """options["content"] = postdatas"""
    return options_code


# 这个函数用来输出lua格式的代码
def output_lua():
    lua_codes = """
local stdnse = require "stdnse"
local shortport = require "shortport"
local http = require "http"

description = "sth"
author = "test94"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {{"default"}}


prerule = function()
    print("-----------------------------------")
    print("[+] start ... ")
    print("[-] (if port is filtered, nothing will be checked)")
    print("")
end

portrule = shortport.service({{"http", "https", "afs3-callback", "http-proxy"}})

local postdatas = [[
{0}
]]

action = function(host, port)
    local output = stdnse.output_table()
    output.result = "not vulnerable"
    {1}
    
    local req = http.generic_request(host, port, "{2}", "{3}", options)
    return output
end
"""
    # print(lua_codes.format(HTTP_DATA, "header", HTTP_METHOD, HTTP_PATH))
    global HTTP_OPTIONS
    HTTP_OPTIONS = make_options()
    print(lua_codes.format(HTTP_DATA, HTTP_OPTIONS, HTTP_METHOD, HTTP_PATH))


def main(filename):
    f = open(filename, 'r')
    http_req = f.readlines()
    f.close()
    make_data(http_req)
    output_lua()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 nmap_helper.py http_req.txt")
    else:
        main(sys.argv[1])

使用如下：