IDscan

This article was last updated: 12 days ago

A simple sensitive-information scanner that probes URLs.

The tool works much like dirsearch; with a large enough wordlist it achieves the same result.

Environment

python3

Libraries used: requests, threadpool

pip install requests threadpool

Main files

  • IDscan
    • get_ip_list.py
      • converts an IP range into a list of IPs, which are then scanned one by one
    • IDscan.py
      • threadpool: multithreading to speed up the scan
      • random User-Agent: a random User-Agent is chosen per target so that requests look less uniform and are harder to block (it is a User-Agent rotation, not a proxy)
    • rules.txt
      • vulnerability rules, one probe per line
    • url_list.txt
      • the targets to be scanned go here

Technical implementation

The script supports three types of scan. The key piece is the network-segment scan: the segment is expanded into a list of IPs and each IP is then scanned in turn.

  • a network segment
  • one or more website URLs
  • a specific port on a host

Detection principle

Each path in rules.txt that may correspond to a leaked resource is appended to the target address and requested. The status code is then checked: a 200 means the resource exists and sensitive information may be exposed. A 200 alone is a weak signal, since many servers answer 200 with a custom "not found" page, which is why a rule can also carry a signature string that must appear in the response body before the hit is reported as a leak.

import random
import requests
import urllib3

# certificate errors are deliberately ignored (verify=False), so silence the warning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def verify(target):
    headers_list = [
    'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0',
    'Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16',
    'Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X) AppleWebKit/602.4.6 (KHTML, like Gecko) Version/10.0 Mobile/14D27 Safari/602.1',
    'Mozilla/5.0 (iPhone; CPU iPhone OS 10_2_1 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/14D27 UCBrowser/11.6.1.1003 Mobile  AliApp(TUnionSDK/0.1.20)',
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1062.0 Safari/536.3",
    "Mozilla/5.0 (Windows NT 6.2) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.3 (KHTML, like Gecko) Chrome/19.0.1061.1 Safari/536.3",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24",
    "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.24 (KHTML, like Gecko) Chrome/19.0.1055.1 Safari/535.24"
    ]
    # one random User-Agent per target
    headers = { 'User-Agent': random.choice(headers_list) }
    # bare IP or ip:port targets from url_list.txt carry no scheme; requests needs one
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    with open('rules.txt', 'r', encoding='utf-8') as f:
        txt = f.readlines()
    for x in txt:
        x = x.strip()
        if not x or x.startswith('#'):
            continue
        # rule format: path|signature|description; missing fields are treated as empty
        u, j, w = (x.split('|') + ['', ''])[:3]
        url = target + u
        try:
            r = requests.get(url, headers=headers, timeout=3, verify=False)  # http
            html = r.text
            if r.status_code == 200:
                # an empty signature means a 200 alone counts as a hit
                if not j or j in html:
                    print('Find: ' + url + ' is Leak !!! Leak is ' + w)
                else:
                    print('Find: ' + url + ' is Exist !!!')
        except requests.RequestException:
            # unreachable host, timeout or malformed URL: move on to the next rule
            pass

Network segment scan

Convert an IP range (start-end) into a list of IPs

# get_ip_list.py: expand a "start-end" IPv4 range into the individual addresses


# decimal 0~255 (one octet) to binary, zero-padded to 8 bits
def dec2bin80(string_num):
    return format(int(string_num), '08b')


# decimal 0~2^32-1 (a whole IPv4 address) to binary, zero-padded to 32 bits
def dec2bin320(string_num):
    return format(int(string_num), '032b')


# decimal to binary without padding (not used by iplist, kept for completeness)
def dec2bin(string_num):
    return format(int(string_num), 'b')


# binary string to decimal string
def bin2dec(string_num):
    return str(int(string_num, 2))


# build the list of every address from start to end, inclusive
def iplist(string_startip, string_endip):

    # split the IP into octets, convert each to 8-bit binary, join to a 32-bit string,
    # then turn that into one integer
    start = string_startip.strip().split('.')
    start_bin = ''.join(dec2bin80(octet) for octet in start)
    start_dec = bin2dec(start_bin)

    end = string_endip.strip().split('.')
    end_bin = ''.join(dec2bin80(octet) for octet in end)
    end_dec = bin2dec(end_bin)

    # the difference of the two integers is the number of addresses between them
    # (a range given backwards yields a negative count and an empty list)
    count = int(end_dec) - int(start_dec)

    ip_list = []
    for i in range(0, count + 1):
        # add i to the start address and convert back to a 32-bit binary string
        address_bin = dec2bin320(str(int(start_dec) + i))
        # cut into four octets and convert each back to decimal
        address = '.'.join(bin2dec(address_bin[k:k + 8]) for k in range(0, 32, 8))
        ip_list.append(address)
    return ip_list

Scan rules

This file lists the paths of commonly exposed sensitive resources, one rule per line in the form path|signature|description. The main program reads it line by line and appends each path to the target before requesting it. When the signature is non-empty it must appear in the response body for the hit to be reported as a leak. A rule that starts with ":port" probes another port on the same host; because the rule is simply appended to the target, such rules only work for targets that carry no port of their own.

/.svn/entries|dir|SVN info leak
/.git/config|[core]|Git info leak
/.git/config|repositoryformatversion|Git info leak
/.git/refs/stash||git stash leak
/CVS/Root||CVS info leak
/CVS/Entries||CVS info leak
/.hg/||.hg source leak
/.bzr/||.bzr info leak
/.DS_Store||DS_Store file leak
/htaccess.txt||access control file leak
/.index.php.swp||vim swap file
/.index.php.swn||vim swap file
/.index.php.swo||vim swap file
/WEB-INF/web.xml|<?xml version=|project configuration (web.xml) leak
/WEB-INF/web.xml|<web-app|project configuration (web.xml) leak
/crossdomain.xml|cross-domain-policy|cross-domain policy file
/icons/|Index of|directory listing
/robots.txt|Disallow|crawler configuration file
/uddiexplorer/SearchPublicRegistries.jsp|Search public registries|WebLogic server-side request forgery
/ws_utc/config.do|tc_container|Oracle WebLogic ws_utc arbitrary file upload
:8080/manage||Jenkins unauthenticated access, command execution
:8080/script||Jenkins unauthenticated access, command execution
:9200/|build_hash|Elasticsearch unauthorized access
:9200/_cat/indices|_river|Elasticsearch unauthorized access
:9200/_river/_search|node|Elasticsearch unauthorized access
:5984/_config/|httpd_design_handlers|CouchDB unauthorized access
:2375/containers/json|[|Docker unauthorized access
:8161/admin/||ActiveMQ unauthorized access
:7001/_async/AsyncResponseService||AsyncResponseService RCE
/test.php||test page
/test.cgi||test page
/info.php||test page
/login.php||admin backend address exposed
/admin.php||admin backend address exposed
/manager.php||admin backend address exposed
/admin_login.php||admin backend address exposed
/.test.php.swp||editor backup file leak
/test.php.bak||editor backup file leak
/test.jsp.old||editor backup file leak
/cgi~||editor backup file leak
/phpmyadmin||phpmyadmin backend exposed
/phpinfo.php||phpinfo page exposed
/basic/index.php||HTTP authentication leak
/www.rar||website backup file
/web.zip||website backup file
/www.zip||website backup file
/sitename.tar.gz||website backup file
/_vti_inf.html||FrontPage info leak
/_vti_pvt/service.pwd||FrontPage pwd file readable
/.bashrc||bashrc info leak
/.bash_profile||profile info leak
/.zshrc||zsh info leak
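As an added example, not code from the IDscan project, here is the detection logic of verify() applied to the rule format just listed, rewritten so that it can be exercised offline. The rule parser tolerates blank lines, comment lines and rules with fewer than three fields; build_url adds the missing scheme to bare IP targets and makes a ":port/" rule replace the target's port instead of being concatenated onto it; classify keeps IDscan's decision (only a 200 counts, an empty signature accepts any 200) and adds one check the page does not have, a soft-404 baseline obtained by requesting a random path first. SAMPLE_RULES, FAKE_SITE, fake_fetch and the host target.test are constructed for this example.

```python
"""Added example, not IDscan's own code: verify()'s detection logic made
testable offline.  SAMPLE_RULES, FAKE_SITE and fake_fetch are constructed."""
import uuid
from urllib.parse import urlsplit, urlunsplit

# constructed sample in the rules.txt format: path|signature|description
SAMPLE_RULES = """\
/.git/config|[core]|Git info leak
/robots.txt|Disallow|crawler config file
/test.php||test page
:9200/|build_hash|Elasticsearch unauthorized access
# comment lines and blank lines must be ignored

/admin.php||admin backend exposed
"""


def parse_rules(text):
    """Return [(path, signature, description)] for every usable line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        # accept 'path', 'path|sig' and 'path|sig|desc'; a missing field is ''
        parts = line.split('|')
        sig = parts[1] if len(parts) > 1 else ''
        desc = '|'.join(parts[2:]) if len(parts) > 2 else ''
        rules.append((parts[0], sig, desc))
    return rules


def build_url(target, path):
    """Join a target with a rule path.  A bare host or ip:port gets http://;
    a rule starting with ':port/' replaces the target's port instead of being
    appended (plain concatenation would give host:81:9200/)."""
    if not target.startswith(('http://', 'https://')):
        target = 'http://' + target
    parts = urlsplit(target)
    if path.startswith(':'):
        port, _, rest = path[1:].partition('/')
        netloc = '%s:%s' % (parts.hostname, port)
        full_path = '/' + rest
    else:
        netloc = parts.netloc
        full_path = parts.path.rstrip('/') + path
    return urlunsplit((parts.scheme, netloc, full_path, '', ''))


def classify(rule, status, body, baseline_body=None):
    """IDscan's decision: only 200 counts, the signature must appear in the body,
    an empty signature accepts any 200.  Added here: a body identical to the
    server's answer for a random missing path is a soft 404, not a finding."""
    path, sig, desc = rule
    if status != 200:
        return None
    if baseline_body is not None and body == baseline_body:
        return None
    if not sig or sig in body:
        return ('Leak', desc)
    return ('Exist', desc)


def scan_target(target, rules, fetch):
    """Run every rule against one target.  fetch(url) -> (status, body) is
    injected so the logic runs offline; a real scanner wraps requests.get here.
    A probe of a random path establishes the soft-404 baseline first."""
    try:
        status, body = fetch(build_url(target, '/' + uuid.uuid4().hex))
        baseline = body if status == 200 else None
    except Exception:
        baseline = None
    findings = []
    for rule in rules:
        url = build_url(target, rule[0])
        try:
            status, body = fetch(url)
        except Exception:
            continue  # closed port, timeout, bad URL: skip this rule
        verdict = classify(rule, status, body, baseline)
        if verdict:
            findings.append((url,) + verdict)
    return findings


# constructed fake site: unknown paths get a 200 with a "not found" page (soft 404)
FAKE_SITE = {
    'http://target.test/.git/config': (200, '[core]\n\trepositoryformatversion = 0\n'),
    'http://target.test/robots.txt': (200, 'User-agent: *\nDisallow: /admin/\n'),
    'http://target.test/admin.php': (200, '<html>login</html>'),
}


def fake_fetch(url):
    if url.startswith('http://target.test:9200/'):
        raise ConnectionError('port closed')
    return FAKE_SITE.get(url, (200, '<html>Page not found</html>'))


if __name__ == '__main__':
    for url, verdict, desc in scan_target('target.test', parse_rules(SAMPLE_RULES), fake_fetch):
        print('Find: %s is %s !!! %s' % (url, verdict, desc))
```

Against the fake site, /test.php answers 200 but with the same body as the random path, so the baseline check drops it; without that check IDscan's rule ("empty signature, any 200") would report it as a leak on every server that serves a custom not-found page.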

Main function

import re
import threadpool
import get_ip_list


# minimal IPv4 / IPv4:port check; the original page does not show this helper
def checkip(s):
    return re.fullmatch(r'(\d{1,3}\.){3}\d{1,3}(:\d{1,5})?', s.strip()) is not None


def main():
    print('*'*35+'''\nIDscan V3.0\n
Information disclosure Check.\n'''+'*'*35)
    with open('url_list.txt','r',encoding='utf-8') as f:
        url_l = f.readlines()
    # up to 255 workers (one per host of a /24); each worker runs verify() for one target
    pool = threadpool.ThreadPool(255)
    ipl = []
    for i in url_l:
        i = i.strip()
        if not i:
            continue
        if i.startswith(('http://', 'https://')): # website url, scheme included
            ipl.append(i)
        elif '-' in i: # network segment: start-end
            start_ip,end_ip = i.split('-', 1)
            ipl.extend(get_ip_list.iplist(start_ip,end_ip))
        elif checkip(i): # bare IP or IP:port
            ipl.append(i)
        else:
            print('Unknown form IP:'+i)
    print('Start...')

    # one work item per target, each calling verify(target) (defined earlier in IDscan.py)
    rethr = threadpool.makeRequests(verify, ipl) # connect rules
    for req in rethr:
        pool.putRequest(req)
    pool.wait()

    print('End...')


if __name__ == '__main__':
    main()

How to use url_list.txt

  • If you want to scan a network segment (inclusive start-end range, one per line)

    192.168.0.0-192.168.0.255
    192.167.36.24-192.168.39.255
  • If you want to scan a specific port

    192.168.0.1:8081
  • If you want to scan a website URL (scheme required; a non-default port goes after the host)

    http://www.baidu.com
    https://www.baidu.com
    http://www.baidu.com:81
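As an added example, not the project's own code, covering both the range expansion in get_ip_list.py and the line handling in main(): the following turns one url_list.txt line into concrete targets with the standard ipaddress module. It accepts the three forms above and, as an extension beyond the page's format, CIDR notation. It also rejects reversed ranges and invalid octets, which the page's iplist() silently turns into an empty list or wrong addresses, and caps how many addresses a single line may produce. MAX_RANGE, TargetError and the cap value are choices made for this example.

```python
"""Added example, not IDscan's own code: expand one url_list.txt line into
scan targets with the standard ipaddress module.  CIDR support, MAX_RANGE and
TargetError are this example's additions to the page's format."""
import ipaddress
import re

IP_PORT_RE = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?$')
# refuse to expand more addresses than this from one line (a /8 is 16M targets)
MAX_RANGE = 65536


class TargetError(ValueError):
    """A line that cannot be turned into targets."""


def _ipv4(text, line):
    try:
        return ipaddress.IPv4Address(text.strip())
    except ipaddress.AddressValueError as e:
        raise TargetError('bad address in %r: %s' % (line, e))


def expand_targets(line):
    """Return the list of targets for one line, or raise TargetError."""
    line = line.strip()
    if not line or line.startswith('#'):
        return []
    if line.startswith(('http://', 'https://')):  # website URL, used as-is
        return [line]
    if '/' in line:  # CIDR, e.g. 10.0.0.0/24 (extension, not in the page's format)
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as e:
            raise TargetError('bad network %r: %s' % (line, e))
        if net.num_addresses > MAX_RANGE:
            raise TargetError('%s expands to %d addresses' % (line, net.num_addresses))
        return [str(ip) for ip in net]
    if '-' in line:  # start-end, inclusive, as the page's iplist() does
        start_s, _, end_s = line.partition('-')
        start, end = _ipv4(start_s, line), _ipv4(end_s, line)
        if end < start:
            raise TargetError('range %r runs backwards' % line)
        count = int(end) - int(start) + 1
        if count > MAX_RANGE:
            raise TargetError('%s expands to %d addresses' % (line, count))
        return [str(ipaddress.IPv4Address(int(start) + i)) for i in range(count)]
    m = IP_PORT_RE.match(line)
    if m:  # bare IP or IP:port
        _ipv4(m.group(1), line)  # rejects octets above 255
        port = m.group(2)
        if port is not None and not 0 < int(port) < 65536:
            raise TargetError('bad port in %r' % line)
        return [line]
    raise TargetError('unknown target form: %r' % line)


def load_targets(text):
    """Expand every line of a url_list.txt body; bad lines are reported, not fatal."""
    targets, errors = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            targets.extend(expand_targets(raw))
        except TargetError as e:
            errors.append('line %d: %s' % (n, e))
    return targets, errors


if __name__ == '__main__':
    sample = '192.168.0.0-192.168.0.3\n192.168.0.1:8081\nhttp://www.baidu.com:81\n10.0.1.1-10.0.0.1\n'
    found, problems = load_targets(sample)
    print('\n'.join(found))
    print('\n'.join(problems))
```

Unlike main() above, a malformed line is collected as an error with its line number rather than printed and forgotten, so a typo in a large target file does not silently shrink the scan.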

Scan result against baidu

[screenshot: scan output for www.baidu.com]

Reference:

https://github.com/zhaijiahui/IDscan


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.


Copyright © 2020 my blog