打造全自动漏洞赏金扫描工具
0x01 说明
本次用到的平台是:https://chaos.projectdiscovery.io/,该平台收集国外各大漏洞赏金平台,目前拥有资产规模大概在1600 0000~1800 0000,很可怕的数量 ,并且每小时都在增加或减少,对接非常多的第三方自建赏金平台,这比我们自己去收集某个平台会来的多,挖到的概率也更大。
0x02 自动化方案流程
- 使用脚本去获取projectdiscovery平台的所有资产,资产侦察与收集就交给projectdiscovery了
- 把下载的资产对比上次Master domain数据,判断当前是否有新增资产出现,如果没有就结束 ,就等待下一次循环
- 如果有,就把新增的资产提取出来,创建临时文件,并把新资产加入到Masterdomain
- 把新增资产使用naabu 进行端口扫描,把开放的端口使用httpx来验证,提取http存活资产
- 把http存活资产送往nuclei进行漏洞扫描,同时也送往Xray,默认使用Xray的基础爬虫功能扫描常见漏洞
- Xray的扫描结果保存成xray-new-$(date +%F-%T).html,也可以同时添加webhook模式推送
- nuclei漏洞扫描结果用notify实时推送、 nuclei与xray都扫描结束后 ,等待下一次循环,这一切都是自动去执行
0x03 准备工作
先安装这些工具,并设置好软链接,能全局使用,这些工具安装很简单,不再阐述,github也有 安装教程
- Centos7+ 64 位 配置 4H 4G起 【服务器一台】
- chaospy【资产侦查、资产下载】 https://github.com/PhotonBolt/chaospy
- unzip 【解压】
- anew 【过滤重复】 https://github.com/tomnomnom/anew
- naabu【端口扫描】 https://github.com/projectdiscovery/naabu
- httpx 【存活检测】 https://github.com/projectdiscovery/httpx
- nuclei 【漏洞扫描】 https://nuclei.projectdiscovery.io/
- Xray 【漏洞扫描】 https://download.xray.cool/
- python 【微信通知】
- notify 【漏洞通知】 notify比较成熟的推送方案
服务器推荐vultr,可以用我的推荐链接:https://www.vultr.com/?ref=9059107-8H
0x04 关于notify通知相关配置
notify安装与配置:https://github.com/projectdiscovery/notify
配置文件(没有就创建这个文件):/root/.config/notify/provider-config.yaml
修改通知配置 即可,比如我使用的通知是电报 和 邮件(配置任意一个即可)
测试效果
subfinder -d hackerone.com | notify -provider telegram
我这是设置是电报通知,执行结束后,如果能收到结果,那通知这块就没问题,可以下一步了
0x05 部署过程
请确保上面提到的工具都已安装好,现在我们来构造一个sh脚本文件,这个脚本就把上面说的流 程都做了一遍
命名为: wadong.sh , 添加执行权限: chmod +x wadong.sh
wadong.sh 脚本主要 完成 资产侦察资产收集、端口扫描,去重检测,存活探测,漏洞扫描,结果通知的功能
脚本:
#!/bin/bash
# 使用chaospy,只下载有赏金资产数据
#python3 chaospy.py --download-hackerone
#python3 chaospy.py --download-rewards #下载所有赏金资产
#./chaospy.py --download-bugcrowd 下载 BugCrowd 资产
#./chaospy.py --download-hackerone 下载 Hackerone 资产
#./chaospy.py --download-intigriti 下载 Intigriti 资产
#./chaospy.py --download-external 下载自托管资产
#./chaospy.py --download-swags 下载程序 Swags 资产
#./chaospy.py --download-rewards 下载有奖励的资产
#./chaospy.py --download-norewards 下载没有奖励的资产
#对下载的进行解压,使用awk把结果与上次的做对比,检测是否有新增
if ls | grep ".zip" &> /dev/null; then
unzip '*.zip' &> /dev/null
cat *.txt >> newdomains.md
rm -f *.txt
awk 'NR==FNR{lines[$0];next} !($0 in lines)' alltargets.txtls newdomains.md >> domains.txtls
rm -f newdomains.md
################################################################################## 发送新增资产手机通知
echo "资产侦察结束 $(date +%F-%T)" | notify -silent -provider telegram
echo "找到新域 $(wc -l < domains.txtls) 个" | notify -silent -provider telegram
################################################################################## 更新nuclei漏洞扫描模板
nuclei -silent -update
nuclei -silent -ut
rm -f *.zip
else
echo "没有找到新程序" | notify -silent -provider telegram
fi
if [ -s domains.txtls ];then
echo "开始使用 naabu 对新增资产端口扫描" | notify -silent -provider telegram
fine_line=$(cat domains.txtls | wc -l )
num=1
K=10000
j=true
F=0
while $j
do
echo $fine_line
if [ $num -lt $fine_line ];then
m=$(($num+$K))
sed -n ''$num','$m'p' domains.txtls >> domaint.txtls
((num=num+$m))
naabu -stats -l domaint.txtls -p 80,443,8080,2053,2087,2096,8443,2083,2086,2095,8880,2052,2082,3443,8791,8887,8888,444,9443,2443,10000,10001,8082,8444,20000,8081,8445,8446,8447 -silent -o open-domain.txtls &> /dev/null | echo "端口扫描"
echo "端口扫描结束,开始使用httpx探测存活" | notify -silent -provider telegram
httpx -silent -stats -l open-domain.txtls -fl 0 -mc 200,302,403,404,204,303,400,401 -o newurls.txtls &> /dev/null
echo "httpx共找到存活资产 $(wc -l < newurls.txtls) 个" | notify -silent -provider telegram
cat newurls.txtls >new-active-$(date +%F-%T).txt #保存新增资产记录
cat domaint.txtls >> alltargets.txtls
echo "已将存活资产存在加入到历史缓存 $(date +%F-%T)" | notify -silent -provider telegram
echo "开始使用 nuclei 对新增资产进行漏洞扫描" | notify -silent -provider telegram
cat newurls.txtls | nuclei -rl 300 -bs 35 -c 30 -mhe 10 -ni -o res-all-vulnerability-results.txt -stats -silent -severity critical,medium,high,low | notify -silent -provider telegram
echo "nuclei 漏洞扫描结束" | notify -silent -provider telegram
#使用xray扫描,记得配好webhook,不配就删掉这项,保存成文件也可以
#echo "开始使用 xray 对新增资产进行漏洞扫描" | notify -silent -provider telegram
#xray_linux_amd64 webscan --url-file newurls.txtls --webhook-output http://www.qq.com/webhook --html-output xray-new-$(date +%F-%T).html
#echo "xray 漏洞扫描结束,xray漏洞报告请上服务器查看" | notify -silent -provider telegram
rm -f open-domain.txtls
rm -f domaint.txtls
rm -f newurls.txtls
else
echo "ssss"
j = false
sed -n ''$num','$find_line'p' domains.txtls domaint.txtls
naabu -stats -l domaint.txtls -p 80,443,8080,2053,2087,2096,8443,2083,2086,2095,8880,2052,2082,3443,8791,8887,8888,444,9443,2443,10000,10001,8082,8444,20000,8081,8445,8446,8447 -silent -o open-domain.txtls &> /dev/null | echo "端口扫描"
echo "端口扫描结束,开始使用httpx探测存活" | notify -silent -provider telegram
httpx -silent -stats -l open-domain.txtls -fl 0 -mc 200,302,403,404,204,303,400,401 -o newurls.txtls &> /dev/null
echo "httpx共找到存活资产 $(wc -l < newurls.txtls) 个" | notify -silent -provider telegram
cat newurls.txtls >new-active-$(date +%F-%T).txt #保存新增资产记录
cat domaint.txtls >> alltargets.txtls
echo "已将存活资产存在加入到历史缓存 $(date +%F-%T)" | notify -silent -provider telegram
echo "开始使用 nuclei 对新增资产进行漏洞扫描" | notify -silent -provider telegram
cat newurls.txtls | nuclei -rl 300 -bs 35 -c 30 -mhe 10 -ni -o res-all-vulnerability-results.txt -stats -silent -severity critical,medium,high,low | notify -silent -provider telegram
echo "nuclei 漏洞扫描结束" | notify -silent -provider telegram
#使用xray扫描,记得配好webhook,不配就删掉这项,保存成文件也可以
#echo "开始使用 xray 对新增资产进行漏洞扫描" | notify -silent -provider telegram
#xray_linux_amd64 webscan --url-file newurls.txtls --webhook-output http://www.qq.com/webhook --html-output xray-new-$(date +%F-%T).html
#echo "xray 漏洞扫描结束,xray漏洞报告请上服务器查看" | notify -silent -provider telegram
rm -f open-domain.txtls
rm -f domaint.txtls
rm -f newurls.txtls
fi
done
rm -f domains.txtls
else
################################################################################## Send result to notify if no new domains found
echo "没有新域 $(date +%F-%T)" | notify -silent -provider telegram
fi
再构建一个first.sh文件,这个脚本只执行一次就行,后续也就用不到了, 主要用于第一次产生历 史缓存域,标记为旧资产
添加执行权限: chmod +x first.sh
#!/bin/bash # 使用chaospy,只下载有赏金资产数据 ./chaospy.py --download-new ./chaospy.py --download-rewards #对下载的进行解压, if ls | grep ".zip" &> /dev/null; then unzip '*.zip' &> /dev/null rm -f alltargets.txtls cat *.txt >> alltargets.txtls rm -f *.txt rm -f *.zip echo "找到域 $(wc -l < alltargets.txtls) 个,已保存成缓存文件alltargets.txt" fi
0x06 开始赏金自动化
在确保以上工具都安装好的情况下
1、执行 first.sh 脚本,让本地产生足够多的缓存域名,标记为旧资产
./first.sh2、循环执行bbautomation.sh脚本,sleep 3600秒 就是每小时一次,也就是脚本
xunhuan.sh:
#!/bin/bash
while true; do ./wadong.sh;sleep 3600; done3.chaospy脚本已做了大概修改,优化延迟扫描时间和报错#!/usr/bin/python3import requestsimport time,os,argparse
#ColorsBlack = "\033[30m"Red = "\033[31m"Green = "\033[32m"Yellow = "\033[33m"Blue = "\033[34m"Magenta = "\033[35m"Cyan = "\033[36m"LightGray = "\033[37m"DarkGray = "\033[90m"LightRed = "\033[91m"LightGreen = "\033[92m"LightYellow = "\033[93m"LightBlue = "\033[94m"LightMagenta = "\033[95m"LightCyan = "\033[96m"White = "\033[97m"Default = '\033[0m'
banner= """
%s ________ ____ / ____/ /_ ____ _____ _____/ __ \__ __ / / / __ \/ __ `/ __ \/ ___/ /_/ / / / / / /___/ / / / /_/ / /_/ (__ ) ____/ /_/ / \____/_/ /_/\__,_/\____/____/_/ \__, / /____/ %s Small Tool written based on chaos from projectdiscovery.io %s https://chaos.projectdiscovery.io/ %s *Author -> Moaaz (https://twitter.com/photonbo1t)*
%s \n """%(LightGreen,Yellow,DarkGray,DarkGray,Default)
parser = argparse.ArgumentParser(description='ChaosPY Tool')
parser.add_argument('-list',dest='list',help='List all programs',action='store_true')parser.add_argument('--list-bugcrowd',dest='list_bugcrowd',help='List BugCrowd programs',action='store_true')parser.add_argument('--list-hackerone',dest='list_hackerone',help='List Hackerone programs',action='store_true')parser.add_argument('--list-intigriti',dest='list_intigriti',help='List Intigriti programs',action='store_true')parser.add_argument('--list-external',dest='list_external',help='List Self Hosted programs',action='store_true')parser.add_argument('--list-swags',dest='list_swags',help='List programs Swags Offers',action='store_true')parser.add_argument('--list-rewards',dest='list_rewards',help='List programs with rewards',action='store_true')parser.add_argument('--list-norewards',dest='list_norewards',help='List programs with no rewards',action='store_true')parser.add_argument('--list-new',dest='list_new',help='List new programs',action='store_true')parser.add_argument('--list-updated',dest='list_updated',help='List updated programs',action='store_true')
parser.add_argument('-download',dest='download',help='Download Specific Program')
parser.add_argument('--download-all',dest='download_all',help='Download all programs',action='store_true')parser.add_argument('--download-bugcrowd',dest='download_bugcrowd',help='Download BugCrowd programs',action='store_true')parser.add_argument('--download-hackerone',dest='download_hackerone',help='Download Hackerone programs',action='store_true')parser.add_argument('--download-intigriti',dest='download_intigriti',help='Download intigriti programs',action='store_true')parser.add_argument('--download-external',dest='download_external',help='Download external programs',action='store_true')parser.add_argument('--download-swags',dest='download_swags',help='Download programs Swags Offers',action='store_true')parser.add_argument('--download-rewards',dest='download_rewards',help='Download programs with rewards',action='store_true')parser.add_argument('--download-norewards',dest='download_norewards',help='Download programs with no rewards',action='store_true')parser.add_argument('--download-new',dest='download_new',help='Download new programs',action='store_true')parser.add_argument('--download-updated',dest='download_updated',help='Download updated programs',action='store_true')
args = parser.parse_args()
os.system('clear')ls = args.listlist_bugcrowd = args.list_bugcrowdlist_hackerone=args.list_hackeronelist_intigriti=args.list_intigritilist_external=args.list_externallist_swags=args.list_swagslist_rewards=args.list_rewardslist_norewards=args.list_norewardslist_new=args.list_newlist_updated=args.list_updated
download = args.download
download_all= args.download_alldownload_bugcrowd = args.download_bugcrowddownload_hackerone=args.download_hackeronedownload_intigriti=args.download_intigritidownload_external=args.download_externaldownload_swags=args.download_swagsdownload_rewards=args.download_rewardsdownload_norewards=args.download_norewardsdownload_new=args.download_newdownload_updated=args.download_updated
print (banner)
def getdata(): url = "https://chaos-data.projectdiscovery.io/index.json" insuer = True while insuer: try: source= requests.get(url) print("爬取完毕!") insuer = False except: print("存在延迟!") time.sleep(10)
return source.json()
def info(): new = 0 hackerone = 0 bugcrowd= 0 intigriti = 0 external = 0 changed = 0 subdomains = 0 rewards= 0 norewards= 0 swags= 0
for item in getdata(): if item['is_new'] is True: new += 1 if item['platform'] == "hackerone": hackerone +=1 if item['platform'] == "bugcrowd": bugcrowd += 1 if item['platform'] == "intigriti": intigriti += 1 else: external += 1 if item['change'] != 0: changed +=1 subdomains = subdomains +item['count'] if item['bounty'] is True: rewards += 1 else: norewards += 1 if 'swag' in item: swags +=1
print(White+"[!] Programs Last Updated {}".format(item['last_updated'][:10])) print(LightGreen+"[!] {} Subdomains.".format(subdomains)) print(Green+"[!] {} Programs.".format(len(getdata()))+Default) print(LightCyan+"[!] {} Programs changed.".format(changed)+Default) print(Blue+"[!] {} New programs.".format(new)+Default) print(LightGray+"[!] {} HackerOne programs.".format(hackerone)+Default) print(Magenta+"[!] {} Intigriti programs.".format(intigriti)+Default) print(Yellow+"[!] {} BugCrowd programs.".format(bugcrowd)+Default) print(LightGreen+"[!] {} Self hosted programs.".format(external)+Default) print(Cyan+"[!] {} Programs With Rewards.".format(rewards)+Default) print(Yellow+"[!] {} Programs Offers Swags.".format(swags)+Default) print(LightRed+"[!] {} No Rewards programs.".format(norewards)+Default)
def down(): print(download) for item in getdata(): if item['name'] == download: print(LightGreen+"[!] Program Found."+Default) print(Cyan+"[!] Downloading",download, "..."+Default) url = item['URL'] resp = requests.get(url) zname= download+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] {} File successfully downloaded.".format(zname)+Default)
def list_all(): print(White+"[!] Listing all Programs. \n"+Default) for item in getdata(): print (Blue+item['name']+Default)
def bugcrowd(): print(Yellow+"[!] Listing Bugcrowd Programs."+Default) for item in getdata(): if item['platform'] == "bugcrowd": print (Yellow+item['name']+Default)
def hackerone(): print(White+"[!] Listing HackerOne Programs."+Default) for item in getdata(): if item['platform'] == "hackerone": print (White+item['name']+Default)
def intigriti(): print(Magenta+"[!] Listing intigriti Programs."+Default) for item in getdata(): if item['platform'] == "hackerone": print (Magenta+item['name']+Default)
def external(): print(Cyan+"[!] Listing External Programs."+Default) for item in getdata(): if item['platform'] == "": print (Cyan+item['name']+Default)
def swags(): print(LightGreen+"[!] Listing Swag Programs."+Default) for item in getdata(): if 'swag' in item: print (LightGreen+item['name']+Default)
def rewards(): print(Cyan+"[!] Listing Rewards Programs."+Default) for item in getdata(): if item['bounty'] == True: print (Cyan+item['name']+Default)
def norewards(): print(Red+"[!] Listing NORewards Programs."+Default) for item in getdata(): if item['bounty'] == False: print (Red+item['name']+Default)
def new(): print(LightGreen+"[!] Listing New Programs."+Default) for item in getdata(): if item['is_new'] == True: print (LightGreen+item['name']+Default)
def changed(): print(Cyan+"[!] Listing Updated Programs."+Default) for item in getdata(): if item['change'] != 0: print (Cyan+item['name']+Default)
def all_down(): for item in getdata(): print(Blue+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All Programs successfully downloaded."+Default)
def bc_down(): for item in getdata(): if item['platform'] == "bugcrowd": print(Yellow+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All BugCrowd programs successfully downloaded."+Default)
def h1_down(): for item in getdata(): if item['platform'] == "hackerone": print(White+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All HackerOne programs successfully downloaded."+Default)
def intigriti_down(): for item in getdata(): if item['platform'] == "intigriti": print(Magenta+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All intigriti programs successfully downloaded."+Default)
def external_down(): for item in getdata(): if item['platform'] == "": print(White+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All External programs successfully downloaded."+Default)
def new_down(): for item in getdata(): if item['is_new'] is True: print(Cyan+"[!] Downloading {} ".format(item['name']),end="\r"+Default) insuer = True while insuer: try: resp = requests.get(item['URL']) print("爬取完毕") insuer = False except: print("存在延时!") time.sleep(5) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All New programs successfully downloaded."+Default)
def updated_down(): for item in getdata(): if item['change'] != 0: print(Blue+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All Updated programs successfully downloaded."+Default)
def swags_down(): for item in getdata(): if 'swag' in item: print(LightYellow+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All Swags programs successfully downloaded."+Default)
def rewards_down(): for item in getdata(): if item['bounty'] is True: print(Cyan+"[!] Downloading {} ".format(item['name']),end="\r"+Default) insuer = True while insuer: try: resp = requests.get(item['URL']) print("爬取完毕") insuer = False except: print("存在延时!") time.sleep(5)
zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All Bounty programs successfully downloaded."+Default)
def norewards_down(): for item in getdata(): if item['bounty'] is False: print(LightRed+"[!] Downloading {} ".format(item['name']),end="\r"+Default) resp = requests.get(item['URL']) zname= item['name']+".zip" zfile = open(zname, 'wb') zfile.write(resp.content) zfile.close() print(LightGreen+"[!] All Norewards programs successfully downloaded."+Default)
def main(): info() if download is not None: down() if download_all : all_down() if ls : list_all() if list_bugcrowd: bugcrowd() if list_hackerone: hackerone() if list_external: external() if list_swags: swags() if list_rewards: rewards() if list_norewards: norewards() if list_new: new() if list_updated: changed() if download_bugcrowd: bc_down() if download_hackerone: h1_down() if download_intigriti: intigriti_down() if download_external: external_down() if download_swags: swags_down() if download_rewards: rewards_down() if download_norewards: norewards_down() if download_new: new_down() if download_updated: updated_down()
if __name__ == '__main__': main()0x07 最后
建议在 Digital Ocean 或 vultr 等 VPS 系统上运行这些程序,启一个后台线程即可,建议使用tmux的后台功能
这样扫描到重复漏洞会非常少的,也会更加容易获取赏金,将更多的关注新资产漏洞
资产侦察 资产收集、端口扫描,去重检测,存活探测,漏洞扫描,全自动化,结果通知,全部自动化了,即使睡觉也在挖洞
