  • python 信息收集器和CMS识别脚本

     

    前言:

    信息收集是渗透测试重要的一部分

    这次我总结了前几次写的经验,将其

    进化了一下

    正文:

    信息收集脚本的功能:

    1.端口扫描

    2.子域名挖掘

    3.DNS查询

    4.whois查询

    5.旁站查询

    CMS识别脚本功能:

    1.MD5识别CMS

    2.URL识别CMS

    原理：MD5 识别——在网站 URL 后拼接一些 CMS 特有的路径，获取返回的源码，

    计算其 MD5 并与 data.json 中的值对比，一致即判定为此种 CMS。

    URL 识别——同样在 URL 后拼接 CMS 特有的路径，获取源码，从中查找 data.json 里的

    re 标签，找到即判定为此种 CMS。

    信息收集脚本代码:

    import html
    import optparse
    import re
    import socket

    import requests
    from bs4 import BeautifulSoup
    
    def main():
        """Parse the command line and dispatch to the selected query.

        Exactly one query runs per invocation: the options are examined in
        the order they are declared and the first one that was given wins.
        With no option at all the help text is printed and the process exits.
        """
        parser = optparse.OptionParser()
        parser.add_option('-p', dest='host', help='ip port scanner')
        parser.add_option('-w', dest='whois', help='Whois query')
        parser.add_option('-d', dest='dns', help='dns query')
        parser.add_option('-z', dest='domain', help='Domain name query')
        parser.add_option('-f', dest='fw', help='Bypass query')
        options, _args = parser.parse_args()
        # (option attribute, handler) in declaration order; first truthy value wins.
        dispatch = (
            ('host', portscanner),
            ('whois', whois),
            ('dns', dnsquery),
            ('domain', domains),
            ('fw', bypass),
        )
        for attr, handler in dispatch:
            value = getattr(options, attr)
            if value:
                handler(value)
                return
        parser.print_help()
        exit()
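    def portscanner(ip):
        """Report every TCP port on *ip* that accepts a connection.

        One socket is created per port. The original loop reused a single
        stream socket: after a successful connect the next connect fails with
        EISCONN, and reuse after a failed connect is platform-dependent, so
        results after the first were unreliable. The original also called
        socket.setdefaulttimeout() after creating its socket, which only
        affects sockets created afterwards; here the timeout is passed to
        every connection so an unresponsive port cannot stall the scan.

        Args:
            ip: host name or IPv4 address to probe.
        """
        timeout = 1.0
        # range() is exclusive at the top; 65535 is a valid port number.
        for port in range(1, 65536):
            try:
                # Fresh socket per attempt; the context manager closes it.
                with socket.create_connection((ip, port), timeout=timeout):
                    print('[+]', ip, ':', port, 'open')
            except OSError:
                # Refused, timed out or unreachable: not open, move on.
                pass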
    
    def whois(ws):
        """Print the whois page for *ws* as served by whoissoft.com, reduced to text.

        The page is converted to plain text, a large block of the site's own
        script/style noise is removed with one regular expression and a series
        of literal replacements, and the result is printed. The intermediate
        text is written to whois.txt and read straight back from there.

        Args:
            ws: domain name to look up.
        """
        url = "http://whoissoft.com/{}".format(ws)
        rest = requests.get(url=url)  # NOTE(review): no timeout; a stalled server blocks here indefinitely
        csd = rest.content.decode('utf-8')
        fsd = BeautifulSoup(csd, 'html.parser')
        wsd = fsd.get_text()
        # NOTE(review): as rendered here the pattern contains no backslashes at
        # all (`functions+s`, `s+` where `\s+` reads naturally, `(function()`),
        # which looks like escape characters lost in transcription. As written,
        # the `(` in `(function()` is never closed, so re.compile raises
        # re.error before any lookup happens -- compare with the original
        # source before relying on it. The doubled quotes (''316085'') end the
        # raw literal and open a plain one; the adjacent pieces concatenate
        # back into a single pattern string.
        comp = re.compile(
            r'a:link, a:visited {.*? }|a:hover {.*?}|white-space: .*?;|font-family:.*?;|functions+s|window.location.hrefs+=s+".*?"|returns+false;| var _sedoqs+=s+_sedoq|_sedoq.partnerids+=s+''316085'';| _sedoq.locales+=s+''zh-cn'';|vars+ss+=s+document.createElement|s.types+=s+''text/javascript'';|s.asyncs+=s+true;|s.srcs+=s+''.*?'';|vars+fs+=s+document.getElementsByTagName|f.parentNode.insertBefore|/.*?/|pres+{|word-wrap:s+break-word;|}|s*(str1){|s++s+str1;|s+|s+||s+{;|s+||s+{;|_sedoq.partnerid|s+=|''316085''|s+'';|s+enters+yours+partners+id|_sedoq.locales+=s+|zh-cn|languages+locale|(function()s+{|[0];|s.type|text/javascript|script|s,s+f|document.getElementById(.*?)|.style.marginLeft|=window||||s+{|;|en-us,|en-uk,|de-de,|es-er-fr,|pt-br,|s+.innerWidth2|es-|er-|fr|.innerWidth2|er|-,')
        tih = re.sub(comp, "", wsd)
        # Round trip through whois.txt: the file is the only lasting output;
        # the read-back yields the text just written (assuming the platform
        # default encoding round-trips it -- TODO confirm for non-ASCII pages).
        wrs = open('whois.txt', 'w')
        wrs.write(tih)
        wrs.close()
        wrr = open('whois.txt', 'r')  # NOTE(review): this handle is never closed
        rr = wrr.read()
        # Literal clean-up of fragments the pattern leaves behind.
        xin = rr.replace("''", '')
        xin2 = xin.replace("(", '')
        xin3 = xin2.replace(")", '')
        xin4 = xin3.replace("er-,", '')
        xin5 = xin4.replace('.innWidth2+"px"', '')
        xin6 = xin5.replace('window.onresize=function{', '')
        xin7 = xin6.replace('.innWidth2+"px"', '')  # same replacement as two lines above; no further effect
        print(xin7, end='')
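    def dnsquery(dn):
        """Print the A, MX, CNAME, NS and TXT records for *dn*.

        Each record type is one POST to the same lookup service; the response
        body is reduced to its text and printed under a heading. A request
        that fails or times out is reported and the remaining record types
        are still queried, instead of one failure aborting the whole lookup.

        Args:
            dn: domain name to look up.
        """
        url = "https://jiexifenxi.51240.com/web_system/51240_com_www/system/file/jiexifenxi/get/?ajaxtimestamp=1526175925753"
        headers = {
            'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
        # (heading label, value of the service's "type" parameter), in the original print order.
        record_types = (
            ('A', 'a'),
            ('MX', 'mx'),
            ('CNAME', 'cname'),
            ('NS', 'ns'),
            ('TXT', 'txt'),
        )
        for label, rtype in record_types:
            print('---[+]{} record---'.format(label))
            params = {'q': dn, 'type': rtype}
            try:
                # Bounded wait: without a timeout a silent server hangs the whole run.
                reqst = requests.post(url=url, headers=headers, params=params, timeout=10)
            except requests.RequestException as err:
                print('[-]{} lookup failed: {}'.format(label, err))
                continue
            page = BeautifulSoup(reqst.content.decode('utf-8'), 'html.parser')
            print(page.get_text())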
    
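    def _subdomain_values(page):
        """Return the value attribute of each result row's hidden input in *page*.

        Only the ``<div class=domain><input type=hidden ... value="...">`` snippets
        are considered; the rest of the page is ignored. HTML entities in the
        value are decoded so the returned strings are plain names.

        Args:
            page: decoded HTML of the subdomain query result.

        Returns:
            list[str]: the values in page order; empty when no row matches.
        """
        found = re.findall(r'<div class=domain><input type=hidden name=.*? id=.*? value="(.*?)">', page)
        return [html.unescape(value) for value in found]

    def domains(domain):
        """Print the subdomains the lookup service lists for *domain*, one per line.

        The original joined ``str(list)`` -- the repr of the match list, brackets
        and quotes included -- and fed that to the HTML parser; the matches are
        now parsed directly.

        Args:
            domain: domain name to query.
        """
        print('---[+]Domain name query---')
        url = "http://i.links.cn/subdomain/"
        headers = {'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
        params = {'domain': domain, 'b2': '1', 'b3': '1', 'b4': '1'}
        # Bounded wait so a silent server cannot hang the run.
        reqst = requests.post(url=url, headers=headers, params=params, timeout=10)
        page = reqst.content.decode('gbk')  # the service answers in GBK
        for value in _subdomain_values(page):
            print(value)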
    
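    def _extract_domains(payload):
        """Return the ``"domain"`` values found in *payload*, one entry each, as bare host names.

        The service's answer contains ``"domain":"..."`` pairs. The values are
        assumed to be JSON-escaped URLs such as ``http:\\/\\/host\\/`` (the
        original stripped the substrings ``http``, ``:`` and ``/`` from them --
        TODO confirm against a live response); slash escapes are undone, the
        scheme and any trailing slash are dropped. Unlike the original, the
        substring ``domain`` inside a host name is left alone and the entries
        are not run together into one string.

        Args:
            payload: decoded response text.

        Returns:
            list[str]: host names in response order; empty when none are found.
        """
        found = []
        for raw in re.findall(r'"domain":"(.*?)"', payload):
            value = raw.replace('\\/', '/')
            value = re.sub(r'^https?://', '', value)
            found.append(value.rstrip('/'))
        return found

    def bypass(pz):
        """Print the other sites the lookup service reports for the IP *pz*, one per line.

        Args:
            pz: IP address to query.
        """
        url = "http://www.webscan.cc/?action=query&ip={}".format(pz)
        headers = {
            'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
        # Bounded wait so a silent server cannot hang the run.
        wd = requests.get(url=url, headers=headers, timeout=10)
        rcy = wd.content.decode('utf-8')
        for name in _extract_domains(rcy):
            print(name)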
    
    # Command-line entry point; importing the module runs nothing.
    if __name__ == '__main__':
        main()

    运行测试:

    CMS脚本代码:

    import requests
    import json
    import hashlib
    import os
    import optparse
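    def main():
        """Parse the command line and run the selected CMS check.

        ``-q`` hashes the page behind each data.json path and compares the
        digest; ``-p`` looks for each entry's "re" marker in the page text.
        The first option given wins; with none, the help text is printed.
        """
        # Parenthesised so the two fragments concatenate into one usage string;
        # as a bare second string on its own, more-indented line the original
        # was an IndentationError.
        usage = ("[-q MD5DE-CMS] "
                 "[- p URL gets CMS]")
        parser = optparse.OptionParser(usage)
        parser.add_option('-q', dest='md5', help='md5 cms')
        parser.add_option('-p', dest='url', help='url cms')
        options, _args = parser.parse_args()
        if options.md5:
            panduan(options.md5)
        elif options.url:
            panduan2(options.url)
        else:
            parser.print_help()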
    
    
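    def op():
        """Load data.json from the working directory into the module global ``lr``.

        ``lr`` holds the CMS signatures the check functions iterate over.
        The process exits when the file is missing, since nothing can run
        without it.

        Raises:
            SystemExit: when data.json does not exist.
            ValueError: when data.json is not valid JSON (json.JSONDecodeError).
        """
        global lr
        if not os.path.exists('data.json'):
            print('[-]Not data.json')
            raise SystemExit(1)
        print('[+]Existing data.json file')
        # json.load() has no ``encoding`` parameter on Python 3.9+ (TypeError);
        # the encoding belongs on open(). The context manager also closes the
        # handle the original left open.
        with open('data.json', 'r', encoding='utf-8') as js:
            lr = json.load(js)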
    
    # Runs at import time: every code path below depends on the loaded signatures.
    op()
    
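    def panduan(log):
        """Identify the CMS behind *log* by hashing pages at well-known paths.

        For every signature in ``lr`` the signature's path is appended to
        *log*, the page is fetched and the MD5 of its body is compared with
        the signature's digest. Matches are printed and written to cms.txt,
        one per line; the file is rewritten only when at least one match was
        found (the original reopened it with ``'w'`` per match, so only the
        last match survived). Requests that fail or answer with a non-200
        status are reported and skipped.

        Args:
            log: base URL of the site to fingerprint; a trailing slash is ignored.
        """
        global headers  # kept: the original published this name at module level
        headers = {'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'}
        base = log.rstrip('/')
        matches = []
        for b in lr:
            url = base + b["url"]
            try:
                rest = requests.get(url=url, headers=headers, timeout=5)
            except requests.RequestException as err:
                print('[-]request failed', url, err)
                continue
            if rest.status_code != 200:
                # An error page never carries the reference digest; no point hashing it.
                print('[-]Not Found 200', rest.url)
                continue
            g = hashlib.md5(rest.text.encode('utf-8')).hexdigest()
            print(g)
            if g == b["md5"]:
                line = "[+]CMS: {} url: {}".format(b["name"], b["url"])
                print(line)
                matches.append(line)
            else:
                print('[-]not md5:', b["md5"])
        if matches:
            with open('cms.txt', 'w', encoding='utf-8') as out:
                out.write("\n".join(matches) + "\n")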
    
    
    
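    def panduan2(log2):
        """Identify the CMS behind *log2* by searching pages for signature markers.

        For every signature in ``lr`` that has an "re" entry, the signature's
        path is appended to *log2* and the fetched page is searched for that
        string as a plain substring (it is not compiled as a regular
        expression). Entries without a marker are skipped without a request.
        Matches are printed and written to cms.txt, one per line; the file is
        rewritten only when at least one match was found (the original
        reopened it with ``'w'`` per match, so only the last match survived).
        Requests that fail or answer with a non-200 status are skipped.

        Args:
            log2: base URL of the site to fingerprint; a trailing slash is ignored.
        """
        headers = {'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'}
        base = log2.rstrip('/')
        matches = []
        for w in lr:
            marker = w.get("re")
            if not marker:
                continue
            url = base + w["url"]
            try:
                rest = requests.get(url=url, headers=headers, timeout=5)
            except requests.RequestException as err:
                print('[-]request failed', url, err)
                continue
            if rest.status_code != 200:
                # The original tested the status and then ignored the result;
                # an error page is not evidence of the CMS, so skip it.
                continue
            if marker in rest.text:
                line = '[+]CMS: {} url: {}'.format(w["name"], w["url"])
                print(line)
                matches.append(line)
        if matches:
            with open('cms.txt', 'w', encoding='utf-8') as out:
                out.write("\n".join(matches) + "\n")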
    
    # Command-line entry point; note that op() above already ran at import time.
    if __name__ == '__main__':
        main()

    识别测试:

  • 原文地址:https://www.cnblogs.com/haq5201314/p/9060130.html