  • 利用 python 实现对web服务器的目录探测

    一、python
    Python是一种解释型、面向对象、动态数据类型的高级程序设计语言。
    python 是一门简单易学的语言,并且功能强大也很灵活,在渗透测试中的应用广泛,让我们一起打造属于自己的渗透测试工具



    二、web服务器的目录探测脚本打造


    1、在渗透时如果能发现web服务器中的webshell,渗透是不是就可以变得简单一点呢
    通常情况下御剑深受大家的喜爱,但是今天在测试的时候webshell不知道为什么御剑扫描不到
    仔细查看是webshell有防爬功能,是检测User-Agent头,如果没有就会返回一个自己定义的404页面

    1、先来看看工具效果
     

    2、利用python读取扫描的目录字典

    def get_url(path):
        """Append every line of the wordlist at *path*, stripped of surrounding
        whitespace, to the module-level ``url_list`` and return that same list.

        The file is decoded as ISO-8859-1, so any byte sequence reads without
        error. Blank lines become empty strings and are still appended; calling
        this twice appends a second copy of the entries.
        """
        with open(path, "r", encoding='ISO-8859-1') as wordlist:
            url_list.extend(line.strip() for line in wordlist)
            return url_list

    3、利用 python 的 requests 库对web目标服务器进行目录探测

      def Go_scan(url):
          """Worker loop: pop wordlist entries from the shared ``queue``, request
          ``url + entry`` and print every response whose status is not 404.

          Reads the module globals ``queue`` and ``headers`` and uses ``get_time``
          for the timestamp prefix. Errors raised by ``requests.get`` (timeouts,
          connection failures) are not caught, so one failed request ends this
          worker; likewise ``queue.get(timeout=1)`` raises the standard-library
          ``Empty`` exception if another worker takes the last entry between
          ``empty()`` and ``get()``.
          """
          while not queue.empty():
              entry = queue.get(timeout=1)
              # Plain concatenation: no separator is inserted between url and entry.
              target = url + entry
              response = requests.get(target, headers=headers, timeout=5)
              code = response.status_code
              # Only 404 is filtered out, so a server that answers unknown paths
              # with a custom page under another status reports every entry.
              if str(code) != "404":
                  print(get_time(), f"[{code}]", target)

    4、利用 python 的 threading 库对探测进行线程的设置

      def thread(Number,url):
          """Queue every entry of ``url_list`` and start *Number* ``Go_scan`` workers.

          The threads are created non-daemon and are never joined, so this
          function returns as soon as they are started while the workers keep the
          process alive until the queue is drained. ``url`` is passed through to
          each worker unchanged.
          """
          for entry in url_list:
              queue.put(entry)

          workers = [
              threading.Thread(target=Go_scan, args=(url,))
              for _ in range(Number)
          ]
          for worker in workers:
              worker.start()

    5、利用 python 的 argparse 库进行对自己的工具进行封装

      def main():
          """Command-line entry point (excerpt showing the argument definitions;
          the complete function is in the full listing at the end of the article).

          With no arguments at all, prints the banner and exits with status 1;
          otherwise builds the ``-u/--url``, ``-t/--thread`` and
          ``-d/--Dictionaries`` options.
          """
          if len(sys.argv) == 1:
              print_banner()
              # Builtin ``exit`` rather than ``sys.exit``; same effect when run as a script.
              exit(1)

          parser = argparse.ArgumentParser(
              formatter_class=argparse.RawTextHelpFormatter,
              epilog='''
      use examples:
        python dir_scan.py -u [url]http://www.test.com[/url] -d /root/dir.txt
        python dir_scan.py -u [url]http://www.test.com[/url] -t 30 -d /root/dir.txt
        ''')
          # Neither -u nor -d is marked required=True, so omitting one leaves the
          # attribute as None for the code that uses it instead of a usage message.
          parser.add_argument("-u","--url", help="scan target address", dest='url')
          # A string default combined with type=int is converted by argparse, so
          # args.thread is the int 20 when -t is omitted.
          parser.add_argument("-t","--thread", help="Number of threads", default="20", type=int, dest='thread')
          parser.add_argument("-d","--Dictionaries", help="Dictionary of Blasting Loading",
              dest="Dictionaries")

    总结
    各位大哥有意见或者建议尽管提,文章哪里不对的话会改的,小弟定会虚心学习。最后附上全部源码供大佬指教

      #!/usr/bin/python
      # -*- coding: utf-8 -*-
      import requests
      import threading
      import argparse,sys
      import time,os
      from queue import Queue
      # Wordlist entries loaded by get_url(); thread() copies them into ``queue``.
      url_list: list[str] = []
      # Work queue shared by all Go_scan worker threads.
      queue = Queue()

      # Sent with every request. The article notes the target served a custom
      # 404 page when no User-Agent was present; because this header is entirely
      # client-supplied, a server-side User-Agent check identifies nothing and
      # is not an access control.
      headers: dict[str, str] = {
          'Connection':'keep-alive',
          'Accept':'*/*',
          'Accept-Language': 'zh-CN',
          'User-Agent':'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0'
      }
      def print_banner():
          """Print the ASCII-art banner and the two usage hint lines to stdout.

          The banner is a raw string, so the backslashes in the art are kept
          literally; nothing else is computed here.
          """
          banner = r"""
          .___.__            __________________     _____    _______  
        __| _/|__|_______   /   _____/\_   ___    /  _            
       / __ | |  |\_  __   \_____  /      /  /  /_    /   |  
      / /_/ | |  | |  | /  /        \     \____/    |    /    |   
      \____ | |__| |__|    /_______  / \______  /\____|__  /\____|__  /
           /                      /         /         /         /
       
      [*] Very fast directory scanning tool.
      [*] try to use -h or --help show help message
          """
          print(banner)
      def get_time():
          """Return the current local wall-clock time as ``"[HH:MM:SS] "``.

          The trailing space is part of the value; callers use it as a prefix
          for printed lines.
          """
          # strftime() without a time tuple formats the current local time.
          stamp = time.strftime("%H:%M:%S")
          return f"[{stamp}] "
      def get_url(path):
          """Append every line of the wordlist at *path*, stripped of surrounding
          whitespace, to the module-level ``url_list`` and return that same list.

          The file is decoded as ISO-8859-1, so any byte sequence reads without
          error. Blank lines become empty strings and are still appended; calling
          this twice appends a second copy of the entries.
          """
          with open(path, "r", encoding='ISO-8859-1') as wordlist:
              url_list.extend(line.strip() for line in wordlist)
              return url_list
      def Go_scan(url):
          """Worker loop: pop wordlist entries from the shared ``queue``, request
          ``url + entry`` and print every response whose status is not 404.

          Reads the module globals ``queue`` and ``headers`` and uses ``get_time``
          for the timestamp prefix. Errors raised by ``requests.get`` (timeouts,
          connection failures) are not caught, so one failed request ends this
          worker; likewise ``queue.get(timeout=1)`` raises the standard-library
          ``Empty`` exception if another worker takes the last entry between
          ``empty()`` and ``get()``.
          """
          while not queue.empty():
              entry = queue.get(timeout=1)
              # Plain concatenation: no separator is inserted between url and entry.
              target = url + entry
              response = requests.get(target, headers=headers, timeout=5)
              code = response.status_code
              # Only 404 is filtered out, so a server that answers unknown paths
              # with a custom page under another status reports every entry.
              if str(code) != "404":
                  print(get_time(), f"[{code}]", target)
      def thread(Number,url):
          """Queue every entry of ``url_list`` and start *Number* ``Go_scan`` workers.

          The threads are created non-daemon and are never joined, so this
          function returns as soon as they are started while the workers keep the
          process alive until the queue is drained. ``url`` is passed through to
          each worker unchanged.
          """
          for entry in url_list:
              queue.put(entry)

          workers = [
              threading.Thread(target=Go_scan, args=(url,))
              for _ in range(Number)
          ]
          for worker in workers:
              worker.start()
      def main():
          """Command-line entry point for the scanner.

          With no arguments at all, prints the banner and exits with status 1.
          Otherwise parses ``-u/--url``, ``-t/--thread`` and ``-d/--Dictionaries``,
          loads the wordlist through ``get_url`` and hands off to ``thread``.
          """
          if len(sys.argv) == 1:
              print_banner()
              # Builtin ``exit`` rather than ``sys.exit``; same effect when run as a script.
              exit(1)

          parser = argparse.ArgumentParser(
              formatter_class=argparse.RawTextHelpFormatter,
              epilog='''
      use examples:
        python dir_scan.py -u [url]http://www.test.com[/url] -d /root/dir.txt
        python dir_scan.py -u [url]http://www.test.com[/url] -t 30 -d /root/dir.txt
        ''')
          # Neither -u nor -d is marked required=True, so omitting one leaves the
          # attribute as None and fails later (open(None), url + path) with a
          # TypeError instead of a usage message.
          parser.add_argument("-u","--url", help="scan target address", dest='url')
          # A string default combined with type=int is converted by argparse, so
          # args.thread is the int 20 when -t is omitted.
          parser.add_argument("-t","--thread", help="Number of threads", default="20", type=int, dest='thread')
          parser.add_argument("-d","--Dictionaries", help="Dictionary of Blasting Loading",
              dest="Dictionaries")
          args = parser.parse_args()
          Number =args.thread
          url = args.url
          url_path = args.Dictionaries
          print_banner()
          # Fills the module-level url_list in place; the return value is unused here.
          get_url(url_path)
          print(get_time(), "[INFO] Start scanning---- ")
          # Fixed two-second pause before the workers are started.
          time.sleep(2)
          # Returns once the workers are started; the non-daemon threads keep the
          # process alive until the queue is drained.
          thread(Number,url)
      # Script entry point: importing the module only defines the helpers.
      if __name__ == '__main__':
          main()
  • 原文地址:https://www.cnblogs.com/ichunqiu/p/10218948.html