Website backup file scan

2025-01-15 Update From: SLTechnology News&Howtos


0x00 requirements for website backup file scanning

In security testing, the first step is information gathering. As part of it, we need to check whether backup files exist in the root directory of the website.

0x01 code writing

To check whether a backup file exists in the root directory of the website, the script has to send an HTTP request. I first used the GET request of the requests module. During testing, the script would hang. Analysis showed that when a backup file exists, a GET request is equivalent to downloading it, and if the backup file is very large the wait is long. After looking it up, I found that the HEAD method of the requests module solves this problem.

Introduction to the HEAD method:

The HEAD method behaves like the GET method, but the server does not return the entity body in the response, only the headers. This allows the client to check the headers of a resource without fetching the actual resource. Using HEAD, we can do the following more efficiently:

- Without fetching the resource, learn some information about it, such as the resource type.
- By looking at the status code in the response, determine whether the resource exists.
- By looking at the headers, test whether the resource has been modified.

0x02 code

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# command line
from pocsuite import pocsuite_cli
# verification module
from pocsuite import pocsuite_verify
# attack module
from pocsuite import pocsuite_attack
# console mode
from pocsuite import pocsuite_console
# requests
from pocsuite.api.request import req
# register
from pocsuite.api.poc import register
# report
from pocsuite.api.poc import Output, POCBase
# url to host conversion
from pocsuite.lib.utils.funs import url2ip


class webBackPOC(POCBase):
    vulID = '1'  # ssvid ID; if the vulnerability is submitted at the same time as the PoC, write 0
    version = '1'  # default is 1
    vulDate = '2018-07-12'  # date the vulnerability was disclosed; if unknown, write today's date
    author = 'xiaohuihui1'  # PoC author's name
    createDate = '2018-07-12'  # PoC creation date
    updateDate = '2018-07-12'  # PoC update date; by default the same as the creation date
    references = ['']  # source address of the vulnerability; not needed for a 0day
    name = 'website back'  # PoC name
    appPowerLink = ['']  # home page of the affected vendor
    appName = 'website backup file download'  # affected application name
    appVersion = 'all versions'  # affected versions
    vulType = 'information leakage'  # vulnerability type; see the vulnerability type specification table
    desc = '''website backup file download'''  # brief description of the vulnerability
    samples = []  # test samples, i.e. sites successfully tested with the PoC
    # PoC third-party module dependencies; avoid third-party modules where possible,
    # otherwise see "PoC third-party module dependency instructions"
    install_requires = []
    cvss = u"serious"  # severe, high-risk, medium-risk, low-risk

    # fingerprint method
    def _fingerprint(self):
        pass

    # verification module: pocsuite -r 1-redis.py -u 10.1.5.26 --verify
    def _verify(self):
        import requests
        import hashlib
        result = {}
        vul_url = '%s' % self.url
        if vul_url.endswith("/"):
            test_url = vul_url + "aswe2sda2323ra2.html"
        else:
            test_url = vul_url + "/aswe2sda2323ra2.html"
            vul_url += "/"
        test_html = requests.head(test_url, timeout=5).text
        # MD5 value of the response to a non-existent page.
        # A HEAD response carries no body, so test_html is empty here,
        # and test_md5 is not compared against anything below.
        hl = hashlib.md5()
        test_html = test_html.replace("aswe2sda2323ra2.html", "")
        hl.update(test_html.encode('utf-8'))
        test_md5 = hl.hexdigest()
        # second label of the host name, e.g. "example" for www.example.com
        domain = vul_url.split(".")[1].split(".")[0]
        fileName = ['www', 'admin', 'wwwroot', 'web', 'data', 'ftp', 'flashfxp', domain]
        suffix = ['zip', 'tar.gz', 'rar']  # suffix list
        result2 = []
        for fn in fileName:
            for s in suffix:
                try:
                    tmp = requests.head(vul_url + fn + "." + s, timeout=5)
                    if tmp.status_code == 200:
                        result2.append(fn + "." + s)
                except Exception as e:
                    print(e)
        if len(result2) != 0:
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = vul_url
            result['VerifyInfo']['Payload'] = result2
        return self.save_output(result)

    # attack module
    def _attack(self):
        pass

    # output report
    def save_output(self, result):
        # check whether there is a result and report accordingly
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail()
        return output


# register the class
register(webBackPOC)
```
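The same check seen from the server side, as an added example that is not part of the original article or of pocsuite: it parses web access logs and reports clients that request several of the backup names used above, plus any such path that was answered with 200 and should be removed from the web root. The Combined Log Format, the threshold of three distinct names, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Candidate names and suffixes from the PoC on this page (domain label omitted).
NAMES = ['www', 'admin', 'wwwroot', 'web', 'data', 'ftp', 'flashfxp']
SUFFIXES = ['zip', 'tar.gz', 'rar']
BACKUP_RE = re.compile(
    r'^/(?:%s)\.(?:%s)$' % ('|'.join(NAMES),
                            '|'.join(re.escape(s) for s in SUFFIXES)),
    re.IGNORECASE)
# Assumed Combined Log Format: ip - - [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def analyze(lines, threshold=3):
    """Return (scanners, exposed).
    scanners: client IPs that requested >= threshold distinct backup names.
    exposed:  backup paths answered with 200, i.e. files to remove.
    """
    probes = defaultdict(set)
    exposed = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, path, status = m.groups()
        path = path.split('?', 1)[0].lower()  # ignore any query string
        if method not in ('HEAD', 'GET') or not BACKUP_RE.match(path):
            continue
        probes[ip].add(path)
        if status == '200':
            exposed.add(path)
    scanners = sorted(ip for ip, p in probes.items() if len(p) >= threshold)
    return scanners, sorted(exposed)


# Constructed sample log lines (documentation IP ranges, not real traffic).
_T = '[15/Jan/2025:10:00:00 +0000]'
SAMPLE = [
    '203.0.113.7 - - %s "HEAD /www.zip HTTP/1.1" 404 0' % _T,
    '203.0.113.7 - - %s "HEAD /www.tar.gz HTTP/1.1" 404 0' % _T,
    '203.0.113.7 - - %s "HEAD /wwwroot.zip HTTP/1.1" 200 0' % _T,
    '203.0.113.7 - - %s "HEAD /data.rar HTTP/1.1" 404 0' % _T,
    '198.51.100.20 - - %s "GET /index.html HTTP/1.1" 200 5120' % _T,
    '198.51.100.20 - - %s "GET /data.zip HTTP/1.1" 404 153' % _T,
]
```

To cover the domain-named archive that the PoC also tries, append the site's own domain label to `NAMES` before the pattern is compiled.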
