Shulou(Shulou.com)06/02 Report--

In this issue, the editor will bring you about how to improve the Python penetration test detector. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.

Improve the results of the detector

In this 0.1 version, we just print the URL and its response status code to the terminal, and the white word on the black background on the command line seems to be very ugly and it is not easy to find the key information. Is there any way to improve it?

We can use a module-termcolor, a tool for color formatting the output.

Let's take a look at an official example of termcolor:

Run the code, and the characters with colors are output at the terminal:

We can see from the above example that using the colored () method of termcolor, ordinary characters can be formatted as colored characters, while the cprint () method can print out characters of a specific color directly.

Termcolor comes with eight colors for us to use, which are:

Grey: Gray

Red: red

Green: green

Yellow: yellow

Blue: blue

Magenta: magenta

Cyan: cyan

White: White

In the detector, we use the colored () method to color the status code. In addition to adding color display, it seems a bit monotonous to display only the status code of URL in the results. Let's add a few more results to show:

Number of lines of text on a web page

Number of characters in the text of the web page

The number of words in a web page

Hash value of web page content

Next, we add the color formatting and the new result display to the request_performer () class:

We set the status code greater than or equal to 200 less than 300 as green, greater than or equal to 400 less than 500 as red, greater than or equal to 300 less than 400 as blue.

Run the command in the terminal:

You can see that the results shown are much clearer:

Add new feature options

In the above example, we optimize the display of the detector to make it more beautiful. However, there is another problem-- the handling of 404 pages.

In the case of small dictionary files and few dictionary entries, even if our detector detects a lot of 404 pages, it is easy to exclude from the results. But if there are many entries in the dictionary, there will be a lot of 404 pages detected, masking the successful response in the command line interface. We need to remove the 404 page from the results.

Extending from the 404 page problem, the requirement of our function is to remove the display result of a response status code by specifying the command line keyword parameter.

In the request_performer () class, add a new property, hidecode:

Then exclude the request result with a status code of hidecode in the request_performer () class:

If the response status code is not equal to the specified culling status code, the result is printed.

Then set the command line parameters for the new feature in the startup function start ():

Next, perfect the launcher_thread () function:

All the functions are modified.

Test new features

Now that the code has been changed, let's test the new features. The target site also chooses the target machine http://www.scruffybank.com/ journal common.txt in the virtual machine environment as the dictionary file.

Because we set the default value of hidecode to 000 in the start () function, our new-c option can be run without adding it.

Let's take a look at the results without the-c option:

It is consistent with the program effect of the second edition:

Let's add the-c option to exclude the 404 page:

All pages with a status code of 404 are not displayed:

Let's open one of the websites and take a look at:

There are four characters, one line of text, and one word in three letters plus a newline character, which is the same as the result returned by the detector.

In this way, our detector is updated to the third edition, and the function is more and more abundant.

The above is the editor for you to share how to improve the Python penetration test detector, if you happen to have similar doubts, you might as well refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.