前言:
信息收集是渗透测试重要的一部分
这次我总结了前几次写的经验,将其
进化了一下
正文:
信息收集脚本的功能:
1.端口扫描
2.子域名挖掘
3.DNS查询
4.whois查询
5.旁站查询
CMS识别脚本功能:
1.MD5识别CMS
2.URL识别CMS
原理:cms识别CMS将网站加一些CMS特有的路径获取到的源码
加密成md5与data.json对比如果是就是此种CMS。
URL+上CMS特有的路径,获取源码从中寻找data.json里的
re标签。如果有就是此种CMS
信息收集脚本代码:
import requests
import re
import socket
from bs4 import BeautifulSoup
import optparse def main():
parser=optparse.OptionParser()
parser.add_option('-p',dest='host',help='ip port scanner')
parser.add_option('-w',dest='whois',help='Whois query')
parser.add_option('-d',dest='dns',help='dns query')
parser.add_option('-z',dest='domain',help='Domain name query')
parser.add_option('-f',dest='fw',help='Bypass query')
(options,args)=parser.parse_args()
if options.host:
ip=options.host
portscanner(ip)
elif options.whois:
ws=options.whois
whois(ws)
elif options.dns:
dn=options.dns
dnsquery(dn)
elif options.domain:
domain=options.domain
domains(domain)
elif options.fw:
pz=options.fw
bypass(pz)
else:
parser.print_help()
exit()
def portscanner(ip):
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
socket.setdefaulttimeout(1)
for port in range(1,65535):
try:
s.connect((ip,port))
print('[+]',ip,':',port,'open')
except:
pass def whois(ws):
url = "http://whoissoft.com/{}".format(ws)
rest = requests.get(url=url)
csd = rest.content.decode('utf-8')
fsd = BeautifulSoup(csd, 'html.parser')
wsd = fsd.get_text()
comp = re.compile(
r'a:link, a:visited {.*? }|a:hover {.*?}|white-space: .*?;|font-family:.*?;|function\s+s|window.location.href\s+=\s+".*?"|return\s+false;| var _sedoq\s+=\s+_sedoq|_sedoq.partnerid\s+=\s+'''';| _sedoq.locale\s+=\s+''zh-cn'';|var\s+s\s+=\s+document.createElement|s.type\s+=\s+''text/javascript'';|s.async\s+=\s+true;|s.src\s+=\s+''.*?'';|var\s+f\s+=\s+document.getElementsByTagName|f.parentNode.insertBefore|/.*?/|pre\s+{|word-wrap:\s+break-word;|}|\s*\(str1\){|\s+\+\s+str1;|\s+\|\s+\|\|\s+{;|\s+\|\|\s+{;|_sedoq.partnerid|\s+=|''''|\s+'';|\s+enter\s+your\s+partner\s+id|_sedoq.locale\s+=\s+|zh-cn|language\s+locale|\(function\(\)\s+{|\[0\];|s.type|text/javascript|script|s,\s+f|document.getElementById\(.*?\)|.style.marginLeft|=window|\|\||\s+{|;|en-us,|en-uk,|de-de,|es-er-fr,|pt-br,|\s+.innerWidth2|es-|er-|fr|.innerWidth2|er|-,')
tih = re.sub(comp, "", wsd)
wrs = open('whois.txt', 'w')
wrs.write(tih)
wrs.close()
wrr = open('whois.txt', 'r')
rr = wrr.read()
xin = rr.replace("''", '')
xin2 = xin.replace("(", '')
xin3 = xin2.replace(")", '')
xin4 = xin3.replace("er-,", '')
xin5 = xin4.replace('.innWidth2+"px"', '')
xin6 = xin5.replace('window.onresize=function{', '')
xin7 = xin6.replace('.innWidth2+"px"', '')
print(xin7, end='')
def dnsquery(dn):
url = "https://jiexifenxi.51240.com/web_system/51240_com_www/system/file/jiexifenxi/get/?ajaxtimestamp=1526175925753"
headers = {
'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
params = {'q': '{}'.format(dn), 'type': 'a'}
reqst = requests.post(url=url, headers=headers, params=params)
content = reqst.content.decode('utf-8')
bd = BeautifulSoup(content, 'html.parser') print('---[+]A record---')
print(bd.get_text()) print('---[+]MX record---')
params2 = {'q': '{}'.format(dn), 'type': 'mx'}
rest = requests.post(url=url, headers=headers, params=params2)
content2 = BeautifulSoup(rest.content.decode('utf-8'), 'html.parser')
print(content2.get_text()) print('---[+]CNAME record---')
params3 = {'q': '{}'.format(dn), 'type': 'cname'}
rest2 = requests.post(url=url, headers=headers, params=params3)
content3 = BeautifulSoup(rest2.content.decode('utf-8'), 'html.parser')
print(content3.get_text()) print('---[+]NS record---')
params4 = {'q': '{}'.format(dn), 'type': 'ns'}
rest3 = requests.post(url=url, headers=headers, params=params4)
content4 = BeautifulSoup(rest3.content.decode('utf-8'), 'html.parser')
print(content4.get_text()) print('---[+]TXT record---')
params5 = {'q': '{}'.format(dn), 'type': 'txt'}
rest4 = requests.post(url=url, headers=headers, params=params5)
content5 = BeautifulSoup(rest4.content.decode('utf-8'), 'html.parser')
print(content5.get_text()) def domains(domain):
print('---[+]Domain name query---')
url = "http://i.links.cn/subdomain/"
headers = {'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
params = {'domain': '{}'.format(domain), 'b2': '', 'b3': '', 'b4': ''}
reqst = requests.post(url=url, headers=headers, params=params)
vd = reqst.content.decode('gbk')
rw = re.findall('<div class=domain><input type=hidden name=.*? id=.*? value=".*?">', vd)
rw2 = "".join(str(rw))
bwdw = BeautifulSoup(str(rw2), 'html.parser')
pw = bwdw.find_all('input')
for l in pw:
isd = l.get("value")
print(isd) def bypass(pz):
url = "http://www.webscan.cc/?action=query&ip={}".format(pz)
headers = {
'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16'}
wd = requests.get(url=url, headers=headers)
rcy = wd.content.decode('utf-8')
res = re.findall('"domain":".*?"', str(rcy))
lis = "".join(res)
rmm = lis.replace('"', '')
rmm2 = rmm.replace(':', '')
rmm3 = rmm2.replace('/', '')
rmm4 = rmm3.replace('domain', '')
rmm5 = rmm4.replace('http', '')
print(rmm5) if __name__ == '__main__':
main()
运行测试:
CMS脚本代码:
import requests
import json
import hashlib
import os
import optparse
def main():
usage="[-q MD5DE-CMS] " \
"[- p URL gets CMS]"
parser=optparse.OptionParser(usage)
parser.add_option('-q',dest='md5',help='md5 cms')
parser.add_option('-p',dest='url',help='url cms')
(options,args)=parser.parse_args()
if options.md5:
log=options.md5
panduan(log)
elif options.url:
log2=options.url
panduan2(log2)
else:
parser.print_help() def op():
global lr
if os.path.exists('data.json'):
print('[+]Existing data.json file')
js=open('data.json','r')
lr=json.load(js,encoding='utf-8')
else:
print('[-]Not data.json')
exit() op() def panduan(log):
global headers
headers={'user-agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'}
for b in lr:
url = log.rstrip('/') + b["url"]
rest = requests.get(url=url, headers=headers, timeout=5)
text = rest.text
if rest.status_code != 200:
print('[-]Not Found 200', rest.url)
md5=hashlib.md5()
md5.update(text.encode('utf-8'))
g=md5.hexdigest()
print(g)
if g == b["md5"]:
print("[+]CMS:",b["name"],"url:",b["url"])
print("[+]CMS:",b["name"],"url:",b["url"],file=open('cms.txt','w'))
else:
print('[-]not md5:',b["md5"]) def panduan2(log2):
for w in lr:
headers = {'user-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36'}
url = log2.rstrip('/') + w["url"]
rest=requests.get(url=url,headers=headers,timeout=5)
text=rest.text
if rest.status_code !=200:
pass
if w["re"]:
if(text.find(w["re"]) != -1):
print('[+]CMS:',w["name"],"url:",w["url"])
print('[+]CMS:', w["name"], "url:", w["url"],file=open('cms.txt','w')) if __name__ == '__main__':
main()
识别测试: