Web


记录下最近学的

信息搜集

脚本

xray批量

#!/usr/bin/python3
import os
import hashlib
import re

# 扫描
def get_url():
    f = open("xray_url.txt")
    lines = f.readlines()
    # 匹配http | https请求头
    pattern = re.compile(r'^(https|http)://')
    for line in lines:
        try:
            if not pattern.match(line.strip()):
                targeturl="http://"+line.strip()
            else:
                targeturl=line.strip()
            # print(targeturl.strip())
            outputfilename=hashlib.md5(targeturl.encode("utf-8"))
            do_scan(targeturl.strip(), outputfilename.hexdigest())
        except Exception as e:
            print(e)
            pass
    f.close()
    print("Xray Scan End~")
    return

# 报告
def do_scan(targeturl,outputfilename="test"):
    scan_command=" /home/happi0/xray_linux_amd64/xray_linux_amd64 webscan --basic-crawler {} --plugins=sqldet --html-output {}.html".format(targeturl,outputfilename)
    # scan_command = "ping 943ogg.dnslog.cn"
    # print(scan_command)
    os.system(scan_command)
    return

if __name__ == '__main__':
    get_url()

sqlmap乱扫

sqlmap + google 乱扫

莫名其妙找到了好些洞, 但这样不好, 容易出事

sqlmap -g "inurl:php?id=" --threads 5 --batch --answer "extending=N,follow=N,keep=N,exploit=n" --smart -vvv --proxy "http://127.0.0.1:20172"

源代码在lib\utils\search.py

有两个重要的

  • num: 搜索的数量
  • start: 开始的页面, 一般改大点好, 前面的都应该被别人扫过了

不知道哪里抄的手册, 记录下

可随意组合

变换 php asp jsp

变量后面加参数 "php?idf=123"

加地区词 行业词  "intitle:重庆学校" "intitle:山西汽车" "intitle:金融"

加域名 "site:.com.cn"

inurl:Offer.php?idf=
inurl:Opinions.php?id=
inurl:Page.php?id=
inurl:Pop.php?id=
inurl:Post.php?id=
inurl:Prod_info.php?id=
inurl:Product-item.php?id=
inurl:Product.php?id=
inurl:Product_ranges_view.php?ID=
inurl:Productdetail.php?id=
inurl:Productinfo.php?id=
inurl:Produit.php?id=
inurl:Profile_view.php?id=
inurl:Publications.php?id=
inurl:Stray-Questions-View.php?num=
inurl:aboutbook.php?id=
inurl:ages.php?id=
inurl:announce.php?id=
inurl:art.php?idm=
inurl:article.php?ID=
inurl:articleshow.asp?articleid=任意数字
inurl:artikelinfo.php?id=
inurl:asp
inurl:asp?id=
inurl:avd_start.php?avd=
inurl:band_info.php?id=
inurl:buy.php?category=
inurl:category.php?id=
inurl:channel_id=
inurl:chappies.php?id=
inurl:clanek.php4?id=
inurl:clubpage.php?id=
inurl:collectionitem.php?id=
inurl:communique_detail.php?id=
inurl:curriculum.php?id=
inurl:declaration_more.php?decl_id=
inurl:detail.php?ID=
inurl:download.php?id=
inurl:downloads_info.php?id=
inurl:event.php?id=
inurl:faq2.php?id=
inurl:fellows.php?id=
inurl:fiche_spectacle.php?id=
inurl:forum_bds.php?num=
inurl:galeri_info.php?l=
inurl:gallery.php?id=
inurl:game.php?id=
inurl:games.php?id=
inurl:historialeer.php?num=
inurl:hosting_info.php?id=
inurl:humor.php?id=
inurl:index.php?=
inurl:index.php?id=
inurl:index2.php?option=
inurl:iniziativa.php?in=
inurl:item_id=
inurl:kategorie.php4?id=
inurl:labels.php?id=
inurl:loadpsb.php?id=
inurl:look.php?ID=
inurl:main.php?id=
inurl:material.php?id=
inurl:memberInfo.php?id=
inurl:news-full.php?id=
inurl:news.php?id=
inurl:newsDetail.php?id=
inurl:news_Article.asp?Class_ID=
inurl:news_display.php?getid=
inurl:news_view.php?id=
inurl:newscat.php?id=
inurl:newsid=
inurl:newsitem.php?num=
inurl:newsone.php?id=
inurl:newsticker_info.php?idn=
inurl:ray.php?id=
inurl:read.php?id=
inurl:readnews.php?id=
inurl:reagir.php?num=
inurl:releases.php?id=
inurl:review.php?id=
inurl:rub.php?idr=
inurl:rubp.php?idr=
inurl:rubrika.php?idr=
inurl:section.php?id=
inurl:select_biblio.php?id=
inurl:sem.php3?id=
inurl:shop.php?do=part&id=
inurl:shop_category.php?id=
inurl:shopping.php?id=
inurl:show.php?id=
inurl:show_an.php?id=
inurl:showimg.php?id=
inurl:shredder-categories.php?id=
inurl:spr.php?id=
inurl:staff_id=
inurl:story.php?id=
inurl:sw_comment.php?id=
inurl:tekst.php?idt=
inurl:theme.php?id=
inurl:title.php?id=
inurl:top10.php?cat=
inurl:tradeCategory.php?id=
inurl:trainers.php?id=
inurl:transcript.php?id=
inurl:view.php?id=
inurl:view_faq.php?id=
inurl:view_product.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:viewshowdetail.php?id=
inurl:website.php?id=
inurlage.php?file=
inurlageid=
inurlages.php?id=
inurlarticipant.php?id=
inurlerson.php?id=
inurllay_old.php?id=
inurlreview.php?id=
inurlrod_detail.php?id=
inurlroduct-item.php?id=
inurlroductinfo.php?id=
inurl:news_Article.asp?Class_ID=
showproduct.asp?id=
showproduct.asp?id=随便加个数字
--tamper
apostrophemask            #将单引号 url 编码
apostrophenullencode    #将单引号替换为宽字节 unicode 字符
base64encode            #base64 编码
between            #将大于符号和等号用 between 语句替换,用于过滤了大于符号和等号的情况
bluecoat        #用随机的空白字符代替空格,并且将等号替换为 like ,用于过滤了空格和等号的情况
charencode                #用 url 编码一次你的 payload
charunicodeencode        #用 unicode 编码 payload ,只编码非编码字符

思路

由于我太菜了, 只写知道的

目标 --> 子域名 --> 敏感点

敏感点:

  • 登录处
  • 注册
  • 修改密码
  • 教务处

登录、注册

主要测试sql注入, 但几乎找不到

注册后进去再看看有没有什么其他的洞, 储存的xss什么的

修改密码

逻辑漏洞, 越权什么的

教务处

通知里面会给默认密码

有些默认密码就是帐号或者很简单的密码


  TOC