This article was last updated 474 days ago; the information in it may have developed or changed since then.
:::info
💘 Full penetration-testing workflow:
Information 👣 gathering – vulnerability discovery – exploitation – privilege escalation – tunnelling – internal network penetration – lateral movement – post-exploitation
:::
Directory scanning
Approach:
A complete URL is made up of a domain, a directory path and a file name.
Implementation steps:
- Specify the target domain
- Organize the directory wordlist, e.g. split it into one file per file extension, then iterate over the directory and file names
- Inspect each response and decide from it (the status code, and ideally the body size as well, since some servers answer a missing path with HTTP 200) whether the path exists
V1.0
Basic functionality

```python
#!/usr/bin/env python3
'''
1. Open the dirpath wordlist
2. Build the full URL and send the request
Improvement: multi-threading
'''
import threading
from queue import Queue, Empty

import requests


class DirScan(threading.Thread):
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue

    def run(self):
        # Pull URLs from the queue until it is drained. get_nowait() avoids the
        # race where two threads both see empty() == False for the last item.
        while True:
            try:
                url = self.queue.get_nowait()
            except Empty:
                break
            try:
                r = requests.get(url, timeout=5)
                if r.status_code == 200:
                    print(f'[*] {url}')
                else:
                    print(f'[-] {url} not found ({r.status_code})')
            except requests.RequestException as e:
                print(f'[-] {url} exception: {e}')


# Multi-threaded scan.
def start(url, ext, count):
    queue = Queue()
    # Wordlist files are grouped by extension, e.g. ./02.dirpathscaner/asp.txt
    with open('./02.dirpathscaner/%s.txt' % ext, 'r', encoding='utf-8') as f:
        for line in f:
            path = line.strip()
            if not path:
                continue
            # Normalise the slashes so "https://host/" + "/admin/" does not become "https://host//admin/"
            queue.put(url.rstrip('/') + '/' + path.lstrip('/'))
    threads = []
    thread_count = int(count)
    for i in range(thread_count):
        threads.append(DirScan(queue))
    for t in threads:
        t.start()
    for t in threads:
        t.join()


if __name__ == '__main__':
    url = 'https://www.baidu.com/'
    ext = 'asp'
    count = 16
    start(url, ext, count)
```
Example directory wordlist (asp.txt):

```text
/admin/index.asp
/dede/index.asp
/edit/index.asp
/login.asp
/database/index.asp
/tmp/
/manager/
/manage/
/web/login.asp
```
V2.0
Improvements.
- Spoof the request header (fake_useragent module). A random User-Agent string is obtained with the following two lines; note this only helps against naive User-Agent filtering, it does nothing against rate limiting or IP-based blocking:

```python
from fake_useragent import UserAgent
UserAgent().random
```
```python
#!/usr/bin/env python3
'''
1. Open the dirpath wordlist
2. Build the full URL and send the request
Improvement: multi-threading
Improvement: random spoofed User-Agent header
'''
import threading
from queue import Queue, Empty

import requests
from fake_useragent import UserAgent

ua = UserAgent()


class DirScan(threading.Thread):
    def __init__(self, queue):
        threading.Thread.__init__(self)
        self.queue = queue

    def run(self):
        # Pull URLs from the queue until it is drained.
        while True:
            try:
                url = self.queue.get_nowait()
            except Empty:
                break
            try:
                # Draw one random UA per request and send that same value
                # (a second call to ua.random would return a different string)
                headers = {'User-Agent': ua.random}
                print(headers['User-Agent'])
                r = requests.get(url=url, headers=headers, timeout=2)
                if r.status_code == 200:
                    print(f'[*] {url}')
                else:
                    print(f'[-] {url} not found ({r.status_code})')
            except requests.RequestException as e:
                print(f'[-] {url} exception: {e}')


# Multi-threaded scan.
def start(url, ext, count):
    queue = Queue()
    with open('./02.dirpathscaner/%s.txt' % ext, 'r', encoding='utf-8') as f:
        for line in f:
            path = line.strip()
            if not path:
                continue
            # Normalise the slashes so "https://host/" + "/admin/" does not become "https://host//admin/"
            queue.put(url.rstrip('/') + '/' + path.lstrip('/'))
    threads = []
    thread_count = int(count)
    for i in range(thread_count):
        threads.append(DirScan(queue))
    for t in threads:
        t.start()
    for t in threads:
        t.join()


if __name__ == '__main__':
    url = 'https://www.baidu.com/'
    ext = 'asp'
    count = 16
    start(url, ext, count)
```
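The three steps listed under the approach (build the URL from domain plus wordlist entry, request it, judge the response) are what both versions above implement, but both treat "status code is 200" as the only test for a path existing. The following is an added example, not the page's own script, that carries the same loop through with the checks a practitioner wants: urljoin for the domain/path join, a thread pool instead of a hand-rolled Thread subclass, a wider set of "interesting" status codes (redirects and 401/403 usually mean the path is real), and a soft-404 baseline so a server that answers every missing path with HTTP 200 does not flood the output with false hits. The target host https://target.example/, its responses and the wordlist are all constructed; fake_fetch stands in for requests.get so the code runs offline.

```python
#!/usr/bin/env python3
"""Directory scan loop with the checks the page's two versions leave out.

Added example, not the page's own script. The target https://target.example/
and its responses are constructed (see FAKE_SITE); fake_fetch replaces
requests.get so this runs offline. Pass a real fetcher to scan() to use it.
"""
import secrets
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from urllib.parse import urljoin

# Status codes that mean "something is there": success, redirects (often a
# directory without its trailing slash, or a bounce to a login page), auth required.
INTERESTING = {200, 201, 204, 301, 302, 307, 308, 401, 403, 405}

# Constructed wordlist in the page's format (one path per line, leading slash).
WORDLIST = """\
/admin/index.asp
/login.asp
/manager/
/database/index.asp
"""


@dataclass
class Resp:
    status: int
    body: bytes


# Constructed fake target. Every path not listed answers HTTP 200 with the same
# "not found" page (a soft 404), which a status-code-only check reports as a hit.
FAKE_SITE = {
    "https://target.example/admin/index.asp": Resp(302, b""),
    "https://target.example/login.asp": Resp(200, b"<form>login</form>"),
    "https://target.example/manager/": Resp(403, b"Forbidden"),
}
SOFT_404 = Resp(200, b"<html>Sorry, that page does not exist</html>")


def fake_fetch(url: str) -> Resp:
    """Stand-in for requests.get(url, headers=..., timeout=...)."""
    return FAKE_SITE.get(url, SOFT_404)


def build_urls(base: str, lines) -> list:
    """Join wordlist entries onto the base URL.

    urljoin() handles both "/admin/" and "admin/" entries; plain concatenation
    of "https://host/" + "/admin/" would produce "https://host//admin/".
    Blank lines and "#" comments in the wordlist are skipped.
    """
    urls = []
    for line in lines:
        word = line.strip()
        if word and not word.startswith("#"):
            urls.append(urljoin(base, word))
    return urls


def not_found_baseline(base: str, fetch) -> tuple:
    """Request a path that cannot exist and record how the server says 'no'."""
    probe = urljoin(base, f"/{secrets.token_hex(8)}.asp")
    r = fetch(probe)
    return r.status, len(r.body)


def classify(resp: Resp, baseline: tuple) -> str:
    """Map a response to hit / not_found / other using the learned baseline."""
    base_status, base_len = baseline
    if resp.status == base_status and len(resp.body) == base_len:
        return "not_found"  # same shape as the known-missing page
    if resp.status in INTERESTING:
        return "hit"
    return "other"


def scan(base: str, lines, fetch=fake_fetch, threads: int = 8) -> dict:
    """Return {url: (status, verdict)} for every wordlist entry."""
    baseline = not_found_baseline(base, fetch)
    urls = build_urls(base, lines)
    # A thread pool replaces the Thread subclass + queue; map() keeps results in
    # wordlist order, so urls and responses line up.
    with ThreadPoolExecutor(max_workers=threads) as pool:
        responses = list(pool.map(fetch, urls))
    return {u: (r.status, classify(r, baseline)) for u, r in zip(urls, responses)}


if __name__ == "__main__":
    for url, (status, verdict) in scan("https://target.example/", WORDLIST.splitlines()).items():
        print(f"[{'*' if verdict == 'hit' else '-'}] {status} {verdict:10} {url}")
```

Against the constructed target, /admin/index.asp (302), /login.asp (200 with a different body) and /manager/ (403) come back as hits, while /database/index.asp is reported as not found even though the server answered it with HTTP 200, because its status and body length match the baseline probe. The baseline is a single length comparison; a real scanner would also tolerate small length differences (the path is usually echoed in the error page) and re-check the baseline per extension.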