python 信息收集器和CMS识别脚本
Posted 东京$
前言:
信息收集是渗透测试重要的一部分
这次我总结了前几次写的经验,将其
进化了一下
正文:
信息收集脚本的功能:
1.端口扫描
2.子域名挖掘
3.DNS查询
4.whois查询
5.旁站查询
CMS识别脚本功能:
1.MD5识别CMS
2.URL识别CMS
原理:MD5识别CMS:将网站URL拼接上一些CMS特有的路径,对获取到的源码计算MD5哈希值,与data.json中记录的值对比,一致就是此种CMS。
URL识别CMS:URL拼接上CMS特有的路径,获取源码,从中寻找data.json里的re标签,如果有就是此种CMS。
信息收集脚本代码:
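import requests
import re
import socket
from bs4 import BeautifulSoup
import optparse

# Request headers shared by the web lookups below; the User-Agent is the one
# the original script sent, kept verbatim.
HEADERS = {
    'user-agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16',
}

# Seconds to wait for each outbound HTTP request.  The original passed no
# timeout, so one stalled third-party service hung the whole run.
TIMEOUT = 10

# NOTE: every lookup below hands the queried host/IP to a third-party web
# service, and whoissoft.com, i.links.cn and webscan.cc are reached over plain
# HTTP, so the queried value travels in cleartext.

# Fragments of CSS/JS from the whoissoft.com page that survive get_text();
# copied from the original (it was written as several implicitly concatenated
# string literals, which is why some alternatives look truncated).
_WHOIS_NOISE = re.compile(r'a:link, a:visited {.*? }|a:hover {.*?}|white-space: .*?;|font-family:.*?;|function\s+s|window.location.href\s+=\s+".*?"|return\s+false;| var _sedoq\s+=\s+_sedoq|_sedoq.partnerid\s+=\s+316085;| _sedoq.locale\s+=\s+zh-cn;|var\s+s\s+=\s+document.createElement|s.type\s+=\s+text/javascript;|s.async\s+=\s+true;|s.src\s+=\s+.*?;|var\s+f\s+=\s+document.getElementsByTagName|f.parentNode.insertBefore|/.*?/|pre\s+{|word-wrap:\s+break-word;|}|\s*\(str1\){|\s+\+\s+str1;|\s+\|\s+\|\|\s+{;|\s+\|\|\s+{;|_sedoq.partnerid|\s+=|316085|\s+;|\s+enter\s+your\s+partner\s+id|_sedoq.locale\s+=\s+|zh-cn|language\s+locale|\(function\(\)\s+{|\[0\];|s.type|text/javascript|script|s,\s+f|document.getElementById\(.*?\)|.style.marginLeft|=window|\|\||\s+{|;|en-us,|en-uk,|de-de,|es-er-fr,|pt-br,|\s+.innerWidth2|es-|er-|fr|.innerWidth2|er|-,')

# Leftovers the regex above does not catch; removed literally, in this order.
_WHOIS_JUNK = ("''", "(", ")", "er-,", '.innWidth2+"px"', 'window.onresize=function{')

_DNS_URL = "https://jiexifenxi.51240.com/web_system/51240_com_www/system/file/jiexifenxi/get/?ajaxtimestamp=1526175925753"
_DNS_RECORD_TYPES = ('a', 'mx', 'cname', 'ns', 'txt')


def main():
    """Parse the command line and dispatch to exactly one lookup.

    Options are checked in the order -p, -w, -d, -z, -f; the first one that is
    set wins, and with none set the usage text is printed.
    """
    parser = optparse.OptionParser()
    parser.add_option('-p', dest='host', help='ip port scanner')
    parser.add_option('-w', dest='whois', help='Whois query')
    parser.add_option('-d', dest='dns', help='dns query')
    parser.add_option('-z', dest='domain', help='Domain name query')
    parser.add_option('-f', dest='fw', help='Bypass query')
    options, _args = parser.parse_args()
    if options.host:
        portscanner(options.host)
    elif options.whois:
        whois(options.whois)
    elif options.dns:
        dnsquery(options.dns)
    elif options.domain:
        domains(options.domain)
    elif options.fw:
        bypass(options.fw)
    else:
        parser.print_help()
        exit()


def portscanner(ip):
    """Print each TCP port on *ip* that accepts a connection (1 second per try).

    The original reused one socket for every port; a socket is generally not
    connectable again after a failed connect(), so most ports were never
    really tested.  A fresh connection is opened per port and closed at once.
    The range end is exclusive, so 65536 is needed to include port 65535.
    The per-connection timeout replaces the original's global
    socket.setdefaulttimeout(), which also affected unrelated sockets.
    """
    for port in range(1, 65536):
        try:
            with socket.create_connection((ip, port), timeout=1):
                print('[+]', ip, ':', port, 'open')
        except OSError:
            # Refused, filtered or unreachable: nothing to report for this port.
            pass


def whois(ws):
    """Fetch the whoissoft.com page for *ws*, strip page noise, print and save it.

    The cleaned text is printed and written to ``whois.txt`` in the current
    directory.  The original wrote the file before the final replacements and
    left both file handles open; the file now holds the same text that is
    printed and is closed properly.
    """
    url = "http://whoissoft.com/{}".format(ws)
    rest = requests.get(url=url, timeout=TIMEOUT)
    csd = rest.content.decode('utf-8')
    wsd = BeautifulSoup(csd, 'html.parser').get_text()
    tih = _WHOIS_NOISE.sub("", wsd)
    for junk in _WHOIS_JUNK:
        tih = tih.replace(junk, '')
    with open('whois.txt', 'w', encoding='utf-8') as wrs:
        wrs.write(tih)
    print(tih, end='')


def dnsquery(dn):
    """Print A, MX, CNAME, NS and TXT records for *dn* via the 51240.com lookup.

    One POST per record type; the page text is printed under a
    ``---[+]<TYPE> record---`` banner, exactly as the five copy-pasted blocks
    of the original did.
    """
    for rtype in _DNS_RECORD_TYPES:
        print('---[+]{} record---'.format(rtype.upper()))
        params = {'q': '{}'.format(dn), 'type': rtype}
        reqst = requests.post(url=_DNS_URL, headers=HEADERS, params=params, timeout=TIMEOUT)
        content = reqst.content.decode('utf-8')
        print(BeautifulSoup(content, 'html.parser').get_text())


def domains(domain):
    """Print the sub-domains that i.links.cn lists for *domain*, one per line."""
    print('---[+]Domain name query---')
    url = "http://i.links.cn/subdomain/"
    params = {'domain': '{}'.format(domain), 'b2': '1', 'b3': '1', 'b4': '1'}
    reqst = requests.post(url=url, headers=HEADERS, params=params, timeout=TIMEOUT)
    vd = reqst.content.decode('gbk')
    # The result page carries one hidden <input> per sub-domain; the value
    # attribute holds the name.
    rw = re.findall('<div class=domain><input type=hidden name=.*? id=.*? value=".*?">', vd)
    bwdw = BeautifulSoup("".join(rw), 'html.parser')
    for tag in bwdw.find_all('input'):
        print(tag.get("value"))


def bypass(pz):
    """Print the domains webscan.cc reports for the address *pz*, one per line.

    The original joined every ``"domain":"..."`` match into one string and then
    deleted all ``"``, ``:``, ``/``, ``domain`` and ``http`` substrings, which
    glued the names together and also mangled host names containing those
    substrings (``mydomain.com`` lost ``domain``; ``https://`` left a stray
    ``s``).  The host is now captured directly, without scheme or trailing
    slash.
    """
    url = "http://www.webscan.cc/?action=query&ip={}".format(pz)
    wd = requests.get(url=url, headers=HEADERS, timeout=TIMEOUT)
    rcy = wd.content.decode('utf-8')
    for host in re.findall(r'"domain":"(?:https?://)?([^"]*?)/?"', rcy):
        print(host)


if __name__ == '__main__':
    main()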
运行测试:
CMS脚本代码:
import requests import json import hashlib import os import optparse def main(): usage="[-q MD5DE-CMS] " \\ "[- p URL gets CMS]" parser=optparse.OptionParser(usage) parser.add_option(\'-q\',dest=\'md5\',help=\'md5 cms\') parser.add_option(\'-p\',dest=\'url\',help=\'url cms\') (options,args)=parser.parse_args() if options.md5: log=options.md5 panduan(log) elif options.url: log2=options.url panduan2(log2) else: parser.print_help() def op(): global lr if os.path.exists(\'data.json\'): print(\'[+]Existing data.json file\') js=open(\'data.json\',\'r\') lr=json.load(js,encoding=\'utf-8\') else: print(\'[-]Not data.json\') exit() op() def panduan(log): global headers headers={\'user-agent\':\'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36\'} for b in lr: url = log.rstrip(\'/\') + b["url"] rest = requests.get(url=url, headers=headers, timeout=5) text = rest.text if rest.status_code != 200: print(\'[-]Not Found 200\', rest.url) md5=hashlib.md5() md5.update(text.encode(\'utf-8\')) g=md5.hexdigest() print(g) if g == b["md5"]: print("[+]CMS:",b["name"],"url:",b["url"]) print("[+]CMS:",b["name"],"url:",b["url"],file=open(\'cms.txt\',\'w\')) else: print(\'[-]not md5:\',b["md5"]) def panduan2(log2): for w in lr: headers = {\'user-agent\': \'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36\'} url = log2.rstrip(\'/\') + w["url"] rest=requests.get(url=url,headers=headers,timeout=5) text=rest.text if rest.status_code !=200: pass if w["re"]: if(text.find(w["re"]) != -1): print(\'[+]CMS:\',w["name"],"url:",w["url"]) print(\'[+]CMS:\', w["name"], "url:", w["url"],file=open(\'cms.txt\',\'w\')) if __name__ == \'__main__\': main()
识别测试: