如何使用Python快速编写批量POC/EXP脚本(无脑版)
关注本公众号,长期推送技术文章
免责声明:请勿利用文章内的相关技术从事非法测试,由于传播、利用此文所提供的信息或者工具而造成的任何直接或者间接的后果及损失,均由使用者本人负责,所产生的一切不良后果与文章作者无关。该文章仅供学习用途使用!!!
前言
本文描写如何使用requests进行批量编写POC以及EXP,文末并附模板,大家过一遍直接更改即可
在学习本文之前最好是有一些python基础,如果无python基础,直接从文末框架更改即可。
基础知识
首先知道什么是requests模块?
requests模块是python中的基于网络请求的模块,其主要作用是用来模拟浏览器发起请求。
我们平时在进行发包POC测试本质上也就是发送http请求
首先,我们先认识三种存在的状态
发送请求成功-存在漏洞
发送请求成功-不存在漏洞
发送请求失败-打不开目标网站
直接分析代码,进行大概了解
def check_vulnerability(target): headers = { "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" }
try: # print(target) res = requests.post(fr"{target}/index.php",data={"username":"admin","pass":"admin"}, timeout=5) if "window.location" in res.text : print(f"[+]{target}漏洞存在") with open("attack.txt",'a') as fw: fw.write(f"{target}\n") else: print(f"[-]{target}漏洞不存在") except Exception as e: print(f"[-]{target}访问错误")代码分析
def check_vulnerability(target):
这一个是定义一个check_vulnerability函数,传参target,就是在我们使用这个函数的时候就传入target,也就是目标。
headers = {
"User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
}
这里是设置我们的header头,平时设置一些cookie或者User-Agent之类的。
try和下面的except 对应,这里转化成白话文就是:尝试xxx如果出错则进行xxx
res=requests.post(url=fr"{target}/index.php",headers=headers, data={"username":"admin","pass":"admin"}, timeout=5)
res为变量,接收请求的返回内容
后面的是发送一个get请求,url为请求地址,headers=headers为定义header头。data为postdata,timeout为请求超时时间。
if "window.location" in res.text :这句话的意思是http返回响应中包含字符串"window.location",那么输出漏洞存在,并且写入文件。
知道这些以后,我们就知道通过模板改哪些东西了
data的值
url
header的值
判断漏洞存在的特征
通过线程池实现批量测试
with concurrent.futures.ThreadPoolExecutor(max_workers=5) as executor: executor.map(check_vulnerability, targets)更改max_workers即可更改线程数量
结合起来
import requestsimport concurrent.futures
def check_vulnerability(target): headers = { "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" }
try: # print(target) res = requests.post(fr"{target}/index.php",data={"username":"admin","pass":"admin"}, headers=headers, timeout=5) if "window.location" in res.text : print(f"[+]{target}漏洞存在") with open("attack.txt",'a') as fw: fw.write(f"{target}\n") else: print(f"[-]{target}漏洞不存在") except Exception as e: print(f"[-]{target}访问错误")
if __name__ == "__main__":
print("按回车继续") import os os.system("pause") f = open("target.txt", 'r') targets = f.read().splitlines() print(targets)
# 使用线程池并发执行检查漏洞 with concurrent.futures.ThreadPoolExecutor(max_workers=5) as executor: executor.map(check_vulnerability, targets)即可实现:target.txt存放目标,经过检测漏洞后自动生成attack.txt
常用模板
模板1(get请求)
import requestsimport concurrent.futures
def check_vulnerability(target): headers = { "User-Agent": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", }
try: # print(target) res = requests.get(f"{target}/", headers=headers, timeout=5) if "admin"in res.text: print(f"[+]{target}漏洞存在") with open("attack.txt",'a') as fw: fw.write(f"{target}\n") else: print(f"[-]{target}漏洞不存在") except Exception as e: print(f"[-]{target}访问错误")
if __name__ == "__main__": print("------------------------") print("微信公众号:知攻善防实验室") print("------------------------") print("target.txt存放目标文件") print("attack.txt存放检测结果") print("------------------------")
print("按回车继续") import os os.system("pause") f = open("target.txt", 'r') targets = f.read().splitlines() print(targets)
# 使用线程池并发执行检查漏洞 with concurrent.futures.ThreadPoolExecutor(max_workers=1) as executor: executor.map(check_vulnerability, targets)
模板2(post请求)
import requestsimport concurrent.futures
def check_vulnerability(target):
headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0", } data = '<% out.print("test");%>' try: res = requests.post(f"{target}/index.jsp", headers=headers,data=data,timeout=5,verify=False) if "test" in res.text: print(f"{target}漏洞存在") with open("attack.txt","a") as f: f.write(f"{target}\n") else: print(f"{target} 漏洞不存在") except: print(f"{target} 访问错误")
if __name__ == "__main__": f = open("target.txt", 'r') targets = f.read().splitlines()
# 使用线程池并发执行检查漏洞 with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor: executor.map(check_vulnerability, targets)
下载地址:关注公众号"知攻善防实验室"后台回复"poc模板"