一、扫描器概述
御剑后台扫描器是一款专门针对网站后台漏洞扫描的工具,旨在通过扫描目标网站的后台管理页面,检测出其中存在的漏洞隐患,帮助站长及时发现并修复漏洞,保障网站的安全。
御剑后台扫描器支持多种扫描方式,包括目录扫描、文件扫描、参数扫描等方式,其内置的漏洞库及Payload库能够检测出目前主流的后台漏洞,同时也支持自定义Payload进行扫描。
在使用御剑后台扫描器时,我们需要配置待扫描的目标URL,根据需要选择合适的扫描方式和Payload库,然后点击扫描按钮即可启动扫描过程。
二、目录扫描
目录扫描是御剑后台扫描器的一种常用扫描方式,该方式通过递归访问目标URL下的所有页面及子目录,寻找隐藏的后台管理入口。目录扫描的优点是能够快速检测出所有的后台管理入口,缺点是通常需要耗费较多的时间和资源。
使用御剑后台扫描器进行目录扫描的示例代码如下:
import urllib.request
import urllib.parse
import re
class WebScan:
def __init__(self):
self.baseurl = ''
self.directory = []
self.passfile = ''
self.opener = ''
def getbaseurl(self):
url = input('Please Input The Target URL(Example:http://www.target.com/):')
self.baseurl = url
def getdirectory(self):
with open('directory.txt') as f:
for line in f:
self.directory.append(line.strip())
def getpassfile(self):
passfile = input('Please Input The Passfile(Example:pass.txt):')
self.passfile = passfile
def getopener(self):
user_agent = 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36'
headers = {'User-Agent':user_agent}
self.opener = urllib.request.build_opener()
self.opener.addheaders = headers.items()
def checklogin(self, url):
data = {'username':'admin', 'password':'admin'}
data = urllib.parse.urlencode(data).encode('utf-8')
response = self.opener.open(url, data)
content = response.read().decode()
pattern = re.compile(r'Login Failed')
result = pattern.search(content)
if result is None:
return True
else:
return False
def rscan(self):
for dir in self.directory:
url = self.baseurl + dir
try:
response = self.opener.open(url)
content = response.read().decode()
pattern = re.compile(r'Login Page ')
result = pattern.search(content)
if result is None:
print('Directory Not Exists:{0}'.format(url))
else:
print('Trying Login:{0}'.format(url))
if self.checklogin(url):
print('Login Success:{0}'.format(url))
break
else:
print('Login Failed:{0}'.format(url))
except Exception as e:
print(e)
continue
三、文件扫描
文件扫描是御剑后台扫描器的另一种扫描方式,该方式通过对目标网站整个文件目录进行扫描,寻找包含特定后台文件名的文件或目录。文件扫描的优点是能够快速检测出已知的后台文件名,缺点是无法检测出使用自定义后台文件名的情况。
使用御剑后台扫描器进行文件扫描的示例代码如下:
import requests
class WebScan:
def __init__(self):
self.headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36'
}
self.baseurl = ''
self.filelist = ['admin.php', 'admin.asp', 'admin.aspx', 'admin.jhtml']
def getbaseurl(self):
url = input('Please Input The Target URL(Example:http://www.target.com/):')
self.baseurl = url
def scanfile(self):
for filename in self.filelist:
url = self.baseurl + '/' + filename
response = requests.get(url, headers=self.headers)
if response.status_code == 200:
print('Admin Page Found:{0}'.format(url))
else:
print('Not Found:{0}'.format(url))
四、参数扫描
参数扫描是御剑后台扫描器的另一种扫描方式,该方式通过对目标网站的所有参数进行扫描,寻找存在注入漏洞的参数。参数扫描的优点是能够快速检测出所有的参数注入漏洞,缺点是可能会对目标网站造成较大的负担。
使用御剑后台扫描器进行参数扫描的示例代码如下:
import urllib.request
import urllib.parse
class WebScan:
def __init__(self):
self.baseurl = ''
self.payloadlist = []
self.opener = ''
def getbaseurl(self):
url = input('Please Input The Target URL(Example:http://www.target.com/):')
self.baseurl = url
def getpayloadlist(self):
with open('payload.txt') as f:
for line in f:
self.payloadlist.append(line.strip())
def getopener(self):
user_agent = 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36'
headers = {'User-Agent':user_agent}
self.opener = urllib.request.build_opener()
self.opener.addheaders = headers.items()
def checkinject(self, url, param):
for payload in self.payloadlist:
data = {param:payload}
data = urllib.parse.urlencode(data).encode('utf-8')
newurl = url + '?' + data.decode()
response = self.opener.open(newurl)
content = response.read().decode()
if payload in content:
print('Inject Success:{0}'.format(newurl))
def pscan(self):
response = self.opener.open(self.baseurl)
content = response.read().decode()
pattern = re.compile(r'')
results = pattern.finditer(content)
for result in results:
line = result.group()
pattern = re.compile(r'name="(.*?)"')
result = pattern.search(line)
if result is not None:
param = result.group(1)
print('Trying Inject:{0}'.format(param))
self.checkinject(self.baseurl, param)
原创文章,作者:小蓝,如若转载,请注明出处:https://www.506064.com/n/233690.html
微信扫一扫 
支付宝扫一扫 