目录遍历利用

0x00 目录遍历

一个同事说有一些目录遍历,想着能不能搞个脚本啥的,以后利用也方便,自己没有写出来,说让我看看

一般来说存在目录遍历的话就是翻文件,看看有没有一些敏感信息、未授权接口之类的,一个个翻的话也确实比较麻烦

而且 eWebEditor、FCKeditor 这种编辑器有些版本也存在目录遍历漏洞,能找的一些未授权访问也是好的

以前写过一个爬网站链接的脚本,感觉可以在那个脚本的基础上改一下,改过后确实大致能用

0x01 脚本

#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@Author: reber
@Mail: reber0ask@qq.com
@Date: 2019-08-05 15:58:38
@LastEditTime: 2019-12-16 17:07:09
'''

import asyncio
import aiohttp
from lxml import etree
from urllib.parse import urljoin
from urllib.parse import urlparse
from urllib.parse import urlunsplit
from pybloom_live import BloomFilter


bf = BloomFilter(100000, 0.01)

def is_repeat(ele):
    if ele in bf:
        return True #元素不一定在集合中
    else:
        bf.add(ele)
        return False #元素一定不在集合中

class GetAllLink(object):
    """docstring for GetAllLink"""
    def __init__(self, target, crawl_deepth, rate):
        super(GetAllLink, self).__init__()
        self.target = target if ("://" in target) else "http://{}/".format(target)
        self.crawl_deepth = crawl_deepth
        self.current_url_path = self.target

        self.sem = asyncio.Semaphore(rate) # 限制并发量
        self.loop = asyncio.get_event_loop()

        self.url_links = {
            "a": [self.target],
            "img": [],
            "link": [],
            "script": [],
            "external": [],
        }
        self.unvisited = []
        self.unvisited.append(self.target)
        self.visited = []

    async def async_get_page(self, url):
        async with self.sem:
            async with aiohttp.ClientSession() as session:
                try:
                    async with session.get(url, timeout=10) as resp:
                        code = resp.status
                        url = str(resp.url)
                        html = await resp.text()
                        return (code, url, html)
                except aiohttp.client_exceptions.ClientConnectorError:
                    return (000, url, "Cannot connect to host")

    def callback(self, future):
        status_code, url, html = future.result()
        print("get url: ==> "+url)
        self.visited.append(url)
        if status_code == 200:
            self.extract_links(url, html)
        elif status_code == 404 or status_code == 403:
            print(status_code, url)
        else:
            print(status_code, url, html)

    def extract_links(self, url, html):
        import re
        url = url.replace("%5C","/")
        dir_m = re.findall(r'<Folder name="(.*?)" />', html, re.S|re.M)
        file_m = re.findall(r'<File name="(.*?)" size=".*?" />', html, re.S|re.M)
        for dir in dir_m:
            new_url = url+"/"+dir
            print(new_url.split("=")[-1])
            self.unvisited.append(new_url)
        for file in file_m:
            new_url = url+"/"+file
            print(new_url.split("=")[-1])
            self.visited.append(new_url)

    # def extract_links(self, url, html):
    #     """
    #     提取 url
    #     """
    #     o = urlparse(url)
    #     self.current_url_path = urlunsplit((o.scheme,o.netloc,o.path,'',''))

    #     selector = etree.HTML(html)
    #     a_list = selector.xpath("//a/@href")
    #     img_list = selector.xpath("//img/@src")
    #     link_list = selector.xpath("//link/@href")
    #     script_list = selector.xpath("//script/@src")

    #     for a in a_list:
    #         self.parse_link("a",a)
    #     for img in img_list:
    #         self.parse_link("img",img)
    #     for link in link_list:
    #         self.parse_link("link",link)
    #     for script in script_list:
    #         self.parse_link("script", script)

    # def parse_link(self, link_type, link):
    #     url = None
    #     if link.startswith("//"):
    #         link = "http:"+link

    #     if link.startswith("/") or link.startswith("."): #相对路径,肯定是本域
    #         url = urljoin(self.current_url_path, link)
    #     elif link.startswith(self.target): #完整url,且为本域
    #         url = link
    #     elif link.startswith('http') or link.startswith('https'): # url为http开头且domain不在url中,肯定为外域
    #         url = link
    #         link_type = "external"

    #     if url and (not is_repeat(url)):
    #         if link_type == "a":
    #             print("match url: "+url)
    #             self.unvisited.append(url)
    #             self.url_links[link_type].append(url)
    #         else:
    #             print("match url: "+url)
    #             self.url_links[link_type].append(url)

    def run(self):
        current_deepth=0
        while current_deepth < self.crawl_deepth:
            print("*"*130)
            if len(self.unvisited) == 0:
                break
            else:
                tasks = list()
                while len(self.unvisited) > 0:
                    url = self.unvisited.pop()
                    task = asyncio.ensure_future(self.async_get_page(url))
                    task.add_done_callback(self.callback)
                    tasks.append(task)
                self.loop.run_until_complete(asyncio.wait(tasks))
            current_deepth += 1


if __name__ == "__main__":
    import optparse
    parser = optparse.OptionParser(usage='Usage: %prog [options] domaion',
                                    version='%prog 1.0')
    parser.add_option('-u', dest='target',default=None, type='string',help='target domain')
    parser.add_option('-d', dest='deepth',default=3, type='int',help='crawl deepth')
    parser.add_option('-r', dest='rate', default=10, type='int', help='the rate, default is 10')

    (options, args) = parser.parse_args()

    if options.target:
        gal = GetAllLink(target=options.target, crawl_deepth=options.deepth, rate=options.rate)
        gal.run()
        # print("-"*130)
        # print("\n".join(gal.url_links["a"]))
        # print("\n".join(gal.url_links["img"]))
        # print("\n".join(gal.url_links["link"]))
        # print("\n".join(gal.url_links["script"]))
        # print("\n".join(gal.url_links["external"]))
        domain = urlparse(options.target).netloc
        with open("{}.txt".format(domain),"a+") as f:
            for url in gal.visited:
                print(url)
                f.write(url+"\n")
            for url in gal.unvisited:
                f.write(url+"\n")
    else:
        parser.print_help()

0x02 结果

其实也就是在原来脚本的基础上注释了 parse_link(),重写了 extract_links(),把结果输出那里改下

这个脚本是基于 FCKeditor 的目录遍历写的,常见的那种目录遍历的话改下 extract_links() 中的正则就行了

若未作声明则文章版权归本人(@reber)所有,转载请注明原文链接:

可以返回顶部