0x01 杂谈
昨天搞忘打卡了,尴尬 ,今天补上吧,哎,最近考试周,又得突击了,不过打卡也不能断,upup !
朋友说挖src的时候,朋友说挖到几个flash xss ,结果去他github一看,果然star了一个神器(AngelSword),看了一下,各种cms的历史漏洞还比较全面,这里正好新系统配置好了,试一试。
0x02 关于AngelSword
github搜索下载,基本上所有的历史cms漏洞都有,部分截图
0x03 从信息搜集到批量扫描
简单谈一下我这里的信息搜集,用lijiejie 的subdomain去搜集域名和ip
这里取出ip
import re
import sys
path=sys.argv[1]
path2=sys.argv[2]
f=open(path)
c_iplist=[]
#f1=open('newip.txt','a')
line=f.readline()
while line:
line = f.readline()
ip=re.findall('(?<![\.\d])(?:\d{1,3}\.){3}\d{1,3}(?![\.\d])',line)
#print ip[0]
try:
if re.match('^(10|127|172|192)+.\d+.\d+.\d+',ip[0]):
pass
else:
print ip[0]
ip2=ip[0]
print ip2+">>>>>>>>>>>>>>>"
c_iplist.append(ip2)
except:
pass
f=open(path2,'a')
iplist = list(set(c_iplist))
for ip in iplist:
print ip
ip = ip+'\n'
f.write(ip)
f.close取出来过后再生成C段
import re
import sys
path=sys.argv[1]
path2=sys.argv[2]
f=open(path)
c_iplist=[]
#f1=open('newip.txt','a')
line=f.readline()
while line:
line = f.readline()
ip=re.findall('(?<![\.\d])(?:\d{1,3}\.){3}\d{1,3}(?![\.\d])',line)
#print ip[0]
try:
if re.match('^(10|127|172|192)+.\d+.\d+.\d+',ip[0]):
pass
else:
print ip[0]
ip2=ip[0]
print ip2+">>>>>>>>>>>>>>>"
c_iplist.append(ip2)
except:
pass
iplist=[]
iplist1=[]
f=open(path2,'a')
for line in c_iplist:
print line
ip=re.findall(r'\d+.\d+.\d+.',line)
iplist.append(ip[0])
for ip in iplist:
print ip
if ip not in iplist1:
iplist1.append(ip)
for ip in iplist1:
for i in range(1,255):
print ip
ip1=ip+str(i)+'\n'
f.write(ip1)
f.close以刚才说到的flash xss 为例子
root@sp4rk-HP-Notebook:/home/sp4rk/hack/AngelSword# python3 AngelSword.py -s xss搜索结果:
[1]漏洞名: Discuz X3 focus.swf flashxss漏洞=======>discuz_focus_flashxss
[2]漏洞名: phpcms v9 flash xss漏洞=======>phpcms_v9_flash_xss想把这里生成C段的ip放进去,然而必须要http://ip才能识别
import sys
file = open(sys.argv[1],'rw')
header = 'http://'
line = file.readlines()
#print line
a = open(sys.argv[2],'w')
for i in line:
res = header+i
#print res
a.write(res)这里生成新的ip,放进去
这里以某src为例子,扫描其C段,可以发现有flash xss历史漏洞还没有修复
