SRC Vulnerability Mining--CNVD National Information Security Vulnerability Sharing Platform

Table of contents

0x00 Introduction

0x01 Tools used in the process

0x02 Detailed process

1. Find the target of digging

1.1 Tool introduction

1.2 Target retrieval process

2. Handy digging tools

2.1 Tool introduction

2.2 Tool download link

2.3 Tool usage

3. Digging time

4. Vulnerability verification

5. Submitting Vulnerabilities

0x03 Precautions


0x00 Introduction

  SRC vulnerability platforms: a Security Response Center (SRC) is a site used by an enterprise to receive product security vulnerabilities discovered and reported by users. Put simply, it is a platform that connects white hats and enterprises: you submit vulnerabilities to them legally, and they give you a bounty. At present there are two kinds of platform in China: public vulnerability reporting platforms and enterprise SRCs. Here I also want to emphasize to everyone that you must not hunt for vulnerabilities illegally, and pay attention to the scope and the target: the testing must be authorized! Be a law-abiding citizen!

        Due to special reasons, I need to submit some vulnerabilities to the CNVD National Information Security Vulnerability Sharing Platform every week. Recently I found that the site does not accept vulnerabilities in small businesses, and none of my submissions were approved. After some inquiries, I learned that CNVD currently accepts vulnerabilities in government, medical and school SRCs, some group companies, state-owned enterprises and so on, which undoubtedly makes it harder for us to find vulnerabilities.

        Here is my current vulnerability-hunting approach:

  1. Find the target of digging
  2. Use handy digging tools
  3. Digging time
  4. Vulnerability verification
  5. Submit vulnerabilities

0x01 Tools used in the process

        The knowledge areas involved in this article and the tools used mainly include:

  1. Basic use of Python
  2. Use of vulnerability scanning tools
  3. Vulnerability verification ability
  4. Cyberspace asset search (surveying and mapping) platforms, Qichacha, Aiqicha
  5. Chaitin's xray vulnerability scanner
  6. 360's dynamic crawler tool crawlergo
  7. SRC vulnerability submission platforms

        The scripts used in this article mainly include (python scripts):

  1. fofa API call script
  2. Target URL liveness check script
  3. xray and crawlergo linkage script

Note: the blogger uses macOS. Where Windows users need to modify the scripts provided, the blogger also points it out in the code.

0x02 Detailed process

1. Find the target of digging

1.1 Tool introduction

  1. Cyberspace asset search platforms: fofa, Qi Anxin's Hunter, 360's Quake (membership required);
  2. API scripts;
  3. Qichacha and Aiqicha (membership required).

1.2 Target retrieval process

        This time we take fofa as an example: retrieve the required target addresses in batches using fofa search syntax, then download the matching data through the API script.

        Organize the query syntax in advance. This time we search by domain name: the domain is ".gov.cn", the region is China and the status code is 200. There are a great many matching assets, and membership limits us to extracting only 10,000 targets per day, so the search syntax needs to be refined further:

host=".gov.cn" && country="CN" && status_code="200"

        Subdividing by region filters the data again; most regions come in under 30,000 results, so they can be retrieved and downloaded in batches:

host=".gov.cn" && country="CN" && status_code="200" && region="Beijing"

        Then use the fofa API to extract the data. The python script that pulls the fofa API data is below (before running it, look up your fofa email and api_key in the personal center):

# Disclaimer: this tool is for learning use only; no legal responsibility is assumed
# Windows and Linux users can use it directly without modification

import base64
import csv

import requests


# Query function: run one fofa query and hand the results to write_file
def Inquire(email, api_key, gammer):
    qbase64 = base64.b64encode(gammer.encode()).decode()
    api = 'https://fofa.info/api/v1/search/all?email={}&key={}&qbase64={}&size=10000'.format(email, api_key, qbase64)
    print("Requesting query {}".format(gammer))
    response = requests.get(api, timeout=30)
    response.raise_for_status()
    data = response.json()
    if data.get("error"):
        # fofa answers {"error": true, "errmsg": "..."} for a bad key, quota or syntax problem
        print("fofa returned an error: {}".format(data.get("errmsg")))
        return
    data_result = data["results"]
    count = len(data_result)
    print("Total number of records available: {}\n".format(count))
    # print(data_result)
    count_range = GetNumber()
    write_file(gammer, data_result, count_range)


# Download count function
def GetNumber():
    count_range = input('Enter the number of records to fetch (maximum 10000): ')
    # count_range = 10000  # for batch queries the download count can be set directly
    return int(count_range)


# Write function: append up to count_range rows to <query>.csv
def write_file(gammer, data, count_range):
    filename = gammer + '.csv'
    with open(filename, 'a', newline="", encoding="utf-8") as f:
        writer = csv.writer(f)
        writer.writerow(["URL", "IP address", "Port"])
        # default fofa result fields are host, ip, port (port may come back as an int)
        for result in data[:count_range]:
            writer.writerow([str(field).strip() for field in result[:3]])


# Interactive interface
def GUI_Communication():
    print("\n\t FOFA API tool\n")
    email = input('Email: ')
    api_key = input('api_key: ')
    num = int(input('Single query? (yes 1 / no 0): '))
    if num == 1:
        gammer = input('Query syntax: ')
        Inquire(email, api_key, gammer)
    elif num == 0:
        # batch mode: one query per line in gammers.txt
        with open("gammers.txt", 'r', encoding="utf-8") as f:
            for gammer_data in f:
                gammer = gammer_data.strip()
                if gammer:
                    Inquire(email, api_key, gammer)
    else:
        print("Only 0 or 1 may be entered!")


if __name__ == '__main__':
    GUI_Communication()

        After the script runs, enter the correct email address and api_key, enter the syntax organized above, fill in the download quantity, and the data is downloaded: a CSV file named after the query syntax is generated in the script directory, and opening it shows the target addresses we need;

         Next, we need to verify that the targets are alive and output them as formatted URLs (http://ip-or-domain:port), which is convenient for vulnerability hunting. Again we use a python script for the liveness check. Save the URLs from the table in advance to a text file (url.txt) with one target URL per line, placed in the same folder as the script. After the script runs, a url_ok.txt file is generated in the same directory; this file is the final list of target URLs. The script is as follows:

# Disclaimer: this tool is for learning use only; no legal responsibility is assumed
# Windows users: remove the ./ from ./url.txt and ./url_ok.txt in the code


import requests

TIMEOUT = (5, 8)  # (connect, read) timeout in seconds


def candidates(url):
    """Return the URLs to try for one input line.

    A line that already carries a scheme is tried as-is; a bare
    host[:port] is tried over http first and then over https.
    """
    if url.startswith(("http://", "https://")):
        return [url]
    return [f"http://{url}", f"https://{url}"]


def check_alive(url):
    """Return the first candidate URL that answers HTTP 200, or None."""
    for candidate in candidates(url):
        try:
            ok = requests.get(candidate, timeout=TIMEOUT)
        except requests.RequestException:
            # connection refused, timeout, TLS error ...: try the next scheme
            continue
        print(candidate, ok.status_code)
        if ok.status_code == 200:
            return candidate
    return None


def foo():
    with open("./url.txt") as targets, open("./url_ok.txt", "a") as url_ok:
        for line in targets:
            url = line.strip()
            if not url:
                continue
            alive = check_alive(url)
            if alive is None:
                print(f"{url} URL invalid")
                continue
            url_ok.write(alive + "\n")


if __name__ == "__main__":
    foo()
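The conversion step between the two scripts above (turning the CSV rows into the one-target-per-line url.txt) is left to the reader in the post; as an added example that is not part of the original post, here is a small converter for it. The CSV rows are a constructed sample, and the scheme rule (https for port 443, http otherwise), the fallback to the IP when the host field is empty, and dropping default ports are assumptions:

```python
import csv
import io

# Constructed sample in the layout the fofa script writes (header + host, ip, port rows);
# .example domains and 203.0.113.0/24 addresses are documentation values, not real hosts.
SAMPLE_CSV = """URL,IP address,Port
a.example,203.0.113.10,80
b.example:8080,203.0.113.11,8080
https://c.example,203.0.113.12,443
,203.0.113.13,8443
a.example,203.0.113.10,80
"""

DEFAULT_PORTS = {"http": "80", "https": "443"}


def normalize_target(host, ip, port):
    """Build one scheme://host[:port] line from a fofa CSV row (assumed rules).

    A host that already carries a scheme is kept as-is; otherwise port 443 means
    https and anything else http. An empty host falls back to the IP. Default
    ports are dropped; other ports are appended unless the host field already
    contains one (IPv6 literals are not handled).
    """
    host, ip, port = host.strip(), ip.strip(), port.strip()
    if host.startswith(("http://", "https://")):
        scheme, _, rest = host.partition("://")
    else:
        scheme = "https" if port == "443" else "http"
        rest = host or ip
    if ":" not in rest and port and port != DEFAULT_PORTS[scheme]:
        rest = f"{rest}:{port}"
    return f"{scheme}://{rest}"


def csv_to_targets(csv_text):
    """Return the deduplicated target lines for url.txt, in input order."""
    seen, targets = set(), []
    for row in csv.reader(io.StringIO(csv_text)):
        # write_file appends one header row per query, so skip every header
        if len(row) < 3 or row[0] == "URL":
            continue
        target = normalize_target(*row[:3])
        if target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


def demo():
    return csv_to_targets(SAMPLE_CSV)


if __name__ == "__main__":
    # real use: pass the contents of the generated <query>.csv and write the result to url.txt
    print("\n".join(demo()))
```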

2. Handy digging tools

        There are actually many tools; use whichever you find handy.

2.1 Tool introduction

  1. xray: a community-edition vulnerability scanner extracted from the core engine of Chaitin's Dongjian (洞鉴);
  2. 360-crawlergo: a dynamic crawler developed by the 360 security team that uses headless Chrome to collect URL entry points;
  3. xray and 360-crawlergo linkage script.

        This time we use xray and crawlergo together to hunt for vulnerabilities in the targets just sorted out. For specific usage you can also refer to the official xray tutorial, or follow the blogger's approach;

2.2 Tool download link

        xray: download directly from the official website; the GitHub release is not updated in time, so downloading from the official site is recommended:

        360-crawlergo:

        Linkage script:

2.3 Tool usage

        Download the builds that match your operating system (the blogger is on Mac arm64 and downloads the darwin_arm64 version), then place them in one folder:

         Place the downloaded crawlergo and xray in the linkage script's directory, then delete the crawlergo and xray folders that ship with the linkage script. Note that you need to rename crawlergo_darwin_arm64 to crawlergo, and modify part of the code in the main programs launcher.py and launcher_new.py: mainly change the Chrome path to your local path. The blogger's Chrome browser is at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome. Just change the following code:

        placed in the same folder;

         Modify the browser file paths in the main programs launcher.py and launcher_new.py; the locations to change are basically the same in both files. It is recommended to use launcher.py, which displays crawling progress;

        Place the targets obtained in the first step in the targets.txt file, one per line, then start xray listening locally on 127.0.0.1:7777 (the script is written to send to port 7777 by default). The essence of the linkage is that the script runs crawlergo over each target and sends the crawled data to the listening xray, which then performs the vulnerability check on the target;

        The target is placed in the targets.txt file;

        Start xray listening; if you are unsure of the listen command, check the xray official website;

./xray_darwin_arm64 webscan --listen 127.0.0.1:7777 --html-output proxy.html

        Start the linkage main program to crawl the targets. After a while you can see that the crawler has collected data and sent it to xray through the local loopback port 7777; then just wait quietly for the output report;

 

3. Digging time

        How long the digging takes is uncertain and depends on luck, but since everyone is hunting SRC targets it is not easy now; it is recommended to leave the computer running before going to bed, or just run the whole thing in a virtual machine.

4. Vulnerability verification

        Vulnerability verification is also a skill we must master in web security. It is actually very simple: if you do not understand something, just ask Baidu, which will always give you a satisfactory answer. There are also some tips: the report generally gives the corresponding verification script and the verification idea, and verifying directly from the report is generally fine.

5. Submitting Vulnerabilities

        There are many platforms for submitting SRC vulnerabilities. I mainly submit on the CNVD National Information Security Vulnerability Sharing Platform. Of course there are many other platforms; I list some of them below for your reference, and it should be fairly complete.

A
 阿里巴巴 (ASRC)
 https://security.alibaba.com/
 
 阿里云先知
 https://xianzhi.aliyun.com/  
 
 爱奇艺 (71SRC)
 https://security.iqiyi.com/  
 
 安恒
 https://security.dbappsecurity.com.cn/  
 
B
 BIGO (BSRC)
 https://security.bigo.sg/  
 
 BOSS直聘 (BSSRC)
 https://src.zhipin.com/  
 
 百度 (BSRC)
 https://bsrc.baidu.com/  
 
 百合 (BHSRC)
 https://src.baihe.com/  
 
 贝贝 (BBSRC)
 https://src.beibei.com.cn/  
 
 贝壳 (BKSRC)
 https://security.ke.com/  
 
 本木医疗 (BMSRC)
 https://security.benmu-health.com/src/  
 
 哔哩哔哩 (BILISRC)
 https://security.bilibili.com/  

C
 菜鸟网络 (CNSRC)
 https://sec.cainiao.com/  

D
 DHgate (DHSRC)
 http://dhsrc.dhgate.com/  
 
 大疆 (DJISRC)
 https://security.dji.com/  
 
 滴滴出行 (DSRC)
 https://sec.didichuxing.com/  
 
 东方财富 (EMSRC)
 https://security.eastmoney.com/  

 斗米 (DMSRC)
 https://security.doumi.com/  
 
 斗鱼 (DYSRC)
 https://security.douyu.com/  
 
 度小满 (DXMSRC)
 https://security.duxiaoman.com/  

F
 法大大 (FSRC)
 https://sec.fadada.com/  

 富友 (FSRC)
 https://fsrc.fuiou.com/  
 
G
 瓜子 (GZSRC)
 https://security.guazi.com/  
 
H
 好未来 (100TALSRC)
 https://src.100tal.com/  
 
 合合 (ISRC)
 https://security.intsig.com/  
 
 恒昌 (HCSRC)
 http://src.credithc.com/  
 
 虎牙 (HSRC)
 https://src.huya.com/  
 
 华为 (HBP)
 https://bugbounty.huawei.com/  
 
 华住 (HSRC)
 https://sec.huazhu.com/  
 
 欢聚时代 (YSRC)
 https://security.yy.com/  
 
 货拉拉 (LLSRC)
 https://llsrc.huolala.cn/  
 
 火线
 https://www.huoxian.cn/project/detail?pid ref
 
J
 焦点 (FSRC)
 https://security.focuschina.com/  
 
 金山办公 (WPSSRC)
 https://security.wps.cn/  

 金山云 (KYSRC)
 https://kysrc.vulbox.com/  
 
 京东 (JSRC)
 https://security.jd.com/  

 竞技世界 (JJSRC)
 https://security.jj.cn/  
 
K
 酷狗 (KGSRC)
 https://security.kugou.com/  
 
 快手 (KwaiSRC)
 https://security.kuaishou.com/  
 
 旷视 (MSRC)
 https://megvii.huoxian.cn/  

L
 老虎证券 (TigerSRC)
 https://security.itiger.com/  
 
 乐信 (LXSRC)
 http://security.lexinfintech.com/  
 
 理想
 https://security.lixiang.com/  
 
 联想 (LSRC)
 https://lsrc.vulbox.com/  

 猎聘 (LPSRC)
 https://security.liepin.com/  
 
M 
 MYSRC
 https://mysrc.group/  
 
 马蜂窝 (MFWSRC)
 https://security.mafengwo.cn/  
 
 蚂蚁集团 (AntSRC)
 https://security.alipay.com/  
 
 美丽联合 (MLSRC)
 https://security.mogu.com/  
 
 美团 (MTSRC)
 https://security.meituan.com/  
 
 魅族 (MEIXZUSRC)
 https://sec.meizu.com/  
 
 陌陌 (MMSRC)
 https://security.immomo.com/  
 
N
 你我贷 (NSRC)
 http://www.niwodai.com/sec/index.htm  
 
O
 OPPO (OSRC)
 https://security.oppo.com/  
 
P
 平安 (PSRC)
 https://security.pingan.com/  

 平安汇聚 (ISRC)
 https://isrc.pingan.com/  
 
Q
 千米 (QMSRC)
 https://security.qianmi.com/  
 
 去哪儿 (QSRC)
 https://security.qunar.com/  

R 
 融360 (Rong360SRC)
 https://security.rong360.com/  

S
 SHEIN
 https://security.shein.com/  
 
 SOUL
 https://security.soulapp.cn/  
 
 360 (360SRC)
 https://security.360.cn/  
 
 深信服 (SSRC)
 https://security.sangfor.com.cn/  
 
 世纪佳缘 (JYSRC)
 https://src.jiayuan.com/  
 
 水滴安全 (SDSRC)
 https://security.shuidihuzhu.com/  
 
 顺丰 (SFSRC)
 http://sfsrc.sf-express.com/  
  
 苏宁 (SNSRC)
 https://security.suning.com/  
 
T
 T3出行 (T3SRC)
 https://security.t3go.cn/  
 
 TCL (TCLSRC)
 https://src.tcl.com/  
 
 腾讯 (TSRC)
 https://security.tencent.com/  
 
 同程旅行 (LYSRC)
 https://sec.ly.com/  
 
 同程数科 (TJSRC)
 https://securitytcjf.com/  
 
 统信(USRC)
 https://src.uniontech.com/  
 
 同舟共测
 https://tz.alipay.com/  
 
 途虎 (THSRC)
 https://security.tuhu.cn/  
 
 途牛 (TNSRC)
 https://sec.tuniu.com/  
 
U
 UCLOUD (USRC)
 https://sec.ucloud.cn/  

V
 VIPKID (VKSRC)
 https://security.vipkid.com.cn/  

 VIVO (vivoSRC)
 https://security.vivo.com.cn/  
 
W
 WiFi万能钥匙 (WIFISRC)
 https://sec.wifi.com/  
 
 挖财 (WACSRC)
 https://sec.wacai.com/  
 
 完美世界 (PWSRC)
 https://security.wanmei.com/  
 
 网易 (NSRC)
 https://aq.163.com/  

 唯品会 (VSRC)
 https://sec.vip.com/  
 
 微博 (WSRC)
 https://wsrc.weibo.com/  
 
 微众 (WSRC)
 https://security.webank.com/  

 58 (58SRC)
 https://security.58.com/  
 
 伍林堂 (WSRC)
 https://www.wulintang.net/  
 
X
 喜马拉雅 (XMSRC)
 https://security.ximalaya.com/  
 
 享道出行 (SDSRC)
 https://src.saicmobility.com/  
 
 小米 (MISRC)
 https://sec.xiaomi.com/  
 
 小赢 (XYSRC)
 https://security.xiaoying.com/  
 
 携程 (CSRC)
 https://sec.ctrip.com/  
 
 新浪 (SSRC)
 https://sec.sina.com.cn/  
 
 讯飞 (XFSRC)
 https://security.iflytek.com/  
 
Y
 易宠 (ESRC)
 https://sec.epet.com/  

 一加 (ONESRC)
 https://security.oneplus.com/  
 
 一起教育 (17SRC)
 https://security.17zuoye.com/  
 
 宜信 (CESRC)
 https://security.creditease.cn/  

 银联 (USRC)
 https://security.unionpay.com/  
 
 萤石 (YSCR)
 https://ysrc.ys7.com/  
 
 有赞 (YZSRC)
 https://src.youzan.com/

0x03 Precautions

  1. During vulnerability hunting, everyone must get authorization; do not hunt illegally, and pay attention to the scope;
  2. There are many ways to retrieve target URLs, not only the methods introduced above;
  3. For the python scripts introduced in this article, Windows clients need to modify some code;
  4. If a python script in the article reports an error when running, most likely a python package is not installed, and it needs to be installed with pip install;
  5. If the xray downloaded from the official website reports an error, it is because the latest version of xray does not generate a new configuration file by default but looks for the old one (config.yaml), so if you have not used the tool before, you need to download the old version first and generate a configuration file for the new version to use;
  6. The xray and 360-crawlergo linkage script needs its browser directory configuration modified according to your own system path;
  7. Sometimes a crawled target is sent to xray but xray does not scan it; the blogger does not yet know the cause. Switching to another target avoids the problem, so it feels like an issue with the target;
  8. If you have better tools, you can also comment and share them. Let's learn and make progress together. Finally, I wish everyone can become a big shot in the security industry as soon as possible.

Origin blog.csdn.net/x319427393/article/details/126894851