
Commit 3df7cca

authoredMay 26, 2019
上传文件后缀白名单fuzz字典
1 parent 24b178a commit 3df7cca


1 file changed

+296
-0
lines changed

 
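--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,296 @@
+#coding=utf-8
+'''
+author: c0ny1<root@gv7.me>
+github: https://github.com/c0ny1/upload-fuzz-dic-builder
+date: 2018-11-04 23:16
+description: 生成符合漏洞实际场景fuzz字典的脚本
+'''
+
+import argparse
+import copy
+import urllib
+
+## 各类语言可解析的后缀
+html_parse_suffix = ['html','htm','phtml','pht','Html','Htm','pHtml']
+asp_parse_suffix = ['asp','aspx','asa','asax','ascx','ashx','asmx','cer','aSp','aSpx','aSa','aSax','aScx','aShx','aSmx','cEr']
+php_parse_suffix = ['php','php5','php4','php3','php2','pHp','pHp5','pHp4','pHp3','pHp2']
+jsp_parse_suffix = ['jsp','jspa','jspx','jsw','jsv','jspf','jtml','jSp','jSpx','jSpa','jSw','jSv','jSpf','jHtml']
+
+
+## web中间件解析漏洞
+def iis_suffix_creater(suffix):
+res = []
+for l in suffix:
+str ='%s;.%s' % (l,allow_suffix)
+res.append(str)
+return res
+
+def apache_suffix_creater(suffix):
+res = []
+for l in suffix:
+str = '%s.xxx' % l
+res.append(str)
+str = '%s%s' % (l,urllib.unquote('%0a')) #CVE-2017-15715
+res.append(str)
+return res
+
+win_tomcat = ['%20','::$DATA','/']
+def tomcat_suffix_creater(suffix):
+res = []
+for l in suffix:
+for t in win_tomcat:
+str = '%s%s' % (l,t)
+res.append(str)
+return res
+
+## 系统特性
+def str_81_to_ff():
+res = []
+for i in range(129,256):
+str = '%x' % i
+str = '%' + str
+str = urllib.unquote(str)
+res.append(str)
+return res
+
+windows_os = [' ','.','/','::$DATA','<','>','>>>','%20','%00'] + str_81_to_ff()
+
+def windows_suffix_creater(suffix):
+res = []
+for s in suffix:
+for w in windows_os:
+str = '%s%s' % (s,w)
+res.append(str)
+return res
+
+## 脚本语言漏洞(00截断)
+def str_00_truncation(suffix,allow_suffix):
+res = []
+for i in suffix:
+str = '%s%s.%s' % (i,'%00',allow_suffix)
+res.append(str)
+str = '%s%s.%s' % (i,urllib.unquote('%00'),allow_suffix)
+res.append(str)
+return res
+
+## 返回字符串所有大写可能
+def str_case_mixing(word):
+str_list = []
+word = word.lower()
+tempWord = copy.deepcopy(word)
+plist = []
+redict = {}
+for char in range( len( tempWord ) ):
+char = word[char]
+plist.append(char)
+num = len( plist )
+for i in range( num ):
+for j in range( i , num + 1 ):
+sContent = ''.join( plist[0:i] )
+mContent = ''.join( plist[i:j] )
+mContent = mContent.upper()
+eContent = ''.join( plist[j:] )
+content = '''%s%s%s''' % (sContent,mContent,eContent)
+redict[content] = None
+
+for i in redict.keys():
+str_list.append(i)
+
+return str_list
+
+## list大小写混合
+def list_case_mixing(li):
+res = []
+for l in li:
+res += str_case_mixing(l)
+return res
+
+## 双后缀生成
+def str_double_suffix_creater(suffix):
+res = []
+for i in range(1,len(suffix)):
+str = list(suffix)
+str.insert(i,suffix)
+res.append("".join(str))
+return res
+
+def list_double_suffix_creater(list_suffix):
+res = []
+for l in list_suffix:
+res += str_double_suffix_creater(l)
+return duplicate_removal(res)
+
+#list 去重
+def duplicate_removal(li):
+return list(set(li))
+
+#list 去空行
+def clear_list(li):
+rmstr = ['',' ',None]
+for l in li:
+for r in rmstr:
+if l == r:
+li.remove(r)
+return li
+
+def parse_args():
+parser = argparse.ArgumentParser(prog='upload-fuzz-dic-builder',
+formatter_class=argparse.RawTextHelpFormatter,
+description='')
+
+parser.add_argument('-n','--upload-filename',metavar='',dest='upload_file_name', type=str, default='test',
+help=u'Upload file name')
+
+parser.add_argument('-a','--allow-suffix',metavar='',dest='allow_suffix', type=str, default='jpg',
+help=u'Allowable upload suffix')
+
+parser.add_argument('-l','--language',metavar='',dest='language',choices=['asp','php','jsp','all'], type=str, default='all',
+help='Uploaded script language')
+
+parser.add_argument('-m','--middleware',metavar='',dest='middleware',choices=['iis','apache','tomcat','all'],type=str, default='all',
+help='Middleware used in Web System')
+parser.add_argument('--os',metavar='',dest='os', choices=['win','linux','all'],type=str, default='all',
+help='Target operating system type')
+
+parser.add_argument('-d','--double-suffix',dest='double_suffix', default=False,action='store_true',
+help='Is it possible to generate double suffix?')
+parser.add_argument('-o','--output',metavar='',dest='output_filename', type=str, default='upload_fuzz_dic.txt',
+help='Output file')
+
+args = parser.parse_args()
+return args
+
+if __name__ == '__main__':
+
+args = parse_args()
+upload_file_name = args.upload_file_name
+allow_suffix = args.allow_suffix
+output_filename =args.output_filename
+
+language = args.language
+middleware = args.middleware
+os = args.os
+double_suffix =args.double_suffix
+
+if middleware == 'iis':
+os = 'win'
+
+###################################
+
+f = open(output_filename,'w')
+parse_suffix = []
+case_parse_suffix = []
+middleware_parse_suffix = []
+htaccess_suffix = []
+os_parse_suffix = []
+double_parse_suffix = []
+
+
+# 可解析后缀
+if language == 'asp':
+html_parse_suffix = []
+php_parse_suffix = []
+jsp_parse_suffix = []
+parse_suffix = asp_parse_suffix
+elif language == 'php':
+asp_parse_suffix = []
+jsp_parse_suffix = []
+parse_suffix = html_parse_suffix + php_parse_suffix
+elif language == 'jsp':
+html_parse_suffix = []
+asp_parse_suffix = []
+php_parse_suffix = []
+parse_suffix = jsp_parse_suffix
+else: # language == 'all'
+parse_suffix = html_parse_suffix + asp_parse_suffix + php_parse_suffix + jsp_parse_suffix
+print u'[+] 收集%d条可解析后缀完毕!' % len(parse_suffix)
+
+# 可解析后缀 + 大小写混合
+if os == 'win' or os == 'all':
+case_html_parse_suffix = list_case_mixing(html_parse_suffix)
+case_asp_parse_suffix = list_case_mixing(asp_parse_suffix)
+case_php_parse_suffix = list_case_mixing(php_parse_suffix)
+case_jsp_parse_suffix = list_case_mixing(jsp_parse_suffix)
+case_parse_suffix = list_case_mixing(parse_suffix)
+print u'[+] 加入%d条可解析后缀大小写混合完毕!' % len(case_parse_suffix)
+else: # os == 'linux'
+case_html_parse_suffix = html_parse_suffix
+case_asp_parse_suffix = asp_parse_suffix
+case_php_parse_suffix = php_parse_suffix
+case_jsp_parse_suffix = jsp_parse_suffix
+case_parse_suffix = parse_suffix
+
+# 中间件漏洞
+if middleware == 'iis':
+case_asp_php_jsp_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_jsp_parse_suffix
+middleware_parse_suffix = iis_suffix_creater(case_asp_php_jsp_parse_suffix)
+elif middleware == 'apache':
+case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix
+middleware_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix)
+elif middleware == 'tomcat' and os == 'linux':
+middleware_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
+elif middleware == 'tomcat' and (os == 'win' or os == 'all'):
+case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
+middleware_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix)
+else:
+case_asp_php_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix
+iis_parse_suffix = iis_suffix_creater(case_asp_php_parse_suffix)
+case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix
+apache_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix)
+case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
+tomcat_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix)
+middleware_parse_suffix = iis_parse_suffix + apache_parse_suffix + tomcat_parse_suffix
+
+middleware_parse_suffix = duplicate_removal(middleware_parse_suffix)
+print u'[+] 加入%d条中间件漏洞完毕!' % len(middleware_parse_suffix)
+
+# .htaccess
+if (middleware == 'apache' or middleware == 'all') and (os == 'win' or os == 'all'):
+htaccess_suffix = str_case_mixing(".htaccess")
+print u'[+] 加入%d条.htaccess完毕!' % len(htaccess_suffix)
+elif (middleware == 'apache' or middleware == 'all') and os == 'linux':
+htaccess_suffix = ['.htaccess']
+print u'[+] 加入1条.htaccess'
+else:
+htaccess_suffix = []
+
+# 系统特性
+if os == 'win':
+os_parse_suffix = windows_suffix_creater(case_parse_suffix)
+elif os == 'linux':
+os_parse_suffix = parse_suffix
+else:
+win_suffix = windows_suffix_creater(case_parse_suffix)
+linux_suffix = parse_suffix
+os_parse_suffix = win_suffix + linux_suffix
+
+os_parse_suffix = duplicate_removal(os_parse_suffix)
+print u'[+] 加入%d条系统特性完毕!' % len(os_parse_suffix)
+
+# 语言漏洞
+
+language_parse_suffux = str_00_truncation(case_parse_suffix,allow_suffix)
+
+# 双后缀 + 大小写混合
+if double_suffix:
+double_parse_suffix = list_double_suffix_creater(case_parse_suffix)
+print u'[+] 加入%d条双后缀完毕!' % len(double_parse_suffix)
+else:
+double_parse_suffix = []
+
+all_parse_suffix = case_parse_suffix + middleware_parse_suffix + os_parse_suffix + language_parse_suffux + double_parse_suffix
+all_parse_suffix = duplicate_removal(all_parse_suffix)
+all_parse_suffix = clear_list(all_parse_suffix)
+# 写文件
+num = len(all_parse_suffix)
+for i in all_parse_suffix:
+str = '%s.%s' % (upload_file_name,i)
+#print '[+] '+type(str)
+f.write(str)
+f.write('\n')
+num += len(htaccess_suffix)
+for i in htaccess_suffix:
+f.write(i)
+f.write('\n')
+f.close()
+print u'[+] 去重后共%s条数据写入%s文件' % (num,output_filename)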
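Review bot: `iis_suffix_creater` (new line 21) reads `allow_suffix`, which is neither a parameter nor a module-level constant — it only resolves because the `__main__` block binds a global of that name after `parse_args()`, so the function raises NameError when the module is imported or the function is called any other way. Pass it explicitly, as `str_00_truncation` already does: `def iis_suffix_creater(suffix, allow_suffix):`, with the two call sites becoming `iis_suffix_creater(case_asp_php_jsp_parse_suffix, allow_suffix)` and `iis_suffix_creater(case_asp_php_parse_suffix, allow_suffix)`. `clear_list` (new line 128) calls `li.remove(r)` while iterating over `li`, which skips the element that shifts into the removed slot; a non-mutating filter `return [l for l in li if l not in ('', ' ', None)]` gives the intended result without that hazard. The output file is opened at new line 180 and closed only at line 295, so any exception in between leaks the handle — wrapping the write loops in `with open(output_filename, 'w') as f:` is the idiomatic form. The `print u'...'` statements and `urllib.unquote` make this Python 2 only; a one-line header comment such as `# Requires Python 2 (print statement, urllib.unquote)` would save a confused run under Python 3.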
