Elegantly Finding Website Source Code (Part 1)

0x0 Preface

If you can get hold of a website's source code during a penetration test, you have effectively switched on god mode. The idea of using a search engine to find sites running the same software and then mass-scanning them for backups has come up many times, but nobody has shared the concrete process. Here the author writes up some of the approaches tried while developing the directory-scanning module of a self-built distributed scanner, and shares a few other ways of locating source code, in the hope of giving readers something new.

0x1 Search techniques

0x1.1 Code hosting platforms

GitHub abroad and Gitee at home are both third-party code hosting platforms. With a few search techniques, a great deal of leaked sensitive information can be found on them, including the source code of some programs. The author does not use Gitee much, so it only gets a brief mention; the focus below is on GitHub. Personally, the biggest benefit of learning these operators is that when a search returns a large amount of data, the junk can be filtered out by a few characteristics.

GitHub search page: https://github.com/search

(1) Quick cheat sheet

Basic queries:
Search repositories:
Search code:
Search users:

(2) Personal query dorks

```
filename:config.php dbpasswd
filename:.bashrc password
shodan_api_key language:python
path:sites databases password
"baidu.com" ssh language:yaml
filename:file.php admin in:path
org:companyname "AWS_ACCESS_KEY_ID:"
```
(3) To search for a specific keyword, wrap it in double quotes, e.g. "qq.com".

(4) GitDorker can be used with custom dorks to automate the queries:

```bash
git clone https://github.com/obheda12/GitDorker.git
cd GitDorker
docker build -t gitdorker .
docker run -it gitdorker
docker run -it -v $(pwd)/tf:/tf gitdorker -tf tf/TOKENSFILE -q tesla.com -d dorks/DORKFILE -o tesla
docker run -it -v $(pwd)/tf:/tf xshuden/gitdorker -tf tf/TOKENSFILE -q tesla.com -d dorks/DORKFILE -o tesla
```
Running it without installing:

```bash
python3 GitDorker.py -tf ./TF/TOKENSFILE -q ximalaya.com -d ./Dorks/alldorksv3 -o xmly
```
References:
https://github.com/techgaun/github-dorks
https://infosecwriteups.com/github-dork-553b7b84bcf4

0x1.2 Search engines

Google queries (the Chinese keyword followed by its English meaning):

```
XX源碼        (XX source code)
XX完整包      (XX complete package)
xx安裝程序    (xx installer)
xx備份        (xx backup)
xx代碼        (xx code)
xx開源        (xx open source)
xx源程序      (xx source program)
xx框架        (xx framework)
xx ext:rar | ext:tar.gz | ext:zip
```
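The dorks in 0x1.1 work because config files, shell profiles and scripts with embedded keys get pushed to public repositories. The defender-side counterpart is to scan a repository for the same indicators before it is pushed. The following is an added example, not part of the original article or of GitDorker; the patterns, the sensitive file names and the sample repository contents are all constructed for illustration and should be tuned to your own code base.

```python
import re
from typing import Dict, List, Tuple

# Indicator patterns for the kinds of secrets the GitHub dorks above target.
# Constructed for this example; extend them for your own environment.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    # AWS access key ids always start with AKIA followed by 16 upper-case alphanumerics
    "aws_access_key_id": re.compile(r"AWS_ACCESS_KEY_ID\s*[:=]\s*['\"]?(AKIA[0-9A-Z]{16})"),
    # shodan_api_key = '<32 alphanumerics>'
    "shodan_api_key": re.compile(r"shodan_api_key\s*=\s*['\"]([A-Za-z0-9]{32})['\"]", re.I),
    # $dbpasswd = '...' style assignments as found in config.php
    "db_password": re.compile(r"\$?(?:dbpasswd|db_password|DB_PASS)\s*=\s*['\"]([^'\"]+)['\"]", re.I),
    # export SOMETHING_PASSWORD=... as found in .bashrc
    "exported_password": re.compile(r"export\s+\w*PASSWORD\w*\s*=\s*['\"]?([^\s'\"]+)"),
}

# File names whose mere presence in a public repository deserves a look.
SENSITIVE_NAMES = {"config.php", ".bashrc", ".env", "wp-config.php"}


def scan_text(path: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, indicator) for every pattern hit in one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, line_no, name))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of relative path -> file contents; line 0 marks a file-name hit."""
    findings = []
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        if base in SENSITIVE_NAMES:
            findings.append((path, 0, "sensitive_filename"))
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository; none of these values are real credentials.
SAMPLE_REPO = {
    "app/config.php": "<?php\n$dbhost = 'localhost';\n$dbpasswd = 'S3cret!';\n",
    "deploy/.bashrc": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\nexport DB_PASSWORD=hunter2\n",
    "tools/lookup.py": "shodan_api_key = 'abcdefghijklmnopqrstuvwxyz012345'\n",
    "README.md": "# project\nNothing sensitive here.\n",
}

if __name__ == "__main__":
    for path, line_no, indicator in scan_repo(SAMPLE_REPO):
        print(f"{path}:{line_no}: {indicator}")
```

Wire `scan_repo` (or a filesystem walk feeding `scan_text`) into a pre-push hook and the dorks in 0x1.1 have nothing to find in your repositories.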
0x1.3 Netdisk search

https://www.feifeipan.com/
https://www.dalipan.com/
https://www.chaonengsou.com/ (this site aggregates the others and is fairly complete)

0x2 The indirect route

If the source still cannot be found by the methods in 0x1, the target is a niche or commercial system that has not circulated widely on the internet, so no search will turn it up. At this point we take an indirect route: look for backup files and source archives in the target site's own web root and download them; if none are found, locate other sites running the same system and scan their directories for backup files and source packages, obtaining the system's source that way. Being a giant in thought but a dwarf in action is no use, so how do we carry this out efficiently? It breaks down into the following steps.

0x2.1 Extracting fingerprints

For fingerprints, concentrate on the home page, i.e. the page shown when the domain is requested directly, because the home page is the one most easily reached by search-engine crawlers; second come fingerprints from other distinctive pages reachable from the home page.

(1) Logo fingerprint: request favicon.ico and compute its hash.
(2) Keyword fingerprints: the site title, copyright notice, JavaScript keywords, HTML source structure and HTTP response header characteristics.

0x2.2 Asset collection

For asset collection, besides scripts of my own that drive the fofa, shodan and zoomeye platforms, I also like a tool that is feature-rich and runs stably: fofaviewer. Download: https://github.com/wgpsec/fofa_viewer

0x2.3 Simple fuzzing

After collecting the assets, I like to start with httpx for a simple probe of a few paths:

```bash
cat targets.txt | deduplicate | httpx -path '/wwwroot.zip' -status-code
```

This acts as a first coarse filter, so that nuclei has fewer requests to send.

0x2.4 Writing the nuclei template

Reading the official guide to writing templates (Guide) shows the following.

Step 1: template information. Create a file back-up-files.yaml and write in the content below. Reference: https://nuclei.projectdiscovery.io/templating-guide/#template-detail. The id is mandatory, may not contain spaces and usually matches the file name. The info block is free-form: besides name, author, description, severity and tags, other key: value pairs can be added; tags are what nuclei uses to select templates, so refer to similar templates when choosing them.

```yaml
id: back-up-files

info:
  name: Find Resource Code Of Target Template
  author: xq17
  severity: medium
  tags: exposure,backup
```
Step 2: sending the request. Reference: https://nuclei.projectdiscovery.io/templating-guide/protocols/http/, which states:

1. HTTP Requests start with a request block which specifies the start of the requests for the template.
2. Request method can be GET, POST, PUT, DELETE, etc depending on the needs.
3. Redirection conditions can be specified per each template. By default, redirects are not followed. However, if desired, they can be enabled with redirects: true in request details.
4. The next part of the requests is the path of the request path. Dynamic variables can be placed in the path to modify its behavior on runtime. Variables start with {{ and end with }} and are case-sensitive. {{BaseURL}} – This will replace on runtime in the request by the original URL as specified in the target file. {{Hostname}} – Hostname variable is replaced by the hostname of the target on runtime.
5. Headers can also be specified to be sent along with the requests. Headers are placed in form of key/value pairs. An example header configuration looks like this:

```yaml
# headers contains the headers for the request
headers:
  # Custom user-agent header
  User-Agent: Some-Random-User-Agent
  # Custom request origin
  Origin: https://google.com
```

6. Body specifies a body to be sent along with the request. (Needed when sending POST requests.)
7. To maintain cookie based browser like session between multiple requests, you can simply use cookie-reuse: true in your template, Useful in cases where you want to maintain session between series of request to complete the exploit chain and to perform authenticated scans. (Session reuse: it chains a sequence of requests together, so you can log in first and then attack.)

```yaml
# cookie-reuse accepts boolean input and false as default
cookie-reuse: true
```

8. Request condition allows to check for condition between multiple requests for writing complex checks and exploits involving multiple HTTP request to complete the exploit chain. With DSL matcher, it can be utilized by adding req-condition: true and numbers as suffix with respective attributes, status_code_1, status_code_3, and body_2 for example. (For writing complex attack chains.)

```yaml
req-condition: true
matchers:
  - type: dsl
    dsl:
      - "status_code_1 == 404 && status_code_2 == 200 && contains((body_2), 'secret_string')"
```

There are many more advanced features, such as raw HTTP and race requests, but they are not needed here; with documentation, enough is enough. For this template the request section is:

```yaml
requests:
  - method: GET
    path:
      - "{{BaseURL}}/wwwroot.zip"
      - "{{BaseURL}}/www.zip"
```
Step 3: checking the response. Reference: https://nuclei.projectdiscovery.io/templating-guide/operators/matchers/, which states: Multiple matchers can be specified in a request. There are basically 6 types of matchers: status (status code), size (response size), word (string), regex (regular expression), binary (binary content), and dsl, a highly customizable check that can perform operations on the response content (not needed here for now). The available helper functions are listed at https://nuclei.projectdiscovery.io/templating-guide/helper-functions/.

For words and regexes, several conditions on the response can be combined with AND or OR: "Multiple words and regexes can be specified in a single matcher and can be configured with different conditions like AND and OR."

The part of the response to match can be chosen; the default is body, but header or any other part can be selected: "Multiple parts of the response can also be matched for the request, default matched part is body if not defined."

Conditions can be negated, which is where proof by contradiction comes in handy: "All types of matchers also support negative conditions, mostly useful when you look for a match with an exclusions. This can be used by adding negative: true in the matchers block."

Multiple matchers are supported: "Multiple matchers can be used in a single template to fingerprint multiple conditions with a single request."

matchers-condition is supported: "While using multiple matchers the default condition is to follow OR operation in between all the matchers, AND operation can be used to make sure return the result if all matchers returns true."

Combining the documentation above, the following checks can be written (all three must hold: the body starts with the zip signature, the body is non-empty and the status is 200):

```yaml
    matchers-condition: and
    matchers:
      - type: binary
        binary:
          - "504B0304" # zip
        part: body

      - type: dsl
        dsl:
          - "len(body)>0"

      - type: status
        status:
          - 200
```
Step 4: joining the parts together. Linking the pieces above in order gives the complete template:

```yaml
id: back-up-files

info:
  name: Find Resource Code Of Target Template
  author: xq17
  severity: medium
  tags: exposure,backup

requests:
  - method: GET
    path:
      - "{{BaseURL}}/wwwroot.zip"
      - "{{BaseURL}}/www.zip"

    matchers-condition: and
    matchers:
      - type: binary
        binary:
          - "504B0304" # zip
        part: body

      - type: dsl
        dsl:
          - "len(body)>0"

      - type: status
        status:
          - 200
```
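The template above only reports an archive that is already reachable from the web root. The same check is more useful run on the server itself, before anyone asks for the file: walk the web root and flag anything that is an archive, whether by its name or, as the template does, by its leading bytes, since a backup renamed to a harmless extension is still downloadable. This is an added example written for this article, not nuclei's code; the signatures are the standard zip (504B0304, as in the template), gzip and rar magic bytes, and the sample web root is constructed in a temporary directory.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Leading bytes of common archive formats. 504B0304 is the zip local-file header
# that the nuclei template matches on; gzip and rar are added here.
ARCHIVE_MAGIC = {
    "zip": bytes.fromhex("504B0304"),
    "gzip": bytes.fromhex("1F8B"),
    "rar": b"Rar!\x1a\x07",
}

# Names that look like backups even when the content cannot be sniffed (e.g. empty file).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".tar.gz", ".tgz", ".7z", ".bak", ".sql", ".sql.gz")


def sniff_archive(path: str) -> Optional[str]:
    """Return the archive kind if the file starts with a known signature, else None."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for kind, magic in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def audit_webroot(root: str) -> List[Tuple[str, str]]:
    """Return (relative_path, reason) for every file under root that looks like a backup."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            kind = sniff_archive(full)
            if kind:
                findings.append((rel, f"{kind} archive by content"))
            elif name.lower().endswith(ARCHIVE_EXTENSIONS):
                findings.append((rel, "archive-like name"))
    return sorted(findings)


def build_sample_webroot() -> str:
    """Construct a throwaway web root: a real zip header, a disguised gzip, an empty dump, normal files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    # A zip file under the name the template requests.
    with open(os.path.join(root, "wwwroot.zip"), "wb") as fh:
        fh.write(bytes.fromhex("504B0304") + b"\x00" * 26)
    # An archive hidden behind a harmless extension: only the magic bytes give it away.
    with open(os.path.join(root, "old_site.txt"), "wb") as fh:
        fh.write(bytes.fromhex("1F8B08") + b"\x00" * 7)
    # A truncated (empty) dump named like a backup: caught by its name.
    os.makedirs(os.path.join(root, "data"))
    open(os.path.join(root, "data", "db.sql.gz"), "wb").close()
    # Ordinary content that must not be reported.
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    return root


if __name__ == "__main__":
    for rel, reason in audit_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Run `audit_webroot` against the real document root from cron or a deployment hook; every hit is a file the template above would report to anyone who asked for it.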
0x2.5 Testing the template

Start a local target for debugging:

```bash
python3 -m http.server 9091
```
Then run the template against it in debug mode:

```bash
echo 'http://127.0.0.1:9091' | nuclei -t back-up-files.yaml -debug -timeout 2 -stats -proxy-url http://127.0.0.1:8080/
```
Request flow:

You can see that once nuclei applies the template, it quickly fuzzes out the site's backup file.

0x3 Summary

This first part introduced a few ideas and the basics of writing a nuclei template, to help beginners get started quickly. The second part will cover strengthening the template: a larger list of paths to scan and more precise checks of the response (readers are advised to read the nuclei-templates documentation on their own first; it makes the learning go better). The third part applies the knowledge and the enhanced template from the first two parts to a real hunt for a website's source code.
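The test run in 0x2.5 also shows what such a scan looks like from the server's side: a burst of requests for archive names, mostly answered 404, and, when a backup is present, one 200 with a large body. The following added example (not part of the original article or of nuclei) turns that into a detection over access-log lines: any archive path served with 200 is a confirmed exposure, and any source requesting several distinct archive paths is a sweep worth alerting on. The log lines are constructed, in the combined format nginx and Apache write by default, with addresses from the documentation ranges.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Combined log format: source, identity, user, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Archive-style paths of the kind the template requests; extend to your own naming.
ARCHIVE_PATH_RE = re.compile(r"\.(zip|rar|tar\.gz|tgz|7z|bak|sql|sql\.gz)$", re.I)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines: List[str], probe_threshold: int = 3) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (exposures, scanners).

    exposures: (ip, path, bytes) for every archive path answered with 200, i.e. a backup
               that is actually downloadable and must be removed from the web root.
    scanners:  source IPs that requested at least probe_threshold distinct archive paths,
               whatever the status, i.e. someone sweeping for backup files.
    """
    exposures = []
    archive_paths_by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore the query string
        if not ARCHIVE_PATH_RE.search(path):
            continue
        archive_paths_by_ip[rec["ip"]].add(path)
        if rec["status"] == "200":
            exposures.append((rec["ip"], path, rec["size"]))
    scanners = sorted(ip for ip, paths in archive_paths_by_ip.items() if len(paths) >= probe_threshold)
    return exposures, scanners


# Constructed sample log: one source sweeping archive names (and hitting one), one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wwwroot.zip HTTP/1.1" 404 153 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /www.zip HTTP/1.1" 200 52488192 "-" "scanner/1.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /backup.tar.gz HTTP/1.1" 404 153 "-" "scanner/1.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    exposures, scanners = analyse(SAMPLE_LOG)
    for ip, path, size in exposures:
        print(f"EXPOSED  {path} served to {ip} ({size} bytes)")
    for ip in scanners:
        print(f"SWEEP    {ip} requested several archive paths")
```

The exposure rule is the one that matters most: a 404 sweep is noise you will see daily, but a 200 on an archive path means the source code has already left the building and the file must be removed and the leak treated as an incident.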
This article comes from 快速备案; when reposting, please cite the source and the corresponding link.