Preface

In practice we often run into the following problems:

1, a vulnerability whose exploitation steps are very tedious, where one wrong step in the middle means starting over

2, a widespread vulnerability that we want to verify across many sites in one batch (for example to report them for bounties), but testing each site by hand is far too much work

Writing a POC script at this point saves a lot of work. This article covers the Python basics needed to write an efficient and reusable POC script. It is also a good chance to learn enough to stop being a "tool kid" who only runs other people's scripts

Tips for using the Requests module

Requests is a Python HTTP library that makes sending network requests easy. Here are a few tips for using the Requests module

Cancel redirection

Requests follows all redirects automatically, but sometimes we do not want that; redirects can be disabled with the allow_redirects parameter:

import requests

# With allow_redirects=False the 3xx response itself is returned
r = requests.get('http://github.com', allow_redirects=False)


SSL Certificate Verification

Requests verifies the SSL certificate on every HTTPS request. For sites whose certificate cannot be verified, pass verify=False and silence the InsecureRequestWarning that this produces. Keep in mind that with verification off a man-in-the-middle can read and alter the traffic, so only do this against test targets. The following accesses such a site without warning messages:

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Suppress the warning that verify=False triggers on every request
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
requests.get('https://github.com', verify=False)


Proxies

The purpose of using a proxy needs no explanation; it is configured as follows:

import requests

# HTTP proxies
proxies = {
    'http': 'http://127.0.0.1:8080',
    'https': 'http://127.0.0.1:1080',
}

# SOCKS5 proxies (needs the PySocks dependency: pip install requests[socks])
proxies = {
    'http': 'socks5://user:pass@host:port',
    'https': 'socks5://user:pass@host:port',
}

requests.get('http://example.org', proxies=proxies)

A useful tip is to proxy the script through Burp and inspect the requests Python sends. In the request I captured locally the fingerprint is very obvious (the default User-Agent of the library is python-requests/<version>), so in practice we change the User-Agent header

Keep the cookies

With a Session object, multiple requests to the same host reuse the underlying TCP connection, which improves performance, and cookies are kept between the requests

import requests

s = requests.Session()
s.get('http://httpbin.org/cookies/set/sessioncookie/123456789')
r = s.get('http://httpbin.org/cookies')  # the cookie set above is sent back


When writing a POC script, all we need the Requests module to do is send the data containing the payload; these tips just make the experience smoother

Verifying the result

After sending the request with the payload, we need to analyse the response to decide whether the vulnerability exists. The response of a vulnerable target usually contains some distinctive value, and finding that value in the response is enough to confirm the vulnerability. There are two usual ways to write this check

The membership operator: in

if 'xxx' in r.text:
    print('[+] vulnerable')
else:
    print('[-] not vulnerable')

Regular-expression match: re.search()

import re

if re.search('xxx', r.text):
    print('[+] vulnerable')
else:
    print('[-] not vulnerable')

The two approaches are similar, but re.search() has the advantage that a regular expression can still match when the expected value is dynamic, that is, it changes from target to target
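As an added example (not code from the original post), the following compares the two checks on constructed response bodies: a fixed marker that a 404 page merely echoes back gives the in check a false positive, while a regex anchored to the expected context avoids it and also pulls out a dynamic value (a version number, compared against an assumed fix version) to reach a verdict.

```python
import re

# Constructed sample responses (not captured from any real host).
MARKER = 'poc7f3a'
RESP_VULN = ('<html><head><title>Result: poc7f3a</title></head>'
             '<body>X-App-Version: 2.3.9</body></html>')
RESP_ECHO = ('<html><head><title>404 Not Found</title></head>'   # only echoes the request
             '<body>No route for /search?q=poc7f3a. X-App-Version: 2.4.1</body></html>')
RESP_SILENT = '<html><head><title>Home</title></head><body>Welcome</body></html>'

# The marker must appear where the vulnerable code path would put it,
# not anywhere in the body (an error page echoing the URL is not a hit).
MARKER_RE = re.compile(r'<title>Result:\s*(?P<m>\w+)</title>')
VERSION_RE = re.compile(r'X-App-Version:\s*(\d+)\.(\d+)\.(\d+)')
FIXED_IN = (2, 4, 0)  # assumed fix version for the example; older is affected


def check_in(text, marker):
    """Membership test: cheap, but flags any page that echoes the marker."""
    return marker in text


def check_re(text, marker):
    """Regex test: matches the marker only in the expected context."""
    m = MARKER_RE.search(text)
    return m is not None and m.group('m') == marker


def app_version(text):
    """Dynamic value extracted with capture groups, or None when absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def verdict(text, marker):
    """Combine both signals into the line the script would print."""
    v = app_version(text)
    if check_re(text, marker) and v is not None and v < FIXED_IN:
        return '[+] vulnerable'
    if v is None:
        return '[?] no version banner, cannot tell'
    return '[-] not vulnerable'


if __name__ == '__main__':
    for name, body in (('vuln', RESP_VULN), ('echo', RESP_ECHO), ('silent', RESP_SILENT)):
        print(name, 'in:', check_in(body, MARKER), 're:', check_re(body, MARKER), verdict(body, MARKER))
```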

Single-threaded POC scripts

Now we can write a single-threaded POC script. My requirements for it are simple: for a different vulnerability I only want to change a few lines. Here is a single-threaded POC script I wrote; the idea is roughly as follows

import requests
import re
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def Poc(url):
    # Route through a local proxy (e.g. Burp) to inspect what is sent
    proxy = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
                      '(KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
        'Connection': 'close',
    }
    data = {'name': 'xxxx', 'value': 'xxxx'}  # the payload goes here
    try:
        response = requests.post(url=url, headers=headers, data=data,
                                 verify=False, proxies=proxy, timeout=10)
        if 'baidu' in response.text:  # distinctive value expected in a vulnerable response
            print('found')
        else:
            print('none')
    except Exception as e:
        print(f'request failed: {e}')


if __name__ == '__main__':
    url = 'https://www.baidu.com'
    Poc(url)

Using multiple threads

When we want to batch-verify whether several sites have a vulnerability, we need multithreading for efficiency. Detailed Python multithreading is not the focus here; we will build a multithreaded POC script with threading and queue. The flow I planned is as follows

1, put all target URLs into a queue;

2, start several threads that take targets from the queue and test them;

3, save the results.

The code is given at the end

Color tag

I ran into a problem with multithreading: because many targets are processed at once, the terminal prints a lot of information in an instant and key lines are easy to miss

So I wanted to use colour to tell the kinds of output apart. On a Linux terminal the escape sequence \033[display mode;foreground colour;background colour m prints the following text in the given colour

Colorama is a third-party library that prints coloured text and backgrounds on several kinds of terminal. On Linux it emits ANSI escape sequences; on Windows it wraps stdout. The two implementations give a cross-platform result

You should already know the command to install a third-party library

pip install colorama


Please refer to the official document pypi.org/project/col…

My habit is red text for error messages and green text for a detected vulnerability. The relevant part of the code is as follows:

from colorama import init, Fore

init(autoreset=True)  # reset the colour after every print
print(Fore.GREEN + '[+] vulnerable')
print(Fore.RED + '[!] Connection error')

With colour the terminal output is obviously easier to read. You can also pick colours to your own preference

Adding a Progress bar

The point of multithreading is to process more URLs faster, but with many targets we still wait a long time, usually leaving the script running in the background. So I wanted a progress bar: from it I can roughly estimate the remaining time and plan my other work around it, which improves efficiency. Isn't that the point of writing scripts?

The first thing I found was a widely recommended third-party library, tqdm, which lets the progress be updated manually, as we need from multiple threads

import time
from tqdm import tqdm

with tqdm(total=200) as pbar:
    pbar.set_description('Processing:')
    for i in range(20):
        time.sleep(0.1)
        pbar.update(10)  # advance the bar by 10 units per iteration

But I hit a problem here. Most people only output a progress bar when using tqdm, whereas we need to print both the detection results and the progress bar at the same time, and that garbles the terminal display, as shown in the figure below

Is there a way to keep the progress bar pinned to the bottom of the terminal so that both kinds of message are shown clearly?

I searched for a solution for a long time; the maintainers appear to say that until there is a way to do it uniformly across platforms, tqdm will not add such a feature. In the end I found the official tqdm.write() method, which solves the problem: replace every print() in the script with tqdm.write()

So here we have a progress bar


Multithreaded POC scripts

Finally, the multithreaded POC script I wrote is below. There is plenty of room for optimisation in the middle; suggestions are welcome

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import threading
import queue
from colorama import init, Fore
from tqdm import tqdm

init(autoreset=True)
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

global_file_target_url = 'url.txt'    # one target URL per line
global_file_result = 'result.txt'     # file name lost in the original; placeholder
global_q = queue.Queue()
global_list_result = []
global_threads_num = 10               # value lost in the original; placeholder
global_where = '/path'                # path appended to each target; lost in the original, placeholder
global_payload = 'xxx'                # value expected in a vulnerable response; lost in the original, placeholder
# global_request_proxy = {'http': 'socks5://127.0.0.1:8080', 'https': 'socks5://127.0.0.1:8080'}
global_request_headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
                  '(KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36',
    'Cookie': 'XXXXXXXXXXXXXX',
}
global_request_data = {'name': 'XXXX', 'value': 'XXXX'}  # POST data
global_error = 0
global_lock = threading.Lock()        # guards the shared counter and result list


def req(url):
    """Request url up to three times; True when the payload marker is in the body."""
    global global_error
    i = 0
    while i < 3:
        if i > 0:
            tqdm.write(f'[!] Retrying {url}')
        try:
            response = requests.get(url=url, headers=global_request_headers, verify=False, timeout=10)
            response.encoding = response.apparent_encoding
            text = response.text
            if global_payload in text:
                return True
            else:
                return False
        except Exception as e:
            if i == 0:
                with global_lock:
                    global_error += 1   # count each failing target once
            i = i + 1
            tqdm.write(Fore.RED + f'[!] {url} request failed: {e}')
    return False


def poc(pbar):
    while True:
        try:
            target_url = global_q.get_nowait()  # empty() then get() could block a thread for ever
        except queue.Empty:
            return
        url = target_url + global_where
        if req(url):
            tqdm.write(Fore.GREEN + '[+] ' + target_url)
            with global_lock:
                global_list_result.append(target_url)
        else:
            tqdm.write('[-] ' + target_url + ' not vulnerable')
        pbar.update(1)


def main():
    # 1, put all targets into the queue
    with open(global_file_target_url, 'r') as f:
        urls = f.readlines()
    for url in urls:
        url = url.strip()
        if url:
            global_q.put(url)
    num_url = global_q.qsize()
    pbar = tqdm(total=num_url)
    pbar.set_description('Processing:')
    tqdm.write('Total number of urls: ' + str(num_url))
    # 2, start the worker threads
    threads = []
    for _ in range(global_threads_num):
        t = threading.Thread(target=poc, args=(pbar,))
        threads.append(t)
        t.start()
    for t in threads:
        t.join()
    pbar.close()
    # 3, save the results
    if global_list_result:
        with open(global_file_result, 'w') as file:
            for res in global_list_result:
                file.write(res + '\n')
    tqdm.write(f'Number of failed requests: {global_error}')


if __name__ == '__main__':
    main()
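The same queue-and-workers flow as a trimmed, offline example added here (not the author's script): a canned check stands in for the HTTP request so no host is contacted, the workers take targets with get_nowait() so none can block on a queue that another thread just emptied, and the shared result list and counters are guarded by a lock. The comments mark where pbar.update(1) and tqdm.write() would go.

```python
import queue
import threading

# Constructed target list and a canned check that stands in for the
# network request; no host is contacted.
TARGETS = [f'http://host{i}.example' for i in range(1, 21)]
HITS = {'http://host3.example', 'http://host17.example'}  # the only "vulnerable" targets
FAILING = {'http://host9.example'}                         # simulates a connection error


def check(url):
    # Stand-in for req(): True for a hit, raises like a failed request
    if url in FAILING:
        raise ConnectionError('simulated timeout')
    return url in HITS


def scan(targets, check_fn, threads=4):
    """Queue the targets, let worker threads drain the queue, return (hits, errors, done)."""
    q = queue.Queue()
    for t in targets:
        q.put(t)
    lock = threading.Lock()          # guards the shared list and counters
    found, errors, done = [], [0], [0]

    def worker():
        while True:
            try:
                url = q.get_nowait()   # empty() followed by get() can block a thread for ever
            except queue.Empty:
                return
            try:
                hit = check_fn(url)
            except Exception:
                hit = False
                with lock:
                    errors[0] += 1     # tqdm.write(Fore.RED + ...) would go here
            with lock:
                if hit:
                    found.append(url)  # tqdm.write(Fore.GREEN + ...) would go here
                done[0] += 1           # pbar.update(1) would go here
            q.task_done()

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for th in pool:
        th.start()
    for th in pool:
        th.join()
    return sorted(found), errors[0], done[0]
```

Calling scan(TARGETS, check) returns the two hits, one error and twenty processed targets regardless of how many threads are used.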
