Vulnerability Bulk Use scanning framework

Source: Internet
Author: User
0x00 Preface

After every vulnerability disclosure, many people rush to find a way to exploit it in bulk, hoping to pick up a few more vulnerabilities to submit to the vulnerability platform. In fact, some of the detection steps of a vulnerability check can be extracted into a unified framework. Today I am sharing my own framework for bulk vulnerability scanning; with it, bulk scanning for a number of vulnerabilities can be carried out easily.

0x01 How the framework works

A vulnerability scan generally appends a POC (or, for the more malicious, an exp) to a URL and tries to access it; if the page returned by the server contains some characteristic string, the site is judged to be vulnerable. For example, for an ecshop injection vulnerability, after the payload is submitted the site returns the following page:

During automated scanning, we make the decision based on this page, for example on the words "Duplicate entry"; this string is produced by the MySQL error-based injection triggered by the submitted payload. So a regular expression, the scan_rule, is needed to decide the result of the scan.

At the same time, some people are not satisfied with merely scanning for whether a vulnerability exists; they also want to pull some information out of the page, such as the admin name and password hash that appear in the screenshot above. For a site that scans as vulnerable, we want to extract that string, so a second regular expression, the res_rule, is needed to capture it.

In addition, the framework does not provide the list of IPs or domain names to scan; anyone who wants to scan in bulk has to collect those themselves with a URL collector. The framework itself only provides functions such as loading the list, scanning, and capturing results, and it supports multithreaded detection.
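The scan_rule / res_rule step and the multithreaded batch described above, as an added example that is not the project's own code: the rule, the hash in the sample page and the fetch callable are all constructed, and fetch is injected so the block runs offline against in-memory page bodies.

```python
import re
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    scan_rule: str                  # regex: a match in the response means "vulnerable"
    res_rule: Optional[str] = None  # regex with one group: the string worth extracting

def check_response(body: str, rule: Rule) -> dict:
    """Decide the verdict for one response body and pull out res_rule hits."""
    vulnerable = re.search(rule.scan_rule, body, re.S) is not None
    extracted = re.findall(rule.res_rule, body, re.S) if vulnerable and rule.res_rule else []
    return {"rule": rule.name, "vulnerable": vulnerable, "extracted": extracted}

def scan_targets(targets, rule: Rule, fetch: Callable[[str], str], workers: int = 4) -> dict:
    """Run check_response over many targets in a thread pool; fetch() is injected."""
    def one(target):
        try:
            return target, check_response(fetch(target), rule)
        except Exception as exc:  # one unreachable target must not stop the batch
            return target, {"rule": rule.name, "vulnerable": False, "error": str(exc)}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(one, targets))

# Hypothetical rule in the spirit of the ecshop example above (not the project's rule).
ECSHOP_ERROR_RULE = Rule(
    name="ecshop-error-based",
    scan_rule=r"Duplicate entry '[^']*' for key",
    res_rule=r"Duplicate entry '([^']+)' for key",
)

# Constructed response bodies standing in for live pages; the hash is a dummy value.
SAMPLE_PAGES = {
    "http://vulnerable.example/": "<b>MySQL server error report:</b> Duplicate entry "
                                  "'admin:0123456789abcdef0123456789abcdef1' for key 'group_key'",
    "http://clean.example/": "<html><body><h1>Welcome</h1></body></html>",
}

def demo() -> dict:
    return scan_targets(list(SAMPLE_PAGES), ECSHOP_ERROR_RULE, fetch=SAMPLE_PAGES.__getitem__)

if __name__ == "__main__":
    for url, verdict in demo().items():
        print(url, verdict)
```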

0x02 Using the framework

All this framework needs is a ready list of IPs or domain names to scan and a reliable exp or POC. Finally, you just fill in the framework's configuration file and execute the script.

The various options for the configuration file are as follows:

For detailed usage information, read the readme.md in the repository:

https://github.com/OneSourceCat/scan-framework

Note that each entry in the IP or domain name list must carry the http:// scheme prefix, as follows:

0x03 Use case

For an S2-016 scan the configuration file is the same as above; because this is a URL-mode check, the raw_file configuration item can be left empty. Run python cli.py -m URL and the script runs directly:

The results are written to the result file:

In addition, the framework supports submitting the vulnerability-detection packet in POST mode, and probing with a raw HTTP request message.

Because the framework was only written yesterday, there are still some rough edges that have not been handled; if you find a bug, please DM me.

Project address: https://github.com/OneSourceCat/scan-framework
