mosuan / filescan: filescan: sensitive file scanning / secondary judgment to reduce false alarm rate / scan content regularization / multi directory scanning

Filescan: sensitive file scanning / secondary judgment to reduce false alarm rate / scan content regularization / multi directory scanning

The program is only for communication, please do not use it for illegal purposes, otherwise all consequences will be borne by yourself!! !

rely on

pip install requests

Operation mode

python filescan.py http://www.0aa.me
python filescan.py http://www.0aa.me/0aa/index.php

structure

Request.py requests
Filescan.py entry file, scan results related
Rule_parse.py parsing rule
Backup rule.py scan rule

Verification mode

Return status code
Return content regular judgment
Return to header
Return content size

If you just want to use and don't want to add rules, then you don't need to read the following.

rule

# 规则名字，可以随便写
    "url_backup": {
        # 是否每个目录都扫描 目前这个功能没有，后面会写
        "dir": True,
        # 是否需要拼接文件后缀名，dict有写filename的时候为True
        "suffix": True,
        # 规则
        "name":[{
            # 真规则的文件名
            "rule_true":[
                # zip rar
                "[DOMAIN]", "[HOST]", "[HOSTNAME]", "[TIME]", "[DOMAIN]1", "[HOST]1", "[HOSTNAME]1", "[TIME]1",
                "web", "webroot", "WebRoot", "website", "bin", "bbs", "shop", "www", "wwww",
                1, 2, 3, 4, 5, 6, 7, 8, 9,
                "www1", "www2", "www3", "www4", "default", "log", "logo", "kibana", "elk", "weblog",
                "mysql", "ftp", "FTP", "MySQL", "redis", "Redis",
                "cgi", "php", "jsp",
                "access", "error", "logs", "other_vhosts_access",
                "database", "sql",
            ],
            # 假规则的文件名，当一个漏洞真规则被判断存在的时候，就要用假规则去二次验证是否存在了
            "rule_false": "fuckcar10240x4d53"
        }],
        # 文件后缀名
        "filename": [
            "rar", "zip", "tar.gz", "tar.gtar", "tar", "tgz", "tar.bz", "tar.bz2", "bz", "bz2", "boz", "3gp", "gz2"
        ],
        # 判断是否存在
        "result": {
            # 返回页面大小
            "length": 50,
            # 返回状态码
            "status_code": [200],
            # 返回header
            "header":{
                # 返回header里面的字段名
                "Content-Type":[
                    # 字段值 可用正则
                    "application\/x-gzip", "text\/plain", "application\/x-bzip", "application\/bacnet-xdd+zip", "application\/x-gtar","application\/x-compressed", "application\/x-rar-compressed", "application\/x-tar", "application\/zip", "application\/force-download","application\/.*file", "application\/.*zip", "application\/.*rar", "application\/.*tar", "application\/.*down"
                ]
            }
        }
    }

It may seem a little complicated. Take it seriously. It's not difficult. I think it's easy to understand.

The meaning of several substitutions in the rule ﹣ true field in the rule is as follows: the program will parse the URL you passed in to the host using the urlparse library. The general meaning is as follows: for example, URL: http://www.0aa.me

rule_true urlparse

[DOMAIN] == 0aa.me
[HOST] == www.0aa.me
[HOSTNAME] == 0aa
[time] this is a special point. According to the date you scan, get the date of the previous days (the first two days by default). For example, today's 20170809 will generate three formats:

2017—08-09 / 2017—08-08 / 2017—08-07

2017_08_09 / 2017_08_08 / 2017_08_07

20170809 / 20170808 / 20170807

Configuration correlation

If you want to scan for earlier dates, you can configure:

rule_parse.py 里面的 self.timenum 变量

Speed limit:

filescan.py 里面的 self.sleep_time 变量

Request timeout time:

reque.py 里面的 self.timeout 变量

Effect

Note: the URL in the figure is the host I bind

Last but not least: the program is only for communication, please do not use it for illegal purposes, otherwise all the consequences will be borne by yourself!! !

Thank you at last: all excavators engineers of Beidou team, big cousin of saline, master redfree

Aquaboutic | Focus Security Research | Vulnerability Exploit | POC