python 简易版的CMS识别

发布时间:May 4, 2015 // 分类:工作日志,代码学习,python // No Comments

早上朋友发给我这么一组数据,说是关于CMS识别的。问我是不是可以搞一个类似的出来

/member/images/dzh_logo.gif|dedecms|412f80bbedc1e3c62b7f5a5038a550e6
/images/share.gif|dedecms|cff38608748e421961c19818146241d4
/images/enums.js|dedecms|802e864c70aa6cfd766607a09ef0adf2
/include/demo_log.gif|instant|477efd7284722d6c7d311771389db162
/images/icon_shopping.gif|instant|acc33a6562f545f3d452b8ec33a09092
/js/prototype.js|mangallam|db88937debcf1dcdc1bb7a5d6ff05c39
/images/spacer.gif|mangallam|7236915534503a1c5a27f067b9e0c7a4
/images/admincp/cpicon.gif|mvmmall|5fa5b82e54ccc2be2e66dde9ef3cce0
/admin/css/bootstrap-slider/slider.css|codoforum|5bcd1306020b53f85fa77b2652783254
/admin/css/iCheck/flat/yellow.png|codoforum|334d87b0b6c68d804a7294563ce79791
/images/pay/chinabank.gif|mvmmall|36e82497e38131f07fdd5a6921452ebc
/language/cn/admin/lang.js|mvmmall|7f4afedaf683174cbb502fda58ffa93
/templets/default/images/ico-3.gif|dedecms|fc8945eb46b32113ad0ae510668f115a
/include/dedeajax2.js|dedecms|4479ffed41b6118bdbb9f05fe3e02bb2
/include/dedeajax2.js|dedecms|4479ffed41b6118bdbb9f05fe3e02bb2

早上没空,下午我仔细一看,是按照url |cms |md5hash 这样子来排列的。应该比较简单,但是最后一串的md5值还是不清楚怎么获取的。

#!/usr/bin/python
#-*- coding: utf-8 -*-
import hashlib
import httplib
import sys

def wahtcms(domain):
    f=open(r'cms1.txt','r')
    #open cms.txt to have some CMS
    urls = f.readlines()
    f.close()
    for url in urls:
        ur1,service,hashs = url.split('|',2)
        connection = httplib.HTTPConnection(domain,80,timeout=10)
        connection.request("GET",ur1)
        response = connection.getresponse()
        server = response.msg['Server']
        #X-Powered-By: WAF/2.0  .msg['X-Powered-By']
        #因为现在的WAF会造成误报
        data=response.reason
        if "OK" in data:
            if hashlib.md5(response.read()).hexdigest()!='04c89e24302940c24f55301c2257b2e9':
        #   这里04c89e24302940c24f55301c2257b2e9是404错误的
        #   这里的md5值计算了和给出的没有一个是相同的。
                print domain + " is " + service +" and Server is " + server
        connection.close()


if __name__ == "__main__":
    commandargs = sys.argv[1:]
    domain = "".join(commandargs)
    wahtcms(domain)

由于不知道最后一串的md5是计算的什么地方的。所以误报就很多很多了。(PS:反过来看到自己是拿status状态码来判断也是醉了。)

这个误报都吧自己给弄哭了~但是这个思路是可以用在目录扫描上倒是真的。

#!/usr/bin/python
#-*- coding: utf-8 -*-
import hashlib
import httplib
import sys

def wahtcms(domain):
    f=open(r'cms1.txt','r')
    #open cms.txt to have some CMS
    urls = f.readlines()
    f.close()
    for url in urls:
        ur1,service,hashs = url.split('|',2)
        connection = httplib.HTTPConnection(domain,80,timeout=2)
        connection.request("GET",ur1)
        response = connection.getresponse()
        server = response.msg['Server']
        #X-Powered-By: WAF/2.0  .msg['X-Powered-By']
        #因为现在的WAF会造成误报
        data=response.reason
        if "OK" in data:
            if hashlib.md5(response.read()).hexdigest()!='04c89e24302940c24f55301c2257b2e9':
        #   这里04c89e24302940c24f55301c2257b2e9是404错误的
        #   这里的md5值计算了和给出的没有一个是相同的。
                print domain + " is " + service +" and Server is " + server
        connection.close()

def scan(domain):
    s = open(r'dict/dir.txt','r')
    urls = s.readlines()
    s.close()
    for url in urls:
        connection = httplib.HTTPConnection(domain,80,timeout=2)
        connection.request("GET","/"+url)
        response = connection.getresponse()
        data = response.reason
        if "OK" in data or "Forbidden" in data:
            print "Found http://"+domain + "/"+url
        connection.close()


if __name__ == "__main__":
    commandargs = sys.argv[1:]
    domain = "".join(commandargs)
    scan(domain)

 

更新。使用https://github.com/chuhades/CMS-Exploit-Framework/blob/master/plugins/multi/whatweb.py进行修改

#!/usr/bin/env python
# coding=utf-8
import os
import re
import json
import random
import hashlib
import requests

domain = '0cx.cc'

'''
def finger(domain):
    with open('whatweb.json') as f:
        c = f.read()
        b = json.loads(c)
        for cms in b:
            #print cms
            for rule in b[cms]:
                print rule['url']

'''
class WhatWeb(object):
    """
    CMS 识别
    """
    def get_user_agent(self):
        user_agents = [
            "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)",
            "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; AcooBrowser; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
            "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Acoo Browser; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506)",
            "Mozilla/4.0 (compatible; MSIE 7.0; AOL 9.5; AOLBuild 4337.35; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)",
            "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US)",
            "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 2.0.50727; Media Center PC 6.0)",
            "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET CLR 1.0.3705; .NET CLR 1.1.4322)",
            "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.2; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.04506.30)",
            "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN) AppleWebKit/523.15 (KHTML, like Gecko, Safari/419.3) Arora/0.3 (Change: 287 c9dfb30)",
            "Mozilla/5.0 (X11; U; Linux; en-US) AppleWebKit/527+ (KHTML, like Gecko, Safari/419.3) Arora/0.6",
            "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2pre) Gecko/20070215 K-Ninja/2.1.1",
            "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9) Gecko/20080705 Firefox/3.0 Kapiko/3.0",
            "Mozilla/5.0 (X11; Linux i686; U;) Gecko/20070322 Kazehakase/0.4.5",
            "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11",
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.20 (KHTML, like Gecko) Chrome/19.0.1036.7 Safari/535.20",
            "Opera/9.80 (Macintosh; Intel Mac OS X 10.6.8; U; fr) Presto/2.9.168 Version/11.52",]
        return random.choice(user_agents)

    def __init__(self, url):
        self.cms = []
        with open("whatweb.json") as f:
            self.rules = json.load(f)
            for cms in self.rules:
                self.cms.append(cms)
        self.url = url
        self.result = ""

    def run(self):
        """
        识别 CMS
        :param cms: str, CMS 名称
        :return: str, CMS 名称
        """
        headers = {'User-Agent': self.get_user_agent()}
        for cms in self.cms:
            for rule in self.rules[cms]:
                try:
                    #print (self.url + rule["url"] + cms)
                    r = requests.get(self.url + rule["url"], timeout=15, headers=headers, verify=False)
                    r.encoding = r.apparent_encoding
                    r.close()
                    if ("md5" in rule
                        and hashlib.md5(r.content).hexdigest() == rule["md5"]) \
                            or ("field" in rule and rule["field"] in r.headers
                                and rule["value"] in r.headers[rule["field"]]) \
                            or ("text" in rule and rule["text"] in r.text) \
                            or ("regexp" in rule
                                and re.search(rule["regexp"], r.text)):
                        return cms

                except Exception:
                    pass

if __name__ == '__main__':
    URL = 'http://0day5.com'
    w = WhatWeb(URL)
    result = w.run()
    print result

标签:none

添加新评论 »

分类
最新文章
最近回复
  • 没穿底裤: 最近发现的新版本可以装在LINUX了。但是API有点变化
  • 没穿底裤: 暂时好像没有看到这个功能.
  • 没穿底裤: 这个只是一个分析,并不是使用方法哟
  • 没穿底裤: 抱歉,很久没有打理了。会不会你使用的是12版本。目前还没有遇到过这种情况
  • bao song: http://0cx.cc/php_decode_shell.jspx 这个怎么用,代码提示...