├── .gitignore ├── 1.txt ├── README.md ├── dic.txt ├── dir.txt └── main.py /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/* 2 | -------------------------------------------------------------------------------- /1.txt: -------------------------------------------------------------------------------- 1 | http://172.16.10.104:80/ 2 | http://172.16.10.111:80/ 3 | http://172.16.10.112:80/ 4 | http://172.16.10.113:8233/ -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ctf web scan 2 | 3 | CTF中web源码泄露扫描 4 | 5 | ## Description 6 | 7 | 使用python的requests,功能比较简单,字典有待完善。 8 | 目前只支持php。 9 | 10 | ## Features 11 | 12 | ### 支持扫描类型 13 | 14 | - 源码包 - `www.zip` `code.tar.gz` ... 15 | - 敏感文件 - `admin.php` `flag.php` ... 16 | - 敏感目录 - `/admin` `/upload` ... 17 | - 编辑器源码备份 - `xxx.php~` `xxx.php.bak` `.xxx.php.swp` `.xxx.php.swo` 18 | 19 | ### 扫描过程 20 | 21 | - 对源码包进行扫描 22 | - 对敏感文件进行扫描 23 | - 对已知敏感文件进行源码备份扫描 24 | - 对敏感目录进行扫描 25 | - 对已知目录下的敏感文件进行扫描 26 | - 再进行源码备份扫描 27 | 28 | ## Usage 29 | 30 | **所有url必须以`/`结尾** 31 | 32 | ``` bash 33 | python main.py -u [url] 独立 34 | python main.py -f [file] 批量 35 | ``` 36 | 37 | Vim意外退出时会产生交换文件`.swp` `.swo` `.swn` 等; `vim -r`可恢复Vim交换文件 38 | 39 | 其他备份文件直接改后缀还原 40 | 41 | `.git`泄露可以用[GitHack](https://github.com/BugScanTeam/GitHack)还原 42 | 43 | ## Bugs 44 | 45 | All known bugs: 46 | 47 | - 批量扫描中,如果某一个网站请求错误,会直接exit -------------------------------------------------------------------------------- /dic.txt: -------------------------------------------------------------------------------- 1 | 1.zip 2 | 1.rar 3 | tar.zip 4 | tar.rar 5 | web.zip 6 | web.rar 7 | web.tgz 8 | web1.zip 9 | web1.rar 10 | 123.zip 11 | 123.rar 12 | code.zip 13 | code.rar 14 | www.zip 15 | www.rar 16 | root.zip 17 | root.rar 18 | wwwroot.zip 19 | wwwroot.rar 20 | backup.zip 21 | backup.rar 22 | .svn/entries 
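23 | .git/config
24 | .ds_store
25 | index.php
26 | flag.php
27 | fl4g.php
28 | f1ag.php
29 | f14g.php
30 | admin.php
31 | 4dmin.php
32 | adm1n.php
33 | 4dm1n.php
34 | admin1.php
35 | admin2.php
36 | adminlogin.php
37 | administrator.php
38 | login.php
39 | register.php
40 | upload.php
41 | home.php
42 | test.php
43 | log.php
44 | logs.php
45 | config.php
46 | member.php
47 | user.php
48 | users.php
49 | robots.php
50 | info.php
51 | phpinfo.php
52 | backdoor.php
53 | fm.php
54 | example.php
55 | mysql.bak
56 | a.sql
57 | b.sql
58 | db.sql
59 | bdb.sql
60 | ddb.sql
61 | users.sql
62 | mysql.sql
63 | dump.sql
64 | data.sql
65 | backup.sql
66 | backup.sql.gz
67 | backup.sql.bz2
68 | backup.zip
69 | rss.xml
70 | crossdomain.xml
71 | robots.txt
72 | 1.txt
73 | flag.txt
--------------------------------------------------------------------------------
/dir.txt:
--------------------------------------------------------------------------------
1 | user/
2 | users/
3 | admin/
4 | home/
5 | test/
6 | administrator/
7 | houtai/
8 | backdoor/
9 | flag/
10 | upload/
11 | uploads/
12 | download/
13 | downloads/
14 | manager/
15 | phpmyadmin/
16 |
--------------------------------------------------------------------------------
/main.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3
# coding:utf-8
"""ctf web scan
Author: D4rk
TODO: for sites that answer 200 to every path, inspect the response body for a
"404 not found" / "page not found" marker instead of trusting the status code
"""

import sys
import argparse
import requests


class bcolors:
    """ANSI escape sequences used to color terminal output."""
    BLACK = '\033[30m'
    RED = '\033[31m'
    GREEN = '\033[32m'
    YELLOW = '\033[33m'
    BLUE = '\033[34m'
    PURPLE = '\033[35m'
    SKY = '\033[36m'
    WHITE = '\033[37m'
    ENDC = '\033[0m'


def dir_scan(url):
    """Check *url* for the directories listed in dir.txt.

    A directory answering 200 or 403 is printed and then handed to
    file_scan() so its contents are checked too.  A connection error
    prints a message and exits the process with status 1 (so in batch
    mode one unreachable site ends the whole run - see README "Bugs").
    """
    # The with-block closes the file; the explicit close() was redundant.
    with open('dir.txt') as f:
        lines = f.read().splitlines()
    for line in lines:
        # dir.txt ends with an empty line; skipping it avoids re-requesting
        # the base url and re-running file_scan() on it.
        if not line:
            continue
        try:
            r = requests.get(url + line, timeout=1)
            # 403 is kept on purpose: a forbidden directory still exists.
            if r.status_code == 200 or r.status_code == 403:
                print(bcolors.GREEN + str(r.status_code) + ' ' + bcolors.ENDC + url + line)
                # An existing directory is scanned for sensitive files.
                file_scan(url + line)
        except requests.exceptions.ConnectionError:
            print("Error connecting to site \"%s\"" % url)
            sys.exit(1)


def file_scan(url):
    """Check *url* for the files listed in dic.txt.

    A file answering 200 is printed and then passed to source_scan() to
    look for editor/backup copies of it.  A connection error prints a
    message and exits the process with status 1.
    """
    with open('dic.txt') as f:
        lines = f.read().splitlines()
    for line in lines:
        # Blank wordlist entries would only re-request the base url.
        if not line:
            continue
        try:
            r = requests.get(url + line, timeout=1)
            if r.status_code == 200:
                print(bcolors.GREEN + str(r.status_code) + ' ' + bcolors.ENDC + url + line)
                # An existing file is checked for leaked editor/backup copies.
                source_scan(url, line)
        except requests.exceptions.ConnectionError:
            print("Error connecting to site \"%s\"" % url)
            sys.exit(1)


def source_scan(url, filename):
    """Check *url* for editor swap and backup copies of *filename*.

    Only the four variants below are tried; each that answers 200 is
    printed.  A connection error prints a message and exits with status 1.
    """
    leaks = ['.%s.swp' % filename,
             '.%s.swo' % filename,
             '%s.bak' % filename,
             '%s~' % filename]
    for leak in leaks:
        try:
            r = requests.get(url + leak, timeout=1)
            if r.status_code == 200:
                print(bcolors.GREEN + str(r.status_code) + ' ' + bcolors.ENDC + url + leak)
        except requests.exceptions.ConnectionError:
            print("Error connecting to site \"%s\"" % url)
            sys.exit(1)


def main():
    """Command-line entry point: scan one url (-u) or every url in a file (-f).

    Every url is expected to end with '/' (see README); the scanner only
    concatenates wordlist entries onto it.
    """
    parser = argparse.ArgumentParser(description="CTF Web Scan")
    group = parser.add_mutually_exclusive_group()
    group.add_argument("-f", "--file", help="Specify file name")
    group.add_argument("-u", "--url", help="Specify target url")
    if len(sys.argv) == 1:
        parser.print_usage(sys.stderr)
        sys.exit(1)
    args = parser.parse_args()
    if args.url:
        url = args.url
        file_scan(url)
        dir_scan(url)
        print(bcolors.GREEN + 'Scan Complete: %s' % url + bcolors.ENDC)
    elif args.file:
        with open(args.file) as f1:
            urls = f1.read().splitlines()
        for url in urls:
            # A blank line in the url file is not a target.
            if not url:
                continue
            file_scan(url)
            dir_scan(url)
            print(bcolors.GREEN + 'Scan Complete: %s' % url + bcolors.ENDC)
        # Batch mode previously exited with status 1 even after a successful
        # run; 0 tells the caller every url was processed.
        sys.exit(0)
    else:
        parser.print_usage(sys.stderr)
        sys.exit(1)


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------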