Automatically Discovering Vulnerabilities Using the Vulnerability Scanner

1. Modify the run_scanner method in the scanner class.

#!/usr/bin/env python

import requests

import re

from bs4 import BeautifulSoup

from urllib.parse import urljoin

class Scanner:

    def __init__(self, url, ignore_links):

        self.session = requests.Session()

        self.target_url = url

        self.target_links = []

        self.links_to_ignore = ignore_links

    def extract_links_from(self, url):

        response = self.session.get(url)

        return re.findall('(?:href=")(.*?)"', response.content.decode(errors='ignore'))

    def crawl(self, url=None):

        if url == None:

            url = self.target_url

        href_links = self.extract_links_from(url)

        for link in href_links:

            link = urljoin(url, link)

            if "#" in link:

                link = link.split("#")[0]

            if self.target_url in link and link not in self.target_links and link not in self.links_to_ignore:

                self.target_links.append(link)

                print(link)

                self.crawl(link)

    def extract_forms(self, url):

        response = self.session.get(url)

        parsed_html = BeautifulSoup(response.content, features="lxml")

        return parsed_html.findAll("form")

    def submit_form(self, form, value, url):

        action = form.get("action")

        post_url = urljoin(url, action)

        method = form.get("method")

        inputs_list = form.findAll("input")

        post_data = {}

        for input in inputs_list:

            input_name = input.get("name")

            input_type = input.get("type")

            input_value = input.get("value")

            if input_type == "text":

                input_value = value

            post_data[input_name] = input_value

        if method == "post":

            return requests.post(post_url, data=post_data)

        return self.session.get(post_url, params=post_data)

    def run_scanner(self):

        for link in self.target_links:

            forms = self.extract_forms(link)

            for form in forms:

                print("[+] Testing form in " + link)

                is_vulnerable_to_xss = self.test_xss_in_form(form, link)

                if is_vulnerable_to_xss:

                    print("\n\n[***] XSS discovered in " + link + " in the following from")

                    print(form)

            if "=" in link:

                print("\n\n[+] Testing " + link)

                is_vulnerable_to_xss = self.test_xss_in_link(link)

                if is_vulnerable_to_xss:

                    print("[***] Discovered XSS in " + link)

    def test_xss_in_link(self, url):

        xss_test_script = "<sCript>alert('test')</scriPt>"

        url = url.replace("=", "=" + xss_test_script)

        response = self.session.get(url)

        return xss_test_script in response.content.decode()

    def test_xss_in_form(self, form, url):

        xss_test_script = "<sCript>alert('test')</scriPt>"

        response = self.submit_form(form, xss_test_script, url)

        return xss_test_script in response.content.decode()

2. Test this new automatically vulnerability scanner.

#!/usr/bin/env python

import scanner

target_url = "http://10.0.0.45/dvwa/"

links_to_ignore = "http://10.0.0.45/dvwa/logout.php"

data_dict = {"username": "admin", "password": "password", "Login": "submit"}

vuln_scanner = scanner.Scanner(target_url, links_to_ignore)

vuln_scanner.session.post("http://10.0.0.45/dvwa/login.php", data=data_dict)

vuln_scanner.crawl()

vuln_scanner.run_scanner()

Following is the full test result.

root@kali:~/PycharmProjects/vulnerability_scanner# python3 vulnerability_scanner.py

http://10.0.0.45/dvwa/dvwa/css/main.css

http://10.0.0.45/dvwa/favicon.ico

http://10.0.0.45/dvwa/instructions.php

http://10.0.0.45/dvwa/setup.php

http://10.0.0.45/dvwa/vulnerabilities/brute/

http://10.0.0.45/dvwa/vulnerabilities/exec/

http://10.0.0.45/dvwa/vulnerabilities/csrf/

http://10.0.0.45/dvwa/vulnerabilities/fi/?page=include.php

http://10.0.0.45/dvwa/vulnerabilities/sqli/

http://10.0.0.45/dvwa/vulnerabilities/sqli_blind/

http://10.0.0.45/dvwa/vulnerabilities/upload/

http://10.0.0.45/dvwa/vulnerabilities/xss_r/

http://10.0.0.45/dvwa/vulnerabilities/xss_s/

http://10.0.0.45/dvwa/security.php

http://10.0.0.45/dvwa/phpinfo.php

http://10.0.0.45/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

http://10.0.0.45/dvwa/about.php

http://10.0.0.45/dvwa/instructions.php?doc=PHPIDS-license

http://10.0.0.45/dvwa/instructions.php?doc=readme

http://10.0.0.45/dvwa/instructions.php?doc=changelog

http://10.0.0.45/dvwa/instructions.php?doc=copying

http://10.0.0.45/dvwa/security.php?phpids=on

http://10.0.0.45/dvwa/security.php?phpids=off

http://10.0.0.45/dvwa/security.php?test=%22><script>eval(window.name)</script>

http://10.0.0.45/dvwa/ids_log.php

[+] Testing form in http://10.0.0.45/dvwa/setup.php

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/brute/

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/exec/

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/csrf/

[+] Testing http://10.0.0.45/dvwa/vulnerabilities/fi/?page=include.php

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/sqli/

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/sqli_blind/

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/upload/

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/xss_r/

[***] XSS discovered in http://10.0.0.45/dvwa/vulnerabilities/xss_r/ in the following from

<form action="#" method="GET" name="XSS">

<p>What's your name?</p>

<input name="name" type="text"/>

<input type="submit" value="Submit"/>

</form>

[+] Testing form in http://10.0.0.45/dvwa/vulnerabilities/xss_s/

[+] Testing form in http://10.0.0.45/dvwa/security.php

[+] Testing http://10.0.0.45/dvwa/phpinfo.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000

[+] Testing http://10.0.0.45/dvwa/instructions.php?doc=PHPIDS-license

[+] Testing http://10.0.0.45/dvwa/instructions.php?doc=readme

[+] Testing http://10.0.0.45/dvwa/instructions.php?doc=changelog

[+] Testing http://10.0.0.45/dvwa/instructions.php?doc=copying

[+] Testing form in http://10.0.0.45/dvwa/security.php?phpids=on

[+] Testing http://10.0.0.45/dvwa/security.php?phpids=on

[+] Testing form in http://10.0.0.45/dvwa/security.php?phpids=off

[+] Testing http://10.0.0.45/dvwa/security.php?phpids=off

[+] Testing form in http://10.0.0.45/dvwa/security.php?test=%22><script>eval(window.name)</script>

[+] Testing http://10.0.0.45/dvwa/security.php?test=%22><script>eval(window.name)</script>

[+] Testing form in http://10.0.0.45/dvwa/ids_log.php

You can add new methods in the scanner class to find more vulnerabilities.

Python Ethical Hacking - VULNERABILITY SCANNER(9)的更多相关文章

  1. Python Ethical Hacking - VULNERABILITY SCANNER(7)

    VULNERABILITY_SCANNER How to discover a vulnerability in a web application? 1. Go into every possibl ...

  2. Python Ethical Hacking - VULNERABILITY SCANNER(4)

    Extracting & Submitting Forms Automatically Target website:http://10.0.0.45/dvwa/vulnerabilities ...

  3. Python Ethical Hacking - VULNERABILITY SCANNER(2)

    VULNERABILITY_SCANNER How to discover a vulnerability in a web application? 1. Go into every possibl ...

  4. Python Ethical Hacking - VULNERABILITY SCANNER(8)

    Implementing Code To Discover XSS in Parameters 1. Watch the URL of the XSS reflected page carefully ...

  5. Python Ethical Hacking - VULNERABILITY SCANNER(3)

    Polish the Python code using sending requests in a session Class Scanner. #!/usr/bin/env python impo ...

  6. Python Ethical Hacking - VULNERABILITY SCANNER(1)

    HTTP REQUESTS BASIC INFORMATION FLOW The user clicks on a link. HTML website generates a request(cli ...

  7. Python Ethical Hacking - VULNERABILITY SCANNER(6)

    EXPLOITATION - XSS VULNS EXPLOITING XSS Run any javascript code. Beef framework can be used to hook ...

  8. Python Ethical Hacking - VULNERABILITY SCANNER(5)

    EXPLOITATION - XSS VULNS XSS - CROSS SITE SCRIPTING VULNS Allow an attacker to inject javascript cod ...

  9. Python Ethical Hacking - BACKDOORS(8)

    Cross-platform hacking All programs we wrote are pure python programs They do not rely on OS-specifi ...

随机推荐

  1. 使用vscode 开发go项目的最新姿势. go版本1.14.2

    使用了go 1.14.2. 版本, 再也不用建src, pkg, bin 目录了,   以及再也不用强制配置GOPATH了 前提条件: 必须是 go mod 项目. 在工程目录下, 执行这样的命令生成 ...

  2. cb37a-_c++_STL_算法_复制元素copy_copy_backward

    cb37a-_c++_STL_算法_复制元素copy_copy_backward copy(),同一个容器内部区间的拷贝,或者容器与容器之间的拷贝copy_backward()//向后copy 注意: ...

  3. [白话解析] 通过实例来梳理概念 :准确率 (Accuracy)、精准率(Precision)、召回率(Recall)和F值(F-Measure)

    [白话解析] 通过实例来梳理概念 :准确率 (Accuracy).精准率(Precision).召回率(Recall)和F值(F-Measure) 目录 [白话解析] 通过实例来梳理概念 :准确率 ( ...

  4. 如何解决jeecgBoot前端运行项目之后无法获取验证码的问题

    我也是第一次接触这个开源项目,拿到项目之后,安装完环境和依赖,当我启动项目的时候,验证码却刷新不出来. 然后公司后端告诉我需要改两个接口,一个是public目录下的index.html和vue.con ...

  5. java SSM框架单元测试最佳实战代码

    具体的代码参考链接:https://pan.baidu.com/s/1e9UTyidi4OMBwYydhwH-0g 密码:rmvs 本教程采用的是对单元测试的dao层.service层.control ...

  6. Spring学习笔记下载

    动力节点的spring视频教程相当的经典:下载地址 https://pan.baidu.com/s/1eTSOaae

  7. Python3-内置类型-集合类型

    Python3中的集合类型主要有两种 set 可变集合 可添加和删除元素,它是不可哈希的,因此set对象不能用作字典的键或另一个元素的集合 forzenset 不可变集合 正好与set相反,其内容创建 ...

  8. Python 简明教程 --- 9,Python 编码

    微信公众号:码农充电站pro 个人主页:https://codeshellme.github.io 当你选择了一种语言,意味着你还选择了一组技术.一个社区. -- Joshua Bloch 目录 1, ...

  9. Redis系列之简介和Linux部署教程

    ##Redis介绍##Redis如今已经成为Web开发社区最火热的内存数据库之一,随着Web2.0的快速发展,再加上半结构数据比重加大,网站对高效性能的需求也越来越多.而且大型网站一般都有几百台或者更 ...

  10. 【Spring】原来SpringBoot是这样玩的

    菜瓜:我自己去调Mvc的源码差点没给Spring的逻辑秀死...难受 水稻:那今天咱们看一个简单易用的SpringBoot吧 菜瓜:可以,这个我熟悉 水稻:熟悉? 菜瓜:当我没说,请开始你的表演 水稻 ...