「这是我参与2022首次更文挑战的第9天,活动详情查看:2022首次更文挑战」
潮汐开源版本是利用了fofa的banner
首先,潮汐定义了一个cms_finger_list的cms列表,这个列表和sqllite数据表中的数据是一样的。
然后又当以了下面的东西,暂时没看懂是干啥的
self.W = '\033[0m'
self.G = '\033[1;32m'
self.R = '\033[1;31m'
self.O = '\033[1;33m'
self.B = '\033[1;34m'
而且这个潮汐指纹识别是基于http协议的识别,而不是说针对主机端口的扫描。虽然现在分析的代码是我改写了一遍的,但是基本上没啥变化,现在来进行分析。
cms = Cmsscanner(target_url, self.request_timeout, self.pwd)
fofa_finger = cms.run()
来看看Cmsscanner
def __init__(self, *params):
self.target, self.request_timeout, self.pwd = params
self.start = time.time()
self.finger = []
self.agent = {'UserAgent': 'Mozilla/5.0 (Windows; U; MSIE 9.0; WIndows NT 9.0; en-US))'}
self.rtitle = re.compile(r'title="(.*)"')
self.rheader = re.compile(r'header="(.*)"')
self.rbody = re.compile(r'body="(.*)"')
self.rbracket = re.compile(r'\((.*)\)')
调用的run方法如下
def run(self):
try:
header, body, title = self.get_info()
for _id in range(1, int(self.count())):
try:
self.handle(_id, header, body, title)
except Exception as e:
pass
except Exception as e:
print(e)
finally:
return self.finger
里面调用了git_info方法,我们来看看它都做了啥
def get_info(self):
"""获取web的信息"""
try:
r = requests.get(url=self.target, headers=self.agent,
timeout=self.request_timeout, verify=False)
content = r.text
try:
title = BS(content, 'lxml').title.text.strip()
return str(r.headers), content, title.strip('\n')
except:
return str(r.headers), content, ''
except Exception as e:
pass
利用get方法,向目标发起普通的请求,得到结果,主要包含内容,title和响应头。然后run方法中再遍历数据库中每个指纹,进行处理。详细看看handle方法
def handle(self, _id, header, body, title):
"""取出数据库的key进行匹配"""
name, key = self.check(_id)
# 满足一个条件即可的情况
if '||' in key and '&&' not in key and '(' not in key:
for rule in key.split('||'):
if self.check_rule(rule, header, body, title):
self.finger.append(name)
# print '%s[+] %s %s%s' % (G, self.target, name, W)
break
# 只有一个条件的情况
elif '||' not in key and '&&' not in key and '(' not in key:
if self.check_rule(key, header, body, title):
self.finger.append(name)
# print '%s[+] %s %s%s' % (G, self.target, name, W)
# 需要同时满足条件的情况
elif '&&' in key and '||' not in key and '(' not in key:
num = 0
for rule in key.split('&&'):
if self.check_rule(rule, header, body, title):
num += 1
if num == len(key.split('&&')):
self.finger.append(name)
# print '%s[+] %s %s%s' % (G, self.target, name, W)
else:
# 与条件下存在并条件: 1||2||(3&&4)
if '&&' in re.findall(self.rbracket, key)[0]:
for rule in key.split('||'):
if '&&' in rule:
num = 0
for _rule in rule.split('&&'):
if self.check_rule(_rule, header, body, title):
num += 1
if num == len(rule.split('&&')):
self.finger.append(name)
# print '%s[+] %s %s%s' % (G, self.target, name, W)
break
else:
if self.check_rule(rule, header, body, title):
self.finger.append(name)
# print '%s[+] %s %s%s' % (G, self.target, name, W)
break
else:
# 并条件下存在与条件: 1&&2&&(3||4)
for rule in key.split('&&'):
num = 0
if '||' in rule:
for _rule in rule.split('||'):
if self.check_rule(_rule, title, body, header):
num += 1
break
else:
if self.check_rule(rule, title, body, header):
num += 1
if num == len(key.split('&&')):
self.finger.append(name)
# print '%s[+] %s %s%s' % (G, self.target, name, W)
再来看看针对每个规则是怎么处理的check_rule函数
def check_rule(self, key, header, body, title):
"""指纹识别"""
try:
if 'title="' in key:
if re.findall(self.rtitle, key)[0].lower() in title.lower():
return True
elif 'body="' in key:
if re.findall(self.rbody, key)[0] in body: return True
else:
if re.findall(self.rheader, key)[0] in header: return True
except Exception as e:
pass
也就是说,本质上就是在首页的title/header和body中找有没有符合的正则表达式规则,如果有,就找到一个。