
[Practical tips] An automated batch bug-hunting workflow with four tools chained together

2022-06-24 01:40:00 Relieved

Submitted by "majestic lollipop"

0X00 Preface:

I'm a script kiddie myself, a fighter among the lamest of the lame. But fortunately I'm still hunting bugs, and every time I still absorb a lot of new knowledge. There are many tools around now, so I dare to share some experience and ideas, but really I want to learn more from all of you. This article is only for exchange; it is not a reference, let alone guidance.

0X01 Idea:

First, use Google search syntax to find the target sites, then get their subdomains or look up the C segment on Tide. Next, run the tool over the web pages on all ports of that C segment, filter the pages that return a normal 200 response into a TXT file, and run vulmap over that file in batch. The vulmap command is proxied into Burp, whose plugins can detect individual less-known vulnerabilities, and xray is chained behind Burp to look for vulnerabilities in more detail.

In other words, when webfinder, vulmap, Burp and xray are used together, the four tools form an automated chain for finding bugs quickly. The flow chart is as follows:

0X02 The process:

(1) Google

Use Google search syntax to find the government body or enterprise you want to test.

For example:

Find government pages: intitle:login inurl:gov.us

Find enterprise pages: login site:baidu.com

and so on...

(2) Tide

Once you have found a specific site, put its domain name into Tide and look up the domain name or the IPs of its C segment. (It seems this kind of lookup also bypasses the CDN? I'm not sure; try it yourselves.) Generally a government body or a large company will take more than one C segment for its websites, so there will be assets with different functions, and possibly abandoned or forgotten assets as well.

(3) webfinder

Once the subdomain or IP has been determined, put it into a new scan in webfinder and run the full-port web page scan over the whole C segment.

After the port pages of the C segment have been scanned, sort the results by status code 200, select all, and copy and paste them into the file 123.txt.

(4) vulmap

Put 123.txt, which holds the IPs of the pages, into vulmap's directory.

Open cmd in that directory and enter the command:

python3 vulmap.py -f url.txt --proxy-http 127.0.0.1:8080

Leave it there; it waits for Enter before starting.

(5) Burp

Open Burp and first set up two things. The first is the listener port, which is the port where the packets come in; I use the default port 8080 here.

The second is the upstream proxy port, which is the port where the packets go out; mine here is port 7777.

Then check your Burp plugin set and make sure that the plugins for active detection, easily overlooked issues, obscure leaks and logic vulnerabilities are all installed; sometimes there are unexpected surprises. (PS: there are many examples. For instance, one site I tested earlier had a fastjson vulnerability that neither vulmap nor xray detected, but my Burp plugin BurpFastJsonScan-1.0.7 picked it up, and in the end I got a shell...)

(6) xray

For me, xray is the last stage. Its advantage is that it is relatively thorough, more detailed than the tools above: every URL goes through the tool's own rule set. But the downside is obvious: it runs like a small DDoS. Of course, it is fine if you lower the thread count appropriately, but it can't be too slow either, because then it struggles to keep up with the packets coming from the earlier stages, and for me the bug-hunting speed would not reach the desired effect of rapid batch checking.

For the xray linkage, first open cmd in xray's directory and enter the command:

.\xray_windows_amd64_protected.exe webscan --listen 127.0.0.1:7777 --html-output proxy1.html

Then go back and run it. It is now listening on port 7777.

(7) Running the chain

Finally we arrive at the "pull one hair and the whole body moves" step. Remember that I left vulmap waiting for Enter; we can start it now.

When vulmap starts, it begins to run over the IP web pages listed in the txt file; under the guidance of the proxy parameter, the packets go into Burp. After passing through the Burp plugins, they continue to the next proxy port, into xray's comprehensive embrace, which instantly screens batch after batch of sites that cannot even be visited... But in fact the vulnerabilities are being quickly recorded in the output files specified by the various tools; when it's over, we switch to a public-network IP and the vulnerabilities can be verified again.

0X03 Conclusion:

The process of hunting bugs is very boring, and it is easy to get fed up when you don't find a vulnerability. If you want to improve yourself, you can't just learn at work; you need more spare time for practice and accumulation, more interest and more persistence. I can tell you that I spent 80% of my holiday in front of my computer looking for bugs, not out of boredom, but because of that little bit of interest.

I used to be very comfortable doing on-site operations and maintenance on a project: the users were friendly, I wasn't too busy at work and could slack off every day, and from time to time I went out to buy food and drink during working hours. Breakfast at work cost $1 for cereal, bottled milk and two packs of bread; lunch cost 3 for three dishes, one soup and a sweet soup. Although it was only 3 or 4 thousand a month, it was close to home, a 10-minute walk. The monthly salary didn't even need to be spent. Can you say that isn't comfortable?

However, what is the point of being comfortable when you are young, when you can obviously see the end at a glance?

I remember someone in the group once said: "If problems don't excite you and you just muddle along every day, then your work will be over."

Now I have in fact already left that field; it has been more than 2 years since I came out to hunt bugs, but in these years I have never neglected myself. Because I know that on each new day I can still make a little progress, even if it is insignificant.

Finally, whoever you are, I hope you have a goal and aim high. Time will wear down your will; hard work doesn't always pay off, but if you don't work hard you will be eliminated.

Let's encourage each other.

0X04 Reference links:

No reference links; these are all my own thoughts.


Copyright notice
This article was written by [Relieved]; when reposting, please include the original link. Thank you.
https://yzsam.com/2021/11/20211116134147108c.html
