-
Analyzing the results
grep password file.txt
$ grep 80 TARGET_DIRECTORY/nmap
80/tcp open http
grep -E "^\S+\s+\S+\s+\S+$" DIRECTORY/nmap > DIRECTORY/nmap_cleaned
-
Regular expressions
\d matches any digit (d for digit)
\w matches any word character (w for word)
\s matches any whitespace character (s for space)
\S matches any non-whitespace character
. matches any single character
\ escapes a special character
^ matches the start of a string or line
$ matches the end of a string or line
* matches the preceding character zero or more times
+ matches the preceding character one or more times
{3} matches the preceding character exactly three times
{1,3} matches the preceding character one to three times
{1,} matches the preceding character one or more times
[ ] matches one of the characters inside the brackets
[a-z] matches one character in the range a-z
(a|b|c) matches a, b or c
"^\S+\s+\S+\s+\S+$"
The filtered output looks like this:
"^\s*\S+\s+\S+\s+\S+\s*$"
https://www.rexegg.com/regex-quickstart.html
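The two regexes above differ only in how they treat lines with leading or trailing blanks. The following added example (not from the original article) runs both over a constructed nmap-style report so the difference is visible; the sample text and function names are made up for the demonstration.

```shell
# Added example: compare the strict and relaxed port-line regexes from the
# text on a constructed nmap report. Requires grep -E with \s/\S (GNU grep).
filter_nmap_strict() {
  # Regex from the text: exactly three non-blank fields, nothing around them.
  grep -E '^\S+\s+\S+\s+\S+$' "$1"
}

filter_nmap_relaxed() {
  # Improved regex from the text: also accepts leading/trailing whitespace.
  grep -E '^\s*\S+\s+\S+\s+\S+\s*$' "$1"
}

make_sample_nmap() {
  # Constructed sample mimicking nmap's plain-text layout. The indented
  # 443/tcp line is deliberate: it shows what the strict regex drops.
  cat > "$1" <<'EOF'
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-26 13:26 UTC
Nmap scan report for example.com (93.184.216.34)
Host is up (0.012s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
  443/tcp  open  https
Nmap done: 1 IP address (1 host up) scanned in 2.11 seconds
EOF
}

# Demo: write the sample, then run both filters. Note that the "PORT STATE
# SERVICE" header also has three fields and passes both filters.
SAMPLE=$(mktemp)
make_sample_nmap "$SAMPLE"
echo "strict:";  filter_nmap_strict "$SAMPLE"
echo "relaxed:"; filter_nmap_relaxed "$SAMPLE"
rm -f "$SAMPLE"
```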
-
Building the master report
-
Parsing the JSON data and adding the date
https://crt.sh/?q=google.com&output=json
[
  {
    "issuer_ca_id": 12254,
    "issuer_name": "C=NL, O=DigiNotar, CN=DigiNotar Public CA 2025, [email protected]",
    "common_name": "*.google.com",
    "name_value": "[email protected]\n*.google.com",
    "id": 3144337544,
    "entry_timestamp": "2020-07-26T13:26:21.356",
    "not_before": "2011-07-10T19:06:30",
    "not_after": "2013-07-09T19:06:30",
    "serial_number": "05e2e6a4cd09ea54d665b075fe22a256",
    "result_count": 2
  },
  {
    "issuer_ca_id": 4,
    "issuer_name": "C=US, O=Google Inc, CN=Google Internet Authority",
    "common_name": "*.mail.google.com",
    "name_value": "*.docs.google.com\n*.mail.google.com\n*.plus.google.com\n*.sites.google.com\n*.talkgadget.google.com",
    "id": 2381394777,
    "entry_timestamp": "2020-01-27T02:30:30.549",
    "not_before": "2011-07-13T05:53:39",
    "not_after": "2012-07-13T06:03:39",
    "serial_number": "3e554a12000300002c7f",
    "result_count": 6
  }
]
The command looks like this (jq -r prints raw strings, so each name_value entry comes out as plain lines instead of quoted JSON):
jq -r ".[] | .name_value" $DOMAIN/crt
https://stedolan.github.io/jq/manual/
#!/bin/bash
PATH_TO_DIRSEARCH="/Users/vickieli/tools/dirsearch"
DOMAIN=$1
DIRECTORY=${DOMAIN}_recon
echo "Creating directory $DIRECTORY."
mkdir $DIRECTORY
nmap_scan()
{
  nmap $DOMAIN > $DIRECTORY/nmap
  echo "The results of nmap scan are stored in $DIRECTORY/nmap."
}
dirsearch_scan()
{
  $PATH_TO_DIRSEARCH/dirsearch.py -u $DOMAIN -e php --simple-report=$DIRECTORY/dirsearch
  echo "The results of dirsearch scan are stored in $DIRECTORY/dirsearch."
}
crt_scan()
{
  curl "https://crt.sh/?q=$DOMAIN&output=json" -o $DIRECTORY/crt
  echo "The results of cert parsing is stored in $DIRECTORY/crt."
}
case $2 in
  nmap-only)
    nmap_scan
    ;;
  dirsearch-only)
    dirsearch_scan
    ;;
  crt-only)
    crt_scan
    ;;
  *)
    nmap_scan
    dirsearch_scan
    crt_scan
    ;;
esac
echo "Generating recon report from output files..."
TODAY=$(date)
echo "This scan was created on $TODAY" > $DIRECTORY/report # 【1】
echo "Results for Nmap:" >> $DIRECTORY/report
grep -E "^\s*\S+\s+\S+\s+\S+\s*$" $DIRECTORY/nmap >> $DIRECTORY/report # 【2】
echo "Results for Dirsearch:" >> $DIRECTORY/report
cat $DIRECTORY/dirsearch >> $DIRECTORY/report # 【3】
echo "Results for crt.sh:" >> $DIRECTORY/report
jq -r ".[] | .name_value" $DIRECTORY/crt >> $DIRECTORY/report # 【4】
-
Scanning multiple domains
./recon.sh facebook.com fbcdn.net nmap-only
-
Using the getopts command-line tool
The getopts tool parses single-character options such as -m from the command line.
-u http://127.0.0.1
The option name is u
The option value is http://127.0.0.1
In the command ls -l /home:
-l is an option that modifies the command's behaviour
/home is an argument that supplies specific data to the command (the directory to list)
getopts OPTSTRING NAME (OPTSTRING: the option flags to recognize; NAME: the variable that stores the option currently being processed)
We can store $OPTARG in a variable named MODE:
getopts "m:" OPTION
MODE=$OPTARG
The following examples were added by the translator to help readers better understand the getopts command.
Example 1:
OPTSTRING=":ab"
while getopts ${OPTSTRING} opt; do
  case ${opt} in
    a)
      echo "Option -a was triggered."
      ;;
    b)
      echo "Option -b was triggered."
      ;;
    ?)
      echo "Invalid option: -${OPTARG}."
      exit 1
      ;;
  esac
done
Let's break this script down:
Example 2:
OPTSTRING=":a:b"
while getopts ${OPTSTRING} opt; do
  case ${opt} in
    a)
      echo "Option -a was ${OPTARG}."
      ;;
    b)
      echo "Option -b was triggered."
      ;;
    ?)
      echo "Invalid option: -${OPTARG}."
      exit 1
      ;;
  esac
done
Example 3:
while getopts "a:b:" opt; do
  case $opt in
    a) echo "$OPTARG" ;;
    b) echo "$OPTARG" ;;
    ?) echo "Invalid option -$OPTARG" >&2 ;;
  esac
done
# $OPTIND now points at the first non-option argument
shift $((OPTIND-1))
# $@ now contains only the arguments getopts did not process (if any)
for file in "$@"; do
  echo "Processing file: $file"
done
-
Shell script for multi-domain scanning
./recon.sh -m nmap-only facebook.com fbcdn.net
for i in LIST_OF_VALUES
do
  DO SOMETHING
done
Now let's implement this with a for loop:
for i in "${@:$OPTIND:$#}"
do
  # Do the scans for $i
done
"${INPUT_ARRAY:START_INDEX:END_INDEX}"
#!/bin/bash
PATH_TO_DIRSEARCH="/Users/vickieli/tools/dirsearch"
nmap_scan()
{
  nmap $DOMAIN > $DIRECTORY/nmap
  echo "The results of nmap scan are stored in $DIRECTORY/nmap."
}
dirsearch_scan()
{
  $PATH_TO_DIRSEARCH/dirsearch.py -u $DOMAIN -e php --simple-report=$DIRECTORY/dirsearch
  echo "The results of dirsearch scan are stored in $DIRECTORY/dirsearch."
}
crt_scan()
{
  curl "https://crt.sh/?q=$DOMAIN&output=json" -o $DIRECTORY/crt
  echo "The results of cert parsing is stored in $DIRECTORY/crt."
}
getopts "m:" OPTION
MODE=$OPTARG
for i in "${@:$OPTIND:$#}" # 【1】
do
  DOMAIN=$i
  DIRECTORY=${DOMAIN}_recon
  echo "Creating directory $DIRECTORY."
  mkdir $DIRECTORY
  case $MODE in
    nmap-only)
      nmap_scan
      ;;
    dirsearch-only)
      dirsearch_scan
      ;;
    crt-only)
      crt_scan
      ;;
    *)
      nmap_scan
      dirsearch_scan
      crt_scan
      ;;
  esac
  echo "Generating recon report for $DOMAIN..."
  TODAY=$(date)
  echo "This scan was created on $TODAY" > $DIRECTORY/report
  if [ -f $DIRECTORY/nmap ]; then # 【2】
    echo "Results for Nmap:" >> $DIRECTORY/report
    grep -E "^\s*\S+\s+\S+\s+\S+\s*$" $DIRECTORY/nmap >> $DIRECTORY/report
  fi
  if [ -f $DIRECTORY/dirsearch ]; then # 【3】
    echo "Results for Dirsearch:" >> $DIRECTORY/report
    cat $DIRECTORY/dirsearch >> $DIRECTORY/report
  fi
  if [ -f $DIRECTORY/crt ]; then # 【4】
    echo "Results for crt.sh:" >> $DIRECTORY/report
    jq -r ".[] | .name_value" $DIRECTORY/crt >> $DIRECTORY/report
  fi
done # 【5】
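The script above calls getopts once and then treats any unrecognized mode as "run everything", so a mistyped -m value silently triggers all three scans. The following added example (not the article's script) shows the argument-parsing step written with the getopts loop from the translator's examples, a mode check, and the shift that replaces the "${@:$OPTIND:$#}" slice; the function name parse_recon_args and the mode name "all" are assumptions for the demonstration.

```shell
# Added example: argument parsing for a multi-domain recon script, written
# as a function so it can be tested without running nmap, dirsearch or curl.
parse_recon_args() {
  # getopts remembers its position in OPTIND; reset it so the function can
  # be called more than once in the same shell session.
  OPTIND=1
  MODE="all"   # assumed default name for "run every scan"
  while getopts "m:" opt; do
    case "$opt" in
      m) MODE="$OPTARG" ;;
      \?) echo "usage: recon.sh [-m nmap-only|dirsearch-only|crt-only] domain..." >&2
          return 2 ;;
    esac
  done
  # Reject unknown modes instead of falling into the catch-all branch.
  case "$MODE" in
    all|nmap-only|dirsearch-only|crt-only) ;;
    *) echo "unknown mode: $MODE" >&2; return 2 ;;
  esac
  # Drop the options getopts consumed; what remains are the domains. This is
  # the POSIX equivalent of the bash slice "${@:$OPTIND:$#}" used in the
  # article (where $# is a length, not an end index).
  shift $((OPTIND - 1))
  [ "$#" -gt 0 ] || { echo "no domains given" >&2; return 2; }
  # One line per value: the mode first, then each domain to scan.
  printf '%s\n' "$MODE" "$@"
}

# Demo with the invocation shapes from the text plus a mistyped mode.
parse_recon_args -m nmap-only facebook.com fbcdn.net
parse_recon_args facebook.com
parse_recon_args -m nmapp-only facebook.com || echo "rejected (exit $?)"
```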
Originally published on the WeChat official account SecurityBug: Writing recon scripts (regex + getopts), part 2