Running security as a one-person team always feels a bit stretched, and you cannot fully trust the business side to get security right on its own. There may be no security issue at this very moment, but any given release could introduce one. The scariest bugs are not SQL injection or command execution, since those are usually located and locked down quickly; the truly deadly ones are unauthorized-access vulnerabilities, because they are silent.
The directory layout is simple: a targets.json file holding the core APIs, plus the script. The script itself is simple as well, just plain requests calls.
The overall idea is simple too, and it is meant only for the security person (me) to look at. Roughly: a GitHub Action triggers on a schedule -> the script runs and scans the APIs -> any API that answers without authorization is sent to the security person (me) via DingTalk.
The script is as follows.
```python
import requests
import json
from concurrent.futures import ThreadPoolExecutor, as_completed

DINGTALK_WEBHOOK = "https://oapi.dingtalk.com/robot/send?access_token=?"

# Collects every target that answered without an auth rejection
unauthorized_apis = []


def load_targets(filename="targets.json"):
    # targets.json is a list of {"method", "url", "headers", "body"} entries
    with open(filename, "r") as f:
        return json.load(f)


# Send a DingTalk alert
def send_to_dingtalk(message):
    headers = {"Content-Type": "application/json"}
    data = {
        "msgtype": "text",
        "text": {
            "content": message
        }
    }
    try:
        resp = requests.post(DINGTALK_WEBHOOK, headers=headers, data=json.dumps(data))
        print(f"[🔔] 已发送钉钉告警,响应: {resp.status_code}")
    except Exception as e:
        print(f"[❌] 钉钉推送失败: {e}")


def report_unauthorized(apis):
    print("=== 开始发送dingtalk ===")
    if not apis:
        print("无未授权接口")
        return
    msg = "🚨 以下 API 存在未授权访问风险:\n"
    for item in apis:
        msg += f"- {item['method']} {item['url']},状态码: {item['status']}\n"
    send_to_dingtalk(msg)


def make_request(target):
    method = target.get("method", "GET").upper()
    url = target["url"]
    headers = target.get("headers", {})
    body = target.get("body", {})
    try:
        if method == "GET":
            resp = requests.get(url, headers=headers, timeout=10)
        elif method == "POST":
            resp = requests.post(url, json=body, headers=headers, timeout=10)
        elif method == "PUT":
            resp = requests.put(url, json=body, headers=headers, timeout=10)
        elif method == "DELETE":
            resp = requests.delete(url, headers=headers, timeout=10)
        elif method == "PATCH":
            # PATCH carries a body too; the original omitted json=body here
            resp = requests.patch(url, json=body, headers=headers, timeout=10)
        else:
            print(f"[⚠️] 不支持的方法: {method}")
            return
        print(f"[{resp.status_code}] {method} {url}")
        # Anything other than 401/403/405 is treated as reachable without credentials
        if resp.status_code not in [401, 403, 405]:
            unauthorized_apis.append({
                "method": method,
                "url": url,
                "status": resp.status_code
            })
    except Exception as e:
        print(f"[❌] 请求失败 {method} {url}: {e}")


def main():
    print("=== 多方法 API 未授权访问检测脚本 ===")
    targets = load_targets()
    thread_count = 5
    # ThreadPoolExecutor rejects max_workers=0, so keep at least one worker
    max_threads = max(1, min(thread_count, len(targets)))
    with ThreadPoolExecutor(max_workers=max_threads) as executor:
        future_to_target = {
            executor.submit(make_request, target): target for target in targets
        }
        for future in as_completed(future_to_target):
            target = future_to_target[future]
            try:
                future.result()
            except Exception as e:
                print(f"{target} 执行失败: {e}")
    print("=== 所有未授权扫描任务完成 ===")
    report_unauthorized(unauthorized_apis)


if __name__ == "__main__":
    main()
```
The targets.json API entry format is as follows.
```json
[
  {
    "method": "POST",
    "url": "https://xxxx/xxxx",
    "headers": {
      "Content-Type": "application/json"
    },
    "body": {}
  }
]
```
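The script above flags every response whose status is not 401/403/405, which produces false positives when requests follows a redirect to a login page (final status 200) or when a backend returns 200 with an auth error code in the JSON body. The following is an added example, not the post's own code: a refined classifier that feeds the same {method, url, status} records into the report, run over constructed sample responses; the login-path markers and body error codes are assumptions to be adjusted per backend.

```python
import json

# Statuses the page's script already treats as "access correctly denied"
PROTECTED_STATUSES = {401, 403, 405}
# Error codes some backends return inside a 200 JSON body (assumption: illustrative)
BODY_AUTH_ERROR_CODES = {401, 403}
# Path fragments showing a redirect chain ended on a login page (assumption)
LOGIN_PATH_MARKERS = ("/login", "/sso", "/oauth")


def is_unauthorized(status, final_url, body_text=""):
    """True when an unauthenticated request appears to have reached the API.

    Rules out two false positives of the bare status-code test: a redirect that
    ended on a login/SSO page, and a 200 whose JSON body carries an auth error code.
    """
    if status in PROTECTED_STATUSES:
        return False
    if any(marker in final_url.lower() for marker in LOGIN_PATH_MARKERS):
        return False
    try:
        payload = json.loads(body_text) if body_text else None
    except ValueError:
        payload = None
    if isinstance(payload, dict) and payload.get("code") in BODY_AUTH_ERROR_CODES:
        return False
    return True


def collect_unauthorized(results):
    """Keep the {method, url, status} records the script's report expects."""
    return [
        {"method": r["method"], "url": r["url"], "status": r["status"]}
        for r in results
        if is_unauthorized(r["status"], r["final_url"], r.get("body", ""))
    ]


# Constructed sample responses, standing in for what make_request() would observe
SAMPLE_RESULTS = [
    {"method": "GET", "url": "https://api.example.internal/v1/users", "status": 200,
     "final_url": "https://api.example.internal/v1/users",
     "body": '{"code": 0, "data": []}'},                            # really exposed
    {"method": "POST", "url": "https://api.example.internal/v1/orders", "status": 200,
     "final_url": "https://sso.example.internal/login?next=/v1/orders",
     "body": "<html>login</html>"},                                 # login redirect
    {"method": "DELETE", "url": "https://api.example.internal/v1/users/1", "status": 403,
     "final_url": "https://api.example.internal/v1/users/1"},        # denied
    {"method": "GET", "url": "https://api.example.internal/v1/admin/config", "status": 200,
     "final_url": "https://api.example.internal/v1/admin/config",
     "body": '{"code": 401, "msg": "unauthorized"}'},               # error code in body
]
```

In the scan script, `resp.url` gives the final URL after redirects and `resp.text` the body, so `is_unauthorized(resp.status_code, resp.url, resp.text)` can replace the bare status check.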
Originally published on the WeChat public account 安全无界: 瞎捣鼓之核心API未授权监控 (Tinkering: monitoring core APIs for unauthorized access).
Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).