NSE Code Generator | Nmap Scripts

Date: 2022-07-23

Lately all kinds of vulnerabilities keep turning up. The Nmap scripts I write are usually pentest scripts, basically all HTTP requests, and every time I write one I have to go back and tweak things, which is annoying, so I wrote a "code generator" in Python.

"""
    想写一个nmap的脚本http包生成器, Python3里似乎没有能够解析http请求包的库,自己写吧
    http 请求包似乎可以分为三个部分,请求头、中间的配置项、post的数据
    可以使用readlines 的第一个元素来获取请求头

"""
import sys


# 定义一些全局变量
HTTP_METHOD = None
HTTP_PATH = None
HTTP_VERSION = None
HTTP_OPTIONS = []
HTTP_DATA = ""


def make_data(http_req):
    global HTTP_METHOD
    global HTTP_PATH
    global HTTP_VERSION
    global HTTP_OPTIONS
    global HTTP_DATA

    HTTP_METHOD = http_req[0].split()[0]
    HTTP_PATH = http_req[0].split()[1]
    HTTP_VERSION = http_req[0].split()[2]

    # 定位http包的头与数据之间的空行
    blank_flag = 100000
    for i in range(1, len(http_req)):
        if i < blank_flag and http_req[i] != 'n':
            HTTP_OPTIONS.append("".join(http_req[i]))
        elif i < blank_flag and http_req[i] == 'n':
            blank_flag = i
        else:
            HTTP_DATA = HTTP_DATA + http_req[i]


def make_options():
    options_code = """
    local options = {header = {}, content = {}}
    """
    for i in HTTP_OPTIONS:
        key = i.strip().split(':')[0]
        val = i.strip().split(':')[1][1:]
        if key != "Host" and key != "Content-Length":
            options_code = options_code + """options["header"]["{0}"] = "{1}"
        """.format(key, val)
    options_code = options_code + """options["content"] = postdatas"""
    return options_code


# 这个函数用来输出lua格式的代码
def output_lua():
    lua_codes = """
local stdnse = require "stdnse"
local shortport = require "shortport"
local http = require "http"

description = "sth"
author = "test94"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {{"default"}}


prerule = function()
    print("-----------------------------------")
    print("[+] start ... ")
    print("[-] (if port is filtered, nothing will be checked)")
    print("")
end

portrule = shortport.service({{"http", "https", "afs3-callback", "http-proxy"}})

local postdatas = [[
{0}
]]

action = function(host, port)
    local output = stdnse.output_table()
    output.result = "not vulnerable"
    {1}
    
    local req = http.generic_request(host, port, "{2}", "{3}", options)
    return output
end
"""
    # print(lua_codes.format(HTTP_DATA, "header", HTTP_METHOD, HTTP_PATH))
    global HTTP_OPTIONS
    HTTP_OPTIONS = make_options()
    print(lua_codes.format(HTTP_DATA, HTTP_OPTIONS, HTTP_METHOD, HTTP_PATH))


def main(filename):
    f = open(filename, 'r')
    http_req = f.readlines()
    f.close()
    make_data(http_req)
    output_lua()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python3 nmap_helper.py http_req.txt")
    else:
        main(sys.argv[1])

Usage:

  • Write the HTTP request carrying the payload into a file, like this:

This is the earlier Tongda OA PoC; we'll use it for the test.

  • Run python3 nmap_helper.py http_req.txt

You can see that it generates the Nmap NSE code that sends this HTTP request straight away. How to handle the response and how to decide whether the vulnerability exists is up to you.

If you want to write the output straight to a file, run python3 nmap_helper.py http_req.txt > poc.nse

  • Let's capture traffic to check that the request is actually sent

Follow the stream of this packet

Very good, no problems.
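The post leaves the response check to the reader. As an added example (not the generator's output and not code from the post or from the Nmap project), here is what the generated action looks like with that part filled in, using Nmap's vulns library so the result appears in the standard vuln report format. The request path, Content-Type header, POST body and the response marker (`uid=`) are assumptions for a hypothetical command-execution check, not a real target or product.

```lua
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
Sends a generated HTTP request and reports the target as vulnerable only if
the response carries a marker that the payload is known to produce.
]]
author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}

portrule = shortport.http

-- Assumed values for a hypothetical check; replace with the real payload's
-- path, body and the marker a vulnerable host returns.
local REQUEST_PATH = "/hypothetical/endpoint"
local MARKER = "uid="
local postdatas = [==[
cmd=id
]==]

action = function(host, port)
  local vuln = {
    title = "Hypothetical command execution via generated request",
    state = vulns.STATE.NOT_VULN,
    description = "Placeholder description for the check.",
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Same shape as the generator's options block: headers plus body.
  local options = { header = {}, content = postdatas }
  options.header["Content-Type"] = "application/x-www-form-urlencoded"
  options.header["User-Agent"] = "Mozilla/5.0"

  local response = http.generic_request(host, port, "POST", REQUEST_PATH, options)

  -- No HTTP response at all (filtered port, reset connection, TLS failure):
  -- say nothing rather than reporting "not vulnerable" for a host we never reached.
  if not response or not response.status then
    stdnse.debug1("no response from %s:%d", host.ip, port.number)
    return nil
  end

  -- Only treat the host as vulnerable when status and body both match; a 200
  -- on its own is not evidence, plenty of targets answer 200 to anything.
  if response.status == 200 and response.body
     and string.find(response.body, MARKER, 1, true) then
    vuln.state = vulns.STATE.VULN
    vuln.extra_info = string.format("status %d, marker %q found in body",
                                    response.status, MARKER)
  end

  return report:make_output(vuln)
end
```

Save it as poc.nse and run `nmap -p 80 --script ./poc.nse <target>`; `--script-trace` shows the exact request on the wire, and `-d` surfaces the debug1 line when no response comes back.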

Script download:

http://www.my-synology.cn:37980/sharing/ioRM045GX

Password: helper