Introduction
It has been a long time since I last wrote anything about web penetration testing. I am studying it in my spare time and hope to get the chance to move in that direction one day; with luck reality will not be too harsh. Someone who can both develop and run operations looks like a pretty formidable dual-class expert.
whois lookup
Web-based domain lookup sites
ICP filing (备案) information lookup
Using the whois command that ships with Kali
Subdomain brute-forcing
There are many ways to enumerate subdomains, for example third-party websites and third-party tools.
The commonly used methods are demonstrated below.
1. Using subdomain lookup sites
Subdomain lookup site
Subdomain lookup site
Subdomain lookup site
2. Using third-party tools
wydomain download
Usage documentation is given below the file listing in the repository.
Demonstration:
Configure the files as described in the official documentation, then install the dependencies:
pip install -r requirements.txt
If pip is not set up on the machine this command cannot run. Fix: execute the following three commands in a terminal; once they finish, the wydomain dependency install should normally work.
wget https://bootstrap.pypa.io/get-pip.py
python3 get-pip.py
pip3 -V
Output when the dependencies are in place:
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (2.21.0)
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (1.16.0)
After installation the scripts need the execute bit set with chmod +x (this is a file permission, not privilege escalation: the script still runs as the invoking user). Scripts that have the bit set show in green in ls output. One caveat: the error strings in the sample run below ("No JSON object could be decoded", "'NoneType' object has no attribute '__getitem__'") are Python 2 messages, so check which interpreter the scripts' shebang line selects and install the requirements with the matching pip (pip for Python 2, pip3 for Python 3); otherwise the modules installed for one interpreter are not visible to the other.
Brute-force command:
./dnsburte.py -d aliyun.com -f dnspod.csv -o message.txt
View the results:
cat message.txt
Query the target's subdomains through the online APIs:
./wydomain.py -d ahdy.top -o andy.log
Sample output
root@kali:~/Desktop/wydomain# ./wydomain.py -d baidu.com -o andy.log
2019-12-17 00:44:49,894 [INFO] starting alexa fetcher...
2019-12-17 00:44:50,322 [INFO] sign_fetch_is_failed
2019-12-17 00:44:50,323 [INFO] alexa fetcher subdomains(22) successfully...
2019-12-17 00:44:50,323 [INFO] starting threatminer fetcher...
2019-12-17 00:44:53,139 [INFO] threatminer fetcher subdomains(0) successfully...
2019-12-17 00:44:53,139 [INFO] starting threatcrowd fetcher...
2019-12-17 00:44:55,187 [INFO] No JSON object could be decoded
2019-12-17 00:44:55,187 [INFO] threatcrowd fetcher subdomains(0) successfully...
2019-12-17 00:44:55,188 [INFO] starting sitedossier fetcher...
2019-12-17 00:44:55,188 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com
2019-12-17 00:44:57,185 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com/101
2019-12-17 00:44:57,795 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com/201
2019-12-17 00:45:00,199 [INFO] request: http://www.sitedossier.com/parentdomain/baidu.com/301
2019-12-17 00:45:05,813 [INFO] sitedossier fetcher subdomains(300) successfully...
2019-12-17 00:45:05,813 [INFO] starting netcraft fetcher...
2019-12-17 00:45:17,687 [INFO] netcraft fetcher subdomains(0) successfully...
2019-12-17 00:45:17,687 [INFO] starting ilinks fetcher...
2019-12-17 00:45:22,707 [INFO] ilinks fetcher subdomains(0) successfully...
2019-12-17 00:45:22,707 [INFO] starting chaxunla fetcher...
2019-12-17 00:45:37,737 [INFO] HTTPConnectionPool(host='api.chaxun.la', port=80): Max retries exceeded with url: /toolsAPI/getDomain/?0.1576561522.71&callback=&k=baidu.com&page=1&order=default&sort=desc&action=moreson&_=1576561522.71&verify= (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f044169d9d0>: Failed to establish a new connection: [Errno -2] Name or service not known',))
2019-12-17 00:45:37,738 [INFO] chaxunla fetcher subdomains(0) successfully...
2019-12-17 00:45:37,738 [INFO] starting google TransparencyReport fetcher...
2019-12-17 00:45:42,760 [INFO] 'NoneType' object has no attribute '__getitem__'
2019-12-17 00:45:42,761 [INFO] google TransparencyReport fetcher subdomains(0) successfully...
2019-12-17 00:45:42,765 [INFO] baidu.com 485 subdomains save to /root/Desktop/wydomain/andy.log
root@kali:~/Desktop/wydomain# cat message.txt
[
"0.baidu.com",
"1.baidu.com",
"01.baidu.com",
"11.baidu.com",
"1111.baidu.com",
"123.baidu.com",
"2012.baidu.com",
"2014.baidu.com",
"360.baidu.com",
"3g.baidu.com",
"8.baidu.com",
"IN.baidu.com",
"a.baidu.com",
"ab.baidu.com",
"abc.baidu.com",
"act.baidu.com",
"activity.baidu.com",
"ac.baidu.com",
"access.baidu.com",
"ad.baidu.com",
"admin.baidu.com",
"ads.baidu.com",
"ag.baidu.com",
"adm.baidu.com",
"ai.baidu.com",
"api.baidu.com",
"ap.baidu.com",
"app.baidu.com",
"ar.baidu.com",
"aq.baidu.com",
"as.baidu.com",
"ask.baidu.com",
"auth.baidu.com",
"auto.baidu.com",
"avatar.baidu.com",
"asp.baidu.com",
"b.baidu.com",
"b2b.baidu.com",
"bai.baidu.com",
"backup.baidu.com",
"baike.baidu.com",
"bao.baidu.com",
"bbs.baidu.com",
"bc.baidu.com",
"beian.baidu.com",
"beta.baidu.com",
"bh.baidu.com",
"bit.baidu.com",
"bk.baidu.com",
"box.baidu.com",
"book.baidu.com",
"brand.baidu.com",
"bx.baidu.com",
"cache.baidu.com",
"ca.baidu.com",
"cas.baidu.com",
"cb.baidu.com",
"ce.baidu.com",
"cdn.baidu.com",
"cc.baidu.com",
"ceshi.baidu.com",
"cf.baidu.com",
"cha.baidu.com",
"check.baidu.com",
"ci.baidu.com",
"city.baidu.com",
"ck.baidu.com",
"cloud.baidu.com",
"autodiscover.baidu.com",
"client.baidu.com",
"cm.baidu.com",
"code.baidu.com",
"com.baidu.com",
"company.baidu.com",
"credit.baidu.com",
"cs.baidu.com",
"cp.baidu.com",
"crm.baidu.com",
"d.baidu.com",
"daohang.baidu.com",
"db.baidu.com",
"dc.baidu.com",
"demo.baidu.com",
"desk.baidu.com",
"dev.baidu.com",
"df.baidu.com",
"dh.baidu.com",
"diy.baidu.com",
"disk.baidu.com",
"dj.baidu.com",
"dm.baidu.com",
"dns1.baidu.com",
"dn.baidu.com",
"doc.baidu.com",
"docs.baidu.com",
"dp.baidu.com",
"dq.baidu.com",
"ds.baidu.com",
"dx.baidu.com",
"du.baidu.com",
"dy.baidu.com",
"edm.baidu.com",
"e.baidu.com",
"edu.baidu.com",
"ee.baidu.com",
"em.baidu.com",
"email.baidu.com",
"ent.baidu.com",
"er.baidu.com",
"fang.baidu.com",
"f.baidu.com",
"fb.baidu.com",
"fashion.baidu.com",
"fc.baidu.com",
"feed.baidu.com",
"fff.baidu.com",
"file.baidu.com",
"finance.baidu.com",
"flash.baidu.com",
"fk.baidu.com",
"fm.baidu.com",
"focus.baidu.com",
"forum.baidu.com",
"fun.baidu.com",
"fund.baidu.com",
"g.baidu.com",
"g1.baidu.com",
"fz.baidu.com",
"g2.baidu.com",
"g3.baidu.com",
"g5.baidu.com",
"game.baidu.com",
"games.baidu.com",
"gb.baidu.com",
"gd.baidu.com",
"gh.baidu.com",
"git.baidu.com",
"gitlab.baidu.com",
"gl.baidu.com",
"gk.baidu.com",
"gongyi.baidu.com",
"go.baidu.com",
"gp.baidu.com",
"gps.baidu.com",
"gx.baidu.com",
"gy.baidu.com",
"h5.baidu.com",
"hao123.baidu.com",
"hao.baidu.com",
"health.baidu.com",
"hb.baidu.com",
"hd.baidu.com",
"help.baidu.com",
"hf.baidu.com",
"hi.baidu.com",
"hk.baidu.com",
"history.baidu.com",
"hm.baidu.com",
"home.baidu.com",
"house.baidu.com",
"hotel.baidu.com",
"houtai.baidu.com",
"hr.baidu.com",
"hot.baidu.com",
"ht.baidu.com",
"huodong.baidu.com",
"i.baidu.com",
"i1.baidu.com",
"hx.baidu.com",
"i2.baidu.com",
"hz.baidu.com",
"hy.baidu.com",
"id.baidu.com",
"im.baidu.com",
"global.baidu.com",
"images.baidu.com",
"ie.baidu.com",
"image.baidu.com",
"img.baidu.com",
"index.baidu.com",
"info.baidu.com",
"ip.baidu.com",
"ipv6.baidu.com",
"j.baidu.com",
"item.baidu.com",
"jia.baidu.com",
"jian.baidu.com",
"jiankang.baidu.com",
"jira.baidu.com",
"jj.baidu.com",
"job.baidu.com",
"jn.baidu.com",
"jq.baidu.com",
"js.baidu.com",
"ka.baidu.com",
"kb.baidu.com",
"kefu.baidu.com",
"kk.baidu.com",
"kl.baidu.com",
"km.baidu.com",
"ks.baidu.com",
"kr.baidu.com",
"lab.baidu.com",
"la.baidu.com",
"l.baidu.com"
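What the dnsburte.py run above does under the hood, as an added example that is not code from the wydomain project: each word from a wordlist is prepended to the target domain and resolved, and hits are written out as a JSON array of names like the message.txt listing. The example adds the check a practitioner wants before trusting such a list, wildcard detection (a zone with *.domain makes every guessed name resolve, which would fill the list with false positives). The zone data, the wordlist and the offline fake resolver are constructed for the demo; only dnspython_resolver talks to real DNS.

```python
"""Minimal DNS subdomain brute-forcer with wildcard filtering (added example)."""
import json
import random
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its A records, or None when the name does not resolve.
Resolver = Callable[[str], Optional[List[str]]]


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> set:
    """Resolve a few random labels that cannot exist; any answer is a wildcard address."""
    wildcard_ips = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        answer = resolve(f"{label}.{domain}")
        if answer:
            wildcard_ips.update(answer)
    return wildcard_ips


def brute_subdomains(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Try every word as a label under `domain`; return {fqdn: [addresses]} for real hits."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    seen = set()
    for word in wordlist:
        label = word.strip().lower()  # DNS names are case-insensitive; drop duplicates
        if not label or label in seen:
            continue
        seen.add(label)
        fqdn = f"{label}.{domain}"
        answer = resolve(fqdn)
        if not answer:
            continue
        # A hit whose addresses are all wildcard addresses is just the wildcard answering.
        if wildcard_ips and set(answer) <= wildcard_ips:
            continue
        found[fqdn] = sorted(answer)
    return found


def to_json_list(found: Dict[str, List[str]]) -> str:
    """Render the hit names as a JSON array of strings, the format dnsburte.py -o writes."""
    return json.dumps(sorted(found), indent=4)


def make_fake_resolver(zone: Dict[str, List[str]], wildcard: Optional[List[str]] = None) -> Resolver:
    """Offline stand-in for DNS so the example runs without network access (constructed)."""
    def resolve(name: str) -> Optional[List[str]]:
        return zone.get(name, wildcard)  # unknown names get the wildcard answer, if any
    return resolve


def dnspython_resolver(name: str) -> Optional[List[str]]:
    """Real resolver using dnspython (dns.resolver.resolve needs dnspython 2.x)."""
    import dns.exception
    import dns.resolver
    try:
        return [rdata.address for rdata in dns.resolver.resolve(name, "A")]
    except dns.exception.DNSException:  # NXDOMAIN, NoAnswer, timeout, ...
        return None


# Constructed zone for example.com (a reserved name); addresses are documentation ranges.
DEMO_ZONE = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
    "dev.example.com": ["198.51.100.7"],
}
DEMO_WORDLIST = ["www", "mail", "dev", "ftp", "admin", "WWW", ""]


def demo(wildcard: Optional[List[str]] = None) -> Dict[str, List[str]]:
    """Run the brute-force against the constructed zone, optionally with a wildcard record."""
    return brute_subdomains("example.com", DEMO_WORDLIST, make_fake_resolver(DEMO_ZONE, wildcard))


if __name__ == "__main__":
    print(to_json_list(demo()))                          # plain zone: www, mail, dev
    print(to_json_list(demo(wildcard=["203.0.113.1"])))  # wildcard zone: ftp/admin dropped, same three
```

To run it against a real target, pass dnspython_resolver instead of the fake one. The filter has one known blind spot: a real host whose address happens to equal the wildcard address is dropped along with the false positives, so compare against CNAME or HTTP responses when that matters.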
Notes on the shell commands used above
Making a script executable
chmod +x <script name> (or the absolute path to the script)
This sets the execute permission bit on the file; it is not privilege escalation, the script still runs as the invoking user. Once the bit is set, ls shows the script in green.
cd <directory> changes into that directory
ls lists the contents of the current directory (pwd prints the directory's path)
1. Running the script directly
Note: write ./test.sh, not test.sh. The same applies to running any other executable. Given a bare test.sh, Linux searches the directories in PATH for a command called test.sh, and PATH normally holds only /bin, /sbin, /usr/bin, /usr/sbin and the like, not the current directory, so a bare test.sh ends in "command not found". ./test.sh tells the shell to look in the current directory. This form requires the execute bit, and the interpreter is chosen by the script's first line (#!/bin/sh, for example).
2. Passing the script to the interpreter
Here the interpreter itself is the command and the script's filename is its argument, for example:
/bin/sh test.sh
/bin/php test.php
With this form no execute bit is needed and the script's #! line is ignored: whatever interpreter is named on the command line runs the file.
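The three invocation forms above, exercised in code as an added example that is not part of the original post: a throwaway demo.sh is written to a temporary directory and run by bare name, with ./ before and after chmod +x, and with /bin/sh named explicitly. The script name, its body and the fixed PATH are constructed for the demo; it assumes a POSIX system with /bin/sh.

```python
"""Shows how the execute bit and PATH lookup decide whether a script runs (added example)."""
import os
import stat
import subprocess
import tempfile
from typing import Dict, Tuple

SCRIPT_BODY = "#!/bin/sh\necho hello from script\n"  # constructed demo script
# Fixed PATH so the bare-name lookup never finds the current directory by accident.
ENV = {"PATH": "/usr/bin:/bin"}


def try_run(argv, cwd: str) -> Tuple[str, str]:
    """Run argv inside cwd; return (outcome, stdout) where outcome is 'ok',
    'not_found' (PATH search failed) or 'not_executable' (execute bit missing)."""
    try:
        proc = subprocess.run(argv, cwd=cwd, env=ENV, capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return "not_found", ""
    except PermissionError:
        return "not_executable", ""
    outcome = "ok" if proc.returncode == 0 else f"exit_{proc.returncode}"
    return outcome, proc.stdout.strip()


def run_demo() -> Dict[str, Tuple[str, str]]:
    """Exercise every invocation form and return the outcome of each."""
    results: Dict[str, Tuple[str, str]] = {}
    try:
        tmpdir = tempfile.TemporaryDirectory(dir=os.getcwd())  # cwd is less likely to be noexec
    except OSError:
        tmpdir = tempfile.TemporaryDirectory()
    with tmpdir as tmp:
        path = os.path.join(tmp, "demo.sh")
        with open(path, "w") as fh:
            fh.write(SCRIPT_BODY)
        # 1. Bare name: the shell searches PATH, not the current directory.
        results["bare_name"] = try_run(["demo.sh"], tmp)
        # 2. ./demo.sh before chmod +x: the file is found, but the kernel refuses to execute it.
        results["dot_slash_no_x"] = try_run(["./demo.sh"], tmp)
        # 3. Interpreter as the command, script as its argument: no execute bit needed.
        results["interpreter_no_x"] = try_run(["/bin/sh", "demo.sh"], tmp)
        # The equivalent of chmod +x: add the execute bit for user, group and others.
        os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        # 4. ./demo.sh after chmod +x: the #!/bin/sh line selects the interpreter.
        results["dot_slash_with_x"] = try_run(["./demo.sh"], tmp)
    return results


if __name__ == "__main__":
    for case, (outcome, out) in run_demo().items():
        print(f"{case:18} {outcome:15} {out}")
```

The first two cases fail for different reasons (ENOENT from the PATH search versus EACCES from execve), which is why the shell prints "command not found" for one and "Permission denied" for the other; the interpreter form sidesteps the execute bit entirely.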