本文介绍了一种方法,通过解析公开资源来识别网站上的潜在远程文件包含漏洞,包括使用Burp Suite的Intruder工具进行验证。同时,提到了如何从OSVDB数据库中提取相关信息,并进行了初步的数据清理。
First of all, get Robert @RSnake Hansen’s RFI list here:
http://ha.ckers.org/blog/20100129/large-list-of-rfis-1000/
it’s a great list, but as soon as I saw it, I was like.. hmm.. how can I use that? Well, being that I am a Burp fan, I parsed the .dat with the following line:
cat rfi-locations.dat | grep -v "^#" | awk -F '?' '{print $1}' | sort -u > rsnake_list.txt
This pulls his list down to 906 entries which you can load in to Burp and hammer away with Intruder. If it pops any of them, not only have you better identified what is running on the site, but you might have just found RFI.
But I wanted to take this a step further:
The OSVDB archive allows you to download their entire database of vulnerabilities (after signing up for an account). I downloaded the CSV version so that I could parse it similar to how I did RSnakes. However, it definitely wasn’t that easy.
I downloaded osvd-csv.latest.tar.gz, extracted it and ran the following:
cat * | grep -i "remote file inclusion" | grep -v "/,0$" | awk -F "," '{print $13}' | sed ‘s/^/”//’ | set ‘s//”$//’ | sort –u > osvdb_rfi.txt
Which got me close. About 3 hours of manual editing after that and I had another list of ~1750 possible remote file inclusions. Is this a full proof way of getting every possibility from the database? Definitely not, but it’s close, and I’d love to see some one modify and tweak my bash line to get it even closer. (Or find a completely different way)
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
