# -*- coding:utf-8 -*-
# __author__:langzi
# __blog__:www.langzi.fun
import requests
import re
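def scan_waf(uul):
    """Fingerprint the WAF/CDN in front of a site from one probe response.

    Sends a single GET whose query string looks like an SQL injection
    attempt, then compares the response headers and body with a fixed table
    of vendor signatures and returns the name of the first signature group
    that matches.

    Args:
        uul: Target host or base URL. ``http://`` is prepended when the
            value does not already start with ``http``.

    Returns:
        The key of the first matching signature group (a vendor name, or
        ``'存在未识别WAF'`` for a generic, unattributed block page), or
        ``None`` when the request fails or nothing matches.
    """
    if uul.startswith('http'):
        urls = uul + '/list.php?k=1?aspx?id=1?"download.asp=manage.mdb" and 1=1 union select user from admin%23'
    else:
        urls = 'http://' + uul + '/list.php?k=1" manage.mdb" and 1=1 union select user from admin%23'
    print('检测WAF:{}'.format(urls))

    try:
        r = requests.get(url=urls, timeout=5)
    except Exception as e:
        # Best-effort probe: report the failure and stop here instead of
        # falling through to matching with no response data bound.
        print(e)
        return None

    # Match on bytes throughout. The body arrives as bytes; the headers are
    # the str() of the whole header mapping, encoded so that one pattern type
    # works for both. Mixing str and bytes makes `in` and re.search raise
    # TypeError on Python 3, which silently disables the affected checks
    # when the error is swallowed.
    page_get = r.content
    headers_get = str(r.headers).encode('utf-8', 'replace')

    HDR, BODY = 'headers', 'body'
    haystacks = {HDR: headers_get, BODY: page_get}

    # Signatures are plain data, not source strings passed to eval(): a typo
    # in one entry can no longer hide behind a swallowed exception, and no
    # code is built from strings at runtime.
    # Entry layout: (where, pattern, flags). flags=None means a literal
    # substring test; any other value means re.search(pattern, data, flags).
    # Patterns are raw bytes literals so that \b is the regex word boundary
    # rather than a backspace character.
    #
    # NOTE(review): header patterns run against the dump of *all* headers.
    # The \A-anchored ones look written for individual header values and
    # probably cannot match this dump; short tokens such as MISS or fhl can
    # match unrelated headers. Treat the returned name as a hint, not as a
    # confirmed identification.
    waf_dic = {
        '360': [
            (HDR, rb'wangzhan\.360\.cn', re.I),
            (BODY, b'/wzws-waf-cgi/', None),
            (BODY, b'360.cn', None),
            (HDR, b'360.cn', None),
        ],
        'airlock': [
            (HDR, rb'\AAL[_-]?(SESS|LB)=', re.I),
        ],
        'anquanbao': [
            (HDR, rb'MISS', re.I),
            (BODY, b'/aqb_cc/error/', None),
        ],
        'armor': [
            (BODY, b'This request has been blocked by website protection from Armo', None),
        ],
        'aws': [
            (HDR, rb'\bAWS', re.I),
        ],
        'baidu': [
            (HDR, rb'fhl', re.I),
            (HDR, rb'yunjiasu-nginx', re.I),
        ],
        'barracuda': [
            (HDR, rb'\Abarra_counter_session=', re.I),
            (HDR, rb'(\A|\b)barracuda_', re.I),
        ],
        'bigip': [
            (HDR, rb'\ATS\w{4,}=', re.I),
            (HDR, rb'BigIP|BIGipServe', re.I),
            (HDR, rb'\AF5\Z', re.I),
        ],
        'binarysec': [
            (HDR, rb'BinarySec', re.I),
        ],
        'blockdos': [
            (HDR, rb'BlockDos\.net', re.I),
        ],
        'ciscoacexml': [
            (HDR, rb'ACE XML Gateway', re.I),
        ],
        'cloudflare': [
            (HDR, rb'cloudflare-nginx', re.I),
            (HDR, rb'\A__cfduid=', re.I),
            (BODY, rb'CloudFlare Ray ID:|var CloudFlare=', 0),
        ],
        'cloudfront': [
            (HDR, rb'cloudfront', re.I),
        ],
        'comodo': [
            (HDR, rb'Protected by COMODO WAF', re.I),
        ],
        'datapower': [
            (HDR, rb'\A(OK|FAIL)', re.I),
        ],
        'denyall': [
            (HDR, rb'\Asessioncookie=', re.I),
            (BODY, rb'\ACondition Intercepted', re.I),
        ],
        'dotdefender': [
            (BODY, b'dotDefender Blocked Your Request', None),
        ],
        'edgecast': [
            (HDR, rb'\AECDF', re.I),
        ],
        'expressionengine': [
            (BODY, b'Invalid GET Data', None),
        ],
        'fortiweb': [
            (HDR, rb'\AFORTIWAFSID=', re.I),
        ],
        'hyperguard': [
            (HDR, rb'\AODSESSION=', re.I),
        ],
        'incapsula': [
            (HDR, rb'incap_ses|visid_incap', re.I),
            (HDR, rb'Incapsula', re.I),
            (BODY, b'Incapsula incident ID', None),
        ],
        'isaserver': [
            (BODY, b'The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.', None),
            (BODY, b'The ISA Server denied the specified Uniform Resource Locator (URL)', None),
        ],
        'jiasule': [
            (HDR, rb'jiasule-WAF', re.I),
            (HDR, rb'__jsluid=', re.I),
            (HDR, rb'jsl_tracking', re.I),
            (BODY, rb'static\.jiasule\.com/static/js/http_error\.js', re.I),
            (BODY, b'notice-jiasule', None),
        ],
        'kona': [
            (BODY, rb'Reference #[0-9a-f.]+', re.I),
            (HDR, rb'AkamaiGHost', re.I),
        ],
        'modsecurity': [
            (HDR, rb'Mod_Security|NOYB', re.I),
            (BODY, b'This error was generated by Mod_Security', None),
        ],
        'netcontinuum': [
            (HDR, rb'\ANCI__SessionId=', re.I),
        ],
        'netscaler': [
            (HDR, rb'\Aclose', re.I),
            (HDR, rb'\A(ns_af=|citrix_ns_id|NSC_)', re.I),
            (HDR, rb'\ANS-CACHE', re.I),
        ],
        'newdefend': [
            (HDR, rb'newdefend', re.I),
        ],
        'nsfocus': [
            (HDR, rb'NSFocus', re.I),
        ],
        'paloalto': [
            (BODY, rb'Access[^<]+has been blocked in accordance with company policy', re.I),
        ],
        'profense': [
            (HDR, rb'\APLBSID=', re.I),
            (HDR, rb'Profense', re.I),
        ],
        'radware': [
            (BODY, rb'Unauthorized Activity Has Been Detected.+Case Number:', re.I | re.S),
        ],
        'requestvalidationmode': [
            (BODY, b'ASP.NET has detected data in the request that is potentially dangerous', None),
            (BODY, b'Request Validation has detected a potentially dangerous client input value', None),
        ],
        'safe3': [
            (HDR, rb'Safe3WAF', re.I),
            (HDR, rb'Safe3 Web Firewall', re.I),
        ],
        'safedog': [
            (HDR, rb'WAF/2\.0', re.I),
            (HDR, rb'Safedog', re.I),
            (BODY, rb'safedog', re.I),
            (BODY, b'safedog.cn', None),
        ],
        'secureiis': [
            (BODY, rb'SecureIIS[^<]+Web Server Protection', 0),
            (BODY, b'http://www.eeye.com/SecureIIS/', None),
            (BODY, rb'\?subject=[^>]*SecureIIS Erro', 0),
        ],
        'senginx': [
            (BODY, b'SENGINX-ROBOT-MITIGATION', None),
        ],
        'sitelock': [
            (BODY, b'SiteLock Incident ID', None),
        ],
        'sonicwall': [
            (BODY, b'This request is blocked by the SonicWALL', None),
            (BODY, rb'Web Site Blocked.+\bnsa_banne', re.I),
            (HDR, rb'SonicWALL', re.I),
        ],
        'sophos': [
            (BODY, b'Powered by UTM Web Protection', None),
        ],
        'stingray': [
            (HDR, rb'\AX-Mapping-', re.I),
        ],
        'sucuri': [
            (HDR, rb'Sucuri/Cloudproxy', re.I),
            (BODY, b'Sucuri WebSite Firewall - CloudProxy - Access Denied', None),
            (BODY, rb'Questions\?.+cloudproxy@sucuri\.net', 0),
        ],
        'tencent': [
            (BODY, b'waf.tencent-cloud.com', None),
        ],
        'teros': [
            (HDR, rb'\Ast8(id|_wat|_wlf)', re.I),
        ],
        'trafficshield': [
            (HDR, rb'F5-TrafficShield', re.I),
            (HDR, rb'\AASINFO=', re.I),
        ],
        'urlscan': [
            (HDR, rb'Rejected-By-UrlScan', re.I),
            (BODY, rb'/Rejected-By-UrlScan', re.I),
        ],
        'uspses': [
            (HDR, rb'Secure Entry Serve', re.I),
        ],
        'varnish': [
            (HDR, rb'varnish\Z', re.I),
            (HDR, rb'varnish', re.I),
            (BODY, rb'\bXID: \d+', 0),
        ],
        'wallarm': [
            (HDR, rb'nginx-wallarm', re.I),
        ],
        'webknight': [
            (HDR, rb'WebKnight', re.I),
        ],
        'yundun': [
            (HDR, rb'YUNDUN', re.I),
        ],
        'yunsuo': [
            (BODY, rb'<img class="yunsuologo"', re.I),
            (HDR, rb'yunsuo_session', re.I),
        ],
        # Generic block-page phrases with no vendor attribution. They are
        # compared as UTF-8 bytes, so a page served in another encoding
        # (e.g. GBK) will not match.
        '存在未识别WAF': [
            (BODY, '您所提交的请求含有'.encode('utf-8'), None),
            (BODY, '如果您是网站管理员点击这里查看详情'.encode('utf-8'), None),
            (BODY, '已被网站管理员设置拦截!'.encode('utf-8'), None),
            (BODY, '注入拦截'.encode('utf-8'), None),
            # These two are separate entries; without a comma between them
            # they would fuse into a single string.
            (BODY, '您的请求带有'.encode('utf-8'), None),
            (BODY, '包含危险的攻击请求'.encode('utf-8'), None),
        ],
    }

    # First match wins, in table order.
    for k, v in waf_dic.items():
        for where, pattern, flags in v:
            data = haystacks[where]
            if flags is None:
                hit = pattern in data
            else:
                hit = re.search(pattern, data, flags) is not None
            if hit:
                return k
    return None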
if __name__ == '__main__':
    # Script entry point: fingerprint the sample host hard-coded by the
    # author and print the reported name (None when nothing matched).
    detected = scan_waf('http://www.laoyushu.net')
    print(detected)