企业web网站很多直接对internet提供服务,往往会被黑客作为恶意攻击的突破口,web的安全和企业的信息安全高度相连。
现实的管理中,在安全制度不完善的情况下,网站开发人员和维护人员经常因为业务紧急上线或者bug修复,私自上线新的内容或变更,安全人员往往在出现问题后追查时才发现,之前的安全环境或者代码已经都变更了。
今天介绍如何利用githut上的simpleautoburp项目,利用python脚本实现网站的定时的自动扫描,这样能够在更短的时间发现web系统的漏洞。github上的脚本针对linux平台,本文将脚本修改为在windows平台上运行。
一、工作原理:
利用crontab(linux平台)或任务计划程序(windows平台)定期执行simpleautoburp.py,该脚本利用burpsuitepro的restapi和配置文件config.json对目标主机进行web扫描。
二、脚本文件 simpleautoburp+config.json
simpleautoburp.py 是调用burp suite api的脚本,config.json是其配置文件。
simpleautoburp.py
from os import strerror
from subprocess import popen
import requests
import time
import subprocess
import logging
import os
import signal
import json
import sys
from datetime import datetime
#将configfile指向你的config.json文件
configfile = r"f:/pythoncode/simpleautoburp/simpleautoburp-main/config.json"
try:
with open(configfile) as json_data:
config=json.load(json_data)
except:
print("missing config.json file. make sure the configuration file is in the same folder")
sys.exit()
burpconfigs=config["burpconfigs"][0]
siteconfigs=config["sites"]
def set_logging():
global rootlogger
logformatter = logging.formatter("%(asctime)s [%(levelname)-5.5s] %(message)s")
rootlogger = logging.getlogger()
numericlevel = getattr(logging, burpconfigs["loglevel"].upper(), 10)
rootlogger.setlevel(numericlevel)
filehandler = logging.filehandler("{0}/{1}.log".format(burpconfigs["logpath"], burpconfigs["logfilename"]))
filehandler.setformatter(logformatter)
rootlogger.addhandler(filehandler)
consolehandler = logging.streamhandler()
consolehandler.setformatter(logformatter)
rootlogger.addhandler(consolehandler)
def execute_burp(site):
cmd = burpconfigs["java"] + " -jar -xmx" + burpconfigs["memory"] + " -djava.awt.headless="
+ str(burpconfigs["headless"]) + " " + burpconfigs["burpjar"] + " --project-file=" + site["project"] + " --unpause-spider-and-scanner"
try:
rootlogger.debug("executing burp: " + str(cmd))
p = popen(cmd, shell=true, stdout=subprocess.devnull, stderr=subprocess.devnull)
return p.pid
except:
rootlogger.error("burp suite failed to execute.")
exit()
def check_burp(site):
count = 0
url = "http://127.0.0.1:1337/"+ site["apikey"] +"/v0.1/"
time.sleep(10)
while true:
if count > burpconfigs["retry"]:
rootlogger.error("too many attempts to connect to burp")
exit()
else:
rootlogger.debug("cheking api: " + str(url))
init = requests.get(url)
if init.status_code == 200:
rootlogger.debug("api running, response code: " + str(init.status_code))
# let brup time to load extensions
time.sleep(30)
break
else:
rootlogger.debug("burp is not ready yet, response code: " + str(init.status_code))
time.sleep(10)
def execute_scan(site):
data = '{"urls":["'+ site["scanurl"] + '"]}'
url="http://127.0.0.1:1337/" + site["apikey"] + "/v0.1/scan"
rootlogger.info("starting scan to: " + str(site["scanurl"]))
scan = requests.post(url, data=data)
rootlogger.debug("task id: " + scan.headers["location"])
while true:
url="http://127.0.0.1:1337/" + site["apikey"] + "/v0.1/scan/" + scan.headers["location"]
scanresults = requests.get(url)
data = scanresults.json()
rootlogger.info("current status: " + data["scan_status"])
if data["scan_status"] == "failed":
rootlogger.error("scan failed")
kill_burp()
exit()
elif data["scan_status"] == "succeeded":
rootlogger.info("scan competed")
return data
else:
rootlogger.debug("waiting 60 before cheking the status again")
time.sleep(60)
def kill_burp(child_pid):
rootlogger.info("killing burp.")
try:
os.kill(child_pid, signal.sigterm)
rootlogger.debug("burp killed")
except:
rootlogger.error("failed to stop burp")
def get_data(data, site):
for issue in data["issue_events"]:
rootlogger.info("vulnerability - name: " + issue["issue"]["name"] + " path: " + issue["issue"]["path"] + " severity: " + issue["issue"]["severity"])
token=site["scanurl"].split('/')[2]
top_level=token.split('.')[-2]+'.'+token.split('.')[-1]
file = top_level + "-" + datetime.now().strftime("%y_%m_%d-%i_%m_%s_%p") + ".txt"
file = burpconfigs["scanoutput"] + file
rootlogger.info("writing full results to: "+ file)
with open(file, "w") as f:
f.write(str(data["issue_events"]))
def main():
set_logging()
for site in config["sites"]:
# execute burpsuite pro
child_pid = execute_burp(site)
# check if api burp is up
check_burp(site)
# execute scan
data = execute_scan(site)
# get vulnerability data
get_data(data, site)
# stop burp
rootlogger.info("scan finished, killing burp.")
kill_burp(child_pid)
if __name__ == '__main__':
main() config.json(这里面配置要扫描的站点, apikey在burpsuite里面生成)
{
"sites" : [{
"scanurl" : "http://192.168.168.180/",
"project" : "d:/temp/metasploitable2.burp",
"apikey" : "s44zgkwixsga8ewiasfdz7u5d2czsbhm"
}],
"burpconfigs" : [{
"memory" : "2048m",
"headless" : "true",
"java" : "c:/program files/java/jdk-11.0.11/bin/java.exe",
"burpjar" : "f:/download/burpsuite_pro_v2021.6.1.jar",
"retry" : 5,
"logpath" : "d:/temp/scanoutput/",
"logfilename" : "simpleautoburp",
"loglevel" : "debug",
"scanoutput" : "d:/temp/scanoutput/"
}]
}三、burp suite pro rest api服务开启方法
burp suite pro 开启rest api 界面
四、使用任务计划程序(taskschd.msc)自动执行脚本,这里不再啰嗦如何利用windows任务计划程序执行脚本,可以参考windows相关帮助文件。
使用simpleautoburp脚本来及时发现网站的安全漏洞是一种补救措施,我们更应该建立和遵循安全的软件发布流程,标准的软件发布流程我们可以参考itil中的发布,部署流程,也可以参考microsoft的sdl流程。
