Analysis of the WooYun Vulnerability Database

Updated: 11/10/2019

All vulnerabilities are alike, but every bug hunter hunts in their own way.

Recently I collected a large number of asset domains from SRC programs (vendor security response centers) and was working out how to scan them with an automated scanner, which is where this idea came from. The WooYun vulnerability database contains a great many sample cases, and nobody seems to have publicly compiled the payloads from it, so let me analyze it and learn from the WooYun veterans.

Process

The process itself was easy: I crawled a WooYun mirror and stored every vulnerability link that appeared. The format shown on the pages was not consistent, though, and only after manually testing thirty or forty samples did I finally get the extraction rules right.

The stored format looks roughly like this:

[image: a sample of a stored record]

The final saved JSON is about 30 MB in size.
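The tallies below are simple frequency counts over the stored records. As an added example (this is not the article's crawler or extraction code), here is how a set of such records, reduced to one URL per finding, can be turned into the port, path-by-extension and directory counts this post reports, plus the prioritized port list the port section concludes with. The URLs in SAMPLE_URLS are constructed for the example and are not WooYun data; the function names are the example's own.

```python
from collections import Counter
import posixpath
from urllib.parse import urlsplit

# Constructed sample records (not real WooYun data): one URL per finding, as a
# crawler like the one described above might store them.
SAMPLE_URLS = [
    "http://example-a.test:8080/admin/login.asp?id=1",
    "http://example-a.test:8080/news_show.asp?id=2",
    "http://example-b.test/index.php?m=home",
    "http://example-b.test/plus/search.php?keyword=x",
    "https://example-c.test:8443/login.jsp",
    "http://example-d.test:7001/console/login/LoginForm.jsp",
    "http://example-d.test:7001/uddiexplorer/SearchPublicRegistries.jsp",
    "http://example-e.test/.git/config",
    "http://example-e.test/root/chat.action",
    "not a url at all",            # malformed input must not crash the tally
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def port_of(url):
    """Port for a URL, falling back to the scheme default; None if unparseable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        return parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    except ValueError:            # e.g. "http://h:abc/" has a non-numeric port
        return None


def extension_of(path):
    """Lower-cased extension without the dot ('asp', 'php', ...), or None."""
    ext = posixpath.splitext(path)[1].lower().lstrip(".")
    return ext or None


def directory_of(path):
    """Directory part of a path, the way the article's directory table counts it."""
    d = posixpath.dirname(path)
    return d if d not in ("", "/") else None


def tabulate(urls):
    """Count ports, paths grouped by extension, and directories across records."""
    ports, paths, dirs = Counter(), {}, Counter()
    for url in urls:
        port = port_of(url)
        if port is None:
            continue
        ports[port] += 1
        path = urlsplit(url).path or "/"
        ext = extension_of(path)
        if ext:
            paths.setdefault(ext, Counter())[path] += 1
        d = directory_of(path)
        if d:
            dirs[d] += 1
    return ports, paths, dirs


def port_scan_list(ports, limit=1000):
    """Ports to scan, most frequently seen in findings first."""
    return [p for p, _ in ports.most_common(limit)]


def render_top(counter, n=10):
    """Plain two-column 'value | count' lines, the layout used in this article."""
    return [f"{value} | {count}" for value, count in counter.most_common(n)]


if __name__ == "__main__":
    ports, paths, dirs = tabulate(SAMPLE_URLS)
    print("\n".join(render_top(ports)))
    for ext, counter in paths.items():
        print(f"\n{ext.upper()} paths")
        print("\n".join(render_top(counter)))
    print("\nDirectories")
    print("\n".join(render_top(dirs)))
    print("\nScan list:", port_scan_list(ports))
```

Paths are counted case-sensitively on purpose, which is why tables like the ASP one below list /about.asp and /About.asp separately; fold case before counting if you want them merged.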

Findings

Top 100 ports with vulnerabilities

Port | Count
8080 | 6710
80 | 2458
81 | 1345
8081 | 925
7001 | 885
8000 | 882
8088 | 740
8888 | 735
9090 | 578
8090 | 477
88 | 446
8001 | 406
82 | 401
9080 | 350
8082 | 301
8089 | 265
9000 | 225
8443 | 206
9999 | 185
8002 | 162
89 | 160
8083 | 142
8200 | 141
8008 | 135
90 | 135
8086 | 129
801 | 127
8011 | 120
8085 | 120
9001 | 118
9200 | 117
8100 | 111
8012 | 108
85 | 105
8084 | 102
8070 | 101
7002 | 99
8091 | 94
8003 | 92
99 | 91
7777 | 84
8010 | 78
443 | 73
8028 | 72
8087 | 71
83 | 70
7003 | 70
10000 | 68
808 | 64
38888 | 64
8181 | 64
800 | 63
18080 | 63
8099 | 62
8899 | 62
86 | 62
8360 | 58
8300 | 57
8800 | 52
8180 | 52
3505 | 49
7000 | 49
9002 | 47
8053 | 43
1000 | 42
7080 | 40
8989 | 38
28017 | 38
9060 | 36
888 | 34
3000 | 34
8006 | 34
41516 | 34
880 | 34
8484 | 34
6677 | 33
8016 | 32
84 | 32
7200 | 31
9085 | 30
5555 | 30
8280 | 29
7005 | 29
1980 | 29
8161 | 28
9091 | 27
7890 | 27
8060 | 27
6080 | 27
8880 | 26
8020 | 26
7070 | 26
889 | 26
8881 | 24
9081 | 24
8009 | 24
7007 | 24
8004 | 23
38501 | 23
1010 | 23

The total number of distinct ports came to 1104, which means a port scan only needs to cover these roughly one thousand ports, saving a great deal of scanning time.

Path statistics

ASP Top 100

Path | Count
/news_show.asp | 233
/about.asp | 205
/news.asp | 201
/login.asp | 173
/index.asp | 167
/admin/login.asp | 141
/list.asp | 130
/show.asp | 112
/shownews.asp | 88
/search.asp | 85
/News_show.asp | 85
/product.asp | 83
/news_list.asp | 70
/article.asp | 67
/view.asp | 59
/default_standard.asp | 59
/info.asp | 58
/news_more.asp | 57
/newshow.asp | 54
/news_detail.asp | 48
/news_view.asp | 47
/admin/index.asp | 46
/products.asp | 46
/nzcms_list_news.asp | 46
/read.asp | 44
/index1.asp | 44
/detail.asp | 43
/contact.asp | 42
/tt/inc/login.asp | 41
/default.asp | 41
/readnews.asp | 40
/mucc/about.asp | 39
/doc/page/main.asp | 38
/About.asp | 37
/onews.asp | 37
/cp.asp | 37
/News.asp | 36
/content.asp | 36
/doc/page/login.asp | 36
/productshow.asp | 35
/view_n.asp | 34
/new.asp | 33
/pic.asp | 33
/newsDetail.asp | 33
/job.asp | 33
/_JBRCMS/Manager/jbr_UploadConfig.asp | 33
/newsinfo.asp | 32
/newsbrow.asp | 30
/newsview.asp | 29
/admin/admin_login.asp | 29
/class.asp | 28
/ProductShow.asp | 28
/productview.asp | 28
/Article_Print.asp | 27
/newsshow.asp | 27
/LstInfo.asp | 27
/page.asp | 25
/jiannya/default.asp | 25
/CompHonorBig.asp | 24
/adminqibo5/Edit/editor/resurm_upfile.asp | 24
/feedback.asp | 23
/viewnews.asp | 22
/manage/login.asp | 22
/ShowNews.asp | 22
/more.asp | 22
/hn_type.asp | 22
/1.asp | 21
/service.asp | 20
/admin/Login.asp | 20
/readpro.asp | 20
/sbweb/nameedit.asp | 20
/Body.asp | 20
/opensoft.asp | 20
/main.asp | 19
/showcareer.asp | 19
/company.asp | 19
/Pro_shcn.asp | 19
/jjweb/nameedit.asp | 19
/cpinfo.asp | 19
/Htmledit/admin/login.asp | 19
//liuyan.asp | 19
/showfwly.asp | 19
/MoralsView.asp | 18
/user/reg.asp | 18
/product_show.asp | 18
/fuwu_list.asp | 18
/lesiure/up.asp | 18
/shell.asp | 17
/admin.asp | 17
/admin/admin.asp | 17
/showservices.asp | 17
/manage/html/ewebeditor/admin_login.asp | 17
/Newsview.asp | 17
/admin/Admin_Login.asp | 16
/down.asp | 16
/info_Print.asp | 16
/person/mailbox.asp | 16
/jieshao.asp | 16
/type.asp | 16
/product_cate.asp | 16

ASPX Top 100

Path | Count
/Default.aspx | 349
/login.aspx | 341
/UIFrameWork/login.aspx | 307
/Login.aspx | 288
/Detail.aspx | 209
/admin/login.aspx | 157
/index.aspx | 127
/default.aspx | 124
/OT.OA.WEB/UIFrameWork/login.aspx | 76
/search.aspx | 58
/userlogin.aspx | 57
/list.aspx | 54
/Admin/login.aspx | 48
/custom/GroupNewsList.aspx | 45
//SubCategory.aspx | 42
/manage/login.aspx | 38
/aspx/gqxx.aspx | 38
/newsView.aspx | 38
/news.aspx | 37
/Search.aspx | 34
/admin/index.aspx | 31
/Web/Login/PSCP01001.aspx | 30
/city_index.aspx | 30
/main.aspx | 29
/newslist.aspx | 29
/admin/Login.aspx | 28
/show.aspx | 28
/Admin/Index.aspx | 27
/SubCategory.aspx | 26
/G2S/AdminSpace/QE/AddCustomForm.aspx | 26
/NewsList.aspx | 25
/Index.aspx | 24
/about.aspx | 23
/gmis/leftmenu.aspx | 23
/Permission/Application_Query_List.aspx | 22
/test.aspx | 22
/site/ajax/WebSiteAjax.aspx | 22
/select_e.aspx | 22
/ExhibitionCenter.aspx | 22
/system/stu_user_regist.aspx | 21
/News.aspx | 21
/workplate/xzsp/gxxt/tjfx/spsl.aspx | 21
/manager/member/admin_add.aspx | 20
/workplate/xzsp/tjfx/grbjtj/list.aspx | 20
/zfmllist.aspx | 20
/workplate/base/person/listbyorgsel.aspx | 20
/NewsDetail.aspx | 19
/Supplylist.aspx | 19
/Product/ProductList.aspx | 19
/Web/Login.aspx | 18
/articleview.aspx | 18
/model/TwoGradePage/equipmentlist.aspx | 18
/json_db/other_report.aspx | 18
/json_db/flight_return.aspx | 18
//bos/desktop/RequestOrResponse.aspx | 18
/Broadcast/Broadcast.aspx | 18
/json_db/meb_list.aspx | 18
/searchbargain.aspx | 18
/json_db/air_company.aspx | 18
/RiskInfo.aspx | 18
/owa/auth/logon.aspx | 17
/WebDefault3.aspx | 17
/article.aspx | 17
/G2S//AdminSpace/PublicClass/AddCourseWare.aspx | 17
/news_view.aspx | 16
/info.aspx | 16
/CommonPage.aspx | 16
/DownLoadPage.aspx | 16
/fckeditor/editor/filemanager/connectors/aspx/connector.aspx | 16
/support/minisite/thinkpad/htmls/advancedsearch.aspx | 16
/emlib4/format/release/aspx/eml_homepage.aspx | 16
/Gmis/Byyxwgl/xls_lwdbxxedit.aspx | 16
/CMSUploadFile.aspx | 16
/Main.aspx | 15
/OrderDetail.aspx | 15
/webSchool/list.aspx | 15
/Magazine/NewMagazine.aspx | 15
/k4/list.aspx | 15
/k1/preview.aspx | 15
/MoreIndex.aspx | 15
/sysadmin/Login.aspx | 15
/persondh/urgent.aspx | 15
/OnlineQuery/QueryList.aspx | 15
/Broadcast/displayNewsPic.aspx | 15
/Web/News.aspx | 15
/ModifyPassWord.aspx | 15
/ftb.imagegallery.aspx | 14
/TableDataManage/BaseInforQueryContent.aspx | 14
/presellbuild.aspx | 14
/tabid/2159/Default.aspx | 14
/cart.aspx | 14
/G2S/AdminSpace/PublicClass/AddCathedraWare.aspx | 14
/admin/course/uploaddemo.aspx | 14
/searchLines.aspx | 14
/help/pendantShow.aspx | 14
/BsGuide.aspx | 13
/NewsView.aspx | 13
/Admin/fileManage.aspx | 13
/ShowNews.aspx | 13
/Web_Site/Search.aspx | 13

JSP Top 100

Path | Count
/login.jsp | 317
/index.jsp | 176
/kingdee/login/loginpage.jsp | 160
/get_pwd.jsp | 126
/zecmd/zecmd.jsp | 109
/console/login/LoginForm.jsp | 103
/login/Login.jsp | 88
/customer.jsp | 87
/is/index.jsp | 81
/uddiexplorer/SearchPublicRegistries.jsp | 79
/yyoa/common/js/menu/test.jsp | 74
/jcms/interface/user/out_userinfo.jsp | 59
/seeyon/index.jsp | 53
/download.jsp | 53
/yyoa/checkWaitdo.jsp | 50
/admin/login.jsp | 49
/list.jsp | 46
/defaultroot/login.jsp | 45
/upload5warn/shell.jsp | 45
/search.jsp | 43
/myname/wooyun.jsp | 40
/web/epublic/upload.jsp | 39
/yyoa/indexPass.jsp | 39
/yyoa/common/selectPersonNew/initData.jsp | 37
/bak.jsp | 35
/yyoa/index.jsp | 35
/postAjax.jsp | 35
/cK/foot.jsp | 34
/tools/SWFUpload/upload.jsp | 32
/nei.jsp | 32
/1.jsp | 31
/wooyun.jsp | 31
/is/cmd.jsp | 30
/download/download.jsp | 29
/cmd.jsp | 29
/webschool/News/news_list.jsp | 28
/chopper/chopper.jsp | 27
/business/notifyView.jsp | 27
/sofpro/gecs/consulmanage/wsts/bbs_title_list1.jsp | 27
/live800/downlog.jsp | 26
/Silic.jsp | 26
/edoas2/oa.jsp | 26
/wooyun/wooyun.jsp | 25
/jmxroot/jmxroot.jsp | 25
/manage/content/docmanage/download.jsp | 25
/ConInfoParticular.jsp | 24
/uddiexplorer/out.jsp | 23
/1/sx/login.jsp | 23
/templates/index/hrlogon.jsp | 23
/comm_front/tzzx/uploadImageFile_do.jsp | 23
/yyoa/ext/https/getSessionList.jsp | 22
/admin/index.jsp | 22
/shell.jsp | 22
/admin/upload.jsp | 22
/detail.jsp | 22
/1/sjleader/login.jsp | 22
/admin/select.jsp | 22
/admin/fxx.jsp | 22
/jbossass/jbossass.jsp | 21
/yyoa/HJ/iSignatureHtmlServer.jsp | 21
/eol/homepage/common/index.jsp | 21
/a/pwn.jsp | 21
/web/common/getfile.jsp | 21
/upload.jsp | 20
/test.jsp | 20
/homepage/LoginHomepage.jsp | 20
/page/maint/common/UserResourceUpload.jsp | 20
/zpsys/index.jsp | 20
/vc/vc/para/opr_initvc.jsp | 20
/pages/manager/managerAddNManager.jsp | 20
/hdcy/zxzx_show.jsp | 20
/yyoa/assess/js/initDataAssess.jsp | 19
/upload5warn/wooyun.jsp | 19
/cms/weblawcase/impList.jsp | 19
/nicknamelogin.jsp | 19
/ca/ma3.jsp | 19
/gkznInfo.jsp | 19
/myname/index.jsp | 18
/df/index.jsp | 18
/guige.jsp | 18
/coremail/index.jsp | 18
/syfile/swfUpload.jsp | 18
/admin/protected/index.jsp | 17
/2/sjtj/login.jsp | 17
/news.jsp | 17
/site/law_artile.jsp | 17
/zwdtSjgl/Directory/lastDirList_iframe.jsp | 17
/content/topicdeal.jsp | 17
/webschool/Book/news_list.jsp | 17
//web/careerapply/HrmCareerApplyPerView.jsp | 16
/cms/web/downloadFiles.jsp | 16
/TSPB/web/xzzx/xzzx.jsp | 16
/prosec.jsp | 16
/adminroot/common/downLoadFile.jsp | 16
/uddiexplorer/SetupUDDIExplorer.jsp | 15
/kingdee/login/loginpage2.jsp | 15
/wui/theme/ecology7/page/login.jsp | 15
/f1print/F1PrintKernelJ1.jsp | 15
/login/login.jsp | 15
/eln3_asp/public/cscec8b/bulletin.jsp | 15

PHP Top 100

Path | Count
/index.php | 2456
/admin.php | 278
/login.php | 243
/forum.php | 240
/share/share.php | 227
/news.php | 208
/info.php | 191
/phpinfo.php | 181
/plus/search.php | 173
/test.php | 162
/admin/login.php | 162
/src/system/login.php | 146
/article.php | 140
/plus/recommend.php | 138
/search.php | 136
/list.php | 132
/api.php | 117
/admin/index.php | 117
/CmxDownload.php | 113
/about.php | 109
/news_show.php | 98
/download.php | 97
/home.php | 81
/login/login.php | 80
/user.php | 79
/show.php | 76
/page.php | 71
/product.php | 68
/wp-login.php | 67
/main.php | 67
/detail.php | 65
/news_detail.php | 64
/faq.php | 64
/default.php | 60
/content.php | 59
//plus/recommend.php | 58
/news_display.php | 57
/up/UploadTemp/eval.php | 57
/down.php | 55
/www/index.php | 55
/user/storage_explore.php | 54
/abouts.php | 53
/uc_server/admin.php | 50
/rss.php | 49
/wescms/index.php | 49
/1.php | 45
/news_info.php | 43
/products_display.php | 42
/newsdetail.php | 41
/phpmyadmin/index.php | 39
/class.php | 39
/more.php | 38
//index.php | 38
/userlist.php | 37
/plugin.php | 36
/*.php | 36
/products.php | 35
/pics_list.php | 34
/plus/mytag_js.php | 34
/news_list.php | 34
/newsinfo.php | 34
/smenu.php | 33
/include/web_content.php | 31
/batch.common.php | 31
/space.php | 30
/modules.php | 30
/view.php | 30
/read.php | 30
/job.php | 30
/do.php | 29
/link.php | 29
/displaynews.php | 29
/viewthread.php | 28
/m.php | 28
/web/index.php | 28
/member/index.php | 28
/ajax.php | 27
/impl/rpc_company_info_minkh.php | 27
//plus/search.php | 27
/thi.php | 27
/i.php | 26
/member.php | 25
/webmail/login.php | 25
/admincp.php | 25
/download_list.php | 25
/cmxlogin.php | 25
/auto_reg.php | 25
/register.php | 24
/news/class/index.php | 24
/prog/index.php | 24
/thi_details.php | 23
/topic.php | 23
/shopadmin/index.php | 23
/cp.php | 23
/phpsso_server/index.php | 23
/common/web_meeting/index.php | 23
/cn/products.php | 23
/Customize/Audit/MessageMonitor/groupSearch.php | 23
/new/client.php | 23
/notice.php | 22

Action Top 100

Path | Count
/root/chat.action | 429
/login.action | 291
/index.action | 227
/homeLogin.action | 46
/portal/login_init.action | 46
/stardy/Login.action | 40
/login_login.action | 24
/license!getExpireDateOfDays.action | 23
/indexAction.action | 23
/index/downLoadFile.action | 22
/common/common_info.action | 21
/pages/xxfb/editor/uploadAction.action | 21
/accountlossList.action | 21
/ggxxfb.action | 21
/ivhs/ajax_updateUserInfo.action | 20
/download.action | 19
/Login.action | 19
/syfile/imageCompress.action | 18
/managerOneGgxxfb.action | 18
/user/login.action | 17
/loginAction!login.action | 16
/index!index.action | 15
/login/login.action | 15
/managerNManager.action | 15
/home.action | 14
/indexmanagerLogin.action | 14
/ahsffyww/Default3.action | 14
/DRP/login.action | 12
/spam/system/index.action | 12
/user/gotoLoginPage.action | 12
/ecp/announcement/announcement_view2.action | 12
/managerAddNManager.action | 12
/managerEditNManager.action | 12
/main.action | 11
/system/login_login.action | 11
/login!login.action | 10
/loginAction.action | 10
/login/index.action | 10
/logout.action | 10
/register.action | 10
/security/loginInit.action | 10
/bgxz/bgxzAction_executeBack.action | 10
/nFixcardAllList.action | 10
/beian/login_login.action | 10
//opac_two/mylibrary/comment/queryAllComment.action | 10
/module/newzwgk/getmainById.action | 10
/index/index.action | 9
/shop/member!passwordRecover.action | 9
/mail/login.action | 9
/admin/login.action | 9
/htweixin/InsuranceDownload.action | 9
//admin/user_logon.action | 9
/BSBM/loginedLogin.action | 9
/robot/check-login.action | 8
/website/dflz/dflzSiteAction!sjList.action | 8
/module/newzwgk/viewquan.action | 8
/hbwz/wcms/searchAll.action | 8
/ahsffyww/Default2.action | 8
/wfvideo/login.action | 8
/website-rank/addVoteRecord.action | 8
/module/newzwgk/viewZwxxQianMore.action | 8
/superadmin/index.action | 7
/mall/ui/giftIndex.action | 7
/userlogin.action | 7
/cms/admin/login.action | 7
/szxy/logon.action | 7
/virtual/shouye.action | 7
/feedback/buyIntention!saveBuyIntentionInfo.action | 7
/superadmin/adminLogin.action | 7
/Index.action | 7
/security/login.action | 7
/MemberToLoginIgnore.action | 7
/rdms/satisfyaid/actions/cstContactAction!register.action | 7
/regmail/download.action | 7
/IndexAction.action | 6
/publish/query/indexFirst.action | 6
/manage/login.action | 6
/home/index.action | 6
/eeoaftp/downloadFile.action | 6
/eis/index.action | 6
/gzwl/visit/renewBusinessOrder/renewBusinessOrderDetail.action | 6
/css/myquery/queryWQSBill.action | 6
/LoginAction.action | 6
/detail.action | 6
/index/index!list.action | 6
/auth/login.action | 6
/server/spreq/attachment!download.action | 6
/lmsv5/user!editUserInfo.action | 6
/5clib/bookWeb.action | 6
/otomc/user/loginUI.action | 6
/im-client/imclient/selfHelp.action | 6
/ahsffyww/ZXDefault2.action | 6
/user!login.action | 6
/Dzsw/Shky/hwky.wai/index.action | 6
/aic/webnz/welcome-web-home!welcome.action | 6
/ess/Homepage.action | 6
/skypearl/cn/toPrintCard.action | 6
/spdt/spdt_listSp.action | 6
/xxsearch.action | 6
/web/Info!list.action | 6

Directory Top 100

Path | Count
/admin | 2639
/user | 848
/.svn | 825
/.git | 670
/login | 615
/plus | 550
/news | 533
/web | 517
/upload | 495
/manager | 469
/xxgk/services | 465
/root | 437
/manage | 411
/ftp/com1/html | 409
/cgi-bin | 406
/servlet | 348
/content | 333
/api | 331
/share | 329
/member | 315
/UIFrameWork | 309
/cn | 277
/bbs | 275
/jmx-console | 273
/index | 245
/invoker | 244
/s | 231
/phpmyadmin | 222
/search | 220
/Admin | 211
/papers | 208
/yyoa | 207
/common | 206
/system | 202
/opac | 196
/account | 196
/uddiexplorer | 195
/ajax | 190
/cms | 188
/2001 | 187
/kingdee/login | 178
/Gmis/xw | 173
/1999 | 168
/include | 164
/portal | 161
/back/ticket | 161
/oa | 159
/Gmis/Byyxwgl | 158
/home | 156
/data | 155
/src/system | 148
/WEB-INF | 141
/main | 140
/Chinese | 134
/order | 132
/gov/services | 132
/wap | 131
/console | 130
/app | 130
/is | 129
/Web | 127
/resin-doc/resource/tutorial/jndi-appconfig | 126
/seeyon | 124
/config | 123
/images | 121
/download | 120
/view | 118
/public | 117
/product | 117
/model/TwoGradePage | 117
/knowledge/ClassShow | 115
/en | 114
/zecmd | 114
/m | 114
/soap/envelope | 112
/about | 111
/install | 110
/tushu | 107
/ckq | 107
/poweb | 106
/tips | 105
/resin-doc/viewfile | 104
/www | 104
/console/login | 103
/html | 103
/bbs/topic | 103
/data/admin | 103
/wscgs | 102
/sys | 102
/test | 99
/list | 99
/v_show | 98
/p | 97
/fckeditor/editor/filemanager/browser/default | 97
/User | 96
/uc_server | 96
//plus | 96
/site | 95
/detail | 95
/index.php | 94

Parameter analysis

Because an automated program cannot pick out which parameter was the vulnerable one, I simply brute-force extracted every parameter from every URL. These top parameters are therefore not necessarily representative, but they should make a decent dictionary.

GET parameters Top 100

Parameter | Count
id | 6845
action | 1643
type | 1503
m | 1013
a | 992
c | 855
act | 829
page | 813
uid | 616
url | 585
method | 545
cid | 545
ID | 528
mod | 521
aid | 490
keyword | 474
key | 449
t | 449
q | 444
callback | 427
sid | 426
s | 421
name | 407
tid | 399
pid | 392
code | 354
r | 316
p | 307
file | 301
Type | 294
do | 294
redirect | 292
username | 291
_ | 278
op | 259
filename | 252
path | 251
from | 230
classid | 227
f | 222
fid | 221
app | 213
cmd | 213
typeid | 203
_FILES | 201
ac | 194
title | 192
fileName | 191
userid | 190
v | 189
flag | 176
catid | 170
Connector | 166
bid | 158
order | 150
wd | 150
mid | 150
lang | 145
nid | 143
city | 142
CurrentFolder | 139
newsid | 138
Command | 137
password | 131
d | 128
source | 127
sort | 126
user | 125
token | 122
module | 120
class | 118
userId | 115
dir | 113
ie | 111
Id | 108
pwd | 107
num | 106
email | 103
appid | 102
u | 102
mobile | 102
i | 102
keywords | 100
version | 100
status | 99
gid | 99
typeArr | 96
g | 96
service | 95
o | 95
ArticleID | 94
query | 94
filePath | 94
orderId | 94
redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D | 93
category | 92
word | 92
user_id | 92
k | 91
channel | 90

POST parameters Top 100

Parameter | Count
password | 457
__VIEWSTATE | 430
__EVENTVALIDATION | 315
username | 313
__EVENTTARGET | 210
__EVENTARGUMENT | 210
type | 145
name | 113
id | 111
Submit | 109
__VIEWSTATEGENERATOR | 103
action | 98
email | 97
mobile | 87
page | 86
submit | 85
pwd | 67
uid | 66
act | 64
phone | 59
code | 54
userName | 54
keyword | 52
__LASTFOCUS | 50
city | 50
<a href | 47
userid | 47
content | 43
account | 42
y | 42
address | 41
x | 41
UserName | 40
title | 39
button | 39
token | 38
Password | 37
Button1 | 37
passwd | 37
province | 36
tel | 36
sex | 35
pageSize | 33
txtPassword | 29
userId | 29
version | 29
txtUserName | 29
url | 28
sort | 28
key | 27
ImageButton1.y | 27
ImageButton1.x | 27
user | 27
pageNo | 25
method | 25
status | 24
login | 22
sid | 22
channel | 22
qq | 21
flag | 21
TextBox1 | 20
btnSearch | 20
pass | 20
user_id | 20
domain | 20
rows | 20
?> | 19
from | 19
sign | 19
uname | 19
order | 19
txtPwd | 19
pid | 18
btnLogin | 18
pageIndex | 18
search | 18
keywords | 18
loginName | 18
lang | 17
user_name | 17
timestamp | 17
imei | 17
PassWord | 17
captcha | 16
number | 16
language | 16
B1 | 16
appid | 16
area | 15
hash | 15
} | 15
(b)((‘\43context[\’xwork.MethodAccessor.denyMethodExecution\’]\75false’)(b)) | 14
(‘\43c’)((‘\43_memberAccess.excludeProperties<a href | 14
imageField.y | 14
imageField.x | 14
limit | 14
loginname | 14
txtName | 14
cmd | 14

Cookie parameters Top 100

Parameter | Count
__utma | 226
__utmz | 221
__utmc | 169
__utmb | 142
HMACCOUNT | 126
bdshare_firstime | 100
pgv_pvi | 99
_ga | 91
BAIDUID | 80
__utmt | 71
pgv_si | 69
AJSTAT_ok_times | 56
ci_session | 55
_gat | 49
uid | 37
CheckCode | 33
safedog-flow-item | 33
SERVERID | 31
lzstat_uv | 27
username | 23
IESESSION | 23
vjuids | 23
ECS_ID | 22
ECS[display] | 21
ECS[history] | 21
AJSTAT_ok_pages | 21
ECS[visit_times] | 18
pgv_pvid | 18
SUV | 18
vjlast | 18
city | 17
iweb_hisgoods[15] | 16
IPLOC | 15
cck_count | 15
cck_lasttime | 15
lvsessionid | 14
LXB_REFER | 14
iweb_hisgoods[26] | 13
cookie | 13
CoreID6 | 13
NTKF_T2D_CLIENTID | 13
userName | 12
loginName | 12
BAIDU_DUP_lcr | 12
td_cookie | 12
ECSCP_ID | 12
_jzqx | 12
userid | 12
hd_sid | 11
real_ipd | 11
password | 11
route | 11
vary | 11
nTalk_CACHE_DATA | 11
token | 11
WT_FPC | 10
ADMINCONSOLESESSION | 10
pgv_info | 10
nickname | 10
guid | 10
jiathis_rdc | 10
HMVT | 10
tma | 10
tmd | 10
s | 10
S[CART_TOTAL_PRICE] | 10
S[CART_COUNT] | 10
S[CART_NUMBER] | 10
sessionid | 10
_jzqa | 10
looyu_id | 10
dyh_lastactivity | 9
SESSIONID | 9
s_cc | 9
s_sq | 9
.ASPXAUTH | 9
DedeUserID | 9
DedeUserID__ckMd5 | 9
sid | 9
user | 9
clientlanguage | 9
_jzqc | 9
lang | 9
wordpress_test_cookie | 8
__qc_wId | 8
language | 8
hasshown | 8
cityid | 8
myie | 8
s_nr | 8
__RequestVerificationToken | 8
(empty name) | 8
DedeUsername | 8
DedeUsername__ckMd5 | 8
loginState | 8
ip_ck | 8
vn | 8
lv | 8
pageReferrInSession | 8
__cfduid | 8

Historical vulnerability parameter API

Honestly, I cannot see much in the top lists above either, but after compiling these dictionaries another idea came up. A while ago someone abroad trained a deep-learning model on the source code and structure of a large body of open-source software and built a programming assistant: when you type the first half of a piece of code, it guesses your intent and completes the second half, and it works reasonably well.

So, having analyzed these samples, I can build a similar API: given a URL or a request captured from Burp Suite, the API parses the domain and returns that domain's historical vulnerabilities and their types; it also parses the parameters (GET, POST, cookie) and matches each against the historical vulnerability database, returning the historical vulnerabilities and vulnerability types associated with that parameter.

Integrating this API into a scanner or into Burp Suite would make a nice auxiliary tool~
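The matching step of the API described above, as an added example that is not the article's code or the wooyun-payload plugin. It also covers the caveat from the parameter analysis section: names harvested by blindly splitting query strings include percent-encoded payload fragments and scraped HTML, so the lookup keeps only identifier-like names and reports the rest as ignored. HISTORY is a constructed toy store (not the real WooYun data), NAME_RE is the example's own filter, and SAMPLE_REQUEST is a constructed request in the raw form Burp Suite passes to an extension, not a real capture.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed toy history store (not the article's data). "hosts" maps a host to
# its past findings; "params" maps a parameter name to the vulnerability types it
# was seen in, with how often.
HISTORY = {
    "hosts": {
        "www.example-a.test": [
            {"title": "SQL injection in news_show.asp", "type": "SQL injection"},
            {"title": "Weak admin password", "type": "weak credentials"},
        ],
    },
    "params": {
        "id": {"SQL injection": 4100, "information disclosure": 120},
        "url": {"SSRF": 230, "open redirect": 180},
        "file": {"arbitrary file read": 150},
        "password": {"weak credentials": 300},
        "__VIEWSTATE": {},        # seen often, but with no vulnerability attributed
    },
}

# Names harvested by blindly splitting query strings include payload fragments and
# scraped HTML (the article's top lists contain both); keep identifier-like names only.
NAME_RE = re.compile(r"^[A-Za-z0-9_.\[\]-]{1,64}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into host, path and GET/POST/cookie parameter names."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    parts = urlsplit(target)
    # Only a form-encoded body splits into name=value pairs; JSON or multipart bodies do not.
    is_form = "application/x-www-form-urlencoded" in headers.get("content-type", "")
    params = {
        "get": [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)],
        "post": [k for k, _ in parse_qsl(body.strip(), keep_blank_values=True)] if is_form else [],
        "cookie": [c.split("=", 1)[0].strip()
                   for c in headers.get("cookie", "").split(";") if c.strip()],
    }
    return {"method": method, "host": headers.get("host") or parts.hostname or "",
            "path": parts.path, "params": params}


def lookup(raw, history=HISTORY):
    """Return the host's past findings and, per parameter, the types it was seen in."""
    req = parse_request(raw)
    result = {"host": req["host"],
              "host_history": history["hosts"].get(req["host"], []),
              "param_history": {}, "ignored": []}
    for where, names in req["params"].items():
        for name in names:
            if not NAME_RE.match(name):
                result["ignored"].append((where, name[:40]))
                continue
            hits = history["params"].get(name)
            if hits:                              # skip names with no attributed type
                ranked = sorted(hits.items(), key=lambda kv: -kv[1])
                result["param_history"][(where, name)] = dict(ranked)
    return result


# Constructed request in the raw form a Burp Suite extension receives (not a real capture).
SAMPLE_REQUEST = (
    "POST /login.aspx?id=7&url=http://x.test/ HTTP/1.1\r\n"
    "Host: www.example-a.test\r\n"
    "Cookie: ASP.NET_SessionId=abc; __utma=1.2.3\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=secret&__VIEWSTATE=dDwx&<a href=x"
)

if __name__ == "__main__":
    hit = lookup(SAMPLE_REQUEST)
    print("host:", hit["host"], "->", [h["type"] for h in hit["host_history"]])
    for (where, name), types in hit["param_history"].items():
        print(f"{where} {name}: {types}")
    print("ignored:", hit["ignored"])
```

The result is a prioritization hint, not a finding: a parameter named id has been seen in thousands of injection reports, which says where to look first, not that this request is vulnerable. Keying the history on the exact name is deliberate; the tables above show that id, ID and Id occur separately, and folding case would merge their histories.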

Update 2019.12.22

The Burp Suite plugin is finished: https://github.com/boy-hack/wooyun-payload
