0×01 撸起袖子开干
人生苦短,我用Python!
Python强大的库、简洁语言以及开发迅速等特点,深受广大程序开发者喜爱。那么我们就用Python来开发吧!
0×02 步骤解析
1.登陆Github
登陆这里设置了一个坑,登陆
https://github.com/login
会跳转到
https://github.com/session
,然后提交请求主体。而主体包含了如下参数:
“commit=Sign+in&utf8=%E2%9C%93&authenticity_token=sClUkea9k0GJ%2BTVRKRYsvLKPGPfLDknMWVSd%2FyWvyGAR9Zz09bipesvXUo8ND2870Q2FEVsQWFKScyqtV0w1PA%3D%3D&login=YourUsername&password=YourPassword”
commit、uft8、login和password值相对来说是固定的,我们要做到工具登陆,那么需要获取到authenticity_token这个值,然后一起通过POST方法提交。那应该如何获取该值呢?
我们打开浏览器尝试手动正常登陆,同时按F12打开“开发者工具”,输入用户名和密码可以看到跳转到
https://github.com/session
,而authenticity_token的值就在如下图位置:
虽然是隐藏的,但是我们可以通过Xpath来获取它,然后跟其他参数一起提交登陆Github。看代码:
2.查询关键词及结果呈现
登陆后请求查询的URL,然后获取响应的页面,使用xpath解析节点获取想要的信息。关于xpath的语法请看这里
http://www.runoob.com/xpath/xpath-tutorial.html
我们还要将获取的信息写入表格里面,便于以后查看。详情如下:def hunter(gUser,gPass,keyword,payloads): global sensitive_list global tUrls sensitive_list = [] tUrls = [] try: #创建表格 csv_file = open('leak.csv','w',encoding='utf-8',newline='') writer = csv.writer(csv_file) #写入表头 writer = writerow(['URL','Username','Upload Time','Filename']) #搜索信息 s = login_github(gUser,gPass) print('登陆成功,正在检索泄露信息......') sleep(1) for page in tqdm(range(1,6)): #检索1到6页匹配关键词keyword的结果 search_code = 'https://github.com/search?p=' + str(page) + '&q=' + keyword + '&type=Code' resp = s.get(search_code) results_code = resp.text dom_tree_code = etree.HTML(results_code) #采用lxml提供的etree来解析结果 Urls = dom_tree_code.xpath('//div[@class="d-inline-block col-10"]/a[2]/@href') #获取仓库地址 users = dom_tree_code.xpath('//a[@class="text-blod"]/text()') #获取用户名 datetime = dom_tree_code.xpath('//relative-time/text()') #获取上传时间 filename = dom_tree_code.xpath('//div[@class="d-inline-block col-10"]/a[2]/text()') #获取上传的文件名称 for i in range(len(Urls)): for Url in Urls: Url = 'https://github.com' + Url #获取的URl被截断,所以需要加入前缀便于访问 tUrls.append(Url) writer.writerow([tUrls[i],users[i],datetime[i],filename[i]]) #写入表格文件 ''' 以下部分主要是获取泄露的raw代码,然后在代码中搜索用户自定义的payload,例如 password,username,IP等等,然后把存在敏感关键词的URL存放在sensitvie_list列表中,用于后续的邮件发送预警。 ''' for raw_url in Urls: url = 'https://raw.githubusercontent.com' + raw_url.replace('/blob','') code = requests.get(url).text for payload in payloads: if payload in code: leak_url = '命中的Payload为:' + payload + ' ' + 'https://github.com' + raw_url + ' ' + '代码如下: ' + code + ' ' sensitive_list.append(leak_url) csv_file.close() return sensitive_list except Exception as e: print(e)
以上代码的核心主要是采用xpath解析DOM树,然后根据需要的数据逐一获取然后写入表格中。最后请求raw.githubusercontent.com来获取源代码,根据用户提供的payload进行逐一匹配,如果匹配则记录payload、URL以及代码,然后发送邮件预警。
3.邮件预警
其实邮件发送部分不是工具的重点,但是还是有必要贴上代码部分。请看:
def send_warning(host,username,password,sender,receivers,content) def _format_addr(s): name,addr = parseaddr(s) return formataddr((Header(name,'utf-8').encode(),addr) msg = MIMEMultipart() msg['From'] = _format_addr('Github安全监控' % sender) msg['To'] = ''.join(receivers) Subject = 'Github敏感信息泄露通知' msg['Subject'] = Header(Subject,'utf-8').encode() msg.attach(MIMEText('Dear all 请注意,怀疑Github上已经上传敏感信息!以下是可能存在敏感信息的仓库! '+content+' ')) with open('leak.csv','rb') as f: m = MIMEBase('excel','csv',filename='leak.csv') m.add_header('Content-Disposition','attachment',filename = 'leak.csv' m.add_header('Content-ID','<0>') m.add_header('X-Attachment-ID','0') m.set_payload(f.read()) encoders.encode_base64(m) msg.attach(m) try: server = smtplib.SMTP(host,25) server.login(username,password) server.sendmail(sender,receivers,msg.as_string()) print('邮件发送成功!') except Exception as err: print(err) server.quit()
4.配置文件读取
我们将创建一个.ini的文件,便于工具读取我们想要传入工具的关键词、用户名、密码以及payload等等。ini配置文件定义如下:
[KEYWORD]keyword = your main keyword here[EMAIL]host = Email serveruser = Email Userpassword = Email password[SENDER]sender = The email sender[RECEIVER]receiver1 = Email receiver No.1receiver2 = Email receiver No.2[Github]user = Github Usernamepassword = Github Password[PAYLOADS]p1 = Payload 1p2 = Payload 2p3 = Payload 3p4 = Payload 4p5 = Payload 5p6 = Payload 6
然后我们在main函数中读取它们,然后传入工具中。
