Burp helper plugin: WooyunSearch, a payload set built from the Wooyun vulnerability database

Download link 1: https://www.lanzous.com/i89g4vi
Download link 2: https://github.com/boy-hack/wooyun-payload/releases
Project page: github

For how to install the plugin, see the page below.


It started from a small idea: given one HTTP request, could we pull up historical vulnerabilities to assist testing? For example, the historical vulnerabilities of that domain, the ones that share the same URL path, and the ones for each URL parameter. So I crawled a Wooyun mirror, collected the links with regular expressions, and organized the other information. I originally meant to store it in a database, but the data turned out to be small, so it was consolidated into a single JSON file. PS: the links collected by regex are the important part. Some pages do not give a URL directly; some give a raw HTTP request, some give sqlmap output, so several regexes were used, and I manually checked roughly a hundred pages before all of the links were extracted.

Burp plugin

I then wrote a Burp plugin that takes the domain, path, and parameters of an HTTP request and looks up matching entries in the Wooyun vulnerability history.
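As an added example, not the plugin's own code (the post does not show it), this is the lookup just described: the JSON file of report records is indexed by host, by path and by parameter name, and a raw HTTP request is parsed into the same three keys. The record shape, the report ids and the example.com hosts are constructed assumptions.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the shape the post describes (one JSON file of report
# records with the URL extracted from each report); not the real Wooyun data.
SAMPLE_RECORDS = json.loads("""[
  {"id": "report-0001", "title": "SQL injection in news page",
   "url": "http://news.example.com/news_show.asp?id=12"},
  {"id": "report-0002", "title": "Arbitrary file download",
   "url": "http://oa.example.com/download.jsp?filename=report.doc"},
  {"id": "report-0003", "title": "Open redirect on admin login",
   "url": "http://shop.example.org/admin/login.php?redirect=/"}
]""")

def build_index(records):
    """Index report ids by host, by URL path and by query-parameter name."""
    index = {"host": defaultdict(list), "path": defaultdict(list), "param": defaultdict(list)}
    for rec in records:
        parts = urlsplit(rec["url"])
        index["host"][parts.hostname].append(rec["id"])
        index["path"][parts.path].append(rec["id"])
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            index["param"][name].append(rec["id"])
    return index

def parse_request(raw):
    """Extract host, path and parameter names from a raw HTTP request (the Burp-side input)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    parts = urlsplit(target)
    params = [n for n, _ in parse_qsl(parts.query, keep_blank_values=True)]
    # form bodies are looked up the same way as query-string parameters
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += [n for n, _ in parse_qsl(body, keep_blank_values=True)]
    host = headers.get("host", "").split(":")[0].lower()
    return host, parts.path, params

def lookup(index, raw_request):
    """Report ids sharing the request's host, its path, or any of its parameter names."""
    host, path, params = parse_request(raw_request)
    return {
        "host": index["host"].get(host, []),
        "path": index["path"].get(path, []),
        "params": {p: index["param"].get(p, []) for p in params},
    }

SAMPLE_REQUEST = "GET /news_show.asp?id=55&page=2 HTTP/1.1\r\nHost: news.example.com\r\n\r\n"

if __name__ == "__main__":
    print(json.dumps(lookup(build_index(SAMPLE_RECORDS), SAMPLE_REQUEST), indent=1))
```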

Payload rankings (top lists)

Since a set of URLs has already been extracted from Wooyun, why not compute some statistics from them to enrich the usual wordlists?

Top 100 ports on which vulnerabilities were reported

Port	Count
8080	6710
80	2458
81	1345
8081	925
7001	885
8000	882
8088	740
8888	735
9090	578
8090	477
88	446
8001	406
82	401
9080	350
8082	301
8089	265
9000	225
8443	206
9999	185
8002	162
89	160
8083	142
8200	141
8008	135
90	135
8086	129
801	127
8011	120
8085	120
9001	118
9200	117
8100	111
8012	108
85	105
8084	102
8070	101
7002	99
8091	94
8003	92
99	91
7777	84
8010	78
443	73
8028	72
8087	71
83	70
7003	70
10000	68
808	64
38888	64
8181	64
800	63
18080	63
8099	62
8899	62
86	62
8360	58
8300	57
8800	52
8180	52
3505	49
7000	49
9002	47
8053	43
1000	42
7080	40
8989	38
28017	38
9060	36
888	34
3000	34
8006	34
41516	34
880	34
8484	34
6677	33
8016	32
84	32
7200	31
9085	30
5555	30
8280	29
7005	29
1980	29
8161	28
9091	27
7890	27
8060	27
6080	27
8880	26
8020	26
7070	26
889	26
8881	24
9081	24
8009	24
7007	24
8004	23
38501	23
1010	23

The total number of distinct ports came to 1104, which suggests that a port scan only needs to cover these thousand-odd ports, a considerable saving in time.

ASP Top 100

Path	Count
/news_show.asp	233
/about.asp	205
/news.asp	201
/login.asp	173
/index.asp	167
/admin/login.asp	141
/list.asp	130
/show.asp	112
/shownews.asp	88
/search.asp	85
/News_show.asp	85
/product.asp	83
/news_list.asp	70
/article.asp	67
/view.asp	59
/default_standard.asp	59
/info.asp	58
/news_more.asp	57
/newshow.asp	54
/news_detail.asp	48
/news_view.asp	47
/admin/index.asp	46
/products.asp	46
/nzcmslistnews.asp	46
/read.asp	44
/index1.asp	44
/detail.asp	43
/contact.asp	42
/tt/inc/login.asp	41
/default.asp	41
/readnews.asp	40
/mucc/about.asp	39
/doc/page/main.asp	38
/About.asp	37
/onews.asp	37
/cp.asp	37
/News.asp	36
/content.asp	36
/doc/page/login.asp	36
/productshow.asp	35
/view_n.asp	34
/new.asp	33
/pic.asp	33
/newsDetail.asp	33
/job.asp	33
/JBRCMS/Manager/jbrUploadConfig.asp	33
/newsinfo.asp	32
/newsbrow.asp	30
/newsview.asp	29
/admin/admin_login.asp	29
/class.asp	28
/ProductShow.asp	28
/productview.asp	28
/Article_Print.asp	27
/newsshow.asp	27
/LstInfo.asp	27
/page.asp	25
/jiannya/default.asp	25
/CompHonorBig.asp	24
/adminqibo5/Edit/editor/resurm_upfile.asp	24
/feedback.asp	23
/viewnews.asp	22
/manage/login.asp	22
/ShowNews.asp	22
/more.asp	22
/hn_type.asp	22
/1.asp	21
/service.asp	20
/admin/Login.asp	20
/readpro.asp	20
/sbweb/nameedit.asp	20
/Body.asp	20
/opensoft.asp	20
/main.asp	19
/showcareer.asp	19
/company.asp	19
/Pro_shcn.asp	19
/jjweb/nameedit.asp	19
/cpinfo.asp	19
/Htmledit/admin/login.asp	19
//liuyan.asp	19
/showfwly.asp	19
/MoralsView.asp	18
/user/reg.asp	18
/product_show.asp	18
/fuwu_list.asp	18
/lesiure/up.asp	18
/shell.asp	17
/admin.asp	17
/admin/admin.asp	17
/showservices.asp	17
/manage/html/ewebeditor/admin_login.asp	17
/Newsview.asp	17
/admin/Admin_Login.asp	16
/down.asp	16
/info_Print.asp	16
/person/mailbox.asp	16
/jieshao.asp	16
/type.asp	16
/product_cate.asp	16

ASPX Top 100

Path	Count
/Default.aspx	349
/login.aspx	341
/UIFrameWork/login.aspx	307
/Login.aspx	288
/Detail.aspx	209
/admin/login.aspx	157
/index.aspx	127
/default.aspx	124
/OT.OA.WEB/UIFrameWork/login.aspx	76
/search.aspx	58
/userlogin.aspx	57
/list.aspx	54
/Admin/login.aspx	48
/custom/GroupNewsList.aspx	45
//SubCategory.aspx	42
/manage/login.aspx	38
/aspx/gqxx.aspx	38
/newsView.aspx	38
/news.aspx	37
/Search.aspx	34
/admin/index.aspx	31
/Web/Login/PSCP01001.aspx	30
/city_index.aspx	30
/main.aspx	29
/newslist.aspx	29
/admin/Login.aspx	28
/show.aspx	28
/Admin/Index.aspx	27
/SubCategory.aspx	26
/G2S/AdminSpace/QE/AddCustomForm.aspx	26
/NewsList.aspx	25
/Index.aspx	24
/about.aspx	23
/gmis/leftmenu.aspx	23
/Permission/ApplicationQueryList.aspx	22
/test.aspx	22
/site/ajax/WebSiteAjax.aspx	22
/select_e.aspx	22
/ExhibitionCenter.aspx	22
/system/stuuserregist.aspx	21
/News.aspx	21
/workplate/xzsp/gxxt/tjfx/spsl.aspx	21
/manager/member/admin_add.aspx	20
/workplate/xzsp/tjfx/grbjtj/list.aspx	20
/zfmllist.aspx	20
/workplate/base/person/listbyorgsel.aspx	20
/NewsDetail.aspx	19
/Supplylist.aspx	19
/Product/ProductList.aspx	19
/Web/Login.aspx	18
/articleview.aspx	18
/model/TwoGradePage/equipmentlist.aspx	18
/jsondb/otherreport.aspx	18
/jsondb/flightreturn.aspx	18
//bos/desktop/RequestOrResponse.aspx	18
/Broadcast/Broadcast.aspx	18
/jsondb/meblist.aspx	18
/searchbargain.aspx	18
/jsondb/aircompany.aspx	18
/RiskInfo.aspx	18
/owa/auth/logon.aspx	17
/WebDefault3.aspx	17
/article.aspx	17
/G2S//AdminSpace/PublicClass/AddCourseWare.aspx	17
/news_view.aspx	16
/info.aspx	16
/CommonPage.aspx	16
/DownLoadPage.aspx	16
/fckeditor/editor/filemanager/connectors/aspx/connector.aspx	16
/support/minisite/thinkpad/htmls/advancedsearch.aspx	16
/emlib4/format/release/aspx/eml_homepage.aspx	16
/Gmis/Byyxwgl/xls_lwdbxxedit.aspx	16
/CMSUploadFile.aspx	16
/Main.aspx	15
/OrderDetail.aspx	15
/webSchool/list.aspx	15
/Magazine/NewMagazine.aspx	15
/k4/list.aspx	15
/k1/preview.aspx	15
/MoreIndex.aspx	15
/sysadmin/Login.aspx	15
/persondh/urgent.aspx	15
/OnlineQuery/QueryList.aspx	15
/Broadcast/displayNewsPic.aspx	15
/Web/News.aspx	15
/ModifyPassWord.aspx	15
/ftb.imagegallery.aspx	14
/TableDataManage/BaseInforQueryContent.aspx	14
/presellbuild.aspx	14
/tabid/2159/Default.aspx	14
/cart.aspx	14
/G2S/AdminSpace/PublicClass/AddCathedraWare.aspx	14
/admin/course/uploaddemo.aspx	14
/searchLines.aspx	14
/help/pendantShow.aspx	14
/BsGuide.aspx	13
/NewsView.aspx	13
/Admin/fileManage.aspx	13
/ShowNews.aspx	13
/Web_Site/Search.aspx	13

JSP Top 100

Path	Count
/login.jsp	317
/index.jsp	176
/kingdee/login/loginpage.jsp	160
/get_pwd.jsp	126
/zecmd/zecmd.jsp	109
/console/login/LoginForm.jsp	103
/login/Login.jsp	88
/customer.jsp	87
/is/index.jsp	81
/uddiexplorer/SearchPublicRegistries.jsp	79
/yyoa/common/js/menu/test.jsp	74
/jcms/interface/user/out_userinfo.jsp	59
/seeyon/index.jsp	53
/download.jsp	53
/yyoa/checkWaitdo.jsp	50
/admin/login.jsp	49
/list.jsp	46
/defaultroot/login.jsp	45
/upload5warn/shell.jsp	45
/search.jsp	43
/myname/wooyun.jsp	40
/web/epublic/upload.jsp	39
/yyoa/indexPass.jsp	39
/yyoa/common/selectPersonNew/initData.jsp	37
/bak.jsp	35
/yyoa/index.jsp	35
/postAjax.jsp	35
/cK/foot.jsp	34
/tools/SWFUpload/upload.jsp	32
/nei.jsp	32
/1.jsp	31
/wooyun.jsp	31
/is/cmd.jsp	30
/download/download.jsp	29
/cmd.jsp	29
/webschool/News/news_list.jsp	28
/chopper/chopper.jsp	27
/business/notifyView.jsp	27
/sofpro/gecs/consulmanage/wsts/bbstitlelist1.jsp	27
/live800/downlog.jsp	26
/Silic.jsp	26
/edoas2/oa.jsp	26
/wooyun/wooyun.jsp	25
/jmxroot/jmxroot.jsp	25
/manage/content/docmanage/download.jsp	25
/ConInfoParticular.jsp	24
/uddiexplorer/out.jsp	23
/1/sx/login.jsp	23
/templates/index/hrlogon.jsp	23
/commfront/tzzx/uploadImageFiledo.jsp	23
/yyoa/ext/https/getSessionList.jsp	22
/admin/index.jsp	22
/shell.jsp	22
/admin/upload.jsp	22
/detail.jsp	22
/1/sjleader/login.jsp	22
/admin/select.jsp	22
/admin/fxx.jsp	22
/jbossass/jbossass.jsp	21
/yyoa/HJ/iSignatureHtmlServer.jsp	21
/eol/homepage/common/index.jsp	21
/a/pwn.jsp	21
/web/common/getfile.jsp	21
/upload.jsp	20
/test.jsp	20
/homepage/LoginHomepage.jsp	20
/page/maint/common/UserResourceUpload.jsp	20
/zpsys/index.jsp	20
/vc/vc/para/opr_initvc.jsp	20
/pages/manager/managerAddNManager.jsp	20
/hdcy/zxzx_show.jsp	20
/yyoa/assess/js/initDataAssess.jsp	19
/upload5warn/wooyun.jsp	19
/cms/weblawcase/impList.jsp	19
/nicknamelogin.jsp	19
/ca/ma3.jsp	19
/gkznInfo.jsp	19
/myname/index.jsp	18
/df/index.jsp	18
/guige.jsp	18
/coremail/index.jsp	18
/syfile/swfUpload.jsp	18
/admin/protected/index.jsp	17
/2/sjtj/login.jsp	17
/news.jsp	17
/site/law_artile.jsp	17
/zwdtSjgl/Directory/lastDirList_iframe.jsp	17
/content/topicdeal.jsp	17
/webschool/Book/news_list.jsp	17
//web/careerapply/HrmCareerApplyPerView.jsp	16
/cms/web/downloadFiles.jsp	16
/TSPB/web/xzzx/xzzx.jsp	16
/prosec.jsp	16
/adminroot/common/downLoadFile.jsp	16
/uddiexplorer/SetupUDDIExplorer.jsp	15
/kingdee/login/loginpage2.jsp	15
/wui/theme/ecology7/page/login.jsp	15
/f1print/F1PrintKernelJ1.jsp	15
/login/login.jsp	15
/eln3_asp/public/cscec8b/bulletin.jsp	15

PHP Top 100

Path	Count
/index.php	2456
/admin.php	278
/login.php	243
/forum.php	240
/share/share.php	227
/news.php	208
/info.php	191
/phpinfo.php	181
/plus/search.php	173
/test.php	162
/admin/login.php	162
/src/system/login.php	146
/article.php	140
/plus/recommend.php	138
/search.php	136
/list.php	132
/api.php	117
/admin/index.php	117
/CmxDownload.php	113
/about.php	109
/news_show.php	98
/download.php	97
/home.php	81
/login/login.php	80
/user.php	79
/show.php	76
/page.php	71
/product.php	68
/wp-login.php	67
/main.php	67
/detail.php	65
/news_detail.php	64
/faq.php	64
/default.php	60
/content.php	59
//plus/recommend.php	58
/news_display.php	57
/up/UploadTemp/eval.php	57
/down.php	55
/www/index.php	55
/user/storage_explore.php	54
/abouts.php	53
/uc_server/admin.php	50
/rss.php	49
/wescms/index.php	49
/1.php	45
/news_info.php	43
/products_display.php	42
/newsdetail.php	41
/phpmyadmin/index.php	39
/class.php	39
/more.php	38
//index.php	38
/userlist.php	37
/plugin.php	36
/*.php	36
/products.php	35
/pics_list.php	34
/plus/mytag_js.php	34
/news_list.php	34
/newsinfo.php	34
/smenu.php	33
/include/web_content.php	31
/batch.common.php	31
/space.php	30
/modules.php	30
/view.php	30
/read.php	30
/job.php	30
/do.php	29
/link.php	29
/displaynews.php	29
/viewthread.php	28
/m.php	28
/web/index.php	28
/member/index.php	28
/ajax.php	27
/impl/rpccompanyinfo_minkh.php	27
//plus/search.php	27
/thi.php	27
/i.php	26
/member.php	25
/webmail/login.php	25
/admincp.php	25
/download_list.php	25
/cmxlogin.php	25
/auto_reg.php	25
/register.php	24
/news/class/index.php	24
/prog/index.php	24
/thi_details.php	23
/topic.php	23
/shopadmin/index.php	23
/cp.php	23
/phpsso_server/index.php	23
/common/web_meeting/index.php	23
/cn/products.php	23
/Customize/Audit/MessageMonitor/groupSearch.php	23
/new/client.php	23
/notice.php	22

Action Top 100

Path	Count
/root/chat.action	429
/login.action	291
/index.action	227
/homeLogin.action	46
/portal/login_init.action	46
/stardy/Login.action	40
/login_login.action	24
/license!getExpireDateOfDays.action	23
/indexAction.action	23
/index/downLoadFile.action	22
/common/common_info.action	21
/pages/xxfb/editor/uploadAction.action	21
/accountlossList.action	21
/ggxxfb.action	21
/ivhs/ajax_updateUserInfo.action	20
/download.action	19
/Login.action	19
/syfile/imageCompress.action	18
/managerOneGgxxfb.action	18
/user/login.action	17
/loginAction!login.action	16
/index!index.action	15
/login/login.action	15
/managerNManager.action	15
/home.action	14
/indexmanagerLogin.action	14
/ahsffyww/Default3.action	14
/DRP/login.action	12
/spam/system/index.action	12
/user/gotoLoginPage.action	12
/ecp/announcement/announcement_view2.action	12
/managerAddNManager.action	12
/managerEditNManager.action	12
/main.action	11
/system/login_login.action	11
/login!login.action	10
/loginAction.action	10
/login/index.action	10
/logout.action	10
/register.action	10
/security/loginInit.action	10
/bgxz/bgxzAction_executeBack.action	10
/nFixcardAllList.action	10
/beian/login_login.action	10
//opac_two/mylibrary/comment/queryAllComment.action	10
/module/newzwgk/getmainById.action	10
/index/index.action	9
/shop/member!passwordRecover.action	9
/mail/login.action	9
/admin/login.action	9
/htweixin/InsuranceDownload.action	9
//admin/user_logon.action	9
/BSBM/loginedLogin.action	9
/robot/check-login.action	8
/website/dflz/dflzSiteAction!sjList.action	8
/module/newzwgk/viewquan.action	8
/hbwz/wcms/searchAll.action	8
/ahsffyww/Default2.action	8
/wfvideo/login.action	8
/website-rank/addVoteRecord.action	8
/module/newzwgk/viewZwxxQianMore.action	8
/superadmin/index.action	7
/mall/ui/giftIndex.action	7
/userlogin.action	7
/cms/admin/login.action	7
/szxy/logon.action	7
/virtual/shouye.action	7
/feedback/buyIntention!saveBuyIntentionInfo.action	7
/superadmin/adminLogin.action	7
/Index.action	7
/security/login.action	7
/MemberToLoginIgnore.action	7
/rdms/satisfyaid/actions/cstContactAction!register.action	7
/regmail/download.action	7
/IndexAction.action	6
/publish/query/indexFirst.action	6
/manage/login.action	6
/home/index.action	6
/eeoaftp/downloadFile.action	6
/eis/index.action	6
/gzwl/visit/renewBusinessOrder/renewBusinessOrderDetail.action	6
/css/myquery/queryWQSBill.action	6
/LoginAction.action	6
/detail.action	6
/index/index!list.action	6
/auth/login.action	6
/server/spreq/attachment!download.action	6
/lmsv5/user!editUserInfo.action	6
/5clib/bookWeb.action	6
/otomc/user/loginUI.action	6
/im-client/imclient/selfHelp.action	6
/ahsffyww/ZXDefault2.action	6
/user!login.action	6
/Dzsw/Shky/hwky.wai/index.action	6
/aic/webnz/welcome-web-home!welcome.action	6
/ess/Homepage.action	6
/skypearl/cn/toPrintCard.action	6
/spdt/spdt_listSp.action	6
/xxsearch.action	6
/web/Info!list.action	6

Directory Top 100

Path	Count
/admin	2639
/user	848
/.svn	825
/.git	670
/login	615
/plus	550
/news	533
/web	517
/upload	495
/manager	469
/xxgk/services	465
/root	437
/manage	411
/ftp/com1/html	409
/cgi-bin	406
/servlet	348
/content	333
/api	331
/share	329
/member	315
/UIFrameWork	309
/cn	277
/bbs	275
/jmx-console	273
/index	245
/invoker	244
/s	231
/phpmyadmin	222
/search	220
/Admin	211
/papers	208
/yyoa	207
/common	206
/system	202
/opac	196
/account	196
/uddiexplorer	195
/ajax	190
/cms	188
/2001	187
/kingdee/login	178
/Gmis/xw	173
/1999	168
/include	164
/portal	161
/back/ticket	161
/oa	159
/Gmis/Byyxwgl	158
/home	156
/data	155
/src/system	148
/WEB-INF	141
/main	140
/Chinese	134
/order	132
/gov/services	132
/wap	131
/console	130
/app	130
/is	129
/Web	127
/resin-doc/resource/tutorial/jndi-appconfig	126
/seeyon	124
/config	123
/images	121
/download	120
/view	118
/public	117
/product	117
/model/TwoGradePage	117
/knowledge/ClassShow	115
/en	114
/zecmd	114
/m	114
/soap/envelope	112
/about	111
/install	110
/tushu	107
/ckq	107
/poweb	106
/tips	105
/resin-doc/viewfile	104
/www	104
/console/login	103
/html	103
/bbs/topic	103
/data/admin	103
/wscgs	102
/sys	102
/test	99
/list	99
/v_show	98
/p	97
/fckeditor/editor/filemanager/browser/default	97
/User	96
/uc_server	96
//plus	96
/site	95
/detail	95
/index.php	94

GET parameter Top 100

Because an automated program cannot tell which parameter was the vulnerable one, all parameters of every URL were simply extracted by brute force, so these top parameters are not necessarily representative, but they should still make a decent wordlist.
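The counting behind the port, path, directory and parameter tables on this page, as an added example rather than the author's script: from a constructed list of extracted report URLs it tallies explicit ports, paths per extension, directory prefixes and every GET parameter name (vulnerable or not, as the note above describes), returning each table's most common entries. The sample URLs and the directory-prefix rule are assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of extracted report URLs (explicit ports, double slashes,
# several extensions), standing in for the crawl data; not the real dataset.
SAMPLE_URLS = [
    "http://a.example.com:8080/admin/login.asp?id=1&action=login",
    "http://b.example.com/index.php?id=3&m=home&a=index",
    "http://c.example.com:8080/plus/search.php?keyword=x&typeArr=2",
    "http://d.example.com:7001/console/login/LoginForm.jsp",
    "http://e.example.com//plus/recommend.php?id=5",
    "https://f.example.com/login.action?username=u&password=p",
]

EXT_GROUPS = ("asp", "aspx", "jsp", "php", "action")

def group_of(path):
    """Bucket a path by file extension, one bucket per path table in the post."""
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in EXT_GROUPS else None

def top_stats(urls, n=100):
    """Count explicit ports, paths per extension, directory prefixes and GET parameter names."""
    stats = {"ports": Counter(), "dirs": Counter(), "params": Counter()}
    stats.update({g: Counter() for g in EXT_GROUPS})
    for url in urls:
        parts = urlsplit(url)
        if parts.port:  # only ports written in the URL; implicit 80/443 are not counted
            stats["ports"][parts.port] += 1
        group = group_of(parts.path)
        if group:
            stats[group][parts.path] += 1
        # every directory prefix, kept verbatim (an assumption; the post does not say
        # how its directory table was built), so "//plus" stays distinct from "/plus"
        segs = parts.path.split("/")[1:-1]
        for i in range(1, len(segs) + 1):
            if segs[i - 1]:
                stats["dirs"]["/" + "/".join(segs[:i])] += 1
        # all parameter names, vulnerable or not, as the post does for its GET table
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            stats["params"][name] += 1
    return {k: v.most_common(n) for k, v in stats.items()}

if __name__ == "__main__":
    for table, rows in top_stats(SAMPLE_URLS, n=5).items():
        print(table, rows)
```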


Parameter	Count
id	6845
action	1643
type	1503
m	1013
a	992
c	855
act	829
page	813
uid	616
url	585
method	545
cid	545
ID	528
mod	521
aid	490
keyword	474
key	449
t	449
q	444
callback	427
sid	426
s	421
name	407
tid	399
pid	392
code	354
r	316
p	307
file	301
Type	294
do	294
redirect	292
username	291
_	278
op	259
filename	252
path	251
from	230
classid	227
f	222
fid	221
app	213
cmd	213
typeid	203
_FILES	201
ac	194
title	192
fileName	191
userid	190
v	189
flag	176
catid	170
Connector	166
bid	158
order	150
wd	150
mid	150
lang	145
nid	143
city	142
CurrentFolder	139
newsid	138
Command	137
password	131
d	128
source	127
sort	126
user	125
token	122
module	120
class	118
userId	115
dir	113
ie	111
Id	108
pwd	107
num	106
email	103
appid	102
u	102
mobile	102
i	102
keywords	100
version	100
status	99
gid	99
typeArr	96
g	96
service	95
o	95
ArticleID	94
query	94
filePath	94
orderId	94
redirect%3A%24%7B%23req%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletRequest%27%29%2C%23a%3D%23req.getSession%28%29%2C%23b%3D%23a.getServletContext%28%29%2C%23c%3D%23b.getRealPath%28%22%2F%22%29%2C%23matt%3D%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29%2C%23matt.getWriter%28%29.println%28%23c%29%2C%23matt.getWriter%28%29.flush%28%29%2C%23matt.getWriter%28%29.close%28%29%7D	93
category	92
word	92
user_id	92
k	91
channel	90

POST parameter Top 100

Parameter	Count
password	457
__VIEWSTATE	430
__EVENTVALIDATION	315
username	313
__EVENTTARGET	210
__EVENTARGUMENT	210
type	145
name	113
id	111
Submit	109
__VIEWSTATEGENERATOR	103
action	98
email	97
mobile	87
page	86
submit	85
pwd	67
uid	66
act	64
phone	59
code	54
userName	54
keyword	52
__LASTFOCUS	50
city	50
(name garbled in source)	47
userid	47
content	43
account	42
y	42
address	41
x	41
UserName	40
title	39
button	39
token	38
Password	37
Button1	37
passwd	37
province	36
tel	36
sex	35
pageSize	33
txtPassword	29
userId	29
version	29
txtUserName	29
url	28
sort	28
key	27
ImageButton1.y	27
ImageButton1.x	27
user	27
pageNo	25
method	25
status	24
login	22
sid	22
channel	22
qq	21
flag	21
TextBox1	20
btnSearch	20
pass	20
user_id	20
domain	20
rows	20
?>	19
from	19
sign	19
uname	19
order	19
txtPwd	19
pid	18
btnLogin	18
pageIndex	18
search	18
keywords	18
loginName	18
lang	17
user_name	17
timestamp	17
imei	17
PassWord	17
captcha	16
number	16
language	16
B1	16
appid	16
area	15
hash	15
}	15
(b)(('\43context[\'xwork.MethodAccessor.denyMethodExecution\']\75false')(b))	14
('\43c')(('\43_memberAccess.excludeProperties\ [rest garbled in source]	14
imageField.y	14
imageField.x	14
limit	14
loginname	14
txtName	14
cmd	14

Cookie parameter Top 100

Parameter	Count
__utma	226
__utmz	221
__utmc	169
__utmb	142
HMACCOUNT	126
bdshare_firstime	100
pgv_pvi	99
_ga	91
BAIDUID	80
__utmt	71
pgv_si	69
AJSTAToktimes	56
ci_session	55
_gat	49
uid	37
CheckCode	33
safedog-flow-item	33
SERVERID	31
lzstat_uv	27
username	23
IESESSION	23
vjuids	23
ECS_ID	22
ECS[display]	21
ECS[history]	21
AJSTATokpages	21
ECS[visit_times]	18
pgv_pvid	18
SUV	18
vjlast	18
city	17
iweb_hisgoods[15]	16
IPLOC	15
cck_count	15
cck_lasttime	15
lvsessionid	14
LXB_REFER	14
iweb_hisgoods[26]	13
cookie	13
CoreID6	13
NTKFT2DCLIENTID	13
userName	12
loginName	12
BAIDUDUPlcr	12
td_cookie	12
ECSCP_ID	12
_jzqx	12
userid	12
hd_sid	11
real_ipd	11
password	11
route	11
vary	11
nTalkCACHEDATA	11
token	11
WT_FPC	10
ADMINCONSOLESESSION	10
pgv_info	10
nickname	10
guid	10
jiathis_rdc	10
HMVT	10
tma	10
tmd	10
s	10
S[CARTTOTALPRICE]	10
S[CART_COUNT]	10
S[CART_NUMBER]	10
sessionid	10
_jzqa	10
looyu_id	10
dyh_lastactivity	9
SESSIONID	9
s_cc	9
s_sq	9
.ASPXAUTH	9
DedeUserID	9
DedeUserID__ckMd5	9
sid	9
user	9
clientlanguage	9
_jzqc	9
lang	9
wordpresstestcookie	8
_qcwId	8
language	8
hasshown	8
cityid	8
myie	8
s_nr	8
__RequestVerificationToken	8
(empty name)	8
DedeUsername	8
DedeUsername__ckMd5	8
loginState	8
ip_ck	8
vn	8
lv	8
pageReferrInSession	8
__cfduid	8
