dnrops
/
swagger-scan
mirror of https://github.com/godzeo/swagger-scan
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
4 Commits 1 Branch 0 Tags 41 MiB
Python 98.3%
C 0.6%
Shell 0.6%
HTML 0.3%
Perl 0.1%
Go to file
godzeo d8df5a8354
Delete .DS_Store 		2022-10-05 12:22:50 +08:00
lib lib 2022-09-22 15:49:41 +08:00
.gitignore first commit 2022-09-22 15:48:53 +08:00
README.md first commit 2022-09-22 15:46:19 +08:00
findJson.py first commit 2022-09-22 15:46:19 +08:00
sqli.py first commit 2022-09-22 15:46:19 +08:00
swagger.csv first commit 2022-09-22 15:46:19 +08:00
swagger.py first commit 2022-09-22 15:46:19 +08:00
url.txt first commit 2022-09-22 15:46:19 +08:00

README.md

swagger-scan

主要是对在测试中常见的swagger页面泄露 ,进行批量的测试

  • 自动爬取所有接口,配置好传参发包访问
  • 可以代理到 Xray或者sqlmap 被动扫描

流程:

  1. 抓取 html 页面利用chromedriver去解析
  2. 找到具体存放数据的json文件
  3. 数据进行解析,构造请求包,获取响应
  4. 记录发包、参数、加入被动的漏洞扫描

python findJson.py 自动把url.txt的地址批量找到json文件

python swagger.py -u http://www.baidu.com/openapi.json python swagger.py -f /xxxx/xxx/targert.txt

参考借鉴代码修改了一些实际测试的bug

https://github.com/jayus0821/swagger-hack https://github.com/lijiejie/swagger-exp