About Kiterunner
For a long time, the techniques behind "content discovery" have been built on looking up files and directories. While this approach works against web servers that host static files or respond to file paths, it is far less effective against modern web applications, particularly those whose functionality is implemented through APIs.
Over time, more and more researchers have put their effort into making content discovery tools faster so that ever larger wordlists can be used, but this has brought no fundamental change to the approach itself.
Kiterunner is a tool that not only performs traditional content discovery at lightning speed, but can also brute-force the routes and endpoints of modern applications.
Modern application frameworks such as Flask, Rails, Express and Django all follow the paradigm of explicitly defined routes, where a route expects a specific HTTP method, headers, parameters and values. Traditional content discovery tools routinely miss such routes, and they are hard to find with those tools.
By collecting a dataset of Swagger specifications and compressing it into our own schema, Kiterunner can use that dataset to brute-force API endpoints, sending the correct HTTP method, headers, path, parameters and values with every request it makes.
Installation
Download a release build
Researchers can download a precompiled build of the tool from https://github.com/assetnote/kiterunner/releases.
Build from source
First, clone the project source to your machine with the following command:
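As an added example that is not part of the original post or of Kiterunner's code, the following Python expands a constructed Swagger 2.0 document into the request templates a route-aware scanner needs, and shows how few of them a path-only GET wordlist would reach; the spec, paths and parameter names are invented for illustration.

```python
# Added example, not Kiterunner's own code: expand a constructed Swagger 2.0
# spec into request templates (method, path, headers, query, content type).
import json

# Constructed minimal Swagger 2.0 document; paths and parameters are invented.
SWAGGER_DOC = json.loads("""{
  "swagger": "2.0", "basePath": "/api/v1",
  "paths": {
    "/users/{id}": {
      "get": {"parameters": [{"name": "id", "in": "path", "required": true, "type": "integer"}]},
      "delete": {"parameters": [
        {"name": "id", "in": "path", "required": true, "type": "integer"},
        {"name": "X-Api-Key", "in": "header", "required": true, "type": "string"}]}},
    "/search": {
      "get": {"parameters": [{"name": "q", "in": "query", "required": true, "type": "string"}]}},
    "/login": {
      "post": {"consumes": ["application/json"],
               "parameters": [{"name": "body", "in": "body", "required": true, "schema": {}}]}}
  }
}""")

SAMPLE = {"integer": "1", "string": "test", "boolean": "true"}  # filler values per type

def route_templates(doc):
    """One (method, path, headers, query, content_type) tuple per operation,
    with path parameters filled in and required header/query params kept."""
    out, base = [], doc.get("basePath", "").rstrip("/")
    for path, ops in doc["paths"].items():
        for method, op in ops.items():
            concrete, headers, query, ctype = base + path, {}, {}, None
            for p in op.get("parameters", []):
                val = SAMPLE.get(p.get("type"), "test")
                if p["in"] == "path":
                    concrete = concrete.replace("{%s}" % p["name"], val)
                elif p["in"] == "header" and p.get("required"):
                    headers[p["name"]] = val
                elif p["in"] == "query" and p.get("required"):
                    query[p["name"]] = val
                elif p["in"] == "body":
                    ctype = (op.get("consumes") or ["application/json"])[0]
            out.append((method.upper(), concrete, headers, query, ctype))
    return out

def path_only_hits(doc):
    """The subset a classic GET-only path wordlist could reach."""
    return [t for t in route_templates(doc) if t[0] == "GET" and not t[2] and not t[3]]
```

Of the four operations only the plain GET is reachable by a path-only scan; the DELETE needs a header, the search needs a query parameter and the login needs a JSON body, which is the gap the Swagger-derived dataset closes.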
git clone https://github.com/assetnote/kiterunner.git
Next, build the source:
make build
Create a symlink to the built binary:
ln -s $(pwd)/dist/kr /usr/local/bin/kr
Compile the wordlist:
kr kb compile routes.json routes.kite
Run a scan:
kr scan hosts.txt -w routes.kite -x 20 -j 100 --ignore-length=1053
JSON datasets
- routes-large.json (118MB compressed, 2.6GB uncompressed)
- routes-small.json (14MB compressed, 228MB uncompressed)
Alternatively, the .kite files can be downloaded directly:
- routes-large.kite (40MB compressed, 182MB uncompressed)
- routes-small.kite (2MB compressed, 35MB uncompressed)
Usage
Quick scans
The <input> in the command below can be a file, a domain or a URI:
kr [scan|brute] <input> [flags]
You have a list of hosts to scan but no wordlist:
kr scan hosts.txt -A=apiroutes-210328:20000 -x 5 -j 100 --fail-status-codes 400,401,404,403,501,502,426,411
You have your own wordlist:
kr scan target.com -w routes.kite -A=apiroutes-210328:20000 -x 20 -j 1 --fail-status-codes 400,401,404,403,501,502,426,411
Normal brute-force using the first 20000 words of the wordlist:
kr brute https://target.com/subapp/ -A=aspx-210328:20000 -x 20 -j 1
Scan with a dirsearch-style wordlist, substituting the given extensions for %EXT%:
kr brute https://target.com/subapp/ -w dirsearch.txt -x 20 -j 1 -exml,asp,aspx,ashx -D
Command-line options
Usage:
kite scan [flags]
Flags:
-A, --assetnote-wordlist strings use the wordlists from wordlist.assetnote.io. specify the type/name to use, e.g. apiroutes-210228. You can specify an additional maxlength to use only the first N values in the wordlist, e.g. apiroutes-210228;20000 will only use the first 20000 lines in that wordlist
--blacklist-domain strings domains that are blacklisted for redirects. We will not follow redirects to these domains
--delay duration delay to place inbetween requests to a single host
--disable-precheck whether to skip host discovery
--fail-status-codes ints which status codes blacklist as fail. if this is set, this will override success-status-codes
--filter-api strings only scan apis matching this ksuid
--force-method string whether to ignore the methods specified in the ogl file and force this method
-H, --header strings headers to add to requests (default [x-forwarded-for: 127.0.0.1])
-h, --help help for scan
--ignore-length strings a range of content length bytes to ignore. you can have multiple. e.g. 100-105 or 1234 or 123,34-53. This is inclusive on both ends
--kitebuilder-full-scan perform a full scan without first performing a phase scan.
-w, --kitebuilder-list strings ogl wordlist to use for scanning
-x, --max-connection-per-host int max connections to a single host (default 3)
-j, --max-parallel-hosts int max number of concurrent hosts to scan at once (default 50)
--max-redirects int maximum number of redirects to follow (default 3)
-d, --preflight-depth int when performing preflight checks, what directory depth do we attempt to check. 0 means that only the docroot is checked (default 1)
--profile-name string name for profile output file
--progress a progress bar while scanning. by default enabled only on Stderr (default true)
--quarantine-threshold int if the host return N consecutive hits, we quarantine the host as wildcard. Set to 0 to disable (default 10)
--success-status-codes ints which status codes whitelist as success. this is the default mode
-t, --timeout duration timeout to use on all requests (default 3s)
--user-agent string user agent to use for requests (default "Chrome. Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36")
--wildcard-detection can be set to false to disable wildcard redirect detection (default true)
Global Flags:
--config string config file (default is $HOME/.kiterunner.yaml)
-o, --output string output format. can be json,text,pretty (default "pretty")
-q, --quiet quiet mode. will mute unecessarry pretty text
-v, --verbose string level of logging verbosity. can be error,info,debug,trace (default "info")
Brute-force options
bruteforce flags (all the flags above +)
-D, --dirsearch-compat this will replace %EXT% with the extensions provided. backwards compat with dirsearch because shubs loves him some dirsearch
-e, --extensions strings extensions to append while scanning
-w, --wordlist strings normal wordlist to use for scanning
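The following Python is an added example, not Kiterunner's own (Go) implementation: it applies the --fail-status-codes, --ignore-length and --quarantine-threshold semantics documented above to constructed scan results, including the 1053-byte catch-all page that the earlier scan command ignores; the default success list in is_hit and the host names are assumptions made for illustration.

```python
# Added example, not Kiterunner's own code: the response-filtering rules the
# flags above describe, applied to constructed scan results.

def parse_ignore_length(spec):
    """Parse --ignore-length syntax ('1234', '100-105', '123,34-53'); each
    range is inclusive on both ends, a single value is a one-element range."""
    ranges = []
    for part in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def is_hit(status, length, success_codes=(200,), fail_codes=(), ignore_ranges=()):
    """A response is a hit unless its length falls in an ignored range or its
    status is blacklisted; when fail_codes is set it overrides the whitelist.
    The default whitelist here is an assumption for illustration only."""
    if any(lo <= length <= hi for lo, hi in ignore_ranges):
        return False
    if fail_codes:
        return status not in fail_codes
    return status in success_codes

def quarantine_wildcards(results, threshold=10, **kw):
    """results: (host, status, length) tuples in scan order. Returns the hits
    per host and the hosts quarantined as wildcards after `threshold`
    consecutive hits (--quarantine-threshold semantics; 0 disables it)."""
    hits, streak, quarantined = {}, {}, set()
    for host, status, length in results:
        if host in quarantined:
            continue
        if not is_hit(status, length, **kw):
            streak[host] = 0
            continue
        hits.setdefault(host, []).append((status, length))
        streak[host] = streak.get(host, 0) + 1
        if threshold and streak[host] >= threshold:
            quarantined.add(host)      # every path "exists": a wildcard host
            hits.pop(host, None)       # its hits carry no information
    return hits, quarantined

# Constructed scan output: one host answers 200 to everything, the other has
# a real hit among 404s and a 1053-byte catch-all page we want to ignore.
CONSTRUCTED_RESULTS = [("wild.example", 200, 512)] * 12 + [
    ("api.example", 404, 20), ("api.example", 200, 1053),
    ("api.example", 200, 87), ("api.example", 403, 45)]
```

With the fail-code list from the quick-scan commands and the 1053-byte ignore range, only the 87-byte 200 on api.example survives as a hit, and wild.example is quarantined after its tenth consecutive 200.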
API scanning
Scan a single target:
kr scan https://target.com:8443/ -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34
Scan a single target, trying both http and https:
kr scan target.com -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34
Scan a list of targets:
kr scan targets.txt -w routes.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34
Project link
Kiterunner: https://github.com/assetnote/kiterunner