Many enterprise websites serve the Internet directly and are often the entry point attackers pick, so web security is tightly coupled to the enterprise's overall information security.
In day-to-day operations, where security processes are immature, developers and maintainers frequently push new content or changes on their own because of urgent go-lives or bug fixes. Security staff usually only discover, while investigating after an incident, that the environment or the code they had assessed has long since changed.
This article shows how to use the SimpleAutoBurp project from GitHub, a Python script that runs scheduled automatic scans of a website, so that vulnerabilities in the web system are found sooner. The script on GitHub targets Linux; here it is modified to run on Windows.
1. How it works:
crontab (Linux) or Task Scheduler (Windows) runs simpleautoburp.py periodically. The script uses the Burp Suite Pro REST API together with the configuration file config.json to run a web scan against the target hosts.
2. Script files: simpleautoburp.py + config.json
simpleautoburp.py is the script that calls the Burp Suite API; config.json is its configuration file.
simpleautoburp.py
```python
from subprocess import Popen, DEVNULL
import requests
import time
import logging
import os
import signal
import json
import sys
from datetime import datetime

# Point configfile at your config.json
configfile = r"f:/pythoncode/simpleautoburp/simpleautoburp-main/config.json"

try:
    with open(configfile) as json_data:
        config = json.load(json_data)
except (OSError, ValueError):
    print("Missing config.json file. Make sure the configuration file is in the same folder")
    sys.exit(1)

burpconfigs = config["burpconfigs"][0]
siteconfigs = config["sites"]
rootlogger = logging.getLogger()


def set_logging():
    """Log to <logpath>/<logfilename>.log and to the console at the configured level."""
    logformatter = logging.Formatter("%(asctime)s [%(levelname)-5.5s] %(message)s")
    numericlevel = getattr(logging, burpconfigs["loglevel"].upper(), logging.DEBUG)
    rootlogger.setLevel(numericlevel)
    filehandler = logging.FileHandler("{0}/{1}.log".format(burpconfigs["logpath"], burpconfigs["logfilename"]))
    filehandler.setFormatter(logformatter)
    rootlogger.addHandler(filehandler)
    consolehandler = logging.StreamHandler()
    consolehandler.setFormatter(logformatter)
    rootlogger.addHandler(consolehandler)


def execute_burp(site):
    """Start Burp Suite Pro headless with the site's project file and return its PID."""
    # Arguments are passed as a list, so Windows paths containing spaces
    # (e.g. "c:/program files/java/...") need no shell quoting.
    cmd = [burpconfigs["java"], "-Xmx" + burpconfigs["memory"],
           "-Djava.awt.headless=" + str(burpconfigs["headless"]),
           "-jar", burpconfigs["burpjar"],
           "--project-file=" + site["project"], "--unpause-spider-and-scanner"]
    try:
        rootlogger.debug("Executing Burp: " + " ".join(cmd))
        p = Popen(cmd, stdout=DEVNULL, stderr=DEVNULL)
        return p.pid
    except OSError:
        rootlogger.error("Burp Suite failed to execute.")
        sys.exit(1)


def api_base(site):
    """Base URL of the Burp REST API for this site's API key."""
    return "http://127.0.0.1:1337/" + site["apikey"] + "/v0.1/"


def check_burp(site, child_pid):
    """Poll the REST API until it answers 200, or give up after the configured number of retries."""
    url = api_base(site)
    time.sleep(10)
    for _ in range(burpconfigs["retry"] + 1):
        rootlogger.debug("Checking API: " + url)
        try:
            init = requests.get(url)
        except requests.exceptions.ConnectionError:
            init = None  # Burp has not started listening yet
        if init is not None and init.status_code == 200:
            rootlogger.debug("API running, response code: " + str(init.status_code))
            # Give Burp time to load extensions
            time.sleep(30)
            return
        rootlogger.debug("Burp is not ready yet" +
                         ("" if init is None else ", response code: " + str(init.status_code)))
        time.sleep(10)
    rootlogger.error("Too many attempts to connect to Burp")
    kill_burp(child_pid)
    sys.exit(1)


def execute_scan(site, child_pid):
    """Launch a scan of the site's URL and poll the task until it succeeds or fails."""
    url = api_base(site) + "scan"
    rootlogger.info("Starting scan to: " + site["scanurl"])
    scan = requests.post(url, json={"urls": [site["scanurl"]]})
    task_id = scan.headers["Location"]
    rootlogger.debug("Task ID: " + task_id)
    while True:
        scanresults = requests.get(api_base(site) + "scan/" + task_id)
        data = scanresults.json()
        rootlogger.info("Current status: " + data["scan_status"])
        if data["scan_status"] == "failed":
            rootlogger.error("Scan failed")
            kill_burp(child_pid)
            sys.exit(1)
        elif data["scan_status"] == "succeeded":
            rootlogger.info("Scan completed")
            return data
        else:
            rootlogger.debug("Waiting 60 seconds before checking the status again")
            time.sleep(60)


def kill_burp(child_pid):
    """Terminate the Burp process started by execute_burp."""
    rootlogger.info("Killing Burp.")
    try:
        os.kill(child_pid, signal.SIGTERM)
        rootlogger.debug("Burp killed")
    except OSError:
        rootlogger.error("Failed to stop Burp")


def get_data(data, site):
    """Log each finding and write the full issue list to the scanoutput folder."""
    for issue in data["issue_events"]:
        rootlogger.info("Vulnerability - Name: " + issue["issue"]["name"] +
                        " Path: " + issue["issue"]["path"] +
                        " Severity: " + issue["issue"]["severity"])
    # File name: last two labels of the scanned host plus a timestamp
    host = site["scanurl"].split("/")[2]
    parts = host.split(".")
    top_level = ".".join(parts[-2:]) if len(parts) >= 2 else host
    file = top_level + "-" + datetime.now().strftime("%Y_%m_%d-%I_%M_%S_%p") + ".txt"
    file = burpconfigs["scanoutput"] + file
    rootlogger.info("Writing full results to: " + file)
    with open(file, "w") as f:
        json.dump(data["issue_events"], f, indent=2)


def main():
    set_logging()
    for site in siteconfigs:
        # Execute Burp Suite Pro
        child_pid = execute_burp(site)
        # Check that the Burp API is up
        check_burp(site, child_pid)
        # Execute the scan
        data = execute_scan(site, child_pid)
        # Get the vulnerability data
        get_data(data, site)
        # Stop Burp
        rootlogger.info("Scan finished, killing Burp.")
        kill_burp(child_pid)


if __name__ == "__main__":
    main()
```
config.json (the sites to scan are configured here; the apikey is generated inside Burp Suite)
```json
{
  "sites": [
    {
      "scanurl": "http://192.168.168.180/",
      "project": "d:/temp/metasploitable2.burp",
      "apikey": "s44zgkwixsga8ewiasfdz7u5d2czsbhm"
    }
  ],
  "burpconfigs": [
    {
      "memory": "2048m",
      "headless": "true",
      "java": "c:/program files/java/jdk-11.0.11/bin/java.exe",
      "burpjar": "f:/download/burpsuite_pro_v2021.6.1.jar",
      "retry": 5,
      "logpath": "d:/temp/scanoutput/",
      "logfilename": "simpleautoburp",
      "loglevel": "debug",
      "scanoutput": "d:/temp/scanoutput/"
    }
  ]
}
```
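The point of scheduling the scan is to notice what changed since the last run. As an added example (not part of SimpleAutoBurp), the helper below compares two runs' issue_events lists by issue name and path, counts findings per severity, and decides whether a new finding warrants an alert; the issue entries are constructed samples in the shape the script logs, and load_results assumes the result file is JSON.

```python
import json
from collections import Counter

# Constructed sample issue_events entries (made up, not real scan output)
PREVIOUS_RUN = [
    {"issue": {"name": "Cross-site scripting (reflected)", "path": "/search.php", "severity": "high"}},
    {"issue": {"name": "Cookie without HttpOnly flag set", "path": "/", "severity": "low"}},
]
CURRENT_RUN = [
    {"issue": {"name": "Cross-site scripting (reflected)", "path": "/search.php", "severity": "high"}},
    {"issue": {"name": "SQL injection", "path": "/login.php", "severity": "high"}},
    {"issue": {"name": "Cookie without HttpOnly flag set", "path": "/", "severity": "low"}},
]

SEVERITY_ORDER = ["high", "medium", "low", "info"]  # most to least severe


def issue_key(event):
    """Identity of a finding across runs: issue name plus path."""
    issue = event["issue"]
    return (issue["name"], issue["path"])


def count_by_severity(events):
    """Return {"high": n, ...} with every level present (0 when absent)."""
    counts = Counter(e["issue"]["severity"].lower() for e in events)
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def new_issues(previous, current):
    """Findings in the current run that were not in the previous one."""
    seen = {issue_key(e) for e in previous}
    return [e for e in current if issue_key(e) not in seen]


def resolved_issues(previous, current):
    """Findings from the previous run that no longer appear."""
    now = {issue_key(e) for e in current}
    return [e for e in previous if issue_key(e) not in now]


def needs_alert(previous, current, threshold="medium"):
    """True when some new finding is at or above the threshold severity."""
    limit = SEVERITY_ORDER.index(threshold)
    return any(SEVERITY_ORDER.index(e["issue"]["severity"].lower()) <= limit
               for e in new_issues(previous, current))


def load_results(path):
    """Load a results file written as JSON (assumption: json.dump output)."""
    with open(path) as f:
        return json.load(f)
```

Feed two consecutive result files from the scanoutput folder to new_issues and needs_alert to turn each scheduled run into a change report rather than a full listing.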
3. How to enable the Burp Suite Pro REST API service
[Figure: the Burp Suite Pro settings screen where the REST API is enabled]
4. Use Task Scheduler (taskschd.msc) to run the script automatically. How to run a script with Windows Task Scheduler is not repeated here; see the relevant Windows help.
Using the SimpleAutoBurp script to find website vulnerabilities promptly is a remedial measure. What we should really do is establish and follow a secure software release process; for a standard release process, refer to the release and deployment processes in ITIL, or to Microsoft's SDL.
Published: 2023-04-05 05:09:19
Link: https://www.wtabcd.cn/fanwen/zuowen/84a8d3776d7661112bc1b525a9c8e6a2.html