旧版本
web中间件日志分析脚本1.0
一堆bug
新版本2.0
1.代码补全,特殊键不会乱码,使用起来更加丝滑
2.webshell检测
匹配条件是:POST请求,且请求的URL与referer的URL为同一个页面,则判定为文件上传;至于上传的是否为webshell,还需另外查看日志进行分析
3.手动指定查看的IP数
当日志数量非常庞大的时候会用到
4.自动创建一个新目录
分析的结果都放在里面
代码
#!/bin/bash
# 字体颜色
# ANSI colour escapes, stored as literal backslash sequences because every
# caller prints them through `echo -e`.
Green_font_prefix='\033[32m'
Red_font_prefix='\033[31m'
Font_color_suffix='\033[0m'
# 分割线
# 分割线: print a rule of exactly 100 dashes followed by a newline.
# Outputs: the rule on stdout
# Returns: 0
line(){
  local rule
  # %100s yields 100 spaces; swap them for dashes instead of looping.
  printf -v rule '%100s' ''
  printf '%s\n' "${rule// /-}"
}
# 选项一
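# 选项一: requests per client address, most frequent first.
# Reads a cut-off from stdin; an empty (or non-numeric) answer lists everyone.
# Globals: logfile (read)
# Outputs: "<count> <client>" lines on stdout
diffip(){
  local num
  line
  echo "查看排名前(数字):"
  read -e -p "(默认:全部)" num
  # Only a positive integer is passed to head; anything else falls back to
  # the full list instead of handing garbage to `head -n` (the original
  # `A && B || C` also ran the fallback whenever the first pipeline failed).
  if [[ $num =~ ^[0-9]+$ ]];then
    cut -d- -f 1 -- "$logfile" | sort | uniq -c | sort -rn | head -n "$num"
  else
    cut -d- -f 1 -- "$logfile" | sort | uniq -c | sort -rn
  fi
}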
# 选项二
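# 选项二: list every request made by one client.
# Loops until the typed value matches at least one log line. The value is
# used as an anchored regular expression, so a prefix such as "192.168.1."
# also works. Stops on EOF instead of spinning forever.
# Globals: logfile (read); ip (written — savefile reads it afterwards, so it
#          deliberately stays global)
# Outputs: "[time] client uri status" lines on stdout
oneip(){
  local hits
  while true;do
    echo "请输入需要分析的IP:"
    read -e ip || return 1
    line
    # One pass over the log instead of grep|wc -l followed by a second grep;
    # `$4 "]"` re-closes the bracket that field splitting cuts off the date.
    hits=$(grep -- "^$ip" "$logfile" | awk '{print $4 "]",$1,$7,$9}')
    if [[ -n $hits ]];then
      printf '%s\n' "$hits"
      break
    fi
    echo -e "${Red_font_prefix}未找到该IP!请重新输入!!${Font_color_suffix}"
    line
  done
}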
# 保存文件
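# 保存文件: after oneip, optionally write the same per-client listing to disk.
# An empty answer or Y/y saves; any other answer skips.
# Globals: ip, logfile, path (read)
# Outputs: writes ${path}${ip}.txt and confirms on stdout
savefile(){
  local choose
  echo "是否保存到文件中(Y/n):"
  read -e -p "(默认:保存)" choose
  # An explicit if: the original `A || B && C && D` chain relied on
  # left-to-right evaluation and left every expansion unquoted.
  if [[ -z $choose || $choose == [Yy] ]];then
    grep -- "^$ip" "$logfile" | awk '{print $4 "]",$1,$7,$9}' > "$path$ip.txt" \
      && echo -e "${Red_font_prefix}已保存到$path$ip.txt中${Font_color_suffix}"
  fi
}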
# 选项三
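# 选项三: number of distinct client addresses (field 1) in the log.
# Globals: logfile (read)
# Outputs: the count on stdout
howmanyip(){
  line
  # Single pass with a seen-set instead of sort|uniq|wc over an unquoted path.
  awk '!seen[$1]++ { n++ } END { print n + 0 }' "$logfile"
}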
# 选项四
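# 选项四: interactive substring filter over the log; "q" ends the loop.
# Globals: logfile (read)
# Outputs: matching lines as "[time] client uri status" on stdout
keyword(){
  local key
  while true;do
    line
    # Stop on "q" and also when input is exhausted, so a closed stdin
    # cannot spin the loop forever.
    read -e -p "请输入关键词(q为退出):" key || break
    if [[ $key == "q" ]];then
      break
    fi
    # `--` keeps a keyword starting with '-' from being parsed as an option;
    # `more | grep` was a pager doing the job of a file argument.
    grep -- "$key" "$logfile" | awk '{print $4 "]",$1,$7,$9}'
  done
}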
# 选项五
webshell(){
line
echo "请输入文件上传的URI(如upload.php):"
read -e -p "(默认:退出)" upload
[[ -z $upload ]] || cat $logfile |grep -nP "POST.*$upload.*$upload" > ""$path$filename"_webshell.txt"
echo -e "检测完毕!!"
echo -e "检测结果保存在"$path$filename"_"webshell.txt""
}
# 选项六
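# 选项六: flag clients with many 404 responses (directory brute-forcing).
# Arguments: $1 - number of 404s a client must exceed to be reported
#                 (default 20, the original cut-off)
# Globals: logfile, path, filename (read)
# Outputs: one line per suspect on stdout, also written to
#          ${path}${filename}_DirScan.txt (truncated on every run)
# Returns: 1 when $1 is not an integer
dirscan(){
  local threshold=${1:-20}
  local -r report="${path}${filename}_DirScan.txt"
  if ! [[ $threshold =~ ^[0-9]+$ ]];then
    echo -e "${Red_font_prefix}阈值必须为整数!!${Font_color_suffix}" >&2
    return 1
  fi
  line
  echo "[+] 正在检测目录扫描中。。。"
  # One pass: count 404 statuses (field 9, the status column the other
  # options already assume) per client, then report those over the cut-off.
  # The per-IP grep it replaces re-read the whole log once per client,
  # counted "404" anywhere on the line (e.g. in a URI), and used '>' inside
  # the loop so the report kept only the last suspect.
  awk -v th="$threshold" '
    $9 == "404" { hits[$1]++ }
    END {
      for (ip in hits)
        if (hits[ip] > th)
          printf "%s 可能存在目录扫描行为,共请求失败%d次\n", ip, hits[ip]
    }
  ' "$logfile" | sort | tee "$report"
  echo -e "检测完毕!!"
  echo -e "检测结果保存在${report}"
}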
# 选项七
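# 选项七(a): grep the log for common SQL-injection tokens.
# Globals: logfile, path, filename (read)
# Outputs: matches as "[time] client uri status" in ${path}${filename}_sqli.txt,
#          hit count on stdout
sqlicheck(){
  local count
  local -r report="${path}${filename}_sqli.txt"
  # Detection signatures (URL-encoded SQL keywords), unchanged.
  local -r word="%20select%20|%20and%20|%20or%20|%20exec|%27exec| information_schema.tables|%20information_schema.tables|%20where%20|%20union%20|%20SELECT%20|%2ctable_name%20|cmdshell|%20table_schema"
  line
  echo "[+] 正在检测sql注入中。。。"
  grep -E -- "$word" "$logfile" | awk '{print $4 "]",$1,$7,$9}' > "$report"
  # grep -c '' counts lines without the padding some wc builds add.
  count=$(grep -c '' "$report")
  echo -e "检测完毕!!共检测出${count}条日志"
  echo -e "检测结果保存在${report}"
}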
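# 选项七(b): grep the log for common XSS tokens (tag characters, raw or
# URL-encoded, and the usual script keywords).
# Globals: logfile, path, filename (read)
# Outputs: matches as "[time] client uri status" in ${path}${filename}_xss.txt,
#          hit count on stdout
xsscheck(){
  local count
  local -r report="${path}${filename}_xss.txt"
  local -r word="alert|script|<|>|%3C|%3c|%3e|%3E|console"
  line
  echo "[+] 正在检测xss中。。。"
  grep -E -- "$word" "$logfile" | awk '{print $4 "]",$1,$7,$9}' > "$report"
  # grep -c '' counts lines without the padding some wc builds add.
  count=$(grep -c '' "$report")
  echo -e "检测完毕!!共检测出${count}条日志"
  echo -e "检测结果保存在${report}"
}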
# 列出当前路径的文件
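echo "当前路径下的文件" && ls
# 选择需要分析的日志: prompt until an existing regular file is named.
while true;do
  # Exit on EOF instead of re-prompting forever when stdin is closed.
  read -e -p "请输入需要分析的日志:" logfile || exit 1
  # -f also rejects directories; `find` only reported that the path existed.
  if [[ -f $logfile ]];then
    break
  fi
  echo -e "${Red_font_prefix}未找到日志,请输入文件名或绝对路径!!(家目录要写全称而不是~)${Font_color_suffix}"
  line
done
# Derive the result directory from the log name: aaa/bbb.log -> aaa/log/
# (second dot-separated field, as before). A name without an extension
# falls back to <name>_result/ so results never land in "/" or the cwd.
filename=${logfile##*/}            # bbb.log
dirName=""
if [[ $filename == *.* ]];then
  dirName=${filename#*.}
  dirName=${dirName%%.*}           # log
fi
[[ -n $dirName ]] || dirName="${filename}_result"
if [[ $logfile == */* ]];then
  path="${logfile%/*}/"            # aaa/
else
  path=""
fi
# -p is idempotent and checks the real target, not a same-named dir in cwd.
mkdir -p -- "$path$dirName" || exit 1
path="$path$dirName/"              # aaa/log/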
# *****************************************
# ************** 主 面 板****************
# *****************************************
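line
# Menu loop: dispatch on the typed digit; 8 (or a closed stdin) exits.
while true; do
  echo -e "web中间件日志分析脚本 ${Red_font_prefix}[v1.0]${Font_color_suffix}
${Green_font_prefix}1.${Font_color_suffix} 不同IP访问次数
${Green_font_prefix}2.${Font_color_suffix} 单IP访问内容
${Green_font_prefix}3.${Font_color_suffix} IP访问数统计
${Green_font_prefix}4.${Font_color_suffix} 关键词筛选
${Green_font_prefix}5.${Font_color_suffix} 上传webshell检测
${Green_font_prefix}6.${Font_color_suffix} 目录扫描检测
${Green_font_prefix}7.${Font_color_suffix} 常规漏洞检测(sqli、xss)
${Green_font_prefix}8.${Font_color_suffix} 退出脚本
"
  # Exit on EOF so a closed stdin cannot spin the invalid-input branch forever.
  read -e -p "请输入数字 [1-8]:" num || exit 1
  case "$num" in
    1) diffip ;;
    2) oneip
       savefile ;;
    3) howmanyip ;;
    4) keyword ;;
    5) webshell ;;
    6) dirscan ;;
    7) sqlicheck
       xsscheck ;;
    8) echo ""
       echo -e "${Green_font_prefix}
*****************************************
*********** 谢谢您的使用,再见************
*****************************************
${Font_color_suffix}"
       exit 0 ;;
    *) echo -e "${Red_font_prefix}请输入正确数字!!${Font_color_suffix}"
       line
       continue ;;
  esac
  line
done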
版权声明:本文为weixin_43623271原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。