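def check(self, t_request):
    '''
    Probe each request parameter of *t_request* for reflected XSS.

    The request is deep-copied so the caller's object is left untouched.
    Parameters come from ``get_get_param()`` for GET and ``get_post_param()``
    for POST; any other method returns immediately (the original fell through
    to an unbound ``param_dict`` and raised UnboundLocalError).
    ``self._get_payload_list`` yields ``(param_name, modified_params)`` pairs,
    names listed in ``self._white_param`` (compared lower-cased) are skipped,
    and ``self._find_vuln`` decides whether a response counts as a hit. Hits
    are appended to ``vm`` under the key "xss" with rank ``severity.M`` and
    echoed to the log and stdout.

    :param t_request: request under test; must provide get_method(),
        get_get_param(), get_post_param() and get_url().
    :return: None.
    '''
    log.info(u"正在检测目标是否存在XSS跨站漏洞...")
    http_request = copy.deepcopy(t_request)
    method = http_request.get_method()
    if method == "GET":
        param_dict = http_request.get_get_param()
    elif method == "POST":
        param_dict = http_request.get_post_param()
    else:
        # Nothing to fuzz for other methods; returning here replaces the
        # UnboundLocalError the original raised on param_dict.
        return

    uri_string = http_request.get_url().get_uri_string()
    if method == "GET":
        # The reported URL is "<uri>?<params>" for GET and "<uri>;<params>"
        # for POST, exactly as the original formatted it.
        separator = "?"

        def send(poc_info):
            return wcurl.get(uri_string, params=poc_info)
    else:
        separator = ";"

        def send(poc_info):
            return wcurl.post(uri_string, data=poc_info)

    for name, poc_info in self._get_payload_list(param_dict):
        if name.lower() in self._white_param:
            continue
        res = send(poc_info)
        if not self._find_vuln(res):
            continue
        url = res.get_url()
        v = vuln()
        v.set_url(url.get_uri_string() + separator + str(poc_info))
        v.set_method(method)
        v.set_param(name)
        v.set_name("XSS Vuln")
        v.set_rank(severity.M)
        vm.append(self, url.get_host(), "xss", v)
        log.info("XSS Vuln")
        print(u"XSS Vuln 漏洞URL:%s,漏洞参数%s" % (url, name))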
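def check(self, t_request):
    '''
    Probe GET parameters of *t_request* for OS command execution.

    ``self._get_payload_list`` yields ``(param_name, modified_params, pattern)``
    triples; a parameter is reported when ``self._find_vuln(res, pattern)``
    flags the response to the modified request. Only GET requests are sent:
    for POST the parameters are collected and payloads built, but no request
    is issued (unchanged from the original — TODO confirm whether POST
    coverage was intended). Any other method returns at once instead of
    failing on an unbound ``param_dict``.

    Hits go to ``vm`` under "cmd" with rank ``severity.H``.

    :param t_request: request under test (project request type).
    :return: None.
    '''
    log.info(u"正在检测目标是否存在命令执行漏洞...")
    http_request = copy.deepcopy(t_request)
    method = http_request.get_method()
    if method == "GET":
        param_dict = http_request.get_get_param()
    elif method == "POST":
        param_dict = http_request.get_post_param()
    else:
        # Neither GET nor POST: nothing to test (was an UnboundLocalError).
        return
    cmd_payload_list = self._get_payload_list(param_dict)
    if method != "GET":
        # Original behaviour: POST payloads are generated but never sent.
        return

    uri_string = http_request.get_url().get_uri_string()
    for name, poc_info, pattern in cmd_payload_list:
        res = wcurl.get(uri_string, params=poc_info)
        if not self._find_vuln(res, pattern):
            continue
        url = res.get_url()
        v = vuln()
        v.set_url(url.get_uri_string() + "?" + str(poc_info))
        v.set_method("GET")
        v.set_param(name)
        v.set_name("CMD Vuln")
        v.set_rank(severity.H)
        vm.append(self, url.get_host(), "cmd", v)
        log.info("CMD Vuln")
        print(u"CMD Vuln 漏洞URL:%s,漏洞参数:%s" % (url, name))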
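def check(self, t_request):
    '''
    Probe parameters of *t_request* for local file inclusion.

    Payload triples ``(param_name, modified_params, pattern)`` come from
    ``self._get_payload_list``; a hit is when ``self._find_vuln(res, pattern)``
    flags the response. Every probe is sent with ``wcurl.get`` using the
    modified params as the query string, even when the original request was
    a POST (kept from the original; TODO confirm that is intended). Each
    parameter is reported at most once, and once reported its remaining
    payloads are skipped before any request is sent (the original still sent
    them and discarded the result). Methods other than GET/POST return at
    once instead of failing on an unbound ``param_dict``.

    Hits go to ``vm`` under "lfi" with rank ``severity.H``.

    :param t_request: request under test (project request type).
    :return: None.
    '''
    log.info(u"正在检测目标是否存在文件包含漏洞...")
    http_request = copy.deepcopy(t_request)
    method = http_request.get_method()
    if method == "GET":
        param_dict = http_request.get_get_param()
    elif method == "POST":
        param_dict = http_request.get_post_param()
    else:
        # Neither GET nor POST: nothing to test (was an UnboundLocalError).
        return
    lfi_payload_list = self._get_payload_list(param_dict)
    uri_string = http_request.get_url().get_uri_string()
    reported = set()
    for name, poc_info, pattern in lfi_payload_list:
        if name in reported:
            # Already reported: sending more payloads for it changes nothing.
            continue
        res = wcurl.get(uri_string, params=poc_info)
        if not self._find_vuln(res, pattern):
            continue
        reported.add(name)
        url = res.get_url()
        v = vuln()
        v.set_url(url.get_uri_string() + "?" + str(poc_info))
        v.set_method("GET")
        v.set_param(name)
        v.set_name("LFI Vuln")
        v.set_rank(severity.H)
        vm.append(self, url.get_host(), "lfi", v)
        log.info("LFI Vuln")
        print(u"LFI Vuln 漏洞URL:%s,漏洞参数:%s" % (url, name))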
def check(self, t_request):
    '''
    Check each directory level of the request URL for directory listing.

    ``get_dirs()`` on the request URL supplies the directory URLs to probe.
    A directory already present in ``self._already_dir_urls`` ends the whole
    check immediately (``return``, not ``continue`` — preserved from the
    original; NOTE(review): confirm that skipping the remaining directories
    is intended). Each new directory is remembered, fetched with
    ``wcurl.get``, and the first one ``self._find_vuln`` flags is reported to
    ``vm`` under "directory" with rank ``severity.M``; the loop stops after
    that first finding.

    :param t_request: request under test (project request type).
    :return: None.
    '''
    log.info(u"正在检测目标是否存在Directory目录列举漏洞...")
    http_request = copy.deepcopy(t_request)
    seen_dirs = self._already_dir_urls
    for dir_item in http_request.get_url().get_dirs():
        if dir_item in seen_dirs:
            return
        seen_dirs.append(dir_item)
        req_url = dir_item.get_uri_string()
        if not self._find_vuln(wcurl.get(req_url)):
            continue
        finding = vuln()
        finding.set_url(req_url)
        finding.set_method("GET")
        finding.set_param("")
        finding.set_name("Directory List Vuln")
        finding.set_rank(severity.M)
        vm.append(self, http_request.get_url().get_host(), "directory", finding)
        log.info("Directory List Vuln")
        print("----------Directory List Vuln")
        break
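def check(self, t_request):
    '''
    Look for exposed version-control files under the request URL.

    The check runs only once per plugin instance: ``self._already_flag`` is
    set on the first call whose domain is new to
    ``self._already_check_domain``, and every later call returns at the top.
    For each name in ``self._ver_file`` the URL is joined onto the request
    URI and fetched with ``requests.head``; a response whose lower-cased
    Content-Type equals ``self._ver_content_type`` is reported to ``vm``
    under "ver" with rank ``severity.H``.

    Fix: a response without a Content-Type header used to raise KeyError and
    abort the whole check; it is now treated as a non-match. Network errors
    from ``requests.head`` still propagate to the caller, as before.

    :param t_request: request under test (project request type).
    :return: None.
    '''
    http_request = copy.deepcopy(t_request)
    url_obj = http_request.get_url()
    domain = url_obj.get_domain()
    if self._already_flag:
        return
    if domain in self._already_check_domain:
        return
    self._already_check_domain.append(domain)
    self._already_flag = True
    log.info(u"正在检测目标是否存在版本文件漏洞...")
    uri_string = url_obj.get_uri_string()
    for item in self._ver_file:
        ver_url = URL(uri_string).urljoin(item)
        res = requests.head(ver_url)
        # Missing header -> "" which never equals the expected type.
        ver_ct = res.headers.get("content-type", "").lower()
        # ("wc.db|entries|index","application/octet-stream")
        if ver_ct != self._ver_content_type:
            continue
        v = vuln()
        v.set_url(ver_url)
        v.set_method("GET")
        v.set_param("")
        v.set_name("Ver Vuln")
        v.set_rank(severity.H)
        vm.append(self, http_request.get_url().get_host(), "ver", v)
        log.info("Ver Vuln")
        print("Ver Vuln 漏洞URL:%s" % (ver_url))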
def security_hole(self, url):
    '''
    Record a finding for *url* using the plugin's static POC metadata.

    *url* may be a ``URL`` object (its ``url_string`` is used) or a plain
    string. Title, method, link info and rank are read from
    ``self._poc_info['w_vul']``; the vuln is appended to ``vm`` keyed by the
    URL's host and the vuln's own name.

    :param url: ``URL`` instance or URL string of the finding.
    :return: None.
    '''
    url_string = url.url_string if isinstance(url, URL) else url
    meta = self._poc_info['w_vul']
    finding = vuln()
    finding.set_url(url_string)
    finding.set_name(meta['title'])
    finding.set_rank(meta['rank'])
    finding.set_method(meta['method'])
    finding.set_link_info(meta['info'])
    site = URL(finding.get_url()).get_host()
    vm.append(self, site, finding.get_name(), finding)
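def check(self, t_request):
    '''
    Look for backup copies of the site archive and of the requested file.

    Archive names (e.g. for www.baidu.com: www.zip, wwwroot, w, ...) come
    from ``gen_zip_name(domain)`` combined with each extension in
    ``self._zip_ext``; each candidate is HEAD-requested and reported when its
    lower-cased Content-Type is one of ``self._res_zip_type``. If the URL
    names a file whose extension is a key of ``self._key_ext``, each
    extension in ``self._bak_ext`` is tried as well: ".swp" as a hidden
    ".<file>.swp" judged by Content-Type, every other one as "<uri><ext>"
    fetched with ``wcurl.get`` and judged by ``self._find_vuln(res, url_ext)``.

    ``self._report_num`` counts findings; once it exceeds
    ``self._bak_max_num`` later calls return immediately (the limit is only
    checked on entry, as in the original). Findings go to ``vm`` under "bak"
    with rank ``severity.H``.

    Fixes: a response without a Content-Type header no longer raises
    KeyError; the ".swp" Content-Type comparison is case-insensitive like the
    archive one; the unused ``scheme`` local is gone.

    :param t_request: request under test (project request type).
    :return: None.
    '''
    if self._report_num > self._bak_max_num:
        return
    log.info(u"正在检测目标是否存在文件备份漏洞...")
    http_request = copy.deepcopy(t_request)
    url_obj = http_request.get_url()
    domain = url_obj.get_domain()
    uri_string = url_obj.get_uri_string()

    def report(bak_url, message):
        # Record one backup finding; *message* is the stdout format string
        # (byte vs unicode literal kept exactly as each branch printed it).
        v = vuln()
        v.set_url(bak_url)
        v.set_method("GET")
        v.set_param("")
        v.set_name("Bak Vuln")
        v.set_rank(severity.H)
        vm.append(self, http_request.get_url().get_host(), "bak", v)
        log.info("Bak Vuln")
        print(message % (bak_url))
        self._report_num += 1

    def content_type(res):
        # Lower-cased Content-Type, "" when the header is absent.
        return res.headers.get("content-type", "").lower()

    # 1. Whole-site archives next to the request URI.
    for fname in gen_zip_name(domain):
        for item in self._zip_ext:
            zip_url = URL(uri_string).urljoin(fname + "." + item)
            ct = content_type(requests.head(zip_url))
            # `ct and` keeps an absent header from matching should
            # _res_zip_type be a plain string ("" is "in" any string).
            if ct and ct in self._res_zip_type:
                report(zip_url, "Bak Vuln 漏洞URL:%s")

    # 2. Backups of the requested file itself.
    url_ext = url_obj.get_ext()
    url_file = url_obj.get_filename()
    if url_file == "":
        return
    if url_ext not in self._key_ext:
        return
    for bak_ext in self._bak_ext:
        if bak_ext == ".swp":
            # Editor swap file: hidden ".<name>.swp", detected by content type
            # (".swp","application/octet-stream").
            bak_url = URL(uri_string).urljoin("." + url_file + bak_ext)
            if content_type(requests.head(bak_url)) == "application/octet-stream":
                report(bak_url, "Bak Vuln 漏洞URL:%s")
        else:
            bak_url = uri_string + bak_ext
            res = wcurl.get(bak_url)
            if self._find_vuln(res, url_ext):
                report(bak_url, u"Bak Vuln 漏洞URL:%s")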
def check(self, t_request):
    '''
    Probe each parameter of *t_request* for SQL injection.

    Two detections run per parameter:

    * error-based — once per parameter name (tracked in ``error_param_list``)
      the parameter is replaced with a quote/parenthesis string meant to
      break the query; ``self._find_sql_error`` looks for a database error
      in the response body and, if found, a "dberror" vuln is recorded and
      ``self._verify_sql_vuln`` is asked to confirm real injection;
    * boolean-based — ``self._get_payload_list`` yields
      ``(name, poc_true, poc_false, poc_type)``; the true/false responses are
      compared against the unmodified one with ``self._get_diff_ratio`` and
      the ``_false_threshold`` / ``_true_threshold`` bounds.

    Parameter names in ``self._white_param`` (lower-cased) are skipped.
    Findings go to ``vm`` under "dberror" or "sql"; the loop stops after the
    first confirmed "sql" finding.

    NOTE(review): ``param_dict`` is only bound for GET and POST, so any
    other method raises UnboundLocalError at ``_get_payload_list``. The GET
    and POST branches also differ in ways that look unintended — confirm
    with the author: the DB-error rank is ``severity.M`` for GET but
    ``severity.H`` for POST, the DB-error name is a byte literal for GET but
    a unicode literal for POST, the ``_scan_mode == 0`` shortcut exists only
    for GET, the POST "normal" request sends no body, and the POST boolean
    finding joins the payload with "," instead of "?".

    :param t_request: request under test (project request type).
    :return: None.
    '''
    log.info(u"正在检测目标是否存在SQL注入漏洞...")
    http_request = copy.deepcopy(t_request)
    # param {"id":"d","tp":"ttt","name":""}
    if http_request.get_method() == "GET":
        param_dict = http_request.get_get_param()
    if http_request.get_method() == "POST":
        param_dict = http_request.get_post_param()
    sql_payload_list = self._get_payload_list(param_dict)
    # Parameter names whose error-based probe has already been sent.
    error_param_list = []
    for name, poc_true, poc_false, poc_type in sql_payload_list:
        if name.lower() in self._white_param:
            continue
        # print "Fuzz Name:" + name +" Fuzz Type:" + poc_type
        if http_request.get_method() == "GET":
            url_obj = http_request.get_url()
            # Baseline uses the full original URL; the true/false probes
            # replace the query with the payload dict.
            normal_resp = wcurl.get(url_obj.get_url_string())
            true_resp = wcurl.get(url_obj.get_uri_string(), params=poc_true)
            false_resp = wcurl.get(url_obj.get_uri_string(), params=poc_false)
            if name not in error_param_list:
                error_param_list.append(name)
                # 404_resp
                # Error-based probe: one malformed value for this parameter.
                temp_dict = copy.deepcopy(param_dict)
                temp_dict[name] = "'\")(wat)'\"%27"
                error_param = temp_dict
                error_resp = wcurl.get(url_obj.get_uri_string(), params=error_param)
                if self._find_sql_error(error_resp.body):
                    v = vuln()
                    url = error_resp.get_url()
                    v.set_url(url.get_uri_string() + "?" + str(error_param))
                    v.set_method("GET")
                    v.set_param(name)
                    v.set_name("数据库运行错误")
                    v.set_rank(severity.M)
                    vm.append(self, url.get_host(), "dberror", v)
                    log.info("DB Error Vuln")
                    print "----------DB Error Vuln"
                    # A DB error alone is only medium; escalate to "sql" when
                    # the verifier confirms injection, then stop this request.
                    if self._verify_sql_vuln(http_request, v, name, poc_type):
                        v = vuln()
                        url = error_resp.get_url()
                        v.set_url(url.get_uri_string() + "?" + str(poc_true))
                        v.set_method("GET")
                        v.set_param(name)
                        v.set_name("SQL注入漏洞")
                        v.set_rank(severity.H)
                        vm.append(self, url.get_host(), "sql", v)
                        log.info("SQL Vuln")
                        print u"SQL Vuln 漏洞URL:%s,漏洞参数:%s" % (url, name)
                        break
            # Boolean-based: identical true/false bodies mean the parameter
            # is not evaluated; a false probe that drifts too far from the
            # baseline is treated as noise.
            if true_resp.body == false_resp.body:
                continue
            if self._get_diff_ratio(false_resp.body, normal_resp.body) > self._false_threshold:
                continue
            if self._get_diff_ratio(normal_resp.body, true_resp.body) > self._true_threshold:
                # security_hole()
                v = vuln()
                url = true_resp.get_url()
                v.set_url(url.get_uri_string() + "?" + str(poc_true))
                v.set_method("GET")
                v.set_param(name)
                v.set_name("SQL注入漏洞")
                v.set_rank(severity.H)
                # _scan_mode 0 reports on the diff alone; otherwise the
                # verifier must confirm first (GET only — see docstring).
                if self._scan_mode == 0:
                    vm.append(self, url.get_host(), "sql", v)
                    log.info("SQL Vuln")
                    print u"SQL Vuln 漏洞URL:%s,漏洞参数:%s" % (url, name)
                    break
                else:
                    if self._verify_sql_vuln(http_request, v, name, poc_type):
                        vm.append(self, url.get_host(), "sql", v)
                        log.info("SQL Vuln")
                        print u"SQL Vuln 漏洞URL:%s,漏洞参数:%s" % (url, name)
                        break
        if http_request.get_method() == "POST":
            url_obj = http_request.get_url()
            # NOTE(review): baseline POST is sent without data — confirm.
            normal_resp = wcurl.post(url_obj.get_url_string())
            true_resp = wcurl.post(url_obj.get_uri_string(), data=poc_true)
            false_resp = wcurl.post(url_obj.get_uri_string(), data=poc_false)
            if name not in error_param_list:
                error_param_list.append(name)
                # 404_resp
                # Error-based probe, same value as the GET branch.
                temp_dict = copy.deepcopy(param_dict)
                temp_dict[name] = "'\")(wat)'\"%27"
                error_param = temp_dict
                error_resp = wcurl.post(url_obj.get_uri_string(), data=error_param)
                if self._find_sql_error(error_resp.body):
                    v = vuln()
                    url = error_resp.get_url()
                    v.set_url(url.get_uri_string() + "?" + str(error_param))
                    v.set_method("POST")
                    v.set_param(name)
                    v.set_name(u"数据库运行错误")
                    # NOTE(review): severity.H here vs severity.M for GET.
                    v.set_rank(severity.H)
                    vm.append(self, url.get_host(), "dberror", v)
                    log.info("DB Error Vuln")
                    print "----------DB Error Vuln"
                    if self._verify_sql_vuln(http_request, v, name, poc_type):
                        v = vuln()
                        url = error_resp.get_url()
                        v.set_url(url.get_uri_string() + "?" + str(poc_true))
                        v.set_method("POST")
                        v.set_param(name)
                        v.set_name("SQL注入漏洞")
                        v.set_rank(severity.H)
                        vm.append(self, url.get_host(), "sql", v)
                        log.info("SQL Vuln")
                        print u"SQL Vuln 漏洞URL:%s,漏洞参数:%s" % (url, name)
                        break
            if true_resp.body == false_resp.body:
                continue
            if self._get_diff_ratio(false_resp.body, normal_resp.body) > self._false_threshold:
                continue
            if self._get_diff_ratio(normal_resp.body, true_resp.body) > self._true_threshold:
                # security_hole()
                v = vuln()
                url = true_resp.get_url()
                # NOTE(review): "," separator here, "?" everywhere else.
                v.set_url(url.get_uri_string() + "," + str(poc_true))
                v.set_method("POST")
                v.set_param(name)
                v.set_name("SQL注入漏洞")
                v.set_rank(severity.H)
                # POST always requires verifier confirmation (no _scan_mode
                # shortcut, unlike the GET branch).
                if self._verify_sql_vuln(http_request, v, name, poc_type):
                    vm.append(self, url.get_host(), "sql", v)
                    log.info("SQL Vuln")
                    print u"SQL Vuln 漏洞URL:%s,漏洞参数:%s" % (url, name)
                    break