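def run_domain(http, config):
    """
    Probe one site for the PHPWind 7.5 hack/rate/admin.php file-inclusion issue.

    Two requests go to the same admin.php path. The check fires when the
    ``job=ajax`` variant returns a 200 whose body echoes both ``ajax`` and
    ``adminjob=hack`` while the ``job=testerfileinclude`` variant returns a
    200 with an empty body.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId``, ``cookie`` and the optional
            ``source_ip``.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when nothing was detected or a request raised (the exception is
        logged, never re-raised).
    """
    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the module-level defaults instead of aliasing them: the per-site
    # Host/cookie values written below would otherwise persist in the shared dict.
    headers = dict(headerDictDefault)
    headers['Host'] = config['domain']
    headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    headers['Accept-Language'] = 'en-US,en;q=0.5'
    headers['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0'
    headers['cookie'] = config['cookie']
    source_ip = config.get('source_ip')
    responseList = []
    try:
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or scanInfo['domain']
        urlBase = scanInfo['scheme'] + "://" + host
        urlTrue = urlBase + '/admin.php?adminjob=hack&hackset=rate&typeid=100&job=ajax'
        urlFalse = urlBase + "/admin.php?adminjob=hack&hackset=rate&typeid=100&job=testerfileinclude"
        responseTrue = request(url=urlTrue, headers=headers)
        responseFalse = request(url=urlFalse, headers=headers)
        bothOk = responseTrue['httpcode'] == 200 and responseFalse['httpcode'] == 200
        if bothOk:
            bodyTrue = responseTrue['response_body']
            echoed = "ajax" in bodyTrue and "adminjob=hack" in bodyTrue
            if echoed and responseFalse['response_body'] == '':
                injectInfo = returnInjectResult(url=urlFalse, confirm=1,
                                                detail="PHPWind7.5 的 hack/rate/admin.php 任何包含文件漏洞",
                                                response=responseFalse)
                responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.error("File:PHPWind75_fileinclude_admin.py:" + str(e))
    return responseList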
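def run_url(http, config, item):
    """
    Check one crawled URL for iframes that point to another host.

    The crawled request is replayed with the method and params recorded in
    ``item``. Every ``<iframe src="...">`` in the response body is parsed; the
    first one whose host differs from the scanned domain produces a finding
    (confirm=0). Relative ``src`` values are same-origin and are skipped.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``domain``,
            ``level``, ``vulId``, ``cookie`` and the optional ``source_ip``.
        item: crawled request record with ``url``, ``method`` and ``params``.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when nothing matched or a step raised (the exception is logged,
        never re-raised).
    """
    responseList = []
    try:
        scanInfo = {
            'siteId': config['siteId'],
            'ip': config['ip'],
            'domain': config['domain'],
            'level': config['level'],
            'vulId': config['vulId'],
        }
        # Copy the module-level defaults instead of aliasing them: the per-site
        # Host/cookie values written below would otherwise persist in the shared dict.
        headers = dict(headerDictDefault)
        headers['cookie'] = config['cookie']
        headers['Host'] = config['domain']
        source_ip = config.get('source_ip')

        url = item['url']
        parsed = urlparse.urlparse(url)
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or parsed.netloc
        new_url = "%s://%s%s" % (parsed.scheme, host, parsed.path)
        if parsed.query:
            new_url = "%s?%s" % (new_url, parsed.query)

        if item['method'].lower() == 'get':
            url = "%s?%s" % (new_url, item['params'])
            bodyDict = {}
        else:
            url = new_url
            bodyDict = db_params2dict(item['params'])

        response = request(url=url, body=dict2query(bodyDict), headers=headers, method=item['method'])
        for src in re.findall(r'<iframe.*?src="(.*?)"', response['response_body']):
            frameHost = urlparse.urlparse(src).netloc
            if not frameHost:
                # Relative src: same origin by construction, so not an off-site frame.
                continue
            if frameHost != scanInfo['domain']:
                injectInfo = returnInjectResult(url=url, confirm=0, detail='点击劫持,iframe连接到了外站', response=response)
                responseList.append(getRecord2(scanInfo, injectInfo))
                return responseList
            logger.debug("iframe on scanned host: %s %s", scanInfo['domain'], frameHost)
    except Exception as e:
        logger.error("File:ClickJacking_iframe.py, run_url function :%s", e)
    return responseList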
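def run_domain(http, config):
    """
    Fingerprint the Apache version advertised in the site root's Server header.

    Sites whose ``server`` setting is nginx or iis are skipped. A finding is
    recorded when the Server header names Apache with a version strictly
    between 2.2.0 and 2.3.0, except 2.2.15 (the detail string names the
    mod_isapi dangling-pointer issue). A Server header without a version
    cannot be fingerprinted and yields no finding.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``server``, ``siteId``, ``ip``,
            ``scheme``, ``domain``, ``level``, ``vulId``, ``cookie`` and the
            optional ``source_ip``.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when nothing was detected, the server type was skipped, or the
        request raised (the exception is logged, never re-raised).
    """
    if config.get('server') in ('nginx', 'iis'):
        return []

    def versionTuple(text):
        """'2.2.15' -> (2, 2, 15); parsing stops at the first non-numeric piece."""
        parts = []
        for piece in text.split('.'):
            digits = ''
            for ch in piece:
                if not ch.isdigit():
                    break
                digits += ch
            if not digits:
                break
            parts.append(int(digits))
        return tuple(parts)

    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the module-level defaults instead of aliasing them: the per-site
    # Host/cookie values written below would otherwise persist in the shared dict.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    responseList = []
    try:
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or scanInfo['domain']
        url = scanInfo['scheme'] + "://" + host
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200:
            respHeaders = response['response_headers']
            # 'Server' takes precedence over 'server' when both are present.
            server = respHeaders.get('Server', respHeaders.get('server', '')).lower()
            if 'apache' in server:
                # "apache/2.2.15 (centos)" -> "2.2.15"; empty when the version is hidden.
                version = server.split(' ')[0].partition('/')[2]
                vt = versionTuple(version)
                # Numeric comparison also tolerates suffixes such as "2.2.15-ubuntu".
                if (2, 2, 0) < vt < (2, 3, 0) and vt != (2, 2, 15):
                    injectInfo = returnInjectResult(
                        url=url,
                        confirm=1,
                        detail="Apache mod_isapi模块悬挂指针漏洞",
                        response=response)
                    responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.exception(e)
    return responseList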
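def run_url(http, config, item):
    """
    Detect the HDWiki site builder from a crawled ``.js`` URL.

    Only items whose path ends in ``.js`` are fetched. A finding is recorded
    when the script is served with status 200 and its body contains the
    string ``hdwiki``.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId``, ``cookie`` and the optional
            ``source_ip``.
        item: crawled request record; only ``url`` is read.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when nothing was detected or the request raised (the exception
        is logged, never re-raised).
    """
    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the module-level defaults instead of aliasing them: the per-site
    # Host/cookie values written below would otherwise persist in the shared dict.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    responseList = []
    try:
        url = item['url']
        parsed = urlparse.urlparse(url)
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or parsed.netloc
        new_url = "%s://%s%s" % (parsed.scheme, host, parsed.path)
        if parsed.query:
            new_url = "%s?%s" % (new_url, parsed.query)

        if parsed.path.endswith('.js'):
            response = request(url=new_url, headers=headers, method="GET")
            # Membership test rather than find(): find() returns -1 (truthy) on a
            # miss and 0 (falsy) on a hit at offset 0, inverting the check.
            if response['httpcode'] == 200 and 'hdwiki' in response['response_body']:
                injectInfo = returnInjectResult(url=new_url, confirm=1, detail="检测到HDWiki建站系统", response=response)
                responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.exception(e)
    return responseList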
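def run_domain(http, config):
    """
    Check whether any of the configured resource paths is reachable on the site.

    Each path in ``resourceDict['access']['list']`` is appended to the site
    base URL and fetched; the first one answered with status 200 produces a
    finding whose detail is ``resourceDict['access']['detail']``.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId``, ``cookie`` and the optional
            ``source_ip``.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when no path answered 200 or a request raised (the exception is
        logged, never re-raised).
    """
    responseList = []
    try:
        scanInfo = {
            'siteId': config['siteId'],
            'ip': config['ip'],
            'scheme': config['scheme'],
            'domain': config['domain'],
            'level': config['level'],
            'vulId': config['vulId'],
        }
        # Copy the module-level defaults instead of aliasing them: the per-site
        # Host/cookie values written below would otherwise persist in the shared dict.
        headers = dict(headerDictDefault)
        headers['cookie'] = config['cookie']
        headers['Host'] = config['domain']
        source_ip = config.get('source_ip')
        accessPaths = resourceDict['access']['list']

        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or scanInfo['domain']
        urlBase = scanInfo['scheme'] + "://" + host
        for path in accessPaths:
            currentUrl = urlBase + path
            logger.debug("checking resource path %s", currentUrl)
            # Pass the prepared headers: without Host the source_ip request
            # would not reach the intended virtual host.
            response = request(url=currentUrl, headers=headers)
            if response['httpcode'] == 200:
                injectInfo = returnInjectResult(url=currentUrl, confirm=1, detail=resourceDict['access']['detail'], response=response)
                responseList.append(getRecord2(scanInfo, injectInfo))
                return responseList
    except Exception as e:
        logger.error("File:resource_access.py, run_domain function :%s", e)
    return responseList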
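def run_domain(http, config):
    """
    Fingerprint the PHP version advertised in the site root's X-Powered-By header.

    The header name is matched case-insensitively (last match wins). A finding
    is recorded when the value names PHP with a version in 5.3.0..5.3.5 or
    5.2.0..5.2.17 inclusive (the detail string names the float-parsing hang).
    A value without a version cannot be fingerprinted and yields no finding.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId``, ``cookie`` and the optional
            ``source_ip``.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when nothing was detected or the request raised (the exception
        is logged, never re-raised).
    """

    def versionTuple(text):
        """'5.3.3-7+squeeze' -> (5, 3, 3); parsing stops at the first non-numeric piece."""
        parts = []
        for piece in text.split('.'):
            digits = ''
            for ch in piece:
                if not ch.isdigit():
                    break
                digits += ch
            if not digits:
                break
            parts.append(int(digits))
        return tuple(parts)

    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the module-level defaults instead of aliasing them: the per-site
    # Host/cookie values written below would otherwise persist in the shared dict.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    responseList = []
    try:
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or scanInfo['domain']
        url = scanInfo['scheme'] + "://" + host
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200:
            xPoweredBy = ''
            for key, value in response['response_headers'].items():
                if key.lower() == 'x-powered-by':
                    xPoweredBy = value.lower()
            if 'php' in xPoweredBy:
                # "php/5.3.3-7+squeeze" -> "5.3.3-7+squeeze"; empty when no version is advertised.
                version = xPoweredBy.split(' ')[0].partition('/')[2]
                vt = versionTuple(version)
                # Compare numerically: as strings "5.3.10" <= "5.3.5" and "5.2.2" > "5.2.17",
                # which both misclassify real releases.
                if (5, 3, 0) <= vt <= (5, 3, 5) or (5, 2, 0) <= vt <= (5, 2, 17):
                    injectInfo = returnInjectResult(url=url, confirm=1, detail="PHP浮点数解析挂起漏洞", response=response)
                    responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.exception(e)
    return responseList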
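def run_domain(http, config):
    """
    Check whether ``/admin/index1.asp`` is served without authentication.

    A single GET is sent to that path; a 200 answer is recorded as a finding
    (the detail string names the travel-agency management system whose admin
    page is reachable this way). The finding reports the site base URL.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId``, ``cookie`` and the optional
            ``source_ip``.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when the path did not answer 200 or the request raised (the
        exception is logged, never re-raised).
    """
    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the module-level defaults instead of aliasing them: the per-site
    # Host/cookie values written below would otherwise persist in the shared dict.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    responseList = []
    try:
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or scanInfo['domain']
        urlBase = scanInfo['scheme'] + "://" + host
        url = urlBase + '/admin/index1.asp'
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200:
            injectInfo = returnInjectResult(url=urlBase, confirm=1, detail="仙游旅行社管理系统后台越权访问", response=response)
            responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.exception(e)
    return responseList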
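def run_domain(http, config):
    """
    Check whether ``eccredit.php`` reflects its ``uid`` parameter unescaped.

    A single GET carrying a marker string in ``uid`` is sent; a 200 answer
    whose body contains the marker is recorded as a finding (the detail
    string names the Discuz 6.0 eccredit reflected-XSS issue). The finding
    reports the site base URL.

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId``, ``cookie`` and the optional
            ``source_ip``.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when the marker was not reflected or the request raised (the
        exception is logged, never re-raised).
    """
    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the module-level defaults instead of aliasing them: the per-site
    # Host/cookie values written below would otherwise persist in the shared dict.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    responseList = []
    try:
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or scanInfo['domain']
        urlBase = scanInfo['scheme'] + "://" + host
        url = urlBase + '/eccredit.php?action=list&uid="><script>alert(/hacking-xss_eccredit/);</script>'
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200 and "hacking-xss_eccredit" in response['response_body']:
            injectInfo = returnInjectResult(
                url=urlBase,
                confirm=1,
                detail="Discuz 6.0 的 eccredit  中的 uid 未做严格过滤导致 xss漏洞",
                response=response)
            responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.exception(e)
    return responseList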
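def run_url(http, config, item):
    """
    Fingerprint the jQuery version served by a crawled ``.js`` URL.

    Only items whose path ends in ``.js`` are fetched. The version is taken
    from the banner of the minified build (``jQuery v1.2.3``) or the full
    build (``jQuery JavaScript Library v1.2.3``); the full-build match wins
    when both are present. Versions below 1.11.3 are recorded (the detail
    string names the XSS risk of old releases).

    Args:
        http: unused in this function; kept for the plugin interface.
        config: per-site scan settings; reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId``, ``cookie`` and the optional
            ``source_ip``.
        item: crawled request record; only ``url`` is read.

    Returns:
        A list holding at most one record built by ``getRecord2``; an empty
        list when nothing was detected or the request raised (the exception
        is logged, never re-raised).
    """
    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the module-level defaults instead of aliasing them: the per-site
    # Host/cookie values written below would otherwise persist in the shared dict.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    responseList = []
    try:
        url = item['url']
        parsed = urlparse.urlparse(url)
        # Connect to source_ip when one is configured; the Host header still
        # carries the scanned domain so the right virtual host answers.
        host = source_ip or parsed.netloc
        new_url = "%s://%s%s" % (parsed.scheme, host, parsed.path)
        if parsed.query:
            new_url = "%s?%s" % (new_url, parsed.query)

        if parsed.path.endswith('.js'):
            response = request(url=new_url, headers=headers, method="GET")
            if response['httpcode'] == 200:
                body = response['response_body']
                patternCompress = re.compile(r'jQuery\s*v(\d{1,2}\.\d{1,2}\.\d{1,2})\s')
                patternUncompress = re.compile(r'jQuery\sJavaScript\sLibrary\sv(\d{1,2}\.\d{1,2}\.\d{1,2})')
                version = None
                matchesCompress = patternCompress.findall(body)
                if matchesCompress:
                    version = matchesCompress[0]
                matchesUncompress = patternUncompress.findall(body)
                if matchesUncompress:
                    version = matchesUncompress[0]
                # The regexes guarantee three numeric fields, so a tuple compare is
                # safe; comparing the strings would rank "1.9.1" above "1.11.3".
                if version and tuple(int(p) for p in version.split('.')) < (1, 11, 3):
                    injectInfo = returnInjectResult(
                        url=url,
                        confirm=1,
                        detail="jquery 低版本易导致xss攻击",
                        response=response)
                    responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.exception(e)
    return responseList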