Ejemplo n.º 1
0
 def run(self, url, html):
     if (not url.find("?")):
         return False
     Downloader = Download.Downloader()
     BOOLEAN_TESTS = (" AND %d=%d", " OR NOT (%d=%d)")
     DBMS_ERRORS = {# regular expressions used for DBMS recognition based on error message response
     "MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."),
     "PostgreSQL": (r"PostgreSQL.*ERROR", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."),
     "Microsoft SQL Server": (r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*\WSystem\.Data\.SqlClient\.", r"(?s)Exception.*\WRoadhouse\.Cms\."),
     "Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"),
     "Oracle": (r"\bORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*"),
     "IBM DB2": (r"CLI Driver.*DB2", r"DB2 SQL error", r"\bdb2_\w+\("),
     "SQLite": (r"SQLite/JDBCDriver", r"SQLite.Exception", r"System.Data.SQLite.SQLiteException", r"Warning.*sqlite_.*", r"Warning.*SQLite3::", r"\[SQLITE_ERROR\]"),
     "Sybase": (r"(?i)Warning.*sybase.*", r"Sybase message", r"Sybase.*Server message.*"),
     }
     _url = url + "%29%28%22%27"  #用)('"进行闭合
     _content = Downloader.get(_url)
     for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS
                           for regex in DBMS_ERRORS[dbms]):
         if (re.search(regex, _content)):
             print "sql fonud: %" % url
             return True
     content = {}
     content["origin"] = Downloader.get(_url)
     for test_payload in BOOLEAN_TESTS:
         RANDINT = random.randint(1, 255)
         _url = url + test_payload % (RANDINT, RANDINT)
         content["true"] = Downloader.get(_url)
         _url = url + test_payload % (RANDINT, RANDINT + 1)
         content["false"] = Downloader.get(_url)
         if content["origin"] == content["true"] != content["false"]:
             print "sql fonud: %" % url
             return True
Ejemplo n.º 2
0
    def run(self, url, html):
        download = Download.Downloader()
        urls = common.urlsplit(url)

        if urls is None:
            return False
        for _urlp in urls:
            for _payload in payload:
                _url = _urlp.replace("my_Payload", _payload)
                print "[xss test]:", _url
                #我们需要对URL每个参数进行拆分,测试
                _str = download.get(_url)
                if _str is None:
                    return False
                if (_str.find(_payload) != -1):
                    print "xss found:%s" % url
        return False
Ejemplo n.º 3
0
    def run(self, url, html):
        if url is None:
            return False
        downloader = Download.Downloader()
        urls = common.urlsplit(url)

        if urls is None:
            return False

        for _urlp in urls:
            for _payload in payload:
                _url = _urlp.replace('my_Payload', _payload)
                print("[xss test]:", url)
                _str = downloader.get(_url)
                if _str is None:
                    return False
                if _str.find(_payload) != -1:
                    return True
        return False
Ejemplo n.º 4
0
    def run(self, url, html):
        download = Download.Downloader()
        urls = common.urlsplit(url)

        if urls is None:
            return False
        for _urlp in urls:
            for _payload in payload:
                _url = _urlp.replace("my_Payload", _payload)
                print("[xss test]:", _url)
                #对URL每个参数进行拆分,测试
                _str = download.get(_url)
                if _str is None:
                    return False
                if (_str.find(_payload) != -1):
                    print("xss found:%s" % url)
                    websec.output.add_list("Xss",
                                           "url:%s payload:%s" % (url, _url))
        return False
Ejemplo n.º 5
0
class webcms(object):
    """
    WebCMS指纹识别类
    """
    workQueue = queue.Queue()
    URL = ""
    threadNum = 0
    NotFound = True
    Downloader = Download.Downloader()
    result = ""

    def __init__(self, url, threadNum=10):
        self.URL = url
        self.threadNum = threadNum
        filename = os.path.join(sys.path[0], 'fuzz', 'cms.json')
        with open(filename, encoding="utf-8") as f:
            webdata = json.load(f, encoding='utf-8')
            for i in webdata:
                self.workQueue.put(i)

    def getmd5(self, body):
        m2 = hashlib.md5()
        m2.update(body)
        return m2.hexdigest()

    def th_whatweb(self):
        if (self.workQueue.empty()):
            self.NotFound = False
            return False

        if (self.NotFound is False):
            return False

        cms = self.workQueue.get()
        _url = self.URL + cms['url']
        html = self.Downloader.get(_url)
        print("[whatweb log] : checking %s" % _url)
        if (html is None):
            return False
        if cms['re']:
            if (html.find(cms['re']) != -1):
                self.result = cms['name']
                self.NotFound = False
                return True

        else:
            md5 = self.getmd5(html)
            if (md5 == cms['md5']):
                self.result = cms['name']
                self.NotFound = False
                return True

    def run(self):
        while (self.NotFound):
            th = []
            for i in range(self.threadNum):
                t = threading.Thread(target=self.th_whatweb)
                t.start()
                th.append(t)
            for t in th:
                t.join()
        if (self.result):
            print("[webcms] : %s cms is %s" % (self.URL, self.result))
        else:
            print("[webcms] : %s cms NotFound!" % self.URL)
Ejemplo n.º 6
0
class webcms(object):
    workQueue = Queue.Queue()
    URL = ""
    threadNum = 0
    NotFound = True
    Downloader = Download.Downloader()
    result = ""

    def __init__(self,url,threadNum = 10):
        self.URL = url
        self.threadNum = threadNum
        filename = os.path.join(sys.path[0], "data", "data.json")
        fp = open(filename)
        webdata = json.load(fp,encoding="utf-8")
        for i in webdata:
            self.workQueue.put(i)
        fp.close()
    
    def getmd5(self, body):
        m2 = hashlib.md5()
        m2.update(body)
        return m2.hexdigest()

    def th_whatweb(self):
        if(self.workQueue.empty()):
            self.NotFound = False
            return False

        if(self.NotFound is False):
            return False
        cms = self.workQueue.get()
        _url = self.URL + cms["url"]
        html = self.Downloader.get(_url)
        print "[whatweb log]:checking %s"%_url
        if(html is None):
            return False
        if cms["re"]:
            if(html.find(cms["re"])!=-1):
                self.result = cms["name"]
                self.NotFound = False
                return True
        else: 
            md5 = self.getmd5(html)
            if(md5==cms["md5"]):
                self.result = cms["name"]
                self.NotFound = False
                return True
    
    def run(self):
        while(self.NotFound):
            th = []
            for i in range(self.threadNum):
                t = threading.Thread(target=self.th_whatweb)
                t.start()
                th.append(t)
            for t in th:
                t.join()
        if(self.result):
            print "[webcms]:%s cms is %s"%(self.URL,self.result)
            output.add("Webcms","[webcms]:%s cms is %s"%(self.URL,self.result))
        else:
            print "[webcms]:%s cms NOTFound!"%self.URL
            output.add("Webcms","[webcms]:%s cms NOTFound!"%self.URL)
Ejemplo n.º 7
0
 def __init__(self, root, threadNum):
     self.urls = UrlManager.UrlManager()
     self.download = Download.Downloader()
     self.root = root
     self.threadNum = threadNum
Ejemplo n.º 8
0
 def __init__(self, root, threadNum):
     self.urls = UrlManager()
     self.download = Download.Downloader()
     self.root = root
     self.threadNum = threadNum
     self.domian = urlparse.urlparse(root).netloc
Ejemplo n.º 9
0
#!/usr/bin/env python
#-*- coding:utf-8 -*-
import re, random
from lib.core import Download
Downloader = Download.Downloader()
url = "http://127.0.0.1/Less-2/?id=1"
content = {}
content["origin"] = Downloader.get(url)

BOOLEAN_TESTS = (" AND %d=%d", " OR NOT (%d=%d)")
for test_payload in BOOLEAN_TESTS:
    RANDINT = random.randint(1, 255)
    _url = url + test_payload % (RANDINT, RANDINT)
    content["true"] = Downloader.get(_url)
    _url = url + test_payload % (RANDINT, RANDINT + 1)
    content["false"] = Downloader.get(_url)
    if content["origin"] == content["true"] != content["false"]:
        print url + "存在数字型SQL注入漏洞"