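def run_domain(http, config):
    """Probe for the PHPWind 7.5 ``hack/rate/admin.php`` file-inclusion issue.

    Two ``admin.php`` URLs are requested with the same headers: a benign
    ``job=ajax`` and a bogus ``job=testerfileinclude``. The site is reported
    when the benign page echoes the ajax job and ``adminjob=hack`` while the
    bogus job yields an empty 200 body (the include target was silently
    not found). An empty body alone is weak evidence; ``confirm=1`` is kept
    from the original plugin, so treat the record as needing a manual look.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict. Reads ``siteId``, ``ip``, ``scheme``,
            ``domain``, ``level``, ``vulId`` and ``cookie`` (KeyError if
            missing) plus the optional ``source_ip``.

    Returns:
        list of ``getRecord2`` records; empty when nothing was found or a
        request failed (failures are logged, never raised).
    """
    scan_info = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Work on a copy: the original assigned the shared default dict and then
    # mutated it, so cookie/Host from one scan leaked into every later scan
    # in the same process.
    headers = dict(headerDictDefault)
    headers['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    headers['Accept-Language'] = 'en-US,en;q=0.5'
    headers['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0'
    headers['cookie'] = config['cookie']
    # Host carries the real vhost even when the request is sent to source_ip.
    headers['Host'] = scan_info['domain']
    source_ip = config.get('source_ip')
    results = []
    try:
        url_base = "%s://%s" % (scan_info['scheme'], source_ip or scan_info['domain'])
        url_true = url_base + '/admin.php?adminjob=hack&hackset=rate&typeid=100&job=ajax'
        url_false = url_base + "/admin.php?adminjob=hack&hackset=rate&typeid=100&job=testerfileinclude"
        resp_true = request(url=url_true, headers=headers)
        resp_false = request(url=url_false, headers=headers)
        if resp_true['httpcode'] == 200 and resp_false['httpcode'] == 200:
            body_true = resp_true['response_body']
            if ("ajax" in body_true and "adminjob=hack" in body_true
                    and resp_false['response_body'] == ''):
                inject_info = returnInjectResult(url=url_false, confirm=1, detail="PHPWind7.5 的 hack/rate/admin.php 任何包含文件漏洞", response=resp_false)
                results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.error("File:PHPWind75_fileinclude_admin.py:" + str(e))
        # The original fell off the end and returned None here; callers
        # expect a list.
        return results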
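# Matches <iframe ... src=...> with either quote style and any tag case; the
# original only matched a lowercase tag with a double-quoted src.
_IFRAME_SRC_RE = re.compile(r'<iframe[^>]*?\bsrc\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)


def _iframe_sources(body):
    """Return the ``src`` value of every ``<iframe>`` tag found in *body*.

    Pure text helper so the detection rule can be unit-tested without
    issuing requests. Relative and protocol-relative values are returned
    as-is; the caller decides what counts as off-site.
    """
    if not body:
        return []
    return _IFRAME_SRC_RE.findall(body)


def run_url(http, config, item):
    """Report pages that embed an ``<iframe>`` whose src points off-site.

    The item's URL is fetched with its own method and params, every
    ``<iframe ... src=...>`` is extracted, and the first one whose host is
    not the scanned domain produces a single unconfirmed (``confirm=0``)
    record. The project labels this "clickjacking"; an off-site iframe is
    really third-party embedding, so the record is informational.

    Fixes over the original: a relative src (``/x``, ``about:blank``) has an
    empty netloc, which compared unequal to the domain and was reported as
    external; the shared default header dict was mutated in place; an
    unused ``post_all_query2dict`` call and a debug ``print`` were dropped.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, domain, level, vulId,
            cookie; optional source_ip).
        item: dict with ``url``, ``method`` and ``params``.

    Returns:
        list of ``getRecord2`` records; ``[]`` on error (logged).
    """
    try:
        scan_info = {
            'siteId': config['siteId'],
            'ip': config['ip'],
            'domain': config['domain'],
            'level': config['level'],
            'vulId': config['vulId'],
        }
        headers = dict(headerDictDefault)
        headers['cookie'] = config['cookie']
        headers['Host'] = config['domain']
        source_ip = config.get('source_ip')
        parsed = urlparse.urlparse(item['url'])
        host = source_ip or parsed.netloc
        if parsed.query:
            target = "%s://%s%s?%s" % (parsed.scheme, host, parsed.path, parsed.query)
        else:
            target = "%s://%s%s" % (parsed.scheme, host, parsed.path)
        if item['method'].lower() == 'get':
            # NOTE(review): if item['url'] already carried a query this adds a
            # second '?'; assumes GET params live only in item['params'] — verify.
            url = "%s?%s" % (target, item['params'])
            body = {}
        else:
            url = target
            body = db_params2dict(item['params'])
        response = request(url=url, body=dict2query(body), headers=headers, method=item['method'])
        own_host = scan_info['domain'].lower()
        results = []
        for src in _iframe_sources(response['response_body']):
            netloc = urlparse.urlparse(src).netloc.lower()
            if not netloc:
                continue  # relative src: same origin, not an external frame
            if netloc != own_host:
                inject_info = returnInjectResult(url=url, confirm=0, detail='点击劫持,iframe连接到了外站', response=response)
                results.append(getRecord2(scan_info, inject_info))
                return results
        return results
    except Exception as e:
        logger.error("File:ClickJacking_iframe.py, run_url function :%s" % (str(e)))
        return []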
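def _apache_version(banner):
    """Return the Apache version from a lowercased Server banner as an int tuple.

    ``'apache/2.2.22 (ubuntu)'`` -> ``(2, 2, 22)``. Returns None when the
    banner is not Apache or carries no version (a bare ``apache`` banner is
    common; the original raised IndexError there, which was logged as a
    scan failure). Non-numeric version tails are dropped.
    """
    if not banner or "apache" not in banner:
        return None
    product = banner.split(' ')[0]
    if '/' not in product:
        return None
    parts = []
    for piece in product.split('/', 1)[1].split('.'):
        digits = ''
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or None


def run_domain(http, config):
    """Flag Apache 2.2.x builds older than 2.2.15 for the mod_isapi dangling-pointer bug.

    A single GET against the site root is made and the ``Server`` header
    is inspected. Versions are compared numerically; the original compared
    strings, which excluded only ``2.2.15`` itself and therefore kept
    flagging every later 2.2.x release. ``2.2.15`` is the release that
    shipped the fix, so the vulnerable window is ``2.2.0 <= v < 2.2.15``.
    mod_isapi only exists on Windows and distro backports keep old version
    strings, so a banner match is a lead, not proof.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, scheme, domain, level,
            vulId, cookie; optional source_ip and server). Sites whose
            configured ``server`` is nginx or iis are skipped outright.

    Returns:
        list of ``getRecord2`` records; empty on no match or error (logged).
    """
    server = config.get('server')
    if server in ['nginx', 'iis']:
        return []
    scan_info = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the shared default headers instead of mutating them in place.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    results = []
    try:
        url = "%s://%s" % (scan_info['scheme'], source_ip or scan_info['domain'])
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200:
            banner = ''
            for key, value in response['response_headers'].items():
                if key.lower() == 'server':
                    banner = value.lower()
            version = _apache_version(banner)
            if version is not None and (2, 2, 0) <= version < (2, 2, 15):
                inject_info = returnInjectResult(
                    url=url, confirm=1,
                    detail="Apache mod_isapi模块悬挂指针漏洞",
                    response=response)
                results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.exception(e)
        return results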
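def _is_hdwiki_script(path, body):
    """True when *path* names a ``.js`` file whose *body* mentions ``hdwiki``.

    The original tested ``body.find('hdwiki')`` for truthiness: ``find``
    returns -1 (truthy) when absent and 0 (falsy) when the marker is the
    very first byte, so the check was inverted for almost every script.
    """
    return path.endswith('.js') and 'hdwiki' in (body or '')


def run_url(http, config, item):
    """Fingerprint the HDWiki CMS from a referenced JavaScript file.

    Only items whose path ends in ``.js`` are fetched; a 200 response whose
    body contains ``hdwiki`` yields one record. This is a fingerprint, not
    a vulnerability finding.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, scheme, domain, level,
            vulId, cookie; optional source_ip).
        item: dict with ``url``.

    Returns:
        list of ``getRecord2`` records; empty on no match or error (logged).
    """
    scan_info = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the shared default headers instead of mutating them in place.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    results = []
    try:
        parsed = urlparse.urlparse(item['url'])
        host = source_ip or parsed.netloc
        if parsed.query:
            new_url = "%s://%s%s?%s" % (parsed.scheme, host, parsed.path, parsed.query)
        else:
            new_url = "%s://%s%s" % (parsed.scheme, host, parsed.path)
        if parsed.path.endswith('.js'):
            response = request(url=new_url, headers=headers, method="GET")
            if response['httpcode'] == 200 and _is_hdwiki_script(parsed.path, response['response_body']):
                inject_info = returnInjectResult(url=new_url, confirm=1, detail="检测到HDWiki建站系统", response=response)
                results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.exception(e)
        return results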
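def run_domain(http, config):
    """Check whether any of the configured ``access`` resource paths exist.

    Every path in ``resourceDict['access']['list']`` is appended to the
    site base URL and requested; each 200 response becomes one record.
    A bare 200 is weak evidence on sites that answer unknown paths with a
    soft-404 page, so expect false positives there.

    Fixes over the original: the Host/cookie headers were built but never
    sent (so a ``source_ip`` probe hit the wrong vhost); the shared default
    header dict was mutated in place; a debug ``print`` was removed; and
    records gathered before an error are now returned instead of ``[]``.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, scheme, domain, level,
            vulId, cookie; optional source_ip).

    Returns:
        list of ``getRecord2`` records (possibly partial if a request failed;
        the failure is logged).
    """
    results = []
    try:
        scan_info = {
            'siteId': config['siteId'],
            'ip': config['ip'],
            'scheme': config['scheme'],
            'domain': config['domain'],
            'level': config['level'],
            'vulId': config['vulId'],
        }
        headers = dict(headerDictDefault)
        headers['cookie'] = config['cookie']
        headers['Host'] = config['domain']
        source_ip = config.get('source_ip')
        url_base = "%s://%s" % (scan_info['scheme'], source_ip or scan_info['domain'])
        for path in resourceDict['access']['list']:
            current_url = url_base + path
            response = request(url=current_url, headers=headers)
            if response['httpcode'] == 200:
                inject_info = returnInjectResult(url=current_url, confirm=1, detail=resourceDict['access']['detail'], response=response)
                results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.error("File:resource_access.py, run_domain function :%s" % (str(e)))
        return results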
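def _php_version(x_powered_by):
    """Return the PHP version from a lowercased X-Powered-By value as an int tuple.

    ``'php/5.3.10-1ubuntu3'`` -> ``(5, 3, 10)``. Returns None when the value
    is not PHP or has no version (the original raised IndexError on a bare
    ``php`` banner). Non-numeric tails are dropped.
    """
    if not x_powered_by or "php" not in x_powered_by:
        return None
    product = x_powered_by.split(' ')[0]
    if '/' not in product:
        return None
    parts = []
    for piece in product.split('/', 1)[1].split('.'):
        digits = ''
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or None


def run_domain(http, config):
    """Flag PHP builds affected by the floating-point parse hang via X-Powered-By.

    One GET to the site root; the ``X-Powered-By`` header is parsed and the
    version compared numerically. The original compared version strings,
    so ``5.3.10`` sorted below ``5.3.5`` (false positive) and ``5.2.2``
    sorted above ``5.2.17`` (false negative). 5.2.17 and 5.3.5 are the
    releases that shipped the fix, so the vulnerable windows are
    ``5.2.0 <= v < 5.2.17`` and ``5.3.0 <= v < 5.3.5``. Distro backports keep
    old version strings, so a banner match is a lead, not proof.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, scheme, domain, level,
            vulId, cookie; optional source_ip).

    Returns:
        list of ``getRecord2`` records; empty on no match or error (logged).
    """
    scan_info = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the shared default headers instead of mutating them in place.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    results = []
    try:
        url = "%s://%s" % (scan_info['scheme'], source_ip or scan_info['domain'])
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200:
            powered_by = ''
            for key, value in response['response_headers'].items():
                if key.lower() == 'x-powered-by':
                    powered_by = value.lower()
            version = _php_version(powered_by)
            if version is not None and ((5, 2, 0) <= version < (5, 2, 17) or (5, 3, 0) <= version < (5, 3, 5)):
                inject_info = returnInjectResult(url=url, confirm=1, detail="PHP浮点数解析挂起漏洞", response=response)
                results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.exception(e)
        return results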
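def run_domain(http, config):
    """Check whether the travel-agency CMS admin page ``/admin/index1.asp`` is reachable.

    One GET; any 200 response is recorded as an unauthorised-access finding
    with ``confirm=1`` (kept from the original). A 200 alone cannot tell a
    real admin page from a login form or a soft-404, so treat the record as
    something to verify by hand. The record's ``url`` is the site base, as
    in the original, not the probed admin path.

    Fixes over the original: the shared default header dict was mutated in
    place; an unused SQL-injection payload and its copy-pasted comment were
    dropped; the error path now returns a list instead of ``None``.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, scheme, domain, level,
            vulId, cookie; optional source_ip).

    Returns:
        list of ``getRecord2`` records; empty on no match or error (logged).
    """
    scan_info = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    results = []
    try:
        url_base = "%s://%s" % (scan_info['scheme'], source_ip or scan_info['domain'])
        url = url_base + '/admin/index1.asp'
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200:
            inject_info = returnInjectResult(url=url_base, confirm=1, detail="仙游旅行社管理系统后台越权访问", response=response)
            results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.exception(e)
        return results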
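# The exact script the probe injects; only an unencoded echo of it proves
# reflected XSS.
_ECCREDIT_XSS_PROBE = "<script>alert(/hacking-xss_eccredit/);</script>"


def _probe_reflected(body):
    """True when *body* contains the injected script verbatim (unescaped).

    The original searched only for the bare marker ``hacking-xss_eccredit``,
    which also appears when the site HTML-encodes the payload
    (``&lt;script&gt;alert(/hacking-xss_eccredit/)...``), i.e. exactly when
    it is *not* vulnerable. Requiring the raw tags removes that false
    positive.
    """
    return _ECCREDIT_XSS_PROBE in (body or '')


def run_domain(http, config):
    """Probe Discuz 6.0 ``eccredit.php`` for reflected XSS through ``uid``.

    One GET with a script payload in ``uid``; the site is recorded when the
    200 response echoes the payload with its tags intact. The payload is
    sent as-is in the URL (not percent-encoded), as in the original; the
    record's ``url`` is the site base, also as in the original.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, scheme, domain, level,
            vulId, cookie; optional source_ip).

    Returns:
        list of ``getRecord2`` records; empty on no match or error (logged).
    """
    scan_info = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the shared default headers instead of mutating them in place.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    results = []
    try:
        url_base = "%s://%s" % (scan_info['scheme'], source_ip or scan_info['domain'])
        url = url_base + '/eccredit.php?action=list&uid=">' + _ECCREDIT_XSS_PROBE
        response = request(url=url, headers=headers, method="GET")
        if response['httpcode'] == 200 and _probe_reflected(response['response_body']):
            inject_info = returnInjectResult(
                url=url_base, confirm=1,
                detail="Discuz 6.0 的 eccredit 中的 uid 未做严格过滤导致 xss漏洞",
                response=response)
            results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.exception(e)
        return results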
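# Versions below this are reported; the threshold is the original plugin's.
_JQUERY_MIN_VERSION = (1, 11, 3)

# Banner forms: minified "jQuery v1.11.3 " and source "jQuery JavaScript Library v1.11.3".
_JQUERY_MINIFIED_RE = re.compile(r'jQuery\s*v(\d{1,2}\.\d{1,2}\.\d{1,2})\s')
_JQUERY_SOURCE_RE = re.compile(r'jQuery\sJavaScript\sLibrary\sv(\d{1,2}\.\d{1,2}\.\d{1,2})')


def _jquery_version(body):
    """Return the jQuery version announced in a script *body* as an int tuple, or None.

    The source-file banner wins over the minified one when both match, as
    in the original. Returning a tuple makes comparisons numeric: the
    original compared strings, so ``'1.9.1' < '1.11.3'`` was False and most
    old releases were never reported.
    """
    if not body:
        return None
    found = _JQUERY_SOURCE_RE.findall(body) or _JQUERY_MINIFIED_RE.findall(body)
    if not found:
        return None
    return tuple(int(p) for p in found[0].split('.'))


def run_url(http, config, item):
    """Report ``.js`` items that ship a jQuery release older than 1.11.3.

    Only items whose path ends in ``.js`` are fetched. A banner-derived
    version below the threshold yields one record; this is a version
    fingerprint, not proof of an exploitable XSS sink on the page.

    Args:
        http: Unused here; kept for the plugin interface.
        config: Scan configuration dict (siteId, ip, scheme, domain, level,
            vulId, cookie; optional source_ip).
        item: dict with ``url``.

    Returns:
        list of ``getRecord2`` records; empty on no match or error (logged).
    """
    scan_info = {
        'siteId': config['siteId'],
        'ip': config['ip'],
        'scheme': config['scheme'],
        'domain': config['domain'],
        'level': config['level'],
        'vulId': config['vulId'],
    }
    # Copy the shared default headers instead of mutating them in place.
    headers = dict(headerDictDefault)
    headers['cookie'] = config['cookie']
    headers['Host'] = config['domain']
    source_ip = config.get('source_ip')
    results = []
    try:
        url = item['url']
        parsed = urlparse.urlparse(url)
        host = source_ip or parsed.netloc
        if parsed.query:
            new_url = "%s://%s%s?%s" % (parsed.scheme, host, parsed.path, parsed.query)
        else:
            new_url = "%s://%s%s" % (parsed.scheme, host, parsed.path)
        if parsed.path.endswith('.js'):
            response = request(url=new_url, headers=headers, method="GET")
            if response['httpcode'] == 200:
                version = _jquery_version(response['response_body'])
                if version is not None and version < _JQUERY_MIN_VERSION:
                    inject_info = returnInjectResult(
                        url=url, confirm=1,
                        detail="jquery 低版本易导致xss攻击",
                        response=response)
                    results.append(getRecord2(scan_info, inject_info))
        return results
    except Exception as e:
        logger.exception(e)
        return results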