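    def audit(self):
        """Check a JSON/JSONP endpoint for a missing Referer restriction.

        Two cases are told apart from the recorded response body:

        * it already looks like a JSONP call (``cb({...})``): the URL is
          replayed with a foreign ``Referer`` and a hit is reported when the
          body is still nearly identical (similarity >= 0.8), i.e. the data
          is served regardless of the referring site;
        * it is plain JSON and the URL has no ``callback`` parameter: a random
          ``callback`` parameter is added and a hit is reported when the
          server wraps the body in that function call.

        Only GET requests are replayed.  Findings go to ``out.success``.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, decoded str

        p = self.requests.urlparse
        # Work on a copy so the injected "callback" key does not leak into
        # the shared request object.
        params = dict(self.requests.params)
        netloc = self.requests.netloc

        # Raw string: "\S", "\(" and friends are invalid escapes in a plain
        # str literal (SyntaxWarning since Python 3.12).
        jsonp_pattern = r'^\S+\(\{.*\}\)'
        # Foreign Referer that still *contains* the target host name
        # (presumably to catch substring-style Referer checks on the server).
        domain = "{}://{}".format(p.scheme, p.netloc) + random_str(
            2, string.ascii_lowercase + string.digits) + p.netloc + "/"

        # NOTE(review): the requests.get calls carry no explicit timeout;
        # confirm the project supplies one, otherwise a stalled host blocks
        # the scan.
        if re.match(jsonp_pattern, resp_str, re.I | re.S):
            # Already JSONP: does it still answer with a foreign Referer?
            headers["Referer"] = domain
            if method == 'GET':
                r = requests.get(url, headers=headers)
                if GetRatio(resp_str, r.text) >= 0.8:
                    out.success(url, self.name, raw=r.raw)
        elif (re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S)
              and 'callback' not in url):
            # Plain JSON: does a callback parameter turn it into JSONP?
            headers["Referer"] = domain
            params["callback"] = random_str(2)
            if method == 'GET':
                r = requests.get(netloc, params=params, headers=headers)
                if params["callback"] + "({" in r.text:
                    out.success(r.url, self.name, raw=r.raw)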
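    def audit(self):
        """Check a JSON/JSONP endpoint for cross-site readable sensitive data.

        Same two-way probe as the plain JSONP check (replay with a foreign
        ``Referer`` when the body already is JSONP; add a random ``callback``
        when it is plain JSON), but a JSONP hit is only reported when the
        replayed body mentions one of ``sensitive_params`` (mail, user, ...).
        The reported record carries the Referer used, the matched keyword
        (JSONP case only), the Content-Type and the decoded payload, which is
        replaced by a short notice when it is longer than 500.

        Only GET requests are replayed.  Findings go to ``out.success``.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, decoded str

        p = self.requests.urlparse
        # Work on a copy so the injected "callback" key does not leak into
        # the shared request object.
        params = dict(self.requests.params)
        netloc = self.requests.netloc

        # Raw string: "\S", "\(" and friends are invalid escapes in a plain
        # str literal (SyntaxWarning since Python 3.12).
        jsonp_pattern = r'^\S+\(\{.*?\}\)'
        # Unrelated random .com host used as the foreign Referer.
        domain = "{}://{}".format(p.scheme, p.netloc) + random_str(
            4, string.ascii_lowercase + string.digits) + ".com/"

        # Substrings that hint at personal data in the returned payload.
        sensitive_params = [
            'mail', 'user', 'name', 'ip', 'pass', 'add', 'phone'
        ]

        def with_payload(res, text):
            """Attach the decoded JSONP payload of *text* to *res*.

            Payloads longer than 500 are replaced by a short notice.
            """
            response = self.jsonp_load(text)
            if response:
                res["response"] = (response if len(response) <= 500
                                   else "数据太多,自行访问")
            return res

        # NOTE(review): the requests.get calls carry no explicit timeout;
        # confirm the project supplies one, otherwise a stalled host blocks
        # the scan.
        if re.match(jsonp_pattern, resp_str, re.I | re.S):
            # Already JSONP: does it still answer with a foreign Referer?
            headers["Referer"] = domain
            if method == 'GET':
                r = requests.get(url, headers=headers)
                if GetRatio(resp_str, r.text) >= 0.8:
                    body_lower = r.text.lower()  # hoisted out of the loop
                    for keyword in sensitive_params:
                        if keyword not in body_lower:
                            continue
                        res = {
                            "Referer": domain,
                            "keyword": keyword,
                            "Content-Type": r.headers.get("Content-Type", ""),
                        }
                        out.success(url, self.name, **with_payload(res, r.text))
        elif (re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S)
              and 'callback' not in url):
            # Plain JSON: does a callback parameter turn it into JSONP?
            headers["Referer"] = domain
            params["callback"] = random_str(2)
            if method == 'GET':
                r = requests.get(netloc, params=params, headers=headers)
                if r.text.startswith(params["callback"] + "({"):
                    res = {
                        "Referer": domain,
                        "Content-Type": r.headers.get("Content-Type", ""),
                        "callback": params["callback"],
                    }
                    out.success(r.url, self.name, **with_payload(res, r.text))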
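    def audit(self):
        """Boolean-based blind SQL injection check for form-encoded POST bodies.

        For every body field (except those in ``ignoreParams``) and every
        template in ``sql_flag``, the original value is extended once with a
        condition that is always true (the same random string on both sides)
        and once with one that is always false (two different random
        strings).  The field is reported when the "true" page stays close to
        the original response (similarity >= 0.88) while the "false" page
        drifts away from it (similarity < 0.78).

        Only ``POST`` requests with a plain form body are examined.  Findings
        go to ``out.success``.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, decoded str

        post_hint = self.requests.post_hint
        post_data = self.requests.post_data

        if method != 'POST' or post_hint != POST_HINT.NORMAL:
            return

        sql_flag = [
            "/**/and'{0}'='{1}'",
            "'and'{0}'='{1}",
            '"and"{0}"="{1}',
        ]
        # NOTE(review): requests.post carries no explicit timeout; confirm
        # the project supplies one.
        for k, v in post_data.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(post_data)
            for flag in sql_flag:
                # "true" page: the same random string on both sides.
                rand_str = random_str(2)
                payload1 = v + flag.format(rand_str, rand_str)
                data[k] = payload1
                r = requests.post(url, data=data, headers=headers)
                html1 = r.text
                radio = GetRatio(resp_str, html1)
                if radio < 0.88:
                    continue

                # "false" page: two different random strings.
                payload2 = v + flag.format(random_str(2), random_str(2))
                data[k] = payload2
                r2 = requests.post(url, data=data, headers=headers)
                html2 = r2.text
                radio2 = GetRatio(resp_str, html2)
                # Fix: the original tested ``radio`` here, which is already
                # known to be >= 0.88, so this branch could never run.
                if radio2 < 0.78:
                    condition = [
                        '{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size1}'.format(
                            k=k, v=payload1, v1=v, radio=radio, size1=len(html1)),
                        '{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size2}'.format(
                            k=k, v=payload2, v1=v, radio=radio2, size2=len(html2)),
                    ]
                    out.success(url, self.name, payload=k, condition=condition,
                                data=str(data), raw=[r.raw, r2.raw])
                    break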
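    def audit(self):
        """Check a JSON/JSONP endpoint for a missing Referer restriction.

        Same two-way probe as the other JSONP checks (replay with a foreign
        ``Referer`` when the body already is JSONP; add a random ``callback``
        when it is plain JSON), but the foreign Referer is only set when the
        recorded request already carried one, and hits are reported without
        the raw response.

        Only GET requests are replayed.  Findings go to ``out.success``.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, decoded str

        # Work on a copy so the injected "callback" key does not leak into
        # the shared request object.
        params = dict(self.requests.params)
        netloc = self.requests.netloc

        # Raw string: "\S", "\(" and friends are invalid escapes in a plain
        # str literal (SyntaxWarning since Python 3.12).
        jsonp_pattern = r'^\S+\(\{.*\}\)'
        # Foreign Referer; the original URL is kept in it as a query value.
        foreign_referer = "https://www.baidu.com/q=" + url

        # NOTE(review): the requests.get calls carry no explicit timeout;
        # confirm the project supplies one, otherwise a stalled host blocks
        # the scan.
        if re.match(jsonp_pattern, resp_str, re.I | re.S):
            # Already JSONP: does it still answer with a foreign Referer?
            if "Referer" in headers:
                headers["Referer"] = foreign_referer
            if method == 'GET':
                r = requests.get(url, headers=headers)
                if GetRatio(resp_str, r.text) >= 0.8:
                    out.success(url, self.name)
        elif (re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S)
              and 'callback' not in url):
            # Plain JSON: does a callback parameter turn it into JSONP?
            if "Referer" in headers:
                headers["Referer"] = foreign_referer
            params["callback"] = random_str(2)
            if method == 'GET':
                r = requests.get(netloc, params=params, headers=headers)
                if params["callback"] + "({" in r.text:
                    out.success(r.url, self.name)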
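    def audit(self):
        """Boolean-based blind SQL injection check for GET query parameters.

        For every query parameter (except those in ``ignoreParams``) and every
        template in ``sql_flag``, the value is extended with a condition that
        is always false (two different random strings) and one that is always
        true (the same random string twice).  After dynamic content has been
        stripped, the original, "true" and "false" pages are compared with
        ``GetRatio``: a parameter is reported when the true page tracks the
        original while the false page diverges, or, failing that, when the
        line-level difference between the true and false pages contains a
        plausible sentence.

        Only GET requests with a non-empty query and an accepted path
        extension are examined.  Findings go to ``out.success``.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers, dict
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body, decoded str

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        # Nothing to inject into without a query string.
        if p.query == '':
            return
        if os.path.splitext(p.path)[1] not in acceptedExt:
            return

        self.init()
        # NOTE(review): the requests.get calls carry no explicit timeout;
        # confirm the project supplies one.
        # Fetch the page again to detect dynamic (changing) content.
        r = requests.get(url, headers=headers)
        try:
            self.seqMatcher.set_seq1(resp_str)
            self.seqMatcher.set_seq2(r.text)
            radio = self.seqMatcher.quick_ratio()
        except MemoryError:
            return

        if radio <= 0.98:
            self.findDynamicContent(resp_str, r.text)
            count = 0
            # NOTE(review): this loop has no ``break``: it always runs
            # ``self.retry`` times and then returns, so the injection test
            # below is never reached for a page with dynamic content.
            # Confirm whether a ``break`` after the last retry was intended.
            while True:
                count += 1
                if count > self.retry:
                    return
                r = requests.get(url, headers=headers)
                self.findDynamicContent(resp_str,
                                        self.removeDynamicContent(r.text))

        sql_flag = [
            "/**/and'{0}'='{1}'",
            "'and'{0}'='{1}",
            '"and"{0}"="{1}',
        ]
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for flag in sql_flag:
                is_inject = False
                # "false" page: two different random strings.
                payload2 = v + flag.format(random_str(2), random_str(2))
                data[k] = payload2
                r2 = requests.get(netloc, params=data, headers=headers)
                html1 = self.removeDynamicContent(r2.text)
                try:
                    ratio = GetRatio(resp_str, html1)  # original vs false
                    if ratio == 1.0:
                        # Identical to the original: the value is not used.
                        continue
                except (MemoryError, OverflowError):
                    continue

                # "true" page: the same random string on both sides.
                rand_str = random_str(2)
                payload1 = v + flag.format(rand_str, rand_str)
                data[k] = payload1
                r = requests.get(netloc, params=data, headers=headers)
                html2 = self.removeDynamicContent(r.text)
                try:
                    ratio2 = GetRatio(html1, html2)  # false vs true
                    ratio3 = GetRatio(resp_str, html2)  # original vs true
                except (MemoryError, OverflowError):
                    continue

                # True page close to the original, false page away from both.
                # NOTE(review): the last tolerance is 0.5 while the others are
                # 0.05/0.1 — confirm that asymmetry is intended.
                if (0.1 > ratio - ratio2 > -0.1
                        and ratio3 > ratio - 0.05
                        and ratio3 > ratio2 - 0.5):
                    is_inject = True

                if not is_inject:
                    # Fallback: compare the pages line by line and look for a
                    # readable sentence that only the true page contains.
                    originalSet = set(
                        getFilteredPageContent(resp_str, True, "\n").split("\n"))
                    trueSet = set(
                        getFilteredPageContent(html2, True, "\n").split("\n"))
                    falseSet = set(
                        getFilteredPageContent(html1, True, "\n").split("\n"))

                    if originalSet == trueSet and trueSet != falseSet:
                        candidates = trueSet - falseSet
                        for candidate in sorted(candidates, key=len):
                            if (re.match(r"\A[\w.,! ]+\Z", candidate)
                                    and ' ' in candidate
                                    and candidate.strip()
                                    and len(candidate) > 10):
                                is_inject = True
                                break

                if is_inject:
                    out.success(url,
                                self.name,
                                payload=k,
                                raw=[r2.raw, r.raw])
                    break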