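def run_url(req, rule):
    """Probe every parameter of ``req.params`` for unfiltered reflection.

    For each ``PARAMS_PATTERN`` match the parameter value is extended with a
    random prefix, a shuffled character pool and a random suffix, the page is
    re-requested through ``requestUrl(req, tampered)``, and every reflection
    framed by that prefix/suffix is checked against ``XSS_PATTERNS``.  A
    parameter is reported when the reflection matches a pattern's context
    regex and still contains the pattern's condition characters unescaped.

    Args:
        req: request object; ``req.params`` is the parameter string scanned.
        rule: unused here; kept for the shared ``run_url(req, rule)`` interface.

    Returns:
        ``Result(response, details)`` with one ``u"漏洞参数:<key>"`` entry per
        affected parameter, or ``None`` when nothing reflects unfiltered.
    """

    def _contains(content, chars):
        """True if every char of ``chars`` occurs unescaped in ``content``.

        Backslash-escaped occurrences are stripped first so an escaped
        reflection (e.g. ``\\"``) does not count as a live quote.
        """
        if chars:
            # NOTE: the original call passed ``re.S`` as re.sub's positional
            # ``count`` argument, which silently capped the stripping at 16
            # occurrences and let later escaped chars count as unescaped.
            # ``re.S`` has no effect on a character class, so it is dropped.
            # Each condition char is escaped so ']' or '\\' cannot break the
            # class.
            escaped_class = "".join(re.escape(char) for char in chars)
            content = re.sub(r"\\[%s]" % escaped_class, "", content)
        return all(char in content for char in chars)

    def _escape_special(text):
        """Backslash-escape every char of ``REGEX_SPECIAL_CHARS`` in ``text``."""
        for char in REGEX_SPECIAL_CHARS:
            text = text.replace(char, "\\%s" % char)
        return text

    details = []
    response = None
    params = req.params

    for match in PARAMS_PATTERN.finditer(params):
        found = False
        prefix, suffix = [
            "".join(random.sample(string.ascii_lowercase, PREFIX_SUFFIX_LENGTH))
            for _ in range(2)
        ]
        for pool in (LARGER_CHAR_POOL, SMALLER_CHAR_POOL):
            if found:
                # One hit per parameter is enough; skip the smaller pool.
                break
            probe = "%s%s%s%s" % (
                match.group('value'),
                prefix,
                "".join(random.sample(pool, len(pool))),
                suffix,
            )
            tampered = params.replace(match.group('value'), probe)
            res = requestUrl(req, tampered)
            if not res:
                continue
            content = res.text
            for sample in re.finditer("%s(.+?)%s" % (prefix, suffix), content, re.I | re.S):
                reflected = sample.group(1)
                if found or not reflected.strip():
                    continue
                for regex, condition, info in XSS_PATTERNS:
                    # The context regex is built around the literal reflection.
                    context = re.search(
                        regex % {"chars": _escape_special(sample.group(0))},
                        content,
                        re.I | re.S,
                    )
                    if not context:
                        continue
                    if _contains(reflected, condition):
                        filtering = "no" if all(
                            char in reflected for char in LARGER_CHAR_POOL
                        ) else "some"
                        DEBUG(info % {"filtering": filtering})
                        found = True
                        if response is None:
                            response = res
                        details.append(u"漏洞参数:%s" % match.group('key'))
                        break

    if response is not None:
        return Result(response, details)
    return None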
def retrieve_content(req, payloads=None, **kwargs):
    """Fetch ``req`` through ``requestUrl`` and summarise the reply.

    Args:
        req: request object handed to ``requestUrl``.
        payloads: optional payloads forwarded to ``requestUrl``.
        **kwargs: further keyword arguments forwarded to ``requestUrl``.

    Returns:
        ``None`` when ``requestUrl`` yields no response; otherwise a dict with
        keys RESPONSE (the raw response), HTTPCODE (``status_code``), HTML
        (``res.text``), TITLE (the ``title`` group of TITLE_PATTERN or
        ``None``) and TEXT (HTML with TEXT_PATTERN matches replaced by a
        single space).
    """
    res = requestUrl(req, payloads, **kwargs)
    if not res:
        return None

    html = res.text
    title_match = TITLE_PATTERN.search(html)
    return {
        RESPONSE: res,
        HTTPCODE: res.status_code,
        HTML: html,
        TITLE: title_match.group('title') if title_match else None,
        TEXT: TEXT_PATTERN.sub(" ", html),
    }
def run_url(req, rule):
    """Report internal-looking IPv4 addresses found in the response body.

    req:
        url: http://www.example.com
        method: get/post
        params: name=skycrab&age24
        referer: http://www.example.com/refer.html
    rule:
        domain: http://www.example.com/ (scheme+host+basepath)

    Every line of the fetched page is scanned with ``_INNER_IPADDR``; a match
    is kept only when each dotted octet lies in 0..255.  Returns
    ``Result(response, addresses)`` when at least one address was found,
    otherwise ``None``.
    """
    resp = requestUrl(req)
    if not resp:
        return None

    addresses = []
    for line in resp.iter_lines():
        for hit in _INNER_IPADDR.finditer(line):
            candidate = hit.group(1)
            # Reject matches whose octets overflow a byte (e.g. 999.1.1.1).
            if all(0 <= int(octet) <= 255 for octet in candidate.split('.')):
                addresses.append(candidate)

    if addresses:
        return Result(resp, addresses)
    return None
def run_url(req, rule):
    """Report internal-looking IPv4 addresses found in the response body.

    req:
        url: http://www.example.com
        method: get/post
        params: name=skycrab&age24
        referer: http://www.example.com/refer.html
    rule:
        domain: http://www.example.com/ (scheme+host+basepath)

    Each line returned by ``iter_lines()`` is scanned with ``_INNER_IPADDR``;
    only matches whose four octets all fall in 0..255 are kept.  Returns
    ``Result(response, addresses)`` if anything was found, else ``None``.
    """
    resp = requestUrl(req)
    if not resp:
        return None

    def _valid_octets(dotted):
        # Guards against regex hits such as 300.1.2.3 that are not real IPv4.
        return all(0 <= int(part) <= 255 for part in dotted.split('.'))

    addresses = [
        hit.group(1)
        for line in resp.iter_lines()
        for hit in _INNER_IPADDR.finditer(line)
        if _valid_octets(hit.group(1))
    ]
    return Result(resp, addresses) if addresses else None
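def run_url(req, rule):
    """Probe every parameter of ``req.params`` for unfiltered reflection.

    Each ``PARAMS_PATTERN`` match has its value extended with a random
    prefix, a shuffled character pool and a random suffix; the page is
    re-requested via ``requestUrl(req, tampered)`` and every reflection
    framed by prefix/suffix is tested against ``XSS_PATTERNS``.  The
    parameter is reported when a pattern's context regex matches and the
    reflection still holds that pattern's condition characters unescaped.

    Args:
        req: request object; ``req.params`` is the parameter string scanned.
        rule: unused here; kept for the shared ``run_url(req, rule)`` interface.

    Returns:
        ``Result(response, details)`` with one ``u"漏洞参数:<key>"`` entry per
        affected parameter, or ``None`` when no parameter reflects unfiltered.
    """

    def _contains(content, chars):
        """True if every char of ``chars`` is present unescaped in ``content``.

        Backslash-escaped occurrences are removed first so that an escaped
        reflection (``\\<``, ``\\"``) is not mistaken for a live character.
        """
        if chars:
            # Bug fix: the original passed ``re.S`` as re.sub's positional
            # ``count``, capping the removal at 16 escaped occurrences so
            # later ones were miscounted as unescaped.  A DOTALL flag has no
            # meaning for a character class, so no flag is needed; the chars
            # are escaped so ']' or '\\' in a condition cannot break the class.
            class_body = "".join(re.escape(char) for char in chars)
            content = re.sub(r"\\[%s]" % class_body, "", content)
        return all(char in content for char in chars)

    def _escape_special(text):
        """Prefix each ``REGEX_SPECIAL_CHARS`` char in ``text`` with a backslash."""
        for char in REGEX_SPECIAL_CHARS:
            text = text.replace(char, "\\%s" % char)
        return text

    details = []
    response = None
    params = req.params

    for match in PARAMS_PATTERN.finditer(params):
        found = False
        prefix, suffix = [
            "".join(random.sample(string.ascii_lowercase, PREFIX_SUFFIX_LENGTH))
            for _ in range(2)
        ]
        for pool in (LARGER_CHAR_POOL, SMALLER_CHAR_POOL):
            if found:
                # Already reported for this parameter; the smaller pool is skipped.
                break
            probe = "%s%s%s%s" % (
                match.group('value'),
                prefix,
                "".join(random.sample(pool, len(pool))),
                suffix,
            )
            res = requestUrl(req, params.replace(match.group('value'), probe))
            if not res:
                continue
            content = res.text
            for sample in re.finditer("%s(.+?)%s" % (prefix, suffix), content, re.I | re.S):
                reflected = sample.group(1)
                if found or not reflected.strip():
                    continue
                for regex, condition, info in XSS_PATTERNS:
                    # The pattern's context regex is instantiated with the
                    # literal reflection so it anchors on this occurrence.
                    context = re.search(
                        regex % {"chars": _escape_special(sample.group(0))},
                        content,
                        re.I | re.S,
                    )
                    if not context or not _contains(reflected, condition):
                        continue
                    filtering = "no" if all(
                        char in reflected for char in LARGER_CHAR_POOL
                    ) else "some"
                    DEBUG(info % {"filtering": filtering})
                    found = True
                    if response is None:
                        response = res
                    details.append(u"漏洞参数:%s" % match.group('key'))
                    break

    if response is not None:
        return Result(response, details)
    return None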
def run_url(req, rule):
    """Return ``Result(response, '')`` when the page body matches ``_FILE_UPLOAD``.

    ``_FILE_UPLOAD`` is a compiled pattern defined elsewhere in the module;
    ``rule`` is unused and kept for the shared ``run_url(req, rule)``
    interface.  Returns ``None`` when the request fails or nothing matches.
    """
    resp = requestUrl(req)
    if not resp:
        return None
    if _FILE_UPLOAD.search(resp.text) is None:
        return None
    return Result(resp, '')
def run_url(req, rule):
    """Flag the page when its body matches ``_FILE_UPLOAD``.

    ``rule`` is unused; it is part of the shared ``run_url(req, rule)``
    signature.  Returns ``Result(response, '')`` on a match, else ``None``
    (including when ``requestUrl`` gives no response).
    """
    resp = requestUrl(req)
    matched = bool(resp) and _FILE_UPLOAD.search(resp.text) is not None
    return Result(resp, '') if matched else None