class Scanner():
def __init__(self):
self.sqli_bool = self.load('sqli_bool')
self.sqli_error = self.load('sqli_error')
self.form_pattern = re.compile(r"(?i)<form .+?>.+?</form>".encode())
self.action_pattern = re.compile(r'''(?i)<form .*?action=["']([^\s"'<>]+)'''.encode())
self.method_pattern = re.compile(r'''(?i)<form .*?method=["']([^\s"'<>]+)'''.encode())
self.input_pattern = re.compile(r'''(?i)<input .*?type=["']([^\s"'<>]+).*?name=["']([^\s"'<>]+).*?value=["']([^\s"'<>]+)'''.encode())
self.input_types = [b'',b'text',b'hidden',b'password']
self.posted = BloomFilter()
def load(self,tp):
tree = ET.parse("payloads/"+tp+".xml")
root = tree.getroot()
payloads = []
for x in root.findall('payload'):
payloads.append((x[0].text,x[1].text))
return payloads
async def get_forms(self,url,session):
response = None
Forms = []
try:
response = await session.get(url)
response.headers = myfunc.tolower(response.headers)
content_type = response.headers.get('content-type','').split(';')[0]
if content_type in ['text/html', 'application/xml']:
body = await response.read()
forms = self.form_pattern.findall(body)
for form in forms:
Form = dict()
tmp = self.action_pattern.search(form)
action = tmp.group(1) if tmp else b''
tmp = self.method_pattern.search(form)
method = tmp.group(1) if tmp else b'get'
inputs = self.input_pattern.findall(form)
params = dict()
for ip in inputs:
if ip[0] in self.input_types:
params[myfunc.decode(ip[1])] = myfunc.decode(ip[2])
Form['action'] = urljoin(url,action.decode())
Form['method'] = method.decode()
Form['params'] = params
Forms.append(Form)
except Exception as e:
print(e)
finally:
await response.release()
return Forms
async def scan(self,url,session):
#get型
parse = urlparse(url)
query = list(map(lambda x:x.split('='),parse.query.split('&')))
for i in range(len(query)):
if len(query[0])<2:
break
#bool盲注
for payload in self.sqli_bool:
q1 = dict()
q2 = dict()
for x in query:
q1[x[0]] = x[1]
q2[x[0]] = x[1]
q1[query[i][0]] = query[i][1]+payload[0]
q2[query[i][0]] = query[i][1]+payload[1]
body1 = body2 = ''
try:
q1 = urlunparse((parse.scheme,parse.netloc,parse.path,parse.params,urlencode(q1),parse.fragment))
q2 = urlunparse((parse.scheme,parse.netloc,parse.path,parse.params,urlencode(q2),parse.fragment))
resp1 = await session.get(q1)
body1 = await resp1.read()
resp2 = await session.get(q2)
body2 = await resp2.read()
except:
pass
if abs(1-len(body1)/len(body2))>0.98:
print(abs(1-len(body1)/len(body2)))
print("Type: Bool_Sqli[GET]")
print("Url: "+q1)
print("Payload: "+payload[0])
print("Param: "+query[i][0])
break
#post型
Forms = await self.get_forms(url,session)
for Form in Forms:
Form_json = json.dumps(Form)
if self.posted.isContain(Form_json):
continue
self.posted.insert(Form_json)
for param_key in Form['params'].keys():
for payload in self.sqli_bool:
new_params1 = new_params2 = Form['params']
new_params1[param_key] = new_params1[param_key]+payload[0]
new_params2[param_key] = new_params2[param_key]+payload[1]
response1 = response2 = None
try:
if Form['method'].lower()=='get':
response1 = await session.get(Form['action'],params=new_params1)
body1 = await response1.read()
response2 = await session.get(Form['action'],params=new_params2)
body2 = await response2.read()
if Form['method'].lower()=='post':
response1 = await session.post(Form['action'],data=new_params1)
body1 = await response1.read()
response2 = await session.post(Form['action'],data=new_params2)
body2 = await response2.read()
finally:
body1 = await response1.read()
await response1.release()
body2 = await response2.read()
await response2.release()
if abs(1-len(body1)/len(body2))>0.98:
print(abs(1-len(body1)/len(body2)))
print("Type: Bool_Sqli[POST]")
print("Url: "+url)
print("Payload: "+payload[0])
print("Param: "+param_key)
break
