Esempio n. 1
0
    def audit(self):
        method = self.requests.command  # 请求方式 GET or POST
        headers = self.requests.get_headers()  # 请求头 dict类型
        url = self.build_url()  # 请求完整URL
        data = self.requests.get_body_data().decode()  # POST 数据

        resp_data = self.response.get_body_data()  # 返回数据 byte类型
        resp_str = self.response.get_body_str()  # 返回数据 str类型 自动解码
        resp_headers = self.response.get_headers()  # 返回头 dict类型

        path1 = get_parent_paths(url)
        urls = set(path1)
        for link in get_links(resp_str, url, True):
            path1 = get_parent_paths(link)
            urls |= set(path1)

        flag = {
            "/.svn/all-wcprops": "svn:wc:ra_dav:version-url",
            "/.git/config": 'repositoryformatversion'
        }
        for p in urls:
            for f in flag.keys():
                _ = p.rstrip('/') + f
                if not Share.in_url(_):
                    Share.add_url(_)
                    try:
                        r = requests.get(_, headers=headers)
                        # out.log(_)
                        if flag[f] in r.text:
                            out.success(_, self.name)
                    except Exception as e:
                        pass
Esempio n. 2
0
    def audit(self):
        method = self.requests.command  # 请求方式 GET or POST
        headers = self.requests.get_headers()  # 请求头 dict类型
        url = self.build_url()  # 请求完整URL
        data = self.requests.get_body_data().decode()  # POST 数据

        resp_data = self.response.get_body_data()  # 返回数据 byte类型
        resp_str = self.response.get_body_str()  # 返回数据 str类型 自动解码
        resp_headers = self.response.get_headers()  # 返回头 dict类型

        path1 = get_parent_paths(url)
        urls = set(path1)
        for link in get_links(resp_str, url, True):
            path1 = get_parent_paths(link)
            urls |= set(path1)

        flag_list = [
            "directory listing for",
            "<title>directory",
            "<head><title>index of",
            '<table summary="directory listing"',
            'last modified</a>',
        ]
        for p in urls:
            if not Share.in_url(p):
                Share.add_url(p)
                try:
                    r = requests.get(p, headers=headers)
                    for i in flag_list:
                        if i in r.text.lower():
                            out.success(p, self.name)
                            break
                except Exception as e:
                    pass
Esempio n. 3
0
    def audit(self):
        method = self.requests.command  # 请求方式 GET or POST
        headers = self.requests.get_headers()  # 请求头 dict类型
        url = self.build_url()  # 请求完整URL
        data = self.requests.get_body_data().decode()  # POST 数据

        resp_data = self.response.get_body_data()  # 返回数据 byte类型
        resp_str = self.response.get_body_str()  # 返回数据 str类型 自动解码
        resp_headers = self.response.get_headers()  # 返回头 dict类型

        if method == 'GET':
            # 从源码中获取更多链接
            links = [url]
            for link in set(links):
                # 只接收指定类型的SQL注入
                p = urlparse(link)
                if p.query == '':
                    continue
                exi = os.path.splitext(p.path)[1]
                if exi not in acceptedExt:
                    continue
                params = dict()
                for i in p.query.split("&"):
                    try:
                        key, value = i.split("=")
                        params[key] = value
                    except ValueError:
                        pass
                netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)

                for k, v in params.items():
                    if k.lower() in ignoreParams:
                        continue
                    if not re.search('^-?\d+(\.\d+)?$', v):
                        continue
                    data = copy.deepcopy(params)
                    # 判断条件:
                    # 1. -randint !== origin
                    # 2. +randint-randint == origin
                    payload1 = "{0}+{1}".format(v, random.randint(10, 100))
                    data[k] = payload1
                    url1 = prepare_url(netloc, params=data)
                    if Share.in_url(url1):
                        continue
                    Share.add_url(url1)
                    r = requests.get(url1, headers=headers)
                    html1 = r.text
                    if fuzzy_equal(resp_str, html1, 0.97):
                        continue
                    payload2 = "{0}+{1}-{1}".format(v, random.randint(10, 100))
                    data[k] = payload2
                    r2 = requests.get(netloc, params=data, headers=headers)
                    html2 = r2.text
                    if fuzzy_equal(resp_str, html2, 0.8):
                        msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
                            k=k, v=v, v1=payload1, v2=payload2)
                        # out.log(msg)
                        out.success(link, self.name, payload=k, condition=msg)
                        break
Esempio n. 4
0
    def audit(self):
        method = self.requests.command  # 请求方式 GET or POST
        headers = self.requests.get_headers()  # 请求头 dict类型
        url = self.build_url()  # 请求完整URL
        data = self.requests.get_body_data().decode()  # POST 数据

        resp_data = self.response.get_body_data()  # 返回数据 byte类型
        resp_str = self.response.get_body_str()  # 返回数据 str类型 自动解码
        resp_headers = self.response.get_headers()  # 返回头 dict类型

        if method == 'GET':
            # 从源码中获取更多链接
            links = get_links(resp_str, url, True)
            links.append(url)
            for link in set(links):
                # 只接收指定类型的SQL注入
                p = urlparse(link)
                if p.query == '':
                    continue
                exi = os.path.splitext(p.path)[1]
                if exi not in acceptedExt:
                    continue
                params = dict()
                for i in p.query.split("&"):
                    try:
                        key, value = i.split("=")
                        params[key] = value
                    except ValueError:
                        pass
                netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)

                sql_flag = '鎈\'"\('
                for k, v in params.items():
                    if k.lower() in ignoreParams:
                        continue
                    data = copy.deepcopy(params)
                    data[k] = v + sql_flag
                    url1 = prepare_url(netloc, params=data)
                    if Share.in_url(url1):
                        continue
                    Share.add_url(url1)
                    r = requests.get(url1, headers=headers)
                    html = r.text
                    for sql_regex, dbms_type in Get_sql_errors():
                        match = sql_regex.search(html)
                        if match:
                            out.success(link,
                                        self.name,
                                        payload="{}={}".format(k, data[k]))
                            break
Esempio n. 5
0
    def audit(self):
        method = self.requests.command  # 请求方式 GET or POST
        headers = self.requests.get_headers()  # 请求头 dict类型
        url = self.build_url()  # 请求完整URL
        data = self.requests.get_body_data().decode()  # POST 数据

        resp_data = self.response.get_body_data()  # 返回数据 byte类型
        resp_str = self.response.get_body_str()  # 返回数据 str类型 自动解码
        resp_headers = self.response.get_headers()  # 返回头 dict类型

        path1 = get_parent_paths(url)
        urls = set(path1)
        for link in get_links(resp_str, url, True):
            path1 = get_parent_paths(link)
            urls |= set(path1)

        for p in urls:
            filename = self.file()
            success = []
            for f in filename:
                _ = p.rstrip('/') + f
                if not Share.in_url(_):
                    Share.add_url(_)
                    try:
                        r = requests.get(_, headers=headers)
                        # out.log(_)
                        if r.status_code == 200:
                            success.append({"url": _, "code": len(r.text)})
                            # print(self.name)
                    except Exception as e:
                        pass
            if len(success) < 5:
                for i in success:
                    out.success(i["url"], self.name)
            else:
                result = {}
                for item in success:
                    length = item.get("len", 0)
                    if length not in result:
                        result[length] = list()
                    result[length].append(item["url"])

                for k, v in result.items():
                    if len(v) > 3:
                        continue

                    for i in v:
                        out.success(i, self.name)
Esempio n. 6
0
    def audit(self):
        method = self.requests.command  # 请求方式 GET or POST
        headers = self.requests.get_headers()  # 请求头 dict类型
        url = self.build_url()  # 请求完整URL
        data = self.requests.get_body_data().decode()  # POST 数据

        resp_data = self.response.get_body_data()  # 返回数据 byte类型
        resp_str = self.response.get_body_str()  # 返回数据 str类型 自动解码
        resp_headers = self.response.get_headers()  # 返回头 dict类型

        p = urlparse(url)
        # 判断带有php或无后缀的
        basepath = os.path.basename(p.path)
        if "." in basepath and ".php" not in basepath:
            return

        if "Warning" in resp_str and "array given" in resp_str:
            out.success(url, self.name)

        params = dict()
        for i in p.query.split("&"):
            try:
                key, value = i.split("=")
                params[key] = value
            except ValueError:
                pass
        netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            del data[k]
            data[k + "[]"] = v
            try:
                _ = prepare_url(netloc, params=data)
                if Share.in_url(_):
                    continue
                Share.add_url(_)
                r = requests.get(_, headers=headers)
                if "Warning" in r.text and "array given" in r.text:
                    out.success(_, self.name)
            except:
                pass
Esempio n. 7
0
    def audit(self):
        method = self.requests.command  # 请求方式 GET or POST
        headers = self.requests.get_headers()  # 请求头 dict类型
        url = self.build_url()  # 请求完整URL
        data = self.requests.get_body_data().decode()  # POST 数据

        resp_data = self.response.get_body_data()  # 返回数据 byte类型
        resp_str = self.response.get_body_str()  # 返回数据 str类型 自动解码
        resp_headers = self.response.get_headers()  # 返回头 dict类型

        if method == 'GET':
            # 从源码中获取更多链接
            links = [url]
            for link in set(links):
                # 只接收指定类型的SQL注入
                p = urlparse(link)
                if p.query == '':
                    continue
                exi = os.path.splitext(p.path)[1]
                if exi not in acceptedExt:
                    continue
                params = dict()
                for i in p.query.split("&"):
                    try:
                        key, value = i.split("=")
                        params[key] = value
                    except ValueError:
                        pass
                netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)

                sql_flag = [
                    "'and'{0}'='{1}",
                    '"and"{0}"="{1}'
                ]
                for k, v in params.items():
                    if k.lower() in ignoreParams:
                        continue
                    data = copy.deepcopy(params)
                    for flag in sql_flag:
                        # true page
                        rand_str = random_str(2)
                        payload1 = flag.format(rand_str, rand_str)
                        data[k] = v + payload1
                        url1 = prepare_url(netloc, params=data)
                        if Share.in_url(url1):
                            continue
                        Share.add_url(url1)
                        r = requests.get(url1, headers=headers)
                        html1 = r.text
                        radio = GetRatio(resp_str, html1)
                        if radio < 0.88:  # 相似度随手一设~
                            continue

                        # false page
                        payload2 = flag.format(random_str(2), random_str(2))
                        data[k] = v + payload2
                        r2 = requests.get(netloc, params=data, headers=headers)
                        html2 = r2.text
                        radio = GetRatio(resp_str, html2)
                        if radio < 0.68:  # 相似度随手设置
                            msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(k=k, v=v, v1=payload1,
                                                                                          v2=payload2)
                            # out.log(msg)
                            out.success(link, self.name, payload=k, condition=msg)
                            break