Esempio n. 1
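def checkDynParam_t(place, url_test, uri, paramDict, parameters, parameter,
                    value):
    """Probe whether *parameter* changes the page content.

    Up to two requests are sent, each with a fresh random integer
    substituted for the parameter's value through ``agent.payload_t``; the
    response body of each is handed to ``url_test.comparison``.  A second
    request is only made when the first comparison result is falsy, so a
    single differing response is re-checked before the parameter is
    reported as dynamic.

    Args:
        place: injection place, forwarded to ``agent.payload_t``.
        url_test: object exposing ``comparison(data)``; presumably wraps
            the baseline page the probes are compared against — confirm
            at the caller.
        uri: request URI without its query string; the built payload is
            appended after ``?``.
        paramDict, parameters, parameter, value: forwarded unchanged to
            ``agent.payload_t``.

    Returns:
        The negation of the last comparison result: ``True`` when every
        probe's comparison was falsy (presumably "page differed", i.e. the
        parameter is dynamic — confirm against ``url_test.comparison``),
        ``False`` when a comparison was truthy, and ``None`` when no
        payload could be built or a request raised.
    """
    dynResult = None
    try:
        for _ in range(2):
            payload = agent.payload_t(paramDict, parameters, place, parameter,
                                      value, getUnicode(randomInt()))
            if not payload:
                # Nothing to substitute: report "unknown" instead of
                # requesting an unbound/stale url (the original code left
                # `url` undefined here and relied on the except below).
                dynResult = None
                break
            response = proxyqueryPage("%s?%s" % (uri, payload))
            dynResult = url_test.comparison(response.getdata())
            if dynResult:
                break
    except Exception as ex:
        # Best-effort probe: a failed request is reported (not re-raised)
        # and the function falls through to return None.
        print(ex)

    return None if dynResult is None else not dynResult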
Esempio n. 2
    def payload_t(self, paramDict, parameters=None, place=None, parameter=None, value=None, newValue=None, where=None):
        """
        This method replaces the affected parameter with the SQL
        injection statement to request

        Args:
            paramDict: mapping ``place -> {parameter: original value}``;
                only ``paramDict[place][parameter]`` is read.
            parameters: mapping ``place -> raw parameter string``; the
                substitution is performed on ``parameters[place]``.
            place: one of the ``PLACE.*`` request locations.
            parameter: name of the parameter whose value is rewritten.
            value: prefix placed before *newValue*.  Only consulted when
                it is ``None`` — then it is derived from *where*.  A
                non-``None`` *value* is never used (newValue is taken
                verbatim); this matches the code, confirm it is intended.
            newValue: payload text; passed through ``cleanupPayload``.
            where: ``PAYLOAD.WHERE.*`` strategy, used only when *value*
                is ``None``.

        Returns:
            The rewritten parameter string with BOUNDARY_BACKSLASH_MARKER
            turned back into a backslash.  For the URI/custom/header
            places handled by the ``pass`` branches below nothing is
            substituted and ``""`` is returned.  When no regex matched,
            ``parameters[place]`` comes back unchanged.

        Raises:
            KeyError: when *place* or *parameter* is missing from the
                mappings.
        """

        retVal = ""
        paramString = parameters[place]
        # Rebinds the argument name to the per-place sub-mapping.
        paramDict = paramDict[place]
        origValue = getUnicode(paramDict[parameter])

        # If no value was supplied, derive one from *where*.
        if value is None:
            if where == PAYLOAD.WHERE.ORIGINAL:
                value = origValue
            elif where == PAYLOAD.WHERE.NEGATIVE:
                # if conf.invalidLogical:
                #     match = re.search(r'\A[^ ]+', newValue)
                #     newValue = newValue[len(match.group() if match else ""):]
                #     _ = randomInt(2)
                #     value = "%s%s AND %s=%s" % (origValue, match.group() if match else "", _, _ + 1)
                # elif conf.invalidBignum:
                #     value = randomInt(6)
                # elif conf.invalidString:
                #     value = randomStr(6)
                # else:
                # A payload that already starts with "-" gets no extra
                # negative prefix; otherwise a random negative number is used.
                # (newValue must be a str here — startswith on None raises.)
                if newValue.startswith("-"):
                    value = ""
                else:
                    value = "-%s" % randomInt()
            elif where == PAYLOAD.WHERE.REPLACE:
                value = ""
            else:
                value = origValue

            newValue = "%s%s" % (value, newValue)

        newValue = self.cleanupPayload(newValue, origValue)

        # Supports rewriting parameters in the various HTTP request places.
        # The first two groups are not handled here: retVal stays "".
        if place in (PLACE.URI, PLACE.CUSTOM_POST, PLACE.CUSTOM_HEADER):
            pass
        elif place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):
            pass
        else:
            def _(pattern, repl, string):
                # Replace only the LAST match of `pattern` in `string`,
                # expanding \g<name>/\g<n> references in `repl` by hand.
                # Returns `string` unchanged when there is no match.
                retVal = string
                match = None
                for match in re.finditer(pattern, string):
                    pass

                if match:
                    while True:
                        # Local `_` shadows this helper's own name; harmless
                        # because the helper never calls itself.
                        _ = re.search(r"\\g<([^>]+)>", repl)
                        if _:
                            try:
                                repl = repl.replace(_.group(0), match.group(int(_.group(1)) if _.group(1).isdigit() else _.group(1)))
                            except IndexError:
                                # Reference to a group the pattern lacks:
                                # stop expanding, keep repl as is.
                                break
                        else:
                            break
                    retVal = string[:match.start()] + repl + string[match.end():]
                return retVal

            if origValue:
                # Require a word boundary after the value only when it ends
                # alphanumerically, so "id=1" does not match "id=10".
                regex = r"(\A|\b)%s=%s%s" % (re.escape(parameter), re.escape(origValue), r"(\Z|\b)" if origValue[-1].isalnum() else "")
                retVal = _(regex, "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
            else:
                # Empty original value: group 2 captures the delimiter that
                # follows and "\g<2>" re-emits it (non-raw string; "\g" is
                # not a Python escape so the backslash survives for `_`).
                retVal = _(r"(\A|\b)%s=%s(\Z|%s|%s|\s)" % (re.escape(parameter), re.escape(origValue), DEFAULT_GET_POST_DELIMITER, DEFAULT_COOKIE_DELIMITER), "%s=%s\g<2>" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)

            # Nothing matched: retry with the URL-encoded parameter name in
            # case the raw string carries it encoded.
            if retVal == paramString and urlencode(parameter) != parameter:
                pass
                retVal = _(r"(\A|\b)%s=%s" % (re.escape(urlencode(parameter)), re.escape(origValue)), "%s=%s" % (urlencode(parameter), self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)


        if retVal:
            retVal = retVal.replace(BOUNDARY_BACKSLASH_MARKER, '\\')

        return retVal
Esempio n. 3
def escaper(value):
    """Render *value* as a hexadecimal literal.

    When every code point reported by ``getOrds`` is below 128 the result is
    a bare ``0x..`` literal; otherwise it is wrapped in
    ``CONVERT(0x.. USING utf8)`` so the receiving side decodes the bytes as
    UTF-8.  Both forms hex-encode ``getBytes(value)``.
    """
    hexed = getUnicode(binascii.hexlify(getBytes(value)))
    is_ascii = not any(code >= 128 for code in getOrds(value))
    if is_ascii:
        return "0x%s" % hexed
    return "CONVERT(0x%s USING utf8)" % hexed
Esempio n. 4
    hostname = hostname.strip("[]").replace(CUSTOM_INJECTION_MARK_CHAR, "")

    if len(hostnamePort) == 2:
        try:
            port = int(hostnamePort[1])
        except:
            errMsg = "invalid target URL"
            print errMsg
    elif scheme == "https":
        port = 443
    else:
        port = 80
    if urlSplit.query:
        conf.parameters[PLACE.GET] = urldecode(urlSplit.query) if urlSplit.query and urlencode(DEFAULT_GET_POST_DELIMITER, None) not in urlSplit.query else urlSplit.query

    uri = getUnicode("%s://%s:%d%s" % (scheme, ("[%s]" % hostname) if ipv6 else hostname, port, path))
    conf.url = uri.replace(URI_QUESTION_MARKER, '?')


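def Init():
    """Load the error signatures, every payload file and the boundaries.

    ``conf.errorsXML`` is read through ``readCachedFileContent`` (its return
    value is discarded here — presumably the call fills a cache as a side
    effect; confirm).  Every regular file under ``conf.payloadPath`` is
    parsed with ``et.parse`` and its root element handed to
    ``parseXmlNode``; the same is then done for ``conf.boundariesXML``.

    Raises:
        Whatever ``et.parse`` raises on unreadable or malformed XML; nothing
        is caught here.
    """
    readCachedFileContent(conf.errorsXML)

    # os.listdir order is filesystem-dependent; sort so payloads are always
    # registered in the same order.  Sub-directories and other non-files
    # are skipped instead of being handed to et.parse, which fails on them.
    for payloadFile in sorted(os.listdir(conf.payloadPath)):
        payloadFilePath = os.path.join(conf.payloadPath, payloadFile)
        if not os.path.isfile(payloadFilePath):
            continue
        parseXmlNode(et.parse(payloadFilePath).getroot())

    parseXmlNode(et.parse(conf.boundariesXML).getroot())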