コード例 #1
    def gen_payload_seq(self):
        """
        Produce a fresh random sequence by asking common.random_str for 32
        characters.

        Returns:
            str
        """
        # NOTE(review): common.random_str is not visible here; if this value
        # must be unguessable, confirm it draws from a CSPRNG.
        seq_length = 32
        return common.random_str(seq_length)
コード例 #2
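    def _gen_xxe_mutant(self):
        """
        Build the next XXE test request and the checker that evaluates it.

        Each call consumes one entry of self.payload_list for the current
        parameter. When the list is exhausted, the next parameter is popped
        from self.test_params, the payload index is reset and a new
        payload_seq is drawn.

        Returns:
            dict of the form:
            {
                "request_data_list": [request_data_1, ...]  # RequestData instances,
                "checker": checker built for request_data_list
            }
            None once no further instance can be generated (payloads used up).

        Raises:
            exceptions.MutantNotInitError: if self.gen_init is falsy.
        """
        if not self.gen_init:
            raise exceptions.MutantNotInitError

        if self.end:
            return None

        # All payloads have been used for the current parameter: advance to
        # the next one, or finish when none is left.
        if len(self.payload_list) == self.payload_index:
            try:
                self.cur_param = self.test_params.pop()
            except IndexError:
                self.end = True
                return None
            else:
                self.payload_index = 0
                self.payload_seq = common.random_str(32)

        param_name = self.cur_param[0]
        param_type = self.cur_param[1]
        # payload[0] is the value written into the parameter; payload[1] is
        # forwarded to RequestData (its meaning is not visible here).
        payload = self.payload_list[self.payload_index]
        request_data_ins = request_data.RequestData(self.rasp_result_ins,
                                                    self.payload_seq,
                                                    payload[1])
        self.payload_index += 1
        request_data_ins.set_param(param_type, param_name, payload[0])
        if param_type == "files":
            # Work on a copy: param_name is the object held in self.cur_param,
            # and assigning param_name[1] in place would make every later
            # payload for this file target "content_type" instead of the
            # original field.
            content_type_name = list(param_name)
            content_type_name[1] = "content_type"
            request_data_ins.set_param(param_type, content_type_name,
                                       "application/xml")

        request_data_list = [request_data_ins]

        check_config = {
            "type": "xxe",
            "check_type": self.mutant_config["check_type"]
        }
        result = {
            "request_data_list": request_data_list,
            "checker": self.checker_cls(request_data_list, check_config)
        }
        return result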
コード例 #3
    def set_vuln_hook(self, hook_item):
        """
        Record the vulnerability hook information for the current request.

        The entry stored under rasp_result_dict["vuln_hook"] holds the hook
        item itself plus a "stack_hash": the MD5 hex digest of the joined
        "stack" frames, or "random-" followed by a 32-character random
        string when the item has no "stack" key.

        Parameters:
            hook_item - dict, taken from the request's hook_info
        """
        # NOTE(review): MD5 is not collision-resistant; presumably the hash
        # is only a grouping key for identical stacks - confirm it is never
        # relied on as an integrity or security check.
        # NOTE(review): only KeyError is handled; a frame containing a
        # character outside latin-1 raises UnicodeEncodeError to the caller.
        try:
            frames = hook_item["stack"]
        except KeyError:
            fingerprint = "random-" + common.random_str(32)
        else:
            joined = "".join(frames)
            fingerprint = hashlib.md5(joined.encode("latin-1")).hexdigest()

        vuln_entry = {"hook_info": hook_item, "stack_hash": fingerprint}
        self.rasp_result_dict["vuln_hook"] = vuln_entry
コード例 #4
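    def _init_xxe_mutant(self):
        """
        Initialise the XXE payload generator.

        Resets the generator state, collects every request parameter whose
        value contains "<?xml" within its first 20 characters (bytes for
        uploaded file content) into self.test_params, then pops the first
        parameter to test and draws a payload_seq for it.

        Returns:
            boolean, False when no parameter needs testing, True otherwise
        """
        # Reset generator state.
        self.end = False
        self.payload_index = 0
        self.test_params = []
        # Collect all parameters that are candidates for testing.
        request_data_ins = request_data.RequestData(self.rasp_result_ins)
        all_param = request_data_ins.get_all_param(
            self.mutant_config["param_type_list"])

        # Coverage note: selection relies on a case-sensitive "<?xml"
        # declaration near the start of the value, so XML sent without a
        # declaration is not picked up for testing.
        for param_type in all_param:
            if param_type == "json":
                json_params = self._get_json_test_params(all_param["json"])
                for item in json_params:
                    if item["value"] is None:
                        continue
                    if item["value"].find("<?xml", 0, 20) >= 0:
                        self.test_params.append((item["json_path"], "json"))
            elif param_type == "files":
                for i in range(len(all_param["files"])):
                    if all_param["files"][i]["content"].find(b"<?xml", 0,
                                                             20) >= 0:
                        # list.append takes a single argument, so the
                        # (name, type) pair must be wrapped in a tuple like
                        # the entries of the other branches.
                        self.test_params.append(([i, "content"], "files"))
            else:
                for param_name in all_param[param_type]:
                    if all_param[param_type][param_name].find("<?xml", 0,
                                                              20) >= 0:
                        self.test_params.append((param_name, param_type))
        # Select the first parameter to test.
        try:
            self.cur_param = self.test_params.pop()
            self.payload_seq = common.random_str(32)
        except IndexError:
            self.end = True
            return False
        else:
            return True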