コード例 #1
0
def sqlmap_scan(request, level):
    message = {"request_stat": 0, "message": ""}
    sqlmap_api = config.load_rule()["sqlmap_api"]
    sqlmap_conf = json.load(open(config.rule_read("sqlmap", get_file_handle=True)))
    conf_ban = ["url", "headers", "data", "taskid", "database"]
    for ban in conf_ban:
        if ban in sqlmap_conf.keys():
            del sqlmap_conf[ban]
    sqlmap_conf['url'] = request['url']
    sqlmap_conf['data'] = request['postdata']
    sqlmap_conf['headers'] = ""
    for header in request['headers'].keys():
        sqlmap_conf['headers'] += "%s: %s\r\n" % (header, request['headers'][header])
    json_headers = {"Content-Type": "application/json"}
    taskid = json.loads(requests.get("%s/task/new" % sqlmap_api).content)['taskid']
    data = json.dumps(sqlmap_conf)
    try:
        requests.post("%s/option/%s/set" % (sqlmap_api, taskid), data=json.dumps(sqlmap_conf), headers=json_headers)
        requests.post("%s/scan/%s/start" % (sqlmap_api, taskid), data="{}", headers=json_headers)
        while json.loads(requests.get("%s/scan/%s/status" % (sqlmap_api, taskid)).content)['status'] != "terminated":
            time.sleep(5)
        data = json.loads(requests.get("%s/scan/%s/data" % (sqlmap_api, taskid)).content)['data']
        if data != []:
            message['request_stat'] = 3
            message['message'] += "title: %s|#|payload: %s|#|taskid: %s|,|" % (data[0]['value'][0]['data']['1']['title'], data[0]['value'][0]['data']['1']['payload'], taskid)
    except Exception as e:
        print(e)
    finally:
        return message
コード例 #2
0
def sqlibool_scan(request, config_level):
    message = {"request_stat": 0, "message": ""}
    dom = minidom.parse(config.rule_read("sqlibool", get_file_handle=True)).documentElement
    for node in dom.getElementsByTagName('couple'):
        couple_id = int(node.getAttribute("id"))
        if couple_id <= config_level:
            for compare in node.getElementsByTagName("compare"):
                compare1 = compare.getElementsByTagName("compare1")[0].childNodes[0].nodeValue
                compare11 = compare.getElementsByTagName("compare11")[0].childNodes[0].nodeValue
                compare2 = compare.getElementsByTagName("compare2")[0].childNodes[0].nodeValue
                compare22 = compare.getElementsByTagName("compare22")[0].childNodes[0].nodeValue
                for param_name in urlparse(request['url']).query.split("&"):
                    response1 = request_payload(request, compare1, param_name)
                    response2 = request_payload(request, compare2, param_name)
                    response22 = request_payload(request, compare22, param_name)
                    time.sleep(1)#prevent time stamp in response
                    response11 = request_payload(request, compare11, param_name)
                    if response1 == response11 and response2 == response22 and response1 != response2:
                        message['request_stat'] = 2
                        message['message'] += "payload1: %s|#|payload2: %s|#|param: %s|,|" % (compare1.encode('utf-8'), compare2.encode('utf-8'), param_name.split("=")[0])
                        if config.load()['only_one_match'].lower() == "true":
                            return message
                for param_name in request['postdata'].split("&"):
                    if request['postdata'] == "":
                        break
                    response1 = request_payload(request, compare1, param_name, postdata=True)
                    response11 = request_payload(request, compare11, param_name, postdata=True)
                    response2 = request_payload(request, compare2, param_name, postdata=True)
                    response22 = request_payload(request, compare22, param_name, postdata=True)
                    if response1 == response11 and response2 == response22 and response1 != response2:
                        message['request_stat'] = 2
                        message['message'] += "payload1: %s|#|payload2: %s|#|param: %s|,|" % (compare1.encode('utf-8'), compare2.encode('utf-8'), param_name.split("=")[0])
                        if config.load()['only_one_match'].lower() == "true":
                            return message
    return message
コード例 #3
0
def xss_scan(request, config_level):
    message = {"request_stat": 0, "message": ""}
    dom = minidom.parse(config.rule_read("xss", get_file_handle=True)).documentElement
    for node in dom.getElementsByTagName('couple'):
        couple_id = int(node.getAttribute("id"))
        if couple_id <= config_level:
            payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
            for payload in payloads.splitlines():
                for param_name in urlparse(request['url']).query.split("&"):
                    response = request_payload(request, payload.strip(), param_name)
                    if payload.strip().encode("utf-8") in response:
                        message['request_stat'] = 1
                        message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], payload.strip().encode('utf-8'))
                        if config.load()['only_one_match'].lower() == "true":
                            return message
                for param_name in request['postdata'].split("&"):
                    if request['postdata'] == "":
                        break
                    else:
                        response = request_payload(request, payload.strip(), param_name, postdata=True)
                    if payload.strip().encode("utf-8") in response:
                        message['request_stat'] = 1
                        message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], payload.strip().encode('utf-8'))
                        if config.load()['only_one_match'].lower() == "true":
                            return message
    return message
コード例 #4
0
def common_scan(request, config_level, re_test, scan_type):
    message = {"request_stat": 0, "message": ""}
    dom = minidom.parse(config.rule_read(scan_type, get_file_handle=True)).documentElement
    for node in dom.getElementsByTagName('couple'):
        couple_id = int(node.getAttribute("id"))
        if couple_id <= config_level:
            payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
            for payload in payloads.splitlines():
                for param_name in urlparse(request['url']).query.split("&"):
                    response = request_payload(request, payload.strip(), param_name)
                    if not isinstance(response,str):
                        response = response.decode("utf8","ignore")
                    for response_rule in node.getElementsByTagName('responses')[0].childNodes[0].nodeValue.strip().splitlines():
                        # print(response_rule)
                        if re_test:
                            if re.search(response_rule.strip(), response):
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                if config.load()['only_one_match'].lower() == "true":
                                    # print(message)
                                    return message
                        else:
                            if response_rule.strip() in response:
                            #rule format: unicode, it need to be encoded with utf-8
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
                for param_name in request['postdata'].split("&"):
                    if request['postdata'] == "":
                        break
                    else:
                        response = request_payload(request, payload.strip(), param_name, postdata=True)
                    for response_rule in node.getElementsByTagName('responses')[0].childNodes[0].nodeValue.strip().splitlines():
                        if re_test:
                            if re.search(response_rule.strip().encode("utf-8"), response):
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                if config.load()['only_one_match'].lower() == "true":
                                    # print(message)
                                    return message
                        else:
                            if response_rule.strip().encode("utf-8") in response:
                            #rule format: unicode, it need to be encoded with utf-8
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
    # print(message)                                
    return message
コード例 #5
0
 def get(self):
     start = {}
     rule = ["sqlireflect", "sqlitime", "xpath", "xss", "sqlibool"]
     for i in rule:
         start[i + "_true"] = ""
         start[i + "_false"] = "checked"
     for i in config.load_rule()["scan_type"]:
         start[i + "_true"] = "checked"
         start[i + "_false"] = ""
     rules = {}
     for i in rule:
         rules[i] = config.rule_read(i)
     return self.render("scan_config.html",
                        config=config.load(),
                        start=start,
                        rules=rules,
                        scan_stat=config.load()['scan_stat'])
コード例 #6
0
def sqlitime_scan(request, config_level):
    message = {"request_stat": 0, "message": ""}
    dom = minidom.parse(config.rule_read("sqlitime", get_file_handle=True)).documentElement
    for node in dom.getElementsByTagName('couple'):
        couple_id = int(node.getAttribute("id"))
        if couple_id <= config_level:
            payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
            for payload in payloads.splitlines():
                if "TIME_VAR" in payload:
                    for param_name in urlparse(request['url']).query.split("&"):
                        response, time0 = request_payload(request, payload.strip().replace("TIME_VAR", "0"), param_name, time_check=True)
                        response, time3 = request_payload(request, payload.strip().replace("TIME_VAR", "3"), param_name, time_check=True)
                        if time3 - time0 >= 2:
                            response, time6 = request_payload(request, payload.strip().replace("TIME_VAR", "6"), param_name, time_check=True)
                            num = (time6 - time0) / (time3 - time0)
                            if num <= 2.3 and num >= 1.7:
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("TIME_VAR", '5').encode('utf-8'), param_name.split("=")[0])
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
                    for param_name in request['postdata'].split("&"):
                        if request['postdata'] == "":
                            break
                        response, time0 = request_payload(request, payload.strip().replace("TIME_VAR", "0"), param_name, postdata=True, time_check=True)
                        response, time3 = request_payload(request, payload.strip().replace("TIME_VAR", "3"), param_name, postdata=True, time_check=True)
                        if time3 - time0 >= 2:
                            response, time6 = request_payload(request, payload.strip().replace("TIME_VAR", "6"), param_name, postdata=True, time_check=True)
                            num = (time6 - time0) / (time3 - time0)
                            if num <= 2.3 and num >= 1.7:
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("TIME_VAR", '5').encode('utf-8'), param_name.split("=")[0])
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
                elif "NUM_VAR" in payload:
                    for param_name in urlparse(request['url']).query.split("&"):
                        response, time0 = request_payload(request, payload.strip().replace("NUM_VAR", "0"), param_name, time_check=True)
                        VAR = '500000'
                        for NUM_VAR in range(3):
                            VAR += '0'
                            response, time_more = request_payload(request, payload.strip().replace("NUM_VAR", VAR), param_name, time_check=True)
                            if time_more - time0 >= 3:
                                response, time6 = request_payload(request, payload.strip().replace("NUM_VAR", str(int(VAR) * 2)), param_name, time_check=True)
                                num = (time6 - time0) / (time_more - time0)
                                if num <= 2.3 and num >= 1.7:
                                    message['request_stat'] = 3
                                    message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("NUM_VAR", VAR).encode('utf-8'), param_name.split("=")[0])
                                    if config.load()['only_one_match'].lower() == "true":
                                        return message
                                    else:
                                        break
                                else:
                                    break
                    for param_name in request['postdata'].split("&"):
                        if request['postdata'] == "":
                            break
                        response, time0 = request_payload(request, payload.strip().replace("NUM_VAR", "0"), param_name, time_check=True)
                        VAR = '500000'
                        for NUM_VAR in range(3):
                            VAR += '0'
                            response, time_more = request_payload(request, payload.strip().replace("NUM_VAR", VAR), param_name, postdata=True, time_check=True)
                            if time_more - time0 >= 3:
                                response, time6 = request_payload(request, payload.strip().replace("NUM_VAR", str(int(VAR) * 2)), param_name, postdata=True, time_check=True)
                                num = (time6 - time0) / (time_more - time0)
                                if num <= 2.3 and num >= 1.7:
                                    message['request_stat'] = 3
                                    message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("NUM_VAR", VAR).encode('utf-8'), param_name.split("=")[0])
                                    if config.load()['only_one_match'].lower() == "true":
                                        return message
                                    else:
                                        break
                                else:
                                    break
    return message