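def sqlmap_scan(request, level):
    """Hand the captured request to a running sqlmap API server and collect its verdict.

    Args:
        request: dict with ``url``, ``postdata`` and ``headers`` (a mapping of
            header name to value) of the captured request.
        level: accepted for signature parity with the other ``*_scan``
            functions; not used here.

    Returns:
        dict ``{"request_stat": int, "message": str}``. ``request_stat`` is 3
        and ``message`` carries a ``title|#|payload|#|taskid`` record when
        sqlmap reported data for the task; otherwise 0 and ``""``. Failures
        while talking to the API are printed and yield the empty result.
    """
    message = {"request_stat": 0, "message": ""}
    sqlmap_api = config.load_rule()["sqlmap_api"]

    # Base options come from the "sqlmap" rule file; the handle is closed as
    # soon as it is parsed instead of being left to the garbage collector.
    # NOTE(review): rule_read(..., get_file_handle=True) is passed to open()
    # here, so it is assumed to yield something open() accepts — confirm.
    with open(config.rule_read("sqlmap", get_file_handle=True)) as rule_file:
        sqlmap_conf = json.load(rule_file)

    # Per-request keys must come from the captured request, never from the
    # rule file; taskid/database are managed by sqlmap and must not be preset.
    for ban in ("url", "headers", "data", "taskid", "database"):
        sqlmap_conf.pop(ban, None)
    sqlmap_conf['url'] = request['url']
    sqlmap_conf['data'] = request['postdata']
    # sqlmap expects raw header lines, CRLF-separated.
    sqlmap_conf['headers'] = "".join(
        "%s: %s\r\n" % (name, value) for name, value in request['headers'].items()
    )

    json_headers = {"Content-Type": "application/json"}
    taskid = json.loads(requests.get("%s/task/new" % sqlmap_api).content)['taskid']
    try:
        requests.post("%s/option/%s/set" % (sqlmap_api, taskid),
                      data=json.dumps(sqlmap_conf), headers=json_headers)
        requests.post("%s/scan/%s/start" % (sqlmap_api, taskid),
                      data="{}", headers=json_headers)
        # Poll until sqlmap reports the task as finished.
        while json.loads(requests.get("%s/scan/%s/status" % (sqlmap_api, taskid)).content)['status'] != "terminated":
            time.sleep(5)
        data = json.loads(requests.get("%s/scan/%s/data" % (sqlmap_api, taskid)).content)['data']
        if data != []:
            message['request_stat'] = 3
            # Only the first finding's first entry is reported.
            first = data[0]['value'][0]['data']['1']
            message['message'] += "title: %s|#|payload: %s|#|taskid: %s|,|" % (
                first['title'], first['payload'], taskid)
    except Exception as e:
        # Best-effort: an API or parsing failure yields the empty result rather
        # than aborting the whole scan run. Only Exception is caught, so
        # KeyboardInterrupt/SystemExit still propagate.
        print(e)
    return message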
def sqlibool_scan(request, config_level):
    """Boolean-based SQL injection check driven by the "sqlibool" rule file.

    Each ``<couple>`` whose ``id`` is at most ``config_level`` contributes
    ``<compare>`` entries with four payload texts: ``compare1``/``compare11``
    (a pair expected to behave alike) and ``compare2``/``compare22`` (a second
    such pair). A parameter is reported when both pairs answer consistently
    but the two pairs differ from each other. URL query parameters are tried
    first, then POST parameters when ``request['postdata']`` is non-empty.
    ``request_payload`` is assumed to return the response body for a payload
    placed in the named parameter.

    Args:
        request: dict with ``url`` and ``postdata`` of the captured request.
        config_level: highest ``couple`` id that is used.

    Returns:
        dict ``{"request_stat": int, "message": str}``; ``request_stat``
        becomes 2 and ``message`` accumulates ``payload1|#|payload2|#|param``
        records for each hit. Returns right after the first hit when the
        ``only_one_match`` setting is ``"true"``.
    """
    message = {"request_stat": 0, "message": ""}

    def text_of(compare_node, tag):
        # First text node of the named child element.
        return compare_node.getElementsByTagName(tag)[0].childNodes[0].nodeValue

    def stop_after_first_hit():
        return config.load()['only_one_match'].lower() == "true"

    def record(first, second, param_name):
        message['request_stat'] = 2
        message['message'] += "payload1: %s|#|payload2: %s|#|param: %s|,|" % (
            first.encode('utf-8'), second.encode('utf-8'), param_name.split("=")[0])

    rule_root = minidom.parse(config.rule_read("sqlibool", get_file_handle=True)).documentElement
    for couple in rule_root.getElementsByTagName('couple'):
        if int(couple.getAttribute("id")) > config_level:
            continue
        for compare in couple.getElementsByTagName("compare"):
            p1 = text_of(compare, "compare1")
            p11 = text_of(compare, "compare11")
            p2 = text_of(compare, "compare2")
            p22 = text_of(compare, "compare22")

            for param_name in urlparse(request['url']).query.split("&"):
                r1 = request_payload(request, p1, param_name)
                r2 = request_payload(request, p2, param_name)
                r22 = request_payload(request, p22, param_name)
                time.sleep(1)  # prevent time stamp in response
                r11 = request_payload(request, p11, param_name)
                if r1 == r11 and r2 == r22 and r1 != r2:
                    record(p1, p2, param_name)
                    if stop_after_first_hit():
                        return message

            # POST parameters are only probed when a body was captured.
            if request['postdata'] != "":
                for param_name in request['postdata'].split("&"):
                    r1 = request_payload(request, p1, param_name, postdata=True)
                    r11 = request_payload(request, p11, param_name, postdata=True)
                    r2 = request_payload(request, p2, param_name, postdata=True)
                    r22 = request_payload(request, p22, param_name, postdata=True)
                    if r1 == r11 and r2 == r22 and r1 != r2:
                        record(p1, p2, param_name)
                        if stop_after_first_hit():
                            return message
    return message
def xss_scan(request, config_level):
    """Reflected-XSS check driven by the "xss" rule file.

    Every ``<couple>`` whose ``id`` is at most ``config_level`` lists payloads,
    one per line, in its ``<requests>`` element. Each payload is sent in every
    URL query parameter and then, when ``request['postdata']`` is non-empty,
    in every POST parameter; a hit is recorded when the payload text appears
    verbatim in the value ``request_payload`` returns (assumed to be the
    response body).

    Args:
        request: dict with ``url`` and ``postdata`` of the captured request.
        config_level: highest ``couple`` id that is used.

    Returns:
        dict ``{"request_stat": int, "message": str}``; ``request_stat``
        becomes 1 and ``message`` accumulates ``payload|#|param|#|findstr``
        records for each hit. Returns right after the first hit when the
        ``only_one_match`` setting is ``"true"``.
    """
    message = {"request_stat": 0, "message": ""}

    def stop_after_first_hit():
        return config.load()['only_one_match'].lower() == "true"

    def record(payload, param_name):
        encoded = payload.encode('utf-8')
        message['request_stat'] = 1
        message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (
            encoded, param_name.split("=")[0], encoded)

    rule_root = minidom.parse(config.rule_read("xss", get_file_handle=True)).documentElement
    for couple in rule_root.getElementsByTagName('couple'):
        if int(couple.getAttribute("id")) > config_level:
            continue
        payload_block = couple.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
        for raw_payload in payload_block.splitlines():
            payload = raw_payload.strip()
            needle = payload.encode("utf-8")

            for param_name in urlparse(request['url']).query.split("&"):
                response = request_payload(request, payload, param_name)
                if needle in response:
                    record(payload, param_name)
                    if stop_after_first_hit():
                        return message

            # POST parameters are only probed when a body was captured.
            if request['postdata'] != "":
                for param_name in request['postdata'].split("&"):
                    response = request_payload(request, payload, param_name, postdata=True)
                    if needle in response:
                        record(payload, param_name)
                        if stop_after_first_hit():
                            return message
    return message
def common_scan(request, config_level, re_test, scan_type):
    """Generic request/response rule scan shared by several scan types.

    Loads the rule file named by ``scan_type``; each ``<couple>`` whose ``id``
    is at most ``config_level`` holds payloads (``<requests>``, one per line)
    and expected response fragments (``<responses>``, one per line). Every
    payload is sent in each URL query parameter and then, when
    ``request['postdata']`` is non-empty, in each POST parameter; a hit is
    recorded when a response rule matches the value ``request_payload``
    returns (assumed to be the response body) — as a regular expression when
    ``re_test`` is true, otherwise as a plain substring.

    Args:
        request: dict with ``url`` and ``postdata`` of the captured request.
        config_level: highest ``couple`` id that is used.
        re_test: match rules with ``re.search`` instead of substring containment.
        scan_type: rule-file name handed to ``config.rule_read``.

    Returns:
        dict ``{"request_stat": int, "message": str}``; ``request_stat``
        becomes 3 and ``message`` accumulates ``payload|#|param|#|findstr``
        records for each hit. Returns right after the first hit when the
        ``only_one_match`` setting is ``"true"``.
    """
    message = {"request_stat": 0, "message": ""}
    dom = minidom.parse(config.rule_read(scan_type, get_file_handle=True)).documentElement
    for node in dom.getElementsByTagName('couple'):
        couple_id = int(node.getAttribute("id"))
        if couple_id <= config_level:
            payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
            for payload in payloads.splitlines():
                # --- URL query parameters ---
                for param_name in urlparse(request['url']).query.split("&"):
                    response = request_payload(request, payload.strip(), param_name)
                    # This branch matches text rules against a text body, so a
                    # bytes response is decoded first (undecodable bytes dropped).
                    if not isinstance(response,str):
                        response = response.decode("utf8","ignore")
                    for response_rule in node.getElementsByTagName('responses')[0].childNodes[0].nodeValue.strip().splitlines():
                        if re_test:
                            if re.search(response_rule.strip(), response):
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
                        else:
                            # Rule text is compared as-is against the decoded body.
                            if response_rule.strip() in response:
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
                # --- POST parameters (skipped entirely when postdata is empty) ---
                for param_name in request['postdata'].split("&"):
                    if request['postdata'] == "":
                        break
                    else:
                        response = request_payload(request, payload.strip(), param_name, postdata=True)
                        # NOTE(review): unlike the query branch above, the response
                        # is not decoded here and the rules are encoded to bytes
                        # before matching; if request_payload returns str, a bytes
                        # pattern would never match (and re.search would raise
                        # TypeError) — confirm which type it returns.
                        for response_rule in node.getElementsByTagName('responses')[0].childNodes[0].nodeValue.strip().splitlines():
                            if re_test:
                                if re.search(response_rule.strip().encode("utf-8"), response):
                                    message['request_stat'] = 3
                                    message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                    if config.load()['only_one_match'].lower() == "true":
                                        return message
                            else:
                                # Rule text is unicode; it is encoded to utf-8
                                # before being searched in the raw body.
                                if response_rule.strip().encode("utf-8") in response:
                                    message['request_stat'] = 3
                                    message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
                                    if config.load()['only_one_match'].lower() == "true":
                                        return message
    return message
def get(self):
    """Render the scan-configuration page.

    Builds ``start``, a map of ``<rule>_true`` / ``<rule>_false`` keys whose
    value is either ``"checked"`` or ``""`` so the template can mark each scan
    type as on or off; the ``scan_type`` list from ``config.load_rule()``
    decides which ones are enabled. ``rules`` maps each known rule name to the
    text ``config.rule_read`` returns for it.

    Returns:
        Whatever ``self.render`` returns for ``scan_config.html``.
    """
    known_rules = ("sqlireflect", "sqlitime", "xpath", "xss", "sqlibool")

    # Default: every known scan type is rendered as disabled.
    start = {}
    for name in known_rules:
        start.update({name + "_true": "", name + "_false": "checked"})
    # Enabled scan types flip to "checked" (names outside known_rules get
    # keys too; the template is assumed to only read the ones it shows).
    for name in config.load_rule()["scan_type"]:
        start.update({name + "_true": "checked", name + "_false": ""})

    rules = {name: config.rule_read(name) for name in known_rules}
    return self.render(
        "scan_config.html",
        config=config.load(),
        start=start,
        rules=rules,
        scan_stat=config.load()['scan_stat']
    )
def sqlitime_scan(request, config_level):
    """Time-based SQL injection check driven by the "sqlitime" rule file.

    Payloads come one per line from each ``<couple>`` whose ``id`` is at most
    ``config_level`` and must contain one of two placeholders:

    * ``TIME_VAR`` — replaced by a delay value. The payload is sent with 0, 3
      and 6; a parameter is reported when the "3" variant is at least 2 s
      slower than the "0" baseline and the "6" variant takes roughly twice as
      long (ratio between 1.7 and 2.3). The reported payload substitutes 5.
    * ``NUM_VAR`` — replaced by a growing count (5000000, 50000000,
      500000000). Once a count is at least 3 s slower than the baseline, the
      doubled count is sent and the parameter is reported when the ratio is
      again between 1.7 and 2.3.

    URL query parameters are tried first, then POST parameters when
    ``request['postdata']`` is non-empty. ``request_payload`` with
    ``time_check=True`` is assumed to return ``(response, elapsed_seconds)``.

    NOTE(review): the listing this was reconstructed from had no indentation;
    the two ``else: break`` clauses in the NUM_VAR loops are attached to the
    ratio test and the ``only_one_match`` test (so the count keeps growing only
    while no delay is observed) — confirm against the original file.

    Args:
        request: dict with ``url`` and ``postdata`` of the captured request.
        config_level: highest ``couple`` id that is used.

    Returns:
        dict ``{"request_stat": int, "message": str}``; ``request_stat``
        becomes 3 and ``message`` accumulates ``payload|#|param`` records for
        each hit. Returns right after the first hit when the
        ``only_one_match`` setting is ``"true"``.
    """
    message = {"request_stat": 0, "message": ""}
    dom = minidom.parse(config.rule_read("sqlitime", get_file_handle=True)).documentElement
    for node in dom.getElementsByTagName('couple'):
        couple_id = int(node.getAttribute("id"))
        if couple_id <= config_level:
            payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
            for payload in payloads.splitlines():
                if "TIME_VAR" in payload:
                    # --- URL query parameters ---
                    for param_name in urlparse(request['url']).query.split("&"):
                        response, time0 = request_payload(request, payload.strip().replace("TIME_VAR", "0"), param_name, time_check=True)
                        response, time3 = request_payload(request, payload.strip().replace("TIME_VAR", "3"), param_name, time_check=True)
                        if time3 - time0 >= 2:
                            response, time6 = request_payload(request, payload.strip().replace("TIME_VAR", "6"), param_name, time_check=True)
                            # Ratio of the two extra delays over the baseline;
                            # about 2 means the response time tracks the value.
                            num = (time6 - time0) / (time3 - time0)
                            if num <= 2.3 and num >= 1.7:
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("TIME_VAR", '5').encode('utf-8'), param_name.split("=")[0])
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
                    # --- POST parameters (skipped entirely when postdata is empty) ---
                    for param_name in request['postdata'].split("&"):
                        if request['postdata'] == "":
                            break
                        response, time0 = request_payload(request, payload.strip().replace("TIME_VAR", "0"), param_name, postdata=True, time_check=True)
                        response, time3 = request_payload(request, payload.strip().replace("TIME_VAR", "3"), param_name, postdata=True, time_check=True)
                        if time3 - time0 >= 2:
                            response, time6 = request_payload(request, payload.strip().replace("TIME_VAR", "6"), param_name, postdata=True, time_check=True)
                            num = (time6 - time0) / (time3 - time0)
                            if num <= 2.3 and num >= 1.7:
                                message['request_stat'] = 3
                                message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("TIME_VAR", '5').encode('utf-8'), param_name.split("=")[0])
                                if config.load()['only_one_match'].lower() == "true":
                                    return message
                elif "NUM_VAR" in payload:
                    # --- URL query parameters ---
                    for param_name in urlparse(request['url']).query.split("&"):
                        response, time0 = request_payload(request, payload.strip().replace("NUM_VAR", "0"), param_name, time_check=True)
                        # Appending a '0' per round gives 5000000, 50000000, 500000000.
                        VAR = '500000'
                        for NUM_VAR in range(3):
                            VAR += '0'
                            response, time_more = request_payload(request, payload.strip().replace("NUM_VAR", VAR), param_name, time_check=True)
                            if time_more - time0 >= 3:
                                response, time6 = request_payload(request, payload.strip().replace("NUM_VAR", str(int(VAR) * 2)), param_name, time_check=True)
                                num = (time6 - time0) / (time_more - time0)
                                if num <= 2.3 and num >= 1.7:
                                    message['request_stat'] = 3
                                    message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("NUM_VAR", VAR).encode('utf-8'), param_name.split("=")[0])
                                    if config.load()['only_one_match'].lower() == "true":
                                        return message
                                    else:
                                        break
                                else:
                                    break
                    # --- POST parameters (skipped entirely when postdata is empty) ---
                    for param_name in request['postdata'].split("&"):
                        if request['postdata'] == "":
                            break
                        # NOTE(review): unlike every other call in this loop, the
                        # baseline request omits postdata=True, so time0 is taken
                        # from a query-string request — confirm whether intended.
                        response, time0 = request_payload(request, payload.strip().replace("NUM_VAR", "0"), param_name, time_check=True)
                        VAR = '500000'
                        for NUM_VAR in range(3):
                            VAR += '0'
                            response, time_more = request_payload(request, payload.strip().replace("NUM_VAR", VAR), param_name, postdata=True, time_check=True)
                            if time_more - time0 >= 3:
                                response, time6 = request_payload(request, payload.strip().replace("NUM_VAR", str(int(VAR) * 2)), param_name, postdata=True, time_check=True)
                                num = (time6 - time0) / (time_more - time0)
                                if num <= 2.3 and num >= 1.7:
                                    message['request_stat'] = 3
                                    message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("NUM_VAR", VAR).encode('utf-8'), param_name.split("=")[0])
                                    if config.load()['only_one_match'].lower() == "true":
                                        return message
                                    else:
                                        break
                                else:
                                    break
    return message