def updaterequest(reqhash, taskid, sqlmapapi, sqlidata):
    '''
    Merge a positive sqlmapapi result into the request stored in redis.

    Reads the blob for ``reqhash`` from the "request" hash, decodes it with
    ``ds`` and parses it as JSON, adds the sqlmapapi task id / endpoint plus
    the injection details taken from ``sqlidata`` (dbms, os, parameter and
    the title found under entry ``'1'`` of the ``data`` map), then encodes
    the result with ``es`` and writes it back under the same key.

    ``sqlidata`` is presumably the list that ``isvulun`` returns — only
    ``sqlidata[0]['value'][0]`` is consulted; a missing element or key
    raises IndexError/KeyError to the caller before anything is written.
    '''
    raw = r.hget("request", reqhash)
    stored = json.loads(ds(raw))
    hit = sqlidata[0]['value'][0]
    stored.update({
        "taskid": taskid,
        "sqlmapapi": sqlmapapi,
        "dbms": hit['dbms'],
        "os": hit['os'],
        "parameter": hit['parameter'],
        "sqlititle": hit['data']['1']['title'],
    })
    r.hset("request", reqhash, es(json.dumps(stored)))
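def Start_Scan(nothing):
    '''
    Main loop of the scan worker.

    Pops request hashes from the "waiting" list (moving each to "running"),
    loads the stored request and runs every rule in ``rules`` against it:
    ``sqli`` goes through sqlmapapi when ``USESQLMAPAPI`` is set, every other
    rule through the ``general`` rule engine.  A hit pushes the hash onto the
    list named after the rule (plus the payload or sqlmapapi task data); once
    all rules ran the hash is pushed onto "finish".

    ``nothing`` is unused and only kept for the caller's worker-spawning
    convention.  Never returns.

    Differences from the previous version: an empty queue (``rpoplpush``
    returning None) backs off with a short sleep instead of being handed to
    ``hget``, and a failing rule is reported on stderr and skipped instead of
    being silently swallowed — the old bare ``except`` also swallowed
    KeyboardInterrupt/SystemExit, which made the worker un-interruptible.
    '''
    import traceback

    # rrules=['xss','sqli','xpath','ldap','lfi','sqli_time']
    rules = ['sqli', 'xss', 'xpath', 'ldap', 'lfi']

    while True:
        reqhash = r.rpoplpush("waiting", "running")
        if reqhash is None:
            # Nothing queued: back off rather than spinning against redis.
            sleep(1)
            continue
        reqed = r.hget("request", reqhash)
        if not reqed:
            # No stored request for this hash; nothing to scan.
            continue
        request = json.loads(ds(reqed))

        for rule in rules:
            try:
                if rule == 'sqli' and USESQLMAPAPI:
                    _scan_with_sqlmapapi(reqhash, request)
                else:
                    _scan_with_rule(reqhash, request, rule)
            except Exception:
                # Best effort per rule: one failure must not abort the other
                # rules or the worker, but it must be visible.
                traceback.print_exc()
        r.lpush("finish", reqhash)


def _scan_with_sqlmapapi(reqhash, request):
    '''Submit the request to sqlmapapi, wait for it, record a positive result.'''
    newsql = isqlmap()  # NOTE: original author flagged this line ("here wrong!"); cause not visible here.
    # Prefer the stored absolute uri; fall back to rebuilding it from host/url.
    uri = request.get("uri") or "http://" + request['host'] + request['url']
    taskid, api = newsql.extract_request(
        uri, request['method'], request['headers'],
        request['postdata'])
    print taskid, api
    # Poll until sqlmapapi reports the task finished.
    while not check_status(taskid, api):
        sleep(7)
    sqlilen, sqlidata = isvulun(taskid, api)
    if sqlilen:
        r.lpush("sqli", reqhash)
        updaterequest(reqhash, taskid, api, sqlidata)


def _scan_with_rule(reqhash, request, rule):
    '''Run one ``general`` rule against the request and record a hit in redis.'''
    scan_obj = general(request['url'], request['host'],
                       request['postdata'], request['headers'],
                       request['method'], request.get('uri'))
    # Time-based rules (e.g. the commented-out 'sqli_time') need timecheck.
    if 'time' in rule:
        scan_obj.timecheck = True
    scan_obj.setname(rule)
    scan_obj.loadrule()
    scan_obj.run()
    if scan_obj.bingo_payload != '':
        r.lpush(rule, reqhash)
        r.hset("bingo_payload", reqhash, scan_obj.bingo_payload)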