def vuln_judge(self): vuln_judges = [] vuln_h_num = [0,6] vuln_m_num = [0,2] vuln_l_num = [0,1] projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from vuln" cursor.execute(sql) vuln_infos = cursor.fetchall() for vuln_info in vuln_infos: if vuln_info[3] == "INFO": vuln_m_num[0] = vuln_m_num[0] + 1 if vuln_info[3] == "unAuth" and vuln_info[4] == 1: vuln_m_num[0] = vuln_m_num[0] + 1 if vuln_info[3] == "CORS": vuln_l_num[0] = vuln_l_num[0] + 1 if vuln_info[3] == "unAuth" and vuln_info[4] == 2: vuln_l_num[0] = vuln_l_num[0] + 1 if vuln_info[3] == "passWord": vuln_h_num[0] = vuln_h_num[0] + 1 if vuln_info[3] == "BAC": vuln_m_num[0] = vuln_m_num[0] + 1 if vuln_info[3] == "upLoad": vuln_h_num[0] = vuln_h_num[0] + 1 vuln_score = vuln_h_num[0]*vuln_h_num[1] + vuln_m_num[0]*vuln_m_num[1] + vuln_l_num[0]*vuln_l_num[1] vuln_judges.append(vuln_score) vuln_judges.append(vuln_h_num[0]) vuln_judges.append(vuln_m_num[0]) vuln_judges.append(vuln_l_num[0]) return vuln_judges
def bacTest(self): try: whole_list = [] projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree where success = 1 or success = 2" cursor.execute(sql) apiTreeInfo = cursor.fetchall() for apiInfo in apiTreeInfo: name_list=[] api_option = apiInfo[3] api_path = apiInfo[1] if api_option: json_strs = json.loads(api_option) if json_strs["type"] == "post": json_strs = json.loads(api_option)["post"] else: json_strs = json.loads(api_option)["get"] # 循环遍历 for json_str in json_strs: json_default = json_str["default"] # 获取default参数的数值 # 如果是数字 if json_default.isdigit(): # for json_str in json_strs: # print(json_str["name"]) name_list.append(json_str["name"]) # BacTest(self.projectTag).startTest(name_list,api_path,api_option) self.startTest(name_list,api_path,api_option) break except Exception as e: self.log.error("[Err] %s" % e)
def sqlTest(self): whole_list = [] projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None # success=1 的情况是get的情况 success=2的情况是post的情况 sql = "select * from api_tree where success = 1 or success = 2" cursor.execute(sql) apiTreeInfo = cursor.fetchall() for apiInfo in apiTreeInfo: name_list = [] api_option = apiInfo[3] api_path = apiInfo[1] json_strs = json.loads(api_option) if json_strs["type"] == "post": json_strs = json.loads(api_option)["post"] else: json_strs = json.loads(api_option)["get"] for json_str in json_strs: json_default = json_str["default"] if json_default.isdigit(): for json_str in json_strs: name_list.append(json_str["name"]) self.startTest(name_list, api_path, api_option) break
def apiComplete(self): self.baseUrlPaths = list(set(self.baseUrlPaths)) # list去重 self.apiPaths = list(set(self.apiPaths)) url = DatabaseType(self.projectTag).getURLfromDB() if "#" in url: # 帮我检测下此处逻辑 url = url.split("#")[0] res = urlparse(url) tmpUrl = res.path.split("/") if "." in tmpUrl[-1]: del tmpUrl[-1] hostURL = res.scheme + "://" + res.netloc + "/" url = res.scheme + "://" + res.netloc + "/".join(tmpUrl) if url[-1:] != "/": url = url + "/" for baseurl in self.baseUrlPaths: for apiPath in self.apiPaths: if baseurl == "/": completeUrl1 = url + apiPath completeUrl2 = hostURL + apiPath self.completeUrls.append(completeUrl1) self.completeUrls.append(completeUrl2) else: completeUrl1 = url + baseurl + apiPath completeUrl2 = hostURL + baseurl + apiPath self.completeUrls.append(completeUrl1) self.completeUrls.append(completeUrl2) self.completeUrls = list(set(self.completeUrls)) for completeUrl in self.completeUrls: if "//" in completeUrl.split("//", 1)[1]: completeUrl = completeUrl.split("//", 1)[0] + "//" + completeUrl.split("//", 1)[1].replace("//", "/") completeApiPath = completeUrl.split("§§§")[0] filePath = completeUrl.split("§§§")[1] DatabaseType(self.projectTag).apiRecordToDB(filePath, completeApiPath) self.log.info(Utils().tellTime() + Utils().getMyWord("{total_api_num}") + str(len(self.completeUrls)))
def checkSpiltingTwice(self, projectPath): self.log.info(Utils().tellTime() + Utils().getMyWord("{check_codesplit_twice}")) for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): for filename in filenames: if filename != self.projectTag + ".db": tmpName = filename.split(".") if len(tmpName) == 4: localFileName = "." + tmpName[-2] + ".js" self.localFileNames.append(localFileName) remotePath = DatabaseType( self.projectTag).getJsUrlFromDB( filename, projectPath) tmpRemotePath = remotePath.split("/") del tmpRemotePath[-1] newRemotePath = "/".join(tmpRemotePath) + "/" self.remotePaths.append(newRemotePath) self.remotePaths = list(set(self.remotePaths)) if len(self.localFileNames) > 3: # 一切随缘 localFileName = self.localFileNames[0] for baseurl in self.remotePaths: tmpRemoteFileURLs = [] res = urlparse(baseurl) i = 0 while i < 500: remoteFileURL = baseurl + str(i) + localFileName i = i + 1 tmpRemoteFileURLs.append(remoteFileURL) GroupBy(tmpRemoteFileURLs, self.options).stat() tmpRemoteFileURLs = GroupBy(tmpRemoteFileURLs, self.options).start() for remoteFileURL in tmpRemoteFileURLs: self.remoteFileURLs.append(remoteFileURL) else: for localFileName in self.localFileNames: for baseurl in self.remotePaths: tmpRemoteFileURLs = [] res = urlparse(baseurl) i = 0 while i < 500: remoteFileURL = baseurl + str(i) + localFileName i = i + 1 tmpRemoteFileURLs.append(remoteFileURL) GroupBy(tmpRemoteFileURLs, self.options).stat() tmpRemoteFileURLs = GroupBy(tmpRemoteFileURLs, self.options).start() for remoteFileURL in tmpRemoteFileURLs: self.remoteFileURLs.append(remoteFileURL) if self.remoteFileURLs != []: self.remoteFileURLs = list(set(self.remoteFileURLs)) # 其实不会重复 self.log.info(Utils().tellTime() + Utils().getMyWord("{check_codesplit_twice_fini_1}") + str(len(self.remoteFileURLs)) + Utils().getMyWord("{check_codesplit_twice_fini_2}")) DownloadJs(self.remoteFileURLs, self.options).downloadJs(self.projectTag, res.netloc, 999) # 999表示爆破
def jsCodeCompile(self, jsCode, jsFilePath): try: self.log.info(Utils().tellTime() + Utils().getMyWord("{get_codesplit}")) variable = re.findall(r'\[.\]', jsCode) if "[" and "]" in variable[0]: variable = variable[0].replace("[", "").replace("]", "") jsCodeFunc = "function js_compile(%s){js_url=" % ( variable) + jsCode + "\nreturn js_url}" pattern_jscode = re.compile(r"\(\{\}\[(.*?)\]\|\|.\)", re.DOTALL) flag_code = pattern_jscode.findall(jsCodeFunc) if flag_code: jsCodeFunc = jsCodeFunc.replace( "({}[%s]||%s)" % (flag_code[0], flag_code[0]), flag_code[0]) pattern1 = re.compile(r"\{(.*?)\:") pattern2 = re.compile(r"\,(.*?)\:") nameList1 = pattern1.findall(jsCode) nameList2 = pattern2.findall(jsCode) nameList = nameList1 + nameList2 nameList = list(set(nameList)) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None localFile = jsFilePath.split(os.sep)[-1] sql = "insert into js_split_tree(jsCode,js_name) values('%s','%s')" % ( jsCode, localFile) cursor.execute(sql) connect.commit() cursor.execute("select id from js_split_tree where js_name='%s'" % (localFile)) jsSplitId = cursor.fetchone()[0] cursor.execute("select path from js_file where local='%s'" % (localFile)) jsUrlPath = cursor.fetchone()[0] connect.close() if "exec" not in jsCode and "spawn" not in jsCode: # 防止黑吃黑被命令执行 jsCompileResult = execjs.compile(jsCodeFunc) for name in nameList: if "\"" in name: name = name.replace("\"", "") if "undefined" not in jsCompileResult.call( "js_compile", name): jsFileName = jsCompileResult.call("js_compile", name) self.jsFileNames.append(jsFileName) self.log.info(Utils().tellTime() + Utils().getMyWord("{run_codesplit_s}") + str(len(self.jsFileNames))) self.getRealFilePath(jsSplitId, self.jsFileNames, jsUrlPath) self.log.debug("jscodecomplie模块正常") except Exception as e: self.log.error("[Err] %s" % e) # 这块有问题,逻辑要改进 return 0
def collect_api_str(self): whole_post_str = "" whole_get_str = "" projectPath = DatabaseType(self.projectTag).getPathfromDB() for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree where success = 1 or success = 2" cursor.execute(sql) api_list = cursor.fetchall() for api in api_list: api_post_list = "" api_get_list = "" api_id = "§§§" + str(api[0]) + "§§§\n" for filename in filenames: if filename != self.projectTag + ".db": filePath = os.path.join(parent, filename) with open(filePath, "r", encoding="utf-8", errors="ignore") as f: js_strs = f.readlines() count = 0 for js_str in js_strs: count = count + 1 locationInfo = re.search(api[2], js_str) if locationInfo != None: startInfoEnds = js_strs[count - 5:count + 5] startstring = "" for startInfoEnd in startInfoEnds: startstring = startstring + startInfoEnd if "post" in startstring: api_post_list = api_post_list + startstring else: api_get_list = api_get_list + startstring if api_post_list: whole_post_str = whole_post_str + api_post_list + api_id if api_get_list: whole_get_str = whole_get_str + api_get_list + api_id whole_str = [] whole_str.append(whole_post_str) # with open("post.js","w",encoding="utf-8") as f: # f.write(whole_post_str) # f.close() whole_str.append(whole_get_str) # with open("get.js","w",encoding="utf-8") as f: # f.write(whole_get_str) # f.close() return whole_str
def tree_list(self, document): projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select path from api_tree where success = 1 or success = 2" cursor.execute(sql) apinfo = cursor.fetchall() sql = "select path from js_file" cursor.execute(sql) jsInfo = cursor.fetchall() jsInfo = jsInfo + apinfo list1 = [[] for i in range(len(jsInfo))] k = 0 for js in jsInfo: js = js[0] path = js.split("/")[3:] list1[k].append(path) k = k + 1 for i in range(len(list1)): for j in range(len(list1[i][0])): if not j == 0: list1[i][0][j] = list1[i][0][j - 1] + "-->" * j + list1[i][0][j] list_max = [] for i in range(len(list1)): for j in range(len(list1[i])): maxlen = len(list1[i][j]) list_max.append(maxlen) maxlen = max(list_max) level_list = [[] for i in range(maxlen)] for i in range(len(list1)): for j in range(maxlen): if list1[i][0][j:j + 1] != []: level_list[j].append(list1[i][0][j:j + 1][0]) new_level_list = [] for i in level_list: param = list(set(i)) new_level_list.append(param) level_add = 1 main_url = DatabaseType(self.projectTag).getURLfromDB() parse_url = urlparse(main_url) host = parse_url.netloc self.treeStr = self.treeStr + host + "\n" for trunk in new_level_list[0]: self.treeStr = self.treeStr + ("|----" + trunk) + "\n" self.loop_branch(new_level_list, level_add, trunk) para1 = Creat_tree(self.projectTag).locat_suggest(document) para2 = para1.insert_paragraph_before("") run2 = para2.add_run("当前网站资源树如下:") run2.font.name = "Arial" run2.font.size = Pt(11) run2.font.bold = True Creat_tree(self.projectTag).creat_table(document, self.treeStr, para2)
def startInfoTest(self): projectPath = DatabaseType(self.projectTag).getPathfromDB() for parent, dirnames, filenames in os.walk(projectPath, followlinks=True): for filename in filenames: if filename != self.projectTag + ".db": filePath = os.path.join(parent, filename) with open(filePath, "r", encoding="utf-8", errors="ignore") as jsPath: js_str = jsPath.read() for infoTest in self.info_Test.split(","): info_re = infoTest.split("§§§")[0] infoTest_re = info_re + r"\:\s?\"(.*?)\"" info_strs = re.findall(infoTest_re, js_str) location_info = re.search(infoTest_re, js_str) infoRe = infoTest.split("§§§")[0] infoTestRe = infoRe + r"\:\s?\"(.*?)\"" infoLast = infoTest.split("§§§")[1] infoStr = re.findall(infoTestRe, js_str) locationInfo = re.search(infoTestRe, js_str) if locationInfo != None: startInfo = locationInfo.span()[0] startInfoEnd = js_str[startInfo - 77:startInfo + 77].replace("\'", "\"") projectDBPath = DatabaseType( self.projectTag).getPathfromDB( ) + self.projectTag + ".db" connect = sqlite3.connect( os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None if infoStr[0]: try: jsId = DatabaseType( self.projectTag).getJsIDFromDB( filename, projectPath) sql = "insert into vuln(api_id,js_id,response_b,response_h,sure,type,des) values ('" + str( 7777777 ) + "','" + str(jsId) + "','" + str( infoStr[0]) + "','" + str( startInfoEnd ) + "','" + str( 1 ) + "','" + "INFO" + "','" + str( infoLast) + "')" cursor.execute(sql) connect.close() except Exception as e: self.log.error("[Err] %s" % e) jsPath.close()
def getIDFromDB(self): projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select id,from_js from api_tree where path=\"" + self.path + "\"" cursor.execute(sql) apiTreeInfo = cursor.fetchall() if len(apiTreeInfo) != 0: try: self.api_id = int(apiTreeInfo[0][0]) # 对应路径的api_id self.from_js = int(apiTreeInfo[0][1]) # 对应路径的from_js except Exception as e: self.log.error("[Err] %s" % e)
def vulntestStart(self,options): # 获取from_js 和api_id projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select id,from_js from api_tree where path=\"" + self.path + "\"" cursor.execute(sql) apiTreeInfo = cursor.fetchall() if len(apiTreeInfo) != 0: api_id = int(apiTreeInfo[0][0]) # 对应路径的api_id from_js = int(apiTreeInfo[0][1]) # 对应路径的from_js message = str(readConfig.ReadConfig().getValue('vulnTest', 'login')[0]).split(',') # get类型返回的数据列表 getdatas = self.getdatas # post类型返回的数据列表 postdatas = self.postdatas jsonpostdata = self.jsonposts # post请求 if len(getdatas) == 0: postobj = PostsDataText(self.path, options) # 传入post的数据和json的数据 线程池跑 # postobj.res.items 是返回的结果 postobj.run(postdatas, jsonpostdata) for key, value in postobj.res.items(): #print(key + ": " + value) for flag in message: if flag in str(value): # 进行数据裤的插入 try: DatabaseType(self.projectTag).insertWeakPassInfoIntoDB(api_id,from_js,str(key), str(value)) except Exception as e: self.log.error("[Err] %s" % e) # get请求 if len(postdatas) == 0: getobj = ApiText(getdatas, options) getobj.run() for key, value in getobj.res.items(): for flag in message: if flag in str(value): # 进行数据裤的插入 try: DatabaseType(self.projectTag).insertWeakPassInfoIntoDB(api_id,from_js,str(key), str(value)) except Exception as e: self.log.error("[Err] %s" % e)
def uploadTest(self): try: for uploadtest in self.uploadtest_list.split(","): projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree where name = '%s'"%(uploadtest) cursor.execute(sql) apiTreeInfo = cursor.fetchall() for apiInfo in apiTreeInfo: up_list = [] api_path = apiInfo[1] up_list.append(api_path) #print(up_list[0]) self.startTest(up_list[0]) except Exception as e: self.log.error("[Err] %s" % e)
def apiUnAuthTest(self): try: projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree where success = 1 or success = 2" cursor.execute(sql) apiTreeInfo = cursor.fetchall() for apiInfo in apiTreeInfo: for resultFilter in self.resultFilters.split(","): try: if resultFilter not in apiInfo[4]: flag = 1 else: flag = 0 break except: flag = 0 if flag: # print(apiInfo[4]) self.api_UnAuth_result.append(apiInfo[4]) sql = "select from_js from api_tree where id=('%s')" % apiInfo[ 0] cursor.execute(sql) js_id = cursor.fetchone() for unauth_not_sure in self.unauth_not_sure.split(","): if unauth_not_sure not in apiInfo[4]: flag = 1 else: flag = 0 break if flag: sql = "insert into vuln(api_id,js_id,response_b,sure,type) values ('%s','%s','%s','%s','unAuth')" % ( apiInfo[0], js_id[0], apiInfo[4], 1) else: sql = "insert into vuln(api_id,js_id,response_b,sure,type) values ('%s','%s','%s','%s','unAuth')" % ( apiInfo[0], js_id[0], apiInfo[4], 2) cursor.execute(sql) connect.close() except Exception as e: self.log.error("[Err] %s" % e)
def passwordTest(self): for passwordtests in self.passwordtest_list.split(","): projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree where name = '%s'"%(passwordtests) cursor.execute(sql) apiTreeInfo = cursor.fetchall() for apiInfo in apiTreeInfo: pass_list = [] api_path = apiInfo[1] pass_list.append(api_path) api_option = apiInfo[3] if api_option: pass_list.append(api_option) for passwordusers in self.passworduser_list.split(","): if passwordusers in api_option: pass_list.append(passwordusers) flag = 1 break else: flag = 0 pass_list.append("none") if flag: for passwordpass in self.passwordpass_list.split(","): if passwordpass in api_option: pass_list.append(passwordpass) flag = 1 break else: flag = 0 pass_list.append("none") # PasswordTest(self.projectTag).startTest(pass_list[0],pass_list[1],pass_list[2],pass_list[3]) if (pass_list[3] != "none") and (pass_list[2] != "none"): self.startTest(pass_list[0],pass_list[1],pass_list[2],pass_list[3])
def startTest(self,name,path,option): try: self.path = path # 数据库读取 name = "".join(name) # 处理完成后的get请求 get_param = [] get_burp = [] # 爆破参数集合 # {"type":"get","get":[{"name":"id","default":"1"}]} datas = json.loads(option) method = datas["type"] data = datas[method] # get 请求部分参数 if method == "get": domain = self.path.split("?")[0] # 获取主域名 for value in data: get_name = value["name"] # get 请求的参数 get_default = value["default"] # get 请求的参数值 if get_name == name: # 如果参数等于name for value in range(1,6): get_req = str("".join(name)) + "=" + str(value) # 进行拼姐 get_burp.append(get_req) # 遍历后的参数 # 筛选出来 只有一个还是说 有多个 elif get_name!=None: param = get_name + "=" + get_default get_param.append(param) if len(get_param) == 0: for value in get_burp: get_result = domain + "?" + value self.get_results.append(get_result) else: for value in get_burp: get_result = domain + "?" + value +"&"+ "&".join(get_param) self.get_results.append(get_result) # 返回数据包比较大小功能 """ 数据库 """ # get 请求 测试 get_resp_lens = {} try: get_obj = ApiText(self.get_results,self.options) get_obj.run() get_texts = get_obj.res except Exception as e: self.log.error("[Err] %s" % e) # 遍历字典中的元素 for req,resp in get_texts.items(): # 返回数据大小 resp_body = len(resp) get_resp_lens[req] = resp_body # 筛选 get_select_list = set() get_all_list = [] for value in get_resp_lens.values(): get_select_list.add(int(value)) get_all_list.append(value) get_resp_data1 = "" get_resp_data2 = "" get_req_data1 = "" get_req_data2 = "" # 页面返回包数据 {10496, 7588, 7246,7738} # 只要有三个不同 # get_select_list = list(get_select_list) get_repeat_nums = dict(Counter(get_all_list)) get_repeat_num = int("".join([str(key) for key, value in get_repeat_nums.items() if value > 1])) # 获取到我们重复的数据 if len(get_select_list) >=3: # 需要写入到数据库中 for key,value in get_resp_lens.items(): value = int(value) # if value in get_select_list: # 如果数值在set中说明是不同的 if value != get_repeat_num: get_resp_data1 = get_texts[key] get_req_data1 = str(key) # if value not in get_select_list: if value == get_repeat_num: get_resp_data2 = get_texts[key] get_req_data2 = str(key) # 写入数据库的data get_data = str(get_resp_data1) + "§§§" + str(get_resp_data2) get_req = get_req_data1 + "§§§" + get_req_data2 # 写入数据库 # 数据库连接 projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select id,from_js from api_tree where path=\"" + self.path + "\"" cursor.execute(sql) apiTreeInfo = cursor.fetchall() if len(apiTreeInfo) != 0: api_id = int(apiTreeInfo[0][0]) # 对应路径的api_id from_js = int(apiTreeInfo[0][1]) # 对应路径的from_js # 数据库连接 try: DatabaseType(self.projectTag).insertBacInfoIntoDB(api_id,from_js,get_req,quote(get_data)) except Exception as e: self.log.error("[Err] %s" % e) post_json_burp = [] post_json_prama = {} post_json = {} post_burp = [] post_param = [] # post 请求参数部分 if method == "post": for value in data: post_name = value["name"] # post 请求的参数 post_default = value["default"] # post 请求的参数值 if post_name == name: post_num = int(post_default) # 对参数做一个循环遍历 for value in range(1,6): post_json[name] = value post_req = str("".join(name)) + "=" + str(value) post_burp.append(post_req) # json加入列表需要使用copy方法 post_json_burp.append(post_json.copy()) else: param = post_name + "=" + post_default post_param.append(param) # 存储json类型 post_json_prama[post_name] = post_default for data in post_json_burp: for key,value in data.items(): post_json_prama[key] = value self.post_json_results.append(post_json_prama.copy()) for value in post_burp: post_result = value + "&" + "&".join(post_param) self.post_data_results.append(post_result) # post请求测试 post_resp_data1 = "" post_resp_data2 = "" post_req_data1 = "" post_req_data2 = "" post_resp_lens = {} try: post_obj = PostsDataText(self.path,self.options) post_obj.run(self.post_data_results,self.post_json_results) post_texts = post_obj.res except Exception as e: self.log.error("[Err] %s" % e) # key对应的是传输过去的data value 对应的是返回数值 # 获取 返回数据包的五个数值 for req_data,resp in post_texts.items(): resp_body = len(resp) # 存入字典 建立键值对 post_resp_lens[req_data] = resp_body post_select_list = set() post_all_list = [] for value in post_resp_lens.values(): post_select_list.add(int(value)) post_all_list.append(value) post_repeat_nums = dict(Counter(post_all_list)) post_repeat_num = int("".join([str(key) for key, value in post_repeat_nums.items() if value > 1])) # 获取到我们重复的数据 if len(post_select_list) >= 3: # 需要写入到数据库中 for key,value in post_resp_lens.items(): value = int(value) if value != post_repeat_num: post_resp_data1 = post_texts[key] post_req_data1 = str(key) if value == post_repeat_num: post_resp_data2 = post_texts[key] post_req_data2 = str(key) # 写入数据库的data post_data = str(post_resp_data1) + "§§§" + str(post_resp_data2) post_req = post_req_data1 + "§§§" + post_req_data2 projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select id,from_js from api_tree where path=\"" + self.path + "\"" cursor.execute(sql) apiTreeInfo = cursor.fetchall() if len(apiTreeInfo) != 0: api_id = int(apiTreeInfo[0][0]) # 对应路径的api_id from_js = int(apiTreeInfo[0][1]) # 对应路径的from_js try: DatabaseType(self.projectTag).insertBacInfoIntoDB(api_id,from_js,post_req,post_data) except Exception as e: self.log.error("[Err] %s" % e) except Exception as e: self.log.error("[Err] %s" % e)
def creat_api(self, document): para1 = Creat_api(self.projectTag).locat_api(document) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree" cursor.execute(sql) api_infos = cursor.fetchall() for api_info in api_infos: if api_info[5] == 1 or api_info[5] == 2: para2 = para1.insert_paragraph_before("") api_path = api_info[1] sql = "select path from js_file where id='%s'" % (api_info[6]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para2.add_run(Utils().getMyWord("{r_api_addr}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(11) run2.font.bold = True run3 = para2.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(11) run4 = para2.add_run("\n" + Utils().getMyWord("{r_api_r_js}") + "\n") run4.font.name = "Arial" run4.font.size = Pt(11) run4.font.bold = True run5 = para2.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(11) run6 = para2.add_run("\n" + Utils().getMyWord("{r_api_res}") + "") run6.font.name = "Arial" run6.font.size = Pt(11) run6.font.bold = True try: if api_info[4] == None: api_info1 = "\" \"" api_info_unicode = json.dumps( json.loads(api_info1), sort_keys=True, indent=4, ensure_ascii=False) Creat_api(self.projectTag).creat_table( document, api_info_unicode, para2) else: api_info_unicode = json.dumps(json.loads( api_info[4]), sort_keys=True, indent=4, ensure_ascii=False) Creat_api(self.projectTag).creat_table( document, api_info_unicode, para2) self.log.debug("api_info正常") except Exception as e: if api_info[4] == None: api_info1 = "\" \"" Creat_api(self.projectTag).creat_table( document, api_info1, para2) else: Creat_api(self.projectTag).creat_table( document, api_info[4], para2) self.log.error("[Err] %s" % e)
def docxReplace(self, document): cmd = CommandLines().cmd() ipAddr = testProxy(cmd,0) end_time = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime()) report_time = time.strftime("%Y-%m-%d %H:%M", time.localtime()) main_url = DatabaseType(self.projectTag).getURLfromDB() parse_url = urlparse(main_url) host = parse_url.netloc projectDBPath = DatabaseType(self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select id from js_file" cursor.execute(sql) js_all_files = cursor.fetchall() js_num = len(js_all_files) sql = "select path from js_file" cursor.execute(sql) jsfilelist = cursor.fetchall() js_paths='' for js in jsfilelist: jspath = "◆ " + js[0] + "\n" js_paths = js_paths + jspath sql ="select id from api_tree where success = 1 or success = 2" cursor.execute(sql) api_list = cursor.fetchall() api_num = len(api_list) vuln_infos = Docx_replace(self.projectTag).vuln_judge() vuln_h_num = vuln_infos[1] vuln_m_num = vuln_infos[2] vuln_l_num = vuln_infos[3] vuln_num = vuln_h_num + vuln_m_num + vuln_l_num vuln_score = vuln_infos[0] if vuln_score >= 18: sec_lv = Utils().getMyWord("{risk_h}") elif vuln_score < 18 and vuln_score >= 10: sec_lv = Utils().getMyWord("{risk_m}") elif vuln_score < 10 and vuln_score >= 5: sec_lv = Utils().getMyWord("{risk_l}") else: sec_lv = Utils().getMyWord("{risk_n}") sql = "select vaule from info where name='time'" cursor.execute(sql) time_in_info = cursor.fetchone() timeArray = time.localtime(int(time_in_info[0])) start_time = time.strftime("%Y-%m-%d %H:%M:%S", timeArray) type = CommandLines().cmd().type if type == "simple": scan_type = Utils().getMyWord("{mode_simple}") else: scan_type = Utils().getMyWord("{mode_adv}") scan_min = int(end_time.split(":")[-2]) - int(start_time.split(":")[-2]) if int(scan_min) >= 1: end_time_one = int(end_time.split(":")[-1]) + int(scan_min) * 60 scan_time = int(end_time_one) - int(start_time.split(":")[-1]) else: scan_time = int(end_time.split(":")[-1]) - int(start_time.split(":")[-1]) vuln_list = '' sql = "select id from vuln where type='unAuth'" cursor.execute(sql) num_auth = cursor.fetchall() if len(num_auth) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_unauth_num}") + str(len(num_auth)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='CORS'" cursor.execute(sql) num_cors = cursor.fetchall() if len(num_cors) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_cors_num}") + str(len(num_cors)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='INFO'" cursor.execute(sql) num_info = cursor.fetchall() if len(num_info) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_info_num}") + str(len(num_info)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='passWord'" cursor.execute(sql) num_passWord = cursor.fetchall() if len(num_passWord) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_passWord_num}") + str(len(num_passWord)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='BAC'" cursor.execute(sql) num_BAC = cursor.fetchall() if len(num_BAC) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_BAC_num}") + str(len(num_BAC)) + Utils().getMyWord("{ge}") + "\n" sql = "select id from vuln where type='upLoad'" cursor.execute(sql) num_upload = cursor.fetchall() if len(num_upload) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_upload_num}") + str( len(num_upload)) + Utils().getMyWord( "{ge}") + "\n" sql = "select id from vuln where type='SQL'" cursor.execute(sql) num_sql = cursor.fetchall() if len(num_sql) != 0: vuln_list = vuln_list + "◆ " + Utils().getMyWord("{vuln_sql_num}") + str( len(num_sql)) + Utils().getMyWord( "{ge}") + "\n" cookies = CommandLines().cmd().cookie if cookies: extra_cookies = cookies else: extra_cookies = Utils().getMyWord("{no_extra_cookies}") head = CommandLines().cmd().head if head != "Cache-Control:no-cache": extra_head = head else: extra_head = Utils().getMyWord("{no_extra_head}") try: DICT = { "{report_number}": "PF-API-" + self.projectTag, "{report_date}": "%s" % (report_time), "{target_host}": "%s" % (host), "{target_url}": "%s" % (main_url), "{js_num}": "%s" % (js_num), "{start_time}": "%s" % (start_time), "{scan_time}" :"%s" % (scan_time), "{scan_type}": "%s" % (scan_type), "{api_num}": "%s" % (api_num), "{vuln_num}": "%s" % (vuln_num), "{vuln_h_num}": "%s" % (vuln_h_num), "{vuln_m_num}": "%s" % (vuln_m_num), "{vuln_l_num}": "%s" % (vuln_l_num), "{unauth_vuln}": "%s" % ("unauth_vuln"), "{vuln_list}": "%s" % (vuln_list), "{scan_ip}": "%s" % (ipAddr), "{extra_cookies}": "%s" % (extra_cookies), "{extra_head}": "%s" % (extra_head) } self.log.debug("word—report正常替换") except Exception as e: self.log.error("[Err] %s" % e) for table in document.tables: for row in range(len(table.rows)): for col in range(len(table.columns)): for key, value in DICT.items(): if key in table.cell(row, col).text: table.cell(row, col).text = table.cell(row, col).text.replace(key, value) for para in document.paragraphs: for i in range(len(para.runs)): for key, value in DICT.items(): if key in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace(key, value) for para in document.paragraphs: for i in range(len(para.runs)): if "{js_list}" in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace("{js_list}", "%s" % (js_paths)) para.runs[i].font.size = Pt(10) para.runs[i].font.name = "Arial" for para in document.paragraphs: for i in range(len(para.runs)): if "{end_time}" in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace("{end_time}", "%s" % (end_time)) for para in document.paragraphs: for i in range(len(para.runs)): if "{sec_lv}" in para.runs[i].text: para.runs[i].text = para.runs[i].text.replace("{sec_lv}", "%s" % (sec_lv)) para.runs[i].font.size = Pt(14) if sec_lv == Utils().getMyWord("{risk_n}"): para.runs[i].font.color.rgb = RGBColor(139,137,137) elif sec_lv == Utils().getMyWord("{risk_l}"): para.runs[i].font.color.rgb = RGBColor(46, 139,87) elif sec_lv == Utils().getMyWord("{risk_m}"): para.runs[i].font.color.rgb = RGBColor(205, 55, 0) elif sec_lv == Utils().getMyWord("{risk_h}"): para.runs[i].font.color.rgb = RGBColor(238, 0, 0) try: Creat_vuln_detail(self.projectTag).creat_detail(document) self.log.debug("正确获取vuln_detail替换内容") except Exception as e: self.log.error("[Err] %s" % e) try: Creat_api(self.projectTag).creat_api(document) self.log.debug("正确获取api替换内容") except Exception as e: self.log.error("[Err] %s" % e) try: Creat_suggest(self.projectTag).creat_suggest(document) self.log.debug("正确获取suggest替换内容") except Exception as e: self.log.error("[Err] %s" % e) return document
def creat_suggest(self, document): para1 = Creat_suggest(self.projectTag).locat_suggest(document) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from vuln" cursor.execute(sql) vuln_infos = cursor.fetchall() flag1 = flag2 = flag3 = flag4 = flag5 = flag6 = flag7 = 0 for vuln_info in vuln_infos: if vuln_info[3] == "unAuth": flag1 = 1 elif vuln_info[3] == "INFO": flag2 = 1 elif vuln_info[3] == "CORS": flag3 = 1 elif vuln_info[3] == "SQL": flag4 = 1 elif vuln_info[3] == "upLoad": flag5 = 1 elif vuln_info[3] == "passWord": flag6 = 1 elif vuln_info[3] == "BAC": flag7 = 1 para2 = para1.insert_paragraph_before("") if flag1 == 1: run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_unauth_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_unauth_2}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_unauth_3}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10) self.creat_num = self.creat_num + 1 if flag2 == 1: run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_info_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_info_2}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10) self.creat_num = self.creat_num + 1 if flag3 == 1: run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_cors_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_cors_2}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10) self.creat_num = self.creat_num + 1 if flag4 == 1: run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_sqli_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_sqli_2}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_sqli_3}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10) self.creat_num = self.creat_num + 1 if flag5 == 1: run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_upload_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_upload_2}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_upload_2}") + "\n" + Utils().getMyWord("{r_sug_upload_3}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10) self.creat_num = self.creat_num + 1 if flag6 == 1: run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_password_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_password_2}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_password_3}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10) self.creat_num = self.creat_num + 1 if flag7 == 1: run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_bac_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_bac_2}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_bac_3}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10) self.creat_num = self.creat_num + 1 run = para2.add_run("4." + str(self.creat_num) + Utils().getMyWord("{r_sug_g_1}") + "\n") run.font.name = "Arial" run.font.size = Pt(14) run.font.bold = True run2 = para2.add_run("◆ " + Utils().getMyWord("{r_sug_g_2}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_g_3}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_g_4}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_g_5}") + "\n" + "◆ " + Utils().getMyWord("{r_sug_g_6}") + "\n") run2.font.name = "Arial" run2.font.size = Pt(10)
def startTest(self, path): if self.options.cookie != None: self.header = { 'User-Agent': random.choice(self.UserAgent), 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Cookie': self.options.cookie, self.options.head.split(':')[0]: self.options.head.split(':')[1] } else: self.header = { 'User-Agent': random.choice(self.UserAgent), 'Content-Type': 'application/x-www-form-urlencoded', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', self.options.head.split(':')[0]: self.options.head.split(':')[1] } data = "".join(str(time.time()).split(".")) #print(data) rands = bytes().fromhex(data) ext_fuzz = tqdm([ 'asp;.jpg', 'asp.jpg', 'asp;jpg', 'asp/1.jpg', 'asp{}.jpg'.format( quote('%00')), 'asp .jpg', 'asp_.jpg', 'asa', 'cer', 'cdx', 'ashx', 'asmx', 'xml', 'htr', 'asax', 'asaspp', 'asp;+2.jpg', 'asp;.jpg', 'asp.jpg', 'asp;jpg', 'asp/1.jpg', 'asp{}.jpg'.format( quote('%00')), 'asp .jpg', 'asp_.jpg', 'asa', 'cer', 'cdx', 'ashx', 'asmx', 'xml', 'htr', 'asax', 'asaspp', 'asp;+2.jpg', 'asPx', 'aspx .jpg', 'aspx_.jpg', 'aspx;+2.jpg', 'asaspxpx', 'php1', 'php2', 'php3', 'php4', 'php5', 'pHp', 'php .jpg', 'php_.jpg', 'php.jpg', 'php. .jpg', 'jpg/.php', 'php.123', 'jpg/php', 'jpg/1.php', 'jpg{}.php'.format(quote('%00')), 'php{}.jpg'.format(quote('%00')), 'php:1.jpg', 'php::$DATA', 'php::$DATA......', 'ph\np', '.jsp.jpg.jsp', 'jspa', 'jsps', 'jspx', 'jspf', 'jsp .jpg', 'jsp_.jpg' ]) flag = 0 try: # python3 随机生成字符串 sslFlag = int(self.options.ssl_flag) for ext in ext_fuzz: # 进度条 ext_fuzz.set_description("Processing %s" % ext) files = { "file": ("{}.{}".format(random.randint(1, 100), ext), (b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\xD7" + rands)) } if sslFlag == 1: resp = requests.post(path, files=files, headers=self.header, proxies=self.proxy_data, verify=False) else: resp = requests.post(path, files=files, headers=self.header, proxies=self.proxy_data) # 如果上传失败了就继续上传 # 全部走一遍报错 for fail in str(self.upload_fail).split(","): # 如果返回的信息有失败的 if fail in resp.text: flag = 1 if flag == 0: for success in str(self.upload_success).split(","): if success in resp.text: #print("文件上传成功") req_body = resp.request.body resp_text = resp.text # 写入数据库 #print(req_body) #print(resp_text) projectDBPath = DatabaseType( self.projectTag).getPathfromDB( ) + self.projectTag + ".db" connect = sqlite3.connect( os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select id,from_js from api_tree where path=\"" + path + "\"" cursor.execute(sql) apiTreeInfo = cursor.fetchall() if len(apiTreeInfo) != 0: #print(apiTreeInfo) try: api_id = int( apiTreeInfo[0][0]) # 对应路径的api_id from_js = int( apiTreeInfo[0][1]) # 对应路径的from_js # 数据库连接 DatabaseType(self.projectTag ).insertUploadInfoIntoDB( api_id, from_js, quote(req_body), resp_text) except Exception as e: self.log.error("[Err] %s" % e) raise getoutofloop() except getoutofloop: pass
def FuzzerCollect(self): templates_post_str = """ { "type": "post", "post": [ {result_post} ], "get": [ {result_get} ] }""" try: whole_str = FuzzerParam(self.projectTag).collect_api_str() self.log.debug("collect_api_str模块正常") except Exception as e: self.log.error("[Err] %s" % e) j = 0 k = 1 for i in range(int((len(whole_str[0].split('§§§')) - 1) / 2)): sleep(0.1) result_id = whole_str[0].split('§§§')[k] result_post = FuzzerParam(self.projectTag).result_method_1( whole_str[0].split('§§§')[j]) j = j + 2 k = k + 2 if result_post[0]: replace_str_post = "" for c in range(len(result_post[0])): if "\"" not in result_post[1][c]: default_value = FuzzerParam( self.projectTag).creatAlpha(3) else: default_value = result_post[1][c] default_value = default_value.replace("\"", "") for default_judge in self.default_judges.split(","): if default_judge in default_value: flag = 1 break else: flag = 0 if flag: default_value = FuzzerParam( self.projectTag).creatNum(3) str = "\t{\n\t\t\"name\":\"" + result_post[0][ c] + "\",\n" + "\t\t\"default\":\"" + default_value + "\"\n\t}\n\t,\n" replace_str_post = replace_str_post + str templates_post_str = templates_post_str.replace( "{result_post}", replace_str_post[:-2]) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join( projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_post_str, result_id) cursor.execute(sql) l = 0 m = 1 for i in range(int((len(whole_str[1].split('§§§')) - 1) / 2)): result_id = whole_str[1].split('§§§')[m] try: result_get = FuzzerParam(self.projectTag).result_method_1( whole_str[1].split('§§§')[l]) self.log.debug("result_method_1正常") except Exception as e: self.log.error("[Err] %s" % e) l = l + 2 m = m + 2 if result_get[0]: replace_str_get = "" for c in range(len(result_get[0])): if "\"" not in result_get[1][c]: default_value = FuzzerParam( self.projectTag).creatAlpha(3) else: default_value = result_get[1][c] default_value = default_value.replace("\"", "") for default_judge in self.default_judges.split(","): if default_judge in default_value: flag = 1 break else: flag = 0 if flag: default_value = FuzzerParam( self.projectTag).creatNum(3) str = "\t{\n\t\t\"name\":\"" + result_get[0][ c] + "\",\n" + "\t\t\"default\":\"" + default_value + "\"\n\t}\n\t,\n" replace_str_get = replace_str_get + str projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join( projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select option from api_tree where id='%s'" % (result_id) cursor.execute(sql) options = cursor.fetchall() for option in options: if option[0]: templates_get_str = option[0] templates_get_str = templates_get_str.replace( "{result_get}", replace_str_get[:-2]) sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_get_str, result_id) else: templates_get_str = """ { "type": "get", "post": [ ], "get": [ {result_get} ] }""" templates_get_str = templates_get_str.replace( "{result_get}", replace_str_get[:-2]) sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_get_str, result_id) cursor.execute(sql) else: for option in options: if option[0]: templates_get_str = option[0] templates_get_str = templates_get_str.replace( "{result_get}", "") sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_get_str, result_id) cursor.execute(sql) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree where success = 1 or success = 2" cursor.execute(sql) api_list = cursor.fetchall() templates_post_new_str = """ { "type": "post", "post": [ ], "get": [ ] } """ for api in api_list: if api[3]: option = api[3] option = option.replace("{result_get}", "") sql = "UPDATE api_tree set option='%s' where id='%s'" % ( option, api[0]) cursor.execute(sql) else: sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_post_new_str, api[0]) cursor.execute(sql) sql = "select * from api_tree where success = 1 or success = 2" cursor.execute(sql) api_list = cursor.fetchall() sql = "select * from api_tree where option='%s'" % ( templates_post_new_str) cursor.execute(sql) #总共需要暴力提取的数量,可以用这快做进度条 num_vio = cursor.fetchall() # print(len(num_vio)) num = len(num_vio) for n in trange(num): time.sleep(1) a = 0 for api in api_list: option = api[3] if option == templates_post_new_str: a = a + 1 templates_post_str = """ { "type": "post", "post": [ {result_post} ], "get": [ {result_get} ] }""" whole_str = FuzzerParam(self.projectTag).collect_api_str() j = 0 k = 1 for i in range(int((len(whole_str[0].split('§§§')) - 1) / 2)): result_id = int(whole_str[0].split('§§§')[k]) try: result_post = FuzzerParam( self.projectTag).violent_method( whole_str[0].split('§§§')[j]) self.log.debug("暴力提取模块正常——post") except Exception as e: self.log.error("[Err] %s" % e) j = j + 2 k = k + 2 if result_id == int(api[0]): if result_post[0]: replace_str_post = "" for j in range(len(result_post[0])): default_value = result_post[1][j] str = "\t{\n\t\t\"name\":\"" + result_post[0][ j] + "\",\n" + "\t\t\"default\":\"" + default_value + "\"\n\t}\n\t,\n" replace_str_post = replace_str_post + str templates_post_str = templates_post_str.replace( "{result_post}", replace_str_post[:-2]) projectDBPath = DatabaseType( self.projectTag).getPathfromDB( ) + self.projectTag + ".db" connect = sqlite3.connect( os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_post_str, result_id) cursor.execute(sql) break l = 0 m = 1 for i in range(int((len(whole_str[1].split('§§§')) - 1) / 2)): result_id = int(whole_str[1].split('§§§')[m]) try: result_get = FuzzerParam( self.projectTag).violent_method( whole_str[1].split('§§§')[l]) self.log.debug("暴力提取模块正常——get") except Exception as e: self.log.error("[Err] %s" % e) l = l + 2 m = m + 2 if result_id == int(api[0]): if result_get[0]: replace_str_get = "" for j in range(len(result_get[0])): default_value = result_get[1][j] str = "\t{\n\t\t\"name\":\"" + result_get[0][ j] + "\",\n" + "\t\t\"default\":\"" + default_value + "\"\n\t}\n\t,\n" replace_str_get = replace_str_get + str projectDBPath = DatabaseType( self.projectTag).getPathfromDB( ) + self.projectTag + ".db" connect = sqlite3.connect( os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select option from api_tree where id='%s'" % ( result_id) cursor.execute(sql) options = cursor.fetchall() for option in options: new_str = json.loads(option[0].replace( "{result_get}", "").replace("\'", "\"")) if new_str["post"]: templates_get_str = option[0] templates_get_str = templates_get_str.replace( "{result_get}", replace_str_get[:-2]) sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_get_str, result_id) else: templates_get_str = """ { "type": "get", "post": [ ], "get": [ {result_get} ] }""" templates_get_str = templates_get_str.replace( "{result_get}", replace_str_get[:-2]) sql = "UPDATE api_tree set option='%s' where id='%s'" % ( templates_get_str, result_id) cursor.execute(sql) else: for option in options: new_str = json.loads(option[0].replace( "{result_get}", "").replace("\'", "\"")) sql = "UPDATE api_tree set option='%s' where id='%s'" % ( new_str, result_id) cursor.execute(sql) break projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from api_tree where success = 1 or success = 2" cursor.execute(sql) api_list = cursor.fetchall() for api in api_list: option = api[3] option = option.replace("{result_get}", "").replace("{result_post}", "") sql = "UPDATE api_tree set option='%s' where id='%s'" % (option, api[0]) cursor.execute(sql)
def creat_detail(self, document): para1 = Creat_vuln_detail(self.projectTag).locat_detail(document) projectDBPath = DatabaseType( self.projectTag).getPathfromDB() + self.projectTag + ".db" connect = sqlite3.connect(os.sep.join(projectDBPath.split('/'))) cursor = connect.cursor() connect.isolation_level = None sql = "select * from vuln" cursor.execute(sql) vuln_infos = cursor.fetchall() k = len(vuln_infos) try: for vuln_info in vuln_infos: if vuln_info[3] == "unAuth" and vuln_info[4] == 1: sql = "select * from api_tree where id='%s'" % ( vuln_info[1]) cursor.execute(sql) api_infos = cursor.fetchall() for api_info in api_infos: para2 = para1.insert_paragraph_before("") UserLogin = api_info[2] api_path = api_info[1] run = para2.add_run( "2." + str(self.creat_num) + " " + str(UserLogin) + Utils().getMyWord("{r_vuln_unauth}") + "\n") run.font.name = "Arial" run.font.size = Pt(16) run.font.bold = True sql = "select path from js_file where id='%s'" % ( vuln_info[2]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para2.add_run( Utils().getMyWord("{r_api_addr}")) run2.font.name = "Arial" run2.font.size = Pt(10) run2.font.bold = True run3 = para2.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(10) run4 = para2.add_run( "\n" + Utils().getMyWord("{r_api_js}")) run4.font.name = "Arial" run4.font.size = Pt(10) run4.font.bold = True run5 = para2.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(10) run5 = para2.add_run( "\n" + Utils().getMyWord("{r_api_res}")) run5.font.name = "Arial" run5.font.size = Pt(10) run5.font.bold = True self.creat_num = self.creat_num + 1 vuln_info_js_unicode = json.dumps( json.loads(vuln_info[6]), sort_keys=True, indent=4, ensure_ascii=False) Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info_js_unicode, para2) elif vuln_info[3] == "unAuth" and vuln_info[4] == 2: sql = "select * from api_tree where id='%s'" % ( vuln_info[1]) cursor.execute(sql) api_infos = cursor.fetchall() for api_info in api_infos: para2 = para1.insert_paragraph_before("") UserLogin = api_info[2] api_path = api_info[1] run = para2.add_run( "2." + str(self.creat_num) + " " + str(UserLogin) + Utils().getMyWord("{r_vuln_unauth_maybe}") + "\n") run.font.name = "Arial" run.font.size = Pt(16) run.font.bold = True sql = "select path from js_file where id='%s'" % ( vuln_info[2]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para2.add_run( Utils().getMyWord("{r_api_addr}")) run2.font.name = "Arial" run2.font.size = Pt(10) run2.font.bold = True run3 = para2.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(10) run4 = para2.add_run( "\n" + Utils().getMyWord("{r_api_js}")) run4.font.name = "Arial" run4.font.size = Pt(10) run4.font.bold = True run5 = para2.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(10) run5 = para2.add_run( "\n" + Utils().getMyWord("{r_api_res}")) run5.font.name = "Arial" run5.font.size = Pt(10) run5.font.bold = True self.creat_num = self.creat_num + 1 vuln_info_js_unicode = json.dumps( json.loads(vuln_info[6]), sort_keys=True, indent=4, ensure_ascii=False) Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info_js_unicode, para2) elif vuln_info[3] == "INFO": sql = "select * from js_file where id='%s'" % ( vuln_info[2]) cursor.execute(sql) js_infos = cursor.fetchall() for js_info in js_infos: js_name = js_info[1] js_path = js_info[2] para2 = para1.insert_paragraph_before("") run = para2.add_run( "2." + str(self.creat_num) + " " + str(js_name) + Utils().getMyWord("{r_vuln_info}") + "\n") run.font.name = "Arial" run.font.size = Pt(16) run.font.bold = True run2 = para2.add_run(Utils().getMyWord("{r_js_path}")) run2.font.name = "Arial" run2.font.size = Pt(10) run2.font.bold = True run3 = para2.add_run(js_path) run3.font.name = "Arial" run3.font.size = Pt(10) run4 = para2.add_run("\n" + Utils().getMyWord("{r_js_des}")) run4.font.name = "Arial" run4.font.size = Pt(10) run4.font.bold = True run5 = para2.add_run(vuln_info[8]) run5.font.name = "Arial" run5.font.size = Pt(10) run6 = para2.add_run( "\n" + Utils().getMyWord("{r_js_detial}")) run6.font.name = "Arial" run6.font.size = Pt(10) run6.font.bold = True self.creat_num = self.creat_num + 1 Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info[7], para2) elif vuln_info[3] == "CORS": sql = "select vaule from info where name='%s'" % ("host") cursor.execute(sql) infos = cursor.fetchall() for info in infos: api_path = info[0] para2 = Creat_vuln_detail( self.projectTag).insert_paragraph_after(para1) para3 = para2.insert_paragraph_before("") run5 = para3.add_run("2." + str(self.creat_num) + " " + str(api_path) + Utils().getMyWord("{r_vuln_CORS}") + "\n") run5.font.name = "Arial" run5.font.size = Pt(16) run5.font.bold = True run6 = para3.add_run("网址:") run6.font.name = "Arial" run6.font.size = Pt(10) run6.font.bold = True run7 = para3.add_run(api_path) run7.font.name = "Arial" run7.font.size = Pt(10) run8 = para3.add_run("\n" + "{response_head}") run8.font.name = "Arial" run8.font.size = Pt(10) run8.font.bold = True Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info[7], para2) run9 = para2.add_run("\n" + "{request_head}") run9.font.name = "Arial" run9.font.size = Pt(10) run9.font.bold = True Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info[5], para3) for vuln_info in vuln_infos: if vuln_info[3] == "passWord": sql = "select * from api_tree where id='%s'" % ( vuln_info[1]) cursor.execute(sql) api_infos = cursor.fetchall() for api_info in api_infos: para2 = Creat_vuln_detail( self.projectTag).insert_paragraph_after(para1) para3 = para2.insert_paragraph_before("") UserLogin = api_info[2] api_path = api_info[1] run = para3.add_run( "2." + str(k - self.creat_num1 + 1) + " " + str(UserLogin) + Utils().getMyWord("{r_vuln_passWord}") + "\n") run.font.name = "Arial" run.font.size = Pt(16) run.font.bold = True sql = "select path from js_file where id='%s'" % ( vuln_info[2]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para3.add_run( Utils().getMyWord("{r_api_addr}")) run2.font.name = "Arial" run2.font.size = Pt(10) run2.font.bold = True run3 = para3.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(10) run4 = para3.add_run( "\n" + Utils().getMyWord("{r_api_js}")) run4.font.name = "Arial" run4.font.size = Pt(10) run4.font.bold = True run5 = para3.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(10) run5 = para3.add_run( "\n" + Utils().getMyWord("{r_api_res}")) run5.font.name = "Arial" run5.font.size = Pt(10) run5.font.bold = True self.creat_num1 = self.creat_num1 + 1 vuln_info_js_unicode = json.dumps( json.loads(vuln_info[6]), sort_keys=True, indent=4, ensure_ascii=False) Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info_js_unicode, para2) run6 = para2.add_run( Utils().getMyWord("{request_info}")) run6.font.name = "Arial" run6.font.size = Pt(10) run6.font.bold = True vuln_info_js_unicode = json.dumps( json.loads(vuln_info[5]), sort_keys=True, indent=4, ensure_ascii=False) Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info_js_unicode, para3) # sql = "select vaule from info where name='%s'" % ("url") # cursor.execute(sql) # infos = cursor.fetchall() # for info in infos: # para2 = para1.insert_paragraph_before("") # api_path = info[0] # run = para2.add_run("2." + str(self.creat_num1) + " " + str(api_path) + Utils().getMyWord("{r_vuln_CORS}") + "\n") # run.font.name = "Arial" # run.font.size = Pt(16) # run.font.bold = True # run2 = para2.add_run("网址:") # run2.font.name = "Arial" # run2.font.size = Pt(10) # run2.font.bold = True # run3 = para2.add_run(api_path) # run3.font.name = "Arial" # run3.font.size = Pt(10) # run4 = para2.add_run("\n" + "请求头:") # run4.font.name = "Arial" # run4.font.size = Pt(10) # run4.font.bold = True # self.creat_num1 = self.creat_num1 + 1 # Creat_vuln_detail(self.projectTag).creat_table(document, vuln_info[5], para2) # para4 = para2.insert_paragraph_before("") # run5 = para4.add_run("\n" + "响应头:") # run5.font.name = "Arial" # run5.font.size = Pt(10) # run5.font.bold = True # Creat_vuln_detail(self.projectTag).creat_table(document, vuln_info[7], para4) elif vuln_info[3] == "BAC": sql = "select * from api_tree where id='%s'" % ( vuln_info[1]) cursor.execute(sql) api_infos = cursor.fetchall() for api_info in api_infos: para2 = Creat_vuln_detail( self.projectTag).insert_paragraph_after(para1) para3 = para2.insert_paragraph_before("") UserLogin = api_info[2] api_path = api_info[1] run = para3.add_run("2." + str(k - self.creat_num1 + 1) + " " + str(UserLogin) + Utils().getMyWord("{r_vuln_bac}") + "\n") run.font.name = "Arial" run.font.size = Pt(16) run.font.bold = True sql = "select path from js_file where id='%s'" % ( vuln_info[2]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para3.add_run( Utils().getMyWord("{r_api_addr}")) run2.font.name = "Arial" run2.font.size = Pt(10) run2.font.bold = True run3 = para3.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(10) run4 = para3.add_run( "\n" + Utils().getMyWord("{r_api_js}")) run4.font.name = "Arial" run4.font.size = Pt(10) run4.font.bold = True run5 = para3.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(10) run5 = para3.add_run( "\n" + Utils().getMyWord("{request_info}")) run5.font.name = "Arial" run5.font.size = Pt(10) run5.font.bold = True self.creat_num1 = self.creat_num1 + 1 info1 = "请求内容1: " + vuln_info[5].split("§§§")[ 0] + "\n\n" + "请求内容2: " + vuln_info[5].split( "§§§")[1] info2 = "响应内容1: " + vuln_info[6].split("§§§")[ 0] + "\n\n" + "响应内容2: " + vuln_info[6].split( "§§§")[1] Creat_vuln_detail(self.projectTag).creat_table( document, info2, para2) run6 = para2.add_run( "\n" + Utils().getMyWord("{r_api_res}")) run6.font.name = "Arial" run6.font.size = Pt(10) run6.font.bold = True Creat_vuln_detail(self.projectTag).creat_table( document, info1, para3) elif vuln_info[3] == "upLoad": sql = "select * from api_tree where id='%s'" % ( vuln_info[1]) cursor.execute(sql) api_infos = cursor.fetchall() for api_info in api_infos: para2 = Creat_vuln_detail( self.projectTag).insert_paragraph_after(para1) para3 = para2.insert_paragraph_before("") UserLogin = api_info[2] api_path = api_info[1] run = para3.add_run( "2." + str(k - self.creat_num1 + 1) + " " + str(UserLogin) + Utils().getMyWord("{r_vuln_upload}") + "\n") run.font.name = "Arial" run.font.size = Pt(16) run.font.bold = True sql = "select path from js_file where id='%s'" % ( vuln_info[2]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para3.add_run( Utils().getMyWord("{r_api_addr}")) run2.font.name = "Arial" run2.font.size = Pt(10) run2.font.bold = True run3 = para3.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(10) run4 = para3.add_run( "\n" + Utils().getMyWord("{r_api_js}")) run4.font.name = "Arial" run4.font.size = Pt(10) run4.font.bold = True run5 = para3.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(10) run5 = para3.add_run( "\n" + Utils().getMyWord("{request_info}")) run5.font.name = "Arial" run5.font.size = Pt(10) run5.font.bold = True self.creat_num1 = self.creat_num1 + 1 Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info[6], para2) run6 = para2.add_run( "\n" + Utils().getMyWord("{r_api_res}")) run6.font.name = "Arial" run6.font.size = Pt(10) run6.font.bold = True Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info[5], para3) elif vuln_info[3] == "SQL": para2 = Creat_vuln_detail( self.projectTag).insert_paragraph_after(para1) para3 = para2.insert_paragraph_before("") UserLogin = api_info[2] api_path = api_info[1] run = para3.add_run("2." + str(k - self.creat_num1 + 1) + " " + str(UserLogin) + Utils().getMyWord("{r_vuln_sql}") + "\n") run.font.name = "Arial" run.font.size = Pt(16) run.font.bold = True sql = "select path from js_file where id='%s'" % ( vuln_info[2]) cursor.execute(sql) js_paths = cursor.fetchall() for js_path in js_paths: run2 = para3.add_run(Utils().getMyWord("{r_api_addr}")) run2.font.name = "Arial" run2.font.size = Pt(10) run2.font.bold = True run3 = para3.add_run(api_path) run3.font.name = "Arial" run3.font.size = Pt(10) run4 = para3.add_run("\n" + Utils().getMyWord("{r_api_js}")) run4.font.name = "Arial" run4.font.size = Pt(10) run4.font.bold = True run5 = para3.add_run(js_path[0]) run5.font.name = "Arial" run5.font.size = Pt(10) run5 = para3.add_run( "\n" + Utils().getMyWord("{request_info}")) run5.font.name = "Arial" run5.font.size = Pt(10) run5.font.bold = True self.creat_num1 = self.creat_num1 + 1 Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info[6], para2) run6 = para2.add_run("\n" + Utils().getMyWord("{r_api_res}")) run6.font.name = "Arial" run6.font.size = Pt(10) run6.font.bold = True Creat_vuln_detail(self.projectTag).creat_table( document, vuln_info[5], para3) self.log.debug("vuln_detail模块正常") except Exception as e: self.log.error("[Err] %s" % e)