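def audit(self):
    """Check whether a JSON/JSONP endpoint hands its data to a foreign origin.

    Only GET requests are replayed. Two cases are covered:

    * The original body already looks like a JSONP wrapper
      (``name({...})``): the request is repeated with a Referer from a
      look-alike origin and reported when the reply is still at least 80%
      similar, i.e. the endpoint does not bind the data to its own origin.
    * The body is plain JSON and the URL carries no ``callback``: a random
      ``callback`` parameter is added and the endpoint is reported when it
      wraps the reply in that callback.

    Findings go to ``out.success``; nothing is returned.
    """
    method = self.requests.command  # request method, GET or POST
    # Copies: the probe rewrites Referer and adds a query parameter, and the
    # originals may be the shared request object other checks also read.
    headers = dict(self.requests.get_headers())
    params = dict(self.requests.params)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # original body, decoded to str
    p = self.requests.urlparse
    netloc = self.requests.netloc

    # Raw string: the previous non-raw literal relied on ``\S``/``\(`` being
    # left alone as invalid escapes, which newer Pythons warn about.
    combine = r'^\S+\(\{.*\}\)'
    # Look-alike origin used as Referer, built exactly as before:
    # "<scheme>://<host>" + 2 random chars + "<host>/".
    domain = "{}://{}".format(p.scheme, p.netloc) + random_str(
        2, string.ascii_lowercase + string.digits) + p.netloc + "/"

    if re.match(combine, resp_str, re.I | re.S):
        # Body is already JSONP.
        headers["Referer"] = domain
        if method == 'GET':
            r = requests.get(url, headers=headers)
            # A near-identical reply under a foreign Referer means the
            # endpoint does not check where the request came from.
            if GetRatio(resp_str, r.text) >= 0.8:
                out.success(url, self.name, raw=r.raw)
    elif re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S) and 'callback' not in url:
        # Plain JSON without a callback: see whether one is honoured.
        headers["Referer"] = domain
        params["callback"] = random_str(2)
        if method == 'GET':
            r = requests.get(netloc, params=params, headers=headers)
            if params["callback"] + "({" in r.text:
                out.success(r.url, self.name, raw=r.raw)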
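def audit(self):
    """Check a JSON/JSONP endpoint for cross-origin exposure of its data.

    Only GET requests are replayed. Two cases are covered:

    * The original body already looks like a JSONP wrapper
      (``name({...})``): the request is repeated with a Referer from a
      random third-party host. When the reply is still at least 80% similar,
      one finding is reported per entry of ``sensitive_params`` that occurs
      (case-insensitively) in the reply.
    * The body is plain JSON and the URL carries no ``callback``: a random
      ``callback`` parameter is added and the endpoint is reported when the
      reply starts with that callback.

    Each finding carries the Referer used, the reply's Content-Type and,
    when ``self.jsonp_load`` can parse it, the decoded body (replaced by a
    placeholder string when longer than 500). Findings go to
    ``out.success``; nothing is returned.
    """
    method = self.requests.command  # request method, GET or POST
    # Copies: the probe rewrites Referer and adds a query parameter, and the
    # originals may be the shared request object other checks also read.
    headers = dict(self.requests.get_headers())
    params = dict(self.requests.params)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # original body, decoded to str
    p = self.requests.urlparse
    netloc = self.requests.netloc

    # Raw string: the previous non-raw literal relied on ``\S``/``\(`` being
    # left alone as invalid escapes, which newer Pythons warn about.
    combine = r'^\S+\(\{.*?\}\)'
    # Third-party origin used as Referer, built exactly as before:
    # "<scheme>://<host>" + 4 random chars + ".com/".
    domain = "{}://{}".format(p.scheme, p.netloc) + random_str(
        4, string.ascii_lowercase + string.digits) + ".com/"
    sensitive_params = ['mail', 'user', 'name', 'ip', 'pass', 'add', 'phone']

    def attach_body(res, text):
        # Add the decoded JSONP body to the finding; bodies longer than 500
        # are replaced by the (user-facing, unchanged) placeholder string.
        response = self.jsonp_load(text)
        if response:
            res["response"] = response
            if len(response) > 500:
                res["response"] = "数据太多,自行访问"

    if re.match(combine, resp_str, re.I | re.S):
        # Body is already JSONP.
        headers["Referer"] = domain
        if method == 'GET':
            r = requests.get(url, headers=headers)
            if GetRatio(resp_str, r.text) >= 0.8:
                lowered = r.text.lower()  # hoisted out of the keyword loop
                for keyword in sensitive_params:
                    if keyword in lowered:
                        res = {
                            "Referer": domain,
                            "keyword": keyword,
                            "Content-Type": r.headers.get("Content-Type", ""),
                        }
                        attach_body(res, r.text)
                        out.success(url, self.name, **res)
    elif re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S) and 'callback' not in url:
        # Plain JSON without a callback: see whether one is honoured.
        headers["Referer"] = domain
        params["callback"] = random_str(2)
        if method == 'GET':
            r = requests.get(netloc, params=params, headers=headers)
            if r.text.startswith(params["callback"] + "({"):
                res = {
                    "Referer": domain,
                    "Content-Type": r.headers.get("Content-Type", ""),
                    "callback": params["callback"],
                }
                attach_body(res, r.text)
                out.success(r.url, self.name, **res)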
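def audit(self):
    """Compare page similarity for form-body parameters (POST, plain form only).

    For every field not listed in ``ignoreParams`` and every template in
    ``sql_flag``, the field value is sent twice: once with both sides of the
    appended comparison equal and once with two independent random strings.
    The field is reported when the first page is still close to the
    original (ratio >= 0.88) while the second diverges (ratio < 0.78).

    Findings go to ``out.success`` with both probe pages attached; nothing
    is returned.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers, dict
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # original body, decoded to str
    post_hint = self.requests.post_hint
    post_data = self.requests.post_data

    # Only plain form-encoded bodies are handled here.
    if method != 'POST' or post_hint != POST_HINT.NORMAL:
        return

    sql_flag = [
        "/**/and'{0}'='{1}'",
        "'and'{0}'='{1}",
        '"and"{0}"="{1}',
    ]
    for k, v in post_data.items():
        if k.lower() in ignoreParams:
            continue
        data = copy.deepcopy(post_data)  # never mutate the shared body
        for flag in sql_flag:
            # "True" page: both sides of the appended comparison are equal.
            rand_str = random_str(2)
            payload1 = v + flag.format(rand_str, rand_str)
            data[k] = payload1
            r = requests.post(url, data=data, headers=headers)
            html1 = r.text
            radio = GetRatio(resp_str, html1)
            if radio < 0.88:
                continue
            # "False" page: two independently drawn random strings.
            payload2 = v + flag.format(random_str(2), random_str(2))
            data[k] = payload2
            r2 = requests.post(url, data=data, headers=headers)
            html2 = r2.text
            radio2 = GetRatio(resp_str, html2)
            # Bug fix: this used to test ``radio`` again, which is >= 0.88
            # after the guard above, so the report below was unreachable.
            # The divergence of the second page is what ``radio2`` measures.
            if radio2 < 0.78:
                condition = [
                    '{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size1}'.format(
                        k=k, v=payload1, v1=v, radio=radio, size1=len(html1)),
                    '{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size2}'.format(
                        k=k, v=payload2, v1=v, radio=radio2, size2=len(html2)),
                ]
                out.success(url, self.name, payload=k, condition=condition,
                            data=str(data), raw=[r.raw, r2.raw])
                break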
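def audit(self):
    """Check whether a JSON/JSONP endpoint ignores the request's Referer.

    Only GET requests are replayed. Two cases are covered:

    * The original body already looks like a JSONP wrapper
      (``name({...})``): the request is repeated with a third-party Referer
      and reported when the reply is still at least 80% similar.
    * The body is plain JSON and the URL carries no ``callback``: a random
      ``callback`` parameter is added and the endpoint is reported when it
      wraps the reply in that callback.

    As in the original logic, the Referer is only rewritten when the
    request already carried one. Findings go to ``out.success``; nothing is
    returned.
    """
    method = self.requests.command  # request method, GET or POST
    # Copies: the probe rewrites Referer and adds a query parameter, and the
    # originals may be the shared request object other checks also read.
    headers = dict(self.requests.get_headers())
    params = dict(self.requests.params)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # original body, decoded to str
    netloc = self.requests.netloc

    # Raw string: the previous non-raw literal relied on ``\S``/``\(`` being
    # left alone as invalid escapes, which newer Pythons warn about.
    combine = r'^\S+\(\{.*\}\)'
    foreign_referer = "https://www.baidu.com/q=" + url

    if re.match(combine, resp_str, re.I | re.S):
        # Body is already JSONP.
        if "Referer" in headers:
            headers["Referer"] = foreign_referer
        if method == 'GET':
            r = requests.get(url, headers=headers)
            # A near-identical reply under a foreign Referer means the
            # endpoint does not check where the request came from.
            if GetRatio(resp_str, r.text) >= 0.8:
                out.success(url, self.name)
    elif re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S) and 'callback' not in url:
        # Plain JSON without a callback: see whether one is honoured.
        if "Referer" in headers:
            headers["Referer"] = foreign_referer
        params["callback"] = random_str(2)
        if method == 'GET':
            r = requests.get(netloc, params=params, headers=headers)
            if params["callback"] + "({" in r.text:
                out.success(r.url, self.name)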
def audit(self):
    """Compare page similarity for query-string parameters (GET only).

    Flow, as visible below:

    1. Bail out when there is no query string or the path extension is not
       in ``acceptedExt``.
    2. Re-fetch the page and measure how stable it is with ``seqMatcher``;
       when it is not (ratio <= 0.98) run ``findDynamicContent`` up to
       ``self.retry`` more times (see the NOTE on that loop).
    3. For every parameter not in ``ignoreParams`` and every template in
       ``sql_flag``, send the value once with two independent random strings
       ("false" page) and once with both sides equal ("true" page), strip
       dynamic content from both, and compare the three pages by ratio; when
       the ratios are inconclusive, fall back to comparing filtered text
       lines that appear only in the "true" page.

    Findings go to ``out.success`` with both probe pages attached; nothing
    is returned.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers, dict
    url = self.build_url()  # full request URL
    resp_data = self.response.get_body_data()  # response body, bytes (unused here)
    resp_str = self.response.get_body_str()  # response body, str, auto-decoded
    resp_headers = self.response.get_headers()  # response headers, dict (unused here)
    p = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc
    if method == 'GET':
        # Nothing to vary without a query string.
        if p.query == '':
            return
        exi = os.path.splitext(p.path)[1]
        if exi not in acceptedExt:
            return
        self.init()
        # Fetch the page once more to measure how stable it is.
        r = requests.get(url, headers=headers)
        try:
            self.seqMatcher.set_seq1(resp_str)
            self.seqMatcher.set_seq2(r.text)
            radio = self.seqMatcher.quick_ratio()
        except MemoryError:
            return
        if radio <= 0.98:
            # Page differs between two identical requests: learn the
            # dynamic parts so they can be stripped before comparing.
            self.findDynamicContent(resp_str, r.text)
            count = 0
            # NOTE(review): this loop has no ``break``; its only exit is the
            # ``return`` once ``count`` exceeds ``self.retry``, so a page
            # that is dynamic at this point never reaches the parameter
            # checks below. Confirm whether that is intended.
            while 1:
                count += 1
                if count > self.retry:
                    return
                r = requests.get(url, headers=headers)
                self.findDynamicContent(resp_str, self.removeDynamicContent(r.text))
        sql_flag = [
            "/**/and'{0}'='{1}'",
            "'and'{0}'='{1}",
            '"and"{0}"="{1}',
        ]
        for k, v in params.items():
            if k.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)  # never mutate the shared params
            for flag in sql_flag:
                # "False" page: two independently drawn random strings.
                is_inject = False
                payload2 = v + flag.format(random_str(2), random_str(2))
                data[k] = payload2
                r2 = requests.get(netloc, params=data, headers=headers)
                html1 = self.removeDynamicContent(r2.text)
                ratio = 1.0
                try:
                    # ratio: original vs "false" page
                    ratio *= GetRatio(resp_str, html1)
                    # self.seqMatcher.set_seq1(resp_str or "")
                    # self.seqMatcher.set_seq2(html1 or "")
                    # ratio *= self.seqMatcher.quick_ratio()  # true false
                    # An identical page means the parameter is not echoed
                    # into anything that changes; skip this template.
                    if ratio == 1.0:
                        continue
                except (MemoryError, OverflowError):
                    continue
                # "True" page: both sides of the appended comparison equal.
                rand_str = random_str(2)
                payload1 = v + flag.format(rand_str, rand_str)
                data[k] = payload1
                r = requests.get(netloc, params=data, headers=headers)
                html2 = self.removeDynamicContent(r.text)
                try:
                    # ratio2: "false" page vs "true" page
                    # self.seqMatcher.set_seq1(html2 or "")
                    # self.seqMatcher.set_seq2(html1 or "")
                    # ratio2 = self.seqMatcher.quick_ratio()  # true false
                    ratio2 = GetRatio(html1, html2)
                except (MemoryError, OverflowError):
                    continue
                try:
                    # ratio3: original vs "true" page
                    # self.seqMatcher.set_seq1(html2 or "")
                    # self.seqMatcher.set_seq2(resp_str or "")
                    # ratio3 = self.seqMatcher.quick_ratio()  # true true
                    ratio3 = GetRatio(resp_str, html2)
                except (MemoryError, OverflowError):
                    continue
                # Ratio-based decision: the "true" page must sit closer to the
                # original than the "false" page does (thresholds as given).
                if (0.1 > ratio - ratio2 > -0.1) and ratio3 > ratio - 0.05 and ratio3 > ratio2 - 0.5:
                    is_inject = True
                if not is_inject:
                    # Fallback: compare filtered text lines. Report when the
                    # "true" page equals the original line-for-line, the
                    # "false" page does not, and at least one line present
                    # only in the "true" page looks like a plain sentence.
                    originalSet = set(getFilteredPageContent(resp_str, True, "\n").split("\n"))
                    trueSet = set(getFilteredPageContent(html2, True, "\n").split("\n"))
                    falseSet = set(getFilteredPageContent(html1, True, "\n").split("\n"))
                    if originalSet == trueSet and trueSet != falseSet:
                        candidates = trueSet - falseSet
                        if candidates:
                            candidates = sorted(candidates, key=len)
                            for candidate in candidates:
                                if re.match(r"\A[\w.,! ]+\Z", candidate) and ' ' in candidate and candidate.strip() and len(candidate) > 10:
                                    is_inject = True
                                    break
                if is_inject:
                    out.success(url, self.name, payload=k, raw=[r2.raw, r.raw])
                    break