def request(self, flow: mitmproxy.http.HTTPFlow) -> None:
    """mitmproxy ``request`` hook: check the intercepted request's parameters for reflected XSS.

    The request is serialised, every candidate insertion point is re-sent with the
    marker ``TEST_CASE``, and wherever the marker is reflected the context-specific
    payloads from ``payload_generate`` are tried in turn.  Findings are printed and
    appended to ``./result/result.txt``.

    Args:
        flow: The intercepted HTTP flow; only ``flow.request`` is read.
    """
    # NOTE(review): makeRequest / RequestParser / GetInsertPoints are project helpers;
    # assumed to rebuild the raw request and enumerate its query/body parameters — confirm.
    raw_request = bytes(makeRequest(flow.request), encoding="utf8")
    parser = RequestParser(raw_request)
    points = GetInsertPoints(parser)
    for request in points.requests:
        # Probe request: same scheme as the intercepted flow.
        response = send(request, flow.request.scheme)
        # Check whether the marker injected into the request is reflected in the response.
        if TEST_CASE in response.text:
            print("\n[*]Test case is found in", request.insert_place)
            checker = ResponseChecker(response.text, TEST_CASE)
            result = checker.get_check_result()
            # The marker is reflected: replace it with a payload suited to the
            # context in which it appeared and resend to test for XSS.
            payload_list = []
            for context in result["contexts"]:
                print(context)
                payloads = payload_generate(context['type'])
                for payload in payloads:
                    xss_request = copy.deepcopy(request)
                    # Return value unused; presumably replaces in place — verify.
                    xss_request.replace(TEST_CASE, payload['payload'])
                    # NOTE(review): scheme is hard-coded to "http" here while the probe
                    # above uses flow.request.scheme — confirm this is intended for HTTPS
                    # targets.  Also rebinds the outer `response` (the probe response).
                    response = send(xss_request, "http")
                    # 3xx/4xx/5xx responses are not processed.
                    if response.status_code == 200:
                        # assumes `html` is lxml.html — TODO confirm
                        page_html_tree = html.fromstring(response.text)
                        # payload['find'] is an XPath expression; a non-empty match
                        # means the payload survived in the parsed DOM.
                        count = page_html_tree.xpath(payload['find'])
                        if len(count):
                            payload_list.append(payload['payload'])
                    else:
                        print("[-]Response status code wrong.")
            # Any payload found in the parsed response is treated as a vulnerability.
            if len(payload_list) > 0:
                # Path is relative to the process CWD; open() does not create
                # the ./result directory, so it must already exist.
                with open("./result/result.txt", "a+") as f:
                    print("[+]Found a Reflection XSS:", flow.request.url)
                    if request.insert_place == 'query':
                        print("[+]Inject Point in URL Query Parameter:", request.insert_param)
                    else:
                        print("[+]Inject Point in Body Parameter:", request.insert_param)
                    # Save the result to ./result/result.txt.
                    f.write(request.method + " " + flow.request.url + "\n")
                    f.write("Vulnerable Param: " + request.insert_param + "\n")
                    f.write("Payload:\n")
                    print("[+]Payload:")
                    for payload in payload_list:
                        print(" ", payload)
                        f.write(" " + payload + "\n")
                    f.write("\n")
                    print()
def run(self):
    """Drain the fingerprint queue until one entry identifies the CMS.

    Each entry is matched either by the MD5 checksum of a static resource
    (``staticurl`` / ``checksum``) or by a keyword on the home page
    (``homeurl`` / ``keyword``).  The first hit sets ``self.found`` and stops
    the loop; entries whose request fails are skipped.
    """
    while not self.work_queue.empty() and self.found is False:
        entry = self.work_queue.get()
        if entry["staticurl"]:
            resp = send(self.url + entry["staticurl"])
            if resp is None or resp.text is None:
                continue
            matched = get_md5(resp.text) == entry["checksum"]
        elif entry["keyword"]:
            resp = send(self.url + entry["homeurl"])
            if resp is None or resp.text is None:
                continue
            matched = entry["keyword"] in resp.text
        else:
            # Entry carries neither a static URL nor a keyword: nothing to check.
            continue
        if matched:
            name = entry["cmsname"]
            print("[+]Found CMS:", name)
            logger.info(f"found cms [{name}]")
            self.found = True
def run(self):
    """Drain the fingerprint queue until an MD5 entry identifies the CMS.

    Only entries with ``type == "md5"`` are evaluated; the response body of
    ``self.url + path`` is hashed and compared with ``match_pattern``.  The
    first hit sets ``self.found`` and stops the loop.
    """
    while not self.work_queue.empty() and self.found is False:
        entry = self.work_queue.get()
        resp = send(self.url + entry["path"])
        if resp is None or resp.text is None:
            continue
        # Other fingerprint types are not handled by this worker.
        if entry["type"] != "md5":
            continue
        if get_md5(resp.text) != entry["match_pattern"]:
            continue
        name = entry["cms"]
        print("[+]Found CMS:", name)
        logger.info(f"found cms [{name}]")
        self.found = True
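def thread(self):
    """Fetch ``self.url`` once, cache title/body/headers, then run ``self.match`` over every id.

    The match calls are fanned out on a thread pool of ``self.thread_count``
    workers and the method returns once all of them have completed.

    Returns:
        False if the initial request failed (``send`` returned None), True otherwise.
    """
    response = send(self.url)
    if response is None:
        return False
    # A page without a <title> element yields None here; store an empty
    # title rather than raising AttributeError.
    title_tag = BS(response.text, "lxml").title
    self.title = title_tag.text.strip() if title_tag is not None else ""
    self.body = response.text
    self.header = response.headers
    # The context manager shuts the pool down and joins its workers, so the
    # executor threads are not leaked when this method returns.
    with concurrent.futures.ThreadPoolExecutor(max_workers=self.thread_count) as pool:
        futures = [pool.submit(self.match, item_id) for item_id in range(int(self.count()))]
        # Exceptions raised inside match() stay attached to their futures and are
        # dropped here, as before; call future.result() if they need surfacing.
        for _ in concurrent.futures.as_completed(futures):
            pass
    return True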
def run(self):
    """Drain the fingerprint queue until one entry identifies the CMS.

    An entry with a non-empty ``re`` is matched by substring search in the
    response body; otherwise the body's MD5 is compared with ``md5``.  The
    first hit sets ``self.found`` and stops the loop.
    """
    while not self.work_queue.empty() and self.found is False:
        entry = self.work_queue.get()
        resp = send(self.url + entry["url"])
        if resp is None or resp.text is None:
            continue
        if entry["re"]:
            hit = entry["re"] in resp.text
        else:
            hit = get_md5(resp.text) == entry["md5"]
        if hit:
            name = entry["name"]
            print("[+]Found CMS:", name)
            logger.info(f"found cms [{name}]")
            self.found = True
def run(self):
    """Drain the fingerprint queue, stopping early once the shared ``event`` is cleared.

    A set ``event`` means "keep going"; a hit clears it so that sibling
    workers stop on their next iteration.  Entries with a non-empty ``re``
    are matched by substring search, the rest by MD5 of the response body.
    """
    while not self.work_queue.empty():
        # NOTE(review): exit(0) raises SystemExit; inside a worker thread this
        # ends only that thread rather than the process.
        if not event.is_set():
            exit(0)
        entry = self.work_queue.get()
        target = self.url + entry["url"]
        print("[*]Start to check URL:", target)
        resp = send(target)
        if resp is None or resp.text is None:
            continue
        if entry["re"]:
            hit = entry["re"] in resp.text
        else:
            hit = get_md5(resp.text) == entry["md5"]
        if hit:
            print("[*]Found CMS:", entry["name"])
            event.clear()