Пример #1
0
 def get_payloads(self, temper_names, use_api, model=LIGHT_MODEL):
     if use_api:
         PayLoads.fuzz_dic_path = FUZZ_API_DIC_PATH
     logger = log.get_logger()
     logger.info('loading default paloads')
     self.init_payloads()
     logger.info('loading default paloads success')
     if temper_names:
         temper_names = [
             temper_name.strip() for temper_name in temper_names.split(",")
         ]
         try:
             logger.setLevel(logging.DEBUG)
             self.load_temper_instances(temper_names)
             temp_payloads = copy.deepcopy(self.payloads)
             # 1.单独编码
             self.encode_payload_single_temper(temp_payloads, temper_names,
                                               model)
             # 2.混合编码
             self.encode_payload_mix_temper(temp_payloads, temper_names,
                                            model)
         except TemperNotFoundError as e:
             traceback.print_exc(file=open(EXCEPTION_LOG_PATH, 'a'))
             exit()
     logger.setLevel(logging.INFO)
     logger.info("{} payloads loaded".format(len(self.payloads)))
     return self.payloads
Пример #2
0
 def check_complete_url_is_alive(self):
     logger = log.get_logger()
     logger.setLevel(logging.DEBUG)
     logger.debug("checking if url is available")
     if TaskSchedule.check_url_is_alive(self._complete_packet.url,
                                        self._complete_packet.cookie,
                                        self._complete_packet.data):
         logger.setLevel(logging.INFO)
         logger.info("url connection success ")
     else:
         logger.setLevel(logging.ERROR)
         logger.error("url connection fail, please check your input ")
         exit()
Пример #3
0
 def notify(self, xss_status, xss_payloads):
     with FuzzTask.working_num_thread_lock:
         FuzzTask.notify_num += 1
         if xss_status is True:
             if FuzzTask.notify_num == 1:
                 logger = log.get_logger()
                 logger.setLevel(logging.CRITICAL)
                 logger.critical("[!] xssfork find XSS Vulnerability")
             try:
                 payload = xss_payloads.pop()
                 print "---"
                 print "    Status: Vulnerable"
                 print "    payload_url: {}".format(payload.get('url'))
                 if payload.get('data') is not None:
                     print "    payload_data: {}".format(payload.get('data'))
                 print "---"
             except Exception:
                 traceback.print_exc(file=open(EXCEPTION_LOG_PATH, 'a'))
Пример #4
0
 def load_temper_instances(self, temper_names):
     logger = log.get_logger()
     for temper_name in temper_names:
         logger.setLevel(logging.DEBUG)
         logger.debug('check temper {} is existed'.format(temper_name))
         temper_path = "%s%s.py" % (TEMPER_PATH, temper_name)
         temper_instance = None
         try:
             temper_instance = imp.load_source('Temper',
                                               temper_path).Temper()
             if temper_instance is not None and not self.temper_instances.has_key(
                     temper_name):
                 self.temper_instances[temper_name] = temper_instance
             logger.setLevel(logging.INFO)
             logger.info('temper {} is existed'.format(temper_name))
         except IOError as e:
             logger.setLevel(logging.ERROR)
             logger.error('temper {} is not existed'.format(temper_name))
             raise TemperNotFoundError(temper_name)
Пример #5
0
 def check_has_params(self):
     logger = log.get_logger()
     logger.setLevel(logging.DEBUG)
     logger.debug("checking if has_params")
     url_payload = ""
     data_payload = ""
     if self._complete_packet.data is not None:
         data_payload = UrlClassification.simplify_url(
             self._complete_packet.data, HTTP_POST_METHOD)
     else:
         url_payload = UrlClassification.simplify_url(
             self._complete_packet.url, HTTP_GET_METHOD)
     if "bsmali4" in data_payload or "bsmali4" in url_payload:
         logger.setLevel(logging.INFO)
         logger.info("there is params, xssfork will work")
     else:
         logger.setLevel(logging.ERROR)
         logger.error("there is no params, please check your input ")
         exit()
Пример #6
0
 def get_payloads(self, temper_names, model=LIGHT_MODEL):
     logger = log.get_logger()
     logger.info('loading default paloads')
     self.init_payloads()
     logger.info('loading default paloads success')
     if temper_names:
         temper_names = [
             temper_name.strip() for temper_name in temper_names.split(",")
         ]
         try:
             logger.setLevel(logging.DEBUG)
             self.load_temper_instances(temper_names)
             temp_payloads = copy.deepcopy(self.payloads)
             self.encode_payload_single_temper(temp_payloads, temper_names,
                                               model)
             self.encode_payload_mix_temper(temp_payloads, temper_names,
                                            model)
         except TemperNotFoundError, e:
             traceback.print_exc(file=open(EXCEPTION_LOG_PATH, 'a'))
             exit()
Пример #7
0
 def notify(self, xss_status, xss_payloads):
     with FuzzTask.working_num_thread_lock:
         FuzzTask.notify_num += 1
         if xss_status is True:
             if FuzzTask.notify_num == 1:
                 logger = log.get_logger()
                 logger.setLevel(logging.CRITICAL)
                 logger.critical("[!] xssfork find XSS Vulnerability")
             try:
                 payload = xss_payloads.pop()
                 print ("---")
                 print ("    Status: Vulnerable")
                 print ("    payload_url: {}".format(payload.get('url')))
                 if payload.get('data') is not None:
                     print ("    payload_data: {}".format(payload.get('data')))
                 print ("---")
                 if self.is_call_xssfork_api():  # 调用api则保存数据到数据
                     xssfork_task = XssforkTask(id=self._complete_packet.id)
                     xssfork_task.change(payload=json.dumps(payload))
             except Exception as e:
                 traceback.print_exc(file=open(EXCEPTION_LOG_PATH, 'a'))
Пример #8
0
 def notify(self, xss_status, xss_payloads):
     if xss_status is False:
         logger = log.get_logger()
         logger.setLevel(logging.WARNING)
         logger.warning("[!] xssfork can not find XSS Vulnerability")