def sqlmap_scan(request, level):
message = {"request_stat": 0, "message": ""}
sqlmap_api = config.load_rule()["sqlmap_api"]
sqlmap_conf = json.load(open(config.rule_read("sqlmap", get_file_handle=True)))
conf_ban = ["url", "headers", "data", "taskid", "database"]
for ban in conf_ban:
if ban in sqlmap_conf.keys():
del sqlmap_conf[ban]
sqlmap_conf['url'] = request['url']
sqlmap_conf['data'] = request['postdata']
sqlmap_conf['headers'] = ""
for header in request['headers'].keys():
sqlmap_conf['headers'] += "%s: %s\r\n" % (header, request['headers'][header])
json_headers = {"Content-Type": "application/json"}
taskid = json.loads(requests.get("%s/task/new" % sqlmap_api).content)['taskid']
data = json.dumps(sqlmap_conf)
try:
requests.post("%s/option/%s/set" % (sqlmap_api, taskid), data=json.dumps(sqlmap_conf), headers=json_headers)
requests.post("%s/scan/%s/start" % (sqlmap_api, taskid), data="{}", headers=json_headers)
while json.loads(requests.get("%s/scan/%s/status" % (sqlmap_api, taskid)).content)['status'] != "terminated":
time.sleep(5)
data = json.loads(requests.get("%s/scan/%s/data" % (sqlmap_api, taskid)).content)['data']
if data != []:
message['request_stat'] = 3
message['message'] += "title: %s|#|payload: %s|#|taskid: %s|,|" % (data[0]['value'][0]['data']['1']['title'], data[0]['value'][0]['data']['1']['payload'], taskid)
except Exception as e:
print(e)
finally:
return message
def sqlibool_scan(request, config_level):
message = {"request_stat": 0, "message": ""}
dom = minidom.parse(config.rule_read("sqlibool", get_file_handle=True)).documentElement
for node in dom.getElementsByTagName('couple'):
couple_id = int(node.getAttribute("id"))
if couple_id <= config_level:
for compare in node.getElementsByTagName("compare"):
compare1 = compare.getElementsByTagName("compare1")[0].childNodes[0].nodeValue
compare11 = compare.getElementsByTagName("compare11")[0].childNodes[0].nodeValue
compare2 = compare.getElementsByTagName("compare2")[0].childNodes[0].nodeValue
compare22 = compare.getElementsByTagName("compare22")[0].childNodes[0].nodeValue
for param_name in urlparse(request['url']).query.split("&"):
response1 = request_payload(request, compare1, param_name)
response2 = request_payload(request, compare2, param_name)
response22 = request_payload(request, compare22, param_name)
time.sleep(1)#prevent time stamp in response
response11 = request_payload(request, compare11, param_name)
if response1 == response11 and response2 == response22 and response1 != response2:
message['request_stat'] = 2
message['message'] += "payload1: %s|#|payload2: %s|#|param: %s|,|" % (compare1.encode('utf-8'), compare2.encode('utf-8'), param_name.split("=")[0])
if config.load()['only_one_match'].lower() == "true":
return message
for param_name in request['postdata'].split("&"):
if request['postdata'] == "":
break
response1 = request_payload(request, compare1, param_name, postdata=True)
response11 = request_payload(request, compare11, param_name, postdata=True)
response2 = request_payload(request, compare2, param_name, postdata=True)
response22 = request_payload(request, compare22, param_name, postdata=True)
if response1 == response11 and response2 == response22 and response1 != response2:
message['request_stat'] = 2
message['message'] += "payload1: %s|#|payload2: %s|#|param: %s|,|" % (compare1.encode('utf-8'), compare2.encode('utf-8'), param_name.split("=")[0])
if config.load()['only_one_match'].lower() == "true":
return message
return message
def xss_scan(request, config_level):
message = {"request_stat": 0, "message": ""}
dom = minidom.parse(config.rule_read("xss", get_file_handle=True)).documentElement
for node in dom.getElementsByTagName('couple'):
couple_id = int(node.getAttribute("id"))
if couple_id <= config_level:
payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
for payload in payloads.splitlines():
for param_name in urlparse(request['url']).query.split("&"):
response = request_payload(request, payload.strip(), param_name)
if payload.strip().encode("utf-8") in response:
message['request_stat'] = 1
message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], payload.strip().encode('utf-8'))
if config.load()['only_one_match'].lower() == "true":
return message
for param_name in request['postdata'].split("&"):
if request['postdata'] == "":
break
else:
response = request_payload(request, payload.strip(), param_name, postdata=True)
if payload.strip().encode("utf-8") in response:
message['request_stat'] = 1
message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], payload.strip().encode('utf-8'))
if config.load()['only_one_match'].lower() == "true":
return message
return message
def common_scan(request, config_level, re_test, scan_type):
message = {"request_stat": 0, "message": ""}
dom = minidom.parse(config.rule_read(scan_type, get_file_handle=True)).documentElement
for node in dom.getElementsByTagName('couple'):
couple_id = int(node.getAttribute("id"))
if couple_id <= config_level:
payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
for payload in payloads.splitlines():
for param_name in urlparse(request['url']).query.split("&"):
response = request_payload(request, payload.strip(), param_name)
if not isinstance(response,str):
response = response.decode("utf8","ignore")
for response_rule in node.getElementsByTagName('responses')[0].childNodes[0].nodeValue.strip().splitlines():
# print(response_rule)
if re_test:
if re.search(response_rule.strip(), response):
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
if config.load()['only_one_match'].lower() == "true":
# print(message)
return message
else:
if response_rule.strip() in response:
#rule format: unicode, it need to be encoded with utf-8
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
if config.load()['only_one_match'].lower() == "true":
return message
for param_name in request['postdata'].split("&"):
if request['postdata'] == "":
break
else:
response = request_payload(request, payload.strip(), param_name, postdata=True)
for response_rule in node.getElementsByTagName('responses')[0].childNodes[0].nodeValue.strip().splitlines():
if re_test:
if re.search(response_rule.strip().encode("utf-8"), response):
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
if config.load()['only_one_match'].lower() == "true":
# print(message)
return message
else:
if response_rule.strip().encode("utf-8") in response:
#rule format: unicode, it need to be encoded with utf-8
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|#|findstr: %s|,|" % (payload.strip().encode('utf-8'), param_name.split("=")[0], response_rule.strip().encode('utf-8'))
if config.load()['only_one_match'].lower() == "true":
return message
# print(message)
return message
def get(self):
start = {}
rule = ["sqlireflect", "sqlitime", "xpath", "xss", "sqlibool"]
for i in rule:
start[i + "_true"] = ""
start[i + "_false"] = "checked"
for i in config.load_rule()["scan_type"]:
start[i + "_true"] = "checked"
start[i + "_false"] = ""
rules = {}
for i in rule:
rules[i] = config.rule_read(i)
return self.render("scan_config.html",
config=config.load(),
start=start,
rules=rules,
scan_stat=config.load()['scan_stat'])
def sqlitime_scan(request, config_level):
message = {"request_stat": 0, "message": ""}
dom = minidom.parse(config.rule_read("sqlitime", get_file_handle=True)).documentElement
for node in dom.getElementsByTagName('couple'):
couple_id = int(node.getAttribute("id"))
if couple_id <= config_level:
payloads = node.getElementsByTagName('requests')[0].childNodes[0].nodeValue.strip()
for payload in payloads.splitlines():
if "TIME_VAR" in payload:
for param_name in urlparse(request['url']).query.split("&"):
response, time0 = request_payload(request, payload.strip().replace("TIME_VAR", "0"), param_name, time_check=True)
response, time3 = request_payload(request, payload.strip().replace("TIME_VAR", "3"), param_name, time_check=True)
if time3 - time0 >= 2:
response, time6 = request_payload(request, payload.strip().replace("TIME_VAR", "6"), param_name, time_check=True)
num = (time6 - time0) / (time3 - time0)
if num <= 2.3 and num >= 1.7:
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("TIME_VAR", '5').encode('utf-8'), param_name.split("=")[0])
if config.load()['only_one_match'].lower() == "true":
return message
for param_name in request['postdata'].split("&"):
if request['postdata'] == "":
break
response, time0 = request_payload(request, payload.strip().replace("TIME_VAR", "0"), param_name, postdata=True, time_check=True)
response, time3 = request_payload(request, payload.strip().replace("TIME_VAR", "3"), param_name, postdata=True, time_check=True)
if time3 - time0 >= 2:
response, time6 = request_payload(request, payload.strip().replace("TIME_VAR", "6"), param_name, postdata=True, time_check=True)
num = (time6 - time0) / (time3 - time0)
if num <= 2.3 and num >= 1.7:
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("TIME_VAR", '5').encode('utf-8'), param_name.split("=")[0])
if config.load()['only_one_match'].lower() == "true":
return message
elif "NUM_VAR" in payload:
for param_name in urlparse(request['url']).query.split("&"):
response, time0 = request_payload(request, payload.strip().replace("NUM_VAR", "0"), param_name, time_check=True)
VAR = '500000'
for NUM_VAR in range(3):
VAR += '0'
response, time_more = request_payload(request, payload.strip().replace("NUM_VAR", VAR), param_name, time_check=True)
if time_more - time0 >= 3:
response, time6 = request_payload(request, payload.strip().replace("NUM_VAR", str(int(VAR) * 2)), param_name, time_check=True)
num = (time6 - time0) / (time_more - time0)
if num <= 2.3 and num >= 1.7:
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("NUM_VAR", VAR).encode('utf-8'), param_name.split("=")[0])
if config.load()['only_one_match'].lower() == "true":
return message
else:
break
else:
break
for param_name in request['postdata'].split("&"):
if request['postdata'] == "":
break
response, time0 = request_payload(request, payload.strip().replace("NUM_VAR", "0"), param_name, time_check=True)
VAR = '500000'
for NUM_VAR in range(3):
VAR += '0'
response, time_more = request_payload(request, payload.strip().replace("NUM_VAR", VAR), param_name, postdata=True, time_check=True)
if time_more - time0 >= 3:
response, time6 = request_payload(request, payload.strip().replace("NUM_VAR", str(int(VAR) * 2)), param_name, postdata=True, time_check=True)
num = (time6 - time0) / (time_more - time0)
if num <= 2.3 and num >= 1.7:
message['request_stat'] = 3
message['message'] += "payload: %s|#|param: %s|,|" % (payload.strip().replace("NUM_VAR", VAR).encode('utf-8'), param_name.split("=")[0])
if config.load()['only_one_match'].lower() == "true":
return message
else:
break
else:
break
return message
