def filterParams(self):
    """Canonicalise ``self.params`` into ``self.orderParams``.

    The canonical form lets two requests that differ only in parameter order
    (or, for GET, in the spelling of a value) be treated as repeats:

    * GET (``self.method`` equals ``DEFAULT_METHOD``): every ``key=value``
      pair is kept and sorted, with the value replaced by
      ``self.paramsType(value)`` — so ``id=68`` and ``id=86`` presumably
      collapse to the same form when ``paramsType`` classifies both alike.
    * any other method (POST): only the sorted keys are kept, so
      ``name=skycrab&age=10`` and ``name=10&age=skycrab`` both become
      ``age&name``.

    Relies on ``PARAMS_PATTERN`` yielding ``(key, value)`` tuples from
    ``findall`` and exposing a ``key`` group for ``finditer``.
    """
    is_get = self.method.upper() == DEFAULT_METHOD
    if is_get:
        pairs = sorted(PARAMS_PATTERN.findall(self.params))
        pieces = ["%s=%s" % (key, self.paramsType(value)) for key, value in pairs]
    else:
        keys = [found.group('key') for found in PARAMS_PATTERN.finditer(self.params)]
        keys.sort()
        pieces = keys
    self.orderParams = "&".join(pieces)
def filterParams(self):
    """Build the order-independent parameter string ``self.orderParams``.

    Used to detect repeated requests.  For GET requests (``self.method``
    equal to ``DEFAULT_METHOD``) both key and value matter: each pair from
    ``PARAMS_PATTERN.findall`` is sorted and rendered as
    ``key=self.paramsType(value)``, so values of the same type compare equal
    (``id=68`` vs ``id=86``).  For every other method only the keys matter:
    ``name=skycrab&age=10`` and ``name=10&age=skycrab`` both yield
    ``age&name``.
    """
    if self.method.upper() != DEFAULT_METHOD:
        # POST-style: keys only, sorted.
        sorted_keys = sorted(m.group('key') for m in PARAMS_PATTERN.finditer(self.params))
        self.orderParams = "&".join(sorted_keys)
        return
    # GET-style: keep key and typed value, sorted by (key, value).
    sorted_pairs = sorted(PARAMS_PATTERN.findall(self.params))
    rendered = ("%s=%s" % (key, self.paramsType(value)) for key, value in sorted_pairs)
    self.orderParams = "&".join(rendered)
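def run_url(req, rule):
    """Check each parameter of *req* for reflected, unfiltered characters.

    For every ``key=value`` match of ``PARAMS_PATTERN`` in ``req.params`` the
    value is suffixed with a random ``prefix``/``suffix`` marker wrapping a
    shuffled character pool (``LARGER_CHAR_POOL`` first, then
    ``SMALLER_CHAR_POOL`` only if the first pool produced no finding).  The
    response body is searched for the marker; each reflected fragment is
    matched against the ``(regex, condition, info)`` triples of
    ``XSS_PATTERNS`` and counts as a finding when the fragment still contains
    every character of ``condition`` in unescaped form.

    Args:
        req: request object exposing ``params``; handed to ``requestUrl``.
        rule: unused by this check; kept for the shared ``run_url`` signature.

    Returns:
        ``Result(response, details)`` where ``response`` is the first
        flagged response and ``details`` holds one message per flagged
        parameter; implicitly ``None`` when nothing was flagged.
    """
    def _contains(content, chars):
        """True when every char of *chars* occurs unescaped in *content*."""
        if chars:
            # Drop backslash-escaped occurrences first so an escaped reflection
            # does not count.  ``re.escape`` keeps chars such as ']' or '\\'
            # from breaking the character class.  Note: the previous version
            # passed ``re.S`` positionally, i.e. as ``count=16``, which capped
            # the number of escaped occurrences removed; no flag is needed for
            # a character class, so none is passed.
            pattern = r"\\[%s]" % "".join(re.escape(char) for char in chars)
            content = re.sub(pattern, "", content)
        return all(char in content for char in chars)

    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        value = match.group('value')
        if not value:
            # str.replace("") would splice the probe between every character
            # of params; an empty value cannot be probed this way.
            continue
        found = False
        prefix, suffix = ["".join(random.sample(string.ascii_lowercase, PREFIX_SUFFIX_LENGTH)) for i in xrange(2)]
        for pool in (LARGER_CHAR_POOL, SMALLER_CHAR_POOL):
            if found:
                break
            # NOTE: replaces every occurrence of ``value`` in params, not only
            # this parameter's — a value shared by two keys is tampered twice.
            probe = "%s%s%s%s" % (value, prefix, "".join(random.sample(pool, len(pool))), suffix)
            tampered = params.replace(value, probe)
            res = requestUrl(req, tampered)
            if not res:
                continue
            content = res.text
            for sample in re.finditer("%s(.+?)%s" % (prefix, suffix), content, re.I | re.S):
                if found:
                    break
                # Escape the reflected fragment once per sample; it is
                # interpolated into every XSS_PATTERNS regex below.
                escaped = sample.group(0)
                for char in REGEX_SPECIAL_CHARS:
                    escaped = escaped.replace(char, "\\%s" % char)
                reflected = sample.group(1)
                for regex, condition, info in XSS_PATTERNS:
                    context = re.search(regex % {"chars": escaped}, content, re.I | re.S)
                    if not (context and reflected.strip()):
                        continue
                    if _contains(reflected, condition):
                        filtering = "no" if all(char in reflected for char in LARGER_CHAR_POOL) else "some"
                        DEBUG(info % {"filtering": filtering})
                        found = True
                        if response is None:
                            response = res
                        details.append(u"漏洞参数:%s" % match.group('key'))
                        break
    if response is not None:
        return Result(response, details)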
def run_url(req,rule):
    """Probe each parameter of *req* for SQL injection and collect findings.

    Two checks run per ``PARAMS_PATTERN`` match, in order: an error-based
    check (a shuffled ``TAMPER_SQL_CHAR_POOL`` appended to the value, the
    response examined by ``sql_error_check``) and, only when that finds
    nothing, a boolean-based blind check (paired true/false payloads built
    from ``PREFIXES`` x ``BOOLEAN_TESTS`` x ``SUFFIXES``, compared with the
    untampered response by HTTP code, title, body length and finally a
    ``difflib`` similarity ratio against ``FUZZY_THRESHOLD``).

    Args:
        req: request object exposing ``params``; passed to ``retrieve_content``.
        rule: not used by this check.

    Returns:
        ``Result(response, details)`` when at least one parameter is flagged
        (``response`` is the first flagged response, ``details`` one message
        per flagged parameter); implicitly ``None`` otherwise.

    Indentation below was reconstructed from a single-line listing; the
    ``continue`` after an error-based hit is placed inside ``if dbms:``,
    the only reading under which the blind check still runs when no error
    was found.
    """
    vulnerable = False
    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        # sql error
        # NOTE: str.replace substitutes every occurrence of the value inside
        # ``params``, not only this parameter's; a value shared by two keys
        # (or an empty value) tampers more than intended.
        tampered = params.replace(match.group('value'), "%s%s" % (match.group('value'), "".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL)))))
        content = retrieve_content(req,tampered)
        if content is not None:
            dbms = sql_error_check(content[HTML])
            if dbms:
                details.append(u"错误模式注入,数据库类型:%s,注入参数:%s" % (dbms, match.group('key')))
                if response is None:
                    response = content[RESPONSE]
                # error-based hit: skip the costlier blind check for this key
                continue
        # cookie inject
        # referer inject
        # blind sql inject
        # The baseline is fetched per parameter (one extra request each), so
        # each comparison uses a fresh copy of the untampered page.
        original = retrieve_content(req)
        if original is None:
            continue
        # Two distinct values: the "true" payload compares left with itself,
        # the "false" payload compares left with right.
        left, right = random.sample(xrange(256), 2)
        vulnerable = False
        for prefix, boolean, suffix in itertools.product(PREFIXES, BOOLEAN_TESTS, SUFFIXES):
            # After a hit the remaining combinations are still iterated but
            # skipped; a ``break`` would be equivalent.
            if not vulnerable:
                template = "%s%s%s" % (prefix, boolean, suffix)
                payloads = dict((x, params.replace(match.group('value'), "%s%s" % (match.group('value'), (template % (left, left if x else right))))) for x in (True, False))
                contents = dict((x, retrieve_content(req, payloads[x])) for x in (True, False))
                if any(contents[x] is None for x in (True, False)):
                    continue
                # Cheap signals first: a status code, title or body length that
                # matches the baseline for the true payload but not the false.
                if any(original[x] == contents[True][x] != contents[False][x] for x in (HTTPCODE, TITLE)) or len(original[TEXT]) == len(contents[True][TEXT]) != len(contents[False][TEXT]):
                    vulnerable = True
                else:
                    # Fall back to fuzzy similarity of each body to the baseline.
                    ratios = dict((x, difflib.SequenceMatcher(None, original[TEXT], contents[x][TEXT]).quick_ratio()) for x in (True, False))
                    vulnerable = ratios[True] > FUZZY_THRESHOLD and ratios[False] < FUZZY_THRESHOLD
                if vulnerable:
                    details.append(u"盲注,注入参数:%s" % match.group('key'))
                    if response is None:
                        response = contents[False][RESPONSE]
        #end for
    #end for
    if response is not None:
        return Result(response,details)
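def run_url(req, rule):
    """Look for parameters of *req* whose value is reflected unfiltered.

    Each ``PARAMS_PATTERN`` match in ``req.params`` has its value suffixed
    with a random ``prefix``/``suffix`` marker around a shuffled pool
    (``LARGER_CHAR_POOL``, then ``SMALLER_CHAR_POOL`` only if no finding
    yet).  Fragments between the markers in the response are tested against
    ``XSS_PATTERNS`` ``(regex, condition, info)`` triples; a fragment counts
    when the regex matches and every ``condition`` character survives
    unescaped.  At most one finding is recorded per parameter.

    Args:
        req: request object exposing ``params``; handed to ``requestUrl``.
        rule: unused; present for the common ``run_url`` signature.

    Returns:
        ``Result(response, details)`` — first flagged response plus one
        message per flagged parameter — or implicitly ``None``.
    """
    def _contains(content, chars):
        """True when every char of *chars* is present unescaped in *content*."""
        if chars:
            # Remove backslash-escaped copies of the chars before testing.
            # Chars are escaped so that ']' or '\\' cannot break the class.
            # The earlier version passed ``re.S`` as the positional ``count``
            # argument (= 16), limiting how many escaped copies were removed;
            # a character class needs no flag, so none is given.
            cls = "".join(re.escape(char) for char in chars)
            content = re.sub(r"\\[%s]" % cls, "", content)
        return all(char in content for char in chars)

    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        value = match.group('value')
        if not value:
            # params.replace("", probe) would insert the probe between every
            # character of params; skip values that are empty.
            continue
        found = False
        prefix, suffix = ["".join(random.sample(string.ascii_lowercase, PREFIX_SUFFIX_LENGTH)) for i in xrange(2)]
        for pool in (LARGER_CHAR_POOL, SMALLER_CHAR_POOL):
            if found:
                break
            shuffled = "".join(random.sample(pool, len(pool)))
            # NOTE: every occurrence of ``value`` in params is replaced, not
            # just this parameter's.
            tampered = params.replace(value, "%s%s%s%s" % (value, prefix, shuffled, suffix))
            res = requestUrl(req, tampered)
            if not res:
                continue
            content = res.text
            for sample in re.finditer("%s(.+?)%s" % (prefix, suffix), content, re.I | re.S):
                if found:
                    break
                # Escape regex metacharacters in the whole reflected sample once;
                # it is substituted into each pattern's ``%(chars)s`` slot.
                escaped = sample.group(0)
                for char in REGEX_SPECIAL_CHARS:
                    escaped = escaped.replace(char, "\\%s" % char)
                reflected = sample.group(1)
                for regex, condition, info in XSS_PATTERNS:
                    context = re.search(regex % {"chars": escaped}, content, re.I | re.S)
                    if not context or not reflected.strip():
                        continue
                    if _contains(reflected, condition):
                        unfiltered = all(char in reflected for char in LARGER_CHAR_POOL)
                        DEBUG(info % {"filtering": "no" if unfiltered else "some"})
                        found = True
                        if response is None:
                            response = res
                        details.append(u"漏洞参数:%s" % match.group('key'))
                        break
    if response is not None:
        return Result(response, details)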
def run_url(req, rule):
    """Run the error-based and boolean-blind SQL injection checks on *req*.

    Per ``PARAMS_PATTERN`` match in ``req.params``: first the value is
    suffixed with a shuffled ``TAMPER_SQL_CHAR_POOL`` and the response is
    passed to ``sql_error_check``; on a hit the parameter is recorded and the
    blind check is skipped.  Otherwise a baseline page is fetched and, for
    each ``PREFIXES`` x ``BOOLEAN_TESTS`` x ``SUFFIXES`` combination, a
    true payload and a false payload are sent; the parameter is flagged when
    status code, title or body length match the baseline only for the true
    payload, or when the ``difflib`` ratio is above ``FUZZY_THRESHOLD`` for
    the true payload and below it for the false one.

    Args:
        req: request object exposing ``params``; passed to ``retrieve_content``.
        rule: unused by this check.

    Returns:
        ``Result(response, details)`` — the first flagged response and one
        message per flagged parameter — or implicitly ``None``.

    The code was re-indented from a one-line listing; the ``continue`` after
    an error-based hit is placed inside ``if dbms:``, which is the only
    placement under which the blind check runs when no error was seen.
    """
    vulnerable = False
    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        # sql error
        # NOTE: str.replace rewrites every occurrence of the value in
        # ``params``, so a value shared by several keys (or an empty value)
        # is tampered in more places than this parameter alone.
        tampered = params.replace(
            match.group('value'), "%s%s" % (match.group('value'), "".join(
                random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL)))))
        content = retrieve_content(req, tampered)
        if content is not None:
            dbms = sql_error_check(content[HTML])
            if dbms:
                details.append(u"错误模式注入,数据库类型:%s,注入参数:%s" % (dbms, match.group('key')))
                if response is None:
                    response = content[RESPONSE]
                # error-based hit: the blind check is not run for this key
                continue
        # cookie inject
        # referer inject
        # blind sql inject
        # Baseline re-fetched per parameter (an extra request each time).
        original = retrieve_content(req)
        if original is None:
            continue
        # Two distinct values; the true payload compares left with left, the
        # false payload compares left with right.
        left, right = random.sample(xrange(256), 2)
        vulnerable = False
        for prefix, boolean, suffix in itertools.product(
                PREFIXES, BOOLEAN_TESTS, SUFFIXES):
            # Remaining combinations are iterated but skipped once flagged.
            if not vulnerable:
                template = "%s%s%s" % (prefix, boolean, suffix)
                payloads = dict(
                    (x, params.replace(
                        match.group('value'), "%s%s" % (match.group('value'), (template % (left, left if x else right)))))
                    for x in (True, False))
                contents = dict((x, retrieve_content(req, payloads[x])) for x in (True, False))
                if any(contents[x] is None for x in (True, False)):
                    continue
                # Cheap signals first: code, title or body length equal to the
                # baseline for the true payload and different for the false.
                if any(original[x] == contents[True][x] != contents[False][x] for x in (HTTPCODE, TITLE)) or len(
                        original[TEXT]) == len(contents[True][TEXT]) != len(
                            contents[False][TEXT]):
                    vulnerable = True
                else:
                    # Fuzzy fallback: quick_ratio of each body to the baseline.
                    ratios = dict((x, difflib.SequenceMatcher(
                        None, original[TEXT], contents[x][TEXT]).quick_ratio()) for x in (True, False))
                    vulnerable = ratios[True] > FUZZY_THRESHOLD and ratios[False] < FUZZY_THRESHOLD
                if vulnerable:
                    details.append(u"盲注,注入参数:%s" % match.group('key'))
                    if response is None:
                        response = contents[False][RESPONSE]
        #end for
    #end for
    if response is not None:
        return Result(response, details)