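def audit(self):
    """Probe URL-valued GET parameters of the captured request for open redirects.

    Runs only when the request has a query string, its path extension is listed
    in ``acceptedExt`` and the method is GET. Each parameter whose value starts
    with ``http`` (directly, or after ``is_base64`` decoding) is replaced by a
    URL on an external domain; the reply is then classified as a header
    (301/302), ``<meta refresh>`` or ``window.location`` redirect and every hit
    is reported through ``out.success``. Returns None.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # complete request URL
    p = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    # Nothing to inject into without a query string.
    if p.query == '':
        return
    exi = os.path.splitext(p.path)[1]
    if exi not in acceptedExt:
        return
    if method != "GET":
        return

    url_re = re.compile('^http.+', re.I)
    for k, v in params.items():
        # Only parameters that already carry a URL (plain or base64-encoded) are candidates.
        if not url_re.match(v):
            ret = is_base64(v)
            if not (ret and url_re.match(ret)):
                continue
        data = copy.deepcopy(params)
        payload = "https://www.baidu.com/?q={}".format(url)
        data[k] = payload
        # NOTE(review): netloc is passed as the request URL — presumably it
        # carries the scheme and path; confirm against the request wrapper.
        r = requests.get(netloc, params=data, headers=headers, allow_redirects=False)
        # Fix: the original tested ``in [301.302]`` (a single float literal), so
        # the header-redirect branch could never match. Only the status is
        # checked; the Location header is not inspected for the payload, so any
        # 301/302 reply counts as a hit.
        if r.status_code in (301, 302):
            out.success(url, self.name, payload="{}:{}".format(k, payload), type="header头跳转")
        if r.status_code == 200:
            if re.search('<meta http-equiv=["\']Refresh["\'] content=["\']\d+;url=.*?["\']>', r.text, re.I | re.S):
                out.success(url, self.name, payload="{}:{}".format(k, payload), type="html meta跳转")
            # Matches any page that uses window.location, not only one that
            # reflects the payload, so this check is prone to false positives.
            if re.search('window\.location\.(href|replace)', r.text, re.I | re.S):
                out.success(url, self.name, payload="{}:{}".format(k, payload), type="javascript window跳转")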
def audit(self):
    """Check URL-valued GET parameters of the current request for open redirects.

    Returns early when the request has no query string, its path extension is
    not in ``acceptedExt``, or the method is not GET. Every parameter whose
    value starts with ``http`` (plainly or after base64 decoding) is swapped for
    ``self.test_domain`` and the reply is classified with the
    ``_30x_code_redirect`` / ``_refresh_redirect`` / ``_javascript_redirect``
    helpers; header and meta-refresh hits are reported via ``out.success``,
    while a JavaScript hit is evaluated but deliberately not reported.
    Also stores the full request URL on ``self.uri``. Returns None.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    self.uri = url = self.build_url()  # complete request URL, also kept on self
    _body = self.response.get_body_data()  # response body (bytes); fetched but unused here
    _text = self.response.get_body_str()  # response body (str, decoded); fetched but unused here
    _resp_headers = self.response.get_headers()  # response headers (dict); fetched but unused here
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return
    if method != "GET":
        return

    def looks_like_url(value):
        # Case-insensitive "starts with http and has something after it".
        return re.match('^http.+', value, re.I)

    for key, value in params.items():
        # Candidates are values that already hold a URL, plain or base64-encoded.
        if not looks_like_url(value):
            decoded = is_base64(value)
            if not (decoded and looks_like_url(decoded)):
                continue
        probe = copy.deepcopy(params)
        payload = self.test_domain
        probe[key] = payload
        reply = requests.get(netloc, params=probe, headers=headers, allow_redirects=False)

        kind = None
        if self._30x_code_redirect(reply):
            kind = "header头跳转"
        elif self._refresh_redirect(reply):
            kind = "html meta跳转"
        elif self._javascript_redirect(reply):
            # Evaluated for parity with the other checks but never reported.
            kind = None
        if kind is not None:
            out.success(url, self.name, payload="{}:{}".format(key, payload), type=kind)
def _check(self, k, v, method, url, data):
    """Report a single parameter that looks base64-encoded or like a serialized object.

    Args:
        k: parameter name.
        v: parameter value as sent.
        method: request method; only "GET" and "POST" produce a report.
        url: full request URL, passed through to ``out.success``.
        data: request body, included (stringified) in POST reports only.

    A value that ``is_base64`` decodes to at least 6 characters is reported with
    its decoded form; a value recognised by the Java/PHP/Python deserialization
    probes (checked in that order, first match wins) is reported with the
    matching label. Returns None.
    """
    parameter = k + ":" + v

    def report(**fields):
        # GET reports carry only the parameter; POST reports also attach the body.
        if method == "GET":
            out.success(url, self.name, method=method, parameter=parameter, **fields)
        elif method == "POST":
            out.success(url, self.name, method=method, parameter=parameter, **fields, data=str(data))

    decoded = is_base64(v)
    if decoded and len(decoded) >= 6:
        report(base64decode=decoded)

    probes = (
        ("JavaObjectDeserialization", isJavaObjectDeserialization),
        ("PHPObjectDeserialization", isPHPObjectDeserialization),
        ("PythonObjectDeserialization", isPythonObjectDeserialization),
    )
    whats = next((label for label, probe in probes if probe(v)), None)
    if whats:
        report(what=whats)