文件: crawler.py 项目: 0ps/leakScan
 def filterParams(self):
     """
     Build ``self.orderParams``, a canonical form of ``self.params`` used to
     recognise requests that differ only in parameter order (or, for GET,
     only in values of the same type).

     GET (``self.method`` equals DEFAULT_METHOD):
         every ``key=value`` pair becomes ``key=<type>`` through
         ``self.paramsType`` and the pairs are sorted, so id=68 and id=86
         give the same string (key and value *type* matter).
     any other method:
         only the sorted keys are kept, so name=skycrab&age=10 and
         name=10&age=skycrab give the same string (key only).

     Uses module-level PARAMS_PATTERN (two capture groups: key and value)
     and DEFAULT_METHOD.  Returns None; the result is stored on self.
     """
     is_default = self.method.upper() == DEFAULT_METHOD
     if is_default:
         # Sort the (key, value) tuples, then replace each value by its type.
         pairs = sorted(PARAMS_PATTERN.findall(self.params))
         fragments = ["%s=%s" % (key, self.paramsType(value)) for key, value in pairs]
     else:
         # Values are irrelevant here; only the ordered key set is kept.
         keys = [found.group('key') for found in PARAMS_PATTERN.finditer(self.params)]
         fragments = sorted(keys)
     self.orderParams = "&".join(fragments)
 def filterParams(self):
     """
     Normalise ``self.params`` into ``self.orderParams`` so that requests
     which differ only in parameter order (or, for GET, only in values of
     the same type) compare equal.

     GET (``self.method`` equals DEFAULT_METHOD):
         ``key=value`` becomes ``key=<type>`` via ``self.paramsType`` and
         the pairs are sorted -- id=68 and id=86 collapse together.
     anything else:
         only the sorted keys survive -- name=skycrab&age=10 and
         name=10&age=skycrab collapse together.

     Relies on module-level PARAMS_PATTERN (two capture groups, key and
     value) and DEFAULT_METHOD.  Returns None.
     """
     matcher = PARAMS_PATTERN
     if self.method.upper() != DEFAULT_METHOD:
         # Non-GET: value content is ignored, only the key set matters.
         keys = sorted(item.group('key') for item in matcher.finditer(self.params))
         self.orderParams = "&".join(keys)
         return
     # GET: keep the key and the *type* of the value, never the value itself.
     pairs = matcher.findall(self.params)
     pairs.sort()
     self.orderParams = "&".join(
         "%s=%s" % (key, self.paramsType(value)) for key, value in pairs)
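def run_url(req, rule):
    """
    Check every query parameter of ``req`` for reflected XSS.

    Each ``key=value`` pair found by PARAMS_PATTERN is probed by appending
    a random lowercase marker, a shuffled character pool and a second
    marker to the value.  The response body is then searched for text
    between the two markers; a parameter is reported when one of the
    XSS_PATTERNS templates matches that reflection in context and every
    character the template's condition requires came back unescaped.

    Args:
        req: request object; only ``req.params`` is read here, the object
            itself is handed to ``requestUrl``.
        rule: not used by this check (kept for the shared run_url signature).

    Returns:
        ``Result(response, details)`` when at least one parameter was
        flagged -- ``details`` holds one entry per flagged parameter and
        ``response`` is the first response that triggered -- else ``None``.

    Module-level names used: PARAMS_PATTERN, PREFIX_SUFFIX_LENGTH,
    LARGER_CHAR_POOL, SMALLER_CHAR_POOL, XSS_PATTERNS, REGEX_SPECIAL_CHARS,
    requestUrl, DEBUG, Result.
    """
    def _contains(content, chars):
        # Drop backslash-escaped occurrences first so that only characters
        # reflected *unescaped* count.  ``flags=`` must be named: the 4th
        # positional argument of re.sub is ``count``, so the earlier
        # ``re.sub(..., content, re.S)`` silently stopped after 16
        # substitutions.  The chars are re.escape'd so that a condition
        # containing ']', '\\', '^' or '-' cannot break the character class.
        if chars:
            content = re.sub(r"\\[%s]" % re.escape("".join(chars)), "",
                             content, flags=re.S)
        return all(char in content for char in chars)

    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        found = False
        # Random lowercase markers bracket the payload so its reflection can
        # be located with a plain regex (letters only, no escaping needed).
        prefix, suffix = [
            "".join(random.sample(string.ascii_lowercase,
                                  PREFIX_SUFFIX_LENGTH)) for _ in xrange(2)
        ]
        # The larger pool is tried first; the smaller one only runs while
        # nothing has been reported for this parameter.
        for pool in (LARGER_CHAR_POOL, SMALLER_CHAR_POOL):
            if found:
                continue
            # NOTE(review): str.replace rewrites *every* occurrence of the
            # value in the query string, not just this parameter's, and if
            # PARAMS_PATTERN can match an empty value the payload would be
            # inserted between every character -- TODO confirm the pattern
            # requires a non-empty value.
            tampered = params.replace(
                match.group('value'),
                "%s%s%s%s" % (match.group('value'), prefix, "".join(
                    random.sample(pool, len(pool))), suffix))
            res = requestUrl(req, tampered)
            if not res:
                continue
            content = res.text
            # Every reflection of the marked payload in the body.
            for sample in re.finditer("%s(.+?)%s" % (prefix, suffix),
                                      content, re.I | re.S):
                # The reflected sample is backslash-escaped by hand over
                # REGEX_SPECIAL_CHARS before it fills the %(chars)s slot of
                # each context template; it does not depend on the pattern,
                # so it is computed once per sample.
                escaped_sample = reduce(
                    lambda filtered, char: filtered.replace(char, "\\%s" % char),
                    REGEX_SPECIAL_CHARS, sample.group(0))
                for regex, condition, info in XSS_PATTERNS:
                    context = re.search(regex % {"chars": escaped_sample},
                                        content, re.I | re.S)
                    if context and not found and sample.group(1).strip():
                        if _contains(sample.group(1), condition):
                            # "no" filtering only when the whole larger pool
                            # survived; anything less is reported as "some".
                            filtering = "no" if all(
                                char in sample.group(1)
                                for char in LARGER_CHAR_POOL) else "some"
                            msg = info % {"filtering": filtering}
                            DEBUG(msg)
                            found = True
                            if response is None:
                                response = res
                            details.append(u"漏洞参数:%s" % match.group('key'))
                            # One hit per parameter is enough; ``found`` now
                            # gates the remaining samples and pools.
                            break
    if response is not None:
        return Result(response, details)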
def run_url(req,rule):
    """
    SQL-injection check for every query parameter of ``req``.

    Two probes run per ``key=value`` pair found by PARAMS_PATTERN:

    1. error-based: the value is extended with the shuffled
       TAMPER_SQL_CHAR_POOL and ``sql_error_check`` is run on the returned
       HTML; a truthy result (formatted as the database type) is reported
       and the blind probe for that parameter is skipped.
    2. boolean-based blind: for each (prefix, boolean, suffix) template a
       "true" and a "false" payload are sent (two requests per template)
       and both responses are compared with a baseline fetched without a
       payload -- first by HTTP code / title / body length, then by a
       difflib quick_ratio against FUZZY_THRESHOLD.

    Args:
        req: request object; ``req.params`` is read here and the object is
            passed through to ``retrieve_content``.
        rule: not used by this check.

    Returns:
        ``Result(response, details)`` when at least one parameter was
        flagged, otherwise ``None``.  ``details`` holds one entry per hit;
        ``response`` is the first triggering response.

    NOTE(review): ``retrieve_content`` presumably returns an indexable
    bundle addressed with the module constants HTML, RESPONSE, HTTPCODE,
    TITLE and TEXT, or ``None`` on failure -- confirm against its definition.
    """
    vulnerable = False  # never read before the per-parameter reset below
    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        # --- error-based probe ---
        # str.replace touches every occurrence of the value in the query
        # string, not only this parameter's.
        tampered = params.replace(match.group('value'), "%s%s" % (match.group('value'), "".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL)))))
        content = retrieve_content(req,tampered)
        if content is not None:
            dbms = sql_error_check(content[HTML])
            if dbms:
                details.append(u"错误模式注入,数据库类型:%s,注入参数:%s" % (dbms, match.group('key')))
                if response is None:
                    response = content[RESPONSE]
                # An error-based hit is treated as conclusive: skip the
                # blind probe for this parameter.
                continue

        # cookie inject -- placeholder, nothing implemented here

        # referer inject -- placeholder, nothing implemented here

        # --- boolean-based blind probe ---
        # The baseline is re-fetched for every parameter (one extra request
        # per parameter).
        original = retrieve_content(req)
        if original is None:
            continue
        # Two distinct integers in 0..255 fill the template's two %-slots:
        # the "true" payload gets (left, left), the "false" one (left, right).
        left, right = random.sample(xrange(256), 2)
        vulnerable = False
        for prefix, boolean, suffix in itertools.product(PREFIXES, BOOLEAN_TESTS, SUFFIXES):
            # Once one template flags the parameter the remaining
            # combinations are still iterated but skipped.
            if not vulnerable:
                template = "%s%s%s" % (prefix, boolean, suffix)
                payloads = dict((x, params.replace(match.group('value'), "%s%s" % (match.group('value'), (template % (left, left if x else right))))) for x in (True, False))
                contents = dict((x, retrieve_content(req, payloads[x])) for x in (True, False))

                # Either request failed: move on to the next template.
                if any(contents[x] is None for x in (True, False)):
                    continue

                # Cheap comparison first: a status code, title or body length
                # that the baseline shares with the "true" response but not
                # with the "false" one.
                if any(original[x] == contents[True][x] != contents[False][x] for x in (HTTPCODE, TITLE)) or len(original[TEXT]) == len(contents[True][TEXT]) != len(contents[False][TEXT]):
                    vulnerable = True
                else:
                    # Fuzzy fallback.  quick_ratio() is only an upper bound
                    # on ratio(), so similarity can be over-estimated here.
                    ratios = dict((x, difflib.SequenceMatcher(None, original[TEXT], contents[x][TEXT]).quick_ratio()) for x in (True, False))
                    vulnerable = ratios[True] > FUZZY_THRESHOLD and ratios[False] < FUZZY_THRESHOLD
                if vulnerable:
                    details.append(u"盲注,注入参数:%s" % match.group('key'))
                    if response is None:
                        response = contents[False][RESPONSE]
        #end for
    #end for

    if response is not None:
        return Result(response,details)
文件: xss.py 项目: 0ps/leakScan
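def run_url(req, rule):
    """
    Reflected-XSS check over every query parameter of ``req``.

    For each ``key=value`` pair matched by PARAMS_PATTERN the value is
    extended with a random lowercase prefix, a shuffled character pool and
    a random suffix.  The response body is searched for text between the
    two markers, and a parameter is reported when an XSS_PATTERNS template
    matches that reflection in context and every character the template's
    condition lists is present unescaped.

    Args:
        req: request object; ``req.params`` is read here, the object is
            passed on to ``requestUrl``.
        rule: unused by this check (shared run_url signature).

    Returns:
        ``Result(response, details)`` if any parameter was flagged
        (``details``: one entry per flagged parameter, ``response``: the
        first triggering response), otherwise ``None``.

    Module-level names used: PARAMS_PATTERN, PREFIX_SUFFIX_LENGTH,
    LARGER_CHAR_POOL, SMALLER_CHAR_POOL, XSS_PATTERNS, REGEX_SPECIAL_CHARS,
    requestUrl, DEBUG, Result.
    """
    def _contains(content, chars):
        # Remove backslash-escaped occurrences so only unescaped characters
        # count.  Two corrections: ``flags`` is passed by name (the 4th
        # positional parameter of re.sub is ``count``, so the old call was
        # limited to 16 substitutions), and the chars are re.escape'd so a
        # condition holding ']', '\\', '^' or '-' keeps the class valid.
        if not chars:
            return True
        stripped = re.sub(r"\\[%s]" % re.escape("".join(chars)), "",
                          content, flags=re.S)
        return all(char in stripped for char in chars)

    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        found = False
        # Lowercase-only markers: safe to drop straight into a regex.
        prefix, suffix = [
            "".join(random.sample(string.ascii_lowercase, PREFIX_SUFFIX_LENGTH))
            for _ in xrange(2)
        ]
        for pool in (LARGER_CHAR_POOL, SMALLER_CHAR_POOL):
            # The smaller pool is only tried while nothing was reported.
            if found:
                continue
            # NOTE(review): str.replace hits every occurrence of the value in
            # the query string, not only this parameter's; if PARAMS_PATTERN
            # can match an empty value the payload is inserted between every
            # character -- TODO confirm the pattern needs a non-empty value.
            payload = "%s%s%s%s" % (match.group('value'), prefix,
                                    "".join(random.sample(pool, len(pool))),
                                    suffix)
            tampered = params.replace(match.group('value'), payload)
            res = requestUrl(req, tampered)
            if not res:
                continue
            content = res.text
            for sample in re.finditer("%s(.+?)%s" % (prefix, suffix),
                                      content, re.I | re.S):
                # Hand-rolled escaping of the reflected sample over
                # REGEX_SPECIAL_CHARS; independent of the template, so it is
                # hoisted out of the XSS_PATTERNS loop.
                escaped_sample = reduce(
                    lambda filtered, char: filtered.replace(char, "\\%s" % char),
                    REGEX_SPECIAL_CHARS, sample.group(0))
                for regex, condition, info in XSS_PATTERNS:
                    context = re.search(regex % {"chars": escaped_sample},
                                        content, re.I | re.S)
                    # Same short-circuit order as before: context, then the
                    # found flag, then a non-blank inner sample, then the
                    # unescaped-character condition.
                    if (context and not found and sample.group(1).strip()
                            and _contains(sample.group(1), condition)):
                        # "no" filtering means the entire larger pool survived.
                        filtering = "no" if all(
                            char in sample.group(1) for char in LARGER_CHAR_POOL
                        ) else "some"
                        DEBUG(info % {"filtering": filtering})
                        found = True
                        if response is None:
                            response = res
                        details.append(u"漏洞参数:%s" % match.group('key'))
                        # One hit per parameter; ``found`` gates the rest.
                        break
    if response is not None:
        return Result(response, details)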
def run_url(req, rule):
    """
    SQL-injection check for every query parameter of ``req``.

    Per ``key=value`` pair found by PARAMS_PATTERN:

    1. error-based probe: the value is extended with the shuffled
       TAMPER_SQL_CHAR_POOL and ``sql_error_check`` inspects the returned
       HTML; a truthy result (formatted as the database type) is reported
       and the blind probe for that parameter is skipped.
    2. boolean-based blind probe: for every (prefix, boolean, suffix)
       template a "true" and a "false" payload are requested (two requests
       per template) and compared with a payload-free baseline -- first by
       HTTP code / title / body length, then by difflib quick_ratio against
       FUZZY_THRESHOLD.

    Args:
        req: request object; ``req.params`` is read here and the object is
            passed through to ``retrieve_content``.
        rule: not used by this check.

    Returns:
        ``Result(response, details)`` when at least one parameter was
        flagged, otherwise ``None``.  ``details`` holds one entry per hit;
        ``response`` is the first triggering response.

    NOTE(review): ``retrieve_content`` presumably returns an indexable
    bundle addressed with the module constants HTML, RESPONSE, HTTPCODE,
    TITLE and TEXT, or ``None`` on failure -- confirm against its definition.
    """
    vulnerable = False  # never read before the per-parameter reset below
    details = []
    response = None
    params = req.params
    for match in PARAMS_PATTERN.finditer(params):
        # --- error-based probe ---
        # str.replace touches every occurrence of the value in the query
        # string, not only this parameter's.
        tampered = params.replace(
            match.group('value'), "%s%s" % (match.group('value'), "".join(
                random.sample(TAMPER_SQL_CHAR_POOL,
                              len(TAMPER_SQL_CHAR_POOL)))))
        content = retrieve_content(req, tampered)
        if content is not None:
            dbms = sql_error_check(content[HTML])
            if dbms:
                details.append(u"错误模式注入,数据库类型:%s,注入参数:%s" %
                               (dbms, match.group('key')))
                if response is None:
                    response = content[RESPONSE]
                # An error-based hit is treated as conclusive: skip the
                # blind probe for this parameter.
                continue

        # cookie inject -- placeholder, nothing implemented here

        # referer inject -- placeholder, nothing implemented here

        # --- boolean-based blind probe ---
        # The baseline is re-fetched for every parameter (one extra request
        # per parameter).
        original = retrieve_content(req)
        if original is None:
            continue
        # Two distinct integers in 0..255 fill the template's two %-slots:
        # the "true" payload gets (left, left), the "false" one (left, right).
        left, right = random.sample(xrange(256), 2)
        vulnerable = False
        for prefix, boolean, suffix in itertools.product(
                PREFIXES, BOOLEAN_TESTS, SUFFIXES):
            # Once one template flags the parameter the remaining
            # combinations are still iterated but skipped.
            if not vulnerable:
                template = "%s%s%s" % (prefix, boolean, suffix)
                payloads = dict(
                    (x,
                     params.replace(
                         match.group('value'), "%s%s" %
                         (match.group('value'),
                          (template % (left, left if x else right)))))
                    for x in (True, False))
                contents = dict((x, retrieve_content(req, payloads[x]))
                                for x in (True, False))

                # Either request failed: move on to the next template.
                if any(contents[x] is None for x in (True, False)):
                    continue

                # Cheap comparison first: a status code, title or body length
                # that the baseline shares with the "true" response but not
                # with the "false" one.
                if any(original[x] == contents[True][x] != contents[False][x]
                       for x in (HTTPCODE, TITLE)) or len(
                           original[TEXT]) == len(contents[True][TEXT]) != len(
                               contents[False][TEXT]):
                    vulnerable = True
                else:
                    # Fuzzy fallback.  quick_ratio() is only an upper bound
                    # on ratio(), so similarity can be over-estimated here.
                    ratios = dict((x,
                                   difflib.SequenceMatcher(
                                       None, original[TEXT], contents[x]
                                       [TEXT]).quick_ratio())
                                  for x in (True, False))
                    vulnerable = ratios[True] > FUZZY_THRESHOLD and ratios[
                        False] < FUZZY_THRESHOLD
                if vulnerable:
                    details.append(u"盲注,注入参数:%s" % match.group('key'))
                    if response is None:
                        response = contents[False][RESPONSE]
        #end for
    #end for

    if response is not None:
        return Result(response, details)