这是去年毕设做的一个web漏洞扫描小工具,主要针对简单的sql注入漏洞、sql盲注和xss漏洞,代码是看过github外国大神(听说是smap的编写者之一)的两个小工具源码,根据里面的思路自己写的。以下是使用说明和源代码。
一、使用说明:
1.运行环境:
Linux命令行界面+Python2.7
2.程序源码:
立即学习“Python免费学习笔记(深入)”;
Vim scanner//建立一个名为scanner的文件
Chmod a+xscanner//修改文件权限为可执行的
3.运行程序:
Python scanner//运行文件
若没有携带目标URL信息,界面输出帮助信息,提醒可以可输入的参数。
参数包括:
–h 输出帮助信息
–url 扫描的URL
–data POST请求方法的参数
–cookie HTTP请求头Cookie值
–user-agent HTTP请求头User-Agent值
–random-agent 是否使用浏览器伪装
–referer 目标URL的上一层界面
–proxy HTTP请求头代理值
例如扫描“http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=&Submit=Submit”
Python scanner–url=”http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=&Submit=Submit”–cookie=”security=low;PHPSESSID=menntb9b2isj7qha739ihg9of1″
输出扫描结果如下:
结果显示:
存在XSS漏洞,漏洞匹配漏洞特征库“”>.XSS.
存在SQL注入漏洞,目标网站服务器的数据库类型为MySQL。
存在BLIND SQL注入漏洞。
二、源代码:
代码验证过可以运行,我个人推荐用DVWA测试吧。
#!-*-coding:UTF-8-*- import optparse, random, re, string, urllib, urllib2,difflib,itertools,httplib NAME = "Scanner for RXSS and SQLI"AUTHOR = "Lishuze"PREFIXES = (" ", ") ", "' ", "') ", """) SUFFIXES = ("", "-- -", "#") BOOLEAN_TESTS = ("AND %d=%d", "OR NOT (%d=%d)") TAMPER_SQL_CHAR_POOL = ('(', ')', ''', '"''"') TAMPER_XSS_CHAR_POOL = (''', '"', '>', ']*%(chars)s|%(chars)s[^",""", inside the comment", None), (r"(?s)]*>[^<]*?'[^<']*%(chars)s|%(chars)s[^<']*'[^<]*","".'.xss.'.", enclosed by tags, inside single-quotes", None), (r'(?s)]*>[^<]*?"[^<"]*%(chars)s|%(chars)s[^<"]*"[^<]*',"'.".xss.".', enclosed by tags, inside double-quotes", None), (r"(?s)]*>[^<]*?%(chars)s|%(chars)s[^<]*","".xss.", enclosed by tags", None), (r">[^<]*%(chars)s[^<]*(.xss.<", outside of tags", r"(?s)<script.+?|"), (r"]*'[^>']*%(chars)s[^>']*'[^>]*>", """, inside the tag, inside single-quotes", r"(?s)|"), (r']*"[^>"]*%(chars)s[^>"]*"[^>]*>', "'', inside the tag, inside double-quotes", r"(?s)|"), (r"]*%(chars)s[^>]*>", """, inside the tag, outside of quotes", r"(?s)|") ) DBMS_ERRORS = { "MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient."), "Microsoft SQL Server": (r"Driver.* SQL[-_ ]*Server", r"OLE DB.* SQL Server", r"(W|A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(W|A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*WSystem.Data.SqlClient.", r"(?s)Exception.*WRoadhouse.Cms."), "Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"), "Oracle": (r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*Woci_.*", r"Warning.*Wora_.*") } def _retrieve_content_xss(url, data=None): surl="" for i in xrange(len(url)): if i > url.find('?'): surl+=surl.join(url[i]).replace(' ',"%20") else: surl+=surl.join(url[i]) try: req = urllib2.Request(surl, data, _headers) retval = urllib2.urlopen(req, timeout=30).read() except Exception, ex: retval = getattr(ex, "message", "") return retval or "" def _retrieve_content_sql(url, data=None): retval = {HTTPCODE: httplib.OK} surl="" for i in xrange(len(url)): if i > url.find('?'): surl+=surl.join(url[i]).replace(' ',"%20") else: surl+=surl.join(url[i]) try: req = urllib2.Request(surl, data, _headers) retval[HTML] = urllib2.urlopen(req, timeout=30).read() except Exception, ex: retval[HTTPCODE] = getattr(ex, "code", None) retval[HTML] = getattr(ex, "message", "") match = re.search(r"(?P[^", retval[HTML], re.I) retval[TITLE] = match.group("result") if match else Noneretval[TEXT] = re.sub(r"(?si)|<!--.+?-->||]+>|s+", " ", retval[HTML]) return retval def scan_page_xss(url, data=None): print "Start scanning RXSS:"retval, usable = False, Falseurl = re.sub(r"=(&|Z)", "=1g", url) if url else url data=re.sub(r"=(&|Z)", "=1g", data) if data else data try: for phase in (GET, POST): current = url if phase is GET else (data or "") for match in re.finditer(r"((A|[?&])(?P[w]+)=)(?P[^&]+)", current): found, usable = False, Trueprint "Scanning %s parameter '%s'" % (phase, match.group("parameter")) prefix = ("".join(random.sample(string.ascii_lowercase, 5))) suffix = ("".join(random.sample(string.ascii_lowercase, 5))) if not found: tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("%s%s%s%s" % ("'", prefix, "".join(random.sample(TAMPER_XSS_CHAR_POOL, len(TAMPER_XSS_CHAR_POOL))), suffix)))) content = _retrieve_content_xss(tampered, data) if phase is GET else _retrieve_content_xss(url, tampered) for sample in re.finditer("%s([^ ]+?)%s" % (prefix, suffix), content, re.I): #print sample.group() for regex, info, content_removal_regex in XSS_PATTERNS: context = re.search(regex % {"chars": re.escape(sample.group(0))}, re.sub(content_removal_regex or "", "", content), re.I) if context and not found and sample.group(1).strip(): print "!!!%s parameter '%s' appears to be XSS vulnerable (%s)" % (phase, match.group("parameter"), info) found = retval = Trueif not usable: print " (x) no usable GET/POST parameters found"except KeyboardInterrupt: print " (x) Ctrl-C pressed"return retval def scan_page_sql(url, data=None): print "Start scanning SQLI:"retval, usable = False, Falseurl = re.sub(r"=(&|Z)", "=1g", url) if url else url data=re.sub(r"=(&|Z)", "=1g", data) if data else data try: for phase in (GET, POST): current = url if phase is GET else (data or "") for match in re.finditer(r"((A|[?&])(?Pw+)=)(?P[^&]+)", current): vulnerable, usable = False, Trueoriginal=Noneprint "Scanning %s parameter '%s'" % (phase, match.group("parameter")) tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL)))))) content = _retrieve_content_sql(tampered, data) if phase is GET else _retrieve_content_sql(url, tampered) for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]): if not vulnerable and re.search(regex, content[HTML], re.I): print "!!!%s parameter '%s' could be error SQLi vulnerable (%s)" % (phase, match.group("parameter"), dbms) retval = vulnerable = Truevulnerable = Falseoriginal = original or (_retrieve_content_sql(current, data) if phase is GET else _retrieve_content_sql(url, current)) for prefix,boolean,suffix in itertools.product(PREFIXES,BOOLEAN_TESTS,SUFFIXES): if not vulnerable: template = "%s%s%s" % (prefix,boolean, suffix) payloads = dict((_, current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(template % (1 if _ else 2, 1), safe='%')))) for _ in (True, False)) contents = dict((_, _retrieve_content_sql(payloads[_], data) if phase is GET else _retrieve_content_sql(url, payloads[_])) for _ in (False, True)) if all(_[HTTPCODE] for _ in (original, contents[True], contents[False])) and (any(original[_] == contents[True][_] != contents[False][_] for _ in (HTTPCODE, TITLE))): vulnerable = Trueelse: ratios = dict((_, difflib.SequenceMatcher(None, original[TEXT], contents[_][TEXT]).quick_ratio()) for _ in (True, False)) vulnerable = all(ratios.values()) and ratios[True] > 0.95 and ratios[False] <p>以上所述是小编给大家介绍的Python脚本实现Web漏洞扫描工具,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对PHP中文网的支持!</p><p>更多Python脚本实现Web漏洞扫描工具相关文章请关注PHP中文网!</p>
登录后复制
版权声明:本文内容由互联网用户自发贡献,该文观点仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容, 请发送邮件至253000106@qq.com举报,一经查实,本站将立刻删除。
发布者:PHP中文网,转转请注明出处:https://www.chuangxiangniao.com/p/2280176.html
