#!/usr/bin/env python
# encoding: utf-8
# mail: [email protected]
import json
import sys
import base64
import os
from time import sleep
from libnmap.process import NmapProcess
from libnmap.reportjson import ReportDecoder, ReportEncoder
from libnmap.parser import NmapParser, NmapParserException
from libnmap.plugins.backendpluginFactory import BackendPluginFactory
from util.req import Req
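# Absolute path of the sqlmap executable that sqliCheck() launches.
global_sqlmap = "/usr/bin/sqlmap"
# Extra sqlmap options appended to every invocation (non-interactive run).
global_options = " --batch --smart "
# Prefix of sqlmap's --alert option: sqliCheck() appends the request-file path
# and the closing quote, so the string is deliberately left unterminated here.
# sys.path[0] is already the entry script's directory, so only the file name of
# sys.argv[0] is joined to it; concatenating the whole of sys.argv[0] produced
# a non-existent path whenever the script was started with a directory prefix
# or an absolute path.
global_notify = "--alert='python " + os.path.join(sys.path[0], os.path.basename(sys.argv[0])) + " notify "
# Vulnerability type recorded by the "notify" entry point.
global_flag = "sqli_vul"
# NOTE(review): the database URL carries an account (root) and its secret in
# source control. The "[email protected]" part looks like the hosting page's
# e-mail obfuscation standing in for the original password@host - confirm
# against the real file. Load this URL from the environment or a protected
# configuration file, and use an account limited to the wscan schema.
global_dbcoon = 'mysql+mysqldb://root:[email protected]:3306/wscan'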
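def sqliCheck(request, platform = None):
    """Run sqlmap against one captured HTTP request and return its output.

    Args:
        request: raw HTTP request; it is parsed with ``Req`` and written to a
            file that is handed to sqlmap through ``-r``.
        platform: not used by this function.

    Returns:
        sqlmap's standard output, ``None`` when the request is filtered out
        (method other than GET/POST, static-asset extension, or a non-POST
        request whose URL contains no ``=``), or ``""`` when sqlmap could not
        be started.
    """
    # Function-scope imports: the module does not import these at file level.
    import shlex
    import subprocess

    reqObj = Req(request)
    # Method filter: only GET and POST requests are tested.
    if reqObj.method not in ("GET", "POST"):
        return None
    # Extension filter: static assets are not worth testing.
    if getExtByUri(reqObj.uri) in ["gif","js","jpg","css","png","ico"]:
        return None
    # Parameter filter: a non-POST request without "=" in its URL has nothing
    # to inject into.
    if reqObj.method != "POST" and "=" not in reqObj.url:
        return None
    # NOTE(review): this backend handle is never used in this function. It is
    # kept because create() may have side effects that are not visible here;
    # confirm and drop it if it has none.
    my_services_backend = BackendPluginFactory.create(plugin_name='backend_permission', url=global_dbcoon, echo=False, encoding='utf-8', pool_timeout=3600)
    reqFile = req2file(reqObj.hash,request)
    notify = global_notify + reqFile + "\'"
    # The shell-style command line is still printed as before, but it is no
    # longer handed to a shell.
    cmd = global_sqlmap+ " -r "+reqFile + global_options + notify
    print(cmd)
    try:
        # Build an argument vector instead of running a concatenated string
        # through /bin/sh: a path containing shell metacharacters can then not
        # change which program is started. shlex.split() tokenises the quoted
        # --alert option the way the shell did.
        argv = [global_sqlmap, "-r", reqFile] + shlex.split(global_options + notify)
        proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    except (OSError, ValueError) as err:
        # os.popen() yielded empty output when the command could not run;
        # keep that contract, but say why on stderr.
        sys.stderr.write("sqliCheck: cannot run %s: %s\n" % (global_sqlmap, err))
        return ""
    # communicate() drains the pipe and waits for sqlmap, so neither the pipe
    # nor the child process is left dangling.
    outPut, _ = proc.communicate()
    return outPut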
def getExtByUri(uri):
    """Return the text after the last '.' of the URI's pre-query part.

    The query string (everything from the first '?') is ignored. Returns None
    when that part contains no '.'. The result is not limited to the final
    path segment: a dot in a directory name counts as well.
    """
    path = uri.partition('?')[0]
    _, dot, tail = path.rpartition('.')
    return tail if dot else None
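def req2file(code, request):
    """Write a raw request to ``/tmp/<code>.tmp`` and return that path.

    Args:
        code: name stem of the file (sqliCheck passes the request's hash).
        request: raw request bytes to store.

    Returns:
        The path of the written file.

    Raises:
        OSError: the file cannot be opened, including when the path is a
            symbolic link.
    """
    fileName = "/tmp/"+code+".tmp"
    # /tmp is shared and the file name is predictable. O_NOFOLLOW refuses a
    # symbolic link planted at that path, so the write cannot be redirected
    # to another file.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    # Mode 0600 keeps a newly created file, which may hold cookies or
    # credentials from the captured request, unreadable to other local
    # accounts. The mode only applies when the file is created here.
    fd = os.open(fileName, flags, 0o600)
    fh = os.fdopen(fd, "wb")
    try:
        fh.write(request)
    finally:
        # Close the handle even when the write fails.
        fh.close()
    return fileName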
if __name__ == "__main__":
    # Two call forms are accepted:
    #   <script> <base64(request)>   run sqliCheck() on the decoded request
    #   <script> <word> <file>       record the request stored in <file> as a
    #                                finding; global_notify passes "notify" as
    #                                <word>, but the word itself is not checked
    argc = len(sys.argv)
    if argc == 2:
        print (sqliCheck(base64.b64decode(sys.argv[1])))
    elif argc == 3:
        with open(sys.argv[2], 'rb') as fh:
            data = fh.read()
        my_services_backend = BackendPluginFactory.create(plugin_name='backend_permission', url=global_dbcoon, echo=False, encoding='utf-8', pool_timeout=3600)
        reqObj = Req(data)
        # The whole raw request, headers included, is stored as the finding
        # detail under the request's host.
        my_services_backend.add(reqObj.host, global_flag, "SQLi Vul:\n" + data)
        sys.exit(0)
    else:
        print ("usage: %s base64(request)" % sys.argv[0])
        sys.exit(-1)