-
-
[原创]inject fuzz python脚本
-
发表于: 2018-2-23 16:08
-
0x01
最近写了一个sql inject fuzz 测试的python脚本,首先感谢anybaby提供的fuzz txt。
这个脚本的功能其实burp完全可以实现,仅当学习练手。
0x02
先贴一个大概的流程图
代码中用到Python的几个模块:
optparse:用户交互
requests:http请求
re:正则匹配,不过代码里也没用到正则,就用findall做了一个字符串匹配和处理
time:时间戳,代码里用来做计算请求返回时间
0x03
贴一下代码,代码还没做进一步优化可能还有bug,算是抛砖引玉吧,大家有什么好的想法欢迎多交流。
#coding=utf8
import optparse
import requests
import re
import time
def ReadFuzz(dbtype):
if(dbtype == "mysql"):
GenericBlindText = open("fuzztxt/GenericBlind.fuzz.txt", "r")
MysqlText = open("fuzztxt/MySQL.fuzz.txt", "r")
MysqlMssqlText = open("fuzztxt/MySQL_MSSQL.fuzz.txt", "r")
return GenericBlindText.readlines()+MysqlText.readlines()+MysqlMssqlText.readlines()
elif(dbtype == "mssql"):
GenericBlindText = open("fuzztxt/GenericBlind.fuzz.txt", "r")
MssqlText= open("fuzztxt/MSSQL.fuzz.txt", "r")
MssqlBlindText = open("fuzztxt/MSSQL_blind.fuzz.txt", "r")
MysqlMssqlText = open("fuzztxt/MySQL_MSSQL.fuzz.txt", "r")
return GenericBlindText.readlines()+MssqlText.readlines()+MssqlBlindText.readlines()+MysqlMssqlText.readlines()
elif(dbtype == "oracle"):
GenericBlindText = open("fuzztxt/GenericBlind.fuzz.txt", "r")
OracleText = open("fuzztxt/oracle.fuzz.txt", "r")
return GenericBlindText.readlines()+OracleText.readlines()
elif(dbtype == "xplatform"):
GenericBlindText = open("fuzztxt/GenericBlind.fuzz.txt", "r")
XplatformText = open("fuzztxt/xplatform.fuzz.txt", "r")
return GenericBlindText.readlines()+XplatformText.readlines()
else:
GenericBlindText = open("fuzztxt/GenericBlind.fuzz.txt","r")
MssqlText = open("fuzztxt/MSSQL.fuzz.txt","r")
MssqlBlindText = open("fuzztxt/MSSQL_blind.fuzz.txt","r")
MysqlText = open("fuzztxt/MySQL.fuzz.txt","r")
MysqlMssqlText = open("fuzztxt/MySQL_MSSQL.fuzz.txt","r")
OracleText = open("fuzztxt/oracle.fuzz.txt","r")
XplatformText = open("fuzztxt/xplatform.fuzz.txt","r")
return GenericBlindText.readlines() \
+MssqlText.readlines() \
+MssqlBlindText.readlines() \
+MysqlText.readlines() \
+MysqlMssqlText.readlines() \
+OracleText.readlines() \
+XplatformText.readlines()
def UrlRequest(requesttype,url,dbtype,*parameter):
if url is None:
print "[-] URL Error!";
return False
if dbtype is None:
fuzzlist = ReadFuzz("")
else:
fuzzlist = ReadFuzz(dbtype)
if (requesttype == "get"):
#GET 请求处理
#检查url是否包含提交参数
for parameternum in range(len(parameter)):
fuzzurl = re.findall(parameter[parameternum], url)
if (len(fuzzurl) == 0):
print "[-] Parameter Error!"
return False
resultweb = open("result.html", "a")
resultweb.write("<table border='1'><tr><td>Request url</td><td>Use Time</td><td>ResponseLength</td></tr>")
for parameternum in range(len(parameter)):
for fuzzlistnum in range(len(fuzzlist)):
fuzzurl = url.replace(parameter[parameternum],parameter[parameternum]+fuzzlist[fuzzlistnum])
beforeTime = time.time()
print fuzzurl
try:
urlrequesttest = requests.get(fuzzurl)
except:
continue
urlrequest = urlrequesttest.content
print urlrequesttest.status_code
afterTime = time.time()
useTime = afterTime - beforeTime
resultweb.write("<tr><td>"+fuzzurl+"</td><td>"+str(useTime)+"</td><td>"+str(len(urlrequest))+"</td></tr>")
resultweb.write("</table>")
return True
else:
#POST请求处理
resultweb = open("result.html", "a")
resultweb.write("<table border='1'><tr><td>PostData</td><td>Use Time</td><td>ResponseLength</td></tr>")
parameter = re.split("&",parameter[0])
fuzzdata={} #搞一个字典,先把所有post数据放到字典里
for parameternum in range(len(parameter)):
fuzzdata[re.split("=",parameter[parameternum])[0]]=re.split("=",parameter[parameternum])[1]
for parameternum in range(len(parameter)):
for fuzzlistnum in range(len(fuzzlist)):
fuzzdata[re.split("=",parameter[parameternum])[0]] = \
(re.split("=", parameter[parameternum])[1]+fuzzlist[fuzzlistnum]).replace("\n","")
beforeTime = time.time()
urlrequest = requests.post(url,data=fuzzdata).content
afterTime = time.time()
useTime = afterTime-beforeTime
resultweb.write("<tr><td>" + str(fuzzdata) + "</td><td>" + str(useTime) + "</td><td>" + str(len(urlrequest)) + "</td></tr>")
resultweb.write("</table>")
return True
def main():
parser = optparse.OptionParser('usage%prog '\
'-t <requestype> -u <target url> -d <dbtype> -p <getparameter> -n <postparameter> ')
parser.add_option('-t',dest='Requesttype',type='string')
parser.add_option('-u',dest='Targeturl',type='string')
parser.add_option('-d',dest='Dbtype',type='string')
parser.add_option('-p',dest='Getpar',type='string')
parser.add_option('-n',dest='Postpar',type='string')
(options, args)=parser.parse_args()
Requestype = options.Requesttype
Targeturl = options.Targeturl
Dbtype = options.Dbtype
Getpar = options.Getpar
Postpar = options.Postpar
if (Requestype==None)| (Targeturl==None):
print "[-] check url&request type"
if (Getpar==None)&(Postpar==None):
print "[-] check data"
if (Dbtype==None):
Dbtype = " "
if(Getpar!=None):
print UrlRequest(Requestype,Targeturl,Dbtype,Getpar)
elif(Postpar!=None):
print UrlRequest(Requestype,Targeturl,Dbtype,Postpar)
else:
print "[-] error"
if __name__ == '__main__':
main()[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
|
|
|---|---|
|
|
|
|
|
多指导~~ |
|
|
|
|
|
|
|
|
.....发现还在电脑上。。。尴尬。。。 |
|
|
|
|
|
|
|
|
可以,把你邮箱给我吧 |
|
|
|
|
|
给我私信一个邮箱,我发给你 |
