这是去年毕设做的一个Web漏洞扫描小工具,主要针对简单的SQL注入漏洞、SQL盲注和XSS漏洞,代码是看过github外国大神(听说是SMAP的编写者之一)的两个小工具源码,根据里面的思路自己写的。以下是使用说明和源代码。
一、使用说明:
1.运行环境:
Linux命令行界面+Python2.7
2.程序源码:
Vim scanner//建立一个名为scanner的文件
Chmod a+xscanner//修改文件权限为可执行的
3.运行程序:
Python scanner//运行文件
若没有携带目标URL信息,界面输出帮助信息,提醒可以可输入的参数。
参数包括:
--h 输出帮助信息
--url 扫描的URL
--data POST请求方法的参数
--COOKIE HTTP请求头COOKIE值
--user-agent HTTP请求头User-Agent值
--random-agent 是否使用浏览器伪装
--referer 目标URL的上一层界面
--proxy HTTP请求头代理值
例如扫描“http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=&Submit=Submit”
Python scanner--url="http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=&Submit=Submit"--COOKIE="security=low;PHPSESSID=menntb9b2isj7qha739ihg9of1"
输出扫描结果如下:
结果显示:
存在XSS漏洞,漏洞匹配漏洞特征库“”>.XSS.
存在SQL注入漏洞,目标网站服务器的数据库类型为MySQL。
存在BLIND SQL注入漏洞。
二、源代码:
代码验证过可以运行,我个人推荐用DVWA测试吧。#!-*-coding:UTF-8-*-
import optparse, random, re, string, urllib, urllib2,difflib,itertools,httplib
NAME = "Scanner for RXSS and SQLI"
AUTHOR = "Lishuze"
PREFIXES = (" ", ") ", "' ", "') ", "\"")
SUFFIXES = ("", "-- -", "#")
BOOLEAN_TESTS = ("AND %d=%d", "OR NOT (%d=%d)")
TAMPER_SQL_CHAR_POOL = ('(', ')', '\'', '"''"')
TAMPER_XSS_CHAR_POOL = ('\'', '"', '>', '
GET, POST = "GET", "POST"
COOKIE, UA, REFERER = "COOKIE", "User-Agent", "Referer"
TEXT, HTTPCODE, TITLE, HTML = xrange(4)
_headers = {}
USER_AGENTS = (
"Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0; en-US) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.678.0 Safari/534.21",
)
XSS_PATTERNS = (
(r"","\"\", inside the comment", None),
(r"(?s)","\"\", enclosed by
(r'(?s)',"'', enclosed by
(r"(?s)","\"\", enclosed by
(r">[^<]*%(chars)s[^<]*(<|\Z)", "\">.xss.<\", outside of tags", r"(?s)|"),
(r"]*&#39;[^>&#39;]*%(chars)s[^>&#39;]*&#39;[^>]*>", "\"<.>\", inside the tag, inside single-quotes", r"(?s)|"),
(r&#39;]*"[^>"]*%(chars)s[^>"]*"[^>]*>&#39;, "&#39;<.>&#39;, inside the tag, inside double-quotes", r"(?s)|"),
(r"]*%(chars)s[^>]*>", "\"<.xss.>\", inside the tag, outside of quotes", r"(?s)|")
)
DBMS_ERRORS &#61; {
"MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."),
"Microsoft SQL Server": (r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*\WSystem\.Data\.SqlClient\.", r"(?s)Exception.*\WRoadhouse\.Cms\."),
"Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"),
"Oracle": (r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*")
}
def _retrieve_content_xss(url, data&#61;None):
surl&#61;""
for i in xrange(len(url)):
if i > url.find(&#39;?&#39;):
surl&#43;&#61;surl.join(url[i]).replace(&#39; &#39;,"%20")
else:
surl&#43;&#61;surl.join(url[i])
try:
req &#61; urllib2.Request(surl, data, _headers)
retval &#61; urllib2.urlopen(req, timeout&#61;30).read()
except Exception, ex:
retval &#61; getattr(ex, "message", "")
return retval or ""
def _retrieve_content_sql(url, data&#61;None):
retval &#61; {HTTPCODE: httplib.OK}
surl&#61;""
for i in xrange(len(url)):
if i > url.find(&#39;?&#39;):
surl&#43;&#61;surl.join(url[i]).replace(&#39; &#39;,"%20")
else:
surl&#43;&#61;surl.join(url[i])
try:
req &#61; urllib2.Request(surl, data, _headers)
retval[HTML] &#61; urllib2.urlopen(req, timeout&#61;30).read()
except Exception, ex:
retval[HTTPCODE] &#61; getattr(ex, "code", None)
retval[HTML] &#61; getattr(ex, "message", "")
match &#61; re.search(r"
(?P[^", retval[HTML], re.I)retval[TITLE] &#61; match.group("result") if match else None
retval[TEXT] &#61; re.sub(r"(?si)|||]&#43;>|\s&#43;", " ", retval[HTML])
return retval
def scan_page_xss(url, data&#61;None):
print "Start scanning RXSS:\n"
retval, usable &#61; False, False
url &#61; re.sub(r"&#61;(&|\Z)", "&#61;1\g<1>", url) if url else url
data&#61;re.sub(r"&#61;(&|\Z)", "&#61;1\g<1>", data) if data else data
try:
for phase in (GET, POST):
current &#61; url if phase is GET else (data or "")
for match in re.finditer(r"((\A|[?&])(?P[\w]&#43;)&#61;)(?P[^&]&#43;)", current):
found, usable &#61; False, True
print "Scanning %s parameter &#39;%s&#39;" % (phase, match.group("parameter"))
prefix &#61; ("".join(random.sample(string.ascii_lowercase, 5)))
suffix &#61; ("".join(random.sample(string.ascii_lowercase, 5)))
if not found:
tampered &#61; current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("%s%s%s%s" % ("&#39;", prefix, "".join(random.sample(TAMPER_XSS_CHAR_POOL, len(TAMPER_XSS_CHAR_POOL))), suffix))))
content &#61; _retrieve_content_xss(tampered, data) if phase is GET else _retrieve_content_xss(url, tampered)
for sample in re.finditer("%s([^ ]&#43;?)%s" % (prefix, suffix), content, re.I):
#print sample.group()
for regex, info, content_removal_regex in XSS_PATTERNS:
context &#61; re.search(regex % {"chars": re.escape(sample.group(0))}, re.sub(content_removal_regex or "", "", content), re.I)
if context and not found and sample.group(1).strip():
print "!!!%s parameter &#39;%s&#39; appears to be XSS vulnerable (%s)" % (phase, match.group("parameter"), info)
found &#61; retval &#61; True
if not usable:
print " (x) no usable GET/POST parameters found"
except KeyboardInterrupt:
print "\r (x) Ctrl-C pressed"
return retval
def scan_page_sql(url, data&#61;None):
print "Start scanning SQLI:\n"
retval, usable &#61; False, False
url &#61; re.sub(r"&#61;(&|\Z)", "&#61;1\g<1>", url) if url else url
data&#61;re.sub(r"&#61;(&|\Z)", "&#61;1\g<1>", data) if data else data
try:
for phase in (GET, POST):
current &#61; url if phase is GET else (data or "")
for match in re.finditer(r"((\A|[?&])(?P\w&#43;)&#61;)(?P[^&]&#43;)", current):
vulnerable, usable &#61; False, True
original&#61;None
print "Scanning %s parameter &#39;%s&#39;" % (phase, match.group("parameter"))
tampered &#61; current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL))))))
content &#61; _retrieve_content_sql(tampered, data) if phase is GET else _retrieve_content_sql(url, tampered)
for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
if not vulnerable and re.search(regex, content[HTML], re.I):
print "!!!%s parameter &#39;%s&#39; could be error SQLi vulnerable (%s)" % (phase, match.group("parameter"), dbms)
retval &#61; vulnerable &#61; True
vulnerable &#61; False
original &#61; original or (_retrieve_content_sql(current, data) if phase is GET else _retrieve_content_sql(url, current))
for prefix,boolean,suffix in itertools.product(PREFIXES,BOOLEAN_TESTS,SUFFIXES):
if not vulnerable:
template &#61; "%s%s%s" % (prefix,boolean, suffix)
payloads &#61; dict((_, current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(template % (1 if _ else 2, 1), safe&#61;&#39;%&#39;)))) for _ in (True, False))
contents &#61; dict((_, _retrieve_content_sql(payloads[_], data) if phase is GET else _retrieve_content_sql(url, payloads[_])) for _ in (False, True))
if all(_[HTTPCODE] for _ in (original, contents[True], contents[False])) and (any(original[_] &#61;&#61; contents[True][_] !&#61; contents[False][_] for _ in (HTTPCODE, TITLE))):
vulnerable &#61; True
else:
ratios &#61; dict((_, difflib.SequenceMatcher(None, original[TEXT], contents[_][TEXT]).quick_ratio()) for _ in (True, False))
vulnerable &#61; all(ratios.values()) and ratios[True] > 0.95 and ratios[False] <0.95
if vulnerable:
print "!!!%s parameter &#39;%s&#39; could be error Blind SQLi vulnerable" % (phase, match.group("parameter"))
retval &#61; True
if not usable:
print " (x) no usable GET/POST parameters found"
except KeyboardInterrupt:
print "\r (x) Ctrl-C pressed"
return retval
def init_options(proxy&#61;None, COOKIE&#61;None, ua&#61;None, referer&#61;None):
global _headers
_headers &#61; dict(filter(lambda _: _[1], ((COOKIE, COOKIE), (UA, ua or NAME), (REFERER, referer))))
urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler({&#39;http&#39;: proxy})) if proxy else None)
if __name__ &#61;&#61; "__main__":
print "----------------------------------------------------------------------------------"
print "%s\nBy:%s" % (NAME, AUTHOR)
print "----------------------------------------------------------------------------------"
parser &#61; optparse.OptionParser()
parser.add_option("--url", dest&#61;"url", help&#61;"Target URL")
parser.add_option("--data", dest&#61;"data", help&#61;"POST data")
parser.add_option("--COOKIE", dest&#61;"COOKIE", help&#61;"HTTP COOKIE header value")
parser.add_option("--user-agent", dest&#61;"ua", help&#61;"HTTP User-Agent header value")
parser.add_option("--random-agent", dest&#61;"randomAgent", action&#61;"store_true", help&#61;"Use randomly selected HTTP User-Agent header value")
parser.add_option("--referer", dest&#61;"referer", help&#61;"HTTP Referer header value")
parser.add_option("--proxy", dest&#61;"proxy", help&#61;"HTTP proxy address")
options, _ &#61; parser.parse_args()
if options.url:
init_options(options.proxy, options.COOKIE, options.ua if not options.randomAgent else random.choice(USER_AGENTS), options.referer)
result_xss&#61; scan_page_xss(options.url if options.url.startswith("http") else "http://%s" % options.url, options.data)
print "\nScan results: %s vulnerabilities found" % ("possible" if result_xss else "no")
print "----------------------------------------------------------------------------------"
result_sql &#61; scan_page_sql(options.url if options.url.startswith("http") else "http://%s" % options.url, options.data)
print "\nScan results: %s vulnerabilities found" % ("possible" if result_sql else "no")
print "----------------------------------------------------------------------------------"
else:
parser.print_help()
以上所述是小编给大家介绍的Python脚本实现Web漏洞扫描工具&#xff0c;希望对大家有所帮助&#xff0c;如果大家有任何疑问请给我留言&#xff0c;小编会及时回复大家的。在此也非常感谢大家对PHP中文网的支持&#xff01;
更多Python脚本实现Web漏洞扫描工具相关文章请关注PHP中文网&#xff01;
本文原创发布php中文网&#xff0c;转载请注明出处&#xff0c;感谢您的尊重&#xff01;
京公网安备 11010802041100号 | 京ICP备19059560号-4 | PHP1.CN 第一PHP社区 版权所有