Compile php fuzzer for automatic WEB vulnerability Mining

Source: Internet
Author: User

Vulnerability.
"% U5c00 % u2700 ","/",".. /",". /... /. /","/% 2e/"," % 2e "," % 5C "," % s ","","",""",
"% ","!!!!!!!!!!!!!!!!!! "," # "," % 5C27 "," % 5C % 56 "," "," \ ",;,"; a "," | ",
"?> "," % A0 ");
"<Script> alert (cookies, y + document. cookie); </script> ");
To open stream: "," internal server error "," there was an error when processing
This directive. "," http/1.1 400 "," http/1.1 403 "," http/1.1 500 "," gateway
Error "," command not found "," file not found ");
$ Flags [1] = array ("[obdc", "mysql error", "you have an error in your SQL
Syntax "," odbc drivers error "," [microsoft SQL ",);
$ Flags [2] = array ("javascript: alert (string. fromcharcode (65,66, 67 ))",
"<Script> alert (cookies, y + document. cookie); </script> ");
Now that we know what requests should be constructed and the returned output results, we can write a PHP code used to construct malicious requests to query the HTTP server. In this example, we only construct GET requests, but it is easy to modify if you want to construct other HTTP request methods.
Function MakeRequest ($ url, $ method = "GET "){
$ Url = str_replace ("", "% 20", $ url );
If ($ method = "GET "){
$ Host = substr ($ url, strpos ($ url, ": //") + 3); $ host = substr ($ host,
0, strpos ($ host ,"/"));
$ Request = substr ($ url, strpos ($ host ,"/"));
If (! $ Fp ){
Echo "ERROR. $ url $ errstr ($ errno) $ newline ";
} Else {
$ Out = "GET $ request HTTP/1.1 ";
$ Out. = "Host: $ host ";
$ Out. = "Connection: Close ";
Fwrite ($ fp, $ out );
While (! Feof ($ fp )){
$ Buf. = fgets ($ fp );
}
Fclose ($ fp );
}
}
Return $ buf;
}
By maliciously constructing requests, we can get the results returned by the HTTP server. Next we need to use a function to scan the error code in the list above. If the variable $ result contains content that matches the $ flags array element, the following function returns true.
Function TestResult ($ result ){
Global $ flags;
$ Result = strtolower ($ result );
For ($ I = 0; $ I <count ($ flags); $ I ++ ){
For ($ o = 0; $ o <count ($ flags); $ o ++ ){
If (! (Strpos ($ result, $ flags [$ I] [$ o]) === false )){
Return 1;
}
}
}
Return 0;
}
Everything is ready! Now it's time for us to write code so that we can connect everything. The following code uses the $ lists array to include all URL addresses used for detection.
If ($ localonly = true AND (substr ($ list [$ inc], 0, 17 )! =
"Http: // localhost/" AND substr ($ list [$ inc], 0, 17 )! = "Http: // 127.0.0.1 /"))
Die ("Sorry, this script can only be tested against localhost .");
// SetUpParameters is used to analyze each GET parameter in the URL address and store it in the array $ get and $ getvalues
If (trim ($ url )! = ""){
Echo "$ newline $ url $ newline ";
// Test each possible Vulnerability
For ($ vulni = 0; $ vulni <count ($ vulnchars); $ vulni ++ ){
Switch ($ vulni ){
Case 0: echo "* General web vulnerabilities $ newline"; break;
Case 1: echo "* SQL vulnerabilities $ newline"; break;
Case 2: echo "* XSS vulnerabilities $ newline"; break;
}
// Check every GET parameter in the URL
For ($ o = 0; $ o <count ($ get); $ o ++ ){
For ($ I = 0; $ I <count ($ vulnchars [$ vulni]); $ I ++ ){
// Construct URL addresses through the Vulnerability Detection table
$ Whichparam = $ get [$ o];
$ Testing = $ url ."? ";
// Default values of all other parameters in the combined script
If ($ get [$ z]! = $ Whichparam)
$ Testing. = "&". $ get [$ z]. "=". $ getvalue [$ z];
}
$ Testing. = "&". $ whichparam. "=". $ vulnchars [$ vulni] [$ I];

$ Fun = MakeRequest ($ testing );
If ($ parseforlinks = true) ParseForLinks ($ fun );
$ Error = TestResult ($ fun );
If ($ error! = 0)
Echo "FLAG! ... $ Testing $ newline ";
If ($ error = 0 and $ verbose = true)
Echo "OK .. $ testing $ newline ";
}
}
}
}
}
 
Add the http: // $ host/"> flag to the $ list array. You can also add other request methods, such as POST, SSL, cookie, and file upload vulnerabilities. Writing a web fuzzer is a worthwhile programming task, but it may be an endless task.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.