This is a small web-vulnerability scanner I wrote last year. It looks for simple (error-based) SQL injection, boolean-based blind SQL injection and reflected XSS. It is modelled on two small tools published on GitHub by a foreign developer (said to be one of the sqlmap authors); I studied their source and rewrote the idea in my own code. The usage instructions and the source code follow.
I. Usage instructions:
1. Operating environment:
Linux command line + Python 2.7 (note that Python 2 reached end of life in 2020, so treat this as legacy code and run it in a throw-away environment).
2. Program source:
`vim scanner` — create a file called `scanner` and paste the source code into it.
`chmod a+x scanner` — make the file executable (only needed if you want to run it as `./scanner`; the file must then begin with a `#!/usr/bin/env python` shebang line).
3. Run the program:
`python scanner` — run the file.
If no target URL is supplied, the program prints its help text, which lists the parameters it accepts.
Parameters include:
-h / --help: print the help text
--url: the URL to scan (its query string must contain at least one parameter, e.g. `?id=1`)
--data: the body parameters of a POST request, form-encoded (e.g. `id=1&Submit=Submit`)
--cookie: value of the Cookie request header (needed to scan pages that require a logged-in session)
--user-agent: value of the User-Agent request header
--random-agent: disguise the scanner with a randomly chosen browser User-Agent instead
--referer: value of the Referer request header (the page the request appears to come from)
--proxy: address of an HTTP proxy to send the requests through, e.g. `http://127.0.0.1:8080` (handy for watching the scan in an intercepting proxy); this is a proxy address, not a request-header value
For example, to scan "http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=&Submit=Submit":
`python scanner --url="http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="security=low; PHPSESSID=menntb9b2isj7qha739ihg9of1"` (the PHPSESSID value is the live session cookie of your DVWA login, copied from the browser; a real session id is a credential, so keep it out of public posts and shell history).
The scan output is as follows:
The results show:
There is an XSS vulnerability: the reflected payload matched the pattern `">.xss.<"`, i.e. it landed in page text outside of any tag.
There is an (error-based) SQL injection vulnerability; the database error message identifies the backend as MySQL.
There is a boolean-based blind SQL injection vulnerability (the page differs between a true and a false injected condition).
II. Source code:
The code has been verified to run; I recommend testing it against DVWA (a deliberately vulnerable application). Every request the tool sends carries an attack payload, so only point it at systems you are authorized to test.
#!-*-coding:utf-8-*-import Optparse, random, Re, string, Urllib, urllib2,difflib,itertools,httplib NAME = "Scanner fo
R RXSS and sqli "AUTHOR =" Lishuze "prefixes = (" ",") "," ' "," ') "," \ "") Suffixes = ("", "---", "#")
Boolean_tests = ("and%d=%d", "OR Not (%d=%d)") Tamper_sql_char_pool = (' (', ') ', ' \ ', ' ', ' "')
Tamper_xss_char_pool = (' \ ', ' "', ' > ', ' < ', '; ')
Get, post = ' get ', ' post ' cookie, UA, REFERER = ' cookie ', ' user-agent ', ' REFERER '
TEXT, Httpcode, TITLE, HTML = xrange (4) _headers = {} User_agents = ("mozilla/5.0" (X11; Linux i686; rv:38.0) gecko/20100101 firefox/38.0 "," mozilla/5.0 (Windows NT 6.1; WOW64) applewebkit/537.36 (khtml, like Gecko) chrome/45.0.2454.101 safari/537.36 "," mozilla/5.0 (Macintosh; U Intel Mac OS X 10_7_0; En-US) Applewebkit/534.21 (khtml, like Gecko) chrome/11.0.678.0 safari/534.21 "," Xss_patterns = (R <!--[^>]*% (chars) s |%( Chars) s[^<]*--> "," \ "<!--.". XSS. '. -->\ ", Inside the comment", None), (R? s) <script[^>]*>[^<]*? ' [^< ']*% (chars) s|% ( chars) s[^< ']* ' [^<]*</script> ', ' <script> '. XSS. '. </script>\ ", enclosed by <script> tags, inside single-quotes", None), (R ' s) <script[^>]*>[^<] *?" [^< "]*% (chars) s|% ( Chars) s[^< "]*" [^<]*</script> ', ' <script>.\ '. xss.\ ".</script>", enclosed by <script> tags, inside double-quotes ", None), (R" (s) <script[^>]*>[^<]*?% ( Chars) s|% ( Chars) s[^<]*</script> "," \ <script>.xss.</script>\ ", enclosed by <script> tags", None), (R ">[^<]*% (chars) s[^<]* (<|\z)", ">.xss.<\", outside of tags ", r" (s) <script.+?</script>| <!--. *?--> "), (r" <[^>]* ' [^> ']*% (chars) s[^> ']* ' "[^>]*≫ "," \ ". XSS. '. >\ ", inside the tag, inside Single-quotes", R "(s) <script.+?</script>|<!--. *?-->), (R ' <[^>]* "[^>"]*% (chars) s[^> "]*", "[^>]*>" <.\ "xss.\", .> the tag, inside inside ", R" (s) < script.+?</script>|<!--. *?--> "), (R" <[^>]*% (chars) s[^>]*> "," \ <.xss.>\ ", inside the tag, outside of quotes ", R" (s) <script.+?</script>|<!--. *?-->)) dbms_errors = {"MySQL": (r "SQL Synt Ax.*mysql ", R" warning.*mysql_.* ", r" valid MySQL result ", R" mysqlclient\. ")," Microsoft SQL Server ": (r" Driver.* sql[\ -\_\]*server ", r" OLE db.* SQL Server, R "(\w|\a) SQL Server.*driver", r "warning.*mssql_.*", R "(\w|\a) SQL server.*[ 0-9a-fa-f]{8} ", R" (s) exception.*\wsystem\. Data\. Sqlclient\. ", R" (s) exception.*\wroadhouse\. Cms\. 
")," Microsoft Access ": (r" Microsoft Access Driver ", r" JET Database Engine ", r" Access database Engine ")," O Racle ": (r" Ora-[0-9][0-9][0-9][0-9] ", r" Oracle erRor ", R" Oracle.*driver ", R" warning.*\woci_.* ", R" warning.*\wora_.* ")} def _retrieve_content_xss (URL, data=none): su Rl= "" For I in Xrange (len (URL)): If I > Url.find ('? '): Surl+=surl.join (Url[i]). Replace (","%20 ") Else:surl+=surl.join (url[i]) Try:req = Urllib2. Request (sURL, data, _headers) retval = Urllib2.urlopen (req, timeout=30). Read () except Exception, Ex:ret val = GetAttr (ex, "message", "") return retval or "def _retrieve_content_sql (URL, data=none): retval = {Httpco De:httplib. OK} surl= "" For I in Xrange (len (URL)): If I > Url.find ('? '): Surl+=surl.join (Url[i)). Replac E (', "%20") Else:surl+=surl.join (url[i]) Try:req = Urllib2.
Request (sURL, data, _headers) retval[html] = Urllib2.urlopen (req, timeout=30). Read () except Exception, ex: Retval[httpcode] = GetAttr (ex, "Code", None) retval[html] = GetAttr (ex,"Message", "" "Match = Re.search (r) <title> (?) p<result>[^<]+) </title> ", retval[html], re. I) Retval[title] = Match.group ("result") if match else None retval[text] = re.sub (? si) <script.+?</script& gt;|<!--. +?-->|<style.+?</style>|<[^>]+>|\s+ "," ", retval[html]) return retval def scan_page _XSS (URL, data=none): print "Start scanning rxss:\n" retval, usable = false, false URL = re.sub (r "= (&|\z)"
, "=1\g<1>", url) if URL else url data=re.sub (r "= (&|\z)", "=1\g<1>", data) if data else data try: For phase in (GET, POST): current = URL If phase are get else (data or "") for the match in Re.findit ER (r) (\a|[? /;]) (? p<parameter>[\w]+) =) (? p<value>[^&]+) ", current): found, usable = False, True print" scanning%s parame ter '%s '% (phase, Match.group ("parameter")) prefix = ("". Join (Random.sample_lowercase, 5)) suffix = ("". Join (Random.sample (String.ascii_lowercase, 5)) if not found : tampered = current.replace (match.group (0), "%s%s"% (Match.group (0), Urllib.quote ("%s%s%s%s"% (""), Prefix, "". Join (Random.sample (Tamper_xss_char_pool, Len (tamper_xss_char_pool)), suffix)) content = _RETRIEVE_CONTENT_XSS (tampered, data) if phase is get else _retrieve_content_xss (URL, tampered) for Sample in Re.finditer ("%s" ([^]+?) %s "% (prefix, suffix), content, re.
I): #print Sample.group () for Regex, info, Content_removal_regex in Xss_patterns: context = Re.search (regex% {"chars": Re.escape (Sample.group (0))}, Re.sub (Content_removal_regex or "", " ", content), re. I) If context and not found and Sample.group (1). Strip (): Print "!!! %s parameter '%s ' appears to be XSS vulnerable (%s)% (Phase, Match.group ("parameter"), info) found = RetVal = True if not usable:
Print "(x) no usable get/post parameters found" except Keyboardinterrupt:print "\ r (x) ctrl-c pressed" return retval def scan_page_sql (URL, data=none): print "Start scanning sqli:\n" retval, usable = False, Fals E url = re.sub (r "= (&|\z)", "=1\g<1>", url) if URL else url data=re.sub (r "= (&|\z)", "=1\g<1>",
Data) If data else data try:for phase in (GET, POST): current = URL If phase be get else (data or "") For the match in Re.finditer (R) (\a|[? /;]) (? p<parameter>\w+) =) (?
p<value>[^&]+) ", current): vulnerable, usable = False, True original=none print ' scanning%s parameter '%s '% (phase, Match.group ("parameter")) tampered = Current.replac E (match.group (0), "%s%s"% (Match.group (0), Urllib.quote ("". Join (RANdom.sample (Tamper_sql_char_pool, Len (tamper_sql_char_pool))) content = _retrieve_content_sql (tampered, Data) If phase is get else _retrieve_content_sql (URL, tampered) for (DBMS, Regex) in ((DBMS, regex) for DBMS in Dbms_er Rors for regex in Dbms_errors[dbms]): If not vulnerable and re.search (regex, content[html), re. I): PRINT "!!! %s parameter '%s ' could be error sqli vulnerable (%s)% (phase, Match.group ("parameter"), DBMS) r Etval = vulnerable = True Vulnerable = False Original = original or (_retrieve_content_sql (current, data If phase is get else _retrieve_content_sql (URL, current) to Prefix,boolean,suffix in Itertools.product (prefixes,boolean_tests,suffixes): if not vulnerable:template = "%s%s%s"% (p Refix,boolean, suffix) payloads = Dict ((_, Current.replace (Match.group (0), "%s%s"% (match.Group (0), urllib.quote (template% (1 if _ Else 2, 1), safe= '% "))" for _ In (True, False)) content s = Dict ((_, _retrieve_content_sql (Payloads[_], data) If phase are get else _retrieve_content_sql (URL, payloads[_)) for _ In (False, True) if all (_[httpcode] for _ In (original, contents[true), Contents[false)) and (a Y (original[_] = = Contents[true][_]!= Contents[false][_] for _ In (Httpcode, TITLE)): Vulnera ble = True Else:ratios = Dict (_, Difflib.
Sequencematcher (None, Original[text], Contents[_][text]). Quick_ratio ()) for _ In (True, False) Vulnerable = All (Ratios.values ()) and ratios[true] > 0.95 and Ratios[false] < 0.95 if vuln Erable:print "!!! %s parameter '%s ' could be error blind sqli vulnerable "% (phase, Match.group (" parameter ")) re Tval= True If not Usable:print "(x) no usable get/post parameters found" except Keyboardinterrupt:
print "\ r (x) ctrl-c pressed" return retval def init_options (Proxy=none, Cookie=none, Ua=none, Referer=none):
Global _headers _headers = dict (Filter (lambda _: _[1), ((Cookie, Cookie), (UA, UA or NAME), (REFERER, REFERER)) Urllib2.install_opener (Urllib2.build_opener) (urllib2. Proxyhandler ({' HTTP ': proxy})) if proxy else None) if __name__ = = "__main__": Print-------------------------------- --------------------------------------------------"print"%s\nby:%s "% (NAME, AUTHOR) print"-------------------- --------------------------------------------------------------"parser = Optparse. Optionparser () parser.add_option ("--url", dest= "url", help= "Target url") parser.add_option ("--data", dest= "data", help= "POST data") parser.add_option ("--cookie", dest= "Cookie", help= "HTTP Cookie Header Value") Parser.add_option ( "--User-agent ", dest=" UA ", help=" HTTP user-agent Header Value ") parser.add_option ("--random-agent ", dest=" Randomagent ", a Ction= "Store_true", help= "use randomly selected HTTP user-agent header value") parser.add_option ("--referer", dest= "re Ferer ", help=" http Referer header Value ") parser.add_option ("--proxy ", dest=" proxy ", help=" HTTP proxy address ") op tions, _ = Parser.parse_args () if Options.url:init_options (Options.proxy, Options.cookie, options.ua if not O Ptions.randomagent Else Random.choice (user_agents), options.referer) result_xss= SCAN_PAGE_XSS (Options.url if Opti Ons.url.startswith ("http") Else "http://%s"% Options.url, options.data) print "\nscan results:%s vulnerabilities Found "% (" possible "if RESULT_XSS else" no ") print"------------------------------------------------------------ ----------------------"Result_sql = Scan_page_sql (Options.url if Options.url.startswith (" http ") Else" http://%s " % Options.url, OPTIONS.DATA) print "\nscan results:%s vulnerabilities found"% ("possible" if result_sql else "no") print------ ----------------------------------------------------------------------------"Else:parser.print_help ()