
Writing a Web Vulnerability Scanner in Python: A Python Script Implementing a Web Vulnerability Scanning Tool

Published: 2024/8/1  |  python  |  21  |  豆豆

Preface

The text and images in this article come from the Internet and are provided for learning and exchange only, not for any commercial purpose. If there is a problem, please contact us promptly so that we can deal with it.


I. Usage

1. Runtime environment:

Linux command line + Python 2.7

2. Program source:

vim scanner        # create a file named scanner and paste the source below into it
chmod a+x scanner  # make the file executable

3. Running the program:

python scanner     # run the file

If no target URL is supplied, the program prints its help text, which lists the parameters it accepts.

The parameters are:

--h             print help
--url           the URL to scan
--data          parameters for a POST request
--cookie        Cookie value for the HTTP request header
--user-agent    User-Agent value for the HTTP request header
--random-agent  whether to disguise the request as a browser (random User-Agent)
--referer       the page the target URL is reached from (HTTP Referer)
--proxy         HTTP proxy used for the requests

Example invocation against a local DVWA instance (the security level and PHPSESSID are passed in the cookie):

python scanner --url="http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=&Submit=Submit" --cookie="security=low;PHPSESSID=menntb9b2isj7qha739ihg9of1"

輸出掃描結(jié)果如下:

結(jié)果顯示:

存在XSS漏洞,漏洞匹配漏洞特征庫“”>.XSS.

存在SQL注入漏洞,目標(biāo)網(wǎng)站服務(wù)器的數(shù)據(jù)庫類型為MySQL。

存在BLIND SQL注入漏洞。

II. Source code

The code has been verified to run; I personally recommend testing it against DVWA.

#!/usr/bin/env python
# -*- coding: UTF-8 -*-

import difflib, httplib, itertools, optparse, random, re, string, urllib, urllib2

NAME = "Scanner for RXSS and SQLI"
AUTHOR = "Lishuze"

PREFIXES = (" ", ") ", "' ", "') ", "\"")          # boundaries tried in front of the boolean test
SUFFIXES = ("", "-- -", "#")                        # comment sequences tried after it
BOOLEAN_TESTS = ("AND %d=%d", "OR NOT (%d=%d)")     # true/false condition templates
TAMPER_SQL_CHAR_POOL = ('(', ')', '\'', '"')        # characters appended to provoke a DBMS error
TAMPER_XSS_CHAR_POOL = ('\'', '"', '>', '<', ';')   # characters whose unencoded reflection is checked

GET, POST = "GET", "POST"
COOKIE, UA, REFERER = "Cookie", "User-Agent", "Referer"
TEXT, HTTPCODE, TITLE, HTML = xrange(4)             # keys of the dict returned by _retrieve_content_sql()

_headers = {}

USER_AGENTS = (
    "Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Firefox/38.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_7_0; en-US) AppleWebKit/534.21 (KHTML, like Gecko) Chrome/11.0.678.0 Safari/534.21",
)

# each entry: (regex locating the reflected probe, description of the context, regex for content stripped before matching)
XSS_PATTERNS = (
    (r"<!--[^>]*%(chars)s|%(chars)s[^<]*-->", "\"<!--.'.xss.'.-->\", inside the comment", None),
    (r"(?s)<script[^>]*>[^<]*?'[^<']*?%(chars)s|%(chars)s[^<']*?'[^<]*?</script>", "\"<script>.'.xss.'.</script>\", enclosed by <script> tags, inside single-quotes", None),
    (r'(?s)<script[^>]*>[^<]*?"[^<"]*?%(chars)s|%(chars)s[^<"]*?"[^<]*?</script>', "'<script>.\".xss.\".</script>', enclosed by <script> tags, inside double-quotes", None),
    (r"(?s)<script[^>]*>[^<]*?%(chars)s|%(chars)s[^<]*?</script>", "\"<script>.xss.</script>\", enclosed by <script> tags", None),
    (r">[^<]*%(chars)s[^<]*(<|\Z)", "\">.xss.<\", outside of tags", r"(?s)<script.+?</script>|<!--.*?-->"),
    (r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", "\"<.'.xss.'.>\", inside the tag, inside single-quotes", r"(?s)<script.+?</script>|<!--.*?-->"),
    (r'<[^>]*"[^>"]*%(chars)s[^>"]*"[^>]*>', "'<.\".xss.\".>', inside the tag, inside double-quotes", r"(?s)<script.+?</script>|<!--.*?-->"),
    (r"<[^>]*%(chars)s[^>]*>", "\"<.xss.>\", inside the tag, outside of quotes", r"(?s)<script.+?</script>|<!--.*?-->"),
)

# error messages that identify the DBMS behind an error-based injection
DBMS_ERRORS = {
    "MySQL": (r"SQL syntax.*MySQL", r"Warning.*mysql_.*", r"valid MySQL result", r"MySqlClient\."),
    "Microsoft SQL Server": (r"Driver.* SQL[\-\_\ ]*Server", r"OLE DB.* SQL Server", r"(\W|\A)SQL Server.*Driver", r"Warning.*mssql_.*", r"(\W|\A)SQL Server.*[0-9a-fA-F]{8}", r"(?s)Exception.*\WSystem\.Data\.SqlClient\.", r"(?s)Exception.*\WRoadhouse\.Cms\."),
    "Microsoft Access": (r"Microsoft Access Driver", r"JET Database Engine", r"Access Database Engine"),
    "Oracle": (r"ORA-[0-9][0-9][0-9][0-9]", r"Oracle error", r"Oracle.*Driver", r"Warning.*\Woci_.*", r"Warning.*\Wora_.*"),
}

def _encode_spaces(url):
    # percent-encode spaces in the query string only; the rest of the URL is left untouched
    return "".join(url[i].replace(' ', "%20") if i > url.find('?') else url[i] for i in xrange(len(url)))

def _retrieve_content_xss(url, data=None):
    try:
        req = urllib2.Request(_encode_spaces(url), data, _headers)
        retval = urllib2.urlopen(req, timeout=30).read()
    except Exception, ex:
        # an HTTP error response still has a body (urllib2.HTTPError is file-like); keep it for matching
        retval = ex.read() if hasattr(ex, "read") else str(ex)
    return retval or ""

def _retrieve_content_sql(url, data=None):
    retval = {HTTPCODE: httplib.OK}
    try:
        req = urllib2.Request(_encode_spaces(url), data, _headers)
        retval[HTML] = urllib2.urlopen(req, timeout=30).read()
    except Exception, ex:
        retval[HTTPCODE] = getattr(ex, "code", None)
        retval[HTML] = ex.read() if hasattr(ex, "read") else str(ex)
    match = re.search(r"<title>(?P<result>[^<]+)</title>", retval[HTML], re.I)
    retval[TITLE] = match.group("result") if match else None
    # strip scripts, comments, styles and tags so that later comparisons look at visible text only
    retval[TEXT] = re.sub(r"(?si)<script.+?</script>|<!--.+?-->|<style.+?</style>|<[^>]+>|\s+", " ", retval[HTML])
    return retval

def scan_page_xss(url, data=None):
    print "Start scanning RXSS:\n"
    retval, usable = False, False
    # give empty parameters (e.g. id=&Submit=Submit) a dummy value so that they are tested as well
    url = re.sub(r"=(&|\Z)", r"=1\g<1>", url) if url else url
    data = re.sub(r"=(&|\Z)", r"=1\g<1>", data) if data else data
    try:
        for phase in (GET, POST):
            current = url if phase is GET else (data or "")
            for match in re.finditer(r"((\A|[?&])(?P<parameter>[\w]+)=)(?P<value>[^&]+)", current):
                found, usable = False, True
                print "Scanning %s parameter '%s'" % (phase, match.group("parameter"))
                # a random prefix/suffix lets the probe be located unambiguously in the response
                prefix = "".join(random.sample(string.ascii_lowercase, 5))
                suffix = "".join(random.sample(string.ascii_lowercase, 5))
                probe = "%s%s%s%s" % ("'", prefix, "".join(random.sample(TAMPER_XSS_CHAR_POOL, len(TAMPER_XSS_CHAR_POOL))), suffix)
                tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(probe)))
                content = _retrieve_content_xss(tampered, data) if phase is GET else _retrieve_content_xss(url, tampered)
                for sample in re.finditer("%s([^ ]+?)%s" % (prefix, suffix), content, re.I):
                    for regex, info, content_removal_regex in XSS_PATTERNS:
                        context = re.search(regex % {"chars": re.escape(sample.group(0))}, re.sub(content_removal_regex or "", "", content), re.I)
                        if context and not found and sample.group(1).strip():
                            print "!!!%s parameter '%s' appears to be XSS vulnerable (%s)" % (phase, match.group("parameter"), info)
                            found = retval = True
        if not usable:
            print " (x) no usable GET/POST parameters found"
    except KeyboardInterrupt:
        print "\r (x) Ctrl-C pressed"
    return retval

def scan_page_sql(url, data=None):
    print "Start scanning SQLI:\n"
    retval, usable = False, False
    url = re.sub(r"=(&|\Z)", r"=1\g<1>", url) if url else url
    data = re.sub(r"=(&|\Z)", r"=1\g<1>", data) if data else data
    try:
        for phase in (GET, POST):
            current = url if phase is GET else (data or "")
            for match in re.finditer(r"((\A|[?&])(?P<parameter>\w+)=)(?P<value>[^&]+)", current):
                vulnerable, usable = False, True
                original = None
                print "Scanning %s parameter '%s'" % (phase, match.group("parameter"))
                # error-based check: append unbalanced quote/bracket characters and look for DBMS error text
                tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("".join(random.sample(TAMPER_SQL_CHAR_POOL, len(TAMPER_SQL_CHAR_POOL))))))
                content = _retrieve_content_sql(tampered, data) if phase is GET else _retrieve_content_sql(url, tampered)
                for (dbms, regex) in ((dbms, regex) for dbms in DBMS_ERRORS for regex in DBMS_ERRORS[dbms]):
                    if not vulnerable and re.search(regex, content[HTML], re.I):
                        print "!!!%s parameter '%s' appears to be error SQLi vulnerable (%s)" % (phase, match.group("parameter"), dbms)
                        retval = vulnerable = True
                # The listing on the page breaks off at the loop above. The boolean-based (blind) check that
                # follows is reconstructed from the PREFIXES/BOOLEAN_TESTS/SUFFIXES constants, the difflib
                # import and the "blind SQL injection" result the page describes; treat it as an assumption.
                vulnerable = False
                original = original or (_retrieve_content_sql(current, data) if phase is GET else _retrieve_content_sql(url, current))
                for prefix, boolean, suffix in itertools.product(PREFIXES, BOOLEAN_TESTS, SUFFIXES):
                    if not vulnerable:
                        template = "%s%s%s" % (prefix, boolean, suffix)
                        # True -> a condition that holds (1=1), False -> one that does not (2=1)
                        payloads = dict((_, current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(template % (1 if _ else 2, 1), safe='%')))) for _ in (True, False))
                        contents = dict((_, _retrieve_content_sql(payloads[_], data) if phase is GET else _retrieve_content_sql(url, payloads[_])) for _ in (False, True))
                        if all(_[HTTPCODE] and _[HTTPCODE] < httplib.INTERNAL_SERVER_ERROR for _ in (original, contents[True], contents[False])):
                            if any(original[_] == contents[True][_] != contents[False][_] for _ in (HTTPCODE, TITLE)):
                                vulnerable = True
                            else:
                                # the TRUE page should resemble the original while the FALSE page differs from it
                                ratios = dict((_, difflib.SequenceMatcher(None, original[TEXT], contents[_][TEXT]).quick_ratio()) for _ in (True, False))
                                vulnerable = all(ratios.values()) and min(ratios.values()) < 0.95 < max(ratios.values()) and abs(ratios[True] - ratios[False]) > 0.095
                        if vulnerable:
                            print "!!!%s parameter '%s' appears to be blind SQLi vulnerable (e.g.: '%s')" % (phase, match.group("parameter"), payloads[True])
                            retval = True
        if not usable:
            print " (x) no usable GET/POST parameters found"
    except KeyboardInterrupt:
        print "\r (x) Ctrl-C pressed"
    return retval

def init_options(proxy=None, cookie=None, ua=None, referer=None):
    # only headers that were actually given are sent; the User-Agent defaults to the scanner name
    globals()["_headers"] = dict(filter(lambda _: _[1], ((COOKIE, cookie), (UA, ua or NAME), (REFERER, referer))))
    urllib2.install_opener(urllib2.build_opener(urllib2.ProxyHandler({'http': proxy})) if proxy else None)

# command-line handling reconstructed from the parameter list in section I (the page's listing ends earlier)
if __name__ == "__main__":
    print "%s\nBy: %s\n" % (NAME, AUTHOR)
    parser = optparse.OptionParser()
    parser.add_option("--url", dest="url", help="Target URL")
    parser.add_option("--data", dest="data", help="POST data")
    parser.add_option("--cookie", dest="cookie", help="HTTP Cookie header value")
    parser.add_option("--user-agent", dest="ua", help="HTTP User-Agent header value")
    parser.add_option("--random-agent", dest="randomAgent", action="store_true", help="Use a randomly selected User-Agent from USER_AGENTS")
    parser.add_option("--referer", dest="referer", help="HTTP Referer header value")
    parser.add_option("--proxy", dest="proxy", help="HTTP proxy address (e.g. \"http://127.0.0.1:8080\")")
    options, _ = parser.parse_args()
    if options.url:
        init_options(options.proxy, options.cookie, options.ua if not options.randomAgent else random.choice(USER_AGENTS), options.referer)
        target = options.url if options.url.startswith("http") else "http://%s" % options.url
        result = scan_page_xss(target, options.data)
        result = scan_page_sql(target, options.data) or result
        print "\nScan results: %s vulnerabilities found" % ("possible" if result else "no")
    else:
        parser.print_help()
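As an added example, not part of the original post or the scanner above: the reflection-context step of scan_page_xss rewritten in Python 3 and run offline against constructed responses. It extends each pattern with a fourth field (my addition) naming the character that must come back unencoded to escape that context, so the result distinguishes a genuinely reflected XSS from a correctly entity-encoded reflection, which the scanner above reports alike.

```python
import re

# The scanner's XSS context table, (regex, context, content-removal regex),
# plus a fourth field added here: the one character that must be reflected
# unencoded for input to escape that context. %(chars)s is the escaped probe.
STRIP = r"(?s)<script.+?</script>|<!--.*?-->"  # removed before the tag/text checks
XSS_PATTERNS = (
    (r"<!--[^>]*%(chars)s|%(chars)s[^<]*-->", "inside an HTML comment", None, ">"),
    (r"(?s)<script[^>]*>[^<]*?'[^<']*?%(chars)s|%(chars)s[^<']*?'[^<]*?</script>",
     "inside <script>, single-quoted string", None, "'"),
    (r'(?s)<script[^>]*>[^<]*?"[^<"]*?%(chars)s|%(chars)s[^<"]*?"[^<]*?</script>',
     "inside <script>, double-quoted string", None, '"'),
    (r"(?s)<script[^>]*>[^<]*?%(chars)s|%(chars)s[^<]*?</script>",
     "inside <script>, outside of quotes", None, ""),   # any reflection is already code
    (r">[^<]*%(chars)s[^<]*(<|\Z)", "text node, outside of tags", STRIP, "<"),
    (r"<[^>]*'[^>']*%(chars)s[^>']*'[^>]*>", "attribute value, single-quoted", STRIP, "'"),
    (r'<[^>]*"[^>"]*%(chars)s[^>"]*"[^>]*>', "attribute value, double-quoted", STRIP, '"'),
    (r"<[^>]*%(chars)s[^>]*>", "inside a tag, outside of quotes", STRIP, ">"),
)

def reflection_contexts(html, prefix, suffix):
    """Return (context, breaks_out) for every prefix+chars+suffix reflection:
    the first matching context, and whether its breakout character survived
    unencoded. The scanner on this page only checks that something was
    reflected, so a fully entity-encoded reflection is still reported as XSS."""
    hits = []
    probe = "%s([^ ]+?)%s" % (re.escape(prefix), re.escape(suffix))
    for sample in re.finditer(probe, html, re.I):
        chars = re.escape(sample.group(0))
        for regex, info, removal, breakout in XSS_PATTERNS:
            haystack = re.sub(removal, "", html) if removal else html
            if re.search(regex % {"chars": chars}, haystack, re.I):
                hits.append((info, breakout in sample.group(1)))
                break
    return hits

# Constructed responses to the probe qwert'"<>;zxcvb (not captured from a real site).
RAW_TEXT = "<p>Hello qwert'\"<>;zxcvb</p>"                        # reflected verbatim
ENCODED_TEXT = "<p>Hello qwert&#39;&quot;&lt;&gt;;zxcvb</p>"       # fully entity-encoded
ATTR_QUOTES_SURVIVE = '<input value="qwert\'"&lt;&gt;;zxcvb">'   # only < and > encoded
SCRIPT_STRING = "<script>var q = 'qwert'\"<>;zxcvb';</script>"

if __name__ == "__main__":
    for page in (RAW_TEXT, ENCODED_TEXT, ATTR_QUOTES_SURVIVE, SCRIPT_STRING):
        print(reflection_contexts(page, "qwert", "zxcvb"))
```

The ATTR_QUOTES_SURVIVE case is the one worth remembering as a defender: encoding only < and > is not enough inside an attribute, because the quote is the breakout character there.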
