swisskyrepo
/
DamnWebScanner
mirror of https://github.com/swisskyrepo/DamnWebScanner.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

POST scan LFI

master
swisskyrepo 2016-12-30 14:36:37 +01:00
parent 8bd736e294
commit d46a0edb79
2 changed files with 19 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -50,7 +50,7 @@ You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
## TODO - Work in progress ## TODO - Work in progress
- Should detect target in source code.. (list of targets, then launch scan) - Should detect target in source code.. (list of targets, then launch scan)
- Do scan_rce/xss/bsqli/lfi for POST with data dict - Do scan_rce/xss for POST with data dict
## Thanks ## Thanks
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/) - Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)

23
Server/scans.py
View File

@ -64,7 +64,7 @@ def scan_sql_error(method, vulns, url, fuzz, cookie, useragent, data):
print "\t\t\033[94mSQLi Failed \033[0m for ", fuzz, " with the payload :", payload print "\t\t\033[94mSQLi Failed \033[0m for ", fuzz, " with the payload :", payload
"""scan_sql_blind_time /!\ TODO : POST request (check method, data) """scan_sql_blind_time
Description: use a polyglot vector to detect a SQL injection based on the response time Description: use a polyglot vector to detect a SQL injection based on the response time
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
""" """
@ -110,21 +110,34 @@ def scan_sql_blind_time(method, vulns, url, fuzz, cookie, useragent, data):
print "\t\t\033[94mTime Based SQLi (", name ,") Failed \033[0m for ", fuzz, " with the payload :", payload print "\t\t\033[94mTime Based SQLi (", name ,") Failed \033[0m for ", fuzz, " with the payload :", payload
"""scan_lfi /!\ TODO : POST request (check method, data) """scan_lfi
Description: will scan every parameter for LFI, checking for the common root:x:0:0 Description: will scan every parameter for LFI, checking for the common root:x:0:0
Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify Parameters: vulns - list of vulnerabilities, url - address of the target, fuzz - parameter we modify
""" """
def scan_lfi(method, vulns, url, fuzz, cookie, useragent, data): def scan_lfi(method, vulns, url, fuzz, cookie, useragent, data):
payload = "/etc/passwd" payload = "/etc/passwd"
inject = re.sub(fuzz+"="+"(.[^&]*)", fuzz+"="+payload , url)
content = requests.get(inject, cookies=cookie, headers={'user-agent': useragent} ).text
# POST
if (method == 'POST'):
inject = dict(data)
inject[fuzz] = payload
content = requests.post(url, data=inject ,cookies=cookie, headers={'user-agent': useragent} ).text
# Change the inject to have a nice display in the plugin
inject = url + ":" + fuzz + ":" + inject[fuzz]
# GET
else:
inject = re.sub(fuzz+"="+"(.[^&]*)", fuzz+"="+payload , url)
content = requests.get(inject, cookies=cookie, headers={'user-agent': useragent} ).text
# Check for a common string in /etc/passwd
if "root:x:0:0:root:/root:/bin/bash" in content: if "root:x:0:0:root:/root:/bin/bash" in content:
print "\t\t\033[93mLFI Detected \033[0m for ", fuzz, " with the payload :", payload print "\t\t\033[93mLFI Detected \033[0m for ", fuzz, " with the payload :", payload
vulns['lfi'] += 1 vulns['lfi'] += 1
vulns['list'] += 'LFI|TYPE|'+inject+'|DELIMITER|' vulns['list'] += 'LFI|TYPE|'+inject+'|DELIMITER|'
else: else:
print "\t\t\033[94mLFI Failed \033[0m for ", fuzz, " with the payload :", payload, inject print "\t\t\033[94mLFI Failed \033[0m for ", fuzz, " with the payload :", payload
"""scan_rce /!\ TODO : POST request (check method, data) """scan_rce /!\ TODO : POST request (check method, data)