Analysis of the sqlsus code that automatically searches for writable upload directories
2011-11-29 21:33
Reposted from: http://www.52harry.com/program/python/2011-11-08/493.html
sqlsus is a fairly good MySQL injection tool. The two things I find most useful about it are that it pulls data out through the injection very quickly, and that it automatically searches for a writable directory and uploads a webshell there. Below we locate the code that implements that feature and analyse it.
use WWW::Mechanize;

# TODO handle src tags rather than just img src
sub upload_uploader {
    # Directories given in the config are tried first, in order.
    if (@conf::upload_directories) {
        for my $dir (@conf::upload_directories) {
            if (&try_to_upload_uploader($dir)) {
                return 1;
            }
        }
    } else {
        # Seed the crawl with the start URL, its directory and the site base.
        my @urls;
        push @urls, $conf::url_start, $conf::url_start, $conf::url_base;
        # without script
        $urls[0] =~ s#/[^/]+$##;
        print STDERR "[+] Crawling the website for candidate directories at max depth $conf::max_depth\n";
        my $depth = 0;
        my $mech = WWW::Mechanize->new();
        my @fetched_urls = ();
        my @directories = qw(/);
        while ($depth != $conf::max_depth) {
            $depth++;
            for my $url (@urls, @directories) {
                return 0 if $main::interrupt;
                next if grep {$_ eq $url} @fetched_urls;
                push @fetched_urls, $url;
                # static assets are not worth fetching; their directories are taken from the img tags below
                next if $url =~ /\.(gif|jpg|jpeg|png|bmp|css)$/i;
                if ($conf::debug) { print STDERR "[$depth] Fetching $url : " }
                $mech->get( "$url" );
                sleep($conf::sleep_between_hits);
                if ($conf::debug) { print STDERR $mech->response()->code . " (" . $mech->response()->message . ")\n" }
                if (not $mech->response()->is_success) {
                    next;
                }
                # parse all links / add them to the download queue if not seen yet
                for my $link ($mech->find_all_links()) {
                    my $url = $link->url_abs()->abs;
                    # only consider local links
                    next unless ($url =~ /^$conf::url_base/);
                    my $url_without_args = $url;
                    $url_without_args =~ s/\?.*//;
                    # if the url has not been fetched yet, and is not in the "to fetch" list
                    push(@urls, "$url") unless grep(/^$url_without_args/, @urls);
                    # extract absolute directory
                    $url =~ s/^$conf::url_base\///;
                    $url =~ s#/[^/]*$#/#;
                    # and stack "new" directories, walking up one path component at a time
                    while ($url =~ m#/.+$#) {
                        if (not grep($_ eq $url, @directories)) {
                            if (&try_to_upload_uploader($url)) {
                                return 1;
                            } else {
                                push(@directories, $url);
                            }
                        }
                        $url =~ s#/[^/]+(/?)$#$1#;
                    }
                }
                # parse all images to get more directories
                #TODO parse src='' SRC="" etc.. to get directories from javascript, movies..
                for my $image ($mech->find_all_images) {
                    my $url = $image->url_abs();
                    # print "[IMG] $url\n";
                    # only consider local links
                    next unless ($url =~ /^$conf::url_base/);
                    # remove everything after last /
                    $url =~ s/\/[^\/]+$/\//;
                    # remove $conf::url_base
                    $url =~ s/^$conf::url_base\///;
                    $url =~ s#/[^/]*$#/#;
                    # and stack "new" directories
                    while ($url =~ m#/.+$#) {
                        if (not grep($_ eq $url, @directories)) {
                            if (&try_to_upload_uploader($url)) {
                                return 1;
                            } else {
                                push(@directories, $url);
                            }
                        }
                        $url =~ s#/[^/]+(/?)$#$1#;
                    }
                }
            }
        }
    }
}
The code above is the core of the feature; let's break it down step by step.
Argh... I overdid it on the betel nut, so the detailed analysis will have to wait. The short version:
It collects every link address, works out the directory depth, finds the directories that hold all the image files, strips the protocol prefix such as http://, and compares the result against the site root to determine the image directory's actual path on the server. That is how it finds candidate writable directories under the server's web root.
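The crawl described above leaves a recognisable footprint on the target: requests for bare directory paths derived from link and image URLs, sent with the stock WWW::Mechanize User-Agent because the code calls WWW::Mechanize->new() without setting one. The following is an added defender-side example, not code from the original post or from sqlsus: it parses constructed Apache combined-format log lines and flags clients showing either signal. The IP addresses, paths and the "WWW-Mechanize/1.70" version string are constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real logs). 10.0.0.5 mimics the sqlsus crawler:
# stock WWW::Mechanize User-Agent, then GETs for bare directory paths derived
# from link and image URLs; 198.51.100.7 is an ordinary browser.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Nov/2011:21:30:01 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"
10.0.0.5 - - [29/Nov/2011:21:31:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "WWW-Mechanize/1.70"
10.0.0.5 - - [29/Nov/2011:21:31:11 +0800] "GET / HTTP/1.1" 200 5120 "-" "WWW-Mechanize/1.70"
10.0.0.5 - - [29/Nov/2011:21:31:12 +0800] "GET /images/thumbs/ HTTP/1.1" 403 199 "-" "WWW-Mechanize/1.70"
10.0.0.5 - - [29/Nov/2011:21:31:13 +0800] "GET /images/ HTTP/1.1" 403 199 "-" "WWW-Mechanize/1.70"
10.0.0.5 - - [29/Nov/2011:21:31:14 +0800] "GET /js/ HTTP/1.1" 403 199 "-" "WWW-Mechanize/1.70"
10.0.0.5 - - [29/Nov/2011:21:31:15 +0800] "GET /admin/?page=1 HTTP/1.1" 200 1200 "-" "WWW-Mechanize/1.70"
"""

def parse_combined(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_directory_crawlers(log_text, min_dirs=3):
    """Return {ip: sorted distinct non-root directory paths} for clients that
    requested at least `min_dirs` such paths (the sqlsus crawl footprint) or
    that sent the default WWW::Mechanize User-Agent."""
    dirs = defaultdict(set)
    mechanize_ips = set()
    for rec in parse_combined(log_text):
        path = rec["path"].split("?", 1)[0]  # drop the query string, as the crawler does
        if rec["ua"].startswith("WWW-Mechanize/"):
            mechanize_ips.add(rec["ip"])
        # Browsers fetch pages and assets; bare "/dir/" requests are what the
        # directory walk above produces.
        if path != "/" and path.endswith("/"):
            dirs[rec["ip"]].add(path)
    flagged = {}
    for ip in set(dirs) | mechanize_ips:
        if ip in mechanize_ips or len(dirs[ip]) >= min_dirs:
            flagged[ip] = sorted(dirs[ip])
    return flagged
```

A real deployment would apply the same logic per time window, since the crawler pauses only `$conf::sleep_between_hits` seconds between requests.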