├── README.md
├── findSQL.py
└── sql.py
/README.md:
--------------------------------------------------------------------------------
1 | # findSQL
2 | 在日常渗透中,手工检测注入点变得繁琐,用过sqlmap4burp++.0.2这个插件,很好用,但是要人工去识别是否可能存在注入点然后右键发送到sqlmap中进行检测,还是有点不方便
3 |
4 | 于是就想着节省时间写了这个,目前还不是很完善,大佬轻喷
5 |
6 | # 功能
7 | burp开启代理模式,对流量进行检测,联动sqlmapapi自动查找可能存在注入的点,目前只支持get类型的注入检测
8 | # 用法
9 | 注意:路径中不要有中文字符,否则会报错
10 | ### 安装Jython
11 |
12 | 需要先在burp中安装Jython
13 | Jython下载地址: https://www.jython.org/download.html
14 |
15 | 在下载页面选择Jython Standalone 将jython的jar包下载下来
16 |
17 |
18 |
19 | 打开Burp Suite-->Extender-->选中Option-->Python Environment的配置项-->点击Select file-->选中下载的jython-standalone-2.7.1.jar文件
20 |
21 |
22 |
23 | ### 导入findSQL.py
24 |
25 | 打开Burp Suite-->Extender-->Burp Extensions-->add-->Extension Details(Extension type:python)-->select file(选择findSQL.py)-->打开-->next
26 |
27 |
28 |
29 | ### python运行sqlmapapi.py
30 |
31 | 找到sqlmap目录,在该目录下使用python运行sqlmapapi.py服务端
32 |
33 | ```python3 sqlmapapi.py -s```
34 |
35 |
36 |
37 | ### 运行sql.py
38 |
39 | ```python3 sql.py```
40 |
41 | # 使用效果
42 | 这里使用SQLi-LABS进行演示
43 |
44 |
45 |
46 | 检测出存在注入
47 |
--------------------------------------------------------------------------------
/findSQL.py:
--------------------------------------------------------------------------------
1 | #coding=utf-8
2 | import os
3 | import time
4 | from burp import IBurpExtender
5 | from burp import IProxyListener
6 | import sys
7 | import socket
8 |
if sys.version.startswith('2'):
    # Jython / CPython 2 only: default str<->unicode coercion to UTF-8 so the
    # non-ASCII banner printed by the extension does not raise.
    reload(sys)
    sys.setdefaultencoding("utf-8")

# Query-string markers; a proxied URL is forwarded to the local sql.py
# collector when any one of these is a substring of it.
sql_dict = [
    '?id=', '?page=', '?dir=', '?search=', '?category=',
    '?file=', '?class=', '?url=', '?news=', '?item=',
    '?menu=', '?lang=', '?name=', '?ref=', '?title=',
    '?view=', '?topic=', '?thread=', '?type=', '?date=',
    '?form=', '?join=', '?main=', '?nav=', '?region=',
]
13 |
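class BurpExtender(IBurpExtender, IProxyListener):
    """Burp proxy listener that hands candidate GET URLs to the local sql.py collector.

    For every proxied *response*, the request URL is checked against the
    module-level ``sql_dict`` markers; when one matches, the host is not an
    excluded domain, the status is 200 and a Content-Length header is present,
    the URL is written to the collector listening on 127.0.0.1:6666.
    """

    # Hosts whose matching URLs are never forwarded.
    _SKIP_HOSTS = ('baidu.com', 'csdn.net')
    # Address of the sql.py collector socket.
    _COLLECTOR = ('127.0.0.1', 6666)

    def registerExtenderCallbacks(self, callbacks):
        """Burp entry point: keep the helpers, name the extension, register as a proxy listener."""
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("FindSQL v1.0")
        print('''
[+] findSQL scan is loaded
[+] ^_^
[+] #####################################
[+] findSQL v1.0
[+] author:刘一手
[+] team:鹏组安全
[+] By T00ls.Com
[+] github:https://github.com/lemonlove7/findSQL
[+] #####################################
[+] Please enjoy it
''')
        callbacks.registerProxyListener(self)

    def processProxyMessage(self, messageIsRequest, message):
        """Forward the request URL to the collector when the response passes the filters.

        Only responses are inspected, since the status code and headers checked
        below come from the response side of the exchange.
        """
        if messageIsRequest:
            return
        info = message.getMessageInfo()
        # Computed once; the original re-stringified the URL on every comparison.
        url_text = str(info.getUrl())
        if not any(marker in url_text for marker in sql_dict):
            return
        if any(host in url_text for host in self._SKIP_HOSTS):
            return
        analyzed = self._helpers.analyzeResponse(info.getResponse())
        if str(analyzed.getStatusCode()) != '200':
            return
        if 'Content-Length' not in "".join(analyzed.getHeaders()):
            return
        self._send_to_collector(url_text)

    def _send_to_collector(self, url_text):
        """Push one URL to the sql.py listener.

        A collector that is not running must not break the proxy listener, so
        socket errors are reported to the extension output instead of raised,
        and the socket is always closed.
        """
        client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            client.connect(self._COLLECTOR)
            # sendall avoids the short-write case that plain send() allows.
            client.sendall(url_text.encode("utf-8"))
            # sql.py closes the connection after reading; recv() waits for that EOF.
            client.recv(1024)
        except socket.error as exc:
            print('[-] findSQL: could not reach collector %s:%d (%s)'
                  % (self._COLLECTOR[0], self._COLLECTOR[1], exc))
        finally:
            client.close()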
55 |
--------------------------------------------------------------------------------
/sql.py:
--------------------------------------------------------------------------------
1 | import os,time
2 | import socket
3 | import time
4 | import json
5 | import requests
6 | import threading
7 |
8 |
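def test():
    """Accept URLs from the findSQL Burp extension and queue each as a sqlmapapi task.

    Listens on 127.0.0.1:6666. Every connection is expected to carry one UTF-8
    URL (at most 1024 bytes are read) and is closed right after it is read.
    Ids of tasks that were created, configured and started are appended to the
    module-level ``taskids`` list that ``st`` polls. The socket performs no
    authentication: any local process that can reach the port can enqueue a scan.
    """
    api = 'http://127.0.0.1:8775'
    headers = {'Content-Type': 'application/json'}

    # One listening socket for the lifetime of the thread. The original bound a
    # fresh socket on every loop pass and relied on the previous one being
    # garbage-collected before the next bind.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(('127.0.0.1', 6666))
    server.listen(64)

    while True:
        client, _addr = server.accept()
        try:
            # 'replace' keeps a malformed byte sequence from killing the thread.
            target = client.recv(1024).decode('utf-8', 'replace')
        finally:
            client.close()
        if not target:
            continue  # connection carried no URL

        payload = json.dumps({'url': target})

        created = requests.get(api + '/task/new').json()
        if not created.get('success'):
            print("new task error")
            continue
        taskid = created['taskid']

        set_resp = requests.post(api + '/option/%s/set' % taskid,
                                 data=payload, headers=headers)
        if not set_resp.json().get('success'):
            print("new task error")
            continue

        start_resp = requests.post(api + '/scan/%s/start' % taskid,
                                   data=payload, headers=headers)
        if not start_resp.json().get('success'):
            print("new task error")
            continue

        taskids.append(taskid)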
35 |
36 |
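def st():
    """Poll sqlmapapi for the queued tasks and report the ones that returned data.

    Each terminated task is read once via ``/scan/<id>/data``; when the result
    list is non-empty the first entry's ``url`` and ``query`` fields are printed.
    The task is then deleted server-side and dropped from ``taskids`` whether or
    not anything was found, so a finished task is never polled twice.
    """
    api = 'http://127.0.0.1:8775'
    while True:
        # Iterate over a snapshot: the body removes finished ids from ``taskids``
        # and the ``test`` thread appends to it concurrently. Removing from the
        # list being iterated skipped the element after each removed one.
        for taskid in list(taskids):
            time.sleep(1)
            status = requests.get(api + '/scan/%s/status' % taskid).json()
            if status.get('status') != 'terminated':
                continue

            results = requests.get(api + '/scan/%s/data' % taskid).json().get('data') or []
            if results:
                # NOTE(review): assumes the first entry's ``value`` is a dict with
                # ``url``/``query`` keys, as the original did — confirm against the
                # sqlmapapi version in use.
                first = results[0].get('value') or {}
                existence_url = first.get('url') or ''
                existence_query = first.get('query') or ''
                print('[+] 存在注入 url:' + existence_url + ' 参数:' + existence_query)

            requests.get(api + '/task/%s/delete' % taskid)
            taskids.remove(taskid)
        time.sleep(3)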
58 |
59 |
60 |
if __name__ == '__main__':
    print("author:刘一手\nteam:鹏组安全\nBy T00ls.Com")
    # Shared work queue: ``test`` appends sqlmapapi task ids, ``st`` polls and removes them.
    taskids = []
    # Both workers loop forever; they are non-daemon so the process stays alive
    # after this block finishes.
    threads = [threading.Thread(target=worker) for worker in (test, st)]
    for worker_thread in threads:
        worker_thread.start()
69 |
70 |
71 |
72 |
--------------------------------------------------------------------------------