v1.3.4 添加目标页面中的script内容处理功能，修复了一系列致命缺陷

rtcatc · Sep 6, 2021 · e5ac19c · e5ac19c
1 parent 4dacb2b
commit e5ac19c
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 11 deletions.
diff --git a/config.ini b/config.ini
@@ -5,7 +5,7 @@ apiExts = *,+,=,{,},[,],(,),<,>,@,#,",',@,:,?,!, ,^,\,（,）,.docx,.xlsx,.jpeg,
 
 [vulnTest]
 resultFilter = 未登录,请登录,重新登录,登录失效,权限鉴定失败,未授权,鉴权失败,unauth,状态失效,没有登录,会话超时,token???,login_failure,token can not be null,need token,Need Access Token,Access Token Is Null,have not Access-Token,token is empty,登录失败,凭证失效,未认证,认证失败,未发现认证,登录无效
-unauth_not_sure = 系统繁忙,系统错误,系统异常,服务器繁忙,参数错误,异常错误,服务端发生异常,服务端异常,安全异常,cookie错误,参数为空
+unauth_not_sure = 系统繁忙,系统错误,系统异常,服务器繁忙,参数错误,异常错误,服务端发生异常,服务端异常,安全异常,cookie错误,参数为空,拒绝访问,执行错误
 login = 登录成功,login success,密码正确,成功登录
 
 [infoTest]

diff --git a/lib/DownloadJs.py b/lib/DownloadJs.py
@@ -10,7 +10,7 @@
 
 class DownloadJs():
 
-    def __init__(self, jsRealPaths,options):
+    def __init__(self, jsRealPaths, options):
         # 传入的js文件的路径
         warnings.filterwarnings('ignore')
         self.jsRealPaths = jsRealPaths
@@ -76,8 +76,7 @@ def downloadJs(self, tag, host, spiltId):  # 下载js文件
                 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
                 self.options.head.split(':')[0]: self.options.head.split(':')[1]
             }
-
-        self.jsRealPaths = list(set(self.jsRealPaths))# list清单去重
+        self.jsRealPaths = list(set(self.jsRealPaths)) # list清单去重
         try:
             self.jsRealPaths = self.jsBlacklist()  # 不能放for循环内
             self.log.debug("js黑名单函数正常")
@@ -105,8 +104,6 @@ def downloadJs(self, tag, host, spiltId):  # 下载js文件
             else:
                 cursor.execute(sql)
                 conn.commit()
-                # headers = {
-                #     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0"}
                 self.log.info(Utils().tellTime() + Utils().getMyWord("{downloading}") + jsFilename)
                 sslFlag = int(self.options.ssl_flag)
                 if sslFlag == 1:
@@ -119,3 +116,26 @@ def downloadJs(self, tag, host, spiltId):  # 下载js文件
                     cursor.execute("UPDATE js_file SET success = 1 WHERE local='%s';" % (jsTag + "." + jsFilename))
                     conn.commit()
                 conn.close()
+
+    def creatInsideJs(self, tag, host, scriptInside, url):  # 生成html的script的文件
+        try:
+            jsRealPath = url
+            jsFilename = "7777777.script.inside.html.js" #随便来一个
+            jsTag = Utils().creatTag(6)
+            PATH = "tmp/" + tag + "_" + host + "/" + tag + ".db"
+            conn = sqlite3.connect(os.sep.join(PATH.split('/')))
+            cursor = conn.cursor()
+            conn.isolation_level = None
+            sql = "insert into js_file(name,path,local) values('%s','%s','%s')" % (
+                        jsFilename, jsRealPath, jsTag + "." + jsFilename)
+            cursor.execute(sql)
+            conn.commit()
+            self.log.info(Utils().tellTime() + Utils().getMyWord("{downloading}") + jsFilename)
+            with open("tmp" + os.sep + tag + "_" + host + os.sep + jsTag + "." + jsFilename, "wb") as js_file:
+                js_file.write(str.encode(scriptInside))
+                js_file.close()
+                cursor.execute("UPDATE js_file SET success = 1 WHERE local='%s';" % (jsTag + "." + jsFilename))
+                conn.commit()
+            conn.close()
+        except Exception as e:
+            self.log.error("[Err] %s" % e)
diff --git a/lib/ParseJs.py b/lib/ParseJs.py
@@ -142,21 +142,30 @@ def dealJs(self, js_paths):  # 生成js绝对路径
         self.log.info(Utils().tellTime() + Utils().getMyWord("{pares_js_fini_1}") + str(len(self.jsRealPaths)) + Utils().getMyWord("{pares_js_fini_2}"))
         domain = res.netloc
         if ":" in domain:
-            domain = str(domain).replace(":", "_")
+            domain = str(domain).replace(":", "_") #处理端口号
         DownloadJs(self.jsRealPaths,self.options).downloadJs(self.projectTag, domain, 0)
         extJS = CommandLines().cmd().js
         if extJS != None:
             extJSs = extJS.split(',')
-            DownloadJs(extJSs,self.options).downloadJs(self.projectTag, res.netloc, 0)
+            DownloadJs(extJSs,self.options).downloadJs(self.projectTag, domain, 0)
 
-    def scriptCrawling(self, demo):  # 处理动态生成的js内容
+    def scriptCrawling(self, demo):  # 处理动态生成的js内容及html内的script
+        res = urlparse(self.url)  # 处理url多余部分
+        domain = res.netloc
+        if ":" in domain:
+            domain = str(domain).replace(":", "_") #处理端口号
+        scriptInside = "" #初始为空
         soup = BeautifulSoup(demo, "html.parser")
         for item in soup.find_all("script"):
             scriptString = str(item.string)  # 防止特殊情况报错
             listSrc = re.findall(r'src=\"(.*?)\.js', scriptString)
             if not listSrc == []:
                 for jsPath in listSrc:
                     self.jsPathList.append(jsPath)
+            if scriptString != "None": #None被转成字符串了
+                scriptInside = scriptInside + scriptString
+        if scriptInside != "":
+            DownloadJs(self.jsRealPaths,self.options).creatInsideJs(self.projectTag, domain, scriptInside, self.url)
         return self.jsPathList
 
     def parseJsStart(self):

diff --git a/lib/Recoverspilt.py b/lib/Recoverspilt.py
@@ -105,7 +105,10 @@ def getRealFilePath(self, jsSplitId, jsFileNames, jsUrlpath):
                 jsFileName = base_url + jsFileName
                 jsRealPaths.append(jsFileName)
         try:
-            DownloadJs(jsRealPaths,self.options).downloadJs(self.projectTag, res.netloc, jsSplitId)
+            domain = res.netloc
+            if ":" in domain:
+                domain = str(domain).replace(":", "_") #处理端口号
+            DownloadJs(jsRealPaths,self.options).downloadJs(self.projectTag, domain, jsSplitId)
             self.log.debug("downjs功能正常")
         except Exception as e:
             self.log.error("[Err] %s" % e)
@@ -154,9 +157,12 @@ def checkSpiltingTwice(self, projectPath):
                     for remoteFileURL in tmpRemoteFileURLs:
                         self.remoteFileURLs.append(remoteFileURL)
         if self.remoteFileURLs != []:
+            domain = res.netloc
+            if ":" in domain:
+                domain = str(domain).replace(":", "_") #处理端口号
             self.remoteFileURLs = list(set(self.remoteFileURLs))  # 其实不会重复
             self.log.info(Utils().tellTime() + Utils().getMyWord("{check_codesplit_twice_fini_1}") + str(len(self.remoteFileURLs)) + Utils().getMyWord("{check_codesplit_twice_fini_2}"))
-            DownloadJs(self.remoteFileURLs,self.options).downloadJs(self.projectTag, res.netloc, 999)  # 999表示爆破
+            DownloadJs(self.remoteFileURLs,self.options).downloadJs(self.projectTag, domain, 999)  # 999表示爆破
 
     def recoverStart(self):
         projectPath = DatabaseType(self.projectTag).getPathfromDB()