"%u5c00%u2700","/","../","./..././","/%2e/", "%2e","%5C","%s", "'","'''''","\"",
"%%%%%%","!!!!!!!!!!!!!!!!!!","#", "%5C27","%%5C%56" , "\'", "
\\",';',";a", "|",
"\?>", "%a0");
"<script>alert('cookies, y ' + document.cookie);</script>");
to open stream:", "
internal server error", "there was an error when processing
this directive.", "http/1.1 400", "http/1.1 403", "http/1.1 500", "gateway
error", "command not found", "file not found");
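// $flags[1]: SQL-error signatures. TestResult() lowercases the response before
// matching, so every entry here must be lowercase. The originals were wrapped
// across lines, leaving a literal newline inside "you have an error in your sql
// syntax", which could never match a real error page; joined with a space here.
// NOTE(review): "[obdc" looks like a typo for "[odbc" (as in
// "[Microsoft][ODBC SQL Server Driver]") - kept as-is, confirm against the
// upstream list before changing it.
$flags[1] = array("[obdc", "mysql error", "you have an error in your sql syntax",
    "odbc drivers error", "[microsoft sql");
// $flags[2]: reflected-XSS signatures, i.e. the probe payloads echoed back
// verbatim. The first entry previously began with a stray newline (line
// wrapping), which again prevented any match; it is now the bare payload.
$flags[2] = array("javascript:alert(string.fromcharcode(65,66,67))",
    "<script>alert('cookies, y ' + document.cookie);</script>");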
既然我们已经知道了应该构造何种请求以及返回的输出结果,那么我们就可以编写一份用于构造恶意请求的PHP代码来查询HTTP服务器了。在本例中,我们只构造了GET请求,但你若想构造其它的HTTP请求方式也是很容易修改得到的。需要注意的是,测试载荷是原样写入HTTP请求行的(只把空格替换成了%20),因此包含回车换行的载荷会把请求拆成两段,导致结果不可靠。
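/**
 * Send a single HTTP/1.1 GET request for $url over a plain TCP socket and
 * return the raw response (status line, headers and body) as a string.
 *
 * @param string $url    Absolute URL (scheme://host[:port]/path?query). The
 *                       fuzz payload is part of the path/query and is sent
 *                       as-is apart from spaces -> %20; a payload containing
 *                       CR/LF will break the request line.
 * @param string $method Only "GET" is implemented; any other value sends
 *                       nothing and returns "".
 * @return string Raw response, or "" when the URL cannot be parsed, the
 *                connection fails (an error is echoed) or $method != "GET".
 */
function MakeRequest($url, $method="GET") {
    global $newline;
    $url = str_replace(" ", "%20", $url);
    // Always a string, so callers never receive an undefined value.
    $buf = "";
    if ($method=="GET") {
        // parse_url() replaces the hand-rolled substr()/strpos() slicing,
        // which broke on URLs without a path and mis-computed the request
        // target; it also picks up an explicit port when one is given.
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['host']) || $parts['host'] === "") {
            echo " ERROR . $url (cannot parse host from URL)$newline";
            return $buf;
        }
        $host = $parts['host'];
        $port = isset($parts['port']) ? (int)$parts['port'] : 80;
        // request-target = path plus query; an empty path must be sent as "/".
        $request = (isset($parts['path']) && $parts['path'] !== "") ? $parts['path'] : "/";
        if (isset($parts['query'])) {
            $request .= "?" . $parts['query'];
        }
        // The original listing never opened the socket; open it here with a
        // connect timeout so an unresponsive host cannot stall the whole run.
        $errno = 0;
        $errstr = "";
        $fp = fsockopen($host, $port, $errno, $errstr, 10);
        if (!$fp) {
            echo " ERROR . $url $errstr ($errno)$newline";
        } else {
            // Bound the read as well; Connection: Close makes feof() reliable.
            stream_set_timeout($fp, 10);
            $out = "GET $request HTTP/1.1\r\n";
            $out .= "Host: $host\r\n";
            $out .= "Connection: Close\r\n\r\n";
            fwrite($fp, $out);
            while (!feof($fp)) {
                $line = fgets($fp);
                if ($line === false) {
                    break; // read timeout or error: keep what we have
                }
                $buf .= $line;
            }
            fclose($fp);
        }
    }
    return $buf;
}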
通过恶意构造的请求,我们就可以获取HTTP服务器返回的结果,接下来我们就需要利用一个函数来
扫描上面列表中的错误代码了。如果变量$result中有与$flags数组元素相符合的内容,则下列函数返回1,否则返回0。匹配前会先把$result转换为小写,因此$flags中的特征串都必须写成小写;匹配只是简单的子串查找,页面正常内容中若恰好含有这些字符串就会产生误报。
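/**
 * Scan an HTTP response for any of the error / reflection signatures in the
 * global $flags (an array of arrays of lowercase substrings).
 *
 * Matching is a case-insensitive substring search: $result is lowercased and
 * each signature is lowercased too, so mixed-case entries still work.
 *
 * Fix: the original inner loop iterated over count($flags) (the number of
 * signature groups, 3) instead of count($flags[$i]), so only the first three
 * entries of each group were ever checked.
 *
 * @param string $result Raw response text from MakeRequest().
 * @return int 1 on the first signature hit, 0 when nothing matches.
 */
function TestResult ($result) {
    global $flags;
    $result = strtolower((string)$result);
    if (!is_array($flags)) {
        return 0;
    }
    foreach ($flags as $group) {
        if (!is_array($group)) {
            continue;
        }
        foreach ($group as $needle) {
            $needle = strtolower((string)$needle);
            // On PHP 8 strpos() with an empty needle returns 0, which would
            // flag every response; skip empty signatures explicitly.
            if ($needle === "") {
                continue;
            }
            if (strpos($result, $needle) !== false) {
                return 1;
            }
        }
    }
    return 0;
}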
万事俱备,只欠东风!现在该是我们编写代码的时候了,以便将这一切都联系起来。下列代码使用$list数组来包含所有用于检测的URL地址;当$localonly为真时,脚本只允许检测以http://localhost/或http://127.0.0.1/开头的地址,请勿对未获授权的主机运行本脚本。
if ($localonly == true AND (substr($list[$inc], 0, 17) !=
"
http://localhost/" AND substr($list[$inc], 0, 17) != "
http://127.0.0.1/"))
die("Sorry, this script can only be tested against localhost.");
// SetUpParameters用于分析URL地址中的每个GET参数,并将其存储在数组$get和$getvalues中
if (trim($url) != "") {
echo "$newline$url$newline";
// 测试每一种可能的
漏洞 for ($vulni=0;$vulni<count($vulnchars);$vulni++) {
switch ($vulni) {
case 0: echo " * General
web vulnerabilities$newline"; break;
case 1: echo " * SQL vulnerabilities$newline"; break;
case 2: echo " * XSS vulnerabilities$newline"; break;
}
// 检测URL地址中的每一个GET参数
for ($o=0;$o < count($get);$o++) {
for ($i=0;$i<count($vulnchars[$vulni]);$i++) {
// 通过
漏洞字符表构造各个URL地址
$whichparam = $get[$o];
$testing = $url . "?";
// 组合脚本中所有其它参数的默认值
if ($get[$z] != $whichparam)
$testing.=";".$get[$z]."=".$getvalue[$z];
}
$testing .= ";" . $whichparam . "=" . $vulnchars[$vulni][$i];
$fun = MakeRequest($testing);
if ($parseforlinks == true) ParseForLinks($fun);
$error = TestResult($fun);
if ($error != 0)
echo " FLAG! .. $testing$newline";
if ($error == 0 and $verbose == true)
echo " OK .. $testing $newline";
}
}
}
}
}
http://$host/">标志的形式添加到数组$list中。另外也可以添加其它请求方式,比如POST,SSL,cookie以及文件上传漏洞。编写一个web fuzzer是一项很值得去做的编程工作,但可能也是项没完没了的工作