因为自己测试经常是写个脚本执行,现在学了wxPython,就尝试写了一个图形化的工具,组员也能方便地使用
先看一下我的tool界面,比较简单啦
源代码如下waftool.py:
1#!/usr/bin/env python
2#coding=utf-8
3import wx
4import wx.lib.buttons as buttons
5import os
6import urllib2,httplib
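class WAFtoolFrame(wx.Frame):
    """Main window of WAF-Easy-Tool.

    The buttons on the right replay the rule lines of ``sql.txt`` / ``xss.txt``
    against the URL typed in the URL box (one GET request per line, each line
    appended verbatim to the URL) while a progress dialog shows how far the
    run is.  ``CMD`` opens a shell and ``Ping`` pings the host in the IP box.
    ``WEB-Common`` is not implemented yet and stays disabled.
    """

    # Seconds to wait for a single request; without a timeout a WAF that
    # silently drops the connection would freeze the GUI indefinitely.
    REQUEST_TIMEOUT = 10

    def __init__(self):
        """Build the panel, the five buttons and the two text boxes, and bind the handlers."""
        wx.Frame.__init__(self, None, -1, 'WAF-Easy-Tool', size=(400, 300))
        panel = wx.Panel(self, -1)
        self.button1 = buttons.GenButton(panel, -1, "SQL-Injection", pos=(270, 15), size=(100, 30))
        self.button2 = buttons.GenButton(panel, -1, "XSS-Attack", pos=(270, 60), size=(100, 30))
        self.button3 = buttons.GenButton(panel, -1, 'WEB-Common', pos=(270, 105), size=(100, 30))
        self.button4 = buttons.GenButton(panel, -1, 'CMD', pos=(270, 150), size=(100, 30))
        self.button5 = buttons.GenButton(panel, -1, 'Ping', pos=(270, 195), size=(100, 30))
        self.LabelIP = wx.StaticText(panel, -1, ' IP:', pos=(10, 203), size=(30, 30))
        self.LabelURL = wx.StaticText(panel, -1, 'URL:', pos=(10, 67), size=(30, 30))
        self.Text1 = wx.TextCtrl(panel, -1, "", pos=(50, 200), size=(100, 22), style=wx.TE_CENTER)
        self.Text2 = wx.TextCtrl(panel, -1, "http://10.26.2.22/upload/index.php?id=1", pos=(50, 65), size=(200, 22))
        self.Text1.SetInsertionPoint(0)
        self.Text2.SetInsertionPoint(0)
        self.Bind(wx.EVT_BUTTON, self.SqlAction, self.button1)
        self.Bind(wx.EVT_BUTTON, self.CMD, self.button4)
        self.Bind(wx.EVT_BUTTON, self.PING, self.button5)
        self.Bind(wx.EVT_BUTTON, self.XssAction, self.button2)
        # The WEB-Common rule set does not exist yet, so its button is greyed out.
        self.button3.Disable()

    def SqlAction(self, event):
        """Replay every rule line of ``sql.txt`` appended to the URL in the URL box."""
        self._run_rule_file('sql.txt')

    def XssAction(self, event):
        """Replay every rule line of ``xss.txt`` appended to the URL in the URL box."""
        self._run_rule_file('xss.txt')

    def _load_requests(self, rule_file, base_url):
        """Return the list of request URLs built from ``rule_file``.

        Each non-blank line of the file is appended verbatim to ``base_url``
        (this is what the old GET.txt scratch file held, minus the trailing
        newline, so the scratch file is no longer needed).  The file handle is
        closed on every path; the original left ``sql.txt``/``xss.txt`` open.

        Raises:
            IOError: ``rule_file`` does not exist or cannot be read.
        """
        with open(rule_file) as rules:
            lines = [line.rstrip('\r\n') for line in rules]
        return [base_url + param for param in lines if param.strip()]

    @staticmethod
    def _dialog_continue(update_result):
        """Normalise ``wx.ProgressDialog.Update()``'s return value to one bool.

        wxPython builds that support PD_CAN_SKIP return a ``(continue, skip)``
        tuple from ``Update``; the original code stored the tuple itself, and a
        non-empty tuple is always true, which is the likely reason Cancel had
        no effect.  A plain bool (older builds) is accepted as well.
        """
        if isinstance(update_result, tuple):
            return bool(update_result[0])
        return bool(update_result)

    def _send(self, target):
        """Issue one GET to ``target`` and discard the answer.

        Failures are swallowed on purpose: a 403 from the WAF surfaces as
        ``urllib2.HTTPError`` and one rejected request must not abort the rest
        of the run.  The response is closed explicitly so the socket is not
        left to the garbage collector.
        """
        try:
            response = urllib2.urlopen(target, timeout=self.REQUEST_TIMEOUT)
        except (IOError, httplib.HTTPException):
            # URLError/HTTPError and socket errors are IOError subclasses;
            # httplib raises e.g. BadStatusLine on a malformed answer.
            return
        response.close()

    def _run_rule_file(self, rule_file):
        """Send the requests built from ``rule_file`` one by one behind a progress dialog.

        ``self.url``, ``self.count``, ``self.ProgressMax`` and ``self.KeepGoing``
        are kept up to date as the original handlers did.  The dialog is
        destroyed on every exit path, so a failing request can no longer
        leave it on screen, and pressing Cancel stops the run after the
        request in flight.
        """
        self.url = self.Text2.GetValue()
        self.KeepGoing = True
        self.count = 0
        try:
            targets = self._load_requests(rule_file, self.url)
        except IOError as err:
            wx.MessageBox('Cannot read %s: %s' % (rule_file, err),
                          'WAF-Easy-Tool', wx.OK | wx.ICON_ERROR)
            return
        self.ProgressMax = len(targets)
        if not targets:
            # Nothing to send, and a progress dialog with maximum 0 is meaningless.
            wx.MessageBox('%s contains no rules to send' % rule_file,
                          'WAF-Easy-Tool', wx.OK | wx.ICON_WARNING)
            return
        self.dialog = wx.ProgressDialog(
            'SENDING', 'Please wait for minutes', maximum=self.ProgressMax,
            style=wx.PD_CAN_ABORT | wx.PD_ELAPSED_TIME | wx.PD_REMAINING_TIME)
        try:
            for target in targets:
                if not self.KeepGoing:
                    break  # Cancel was pressed on the dialog
                self._send(target)
                self.count += 1
                self.KeepGoing = self._dialog_continue(self.dialog.Update(self.count))
        finally:
            self.dialog.Destroy()

    def CMD(self, event):
        """Open an interactive shell; the GUI stays blocked until it exits.

        The command is a fixed literal with no user input, so there is nothing
        to escape here.
        """
        os.system('cmd')

    def PING(self, event):
        """Ping the host typed in the IP box.

        The host is passed as its own argv element instead of being pasted
        into a shell string, so characters such as ``&``, ``|`` or ``;`` in
        the text box cannot start extra commands.  A value beginning with
        ``-`` is refused because ``ping`` would read it as an option.
        """
        import subprocess  # local import keeps the handler self-contained
        self.ip = self.Text1.GetValue().strip()
        if not self.ip or self.ip.startswith('-'):
            wx.MessageBox('Please enter a host name or IP address',
                          'WAF-Easy-Tool', wx.OK | wx.ICON_WARNING)
            return
        subprocess.call(['ping', self.ip])

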
def main():
    """Show the tip-of-the-day dialog from tips.txt, then the main frame, and run the event loop."""
    app = wx.PySimpleApp()
    tip_provider = wx.CreateFileTipProvider('tips.txt', 0)
    wx.ShowTip(None, tip_provider, True)
    WAFtoolFrame().Show()
    app.MainLoop()


if __name__ == "__main__":
    main()
1#!/usr/bin/env python
2#coding=utf-8
3import wx
4import wx.lib.buttons as buttons
5import os
6import urllib2,httplib
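class WAFtoolFrame(wx.Frame):
    """Main window of WAF-Easy-Tool.

    The buttons on the right replay the rule lines of ``sql.txt`` / ``xss.txt``
    against the URL typed in the URL box (one GET request per line, each line
    appended verbatim to the URL) while a progress dialog shows how far the
    run is.  ``CMD`` opens a shell and ``Ping`` pings the host in the IP box.
    ``WEB-Common`` is not implemented yet and stays disabled.
    """

    # Seconds to wait for a single request; without a timeout a WAF that
    # silently drops the connection would freeze the GUI indefinitely.
    REQUEST_TIMEOUT = 10

    def __init__(self):
        """Build the panel, the five buttons and the two text boxes, and bind the handlers."""
        wx.Frame.__init__(self, None, -1, 'WAF-Easy-Tool', size=(400, 300))
        panel = wx.Panel(self, -1)
        self.button1 = buttons.GenButton(panel, -1, "SQL-Injection", pos=(270, 15), size=(100, 30))
        self.button2 = buttons.GenButton(panel, -1, "XSS-Attack", pos=(270, 60), size=(100, 30))
        self.button3 = buttons.GenButton(panel, -1, 'WEB-Common', pos=(270, 105), size=(100, 30))
        self.button4 = buttons.GenButton(panel, -1, 'CMD', pos=(270, 150), size=(100, 30))
        self.button5 = buttons.GenButton(panel, -1, 'Ping', pos=(270, 195), size=(100, 30))
        self.LabelIP = wx.StaticText(panel, -1, ' IP:', pos=(10, 203), size=(30, 30))
        self.LabelURL = wx.StaticText(panel, -1, 'URL:', pos=(10, 67), size=(30, 30))
        self.Text1 = wx.TextCtrl(panel, -1, "", pos=(50, 200), size=(100, 22), style=wx.TE_CENTER)
        self.Text2 = wx.TextCtrl(panel, -1, "http://10.26.2.22/upload/index.php?id=1", pos=(50, 65), size=(200, 22))
        self.Text1.SetInsertionPoint(0)
        self.Text2.SetInsertionPoint(0)
        self.Bind(wx.EVT_BUTTON, self.SqlAction, self.button1)
        self.Bind(wx.EVT_BUTTON, self.CMD, self.button4)
        self.Bind(wx.EVT_BUTTON, self.PING, self.button5)
        self.Bind(wx.EVT_BUTTON, self.XssAction, self.button2)
        # The WEB-Common rule set does not exist yet, so its button is greyed out.
        self.button3.Disable()

    def SqlAction(self, event):
        """Replay every rule line of ``sql.txt`` appended to the URL in the URL box."""
        self._run_rule_file('sql.txt')

    def XssAction(self, event):
        """Replay every rule line of ``xss.txt`` appended to the URL in the URL box."""
        self._run_rule_file('xss.txt')

    def _load_requests(self, rule_file, base_url):
        """Return the list of request URLs built from ``rule_file``.

        Each non-blank line of the file is appended verbatim to ``base_url``
        (this is what the old GET.txt scratch file held, minus the trailing
        newline, so the scratch file is no longer needed).  The file handle is
        closed on every path; the original left ``sql.txt``/``xss.txt`` open.

        Raises:
            IOError: ``rule_file`` does not exist or cannot be read.
        """
        with open(rule_file) as rules:
            lines = [line.rstrip('\r\n') for line in rules]
        return [base_url + param for param in lines if param.strip()]

    @staticmethod
    def _dialog_continue(update_result):
        """Normalise ``wx.ProgressDialog.Update()``'s return value to one bool.

        wxPython builds that support PD_CAN_SKIP return a ``(continue, skip)``
        tuple from ``Update``; the original code stored the tuple itself, and a
        non-empty tuple is always true, which is the likely reason Cancel had
        no effect.  A plain bool (older builds) is accepted as well.
        """
        if isinstance(update_result, tuple):
            return bool(update_result[0])
        return bool(update_result)

    def _send(self, target):
        """Issue one GET to ``target`` and discard the answer.

        Failures are swallowed on purpose: a 403 from the WAF surfaces as
        ``urllib2.HTTPError`` and one rejected request must not abort the rest
        of the run.  The response is closed explicitly so the socket is not
        left to the garbage collector.
        """
        try:
            response = urllib2.urlopen(target, timeout=self.REQUEST_TIMEOUT)
        except (IOError, httplib.HTTPException):
            # URLError/HTTPError and socket errors are IOError subclasses;
            # httplib raises e.g. BadStatusLine on a malformed answer.
            return
        response.close()

    def _run_rule_file(self, rule_file):
        """Send the requests built from ``rule_file`` one by one behind a progress dialog.

        ``self.url``, ``self.count``, ``self.ProgressMax`` and ``self.KeepGoing``
        are kept up to date as the original handlers did.  The dialog is
        destroyed on every exit path, so a failing request can no longer
        leave it on screen, and pressing Cancel stops the run after the
        request in flight.
        """
        self.url = self.Text2.GetValue()
        self.KeepGoing = True
        self.count = 0
        try:
            targets = self._load_requests(rule_file, self.url)
        except IOError as err:
            wx.MessageBox('Cannot read %s: %s' % (rule_file, err),
                          'WAF-Easy-Tool', wx.OK | wx.ICON_ERROR)
            return
        self.ProgressMax = len(targets)
        if not targets:
            # Nothing to send, and a progress dialog with maximum 0 is meaningless.
            wx.MessageBox('%s contains no rules to send' % rule_file,
                          'WAF-Easy-Tool', wx.OK | wx.ICON_WARNING)
            return
        self.dialog = wx.ProgressDialog(
            'SENDING', 'Please wait for minutes', maximum=self.ProgressMax,
            style=wx.PD_CAN_ABORT | wx.PD_ELAPSED_TIME | wx.PD_REMAINING_TIME)
        try:
            for target in targets:
                if not self.KeepGoing:
                    break  # Cancel was pressed on the dialog
                self._send(target)
                self.count += 1
                self.KeepGoing = self._dialog_continue(self.dialog.Update(self.count))
        finally:
            self.dialog.Destroy()

    def CMD(self, event):
        """Open an interactive shell; the GUI stays blocked until it exits.

        The command is a fixed literal with no user input, so there is nothing
        to escape here.
        """
        os.system('cmd')

    def PING(self, event):
        """Ping the host typed in the IP box.

        The host is passed as its own argv element instead of being pasted
        into a shell string, so characters such as ``&``, ``|`` or ``;`` in
        the text box cannot start extra commands.  A value beginning with
        ``-`` is refused because ``ping`` would read it as an option.
        """
        import subprocess  # local import keeps the handler self-contained
        self.ip = self.Text1.GetValue().strip()
        if not self.ip or self.ip.startswith('-'):
            wx.MessageBox('Please enter a host name or IP address',
                          'WAF-Easy-Tool', wx.OK | wx.ICON_WARNING)
            return
        subprocess.call(['ping', self.ip])

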
def main():
    """Show the tip-of-the-day dialog from tips.txt, then the main frame, and run the event loop."""
    app = wx.PySimpleApp()
    tip_provider = wx.CreateFileTipProvider('tips.txt', 0)
    wx.ShowTip(None, tip_provider, True)
    WAFtoolFrame().Show()
    app.MainLoop()


if __name__ == "__main__":
    main()
这部分源代码还有部分功能未完成,比如绑定cancel按钮
然后制作.exe:waf.py
1#!/usr/bin/env python
2#coding=utf-8
3from distutils.core import setup
4import py2exe
# Packages py2exe cannot discover by import analysis; the codec machinery is
# loaded dynamically at runtime, so it is listed explicitly.
includes = ['encodings', 'encodings.*']

# py2exe build options: compress and optimise the bundled byte code and pack
# everything into a single file.
options = {
    'py2exe': {
        'compressed': 1,
        'optimize': 2,
        'includes': includes,
        'bundle_files': 1,
    },
}

# A 'windows' target produces a GUI executable (no console) for waftool.py,
# using waf.ico as the program icon.
setup(
    name='WAF-Tool',
    version='0.1.0',
    description='WAF Tool',
    options=options,
    zipfile=None,
    windows=[{'script': 'waftool.py', 'icon_resources': [(1, 'waf.ico')]}],
)
1#!/usr/bin/env python
2#coding=utf-8
3from distutils.core import setup
4import py2exe
# Packages py2exe cannot discover by import analysis; the codec machinery is
# loaded dynamically at runtime, so it is listed explicitly.
includes = ['encodings', 'encodings.*']

# py2exe build options: compress and optimise the bundled byte code and pack
# everything into a single file.
options = {
    'py2exe': {
        'compressed': 1,
        'optimize': 2,
        'includes': includes,
        'bundle_files': 1,
    },
}

# A 'windows' target produces a GUI executable (no console) for waftool.py,
# using waf.ico as the program icon.
setup(
    name='WAF-Tool',
    version='0.1.0',
    description='WAF Tool',
    options=options,
    zipfile=None,
    windows=[{'script': 'waftool.py', 'icon_resources': [(1, 'waf.ico')]}],
)
最后用py2exe生成.exe文件即可。
1.0版本说明:
1.使用wxpython编写;
2.支持sql注入、xss的内置规则测试:填入完整的url,如"http://10.30.2.22/upload/index.php?id=1",然后点击相应按钮,有进度条显示进度;
3.集成cmd和ping工具;
不足:
1.未完成web通用防护的编写,所以按钮暂时置灰;
2.开始测试后,不能中途停止任务(未定义cancel函数),只能等待测试完成(大约40秒以内)