def test_from_template_534(self):
fut = FileUploadTemplate()
base_url = get_php_moth_http('/audit/file_upload/strange_extension_534/')
options = fut.get_options()
options['url'].set_value(base_url + 'uploader.534')
options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000')
options['file_vars'].set_value('uploadedfile')
options['file_dest'].set_value(get_php_moth_http('/audit/file_upload/trivial/uploads/'))
options['vulnerable_parameter'].set_value('uploadedfile')
fut.set_options(options)
fut.store_in_kb()
vuln = self.kb.get(*fut.get_kb_location())[0]
vuln_to_exploit_id = vuln.get_id()
self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
def test_from_template_534(self):
fut = FileUploadTemplate()
base_url = get_php_moth_http('/audit/file_upload/strange_extension_534/')
options = fut.get_options()
options['url'].set_value(base_url + 'uploader.534')
options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000')
options['file_vars'].set_value('uploadedfile')
options['file_dest'].set_value(get_php_moth_http('/audit/file_upload/trivial/uploads/'))
options['vulnerable_parameter'].set_value('uploadedfile')
fut.set_options(options)
fut.store_in_kb()
vuln = self.kb.get(*fut.get_kb_location())[0]
vuln_to_exploit_id = vuln.get_id()
self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
class PayloadTestHelperExec(PluginTest):
target_rce = get_php_moth_http('/audit/rfi/rfi-rce.php')
_run_configs = {
'cfg': {
'target': target_rce + '?file=section.php',
'plugins': {
'audit': (PluginConfig('rfi'),),
}
}
}
def _scan_wrapper(self):
"""
:return: Run the scan and return the vulnerability itself and the
vuln_id.
"""
# Run the scan
cfg = self._run_configs['cfg']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('rfi', 'rfi')
self.assertEquals(1, len(vulns))
vuln = vulns[0]
vuln_to_exploit_id = vuln.get_id()
return vuln, vuln_to_exploit_id
def _get_shell(self):
vuln, vuln_to_exploit_id = self._scan_wrapper()
plugin = self.w3afcore.plugins.get_plugin_inst('attack', 'rfi')
self.assertTrue(plugin.can_exploit(vuln_to_exploit_id))
exploit_result = plugin.exploit(vuln_to_exploit_id)
self.assertGreaterEqual(len(exploit_result), 1)
shell = exploit_result[0]
return shell
def setUp(self):
super(PayloadTestHelperExec, self).setUp()
cf.cf.save('target_os', 'unix')
self.shell = self._get_shell()
def test_find_in_file_upload_content(self):
"""
Find XSS in the content of an uploaded file
https://github.com/andresriancho/w3af/issues/3149
"""
self.scan_file_upload_fuzz_files()
target_path = get_php_moth_http("/audit/file_upload/echo_content/")
xss_vulns = self.kb.get("xss", "xss")
kb_data = self.normalize_kb_data(xss_vulns)
EXPECTED = [("txt_uploader.php", "txt_file", ["txt_file"])]
expected_data = self.normalize_expected_data(target_path, EXPECTED)
self.assertEquals(set(expected_data), set(kb_data))
class TestRFI(ExecExploitTest):
target_url = get_php_moth_http('/audit/rfi/rfi-rce.php')
unused_port = get_unused_port()
_run_configs = {
'cfg': {
'target': target_url,
'plugins': {
'audit': (PluginConfig('rfi',
('use_w3af_site', False, PluginConfig.BOOL),
('listen_port', unused_port, PluginConfig.INT)),),
}
}
}
def test_found_exploit_rfi(self):
cfg = self._run_configs['cfg']
self._scan(cfg['target'] + '?file=abc.txt', cfg['plugins'])
# Assert the general results
vulns = self.kb.get('rfi', 'rfi')
self.assertEquals(1, len(vulns))
vuln = vulns[0]
self.assertEquals(vuln.get_name(), 'Remote code execution')
self.assertEquals(vuln.get_url().url_string, self.target_url)
vuln_to_exploit_id = vuln.get_id()
self._exploit_vuln(vuln_to_exploit_id, 'rfi')
def test_from_template(self):
rfit = RFITemplate()
options = rfit.get_options()
options['url'].set_value(self.target_url)
options['data'].set_value('file=abc.txt')
options['vulnerable_parameter'].set_value('file')
rfit.set_options(options)
rfit.store_in_kb()
vuln = self.kb.get(*rfit.get_kb_location())[0]
vuln_to_exploit_id = vuln.get_id()
self._exploit_vuln(vuln_to_exploit_id, 'rfi')
def test_find_in_file_upload_content(self):
"""
Find XSS in the content of an uploaded file
https://github.com/andresriancho/w3af/issues/3149
"""
self.scan_file_upload_fuzz_files()
target_path = get_php_moth_http('/audit/file_upload/echo_content/')
xss_vulns = self.kb.get('xss', 'xss')
kb_data = self.normalize_kb_data(xss_vulns)
EXPECTED = [('txt_uploader.php', 'txt_file', ['txt_file']), ]
expected_data = self.normalize_expected_data(target_path, EXPECTED)
self.assertEquals(
set(expected_data),
set(kb_data),
)
class TestFileUploadShell(ExecExploitTest):
file_upload_url = get_php_moth_http('/audit/file_upload/trivial/')
_run_configs = {
'cfg': {
'target': file_upload_url,
'plugins': {
'crawl':
(PluginConfig('web_spider',
('only_forward', True, PluginConfig.BOOL)), ),
'audit':
(PluginConfig('file_upload',
('extensions', 'gif,html,bmp,jpg,png,txt',
PluginConfig.LIST)), )
},
}
}
def test_found_exploit_file_upload(self):
# Run the scan
cfg = self._run_configs['cfg']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('file_upload', 'file_upload')
self.assertEquals(1, len(vulns))
vuln = vulns[0]
self.assertEquals("Insecure file upload", vuln.get_name())
vuln_to_exploit_id = vuln.get_id()
self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
def test_from_template(self):
fut = FileUploadTemplate()
base_url = get_php_moth_http('/audit/file_upload/trivial/')
options = fut.get_options()
options['url'].set_value(base_url + 'uploader.php')
options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000')
options['file_vars'].set_value('uploadedfile')
options['file_dest'].set_value(base_url + '/uploads/')
options['vulnerable_parameter'].set_value('uploadedfile')
fut.set_options(options)
fut.store_in_kb()
vuln = self.kb.get(*fut.get_kb_location())[0]
vuln_to_exploit_id = vuln.get_id()
self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
def test_from_template_534(self):
fut = FileUploadTemplate()
base_url = get_php_moth_http(
'/audit/file_upload/strange_extension_534/')
options = fut.get_options()
options['url'].set_value(base_url + 'uploader.534')
options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000')
options['file_vars'].set_value('uploadedfile')
options['file_dest'].set_value(
get_php_moth_http('/audit/file_upload/trivial/uploads/'))
options['vulnerable_parameter'].set_value('uploadedfile')
fut.set_options(options)
fut.store_in_kb()
vuln = self.kb.get(*fut.get_kb_location())[0]
vuln_to_exploit_id = vuln.get_id()
self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
class TestRFI(PluginTest):
target_rce = get_php_moth_http('/audit/rfi/rfi-rce.php')
target_read = get_php_moth_http('/audit/rfi/rfi-read.php')
_run_configs = {
'remote_rce': {
'target': target_rce + '?file=abc.txt',
'plugins': {
'audit': (PluginConfig('rfi'), ),
}
},
'local_rce': {
'target': target_rce + '?file=abc.txt',
'plugins': {
'audit': (PluginConfig(
'rfi',
('use_w3af_site', False, PluginConfig.BOOL),
), ),
}
},
'local_read': {
'target': target_read + '?file=abc.txt',
'plugins': {
'audit': (PluginConfig(
'rfi',
('use_w3af_site', False, PluginConfig.BOOL),
), ),
}
},
'remote_read': {
'target': target_read + '?file=abc.txt',
'plugins': {
'audit': (PluginConfig(
'rfi',
('use_w3af_site', False, PluginConfig.BOOL),
), ),
}
}
}
def test_found_rfi_with_w3af_site(self):
cfg = self._run_configs['remote_rce']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('rfi', 'rfi')
self.assertEquals(len(vulns), 1)
vuln = vulns[0]
self.assertEquals("Remote code execution", vuln.get_name())
self.assertEquals(self.target_rce, vuln.get_url().url_string)
@attr('smoke')
def test_found_rfi_with_local_server_rce(self):
cfg = self._run_configs['local_rce']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('rfi', 'rfi')
self.assertEquals(len(vulns), 1)
vuln = vulns[0]
self.assertEquals("Remote code execution", vuln.get_name())
self.assertEquals(self.target_rce, vuln.get_url().url_string)
def test_found_rfi_with_local_server_read(self):
cfg = self._run_configs['local_read']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('rfi', 'rfi')
self.assertEquals(len(vulns), 1)
vuln = vulns[0]
self.assertEquals("Remote file inclusion", vuln.get_name())
self.assertEquals(self.target_read, vuln.get_url().url_string)
def test_found_rfi_with_remote_server_read(self):
cfg = self._run_configs['remote_read']
self._scan(cfg['target'], cfg['plugins'])
# Assert the general results
vulns = self.kb.get('rfi', 'rfi')
self.assertEquals(len(vulns), 1)
vuln = vulns[0]
self.assertEquals("Remote file inclusion", vuln.get_name())
self.assertEquals(self.target_read, vuln.get_url().url_string)
def test_custom_web_server(self):
RFIWebHandler.RESPONSE_BODY = '<? echo "hello world"; ?>'
ws = w3afHTTPServer(('127.0.0.1', 0), '.', RFIWebHandler)
ws.wait_for_start()
port = ws.get_port()
server_thread = threading.Thread(target=ws.serve_forever)
server_thread.name = 'WebServer'
server_thread.daemon = True
server_thread.start()
foobar_url = 'http://localhost:%s/foobar' % port
spameggs_url = 'http://localhost:%s/spameggs' % port
response_foobar = urllib2.urlopen(foobar_url).read()
response_spameggs = urllib2.urlopen(spameggs_url).read()
self.assertEqual(response_foobar, response_spameggs)
self.assertEqual(response_foobar, RFIWebHandler.RESPONSE_BODY)
def scan_file_upload_fuzz_files(self):
cfg = self._run_configs['cfg']
target_path = get_php_moth_http('/audit/file_upload/echo_content/')
self._scan(target_path, cfg['plugins'])
def scan_file_upload_fuzz_files(self):
cfg = self._run_configs['cfg']
target_path = get_php_moth_http('/audit/file_upload/echo_content/')
self._scan(target_path, cfg['plugins'])
def scan_file_upload_fuzz_files(self):
cfg = self._run_configs["cfg"]
target_path = get_php_moth_http("/audit/file_upload/echo_content/")
self._scan(target_path, cfg["plugins"])
