Beispiel #1
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the send_mutant method.
        """
        orig_resp_body = mutant.get_original_response_body()
        body = response.get_body()

        for pattern_match in self._find_patterns(body):

            # Remove false positives
            if pattern_match in orig_resp_body:
                continue

            # Only report vulnerabilities once
            if self._has_bug(mutant):
                return

            # Create the vulnerability!
            desc = 'An XML External Entity injection was found at: %s'
            desc %= mutant.found_at()

            v = Vuln.from_mutant('XML External Entity', desc, severity.HIGH,
                                 response.id, self.get_name(), mutant)

            v.add_to_highlight(pattern_match)

            self.kb_append_uniq(self, 'xxe', v)
            return

        # We get here when there are no vulnerabilities in the response
        # but we still want to flag any parsing errors which might be
        # pointers to other (more complex to identify and exploit)
        # vulnerabilities
        for parser_error in self.parser_errors_multi_in.query(body):

            # Do not report that we found an error when we already found
            # something with higher priority in the same mutant
            if self._has_bug(mutant):
                return

            # Do not report the same error twice
            if self._has_bug(mutant, kb_varname='errors'):
                return

            desc = ('An XML library parsing error was found at: %s. These'
                    ' errors usually indicate that an XML injection is'
                    ' possible.')
            desc %= mutant.found_at()

            v = Vuln.from_mutant('XML Parsing Error', desc, severity.LOW,
                                 response.id, self.get_name(), mutant)

            v.add_to_highlight(parser_error)

            self.kb_append_uniq(self, 'errors', v)
            return
Beispiel #2
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the send_mutant method.
        """
        orig_resp_body = mutant.get_original_response_body()
        body = response.get_body()

        for pattern_match in self._find_patterns(body):

            # Remove false positives
            if pattern_match in orig_resp_body:
                continue

            # Only report vulnerabilities once
            if self._has_bug(mutant):
                return

            # Create the vulnerability!
            desc = 'An XML External Entity injection was found at: %s'
            desc %= mutant.found_at()

            v = Vuln.from_mutant('XML External Entity', desc, severity.HIGH,
                                 response.id, self.get_name(), mutant)

            v.add_to_highlight(pattern_match)

            self.kb_append_uniq(self, 'xxe', v)
            return

        # We get here when there are no vulnerabilities in the response
        # but we still want to flag any parsing errors which might be
        # pointers to other (more complex to identify and exploit)
        # vulnerabilities
        for parser_error in self.parser_errors_multi_in.query(body):

            # Do not report that we found an error when we already found
            # something with higher priority in the same mutant
            if self._has_bug(mutant):
                return

            # Do not report the same error twice
            if self._has_bug(mutant, kb_varname='errors'):
                return

            desc = ('An XML library parsing error was found at: %s. These'
                    ' errors usually indicate that an XML injection is'
                    ' possible.')
            desc %= mutant.found_at()

            v = Vuln.from_mutant('XML Parsing Error', desc, severity.LOW,
                                 response.id, self.get_name(), mutant)

            v.add_to_highlight(parser_error)

            self.kb_append_uniq(self, 'errors', v)
            return
Beispiel #3
0
    def _analyze_result(self, mutant, response):
        """
        Analyze the result of the previously sent request.
        :return: None, save the vuln to the kb.
        """
        # Store the mutants in order to be able to analyze the persistent case
        # later
        expected_results = self._get_expected_results(mutant)

        for expected_result in expected_results:
            self._expected_mutant_dict[expected_result] = mutant

        # Now we analyze the "reflected" case
        if self._has_bug(mutant):
            return

        for expected_result in expected_results:
            if expected_result not in response:
                continue

            if expected_result in mutant.get_original_response_body():
                continue

            desc = "Server side include (SSI) was found at: %s"
            desc %= mutant.found_at()

            v = Vuln.from_mutant(
                "Server side include vulnerability", desc, severity.HIGH, response.id, self.get_name(), mutant
            )

            v.add_to_highlight(expected_result)
            self.kb_append_uniq(self, "ssi", v)
Beispiel #4
0
    def _analyze_persistent(self, freq, response):
        """
        Analyze the response of sending each fuzzable request found by the
        framework, trying to identify any locations where we might have injected
        a payload.

        :param freq: The fuzzable request
        :param response: The HTTP response
        :return: None, vulns are stored in KB
        """
        for matched_expected_result in self._persistent_multi_in.query(response.get_body()):
            # We found one of the expected results, now we search the
            # self._expected_mutant_dict to find which of the mutants sent it
            # and create the vulnerability
            mutant = self._expected_mutant_dict[matched_expected_result]

            desc = ('Server side include (SSI) was found at: %s'
                    ' The result of that injection is shown by browsing'
                    ' to "%s".')
            desc %= (mutant.found_at(), freq.get_url())

            v = Vuln.from_mutant('Persistent server side include vulnerability',
                                 desc, severity.HIGH, response.id,
                                 self.get_name(), mutant)

            v.add_to_highlight(matched_expected_result)
            self.kb_append(self, 'ssi', v)
Beispiel #5
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        #
        #   I will only report the vulnerability once.
        #
        if self._has_no_bug(mutant):

            for error in self.ERROR_STRINGS:
                # Check if the error string is in the response

                if error in response.body and \
                error not in mutant.get_original_response_body():
                    desc = 'A possible (detection is really hard...) format'\
                          ' string vulnerability was found at: %s'
                    desc = desc % mutant.found_at()
                    
                    v = Vuln.from_mutant('Format string vulnerability', desc,
                                         severity.MEDIUM, response.id,
                                         self.get_name(), mutant)
                    
                    v.add_to_highlight(error)
                    
                    self.kb_append_uniq(self, 'format_string', v)
                    break
Beispiel #6
0
 def _report_vuln(self, mutant, response, mod_value):
     """
     Create a Vuln object and store it in the KB.
     
     :return: None
     """
     csp_protects = site_protected_against_xss_by_csp(response)
     vuln_severity = severity.LOW if csp_protects else severity.MEDIUM
     
     desc = 'A Cross Site Scripting vulnerability was found at: %s'
     desc = desc % mutant.found_at()
     
     if csp_protects:
         desc += 'The risk associated with this vulnerability was lowered'\
                 ' because the site correctly implements CSP. The'\
                 ' vulnerability is still a risk for the application since'\
                 ' only the latest versions of some browsers implement CSP'\
                 ' checking.'
     
     v = Vuln.from_mutant('Cross site scripting vulnerability', desc,
                          vuln_severity, response.id, self.get_name(),
                          mutant)
     v.add_to_highlight(mod_value) 
     
     self.kb_append_uniq(self, 'xss', v)
Beispiel #7
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if self._has_bug(mutant):
            return
        
        dom = response.get_dom()

        if response.is_text_or_html() and dom is not None:

            elem_list = self._tag_xpath(dom)

            for element in elem_list:

                if 'src' not in element.attrib:
                    return []

                src_attr = element.attrib['src']

                for url in self._test_urls:
                    if src_attr.startswith(url):
                        # Vuln vuln!
                        desc = 'A phishing vector was found at: %s'
                        desc = desc % mutant.found_at()
                        
                        v = Vuln.from_mutant('Phishing vector', desc,
                                             severity.LOW, response.id,
                                             self.get_name(), mutant)
                        
                        v.add_to_highlight(src_attr)
                        self.kb_append_uniq(self, 'phishing_vector', v)
Beispiel #8
0
    def _with_time_delay(self, freq):
        """
        Tests an URLs for shell shock vulnerabilities using time delays.

        :param freq: A FuzzableRequest
        :return: True if a vulnerability was found
        """
        mutant = self.create_mutant(freq, TEST_HEADER)

        for delay_obj in self.DELAY_TESTS:
            ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
            success, responses = ed.delay_is_controlled()

            if success:
                mutant.set_token_value(delay_obj.get_string_for_delay(3))
                desc = u"Shell shock was found at: %s" % mutant.found_at()

                v = Vuln.from_mutant(
                    u"Shell shock vulnerability",
                    desc,
                    severity.HIGH,
                    [r.id for r in responses],
                    self.get_name(),
                    mutant,
                )

                self.kb_append_uniq(self, "shell_shock", v)
                return True
Beispiel #9
0
    def _analyze_persistent(self, freq, response):
        """
        Analyze the response of sending each fuzzable request found by the
        framework, trying to identify any locations where we might have injected
        a payload.

        :param freq: The fuzzable request
        :param response: The HTTP response
        :return: None, vulns are stored in KB
        """
        multi_in_inst = multi_in(self._expected_mutant_dict.keys())

        for matched_expected_result in multi_in_inst.query(
                response.get_body()):
            # We found one of the expected results, now we search the
            # self._expected_mutant_dict to find which of the mutants sent it
            # and create the vulnerability
            mutant = self._expected_mutant_dict[matched_expected_result]

            desc = ('Server side include (SSI) was found at: %s'
                    ' The result of that injection is shown by browsing'
                    ' to "%s".')
            desc %= (mutant.found_at(), freq.get_url())

            v = Vuln.from_mutant(
                'Persistent server side include vulnerability', desc,
                severity.HIGH, response.id, self.get_name(), mutant)

            v.add_to_highlight(matched_expected_result)
            self.kb_append(self, 'ssi', v)
Beispiel #10
0
    def audit(self, freq, orig_response):
        if not self._dns_zone:
            om.out.debug("DNS zone not configured!")
            return

        self.fqdn = "xxe.{target}.{domain}".format(
            target=freq.get_uri().get_domain(), domain=self._dns_zone)
        for mutant in create_mutants(freq, [
                '&a;',
        ]):
            if isinstance(mutant, XMLMutant):
                mutant.get_dc().doctype = '<!DOCTYPE aa [\n'
                mutant.get_dc(
                ).doctype += ' <!ENTITY a SYSTEM "http://{FQDN}">\n'.format(
                    FQDN=self.fqdn)
                mutant.get_dc().doctype += ']>'
                try:
                    response = self._uri_opener.send_mutant(mutant,
                                                            cache=False,
                                                            timeout=10)
                    if self.check('get.' + self.fqdn):
                        desc = 'XXE injection at: "%s", using'\
                         ' HTTP method %s. The injectable parameter may be: "%s"'
                        desc = desc % (mutant.get_url(), mutant.get_method(),
                                       mutant.get_token_name())
                        vuln = Vuln.from_mutant('XXE injection vulnerability',
                                                desc, severity.HIGH,
                                                response.id, 'xxe', mutant)
                        om.out.debug(vuln.get_desc())
                        om.out.vulnerability("XXE injection",
                                             severity=severity.HIGH)
                except HTTPRequestException:
                    om.out.debug("HTTPRequestException")
                except Exception as e:
                    om.out.debug(str(e))
Beispiel #11
0
    def test_from_mutant(self):
        dc = DataContainer()
        url = URL('http://moth/')
        payloads = ['abc', 'def']

        dc['a'] = ['1', ]
        dc['b'] = ['2', ]
        freq = FuzzableRequest(url, dc=dc)
        fuzzer_config = {}
        
        created_mutants = Mutant.create_mutants(freq, payloads, [], False,
                                                fuzzer_config)
                
        mutant = created_mutants[0]
        
        inst = Vuln.from_mutant('TestCase', 'desc' * 30, 'High', 1,
                                'plugin_name', mutant)
        
        self.assertIsInstance(inst, Vuln)
        
        self.assertEqual(inst.get_uri(), mutant.get_uri())
        self.assertEqual(inst.get_url(), mutant.get_url())
        self.assertEqual(inst.get_method(), mutant.get_method())
        self.assertEqual(inst.get_dc(), mutant.get_dc())
        self.assertEqual(inst.get_var(), mutant.get_var())
Beispiel #12
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if self._has_bug(mutant):
            return

        dom = response.get_dom()

        if response.is_text_or_html() and dom is not None:

            elem_list = self._tag_xpath(dom)

            for element in elem_list:

                if 'src' not in element.attrib:
                    return []

                src_attr = element.attrib['src']

                for url in self._test_urls:
                    if src_attr.startswith(url):
                        # Vuln vuln!
                        desc = 'A phishing vector was found at: %s'
                        desc = desc % mutant.found_at()

                        v = Vuln.from_mutant('Phishing vector', desc,
                                             severity.LOW, response.id,
                                             self.get_name(), mutant)

                        v.add_to_highlight(src_attr)
                        self.kb_append_uniq(self, 'phishing_vector', v)
Beispiel #13
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        #
        #   I will only report the vulnerability once.
        #
        if self._has_no_bug(mutant):

            for error in self.ERROR_STRINGS:
                # Check if the error string is in the response

                if error in response.body and \
                                error not in mutant.get_original_response_body():
                    desc = 'A possible (detection is really hard...) format' \
                           ' string vulnerability was found at: %s'
                    desc = desc % mutant.found_at()

                    v = Vuln.from_mutant('Format string vulnerability', desc,
                                         severity.MEDIUM, response.id,
                                         self.get_name(), mutant)

                    v.add_to_highlight(error)

                    self.kb_append_uniq(self, 'format_string', v)
                    break
Beispiel #14
0
    def _confirm_file_upload(self, path, mutant, http_response):
        """
        Confirms if the file was uploaded to path

        :param path: The URL where we suspect that a file was uploaded to.
        :param mutant: The mutant that originated the file on the remote end
        :param http_response: The HTTP response asociated with sending mutant
        """
        get_response = self._uri_opener.GET(path, cache=False)

        if not is_404(get_response) and self._has_no_bug(mutant):
            desc = "A file upload to a directory inside the webroot" " was found at: %s" % mutant.found_at()

            v = Vuln.from_mutant(
                "Insecure file upload",
                desc,
                severity.HIGH,
                [http_response.id, get_response.id],
                self.get_name(),
                mutant,
            )

            v["file_dest"] = get_response.get_url()
            v["file_vars"] = mutant.get_file_vars()

            self.kb_append_uniq(self, "file_upload", v)
Beispiel #15
0
    def batch_injection_test(self, freq, orig_response):
        """
        Uses the batch injection technique to find memcache injections
        """
        # shortcuts
        send_clean = self._uri_opener.send_clean
        orig_body = orig_response.get_body()

        for mutant in create_mutants(freq, ['']):

            # trying to break normal execution flow with ERROR_1 payload
            mutant.set_token_value(self.ERROR_1)
            error_1_response, body_error_1_response = send_clean(mutant)

            if fuzzy_equal(orig_body, body_error_1_response, self._eq_limit):
                #
                # if we manage to break execution flow, there is a potential
                # injection otherwise - no injection!
                #
                continue

            # trying the correct injection request, to confirm that we've found
            # it!
            mutant.set_token_value(self.OK)
            ok_response, body_ok_response = send_clean(mutant)

            if fuzzy_equal(body_error_1_response, body_ok_response,
                           self._eq_limit):
                #
                # The "OK" and "ERROR_1" responses are equal, this means that
                # we're not in a memcached injection
                #
                continue

            # ERROR_2 request to just make sure that we're in a memcached case
            mutant.set_token_value(self.ERROR_2)
            error_2_response, body_error_2_response = send_clean(mutant)

            if fuzzy_equal(orig_body, body_error_2_response, self._eq_limit):
                #
                # now requests should be different again, otherwise injection
                # is not confirmed
                #
                continue

            response_ids = [error_1_response.id,
                            ok_response.id,
                            error_2_response.id]

            desc = ('Memcache injection was found at: "%s", using'
                    ' HTTP method %s. The injectable parameter is: "%s"')
            desc %= (mutant.get_url(),
                     mutant.get_method(),
                     mutant.get_token_name())

            v = Vuln.from_mutant('Memcache injection vulnerability', desc,
                                 severity.HIGH, response_ids, 'memcachei',
                                 mutant)

            self.kb_append_uniq(self, 'memcachei', v)
Beispiel #16
0
    def _analyze_result(self, mutant, response):
        """
        Analyze the result of the previously sent request.
        :return: None, save the vuln to the kb.
        """
        # Store the mutants in order to be able to analyze the persistent case
        # later
        expected_results = self._get_expected_results(mutant)

        for expected_result in expected_results:
            self._expected_mutant_dict[expected_result] = mutant

        # Now we analyze the "reflected" case
        if self._has_bug(mutant):
            return

        for expected_result in expected_results:
            if expected_result not in response:
                continue

            if expected_result in mutant.get_original_response_body():
                continue

            desc = 'Server side include (SSI) was found at: %s'
            desc %= mutant.found_at()

            v = Vuln.from_mutant('Server side include vulnerability',
                                 desc, severity.HIGH, response.id,
                                 self.get_name(), mutant)

            v.add_to_highlight(expected_result)
            self.kb_append_uniq(self, 'ssi', v)
Beispiel #17
0
    def _with_time_delay(self, freq):
        """
        Tests an URL for OS Commanding vulnerabilities using time delays.

        :param freq: A FuzzableRequest
        """
        fake_mutants = create_mutants(freq, ['', ])

        for mutant in fake_mutants:

            if self._has_bug(mutant):
                continue

            for delay_obj in self._get_wait_commands():

                ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
                success, responses = ed.delay_is_controlled()

                if success:
                    desc = 'OS Commanding was found at: %s' % mutant.found_at()
                                        
                    v = Vuln.from_mutant('OS commanding vulnerability', desc,
                                         severity.HIGH, [r.id for r in responses],
                                         self.get_name(), mutant)

                    v['os'] = delay_obj.get_OS()
                    v['separator'] = delay_obj.get_separator()

                    self.kb_append_uniq(self, 'os_commanding', v)
                    break
Beispiel #18
0
    def _confirm_file_upload(self, path, mutant, http_response, debugging_id):
        """
        Confirms if the file was uploaded to path

        :param path: The URL where we suspect that a file was uploaded to.
        :param mutant: The mutant that originated the file on the remote end
        :param http_response: The HTTP response associated with sending mutant
        """
        response = self._uri_opener.GET(path,
                                        cache=False,
                                        grep=False,
                                        debugging_id=debugging_id)

        if mutant.file_payload not in response.body:
            return

        if self._has_bug(mutant):
            return

        desc = 'A file upload to a directory inside the webroot was found at: %s'
        desc %= mutant.found_at()

        v = Vuln.from_mutant('Insecure file upload', desc,
                             severity.HIGH, [http_response.id, response.id],
                             self.get_name(), mutant)

        v['file_dest'] = response.get_url()
        v['file_vars'] = mutant.get_file_vars()

        self.kb_append_uniq(self, 'file_upload', v)
Beispiel #19
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if self._has_bug(mutant):
            return

        if self._header_was_injected(mutant, response):
            desc = "Response splitting was found at: %s" % mutant.found_at()

            v = Vuln.from_mutant(
                "Response splitting vulnerability", desc, severity.MEDIUM, response.id, self.get_name(), mutant
            )

            self.kb_append_uniq(self, "response_splitting", v)

        # When trying to send a response splitting to php 5.1.2 I get :
        # Header may not contain more than a single header, new line detected
        for error in self.HEADER_ERRORS:

            if error in response:
                desc = (
                    'The variable "%s" at URL "%s" modifies the HTTP'
                    " response headers, but this error was sent while"
                    ' testing for response splitting: "%s".'
                )
                args = (mutant.get_token_name(), mutant.get_url(), error)
                desc = desc % args
                i = Info.from_mutant("Parameter modifies response headers", desc, response.id, self.get_name(), mutant)

                self.kb_append_uniq(self, "response_splitting", i)

                return
        def analyze_persistent(freq, response):

            for matched_expected_result in multi_in_inst.query(response.get_body()):
                # We found one of the expected results, now we search the
                # self._persistent_data to find which of the mutants sent it
                # and create the vulnerability
                mutant = self._expected_res_mutant[matched_expected_result]

                desc = (
                    "Server side include (SSI) was found at: %s"
                    " The result of that injection is shown by browsing"
                    ' to "%s".'
                )
                desc = desc % (mutant.found_at(), freq.get_url())

                v = Vuln.from_mutant(
                    "Persistent server side include vulnerability",
                    desc,
                    severity.HIGH,
                    response.id,
                    self.get_name(),
                    mutant,
                )

                v.add_to_highlight(matched_expected_result)
                self.kb_append(self, "ssi", v)
Beispiel #21
0
    def test_from_mutant(self):
        dc = DataContainer()
        url = URL('http://moth/')
        payloads = ['abc', 'def']

        dc['a'] = [
            '1',
        ]
        dc['b'] = [
            '2',
        ]
        freq = FuzzableRequest(url, dc=dc)
        fuzzer_config = {}

        created_mutants = Mutant.create_mutants(freq, payloads, [], False,
                                                fuzzer_config)

        mutant = created_mutants[0]

        inst = Vuln.from_mutant('TestCase', 'desc' * 30, 'High', 1,
                                'plugin_name', mutant)

        self.assertIsInstance(inst, Vuln)

        self.assertEqual(inst.get_uri(), mutant.get_uri())
        self.assertEqual(inst.get_url(), mutant.get_url())
        self.assertEqual(inst.get_method(), mutant.get_method())
        self.assertEqual(inst.get_dc(), mutant.get_dc())
        self.assertEqual(inst.get_var(), mutant.get_var())
Beispiel #22
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        #
        #   I will only report the vulnerability once.
        #
        if self._has_no_bug(mutant):

            if self._header_was_injected(mutant, response):
                desc = 'Response splitting was found at: %s' % mutant.found_at()
                
                v = Vuln.from_mutant('Response splitting vulnerability', desc,
                                     severity.MEDIUM, response.id,
                                     self.get_name(), mutant)

                self.kb_append_uniq(self, 'response_splitting', v)
                
            # When trying to send a response splitting to php 5.1.2 I get :
            # Header may not contain more than a single header, new line detected
            for error in self.HEADER_ERRORS:

                if error in response:
                    desc = 'The variable "%s" at URL "%s" modifies the HTTP'\
                           ' response headers, but this error was sent while'\
                           ' testing for response splitting: "%s".'
                    desc = desc % (mutant.get_var(), mutant.get_url(), error)
                    i = Info.from_mutant('Parameter modifies response headers',
                                         desc, response.id, self.get_name(),
                                         mutant)
                    
                    self.kb_append_uniq(self, 'response_splitting', i)

                    return
Beispiel #23
0
    def _analyze_echo(self, mutant, response):
        """
        Analyze results of the _send_mutant method that was sent in the
        _with_echo method.
        """
        #
        #   I will only report the vulnerability once.
        #
        if self._has_bug(mutant):
            return

        for file_pattern_match in self._multi_in.query(response.get_body()):

            if file_pattern_match not in mutant.get_original_response_body():
                # Search for the correct command and separator
                sentOs, sentSeparator = self._get_os_separator(mutant)

                desc = 'OS Commanding was found at: %s' % mutant.found_at()
                # Create the vuln obj
                v = Vuln.from_mutant('OS commanding vulnerability',
                                     desc, severity.HIGH, response.id,
                                     self.get_name(), mutant)

                v['os'] = sentOs
                v['separator'] = sentSeparator
                v.add_to_highlight(file_pattern_match)

                self.kb_append_uniq(self, 'os_commanding', v)
                break
Beispiel #24
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        #
        #   I will only report the vulnerability once.
        #
        if self._has_no_bug(mutant):

            ldap_error_list = self._find_ldap_error(response)
            for ldap_error_string in ldap_error_list:
                if ldap_error_string not in mutant.get_original_response_body(
                ):

                    desc = 'LDAP injection was found at: %s' % mutant.found_at(
                    )

                    v = Vuln.from_mutant('LDAP injection vulnerability', desc,
                                         severity.HIGH, response.id,
                                         self.get_name(), mutant)

                    v.add_to_highlight(ldap_error_string)

                    self.kb_append_uniq(self, 'ldapi', v)
                    break
Beispiel #25
0
    def _confirm_file_upload(self, path, mutant, http_response):
        """
        Confirms if the file was uploaded to path

        :param path: The URL where we suspect that a file was uploaded to.
        :param mutant: The mutant that originated the file on the remote end
        :param http_response: The HTTP response asociated with sending mutant
        """
        get_response = self._uri_opener.GET(path, cache=False)

        if not is_404(get_response) and self._has_no_bug(mutant):
            # This is necessary, if I don't do this, the session
            # saver will break cause REAL file objects can't
            # be picked
            mutant.set_mod_value('<file_object>')

            desc = 'A file upload to a directory inside the webroot' \
                   ' was found at: %s' % mutant.found_at()
            
            v = Vuln.from_mutant('Insecure file upload', desc, severity.HIGH,
                                 [http_response.id, get_response.id],
                                 self.get_name(), mutant)
            
            v['file_dest'] = get_response.get_url()
            v['file_vars'] = mutant.get_file_vars()

            self.kb_append_uniq(self, 'file_upload', v)
Beispiel #26
0
    def audit(self, freq, orig_response):
        """
        Tests an URL for ReDoS vulnerabilities using time delays.

        :param freq: A FuzzableRequest
        """
        if self.ignore_this_request(freq):
            return

        fake_mutants = create_mutants(freq, [
            '',
        ])

        for mutant in fake_mutants:
            for delay_obj in self.get_delays():

                adc = AproxDelayController(mutant,
                                           delay_obj,
                                           self._uri_opener,
                                           delay_setting=EXPONENTIALLY)
                success, responses = adc.delay_is_controlled()

                if success:
                    # Now I can be sure that I found a vuln, we control the
                    # response time with the delay
                    desc = 'ReDoS was found at: %s' % mutant.found_at()

                    response_ids = [r.id for r in responses]

                    v = Vuln.from_mutant('ReDoS vulnerability', desc,
                                         severity.MEDIUM, response_ids,
                                         self.get_name(), mutant)

                    self.kb_append_uniq(self, 'redos', v)
                    break
Beispiel #27
0
    def _with_header_echo_injection(self, freq):
        """
        We're sending a payload that will trigger the injection of various
        headers in the HTTP response body.

        :param freq: A FuzzableRequest
        :return: True if a vulnerability was found
        """
        injected_header = 'shellshock'
        injected_value = 'check'
        payload = '() { :;}; echo "%s: %s"' % (injected_header, injected_value)

        mutant = self.create_mutant(freq, TEST_HEADER)
        mutant.set_token_value(payload)

        response = self._uri_opener.send_mutant(mutant)
        header_value, header_name = response.get_headers().iget(injected_header)

        if header_value is not None and injected_value in header_value.lower():
            desc = u'Shell shock was found at: %s' % mutant.found_at()

            v = Vuln.from_mutant(u'Shell shock vulnerability', desc,
                                 severity.HIGH, [response.id],
                                 self.get_name(), mutant)

            self.kb_append_uniq(self, 'shell_shock', v)
            return True
    def is_injectable(self, mutant):
        """
        Check if this mutant is delay injectable or not.

        @mutant: The mutant object that I have to inject to
        :return: A vulnerability object or None if nothing is found
        """
        for delay_obj in self._get_delays():

            ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
            success, responses = ed.delay_is_controlled()

            if success:
                # Now I can be sure that I found a vuln, we control the response
                # time with the delay
                desc = 'Blind SQL injection using time delays was found at: %s'
                desc = desc % mutant.found_at()

                response_ids = [r.id for r in responses]

                v = Vuln.from_mutant('Blind SQL injection vulnerability', desc,
                                     severity.HIGH, response_ids, 'blind_sqli',
                                     mutant)

                om.out.debug(v.get_desc())

                return v

        return None
Beispiel #29
0
    def _find_delay_in_mutant(self, mutant, delay_obj, debugging_id):
        """
        Try to delay the response and save a vulnerability if successful

        :param mutant: The mutant to modify and test
        :param delay_obj: The delay to use
        :param debugging_id: The debugging ID for logging
        """
        adc = AproxDelayController(mutant,
                                   delay_obj,
                                   self._uri_opener,
                                   delay_setting=EXPONENTIALLY)
        adc.set_debugging_id(debugging_id)
        success, responses = adc.delay_is_controlled()

        if not success:
            return

        # Now I can be sure that I found a vuln, we control the
        # response time with the delay
        desc = 'ReDoS was found at: %s' % mutant.found_at()
        response_ids = [r.id for r in responses]

        v = Vuln.from_mutant('ReDoS vulnerability', desc, severity.MEDIUM,
                             response_ids, self.get_name(), mutant)

        self.kb_append_uniq(self, 'redos', v)
Beispiel #30
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if not response.is_text_or_html():
            return

        if self._has_bug(mutant):
            return

        for tag in mp_doc_parser.get_tags_by_filter(response, self.TAGS):
            src_attr = tag.attrib.get('src', None)
            if src_attr is None:
                continue

            for url in self._test_urls:
                if not src_attr.startswith(url):
                    continue

                # Vuln vuln!
                desc = 'A phishing vector was found at: %s'
                desc %= mutant.found_at()

                v = Vuln.from_mutant('Phishing vector', desc, severity.LOW,
                                     response.id, self.get_name(), mutant)

                v.add_to_highlight(src_attr)
                self.kb_append_uniq(self, 'phishing_vector', v)
                break
    def is_injectable(self, mutant):
        """
        Check if this mutant is delay injectable or not.

        @mutant: The mutant object that I have to inject to
        :return: A vulnerability object or None if nothing is found
        """
        for delay_obj in self._get_delays():

            ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
            success, responses = ed.delay_is_controlled()

            if success:
                # Now I can be sure that I found a vuln, we control the response
                # time with the delay
                desc = 'Blind SQL injection using time delays was found at: %s'
                desc = desc % mutant.found_at()
                
                response_ids = [r.id for r in responses]
                
                v = Vuln.from_mutant('Blind SQL injection vulnerability', desc,
                                     severity.HIGH, response_ids, 'blind_sqli',
                                     mutant)

                om.out.debug(v.get_desc())

                return v

        return None
Beispiel #32
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if self._has_bug(mutant):
            return

        if self._header_was_injected(mutant, response):
            desc = 'Response splitting was found at: %s' % mutant.found_at()

            v = Vuln.from_mutant('Response splitting vulnerability',
                                 desc, severity.MEDIUM, response.id,
                                 self.get_name(), mutant)

            self.kb_append_uniq(self, 'response_splitting', v)

        # When trying to send a response splitting to php 5.1.2 I get :
        # Header may not contain more than a single header, new line detected
        for error in self.HEADER_ERRORS:

            if error in response:
                desc = ('The variable "%s" at URL "%s" modifies the HTTP'
                        ' response headers, but this error was sent while'
                        ' testing for response splitting: "%s".')
                args = (mutant.get_token_name(), mutant.get_url(), error)
                desc = desc % args
                i = Info.from_mutant('Parameter modifies response headers',
                                     desc, response.id, self.get_name(),
                                     mutant)

                self.kb_append_uniq(self, 'response_splitting', i)

                return
Beispiel #33
0
    def _analyze_echo(self, mutant, response):
        """
        Analyze results of the _send_mutant method that was sent in the
        _with_echo method.
        """
        #
        #   I will only report the vulnerability once.
        #
        if self._has_bug(mutant):
            return

        for file_pattern_match in self._multi_in.query(response.get_body()):

            if file_pattern_match not in mutant.get_original_response_body():
                # Search for the correct command and separator
                sentOs, sentSeparator = self._get_os_separator(mutant)

                desc = 'OS Commanding was found at: %s' % mutant.found_at()
                # Create the vuln obj
                v = Vuln.from_mutant('OS commanding vulnerability', desc,
                                     severity.HIGH, response.id,
                                     self.get_name(), mutant)

                v['os'] = sentOs
                v['separator'] = sentSeparator
                v.add_to_highlight(file_pattern_match)

                self.kb_append_uniq(self, 'os_commanding', v)
                break
Beispiel #34
0
    def _with_header_echo_injection(self, freq, debugging_id):
        """
        We're sending a payload that will trigger the injection of various
        headers in the HTTP response body.

        :param freq: A FuzzableRequest
        :return: True if a vulnerability was found
        """
        injected_header = 'shellshock'
        injected_value = 'check'
        payload = '() { :;}; echo "%s: %s"' % (injected_header, injected_value)

        mutant = self.create_mutant(freq, TEST_HEADER)
        mutant.set_token_value(payload)

        response = self._uri_opener.send_mutant(mutant, debugging_id=debugging_id)
        header_value, header_name = response.get_headers().iget(injected_header)

        if header_value is not None and injected_value in header_value.lower():
            desc = u'Shell shock was found at: %s' % mutant.found_at()

            v = Vuln.from_mutant(u'Shell shock vulnerability', desc,
                                 severity.HIGH, [response.id],
                                 self.get_name(), mutant)

            self.kb_append_uniq(self, 'shell_shock', v)
            return True
Beispiel #35
0
    def _confirm_file_upload(self, path, mutant, http_response):
        """
        Confirms if the file was uploaded to path

        :param path: The URL where we suspect that a file was uploaded to.
        :param mutant: The mutant that originated the file on the remote end
        :param http_response: The HTTP response asociated with sending mutant
        """
        get_response = self._uri_opener.GET(path, cache=False)

        if not is_404(get_response) and self._has_no_bug(mutant):
            # This is necessary, if I don't do this, the session
            # saver will break cause REAL file objects can't
            # be picked
            mutant.set_mod_value('<file_object>')

            desc = 'A file upload to a directory inside the webroot' \
                   ' was found at: %s' % mutant.found_at()

            v = Vuln.from_mutant('Insecure file upload', desc, severity.HIGH,
                                 [http_response.id, get_response.id],
                                 self.get_name(), mutant)

            v['file_dest'] = get_response.get_url()
            v['file_vars'] = mutant.get_file_vars()

            self.kb_append_uniq(self, 'file_upload', v)
            return
Beispiel #36
0
    def _report_vuln(self, mutant, response, mod_value):
        """
        Create a Vuln object and store it in the KB.
        
        :return: None
        """
        csp_protects = site_protected_against_xss_by_csp(response)
        vuln_severity = severity.LOW if csp_protects else severity.MEDIUM

        desc = 'A Cross Site Scripting vulnerability was found at: %s'
        desc %= mutant.found_at()

        if csp_protects:
            desc += ('The risk associated with this vulnerability was lowered'
                     ' because the site correctly implements CSP. The'
                     ' vulnerability is still a risk for the application since'
                     ' only the latest versions of some browsers implement CSP'
                     ' checking.')

        v = Vuln.from_mutant('Cross site scripting vulnerability', desc,
                             vuln_severity, response.id, self.get_name(),
                             mutant)
        v.add_to_highlight(mod_value)

        self.kb_append_uniq(self, 'xss', v)
Beispiel #37
0
    def audit(self, freq, orig_response):
        """
        Tests an URL for ReDoS vulnerabilities using time delays.

        :param freq: A FuzzableRequest
        """
        if self.ignore_this_request(freq):
            return

        fake_mutants = create_mutants(freq, ['', ])

        for mutant in fake_mutants:
            for delay_obj in self.get_delays():
                
                adc = AproxDelayController(mutant, delay_obj, self._uri_opener,
                                           delay_setting=EXPONENTIALLY)
                success, responses = adc.delay_is_controlled()
    
                if not success:
                    continue

                # Now I can be sure that I found a vuln, we control the
                # response time with the delay
                desc = 'ReDoS was found at: %s' % mutant.found_at()
                response_ids = [r.id for r in responses]

                v = Vuln.from_mutant('ReDoS vulnerability', desc,
                                     severity.MEDIUM, response_ids,
                                     self.get_name(), mutant)

                self.kb_append_uniq(self, 'redos', v)

                # Only test regular expressions until we find a delay
                break
Beispiel #38
0
    def _with_time_delay(self, freq):
        """
        Tests an URL for OS Commanding vulnerabilities using time delays.

        :param freq: A FuzzableRequest
        """
        fake_mutants = create_mutants(freq, [
            '',
        ])

        for mutant in fake_mutants:

            if self._has_bug(mutant):
                continue

            for delay_obj in self._get_wait_commands():

                ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
                success, responses = ed.delay_is_controlled()

                if success:
                    desc = 'OS Commanding was found at: %s' % mutant.found_at()

                    v = Vuln.from_mutant('OS commanding vulnerability', desc,
                                         severity.HIGH,
                                         [r.id for r in responses],
                                         self.get_name(), mutant)

                    v['os'] = delay_obj.get_OS()
                    v['separator'] = delay_obj.get_separator()

                    self.kb_append_uniq(self, 'os_commanding', v)
                    break
Beispiel #39
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if not response.is_text_or_html():
            return

        if self._has_bug(mutant):
            return

        for tag in mp_doc_parser.get_tags_by_filter(response, self.TAGS):
            src_attr = tag.attrib.get('src', None)
            if src_attr is None:
                continue

            for url in self._test_urls:
                if not src_attr.startswith(url):
                    continue

                # Vuln vuln!
                desc = 'A phishing vector was found at: %s'
                desc %= mutant.found_at()

                v = Vuln.from_mutant('Phishing vector', desc, severity.LOW,
                                     response.id, self.get_name(), mutant)

                v.add_to_highlight(src_attr)
                self.kb_append_uniq(self, 'phishing_vector', v)
                break
Beispiel #40
0
    def batch_injection_test(self, freq, orig_response):
        """
        Uses the batch injection technique to find memcache injections
        """
        # shortcuts
        send_clean = self._uri_opener.send_clean
        orig_body = orig_response.get_body()

        for mutant in create_mutants(freq, ['']):

            # trying to break normal execution flow with ERROR_1 payload
            mutant.set_token_value(self.ERROR_1)
            error_1_response, body_error_1_response = send_clean(mutant)

            if fuzzy_equal(orig_body, body_error_1_response, self._eq_limit):
                #
                # if we manage to break execution flow, there is a potential
                # injection otherwise - no injection!
                #
                continue

            # trying the correct injection request, to confirm that we've found
            # it!
            mutant.set_token_value(self.OK)
            ok_response, body_ok_response = send_clean(mutant)

            if fuzzy_equal(body_error_1_response, body_ok_response,
                           self._eq_limit):
                #
                # The "OK" and "ERROR_1" responses are equal, this means that
                # we're not in a memcached injection
                #
                continue

            # ERROR_2 request to just make sure that we're in a memcached case
            mutant.set_token_value(self.ERROR_2)
            error_2_response, body_error_2_response = send_clean(mutant)

            if fuzzy_equal(orig_body, body_error_2_response, self._eq_limit):
                #
                # now requests should be different again, otherwise injection
                # is not confirmed
                #
                continue

            response_ids = [
                error_1_response.id, ok_response.id, error_2_response.id
            ]

            desc = ('Memcache injection was found at: "%s", using'
                    ' HTTP method %s. The injectable parameter is: "%s"')
            desc %= (mutant.get_url(), mutant.get_method(),
                     mutant.get_token_name())

            v = Vuln.from_mutant('Memcache injection vulnerability', desc,
                                 severity.HIGH, response_ids, 'memcachei',
                                 mutant)

            self.kb_append_uniq(self, 'memcachei', v)
Beispiel #41
0
    def _analyze_result(self, rfi_data, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if rfi_data.rfi_result in response:
            desc = 'A remote file inclusion vulnerability that allows remote' \
                   ' code execution was found at: %s' % mutant.found_at()

            v = Vuln.from_mutant('Remote code execution', desc, severity.HIGH,
                                 response.id, self.get_name(), mutant)

            self._vulns.append(v)

        elif rfi_data.rfi_result_part_1 in response \
        and rfi_data.rfi_result_part_2 in response:
            # This means that both parts ARE in the response body but the
            # rfi_data.rfi_result is NOT in it. In other words, the remote
            # content was embedded but not executed
            desc = 'A remote file inclusion vulnerability without code' \
                   ' execution was found at: %s' % mutant.found_at()

            v = Vuln.from_mutant('Remote file inclusion',
                                 desc, severity.MEDIUM, response.id,
                                 self.get_name(), mutant)

            self._vulns.append(v)

        else:
            #
            #   Analyze some errors that indicate that there is a RFI but
            #   with some "configuration problems"
            #
            for error in self.RFI_ERRORS:
                if error in response and not error in mutant.get_original_response_body(
                ):
                    desc = 'A potential remote file inclusion vulnerability' \
                           ' was identified by the means of application error' \
                           ' messages at: %s' % mutant.found_at()

                    v = Vuln.from_mutant('Potential remote file inclusion',
                                         desc, severity.LOW, response.id,
                                         self.get_name(), mutant)

                    v.add_to_highlight(error)
                    self._vulns.append(v)
                    break
Beispiel #42
0
    def _analyze_result(self, rfi_data, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if rfi_data.rfi_result in response:
            desc = 'A remote file inclusion vulnerability that allows remote' \
                   ' code execution was found at: %s' % mutant.found_at()
            
            v = Vuln.from_mutant('Remote code execution', desc,
                                 severity.HIGH, response.id, self.get_name(),
                                 mutant)

            self._vulns.append(v)

        elif rfi_data.rfi_result_part_1 in response \
        and rfi_data.rfi_result_part_2 in response:
            # This means that both parts ARE in the response body but the
            # rfi_data.rfi_result is NOT in it. In other words, the remote
            # content was embedded but not executed
            desc = 'A remote file inclusion vulnerability without code' \
                   ' execution was found at: %s' % mutant.found_at()
            
            v = Vuln.from_mutant('Remote file inclusion', desc,
                                 severity.MEDIUM, response.id, self.get_name(),
                                 mutant)

            self._vulns.append(v)

        else:
            #
            #   Analyze some errors that indicate that there is a RFI but
            #   with some "configuration problems"
            #
            for error in self.RFI_ERRORS:
                if error in response and not error in mutant.get_original_response_body():
                    desc = 'A potential remote file inclusion vulnerability' \
                           ' was identified by the means of application error' \
                           ' messages at: %s' % mutant.found_at()
                    
                    v = Vuln.from_mutant('Potential remote file inclusion',
                                         desc, severity.LOW, response.id,
                                         self.get_name(), mutant)

                    v.add_to_highlight(error)
                    self._vulns.append(v)
                    break
Beispiel #43
0
class redos(AuditPlugin):
    """
    Find ReDoS vulnerabilities.

    :author: Sebastien Duquette ( [email protected] )
    :author: Andres Riancho ([email protected])
    """
    def audit(self, freq, orig_response, debugging_id):
        """
        Tests an URL for ReDoS vulnerabilities using time delays.

        :param freq: A FuzzableRequest
        :param orig_response: The HTTP response associated with the fuzzable request
        :param debugging_id: A unique identifier for this call to audit()
        """
        if self.ignore_this_request(freq):
            return

        self._send_mutants_in_threads(func=self._find_delay_in_mutant,
                                      iterable=self._generate_delay_tests(
                                          freq, debugging_id),
                                      callback=lambda x, y: None)

    def _generate_delay_tests(self, freq, debugging_id):
        for mutant in create_mutants(freq, [
                '',
        ]):
            for delay_obj in self.get_delays():
                yield mutant, delay_obj, debugging_id

    def _find_delay_in_mutant(self, (mutant, delay_obj, debugging_id)):
        """
        Try to delay the response and save a vulnerability if successful

        :param mutant: The mutant to modify and test
        :param delay_obj: The delay to use
        :param debugging_id: The debugging ID for logging
        """
        adc = AproxDelayController(mutant,
                                   delay_obj,
                                   self._uri_opener,
                                   delay_setting=EXPONENTIALLY)
        adc.set_debugging_id(debugging_id)
        success, responses = adc.delay_is_controlled()

        if not success:
            return

        # Now I can be sure that I found a vuln, we control the
        # response time with the delay
        desc = 'ReDoS was found at: %s' % mutant.found_at()
        response_ids = [r.id for r in responses]

        v = Vuln.from_mutant('ReDoS vulnerability', desc, severity.MEDIUM,
                             response_ids, self.get_name(), mutant)

        self.kb_append_uniq(self, 'redos', v)
Beispiel #44
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if self._find_redirect(response):
            desc = 'Global redirect was found at: ' + mutant.found_at()

            v = Vuln.from_mutant('Insecure redirection', desc, severity.MEDIUM,
                                 response.id, self.get_name(), mutant)

            self.kb_append_uniq(self, 'global_redirect', v)
Beispiel #45
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if self._find_redirect(response):
            desc = 'Global redirect was found at: ' + mutant.found_at()
            
            v = Vuln.from_mutant('Insecure redirection', desc, severity.MEDIUM,
                                 response.id, self.get_name(), mutant)

            self.kb_append_uniq(self, 'global_redirect', v)
Beispiel #46
0
    def _from_csv_get_vulns(self):
        file_vulns = []
        vuln_reader = csv.reader(open(self.OUTPUT_FILE, 'rb'), delimiter=',',
                                 quotechar='|', quoting=csv.QUOTE_MINIMAL)

        for name, method, uri, var, post_data, _id, desc in vuln_reader:
            mutant = create_mutant_from_params(method, uri, var, post_data)
            v = Vuln.from_mutant(name, desc, 'High', json.loads(_id),
                                 'TestCase', mutant)
            file_vulns.append(v)

        return file_vulns
Beispiel #47
0
    def is_injectable(self, mutant):
        is_vuln = False
        resp_len_orig = len(self._orig_response.get_body())
        mutant.set_token_value(self._get_random_letters(10))
        resp_valid = self._do_request(mutant)
        resp_len_valid = len(resp_valid.get_body())
        resp_time_valid = resp_valid.get_wait_time()

        for injection in BOOLEAN_BASED:
            mutant.set_token_value(injection)
            resp_injection = self._do_request(mutant)
            if not resp_injection:
                is_vuln = True
                break
            resp_len_injection = len(resp_injection.get_body())
            if resp_len_injection != resp_len_valid != resp_len_orig:
                is_vuln = True
                break
            sleep(self._timeout)

        if not is_vuln:
            for injection in TIME_BASED:
                mutant.set_token_value(injection)
                resp_injection = self._do_request(mutant)
                if not resp_injection:
                    is_vuln = True
                    break
                resp_time_injection = resp_injection.get_wait_time()
                if resp_time_injection > resp_time_valid + 1:
                    is_vuln = True
                    break
                sleep(self._timeout)

        if is_vuln:
            response_ids = [resp_valid.id, resp_injection.id]

            desc = 'NOSQL injection at: "%s", using'\
                   ' HTTP method %s. The injectable parameter may be: "%s"'
            desc = desc % (mutant.get_url(), mutant.get_method(),
                           mutant.get_token_name())

            vuln = Vuln.from_mutant('NOSQL injection vulnerability', desc,
                                    severity.HIGH, response_ids, 'nosqli',
                                    mutant)

            om.out.debug(vuln.get_desc())
            om.out.vulnerability("NOSQL injection", severity=severity.HIGH)

            vuln['valid_html'] = self.resp_valid.get_body()
            vuln['error_html'] = self.resp_injection.get_body()
            return vuln
Beispiel #48
0
    def _from_csv_get_vulns(self):
        file_vulns = []
        vuln_reader = csv.reader(open(self.OUTPUT_FILE, 'rb'),
                                 delimiter=',',
                                 quotechar='|',
                                 quoting=csv.QUOTE_MINIMAL)

        for severity, name, method, uri, var, post_data, _id, desc in vuln_reader:
            mutant = create_mutant_from_params(method, uri, var, post_data)
            v = Vuln.from_mutant(name, desc, severity, json.loads(_id),
                                 'TestCase', mutant)
            file_vulns.append(v)

        return file_vulns
Beispiel #49
0
	def audit(self, freq, orig_response):
		if not self._dns_zone:
			om.out.debug("DNS zone not configured!")
			return

		self.fqdn_imagemagic_exist = "im.{target}.{domain}".format( target=freq.get_uri().get_domain(), domain=self._dns_zone )
		self.fqdn_imagemagic_vuln = "rce.{target}.{domain}".format( target=freq.get_uri().get_domain(), domain=self._dns_zone )
		PAYLOAD = imagemagic.PAYLOAD.format( detect=self.fqdn_imagemagic_exist, rce=self.fqdn_imagemagic_vuln )
		for mutant in create_mutants(freq, [PAYLOAD, ]):
			if isinstance(mutant, FileContentMutant):
				try:
					response = self._uri_opener.send_mutant( mutant, cache=False, timeout=10 )
					if self.check('get.' + self.fqdn_imagemagic_exist):
						desc = 'Imagemagic found: "%s"' % response.get_uri()
						i = Vuln.from_mutant('Imagemagic detected', desc,
										severity.INFORMATION, response.id, self.get_name(),
										mutant)
						i.add_to_highlight('Imagemagic')
						self.kb_append_uniq(self, 'imagemagic_detect', i)

					if self.check('get.' + self.fqdn_imagemagic_vuln):
						desc = 'Imagemagic OS-injection at: "%s", using'\
							' HTTP method %s. The injectable parameter may be: "%s"'
						desc = desc % ( mutant.get_url(),
										mutant.get_method(),
										mutant.get_token_name() )
						vuln = Vuln.from_mutant('Imagemagic OS-injection vulnerability', desc,
										severity.HIGH, response.id, self.get_name(),
										mutant)
						self.kb_append_uniq(self, 'imagemagic_rce', vuln)
						

				except HTTPRequestException:
					om.out.debug("HTTPRequestException")
				except Exception as e:
					om.out.debug( str(e) )
Beispiel #50
0
 def _analyze_result(self, mutant, response):
     """
     Analyze results of the _send_mutant method.
     """
     for error_str in self._multi_in.query(response.body):
         # And not in the original response
         if error_str not in mutant.get_original_response_body() and \
         self._has_no_bug(mutant):
             desc = 'A potential buffer overflow (accurate detection is' \
                    ' hard...) was found at: %s' % mutant.found_at()
                   
             v = Vuln.from_mutant('Buffer overflow vulnerability', desc,
                                  severity.MEDIUM, response.id,
                                  self.get_name(), mutant)
             v.add_to_highlight(error_str)
             
             self.kb_append_uniq(self, 'buffer_overflow', v)
Beispiel #51
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        for error_str in self._multi_in.query(response.body):
            # And not in the original response
            if error_str not in mutant.get_original_response_body() and \
                    self._has_no_bug(mutant):
                desc = 'A potential buffer overflow (accurate detection is' \
                       ' hard...) was found at: %s' % mutant.found_at()

                v = Vuln.from_mutant('Buffer overflow vulnerability', desc,
                                     severity.MEDIUM, response.id,
                                     self.get_name(), mutant)
                v.add_to_highlight(error_str)

                self.kb_append_uniq(self, 'buffer_overflow', v)
Beispiel #52
0
    def _analyze_echo(self, mutant, response):
        """
        Analyze results of the _send_mutant method that was sent in the
        _fuzz_with_echo method.
        """
        eval_error_list = self._find_eval_result(response)
        for eval_error in eval_error_list:
            if not re.search(eval_error, mutant.get_original_response_body(),
                             re.I):
                desc = 'eval() input injection was found at: %s'
                desc = desc % mutant.found_at()

                v = Vuln.from_mutant('eval() input injection vulnerability',
                                     desc, severity.HIGH, response.id,
                                     self.get_name(), mutant)

                self.kb_append_uniq(self, 'eval', v)
Beispiel #53
0
    def _analyze_echo(self, mutant, response):
        """
        Analyze results of the _send_mutant method that was sent in the
        _fuzz_with_echo method.
        """
        eval_error_list = self._find_eval_result(response)
        for eval_error in eval_error_list:
            if not re.search(eval_error,
                             mutant.get_original_response_body(), re.I):

                desc = 'eval() input injection was found at: %s'
                desc = desc % mutant.found_at()

                v = Vuln.from_mutant('eval() input injection vulnerability',
                                     desc, severity.HIGH, response.id,
                                     self.get_name(), mutant)

                self.kb_append_uniq(self, 'eval', v)
Beispiel #54
0
    def _analyze_result(self, mutant, response):
        """
        Analyze the result of the previously sent request.
        :return: None, save the vuln to the kb.
        """
        if self._has_no_bug(mutant):
            e_res = self._extract_result_from_payload(mutant.get_token_value())
            if e_res in response and not e_res in mutant.get_original_response_body():
                
                desc = 'Server side include (SSI) was found at: %s'
                desc = desc % mutant.found_at()
                
                v = Vuln.from_mutant('Server side include vulnerability', desc,
                                     severity.HIGH, response.id, self.get_name(),
                                     mutant)

                v.add_to_highlight(e_res)
                self.kb_append_uniq(self, 'ssi', v)
Beispiel #55
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        if self._has_bug(mutant):
            return

        self._report_php_errors(mutant, response)

        if not self._header_was_injected(mutant, response):
            return

        desc = 'Response splitting was found at: %s' % mutant.found_at()
        v = Vuln.from_mutant('Response splitting vulnerability', desc,
                             severity.MEDIUM, response.id, self.get_name(),
                             mutant)

        self.kb_append_uniq(self, 'response_splitting', v)
Beispiel #56
0
    def _analyze_result(self, mutant, response):
        """
        Analyze the result of the previously sent request.
        :return: None, save the vuln to the kb.
        """
        if self._has_no_bug(mutant):
            e_res = self._extract_result_from_payload(mutant.get_token_value())
            if e_res in response and not e_res in mutant.get_original_response_body():
                
                desc = 'Server side include (SSI) was found at: %s'
                desc = desc % mutant.found_at()
                
                v = Vuln.from_mutant('Server side include vulnerability', desc,
                                     severity.HIGH, response.id, self.get_name(),
                                     mutant)

                v.add_to_highlight(e_res)
                self.kb_append_uniq(self, 'ssi', v)
Beispiel #57
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method.
        """
        # I will only report the vulnerability once.
        if self._has_no_bug(mutant):

            mx_error_list = self._multi_in.query(response.body)
            for mx_error in mx_error_list:
                if mx_error not in mutant.get_original_response_body():
                    
                    desc = 'MX injection was found at: %s' % mutant.found_at()
                    
                    v = Vuln.from_mutant('MX injection vulnerability', desc,
                                         severity.MEDIUM, response.id,
                                         self.get_name(), mutant)
                    
                    v.add_to_highlight(mx_error)
                    self.kb_append_uniq(self, 'mx_injection', v)
                    break
Beispiel #58
0
    def _analyze_result(self, mutant, response):
        """
        Analyze results of the _send_mutant method, in order for a Rosetta Flash
        vulnerability to be present we need to have the FLASH attribute
        reflected at the beginning of the response body
        """
        if self._has_bug(mutant):
            return

        if not response.get_body().startswith(self.FLASH):
            return

        desc = 'Rosetta flash vulnerability found in JSONP endpoint at: %s'
        desc %= mutant.found_at()

        v = Vuln.from_mutant('Rosetta Flash', desc,
                             severity.LOW, response.id,
                             self.get_name(), mutant)
        v.add_to_highlight(self.FLASH)
        self.kb_append_uniq(self, 'rosetta_flash', v)
Beispiel #59
0
    def end(self):
        """
        This method is called when the plugin wont be used anymore.
        """
        all_findings = kb.kb.get_all_findings()

        for url, variable, mutant, id_list in self._potential_vulns:
            for info in all_findings:
                if info.get_token_name() == variable and info.get_url() == url:
                    break
            else:
                desc = 'An unidentified vulnerability was found at: %s'
                desc = desc % mutant.found_at()
                
                v = Vuln.from_mutant('Unidentified vulnerability', desc,
                                     severity.MEDIUM, id_list, self.get_name(),
                                     mutant)
        
                self.kb_append_uniq(self, 'generic', v)
        
        self._potential_vulns.cleanup()        
Beispiel #60
0
    def end(self):
        """
        This method is called when the plugin wont be used anymore.
        """
        all_findings = kb.kb.get_all_findings()

        for url, variable, mutant, id_list in self._potential_vulns:
            for info in all_findings:
                if info.get_token_name() == variable and info.get_url() == url:
                    break
            else:
                desc = ('An unhandled error, which could potentially translate'
                        ' to a vulnerability, was found at: %s')
                desc %= mutant.found_at()
                
                v = Vuln.from_mutant('Unhandled error in web application', desc,
                                     severity.LOW, id_list, self.get_name(),
                                     mutant)
        
                self.kb_append_uniq(self, 'generic', v)
        
        self._potential_vulns.cleanup()