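 def is_injectable( self, mutant ):
     '''
     Check if this mutant is delay injectable or not.
     
     Every delay object returned by self._get_delays() is tried through
     exact_delay; the first one whose delay shows up in the response time
     is taken as evidence of a blind (time based) SQL injection and the
     search stops there.
     
     @mutant: The mutant object that I have to inject to
     @return: A vulnerability object or None if nothing is found
     '''
     for delay_obj in self._get_delays():
         
         ed = exact_delay(mutant, delay_obj, self._uri_opener)
         success, responses = ed.delay_is_controlled()
         
         if not success:
             continue
         
         # exact_delay reported that the response time follows the delay
         # we asked for. It is the one responsible for telling a real,
         # attacker controlled delay from network jitter, so its verdict
         # is trusted here without further checks.
         v = vuln.vuln( mutant )
         v.setName( 'Blind SQL injection vulnerability' )
         v.setSeverity(severity.HIGH)
         desc = 'Blind SQL injection using time delays was found at: %s'
         desc = desc % mutant.foundAt()
         v.setDesc( desc )
         v.setDc( mutant.getDc() )
         v.setId( [r.id for r in responses ] )
         # The URI is taken from the last response of the delay test. The
         # original read the comprehension variable "r" after the
         # comprehension, which only works because Python 2 leaks it and
         # is a NameError on Python 3; index the list explicitly instead.
         v.setURI( responses[-1].getURI() )
         
         om.out.debug( v.getDesc() )
         
         return v
         
     return None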
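 def _with_time_delay(self, freq):
     '''
     Tests an URL for OS Commanding vulnerabilities using time delays.
     
     One mutant per injection point is created with an empty payload
     (presumably exact_delay substitutes the real wait command - verify
     there), points that already have a reported bug are skipped, and the
     first wait command whose delay shows up in the response time is
     stored in the knowledge base as an 'osCommanding' vulnerability.
     
     @param freq: A fuzzableRequest
     '''
     fake_mutants = createMutants(freq, ['',])
     
     for mutant in fake_mutants:
         
         # Don't report the same injection point twice
         if self._has_bug(mutant):
             continue
         
         for delay_obj in self._get_wait_commands():
             
             ed = exact_delay(mutant, delay_obj, self._uri_opener)
             success, responses = ed.delay_is_controlled()
             
             if not success:
                 continue
             
             # exact_delay is the one responsible for telling a real,
             # attacker controlled delay from network jitter; its verdict
             # is trusted here without further checks.
             v = vuln.vuln( mutant )
             v.setPluginName(self.getName())
             v.setName( 'OS commanding vulnerability' )
             v.setSeverity(severity.HIGH)
             # Record which OS / command separator the working wait
             # command was built for, alongside the finding.
             v['os'] = delay_obj.get_OS()
             v['separator'] = delay_obj.get_separator()
             v.setDesc( 'OS Commanding was found at: ' + mutant.foundAt() )
             v.setDc( mutant.getDc() )
             v.setId( [r.id for r in responses] )
             # The URI is taken from the last response of the delay test.
             # The original read the comprehension variable "r" after the
             # comprehension, which only works because Python 2 leaks it
             # and is a NameError on Python 3; index the list instead.
             v.setURI( responses[-1].getURI() )
             kb.kb.append( self, 'osCommanding', v )
             
             # One finding per injection point is enough; move on to the
             # next mutant rather than trying the remaining wait commands.
             break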
    def _fuzz_with_time_delay(self, freq):
        """
        Tests an URL for eval() usage vulnerabilities using time delays.

        One mutant per injection point is created with an empty payload
        (presumably exact_delay substitutes the real one - verify there),
        points that already have a known bug are skipped, and the first
        object in self.WAIT_OBJ whose delay shows up in the response time
        is stored in the knowledge base under "eval".

        @param freq: A fuzzableRequest
        """
        for fake_mutant in createMutants(freq, [""]):

            # Never report the same injection point twice.
            if self._has_bug(fake_mutant):
                continue

            for wait_obj in self.WAIT_OBJ:

                delay_test = exact_delay(fake_mutant, wait_obj, self._uri_opener)
                controlled, resp_list = delay_test.delay_is_controlled()

                if not controlled:
                    continue

                # exact_delay decided the response time follows our delay;
                # it is the one in charge of ruling out network jitter.
                finding = vuln.vuln(fake_mutant)
                finding.setPluginName(self.getName())
                finding.setId([resp.id for resp in resp_list])
                finding.setSeverity(severity.HIGH)
                finding.setName("eval() input injection vulnerability")
                finding.setDesc("eval() input injection was found at: " + fake_mutant.foundAt())
                kb.kb.append(self, "eval", finding)

                # One finding per injection point; skip the remaining
                # wait objects and continue with the next mutant.
                break