def initialize(url, include, headers, GET, delay, paramList, threadCount):
url = stabilize(url)
if not url:
return {}
else:
firstResponse = requester(url, include, headers, GET, delay)
originalFuzz = randomString(6)
data = {originalFuzz: originalFuzz[::-1]}
data.update(include)
response = requester(url, data, headers, GET, delay)
reflections = response.text.count(originalFuzz[::-1])
originalResponse = response.text
originalCode = response.status_code
newLength = len(response.text)
plainText = removeTags(originalResponse)
plainTextLength = len(plainText)
factors = {'sameHTML': False, 'samePlainText': False}
if len(firstResponse.text) == len(originalResponse):
factors['sameHTML'] = True
elif len(removeTags(firstResponse.text)) == len(plainText):
factors['samePlainText'] = True
heuristic(firstResponse.text, paramList)
fuzz = randomString(8)
data = {fuzz: fuzz[::-1]}
data.update(include)
toBeChecked = slicer(paramList, 50)
foundParamsTemp = []
while True:
toBeChecked = narrower(toBeChecked, url, include, headers, GET,
delay, originalResponse, originalCode,
reflections, factors, threadCount)
toBeChecked = unityExtracter(toBeChecked, foundParamsTemp)
if not toBeChecked:
break
foundParams = []
for param in foundParamsTemp:
exists = quickBruter([param], originalResponse, originalCode,
reflections, factors, include, delay, headers,
url, GET)
if exists:
foundParams.append(param)
for each in foundParams:
print('%s?%s' % (url, each))
if not foundParams:
pass
return foundParams
def initialize(request, wordlist):
url = request['url']
if not url.startswith('http'):
print('%s %s is not a valid URL' % (bad, url))
return 'skipped'
print('%s Probing the target for stability' % run)
stable = stable_request(url, request['headers'])
if not stable:
return 'skipped'
else:
fuzz = randomString(6)
response_1 = requester(request, {fuzz : fuzz[::-1]})
print('%s Analysing HTTP response for anamolies' % run)
fuzz = randomString(6)
response_2 = requester(request, {fuzz : fuzz[::-1]})
if type(response_1) == str or type(response_2) == str:
return 'skipped'
factors = define(response_1, response_2, fuzz, fuzz[::-1], wordlist)
print('%s Analysing HTTP response for potential parameter names' % run)
found = heuristic(response_1.text, wordlist)
if found:
num = len(found)
s = 's' if num > 1 else ''
print('%s Heuristic scanner found %i parameter%s: %s' % (good, num, s, ', '.join(found)))
print('%s Logicforcing the URL endpoint' % run)
populated = populate(wordlist)
param_groups = slicer(populated, int(len(wordlist)/args.chunks))
last_params = []
while True:
param_groups = narrower(request, factors, param_groups)
if mem.var['kill']:
return 'skipped'
param_groups = confirm(param_groups, last_params)
if not param_groups:
break
confirmed_params = []
for param in last_params:
reason = bruter(request, factors, param, mode='verify')
if reason:
name = list(param.keys())[0]
confirmed_params.append(name)
print('%s name: %s, factor: %s' % (res, name, reason))
return confirmed_params
def _create_user(self,
first_name,
last_name,
password,
is_staff,
is_superuser,
username=None,
email=None,
phone_number=None,
**kwargs):
now = timezone.now()
if not first_name:
raise ValueError("You must enter a first name")
if not last_name:
raise ValueError("You must enter a last name")
if not password:
raise ValueError("You must enter a password")
# Creates an username from email if doesn't exists
if username is None:
fname = str(self.cleaned_data['first_name']).lower().replace(
' ', '')
lname = str(self.cleaned_data['last_name']).lower().replace(
' ', '')
username = ''.join([fname, lname, randomString()])
print('Your username is ', username)
email = self.normalize_email(email)
user = self.model(username=username,
first_name=first_name,
last_name=last_name,
is_staff=is_staff,
is_active=True,
is_superuser=is_superuser,
last_login=now,
date_joined=now,
email=email,
phone_number=phone_number,
**kwargs)
user.set_password(password)
user.save(using=self.db)
return user
def bruter(param, originalResponse, originalCode, factors, include, reflections, delay, headers, url, GET):
fuzz = randomString(6)
data = {param : fuzz}
data.update(include)
response = requester(url, data, headers, GET, delay)
newReflections = response.text.count(fuzz)
reason = False
if response.status_code != originalCode:
reason = 'Different response code'
elif reflections != newReflections:
reason = 'Different number of reflections'
elif not factors['sameHTML'] and len(response.text) != (len(originalResponse)):
reason = 'Different content length'
elif not factors['samePlainText'] and len(removeTags(response.text)) != (len(removeTags(originalResponse))):
reason = 'Different plain-text content length'
if reason:
return {param : reason}
else:
return None
def clean_username(self):
username = self.cleaned_data['username']
if username is not None and len(username) > 0:
try:
User.objects.get(username=username)
except User.DoesNotExist:
return username
raise forms.ValidationError(self.error_messages['duplicate_username'])
else:
# generate a unique username
fname = str(self.cleaned_data['first_name']).lower().replace(' ', '')
lname = str(self.cleaned_data['last_name']).lower().replace(' ', '')
while True:
username = ''.join([fname, lname, randomString()])
try:
User.objects.get(username=username)
except User.DoesNotExist:
return username
break
def bruter(param, originalResponse, originalCode, multiplier, reflections,
delay, headers, url, GET):
fuzz = randomString(6)
data = {param: fuzz}
response = requester(url, data, headers, GET, delay)
newReflections = response.text.count(fuzz)
if response.status_code != originalCode:
print('%s Found a valid parameter: %s%s%s' % (good, green, param, end))
print('%s Reason: Different response code' % info)
elif reflections != newReflections:
print('%s Found a valid parameter: %s%s%s' % (good, green, param, end))
print('%s Reason: Different number of reflections' % info)
elif len(response.text.replace(
param + '=' + fuzz, '')) != (len(
originalResponse.text.replace(
originalFuzz + '=' + originalFuzz[::-1], '')) +
(len(param) * multiplier)):
print('%s Found a valid parameter: %s%s%s' % (good, green, param, end))
print('%s Reason: Different content length' % info)
if inpName not in done:
if inpName in paramList:
paramList.remove(inpName)
done.append(inpName)
paramList.insert(0, inpName)
print ('%s Heuristic found a potenial parameter: %s%s%s' % (good, green, inpName, end))
print ('%s Prioritizing it' % good)
url = stabilize(url)
print ('%s Analysing the content of the webpage' % run)
firstResponse = requester(url, include, headers, GET, delay)
print ('%s Now lets see how target deals with a non-existent parameter' % run)
originalFuzz = randomString(6)
data = {originalFuzz : originalFuzz[::-1]}
data.update(include)
response = requester(url, data, headers, GET, delay)
reflections = response.text.count(originalFuzz[::-1])
print ('%s Reflections: %s%i%s' % (info, green, reflections, end))
originalResponse = response.text
originalCode = response.status_code
print ('%s Response Code: %s%i%s' % (info, green, originalCode, end))
newLength = len(response.text)
plainText = removeTags(originalResponse)
plainTextLength = len(plainText)
print ('%s Content Length: %s%i%s' % (info, green, newLength, end))
print ('%s Plain-text Length: %s%i%s' % (info, green, plainTextLength, end))
def initialize(url, include, headers, GET, delay, paramList, threadCount):
url = stabilize(url)
if not url:
return {}
else:
print('%s Analysing the content of the webpage' % run)
firstResponse = requester(url, include, headers, GET, delay)
print('%s Analysing behaviour for a non-existent parameter' % run)
originalFuzz = randomString(6)
data = {originalFuzz: originalFuzz[::-1]}
data.update(include)
response = requester(url, data, headers, GET, delay)
reflections = response.text.count(originalFuzz[::-1])
print('%s Reflections: %s%i%s' % (info, green, reflections, end))
originalResponse = response.text
originalCode = response.status_code
print('%s Response Code: %s%i%s' % (info, green, originalCode, end))
newLength = len(response.text)
plainText = removeTags(originalResponse)
plainTextLength = len(plainText)
print('%s Content Length: %s%i%s' % (info, green, newLength, end))
print('%s Plain-text Length: %s%i%s' %
(info, green, plainTextLength, end))
factors = {'sameHTML': False, 'samePlainText': False}
if len(firstResponse.text) == len(originalResponse):
factors['sameHTML'] = True
elif len(removeTags(firstResponse.text)) == len(plainText):
factors['samePlainText'] = True
print('%s Parsing webpage for potential parameters' % run)
heuristic(firstResponse.text, paramList)
fuzz = randomString(8)
data = {fuzz: fuzz[::-1]}
data.update(include)
print('%s Performing heuristic level checks' % run)
toBeChecked = slicer(paramList, 50)
foundParamsTemp = []
while True:
toBeChecked = narrower(toBeChecked, url, include, headers, GET,
delay, originalResponse, originalCode,
reflections, factors, threadCount)
toBeChecked = unityExtracter(toBeChecked, foundParamsTemp)
if not toBeChecked:
break
foundParams = []
for param in foundParamsTemp:
exists = quickBruter([param], originalResponse, originalCode,
reflections, factors, include, delay, headers,
url, GET)
if exists:
foundParams.append(param)
print('%s Scan Completed ' % info)
for each in foundParams:
print('%s Valid parameter found: %s%s%s' %
(good, green, each, end))
if not foundParams:
print(
'%s Unable to verify existence of parameters detected by heuristic.'
% bad)
return foundParams
def initialize(url, include, headers, GET, delay, paramList, threadCount):
url = stabilize(url)
log('%s Analysing the content of the webpage' % run)
firstResponse = requester(url, include, headers, GET, delay)
log('%s Analysing behaviour for a non-existent parameter' % run)
originalFuzz = randomString(6)
data = {originalFuzz : originalFuzz[::-1]}
data.update(include)
response = requester(url, data, headers, GET, delay)
reflections = response.text.count(originalFuzz[::-1])
log('%s Reflections: %s%i%s' % (info, green, reflections, end))
originalResponse = response.text
originalCode = response.status_code
log('%s Response Code: %s%i%s' % (info, green, originalCode, end))
newLength = len(response.text)
plainText = removeTags(originalResponse)
plainTextLength = len(plainText)
log('%s Content Length: %s%i%s' % (info, green, newLength, end))
log('%s Plain-text Length: %s%i%s' % (info, green, plainTextLength, end))
factors = {'sameHTML': False, 'samePlainText': False}
if len(firstResponse.text) == len(originalResponse):
factors['sameHTML'] = True
elif len(removeTags(firstResponse.text)) == len(plainText):
factors['samePlainText'] = True
log('%s Parsing webpage for potential parameters' % run)
heuristic(firstResponse.text, paramList)
fuzz = randomString(8)
data = {fuzz : fuzz[::-1]}
data.update(include)
log('%s Performing heuristic level checks' % run)
toBeChecked = slicer(paramList, 50)
foundParams = []
while True:
toBeChecked = narrower(toBeChecked, url, include, headers, GET, delay, originalResponse, originalCode, reflections, factors, threadCount)
toBeChecked = unityExtracter(toBeChecked, foundParams)
if not toBeChecked:
break
if foundParams:
log('%s Heuristic found %i potential parameters.' % (info, len(foundParams)))
paramList = foundParams
finalResult = []
jsonResult = []
threadpool = concurrent.futures.ThreadPoolExecutor(max_workers=threadCount)
futures = (threadpool.submit(bruter, param, originalResponse, originalCode, factors, include, reflections, delay, headers, url, GET) for param in foundParams)
for i, result in enumerate(concurrent.futures.as_completed(futures)):
if result.result():
finalResult.append(result.result())
log('%s Progress: %i/%i' % (info, i + 1, len(paramList)), mode='run')
log('%s Scan Completed ' % info)
for each in finalResult:
for param, reason in each.items():
log('%s Valid parameter found: %s%s%s' % (good, green, param, end))
log('%s Reason: %s' % (info, reason))
jsonResult.append({"param": param, "reason": reason})
if not jsonResult:
log('%s Unable to verify existence of parameters detected by heuristic' % bad)
return jsonResult
