Ejemplo n.º 1
0
 def init_methods(self, args):
     methods = args["methods"] or []
     # Setting Methods
     if methods:
         if ("%sall%s" % (self.sig, self.sig)) in methods:
             methods.remove("%sall%s" % (self.sig, self.sig))
             methods.extend(load_payload_file("./payloads/HTTP/methods.txt"))
             methods = list(set(methods))  # Removing doublesk
     else:
         if args["data"] is None:
             methods.append("GET")  # Autodetect Method
         else:
             methods.append("POST")  # Autodetect Method
     return methods
Ejemplo n.º 2
0
 def init_methods(self, args):
     methods = args["methods"] or []
     # Setting Methods
     if methods:
         if self.sig + "all" + self.sig in methods:
             methods.remove(self.sig + "all" + self.sig)
             methods.extend(
                 load_payload_file("./payloads/HTTP/methods.txt"))
             methods = list(set(methods))  # Removing doublesk
     else:
         if args["data"] is None:
             methods.append("GET")  # Autodetect Method
         else:
             methods.append("POST")  # Autodetect Method
     return methods
Ejemplo n.º 3
0
    def start(self, args):
        # Initializations
        self.sig = args["fuzzing_signature"] or self.sig
        self.pm = PlaceholderManager(self.sig)
        target = args["target"]
        methods = self.init_methods(args)
        headers = self.init_headers(args)
        data = args["data"] or ""
        self.init_detection_struct(args)
        self.init_request.headers = headers
        self.http_helper = HTTPHelper(self.init_request)
        self.fuzzer = Fuzzer(self.http_helper)

        # Finding the length of a placeholder
        if args["mode"] == "length":
            self.require(args, ["accepted_value"])
            self.is_detection_set(args)
            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Length Detection"
            ch = args["accepted_value"][0]
            length = find_length(self.owtf, self.http_helper, self.length_signature, target, methods[0],
                                 self.detection_struct, ch, headers, data)
            print "Placeholder Allowed Length = %s" % str(length)
        # Detecting Allowed Sources
        elif args["mode"] == "detect_accepted_sources":
            self.is_detection_set(args)
            self.require(args, ["methods", "param_name", "accepted_value", "param_source"])

            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Allowed Sources Detection"

            accepted_method = methods[0]
            param_name = args["param_name"]
            accepted_value = args["accepted_value"]
            param_source = args["param_source"]

            requests = detect_accepted_sources(self.http_helper, target, data, headers, param_name, param_source,
                                               accepted_value, accepted_method)
            responses = self.fuzz(args, requests)
            analyze_accepted_sources(responses, self.detection_struct)

        elif args["mode"] == "content_type_tamper":
            print "Tampering Content-Type mode"
            cnt_types = load_payload_file("./payloads/HTTP/content_types.txt")
            new_headers = self.http_helper.add_header_param(headers, "Content-Type", self.fsig)
            self.pm = PlaceholderManager(self.sig)
            # cnt_types = Payloads
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, cnt_types, new_headers,
                                                         data)
            responses = self.fuzz(args, requests)
            for response in responses:
                print "[->]Request"
                print_request(response)
                print "[<-]Response"
                print_response(response)
                print
        # HPP modes
        elif args["mode"] == "asp_hpp" or args["mode"] == "param_overwriting":
            self.require(args, ["param_name", "param_source", "payloads"])
            param_name = args["param_name"]
            param_source = args["param_source"]
            self.is_detection_set(args)
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            if args["mode"] == "asp_hpp":
                print "Scanning mode: ASP HPP Parameter Splitting"
                requests = asp_hpp(self.http_helper, methods, payloads, param_name, param_source, target, headers, data)
                responses = self.fuzz(args, requests)
            elif args["mode"] == "param_overwriting":
                requests = param_overwrite(self.http_helper, param_name, param_source, payloads[0], target, data,
                                           headers)
                responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)

        elif args["mode"] == "detect_chars":
            self.is_detection_set(args)
            payloads = []
            for i in range(0, 256):
                payloads.append(chr(i))

            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            sent_payloads = analyze_chars(responses, self.http_helper, self.detection_struct)
            payloads = []
            if sent_payloads["detected"]:
                # urlencode blocked chars
                print
                print "URL encoding bad characters"
                for bad_char in sent_payloads["detected"]:
                    payloads.append(urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print
                print "UnicodeURL encoding bad characters"
                payloads = []
                # unicode urlencode blocked chars
                for bad_char in sent_payloads["detected"]:
                    payloads.append(unicode_urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)
            # Finding a white-listed character
                good_char = None
                for char in string.letters:
                    good_char = char
                    break
                if not good_char:
                    for char in string.digits:
                        good_char = char
                        break
                if not good_char:
                    good_char = sent_payloads["undetected"][0]

                print
                print "Sending a detected char followed by an undetected"
                payloads = []
                # add an accepted char before a blocked char
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)
                print
                print "Sending a detected char after an undetected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print "Sending an undetected char after a detected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print "Sending an detected char surrounded by undetected chars"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

        # Fuzzing mode
        elif args["mode"] == "fuzz":
            fuzzing_placeholders = PlaceholderManager.get_placeholder_number(self.template_signature_re, str(args))
            if fuzzing_placeholders > 1:
                Error(self.owtf, "Multiple fuzzing placeholder signatures found. "
                      "Only one fuzzing placeholder is supported.")
            elif fuzzing_placeholders == 0:
                Error(self.owtf, "No fuzzing placeholder signatures found.")
            self.is_detection_set(args)
            payloads = []
            if args["payloads"]:
                for p_file in args["payloads"]:
                    payloads += load_payload_file(p_file)
            else:
                payloads.append("")
            print "Scanning mode: Fuzzing Using placeholders"
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)

        elif args["mode"] == "show_transform_functions":
            print transformations_info()

        elif args["mode"] == "overchar":
            self.require(args, ["payloads", "accepted_value"])
            length = int(args["length"][0])
            accepted_value = args["accepted_value"][0]
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            payloads = [(length - len(payload)) * accepted_value + payload for payload in payloads]
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)
        else:
            Error(self.owtf, "Unknown bypassing mode.")
Ejemplo n.º 4
0
    def start(self, args):
        # Initializations
        self.sig = args["fuzzing_signature"] or self.sig
        self.pm = PlaceholderManager(self.sig)
        target = args["target"]
        methods = self.init_methods(args)
        headers = self.init_headers(args)
        data = args["data"] or ""
        self.init_detection_struct(args)
        self.init_request.headers = headers
        self.http_helper = HTTPHelper(self.init_request)
        self.fuzzer = Fuzzer(self.http_helper)

        # Finding the length of a placeholder
        if args["mode"] == "length":
            self.require(args, ["accepted_value"])
            self.is_detection_set(args)
            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Length Detection"
            ch = args["accepted_value"][0]
            length = find_length(self.owtf,
                                 self.http_helper,
                                 self.length_signature,
                                 target,
                                 methods[0],
                                 self.detection_struct,
                                 ch,
                                 headers,
                                 data)
            print "Placeholder Allowed Length = " + str(length)
        # Detecting Allowed Sources
        elif args["mode"] == "detect_accepted_sources":
            self.is_detection_set(args)
            self.require(args, ["methods",
                                "param_name",
                                "accepted_value",
                                "param_source"])

            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Allowed Sources Detection"

            accepted_method = methods[0]
            param_name = args["param_name"]
            accepted_value = args["accepted_value"]
            param_source = args["param_source"]

            requests = detect_accepted_sources(self.http_helper,
                                               target,
                                               data,
                                               headers,
                                               param_name,
                                               param_source,
                                               accepted_value,
                                               accepted_method)
            responses = self.fuzz(args, requests)
            analyze_accepted_sources(responses, self.detection_struct)

        elif args["mode"] == "content_type_tamper":
            print "Tampering Content-Type mode"
            cnt_types = load_payload_file("./payloads/HTTP/content_types.txt")
            new_headers = self.http_helper.add_header_param(
                headers,
                "Content-Type", self.fsig)
            self.pm = PlaceholderManager(self.sig)
            requests = self.pm.transformed_http_requests(
                self.http_helper,
                methods,
                target,
                cnt_types,  # Payloads
                new_headers,
                data)
            responses = self.fuzz(args, requests)
            for response in responses:
                print "[->]Request"
                print_request(response)
                print "[<-]Response"
                print_response(response)
                print
        # HPP modes
        elif args["mode"] == "asp_hpp" or args["mode"] == "param_overwriting":
            self.require(args, ["param_name", "param_source", "payloads"])
            param_name = args["param_name"]
            param_source = args["param_source"]
            self.is_detection_set(args)
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            if args["mode"] == "asp_hpp":
                print "Scanning mode: ASP HPP Parameter Splitting"
                requests = asp_hpp(self.http_helper,
                                   methods,
                                   payloads,
                                   param_name,
                                   param_source,
                                   target,
                                   headers,
                                   data)
                responses = self.fuzz(args, requests)
            elif args["mode"] == "param_overwriting":
                requests = param_overwrite(self.http_helper,
                                           param_name,
                                           param_source,
                                           payloads[0],
                                           target,
                                           data,
                                           headers)
                responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)

        elif args["mode"] == "detect_chars":
            self.is_detection_set(args)
            payloads = []
            for i in range(0, 256):
                payloads.append(chr(i))

            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            sent_payloads = analyze_chars(responses,
                                          self.http_helper,
                                          self.detection_struct)
            payloads = []
            if sent_payloads["detected"]:
                # urlencode blocked chars
                print
                print "URL encoding bad characters"
                for bad_char in sent_payloads["detected"]:
                    payloads.append(urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print
                print "UnicodeURL encoding bad characters"
                payloads = []
                # unicode urlencode blocked chars
                for bad_char in sent_payloads["detected"]:
                    payloads.append(unicode_urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)
            # Finding a white-listed character
                good_char = None
                for char in string.letters:
                    good_char = char
                    break
                if not good_char:
                    for char in string.digits:
                        good_char = char
                        break
                if not good_char:
                    good_char = sent_payloads["undetected"][0]

                print
                print "Sending a detected char followed by an undetected"
                payloads = []
                # add an accepted char before a blocked char
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)
                print
                print "Sending a detected char after an undetected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print "Sending an undetected char after a detected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print "Sending an detected char surrounded by undetected chars"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

        # Fuzzing mode
        elif args["mode"] == "fuzz":
            fuzzing_placeholders = PlaceholderManager.get_placeholder_number(
                    self.template_signature_re, str(args))
            if fuzzing_placeholders> 1:
                Error(self.owtf, "Multiple fuzzing placeholder signatures found. "
                      "Only one fuzzing placeholder is supported.")
            elif fuzzing_placeholders == 0:
                Error(self.owtf, "No fuzzing placeholder signatures found.")
            self.is_detection_set(args)
            payloads = []
            if args["payloads"]:
                for p_file in args["payloads"]:
                    payloads += load_payload_file(p_file)
            else:
                payloads.append("")
            print "Scanning mode: Fuzzing Using placeholders"

            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)

        elif args["mode"] == "show_transform_functions":
            print transformations_info()

        elif args["mode"] == "overchar":
            self.require(args, ["payloads", "accepted_value"])
            length = int(args["length"][0])
            accepted_value = args["accepted_value"][0]
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            payloads = [(length - len(payload)) * accepted_value + payload
                        for payload in payloads]
            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)
        else:
            Error(self.owtf, "Unknown bypassing mode.")