def _download_file(self):
logger.info(
f"Downloading zip file... [FROM: '{self._elvui_download_zip_link}' TO: '{self._zip_file_path}']"
)
request = self._get_response(self._elvui_download_zip_link,
allow_redirects=True)
with open(self._zip_file_path, 'wb') as zip_file:
zip_file.write(request.content)
def compress(self):
logger.info(f"Zipping file... [{self.old_zip_filename}]")
with zipfile.ZipFile(self._zip_path, "w") as zip_file:
for directory in self._compressed_directories:
for dirname, subdirs, files in os.walk(directory):
zip_file.write(dirname)
for filename in files:
zip_file.write(os.path.join(dirname, filename))
def unzip(self):
logger.info(
f"Unzipping version: {self._current_version}... [FROM: {self._zip_path} TO: {self._directory_to_extract_to}]"
)
if not os.path.exists(self._directory_to_extract_to):
os.mkdir(self._directory_to_extract_to)
with zipfile.ZipFile(self._zip_path, 'r') as zip_ref:
zip_ref.extractall(self._directory_to_extract_to)
def setName():
logger.info("post recieved")
if request.method == 'POST':
payload = request.form
logger.debug(f'post recieved : {payload}')
data = payload['data']
return {"Successfully stored ": str(data)}
return None
def _check_os(self):
os_running = platform.system()
logger.info(f"Current operating system: {os_running}")
if os_running == 'Windows':
self._client = 'win'
else:
logger.warning(
f"Your system is not tested for this application. [System: {os_running}]."
)
self._client = 'other'
def _get_content_from_page(self, url):
logger.info(f"Requesting page... [PAGE: {url}")
response = self._get_response(url)
if response.status_code != 200:
logger.error(f"Did not get proper response from server.\n"
f"Checked page: {url}. [CODE={response.status_code}]")
sys.exit(1)
else:
self._current_page_content = BeautifulSoup(response.content,
features="html.parser")
def _xss_stored(http, s):
"""
Performs a Stored XSS attack. Multiple requests are performed
sending all the XSS payloads.
"""
logger.info("Perform a stored XSS")
# we send all the xss payloads hoping that at least one is effective
for _payload in xss_payloads:
infoMsg = "Sending payload {}".format(_payload)
logger.info(infoMsg)
r = _run_payload_request(http, s, xss_payload)
def _sqli_dump(http, s):
vuln_param = http.action_params[0]
infoMsg = "Perform SQLi attack and dump the entire database"
logger.info(infoMsg)
sqlmap_details = dict()
sqlmap_details["url"] = http.url
sqlmap_details["method"] = http.method
sqlmap_details["get_params"] = http.get_params
sqlmap_details["post_params"] = http.post_params
sqlmap_details["vuln_param"] = http.get_params[vuln_param]
# we reuse the cookies in the session
sqlmap_details["cookies"] = s.cookies.get_dict()
sqlmap_details["dumpall"] = True
sqli.execute_sqlmap(sqlmap_details)
def _xss_response(http, s):
""" Performs a normal request and looks in the response for an XSS code. """
# after executing the request
# there is an XSS in the response
logger.info("Perform a request and check for xss in the response")
r = _normal_request(http)
# in the response we should have xss
if _check_response(r):
infoMsg = "Reflected XSS successful, the intruder gains honest's cookies"
logger.info(infoMsg)
intruder_session.cookies.update(honest_session.cookies)
else:
# abort execution, we were expenting XSS in the response
warningMsg = "No XSS in the response as exxpected"
logger.warning(warningMsg)
exit(-1)
def run_api_server():
global sqlmap_process
atexit.register(exiting)
logger.info("starting sqlmap APIs")
# NOTE: when executing sqlmapapi.py the working directory must be ./sqlmap/ otherwise when the analysis
# is started, it raises a not file execeptio 'cause it cannot find sqlmap.py
sqlmap_process = subprocess.Popen(SQLMAP_API.split(" "),
stderr=subprocess.PIPE,
stdout=subprocess.PIPE,
cwd="./sqlmap/")
time.sleep(2)
while True:
line = sqlmap_process.stdout.readline()
if "REST-JSON API server connected to IPC database" in line.decode(
'utf-8'):
# the webserver is up and running
return True
raise Exception()
return False
def _normal_request(http, s):
"""
Perform a normal HTTP request. Returns a Response object
that contains the response.
"""
logger.info("Perform normal request")
url_params = dict()
for abstract_k in http.get_params:
_get = http.get_params[abstract_k]
k, v = _instantiate_value(_get[0], _get[1], http.params[abstract_k])
url_params[k] = v
debugMsg = url_params
logger.debug(debugMsg)
post_params = dict()
for abstract_k in http.post_params:
_post = http.post_params[abstract_k]
k, v = _instantiate_value(_post[0], _post[1], http.params[abstract_k])
post_params[k] = v
debugMsg = post_params
logger.debug(debugMsg)
# configure the proxy if it was set
if config.proxy_ip and config.proxy_port:
proxies = {
"http": "http:{}:{}".format(config.proxy_ip, config.proxy_port),
"https": "https{}:{}".format(config.proxy_ip, config.proxy_port)
}
resp = s.request(method=http.method,
url=http.url,
params=url_params,
data=post_params,
proxies=proxies)
else:
resp = s.request(method=http.method,
url=http.url,
params=url_params,
data=post_params)
debugMsg = resp.headers
logger.debug(debugMsg)
return resp
def local_cl_atse(file_aslan, options=[]):
global CLATSE
logger.info("Executing CL-Atse locally")
atse_output = os.path.splitext(file_aslan)[0] + ".atse"
atse_output_descriptor = open(atse_output, "w")
atse_execution_array = [CLATSE] + options + [file_aslan]
logger.debug(atse_execution_array)
p1 = subprocess.Popen(atse_execution_array,
universal_newlines=True,
stderr=subprocess.PIPE,
stdout=subprocess.PIPE)
try:
out, err = p1.communicate(timeout=config.mc_timeout)
except subprocess.TimeoutExpired:
p1.kill()
logger.critical("Model checker timed out")
exit()
atse_output_descriptor.write(out)
atse_output_descriptor.close()
return atse_output
def _sqli_write(http, s):
""" Performs a SQLi attack for writing to the file-system."""
vuln_param = http.action_params[0]
file_to_write = http.action_params[1]
infoMsg = "Perform SQLi attack for writing file {}".format(file_to_read)
logger.info(infoMsg)
promptMsg = "Where should I write the file on the remote server?\n"
remote_path = ""
while remote_path == "":
remote_path = input(promptMsg)
sqlmap_details = dict()
sqlmap_details["url"] = http.url
sqlmap_details["method"] = http.method
sqlmap_details["get_params"] = http.get_params
sqlmap_details["post_params"] = http.post_params
sqlmap_details["vuln_param"] = http.get_params[vuln_param]
# we reuse the cookies in the session
sqlmap_details["cookies"] = s.cookies.get_dict()
sqlmap_details["write"] = file_to_write
sqlmap_details["path"] = remote_path
sqli.execute_sqlmap(sqlmap_details)
def main():
static_path = os.path.join(os.getcwd(), 'Static')
blizzard_addons_directory_path = f'{args.blizz_addon_path}'
addons = os.listdir(blizzard_addons_directory_path)
extracted_elvui_directory = os.path.join(static_path, args.extracted_elvui)
if not os.path.exists(static_path):
logger.info(f"Creating static path: {static_path}.")
os.mkdir(static_path)
# Download handling.
downloader = Downloader(static_directory_path=static_path)
downloader.run()
# Zipping Handling.
zip_file = UnZipFile(zip_path=downloader.zip_file_path,
current_version=downloader.current_elvui_version,
extracted_dir_name=args.extracted_elvui,
static_directory_path=static_path)
zip_file.unzip()
# ElvUI addons backuping.
elvui_addons = list(
filter(lambda dir: (str(dir).lower().find('elvui') > -1), addons))
elvui_directories = list(
map(
lambda elvui_directory: os.path.join(
blizzard_addons_directory_path, elvui_directory),
elvui_addons))
backup_file_handler = ZipFile(static_directory_path=static_path)
for elvui_directory in elvui_directories:
backup_file_handler.add_directory_to_be_compressed(elvui_directory)
backup_file_handler.compress()
# ElvUI file replacement.
replace_handler = ReplaceDirs(
blizzard_addons_path=args.blizz_addon_path,
extracted_version_path=f'{extracted_elvui_directory}')
replace_handler.replace()
def _sqli_read(http, s):
""" Performs a SQLi attack for reading from the file-system. """
vuln_param = http.action_params[0]
file_to_read = http.action_params[1]
infoMsg = "Perform SQLi attack for reading {}".format(file_to_read)
logger.info(infoMsg)
promptMsg = "What is the path of the file {} you want to read?\n".format(
file_to_read)
file_to_read = ""
while file_to_read == "":
file_to_read = input(promptMsg)
sqlmap_details = dict()
sqlmap_details["url"] = http.url
sqlmap_details["method"] = http.method
sqlmap_details["get_params"] = http.get_params
sqlmap_details["post_params"] = http.post_params
sqlmap_details["vuln_param"] = http.get_params[vuln_param]
# we reuse the cookies in the session
sqlmap_details["cookies"] = s.cookies.get_dict()
sqlmap_details["read"] = file_to_read
sqli.execute_sqlmap(sqlmap_details)
print("SQLi read {}".format(file_to_read))
def exitcleanup():
# remove temporary files
logger.info("Exiting wsfast...")
if not config.DEBUG:
logger.info("removing temporary files!")
for fl in glob.glob("./tmp_*"):
os.remove(fl)
logger.info("Bye!")
def aslanpp2aslan(file_aslanpp):
#connector = config.connector
# get the filename without extension
debugMsg = "file aslanpp: {}".format(file_aslanpp)
logger.debug(debugMsg)
basename = os.path.splitext(os.path.basename(file_aslanpp))[0]
translator_output_file = "tmp_" + basename + ".aslan"
logger.info("Generating ASlan model")
debugMsg = "{} on {} out-file {}".format(connector, file_aslanpp,
translator_output_file)
logger.debug(debugMsg)
p1 = subprocess.Popen([
"java", "-jar", connector, file_aslanpp, "-o", translator_output_file
],
universal_newlines=True,
stderr=subprocess.PIPE)
try:
out, err = p1.communicate(timeout=30)
except subprocess.TimeoutExpired:
p1.kill()
criticalMsg = "Error: {} timed out."
logger.critical(criticalMsg)
exit()
# check if an error has been generated from the translator
if "FATAL" in err or "ERROR" in err:
# there was an error in executing the translator
logger.critical("Translator generated an error")
logger.critical(err)
exit()
if config.verbosity and "WARNING" in err:
logger.debug(err.strip())
logger.info("ASlan model generated")
return translator_output_file, err
def _sqli_bypass(http):
""" Performs a SQLi attack for creating a tautology. """
logger.info("Perform a SQLi bypass attack")
for _payload in sqli_bypass_payloads:
r = _run_payload_request(http, s, _payload)
# in the response we should have xss
if _check_reponse(r):
infoMsg = "Reflected XSS successful, the intruder gains honest's cookies"
logger.info(infoMsg)
intruder_session.cookies.update(honest_session.cookies)
# break out of the for if XSS was successful
break
infoMsg = "Unsuccessful payload {}".format(xss_payload)
logger.info(infoMsg)
warningMsg = "No SQLi bypass payload was successful"
logger.warning(warningMsg)
def _xss_reflected(http, s):
"""
Performs a Reflected XSS attack. Multiple requests are performed
until a successful XSS is executed.
"""
logger.info("Perform a reflected XSS and check for XSS in the response")
for _payload in xss_payloads:
r = _run_payload_request(http, s, _payload)
# in the response we should have xss
if _check_response(r, tocheck="something"):
infoMsg = "SQLi successful"
logger.info(infoMsg)
# break out of the for if XSS was successful
break
infoMsg = "Unsuccessful payload {}".format(_payload)
logger.info(infoMsg)
warningMsg = "No SQLi bypass payload was successful"
logger.warning(warningMsg)
def Start(self):
"""
This function starts the process.
"""
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "******************************* Information about the call *******************************"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "From: " + self.CallInformation.From_Extension + " in " + self.CallInformation.From_IP + ":" + self.CallInformation.From_Port + "/" + self.CallInformation.From_Transport
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "To: " + self.CallInformation.To_Extension + " in " + self.CallInformation.To_IP
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "Contact: " + self.CallInformation.Contact_Extension + " in " + self.CallInformation.Contact_IP + ":" + self.CallInformation.Contact_Port + "/" + self.CallInformation.Contact_Transport
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "Connection: " + self.CallInformation.Connection
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "Owner: " + self.CallInformation.Owner
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
for i in range(len(self.CallInformation.Via)):
prtString = "Via " + str(i) + ": " + self.CallInformation.Via[i][
0] + ":" + self.CallInformation.Via[i][
1] + "/" + self.CallInformation.Via[i][2]
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = self.CallInformation.UserAgent
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "************************************* Classification *************************************"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
# ---------------------------------------------------------------------------------
# Check fingerprint
# ---------------------------------------------------------------------------------
self.Tests_CheckFingerprint()
# ---------------------------------------------------------------------------------
# Check DNS
# ---------------------------------------------------------------------------------
self.Tests_CheckDNS()
# ---------------------------------------------------------------------------------
# Check if SIP ports are opened
# ---------------------------------------------------------------------------------
self.Tests_CheckSIPPorts()
# ---------------------------------------------------------------------------------
# Check if media ports are opened
# ---------------------------------------------------------------------------------
self.Tests_CheckMediaPorts()
# ---------------------------------------------------------------------------------
# Check request URI
# ---------------------------------------------------------------------------------
self.Tests_CheckURI()
# ---------------------------------------------------------------------------------
# Check if proxy in Via
# ---------------------------------------------------------------------------------
self.Tests_CheckVia()
# ---------------------------------------------------------------------------------
# Check for ACK
# ---------------------------------------------------------------------------------
self.Tests_CheckACK()
# ---------------------------------------------------------------------------------
# Check received media
# ---------------------------------------------------------------------------------
self.Tests_CheckMedia()
# Print the categories
prtString = "+ The message is classified as:"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
for i in range(len(self.CallInformation.Classification)):
prtString = "| " + self.CallInformation.Classification[i]
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.Running = False
# Zipping Handling.
zip_file = UnZipFile(zip_path=downloader.zip_file_path,
current_version=downloader.current_elvui_version,
extracted_dir_name=args.extracted_elvui,
static_directory_path=static_path)
zip_file.unzip()
# ElvUI addons backuping.
elvui_addons = list(
filter(lambda dir: (str(dir).lower().find('elvui') > -1), addons))
elvui_directories = list(
map(
lambda elvui_directory: os.path.join(
blizzard_addons_directory_path, elvui_directory),
elvui_addons))
backup_file_handler = ZipFile(static_directory_path=static_path)
for elvui_directory in elvui_directories:
backup_file_handler.add_directory_to_be_compressed(elvui_directory)
backup_file_handler.compress()
# ElvUI file replacement.
replace_handler = ReplaceDirs(
blizzard_addons_path=args.blizz_addon_path,
extracted_version_path=f'{extracted_elvui_directory}')
replace_handler.replace()
if __name__ == '__main__':
logger.info("Starting program...")
main()
def sendemail(self, strData):
if not self.Enabled:
logger.info("E-mail notification is disabled.")
return
if self.SMTP_IP == "":
logger.info("No SMTP server address configured.")
return
if self.SMTP_PORT == "":
logger.info("SMTP server port is not configured.")
return
if self.Recipients == "":
logger.info("No recipient address is configured.")
return
msg = MIMEMultipart()
msg['To'] = self.To_header
msg['From'] = self.From
msg['Subject'] = self.Subject
msgText = MIMEText(strData, "html")
msg.attach(msgText)
# Read the logo
try:
fp = open(ARTEMISA_WEBLOGO_PATH, 'rb')
msgImage = MIMEImage(fp.read())
fp.close()
except:
logger.error("Cannot read file " + ARTEMISA_WEBLOGO_PATH)
return
# Define the image's ID as referenced above
msgImage.add_header('Content-ID', '<weblogo>')
msg.attach(msgImage)
try:
if self.TSLSSL:
server = SMTP(self.SMTP_IP, int(self.SMTP_PORT))
server.ehlo()
server.starttls()
server.ehlo()
server.login(self.SMTP_USERNAME, self.SMTP_PASSWORD)
else:
server = SMTP(self.SMTP_IP, int(self.SMTP_PORT))
server.ehlo()
server.login(self.SMTP_USERNAME, self.SMTP_PASSWORD)
server.sendmail(self.From, self.Recipients.split(","),
msg.as_string())
server.quit()
logger.info("E-mail notification sent.")
except SMTPAuthenticationError:
logger.warning(
"E-mail account username and/or password refused by SMTP server."
)
except Exception, e:
logger.error("E-mail notification couldn't be sent. Error: " +
str(e))
def sqli(msc_table,extended):
logger.info("Looking for SQL injection attacks")
sqli = []
injection_point = ""
# regexp
r_sqli = re.compile("(?:.*?)\.?sqli\.(?:.*)\.?")
r_tuple_response = re.compile("(?:.*?)\.?tuple\(")
r_tuple_request = re.compile("([a-z]*?)\.s\.tuple\((?:.*?)\)(?:\.s)?")
r_sqli_read = re.compile("(?:.*?)e_file\((.*?)\)")
r_sqli_write = re.compile("(?:.*?)newFile\((.*?)\)")
# data extraction
tag_sqli = ""
# second-order conditions
so_cond1 = False # i -> webapp : <something>.sqli.<something>
so_cond2 = False # i -> webapp : <something>
so_cond3 = False # webapp -> i : tuple(<something>.sqli.<something>
tag_so_cond1 = ""
tag_so = ""
for idx, row in enumerate(msc_table):
tag = row[0]
step = row[1]
sender = step[0]
receiver = step[1]
msg = step[2]
entry = None
if sender not in config.receiver_entities:
# is a message from the intruder
debugMsg = "Processing {}".format(msg)
logger.debug(debugMsg)
if r_sqli.search(msg) and "tuple(" not in msg:
if so_cond1 == False:
so_cond1 = True
tag_so_cond1 = tag
logger.debug("so_cond1")
# get the response
response = msc_table[idx+1]
response_msg = response[1][2] # (tag , ( sender, receiver, msg))
# and check if we have something function of file (sqli for file reading)
match_ftr = r_sqli_read.search(response_msg)
if match_ftr:
logger.debug("SQLi file-read {}".format(tag))
file_to_read = match_ftr.group(1)
extended[tag]["read"] = file_to_read
extended[tag]["attack"] = 1
else:
# or something function of new_file (sqli for file writing)
match_ftw = r_sqli_write.search(response_msg)
if match_ftw:
logger.debug("SQLi file-write {}".format(tag))
file_to_write = match_ftw.group(1)
extended[tag]["write"] = file_to_write
extended[tag]["attack"] = 2
else:
# ... otherwise is a sql injection
logger.debug("SQLi bypass {}".format(tag))
params = utils.__get_parameters(msg)
entry = { "attack":10, "params" : params }
extended[tag]["attack"] = 10
tag_sqli = tag
else:
exploit_sqli = r_tuple_request.findall(msg)
if exploit_sqli:
debugMsg = "Exploit SQLi {}".format(exploit_sqli)
logger.debug(debugMsg)
# it means we are using again the function tuple so it
# was a data extraction attack
debugMsg = "Change SQLi of {} to data extraction".format(tag_sqli)
logger.debug(debugMsg)
extended[tag_sqli]["attack"] = 0
extended[tag_sqli]["extract"] = exploit_sqli
extended[tag_sqli]["tag_sqli"] = tag
params = utils.__get_parameters(msg)
entry = { "attack" : 6, "params" : params }
extended[tag]["attack"] = 6
elif tag != "tag":
# this is a normal request ...
# we check if previous conditions for so are valid
if so_cond1 == True and so_cond2 == False:
logger.debug("so_cond2")
so_cond2 = True
tag_so = tag
logger.debug("Normal request {}".format(tag))
params = utils.__get_parameters(msg)
entry = {"attack":-1,"params":params}
extended[tag]["attack"] = -1
else:
debugMsg = "Processing {}".format(msg)
logger.debug(debugMsg)
if r_tuple_response.search(msg):
# we are exploiting a sqli
if so_cond1 == True and so_cond2 == True and so_cond3 == False:
logger.debug("so_cond3")
# we check if previous conditions for so are valid
extended[tag_so_cond1]["attack"] = 8
extended[tag_so_cond1]["tag_so"] = tag_so
so_cond3 = True
def execute_sqlmap(sqlmap_details):
global data_to_extract
logger.info("run sqlmapapi.py")
is_sqlmap_up = sqlmap.run_api_server()
if not is_sqlmap_up:
logger.critical("sqlmap server not running")
exit()
task = sqlmap.new_task()
# configure proxy
if config.proxy_ip and config.proxy_port and config.proxy_port.isdigit():
sqlmap.set_option("proxy","http://{}:{}".format(config.proxy_ip, config.proxy_port), task)
url = sqlmap_details["url"]
method = sqlmap_details["method"]
vuln_param = sqlmap_details["vuln_param"]
url_params = ""
if "get_params" in sqlmap_details:
params = sqlmap_details["get_params"]
url_params = ""
for ab_k,real_c in params.items():
# specify an injection point
if ab_k == vuln_param:
url_params = url_params+real_c[0]+"="+real_c[1]+"*&"
else:
url_params = url_params+real_c[0]+"="+real_c[1]+"&"
url_params = url_params[:-1]
body_params = ""
if "post_params" in sqlmap_details:
params = sqlmap_details["post_params"]
body_params = ""
for ab_k,real_c in params.items():
# specify an injection point
if ab_k == vuln_param:
body_params = body_params+real_c[0]+"="+real_c[1]+"*&"
else:
body_params = body_params+real_c[0]+"="+real_c[1]+"&"
body_params = body_params[:-1]
url = url+"?"+url_params
sqlmap.set_option("url",url,task)
if method == "POST":
sqlmap.set_option("data",body_params,task)
# if "params" in sqlmap_details:
# params = sqlmap_details["params"]
# url_params = ""
# for k,v in params.items():
# url_params = url_params+k+"="+v+"&"
# url_params = url_params[:-1]
# if method == "GET":
# url = url+"?"+url_params
# sqlmap.set_option("url",url,task)
# elif method == "POST":
# sqlmap.set_option("url",url,task)
# sqlmap.set_option("data",url_params,task)
# set cookie if present and should be considered
if "cookies" in sqlmap_details:
c = ""
for k,v in sqlmap_details["cookies"].items():
c = c + k + "=" + v + ";"
debugMsg = "sqlmap with cookie {}".format(c)
logger.debug(debugMsg)
sqlmap.set_option("cookie",c,task)
# BEGIN: set specific attack details
# data extraction
if "extract" in sqlmap_details:
data_to_extract = sqlmap_details["extract"]
sqlmap.set_option("dumpTable","true",task)
# set data extraction only if we have data to extract
col = ""
tbl = ""
for tblcol in data_to_extract:
tbl_list = tblcol.split(".")
# TODO: in here we're basically overwriting the table name
# whenever we find a new one
tbl = tbl_list[0]
col = col + tbl_list[1]
sqlmap.set_option("tbl",tbl,task)
sqlmap.set_option("col",col,task)
if "dumpall" in sqlmap_details:
# dump the entire database
sqlmap.set_option("dumpAll","true",task)
# file read
if "read" in sqlmap_details:
file_to_extract = sqlmap_details["read"]
sqlmap.set_option("rFile",file_to_extract,task)
# file write
if "write" in sqlmap_details:
file_to_write = sqlmap_details["write"]
remote_path = sqlmap_details["path"]
if not isfile(file_to_write):
criticalMsg = "Error: {} file not found".format(file_to_write)
debug.critical(criticalMsg)
exit()
sqlmap.set_option("wFile",join(".",file_to_write),task)
sqlmap.set_option("dFile",remote_path,task)
# second order
if "secondOrder" in sqlmap_details:
secondOrder_url = sqlmap_details["secondOrder"]
sqlmap.set_option("secondOrder",secondOrder_url,task)
# END: set specific attack details
logger.info("sqlmap analysis started")
sqlmap.start_scan(url,task)
stopFlag = threading.Event()
sqlmap_data = None
sqlmap_log = None
while not stopFlag.wait(5):
r = sqlmap.get_status(task)
if "terminated" in r:
logger.debug(sqlmap.get_log(task))
sqlmap_data = sqlmap.get_data(task)
sqlmap_log = sqlmap.get_log(task)
stopFlag.set()
else:
logger.debug(sqlmap.get_log(task))
logger.info("sqlmap analysis in progress ... ")
# we check if the last message generated by sqlmap is critical
# or an error
level = sqlmap_log[-1]["level"]
message = sqlmap_log[-1]["message"]
if level == "WARNING":
logger.warning(message)
if level == "INFO":
logger.info(message)
if level == "ERROR" or level == "CRITICAL":
logger.critical("sqlmap generated an error")
logger.critical(message)
logger.critical("Aborting execution")
exit()
logger.info("sqlmap analysis terminated")
return sqlmap_data, sqlmap_log
def Tests_CheckFingerprint(self):
"""
This method carries out the fingerprint test
"""
prtString = "+ Checking fingerprint..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| " + self.CallInformation.UserAgent
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
# Artemisa will find fingerprint signatures in the whole SIP message
self.CallInformation.ToolName = CheckFingerprint(
self.CallInformation.SIP_Message)
#if self.CallInformation.ToolName < 0:
# prtString = "|"; self.CallInformation.Results_File_Buffer += "\n" + prtString; logger.info(prtString)
# prtString = "| Fingerprint check failed."; self.CallInformation.Results_File_Buffer += "\n" + prtString; logger.info(prtString)
if self.CallInformation.ToolName == "":
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| No fingerprint found."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
else:
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| Fingerprint found. The following attack tool was employed: " + self.CallInformation.ToolName
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| Category: Attack tool"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Attack tool")
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
def Tests_CheckMedia(self):
"""
This method carries out the received media test
"""
prtString = "+ Checking for received media..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
if self.MediaReceived:
prtString = "| Media received: Yes"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| Category: SPIT"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("SPIT")
else:
prtString = "| Media received: No"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| Category: Ringing"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Ringing")
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
def Tests_CheckACK(self):
"""
This method carries out the ACK test
"""
prtString = "+ Checking for ACK..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
if self.bACKReceived:
prtString = "| ACK received: Yes"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
else:
prtString = "| ACK received: No"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| Category: Scanning"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Scanning")
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
def Tests_CheckVia(self):
"""
This method carries out the Via test
"""
# This entire tests depends on the result of the previous
if not self.bRequestURI:
# Via[0] is the first Via field, so that it has the IP of the last proxy.
prtString = "+ Checking if proxy in Via..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
if len(self.CallInformation.Via) == 0:
prtString = "| No Via found."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
return
prtString = "| + Checking " + self.CallInformation.Via[0][
0] + ":" + self.CallInformation.Via[0][
1] + "/" + self.CallInformation.Via[0][2] + "..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
# We determine the existence of the proxy by checking the port with nmap
strResult = CheckPort(self.CallInformation.Via[0][0],
self.CallInformation.Via[0][1],
self.CallInformation.Via[0][2], self.verbose)
if strResult == 0 or strResult < 0:
prtString = "| | Error while scanning."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| | Category: -"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
else:
if strResult.find("closed") != -1:
prtString = "| | Result: There is no SIP proxy"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| | Category: Dial plan fault"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Dial plan fault")
else:
prtString = "| | Result: There is a SIP proxy"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| | Category: Direct attack"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Direct attack")
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
def Tests_CheckURI(self):
"""
This method carries out the URI comprobation test
"""
self.bRequestURI = False # Flag to know if this test gives a positive or negative result
prtString = "+ Checking request URI..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| Extension in field To: " + self.CallInformation.To_Extension
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
# Now it checks if the extension contained in the "To" field is one of the honeypot's registered
# extesions.
Found = False
for i in range(len(self.Extensions)):
if str(self.Extensions[i].Extension
) == self.CallInformation.To_Extension:
# The extension contained in the "To" field is an extension of the honeypot.
Found = True
prtString = "| Request addressed to the honeypot? Yes"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.bRequestURI = True
break
if not Found:
prtString = "| Request addressed to the honeypot? No"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.bRequestURI = False
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
def Tests_CheckMediaPorts(self):
"""
This method carries out the media ports test
"""
prtString = "+ Checking if media port is opened..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
# FIXME: this parsing could be improved
strRTPPort = GetSIPHeader("m=audio", self.CallInformation.SIP_Message)
if strRTPPort == "": # Could happen that no RTP was delivered
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| No RTP info delivered."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| Category: Spoofed message"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Spoofed message")
else:
strRTPPort = strRTPPort.split(" ")[1]
prtString = "|"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| + Checking " + self.CallInformation.Contact_IP + ":" + strRTPPort + "/" + "udp" + "..."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
strResult = CheckPort(self.CallInformation.Contact_IP, strRTPPort,
"udp", self.verbose)
if strResult == 0 or strResult < 0:
prtString = "| | Error while scanning the port."
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| | Category: -"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
else:
if strResult.find("closed") != -1:
strResult = strResult.splitlines()
for line in strResult:
prtString = "| | " + line
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| | Category: Spoofed message"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Spoofed message")
else:
strResult = strResult.splitlines()
for line in strResult:
prtString = "| | " + line
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| |"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
prtString = "| | Category: Interactive attack"
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
self.AddCategory("Interactive attack")
prtString = ""
self.CallInformation.Results_File_Buffer += "\n" + prtString
logger.info(prtString)
