Ejemplo n.º 1
Archivo: ssi.py Proyecto: ZionOps/w3af
def get_seeds():
    """
    Build the two random seeds used to make each payload unique.

    Both seeds come from ``rand_number(5, exclude_numbers=(0,))``. The stated
    intent is to avoid bugs where leading zeroes are truncated.

    NOTE(review): the exclusion is passed as the integer ``0``. How
    rand_number() matches it (per digit, against the whole value, or against
    a string) is not visible here -- confirm it really rules out leading
    zeroes.

    :return: A 2-tuple ``(first_seed, second_seed)``.
    """
    first_seed = rand_number(5, exclude_numbers=(0,))
    second_seed = rand_number(5, exclude_numbers=(0,))
    return (first_seed, second_seed)
Ejemplo n.º 2
Archivo: ssi.py Proyecto: s0i37/__w3af
def get_seeds():
    """
    Return a pair of random numbers that keep the generated payloads unique.

    Zero is passed in ``exclude_numbers`` for both draws; the original author
    did this to avoid bugs where leading zeroes are truncated.

    NOTE(review): whether ``exclude_numbers=(0, )`` filters digits or whole
    values depends on rand_number(), which is defined elsewhere -- verify.

    :return: A tuple with two values returned by rand_number().
    """
    excluded = (0, )
    seed_a = rand_number(5, exclude_numbers=excluded)
    seed_b = rand_number(5, exclude_numbers=excluded)
    return seed_a, seed_b
Ejemplo n.º 3
        def generator(count):
            """
            Yield two values per iteration, ``count`` times.

            The first is a value from rand_number(5). The second is the
            string form of that value multiplied, as an integer, by another
            rand_number(5) draw.
            """
            for _ in xrange(count):
                token = rand_number(5)
                yield token

                # int(token) is evaluated before the second draw, as before.
                yield str(int(token) * int(rand_number(5)))
Ejemplo n.º 4
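    def _get_statements(self, mutant, exclude_numbers=None):
        """
        Build the true/false boolean test statements for each quoting context.

        The statements are detection probes: the "true" one always evaluates
        to true and the "false" one never does. Presumably the caller (not
        shown) compares the responses to both -- confirm against the caller.

        :param mutant: Not used by this method.
        :param exclude_numbers: Forwarded to rand_number(); presumably values
                                it must not return. Defaults to an empty list.
        :return: A dict mapping 'numeric', 'string_single' and
                 'string_double' to a (true_statement, false_statement) tuple.
        """
        # A fresh list per call instead of a shared mutable default argument.
        if exclude_numbers is None:
            exclude_numbers = []

        res = {}
        rnd_num = int(rand_number(2, exclude_numbers))
        # NOTE(review): rnd_num + 1 is not checked against exclude_numbers.
        rnd_num_plus_one = rnd_num + 1

        num_dict = {'num': rnd_num}

        # Numeric/Datetime: N=N always holds, N=N+1 never does.
        true_stm = '%(num)s OR %(num)s=%(num)s OR %(num)s=%(num)s ' % num_dict
        false_stm = '%i AND %i=%i ' % (rnd_num, rnd_num, rnd_num_plus_one)
        res['numeric'] = (true_stm, false_stm)

        # Single quotes: the opening and closing quote are left out, they
        # would come from the surrounding string context.
        true_stm = "%(num)s' OR '%(num)s'='%(num)s' OR '%(num)s'='%(num)s" % num_dict
        false_stm = "%i' AND '%i'='%i" % (rnd_num, rnd_num, rnd_num_plus_one)
        res['string_single'] = (true_stm, false_stm)

        # Double quotes: same shape as above with a different delimiter.
        true_stm = '%(num)s" OR "%(num)s"="%(num)s" OR "%(num)s"="%(num)s' % num_dict
        false_stm = '%i" AND "%i"="%i' % (rnd_num, rnd_num, rnd_num_plus_one)
        res['string_double'] = (true_stm, false_stm)

        return res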
Ejemplo n.º 5
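    def _get_statements(self, mutant, exclude_numbers=None):
        """
        Build the true/false boolean test statements for each quoting context.

        Each entry pairs a statement that always evaluates to true with one
        that never does. They are detection probes; how the responses are
        compared is decided by the caller, which is not shown here.

        :param mutant: Not used by this method.
        :param exclude_numbers: Forwarded to rand_number(); presumably values
                                it must not return. Defaults to an empty list.
        :return: A dict keyed by self.NUMERIC, self.STRING_SINGLE and
                 self.STRING_DOUBLE, each holding a
                 (true_statement, false_statement) tuple.
        """
        # A fresh list per call instead of a shared mutable default argument.
        if exclude_numbers is None:
            exclude_numbers = []

        res = {}
        rnd_num = int(rand_number(2, exclude_numbers))
        # NOTE(review): rnd_num + 1 is not checked against exclude_numbers.
        rnd_num_plus_one = rnd_num + 1

        num_dict = {'num': rnd_num}

        # Numeric/Datetime: N=N always holds, N=N+1 never does.
        true_stm = '%(num)s OR %(num)s=%(num)s OR %(num)s=%(num)s ' % num_dict
        false_stm = '%i AND %i=%i ' % (rnd_num, rnd_num, rnd_num_plus_one)
        res[self.NUMERIC] = (true_stm, false_stm)

        # Single quotes: the outer quotes come from the surrounding context.
        true_stm = "%(num)s' OR '%(num)s'='%(num)s' OR '%(num)s'='%(num)s" % num_dict
        false_stm = "%i' AND '%i'='%i" % (rnd_num, rnd_num, rnd_num_plus_one)
        res[self.STRING_SINGLE] = (true_stm, false_stm)

        # Double quotes: same shape as above with a different delimiter.
        true_stm = '%(num)s" OR "%(num)s"="%(num)s" OR "%(num)s"="%(num)s' % num_dict
        false_stm = '%i" AND "%i"="%i' % (rnd_num, rnd_num, rnd_num_plus_one)
        res[self.STRING_DOUBLE] = (true_stm, false_stm)

        return res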
Ejemplo n.º 6
    def _get_statements(self, mutant, exclude_numbers=None):
        """
        Build the true/false boolean test statements for each quoting context.

        :param mutant: Not used by this method.
        :param exclude_numbers: Forwarded to rand_number(); any falsy value
                                is replaced by a new empty list.
        :return: A dict keyed by self.NUMERIC, self.STRING_SINGLE and
                 self.STRING_DOUBLE, each holding a
                 (true_statement, false_statement) tuple.
        """
        excluded = exclude_numbers or []

        operand = int(rand_number(2, excluded))
        operand_next = operand + 1

        # Arguments for the two formatting styles used below.
        by_name = {'num': operand}
        mismatch = (operand, operand, operand_next)

        return {
            # Numeric/Datetime: N=N always holds, N=N+1 never does.
            self.NUMERIC: (
                '%(num)s OR %(num)s=%(num)s OR %(num)s=%(num)s ' % by_name,
                '%i AND %i=%i ' % mismatch,
            ),
            # Single quotes
            self.STRING_SINGLE: (
                "%(num)s' OR '%(num)s'='%(num)s' OR '%(num)s'='%(num)s" % by_name,
                "%i' AND '%i'='%i" % mismatch,
            ),
            # Double quotes
            self.STRING_DOUBLE: (
                '%(num)s" OR "%(num)s"="%(num)s" OR "%(num)s"="%(num)s' % by_name,
                '%i" AND "%i"="%i' % mismatch,
            ),
        }
Ejemplo n.º 7
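    def test_rand_number(self):
        """
        Check the value range of rand_number() for lengths 1 to 3 and that
        four draws of length 5 are all different from each other.
        """
        for length, upper_bound in ((1, 10), (2, 100), (3, 1000)):
            x = rand_number(length=length)
            self.assertIn(int(x), range(upper_bound))

        samples = [rand_number(length=5) for _ in range(4)]

        # The chained form `x != y != z != w` only compares neighbours, so
        # x == z or x == w would go unnoticed; a set checks every pair.
        # NOTE(review): the values are random, so a collision is unlikely but
        # not impossible and this assertion can fail spuriously.
        self.assertEqual(len(set(samples)), len(samples))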
Ejemplo n.º 8
    def _get_limit_response(self, mutant):
        """
        Request the "limit": a token value that should not exist.

            - If http://localhost/a.php?b=1
                then b=12938795 is requested (random number)
            - If http://localhost/a.php?b=abc
                then b=hnv98yks is requested (random alnum)

        The request is sent with a copy, so *mutant* keeps its token value.

        :return: The limit response object
        """
        probe = mutant.copy()

        # Keep the replacement in the same character class as the original.
        original_value = mutant.get_token_original_value()
        if original_value.isdigit():
            replacement = rand_number(length=8)
        else:
            replacement = rand_alnum(length=8)

        probe.set_token_value(replacement)
        return self._uri_opener.send_mutant(probe)
Ejemplo n.º 9
    def _get_limit_response(self, mutant):
        """
        Fetch the response for a random token value that should not exist.

            - If http://localhost/a.php?b=1
                then b=12938795 is requested (random number)
            - If http://localhost/a.php?b=abc
                then b=hnv98yks is requested (random alnum)

        :return: The limit response object
        """
        # Work on a copy so the caller's mutant is left untouched.
        limit_mutant = mutant.copy()

        numeric_token = mutant.get_token_original_value().isdigit()
        if numeric_token:
            random_value = rand_number(length=8)
        else:
            random_value = rand_alnum(length=8)
        limit_mutant.set_token_value(random_value)

        return self._uri_opener.send_mutant(limit_mutant)
Ejemplo n.º 10
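    def _get_limit_response(self, m):
        """
        We request the limit (something that doesn't exist)
            - If http://localhost/a.php?b=1 ; then I should request b=12938795
                                                                 (random number)
            - If http://localhost/a.php?b=abc ; then I should request b=hnv98yks
                                                                    (random alnum)

        The mutant is modified in place for the request and its dc is put
        back afterwards, also when sending raises.

        :param m: The mutant whose modified value is replaced for the request.
        :return: The limit response object
        """
        # Copy the dc, needed to make a good vuln report
        dc = copy.deepcopy(m.get_dc())

        try:
            if m.get_original_value().isdigit():
                m.set_mod_value(rand_number(length=8))
            else:
                m.set_mod_value(rand_alnum(length=8))
            return self._uri_opener.send_mutant(m)
        finally:
            # Restore the dc even if the request fails; otherwise the caller's
            # mutant would keep the random value.
            m.set_dc(dc)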
Ejemplo n.º 11
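    def _get_limit_response(self, m):
        """
        We request the limit (something that doesn't exist)
            - If http://localhost/a.php?b=1
                then I should request b=12938795 (random number)
            - If http://localhost/a.php?b=abc
                then I should request b=hnv98yks (random alnum)

        The mutant is modified in place for the request and its dc is put
        back afterwards, also when sending raises.

        :param m: The mutant whose token value is replaced for the request.
        :return: The limit response object
        """
        # Copy the dc, needed to make a good vuln report
        dc = copy.deepcopy(m.get_dc())

        try:
            if m.get_token_original_value().isdigit():
                m.set_token_value(rand_number(length=8))
            else:
                m.set_token_value(rand_alnum(length=8))
            return self._uri_opener.send_mutant(m)
        finally:
            # Restore the dc even if the request fails; otherwise the caller's
            # mutant would keep the random value.
            m.set_dc(dc)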
Ejemplo n.º 12
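    def _get_statements(self, mutant, exclude_numbers=None):
        """
        Build the true/false boolean test statements for each quoting context.

        Each entry pairs a statement that always evaluates to true with one
        that never does. They are detection probes; how the responses are
        compared is decided by the caller, which is not shown here.

        :param mutant: Not used by this method.
        :param exclude_numbers: Forwarded to rand_number(); presumably values
                                it must not return. Defaults to an empty list.
        :return: A dict mapping "numeric", "stringsingle" and "stringdouble"
                 to a (true_statement, false_statement) tuple.
        """
        # A fresh list per call instead of a shared mutable default argument.
        if exclude_numbers is None:
            exclude_numbers = []

        res = {}
        rnd_num = int(rand_number(2, exclude_numbers))
        # NOTE(review): rnd_num + 1 is not checked against exclude_numbers.
        rnd_num_plus_one = rnd_num + 1

        # Numeric/Datetime: N=N always holds, N=N+1 never does.
        true_stm = "%i OR %i=%i " % (rnd_num, rnd_num, rnd_num)
        false_stm = "%i AND %i=%i " % (rnd_num, rnd_num, rnd_num_plus_one)
        res["numeric"] = (true_stm, false_stm)

        # Single quotes: the outer quotes come from the surrounding context.
        true_stm = "%i' OR '%i'='%i" % (rnd_num, rnd_num, rnd_num)
        false_stm = "%i' AND '%i'='%i" % (rnd_num, rnd_num, rnd_num_plus_one)
        res["stringsingle"] = (true_stm, false_stm)

        # Double quotes: same shape as above with a different delimiter.
        true_stm = '%i" OR "%i"="%i' % (rnd_num, rnd_num, rnd_num)
        false_stm = '%i" AND "%i"="%i' % (rnd_num, rnd_num, rnd_num_plus_one)
        res["stringdouble"] = (true_stm, false_stm)

        return res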
Ejemplo n.º 13
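def replace_randomize(data, length=0, exclude_numbers=None):
    """
    Replace every "RANDOMIZE" marker in *data* with one random number.

    A single value is drawn, so all markers in *data* get the same value.

    :param data: String that may contain the literal marker "RANDOMIZE".
    :param length: Forwarded to rand_number() as its first argument.
    :param exclude_numbers: Forwarded to rand_number() as its second
                            argument. Defaults to an empty list.
    :return: *data* with the markers replaced.
    """
    # A fresh list per call instead of a shared mutable default argument.
    if exclude_numbers is None:
        exclude_numbers = []
    rand_num = rand_number(length, exclude_numbers)
    return data.replace("RANDOMIZE", rand_num)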
Ejemplo n.º 14
 def generator(count):
     """
     Yield ``count`` values, each one ``prefix`` followed by a fresh
     rand_number(5) draw. ``prefix`` comes from the enclosing scope.
     """
     for _ in xrange(count):
         random_suffix = rand_number(5)
         yield prefix + random_suffix
Ejemplo n.º 15
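def replace_randomize(data, length=0, exclude_numbers=None):
    """
    Substitute the "RANDOMIZE" marker in *data* with a random number.

    rand_number() is called once, so every occurrence of the marker is
    replaced by the same value.

    :param data: String that may contain the literal marker "RANDOMIZE".
    :param length: Forwarded to rand_number() as its first argument.
    :param exclude_numbers: Forwarded to rand_number() as its second
                            argument. Defaults to an empty list.
    :return: *data* with the markers replaced.
    """
    # A fresh list per call instead of a shared mutable default argument.
    if exclude_numbers is None:
        exclude_numbers = []
    rand_num = rand_number(length, exclude_numbers)
    return data.replace("RANDOMIZE", rand_num)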