Ejemplo n.º 1
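    def _verify_vuln(self, vuln_obj):
        """
        Check whether the eval() finding in vuln_obj is confirmed by a response.

        Each candidate returned by shell_handler.get_shell_code() is placed in
        a copy of the finding's mutant and sent through self._uri_opener. The
        finding counts as confirmed when shell_handler.SHELL_IDENTIFIER shows
        up in the response body; the generator that produced that candidate
        is then stored in self._shellcode_generator.

        :param vuln_obj: The vulnerability to verify.
        :return: True if a response contained the identifier, False when no
                 candidate was confirmed.
        """
        extension = vuln_obj.get_url().get_extension()

        # Verification passes an empty command to get_shell_code(); each entry
        # of the result unpacks to (code, extension, generator).
        null_command = ''
        shell_code_list = shell_handler.get_shell_code(extension, null_command)

        for code, _real_extension, shellcode_generator in shell_code_list:
            # Work on a copy so the object returned by get_mutant() is not
            # modified by set_token_value().
            mutant = vuln_obj.get_mutant().copy()
            mutant.set_token_value(code)

            try:
                http_res = self._uri_opener.send_mutant(mutant)
            except BaseFrameworkException as w3:
                msg = ('An error occurred while trying to exploit the eval()'
                       ' vulnerability. Original exception: "%s".')
                om.out.debug(msg % w3)
                # A failed request is not fatal: move on to the next candidate.
                continue

            # NOTE(review): this is a plain substring match on the body. If
            # the identifier can appear there without the code having run
            # (for example because the request is reflected), the result is a
            # false positive -- confirm how SHELL_IDENTIFIER is embedded.
            if shell_handler.SHELL_IDENTIFIER in http_res.get_body():
                # Only the first 35 characters of the snippet are logged.
                msg = ('Successfully exploited eval() vulnerability using'
                       ' the following code snippet: "%s...".' % code[:35])
                om.out.debug(msg)
                self._shellcode_generator = shellcode_generator
                return True

        # No candidate was confirmed; say so explicitly instead of falling
        # off the end and returning None.
        return False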
Ejemplo n.º 2
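    def _verify_vuln(self, vuln_obj):
        """
        Check whether the eval() finding in vuln_obj is confirmed by a response.

        Each candidate returned by shell_handler.get_shell_code() is placed in
        a copy of the finding's mutant and sent through self._uri_opener. The
        finding counts as confirmed when shell_handler.SHELL_IDENTIFIER shows
        up in the response body; the generator that produced that candidate
        is then stored in self._shellcode_generator.

        :param vuln_obj: The vulnerability to verify.
        :return: True if a response contained the identifier, False when no
                 candidate was confirmed.
        """
        extension = vuln_obj.get_url().get_extension()

        # Verification passes an empty command to get_shell_code(); each entry
        # of the result unpacks to (code, extension, generator).
        null_command = ''
        shell_code_list = shell_handler.get_shell_code(extension, null_command)

        for code, _real_extension, shellcode_generator in shell_code_list:
            # Work on a copy so the object returned by get_mutant() is not
            # modified by set_token_value().
            mutant = vuln_obj.get_mutant().copy()
            mutant.set_token_value(code)

            try:
                http_res = self._uri_opener.send_mutant(mutant)
            except BaseFrameworkException as w3:
                msg = ('An error occurred while trying to exploit the eval()'
                       ' vulnerability. Original exception: "%s".')
                om.out.debug(msg % w3)
                # A failed request is not fatal: move on to the next candidate.
                continue

            # NOTE(review): this is a plain substring match on the body. If
            # the identifier can appear there without the code having run
            # (for example because the request is reflected), the result is a
            # false positive -- confirm how SHELL_IDENTIFIER is embedded.
            if shell_handler.SHELL_IDENTIFIER in http_res.get_body():
                # Only the first 35 characters of the snippet are logged.
                msg = ('Successfully exploited eval() vulnerability using'
                       ' the following code snippet: "%s...".' % code[:35])
                om.out.debug(msg)
                self._shellcode_generator = shellcode_generator
                return True

        # No candidate was confirmed; say so explicitly instead of falling
        # off the end and returning None.
        return False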
Ejemplo n.º 3
 def test_get_shell_code_invalid_extension(self):
     """
     get_shell_code() called with the extension '123456' (an invalid one,
     per the test name) returns two candidates, the first being PHP.
     """
     candidates = get_shell_code('123456', self.TEST_CMD)
     self.assertEqual(len(candidates), 2)

     # Unpacking also checks that the entry is a 3-item sequence.
     code, language, _generator = candidates[0]
     self.assertEqual(language, 'php')
     self.assertIn('echo ', code)
Ejemplo n.º 4
 def test_get_shell_code_extension_force(self):
     """
     get_shell_code() called with 'php' and a third positional argument of
     True (presumably a "force this extension" flag, per the test name)
     returns exactly one candidate, and it is the PHP one.
     """
     candidates = get_shell_code('php', self.TEST_CMD, True)
     self.assertEqual(len(candidates), 1)

     # Unpacking also checks that the entry is a 3-item sequence.
     code, language, _generator = candidates[0]
     self.assertEqual(language, 'php')
     self.assertIn('echo ', code)
Ejemplo n.º 5
    def test_get_shell_code_invalid_extension(self):
        """
        get_shell_code() called with the extension '123456' (an invalid one,
        per the test name) returns two candidates, the first being PHP.
        """
        candidates = get_shell_code('123456', self.TEST_CMD)
        self.assertEqual(len(candidates), 2)

        # Unpacking also checks that the entry is a 3-item sequence.
        code, language, _generator = candidates[0]
        self.assertEqual(language, 'php')
        self.assertIn('echo ', code)
Ejemplo n.º 6
    def test_get_shell_code_extension_force(self):
        """
        get_shell_code() called with 'php' and a third positional argument of
        True (presumably a "force this extension" flag, per the test name)
        returns exactly one candidate, and it is the PHP one.
        """
        candidates = get_shell_code('php', self.TEST_CMD, True)
        self.assertEqual(len(candidates), 1)

        # Unpacking also checks that the entry is a 3-item sequence.
        code, language, _generator = candidates[0]
        self.assertEqual(language, 'php')
        self.assertIn('echo ', code)
Ejemplo n.º 7
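    def test_kb_list_shells_eval_2181(self):
        """
        An EvalShell appended to the knowledge base comes back from
        kb.get_all_shells() equal to the original, and bound to the very
        uri_opener and worker_pool objects of the core that was passed in.

        :see: https://github.com/andresriancho/w3af/issues/2181
        """
        w3af_core = w3afCore()

        # quit() sits in a finally block so the core is shut down even when
        # one of the assertions below fails.
        try:
            shellcodes = get_shell_code('php', 'ls')
            # Third item of each entry is the shellcode generator.
            shellcode_generator = shellcodes[0][2]

            shell = EvalShell(MockVuln(), w3af_core.uri_opener,
                              w3af_core.worker_pool, shellcode_generator)
            kb.append('a', 'b', shell)

            shells = kb.get_all_shells(w3af_core=w3af_core)
            self.assertEqual(len(shells), 1)
            # NOTE(review): the name suggests the KB round-trips shells
            # through pickle; if so, KB storage has to be treated as trusted
            # input only -- confirm against the kb implementation.
            unpickled_shell = shells[0]

            self.assertEqual(shell, unpickled_shell)
            # Identity, not equality: the restored shell must reuse the
            # objects owned by w3af_core rather than copies of them.
            self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener)
            self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool)
            self.assertEqual(unpickled_shell.shellcode_generator.args,
                             shell.shellcode_generator.args)
        finally:
            w3af_core.quit()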
Ejemplo n.º 8
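    def test_kb_list_shells_eval_2181(self):
        """
        An EvalShell appended to the knowledge base comes back from
        kb.get_all_shells() equal to the original, and bound to the very
        uri_opener and worker_pool objects of the core that was passed in.

        :see: https://github.com/andresriancho/w3af/issues/2181
        """
        w3af_core = w3afCore()

        # quit() sits in a finally block so the core is shut down even when
        # one of the assertions below fails.
        try:
            shellcodes = get_shell_code('php', 'ls')
            # Third item of each entry is the shellcode generator.
            shellcode_generator = shellcodes[0][2]

            shell = EvalShell(MockVuln(), w3af_core.uri_opener,
                              w3af_core.worker_pool, shellcode_generator)
            kb.append('a', 'b', shell)

            shells = kb.get_all_shells(w3af_core=w3af_core)
            self.assertEqual(len(shells), 1)
            # NOTE(review): the name suggests the KB round-trips shells
            # through pickle; if so, KB storage has to be treated as trusted
            # input only -- confirm against the kb implementation.
            unpickled_shell = shells[0]

            self.assertEqual(shell, unpickled_shell)
            # Identity, not equality: the restored shell must reuse the
            # objects owned by w3af_core rather than copies of them.
            self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener)
            self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool)
            self.assertEqual(unpickled_shell.shellcode_generator.args,
                             shell.shellcode_generator.args)
        finally:
            w3af_core.quit()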