def test_mutant_creation(self):
self.dc['a'] = [
'1',
]
self.dc['b'] = [
'2',
]
freq = FuzzableRequest(self.url, dc=self.dc)
created_mutants = Mutant.create_mutants(freq, self.payloads, [], False,
self.fuzzer_config)
expected_dc_lst = [
DataContainer([('a', ['abc']), ('b', ['2'])]),
DataContainer([('a', ['def']), ('b', ['2'])]),
DataContainer([('a', ['1']), ('b', ['abc'])]),
DataContainer([('a', ['1']), ('b', ['def'])])
]
created_dc_lst = [i.get_dc() for i in created_mutants]
self.assertEqual(created_dc_lst, expected_dc_lst)
self.assertEqual(created_mutants[0].get_var(), 'a')
self.assertEqual(created_mutants[0].get_var_index(), 0)
self.assertEqual(created_mutants[0].get_original_value(), '1')
self.assertEqual(created_mutants[2].get_var(), 'b')
self.assertEqual(created_mutants[2].get_var_index(), 0)
self.assertEqual(created_mutants[2].get_original_value(), '2')
self.assertTrue(all(isinstance(m, Mutant) for m in created_mutants))
self.assertTrue(
all(m.get_mutant_class() == 'Mutant' for m in created_mutants))
def test_str(self):
dc = DataContainer([(u'a', ['1']), (u'b', ['2', '3'])])
str_dc = str(dc)
self.assertEqual(str_dc, 'a=1&b=2&b=3')
self.assertIsInstance(str_dc, str)
dc = DataContainer([(u'aaa', [''])])
self.assertEqual(str(dc), 'aaa=')
dc = DataContainer([(u'aaa', ('', ''))])
self.assertEqual(str(dc), 'aaa=&aaa=')
def write_vuln_to_kb(vulnty, url, funcs):
vulndata = php_sca.KB_DATA[vulnty]
for f in funcs:
vuln_sev = vulndata['severity']
desc = name = vulndata['name']
v = Vuln(name, desc, vuln_sev, 1, 'PHP Static Code Analyzer')
v.set_uri(url)
v.set_var(f.vulnsources[0])
args = list(vulndata['kb_key']) + [v]
# TODO: Extract the method from the PHP code
# $_GET == GET
# $_POST == POST
# $_REQUEST == GET
v.set_method('GET')
# TODO: Extract all the other variables that are
# present in the PHP file using the SCA
v.set_dc(DataContainer())
#
# TODO: This needs to be checked! OS Commanding specific
# attributes.
v['os'] = 'unix'
v['separator'] = ''
kb.kb.append(*args)
def test_from_mutant(self):
dc = DataContainer()
url = URL('http://moth/')
payloads = ['abc', 'def']
dc['a'] = [
'1',
]
dc['b'] = [
'2',
]
freq = FuzzableRequest(url, dc=dc)
fuzzer_config = {}
created_mutants = Mutant.create_mutants(freq, payloads, [], False,
fuzzer_config)
mutant = created_mutants[0]
inst = Info.from_mutant('TestCase', 'desc' * 30, 1, 'plugin_name',
mutant)
self.assertIsInstance(inst, Info)
self.assertEqual(inst.get_uri(), mutant.get_uri())
self.assertEqual(inst.get_url(), mutant.get_url())
self.assertEqual(inst.get_method(), mutant.get_method())
self.assertEqual(inst.get_dc(), mutant.get_dc())
self.assertEqual(inst.get_var(), mutant.get_var())
def test_basic(self):
dc = DataContainer([(u'a', ['1']), (u'b', ['2', '3'])])
self.assertIn('a', dc)
self.assertIn('b', dc)
self.assertEqual(dc['a'], ['1'])
self.assertEqual(dc['b'], ['2', '3'])
def test_export_with_dc(self):
fr = FuzzableRequest(URL("http://www.w3af.com/"))
d = DataContainer()
d['a'] = [
'1',
]
fr.set_dc(d)
self.assertEqual(fr.export(), 'GET,http://www.w3af.com/?a=1,')
def __init__(self, freq, israw=False):
super(Mutant, self).__init__()
self._freq = freq
self._var = ''
self._index = 0
self._original_value = ''
self._original_response_body = None
self._mutant_dc = DataContainer()
def test_mutant_creation_ignore_params(self):
self.dc['a'] = [
'1',
]
self.dc['b'] = [
'2',
]
freq = FuzzableRequest(self.url, dc=self.dc)
created_mutants = Mutant.create_mutants(freq, self.payloads, [
'a',
], False, self.fuzzer_config)
expected_dc_lst = [
DataContainer([('a', ['abc']), ('b', ['2'])]),
DataContainer([('a', ['def']), ('b', ['2'])])
]
created_dc_lst = [i.get_dc() for i in created_mutants]
self.assertEqual(created_dc_lst, expected_dc_lst)
def test_mutant_creation_repeated_params(self):
self.dc['a'] = ['1', '2']
self.dc['b'] = [
'3',
]
freq = FuzzableRequest(self.url, dc=self.dc)
created_mutants = Mutant.create_mutants(freq, self.payloads, [], False,
self.fuzzer_config)
expected_dc_lst = [
DataContainer([('a', ['abc', '2']), ('b', ['3'])]),
DataContainer([('a', ['def', '2']), ('b', ['3'])]),
DataContainer([('a', ['1', 'abc']), ('b', ['3'])]),
DataContainer([('a', ['1', 'def']), ('b', ['3'])]),
DataContainer([('a', ['1', '2']), ('b', ['abc'])]),
DataContainer([('a', ['1', '2']), ('b', ['def'])])
]
created_dc_lst = [i.get_dc() for i in created_mutants]
self.assertEqual(created_dc_lst, expected_dc_lst)
self.assertEqual(created_mutants[0].get_var(), 'a')
self.assertEqual(created_mutants[0].get_var_index(), 0)
self.assertEqual(created_mutants[0].get_original_value(), '1')
self.assertEqual(created_mutants[2].get_var(), 'a')
self.assertEqual(created_mutants[2].get_var_index(), 1)
self.assertEqual(created_mutants[2].get_original_value(), '2')
def __init__(self, uri, method='GET', headers=None, cookie=None, dc=None):
super(FuzzableRequest, self).__init__()
# Internal variables
self._dc = dc or DataContainer()
self._method = method
self._headers = Headers(headers or ())
self._cookie = cookie or Cookie()
self._data = None
self.set_uri(uri)
# Set the internal variables
self._sent_info_comp = None
def test_mutant_creation(self):
self.url = URL('http://moth/?a=1&b=2')
freq = HTTPQSRequest(self.url)
created_mutants = QSMutant.create_mutants(freq, self.payloads, [],
False, self.fuzzer_config)
expected_dc_lst = [DataContainer([('a', ['abc']), ('b', ['2'])]),
DataContainer([('a', ['def']), ('b', ['2'])]),
DataContainer([('a', ['1']), ('b', ['abc'])]),
DataContainer([('a', ['1']), ('b', ['def'])])]
created_dc_lst = [i.get_dc() for i in created_mutants]
self.assertEqual(created_dc_lst, expected_dc_lst)
self.assertEqual(created_mutants[0].get_var(), 'a')
self.assertEqual(created_mutants[0].get_var_index(), 0)
self.assertEqual(created_mutants[0].get_original_value(), '1')
self.assertEqual(created_mutants[2].get_var(), 'b')
self.assertEqual(created_mutants[2].get_var_index(), 0)
self.assertEqual(created_mutants[2].get_original_value(), '2')
self.assertTrue(all(isinstance(m, QSMutant) for m in created_mutants))
def create_mutants(freq, mutant_str_list, fuzzable_param_list,
append, fuzzer_config, data_container=None):
'''
This is a very important method which is called in order to create
mutants. Usually called from fuzzer.py module.
'''
if not fuzzer_config['fuzz_url_parts']:
return []
if not isinstance(freq, HTTPQSRequest):
return []
res = []
path_sep = '/'
path = freq.get_url().get_path()
path_chunks = path.split(path_sep)
for idx, p_chunk in enumerate(path_chunks):
if not p_chunk:
continue
for mutant_str in mutant_str_list:
divided_path = DataContainer()
divided_path['start'] = path_sep.join(path_chunks[:idx] + [''])
divided_path['end'] = path_sep.join([''] +
path_chunks[idx + 1:])
divided_path['modified_part'] = \
(p_chunk if append else '') + urllib.quote_plus(mutant_str)
freq_copy = freq.copy()
freq_copy.set_url(freq.get_url())
m = URLPartsMutant(freq_copy)
m.set_original_value(p_chunk)
m.set_var('modified_part')
m.set_mutant_dc(divided_path)
m.set_mod_value(mutant_str)
res.append(m)
# Same URLs but with different types of encoding!
m2 = m.copy()
m2.set_double_encoding(True)
if m2.get_url() != m.get_url():
res.append(m2)
return res
def test_basics(self):
divided_path = DataContainer()
divided_path['start'] = '/'
divided_path['modified_part'] = 'ping!'
divided_path['end'] = '/bar'
freq = HTTPQSRequest(URL('http://www.w3af.com/foo/bar'))
m = URLPartsMutant(freq)
m.set_mutant_dc(divided_path)
m.set_var('modified_part')
self.assertEqual(m.get_url().url_string,
u'http://www.w3af.com/ping%21/bar')
expected_mod_value = 'The sent urlparts is: "/ping!/bar".'
generated_mod_value = m.print_mod_value()
self.assertEqual(generated_mod_value, expected_mod_value)
expected_found_at = '"http://www.w3af.com/ping%21/bar", using HTTP method'\
' GET. The modified parameter was the URL path, with'\
' value: "ping!".'
generated_found_at = m.found_at()
self.assertEqual(generated_found_at, expected_found_at)
def test_basics(self):
divided_path = DataContainer()
divided_path['start'] = ''
divided_path['modified_part'] = 'ping!'
divided_path['end'] = '.htm'
freq = HTTPQSRequest(URL('http://www.w3af.com/foo/bar.htm'))
m = FileNameMutant(freq)
m.set_mutant_dc(divided_path)
m.set_var('modified_part')
self.assertEqual(m.get_url().url_string,
u'http://www.w3af.com/foo/ping%21.htm')
expected_mod_value = 'The sent url filename is: "ping!.htm".'
generated_mod_value = m.print_mod_value()
self.assertEqual(generated_mod_value, expected_mod_value)
expected_found_at = '"http://www.w3af.com/foo/ping%21.htm", using HTTP'\
' method GET. The modified parameter was the URL '\
'filename, with value: "ping!".'
generated_found_at = m.found_at()
self.assertEqual(generated_found_at, expected_found_at)
def create_mutants(freq,
mutant_str_list,
fuzzable_param_list,
append,
fuzzer_config,
data_container=None):
'''
This is a very important method which is called in order to create
mutants. Usually called from fuzzer.py module.
:param fuzzable_param_list: Please note that in this case the user
specifies the chunk of the filename that
he wants to fuzz. Chunks:
foo.bar.html
0 1 2
'''
if not fuzzer_config['fuzz_url_filenames']:
return []
if not isinstance(freq, HTTPQSRequest):
return []
res = []
fname = freq.get_url().get_file_name()
fname_chunks = [x for x in re.split(r'([a-zA-Z0-9]+)', fname) if x]
for idx, fn_chunk in enumerate(fname_chunks):
if not (fuzzable_param_list == [] or idx in fuzzable_param_list):
continue
for mutant_str in mutant_str_list:
if re.match('[a-zA-Z0-9]', fn_chunk):
divided_fname = DataContainer()
divided_fname['start'] = ''.join(fname_chunks[:idx])
divided_fname['end'] = ''.join(fname_chunks[idx + 1:])
divided_fname['modified_part'] = \
(fn_chunk if append else '') + \
urllib.quote_plus(mutant_str)
freq_copy = freq.copy()
freq_copy.set_url(freq.get_url())
# Create the mutant
m = FileNameMutant(freq_copy)
m.set_original_value(fn_chunk)
m.set_var('modified_part')
m.set_mutant_dc(divided_fname)
m.set_mod_value(mutant_str)
# Special for filename fuzzing and some configurations
# of mod_rewrite
m.set_double_encoding(False)
res.append(m)
# The same but with a different type of encoding! (mod_rewrite)
m2 = m.copy()
m2.set_safe_encode_chars('/')
if m2.get_url() != m.get_url():
res.append(m2)
return res
def test_unicode(self):
dc = DataContainer([(u'a', ['1']), (u'b', ['2', '3'])])
udc = unicode(dc)
self.assertEqual(udc, u'a=1&b=2&b=3')
self.assertIsInstance(udc, unicode)
def test_str_special_chars(self):
dc = DataContainer([(u'a', ['1']), (u'u', [u'Ú-ú-Ü-ü'])], 'latin1')
decoded_str = urllib.unquote(str(dc)).decode('latin-1')
self.assertEquals(u'a=1&u=Ú-ú-Ü-ü', decoded_str)
def setUp(self):
self.dc = DataContainer()
self.url = URL('http://moth/')
self.payloads = ['abc', 'def']
self.fuzzer_config = {}
self.fuzzer_config['fuzz_form_files'] = 'gif'
def test_POST_special_chars(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
test_data = u'abc<def>"-á-'
data = DataContainer([('empresa', test_data), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertIn(test_data, http_response.body)
def test_POST(self):
url = URL('http://moth/w3af/audit/xss/data_receptor2.php')
data = DataContainer([('empresa', 'abc'), ('firstname', 'def')])
http_response = self.uri_opener.POST(url, data, cache=False)
self.assertTrue('def' in http_response.body, http_response.body)
