def _fingerprint_URLScan(self, fuzzableRequest):
'''
Try to verify if URLScan is installed or not.
'''
# detect using GET
# Get the original response
originalResponse = self._uri_opener.GET( fuzzableRequest.getURL(), cache=True )
if originalResponse.getCode() != 404:
# Now add the if header and try again
headers = fuzzableRequest.getHeaders()
headers['If'] = createRandAlpha(8)
if_response = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers,
cache=True )
headers = fuzzableRequest.getHeaders()
headers['Translate'] = createRandAlpha(8)
translate_response = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers,
cache=True )
headers = fuzzableRequest.getHeaders()
headers['Lock-Token'] = createRandAlpha(8)
lock_response = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers,
cache=True )
headers = fuzzableRequest.getHeaders()
headers['Transfer-Encoding'] = createRandAlpha(8)
transfer_enc_response = self._uri_opener.GET( fuzzableRequest.getURL(),
headers=headers,
cache=True )
if if_response.getCode() == 404 or translate_response.getCode() == 404 or\
lock_response.getCode() == 404 or transfer_enc_response.getCode() == 404:
self._report_finding('URLScan', lock_response)
def _verifyVuln( self, vuln ):
'''
This command verifies a vuln. This is really hard work!
@return : True if vuln can be exploited.
'''
# The vuln was saved to the kb as:
# kb.kb.append( self, 'osCommanding', v )
exploitDc = vuln.getDc()
# Define a test command:
rand = createRandAlpha( 8 )
if vuln['os'] == 'windows':
command = vuln['separator'] + 'echo ' + rand
# TODO: Confirm that this works in windows
rand = rand + '\n\n'
else:
command = vuln['separator'] + '/bin/echo ' + rand
rand = rand + '\n'
# Lets define the result header and footer.
functionReference = getattr( self._uri_opener , vuln.getMethod() )
exploitDc[vuln.getVar()] = command
try:
response = functionReference( vuln.getURL(), str(exploitDc) )
except w3afException, e:
om.out.error( str(e) )
return False
def _verifyVuln( self, vuln ):
'''
This command verifies a vuln. This is really hard work!
@return : True if vuln can be exploited.
'''
# The vuln was saved to the kb as:
# kb.kb.append( self, 'osCommanding', v )
exploitDc = vuln.getDc()
if exploitDc is None:
om.out.error('You hitted bug #1948260. Please report how to reproduce it here:')
bug_URL = 'https://sourceforge.net/tracker/index.php?func=detail&aid=1948260'
bug_URL += '&group_id=170274&atid=853652'
om.out.error( bug_URL )
# Define a test command:
rand = createRandAlpha( 8 )
if vuln['os'] == 'windows':
command = vuln['separator'] + 'echo ' + rand
# TODO: Confirm that this works in windows
rand = rand + '\n\n'
else:
command = vuln['separator'] + '/bin/echo ' + rand
rand = rand + '\n'
# Lets define the result header and footer.
functionReference = getattr( self._urlOpener , vuln.getMethod() )
exploitDc[vuln.getVar()] = command
try:
response = functionReference( vuln.getURL(), str(exploitDc) )
except w3afException, e:
om.out.error( str(e) )
return False
def __init__(self):
baseAuditPlugin.__init__(self)
# Create some random strings, which the plugin will use.
# for the fuzz_with_echo
self._rnd = createRandAlpha(5)
# User configured parameters
self._use_time_delay = True
self._use_echo = True
def __init__(self):
baseAuditPlugin.__init__(self)
#Create some random strings, which the plugin will use.
# for the fuzz_with_echo
self._rnd1 = createRandAlpha(5)
self._rnd2 = createRandAlpha(5)
self._rndn = self._rnd1 + self._rnd2
# And now for the fuzz_with_time_delay
# The wait time of the unfuzzed request
self._original_wait_time = 0
# The wait time of the first test I'm going to perform
self._wait_time = 4
# The wait time of the second test I'm going to perform (this one is just to be sure!)
self._second_wait_time = 9
# User configured parameters
self._use_time_delay = True
self._use_echo = True
def _get_string_list(self):
"""
@return: This method returns a list of strings that could overflow a buffer.
"""
strings = []
lengths = [65, 257, 513, 1025, 2049]
### TODO !! if lengths = [ 65 , 257 , 513 , 1025, 2049, 4097, 8000 ]
### then i get a badStatusLine exception from urllib2, is seems to be a internal error.
### tested against tomcat 5.5.7
for i in lengths:
strings.append(createRandAlpha(i))
return strings
def _fingerprint_SecureIIS(self, fuzzableRequest):
'''
Try to verify if SecureIIS is installed or not.
'''
# And now a final check for SecureIIS
headers = fuzzableRequest.getHeaders()
headers['Transfer-Encoding'] = createRandAlpha(1024 + 1)
try:
lock_response2 = self._uri_opener.GET( fuzzableRequest.getURL(),
headers=headers, cache=True )
except w3afException, w3:
om.out.debug('Failed to identify secure IIS, exception: ' + str(w3) )
def _PUT(self, domain_path):
"""
Tests PUT method.
"""
# upload
url = domain_path.urlJoin(createRandAlpha(5))
rndContent = createRandAlNum(6)
put_response = self._urlOpener.PUT(url, data=rndContent)
# check if uploaded
res = self._urlOpener.GET(url, useCache=True)
if res.getBody() == rndContent:
v = vuln.vuln()
v.setPluginName(self.getName())
v.setURL(url)
v.setId([put_response.id, res.id])
v.setSeverity(severity.HIGH)
v.setName("Insecure DAV configuration")
v.setMethod("PUT")
msg = 'File upload with HTTP PUT method was found at resource: "' + domain_path + '".'
msg += ' A test file was uploaded to: "' + res.getURL() + '".'
v.setDesc(msg)
kb.kb.append(self, "dav", v)
# Report some common errors
elif put_response.getCode() == 500:
i = info.info()
i.setPluginName(self.getName())
i.setURL(url)
i.setId(res.id)
i.setName("DAV incorrect configuration")
i.setMethod("PUT")
msg = "DAV seems to be incorrectly configured. The web server answered with a 500"
msg += " error code. In most cases, this means that the DAV extension failed in"
msg += ' some way. This error was found at: "' + put_response.getURL() + '".'
i.setDesc(msg)
kb.kb.append(self, "dav", i)
# Report some common errors
elif put_response.getCode() == 403:
i = info.info()
i.setPluginName(self.getName())
i.setURL(url)
i.setId([put_response.id, res.id])
i.setName("DAV insufficient privileges")
i.setMethod("PUT")
msg = "DAV seems to be correctly configured and allowing you to use the PUT method"
msg += " but the directory does not have the correct permissions that would allow"
msg += ' the web server to write to it. This error was found at: "'
msg += put_response.getURL() + '".'
i.setDesc(msg)
kb.kb.append(self, "dav", i)
def _verifyVuln( self, vuln_obj ):
'''
This command verifies a vuln. This is really hard work! :P
@return : True if vuln can be exploited.
'''
# Create the shell
filename = createRandAlpha( 7 )
extension = vuln_obj.getURL().getExtension()
# I get a list of tuples with file_content and extension to use
shell_list = shell_handler.get_webshells( extension )
for file_content, real_extension in shell_list:
if extension == '':
extension = real_extension
om.out.debug('Uploading shell with extension: "'+extension+'".' )
# Upload the shell
url_to_upload = vuln_obj.getURL().urlJoin( filename + '.' + extension )
om.out.debug('Uploading file: ' + url_to_upload )
self._urlOpener.PUT( url_to_upload, data=file_content )
# Verify if I can execute commands
# All w3af shells, when invoked with a blank command, return a
# specific value in the response:
# shell_handler.SHELL_IDENTIFIER
exploit_url = url_object( url_to_upload + '?cmd=' )
response = self._urlOpener.GET( exploit_url )
if shell_handler.SHELL_IDENTIFIER in response.getBody():
msg = 'The uploaded shell returned the SHELL_IDENTIFIER: "'
msg += shell_handler.SHELL_IDENTIFIER + '".'
om.out.debug( msg )
self._exploit_url = exploit_url
return True
else:
msg = 'The uploaded shell with extension: "' + extension
msg += '" DIDN\'T returned what we expected, it returned: ' + response.getBody()
om.out.debug( msg )
extension = ''
def getDrameStrings(self, kind):
'''
Gets a list of strings to test against the web app.
@return: A list with all drame strings to test. Example: [ '\'','\'\'']
'''
drame_strings = []
if kind == "reject":
drame_strings.append(createRandAlpha(5))
#drame_strings.append(createRandAlpha(5))
elif kind == "error":
#drame_strings.append("d'z\"0")
drame_strings.append("' or '1'=PLOOP")
#drame_strings.append("#")
elif kind == "injection":
drame_strings.append("' or '1'='1")
#drame_strings.append("' or '1'='1' #")
return drame_strings
def audit(self, freq ):
'''
Searches for file upload vulns using a POST to author.dll.
@param freq: A fuzzableRequest
'''
# Set some value
domain_path = urlParser.getDomainPath( freq.getURL() )
# Start
if self._stop_on_first and kb.kb.getData('frontpage', 'frontpage'):
# Nothing to do, I have found vuln(s) and I should stop on first
msg = 'Not verifying if I can upload files to: "' + domain_path + '" using author.dll'
msg += '. Because I already found one vulnerability.'
om.out.debug(msg)
else:
# I haven't found any vulns yet, OR i'm trying to find every
# directory where I can write a file.
if domain_path not in self._already_tested:
om.out.debug( 'frontpage plugin is testing: ' + freq.getURL() )
self._already_tested.add( domain_path )
# Find a file that doesn't exist
found404 = False
for i in xrange(3):
randFile = createRandAlpha( 5 ) + '.html'
randPathFile = urlParser.urlJoin(domain_path, randFile)
res = self._urlOpener.GET( randPathFile )
if is_404( res ):
found404 = True
break
if found404:
upload_id = self._upload_file( domain_path, randFile )
self._verify_upload( domain_path, randFile, upload_id )
else:
msg = 'frontpage plugin failed to find a 404 page. This is mostly because of an'
msg += ' error in 404 page detection.'
om.out.error(msg)
/es/ga.js/google-analytics.com/google-analytics.com/ga.js/
/es/ga.js/google-analytics.com/google-analytics.com/
/es/ga.js/google-analytics.com/google-analytics.com/google-analytics.com/ga.js
/ga.js/google-analytics.com/google-analytics.com/ga.js
/services/google-analytics.com/google-analytics.com/
/services/google-analytics.com/google-analytics.com/google-analytics.com/ga.js
/es/ga.js/google-analytics.com/ga.js/google-analytics.com/ga.js/
/ga.js/google-analytics.com/ga.js/google-analytics.com/ga.js/
/ga.js/google-analytics.com/ga.js/google-analytics.com/
/ga.js/google-analytics.com/ga.js/google-analytics.com/google-analytics.com/ga.js
'''
filename = reference.getFileName()
if filename:
new_reference = reference.copy()
new_reference.setFileName( createRandAlpha(3) + filename )
check_response = self._urlOpener.GET( new_reference, useCache=True,
headers= headers)
resp_body = resp.getBody()
check_resp_body = check_response.getBody()
if relative_distance_ge(resp_body,
check_resp_body, IS_EQUAL_RATIO):
# If they are equal, then they are both a 404 (or something invalid)
#om.out.debug( reference + ' was broken!')
return
else:
# The URL was possibly_broken, but after testing we found out that
# it was not, so not we use it!
