def test_from_parts(self):
    """
    URL.from_parts() must keep the scheme and path it was given and derive
    the file name and extension from that path.

    The fifth and sixth arguments ('a=b' and 'frag', presumably the query
    string and the fragment) are passed in but not asserted on here.
    """
    url = URL.from_parts(
        'http',
        'w3af.com',
        '/foo/bar.txt',
        None,
        'a=b',
        'frag',
    )

    # Values handed in verbatim
    self.assertEqual(url.path, '/foo/bar.txt')
    self.assertEqual(url.scheme, 'http')

    # Values derived from the path
    self.assertEqual(url.get_file_name(), 'bar.txt')
    self.assertEqual(url.get_extension(), 'txt')
def _create_file(self):
    """
    Build the marker page that is served for the remote file inclusion test.

    The page only prints the two marker tokens (self.RFI_TOKEN_1 and
    self.RFI_TOKEN_2). The same statement is written three times, once per
    tag style: "<?php ... ?>", "<? ... ?>" (PHP runs what is between "<?"
    and "?>") and "<% ... %>" (JSP runs what is between "<%" and "%>").

    Only the file name is generated per call (rand_alnum(8)); the tokens
    are read from attributes of self.

    NOTE(review): the expected result is the two tokens joined together, a
    string which is not written as-is in the page source -- presumably so
    that a hit means the page was executed and not just echoed back.
    Confirm against the code that consumes RFIData.

    TODO: make this code compatible with: asp/aspx, jsp, js (nodejs), pl,
          py, rb, etc. Some code snippets that might help to achieve this
          task:

          asp_code = 'response.write("%s");\n response.write("%s");' % (
              rand1, rand2)
          asp_code = '<% \n '+asp_code+'\n %>'

    :return: A (file content, RFIData) tuple: the content to be served via
             the webserver, and the RFIData built from the http URL of the
             file, both tokens and their concatenation.
    """
    # NOTE(review): the lock scope is taken from a flattened listing; the
    # whole body is kept under the lock.
    with self._plugin_lock:
        token_1 = self.RFI_TOKEN_1
        token_2 = self.RFI_TOKEN_2
        expected = token_1 + token_2

        filename = rand_alnum(8)

        # One copy of the marker statement per tag style. "%%" is needed
        # because the template goes through %-formatting below.
        template = ('<?php echo "%(p1)s"; echo "%(p2)s"; ?>'
                    '<? echo "%(p1)s"; echo "%(p2)s"; ?>'
                    '<%% out.print("%(p1)s"); out.print("%(p2)s"); %%>')
        php_jsp_code = template % {'p1': token_1, 'p2': token_2}

        # Address the file is requested from: listen address and port of
        # this object, plain http, random file name as the path.
        netloc = ':'.join((self._listen_address, str(self._listen_port)))
        rfi_url = URL.from_parts('http', netloc, '/' + filename,
                                 None, None, None)

        return php_jsp_code, RFIData(rfi_url, token_1, token_2, expected)
def _create_file(self):
    """
    Create the content of the file used by the remote file inclusion test,
    together with the data needed to recognise its output.

    The content prints self.RFI_TOKEN_1 followed by self.RFI_TOKEN_2. It is
    meant to work both in PHP and JSP: PHP will run everything between "<?"
    and "?>" and JSP will run code between "<%" and "%>", so the print
    statement is repeated once for each tag style.

    The file name is random (rand_alnum(8)); the tokens are not generated
    here, they are read from self.

    TODO: make this code compatible with: asp/aspx, jsp, js (nodejs), pl,
          py, rb, etc. Some code snippets that might help to achieve this
          task:

          asp_code = 'response.write("%s");\n response.write("%s");' % (
              rand1, rand2)
          asp_code = '<% \n '+asp_code+'\n %>'

    :return: A tuple with the file content to be served via the webserver
             and an RFIData instance holding the http URL of the file, the
             two tokens and the two tokens concatenated.
    """
    # NOTE(review): the lock scope is taken from a flattened listing; the
    # whole body is kept under the lock.
    with self._plugin_lock:
        part_1, part_2 = self.RFI_TOKEN_1, self.RFI_TOKEN_2
        # NOTE(review): the concatenation is what gets stored as the result
        # to look for; the two tokens are never adjacent in the template
        # below -- presumably to tell execution from reflection, confirm
        # with the caller.
        joined = part_1 + part_2

        filename = rand_alnum(8)

        # "%%" survives the %-formatting as a literal "%".
        snippets = (
            '<?php echo "%(p1)s"; echo "%(p2)s"; ?>',
            '<? echo "%(p1)s"; echo "%(p2)s"; ?>',
            '<%% out.print("%(p1)s"); out.print("%(p2)s"); %%>',
        )
        tokens = {'p1': part_1, 'p2': part_2}
        php_jsp_code = ''.join(snippets) % tokens

        # Define the required parameters
        host_port = self._listen_address + ':' + str(self._listen_port)
        url_path = '/' + filename
        rfi_url = URL.from_parts('http', host_port, url_path,
                                 None, None, None)

        rfi_data = RFIData(rfi_url, part_1, part_2, joined)

        return php_jsp_code, rfi_data