Exemple #1
0
    def test_from_parts(self):
        u = URL.from_parts('http', 'w3af.com', '/foo/bar.txt', None, 'a=b',
                           'frag')

        self.assertEqual(u.path, '/foo/bar.txt')
        self.assertEqual(u.scheme, 'http')
        self.assertEqual(u.get_file_name(), 'bar.txt')
        self.assertEqual(u.get_extension(), 'txt')
Exemple #2
0
 def test_from_parts(self):
     u = URL.from_parts('http', 'w3af.com', '/foo/bar.txt', None, 'a=b',
                        'frag')
     
     self.assertEqual(u.path, '/foo/bar.txt')
     self.assertEqual(u.scheme, 'http')
     self.assertEqual(u.get_file_name(), 'bar.txt')
     self.assertEqual(u.get_extension(), 'txt')
Exemple #3
0
    def _create_file(self):
        """
        Create random name file php with random php content. To be used in the
        remote file inclusion test.

        :return: The file content to be served via the webserver.

        Please note that the generated code works both in PHP and JSP without
        any issues, since PHP will run everything between "<?" and "?>" and
        JSP will run code between "<%" and "%>".

        TODO: make this code compatible with: asp/aspx, jsp, js (nodejs), pl,
              py, rb, etc. Some code snippets that might help to achieve this
              task:

        asp_code = 'response.write("%s");\n response.write("%s");' % (
            rand1, rand2)
        asp_code = '<% \n '+asp_code+'\n %>'
        """
        with self._plugin_lock:
            # First, generate the php file to be included.
            rfi_result_part_1 = rand1 = self.RFI_TOKEN_1
            rfi_result_part_2 = rand2 = self.RFI_TOKEN_2
            rfi_result = rand1 + rand2

            filename = rand_alnum(8)
            php_jsp_code = '<?php echo "%(p1)s"; echo "%(p2)s"; ?>'
            php_jsp_code += '<? echo "%(p1)s"; echo "%(p2)s"; ?>'
            php_jsp_code += '<%% out.print("%(p1)s"); out.print("%(p2)s"); %%>'
            php_jsp_code = php_jsp_code % {
                'p1': rfi_result_part_1,
                'p2': rfi_result_part_2
            }

            # Define the required parameters
            netloc = self._listen_address + ':' + str(self._listen_port)
            path = '/' + filename
            rfi_url = URL.from_parts('http', netloc, path, None, None, None)

            rfi_data = RFIData(rfi_url, rfi_result_part_1, rfi_result_part_2,
                               rfi_result)

            return php_jsp_code, rfi_data
Exemple #4
0
    def _create_file(self):
        """
        Create random name file php with random php content. To be used in the
        remote file inclusion test.

        :return: The file content to be served via the webserver.

        Please note that the generated code works both in PHP and JSP without
        any issues, since PHP will run everything between "<?" and "?>" and
        JSP will run code between "<%" and "%>".

        TODO: make this code compatible with: asp/aspx, jsp, js (nodejs), pl,
              py, rb, etc. Some code snippets that might help to achieve this
              task:

        asp_code = 'response.write("%s");\n response.write("%s");' % (
            rand1, rand2)
        asp_code = '<% \n '+asp_code+'\n %>'
        """
        with self._plugin_lock:
            # First, generate the php file to be included.
            rfi_result_part_1 = rand1 = self.RFI_TOKEN_1
            rfi_result_part_2 = rand2 = self.RFI_TOKEN_2
            rfi_result = rand1 + rand2

            filename = rand_alnum(8)
            php_jsp_code = '<?php echo "%(p1)s"; echo "%(p2)s"; ?>'
            php_jsp_code += '<? echo "%(p1)s"; echo "%(p2)s"; ?>'
            php_jsp_code += '<%% out.print("%(p1)s"); out.print("%(p2)s"); %%>'
            php_jsp_code = php_jsp_code % {'p1': rfi_result_part_1,
                                           'p2': rfi_result_part_2}

            # Define the required parameters
            netloc = self._listen_address + ':' + str(self._listen_port)
            path = '/' + filename
            rfi_url = URL.from_parts('http', netloc, path, None, None, None)

            rfi_data = RFIData(rfi_url, rfi_result_part_1,
                               rfi_result_part_2, rfi_result)

            return php_jsp_code, rfi_data