def test_delay_controlled_random(self):
for expected_result, delays in self.TEST_SUITE:
print delays
mock_uri_opener = Mock()
side_effect = generate_delays(delays, rand_range=(0, 2))
mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
delay_obj = ExactDelay('sleep(%s)')
url = URL('http://moth/?id=1')
req = FuzzableRequest(url)
mutant = QSMutant(req)
mutant.set_dc(url.querystring)
mutant.set_var('id', 0)
ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
controlled, responses = ed.delay_is_controlled()
# This is where we change from test_delay_controlled, the basic
# idea is that we'll allow false negatives but no false positives
if expected_result == True:
expected_result = [True, False]
else:
expected_result = [
False,
]
self.assertIn(controlled, expected_result, delays)
def _with_time_delay(self, freq):
"""
Tests an URL for OS Commanding vulnerabilities using time delays.
:param freq: A FuzzableRequest
"""
fake_mutants = create_mutants(freq, [
'',
])
for mutant in fake_mutants:
if self._has_bug(mutant):
continue
for delay_obj in self._get_wait_commands():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
desc = 'OS Commanding was found at: %s' % mutant.found_at()
v = Vuln.from_mutant('OS commanding vulnerability', desc,
severity.HIGH,
[r.id for r in responses],
self.get_name(), mutant)
v['os'] = delay_obj.get_OS()
v['separator'] = delay_obj.get_separator()
self.kb_append_uniq(self, 'os_commanding', v)
break
def is_injectable(self, mutant):
"""
Check if this mutant is delay injectable or not.
@mutant: The mutant object that I have to inject to
:return: A vulnerability object or None if nothing is found
"""
for delay_obj in self._get_delays():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
# Now I can be sure that I found a vuln, we control the response
# time with the delay
desc = 'Blind SQL injection using time delays was found at: %s'
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant('Blind SQL injection vulnerability', desc,
severity.HIGH, response_ids, 'blind_sqli',
mutant)
om.out.debug(v.get_desc())
return v
return None
def _with_time_delay(self, freq):
"""
Tests an URL for OS Commanding vulnerabilities using time delays.
:param freq: A FuzzableRequest
"""
fake_mutants = create_mutants(freq, ['', ])
for mutant in fake_mutants:
if self._has_bug(mutant):
continue
for delay_obj in self._get_wait_commands():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
desc = 'OS Commanding was found at: %s' % mutant.found_at()
v = Vuln.from_mutant('OS commanding vulnerability', desc,
severity.HIGH, [r.id for r in responses],
self.get_name(), mutant)
v['os'] = delay_obj.get_OS()
v['separator'] = delay_obj.get_separator()
self.kb_append_uniq(self, 'os_commanding', v)
break
def is_injectable(self, mutant):
"""
Check if this mutant is delay injectable or not.
@mutant: The mutant object that I have to inject to
:return: A vulnerability object or None if nothing is found
"""
for delay_obj in self._get_delays():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
# Now I can be sure that I found a vuln, we control the response
# time with the delay
desc = 'Blind SQL injection using time delays was found at: %s'
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant('Blind SQL injection vulnerability', desc,
severity.HIGH, response_ids, 'blind_sqli',
mutant)
om.out.debug(v.get_desc())
return v
return None
def _with_time_delay(self, freq):
"""
Tests an URLs for shell shock vulnerabilities using time delays.
:param freq: A FuzzableRequest
:return: True if a vulnerability was found
"""
mutant = self.create_mutant(freq, TEST_HEADER)
for delay_obj in self.DELAY_TESTS:
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
mutant.set_token_value(delay_obj.get_string_for_delay(3))
desc = u"Shell shock was found at: %s" % mutant.found_at()
v = Vuln.from_mutant(
u"Shell shock vulnerability",
desc,
severity.HIGH,
[r.id for r in responses],
self.get_name(),
mutant,
)
self.kb_append_uniq(self, "shell_shock", v)
return True
def test_delay_controlled_random(self):
for expected_result, delays in self.TEST_SUITE:
print delays
mock_uri_opener = Mock()
side_effect = generate_delays(delays, rand_range=(0,2))
mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
delay_obj = ExactDelay('sleep(%s)')
url = URL('http://moth/?id=1')
req = FuzzableRequest(url)
mutant = QSMutant(req)
mutant.set_dc(url.querystring)
mutant.set_var('id', 0)
ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
controlled, responses = ed.delay_is_controlled()
# This is where we change from test_delay_controlled, the basic
# idea is that we'll allow false negatives but no false positives
if expected_result == True:
expected_result = [True, False]
else:
expected_result = [False,]
self.assertIn(controlled, expected_result, delays)
def test_delay_controlled(self):
for expected_result, delays in self.TEST_SUITE:
mock_uri_opener = Mock()
side_effect = generate_delays(delays)
mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
delay_obj = ExactDelay('sleep(%s)')
url = URL('http://moth/?id=1')
req = FuzzableRequest(url)
mutant = QSMutant(req)
mutant.set_dc(url.querystring)
mutant.set_token(('id', 0))
ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
controlled, responses = ed.delay_is_controlled()
self.assertEqual(expected_result, controlled, delays)
def test_delay_controlled(self):
for expected_result, delays in self.TEST_SUITE:
mock_uri_opener = Mock()
side_effect = generate_delays(delays)
mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
delay_obj = ExactDelay('sleep(%s)')
url = URL('http://moth/?id=1')
req = FuzzableRequest(url)
mutant = QSMutant(req)
mutant.set_dc(url.querystring)
mutant.set_token(('id', 0))
ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
controlled, responses = ed.delay_is_controlled()
self.assertEqual(expected_result, controlled, delays)
def _with_time_delay(self, freq):
"""
Tests an URLs for shell shock vulnerabilities using time delays.
:param freq: A FuzzableRequest
:return: True if a vulnerability was found
"""
mutant = self.create_mutant(freq, TEST_HEADER)
for delay_obj in self.DELAY_TESTS:
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
mutant.set_token_value(delay_obj.get_string_for_delay(3))
desc = u'Shell shock was found at: %s' % mutant.found_at()
v = Vuln.from_mutant(u'Shell shock vulnerability', desc,
severity.HIGH, [r.id for r in responses],
self.get_name(), mutant)
self.kb_append_uniq(self, 'shell_shock', v)
return True
def _test_delay(self, mutant):
"""
Try to delay the response and save a vulnerability if successful
"""
if self._has_bug(mutant):
return
for delay_obj in self.WAIT_OBJ:
ed_inst = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed_inst.delay_is_controlled()
if success:
desc = 'eval() input injection was found at: %s'
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant('eval() input injection vulnerability',
desc, severity.HIGH, response_ids,
self.get_name(), mutant)
self.kb_append_uniq(self, 'eval', v)
break
def _test_delay(self, mutant):
"""
Try to delay the response and save a vulnerability if successful
"""
if self._has_bug(mutant):
return
for delay_obj in self.WAIT_OBJ:
ed_inst = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed_inst.delay_is_controlled()
if success:
desc = 'eval() input injection was found at: %s'
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant('eval() input injection vulnerability',
desc, severity.HIGH, response_ids,
self.get_name(), mutant)
self.kb_append_uniq(self, 'eval', v)
break
yield language, json.loads(json_str)
def _find_delay_in_mutant(self, (mutant, delay_obj), debugging_id=None):
"""
Try to delay the response and save a vulnerability if successful
:param mutant: The mutant to modify and test
:param delay_obj: The delay to use
:param debugging_id: The debugging ID for logging
"""
if self._has_bug(mutant):
return
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
ed.set_debugging_id(debugging_id)
success, responses = ed.delay_is_controlled()
if not success:
return
desc = 'Insecure deserialization vulnerability was found at: %s'
desc %= mutant.found_at()
v = Vuln.from_mutant('Insecure deserialization', desc,
severity.HIGH, [r.id for r in responses],
self.get_name(), mutant)
self.kb_append_uniq(self, 'deserialization', v)
def get_plugin_deps(self):
return ['grep.serialized_object']
