def _with_time_delay(self, freq):
    """
    Test an URL for OS Commanding vulnerabilities using time delays.

    Every fuzzable parameter of ``freq`` is probed with each wait command
    returned by ``_get_wait_commands()``. The first command whose delay the
    ``ExactDelayController`` reports as controlled is stored as a HIGH
    severity vulnerability (including the OS and command separator that
    worked) and the parameter is not probed any further.

    :param freq: A FuzzableRequest
    """
    for mutant in create_mutants(freq, ['']):
        # Skip parameters for which a finding is already recorded
        if self._has_bug(mutant):
            continue

        for delay_obj in self._get_wait_commands():
            controller = ExactDelayController(mutant, delay_obj,
                                              self._uri_opener)
            controlled, responses = controller.delay_is_controlled()
            if not controlled:
                continue

            desc = 'OS Commanding was found at: %s' % mutant.found_at()
            response_ids = [r.id for r in responses]
            vuln = Vuln.from_mutant('OS commanding vulnerability', desc,
                                    severity.HIGH, response_ids,
                                    self.get_name(), mutant)
            vuln['os'] = delay_obj.get_OS()
            vuln['separator'] = delay_obj.get_separator()
            self.kb_append_uniq(self, 'os_commanding', vuln)

            # One controlled delay is enough evidence for this parameter
            break
def is_injectable(self, mutant):
    """
    Check if this mutant is delay injectable or not.

    Each delay object from ``_get_delays()`` is handed to an
    ``ExactDelayController``; the first one whose delay is reported as
    controlled produces a HIGH severity vulnerability, which is logged at
    debug level and returned.

    :param mutant: The mutant object to inject into
    :return: A vulnerability object or None if nothing is found
    """
    for delay_obj in self._get_delays():
        controller = ExactDelayController(mutant, delay_obj, self._uri_opener)
        controlled, responses = controller.delay_is_controlled()
        if not controlled:
            continue

        # The response time follows the injected delay, so the finding
        # is treated as confirmed rather than as a candidate
        desc = 'Blind SQL injection using time delays was found at: %s'
        desc = desc % mutant.found_at()
        response_ids = [r.id for r in responses]
        vuln = Vuln.from_mutant('Blind SQL injection vulnerability', desc,
                                severity.HIGH, response_ids, 'blind_sqli',
                                mutant)
        om.out.debug(vuln.get_desc())
        return vuln

    return None
def test_delay_controlled_random(self):
    """
    Run the TEST_SUITE scenarios with jittered response delays.

    ``generate_delays`` is given ``rand_range=(0, 2)`` (presumably adding a
    random offset to every measured delay). Under jitter the controller is
    allowed to miss a real delay, so a scenario expected to be controlled
    also accepts ``False``; a scenario expected NOT to be controlled must
    still never be reported as controlled. In other words: false negatives
    are tolerated, false positives are not.
    """
    for expected_result, delays in self.TEST_SUITE:
        mock_uri_opener = Mock()
        mock_uri_opener.send_mutant = MagicMock(
            side_effect=generate_delays(delays, rand_range=(0, 2)))

        url = URL('http://moth/?id=1')
        mutant = QSMutant(FuzzableRequest(url))
        mutant.set_dc(url.querystring)
        mutant.set_var('id', 0)

        delay_obj = ExactDelay('sleep(%s)')
        controller = ExactDelayController(mutant, delay_obj, mock_uri_opener)
        controlled, _responses = controller.delay_is_controlled()

        # Unlike test_delay_controlled, a "controlled" scenario may come
        # back False because of the jitter; a "not controlled" one may not
        # come back True.
        accepted = [True, False] if expected_result == True else [False]
        self.assertIn(controlled, accepted, delays)
def _with_time_delay(self, freq):
    """
    Test an URL for OS Commanding vulnerabilities using time delays.

    For each mutant built from ``freq`` (skipping those for which
    ``_has_bug`` already reports a finding) the wait commands from
    ``_get_wait_commands()`` are tried in order through an
    ``ExactDelayController``. On the first controlled delay a HIGH
    severity vulnerability carrying the responsible OS and separator is
    appended to the knowledge base and the remaining commands are skipped.

    :param freq: A FuzzableRequest
    """
    fake_mutants = create_mutants(freq, [''])

    for mutant in fake_mutants:
        if self._has_bug(mutant):
            continue

        for delay_obj in self._get_wait_commands():
            controller = ExactDelayController(mutant, delay_obj,
                                              self._uri_opener)
            success, responses = controller.delay_is_controlled()

            if success:
                self._report_os_commanding(mutant, delay_obj, responses)
                # Stop at the first wait command that works for this mutant
                break

def _report_os_commanding(self, mutant, delay_obj, responses):
    """
    Build the OS commanding vulnerability for ``mutant`` and store it.

    :param mutant: The mutant whose delay was controlled
    :param delay_obj: The wait command that produced the controlled delay
    :param responses: The HTTP responses observed while measuring
    """
    desc = 'OS Commanding was found at: %s' % mutant.found_at()
    response_ids = [r.id for r in responses]
    vuln = Vuln.from_mutant('OS commanding vulnerability', desc,
                            severity.HIGH, response_ids, self.get_name(),
                            mutant)
    vuln['os'] = delay_obj.get_OS()
    vuln['separator'] = delay_obj.get_separator()
    self.kb_append_uniq(self, 'os_commanding', vuln)
def is_injectable(self, mutant):
    """
    Check if this mutant is delay injectable or not.

    Walks the delays from ``_get_delays()`` and stops at the first one the
    ``ExactDelayController`` reports as controlled; that delay yields the
    returned HIGH severity vulnerability (also logged at debug level).

    :param mutant: The mutant object to inject into
    :return: A vulnerability object or None if nothing is found
    """
    for delay_obj in self._get_delays():
        controller = ExactDelayController(mutant, delay_obj, self._uri_opener)
        success, responses = controller.delay_is_controlled()

        if success:
            # The response time tracked the injected delay, so this is
            # reported as a confirmed finding
            desc = "Blind SQL injection using time delays was found at: %s"
            desc %= mutant.found_at()
            vuln = Vuln.from_mutant(
                "Blind SQL injection vulnerability",
                desc,
                severity.HIGH,
                [r.id for r in responses],
                "blind_sqli",
                mutant,
            )
            om.out.debug(vuln.get_desc())
            return vuln

    return None
def test_delay_controlled(self):
    """
    Run every TEST_SUITE scenario with exact (non-jittered) delays.

    For each scenario the URL opener is replaced by a mock whose
    ``send_mutant`` yields the scenario's delays, and the controller's
    verdict must match the scenario's expected result exactly.
    """
    for expected_result, delays in self.TEST_SUITE:
        mock_uri_opener = Mock()
        mock_uri_opener.send_mutant = MagicMock(
            side_effect=generate_delays(delays))

        url = URL('http://moth/?id=1')
        mutant = QSMutant(FuzzableRequest(url))
        mutant.set_dc(url.querystring)
        mutant.set_var('id', 0)

        controller = ExactDelayController(mutant, ExactDelay('sleep(%s)'),
                                          mock_uri_opener)
        controlled, _responses = controller.delay_is_controlled()

        # The delays are included in the failure message to identify the
        # scenario that broke
        self.assertEqual(expected_result, controlled, delays)
def _test_delay(self, mutant):
    """
    Try to delay the response and save a vulnerability if successful.

    Mutants that already have a recorded finding are left alone. Otherwise
    each wait object in ``WAIT_OBJ`` is tried through an
    ``ExactDelayController``; the first controlled delay is stored as a
    HIGH severity eval() input injection and no further wait objects are
    tried for this mutant.

    :param mutant: The mutant to inject the wait objects into
    """
    if self._has_bug(mutant):
        return

    for delay_obj in self.WAIT_OBJ:
        controller = ExactDelayController(mutant, delay_obj, self._uri_opener)
        controlled, responses = controller.delay_is_controlled()
        if not controlled:
            continue

        desc = 'eval() input injection was found at: %s' % mutant.found_at()
        response_ids = [r.id for r in responses]
        vuln = Vuln.from_mutant('eval() input injection vulnerability', desc,
                                severity.HIGH, response_ids,
                                self.get_name(), mutant)
        self.kb_append_uniq(self, 'eval', vuln)

        # A single controlled delay is enough; do not keep probing
        break