def init(self, out_stream, url, proxy=None,g_stopEvent=None, maxbitRate=0):
try:
self.init_done=False
self.init_url=url
self.clientHeader=None
self.status='init'
self.proxy = proxy
self.maxbitRate=maxbitRate
if self.proxy and len(self.proxy)==0:
self.proxy=None
self.out_stream=out_stream
self.g_stopEvent=g_stopEvent
if '|' in url:
sp = url.split('|')
url = sp[0]
self.clientHeader = sp[1]
if PY3:
self.clientHeader= urllib.parse.parse_qsl(self.clientHeader)
else:
self.clientHeader= urlparse.parse_qsl(self.clientHeader)
#print 'header recieved now url and headers are',url, self.clientHeader
self.status='init done'
self.url=url
return True
#return self.downloadInternal(testurl=True)
#os.remove(self.outputfile)
except:
traceback.print_exc()
self.status='finished'
return False
def build_request(request):
url = urlparse(request.url)
ret = dict(
method = request.method,
url = request.url,
httpVersion = 'HTTP/1.1',
headers = build_headers(request.headers),
queryString = [
{'name': n, 'value': v} for n, v in\
parse_qsl(url.query)],
cookies = [
{'name': n, 'value': v} for n, v in \
parse_qsl(request.headers.get('cookie', ''))],
headersSize = -1,
bodySize = len(request.body) if request.body else 0,
)
if request.body:
ret['postData'] = dict(
mimeType = request.headers.get('content-type'),
text = request.body,
)
if ret['postData']['mimeType'] == 'application/x-www-form-urlencoded':
ret['postData']['params'] = [
{'name': n, 'value': v} for n, v in \
urlparse.parse_qsl(request.body)]
try:
_ = json.dumps(ret['postData']['params'])
except UnicodeDecodeError:
logger.error('params encoding error')
del ret['postData']['params']
return ret
def build_request(en):
url = urlparse(en['request']['url'])
request = dict(
method = en['request']['method'],
url = en['request']['url'],
httpVersion = 'HTTP/1.1',
headers = [
{'name': x['name'], 'value': x['value'], 'checked': True} for x in\
en['request'].get('headers', [])],
queryString = [
{'name': n, 'value': v} for n, v in\
parse_qsl(url.query)],
cookies = [
{'name': x['name'], 'value': x['value'], 'checked': True} for x in\
en['request'].get('cookies', [])],
headersSize = -1,
bodySize = len(en['request'].get('data')) if en['request'].get('data') else 0,
)
if en['request'].get('data'):
request['postData'] = dict(
mimeType = en['request'].get('mimeType'),
text = en['request'].get('data'),
)
if en['request'].get('mimeType') == 'application/x-www-form-urlencoded':
params = [{'name': x[0], 'value': x[1]} \
for x in urlparse.parse_qsl(en['request']['data'], True)]
request['postData']['params'] = params
return request
def make_job_desc_url(self, job_post_id):
url_parts = list(urlparse.urlparse(self.url))
query = dict(urlparse.parse_qsl(url_parts[4]))
query.update({'postid': job_post_id})
url_parts[4] = urlencode(query)
return urlparse.urlunparse(url_parts)
def http_post(url, cookie_file='', postData={}, data=''):
try:
if (data != ''):
postData = dict(urlparse.parse_qsl(data))
net = Net(cookie_file=cookie_file)
return net.http_POST(url, postData).content
except URLError:
return ''
def do_POST(self):
from urllib.parse import urlparse, parse_qsl
url = urlparse(self.path)
fields = OrderedDict(parse_qsl(url.query))
length = int(self.headers.getheader('content-length'))
field_data = self.rfile.read(length)
fields.update(urlparse.parse_qsl(field_data))
self.dispatch(url, fields)
def do_POST(self):
from urllib.parse import urlparse, parse_qsl
url = urlparse(self.path)
fields = OrderedDict(parse_qsl(url.query))
length = int(self.headers.getheader('content-length'))
field_data = self.rfile.read(length)
fields.update(urlparse.parse_qsl(field_data))
self.dispatch(url, fields)
def add_url_params(url, new_params, concat=True, unique=True):
if isinstance(new_params, dict):
new_params = [(k, v) for k, v in new_params.iteritems()]
url_parts = list(urlparse.urlparse(url))
params = urlparse.parse_qsl(url_parts[4])
params = new_params if not concat else params + new_params
if unique:
params = dict(params)
url_parts[4] = urllib.urlencode(params)
return urlparse.urlunparse(url_parts)
def parse_qs(qs, keep_blank_values=0, strict_parsing=0, keep_attr_order=True):
"""
Kind of like urlparse.parse_qs, except returns an ordered dict.
Also avoids replicating that function's bad habit of overriding the
built-in 'dict' type.
Taken from below with modification:
<https://bitbucket.org/btubbs/thumpy/raw/8cdece404f15/thumpy.py>
"""
od = DefaultOrderedDict(list) if keep_attr_order else defaultdict(list)
for name, value in urlparse.parse_qsl(qs, keep_blank_values, strict_parsing):
od[name].append(value)
return od
def parse_qs(qs, keep_blank_values=0, strict_parsing=0, keep_attr_order=True):
"""
Kind of like urlparse.parse_qs, except returns an ordered dict.
Also avoids replicating that function's bad habit of overriding the
built-in 'dict' type.
Taken from below with modification:
<https://bitbucket.org/btubbs/thumpy/raw/8cdece404f15/thumpy.py>
"""
od = DefaultOrderedDict(list) if keep_attr_order else defaultdict(list)
for name, value in urlparse.parse_qsl(qs, keep_blank_values,
strict_parsing):
od[name].append(value)
return od
def init(self,
out_stream,
url,
proxy=None,
use_proxy_for_chunks=True,
g_stopEvent=None,
maxbitrate=0,
auth=''):
global clientHeader, gproxy, gauth
try:
self.init_done = False
self.init_url = url
clientHeader = None
self.status = 'init'
self.proxy = proxy
self.auth = auth
if self.auth == None or self.auth == 'None' or self.auth == '':
self.auth = None
if self.auth:
gauth = self.auth
if self.proxy and len(self.proxy) == 0:
self.proxy = None
gproxy = self.proxy
self.use_proxy_for_chunks = use_proxy_for_chunks
self.out_stream = out_stream
self.g_stopEvent = g_stopEvent
self.maxbitrate = maxbitrate
if '|' in url:
sp = url.split('|')
url = sp[0]
clientHeader = sp[1]
print(clientHeader)
if PY3:
clientHeader = urllib.parse.parse_qsl(clientHeader)
else:
clientHeader = urlparse.parse_qsl(clientHeader)
print('header recieved now url and headers are', url,
clientHeader)
self.status = 'init done'
self.url = url
return self.preDownoload()
except:
traceback.print_exc()
self.status = 'finished'
return False
def check_request(self,
request,
method,
params=None,
data=None,
headers=None):
self.assertEqual(request.method, method)
if params is not None:
url = urlparse.urlparse(request.url)
qs = urlparse.parse_qsl(url.query)
self.assertEqual(dict(qs), params)
if headers is not None:
for key, value in headers.items():
self.assertEqual(request.headers[key], value)
if data is None:
self.assertEqual(request.body, None)
else:
self.assertEqual(json.loads(request.body), data)
def build_ics_urls(ics_url):
google_calendar_url_base = 'http://www.google.com/calendar/render?cid='
# Parse the URL into [scheme, netloc, path, params, query, fragment]
parsed_ics_url = list(urlparse.urlparse(ics_url))
if parsed_ics_url[0] != 'https':
parsed_ics_url[0] = 'http'
ics_url_http = urlparse.urlunparse(parsed_ics_url)
parsed_ics_url[0] = 'webcal'
ics_url_webcal = urlparse.urlunparse(parsed_ics_url)
parsed_google_url = list(urlparse.urlparse(google_calendar_url_base))
parsed_google_url[4] = dict(urlparse.parse_qsl(parsed_google_url[4]))
parsed_google_url[4]['cid'] = ics_url_webcal
parsed_google_url[4] = urllib.urlencode(parsed_google_url[4])
ics_url_google = urlparse.urlunparse(parsed_google_url)
return ics_url_http, ics_url_webcal, ics_url_google
def get_oauth_url(self):
""" Returns the URL with OAuth params """
params = {}
if "?" in self.url:
url = self.url[: self.url.find("?")]
for key, value in urlparse.parse_qsl(urlparse.urlparse(self.url).query):
params[key] = value
else:
url = self.url
params["oauth_consumer_key"] = self.consumer_key
params["oauth_timestamp"] = int(time())
params["oauth_nonce"] = HMAC(str(time() + randint(0, 99999)).encode(), "secret".encode(), sha1).hexdigest()
params["oauth_signature_method"] = "HMAC-SHA256"
params["oauth_signature"] = self.generate_oauth_signature(params, url)
query_string = urlencode(params)
return "%s?%s" % (url, query_string)
def read_url_post(url):
'''Transform a JSON contained in a file into an equivalent
nested python dict.
Parameters
----------
url : string
where to get the json.
Returns
-------
dict
Python version of the input
Note: if the input is a bare array or literal, for example,
the output will be of the corresponding type.
'''
urlp = urlparse.urlparse(url)
main_url = urlparse.urlunsplit(
(urlp.scheme, urlp.netloc, urlp.path, '', ''))
data = json.dumps(dict(urlparse.parse_qsl(urlp.query)))
handler = urllib_request.HTTPHandler()
opener = urllib_request.build_opener(handler)
request = urllib_request.Request(main_url, data)
request.add_header("Content-Type", 'application/json')
request.get_method = lambda: 'POST'
try:
response = opener.open(request)
except Exception as e:
response = e
if response.code == 200:
json_string = response.read()
else:
json_string = response.read()
return json.loads(json_string)
def read_url_post(url):
'''Transform a JSON contained in a file into an equivalent
nested python dict.
Parameters
----------
url : string
where to get the json.
Returns
-------
dict
Python version of the input
Note: if the input is a bare array or literal, for example,
the output will be of the corresponding type.
'''
urlp = urlparse.urlparse(url)
main_url = urlparse.urlunsplit(
(urlp.scheme, urlp.netloc, urlp.path, '', ''))
data = json.dumps(dict(urlparse.parse_qsl(urlp.query)))
handler = urllib_request.HTTPHandler()
opener = urllib_request.build_opener(handler)
request = urllib_request.Request(main_url, data)
request.add_header("Content-Type", 'application/json')
request.get_method = lambda: 'POST'
try:
response = opener.open(request)
except Exception as e:
response = e
if response.code == 200:
json_string = response.read()
else:
json_string = response.read()
return json.loads(json_string)
def parameterarrange(payload):
parsedurl = urlparse.urlparse(host)
parameters = urlparse.parse_qsl(parsedurl.query,
keep_blank_values=True)
parameternames = []
parametervalues = []
for m in parameters:
parameternames.append(m[0])
parametervalues.append(m[1])
for n in parameters:
try:
print("Checking '%s' parameter") % n[0]
index = parameternames.index(n[0])
original = parametervalues[index]
parametervalues[index] = payload
return urllib.urlencode(
dict(zip(parameternames, parametervalues)))
parametervalues[index] = original
except (KeyError):
pass
def get_oauth_url(self):
""" Returns the URL with OAuth params """
params = {}
if "?" in self.url:
url = self.url[:self.url.find("?")]
for key, value in urlparse.parse_qsl(
urlparse.urlparse(self.url).query):
params[key] = value
else:
url = self.url
params["oauth_consumer_key"] = self.consumer_key
params["oauth_timestamp"] = int(time())
params["oauth_nonce"] = HMAC(
str(time() + randint(0, 99999)).encode(), "secret".encode(),
sha1).hexdigest()
params["oauth_signature_method"] = "HMAC-SHA256"
params["oauth_signature"] = self.generate_oauth_signature(params, url)
query_string = urlencode(params)
return "%s?%s" % (url, query_string)
def connect(request):
consumer_key = '279983135533947'
consumer_secret = '9ff237e023f95b524274adef3af1ea21'
redirect_uri = 'https://fbsentiments.azurewebsites.net/status/authorize'
request_token_url = 'https://www.facebook.com/dialog/oauth?client_id=' + consumer_key
+ '&redirect_uri=' + redirect_uri
+ '&scope=user_posts'
access_token_url = 'https://graph.facebook.com/v2.3/oauth/access_token?client_id=' + consumer_key
+ '&redirect_uri=' + redirect_uri
+ '&client_secret=' + consumer_secret
+ '&code='#{code-parameter}
#authorize_url = 'https://api.twitter.com/oauth/authorize'
#Authorization URL: https://www.facebook.com/dialog/oauth (the scopes that can be specified with this URL, can be found here)
consumer = oauth.Consumer(consumer_key, consumer_secret)
client = oauth.Client(consumer)
# Step 1: Get a request token. This is a temporary token that is used for
# having the user authorize an access token and to sign the request to obtain
# said access token.
resp, content = client.request(request_token_url, "GET")
#OJO: revisar error code (cuando sepa el formato)
#https://developers.facebook.com/docs/graph-api/using-graph-api/#errors
#if resp['status'] != '200':
#raise Exception("Invalid response %s." % resp['status'])
request_token = dict(urlparse.parse_qsl(content))
#print "Request Token:"
#print " - oauth_token = %s" % request_token['oauth_token'] #Ver nombre en documentación de facebook.
#print " - oauth_token_secret = %s" % request_token['oauth_token_secret']
#print
return HttpResponse("Hello, world. You're at the polls index.")
if resp['status'] != '401':
raise Exception("Should have no access!")
consumer = oauth.Consumer(consumer_key, consumer_secret)
client = oauth.Client(consumer)
client.set_signature_method(SignatureMethod_RSA_SHA1())
# Step 1: Get a request token. This is a temporary token that is used for
# having the user authorize an access token and to sign the request to obtain
# said access token.
resp, content = client.request(request_token_url, "POST")
if resp['status'] != '200':
raise Exception("Invalid response %s: %s" % (resp['status'], content))
request_token = dict(urlparse.parse_qsl(content))
print "Request Token:"
print " - oauth_token = %s" % request_token['oauth_token']
print " - oauth_token_secret = %s" % request_token['oauth_token_secret']
print
# Step 2: Redirect to the provider. Since this is a CLI script we do not
# redirect. In a web application you would redirect the user to the URL
# below.
print "Go to the following link in your browser:"
print "%s?oauth_token=%s" % (authorize_url, request_token['oauth_token'])
print
# After the user has granted access to you, the consumer, the provider will
def get_url_params(url, unique=True):
url_parts = list(urlparse.urlparse(url))
params = urlparse.parse_qsl(url_parts[4])
if unique:
params = dict(params)
return params
def application(self, environ, start_response):
# Require a query string and a recognized content type.
writer_conf = None
path_info = environ.get('PATH_INFO')
if path_info == '/json':
writer_conf = 'json'
content_type = 'application/json'
elif path_info == '/manager':
writer_conf = 'manager'
content_type = 'text/html'
elif path_info == '/mxml':
writer_conf = 'mxml'
content_type = 'text/html'
elif path_info == '/rawman':
writer_conf = 'rawman'
content_type = 'text/plain'
query_string = environ.get('QUERY_STRING')
if writer_conf is None or query_string is None:
start_response("404 Not found", [])
return
# Recover the session client or create a new one.
cookie = Cookie.SimpleCookie(environ.get('HTTP_COOKIE'))
try:
session = cookie['mansession_id'].value
except KeyError:
client = None
else:
client = self.active_sessions.get(session)
if client is None:
session = '%.8x' % random.randint(0, (1 << 32) - 1)
if 'REMOTE_ADDR' in environ and 'REMOTE_PORT' in environ:
suffix = ('-web-%s:%s' %
(environ['REMOTE_ADDR'], environ['REMOTE_PORT']))
else:
suffix = '-web-' + session
client = Client(suffix=suffix)
self.active_sessions[session] = client
writer = Writer(suffix=suffix, timeout=idle_client_timeout)
client.configure(self.config, writer)
# Plumber so the results return to the original requester.
fragments = []
client.writer.set_write(fragments.append)
client.writer.configure(writer_conf)
# Trigger the action by sending the request to the client.
start_response(
"200 OK", [('Content-type', content_type),
('Cache-Control', 'no-cache, no-store'),
('Set-Cookie',
'mansession_id="%s"; Version=1; Max_Age=60' % session),
('Pragma', 'SuppressEvents')])
ami_message = AMI_Message()
for key, value in urlparse.parse_qsl(query_string):
ami_message[key] = value
# Login actions from the Web should have "Events: off" forced!
if ami_message.get_lower('Action') == 'login':
ami_message['Events'] = 'off'
client.process_ami_message(ami_message)
# Collect and return the results.
yield ''.join(fragments)
if resp['status'] != '401':
raise Exception("Should have no access!")
consumer = oauth.Consumer(consumer_key, consumer_secret)
client = oauth.Client(consumer)
client.set_signature_method(SignatureMethod_RSA_SHA1())
# Step 1: Get a request token. This is a temporary token that is used for
# having the user authorize an access token and to sign the request to obtain
# said access token.
resp, content = client.request(request_token_url, "POST")
if resp['status'] != '200':
raise Exception("Invalid response %s: %s" % (resp['status'], content))
request_token = dict(urlparse.parse_qsl(content))
print "Request Token:"
print " - oauth_token = %s" % request_token['oauth_token']
print " - oauth_token_secret = %s" % request_token['oauth_token_secret']
print
# Step 2: Redirect to the provider. Since this is a CLI script we do not
# redirect. In a web application you would redirect the user to the URL
# below.
print "Go to the following link in your browser:"
print "%s?oauth_token=%s" % (authorize_url, request_token['oauth_token'])
print
# After the user has granted access to you, the consumer, the provider will
def SQLIscan(site):
print("[+] [ SQLI ] Scanner Started...\n")
vuln = []
payloads = {'2': '"', '1': '\''}
errors = {
'MySQL': 'You have an error in your SQL syntax;',
'Oracle': 'SQL command not properly ended',
'MSSQL': 'Unclosed quotation mark after the character string',
'PostgreSQL': 'syntax error at or near'
}
path = urlparse.urlparse(site).scheme + "://" + urlparse.urlparse(
site).netloc + urlparse.urlparse(site).path
parsedurl = urlparse.urlparse(host)
parameters = urlparse.parse_qsl(parsedurl.query,
keep_blank_values=True)
parameternames = []
parametervalues = []
for m in parameters:
parameternames.append(m[0])
parametervalues.append(m[1])
for n in parameters:
found = 0
print("[+] Checking '%s' parameter") % n[0]
try:
for i in payloads:
pay = payloads[i]
index = parameternames.index(n[0])
original = parametervalues[index]
parametervalues[index] = pay
modifiedurl = urllib.urlencode(
dict(zip(parameternames, parametervalues)))
parametervalues[index] = original
modifiedparams = modifiedurl
payload = urllib.quote_plus(payloads[i])
u = urllib.urlopen(path + "?" + modifiedparams)
source = u.read()
#print ("[+] Checking HTML Context...")
for i in errors:
if errors[i] in source: #htmlcode[0].contents[0]:
dbfound = " | Back-End Database: " + green + str(
i) + reset
found = 1
break
if found != 1:
break
except (KeyError):
pass
if found == 1:
print("[!] " + red + "SQL Injection Vulnerability Found!" +
reset)
print(dbfound)
vuln.append("'" + n[0] + "'")
found = 0
if len(vuln) != 0:
print(" | Vulnerable Parameter/s:"),
for i in vuln:
print(i),
else:
print("[!] Not Vulnerable")
def _manage_images_on_page(self, page_node, data_node, exported_resources):
"""
- Extract images from page and generate an xml node
- Replace db id in url with xml id
"""
img_model = 'ir.attachment'
urls = self.img_url_map.bind("dummy.org", "/")
for img_elem in page_node.iter('img'):
img_src = img_elem.get('src')
parse_result = urlparse.urlparse(img_src)
path = parse_result.path
query_args = parse_result.query
if urls.test(parse_result.path, "GET"):
endpoint, kwargs = urls.match(path,
"GET",
query_args=query_args)
kwargs.update(dict(urlparse.parse_qsl(query_args)))
image = None
# get the binary object
xml_id = kwargs.get('xmlid')
if xml_id:
image = self.env.ref(xml_id, False)
else:
_id = kwargs.get('id')
model = kwargs.get('model', 'ir.attachment')
if _id and model:
_id, _, unique = str(_id).partition('_')
image = self.env[model].browse(int(_id))
if (not image or not image.exists()
or image._name != img_model):
raise exceptions.UserError(
_('Only images from ir.attachment are supported when '
'exporting help pages'))
exported_data = image.export_data([
'id', 'datas', 'datas_fname', 'name', 'res_model',
'mimetype'
],
raw_data=False)['datas'][0]
xml_id = exported_data[0]
new_src = '/web/image/%s' % xml_id
img_elem.attrib['src'] = new_src
if xml_id in exported_resources:
continue
img_node = ET.SubElement(data_node,
'record',
attrib={
'id': xml_id,
'model': image._name
})
field_node = ET.SubElement(img_node,
'field',
attrib={'name': 'datas'})
field_node.text = str(exported_data[1])
field_node = ET.SubElement(img_node,
'field',
attrib={'name': 'datas_fname'})
field_node.text = exported_data[2]
field_node = ET.SubElement(img_node,
'field',
attrib={'name': 'name'})
field_node.text = exported_data[3]
field_node = ET.SubElement(img_node,
'field',
attrib={'name': 'res_model'})
field_node.text = exported_data[4]
field_node = ET.SubElement(img_node,
'field',
attrib={'name': 'mimetype'})
field_node.text = exported_data[5]
data_node.append(img_node)
exported_resources.add(xml_id)
def XSSscan(site):
print("[+] [ XSS ] Scanner Started...")
vuln = []
payloads = {
'3': 'd4rk();"\'\\/}{d4rk',
'2': 'd4rk</script><script>alert(1)</script>d4rk',
'1': '<d4rk>'
}
path = urlparse.urlparse(site).scheme + "://" + urlparse.urlparse(
site).netloc + urlparse.urlparse(site).path
parsedurl = urlparse.urlparse(host)
parameters = urlparse.parse_qsl(parsedurl.query,
keep_blank_values=True)
parameternames = []
parametervalues = []
for m in parameters:
parameternames.append(m[0])
parametervalues.append(m[1])
for n in parameters:
found = 0
print(" | Checking '%s' parameter") % n[0]
try:
for i in payloads:
pay = payloads[i]
index = parameternames.index(n[0])
original = parametervalues[index]
parametervalues[index] = pay
modifiedurl = urllib.urlencode(
dict(zip(parameternames, parametervalues)))
parametervalues[index] = original
modifiedparams = modifiedurl
payload = urllib.quote_plus(payloads[i])
u = urllib.urlopen(path + "?" + modifiedparams)
source = u.read()
code = BeautifulSoup(source)
if str(i) == str(1):
#print ("[+] Checking HTML Context...")
if payloads[i] in source: #htmlcode[0].contents[0]:
#print("[+] XSS Vulnerability Found.")
found = 1
script = code.findAll('script')
if str(i) == str(3) or str(i) == str(2):
#print("[+] Checking JS Context...")
if str(i) == str(3):
#JS Context
for p in range(len(script)):
try:
if pay in script[p].contents[0]:
#print("[+] XSS Vulnerability Found")
found = 1
except (IndexError):
pass
if str(i) == str(2):
if payloads['2'] in source:
# print("[+] XSS Vulnerability Found")
found = 1
except (KeyError):
pass
if found == 1:
vuln.append("'" + n[0] + "'")
found = 0
if len(vuln) != 0:
print("[!] " + red + "Vulnerable Parameter/s:" + reset),
for i in vuln:
print(boldred + i + reset),
else:
print("[!] Not Vulnerable")
