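def test_bad_file_descriptor_8125_local(self):
    """
    Fetch a fixed response from a local TLS server that answers with
    "Connection: close" and check that the body is read back intact.

    The server is started with a certificate file named invalid_cert.pem,
    so the body assertion only holds if the opener completes the handshake
    with it (presumably uri_opener does not reject untrusted certificates;
    confirm against the opener's settings).

    :see: https://github.com/andresriancho/w3af/issues/8125
    """
    port = get_unused_port()

    raw_http_response = ("HTTP/1.1 200 Ok\r\n"
                         "Connection: close\r\n"
                         "Content-Type: text/html\r\n"
                         "Content-Length: 3\r\n\r\nabc")
    certfile = os.path.join(ROOT_PATH, 'plugins', 'tests', 'audit', 'certs',
                            'invalid_cert.pem')

    s = SSLServer('localhost', port, certfile,
                  http_response=raw_http_response)
    s.start()

    # Stop the listener even when the request or the assertion fails, so a
    # failing run does not leave the TLS server bound to the port.
    try:
        body = 'abc'
        mock_url = 'https://localhost:%s/' % port
        url = URL(mock_url)

        http_response = self.uri_opener.GET(url, cache=False)
        self.assertEqual(body, http_response.body)
    finally:
        s.stop()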
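def test_bad_file_descriptor_8125_local(self):
    """
    8125 is basically an issue with the way HTTP SSL connections handle the
    Connection: Close header.

    A local TLS server returns a fixed three-byte body with
    "Connection: close"; the test checks the body and then the set of
    errors the server recorded. The server certificate comes from a file
    named invalid_cert.pem, so the request presumably relies on the opener
    not rejecting untrusted certificates (confirm).

    :see: https://github.com/andresriancho/w3af/issues/8125
    """
    raw_http_response = ('HTTP/1.1 200 Ok\r\n'
                         'Connection: close\r\n'
                         'Content-Type: text/html\r\n'
                         'Content-Length: 3\r\n\r\nabc')
    certfile = os.path.join(ROOT_PATH, 'plugins', 'tests', 'audit', 'certs',
                            'invalid_cert.pem')
    port = get_unused_port()

    s = SSLServer('localhost', port, certfile,
                  http_response=raw_http_response)
    s.start()

    # Always stop the server: without the finally, a failed request or a
    # failed body assertion would leave the listener running.
    try:
        body = 'abc'
        mock_url = 'https://localhost:%s/' % port
        url = URL(mock_url)

        http_response = self.uri_opener.GET(url, cache=False)
        self.assertEqual(body, http_response.body)
    finally:
        s.stop()

    # This error is expected, it's generated when the xurllib negotiates
    # the different SSL protocols with the server
    self.assertEqual({e.strerror for e in s.errors},
                     {'Bad file descriptor'})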
def test_spiderman_https(self):
    """Run generic_spiderman_run against the HTTPS moth target.

    The spider_man crawl plugin is configured with a free local port as its
    listen_port option.
    """
    port = get_unused_port()

    # Evaluated in the same order as the original literal: target first,
    # then the plugin configuration.
    target = get_moth_https()
    spider_man = PluginConfig("spider_man",
                              ("listen_port", port, PluginConfig.INT))

    run_config = {
        "target": target,
        "plugins": {"crawl": (spider_man,)},
    }

    self.generic_spiderman_run(run_config, get_moth_https, port)
def test_spiderman_https(self):
    """
    Build a run configuration with the spider_man crawl plugin listening on
    a free local port and hand it to generic_spiderman_run together with
    the HTTPS moth URL getter.
    """
    port = get_unused_port()

    run_config = dict()
    run_config['target'] = get_moth_https()

    listen_port_option = ('listen_port', port, PluginConfig.INT)
    crawl_plugins = (PluginConfig('spider_man', listen_port_option),)
    run_config['plugins'] = {'crawl': crawl_plugins}

    self.generic_spiderman_run(run_config, get_moth_https, port)
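def start_api():
    """
    Start the REST API server in 127.0.0.1 on any random port

    The credentials are fixed test values. Only the SHA-512 hex digest of
    the password is handed to w3af_api (``-p``); command-line arguments are
    usually readable by other local users through the process list.

    :return: * Process (so that I can kill() it later)
             * Port
             * URL
             * Auth tuple (user, password) accepted by the API
    :raises RuntimeError: When the child exits before answering, or when the
                          API does not answer within the polling window.
    """
    port = get_unused_port()

    w3af_api_path = os.path.abspath(os.path.join(ROOT_PATH, '..'))
    python_executable = sys.executable

    api_auth = ('admin', 'unittests')

    cmd = [python_executable,
           'w3af_api',
           '-p',
           sha512(api_auth[1]).hexdigest(),
           '127.0.0.1:%s' % port]

    # The child receives its own copy of the descriptor, so the parent's
    # handle is closed right after Popen returns instead of being leaked.
    with open(os.devnull, 'w') as dev_null:
        process = subprocess.Popen(cmd,
                                   stdout=dev_null,
                                   stderr=subprocess.STDOUT,
                                   preexec_fn=os.setsid,
                                   cwd=w3af_api_path)

    api_url = 'https://127.0.0.1:%s' % port

    # Now we wait until the API is ready to answer requests
    for _ in xrange(75):
        time.sleep(0.5)

        try:
            # verify=False switches certificate validation off for this
            # loopback request (presumably the API serves a self-signed
            # certificate); it gives no server authentication.
            response = requests.get(api_url, auth=api_auth, verify=False)
        except Exception:
            # Popen always sets pid, so a "pid is None" test can never fire;
            # poll() tells whether the child has really exited. Catching
            # Exception (not a bare except) lets Ctrl-C interrupt the wait.
            if process.poll() is not None:
                raise RuntimeError('Failed to start the REST API service')
        else:
            if response.status_code in (200, 404, 401):
                break
    else:
        # The caller never receives the handle on this path: stop the child
        # so no API instance with known test credentials is left listening.
        process.kill()
        raise RuntimeError('Timed out waiting for REST API service at %s' % api_url)

    return process, port, api_url, api_auth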
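def start_api():
    """
    Start the REST API server in 127.0.0.1 on any random port

    The user name and password are hard-coded test values; the password is
    passed to w3af_api as a SHA-512 hex digest on the command line (``-p``),
    where it can normally be read from the local process list.

    :return: * Process (so that I can kill() it later)
             * Port
             * URL
             * Auth tuple (user, password) accepted by the API
    :raises RuntimeError: If the child process exits before the API answers,
                          or if no accepted answer arrives in 75 attempts.
    """
    port = get_unused_port()
    api_auth = ('admin', 'unittests')

    w3af_api_path = os.path.abspath(os.path.join(ROOT_PATH, '..'))
    python_executable = sys.executable

    password_digest = sha512(api_auth[1]).hexdigest()
    cmd = [python_executable, 'w3af_api', '-p', password_digest,
           '127.0.0.1:%s' % port]

    # Close our handle on /dev/null once the child has inherited it; the
    # original left the file object open for the life of the test process.
    with open(os.devnull, 'w') as dev_null:
        process = subprocess.Popen(cmd,
                                   stdout=dev_null,
                                   stderr=subprocess.STDOUT,
                                   preexec_fn=os.setsid,
                                   cwd=w3af_api_path)

    api_url = 'https://127.0.0.1:%s' % port

    # Now we wait until the API is ready to answer requests
    for attempt in xrange(75):
        time.sleep(0.5)

        try:
            # Certificate validation is disabled (verify=False) for this
            # request to 127.0.0.1; the TLS peer is therefore not
            # authenticated.
            response = requests.get(api_url, auth=api_auth, verify=False)
        except Exception:
            # process.pid is set as soon as Popen succeeds, so testing it
            # for None was dead code. Ask the OS whether the child is gone
            # and fail right away when it is. KeyboardInterrupt/SystemExit
            # are no longer swallowed.
            if process.poll() is not None:
                raise RuntimeError('Failed to start the REST API service')
        else:
            if response.status_code in (200, 404, 401):
                break
    else:
        # Do not leave a half-started API with well-known test credentials
        # running when the caller gets an exception instead of the handle.
        process.kill()
        raise RuntimeError('Timed out waiting for REST API service at %s' % api_url)

    return process, port, api_url, api_auth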
class TestRFI(ExecExploitTest):
    """
    Exploit tests for the 'rfi' plugin against the rfi-rce.php page returned
    by get_php_moth_http (a test target, judging by the helper name).
    """

    target_url = get_php_moth_http('/audit/rfi/rfi-rce.php')

    # NOTE(review): the port is chosen once, when the class body executes;
    # nothing visible here keeps it reserved until the scan actually runs.
    unused_port = get_unused_port()

    _run_configs = {
        'cfg': {
            'target': target_url,
            'plugins': {
                'audit': (
                    PluginConfig(
                        'rfi',
                        ('use_w3af_site', False, PluginConfig.BOOL),
                        ('listen_port', unused_port, PluginConfig.INT)),
                ),
            }
        }
    }

    def test_found_exploit_rfi(self):
        """Scan the target, expect one RCE finding, then exploit it."""
        run_config = self._run_configs['cfg']
        scan_target = run_config['target'] + '?file=abc.txt'
        self._scan(scan_target, run_config['plugins'])

        # Assert the general results
        findings = self.kb.get('rfi', 'rfi')
        self.assertEquals(1, len(findings))

        finding = findings[0]
        self.assertEquals(finding.get_name(), 'Remote code execution')
        self.assertEquals(finding.get_url().url_string, self.target_url)

        self._exploit_vuln(finding.get_id(), 'rfi')

    def test_from_template(self):
        """Store a finding built from RFITemplate in the KB and exploit it."""
        template = RFITemplate()

        options = template.get_options()
        option_values = (
            ('url', self.target_url),
            ('data', 'file=abc.txt'),
            ('vulnerable_parameter', 'file'),
        )
        for option_name, option_value in option_values:
            options[option_name].set_value(option_value)
        template.set_options(options)

        template.store_in_kb()

        # The template reports where it stored the finding; take the first
        # entry found at that KB location.
        stored = self.kb.get(*template.get_kb_location())
        finding = stored[0]

        self._exploit_vuln(finding.get_id(), 'rfi')
def test_upload_file_mock(self):
    """
    Transfer an 8195-byte payload with ClientlessReverseHTTP, using local
    command execution (commands.getoutput) as the exec method and a free
    local port as the inbound port.
    """
    # commands.getoutput runs the given command line through the local
    # shell, so whatever ClientlessReverseHTTP asks to execute runs on the
    # machine running the tests.
    run_command = commands.getoutput
    # Named remote_os rather than "os" so the local does not shadow the
    # standard module name inside this test.
    remote_os = 'linux'

    create_temp_dir()
    for config_key, config_value in (('interface', 'lo'),
                                     ('local_ip_address', '127.0.0.1')):
        cf.cf.save(config_key, config_value)

    inbound_port = get_unused_port()
    echo_linux = ClientlessReverseHTTP(run_command, remote_os, inbound_port)

    self.assertTrue(echo_linux.can_transfer())

    file_len = 8195
    file_content = 'A' * file_len
    echo_linux.estimate_transfer_time(file_len)

    # Keep a reference to the temporary file object for the whole transfer;
    # only its name is handed to transfer(). The object is never closed
    # explicitly in this test.
    temp_file_inst = tempfile.NamedTemporaryFile()
    destination = temp_file_inst.name

    self.assertTrue(echo_linux.transfer(file_content, destination))
class TestRFI(PluginTest):
    """
    Detection tests for the 'rfi' audit plugin against the rfi-rce.php and
    rfi-read.php pages returned by get_php_moth_http, plus a check of the
    RFIWebHandler web server.
    """

    target_rce = get_php_moth_http('/audit/rfi/rfi-rce.php')
    target_read = get_php_moth_http('/audit/rfi/rfi-read.php')

    # NOTE(review): picked once when the class body executes and shared by
    # every configuration below; nothing visible here reserves the port.
    unused_port = get_unused_port()

    _run_configs = {
        # Plugin defaults: no use_w3af_site / listen_port override.
        'remote_rce': {
            'target': target_rce + '?file=abc.txt',
            'plugins': {
                'audit': (PluginConfig('rfi'),),
            }
        },

        'local_rce': {
            'target': target_rce + '?file=abc.txt',
            'plugins': {
                'audit': (
                    PluginConfig(
                        'rfi',
                        ('use_w3af_site', False, PluginConfig.BOOL),
                        ('listen_port', unused_port, PluginConfig.INT)),
                ),
            }
        },

        'local_read': {
            'target': target_read + '?file=abc.txt',
            'plugins': {
                'audit': (
                    PluginConfig(
                        'rfi',
                        ('use_w3af_site', False, PluginConfig.BOOL),
                        ('listen_port', unused_port, PluginConfig.INT)),
                ),
            }
        },

        # NOTE(review): configured exactly like 'local_read' (use_w3af_site
        # False plus listen_port), unlike 'remote_rce' which uses the plugin
        # defaults. Confirm this is intended.
        'remote_read': {
            'target': target_read + '?file=abc.txt',
            'plugins': {
                'audit': (
                    PluginConfig(
                        'rfi',
                        ('use_w3af_site', False, PluginConfig.BOOL),
                        ('listen_port', unused_port, PluginConfig.INT)),
                ),
            }
        }
    }

    def _scan_and_expect_single_finding(self, cfg_name, expected_name,
                                        expected_url):
        """Run the named configuration and check its single 'rfi' finding."""
        cfg = self._run_configs[cfg_name]
        self._scan(cfg['target'], cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('rfi', 'rfi')
        self.assertEquals(len(vulns), 1)

        vuln = vulns[0]
        self.assertEquals(expected_name, vuln.get_name())
        self.assertEquals(expected_url, vuln.get_url().url_string)

    def test_found_rfi_with_w3af_site(self):
        self._scan_and_expect_single_finding('remote_rce',
                                             "Remote code execution",
                                             self.target_rce)

    @attr('smoke')
    def test_found_rfi_with_local_server_rce(self):
        self._scan_and_expect_single_finding('local_rce',
                                             "Remote code execution",
                                             self.target_rce)

    def test_found_rfi_with_local_server_read(self):
        self._scan_and_expect_single_finding('local_read',
                                             "Remote file inclusion",
                                             self.target_read)

    def test_found_rfi_with_remote_server_read(self):
        self._scan_and_expect_single_finding('remote_read',
                                             "Remote file inclusion",
                                             self.target_read)

    def test_custom_web_server(self):
        """Two different paths on the RFIWebHandler server return the same body."""
        # Set on the handler class itself and not restored afterwards, so
        # the value stays in place for anything that uses RFIWebHandler
        # later in the same process.
        RFIWebHandler.RESPONSE_BODY = '<? echo "hello world"; ?>'

        # Bound to 127.0.0.1 with port 0; the actual port is read back from
        # the server once it reports that it has started.
        ws = HTTPServer(('127.0.0.1', 0), '.', RFIWebHandler)
        ws.wait_for_start()
        port = ws.get_port()

        # Daemon thread: this test never stops the server explicitly.
        server_thread = threading.Thread(target=ws.serve_forever,
                                         name='WebServer')
        server_thread.daemon = True
        server_thread.start()

        foobar_url = 'http://localhost:%s/foobar' % port
        spameggs_url = 'http://localhost:%s/spameggs' % port

        response_foobar = urllib2.urlopen(foobar_url).read()
        response_spameggs = urllib2.urlopen(spameggs_url).read()

        self.assertEqual(response_foobar, response_spameggs)
        self.assertEqual(response_foobar, RFIWebHandler.RESPONSE_BODY)