コード例 #1
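    def test_bad_file_descriptor_8125_local(self):
        """
        Regression test for issue 8125: fetch a three byte body from a local
        SSL server which answers with a "Connection: close" header.

        :see: https://github.com/andresriancho/w3af/issues/8125
        """
        port = get_unused_port()
        raw_http_response = "HTTP/1.1 200 Ok\r\n"\
                            "Connection: close\r\n"\
                            "Content-Type: text/html\r\n"\
                            "Content-Length: 3\r\n\r\nabc"
        # NOTE(review): the file name suggests a deliberately invalid
        # certificate. If so, this test only passes while uri_opener accepts
        # untrusted certificates -- confirm that is the intended behaviour.
        certfile = os.path.join(ROOT_PATH, 'plugins', 'tests', 'audit',
                                'certs', 'invalid_cert.pem')

        s = SSLServer('localhost',
                      port,
                      certfile,
                      http_response=raw_http_response)
        s.start()

        # Stop the server even when the request or the assertion fails, so a
        # failing run does not leave the test server running
        try:
            body = 'abc'
            mock_url = 'https://localhost:%s/' % port
            url = URL(mock_url)
            http_response = self.uri_opener.GET(url, cache=False)

            self.assertEqual(body, http_response.body)
        finally:
            s.stop()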
コード例 #2
ファイル: test_xurllib.py プロジェクト: 0x554simon/w3af
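    def test_bad_file_descriptor_8125_local(self):
        """
        8125 is basically an issue with the way HTTP SSL connections handle the
        Connection: Close header.

        The test fetches a three byte body from a local SSL server and then
        checks that the only errors the server recorded are
        'Bad file descriptor'.

        :see: https://github.com/andresriancho/w3af/issues/8125
        """
        raw_http_response = ('HTTP/1.1 200 Ok\r\n'
                             'Connection: close\r\n'
                             'Content-Type: text/html\r\n'
                             'Content-Length: 3\r\n\r\nabc')
        # NOTE(review): the file name suggests a deliberately invalid
        # certificate. If so, this test only passes while uri_opener accepts
        # untrusted certificates -- confirm that is the intended behaviour.
        certfile = os.path.join(ROOT_PATH, 'plugins', 'tests', 'audit',
                                'certs', 'invalid_cert.pem')
        port = get_unused_port()

        s = SSLServer('localhost', port, certfile,
                      http_response=raw_http_response)
        s.start()

        # Stop the server even when the request or the assertion fails, so a
        # failing run does not leave the test server running
        try:
            body = 'abc'
            mock_url = 'https://localhost:%s/' % port
            url = URL(mock_url)
            http_response = self.uri_opener.GET(url, cache=False)

            self.assertEqual(body, http_response.body)
        finally:
            s.stop()

        # This error is expected, it's generated when the xurllib negotiates
        # the different SSL protocols with the server
        self.assertEqual({e.strerror for e in s.errors},
                         {'Bad file descriptor'})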
コード例 #3
ファイル: test_xurllib.py プロジェクト: zcr214/w3af
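    def test_bad_file_descriptor_8125_local(self):
        """
        8125 is basically an issue with the way HTTP SSL connections handle the
        Connection: Close header.

        The test fetches a three byte body from a local SSL server and then
        checks that the only errors the server recorded are
        'Bad file descriptor'.

        :see: https://github.com/andresriancho/w3af/issues/8125
        """
        raw_http_response = ('HTTP/1.1 200 Ok\r\n'
                             'Connection: close\r\n'
                             'Content-Type: text/html\r\n'
                             'Content-Length: 3\r\n\r\nabc')
        # NOTE(review): the file name suggests a deliberately invalid
        # certificate. If so, this test only passes while uri_opener accepts
        # untrusted certificates -- confirm that is the intended behaviour.
        certfile = os.path.join(ROOT_PATH, 'plugins', 'tests', 'audit',
                                'certs', 'invalid_cert.pem')
        port = get_unused_port()

        s = SSLServer('localhost',
                      port,
                      certfile,
                      http_response=raw_http_response)
        s.start()

        # Stop the server even when the request or the assertion fails, so a
        # failing run does not leave the test server running
        try:
            body = 'abc'
            mock_url = 'https://localhost:%s/' % port
            url = URL(mock_url)
            http_response = self.uri_opener.GET(url, cache=False)

            self.assertEqual(body, http_response.body)
        finally:
            s.stop()

        # This error is expected, it's generated when the xurllib negotiates
        # the different SSL protocols with the server
        self.assertEqual({e.strerror for e in s.errors},
                         {'Bad file descriptor'})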
コード例 #4
ファイル: test_spider_man.py プロジェクト: ZionOps/w3af
    def test_spiderman_https(self):
        """
        Run the shared spider_man scenario against the HTTPS moth target,
        with the plugin listening on a port picked by get_unused_port().
        """
        listen_port = get_unused_port()

        # Same evaluation order as a single dict literal: target first, then
        # the plugin configuration
        target = get_moth_https()
        spider_man = PluginConfig('spider_man',
                                  ('listen_port', listen_port,
                                   PluginConfig.INT))
        run_config = {'target': target,
                      'plugins': {'crawl': (spider_man,)}}

        self.generic_spiderman_run(run_config, get_moth_https, listen_port)
コード例 #5
    def test_spiderman_https(self):
        """
        Run the shared spider_man scenario against the HTTPS moth target,
        with the plugin listening on a port picked by get_unused_port().
        """
        listen_port = get_unused_port()

        # Same evaluation order as a single dict literal: target first, then
        # the plugin configuration
        target = get_moth_https()
        listen_option = ('listen_port', listen_port, PluginConfig.INT)
        crawl_plugins = (PluginConfig('spider_man', listen_option),)

        run_config = {'target': target,
                      'plugins': {'crawl': crawl_plugins}}

        self.generic_spiderman_run(run_config, get_moth_https, listen_port)
コード例 #6
ファイル: test_spider_man.py プロジェクト: RON313/w3af
    def test_spiderman_https(self):
        """
        Run the shared spider_man scenario against the HTTPS moth target,
        with the plugin listening on a port picked by get_unused_port().
        """
        listen_port = get_unused_port()

        # Same evaluation order as a single dict literal: target first, then
        # the plugin configuration
        target = get_moth_https()
        listen_option = ('listen_port', listen_port, PluginConfig.INT)
        crawl_plugins = (PluginConfig('spider_man', listen_option),)

        run_config = {'target': target,
                      'plugins': {'crawl': crawl_plugins}}

        self.generic_spiderman_run(run_config, get_moth_https, listen_port)
コード例 #7
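def start_api():
    """
    Start the REST API server in 127.0.0.1 on any random port and wait until
    it answers HTTPS requests.

    :return: A tuple with:
        * Process (so that I can kill() it later)
        * Port
        * URL
        * Auth, the (user, password) tuple which was configured for the API
    :raises RuntimeError: When the API process exits before answering, or
                          when it does not answer before the polling loop
                          ends.
    """
    port = get_unused_port()

    w3af_api_path = os.path.abspath(os.path.join(ROOT_PATH, '..'))
    python_executable = sys.executable
    # Fixed credentials for the throw-away API instance started below
    api_auth = ('admin', 'unittests')

    # NOTE(review): the password hash is passed in argv, which other local
    # users can usually read from the process list. Fine for this fixed test
    # credential, do not copy the pattern for real passwords.
    cmd = [
        python_executable, 'w3af_api', '-p',
        sha512(api_auth[1]).hexdigest(),
        '127.0.0.1:%s' % port
    ]

    # The child gets its own copy of the descriptor, so the parent's handle
    # can be closed as soon as Popen() returns instead of being leaked
    with open(os.devnull, 'w') as dev_null:
        process = subprocess.Popen(cmd,
                                   stdout=dev_null,
                                   stderr=subprocess.STDOUT,
                                   preexec_fn=os.setsid,
                                   cwd=w3af_api_path)

    api_url = 'https://127.0.0.1:%s' % port

    # Now we wait until the API is ready to answer requests
    for i in xrange(75):
        time.sleep(0.5)

        try:
            # verify=False disables certificate validation; the request only
            # goes to the loopback address of the process started above.
            # NOTE(review): no timeout is set, a connection which is accepted
            # but never answered would block this loop.
            response = requests.get(api_url, auth=api_auth, verify=False)
        except Exception:
            # Connection errors are expected while the service starts.
            # Popen.pid is never None after a successful Popen(), poll() is
            # what tells us that the child has already exited.
            if process.poll() is not None and i > 25:
                raise RuntimeError('Failed to start the REST API service')
        else:
            if response.status_code in (200, 404, 401):
                break
    else:
        # The caller never receives the process handle on this path, stop
        # the child here instead of leaving it running
        if process.poll() is None:
            process.kill()

        raise RuntimeError('Timed out waiting for REST API service at %s' %
                           api_url)

    return process, port, api_url, api_auth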
コード例 #8
ファイル: api_process.py プロジェクト: everping/w3af
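def start_api():
    """
    Start the REST API server in 127.0.0.1 on any random port and wait until
    it answers HTTPS requests.

    :return: A tuple with:
        * Process (so that I can kill() it later)
        * Port
        * URL
        * Auth, the (user, password) tuple which was configured for the API
    :raises RuntimeError: When the API process exits before answering, or
                          when it does not answer before the polling loop
                          ends.
    """
    port = get_unused_port()

    w3af_api_path = os.path.abspath(os.path.join(ROOT_PATH, '..'))
    python_executable = sys.executable
    # Fixed credentials for the throw-away API instance started below
    api_auth = ('admin', 'unittests')

    # NOTE(review): the password hash is passed in argv, which other local
    # users can usually read from the process list. Fine for this fixed test
    # credential, do not copy the pattern for real passwords.
    cmd = [python_executable,
           'w3af_api',
           '-p',
           sha512(api_auth[1]).hexdigest(),
           '127.0.0.1:%s' % port]

    # The child gets its own copy of the descriptor, so the parent's handle
    # can be closed as soon as Popen() returns instead of being leaked
    with open(os.devnull, 'w') as dev_null:
        process = subprocess.Popen(cmd,
                                   stdout=dev_null,
                                   stderr=subprocess.STDOUT,
                                   preexec_fn=os.setsid,
                                   cwd=w3af_api_path)

    api_url = 'https://127.0.0.1:%s' % port

    # Now we wait until the API is ready to answer requests
    for i in xrange(75):
        time.sleep(0.5)

        try:
            # verify=False disables certificate validation; the request only
            # goes to the loopback address of the process started above.
            # NOTE(review): no timeout is set, a connection which is accepted
            # but never answered would block this loop.
            response = requests.get(api_url, auth=api_auth, verify=False)
        except Exception:
            # Connection errors are expected while the service starts.
            # Popen.pid is never None after a successful Popen(), poll() is
            # what tells us that the child has already exited.
            if process.poll() is not None and i > 25:
                raise RuntimeError('Failed to start the REST API service')
        else:
            if response.status_code in (200, 404, 401):
                break
    else:
        # The caller never receives the process handle on this path, stop
        # the child here instead of leaving it running
        if process.poll() is None:
            process.kill()

        raise RuntimeError('Timed out waiting for REST API service at %s' % api_url)

    return process, port, api_url, api_auth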
コード例 #9
ファイル: test_rfi.py プロジェクト: llcoolj1/w3af-kali
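class TestRFI(ExecExploitTest):
    """
    Scan the rfi-rce.php page of the PHP moth test application with the
    'rfi' audit plugin and pass the resulting finding to _exploit_vuln().
    """

    target_url = get_php_moth_http('/audit/rfi/rfi-rce.php')
    # Evaluated once, when the class body runs, and shared by all the tests
    # in the class.
    # NOTE(review): nothing visible here reserves the port between this call
    # and the moment the plugin listens on it -- confirm get_unused_port()
    # or the plugin copes with the port being taken in between.
    unused_port = get_unused_port()

    _run_configs = {
        'cfg': {
            'target': target_url,
            'plugins': {
                'audit': (PluginConfig('rfi',
                                       ('use_w3af_site', False, PluginConfig.BOOL),
                                       ('listen_port', unused_port, PluginConfig.INT)),),
            }
        }
    }

    def test_found_exploit_rfi(self):
        """
        Scan the target, expect exactly one 'Remote code execution' finding
        for the target URL and pass it to _exploit_vuln().
        """
        cfg = self._run_configs['cfg']
        self._scan(cfg['target'] + '?file=abc.txt', cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('rfi', 'rfi')
        # assertEqual instead of the deprecated assertEquals alias
        self.assertEqual(1, len(vulns))

        vuln = vulns[0]
        self.assertEqual(vuln.get_name(), 'Remote code execution')
        self.assertEqual(vuln.get_url().url_string, self.target_url)

        vuln_to_exploit_id = vuln.get_id()
        self._exploit_vuln(vuln_to_exploit_id, 'rfi')

    def test_from_template(self):
        """
        Store a finding built with RFITemplate in the knowledge base, without
        running a scan, and pass it to _exploit_vuln().
        """
        rfit = RFITemplate()

        options = rfit.get_options()
        options['url'].set_value(self.target_url)
        options['data'].set_value('file=abc.txt')
        options['vulnerable_parameter'].set_value('file')
        rfit.set_options(options)

        rfit.store_in_kb()
        vuln = self.kb.get(*rfit.get_kb_location())[0]
        vuln_to_exploit_id = vuln.get_id()

        self._exploit_vuln(vuln_to_exploit_id, 'rfi')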
コード例 #10
    def test_upload_file_mock(self):
        """
        Transfer an 8195 byte payload with ClientlessReverseHTTP, using
        commands.getoutput as the exec method, and expect transfer() to
        report success.
        """
        # commands.getoutput runs its argument in the local shell.
        # NOTE(review): presumably it stands in for the exec method of a
        # remote shell -- confirm against ClientlessReverseHTTP.
        run_command = commands.getoutput
        # Named target_os so the ``os`` module is not shadowed in this method
        target_os = 'linux'

        create_temp_dir()
        for key, value in (('interface', 'lo'),
                           ('local_ip_address', '127.0.0.1')):
            cf.cf.save(key, value)

        listen_port = get_unused_port()
        transfer_handler = ClientlessReverseHTTP(run_command, target_os,
                                                 listen_port)

        self.assertTrue(transfer_handler.can_transfer())

        payload_size = 8195
        payload = 'A' * payload_size
        # Return value is not checked, the call only has to complete
        transfer_handler.estimate_transfer_time(payload_size)

        # Kept in a local so the temporary file exists for the whole transfer
        destination = tempfile.NamedTemporaryFile()
        self.assertTrue(transfer_handler.transfer(payload, destination.name))
コード例 #11
    def test_upload_file_mock(self):
        """
        Transfer an 8195 byte payload with ClientlessReverseHTTP, using
        commands.getoutput as the exec method, and expect transfer() to
        report success.
        """
        # commands.getoutput runs its argument in the local shell.
        # NOTE(review): presumably it stands in for the exec method of a
        # remote shell -- confirm against ClientlessReverseHTTP.
        run_command = commands.getoutput
        # Named target_os so the ``os`` module is not shadowed in this method
        target_os = 'linux'

        create_temp_dir()
        for key, value in (('interface', 'lo'),
                           ('local_ip_address', '127.0.0.1')):
            cf.cf.save(key, value)

        listen_port = get_unused_port()
        transfer_handler = ClientlessReverseHTTP(run_command, target_os,
                                                 listen_port)

        self.assertTrue(transfer_handler.can_transfer())

        payload_size = 8195
        payload = 'A' * payload_size
        # Return value is not checked, the call only has to complete
        transfer_handler.estimate_transfer_time(payload_size)

        # Kept in a local so the temporary file exists for the whole transfer
        destination = tempfile.NamedTemporaryFile()
        self.assertTrue(transfer_handler.transfer(payload, destination.name))
コード例 #12
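    def test_bad_file_descriptor_8125_local(self):
        """
        Regression test for issue 8125: fetch a three byte body from a local
        SSL server which answers with a "Connection: close" header.

        :see: https://github.com/andresriancho/w3af/issues/8125
        """
        port = get_unused_port()
        raw_http_response = "HTTP/1.1 200 Ok\r\n"\
                            "Connection: close\r\n"\
                            "Content-Type: text/html\r\n"\
                            "Content-Length: 3\r\n\r\nabc"
        # NOTE(review): the file name suggests a deliberately invalid
        # certificate. If so, this test only passes while uri_opener accepts
        # untrusted certificates -- confirm that is the intended behaviour.
        certfile = os.path.join(ROOT_PATH, 'plugins', 'tests', 'audit',
                                'certs', 'invalid_cert.pem')

        s = SSLServer('localhost', port, certfile,
                      http_response=raw_http_response)
        s.start()

        # Stop the server even when the request or the assertion fails, so a
        # failing run does not leave the test server running
        try:
            body = 'abc'
            mock_url = 'https://localhost:%s/' % port
            url = URL(mock_url)
            http_response = self.uri_opener.GET(url, cache=False)

            self.assertEqual(body, http_response.body)
        finally:
            s.stop()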
コード例 #13
ファイル: test_rfi.py プロジェクト: webvul/webfuzzer
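class TestRFI(PluginTest):
    """
    Tests for the 'rfi' audit plugin against the rfi-rce.php and rfi-read.php
    pages of the PHP moth test application, plus a test for the web server
    built from RFIWebHandler.
    """
    target_rce = get_php_moth_http('/audit/rfi/rfi-rce.php')
    target_read = get_php_moth_http('/audit/rfi/rfi-read.php')
    # Evaluated once, when the class body runs, and shared by every run
    # configuration which sets listen_port.
    # NOTE(review): nothing visible here reserves the port between this call
    # and the moment the plugin listens on it -- confirm get_unused_port()
    # or the plugin copes with the port being taken in between.
    unused_port = get_unused_port()

    _run_configs = {
        # Plugin defaults
        'remote_rce': {
            'target': target_rce + '?file=abc.txt',
            'plugins': {
                'audit': (PluginConfig('rfi'), ),
            }
        },
        'local_rce': {
            'target': target_rce + '?file=abc.txt',
            'plugins': {
                'audit': (PluginConfig(
                    'rfi', ('use_w3af_site', False, PluginConfig.BOOL),
                    ('listen_port', unused_port, PluginConfig.INT)), ),
            }
        },
        'local_read': {
            'target': target_read + '?file=abc.txt',
            'plugins': {
                'audit': (PluginConfig(
                    'rfi', ('use_w3af_site', False, PluginConfig.BOOL),
                    ('listen_port', unused_port, PluginConfig.INT)), ),
            }
        },
        # NOTE(review): identical to 'local_read' (use_w3af_site is False),
        # while 'remote_rce' uses the plugin defaults. Looks like a
        # copy-paste; confirm whether the remote read case was meant to use
        # PluginConfig('rfi') too.
        'remote_read': {
            'target': target_read + '?file=abc.txt',
            'plugins': {
                'audit': (PluginConfig(
                    'rfi', ('use_w3af_site', False, PluginConfig.BOOL),
                    ('listen_port', unused_port, PluginConfig.INT)), ),
            }
        }
    }

    def _scan_and_assert_single_vuln(self, config_name, expected_name,
                                     expected_url):
        """
        Scan with the named run configuration and assert that the knowledge
        base holds exactly one ('rfi', 'rfi') finding with the expected name
        and URL.

        :param config_name: Key in _run_configs
        :param expected_name: Value expected from vuln.get_name()
        :param expected_url: Value expected from vuln.get_url().url_string
        """
        cfg = self._run_configs[config_name]
        self._scan(cfg['target'], cfg['plugins'])

        # Assert the general results
        vulns = self.kb.get('rfi', 'rfi')
        # assertEqual instead of the deprecated assertEquals alias
        self.assertEqual(len(vulns), 1)

        vuln = vulns[0]
        self.assertEqual(expected_name, vuln.get_name())
        self.assertEqual(expected_url, vuln.get_url().url_string)

    def test_found_rfi_with_w3af_site(self):
        """Plugin defaults find remote code execution in rfi-rce.php."""
        self._scan_and_assert_single_vuln('remote_rce',
                                          "Remote code execution",
                                          self.target_rce)

    @attr('smoke')
    def test_found_rfi_with_local_server_rce(self):
        """use_w3af_site=False finds remote code execution in rfi-rce.php."""
        self._scan_and_assert_single_vuln('local_rce',
                                          "Remote code execution",
                                          self.target_rce)

    def test_found_rfi_with_local_server_read(self):
        """use_w3af_site=False finds remote file inclusion in rfi-read.php."""
        self._scan_and_assert_single_vuln('local_read',
                                          "Remote file inclusion",
                                          self.target_read)

    def test_found_rfi_with_remote_server_read(self):
        """The 'remote_read' config finds remote file inclusion in rfi-read.php."""
        self._scan_and_assert_single_vuln('remote_read',
                                          "Remote file inclusion",
                                          self.target_read)

    def test_custom_web_server(self):
        """
        The server built from RFIWebHandler answers two different paths with
        the same body, which is RFIWebHandler.RESPONSE_BODY.
        """
        # NOTE(review): this overwrites a class attribute and never restores
        # it, so the value stays in place for whatever runs later in the same
        # process. The server is not stopped either, it lives in a daemon
        # thread until the process exits.
        RFIWebHandler.RESPONSE_BODY = '<? echo "hello world"; ?>'
        # Loopback only; the port is read back with get_port() below
        ws = HTTPServer(('127.0.0.1', 0), '.', RFIWebHandler)
        ws.wait_for_start()
        port = ws.get_port()

        server_thread = threading.Thread(target=ws.serve_forever)
        server_thread.name = 'WebServer'
        server_thread.daemon = True
        server_thread.start()

        foobar_url = 'http://localhost:%s/foobar' % port
        spameggs_url = 'http://localhost:%s/spameggs' % port

        response_foobar = urllib2.urlopen(foobar_url).read()
        response_spameggs = urllib2.urlopen(spameggs_url).read()

        self.assertEqual(response_foobar, response_spameggs)
        self.assertEqual(response_foobar, RFIWebHandler.RESPONSE_BODY)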