def _with_time_delay(self, freq):
'''
Tests an URL for OS Commanding vulnerabilities using time delays.
:param freq: A FuzzableRequest
'''
fake_mutants = create_mutants(freq, ['', ])
for mutant in fake_mutants:
if self._has_bug(mutant):
continue
for delay_obj in self._get_wait_commands():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
desc = 'OS Commanding was found at: %s' % mutant.found_at()
v = Vuln.from_mutant('OS commanding vulnerability', desc,
severity.HIGH, [r.id for r in responses],
self.get_name(), mutant)
v['os'] = delay_obj.get_OS()
v['separator'] = delay_obj.get_separator()
self.kb_append_uniq(self, 'os_commanding', v)
break
def is_injectable(self, mutant):
'''
Check if this mutant is delay injectable or not.
@mutant: The mutant object that I have to inject to
:return: A vulnerability object or None if nothing is found
'''
for delay_obj in self._get_delays():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
# Now I can be sure that I found a vuln, we control the response
# time with the delay
desc = 'Blind SQL injection using time delays was found at: %s'
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant('Blind SQL injection vulnerability', desc,
severity.HIGH, response_ids, 'blind_sqli',
mutant)
om.out.debug(v.get_desc())
return v
return None
def test_delay_controlled_random(self):
for expected_result, delays in self.TEST_SUITE:
mock_uri_opener = Mock()
side_effect = generate_delays(delays, rand_range=(0, 2))
mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
delay_obj = ExactDelay('sleep(%s)')
url = URL('http://moth/?id=1')
req = FuzzableRequest(url)
mutant = QSMutant(req)
mutant.set_dc(url.querystring)
mutant.set_var('id', 0)
ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
controlled, responses = ed.delay_is_controlled()
# This is where we change from test_delay_controlled, the basic
# idea is that we'll allow false negatives but no false positives
if expected_result == True:
expected_result = [True, False]
else:
expected_result = [
False,
]
self.assertIn(controlled, expected_result, delays)
def _with_time_delay(self, freq):
'''
Tests an URL for OS Commanding vulnerabilities using time delays.
:param freq: A FuzzableRequest
'''
fake_mutants = create_mutants(freq, [
'',
])
for mutant in fake_mutants:
if self._has_bug(mutant):
continue
for delay_obj in self._get_wait_commands():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
desc = 'OS Commanding was found at: %s' % mutant.found_at()
v = Vuln.from_mutant('OS commanding vulnerability', desc,
severity.HIGH,
[r.id for r in responses],
self.get_name(), mutant)
v['os'] = delay_obj.get_OS()
v['separator'] = delay_obj.get_separator()
self.kb_append_uniq(self, 'os_commanding', v)
break
def is_injectable(self, mutant):
"""
Check if this mutant is delay injectable or not.
@mutant: The mutant object that I have to inject to
:return: A vulnerability object or None if nothing is found
"""
for delay_obj in self._get_delays():
ed = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
# Now I can be sure that I found a vuln, we control the response
# time with the delay
desc = "Blind SQL injection using time delays was found at: %s"
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant(
"Blind SQL injection vulnerability", desc, severity.HIGH, response_ids, "blind_sqli", mutant
)
om.out.debug(v.get_desc())
return v
return None
def test_delay_controlled(self):
for expected_result, delays in self.TEST_SUITE:
mock_uri_opener = Mock()
side_effect = generate_delays(delays)
mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
delay_obj = ExactDelay('sleep(%s)')
url = URL('http://moth/?id=1')
req = FuzzableRequest(url)
mutant = QSMutant(req)
mutant.set_dc(url.querystring)
mutant.set_var('id', 0)
ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
controlled, responses = ed.delay_is_controlled()
self.assertEqual(expected_result, controlled, delays)
def _test_delay(self, mutant):
'''
Try to delay the response and save a vulnerability if successful
'''
if self._has_bug(mutant):
return
for delay_obj in self.WAIT_OBJ:
ed_inst = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed_inst.delay_is_controlled()
if success:
desc = 'eval() input injection was found at: %s'
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant('eval() input injection vulnerability',
desc, severity.HIGH, response_ids,
self.get_name(), mutant)
self.kb_append_uniq(self, 'eval', v)
break
def _test_delay(self, mutant):
'''
Try to delay the response and save a vulnerability if successful
'''
if self._has_bug(mutant):
return
for delay_obj in self.WAIT_OBJ:
ed_inst = ExactDelayController(mutant, delay_obj, self._uri_opener)
success, responses = ed_inst.delay_is_controlled()
if success:
desc = 'eval() input injection was found at: %s'
desc = desc % mutant.found_at()
response_ids = [r.id for r in responses]
v = Vuln.from_mutant('eval() input injection vulnerability',
desc, severity.HIGH, response_ids,
self.get_name(), mutant)
self.kb_append_uniq(self, 'eval', v)
break
