def _fingerprint_URLScan(self, fuzzableRequest): ''' Try to verify if URLScan is installed or not. ''' # detect using GET # Get the original response originalResponse = self._uri_opener.GET( fuzzableRequest.getURL(), cache=True ) if originalResponse.getCode() != 404: # Now add the if header and try again headers = fuzzableRequest.getHeaders() headers['If'] = createRandAlpha(8) if_response = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers, cache=True ) headers = fuzzableRequest.getHeaders() headers['Translate'] = createRandAlpha(8) translate_response = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers, cache=True ) headers = fuzzableRequest.getHeaders() headers['Lock-Token'] = createRandAlpha(8) lock_response = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers, cache=True ) headers = fuzzableRequest.getHeaders() headers['Transfer-Encoding'] = createRandAlpha(8) transfer_enc_response = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers, cache=True ) if if_response.getCode() == 404 or translate_response.getCode() == 404 or\ lock_response.getCode() == 404 or transfer_enc_response.getCode() == 404: self._report_finding('URLScan', lock_response)
def _verifyVuln( self, vuln ): ''' This command verifies a vuln. This is really hard work! @return : True if vuln can be exploited. ''' # The vuln was saved to the kb as: # kb.kb.append( self, 'osCommanding', v ) exploitDc = vuln.getDc() # Define a test command: rand = createRandAlpha( 8 ) if vuln['os'] == 'windows': command = vuln['separator'] + 'echo ' + rand # TODO: Confirm that this works in windows rand = rand + '\n\n' else: command = vuln['separator'] + '/bin/echo ' + rand rand = rand + '\n' # Lets define the result header and footer. functionReference = getattr( self._uri_opener , vuln.getMethod() ) exploitDc[vuln.getVar()] = command try: response = functionReference( vuln.getURL(), str(exploitDc) ) except w3afException, e: om.out.error( str(e) ) return False
def _verifyVuln( self, vuln ): ''' This command verifies a vuln. This is really hard work! @return : True if vuln can be exploited. ''' # The vuln was saved to the kb as: # kb.kb.append( self, 'osCommanding', v ) exploitDc = vuln.getDc() if exploitDc is None: om.out.error('You hitted bug #1948260. Please report how to reproduce it here:') bug_URL = 'https://sourceforge.net/tracker/index.php?func=detail&aid=1948260' bug_URL += '&group_id=170274&atid=853652' om.out.error( bug_URL ) # Define a test command: rand = createRandAlpha( 8 ) if vuln['os'] == 'windows': command = vuln['separator'] + 'echo ' + rand # TODO: Confirm that this works in windows rand = rand + '\n\n' else: command = vuln['separator'] + '/bin/echo ' + rand rand = rand + '\n' # Lets define the result header and footer. functionReference = getattr( self._urlOpener , vuln.getMethod() ) exploitDc[vuln.getVar()] = command try: response = functionReference( vuln.getURL(), str(exploitDc) ) except w3afException, e: om.out.error( str(e) ) return False
def __init__(self): baseAuditPlugin.__init__(self) # Create some random strings, which the plugin will use. # for the fuzz_with_echo self._rnd = createRandAlpha(5) # User configured parameters self._use_time_delay = True self._use_echo = True
def __init__(self): baseAuditPlugin.__init__(self) #Create some random strings, which the plugin will use. # for the fuzz_with_echo self._rnd1 = createRandAlpha(5) self._rnd2 = createRandAlpha(5) self._rndn = self._rnd1 + self._rnd2 # And now for the fuzz_with_time_delay # The wait time of the unfuzzed request self._original_wait_time = 0 # The wait time of the first test I'm going to perform self._wait_time = 4 # The wait time of the second test I'm going to perform (this one is just to be sure!) self._second_wait_time = 9 # User configured parameters self._use_time_delay = True self._use_echo = True
def _get_string_list(self): """ @return: This method returns a list of strings that could overflow a buffer. """ strings = [] lengths = [65, 257, 513, 1025, 2049] ### TODO !! if lengths = [ 65 , 257 , 513 , 1025, 2049, 4097, 8000 ] ### then i get a badStatusLine exception from urllib2, is seems to be a internal error. ### tested against tomcat 5.5.7 for i in lengths: strings.append(createRandAlpha(i)) return strings
def _fingerprint_SecureIIS(self, fuzzableRequest): ''' Try to verify if SecureIIS is installed or not. ''' # And now a final check for SecureIIS headers = fuzzableRequest.getHeaders() headers['Transfer-Encoding'] = createRandAlpha(1024 + 1) try: lock_response2 = self._uri_opener.GET( fuzzableRequest.getURL(), headers=headers, cache=True ) except w3afException, w3: om.out.debug('Failed to identify secure IIS, exception: ' + str(w3) )
def _PUT(self, domain_path): """ Tests PUT method. """ # upload url = domain_path.urlJoin(createRandAlpha(5)) rndContent = createRandAlNum(6) put_response = self._urlOpener.PUT(url, data=rndContent) # check if uploaded res = self._urlOpener.GET(url, useCache=True) if res.getBody() == rndContent: v = vuln.vuln() v.setPluginName(self.getName()) v.setURL(url) v.setId([put_response.id, res.id]) v.setSeverity(severity.HIGH) v.setName("Insecure DAV configuration") v.setMethod("PUT") msg = 'File upload with HTTP PUT method was found at resource: "' + domain_path + '".' msg += ' A test file was uploaded to: "' + res.getURL() + '".' v.setDesc(msg) kb.kb.append(self, "dav", v) # Report some common errors elif put_response.getCode() == 500: i = info.info() i.setPluginName(self.getName()) i.setURL(url) i.setId(res.id) i.setName("DAV incorrect configuration") i.setMethod("PUT") msg = "DAV seems to be incorrectly configured. The web server answered with a 500" msg += " error code. In most cases, this means that the DAV extension failed in" msg += ' some way. This error was found at: "' + put_response.getURL() + '".' i.setDesc(msg) kb.kb.append(self, "dav", i) # Report some common errors elif put_response.getCode() == 403: i = info.info() i.setPluginName(self.getName()) i.setURL(url) i.setId([put_response.id, res.id]) i.setName("DAV insufficient privileges") i.setMethod("PUT") msg = "DAV seems to be correctly configured and allowing you to use the PUT method" msg += " but the directory does not have the correct permissions that would allow" msg += ' the web server to write to it. This error was found at: "' msg += put_response.getURL() + '".' i.setDesc(msg) kb.kb.append(self, "dav", i)
def _verifyVuln( self, vuln_obj ): ''' This command verifies a vuln. This is really hard work! :P @return : True if vuln can be exploited. ''' # Create the shell filename = createRandAlpha( 7 ) extension = vuln_obj.getURL().getExtension() # I get a list of tuples with file_content and extension to use shell_list = shell_handler.get_webshells( extension ) for file_content, real_extension in shell_list: if extension == '': extension = real_extension om.out.debug('Uploading shell with extension: "'+extension+'".' ) # Upload the shell url_to_upload = vuln_obj.getURL().urlJoin( filename + '.' + extension ) om.out.debug('Uploading file: ' + url_to_upload ) self._urlOpener.PUT( url_to_upload, data=file_content ) # Verify if I can execute commands # All w3af shells, when invoked with a blank command, return a # specific value in the response: # shell_handler.SHELL_IDENTIFIER exploit_url = url_object( url_to_upload + '?cmd=' ) response = self._urlOpener.GET( exploit_url ) if shell_handler.SHELL_IDENTIFIER in response.getBody(): msg = 'The uploaded shell returned the SHELL_IDENTIFIER: "' msg += shell_handler.SHELL_IDENTIFIER + '".' om.out.debug( msg ) self._exploit_url = exploit_url return True else: msg = 'The uploaded shell with extension: "' + extension msg += '" DIDN\'T returned what we expected, it returned: ' + response.getBody() om.out.debug( msg ) extension = ''
def getDrameStrings(self, kind): ''' Gets a list of strings to test against the web app. @return: A list with all drame strings to test. Example: [ '\'','\'\''] ''' drame_strings = [] if kind == "reject": drame_strings.append(createRandAlpha(5)) #drame_strings.append(createRandAlpha(5)) elif kind == "error": #drame_strings.append("d'z\"0") drame_strings.append("' or '1'=PLOOP") #drame_strings.append("#") elif kind == "injection": drame_strings.append("' or '1'='1") #drame_strings.append("' or '1'='1' #") return drame_strings
def audit(self, freq ): ''' Searches for file upload vulns using a POST to author.dll. @param freq: A fuzzableRequest ''' # Set some value domain_path = urlParser.getDomainPath( freq.getURL() ) # Start if self._stop_on_first and kb.kb.getData('frontpage', 'frontpage'): # Nothing to do, I have found vuln(s) and I should stop on first msg = 'Not verifying if I can upload files to: "' + domain_path + '" using author.dll' msg += '. Because I already found one vulnerability.' om.out.debug(msg) else: # I haven't found any vulns yet, OR i'm trying to find every # directory where I can write a file. if domain_path not in self._already_tested: om.out.debug( 'frontpage plugin is testing: ' + freq.getURL() ) self._already_tested.add( domain_path ) # Find a file that doesn't exist found404 = False for i in xrange(3): randFile = createRandAlpha( 5 ) + '.html' randPathFile = urlParser.urlJoin(domain_path, randFile) res = self._urlOpener.GET( randPathFile ) if is_404( res ): found404 = True break if found404: upload_id = self._upload_file( domain_path, randFile ) self._verify_upload( domain_path, randFile, upload_id ) else: msg = 'frontpage plugin failed to find a 404 page. This is mostly because of an' msg += ' error in 404 page detection.' om.out.error(msg)
/es/ga.js/google-analytics.com/google-analytics.com/ga.js/ /es/ga.js/google-analytics.com/google-analytics.com/ /es/ga.js/google-analytics.com/google-analytics.com/google-analytics.com/ga.js /ga.js/google-analytics.com/google-analytics.com/ga.js /services/google-analytics.com/google-analytics.com/ /services/google-analytics.com/google-analytics.com/google-analytics.com/ga.js /es/ga.js/google-analytics.com/ga.js/google-analytics.com/ga.js/ /ga.js/google-analytics.com/ga.js/google-analytics.com/ga.js/ /ga.js/google-analytics.com/ga.js/google-analytics.com/ /ga.js/google-analytics.com/ga.js/google-analytics.com/google-analytics.com/ga.js ''' filename = reference.getFileName() if filename: new_reference = reference.copy() new_reference.setFileName( createRandAlpha(3) + filename ) check_response = self._urlOpener.GET( new_reference, useCache=True, headers= headers) resp_body = resp.getBody() check_resp_body = check_response.getBody() if relative_distance_ge(resp_body, check_resp_body, IS_EQUAL_RATIO): # If they are equal, then they are both a 404 (or something invalid) #om.out.debug( reference + ' was broken!') return else: # The URL was possibly_broken, but after testing we found out that # it was not, so not we use it!