def check(self, request):
    """Probe the site root for exposed listing/backup files.

    Every combination of a configured base name and extension is requested
    with HEAD against ``request.url.site``; a candidate counts as a finding
    when the lower-cased Content-Type header value is one of
    ``self.__content_types``. Each site is probed only once per instance
    (tracked in ``self.__checked_sites``).

    Returns the list of ``Vulnerability`` objects found (possibly empty).
    """
    site = request.url.site
    if site in self.__checked_sites:
        return []
    self.__checked_sites.add(site)

    accepted_types = self.__content_types
    curl = Curl()
    found = []
    for name, ext in product(self.__file_names, self.__file_exts):
        candidate = urljoin(site, '%s%s' % (name, ext))
        response = curl.head(candidate)
        logger.debug('check result: %s, %s', candidate, response)
        # NOTE(review): the header value is compared whole, so a server
        # answering 'text/plain; charset=utf-8' will not match a bare
        # 'text/plain' entry -- confirm __content_types accounts for that.
        ctype = response.headers.get('content-type', '').lower()
        if ctype not in accepted_types:
            continue
        vul = Vulnerability(self.NAME, self.RANK, candidate, 'HEAD')
        logger.info(vul)
        found.append(vul)
    return found
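def check(self, request):
    """Probe for editor swap files and backup copies of the requested file.

    For every configured extension a candidate URL is derived from
    ``request.url.url``:

    * ``.swp`` -- a vim swap file ``.<filename>.swp`` in the same directory,
      checked with HEAD and accepted when the lower-cased Content-Type is in
      ``self.__content_types``;
    * anything else -- the extension is appended to the URL and fetched with
      GET, accepted only when the response is OK, is not a soft-404 and its
      body matches the regex registered for the file's extension in
      ``self.__target_files``.

    Each URL is probed only once per instance (``self.__checked_urls``), and
    files whose extension has no registered pattern are skipped.

    Returns the list of ``Vulnerability`` objects found (possibly empty).
    """
    rt_list = []
    url = request.url.url
    if url in self.__checked_urls:
        return rt_list
    self.__checked_urls.add(url)

    file_exts = self.__file_exts
    target_files = self.__target_files
    content_types = self.__content_types
    filename = request.url.filename
    fileext = request.url.fileext
    pattern = target_files.get(fileext)
    if not filename or pattern is None:
        return []

    # Directory of the requested resource *with* a trailing slash. urljoin
    # resolves relative references RFC 3986-style and drops the last path
    # segment when the base has none: urljoin('http://h/a/dir', '.f.swp')
    # gives 'http://h/.f.swp', so the swap-file probe previously hit the wrong
    # directory for any URL nested below the site root.
    # NOTE(review): assumes url carries no query string (the non-.swp branch
    # appends the extension directly) -- confirm with request.url.
    dir_url = url.rpartition('/')[0] + '/'

    curl = Curl()
    for ext in file_exts:
        if ext == '.swp':
            bak_filename = '.{0}{1}'.format(filename, ext)
            bak_url = urljoin(dir_url, bak_filename)
            response = curl.head(bak_url)
            logger.debug('check result: %s, %s', bak_url, response)
            content_type = response.headers.get('content-type', '').lower()
            if content_type in content_types:
                vul = Vulnerability(self.NAME, self.RANK, bak_url, 'HEAD')
                logger.info(vul)
                rt_list.append(vul)
        else:
            bak_url = '{0}{1}'.format(url, ext)
            response = curl.get(bak_url)
            logger.debug('check result: %s, %s', bak_url, response)
            # Content match is required: a 200 alone is not proof, many hosts
            # answer every path with a generic page.
            if response.is_ok and not Page404().is_404(response) \
                    and re.search(pattern, response.body, re.I):
                vul = Vulnerability(self.NAME, self.RANK, bak_url, 'GET')
                logger.info(vul)
                rt_list.append(vul)
    return rt_list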
def __init__(self):
    """Index ``FEATURES`` by the request path they apply to.

    Each entry of ``FEATURES`` is a sequence whose last element is a mapping;
    its optional ``'path'`` key (default ``'/'``) selects the bucket the entry
    is appended to, preserving the original order within a bucket. A single
    ``Curl`` instance is created for later requests.
    """
    by_path = {}
    for feature in FEATURES:
        target_path = feature[-1].get('path', '/')
        if target_path not in by_path:
            by_path[target_path] = []
        by_path[target_path].append(feature)
    self.__features = by_path
    self.__curl = Curl()
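def check(self, request):
    """Boolean-based blind injection probe for one request.

    For every ``(param, poc_true, poc_false)`` triple produced by
    ``self.__get_playloads`` the target is requested with the original
    parameters (baseline), with the "true" payload and with the "false"
    payload. GET requests send them as query parameters, everything else as
    a POST body. A parameter is reported when:

    * the true/false bodies are not identical,
    * their Simhash distance is at least ``self.__distance``, and
    * the baseline body is also at least ``self.__distance`` bits away from
      the true-payload body.

    Parameters listed in ``self.__white_params`` are skipped.

    Returns the list of ``Vulnerability`` objects found (possibly empty).
    """
    distance = self.__distance
    white_params = self.__white_params
    curl = Curl()

    if request.method == 'GET':
        key = 'params'
        callback = curl.get
        params = request.params
    else:
        key = 'data'
        callback = curl.post
        params = request.data

    playloads = self.__get_playloads(params)
    rt_list = []

    # The baseline request does not depend on the payload, so it is issued
    # once -- on the first payload actually probed -- instead of once per
    # payload as before. Same verdict logic, fewer requests against the target.
    response = None
    for name, poc_true, poc_false in playloads:
        if name in white_params:
            continue

        if response is None:
            response = callback(request.url, **{key: params})
            logger.debug('check result: %s, %s, %s, %s', request.url, key, params, response)

        response_true = callback(request.url, **{key: poc_true})
        logger.debug('check result: %s, %s, %s, %s', request.url, key, poc_true, response_true)
        response_false = callback(request.url, **{key: poc_false})
        logger.debug('check result: %s, %s, %s, %s', request.url, key, poc_false, response_false)

        # Identical bodies: the payload had no observable effect.
        if response_true.body == response_false.body:
            continue
        # Too similar: treat as dynamic-content noise rather than injection.
        if Simhash(response_true.body).distance(Simhash(response_false.body)) < distance:
            continue
        # NOTE(review): the baseline is required to diverge from the TRUE
        # payload body; conventional boolean-blind logic expects TRUE to
        # resemble the baseline and FALSE to diverge. Confirm this matches the
        # semantics of the payloads produced by __get_playloads.
        if Simhash(response.body).distance(Simhash(response_true.body)) < distance:
            continue

        vul = Vulnerability(self.NAME, self.RANK, request.url.url, request.method, name, poc_true)
        logger.info(vul)
        rt_list.append(vul)
    return rt_list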
def check(self, request):
    """Reflected-XSS probe for one request.

    Each ``(param, poc, pattern)`` triple from ``self.__get_playloads`` is sent
    to the target -- as query parameters for GET, as a POST body otherwise --
    and a finding is recorded when the response body is non-empty and matches
    ``pattern`` case-insensitively. Parameters listed in
    ``self.__white_params`` are skipped.

    Returns the list of ``Vulnerability`` objects found (possibly empty).
    """
    # Read for parity with the original implementation; not used below.
    xss_key = self.__xss_key
    white_params = self.__white_params
    curl = Curl()

    is_get = request.method == 'GET'
    key = 'params' if is_get else 'data'
    callback = curl.get if is_get else curl.post
    params = request.params if is_get else request.data

    found = []
    for name, poc, pattern in self.__get_playloads(params):
        if name in white_params:
            continue
        response = callback(request.url, **{key: poc})
        logger.debug('check result: %s, %s, %s, %s', request.url, key, poc, response)
        body = response.body
        if not body:
            continue
        # The pattern is the reflection marker for this payload; no match
        # means the input was not echoed (or was encoded on the way out).
        if re.search(pattern, body, re.I) is None:
            continue
        vul = Vulnerability(self.NAME, self.RANK, request.url.url, request.method, name, poc)
        logger.info(vul)
        found.append(vul)
    return found