예제 #1
0
def detect_accepted_sources(http_helper, url, data, headers, param_name,
                            param_source, param_value, method):
    requests = []
    new_url = url
    new_data = data
    new_headers = headers.copy()
    sources = ['URL', 'DATA', 'COOKIE', 'HEADER']
    for source in sources:
        new_url = url
        new_data = data
        new_headers = headers.copy()
        if source is "URL":
            new_url = HTTPHelper.add_url_param(url, param_name, param_value)
        elif source is "DATA":
            new_data = HTTPHelper.add_body_param(data, param_name, param_value)
        elif source is "COOKIE":
            new_headers = HTTPHelper.add_cookie_param(new_headers, param_name,
                                                      param_value)
        elif source is "HEADER":
            new_headers = HTTPHelper.add_cookie_param(new_headers, param_name,
                                                      param_value)

        request = http_helper.create_http_request(method, new_url, new_data,
                                                  new_headers)
        requests.append(request)
    return requests
예제 #2
0
def detect_accepted_sources(http_helper, url, data, headers, param_name,
                            param_source, param_value, method):
    requests = []
    new_url = url
    new_data = data
    new_headers = headers.copy()
    sources = ['URL', 'DATA', 'COOKIE', 'HEADER']
    for source in sources:
        new_url = url
        new_data = data
        new_headers = headers.copy()

        if source is "URL":
            new_url = HTTPHelper.add_url_param(url,
                                               param_name,
                                               param_value)
        elif source is "DATA":
            new_data = HTTPHelper.add_body_param(data,
                                                 param_name,
                                                 param_value)
        elif source is "COOKIE":
            new_headers = HTTPHelper.add_cookie_param(new_headers,
                                                      param_name,
                                                      param_value)
        elif source is "HEADER":
            new_headers = HTTPHelper.add_cookie_param(new_headers,
                                                      param_name,
                                                      param_value)

        request = http_helper.create_http_request(
            method,
            new_url,
            new_data,
            new_headers
        )
        requests.append(request)

    return requests
예제 #3
0
파일: fuzzer.py 프로젝트: arunk-s/owtf
 def sync_fuzz(self, requests, delay=0, follow_cookies=True):
     """ This is the synchronous fuzzing engine. Useful for fuzzing with
     delays and fuzzing that follows cookies"""
     self.reset()
     http_client = HTTPClient()
     cookie = None
     for request in requests:
         try:
             if follow_cookies and cookie:
                 request.headers = HTTPHelper.add_header_param(request.header, "Cookie", cookie)
             response = http_client.fetch(request)
         except HTTPError as e:
             if e.response:
                 response = e.response
         self.responses.append(response)
         if follow_cookies:
             if "Set-Cookie" in response.headers:
                 cookie = response.headers["Set-Cookie"]
         if delay:
             sleep(delay)
     return self.responses
예제 #4
0
파일: fuzzer.py 프로젝트: wuyasec/owtf
 def sync_fuzz(self, requests, delay=0, follow_cookies=True):
     ''' This is the synchronous fuzzing engine. Useful for fuzzing with
     delays and fuzzing that follows cookies'''
     self.reset()
     http_client = HTTPClient()
     cookie = None
     for request in requests:
         try:
             if follow_cookies and cookie:
                 request.headers = HTTPHelper.add_header_param(request.header, "Cookie", cookie)
             response = http_client.fetch(request)
         except HTTPError as e:
             if e.response:
                 response = e.response
         self.responses.append(response)
         if follow_cookies:
             if "Set-Cookie" in response.headers:
                 cookie = response.headers["Set-Cookie"]
         if delay:
             sleep(delay)
     return self.responses
예제 #5
0
파일: wafbypasser.py 프로젝트: wuyasec/owtf
class WAFBypasser:

    def fuzz(self, args, requests):
        if args["follow_cookies"] or args["delay"]:
            delay = args["delay"] or 0
            follow_cookies = args["follow_cookies"] or False
            print "Synchronous Fuzzing: Started"
            responses = self.fuzzer.sync_fuzz(requests, delay, follow_cookies)
        else:
            print "Requests number: %s" % str(len(requests))
            print "Asynchronous Fuzzing: Started"
            responses = self.fuzzer.async_fuzz(requests)
        print "Fuzzing: Completed"
        return responses

    def is_detection_set(self, args):
        det_functions = ["contains", "resp_code_det", "response_time"]
        args_set = False
        for name in det_functions:
            if args[name] is not None:
                return
        Error(self.owtf, "You need to specify at least one Detection Function.")

    def require(self, args, params):
        param_missing = False
        for param in params:
            if args[param] is None:
                param_missing = True
                print "Specify: --%s" % param
        if param_missing:
            Error(self.owtf, "Missing Parameter(s).")

    def __init__(self, owtf):
        self.ua = "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 /Firefox/15.0"
        self.init_request = HTTPRequest("", auth_username=None, auth_password=None, follow_redirects=True,
                                        max_redirects=10, allow_nonstandard_methods=True, headers=None, proxy_host=None,
                                        proxy_port=None, proxy_username=None, proxy_password=None, user_agent=self.ua,
                                        request_timeout=40.0)
        self.sig = "@@@"
        self.length_signature = "%slength%s" % (self.sig, self.sig)
        self.fsig = "%sfuzzhere%s" % (self.sig, self.sig)  # fuzzing signature
        # Template signature regular expression
        self.template_signature_re = "%s[^%s]+" % (self.sig, self.sig)
        self.template_signature_re += self.sig
        self.detection_struct = []
        self.pm = None  # PlaceholderManager
        self.http_helper = None
        self.fuzzer = None
        self.owtf = owtf

    def init_methods(self, args):
        methods = args["methods"] or []
        # Setting Methods
        if methods:
            if ("%sall%s" % (self.sig, self.sig)) in methods:
                methods.remove("%sall%s" % (self.sig, self.sig))
                methods.extend(load_payload_file("./payloads/HTTP/methods.txt"))
                methods = list(set(methods))  # Removing doublesk
        else:
            if args["data"] is None:
                methods.append("GET")  # Autodetect Method
            else:
                methods.append("POST")  # Autodetect Method
        return methods

    def init_headers(self, args):
        headers = HTTPHeaders()
        if args["headers"]:
            for header in args["headers"]:
                values = header.split(':', 1)
                if len(values) == 2:
                    headers.add(*values)
                else:  # values == 1
                    headers.add(values[0], "")
        # Setting Cookies
        if args["cookie"]:
            headers.add("Cookie", args["cookie"])
        return headers

    def init_detection_struct(self, args):
        if args["contains"]:
            detection_args = {}
            detection_args["phrase"] = args["contains"][0]  # detection string
            detection_args["case_sensitive"] = "cs" in args["contains"][1:]
            detection_args["reverse"] = False
            if args["reverse"]:
                detection_args["reverse"] = True
            self.detection_struct.append({"method": contains, "arguments": detection_args, "info": "Contains"})
        if args["resp_code_det"]:
            detection_args = {}
            detection_args["response_codes"] = args["resp_code_det"][0]
            detection_args["reverse"] = False
            if args["reverse"]:
                detection_args["reverse"] = True
            self.detection_struct.append({
                "method": resp_code_detection,
                "arguments": detection_args,
                "info": "Response code detection"
            })
        if args["response_time"]:
            detection_args = {}
            detection_args["time"] = args["response_time"][0]
            detection_args["reverse"] = False
            if args["reverse"]:
                detection_args["reverse"] = True
            self.detection_struct.append({
                "method": resp_time_detection,
                "arguments": detection_args,
                "info": "Response time detection"
            })

    def start(self, args):
        # Initializations
        self.sig = args["fuzzing_signature"] or self.sig
        self.pm = PlaceholderManager(self.sig)
        target = args["target"]
        methods = self.init_methods(args)
        headers = self.init_headers(args)
        data = args["data"] or ""
        self.init_detection_struct(args)
        self.init_request.headers = headers
        self.http_helper = HTTPHelper(self.init_request)
        self.fuzzer = Fuzzer(self.http_helper)

        # Finding the length of a placeholder
        if args["mode"] == "length":
            self.require(args, ["accepted_value"])
            self.is_detection_set(args)
            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Length Detection"
            ch = args["accepted_value"][0]
            length = find_length(self.owtf, self.http_helper, self.length_signature, target, methods[0],
                                 self.detection_struct, ch, headers, data)
            print "Placeholder Allowed Length = %s" % str(length)
        # Detecting Allowed Sources
        elif args["mode"] == "detect_accepted_sources":
            self.is_detection_set(args)
            self.require(args, ["methods", "param_name", "accepted_value", "param_source"])

            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Allowed Sources Detection"

            accepted_method = methods[0]
            param_name = args["param_name"]
            accepted_value = args["accepted_value"]
            param_source = args["param_source"]

            requests = detect_accepted_sources(self.http_helper, target, data, headers, param_name, param_source,
                                               accepted_value, accepted_method)
            responses = self.fuzz(args, requests)
            analyze_accepted_sources(responses, self.detection_struct)

        elif args["mode"] == "content_type_tamper":
            print "Tampering Content-Type mode"
            cnt_types = load_payload_file("./payloads/HTTP/content_types.txt")
            new_headers = self.http_helper.add_header_param(headers, "Content-Type", self.fsig)
            self.pm = PlaceholderManager(self.sig)
            # cnt_types = Payloads
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, cnt_types, new_headers,
                                                         data)
            responses = self.fuzz(args, requests)
            for response in responses:
                print "[->]Request"
                print_request(response)
                print "[<-]Response"
                print_response(response)
                print
        # HPP modes
        elif args["mode"] == "asp_hpp" or args["mode"] == "param_overwriting":
            self.require(args, ["param_name", "param_source", "payloads"])
            param_name = args["param_name"]
            param_source = args["param_source"]
            self.is_detection_set(args)
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            if args["mode"] == "asp_hpp":
                print "Scanning mode: ASP HPP Parameter Splitting"
                requests = asp_hpp(self.http_helper, methods, payloads, param_name, param_source, target, headers, data)
                responses = self.fuzz(args, requests)
            elif args["mode"] == "param_overwriting":
                requests = param_overwrite(self.http_helper, param_name, param_source, payloads[0], target, data,
                                           headers)
                responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)

        elif args["mode"] == "detect_chars":
            self.is_detection_set(args)
            payloads = []
            for i in range(0, 256):
                payloads.append(chr(i))

            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            sent_payloads = analyze_chars(responses, self.http_helper, self.detection_struct)
            payloads = []
            if sent_payloads["detected"]:
                # urlencode blocked chars
                print
                print "URL encoding bad characters"
                for bad_char in sent_payloads["detected"]:
                    payloads.append(urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print
                print "UnicodeURL encoding bad characters"
                payloads = []
                # unicode urlencode blocked chars
                for bad_char in sent_payloads["detected"]:
                    payloads.append(unicode_urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)
            # Finding a white-listed character
                good_char = None
                for char in string.letters:
                    good_char = char
                    break
                if not good_char:
                    for char in string.digits:
                        good_char = char
                        break
                if not good_char:
                    good_char = sent_payloads["undetected"][0]

                print
                print "Sending a detected char followed by an undetected"
                payloads = []
                # add an accepted char before a blocked char
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)
                print
                print "Sending a detected char after an undetected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print "Sending an undetected char after a detected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print "Sending an detected char surrounded by undetected chars"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

        # Fuzzing mode
        elif args["mode"] == "fuzz":
            fuzzing_placeholders = PlaceholderManager.get_placeholder_number(self.template_signature_re, str(args))
            if fuzzing_placeholders > 1:
                Error(self.owtf, "Multiple fuzzing placeholder signatures found. "
                      "Only one fuzzing placeholder is supported.")
            elif fuzzing_placeholders == 0:
                Error(self.owtf, "No fuzzing placeholder signatures found.")
            self.is_detection_set(args)
            payloads = []
            if args["payloads"]:
                for p_file in args["payloads"]:
                    payloads += load_payload_file(p_file)
            else:
                payloads.append("")
            print "Scanning mode: Fuzzing Using placeholders"
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)

        elif args["mode"] == "show_transform_functions":
            print transformations_info()

        elif args["mode"] == "overchar":
            self.require(args, ["payloads", "accepted_value"])
            length = int(args["length"][0])
            accepted_value = args["accepted_value"][0]
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            payloads = [(length - len(payload)) * accepted_value + payload for payload in payloads]
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)
        else:
            Error(self.owtf, "Unknown bypassing mode.")
예제 #6
0
파일: wafbypasser.py 프로젝트: wuyasec/owtf
    def start(self, args):
        # Initializations
        self.sig = args["fuzzing_signature"] or self.sig
        self.pm = PlaceholderManager(self.sig)
        target = args["target"]
        methods = self.init_methods(args)
        headers = self.init_headers(args)
        data = args["data"] or ""
        self.init_detection_struct(args)
        self.init_request.headers = headers
        self.http_helper = HTTPHelper(self.init_request)
        self.fuzzer = Fuzzer(self.http_helper)

        # Finding the length of a placeholder
        if args["mode"] == "length":
            self.require(args, ["accepted_value"])
            self.is_detection_set(args)
            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Length Detection"
            ch = args["accepted_value"][0]
            length = find_length(self.owtf, self.http_helper, self.length_signature, target, methods[0],
                                 self.detection_struct, ch, headers, data)
            print "Placeholder Allowed Length = %s" % str(length)
        # Detecting Allowed Sources
        elif args["mode"] == "detect_accepted_sources":
            self.is_detection_set(args)
            self.require(args, ["methods", "param_name", "accepted_value", "param_source"])

            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Allowed Sources Detection"

            accepted_method = methods[0]
            param_name = args["param_name"]
            accepted_value = args["accepted_value"]
            param_source = args["param_source"]

            requests = detect_accepted_sources(self.http_helper, target, data, headers, param_name, param_source,
                                               accepted_value, accepted_method)
            responses = self.fuzz(args, requests)
            analyze_accepted_sources(responses, self.detection_struct)

        elif args["mode"] == "content_type_tamper":
            print "Tampering Content-Type mode"
            cnt_types = load_payload_file("./payloads/HTTP/content_types.txt")
            new_headers = self.http_helper.add_header_param(headers, "Content-Type", self.fsig)
            self.pm = PlaceholderManager(self.sig)
            # cnt_types = Payloads
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, cnt_types, new_headers,
                                                         data)
            responses = self.fuzz(args, requests)
            for response in responses:
                print "[->]Request"
                print_request(response)
                print "[<-]Response"
                print_response(response)
                print
        # HPP modes
        elif args["mode"] == "asp_hpp" or args["mode"] == "param_overwriting":
            self.require(args, ["param_name", "param_source", "payloads"])
            param_name = args["param_name"]
            param_source = args["param_source"]
            self.is_detection_set(args)
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            if args["mode"] == "asp_hpp":
                print "Scanning mode: ASP HPP Parameter Splitting"
                requests = asp_hpp(self.http_helper, methods, payloads, param_name, param_source, target, headers, data)
                responses = self.fuzz(args, requests)
            elif args["mode"] == "param_overwriting":
                requests = param_overwrite(self.http_helper, param_name, param_source, payloads[0], target, data,
                                           headers)
                responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)

        elif args["mode"] == "detect_chars":
            self.is_detection_set(args)
            payloads = []
            for i in range(0, 256):
                payloads.append(chr(i))

            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            sent_payloads = analyze_chars(responses, self.http_helper, self.detection_struct)
            payloads = []
            if sent_payloads["detected"]:
                # urlencode blocked chars
                print
                print "URL encoding bad characters"
                for bad_char in sent_payloads["detected"]:
                    payloads.append(urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print
                print "UnicodeURL encoding bad characters"
                payloads = []
                # unicode urlencode blocked chars
                for bad_char in sent_payloads["detected"]:
                    payloads.append(unicode_urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)
            # Finding a white-listed character
                good_char = None
                for char in string.letters:
                    good_char = char
                    break
                if not good_char:
                    for char in string.digits:
                        good_char = char
                        break
                if not good_char:
                    good_char = sent_payloads["undetected"][0]

                print
                print "Sending a detected char followed by an undetected"
                payloads = []
                # add an accepted char before a blocked char
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)
                print
                print "Sending a detected char after an undetected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print "Sending an undetected char after a detected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

                print "Sending an detected char surrounded by undetected chars"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses, self.http_helper, self.detection_struct)

        # Fuzzing mode
        elif args["mode"] == "fuzz":
            fuzzing_placeholders = PlaceholderManager.get_placeholder_number(self.template_signature_re, str(args))
            if fuzzing_placeholders > 1:
                Error(self.owtf, "Multiple fuzzing placeholder signatures found. "
                      "Only one fuzzing placeholder is supported.")
            elif fuzzing_placeholders == 0:
                Error(self.owtf, "No fuzzing placeholder signatures found.")
            self.is_detection_set(args)
            payloads = []
            if args["payloads"]:
                for p_file in args["payloads"]:
                    payloads += load_payload_file(p_file)
            else:
                payloads.append("")
            print "Scanning mode: Fuzzing Using placeholders"
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)

        elif args["mode"] == "show_transform_functions":
            print transformations_info()

        elif args["mode"] == "overchar":
            self.require(args, ["payloads", "accepted_value"])
            length = int(args["length"][0])
            accepted_value = args["accepted_value"][0]
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            payloads = [(length - len(payload)) * accepted_value + payload for payload in payloads]
            requests = self.pm.transformed_http_requests(self.http_helper, methods, target, payloads, headers, data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses, self.http_helper, self.detection_struct)
        else:
            Error(self.owtf, "Unknown bypassing mode.")
예제 #7
0
파일: wafbypasser.py 프로젝트: 0day29/owtf
class WAFBypasser:

    def fuzz(self, args, requests):
        if args["follow_cookies"] or args["delay"]:
            delay = args["delay"] or 0
            follow_cookies = args["follow_cookies"] or False
            print "Synchronous Fuzzing: Started"
            responses = self.fuzzer.sync_fuzz(requests, delay, follow_cookies)
        else:
            print "Requests number: " + str(len(requests))
            print "Asynchronous Fuzzing: Started"
            responses = self.fuzzer.async_fuzz(requests)
        print "Fuzzing: Completed"
        return responses

    def is_detection_set(self, args):
        det_functions = ["contains", "resp_code_det", "response_time"]
        args_set = False
        for name in det_functions:
            if args[name] is not None:
                return
        Error(self.owtf, "You need to specify at least one Detection Function.")

    def require(self, args, params):
        param_missing = False
        for param in params:
            if args[param] is None:
                param_missing = True
                print "Specify: --" + param
        if param_missing:
            Error(self.owtf, "Missing Parameter(s).")

    def __init__(self, owtf):
        self.ua = "Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 /" \
                  "Firefox/15.0"
        self.init_request = HTTPRequest("",
                                        auth_username=None,
                                        auth_password=None,
                                        follow_redirects=True,
                                        max_redirects=10,
                                        allow_nonstandard_methods=True,
                                        headers=None,
                                        proxy_host=None,
                                        proxy_port=None,
                                        proxy_username=None,
                                        proxy_password=None,
                                        user_agent=self.ua,
                                        request_timeout=40.0)
        self.sig = "@@@"
        self.length_signature = self.sig + "length" + self.sig
        self.fsig = self.sig + "fuzzhere" + self.sig  # fuzzing signature
        # Template signature regular expression
        self.template_signature_re = self.sig + "[^" + self.sig + "]+"
        self.template_signature_re += self.sig
        self.detection_struct = []
        self.pm = None  # PlaceholderManager
        self.http_helper = None
        self.fuzzer = None
        self.owtf = owtf

    def init_methods(self, args):
        methods = args["methods"] or []
        # Setting Methods
        if methods:
            if self.sig + "all" + self.sig in methods:
                methods.remove(self.sig + "all" + self.sig)
                methods.extend(
                    load_payload_file("./payloads/HTTP/methods.txt"))
                methods = list(set(methods))  # Removing doublesk
        else:
            if args["data"] is None:
                methods.append("GET")  # Autodetect Method
            else:
                methods.append("POST")  # Autodetect Method
        return methods

    def init_headers(self, args):
        headers = HTTPHeaders()
        if args["headers"]:
            for header in args["headers"]:
                values = header.split(':', 1)
                if len(values) == 2:
                    headers.add(*values)
                else:  # values == 1
                    headers.add(values[0], "")
        # Setting Cookies
        if args["cookie"]:
            headers.add("Cookie", args["cookie"])
        return headers

    def init_detection_struct(self, args):
        if args["contains"]:
            detection_args = {}
            detection_args["phrase"] = args["contains"][0]  # detection string
            detection_args["case_sensitive"] = "cs" in args["contains"][1:]
            detection_args["reverse"] = False
            if args["reverse"]:
                detection_args["reverse"] = True
            self.detection_struct.append({"method": contains,
                                          "arguments": detection_args,
                                          "info": "Contains"})
        if args["resp_code_det"]:
            detection_args = {}
            detection_args["response_codes"] = args["resp_code_det"][0]
            detection_args["reverse"] = False
            if args["reverse"]:
                detection_args["reverse"] = True
            self.detection_struct.append({"method": resp_code_detection,
                                          "arguments": detection_args,
                                          "info": "Response code detection"})
        if args["response_time"]:
            detection_args = {}
            detection_args["time"] = args["response_time"][0]
            detection_args["reverse"] = False
            if args["reverse"]:
                detection_args["reverse"] = True
            self.detection_struct.append({"method": resp_time_detection,
                                          "arguments": detection_args,
                                          "info": "Response time detection"})

    def start(self, args):
        # Initializations
        self.sig = args["fuzzing_signature"] or self.sig
        self.pm = PlaceholderManager(self.sig)
        target = args["target"]
        methods = self.init_methods(args)
        headers = self.init_headers(args)
        data = args["data"] or ""
        self.init_detection_struct(args)
        self.init_request.headers = headers
        self.http_helper = HTTPHelper(self.init_request)
        self.fuzzer = Fuzzer(self.http_helper)

        # Finding the length of a placeholder
        if args["mode"] == "length":
            self.require(args, ["accepted_value"])
            self.is_detection_set(args)
            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Length Detection"
            ch = args["accepted_value"][0]
            length = find_length(self.owtf,
                                 self.http_helper,
                                 self.length_signature,
                                 target,
                                 methods[0],
                                 self.detection_struct,
                                 ch,
                                 headers,
                                 data)
            print "Placeholder Allowed Length = " + str(length)
        # Detecting Allowed Sources
        elif args["mode"] == "detect_accepted_sources":
            self.is_detection_set(args)
            self.require(args, ["methods",
                                "param_name",
                                "accepted_value",
                                "param_source"])

            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Allowed Sources Detection"

            accepted_method = methods[0]
            param_name = args["param_name"]
            accepted_value = args["accepted_value"]
            param_source = args["param_source"]

            requests = detect_accepted_sources(self.http_helper,
                                               target,
                                               data,
                                               headers,
                                               param_name,
                                               param_source,
                                               accepted_value,
                                               accepted_method)
            responses = self.fuzz(args, requests)
            analyze_accepted_sources(responses, self.detection_struct)

        elif args["mode"] == "content_type_tamper":
            print "Tampering Content-Type mode"
            cnt_types = load_payload_file("./payloads/HTTP/content_types.txt")
            new_headers = self.http_helper.add_header_param(
                headers,
                "Content-Type", self.fsig)
            self.pm = PlaceholderManager(self.sig)
            requests = self.pm.transformed_http_requests(
                self.http_helper,
                methods,
                target,
                cnt_types,  # Payloads
                new_headers,
                data)
            responses = self.fuzz(args, requests)
            for response in responses:
                print "[->]Request"
                print_request(response)
                print "[<-]Response"
                print_response(response)
                print
        # HPP modes
        elif args["mode"] == "asp_hpp" or args["mode"] == "param_overwriting":
            self.require(args, ["param_name", "param_source", "payloads"])
            param_name = args["param_name"]
            param_source = args["param_source"]
            self.is_detection_set(args)
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            if args["mode"] == "asp_hpp":
                print "Scanning mode: ASP HPP Parameter Splitting"
                requests = asp_hpp(self.http_helper,
                                   methods,
                                   payloads,
                                   param_name,
                                   param_source,
                                   target,
                                   headers,
                                   data)
                responses = self.fuzz(args, requests)
            elif args["mode"] == "param_overwriting":
                requests = param_overwrite(self.http_helper,
                                           param_name,
                                           param_source,
                                           payloads[0],
                                           target,
                                           data,
                                           headers)
                responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)

        elif args["mode"] == "detect_chars":
            self.is_detection_set(args)
            payloads = []
            for i in range(0, 256):
                payloads.append(chr(i))

            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            sent_payloads = analyze_chars(responses,
                                          self.http_helper,
                                          self.detection_struct)
            payloads = []
            if sent_payloads["detected"]:
                # urlencode blocked chars
                print
                print "URL encoding bad characters"
                for bad_char in sent_payloads["detected"]:
                    payloads.append(urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print
                print "UnicodeURL encoding bad characters"
                payloads = []
                # unicode urlencode blocked chars
                for bad_char in sent_payloads["detected"]:
                    payloads.append(unicode_urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)
            # Finding a white-listed character
                good_char = None
                for char in string.letters:
                    good_char = char
                    break
                if not good_char:
                    for char in string.digits:
                        good_char = char
                        break
                if not good_char:
                    good_char = sent_payloads["undetected"][0]

                print
                print "Sending a detected char followed by an undetected"
                payloads = []
                # add an accepted char before a blocked char
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)
                print
                print "Sending a detected char after an undetected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print "Sending an undetected char after a detected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print "Sending an detected char surrounded by undetected chars"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

        # Fuzzing mode
        elif args["mode"] == "fuzz":
            fuzzing_placeholders = PlaceholderManager.get_placeholder_number(
                    self.template_signature_re, str(args))
            if fuzzing_placeholders> 1:
                Error(self.owtf, "Multiple fuzzing placeholder signatures found. "
                      "Only one fuzzing placeholder is supported.")
            elif fuzzing_placeholders == 0:
                Error(self.owtf, "No fuzzing placeholder signatures found.")
            self.is_detection_set(args)
            payloads = []
            if args["payloads"]:
                for p_file in args["payloads"]:
                    payloads += load_payload_file(p_file)
            else:
                payloads.append("")
            print "Scanning mode: Fuzzing Using placeholders"

            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)

        elif args["mode"] == "show_transform_functions":
            print transformations_info()

        elif args["mode"] == "overchar":
            self.require(args, ["payloads", "accepted_value"])
            length = int(args["length"][0])
            accepted_value = args["accepted_value"][0]
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            payloads = [(length - len(payload)) * accepted_value + payload
                        for payload in payloads]
            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)
        else:
            Error(self.owtf, "Unknown bypassing mode.")
예제 #8
0
파일: wafbypasser.py 프로젝트: 0day29/owtf
    def start(self, args):
        # Initializations
        self.sig = args["fuzzing_signature"] or self.sig
        self.pm = PlaceholderManager(self.sig)
        target = args["target"]
        methods = self.init_methods(args)
        headers = self.init_headers(args)
        data = args["data"] or ""
        self.init_detection_struct(args)
        self.init_request.headers = headers
        self.http_helper = HTTPHelper(self.init_request)
        self.fuzzer = Fuzzer(self.http_helper)

        # Finding the length of a placeholder
        if args["mode"] == "length":
            self.require(args, ["accepted_value"])
            self.is_detection_set(args)
            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Length Detection"
            ch = args["accepted_value"][0]
            length = find_length(self.owtf,
                                 self.http_helper,
                                 self.length_signature,
                                 target,
                                 methods[0],
                                 self.detection_struct,
                                 ch,
                                 headers,
                                 data)
            print "Placeholder Allowed Length = " + str(length)
        # Detecting Allowed Sources
        elif args["mode"] == "detect_accepted_sources":
            self.is_detection_set(args)
            self.require(args, ["methods",
                                "param_name",
                                "accepted_value",
                                "param_source"])

            if len(methods) > 1:
                Error(self.owtf, "Only you need to specify only one Method")
            print "Scanning mode: Allowed Sources Detection"

            accepted_method = methods[0]
            param_name = args["param_name"]
            accepted_value = args["accepted_value"]
            param_source = args["param_source"]

            requests = detect_accepted_sources(self.http_helper,
                                               target,
                                               data,
                                               headers,
                                               param_name,
                                               param_source,
                                               accepted_value,
                                               accepted_method)
            responses = self.fuzz(args, requests)
            analyze_accepted_sources(responses, self.detection_struct)

        elif args["mode"] == "content_type_tamper":
            print "Tampering Content-Type mode"
            cnt_types = load_payload_file("./payloads/HTTP/content_types.txt")
            new_headers = self.http_helper.add_header_param(
                headers,
                "Content-Type", self.fsig)
            self.pm = PlaceholderManager(self.sig)
            requests = self.pm.transformed_http_requests(
                self.http_helper,
                methods,
                target,
                cnt_types,  # Payloads
                new_headers,
                data)
            responses = self.fuzz(args, requests)
            for response in responses:
                print "[->]Request"
                print_request(response)
                print "[<-]Response"
                print_response(response)
                print
        # HPP modes
        elif args["mode"] == "asp_hpp" or args["mode"] == "param_overwriting":
            self.require(args, ["param_name", "param_source", "payloads"])
            param_name = args["param_name"]
            param_source = args["param_source"]
            self.is_detection_set(args)
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            if args["mode"] == "asp_hpp":
                print "Scanning mode: ASP HPP Parameter Splitting"
                requests = asp_hpp(self.http_helper,
                                   methods,
                                   payloads,
                                   param_name,
                                   param_source,
                                   target,
                                   headers,
                                   data)
                responses = self.fuzz(args, requests)
            elif args["mode"] == "param_overwriting":
                requests = param_overwrite(self.http_helper,
                                           param_name,
                                           param_source,
                                           payloads[0],
                                           target,
                                           data,
                                           headers)
                responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)

        elif args["mode"] == "detect_chars":
            self.is_detection_set(args)
            payloads = []
            for i in range(0, 256):
                payloads.append(chr(i))

            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            sent_payloads = analyze_chars(responses,
                                          self.http_helper,
                                          self.detection_struct)
            payloads = []
            if sent_payloads["detected"]:
                # urlencode blocked chars
                print
                print "URL encoding bad characters"
                for bad_char in sent_payloads["detected"]:
                    payloads.append(urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print
                print "UnicodeURL encoding bad characters"
                payloads = []
                # unicode urlencode blocked chars
                for bad_char in sent_payloads["detected"]:
                    payloads.append(unicode_urlencode(bad_char))
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)
            # Finding a white-listed character
                good_char = None
                for char in string.letters:
                    good_char = char
                    break
                if not good_char:
                    for char in string.digits:
                        good_char = char
                        break
                if not good_char:
                    good_char = sent_payloads["undetected"][0]

                print
                print "Sending a detected char followed by an undetected"
                payloads = []
                # add an accepted char before a blocked char
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)
                print
                print "Sending a detected char after an undetected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print "Sending an undetected char after a detected"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

                print "Sending an detected char surrounded by undetected chars"
                payloads = []
                for bad_char in sent_payloads["detected"]:
                    payloads.append(good_char + bad_char + good_char)
                requests = self.pm.transformed_http_requests(self.http_helper,
                                                             methods,
                                                             target,
                                                             payloads,
                                                             headers,
                                                             data)
                responses = self.fuzz(args, requests)
                analyze_encoded_chars(responses,
                                      self.http_helper,
                                      self.detection_struct)

        # Fuzzing mode
        elif args["mode"] == "fuzz":
            fuzzing_placeholders = PlaceholderManager.get_placeholder_number(
                    self.template_signature_re, str(args))
            if fuzzing_placeholders> 1:
                Error(self.owtf, "Multiple fuzzing placeholder signatures found. "
                      "Only one fuzzing placeholder is supported.")
            elif fuzzing_placeholders == 0:
                Error(self.owtf, "No fuzzing placeholder signatures found.")
            self.is_detection_set(args)
            payloads = []
            if args["payloads"]:
                for p_file in args["payloads"]:
                    payloads += load_payload_file(p_file)
            else:
                payloads.append("")
            print "Scanning mode: Fuzzing Using placeholders"

            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)

        elif args["mode"] == "show_transform_functions":
            print transformations_info()

        elif args["mode"] == "overchar":
            self.require(args, ["payloads", "accepted_value"])
            length = int(args["length"][0])
            accepted_value = args["accepted_value"][0]
            payloads = []
            for p_file in args["payloads"]:
                payloads += load_payload_file(p_file)
            payloads = [(length - len(payload)) * accepted_value + payload
                        for payload in payloads]
            requests = self.pm.transformed_http_requests(self.http_helper,
                                                         methods,
                                                         target,
                                                         payloads,
                                                         headers,
                                                         data)
            responses = self.fuzz(args, requests)
            analyze_responses(responses,
                              self.http_helper,
                              self.detection_struct)
        else:
            Error(self.owtf, "Unknown bypassing mode.")