def do_POST_check(parameter): http_request_method = "POST" # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. parameter = checks.wildcard_character(parameter).replace("'", "\"") # Check if JSON Object. if checks.is_JSON_check(parameter): if not settings.IS_JSON: checks.process_json_data() settings.PARAMETER_DELIMITER = "," # Check if XML Object. elif checks.is_XML_check(parameter): if not settings.IS_XML: checks.process_xml_data() settings.PARAMETER_DELIMITER = "" else: pass parameters_list = [] # Split multiple parameters if settings.IS_XML: _ = [] parameters = re.findall(r'(.*)', parameter) parameters = [param + "\n" for param in parameters if param] for value in range(0, len(parameters)): _.append(parameters[value]) multi_parameters = _ else: try: multi_parameters = parameter.split(settings.PARAMETER_DELIMITER) except ValueError, err_msg: print settings.print_critical_msg(err_msg) sys.exit(0)
def do_POST_check(parameter): http_request_method = "POST" # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. parameter = checks.wildcard_character(parameter).replace("'","\"") # Check if JSON Object. if checks.is_JSON_check(parameter): if not settings.IS_JSON: checks.process_json_data() settings.PARAMETER_DELIMITER = "," # Check if XML Object. elif checks.is_XML_check(parameter): if not settings.IS_XML: checks.process_xml_data() settings.PARAMETER_DELIMITER = "" else: pass parameters_list = [] # Split multiple parameters if settings.IS_XML: _ = [] parameters = re.findall(r'(.*)', parameter) parameters = [param + "\n" for param in parameters if param] for value in range(0,len(parameters)): _.append(parameters[value]) multi_parameters = _ else: try: multi_parameters = parameter.split(settings.PARAMETER_DELIMITER) multi_parameters = [x for x in multi_parameters if x] except ValueError, err_msg: print settings.print_critical_msg(err_msg) raise SystemExit()
def do_POST_check(parameter): http_request_method = "POST" # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. parameter = checks.wildcard_character(parameter).replace("'", "\"") # Check if JSON Object. if checks.is_JSON_check(parameter): if not settings.IS_JSON: checks.process_json_data() settings.PARAMETER_DELIMITER = "," # Check if XML Object. elif checks.is_XML_check(parameter): if not settings.IS_XML: checks.process_xml_data() settings.PARAMETER_DELIMITER = "" else: pass parameters_list = [] # Split multiple parameters if settings.IS_XML: _ = [] parameters = re.findall(r'(.*)', parameter) parameters = [param + "\n" for param in parameters if param] for value in range(0, len(parameters)): _.append(parameters[value]) multi_parameters = _ else: multi_parameters = parameter.split(settings.PARAMETER_DELIMITER) # Check for inappropriate format in provided parameter(s). if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)) and \ not settings.IS_JSON and \ not settings.IS_XML: checks.inappropriate_format(multi_parameters) # Check for empty values (in provided parameters). # Check if single parameter is supplied. if len(multi_parameters) == 1: #Grab the value of parameter. if settings.IS_JSON: #Grab the value of parameter. value = re.findall(r'\"(.*)\"', parameter) value = ''.join(value) if value != settings.INJECT_TAG: value = re.findall(r'\s*\:\s*\"(.*)\"', parameter) value = ''.join(value) elif settings.IS_XML: #Grab the value of parameter. value = re.findall(r'>(.*)</', parameter) value = ''.join(value) else: _ = [] _.append(parameter) parameter = ''.join(checks.check_similarities(_)) value = re.findall(r'=(.*)', parameter) value = ''.join(value) if checks.is_empty(multi_parameters, http_request_method): return parameter else: # Replace the value of parameter with INJECT tag inject_value = value.replace(value, settings.INJECT_TAG) if len(value) == 0: if settings.IS_JSON: parameter = parameter.replace( ":\"\"", ":\"" + settings.INJECT_TAG + "\"") else: parameter = parameter + settings.INJECT_TAG else: parameter = parameter.replace(value, inject_value) return parameter else: # Check if multiple parameters are supplied without the "INJECT_HERE" tag. if settings.IS_XML: all_params = multi_parameters else: all_params = settings.PARAMETER_DELIMITER.join(multi_parameters) # Check for similarity in provided parameter name and value. all_params = all_params.split(settings.PARAMETER_DELIMITER) all_params = checks.check_similarities(all_params) # Check if not defined the "INJECT_HERE" tag in parameter if settings.INJECT_TAG not in parameter: checks.is_empty(multi_parameters, http_request_method) for param in range(0, len(all_params)): if param == 0: if settings.IS_JSON: old = re.findall(r'\:\"(.*)\"', all_params[param]) old = ''.join(old) elif settings.IS_XML: old = re.findall(r'>(.*)</', all_params[param]) old = ''.join(old) else: old = re.findall(r'=(.*)', all_params[param]) old = ''.join(old) else: old = value # Grab the value of parameter. if settings.IS_JSON: #Grab the value of parameter. value = re.findall(r'\:\"(.*)\"', all_params[param]) value = ''.join(value) elif settings.IS_XML: value = re.findall(r'>(.*)</', all_params[param]) value = ''.join(value) else: value = re.findall(r'=(.*)', all_params[param]) value = ''.join(value) # Replace the value of parameter with INJECT tag inject_value = value.replace(value, settings.INJECT_TAG) # Skip testing the parameter(s) with empty value(s). if menu.options.skip_empty: if len(value) == 0: if settings.IS_JSON: #Grab the value of parameter. provided_value = re.findall( r'\"(.*)\"\:', all_params[param]) provided_value = ''.join(provided_value) elif settings.IS_XML: provided_value = re.findall( r'>(.*)</', all_params[param]) provided_value = ''.join(provided_value) else: provided_value = re.findall( r'(.*)=', all_params[param]) provided_value = ''.join(provided_value) else: all_params[param] = all_params[param].replace( value, inject_value) all_params[param - 1] = all_params[param - 1].replace( inject_value, old) parameter = settings.PARAMETER_DELIMITER.join( all_params) parameters_list.append(parameter) parameter = parameters_list else: if len(value) == 0: if settings.IS_JSON: all_params[param] = all_params[param].replace( ":\"\"", ":\"" + settings.INJECT_TAG + "\"") elif settings.IS_XML: all_params[param] = all_params[param].replace( "></", ">" + settings.INJECT_TAG + "</") else: all_params[param] = all_params[ param] + settings.INJECT_TAG else: all_params[param] = all_params[param].replace( value, inject_value) all_params[param - 1] = all_params[param - 1].replace( inject_value, old) parameter = settings.PARAMETER_DELIMITER.join(all_params) parameters_list.append(parameter) parameter = parameters_list else: for param in range(0, len(multi_parameters)): # Grab the value of parameter. if settings.IS_JSON: value = re.findall(r'\"(.*)\"', multi_parameters[param]) value = ''.join(value) if settings.IS_XML: value = re.findall(r'>(.*)</', all_params[param]) value = ''.join(value) else: value = re.findall(r'=(.*)', multi_parameters[param]) value = ''.join(value) parameter = settings.PARAMETER_DELIMITER.join(multi_parameters) return parameter
def do_POST_check(parameter, http_request_method): # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. parameter = checks.wildcard_character(parameter).replace("'", "\"") # Check if JSON Object. if checks.is_JSON_check(checks.check_quotes_json_data(parameter)): parameter = checks.check_quotes_json_data(parameter) if not settings.IS_JSON: checks.process_json_data() settings.PARAMETER_DELIMITER = "," # Check if XML Object. elif checks.is_XML_check(parameter): if not settings.IS_XML: checks.process_xml_data() settings.PARAMETER_DELIMITER = "" else: pass parameters_list = [] # Split multiple parameters if settings.IS_XML: parameter = re.sub(r">\s*<", '>\n<', parameter).replace("\\n", "\n") _ = [] parameters = re.findall(r'(.*)', parameter) parameters = [param + "\n" for param in parameters if param] for value in range(0, len(parameters)): _.append(parameters[value]) multi_parameters = _ else: try: multi_parameters = parameter.split(settings.PARAMETER_DELIMITER) multi_parameters = [x for x in multi_parameters if x] except ValueError as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit() # Check for inappropriate format in provided parameter(s). if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)) and \ not settings.IS_JSON and \ not settings.IS_XML: checks.inappropriate_format(multi_parameters) # Check if single parameter is supplied. if len(multi_parameters) == 1: # Grab the value of parameter. if settings.IS_JSON: # Grab the value of parameter. value = re.findall(r'\"(.*)\"', parameter) value = ''.join(value) if value != settings.INJECT_TAG: value = re.findall(r'\s*\:\s*\"(.*)\"', parameter) value = ''.join(value) elif settings.IS_XML: # Grab the value of parameter. value = re.findall(r'>(.*)</', parameter) value = ''.join(value) else: _ = [] _.append(parameter) parameter = ''.join(checks.check_similarities(_)) value = re.findall(r'=(.*)', parameter) value = ''.join(value) if checks.is_empty(multi_parameters, http_request_method): return parameter else: # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(parameter): return parameter if re.search(settings.VALUE_BOUNDARIES, value): value = checks.value_boundaries(value) # Replace the value of parameter with INJECT_HERE tag if len(value) == 0: if settings.IS_JSON: parameter = parameter.replace( ":\"\"", ":\"" + settings.INJECT_TAG + "\"") else: parameter = parameter + settings.INJECT_TAG else: parameter = parameter.replace(value, value + settings.INJECT_TAG) return parameter else: # Check if multiple parameters are supplied without the "INJECT_HERE" tag. if settings.IS_XML: all_params = multi_parameters else: all_params = settings.PARAMETER_DELIMITER.join(multi_parameters) # Check for similarity in provided parameter name and value. all_params = all_params.split(settings.PARAMETER_DELIMITER) all_params = checks.check_similarities(all_params) # Check if not defined the "INJECT_HERE" tag in parameter if settings.INJECT_TAG not in parameter: if checks.is_empty(multi_parameters, http_request_method): return parameter for param in range(0, len(all_params)): if param == 0: if settings.IS_JSON: old = re.findall(r'\:(.*)', all_params[param]) old = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '', ''.join(old)) elif settings.IS_XML: old = re.findall(r'>(.*)</', all_params[param]) old = ''.join(old) else: old = re.findall(r'=(.*)', all_params[param]) old = ''.join(old) else: old = value if settings.IS_JSON: value = re.findall(r'\:(.*)', all_params[param]) if re.findall(r'\\"(.*)\\"', value[0]): value = re.findall(r'\\"(.*)\\"', value[0]) value = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '', ''.join(value)) elif settings.IS_XML: value = re.findall(r'>(.*)</', all_params[param]) value = ''.join(value) else: value = re.findall(r'=(.*)', all_params[param]) value = ''.join(value) # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(all_params[param]): continue if re.search(settings.VALUE_BOUNDARIES, value): value = checks.value_boundaries(value) # Replace the value of parameter with INJECT_HERE tag # Skip testing the parameter(s) with empty value(s). if menu.options.skip_empty: if len(value) != 0: all_params[param] = all_params[param].replace( value, value + settings.INJECT_TAG) all_params[param - 1] = all_params[param - 1].replace( value, "").replace(settings.INJECT_TAG, "") parameter = settings.PARAMETER_DELIMITER.join( all_params) else: if len(value) == 0: if settings.IS_JSON: all_params[param] = all_params[param].replace( ":\"\"", ":\"" + settings.INJECT_TAG + "\"") elif settings.IS_XML: all_params[param] = all_params[param].replace( "></", ">" + settings.INJECT_TAG + "</") else: all_params[param] = all_params[ param] + settings.INJECT_TAG else: all_params[param] = all_params[param].replace( value, value + settings.INJECT_TAG) all_params[param - 1] = all_params[param - 1].replace( value, "").replace(settings.INJECT_TAG, "") parameter = settings.PARAMETER_DELIMITER.join(all_params) parameter = parameter.replace(settings.RANDOM_TAG, "") parameters_list.append(parameter) parameter = parameters_list else: for param in range(0, len(multi_parameters)): # Grab the value of parameter. if settings.IS_JSON: value = re.findall(r'\"(.*)\"', multi_parameters[param]) value = ''.join(value) if settings.IS_XML: value = re.findall(r'>(.*)</', all_params[param]) value = ''.join(value) else: value = re.findall(r'=(.*)', multi_parameters[param]) value = ''.join(value) parameter = settings.PARAMETER_DELIMITER.join(multi_parameters) return parameter