Exemplo n.º 1
    def _to_libmproxy_response(self, request, response):
        """
        Build a libmproxy.http.HTTPResponse from a
        w3af.core.data.url.HTTPResponse.HTTPResponse

        :param request: Object whose httpversion is copied to the new response
        :param response: The w3af response that provides the charset, body,
                         headers, status code and status message
        :return: A LibMITMProxyHTTPResponse instance
        """
        encoding = response.charset

        # NOTE(review): errors='ignore' presumably makes smart_str drop
        # whatever it can not represent in the response charset, so the
        # forwarded body/headers may differ from what the origin sent --
        # confirm against smart_str
        raw_body = smart_str(response.body, encoding, errors='ignore')

        encoded_headers = [(smart_str(name, encoding, errors='ignore'),
                            smart_str(value, encoding, errors='ignore'))
                           for name, value in response.headers.items()]
        proxy_headers = ODictCaseless(encoded_headers)

        # ExtendedUrllib already gunzipped the body for us, so the
        # content-encoding we forward has to describe the decoded body.
        # Keeping the original value would make the HTTP client that is
        # using the proxy fail while decoding the response.
        proxy_headers['content-encoding'] = ['identity']

        return LibMITMProxyHTTPResponse(
            request.httpversion,
            response.get_code(),
            str(response.get_msg()),
            proxy_headers,
            raw_body
        )
Exemplo n.º 2
def multipart_encode(_vars, files, boundary=None, _buffer=None):
    """
    Serialize form fields and files as a multipart/form-data body.

    :param _vars: Iterable of (name, value) pairs for the plain fields
    :param files: Iterable of (name, file object) pairs, each file object is
                  rewound with seek(0) and read completely
    :param boundary: The part delimiter, get_boundary() is called when None
    :param _buffer: Text the encoded parts are appended to, '' when None
    :return: (boundary, encoded body)
    """
    # mimetools.choose_boundary() was used here in the past, but its output
    # (e.g. '127.0.0.1.1000.6267.1173556103.828.1') contains the local IP
    # address, which then travels inside every request that is sent.
    # get_boundary() is used instead.
    boundary = get_boundary() if boundary is None else boundary
    _buffer = '' if _buffer is None else _buffer

    # NOTE(review): field names, values and file names are written as
    # received; a double quote or CR/LF inside them changes the structure of
    # the part headers. No escaping is visible in this function.
    for field_name, field_value in _vars:
        _buffer += '--%s\r\n' % boundary
        _buffer += 'Content-Disposition: form-data; name="%s"' % field_name
        _buffer += '\r\n\r\n' + field_value + '\r\n'

    for field_name, file_obj in files:
        # Always send the complete file, no matter where the cursor was left
        file_obj.seek(0)

        # Only the last path component is sent as the file name
        filename = file_obj.name.rsplit(os.path.sep, 1)[-1]

        content_type = mimetypes.guess_type(filename)[0]
        if not content_type:
            content_type = 'application/octet-stream'

        disposition_args = (smart_str(field_name), smart_str(filename))

        _buffer += '--%s\r\n' % boundary
        _buffer += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % disposition_args
        _buffer += 'Content-Type: %s\r\n' % content_type
        _buffer += '\r\n%s\r\n' % file_obj.read()

    # Closing delimiter
    _buffer += '--%s--\r\n\r\n' % boundary

    return boundary, _buffer
Exemplo n.º 3
def _split_vars_files(data):
    """
    Separate the tokens of `data` into plain string variables and file
    variables, the caller can use the result to decide if the request needs
    to be sent as multipart or not.

    :param data: Object exposing iter_tokens(), each token provides
                 get_name() and get_value()
    :return: (List with string variables,
              List with file variables)
    """
    string_params = []
    file_params = []

    for token in data.iter_tokens():
        raw_name = token.get_name()
        token_value = token.get_value()

        name = smart_str(raw_name, encoding=DEFAULT_ENCODING)

        if is_file_like(token_value):
            if token_value.closed:
                # A closed file is sent as a regular parameter with an
                # empty value
                string_params.append((name, ''))
            else:
                file_params.append((name, token_value))
            continue

        if hasattr(token_value, 'isFile'):
            # Not file-like, but flagged as a file with the isFile attribute
            file_params.append((name, token_value))
            continue

        # Ensuring we actually send a string
        encoded_value = smart_str(token_value, encoding=DEFAULT_ENCODING)
        string_params.append((name, encoded_value))

    return string_params, file_params
Exemplo n.º 4
    def get_desc(self, with_id=False):
        """
        Describe this information set.

        Without a TEMPLATE the description of the first info is returned,
        otherwise TEMPLATE is rendered with the information set data.

        :param with_id: Only forwarded to first_info.get_desc() when there is
                        no TEMPLATE
        :return: The description
        """
        if self.TEMPLATE is None:
            return self.first_info.get_desc(with_id=with_id)

        # We render the template using the information set data
        context = {}
        context['urls'] = [smart_unicode(url) for url in self.get_urls()]
        context['uris'] = [smart_unicode(uri) for uri in self.get_uris()]
        context['severity'] = self.get_severity()
        context['name'] = self.get_name()
        context['id'] = self.get_id()
        context['method'] = smart_unicode(self.get_method())
        context['plugin'] = self.get_plugin_name()

        # Items from the first info win over the keys set above
        context.update(self.first_info.items())

        # NOTE(review): the context presumably holds data collected from the
        # scanned target (URLs, methods, info items). Whether it is escaped
        # when rendered depends on how JINJA2_ENV is configured, which can
        # not be seen here -- confirm before using the output as markup
        template_str = textwrap.dedent(self.TEMPLATE)
        template = self.JINJA2_ENV.from_string(template_str)

        try:
            return template.render(context)
        except UnicodeDecodeError:
            # Log the template and the context to help debugging, then let
            # the exception reach the caller
            context_pp = pprint.pformat(context, indent=4)
            msg = ('UnicodeDecodeError found while rendering:\n\n%s\n\n'
                   'Using the following context:\n\n%r\n\n')
            args = (smart_str(template_str), smart_str(context_pp))
            om.out.debug(msg % args)
            raise
Exemplo n.º 5
    def get_desc(self, with_id=False):
        """
        Return the description for this information set.

        When TEMPLATE is None the call is delegated to the first info, in
        any other case TEMPLATE is dedented and rendered with JINJA2_ENV.

        :param with_id: Passed to first_info.get_desc(), it is not used when
                        a TEMPLATE is rendered
        :return: The description
        """
        if self.TEMPLATE is None:
            return self.first_info.get_desc(with_id=with_id)

        # Data from the information set that is available to the template
        url_list = [smart_unicode(u) for u in self.get_urls()]
        uri_list = [smart_unicode(u) for u in self.get_uris()]
        context = dict(urls=url_list,
                       uris=uri_list,
                       severity=self.get_severity(),
                       name=self.get_name(),
                       id=self.get_id(),
                       method=smart_unicode(self.get_method()),
                       plugin=self.get_plugin_name())

        # first_info items are applied last, a key with the same name
        # replaces the value set above
        context.update(self.first_info.items())

        # NOTE(review): escaping of these values at render time is decided
        # by the JINJA2_ENV configuration, not by this method -- confirm
        template_str = textwrap.dedent(self.TEMPLATE)
        template = self.JINJA2_ENV.from_string(template_str)

        try:
            rendered_desc = template.render(context)
        except UnicodeDecodeError:
            # Write what we tried to render to the debug log and re-raise
            msg = ('UnicodeDecodeError found while rendering:\n\n%s\n\n'
                   'Using the following context:\n\n%r\n\n')
            context_pp = pprint.pformat(context, indent=4)
            debug_msg = msg % (smart_str(template_str), smart_str(context_pp))
            om.out.debug(debug_msg)
            raise
        else:
            return rendered_desc
Exemplo n.º 6
def multipart_encode(_vars, files, boundary=None, _buffer=None):
    """
    Encode variables and files using the multipart/form-data format.

    :param _vars: Iterable of (key, value) tuples with the string variables
    :param files: Iterable of (key, file object) tuples, the file objects
                  need to provide seek(), read() and a name attribute
    :param boundary: The delimiter to use, when None the result of
                     get_boundary() is used
    :param _buffer: Initial content for the output, defaults to ''
    :return: A tuple with (boundary, encoded data)
    """
    if boundary is None:
        boundary = get_boundary()

    body = '' if _buffer is None else _buffer

    # NOTE(review): keys, values and file names are interpolated verbatim,
    # nothing here escapes '"' or CR/LF before they are placed in the part
    # headers
    for key, value in _vars:
        body += '--%s\r\n' % boundary
        body += 'Content-Disposition: form-data; name="%s"' % key
        body += '\r\n\r\n' + value + '\r\n'

    for key, fd in files:
        # Read the file from the start
        fd.seek(0)

        path_parts = fd.name.split(os.path.sep)
        filename = path_parts[-1]

        # Fall back to a generic type when the extension is unknown
        guessed_mime, _ = mimetypes.guess_type(filename)
        content_type = guessed_mime if guessed_mime else 'application/octet-stream'

        encoded_key = smart_str(key)
        encoded_filename = smart_str(filename)

        body += '--%s\r\n' % boundary
        body += 'Content-Disposition: form-data; name="%s"; filename="%s"\r\n' % (encoded_key, encoded_filename)
        body += 'Content-Type: %s\r\n' % content_type
        body += '\r\n%s\r\n' % fd.read()

    # The final delimiter
    body += '--%s--\r\n\r\n' % boundary

    return boundary, body
Exemplo n.º 7
    def _to_libmproxy_response(self, request, response):
        """
        Translate a w3af.core.data.url.HTTPResponse.HTTPResponse into a
        libmproxy.http.HTTPResponse

        :param request: Provides the httpversion for the new response
        :param response: The w3af response to translate
        :return: The LibMITMProxyHTTPResponse that was created
        """
        charset = response.charset

        def encode(value):
            # NOTE(review): with errors='ignore' smart_str presumably skips
            # what can not be encoded using the response charset instead of
            # raising -- confirm
            return smart_str(value, charset, errors='ignore')

        body = encode(response.body)

        headers = ODictCaseless([(encode(header_name), encode(header_value))
                                 for header_name, header_value
                                 in response.headers.items()])

        # Important: the body we got from ExtendedUrllib was already
        # gunzipped. The content-encoding header is overwritten to match the
        # decoded body, without this the HTTP client which is using the proxy
        # would fail.
        headers['content-encoding'] = ['identity']

        return LibMITMProxyHTTPResponse(request.httpversion,
                                        response.get_code(),
                                        str(response.get_msg()),
                                        headers,
                                        body)
Exemplo n.º 8
    def test_get_path_qs_string(self):
        """
        get_path_qs() returns the path, the path parameters and the query
        string, also when the path contains non-ASCII characters.
        """
        # (URL to parse, expected smart_str(get_path_qs()))
        test_cases = (
            ('https://domain/konto/insättning?amount=1&method=abc',
             '/konto/insättning?amount=1&method=abc'),

            ('https://domain/konto/insättning;x=1?amount=1&method=abc',
             '/konto/insättning;x=1?amount=1&method=abc'),

            ('https://domain/konto/insättning;insättning=1?amount=1&method=abc',
             '/konto/insättning;insättning=1?amount=1&method=abc'),
        )

        for url_string, expected_path_qs in test_cases:
            u = URL(url_string)
            self.assertEqual(smart_str(u.get_path_qs()), expected_path_qs)
Exemplo n.º 9
    def test_get_path_qs_string(self):
        """
        Verify the output of get_path_qs() for URLs with a non-ASCII path:
        only query string, path parameter and non-ASCII path parameter.
        """
        # Query string only
        plain_url = URL('https://domain/konto/insättning?amount=1&method=abc')
        plain_path_qs = smart_str(plain_url.get_path_qs())
        self.assertEqual(plain_path_qs,
                         '/konto/insättning?amount=1&method=abc')

        # ASCII path parameter
        param_url = URL('https://domain/konto/insättning;x=1?amount=1&method=abc')
        param_path_qs = smart_str(param_url.get_path_qs())
        self.assertEqual(param_path_qs,
                         '/konto/insättning;x=1?amount=1&method=abc')

        # Non-ASCII path parameter
        unicode_param_url = URL('https://domain/konto/insättning;insättning=1?amount=1&method=abc')
        unicode_param_path_qs = smart_str(unicode_param_url.get_path_qs())
        self.assertEqual(unicode_param_path_qs,
                         '/konto/insättning;insättning=1?amount=1&method=abc')
Exemplo n.º 10
 def __str__(self):
     """
     :return: A string representation of self: url_string encoded with
              self._encoding, with the spaces replaced by %20
     """
     # NOTE(review): PERCENT_ENCODE is passed as the error handler,
     # presumably to percent-encode what the encoding can not represent --
     # confirm against smart_str
     return smart_str(self.url_string,
                      self._encoding,
                      errors=PERCENT_ENCODE).replace(' ', '%20')
Exemplo n.º 11
Arquivo: url.py Projeto: Daisymei/w3af
 def __str__(self):
     """
     :return: A string representation of myself, the URL string is encoded
              using self._encoding and the spaces are sent as %20
     """
     encoded_url = smart_str(self.url_string, self._encoding,
                             errors=PERCENT_ENCODE)

     # Only the spaces are replaced in this step
     str_repr = encoded_url.replace(' ', '%20')
     return str_repr
Exemplo n.º 12
    def _to_libmproxy_response(self, request, response):
        """
        Create the libmproxy.http.HTTPResponse which is equivalent to a
        w3af.core.data.url.HTTPResponse.HTTPResponse

        :param request: Only the httpversion attribute is read from it
        :param response: Source for the charset, body, headers, code and
                         message
        :return: A new LibMITMProxyHTTPResponse
        """
        response_charset = response.charset

        encoded_body = smart_str(response.body,
                                 response_charset,
                                 errors='ignore')

        encoded_pairs = []
        for raw_name, raw_value in response.headers.items():
            encoded_pairs.append(
                (smart_str(raw_name, response_charset, errors='ignore'),
                 smart_str(raw_value, response_charset, errors='ignore'))
            )

        # NOTE(review): all headers, content-encoding included, are forwarded
        # as received. If the layer that created `response` already decoded
        # the body, that header would not describe the body anymore --
        # confirm
        libmproxy_headers = ODictCaseless(encoded_pairs)

        return LibMITMProxyHTTPResponse(
            request.httpversion,
            response.get_code(),
            str(response.get_msg()),
            libmproxy_headers,
            encoded_body
        )
Exemplo n.º 13
def xml_str(s):
    """
    Create the utf8 byte-string representation of `s` without raising
    encoding errors.

    Should fix issues similar to:
    https://github.com/andresriancho/w3af/issues/12924

    :param s: The input string/unicode
    :return: A string ready to be sent to the XML file
    """
    utf8_str = smart_str(s, encoding='utf8', errors='xmlcharrefreplace')

    # Anything that matches INVALID_XML is written as a question mark
    # NOTE(review): only encoding problems and INVALID_XML matches are
    # handled here, markup characters such as '<' or '&' are presumably
    # escaped by the code that writes the XML -- confirm
    return re.sub(INVALID_XML, '?', utf8_str)
Exemplo n.º 14
def xml_str(s):
    """
    Encode `s` to utf8 and replace the matches of INVALID_XML, this avoids
    encoding errors while generating the byte-string representation of
    objects.

    Should fix issues similar to:
    https://github.com/andresriancho/w3af/issues/12924

    :param s: The input string/unicode
    :return: A string ready to be sent to the XML file
    """
    # NOTE(review): no escaping of XML markup characters is visible in this
    # function, presumably the XML writer takes care of that -- confirm
    return re.sub(INVALID_XML,
                  '?',
                  smart_str(s, encoding='utf8', errors='xmlcharrefreplace'))
Exemplo n.º 15
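    def _handle_first_level(self, data):
        """
        If data.location_a is not already in the treestore, add it.

        If data.location_a is in the treestore, make sure we paint it the right
        color based on data.color_level

        Update the child count, keep in mind that the child count for this
        level is increased only when a new data.location_b is added.

        :param data: The data for the new item to add, the location_a,
                     location_b and color_level attributes are read.
        :raises AssertionError: When more than one first level row matches
                                data.location_a
        """
        # NOTE(review): new rows store smart_str(location_a, errors='ignore')
        # but this lookup compares against the raw data.location_a. If
        # smart_str changes the value the row will not be found and a second
        # row gets added -- confirm
        contains_location_a = [r for r in self.treestore if
                               r[1] == data.location_a]

        if not contains_location_a:
            # Add the new data to the treestore
            child_count = '( 1 )'
            color = helpers.KB_COLORS[data.color_level]
            location_a = smart_str(data.location_a, errors='ignore')
            store_iter = self.treestore.append(None, [None,
                                                      location_a,
                                                      0, None, 0,
                                                      color,
                                                      child_count])
        else:
            # There's already data in location_a, might need to update the
            # child count
            #
            # The previous `assert len(contains_location_a), 1` used 1 as the
            # assertion message and was always true in this branch, the
            # comparison below is what was intended.
            assert len(contains_location_a) == 1, \
                'Expected exactly one first level row for location_a'
            location_a_row = contains_location_a[0]

            location_a_b_iter = location_a_row.iterchildren()
            stored_locations_b = [r[1] for r in location_a_b_iter]
            store_iter = location_a_row.iter

            if data.location_b not in stored_locations_b:
                # Update the child count
                child_count = '( %s )' % (len(stored_locations_b) + 1)
                self.treestore[store_iter][6] = child_count

        # Make sure we paint it the right color, if it was originally of color
        # X and then we add a vulnerability that has a higher color level then
        # we need to "upgrade" the color
        if data.color_level > self.treestore[store_iter][4]:
            color = helpers.KB_COLORS[data.color_level]
            self.treestore[store_iter][5] = color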
Exemplo n.º 16
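 def _handle_first_level(self, data):
     """
     If data.location_a is not already in the treestore, add it.

     If data.location_a is in the treestore, make sure we paint it the right
     color based on data.color_level

     Update the child count, keep in mind that the child count for this
     level is increased only when a new data.location_b is added.

     :param data: The data for the new item to add, the location_a,
                  location_b and color_level attributes are read.
     :raises AssertionError: When more than one first level row matches
                             data.location_a
     """
     # NOTE(review): the value stored for new rows goes through
     # smart_str(..., errors='ignore') while this lookup uses the raw
     # data.location_a, if both differ the existing row is never found --
     # confirm
     contains_location_a = [r for r in self.treestore if
                            r[1] == data.location_a]

     if not contains_location_a:
         # Add the new data to the treestore
         child_count = '( 1 )'
         color = helpers.KB_COLORS[data.color_level]
         location_a = smart_str(data.location_a, errors='ignore')
         store_iter = self.treestore.append(None, [None,
                                                   location_a,
                                                   0, None, 0,
                                                   color,
                                                   child_count])
     else:
         # There's already data in location_a, might need to update the
         # child count
         #
         # `assert len(contains_location_a), 1` only checked that the list
         # was not empty (1 was the assertion message), compare the length
         # to really verify that there is a single row.
         assert len(contains_location_a) == 1, \
             'Expected exactly one first level row for location_a'
         location_a_row = contains_location_a[0]

         location_a_b_iter = location_a_row.iterchildren()
         stored_locations_b = [r[1] for r in location_a_b_iter]
         store_iter = location_a_row.iter

         if data.location_b not in stored_locations_b:
             # Update the child count
             child_count = '( %s )' % (len(stored_locations_b) + 1)
             self.treestore[store_iter][6] = child_count

     # Make sure we paint it the right color, if it was originally of color
     # X and then we add a vulnerability that has a higher color level then
     # we need to "upgrade" the color
     if data.color_level > self.treestore[store_iter][4]:
         color = helpers.KB_COLORS[data.color_level]
         self.treestore[store_iter][5] = color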
Exemplo n.º 17
def xml_str(s, replace_invalid=True):
    """
    Create the utf8 byte-string representation of `s` without raising
    encoding errors.

    Should fix issues similar to:
    https://github.com/andresriancho/w3af/issues/12924

    :param s: The input string/unicode
    :param replace_invalid: If there are invalid XML chars, replace them.
    :return: A string ready to be sent to the XML file
    """
    utf8_str = smart_str(s, encoding='utf8', errors='xmlcharrefreplace')

    if not replace_invalid:
        # NOTE(review): in this case whatever matches INVALID_XML is
        # returned as is, the caller needs to deal with it
        return utf8_str

    # Each match of INVALID_XML is replaced with a question mark
    return INVALID_XML.sub('?', utf8_str)
Exemplo n.º 18
def xml_str(s, replace_invalid=True):
    """
    Encode `s` to utf8 avoiding encoding errors, this is used while
    generating the byte-string representation of objects.

    Should fix issues similar to:
    https://github.com/andresriancho/w3af/issues/12924

    :param s: The input string/unicode
    :param replace_invalid: If there are invalid XML chars, replace them.
                            When it is false the encoded string is returned
                            without applying INVALID_XML.
    :return: A string ready to be sent to the XML file
    """
    # NOTE(review): escaping of markup characters such as '<' or '&' is not
    # visible here, presumably the XML writer handles it -- confirm
    as_utf8 = smart_str(s, encoding='utf8', errors='xmlcharrefreplace')
    return INVALID_XML.sub('?', as_utf8) if replace_invalid else as_utf8
Exemplo n.º 19
 def __str__(self):
     """
     :return: self._value converted with smart_str
     """
     # NOTE(review): errors='ignore' presumably drops what can not be
     # encoded, the result may be shorter than the original value -- confirm
     str_value = smart_str(self._value, errors='ignore')
     return str_value
Exemplo n.º 20
 def __str__(self):
     return smart_str(self._value, errors='ignore')
Exemplo n.º 21
def get_template_with_payload(extension, payload):
    """
    Get the file template for `extension` and embed `payload` in it.

    :param extension: Passed to get_file_from_template() to choose the
                      template
    :param payload: Replaces the run of 239 'A' characters of the template
    :return: (success, file content with the payload, file name), the first
             and last items are returned as received from
             get_file_from_template()
    """
    template_info = get_file_from_template(extension)
    success, file_content, file_name = template_info

    # The templates reserve the space for the payload with 239 'A'
    placeholder = 'A' * 239

    # TODO: Add support for file types which have some type of CRC
    # NOTE(review): the replacement is done without looking at `success` and
    # the payload is not padded to the placeholder length, so the file size
    # can change -- confirm this is fine for all the templates
    file_content = file_content.replace(placeholder, smart_str(payload))

    return success, file_content, file_name