def _with_time_delay(self, freq):
"""
Tests an URL for OS Commanding vulnerabilities using time delays.
@param freq: A fuzzableRequest
"""
# Send the fuzzableRequest without any fuzzing, so we can measure the response
# time of this script in order to compare it later
res = self._sendMutant(freq, analyze=False, grepResult=False)
self._original_wait_time = res.getWaitTime()
# Prepare the strings to create the mutants
command_list = self._get_wait_commands()
only_command_strings = [v.getCommand() for v in command_list]
mutants = createMutants(freq, only_command_strings)
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug("osCommanding", "osCommanding", mutant.getURL(), mutant.getVar()):
targs = (mutant,)
kwds = {"analyze_callback": self._analyze_wait}
self._tm.startFunction(target=self._sendMutant, args=targs, kwds=kwds, ownerObj=self)
self._tm.join(self)
def audit(self, freq ):
'''
Searches for file upload vulns.
@param freq: A fuzzableRequest
'''
# Start
if freq.getMethod().upper() == 'POST' and len ( freq.getFileVariables() ) != 0:
om.out.debug( 'fileUpload plugin is testing: ' + freq.getURL() )
# I do all this to be able to perform the enumerate() below
for file_parameter in freq.getFileVariables():
self._file_list = self._get_files()
# Only file handlers are passed to the createMutants functions
file_handlers = [ i[0] for i in self._file_list ]
mutants = createMutants( freq, file_handlers, fuzzableParamList=[file_parameter, ] )
for mutant in mutants:
_, filename = os.path.split( mutant.getModValue().name )
mutant.uploaded_file_name = filename
for mutant in mutants:
args = (mutant,)
kwds = {'callback': self._analyze_result }
self._run_async(meth=self._uri_opener.send_mutant, args=args,
kwds=kwds)
self._join()
def _with_time_delay(self, freq):
'''
Tests an URL for OS Commanding vulnerabilities using time delays.
@param freq: A fuzzableRequest
'''
fake_mutants = createMutants(freq, ['',])
for mutant in fake_mutants:
if self._has_bug(mutant):
continue
for delay_obj in self._get_wait_commands():
ed = exact_delay(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
v = vuln.vuln( mutant )
v.setPluginName(self.getName())
v.setName( 'OS commanding vulnerability' )
v.setSeverity(severity.HIGH)
v['os'] = delay_obj.get_OS()
v['separator'] = delay_obj.get_separator()
v.setDesc( 'OS Commanding was found at: ' + mutant.foundAt() )
v.setDc( mutant.getDc() )
v.setId( [r.id for r in responses] )
v.setURI( r.getURI() )
kb.kb.append( self, 'osCommanding', v )
break
def audit(self, freq ):
'''
Tests an URL for server side inclusion vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug( 'ssi plugin is testing: ' + freq.getURL() )
oResponse = self._uri_opener.send_mutant(freq)
# Used in end() to detect "persistent SSI"
self._add_persistent_SSI( freq, oResponse )
# Create the mutants to send right now,
ssi_strings = self._get_ssi_strings()
mutants = createMutants( freq , ssi_strings, oResponse=oResponse )
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._has_no_bug(mutant):
args = (mutant,)
kwds = {'callback': self._analyze_result }
self._run_async(meth=self._uri_opener.send_mutant, args=args,
kwds=kwds)
self._join()
def _fuzz_with_time_delay(self, freq):
"""
Tests an URL for eval() usage vulnerabilities using time delays.
@param freq: A fuzzableRequest
"""
fake_mutants = createMutants(freq, [""])
for mutant in fake_mutants:
if self._has_bug(mutant):
continue
for delay_obj in self.WAIT_OBJ:
ed = exact_delay(mutant, delay_obj, self._uri_opener)
success, responses = ed.delay_is_controlled()
if success:
v = vuln.vuln(mutant)
v.setPluginName(self.getName())
v.setId([r.id for r in responses])
v.setSeverity(severity.HIGH)
v.setName("eval() input injection vulnerability")
v.setDesc("eval() input injection was found at: " + mutant.foundAt())
kb.kb.append(self, "eval", v)
break
def audit(self, freq):
"""
Tests an URL for XSS vulnerabilities.
@param freq: A fuzzableRequest
"""
om.out.debug("XSS plugin is testing: " + freq.getURL())
# Save it here, so I can search for permanent XSS
self._fuzzableRequests.append(freq)
# This list is just to test if the parameter is echoed back
fake_mutants = createMutants(freq, [""])
for mutant in fake_mutants:
# verify if the variable we are fuzzing is actually being
# echoed back
if self._is_echoed(mutant):
# Search for reflected XSS
self._search_reflected_xss(mutant)
# And also check stored
self._search_stored_xss(mutant)
elif self._check_stored_xss:
# Search for permanent XSS
self._search_stored_xss(mutant)
def audit(self, freq ):
'''
Tests an URL for local file inclusion vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug( 'localFileInclude plugin is testing: ' + freq.getURL() )
oResponse = self._sendMutant( freq , analyze=False ).getBody()
# What payloads do I want to send to the remote end?
local_files = []
local_files.append( urlParser.getFileName( freq.getURL() ) )
if not self._open_basedir:
local_files.extend( self._get_local_file_list(freq.getURL()) )
mutants = createMutants( freq , local_files, oResponse=oResponse )
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug( 'localFileInclude' , 'localFileInclude', mutant.getURL() , mutant.getVar() ):
targs = (mutant,)
# I don't grep the result, because if I really find a local file inclusion,
# I will be requesting /etc/passwd and that would generate A LOT of false
# positives in the grep.pathDisclosure plugin
kwds = {'grepResult':False}
self._tm.startFunction( target=self._sendMutant, args=targs , \
kwds=kwds, ownerObj=self )
self._tm.join( self )
def _search_stored_xss(self, mutant):
'''
Analyze the mutant for stored XSS. We get here because we already verified and the
parameter is NOT being echoed back.
@parameter mutant: A mutant that was used to test if the parameter was echoed back or not
@return: None
'''
xss_tests = self._get_xss_tests()
xss_tests = xss_tests[:self._number_of_stored_xss_checks]
# Get the strings only
xss_strings = [ i[0] for i in xss_tests ]
# And now replace the alert by fake_alert; I don't want to break web applications
xss_strings = [ xss_test.replace('alert', 'fake_alert') for xss_test in xss_strings ]
mutant_list = createMutants( mutant.getFuzzableReq() , xss_strings , \
fuzzableParamList=[mutant.getVar(), ])
# In the mutant, we have to save which browsers are vulnerable to that specific string
for mutant in mutant_list:
for xss_string, affected_browsers in xss_tests:
if xss_string.replace('alert', 'fake_alert') in mutant.getModValue():
mutant.affected_browsers = affected_browsers
for mutant in mutant_list:
targs = (mutant,)
self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
self._tm.join( self )
def audit(self, freq ):
'''
Searches for file upload vulns.
@param freq: A fuzzableRequest
'''
# Start
if freq.getMethod().upper() == 'POST' and len ( freq.getFileVariables() ) != 0:
om.out.debug( 'fileUpload plugin is testing: ' + freq.getURL() )
# I do all this to be able to perform the enumerate() below
for file_parameter in freq.getFileVariables():
self._file_list = self._get_files()
# Only file handlers are passed to the createMutants functions
file_handlers = [ i[0] for i in self._file_list ]
mutants = createMutants( freq, file_handlers, fuzzableParamList=[file_parameter, ] )
for mutant in mutants:
_, filename = os.path.split( mutant.getModValue().name )
mutant.uploaded_file_name = filename
for mutant in mutants:
targs = (mutant,)
self._tm.startFunction(target=self._sendMutant,
args=targs, ownerObj=self)
self._tm.join( self )
def audit(self, freq ):
'''
Tests an URL for local file inclusion vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug( 'localFileInclude plugin is testing: ' + freq.getURL() )
oResponse = self._uri_opener.send_mutant(freq)
# What payloads do I want to send to the remote end?
local_files = []
local_files.append( freq.getURL().getFileName() )
if not self._open_basedir:
local_files.extend( self._get_local_file_list(freq.getURL()) )
mutants = createMutants( freq , local_files, oResponse=oResponse )
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._has_no_bug(mutant):
# I don't grep the result, because if I really find a local
# file inclusion I will be requesting /etc/passwd and that
# would generate A LOT of false positives in the
# grep.pathDisclosure plugin
args = (mutant,)
kwds = {'callback': self._analyze_result,
'grep': False }
self._run_async(meth=self._uri_opener.send_mutant, args=args,
kwds=kwds)
self._join()
def _search_stored_xss(self, mutant):
"""
Analyze the mutant for stored XSS. We get here because we
already verified and the parameter is NOT being echoed back.
@parameter mutant: A mutant that was used to test if the
parameter was echoed back or not
"""
xss_tests = self._get_xss_tests()
xss_tests = xss_tests[: self._number_of_stored_xss_checks]
# Get the strings only
xss_strings = [i[0] for i in xss_tests]
# And now replace the alert by fake_alert; I don't want to
# break web applications
xss_strings = [xss_test.replace("alert", "fake_alert") for xss_test in xss_strings]
mutant_list = createMutants(mutant.getFuzzableReq(), xss_strings, fuzzableParamList=[mutant.getVar()])
# In the mutant, we have to save which browsers are vulnerable
# to that specific string
for mutant in mutant_list:
for xss_string, affected_browsers in xss_tests:
if xss_string.replace("alert", "fake_alert") in mutant.getModValue():
mutant.affected_browsers = affected_browsers
if self._has_no_bug(mutant):
args = (mutant,)
kwds = {"callback": self._analyze_result}
self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds)
self._join()
def audit(self, freq ):
'''
Tests an URL for server side inclusion vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug( 'ssi plugin is testing: ' + freq.getURL() )
oResponse = self._sendMutant( freq , analyze=False ).getBody()
# Used in end() to detect "persistent SSI"
self._add_persistent_SSI( freq, oResponse )
# Create the mutants to send right now,
ssi_strings = self._get_ssi_strings()
mutants = createMutants( freq , ssi_strings, oResponse=oResponse )
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug( 'ssi' , 'ssi', mutant.getURL() , mutant.getVar() ):
targs = (mutant,)
self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
self._tm.join( self )
def audit(self, freq):
'''
Tester les vulnerabilites d'injection SQL d'une URL
@param freq: Une URL a tester
'''
# New audit, everything following will have global_id for identifying
global global_id
global_id = global_id + 1
# Recupere la page : OK
oResponse = self._sendMutant( freq , analyze=False ).getBody()
# Recupere un tableau de string a tester
drame_str_reject = self.getDrameStrings("reject")
drame_str_error = self.getDrameStrings("error")
drame_str_injection = self.getDrameStrings("injection")
# REJECT URL
mutantsReject = createMutants( freq , drame_str_reject, oResponse=oResponse )
for mutant in mutantsReject:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug( 'drame' , 'drame', mutant.getURL() , mutant.getVar() ):
# resultReject function will be the callback of this _sendMutant
targs = (mutant,True,True,self._resultReject)
self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
# ERROR URL
mutantsError = createMutants( freq , drame_str_error, oResponse=oResponse )
for mutant in mutantsError:
if self._hasNoBug( 'drame' , 'drame', mutant.getURL() , mutant.getVar() ):
# resultError function will be the callback of this _sendMutant
targs = ( mutant, True, True, self._resultError )
self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
# INJECTION URL
mutantsInjection = createMutants( freq , drame_str_injection, oResponse=oResponse )
for mutant in mutantsInjection:
if self._hasNoBug( 'drame' , 'drame', mutant.getURL() , mutant.getVar() ):
# resultInjection function will be the callback of this _sendMutant
targs = (mutant,True,True,self._resultInjection)
self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
self._tm.join( self )
def audit(self, freq):
"""
Find those phishing vectors!
@param freq: A fuzzableRequest
"""
om.out.debug("phishingVector plugin is testing: " + freq.getURL())
mutants = createMutants(freq, self._test_urls)
for mutant in mutants:
args = (mutant,)
kwds = {"callback": self._analyze_result}
self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds)
self._join()
def audit(self, freq ):
'''
Find those phishing vectors!
@param freq: A fuzzableRequest
'''
om.out.debug( 'phishingVector plugin is testing: ' + freq.getURL() )
mutants = createMutants( freq , self._test_urls )
for mutant in mutants:
targs = (mutant,)
self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
self._tm.join( self )
def _search_reflected_xss(self, mutant):
'''
Analyze the mutant for reflected XSS. We get here because we already verified and the
parameter is being echoed back.
@parameter mutant: A mutant that was used to test if the parameter was echoed back or not
@return: None
'''
# Verify what characters are allowed
try:
allowed_chars = self._get_allowed_chars(mutant)
except w3afException:
# If something fails, every char is allowed
allowed_chars = self._special_characters[:]
# Filter the tests based on the knowledge we got from the previous test
orig_xss_tests = self._get_xss_tests()
filtered_xss_tests = []
for xss_string, affected_browsers in orig_xss_tests:
for char in self._special_characters:
all_allowed = True
if char in xss_string and not char in allowed_chars:
all_allowed = False
break
# Decide wether to send the test or not
if all_allowed:
filtered_xss_tests.append((xss_string, affected_browsers))
# Get the strings only
xss_strings = [ i[0] for i in filtered_xss_tests ]
mutant_list = createMutants( mutant.getFuzzableReq() , xss_strings , \
fuzzableParamList=[mutant.getVar(), ])
# In the mutant, we have to save which browsers are vulnerable to that specific string
for mutant in mutant_list:
for xss_string, affected_browsers in filtered_xss_tests:
if xss_string in mutant.getModValue():
mutant.affected_browsers = affected_browsers
for mutant in mutant_list:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug( 'xss' , 'xss', mutant.getURL() , mutant.getVar() ):
targs = (mutant,)
self._tm.startFunction( target=self._sendMutant, args=targs, ownerObj=self )
self._tm.join( self )
def audit(self, freq):
"""
Tests an URL for global redirect vulnerabilities.
@param freq: A fuzzableRequest
"""
om.out.debug("golbalRedirect plugin is testing: " + freq.getURL())
mutants = createMutants(freq, [self._test_site])
for mutant in mutants:
if self._hasNoBug("globalRedirect", "globalRedirect", mutant.getURL(), mutant.getVar()):
targs = (mutant,)
self._tm.startFunction(target=self._sendMutant, args=targs, ownerObj=self)
self._tm.join(self)
def _search_reflected_xss(self, mutant):
"""
Analyze the mutant for reflected XSS. We get here because we
already verified and the parameter is being echoed back.
@parameter mutant: A mutant that was used to test if the parameter
was echoed back or not
"""
# Verify what characters are allowed
try:
allowed_chars = self._get_allowed_chars(mutant)
except w3afException:
# If something fails, every char is allowed
allowed_chars = self._special_characters[:]
# Filter the tests based on the knowledge we got from the
# previous test
orig_xss_tests = self._get_xss_tests()
filtered_xss_tests = []
for xss_string, affected_browsers in orig_xss_tests:
for char in self._special_characters:
all_allowed = True
if char in xss_string and not char in allowed_chars:
all_allowed = False
break
# Decide wether to send the test or not
if all_allowed:
filtered_xss_tests.append((xss_string, affected_browsers))
# Get the strings only
xss_strings = [i[0] for i in filtered_xss_tests]
mutant_list = createMutants(mutant.getFuzzableReq(), xss_strings, fuzzableParamList=[mutant.getVar()])
# In the mutant, we have to save which browsers are vulnerable
# to that specific string
for mutant in mutant_list:
for xss_string, affected_browsers in filtered_xss_tests:
if xss_string in mutant.getModValue():
mutant.affected_browsers = affected_browsers
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._has_no_bug(mutant):
args = (mutant,)
kwds = {"callback": self._analyze_result}
self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds)
self._join()
def audit(self, freq ):
'''
Tests an URL for global redirect vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug( 'globalRedirect plugin is testing: ' + freq.getURL() )
mutants = createMutants( freq , [self._test_site, ] )
for mutant in mutants:
if self._has_no_bug(mutant):
args = (mutant,)
kwds = {'callback': self._analyze_result,
'follow_redir': False }
self._run_async(meth=self._uri_opener.send_mutant, args=args,
kwds=kwds)
self._join()
def _fuzz_with_echo( self, freq ):
'''
Tests an URL for eval() usage vulnerabilities using echo strings.
@param freq: A fuzzableRequest
'''
oResponse = self._sendMutant( freq , analyze=False ).getBody()
print_strings = self._get_print_strings()
mutants = createMutants( freq , print_strings, oResponse=oResponse )
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug( 'eval' , 'eval', mutant.getURL() , mutant.getVar() ):
targs = (mutant,)
kwds = {'analyze_callback':self._analyze_echo}
self._tm.startFunction( target=self._sendMutant, args=targs, kwds=kwds, ownerObj=self )
def audit(self, freq):
'''
Tests an URL for blind SQL injection vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug('blindSqli plugin is testing: ' + freq.getURL())
#
# Setup blind SQL injection detector objects
#
self._bsqli_response_diff = blind_sqli_response_diff(self._uri_opener)
bsqli_resp_diff = self._bsqli_response_diff
bsqli_resp_diff.set_eq_limit(self._eq_limit)
self._blind_sqli_time_delay = blind_sqli_time_delay(self._uri_opener)
bsqli_time_delay = self._blind_sqli_time_delay
method_list = [bsqli_resp_diff, bsqli_time_delay]
#
# Use the objects to identify the vulnerabilities
#
fake_mutants = createMutants(freq, ['',])
for mutant in fake_mutants:
if self._has_sql_injection( mutant ):
#
# If sqli.py was enabled and already detected a vulnerability
# in this parameter, then it makes no sense to test it again
# and report a duplicate to the user
#
continue
for method in method_list:
found_vuln = method.is_injectable( mutant )
if found_vuln is not None and \
self._has_no_bug(freq, varname=found_vuln.getVar()):
om.out.vulnerability(found_vuln.getDesc())
kb.kb.append(self, 'blindSqli', found_vuln)
break
def _fuzz_with_echo(self, freq):
"""
Tests an URL for eval() usage vulnerabilities using echo strings.
@param freq: A fuzzableRequest
"""
oResponse = self._uri_opener.send_mutant(freq)
print_strings = [pstr % (self._rnd,) for pstr in self.PRINT_STRINGS]
mutants = createMutants(freq, print_strings, oResponse=oResponse)
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._has_no_bug(mutant):
args = (mutant,)
kwds = {"callback": self._analyze_echo}
self._run_async(meth=self._uri_opener.send_mutant, args=args, kwds=kwds)
self._join()
def audit(self, freq):
'''
Tests an URL for SQL injection vulnerabilities.
@param freq: A fuzzableRequest
'''
om.out.debug('SQLi plugin is testing: ' + freq.getURL())
oResponse = self._uri_opener.send_mutant(freq)
mutants = createMutants(freq, self.SQLI_STRINGS, oResponse=oResponse)
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._has_no_bug(mutant):
args = (mutant,)
kwds = {'callback': self._analyze_result }
self._run_async(meth=self._uri_opener.send_mutant, args=args,
kwds=kwds)
self._join()
def fastExploit( self ):
'''
Exploits a web app with [blind] sql injections vulns.
The options are configured using the plugin options and setOptions() method.
'''
om.out.debug( 'Starting sql_webshell fastExploit.' )
if any(
lambda attr: attr is None,
(self._url, self._method, self._data, self._injvar)
):
raise w3afException('You have to configure the plugin parameters')
else:
if self._method == 'POST':
freq = httpPostDataRequest(self._url)
elif self._method == 'GET':
freq = HTTPQSRequest(self._url)
else:
raise w3afException('Method not supported.')
freq.setDc(parse_qs(self._data))
bsql = blind_sqli_response_diff(self._uri_opener)
bsql.set_eq_limit(self._eq_limit)
fake_mutants = createMutants(freq, [''], fuzzableParamList=[self._injvar,])
for mutant in fake_mutants:
vuln_obj = bsql.is_injectable(mutant)
if vuln_obj is not None:
om.out.console('SQL injection verified, trying to create the DB driver.')
# Try to get a shell using all vuln
msg = 'Trying to exploit using vulnerability with id: ' + str(vuln_obj.getId())
msg += '. Please wait...'
om.out.console(msg)
shell_obj = self._generateShell(vuln_obj)
if shell_obj is not None:
kb.kb.append(self, 'shell', shell_obj)
return [shell_obj, ]
else:
raise w3afException('No exploitable vulnerabilities found.')
def audit(self, freq ):
'''
Find all kind of bugs without using a fixed database of errors.
@param freq: A fuzzableRequest
'''
om.out.debug( 'generic plugin is testing: ' + freq.getURL() )
# First, get the original response and create the mutants
oResponse = self._uri_opener.send_mutant(freq)
mutants = createMutants( freq , ['', ] , oResponse=oResponse )
for m in mutants:
# First I check that the current modified parameter in the mutant doesn't have
# an already reported vulnerability. I don't want to report vulnerabilities more
# than once.
if (m.getURL(), m.getVar()) in self._already_reported:
continue
# Now, we request the limit (something that doesn't exist)
# If http://localhost/a.php?b=1 ; then I should request b=12938795 (random number)
# If http://localhost/a.php?b=abc ; then I should request b=hnv98yks (random alnum)
limit_response = self._get_limit_response( m )
# Now I request something that could generate an error
# If http://localhost/a.php?b=1 ; then I should request b=d'kcz'gj'"**5*(((*)
# If http://localhost/a.php?b=abc ; then I should request b=d'kcz'gj'"**5*(((*)
#
# I also try to trigger errors by sending empty strings
# If http://localhost/a.php?b=1 ; then I should request b=
# If http://localhost/a.php?b=abc ; then I should request b=
for error_string in self._get_error_strings():
if self._has_no_bug(m):
m.setModValue( error_string )
error_response = self._uri_opener.send_mutant(m)
# Now I compare all responses
self._analyze_responses( oResponse, limit_response, error_response, m )
def audit(self, freq ):
'''
Tests an URL for unsafe usage of PHP's preg_replace.
@param freq: A fuzzableRequest
'''
om.out.debug( 'preg_replace plugin is testing: ' + freq.getURL() )
# First I check If I get the error message from php
oResponse = self._uri_opener.send_mutant(freq)
mutants = createMutants( freq , ['a' + ')/' * 100, ] , oResponse=oResponse )
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._has_no_bug(mutant):
args = (mutant,)
kwds = {'callback': self._analyze_result }
self._run_async(meth=self._uri_opener.send_mutant, args=args,
kwds=kwds)
self._join()
def _test_inclusion(self, freq):
'''
Checks a fuzzableRequest for remote file inclusion bugs.
@return: None
'''
oResponse = self._sendMutant(freq, analyze=False).getBody()
rfi_url_list = [self._rfi_url]
mutants = createMutants(freq, rfi_url_list, oResponse=oResponse)
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug('remoteFileInclude', 'remoteFileInclude',
mutant.getURL(), mutant.getVar()):
targs = (mutant,)
self._tm.startFunction(target=self._sendMutant, args=targs,
ownerObj=self)
def audit(self, freq):
"""
Tests an URL for buffer overflow vulnerabilities.
@param freq: A fuzzableRequest
"""
om.out.debug("bufferOverflow plugin is testing: " + freq.getURL())
str_list = self._get_string_list()
try:
oResponse = self._uri_opener.send_mutant(freq)
except:
msg = "Failed to perform the initial request during buffer"
msg += " overflow testing"
om.out.debug(msg)
else:
mutants = createMutants(freq, str_list, oResponse=oResponse)
for mutant in mutants:
self._run_async(meth=self._send_request, args=(mutant,))
self._join()
def _fuzz_with_time_delay( self, freq):
'''
Tests an URL for eval() usage vulnerabilities using time delays.
@param freq: A fuzzableRequest
'''
res = self._sendMutant( freq, analyze=False, grepResult=False )
self._original_wait_time = res.getWaitTime()
# Prepare the strings to create the mutants
wait_strings = self._get_wait_strings()
mutants = createMutants( freq, wait_strings )
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug( 'eval' , 'eval', mutant.getURL() , mutant.getVar() ):
targs = (mutant,)
kwds = {'analyze_callback':self._analyze_wait}
self._tm.startFunction( target=self._sendMutant, args=targs, kwds=kwds, ownerObj=self )
def audit(self, freq):
"""
Tests an URL for response splitting vulnerabilities.
@param freq: A fuzzableRequest
"""
om.out.debug("responseSplitting plugin is testing: " + freq.getURL())
rsList = self._get_header_inj()
mutants = createMutants(freq, rsList)
for mutant in mutants:
# Only spawn a thread if the mutant has a modified variable
# that has no reported bugs in the kb
if self._hasNoBug("responseSplitting", "responseSplitting", mutant.getURL(), mutant.getVar()):
targs = (mutant,)
self._tm.startFunction(target=self._sendMutant, args=targs, ownerObj=self)
self._tm.join(self)
