def test_from_template_534(self): fut = FileUploadTemplate() base_url = get_php_moth_http('/audit/file_upload/strange_extension_534/') options = fut.get_options() options['url'].set_value(base_url + 'uploader.534') options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000') options['file_vars'].set_value('uploadedfile') options['file_dest'].set_value(get_php_moth_http('/audit/file_upload/trivial/uploads/')) options['vulnerable_parameter'].set_value('uploadedfile') fut.set_options(options) fut.store_in_kb() vuln = self.kb.get(*fut.get_kb_location())[0] vuln_to_exploit_id = vuln.get_id() self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
def test_from_template_534(self): fut = FileUploadTemplate() base_url = get_php_moth_http('/audit/file_upload/strange_extension_534/') options = fut.get_options() options['url'].set_value(base_url + 'uploader.534') options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000') options['file_vars'].set_value('uploadedfile') options['file_dest'].set_value(get_php_moth_http('/audit/file_upload/trivial/uploads/')) options['vulnerable_parameter'].set_value('uploadedfile') fut.set_options(options) fut.store_in_kb() vuln = self.kb.get(*fut.get_kb_location())[0] vuln_to_exploit_id = vuln.get_id() self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
class PayloadTestHelperExec(PluginTest): target_rce = get_php_moth_http('/audit/rfi/rfi-rce.php') _run_configs = { 'cfg': { 'target': target_rce + '?file=section.php', 'plugins': { 'audit': (PluginConfig('rfi'),), } } } def _scan_wrapper(self): """ :return: Run the scan and return the vulnerability itself and the vuln_id. """ # Run the scan cfg = self._run_configs['cfg'] self._scan(cfg['target'], cfg['plugins']) # Assert the general results vulns = self.kb.get('rfi', 'rfi') self.assertEquals(1, len(vulns)) vuln = vulns[0] vuln_to_exploit_id = vuln.get_id() return vuln, vuln_to_exploit_id def _get_shell(self): vuln, vuln_to_exploit_id = self._scan_wrapper() plugin = self.w3afcore.plugins.get_plugin_inst('attack', 'rfi') self.assertTrue(plugin.can_exploit(vuln_to_exploit_id)) exploit_result = plugin.exploit(vuln_to_exploit_id) self.assertGreaterEqual(len(exploit_result), 1) shell = exploit_result[0] return shell def setUp(self): super(PayloadTestHelperExec, self).setUp() cf.cf.save('target_os', 'unix') self.shell = self._get_shell()
def test_find_in_file_upload_content(self): """ Find XSS in the content of an uploaded file https://github.com/andresriancho/w3af/issues/3149 """ self.scan_file_upload_fuzz_files() target_path = get_php_moth_http("/audit/file_upload/echo_content/") xss_vulns = self.kb.get("xss", "xss") kb_data = self.normalize_kb_data(xss_vulns) EXPECTED = [("txt_uploader.php", "txt_file", ["txt_file"])] expected_data = self.normalize_expected_data(target_path, EXPECTED) self.assertEquals(set(expected_data), set(kb_data))
class TestRFI(ExecExploitTest): target_url = get_php_moth_http('/audit/rfi/rfi-rce.php') unused_port = get_unused_port() _run_configs = { 'cfg': { 'target': target_url, 'plugins': { 'audit': (PluginConfig('rfi', ('use_w3af_site', False, PluginConfig.BOOL), ('listen_port', unused_port, PluginConfig.INT)),), } } } def test_found_exploit_rfi(self): cfg = self._run_configs['cfg'] self._scan(cfg['target'] + '?file=abc.txt', cfg['plugins']) # Assert the general results vulns = self.kb.get('rfi', 'rfi') self.assertEquals(1, len(vulns)) vuln = vulns[0] self.assertEquals(vuln.get_name(), 'Remote code execution') self.assertEquals(vuln.get_url().url_string, self.target_url) vuln_to_exploit_id = vuln.get_id() self._exploit_vuln(vuln_to_exploit_id, 'rfi') def test_from_template(self): rfit = RFITemplate() options = rfit.get_options() options['url'].set_value(self.target_url) options['data'].set_value('file=abc.txt') options['vulnerable_parameter'].set_value('file') rfit.set_options(options) rfit.store_in_kb() vuln = self.kb.get(*rfit.get_kb_location())[0] vuln_to_exploit_id = vuln.get_id() self._exploit_vuln(vuln_to_exploit_id, 'rfi')
def test_find_in_file_upload_content(self): """ Find XSS in the content of an uploaded file https://github.com/andresriancho/w3af/issues/3149 """ self.scan_file_upload_fuzz_files() target_path = get_php_moth_http('/audit/file_upload/echo_content/') xss_vulns = self.kb.get('xss', 'xss') kb_data = self.normalize_kb_data(xss_vulns) EXPECTED = [('txt_uploader.php', 'txt_file', ['txt_file']), ] expected_data = self.normalize_expected_data(target_path, EXPECTED) self.assertEquals( set(expected_data), set(kb_data), )
class TestFileUploadShell(ExecExploitTest): file_upload_url = get_php_moth_http('/audit/file_upload/trivial/') _run_configs = { 'cfg': { 'target': file_upload_url, 'plugins': { 'crawl': (PluginConfig('web_spider', ('only_forward', True, PluginConfig.BOOL)), ), 'audit': (PluginConfig('file_upload', ('extensions', 'gif,html,bmp,jpg,png,txt', PluginConfig.LIST)), ) }, } } def test_found_exploit_file_upload(self): # Run the scan cfg = self._run_configs['cfg'] self._scan(cfg['target'], cfg['plugins']) # Assert the general results vulns = self.kb.get('file_upload', 'file_upload') self.assertEquals(1, len(vulns)) vuln = vulns[0] self.assertEquals("Insecure file upload", vuln.get_name()) vuln_to_exploit_id = vuln.get_id() self._exploit_vuln(vuln_to_exploit_id, 'file_upload') def test_from_template(self): fut = FileUploadTemplate() base_url = get_php_moth_http('/audit/file_upload/trivial/') options = fut.get_options() options['url'].set_value(base_url + 'uploader.php') options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000') options['file_vars'].set_value('uploadedfile') options['file_dest'].set_value(base_url + '/uploads/') options['vulnerable_parameter'].set_value('uploadedfile') fut.set_options(options) fut.store_in_kb() vuln = self.kb.get(*fut.get_kb_location())[0] vuln_to_exploit_id = vuln.get_id() self._exploit_vuln(vuln_to_exploit_id, 'file_upload') def test_from_template_534(self): fut = FileUploadTemplate() base_url = get_php_moth_http( '/audit/file_upload/strange_extension_534/') options = fut.get_options() options['url'].set_value(base_url + 'uploader.534') options['data'].set_value('uploadedfile=&MAX_FILE_SIZE=10000000') options['file_vars'].set_value('uploadedfile') options['file_dest'].set_value( get_php_moth_http('/audit/file_upload/trivial/uploads/')) options['vulnerable_parameter'].set_value('uploadedfile') fut.set_options(options) fut.store_in_kb() vuln = self.kb.get(*fut.get_kb_location())[0] vuln_to_exploit_id = vuln.get_id() self._exploit_vuln(vuln_to_exploit_id, 'file_upload')
class TestRFI(PluginTest): target_rce = get_php_moth_http('/audit/rfi/rfi-rce.php') target_read = get_php_moth_http('/audit/rfi/rfi-read.php') _run_configs = { 'remote_rce': { 'target': target_rce + '?file=abc.txt', 'plugins': { 'audit': (PluginConfig('rfi'), ), } }, 'local_rce': { 'target': target_rce + '?file=abc.txt', 'plugins': { 'audit': (PluginConfig( 'rfi', ('use_w3af_site', False, PluginConfig.BOOL), ), ), } }, 'local_read': { 'target': target_read + '?file=abc.txt', 'plugins': { 'audit': (PluginConfig( 'rfi', ('use_w3af_site', False, PluginConfig.BOOL), ), ), } }, 'remote_read': { 'target': target_read + '?file=abc.txt', 'plugins': { 'audit': (PluginConfig( 'rfi', ('use_w3af_site', False, PluginConfig.BOOL), ), ), } } } def test_found_rfi_with_w3af_site(self): cfg = self._run_configs['remote_rce'] self._scan(cfg['target'], cfg['plugins']) # Assert the general results vulns = self.kb.get('rfi', 'rfi') self.assertEquals(len(vulns), 1) vuln = vulns[0] self.assertEquals("Remote code execution", vuln.get_name()) self.assertEquals(self.target_rce, vuln.get_url().url_string) @attr('smoke') def test_found_rfi_with_local_server_rce(self): cfg = self._run_configs['local_rce'] self._scan(cfg['target'], cfg['plugins']) # Assert the general results vulns = self.kb.get('rfi', 'rfi') self.assertEquals(len(vulns), 1) vuln = vulns[0] self.assertEquals("Remote code execution", vuln.get_name()) self.assertEquals(self.target_rce, vuln.get_url().url_string) def test_found_rfi_with_local_server_read(self): cfg = self._run_configs['local_read'] self._scan(cfg['target'], cfg['plugins']) # Assert the general results vulns = self.kb.get('rfi', 'rfi') self.assertEquals(len(vulns), 1) vuln = vulns[0] self.assertEquals("Remote file inclusion", vuln.get_name()) self.assertEquals(self.target_read, vuln.get_url().url_string) def test_found_rfi_with_remote_server_read(self): cfg = self._run_configs['remote_read'] self._scan(cfg['target'], cfg['plugins']) # Assert the general results vulns = self.kb.get('rfi', 'rfi') self.assertEquals(len(vulns), 1) vuln = vulns[0] self.assertEquals("Remote file inclusion", vuln.get_name()) self.assertEquals(self.target_read, vuln.get_url().url_string) def test_custom_web_server(self): RFIWebHandler.RESPONSE_BODY = '<? echo "hello world"; ?>' ws = w3afHTTPServer(('127.0.0.1', 0), '.', RFIWebHandler) ws.wait_for_start() port = ws.get_port() server_thread = threading.Thread(target=ws.serve_forever) server_thread.name = 'WebServer' server_thread.daemon = True server_thread.start() foobar_url = 'http://localhost:%s/foobar' % port spameggs_url = 'http://localhost:%s/spameggs' % port response_foobar = urllib2.urlopen(foobar_url).read() response_spameggs = urllib2.urlopen(spameggs_url).read() self.assertEqual(response_foobar, response_spameggs) self.assertEqual(response_foobar, RFIWebHandler.RESPONSE_BODY)
def scan_file_upload_fuzz_files(self): cfg = self._run_configs['cfg'] target_path = get_php_moth_http('/audit/file_upload/echo_content/') self._scan(target_path, cfg['plugins'])
def scan_file_upload_fuzz_files(self): cfg = self._run_configs['cfg'] target_path = get_php_moth_http('/audit/file_upload/echo_content/') self._scan(target_path, cfg['plugins'])
def scan_file_upload_fuzz_files(self): cfg = self._run_configs["cfg"] target_path = get_php_moth_http("/audit/file_upload/echo_content/") self._scan(target_path, cfg["plugins"])