def GET2POST(self, vuln):
"""
This method changes a vulnerability mutant, so all the data that was
sent in the query string, is now sent in the postData; of course, the
HTTP method is also changed from GET to POST.
"""
vuln_copy = copy.deepcopy(vuln)
mutant = vuln_copy.get_mutant()
# Sometimes there is no mutant (php_sca).
if mutant is None:
return vuln_copy
if mutant.get_method() == 'POST':
# No need to work !
return vuln_copy
else:
# Need to create a new PostDataMutant, to be able to easily change
# the values which we want to send in the HTTP post-data
fre = FuzzableRequest(mutant.get_url(),
headers=mutant.get_headers(),
method='POST',
cookie=mutant.get_cookie(),
post_data=mutant.get_uri().querystring)
pdm = PostDataMutant(fre)
vuln_copy.set_mutant(pdm)
return vuln_copy
def create_vuln(self):
v = super(FileUploadTemplate, self).create_vuln()
form_params = FormParameters()
for file_var in self.file_vars:
form_params.add_file_input([("name", file_var), ("type", "file")])
for token in self.data.iter_tokens():
if token.get_name() in self.file_vars:
continue
form_params.add_input([("name", token.get_name()),
("type", "text"),
("value", token.get_value())])
mpc = MultipartContainer(form_params)
freq = FuzzableRequest(self.url, method=self.method, post_data=mpc)
mutant = PostDataMutant(freq)
mutant.set_dc(mpc)
mutant.set_token((self.vulnerable_parameter, 0))
# User configured settings
v['file_vars'] = self.file_vars
v['file_dest'] = self.file_dest
v.set_mutant(mutant)
return v
def test_found_at(self):
form = Form()
form.add_input([("name", "username"), ("value", "")])
form.add_input([("name", "address"), ("value", "")])
freq = HTTPPostDataRequest(URL('http://www.w3af.com/?id=3'),
dc=form,
method='PUT')
m = PostDataMutant(freq)
m.set_var('username')
expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\
'The sent post-data was: "username=&address=" '\
'which modifies the "username" parameter.'
self.assertEqual(m.found_at(), expected)
def test_found_at(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"), ("value", "")])
form_params.add_field_by_attr_items([("name", "address"), ("value", "")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/?id=3'), post_data=form,
method='PUT')
m = PostDataMutant(freq)
m.get_dc().set_token(('username', 0))
expected = '"http://www.w3af.com/?id=3", using HTTP method PUT. '\
'The sent post-data was: "username=&address=" '\
'which modifies the "username" parameter.'
self.assertEqual(m.found_at(), expected)
def test_should_inject_form_hidden(self):
form_params = FormParameters()
form_params.add_field_by_attr_items([("name", "username"),
("type", "text")])
form_params.add_field_by_attr_items([("name", "csrf_token"),
("type", "hidden")])
form = URLEncodedForm(form_params)
freq = FuzzableRequest(URL('http://www.w3af.com/'),
post_data=form,
method='PUT')
m = PostDataMutant(freq)
m.get_dc().set_token(('username', 0))
self.assertFalse(self.plugin._should_inject(m, 'python'))
m.get_dc().set_token(('csrf_token', 0))
self.assertTrue(self.plugin._should_inject(m, 'python'))
def form_pointer_factory(freq):
if isinstance(freq.get_uri().querystring, Form):
return QSMutant(freq)
return PostDataMutant(freq)
