Пример #1
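 def test_delay_controlled_random(self):
     """
     Run ExactDelayController against mocked, randomised response delays.

     Each TEST_SUITE entry is an (expected_result, delays) pair. A Mock
     stands in for the URI opener; its send_mutant uses
     generate_delays(delays, rand_range=(0, 2)) as side effect
     (presumably adding random variation to each delay -- confirm in
     generate_delays).

     Unlike test_delay_controlled, a False outcome is accepted where True
     is expected: the controller may miss a real delay (false negative),
     but it must never report control where none is expected (false
     positive).
     """
     for expected_result, delays in self.TEST_SUITE:
         mock_uri_opener = Mock()
         side_effect = generate_delays(delays, rand_range=(0, 2))
         mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
         delay_obj = ExactDelay('sleep(%s)')

         url = URL('http://moth/?id=1')
         req = FuzzableRequest(url)
         mutant = QSMutant(req)
         mutant.set_dc(url.querystring)
         mutant.set_var('id', 0)

         ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
         controlled, _responses = ed.delay_is_controlled()

         # The accepted outcomes get their own name so the loop variable
         # is not rebound. `delays` is the assertion message, so a failing
         # case identifies itself without any extra output.
         if expected_result == True:
             acceptable = [True, False]
         else:
             acceptable = [False]

         self.assertIn(controlled, acceptable, delays)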
Пример #2
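    def test_kb_list_shells_rfi_port_scan_2181(self):
        """
        Check that a PortScanShell stored in the kb is returned intact.

        The shell read back with kb.get_all_shells(w3af_core=...) must
        compare equal to the stored one, and its _uri_opener and worker_pool
        must be the very objects owned by the w3afCore passed in.

        :see: https://github.com/andresriancho/w3af/issues/2181
        """
        w3af_core = w3afCore()

        # Shut the core down even when an assertion fails, so a failing run
        # does not leave it active for the tests that follow.
        try:
            vuln = MockVuln()
            url = URL('http://moth/?a=1')
            freq = FuzzableRequest(url)
            exploit_mutant = QSMutant.create_mutants(freq, [''], [], False,
                                                     {})[0]

            shell = PortScanShell(vuln, w3af_core.uri_opener,
                                  w3af_core.worker_pool, exploit_mutant)
            kb.append('a', 'b', shell)

            shells = kb.get_all_shells(w3af_core=w3af_core)
            self.assertEqual(len(shells), 1)
            # NOTE(review): the name suggests the kb stores shells pickled;
            # confirm in kb.get_all_shells.
            unpickled_shell = shells[0]

            self.assertEqual(shell, unpickled_shell)
            # Identity, not equality: the opener and the worker pool have to
            # be the live objects of this core, not copies.
            self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener)
            self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool)
            self.assertEqual(unpickled_shell._exploit_mutant, exploit_mutant)
        finally:
            w3af_core.quit()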
Пример #3
    def test_mutant_creation_repeated_parameter_names(self):
        """
        Verify mutant creation when the query string repeats a parameter.

        With ``id=1&id=2`` every occurrence of ``id`` must get its own
        mutants, and each mutant must report which occurrence it replaced
        (get_var_index) and the value that was there (get_original_value).
        """
        self.url = URL('http://moth/?id=1&id=2')
        request = HTTPQSRequest(self.url)

        mutants = QSMutant.create_mutants(request, self.payloads, [],
                                          False, self.fuzzer_config)

        # Expected order: all payloads for the first occurrence, then all
        # payloads for the second one.
        expected = [DataContainer([('id', values)]) for values in (
            ['abc', '2'], ['def', '2'], ['1', 'abc'], ['1', 'def'])]
        produced = [m.get_dc() for m in mutants]

        self.assertEqual(produced, expected)

        # (mutant position, expected var index, expected original value)
        for position, var_index, original in ((0, 0, '1'), (2, 1, '2')):
            checked = mutants[position]
            self.assertEqual(checked.get_var(), 'id')
            self.assertEqual(checked.get_var_index(), var_index)
            self.assertEqual(checked.get_original_value(), original)

        self.assertTrue(all(isinstance(m, QSMutant) for m in mutants))
Пример #4
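    def test_kb_list_shells_rfi_port_scan_2181(self):
        """
        Check that a PortScanShell stored in the kb is returned intact.

        The shell read back with kb.get_all_shells(w3af_core=...) must
        compare equal to the stored one, and its _uri_opener and worker_pool
        must be the very objects owned by the w3afCore passed in.

        :see: https://github.com/andresriancho/w3af/issues/2181
        """
        w3af_core = w3afCore()

        # Shut the core down even when an assertion fails, so a failing run
        # does not leave it active for the tests that follow.
        try:
            vuln = MockVuln()
            url = URL('http://moth/?a=1')
            freq = FuzzableRequest(url)
            exploit_mutant = QSMutant.create_mutants(freq, [''], [], False,
                                                     {})[0]

            shell = PortScanShell(vuln, w3af_core.uri_opener,
                                  w3af_core.worker_pool, exploit_mutant)
            kb.append('a', 'b', shell)

            shells = kb.get_all_shells(w3af_core=w3af_core)
            self.assertEqual(len(shells), 1)
            # NOTE(review): the name suggests the kb stores shells pickled;
            # confirm in kb.get_all_shells.
            unpickled_shell = shells[0]

            self.assertEqual(shell, unpickled_shell)
            # Identity, not equality: the opener and the worker pool have to
            # be the live objects of this core, not copies.
            self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener)
            self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool)
            self.assertEqual(unpickled_shell._exploit_mutant, exploit_mutant)
        finally:
            w3af_core.quit()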
Пример #5
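    def test_mutant_creation_repeated_parameter_names(self):
        """
        Verify mutant creation when the query string repeats a parameter.

        With ``id=1&id=2`` each occurrence of ``id`` must be fuzzed on its
        own: the serialised data containers show one occurrence replaced at
        a time, and each mutant's token carries the parameter name, the
        original value and the injected payload.
        """
        self.url = URL('http://moth/?id=1&id=2')
        freq = FuzzableRequest(self.url)

        created_mutants = QSMutant.create_mutants(freq, self.payloads, [],
                                                  False, self.fuzzer_config)

        # Expected order: every occurrence for the first payload, then
        # every occurrence for the second one.
        expected_dcs = [
            'id=abc&id=2', 'id=1&id=abc', 'id=def&id=2', 'id=1&id=def'
        ]

        created_dcs = [str(i.get_dc()) for i in created_mutants]

        # assertEqual instead of the deprecated assertEquals alias, in line
        # with the other assertions in this method.
        self.assertEqual(expected_dcs, created_dcs)

        token_0 = created_mutants[0].get_token()
        self.assertIsInstance(token_0, DataToken)
        self.assertEqual(token_0.get_name(), 'id')
        self.assertEqual(token_0.get_original_value(), '1')
        self.assertEqual(token_0.get_value(), 'abc')

        token_1 = created_mutants[1].get_token()
        self.assertIsInstance(token_1, DataToken)
        self.assertEqual(token_1.get_name(), 'id')
        self.assertEqual(token_1.get_original_value(), '2')
        self.assertEqual(token_1.get_value(), 'abc')

        self.assertTrue(all(isinstance(m, QSMutant) for m in created_mutants))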
Пример #6
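    def test_mutant_creation_repeated_parameter_names(self):
        """
        Verify mutant creation when the query string repeats a parameter.

        With ``id=1&id=2`` each occurrence of ``id`` must be fuzzed on its
        own: the serialised data containers show one occurrence replaced at
        a time, and each mutant's token carries the parameter name, the
        original value and the injected payload.
        """
        self.url = URL('http://moth/?id=1&id=2')
        freq = FuzzableRequest(self.url)

        created_mutants = QSMutant.create_mutants(freq, self.payloads, [],
                                                  False, self.fuzzer_config)

        # Expected order: every occurrence for the first payload, then
        # every occurrence for the second one.
        expected_dcs = ['id=abc&id=2', 'id=1&id=abc',
                        'id=def&id=2', 'id=1&id=def']

        created_dcs = [str(i.get_dc()) for i in created_mutants]

        # assertEqual instead of the deprecated assertEquals alias, in line
        # with the other assertions in this method.
        self.assertEqual(expected_dcs, created_dcs)

        token_0 = created_mutants[0].get_token()
        self.assertIsInstance(token_0, DataToken)
        self.assertEqual(token_0.get_name(), 'id')
        self.assertEqual(token_0.get_original_value(), '1')
        self.assertEqual(token_0.get_value(), 'abc')

        token_1 = created_mutants[1].get_token()
        self.assertIsInstance(token_1, DataToken)
        self.assertEqual(token_1.get_name(), 'id')
        self.assertEqual(token_1.get_original_value(), '2')
        self.assertEqual(token_1.get_value(), 'abc')

        self.assertTrue(all(isinstance(m, QSMutant) for m in created_mutants))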
Пример #7
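    def test_mutant_creation(self):
        """
        Verify mutant creation for a query string with two parameters.

        For ``a=1&b=2`` and the payloads in self.payloads, one mutant per
        (payload, parameter) pair is expected, with exactly one parameter
        replaced in each. The token of a mutant must report the parameter
        name, its original value and the injected payload.
        """
        self.url = URL("http://moth/?a=1&b=2")
        freq = FuzzableRequest(self.url)

        created_mutants = QSMutant.create_mutants(freq, self.payloads, [], False, self.fuzzer_config)

        expected_dcs = ["a=abc&b=2", "a=1&b=abc", "a=def&b=2", "a=1&b=def"]

        created_dcs = [str(i.get_dc()) for i in created_mutants]

        # assertEqual instead of the deprecated assertEquals alias, in line
        # with the other assertions in this method.
        self.assertEqual(expected_dcs, created_dcs)

        token_0 = created_mutants[0].get_token()
        self.assertIsInstance(token_0, DataToken)
        self.assertEqual(token_0.get_name(), "a")
        self.assertEqual(token_0.get_original_value(), "1")
        self.assertEqual(token_0.get_value(), "abc")

        token_2 = created_mutants[1].get_token()
        # Type-check the token read from the second mutant; checking token_0
        # here again would leave token_2's type unverified.
        self.assertIsInstance(token_2, DataToken)
        self.assertEqual(token_2.get_name(), "b")
        self.assertEqual(token_2.get_original_value(), "2")
        self.assertEqual(token_2.get_value(), "abc")

        self.assertTrue(all(isinstance(m, QSMutant) for m in created_mutants))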
Пример #8
    def test_mutant_creation_repeated_parameter_names(self):
        """
        Verify mutant creation when the query string repeats a parameter.

        With ``id=1&id=2`` every occurrence of ``id`` must get its own
        mutants, and each mutant must report which occurrence it replaced
        (get_var_index) and the value that was there (get_original_value).
        """
        self.url = URL('http://moth/?id=1&id=2')
        request = HTTPQSRequest(self.url)

        mutants = QSMutant.create_mutants(request, self.payloads, [],
                                          False, self.fuzzer_config)

        # Expected order: all payloads for the first occurrence, then all
        # payloads for the second one.
        expected = [DataContainer([('id', values)]) for values in (
            ['abc', '2'], ['def', '2'], ['1', 'abc'], ['1', 'def'])]
        produced = [m.get_dc() for m in mutants]

        self.assertEqual(produced, expected)

        # (mutant position, expected var index, expected original value)
        for position, var_index, original in ((0, 0, '1'), (2, 1, '2')):
            checked = mutants[position]
            self.assertEqual(checked.get_var(), 'id')
            self.assertEqual(checked.get_var_index(), var_index)
            self.assertEqual(checked.get_original_value(), original)

        self.assertTrue(all(isinstance(m, QSMutant) for m in mutants))
Пример #9
    def test_should_not_inject_qs_with_digit(self):
        """
        A plain digit in the query string must not be picked for injection.

        Builds the first mutant for ``id=1`` and expects the plugin's
        _should_inject() to return a false value for 'python'.
        """
        self.url = URL('http://moth/?id=1')
        request = FuzzableRequest(self.url)

        all_mutants = QSMutant.create_mutants(request, self.payloads, [],
                                              False, self.fuzzer_config)
        first_mutant = all_mutants[0]

        verdict = self.plugin._should_inject(first_mutant, 'python')
        self.assertFalse(verdict)
Пример #10
    def test_should_not_inject_random_binary(self):
        """
        Arbitrary binary bytes in the query string must not be picked.

        The parameter value is three raw control bytes; _should_inject()
        is expected to return a false value for 'java'.
        """
        raw_value = '\x00\x01\x02'
        self.url = URL('http://moth/?id=%s' % raw_value)
        request = FuzzableRequest(self.url)

        all_mutants = QSMutant.create_mutants(request, self.payloads, [],
                                              False, self.fuzzer_config)
        first_mutant = all_mutants[0]

        verdict = self.plugin._should_inject(first_mutant, 'java')
        self.assertFalse(verdict)
Пример #11
    def test_should_not_inject_qs_with_b64(self):
        """
        Base64 of ordinary text must not be picked for injection.

        The value decodes to plain text, not to a serialised object, so
        _should_inject() is expected to return a false value for 'python'.
        """
        encoded_text = base64.b64encode('just some random b64 data here')
        self.url = URL('http://moth/?id=%s' % encoded_text)
        request = FuzzableRequest(self.url)

        all_mutants = QSMutant.create_mutants(request, self.payloads, [],
                                              False, self.fuzzer_config)
        first_mutant = all_mutants[0]

        verdict = self.plugin._should_inject(first_mutant, 'python')
        self.assertFalse(verdict)
Пример #12
    def test_delay_controlled(self):
        """
        Run AproxDelayController against the mocked delays in TEST_SUITE.

        Each entry is an (expected_result, delays) pair. A Mock stands in
        for the URI opener and its send_mutant takes generate_delays(delays)
        as side effect. The controller's verdict must equal
        expected_result; `delays` is the message shown on failure.
        """
        for expected_result, delays in self.TEST_SUITE:
            opener = Mock()
            opener.send_mutant = MagicMock(side_effect=generate_delays(delays))
            aprox_delay = AproxDelay('%s9!', '1', 10)

            target = URL('http://moth/?id=1')
            qs_mutant = QSMutant(FuzzableRequest(target))
            qs_mutant.set_dc(target.querystring)
            qs_mutant.set_token(('id', 0))

            controller = AproxDelayController(qs_mutant, aprox_delay, opener)
            # Only the boolean verdict is checked; the responses are unused.
            controlled, _responses = controller.delay_is_controlled()
            self.assertEqual(expected_result, controlled, delays)
    def test_delay_controlled(self):
        """
        Run ExactDelayController against the mocked delays in TEST_SUITE.

        Each entry is an (expected_result, delays) pair. An ExtendedUrllib
        instance is created and its send_mutant is replaced by a MagicMock
        driven by generate_delays(delays). The controller's verdict must
        equal expected_result; `delays` is the message shown on failure.
        """
        for expected_result, delays in self.TEST_SUITE:
            uri_opener = ExtendedUrllib()
            uri_opener.send_mutant = MagicMock(
                side_effect=generate_delays(delays))

            exact_delay = ExactDelay('sleep(%s)')

            target = URL('http://moth/?id=1')
            qs_mutant = QSMutant(FuzzableRequest(target))
            qs_mutant.set_dc(target.querystring)
            qs_mutant.set_token(('id', 0))

            controller = ExactDelayController(qs_mutant, exact_delay,
                                              uri_opener)
            # Only the boolean verdict is checked; the responses are unused.
            controlled, _responses = controller.delay_is_controlled()
            self.assertEqual(expected_result, controlled, delays)
Пример #14
    def test_should_not_inject_qs_with_b64_pickle_java(self):
        """
        A base64-encoded Python pickle must not be picked for 'java'.

        The value is a serialised object, but in the pickle format, so
        _should_inject() is expected to return a false value when asked
        about 'java'.
        """
        encoded_pickle = base64.b64encode(cPickle.dumps(1))
        self.url = URL('http://moth/?id=%s' % encoded_pickle)
        request = FuzzableRequest(self.url)

        all_mutants = QSMutant.create_mutants(request, self.payloads, [],
                                              False, self.fuzzer_config)
        first_mutant = all_mutants[0]

        verdict = self.plugin._should_inject(first_mutant, 'java')
        self.assertFalse(verdict)
Пример #15
    def test_should_inject_qs_with_pickle(self):
        """
        A raw Python pickle in the query string must be picked for 'python'.

        The parameter value is the output of cPickle.dumps(1), placed in
        the URL without further encoding; _should_inject() is expected to
        return a true value.
        """
        raw_pickle = cPickle.dumps(1)
        self.url = URL('http://moth/?id=%s' % raw_pickle)
        request = FuzzableRequest(self.url)

        all_mutants = QSMutant.create_mutants(request, self.payloads, [],
                                              False, self.fuzzer_config)
        first_mutant = all_mutants[0]

        verdict = self.plugin._should_inject(first_mutant, 'python')
        self.assertTrue(verdict)
Пример #16
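    def test_delay_controlled_random(self):
        """
        Run ExactDelayController against mocked, randomised response delays.

        Each TEST_SUITE entry is an (expected_result, delays) pair. A Mock
        stands in for the URI opener; its send_mutant uses
        generate_delays(delays, rand_range=(0, 2)) as side effect
        (presumably adding random variation to each delay -- confirm in
        generate_delays).

        Unlike test_delay_controlled, a False outcome is accepted where True
        is expected: the controller may miss a real delay (false negative),
        but it must never report control where none is expected (false
        positive).
        """
        for expected_result, delays in self.TEST_SUITE:
            mock_uri_opener = Mock()
            side_effect = generate_delays(delays, rand_range=(0, 2))
            mock_uri_opener.send_mutant = MagicMock(side_effect=side_effect)
            delay_obj = ExactDelay('sleep(%s)')

            url = URL('http://moth/?id=1')
            req = FuzzableRequest(url)
            mutant = QSMutant(req)
            mutant.set_dc(url.querystring)
            mutant.set_var('id', 0)

            ed = ExactDelayController(mutant, delay_obj, mock_uri_opener)
            controlled, _responses = ed.delay_is_controlled()

            # The accepted outcomes get their own name so the loop variable
            # is not rebound. `delays` is the assertion message, so a
            # failing case identifies itself without any extra output.
            if expected_result == True:
                acceptable = [True, False]
            else:
                acceptable = [False]

            self.assertIn(controlled, acceptable, delays)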
Пример #17
    def test_should_inject_qs_with_b64_pickle(self):
        """
        A base64-encoded Python pickle must be picked for 'python'.

        The parameter value is a pickled dict wrapped in base64;
        _should_inject() is expected to return a true value.
        """
        pickled_dict = cPickle.dumps({'data': 'here', 'cookie': 'A' * 16})
        encoded_pickle = base64.b64encode(pickled_dict)
        self.url = URL('http://moth/?id=%s' % encoded_pickle)
        request = FuzzableRequest(self.url)

        all_mutants = QSMutant.create_mutants(request, self.payloads, [],
                                              False, self.fuzzer_config)
        first_mutant = all_mutants[0]

        verdict = self.plugin._should_inject(first_mutant, 'python')
        self.assertTrue(verdict)
Пример #18
    def _generate_qs(self, fuzzable_request):
        """
        Create mutants for every token of the URL query string.

        The value of each token is passed to self._search_wn() and the
        result is used as the payload list for QSMutant.create_mutants(),
        with the token's name as the only parameter name given.

        :param fuzzable_request: The request whose URI query string is read.
        :return: A generator that yields the created mutants one by one.
        """
        uri = fuzzable_request.get_uri()

        for qs_token in uri.querystring.iter_tokens():
            payloads = self._search_wn(qs_token.get_value())
            fuzzable_params = [qs_token.get_name()]

            token_mutants = QSMutant.create_mutants(
                fuzzable_request, payloads, fuzzable_params, False, {})

            for token_mutant in token_mutants:
                yield token_mutant
Пример #19
    def _generate_qs(self, fuzzable_request):
        """
        Create mutants for every token of the URL query string.

        The value of each token is passed to self._search_wn() and the
        result is used as the payload list for QSMutant.create_mutants(),
        with the token's name as the only parameter name given.

        :param fuzzable_request: The request whose URI query string is read.
        :return: A generator that yields the created mutants one by one.
        """
        uri = fuzzable_request.get_uri()

        for qs_token in uri.querystring.iter_tokens():
            payloads = self._search_wn(qs_token.get_value())
            fuzzable_params = [qs_token.get_name()]

            token_mutants = QSMutant.create_mutants(
                fuzzable_request, payloads, fuzzable_params, False, {})

            for token_mutant in token_mutants:
                yield token_mutant
    def _generate_qs(self, fuzzable_request):
        """
        Create mutants for every value found in the URL query string.

        Each value of each parameter is passed to self._search_wn() and the
        result is used as the payload list for QSMutant.create_mutants().

        :param fuzzable_request: The request whose URI query string is read.
        :return: A generator that yields the created mutants one by one.
        """
        query_string = fuzzable_request.get_uri().querystring

        for parameter_name in query_string:
            # A parameter name may appear more than once in the query string,
            # so every value stored under the name is visited by index.
            for element_index in xrange(len(query_string[parameter_name])):

                orig_content = query_string[parameter_name][element_index]
                wordnet_result = self._search_wn(orig_content)

                # NOTE(review): element_index only selects the original value;
                # create_mutants() receives the parameter name alone, so
                # whether the mutants are limited to this occurrence depends
                # on create_mutants -- confirm.
                mutants = QSMutant.create_mutants(fuzzable_request, wordnet_result, [parameter_name], False, {})

                for mutant in mutants:
                    yield mutant
Пример #21
    def test_from_mutant(self):
        """
        Info.from_mutant() must copy the request data of the mutant.

        The Info built from the first mutant of ``a=1&b=2`` has to return
        the same URI, URL, method and data container as the mutant, and the
        data container has to be a QueryString.
        """
        target = URL("http://moth/?a=1&b=2")
        payloads = ["abc", "def"]
        request = FuzzableRequest(target)

        mutant = QSMutant.create_mutants(request, payloads, [], False, {})[0]

        inst = Info.from_mutant("TestCase", "desc" * 30, 1, "plugin_name", mutant)

        self.assertIsInstance(inst, Info)

        # Each getter must return the same value on both objects.
        for getter in ("get_uri", "get_url", "get_method", "get_dc"):
            self.assertEqual(getattr(inst, getter)(), getattr(mutant, getter)())

        self.assertIsInstance(inst.get_dc(), QueryString)
Пример #22
    def _generate_qs(self, fuzzable_request):
        """
        Create mutants for every value found in the URL query string.

        Each value of each parameter is passed to self._search_wn() and the
        result is used as the payload list for QSMutant.create_mutants().

        :param fuzzable_request: The request whose URI query string is read.
        :return: A generator that yields the created mutants one by one.
        """
        query_string = fuzzable_request.get_uri().querystring

        for parameter_name in query_string:
            # A parameter name may appear more than once in the query string,
            # so every value stored under the name is visited by index.
            for element_index in xrange(len(query_string[parameter_name])):

                orig_content = query_string[parameter_name][element_index]
                wordnet_result = self._search_wn(orig_content)

                # NOTE(review): element_index only selects the original value;
                # create_mutants() receives the parameter name alone, so
                # whether the mutants are limited to this occurrence depends
                # on create_mutants -- confirm.
                mutants = QSMutant.create_mutants(fuzzable_request,
                                                  wordnet_result, [
                                                      parameter_name,
                                                  ], False, {})

                for mutant in mutants:
                    yield mutant
Пример #23
    def test_delay_controlled(self):
        """
        Run AproxDelayController against the mocked delays in TEST_SUITE.

        Each entry is an (expected_result, delays) pair. A Mock stands in
        for the URI opener and its send_mutant takes generate_delays(delays)
        as side effect. The controller's verdict must equal
        expected_result; `delays` is the message shown on failure.
        """
        for expected_result, delays in self.TEST_SUITE:
            opener = Mock()
            opener.send_mutant = MagicMock(side_effect=generate_delays(delays))
            aprox_delay = AproxDelay('%s9!', '1', 10)

            target = URL('http://moth/?id=1')
            qs_mutant = QSMutant(FuzzableRequest(target))
            qs_mutant.set_dc(target.querystring)
            qs_mutant.set_token(('id', 0))

            controller = AproxDelayController(qs_mutant, aprox_delay, opener)
            # Only the boolean verdict is checked; the responses are unused.
            controlled, _responses = controller.delay_is_controlled()
            self.assertEqual(expected_result, controlled, delays)
Пример #24
    def test_from_mutant(self):
        """
        Info.from_mutant() must copy the request data of the mutant.

        The Info built from the first mutant of ``a=1&b=2`` has to return
        the same URI, URL, method and data container as the mutant, and the
        data container has to be a QueryString.
        """
        target = URL('http://moth/?a=1&b=2')
        payloads = ['abc', 'def']
        request = FuzzableRequest(target)

        mutant = QSMutant.create_mutants(request, payloads, [], False, {})[0]

        inst = Info.from_mutant('TestCase', 'desc' * 30, 1, 'plugin_name',
                                mutant)

        self.assertIsInstance(inst, Info)

        # Each getter must return the same value on both objects.
        for getter in ('get_uri', 'get_url', 'get_method', 'get_dc'):
            self.assertEqual(getattr(inst, getter)(),
                             getattr(mutant, getter)())

        self.assertIsInstance(inst.get_dc(), QueryString)
Пример #25
    def test_from_mutant(self):
        """
        Vuln.from_mutant() must copy the request data of the mutant.

        The Vuln built from the first mutant of ``a=1&b=2`` has to return
        the same URI, URL, method and data container as the mutant, and its
        token name has to match the name of the mutant's token.
        """
        target = URL('http://moth/?a=1&b=2')
        payloads = ['abc', 'def']
        request = FuzzableRequest(target)

        mutant = QSMutant.create_mutants(request, payloads, [], False, {})[0]

        inst = Vuln.from_mutant('TestCase', 'desc' * 30, 'High', 1,
                                'plugin_name', mutant)

        self.assertIsInstance(inst, Vuln)

        # Each getter must return the same value on both objects.
        for getter in ('get_uri', 'get_url', 'get_method', 'get_dc'):
            self.assertEqual(getattr(inst, getter)(),
                             getattr(mutant, getter)())

        # The finding has to name the parameter that was fuzzed.
        fuzzed_name = mutant.get_token().get_name()
        self.assertEqual(inst.get_token_name(), fuzzed_name)
Пример #26
    def test_delay_controlled(self):
        """
        Run ExactDelayController against the mocked delays in TEST_SUITE.

        Each entry is an (expected_result, delays) pair. An ExtendedUrllib
        instance is created and its send_mutant is replaced by a MagicMock
        driven by generate_delays(delays). The controller's verdict must
        equal expected_result; `delays` is the message shown on failure.
        """
        for expected_result, delays in self.TEST_SUITE:
            uri_opener = ExtendedUrllib()
            uri_opener.send_mutant = MagicMock(
                side_effect=generate_delays(delays))

            exact_delay = ExactDelay('sleep(%s)')

            target = URL('http://moth/?id=1')
            qs_mutant = QSMutant(FuzzableRequest(target))
            qs_mutant.set_dc(target.querystring)
            qs_mutant.set_token(('id', 0))

            controller = ExactDelayController(qs_mutant, exact_delay,
                                              uri_opener)
            # Only the boolean verdict is checked; the responses are unused.
            controlled, _responses = controller.delay_is_controlled()
            self.assertEqual(expected_result, controlled, delays)
Пример #27
def form_pointer_factory(freq):
    """
    Wrap *freq* in the mutant class that matches where its form data is.

    :param freq: The fuzzable request to wrap.
    :return: A QSMutant when the URI's query string is a Form instance,
             otherwise a PostDataMutant.
    """
    query_string = freq.get_uri().querystring
    mutant_class = QSMutant if isinstance(query_string, Form) else PostDataMutant
    return mutant_class(freq)
Пример #28
    def test_print_mod_value(self):
        """
        print_mod_value() of a QSMutant must report the URI of its request.
        """
        target = URL('http://www.w3af.com/?id=3')
        qs_mutant = QSMutant(FuzzableRequest(target))

        self.assertEqual(qs_mutant.print_mod_value(),
                         'The sent URI was http://www.w3af.com/?id=3 .')
Пример #29
    def test_print_mod_value(self):
        """
        print_mod_value() of a QSMutant must report the URI of its request.
        """
        target = URL('http://www.w3af.com/?id=3')
        qs_mutant = QSMutant(FuzzableRequest(target))

        self.assertEqual(qs_mutant.print_mod_value(),
                         'The sent URI was http://www.w3af.com/?id=3 .')