def report(self, msg, flow, identifier):
    """Report a finding at most once per ``identifier``.

    Args:
        msg: Finding title; used in the console line and as the report heading.
        flow: Flow whose ``request.url`` is printed and which is passed to
            ``HTTPDumper.save_http``.
        identifier: De-duplication key, checked against and appended to
            ``self.missing_headers``.
    """
    # Already reported under this identifier: stay silent.
    if identifier in self.missing_headers:
        return

    banner = "===================================="
    self.write("\n[VULN] %s - %s" % (msg, flow.request.url), type="danger")

    # NOTE(review): save_http() presumably writes the whole request/response
    # into the report file; if so the report can hold cookies or tokens and
    # should be stored as sensitive data -- confirm against HTTPDumper.
    dumper = HTTPDumper(self.report_file, False)
    dumper.dump(banner)
    dumper.dump("%s" % (msg))
    dumper.dump(banner)
    dumper.save_http(flow)

    self.missing_headers.append(identifier)
def response_analyzer(flow, options):
    """Flag a response whose body contains ``root:`` or ``nobody:``.

    The match is a plain byte-pattern search over ``flow.response.content``,
    so any page that legitimately prints those strings is reported as well;
    treat a hit as a lead to verify, not as proof.

    Args:
        flow: Flow carrying ``metadata["fuzz_pathtraversal"]``, ``response``
            and ``request``.
        options: Mapping with a ``"write"`` callable and a ``"report_file"``
            entry handed to ``HTTPDumper``.
    """
    # The value is not used below, but the lookup still raises KeyError for a
    # flow that carries no "fuzz_pathtraversal" metadata.
    meta = flow.metadata["fuzz_pathtraversal"]
    response = flow.response
    emit = options["write"]

    if re.search(b"root:|nobody:", response.content) is None:
        return

    banner = "===================================="
    emit("\n[VULN] Path Traversal via Query Params - %s" % (flow.request.url),
         type="danger")
    dumper = HTTPDumper(options["report_file"], False)
    dumper.dump(banner)
    dumper.dump("Path Traversal via Query Params")
    dumper.dump(banner)
    dumper.save_http(flow)
def response_analyzer(flow, options):
    """Heuristic check for an API endpoint that is not rate limited.

    For request numbers 1 to 5 the response reason and status code are stored
    in the module-level ``api_reason`` / ``api_code`` dicts under the API
    name. When the request number equals ``settings.RATELIMIT_REQ_NOS - 1``
    the current response is compared with the stored values, and a finding is
    written if the reason OR the status code is unchanged.

    Args:
        flow: Flow whose ``metadata["fuzz_api"]`` holds ``"api_rate_limit"``
            (request number) and ``"api_name"``.
        options: Mapping with a ``"write"`` callable and a ``"report_file"``
            entry handed to ``HTTPDumper``.

    NOTE(review): the nesting below was reconstructed from a collapsed
    listing; the two top-level ``if`` statements are assumed to be siblings
    -- confirm against the original file.
    """
    global api_reason, api_code
    meta = flow.metadata["fuzz_api"]
    res = flow.response
    write = options["write"]
    api_req = meta["api_rate_limit"]
    api_name = meta["api_name"]
    # Original author's note: why 5 -- the order in which responses arrive is
    # not known, so each of the first five overwrites the stored baseline.
    if api_req in [1, 2, 3, 4, 5]:
        api_reason[api_name] = flow.response.reason
        api_code[api_name] = flow.response.status_code
    if api_req == settings.RATELIMIT_REQ_NOS - 1:
        # NOTE(review): raises KeyError if no baseline was stored for this
        # api_name before this request is analysed -- confirm that ordering
        # is guaranteed by the caller.
        # NOTE(review): with "or", a changed status code alone does not
        # suppress the finding when the reason phrase stays the same (and
        # vice versa) -- confirm that "or" rather than "and" is intended.
        if api_reason[api_name] == flow.response.reason or api_code[api_name] == flow.response.status_code:
            write("\n[VULN] API may not be rate limited (Requests %s) - %s" %
                  (str(api_req + 1), flow.request.url), type="danger")
            http_dumper = HTTPDumper(options["report_file"], False)
            http_dumper.dump("===========================")
            http_dumper.dump("API may not be rate limited")
            http_dumper.dump("===========================")
            http_dumper.save_http(flow)
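def error_rep(flow, lang, write, report_file):
    """Record a possible deserialization finding inferred from an error body.

    Args:
        flow: Flow whose ``request.url`` is printed and which is passed to
            ``HTTPDumper.save_http``.
        lang: Name of the platform whose error signature matched
            (for example ``"Python"`` or ``"Java"``).
        write: Callable used for console output; called with the message and
            ``type="danger"``.
        report_file: Report destination handed to ``HTTPDumper``.
    """
    banner = "========================================================================"
    # The language fills the "in %s" slot and the URL follows the dash, the
    # same "<finding> - <url>" layout the other analyzers print.
    write(
        "\n[VULN] Possible Deserialization Vulnerability via Error Response in %s - %s"
        % (lang, flow.request.url),
        type="danger")
    http_dumper = HTTPDumper(report_file, False)
    http_dumper.dump(banner)
    http_dumper.dump(
        "Possible Deserialization Vulnerability via Error Response in %s" % lang)
    http_dumper.dump(banner)
    http_dumper.save_http(flow)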
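def response_analyzer(flow, options):
    """Flag a reflected payload in a response served as ``text/html``.

    A finding is written when ``metadata["fuzz_xss"]["payload"]`` occurs in
    the response body and ``get_content_type_lower(res)`` contains
    ``"text/html"``. Reflection alone does not show that the payload ends up
    in an executable context, so a hit still needs manual confirmation.

    Args:
        flow: Flow carrying ``metadata["fuzz_xss"]``, ``response`` and
            ``request``.
        options: Mapping with a ``"write"`` callable and a ``"report_file"``
            entry handed to ``HTTPDumper``.
    """
    meta = flow.metadata["fuzz_xss"]
    res = flow.response
    write = options["write"]
    # NOTE(review): presumably the payload is stored as bytes, since the
    # other analyzers treat res.content as bytes -- confirm in the fuzzer.
    if meta["payload"] in res.content and "text/html" in get_content_type_lower(res):
        write("\n[VULN] Cross Site Scripting via Query Params - %s" % (flow.request.url),
              type="danger")
        http_dumper = HTTPDumper(options["report_file"], False)
        http_dumper.dump("====================================")
        # Same spelling as the console line, so a search of the report for
        # the finding name also matches this heading.
        http_dumper.dump("Cross Site Scripting via Query Params")
        http_dumper.dump("====================================")
        http_dumper.save_http(flow)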
def response_analyzer(flow, options):
    """Run the three XXE checks against one response.

    1. Reflection: ``settings.VALIDATE_STRING`` (UTF-8 encoded) is present in
       the response body.
    2. Out-of-band: ``OOBValidator.get_status_by_md5`` returns a truthy value
       for ``metadata["fuzz_xxe"]["md5"]``.
    3. Error based: any string from ``get_xxe_exceptions()`` is present in
       the body. This one is reported as "Possible".

    The checks are independent, so one flow can produce several findings.

    Args:
        flow: Flow carrying ``metadata["fuzz_xxe"]``, ``response`` and
            ``request``.
        options: Mapping with a ``"write"`` callable and a ``"report_file"``
            entry handed to ``HTTPDumper``.
    """
    meta = flow.metadata["fuzz_xxe"]
    res = flow.response
    md5 = meta["md5"]
    write = options["write"]

    def _record(console_template, banner, heading, dumper_flag):
        # One finding: console line first, then heading and flow in the report.
        # dumper_flag is HTTPDumper's second argument; its meaning is not
        # visible in this listing.
        write(console_template % (flow.request.url), type="danger")
        dumper = HTTPDumper(options["report_file"], dumper_flag)
        dumper.dump(banner)
        dumper.dump(heading)
        dumper.dump(banner)
        dumper.save_http(flow)

    # Reflection XXE
    marker = bytes(settings.VALIDATE_STRING, "utf-8")
    if marker in res.content:
        _record(
            "\n[VULN] Generic XML External Entity (XXE) via Request Body - %s",
            "====================================================",
            "Generic XML External Entity (XXE) Payload Reflection",
            False)

    # OOB XXE
    oob_validator = OOBValidator(settings.OUT_OF_BAND_SERVER)
    if oob_validator.get_status_by_md5(md5):
        _record(
            "\n[VULN] XML External Entity (XXE) via OOB Hash Method- %s",
            "==============================================",
            "XML External Entity (XXE) via OOB Hash Method",
            True)

    # Error Based
    parser_error_seen = False
    for exp in get_xxe_exceptions():
        if bytes(exp, "utf-8") in res.content:
            parser_error_seen = True
            break
    if parser_error_seen:
        _record(
            "\n[VULN] Possible XML External Entity (XXE) via XML exception- %s",
            "====================================================",
            "Possible XML External Entity (XXE) via XML exception",
            False)
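def response_analyzer(flow, options):
    """Run the deserialization checks against one response.

    Four independent stages, each of which can write its own finding:

    * Error based: the body is matched against per-platform error signatures
      and the first match is passed to ``error_rep``. The signatures are
      short, generic strings, so these findings are only "possible".
    * Response based: the body contains ``root:`` or ``nobody:``.
    * Out-of-band: when the metadata has ``"md5"``,
      ``OOBValidator.get_status_by_md5`` returns a truthy value for it.
    * Blind: when the metadata has ``"blind"``, more than 8 seconds have
      passed since ``meta["tms"]``.

    Args:
        flow: Flow carrying ``metadata["fuzz_deserialize"]``, ``response``
            and ``request``.
        options: Mapping with a ``"write"`` callable and a ``"report_file"``
            entry handed to ``HTTPDumper``.
    """
    meta = flow.metadata["fuzz_deserialize"]
    res = flow.response
    write = options["write"]
    rep_file = options["report_file"]

    # Error Based
    # Raw byte literals keep the regex escapes (\.) out of Python's own
    # string-escape handling; the compiled patterns are unchanged.
    if re.findall(rb"pickle\.|<module>", res.content):
        error_rep(flow, "Python", write, rep_file)
    elif re.findall(rb"incompatible marshal|`load'|control characters|`parse'",
                    res.content):
        error_rep(flow, "Ruby", write, rep_file)
    elif re.findall(rb"E_NOTICE", res.content):
        error_rep(flow, "PHP", write, rep_file)
    elif re.findall(rb"InvalidClassException|Exception in|at com\.",
                    res.content):
        error_rep(flow, "Java", write, rep_file)

    # Response Based Validator
    if re.findall(rb"root:|nobody:", res.content):
        write("\n[VULN] Deserialization Vulnerability by Response - %s" %
              (flow.request.url), type="danger")
        http_dumper = HTTPDumper(options["report_file"], True)
        http_dumper.dump("=========================================")
        http_dumper.dump("Deserialization Vulnerability by Response")
        http_dumper.dump("=========================================")
        http_dumper.save_http(flow)

    # OOB
    oob_validator = OOBValidator(settings.OUT_OF_BAND_SERVER)
    if "md5" in meta:
        md5 = meta["md5"]
        if oob_validator.get_status_by_md5(md5):
            write(
                "\n[VULN] Deserialization Vulnerability via Body by OOB Method - %s"
                % (flow.request.url),
                type="danger")
            http_dumper = HTTPDumper(options["report_file"], True)
            http_dumper.dump("===========================================")
            http_dumper.dump("Deserialization Vulnerability by OOB Method")
            http_dumper.dump("===========================================")
            http_dumper.save_http(flow)

    # Blind
    if "blind" in meta:
        tms = meta["tms"]
        ctms = time.time()
        # NOTE(review): this measures wall-clock time from meta["tms"] to the
        # moment of analysis; a slow network or a queued flow could exceed
        # 8 seconds on its own -- confirm where tms is set.
        if (ctms - tms) > 8:
            write(
                "\n[VULN] Deserialization Vulnerability via Body by Blind Sleep Method - %s"
                % (flow.request.url),
                type="danger")
            http_dumper = HTTPDumper(options["report_file"], False)
            http_dumper.dump(
                "=====================================================")
            # Single-line heading: a quoted string cannot contain a literal
            # line break.
            http_dumper.dump(
                "Deserialization Vulnerability via Blind Sleep Method")
            http_dumper.dump(
                "=====================================================")
            http_dumper.save_http(flow)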
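def response_analyzer(flow, options):
    """Run the out-of-band SSRF checks selected by the flow's metadata.

    Which checks run depends on the keys present in
    ``metadata["fuzz_ssrf"]``:

    * ``"url"``: ``OOBValidator.get_status_by_md5(meta["md5"])``
    * ``"ip"``: ``OOBValidator.get_status_by_ip(flow.request.url)``
    * ``"count"``: ``OOBValidator.get_status_by_count(9)``

    Each truthy result writes one finding and saves the flow to the report.

    Args:
        flow: Flow carrying ``metadata["fuzz_ssrf"]`` and ``request``.
        options: Mapping with a ``"write"`` callable and a ``"report_file"``
            entry handed to ``HTTPDumper``.
    """
    meta = flow.metadata["fuzz_ssrf"]
    oob_validator = OOBValidator(settings.OUT_OF_BAND_SERVER)
    write = options["write"]

    if "url" in meta:
        # NOTE(review): the guard tests "url" but the value read is "md5";
        # this raises KeyError if a flow has the former without the latter
        # -- confirm the fuzzer always sets both.
        md5 = meta["md5"]
        # OOB URL SSRF
        if oob_validator.get_status_by_md5(md5):
            write("\n[VULN] SSRF via OOB Hash Method - %s" %
                  (flow.request.url), type="danger")
            http_dumper = HTTPDumper(options["report_file"], False)
            http_dumper.dump("=========================")
            http_dumper.dump("SSRF via OOB Hash Method")
            http_dumper.dump("=========================")
            http_dumper.save_http(flow)

    if "ip" in meta:
        if oob_validator.get_status_by_ip(flow.request.url):
            # Full "[VULN]" tag, so output filtered on that tag includes
            # this finding like every other one.
            write("\n[VULN] SSRF via OOB IP Method - %s" %
                  (flow.request.url), type="danger")
            http_dumper = HTTPDumper(options["report_file"], True)
            http_dumper.dump("=======================")
            http_dumper.dump("SSRF via OOB IP Method")
            http_dumper.dump("=======================")
            http_dumper.save_http(flow)

    if "count" in meta:
        # NOTE(review): the argument 9 is hard-coded here; what it is counted
        # against is decided inside OOBValidator -- confirm it matches the
        # number of requests the fuzzer sends.
        if oob_validator.get_status_by_count(9):
            write("\n[VULN] SSRF via OOB Request Count Method - %s" %
                  (flow.request.url), type="danger")
            http_dumper = HTTPDumper(options["report_file"], True)
            http_dumper.dump("=================================")
            http_dumper.dump("SSRF via OOB Request Count Method")
            http_dumper.dump("=================================")
            http_dumper.save_http(flow)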