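def is_injectable(self, mutant):
    '''
    Check if this mutant is delay injectable or not.

    Every delay payload from self._get_delays() is sent through exact_delay,
    which reports whether the response time is controlled by the payload.
    The first payload that controls the delay is reported as a finding; the
    remaining payloads are not tried.

    @mutant: The mutant object that I have to inject to
    @return: A vulnerability object or None if nothing is found
    '''
    for delay_obj in self._get_delays():
        ed = exact_delay(mutant, delay_obj, self._uri_opener)
        success, responses = ed.delay_is_controlled()

        if not success:
            continue

        # Now I can be sure that I found a vuln, we control the response
        # time with the delay
        v = vuln.vuln(mutant)
        v.setName('Blind SQL injection vulnerability')
        v.setSeverity(severity.HIGH)
        desc = 'Blind SQL injection using time delays was found at: %s'
        desc = desc % mutant.foundAt()
        v.setDesc(desc)
        v.setDc(mutant.getDc())
        v.setId([r.id for r in responses])
        # The original read `r` after the list comprehension, which only
        # works because Python 2 leaks the comprehension variable (NameError
        # under Python 3). Use the last response explicitly; a controlled
        # delay is assumed to come with at least one response — TODO confirm
        # against exact_delay.
        v.setURI(responses[-1].getURI())
        om.out.debug(v.getDesc())
        return v

    return None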
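def _with_time_delay(self, freq):
    '''
    Tests an URL for OS Commanding vulnerabilities using time delays.

    One mutant with an empty payload is created per injection point. For
    each mutant that is not already known to be vulnerable, every wait
    command from self._get_wait_commands() is checked with exact_delay; the
    first one whose delay is controlled is stored in the knowledge base and
    the remaining wait commands for that mutant are skipped.

    @param freq: A fuzzableRequest
    '''
    fake_mutants = createMutants(freq, ['', ])

    for mutant in fake_mutants:
        # Skip injection points already reported as vulnerable.
        if self._has_bug(mutant):
            continue

        for delay_obj in self._get_wait_commands():
            ed = exact_delay(mutant, delay_obj, self._uri_opener)
            success, responses = ed.delay_is_controlled()

            if not success:
                continue

            v = vuln.vuln(mutant)
            v.setPluginName(self.getName())
            v.setName('OS commanding vulnerability')
            v.setSeverity(severity.HIGH)
            # The OS and command separator that produced the delay are kept
            # on the finding so later stages know which payload shape worked.
            v['os'] = delay_obj.get_OS()
            v['separator'] = delay_obj.get_separator()
            v.setDesc('OS Commanding was found at: ' + mutant.foundAt())
            v.setDc(mutant.getDc())
            v.setId([r.id for r in responses])
            # The original read `r` after the list comprehension, which only
            # works because Python 2 leaks the comprehension variable
            # (NameError under Python 3). Use the last response explicitly;
            # a controlled delay is assumed to come with at least one
            # response — TODO confirm against exact_delay.
            v.setURI(responses[-1].getURI())
            kb.kb.append(self, 'osCommanding', v)
            break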
def _fuzz_with_time_delay(self, freq):
    """
    Tests an URL for eval() usage vulnerabilities using time delays.

    One mutant with an empty payload is created per injection point; for
    each mutant that is not already known to be vulnerable, every wait
    object in self.WAIT_OBJ is checked with exact_delay. The first wait
    object whose delay is controlled is recorded in the knowledge base and
    the remaining wait objects for that mutant are skipped.

    @param freq: A fuzzableRequest
    """
    def _report(mutant, responses):
        # Build and store the finding for a confirmed, controlled delay.
        finding = vuln.vuln(mutant)
        finding.setPluginName(self.getName())
        finding.setId([response.id for response in responses])
        finding.setSeverity(severity.HIGH)
        finding.setName("eval() input injection vulnerability")
        finding.setDesc("eval() input injection was found at: " + mutant.foundAt())
        # NOTE(review): unlike the other time-delay checks in this file, no
        # DC or URI is recorded on the finding — confirm this is intended.
        kb.kb.append(self, "eval", finding)

    for mutant in createMutants(freq, [""]):
        # Skip injection points already reported as vulnerable.
        if self._has_bug(mutant):
            continue

        for delay_obj in self.WAIT_OBJ:
            checker = exact_delay(mutant, delay_obj, self._uri_opener)
            controlled, responses = checker.delay_is_controlled()
            if not controlled:
                continue
            _report(mutant, responses)
            break