示例#1
0
 def _getQuote(self, source, searchString, searchNickname, index):
     if len(self.storage) == 0 or source not in self.storage:
         return IRCResponse(ResponseType.Say,
                            "There are no quotes in the log.", source)
     regex = re2.compile(searchString, re2.IGNORECASE)
     matches = []
     if searchNickname:
         for x in self.storage[source]:
             if x[21] == "*":
                 match = re2.search(regex, x[:x.find(" ", 23)])
             else:
                 match = re2.search(regex, x[x.find("<") + 1:x.find(">")])
             if match:
                 matches.append(x)
     else:
         for x in self.storage[source]:
             if re2.search(regex, x[x.find(">") + 1:]):
                 matches.append(x)
     if len(matches) == 0:
         return IRCResponse(ResponseType.Say,
                            f"No matches for '{searchString}' found.",
                            source)
     if index < 0 or index > len(matches) - 1:
         index = random.randint(0, len(matches) - 1)
     return IRCResponse(
         ResponseType.Say,
         f"Quote #{index + 1}/{len(matches)}: {matches[index]}", source)
    def on_call(self, call, process):
        if call["api"] == "CreateProcessInternalW":
            clbuf = self.get_argument(call, "CommandLine").lower()
            cfbuf = int(self.get_argument(call, "CreationFlags"), 16)
            # Handle Powershell CommandLine Arguments
            if "powershell" in clbuf and (re.search("-win[ ]+hidden", clbuf) or
                                          re.search("-windowstyle[ ]+hidden", clbuf)):
                proc = process["process_name"]
                spawn = self.get_argument(call, "ApplicationName")
                self.hidden.append((proc, spawn))
                self.data.append({"Process": proc + " -> " + spawn})
            # Handle CREATE_NO_WINDOW flag, ignored for CREATE_NEW_CONSOLE and DETACHED_PROCESS
            elif cfbuf & 0x08000000 and  not (cfbuf & 0x10 or cfbuf & 0x8):
                proc = process["process_name"]
                spawn = self.get_argument(call, "ApplicationName")
                self.hidden.append((proc, spawn))
                self.data.append({"Process": proc + " -> " + spawn})

        elif call["api"] == "ShellExecuteExW":
            buf = int(self.get_argument(call, "Show"), 10)
            # Handle SW_HIDE flag
            if buf == 0:
                proc = process["process_name"]
                spawn = self.get_argument(call, "FilePath")
                self.hidden.append((proc, spawn))
                self.data.append({"Process": proc + " -> " + spawn})
示例#3
0
    def impfuzzy_comp(self, list, list_new):
        ssdeep = re.compile("^[0-9]{1,5}:[0-9a-zA-Z\/\+]+:[0-9a-zA-Z\/\+]+$",
                            re.DOTALL)
        complist = []
        list_len = len(list_new)
        i = 0
        for item_new in list_new:
            i += 1
            if re.search(ssdeep, item_new[2]) and len(item_new[2]) < 150:
                for j in range(i, list_len):
                    if re.search(ssdeep,
                                 list_new[j][2]) and len(list_new[j][2]) < 150:
                        complist.append([
                            item_new[0], list_new[j][0],
                            pyimpfuzzy.hash_compare(item_new[2],
                                                    list_new[j][2])
                        ])

        if list:
            for item_new in list_new:
                if re.search(ssdeep, item_new[2]) and len(item_new[2]) < 150:
                    for item in list:
                        if re.search(ssdeep, item[2]) and len(item[2]) < 150:
                            complist.append([
                                item_new[0], item[0],
                                pyimpfuzzy.hash_compare(item_new[2], item[2])
                            ])

        return complist
示例#4
0
    def on_call(self, call, process):
        if call["api"] == "CreateProcessInternalW":
            clbuf = call["arguments"]["command_line"].lower()
            cfbuf = call["arguments"]["creation_flags"]
            # Handle Powershell CommandLine Arguments
            if "powershell" in clbuf and (re.search("-win[ ]+hidden", clbuf) or
                                          re.search("-windowstyle[ ]+hidden", clbuf)):
                proc = process["process_name"]
                spawn = call["arguments"]["command_line"]
                self.hidden.append((proc, spawn))
                self.mark_ioc("Process", proc + " -> " + spawn)
            # Handle CREATE_NO_WINDOW flag, ignored for CREATE_NEW_CONSOLE and DETACHED_PROCESS
            elif cfbuf & 0x08000000 and  not (cfbuf & 0x10 or cfbuf & 0x8):
                proc = process["process_name"]
                spawn = call["arguments"]["command_line"]
                self.hidden.append((proc, spawn))
                self.mark_ioc("Process", proc + " -> " + spawn)

        elif call["api"] == "ShellExecuteExW":
            buf = call["arguments"]["show_type"]
            # Handle SW_HIDE flag
            if buf == 0:
                proc = process["process_name"]
                spawn = call["arguments"]["filepath"]
                self.hidden.append((proc, spawn))
                self.mark_ioc("Process", proc + " -> " + spawn)
示例#5
0
文件: worker.py 项目: skobkin/point
        def _route(user, jid, msg):
            session = env.user.session()
            try:
                return session(msg['body'])
            except SessionCallError:
                pass

            message = env.user.resolve_aliases(msg['body'])

            args = {}
            for r in self.route:
                m = re.search(r['resource'], msg['resource'])
                if m:
                    args = m.groupdict()
                    route = r['route']
                    break

            for regex, view in route:
                match = re.search(regex, message)
                if match:
                    for g, val in match.groupdict().iteritems():
                        args[g] = val
                    log.debug(">>> %s routed to %s(%s) via '%s'" % \
                              (jid, view.__name__, str(args), regex.pattern))
                    return view(**args)
示例#6
0
 def _vrfy_response(self, r):
     """ szuka stringów występujących tylko w poprawnych odpowiedziach,
         jeśli występują przekazuje odpowiedź, jeśli nie -> False
     ----------------------------------------------------------------"""
     return r if search('userAcceptedTradeIDs',r) and search('tradeOffers',r)\
     and search('defaultGame.Communication.VO.TradeWindow.dTradeWindowResultVO',r)\
     else False
示例#7
0
def response(context, flow):
    """========================================================================
    "Called when a server response has been received"... łapię wyłącznie
    odpowiedzi, bo interesują mnie zestawy (request/response). Przechwycony
    response wraz z requestem wchodzą w skład transakcji, reprezentowanej przez
    mitmproxy.models.HTTPFlow()
    "HTTPFlow is collection of objects representing a single HTTP transaction".
    Więcej info na WWW:  http://docs.mitmproxy.org/en/stable/dev/models.html
 ==========================================================================="""
    if flow.request.host.endswith('.thesettlersonline.pl'):
        if "application/x-amf" in flow.response.headers.get("Content-Type", "_"):
            with decoded(flow.response):
                res = flow.response.content
                req = flow.request.content
                if  search( 'defaultGame.Communication.VO.TradeWindow.dTradeWindowResultVO', res )\
                and search( 'userAcceptedTradeIDs', res ) and search( 'tradeOffers', res )\
                and search( 'GetAvailableOffers', req ):
                    log.debug("got trade REQ/RESP pair, feeding TDD thread...")
                    try:
                        t= Thread(target=ttd._incoming_traffic_handler, args=(context, flow,))
                        t.setDaemon(True) 
                        t.start()
                    except (KeyboardInterrupt, SystemExit):
                        log.info('caught either KeyboardInterrupt or SystemExit, quitting threads')
                        t.__stop()
                        import thread
                        thread.interrupt_main()
def find_competitor_list(search_text):
    processed_text = grammar_matcher.StringProcessor(search_text)
    results_match = re.search(r'\n0*1[^\d].+\n^0*2[^\d].+\n(?:^\d+.+\n){2,}', processed_text.text, re.MULTILINE)
    if results_match:
        numbered_list = results_match.group(0)
        num_lines = numbered_list.count('\n')
        if len(re.findall(r'\d ?[.:h] ?\d\d|\bam\b|\bpm\b', numbered_list)) > num_lines / 4:
            return None  # good list of times! workshops, etc! performance/shows/club-set times!
        processed_numbered_list = grammar_matcher.StringProcessor(numbered_list, processed_text.match_on_word_boundaries)
        event_keywords = processed_numbered_list.get_tokens(rules.EVENT)
        if len(event_keywords) > num_lines / 8:
            return None
        if processed_text.has_token(keywords.WRONG_NUMBERED_LIST):
            return None
        if num_lines > 10:
            return numbered_list
        else:
            lines = numbered_list.split('\n')
            qualified_lines = len([x for x in lines if re.search(r'[^\d\W].*[-(]', x)])
            if qualified_lines > num_lines / 2:
                return numbered_list
            for type in ['crew', 'pop|boog', 'lock', 'b\W?(?:boy|girl)']:
                qualified_lines = len([x for x in lines if re.search(type, x)])
                if qualified_lines > num_lines / 8:
                    return numbered_list
            if processed_text.match_on_word_boundaries == regex_keywords.WORD_BOUNDARIES:  # maybe separate on kana vs kanji?
                avg_words = 1.0 * sum([len([y for y in x.split(' ')]) for x in lines]) / num_lines
                if avg_words < 3:
                    return numbered_list
    return None
    def on_call(self, call, process):
        if call["api"] == "CreateProcessInternalW":
            clbuf = self.get_argument(call, "CommandLine").lower()
            cfbuf = int(self.get_argument(call, "CreationFlags"), 16)
            # Handle Powershell CommandLine Arguments
            if "powershell" in clbuf and (
                    re.search("-win[ ]+hidden", clbuf)
                    or re.search("-windowstyle[ ]+hidden", clbuf)):
                proc = process["process_name"]
                spawn = self.get_argument(call, "ApplicationName")
                if not spawn:
                    spawn = self.get_argument(call, "CommandLine")
                self.hidden.append((proc, spawn))
                #self.data.append({"Process": proc + " -> " + spawn})
            # Handle CREATE_NO_WINDOW flag, ignored for CREATE_NEW_CONSOLE and DETACHED_PROCESS
            elif cfbuf & 0x08000000 and not (cfbuf & 0x10 or cfbuf & 0x8):
                proc = process["process_name"]
                spawn = self.get_argument(call, "ApplicationName")
                if not spawn:
                    spawn = self.get_argument(call, "CommandLine")
                self.hidden.append((proc, spawn))
                #self.data.append({"Process": proc + " -> " + spawn})

        elif call["api"] == "ShellExecuteExW":
            buf = int(self.get_argument(call, "Show"), 10)
            # Handle SW_HIDE flag
            if buf == 0:
                proc = process["process_name"]
                spawn = self.get_argument(call, "FilePath")
                self.hidden.append((proc, spawn))
示例#10
0
        def _route(user, jid, msg):
            session = env.user.session()
            try:
                return session(msg['body'])
            except SessionCallError:
                pass

            message = env.user.resolve_aliases(msg['body'])

            args = {}
            for r in self.route:
                m = re.search(r['resource'], msg['resource'])
                if m:
                    args = m.groupdict()
                    route = r['route']
                    break

            for regex, view in route:
                match = re.search(regex, message)
                if match:
                    for g, val in match.groupdict().iteritems():
                        args[g] = val
                    log.debug(">>> %s routed to %s(%s) via '%s'" % \
                              (jid, view.__name__, str(args), regex.pattern))
                    return view(**args)
示例#11
0
    def _postList(self, source, searchString, searchNickname):
        if len(self.storage) == 0 or source not in self.storage:
            return IRCResponse(ResponseType.Say,
                               "There are no quotes in the log.", source)
        regex = re2.compile(searchString, re2.IGNORECASE)
        matches = []
        if searchNickname:
            for x in self.storage[source]:
                if x[21] == "*":
                    match = re2.search(regex, x[:x.find(" ", 23)])
                else:
                    match = re2.search(regex, x[x.find("<") + 1:x.find(">")])
                if match:
                    matches.append(x)
        else:
            for x in self.storage[source]:
                if re2.search(regex, x[x.find(">") + 1:]):
                    matches.append(x)
        if len(matches) == 0:
            return IRCResponse(ResponseType.Say,
                               f"No matches for '{searchString}' found.",
                               source)

        pasteLink = self.bot.moduleHandler.runActionUntilValue(
            'upload-dbco', string.stripFormatting("\n".join(matches)), 10 * 60)

        return IRCResponse(
            ResponseType.Say,
            f"Link posted! (Expires in 10 minutes) {pasteLink}.", source)
示例#12
0
def find_enc_function(macro):
    match, type = re.search(
        r"(?ims)Public Function (\w+).+? Xor .+?End Function", macro), "xor"
    if not match:
        match, type = re.search(
            r"(?ims)Public Function (\w+).+?\d+\s*-\s*\d+.+?End Function",
            macro), "sub"
    return (match.group(1), type) if match else (None, None)
示例#13
0
def extract_config(file_path, decomp_jar):
    enckey = coded_jar = False

    if not decomp_jar:
        return None

    ret = {}

    try:
        with ZipFile(file_path, "r") as zip:
            for name in zip.namelist():
                if name == "e-data":
                    coded_data = zip.read(name)
                    seed = coded_data[:8]
                    enckey = unpack(">Q", seed)[0]

        if enckey and coded_data:
            java_rand = JavaRandom(enckey)
            coded_data = coded_data[8:]
            decoded_data = ""
            for i in range(len(coded_data)):
                key = java_rand.nextInt(255)
                dec_byte = chr((ord(coded_data[i]) - key + 256) % 256)
                decoded_data += dec_byte
            decoded_path = store_temp_file(decoded_data, "qrat.jar")

            try:
                p = Popen(["java", "-jar", decomp_jar, decoded_path], stdout=PIPE)
                decompiled_data = p.stdout.read()
            except:
                pass

            match = re.search("Utils\.serverHost = new String\[\] \{(?P<stringlist>[^};\r\n]*)\};", decompiled_data)
            if match:
                hostlist = match.group("stringlist").split(",")
                serverhosts = [x.strip(' "') for x in hostlist]
                for i in range(len(serverhosts)):
                    ret["ServerHost" + str(i)] = serverhosts[i]
            match = re.search("Utils\.serverPort = (?P<portnum>\d+);", decompiled_data)
            if match:
                ret["ServerPort"] = int(match.group("portnum"))
            match = re.search("Utils\.instanceControlPortAgent = (?P<portnum>\d+);", decompiled_data)
            if match:
                ret["InstanceControlPortAgent"] = int(match.group("portnum"))
            match = re.search("Utils\.instanceControlPortClient = (?P<portnum>\d+);", decompiled_data)
            if match:
                ret["InstanceControlPortClient"] = int(match.group("portnum"))

            try:
                os.unlink(decoded_path)
            except:
                pass

            return ret
    except:
        pass

    return None
示例#14
0
def extract_config(file_path, decomp_jar):
    enckey = coded_jar = False

    if not decomp_jar:
        return None

    ret = { }

    try:
        with ZipFile(file_path, 'r') as zip:
            for name in zip.namelist():
                if name == 'e-data':
                    coded_data = zip.read(name)
                    seed = coded_data[:8]
                    enckey = unpack('>Q', seed)[0]
        
        if enckey and coded_data:
            java_rand = JavaRandom(enckey)
            coded_data = coded_data[8:]
            decoded_data = ""
            for i in range(len(coded_data)):
                key = java_rand.nextInt(255)
                dec_byte = chr((ord(coded_data[i]) - key + 256) % 256)
                decoded_data += dec_byte
            decoded_path = store_temp_file(decoded_data, "qrat.jar")

            try:
                p = Popen(["java", "-jar", decomp_jar, decoded_path], stdout=PIPE)
                decompiled_data = p.stdout.read()
            except:
                pass

            match = re.search("Utils\.serverHost = new String\[\] \{(?P<stringlist>[^};\r\n]*)\};", decompiled_data)
            if match:
                hostlist = match.group('stringlist').split(',')
                serverhosts = [x.strip(" \"") for x in hostlist]
                for i in xrange(len(serverhosts)):
                    ret["ServerHost" + str(i)] = serverhosts[i]
            match = re.search("Utils\.serverPort = (?P<portnum>\d+);", decompiled_data)
            if match:
                ret["ServerPort"] = int(match.group('portnum'))
            match = re.search("Utils\.instanceControlPortAgent = (?P<portnum>\d+);", decompiled_data)
            if match:
                ret["InstanceControlPortAgent"] = int(match.group('portnum'))
            match = re.search("Utils\.instanceControlPortClient = (?P<portnum>\d+);", decompiled_data)
            if match:
                ret["InstanceControlPortClient"] = int(match.group('portnum'))

            try:
                os.unlink(decoded_path)
            except:
                pass

            return ret
    except:
        pass

    return None
示例#15
0
    def on_call(self, call, process):
        if call["api"].startswith("CopyFile"):
            self.sname = self.get_argument(call, "ExistingFileName")
            if self.sname:
                for tool in self.devtools:
                    if re.search(tool, self.sname.lower()):
                        self.dname = self.get_argument(call, "NewFileName")

        if call["api"] == "CreateProcessInternalA" or call[
                "api"] == "CreateProcessInternalW":
            cmdline = self.get_argument(call, "CommandLine").lower()
            appname = self.get_argument(call, "ApplicationName")
            if cmdline:
                flags = int(self.get_argument(call, "CreationFlags"), 16)
                # CREATE_SUSPENDED or CREATE_SUSPENDED|CREATE_NO_WINDOW
                if flags & 0x4 or flags & 0x08000004:
                    for tool in self.devtools:
                        if "{path}" in cmdline:
                            appname = self.get_argument(
                                call, "ApplicationName")
                            if appname:
                                if re.search(tool, appname):
                                    procname = process["process_name"]
                                    self.data.append({
                                        "Process":
                                        procname + " > " + appname
                                    })
                        elif self.dname and self.dname.lower() in cmdline:
                            self.executecopy = True
                            procname = process["process_name"]
                            self.data.append({
                                "Copy":
                                self.sname.lower() + " > " +
                                self.dname.lower()
                            })
                            self.data.append({
                                "Process":
                                procname + " > " + self.dname.lower()
                            })
                        elif re.search(tool, cmdline):
                            procname = process["process_name"]
                            spawnapp = self.get_argument(
                                call, "ApplicationName")
                            if not spawnapp:
                                spawnapp = cmdline
                            self.data.append(
                                {"Process": procname + " > " + spawnapp})
            # Handle cases were CommandLine is null
            elif appname:
                flags = int(self.get_argument(call, "CreationFlags"), 16)
                # CREATE_SUSPENDED or CREATE_SUSPENDED|CREATE_NO_WINDOW
                if flags & 0x4 or flags & 0x08000004:
                    for tool in self.devtools:
                        if re.search(tool, appname):
                            procname = process["process_name"]
                            self.data.append(
                                {"Process": procname + " > " + appname})
示例#16
0
def _ignore_link_pattern(url: Optional[str]) -> bool:
    """Return true if the url or redirect_url matches the ignore link pattern."""
    if url is None:
        return False

    p = IGNORE_LINK_PATTERN
    nu = normalize_url_lossy(url)

    return re2.search(p, url, re2.I) or re2.search(p, nu, re2.I)
示例#17
0
文件: autoparser.py 项目: aih/uscites
def parsesections(pattern, pattern_replace, section):
    sectionsref = re.search(pattern, section)
    while sectionsref:
        i1 = sectionsref.start(1)
        i2 = sectionsref.end(2)
        #print "found multiple secs at", i1, "-", i2
        section = section[:i1]+re.sub(pattern_replace[0], pattern_replace[1] % sectionsref.group(2), section[i1:i2]) + section[1+i2:]
        sectionsref = re.search(pattern, section)
    return section 
示例#18
0
def _ignore_link_pattern(url: typing.Optional[str]) -> bool:
    """Return true if the url or redirect_url matches the ignore link pattern."""
    if url is None:
        return False

    p = mediawords.tm.extract_story_links.IGNORE_LINK_PATTERN
    nu = mediawords.util.url.normalize_url_lossy(url)

    return re2.search(p, url, re2.I) or re2.search(p, nu, re2.I)
示例#19
0
def _ignore_link_pattern(url: typing.Optional[str]) -> bool:
    """Return true if the url or redirect_url matches the ignore link pattern."""
    if url is None:
        return False

    p = mediawords.tm.extract_story_links.IGNORE_LINK_PATTERN
    nu = mediawords.util.url.normalize_url_lossy(url)

    return re2.search(p, url, flags=re2.I) or re2.search(p, nu, flags=re2.I)
示例#20
0
    def run(self, info):

        m_return = []

        if info.has_url_params:
            #param_dict = info.url_params
            for k, v in info.url_params.iteritems():
                key = to_utf8(k)
                value = to_utf8(v)

                for cmd_inject_case in cmd_inject_detect_test_cases:
                    p = payload_muntants(info,
                                         payload={
                                             'k': k,
                                             'pos': 1,
                                             'payload':
                                             cmd_inject_case['input'],
                                             'type': 0
                                         },
                                         bmethod=info.method,
                                         timeout=15.0)

                    if cmd_inject_case['target'] is not None:
                        if p is not None:
                            __ = re.search(cmd_inject_case['target'], p.data)
                            if __ is not None:
                                Logger.log_verbose('[+] found cmd inject!')
                                return m_return

        if info.has_post_params:
            #param_dict = info.post_params
            for k, v in info.post_params.iteritems():
                key = to_utf8(k)
                value = to_utf8(v)

                for cmd_inject_case in cmd_inject_detect_test_cases:
                    p = payload_muntants(info,
                                         payload={
                                             'k': k,
                                             'pos': 1,
                                             'payload':
                                             cmd_inject_case['input'],
                                             'type': 0
                                         },
                                         bmethod=info.method,
                                         timeout=15.0)

                    if cmd_inject_case['target'] is not None:
                        if p is not None:
                            __ = re.search(cmd_inject_case['target'], p.data)
                            if __ is not None:
                                Logger.log_verbose('[+] found cmd inject!')
                                return m_return

        # Send the results
        return m_return
示例#21
0
def _filter(source):
    """Extracts and decode payload (original file) from `source`"""
    try:
        varname = re.search(r'eval\(\w+\(\w+\((\w+)\)\)\);', source).group(1)
        reverse = re.search(r"var +%s *\= *'(.*)';" % varname, source).group(1)
    except AttributeError:
        raise UnpackingError('Malformed MyObfuscate data.')
    try:
        return base64.b64decode(reverse[::-1].encode('utf8')).decode('utf8')
    except TypeError:
        raise UnpackingError('MyObfuscate payload is not base64-encoded.')
示例#22
0
 def test_search_star_plus(self):
     self.assertEqual(re.search('x*', 'axx').span(0), (0, 0))
     self.assertEqual(re.search('x*', 'axx').span(), (0, 0))
     self.assertEqual(re.search('x+', 'axx').span(0), (1, 3))
     self.assertEqual(re.search('x+', 'axx').span(), (1, 3))
     self.assertEqual(re.search('x', 'aaa'), None)
     self.assertEqual(re.match('a*', 'xxx').span(0), (0, 0))
     self.assertEqual(re.match('a*', 'xxx').span(), (0, 0))
     self.assertEqual(re.match('x*', 'xxxa').span(0), (0, 3))
     self.assertEqual(re.match('x*', 'xxxa').span(), (0, 3))
     self.assertEqual(re.match('a+', 'xxx'), None)
示例#23
0
def _filter(source):
    """Extracts and decode payload (original file) from `source`"""
    try:
        varname = re.search(r'eval\(\w+\(\w+\((\w+)\)\)\);', source).group(1)
        reverse = re.search(r"var +%s *\= *'(.*)';" % varname, source).group(1)
    except AttributeError:
        raise UnpackingError('Malformed MyObfuscate data.')
    try:
        return base64.b64decode(reverse[::-1].encode('utf8')).decode('utf8')
    except TypeError:
        raise UnpackingError('MyObfuscate payload is not base64-encoded.')
示例#24
0
 def test_search_star_plus(self):
     self.assertEqual(re.search('x*', 'axx').span(0), (0, 0))
     self.assertEqual(re.search('x*', 'axx').span(), (0, 0))
     self.assertEqual(re.search('x+', 'axx').span(0), (1, 3))
     self.assertEqual(re.search('x+', 'axx').span(), (1, 3))
     self.assertEqual(re.search('x', 'aaa'), None)
     self.assertEqual(re.match('a*', 'xxx').span(0), (0, 0))
     self.assertEqual(re.match('a*', 'xxx').span(), (0, 0))
     self.assertEqual(re.match('x*', 'xxxa').span(0), (0, 3))
     self.assertEqual(re.match('x*', 'xxxa').span(), (0, 3))
     self.assertEqual(re.match('a+', 'xxx'), None)
示例#25
0
    def on_call(self, call, process):
        if call["api"] == "CreateProcessInternalW":
            clbuf = call["arguments"]["command_line"].lower()
            # Handle Powershell CommandLine Arguments
            if "powershell" in clbuf and (re.search("-win[ ]+hidden", clbuf) or re.search("-windowstyle[ ]+hidden", clbuf)):
                self.mark_call()
            # CREATE_NO_WINDOW flag
            elif call["flags"]["creation_flags"] == "CREATE_NO_WINDOW":
                self.mark_call()

        elif call["api"] == "ShellExecuteExW":
            if call["arguments"]["show_type"] == 0:
                self.mark_call()
    def on_call(self, call, process):
        if call["api"] == "CreateProcessInternalW":
            clbuf = call["arguments"]["command_line"].lower()
            # Handle Powershell CommandLine Arguments
            if "powershell" in clbuf and (
                    re.search("-win[ ]+hidden", clbuf)
                    or re.search("-windowstyle[ ]+hidden", clbuf)):
                self.mark_call()
            # CREATE_NO_WINDOW flag
            elif call["flags"]["creation_flags"] == "CREATE_NO_WINDOW":
                self.mark_call()

        elif call["api"] == "ShellExecuteExW":
            if call["arguments"]["show_type"] == 0:
                self.mark_call()
示例#27
0
def getMatches(regex):
    # print "getMatches called"
    # print os.path
    for root, dirs, files in os.walk("./public/rawonions", topdown=False):
        for name in files:
            # filename = os.path.join("./public/rawonions", name)
            filename = os.path.join(root, name)
            print "fname = " + filename
            # print filename
            url = name.replace('+', '/')
            try:
                with open(filename, 'r') as f:
                    text = f.read()
                    # print text
                    match = re2.search(regex, text)
                    if not match is None:
                        # print match.group() 
                        context = text[max(0, (match.span()[0]-width)) : (match.span()[1]+width)]
                        # print context
                        # print url
                        yield (url, match.group(), context)
                        
            except re2.RegexError:
                print "Had a regex error."
                pass
示例#28
0
def add_post():
    text = env.request.args('text', '').strip()

    tags = env.request.args('tags', '').strip(' \t*,;')
    if isinstance(tags, str):
        tags = tags.decode('utf-8')
    tags = [t.replace(u"\xa0", " ") for t in re.split(r'\s*[,;*]\s*', tags)]

    private = bool(env.request.args('private'))

    m = re.search(r'^\s*(?P<to>(?:@[a-z0-9_-]+[,\s]*)+)', text)
    to = parse_logins(m.group('to')) if m else []

    files = _files([])

    sess = Session()
    sess['clear_post_input'] = True
    sess.save()

    try:
        id = posts.add_post(text, tags=tags, to=to, private=private, files=files)
    except PostTextError:
        return render('/post-error.html')

    return Response(redirect='%s://%s.%s/%s' % \
                             (env.request.protocol,
                              env.user.login, settings.domain, id))
示例#29
0
def assign_date_guess_tag(
        db: DatabaseHandler,
        story: dict,
        date_guess: GuessDateResult,
        fallback_date: Optional[str]) -> None:
    """Assign a guess method tag to the story based on the date_guess result.

    If date_guess found a result, assign a date_guess_method:guess_by_url, guess_by_tag_*, or guess_by_unknown tag.
    Otherwise if there is a fallback_date, assign date_guess_metehod:fallback_date.  Else assign
    date_invalid:date_invalid.

    Arguments:
    db - db handle
    story - story dict from db
    date_guess - GuessDateResult from guess_date() call

    Returns:
    None

    """
    if date_guess.found:
        tag_set = GUESS_METHOD_TAG_SET
        guess_method = date_guess.guess_method
        if guess_method.startswith('Extracted from url'):
            tag = 'guess_by_url'
        elif guess_method.startswith('Extracted from tag'):
            match = re2.search(r'\<(\w+)', guess_method)
            html_tag = match.group(1) if match is not None else 'unknown'
            tag = 'guess_by_tag_' + str(html_tag)
        else:
            tag = 'guess_by_unknown'
    elif fallback_date is not None:
        tag_set = GUESS_METHOD_TAG_SET
        tag = 'fallback_date'
    else:
        tag_set = INVALID_TAG_SET
        tag = INVALID_TAG

    ts = db.find_or_create('tag_sets', {'name': tag_set})
    t = db.find_or_create('tags', {'tag': tag, 'tag_sets_id': ts['tag_sets_id']})

    stories_id = story['stories_id']
    tags_id = t['tags_id']

    db.query(
        """
        DELETE FROM stories_tags_map
        WHERE stories_id = %(stories_id)s
        """,
        {'stories_id': stories_id}
    )

    db.query("""
        INSERT INTO stories_tags_map (stories_id, tags_id)
        VALUES (%(stories_id)s, %(tags_id)s)
        ON CONFLICT (stories_id, tags_id) DO NOTHING
    """, {
        'stories_id': stories_id,
        'tags_id': tags_id,
    })
示例#30
0
def set_param(param, value):
    """Set profile/info parameter, add/remove account
    """
    value = value.strip()
    try:
        if re.search(r'[^a-z0-9_\.]', param, re.I):
            raise KeyError

        #if param in ('passwd', 'password'):
        #    env.user.set_password(value)

        elif param.startswith('info.') and param[5:] in fields['info']:
            env.user.set_info(param[5:], value)

        elif param in fields['account']:
            if value.startswith('-'):
                return del_account(param, value[1:].strip())
            if value.startswith('+'):
                value = value[1:]
            return add_account(param, value.strip())

        else:
            env.user.set_profile(param, value)

        env.user.save()

    except ValueError, e:
        v = e.message if e.message else value
        return xmpp_template('profile_value_err', value=v)
示例#31
0
    def on_call(self, call, process):
        if call["api"] == "CDocument_write":
            buf = self.get_argument(call, "Buffer")
        elif call["api"] == "JsEval":
            buf = self.get_argument(call, "Javascript")
        else:
            buf = self.get_argument(call, "Script")

        buf = buf.strip()
        if "style" in buf.lower() and "iframe" in buf.lower(
        ) and len(buf) < 500:
            check = re.match(self.styleRE, buf)
            if check:
                style = check.group("styleName")
                hclass1 = "class=\"{0}\"".format(style)
                hclass2 = "class='{0}'".format(style)
                if hclass1 in buf or hclass2 in buf:
                    redirect = re.search(self.iframeRE, buf)
                    if redirect:
                        self.ret = True
                        self.severity = 3
                        self.data.append({
                            "Info":
                            "Javascript generated CSS styling for a div "
                            "containing an iframe redirect."
                        })
                        self.data.append({"Redirect": redirect.group("redir")})
示例#32
0
def content_matches_topic(content: str, topic: dict, assume_match: bool = False) -> bool:
    """Test whether the content matches the topic['pattern'] regex.

    Only check the first megabyte of the string to avoid the occasional very long regex check.

    Arguments:
    content - text content
    topic - topic dict from db
    assume_match - assume that the content matches

    Return:
    True if the content matches the topic pattern

    """
    if assume_match:
        return True

    if content is None:
        return False

    content = content[0:1024 * 1024]

    # for some reason I can't reproduce in dev, in production a small number of fields come from
    # the database into the stories fields or the text value produced in the query below in _story_matches_topic
    # as bytes objects, which re2.search chokes on
    if isinstance(content, bytes):
        content = content.decode('utf8', 'backslashreplace')

    return re2.search(topic['pattern'], content, re2.I | re2.X | re2.S) is not None
示例#33
0
def set_param(param, value):
    """Set profile/info parameter, add/remove account
    """
    value = value.strip()
    try:
        if re.search(r'[^a-z0-9_\.]', param, re.I):
            raise KeyError

        #if param in ('passwd', 'password'):
        #    env.user.set_password(value)

        elif param.startswith('info.') and param[5:] in fields['info']:
            env.user.set_info(param[5:], value)

        elif param in fields['account']:
            if value.startswith('-'):
                return del_account(param, value[1:].strip())
            if value.startswith('+'):
                value = value[1:]
            return add_account(param, value.strip())

        else:
            env.user.set_profile(param, value)

        env.user.save()

    except ValueError, e:
        v = e.message if e.message else value
        return xmpp_template('profile_value_err', value=v)
示例#34
0
def getBestMessage(lines, codeStr):
    """Extracts message from one AssertionLocation.lines entry

    Args:
        lines: list of contiguous C++ source lines
        codeStr: assertion code found in first line
    """
    line = lines if isinstance(lines, str) else " ".join(lines)

    err = line.partition(codeStr)[2]
    if not err:
        return ""

    # Trim to outer quotes
    m = re.search(r'"(.*)"', err)
    if not m:
        return ""
    err = m.group(1)

    # Trim inner quote pairs
    err = re.sub(r'" +"', '', err)
    err = re.sub(r'" *<< *"', '', err)
    err = re.sub(r'" *<<[^<]+<< *"', '<X>', err)
    err = re.sub(r'" *\+[^+]+\+ *"', '<X>', err)

    # Trim escaped quotes
    err = re.sub(r'\\"', '', err)

    # Iff doublequote still present, trim that and any trailing text
    err = re.sub(r'".*$', '', err)

    return err.strip()
示例#35
0
 def search(self, regex, flags=0, all=False):
     if all:
         result = dict()
         result["detail"] = []
         matches = []
         for map in self.address_space:
             for chunk in map["chunks"]:
                 self.dumpfile.seek(chunk["offset"])
                 match = re.findall(
                     regex,
                     self.dumpfile.read(chunk["end"] - chunk["start"]),
                     flags)
                 if match:
                     matches.extend(match)
                     result["detail"].append({
                         "match": match,
                         "chunk": chunk
                     })
         result["matches"] = matches
         return result
     else:
         for map in self.address_space:
             for chunk in map["chunks"]:
                 self.dumpfile.seek(chunk["offset"])
                 match = re.search(
                     regex,
                     self.dumpfile.read(chunk["end"] - chunk["start"]),
                     flags)
                 if match:
                     result = dict()
                     result["match"] = match
                     result["chunk"] = chunk
                     return result
示例#36
0
 def search(self, regex, flags=0, all=False):
     if all:
         result = dict()
         result["detail"] = []
         matches = []
         for map in self.address_space:
             for chunk in map["chunks"]:
                 self.dumpfile.seek(chunk["offset"])
                 match = re.finditer(regex, self.dumpfile.read(chunk["end"] - chunk["start"]), flags)
                 thismatch = []
                 try:
                     while True:
                         m = match.next()
                         thismatch.append(m)
                         matches.append(m.group(0))
                 except StopIteration:
                     pass
                 if thismatch:
                     result["detail"].append({"match": thismatch, "chunk": chunk})
         result["matches"] = matches
         return result
     else:
         for map in self.address_space:
             for chunk in map["chunks"]:
                 self.dumpfile.seek(chunk["offset"])
                 match = re.search(regex, self.dumpfile.read(chunk["end"] - chunk["start"]), flags)
                 if match:
                     result = dict()
                     result["match"] = match
                     result["chunk"] = chunk
                     return result
    def on_call(self, call, process):
        if call["api"] == "RegQueryValueExA":
            # There are many more ways to get the computer name, this is the
            # pattern observed with all Dridex varients 08/14 - 03/15 so far.
            testkey = self.get_argument(call, "FullName").lower()
            if testkey == "hkey_local_machine\\system\\controlset001\\control\\computername\\computername\\computername":
                buf = self.get_argument(call, "Data")
                if buf:
                    self.compname = buf.lower()
            if testkey == "hkey_current_user\\volatile environment\\username":
                if call["status"]:
                    buf = self.get_argument(call, "Data")
                    if buf:
                        self.username = buf.lower()
                else:
                    self.is_xp = True

        if call["api"] == "CryptHashData":
            self.crypted.append(self.get_argument(call, "Buffer").lower())

        if call["api"] == "connect":
            if not self.extract:
                return None

            socknum = str(self.get_argument(call, "socket"))
            if socknum and socknum not in self.sockmon.keys():
                self.sockmon[socknum] = ""

            lastip = self.get_argument(call, "ip")
            self.sockmon[socknum] = lastip

        if call["api"] == "send":
            if not self.extract:
                return None

            socknum = str(self.get_argument(call, "socket"))
            if socknum and socknum in self.sockmon.keys():
                buf = self.get_argument(call, "buffer")
                # POST is a stable indicator observed so far
                if buf and buf[:4] == "POST":
                    self.payloadip["send"] = self.sockmon[socknum]

        if call["api"] == "recv":
            if not self.extract:
                return None

            socknum = str(self.get_argument(call, "socket"))
            if socknum and socknum in self.sockmon.keys():
                buf = self.get_argument(call, "buffer")
                if buf:
                    clen = re.search(r"Content-Length:\s([^\s]+)", buf)
                    if clen:
                        length = int(clen.group(1))
                        if length > 100000:
                            if "send" in self.payloadip and self.sockmon[socknum] == self.payloadip["send"]:
                                # Just a sanity check to make sure the IP hasn't changed
                                # since this is a primitive send/recv monitor
                                self.payloadip["recv"] = self.sockmon[socknum]

        return None
示例#38
0
    def check(self, msg):
        if not self.active:
            return False

        channels = self.channels.get(str(msg.guild.id), [])
        if channels and msg.channel.id not in channels:
            return False

        content = msg.content
        triggered_by = self.triggered_by

        if (self.server == msg.guild.id or self.server is None) is False:
            return False

        if not self.case_sensitive:
            triggered_by = triggered_by.lower()
            content = content.lower()

        if not self.regex:
            if triggered_by not in content:
                return False
        else:
            found = re.search(triggered_by, content)
            if not found:
                return False

        timestamp = datetime.datetime.now()
        passed = (timestamp - self.last_triggered).seconds
        if passed > self.cooldown:
            self.last_triggered = timestamp
            return True
        else:
            return False
示例#39
0
    def run(self,results):
        """Run Moloch to import pcap
        @return: nothing 
        """
        self.key = "moloch"
        self.alerthash ={}
        self.MOLOCH_CAPTURE_BIN = self.options.get("capture", None)
        self.MOLOCH_CAPTURE_CONF = self.options.get("captureconf",None)
        self.CUCKOO_INSTANCE_TAG = self.options.get("node",None)
        self.MOLOCH_USER = self.options.get("user",None)
        self.MOLOCH_PASSWORD = self.options.get("pass",None) 
        self.MOLOCH_REALM = self.options.get("realm",None)
        self.pcap_path = os.path.join(self.analysis_path, "dump.pcap")
        self.MOLOCH_URL = self.options.get("base",None)

        m = re.search(r"/(?P<task_id>\d+)/dump.pcap$",self.pcap_path)
        if m == None:
            log.warning("Unable to find task id from %s" % (self.pcap_path))
            return results  
        else:
            self.task_id = m.group("task_id")

        if not os.path.exists(self.MOLOCH_CAPTURE_BIN):
            log.warning("Unable to Run moloch-capture: BIN File %s Does Not Exist" % (self.MOLOCH_CAPTURE_BIN))
            return
        
        if not os.path.exists(self.MOLOCH_CAPTURE_CONF):
            log.warning("Unable to Run moloch-capture Conf File %s Does Not Exist" % (self.MOLOCH_CAPTURE_CONF))
            return         
        try:
            cmd = "%s -c %s -r %s -n %s -t %s:%s" % (self.MOLOCH_CAPTURE_BIN,self.MOLOCH_CAPTURE_CONF,self.pcap_path,self.CUCKOO_INSTANCE_TAG,self.CUCKOO_INSTANCE_TAG,self.task_id)
        except Exception,e:
            log.warning("Unable to Build Basic Moloch CMD: %s" % e)
示例#40
0
def add_post():
    text = env.request.args('text', '').strip()

    tags = env.request.args('tags', '').strip(' \t*,;')
    if isinstance(tags, str):
        tags = tags.decode('utf-8')
    tags = [t.replace(u"\xa0", " ") for t in re.split(r'\s*[,;*]\s*', tags)]

    private = bool(env.request.args('private'))

    m = re.search(r'^\s*(?P<to>(?:@[a-z0-9_-]+[,\s]*)+)', text)
    to = parse_logins(m.group('to')) if m else []

    files = _files([])

    try:
        id = posts.add_post(text,
                            tags=tags,
                            to=to,
                            private=private,
                            files=files)
    except PostTextError:
        return render('/post-error.html')

    return Response(redirect='%s://%s.%s/%s' % \
                             (env.request.protocol,
                              env.user.login, settings.domain, id))
示例#41
0
 def search(self, table, line):
     message_dict = {}
     matches = []
     try:
         choice = int(line.split(" ")[-1])
         line = line.replace(line.split(" ")[-1], "", 1).strip()
         specific = True
     except Exception:
         choice = None
         specific = False
     with sqlite3.connect(self.bot.database_file) as conn:
         c = conn.cursor()
         for row in c.execute("SELECT * FROM {}".format(table)):
             message_dict[row[0]] = row[1]
     if len(message_dict) == 0:
         return "There are no entries in this list!"
     for number, text in message_dict.items():
         match = re.search(line, text, re.IGNORECASE)
         if match:
             for nr, txt in message_dict.items():
                 if txt == match.string:
                     found_number = nr
                     matches.append("{}. {}".format(found_number, match.string))
     if len(matches) > 0:
         if not specific:
             choice = random.choice(matches)
             return "Match #{}/{} - {}".format(matches.index(choice) + 1, len(matches), choice)
         elif choice <= len(matches):
             return "Match #{}/{} - {}".format(choice, len(matches), matches[choice - 1])
         else:
             return "There is no '#{}' entry of '{}'!".format(choice, line)
     else:
         return "Could not find '{}'!".format(line)
示例#42
0
def create_blacklist_ip_trie():
    print('* Creating Blacklist IP Trie.')
    try:
        print('* Last update: {}'.format(time.strftime('%Y-%m-%d %H:%M:%S', time.localtime(os.path.getmtime(BLACKLISTED_IP_TRIE_JOBLIB)))))
    except:
        pass
    blip = None
    blacklisted_ip_trie = trie.CharTrie()
    z = download_zipfile()
    if(z != None):
        try:
            with z.open(z.filelist[0].filename) as myfile:
                blip = myfile.read()
            blip = blip.decode()
            blip = blip.split('\n')
            for row in blip:
                re_obj = re.search(IP_PATTERN, row)
                if re_obj is not None:
                    matched_ip = row[re_obj.span()[0]:re_obj.span()[1]].split('\t')[0]
                    blacklisted_ip_trie[matched_ip] = True
            dump(blacklisted_ip_trie, BLACKLISTED_IP_TRIE_JOBLIB)
            print('* Blacklist IP Trie created.')
        except Exception as e:
            print('* ERROR IN CREATING BLACKLIST IP TRIE : ', e)
            sys.exit(1)
    else:
        print('* UNABLE TO UPDATE Blacklist IP Trie!!')
        sys.exit(1)
示例#43
0
文件: __init__.py 项目: jaseg/ponysay
def render_pony(name, text, balloonstyle, width=80, center=False, centertext=False):
	pony = load_pony(name)
	balloon = link_l = link_r = ''
	if text:
		[link_l, link_r] = balloonstyle[-2:]
	for i,line in enumerate(pony):
		match = re.search('\$balloon([0-9]*)\$', line)
		if match:
			minwidth = int(match.group(1) or '0')
			pony[i:i+1] = render_balloon(text, balloonstyle, minwidth=minwidth, maxwidth=int(width/2), pad=str.center if centertext else str.ljust)
			break
	try:
		first = pony.index('$$$')
		second = pony[first+1:].index('$$$')
		pony[first:] = pony[first+1+second+1:]
	except:
		pass
	pony = [ line.replace('$\\$', link_l).replace('$/$', link_r) for line in pony ]
	indent = ''
	if center:
		ponywidth = max([ len(re.sub(r'\x1B\[[0-9;]+m|\$.*\$', '', line)) for line in pony ])
		indent = ' '*int((width-ponywidth)/2)
	wre = re.compile('((\x1B\[[0-9;]+m)*.){0,%s}' % width)
	reset = '\n'
	return indent+(reset+indent).join([ wre.search(line).group() for line in pony ])+reset
示例#44
0
    def on_complete(self):
        if self.sigchanged:
            return True

        ret = False
        if self.found:
            ret = True
            if self.c2s:
                for c2 in self.c2s:
                    self.data.append({"C2": c2})

            if self.carve_mem:
                if "procmemory" in self.results and self.results["procmemory"]:
                    dump_path = str()
                    for process in self.results["procmemory"]:
                        if process["pid"] == int(self.found):
                            dump_path = process["file"]
                            break

                    if dump_path:
                        with open(dump_path, "rb") as dump_file:
                            cData = dump_file.read()
                        buf = re.search(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3},[\d.,]+)\x00", cData)
                        if buf:
                            for c2 in buf.group(1).split(","):
                                tmp = {"C2": c2}
                                if tmp not in self.data:
                                    self.data.append(tmp)

            if self.payment:
                for url in self.payment:
                    self.data.append({"Payment": url})

        return ret
示例#45
0
    def _add_http(self, conn, tcpdata):
        """Adds an HTTP flow.
        @param conn: TCP connection info.
        @param tcpdata: TCP data flow.
        """
        if tcpdata in self.http_requests:
            self.http_requests[tcpdata]["count"] += 1
            return True

        try:
            http = dpkt.http.Request()
            http.unpack(tcpdata)
        except dpkt.dpkt.UnpackError:
            pass

        try:
            entry = {"count": 1}

            if "host" in http.headers and re.match(
                    "^([A-Z0-9]|[A-Z0-9][A-Z0-9\-]{0,61}[A-Z0-9])(\.([A-Z0-9]|[A-Z0-9][A-Z0-9\-]{0,61}[A-Z0-9]))+(:[0-9]{1,5})?$",
                    http.headers["host"],
                    re.IGNORECASE,
            ):
                entry["host"] = convert_to_printable(http.headers["host"])
            else:
                entry["host"] = conn["dst"]

            if enabled_passlist:
                for reject in domain_passlist_re:
                    if re.search(reject, entry["host"]):
                        return False

            entry["port"] = conn["dport"]

            # Manually deal with cases when destination port is not the default one,
            # and it is  not included in host header.
            netloc = entry["host"]
            if entry["port"] != 80 and ":" not in netloc:
                netloc += ":" + str(entry["port"])

            entry["data"] = convert_to_printable(tcpdata)
            entry["uri"] = convert_to_printable(
                urlunparse(("http", netloc, http.uri, None, None, None)))
            entry["body"] = convert_to_printable(http.body)
            entry["path"] = convert_to_printable(http.uri)

            if "user-agent" in http.headers:
                entry["user-agent"] = convert_to_printable(
                    http.headers["user-agent"])
            else:
                entry["user-agent"] = ""

            entry["version"] = convert_to_printable(http.version)
            entry["method"] = convert_to_printable(http.method)

            self.http_requests[tcpdata] = entry
        except Exception:
            return False

        return True
示例#46
0
 def search(self, regex, flags=0, all=False):
     if all:
         result = dict()
         result["detail"] = []
         matches = []
         for map in self.address_space:
             for chunk in map["chunks"]:
                 self.dumpfile.seek(chunk["offset"])
                 match = re.finditer(regex, self.dumpfile.read(chunk["end"] - chunk["start"]), flags)
                 thismatch = []
                 try:
                     while True:
                         m = next(match)
                         thismatch.append(m)
                         matches.append(m.group(0))
                 except StopIteration:
                     pass
                 if thismatch:
                     result["detail"].append({"match": thismatch, "chunk": chunk})
         result["matches"] = matches
         return result
     else:
         for map in self.address_space:
             for chunk in map["chunks"]:
                 self.dumpfile.seek(chunk["offset"])
                 match = re.search(regex, self.dumpfile.read(chunk["end"] - chunk["start"]), flags)
                 if match:
                     result = dict()
                     result["match"] = match
                     result["chunk"] = chunk
                     return result
示例#47
0
def _content_matches_topic(content: str, topic: dict, assume_match: bool = False) -> bool:
    """Test whether the content matches the topic['pattern'] regex.

    Only check the first megabyte of the string to avoid the occasional very long regex check.

    Arguments:
    content - text content
    topic - topic dict from db
    assume_match - assume that the content matches

    Return:
    True if the content matches the topic pattern

    """
    if assume_match:
        return True

    if content is None:
        return False

    content = content[0:1024 * 1024]

    # for some reason I can't reproduce in dev, in production a small number of fields come from
    # the database into the stories fields or the text value produced in the query below in _story_matches_topic
    # as bytes objects, which re2.search chokes on
    if isinstance(content, bytes):
        content = content.decode('utf8', 'backslashreplace')

    return re2.search(topic['pattern'], content, flags=re2.I | re2.X | re2.S) is not None
示例#48
0
    def on_complete(self):
        if self.sigchanged:
            return True

        ret = False
        if self.found:
            ret = True
            if self.c2s:
                for c2 in self.c2s:
                    self.data.append({"C2": c2})

            if self.carve_mem:
                if "procmemory" in self.results and self.results["procmemory"]:
                    dump_path = str()
                    for process in self.results["procmemory"]:
                        if process["pid"] == int(self.found):
                            dump_path = process["file"]
                            break

                    if dump_path:
                        with open(dump_path, "rb") as dump_file:
                            cData = dump_file.read()
                        buf = re.search(r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3},[\d.,]+)\x00", cData)
                        if buf:
                            for c2 in buf.group(1).split(","):
                                tmp = {"C2": c2}
                                if tmp not in self.data:
                                    self.data.append(tmp)

            if self.payment:
                for url in self.payment:
                    self.data.append({"Payment": url})

        return ret
示例#49
0
    def run(self, info, **kwargs):
        #if not info.has_url_params and not info.has_post_params:
        #    return

        m_return = []

        if info.has_url_params:
            '''
            cookie_dict = Config.audit_config.cookie
            print cookie_dict
            if hasattr(cookie_dict, "iteritems"):
                    cookie_params = {
                        to_utf8(k): to_utf8(v) for k, v in cookie_dict.iteritems()
                    }
                    cookie_param = ';'.join(
                        '%s=%s' % (k ,v) for (k, v) in sorted(cookie_params.iteritems())
                    )

            print cookie_param
            print "GET"

            '''

            method = kwargs.get('method', None)
            if method is None or not isinstance(method, str):
                raise LalascanValueError("run plugin param has not method!")

            param = kwargs.get('param', None)
            if param is None or not isinstance(param, dict):
                raise LalascanValueError("run plugin param has not param!")

            for any_file_read_case in any_file_read_detect_test_cases:
                p, payload_resource = payload_muntants(
                    info,
                    payload={
                        'k': param['param_key'],
                        'pos': 1,
                        'payload': any_file_read_case['input'],
                        'type': 1
                    },
                    bmethod=method)
                if p is not None:
                    __ = re.search(any_file_read_case['target'], p.data)
                    if __ is not None:
                        vul = WebVulnerability(
                            target=payload_resource,
                            vulparam_point=param['param_key'],
                            method=method,
                            payload=any_file_read_case['input'],
                            injection_type="ANY_FILE_READ")
                        vulresult.put_nowait(vul)
                        logger.log_success(
                            '[!+>>>] found %s reflect xss vulnerable!' %
                            payload_resource.url)

                        return m_return

        # Send the results
        return m_return
示例#50
0
    def on_call(self, call, process):
        if call["api"] == "JsEval":
            buf = self.get_argument(call, "Javascript")
        else:
            buf = self.get_argument(call, "Script")

        if re.search("allowscriptaccess\s*?=\s*?[\x22\x27]?always", buf, re.I|re.M):
            return True
    def on_call(self, call, process):
        if call["api"] == "JsEval":
            buf = self.get_argument(call, "Javascript")
        else:
            buf = self.get_argument(call, "Script")

        if re.search(".*\<applet.*code[ \t\n]*=.*archive[ \t\n]*=.*\<\/applet\>.*", buf, re.IGNORECASE|re.DOTALL):
            return True
示例#52
0
    def on_call(self, call, process):
        if call["api"] == "JsEval":
            buf = self.get_argument(call, "Javascript")
        else:
            buf = self.get_argument(call, "Script")

        if re.search("application\/x\-silverlight.*?\<param name[ \t\n]*=.*?value[ \t\n]*=.*?\<\/object\>.*", buf, re.IGNORECASE|re.DOTALL):
            return True
示例#53
0
def check_stoplist(text):
    slist = cache_get('stoplist')
    if not slist:
        slist = load_stoplist()
    for s in slist:
        if re.search(s, text, re.I):
            return True
    return False
    def on_call(self, call, process):
        if call["api"] == "JsEval":
            buf = self.get_argument(call, "Javascript")
        else:
            buf = self.get_argument(call, "Script")

        if re.search("(Save|Write)ToFile(\(|\/).*?\.exe\".*?Run(\(|\/).*?\.exe\"", buf, re.IGNORECASE|re.DOTALL):
            return True
示例#55
0
    def check_user_conditions(self, item):
        """Checks an item's author against the defined requirements."""
        # if no user conditions are set, no need to check at all
        if not self.user_conditions:
            return True

        must_satisfy = self.user_conditions.get('must_satisfy', 'all')
        user = item.author

        for attr, compare in self.user_conditions.iteritems():
            if attr == 'must_satisfy':
                continue

            # extract the comparison operator
            operator = '='
            if not isinstance(compare, bool):
                operator_regex = '^(==?|<|>)'
                match = re.search(operator_regex, compare)
                if match:
                    operator = match.group(1)
                    compare = compare[len(operator):].strip()
                    if operator == '==':
                        operator = '='

            # convert rank to a numerical value
            if attr == 'rank':
                rank_values = {'user': 0, 'contributor': 1, 'moderator': 2}
                compare = rank_values[compare]

            if user:
                if attr == 'rank':
                    value = rank_values[get_user_rank(user, item.subreddit)]
                elif attr == 'account_age':
                    user_date = datetime.utcfromtimestamp(user.created_utc)
                    value = (datetime.utcnow() - user_date).days
                elif attr == 'combined_karma':
                    value = user.link_karma + user.comment_karma
                else:
                    value = getattr(user, attr, 0)
            else:
                value = 0
                
            if operator == '<':
                result = int(value) < int(compare)
            elif operator == '>':
                result = int(value) > int(compare)
            elif operator == '=':
                result = int(value) == int(compare)

            if result and must_satisfy == 'any':
                return True
            elif not result and must_satisfy == 'all':
                return False

        # if we reached this point, success depends on if this is any/all
        if must_satisfy == 'any' and not result:
            return False
        return True
示例#56
0
def filtercomments(source):
    """NOT USED: strips trailing comments and put them at the top."""
    trailing_comments = []
    comment = True

    while comment:
        if re.search(r'^\s*\/\*', source):
            comment = source[0, source.index('*/') + 2]
        elif re.search(r'^\s*\/\/', source):
            comment = re.search(r'^\s*\/\/', source).group(0)
        else:
            comment = None

        if comment:
            source = re.sub(r'^\s+', '', source[len(comment):])
            trailing_comments.append(comment)

    return '\n'.join(trailing_comments) + source
    def on_call(self, call, process):
        if call["api"] == "JsEval":
            buf = self.get_argument(call, "Javascript")
        else:
            buf = self.get_argument(call, "Script")

        if re.search('(Save|Write)ToFile(\(|\/).*?\.exe"', buf, re.IGNORECASE | re.DOTALL):
            self.data.append({"dropper_script": buf})
            return True
示例#58
0
def unpack(source):
    """Unpacks js code packed with MyObfuscate.com"""
    if not detect(source):
        return source
    payload = unquote(_filter(source))
    match = re.search(r"^var _escape\='<script>(.*)<\/script>'",
                      payload, re.DOTALL)
    polished = match.group(1) if match else source
    return CAVEAT + polished