def process(self, url, value):
s = requests.Session()
req = s.get(url)
self.display_message("Server answered: %s status code" %
req.status_code)
pattern = r'S=\'([a-zA-Z0-9\=]+)\''
cookie_sucuri = base64.b64decode(re.findall(pattern, req.content)[0])
cookie_sucuri = cookie_sucuri.replace('document.cookie', 'res')
cookie_sucuri = cookie_sucuri.replace('location.reload();', '')
# executing the javascript
rt = Runtime()
cx = rt.new_context()
result = cx.execute(cookie_sucuri)
self.display_message("Sucuri cookie: %s" % result)
cookie_sucuri = result.split('=')
cookies = {cookie_sucuri[0]: cookie_sucuri[1]}
data = {'domainName': value, 'domainResolved': '', 'resolveDomain': ''}
req = s.post(url, cookies=cookies, data=data)
self.display_message("Server answered: %s status code" %
req.status_code)
soup = BeautifulSoup(req.content, 'html.parser')
res = soup.find('input', attrs={'name': 'domainResolved'})['value']
if res:
return filter(None, res.split(', '))
else:
return None
def __init__(self, connection, name):
self._name = name
self._connection = connection
self._collections = {}
if Runtime is not None:
self._jsruntime = Runtime()
else:
self._jsruntime = None
def setUp(self):
rt = Runtime()
self.cx = rt.new_context()
self.x = []
def echo(arg):
self.x.append(arg)
return arg
self.cx.bind_callable("echo", echo)
def __init__(self, client, name, **__):
super(Database, self).__init__(client, name)
self._name = name
self._client = client
self._collections = {}
if Runtime is not None:
self._jsruntime = Runtime()
else:
self._jsruntime = None
def activate(self):
super(Hubot, self).activate()
self.process = HubotProcess(self)
self.rt = Runtime()
if not self.get('scripts', None):
self['scripts'] = {}
else:
for name, snippet in self['scripts'].iteritems():
logging.debug("Inserting %s... " % name)
self.add_snippet(name, snippet)
def setUp(self):
class Nonce: pass
class Window:
def __init__(self):
self.arg = Nonce()
self.window = self
self.name = "foobar"
self.val = 42
def foo(self, arg):
self.arg = arg
self.window = Window()
rt = Runtime()
self.cx = rt.new_context(self.window)
self.cx.bind_class(Nonce)
def setUp(self):
rt = Runtime()
self.cx = rt.new_context()
class spam:
def __init__(self):
self.args = []
self.val = 42
self._private = "no peeking"
def foo(self, *args):
self.args.append(args)
def _private_method(self): assert False
def __getitem__(self, key):
assert type(key) == IntType
self.args.append(key)
return self.val
def __setitem__(self, key, value):
assert type(key) == IntType
self.args.append((key, value))
self.val = value
self.cx.bind_class(spam)
self.spam = spam()
self.cx.bind_object("bs", self.spam)
def analyseJS(code):
'''
Search for obfuscated functions in the Javascript code
@param code: The Javascript code (string)
@return: List with analysis information of the Javascript code: [JSCode,unescapedBytes,urlsFound], where JSCode is a list with the several stages Javascript code, unescapedBytes is a list with the parameters of unescape functions, and urlsFound is a list with the URLs found in the unescaped bytes.
'''
error = ''
errors = []
JSCode = []
unescapedBytes = []
urlsFound = []
oldStdErr = sys.stderr
errorFile = open('jserror.log','w')
sys.stderr = errorFile
if code != None and JS_MODULE:
r = Runtime()
context = r.new_context()
while True:
evalFunctionsData = searchObfuscatedFunctions(code, 'eval')
originalElement = code
for evalFunctionData in evalFunctionsData:
if not evalFunctionData[2]:
modifiedCode = evalFunctionData[1][0].replace(evalFunctionData[0],'return')
code = originalElement.replace(evalFunctionData[1][0],modifiedCode)
else:
code = originalElement.replace(evalFunctionData[1][0],evalFunctionData[1][1]+';')
try:
executedJS = context.eval_script(code)
if executedJS == None:
raise exception
break
except:
if evalFunctionData[2]:
modifiedCode = evalFunctionData[1][0].replace(evalFunctionData[0],'return')
code = originalElement.replace(evalFunctionData[1][0],modifiedCode)
else:
code = originalElement.replace(evalFunctionData[1][0],evalFunctionData[1][1]+';')
try:
executedJS = context.eval_script(code)
if executedJS == None:
raise exception
except:
code = originalElement
continue
else:
break
if executedJS != originalElement and executedJS != None and executedJS != '':
code = executedJS
JSCode.append(code)
else:
break
if code != None:
escapedVars = re.findall('(\w*?)\s*?=\s*?(unescape\((.*?)\))', code, re.DOTALL)
for var in escapedVars:
bytes = var[2]
if bytes.find('+') != -1:
varContent = getVarContent(code, bytes)
if len(varContent) > 150:
ret = unescape(varContent)
if ret[0] != -1:
bytes = ret[1]
urls = re.findall('https?://.*$', bytes, re.DOTALL)
if bytes not in unescapedBytes:
unescapedBytes.append(bytes)
for url in urls:
if url not in urlsFound:
urlsFound.append(url)
else:
bytes = bytes[1:-1]
if len(bytes) > 150:
ret = unescape(bytes)
if ret[0] != -1:
bytes = ret[1]
urls = re.findall('https?://.*$', bytes, re.DOTALL)
if bytes not in unescapedBytes:
unescapedBytes.append(bytes)
for url in urls:
if url not in urlsFound:
urlsFound.append(url)
errorFile.close()
sys.stderr = oldStdErr
errorFileContent = open('jserror.log','r').read()
if errorFileContent != '' and errorFileContent.find('JavaScript error') != -1:
lines = errorFileContent.split(newLine)
for line in lines:
if line.find('JavaScript error') != -1 and line not in errors:
errors.append(line)
return [JSCode,unescapedBytes,urlsFound,errors]
def analyseJS(code):
'''
Search for obfuscated functions in the Javascript code
@param code: The Javascript code (string)
@return: List with analysis information of the Javascript code: [JSCode,unescapedBytes,urlsFound], where JSCode is a list with the several stages Javascript code, unescapedBytes is a list with the parameters of unescape functions, and urlsFound is a list with the URLs found in the unescaped bytes.
'''
errors = []
JSCode = []
unescapedBytes = []
urlsFound = []
oldStdErr = sys.stderr
errorFile = StringIO()
sys.stderr = errorFile
try:
scriptCode = re.findall(reJSscript, code, re.DOTALL | re.IGNORECASE)
if scriptCode != []:
for c in scriptCode:
code = unescapeHTMLEntities(c)
code = jsbeautifier.beautify(c)
JSCode.append(c)
else:
code_items = filter(
lambda x: re.match('^\s*\d+\s+\d+', x) == None, [
re.sub('^\s*\(', '',
re.sub('\)[^\)]+$', '',
a.split('JavaScript')[0]))
for a in re.split('/\s*JS', code)[1:]
])
if code_items != []:
for ci in code_items:
ci = ci.replace("\\\\", "\\").replace("\(", "(").replace(
"\)",
")").replace("\ ",
" ").replace("\\r",
"\r").replace("\\n", "\n")
ci = unescapeHTMLEntities(ci)
ci = jsbeautifier.beautify(ci)
JSCode.append(ci)
else:
code = unescapeHTMLEntities(code)
code = jsbeautifier.beautify(code)
JSCode.append(code)
for code in JSCode:
if code != None and JS_MODULE:
r = Runtime()
context = r.new_context()
while True:
evalFunctionsData = searchObfuscatedFunctions(code, 'eval')
originalElement = code
for evalFunctionData in evalFunctionsData:
if not evalFunctionData[2]:
modifiedCode = evalFunctionData[1][0].replace(
evalFunctionData[0], 'return')
code = originalElement.replace(
evalFunctionData[1][0], modifiedCode)
else:
code = originalElement.replace(
evalFunctionData[1][0],
evalFunctionData[1][1] + ';')
try:
executedJS = context.eval_script(code)
if executedJS == None:
raise Exception
break
except:
if evalFunctionData[2]:
modifiedCode = evalFunctionData[1][0].replace(
evalFunctionData[0], 'return')
code = originalElement.replace(
evalFunctionData[1][0], modifiedCode)
else:
code = originalElement.replace(
evalFunctionData[1][0],
evalFunctionData[1][1] + ';')
try:
executedJS = context.eval_script(code)
if executedJS == None:
raise Exception
except:
code = originalElement
continue
else:
break
if executedJS != originalElement and executedJS != None and executedJS != '':
code = executedJS
JSCode.append(code)
else:
break
if code != None:
escapedVars = re.findall(
'(\w*?)\s*?=\s*?(unescape\((.*?)\))', code, re.DOTALL)
for var in escapedVars:
bytes = var[2]
if bytes.find('+') != -1:
varContent = getVarContent(code, bytes)
if len(varContent) > 150:
ret = unescape(varContent)
if ret[0] != -1:
bytes = ret[1]
urls = re.findall('https?://.*$', bytes,
re.DOTALL)
if bytes not in unescapedBytes:
unescapedBytes.append(bytes)
for url in urls:
if url not in urlsFound:
urlsFound.append(url)
else:
bytes = bytes[1:-1]
if len(bytes) > 150:
ret = unescape(bytes)
if ret[0] != -1:
bytes = ret[1]
urls = re.findall('https?://.*$', bytes,
re.DOTALL)
if bytes not in unescapedBytes:
unescapedBytes.append(bytes)
for url in urls:
if url not in urlsFound:
urlsFound.append(url)
except Exception, e:
errors.append('Unknown error!! [%s]' % e)
def setUp(self):
rt = Runtime()
self.cx = rt.new_context()
def _get_runtime(self):
return Runtime()
