def GET2POST(self, vuln):
    """
    Return a copy of *vuln* whose mutant sends its parameters via HTTP POST.

    The vulnerability is deep-copied first, so the object passed in by the
    caller is never modified. When the copy's mutant uses a method other
    than POST, it is replaced by a PostDataMutant wrapping a new
    FuzzableRequest. That request reuses the old mutant's get_url(),
    headers and cookie, and carries the old query string as post-data.

    :param vuln: The vulnerability whose mutant should be converted.
    :return: The deep copy; it is returned untouched when it has no mutant
             or when its mutant already uses POST.
    """
    converted = copy.deepcopy(vuln)
    current = converted.get_mutant()

    # Some findings carry no mutant at all (php_sca): nothing to convert.
    if current is None:
        return converted

    # Already sent as POST, so the copy can be returned as it is.
    if current.get_method() == 'POST':
        return converted

    # A PostDataMutant makes it easy to change the values that travel in
    # the HTTP post-data. Headers and cookie are carried over so the new
    # request keeps the same context as the one it replaces.
    post_request = FuzzableRequest(current.get_url(),
                                   headers=current.get_headers(),
                                   method='POST',
                                   cookie=current.get_cookie(),
                                   post_data=current.get_uri().querystring)
    converted.set_mutant(PostDataMutant(post_request))
    return converted
def create_vuln(self):
    """
    Build the vulnerability object for this file upload template.

    The parent class creates the base vulnerability. This method then
    attaches a PostDataMutant whose data container is a multipart form:
    one file input per name in self.file_vars, plus one text input for
    every other token found in self.data.

    :return: The vulnerability, with 'file_vars' and 'file_dest' stored in
             it and the multipart mutant set.
    """
    vuln = super(FileUploadTemplate, self).create_vuln()

    form_params = FormParameters()

    for file_var in self.file_vars:
        form_params.add_file_input([("name", file_var), ("type", "file")])

    for token in self.data.iter_tokens():
        token_name = token.get_name()
        # File variables were already added as file inputs above, so only
        # the remaining tokens become text inputs.
        if token_name not in self.file_vars:
            form_params.add_input([("name", token_name),
                                   ("type", "text"),
                                   ("value", token.get_value())])

    multipart = MultipartContainer(form_params)
    upload_request = FuzzableRequest(self.url, method=self.method,
                                     post_data=multipart)

    mutant = PostDataMutant(upload_request)
    mutant.set_dc(multipart)
    mutant.set_token((self.vulnerable_parameter, 0))

    # User configured settings
    vuln['file_vars'] = self.file_vars
    vuln['file_dest'] = self.file_dest

    vuln.set_mutant(mutant)
    return vuln
def test_found_at(self):
    """
    found_at() must name the URL, the HTTP method, the post-data that was
    sent and the parameter that was modified.
    """
    post_form = Form()
    for field_name in ("username", "address"):
        post_form.add_input([("name", field_name), ("value", "")])

    request = HTTPPostDataRequest(URL('http://www.w3af.com/?id=3'),
                                  dc=post_form,
                                  method='PUT')
    mutant = PostDataMutant(request)
    mutant.set_var('username')

    # The query string (?id=3) stays in the reported URL; only the form
    # fields show up as post-data.
    expected = ('"http://www.w3af.com/?id=3", using HTTP method PUT. '
                'The sent post-data was: "username=&address=" '
                'which modifies the "username" parameter.')

    self.assertEqual(mutant.found_at(), expected)
def test_found_at(self):
    """
    found_at() must name the URL, the HTTP method, the post-data that was
    sent and the parameter selected through the data container's token.
    """
    form_params = FormParameters()
    for field_name in ("username", "address"):
        form_params.add_field_by_attr_items([("name", field_name),
                                             ("value", "")])

    encoded_form = URLEncodedForm(form_params)
    request = FuzzableRequest(URL('http://www.w3af.com/?id=3'),
                              post_data=encoded_form,
                              method='PUT')

    mutant = PostDataMutant(request)
    mutant.get_dc().set_token(('username', 0))

    # The query string (?id=3) stays in the reported URL; only the form
    # fields show up as post-data.
    expected = ('"http://www.w3af.com/?id=3", using HTTP method PUT. '
                'The sent post-data was: "username=&address=" '
                'which modifies the "username" parameter.')

    self.assertEqual(mutant.found_at(), expected)
def test_should_inject_form_hidden(self):
    """
    _should_inject() must refuse the visible text field and accept the
    hidden field of the same form when called with 'python'.
    """
    form_params = FormParameters()
    fields = (("username", "text"), ("csrf_token", "hidden"))
    for field_name, field_type in fields:
        form_params.add_field_by_attr_items([("name", field_name),
                                             ("type", field_type)])

    encoded_form = URLEncodedForm(form_params)
    request = FuzzableRequest(URL('http://www.w3af.com/'),
                              post_data=encoded_form,
                              method='PUT')
    mutant = PostDataMutant(request)

    # Token on the text input: the plugin is expected not to inject.
    mutant.get_dc().set_token(('username', 0))
    self.assertFalse(self.plugin._should_inject(mutant, 'python'))

    # Same mutant, token moved to the hidden input: injection expected.
    mutant.get_dc().set_token(('csrf_token', 0))
    self.assertTrue(self.plugin._should_inject(mutant, 'python'))
def form_pointer_factory(freq):
    """
    Wrap *freq* in the mutant type that matches where its form data lives.

    :param freq: The request to wrap.
    :return: A QSMutant when the query string of the request URI is a Form
             instance, otherwise a PostDataMutant.
    """
    query_string = freq.get_uri().querystring
    mutant_class = QSMutant if isinstance(query_string, Form) else PostDataMutant
    return mutant_class(freq)