示例#1
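async def test_direct_upload():
    """Out-of-band XXE through an uploaded XML file is reported only after finish().

    The request carries two file parameters (``foo`` and ``calendar``). The
    mocked callback endpoint returns a single hit keyed by path id ``"8"`` and
    by ``63616c656e646172`` (the hex encoding of ``calendar``), so the finding
    must be attributed to the ``calendar`` parameter.

    NOTE(review): despite the name, the target is the ``outofband`` upload
    script. The decorators are not visible here; this presumably runs under
    respx mocking so the wapiti3.ovh lookup never leaves the test host - confirm.
    """
    # Let traffic to the local test server through; everything else is mocked.
    respx.route(host="127.0.0.1").pass_through()
    persister = AsyncMock()
    request = Request("http://127.0.0.1:65084/xxe/outofband/upload.php",
                      file_params=[[
                          "foo",
                          ("bar.xml", "<xml>test</xml>", "application/xml")
                      ],
                                   [
                                       "calendar",
                                       ("calendar.xml", "<xml>test</xml>",
                                        "application/xml")
                                   ]])
    request.path_id = 8
    persister.get_path_by_id.return_value = request
    crawler = AsyncCrawler("http://127.0.0.1:65084/")
    try:
        options = {
            "timeout": 10,
            "level": 1,
            "external_endpoint": "http://wapiti3.ovh/",
            "internal_endpoint": "http://wapiti3.ovh/"
        }
        logger = Mock()

        module = mod_xxe(crawler, persister, logger, options, Event())

        await module.attack(request)

        # The callback report is only fetched by finish(), so registering the
        # mock after attack() is still early enough.
        respx.get(
            "http://wapiti3.ovh/get_xxe.php?session_id=" + module._session_id
        ).mock(return_value=httpx.Response(
            200,
            json={
                "8": {
                    "63616c656e646172": [{
                        "date": "2019-08-17T16:52:41+00:00",
                        "url":
                        "https://wapiti3.ovh/xxe_data/yolo/8/63616c656e646172/31337-0-192.168.2.1.txt",
                        "ip": "192.168.2.1",
                        "size": 999,
                        "payload": "linux2"
                    }]
                }
            }))

        # Nothing may be reported before the endpoint has been polled.
        assert not persister.add_payload.call_count
        await module.finish()

        assert persister.add_payload.call_count
        assert persister.add_payload.call_args_list[0][1][
            "parameter"] == "calendar"
    finally:
        # Close the HTTP client even when an assertion above fails.
        await crawler.close()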
示例#2
def test_direct_query_string():
    """Direct XXE injected through the whole query string must be flagged.

    Runs at level 2 with POST attacks disabled and expects the first recorded
    vulnerability to name the pseudo-parameter ``QUERY_STRING``.
    """
    store = FakePersister()

    target = Request("http://127.0.0.1:65084/xxe/direct/qs.php")
    target.path_id = 42

    http = Crawler("http://127.0.0.1:65084/")
    settings = {"timeout": 10, "level": 2}
    scanner = mod_xxe(http, store, Mock(), settings)
    scanner.do_post = False
    scanner.attack(target)

    findings = store.vulnerabilities
    assert len(findings)
    first_parameter = findings[0][0]
    assert first_parameter == "QUERY_STRING"
示例#3
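async def test_out_of_band_body():
    """Out-of-band XXE through the raw POST body is reported only after finish().

    The mocked callback endpoint returns one hit keyed by path id ``"42"`` and
    by ``72617720626f6479`` (the hex encoding of ``raw body``). After
    ``finish()`` the finding must name the ``raw body`` parameter and the
    recorded request body must contain the payload name ``linux2``.

    NOTE(review): the decorators are not visible here; this presumably runs
    under respx mocking so the wapiti3.ovh lookup never leaves the test host -
    confirm.
    """
    # Let traffic to the local test server through; everything else is mocked.
    respx.route(host="127.0.0.1").pass_through()

    persister = AsyncMock()
    request = Request("http://127.0.0.1:65084/xxe/outofband/body.php",
                      method="POST",
                      post_params=[["placeholder", "yolo"]])
    request.path_id = 42
    # get_path_by_id is the only persister lookup stubbed here. An AsyncMock has
    # no request list to fill, and calling one of its attributes without await
    # would only create a never-awaited coroutine.
    persister.get_path_by_id.return_value = request

    crawler = AsyncCrawler("http://127.0.0.1:65084/")
    try:
        options = {
            "timeout": 10,
            "level": 1,
            "external_endpoint": "http://wapiti3.ovh/",
            "internal_endpoint": "http://wapiti3.ovh/"
        }
        logger = Mock()

        module = mod_xxe(crawler, persister, logger, options, Event())

        # NOTE(review): the fixture URL embeds path id 3 while the record is
        # keyed under "42"; the assertions below do not read the URL field.
        respx.get(
            "http://wapiti3.ovh/get_xxe.php?session_id=" + module._session_id
        ).mock(return_value=httpx.Response(
            200,
            json={
                "42": {
                    "72617720626f6479": [{
                        "date": "2019-08-17T16:52:41+00:00",
                        "url":
                        "https://wapiti3.ovh/xxe_data/yolo/3/72617720626f6479/31337-0-192.168.2.1.txt",
                        "ip": "192.168.2.1",
                        "size": 999,
                        "payload": "linux2"
                    }]
                }
            }))

        module.do_post = False
        await module.attack(request)

        # Nothing may be reported before the endpoint has been polled.
        assert not persister.add_payload.call_count
        await module.finish()
        assert persister.add_payload.call_count
        assert persister.add_payload.call_args_list[0][1][
            "parameter"] == "raw body"
        assert "linux2" in persister.add_payload.call_args_list[0][1][
            "request"].post_params
    finally:
        # Close the HTTP client even when an assertion above fails.
        await crawler.close()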
示例#4
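async def test_direct_query_string():
    """Direct XXE through the whole query string is reported by attack() itself.

    Runs at level 2 with POST attacks disabled. No callback endpoint is
    configured, so the finding must already be recorded when ``attack()``
    returns, under the pseudo-parameter ``QUERY_STRING``.
    """
    persister = AsyncMock()
    request = Request("http://127.0.0.1:65084/xxe/direct/qs.php")
    request.path_id = 42
    crawler = AsyncCrawler("http://127.0.0.1:65084/")
    try:
        options = {"timeout": 10, "level": 2}

        module = mod_xxe(crawler, persister, options, Event())
        module.do_post = False
        await module.attack(request)

        assert persister.add_payload.call_count
        assert persister.add_payload.call_args_list[0][1][
            "parameter"] == "QUERY_STRING"
    finally:
        # Close the HTTP client even when an assertion above fails.
        await crawler.close()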
示例#5
def test_direct_upload():
    """Out-of-band XXE through an uploaded XML file shows up only after finish().

    The mocked callback report is keyed by path id ``"8"`` and by
    ``63616c656e646172`` (the hex encoding of ``calendar``), so the first
    recorded vulnerability must name the ``calendar`` file parameter.

    NOTE(review): despite the name, the target is the ``outofband`` upload
    script. The ``responses`` activation decorator is not visible here - confirm
    it is applied so the wapiti3.ovh lookup stays mocked.
    """
    store = FakePersister()

    uploads = [
        ["foo", ["bar.xml", "<xml>test</xml>"]],
        ["calendar", ["calendar.xml", "<xml>test</xml>"]]
    ]
    target = Request(
        "http://127.0.0.1:65084/xxe/outofband/upload.php",
        file_params=uploads
    )
    target.path_id = 8
    store.requests.append(target)

    http = Crawler("http://127.0.0.1:65084/")
    settings = {
        "timeout": 10,
        "level": 1,
        "external_endpoint": "http://wapiti3.ovh/",
        "internal_endpoint": "http://wapiti3.ovh/"
    }
    scanner = mod_xxe(http, store, Mock(), settings)

    # Drain the attack generator; the yielded values are not needed.
    for _step in scanner.attack():
        continue

    # One recorded callback for the "calendar" parameter of path 8.
    callback_hit = {
        "date": "2019-08-17T16:52:41+00:00",
        "url": "https://wapiti3.ovh/xxe_data/yolo/8/63616c656e646172/31337-0-192.168.2.1.txt",
        "ip": "192.168.2.1",
        "size": 999,
        "payload": "linux2"
    }
    responses.add(
        responses.GET,
        "http://wapiti3.ovh/get_xxe.php?id=" + scanner._session_id,
        json={"8": {"63616c656e646172": [callback_hit]}}
    )

    # Nothing may be reported before the endpoint has been polled.
    assert not store.vulnerabilities
    scanner.finish()

    assert len(store.vulnerabilities)
    assert store.vulnerabilities[0][0] == "calendar"
示例#6
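async def test_direct_param():
    """Direct XXE must be attributed to ``vuln``, not to the benign ``foo``.

    The URL carries two query parameters. The first recorded finding has to
    name ``vuln``; a first finding on ``foo`` would be a false positive.
    """
    # check for false positives too
    persister = AsyncMock()
    request = Request(
        "http://127.0.0.1:65084/xxe/direct/param.php?foo=bar&vuln=yolo")
    request.path_id = 42
    crawler = AsyncCrawler("http://127.0.0.1:65084/")
    try:
        options = {"timeout": 10, "level": 1}

        module = mod_xxe(crawler, persister, options, Event())
        module.do_post = False
        await module.attack(request)

        assert persister.add_payload.call_count
        assert persister.add_payload.call_args_list[0][1]["parameter"] == "vuln"
    finally:
        # Close the HTTP client even when an assertion above fails.
        await crawler.close()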
示例#7
def test_direct_param():
    """Direct XXE must be attributed to ``vuln``, not to the benign ``foo``.

    The URL carries two query parameters. The first recorded vulnerability has
    to name ``vuln``; a first finding on ``foo`` would be a false positive.
    """
    # check for false positives too
    store = FakePersister()

    target = Request(
        "http://127.0.0.1:65084/xxe/direct/param.php?foo=bar&vuln=yolo")
    target.path_id = 42

    http = Crawler("http://127.0.0.1:65084/")
    settings = {"timeout": 10, "level": 1}
    scanner = mod_xxe(http, store, Mock(), settings)
    scanner.do_post = False
    scanner.attack(target)

    findings = store.vulnerabilities
    assert len(findings)
    first_parameter = findings[0][0]
    assert first_parameter == "vuln"
示例#8
def test_out_of_band_body():
    """Out-of-band XXE through the raw POST body shows up only after finish().

    The mocked callback report is keyed by path id ``"42"`` and by
    ``72617720626f6479`` (the hex encoding of ``raw body``). After ``finish()``
    the first vulnerability must name ``raw body`` and its second field must
    contain the payload name ``linux2``.

    NOTE(review): the ``responses`` activation decorator is not visible here -
    confirm it is applied so the wapiti3.ovh lookup stays mocked.
    """
    store = FakePersister()

    target = Request(
        "http://127.0.0.1:65084/xxe/outofband/body.php",
        method="POST",
        post_params=[["placeholder", "yolo"]]
    )
    target.path_id = 42
    store.requests.append(target)

    http = Crawler("http://127.0.0.1:65084/")
    settings = {
        "timeout": 10,
        "level": 1,
        "external_endpoint": "http://wapiti3.ovh/",
        "internal_endpoint": "http://wapiti3.ovh/"
    }
    scanner = mod_xxe(http, store, Mock(), settings)

    # NOTE(review): the fixture URL embeds path id 3 while the record is keyed
    # under "42"; the assertions below do not read the URL field.
    callback_hit = {
        "date": "2019-08-17T16:52:41+00:00",
        "url": "https://wapiti3.ovh/xxe_data/yolo/3/72617720626f6479/31337-0-192.168.2.1.txt",
        "ip": "192.168.2.1",
        "size": 999,
        "payload": "linux2"
    }
    responses.add(
        responses.GET,
        "http://wapiti3.ovh/get_xxe.php?id=" + scanner._session_id,
        json={"42": {"72617720626f6479": [callback_hit]}}
    )

    scanner.do_post = False
    # Drain the attack generator; the yielded values are not needed.
    for _step in scanner.attack():
        continue

    # Nothing may be reported before the endpoint has been polled.
    assert not store.vulnerabilities
    scanner.finish()
    assert store.vulnerabilities
    assert store.vulnerabilities[0][0] == "raw body"
    assert "linux2" in store.vulnerabilities[0][1]
示例#9
def test_direct_body():
    """Direct XXE through the raw POST body must be flagged.

    The first recorded vulnerability has to name ``raw body`` and its second
    field has to reference ``/etc/passwd``.
    """
    store = FakePersister()

    target = Request("http://127.0.0.1:65084/xxe/direct/body.php",
                     method="POST",
                     post_params=[["placeholder", "yolo"]])
    target.path_id = 42

    http = Crawler("http://127.0.0.1:65084/")
    settings = {"timeout": 10, "level": 1}
    scanner = mod_xxe(http, store, Mock(), settings)

    scanner.attack(target)

    assert len(store.vulnerabilities)
    assert store.vulnerabilities[0][0] == "raw body"
    assert "/etc/passwd" in store.vulnerabilities[0][1]
示例#10
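async def test_out_of_band_param():
    """Out-of-band XXE through a GET parameter is reported only after finish().

    The mocked callback endpoint returns one hit keyed by path id ``"7"`` and
    by ``76756c6e`` (the hex encoding of ``vuln``). After ``finish()`` the
    finding must name ``vuln`` and the recorded request must carry the payload
    name ``linux2`` in that parameter's value.

    NOTE(review): the decorators are not visible here; this presumably runs
    under respx mocking so the wapiti3.ovh lookup never leaves the test host -
    confirm.
    """
    # Let traffic to the local test server through; everything else is mocked.
    respx.route(host="127.0.0.1").pass_through()

    persister = AsyncMock()
    request = Request(
        "http://127.0.0.1:65084/xxe/outofband/param.php?foo=bar&vuln=yolo")
    request.path_id = 7
    persister.get_path_by_id.return_value = request
    crawler = AsyncCrawler("http://127.0.0.1:65084/")
    try:
        options = {
            "timeout": 10,
            "level": 1,
            "external_endpoint": "http://wapiti3.ovh/",
            "internal_endpoint": "http://wapiti3.ovh/"
        }
        logger = Mock()

        module = mod_xxe(crawler, persister, logger, options, Event())

        respx.get(
            "http://wapiti3.ovh/get_xxe.php?session_id=" + module._session_id
        ).mock(return_value=httpx.Response(
            200,
            json={
                "7": {
                    "76756c6e": [{
                        "date": "2019-08-17T16:52:41+00:00",
                        "url":
                        "https://wapiti3.ovh/xxe_data/yolo/7/76756c6e/31337-0-192.168.2.1.txt",
                        "ip": "192.168.2.1",
                        "size": 999,
                        "payload": "linux2"
                    }]
                }
            }))

        module.do_post = False
        await module.attack(request)

        # Nothing may be reported before the endpoint has been polled.
        assert not persister.add_payload.call_count
        await module.finish()
        assert persister.add_payload.call_count
        assert persister.add_payload.call_args_list[0][1]["parameter"] == "vuln"
        assert "linux2" in dict(persister.add_payload.call_args_list[0][1]
                                ["request"].get_params)["vuln"]
    finally:
        # Close the HTTP client even when an assertion above fails.
        await crawler.close()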
示例#11
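async def test_out_of_band_query_string():
    """Out-of-band XXE through the query string is reported only after finish().

    Runs at level 2 with POST attacks disabled. The mocked callback endpoint
    returns one hit keyed by path id ``"4"`` and by
    ``51554552595f535452494e47`` (the hex encoding of ``QUERY_STRING``), so the
    finding must name the pseudo-parameter ``QUERY_STRING``.

    NOTE(review): the decorators are not visible here; this presumably runs
    under respx mocking so the wapiti3.ovh lookup never leaves the test host -
    confirm.
    """
    # Let traffic to the local test server through; everything else is mocked.
    respx.route(host="127.0.0.1").pass_through()

    persister = AsyncMock()
    request = Request("http://127.0.0.1:65084/xxe/outofband/qs.php")
    request.path_id = 4
    persister.get_path_by_id.return_value = request
    crawler = AsyncCrawler("http://127.0.0.1:65084/")
    try:
        options = {
            "timeout": 10,
            "level": 2,
            "external_endpoint": "http://wapiti3.ovh/",
            "internal_endpoint": "http://wapiti3.ovh/"
        }
        logger = Mock()

        module = mod_xxe(crawler, persister, logger, options, Event())
        module.do_post = False
        await module.attack(request)

        # The callback report is only fetched by finish(), so registering the
        # mock after attack() is still early enough.
        respx.get(
            "http://wapiti3.ovh/get_xxe.php?session_id=" + module._session_id
        ).mock(return_value=httpx.Response(
            200,
            json={
                "4": {
                    "51554552595f535452494e47": [{
                        "date": "2019-08-17T16:52:41+00:00",
                        "url":
                        "https://wapiti3.ovh/xxe_data/yolo/4/51554552595f535452494e47/31337-0-192.168.2.1.txt",
                        "ip": "192.168.2.1",
                        "size": 999,
                        "payload": "linux2"
                    }]
                }
            }))

        # Nothing may be reported before the endpoint has been polled.
        assert not persister.add_payload.call_count
        await module.finish()

        assert persister.add_payload.call_count
        assert persister.add_payload.call_args_list[0][1][
            "parameter"] == "QUERY_STRING"
    finally:
        # Close the HTTP client even when an assertion above fails.
        await crawler.close()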
示例#12
def test_out_of_band_param():
    """Out-of-band XXE through a GET parameter shows up only after finish().

    The mocked callback report is keyed by path id ``"7"`` and by ``76756c6e``
    (the hex encoding of ``vuln``). After ``finish()`` the first vulnerability
    must name ``vuln`` and its second field must contain the payload name
    ``linux2``.

    NOTE(review): the ``responses`` activation decorator is not visible here -
    confirm it is applied so the wapiti3.ovh lookup stays mocked.
    """
    store = FakePersister()

    target = Request("http://127.0.0.1:65084/xxe/outofband/param.php?foo=bar&vuln=yolo")
    target.path_id = 7
    store.requests.append(target)

    http = Crawler("http://127.0.0.1:65084/")
    settings = {
        "timeout": 10,
        "level": 1,
        "external_endpoint": "http://wapiti3.ovh/",
        "internal_endpoint": "http://wapiti3.ovh/"
    }
    scanner = mod_xxe(http, store, Mock(), settings)

    # One recorded callback for the "vuln" parameter of path 7.
    callback_hit = {
        "date": "2019-08-17T16:52:41+00:00",
        "url": "https://wapiti3.ovh/xxe_data/yolo/7/76756c6e/31337-0-192.168.2.1.txt",
        "ip": "192.168.2.1",
        "size": 999,
        "payload": "linux2"
    }
    responses.add(
        responses.GET,
        "http://wapiti3.ovh/get_xxe.php?id=" + scanner._session_id,
        json={"7": {"76756c6e": [callback_hit]}}
    )

    scanner.do_post = False
    # Drain the attack generator; the yielded values are not needed.
    for _step in scanner.attack():
        continue

    # Nothing may be reported before the endpoint has been polled.
    assert not store.vulnerabilities
    scanner.finish()
    assert store.vulnerabilities
    assert store.vulnerabilities[0][0] == "vuln"
    assert "linux2" in store.vulnerabilities[0][1]
示例#13
def test_direct_upload():
    """Direct XXE through an uploaded XML file must be flagged on ``calendar``.

    The request carries two file parameters (``foo`` and ``calendar``); the
    first recorded vulnerability has to name ``calendar``. No callback endpoint
    is configured, so ``finish()`` is not involved.
    """
    store = FakePersister()

    uploads = [["foo", ["bar.xml", "<xml>test</xml>"]],
               ["calendar", ["calendar.xml", "<xml>test</xml>"]]]
    target = Request(
        "http://127.0.0.1:65080/xxe/direct/upload.php",
        file_params=uploads)
    target.path_id = 42
    store.requests.append(target)

    http = Crawler("http://127.0.0.1:65080/")
    settings = {"timeout": 10, "level": 1}
    scanner = mod_xxe(http, store, Mock(), settings)

    # Drain the attack generator; the yielded values are not needed.
    for _step in scanner.attack():
        continue

    assert len(store.vulnerabilities)
    assert store.vulnerabilities[0][0] == "calendar"
示例#14
def test_out_of_band_query_string():
    """Out-of-band XXE through the query string shows up only after finish().

    Runs at level 2 with POST attacks disabled. The mocked callback report is
    keyed by path id ``"4"`` and by ``51554552595f535452494e47`` (the hex
    encoding of ``QUERY_STRING``), so the first vulnerability must name the
    pseudo-parameter ``QUERY_STRING``.

    NOTE(review): the ``responses`` activation decorator is not visible here -
    confirm it is applied so the wapiti3.ovh lookup stays mocked.
    """
    store = FakePersister()

    target = Request("http://127.0.0.1:65084/xxe/outofband/qs.php")
    target.path_id = 4
    store.requests.append(target)

    http = Crawler("http://127.0.0.1:65084/")
    settings = {
        "timeout": 10,
        "level": 2,
        "external_endpoint": "http://wapiti3.ovh/",
        "internal_endpoint": "http://wapiti3.ovh/"
    }
    scanner = mod_xxe(http, store, Mock(), settings)
    scanner.do_post = False
    # Drain the attack generator; the yielded values are not needed.
    for _step in scanner.attack():
        continue

    # One recorded callback for the whole query string of path 4.
    callback_hit = {
        "date": "2019-08-17T16:52:41+00:00",
        "url": "https://wapiti3.ovh/xxe_data/yolo/4/51554552595f535452494e47/31337-0-192.168.2.1.txt",
        "ip": "192.168.2.1",
        "size": 999,
        "payload": "linux2"
    }
    responses.add(
        responses.GET,
        "http://wapiti3.ovh/get_xxe.php?id=" + scanner._session_id,
        json={"4": {"51554552595f535452494e47": [callback_hit]}}
    )

    # Nothing may be reported before the endpoint has been polled.
    assert not store.vulnerabilities
    scanner.finish()

    assert len(store.vulnerabilities)
    assert store.vulnerabilities[0][0] == "QUERY_STRING"
示例#15
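async def test_direct_body():
    """Direct XXE through the raw POST body is reported by attack() itself.

    Checks the metadata of the first recorded finding: module ``xxe``, the
    translated category ``XML External Entity``, parameter ``raw body``, and a
    recorded request body that references ``/etc/passwd``.
    """
    persister = AsyncMock()
    request = Request("http://127.0.0.1:65084/xxe/direct/body.php",
                      method="POST",
                      post_params=[["placeholder", "yolo"]])
    request.path_id = 42
    crawler = AsyncCrawler("http://127.0.0.1:65084/")
    try:
        options = {"timeout": 10, "level": 1}

        module = mod_xxe(crawler, persister, options, Event())

        await module.attack(request)

        assert persister.add_payload.call_count
        assert persister.add_payload.call_args_list[0][1]["module"] == "xxe"
        assert persister.add_payload.call_args_list[0][1]["category"] == _(
            "XML External Entity")
        assert persister.add_payload.call_args_list[0][1][
            "parameter"] == "raw body"
        assert "/etc/passwd" in persister.add_payload.call_args_list[0][1][
            "request"].post_params
    finally:
        # Close the HTTP client even when an assertion above fails.
        await crawler.close()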