POST requests detected, WIP: cookie for post, scanners for post

master
swisskyrepo 2016-12-29 20:03:58 +01:00
parent 6bc3910d60
commit e6d1bd7a86
3 changed files with 89 additions and 21 deletions


@ -25,9 +25,9 @@ function extract_domain(url){
* @param string(impact) - aggressivity of the scan from 0 to 5
*
*/
function send_target(server, url, deep, impact, cookies){
function send_target(server, url, deep, impact, cookies, method, data){
var http = new XMLHttpRequest();
infos = server + "/?url=" + url + "&deep="+ deep + "&impact=" + impact + "&cookies=" + cookies + "&useragent=" + navigator.userAgent;
infos = server + "/?url=" + url + "&deep="+ deep + "&impact=" + impact + "&cookies=" + cookies + "&useragent=" + navigator.userAgent + "&method=" + method + "&data="+ data;
// Display the informations sent by the scanner
http.onreadystatechange = function() {
@ -86,10 +86,46 @@ function send_target(server, url, deep, impact, cookies){
chrome.storage.sync.set({'rce':0, 'xss': 0, 'sql': 0, 'lfi': 0, 'work': 0, 'list':'' })
// Handle POST scan
chrome.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
if (request.type == "scan_plz" && request.data != ''){
// Start a POST scan with the url and the cookies
send_target(config_server, escape(request.url), 0, 0, escape(request.cookie), 'POST', escape(request.data));
}
});
// Launch a scan when the tab change - Submit a form / Open new URL from bar
chrome.tabs.onUpdated.addListener(function(tabId,changeInfo, tab) {
if(changeInfo.status == 'complete'){
// Inject this function into the page to catch a submit event for every forms
function inject_onsubmit(){
for (var i = 0; i < document.forms.length ; i++) {
document.forms[i].addEventListener('submit', function(){
// Detect value of inputs of the form
post_data = '';
for (var j = 0; j < document.forms[i-1].elements.length -1; j++) {
post_data += (document.forms[i-1].elements[j].name+":"+document.forms[i-1].elements[j].value+"|");
}
// Send data to this plugin (POST Scan)
if(post_data != ''){
console.log(post_data);
chrome.runtime.sendMessage({type: "scan_plz", data:post_data, url:document.location.href, cookie:document.cookie}, function() {});
}
});
}
}
chrome.tabs.executeScript({code: '(' + inject_onsubmit + ')();'}, (results) => {});
// Get the information of the updated tab
chrome.tabs.get(tabId, function(tab){
// Handle start/stop button
@ -99,17 +135,19 @@ chrome.tabs.onUpdated.addListener(function(tabId,changeInfo, tab) {
// Extract cookies from the domain
var cookies_string = "";
chrome.cookies.getAll({ 'domain': extract_domain(tab.url)}, function(cookies) {
// Custom cookie string with all cookies from the domain
for (var i = 0; i < cookies.length; i++) {
cookies_string += ("name:" + cookies[i].name + "|value:" + cookies[i].value+"\n");
}
// Start a scan with the url and the cookies
send_target(config_server, escape(tab.url), 0, 0, escape((cookies_string)) );
// Start a GET scan with the url and the cookies
send_target(config_server, escape(tab.url), 0, 0, escape(cookies_string), 'GET', '');
});
}
});
});
}
});
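Review bot: The submit handler added in the second hunk reads the loop variable `i` when the event fires (`document.forms[i-1]` in the `post_data` loop), by which time the `for` loop has finished and `i === document.forms.length`, so every form's handler serialises the last form on the page rather than the one actually submitted, and `elements.length - 1` then drops that form's final element whatever it is. Using the submit event's target instead of the captured index removes the dependency on `i` (rewrite below); whether the last element is meant to be skipped should be confirmed. The listener also stacks: `chrome.tabs.onUpdated` fires with `status == 'complete'` on every load and `inject_onsubmit` adds a fresh listener each time without a guard, so a form submitted after several loads emits several `scan_plz` messages. Separately, `send_target` in the first hunk now forwards `document.cookie` and every form field value, password inputs included, inside the query string of a GET to `config_server`, where they would ordinarily land in server access logs; a POST body, or at least `encodeURIComponent` in place of the deprecated `escape`, would be the safer transport. `post_data` is also assigned without `var`, making it an implicit global in the scanned page.
```javascript
document.forms[i].addEventListener('submit', function(event) {
    var form = event.target;
    var post_data = '';
    // bound kept as in the original; confirm whether the last element is meant to be skipped
    for (var j = 0; j < form.elements.length - 1; j++) {
        post_data += (form.elements[j].name + ":" + form.elements[j].value + "|");
    }
    // … unchanged: sendMessage of post_data with url and cookie …
});
```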


@ -51,6 +51,7 @@ You can try the Error SQL, Blind SQL, LFI with Damn Vulnerable Web App
## TODO - Work in progress
- Should detect target in source code.. (list of targets, then launch scan)
- Should detect and work with POST requests
- all scans will be in another file, scans.py, (get_scan, post_scan)
## Thanks
- Polyglot vector for SQL injections [The Ultimate SQL Injection Payload](https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/)


@ -163,34 +163,63 @@ def index():
args = request.args
url = args['url']
useragent = args['useragent']
methods = args['method']
data = args['data']
# Parse cookies strings - string like name:username|value:admin
cookies_requests = {}
cookies_ghost = ""
for cookie in args['cookies'].split('\n'):
c = cookie.split('|')
if c != '' and c != None:
if len(c) != 1:
name = str(c[0]).replace('name:','')
value = str(c[1]).replace('value:','')
cookies_requests[name] = value
cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
# Parse args for GET
if "?" in url:
# Parse cookies strings - string like name:username|value:admin
cookies_requests = {}
cookies_ghost = ""
for cookie in args['cookies'].split('\n'):
c = cookie.split('|')
if c != '' and c != None:
if len(c) != 1:
name = str(c[0]).replace('name:','')
value = str(c[1]).replace('value:','')
cookies_requests[name] = value
cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
# Parse url
params = url.split('?')[1]
regex = re.compile('([a-zA-Z0-9\-_]*?)=')
matches = regex.findall(params)
# Launch scans
for fuzz in matches:
print "\n---[ New parameter " + fuzz + " for url: " + url + " ]---"
print "\n---[ GET - New parameter " + fuzz + " for url: " + url + " ]---"
scan_xss(vulns, url, fuzz, cookies_ghost, useragent)
scan_lfi(vulns, url, fuzz, cookies_requests, useragent)
scan_sql_error(vulns, url, fuzz, cookies_requests, useragent)
scan_sql_blind_time(vulns, url, fuzz, cookies_requests, useragent)
scan_rce(vulns, url, fuzz, cookies_requests, useragent)
# Parse args for POST
if data != '':
# Parse document.cookie for Ghost and Requests
cookies_requests = {} #dict
cookies_ghost = "" #string header
for cookie in args['cookies'].split(';'):
c = cookie.split('=')
if c != '' and c != None:
if len(c) != 1:
name = c[0]
value = c[1]
cookies_requests[name] = value
cookies_ghost += " "+cookie.replace('name:','').replace('value:','=').replace('|','') + ";"
# DEBUG
print cookies_requests
print cookies_ghost
# TODO parse POST data
fuzz = data
print "\n---[ POST - New parameter |" + fuzz + "| for url: " + url + " ]---"
# Display results as a json
return jsonify(vulns)
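Review bot: `args['method']` and `args['data']` at the top of the hunk raise `KeyError` for any client that still sends only the original five parameters, since `request.args[...]` is a plain lookup; `method = args.get('method', 'GET')` and `data = args.get('data', '')` keep the endpoint tolerant, and `methods` is assigned but never read (the GET branch keys off `"?" in url`, the POST branch off `data`). In the POST branch `c = cookie.split('=')` followed by `value = c[1]` truncates any cookie whose value itself contains `=` (base64 padding is common), and `name = c[0]` keeps the leading space that `document.cookie` puts after each `;`; `name, _, value = cookie.strip().partition('=')` handles both. The `if c != '' and c != None` test in both branches is a no-op because `c` is always a list; `len(c) != 1` is what actually filters empty entries, so the outer condition can go. The three `.replace(...)` calls building `cookies_ghost` in the POST branch target the `name:`/`value:`/`|` markers of the GET format, which `document.cookie` never contains, so they read as a copy-paste leftover; the cookie parsing now exists twice and would be cleaner as one helper taking the separator pair. The enclosing `index()` starts before the hunk, and `vulns` is assigned outside it.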