Security: Fix for LFI found by thongngo
ajinabraham committed May 26, 2016
1 parent 0458e21 commit b9cdd1f
Showing 4 changed files with 46 additions and 22 deletions.
6 changes: 3 additions & 3 deletions APITester/views.py
Expand Up @@ -48,7 +48,7 @@ def APIFuzzer(request):
try:
if request.method == 'GET':
MD5=request.GET['md5']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
URLS = getListOfURLS(MD5,False)
if (len(URLS)) == 0:
Expand All @@ -71,7 +71,7 @@ def APIFuzzer(request):
return HttpResponseRedirect('/error/')
elif request.method =="POST":
MD5=request.POST['md5']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
SCOPE_URLS = [] #All DOMAINS that needs to be tested
SCOPE_TESTS = [] #All TESTS that needs to be executed
Expand Down Expand Up @@ -128,7 +128,7 @@ def StartScan(request):
try:
if request.method =="POST":
MD5=request.POST['md5']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
#Scan Mode
SCAN_MODE=request.POST['scanmode']
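Review bot: The anchored pattern `'^[0-9a-f]{32}$'` on the three changed lines still accepts a value with a trailing newline, because in Python `$` matches just before a final `\n` as well as at the end of the string; `re.match` already anchors the start, so the added `^` changes nothing. A value like `'<32 hex chars>\n'` therefore passes validation and reaches `getListOfURLS` and the POST handling unchanged — I cannot tell from these hunks whether that is exploitable, but a checksum validator should be exact. Use `\Z`, which only matches at the true end of the string: `m=re.match(r'[0-9a-f]{32}\Z',MD5)`. The bodies of `APIFuzzer` and `StartScan` continue outside the hunks.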
18 changes: 9 additions & 9 deletions DynamicAnalyzer/views.py
Expand Up @@ -38,7 +38,7 @@ def DynamicAnalyzer(request):
if re.findall(";|\$\(|\|\||&&",PKG) or re.findall(";|\$\(|\|\||&&",LNCH):
print "[ATTACK] Possible RCE"
return HttpResponseRedirect('/error/')
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
# Delete ScreenCast Cache
SCREEN_FILE=os.path.join(settings.SCREEN_DIR, 'screen.png')
Expand Down Expand Up @@ -82,7 +82,7 @@ def GetEnv(request):
if re.findall(";|\$\(|\|\||&&",PKG) or re.findall(";|\$\(|\|\||&&",LNCH):
print "[ATTACK] Possible RCE"
return HttpResponseRedirect('/error/')
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
DIR=settings.BASE_DIR
APP_DIR=os.path.join(settings.UPLD_DIR, MD5+'/') #APP DIRECTORY
Expand Down Expand Up @@ -113,7 +113,7 @@ def TakeScreenShot(request):
try:
if request.method == 'POST':
MD5=request.POST['md5']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
data = {}
r=random.randint(1, 1000000)
Expand Down Expand Up @@ -263,7 +263,7 @@ def FinalTest(request):
if re.findall(";|\$\(|\|\||&&",PACKAGE):
print "[ATTACK] Possible RCE"
return HttpResponseRedirect('/error/')
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
#Stop ScreenCast Client if it is running
tcp_server_mode = "off"
Expand Down Expand Up @@ -307,7 +307,7 @@ def DumpData(request):
data = {}
PACKAGE=request.POST['pkg']
MD5=request.POST['md5']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
if re.findall(";|\$\(|\|\||&&",PACKAGE):
print "[ATTACK] Possible RCE"
Expand Down Expand Up @@ -353,7 +353,7 @@ def ExportedActivityTester(request):
try:
MD5=request.POST['md5']
PKG=request.POST['pkg']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
if re.findall(";|\$\(|\|\||&&",PKG):
print "[ATTACK] Possible RCE"
Expand Down Expand Up @@ -410,7 +410,7 @@ def ActivityTester(request):
try:
MD5=request.POST['md5']
PKG=request.POST['pkg']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
if re.findall(";|\$\(|\|\||&&",PKG):
print "[ATTACK] Possible RCE"
Expand Down Expand Up @@ -473,7 +473,7 @@ def Report(request):
if re.findall(";|\$\(|\|\||&&",PKG):
print "[ATTACK] Possible RCE"
return HttpResponseRedirect('/error/')
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
DIR=settings.BASE_DIR
APP_DIR=os.path.join(settings.UPLD_DIR, MD5+'/') #APP DIRECTORY
Expand Down Expand Up @@ -891,7 +891,7 @@ def View(request):
fil=''
rtyp=''
dat=''
m=re.match('[0-9a-f]{32}',request.GET['md5'])
m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
if m:
fil=request.GET['file']
MD5=request.GET['md5']
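Review bot: In the `View` hunk the md5 check is tightened, but `fil=request.GET['file']` on the following line is taken from the request with no visible validation, and the hunk ends before `fil` is used. Given the commit title, if `fil` is later joined onto the per-app directory the way `APP_DIR` is built from `settings.UPLD_DIR` in `GetEnv` and `Report`, anchoring md5 does not stop `../` traversal through `file`. I would reject separators and parent references up front, e.g. `if '..' in fil or fil.startswith('/'): return HttpResponseRedirect('/error/')`, and additionally resolve the final path with `os.path.realpath` and confirm it stays under the app directory. Note also that `$` in every anchored pattern here still matches before a trailing newline; `\Z` is the exact end anchor. The body of `View` continues outside the hunk.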
26 changes: 25 additions & 1 deletion MalwareAnalyzer/malwaredb/malwaredomainlist
Expand Up @@ -3038,4 +3038,28 @@
"2016/05/12_08:01","oceanviewfootmassage.com/js/BKTbCv.html","192.254.225.146","-","Compromised site, leads to Locky","Registrar Abuse Contact abuse@1and1.com","46606","0","US",
"2016/05/12_08:36","www.airsonett.se","193.44.13.93","193-44-13-93.net.tnm.se.","pseudo darkleech on compromised site leads to Angler EK","-","3301","0","SE",
"2016/05/12_09:49","chashmawala.com/mn3yhds","142.4.1.197","142-4-1-197.unifiedlayer.com.","Locky ransomware","-","46606","0","US",
"2016/05/12_10:40","lojasrana.com:7080/ujh3jmd","186.202.183.138","pleskcl0243.hospedagemdesites.ws."
"2016/05/12_10:40","lojasrana.com:7080/ujh3jmd","186.202.183.138","pleskcl0243.hospedagemdesites.ws.","Locky ransomware","-","27715","0","BR",
"2016/05/12_10:40","scrubs.dresscool.co/zcv3hhs","107.180.25.1","ip-107-180-25-1.ip.secureserver.net.","Locky ransomware","dresscool.co@domainsbyproxy.com","26496","0","US",
"2016/05/12_12:39","www.jobbainorge.nu/","195.74.38.95","cl-11.atm.binero.net.","pseudo darkleech on compromised site leads to Angler EK","-","41528","0","SE",
"2016/05/12_12:39","microencapsulation.readmyweather.com/satire/pairing/58798892_pkfpfGESM","69.162.126.172","172-126-162-69.static.reverse.lstn.net.","Angler EK","Registrar Abuse Contact support@domainbox.com","46475","0","US",
"2016/05/12_14:22","www.autoappassionati.it/","109.233.126.14","cpanel01.infinitynet.it.","pseudo darkleech on compromised site leads to Angler EK","-","48815","0","IT",
"2016/05/12_14:23","tannpastnevicher.themakershop.co.uk/mj/o/3557/","69.162.126.172","172-126-162-69.static.reverse.lstn.net.","Angler EK","Colyton Industrial Designs ltd / -","46475","0","US",
"2016/05/13_13:23","www.imageprecision.com/","188.121.41.53","n1nw8shg125.shr.prod.ams1.secureserver.net.","pseudo darkleech on compromised site leads to Angler EK","-","26496","0","NL",
"2016/05/13_13:23","arbeiderspartij.be-spry.co.uk/NTQBuUVxO/gXyyX/IobVvqD-pRXCfMd/","85.25.41.91","static-ip-85-25-41-91.inaddr.ip-pool.com.","Angler EK","H R Searle / -","8972","0","DE",
"2016/05/15_15:23","meuble-ligansadaequabat.thepinkskip.co.uk/hoteliers/6719/66/01/511758321.html","188.165.167.255","-","Angler EK","Brian Barr / -","16276","0","FR",
"2016/05/16_10:40","sign.cdrn70.xyz/hfziso4.html","93.190.140.154","-","gateway to Angler EK","-","49981","0","NL",
"2016/05/16_11:15","inclination.cdrn70.xyz/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","-","49981","0","NL",
"2016/05/16_11:51","no-id.eu/987t5t7g","83.137.194.81","server6.hosting2go.nl.","trojan","NOT DISCLOSED! / -","34233","0","NL",
"2016/05/16_11:55","press.centraljoias.com/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","Registrant flavio.dygo@gmail.com","49981","0","NL",
"2016/05/16_12:00","gutter.celebway.net/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","Registrar Abuse Contact abuse@bizcn.com","49981","0","NL",
"2016/05/16_12:35","charge.cenzorate-expertize.ro/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","-","49981","0","NL",
"2016/05/16_12:40","excitable.charmedmultimedia.eu/brhsc4.html","93.190.140.219","s10.sheermail.com.","gateway to Angler EK","NOT DISCLOSED! / -","49981","0","NL",
"2016/05/16_18:05","sunlite.com.au/j76jn5nbv","27.124.119.225","server-69-r12.ipv4.au.syrahost.com.","Locky ransomware","Wayne Hughes / Visit whois.ausregistry.com.au for Web based WhoIs","38719","0","AU",
"2016/05/17_07:17","uwzorg.info/k76gf34g4g","89.105.197.30","mail.teurlings.biz.","Locky ransomware","MAM Teurlings / webmaster@teurlings.biz","24875","0","NL",
"2016/05/17_09:54","actinomorphous.excelwood.co.uk/euNsbCci/FAUk/Olvp/82749/SAitPlttYB-35817144-hgs.png","37.130.229.104","uk.server.","Angler EK","Decora Blind Systems / -","13213","0","GB",
"2016/05/17_10:32","www.gptecno.it/","178.255.186.250","www010.avanzati.it.","pseudo darkleech on compromised site leads to Angler EK","-","42425","0","IT",
"2016/05/17_10:32","armstrongcreekgeleedpotig.imber.me.uk/VDBGs/ftPRd/ZXyG-lBfzftj/","37.130.229.104","uk.server.","Angler EK","Nominet UK / -","13213","0","GB",
"2016/05/17_13:34","passagegoldtravel.com/678y8h","23.229.182.198","ip-23-229-182-198.ip.secureserver.net.","Locky ransomware","-","26496","0","US",
"2016/05/18_07:28","spreadware.com/09jhg54g","162.244.95.27","-","Locky ransomware","Registrar Abuse Contact abuse@namesilo.com","53667","0","US",
"2016/05/18_15:05","www.cafecalluna.nl/","193.239.186.142","sweb02.plinq.nl.","pseudo darkleech on compromised site leads to Angler EK","-","35224","0","NL",
"2016/05/18_15:05","brunowtrahoque-miagola.unishadeverticalsystem.com/1331481-positivity-misdiagnosis-refrigerants-slim-twinkles-array.png","63.143.54.198","198-54-143-63.static.reverse.lstn.
18 changes: 9 additions & 9 deletions StaticAnalyzer/views.py
Expand Up @@ -34,7 +34,7 @@ def PDF(request):
try:
MD5=request.GET['md5']
TYP=request.GET['type']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m:
if (TYP=='APK' or TYP=='ANDZIP'):
DB=StaticAnalyzerAndroid.objects.filter(MD5=MD5)
Expand Down Expand Up @@ -159,7 +159,7 @@ def PDF(request):
pass
def Java(request):
try:
m=re.match('[0-9a-f]{32}',request.GET['md5'])
m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
typ=request.GET['type']
if m:
MD5=request.GET['md5']
Expand Down Expand Up @@ -198,7 +198,7 @@ def Java(request):
return HttpResponseRedirect('/error/')
def Smali(request):
try:
m=re.match('[0-9a-f]{32}',request.GET['md5'])
m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
if m:
MD5=request.GET['md5']
SRC=os.path.join(settings.UPLD_DIR, MD5+'/smali_source/')
Expand All @@ -224,7 +224,7 @@ def Smali(request):
return HttpResponseRedirect('/error/')
def Find(request):
try:
m=re.match('[0-9a-f]{32}',request.POST['md5'])
m=re.match('^[0-9a-f]{32}$',request.POST['md5'])
if m:
MD5=request.POST['md5']
q=request.POST['q']
Expand Down Expand Up @@ -265,7 +265,7 @@ def Find(request):
def ViewSource(request):
try:
fil=''
m=re.match('[0-9a-f]{32}',request.GET['md5'])
m=re.match('^[0-9a-f]{32}$',request.GET['md5'])
if m and (request.GET['file'].endswith('.java') or request.GET['file'].endswith('.smali')):
fil=request.GET['file']
MD5=request.GET['md5']
Expand Down Expand Up @@ -304,7 +304,7 @@ def ManifestView(request):
MD5=request.GET['md5'] #MD5
TYP=request.GET['type'] #APK or SOURCE
BIN=request.GET['bin']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
if m and (TYP=='eclipse' or TYP=='studio' or TYP=='apk') and (BIN=='1' or BIN=='0'):
APP_DIR=os.path.join(settings.UPLD_DIR, MD5+'/') #APP DIRECTORY
TOOLS_DIR=os.path.join(DIR, 'StaticAnalyzer/tools/') #TOOLS DIR
Expand All @@ -326,7 +326,7 @@ def StaticAnalyzer(request):
try:
#Input validation
TYP=request.GET['type']
m=re.match('[0-9a-f]{32}',request.GET['checksum'])
m=re.match('^[0-9a-f]{32}$',request.GET['checksum'])
if ((m) and (request.GET['name'].lower().endswith('.apk') or request.GET['name'].lower().endswith('.zip')) and ((TYP=='zip') or (TYP=='apk'))):
DIR=settings.BASE_DIR #BASE DIR
APP_NAME=request.GET['name'] #APP ORGINAL NAME
Expand Down Expand Up @@ -1754,7 +1754,7 @@ def StaticAnalyzer_iOS(request):
print "[INFO] iOS Static Analysis Started"
TYP=request.GET['type']
RESCAN= str(request.GET.get('rescan', 0))
m=re.match('[0-9a-f]{32}',request.GET['checksum'])
m=re.match('^[0-9a-f]{32}$',request.GET['checksum'])
if ((m) and (request.GET['name'].lower().endswith('.ipa') or request.GET['name'].lower().endswith('.zip')) and ((TYP=='ipa') or (TYP=='ios'))):
DIR=settings.BASE_DIR #BASE DIR
APP_NAME=request.GET['name'] #APP ORGINAL NAME
Expand Down Expand Up @@ -1963,7 +1963,7 @@ def ViewFile(request):
typ=request.GET['type']
MD5=request.GET['md5']
mode=request.GET['mode']
m=re.match('[0-9a-f]{32}',MD5)
m=re.match('^[0-9a-f]{32}$',MD5)
ext=fil.split('.')[-1]
f=re.search("plist|db|sqlitedb|sqlite|txt|m",ext)
if m and f and re.findall('xml|db|txt|m',typ) and re.findall('ios|ipa',mode):
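Review bot: The `ViewFile` hunk anchors the md5 pattern but leaves the three checks immediately below it unanchored: `re.search("plist|db|sqlitedb|sqlite|txt|m",ext)` is true for any extension containing the letter `m` (for example `.html` or `.xml`), and `re.findall('xml|db|txt|m',typ)` / `re.findall('ios|ipa',mode)` likewise accept any value containing those substrings. Because `ext` is derived from the request-supplied `fil` via `fil.split('.')[-1]`, this is the same class of weakness the commit is fixing for md5. Compare against the allowed sets exactly instead: `if m and ext in ('plist','db','sqlitedb','sqlite','txt','m') and typ in ('xml','db','txt','m') and mode in ('ios','ipa'):`. In `ViewSource`, `endswith('.java')`/`endswith('.smali')` constrains only the suffix, so `fil` still needs a `..`/absolute-path check before it is joined to a directory; the bodies of both functions continue outside the hunks.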

0 comments on commit b9cdd1f

Please sign in to comment.