Fix for issue mentioned in:
fix mod_security that drops timeout argument #17739
andresriancho committed Apr 1, 2019
1 parent e7c69f8 commit 2ecfad0
Showing 11 changed files with 60 additions and 67 deletions.
6 changes: 6 additions & 0 deletions w3af/core/data/url/HTTPRequest.py
@@ -99,6 +99,9 @@ def __eq__(self, other):
def with_binary_response(self):
return self._binary_response

def set_data(self, data):
self.data = data

def add_header(self, key, val):
"""
Override mostly to avoid having header values of DataToken type
@@ -127,6 +130,9 @@ def get_domain(self):

def get_uri(self):
return self.url_object

def set_uri(self, url_object):
self.url_object = url_object

def get_headers(self):
headers = Headers(self.headers.items())
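Review bot: `set_uri` and `set_data` only rebind `self.url_object` and `self.data`, so any state the constructor derived from the URL or body (the constructor is not visible in these hunks) keeps describing the old values. The evasion plugins in this commit now call `request.copy()` followed by these setters instead of re-running the constructor, so if `__init__` hands the encoded URL to its base class, the copied request could still carry the original URL; this should be confirmed before relying on the setters. Both methods also lack docstrings; something like `"""Replace the URL object; state derived from the previous URL is not refreshed."""` would state the contract. The class body starts and ends outside both hunks.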
7 changes: 3 additions & 4 deletions w3af/plugins/evasion/backspace_between_dots.py
@@ -20,7 +20,6 @@
"""
from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest


class backspace_between_dots(EvasionPlugin):
@@ -45,9 +44,9 @@ def modify_request(self, request):
# Finally, we set all the mutants to the request in order to return it
new_url = request.url_object.copy()
new_url.set_path(path)
new_req = HTTPRequest(new_url, request.get_data(),
request.headers, request.get_origin_req_host(),
retries=request.retries_left)

new_req = request.copy()
new_req.set_uri(new_url)

return new_req

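Review bot: The timeout fix rests entirely on `request.copy()` carrying over every attribute the old `HTTPRequest(...)` call dropped, yet `copy()` is not part of this commit and none of the 11 changed files is a test. A regression test that sets a timeout on a request, runs `modify_request`, and asserts the returned request reports the same timeout would pin the behaviour. The same applies to the identical `copy()` + `set_uri()` change in reversed_slashes.py, rnd_path.py, self_reference.py and shift_out_in_between_dots.py. A short comment above the new lines, e.g. `# copy() keeps timeout and retries; only the URL is replaced`, would record why the constructor call was removed. `modify_request` begins outside the hunk.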
15 changes: 5 additions & 10 deletions w3af/plugins/evasion/full_width_encode.py
@@ -22,7 +22,6 @@
import urllib

from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest
from w3af.core.data.parsers.doc.url import parse_qs


@@ -41,19 +40,13 @@ def modify_request(self, request):
:return: The modified request
"""
# This is a test URL
# http://172.16.1.132/index.asp?q=%uFF1Cscript%3Ealert(%22Hello%22)%3C/script%3E
# This is the content of index.asp :
# <%=Request.QueryString("q")%>

# First we mangle the URL
path = request.url_object.get_path()
path = self._mutate(path)

# Now we mangle the postdata
data = request.get_data()
if data:

try:
# Only mangle the postdata if it is a url encoded string
parse_qs(data)
@@ -67,20 +60,22 @@ def modify_request(self, request):
new_url = request.url_object.copy()
new_url.set_path(path)

new_req = HTTPRequest(new_url, data, request.headers,
request.get_origin_req_host(),
retries=request.retries_left)
new_req = request.copy()
new_req.set_data(data)
new_req.set_uri(new_url)

return new_req

def _mutate(self, to_mutate):
to_mutate = urllib.unquote(to_mutate)
mutant = ''

for char in to_mutate:
if char not in ['?', '/', '&', '\\', '=', '%', '+']:
# The "- 0x20" was taken from UFF00.pdf
char = "%%uFF%02x" % (ord(char) - 0x20)
mutant += char

return mutant

def get_priority(self):
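Review bot: After `new_req.set_data(data)` the headers carried over by `copy()` are left untouched, so a `content-length` header, if one is already present, would describe the unmangled body. mod_security.py in this same commit recomputes it with `headers_copy['content-length'] = str(len(data))`, but this file, rnd_case.py, rnd_hex_encode.py and rnd_param.py do not. Whether that header is ever set before the evasion plugins run is not visible here, so this may be harmless; if it can be set, recompute it next to `set_data`, or add a comment saying the length is calculated later. `modify_request` starts above the hunk.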
34 changes: 17 additions & 17 deletions w3af/plugins/evasion/mod_security.py
@@ -23,7 +23,6 @@

from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.parsers.doc.url import parse_qs
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest


class mod_security(EvasionPlugin):
@@ -40,23 +39,24 @@ def modify_request(self, request):
the evasion plugin
:return: The modified request
"""
# Mangle the postdata
data = str(request.get_data())
if data:

try:
# Only mangle the postdata if it is a url encoded string
parse_qs(data)
except:
pass
else:
data = '\x00' + data
headers_copy = copy.deepcopy(request.headers)
headers_copy['content-length'] = str(len(data))

request = HTTPRequest(request.url_object, data, headers_copy,
request.get_origin_req_host(),
retries=request.retries_left)

if not data:
return request

# Only mangle the postdata if it is a url encoded string
try:
parse_qs(data)
except:
return request

data = '\x00' + data
headers_copy = copy.deepcopy(request.headers)
headers_copy['content-length'] = str(len(data))

new_req = request.copy()
new_req.set_headers(headers_copy)
new_req.set_data(data)

return request

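Review bot: The final line of `modify_request` still reads `return request`, so the `new_req` built just above it, with the recomputed `content-length` and the new body, appears to be discarded and the caller gets the original request back; it should be `return new_req`. `set_headers` is not among the setters this commit adds to HTTPRequest.py, so confirm it already exists on the class. The bare `except:` around `parse_qs(data)` also swallows `KeyboardInterrupt` and `SystemExit`; `except Exception:` would be narrower. The line sides are inferred from the rendered page, and the function starts above the hunk.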
7 changes: 3 additions & 4 deletions w3af/plugins/evasion/reversed_slashes.py
@@ -20,7 +20,6 @@
"""
from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest


class reversed_slashes(EvasionPlugin):
@@ -43,9 +42,9 @@ def modify_request(self, request):
# Finally, we set all the mutants to the request in order to return it
new_url = request.url_object.copy()
new_url.set_path(path)
new_req = HTTPRequest(new_url, request.get_data(),
request.headers, request.get_origin_req_host(),
retries=request.retries_left)

new_req = request.copy()
new_req.set_uri(new_url)

return new_req

7 changes: 3 additions & 4 deletions w3af/plugins/evasion/rnd_case.py
@@ -22,7 +22,6 @@
from random import randint

from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest
from w3af.core.data.parsers.doc.url import parse_qs


@@ -59,9 +58,9 @@ def modify_request(self, request):
else:
data = self._mutate(data)

new_req = HTTPRequest(new_url, data, request.headers,
request.get_origin_req_host(),
retries=request.retries_left)
new_req = request.copy()
new_req.set_uri(new_url)
new_req.set_data(data)

return new_req

11 changes: 6 additions & 5 deletions w3af/plugins/evasion/rnd_hex_encode.py
@@ -23,7 +23,6 @@

from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.parsers.doc.url import parse_qs
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest


class rnd_hex_encode(EvasionPlugin):
@@ -59,9 +58,9 @@ def modify_request(self, request):
else:
data = self._mutate(data)

new_req = HTTPRequest(new_url, data, request.headers,
request.get_origin_req_host(),
retries=request.retries_left)
new_req = request.copy()
new_req.set_uri(new_url)
new_req.set_data(data)

return new_req

@@ -72,11 +71,13 @@ def _mutate(self, data):
:return: a string.
"""
new_data = ''

for char in data:
if char not in ['?', '/', '&', '\\', '=', '%', '+']:
if randint(1, 2) == 2:
char = "%%%02x" % ord(char)
new_data += char

return new_data

def get_priority(self):
@@ -97,5 +98,5 @@ def get_long_desc(self):
Example:
Input: '/bar/foo.asp'
Output : '/b%61r/%66oo.asp'
Output: '/b%61r/%66oo.asp'
"""
16 changes: 7 additions & 9 deletions w3af/plugins/evasion/rnd_param.py
@@ -24,7 +24,6 @@
from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.fuzzer.utils import rand_alnum
from w3af.core.data.parsers.doc.url import parse_qs
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest


class rnd_param(EvasionPlugin):
@@ -49,20 +48,19 @@ def modify_request(self, request):
new_url.querystring = qs

# Mangle the postdata
post_data = request.get_data()
if post_data:

data = request.get_data()
if data:
try:
# Only mangle the postdata if it is a url encoded string
post_data = parse_qs(post_data)
post_data = parse_qs(data)
except:
pass
else:
post_data = str(self._mutate(post_data))
data = str(self._mutate(post_data))

new_req = HTTPRequest(new_url, post_data, request.headers,
request.get_origin_req_host(),
retries=request.retries_left)
new_req = request.copy()
new_req.set_uri(new_url)
new_req.set_data(data)

return new_req

8 changes: 3 additions & 5 deletions w3af/plugins/evasion/rnd_path.py
@@ -22,7 +22,6 @@
import re

from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest
from w3af.core.data.fuzzer.utils import rand_alnum


@@ -50,9 +49,8 @@ def modify_request(self, request):
new_url.set_path(path)

# Finally, we set all the mutants to the request in order to return it
new_req = HTTPRequest(new_url, request.data, request.headers,
request.get_origin_req_host(),
retries=request.retries_left)
new_req = request.copy()
new_req.set_uri(new_url)

return new_req

@@ -74,5 +72,5 @@ def get_long_desc(self):
Example:
Input: '/bar/foo.asp'
Output : '/aflsasfasfkn/../bar/foo.asp'
Output: '/aflsasfasfkn/../bar/foo.asp'
"""
9 changes: 4 additions & 5 deletions w3af/plugins/evasion/self_reference.py
@@ -20,7 +20,6 @@
"""
from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest


class self_reference(EvasionPlugin):
@@ -43,9 +42,9 @@ def modify_request(self, request):
# Finally, we set all the mutants to the request in order to return it
new_url = request.url_object.copy()
new_url.set_path(path)
new_req = HTTPRequest(new_url, request.get_data(),
request.headers, request.get_origin_req_host(),
retries=request.retries_left)

new_req = request.copy()
new_req.set_uri(new_url)

return new_req

@@ -67,5 +66,5 @@ def get_long_desc(self):
Example:
Input: '/bar/foo.asp'
Output : '/bar/./foo.asp'
Output: '/bar/./foo.asp'
"""
7 changes: 3 additions & 4 deletions w3af/plugins/evasion/shift_out_in_between_dots.py
@@ -20,7 +20,6 @@
"""
from w3af.core.controllers.plugins.evasion_plugin import EvasionPlugin
from w3af.core.data.url.HTTPRequest import HTTPRequest as HTTPRequest


class shift_out_in_between_dots(EvasionPlugin):
@@ -45,9 +44,9 @@ def modify_request(self, request):
# Finally, we set all the mutants to the request in order to return it
new_url = request.url_object.copy()
new_url.set_path(path)
new_req = HTTPRequest(new_url, request.get_data(),
request.headers, request.get_origin_req_host(),
retries=request.retries_left)

new_req = request.copy()
new_req.set_uri(new_url)

return new_req

