
PHP Code Injection Emulator (#183)

* Basic php code  injection

* make injection more particular

* add new function

* make regex hard

* fix tests

* minor changes
rnehra01 authored and afeena committed Aug 9, 2017
1 parent 6a11703 commit d063e77daf801082ddaafcc1e8cbb6400bc63326
Showing with 46 additions and 7 deletions.
  1. +1 −1 tanner/config.py
  2. +8 −5 tanner/emulators/base.py
  3. +35 −0 tanner/emulators/php_code_injection.py
  4. +2 −1 tanner/utils/patterns.py
@@ -12,7 +12,7 @@
'API': {'host': '0.0.0.0', 'port': 8092},
'REDIS': {'host': 'localhost', 'port': 6379, 'poolsize': 80, 'timeout': 1},
'EMULATORS': {'root_dir': '/opt/tanner',
'emulator_enabled': {'sqli': True, 'rfi': True, 'lfi': True, 'xss': True, 'cmd_exec': True}
'emulator_enabled': {'sqli': True, 'rfi': True, 'lfi': True, 'xss': True, 'php_code_injection': True, 'cmd_exec': True}
},
'SQLI': {'type':'SQLITE', 'db_name': 'tanner_db', 'host':'localhost', 'user':'root', 'password':'user_pass'},
'DOCKER': {'host_image': 'busybox:latest'},
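Review bot: `php_code_injection` is switched on by default in `emulator_enabled`, yet the emulator it enables posts to a PHP sandbox at a hard-coded `http://127.0.0.1:8088/` for which this config has no entry. A deployment without that service will log a connection error on every matched request, and operators cannot point the emulator at a sandbox on another host or in a container. Consider adding a sandbox host/port entry next to `'DOCKER'` and reading it in the emulator, or defaulting the flag to `False` until the sandbox is configured.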
@@ -5,21 +5,24 @@
import yarl
from tanner.config import TannerConfig
from tanner.emulators import lfi, rfi, sqli, xss, cmd_exec
from tanner.emulators import lfi, rfi, sqli, xss, cmd_exec, php_code_injection
from tanner.utils import patterns
class BaseHandler:
def __init__(self, base_dir, db_name, loop=None):
self.emulator_enabled = TannerConfig.get('EMULATORS', 'emulator_enabled')
self.emulators = {
'rfi': rfi.RfiEmulator(base_dir, loop) if self.emulator_enabled['rfi'] else None,
'lfi': lfi.LfiEmulator() if self.emulator_enabled['lfi'] else None,
'xss': xss.XssEmulator() if self.emulator_enabled['xss'] else None,
'sqli': sqli.SqliEmulator(db_name, base_dir) if self.emulator_enabled['sqli'] else None,
'cmd_exec': cmd_exec.CmdExecEmulator() if self.emulator_enabled['cmd_exec'] else None
}
self.get_emulators = ['sqli', 'rfi', 'lfi', 'xss', 'cmd_exec']
self.post_emulators = ['sqli', 'rfi', 'lfi', 'xss', 'cmd_exec']
'cmd_exec': cmd_exec.CmdExecEmulator() if self.emulator_enabled['cmd_exec'] else None,
'php_code_injection': php_code_injection.PHPCodeInjection(loop) if self.emulator_enabled['php_code_injection'] else None
}
self.get_emulators = ['sqli', 'rfi', 'lfi', 'xss', 'php_code_injection', 'cmd_exec' ]
self.post_emulators = ['sqli', 'rfi', 'lfi', 'xss', 'php_code_injection', 'cmd_exec']
self.cookie_emulators = ['sqli']
def extract_get_data(self, path):
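Review bot: The new dictionary entry in `BaseHandler.__init__` indexes `self.emulator_enabled['php_code_injection']` directly. A deployment whose own config file predates this key would therefore raise `KeyError` at start-up if `TannerConfig.get` returns the user-supplied dictionary rather than merging it with the defaults (that code is not visible here). Using `self.emulator_enabled.get('php_code_injection', False)` keeps older configs working and leaves the code-executing emulator off unless it is explicitly enabled. The rest of the class lies outside the hunk.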
@@ -0,0 +1,35 @@
import aiohttp
import asyncio
import logging
from tanner.utils import patterns
class PHPCodeInjection:
def __init__(self, loop=None):
self._loop = loop if loop is not None else asyncio.get_event_loop()
self.logger = logging.getLogger('tanner.php_code_injecton')
async def get_injection_result(self, code):
code_injection_result = None
code = '<?php eval(\'$a = {code}\'); ?>'.format(code=code)
try:
async with aiohttp.ClientSession(loop=self._loop) as session:
async with session.post('http://127.0.0.1:8088/', data=code) as resp:
code_injection_result = await resp.json()
except aiohttp.ClientError as client_error:
self.logger.error('Error during connection to php sandbox %s', client_error)
else:
await session.close()
return code_injection_result
def scan(self, value):
detection = None
if patterns.PHP_CODE_INJECTION.match(value):
detection = dict(name='php_code_injection', order=3)
return detection
async def handle(self, attack_params, session=None):
result = await self.get_injection_result(attack_params[0]['value'])
if not result or 'stdout' not in result:
return ''
return result['stdout']
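Review bot: `get_injection_result` catches only `aiohttp.ClientError`, so a sandbox reply that is not valid JSON (a `ValueError` from `resp.json()`) or a request that times out (`asyncio.TimeoutError`) propagates out of `handle` into the request path. Both are plausible when the sandbox is running attacker-controlled input. Consider `except (aiohttp.ClientError, asyncio.TimeoutError, ValueError) as client_error:` together with an explicit `timeout=` on `session.post`, and drop the `else: await session.close()` branch, which is redundant because the `async with` block has already closed the session. The value is also placed unescaped inside the single-quoted `eval('$a = ...')` string, so the sandbox is the only containment; a comment such as `# value is attacker-controlled; isolation is enforced by the PHP sandbox, not by this wrapper` would record that assumption. The logger name `'tanner.php_code_injecton'` is misspelled, which would stop a per-module logging filter on the intended name from matching.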
@@ -7,7 +7,8 @@
LFI_FILEPATH = re.compile('((\.\.|\/).*)')
XSS_ATTACK = re.compile('.*<(.|\n)*?>')
CMD_ATTACK = re.compile('.*(alias|cat|cd|cp|echo|exec|find|for|grep|ifconfig|ls|man|mkdir|netstat|ping|ps|pwd|uname|wget|touch|while).*')
PHP_CODE_INJECTION = re.compile('.*(;)*(echo|system|print|phpinfo)(\(.*\)).*')
REMOTE_FILE_URL = re.compile('(.*(http(s){0,1}|ftp(s){0,1}):.*)')
WORD_PRESS_CONTENT = re.compile('\/wp-content\/.*')
HTML_TAGS = re.compile('.*<(.*)>.*')
QUERY = re.compile('.*\?.*=')
QUERY = re.compile('.*\?.*=')
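Review bot: `PHP_CODE_INJECTION` is written as an ordinary string containing `\(`, an invalid escape sequence that newer Python versions warn about; make it a raw string, e.g. `re.compile(r'.*(;)*(echo|system|print|phpinfo)(\(.*\)).*')`. The `(;)*` group is optional and so adds no constraint. Without a `\b` before the keyword alternation, benign text such as `blueprint(...)` is classified as PHP injection and forwarded to the sandbox. `echo` also appears in `CMD_ATTACK`, so one value can match both emulators and the outcome depends on their detection order, which is only partly visible on this page.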
