forked from mushorg/glastopf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
TODO
171 lines (113 loc) · 5.76 KB
/
TODO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
IMPLEMENTATION TODOs
--------------------
- configuration: user can choose between emulators sqli and sqlintectable
- cleaning databases cron job:
- add timestamp of latest_activity to attacker
- delete all dataxx.db for attackers whose latest_activity is longer than one week
- clean Docker stuff:
delete/rebuild specific db inside VM
- weired behaviour ambigious classifications, because priority is probably the order in requestsInjectable.xml
http://192.168.56.101:8181/manager/html?login=bla
http://192.168.56.101:8181/phpmyadmin.php?login=blub@example.com&password=blub
http://192.168.56.101:8181/robots.txt?login=bla
http://192.168.56.101:8181/phpinfo.php/login=
- Fix:
- python -m unittest discover -s testing -p 'test_emulators.py'
-->
from __init__ import __version__
ImportError: No module named __init__
- Docker
stop docker container throws error
- rewrite tests according to modified implementation
IMPLEMENTATION IN PROGRESS
--------------------------
- Attune GlastopfInjectable's queries and answers better to sqlmap techniques
B: Boolean-based blind
E: Error-based
U: Union query-based
S: Stacked queries
T: Time-based blind
Q: Inline queries
IMPLEMENTATION DONEs
--------------------
- deleted "connection_string_data" from configuration and code, as it is not used
- map user injected values to useful queries to comments and users tables
- improve classification in requests.xml
problem: SQLinjectableEmulator is only ran, when classified as sqlinjectable
-> looks weired when an attacker tries to login normally
"/comments", "?login=bla&password=bla
- use comments table instead of comments.txt for convincable SQL-injection delivered as a comment
(problem in unknown-emulator and comments-emulator)
- Check code: sqlalchemy sessions and concurrency
(Every Thread should use its own Session.
Session blocks other sessions, when it first did a modifying operation until it commits.)
Fixed for Attacker DB
- BUG Fix Internal Server Error through set_logged_in Method for Cookieless Clients:
[18:49:41] [WARNING] HTTP error codes detected during run: 500 (Internal Server Error) - 17 times
- make docker server faster through threading (+ threadsafe!!)
- session management
e.g. for remembering previous logins.
* SessionEmulator
* send HTTP-Cookie
* load SimpleCookie from HTTP-request
* cascade SessionEmulator prior other emulators
* make sure cookie is not overriden or HTTP-response is unclean due to cascaded response creation
* use session in other emulators, that deliver the login screen
- make input fields of GUI injectable
(seems to be a longer task, as the body seems to be ingored completely)
- Docker:
find out how to open NEW terminal for dockercontainer stdout
Workaraound: https://docs.docker.com/reference/commandline/cli/#logs
"The docker logs --follow command will continue streaming the new output from the container's STDOUT and STDERR."
- embedd response from sqlinjectable handler in fancy website
* smart use of dork generator and templates
- reduce dynamic dork page generation from 5 dork pages to 1 per time interval to improve sqlmap HTTP-response analyse
- implement MORE intelligent attacker fingerprinting, which is not only over HTTP headers (still stupid)
- check if ip-less attacker fingerprinting is really useful with browserless hacking (botnet, sqlmap)
- Fix timing problem: docker_setup needs initial database, which is not there before glastopfs first run.
- Check chronological order of: data.db creation and docker_setup, which copies data.db
does it exist if glastopf never ran before?
- implement intelligent attacker fingerprinting, which is not over ip address
- docker_server.py no access from outside! only host to container access.
- let injection only run in docker container
* image & container
* dockerfile
* dockerclient & dockerserver
* localclient
* docker_setup stuff
+ copy needed python files only into docker container
* error message if glastopf is started, before setup ran.
- clean Docker stuff:
* renew whole VM
* container and untagged images before docker_setup
- write test for SQLinjectableEmulator
- close connections in the end (e.g. attackerdb_session)
- add sqlite datasbase: attacker.db
Mapping Attacker class to attacker table
- add sqlite database: data.db
Mapping User class to user table
- add unique data databasename to each Attacker
- reuse mechanism of copy-data-db, accordingly to attacker
- 1 to 1 relation of copy-data-db and attacker-db
- take all connection strings from cfg file
- Integrate attacker-db logic in Glastopf request handler
write SQLinjectableEmulator
- open db connections in beginning
- setup data.db, attacker.db if not present yet
_________________________________________________________________
TESTING DOs
-----------
TESTING DONEs
-------------
_________________________________________________________________
NOT DONES with Reason
---------------------
- eliminate DB errors and other info in dork page?
[12:54:10] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
reason for undone:
dork pages are generated through Mnem_Service class over online Service mnemosyne from Honeynet Project
It is necessary to attract attckers -> need to keep it
- SQLmap says something is getting dropped:
18:47:20] [WARNING] there is a possibility that the target (or WAF) is dropping 'suspicious' requests
reason for undone:
could not reproduce this error