Daniel,
On Tue, Mar 27, 2012 at 11:26 PM, Daniel Zulla
<daniel.zu...@googlemail.com> wrote:
> This patch *may* work. Untested.
Applied the patch to the latest eval.py in our SVN, and tested using:
* sudo python w3af_console -s scripts/script-eval.w3af
This triggered various errors in the line where this was performed:
print_strings = [pstr % (self._rnd1, self._rnd2)
for pstr in self.PRINT_STRINGS]
Since there are two %s which are not correctly formatted in the
proposed payloads.
Worked a little bit around the patch and finally applied what's
attached. That works with PHP, could you verify if it works with Perl
and/or Python?
PS: Sadly, the patch wasn't in the correct format, so that I could apply it
with "patch -p0 < eval.py.patch"
>
>> Dan,
>>
>> On Tue, Mar 27, 2012 at 10:36 PM, Daniel Zulla
>> <daniel.zu...@googlemail.com> wrote:
>>> Hi there,
>>> The "string1"."string2" --> .match("string1string2") strategy of eval.py
>>> turned out to produce false-positives when the webapp strips out
>>> everything but [a-zA-Z0-9_-].
>>>
>>> Instead of "Error 404 "string1"."string2", string1string2 will be returned.
>>> Why not implement it like this:
>>>
>>> Case 1) ."random_string"*5
>>> Case 2) ."random_string"x5
>>>
>>> If the response content contains
>>> "random_stringrandom_stringrandom_stringrandom_stringrandom_string" we can
>>> be sure that it is not a false-positive.
>>>
>>> What do you think?
>>
>> Sure! That's a good idea, I've been thinking about similar
>> solutions to that problem too but never got to implement them. My two
>> potential solutions were:
>> - Do some math, maybe random_number+random_number and look for the
>> result of that
>> - String replacement, 'abcdef'.replace('bcd', '111') and search for a111ef
>>
>> Your idea is equally nice and valid; if I had to choose, I
>> would choose the one that uses the smallest number of "special characters"
>> (like single quotes, quotes, parenthesis, etc.) in the payload being
>> sent, and the one that uses the fewest characters overall (as a measurement
>> to reduce complexity). By taking those into account I think that both
>> the sum of two random numbers and the "string multiplication" are
>> almost the same.
>>
>> Want to give it a try at the code and send a patch?
>>
>> Regards,
>>
>>> Best,
>>> Dan
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> This SF email is sponsored by:
>>> Try Windows Azure free for 90 days Click Here
>>> http://p.sf.net/sfu/sfd2d-msazure
>>> _______________________________________________
>>> W3af-develop mailing list
>>> W3af-develop@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/w3af-develop
>>
>> --
>> Andrés Riancho
>> Director of Web Security at Rapid7 LLC
>> Founder at Bonsai Information Security
>> Project Leader at w3af
>
--
Andrés Riancho
Director of Web Security at Rapid7 LLC
Founder at Bonsai Information Security
Project Leader at w3af
Index: plugins/audit/eval.py
===================================================================
--- plugins/audit/eval.py (revision 4754)
+++ plugins/audit/eval.py (working copy)
@@ -42,13 +42,13 @@
PRINT_STRINGS = (
# PHP http://php.net/eval
- "echo \x27%s\x27 . \x27%s\x27\x3b",
+ "echo str_repeat('%s',5);",
# Perl http://perldoc.perl.org/functions/eval.html
- "print \x27%s\x27.\x27%s\x27\x3b",
+ "print '%s'x5",
# Python http://docs.python.org/reference/simple_stmts.html#the-exec-statement
- "print \x27%s\x27 + \x27%s\x27",
+ "print '%s'*5",
# ASP
- "Response.Write\x28\x22%s+%s\x22\x29"
+ "Response.Write(new String(\"%s\",5))"
)
WAIT_STRINGS = (
# PHP http://php.net/sleep
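Review bot: the ASP entry `Response.Write(new String("%s",5))` does not yield five copies of the string in any of the languages ASP pages are written in, so the `self._rnd*5` that `getEvalResult` returns below can never match an ASP target: VBScript has no `new String(...)` (its `String(number, character)` builtin repeats a single character and takes the count first), JScript's `new String("x", 5)` ignores the second argument and gives `x` once, and a C# `new String("x", 5)` does not compile because that constructor takes a `char`. Either drop the ASP payload until a construct has been verified on a live ASP host, as is being asked for Perl and Python, or pick one that repeats a multi-character string while the string itself appears only once in the payload, which is the property this whole change relies on. Minor: the Perl entry `print '%s'x5` is the only one without a trailing `;`; harmless inside eval, but inconsistent with its neighbours.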
@@ -73,9 +73,7 @@
#Create some random strings, which the plugin will use.
# for the fuzz_with_echo
- self._rnd1 = createRandAlpha(5)
- self._rnd2 = createRandAlpha(5)
- self._rndn = self._rnd1 + self._rnd2
+ self._rnd = createRandAlpha(5)
# And now for the fuzz_with_time_delay
# The wait time of the unfuzzed request
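Review bot: make sure no reference to `self._rnd1`, `self._rnd2` or `self._rndn` survives outside the three places this patch updates (the list comprehension, the `_find_eval_result` docstring and `getEvalResult`); a leftover `self._rndn` elsewhere in the plugin would only raise an AttributeError when that code path runs during a scan, not at import time, so a grep before committing is cheaper than finding it in the field.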
@@ -108,8 +106,7 @@
@param freq: A fuzzableRequest
'''
oResponse = self._sendMutant(freq , analyze=False)
- print_strings = [pstr % (self._rnd1, self._rnd2)
- for pstr in self.PRINT_STRINGS]
+ print_strings = [pstr % (self._rnd,) for pstr in self.PRINT_STRINGS]
mutants = createMutants(freq, print_strings, oResponse=oResponse)
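Review bot: the one-element tuple `(self._rnd,)` is correct, and the error reported at the top of this thread came precisely from the templates and the argument tuple disagreeing on the number of `%s`; consider guarding against a repeat of that by asserting at class load that every template takes exactly one argument, e.g. `assert all(p.count('%s') == 1 for p in PRINT_STRINGS)`, so a future payload edit fails at import rather than part-way through a scan.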
@@ -235,7 +232,7 @@
def _find_eval_result(self, response):
'''
- This method searches for the randomized self._rndn string in html's.
+ This method searches for the randomized self._rnd string in html's.
@parameter response: The HTTP response object
@return: A list of error found on the page
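Review bot: while this docstring is being touched, make it accurate: the method now searches for the repeated string `self._rnd*5` that `getEvalResult` returns, not `self._rnd` alone, and the surrounding wording (`in html's`, `A list of error found`) should read `in the response body` and `A list of errors found`.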
@@ -256,7 +253,7 @@
'''
@return: The string that results from the evaluation of what I sent.
'''
- return [self._rndn]
+ return [self._rnd*5]
def getOptions(self):
'''
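As an added illustration of the false-positive argument in the thread (not code from the thread or from w3af), the following Python model compares the old concatenation check with the repeat-based check against a constructed non-vulnerable app that strips everything but [a-zA-Z0-9_-] and echoes the rest; both app models and the PHP templates are constructed here, and nothing is evaluated.

```python
import re

# PHP payload templates as quoted in the thread: the old two-string
# concatenation and the str_repeat replacement from the patch.
OLD_TEMPLATE = "echo '%s' . '%s';"
NEW_TEMPLATE = "echo str_repeat('%s',5);"

def old_expected(rnd1, rnd2):
    """What the old plugin searched for: the two strings joined together."""
    return rnd1 + rnd2

def new_expected(rnd):
    """What the patched plugin searches for: the single string five times."""
    return rnd * 5

def sanitizing_echo_app(payload):
    """Constructed model of the NON-vulnerable app from the thread: it keeps
    only [a-zA-Z0-9_-] and echoes the remainder in a 404 page. No eval here."""
    cleaned = re.sub(r"[^a-zA-Z0-9_-]", "", payload)
    return "<html><body>Error 404 %s</body></html>" % cleaned

def vulnerable_app(rnd, repeat=5):
    """Constructed model of a genuinely vulnerable app: the output that the
    str_repeat payload would produce is emitted directly (no eval either)."""
    return "<html><body>%s</body></html>" % (rnd * repeat)

def matches(response, expected):
    """The substring test _find_eval_result performs on the response body."""
    return expected in response

def old_check_is_fooled(rnd1, rnd2):
    """True when the concatenation check fires on the sanitizing (safe) app."""
    payload = OLD_TEMPLATE % (rnd1, rnd2)
    return matches(sanitizing_echo_app(payload), old_expected(rnd1, rnd2))

def new_check_is_fooled(rnd):
    """True when the repeat check fires on the sanitizing (safe) app."""
    payload = NEW_TEMPLATE % (rnd,)
    return matches(sanitizing_echo_app(payload), new_expected(rnd))

def new_check_finds_real_eval(rnd):
    """True when the repeat check fires on the vulnerable app."""
    return matches(vulnerable_app(rnd), new_expected(rnd))

if __name__ == "__main__":
    print(old_check_is_fooled("abcde", "fghij"))  # True: the false positive
    print(new_check_is_fooled("abcde"))           # False
    print(new_check_finds_real_eval("abcde"))     # True
```

The stripped echo of the old payload is `echoabcdefghij`, which still contains `abcdefghij`, whereas the stripped echo of the new payload contains the random string only once and so cannot match the five-fold expectation.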