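'''
baseAttackPlugin.py

Copyright 2006 Andres Riancho

This file is part of w3af, w3af.sourceforge.net .

w3af is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation version 2 of the License.

w3af is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with w3af; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA

'''

from core.controllers.w3afException import w3afException
from core.controllers.basePlugin.basePlugin import basePlugin
import core.controllers.outputManager as om
import core.data.request.httpPostDataRequest as httpPostDataRequest
import copy


class baseAttackPlugin(basePlugin):
    '''
    This is the base class for attack plugins, all attack plugins should
    inherit from it and implement the following methods :
        1. fastExploit(...)
        2. exploit(...)
        3. canExploit(...)

    getType() and getRootProbability() also raise w3afException in this
    base class, so concrete plugins have to override them as well.

    The class also offers helpers shared by the plugins: _defineCut() and
    _cut() to isolate a result inside a response body, and GET2POST() to
    convert a vulnerability's request to POST.

    @author: Andres Riancho ( andres.riancho@gmail.com )
    '''

    def __init__(self):
        basePlugin.__init__( self )
        self._urlOpener = None
        # Cut markers; both stay None until _defineCut() succeeds.
        self._footer = None
        self._header = None

    def fastExploit(self, url ):
        '''
        Abstract method, subclasses must override it. The base
        implementation only raises.

        NOTE(review): the original docstring was empty, so the contract for
        the url parameter and the return value is not documented here;
        confirm against the concrete plugins.
        '''
        raise w3afException('Plugin is not implementing required method fastExploit' )

    def exploit(self, url ):
        '''
        Exploits a vulnerability found by an audit plugin.

        @return: True when the exploit finishes.
        '''
        raise w3afException('Plugin is not implementing required method exploit' )

    def canExploit(self):
        '''
        Determines if audit plugins found exploitable vulns.

        @return: True if we can exploit a vuln stored in the kb.
        '''
        raise w3afException('Plugin is not implementing required method canExploit' )

    def getType(self):
        '''
        Returns the type of exploit, SHELL, PROXY, etc.
        '''
        raise w3afException('Plugin is not implementing required method getType' )

    def _defineCut( self, body, expectedResult, exact=True ):
        '''
        Defines the section where the result of an attack will be. For
        example, when doing a local File Include attack, the included file
        could be in the middle of some HTML text, so the text before and
        after the expected result is stored as a header and a footer, which
        _cut() later uses to extract the important part of a response.

        With exact=True the footer starts right after expectedResult. With
        exact=False the footer starts at the first '<' found at or after the
        position where expectedResult begins; note that the search includes
        expectedResult itself, so a '<' inside it becomes the footer start.

        When nothing follows the result, the footer is set to the sentinel
        string 'EOBody', meaning "the result runs to the end of the body".

        @parameter body: The response body that contains expectedResult.
        @parameter expectedResult: The string that is known to be in body.
        @parameter exact: See above.
        @return: True if the cut could be defined. On False the previously
        stored header and footer (if any) are left unchanged.
        '''
        # A single find() replaces the original count() + find() pair; it
        # returns -1 exactly when count() would have returned 0.
        headerEnd = body.find( expectedResult )
        if headerEnd == -1:
            return False

        if exact:
            footerStart = headerEnd + len( expectedResult )
            if footerStart == len( body ):
                # The expected result is the last thing in the body.
                footerStart = -1
        else:
            footerStart = body.find( '<', headerEnd )

        self._header = body[:headerEnd]
        if footerStart == -1:
            self._footer = 'EOBody'
        else:
            self._footer = body[footerStart:]
        return True

    def _cut( self, body ):
        '''
        After defining a cut, I can cut parts of an HTML and return the
        important sections.

        The header is removed by length, not by matching, so body is assumed
        to start with the same header text that _defineCut() stored. The
        footer is located with rfind(), i.e. its last occurrence in body.

        @parameter body: The response body to extract the result from.
        @return: The section of body between the header and the footer.
        @raise w3afException: When no cut was defined, or when the stored
        footer is not present in body.
        '''
        if self._header is None or self._footer is None:
            # Without this check the code below fails with an opaque
            # TypeError on len(None) / rfind(None).
            raise w3afException('The cut was not defined, _defineCut must succeed before calling _cut.')

        if self._footer == 'EOBody':
            return body[ len(self._header) : ]

        # Search once and reuse the position for the check and the slice.
        footerStart = body.rfind( self._footer )
        if footerStart == -1:
            raise w3afException('An error ocurred. The command result footer wasnt found.')
        return body[ len(self._header) : footerStart ]

    def GET2POST( self, vuln ):
        '''
        This method changes a vulnerability mutant, so all the data that was
        sent in the query string, is now sent in the postData; of course,
        the HTTP method is also changed from GET to POST.

        The work is done on a deep copy, the vuln object passed in is not
        modified. The method check is an exact comparison with 'POST', so
        any other method value (not only GET) is converted.

        @parameter vuln: The vulnerability object that holds the mutant.
        @return: A copy of vuln whose mutant sends its data using POST.
        '''
        vulnCopy = copy.deepcopy( vuln )
        mutant = vulnCopy.getMutant()

        if mutant.getMethod() == 'POST':
            # No need to work !
            return vulnCopy

        # Rebuild the request as a post data request that keeps the URL,
        # data container, headers and cookie of the original one.
        pdr = httpPostDataRequest.httpPostDataRequest()
        pdr.setURL( mutant.getURL() )
        pdr.setDc( mutant.getDc() )
        pdr.setHeaders( mutant.getHeaders() )
        pdr.setCookie( mutant.getCookie() )
        mutant.setFuzzableReq( pdr )
        return vulnCopy

    def getRootProbability( self ):
        '''
        @return: This method returns the probability of getting a root shell
        using this attack plugin. This is used by the "exploit *" function
        to order the plugins and first try to exploit the more critical
        ones. This method should return 0 for an exploit that will never
        return a root shell, and 1 for an exploit that WILL ALWAYS return a
        root shell.
        '''
        raise w3afException( 'Plugin is not implementing required method getRootProbability' )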