/**
 * Burp extension-unload hook: records the unload so in-flight bruteforce work can bail out.
 * Sets the shared {@code Utilities.unloaded} flag, which the request helpers poll before
 * issuing further requests.
 */
public void extensionUnloaded() {
    Utilities.log("Aborting param bruteforce");
    // Flip the global flag last so the log line is emitted even if nothing else is watching.
    Utilities.unloaded.set(true);
}
/**
 * Extension-unload hook for a possibly still-running scan: if the scan has not finished,
 * flag the unload and interrupt the current thread so blocking work notices it.
 * A scan that is already {@code completed} is left alone.
 */
public void extensionUnloaded() {
    if (completed) {
        return;
    }
    Utilities.log("Extension unloading - triggering abort");
    unloaded = true;
    // NOTE(review): this interrupts the thread that invoked the unload callback,
    // which is not necessarily the thread running the scan loop — confirm which
    // thread actually polls `unloaded` / sleeps here.
    Thread.currentThread().interrupt();
}
/**
 * Extension-unload hook: marks the unload and tears down the shared task engine.
 * Queued-but-unstarted tasks are discarded; the executor then refuses new work.
 */
public void extensionUnloaded() {
    Utilities.log("Aborting all attacks");
    Utilities.unloaded.set(true);
    // shutdown() does not interrupt tasks that are already executing; those are
    // presumably expected to observe Utilities.unloaded on their next request.
    taskEngine.getQueue().clear();
    taskEngine.shutdown();
}
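/**
 * Feeds one work target to Burp's spider, pacing submissions with a short delay.
 *
 * @param next the target whose {@code url} is handed to the spider
 */
public void launchTask(WorkTarget next) {
    try {
        // Brief pause so a large batch does not hand the spider everything at once.
        Thread.sleep(50);
        callbacks.sendToSpider(next.url);
    } catch (InterruptedException z) {
        Utilities.log("Scan feed interrupted, aborting");
        // Restore the interrupt flag: the original swallowed it, leaving the thread
        // looking un-interrupted to the caller's loop.
        Thread.currentThread().interrupt();
    }
}
} // closes the enclosing class (present in the original listing)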
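/**
 * Launches queued work targets round-robin across hosts: every pass over the map pops one
 * target per host, so no single host monopolises the feed. Hosts whose queue is exhausted are
 * removed from the map. Returns early (without the final count log) if the extension unloads.
 *
 * @param itemsByHost per-host FIFO queues of targets; drained, and keys removed, as work launches
 */
protected void distributeWork(HashMap<String, ArrayDeque<WorkTarget>> itemsByHost) {
    int launched = 0;
    Set<String> hosts = itemsByHost.keySet();
    while (!hosts.isEmpty()) {
        Iterator<String> hostIterator = hosts.iterator();
        while (hostIterator.hasNext()) {
            String host = hostIterator.next();
            // Typed lookup (the original used a raw ArrayDeque) and a single get() per host.
            ArrayDeque<WorkTarget> hostQueue = itemsByHost.get(host);
            if (hostQueue.isEmpty()) {
                // Removing through the keySet iterator also drops the entry from the map.
                hostIterator.remove();
                continue;
            }
            launchTask(hostQueue.pop());
            if (unloaded) {
                Utilities.log("Scan feed interrupted by extension unload, aborting");
                return;
            }
            launched++;
        }
    }
    Utilities.log("Launched " + launched + " tasks");
}
} // closes the enclosing class (present in the original listing)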
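/**
 * Sends {@code req} to {@code service}, retrying once if Burp throws or returns no response.
 * Aborts immediately if the extension has been unloaded.
 *
 * @param service target service
 * @param req raw request bytes
 * @return the last attempt's result; {@code null} if every attempt threw, and possibly carrying a
 *     {@code null} response if every attempt came back empty — callers must check both
 * @throws RuntimeException if the extension has been unloaded
 */
static IHttpRequestResponse attemptRequest(IHttpService service, byte[] req) {
    if (unloaded.get()) {
        Utilities.out("Extension unloaded - aborting attack");
        throw new RuntimeException("Extension unloaded");
    }
    IHttpRequestResponse result = null;
    for (int attempt = 1; attempt < 3; attempt++) {
        try {
            result = callbacks.makeHttpRequest(service, req);
        } catch (RuntimeException e) {
            Utilities.log(e.toString());
            Utilities.log("Critical request error, retrying...");
            continue;
        }
        if (result != null && result.getResponse() != null) {
            break;
        }
        Utilities.log("Request failed, retrying...");
    }
    // result is null when every attempt threw; the original dereferenced it here and NPE'd.
    if (result == null || result.getResponse() == null) {
        Utilities.log("Request failed multiple times, giving up");
    }
    return result;
}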
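/**
 * Sends {@code req} to {@code service}, retrying once if Burp throws or returns no response.
 * Aborts immediately if the extension has been unloaded.
 *
 * @param service target service
 * @param req raw request bytes
 * @return the last attempt's result; {@code null} if every attempt threw, and possibly carrying a
 *     {@code null} response if every attempt came back empty — callers must check both
 * @throws RuntimeException if the extension has been unloaded
 */
static IHttpRequestResponse attemptRequest(IHttpService service, byte[] req) {
    if (unloaded.get()) {
        Utilities.out("Extension unloaded - aborting attack");
        throw new RuntimeException("Extension unloaded");
    }
    IHttpRequestResponse result = null;
    for (int attempt = 1; attempt < 3; attempt++) {
        try {
            result = callbacks.makeHttpRequest(service, req);
        } catch (RuntimeException e) {
            Utilities.log(e.toString());
            Utilities.log("Critical request error, retrying...");
            continue;
        }
        if (result != null && result.getResponse() != null) {
            break;
        }
        Utilities.log("Request failed, retrying...");
    }
    // result is null when every attempt threw; the original dereferenced it here and NPE'd.
    if (result == null || result.getResponse() == null) {
        Utilities.log("Request failed multiple times, giving up");
    }
    return result;
}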
/**
 * Collects parameter names from a Burp message, filtered by parameter type.
 *
 * @param resp message bytes; despite the name they are parsed with {@code analyzeRequest}
 * @param types parameter types to keep; an empty set keeps every type
 * @return parsed parameter names in the order Burp reports them (each is also logged)
 */
static ArrayList<String> getParamKeys(byte[] resp, HashSet<Byte> types) {
    IRequestInfo analysed = Utilities.helpers.analyzeRequest(resp);
    boolean keepAll = types.isEmpty();
    ArrayList<String> matched = new ArrayList<>();
    for (IParameter candidate : analysed.getParameters()) {
        // Name is normalised (':' -> ';') and parsed before the type filter, as in the original.
        String name = parseParam(candidate.getName().replace(':', ';'));
        if (!keepAll && !types.contains(candidate.getType())) {
            continue;
        }
        matched.add(name);
        Utilities.log(name);
    }
    return matched;
}
/**
 * Registers keys seen in a response that are not yet known to the attack state or the
 * candidate list, and feeds them into the parameter buckets. Does nothing unless the
 * "dynamic keyload" option is enabled. {@code bucketSize} is accepted but not used here.
 */
private void addNewKeys(ArrayList<String> keys, ParamAttack state, int bucketSize, ParamHolder paramBuckets, ArrayList<String> candidates, Attack paramGuess) {
    if (!config.getBoolean("dynamic keyload")) {
        return;
    }
    ArrayList<String> fresh = new ArrayList<>();
    for (String key : keys) {
        String[] parsed = Keysmith.parseKey(key);
        boolean alreadyKnown = state.valueParams.contains(key)
                || state.params.contains(key)
                || candidates.contains(parsed[1])
                || candidates.contains(key);
        if (alreadyKnown) {
            continue;
        }
        Utilities.log("Found new key: " + key);
        state.valueParams.add(key);
        fresh.add(key); // fixme probably adds the key in the wrong format
        // Runs once per newly found key, not once per call — preserved from the original.
        paramGrabber.saveParams(paramGuess.getFirstRequest());
    }
    paramBuckets.addParams(fresh, true);
}
Utilities.log("No default key available");
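/**
 * Groups the pending requests by host so work can later be spread across hosts.
 * Only items that have no response yet are queued; progress is logged every 1000 items.
 *
 * @return host -&gt; FIFO queue of targets built from each request's URL
 */
public HashMap<String, ArrayDeque<WorkTarget>> splitItemsByHost() {
    HashMap<String, ArrayDeque<WorkTarget>> scanItemsByHost = new HashMap<>();
    int i = 0;
    for (IHttpRequestResponse request : requests) {
        i += 1;
        if (i % 1000 == 0) {
            Utilities.log(i + " of " + requests.length + " items processed");
        }
        // Items that already carry a response are skipped (original behaviour).
        if (request.getResponse() != null) {
            continue;
        }
        String host = request.getHttpService().getHost();
        // computeIfAbsent replaces the containsKey/get/put sequence and the duplicated
        // WorkTarget construction in both branches of the original.
        scanItemsByHost
                .computeIfAbsent(host, h -> new ArrayDeque<>())
                .add(new WorkTarget(Utilities.getURL(request)));
    }
    return scanItemsByHost;
}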
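/**
 * Queues one target on Burp's active scanner and, when throttling is enabled, waits until
 * the scan item leaves the "waiting" state before returning.
 *
 * @param next target holding the base request and its insertion-point offsets
 */
public void launchTask(WorkTarget next) {
    IHttpRequestResponse itemToScanNext = next.req;
    IHttpService service = itemToScanNext.getHttpService();
    boolean usingHttps = service.getProtocol().equals("https");
    String host = service.getHost();
    IScanQueueItem scanItem = callbacks.doActiveScan(host, service.getPort(), usingHttps, itemToScanNext.getRequest(), next.offsets);
    if (!Utilities.THROTTLE_SCANITEM_CREATION) {
        return;
    }
    // Poll until Burp has picked the item up, so the scanner queue is not flooded.
    while (scanItem.getStatus().equals("waiting")) {
        try {
            Thread.sleep(50);
        } catch (InterruptedException z) {
            Utilities.log("Scan feed interrupted, aborting");
            // Preserve the interrupt for the caller; the original cleared it by returning.
            Thread.currentThread().interrupt();
            return;
        }
    }
}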
public void run() { int queueSize = taskEngine.getQueue().size(); Utilities.log("Adding "+reqs.length+" tasks to queue of "+queueSize); queueSize += reqs.length; int thread_count = taskEngine.getCorePoolSize(); Utilities.log("Loop "+i++); Iterator<IHttpRequestResponse> left = reqlist.iterator(); while (left.hasNext()) { keyCache.add(key); left.remove(); Utilities.log("Adding request on "+host+" to queue"); queued++; taskEngine.execute(new ParamGuesser(Utilities.callbacks.saveBuffersToTempFiles(req), backend, type, paramGrabber, taskEngine, stop, config));
Utilities.log(i + " of " + requests.length + " items processed");
Utilities.log("Trying bucket size: "+ bucketSize); StringBuilder trialPayload = new StringBuilder(); trialPayload.append(Utilities.randomString(longest));
for (String entry: Keysmith.getAllKeys(baseRequestResponse.getRequest(), new HashMap<>())) { // todo give precedence to shallower keys String[] parsed = Keysmith.parseKey(entry); Utilities.log("Request param: " +parsed[1]); requestParams.putIfAbsent(parsed[1], parsed[0]); sorted.addAll(responses.keySet()); for(Integer key: sorted) { Utilities.log("Loading keys with "+key+" matches"); ArrayList<String> sortedByLength = new ArrayList<>(responses.get(key)); sortedByLength.sort(new LengthCompare()); Utilities.log("Loaded " + new HashSet<>(params).size() + " params from response");
/**
 * Feeds every stored request that has a response under 4,000,000 bytes to Burp's passive
 * scanner, logging progress every 1000 items.
 */
public void run() {
    int processed = 0;
    for (IHttpRequestResponse req : requests) {
        processed++;
        byte[] response = req.getResponse();
        // Size cap presumably keeps very large bodies out of the passive scanner.
        if (response != null && response.length < 4000000) {
            IHttpService service = req.getHttpService();
            boolean usingHttps = service.getProtocol().equals("https");
            callbacks.doPassiveScan(service.getHost(), service.getPort(), usingHttps, req.getRequest(), response);
        }
        if (processed % 1000 == 0) {
            Utilities.log(processed + " of " + requests.length + " items processed");
        }
    }
}
} // closes the enclosing class (present in the original listing)
public void run() { if(this.attack == null) { if (req.getResponse() == null) { Utilities.log("Baserequest has no response - fetching..."); try { req = Utilities.callbacks.makeHttpRequest(req.getHttpService(), req.getRequest());
/**
 * Cache-poisoning check for one insertion point: sends a seeding request a number of times,
 * then re-fetches the base request with the same cache-buster and reports an issue if the
 * marker string shows up in the response. Number of attempts scales with {@code attackDedication}
 * and {@code i}.
 *
 * @param injector supplies the service and insertion point used to build the seeding request
 * @param param value placed at the insertion point
 * @param base request re-fetched (with the cache-buster) to look for the marker
 * @param attackDedication upper bound of the attempt loops
 * @param i controls how many attempts run ({@code attackDedication - i .. attackDedication})
 * @param pathSuffix appended to the path of every request built here
 * @return {@code true} if an issue was raised, {@code false} otherwise
 */
private boolean tryReflectCache(PayloadInjector injector, String param, IHttpRequestResponse base, int attackDedication, int i, String pathSuffix) {
    IHttpService service = injector.getService();
    byte[] setPoisonReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param)), pathSuffix);
    // Fresh URL parameter so each check hits its own cache key.
    IParameter cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
    setPoisonReq = Utilities.helpers.addParameter(setPoisonReq, cacheBuster);
    for (int j = attackDedication - i; j < attackDedication; j++) {
        Utilities.attemptRequest(service, setPoisonReq);
    }
    for (int j = attackDedication - i; j < attackDedication; j += 3) {
        IHttpRequestResponse getPoison = Utilities.attemptRequest(service, Utilities.appendToPath(Utilities.helpers.addParameter(base.getRequest(), cacheBuster), pathSuffix));
        // NOTE(review): attemptRequest can hand back a result whose getResponse() is null after
        // repeated failures; whether containsBytes tolerates a null haystack is not visible here.
        if (Utilities.containsBytes(getPoison.getResponse(), "wrtqv".getBytes())) {
            Utilities.log("Successful cache poisoning check");
            String title = "Cache poisoning";
            byte[] headerSplitReq = Utilities.appendToPath(injector.getInsertionPoint().buildRequest(Utilities.helpers.stringToBytes(param + "~zxcv\rvcz")), pathSuffix);
            cacheBuster = Utilities.helpers.buildParameter(Utilities.generateCanary(), "1", IParameter.PARAM_URL);
            // NOTE(review): same null-response caveat applies to headerSplitResp below.
            byte[] headerSplitResp = Utilities.attemptRequest(service, Utilities.helpers.addParameter(headerSplitReq, cacheBuster)).getResponse();
            // NOTE(review): the slice of the *response* is bounded by the body offset of the
            // *request* (headerSplitReq), not of headerSplitResp — confirm this is intended;
            // copyOfRange will also throw if headerSplitResp is null or shorter than that offset.
            if (Utilities.containsBytes(Arrays.copyOfRange(headerSplitResp, 0, Utilities.getBodyStart(headerSplitReq)), "zxcv\rvcz".getBytes())) {
                title = "Severe cache poisoning";
            }
            title = title + " "+i;
            // getBytes() without a charset uses the platform default; ASCII markers here, so harmless in practice.
            Utilities.callbacks.addScanIssue(new CustomScanIssue(getPoison.getHttpService(), Utilities.getURL(getPoison), getPoison, title, "Cache poisoning: '" + param + "'. Disregard the request and look for wrtqv in the response", "High", "Firm", "Investigate"));
            return true;
        }
    }
    return false;
}