-
-
Notifications
You must be signed in to change notification settings - Fork 102
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Php Object Injection Emulator (#320)
* POI emulator * changed vuln class * phpox helper added * improved naming
- Loading branch information
Showing
5 changed files
with
80 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
import asyncio | ||
import logging | ||
|
||
from tanner.utils.php_sandbox_helper import PHPSandboxHelper | ||
from tanner.utils import patterns | ||
|
||
|
||
class PHPObjectInjection: | ||
def __init__(self, loop=None): | ||
self._loop = loop if loop is not None else asyncio.get_event_loop() | ||
self.logger = logging.getLogger('tanner.php_object_injection') | ||
self.helper = PHPSandboxHelper(self._loop) | ||
|
||
async def get_injection_result(self, code): | ||
|
||
vul_code = "<?php " \ | ||
"class ObjectInjection { " \ | ||
"public $insert; " \ | ||
"public function __destruct() { " \ | ||
"$var = system($this->insert, $ret);" \ | ||
"print $var[0];" \ | ||
"$this->date = date('d-m-y');" \ | ||
"$this->filename = '/tmp/logs/' . $this->date;" \ | ||
"file_put_contents($this->filename, $var[0], FILE_APPEND);" \ | ||
"}} " \ | ||
"$cmd = unserialize(\'%s\');" \ | ||
"?>" % code | ||
|
||
object_injection_result = await self.helper.get_result(vul_code) | ||
|
||
return object_injection_result | ||
|
||
def scan(self, value): | ||
detection = None | ||
if patterns.PHP_OBJECT_INJECTION.match(value): | ||
detection = dict(name='php_object_injection', order=3) | ||
return detection | ||
|
||
async def handle(self, attack_params): | ||
result = await self.get_injection_result(attack_params[0]['value']) | ||
if not result or 'stdout' not in result: | ||
return dict(status_code=504) | ||
return dict(value=result['stdout'], page=False) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
import logging | ||
import asyncio | ||
import aiohttp | ||
from tanner import config | ||
|
||
|
||
class PHPSandboxHelper: | ||
def __init__(self, loop): | ||
self.logger = logging.getLogger('tanner.php_sandbox_helper.PHPSandboxHelper') | ||
self._loop = loop if loop is not None else asyncio.get_event_loop() | ||
|
||
async def get_result(self, code): | ||
result = None | ||
|
||
phpox_address = 'http://{host}:{port}'.format(host=config.TannerConfig.get('PHPOX', 'host'), | ||
port=config.TannerConfig.get('PHPOX', 'port') | ||
) | ||
|
||
try: | ||
async with aiohttp.ClientSession(loop=self._loop) as session: | ||
async with session.post(phpox_address, data=code) as resp: | ||
result = await resp.json() | ||
except aiohttp.ClientError as client_error: | ||
self.logger.error('Error during connection to php sandbox %s', client_error) | ||
finally: | ||
await session.close() | ||
return result |