Add parameters for Web Attack

Cotonne · Cotonne · commit 0628784b1e92 · 2018-09-16T10:44:30.000+02:00
diff --git a/nosqlmap.py b/nosqlmap.py
@@ -152,14 +152,14 @@ def attack(args):
     
     if args.attack == 1:
         if platform == "MongoDB":
-            nsmmongo.netAttacks(victim, dbPort, myIP, myPort)
+            nsmmongo.netAttacks(victim, dbPort, myIP, myPort, args)
         elif platform == "CouchDB":
-            nsmcouch.netAttacks(victim, dbPort, myIP)
+            nsmcouch.netAttacks(victim, dbPort, myIP, args)
     elif args.attack == 2:
         if httpMethod == "GET":
-            nsmweb.getApps(webPort,victim,uri,https,verb,requestHeaders)
+            nsmweb.getApps(webPort,victim,uri,https,verb,requestHeaders, args)
         elif httpMethod == "POST":
-            nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders)
+            nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders, args)
     elif args.attack == 3:
         scanResult = nsmscan.massScan(platform)
         if scanResult != None:
@@ -514,6 +514,12 @@ def build_parser():
     parser.add_argument("--verb", help="Toggle Verbose Mode", choices=["ON", "OFF"], default="OFF")
     parser.add_argument("--postData", help="Enter POST data in a comma separated list (i.e. param name 1,value1,param name 2,value2)", default="")
     parser.add_argument("--requestHeaders", help="Request headers in a comma separated list (i.e. param name 1,value1,param name 2,value2)", default="")
+
+    modules = [nsmcouch, nsmmongo, nsmscan, nsmweb]
+    for module in modules:     
+        for arg in module.args():
+            parser.add_argument(arg[0], help=arg[1])
+    
     return parser
 
 def signal_handler(signal, frame):
diff --git a/nsmcouch.py b/nsmcouch.py
@@ -21,6 +21,8 @@
 yes_tag = ['y', 'Y']
 no_tag = ['n', 'N']
 
+def args():
+    return []
 
 def couchScan(target,port,pingIt):
     if pingIt == True:
@@ -63,8 +65,7 @@ def couchScan(target,port,pingIt):
         except:
             return [3,None]
 
-
-def netAttacks(target,port, myIP):
+def netAttacks(target,port, myIP, args = None):
     print "DB Access attacks (CouchDB)"
     print "======================"
     mgtOpen = False
diff --git a/nsmmongo.py b/nsmmongo.py
@@ -18,8 +18,10 @@
 yes_tag = ['y', 'Y']
 no_tag = ['n', 'N']
 
+def args():
+    return []
 
-def netAttacks(target, dbPort, myIP, myPort):
+def netAttacks(target, dbPort, myIP, myPort, args = None):
     print "DB Access attacks (MongoDB)"
     print "================="
     mgtOpen = False
diff --git a/nsmscan.py b/nsmscan.py
@@ -7,8 +7,10 @@
 import nsmmongo
 import nsmcouch
 
+def args():
+    return []
 
-def massScan(platform):
+def massScan(platform, args = None):
     yes_tag = ['y', 'Y']
     no_tag = ['n', 'N']
     optCheck = True
diff --git a/nsmweb.py b/nsmweb.py
@@ -19,7 +19,14 @@
     ssl._create_default_https_context = ssl._create_unverified_context
 
 
-def getApps(webPort,victim,uri,https,verb,requestHeaders):
+def args():
+    return [
+            ["--injectSize", "Size of payload"],
+            ["--injectFormat", "1-Alphanumeric, 2-Letters only, 3-Numbers only, 4-Email address"],
+            ["--params", "Enter parameters to inject in a comma separated list"],
+            ["--doTimeAttack", "Start timing based tests (y/n)"]]
+
+def getApps(webPort,victim,uri,https,verb,requestHeaders, args = None):
     print "Web App Attacks (GET)"
     print "==============="
     paramName = []
@@ -81,25 +88,32 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 
     if appUp == True:
 
-        sizeSelect = True
+        if args == None:
+            sizeSelect = not injectSize.isdigit() 
 
-        while sizeSelect:
-            injectSize = raw_input("Baseline test-Enter random string size: ")
-            if injectSize.isdigit():
-                sizeSelect = False
-            else:
-                print "Invalid! The size should be an integer."
+            while sizeSelect:
+                injectSize = raw_input("Baseline test-Enter random string size: ")
+                sizeSelect = not injectSize.isdigit() 
+                if sizeSelect:
+                    print "Invalid! The size should be an integer."
+
+            format = randInjString(int(injectSize))
+        else:
+            injectSize = int(args.injectSize)
+            format = args.injectFormat
+            
+        injectString = build_random_string(format, injectSize)
 
-        injectString = randInjString(int(injectSize))
         print "Using " + injectString + " for injection testing.\n"
 
         # Build a random string and insert; if the app handles input correctly, a random string and injected code should be treated the same.
         if "?" not in appURL:
             print "No URI parameters provided for GET request...Check your options.\n"
-            raw_input("Press enter to continue...")
+            if args == None:
+                raw_input("Press enter to continue...")
             return()
 
-        randomUri = buildUri(appURL,injectString)
+        randomUri = buildUri(appURL,injectString, args)
         print "URI : " + randomUri
         req = urllib2.Request(randomUri, None, requestHeaders)
 
@@ -260,8 +274,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
             checkResult(randLength,injLen,testNum,verb,None)
             testNum += 1
 
-
-        doTimeAttack = raw_input("Start timing based tests (y/n)? ")
+        if args == None:
+            doTimeAttack = raw_input("Start timing based tests (y/n)? ")
+        else:
+            doTimeAttack = args.doTimeAttack
 
         if doTimeAttack.lower() == "y":
             print "Starting Javascript string escape time based injection..."
@@ -323,7 +339,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
         else:
             print "Integer attack-Unsuccessful"
 
-        fileOut = raw_input("Save results to file (y/n)? ")
+        if args == None:
+            fileOut = raw_input("Save results to file (y/n)? ")
+        else:
+            fileOut = "n"
 
         if fileOut.lower() == "y":
             savePath = raw_input("Enter output file name: ")
@@ -349,7 +368,8 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
             fo.write("\n")
             fo.close()
 
-    raw_input("Press enter to continue...")
+    if args == None:
+        raw_input("Press enter to continue...")
     return()
 
 
@@ -430,20 +450,25 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
             menuItem += 1
 
         try:
-            injIndex = raw_input("Which parameter should we inject? ")
+            injIndex = 1
+            if args == None:
+                injIndex = raw_input("Which parameter should we inject? ")
+                
             injOpt = str(postData.keys()[int(injIndex)-1])
             print "Injecting the " + injOpt + " parameter..."
         except:
-            raw_input("Something went wrong.  Press enter to return to the main menu...")
+            if args == None:
+                raw_input("Something went wrong.  Press enter to return to the main menu...")
             return
 
-        sizeSelect = True
+
+        sizeSelect = (args == None)
+        injectSize = 1000
 
         while sizeSelect:
             injectSize = raw_input("Baseline test-Enter random string size: ")
-            if injectSize.isdigit():
-                sizeSelect = False
-            else:
+            sizeSelect = not injectSize.isdigit()
+            if sizeSelect:
                 print "Invalid! The size should be an integer."
                 
         injectString = randInjString(int(injectSize))
@@ -454,7 +479,6 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
         postData.update({injOpt:injectString})
         if verb == "ON":
             print "Checking random injected parameter HTTP response size sending " + str(postData) +"...\n"
-
         else:
             print "Sending random parameter value..."
 
@@ -641,7 +665,9 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
             testNum += 1
         print "\n"
 
-        doTimeAttack = raw_input("Start timing based tests (y/n)? ")
+        doTimeAttack = "N"
+        if args == None:        
+            doTimeAttack = raw_input("Start timing based tests (y/n)? ")
 
         if doTimeAttack == "y" or doTimeAttack == "Y":
             print "Starting Javascript string escape time based injection..."
@@ -849,28 +875,29 @@ def randInjString(size):
 
     while format:
         format = raw_input("Select an option: ")
+        if format not in ["1", "2", "3", "4"]:
+            format = True
+            print "Invalid selection."
+    return format
 
-        if format == "1":
-            chars = string.ascii_letters + string.digits
-            return ''.join(random.choice(chars) for x in range(size))
-
-        elif format == "2":
-            chars = string.ascii_letters
-            return ''.join(random.choice(chars) for x in range(size))
+def build_random_string(format, size):
+    if format == "1":
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for x in range(size))
 
-        elif format == "3":
-            chars = string.digits
-            return ''.join(random.choice(chars) for x in range(size))
+    elif format == "2":
+        chars = string.ascii_letters
+        return ''.join(random.choice(chars) for x in range(size))
 
-        elif format == "4":
-            chars = string.ascii_letters + string.digits
-            return ''.join(random.choice(chars) for x in range(size)) + '@' + ''.join(random.choice(chars) for x in range(size)) + '.com'
-        else:
-            format = True
-            print "Invalid selection."
+    elif format == "3":
+        chars = string.digits
+        return ''.join(random.choice(chars) for x in range(size))
 
+    else: # format == "4":
+        chars = string.ascii_letters + string.digits
+        return ''.join(random.choice(chars) for x in range(size)) + '@' + ''.join(random.choice(chars) for x in range(size)) + '.com'
 
-def buildUri(origUri, randValue):
+def buildUri(origUri, randValue, args=None):
     paramName = []
     paramValue = []
     global uriArray
@@ -898,7 +925,10 @@ def buildUri(origUri, randValue):
         menuItem += 1
 
     try:
-        injIndex = raw_input("Enter parameters to inject in a comma separated list:  ")
+        if args == None:
+            injIndex = raw_input("Enter parameters to inject in a comma separated list:  ")
+        else:
+            injIndex = args.params
 
         for params in injIndex.split(","):
             injOpt.append(paramName[int(params)-1])
