<?

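/**
 * Builds, loads and replays a "wst_project" test plan against one HTTP resource.
 *
 * A plan is an XML document holding the attack type (TRV, SQL, RCX or XSS),
 * the resource description and a list of request "combinations". Create()
 * generates the plan from the current HttpRequest, Load() reads the resource
 * description from a file, and Attack() sends every combination and looks
 * for $match_pattern in each response body.
 *
 * The plan decides which host receives the requests, so only load project
 * files you authored or reviewed. A hit is a case-insensitive substring match
 * on the response body: it is an indicator that needs manual confirmation,
 * and the absence of a hit does not show the resource is safe.
 */
class WebAttack
{
	// xml_doc instance holding the project document (built by Create(), parsed by Load()).
	var $xml_doc;
	// Substring searched for, case-insensitively, in every response body.
	var $match_pattern;
	// Set to true by Load() and Create(); Attack() refuses to run while false.
	var $ready;
	// HttpRequest instance describing the resource and carrying each request.
	var $HttpRequest;
	// When true, Attack() echoes progress and every hit.
	var $verbose;

	/**
	 * Initialises an empty, not-ready tester.
	 *
	 * Declared as __construct() because a method named after the class is no
	 * longer treated as a constructor by PHP 8, which would leave every
	 * property unset.
	 */
	function __construct()
	{
		$this->xml_doc = new xml_doc();
		$this->HttpRequest = new HttpRequest();
		$this->match_pattern = '';
		$this->ready = false;
		$this->verbose = false;
	}

	/**
	 * Old-style constructor kept for callers (or subclasses) that invoke it by name.
	 */
	function WebAttack()
	{
		$this->__construct();
	}

	/**
	 * Reads the resource description of a project file into $this->HttpRequest.
	 *
	 * Only the /wst_project/resource/* values are copied here; the attack
	 * type, match pattern and combinations are read later by Attack().
	 *
	 * @param string $filename Path of the project XML file.
	 * @return bool False when the path is not a readable regular file, true otherwise.
	 */
	function Load($filename)
	{
		// file_exists() is also true for directories; require a readable regular file.
		if (!is_file($filename) || !is_readable($filename)) return false;

		$this->xml_doc = new xml_doc;
		$this->xml_doc->xml = FileRead($filename);
		$this->xml_doc->parse();

		// NOTE(review): the values are used as parsed, without validation; the
		// file therefore fully controls where Attack() connects.
		$fields = array(
			'server', 'host', 'protocol', 'protocol_version',
			'port', 'method', 'bytes', 'timeout', 'target',
		);
		foreach ($fields as $field) {
			$this->HttpRequest->{$field} = $this->xml_doc->XPath_eval('/wst_project/resource/'.$field.'/text()');
		}
		$this->ready = true;
		return true;
	}

	/**
	 * Builds the project document for one attack type from the current HttpRequest.
	 *
	 * Arguments are positional and read with func_get_args():
	 *
	 *   TRV: Create(
	 *            'TRV',                 // Type
	 *            'Dir.Trasversal 1',    // Name                       Default ''
	 *            '/etc/passwd',         // Trasversal pattern         Default 'etc/passwd'
	 *            array('var1','var2'),  // Parameter names to vary    Default: all names in $this->HttpRequest->vars
	 *            5                      // Deep                       Default 10
	 *        )
	 *
	 *   XSS / RCX / SQL: Create(
	 *            'XSS',                 // Type
	 *            'CrossSiteScript 1',   // Name                       Default ''
	 *            array('Alert'=>'<script>alert(document.cookie)</script>'), // Patterns array
	 *            array('var1','var2')   // Parameter names to vary    Default: all names in $this->HttpRequest->vars
	 *        )
	 *
	 * One combination is emitted per varied parameter and per depth (TRV) or
	 * per pattern (XSS/RCX/SQL); every other parameter keeps its current value.
	 * An unknown type terminates the script with die().
	 *
	 * @return mixed Whatever $this->xml_doc->generate() returns for the built document.
	 */
	function Create()
	{
		$args = func_get_args();
		$code = isset($args[0]) ? $args[0] : '';
		$name = isset($args[1]) ? $args[1] : '';

		$this->xml_doc = new xml_doc;
		$root = $this->xml_doc->createTag('wst_project');
		$attack = $this->xml_doc->createTag('attack', array('name' => $name, 'value' => $code), '', $root);

		$resource = $this->xml_doc->createTag('resource', array(), '', $root);
		$resource_fields = array(
			'protocol', 'protocol_version', 'port', 'host', 'server',
			'target', 'bytes', 'timeout', 'method',
		);
		foreach ($resource_fields as $field) {
			$this->xml_doc->createTag($field, array(), $this->HttpRequest->{$field}, $resource);
		}

		// The default must be the parameter NAMES: the previous default passed the
		// name=>value map itself, so names were compared against values and the
		// "all parameters" case normally injected nothing.
		if (isset($args[3])) {
			$combine_vars = $args[3];
		} else {
			$combine_vars = is_array($this->HttpRequest->vars) ? array_keys($this->HttpRequest->vars) : array();
		}

		switch ($code) {
			case 'TRV':
				$trasversal_pattern = isset($args[2]) ? $args[2] : 'etc/passwd';
				$deep = isset($args[4]) ? $args[4] : 10;

				$this->xml_doc->createTag('trasversal_pattern', array(), $trasversal_pattern, $attack);
				$this->xml_doc->createTag('match_pattern', array(), $this->match_pattern, $attack);

				$z = 0;
				$combinations = $this->xml_doc->createTag('combinations', array(), '', $root);
				for ($i = 0; $i < $deep; $i++) {
					// $i leading "../" segments; a doubled slash from a pattern
					// that starts with "/" is collapsed.
					$value = str_replace('//', '/', str_repeat('../', $i).$trasversal_pattern);
					foreach ($combine_vars as $comb_var) {
						$this->_appendCombination($z, $combinations, $comb_var, $value);
						$z++;
					}
				}
				break;

			case 'SQL':
			case 'RCX':
			case 'XSS':
				$patterns = isset($args[2]) ? $args[2] : array();
				$this->xml_doc->createTag('match_pattern', array(), $this->match_pattern, $attack);

				$z = 0;
				$combinations = $this->xml_doc->createTag('combinations', array(), '', $root);
				foreach ($combine_vars as $comb_var) {
					foreach ($patterns as $pattern_value) {
						// Stored urlencoded; Attack() decodes 'vars' values before sending.
						$this->_appendCombination($z, $combinations, $comb_var, urlencode($pattern_value));
						$z++;
					}
				}
				break;

			default:
				// NOTE(review): die() ends the whole host application, not just this call.
				die('undefined attack '.$code.' in '.__FILE__.' on line '.__LINE__);
		}
		$this->ready = true;
		return $this->xml_doc->generate();
	}

	/**
	 * Appends one <combination> (vars, headers, cookies, files) under $parent.
	 *
	 * @param int    $id             Value of the combination's "id" attribute.
	 * @param mixed  $parent         The <combinations> tag returned by createTag().
	 * @param string $target_var     Name of the parameter that receives $injected_value.
	 * @param string $injected_value Value stored for $target_var.
	 */
	function _appendCombination($id, $parent, $target_var, $injected_value)
	{
		$combination = $this->xml_doc->createTag('combination', array('id' => $id, 'repeat' => 1), '', $parent);

		// NOTE(review): Attack() urldecodes every 'vars' value, but only injected
		// XSS/SQL/RCX payloads are urlencoded; baseline values containing '+' or
		// '%xx' are altered on replay — confirm whether they should be encoded too.
		$vars = $this->xml_doc->createTag('vars', array(), '', $combination);
		if (is_array($this->HttpRequest->vars)) {
			foreach ($this->HttpRequest->vars as $param_name => $param_value) {
				// Compare as strings: numeric-looking array keys are integers, and a
				// loose == between an integer and a name can match the wrong parameter.
				if ((string)$param_name === (string)$target_var) $param_value = $injected_value;
				$this->xml_doc->createTag('param', array('name' => $param_name), $param_value, $vars);
			}
		}

		$this->_appendParams('headers', $this->HttpRequest->headers, $combination);
		$this->_appendParams('cookies', $this->HttpRequest->cookies, $combination);
		$this->_appendParams('files', $this->HttpRequest->files, $combination);
	}

	/**
	 * Appends a <$section> tag holding one <param name="..."> per entry of $values.
	 *
	 * @param string $section Tag name ('headers', 'cookies' or 'files').
	 * @param mixed  $values  name => value map; anything that is not an array yields an empty section.
	 * @param mixed  $parent  Tag that receives the new section.
	 */
	function _appendParams($section, $values, $parent)
	{
		$node = $this->xml_doc->createTag($section, array(), '', $parent);
		if (!is_array($values)) return $node;
		foreach ($values as $param_name => $param_value) {
			$this->xml_doc->createTag('param', array('name' => $param_name), $param_value, $node);
		}
		return $node;
	}

	/**
	 * Sends every combination of the loaded plan and reports pattern hits.
	 *
	 * For each combination the stored values are copied onto $this->HttpRequest,
	 * the request is sent, and the response body is searched case-insensitively
	 * for the plan's match pattern. A failing Init() or Send() terminates the
	 * script with die().
	 *
	 * The report includes the response body from the matched position onward,
	 * unescaped; escape it before showing it in an HTML context.
	 *
	 * @return string 'Not Ready' before Load()/Create(), an "Unimplemented attack
	 *                type" message for unknown types, otherwise the report
	 *                (empty when nothing matched).
	 */
	function Attack()
	{
		if (!$this->ready) return 'Not Ready';
		$return_string = '';
		$attack = $this->xml_doc->XPath_eval('/wst_project/attack/tag()');
		$type = (is_object($attack) && isset($attack->attributes['VALUE'])) ? $attack->attributes['VALUE'] : '';
		$matched = false;
		// Only these request sections may be filled from the plan; without the
		// list, a tag name in the file could name any HttpRequest property.
		$sections = array('vars', 'headers', 'cookies', 'files');

		switch ($type) {
			case 'TRV':
			case 'RCX':
			case 'SQL':
			case 'XSS':
				$this->match_pattern = $this->xml_doc->XPath_eval('/wst_project/attack/match_pattern/text()');
				$needle = $this->match_pattern;
				// An empty needle makes stristr() return the whole body on PHP 8 (and
				// warn on older versions), which would flag every response as a hit.
				$has_needle = !($needle === '' || $needle === null || $needle === false);

				$combinations = $this->xml_doc->XPath_eval('/wst_project/combinations/tag()');
				$plan = (is_object($combinations) && isset($combinations->children)) ? $combinations->children : array();

				foreach ($plan as $combination) {
					foreach ($combination->children as $tag_item) {
						$item = strtolower($tag_item->name);
						if (!in_array($item, $sections, true)) continue;
						foreach ($tag_item->children as $param) {
							// Decode into a local: writing back into the parsed tree would
							// decode the same value again on a second run.
							$value = $param->contents;
							if ($item == 'vars') $value = urldecode($value);
							$this->HttpRequest->{$item}[$param->attributes['NAME']] = $value;
						}
					}
					// NOTE(review): _request is printed before Init(); presumably it still
					// holds the previously built request — confirm against HttpRequest.
					if ($this->verbose) { echo "Now testing:\n".$this->HttpRequest->_request."\n\n..."; }
					if (!$this->HttpRequest->Init()) die($this->HttpRequest->err);
					if (!$this->HttpRequest->Send()) die($this->HttpRequest->err);
					$match = $has_needle ? stristr($this->HttpRequest->response->body, $needle) : false;
					if ($this->verbose) { echo "DONE\n\n"; }
					// Strict test: a matched tail such as "0" is falsy but still a hit.
					if ($match !== false) {
						$out = "\n\n------------------------------------------------\n";
						$out .= 'Combination '.$combination->attributes['ID'].' match this pattern'.LFCR;
						$out .= $this->match_pattern."\n\n";
						$out .= $match."\n\n------------------------------------------------\n";
						$return_string .= $out;
						$matched = true;
						if ($this->verbose) { echo $out; }
					}
				}
				if ($matched) {
					$return_string .= "\nThe resource seems to be vulnerable to $type attacks\n";
				}
				break;

			default:
				$return_string .= 'Unimplemented attack type: '.$type;
		}
		return $return_string;
	}
}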

?>