-n switch added, mime types and extensions sorted, most commons first

fuxploider.py

@@ -10,6 +10,7 @@
 parser.add_argument("-d", "--data", metavar="postData",dest="data", help="Additionnal data to be transmitted via POST method. Example : -d \"key1=value1&key2=value2\"", type=valid_postData)
 parser.add_argument("--proxy", metavar="proxyUrl", dest="proxy", help="Proxy information. Example : --proxy \"user:[email protected]:8080\"", type=valid_proxyString)
 parser.add_argument("--proxy-creds",metavar="credentials",nargs='?',const=True,dest="proxyCreds",help="Prompt for proxy credentials at runtime. Format : 'user:pass'",type=valid_proxyCreds)
+parser.add_argument("-n",metavar="n",nargs=1,default=["100"],dest="n",help="Number of common extensions to use. Example : -n 100")
 requiredNamedArgs = parser.add_argument_group('Required named arguments')
 requiredNamedArgs.add_argument("-u","--url", metavar="target", dest="url",required=True, help="Web page URL containing the file upload form to be tested. Example : http://test.com/index.html?action=upload", type=valid_url)
 requiredNamedArgs.add_argument("--not-regex", metavar="regex", help="Regex matching an upload failure", type=valid_regex, required=True,dest="notRegex")
@@ -18,6 +19,7 @@
 
 if args.proxyCreds and args.proxy == None :
 	parser.error("--proxy-creds must be used with --proxy.")
+args.n = int(args.n[0])
 
 print("""\033[1;32m
                                      
@@ -37,6 +39,8 @@
 	args.proxyCreds["password"] = getpass.getpass("Proxy password : ")
 
 now = datetime.datetime.now()
+mimeFiles = "mimeTypes.advanced"
+
 print("[*] starting at "+str(now.hour)+":"+str(now.minute)+":"+str(now.second))
 
 postData = postDataFromStringToJSON(args.data)
@@ -108,48 +112,60 @@
 
 
 
-extensions = loadExtensions("mime.types")
+extensions = loadExtensions(mimeFiles)
 nastyExtensions = ["php","asp"]
 
 
 ###### VALID EXTENSIONS DETECTION FOR THIS FORM ######
-logging.info("Starting detection of valid extensions ...")
+logging.info("### Starting detection of valid extensions ...")
+n = 0
 validExtensions = []
-for ext in extensions.keys() :
-	logging.info("Trying extension %s", ext)
-	with tempfile.TemporaryFile(suffix="."+ext) as fd :
-		fu = s.post(uploadURL,files={fileInput["name"]:(os.path.basename(fd.name),fd,extensions[ext])},data=postData)
-	fileUploaded = re.search(args.notRegex,fu.text)
-	if fileUploaded == None :
-		logging.info("\033[1m\033[42mExtension %s seems valid for this form.\033[m", ext)
-		validExtensions.append(ext)
-#################################################################
+for ext in extensions :
+	if n < args.n :
+		#ext = (ext,mime)
+		n += 1
+		logging.info("Trying extension %s", ext[0])
+		with tempfile.NamedTemporaryFile(suffix="."+ext[0]) as fd :
+			fu = s.post(uploadURL,files={fileInput["name"]:(os.path.basename(fd.name),fd,ext[1])},data=postData)
+		fileUploaded = re.search(args.notRegex,fu.text)
+		if fileUploaded == None :
+			logging.info("\033[1m\033[42mExtension %s seems valid for this form.\033[m", ext[0])
+			validExtensions.append(ext[0])
+	else :
+		break
+logging.info("### Tried %s extensions, %s are valid.",n,len(validExtensions))
 
+#################################################################
+logging.info("### Starting messing with file extensions and mime types...")
 #still looking for a more pythonic way to do this ...
 def techniques(legitExt,badExt,extensions) :
 	filesToTry = []
 	#filesToTry.append(("filename.extension1.extension2","mime/type"))
-	filesToTry.append(("."+legitExt+"."+badExt,extensions[legitExt]))
-	filesToTry.append(("."+legitExt+"."+badExt,extensions[badExt]))
-	filesToTry.append(("."+badExt+"."+legitExt,extensions[legitExt]))
-	filesToTry.append(("."+badExt+"."+legitExt,extensions[badExt]))
-	filesToTry.append(("."+legitExt+"%00."+badExt,extensions[legitExt]))
-	filesToTry.append(("."+legitExt+"%00."+badExt,extensions[badExt]))
-	filesToTry.append(("."+badExt+"%00."+legitExt,extensions[legitExt]))
-	filesToTry.append(("."+badExt+"%00."+legitExt,extensions[badExt]))
+	filesToTry.append(("."+legitExt+"."+badExt,getMime(extensions,legitExt)))
+	filesToTry.append(("."+legitExt+"."+badExt,getMime(extensions,badExt)))
+	filesToTry.append(("."+badExt+"."+legitExt,getMime(extensions,legitExt)))
+	filesToTry.append(("."+badExt+"."+legitExt,getMime(extensions,badExt)))
+	filesToTry.append(("."+legitExt+"%00."+badExt,getMime(extensions,legitExt)))
+	filesToTry.append(("."+legitExt+"%00."+badExt,getMime(extensions,badExt)))
+	filesToTry.append(("."+badExt+"%00."+legitExt,getMime(extensions,legitExt)))
+	filesToTry.append(("."+badExt+"%00."+legitExt,getMime(extensions,badExt)))
 
 	return filesToTry
 
 suceededAttemps = []
-for legitExt in list(set(extensions) & set(validExtensions)) :
+toutesLesExtensions = [x[0] for x in extensions]
+
+intersect = list(set(toutesLesExtensions) & set(validExtensions))
+
+for legitExt in intersect :
 	for badExt in nastyExtensions :
 		#files = [("nom.ext","mime"),("nom.ext","mime")]
 		files = techniques(legitExt,badExt,extensions)
 		for f in files :
 			fileSuffix = f[0]
 			mime = f[1]
 			filename=""
-			with tempfile.TemporaryFile(suffix=fileSuffix) as fd :
+			with tempfile.NamedTemporaryFile(suffix=fileSuffix) as fd :
 				logging.info("Trying file '%s' with mimetype '%s'.",os.path.basename(fd.name),mime)
 				fu = s.post(uploadURL,files={fileInput["name"]:(os.path.basename(fd.name),fd,mime)},data=postData)
 				filename = os.path.basename(fd.name)

mimeTypes.basic

@@ -1,103 +1,96 @@
-application/x-cbr cbr
-application/x-cdlink vcd
+image/jpeg jpeg jpg jpe
+image/x-ms-bmp bmp
+image/png png
+image/tiff tiff tif
+image/svg+xml svg svgz
+image/gif gif
+image/vnd.microsoft.icon ico
+text/plain asc txt text pot brf srt
+application/pdf pdf
+application/vnd.ms-powerpoint ppt pps
+application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
+application/vnd.oasis.opendocument.text odt
+application/vnd.ms-excel xls xlb xlt
+application/msword doc dot
+application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx
+application/vnd.openxmlformats-officedocument.wordprocessingml.document docx
+video/mpeg mpeg mpg mpe
+audio/mpeg mpga mpega mp2 mp3 m4a
+video/x-msvideo avi
+audio/mpegurl m3u
+audio/x-wav wav
+image/x-photoshop psd
+video/x-flv flv
+video/mp4 mp4
 application/x-tar tar
+application/gzip gz
+application/zip zip
+application/rar rar
+application/x-7z-compressed 7z
+application/x-iso9660-image iso
+application/java-archive jar
+text/csv csv
 application/x-rss+xml rss
 text/css css
-application/vnd.oasis.opendocument.text odt
-application/x-trash ~ % bak old sik
-application/pdf pdf
-image/gif gif
 application/x-bittorrent torrent
-video/quicktime qt mov
-application/octet-stream bin deploy msu msp
-audio/midi mid midi kar
 text/html html htm shtml
-application/x-msdos-program com exe bat dll
-video/x-msvideo avi
-image/vnd.microsoft.icon ico
 application/font-sfnt otf ttf
 application/x-msdos-program com exe bat dll
+video/quicktime qt mov
+application/x-cbr cbr
+application/x-cdlink vcd
+application/x-trash ~ % bak old sik
+application/octet-stream bin deploy msu msp
+audio/midi mid midi kar
 chemical/x-cerius cer
 application/vnd.stardivision.math sdf
 chemical/x-mdl-sdfile sd sdf
-application/zip zip
-application/vnd.openxmlformats-officedocument.presentationml.presentation pptx
 text/vcard vcf vcard
 text/x-c++src c++ cpp cxx cc
 text/x-chdr h
-video/mpeg mpeg mpg mpe
 application/vnd.google-earth.kmz kmz
 application/x-shockwave-flash swf swfl
-application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx
 application/vnd.debian.binary-package deb ddeb udeb
 application/x-debian-package deb udeb
 application/javascript js
-application/vnd.ms-excel xls xlb xlt
-text/csv csv
 application/x-stuffit sit sitx
 application/java-vm class
 application/mac-binhex40 hqx
-image/tiff tiff tif
-audio/mpeg mpga mpega mp2 mp3 m4a
 application/x-sql sql
 text/html html htm shtml
 audio/x-pn-realaudio ra rm ram
-application/rar rar
-image/png png
 text/x-perl pl pm
-application/x-iso9660-image iso
-application/gzip gz
 application/rtf rtf
-application/x-7z-compressed 7z
 text/asp asp
 application/x-httpd-php phtml pht php
 application/x-sh sh
 text/x-sh sh
-application/java-archive jar
-audio/mpegurl m3u
 audio/x-mpegurl m3u
 text/x-csrc c
 application/x-msdos-program com exe bat dll
-image/x-ms-bmp bmp
 video/3gpp 3gp
 application/vnd.android.package-archive apk
 application/x-msdos-program com exe bat dll
-text/plain asc txt text pot brf srt
 chemical/x-gamess-input inp gam gamin
-image/jpeg jpeg jpg jpe
-image/tiff tiff tif
 application/postscript ps ai eps epsi epsf eps2 eps3
 text/x-tex tex ltx sty cls
 application/font-sfnt otf ttf
-image/x-photoshop psd
 application/msaccess mdb
 video/x-ms-wmv wmv
 application/vnd.google-earth.kml+xml kml
-image/svg+xml svg svgz
 audio/x-aiff aif aiff aifc
-application/vnd.ms-powerpoint ppt pps
 chemical/x-pdb pdb ent
-application/vnd.ms-powerpoint ppt pps
-application/msword doc dot
 video/x-ms-asf asf asx
 application/pics-rules prf
-video/x-flv flv
-video/mp4 mp4
 text/x-java java
 audio/x-ms-wma wma
-application/postscript ps ai eps epsi epsf eps2 eps3
 application/x-cab cab
 application/x-apple-diskimage dmg
-audio/mpeg mpga mpega mp2 mp3 m4a
-application/vnd.openxmlformats-officedocument.wordprocessingml.document docx
 application/pgp-keys key
-text/plain asc txt text pot brf srt
 text/calendar ics icz
 application/xhtml+xml xhtml xht
 application/xml xml xsd
-application/postscript ps ai eps epsi epsf eps2 eps3
 application/vnd.wordperfect wpd
 application/x-msi msi
 application/x-redhat-package-manager rpm
 text/x-python py
-audio/x-wav wav

utils.py

@@ -65,23 +65,27 @@ def detectForms(html) :
 				returnForms.append((f,fileInputs))
 
 	return returnForms
+def getMime(extensions,ext) :
+	for e in extensions :
+		if e[0] == ext :
+			return e[1]
 
 def getResource(url) :
 	exp = re.compile("^(https?\:\/\/)((([\da-z\.-]+)\.([a-z\.]{2,6}))|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(:[0-9]+)?([\/\w \.-]*)\/?([\/\w \.-]*)\/?((\?|&).+?(=.+?)?)*$")
 	r = exp.match(url)
 	z = r.group(7).split('/')
 	return z[len(z)-1]
 
-def loadExtensions(filepath="mime.types") :
+def loadExtensions(filepath="mimeTypes.advanced") :
 	with open(filepath, "r") as fd :
-		#ext = {"jpg":"application/jpeg",...}
-		ext = {}
+		#ext = [(ext,mime)]
+		ext = []
 		for e in fd :
 			e = e[:-1]
 			ligne = e.split(" ")
 			mime = ligne[0]
 			for z in ligne[1:] :
-				ext[z] = mime
+				ext.append((z,mime))
 	return ext
 
 def addProxyCreds(initProxy,creds) :