Fuzzing with Python with pywebfuzz

pywebfuzz is a Python module that assists in the identification of vulnerabilities in web applications through brute-force methods, and provides resources for testing vulnerabilities in servers and web applications such as Apache HTTP Server, JBoss, and databases.

One of the objectives of the project is to facilitate the testing of web applications. The pywebfuzz project provides values and logic to test users, passwords, and codes against web applications.

In Python, the pywebfuzz module gives us a set of classes that provide access to the FuzzDB directories and let us use their payloads. The class structure in pywebfuzz is organized by attack scheme; these schemes represent the different payloads available in FuzzDB.

It has a class structure that is responsible for reading the files available in FuzzDB, so that later, we can use them from Python in our scripts.

First, we need to import the fuzzdb module:

from pywebfuzz import fuzzdb

For example, if we want to search for login pages on a server we can use the fuzzdb.Discovery.PredictableRes.Logins module:

logins = fuzzdb.Discovery.PredictableRes.Logins

This returns a list of predictable resources, where each element corresponds to a URL path that, if it exists on the web server, may be vulnerable:

We can write a Python script where, given a URL that we are analyzing, we test the connection to each of the login routes; if the request returns status code 200, the page has been found on the server.

In this script, we can obtain predictable URLs, such as login, admin, administrator, and default page, and for each combination domain + predictable URL we verify the status code returned.

You can find the following code in the demofuzzdb.py file inside pywebfuzz_folder:

from pywebfuzz import fuzzdb
import requests

# Predictable login resources from FuzzDB (each entry is a path such as /admin/login)
logins = fuzzdb.Discovery.PredictableRes.Logins
domain = "http://testphp.vulnweb.com"

for login in logins:
    print("Testing... " + domain + login)
    response = requests.get(domain + login)
    # A 200 status code means the resource exists on the server
    if response.status_code == 200:
        print("Login Resource detected: " + login)

You can also obtain the HTTP methods supported by the server:

httpMethods = fuzzdb.attack_payloads.http_protocol.http_protocol_methods

The output of the previous command in the Python interpreter shows the available HTTP methods:

You can find the following code in the demofuzzdb2.py file inside pywebfuzz_folder:

from pywebfuzz import fuzzdb
import requests

# HTTP method names from FuzzDB (GET, POST, PUT, DELETE, TRACE, ...)
httpMethods = fuzzdb.attack_payloads.http_protocol.http_protocol_methods
domain = "http://www.google.com"

for method in httpMethods:
    print("Testing... " + method + " " + domain)
    # Send the request using the method under test; requests.get() would always send GET
    response = requests.request(method, domain)
    # A 4xx/5xx status (e.g. 405 Method Not Allowed, 501 Not Implemented) means it is rejected
    if response.status_code not in range(400, 600):
        print(" Method Allowed: " + method)

There is a module that allows you to search for predictable resources on an Apache Tomcat server:

tomcat = fuzzdb.Discovery.PredictableRes.ApacheTomcat

This submodule allows you to obtain strings to detect SQL injection vulnerabilities:

fuzzdb.attack_payloads.sql_injection.detect.GenericBlind

In this screen capture, we can see the execution of the fuzzdb sql_injection module:

The information returned in this case matches what is found in the project's GitHub repository: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/sql-injection/detect contains many files for detecting SQL injection; for example, the GenericBlind.txt file contains the same strings that the module returns from Python.

In the GitHub repository, we see several files, depending on the SQL attack type and the database we are testing:

We can also find other files for testing SQL injection in MySQL databases: https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/sql-injection/detect/MySQL.txt.

In the MySQL.txt file, we can see all the available attack vectors for discovering an SQL injection vulnerability:

We can use the previous file to detect an SQL injection vulnerability in a specific site: testphp.vulnweb.com.

You can find the following code in the demofuzz_sql.py file inside pywebfuzz_folder:

from pywebfuzz import fuzzdb
import requests

# MySQL detection strings from FuzzDB (attack/sql-injection/detect/MySQL.txt)
mysql_attacks = fuzzdb.attack_payloads.sql_injection.detect.MySQL

domain = "http://testphp.vulnweb.com/listproducts.php?cat="

for attack in mysql_attacks:
    print("Testing... " + domain + attack)
    response = requests.get(domain + attack)
    # A MySQL error message in the response suggests the parameter reaches the query unescaped
    if "mysql" in response.text.lower():
        print("Injectable MySQL detected")
        print("Attack string: " + attack)

The execution of the previous script shows the output:

The following example would create a Python list that contains all of the values from fuzzdb for LDAP Injection:

from pywebfuzz import fuzzdb
ldap_values = fuzzdb.attack_payloads.ldap.ldap_injection

Now the ldap_values variable is a Python list containing the values from fuzzdb's ldap_injection file. You can then iterate over this variable in your tests.

We can find the ldap folder inside the fuzzdb project: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/ldap.
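As an added defender-side example (not code from the book or from pywebfuzz), the following script turns the two FuzzDB lists used by the login-discovery and SQL injection scripts above, predictable login resources and MySQL detection strings, into detection logic over web server access logs: it flags clients that walk the Logins list or send MySQL probe strings. The wordlists and log lines are constructed stand-ins, and the parser assumes Combined Log Format.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed stand-ins for two FuzzDB wordlists (assumed shape: plain lists of strings,
# as fuzzdb.Discovery.PredictableRes.Logins and ...sql_injection.detect.MySQL expose them)
PREDICTABLE_LOGINS = ["/admin/login", "/administrator", "/login", "/wp-login.php"]
MYSQL_DETECT = ["' OR 1=1--", "' AND 1=1--", '" OR ""="', "1 AND sleep(5)"]

# Combined Log Format: client ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Tag a request target that is a predictable login path or carries a MySQL probe string."""
    tags = set()
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")   # "/login/" and "/login" are the same resource
    query = unquote(parts.query).lower()     # probe strings arrive URL-encoded in the log
    if path in PREDICTABLE_LOGINS:
        tags.add("predictable_login")
    if any(s.lower() in query for s in MYSQL_DETECT):
        tags.add("mysql_probe")
    return tags

def find_fuzzing_clients(log_lines, threshold=3):
    """Count probe-like requests per client IP; return clients at or above threshold."""
    hits = defaultdict(lambda: {"predictable_login": 0, "mysql_probe": 0, "not_found": 0})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # skip malformed lines instead of crashing
        tags = classify_request(m["target"])
        for tag in tags:
            hits[m["ip"]][tag] += 1
        if tags and m["status"] == "404":     # guessed resource that does not exist here
            hits[m["ip"]]["not_found"] += 1
    return {ip: c for ip, c in hits.items()
            if c["predictable_login"] + c["mysql_probe"] >= threshold}

# Constructed sample access log: one client walking the Logins list and sending a
# MySQL detect string, one ordinary client that only logs in.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/login HTTP/1.1" 404 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /administrator HTTP/1.1" 404 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /login/ HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /listproducts.php?cat=1%27%20OR%201%3D1-- HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Oct/2023:14:01:05 +0000] "POST /login HTTP/1.1" 302 0',
]
```

Running find_fuzzing_clients(SAMPLE_LOG) returns only 203.0.113.5, with three predictable-login hits, one MySQL probe and two 404s; the ordinary client's single /login request stays below the threshold.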
