minor tweaks to config object

Author: phikshun

lib/ufuzz/command_line.rb

@@ -59,12 +59,6 @@ def parse_options(cmd_line)
       opts.on('--reverse-log', 'Fuzz proxy log in reverse order') do
         options[:reverse_log] = true
       end
-    
-      opts.on('--encoding STR', 'Encodings to use for fuzzing wordlists (default url, optional b64,hex)') do |o|
-        options[:fuzz_encoding] = o.split(',').inject({}) do |r,e|
-          r[e.downcase.strip.to_sym] = true; r
-        end
-      end
 
       opts.on('-v', '--verbose NUM', 'Enabled verbose output, from 0 (fail) to 4 (trace), default 2 (info)') do |v|
         options[:verbose] = v.to_i

lib/ufuzz/config.rb

@@ -17,11 +17,17 @@ def default_options
         :chunk_size       => UFuzz::DEFAULT_CHUNK_SIZE,
         :retry_limit      => UFuzz::DEFAULT_RETRY_LIMIT,
         :traversal_match  => UFuzz::DEFAULT_TRAVERSAL_MATCH,
-        :extra_param      => 't',
-        :csrf_token_regex => /csrfmiddlewaretoken/,
+        :csrf_token_regex => nil,
         :detect_delay     => 5,
-        #:fuzz_encoding    => { :url => true },
-        :thread_count     => 1
+        :thread_count     => 1,
+        :encoders         => [ proc { |f| f.to_s }, proc { |f| f.to_s.urlenc } ],
+        :extra_param      => { 't' => '1' },
+        :fuzzable_headers => {
+            'Host'          => 'localhost',
+            'Cookie'        => '0',
+            'User-Agent'    => 'Mozilla',
+            'Referer'       => 'localhost'
+          },
       }
     end
 

lib/ufuzz/http/fuzzer.rb

@@ -73,13 +73,13 @@ def new_session
   end
 
   def header_fuzzer
-    headers = partial_http_request_headers.merge(@request.headers)
+    headers = @config.fuzzable_headers.merge(@request.headers)
     headers = headers.merge({ 'User-Agent' => 'Mozilla/5.0' }) # speed fix
 
-    partial_http_request_headers.each_key do |header|
+    @config.fuzzable_headers.each_key do |header|
       value = headers[header]
       t = Tokenizer.new(value)
-      t.fuzz_each_token(testcase, encoder: [ proc { |f| f.to_s.urlenc } ]) do |fuzz_header, i, fuzz|
+      t.fuzz_each_token(testcase) do |fuzz_header, i, fuzz|
         req = Request.new(@request.to_s)
         req.set_header(header, fuzz_header)
         do_fuzz_case(req, i, fuzz)
@@ -95,27 +95,10 @@ def header_fuzzer
     end
   end
 
-  def default_fuzz_headers
-    {
-      'Cookie' => 'A=1',
-      'Referer' => 'http://www.example.com',
-      'User-Agent' => 'Mozilla/5.0',
-    }
-  end
-  
-  def partial_http_request_headers
-    {
-      'Host'   => 'localhost',
-      'Cookie' => '0',
-      'User-Agent' => 'Mozilla',
-      'Referer' => 'localhost'
-    }
-  end
-  
   def param_fuzzer
     @request.url_variables.each_pair do |k,v|
       t = Tokenizer.new(v)
-      t.fuzz_each_token(testcase, encoder: [ proc { |f| f.to_s.urlenc } ]) do |fuzz_param, i, fuzz|
+      t.fuzz_each_token(testcase) do |fuzz_param, i, fuzz|
         req = Request.new(@request.to_s)
         req.query_string = @request.url_variables.merge({k => fuzz_param})
         do_fuzz_case(req, i, fuzz)
@@ -125,35 +108,39 @@ def param_fuzzer
     @request.url_variables.each_pair do |k,v|
       testcase.rewind
       while(testcase.next?)
-        req = Request.new(@request.to_s)
         fuzz = testcase.next
-        req.query_string = @request.url_variables.merge({k => fuzz.to_s.urlenc})
-        do_fuzz_case(req, req.first_line.index(fuzz.to_s.urlenc), fuzz)
+        @config.encoders.each do |encoder|
+          encoded_fuzz = encoder.call(fuzz)
+          req = Request.new(@request.to_s)
+          req.query_string = @request.url_variables.merge({k => encoded_fuzz})
+          do_fuzz_case(req, req.first_line.index(encoded_fuzz), fuzz)
+        end
       end
     end
 
-    extra_param.each_pair do |k,v|
-      t = Tokenizer.new(v)
-      t.fuzz_each_token(testcase, encoder: [ proc { |f| f.to_s.urlenc } ]) do |fuzz_param, i, fuzz|
-        req = Request.new(@request.to_s)
-        req.query_string = @request.url_variables.merge({k => fuzz_param})
-        do_fuzz_case(req, i, fuzz)
+    if @config.extra_param
+      @config.extra_param.each_pair do |k,v|
+        t = Tokenizer.new(v)
+        t.fuzz_each_token(testcase) do |fuzz_param, i, fuzz|
+          req = Request.new(@request.to_s)
+          req.query_string = @request.url_variables.merge({k => fuzz_param})
+          do_fuzz_case(req, i, fuzz)
+        end
       end
     end
 
     testcase.rewind
     while(testcase.next?)
-      req = Request.new(@request.to_s)
       fuzz = testcase.next
-      req.query_string = @request.url_variables.merge({fuzz.to_s.urlenc => '1'})
-      do_fuzz_case(req, req.first_line.index(fuzz.to_s.urlenc), fuzz)
+      @config.encoders.each do |encoder|
+        encoded_fuzz = encoder.call(fuzz)
+        req = Request.new(@request.to_s)
+        req.query_string = @request.url_variables.merge({encoded_fuzz => '1'})
+        do_fuzz_case(req, req.first_line.index(encoded_fuzz), fuzz)
+      end
     end
   end
 
-  def extra_param
-    {'t' => '1'}
-  end
-  
   def post_fuzzer
     if @request.post?
       if @config.soap
@@ -165,9 +152,9 @@ def post_fuzzer
         end
       else
         @request.body_variables.each_pair do |k,v|
-          #next if @config.csrf_token_regex && k =~ @config.csrf_token_regex
+          next if @config.csrf_token_regex && k =~ @config.csrf_token_regex
           t = Tokenizer.new(v)
-          t.fuzz_each_token(testcase, encoder: [ proc { |f| f.to_s.urlenc } ]) do |fuzz_var, i, fuzz|
+          t.fuzz_each_token(testcase) do |fuzz_var, i, fuzz|
             req = Request.new(@request.to_s)
             req.body = req.body_variables.merge({k => fuzz_var})
             do_fuzz_case(req, i, fuzz)
@@ -177,19 +164,25 @@ def post_fuzzer
         @request.body_variables.each_pair do |k,v|
           testcase.rewind
           while(testcase.next?)
-            req = Request.new(@request.to_s)
             fuzz = testcase.next
-            req.body = @request.body_variables.merge({k => fuzz.to_s.urlenc})
-            do_fuzz_case(req, req.first_line.index(fuzz.to_s.urlenc), fuzz)
+            @config.encoders.each do |encoder|
+              encoded_fuzz = encoder.call(fuzz)
+              req = Request.new(@request.to_s)
+              req.body = @request.body_variables.merge({k => encoded_fuzz})
+              do_fuzz_case(req, req.first_line.index(encoded_fuzz), fuzz)
+            end
           end
         end
 
         testcase.rewind
         while(testcase.next?)
-          req  = Request.new(@request.to_s)
           fuzz = testcase.next
-          req.body = req.body_variables.merge({fuzz.to_s.urlenc => '1'})
-          do_fuzz_case(req, req.body.index(fuzz.to_s.urlenc), fuzz)
+          @config.encoders.each do |encoder|
+            encoded_fuzz = encoder.call(fuzz)
+            req = Request.new(@request.to_s)
+            req.body = req.body_variables.merge({encoded_fuzz => '1'})
+            do_fuzz_case(req, req.body.index(encoded_fuzz), fuzz)
+          end
         end
       end
     end
@@ -206,7 +199,7 @@ def rest_fuzzer
 
   def token_fuzzer
     t = Tokenizer.new(request.to_s)
-    t.fuzz_each_token(testcase, encoder: [ proc { |f| f.to_s.urlenc } ]) do |r, i, f|
+    t.fuzz_each_token(testcase) do |r, i, f|
       do_fuzz_case(Request.new(r).update_content_length, i, f)
     end
   end

lib/ufuzz/testcase/cmd_test.rb

@@ -15,7 +15,7 @@ def threadable?
 
   def test(content)
     delay = Time.now.to_f - @time
-    if content && content.to_s.length > 20 && delay > 5.0
+    if content && content.to_s.length > 20 && delay > Config.instance.detect_delay
       Fault.new('cmd injection', "possible cmd injection - #{@current.inspect}: delay #{delay}")
     else
       nil

lib/ufuzz/testcase/path_test.rb

@@ -14,7 +14,7 @@ def threadable?
   end
 
   def test(content)
-    [/xterm/, /root:/].each do |regex|
+    Config.instance.traversal_match.each do |regex|
       if content.to_s =~ regex
         return Fault.new('path traversal', "possible path traversal - #{@current.inspect}: found #{regex.inspect}")
       end

lib/ufuzz/testcase/sqli_test.rb

@@ -15,7 +15,7 @@ def threadable?
 
   def test(content)
     delay = Time.now.to_f - @time
-    if delay >= 5
+    if delay >= Config.instance.detect_delay
       Fault.new('sql injection', "possible sql injection - #{@current.inspect}: delay #{delay}")
     else
       nil

lib/ufuzz/testcase/xxe_test.rb

@@ -14,7 +14,7 @@ def threadable?
   end
 
   def test(content)
-    [/xterm/, /root:/].each do |regex|
+    Config.instance.traversal_match.each do |regex|
       if content.to_s =~ regex
         return Fault.new('xml external entity injection', "possible xxe injection - #{@current.inspect}: found #{regex.inspect}")
       end

lib/ufuzz/tokenizer.rb

@@ -42,10 +42,7 @@ def to_s
   end
 
   def fuzz_positions(tok, i, fuzz, opts)
-    encoder = [ proc { |a| a.to_s } ]
-    encoder += opts[:encoder] if opts[:encoder]
-      
-    encoder.each do |encode|
+    Config.instance.encoders.each do |encode|
       fuzz_val = encode.call(fuzz)
       ["#{fuzz_val}", "#{tok}#{fuzz_val}", "#{fuzz_val}#{tok}"].each do |f|
         t    = @tokens.dup

modules/generic/config.rb

@@ -4,7 +4,9 @@ def options
       platform:     'Generic',
       use_ssl:      false,
       use_session:  false,
-      #skip_urls:    /firmwareupdate1|UpdateWeeklyCalendar/, 
+      encoders:     [ proc { |f| f.to_s } ],
+      #skip_urls:   /firmwareupdate1|UpdateWeeklyCalendar|ChangeFriendlyName/,
+      #delay:       1, 
     }
   end
 end