Project author: telekom-security

Project description:
Human and machine readable web vulnerability testing format
Language: Python
Project address: git://github.com/telekom-security/explo.git
Created: 2015-11-17T12:24:47Z
Project community: https://github.com/telekom-security/explo

License: GNU General Public License v3.0

explo

explo is a simple tool to describe web security issues in a human and machine readable format.
By defining a request/condition workflow, explo is able to exploit security issues without the
need to write a script. This makes it possible to share complex vulnerabilities in a simple, readable and executable format.

Example for extracting a csrf token and using this in a form:

    name: get_csrf
    description: extract csrf token
    module: http
    parameter:
        url: http://example.com/contact
        method: GET
        headers:
            user-agent: Mozilla/5.0
        extract:
            csrf: [CSS, "#csrf"]
    ---
    name: exploit
    description: exploits sql injection vulnerability with valid csrf token
    module: http
    parameter:
        url: http://example.com/contact
        method: POST
        body:
            csrf: "{{get_csrf.extracted.csrf}}"
            username: "' SQL INJECTION"
        find: You have an error in your SQL syntax


In this example definition file the security issue is tested by executing two steps, which are run from top to bottom. The first step fetches the form and extracts the CSRF token; the second step reuses that token. The last step returns success or failure depending on whether the string ‘You have an error in your SQL syntax’ is found in the response.
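To make the step semantics concrete, here is an added example (not explo's own code) of a minimal interpreter for the request/condition workflow described above: steps run top to bottom, each step's response and extracted values are stored under the step name, {{step.extracted.name}} references are resolved from earlier steps, and the first failing condition stops the workflow. Instead of a live site it talks to a constructed in-memory server, once in a vulnerable form (the database error is reflected) and once in a fixed form (parameterised query, nothing leaks), so the same testcase passes against the first and fails against the second. The step names, URLs and token value are constructed; the CSS extractor assumes that a selector of the form #id yields that element's value attribute, which is how the csrf example reads (explo itself uses an HTML parser library for this).

```python
# Added example (not explo's own code): a minimal interpreter for the request/condition
# workflow, run against a constructed in-memory server so it works offline.
import re
from html.parser import HTMLParser

class _IdValueFinder(HTMLParser):
    """Find the 'value' attribute of the element with a given id. Assumption:
    a CSS selector '#id' yields that attribute, which is how the csrf example reads."""
    def __init__(self, wanted_id):
        super().__init__()
        self.wanted_id, self.value = wanted_id, None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get("id") == self.wanted_id and self.value is None:
            self.value = attrs.get("value")

def extract_values(body, extract_spec):
    """Apply an 'extract' block: [CSS, '#id'] or [REGEX, 'pattern with (?P<extract>...)']."""
    out = {}
    for name, (kind, arg) in extract_spec.items():
        if kind == "CSS" and arg.startswith("#"):
            finder = _IdValueFinder(arg[1:])
            finder.feed(body)
            out[name] = finder.value
        else:  # REGEX: the named group 'extract' marks the value to keep
            match = re.search(arg, body)
            out[name] = match.group("extract") if match else None
    return out

def render(value, context):
    """Replace {{step.extracted.name}} references with values from earlier steps."""
    def lookup(match):
        node = context
        for part in match.group(1).split("."):
            node = node[part]
        return str(node)
    if isinstance(value, str):
        return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", lookup, value)
    if isinstance(value, dict):
        return {k: render(v, context) for k, v in value.items()}
    return value

def step_passes(params, response):
    """Evaluate the http module's conditions on one response."""
    if params.get("expect_response_code", response["status"]) != response["status"]:
        return False
    if "find" in params and params["find"] not in response["body"]:
        return False
    if "find_regex" in params and not re.search(params["find_regex"], response["body"]):
        return False
    return True

def run_workflow(steps, transport):
    """Run steps top to bottom; the first failing step stops the whole workflow."""
    context = {}
    for step in steps:
        if step.get("module") != "http":
            continue  # metadata and other modules are out of scope here
        params = render(step["parameter"], context)
        response = transport(params["method"], params["url"],
                             params.get("headers", {}), params.get("body", {}))
        context[step["name"]] = {
            "response": {"content": response["body"], "cookies": response["cookies"]},
            "extracted": extract_values(response["body"], params.get("extract", {})),
        }
        if not step_passes(params, response):
            return False
    return True

EXAMPLE_STEPS = [  # the two-step testcase above, as a YAML loader would return it
    {"name": "get_csrf", "module": "http", "parameter": {
        "url": "http://example.com/contact", "method": "GET",
        "headers": {"user-agent": "Mozilla/5.0"},
        "extract": {"csrf": ["CSS", "#csrf"]}}},
    {"name": "exploit", "module": "http", "parameter": {
        "url": "http://example.com/contact", "method": "POST",
        "body": {"csrf": "{{get_csrf.extracted.csrf}}", "username": "' SQL INJECTION"},
        "find": "You have an error in your SQL syntax"}},
]
TOKEN = "constructed-csrf-token"  # constructed value, not from any real site

def vulnerable_server(method, url, headers, body):
    """Constructed stand-in for a site that leaks the database error message."""
    blank = {"headers": {}, "cookies": {}}
    if method == "GET":
        return dict(blank, status=200,
                    body='<form><input id="csrf" type="hidden" value="%s"></form>' % TOKEN)
    if body.get("csrf") != TOKEN:
        return dict(blank, status=403, body="bad csrf token")
    if "'" in body.get("username", ""):
        return dict(blank, status=500, body="You have an error in your SQL syntax; check the manual")
    return dict(blank, status=200, body="ok")

def fixed_server(method, url, headers, body):
    """The same site after the query is parameterised: the quote is harmless, nothing leaks."""
    response = vulnerable_server(method, url, headers, body)
    return dict(response, status=200, body="ok") if response["status"] == 500 else response
```

run_workflow(EXAMPLE_STEPS, vulnerable_server) returns True and run_workflow(EXAMPLE_STEPS, fixed_server) returns False, which is exactly the regression check a testcase like this gives a defender: rerun it after the fix and expect failure. The transport is a plain callable so a real HTTP client can be dropped in without touching the workflow logic.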

Installation

Install via PyPI

    pip install explo

Install via source

    git clone https://github.com/dtag-dev-sec/explo
    cd explo
    python setup.py install

Usage

    explo [--verbose|-v] testcase.yaml
    explo [--verbose|-v] examples/*.yaml

There are a few example testcases in the examples/ folder.

    $ explo examples/SQLI_simple_testphp.vulnweb.com.yaml

You can also use explo as a Python library:

    from explo.core import from_content as explo_from_content
    from explo.core import ExploException, ProxyException

    # explo_yaml_file holds the text of a testcase .yaml file (read it from disk first)
    def save_log(msg):
        print(msg)

    try:
        result = explo_from_content(explo_yaml_file, save_log)
    except ExploException as err:
        print(err)

Options

An HTTP/HTTPS proxy and a timeout for requests can be set via environment variables. The default timeout is 15 seconds.

    $ export http_proxy=http://proxy:8089
    $ export https_proxy=https://proxy:8090
    $ export timeout=10
    $ explo ...

Modules

Modules can be added to improve functionality and classes of security issues.

http (basic)

The http module makes an HTTP request, extracts content from the response and searches/verifies that content.

The following data is made available to subsequent steps:

  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies
  • extracted content: stepname.extracted.variable_name

If a find_regex parameter is set, a regular expression match is executed on the response body (find does the same with a plain string). If the match fails, the module returns a failure, which stops execution of the current workflow (including all remaining steps).

When extracting by regular expression, use a named match group called extract, i.e. (?P<extract>...), to mark the value to extract (see the example below).

To reference cookies, give the name of the previous step whose cookies should be used (cookies: the_other_step.response.cookies).

Parameter examples:

    parameter:
        url: http://example.com
        method: GET
        allow_redirects: True
        headers:
            User-Agent: explo
            Content-Type: abc
        cookies: stepname.response.cookies
        body:
            key: value
        find: search for string
        find_regex: search for (reg|ular)expression
        find_in_headers: searchstring in headers
        expect_response_code: 200
        extract:
            variable1: [CSS, '#csrf']
            variable2: [REGEX, '<input(.*?)value="(?P<extract>.*?)"']

http_header

The http_header module checks whether a response is missing a specified set of headers (and values). All other parameters are identical to the http module.

The following data is made available for other modules:

  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies

Parameter examples:

    parameter:
        url: http://example.com
        method: GET
        allow_redirects: True
        headers:
            User-Agent: explo
            Content-Type: abc
        body:
            key: value
        headers_required:
            X-XSS-Protection: 1
            Server: . # all values are valid
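The headers_required check above, as an added example that is not explo's own code, applied to constructed response headers. It assumes that header names are compared case-insensitively (HTTP header names are) and that the required value is a regular expression searched for in the header value, which is why "Server: ." accepts any value; the str() call handles YAML loading a bare 1 as an integer.

```python
# Added example (not explo's own code): the check the http_header module describes.
# Assumptions: case-insensitive header names, required values are regular expressions
# searched for in the actual value (so '.' accepts any non-empty value).
import re

def missing_headers(response_headers, headers_required):
    """Return the required headers that are absent or whose value does not match."""
    present = {name.lower(): value for name, value in response_headers.items()}
    missing = []
    for name, pattern in headers_required.items():
        value = present.get(name.lower())
        if value is None or not re.search(str(pattern), value):
            missing.append(name)
    return missing

# Constructed response headers of a site that sets none of the protective headers
SAMPLE_RESPONSE_HEADERS = {"Server": "nginx", "content-type": "text/html"}
SAMPLE_REQUIRED = {"X-XSS-Protection": "1", "Server": ".", "X-Frame-Options": "DENY"}

def check_sample():
    """The header step succeeds only when nothing is missing."""
    missing = missing_headers(SAMPLE_RESPONSE_HEADERS, SAMPLE_REQUIRED)
    return {"missing": missing, "passed": not missing}
```

For the constructed headers the step fails with X-XSS-Protection and X-Frame-Options reported missing, while Server is accepted because "." matches any value. Run against a hardened deployment that sends all three, the same testcase passes, so it doubles as a regression check for security-header configuration.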

sqli_blind

The sqli_blind module is able to identify time-based blind SQL injections.

The following data is made available for other modules:

  • the http response body: stepname.response.content
  • the http response cookies: stepname.response.cookies

Parameter examples:

    parameter:
        url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--
        method: GET
        delay_seconds: 5

If the response takes longer than the threshold of 5 seconds (delay_seconds), the check returns true and the step counts as a success.

metadata

The metadata block is a special block which can be added as the first block in a .yaml file to attach metadata to a vulnerability for further processing. This becomes useful when explo is used as a library: the metadata of each vulnerability description can then be read with meta_from_content(content). This module does not need a name or description.

Examples:

    module: metadata
    parameter:
        cvss: 8.9
        author: Robin Verton
    ---
    name: login
    description: login with test credentials
    module: http
    parameter:
        url: http://testphp.vulnweb.com/userinfo.php
        method: POST
        body:
            uname: test
            pass: test