
Adding templates and test cases

almandin edited this page Aug 20, 2017 · 1 revision

Templates

Config file : templates.json

Templates can be seen as payloads. A template represents a file that we want to upload to the remote server we are attacking.

A template is made of the following pieces of information :

{
	"templateName" : "a one-word name",
	"description" : "a simple description to put in the help message (-h switch)",
	"filename":"the name of the file to use for this template",
	"nastyExt":"the real extension of the file to use",
	"codeExecRegex":"a code execution detection regex, matching the output of the file when executed",
	"extVariants": ["a","list","of","possible","variants","of","the","original","file","extension"]
}

One template used by default by fuxploider is the following :

{
	"templateName" : "phpinfo",
	"description" : "Basic php file (plain text) with simple call to phpinfo().",
	"filename":"template.php",
	"nastyExt":"php",
	"codeExecRegex":"\\<title\\>phpinfo\\(\\)\\<\\/title\\>(.|\n)*\\<h2\\>PHP License\\<\\/h2\\>",
	"extVariants":["php1","php2","php3","php4","php5","phtml","pht","Php","PhP","pHp","pHp1","pHP2","pHtMl","PHp5"]
}
  • templateName : The name of the template. This name will be used with the -t,--template argument, and will be displayed in the help message of fuxploider
  • description : A short description that will be displayed in the help message of fuxploider
  • filename : The name of the file we want to upload to the remote server. This file must be present in the configured payloads folder.
  • nastyExt : The real extension of the payload file
  • codeExecRegex : A valid regular expression matching the output of the file we want to upload. For example, if our payload is expected to print "hacked", the regular expression must match this string. This can be more complicated (for instance, the default php template matches the output of a phpinfo() call).
  • extVariants : A list of different extensions that can be used instead of the real one while the server still treats the file the same way. These variants will be used to bypass server-side whitelisting and blacklisting of extensions.

Techniques

Config file : techniques.json

For each template configured, a list of different techniques will be tried to get the template file uploaded and executed. These test cases are combinations of different mime types and tampered/false file extensions. Each technique will be tested for each template and for each extension that is accepted by the server (either detected previously or configured at the command line).

{"suffix":".$nastyExt$","mime":"nasty"}

The previous json text is the description of a technique as written in techniques.json. Techniques are made of two parts :

  • A suffix : Text to put after the randomly generated name of the uploaded file (the extension(s)). In the suffix field, two variables can be used : $legitExt$ will be replaced by a valid extension that the server expects, and $nastyExt$ will be replaced by the tampered extension currently in use for the technique being tried.
  • A mime type : The mime type to send along with the file upload. This can be either the expected one (legit) or the tampered one (nasty).

The final algorithm for fuxploider to run techniques is the following :

for each template, as T :
    for each valid extension, as legitExt :
        for each nasty extension variant, as nastyExt :
            compute techniques, for this template, using this legitExt and this actual variant of the nasty extension
        run techniques

A more advanced example is the following :

{"suffix":".$legitExt$%00.$nastyExt$","mime":"legit"}

Given that the server accepts jpeg files, and using a basic template made of a simple php file (a .php file), the previous technique will generate file names ending in .jpeg%00.php, .jpeg%00.php2, .jpeg%00.pHP, .jpeg%00.phtml, etc., sent along with the mime type image/jpeg.
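The following is an added example, not code from the fuxploider project. It writes out the nested loop described above in Python, using the phpinfo template and the two techniques shown on this page, and then runs the generated test cases through two upload filters: a weak one of the kind these techniques are designed to pass, and a strict one that rejects every generated name. It also applies the template's codeExecRegex to a constructed response body, which is how a template's "code executed" check works. The basename "upload", the extension-to-mime table and the mime type used for the "nasty" case are assumptions (fuxploider picks a random name and has its own mime handling).

```python
import re

# Template copied from this page (description omitted). Basename below is constructed;
# fuxploider generates a random one.
TEMPLATE = {
    "templateName": "phpinfo",
    "filename": "template.php",
    "nastyExt": "php",
    "codeExecRegex": r"\<title\>phpinfo\(\)\<\/title\>(.|\n)*\<h2\>PHP License\<\/h2\>",
    "extVariants": ["php1", "php2", "php3", "php4", "php5", "phtml", "pht",
                    "Php", "PhP", "pHp", "pHp1", "pHP2", "pHtMl", "PHp5"],
}

# The two techniques shown on this page.
TECHNIQUES = [
    {"suffix": ".$nastyExt$", "mime": "nasty"},
    {"suffix": ".$legitExt$%00.$nastyExt$", "mime": "legit"},
]

# Assumed extension-to-mime mapping; the page does not define one.
MIME_BY_EXT = {"jpeg": "image/jpeg", "jpg": "image/jpeg", "png": "image/png",
               "php": "application/x-php"}


def expand_techniques(template, legit_exts, techniques, basename="upload"):
    """Produce the (filename, mime) test cases the page's nested loops describe:
    for each legit extension, for each nasty variant, substitute both into every
    technique's suffix and pick the declared mime type."""
    cases = []
    nasty_exts = [template["nastyExt"]] + template["extVariants"]
    for legit_ext in legit_exts:
        for nasty_ext in nasty_exts:
            for tech in techniques:
                suffix = (tech["suffix"]
                          .replace("$legitExt$", legit_ext)
                          .replace("$nastyExt$", nasty_ext))
                if tech["mime"] == "legit":
                    mime = MIME_BY_EXT[legit_ext]
                else:  # "nasty": mime of the real payload type (assumed value)
                    mime = MIME_BY_EXT.get(template["nastyExt"], "application/octet-stream")
                cases.append((basename + suffix, mime))
    return cases


def naive_filter(filename, mime, allowed=("jpeg", "jpg", "png")):
    """Weak server-side check: trusts the client-declared mime type and only
    looks for an allowed extension somewhere in the name."""
    return mime.startswith("image/") or any("." + ext in filename for ext in allowed)


def strict_filter(filename, mime, allowed=("jpeg", "jpg", "png")):
    """Strict check: the declared mime type is ignored, null bytes (raw or
    percent-encoded) are rejected, and the name must have exactly one
    extension whose lowercased form is on the allowlist."""
    if "\x00" in filename or "%00" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in allowed


def count_passing(filter_fn, cases):
    """How many generated test cases a filter would let through."""
    return sum(1 for name, mime in cases if filter_fn(name, mime))


def code_exec_detected(body, template=TEMPLATE):
    """Apply the template's codeExecRegex to a response body."""
    return re.search(template["codeExecRegex"], body) is not None


if __name__ == "__main__":
    cases = expand_techniques(TEMPLATE, ["jpeg"], TECHNIQUES)
    print(len(cases), "test cases, e.g.", cases[1])
    print("naive filter accepts", count_passing(naive_filter, cases))
    print("strict filter accepts", count_passing(strict_filter, cases))
    # Constructed response body resembling phpinfo() output.
    print(code_exec_detected("<html><title>phpinfo()</title>\n<h2>PHP License</h2></html>"))
```

With the server accepting only jpeg, the 15 nasty extensions (the real one plus 14 variants) and two techniques give 30 cases. The naive filter lets all 15 cases of the second technique through because it trusts the image/jpeg mime type, while the strict filter rejects every case: the extension allowlist is applied to the single, lowercased final extension, so the case variants and the %00-separated double extension never match.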
