http with multi-connect :session.connect(s.get"xxx")

Question

http with multi-connect :session.connect(s.get"xxx")

zhjygit opened this issue 2 years ago · comments

Proposal

In some blogs, session.connect for FTP is like:

session.connect(s_get("user"))
session.connect(s_get("user"), s_get("pass"))
session.connect(s_get("pass"), s_get("stor"))
session.connect(s_get("pass"), s_get("retr"))

So, maybe it is useful for FTP protocol, if i want to fuzz more after login;
However, with HTTP request，how could I connect 2 or 3 request after I login successfully？

Use-Case

No response

Anything else?

No response

CQ · Answer 1 · Fri Dec 09 2022 10:52:40 GMT+0800 (China Standard Time)

What do you mean multi-connect?

Take HTTP requests as an example, supposing you define 4 requests: login, req1, req2 and req3, you can connect them as follows.

session.connect(s_get("login"))
session.connect(s_get("login"), s_get("req1"), callback=handle_auth)
session.connect(s_get("login"), s_get("req2"), callback=handle_auth)
session.connect(s_get("login"), s_get("req3"), callback=handle_auth)

In my opinion, as for HTTP requests, these 3 requests (req1, req2, req3) have no explicit order. In addition, there might be a callback used to modify the auth cookie dynamically for next post-authenticated requests.

zhjygit · Answer 2 · Sat Dec 10 2022 12:40:03 GMT+0800 (China Standard Time)

Thank you very much. Yesterday，I have finished login and reqeust1 of boofuzz。 You are right, the cookie shoud be modified after one hours or more; Howerver, I modified the cookie manually，just beacause I don't know how to modify it by callback functionly; my cookie of dir-x1860 router contains cookieID、admin and password (MD5 maybe)、HNAP_auth and so on。 Therefore，I modified it manually with Burpsuite proxy capture. Finally, maybe it is not so important, in my opinion, the choice of request does matter, which should be analysed again and again.

CQ · Answer 3 · Sat Dec 10 2022 16:34:38 GMT+0800 (China Standard Time)

The auth information can be dynamically updated via callback automatically.

session.connect(s_get("req1"), callback=handle_auth)

Actually, the login request can be done in handle_auth callback. And in this callback, you can access all the attributes of req1 request via node parameter, also update the req1 request with values from login response.

def handle_auth(target, fuzz_data_logger, session, node, edge, *args, **kwargs):
    global cookie
    if not session.last_send or (session.last_recv and b'401 Not Authorized' in session.last_recv):
       
       # send login request and set the correct cookie with value from login response
       # ...

        # update cookie attribute in req1 request dynamically
        s_update(node.name + '.cookie', cookie)

        return node.render()

zhjygit · Answer 4 · Mon Dec 12 2022 16:04:54 GMT+0800 (China Standard Time)

My boofuzz is installed via pip;
In https://github.com/jtpereyda/boofuzz, there is no handle_auth in source code after search;
You mean that I manually added handle_auth function in session.py file ,and compile it myself？

CQ · Answer 5 · Mon Dec 12 2022 16:17:43 GMT+0800 (China Standard Time)

Yeah, the handle_auth() is the edge callback you need to implement by yourself. And the name doesn't matter, you can choose what you want.

No need to modify the session.py, you can implement it in the same file where you initialize Session().

zhjygit · Answer 6 · Mon Dec 12 2022 21:13:17 GMT+0800 (China Standard Time)

Thank you!
OK, I have added handle_auth() in my python scripy, as follows:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
from boofuzz import *

def handle_auth(target, fuzz_data_logger, session, node, edge, *args, **kwargs):
    global cookie
    if not session.last_send or (session.last_recv and b'401 Not Authorized' in session.last_recv):
       
       # send login request and set the correct cookie with value from login response
       # ...

        # update cookie attribute in req1 request dynamically
        s_update(node.name + '.cookie', cookie)

        return node.render()

def main():
    session = Session(
       target=Target(
           connection=SocketConnection("192.168.237.236", 80, proto="tcp")
       ),
    )

    s_initialize(name="login")
    #s_group("Method ", ["POST"])
    s_static("POST ")
    s_static("/HNAP1/ ")
    s_static("HTTP/1.1\r\n")
    s_static("Host: ")
    s_static("192.168.237.236\r\n")
    s_static("Content-Length: ")
    s_static("430\r\n")
    s_static("Accept: ")
    s_static("*/*\r\n")
    s_static("X-Requested-With: ")
    s_static("XMLHttpRequest\r\n")
    #s_static("\r\n")
    s_static("HNAP_AUTH: ")
    #s_static(":")
    #s_static(" ")
    s_static("6004097268C54FAB61FA79F6FD45DDC7 1670589351597\r\n")
    s_static("SOAPAction: ")
    s_static('"http://purenetworks.com/HNAP1/Login"\r\n')
    s_static("User-Agent: ")
    s_static("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\r\n")
    s_static("Content-Type: ")
    s_static("text/xml; charset=UTF-8\r\n")
    #s_static("\r\n")
    s_static("Origin: ")
    s_static("http://192.168.237.236\r\n")
    #s_static("\r\n")
    s_static("Referer: ")
    s_static("http://192.168.237.236/info/Login.html\r\n")
    s_static("Accept-Encoding: ")
    s_static("gzip, deflate\r\n")
    s_static("Accept-Language: ")
    s_static("zh-CN,zh;q=0.9,en;q=0.8\r\n") 
    s_static("Cookie")
    s_static(":")
    s_static(" ")
    s_static("uid=QWYkCuuB")
    s_static("\r\n")
    s_static("Connection")
    s_static(":")
    s_static(" ")
    s_static("close")
    s_static("\r\n")
    s_static("\r\n")
    s_static('<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><Login xmlns="http://purenetworks.com/HNAP1/"><Action>login</Action><Username>Admin</Username><LoginPassword>9DF796CEBD5CC64F0CD03FF37AF1A6CD</LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope>')


    s_initialize(name="adduser")
    #s_group("Method", ["POST"])
    with s_block("adduser-header"):
        s_static("POST ")
        s_static("/HNAP1/ ")
        s_static("HTTP/1.1\r\n")
        s_static("Host: ")
        s_static("192.168.237.236\r\n")
        s_static("Content-Length: ")
        s_size("data",output_format="ascii", fuzzable=True)
        s_static("\r\n")
        s_static("Accept: ")
        s_static("*/*")
        s_static("\r\n")
        s_static("X-Requested-With: ")
        s_static("XMLHttpRequest\r\n")
        s_static("HNAP_AUTH: ")
        s_static("6004097268C54FAB61FA79F6FD45DDC7 1670589351597\r\n")
        s_static("SOAPAction: ")
        s_string('"http://purenetworks.com/HNAP1/SetUsersSettings"')
        s_static("\r\n")
        s_static("User-Agent: ")
        s_static("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\r\n")
        s_static("HNAP_Content: ")
        s_static("B387CD05F7B9C76D10D27094FF5B813F800B995AD1C10474B6FE061E014ACEED01D378F5FAEE013D293BDC1DD64303C901D378F5FAEE013D293BDC1DD64303C9")
        s_static("\r\n")
        s_static("Content-Type: ")
        s_static("text/xml; charset=UTF-8\r\n")
        s_static("Origin: ")
        s_string("http://192.168.237.236")
        s_static("\r\n")
        s_static("Referer: ")
        s_string("http://192.168.237.236/UserAndDevice.html")
        s_static("\r\n")
        s_static("Accept-Encoding: ")
        s_static("gzip, deflate\r\n")
        s_static("Accept-Language: ")
        s_static("zh-CN,zh;q=0.9,en;q=0.8\r\n")
        s_static("Cookie: ")
        s_static("uid=QWYkCuuB")
        s_static("\r\n")
        s_static("Connection: ")
        s_static("close")
        s_static("\r\n")
        s_static("\r\n")
    with s_block('data'):
        s_static('<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><SetUsersSettings')
        s_string('xmlns="http://purenetworks.com/HNAP1/">')
        s_string("<StorageUsersLists><StorageUser><Enabled>true</Enabled><UserName>Admin</UserName><Password>A95785DFD7509D3B613F120EBE7D3B59</Password><ServiceInfoLists><ServiceInfo><Enabled>false</Enabled><ServiceName>VPN</ServiceName><AccessPath></AccessPath><Permission>true</Permission></ServiceInfo></ServiceInfoLists></StorageUser><StorageUser><Enabled>true</Enabled><UserName>123</UserName><Password>")
        s_static("07db78f5fdee0108293be01dd6b103c901d378f5faee013d293bdc1dd64303c901d378f5faee013d293bdc1dd64303c901d378f5faee013d293bdc1dd64303c9")
        s_string("</Password><ServiceInfoLists><ServiceInfo><Enabled>false</Enabled><ServiceName>VPN</ServiceName><AccessPath></AccessPath><Permission>true</Permission></ServiceInfo></ServiceInfoLists></StorageUser></StorageUsersLists></SetUsersSettings></soap:Body></soap:Envelope>")

    session.connect(s_get("login"))
    session.connect(s_get("login"), s_get("adduser"),callback=handle_auth)
    session.fuzz()

if __name__ == "__main__":
    main()

However, after running python3 xxx.py, I can not prove that handle_auth works;
At first, s_get("login") has correct cookie，one hour later，response of “login” is failed，and boofuzz is still runting with s_get("req1")，so, without handle_auth, s_get("req1") still works.

CQ · Answer 7 · Tue Dec 13 2022 10:22:30 GMT+0800 (China Standard Time)

According to your code, you did nothing in the handle_auth() callback. The handle_auth() shown is just an empty template, you should implement your actual logic to update auth information inside it. In addition, based on your login and adduser request, it seems these requests may be for some D-Link routers. These information in request headers like uid, HNAP_AUTH are all related to authentication, therefore you should update them dynamically.

At first, s_get("login") has correct cookie，one hour later，response of “login” is failed

Since you have written these parameters as fixed values, after the session timeout, it will fail of course. Similarly, you can add another edge callback to update related parameters dynamically.

and boofuzz is still runting with s_get("req1")，so, without handle_auth, s_get("req1") still works.

The edge callback handle_auth() is just used for updating authentication if necessary. Yeah, boofuzz is still running with s_get("adduser"), however the requests sent will be discarded because of "Not Authorized".

zhjygit · Answer 8 · Tue Dec 13 2022 10:58:58 GMT+0800 (China Standard Time)

Thank you so much！
Yes，my device is dir-x1860.
Actually，I have no idea how to fill the empty template to dynamically update cookie、password、hnap_auth.

CQ · Answer 9 · Tue Dec 13 2022 22:28:13 GMT+0800 (China Standard Time)

The clue is already in the handle_auth(). s_update() can be used to achieve it.

In the handle_auth() callback, you need

send a normal login request, and parse its response to get the right uid, hnap_auth and so on;
update the corresponding value defined in requests using s_update()

By the way, to get yourself farmilar with the boofuzz, in my opinion, try to debug it is always a good choice. With debugging, you can find which functions or attributes are available, and know what you can do with them.

zhjygit · Answer 10 · Wed Dec 14 2022 08:23:13 GMT+0800 (China Standard Time)

Thank you!

Maximilian Lindner · Answer 11 · Thu Oct 05 2023 04:59:07 GMT+0800 (China Standard Time)

Thanks for the support @cq674350529!

Closing for now.