Minor improvements for memcached injection andresriancho#4406 , tests can now be run at CI using docker compose + memcached docker image

Author: andresriancho

w3af/plugins/audit/memcachei.py

@@ -25,23 +25,23 @@
 
 from w3af.core.controllers.plugins.audit_plugin import AuditPlugin
 from w3af.core.controllers.misc.fuzzy_string_cmp import fuzzy_equal
-from w3af.core.controllers.misc.fuzzy_string_cmp import fuzzy_not_equal
 from w3af.core.controllers.exceptions import HTTPRequestException
 from w3af.core.data.fuzzer.fuzzer import create_mutants
 from w3af.core.data.kb.vuln import Vuln
 
 
-MemcacheInjection = namedtuple('MemcacheInjection', ['ok', 'error_1', 'error_2'])
+MemcacheInjection = namedtuple('MemcacheInjection',
+                               ['ok', 'error_1', 'error_2'])
 
 
 class memcachei(AuditPlugin):
 
+    OK = u'key1 0 30 1\r\n1\r\nset injected 0 10 10\r\n1234567890\r\n'
+    ERROR_1 = u'key1 0 f 1\r\n1\r\n'
+    ERROR_2 = u'key1 0 30 0\r\n1\r\n'
+
     def __init__(self):
         AuditPlugin.__init__(self)
-        self.mci = MemcacheInjection(u'key1 0 30 1\r\n1\r\n'
-                                     u'set injected 0 10 10\r\n1234567890\r\n',
-                                     u'key1 0 f 1\r\n1\r\n',
-                                     u'key1 0 30 0\r\n1\r\n')
         self._eq_limit = 0.97
 
     def audit(self, freq, orig_response):
@@ -58,18 +58,14 @@ def batch_injection_test(self, freq, orig_response):
         """
         Uses the batch injection technique to find memcache injections
         """
-        # shortcut
+        # shortcuts
         send_clean = self._uri_opener.send_clean
+        orig_body = orig_response.get_body()
 
-        # first checking error response
-        fake_mutants = create_mutants(freq, ['', ])
-
-        for mutant in fake_mutants:
+        for mutant in create_mutants(freq, ['']):
 
-            orig_body = orig_response.get_body()
-
-            # trying to break normal execution flow with error1 payload
-            mutant.set_token_value(self.mci.error_1)
+            # trying to break normal execution flow with ERROR_1 payload
+            mutant.set_token_value(self.ERROR_1)
             error_1_response, body_error_1_response = send_clean(mutant)
 
             if fuzzy_equal(orig_body, body_error_1_response, self._eq_limit):
@@ -81,19 +77,19 @@ def batch_injection_test(self, freq, orig_response):
 
             # trying the correct injection request, to confirm that we've found
             # it!
-
-            mutant.set_token_value(self.mci.ok)
+            mutant.set_token_value(self.OK)
             ok_response, body_ok_response = send_clean(mutant)
 
-            if fuzzy_not_equal(orig_body, body_ok_response, self._eq_limit):
+            if fuzzy_equal(body_error_1_response, body_ok_response,
+                           self._eq_limit):
                 #
-                #  now requests should be equal, otherwise injection failed!
+                # The "OK" and "ERROR_1" responses are equal, this means that
+                # we're not in a memcached injection
                 #
                 continue
 
-            # error2 request to just make sure that wasn't random bytes
-
-            mutant.set_token_value(self.mci.error_2)
+            # ERROR_2 request to just make sure that we're in a memcached case
+            mutant.set_token_value(self.ERROR_2)
             error_2_response, body_error_2_response = send_clean(mutant)
 
             if fuzzy_equal(orig_body, body_error_2_response, self._eq_limit):
@@ -107,24 +103,18 @@ def batch_injection_test(self, freq, orig_response):
                             ok_response.id,
                             error_2_response.id]
 
-            desc = 'Memcache injection was found at: "%s", using'\
-                   ' HTTP method %s. The injectable parameter is: "%s"'
-            desc = desc % (mutant.get_url(),
-                           mutant.get_method(),
-                           mutant.get_token_name())
+            desc = ('Memcache injection was found at: "%s", using'
+                    ' HTTP method %s. The injectable parameter is: "%s"')
+            desc %= (mutant.get_url(),
+                     mutant.get_method(),
+                     mutant.get_token_name())
 
             v = Vuln.from_mutant('Memcache injection vulnerability', desc,
                                  severity.HIGH, response_ids, 'memcachei',
                                  mutant)
 
-            v['ok_html'] = ok_response.get_body()
-            v['error_1_html'] = error_1_response.get_body()
-            v['error_2_html'] = error_2_response.get_body()
-
             self.kb_append_uniq(self, 'memcachei', v)
 
-        return
-
     def get_long_desc(self):
         """
         :return: A DETAILED description of the plugin functions and features.

w3af/plugins/tests/audit/test_memcachei.py

@@ -18,8 +18,6 @@
 along with w3af; if not, write to the Free Software
 Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """
-
-from nose.plugins.attrib import attr
 from w3af.plugins.tests.helper import PluginTest, PluginConfig
 from w3af.core.controllers.ci.moth import get_moth_http
 
@@ -37,13 +35,14 @@ class TestMemcachei(PluginTest):
         }
     }
 
-    @attr('ci_fails')
     def test_found_memcachei(self):
         cfg = self._run_configs['cfg']
         self._scan(cfg['target'], cfg['plugins'])
+
         vulns = self.kb.get('memcachei', 'memcachei')
         self.assertEquals(1, len(vulns))
-        # Now some tests around specific details of the found vuln
         vuln = vulns[0]
-        self.assertEquals("Memcache injection vulnerability", vuln.get_name())
+
+        # Now some tests around specific details of the found vuln
+        self.assertEquals('Memcache injection vulnerability', vuln.get_name())
         self.assertEquals(self.target_url, str(vuln.get_url()))

w3af/tests/docker-compose.yml

@@ -3,6 +3,11 @@ moth:
   ports:
     - "8000:8000"
     - "8001:8001"
+  links:
+    - cache
+
+cache:
+  image: memcached
 
 
 wivet: