3
0

SQLiAttack.py 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351
  1. # Created by Aidmar
  2. """
  3. ATutor 2.2.1 SQL Injection / Remote Code Execution
  4. This module exploits a SQL Injection vulnerability and an authentication weakness vulnerability in ATutor. This essentially
  5. means an attacker can bypass authentication and reach the administrator's interface where they can upload malicious code.
  6. more info:
  7. https://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli
  8. """
  9. import logging
  10. import math
  11. from operator import itemgetter
  12. import operator
  13. from random import randint, uniform
  14. from lea import Lea
  15. from Attack import BaseAttack
  16. from Attack.AttackParameters import Parameter as Param
  17. from Attack.AttackParameters import ParameterTypes
  18. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  19. # noinspection PyPep8
  20. from scapy.utils import RawPcapReader
  21. from scapy.layers.inet import IP, Ether, TCP, RandShort
  22. #from scapy.all import *
  23. class SQLiAttack(BaseAttack.BaseAttack):
  24. # Metasploit default packet rate
  25. maxDefaultPPS = 55
  26. minDefaultPPS = 5
  27. # HTTP port
  28. http_port = 80
  29. # Metasploit experiments show this range of ports
  30. minDefaultPort = 30000
  31. maxDefaultPort = 50000
  32. def __init__(self, statistics, pcap_file_path):
  33. """
  34. Creates a new instance of the SQLi Attack.
  35. :param statistics: A reference to the statistics class.
  36. """
  37. # Initialize attack
  38. super(SQLiAttack, self).__init__(statistics, "SQLi Attack", "Injects a SQLi attack'",
  39. "Resource Exhaustion")
  40. # Define allowed parameters and their type
  41. self.supported_params = {
  42. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  43. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  44. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  45. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  46. Param.TARGET_HOST: ParameterTypes.TYPE_DOMAIN,
  47. #Param.TARGET_URI: ParameterTypes.TYPE_URI,
  48. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  49. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  50. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  51. }
  52. # PARAMETERS: initialize with default utilsvalues
  53. # (values are overwritten if user specifies them)
  54. most_used_ip_address = self.statistics.get_most_used_ip_address()
  55. if isinstance(most_used_ip_address, list):
  56. most_used_ip_address = most_used_ip_address[0]
  57. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  58. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  59. #self.add_param_value(Param.TARGET_URI, "/")
  60. self.add_param_value(Param.TARGET_HOST, "www.hackme.com")
  61. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  62. self.add_param_value(Param.PACKETS_PER_SECOND,self.maxDefaultPPS)
  63. # victim configuration
  64. # consider that the destination has port 80 opened
  65. random_ip_address = self.statistics.get_random_ip_address()
  66. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  67. destination_mac = self.statistics.get_mac_address(random_ip_address)
  68. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  69. destination_mac = self.generate_random_mac_address()
  70. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  71. def generate_attack_pcap(self):
  72. def update_timestamp(timestamp, pps, maxdelay):
  73. """
  74. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  75. :return: Timestamp to be used for the next packet.
  76. """
  77. return timestamp + uniform(1 / pps, maxdelay)
  78. # Aidmar
  79. def getIntervalPPS(complement_interval_pps, timestamp):
  80. """
  81. Gets the packet rate (pps) in specific time interval.
  82. :return: the corresponding packet rate for packet rate (pps) .
  83. """
  84. for row in complement_interval_pps:
  85. if timestamp <= row[0]:
  86. return row[1]
  87. return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
  88. # Timestamp
  89. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  90. # TO-DO: find better pkt rate
  91. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  92. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 30, 5 / pps: 15, 10 / pps: 3})
  93. # Aidmar - calculate complement packet rates of BG traffic per interval
  94. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  95. # Initialize parameters
  96. packets = []
  97. mac_source = self.get_param_value(Param.MAC_SOURCE)
  98. ip_source = self.get_param_value(Param.IP_SOURCE)
  99. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  100. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  101. target_host = self.get_param_value(Param.TARGET_HOST)
  102. target_uri = "/" #self.get_param_value(Param.TARGET_URI)
  103. # Aidmar - check ip.src == ip.dst
  104. if ip_source == ip_destination:
  105. print("\nERROR: Invalid IP addresses; source IP is the same as destination IP: " + ip_source + ".")
  106. import sys
  107. sys.exit(0)
  108. path_attack_pcap = None
  109. minDelay, maxDelay = self.get_reply_delay(ip_destination)
  110. # Set TTL based on TTL distribution of IP address
  111. source_ttl_dist = self.statistics.get_ttl_distribution(ip_source)
  112. if len(source_ttl_dist) > 0:
  113. source_ttl_prob_dict = Lea.fromValFreqsDict(source_ttl_dist)
  114. source_ttl_value = source_ttl_prob_dict.random()
  115. else:
  116. source_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  117. destination_ttl_dist = self.statistics.get_ttl_distribution(ip_destination)
  118. if len(destination_ttl_dist) > 0:
  119. destination_ttl_prob_dict = Lea.fromValFreqsDict(destination_ttl_dist)
  120. destination_ttl_value = destination_ttl_prob_dict.random()
  121. else:
  122. destination_ttl_value = self.statistics.process_db_query("most_used(ttlValue)")
  123. # Inject SQLi Attack
  124. # Read SQLi Attack pcap file
  125. orig_ip_dst = None
  126. exploit_raw_packets = RawPcapReader("resources/ATutorSQLi.pcap")
  127. port_source = randint(self.minDefaultPort,self.maxDefaultPort) # experiments show this range of ports
  128. # Random TCP sequence numbers
  129. global attacker_seq
  130. attacker_seq = randint(1000, 50000)
  131. global victim_seq
  132. victim_seq = randint(1000, 50000)
  133. for pkt_num, pkt in enumerate(exploit_raw_packets):
  134. eth_frame = Ether(pkt[0])
  135. ip_pkt = eth_frame.payload
  136. tcp_pkt = ip_pkt.payload
  137. str_tcp_seg = str(tcp_pkt.payload)
  138. # Clean payloads
  139. eth_frame.payload = b''
  140. ip_pkt.payload = b''
  141. tcp_pkt.payload = b''
  142. if pkt_num == 0:
  143. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  144. orig_ip_dst = ip_pkt.getfieldval("dst") # victim IP
  145. if tcp_pkt.getfieldval("dport") == 80 or tcp_pkt.getfieldval("sport") == 80:
  146. # Attacker --> vicitm
  147. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  148. # There are 363 TCP connections with different source ports, for each of them we generate random port
  149. if tcp_pkt.getfieldval("sport") != prev_orig_port_source and tcp_pkt.getfieldval("dport") != 4444:
  150. port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  151. prev_orig_port_source = tcp_pkt.getfieldval("sport")
  152. # New connection, new random TCP sequence numbers
  153. attacker_seq = randint(1000, 50000)
  154. victim_seq = randint(1000, 50000)
  155. # First packet in a connection has ACK = 0
  156. tcp_pkt.setfieldval("ack", 0)
  157. # Ether
  158. eth_frame.setfieldval("src", mac_source)
  159. eth_frame.setfieldval("dst", mac_destination)
  160. # IP
  161. ip_pkt.setfieldval("src", ip_source)
  162. ip_pkt.setfieldval("dst", ip_destination)
  163. ip_pkt.setfieldval("ttl", source_ttl_value)
  164. # TCP
  165. tcp_pkt.setfieldval("sport",port_source)
  166. if len(str_tcp_seg) > 0:
  167. # convert payload bytes to str => str = "b'..\\r\\n..'"
  168. str_tcp_seg = str_tcp_seg[2:-1]
  169. str_tcp_seg = str_tcp_seg.replace('/ATutor', target_uri)
  170. str_tcp_seg = str_tcp_seg.replace(orig_ip_dst, target_host)
  171. str_tcp_seg = str_tcp_seg.replace("\\n", "\n")
  172. str_tcp_seg = str_tcp_seg.replace("\\r", "\r")
  173. str_tcp_seg = str_tcp_seg.replace("\\t", "\t")
  174. str_tcp_seg = str_tcp_seg.replace("\\\'", "\'")
  175. # TCP Seq, Ack
  176. if tcp_pkt.getfieldval("ack") != 0:
  177. tcp_pkt.setfieldval("ack", victim_seq)
  178. tcp_pkt.setfieldval("seq", attacker_seq)
  179. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  180. attacker_seq += max(len(str_tcp_seg), 1)
  181. new_pkt = (eth_frame / ip_pkt/ tcp_pkt / str_tcp_seg)
  182. new_pkt.time = timestamp_next_pkt
  183. maxdelay = randomdelay.random()
  184. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), self.minDefaultPPS)
  185. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
  186. # Victim --> attacker
  187. else:
  188. # Ether
  189. eth_frame.setfieldval("src", mac_destination)
  190. eth_frame.setfieldval("dst", mac_source)
  191. # IP
  192. ip_pkt.setfieldval("src", ip_destination)
  193. ip_pkt.setfieldval("dst", ip_source)
  194. ip_pkt.setfieldval("ttl", destination_ttl_value)
  195. # TCP
  196. tcp_pkt.setfieldval("dport", port_source)
  197. if len(str_tcp_seg) > 0:
  198. # convert payload bytes to str => str = "b'..\\r\\n..'"
  199. str_tcp_seg = str_tcp_seg[2:-1]
  200. str_tcp_seg = str_tcp_seg.replace('/ATutor', target_uri)
  201. str_tcp_seg = str_tcp_seg.replace(orig_ip_dst, target_host)
  202. str_tcp_seg = str_tcp_seg.replace("\\n", "\n")
  203. str_tcp_seg = str_tcp_seg.replace("\\r", "\r")
  204. str_tcp_seg = str_tcp_seg.replace("\\t", "\t")
  205. str_tcp_seg = str_tcp_seg.replace("\\\'", "\'")
  206. # TCP Seq, ACK
  207. tcp_pkt.setfieldval("ack", attacker_seq)
  208. tcp_pkt.setfieldval("seq", victim_seq)
  209. strLen = len(str_tcp_seg)
  210. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  211. victim_seq += max(strLen, 1)
  212. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  213. timestamp_next_pkt = timestamp_next_pkt + uniform(minDelay, 2 * maxDelay)
  214. new_pkt.time = timestamp_next_pkt
  215. # The last connection
  216. else:
  217. # New connection, new random TCP sequence numbers
  218. attacker_seq = randint(1000, 50000)
  219. victim_seq = randint(1000, 50000)
  220. # First packet in a connection has ACK = 0
  221. tcp_pkt.setfieldval("ack", 0)
  222. #port_source = randint(self.minDefaultPort, self.maxDefaultPort)
  223. # Attacker --> vicitm
  224. if ip_pkt.getfieldval("dst") == orig_ip_dst: # victim IP
  225. # Ether
  226. eth_frame.setfieldval("src", mac_source)
  227. eth_frame.setfieldval("dst", mac_destination)
  228. # IP
  229. ip_pkt.setfieldval("src", ip_source)
  230. ip_pkt.setfieldval("dst", ip_destination)
  231. ip_pkt.setfieldval("ttl", source_ttl_value)
  232. # TCP
  233. #tcp_pkt.setfieldval("sport", port_source)
  234. if len(str_tcp_seg) > 0:
  235. # convert payload bytes to str => str = "b'..\\r\\n..'"
  236. str_tcp_seg = str_tcp_seg[2:-1]
  237. str_tcp_seg = str_tcp_seg.replace('/ATutor', target_uri)
  238. str_tcp_seg = str_tcp_seg.replace(orig_ip_dst, target_host)
  239. str_tcp_seg = str_tcp_seg.replace("\\n", "\n")
  240. str_tcp_seg = str_tcp_seg.replace("\\r", "\r")
  241. str_tcp_seg = str_tcp_seg.replace("\\t", "\t")
  242. str_tcp_seg = str_tcp_seg.replace("\\\'", "\'")
  243. # TCP Seq, Ack
  244. if tcp_pkt.getfieldval("ack") != 0:
  245. tcp_pkt.setfieldval("ack", victim_seq)
  246. tcp_pkt.setfieldval("seq", attacker_seq)
  247. if not (tcp_pkt.getfieldval("flags") == 16 and len(str_tcp_seg) == 0): # flags=A:
  248. attacker_seq += max(len(str_tcp_seg), 1)
  249. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  250. new_pkt.time = timestamp_next_pkt
  251. maxdelay = randomdelay.random()
  252. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), self.minDefaultPPS)
  253. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps, maxdelay)
  254. # Victim --> attacker
  255. else:
  256. # Ether
  257. eth_frame.setfieldval("src", mac_destination)
  258. eth_frame.setfieldval("dst", mac_source)
  259. # IP
  260. ip_pkt.setfieldval("src", ip_destination)
  261. ip_pkt.setfieldval("dst", ip_source)
  262. ip_pkt.setfieldval("ttl", destination_ttl_value)
  263. # TCP
  264. #tcp_pkt.setfieldval("dport", port_source)
  265. if len(str_tcp_seg) > 0:
  266. # convert payload bytes to str => str = "b'..\\r\\n..'"
  267. str_tcp_seg = str_tcp_seg[2:-1]
  268. str_tcp_seg = str_tcp_seg.replace('/ATutor', target_uri)
  269. str_tcp_seg = str_tcp_seg.replace(orig_ip_dst, target_host)
  270. str_tcp_seg = str_tcp_seg.replace("\\n", "\n")
  271. str_tcp_seg = str_tcp_seg.replace("\\r", "\r")
  272. str_tcp_seg = str_tcp_seg.replace("\\t", "\t")
  273. str_tcp_seg = str_tcp_seg.replace("\\\'", "\'")
  274. # TCP Seq, ACK
  275. tcp_pkt.setfieldval("ack", attacker_seq)
  276. tcp_pkt.setfieldval("seq", victim_seq)
  277. strLen = len(str_tcp_seg)
  278. if not (tcp_pkt.getfieldval("flags") == 16 and strLen == 0): # flags=A:
  279. victim_seq += max(strLen, 1)
  280. new_pkt = (eth_frame / ip_pkt / tcp_pkt / str_tcp_seg)
  281. timestamp_next_pkt = timestamp_next_pkt + uniform(minDelay, 2 * maxDelay)
  282. new_pkt.time = timestamp_next_pkt
  283. packets.append(new_pkt)
  284. # Store timestamp of first packet (for attack label)
  285. self.attack_start_utime = packets[0].time
  286. self.attack_end_utime = packets[-1].time
  287. if len(packets) > 0:
  288. packets = sorted(packets, key=lambda pkt: pkt.time)
  289. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  290. # return packets sorted by packet time_sec_start
  291. # pkt_num+1: because pkt_num starts at 0
  292. return pkt_num + 1, path_attack_pcap