miketracy-wwmd 0.2.16 → 0.2.17

data/lib/wwmd/page/auth.rb

@@ -1,30 +1,6 @@
-=begin rdoc
-This is where we do all the undocumented auth stuff.  NTLM is here and 
-hooked in.
-
-WWMDNTLM is an incredibly naive NTLM implementation (used to get 
-around NTLM for one project ahwile back
-=end
-
 module WWMD
   class Page
 
-#:stopdoc:
-
-#:section: Authentication helpers
-
-    # check if this request requires NTLM
-    def ntlm?
-      return false if self.code != 401
-      count = 0
-      self.header_data.each do |i|
-        if i[0] =~ /www-authenticate/i
-          count += 1 if (i[1] == "Negotiate" || i[1] == "NTLM")
-        end
-      end
-      return (count > 0)
-    end
-
     # does this request have an authenticate header?
     def auth?
       return false if self.code != 401
@@ -37,147 +13,5 @@ module WWMD
       return (count > 0)
     end
 
-    # not sure why this is here
-    def ntlm_perform(exp=nil)#:nodoc:
-      self.perform
-      return (self.code == exp)
-    end
-
-    # perform a get usig NTLM
-    def ntlm_get(url=nil?,debug=false)
-      self.clear_header('Authorization')
-      nobj = WWMDNTLM.new(self.opts)
-      self.url = @urlparse.parse(self.opts[:base_url],url) if not url.nil?
-      self.perform
-      return "This request does not appear to require NTLM" if not self.ntlm?
-      self.headers['Authorization'] = nobj.type_1_msg
-      self.perform
-      type2 = self.header_data.get_value('WWW-Authenticate')
-      nonce = nobj.get_nonce(type2)
-      type3 = nobj.type_3_msg(nonce)
-      self.headers['Authorization'] = type3
-      self.perform
-      self.clear_header('Authorization')
-      return self.code
-    end
-
-#:startdoc:
-
-  end
-
-  class WWMDNTLM#:nodoc:
-    attr_accessor :hostname
-    attr_accessor :domain
-    attr_accessor :username
-    attr_accessor :password
-    attr_accessor :opts
-    attr_accessor :negotiate_flags
-    attr_accessor :debug
-
-    def initialize(opts,debug=false)
-      @opts = opts
-      @hostname = self.opts[:hostname]
-      @domain   = self.opts[:domain]
-      @username = self.opts[:username]
-      @password = self.opts[:password]
-      @hostname = "LOCALHOST" if self.hostname.nil?
-      @negotiate_flags = 0x00002201.to_l32
-      @debug = debug
-    end
-
-    def type_1_msg
-# do not add domain for now here as it doesn't seem to be needed
-# it does need to be set for type3 messages
-      host_len = self.hostname.size
-      host_off = 0x20
-#      if self.domain.nil?
-      if true
-        dom_off = 0
-        dom_len = 0
-      else
-        dom_off = (host_off + hostname.size)
-        dom_len = self.domain.size
-      end
-      msg = ""
-      msg << "NTLMSSP\x00"        # signature[8]
-      msg << 0x01.to_l32          # type[4]
-      msg << self.negotiate_flags # NegotiateFlags[4]
-      msg << dom_len.to_l16       # domain string length[2]
-      msg << dom_len.to_l16       # domain string length[2]
-      msg << dom_off.to_l32       # domain string offset[4]
-      msg << host_len.to_l16      # host string length[2]
-      msg << host_len.to_l16      # host string length[2]
-      msg << host_off.to_l32      # host string offset[4]
-#      msg << self.domain if not self.domain.nil? # domain[var]
-      msg << self.hostname        # host name[var]
-      return "NTLM " + msg.b64e
-    end
-
-    def get_nonce(t2msg)
-      # Signature[8]
-      # MessageType[4]
-      # TargetNameFields[8]
-      # NegotiateFlags[4]
-      # ServerChallenge[8]
-      # Reserved[8] ! 0x00
-      # TargetInfoFields[8]
-      # Version[8]
-      # Payload[var]
-      msg = t2msg.split[1].b64d
-      return msg[24..31]
-    end
-
-    def type_3_msg(nonce)
-      hlen = 0x40
-      poff = hlen
-      domain = self.domain.to_utf16
-      username = self.username.to_utf16
-      hostname = self.hostname.to_utf16
-      lmresp = NTLM.lm_response(self.opts[:password],nonce,:lmhash)
-      ntresp = NTLM.lm_response(self.opts[:password],nonce,:nthash)
-      msg = ""
-      msg << "NTLMSSP\x00"            # Signature[8]
-      msg << 0x03.to_l32              # MessageType[4]
-                                      # LmChallengeResonseFields[8]
-      msg << lmresp.size.to_l16           # LmChallengeResponseLen[2]
-      msg << lmresp.size.to_l16           # LmChallengeResponseMaxLen[2]
-      msg << poff.to_l32                  # LmChallengeResponseBufferOffset[4]
-      poff += lmresp.size
-#      msg << 0x40.to_l32                  # LmChallengeResponseBufferOffset[4]
-                                      # NtChallengeResponseFields[8]
-      msg << ntresp.size.to_l16           # NtChallengeResponseLen[2]
-      msg << ntresp.size.to_l16           # NtChallengeResponseMaxLen[2]
-#      msg << 0x58.to_l32                  # NtChallengeResponseBufferOffset[4]
-      msg << poff.to_l32                  # NtChallengeResponseBufferOffset[4]
-      poff += ntresp.size
-                                      # DomainNameFields[8]
-      msg << domain.size.to_l16           # DomainNameLen[2]
-      msg << domain.size.to_l16           # DomainNameMaxLen[2]
-      msg << poff.to_l32                  # DomainNameBufferOffset[4]
-      poff += domain.size
-                                      # UserNameFields[8]
-      msg << username.size.to_l16         # UserNameLen[2]
-      msg << username.size.to_l16         # UserNameMaxLen[2]
-      msg << poff.to_l32                  # UserNameBufferOffset[4]
-      poff += username.size
-                                      # WorkstationFields[8]
-      msg << hostname.size.to_l16         # WorkstationLen[2]
-      msg << hostname.size.to_l16         # WorkstationMaxLen[2]
-      msg << poff.to_l32                  # WorkstationBufferOffset[4]
-      poff += hostname.size
-                                      # EncryptedRandomSessionKeyFields[8]
-      msg << 0x00.to_l16                  # EncryptedRandomSessionKeyLen[2]
-      msg << 0x00.to_l16                  # EncryptedRandomSessionKeyMaxLen[2]
-      msg << 0x00.to_l32                  # EncryptedRandomSessionKeyBufferOffset[4]
-      msg << self.negotiate_flags     # NegotiateFlags[4]
-                                      # Version[8] (optional do not add)
-                                      # Payload[var]
-      msg << lmresp                       # LmChallenge[var]
-      msg << ntresp                       # NtChallenge[var]
-      msg << domain                       # DomainName[var]
-      msg << username                     # UserName[var]
-      msg << hostname                     # Workstation[var]
-      return "NTLM " + msg.b64e
-    end
   end
 end

data/lib/wwmd/page/constants.rb

@@ -18,10 +18,11 @@ module WWMD
   ESCAPE = {
     :url     => /[^a-zA-Z0-9\-_%]/,
     :nalnum  => /[^a-zA-Z0-9]/,
-    :xss     => /[^a-zA-Z0-9=?&()']/,
+    :xss     => /[^a-zA-Z0-9=?()']/,
     :ltgt    => /[<>]/,
     :all     => /.*/,
-    :b64     => /[=+\/]/,
+#    :b64     => /[=+\/]/,
+    :b64     => /[^a-zA-Z0-9]/,
     :none    => :none,
     :default => :default,
   }
@@ -33,11 +34,13 @@ module WWMD
     :ie7 => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
     :ie8 => "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
     :opera => "Opera/9.20 (Windows NT 6.0; U; en)",
-    :safari => "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.22"
+    :safari => "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_4_11; en) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.2 Safari/525.22",
+    :safari4 => "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; en-us) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Safari/530.17",
+    :wwmd => "Mozilla/5.0 (compatible; WWMD #{WWMD::VERSION}; o_hai)"
   }
 
   DEFAULT_HEADERS = {
-    "User-Agent" => UA[:moz3],
+    "User-Agent" => UA[:wwmd],
     "Accept" => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
     "Accept-Language" => "en-US,en;q=0.8,en-au;q=0.6,en-us;q=0.4,en;q=0.2",
     "Accept-Encoding" => "gzip,deflate",

data/lib/wwmd/page/form.rb

@@ -40,21 +40,6 @@ module WWMD
       return self.get_attribute("action")
     end
 
-    def report
-      puts "action = #{self.action}"
-      self.fields.each { |field| puts field.to_text }
-      return nil
-    end
-
-    alias_method :show, :report
-
-    def to_form_array
-      FormArray.new(self.fields)
-    end
-
-    def to_array
-      self.to_form_array
-    end
   end
 
   class Field < Form

data/lib/wwmd/page/form_array.rb

@@ -6,35 +6,48 @@ Accessing this either as a hash or an array (but => won't work)
 
 Some of the methods in here are kept for backward compat before the refactor
 and now everything in this array should be accessed with []= and []
+
+Set :action and take a block.  Page#submit_form should take this and do the
+right thing.
 =end
 
 module WWMD
   class FormArray < Array
+    attr_accessor :action
+    attr_accessor :delimiter
+    attr_accessor :equals
+
+    def initialize(fields=nil,action=nil,&block)
+      set_fields(fields)
+      @delimiter = "&"
+      @equals = "="
+      @action = action
+      instance_eval(&block) if block_given?
+    end
 
-    def initialize(fields=nil)
-      if not fields.nil?
-        # this first one is an array of field objects
-        if fields.class == Array
-          fields.each do |f|
-            name = f['name']
-            if self.name_exists(name)
-              if f['type'] == "hidden"
-                self.set name,f.get_value
-              elsif f['type'] == "checkbox" and f.to_html.grep(/checked/) != ''
-                self[name] = f.get_value
-              end
-            else
-              self << [ f['name'],f.get_value ]
+    def set_fields(fields=nil)
+      return nil if fields.nil?
+      # this first one is an array of field objects
+      if fields.class == Array
+        fields.each do |f|
+          name = f['name']
+          if self.name_exists(name)
+            if f['type'] == "hidden"
+              self.set name,f.get_value
+            elsif f['type'] == "checkbox" and f.to_html.grep(/checked/) != ''
+              self[name] = f.get_value
             end
-          end
-        elsif fields.class == Hash
-          fields.each_pair { |k,v| self[k] = v }
-        elsif fields.class == String
-          fields.split("&").each do |f|
-            k,v = f.split("=",2)
-            self[k] = v
+          else
+            self << [ f['name'],f.get_value ]
           end
         end
+      elsif fields.class == Hash
+        fields.each_pair { |k,v| self[k] = v }
+      elsif fields.class == String
+        fields.split(@delimiter).each do |f|
+          k,v = f.split(@equals,2)
+          self[k] = v
+        end
       end
     end
 
@@ -43,6 +56,7 @@ module WWMD
     def clone
       ret = self.class.new
       self.each { |r| ret << r.clone }
+      ret.action = self.action
       return ret
     end
 
@@ -64,14 +78,6 @@ module WWMD
       self << [key,value]
     end
 
-    def clear_viewstate
-      self.each { |k,v|
-        self[k] = "" if k == "__VIEWSTATE"
-      }
-    end
-
-    alias_method :extend!, :add #:nodoc (this is here for backward compat)
-
     # key = Fixnum set value at index key
     # key = String find key named string and set value
     def set_value!(key,value)
@@ -87,6 +93,8 @@ module WWMD
       return [key,value]
     end
 
+    # get a value using its index
+    # override Array#[]
     alias_method :old_get, :[]#:nodoc:
     def [](*args)
       if args.first.class == Fixnum
@@ -133,6 +141,10 @@ module WWMD
 
     alias_method :get, :get_value
 
+    def keys
+      self.map { |k,v| k }
+    end
+
     def setall!(value)
       self.each_index { |i| self.set_value!(i,value) }
     end
@@ -176,39 +188,38 @@ module WWMD
 
     alias_method :unescape_all, :unescape_all!#:nodoc:
 
-    # convert form into a post parameters string
-    def to_post
-      ret = []
-      self.each do |i|
-        ret.push(i.join("="))
-      end
-      ret.join("&")
+    # remove form elements with null values
+    def remove_nulls!
+      self.delete_if { |x| x[1].to_s.empty? || x[1].nil? }
     end
 
-    # convert form into a get parameters string
-    #
-    # pass me a base to get a full url to pass to Page.get
-    def to_get(base="")
-      ret = []
-      self.each do |i|
-        ret.push(i.join("="))
-      end
-      ret = ret.join("&")
-      return base.clip + "?" + ret.to_s
+    alias_method :squeeze!, :remove_nulls!
+
+    # remove form elements with null keys (for housekeeping returns)
+    def remove_null_keys!
+      self.delete_if { |x,y| x.to_s.empty? || x.nil? }
     end
 
-    # IRB: puts the form in human readable format
-    # if you <tt>form.show(true)</tt> it will show unescaped values
-    def show(unescape=false)
-      if unescape
-        self.each_index { |i| puts i.to_s + " :: " + self[i][0].to_s + " = " + self[i][1].to_s.unescape }
-      else
-        self.each_index { |i| puts i.to_s + " :: " + self[i][0].to_s + " = " + self[i][1].to_s }
-      end
-      return nil
+    alias_method :squeeze_keys!, :remove_null_keys!
+
+## viewstate
+
+    # clear viewstate variables
+    def clear_viewstate
+      self.each { |k,v|
+        self[k] = "" if k =~ /^__/
+      }
+    end
+
+    # remove viewstate variables
+    def rm_viewstate
+      # my least favorite ruby idiom
+      self.replace(self.map { |k,v| [k,v] if not k =~ /^__/ }.reject { |x| x.nil? })
     end
 
-    # meh
+    alias_method :extend!, :add #:nodoc (this is here for backward compat)
+
+    # add viewstate stuff
     def add_viewstate#:nodoc:
       self.insert(0,[ "__VIEWSTATE","" ])
       self.insert(0,[ "__EVENTARGUMENT","" ])
@@ -217,31 +228,40 @@ module WWMD
       return nil
     end
 
-#    alias_method, :add_state, :add_viewstate#:nodoc:
+## conversions
 
-    # remove form elements with null values
-    def remove_nulls!
-      self.delete_if { |x| x[1].to_s.empty? || x[1].nil? }
+    # convert form into a post parameters string
+    def to_post
+      ret = []
+      self.each do |i|
+        ret << i.join(@equals)
+      end
+      ret.join(@delimiter)
     end
 
-    alias_method :squeeze!, :remove_nulls!
-
-    # remove form elements with null keys (for housekeeping returns)
-    def remove_null_keys!
-      self.delete_if { |x,y| x.to_s.empty? || x.nil? }
+    # convert form into a get parameters string
+    #
+    # pass me a base to get a full url to pass to Page.get
+    def to_get(base="")
+      ret = []
+      self.each do |i|
+        ret << i.join(@equals)
+      end
+      ret = ret.join(@delimiter)
+      return base.clip + "?" + ret.to_s
     end
 
-    alias_method :squeeze_keys!, :remove_null_keys!
+## parsing convenience
 
     # dump a web page containing a csrf example of the current FormArray
-    def to_csrf(action,unescval=false)
+    def to_csrf(action=nil,unescval=false)
+      action = self.action if not action
       ret = ""
       ret << "<html><body>\n"
       ret << "<form method='post' id='wwmdtest' name='wwmdtest' action='#{action}'>\n"
       self.each do |key,val|
         val = val.unescape.gsub(/'/) { %q[\'] } if unescval
-            ret << "<input name='#{key.to_s.unescape}' type='hidden' value='#{val}' />\n"
-#            ret << "<input name='#{key.to_s.unescape}' type='hidden' value='#{val.to_s.unescape.gsub(/'/,"\\'")}' />\n"
+            ret << "<input name='#{key.to_s.unescape}' type='hidden' value='#{val.to_s.unescape}' />\n"
       end
       ret << "</form>\n"
       ret << "<script>document.wwmdtest.submit()</script>\n"
@@ -249,17 +269,14 @@ module WWMD
       return ret
     end
 
-    def keys
-      self.map { |k,v| k }
-    end
-
+    # add markers for burp intruder to form
     def burpify #:nodoc:
       ret = self.clone
       ret.each_index do |i|
         next if ret[i][0] =~ /^__/
         ret.set_value!(i,"#{ret.get_value(i)}" + "\302\247" + "\302\247")
       end
-      system("echo '#{ret.to_post}' | pbcopy")
+      ret.to_post.pbcopy
       return ret
     end
 
@@ -269,5 +286,10 @@ module WWMD
     end
     alias_method :fp, :fingerprint #:nodoc:
 
+    def from_array(arr)
+      self.clear
+      arr.each { |k,v| self[k] = v }
+    end
+
   end
 end