WIP

Author: clouedoc

WhatWaf

@@ -1,9 +1,11 @@
-#From AutoSQLi
+# From AutoSQLi
 
 # Intensity of WhatWaf's WAF research. Must be >= 1 and <= 5
 WHATWAF_VERIFY_NUM = "3"
 
-WHATWAF_DEBUG = True
+# WHATWAF_DEBUG = True
+WHATWAF_DEBUG = False
+
 WHATWAF_DEBUG_REPORT = """
 ------------------------------
 {

autosqli/consts.py

@@ -8,6 +8,7 @@ def get_options_for_target(target):
     # FIXME: to debug :)
     tampers = target.get_tampers_paths()
     options = sqlmap_options.BASE_SQLMAP_OPTIONS
+    import pudb; pudb.set_trace()  # XXX BREAKPOINT
 
     # add all the tampers in tampers to a string: tampers_string
     # format: tamper1,tamper2,tamper3

autosqli/tamper_engine.py

@@ -11,9 +11,10 @@
 """ + '-' * 30
 
 
-class Target:  # TODO: set proper getters and setters
+class Target:
     url = ""
     waf_detection_done = False
+    whatwaf_report = None
     is_protected_by_waf = False
     waf_name = ""
     working_tampers = []

autosqli/target.py

@@ -5,6 +5,8 @@
 
 import shutil
 import tempfile
+import threading
+import time
 
 WHITELISTED_TAMPERS_PATH = './tampers/whitelisted'
 
@@ -36,23 +38,133 @@ def init_whatwaf():
     return tmp_whatwaf_dir
 
 
+class WhatWafScan():
+    """ threaded class to scan a target """
+
+    def __init__(self, target):
+        self.NOT_LAUCHED_STATE = 0
+        self.RUNNING_STATE = 1
+        self.ENDED_STATE = 2
+
+        self.state = self.NOT_LAUCHED_STATE
+        self.target = target
+        self.waffed_target = None
+        self.thread = None
+        self.launched = False
+
+    def get_waffed_target(self):
+        """ return the new target WhatWaf created if the scan ended
+             , else return None
+        """
+        if self.state is self.ENDED_STATE:
+            return self.results
+        else:
+            return None
+
+    def _scan_thread_function(self):
+        self.launched = True
+        log.debug("Waffing {}".format(self.target.url))
+        self.waffed_target = whatwaf_target(self.target)
+
+    def start(self):
+        """ scan a target in a new thread and save it in self.waffed_target """
+        self.thread = threading.Thread(target=self._scan_thread_function)
+        self.thread.start()
+        self.state = self.RUNNING_STATE
+
+    def update_status(self):
+        """ set self.state to self.ENDED_STATE if self.launched and
+        self.thread is dead
+        """
+        try:
+            if self.launched and not self.thread.is_alive():
+                self.state = self.ENDED_STATE
+        except AttributeError:
+            pass
+
+    def save_target(self):
+        """ update the target which resides in the save """
+        save.update_target(self.waffed_target)
+
+    def join(self):
+        if self.state is self.ENDED_STATE:
+            self.thread.join()
+
+    def isEnded(self):
+        return True if self.state is self.ENDED_STATE else False
+
+    def isRunning(self):
+        return True if self.state is self.RUNNING_STATE else False
+
+    def gotStarted(self):
+        return False if self.state is self.NOT_LAUCHED_STATE else True
+
+
 def wafdetect_stage(args):
     """init whatwaf with custom tampers and add details to the targets of the
     save
     """
-    set_whatwaf_path(
-        init_whatwaf()
-    )
+    set_whatwaf_path(init_whatwaf())
+
+    targets_queue = []
+    whatwafscan_queue = []
+
+    # add all unwaffed targets to targets_queue
+    for target in save.getTargets():
+        if not target.isWaffed():
+            if target is not None:
+                targets_queue.append(target)
+
+    # create a whatwafscan for every target and add them in whatwafscan_queue
+    for target in targets_queue:
+        log.debug('Adding {} to the target queue'.format(target.url))
+        whatwafscan_queue.append(WhatWafScan(target))
 
+    # constantly check the number of scans launched
+    # if it is under 5, launch scan
+    # also, check for ended scans. If there are, do scan.save_target(), and
+    # remove() it from whatwafscan_queue
+    # if there are no scans remaining, break.
+    MINIMUM_RUNNING_SCANS = 5
     while True:
-        target = save.getUnwaffedTarget()
-        if target is not None:
-            log.debug("Waffing {}".format(target.url))
-            target = whatwaf_target(target)
-            save.updateTarget(target)
-        else:
-            log.debug("All targets got waffed !")
+        # break if there are no scan remaining
+        if len(whatwafscan_queue) == 0:
             break
 
+        running_scans = 0
+        for scan in whatwafscan_queue:
+            # if the scan is finished, save and remove
+            scan.update_status()
+            if scan.isEnded():
+                log.debug(
+                    'Properly ending scan for {}'
+                    .format(scan.target.url)
+                )
+
+                scan.save_target()
+                whatwafscan_queue.remove(scan)
+
+            # if the scan is running, increment running_scans
+            if scan.isRunning():
+                running_scans += 1
+
+        # if there are not enough running scans, launch some
+        to_launch = MINIMUM_RUNNING_SCANS - running_scans
+        log.debug('Running scans: {}; Scans to launch: {}'.format(
+            running_scans, to_launch
+        ))
+
+        for scan in whatwafscan_queue:
+            if to_launch > 0:
+                if not scan.gotStarted():
+                    log.debug('Starting scan for {}'.format(scan.target.url))
+                    scan.start()
+                    to_launch -= 1
+            else:
+                break
+
+        # check every 5 seconds
+        time.sleep(5)
 
-print(init_whatwaf())
+    # hello, code reader. If you like reading code, tell me in the issue
+    # tracker !

autosqli/wafdetect_stage.py

@@ -4,7 +4,7 @@
 from autosqli import log
 
 from autosqli.strings import BANNED_TAMPERS
-from autosqli.satanize import remove_thing_url
+# from autosqli.satanize import remove_thing_url
 from autosqli.execute import execute
 from autosqli.consts import WHATWAF_VERIFY_NUM, WHATWAF_DEBUG, \
     WHATWAF_DEBUG_REPORT
@@ -22,8 +22,9 @@ def whatwaf_url(url):
     """ return WhatWaf's results for a specified url """
     log.debug("Launching WhatWaf on {}".format(url))
     return execute([
-        "python2.7", whatwaf_path, "-u",
-        remove_thing_url(url), "--ra", "--hide", "--json", "--verify-num",
+        "python2.7", whatwaf_path + 'whatwaf.py', "-u",
+        url, "--ra", "--hide", "--json",
+        "--verify-num",
         str(WHATWAF_VERIFY_NUM)
     ], paths.WHATWAF_PATH, None, True)
 
@@ -39,9 +40,12 @@ def whatwaf_target(target):
     whatwaf_report = WHATWAF_DEBUG_REPORT if WHATWAF_DEBUG else \
         whatwaf_url(target.url)
 
-    if "no protection identified on target" in whatwaf_report:
+    if 'detected website protection' in whatwaf_report:
+        target.is_protected_by_waf = True
+    else:
         target.is_protected_by_waf = False
-    elif '-' * 30 in whatwaf_report:
+
+    if '-' * 30 in whatwaf_report:
         # extract the json part ( using those " - " )
         gorgeous_report = whatwaf_report.split('-' * 30 + '\n')[1].split(
             '\n' + '-' * 30)[0]
@@ -58,5 +62,6 @@ def whatwaf_target(target):
                 target.working_tamper.append(tamper)
 
     # TODO: analyze the report to return the target
+    target.whatwaf_report = whatwaf_report
     target.waf_detection_done = True
     return target