From 14a7204e885e1a9d43d17e59ce91fece056400e2 Mon Sep 17 00:00:00 2001 From: ekultek Date: Fri, 8 Dec 2017 12:25:29 -0600 Subject: [PATCH] created a new tamper script, this will obfuscate the script by it's HTML entity IE < == < > == > --- etc/checksum/md5sum.md5 | 3 +- lib/core/settings.py | 2 +- lib/tamper_scripts/obfuscateentity_encode.py | 29 ++++++++++++++++++++ 3 files changed, 32 insertions(+), 2 deletions(-) create mode 100644 lib/tamper_scripts/obfuscateentity_encode.py diff --git a/etc/checksum/md5sum.md5 b/etc/checksum/md5sum.md5 index 4ae161d..888563e 100644 --- a/etc/checksum/md5sum.md5 +++ b/etc/checksum/md5sum.md5 @@ -37,6 +37,7 @@ d41d8cd98f00b204e9800998ecf8427e ./lib/tamper_scripts/__init__.py 9fd42d65993aa20d1bf5acbc4d042d2e ./lib/tamper_scripts/base64_encode.py f77b7a9a19b94e26903eeecf5a787ea3 ./lib/tamper_scripts/space2null_encode.py 3b8c95a6a3b7cecce5118f2fb1ccc6b8 ./lib/tamper_scripts/appendnull_encode.py +8e8792e38649f18d90bb0084202bb59e ./lib/tamper_scripts/obfuscateentity_encode.py d41d8cd98f00b204e9800998ecf8427e ./lib/__init__.py 6299b188a730844954044887f528435a ./lib/firewall/cloudfront.py d41d8cd98f00b204e9800998ecf8427e ./lib/firewall/__init__.py @@ -107,7 +108,7 @@ daab1cac629a5f59abfeb510d0cb9b67 ./lib/header_check/__init__.py de4254c5e40f7aa4fb81e0608f758a2c ./lib/core/decorators.py 4433353fb5c55578391d8b4006191ee8 ./lib/core/errors.py d41d8cd98f00b204e9800998ecf8427e ./lib/core/__init__.py -93f0a11909b7baf0581e25d289721732 ./lib/core/settings.py +6a6d454292a186599e37925975f8b656 ./lib/core/settings.py afc8dc07dfdac4f70795ba718832f5a6 ./lib/core/parse.py d41d8cd98f00b204e9800998ecf8427e ./var/__init__.py d41d8cd98f00b204e9800998ecf8427e ./var/auto_issue/__init__.py diff --git a/lib/core/settings.py b/lib/core/settings.py index b5069e2..2d96f5d 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -45,7 +45,7 @@ CLONE = "https://github.com/ekultek/zeus-scanner.git" ISSUE_LINK = "https://github.com/ekultek/zeus-scanner/issues" # current version -VERSION = "1.4.6".format(PATCH_ID) +VERSION = "1.4.7".format(PATCH_ID) # colors to output depending on the version VERSION_TYPE_COLORS = {"dev": 33, "stable": 92, "other": 30} diff --git a/lib/tamper_scripts/obfuscateentity_encode.py b/lib/tamper_scripts/obfuscateentity_encode.py new file mode 100644 index 0000000..25ec2be --- /dev/null +++ b/lib/tamper_scripts/obfuscateentity_encode.py @@ -0,0 +1,29 @@ +from lib.core.settings import ( + logger, + set_color +) + + +def tamper(payload, **kwargs): + warning = kwargs.get("warning", True) + + if warning: + logger.warning(set_color( + "obfuscating payloads by their entity encoding equivalent may increase the " + "risk of false positives", level=30 + )) + + skip = ";" + encoding_schema = { + " ": " ", "<": "<", ">": ">", + "&": "&", '"': """, "'": "'", + } + retval = "" + for char in str(payload): + if char in encoding_schema.iterkeys(): + retval += encoding_schema[char] + elif char not in encoding_schema.iterkeys() and char != skip: + retval += char + else: + retval += char + return retval