TeamMentor python - Parameterless methods tested for 2 roles and sample output uploaded (by arvinddoraiswamy)
import suds
import re
import sys
import os
import traceback
# WSDL endpoint of the TeamMentor web service under test (host elided on the
# page). NOTE(review): the scheme is plain http, so the logins made by this
# script and the service description it parses travel unencrypted; prefer an
# https endpoint where the server offers one.
url = 'http://....:8000//aspx_pages/TM_WebServices.asmx?WSDL'

# Module-level username -> password table, filled by get_users_passwords().
users = dict()
def main():
    """Run the whole check: log in, load accounts, map methods, analyse."""
    session = connect_and_login(url)
    accounts = get_users_passwords()
    # Method signatures are read from the client's printable description and
    # then tagged with the roles listed in the local mapping file.
    tagged_methods = map_adversaries_to_methods(
        get_methods_parameters_datatypes(session)
    )
    analysis(session, accounts, tagged_methods)
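def connect_and_login(url):
    """Create a SOAP client for *url* and log in with the admin account.

    After Login() the cookie jar's string form is searched for an ASP.NET
    session cookie. When one is found, the CSRF token reported by
    Current_User() is attached as a header on the client.

    Returns the client in either case; a failed login is not reported.
    """
    client = suds.client.Client(url)
    # NOTE(review): the admin credential is a literal in the source (redacted
    # on the page). Read it from the environment or a prompt instead, so the
    # script can be shared or committed without it.
    client.service.Login('admin','............................')
    jar_text = str(client.options.transport.cookiejar)
    if re.search(r'ASP.NET_SessionId=.*Cookie Session=', jar_text):
        user_properties = client.service.Current_User()
        client.set_options(headers={'CSRF_Token': user_properties['CSRF_Token']})
    # NOTE(review): the page lost its indentation. The return is read here as
    # function-level, which made the client.service.Logout() call that
    # followed it unreachable, so that call is dropped.
    return client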
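def get_users_passwords():
    """Load the tab-separated ``users`` file into the module-level ``users`` dict.

    Each usable line is ``<username> TAB <password>``; trailing whitespace
    (including the line ending) is stripped from the password. Lines without
    a tab, such as a blank line at the end of the file, are skipped instead
    of raising IndexError.

    Returns the same module-level dict that was updated.
    """
    # NOTE(review): this file holds the test accounts' passwords in clear
    # text; keep it out of version control and readable only by the tester.
    # Plain 'r' instead of 'rU': the 'U' flag is rejected by Python 3.11+, and
    # the strip below already removes a stray '\r'.
    # The with-block closes the file even if a line fails to parse.
    with open('users', 'r') as handle:
        for line in handle:
            fields = line.split('\t')
            if len(fields) < 2:
                continue
            users[fields[0]] = re.sub(r'\s+$', r'', fields[1])
    return users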
def get_methods_parameters_datatypes(client):
    """Collect method signatures from the client's printable description.

    The text between the ``Methods (N)`` and ``Types (N)`` headings of
    ``str(client)`` is split into lines; every line that, once its leading
    whitespace is removed, starts with a word character becomes a key.

    Returns a dict mapping each signature line to an empty string. Raises
    IndexError when the two headings are not found.
    """
    description = str(client)
    section = re.findall(
        r'.*Methods\ \(\d+\)(.*)Types\ \(\d+\)', description, re.DOTALL
    )[0]
    stripped = (re.sub(r'^\s*', r'', raw) for raw in section.split('\n'))
    return dict((signature, '') for signature in stripped
                if re.search(r'^\w', signature))
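def map_adversaries_to_methods(methods):
    """Attach the role list from ``method_attacker_mapping`` to each method.

    The mapping file is tab-separated: a method name without its parameter
    list, then the value to store for it. A key of *methods* matches when the
    text before its first ``(`` equals the name in the file.

    *methods* is updated in place and returned. Keys with no entry in the
    file keep their current value. Lines without a tab are skipped instead of
    raising IndexError.
    """
    manual_action_adversary_map = {}
    # The original never closed this handle; the with-block does. Plain 'r'
    # replaces 'rU' because Python 3.11+ rejects the 'U' flag, so the line
    # ending is stripped explicitly, including a stray '\r'.
    with open('method_attacker_mapping', 'r') as handle:
        for line in handle:
            fields = line.split('\t')
            if len(fields) < 2:
                continue
            manual_action_adversary_map[fields[0]] = fields[1].rstrip('\r\n')
    # Only values of existing keys change, so iterating the dict is safe.
    for signature in methods:
        bare_name = signature.split('(')[0]
        if bare_name in manual_action_adversary_map:
            methods[signature] = manual_action_adversary_map[bare_name]
    return methods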
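def analysis(client,users,methods):
    """Log in as each test user and exercise the methods mapped to that user.

    Args:
        client: SOAP client whose ``service`` exposes Login/Current_User.
        users: dict of username -> password.
        methods: dict of method signature -> comma-separated user list.

    Any existing ``report.csv`` is deleted first. Results are written by
    analysis_methods_no_params() and analysis_methods_params().
    """
    # Duplicate 'GetGuidanceTypes()' entries removed; membership is unchanged.
    ignored_methods = ['GetAllGuidanceItems()','GitHub_Push_Origin()','Logout()','GetAllUserLogs()','GetDeletedLibraries()','GitHub_Push_Commit()','DeleteDeletedGuidanceTypes()','DeleteDeletedLibraries()','GitHub_Pull_Origin()','GetGuidanceTypes()','GetUploadToken()']
    # Start from an empty report. On a first run there is no file yet, and an
    # unconditional os.remove() would raise OSError.
    if os.path.exists('report.csv'):
        os.remove('report.csv')
    for key in users:
        print("User -- " + key)
        # NOTE(review): every request, including this account's Login call,
        # goes through the HTTP proxy on 127.0.0.1:8080; whatever listens
        # there sees the passwords.
        client.set_options(proxy=dict(http='127.0.0.1:8080'))
        client.service.Login(key,users[key])
        jar_text = str(client.options.transport.cookiejar)
        if not re.search(r'ASP.NET_SessionId=.*Cookie Session=', jar_text):
            # NOTE(review): the page lost its indentation, so whether the
            # calls below were guarded by the session check is not certain.
            # They are guarded here: without a session, results would be
            # recorded under this user although the calls did not run as this
            # user (presumably still carrying the previous CSRF header).
            print("Login failed -- " + key)
            continue
        user_properties = client.service.Current_User()
        client.set_options(headers={'CSRF_Token': user_properties['CSRF_Token']})
        analysis_methods_no_params(key,client,methods,ignored_methods)
        analysis_methods_params(key,client,methods,ignored_methods)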
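def analysis_methods_no_params(key,client,methods,ignored_methods):
    """Call each parameterless method mapped to user *key* and log the result.

    A method is called when it is not in *ignored_methods*, its signature
    contains ``()``, and *key* appears in its comma-separated user list.
    One ``user^method^outcome`` line is appended to ``report.csv`` per call:
    ``OK`` on success, otherwise the first line of the exception text.
    Logout() is called on the client once all methods have been tried.
    """
    # The with-block closes (and so flushes) the report; the original left
    # the handle open.
    with open('report.csv', 'a') as report:
        for method in methods:
            if method in ignored_methods:
                continue
            try:
                allowed_users = methods[method].split(',')
                if re.search(r'\(\)', method) and key in allowed_users:
                    # The original passed 'client.service.' + method to
                    # eval(). The signature text is parsed from the service
                    # description the server returns, so a tampered
                    # description could make the tester's machine evaluate
                    # arbitrary Python. getattr() on a checked identifier
                    # makes the same call without evaluating text.
                    name = method[:-2] if method.endswith('()') else ''
                    if not re.match(r'[A-Za-z_]\w*\Z', name):
                        raise ValueError('not a plain parameterless method name')
                    getattr(client.service, name)()
                    report.write(key + '^' + method + '^' + 'OK\n')
            except Exception as exc:
                # A failure (for example an authorization fault) is a result
                # to record, not a reason to stop the run.
                first_line = str(exc).split('\n')[0]
                report.write(key + '^' + method + '^' + first_line + '\n')
    client.service.Logout()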
def analysis_methods_params(key,client,methods,ignored_methods):
    """Placeholder for methods that take parameters; only prints a banner.

    None of the four arguments is used yet.
    """
    banner = 'Inside function which analyzes methods which contain parameters\n'
    print(banner)
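# Run only when executed as a script: importing this module must not log in
# to the target service and start invoking its methods.
if __name__ == '__main__':
    main()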