cktricky edited this page May 9, 2011 · 9 revisions

## Dradis Output ##

This is a logging feature of wXf. Modules can use this logging function to output a large number of request/response sequences. Let's cover some examples of using it in your module.

## Using the Dradis logger within your module ##

When creating a module, for example an auxiliary module, a function or method named 'run' exists inside the module. This is where the body of your code to be run is placed. Below we start with a very simple piece of code which sends a single request to a website and receives a response.

```ruby
def run
  response = send_request_cgi({
    'method'     => 'GET',
    'RURL'       => rurl,
    'UA'         => 'Mozilla'
  })
end
```

To log this request and the response, we need to add a few lines of code. First, let's turn debugging on (necessary to capture the request/response sequence). Notice the 'DEBUG' => 'log'.

```ruby
def run
  response = send_request_cgi({
    'method'     => 'GET',
    'RURL'       => rurl,
    'UA'         => 'Mozilla',
    'DEBUG'      => 'log'
  })
end
```

Immediately after 'def run', invoke the Dradis class. Include a name for your module and a filename to write to. The file will always be stored under the lib/wXf/wXflog/ directory.

```ruby
def run
  dradis = WXf::WXflog::DradisLog.new({
    'Name' => "fuzzing 192.168.1.117",
    'Filename' => 'dir_trav_fuzz.xml'
  })

  response = send_request_cgi({
    'method'     => 'GET',
    'RURL'       => rurl,
    'UA'         => 'Mozilla',
    'DEBUG'      => 'log'
  })
end
```

You can see what the filename will look like in the left pane of the image below. Each request/response is prepended with a numeric value (the order in which the request took place).

Once the response object has been created, we now have values to add on a PER REQUEST basis. This means, if you are sending multiple requests this must be done within the loop. The module, dir_trav_fuzz, is an example of this. Three (3) values will show up in the Dradis note. We've provided a brief description below:

 Request          (Logs the request, or any other unique string data you'd like to track)
 Response Headers (Logs the Response headers, if omitted will be blank)
 Response Body    (Logs the body of the response, if omitted will be blank)

The following is a sample of that code (note: req_seq is a method exposed ONLY in modules using the mechanize assist):

```ruby
def run
  dradis = WXf::WXflog::DradisLog.new({
    'Name' => "fuzzing 192.168.1.117",
    'Filename' => 'dir_trav_fuzz.xml'
  })

  response = send_request_cgi({
    'method'     => 'GET',
    'RURL'       => rurl,
    'UA'         => 'Mozilla',
    'DEBUG'      => 'log'
  })

  if (response) and (response.respond_to?('code')) and (response.code == '200') # Making sure we had a response "200 OK"
    dradis.add_ritems([response.header, req_seq, response.body]) # Here we add our 3 values
  end
  dradis.log # Necessary to complete the dradis logging
end
```

The above code is the entire run method. We instantiate the DradisLog class, make a request and, if the response is valid, log it. The items in dradis.add_ritems([response.header, req_seq, response.body]) must be passed in that order. The only permitted deviation is replacing req_seq with some other string. Anything else is bound to produce broken imports.

The last DradisLog-related line of code, dradis.log, should be placed just before the end of the method (right above the last end).

Again, you can retrieve the XML file from the lib/wXf/wXflog/ directory.
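
The per-request rule described above, shown with a loop, as an added example that is not part of the original wiki or wXf's own code. `StubDradisLog`, `Response`, `CANNED` and `run_loop` are hypothetical stand-ins so it runs without wXf; in a real module the response comes from `send_request_cgi` and the logger is `WXf::WXflog::DradisLog`.

```ruby
# Added example: stand-ins so the loop pattern runs without wXf installed.
# StubDradisLog mimics only the calls shown on this page; it is NOT wXf's
# WXf::WXflog::DradisLog and does not write Dradis XML.
class StubDradisLog
  attr_reader :notes

  def initialize(opts)
    @name, @filename = opts['Name'], opts['Filename']
    @pending, @notes = [], []
  end

  # Same argument order as the page: [headers, request string, body].
  def add_ritems(items)
    raise ArgumentError, 'expected 3 items' unless items.length == 3
    @pending << items
  end

  # Called once, after the loop; numbers each note in request order.
  def log
    @pending.each_with_index do |(headers, request, body), i|
      @notes << { 'seq' => i + 1, 'request' => request,
                  'headers' => headers, 'body' => body }
    end
    @pending.clear
    @notes.length
  end
end

Response = Struct.new(:code, :header, :body)

# Constructed responses standing in for send_request_cgi (hypothetical data).
CANNED = {
  '/index.html' => Response.new('200', { 'content-type' => 'text/html' }, '<h1>home</h1>'),
  '/missing'    => Response.new('404', {}, 'not found'),
  '/robots.txt' => Response.new('200', { 'content-type' => 'text/plain' }, 'User-agent: *')
}.freeze

def run_loop(paths)
  dradis = StubDradisLog.new('Name' => 'example run', 'Filename' => 'example.xml')
  paths.each do |path|
    response = CANNED[path]   # send_request_cgi({...}) in a real module
    req_seq  = "GET #{path}"  # assumed string form of req_seq
    if response && response.respond_to?(:code) && response.code == '200'
      dradis.add_ritems([response.header, req_seq, response.body]) # inside the loop
    end
  end
  dradis.log                  # once, after the last request
  dradis.notes
end
```

Only the two 200 responses are recorded, numbered in the order the requests were made.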
