-
Notifications
You must be signed in to change notification settings - Fork 0
Dradis Logger
##Dradis Output##
This is a logging feature of wXf. Modules can leverage this logging function in order to output a large number of request/response sequences. Lets cover some examples of using this in your module...
When creating a module, for example an auxiliary module, a function or method named 'run' exists inside the module. This is where the body of your code to be run is placed. Below we start with a very simple piece of code which sends a single request to a website and receives a response.
def run
response = send_request_cgi({
'method' => 'GET',
'RURL' => rurl,
'UA' => 'Mozilla'
})
end
In order to log this request and the response, we need to add a few lines of code. First, lets turn debugging on (necessary to capture the request/response sequence). Notice the 'DEBUG' => 'log'.
def run
response = send_request_cgi({
'method' => 'GET',
'RURL' => rurl,
'UA' => 'Mozilla',
'DEBUG' => 'log'
})
end
Immediately after 'def run', invoke the Dradis class. Include a name for your module and a filename to write to. The file will always be stored under the lib/wXf/wXflog/ directory.
def run
dradis = WXf::WXflog::DradisLog.new({
'Name' => "fuzzing 192.168.1.117",
'Filename' => 'dir_trav_fuzz.xml'
})
response = send_request_cgi({
'method' => 'GET',
'RURL' => rurl,
'UA' => 'Mozilla',
'DEBUG' => 'log'
})
end
You can see what the filename will look like in the left pane of the image below. Each request/response is prepended with a numeric value (the order in which the request took place).
Once the response object has been created, we now have values to add on a PER REQUEST basis. This means, if you are sending multiple requests this must be done within the loop. The module, dir_trav_fuzz, is an example of this. Three (3) values will show up in the Dradis note. We've provided a brief description below:
Request (Logs the request, or any other unique string data you'd like to track)
Response Headers (Logs the Response headers, if omitted will be blank)
Response Body (Logs the body of the response, if omitted will be blank)
The following is a sample of that code (note: req_seq is a method exposed ONLY in modules using the mechanize assist):
def run
dradis = WXf::WXflog::DradisLog.new({
'Name' => "fuzzing 192.168.1.117",
'Filename' => 'dir_trav_fuzz.xml'
})
response = send_request_cgi({
'method' => 'GET',
'RURL' => rurl,
'UA' => 'Mozilla',
'DEBUG' => 'log'
})
end
if (response) and (response.respond_to?('code')) and (response.code == '200') # Making sure we had a response "200 OK"
dradis.add_ritems([response.header, req_seq , response.body]) # Here we add our 3 values
end
dradis.log #Necessary to complete the dradis logging
end
The above code is the entire run method. We initiate the DradisLog class, we make a request and if the response is valid we log it. The line dradis.add_ritems([response.header, req_seq , response.body]) must be performed in that order. The only deviation from this is if you'd like to replace req_seq with some other string. Other than that, broken imports are bound to happen.
The last DradisLogger related line of code should be placed just before the end of the method (or right above the last end). The line we are referring to is dradis.log.
Again, you can retrieve the xml file from the lib/wXf/wXflog/ directory.