├── .gitignore
├── Makefile
├── README.md
├── deephack.py
├── docs
    └── man
    │   └── man1
    │       └── python_truss.1.ronn
├── dqnagent.py
├── models
    ├── postgresv-v1.model
    └── sqlite-v1.model
├── scripts
    ├── build.sh
    ├── postgres.sh
    ├── qt.py
    └── vulnserver.sh
├── setup.py
├── state.py
├── tests
    ├── __init__.py
    ├── test_cli.py
    └── test_lib.py
├── tox.ini
└── vulnserver
    ├── __init__.py
    ├── cli
        ├── __init__.py
        └── vulnserver.py
    └── lib
        ├── __init__.py
        ├── keywords
        ├── models.py
        └── vroutes.py


/.gitignore:
--------------------------------------------------------------------------------
 1 | #Model file
 2 | saved.model
 3 | training.json
 4 | TensorBoard/
 5 | 
 6 | # Byte-compiled / optimized / DLL files
 7 | __pycache__/
 8 | *.py[cod]
 9 | *$py.class
10 | 
11 | # C extensions
12 | *.so
13 | 
14 | # Distribution / packaging
15 | .Python
16 | env/
17 | build/
18 | develop-eggs/
19 | dist/
20 | downloads/
21 | eggs/
22 | .eggs/
23 | lib64/
24 | parts/
25 | sdist/
26 | var/
27 | wheels/
28 | *.egg-info/
29 | .installed.cfg
30 | *.egg
31 | 
32 | # PyInstaller
33 | #  Usually these files are written by a python script from a template
34 | #  before PyInstaller builds the exe, so as to inject date/other infos into it.
35 | *.manifest
36 | *.spec
37 | 
38 | # Installer logs
39 | pip-log.txt
40 | pip-delete-this-directory.txt
41 | 
42 | # Unit test / coverage reports
43 | htmlcov/
44 | .tox/
45 | .coverage
46 | .coverage.*
47 | .cache
48 | nosetests.xml
49 | coverage.xml
50 | *,cover
51 | .hypothesis/
52 | 
53 | # Translations
54 | *.mo
55 | *.pot
56 | 
57 | # Django stuff:
58 | *.log
59 | local_settings.py
60 | 
61 | # Flask stuff:
62 | instance/
63 | .webassets-cache
64 | 
65 | # Scrapy stuff:
66 | .scrapy
67 | 
68 | # Sphinx documentation
69 | docs/_build/
70 | 
71 | # PyBuilder
72 | target/
73 | 
74 | # Jupyter Notebook
75 | .ipynb_checkpoints
76 | 
77 | # pyenv
78 | .python-version
79 | 
80 | # celery beat schedule file
81 | celerybeat-schedule
82 | 
83 | # SageMath parsed files
84 | *.sage.py
85 | 
86 | # dotenv
87 | .env
88 | 
89 | # virtualenv
90 | .venv
91 | venv/
92 | ENV/
93 | 
94 | # Spyder project settings
95 | .spyderproject
96 | 
97 | # Rope project settings
98 | .ropeproject
99 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/make
 2 | # WARN: gmake syntax
 3 | ########################################################
 4 | #
 5 | # useful targets:
 6 | #   make test   - run the unit tests
 7 | #   make flake8 - linting and pep8
 8 | #   make docs 	- create manpages and html documentation
 9 | #   make loc 	- stats about loc
10 | 
11 | ########################################################
12 | # variable section
13 | 
14 | NAME = vulnserver
15 | OS = $(shell uname -s)
16 | PYTHON = $(shell which python3)
17 | VIRTUALENV_PATH = $(shell echo $$HOME/.virtualenvs)
18 | INSTALL_PATH = /usr/local/lib
19 | EXEC_PATH = /usr/local/bin
20 | 
21 | MANPAGES=$(wildcard docs/man/**/*.*.ronn)
22 | MANPAGES_GEN=$(patsubst %.ronn,%,$(MANPAGES))
23 | MANPAGES_HTML=$(patsubst %.ronn,%.html,$(MANPAGES))
24 | ifneq ($(shell which ronn 2>/dev/null),)
25 | RONN2MAN = ronn
26 | else
27 | RONN2MAN = @echo "ERROR: 'ronn' command is not installed but is required to build $(MANPAGES)" && exit 1
28 | endif
29 | 
30 | UNITTESTS=unittest
31 | COVERAGE=coverage
32 | 
33 | ########################################################
34 | 
35 | 
36 | docs: $(MANPAGES)
37 | 	$(RONN2MAN) $^
38 | 
39 | .PHONY: clean
40 | clean:
41 | 	rm -f $(MANPAGES_GEN) $(MANPAGES_HTML)
42 | 	rm -rf ./build
43 | 	rm -rf ./dist
44 | 	rm -rf ./*.egg-info
45 | 	rm -rf ./*.deb
46 | 	rm -rf .tox
47 | 	rm -rf .coverage
48 | 	rm -rf .sloccount
49 | 	rm -rf .cache
50 | 	find . -name '*.pyc.*' -delete
51 | 	find . -name '*.pyc' -delete
52 | 	find . -name '__pycache__' -delete
53 | 
54 | loc:
55 | 	mkdir -p .sloccount
56 | 	sloccount --datadir .sloccount $(NAME)/lib $(NAME)/cli | grep -v SLOCCount | grep -v license | grep -v "see the documentation"
57 | 
58 | flake8:
59 | 	@echo "#############################################"
60 | 	@echo "# Running flake8 Compliance Tests"
61 | 	@echo "#############################################"
62 | 	-flake8 --ignore=E501,E221,W291,W391,E302,E251,E203,W293,E231,E303,E201,E225,E261,E241 $(NAME)/lib $(NAME)/cli
63 | 
64 | test:
65 | 	py.test --cov-report term --cov=$(NAME) ./tests/*
66 | 
67 | virtualenv:
68 | 	mkdir -p $(VIRTUALENV_PATH)
69 | 	rm -rf $(VIRTUALENV_PATH)/$(NAME)
70 | 	virtualenv -p $(PYTHON) $(VIRTUALENV_PATH)/$(NAME)
71 | 
72 | virtualenv-install: virtualenv
73 | 	$(VIRTUALENV_PATH)/$(NAME)/bin/python setup.py install
74 | 
75 | virtualenv-develop: virtualenv
76 | 	# hack no idea why this isn't working
77 | 	$(VIRTUALENV_PATH)/$(NAME)/bin/pip install numpy scipy
78 | 	$(VIRTUALENV_PATH)/$(NAME)/bin/python3 setup.py develop
79 | 
80 | virtualenv-sdist: virtualenv
81 | 	$(VIRTUALENV_PATH)/$(NAME)/bin/python setup.py sdist
82 | 
83 | install:
84 | 	cp -r $(VIRTUALENV_PATH)/$(NAME) $(INSTALL_PATH)/$(NAME)
85 | 	ln -f -s $(INSTALL_PATH)/$(NAME)/bin/$(NAME) $(EXEC_PATH)/$(NAME)
86 | 
87 | container:
88 | 	bash ./scripts/build.sh -d
89 | 	bash ./scripts/build.sh -b
90 | 
91 | all: docs flake8 test loc
92 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | docs/man/man1/python_truss.1.ronn


--------------------------------------------------------------------------------
/deephack.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | import dqnagent
  3 | import state
  4 | import numpy as np
  5 | import requests
  6 | import argparse
  7 | import json
  8 | import sys
  9 | from collections import deque
 10 | 
 11 | parser = argparse.ArgumentParser()
 12 | parser.add_argument("--supervise", help="Perform supervised learning with argument as file")
 13 | parser.add_argument("--batchsize", help="Training batch size", default=32)
 14 | parser.add_argument("--epochs", help="num epochs", default=10)
 15 | parser.add_argument("--tensorboard", help="enable tensorboard", action='store_true')
 16 | parser.add_argument("model")
 17 | args = parser.parse_args()
 18 | 
 19 | filename = args.model
 20 | 
 21 | #TODO: Hyperparameter.
 22 | #This is the maxmimum length of our query string
 23 | input_len = 30
 24 | context_len = 5
 25 | max_qstringlen = 140
 26 | 
 27 | agent = dqnagent.Agent(input_len=input_len, context_len=context_len)
 28 | agent.load(filename)
 29 | 
 30 | if args.supervise != None:
 31 |     types = args.supervise.split(',')
 32 |     for rounds in range(500):
 33 |         contents = []
 34 |         [contents.extend(v(int(args.trainscale))) for k,v in supervising_types.items() if k in types]
 35 |         if not contents:
 36 |             print("cannot supervise on types: {0}\nvalid types are {1}".format(
 37 |                 types, supervising_types.keys()))
 38 |             sys.exit(1)
 39 |         print("-" * 20)
 40 |         print("\tRound " + str(rounds))
 41 |         agent.train_batch(contents, int(args.batchsize), int(args.epochs), args.tensorboard)
 42 |         agent.save(filename)
 43 | 
 44 |     print("Finished supervising.")
 45 |     agent.save(filename)
 46 | else:
 47 |     table = state.State()
 48 |     failed_attempts = {}
 49 |     queries = set()
 50 |     while True:
 51 |         #Iterate through the state table and try to add on to each item in there (plus the empty string)
 52 |         for context in table:
 53 |             value = table.value()
 54 | 
 55 |             qstring = ""
 56 |             input_state = ""
 57 |             experience = dqnagent.Experience()
 58 |             #Predict a character until it produces an end-of-string character (|) or it reaches the max length
 59 |             while not qstring.endswith("|") and len(qstring) < max_qstringlen:
 60 |                 #Shrink our query down to length input_len
 61 |                 input_state = qstring[-input_len:]
 62 |                 attempts = []
 63 |                 if (input_state, context) in failed_attempts:
 64 |                     attempts = failed_attempts[input_state, context]
 65 |                 action = agent.act(input_state, context, attempts)
 66 |                 experience.add(input_state, context, attempts, action)
 67 |                 qstring += action
 68 | 
 69 |             #Remove the trailing bar, it's not actually supposed to be sent
 70 |             chopped = qstring
 71 |             if qstring.endswith("|"):
 72 |                 chopped = qstring[:-1]
 73 | 
 74 |             # Is this a repeat or blank?
 75 |             repeat = qstring in queries or (chopped.split("%")[0][-1:] == "'")
 76 |             queries.add(qstring)
 77 | 
 78 |             success = False
 79 |             if not repeat:
 80 |                 #Perform the action
 81 |                 param = {"user_id": chopped}
 82 |                 req = requests.get("http://127.0.0.1:5000/v0/sqli/select", params=param)
 83 |                 success = req.status_code == 200 and (len(req.text) >2)
 84 | 
 85 |             #If the query was successful, update the state table
 86 |             if success:
 87 |                 print("Got a hit!", qstring)
 88 |                 lastchar = chopped.split("%")[0][-1:]
 89 |                 table.update(context+lastchar)
 90 |                 #Find out what reward we received
 91 |                 value_new = table.value()
 92 |                 reward = value_new - value
 93 | 
 94 |             #Learn from how that action performed
 95 |             # attempts = []
 96 |             # if (input_state, context) in failed_attempts:
 97 |             #     attempts = failed_attempts[input_state, context]
 98 |             # agent.train_single(qstring[-1], context, input_state, attempts, reward)
 99 |             #agent.train_experience(experience, success)
100 | 
101 |             else:
102 |                 # Add the character we just tried to the list of failures
103 |                 #   So that we can use it as input in later attempts
104 |                 lastchar = chopped.split("%")[0][-1:]
105 |                 guess_state = chopped.split("%")[0][:-1][-input_len:]
106 |                 print("Incorrect: ", qstring)
107 |                 if (guess_state, context) in failed_attempts:
108 |                     failures = failed_attempts[guess_state, context]
109 |                     if lastchar not in failures:
110 |                         failures.extend(lastchar)
111 |                         failed_attempts[guess_state, context] = failures
112 |                 # Add this character to the list of failures
113 |                 #   Unless this was just a repeat. In which case ignore it
114 |                 elif not repeat:
115 |                     failed_attempts[guess_state, context] = [lastchar]
116 | 


--------------------------------------------------------------------------------
/docs/man/man1/python_truss.1.ronn:
--------------------------------------------------------------------------------
 1 | DeepHack
 2 | ====
 3 | 
 4 | ## SYNOPSIS
 5 | 
 6 | `make virtualenv-develop`
 7 | 
 8 | `~/.virtualenvs/vulnserver/bin/vulnserver`
 9 | 
10 | `curl 127.0.0.1:5000/v0/sqli/select?user_id=1`
11 | 
12 | ## Dependencies
13 | 
14 | sudo apt install virtualenv libpq-dev
15 | sudo pip3 install keras tensorflow
16 | 
17 | ## DESCRIPTION
18 | 
19 | DeepHack
20 | 
21 | ## COMMAND LINE OPTIONS
22 | 
23 | * `--example` <action>:
24 |     This is an example action, replace it with a real argument!
25 | 
26 | ## EXAMPLES
27 | 
28 |     Setup a python virtualenv to do development work
29 | 
30 |         $ make virtualenv-develop
31 | 
32 |     Create an LXC and install the module into it for development
33 | 
34 |         $ make lxc-develop
35 | 
36 |     Create an LXC and install the project into it for production
37 | 
38 |         $ make lxc
39 | 


--------------------------------------------------------------------------------
/dqnagent.py:
--------------------------------------------------------------------------------
  1 | import numpy as np
  2 | import random
  3 | import os
  4 | import json
  5 | import string
  6 | from collections import deque
  7 | 
  8 | import keras
  9 | from keras.models import Sequential, Model
 10 | from keras.layers import LSTM, Dense, Activation, Flatten, Concatenate, Input
 11 | from keras.optimizers import Adam
 12 | from keras.callbacks import TensorBoard
 13 | 
 14 | """An 'experience' consists of a grouping of the previous states and actions we took"""
 15 | class Experience():
 16 |     def __init__(self):
 17 |         self.list = []
 18 | 
 19 |     def add(self, qstring, context, attempts, action):
 20 |         self.list.append({"qstring":qstring, "context":context, "attempts":attempts, "action":action})
 21 | 
 22 | """This defines the shape of the model we're building in a mostly declarative way"""
 23 | class Agent():
 24 |     #input_len: Length of the input
 25 |     def __init__(self, input_len, context_len):
 26 | 
 27 |         chars = list(string.ascii_lowercase + string.digits + "=.;_ '()|%")
 28 |         print("Valid character set: ", chars)
 29 | 
 30 |         self.char_depth = len(chars)
 31 | 
 32 |         self.char_indices = dict((c, i) for i, c in enumerate(chars))
 33 |         self.indices_char = dict((i, c) for i, c in enumerate(chars))
 34 | 
 35 |         # Build the model
 36 |         context_input = Input(shape=(context_len, self.char_depth), name='context_input')
 37 |         context_layer_1 = LSTM(32, name='context_layer_1')(context_input)
 38 |         context_layer_3 = Dense(128, name='context_layer_3')(context_layer_1)
 39 | 
 40 |         qstring_input = Input(shape=(input_len, self.char_depth), name='qstring_input')
 41 |         qstring_layer_1 = LSTM(128, name='qstring_layer_1')(qstring_input)
 42 |         qstring_layer_3 = Dense(128, name='qstring_layer_3')(qstring_layer_1)
 43 | 
 44 |         attempts_input = Input(shape=(self.char_depth,), name='attempts_input')
 45 |         attempts_layer_1 = Dense(128, name='attempts_layer_1')(attempts_input)
 46 | 
 47 |         x = keras.layers.concatenate([context_layer_3, qstring_layer_3])
 48 |         x = Dense(64, name='hidden_layer_1')(x)
 49 |         x = keras.layers.concatenate([x, attempts_layer_1])
 50 | 
 51 |         # We stack a deep densely-connected network on top
 52 |         main_output = Dense(self.char_depth, activation='softmax', name="output_layer")(x)
 53 |         self.model = Model(inputs=[context_input, qstring_input, attempts_input], outputs=[main_output])
 54 |         print(self.model.summary())
 55 | 
 56 |         #"Compile" the model
 57 |         #XXX: Hyperparameters here. May need tinkering.
 58 |         self.supervised_reward = 1
 59 |         self.content = None
 60 |         self.model.compile(loss='categorical_crossentropy', optimizer='adam', metrics=['accuracy'])
 61 |         self.temperature = .2
 62 |         # We want a pretty steep dropoff here
 63 |         self.epsilon = .65
 64 |         self.input_len = input_len
 65 |         self.context_len = context_len
 66 | 
 67 |     #Given the current state, choose an action an return it
 68 |     #Stochastic! (ie: we choose an action at random, using each state as a probability)
 69 |     def act(self, qstring, context, attempts):
 70 |         qstring = self.onehot(qstring, self.input_len)
 71 |         context = self.onehot(context, self.context_len)
 72 |         attempts = self.encodeattempts(attempts)
 73 |         #[context_layer, qstring_layer, attempts_layer]
 74 |         predictions = self.model.predict_on_batch([context, qstring, attempts])
 75 |         action = self.sample(predictions[0], self.temperature)
 76 |         #print(predictions, action, self.indices_char[action])
 77 |         return self.indices_char[action]
 78 | 
 79 |     #Given a stochastic prediction, generate a concrete sample from it
 80 |     #temperature: How much we should "smear" the probability distribution. 0 means not at all, high numbers is more.
 81 |     def sample(self, preds, temperature=1.0):
 82 |         # helper function to sample an index from a probability array
 83 |         with np.errstate(divide='ignore'):
 84 |             preds = np.asarray(preds).astype('float64')
 85 |             preds = np.log(preds) / temperature
 86 |             exp_preds = np.exp(preds)
 87 |             preds = exp_preds / np.sum(exp_preds)
 88 |             probas = np.random.multinomial(1, preds, 1)
 89 |             return np.argmax(probas)
 90 | 
 91 |     #Update the model for a single given experience
 92 |     def train_single(self, action, context, prev_state, attempts, reward):
 93 |         #make a one-hot array of our output choices, with the "hot" option
 94 |         #   equal to our discounted reward
 95 |         action = self.char_indices[action]
 96 |         prev_state = self.onehot(prev_state, self.input_len)
 97 |         reward_array = np.zeros((1, self.char_depth))
 98 |         reward_array[0, action] = reward
 99 |         attempts = self.encodeattempts(attempts)
100 |         context = self.onehot(context, self.context_len)
101 |         #[context_layer, qstring_layer, attempts_layer]
102 |         self.model.train_on_batch([context, prev_state, attempts], reward_array)
103 | 
104 |     # Batch the training
105 |     def train_batch(self, contents, batch_size, epochs, tensorboard=False):
106 |         self.content = contents
107 | 
108 |         qstrings = np.zeros((len(self.content), self.input_len, self.char_depth))
109 |         contexts = np.zeros((len(self.content), self.context_len, self.char_depth))
110 |         attempts = np.zeros((len(self.content), self.char_depth))
111 |         rewards = np.zeros((len(self.content), self.char_depth))
112 | 
113 |         for i in range(len(self.content)):
114 |             entry = random.choice(self.content)
115 | 
116 |             qstrings[i] = self.onehot(entry["qstring"], self.input_len)
117 |             contexts[i] = self.onehot(entry["context"], self.context_len)
118 |             attempts[i] = self.encodeattempts(entry["attempts"])
119 |             reward = self.supervised_reward
120 |             if not entry["success"]:
121 |                 reward *= -0.1
122 |             action = self.char_indices[entry["action"]]
123 |             reward_array = np.zeros(self.char_depth)
124 |             reward_array[action] = reward
125 |             rewards[i] = reward_array
126 |         callbacks = []
127 |         if tensorboard:
128 |             callbacks.append(TensorBoard(log_dir='./TensorBoard', histogram_freq=1, write_graph=True))
129 |         self.model.fit([contexts, qstrings, attempts], rewards, callbacks=callbacks,
130 |                         epochs=epochs, batch_size=batch_size, verbose=1, validation_split=0.2)
131 | 
132 |     # Given a full experience, go back and reward it appropriately
133 |     def train_experience(self, experience, success):
134 |         experience.list.reverse()
135 |         reward = self.supervised_reward
136 |         if not success:
137 |             reward *= -0.1
138 |         i = 0
139 |         for item in experience.list:
140 |             i += 1
141 |             if i > 4:
142 |                 if item["action"] == "'":
143 |                     return
144 |                 reward *= self.epsilon
145 |                 self.train_single(item["action"], item["context"], item["qstring"], item["attempts"], reward)
146 | 
147 |     #Encode a given string into a 2d array of one-hot encoded numpy arrays
148 |     def onehot(self, string, length):
149 |         assert len(string) <= length
150 |         #First, pad the string out to be 'input_len' long
151 |         string = string.ljust(length, "|")
152 | 
153 |         output = np.zeros((1, length, self.char_depth), dtype=np.bool)
154 |         for index, item in enumerate(string):
155 |             output[0, index, self.char_indices[item]] = 1
156 |         return output
157 | 
158 |     def encodeattempts(self, attempts):
159 |         output = np.zeros((1, self.char_depth))
160 |         for i, item in enumerate(attempts):
161 |             output[0, i] = 1
162 |         return output
163 | 
164 |     def save(self, path):
165 |         self.model.save_weights(path)
166 |         print("Saved model to disk")
167 | 
168 |     def load(self, path):
169 |         if os.path.isfile(path):
170 |             self.model.load_weights(path)
171 |             print("Loaded model from disk")
172 |         else:
173 |             print("No model on disk, starting fresh")
174 | 


--------------------------------------------------------------------------------
/models/postgresv-v1.model:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BishopFox/deephack/3a0b837130cbfa000c4f3a33798affd93dc31d17/models/postgresv-v1.model


--------------------------------------------------------------------------------
/models/sqlite-v1.model:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BishopFox/deephack/3a0b837130cbfa000c4f3a33798affd93dc31d17/models/sqlite-v1.model


--------------------------------------------------------------------------------
/scripts/build.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | 
  3 | PROGRAM_NAME="python_truss"
  4 | DEV_DEPS="python-virtualenv python3 python3-dev postgresql-server-dev-all"
  5 | SYSTEM_DEPS="postgresql python-psychopg2 postgresql-server-dev-all"
  6 | ALL_DEPS=$(echo $DEV_DEPS $SYSTEM_DEPS | tr ' ' ',' | tr '\n' ',')
  7 | 
  8 | # get current directory
  9 | SCRIPTS_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 10 | # strip current dir to get to the root of the project directory
 11 | SRC_DIR=${SCRIPTS_DIR%$(basename $SCRIPTS_DIR)}
 12 | 
 13 | CONTAINER_NAME='deephack.lxc'
 14 | 
 15 | lxc_config="/var/lib/lxc/$CONTAINER_NAME/config"
 16 | lxc_rootfs="/var/lib/lxc/$CONTAINER_NAME/rootfs/"
 17 | 
 18 | Lxc_create() {
 19 |     name=$1
 20 |     if [[ -z $name ]]; then
 21 |     cat <<EOF
 22 | Lxc_create container_name
 23 | default is to use ubuntu template
 24 | EOF
 25 |     else
 26 |         container_template=ubuntu
 27 |         auth_keys=".ssh/authorized_keys"
 28 |         sudo -E lxc-create -t $container_template -n $name -- -u $USER -S $HOME/$auth_keys --packages ${ALL_DEPS%?}
 29 |         sudo -E lxc-start -d -n $name
 30 |     fi
 31 | }
 32 | 
 33 | install_deps() {
 34 |     if [[ "$OSTYPE" == "linux-gnu" ]]; then
 35 |         if [[ $(cat /etc/os-release  | grep ID_LIKE | tr '=' ' ' | awk '{ print $2 }') == "debian" ]]; then
 36 |             if [[ ! -f '/var/lib/apt/periodic/update-success-stamp' || \
 37 |                 "$[$(date +%s) - $(stat -c %Z /var/lib/apt/periodic/update-success-stamp)]" -ge 600000 ]]; then
 38 | 
 39 |                 sudo apt-get update
 40 |             fi
 41 |             sudo apt-get install -y lxc liblxc1 python3-lxc
 42 |         else
 43 |             echo 'install_deps not implemented on this distro'
 44 |             exit 1
 45 |         fi
 46 |     elif [[ "$OSTYPE" == "darwin"* ]]; then
 47 |         echo 'sorry lxc does not work on OSX, use a vagrant VM'
 48 |         exit 1
 49 |     fi
 50 | }
 51 | 
 52 | bootstrap() {
 53 |     Lxc_create $CONTAINER_NAME
 54 | 
 55 |     repo_mount="lxc.mount.entry = $SRC_DIR home/$USER/$PROGRAM_NAME none bind,create=dir 0 0"
 56 |     if ! sudo grep -q "$repo_mount" "$lxc_config"; then
 57 |         echo "$repo_mount" | sudo tee -a $lxc_config
 58 |     fi
 59 |     sudo lxc-stop -n "$CONTAINER_NAME"
 60 |     sudo lxc-start -d -n "$CONTAINER_NAME"
 61 |     #TODO
 62 |     # install postgres
 63 |     # create database users
 64 |     # ensure listening on 0.0.0.0
 65 |     # pg_hba.conf to allow access
 66 | }
 67 | 
 68 | usage() {
 69 |     msgs=(
 70 |         'build.sh option [arg]'
 71 |         '-b | --bootstrap - create minimal dev lxc container'
 72 |     )
 73 | 
 74 |     for msg in "${msgs[@]}"; do
 75 |         echo $msg
 76 |     done
 77 | 
 78 |     exit 1
 79 | }
 80 | 
 81 | main() {
 82 |     options=$@
 83 |     args=($options)
 84 |     i=0
 85 | 
 86 |     for arg in $options; do
 87 |         i=$(( $i + 1 ))
 88 | 
 89 |         case $arg in
 90 |             -b|--bootstrap|bootstrap)
 91 |                 bootstrap
 92 |                 break
 93 |                 ;;
 94 |             -d|--depends|depends)
 95 |                 install_deps
 96 |                 break
 97 |                 ;;
 98 |             *)
 99 |                 usage
100 |                 break
101 |                 ;;
102 |         esac
103 |     done
104 | }
105 | 
106 | main $@
107 | 


--------------------------------------------------------------------------------
/scripts/postgres.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env bash
 2 | set -euo pipefail
 3 | sudo apt update
 4 | sudo apt install postgresql postgresql-server-dev-all postgresql-client python-psycopg2
 5 | sudo service postgresql start
 6 | sudo -u postgres psql -c 'create database deephack'
 7 | sudo -u postgres psql -c "CREATE USER deephack WITH PASSWORD 'deephack';"
 8 | sudo -u postgres psql -c 'alter database deephack owner to deephack'
 9 | pg_hba="/etc/postgresql/9.5/main/pg_hba.conf"
10 | if ! sudo grep -Fxq "deephack" $pg_hba; then
11 |     cat <<EOF | sudo tee $pg_hba
12 | local   all             postgres                                peer
13 | # IPv4 local connections:
14 | host    all             all             127.0.0.1/32            md5
15 | # IPv6 local connections:
16 | host    all             all             ::1/128                 md5
17 | # very secure k?
18 | local deephack deephack trust
19 | EOF
20 |     sudo service postgresql reload
21 | fi
22 | 


--------------------------------------------------------------------------------
/scripts/qt.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | class AnsiColors:
 3 |     off = "\x1b[0m"             # text reset
 4 | 
 5 |     # regular colors
 6 |     black = "\x1b[0;30m"        # black
 7 |     red = "\x1b[0;31m"          # red
 8 |     green = "\x1b[0;32m"        # green
 9 |     yellow = "\x1b[0;33m"       # yellow
10 |     blue = "\x1b[0;34m"         # blue
11 |     purple = "\x1b[0;35m"       # purple
12 |     cyan = "\x1b[0;36m"         # cyan
13 |     white = "\x1b[0;37m"        # white
14 | 
15 |     # bold
16 |     bblack = "\x1b[1;30m"       # black
17 |     bred = "\x1b[1;31m"         # red
18 |     bgreen = "\x1b[1;32m"       # green
19 |     byellow = "\x1b[1;33m"      # yellow
20 |     bblue = "\x1b[1;34m"        # blue
21 |     bpurple = "\x1b[1;35m"      # purple
22 |     bcyan = "\x1b[1;36m"        # cyan
23 |     bwhite = "\x1b[1;37m"       # white
24 | 
25 |     # underline
26 |     ublack = "\x1b[4;30m"       # black
27 |     ured = "\x1b[4;31m"         # red
28 |     ugreen = "\x1b[4;32m"       # green
29 |     uyellow = "\x1b[4;33m"      # yellow
30 |     ublue = "\x1b[4;34m"        # blue
31 |     upurple = "\x1b[4;35m"      # purple
32 |     ucyan = "\x1b[4;36m"        # cyan
33 |     uwhite = "\x1b[4;37m"       # white
34 | 
35 |     # background
36 |     on_black = "\x1b[40m"       # black
37 |     on_red = "\x1b[41m"         # red
38 |     on_green = "\x1b[42m"       # green
39 |     on_yellow = "\x1b[43m"      # yellow
40 |     on_blue = "\x1b[44m"        # blue
41 |     on_purple = "\x1b[45m"      # purple
42 |     on_cyan = "\x1b[46m"        # cyan
43 |     on_white = "\x1b[47m"       # white
44 | 
45 |     # high intensty
46 |     iblack = "\x1b[0;90m"       # black
47 |     ired = "\x1b[0;91m"         # red
48 |     igreen = "\x1b[0;92m"       # green
49 |     iyellow = "\x1b[0;93m"      # yellow
50 |     iblue = "\x1b[0;94m"        # blue
51 |     ipurple = "\x1b[0;95m"      # purple
52 |     icyan = "\x1b[0;96m"        # cyan
53 |     iwhite = "\x1b[0;97m"       # white
54 | 
55 |     # bold high intensty
56 |     biblack = "\x1b[1;90m"      # black
57 |     bired = "\x1b[1;91m"        # red
58 |     bigreen = "\x1b[1;92m"      # green
59 |     biyellow = "\x1b[1;93m"     # yellow
60 |     biblue = "\x1b[1;94m"       # blue
61 |     bipurple = "\x1b[1;95m"     # purple
62 |     bicyan = "\x1b[1;96m"       # cyan
63 |     biwhite = "\x1b[1;97m"      # white
64 | 
65 |     # high intensty backgrounds
66 |     on_iblack = "\x1b[0;100m"   # black
67 |     on_ired = "\x1b[0;101m"     # red
68 |     on_igreen = "\x1b[0;102m"   # green
69 |     on_iyellow = "\x1b[0;103m"  # yellow
70 |     on_iblue = "\x1b[0;104m"    # blue
71 |     on_ipurple = "\x1b[10;95m"  # purple
72 |     on_icyan = "\x1b[0;106m"    # cyan
73 |     on_iwhite = "\x1b[0;107m" # white
74 | 
75 | def main():
76 |     return
77 | 
78 | def __name__ == '__main__':
79 |     main()
80 | 


--------------------------------------------------------------------------------
/scripts/vulnserver.sh:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | . ~/.virtualenvs/vulnserver/bin/activate
3 | uwsgi --reuse-port --http 127.0.0.1:5000 --wsgi-file vulnserver/lib/vroutes.py --callable app --processes 2 --logto /tmp/vulnserver.log
4 | 


--------------------------------------------------------------------------------
/setup.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python3
 2 | 
 3 | from setuptools import setup, find_packages
 4 | 
 5 | setup(
 6 |     name='deephack',
 7 |     version='1.0.0',
 8 |     packages=find_packages(),
 9 |     zip_safe=False,
10 |     include_package_data=True,
11 |     install_requires=[
12 |         'uwsgi',
13 |         'coverage',
14 |         'Flask',
15 |         'psycopg2',
16 |         'sqlalchemy',
17 |         'scipy',
18 |         'numpy',
19 |         'keras',
20 |         'ipython',
21 |         'faker',
22 |     ],
23 |     classifiers=[
24 |         'Private :: Do Not Upload'
25 |     ],
26 |     entry_points={
27 |         'console_scripts': [
28 |             'vulnserver = vulnserver.cli.vulnserver:main',
29 |         ]
30 |     }
31 | )
32 | 


--------------------------------------------------------------------------------
/state.py:
--------------------------------------------------------------------------------
 1 | 
 2 | """The state of a given episode is what DeepHack has learned about the database."""
 3 | class State():
 4 |     def __init__(self):
 5 |         self.statetable = [""]
 6 |         self.current = 0
 7 | 
 8 |     def __str__(self):
 9 |         out = ""
10 |         for entry in self.statetable:
11 |             out += entry + "\n"
12 |         return out
13 | 
14 |     def __iter__(self):
15 |         self.current = 0
16 |         return self
17 | 
18 |     def __next__(self):
19 |         try:
20 |             result = self.statetable[self.current]
21 |             self.current += 1
22 |         except IndexError:
23 |             raise StopIteration
24 |         return result
25 | 
26 |     def update(self, query):
27 |         query = query.split("%")[0]
28 |         for i, entry in enumerate(self.statetable):
29 |             if query.startswith(entry):
30 |                 self.statetable[i] = query
31 |                 return
32 |             if entry.startswith(query):
33 |                 return
34 |         self.statetable.append(query)
35 | 
36 |     """Counts up the total length of the state table and calls that the state's value"""
37 |     def value(self):
38 |         value = 0
39 |         for entry in self.statetable:
40 |             value += len(entry)
41 |         return value
42 | 


--------------------------------------------------------------------------------
/tests/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BishopFox/deephack/3a0b837130cbfa000c4f3a33798affd93dc31d17/tests/__init__.py


--------------------------------------------------------------------------------
/tests/test_cli.py:
--------------------------------------------------------------------------------
1 | from vulnserver.cli.vulnserver import main
2 | 
3 | def test_func():
4 |     assert True
5 | 


--------------------------------------------------------------------------------
/tests/test_lib.py:
--------------------------------------------------------------------------------
 1 | import vulnserver.lib
 2 | import vulnserver.lib.models
 3 | from vulnserver.lib.models import SchemaGen
 4 | 
 5 | def test_func():
 6 |     s = SchemaGen()
 7 |     s.gen()
 8 |     s.populate()
 9 |     assert True
10 | 


--------------------------------------------------------------------------------
/tox.ini:
--------------------------------------------------------------------------------
 1 | [tox]
 2 | envlist =
 3 |     py35
 4 | 
 5 | [testenv]
 6 | deps=
 7 |     pytest
 8 |     pytest-cov
 9 |     coverage
10 |     flake8
11 | 
12 | whitelist_externals= make
13 | 
14 | commands=
15 |     python --version
16 |     py35: python -m compileall -fq vulnserver/lib
17 |     make flake8
18 |     make test
19 |     make loc
20 | 


--------------------------------------------------------------------------------
/vulnserver/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BishopFox/deephack/3a0b837130cbfa000c4f3a33798affd93dc31d17/vulnserver/__init__.py


--------------------------------------------------------------------------------
/vulnserver/cli/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/BishopFox/deephack/3a0b837130cbfa000c4f3a33798affd93dc31d17/vulnserver/cli/__init__.py


--------------------------------------------------------------------------------
/vulnserver/cli/vulnserver.py:
--------------------------------------------------------------------------------
 1 | ''' a skeleton cli program to begin development with '''
 2 | import os
 3 | 
 4 | from vulnserver.lib.vroutes import app
 5 | 
 6 | def main():
 7 |     ''' entry point for console_scripts, and cli binary '''
 8 |     app.run(host='0.0.0.0')
 9 |     # webscale database reloading
10 |     os.system('''psql -d deephack -U deephack -c "drop owned by deephack"''')
11 |     return 0
12 | 
13 | if __name__ == '__main__':
14 |     main()
15 | 


--------------------------------------------------------------------------------
/vulnserver/lib/__init__.py:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/vulnserver/lib/keywords:
--------------------------------------------------------------------------------
   1 | 0
   2 | 01
   3 | 02
   4 | 03
   5 | 1
   6 | 10
   7 | 11
   8 | 12
   9 | 13
  10 | 14
  11 | 15
  12 | 16
  13 | 17
  14 | 18
  15 | 19
  16 | 2
  17 | 20
  18 | 3
  19 | 3com
  20 | 4
  21 | 5
  22 | 6
  23 | 7
  24 | 8
  25 | 9
  26 | ILMI
  27 | a
  28 | a.auth-ns
  29 | a01
  30 | a02
  31 | a1
  32 | a2
  33 | abc
  34 | about
  35 | ac
  36 | academico
  37 | acceso
  38 | access
  39 | accounting
  40 | accounts
  41 | acid
  42 | activestat
  43 | ad
  44 | adam
  45 | adkit
  46 | admin
  47 | administracion
  48 | administrador
  49 | administrator
  50 | administrators
  51 | admins
  52 | ads
  53 | adserver
  54 | adsl
  55 | ae
  56 | af
  57 | affiliate
  58 | affiliates
  59 | afiliados
  60 | ag
  61 | agenda
  62 | agent
  63 | ai
  64 | aix
  65 | ajax
  66 | ak
  67 | akamai
  68 | al
  69 | alabama
  70 | alaska
  71 | albuquerque
  72 | alerts
  73 | alpha
  74 | alterwind
  75 | am
  76 | amarillo
  77 | americas
  78 | an
  79 | anaheim
  80 | analyzer
  81 | announce
  82 | announcements
  83 | antivirus
  84 | ao
  85 | ap
  86 | apache
  87 | apollo
  88 | app
  89 | app01
  90 | app1
  91 | apple
  92 | application
  93 | applications
  94 | apps
  95 | appserver
  96 | aq
  97 | ar
  98 | archie
  99 | arcsight
 100 | argentina
 101 | arizona
 102 | arkansas
 103 | arlington
 104 | as
 105 | as400
 106 | asia
 107 | asterix
 108 | at
 109 | athena
 110 | atlanta
 111 | atlas
 112 | att
 113 | au
 114 | auction
 115 | austin
 116 | auth
 117 | auto
 118 | autodiscover
 119 | autorun
 120 | av
 121 | aw
 122 | ayuda
 123 | az
 124 | b
 125 | b.auth-ns
 126 | b01
 127 | b02
 128 | b1
 129 | b2
 130 | b2b
 131 | b2c
 132 | ba
 133 | back
 134 | backend
 135 | backup
 136 | baker
 137 | bakersfield
 138 | balance
 139 | balancer
 140 | baltimore
 141 | banking
 142 | bayarea
 143 | bb
 144 | bbdd
 145 | bbs
 146 | bd
 147 | bdc
 148 | be
 149 | bea
 150 | beta
 151 | bf
 152 | bg
 153 | bh
 154 | bi
 155 | billing
 156 | biz
 157 | biztalk
 158 | bj
 159 | black
 160 | blackberry
 161 | blog
 162 | blogs
 163 | blue
 164 | bm
 165 | bn
 166 | bnc
 167 | bo
 168 | bob
 169 | bof
 170 | boise
 171 | bolsa
 172 | border
 173 | boston
 174 | boulder
 175 | boy
 176 | br
 177 | bravo
 178 | brazil
 179 | britian
 180 | broadcast
 181 | broker
 182 | bronze
 183 | brown
 184 | bs
 185 | bsd
 186 | bsd0
 187 | bsd01
 188 | bsd02
 189 | bsd1
 190 | bsd2
 191 | bt
 192 | bug
 193 | buggalo
 194 | bugs
 195 | bugzilla
 196 | build
 197 | bulletins
 198 | burn
 199 | burner
 200 | buscador
 201 | buy
 202 | bv
 203 | bw
 204 | by
 205 | bz
 206 | c
 207 | c.auth-ns
 208 | ca
 209 | cache
 210 | cafe
 211 | calendar
 212 | california
 213 | call
 214 | calvin
 215 | canada
 216 | canal
 217 | canon
 218 | careers
 219 | catalog
 220 | cc
 221 | cd
 222 | cdburner
 223 | cdn
 224 | cert
 225 | certificates
 226 | certify
 227 | certserv
 228 | certsrv
 229 | cf
 230 | cg
 231 | cgi
 232 | ch
 233 | channel
 234 | channels
 235 | charlie
 236 | charlotte
 237 | chat
 238 | chats
 239 | chatserver
 240 | check
 241 | checkpoint
 242 | chi
 243 | chicago
 244 | ci
 245 | cims
 246 | cincinnati
 247 | cisco
 248 | citrix
 249 | ck
 250 | cl
 251 | class
 252 | classes
 253 | classifieds
 254 | classroom
 255 | cleveland
 256 | clicktrack
 257 | client
 258 | clientes
 259 | clients
 260 | club
 261 | clubs
 262 | cluster
 263 | clusters
 264 | cm
 265 | cmail
 266 | cms
 267 | cn
 268 | co
 269 | cocoa
 270 | code
 271 | coldfusion
 272 | colombus
 273 | colorado
 274 | columbus
 275 | com
 276 | commerce
 277 | commerceserver
 278 | communigate
 279 | community
 280 | compaq
 281 | compras
 282 | con
 283 | concentrator
 284 | conf
 285 | conference
 286 | conferencing
 287 | confidential
 288 | connect
 289 | connecticut
 290 | consola
 291 | console
 292 | consult
 293 | consultant
 294 | consultants
 295 | consulting
 296 | consumer
 297 | contact
 298 | content
 299 | contracts
 300 | core
 301 | core0
 302 | core01
 303 | corp
 304 | corpmail
 305 | corporate
 306 | correo
 307 | correoweb
 308 | cortafuegos
 309 | counterstrike
 310 | courses
 311 | cr
 312 | cricket
 313 | crm
 314 | crs
 315 | cs
 316 | cso
 317 | css
 318 | ct
 319 | cu
 320 | cust1
 321 | cust10
 322 | cust100
 323 | cust101
 324 | cust102
 325 | cust103
 326 | cust104
 327 | cust105
 328 | cust106
 329 | cust107
 330 | cust108
 331 | cust109
 332 | cust11
 333 | cust110
 334 | cust111
 335 | cust112
 336 | cust113
 337 | cust114
 338 | cust115
 339 | cust116
 340 | cust117
 341 | cust118
 342 | cust119
 343 | cust12
 344 | cust120
 345 | cust121
 346 | cust122
 347 | cust123
 348 | cust124
 349 | cust125
 350 | cust126
 351 | cust13
 352 | cust14
 353 | cust15
 354 | cust16
 355 | cust17
 356 | cust18
 357 | cust19
 358 | cust2
 359 | cust20
 360 | cust21
 361 | cust22
 362 | cust23
 363 | cust24
 364 | cust25
 365 | cust26
 366 | cust27
 367 | cust28
 368 | cust29
 369 | cust3
 370 | cust30
 371 | cust31
 372 | cust32
 373 | cust33
 374 | cust34
 375 | cust35
 376 | cust36
 377 | cust37
 378 | cust38
 379 | cust39
 380 | cust4
 381 | cust40
 382 | cust41
 383 | cust42
 384 | cust43
 385 | cust44
 386 | cust45
 387 | cust46
 388 | cust47
 389 | cust48
 390 | cust49
 391 | cust5
 392 | cust50
 393 | cust51
 394 | cust52
 395 | cust53
 396 | cust54
 397 | cust55
 398 | cust56
 399 | cust57
 400 | cust58
 401 | cust59
 402 | cust6
 403 | cust60
 404 | cust61
 405 | cust62
 406 | cust63
 407 | cust64
 408 | cust65
 409 | cust66
 410 | cust67
 411 | cust68
 412 | cust69
 413 | cust7
 414 | cust70
 415 | cust71
 416 | cust72
 417 | cust73
 418 | cust74
 419 | cust75
 420 | cust76
 421 | cust77
 422 | cust78
 423 | cust79
 424 | cust8
 425 | cust80
 426 | cust81
 427 | cust82
 428 | cust83
 429 | cust84
 430 | cust85
 431 | cust86
 432 | cust87
 433 | cust88
 434 | cust89
 435 | cust9
 436 | cust90
 437 | cust91
 438 | cust92
 439 | cust93
 440 | cust94
 441 | cust95
 442 | cust96
 443 | cust97
 444 | cust98
 445 | cust99
 446 | customer
 447 | customers
 448 | cv
 449 | cvs
 450 | cx
 451 | cy
 452 | cz
 453 | d
 454 | dallas
 455 | data
 456 | database
 457 | database01
 458 | database02
 459 | database1
 460 | database2
 461 | databases
 462 | datastore
 463 | datos
 464 | david
 465 | db
 466 | db0
 467 | db01
 468 | db02
 469 | db1
 470 | db2
 471 | dc
 472 | de
 473 | dealers
 474 | dec
 475 | def
 476 | default
 477 | defiant
 478 | delaware
 479 | dell
 480 | delta
 481 | delta1
 482 | demo
 483 | demonstration
 484 | demos
 485 | denver
 486 | depot
 487 | des
 488 | desarrollo
 489 | descargas
 490 | design
 491 | designer
 492 | desktop
 493 | detroit
 494 | dev
 495 | dev0
 496 | dev01
 497 | dev1
 498 | devel
 499 | develop
 500 | developer
 501 | developers
 502 | development
 503 | device
 504 | devserver
 505 | devsql
 506 | dhcp
 507 | dial
 508 | dialup
 509 | digital
 510 | dilbert
 511 | dir
 512 | direct
 513 | directory
 514 | disc
 515 | discovery
 516 | discuss
 517 | discussion
 518 | discussions
 519 | disk
 520 | disney
 521 | distributer
 522 | distributers
 523 | dj
 524 | dk
 525 | dm
 526 | dmail
 527 | dmz
 528 | dnews
 529 | dns
 530 | dns-2
 531 | dns0
 532 | dns1
 533 | dns2
 534 | dns3
 535 | do
 536 | docs
 537 | documentacion
 538 | documentos
 539 | domain
 540 | domains
 541 | dominio
 542 | domino
 543 | dominoweb
 544 | doom
 545 | download
 546 | downloads
 547 | downtown
 548 | dragon
 549 | drupal
 550 | dsl
 551 | dyn
 552 | dynamic
 553 | dynip
 554 | dz
 555 | e
 556 | e-com
 557 | e-commerce
 558 | e0
 559 | eagle
 560 | earth
 561 | east
 562 | ec
 563 | echo
 564 | ecom
 565 | ecommerce
 566 | edi
 567 | edu
 568 | education
 569 | edward
 570 | ee
 571 | eg
 572 | eh
 573 | ejemplo
 574 | elpaso
 575 | email
 576 | employees
 577 | empresa
 578 | empresas
 579 | en
 580 | enable
 581 | eng
 582 | eng01
 583 | eng1
 584 | engine
 585 | engineer
 586 | engineering
 587 | enterprise
 588 | epsilon
 589 | er
 590 | erp
 591 | es
 592 | esd
 593 | esm
 594 | espanol
 595 | estadisticas
 596 | esx
 597 | et
 598 | eta
 599 | europe
 600 | events
 601 | example
 602 | exchange
 603 | exec
 604 | extern
 605 | external
 606 | extranet
 607 | f
 608 | f5
 609 | falcon
 610 | farm
 611 | faststats
 612 | fax
 613 | feedback
 614 | feeds
 615 | fi
 616 | field
 617 | file
 618 | files
 619 | fileserv
 620 | fileserver
 621 | filestore
 622 | filter
 623 | find
 624 | finger
 625 | firewall
 626 | fix
 627 | fixes
 628 | fj
 629 | fk
 630 | fl
 631 | flash
 632 | florida
 633 | flow
 634 | fm
 635 | fo
 636 | foobar
 637 | formacion
 638 | foro
 639 | foros
 640 | fortworth
 641 | forum
 642 | forums
 643 | foto
 644 | fotos
 645 | foundry
 646 | fox
 647 | foxtrot
 648 | fr
 649 | france
 650 | frank
 651 | fred
 652 | freebsd
 653 | freebsd0
 654 | freebsd01
 655 | freebsd02
 656 | freebsd1
 657 | freebsd2
 658 | freeware
 659 | fresno
 660 | front
 661 | frontdesk
 662 | fs
 663 | fsp
 664 | ftp
 665 | ftp-
 666 | ftp0
 667 | ftp2
 668 | ftpserver
 669 | fw
 670 | fw-1
 671 | fw1
 672 | fwsm
 673 | fwsm0
 674 | fwsm01
 675 | fwsm1
 676 | g
 677 | ga
 678 | galeria
 679 | galerias
 680 | galleries
 681 | gallery
 682 | games
 683 | gamma
 684 | gandalf
 685 | gate
 686 | gatekeeper
 687 | gateway
 688 | gauss
 689 | gd
 690 | ge
 691 | gemini
 692 | general
 693 | george
 694 | georgia
 695 | germany
 696 | gf
 697 | gg
 698 | gh
 699 | gi
 700 | gl
 701 | glendale
 702 | gm
 703 | gmail
 704 | gn
 705 | go
 706 | gold
 707 | goldmine
 708 | golf
 709 | gopher
 710 | gp
 711 | gq
 712 | gr
 713 | green
 714 | group
 715 | groups
 716 | groupwise
 717 | gs
 718 | gsx
 719 | gt
 720 | gu
 721 | guest
 722 | gw
 723 | gw1
 724 | gy
 725 | h
 726 | hal
 727 | halflife
 728 | hawaii
 729 | hello
 730 | help
 731 | helpdesk
 732 | helponline
 733 | henry
 734 | hermes
 735 | hi
 736 | hidden
 737 | hk
 738 | hm
 739 | hn
 740 | hobbes
 741 | hollywood
 742 | home
 743 | homebase
 744 | homer
 745 | honeypot
 746 | honolulu
 747 | host
 748 | host1
 749 | host3
 750 | host4
 751 | host5
 752 | hotel
 753 | hotjobs
 754 | houstin
 755 | houston
 756 | howto
 757 | hp
 758 | hpov
 759 | hr
 760 | ht
 761 | http
 762 | https
 763 | hu
 764 | hub
 765 | humanresources
 766 | i
 767 | ia
 768 | ias
 769 | ibm
 770 | ibmdb
 771 | id
 772 | ida
 773 | idaho
 774 | ids
 775 | ie
 776 | iis
 777 | il
 778 | illinois
 779 | im
 780 | images
 781 | imail
 782 | imap
 783 | imap4
 784 | img
 785 | img0
 786 | img01
 787 | img02
 788 | in
 789 | inbound
 790 | inc
 791 | include
 792 | incoming
 793 | india
 794 | indiana
 795 | indianapolis
 796 | info
 797 | informix
 798 | inside
 799 | install
 800 | int
 801 | intern
 802 | internal
 803 | international
 804 | internet
 805 | intl
 806 | intranet
 807 | invalid
 808 | investor
 809 | investors
 810 | io
 811 | iota
 812 | iowa
 813 | iplanet
 814 | ipmonitor
 815 | ipsec
 816 | ipsec-gw
 817 | ipv6
 818 | ipv6.teredo
 819 | iq
 820 | ir
 821 | irc
 822 | ircd
 823 | ircserver
 824 | ireland
 825 | iris
 826 | irvine
 827 | irving
 828 | is
 829 | isa
 830 | isaserv
 831 | isaserver
 832 | ism
 833 | israel
 834 | isync
 835 | it
 836 | italy
 837 | ix
 838 | j
 839 | japan
 840 | java
 841 | je
 842 | jedi
 843 | jm
 844 | jo
 845 | jobs
 846 | john
 847 | jp
 848 | jrun
 849 | juegos
 850 | juliet
 851 | juliette
 852 | juniper
 853 | k
 854 | kansas
 855 | kansascity
 856 | kappa
 857 | kb
 858 | ke
 859 | kentucky
 860 | kerberos
 861 | keynote
 862 | kg
 863 | kh
 864 | ki
 865 | kilo
 866 | king
 867 | km
 868 | kn
 869 | knowledgebase
 870 | knoxville
 871 | koe
 872 | korea
 873 | kp
 874 | kr
 875 | ks
 876 | kw
 877 | ky
 878 | kz
 879 | l
 880 | la
 881 | lab
 882 | laboratory
 883 | labs
 884 | lambda
 885 | lan
 886 | laptop
 887 | laserjet
 888 | lasvegas
 889 | launch
 890 | lb
 891 | lc
 892 | ldap
 893 | legal
 894 | leo
 895 | li
 896 | lib
 897 | library
 898 | lima
 899 | lincoln
 900 | link
 901 | linux
 902 | linux0
 903 | linux01
 904 | linux02
 905 | linux1
 906 | linux2
 907 | lista
 908 | lists
 909 | listserv
 910 | listserver
 911 | live
 912 | lk
 913 | load
 914 | loadbalancer
 915 | local
 916 | localhost
 917 | log
 918 | log0
 919 | log01
 920 | log02
 921 | log1
 922 | log2
 923 | logfile
 924 | logfiles
 925 | logger
 926 | logging
 927 | loghost
 928 | login
 929 | logs
 930 | london
 931 | longbeach
 932 | losangeles
 933 | lotus
 934 | louisiana
 935 | lr
 936 | ls
 937 | lt
 938 | lu
 939 | luke
 940 | lv
 941 | ly
 942 | lyris
 943 | m
 944 | ma
 945 | mac
 946 | mac1
 947 | mac10
 948 | mac11
 949 | mac2
 950 | mac3
 951 | mac4
 952 | mac5
 953 | mach
 954 | macintosh
 955 | madrid
 956 | mail
 957 | mail2
 958 | mailer
 959 | mailgate
 960 | mailhost
 961 | mailing
 962 | maillist
 963 | maillists
 964 | mailroom
 965 | mailserv
 966 | mailsite
 967 | mailsrv
 968 | main
 969 | maine
 970 | maint
 971 | mall
 972 | manage
 973 | management
 974 | manager
 975 | manufacturing
 976 | map
 977 | mapas
 978 | maps
 979 | marketing
 980 | marketplace
 981 | mars
 982 | marvin
 983 | mary
 984 | maryland
 985 | massachusetts
 986 | master
 987 | max
 988 | mc
 989 | mci
 990 | md
 991 | mdaemon
 992 | me
 993 | media
 994 | member
 995 | members
 996 | memphis
 997 | mercury
 998 | merlin
 999 | messages
1000 | messenger
1001 | mg
1002 | mgmt
1003 | mh
1004 | mi
1005 | miami
1006 | michigan
1007 | mickey
1008 | midwest
1009 | mike
1010 | milwaukee
1011 | minneapolis
1012 | minnesota
1013 | mirror
1014 | mis
1015 | mississippi
1016 | missouri
1017 | mk
1018 | ml
1019 | mm
1020 | mn
1021 | mngt
1022 | mo
1023 | mobile
1024 | mobilemail
1025 | mom
1026 | monitor
1027 | monitoring
1028 | montana
1029 | moon
1030 | moscow
1031 | movies
1032 | mozart
1033 | mp
1034 | mp3
1035 | mpeg
1036 | mpg
1037 | mq
1038 | mr
1039 | mrtg
1040 | ms
1041 | ms-exchange
1042 | ms-sql
1043 | msexchange
1044 | mssql
1045 | mssql0
1046 | mssql01
1047 | mssql1
1048 | mt
1049 | mta
1050 | mtu
1051 | mu
1052 | multimedia
1053 | music
1054 | mv
1055 | mw
1056 | mx
1057 | my
1058 | mysql
1059 | mysql0
1060 | mysql01
1061 | mysql1
1062 | mz
1063 | n
1064 | na
1065 | name
1066 | names
1067 | nameserv
1068 | nameserver
1069 | nas
1070 | nashville
1071 | nat
1072 | nc
1073 | nd
1074 | nds
1075 | ne
1076 | nebraska
1077 | neptune
1078 | net
1079 | netapp
1080 | netdata
1081 | netgear
1082 | netmeeting
1083 | netscaler
1084 | netscreen
1085 | netstats
1086 | network
1087 | nevada
1088 | new
1089 | newhampshire
1090 | newjersey
1091 | newmexico
1092 | neworleans
1093 | news
1094 | newsfeed
1095 | newsfeeds
1096 | newsgroups
1097 | newton
1098 | newyork
1099 | newzealand
1100 | nf
1101 | ng
1102 | nh
1103 | ni
1104 | nigeria
1105 | nj
1106 | nl
1107 | nm
1108 | nms
1109 | nntp
1110 | no
1111 | node
1112 | nokia
1113 | nombres
1114 | nora
1115 | north
1116 | northcarolina
1117 | northdakota
1118 | northeast
1119 | northwest
1120 | noticias
1121 | novell
1122 | november
1123 | np
1124 | nr
1125 | ns
1126 | ns-
1127 | ns0
1128 | ns01
1129 | ns02
1130 | ns1
1131 | ns2
1132 | ns3
1133 | ns4
1134 | ns5
1135 | nt
1136 | nt4
1137 | nt40
1138 | ntmail
1139 | ntp
1140 | ntserver
1141 | nu
1142 | null
1143 | nv
1144 | ny
1145 | nz
1146 | o
1147 | oakland
1148 | ocean
1149 | odin
1150 | office
1151 | offices
1152 | oh
1153 | ohio
1154 | ok
1155 | oklahoma
1156 | oklahomacity
1157 | old
1158 | om
1159 | omaha
1160 | omega
1161 | omicron
1162 | online
1163 | ontario
1164 | open
1165 | openbsd
1166 | openview
1167 | operations
1168 | ops
1169 | ops0
1170 | ops01
1171 | ops02
1172 | ops1
1173 | ops2
1174 | opsware
1175 | or
1176 | oracle
1177 | orange
1178 | order
1179 | orders
1180 | oregon
1181 | orion
1182 | orlando
1183 | oscar
1184 | out
1185 | outbound
1186 | outgoing
1187 | outlook
1188 | outside
1189 | ov
1190 | owa
1191 | owa01
1192 | owa02
1193 | owa1
1194 | owa2
1195 | ows
1196 | oxnard
1197 | p
1198 | pa
1199 | page
1200 | pager
1201 | pages
1202 | paginas
1203 | papa
1204 | paris
1205 | parners
1206 | partner
1207 | partners
1208 | patch
1209 | patches
1210 | paul
1211 | payroll
1212 | pbx
1213 | pc
1214 | pc01
1215 | pc1
1216 | pc10
1217 | pc101
1218 | pc11
1219 | pc12
1220 | pc13
1221 | pc14
1222 | pc15
1223 | pc16
1224 | pc17
1225 | pc18
1226 | pc19
1227 | pc2
1228 | pc20
1229 | pc21
1230 | pc22
1231 | pc23
1232 | pc24
1233 | pc25
1234 | pc26
1235 | pc27
1236 | pc28
1237 | pc29
1238 | pc3
1239 | pc30
1240 | pc31
1241 | pc32
1242 | pc33
1243 | pc34
1244 | pc35
1245 | pc36
1246 | pc37
1247 | pc38
1248 | pc39
1249 | pc4
1250 | pc40
1251 | pc41
1252 | pc42
1253 | pc43
1254 | pc44
1255 | pc45
1256 | pc46
1257 | pc47
1258 | pc48
1259 | pc49
1260 | pc5
1261 | pc50
1262 | pc51
1263 | pc52
1264 | pc53
1265 | pc54
1266 | pc55
1267 | pc56
1268 | pc57
1269 | pc58
1270 | pc59
1271 | pc6
1272 | pc60
1273 | pc7
1274 | pc8
1275 | pc9
1276 | pcmail
1277 | pda
1278 | pdc
1279 | pe
1280 | pegasus
1281 | pennsylvania
1282 | peoplesoft
1283 | personal
1284 | pf
1285 | pg
1286 | pgp
1287 | ph
1288 | phi
1289 | philadelphia
1290 | phoenix
1291 | phoeniz
1292 | phone
1293 | phones
1294 | photos
1295 | pi
1296 | pics
1297 | pictures
1298 | pink
1299 | pipex-gw
1300 | pittsburgh
1301 | pix
1302 | pk
1303 | pki
1304 | pl
1305 | plano
1306 | platinum
1307 | pluto
1308 | pm
1309 | pm1
1310 | pn
1311 | po
1312 | policy
1313 | polls
1314 | pop
1315 | pop3
1316 | portal
1317 | portals
1318 | portfolio
1319 | portland
1320 | post
1321 | postales
1322 | postoffice
1323 | ppp1
1324 | ppp10
1325 | ppp11
1326 | ppp12
1327 | ppp13
1328 | ppp14
1329 | ppp15
1330 | ppp16
1331 | ppp17
1332 | ppp18
1333 | ppp19
1334 | ppp2
1335 | ppp20
1336 | ppp21
1337 | ppp3
1338 | ppp4
1339 | ppp5
1340 | ppp6
1341 | ppp7
1342 | ppp8
1343 | ppp9
1344 | pptp
1345 | pr
1346 | prensa
1347 | press
1348 | printer
1349 | printserv
1350 | printserver
1351 | priv
1352 | privacy
1353 | private
1354 | problemtracker
1355 | products
1356 | profiles
1357 | project
1358 | projects
1359 | promo
1360 | proxy
1361 | prueba
1362 | pruebas
1363 | ps
1364 | psi
1365 | pss
1366 | pt
1367 | pub
1368 | public
1369 | pubs
1370 | purple
1371 | pw
1372 | py
1373 | q
1374 | qa
1375 | qmail
1376 | qotd
1377 | quake
1378 | quebec
1379 | queen
1380 | quotes
1381 | r
1382 | r01
1383 | r02
1384 | r1
1385 | r2
1386 | ra
1387 | radio
1388 | radius
1389 | rapidsite
1390 | raptor
1391 | ras
1392 | rc
1393 | rcs
1394 | rd
1395 | re
1396 | read
1397 | realserver
1398 | recruiting
1399 | red
1400 | redhat
1401 | ref
1402 | reference
1403 | reg
1404 | register
1405 | registro
1406 | registry
1407 | regs
1408 | relay
1409 | rem
1410 | remote
1411 | remstats
1412 | reports
1413 | research
1414 | reseller
1415 | reserved
1416 | resumenes
1417 | rho
1418 | rhodeisland
1419 | ri
1420 | ris
1421 | rmi
1422 | ro
1423 | robert
1424 | romeo
1425 | root
1426 | rose
1427 | route
1428 | router
1429 | router1
1430 | rs
1431 | rss
1432 | rtelnet
1433 | rtr
1434 | rtr01
1435 | rtr1
1436 | ru
1437 | rune
1438 | rw
1439 | rwhois
1440 | s
1441 | s1
1442 | s2
1443 | sa
1444 | sac
1445 | sacramento
1446 | sadmin
1447 | safe
1448 | sales
1449 | saltlake
1450 | sam
1451 | san
1452 | sanantonio
1453 | sandiego
1454 | sanfrancisco
1455 | sanjose
1456 | saskatchewan
1457 | saturn
1458 | sb
1459 | sbs
1460 | sc
1461 | scanner
1462 | schedules
1463 | scotland
1464 | scotty
1465 | sd
1466 | se
1467 | search
1468 | seattle
1469 | sec
1470 | secret
1471 | secure
1472 | secured
1473 | securid
1474 | security
1475 | sendmail
1476 | seri
1477 | serv
1478 | serv2
1479 | server
1480 | server1
1481 | servers
1482 | service
1483 | services
1484 | servicio
1485 | servidor
1486 | setup
1487 | sg
1488 | sh
1489 | shared
1490 | sharepoint
1491 | shareware
1492 | shipping
1493 | shop
1494 | shoppers
1495 | shopping
1496 | si
1497 | siebel
1498 | sierra
1499 | sigma
1500 | signin
1501 | signup
1502 | silver
1503 | sim
1504 | sirius
1505 | site
1506 | sj
1507 | sk
1508 | skywalker
1509 | sl
1510 | slackware
1511 | slmail
1512 | sm
1513 | smc
1514 | sms
1515 | smtp
1516 | smtphost
1517 | sn
1518 | sniffer
1519 | snmp
1520 | snmpd
1521 | snoopy
1522 | snort
1523 | so
1524 | soap
1525 | socal
1526 | software
1527 | sol
1528 | solaris
1529 | solutions
1530 | soporte
1531 | source
1532 | sourcecode
1533 | sourcesafe
1534 | south
1535 | southcarolina
1536 | southdakota
1537 | southeast
1538 | southwest
1539 | spain
1540 | spam
1541 | spider
1542 | spiderman
1543 | splunk
1544 | spock
1545 | spokane
1546 | springfield
1547 | sprint
1548 | sqa
1549 | sql
1550 | sql0
1551 | sql01
1552 | sql1
1553 | sql7
1554 | sqlserver
1555 | squid
1556 | sr
1557 | ss
1558 | ssh
1559 | ssl
1560 | ssl0
1561 | ssl01
1562 | ssl1
1563 | st
1564 | staff
1565 | stage
1566 | staging
1567 | start
1568 | stat
1569 | static
1570 | statistics
1571 | stats
1572 | stlouis
1573 | stock
1574 | storage
1575 | store
1576 | storefront
1577 | streaming
1578 | stronghold
1579 | strongmail
1580 | studio
1581 | submit
1582 | subversion
1583 | sun
1584 | sun0
1585 | sun01
1586 | sun02
1587 | sun1
1588 | sun2
1589 | superman
1590 | supplier
1591 | suppliers
1592 | support
1593 | sv
1594 | sw
1595 | sw0
1596 | sw01
1597 | sw1
1598 | sweden
1599 | switch
1600 | switzerland
1601 | sy
1602 | sybase
1603 | sydney
1604 | sysadmin
1605 | sysback
1606 | syslog
1607 | syslogs
1608 | system
1609 | sz
1610 | t
1611 | tacoma
1612 | taiwan
1613 | talk
1614 | tampa
1615 | tango
1616 | tau
1617 | tc
1618 | tcl
1619 | td
1620 | team
1621 | tech
1622 | technology
1623 | techsupport
1624 | telephone
1625 | telephony
1626 | telnet
1627 | temp
1628 | tennessee
1629 | terminal
1630 | terminalserver
1631 | termserv
1632 | test
1633 | test2k
1634 | testajax
1635 | testasp
1636 | testaspnet
1637 | testbed
1638 | testcf
1639 | testing
1640 | testjsp
1641 | testlab
1642 | testlinux
1643 | testphp
1644 | testserver
1645 | testsite
1646 | testsql
1647 | testxp
1648 | texas
1649 | tf
1650 | tftp
1651 | tg
1652 | th
1653 | thailand
1654 | theta
1655 | thor
1656 | tienda
1657 | tiger
1658 | time
1659 | titan
1660 | tivoli
1661 | tj
1662 | tk
1663 | tm
1664 | tn
1665 | to
1666 | tokyo
1667 | toledo
1668 | tom
1669 | tool
1670 | tools
1671 | toplayer
1672 | toronto
1673 | tour
1674 | tp
1675 | tr
1676 | tracker
1677 | train
1678 | training
1679 | transfers
1680 | trinidad
1681 | trinity
1682 | ts
1683 | ts1
1684 | tt
1685 | tucson
1686 | tulsa
1687 | tunnel
1688 | tv
1689 | tw
1690 | tx
1691 | tz
1692 | u
1693 | ua
1694 | uddi
1695 | ug
1696 | uk
1697 | um
1698 | uniform
1699 | union
1700 | unitedkingdom
1701 | unitedstates
1702 | unix
1703 | unixware
1704 | update
1705 | updates
1706 | upload
1707 | ups
1708 | upsilon
1709 | uranus
1710 | urchin
1711 | us
1712 | usa
1713 | usenet
1714 | user
1715 | users
1716 | ut
1717 | utah
1718 | utilities
1719 | uy
1720 | uz
1721 | v
1722 | v6
1723 | va
1724 | vader
1725 | vantive
1726 | vault
1727 | vc
1728 | ve
1729 | vega
1730 | vegas
1731 | vend
1732 | vendors
1733 | venus
1734 | vermont
1735 | vg
1736 | vi
1737 | victor
1738 | video
1739 | videos
1740 | viking
1741 | violet
1742 | vip
1743 | virginia
1744 | vista
1745 | vm
1746 | vmserver
1747 | vmware
1748 | vn
1749 | vnc
1750 | voice
1751 | voicemail
1752 | voip
1753 | voyager
1754 | vpn
1755 | vpn0
1756 | vpn01
1757 | vpn02
1758 | vpn1
1759 | vpn2
1760 | vt
1761 | vu
1762 | w
1763 | w1
1764 | w2
1765 | w3
1766 | wa
1767 | wais
1768 | wallet
1769 | wam
1770 | wan
1771 | wap
1772 | warehouse
1773 | washington
1774 | wc3
1775 | web
1776 | webaccess
1777 | webadmin
1778 | webalizer
1779 | webboard
1780 | webcache
1781 | webcam
1782 | webcast
1783 | webdev
1784 | webdocs
1785 | webfarm
1786 | webhelp
1787 | weblib
1788 | weblogic
1789 | webmail
1790 | webmaster
1791 | webproxy
1792 | webring
1793 | webs
1794 | webserv
1795 | webserver
1796 | webservices
1797 | website
1798 | websites
1799 | websphere
1800 | websrv
1801 | websrvr
1802 | webstats
1803 | webstore
1804 | websvr
1805 | webtrends
1806 | welcome
1807 | west
1808 | westvirginia
1809 | wf
1810 | whiskey
1811 | white
1812 | whois
1813 | wi
1814 | wichita
1815 | wiki
1816 | wililiam
1817 | win
1818 | win01
1819 | win02
1820 | win1
1821 | win2
1822 | win2000
1823 | win2003
1824 | win2k
1825 | win2k3
1826 | windows
1827 | windows01
1828 | windows02
1829 | windows1
1830 | windows2
1831 | windows2000
1832 | windows2003
1833 | windowsxp
1834 | wingate
1835 | winnt
1836 | winproxy
1837 | wins
1838 | winserve
1839 | winxp
1840 | wire
1841 | wireless
1842 | wisconsin
1843 | wlan
1844 | wordpress
1845 | work
1846 | world
1847 | wpad
1848 | write
1849 | ws
1850 | ws1
1851 | ws10
1852 | ws11
1853 | ws12
1854 | ws13
1855 | ws2
1856 | ws3
1857 | ws4
1858 | ws5
1859 | ws6
1860 | ws7
1861 | ws8
1862 | ws9
1863 | wusage
1864 | wv
1865 | ww
1866 | www
1867 | www-
1868 | www-01
1869 | www-02
1870 | www-1
1871 | www-2
1872 | www-int
1873 | www0
1874 | www01
1875 | www02
1876 | www1
1877 | www2
1878 | www3
1879 | wwwchat
1880 | wwwdev
1881 | wwwmail
1882 | wy
1883 | wyoming
1884 | x
1885 | x-ray
1886 | xi
1887 | xlogan
1888 | xmail
1889 | xml
1890 | xp
1891 | y
1892 | yankee
1893 | ye
1894 | yellow
1895 | young
1896 | yt
1897 | yu
1898 | z
1899 | z-log
1900 | za
1901 | zebra
1902 | zera
1903 | zeus
1904 | zlog
1905 | zm
1906 | zulu
1907 | zw
1908 | 


--------------------------------------------------------------------------------
/vulnserver/lib/models.py:
--------------------------------------------------------------------------------
  1 | import string
  2 | import random
  3 | import sys
  4 | import os
  5 | from IPython.core import ultratb
  6 | if bool(os.environ.get('VULNSERVER_DEBUG')) == True:
  7 |     sys.excepthook = ultratb.FormattedTB(mode='Verbose',
  8 |          color_scheme='Linux', call_pdb=1)
  9 | 
 10 | from faker import Faker
 11 | 
 12 | from sqlalchemy import *
 13 | from sqlalchemy import Column, Integer, String, Date,Table, Column, Integer, ForeignKey
 14 | from sqlalchemy.ext.declarative import declarative_base
 15 | from sqlalchemy.orm import relationship
 16 | 
 17 | #hack please ignore
 18 | db_type = os.environ.get('VULNSERVER_DB_TYPE', '')
 19 | engine = None
 20 | if db_type.lower() == 'postgres':
 21 |     print("starting postgres server")
 22 |     engine = create_engine('postgresql+psycopg2://deephack:deephack@/deephack?host=/var/run/postgresql/')
 23 | else:
 24 |     engine = create_engine('sqlite:///:memory:')
 25 | Base = declarative_base()
 26 | Fake = Faker()
 27 | 
 28 | '''
 29 | TODO
 30 |     - set column names to mined column names
 31 |     - set table names to mined table names
 32 | 
 33 |     - scraping ideas
 34 |         - search github.com for all .sql files
 35 |             - parse them for create table statements
 36 |             - use those to populate table names
 37 | '''
 38 | 
 39 | '''
 40 |     patterns - column names
 41 |     {keyword}_{randint}
 42 |     {keyword}_id
 43 |     {product_prefix}_{keyword}
 44 |     {small_az_code}_{keyword}
 45 |     {product_prefix}_{keyword}_{randint}
 46 |     {small_az_code}_{keyword}_{randint}
 47 |     {product_prefix}_{keyword}{randint}
 48 |     {small_az_code}_{keyword}{randint}
 49 |     {keyword}
 50 |     {keyword}_{keyword}
 51 |     {keyword}_{keyword}_{keyword}
 52 |     {keyword}_{keyword}_{keyword}_{keyword}
 53 | 
 54 |     table names
 55 |     {keyword}
 56 |     {product_prefix}_keyword
 57 |     {product_prefix}Keyword
 58 |     {keyword}{int}
 59 |     {product_prefix}_keyword{int}
 60 |     {product_prefix}Keyword{int}
 61 |     {keyword}_{int}
 62 |     {product_prefix}_keyword_{int}
 63 |     {product_prefix}Keyword_{int}
 64 | '''
 65 | 
 66 | class NamePatterns:
 67 |     '''Class for generating random realistic name patterns'''
 68 |     # TODO: finish name pattern functions
 69 |     def __init__(self):
 70 |         self.name_patterns = {
 71 |             "keyword_randint": self.keyword_randint,
 72 |             #"keyword_id": self.keyword_id,
 73 |             "product_keyword": self.product_keyword,
 74 |             #"small_code_keyword": self.small_code_keyword,
 75 |             #"product_prefix_keyword_randint": self.product_prefix_keyword_randint,
 76 |             #"small_code_keyword_randint": self.small_code_keyword_randint,
 77 |             #"product_keywordrandint": self.product_keywordrandint,
 78 |             #"small_code_keywordrandint": self.small_code_keywordrandint,
 79 |             "keyword": self.keyword,
 80 |             "keyword_skeyword": self.keyword_skeyword,
 81 |             "keyword_skeyword_skeyword": self.keyword_skeyword_skeyword,
 82 |             "keyword_skeyword_skeyword_skeyword": self.keyword_skeyword_skeyword_skeyword,
 83 |         }
 84 | 
 85 |         self.product_code = "".join([random.choice(string.ascii_letters) for i in range(
 86 |             0, random.randint(1,5))])
 87 |         self.table_secondary_keywords = self.get_table_secondary_keywords()
 88 | 
 89 |     def _get_secondary_keyword(self):
 90 |         return 'test_secondary'
 91 | 
 92 |     def _get_product(self):
 93 |         return 'test_product'
 94 | 
 95 |     def _get_small_code(self):
 96 |         return 'test_product'
 97 | 
 98 |     def _get_randint(self):
 99 |         return random.choice(['00', '01', '02', '03','0', '1', '2', '3'])
100 | 
101 |     def _camelcase(self, argv):
102 |         '''camel cases the first letter of each word in keywords list'''
103 |         camel_cased=[]
104 |         for i in argv:
105 |             first_letter = i[:1].upper()
106 |             camel_cased.append(first_letter+i[1:])
107 |         return "".join(camel_cased)
108 | 
109 |     def _underscores(self, argv):
110 |         '''adds unscores to keywords'''
111 |         return "_".join(["{"+str(i)+"}" for i in range(len(argv))]).format(*argv)
112 | 
113 |     def _nospaces(self, argv):
114 |         '''adds unscores to keywords'''
115 |         return "".join(["{"+str(i)+"}" for i in range(len(argv))]).format(*argv)
116 | 
117 |     def _random_fmt(self, argv):
118 |         ''' return a format string with a specified number of args,
119 |         either camel case, underscores, or nospaces'''
120 |         selector = random.choice(['camelcase','underscores','nospaces'])
121 |         selectors = {
122 |             'underscores': self._underscores,
123 |             'nospaces': self._nospaces,
124 |             #'camelcase': self._camelcase,
125 |         }
126 |         return selectors.get(selector, self._underscores)(argv)
127 | 
128 |     def original_column_name(self, column_name):
129 |         return column_name
130 | 
131 |     def keyword_randint(self, column_name):
132 |         randint = self._get_randint()
133 |         return self._random_fmt([column_name, randint])
134 | 
135 |     def keyword_id(self, column_name):
136 |         pass
137 | 
138 |     def product_keyword(self, column_name):
139 |         return self._random_fmt([self.product_code, column_name])
140 | 
141 |     def small_code_keyword(self, column_name):
142 |         pass
143 | 
144 |     def product_keyword_randint(self, column_name):
145 |         pass
146 | 
147 |     def small_code_keyword_randint(self, column_name):
148 |         pass
149 | 
150 |     def product_keywordrandint(self, column_name):
151 |         pass
152 | 
153 |     def small_code_keywordrandint(self, column_name):
154 |         pass
155 | 
156 |     def keyword(self, column_name):
157 |         return column_name
158 | 
159 |     def keyword_skeyword(self, column_name):
160 |         return self._random_fmt([column_name,
161 |             random.choice(self.table_secondary_keywords)])
162 | 
163 |     def keyword_skeyword_skeyword(self, column_name):
164 |         return self._random_fmt([column_name,
165 |             random.choice(self.table_secondary_keywords),
166 |             random.choice(self.table_secondary_keywords),
167 |             ])
168 | 
169 |     def keyword_skeyword_skeyword_skeyword(self, column_name):
170 |         return self._random_fmt([column_name,
171 |             random.choice(self.table_secondary_keywords),
172 |             random.choice(self.table_secondary_keywords),
173 |             random.choice(self.table_secondary_keywords),
174 |             ])
175 | 
176 |     def get_table_secondary_keywords(self):
177 |         cur_path = os.path.dirname(os.path.abspath(__file__))
178 |         keyword_path = os.path.join(cur_path, 'keywords')
179 |         if not os.path.is_file(keyword_path):
180 |             sys.exit("need text file with keywords to generate table and column names")
181 |         with open(keyword_path) as f:
182 |              return [i.strip() for i in f.readlines()]
183 | 
184 |     def get_name(self, name_opts):
185 |         '''generate a random name pattern from list name_opts'''
186 |         # choose item from provided list
187 |         name_opt = random.choice(name_opts)
188 |         # choose a random pattern func
189 |         pattern_choice = self.name_patterns[
190 |                 random.choice(list(
191 |                     self.name_patterns.keys()))]
192 |         # populate the pattern and return
193 |         return pattern_choice(name_opt).lower()
194 | 
195 | class User:
196 |     '''Generate a user table'''
197 |     def get_tables(self, num_tables=1):
198 |         tables = {}
199 |         for i in range(num_tables):
200 |             table_name = self.get_table_keyword()
201 |             # loop until we generate a unique tablename
202 |             while table_name.lower() in [x.lower() for x in tables.keys()]:
203 |                 table_name = self.get_table_keyword()
204 |             #print("creating table name: %s" % table_name)
205 |             columns = self.create_table(table_name)
206 |             #print("columns %s" % columns)
207 |             tables[table_name] = columns
208 |         print("creating table %s" % tables)
209 |         return tables
210 | 
211 |     def get_table_keyword(self):
212 |         np = NamePatterns()
213 |         return np.get_name([
214 |             'users','usrs','user', 'usr',
215 |             'groups','grps','group', 'grp',
216 |             'customers','customer','cstmr', 'cst',
217 |             'product','product','inventory', 'invt',
218 |             'admin','administrator','manage', 'superuser',
219 |             'account','acct','archive', 'message', 'msg',
220 |             'vote','core','article', 'post',
221 |             ])
222 | 
223 |     def _get_sqlalchemy_type(self, cname, primary_key=False, relationship=None):
224 |         ''' returns a random sqlalchemy type, return str for now '''
225 |         if primary_key:
226 |             return Column(cname, Integer, primary_key=True, autoincrement=True)
227 |         else:
228 |             return Column(cname, String)
229 | 
230 |     def create_table(self, table_name, num_columns=5):
231 | 
232 |         faker_types = {
233 |             Fake.user_name: ['user', 'usr',
234 |                 'uname', 'usrnme','username', 'user_name'],
235 |             Fake.email: ['email', 'emailaddr', 'email_addr', 'emailaddress','mailaddr','contactemail','contact_email'],
236 |             Fake.company_email: ['email', 'emailaddr', 'email_addr', 'emailaddress','mailaddr','contactemail','contact_email'],
237 |             Fake.password: ['password', 'passwd', 'pword', 'pw','password_hash', 'passwd_hash', 'pword_hash', 'pw_hash'],
238 |             Fake.address: ['addr', 'address', 'location', 'mailing_addr', 'mail_addr', 'mailing_address'],
239 |             Fake.phone_number: ['phone_number', 'pnumber', 'phonenum', 'phone', 'cell', 'cellphone', 'contact_number', 'contact_num'],
240 |             Fake.company: ['company', 'business'],
241 |             Fake.credit_card_full: ['cc_details', 'card_data', 'creditcard', 'credit_card', 'cc'],
242 |             #Fake.credit_card_provider,
243 |             Fake.md5: ['password', 'passwd', 'pword', 'pw','password_hash', 'passwd_hash', 'pword_hash', 'pw_hash'],
244 |             Fake.sha1: ['password', 'passwd', 'pword', 'pw','password_hash', 'passwd_hash', 'pword_hash', 'pw_hash'],
245 |             Fake.sha256: ['password', 'passwd', 'pword', 'pw','password_hash', 'passwd_hash', 'pword_hash', 'pw_hash'],
246 |             Fake.bs: ['information', 'info', 'story', 'content', 'post', 'blogtext', 'text'],
247 |             #Fake.boolean,
248 |             #Fake.chrome,
249 |             #Fake.paragraph,
250 |             #Fake.ipv4,
251 |             #Fake.uuid4,
252 |         }
253 | 
254 |         columns = {}
255 |         col_patterns = NamePatterns()
256 | 
257 |         # get column names
258 |         for i in range(0, num_columns):
259 |             # get a random Faker data type
260 |             faker_type = random.choice(list(faker_types.keys()))
261 |             # get a random column_name
262 |             column_name = col_patterns.get_name(faker_types[faker_type])
263 |             # get a random sqlalchemy type
264 |             sqla_type = self._get_sqlalchemy_type(column_name)
265 |             # add a hook for the random_data function so we know
266 |             # what kind of random data to generate
267 |             sqla_type.faker_type = faker_type
268 |             columns[column_name] = sqla_type
269 | 
270 |         # add primary key
271 |         columns[table_name + '_id'] = self._get_sqlalchemy_type(
272 |                 table_name + '_id', primary_key=True)
273 |         return columns
274 | 
275 | class SchemaGen():
276 |     def __init__(self):
277 |         self.db_identifiers = string.ascii_letters# + '-_@#'
278 |         self.db_value_fuzz = 5893
279 |         self.db_value_max = 100000 + random.randrange(0, self.db_value_fuzz)
280 |         self.table_max = self.db_value_max * .03
281 |         self.table_fuzz = 500
282 |         self.table_name_max = 75
283 |         self.column_max = self.db_value_max * .07
284 |         self.column_fuzz = 500
285 |         self.column_name_max = 75
286 |         self.columns_per_table_max = 75
287 |         self.columns_per_table_min = 2
288 | 
289 |     def get_identifier_names(self, imax, ifuzz, iname_max):
290 |         names = []
291 |         # get a random value for the identifier range
292 |         irange = imax + random.randrange(0, ifuzz)
293 |         while irange > 0:
294 |             name = ''
295 |             for i in range(random.randrange(3, iname_max)):
296 |                 name = name + self.db_identifiers[random.randint(0,len(self.db_identifiers))-1]
297 |                 irange = irange - 1
298 |             names.append(''+name+'')
299 |         return names
300 | 
301 |     def gen_tdict(self):
302 |         '''
303 |         create the table dict with all columns and define
304 |         python classes for each table. each class inherits from
305 |         sqlalchemy Base and can be instantiated with sqlalchemy
306 |         [tnames]
307 |         [cnames]
308 |         tables = {"table_name": {column_name:random_type,
309 |                                     column_name:random_type,
310 |                                     column_name:random_type,
311 |                                     column_name:random_relationship}}
312 |         '''
313 |         tnames = self.get_identifier_names(
314 |                     self.table_max,
315 |                     self.table_fuzz,
316 |                     self.table_name_max)
317 |         cnames = self.get_identifier_names(
318 |                     self.column_max,
319 |                     self.column_fuzz,
320 |                     self.column_name_max)
321 |         tdict = {}
322 |         while len(tnames) > 0 and len(cnames) >= self.columns_per_table_min:
323 |             columns = {}
324 |             tname = tnames.pop()
325 |             self.db_value_max = self.db_value_max - len(tname)
326 |             for i in range(random.randrange(
327 |                     self.columns_per_table_min,
328 |                     self.columns_per_table_max)):
329 |                 if len(cnames) > 0:
330 |                     cname = cnames.pop()
331 |                     columns[cname] = self._get_sqlalchemy_type(cname) if i > 0 else self._get_sqlalchemy_type(cname, primary_key=True)
332 |                     # choose random faker_type for column
333 |                     self.db_value_max = self.db_value_max - len(cname)
334 |             tdict[tname] = columns
335 |         self.tdict = tdict
336 |         return self.tdict
337 | 
338 |     def gen(self):
339 |         self.gen_tdict()
340 |         for k,v in self.tdict.items():
341 |             v['__tablename__'] = k
342 |             type(k, (Base, ), v)
343 | 
344 |     def _get_sqlalchemy_type(self, cname, primary_key=False, relationship=None):
345 |         ''' returns a random sqlalchemy type, return str for now '''
346 |         if primary_key:
347 |             return Column(cname, Integer, primary_key=True, autoincrement=True)
348 |         else:
349 |             return Column(cname, String)
350 | 
351 |     def _create_database(self):
352 |         db_name = 'deephack'
353 |         conn = engine.connect()
354 |         Base.metadata.create_all(engine)
355 |         metadata = Base.metadata
356 | 
357 |         while self.db_value_max > 0:
358 |             tables = [i for i in metadata.tables]
359 |             cur_table = tables[random.randrange(0,
360 |                 len(tables)-1)]
361 |             cur_table = metadata.tables[cur_table]
362 |             # add 50 rows
363 |             rows = []
364 |             for i in range(3):
365 |                 row_dict = {}
366 |                 for column in cur_table.columns:
367 |                     if not column.primary_key:
368 |                         row_dict[str(column.name)] = self.random_data()
369 |                 rows.append(row_dict)
370 |             conn.execute(cur_table.insert(), rows)
371 |             self.db_value_max = self.db_value_max - 500
372 |         conn.close()
373 | 
374 |     def populate(self):
375 |         ''' populate the database '''
376 |         self._create_database()
377 | 
378 |     def select_table(self):
379 |         '''returns the table to use for selects for this episode,
380 |         only call this once per episode'''
381 |         tables = [i for i in Base.metadata.tables]
382 |         self.cur_table = Base.metadata.tables[random.choice(tables)]
383 |         self.pk = [i for i in self.cur_table.primary_key.columns][0]
384 |         return (self.cur_table, self.pk)
385 | 
386 |     def random_data(self):
387 |         rc = []
388 |         for x in range(random.randrange(0,200)):
389 |             rc.append(string.printable[random.randrange(len(string.printable)-1)])
390 |         return "".join(rc)
391 | 
392 |     def get_engine(self):
393 |         return engine
394 | 
395 | 
396 | class FakerSchema(SchemaGen):
397 |     '''uses faker to generate a table of all fake data'''
398 | 
399 |     def gen_tdict(self):
400 |         user = User()
401 |         self.tdict = user.get_tables()
402 | 
403 |     def _create_database(self):
404 |         db_name = 'deephack'
405 |         conn = engine.connect()
406 |         Base.metadata.create_all(engine)
407 |         self.metadata = Base.metadata
408 | 
409 |         while self.db_value_max > 0:
410 |             tables = [i for i in self.metadata.tables]
411 |             cur_table = random.choice(tables)
412 |             cur_table = self.metadata.tables[cur_table]
413 |             # add 50 rows
414 |             rows = []
415 |             for i in range(3):
416 |                 row_dict = {}
417 |                 for column in cur_table.columns:
418 |                     # add faker_type to column if not exists
419 |                     if not column.primary_key:
420 |                         row_dict[str(column.name)] = self.random_data(column.faker_type)
421 |                 rows.append(row_dict)
422 |             conn.execute(cur_table.insert(), rows)
423 |             self.db_value_max = self.db_value_max - 500
424 |         conn.close()
425 | 
426 |     def random_data(self, faker_func):
427 |         ''' create some random data based on the faker
428 |         type and return it'''
429 |         if faker_func == Fake.user_name:
430 |             return faker_func()
431 |         else:
432 |             return faker_func()
433 | 


--------------------------------------------------------------------------------
/vulnserver/lib/vroutes.py:
--------------------------------------------------------------------------------
 1 | import random
 2 | import os
 3 | 
 4 | from flask import Flask, request
 5 | import psycopg2
 6 | from sqlalchemy import create_engine, exc
 7 | from sqlalchemy.sql import text
 8 | from sqlalchemy.orm import sessionmaker
 9 | 
10 | from vulnserver.lib.models import FakerSchema, SchemaGen
11 | 
12 | schema = None
13 | schema_type = os.environ.get('VULNSERVER_SCHEMA_TYPE', '')
14 | if schema_type.lower().strip() == 'schemagen':
15 |     schema = SchemaGen()
16 | else:
17 |     schema = FakerSchema()
18 | schema.gen()
19 | schema.populate()
20 | select_table, select_table_pk = schema.select_table()
21 | engine = schema.get_engine()
22 | app = Flask(__name__)
23 | 
24 | @app.route("/")
25 | def index():
26 |     return 'vulnserver: /v0/sqli/select?user_id=1'
27 | 
28 | @app.route("/v0/sqli/select")
29 | def sqli_select():
30 |     sqltext = '''select * from {0} where {1}={2}'''.format(select_table,select_table_pk,request.args.get('user_id',1))
31 |     with engine.connect() as cursor:
32 |         return str([i for i in cursor.execute(sqltext).fetchmany(10)])
33 | 
34 | @app.route("/v0/sqli/insert")
35 | def sqli_insert():
36 |     return 'insert'
37 | 
38 | @app.route("/v0/sqli/shell")
39 | def sqli_shell():
40 |     sql = request.args.get('sql')
41 |     with engine.connect() as cursor:
42 |         return str(cursor.execute(sql).fetchall())
43 | 
44 | @app.route("/v0/sqli/update")
45 | def sqli_update():
46 |     return 'updated'
47 | 
48 | @app.route("/v0/sqli/delete")
49 | def sqli_delete():
50 |     return 'deleted'
51 | 
52 | @app.route("/v0/sqli/refresh")
53 | def sqli_refresh():
54 |     _create_database()
55 |     return 'refreshed'
56 | 


--------------------------------------------------------------------------------