nil0x42/phpsploit

View on GitHub
src/core/session/settings/REQ_DEFAULT_METHOD.py

Summary

Maintainability
A
0 mins
Test Coverage
"""
Default HTTP method to use to communicate with TARGET.

The phpsploit framework supports both GET and POST methods
to send HTTP requests

* GET METHOD:
-------------
# BEHAVIOR:
    The PASSKEY payload stager is passed as a single HTTP header,
    and a set of HTTP headers are created, and fullfilled with
    a portion of the payload, respecting limitations imposed
    by REQ_MAX_HEADERS and REQ_MAX_HEADER_SIZE settings.
# PROS:
    This method is usually the stealthiest one, as common log
    analysis softwares don't analyse HTTP Headers at all.
# CONS:
    The amount of data that can be injected is limited by remote
    server's REQ_MAX_HEADERS and REQ_MAX_HEADER_SIZE.
    So phpsploit may need to run multi-request payloads more
    frequently.

* POST METHOD:
--------------
# BEHAVIOR:
    The PASSKEY payload stager is passed as a single HTTP header,
    and the final payload is sent as a big POSTDATA argument
    (named with PASSKEY), respecting limitations imposed
    by REQ_MAX_POST_SIZE setting.
# PROS:
    Remote server's REQ_MAX_POST_SIZE has generally a large value,
    So big payloads can be sent through a single HTTP request,
    instead of sending a lot of GET multi-requests.
# CONS:
    Triggering a lot of POST requests on TARGET url can raise
    suspicion, as this kind of request is not expected on
    most of URLs.
"""
import linebuf


linebuf_type = linebuf.RandLineBuffer


def validator(value):
    value = value.upper()
    if value not in ["GET", "POST"]:
        raise ValueError("available methods: GET/POST")
    return value


def default_value():
    return "GET"