From 61e4f6e85e81c4f3499c135dd3be22a5011f8cc3 Mon Sep 17 00:00:00 2001
From: lanjelot <lanjelot@gmail.com>
Date: Fri, 29 Jun 2012 14:27:36 +1000
Subject: [PATCH] before_egrep now allows more than one expression

---
 patator.py | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/patator.py b/patator.py
index ebc4a8c..7a4de24 100755
--- a/patator.py
+++ b/patator.py
@@ -377,13 +377,13 @@ http_fuzz url='http://10.0.0.1/login?username=admin&password=_@@_FILE0_@@_' -e _
  0=words.txt -x ignore:'code=200|size=1500-|fgrep=Welcome, unauthenticated user' -X'|'
                 (b)                                                              (c)
 
-* Brute-force logon that enforces a random nonce to be submitted along every POST.
-  (a) Request page that provides the nonce as a hidden input field using GET.
-  (b) Use regex to extract the nonce that is to be submitted by the main request.
+* Brute-force logon that enforces two random nonces to be submitted along every POST.
+  (a) First, request the page that provides the nonces as hidden input fields.
+  (b) Use regular expressions to extract the nonces that are to be submitted along the main request.
 ---------
-http_fuzz url=http://10.0.0.1/login method=POST body='user=admin&pass=FILE0&nonce=_@@_' accept_cookie=1
- before_urls=http://10.0.0.1/index before_egrep=_@@_:'nput type="hidden" name="nonce" value="(\w+)"/>'
-           (a)                                    (b)
+http_fuzz url=http://10.0.0.1/login method=POST body='user=admin&pass=FILE0&nonce1=_N1_&nonce2=_N2_' 0=passwords.txt accept_cookie=1
+ before_urls=http://10.0.0.1/index before_egrep='_N1_:<input type="hidden" name="nonce1" value="(\w+)"|_N2_:name="nonce2" value="(\w+)"'
+           (a)                                (b)
 
 * Test the OPTIONS method against a list of URLs.
   (a) Ignore URLs that only allow the HEAD and GET methods.
@@ -2471,7 +2471,7 @@ class HTTP_fuzz(TCP_Cache):
     ('timeout_tcp', 'seconds to wait for a TCP handshake [10]'),
     ('timeout', 'seconds to wait for a HTTP response [20]'),
     ('before_urls', 'comma-separated URLs to query before the main request'),
-    ('before_egrep', 'extract substring from the before_urls responses to include it in the main request'),
+    ('before_egrep', 'extract data from the before_urls response to place in the main request'),
     ('after_urls', 'comma-separated URLs to query after the main request'),
     ('max_mem', 'store no more than N bytes of request+response data in memory [-1 (unlimited)]'), 
     )
@@ -2574,12 +2574,13 @@ class HTTP_fuzz(TCP_Cache):
         perform_fp(fp, 'GET', before_url)
 
       if before_egrep:
-        mark, regex = before_egrep.split(':', 1)
-        val = re.search(regex, response.getvalue(), re.M).group(1)
+        for be in before_egrep.split('|'):
+          mark, regex = be.split(':', 1)
+          val = re.search(regex, response.getvalue(), re.M).group(1)
 
-        header = header.replace(mark, val)
-        query = query.replace(mark, val)
-        body = body.replace(mark, val)
+          header = header.replace(mark, val)
+          query = query.replace(mark, val)
+          body = body.replace(mark, val)
 
     path = quote(path)
     query = urlencode(parse_qsl(query, True))