MalZilla

[sowhat-x]

Idea that came to mind while digging through stuff locally...

Both 'Cookies' and 'Links Parser' extraction are obviously already there....
what about a 'Forms' extraction tab maybe? 
I've also have a couple of Delphi sources archived here,
meant exactly for this feature/capability...

[bobby]

Hi sowhat-x,

Any examples of files with Forms that would need to be extracted?
I'm not some HTML guru, so I would need a couple of examples to see what needs to be done.
If it is a tag, Malzilla already has a tag extraction engine, I just need to tell it to extract this one too.

Please, write your suggestions here.
Day after tomorrow I'll have some time in the evening to code, so if anyone have a suggestion - please write it before that.

[MysteryFCM]

Standard code for forms is;

Code: [Select]

<form name="{VALUE}" action="{FILE}" method="{POST_OR_GET}">
{FIELDS}
</form>
Where {FIELDS} is typically one or more of the following;

Code: [Select]

<input type="text" ....>
<input type="hidden" ...>
<input type="checkbox" ....>
<input type="password" ....>
<input type="radio" .....>
<textarea .....>
<select ....>
The spec is available at;

http://www.w3.org/TR/html4/interact/forms.html

The spec mentions the use of LABEL for the field names;

Code: [Select]

<FORM action="http://somesite.com/prog/adduser" method="post">
    <P>
    <LABEL for="firstname">First name: </LABEL>
              <INPUT type="text" id="firstname"><BR>
    <LABEL for="lastname">Last name: </LABEL>
              <INPUT type="text" id="lastname"><BR>
    <LABEL for="email">email: </LABEL>
              <INPUT type="text" id="email"><BR>
    <INPUT type="radio" name="sex" value="Male"> Male<BR>
    <INPUT type="radio" name="sex" value="Female"> Female<BR>
    <INPUT type="submit" value="Send"> <INPUT type="reset">
    </P>
 </FORM>
... but I've never seen anyone use that ..... typically people use td's to seperate these, for example;

Code: [Select]

<form action="{file}" name="{VALUE}" method="{GET_OR_POST}">
<table>
<tr><td>Name:</td><td><input type="{TYPE}"></td></tr>
</table>
</form>

[bobby]

Ah, I got it now, thanks MysteryFCM.
I didn't realize it is about POST forms (thats what I call them, probably wrong but...)

@sowhat-x
Problem is, I don't get it what I should extract here?
You want me to render the form, so you can enter values and send the form data?
Malzilla intentionally does not have any rendering engine. That way it can stay away of being exploited in the same manner like browsers are exploited.

[MysteryFCM]

Malzilla intentionally does not have any rendering engine. That way it can stay away of being exploited in the same manner like browsers are exploited.

Same reason vURL DE doesn't

[sowhat-x]

...MysteryFCM was way faster than me in replying,he-he...
yes,it's 'post' forms I was talking about,and actually,
I was afraid of the term being confused with...Delphi 'forms' themselves,lol... 
Have a look at this python app called 'twill" for example,
among other things,the 'showforms' command can give the very exact idea of it:
http://twill.idyll.org/

Being able to fill in/send 'post' data is not of that much interest I guess,
it's not 'web application' testing after all...I mean,I have never seen some kind of infected page,
that 'rotates'/pushes different exploits and malware,depending on user's input on post forms...
Maybe others more experienced have,I certainly haven't though...brrr...nasty thought...

Simply listing them though,separated from the rest of the html code,would be quite nice...
ie.to have a more 'clean' idea of the html's structure...

[bobby]

I did saw some web sites that required POST data to get the process to continue.
In one such case I have worked together with MysteryFCM

The fact is, in last two years I have probably saw some 5 such cases.
Some kind of POST editor does exists on my ToDo list for Malzilla, but I didn't gave it any priority and I do not have a clear picture how it should look like.

I still do not have a clear picture what a form tab should show to the user...
List of forms (do every form in HTML have a unique identifier if more than one form is on the page)?
Separate tab for every form found which would show the code of that form?

[sowhat-x]

...or another one that came to mind,a really older vb-coded app,
that was called 'Form Scalpel'...it is still available from PacketStorm's repository:
http://packetstormsecurity.org/web/index2.html
Honestly though,don't really bother yourself much with it,
as this is something that simply helps in reading/breaking down the html structure,
ie.it certainly doesn't help in making the malware scripts themselves more 'readable' in any way...

I still do not have a clear picture what a form tab should show to the user...

Something somewhat similar to 'Judas' that I posted today in the forum,
or say like 'Form' came to mind...want me to upload somewhere else instead of Rapidshare?

[MysteryFCM]

Bobby,
Generally speaking, the form tag will include either "name", "id" or both (e.g. name="{NAME}" or id="{ID}"). However, as nested forms are very rare, it's generally just a case of parsing out everything between the opening and closing form tags (and where more than one form is present, then processing the second, third whatever form).

I'm not sure about Delphi, but with MS XML, it's simply a case of identifying which method it expects (GET or POST), then identifying the fields it is expecting (including the hidden one's), then sending the data it's expecting via an XML request.

To have this in Malzilla would probably be best by doing the following;

1. ID the form and it's action value
2. ID the fields within the form
3. Provide a string builder for the fields the form expects

Obviously it'll not be as simple as I've made it sound, but it's just a thought

[sowhat-x]

...quickly uploaded both 'Form' and 'Judas' to Googlepages as well,
password is simply 'password',without quotes...
http://sowhatx.googlepages.com/FormFinal.rar
http://sowhatx.googlepages.com/Judas.rar

Note that some AV products flag 'Form' as a 'Hacktool',
since it was meant for bruteforcing html pages,he-he... 

Edit:Uploaded 'Form Scalpel' as well,same password...
(the extra vb dlls might need regsvr32 first):
http://sowhatx.googlepages.com/FormScalpel.rar

[bobby]

Sorry for the late reply... I was pretty busy last couple of days.
New Malzilla uploaded:
https://sourceforge.net/project/showfiles.php?group_id=203466

We are now using hacked SpiderMonkey.
Please also take a look at the new tutorials.

@sowhat-x
Thanks for the uploads. Got them all

[MysteryFCM]

Nice one cheers

[sowhat-x]

Heh,compared with earlier v0.91/v0.92 builds,it's miles ahead... 

...made a single pdf from the first 3 Malzilla's tutorials for 'offline' usage:
now why would anyone need them if being offline in the first place,
that's something beyond my imagination,he-he...but anyway...
http://rapidshare.com/files/102201005/MalzillaIntro.pdf.html
Alternatively:
http://www.megaupload.com/?d=IFMPWEVK

Wasn't really sure on how to handle the scripts in the newest two documents:
on the one hand,I couldn't get them to properly fit as 'static' printed images,
and I also didn't really liked the idea of handling them as pdf 'attachments'.
I preferred to leave them out for the time being,if any other suggestions/ideas arise...

P.S:...ehmm...felt a bit embarrassed...i mean,regarding the 'about' box:
as it's JohnC that's doing all the 'real'/hard work...

[MysteryFCM]

Just got some time to look at the tutorials too and they're great dude (good to see the code I had problems with in there too as it may have confused others too  ).

[tjs]

Great stuff!

When you use malzilla on dual monitors, and malzilla is in focus on the secondary monitor the splash screen stays on top on the primary monitor.