Welcome to the documentation of the ELZA scripting language.
====================================================================
----- } INTRODUCTION
====================================================================
The ELZA is a scripting language aimed at automating requests to web
pages.
Scripts written in ELZA can mimic browser behavior almost perfectly,
making it very difficult for remote servers to distinguish their activity
from the activity generated by ordinary users and browsers.
This lets such scripts act upon servers that will not respond to requests
generated with netcat, gammaprog, rebol, or similar tools.
Core features:
- Extraction of _dynamic_ URLs from links, frames, layers, image maps,
applet parameters and other HTML elements, based on _static_ attributes
of those elements, such as name, sequence number or the text visible to
the user.
- Handling of forms, passing custom form fields and field values,
collecting hidden form fields;
- Following redirects and refreshes;
- Proper handling of cookies, honoring their Path and Domain attributes;
- HTTP Referer, User-Agent, and other HTTP headers for perfect mimicry;
- Handling HTTP Basic and Digest authentication
including dictionary attacks;
- Support for Keep-Alive connections.
- Quite sophisticated looping for repeated requests or dictionary attacks;
- Conditional execution;
- HTTPS communication via a SSL tunnel;
- Arbitrary changing of the request destination;
- HTTP and SOCKS Proxy server support (including rotation);
- Pausing and resuming.
ELZA scripts can also be run remotely, with the interpreter acting as a CGI
script that takes its input from a POSTed form, or forked into several
cooperating processes.
Please read the sections below for more information.
---------- } WHAT ELZA IS NOT
Elza is NOT a fancy Win32 application written in MFC 2000, featuring:
- Cool menu animations;
- Cooler background textures;
- Even cooler dialog boxes with irregular geometry.
- Multithreading able to bring down the Windows 95 kernel.
Elza is NOT a tool that will get you into an HTTP server through the front
door. If you want to attack somebody, you have to construct an attack first.
If you want to do dictionary attacks, you have to find a dictionary as well.
However, once you construct an attack, the ELZA is probably the tool that
will be able to carry it out.
---------- } BLACK HATS
--------------- } MAKE SERVERS TRUST YOU
I am positive that using "nc www.some-server.com 80" can go a long way
if you want to talk to a web server, but I am also positive that nc does
not have cookie-handling capabilities.
The ELZA will try to make the HTTP daemon and its scripts trust you (as
much as they would trust any user browsing). To them you will appear as a
valid person browsing around. The ELZA will:
1. Follow a completely legitimate path through the server, instead
of hammering directly at some URL deeply inside.
2. Send valid REFERER and USER-AGENT request fields, along with some
others for greater mimicry.
3. Accept cookies and send them back, honoring 'path' and
'domain' attributes of the cookie.
4. Collect all HIDDEN fields from a page to send them with
the next request.
5. Determine valid URLs for objects, following dynamic links,
redirects, refreshes, frames, layers, etc.
6. Authenticate using forms or HTTP basic and Digest authentication.
To summarize, the ELZA places you in a position to make the requests you
want while being trusted by the server.
--------------- } DO WHATEVER YOU WANT
After you have established trust with the web server, you can do whatever
you want: automatically fill in heavily protected forms (or make local
copies of those), attempt buffer overflows or dictionary attacks.
Want to create 1000 hotmail accounts? No problem, just execute hotadd.elz
and feed in a list of usernames.
Want to hijack a heavily protected HTML form? Saving it locally will not
help - the dynamic stuff (fields, cookies, URLs) is gone, and you now have an
ugly 'Referer: c:\hack\hackform.html'. Instead, script the steps needed to
get to the remote form and have HTMLELZA generate a local form that takes
care of all those things.
--------------- } REMAIN UNNOTICED (until the end, probably)
0. Every effort has been made to make your requests look completely
legitimate, so that they raise no suspicion at the remote web server
and its CGI scripts. For example, no alarms will go off because
you have made a request without a valid User-Agent, or because
you are lacking a cookie the site's logic requires you to have.
1. Requests to the web server need not be issued in quick succession,
so they do not show up as a run of consecutive lines in the log
file, where they would be easier to spot.
2. Requests can be rotated through different proxy servers.
3. You are allowed to change your IP address between requests
(dialdown/dialup/DHCP renew).
--------------- } OVERFLOWING CAPABILITIES
It is certainly possible to cause a buffer overflow in a badly written
script, such as one that stores a field value in a 10-byte
long string variable, expecting the JavaScript check on the form that
posts to it to prevent the input of more than 8 bytes.
However, you will not be able to overflow this buffer if there are
numerous cookie checks in the CGI script before the code that overflows.
If you hammer directly at such a script, you will never get to the
overflowing part.
Here, the ELZA comes in handy. It will make nice requests to the remote
web server, requests that have all the things they should have, except
for the element(s) you want to overflow.
--------------- } PASSWORD BRUTE-FORCING AND BLIND REQUESTING
The ELZA can take data from an external file and feed it to remote
servers in various ways.
For example, you can feed in a dictionary file and perform a dictionary
attack against web pages requiring authentication via HTTP or via a logon
CGI script. The ELZA supports MD5 Digest authentication.
Or, you can feed in a list of URLs and have the ELZA request them and see
if they exist.
You can do all this multithreaded, over Keep-Alive connections, using HEAD
requests.
Feel the difference.
---------- } WHITE HATS
--------------- } SIMULATIONS AND LOAD GENERATION
I am by no means an expert on clustered web servers, but I do not think
that you can evaluate the performance of your server by sending in
a bunch of "GET /index.html HTTP/1.0\n\n" requests, if, for example,
your hyper-secure authentication scripts make 1000 SQL requests for
a single user and your hyper-cryptographically-robust cookie-generation
algorithm takes 10 minutes to complete. Using this script, you can both
force the hyper-secure authentication scripts to make the 1000 database
requests and force the hyper-cryptographically-robust cookie generators and
validators to generate and validate the 10-minute cookies.
The ELZA can help you answer the following basic questions:
1. How does your server react to dictionary attacks against your
authentication mechanisms? You see the log grow, and then what?
2. How does your server react to repeated requests for nonexistent URLs?
Do you treat this as somebody hammering on his keyboard and
pressing the ENTER key in Internet Explorer?
3. How long does it take you to service 1000 legitimately filled
add-new-user registration forms?
--------------- } IMPROVING INTRUSION DETECTION AND
AVOIDING RESPONDING TO MALICIOUS REQUESTS
If you currently think that a valid REFERER and USER-AGENT in the
request guarantee that the request comes from some good guy with
a typical browser, I hope you will think so no more.
Recently, there was a post to BugTraq stating that one can fool
IE5 into sending an arbitrary REFERER header. Well, it is self-evident
that no IE5 is needed. This script gives people enough of the
functionality of IE, plus a lot more.
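The following Python program is an added example, not part of ELZA or its Perl source. It runs the kind of check a server operator would want for the questions in the SIMULATIONS section and this one, over a few constructed log lines in Apache's combined format: a client is flagged once it collects too many 401 (password guessing) or 404 (URL scanning) responses inside a time window. Referer and User-Agent are parsed and reported but deliberately not used for the decision, because a client like ELZA sends whatever it likes in them. The thresholds, addresses and timestamps are made up for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# NCSA combined log format as written by Apache 1.3:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)


def parse_line(line):
    """One log line -> dict, or None if it is not in the expected format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, window=300, max_401=5, max_404=10):
    """Flag a client once it collects max_401 authentication failures
    (password guessing) or max_404 misses (URL scanning) within `window`
    seconds. Referer and User-Agent are only recorded for the alert; they
    never influence the decision, since the client chose what to send."""
    recent = defaultdict(deque)  # (ip, status) -> timestamps inside the window
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] not in (401, 404):
            continue
        q = recent[(rec["ip"], rec["status"])]
        q.append(rec["time"])
        while (q[-1] - q[0]).total_seconds() > window:
            q.popleft()
        limit = max_401 if rec["status"] == 401 else max_404
        if len(q) == limit:  # fire once, when the threshold is reached
            alerts.append((rec["ip"], rec["status"], rec["referer"], rec["ua"]))
    return alerts


# Constructed log excerpt: one client guesses passwords at a paced,
# browser-looking rate (valid Referer, IE5 User-Agent); another browses.
UA = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
SAMPLE_LOG = [
    f'10.0.0.5 - - [10/Jan/2000:10:00:{s:02d} +0000] "GET /private/ HTTP/1.0" 401 401 '
    f'"http://www.example.com/" "{UA}"'
    for s in (1, 9, 17, 26, 34, 41)
] + [
    f'10.0.0.9 - - [10/Jan/2000:10:00:30 +0000] "GET /index.html HTTP/1.0" 200 1043 "-" "{UA}"',
    f'10.0.0.9 - - [10/Jan/2000:10:00:31 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 210 "-" "{UA}"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the guessing client in the sample spaces its requests seven to nine seconds apart, exactly the 'sleep' trick from the REMAIN UNNOTICED section; counting per client over a window still catches it, whereas looking for adjacent lines in the log would not.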
---------- } REMOTE EXECUTION
The ELZA interpreter can be run as a CGI script, taking variables from
an HTML form and using them when performing its work.
For example, you can post a form on your site that creates valid hotmail
accounts, or does SMS messaging, or whatever ... the sky is the limit.
====================================================================
----- } INSTALLATION
====================================================================
---------- } REQUIREMENTS
0. An operating system of some sort.
1. Perl
Win32 - look at www.activestate.com
Other - see your favorite distribution site.
2. The MIME::Base64 Perl module for password encoding
http://amaunet.informatik.uni-dortmund.de/cgi-bin
/CPAN/authors/id/GAAS/MIME-Base64-2.11.tar.gz
3. An SSL tunnel for making HTTPS requests.
Win32 - http://mike.daewoo.com.pl/computer/stunnel/
Other - see your favorite distribution site
4. The Net::SOCKS Perl module for SOCKS proxy support.
Get one from your local CPAN mirror.
5. The Digest::MD5 Perl module for MD5 Digest authentication.
---------- } INSTALLATION
1. Unzip the archive into a single directory. If you want to run ELZA
scripts remotely, place a copy in your favorite cgi-bin directory.
2. Edit elza.def and configure it for your operating system and
SSL tunnel.
3. Edit the first line of elza.pl to point to the location of your Perl.
---------- } COMPATIBILITY
This script has been tested on the following platforms:
1. Windows 95 B and C
+ perl 5.003_07 Build 316
+ apache 1.3.9 + stunnel i586-pc-mingw32-gnu WIN32
2. DosLinux (Debian-derivative)
+ perl + apache 1.3.3 + stunnel
(all coming from the respective debian packages)
(both fitting on a single 200Mb hard drive)
==========================================================================
----- } COMMAND LINE INTERFACE
==========================================================================
The interpreter (elza.pl) has a relatively simple interface:
perl elza.pl SCRIPT.elz
or
./elza.pl SCRIPT.elz
(if you have configured the first line of elza.pl)
or
perl elza.pl
(and then specify the script file when prompted).
Variables are specified either in the .elz script, or in elza.def
If you want to run the ELZA as a CGI script, please read the corresponding
section below.
If you want to run multiple instances of ELZA, also see below.
==========================================================================
----- } SUBSTS AND VARIABLES
==========================================================================
---------- } GENERAL CONSIDERATIONS
The ELZA distinguishes between 'substs' and 'variables'.
Substs are things you set with the sole intent that wherever they are
encountered, they will be replaced with the content you specify. The
replacement is purely textual and happens before the statement is
interpreted, so statements never see the subst name itself. So, if you have:
subst foo = bar.html
get url http://localhost/foo
you will perform a GET on bar.html, because the subst foo was
replaced with the value bar.html.
The %VARIABLE% subst contains the current value of the variable VARIABLE.
For example:
print %body%
will print the value of the variable 'body' for you.
Variables hold values set up by user, as well as things the ELZA set up,
such as the current host or port, the last HTML body returned, etc.
---------- } SETTING SUBSTS
Any occurrence of a subst in the command file from now on will be replaced
with VALUE, no matter where it is (except on 'subst' lines pertaining to
the same subst; see the note at the end of this section).
subst SUBST = VALUE
Sets SUBST to VALUE.
subst SUBST c= COOKIE
Sets SUBST to the current value of COOKIE.
subst SUBST f= FIELD
Sets SUBST to the current value of the FIELD form field.
subst SUBST ? DEFAULT VALUE
This will prompt the user to enter a value for SUBST.
DEFAULT VALUE is used if the user does not enter anything (i.e.
just hits enter).
NOTE: If no VALUE or DEFAULT VALUE is provided, the subst is set
to an empty string, that is, any future occurences _are_ replaced
with an empty string.
subst SUBST -
Deletes SUBST and it is not substituted any more. If you want
to set a subst to an empty string, do the following:
subst SUBST =
subst SUBST random BEGIN END
Will set SUBST to a random value somewhere in the range from BEGIN
to END.
subst SUBST between BEGINHTML ENDHTML
Will scan the last response received (or the current container) and
will set SUBST to the first text that happens to be between BEGINHTML
and ENDHTML. Case insensitive. For example:
subst APACHE_ADDRESS between <address> </address>
will set APACHE_ADDRESS to whatever is between those tags, and this
is the signature of the Apache server that has generated the HTML
we are examining.
subst SUBST @ VALUE1 VALUE2 VALUE3
Pushes all VALUEs in an array so that the first is substituted the
first time the SUBST is encountered, the second - the second time
and so on. After all VALUEs have been cycled, we start again from
the first value. For example:
subst BOZO @ one.html two.html three.html
get url /BOZO
get url /BOZO
get url /BOZO
get url /BOZO
will make the following requests:
GET /one.html
GET /two.html
GET /three.html
GET /one.html
NOTE: Using substs of this type in 'print' statements does not
alter the counters, so you can print the current value of a
subst, without fearing that you will print the next value in fact.
For example, this is safe to do:
subst BOZO @ one.html two.html three.html
get url /BOZO
print We just requested BOZO
If you want to use the same value of a dynamic SUBST more than once,
you either need to use a 'call PROCNAME SUBST ' construction, or
assign the current value of the dynamic SUBST to a static one.
For example:
subst BOZO @ one two three
# Those two requests will go to the 'one' directory
subst DIRECTORY = BOZO
get url /DIRECTORY/one.html
get url /DIRECTORY/two.html
# The next two requests will go to the 'two' directory
subst DIRECTORY = BOZO
get url /DIRECTORY/one.html
get url /DIRECTORY/two.html
subst SUBST raw FILENAME
Will take the first 100000 or less characters from FILENAME and
will feed them into SUBST. You can possibly deliver payloads
this way.
NOTEZ:
A SUBST will not be substituted on lines beginning with
'subst SUBST' (i.e. lines, pertaining to the same SUBST).
That is, you can NOT (currently) do the following:
subst foo = bar
subst foo = bozo
and get subst bar = bozo
---------- } SETTING VARIABLES
var VARIABLE = VALUE
This will set the VARIABLE variable to VALUE. For example, to
turn on dumping, you will do the following:
var rawfile = dump.raw
var VARIABLE from ATTRIBUTE @ TAGTYPE TAGMATCHATTRIB TAGMATCHVALUE
This will set VARIABLE to the ATTRIBUTE of the first tag of type
TAGTYPE that has TAGMATCHATTRIB equal to TAGMATCHVALUE.
For example,
var THELINK from text @ link number 1
will set THELINK to the visible text of the first link of the
current html page.
var ALTTEXT from alt @ img src foo.jpeg
will set ALTTEXT to the alt attribute of the <IMG> tag that points
to foo.jpeg.
var VARIABLE =
Sets VARIABLE to an empty string.
var VARIABLE -
Deletes VARIABLE.
var VARIABLE ? DEFAULT VALUE
Prompts for value for VARIABLE.
var VARIABLE c= COOKIE
Sets VARIABLE to the value of COOKIE.
Please note that setting a VARIABLE to an empty string is different from
deleting it entirely.
==========================================================================
----- } MAKING REQUESTS
==========================================================================
This is what the ELZA is all about - making requests.
(get|post|head) url URL
Will perform a request directly on the URL. Use if you
want to perform some action on a object that has fixed
URL. Examples:
get url http://www.some-server.com
post url http://www.some-server.com/cgi-bin/phf
(get|post|head) TAG TAGATTRIBUTE ATTRIBUTEVALUE
Will scan the last response received (or the container, see below)
for a TAG with TAGATTRIBUTE equal to ATTRIBUTEVALUE and will perform
the request to the URL contained within the tag. Case sensitive.
Examples:
get link text Compose
will scan for an <A> tag that has "Compose" as the tag-stripped
text between <A> and </A> and will follow the URL specified in
the HREF tag attribute.
get link raw <B>Compose</B>
Will do the same, but will do a match on the raw HTML between
<A> and </A> as it is.
Use those if you want to go to a URL that changes with each
session, such as the URL of the "Compose Message" page in
Hotmail. The "Compose" text, however, is constant, and leads
us to the HREF.
post form name passwordform
will scan for a <FORM> tag named "passwordform" and will do a
POST against the URL in the ACTION attribute of the tag.
get frame number 1
will scan for the first <FRAME> tag and GET the URL from the SRC
attribute of the tag.
(get|post|head) area coords COORDINATES
(get|post|head) area name AREANAME
Will simulate a user clicking on the area of a client-side
imagemap that has these coordinates or this name.
For example: get area coords 0,19,68,50
(get|post|head) refresh
Will scan for the first <META HTTP-EQUIV="Refresh"> tag and will
follow the URL referenced in the CONTENT portion of the tag.
(get|post|head) %Location%
Will follow a 30* Moved server response, if the autoredir variable
is not set to 'on'. If it is set to 'on', such responses are
processed automatically.
hostmap FROMHOST FROMPORT TOHOST TOPORT
Creates a mapping so that every subsequent request destined to
FROMHOST on FROMPORT will be sent to TOHOST on TOPORT. The request
is preserved as it is and the 'host' and 'port' system variables
do not change.
If a proxy server is defined, the request will be piped through it
unmodified, i.e. it will go to FROMHOST on FROMPORT. To avoid this,
declare that FROMHOST on FROMPORT should not be accessed through
a proxy:
noproxy FROMHOST FROMPORT
hostmap FROMHOST FROMPORT TOHOST TOPORT
hostmap FROMHOST FROMPORT -
Deletes a previously created hostmap.
noproxy HOST PORT
Specifies that from now on requests to HOST on PORT will not be
piped through a proxy server, if one is defined, but will rather
be requested directly.
noproxy HOST PORT -
Removes the effect of a previously established 'noproxy' directive.
==========================================================================
----- } HANDLING FIELDS
==========================================================================
All fields set within the script will be transmitted ONLY with the next
request performed.
field NAME = VALUE
Sets field with name NAME to value.
field NAME ? DEFAULT VALUE
Prompts the user to enter a value
field NAME $
Scans the HTML for a HIDDEN field with name NAME and collects the
value to send it with the next request.
field %ALL% $
Collects all HIDDEN fields in the manner explained above.
field NAME > LENGTH
Sets the NAME form field to a bogus value with a length of
LENGTH. Useful if you try to overflow something.
field %BOGUS% NAMELENGTH VALUELENGTH
Sets a bogus field with a name of NAMELENGTH characters
long to a value VALUELENGTH characters long.
field NAME -
Deletes field with name NAME from the list and it will not be
sent with the next request. This is useful if you first collect
all hidden fields, and then remove those you don't like.
field %ALL% $
field unwanted-field -
NOTEZ:
If you want to recycle field values, please set them as substs beforehand:
subst SEARCHSTRING = foo bar
field p = SEARCHSTRING
get url http://search.yahoo.com/bin/search
field q = SEARCHSTRING
get url http://www.altavista.com/cgi-bin/query
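An added example, in Python rather than ELZA or its Perl source, of what 'field %ALL% $', 'field NAME -' and 'post form name NAME' (from the MAKING REQUESTS section) have to do under the hood: find the form by its NAME attribute, collect its HIDDEN inputs in document order, drop the unwanted one, add the visible fields, and resolve the ACTION against the URL of the page the form came from. The page, form and field names are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin


class FormCollector(HTMLParser):
    """Collects every <FORM> with its action, method and HIDDEN inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases tag and attribute names
        if tag == "form":
            self._current = {
                "name": a.get("name"),
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "hidden": {},  # insertion order is document order
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden" and a.get("name"):
                self._current["hidden"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_form(html, name):
    """'post form name NAME' needs the form whose NAME attribute matches."""
    parser = FormCollector()
    parser.feed(html)
    return next((f for f in parser.forms if f["name"] == name), None)


def build_post(page_url, html, form_name, fields, drop=()):
    """Assemble the request that the sequence
         field %ALL% $        (collect hidden fields)
         field NAME -         (drop the unwanted ones)
         field NAME = VALUE   (set the visible ones)
         post form name NAME
    would send. Returns (absolute action URL, urlencoded body)."""
    form = find_form(html, form_name)
    if form is None:
        raise LookupError(f"no form named {form_name!r} in page")
    data = dict(form["hidden"])
    for name in drop:
        data.pop(name, None)
    data.update(fields)  # explicit fields override hidden ones of the same name
    return urljoin(page_url, form["action"]), urlencode(data)


# Constructed login page: note the hidden session id and tracking fields
# that a locally saved copy of the form would lose.
SAMPLE_PAGE = """
<html><body>
<form name="search" action="/bin/search"><input name="p"></form>
<form name="passwordform" method="post" action="/cgi-bin/login.pl">
  <input type="hidden" name="sessid" value="8f3a">
  <input type="hidden" name="trk" value="banner42">
  <input type="hidden" name="stage" value="2">
  <input type="text" name="user">
  <input type="password" name="passwd">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

if __name__ == "__main__":
    url, body = build_post("http://127.0.0.1/login.html", SAMPLE_PAGE,
                           "passwordform", {"user": "philip", "passwd": "secret"},
                           drop=("trk",))
    print("POST", url)
    print(body)
```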
==========================================================================
----- } MANIPULATING COOKIES
==========================================================================
By default, the script will accumulate all cookies received and will
pass them with subsequent requests, honoring the 'domain' and 'path'
attributes. If a new value or new attributes for an existing cookie are
received, they prevail over the old ones.
cookie COOKIENAME = COOKIEVALUE
Adds a cookie named COOKIENAME with a value of COOKIEVALUE to the
cookie list and transmits it as is in a Cookie: field in
every request from now on.
If you want to stop sending a cookie, delete it using - syntax.
cookie COOKIENAME path VALUE
cookie COOKIENAME domain VALUE
Will set the 'path' or 'domain' attribute of COOKIENAME to VALUE. It
is much better to do a 'cookie COOKIENAME = COOKIEVALUE' to add the
cookie before specifying its path or domain.
cookie COOKIENAME > LENGTH
cookie COOKIENAME ? DEFAULT VALUE
cookie COOKIENAME -
Those act in the manner described above (overflow,ask,delete)
cookie %ALL% -
Deletes all cookies _currently_ available. Future accumulation of
cookies will go as usual.
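An added Python example (not ELZA's own code) of the cookie bookkeeping described above: the defaults a client must apply when a cookie arrives without a Domain or Path, the domain-suffix and path-prefix rules that decide which cookies accompany a given request, and a newer cookie replacing an older one with the same name, domain and path. The hostnames and cookie values are constructed.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header, request_host, request_path):
    """Split one Set-Cookie header into (name, value, domain, path).

    A missing Domain defaults to the host that sent the cookie; a missing
    Path defaults to the directory of the request URL. Browsers do this,
    so a client that wants to pass for one must do the same."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = request_host
    path = request_path.rsplit("/", 1)[0] or "/"
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            domain = val.lstrip(".").lower()
        elif key == "path" and val:
            path = val
    return name.strip(), value.strip(), domain, path


def path_matches(request_path, cookie_path):
    """Path match: equal, or the cookie path is a directory prefix."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    """Accumulates cookies and selects the ones to send for a given URL."""

    def __init__(self):
        self.cookies = {}  # (name, domain, path) -> value

    def receive(self, url, set_cookie_headers):
        u = urlsplit(url)
        host, path = u.hostname.lower(), (u.path or "/")
        for header in set_cookie_headers:
            name, value, domain, cpath = parse_set_cookie(header, host, path)
            # Same name, domain and path: the new cookie replaces the old one.
            self.cookies[(name, domain, cpath)] = value

    def cookie_header(self, url):
        """Value for the Cookie: request header, or None if nothing applies."""
        u = urlsplit(url)
        host, path = u.hostname.lower(), (u.path or "/")
        chosen = []
        for (name, domain, cpath), value in self.cookies.items():
            domain_ok = host == domain or host.endswith("." + domain)
            if domain_ok and path_matches(path, cpath):
                chosen.append((cpath, name, value))
        chosen.sort(key=lambda c: -len(c[0]))  # more specific paths first
        return "; ".join(f"{n}={v}" for _, n, v in chosen) or None


# Constructed exchange: a login page sets three cookies, one of them scoped
# to the whole example.com domain, and a later response overwrites 'tmp'.
jar = CookieJar()
jar.receive("http://www.example.com/cgi-bin/login.pl", [
    "session=abc123; Path=/; Domain=.example.com",
    "admin=1; Path=/admin",
    "tmp=old",
])
jar.receive("http://www.example.com/cgi-bin/login.pl", ["tmp=new"])

if __name__ == "__main__":
    for url in ("http://www.example.com/cgi-bin/next.pl",
                "http://mail.example.com/",
                "http://www.example.com/admin/",
                "http://www.other.com/"):
        print(url, "->", jar.cookie_header(url))
```

The 'tmp' cookie, having no Path of its own, is only sent below /cgi-bin, and only to www.example.com; 'session' follows you to every host under example.com. A client that sent every cookie everywhere would be trivial to tell apart from a browser, and a client that never sent the domain cookie would fail the site's logic.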
==========================================================================
----- } HTTP AUTHENTICATION
==========================================================================
When the ELZA runs into a URL that requires authentication,
it will start trying a single password, or all passwords from the
dictionary file if you have supplied one.
Once a valid pair is found, the ELZA will continue down
the script. If no pair from the dictionary is accepted by the
remote server, the ELZA will give up the request.
Currently, only one user and realm are supported at a time.
NOTE: If you are trying to dictionary-attack a form with a username and
password text boxes, this is not "HTTP authentication".
var user = USERNAME
Defines the USERNAME to be sent with passwords when authenticating.
var realm = REALM
Defines the REALM the username and the passwords belong to. If
authentication for a different realm is required, the ELZA will
generate an error condition.
var password = PASSWORD
Supplies a single password to be used when authenticating.
If it does not work, the ELZA will give up the request.
var dictionary = FILE
Uses FILE as a dictionary. Passwords are tried one after another
with no need of looping.
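The Digest computation and the give-up behaviour above, as an added Python example that is not part of ELZA: the client derives the RFC 2617 response for each dictionary word in turn and stops at the first one the server accepts, or returns None when the list is exhausted. The 'server' is a stand-in that keeps user:realm:HA1 the way an Apache htdigest file does, never the password itself; the realm, nonce, user and word list are constructed.

```python
import hashlib
import re


def md5hex(s):
    return hashlib.md5(s.encode("latin-1")).hexdigest()


def parse_challenge(www_authenticate):
    """Turn 'Digest realm="x", nonce="y", qop="auth"' into a dict."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge: " + scheme)
    out = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
        out[key.lower()] = quoted or bare
    return out


def digest_response(user, password, realm, nonce, method, uri,
                    qop=None, nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 response for algorithm=MD5, with or without qop=auth."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def dictionary_attack(challenge, user, method, uri, words, server_accepts):
    """Try every word once; stop at the first the server accepts, else give
    up and return None, the behaviour the text describes for ELZA."""
    ch = parse_challenge(challenge)
    qop = "auth" if "auth" in ch.get("qop", "").split(",") else None
    for word in words:
        response = digest_response(user, word, ch["realm"], ch["nonce"],
                                   method, uri, qop)
        if server_accepts({"username": user, "realm": ch["realm"],
                           "nonce": ch["nonce"], "uri": uri, "qop": qop,
                           "nc": "00000001", "cnonce": "0a4f113b",
                           "response": response}):
            return word
    return None


def make_server(htdigest_lines, method):
    """Stand-in for the remote httpd. Like an Apache htdigest file it keeps
    user:realm:HA1, never the password, and recomputes the expected
    response from the parameters the client sent."""
    table = {}
    for line in htdigest_lines:
        user, realm, ha1 = line.strip().split(":")
        table[(user, realm)] = ha1

    def accepts(p):
        ha1 = table.get((p["username"], p["realm"]))
        if ha1 is None:
            return False
        ha2 = md5hex(f"{method}:{p['uri']}")
        if p["qop"] == "auth":
            expected = md5hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        else:
            expected = md5hex(f"{ha1}:{p['nonce']}:{ha2}")
        return expected == p["response"]

    return accepts


# Constructed data: one htdigest entry for user 'philip' in realm
# 'Secret Area' with the password 'letmein', a challenge in the form Apache
# sends it, and a small word list.
HTDIGEST = ["philip:Secret Area:" + md5hex("philip:Secret Area:letmein")]
CHALLENGE = ('Digest realm="Secret Area", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", qop="auth", algorithm=MD5')
WORDS = ["password", "123456", "letmein", "qwerty"]

if __name__ == "__main__":
    server = make_server(HTDIGEST, "GET")
    print(dictionary_attack(CHALLENGE, "philip", "GET", "/private/", WORDS, server))
```

digest_response() reproduces the published RFC 2617 section 3.5 example (user Mufasa, realm testrealm@host.com, password 'Circle Of Life', GET /dir/index.html, qop=auth, nc 00000001, cnonce 0a4f113b), whose response is 6629fae49393a05397450978507c4ef1. Note that the nonce is chosen by the server and the cnonce by the client, so every guess has to be hashed afresh; there is nothing to precompute offline unless the server reuses nonces.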
==========================================================================
----- } PROCEDURES
==========================================================================
proc PROCNAME
...
endproc PROCNAME
Statements appearing within a proc are executed only if called
with a 'call' statement.
If you name your proc BEFOREREQUEST, it will be executed before
each request. This is useful if you want to rotate each request
through a different proxy server:
var proxyport = 8080
subst PROXY @ proxy1 proxy2 proxy3
proc BEFOREREQUEST
var proxyhost = PROXY
endproc BEFOREREQUEST
get url url1
get url url2
get url url3
... ...
get url url9999
==========================================================================
----- } CONDITIONAL EXECUTION AND OTHER OPTIONS
==========================================================================
if SOMETHING == VALUE COMMAND
if SOMETHING != VALUE COMMAND
if SOMETHING > VALUE COMMAND
if SOMETHING < VALUE COMMAND
Will make the ELZA execute COMMAND if the condition is met.
call PROCNAME
Will make the ELZA interpreter execute the PROCNAME procedure.
call PROCNAME if SOMETHING == VALUE
call PROCNAME if SOMETHING != VALUE
call PROCNAME if SOMETHING > VALUE
call PROCNAME if SOMETHING < VALUE
Makes the ELZA execute PROCNAME if a condition is true.
NOTE: Case-sensitive regexp is applied for '=='.
Example:
proc NOINDEX
print This is not a directory index
exit
endproc NOINDEX
get url http://localhost/
call NOINDEX if %body% != index of
print This is a directory index
label LABELNAME
Defines a label to be used by the 'goto' directive.
goto LABEL
goto LABEL if SOMETHING (==|!=|>|<) VALUE
Those act the way 'call' does, but instead of invoking a procedure,
they jump to the specified LABEL.
pause
Will make the ELZA pause and wait for the ENTER key.
This is useful if you want to enforce a dialup/dialdown or
a DHCP release/renew to obtain a different IP address or
use a different gateway.
sleep SECONDS
Will make the script sleep for SECONDS seconds and then
continue executing. This is useful if you do not want all
your requests to appear on consecutive lines in the
httpd or proxy log files.
print TEXT
Will print out "--- TEXT" plus a newline character.
printraw TEXT
Will print out TEXT as it is. You can use \n and \t .
exec EXPRESSION
Will execute EXPRESSION as Perl code.
For example:
exec print "OUTPUT"
is equivalent to
print OUTPUT
exit
Will end the script immediately.
continue
Will do nothing. Used in 'var onerror = continue' statements.
stats
Will print out the contents of the counters so far, without
zeroing them. Please note that I do not know how to measure small
intervals under Unix, so on such platforms, the times and the
other calculations will not be very precise.
==========================================================================
----- } INPUTTING DATA FROM A FILE OR ARRAY
==========================================================================
The ELZA can read data from an external file and use it when making requests.
This is useful for brute-forcing passwords and CGI scanning.
call PROCNAME SUBST @ VALUE1 VALUE2 VALUE3 VALUE4 ...
The ELZA will execute PROCNAME for every VALUE specified,
each time setting SUBST to the respective VALUE from the array.
call PROCNAME SUBST % FILE
The ELZA will open FILE and will perform PROCNAME for every line of
FILE each time setting SUBST to the respective line from FILE.
call PROCNAME SUBST forked FILE
This works exactly like the previous syntax. However, in forked
environments (see below), this syntax will ensure that the children
can successfully share a single FILE. That is, in a case of two
children, the first child will take the first line of the FILE,
the second - the second. The third line will be consumed by the
first child and so on. Thus, you can fork a dictionary attack using
a single dictionary and no word from the dictionary will be used
more than once or not used at all.
call PROCNAME SUBST ?
The ELZA will accumulate values for SUBST from STDIN until an
empty line is received.
NOTE:
Unlike the dynamic SUBSTs defined using 'subst SUBST @ ARRAY',
the 'call' statement sets a value for SUBST just before executing
the PROCNAME, and this value is _constant_ until the end of this
PROCNAME and therefore can be used many times within the PROCNAME
without fear.
---------- } EXAMPLES
Example #1 (Dictionary attack)
proc TRYONE
field user = philip
field passwd = PASSWORD
get url http://127.0.0.1/cgi-bin/loginform.pl
endproc TRYONE
call TRYONE PASSWORD % passwd.txt
Remember that fields are cleared after each HTTP request, so set
all of them within the procedure.
Example #2 (CGI Scanner)
proc TRYONE
get url http://127.0.0.1/cgi-bin/CGISCRIPT
endproc TRYONE
call TRYONE CGISCRIPT % cgi-scripts.txt
This will make the ELZA read cgi-scripts.txt and make one request against
the cgi-bin directory for each script listed in that file.
Example #3 (Nesting)
var onerror = continue
proc TRYSCRIPT
get url http://127.0.0.1/CGIDIR/CGISCRIPT
endproc TRYSCRIPT
proc TRYDIR
call TRYSCRIPT CGISCRIPT % cgi-scripts.txt
endproc TRYDIR
call TRYDIR CGIDIR @ cgi-bin cgi-local win-cgi
Here we make a request for every script in every directory: the outer
call sets CGIDIR from the array, the inner call sets CGISCRIPT from the file.
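Seen from the web server, Examples #2 and #3 leave a burst of 404 responses under the CGI directories, all from one client, which is exactly the "noise in the log files" that the onerror variable is there to limit. The following detector is an added example and is not part of ELZA: it runs over constructed Apache combined-format log lines (documentation IP addresses, invented script names) and flags a client that requested at least five distinct missing CGI paths within sixty seconds. The threshold, the window and the directory list are assumptions to tune; repeated hits on one broken link are deliberately not counted as a scan.

```python
"""Flag clients that probe CGI directories: many distinct 404s from one
IP in a short window.  Added example, not ELZA code; log lines, IPs and
script names are constructed."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# The directories iterated over in Example #3 (assumed list, extend as needed).
CGI_PREFIXES = ('/cgi-bin/', '/cgi-local/', '/win-cgi/')

# Constructed sample log: one scanning client, one client with a stale bookmark.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 2326
198.51.100.9 - - [12/Mar/2000:10:00:02 +0000] "GET /cgi-bin/search.pl HTTP/1.0" 404 209
198.51.100.9 - - [12/Mar/2000:10:00:02 +0000] "GET /cgi-bin/guestbook.pl HTTP/1.0" 404 209
198.51.100.9 - - [12/Mar/2000:10:00:03 +0000] "GET /cgi-bin/count.cgi HTTP/1.0" 404 209
198.51.100.9 - - [12/Mar/2000:10:00:03 +0000] "GET /cgi-local/search.pl HTTP/1.0" 404 209
198.51.100.9 - - [12/Mar/2000:10:00:04 +0000] "GET /cgi-local/guestbook.pl HTTP/1.0" 404 209
198.51.100.9 - - [12/Mar/2000:10:00:04 +0000] "GET /cgi-bin/loginform.pl HTTP/1.0" 200 512
203.0.113.5 - - [12/Mar/2000:10:00:09 +0000] "GET /cgi-bin/old.pl HTTP/1.0" 404 209
203.0.113.5 - - [12/Mar/2000:10:30:00 +0000] "GET /cgi-bin/old.pl HTTP/1.0" 404 209
"""


def parse_line(line):
    """(ip, timestamp, path, status) for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['path'], int(m['status'])


def flag_scanners(log_text, threshold=5, window_s=60, prefixes=CGI_PREFIXES):
    """Map client IP -> largest number of *distinct* missing CGI paths it
    requested inside any window_s-second window, for clients reaching
    threshold.  A client re-requesting the same dead link never adds up."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status == 404 and path.startswith(prefixes):
            misses[ip].append((ts, path))

    flagged = {}
    for ip, events in misses.items():
        events.sort()
        best = 0
        # Start a window at every miss; count distinct paths inside it.
        for i, (t0, _) in enumerate(events):
            in_window = {p for t, p in events[i:]
                         if (t - t0).total_seconds() <= window_s}
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == '__main__':
    print(flag_scanners(SAMPLE_LOG))   # the scanning client only
```

The quadratic window scan is fine for a log slice; for a live tail, keep a per-IP deque and evict events older than window_s on each insert.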
==========================================================================
----- } HTML TAG ATTRIBUTES
==========================================================================
---------- } ATTRIBUTE REFERENCE
All tags have the attributes one can expect them to have (such as href,
src, name, etc.) plus some others:
text
This attribute is the tag-stripped text between the tag and the
respective close tag (only if a closing tag exists).
For example, for the following HTML:
<A name="foo" href="bar"> This is<B> the </B>text </A>
<A name="foo2" href="bar2"> This is<B> another </B>text </A>
the text attribute of the first <A> tag is 'This is the text'
raw
This is the no-tag-stripped HTML between the open and the close tag.
Therefore, for the above example, the raw attribute will be
' This is<B> the </B>text '.
body
This is the body of the tag from < to >. For the example, body will
be '<A name="foo" href="bar">'.
number
This is the sequence number of the tag. For the example, number will
be '1', because this is the first <A> tag in the HTML.
---------- } USING TAG ATTRIBUTES
If you want to click on a link that says "Compose", you would use the
following:
get link text Compose
If you want to click on the 31-st link on a web page:
get link number 31
If you want to restrict subsequent parsing to the body of a single
<FORM> tag, you would do the following:
var container from raw @ form name theform
This will set your container (the HTML that is being parsed) to the
HTML between <FORM> and </FORM> of a form named 'theform'. Thus, you
will avoid parsing HIDDEN form fields located in other forms on the
same page.
==========================================================================
----- } ELZA BUILTIN VARIABLES
==========================================================================
Variables are set with 'var VARIABLE = VALUE'
keepalive = on
Will instruct ELZA to make Keep-Alive connections for much faster
HTTP access. I have noticed that Apache often does not honor
Keep-Alive if used with GET requests, because the length of the file
is not always known. However, if you use with HEAD, it will work just
fine, no matter what the server response is (200, 404, 401).
ses_rcv
ses_time
ses_speed
Those hold the stats from the last request. Please note that I do not know how to measure small
intervals under Unix, so on such platforms, the times and the
other calculations will not be very precise.
Speed is in bytes / sec. Time is in seconds.
container
If this variable is set, any subsequent statements (until the next
response from a server) will look for tags only within the contents
of container, rather than the entire HTML received from the last
response.
This enables you to restrict operations within a specific section
of the HTML, such as a <FORM>. For example:
var container from raw @ form name theform
will set the container to the HTML contained between <FORM> and
</FORM> tags of the form named 'theform'. So, this directive
field %ALL% $
will examine only the contents of this <FORM> for hidden tags,
and will not look into tags from other forms which may be present
in the initial HTML.
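The four extra attributes, the 'NAME ATTR VALUE' selectors behind 'get link text Compose', 'get link number 31' and 'var container from raw @ form name theform', and what a container does to 'field %ALL% $' are re-implemented below in Python as an added example. ELZA itself is Perl, so this is not its code; it mirrors the behaviour the manual describes. Input is the manual's two <A> tags plus a constructed page with two forms. Two assumptions: 'link' is read as "an <A> tag", and 'field %ALL% $' is read as "collect the hidden inputs"; html.parser lowercases tag and attribute names, so comparisons are case-insensitive.

```python
"""ELZA-style tag attributes (text, raw, body, number) and the 'container'
restriction, re-implemented in Python.  Added example, not ELZA's own code."""
import re
from html.parser import HTMLParser

# The manual's own sample HTML.
SAMPLE = ('<A name="foo" href="bar"> This is<B> the </B>text </A>\n'
          '<A name="foo2" href="bar2"> This is<B> another </B>text </A>')

# Constructed page with two forms, for the container demonstration.
FORMS = ('<FORM name="other"><INPUT TYPE="HIDDEN" NAME="token" VALUE="zzz">'
         '</FORM>\n<FORM name="theform">\n'
         '<INPUT TYPE="HIDDEN" NAME="session" VALUE="abc">\n'
         '<INPUT TYPE="TEXT" NAME="user"></FORM>')

_TAG_RE = re.compile(r'<[^>]*>')
_ALIAS = {'link': 'a'}   # assumption: ELZA's 'link' selects <A> tags


class TagCollector(HTMLParser):
    """Collects every tag with its HTML attributes plus ELZA's four extras."""

    def __init__(self, html):
        super().__init__(convert_charrefs=False)
        self.html = html
        # First index of each line, so getpos() (line, column) maps into html.
        self.line_starts = [0] + [m.end() for m in re.finditer('\n', html)]
        self.tags = []      # every tag, in document order
        self.stack = []     # tags still waiting for their close tag
        self.counts = {}    # running 'number' per tag name
        self.feed(html)
        self.close()

    def _pos(self):
        line, col = self.getpos()
        return self.line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        body = self.get_starttag_text()          # e.g. '<A name="foo" href="bar">'
        self.counts[tag] = self.counts.get(tag, 0) + 1
        rec = {'tag': tag, 'attrs': dict(attrs), 'body': body,
               'number': self.counts[tag], 'raw': '', 'text': '',
               'inner_start': self._pos() + len(body)}
        self.tags.append(rec)
        self.stack.append(rec)

    def handle_endtag(self, tag):
        # Close the nearest matching open tag; anything opened after it
        # (void tags such as <INPUT>) is simply dropped from the stack.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i]['tag'] == tag:
                rec = self.stack[i]
                del self.stack[i:]
                rec['raw'] = self.html[rec['inner_start']:self._pos()]
                rec['text'] = ' '.join(_TAG_RE.sub('', rec['raw']).split())
                break


def tags_in(html, name):
    """All tags of kind NAME ('a', 'link', 'form', ...) in HTML."""
    name = _ALIAS.get(name.lower(), name.lower())
    return [t for t in TagCollector(html).tags if t['tag'] == name]


def find_tag(html, name, attr, value):
    """ELZA's 'NAME ATTR VALUE' selector: the first matching tag, or None."""
    for t in tags_in(html, name):
        if attr == 'number':
            if t['number'] == int(value):
                return t
        elif attr in ('text', 'raw', 'body'):
            if t[attr] == value:
                return t
        elif t['attrs'].get(attr.lower()) == value:
            return t
    return None


def container(html, name, attr, value):
    """'var container from raw @ NAME ATTR VALUE': the raw inner HTML of the
    selected tag, which later statements parse instead of the whole page."""
    t = find_tag(html, name, attr, value)
    return t['raw'] if t else None


def hidden_fields(html):
    """What 'field %ALL% $' picks up (assumed reading): hidden inputs' name/value."""
    return [(t['attrs'].get('name'), t['attrs'].get('value'))
            for t in tags_in(html, 'input')
            if (t['attrs'].get('type') or '').lower() == 'hidden']


if __name__ == '__main__':
    first = tags_in(SAMPLE, 'a')[0]
    print(repr(first['text']), repr(first['raw']), first['body'], first['number'])
    print(hidden_fields(FORMS))                                   # both forms
    print(hidden_fields(container(FORMS, 'form', 'name', 'theform')))  # one form
```

Running the last two lines side by side shows the point of a container: without it, the hidden 'token' field of the unrelated form would be picked up and re-sent along with the target form's own fields.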
proxy = PROXYHOST PORT
From this line on, the script will pipe requests through
PROXYHOST proxy server on the PORT port. Equivalent to:
var proxyhost = PROXYHOST
var proxyport = PORT
NOTE:SSL requests are piped through the SSL tunnel, not
the proxy.
proxyhost = HOST
Sets the host part of a proxy definition to HOST
proxyport = PORT
Sets the port part of a proxy definition to PORT
sockshost = HOST
socksport = PORT
socksversion = VERSION
Set those three if you want to pipe requests through a SOCKS proxy.
NOTE: SOCKS support requires the NET::SOCKS module from CPAN and a
'$VAR{'sockssuport'} = 'on';' directive in elza.def
socksuser = USERNAME
sockspassword = PASSWORD
Set those if you want to authenticate to the SOCKS server.
sendagent = (on|off)
Enables or disables the sending of a User-Agent line in subsequent
HTTP requests. The default is 'on'.
agent = USERAGENT
Sets the current User-Agent to USERAGENT.
debug = on
Makes ELZA print an unacceptable amount of information about its guts.
silent = on
If set, the ELZA will output only the initial banner and
critical error messages. You have to produce the rest of the output
(if you need one) yourself using 'print' and 'printraw'.
If you want to suppress printing the banner, uncomment
$VAR{'silent'} = on
in the elza.def file.
If you are calling ELZA via POST, and you have
<INPUT TYPE="HIDDEN" NAME="silent" VALUE="on">
line in your form HTML, the ELZA will run completely silent
(no banner), which means that you have to construct a
Content-type: HTTP header at the top of your script:
printraw Content-type: text/plain\n\n
All the output is up to you. The ELZA is dumb.
rawfile = FILENAME
If set, the ELZA will dump to FILENAME communication with
remote servers in both directions.
tempfile = FILENAME
This is set in elza.def and controls the name of the temporary
files used to store the progress of a dictionary attack if one
is cancelled with Ctrl+C. If forking is used, the number of the
instance is appended to FILENAME so that each instance has its
own status file.
dumprequest = 1
Means that ELZA will dump the literal requests sent to servers.
dumprequest -
Means that ELZA will not dump the requests sent to the servers.
dumpheaders = 1
dumpheaders -
dumpbody = 1
dumpbody -
Those act in the manner described above, but on the header of
the response received and on the body of that response, respectively.
onerror = COMMAND
If an error condition occurs, the ELZA will perform COMMAND.
The default is "onerror = exit" to prevent further noise in the log
files of the remote server once you screw something up.
If you plan to brute-guess URLs, you need to use 'onerror = continue',
otherwise the ELZA will give up after the first 404 Not Found error.
realm = REALM
Sets the realm to which authentication is to be performed with the
available passwords
user = USERNAME
Sets the USERNAME the available passwords belong to.
Referer = URL
Sets the Referer to be sent with the next request (ONLY with the
next request). Please note the capital 'R'.
forcehead = on
Will make the ELZA interpreter close the HTTP connection after
receiving the header part. This is useful if you want to force
HEAD-like behavior when the server does not allow HEAD requests.
This is useful if the server insists on sending very large
request bodies, such as a deliberately constructed huge
401 Authorization Required message to slow down dictionary attacks.
See also the 'maxlines' variable.
binary = on
Makes the ELZA treat the next server response as a binary file
(download) and will save it to the rawfile intact.
The dumpheaders, dumpbody, and dumprequest variables are not honored
in such case.
sendreferer = no
Instruct the ELZA not to send a Referer: with requests.
honorhttps = no
Tells ELZA not to treat https:// URLs as SSL requests. So, it will
not spawn an SSL tunnel but will rather request the URL as if it is
an http:// one.
autoresume = on
Will instruct the ELZA to keep track of the current position in a
dictionary file. Thus, if you stop a dictionary attack with Ctrl-C,
the next time you run the script, the attack will start from the
position it was stopped on. This feature will only work properly
if you use one and only one dictionary in your script file.
body
Contains the body of the last HTTP response received (i.e. the HTML)
url
Contains the complete URL of the last object requested.
base
Contains the base for relative URLs in last HTML, as specified by
the <BASE> tag. Used internally.
prefix
Contains the prefix of the last URL requested. Either 'http://' or
'https://'.
request
Contains the part after the domain for the last URL requested.
For 'url' = http://www.foo.com/bar/bozo, 'request' will be
'/bar/bozo'
protoversion
Contains the HTTP protocol version contained within the last response
received;
retcode
Contains the numerical return code of the last response received.
E.g. '200'.
rettext
Contains the textual return code of the last response received.
E.g. 'OK'.
All HTTP headers received in last response are also stored as variables.
If you use those, make sure you manually reset them before the request,
to make sure they are holding current info, and not data from previous
responses.
==========================================================================
----- } USING THE ELZA IN REMOTE MODE (CGI)
==========================================================================
You have a script (hotadd.elz) that will create a Hotmail
account for you and you want to execute this script easily and remotely.
WARNING: Adding a CGI script to your httpd path may become a security risk.
STEP 1. PREPARE HOTADD.ELZ FOR REMOTE EXECUTION
1. In hotadd.elz, define ACCOUNT and PASSWORD as substs:
subst ACCOUNT = defaultaccount
subst PASSWORD = defaultpassword
... and use them down the file to fill in the
registration form ...
field reglogin = ACCOUNT
field passwd = PASSWORD
field passwd1 = PASSWORD
2. In hotadd.elz, add the following line
elza-web-enabled
... which instructs the ELZA that it is safe to execute this
script when in CGI mode.
STEP 2. PREPARE THE ELZA FOR REMOTE EXECUTION
1. Place elza.pl in a cgi-bin directory of yours. Defining
access restrictions is always recommended.
2. Edit the following line in htmlelza.pl to point to its URL
$PathToElza = 'http://localhost/cgi-elza/elza.pl';
STEP 3. PREPARE AN HTML FORM FROM HOTADD.ELZ
c:\elza> perl htmlelza.pl c:\elza\hotadd.elz hotadd.html
... this will produce an HTML file with textboxes to enter values
for the above-mentioned substs ACCOUNT and PASSWORD, and a button
to execute the hotadd.elz script.
Note that the absolute path to hotadd.elz is stored within the form.
See the HTML source to see how things are organised. Basically,
the 'elza-web-script' form field contains the script to
execute, while the other fields are treated as plain substs.
Upon clicking the button, the ELZA interpreter will set the two
substs to the values entered in the form, and execute the script.
NOTES:
If you are calling ELZA via POST, and you have
<INPUT TYPE="HIDDEN" NAME="silent" VALUE="on">
line in your form HTML, the ELZA will run completely silent
(no banner), which means that you have to construct a
Content-type: HTTP header at the top of your script:
printraw Content-type: text/plain\n\n
The HTML line is inserted by HTMLELZA if you have
var silent = on
in your script.
==========================================================================
----- } ADDITIONAL NOTES
==========================================================================
Please see the file somecode.txt for more things one can play with.
---------- } FORKING
If you ever need to spawn several incarnations of ELZA scripts
simultaneously, use the following methods:
Under Win32, use elzafork.pl
perl elzafork.pl 5 hotadd.elz
Will spawn 5 incarnations of hotadd.elz for you. Remember to look at
elzafork.pl to adjust it to your configuration.
If you want all the instances to share a single dictionary file, use
the 'call PROC forked FILENAME' syntax described above. If you have
5 children, each child will take every 5th line from the dictionary
and use it as you see fit.
Under Unix, you can use unixfork.pl and get the same result as above.
Or, you can use plain fork () in the first line of your script:
exec fork () ;
However, 'exec fork ()' does not care for proper handling of dictionary
files between child processes, so should only be used for simple load
generation.
Note that different incarnations of the ELZA interpreter share only
the console, and NOT cookies, fields, variables, or time counters.
Using the same local port for SSL may also be an issue, so either
randomize, or spawn the SSL tunnel beforehand.
---------- } PAUSING AND RESUMING DICTIONARY ATTACKS
Place the statement
var autoresume = on
at the beginning of your script file. Thus, if you have a
call PROC SUBST % FILENAME
construction, you can interrupt the iteration with Ctrl+C and
the next time the script is run, it will start off from where it
left off.
ELZA accomplishes this by saving the current position in files,
specified by the tempfile variable (by default 'elza.tmp' + instance
number). If you have used ELZAFORK, when you resume, you must use the
same number of incarnations. Otherwise, some of your dictionary file
may never be processed.
Please note that this will work properly only if you have a single
'call PROC SUBST % FILENAME' statement in your script. Since the
temporary files where the status is stored may be shared, you may
want to do something like
var tempfile = my-script-name.tmp
so that other scripts do not overwrite the temp files.
Please note that the pause/resume functionality does not work with
Authentication dictionaries defined with 'var dictionary'.
---------- } BACKGROUND EXECUTION UNDER WIN32
Under Win32, you can use the following trick to make the ELZA
interpreter run in background:
1. Adjust elzafork.pl to your configuration.
2. In elzafork.pl, uncomment this line:
$ElzaFlags = 'background';
3. Run
perl elzafork.pl 1 hotadd.elz
This will spawn one incarnation of the interpreter running
hotadd.elz in the background. To kill it, you need to use
Ctrl+Alt+Del, Ctrl+Esc, or some other process monitor.
---------- } SELECTIVE DUMPING
If you just need to log communication that took place for a specific
request(s) only, you can use the following syntax:
get url http://localhost/FOO
var rawfile = raw.out
get url http://localhost/BOZO
var rawfile -
get url http://localhost/BAR
Thus, only the /BOZO request will be dumped, not /FOO or /BAR.
If you want to log only the HTML, set things this way:
var rawfile = raw.out
var dumprequest -
var dumpheaders -
var dumpbody = 1
---------- } SECURITY CONSIDERATIONS
Please, please review your .elz script before making it available
for remote execution. Executing the ELZA interpreter via POST
enables specifying alternative values for all substs defined with
a 'subst' directive within the .elz script.
Some efforts have been made to make ELZA safe to execute as a CGI
script. However, no guarantee is made that it does not contain
security holes. If you find some, please, PLEASE, report those.
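The remote-mode setup above has three properties a reviewer of such a CGI front end should keep in mind: the form carries the absolute path of the script to run ('elza-web-script'), every other form field is treated as a subst, and only the 'elza-web-enabled' line marks a script as meant for web execution. The gatekeeper below is an added example, not part of ELZA or htmlelza.pl; it shows the server-side checks one would put in front of the interpreter: accept only a bare script name inside one allow-listed directory rather than the path from the form, refuse scripts that lack the marker line, and let the form override only the substs the script declares with 'subst' (plus an explicit short list of variables such as 'silent'). The directory, the stand-in hotadd.elz text, the register.pl URL and the form are constructed.

```python
"""Server-side checks in front of ELZA's CGI mode.  Added example; not
part of ELZA.  Paths, script text and form contents are constructed."""
import posixpath
import re

SCRIPT_DIR = '/srv/elza/scripts'          # hypothetical allow-listed directory
ALLOWED_VARS = {'silent'}                 # variables a form may set, nothing else
NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_-]*\.elz$')
SUBST_RE = re.compile(r'^\s*subst\s+([A-Za-z_]\w*)\s*=', re.MULTILINE)
ENABLED_RE = re.compile(r'^\s*elza-web-enabled\s*$', re.MULTILINE)

# Constructed stand-in for hotadd.elz, following STEP 1 above.
HOTADD_ELZ = """\
subst ACCOUNT = defaultaccount
subst PASSWORD = defaultpassword
elza-web-enabled
var silent = on
field reglogin = ACCOUNT
field passwd = PASSWORD
field passwd1 = PASSWORD
get url http://127.0.0.1/cgi-bin/register.pl
"""


def resolve_script(requested, script_dir=SCRIPT_DIR):
    """Path of the script to run, or None.  Only a plain '*.elz' file name is
    accepted, so '../x.elz', '/etc/passwd' and 'c:\\elza\\hotadd.elz' are
    all refused instead of being opened wherever the form points."""
    if not NAME_RE.match(requested):
        return None
    return posixpath.join(script_dir, requested)


def script_interface(source):
    """(web_enabled, declared substs) for the text of an .elz script."""
    return ENABLED_RE.search(source) is not None, SUBST_RE.findall(source)


def accept_form(form, source):
    """Split the POSTed fields into subst overrides and variable settings,
    dropping anything the script does not declare.  Raises PermissionError
    if the script carries no 'elza-web-enabled' line."""
    enabled, substs = script_interface(source)
    if not enabled:
        raise PermissionError('script is not elza-web-enabled')
    overrides = {k: v for k, v in form.items() if k in substs}
    variables = {k: v for k, v in form.items() if k in ALLOWED_VARS}
    return overrides, variables


if __name__ == '__main__':
    form = {'elza-web-script': 'hotadd.elz', 'ACCOUNT': 'alice',
            'PASSWORD': 'pw', 'silent': 'on', 'onerror': 'continue'}
    print(resolve_script(form['elza-web-script']))
    print(accept_form(form, HOTADD_ELZ))   # 'onerror' is silently dropped
```

The filtering in accept_form is what keeps a remote caller from reaching variables such as proxy, rawfile or onerror through the same POST that carries the intended ACCOUNT and PASSWORD values.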
---------- } ABOUT THE AUTHOR
This script was authored by Philip Stoev, who can be located
on the following coordinates:
web : phiphi.hypermart.net
email: philip_stoev@iname.com
icq : 23465869
phone: (359 2) 71 59 49
Feedback is always appreciated.
Being currently underemployed, I have some free time to spare.
Please feel free to request a part or all of it.
---------- } REQUESTING URLS ANONYMOUSLY
From the multitude of options you have, here is one: use the
Add-URL functionality in AltaVista or Lycos.
This should be self explanatory if you look at the dump files:
field q = http://www.yoursite.com/page.html
field ad = 1
get url http://add-url.altavista.com/cgi-bin/newurl
or
field query = URL
field email = youremail@yourdomain.com
get url http://www.lycos.com/cgi-bin/spider_now.pl
---------- } HTTP REFERER ISSUE
Undoubtedly, many sites will not let you get a page or execute
a script without a valid Referer request field.
However, if you request a non-existing object on some sites,
www.cisco.com being one of them, and you have a Referer URL from
the same domain, the server will think that you have been referenced
by some page within the site that contains a broken link, and will
sound an alarm to the webmaster to go and fix the link.
This may not be what you want.
---------- } CREDITS
Special thanks go to the actual human Elza.
Thanks go to the rain.forest.puppy (rfp@wiretrip.net) for the ideas
I adopted from his excellent CGI scanner named whisker. Get it from:
http://www.wiretrip.net/rfp
Credits and thanks go to the following people:
- The makers of the following Perl modules: Win32, Win32::Process,
HTML::Parser, MIME::Base64, Net::SOCKS, Digest::MD5.
- The Digest authentication code is based on a libwww post by
Doug MacEachern (dougm@osf.org) from 10 Mar 1996 15:39:22 (wow, old).
- The makers of stunnel, whoever they are.
---------- } DISCLAIMER AND COPYRIGHT
Since the GPL means practically nothing in Bulgaria (Microsoft's
EULA doesn't either), the ELZA interpreter is placed in the public
domain.
Yes, I do disclaim all responsibility for this script and any use
or misuse thereof, but it is really not necessary. Those words have
no value where I live.
=======================================================================END