Beispiel #1
0
def injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):

  # Execute shell commands on vulnerable host.
  if alter_shell :
    payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE) 
  else:
    payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE) 

  # Fix prefixes / suffixes
  payload = parameters.prefixes(payload, prefix)
  payload = parameters.suffixes(payload, suffix)

  if menu.options.base64:
    payload = base64.b64encode(payload)   

  # Check if defined "--verbose" option.
  if menu.options.verbose:
    payload_msg = payload.replace("\n", "\\n")
    if settings.COMMENT in payload_msg:
      payload_msg = payload_msg.split(settings.COMMENT)[0]
    sys.stdout.write("\n" + settings.print_payload(payload_msg))
  
  # Check if defined cookie with "INJECT_HERE" tag
  if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
    response = cookie_injection_test(url, vuln_parameter, payload)

  # Check if defined user-agent with "INJECT_HERE" tag
  elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
    response = user_agent_injection_test(url, vuln_parameter, payload)
    
  # Check if defined referer with "INJECT_HERE" tag
  elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
    response = referer_injection_test(url, vuln_parameter, payload)

  # Check if defined custom header with "INJECT_HERE" tag
  elif settings.CUSTOM_HEADER_INJECTION:
    response = custom_header_injection_test(url, vuln_parameter, payload)

  else:
    # Check if defined method is GET (Default).
    if http_request_method == "GET":

      # Check if its not specified the 'INJECT_HERE' tag
      #url = parameters.do_GET_check(url)

      payload = payload.replace(" ","%20")

      target = re.sub(settings.INJECT_TAG, payload, url)
      vuln_parameter = ''.join(vuln_parameter)
      request = urllib2.Request(target)
      
      # Check if defined extra headers.
      headers.do_check(request)        
        
      # Get the response of the request
      response = get_request_response(request) 

    else :
      # Check if defined method is POST.
      parameter = menu.options.data
      parameter = urllib2.unquote(parameter)

      # Check if its not specified the 'INJECT_HERE' tag
      parameter = parameters.do_POST_check(parameter)
      
      # Define the POST data  
      if settings.IS_JSON == False:
        data = re.sub(settings.INJECT_TAG, payload, parameter)
        request = urllib2.Request(url, data)
      else:
        payload = payload.replace("\"", "\\\"")
        data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
        try:
          data = json.loads(data, strict = False)
        except:
          pass
        request = urllib2.Request(url, json.dumps(data))
        
      # Check if defined extra headers.
      headers.do_check(request)        
        
      # Get the response of the request
      response = get_request_response(request)

  return response
Beispiel #2
0
  def check_injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
    
    # Execute shell commands on vulnerable host.
    if alter_shell :
      payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE) 
    else:
      payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE) 

    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Whitespace fixation
    payload = payload.replace(" ", whitespace)

    # Perform payload modification
    payload = checks.perform_payload_modification(payload)

    # Check if defined "--verbose" option.
    if settings.VERBOSITY_LEVEL >= 1:
      payload_msg = payload.replace("\n", "\\n")
      if settings.COMMENT in payload_msg:
        payload = payload.split(settings.COMMENT)[0].strip()
        payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
      info_msg = "Executing the '" + cmd.split(settings.COMMENT)[0].strip() + "' command... "
      sys.stdout.write(settings.print_info_msg(info_msg))
      sys.stdout.flush()
      output_payload = "\n" + settings.print_payload(payload)
      if settings.VERBOSITY_LEVEL >= 1:
        output_payload = output_payload + "\n" 
      sys.stdout.write(output_payload)

    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      response = cookie_injection_test(url, vuln_parameter, payload)

    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      response = user_agent_injection_test(url, vuln_parameter, payload)
      
    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      response = referer_injection_test(url, vuln_parameter, payload)

    # Check if defined host with "INJECT_HERE" tag
    elif menu.options.host and settings.INJECT_TAG in menu.options.host:
      response = host_injection_test(url, vuln_parameter, payload)

    # Check if defined custom header with "INJECT_HERE" tag
    elif settings.CUSTOM_HEADER_INJECTION:
      response = custom_header_injection_test(url, vuln_parameter, payload)

    else:
      # Check if defined method is GET (Default).
      if http_request_method == "GET":
        # Check if its not specified the 'INJECT_HERE' tag
        #url = parameters.do_GET_check(url)
        payload = payload.replace(" ","%20")
        target = url.replace(settings.INJECT_TAG, payload)
        vuln_parameter = ''.join(vuln_parameter)
        request = urllib2.Request(target)
        # Check if defined extra headers.
        headers.do_check(request)        
        # Get the response of the request
        response = requests.get_request_response(request) 

      else :
        # Check if defined method is POST.
        parameter = menu.options.data
        parameter = urllib2.unquote(parameter)
        # Check if its not specified the 'INJECT_HERE' tag
        parameter = parameters.do_POST_check(parameter)
        # Define the POST data  
        if settings.IS_JSON:
          payload = payload.replace("\"", "\\\"")
          data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))
          try:
            data = json.loads(data, strict = False)
          except:
            pass
          request = urllib2.Request(url, json.dumps(data))
        else:
          if settings.IS_XML:
            data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))  
          else:
            data = parameter.replace(settings.INJECT_TAG, payload)
          request = urllib2.Request(url, data)
          
        # Check if defined extra headers.
        headers.do_check(request)        
          
        # Get the response of the request
        response = requests.get_request_response(request)
    return response
Beispiel #3
0
    def check_injection(separator, payload, TAG, cmd, prefix, suffix,
                        whitespace, http_request_method, url, vuln_parameter,
                        OUTPUT_TEXTFILE, alter_shell, filename):

        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = fb_payloads.cmd_execution_alter_shell(
                separator, cmd, OUTPUT_TEXTFILE)
        else:
            payload = fb_payloads.cmd_execution(separator, cmd,
                                                OUTPUT_TEXTFILE)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = payload.replace(" ", whitespace)

        # Perform payload modification
        payload = checks.perform_payload_modification(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL >= 1:
            payload_msg = payload.replace("\n", "\\n")
            if settings.COMMENT in payload_msg:
                payload = payload.split(settings.COMMENT)[0].strip()
                payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
            info_msg = "Executing the '" + cmd.split(
                settings.COMMENT)[0].strip() + "' command... "
            sys.stdout.write(settings.print_info_msg(info_msg))
            sys.stdout.flush()
            output_payload = "\n" + settings.print_payload(payload)
            if settings.VERBOSITY_LEVEL >= 1:
                output_payload = output_payload + "\n"
            sys.stdout.write(output_payload)

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            response = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            response = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            response = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined host with "INJECT_HERE" tag
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
            response = host_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
            response = custom_header_injection_test(url, vuln_parameter,
                                                    payload)

        else:
            # Check if defined method is GET (Default).
            if http_request_method == "GET":
                # Check if its not specified the 'INJECT_HERE' tag
                #url = parameters.do_GET_check(url)
                payload = payload.replace(" ", "%20")
                target = url.replace(settings.INJECT_TAG, payload)
                vuln_parameter = ''.join(vuln_parameter)
                request = _urllib.request.Request(target)
                # Check if defined extra headers.
                headers.do_check(request)
                # Get the response of the request
                response = requests.get_request_response(request)

            else:
                # Check if defined method is POST.
                parameter = menu.options.data
                parameter = _urllib.parse.unquote(parameter)
                # Check if its not specified the 'INJECT_HERE' tag
                parameter = parameters.do_POST_check(parameter)
                # Define the POST data
                if settings.IS_JSON:
                    data = parameter.replace(
                        settings.INJECT_TAG,
                        _urllib.parse.unquote(payload.replace("\"", "\\\"")))
                    try:
                        data = checks.json_data(data)
                    except ValueError:
                        pass
                elif settings.IS_XML:
                    data = parameter.replace(settings.INJECT_TAG,
                                             _urllib.parse.unquote(payload))
                else:
                    data = parameter.replace(settings.INJECT_TAG, payload)
                request = _urllib.request.Request(url, data)

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)
        return response
Beispiel #4
0
    def check_injection(separator, payload, TAG, cmd, prefix, suffix,
                        whitespace, http_request_method, url, vuln_parameter,
                        OUTPUT_TEXTFILE, alter_shell, filename):

        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = fb_payloads.cmd_execution_alter_shell(
                separator, cmd, OUTPUT_TEXTFILE)
        else:
            payload = fb_payloads.cmd_execution(separator, cmd,
                                                OUTPUT_TEXTFILE)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = re.sub(" ", whitespace, payload)

        if settings.TAMPER_SCRIPTS['base64encode']:
            from src.core.tamper import base64encode
            payload = base64encode.encode(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL >= 1:
            payload_msg = payload.replace("\n", "\\n")
            if settings.COMMENT in payload_msg:
                payload_msg = payload_msg.split(settings.COMMENT)[0]
            info_msg = "Executing the '" + cmd.split(
                settings.COMMENT)[0] + "' command "
            sys.stdout.write("\n" + settings.print_info_msg(info_msg))
            sys.stdout.flush()
            sys.stdout.write(
                "\n" +
                settings.print_payload(payload).split(settings.COMMENT)[0] +
                "\n")

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            response = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            response = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            response = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
            response = custom_header_injection_test(url, vuln_parameter,
                                                    payload)

        else:
            # Check if defined method is GET (Default).
            if http_request_method == "GET":

                # Check if its not specified the 'INJECT_HERE' tag
                #url = parameters.do_GET_check(url)

                payload = payload.replace(" ", "%20")

                target = re.sub(settings.INJECT_TAG, payload, url)
                vuln_parameter = ''.join(vuln_parameter)
                request = urllib2.Request(target)

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)

            else:
                # Check if defined method is POST.
                parameter = menu.options.data
                parameter = urllib2.unquote(parameter)

                # Check if its not specified the 'INJECT_HERE' tag
                parameter = parameters.do_POST_check(parameter)

                # Define the POST data
                if settings.IS_JSON == False:
                    data = re.sub(settings.INJECT_TAG, payload, parameter)
                    request = urllib2.Request(url, data)
                else:
                    payload = payload.replace("\"", "\\\"")
                    data = re.sub(settings.INJECT_TAG, urllib.unquote(payload),
                                  parameter)
                    try:
                        data = json.loads(data, strict=False)
                    except:
                        pass
                    request = urllib2.Request(url, json.dumps(data))

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)

        return response
Beispiel #5
0
def injection(separator, payload, TAG, cmd, prefix, suffix,
              http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
              alter_shell, filename):

    # Execute shell commands on vulnerable host.
    if alter_shell:
        payload = fb_payloads.cmd_execution_alter_shell(
            separator, cmd, OUTPUT_TEXTFILE)
    else:
        payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE)

    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    if menu.options.base64:
        payload = base64.b64encode(payload)

    # Check if defined "--verbose" option.
    if menu.options.verbose:
        sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                         payload.replace("\n", "\\n") + Style.RESET_ALL)

    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
        response = cookie_injection_test(url, vuln_parameter, payload)

    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
        response = user_agent_injection_test(url, vuln_parameter, payload)

    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
        response = referer_injection_test(url, vuln_parameter, payload)

    else:
        # Check if defined method is GET (Default).
        if http_request_method == "GET":

            # Check if its not specified the 'INJECT_HERE' tag
            #url = parameters.do_GET_check(url)

            payload = payload.replace(" ", "%20")

            target = re.sub(settings.INJECT_TAG, payload, url)
            vuln_parameter = ''.join(vuln_parameter)
            request = urllib2.Request(target)

            # Check if defined extra headers.
            headers.do_check(request)

            # Get the response of the request
            response = get_request_response(request)

        else:
            # Check if defined method is POST.
            parameter = menu.options.data
            parameter = urllib2.unquote(parameter)

            # Check if its not specified the 'INJECT_HERE' tag
            parameter = parameters.do_POST_check(parameter)

            # Define the POST data
            if settings.IS_JSON == False:
                data = re.sub(settings.INJECT_TAG, payload, parameter)
                request = urllib2.Request(url, data)
            else:
                payload = payload.replace("\"", "\\\"")
                data = re.sub(settings.INJECT_TAG, urllib.unquote(payload),
                              parameter)
                data = json.loads(data, strict=False)
                request = urllib2.Request(url, json.dumps(data))

            # Check if defined extra headers.
            headers.do_check(request)

            # Get the response of the request
            response = get_request_response(request)

    return response
Beispiel #6
0
def injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):

  # Execute shell commands on vulnerable host.
  if alter_shell :
    payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE) 
  else:
    payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE) 

  # Fix prefixes / suffixes
  payload = parameters.prefixes(payload, prefix)
  payload = parameters.suffixes(payload, suffix)

  if menu.options.base64:
    payload = base64.b64encode(payload)   

  # Check if defined "--verbose" option.
  if menu.options.verbose:
    sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
  
  # Check if defined cookie with "INJECT_HERE" tag
  if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
    response = cookie_injection_test(url, vuln_parameter, payload)

  # Check if defined user-agent with "INJECT_HERE" tag
  elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
    response = user_agent_injection_test(url, vuln_parameter, payload)
    
  # Check if defined referer with "INJECT_HERE" tag
  elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
    response = referer_injection_test(url, vuln_parameter, payload)

  else:
    # Check if defined method is GET (Default).
    if http_request_method == "GET":

      # Check if its not specified the 'INJECT_HERE' tag
      #url = parameters.do_GET_check(url)

      payload = payload.replace(" ","%20")

      target = re.sub(settings.INJECT_TAG, payload, url)
      vuln_parameter = ''.join(vuln_parameter)
      request = urllib2.Request(target)
      
      # Check if defined extra headers.
      headers.do_check(request)        
        
      # Check if defined any HTTP Proxy.
      if menu.options.proxy:
        try:
          response = proxy.use_proxy(request)
        except urllib2.HTTPError, err:
          print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
          raise SystemExit() 

      # Check if defined Tor.
      elif menu.options.tor:
        try:
          response = tor.use_tor(request)
        except urllib2.HTTPError, err:
          print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
          raise SystemExit() 

      else: