def init_request(url): # Check connection(s) checks.check_connection(url) # Define HTTP User-Agent header user_agent_header() # Check the internet connection (--check-internet switch). if menu.options.check_internet: check_internet(url) # Check if defined POST data if menu.options.data: settings.USER_DEFINED_POST_DATA = menu.options.data # Check if defined character used for splitting parameter values. if menu.options.pdel and menu.options.pdel in settings.USER_DEFINED_POST_DATA: settings.PARAMETER_DELIMITER = menu.options.pdel request = urllib2.Request(url, menu.options.data) else: # Check if defined character used for splitting parameter values. if menu.options.pdel and menu.options.pdel in url: settings.PARAMETER_DELIMITER = menu.options.pdel request = urllib2.Request(url) headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) if settings.VERBOSITY_LEVEL >= 1: info_msg = "Creating HTTP requests opener object." print settings.print_info_msg(info_msg) # Check for URL redirection if not menu.options.ignore_redirects: url = redirection.do_check(url) return request
def init_request(url): # Check connection(s) checks.check_connection(url) # Define HTTP User-Agent header user_agent_header() # Check the internet connection (--check-internet switch). if menu.options.check_internet: check_internet(url) # Check if defined POST data if menu.options.data: settings.USER_DEFINED_POST_DATA = menu.options.data # Check if defined character used for splitting parameter values. if menu.options.pdel and menu.options.pdel in settings.USER_DEFINED_POST_DATA: settings.PARAMETER_DELIMITER = menu.options.pdel try: request = _urllib.request.Request(url, menu.options.data.encode()) except SocketError as e: if e.errno == errno.ECONNRESET: error_msg = "Connection reset by peer." print(settings.print_critical_msg(error_msg)) elif e.errno == errno.ECONNREFUSED: error_msg = "Connection refused." print(settings.print_critical_msg(error_msg)) raise SystemExit() else: # Check if defined character used for splitting parameter values. if menu.options.pdel and menu.options.pdel in url: settings.PARAMETER_DELIMITER = menu.options.pdel try: request = _urllib.request.Request(url) except SocketError as e: if e.errno == errno.ECONNRESET: error_msg = "Connection reset by peer." print(settings.print_critical_msg(error_msg)) elif e.errno == errno.ECONNREFUSED: error_msg = "Connection refused." print(settings.print_critical_msg(error_msg)) raise SystemExit() headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) if settings.VERBOSITY_LEVEL >= 1: info_msg = "Creating HTTP requests opener object." print(settings.print_info_msg(info_msg)) # Check for URL redirection if not menu.options.ignore_redirects: url = redirection.do_check(url) # Used a valid pair of valid credentials if menu.options.auth_cred and menu.options.auth_type: info_msg = "Using '" + menu.options.auth_cred + "' pair of " + menu.options.auth_type info_msg += " HTTP authentication credentials." print(settings.print_info_msg(info_msg)) return request
def init_request(url): # Check connection(s) checks.check_connection(url) # Define HTTP User-Agent header user_agent_header() # Check the internet connection (--check-internet switch). if menu.options.check_internet: check_internet(url) # Check if defined POST data if menu.options.data: settings.USER_DEFINED_POST_DATA = menu.options.data # Check if defined character used for splitting parameter values. if menu.options.pdel and menu.options.pdel in settings.USER_DEFINED_POST_DATA: settings.PARAMETER_DELIMITER = menu.options.pdel try: request = urllib2.Request(url, menu.options.data) except SocketError as e: if e.errno == errno.ECONNRESET: error_msg = "Connection reset by peer." print settings.print_critical_msg(error_msg) elif e.errno == errno.WSAECONNRESET: error_msg = "An existing connection was forcibly closed by the remote host." print settings.print_critical_msg(error_msg) raise SystemExit() else: # Check if defined character used for splitting parameter values. if menu.options.pdel and menu.options.pdel in url: settings.PARAMETER_DELIMITER = menu.options.pdel try: request = urllib2.Request(url) except SocketError as e: if e.errno == errno.ECONNRESET: error_msg = "Connection reset by peer." print settings.print_critical_msg(error_msg) elif e.errno == errno.WSAECONNRESET: error_msg = "An existing connection was forcibly closed by the remote host." print settings.print_critical_msg(error_msg) raise SystemExit() headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) if settings.VERBOSITY_LEVEL >= 1: info_msg = "Creating HTTP requests opener object." print settings.print_info_msg(info_msg) # Check for URL redirection if not menu.options.ignore_redirects: url = redirection.do_check(url) # Used a valid pair of valid credentials if menu.options.auth_cred and menu.options.auth_type: info_msg = "Using '" + menu.options.auth_cred + "' pair of " + menu.options.auth_type info_msg += " HTTP authentication credentials." print settings.print_info_msg(info_msg) return request
def url_response(url): # Check if http / https url = checks.check_http_s(url) # Check if defined Tor (--tor option). if menu.options.tor and settings.TOR_CHECK_AGAIN: tor.do_check() if menu.options.bulkfile: settings.TOR_CHECK_AGAIN = False info_msg = "Setting URL '" + url + "' for tests. " print(settings.print_info_msg(info_msg)) request = init_request(url) if settings.CHECK_INTERNET: settings.CHECK_INTERNET = False if settings.INIT_TEST == True: info_msg = "Testing connection to the target URL. " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() # if settings.VERBOSITY_LEVEL >= 2: print("") response = examine_request(request) # Check for URL redirection if not menu.options.ignore_redirects: url = redirection.do_check(url) return response, url
def main(filename, url): try: # Ignore the mathematic calculation part (Detection phase). if menu.options.skip_calc: settings.SKIP_CALC = True if menu.options.enable_backticks: settings.USE_BACKTICKS = True # Target URL reload. if menu.options.url_reload and menu.options.data: settings.URL_RELOAD = True if menu.options.test_parameter and menu.options.skip_parameter: if type(menu.options.test_parameter) is bool: menu.options.test_parameter = None else: err_msg = "The options '-p' and '--skip' cannot be used " err_msg += "simultaneously (i.e. only one option must be set)." print settings.print_critical_msg(err_msg) raise SystemExit # Check provided parameters for tests if menu.options.test_parameter or menu.options.skip_parameter: if menu.options.test_parameter != None : if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split(settings.PARAMETER_SPLITTING_REGEX) elif menu.options.skip_parameter != None : if menu.options.skip_parameter.startswith("="): menu.options.skip_parameter = menu.options.skip_parameter[1:] settings.TEST_PARAMETER = menu.options.skip_parameter.split(settings.PARAMETER_SPLITTING_REGEX) for i in range(0,len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[i].split("=")[0] # Check injection level, due to the provided testable parameters. if menu.options.level < 2 and menu.options.test_parameter != None: checks.check_injection_level() # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check for skipping injection techniques. if menu.options.skip_tech: if menu.options.tech: err_msg = "The options '--technique' and '--skip-technique' cannot be used " err_msg += "simultaneously (i.e. only one option must be set)." print settings.print_critical_msg(err_msg) raise SystemExit settings.SKIP_TECHNIQUES = True menu.options.tech = menu.options.skip_tech # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split(settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[i] err_msg += "' as injection technique. " err_msg += "The value for '" if not settings.SKIP_TECHNIQUES : err_msg += "--technique" else: err_msg += "--skip-technique" err_msg += "' must be a string composed by the letters C, E, T, F. " err_msg += "Refer to the official wiki for details." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_critical_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (i.e. '--file-dest')." print settings.print_critical_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--url" or "-m" option. if url: # Load the crawler if menu.options.crawldepth > 0 or menu.options.sitemap_url: if menu.options.crawldepth > 0: menu.options.DEFAULT_CRAWLDEPTH_LEVEL = menu.options.crawldepth else: if menu.options.sitemap_url: while True: if not menu.options.batch: question_msg = "Do you want to change the crawling depth level? [Y/n] > " sys.stdout.write(settings.print_question_msg(question_msg)) change_depth_level = sys.stdin.readline().replace("\n","").lower() else: change_depth_level = "" if len(change_depth_level) == 0: change_depth_level = "y" if change_depth_level in settings.CHOICE_YES or change_depth_level in settings.CHOICE_NO: break elif change_depth_level in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + change_depth_level + "' is not a valid answer." print settings.print_error_msg(err_msg) pass # Change the crawling depth level. if change_depth_level in settings.CHOICE_YES: while True: question_msg = "Please enter the crawling depth level (1-2) > " sys.stdout.write(settings.print_question_msg(question_msg)) depth_level = sys.stdin.readline().replace("\n","").lower() if len(depth_level) == 0: depth_level = 1 break elif str(depth_level) != "1" and str(depth_level) != "2": err_msg = "Depth level '" + depth_level + "' is not a valid answer." print settings.print_error_msg(err_msg) pass else: menu.options.DEFAULT_CRAWLDEPTH_LEVEL = depth_level break # Crawl the url. url = crawler.crawler(url) try: # Check for URL redirection if not menu.options.ignore_redirects: url = redirection.do_check(url) if menu.options.flush_session: session_handler.flush(url) # Check for CGI scripts on url checks.check_CGI_scripts(url) # Modification on payload if not menu.options.shellshock: if not settings.USE_BACKTICKS: settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Load tamper scripts if menu.options.tamper: checks.tamper_scripts() # Check if defined "--file-upload" option. if menu.options.file_upload: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): # Check if not defined URL for upload. while True: if not menu.options.batch: question_msg = "Do you want to enable an HTTP server? [Y/n] > " sys.stdout.write(settings.print_question_msg(question_msg)) enable_HTTP_server = sys.stdin.readline().replace("\n","").lower() else: enable_HTTP_server = "" if len(enable_HTTP_server) == 0: enable_HTTP_server = "y" if enable_HTTP_server in settings.CHOICE_YES: # Check if file exists if not os.path.isfile(menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' file, does not exist." sys.stdout.write(settings.print_critical_msg(err_msg) + "\n") sys.exit(0) # Setting the local HTTP server. if settings.LOCAL_HTTP_IP == None: while True: question_msg = "Please enter your interface IP address > " sys.stdout.write(settings.print_question_msg(question_msg)) ip_addr = sys.stdin.readline().replace("\n","").lower() # check if IP address is valid ip_check = simple_http_server.is_valid_ipv4(ip_addr) if ip_check == False: err_msg = "The provided IP address seems not valid." print settings.print_error_msg(err_msg) pass else: settings.LOCAL_HTTP_IP = ip_addr break # Check for invalid HTTP server's port. if settings.LOCAL_HTTP_PORT < 1 or settings.LOCAL_HTTP_PORT > 65535: err_msg = "Invalid HTTP server's port (" + str(settings.LOCAL_HTTP_PORT) + ")." print settings.print_critical_msg(err_msg) sys.exit(0) http_server = "http://" + str(settings.LOCAL_HTTP_IP) + ":" + str(settings.LOCAL_HTTP_PORT) + "/" info_msg = "Setting the HTTP server on '" + http_server + "'. " print settings.print_info_msg(info_msg) menu.options.file_upload = http_server + menu.options.file_upload simple_http_server.main() break elif enable_HTTP_server in settings.CHOICE_NO: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_critical_msg(err_msg) sys.exit(0) break elif enable_HTTP_server in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + enable_HTTP_server + "' is not a valid answer." print settings.print_error_msg(err_msg) pass try: urllib2.urlopen(menu.options.file_upload) except urllib2.HTTPError, err_msg: print settings.print_critical_msg(str(err_msg.code)) sys.exit(0) except urllib2.URLError, err_msg: print settings.print_critical_msg(str(err_msg.args[0]).split("] ")[1] + ".") sys.exit(0) # Used a valid pair of valid credentials if menu.options.auth_cred: success_msg = Style.BRIGHT + "Identified a valid pair of credentials '" success_msg += menu.options.auth_cred + Style.RESET_ALL success_msg += Style.BRIGHT + "'." + Style.RESET_ALL print settings.print_success_msg(success_msg) try: if response.info()['server'] : server_banner = response.info()['server'] found_os_server = False if menu.options.os and checks.user_defined_os(): user_defined_os = settings.TARGET_OS if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target operating system... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() # Procedure for target OS identification. for i in range(0,len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" : identified_os = "Windows" if menu.options.os and user_defined_os != "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os settings.TARGET_OS = identified_os[:3].lower() if menu.options.shellshock: err_msg = "The shellshock module is not available for " err_msg += identified_os + " targets." print settings.print_critical_msg(err_msg) raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" if menu.options.os and user_defined_os == "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os if settings.VERBOSITY_LEVEL >= 1 : if found_os_server: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" success_msg = "The target operating system appears to be " success_msg += identified_os.title() + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) else: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify server's operating system." print settings.print_warning_msg(warn_msg) # Procedure for target server identification. found_server_banner = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target server... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() for i in range(0,len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower() in server_banner.lower(): if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if settings.VERBOSITY_LEVEL >= 1: success_msg = "The target server was identified as " success_msg += server_banner + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower() == "apache": if settings.TARGET_OS == "win": settings.WEB_ROOT = "\\htdocs" else: settings.WEB_ROOT = "/var/www" if settings.SERVER_BANNERS[i].lower() == "nginx": settings.WEB_ROOT = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower() == "microsoft-iis": settings.WEB_ROOT = "\\inetpub\\wwwroot" break if not found_server_banner: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify target server." print settings.print_warning_msg(warn_msg) # Procedure for target application identification found_application_extension = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target application ... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() root, application_extension = splitext(urlparse(url).path) settings.TARGET_APPLICATION = application_extension[1:].upper() if settings.TARGET_APPLICATION: found_application_extension = True if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" success_msg = "The target application was identified as " success_msg += settings.TARGET_APPLICATION + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) # Check for unsupported target applications for i in range(0,len(settings.UNSUPPORTED_TARGET_APPLICATION)): if settings.TARGET_APPLICATION.lower() in settings.UNSUPPORTED_TARGET_APPLICATION[i].lower(): err_msg = settings.TARGET_APPLICATION + " exploitation is not yet supported." print settings.print_critical_msg(err_msg) raise SystemExit() if not found_application_extension: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify target application." print settings.print_warning_msg(warn_msg) # Store the Server's root dir settings.DEFAULT_WEB_ROOT = settings.WEB_ROOT if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Define Python working directory. if settings.TARGET_OS == "win" and menu.options.alter_shell: while True: if not menu.options.batch: question_msg = "Do you want to use '" + settings.WIN_PYTHON_DIR question_msg += "' as Python working directory on the target host? [Y/n] > " sys.stdout.write(settings.print_question_msg(question_msg)) python_dir = sys.stdin.readline().replace("\n","").lower() else: python_dir = "" if len(python_dir) == 0: python_dir = "y" if python_dir in settings.CHOICE_YES: break elif python_dir in settings.CHOICE_NO: question_msg = "Please provide a custom working directory for Python (e.g. '" question_msg += settings.WIN_PYTHON_DIR + "') > " sys.stdout.write(settings.print_question_msg(question_msg)) settings.WIN_PYTHON_DIR = sys.stdin.readline().replace("\n","").lower() break else: err_msg = "'" + python_dir + "' is not a valid answer." print settings.print_error_msg(err_msg) pass settings.USER_DEFINED_PYTHON_DIR = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root : warn_msg = "Swithing '--is-root' to '--is-admin' because the " warn_msg += "target has been identified as windows." print settings.print_warning_msg(warn_msg) if menu.options.passwords: warn_msg = "The '--passwords' option, is not yet available for Windows targets." print settings.print_warning_msg(warn_msg) if menu.options.file_upload : warn_msg = "The '--file-upload' option, is not yet available for windows targets. " warn_msg += "Instead, use the '--file-write' option." print settings.print_warning_msg(warn_msg) sys.exit(0) else: if menu.options.is_admin : warn_msg = "Swithing the '--is-admin' to '--is-root' because " warn_msg += "the target has been identified as unix-like. " print settings.print_warning_msg(warn_msg) if found_os_server == False and not menu.options.os: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: if menu.options.batch: if not settings.CHECK_BOTH_OS: settings.CHECK_BOTH_OS = True check_type = "unix-based" elif settings.CHECK_BOTH_OS: settings.TARGET_OS = "win" settings.CHECK_BOTH_OS = False settings.PERFORM_BASIC_SCANS = True check_type = "windows-based" info_msg = "Setting the " + check_type + " payloads." print settings.print_info_msg(info_msg) else: while True: question_msg = "Do you recognise the server's operating system? " question_msg += "[(W)indows/(U)nix/(q)uit] > " sys.stdout.write(settings.print_question_msg(question_msg)) got_os = sys.stdin.readline().replace("\n","").lower() if got_os.lower() in settings.CHOICE_OS : if got_os.lower() == "w": settings.TARGET_OS = "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: err_msg = "'" + got_os + "' is not a valid answer." print settings.print_error_msg(err_msg) pass if not menu.options.os: if found_server_banner == False: warn_msg = "The server which was identified as " warn_msg += server_banner + " seems unknown." print settings.print_warning_msg(warn_msg) else: found_os_server = checks.user_defined_os() except KeyError: pass # Webpage encoding detection. requests.encoding_detection(response)