def init_request(url):
# Check connection(s)
checks.check_connection(url)
# Define HTTP User-Agent header
user_agent_header()
# Check the internet connection (--check-internet switch).
if menu.options.check_internet:
check_internet(url)
# Check if defined POST data
if menu.options.data:
settings.USER_DEFINED_POST_DATA = menu.options.data
# Check if defined character used for splitting parameter values.
if menu.options.pdel and menu.options.pdel in settings.USER_DEFINED_POST_DATA:
settings.PARAMETER_DELIMITER = menu.options.pdel
request = urllib2.Request(url, menu.options.data)
else:
# Check if defined character used for splitting parameter values.
if menu.options.pdel and menu.options.pdel in url:
settings.PARAMETER_DELIMITER = menu.options.pdel
request = urllib2.Request(url)
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Creating HTTP requests opener object."
print settings.print_info_msg(info_msg)
# Check for URL redirection
if not menu.options.ignore_redirects:
url = redirection.do_check(url)
return request
def init_request(url):
# Check connection(s)
checks.check_connection(url)
# Define HTTP User-Agent header
user_agent_header()
# Check the internet connection (--check-internet switch).
if menu.options.check_internet:
check_internet(url)
# Check if defined POST data
if menu.options.data:
settings.USER_DEFINED_POST_DATA = menu.options.data
# Check if defined character used for splitting parameter values.
if menu.options.pdel and menu.options.pdel in settings.USER_DEFINED_POST_DATA:
settings.PARAMETER_DELIMITER = menu.options.pdel
try:
request = _urllib.request.Request(url, menu.options.data.encode())
except SocketError as e:
if e.errno == errno.ECONNRESET:
error_msg = "Connection reset by peer."
print(settings.print_critical_msg(error_msg))
elif e.errno == errno.ECONNREFUSED:
error_msg = "Connection refused."
print(settings.print_critical_msg(error_msg))
raise SystemExit()
else:
# Check if defined character used for splitting parameter values.
if menu.options.pdel and menu.options.pdel in url:
settings.PARAMETER_DELIMITER = menu.options.pdel
try:
request = _urllib.request.Request(url)
except SocketError as e:
if e.errno == errno.ECONNRESET:
error_msg = "Connection reset by peer."
print(settings.print_critical_msg(error_msg))
elif e.errno == errno.ECONNREFUSED:
error_msg = "Connection refused."
print(settings.print_critical_msg(error_msg))
raise SystemExit()
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Creating HTTP requests opener object."
print(settings.print_info_msg(info_msg))
# Check for URL redirection
if not menu.options.ignore_redirects:
url = redirection.do_check(url)
# Used a valid pair of valid credentials
if menu.options.auth_cred and menu.options.auth_type:
info_msg = "Using '" + menu.options.auth_cred + "' pair of " + menu.options.auth_type
info_msg += " HTTP authentication credentials."
print(settings.print_info_msg(info_msg))
return request
def init_request(url):
# Check connection(s)
checks.check_connection(url)
# Define HTTP User-Agent header
user_agent_header()
# Check the internet connection (--check-internet switch).
if menu.options.check_internet:
check_internet(url)
# Check if defined POST data
if menu.options.data:
settings.USER_DEFINED_POST_DATA = menu.options.data
# Check if defined character used for splitting parameter values.
if menu.options.pdel and menu.options.pdel in settings.USER_DEFINED_POST_DATA:
settings.PARAMETER_DELIMITER = menu.options.pdel
try:
request = urllib2.Request(url, menu.options.data)
except SocketError as e:
if e.errno == errno.ECONNRESET:
error_msg = "Connection reset by peer."
print settings.print_critical_msg(error_msg)
elif e.errno == errno.WSAECONNRESET:
error_msg = "An existing connection was forcibly closed by the remote host."
print settings.print_critical_msg(error_msg)
raise SystemExit()
else:
# Check if defined character used for splitting parameter values.
if menu.options.pdel and menu.options.pdel in url:
settings.PARAMETER_DELIMITER = menu.options.pdel
try:
request = urllib2.Request(url)
except SocketError as e:
if e.errno == errno.ECONNRESET:
error_msg = "Connection reset by peer."
print settings.print_critical_msg(error_msg)
elif e.errno == errno.WSAECONNRESET:
error_msg = "An existing connection was forcibly closed by the remote host."
print settings.print_critical_msg(error_msg)
raise SystemExit()
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Creating HTTP requests opener object."
print settings.print_info_msg(info_msg)
# Check for URL redirection
if not menu.options.ignore_redirects:
url = redirection.do_check(url)
# Used a valid pair of valid credentials
if menu.options.auth_cred and menu.options.auth_type:
info_msg = "Using '" + menu.options.auth_cred + "' pair of " + menu.options.auth_type
info_msg += " HTTP authentication credentials."
print settings.print_info_msg(info_msg)
return request
def url_response(url):
# Check if http / https
url = checks.check_http_s(url)
# Check if defined Tor (--tor option).
if menu.options.tor and settings.TOR_CHECK_AGAIN:
tor.do_check()
if menu.options.bulkfile:
settings.TOR_CHECK_AGAIN = False
info_msg = "Setting URL '" + url + "' for tests. "
print(settings.print_info_msg(info_msg))
request = init_request(url)
if settings.CHECK_INTERNET:
settings.CHECK_INTERNET = False
if settings.INIT_TEST == True:
info_msg = "Testing connection to the target URL. "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
# if settings.VERBOSITY_LEVEL >= 2:
print("")
response = examine_request(request)
# Check for URL redirection
if not menu.options.ignore_redirects:
url = redirection.do_check(url)
return response, url
def main(filename, url):
try:
# Ignore the mathematic calculation part (Detection phase).
if menu.options.skip_calc:
settings.SKIP_CALC = True
if menu.options.enable_backticks:
settings.USE_BACKTICKS = True
# Target URL reload.
if menu.options.url_reload and menu.options.data:
settings.URL_RELOAD = True
if menu.options.test_parameter and menu.options.skip_parameter:
if type(menu.options.test_parameter) is bool:
menu.options.test_parameter = None
else:
err_msg = "The options '-p' and '--skip' cannot be used "
err_msg += "simultaneously (i.e. only one option must be set)."
print settings.print_critical_msg(err_msg)
raise SystemExit
# Check provided parameters for tests
if menu.options.test_parameter or menu.options.skip_parameter:
if menu.options.test_parameter != None :
if menu.options.test_parameter.startswith("="):
menu.options.test_parameter = menu.options.test_parameter[1:]
settings.TEST_PARAMETER = menu.options.test_parameter.split(settings.PARAMETER_SPLITTING_REGEX)
elif menu.options.skip_parameter != None :
if menu.options.skip_parameter.startswith("="):
menu.options.skip_parameter = menu.options.skip_parameter[1:]
settings.TEST_PARAMETER = menu.options.skip_parameter.split(settings.PARAMETER_SPLITTING_REGEX)
for i in range(0,len(settings.TEST_PARAMETER)):
if "=" in settings.TEST_PARAMETER[i]:
settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[i].split("=")[0]
# Check injection level, due to the provided testable parameters.
if menu.options.level < 2 and menu.options.test_parameter != None:
checks.check_injection_level()
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check for skipping injection techniques.
if menu.options.skip_tech:
if menu.options.tech:
err_msg = "The options '--technique' and '--skip-technique' cannot be used "
err_msg += "simultaneously (i.e. only one option must be set)."
print settings.print_critical_msg(err_msg)
raise SystemExit
settings.SKIP_TECHNIQUES = True
menu.options.tech = menu.options.skip_tech
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech:
split_techniques_names = menu.options.tech.split(settings.PARAMETER_SPLITTING_REGEX)
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0,len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0,len(split_first_letter)):
if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \
found_tech == False:
err_msg = "You specified wrong value '" + split_techniques_names[i]
err_msg += "' as injection technique. "
err_msg += "The value for '"
if not settings.SKIP_TECHNIQUES :
err_msg += "--technique"
else:
err_msg += "--skip-technique"
err_msg += "' must be a string composed by the letters C, E, T, F. "
err_msg += "Refer to the official wiki for details."
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS:
err_msg = "'" + menu.options.alter_shell + "' shell is not supported!"
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
err_msg = "Host's absolute filepath to write and/or upload, must be specified (i.e. '--file-dest')."
print settings.print_critical_msg(err_msg)
sys.exit(0)
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None :
err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Check if defined "--url" or "-m" option.
if url:
# Load the crawler
if menu.options.crawldepth > 0 or menu.options.sitemap_url:
if menu.options.crawldepth > 0:
menu.options.DEFAULT_CRAWLDEPTH_LEVEL = menu.options.crawldepth
else:
if menu.options.sitemap_url:
while True:
if not menu.options.batch:
question_msg = "Do you want to change the crawling depth level? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
change_depth_level = sys.stdin.readline().replace("\n","").lower()
else:
change_depth_level = ""
if len(change_depth_level) == 0:
change_depth_level = "y"
if change_depth_level in settings.CHOICE_YES or change_depth_level in settings.CHOICE_NO:
break
elif change_depth_level in settings.CHOICE_QUIT:
sys.exit(0)
else:
err_msg = "'" + change_depth_level + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
# Change the crawling depth level.
if change_depth_level in settings.CHOICE_YES:
while True:
question_msg = "Please enter the crawling depth level (1-2) > "
sys.stdout.write(settings.print_question_msg(question_msg))
depth_level = sys.stdin.readline().replace("\n","").lower()
if len(depth_level) == 0:
depth_level = 1
break
elif str(depth_level) != "1" and str(depth_level) != "2":
err_msg = "Depth level '" + depth_level + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
menu.options.DEFAULT_CRAWLDEPTH_LEVEL = depth_level
break
# Crawl the url.
url = crawler.crawler(url)
try:
# Check for URL redirection
if not menu.options.ignore_redirects:
url = redirection.do_check(url)
if menu.options.flush_session:
session_handler.flush(url)
# Check for CGI scripts on url
checks.check_CGI_scripts(url)
# Modification on payload
if not menu.options.shellshock:
if not settings.USE_BACKTICKS:
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Load tamper scripts
if menu.options.tamper:
checks.tamper_scripts()
# Check if defined "--file-upload" option.
if menu.options.file_upload:
if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
# Check if not defined URL for upload.
while True:
if not menu.options.batch:
question_msg = "Do you want to enable an HTTP server? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
enable_HTTP_server = sys.stdin.readline().replace("\n","").lower()
else:
enable_HTTP_server = ""
if len(enable_HTTP_server) == 0:
enable_HTTP_server = "y"
if enable_HTTP_server in settings.CHOICE_YES:
# Check if file exists
if not os.path.isfile(menu.options.file_upload):
err_msg = "The '" + menu.options.file_upload + "' file, does not exist."
sys.stdout.write(settings.print_critical_msg(err_msg) + "\n")
sys.exit(0)
# Setting the local HTTP server.
if settings.LOCAL_HTTP_IP == None:
while True:
question_msg = "Please enter your interface IP address > "
sys.stdout.write(settings.print_question_msg(question_msg))
ip_addr = sys.stdin.readline().replace("\n","").lower()
# check if IP address is valid
ip_check = simple_http_server.is_valid_ipv4(ip_addr)
if ip_check == False:
err_msg = "The provided IP address seems not valid."
print settings.print_error_msg(err_msg)
pass
else:
settings.LOCAL_HTTP_IP = ip_addr
break
# Check for invalid HTTP server's port.
if settings.LOCAL_HTTP_PORT < 1 or settings.LOCAL_HTTP_PORT > 65535:
err_msg = "Invalid HTTP server's port (" + str(settings.LOCAL_HTTP_PORT) + ")."
print settings.print_critical_msg(err_msg)
sys.exit(0)
http_server = "http://" + str(settings.LOCAL_HTTP_IP) + ":" + str(settings.LOCAL_HTTP_PORT) + "/"
info_msg = "Setting the HTTP server on '" + http_server + "'. "
print settings.print_info_msg(info_msg)
menu.options.file_upload = http_server + menu.options.file_upload
simple_http_server.main()
break
elif enable_HTTP_server in settings.CHOICE_NO:
if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. "
print settings.print_critical_msg(err_msg)
sys.exit(0)
break
elif enable_HTTP_server in settings.CHOICE_QUIT:
sys.exit(0)
else:
err_msg = "'" + enable_HTTP_server + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
try:
urllib2.urlopen(menu.options.file_upload)
except urllib2.HTTPError, err_msg:
print settings.print_critical_msg(str(err_msg.code))
sys.exit(0)
except urllib2.URLError, err_msg:
print settings.print_critical_msg(str(err_msg.args[0]).split("] ")[1] + ".")
sys.exit(0)
# Used a valid pair of valid credentials
if menu.options.auth_cred:
success_msg = Style.BRIGHT + "Identified a valid pair of credentials '"
success_msg += menu.options.auth_cred + Style.RESET_ALL
success_msg += Style.BRIGHT + "'." + Style.RESET_ALL
print settings.print_success_msg(success_msg)
try:
if response.info()['server'] :
server_banner = response.info()['server']
found_os_server = False
if menu.options.os and checks.user_defined_os():
user_defined_os = settings.TARGET_OS
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Identifying the target operating system... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
# Procedure for target OS identification.
for i in range(0,len(settings.SERVER_OS_BANNERS)):
if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower():
found_os_server = True
settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower()
if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" :
identified_os = "Windows"
if menu.options.os and user_defined_os != "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
settings.TARGET_OS = identified_os[:3].lower()
if menu.options.shellshock:
err_msg = "The shellshock module is not available for "
err_msg += identified_os + " targets."
print settings.print_critical_msg(err_msg)
raise SystemExit()
else:
identified_os = "Unix-like (" + settings.TARGET_OS + ")"
if menu.options.os and user_defined_os == "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
if settings.VERBOSITY_LEVEL >= 1 :
if found_os_server:
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
success_msg = "The target operating system appears to be "
success_msg += identified_os.title() + Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
else:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
warn_msg = "Heuristics have failed to identify server's operating system."
print settings.print_warning_msg(warn_msg)
# Procedure for target server identification.
found_server_banner = False
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Identifying the target server... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
for i in range(0,len(settings.SERVER_BANNERS)):
if settings.SERVER_BANNERS[i].lower() in server_banner.lower():
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if settings.VERBOSITY_LEVEL >= 1:
success_msg = "The target server was identified as "
success_msg += server_banner + Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
settings.SERVER_BANNER = server_banner
found_server_banner = True
# Set up default root paths
if settings.SERVER_BANNERS[i].lower() == "apache":
if settings.TARGET_OS == "win":
settings.WEB_ROOT = "\\htdocs"
else:
settings.WEB_ROOT = "/var/www"
if settings.SERVER_BANNERS[i].lower() == "nginx":
settings.WEB_ROOT = "/usr/share/nginx"
if settings.SERVER_BANNERS[i].lower() == "microsoft-iis":
settings.WEB_ROOT = "\\inetpub\\wwwroot"
break
if not found_server_banner:
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
warn_msg = "Heuristics have failed to identify target server."
print settings.print_warning_msg(warn_msg)
# Procedure for target application identification
found_application_extension = False
if settings.VERBOSITY_LEVEL >= 1:
info_msg = "Identifying the target application ... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
root, application_extension = splitext(urlparse(url).path)
settings.TARGET_APPLICATION = application_extension[1:].upper()
if settings.TARGET_APPLICATION:
found_application_extension = True
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
success_msg = "The target application was identified as "
success_msg += settings.TARGET_APPLICATION + Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
# Check for unsupported target applications
for i in range(0,len(settings.UNSUPPORTED_TARGET_APPLICATION)):
if settings.TARGET_APPLICATION.lower() in settings.UNSUPPORTED_TARGET_APPLICATION[i].lower():
err_msg = settings.TARGET_APPLICATION + " exploitation is not yet supported."
print settings.print_critical_msg(err_msg)
raise SystemExit()
if not found_application_extension:
if settings.VERBOSITY_LEVEL >= 1:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
warn_msg = "Heuristics have failed to identify target application."
print settings.print_warning_msg(warn_msg)
# Store the Server's root dir
settings.DEFAULT_WEB_ROOT = settings.WEB_ROOT
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Define Python working directory.
if settings.TARGET_OS == "win" and menu.options.alter_shell:
while True:
if not menu.options.batch:
question_msg = "Do you want to use '" + settings.WIN_PYTHON_DIR
question_msg += "' as Python working directory on the target host? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
python_dir = sys.stdin.readline().replace("\n","").lower()
else:
python_dir = ""
if len(python_dir) == 0:
python_dir = "y"
if python_dir in settings.CHOICE_YES:
break
elif python_dir in settings.CHOICE_NO:
question_msg = "Please provide a custom working directory for Python (e.g. '"
question_msg += settings.WIN_PYTHON_DIR + "') > "
sys.stdout.write(settings.print_question_msg(question_msg))
settings.WIN_PYTHON_DIR = sys.stdin.readline().replace("\n","").lower()
break
else:
err_msg = "'" + python_dir + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
settings.USER_DEFINED_PYTHON_DIR = True
# Check for wrong flags.
if settings.TARGET_OS == "win":
if menu.options.is_root :
warn_msg = "Swithing '--is-root' to '--is-admin' because the "
warn_msg += "target has been identified as windows."
print settings.print_warning_msg(warn_msg)
if menu.options.passwords:
warn_msg = "The '--passwords' option, is not yet available for Windows targets."
print settings.print_warning_msg(warn_msg)
if menu.options.file_upload :
warn_msg = "The '--file-upload' option, is not yet available for windows targets. "
warn_msg += "Instead, use the '--file-write' option."
print settings.print_warning_msg(warn_msg)
sys.exit(0)
else:
if menu.options.is_admin :
warn_msg = "Swithing the '--is-admin' to '--is-root' because "
warn_msg += "the target has been identified as unix-like. "
print settings.print_warning_msg(warn_msg)
if found_os_server == False and not menu.options.os:
# If "--shellshock" option is provided then,
# by default is a Linux/Unix operating system.
if menu.options.shellshock:
pass
else:
if menu.options.batch:
if not settings.CHECK_BOTH_OS:
settings.CHECK_BOTH_OS = True
check_type = "unix-based"
elif settings.CHECK_BOTH_OS:
settings.TARGET_OS = "win"
settings.CHECK_BOTH_OS = False
settings.PERFORM_BASIC_SCANS = True
check_type = "windows-based"
info_msg = "Setting the " + check_type + " payloads."
print settings.print_info_msg(info_msg)
else:
while True:
question_msg = "Do you recognise the server's operating system? "
question_msg += "[(W)indows/(U)nix/(q)uit] > "
sys.stdout.write(settings.print_question_msg(question_msg))
got_os = sys.stdin.readline().replace("\n","").lower()
if got_os.lower() in settings.CHOICE_OS :
if got_os.lower() == "w":
settings.TARGET_OS = "win"
break
elif got_os.lower() == "u":
break
elif got_os.lower() == "q":
raise SystemExit()
else:
err_msg = "'" + got_os + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
if not menu.options.os:
if found_server_banner == False:
warn_msg = "The server which was identified as "
warn_msg += server_banner + " seems unknown."
print settings.print_warning_msg(warn_msg)
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
# Webpage encoding detection.
requests.encoding_detection(response)
