def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
settings.HTTP_HEADER = header_name[1:].replace("-", "").lower()
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = ""
the_type = " HTTP header "
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check for session file
if not menu.options.ignore_session:
if os.path.isfile(settings.SESSION_FILE):
if not menu.options.tech:
menu.options.tech = session_handler.applied_techniques(
url, http_request_method)
if session_handler.check_stored_parameter(url,
http_request_method):
settings.LOAD_SESSION = True
if menu.options.flush_session:
session_handler.flush(url)
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(
url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
else:
classic_state = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
if tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
time_based_state = True
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
if fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
file_based_state = True
else:
file_based_state = False
if classic_state == eval_based_state == time_based_state == file_based_state == False:
info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
def do_check(url, filename):
check_http_headers = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET.
if not menu.options.data:
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
http_request_method = "GET"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie:
settings.COOKIE_INJECTION = True
if not settings.COOKIE_INJECTION:
found_url = parameters.do_GET_check(url)
if found_url != False:
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if not settings.LOAD_SESSION :
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
# Check if HTTP Method is POST.
else:
http_request_method = "POST"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
# Check if HTTP Method is POST.
parameter = menu.options.data
found_parameter = parameters.do_POST_check(parameter)
# Remove whitespaces
# Check if singe entry parameter
if type(found_parameter) is str:
found_parameter_list = []
found_parameter_list.append(found_parameter)
found_parameter = found_parameter_list
# Remove whitespaces
found_parameter = [x.replace(" ", "") for x in found_parameter]
# Check if multiple parameters
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if not settings.LOAD_SESSION :
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
# Cookie Injection
if settings.COOKIE_INJECTION == True:
cookie_value = menu.options.cookie
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
cookie_parameters = parameters.do_cookie_check(menu.options.cookie)
if type(cookie_parameters) is str:
cookie_parameters_list = []
cookie_parameters_list.append(cookie_parameters)
cookie_parameters = cookie_parameters_list
# Remove whitespaces
cookie_parameters = [x.replace(" ", "") for x in cookie_parameters]
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if not settings.LOAD_SESSION :
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if settings.COOKIE_INJECTION == True:
# Restore cookie value
menu.options.cookie = cookie_value
# Disable cookie injection
settings.COOKIE_INJECTION = False
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename, delay)
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
check_http_headers = True
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False :
info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable."
if not menu.options.alter_shell :
info_msg += " Try to use the option '--alter-shell'"
else:
info_msg += " Try to remove the option '--alter-shell'"
if menu.options.level < 3 :
info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)"
info_msg += "."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
#eof
def perform_checks(url, filename):
def basic_level_checks():
settings.PERFORM_BASIC_SCANS = False
# Check if HTTP Method is GET.
if not menu.options.data:
get_request(url, http_request_method, filename, timesec)
# Check if HTTP Method is POST.
else:
post_request(url, http_request_method, filename, timesec)
timesec = settings.TIMESEC
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
err_msg = "It seems that the authentication procedure has failed."
print settings.print_critical_msg(err_msg)
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
err_msg = "You must specify both login panel URL and login parameters."
print settings.print_critical_msg(err_msg)
sys.exit(0)
else:
pass
# Check if HTTP Method is GET.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
if menu.options.shellshock:
menu.options.level = settings.HTTP_HEADER_INJECTION_LEVEL
else:
check_for_stored_levels(url, http_request_method)
if settings.PERFORM_BASIC_SCANS:
basic_level_checks()
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level >= settings.HTTP_HEADER_INJECTION_LEVEL:
if settings.INJECTED_HTTP_HEADER == False:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
http_request_method, filename,
timesec)
else:
# Enable Cookie Injection
if menu.options.level > settings.DEFAULT_INJECTION_LEVEL:
if menu.options.cookie:
cookie_injection(url, http_request_method, filename, timesec)
else:
warn_msg = "The HTTP Cookie header is not provided, "
warn_msg += "so this test is going to be skipped."
print settings.print_warning_msg(warn_msg)
else:
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method,
filename, timesec)
settings.CUSTOM_HEADER_INJECTION = None
if settings.INJECTION_CHECKER == False:
return False
else:
return True
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
settings.HTTP_HEADER = header_name[1:].replace("-","").lower()
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = ""
the_type = " HTTP header "
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check for session file
if not menu.options.ignore_session:
if os.path.isfile(settings.SESSION_FILE):
if not menu.options.tech:
menu.options.tech = session_handler.applied_techniques(url, http_request_method)
if session_handler.check_stored_parameter(url, http_request_method):
settings.LOAD_SESSION = True
if menu.options.flush_session:
session_handler.flush(url)
if len(check_parameter) != 0 :
check_parameter = " '" + check_parameter + "'"
print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
else:
classic_state = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
file_based_state = False
if classic_state == eval_based_state == time_based_state == file_based_state == False :
info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell :
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION and not settings.USER_AGENT_INJECTION and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else:
pass
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
info_msg = (
"(x) Critical: The tested ("
+ http_request_method
+ ")"
+ check_parameter
+ " parameter appear to be not injectable."
)
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
# else:
# print ""
sys.exit(0)
def do_check(url, filename):
check_http_headers = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET.
if not menu.options.data:
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
http_request_method = "GET"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
check_http_headers,
http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie:
settings.COOKIE_INJECTION = True
if not settings.COOKIE_INJECTION:
found_url = parameters.do_GET_check(url)
if found_url != False:
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(
url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method,
filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
if not settings.LOAD_SESSION:
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter,
http_request_method,
filename, delay)
else:
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
# Check if HTTP Method is POST.
else:
http_request_method = "POST"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
check_http_headers,
http_request_method, filename, delay)
# Check if HTTP Method is POST.
parameter = menu.options.data
found_parameter = parameters.do_POST_check(parameter)
# Remove whitespaces
# Check if singe entry parameter
if type(found_parameter) is str:
found_parameter_list = []
found_parameter_list.append(found_parameter)
found_parameter = found_parameter_list
# Remove whitespaces
found_parameter = [x.replace(" ", "") for x in found_parameter]
# Check if multiple parameters
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
if not settings.LOAD_SESSION:
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
# Cookie Injection
if settings.COOKIE_INJECTION == True:
cookie_value = menu.options.cookie
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
check_http_headers,
http_request_method, filename, delay)
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
cookie_parameters = parameters.do_cookie_check(menu.options.cookie)
if type(cookie_parameters) is str:
cookie_parameters_list = []
cookie_parameters_list.append(cookie_parameters)
cookie_parameters = cookie_parameters_list
# Remove whitespaces
cookie_parameters = [x.replace(" ", "") for x in cookie_parameters]
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
if not settings.LOAD_SESSION:
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
if settings.COOKIE_INJECTION == True:
# Restore cookie value
menu.options.cookie = cookie_value
# Disable cookie injection
settings.COOKIE_INJECTION = False
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename,
delay)
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
check_http_headers = True
stored_http_header_injection(url, check_parameter, check_http_headers,
http_request_method, filename, delay)
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Try to use the option '--alter-shell'"
else:
info_msg += " Try to remove the option '--alter-shell'"
if menu.options.level < 3:
info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)"
info_msg += "."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
#eof
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else:
pass
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(
url, http_request_method, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(
menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
info_msg = "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
# else:
# print ""
sys.exit(0)
def perform_checks(url, filename):
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
err_msg = "It seems that the authentication procedure has failed."
print settings.print_critical_msg(err_msg)
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
err_msg = "You must specify both login panel URL and login parameters."
print settings.print_critical_msg(err_msg)
sys.exit(0)
else:
pass
# Check if HTTP Method is GET.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level >= 3:
if settings.INJECTED_HTTP_HEADER == False:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
http_request_method, filename, delay)
else:
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
cookie_injection(url, http_request_method, filename, delay)
else:
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method,
filename, delay)
settings.CUSTOM_HEADER_INJECTION = None
# Check if HTTP Method is GET.
if not menu.options.data:
get_request(url, http_request_method, filename, delay)
# Check if HTTP Method is POST.
else:
post_request(url, http_request_method, filename, delay)
if settings.INJECTION_CHECKER == False:
return False
else:
return True
def perform_checks(url, filename):
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
err_msg = "It seems that the authentication procedure has failed."
print settings.print_critical_msg(err_msg)
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
err_msg = "You must specify both login panel URL and login parameters."
print settings.print_critical_msg(err_msg)
sys.exit(0)
else:
pass
# Check if HTTP Method is GET.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level >= 3:
if settings.INJECTED_HTTP_HEADER == False :
check_parameter = ""
stored_http_header_injection(url, check_parameter, http_request_method, filename, delay)
else:
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
cookie_injection(url, http_request_method, filename, delay)
else:
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename, delay)
settings.CUSTOM_HEADER_INJECTION = None
# Check if HTTP Method is GET.
if not menu.options.data:
get_request(url, http_request_method, filename, delay)
# Check if HTTP Method is POST.
else:
post_request(url, http_request_method, filename, delay)
if settings.INJECTION_CHECKER == False:
return False
else:
return True
def perform_checks(url, http_request_method, filename):
def basic_level_checks():
if not menu.options.bulkfile:
settings.PERFORM_BASIC_SCANS = False
else:
settings.PERFORM_BASIC_SCANS = True
settings.SKIP_CODE_INJECTIONS = False
settings.SKIP_COMMAND_INJECTIONS = False
settings.IDENTIFIED_WARNINGS = False
settings.IDENTIFIED_PHPINFO = False
# Check if HTTP Method is GET.
if http_request_method != settings.HTTPMETHOD.POST:
get_request(url, http_request_method, filename, timesec)
# Check if HTTP Method is POST.
else:
post_request(url, http_request_method, filename, timesec)
timesec = settings.TIMESEC
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
try:
# Check if authentication page is the same with the next (injection) URL
if _urllib.request.urlopen(url, timeout=settings.TIMEOUT).read() == _urllib.request.urlopen(menu.options.auth_url, timeout=settings.TIMEOUT).read():
err_msg = "It seems that the authentication procedure has failed."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
except (_urllib.error.URLError, _urllib.error.HTTPError) as err_msg:
print(settings.print_critical_msg(err_msg))
raise SystemExit()
elif menu.options.auth_url or menu.options.auth_data:
err_msg = "You must specify both login panel URL and login parameters."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
else:
pass
if menu.options.shellshock:
menu.options.level = settings.HTTP_HEADER_INJECTION_LEVEL
else:
check_for_stored_levels(url, http_request_method)
if settings.PERFORM_BASIC_SCANS:
basic_level_checks()
# Check for stored injections on User-agent / Referer / Host HTTP headers (if level > 2).
if menu.options.level >= settings.HTTP_HEADER_INJECTION_LEVEL:
if settings.INJECTED_HTTP_HEADER == False :
check_parameter = ""
stored_http_header_injection(url, check_parameter, http_request_method, filename, timesec)
else:
# Enable Cookie Injection
if menu.options.level > settings.DEFAULT_INJECTION_LEVEL:
if menu.options.cookie:
cookie_injection(url, http_request_method, filename, timesec)
else:
warn_msg = "The HTTP Cookie header is not provided, "
warn_msg += "so this test is going to be skipped."
print(settings.print_warning_msg(warn_msg))
else:
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename, timesec)
settings.CUSTOM_HEADER_INJECTION = None
if settings.INJECTION_CHECKER == False:
return False
else:
return True
