Ejemplo n.º 1
0
def injection_proccess(url, check_parameter, http_request_method, filename, delay):

  # User-Agent Injection / Referer Injection / Custom header Injection 
  if check_parameter.startswith(" "):
    header_name = ""
    the_type = " HTTP header "
  else:
    if settings.COOKIE_INJECTION: 
      header_name = " cookie"
    else:
      header_name = ""
    the_type = " parameter "
    check_parameter = " '" + check_parameter + "'"

  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  if not settings.LOAD_SESSION:
    info_msg = "Setting the " + "(" + http_request_method 
    info_msg += ")" + check_parameter + header_name + the_type + "for tests."
    print settings.print_info_msg(info_msg)

  # Estimating the response time (in seconds)
  delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)

  # Check if it is vulnerable to classic command injection technique.
  if not menu.options.tech or "c" in menu.options.tech:
    if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
      settings.CLASSIC_STATE = True
  else:
    settings.CLASSIC_STATE = False

  # Check if it is vulnerable to eval-based code injection technique.
  if not menu.options.tech or "e" in menu.options.tech:
    if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
      settings.EVAL_BASED_STATE = True
  else:
    settings.EVAL_BASED_STATE = False

  # Check if it is vulnerable to time-based blind command injection technique.
  if not menu.options.tech or "t" in menu.options.tech:
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      settings.TIME_BASED_STATE = True
  else:
    settings.TIME_BASED_STATE = False

  # Check if it is vulnerable to file-based semiblind command injection technique.
  if not menu.options.tech or "f" in menu.options.tech:
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      settings.FILE_BASED_STATE = True
  else:
    settings.FILE_BASED_STATE = False

  # All injection techniques seems to be failed!
  if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False :
    warn_msg = "The tested (" + http_request_method + ")" 
    warn_msg += check_parameter + header_name + the_type 
    warn_msg += "seems to be not injectable."
    print settings.print_warning_msg(warn_msg)  
Ejemplo n.º 2
0
def do_check(url, filename):

    classic_state = False
    eval_based_state = False
    time_based_state = False
    file_based_state = False

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Check if authentication is needed.
    if menu.options.auth_url and menu.options.auth_data:
        # Do the authentication process.
        authentication.authentication_process()
        # Check if authentication page is the same with the next (injection) URL
        if urllib2.urlopen(url).read() == urllib2.urlopen(
                menu.options.auth_url).read():
            print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
            sys.exit(0)
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is GET or POST.
    header_name = ""
    if not menu.options.data:
        http_request_method = "GET"
        if not settings.COOKIE_INJECTION \
        and not settings.USER_AGENT_INJECTION \
        and not settings.REFERER_INJECTION:
            url = parameters.do_GET_check(url)
        check_parameter = parameters.vuln_GET_param(url)
        the_type = " parameter "

    else:
        http_request_method = "POST"
        parameter = menu.options.data
        parameter = parameters.do_POST_check(parameter)
        check_parameter = parameters.vuln_POST_param(parameter, url)
        the_type = " parameter "

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    # Cookie Injection
    if settings.COOKIE_INJECTION == True:
        header_name = " Cookie"
        settings.HTTP_HEADER = header_name[1:].lower()
        check_parameter = parameters.specify_cookie_parameter(
            menu.options.cookie)
        the_type = " HTTP header "

    # User-Agent Injection
    elif settings.USER_AGENT_INJECTION == True:
        header_name = " User-Agent"
        settings.HTTP_HEADER = header_name[1:].replace("-", "").lower()
        check_parameter = ""
        the_type = " HTTP header "

    # Referer Injection
    elif settings.REFERER_INJECTION == True:
        header_name = " Referer"
        settings.HTTP_HEADER = header_name[1:].lower()
        check_parameter = ""
        the_type = " HTTP header "

    if len(check_parameter) > 0:
        settings.TESTABLE_PARAMETER = check_parameter

    # Check for session file
    if not menu.options.ignore_session:
        if os.path.isfile(settings.SESSION_FILE):
            if not menu.options.tech:
                menu.options.tech = session_handler.applied_techniques(
                    url, http_request_method)
            if session_handler.check_stored_parameter(url,
                                                      http_request_method):
                settings.LOAD_SESSION = True

    if menu.options.flush_session:
        session_handler.flush(url)

    if len(check_parameter) != 0:
        check_parameter = " '" + check_parameter + "'"

    print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(
        url, http_request_method, delay)

    # Check if it is vulnerable to classic command injection technique.
    if not menu.options.tech or "c" in menu.options.tech:
        if cb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            classic_state = True
    else:
        classic_state = False

    # Check if it is vulnerable to eval-based code injection technique.
    if not menu.options.tech or "e" in menu.options.tech:
        if eb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            eval_based_state = True
    else:
        eval_based_state = False

    # Check if it is vulnerable to time-based blind command injection technique.
    if not menu.options.tech or "t" in menu.options.tech:
        if tb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            time_based_state = True
    else:
        time_based_state = False

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if not menu.options.tech or "f" in menu.options.tech:
        if fb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            file_based_state = True
    else:
        file_based_state = False

    if classic_state == eval_based_state == time_based_state == file_based_state == False:
        info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
        if not menu.options.alter_shell:
            info_msg += " Use the option '--alter-shell'"
        else:
            info_msg += " Remove the option '--alter-shell'"
        info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
        print Back.RED + info_msg + Style.RESET_ALL

    sys.exit(0)
Ejemplo n.º 3
0
def injection_proccess(url, check_parameter, http_request_method, filename,
                       timesec):

    # Skipping specific injection techniques.
    if settings.SKIP_TECHNIQUES:
        menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
        for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
            if skip_tech_name in menu.options.skip_tech:
                menu.options.tech = menu.options.tech.replace(
                    skip_tech_name, "")
        if len(menu.options.tech) == 0:
            err_msg = "Detection procedure was aborted due to skipping all injection techniques."
            print settings.print_critical_msg(err_msg)
            raise SystemExit

    # User-Agent Injection / Referer Injection / Custom header Injection
    if check_parameter.startswith(" "):
        header_name = ""
        the_type = " HTTP header"
    else:
        if settings.COOKIE_INJECTION:
            header_name = " cookie"
        else:
            header_name = ""
        the_type = " parameter"
        check_parameter = " '" + check_parameter + "'"

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    if not settings.LOAD_SESSION:
        info_msg = "Setting the"
        if not header_name == " cookie" and not the_type == " HTTP header":
            info_msg += " " + http_request_method + ""
        info_msg += the_type + header_name + check_parameter + " for tests."
        print settings.print_info_msg(info_msg)

    # Estimating the response time (in seconds)
    timesec, url_time_response = requests.estimate_response_time(url, timesec)

    skip_code_injections = False
    skip_command_injections = False

    # Procced with file-based semiblind command injection technique,
    # once the user provides the path of web server's root directory.
    if menu.options.web_root and not "f" in menu.options.tech:
        if not menu.options.web_root.endswith("/"):
            menu.options.web_root = menu.options.web_root + "/"
        if checks.procced_with_file_based_technique():
            menu.options.tech = "f"

    # Check if it is vulnerable to classic command injection technique.
    if not menu.options.tech or "c" in menu.options.tech:
        settings.CLASSIC_STATE = None
        if cb_handler.exploitation(url, timesec, filename,
                                   http_request_method) != False:
            if not menu.options.tech or "e" in menu.options.tech:
                if not menu.options.batch:
                    settings.CLASSIC_STATE = True
                    question_msg = "Due to results, "
                    question_msg += "skipping of code injection checks is recommended. "
                    question_msg += "Do you agree? [Y/n] > "
                    sys.stdout.write(settings.print_question_msg(question_msg))
                    procced_option = sys.stdin.readline().replace("\n",
                                                                  "").lower()
                else:
                    procced_option = ""
                if len(procced_option) == 0:
                    procced_option = "y"
                if procced_option in settings.CHOICE_YES:
                    skip_code_injections = True
                elif procced_option in settings.CHOICE_NO:
                    pass
                elif procced_option in settings.CHOICE_QUIT:
                    sys.exit(0)
                else:
                    err_msg = "'" + procced_option + "' is not a valid answer."
                    print settings.print_error_msg(err_msg)
                    pass
        else:
            settings.CLASSIC_STATE = False

    # Check if it is vulnerable to eval-based code injection technique.
    if not menu.options.tech or "e" in menu.options.tech:
        if not skip_code_injections:
            settings.EVAL_BASED_STATE = None
            if eb_handler.exploitation(url, timesec, filename,
                                       http_request_method) != False:
                if not menu.options.batch:
                    settings.EVAL_BASED_STATE = True
                    question_msg = "Due to results, "
                    question_msg += "skipping of further command injection checks is recommended. "
                    question_msg += "Do you agree? [Y/n] > "
                    sys.stdout.write(settings.print_question_msg(question_msg))
                    procced_option = sys.stdin.readline().replace("\n",
                                                                  "").lower()
                else:
                    procced_option = ""
                if len(procced_option) == 0:
                    procced_option = "y"
                if procced_option in settings.CHOICE_YES:
                    skip_command_injections = True
                elif procced_option in settings.CHOICE_NO:
                    pass
                elif procced_option in settings.CHOICE_QUIT:
                    sys.exit(0)
                else:
                    err_msg = "'" + procced_option + "' is not a valid answer."
                    print settings.print_error_msg(err_msg)
                    pass
            else:
                settings.EVAL_BASED_STATE = False

    if not skip_command_injections:
        # Check if it is vulnerable to time-based blind command injection technique.
        if not menu.options.tech or "t" in menu.options.tech:
            settings.TIME_BASED_STATE = None
            if tb_handler.exploitation(url, timesec, filename,
                                       http_request_method,
                                       url_time_response) != False:
                settings.TIME_BASED_STATE = True
            else:
                settings.TIME_BASED_STATE = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if not menu.options.tech or "f" in menu.options.tech and not skip_command_injections:
            settings.FILE_BASED_STATE = None
            if fb_handler.exploitation(url, timesec, filename,
                                       http_request_method,
                                       url_time_response) != False:
                settings.FILE_BASED_STATE = True
            else:
                settings.FILE_BASED_STATE = False

    # All injection techniques seems to be failed!
    if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
        warn_msg = "The tested"
        if not header_name == " cookie" and not the_type == " HTTP header":
            warn_msg += " " + http_request_method + ""
        warn_msg += the_type + header_name + check_parameter
        warn_msg += " seems to be not injectable."
        print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
Ejemplo n.º 4
0
def injection_proccess(url, check_parameter, http_request_method, filename,
                       delay):

    # User-Agent Injection / Referer Injection / Custom header Injection
    if check_parameter.startswith(" "):
        header_name = ""
        the_type = " HTTP header"
    else:
        if settings.COOKIE_INJECTION:
            header_name = " cookie"
        else:
            header_name = ""
        the_type = " parameter"
        check_parameter = " '" + check_parameter + "'"

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    if not settings.LOAD_SESSION:
        info_msg = "Setting the"
        if not header_name == " cookie" and not the_type == " HTTP header":
            info_msg += " " + http_request_method + ""
        info_msg += the_type + header_name + check_parameter + " for tests."
        print settings.print_info_msg(info_msg)

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(
        url, http_request_method, delay)

    # Check if it is vulnerable to classic command injection technique.
    if not menu.options.tech or "c" in menu.options.tech:
        settings.CLASSIC_STATE = None
        if cb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            settings.CLASSIC_STATE = True
        else:
            settings.CLASSIC_STATE = False

    # Check if it is vulnerable to eval-based code injection technique.
    if not menu.options.tech or "e" in menu.options.tech:
        settings.EVAL_BASED_STATE = None
        if eb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            settings.EVAL_BASED_STATE = True
        else:
            settings.EVAL_BASED_STATE = False

    # Check if it is vulnerable to time-based blind command injection technique.
    if not menu.options.tech or "t" in menu.options.tech:
        settings.TIME_BASED_STATE = None
        if tb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            settings.TIME_BASED_STATE = True
        else:
            settings.TIME_BASED_STATE = False

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if not menu.options.tech or "f" in menu.options.tech:
        settings.FILE_BASED_STATE = None
        if fb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            settings.FILE_BASED_STATE = True
        else:
            settings.FILE_BASED_STATE = False

    # All injection techniques seems to be failed!
    if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
        warn_msg = "The tested"
        if not header_name == " cookie" and not the_type == " HTTP header":
            warn_msg += " " + http_request_method + ""
        warn_msg += the_type + header_name + check_parameter
        warn_msg += " seems to be not injectable."
        print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
Ejemplo n.º 5
0
def injection_proccess(url, check_parameter, http_request_method, filename,
                       timesec):

    if menu.options.ignore_code:
        info_msg = "Ignoring '" + str(
            menu.options.ignore_code) + "' HTTP error code. "
        print(settings.print_info_msg(info_msg))

    # Skipping specific injection techniques.
    if settings.SKIP_TECHNIQUES:
        menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
        for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
            if skip_tech_name in menu.options.skip_tech:
                menu.options.tech = menu.options.tech.replace(
                    skip_tech_name, "")
        if len(menu.options.tech) == 0:
            err_msg = "Detection procedure was aborted due to skipping all injection techniques."
            print(settings.print_critical_msg(err_msg))
            raise SystemExit

    # User-Agent HTTP header / Referer HTTP header /
    # Host HTTP header / Custom HTTP header Injection(s)
    if check_parameter.startswith(" "):
        header_name = ""
        the_type = " HTTP header"
    else:
        if settings.COOKIE_INJECTION:
            header_name = " cookie"
        else:
            header_name = ""
        the_type = " parameter"
        check_parameter = " '" + check_parameter + "'"

    # Estimating the response time (in seconds)
    timesec, url_time_response = requests.estimate_response_time(url, timesec)
    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)
    # Check for identified warnings
    url = heuristic_basic(url, http_request_method)
    if settings.IDENTIFIED_WARNINGS:
        if not settings.SKIP_COMMAND_INJECTIONS:
            ci = "command injection techniques"
            ce = "code injection technique"
            if not menu.options.batch:
                question_msg = "Do you want to skip test payloads for "
                question_msg += ci + "? [Y/n] > "
                procced_option = _input(
                    settings.print_question_msg(question_msg))
            else:
                procced_option = ""
            if procced_option in settings.CHOICE_YES or len(
                    procced_option) == 0:
                if settings.VERBOSITY_LEVEL >= 1:
                    debug_msg = "Skipping " + ci + "."
                    print(settings.print_debug_msg(debug_msg))
                settings.CLASSIC_STATE = settings.TIME_BASED_STATE = settings.FILE_BASED_STATE = False
                settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = True
            elif procced_option in settings.CHOICE_NO:
                if settings.VERBOSITY_LEVEL >= 1:
                    debug_msg = "Skipping " + ce + "."
                    print(settings.print_debug_msg(debug_msg))
                settings.SKIP_CODE_INJECTIONS = True
                settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = False
            elif procced_option in settings.CHOICE_QUIT:
                raise SystemExit()
            else:
                err_msg = "'" + procced_option + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass

    if not settings.LOAD_SESSION:
        info_msg = "Setting the"
        if not header_name == " cookie" and not the_type == " HTTP header":
            info_msg += " " + http_request_method + ""
        info_msg += ('', ' (JSON)')[settings.IS_JSON] + (
            '', ' (SOAP/XML)')[settings.IS_XML]
        if header_name == " cookie":
            info_msg += header_name + the_type + check_parameter + " for tests."
        else:
            info_msg += the_type + header_name + check_parameter + " for tests."
        print(settings.print_info_msg(info_msg))

    if menu.options.failed_tries and \
       menu.options.tech and not "f" in menu.options.tech and not \
       menu.options.failed_tries:
        warn_msg = "Due to the provided (unsuitable) injection technique"
        warn_msg += "s"[len(menu.options.tech) == 1:][::-1] + ", "
        warn_msg += "the option '--failed-tries' will be ignored."
        print(settings.print_warning_msg(warn_msg)) + Style.RESET_ALL

    # Procced with file-based semiblind command injection technique,
    # once the user provides the path of web server's root directory.
    if menu.options.web_root and \
       menu.options.tech and not "f" in menu.options.tech:
        if not menu.options.web_root.endswith("/"):
            menu.options.web_root = menu.options.web_root + "/"
        if checks.procced_with_file_based_technique():
            menu.options.tech = "f"

    if not menu.options.tech:
        menu.options.tech = ""
    if len(menu.options.tech) == 0 or "c" in menu.options.tech:
        settings.CLASSIC_STATE = True
    if len(menu.options.tech) == 0 or "e" in menu.options.tech:
        settings.EVAL_BASED_STATE = True
    if len(menu.options.tech) == 0 or "t" in menu.options.tech:
        settings.TIME_BASED_STATE = True
    if len(menu.options.tech) == 0 or "f" in menu.options.tech:
        settings.FILE_BASED_STATE = True

    # Check if it is vulnerable to classic command injection technique.
    if not settings.SKIP_COMMAND_INJECTIONS and settings.CLASSIC_STATE:
        settings.CLASSIC_STATE = None
        if cb_handler.exploitation(url, timesec, filename,
                                   http_request_method) != False:
            if settings.EVAL_BASED_STATE:
                if not menu.options.batch:
                    settings.CLASSIC_STATE = True
                    question_msg = "Due to results, "
                    question_msg += "skipping of code injection checks is recommended. "
                    question_msg += "Do you agree? [Y/n] > "
                    procced_option = _input(
                        settings.print_question_msg(question_msg))
                else:
                    procced_option = ""
                if len(procced_option) == 0:
                    procced_option = "Y"
                if procced_option in settings.CHOICE_YES:
                    if settings.VERBOSITY_LEVEL >= 1:
                        debug_msg = "Skipping code injection checks."
                        print(settings.print_debug_msg(debug_msg))
                    settings.SKIP_CODE_INJECTIONS = True
                elif procced_option in settings.CHOICE_NO:
                    pass
                elif procced_option in settings.CHOICE_QUIT:
                    raise SystemExit()
                else:
                    err_msg = "'" + procced_option + "' is not a valid answer."
                    print(settings.print_error_msg(err_msg))
                    pass
        else:
            settings.CLASSIC_STATE = False

    # Check if it is vulnerable to eval-based code injection technique.
    if not settings.SKIP_CODE_INJECTIONS and settings.EVAL_BASED_STATE:
        settings.EVAL_BASED_STATE = None
        if eb_handler.exploitation(url, timesec, filename,
                                   http_request_method) != False:
            if not menu.options.batch:
                settings.EVAL_BASED_STATE = True
                question_msg = "Due to results, "
                question_msg += "skipping of further command injection checks is recommended. "
                question_msg += "Do you agree? [Y/n] > "
                procced_option = _input(
                    settings.print_question_msg(question_msg))
            else:
                procced_option = ""
            if len(procced_option) == 0:
                procced_option = "Y"
            if procced_option in settings.CHOICE_YES:
                if settings.VERBOSITY_LEVEL >= 1:
                    debug_msg = "Skipping command injection checks."
                    print(settings.print_debug_msg(debug_msg))
                settings.SKIP_COMMAND_INJECTIONS = True
            elif procced_option in settings.CHOICE_NO:
                pass
            elif procced_option in settings.CHOICE_QUIT:
                raise SystemExit()
            else:
                err_msg = "'" + procced_option + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass
        else:
            settings.EVAL_BASED_STATE = False

    if not settings.SKIP_COMMAND_INJECTIONS:
        # Check if it is vulnerable to time-based blind command injection technique.
        if settings.TIME_BASED_STATE:
            settings.TIME_BASED_STATE = None
            if tb_handler.exploitation(url, timesec, filename,
                                       http_request_method,
                                       url_time_response) != False:
                settings.TIME_BASED_STATE = True
            else:
                settings.TIME_BASED_STATE = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if settings.FILE_BASED_STATE:
            settings.FILE_BASED_STATE = None
            if fb_handler.exploitation(url, timesec, filename,
                                       http_request_method,
                                       url_time_response) != False:
                settings.FILE_BASED_STATE = True
            else:
                settings.FILE_BASED_STATE = False

    # All injection techniques seems to be failed!
    if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
        warn_msg = "The tested"
        if not header_name == " cookie" and not the_type == " HTTP header":
            warn_msg += " " + http_request_method + ""
        warn_msg += the_type + header_name + check_parameter
        warn_msg += " seems to be not injectable."
        print(settings.print_warning_msg(warn_msg)) + Style.RESET_ALL
Ejemplo n.º 6
0
def injection_proccess(url, check_parameter, http_request_method, filename,
                       timesec):

    if menu.options.ignore_code:
        info_msg = "Ignoring '" + str(
            menu.options.ignore_code) + "' HTTP error code. "
        print(settings.print_info_msg(info_msg))

    # Skipping specific injection techniques.
    if settings.SKIP_TECHNIQUES:
        menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
        for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
            if skip_tech_name in menu.options.skip_tech:
                menu.options.tech = menu.options.tech.replace(
                    skip_tech_name, "")
        if len(menu.options.tech) == 0:
            err_msg = "Detection procedure was aborted due to skipping all injection techniques."
            print(settings.print_critical_msg(err_msg))
            raise SystemExit

    # User-Agent HTTP header / Referer HTTP header /
    # Host HTTP header / Custom HTTP header Injection(s)
    if check_parameter.startswith(" "):
        header_name = ""
        the_type = " HTTP header"
    else:
        if settings.COOKIE_INJECTION:
            header_name = " cookie"
        else:
            header_name = ""
        the_type = " parameter"
        check_parameter = " '" + check_parameter + "'"

    # Estimating the response time (in seconds)
    timesec, url_time_response = requests.estimate_response_time(url, timesec)
    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    if not settings.LOAD_SESSION:
        if (len(menu.options.tech) == 0 or "e" in menu.options.tech):
            # Check for identified warnings
            url = heuristic_basic(url, http_request_method)
            if settings.IDENTIFIED_WARNINGS or settings.IDENTIFIED_PHPINFO:
                while True:
                    if not menu.options.batch:
                        question_msg = "Skipping of further command injection tests is recommended. "
                        question_msg += "Do you agree? [Y/n] > "
                        procced_option = _input(
                            settings.print_question_msg(question_msg))
                    else:
                        procced_option = ""
                    if procced_option in settings.CHOICE_YES or len(
                            procced_option) == 0:
                        settings.CLASSIC_STATE = settings.TIME_BASED_STATE = settings.FILE_BASED_STATE = False
                        settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = True
                        break
                    elif procced_option in settings.CHOICE_NO:
                        break
                    elif procced_option in settings.CHOICE_QUIT:
                        raise SystemExit()
                    else:
                        err_msg = "'" + procced_option + "' is not a valid answer."
                        print(settings.print_error_msg(err_msg))
                        pass

        info_msg = "Setting the"
        if not header_name == " cookie" and not the_type == " HTTP header":
            info_msg += " " + str(http_request_method) + ""
        info_msg += ('', ' (JSON)')[settings.IS_JSON] + (
            '', ' (SOAP/XML)')[settings.IS_XML]
        if header_name == " cookie":
            info_msg += str(header_name) + str(the_type) + str(
                check_parameter) + " for tests."
        else:
            info_msg += str(the_type) + str(header_name) + str(
                check_parameter) + " for tests."
        print(settings.print_info_msg(info_msg))

    if menu.options.failed_tries and \
       menu.options.tech and not "f" in menu.options.tech and not \
       menu.options.failed_tries:
        warn_msg = "Due to the provided (unsuitable) injection technique"
        warn_msg += "s"[len(menu.options.tech) == 1:][::-1] + ", "
        warn_msg += "the option '--failed-tries' will be ignored."
        print(settings.print_warning_msg(warn_msg) + Style.RESET_ALL)

    # Procced with file-based semiblind command injection technique,
    # once the user provides the path of web server's root directory.
    if menu.options.web_root and \
       menu.options.tech and not "f" in menu.options.tech:
        if not menu.options.web_root.endswith("/"):
            menu.options.web_root = menu.options.web_root + "/"
        if checks.procced_with_file_based_technique():
            menu.options.tech = "f"

    if settings.SKIP_COMMAND_INJECTIONS:
        dynamic_code_evaluation_technique(url, timesec, filename,
                                          http_request_method)
        classic_command_injection_technique(url, timesec, filename,
                                            http_request_method)
    else:
        classic_command_injection_technique(url, timesec, filename,
                                            http_request_method)
        dynamic_code_evaluation_technique(url, timesec, filename,
                                          http_request_method)
    timebased_command_injection_technique(url, timesec, filename,
                                          http_request_method,
                                          url_time_response)
    filebased_command_injection_technique(url, timesec, filename,
                                          http_request_method,
                                          url_time_response)

    # All injection techniques seems to be failed!
    if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
        warn_msg = "The tested"
        if header_name != " cookie" and the_type != " HTTP header":
            warn_msg += " " + str(http_request_method) + ""
        warn_msg += str(the_type) + str(header_name) + str(check_parameter)
        warn_msg += " seems to be not injectable."
        print(settings.print_warning_msg(warn_msg))
Ejemplo n.º 7
0
def injection_proccess(url, check_parameter, http_request_method, filename,
                       delay):

    # User-Agent Injection / Referer Injection / Custom header Injection
    if check_parameter.startswith(" "):
        header_name = ""
        the_type = " HTTP header"
    else:
        if settings.COOKIE_INJECTION:
            header_name = " cookie"
        else:
            header_name = ""
        the_type = " parameter"
        check_parameter = " '" + check_parameter + "'"

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    if not settings.LOAD_SESSION:
        info_msg = "Setting the"
        if not header_name == " cookie" and not the_type == " HTTP header":
            info_msg += " " + http_request_method + ""
        info_msg += the_type + header_name + check_parameter + " for tests."
        print settings.print_info_msg(info_msg)

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(url, delay)

    skip_code_injections = False
    skip_command_injections = False

    # Check if it is vulnerable to classic command injection technique.
    if not menu.options.tech or "c" in menu.options.tech:
        settings.CLASSIC_STATE = None
        if cb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            settings.CLASSIC_STATE = True
            question_msg = "Due to resuts "
            question_msg += "skipping of code injection checks is recommended. "
            question_msg += "Do you agree? [Y/n/q] > "
            sys.stdout.write(settings.print_question_msg(question_msg))
            procced_option = sys.stdin.readline().replace("\n", "").lower()
            if len(procced_option) == 0:
                procced_option = "y"
            if procced_option in settings.CHOICE_YES:
                skip_code_injections = True
            elif procced_option in settings.CHOICE_NO:
                pass
            elif procced_option in settings.CHOICE_QUIT:
                sys.exit(0)
            else:
                err_msg = "'" + procced_option + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
        else:
            settings.CLASSIC_STATE = False

    # Check if it is vulnerable to eval-based code injection technique.
    if not menu.options.tech or "e" in menu.options.tech:
        if not skip_code_injections:
            settings.EVAL_BASED_STATE = None
            if eb_handler.exploitation(url, delay, filename,
                                       http_request_method) != False:
                settings.EVAL_BASED_STATE = True
                question_msg = "Due to resuts, "
                question_msg += "skipping of further command injection checks is recommended. "
                question_msg += "Do you agree? [Y/n/q] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                procced_option = sys.stdin.readline().replace("\n", "").lower()
                if len(procced_option) == 0:
                    procced_option = "y"
                if procced_option in settings.CHOICE_YES:
                    skip_command_injections = True
                elif procced_option in settings.CHOICE_NO:
                    pass
                elif procced_option in settings.CHOICE_QUIT:
                    sys.exit(0)
                else:
                    err_msg = "'" + procced_option + "' is not a valid answer."
                    print settings.print_error_msg(err_msg)
                    pass
            else:
                settings.EVAL_BASED_STATE = False

    if not skip_command_injections:

        # Check if it is vulnerable to time-based blind command injection technique.
        if not menu.options.tech or "t" in menu.options.tech:
            settings.TIME_BASED_STATE = None
            if tb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) != False:
                settings.TIME_BASED_STATE = True
            else:
                settings.TIME_BASED_STATE = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if not menu.options.tech or "f" in menu.options.tech and not skip_command_injections:
            settings.FILE_BASED_STATE = None
            if fb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) != False:
                settings.FILE_BASED_STATE = True
            else:
                settings.FILE_BASED_STATE = False

    # All injection techniques seems to be failed!
    if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
        warn_msg = "The tested"
        if not header_name == " cookie" and not the_type == " HTTP header":
            warn_msg += " " + http_request_method + ""
        warn_msg += the_type + header_name + check_parameter
        warn_msg += " seems to be not injectable."
        print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
Ejemplo n.º 8
0
def do_check(url, filename):

    classic_state = False
    eval_based_state = False
    time_based_state = False
    file_based_state = False

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Do authentication if needed.
    if menu.options.auth_url and menu.options.auth_data:
        authentication.auth_process()
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is GET or POST.
    header_name = ""
    if not menu.options.data:
        http_request_method = "GET"
        if not settings.COOKIE_INJECTION and not settings.USER_AGENT_INJECTION and not settings.REFERER_INJECTION:
            url = parameters.do_GET_check(url)
        check_parameter = parameters.vuln_GET_param(url)
        the_type = " parameter "

    else:
        http_request_method = "POST"
        parameter = menu.options.data
        parameter = parameters.do_POST_check(parameter)
        check_parameter = parameters.vuln_POST_param(parameter, url)
        the_type = " parameter "

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    # Cookie Injection
    if settings.COOKIE_INJECTION == True:
        header_name = " Cookie"
        check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
        the_type = " HTTP header "

    # User-Agent Injection
    elif settings.USER_AGENT_INJECTION == True:
        header_name = " User-Agent"
        check_parameter = ""
        the_type = " HTTP header "

    # Referer Injection
    elif settings.REFERER_INJECTION == True:
        header_name = " Referer"
        check_parameter = ""
        the_type = " HTTP header "

    else:
        pass

    if len(check_parameter) != 0:
        check_parameter = " '" + check_parameter + "'"

    print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)

    # Check all injection techniques
    if not menu.options.tech:
        # Check if it is vulnerable to classic command injection technique.
        if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
            classic_state = True

        # Check if it is vulnerable to eval-based command injection technique.
        if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
            eval_based_state = True

        # Check if it is vulnerable to time-based blind command injection technique.
        if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
            time_based_state = True

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
            file_based_state = True

    else:
        # Check if it is vulnerable to classic command injection technique.
        if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
            # Check if classic results-based command injection technique succeeds.
            if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
                classic_state = True
        elif menu.options.tech == "classic":
            cb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            classic_state = False

        # Check if it is vulnerable to eval-based command injection technique.
        if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
            # Check if eval-based command injection technique succeeds.
            if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
                eval_based_state = True
        elif menu.options.tech == "eval-based":
            eb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            eval_based_state = False

        # Check if it is vulnerable to time-based blind command injection technique.
        if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
            # Check if time-based blind command injection technique succeeds.
            if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
                time_based_state = True
        elif menu.options.tech == "time-based":
            tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
        else:
            time_based_state = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
            # Check if file-based semiblind command injection technique succeeds.
            if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
                file_based_state = True
        elif menu.options.tech == "file-based":
            fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
        else:
            file_based_state = False

    if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
        info_msg = (
            "(x) Critical: The tested ("
            + http_request_method
            + ")"
            + check_parameter
            + " parameter appear to be not injectable."
        )
        if not menu.options.alter_shell:
            info_msg += " Use the option '--alter-shell'"
        else:
            info_msg += " Remove the option '--alter-shell'"
        info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
        print Back.RED + info_msg + Style.RESET_ALL

    # else:
    #   print ""
    sys.exit(0)
Ejemplo n.º 9
0
def do_check(url, filename):

  classic_state = False
  eval_based_state = False
  time_based_state = False
  file_based_state = False

  # Check if defined "--delay" option.
  if menu.options.delay:
    delay = menu.options.delay
  else:
    delay = settings.DELAY

  # Check if authentication is needed.
  if menu.options.auth_url and menu.options.auth_data:
    # Do the authentication process.
    authentication.authentication_process()
    # Check if authentication page is the same with the next (injection) URL
    if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
      print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
      sys.exit(0)
  elif menu.options.auth_url or menu.options.auth_data: 
    print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
    sys.exit(0)
  else:
    pass

  # Check if HTTP Method is GET or POST.
  header_name = ""
  if not menu.options.data:
    http_request_method = "GET"
    if not settings.COOKIE_INJECTION \
    and not settings.USER_AGENT_INJECTION \
    and not settings.REFERER_INJECTION:
      url = parameters.do_GET_check(url)
    check_parameter = parameters.vuln_GET_param(url)
    the_type = " parameter "

  else:
    http_request_method = "POST"
    parameter = menu.options.data
    parameter = parameters.do_POST_check(parameter)
    check_parameter = parameters.vuln_POST_param(parameter, url)
    the_type = " parameter " 
  
  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  # Cookie Injection
  if settings.COOKIE_INJECTION == True:
    header_name = " Cookie"
    settings.HTTP_HEADER = header_name[1:].lower()
    check_parameter  = parameters.specify_cookie_parameter(menu.options.cookie)
    the_type = " HTTP header "
            
  # User-Agent Injection
  elif settings.USER_AGENT_INJECTION == True:
    header_name = " User-Agent"
    settings.HTTP_HEADER = header_name[1:].replace("-","").lower()
    check_parameter  = ""
    the_type = " HTTP header "

  # Referer Injection
  elif settings.REFERER_INJECTION == True:
    header_name = " Referer"
    settings.HTTP_HEADER = header_name[1:].lower()
    check_parameter  = ""
    the_type = " HTTP header "

  if len(check_parameter) > 0:
    settings.TESTABLE_PARAMETER = check_parameter

  # Check for session file 
  if not menu.options.ignore_session:
    if os.path.isfile(settings.SESSION_FILE):
      if not menu.options.tech:
          menu.options.tech = session_handler.applied_techniques(url, http_request_method)
      if session_handler.check_stored_parameter(url, http_request_method):
        settings.LOAD_SESSION = True
        
  if menu.options.flush_session:
    session_handler.flush(url)

  if len(check_parameter) != 0 :
    check_parameter = " '" + check_parameter + "'"

  print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

  # Estimating the response time (in seconds)
  delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)

  # Check if it is vulnerable to classic command injection technique.
  if not menu.options.tech or "c" in menu.options.tech:
    if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
      classic_state = True
  else:
    classic_state = False

  # Check if it is vulnerable to eval-based code injection technique.
  if not menu.options.tech or "e" in menu.options.tech:
    if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
      eval_based_state = True
  else:
    eval_based_state = False

  # Check if it is vulnerable to time-based blind command injection technique.
  if not menu.options.tech or "t" in menu.options.tech:
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      time_based_state = True
  else:
    time_based_state = False

  # Check if it is vulnerable to file-based semiblind command injection technique.
  if not menu.options.tech or "f" in menu.options.tech:
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      file_based_state = True
  else:
    file_based_state = False

  if classic_state == eval_based_state == time_based_state == file_based_state == False :
    info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
    if not menu.options.alter_shell :
      info_msg += " Use the option '--alter-shell'"
    else:
      info_msg += " Remove the option '--alter-shell'"
    info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
    print Back.RED + info_msg + Style.RESET_ALL  

  sys.exit(0)
Ejemplo n.º 10
0
def do_check(url, filename):

    classic_state = False
    eval_based_state = False
    time_based_state = False
    file_based_state = False

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Check if authentication is needed.
    if menu.options.auth_url and menu.options.auth_data:
        # Do the authentication process.
        authentication.authentication_process()
        # Check if authentication page is the same with the next (injection) URL
        if urllib2.urlopen(url).read() == urllib2.urlopen(
                menu.options.auth_url).read():
            print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL
            sys.exit(0)
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is GET or POST.
    header_name = ""
    if not menu.options.data:
        http_request_method = "GET"
        if not settings.COOKIE_INJECTION \
        and not settings.USER_AGENT_INJECTION \
        and not settings.REFERER_INJECTION:
            url = parameters.do_GET_check(url)
        check_parameter = parameters.vuln_GET_param(url)
        the_type = " parameter "

    else:
        http_request_method = "POST"
        parameter = menu.options.data
        parameter = parameters.do_POST_check(parameter)
        check_parameter = parameters.vuln_POST_param(parameter, url)
        the_type = " parameter "

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    # Cookie Injection
    if settings.COOKIE_INJECTION == True:
        header_name = " Cookie"
        check_parameter = parameters.specify_cookie_parameter(
            menu.options.cookie)
        the_type = " HTTP header "

    # User-Agent Injection
    elif settings.USER_AGENT_INJECTION == True:
        header_name = " User-Agent"
        check_parameter = ""
        the_type = " HTTP header "

    # Referer Injection
    elif settings.REFERER_INJECTION == True:
        header_name = " Referer"
        check_parameter = ""
        the_type = " HTTP header "

    else:
        pass

    if len(check_parameter) != 0:
        check_parameter = " '" + check_parameter + "'"

    print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(
        url, http_request_method, delay)

    # Check all injection techniques
    if not menu.options.tech:
        # Check if it is vulnerable to classic command injection technique.
        if cb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            classic_state = True

        # Check if it is vulnerable to eval-based command injection technique.
        if eb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            eval_based_state = True

        # Check if it is vulnerable to time-based blind command injection technique.
        if tb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            time_based_state = True

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if fb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            file_based_state = True

    else:
        # Check if it is vulnerable to classic command injection technique.
        if "classic" in menu.options.tech or len(
                menu.options.tech) <= 4 and "c" in menu.options.tech:
            # Check if classic results-based command injection technique succeeds.
            if cb_handler.exploitation(url, delay, filename,
                                       http_request_method) != False:
                classic_state = True
        elif menu.options.tech == "classic":
            cb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            classic_state = False

        # Check if it is vulnerable to eval-based command injection technique.
        if "eval-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "e" in menu.options.tech:
            # Check if eval-based command injection technique succeeds.
            if eb_handler.exploitation(url, delay, filename,
                                       http_request_method) != False:
                eval_based_state = True
        elif menu.options.tech == "eval-based":
            eb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            eval_based_state = False

        # Check if it is vulnerable to time-based blind command injection technique.
        if "time-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "t" in menu.options.tech:
            # Check if time-based blind command injection technique succeeds.
            if tb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) != False:
                time_based_state = True
        elif menu.options.tech == "time-based":
            tb_handler.exploitation(url, delay, filename, http_request_method,
                                    url_time_response)
        else:
            time_based_state = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if "file-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "f" in menu.options.tech:
            # Check if file-based semiblind command injection technique succeeds.
            if fb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) != False:
                file_based_state = True
        elif menu.options.tech == "file-based":
            fb_handler.exploitation(url, delay, filename, http_request_method,
                                    url_time_response)
        else:
            file_based_state = False

    if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
        info_msg = "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
        if not menu.options.alter_shell:
            info_msg += " Use the option '--alter-shell'"
        else:
            info_msg += " Remove the option '--alter-shell'"
        info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
        print Back.RED + info_msg + Style.RESET_ALL

    # else:
    #   print ""
    sys.exit(0)
Ejemplo n.º 11
0
def do_check(url, filename):

  classic_state = False
  eval_based_state = False
  time_based_state = False
  file_based_state = False

  # Check if defined "--delay" option.
  if menu.options.delay:
    delay = menu.options.delay
  else:
    delay = settings.DELAY

  # Do authentication if needed.
  if menu.options.auth_url and menu.options.auth_data:
    authentication.auth_process()      
  elif menu.options.auth_url or menu.options.auth_data: 
    print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
    sys.exit(0)
  else:
    pass
  
  # Check if HTTP Method is GET or POST.
  header_name = ""
  if not menu.options.data:
    http_request_method = "GET"
    check_parameter  = parameters.vuln_GET_param(url)
    the_type = " parameter "

  else:
    http_request_method = "POST"
    parameter = menu.options.data
    check_parameter = parameters.vuln_POST_param(parameter, url)
    the_type = " parameter " 

  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  # Cookie Injection
  if settings.COOKIE_INJECTION == True:
    header_name = " Cookie"
    check_parameter  = parameters.specify_cookie_parameter(menu.options.cookie)
    the_type = " HTTP header "
            
  # User-Agent Injection
  elif settings.USER_AGENT_INJECTION == True:
    header_name = " User-Agent"
    check_parameter  = ""
    the_type = " HTTP header "

  # Referer Injection
  elif settings.REFERER_INJECTION == True:
    header_name = " Referer"
    check_parameter  = ""
    the_type = " HTTP header "

  else : 
    pass

  if len(check_parameter) != 0 :
    check_parameter = " '" + check_parameter + "'"

  print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

  # Estimating the response time (in seconds)
  delay, url_time_response = requests.estimate_response_time(url, delay)

  # Check all injection techniques
  if not menu.options.tech:
    # Check if it is vulnerable to classic command injection technique.
    if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
      classic_state = True

    # Check if it is vulnerable to eval-based command injection technique.
    if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
      eval_based_state = True

    # Check if it is vulnerable to time-based blind command injection technique.
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      time_based_state = True

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      file_based_state = True

  else:
    # Check if it is vulnerable to classic command injection technique.
    if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
      # Check if classic results-based command injection technique succeeds.
      if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
        classic_state = True
    elif menu.options.tech == "classic":
      cb_handler.exploitation(url, delay, filename, http_request_method)
    else:
      classic_state = False

    # Check if it is vulnerable to eval-based command injection technique.
    if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
      # Check if eval-based command injection technique succeeds.
      if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
        eval_based_state = True
    elif menu.options.tech == "eval-based":
      eb_handler.exploitation(url, delay, filename, http_request_method)
    else:
      eval_based_state = False

    # Check if it is vulnerable to time-based blind command injection technique.
    if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
      # Check if time-based blind command injection technique succeeds.
      if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
        time_based_state = True
    elif menu.options.tech == "time-based":
      tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
    else:
      time_based_state = False

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
       # Check if file-based semiblind command injection technique succeeds.
      if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
        file_based_state = True
    elif menu.options.tech == "file-based":
      fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
    else:
      file_based_state = False

  if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
    if http_request_method == "GET":
      print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
    else:
      print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
  else:
    logs.logs_notification(filename)
  sys.exit(0)
  
#eof
Ejemplo n.º 12
0
def do_check(url, filename):

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Do authentication if needed.
    if menu.options.auth_url and menu.options.auth_data:
        authentication.auth_process()
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is POST.
    if not menu.options.data:
        http_request_method = "GET"
    else:
        http_request_method = "POST"
        parameter = menu.options.data

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(url, delay)

    # Check all injection techniques
    if not menu.options.tech:
        # Check if it is vulnerable to classic command injection technique.
        if cb_handler.exploitation(url, delay, filename,
                                   http_request_method) == False:
            classic_state = False
        else:
            classic_state = True
        # Check if it is vulnerable to eval-based command injection technique.
        if eb_handler.exploitation(url, delay, filename,
                                   http_request_method) == False:
            eval_based_state = False
        else:
            eval_based_state = True
        # Check if it is vulnerable to time-based blind command injection technique.
        if tb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) == False:
            time_based_state = False
        else:
            time_based_state = True
        # Check if it is vulnerable to file-based semiblind command injection technique.
        if fb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) == False:
            file_based_state = False
        else:
            file_based_state = True

    else:
        # Check if it is vulnerable to classic command injection technique.
        if "classic" in menu.options.tech or len(
                menu.options.tech) <= 4 and "c" in menu.options.tech:
            # Check if classic results-based command injection technique succeeds.
            if cb_handler.exploitation(url, delay, filename,
                                       http_request_method) == False:
                classic_state = False
            else:
                classic_state = True
        elif menu.options.tech == "classic":
            execute_classic_technique(url, delay, filename,
                                      http_request_method)
        else:
            classic_state = False

        # Check if it is vulnerable to eval-based command injection technique.
        if "eval-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "e" in menu.options.tech:
            # Check if eval-based command injection technique succeeds.
            if eb_handler.exploitation(url, delay, filename,
                                       http_request_method) == False:
                eval_based_state = False
            else:
                eval_based_state = True
        elif menu.options.tech == "eval-based":
            execute_eval_based_technique(url, delay, filename,
                                         http_request_method)
        else:
            eval_based_state = False

        # Check if it is vulnerable to time-based blind command injection technique.
        if "time-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "t" in menu.options.tech:
            # Check if time-based blind command injection technique succeeds.
            if tb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) == False:
                time_based_state = False
            else:
                time_based_state = True
        elif menu.options.tech == "time-based":
            execute_time_based_technique(url, delay, filename,
                                         http_request_method,
                                         url_time_response)
        else:
            time_based_state = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if "file-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "f" in menu.options.tech:
            # Check if file-based semiblind command injection technique succeeds.
            if fb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) == False:
                file_based_state = False
            else:
                file_based_state = True
        elif menu.options.tech == "file-based":
            execute_file_based_technique(url, delay, filename,
                                         http_request_method,
                                         url_time_response)
        else:
            file_based_state = False

    if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
        if http_request_method == "GET":
            print Back.RED + "(x) The url '" + url + "' appear to be not injectable." + Style.RESET_ALL
        else:
            print Back.RED + "(x) The '" + parameter + "' parameter appear to be not injectable." + Style.RESET_ALL
    else:
        logs.logs_notification(filename)
    sys.exit(0)


#eof
Ejemplo n.º 13
0
def do_check(url):
  # The logs filename construction.
  filename = logs.create_log_file(url)

  # Check if defined "--delay" option.
  if menu.options.delay:
    delay = menu.options.delay
  else:
    delay = settings.DELAY

  # Do authentication if needed.
  if menu.options.auth_url and menu.options.auth_data:
    authentication.auth_process()      
  elif menu.options.auth_url or menu.options.auth_data: 
    print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
    sys.exit(0)
  else:
    pass
  
  # Check if HTTP Method is POST.
  if not menu.options.data:
    http_request_method = "GET"
  else:
    http_request_method = "POST"
    parameter = menu.options.data
    
  # Load modules
  modules_handler.load_modules(url, http_request_method)

  # Estimating the response time (in seconds)
  delay, url_time_response = requests.estimate_response_time(url, delay)

  # Check all injection techniques
  if not menu.options.tech:
    # Check if it is vulnerable to classic command injection technique.
    if cb_handler.exploitation(url, delay, filename, http_request_method) == False:
      classic_state = False
    else:
      classic_state = True
    # Check if it is vulnerable to eval-based command injection technique.
    if eb_handler.exploitation(url, delay, filename, http_request_method) == False:
      eval_based_state = False
    else:
      eval_based_state = True
    # Check if it is vulnerable to time-based blind command injection technique.
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False:
      time_based_state = False
    else:
      time_based_state = True
    # Check if it is vulnerable to file-based semiblind command injection technique.
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False:
      file_based_state = False
    else:
      file_based_state = True

  else:
    # Check if it is vulnerable to classic command injection technique.
    if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
      # Check if classic results-based command injection technique succeeds.
      if cb_handler.exploitation(url, delay, filename, http_request_method) == False:
        classic_state = False
      else:
        classic_state = True
    elif menu.options.tech == "classic":
      execute_classic_technique(url, delay, filename, http_request_method)
    else:
      classic_state = False

    # Check if it is vulnerable to eval-based command injection technique.
    if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
      # Check if eval-based command injection technique succeeds.
      if eb_handler.exploitation(url, delay, filename, http_request_method) == False:
        eval_based_state = False
      else:
        eval_based_state = True
    elif menu.options.tech == "eval-based":
      execute_eval_based_technique(url, delay, filename, http_request_method)
    else:
      eval_based_state = False

    # Check if it is vulnerable to time-based blind command injection technique.
    if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
      # Check if time-based blind command injection technique succeeds.
      if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False:
        time_based_state = False
      else:
        time_based_state = True
    elif menu.options.tech == "time-based":
      execute_time_based_technique(url, delay, filename, http_request_method, url_time_response)
    else:
      time_based_state = False

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
       # Check if file-based semiblind command injection technique succeeds.
      if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False:
        file_based_state = False
      else:
        file_based_state = True
    elif menu.options.tech == "file-based":
      execute_file_based_technique(url, delay, filename, http_request_method, url_time_response)
    else:
      file_based_state = False

  if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
    if http_request_method == "GET":
      print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
    else:
      print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
  else:
    print "(*) The results can be found at '" + os.getcwd() + "/" + filename +".txt'"
  sys.exit(0)
  
#eof