def addStartURL(self, url): if self.__checklink(url): print(_("Invalid link argument: {0}").format(url)) sys.exit(0) if self.__inzone(url) == 0: self.tobrowse.append(HTTP.HTTPResource(url)) else: self.out_of_scope_urls.append(HTTP.HTTPResource(url))
def attackGET(self, http_res): url = http_res.path resp_headers = http_res.headers referer = http_res.referer headers = {} if referer: headers["referer"] = referer if url not in self.attackedGET: if self.verbose == 2: print(u"+ {0}".format(url)) err1 = self.__returnErrorByCode(resp_headers["status_code"]) if err1 != "ok": test_req = HTTP.HTTPResource(url) data1 = self.HTTP.send(test_req, headers=headers).getPage() # .htaccess protection detected if self.verbose >= 1: self.log(_("HtAccess protection found: {0}"), url) evil_req = HTTP.HTTPResource(url, method="ABC") data2, code2 = self.HTTP.send(evil_req, headers=headers).getPageCode() err2 = self.__returnErrorByCode(code2) if err2 == "ok": # .htaccess bypass success if self.verbose >= 1: self.logC(_("|HTTP Code: {0} : {1}"), resp_headers["status_code"], err1) if self.verbose == 2: self.logY(_("Source code:")) self.logW(data1) self.logVuln(category=Vulnerability.HTACCESS, level=Vulnerability.HIGH_LEVEL, request=evil_req, info=_("{0} HtAccess").format(err1)) self.logR(_(" .htaccess bypass vulnerability: {0}"), evil_req.url) # print output informations by verbosity option if self.verbose >= 1: self.logC(_("|HTTP Code: {0}"), code2) if self.verbose == 2: self.logY(_("Source code:")) self.logW(data2) self.attackedGET.append(url)
def __init__(self, http, xmlRepGenerator): Attack.__init__(self, http, xmlRepGenerator) user_config_dir = os.getenv('HOME') or os.getenv('USERPROFILE') user_config_dir += "/config" if not os.path.isdir(user_config_dir): os.makedirs(user_config_dir) try: fd = open(os.path.join(user_config_dir, self.CONFIG_FILE)) reader = csv.reader(fd) self.nikto_db = [l for l in reader if l != [] and l[0].isdigit()] fd.close() except IOError: try: print(("Problem with local nikto database.")) print(("Downloading from the web...")) nikto_req = HTTP.HTTPResource("http://cirt.net/nikto/UPDATES/2.1.5/db_tests") resp = self.HTTP.send(nikto_req) page = resp.getRawPage() csv.register_dialect("nikto", quoting=csv.QUOTE_ALL, doublequote=False, escapechar="\\") reader = csv.reader(page.split("\n"), "nikto") self.nikto_db = [l for l in reader if l != [] and l[0].isdigit()] fd = open(os.path.join(user_config_dir, self.CONFIG_FILE), "w") writer = csv.writer(fd) writer.writerows(self.nikto_db) fd.close() except socket.timeout: print(("Error downloading Nikto database"))
def __end_element(self, name): if name == self.RESOURCE: http_res = HTTP.HTTPResource(self.path, method=self.method, encoding=self.encoding, referer=self.referer, get_params=self.get_params, post_params=self.post_params, file_params=self.file_params) http_res.setHeaders(self.headers) if self.array is self.to_browse: self.to_browse.append(http_res) else: if self.method == "GET": self.browsed_links.append(http_res) elif self.method == "POST": self.browsed_forms.append(http_res)
def attackGET(self, http_res): if http_res.file_name == "": return page = http_res.path headers = http_res.headers # Do not attack application-type files if not "content-type" in headers: # Sometimes there's no content-type... so we rely on the document extension if (page.split(".")[-1] not in self.allowed) and page[-1] != "/": return elif not "text" in headers["content-type"]: return for payload in self.payloads: payload = payload.replace("[FILE_NAME]", http_res.file_name) url = page.replace(http_res.file_name, payload) if self.verbose == 2: print(u"+ {0}".format(url)) if url not in self.attackedGET: self.attackedGET.append(url) try: evil_req = HTTP.HTTPResource(url) resp = self.HTTP.send(evil_req) data, code = resp.getPageCode() err = self.__returnErrorByCode(code) if err == "ok": self.logR(("Found backup file !")) self.logR(u" -> {0}".format(evil_req.url)) self.logVuln( category=Vulnerability.BACKUP, level=Vulnerability.HIGH_LEVEL, request=evil_req, info=("Backup file {0} found for {1}").format( url, page)) except socket.timeout: break
def __init__(self, root_url): self.target_url = root_url self.target_scope = "folder" server = urlparse.urlparse(root_url).netloc self.http_engine = HTTP.HTTP(server) self.myls = lswww.lswww(root_url, http_engine=self.http_engine) self.report_gen = None self.report_generator_type = "html" self.xml_rep_gen_parser = ReportGeneratorsXMLParser() self.xml_rep_gen_parser.parse(os.path.join(CONF_DIR, "config", "reports", "generators.xml")) self.output_file = "" self.urls = {} self.forms = [] self.attacks = [] self.color = 0 self.verbose = 0 self.options = None
def attack(self, get_resources, forms): """This method searches XSS which could be permanently stored in the web application""" for http_resource in get_resources: if http_resource.method != "GET": continue url = http_resource.url target_req = HTTP.HTTPResource(url) referer = http_resource.referer headers = {} if referer: headers["referer"] = referer if self.verbose >= 1: print(u"+ {0}".format(url)) try: resp = self.HTTP.send(target_req, headers=headers) data = resp.getPage() except requests.exceptions.Timeout, timeout: data = "" except socket.error, se: data = "" print(('error: {0} while attacking {1}').format(repr(str(se[1])), url))
def __init__(self, root, http_engine=None): self.h = http_engine if root.startswith("-"): print(_("First argument must be the root url !")) sys.exit(0) if not "://" in root: root = "http://" + root if self.__checklink(root): print(_("Invalid protocol: {0}").format(root.split("://")[0])) sys.exit(0) if root[-1] != "/" and not "/" in root.split("://")[1]: root += "/" self.out_of_scope_urls = [] self.browsed_links = [] self.proxies = {} self.excluded = [] self.browsed_forms = [] self.uploads = [] self.verbose = 0 self.auth_basic = [] self.bad_params = [] self.timeout = 6.0 self.global_headers = {} self.cookiejar = None self.scope = "folder" self.link_encoding = {} # 0 means no limits self.nice = 0 self.max_link_depth = 40 server = (root.split("://")[1]).split("/")[0] self.root = HTTP.HTTPResource(root) # Initial URL self.server = server # Domain (with potential :port) self.scope_url = root # Scope of the analysis self.tobrowse = [self.root] self.persister = CrawlerPersister()
flash_parser = swf_parser.swf_parser(data) swf_links = flash_parser.getLinks() except Exception, err_data: swf_links = err_data[1] elif "/x-javascript" in mime_type or "/x-js" in mime_type or "/javascript" in mime_type: js_links = lamejs.lamejs(data).getLinks() data = "" # Manage redirections if "location" in info: redir = self.correctlink(info["location"], current, current_full_url, currentdir, proto, None) if redir is not None: if self.__inzone(redir) == 0: self.link_encoding[redir] = self.link_encoding[url] redir = HTTP.HTTPResource(redir, link_depth=current_depth + 1) # Is the document not visited yet and not forbidden ? if (redir not in self.browsed_links and redir not in self.tobrowse and not self.isExcluded(redir)): self.tobrowse.append(redir) html_source = data bs = BeautifulSoup(html_source) # Look for a base tag with an href attribute if bs.head: for base in bs.head.findAll("base"): # BeautifulSoup doesn't work as excepted with the "in" statement, keep this: if "href" in base.attrs: # Found a base url, now set it as the current url current = base["href"].split("#")[0]
def attackPOST(self, form): """This method performs the file handling attack with method POST""" # copies get_params = form.get_params post_params = form.post_params file_params = form.file_params referer = form.referer err = "" for params_list in [get_params, post_params, file_params]: for i in xrange(len(params_list)): timeouted = False warn = 0 inc = 0 err500 = 0 saved_value = params_list[i][1] if saved_value is None: saved_value = "" param_name = self.HTTP.quote(params_list[i][0]) if params_list is file_params: params_list[i][1] = ["_FILE__", params_list[i][1][1]] else: params_list[i][1] = "__FILE__" attack_pattern = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params) if attack_pattern not in self.attackedPOST: self.attackedPOST.append(attack_pattern) for payload in self.payloads: payload = payload.replace('[FILE_NAME]', form.file_name) if params_list is file_params: payload = payload.replace('[VALUE]', saved_value[0]) payload = payload.replace( '[DIRVALUE]', saved_value[0].rsplit('/', 1)[0]) params_list[i][1][0] = payload else: payload = payload.replace('[VALUE]', saved_value) payload = payload.replace( '[DIRVALUE]', saved_value.rsplit('/', 1)[0]) params_list[i][1] = payload evil_req = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params, referer=referer) if self.verbose == 2: print(u"+ {0}".format(evil_req)) try: data, code = self.HTTP.send(evil_req).getPageCode() except requests.exceptions.Timeout: if timeouted: continue code = "408" self.logAnom(category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format( param_name)) self.logO(Anomaly.MSG_TIMEOUT, evil_req.path) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') timeouted = True else: err, inc, warn = self.__findPatternInResponse( data, warn) if err != "": info_msg = ( "{0} via injection in the parameter {1}") self.logVuln(category=Vulnerability.FILE_HANDLING, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info=info_msg.format(err, param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, err, evil_req.url, param_name) self.logR(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') if inc: break else: if code == "500" and err500 == 0: err500 = 1 self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format( param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') params_list[i][1] = saved_value
def attackGET(self, http_res): """This method performs the cross site scripting attack (XSS attack) with method GET""" # copies page = http_res.path params_list = http_res.get_params resp_headers = http_res.headers referer = http_res.referer headers = {} http_code = "" if referer: headers["referer"] = referer param_name = "PHP_SELF" # Some PHP scripts doesn't sanitize data coming from $_SERVER['PHP_SELF'] if page not in self.PHP_SELF: evil_req = None if page.endswith("/"): evil_req = HTTP.HTTPResource(page + self.php_self_payload) elif page.endswith(".php"): evil_req = HTTP.HTTPResource(page + "/" + self.php_self_payload) if evil_req is not None: if self.verbose == 2: print(u"+ {0}".format(evil_req.url)) try: data, http_code = self.HTTP.send( evil_req, headers=headers).getPageCode() except requests.exceptions.Timeout: data = "" self.logO(Anomaly.MSG_TIMEOUT, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.logAnom( category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format(param_name)) if self._validXSSContentType( evil_req) and self.php_self_check in data: self.logR(Vulnerability.MSG_PATH_INJECT, self.MSG_VULN, page) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) self.logVuln( category=Vulnerability.XSS, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info= ("XSS vulnerability found via injection in the resource path" )) elif http_code == "500": self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.PHP_SELF.append(page) timeouted = False returned500 = False # page is the url of the script # params_list is a list of [key, value] lists if not params_list: # Do not attack application-type files if not "content-type" in resp_headers: # Sometimes there's no content-type... so we rely on the document extension if (page.split(".")[-1] not in self.allowed) and page[-1] != "/": return elif not "text" in resp_headers["content-type"]: return url = page + "?__XSS__" if url not in self.attackedGET: self.attackedGET.append(url) code = self.random_string() test_req = HTTP.HTTPResource(page + "?" + code) self.GET_XSS[code] = (test_req, "QUERY_STRING") try: data, http_code = self.HTTP.send( test_req, headers=headers).getPageCode() except requests.exceptions.Timeout: data = "" if code in data: # Simple text injection worked, let's try with JS code payloads = self.generate_payloads(data, code) for payload in payloads: evil_req = HTTP.HTTPResource(page + "?" + self.HTTP.quote(payload)) if self.verbose == 2: print(u"+ {0}".format(evil_req)) try: dat, http_code = self.HTTP.send( evil_req, headers=headers).getPageCode() except requests.exceptions.Timeout: dat = "" if timeouted: continue self.logO(Anomaly.MSG_TIMEOUT, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.logAnom(category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format( param_name)) timeouted = True param_name = "QUERY_STRING" if self._validXSSContentType( evil_req) and dat is not None and len(dat) > 1: if payload.lower() in dat.lower(): self.SUCCESSFUL_XSS[code] = payload self.logVuln( category=Vulnerability.XSS, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info= ("XSS vulnerability found via injection in the query string" )) self.logR(Vulnerability.MSG_QS_INJECT, self.MSG_VULN, page) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) # No more payload injection break elif http_code == "500" and not returned500: self.logAnom( category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') returned500 = True # URL contains parameters else: for i in xrange(len(params_list)): saved_value = params_list[i][1] if saved_value is None: saved_value = "" param_name = self.HTTP.quote(params_list[i][0]) params_list[i][1] = "__XSS__" url = page + "?" + self.HTTP.encode(params_list) if url not in self.attackedGET: self.attackedGET.append(url) code = self.random_string() params_list[i][1] = code test_req = HTTP.HTTPResource(page + "?" + self.HTTP.encode(params_list)) self.GET_XSS[code] = (test_req, param_name) try: data, http_code = self.HTTP.send( test_req, headers=headers).getPageCode() except requests.exceptions.Timeout: data = "" # is the random code on the webpage ? if code in data: # YES! But where exactly ? payloads = self.generate_payloads(data, code) for payload in payloads: params_list[i][1] = payload evil_req = HTTP.HTTPResource( page + "?" + self.HTTP.encode(params_list)) if self.verbose == 2: print(u"+ {0}".format(evil_req)) try: dat, http_code = self.HTTP.send( evil_req, headers=headers).getPageCode() except requests.exceptions.Timeout: dat = "" if timeouted: continue self.logO(Anomaly.MSG_TIMEOUT, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.logAnom( category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format( param_name)) timeouted = True if self._validXSSContentType( evil_req ) and dat is not None and len(dat) > 1: if payload.lower() in dat.lower(): self.SUCCESSFUL_XSS[code] = payload self.logVuln( category=Vulnerability.XSS, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info= ("XSS vulnerability found via injection" " in the parameter {0}" ).format(param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, self.MSG_VULN, page, param_name) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) # stop trying payloads and jum to the next parameter break elif http_code == "500" and not returned500: self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format( param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') returned500 = True # Restore the value of this argument before testing the next one params_list[i][1] = saved_value
def attackGET(self, http_res): """This method performs the Blind SQL attack with method GET""" page = http_res.path params_list = http_res.get_params resp_headers = http_res.headers referer = http_res.referer headers = {} if referer: headers["referer"] = referer if not params_list: # Do not attack application-type files if not "content-type" in resp_headers: # Sometimes there's no content-type... so we rely on the document extension if (page.split(".")[-1] not in self.allowed) and page[-1] != "/": return elif not "text" in resp_headers["content-type"]: return pattern_url = page + "?__SQL__" if pattern_url in self.excludedGET: return if pattern_url not in self.attackedGET: self.attackedGET.append(pattern_url) err500 = 0 for payload in self.blind_sql_payloads: if "[VALUE]" in payload: continue payload = self.HTTP.quote(payload.replace("__TIME__", self.TIME_TO_SLEEP)) url = page + "?" + payload evil_req = HTTP.HTTPResource(url) if self.verbose == 2: print(u"+ {0}".format(evil_req.url)) try: resp = self.HTTP.send(evil_req, headers=headers) data, code = resp.getPageCode() except requests.exceptions.Timeout: self.logVuln(category=Vulnerability.BLIND_SQL_INJECTION, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter="QUERY_STRING", info=("{0} via injection in the query string").format(self.MSG_VULN)) self.logR(Vulnerability.MSG_QS_INJECT, self.MSG_VULN, page) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) break else: if code == "500" and err500 == 0: err500 = 1 self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter="QUERY_STRING", info=Anomaly.MSG_QS_500) self.logO(Anomaly.MSG_500, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) else: for i in range(len(params_list)): saved_value = params_list[i][1] if saved_value is None: saved_value = "" param_name = self.HTTP.quote(params_list[i][0]) params_list[i][1] = "__SQL__" pattern_url = page + "?" + self.HTTP.encode(params_list) # This field was successfully attacked with a non-blind SQL injection if pattern_url in self.excludedGET: params_list[i][1] = saved_value continue if pattern_url not in self.attackedGET: self.attackedGET.append(pattern_url) err500 = 0 for payload in self.blind_sql_payloads: payload = payload.replace("[VALUE]", saved_value) params_list[i][1] = self.HTTP.quote(payload.replace("__TIME__", self.TIME_TO_SLEEP)) url = page + "?" + self.HTTP.encode(params_list) evil_req = HTTP.HTTPResource(url) if self.verbose == 2: print(u"+ {0}".format(evil_req.url)) try: resp = self.HTTP.send(evil_req, headers=headers) data, code = resp.getPageCode() except requests.exceptions.Timeout: self.logVuln(category=Vulnerability.BLIND_SQL_INJECTION, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info=("{0} via injection in " "the parameter {1}").format(self.MSG_VULN, param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, self.MSG_VULN, page, param_name) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) # One payload worked. Now jum to next field break else: if code == "500" and err500 == 0: err500 = 1 self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) params_list[i][1] = saved_value
def attackPOST(self, form): """This method performs the Blind SQL attack with method POST""" # copies get_params = form.get_params post_params = form.post_params file_params = form.file_params referer = form.referer for params_list in [get_params, post_params, file_params]: for i in xrange(len(params_list)): saved_value = params_list[i][1] if saved_value is None: saved_value = "" param_name = self.HTTP.quote(params_list[i][0]) if params_list is file_params: params_list[i][1] = ["_SQL__", params_list[i][1][1]] else: params_list[i][1] = "__SQL__" attack_pattern = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params) if attack_pattern in self.excludedPOST: params_list[i][1] = saved_value continue err500 = 0 if attack_pattern not in self.attackedPOST: self.attackedPOST.append(attack_pattern) for payload in self.blind_sql_payloads: if params_list is file_params: payload = payload.replace("[VALUE]", saved_value[0]) params_list[i][1][0] = payload.replace("__TIME__", self.TIME_TO_SLEEP) else: payload = payload.replace("[VALUE]", saved_value) params_list[i][1] = payload.replace("__TIME__", self.TIME_TO_SLEEP) evil_req = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params, referer=referer) if self.verbose == 2: print(u"+ {0}".format(evil_req)) try: resp = self.HTTP.send(evil_req) data, code = resp.getPageCode() except requests.exceptions.Timeout: # Timeout means time-based SQL injection self.logVuln(category=Vulnerability.BLIND_SQL_INJECTION, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info=("{0} via injection in the " "parameter {1}").format(self.MSG_VULN, param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, self.MSG_VULN, evil_req.url, param_name) self.logR(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') break else: if code == "500" and err500 == 0: err500 = 1 self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') params_list[i][1] = saved_value
def attackGET(self, http_res): """This method performs the SQL Injection attack with method GET""" page = http_res.path params_list = http_res.get_params resp_headers = http_res.headers referer = http_res.referer headers = {} if referer: headers["referer"] = referer # about this payload : http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string payload = "\xBF'\"(" if not params_list: # Do not attack application-type files if not "content-type" in resp_headers: # Sometimes there's no content-type... so we rely on the document extension if (page.split(".")[-1] not in self.allowed) and page[-1] != "/": return elif not "text" in resp_headers["content-type"]: return payload = self.HTTP.quote(payload) url = page + "?" + payload if url not in self.attackedGET: self.attackedGET.append(url) evil_req = HTTP.HTTPResource(url) if self.verbose == 2: print(u"+ {0}".format(url)) try: resp = self.HTTP.send(evil_req, headers=headers) data, code = resp.getPageCode() except requests.exceptions.Timeout: # No timeout report here... launch blind sql detection later code = "408" err = "" else: err = self.__findPatternInResponse(data) if err != "": self.logVuln(category=Vulnerability.SQL_INJECTION, level=Vulnerability.HIGH_LEVEL, request=evil_req, info=_("{0} via injection in the query string").format(err)) self.logR(Vulnerability.MSG_QS_INJECT, err, page) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) self.vulnerableGET.append(page + "?" + "__SQL__") else: if code == "500": self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, info=Anomaly.MSG_QS_500) self.logO(Anomaly.MSG_500, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) else: for i in range(len(params_list)): param_name = self.HTTP.quote(params_list[i][0]) saved_value = params_list[i][1] if saved_value is None: saved_value = "" params_list[i][1] = "__SQL__" pattern_url = page + "?" + self.HTTP.encode(params_list) if pattern_url not in self.attackedGET: self.attackedGET.append(pattern_url) params_list[i][1] = self.HTTP.quote(payload) url = page + "?" + self.HTTP.encode(params_list) evil_req = HTTP.HTTPResource(url) if self.verbose == 2: print(u"+ {0}".format(evil_req.url)) try: resp = self.HTTP.send(evil_req, headers=headers) data, code = resp.getPageCode() except requests.exceptions.Timeout: # No timeout report here... launch blind sql detection later code = "408" err = "" else: err = self.__findPatternInResponse(data) if err != "": self.logVuln(category=Vulnerability.SQL_INJECTION, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info=_("{0} via injection in the parameter {1}").format(err, param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, err, page, param_name) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) self.vulnerableGET.append(pattern_url) elif code == "500": self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) params_list[i][1] = saved_value
def attackPOST(self, form): """This method performs the SQL Injection attack with method POST""" payload = "\xbf'\"(" filename_payload = "'\"(" err = "" # copies get_params = form.get_params post_params = form.post_params file_params = form.file_params referer = form.referer for params_list in [get_params, post_params, file_params]: for i in xrange(len(params_list)): saved_value = params_list[i][1] if saved_value is None: saved_value = "" if params_list is file_params: params_list[i][1] = ["_SQL__", params_list[i][1][1]] else: params_list[i][1] = "__SQL__" param_name = self.HTTP.quote(params_list[i][0]) attack_pattern = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params) if attack_pattern not in self.attackedPOST: self.attackedPOST.append(attack_pattern) if params_list is file_params: params_list[i][1][0] = filename_payload else: params_list[i][1] = payload evil_req = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params, referer=referer) if self.verbose == 2: print(u"+ {0}".format(evil_req)) try: resp = self.HTTP.send(evil_req) data, code = resp.getPageCode() except requests.exceptions.Timeout, timeout: # No timeout report here... launch blind sql detection later code = "408" else: err = self.__findPatternInResponse(data) if err != "": self.logVuln(category=Vulnerability.SQL_INJECTION, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info=_("{0} via injection in the parameter {1}").format(err, param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, err, evil_req.url, param_name) self.logR(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.vulnerablePOST.append(attack_pattern) else: if code == "500": self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') params_list[i][1] = saved_value
def attackPOST(self, form): """This method performs the command execution with method POST""" # copies get_params = form.get_params post_params = form.post_params file_params = form.file_params referer = form.referer for params_list in [get_params, post_params, file_params]: for i in xrange(len(params_list)): saved_value = params_list[i][1] if saved_value is None: saved_value = "" timeouted = False warned = 0 cmd = 0 err500 = 0 param_name = self.HTTP.quote(params_list[i][0]) if params_list is file_params: params_list[i][1] = ["_EXEC__", params_list[i][1][1]] else: params_list[i][1] = "__EXEC__" attack_pattern = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params) if attack_pattern not in self.attackedPOST: self.attackedPOST.append(attack_pattern) for payload in self.payloads: # no quoting: send() will do it for us if params_list is file_params: payload = payload.replace("[VALUE]", saved_value[0]) params_list[i][1][0] = payload else: payload = payload.replace("[VALUE]", saved_value) params_list[i][1] = payload evil_req = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params, referer=referer) if self.verbose == 2: print(u"+ {0}".format(evil_req)) err = "" try: data, code = self.HTTP.send(evil_req).getPageCode() except requests.exceptions.Timeout: if timeouted: continue code = "408" self.logO(Anomaly.MSG_TIMEOUT, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.logAnom(category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format(param_name)) timeouted = True else: err, cmd, warned = self.__findPatternInResponse(data, warned) if err != "": self.logVuln(category=Vulnerability.EXEC, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info=("{0} via injection in the parameter {1}").format(err, param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, err, evil_req.url, param_name) self.logR(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') if cmd: # Successful command execution, go to the next field break else: if code == "500" and err500 == 0: err500 = 1 self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') params_list[i][1] = saved_value
def attackGET(self, http_res): """This method performs the command execution with method GET""" page = http_res.path params_list = http_res.get_params resp_headers = http_res.headers referer = http_res.referer headers = {} if referer: headers["referer"] = referer if not params_list: # Do not attack application-type files if not "content-type" in resp_headers: # Sometimes there's no content-type... so we rely on the document extension if (page.split(".")[-1] not in self.allowed) and page[-1] != "/": return elif not "text" in resp_headers["content-type"]: return timeouted = False warned = 0 cmd = 0 err500 = 0 for payload in self.payloads: if "[VALUE]" in payload: continue url = page + "?" + self.HTTP.quote(payload) if url not in self.attackedGET: evil_req = HTTP.HTTPResource(url) if self.verbose == 2: print(u"+ {0}".format(url)) self.attackedGET.append(url) try: data, code = self.HTTP.send(evil_req, headers=headers).getPageCode() except requests.exceptions.Timeout: if timeouted: continue code = "408" err = "" self.logO(Anomaly.MSG_TIMEOUT, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) self.logAnom(category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, info=Anomaly.MSG_QS_TIMEOUT) timeouted = True else: err, cmd, warned = self.__findPatternInResponse(data, warned) if err != "": self.logVuln(category=Vulnerability.EXEC, level=Vulnerability.HIGH_LEVEL, request=evil_req, info=Vulnerability.MSG_QS_INJECT.format(err, page)) self.logR(Vulnerability.MSG_QS_INJECT, err, page) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) else: if code == "500" and err500 == 0: err500 = 1 self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, info=Anomaly.MSG_QS_500) self.logO(Anomaly.MSG_500, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) if cmd: break for i in range(len(params_list)): timeouted = False warned = 0 cmd = 0 err500 = 0 saved_value = params_list[i][1] if saved_value is None: saved_value = "" params_list[i][1] = "__EXEC__" url = page + "?" + self.HTTP.encode(params_list) param_name = self.HTTP.quote(params_list[i][0]) if url not in self.attackedGET: self.attackedGET.append(url) for payload in self.payloads: payload = payload.replace("[VALUE]", saved_value) params_list[i][1] = self.HTTP.quote(payload) evil_req = HTTP.HTTPResource(page + "?" + self.HTTP.encode(params_list)) if self.verbose == 2: print(u"+ {0}".format(evil_req.url)) try: data, code = self.HTTP.send(evil_req, headers=headers).getPageCode() except requests.exceptions.Timeout: if timeouted: continue code = "408" err = "" self.logO(Anomaly.MSG_TIMEOUT, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) self.logAnom(category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format(param_name)) timeouted = True else: err, cmd, warned = self.__findPatternInResponse(data, warned) if err != "": self.logVuln(category=Vulnerability.EXEC, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info=("{0} via injection in the parameter {1}").format(err, param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, err, page, param_name) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) if cmd: # Successful command execution, go to the next field break else: if code == "500" and err500 == 0: err500 = 1 self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, page) self.logO(Anomaly.MSG_EVIL_URL, evil_req.url) params_list[i][1] = saved_value
print(('error: {0} while attacking {1}').format(repr(str(e[0])), url)) continue # Search for permanent XSS vulns which were injected via GET if self.doGET == 1: for code in self.GET_XSS: if code in data: # code found in the webpage ! code_url = self.GET_XSS[code][0].url page = self.GET_XSS[code][0].path param_name = self.GET_XSS[code][1] if code in self.SUCCESSFUL_XSS: # is this an already known vuln (reflected XSS) if self.validXSS(data, code, self.SUCCESSFUL_XSS[code]): # if we can find the payload again, this is a stored XSS evil_req = HTTP.HTTPResource(code_url.replace(code, self.SUCCESSFUL_XSS[code])) if param_name == "QUERY_STRING": self.logR(Vulnerability.MSG_QS_INJECT, self.MSG_VULN, page) else: self.logR(Vulnerability.MSG_PARAM_INJECT, self.MSG_VULN, page, param_name) self.logR(Vulnerability.MSG_EVIL_URL, code_url) self.logVuln(category=Vulnerability.XSS, level=Vulnerability.HIGH_LEVEL, request=evil_req, info=("Found permanent XSS in {0}" " with {1}").format(page, self.HTTP.escape(evil_req.url))) # we reported the vuln, now search another code continue
def attack(self, urls, forms): junk_string = "w" + "".join([random.choice("0123456789abcdefghjijklmnopqrstuvwxyz") for __ in xrange(0, 5000)]) for l in self.nikto_db: match = match_or = match_and = False fail = fail_or = False osv_id = l[1] path = l[3] method = l[4] vuln_desc = l[10] post_data = l[11] path = path.replace("@CGIDIRS", "/cgi-bin/") path = path.replace("@ADMIN", "/admin/") path = path.replace("@NUKE", "/modules/") path = path.replace("@PHPMYADMIN", "/phpMyAdmin/") path = path.replace("@POSTNUKE", "/postnuke/") path = re.sub("JUNK\((\d+)\)", lambda x: junk_string[:int(x.group(1))], path) if path[0] == "@": continue if path[0] != "/": path = "/" + path try: url = "http://" + self.HTTP.server + path except UnicodeDecodeError: continue if method == "GET": evil_req = HTTP.HTTPResource(url) elif method == "POST": evil_req = HTTP.HTTPResource(url, post_params=post_data, method=method) else: evil_req = HTTP.HTTPResource(url, post_params=post_data, method=method) if self.verbose == 2: try: if method == "GET": print(u"+ {0}".format(evil_req.url)) else: print(u"+ {0}".format(evil_req.http_repr)) except Exception: continue try: resp = self.HTTP.send(evil_req) except Exception, e: # requests bug print(e) continue page, code = resp.getPageCode() encoding = BeautifulSoup(page).originalEncoding if encoding: page = unicode(page, encoding, errors='ignore') raw = " ".join([x + ": " + y for x, y in resp.getHeaders().items()]) raw += page # First condition (match) if len(l[5]) == 3 and l[5].isdigit(): if code == int(l[5]): match = True else: if l[5] in raw: match = True # Second condition (or) if l[6] != "": if len(l[6]) == 3 and l[6].isdigit(): if code == int(l[6]): match_or = True else: if l[6] in raw: match_or = True # Third condition (and) if l[7] != "": if len(l[7]) == 3 and l[7].isdigit(): if code == int(l[7]): match_and = True else: if l[7] in raw: match_and = True else: match_and = True # Fourth condition (fail) if l[8] != "": if len(l[8]) == 3 and l[8].isdigit(): if code == int(l[8]): fail = True else: if l[8] in raw: fail = True # Fifth condition (or) if l[9] != "": if len(l[9]) == 3 and l[9].isdigit(): if code == int(l[9]): fail_or = True else: if l[9] in raw: fail_or = True if ((match or match_or) and match_and) and not (fail or fail_or): print(url) print(vuln_desc) refs = [] if osv_id != "0": refs.append("http://osvdb.org/show/osvdb/" + osv_id) # CERT m = re.search("(CA\-[0-9]{4}-[0-9]{2})", vuln_desc) if m is not None: refs.append("http://www.cert.org/advisories/" + m.group(0) + ".html") # SecurityFocus m = re.search("BID\-([0-9]{4})", vuln_desc) if m is not None: refs.append("http://www.securityfocus.com/bid/" + m.group(1)) # Mitre.org m = re.search("((CVE|CAN)\-[0-9]{4}-[0-9]{4,})", vuln_desc) if m is not None: refs.append("http://cve.mitre.org/cgi-bin/cvename.cgi?name=" + m.group(0)) # CERT Incidents m = re.search("(IN\-[0-9]{4}\-[0-9]{2})", vuln_desc) if m is not None: refs.append("http://www.cert.org/incident_notes/" + m.group(0) + ".html") # Microsoft Technet m = re.search("(MS[0-9]{2}\-[0-9]{3})", vuln_desc) if m is not None: refs.append("http://www.microsoft.com/technet/security/bulletin/" + m.group(0) + ".asp") info = vuln_desc if refs: print(_("References:")) print(u" {0}".format(u"\n ".join(refs))) info += "\n" + _("References:") + "\n" info += "\n".join(['<a href="' + x + '">' + x + '</a>' for x in refs]) print('') self.logVuln(category=Vulnerability.NIKTO, level=Vulnerability.HIGH_LEVEL, request=evil_req, info=info)
def attackPOST(self, form): """This method performs the cross site scripting attack (XSS attack) with method POST""" page = form.url referer = form.referer headers = {} if referer: headers["referer"] = referer param_name = "PHP_SELF" if page not in self.PHP_SELF: evil_req = None if page.endswith("/"): evil_req = HTTP.HTTPResource(page + self.php_self_payload) elif page.endswith(".php"): evil_req = HTTP.HTTPResource(page + "/" + self.php_self_payload) if evil_req: if self.verbose == 2: print(u"+ {0}".format(evil_req.url)) try: data, http_code = self.HTTP.send( evil_req, headers=headers).getPageCode() except requests.exceptions.Timeout: data = "" self.logO(Anomaly.MSG_TIMEOUT, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.logAnom( category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format(param_name)) if self._validXSSContentType( evil_req) and self.php_self_check in data: self.logR(Vulnerability.MSG_PATH_INJECT, self.MSG_VULN, page) self.logR(Vulnerability.MSG_EVIL_URL, evil_req.url) self.logVuln( category=Vulnerability.XSS, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info= ("XSS vulnerability found via injection in the resource path" )) elif http_code == "500": self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format(param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.PHP_SELF.append(page) timeouted = False returned500 = False # copies get_params = form.get_params post_params = form.post_params file_params = form.file_params for params_list in [get_params, post_params, file_params]: for i in xrange(len(params_list)): param_name = self.HTTP.quote(params_list[i][0]) saved_value = params_list[i][1] if saved_value is None: saved_value = "" if params_list is file_params: params_list[i][1] = ["_XSS__", params_list[i][1][1]] else: params_list[i][1] = "__XSS__" # We keep an attack pattern to be sure a given form won't be attacked on the same field several times attack_pattern = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params) if not attack_pattern in self.attackedPOST: self.attackedPOST.append(attack_pattern) code = self.random_string() if params_list is file_params: params_list[i][1][0] = code else: params_list[i][1] = code # will only memorize the last used payload (working or not) but the code will always be the good test_payload = HTTP.HTTPResource(form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params, referer=referer) self.POST_XSS[code] = (test_payload, param_name) try: data, http_code = self.HTTP.send( test_payload).getPageCode() except requests.exceptions.Timeout: data = "" # rapid search on the code to check injection if code in data: # found, now study where the payload is injected and how to exploit it payloads = self.generate_payloads(data, code) for payload in payloads: if params_list is file_params: params_list[i][1][0] = payload else: params_list[i][1] = payload evil_req = HTTP.HTTPResource( form.path, method=form.method, get_params=get_params, post_params=post_params, file_params=file_params, referer=referer) if self.verbose == 2: print(u"+ {0}".format(evil_req)) try: dat, http_code = self.HTTP.send( evil_req).getPageCode() except requests.exceptions.Timeout: dat = "" if timeouted: continue self.logO(Anomaly.MSG_TIMEOUT, evil_req.url) self.logO(Anomaly.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') self.logAnom( category=Anomaly.RES_CONSUMPTION, level=Anomaly.MEDIUM_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_TIMEOUT.format( param_name)) timeouted = True if self._validXSSContentType( evil_req ) and dat is not None and len(dat) > 1: if payload.lower() in dat.lower(): self.SUCCESSFUL_XSS[code] = payload self.logVuln( category=Vulnerability.XSS, level=Vulnerability.HIGH_LEVEL, request=evil_req, parameter=param_name, info= ("XSS vulnerability found via injection" " in the parameter {0}" ).format(param_name)) self.logR(Vulnerability.MSG_PARAM_INJECT, self.MSG_VULN, evil_req.url, param_name) self.logR(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') # Stop injecting payloads and move to the next parameter break elif http_code == "500" and not returned500: self.logAnom(category=Anomaly.ERROR_500, level=Anomaly.HIGH_LEVEL, request=evil_req, parameter=param_name, info=Anomaly.MSG_PARAM_500.format( param_name)) self.logO(Anomaly.MSG_500, evil_req.url) self.logO(Vulnerability.MSG_EVIL_REQUEST) self.logC(evil_req.http_repr) print('') returned500 = True # restore the saved parameter in the list params_list[i][1] = saved_value