Example #1
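def checkResult(baseSize, respSize, index, uriArray):
    """Classify an injected request by comparing its response size to a reference.

    The verdict is a size heuristic only: a difference of 100 bytes or more
    is reported as a working injection, a smaller non-zero difference (or an
    empty response) as a possible one, and no difference as a failure.
    Pages with dynamic content can change size on their own, so every
    reported finding still needs manual confirmation.

    Args:
        baseSize: Length of the reference response body.
        respSize: Length of the response to the injected request.
        index: Position in uriArray of the URI that was requested.
        uriArray: The URIs that were tested.

    For GET scans the URI is appended to GlobalVar's vulnerable or
    possibly-vulnerable list.  Other HTTP methods are reported on screen but
    not recorded.
    """
    delta = abs(respSize - baseSize)
    verbose = GlobalVar.get_verb() == "ON"

    if delta == 0:
        if verbose:
            print("Random string response size and not equals injection were the same. Injection did not work.")
        else:
            print("Injection failed.")
        return

    if respSize == 0:
        # An empty body that differs from the reference: inconclusive.
        if verbose:
            print("Injected response was smaller than random response.  Injection may have worked but requires verification.")
        else:
            print("Possible injection.")
        # Fix: the original wrote get_possAddrs.append(...), i.e. it never
        # called the getter, which raises AttributeError on this path.
        getFindings = GlobalVar.get_possAddrs
    elif delta >= 100:
        if verbose:
            print("Response varied " + str(delta) +
                  " bytes from random parameter value! Injection works!")
        else:
            print("Successful injection!")
        getFindings = GlobalVar.get_vulnAddrs
    else:
        # 0 < delta < 100 with a non-empty body.
        if verbose:
            print("Response variance was only " + str(delta) +
                  " bytes. Injection might have worked but difference is too small to be certain. ")
        else:
            print("Possible injection.")
        getFindings = GlobalVar.get_possAddrs

    if GlobalVar.get_httpMethod() == "GET":
        getFindings().append(uriArray[index])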
Example #2
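def checkResult(baseSize, respSize, index, uriArray):
    """Report whether an injected request changed the response size.

    Compares respSize (the injected response length) with baseSize (the
    reference length) and prints a verdict; the wording depends on the
    verbose setting in GlobalVar.  This is a heuristic: response sizes can
    differ for reasons unrelated to the injected value, so treat both the
    "vulnerable" and "possibly vulnerable" lists as leads to verify.

    When the scan uses GET, uriArray[index] is appended to the matching
    GlobalVar result list.  Nothing is recorded for other HTTP methods.
    """
    delta = abs(respSize - baseSize)
    verbose = GlobalVar.get_verb() == "ON"
    recordUri = GlobalVar.get_httpMethod() == "GET"

    if (delta >= 100) and (respSize != 0):
        if verbose:
            print("Response varied " + str(delta) + " bytes from random parameter value! Injection works!")
        else:
            print("Successful injection!")
        if recordUri:
            GlobalVar.get_vulnAddrs().append(uriArray[index])

    elif (0 < delta < 100) and (respSize != 0):
        if verbose:
            print("Response variance was only " + str(delta) + " bytes. Injection might have worked but difference is too small to be certain. ")
        else:
            print("Possible injection.")
        if recordUri:
            GlobalVar.get_possAddrs().append(uriArray[index])

    elif delta == 0:
        if verbose:
            print("Random string response size and not equals injection were the same. Injection did not work.")
        else:
            print("Injection failed.")

    else:
        # Only reachable when the injected response is empty and the
        # reference is not.
        if verbose:
            print("Injected response was smaller than random response.  Injection may have worked but requires verification.")
        else:
            print("Possible injection.")
        if recordUri:
            # Fix: call the getter.  The original used
            # GlobalVar.get_possAddrs.append(...), which raises
            # AttributeError because a method object has no append().
            GlobalVar.get_possAddrs().append(uriArray[index])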
Example #3
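def getApps():
    """Check that the configured web app answers and take baseline measurements.

    The URL is assembled from the GlobalVar settings: scheme from the HTTPS
    toggle, then host, port and path.  On HTTP 200 the body length
    (normLength) and the time spent reading the body (timeBase) are
    measured.  Any exception raised while connecting or reading is printed
    and reported as the server not responding.

    appUp, normLength, timeBase and page are assigned but not read within
    this listing.
    """
    print("Web App Attacks (GET)")
    print("=====================")

    # Verify the app is reachable before any test traffic is sent.
    target = str(GlobalVar.get_victim()) + ":" + str(
        GlobalVar.get_webPort()) + str(GlobalVar.get_url())
    # Fix: the original message ran "at" straight into the host name.
    print("checking to see if site at " + target + " is up...")

    appUp = False  # becomes True once the app has answered with HTTP 200
    scheme = "http://" if GlobalVar.get_https() == "OFF" else "https://"
    appURL = scheme + target
    requestHeaders = {}
    try:
        req = urllib2.Request(appURL, None, requestHeaders)
        # Fix: the original opened the URL three times (status, length,
        # timing) and closed only the last handle.  One request now serves
        # all three, so length and timing describe the same response.
        # NOTE: no timeout is passed, so an unresponsive host blocks for as
        # long as the process-wide socket default allows.
        resp = urllib2.urlopen(req)
        try:
            appRespCode = resp.getcode()
            if appRespCode == 200:
                start = time.time()
                page = resp.read()
                end = time.time()
        finally:
            resp.close()

        if appRespCode == 200:
            normLength = len(page)
            timeBase = round((end - start), 3)

            if GlobalVar.get_verb() == "ON":
                print("App is up! Got response length of " + str(normLength) +
                      " and response time of " + str(timeBase) +
                      " seconds.  Starting injection test.\n")
            else:
                print("App is up!")
            appUp = True
        else:
            # Fix: added the missing space before "from".
            print("Got " + str(appRespCode) +
                  " from the app, check your options.")
    except Exception as e:
        print(e)
        print("Looks like the server didn't respond.  Check your options.")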
Example #4
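def getApps():
    """Probe the configured application once and record its baseline response.

    Builds http:// or https:// plus host, port and path from GlobalVar,
    sends one request, and for an HTTP 200 answer measures the body length
    and how long the body took to read.  Errors from urllib2 (or anything
    else raised in the probe) are printed, followed by a hint to check the
    options.

    The locals appUp, normLength, timeBase and page are set here but not
    used within this listing.
    """
    print("Web App Attacks (GET)")
    print("=====================")

    hostPortPath = str(GlobalVar.get_victim()) + ":" + str(GlobalVar.get_webPort()) + str(GlobalVar.get_url())
    # Fix: a space was missing between "at" and the host.
    print("checking to see if site at " + hostPortPath + " is up...")

    appUp = False  # flag: the app answered with HTTP 200
    if GlobalVar.get_https() == "OFF":
        appURL = "http://" + hostPortPath
    else:
        appURL = "https://" + hostPortPath
    requestHeaders = {}

    try:
        req = urllib2.Request(appURL, None, requestHeaders)
        # Fix: a single request replaces the original three, two of which
        # were never closed.  The status code, length and read time now all
        # come from the same response.
        # NOTE: urlopen() is called without a timeout; a silent host can
        # stall the scan unless a default socket timeout is set elsewhere.
        resp = urllib2.urlopen(req)
        try:
            appRespCode = resp.getcode()
            if appRespCode == 200:
                start = time.time()
                page = resp.read()
                end = time.time()
        finally:
            resp.close()

        if appRespCode != 200:
            # Fix: the status code used to run into the word "from".
            print("Got " + str(appRespCode) + " from the app, check your options.")
        else:
            normLength = len(page)
            timeBase = round((end - start), 3)
            if GlobalVar.get_verb() == "ON":
                print("App is up! Got response length of " + str(normLength) + " and response time of " + str(timeBase) + " seconds.  Starting injection test.\n")
            else:
                print("App is up!")
            appUp = True
    except Exception as e:
        print(e)
        print("Looks like the server didn't respond.  Check your options.")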
Example #5
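def option():
    """Interactive menu for viewing and changing the scan settings in GlobalVar.

    On entry, every setting whose optionSet flag is still false is given its
    default.  The menu then repeats until the user enters 'x'.

    This listing handles choices 1 (target host), 3 (app path), 7 (local
    listener IP), 9 (verbose toggle) and x.  Choices 2, 4, 5, 6 and 8 are
    displayed but have no handler here, so selecting one only redraws the
    menu.
    """
    # Defaults.  Only the web port, local IP and HTTPS toggle mark
    # themselves as set; the others stay flagged unset until the user
    # supplies a value.
    if not GlobalVar.get_optionSet(0):
        GlobalVar.set_victim("Not Set")
    if not GlobalVar.get_optionSet(1):
        GlobalVar.set_webPort(80)
        GlobalVar.set_optionSet(1, True)
    if not GlobalVar.get_optionSet(2):
        GlobalVar.set_url("Not Set")
    if not GlobalVar.get_optionSet(3):
        GlobalVar.set_httpMethod("GET")
    if not GlobalVar.get_optionSet(4):
        GlobalVar.set_myIP("127.0.0.1")
        GlobalVar.set_optionSet(4, True)
    if not GlobalVar.get_optionSet(5):
        GlobalVar.set_myPort("Not Set")
    if not GlobalVar.get_optionSet(6):
        GlobalVar.set_verb("OFF")
    if not GlobalVar.get_optionSet(8):
        GlobalVar.set_https("OFF")
        GlobalVar.set_optionSet(8, True)

    while True:
        print("\n\n")
        print("Options")
        print("1-Set target host/IP (Current: " + str(GlobalVar.get_victim()) + ")")
        print("2-Set web app port (Current: " + str(GlobalVar.get_webPort()) + ")")
        print("3-Set App Path (Current: " + str(GlobalVar.get_url()) + ")")
        print("4-Toggle HTTPS (Current: " + str(GlobalVar.get_https()) + ")")
        print("5-Set " + GlobalVar.get_platform() + " Port (Current : " + str(GlobalVar.get_dbPort()) + ")")
        print("6-Set HTTP Request Method (GET/POST) (Current: " + GlobalVar.get_httpMethod() + ")")
        print("7-Set my local " + GlobalVar.get_platform() + "/Shell IP (Current: " + str(GlobalVar.get_myIP()) + ")")
        print("8-Set shell listener port (Current: " + str(GlobalVar.get_myPort()) + ")")
        print("9-Toggle Verbose Mode: (Current: " + str(GlobalVar.get_verb()) + ")")
        print("x-Back to main menu")
        select = raw_input("Set an option:")

        if select == '1':
            # Entering a new target invalidates the old one until a value
            # has been accepted.
            GlobalVar.set_optionSet(0, False)
            while not GlobalVar.get_optionSet(0):
                victim = raw_input("Enter host or IP/DNS name:")
                if not victim:
                    # Fix: an empty answer used to be stored as the target.
                    print("Target cannot be empty.")
                    continue
                octets = victim.split(".")
                # Four dot-separated integers are treated as an IPv4
                # address; anything else is accepted as a DNS name.
                looksNumeric = len(octets) == 4
                goodDigits = True
                if looksNumeric:
                    for item in octets:
                        try:
                            value = int(item)
                        except ValueError:  # was a bare except
                            looksNumeric = False
                            continue
                        if value < 0 or value > 255:
                            print("Bad octets in IP address.")
                            goodDigits = False
                if goodDigits or not looksNumeric:
                    print("\nTarget set to:" + victim + "\n")
                    GlobalVar.set_victim(victim)
                    GlobalVar.set_optionSet(0, True)

        elif select == '3':
            url = raw_input("Enter URL path(Press enter for no URL):")
            # Fix: the confirmation used to report the HTTP port instead of
            # the path that was just entered.
            print("\nApp path set to " + url + "\n")
            GlobalVar.set_optionSet(2, True)
            GlobalVar.set_url(url)

        elif select == '7':
            GlobalVar.set_optionSet(4, False)
            while not GlobalVar.get_optionSet(4):
                myIP = raw_input("Enter host IP for my " + GlobalVar.get_platform() + "/Shells:")
                octets = myIP.split(".")
                if len(octets) != 4:
                    print("Invalid IP length.")
                    continue
                goodDigits = True
                for item in octets:
                    # int() tolerates surrounding whitespace and a sign, so
                    # this is a loose format check, not strict validation.
                    try:
                        value = int(item)
                    except ValueError:  # was a bare except
                        goodDigits = False
                        continue
                    if value < 0 or value > 255:
                        print("Bad octets in IP address.")
                        goodDigits = False
                if goodDigits:
                    print("\nShell/DB listener set to " + myIP + "\n")
                    GlobalVar.set_myIP(myIP)
                    GlobalVar.set_optionSet(4, True)

        elif select == "9":
            if GlobalVar.get_verb() == "OFF":
                print("Verbose output enabled.")
                GlobalVar.set_verb("ON")
                GlobalVar.set_optionSet(6, True)
            elif GlobalVar.get_verb() == "ON":
                print("Verbose output disabled.")
                GlobalVar.set_verb("OFF")
                GlobalVar.set_optionSet(6, True)

        elif select == 'x':
            return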
Example #6
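def option():
    """Show the options menu and apply the user's changes to GlobalVar.

    Settings that have not been marked as set receive defaults first
    (port 80, GET, 127.0.0.1, verbose OFF, HTTPS OFF, and "Not Set"
    placeholders for the rest).  The menu loops until 'x' is entered.

    Only choices 1, 3, 7, 9 and x are handled in this listing.  The menu
    also lists 2, 4, 5, 6 and 8, which fall through and redraw the menu.
    """
    # Apply defaults for anything not yet configured.
    if not GlobalVar.get_optionSet(0):
        GlobalVar.set_victim("Not Set")
    if not GlobalVar.get_optionSet(1):
        GlobalVar.set_webPort(80)
        GlobalVar.set_optionSet(1, True)
    if not GlobalVar.get_optionSet(2):
        GlobalVar.set_url("Not Set")
    if not GlobalVar.get_optionSet(3):
        GlobalVar.set_httpMethod("GET")
    if not GlobalVar.get_optionSet(4):
        GlobalVar.set_myIP("127.0.0.1")
        GlobalVar.set_optionSet(4, True)
    if not GlobalVar.get_optionSet(5):
        GlobalVar.set_myPort("Not Set")
    if not GlobalVar.get_optionSet(6):
        GlobalVar.set_verb("OFF")
    if not GlobalVar.get_optionSet(8):
        GlobalVar.set_https("OFF")
        GlobalVar.set_optionSet(8, True)

    while True:
        print("\n\n")
        print("Options")
        print("1-Set target host/IP (Current: " +
              str(GlobalVar.get_victim()) + ")")
        print("2-Set web app port (Current: " +
              str(GlobalVar.get_webPort()) + ")")
        print("3-Set App Path (Current: " + str(GlobalVar.get_url()) + ")")
        print("4-Toggle HTTPS (Current: " +
              str(GlobalVar.get_https()) + ")")
        print("5-Set " + GlobalVar.get_platform() + " Port (Current : " +
              str(GlobalVar.get_dbPort()) + ")")
        print("6-Set HTTP Request Method (GET/POST) (Current: " +
              GlobalVar.get_httpMethod() + ")")
        print("7-Set my local " + GlobalVar.get_platform() +
              "/Shell IP (Current: " + str(GlobalVar.get_myIP()) + ")")
        print("8-Set shell listener port (Current: " +
              str(GlobalVar.get_myPort()) + ")")
        print("9-Toggle Verbose Mode: (Current: " +
              str(GlobalVar.get_verb()) + ")")
        print("x-Back to main menu")
        select = raw_input("Set an option:")

        if select == '1':
            # Clear the flag so the loop below runs until a target is
            # accepted.
            GlobalVar.set_optionSet(0, False)
            while not GlobalVar.get_optionSet(0):
                victim = raw_input("Enter host or IP/DNS name:")
                if not victim:
                    # Fix: reject an empty answer instead of storing it.
                    print("Target cannot be empty.")
                    continue
                octets = victim.split(".")
                # notDNS stays True only for four all-integer parts; any
                # other shape is taken to be a DNS name and accepted as is.
                notDNS = len(octets) == 4
                goodDigits = True
                if notDNS:
                    for item in octets:
                        try:
                            number = int(item)
                        except ValueError:  # narrowed from a bare except
                            notDNS = False
                        else:
                            if number < 0 or number > 255:
                                print("Bad octets in IP address.")
                                goodDigits = False
                if goodDigits or not notDNS:
                    print("\nTarget set to:" + victim + "\n")
                    GlobalVar.set_victim(victim)
                    GlobalVar.set_optionSet(0, True)

        elif select == '3':
            url = raw_input("Enter URL path(Press enter for no URL):")
            # Fix: this confirmation previously printed the HTTP port, a
            # leftover from another option, rather than the new path.
            print("\nApp path set to " + url + "\n")
            GlobalVar.set_optionSet(2, True)
            GlobalVar.set_url(url)

        elif select == '7':
            GlobalVar.set_optionSet(4, False)
            while not GlobalVar.get_optionSet(4):
                goodLen = False
                goodDigits = True
                myIP = raw_input("Enter host IP for my " +
                                 GlobalVar.get_platform() + "/Shells:")
                octets = myIP.split(".")
                if len(octets) != 4:
                    print("Invalid IP length.")
                else:
                    goodLen = True
                    for item in octets:
                        # Loose check: int() also accepts signs and
                        # surrounding whitespace.
                        try:
                            number = int(item)
                        except ValueError:  # narrowed from a bare except
                            goodDigits = False
                        else:
                            if number < 0 or number > 255:
                                print("Bad octets in IP address.")
                                goodDigits = False
                if goodDigits and goodLen:
                    print("\nShell/DB listener set to " + myIP + "\n")
                    GlobalVar.set_myIP(myIP)
                    GlobalVar.set_optionSet(4, True)

        elif select == "9":
            currentVerb = GlobalVar.get_verb()
            if currentVerb == "OFF":
                print("Verbose output enabled.")
                GlobalVar.set_verb("ON")
                GlobalVar.set_optionSet(6, True)
            elif currentVerb == "ON":
                print("Verbose output disabled.")
                GlobalVar.set_verb("OFF")
                GlobalVar.set_optionSet(6, True)

        elif select == 'x':
            return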
Example #7
        return ()

    # Excerpt from inside a larger function: appURL, injectString,
    # requestHeaders and normLength are assigned before this point and are
    # not visible here.

    # buildAttackUri returns a pair: the list of URIs to request and a
    # parallel list of descriptions.
    buildAttackSet = buildAttackUri(appURL, injectString)
    uriArray = buildAttackSet[0]
    attackDescriptionSet = buildAttackSet[1]
    # Dump both lists to the console.
    for item in uriArray:
        print item
    for item in attackDescriptionSet:
        print item

    # Per the original author: randomUri is the URI configured in the
    # options menu, differing only in its parameter value.
    randomUri = uriArray[0]

    print "URI :" + randomUri
    req = urllib2.Request(randomUri, None, requestHeaders)
    if GlobalVar.get_verb() == "ON":
        print "Checking random injected parameter HTTP response size using " + randomUri + "...\n"
    else:
        print "Sending random parameter value..."
    # NOTE(review): urlopen() is called without a timeout and the response
    # object is never closed.
    randLength = int(len(urllib2.urlopen(req).read()))
    print "Got response length of " + str(randLength) + "."
    # Size difference between the normal response and the random-value one.
    randNormDelta = abs(normLength - randLength)

    if randNormDelta == 0:
        print "No change in response size injecting a random parameter..\n"
    else:
        print "Random value variance: " + str(randNormDelta) + "\n"

    # First entry of the description list; not used again in this excerpt.
    attackEffectiveSum = attackDescriptionSet[0]

    # NOTE(review): this sends the same request a second time and prints the
    # whole response body. It looks like leftover debug output, and the body
    # printed is not the one that was measured above.
    print "req:" + urllib2.urlopen(req).read()
Example #8
#        print "No change in response size injecting a random parameter..\n"
#    else:
#        print "Random value variance: " + str(differenceLength) + "\n"

#    print "req:" + urllib2.urlopen(req).read()

#    print "requestHeaders" + requestHeaders
    print "\n"
    print "Start injection:"
    for index in range(0,attackSum):
        print "injecting: " + uriArray[index]
#        if GlobalVar.get_verb() == "ON":
#            print "Checking random injected parameter HTTP response size using " + uriArray[index] + "...\n"
#        else:
#            print "Sending random parameter value..."
        if GlobalVar.get_verb() == "ON":
            print attackDescriptionSet[index]
        req = urllib2.Request(uriArray[index], None, requestHeaders)
        errorCheck = errorTest(str(urllib2.urlopen(req).read()), index, uriArray)

        if errorCheck == False:
            injLen = int(len(urllib2.urlopen(req).read()))
            checkResult(normLength, injLen, index, uriArray)
    print "\n"
    print "Vulnerable URLs:"
    print "\n".join(GlobalVar.get_vulnAddrs())
    print "\n"
    print "Possibly vulnerable URLs:"
    print"\n".join(GlobalVar.get_possAddrs())
    print "\n"
    print "Timing based attacks:"