def main():
try:
# Check if defined "--version" option.
if menu.options.version:
version.show_version()
sys.exit(0)
# Checkall the banner
menu.banner()
# Check python version number.
version.python_version()
# Check if defined "--dependencies" option.
# For checking (non-core) third party dependenices.
if menu.options.noncore_dependencies:
checks.third_party_dependencies()
sys.exit(0)
# Check if defined "--update" option.
if menu.options.update:
update.updater()
sys.exit(0)
# Check if defined "--install" option.
if menu.options.install:
install.installer()
sys.exit(0)
# Check arguments
if len(sys.argv) == 1:
menu.parser.print_help()
print ""
sys.exit(0)
if menu.options.level > 3:
err_msg = "The value for option '--level' "
err_msg += "must be an integer value from range [1, 3]."
print settings.print_error_msg(err_msg)
sys.exit(0)
# Parse target / data from HTTP proxy logs (i.e Burp / WebScarab).
if menu.options.logfile:
parser.logfile_parser()
# Modification on payload
if not menu.options.shellshock:
#settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")"
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Check provided parameters for tests
if menu.options.test_parameter:
if menu.options.test_parameter.startswith("="):
menu.options.test_parameter = menu.options.test_parameter[1:]
settings.TEST_PARAMETER = menu.options.test_parameter.split(",")
for i in range(0, len(settings.TEST_PARAMETER)):
if "=" in settings.TEST_PARAMETER[i]:
settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[
i].split("=")[0]
# Check if defined character used for splitting parameter values.
if menu.options.pdel:
settings.PARAMETER_DELIMITER = menu.options.pdel
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if "," in menu.options.tech:
split_techniques_names = menu.options.tech.split(",")
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0, len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0, len(split_first_letter)):
if split_first_letter[
j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(
' ', ''
) not in settings.AVAILABLE_TECHNIQUES and found_tech == False:
err_msg = "You specified wrong value '" + split_techniques_names[
i] + "' as injection technique. "
err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, "
err_msg += "(T)ime-based, (F)ile-based (with or without commas)."
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower(
) not in settings.AVAILABLE_SHELLS:
err_msg = "'" + menu.options.alter_shell + "' shell is not supported!"
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)."
print settings.print_error_msg(err_msg)
sys.exit(0)
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None:
err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check if defined "--file-upload" option.
if menu.options.file_upload:
# Check if not defined URL for upload.
if not re.match(settings.VALID_URL_FORMAT,
menu.options.file_upload):
err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. "
print settings.print_error_msg(err_msg)
sys.exit(0)
# Check if defined "--random-agent" option.
if menu.options.random_agent:
menu.options.agent = random.choice(settings.USER_AGENT_LIST)
# Check if defined "--url" option.
if menu.options.url:
url = menu.options.url
# Check if http / https
url = checks.check_http_s(url)
if menu.options.output_dir:
output_dir = menu.options.output_dir
else:
output_dir = settings.OUTPUT_DIR
# One directory up, if Windows or if the script is being run under "/src".
if settings.IS_WINDOWS or "/src" in os.path.dirname(
os.path.abspath(__file__)):
os.chdir("..")
output_dir = os.path.dirname(output_dir)
try:
os.stat(output_dir)
except:
os.mkdir(output_dir)
# The logs filename construction.
filename = logs.create_log_file(url, output_dir)
try:
# Check if defined POST data
if menu.options.data:
request = urllib2.Request(url, menu.options.data)
else:
request = urllib2.Request(url)
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
# Check if defined Tor (--tor option).
elif menu.options.tor:
tor.do_check()
info_msg = "Checking connection to the target URL... "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
try:
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
response = proxy.use_proxy(request)
# Check if defined Tor (--tor option).
elif menu.options.tor:
response = tor.use_tor(request)
else:
try:
response = urllib2.urlopen(request)
except ValueError:
# Invalid format for the '--headers' option.
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' to provide an HTTP header or"
err_msg += " '--headers=\"HEADER_NAME:" + settings.INJECT_TAG + "\"' "
err_msg += "if you want to try to exploit the provided HTTP header."
print settings.print_error_msg(err_msg)
sys.exit(0)
except:
raise
html_data = content = response.read()
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
# Used a valid pair of valid credentials
if menu.options.auth_cred:
info_msg = "Identified a valid pair of credentials '" + Style.UNDERLINE
info_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print Style.BRIGHT + info_msg + Style.RESET_ALL
try:
if response.info()['server']:
server_banner = response.info()['server']
found_os_server = False
if menu.options.os and checks.user_defined_os():
user_defined_os = settings.TARGET_OS
for i in range(0, len(settings.SERVER_OS_BANNERS)):
if settings.SERVER_OS_BANNERS[i].lower(
) in server_banner.lower():
found_os_server = True
settings.TARGET_OS = settings.SERVER_OS_BANNERS[
i].lower()
if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft":
identified_os = "Windows"
if menu.options.os and user_defined_os != "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
settings.TARGET_OS = identified_os[:
3].lower(
)
if menu.options.shellshock:
err_msg = "The shellshock module is not available for " + identified_os + " targets."
print settings.print_critical_msg(
err_msg)
raise SystemExit()
else:
identified_os = "Unix-like (" + settings.TARGET_OS + ")"
if menu.options.os and user_defined_os == "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
found_server_banner = False
if menu.options.verbose:
info_msg = "Identifying the target server..."
print settings.print_info_msg(info_msg)
for i in range(0, len(settings.SERVER_BANNERS)):
if settings.SERVER_BANNERS[i].lower(
) in server_banner.lower():
if menu.options.verbose:
success_msg = "The server was identified as "
success_msg += Style.UNDERLINE + server_banner + Style.RESET_ALL + "."
print settings.print_success_msg(
success_msg)
settings.SERVER_BANNER = server_banner
found_server_banner = True
# Set up default root paths
if settings.SERVER_BANNERS[i].lower(
) == "apache":
if settings.TARGET_OS == "win":
settings.SRV_ROOT_DIR = "\\htdocs"
else:
settings.SRV_ROOT_DIR = "/var/www"
if settings.SERVER_BANNERS[i].lower(
) == "nginx":
settings.SRV_ROOT_DIR = "/usr/share/nginx"
if settings.SERVER_BANNERS[i].lower(
) == "microsoft-iis":
settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot"
break
if not found_server_banner:
warn_msg = "Heuristics have failed to identify server."
print settings.print_warning_msg(warn_msg)
# Store the Server's root dir
settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Check for wrong flags.
if settings.TARGET_OS == "win":
if menu.options.is_root:
warn_msg = "Swithing '--is-root' to '--is-admin' because the target has been identified as windows."
print settings.print_warning_msg(warn_msg)
if menu.options.passwords:
warn_msg = "The '--passwords' option, is not yet available for Windows targets."
print settings.print_warning_msg(warn_msg)
if menu.options.file_upload:
warn_msg = "The '--file-upload' option, is not yet available for windows targets. "
warn_msg += "Instead, use the '--file-write' option."
print settings.print_warning_msg(warn_msg)
sys.exit(0)
else:
if menu.options.is_admin:
warn_msg = "Swithing the '--is-admin' to '--is-root' because "
warn_msg += "the target has been identified as unix-like. "
print settings.print_warning_msg(warn_msg)
if found_os_server == False and \
not menu.options.os:
# If "--shellshock" option is provided then,
# by default is a Linux/Unix operating system.
if menu.options.shellshock:
pass
else:
warn_msg = "Heuristics have failed to identify server's operating system."
print settings.print_warning_msg(warn_msg)
while True:
question_msg = "Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > "
got_os = raw_input(
settings.print_question_msg(
question_msg)).lower()
if got_os.lower() in settings.CHOICE_OS:
if got_os.lower() == "w":
settings.TARGET_OS = "win"
break
elif got_os.lower() == "u":
break
elif got_os.lower() == "q":
raise SystemExit()
else:
if got_os == "":
got_os = "enter"
err_msg = "'" + got_os + "' is not a valid answer."
print settings.print_error_msg(
err_msg) + "\n"
pass
if not menu.options.os:
if found_server_banner == False:
warn_msg = "The server which was identified as " + server_banner + " seems unknown."
print settings.print_warning_msg(warn_msg)
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
# Charset detection [1].
# [1] http://www.w3schools.com/html/html_charset.asp
# Check if HTML4 format
if menu.options.verbose:
info_msg = "Identifing the indicated web-page charset..."
print settings.print_info_msg(info_msg)
content = re.findall(r";charset=(.*)\"", html_data)
if len(content) != 0:
charset = content
else:
# Check if HTML5 format
charset = re.findall(r"charset=['\"](.*?)['\"]", html_data)
if len(charset) != 0:
settings.CHARSET = charset[len(charset) - 1]
if settings.CHARSET.lower() not in settings.CHARSET_LIST:
warn_msg = "The indicated web-page charset " + settings.CHARSET + " seems unknown."
print settings.print_warning_msg(warn_msg)
else:
if menu.options.verbose:
success_msg = "The indicated web-page charset appears to be "
success_msg += Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
except urllib2.HTTPError, e:
# Check the codes of responses
if e.getcode() == 500:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
content = e.read()
sys.exit(0)
# Check for HTTP Error 401 (Unauthorized).
elif e.getcode() == 401:
try:
# Get the auth header value
auth_line = e.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(
auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''',
auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The identified HTTP authentication type (" + auth_type + ") is not yet supported."
print settings.print_error_msg(err_msg) + "\n"
sys.exit(0)
except IndexError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The provided pair of " + menu.options.auth_type
err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
err_msg += " seems to be invalid."
print settings.print_error_msg(err_msg)
sys.exit(0)
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if menu.options.auth_type and menu.options.auth_type != auth_type.lower(
):
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(
url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
success_msg = "Identified a valid pair of credentials '" + Style.UNDERLINE
success_msg += menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize(
) + ") "
warn_msg += "HTTP authentication credentials are required."
printprint_warning_msg(warn_msg)
while True:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > "
crack_creds = raw_input(
settings.print_question_msg(
question_msg)).lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(
url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
err_msg = "'" + crack_creds + "' is not a valid answer."
print settings.print_error_msg(
err_msg) + "\n"
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_401:
warn_msg = "(" + menu.options.auth_type.capitalize(
) + ") "
warn_msg += "HTTP authentication credentials are required."
print settings.print_warning_msg(warn_msg)
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print settings.print_warning_msg(
warn_msg)
while True:
question_msg = "Do you want to perform a dictionary-based attack? [Y/n/q] > "
crack_creds = raw_input(
settings.print_question_msg(
question_msg)).lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(
url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_err_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
err_msg = "'" + crack_creds + "' is not a valid answer."
print settings.print_error_msg(
err_msg) + "\n"
pass
else:
checks.http_auth_err_msg()
else:
pass
elif e.getcode() == 403:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "You don't have permission to access this page."
print settings.print_error_msg(err_msg)
sys.exit(0)
elif e.getcode() == 404:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The host seems to be down!"
print settings.print_error_msg(err_msg)
sys.exit(0)
else:
raise
except urllib2.URLError, e:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
err_msg = "The host seems to be down!"
print settings.print_error_msg(err_msg)
sys.exit(0)
def main(filename, url):
try:
# Ignore the mathematic calculation part (Detection phase).
if menu.options.skip_calc:
settings.SKIP_CALC = True
if menu.options.enable_backticks:
settings.USE_BACKTICKS = True
# Target URL reload.
if menu.options.url_reload and menu.options.data:
settings.URL_RELOAD = True
if menu.options.header is not None and settings.INJECT_TAG in menu.options.header or \
menu.options.headers is not None and settings.INJECT_TAG in menu.options.headers:
info_msg = "Injection marker found in option '--header(s)/--user-agent/--referer/--cookie'."
print(settings.print_info_msg(info_msg))
if menu.options.test_parameter:
err_msg = "The options '-p' and the injection marker cannot be used "
err_msg += "simultaneously (i.e. only one option must be set)."
print(settings.print_critical_msg(err_msg))
raise SystemExit
if menu.options.test_parameter and menu.options.skip_parameter:
if type(menu.options.test_parameter) is bool:
menu.options.test_parameter = None
else:
err_msg = "The options '-p' and '--skip' cannot be used "
err_msg += "simultaneously (i.e. only one option must be set)."
print(settings.print_critical_msg(err_msg))
raise SystemExit
if menu.options.ignore_session:
# Ignore session
session_handler.ignore(url)
# Check provided parameters for tests
if menu.options.test_parameter or menu.options.skip_parameter:
if menu.options.test_parameter != None:
if menu.options.test_parameter.startswith("="):
menu.options.test_parameter = menu.options.test_parameter[
1:]
settings.TEST_PARAMETER = menu.options.test_parameter.split(
settings.PARAMETER_SPLITTING_REGEX)
elif menu.options.skip_parameter != None:
if menu.options.skip_parameter.startswith("="):
menu.options.skip_parameter = menu.options.skip_parameter[
1:]
settings.TEST_PARAMETER = menu.options.skip_parameter.split(
settings.PARAMETER_SPLITTING_REGEX)
for i in range(0, len(settings.TEST_PARAMETER)):
if "=" in settings.TEST_PARAMETER[i]:
settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[
i].split("=")[0]
# Check injection level, due to the provided testable parameters.
if menu.options.level < 2 and menu.options.test_parameter != None:
checks.check_injection_level()
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check for skipping injection techniques.
if menu.options.skip_tech:
if menu.options.tech:
err_msg = "The options '--technique' and '--skip-technique' cannot be used "
err_msg += "simultaneously (i.e. only one option must be set)."
print(settings.print_critical_msg(err_msg))
raise SystemExit
settings.SKIP_TECHNIQUES = True
menu.options.tech = menu.options.skip_tech
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech:
split_techniques_names = menu.options.tech.split(
settings.PARAMETER_SPLITTING_REGEX)
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0, len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0, len(split_first_letter)):
if split_first_letter[
j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \
found_tech == False:
err_msg = "You specified wrong value '" + split_techniques_names[
i]
err_msg += "' as injection technique. "
err_msg += "The value for '"
if not settings.SKIP_TECHNIQUES:
err_msg += "--technique"
else:
err_msg += "--skip-technique"
err_msg += "' must be a string composed by the letters C, E, T, F. "
err_msg += "Refer to the official wiki for details."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower(
) not in settings.AVAILABLE_SHELLS:
err_msg = "'" + menu.options.alter_shell + "' shell is not supported!"
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
err_msg = "Host's absolute filepath to write and/or upload, must be specified (i.e. '--file-dest')."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None:
err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Check if defined "--url" or "-m" option.
if url:
if menu.options.auth_cred and menu.options.auth_cred and settings.VERBOSITY_LEVEL >= 1:
success_msg = "Used a valid pair of " + menu.options.auth_type
success_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'."
print(settings.print_success_msg(success_msg))
# Load the crawler
if menu.options.crawldepth > 0 or menu.options.sitemap_url:
url = crawler.crawler(url)
try:
if menu.options.flush_session:
session_handler.flush(url)
# Check for CGI scripts on url
checks.check_CGI_scripts(url)
# Modification on payload
if not menu.options.shellshock:
if not settings.USE_BACKTICKS:
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Check if defined "--file-upload" option.
if menu.options.file_upload:
checks.file_upload()
try:
_urllib.request.urlopen(menu.options.file_upload)
except _urllib.error.HTTPError as err_msg:
print(settings.print_critical_msg(str(err_msg.code)))
raise SystemExit()
except _urllib.error.URLError as err_msg:
print(
settings.print_critical_msg(
str(err_msg.args[0]).split("] ")[1] + "."))
raise SystemExit()
try:
# Webpage encoding detection.
requests.encoding_detection(response)
if response.info()['server']:
server_banner = response.info()['server']
# Procedure for target server's operating system identification.
requests.check_target_os(server_banner)
# Procedure for target server identification.
requests.server_identification(server_banner)
# Procedure for target application identification
requests.application_identification(server_banner, url)
# Store the Server's root dir
settings.DEFAULT_WEB_ROOT = settings.WEB_ROOT
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Define Python working directory.
checks.define_py_working_dir()
# Check for wrong flags.
checks.check_wrong_flags()
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
# Load tamper scripts
if menu.options.tamper:
checks.tamper_scripts()
except _urllib.error.HTTPError as err_msg:
# Check the codes of responses
if str(err_msg.getcode()) == settings.INTERNAL_SERVER_ERROR:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
content = err_msg.read()
raise SystemExit()
# Invalid permission to access target URL page.
elif str(err_msg.getcode()) == settings.FORBIDDEN_ERROR:
if settings.VERBOSITY_LEVEL < 2:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL +
" ]")
err_msg = "You don't have permission to access this page."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# The target host seems to be down!
elif str(err_msg.getcode()) == settings.NOT_FOUND_ERROR:
if settings.VERBOSITY_LEVEL < 2:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL +
" ]")
err_msg = "The host seems to be down!"
print(settings.print_critical_msg(err_msg))
raise SystemExit()
else:
raise
# The target host seems to be down!
except _urllib.error.URLError as e:
if settings.VERBOSITY_LEVEL < 2:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
err_msg = "The host seems to be down"
try:
err_msg += " (" + str(e.args[0]).split("] ")[1] + ")."
except IndexError:
err_msg += "."
pass
print(settings.print_critical_msg(err_msg))
raise SystemExit()
except _http_client.BadStatusLine as err_msg:
if settings.VERBOSITY_LEVEL < 2:
print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
if len(err_msg.line) > 2:
print(err_msg.line, err_msg.message)
pass
except AttributeError:
pass
else:
err_msg = "You must specify the target URL."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
# Launch injection and exploitation controller.
controller.do_check(url, filename)
return filename
# Accidental stop / restart of the target host server.
except _http_client.BadStatusLine as err_msg:
if err_msg.line == "" or err_msg.message == "":
err_msg = "The target host is not responding."
err_msg += " Please ensure that is up and try again."
print("\n\n" + settings.print_critical_msg(err_msg))
logs.print_logs_notification(filename, url)
else:
err_msg = err_msg.line + err_msg.message
print(settings.print_critical_msg(err_msg) + "\n")
session_handler.clear(url)
raise SystemExit()
# Connection reset by peer
except SocketError as err_msg:
if settings.VERBOSITY_LEVEL >= 1:
print("")
err_msg = "The target host is not responding."
err_msg += " Please ensure that is up and try again."
print("\n" + settings.print_critical_msg(err_msg))
logs.print_logs_notification(filename, url)
sys.exit(0)
except httplib.BadStatusLine, e:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
if len(e.line) > 2 :
print e.line, e.message
pass
else:
err_msg = "You must specify the target URL."
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
# Launch injection and exploitation controller.
controller.do_check(url, filename)
except KeyboardInterrupt:
abort_msg = "Ctrl-C was pressed!"
print "\n" + settings.print_abort_msg(abort_msg)
if settings.SHOW_LOGS_MSG == True:
logs.logs_notification(filename)
print ""
if menu.options.url:
session_handler.clear(menu.options.url)
sys.exit(0)
except SystemExit:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
if len(err_msg.line) > 2 :
print err_msg.line, err_msg.message
pass
except AttributeError:
pass
else:
err_msg = "You must specify the target URL."
print settings.print_critical_msg(err_msg)
sys.exit(0)
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
# Launch injection and exploitation controller.
controller.do_check(url, filename)
return filename
# Accidental stop / restart of the target host server.
except httplib.BadStatusLine, err_msg:
if err_msg.line == "" or err_msg.message == "":
err_msg = "The target host is not responding."
err_msg += " Please ensure that is up and try again."
print "\n\n" + settings.print_critical_msg(err_msg)
logs.print_logs_notification(filename, url)
else:
err_msg = err_msg.line + err_msg.message
print settings.print_critical_msg(err_msg) + "\n"
def main():
try:
# Check if defined "--version" option.
if menu.options.version:
version.show_version()
sys.exit(0)
# Checkall the banner
menu.banner()
# Check python version number.
version.python_version()
# Check if defined "--dependencies" option.
# For checking (non-core) third party dependenices.
if menu.options.noncore_dependencies:
checks.third_party_dependencies()
sys.exit(0)
# Check if defined "--update" option.
if menu.options.update:
update.updater()
sys.exit(0)
# Check if defined "--install" option.
if menu.options.install:
install.installer()
sys.exit(0)
# Check arguments
if len(sys.argv) == 1:
menu.parser.print_help()
print ""
sys.exit(0)
# Parse target / data from HTTP proxy logs (i.e Burp / WebScarab).
if menu.options.logfile:
parser.logfile_parser()
# Modification on payload
if not menu.options.shellshock:
#settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")"
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Check if defined character used for splitting parameter values.
if menu.options.pdel:
settings.PARAMETER_DELIMITER = menu.options.pdel
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if "," in menu.options.tech:
split_techniques_names = menu.options.tech.split(",")
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0,len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0,len(split_first_letter)):
if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and found_tech == False:
error_msg = "You specified wrong value '" + split_techniques_names[i] + "' as injection technique. " \
"The value, must be a string composed by the letters (C)lassic, (E)val-based, " \
"(T)ime-based, (F)ile-based (with or without commas)."
print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
sys.exit(0)
# Cookie Injection
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
settings.COOKIE_INJECTION = True
# User-Agent Injection
if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
settings.USER_AGENT_INJECTION = True
# Referer Injection
if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
settings.REFERER_INJECTION = True
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS:
print Back.RED + settings.ERROR_SIGN + "'" + menu.options.alter_shell + "' shell is not supported!" + Style.RESET_ALL
sys.exit(0)
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
print Back.RED + settings.ERROR_SIGN + "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." + Style.RESET_ALL
sys.exit(0)
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None :
print Back.RED + settings.ERROR_SIGN + "You must enter the '--file-write' or '--file-upload' parameter." + Style.RESET_ALL
sys.exit(0)
# Check if defined "--file-upload" option.
if menu.options.file_upload:
# Check if not defined URL for upload.
if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
print Back.RED + settings.ERROR_SIGN + "The '" + menu.options.file_upload + "' is not a valid URL. " + Style.RESET_ALL
sys.exit(0)
# Check if defined "--random-agent" option.
if menu.options.random_agent:
menu.options.agent = random.choice(settings.USER_AGENT_LIST)
# Check if defined "--url" option.
if menu.options.url:
url = menu.options.url
# Check if http / https
url = checks.check_http_s(url)
if menu.options.output_dir:
output_dir = menu.options.output_dir
else:
output_dir = settings.OUTPUT_DIR
# One directory up, if Windows or if the script is being run under "/src".
if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)):
os.chdir("..")
output_dir = os.path.dirname(output_dir)
try:
os.stat(output_dir)
except:
os.mkdir(output_dir)
# The logs filename construction.
filename = logs.create_log_file(url, output_dir)
try:
# Check if defined POST data
if menu.options.data:
request = urllib2.Request(url, menu.options.data)
else:
request = urllib2.Request(url)
headers.do_check(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.do_check(url)
# Check if defined Tor (--tor option).
elif menu.options.tor:
tor.do_check()
sys.stdout.write(settings.INFO_SIGN + "Checking connection to the target URL... ")
sys.stdout.flush()
try:
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
response = proxy.use_proxy(request)
# Check if defined Tor (--tor option).
elif menu.options.tor:
response = tor.use_tor(request)
else:
try:
response = urllib2.urlopen(request)
except ValueError:
# Invalid format for the '--headers' option.
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
error_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' to provide an HTTP header or '--headers=\"HEADER_NAME:" + settings.INJECT_TAG + "\"' if you want to try to exploit the provided HTTP header."
print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
sys.exit(0)
except:
raise
html_data = response.read()
content = response.read()
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
# Used a valid pair of valid credentials
if menu.options.auth_cred:
print Style.BRIGHT + "(!) Identified a valid pair of credentials '" + Style.UNDERLINE + menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL
try:
if response.info()['server'] :
server_banner = response.info()['server']
found_os_server = False
if menu.options.os and checks.user_defined_os():
user_defined_os = settings.TARGET_OS
for i in range(0,len(settings.SERVER_OS_BANNERS)):
if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower():
found_os_server = True
settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower()
if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" :
identified_os = "Windows"
if menu.options.os and user_defined_os != "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
settings.TARGET_OS = identified_os[:3].lower()
if menu.options.shellshock:
print Back.RED + settings.CRITICAL_SIGN + "The shellshock module is not available for " + identified_os + " targets." + Style.RESET_ALL
raise SystemExit()
else:
identified_os = "Unix-like (" + settings.TARGET_OS + ")"
if menu.options.os and user_defined_os == "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
found_server_banner = False
for i in range(0,len(settings.SERVER_BANNERS)):
if settings.SERVER_BANNERS[i].lower() in server_banner.lower():
if menu.options.verbose:
print Style.BRIGHT + "(!) The server was identified as " + Style.UNDERLINE + server_banner + Style.RESET_ALL + "." + Style.RESET_ALL
settings.SERVER_BANNER = server_banner
found_server_banner = True
# Set up default root paths
if settings.SERVER_BANNERS[i].lower() == "apache":
if settings.TARGET_OS == "win":
settings.SRV_ROOT_DIR = "\\htdocs"
else:
settings.SRV_ROOT_DIR = "/var/www"
if settings.SERVER_BANNERS[i].lower() == "nginx":
settings.SRV_ROOT_DIR = "/usr/share/nginx"
if settings.SERVER_BANNERS[i].lower() == "microsoft-iis":
settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot"
break
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Check for wrong flags.
if settings.TARGET_OS == "win":
if menu.options.is_root :
print Fore.YELLOW + settings.WARNING_SIGN + "Swithing '--is-root' to '--is-admin' because the target has been identified as windows." + Style.RESET_ALL
error_msg = settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets."
if menu.options.passwords:
print Fore.YELLOW + settings.WARNING_SIGN + "The '--passwords' option, is not yet available for Windows targets." + Style.RESET_ALL
if menu.options.file_upload :
print Fore.YELLOW + settings.WARNING_SIGN + "The '--file-upload' option, is not yet available for windows targets. Instead, use the '--file-write' option." + Style.RESET_ALL
sys.exit(0)
else:
if menu.options.is_admin :
print Fore.YELLOW + settings.WARNING_SIGN + "Swithing the '--is-admin' to '--is-root' because the target has been identified as unix-like. " + Style.RESET_ALL
if found_os_server == False and \
not menu.options.os:
# If "--shellshock" option is provided then,
# by default is a Linux/Unix operating system.
if menu.options.shellshock:
pass
else:
print Fore.YELLOW + settings.WARNING_SIGN + "Heuristics have failed to identify server's operating system." + Style.RESET_ALL
while True:
got_os = raw_input(settings.QUESTION_SIGN + "Do you recognise the server's operating system? [(W)indows/(U)nix/(q)uit] > ").lower()
if got_os.lower() in settings.CHOICE_OS :
if got_os.lower() == "w":
settings.TARGET_OS = "win"
break
elif got_os.lower() == "u":
break
elif got_os.lower() == "q":
raise SystemExit()
else:
if got_os == "":
got_os = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + got_os + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
if not menu.options.os:
if found_server_banner == False:
print Fore.YELLOW + settings.WARNING_SIGN + "The server which was identified as " + server_banner + " seems unknown." + Style.RESET_ALL
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
# Charset detection [1].
# [1] http://www.w3schools.com/html/html_charset.asp
# Check if HTML4 format
content = re.findall(r";charset=(.*)\"", html_data)
if len(content) != 0 :
charset = content
else:
# Check if HTML5 format
charset = re.findall(r"charset=['\"](.*?)['\"]", html_data)
if len(charset) != 0 :
settings.CHARSET = charset[len(charset)-1]
if settings.CHARSET.lower() not in settings.CHARSET_LIST:
print Fore.YELLOW + settings.WARNING_SIGN + "The indicated web-page charset " + settings.CHARSET + " seems unknown." + Style.RESET_ALL
else:
if menu.options.verbose:
print Style.BRIGHT + "(!) The indicated web-page charset appears to be " + Style.UNDERLINE + settings.CHARSET + Style.RESET_ALL + "." + Style.RESET_ALL
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
except urllib2.HTTPError, e:
# Check the codes of responses
if e.getcode() == 500:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
content = e.read()
sys.exit(0)
# Check for HTTP Error 401 (Unauthorized).
elif e.getcode() == 401:
try:
# Get the auth header value
auth_line = e.headers.get('www-authenticate', '')
# Checking for authentication type name.
auth_type = auth_line.split()[0]
settings.SUPPORTED_HTTP_AUTH_TYPES.index(auth_type.lower())
# Checking for the realm attribute.
try:
auth_obj = re.match('''(\w*)\s+realm=(.*)''', auth_line).groups()
realm = auth_obj[1].split(',')[0].replace("\"", "")
except:
realm = False
except ValueError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "The identified HTTP authentication type (" + auth_type + ") is not yet supported." + Style.RESET_ALL + "\n"
sys.exit(0)
except IndexError:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
error_msg = "The provided pair of " + menu.options.auth_type
error_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
error_msg += " seems to be invalid."
print Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
sys.exit(0)
print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
if menu.options.auth_type and menu.options.auth_type != auth_type.lower():
if checks.identified_http_auth_type(auth_type):
menu.options.auth_type = auth_type.lower()
else:
menu.options.auth_type = auth_type.lower()
# Check for stored auth credentials.
if not menu.options.auth_cred:
try:
stored_auth_creds = session_handler.export_valid_credentials(url, auth_type.lower())
except:
stored_auth_creds = False
if stored_auth_creds:
menu.options.auth_cred = stored_auth_creds
print Style.BRIGHT + "(!) Identified a valid pair of credentials '" + Style.UNDERLINE + menu.options.auth_cred + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL
else:
# Basic authentication
if menu.options.auth_type == "basic":
if not menu.options.ignore_401:
print Fore.YELLOW + settings.WARNING_SIGN + "(" + menu.options.auth_type.capitalize() + ")" + " HTTP authentication credentials are required." + Style.RESET_ALL
while True:
crack_creds = raw_input(settings.QUESTION_SIGN + "Do you want to perform a dictionary-based attack? [Y/n/q] > ").lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_error_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + crack_creds + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
# Digest authentication
elif menu.options.auth_type == "digest":
if not menu.options.ignore_401:
print Fore.YELLOW + settings.WARNING_SIGN + "(" + menu.options.auth_type.capitalize() + ")" + " HTTP authentication credentials are required." + Style.RESET_ALL
# Check if heuristics have failed to identify the realm attribute.
if not realm:
warn_msg = "Heuristics have failed to identify the realm attribute."
print Fore.YELLOW + settings.WARNING_SIGN + warn_msg + Style.RESET_ALL
while True:
crack_creds = raw_input(settings.QUESTION_SIGN + "Do you want to perform a dictionary-based attack? [Y/n/q] > ").lower()
if crack_creds in settings.CHOICE_YES:
auth_creds = authentication.http_auth_cracker(url, realm)
if auth_creds != False:
menu.options.auth_cred = auth_creds
settings.REQUIRED_AUTHENTICATION = True
break
else:
sys.exit(0)
elif crack_creds in settings.CHOICE_NO:
checks.http_auth_error_msg()
elif crack_creds in settings.CHOICE_QUIT:
sys.exit(0)
else:
if crack_creds == "":
crack_creds = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + crack_creds + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
else:
checks.http_auth_error_msg()
else:
pass
elif e.getcode() == 403:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "You don't have permission to access this page." + Style.RESET_ALL
sys.exit(0)
elif e.getcode() == 404:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL
sys.exit(0)
else:
raise
except urllib2.URLError, e:
print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
print Back.RED + settings.ERROR_SIGN + "The host seems to be down!" + Style.RESET_ALL
sys.exit(0)
