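def _confirm_skip(question_msg):
  """Ask a yes/no question and return True for "yes", False for "no".

  In batch mode no prompt is shown and the answer is "yes". An empty answer
  also counts as "yes" (the [Y/n] default). A quit answer raises SystemExit;
  an unrecognised answer prints an error and asks again instead of silently
  falling through.
  """
  while True:
    if menu.options.batch:
      procced_option = ""
    else:
      procced_option = _input(settings.print_question_msg(question_msg))
    if not procced_option or procced_option in settings.CHOICE_YES:
      return True
    if procced_option in settings.CHOICE_NO:
      return False
    if procced_option in settings.CHOICE_QUIT:
      raise SystemExit()
    err_msg = "'" + procced_option + "' is not a valid answer."
    print(settings.print_error_msg(err_msg))


def injection_proccess(url, check_parameter, http_request_method, filename, timesec):
  """Run the enabled detection techniques against one parameter or HTTP header.

  Args:
    url: Target URL; may be rewritten by ``heuristic_basic`` before the
      technique handlers run.
    check_parameter: Name of the parameter under test. A leading space marks
      an HTTP header (User-Agent / Referer / Host / custom header) rather
      than a request parameter.
    http_request_method: HTTP method used for the test requests.
    filename: Output file name passed through to the technique handlers.
    timesec: Initial time delay in seconds; refined by
      ``requests.estimate_response_time``.

  Side effects:
    Mutates ``menu.options.tech`` / ``menu.options.web_root`` and the
    ``settings.*_STATE`` and ``settings.SKIP_*_INJECTIONS`` flags, prints
    progress messages, and raises ``SystemExit`` when the user quits at a
    prompt or when every technique has been skipped.
  """
  if menu.options.ignore_code:
    info_msg = "Ignoring '" + str(menu.options.ignore_code) + "' HTTP error code. "
    print(settings.print_info_msg(info_msg))

  # Skipping specific injection techniques: start from every available
  # technique letter and strip the ones listed in menu.options.skip_tech.
  if settings.SKIP_TECHNIQUES:
    menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
    for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
      if skip_tech_name in menu.options.skip_tech:
        menu.options.tech = menu.options.tech.replace(skip_tech_name, "")
    if not menu.options.tech:
      err_msg = "Detection procedure was aborted due to skipping all injection techniques."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit

  # User-Agent HTTP header / Referer HTTP header /
  # Host HTTP header / Custom HTTP header Injection(s)
  if check_parameter.startswith(" "):
    header_name = ""
    the_type = " HTTP header"
  else:
    header_name = " cookie" if settings.COOKIE_INJECTION else ""
    the_type = " parameter"
    check_parameter = " '" + check_parameter + "'"

  # Estimating the response time (in seconds)
  timesec, url_time_response = requests.estimate_response_time(url, timesec)

  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  # Check for identified warnings; the heuristic may rewrite the URL.
  url = heuristic_basic(url, http_request_method)
  if settings.IDENTIFIED_WARNINGS and not settings.SKIP_COMMAND_INJECTIONS:
    ci = "command injection techniques"
    ce = "code injection technique"
    question_msg = "Do you want to skip test payloads for "
    question_msg += ci + "? [Y/n] > "
    if _confirm_skip(question_msg):
      if settings.VERBOSITY_LEVEL >= 1:
        debug_msg = "Skipping " + ci + "."
        print(settings.print_debug_msg(debug_msg))
      settings.CLASSIC_STATE = settings.TIME_BASED_STATE = settings.FILE_BASED_STATE = False
      settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = True
    else:
      if settings.VERBOSITY_LEVEL >= 1:
        debug_msg = "Skipping " + ce + "."
        print(settings.print_debug_msg(debug_msg))
      settings.SKIP_CODE_INJECTIONS = True
      settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = False

  if not settings.LOAD_SESSION:
    info_msg = "Setting the"
    if header_name != " cookie" and the_type != " HTTP header":
      info_msg += " " + http_request_method
    info_msg += (" (JSON)" if settings.IS_JSON else "") + (" (SOAP/XML)" if settings.IS_XML else "")
    if header_name == " cookie":
      info_msg += header_name + the_type + check_parameter + " for tests."
    else:
      info_msg += the_type + header_name + check_parameter + " for tests."
    print(settings.print_info_msg(info_msg))

  # NOTE(review): this condition can never hold -- it requires both
  # menu.options.failed_tries and not menu.options.failed_tries -- so the
  # warning below is dead code. Confirm whether the trailing clause was meant
  # to compare against the option's default value before changing it.
  if menu.options.failed_tries and \
     menu.options.tech and "f" not in menu.options.tech and not \
     menu.options.failed_tries:
    plural = "" if len(menu.options.tech) == 1 else "s"
    warn_msg = "Due to the provided (unsuitable) injection technique" + plural + ", "
    warn_msg += "the option '--failed-tries' will be ignored."
    # Style.RESET_ALL must be inside the call: print() returns None, so
    # `print(...) + Style.RESET_ALL` raised TypeError on Python 3.
    print(settings.print_warning_msg(warn_msg) + Style.RESET_ALL)

  # Proceed with file-based semiblind command injection technique,
  # once the user provides the path of web server's root directory.
  if menu.options.web_root and \
     menu.options.tech and "f" not in menu.options.tech:
    if not menu.options.web_root.endswith("/"):
      menu.options.web_root = menu.options.web_root + "/"
    if checks.procced_with_file_based_technique():
      menu.options.tech = "f"

  if not menu.options.tech:
    menu.options.tech = ""

  # An empty technique string enables every technique.
  run_all = not menu.options.tech
  if run_all or "c" in menu.options.tech:
    settings.CLASSIC_STATE = True
  if run_all or "e" in menu.options.tech:
    settings.EVAL_BASED_STATE = True
  if run_all or "t" in menu.options.tech:
    settings.TIME_BASED_STATE = True
  if run_all or "f" in menu.options.tech:
    settings.FILE_BASED_STATE = True

  # Check if it is vulnerable to classic command injection technique.
  # Each *_STATE flag is None while its handler runs, then True/False.
  if not settings.SKIP_COMMAND_INJECTIONS and settings.CLASSIC_STATE:
    settings.CLASSIC_STATE = None
    # Handlers return False when nothing was found; any other value is a hit.
    if cb_handler.exploitation(url, timesec, filename, http_request_method) != False:
      if settings.EVAL_BASED_STATE:
        if not menu.options.batch:
          # NOTE(review): the flag is promoted to True only on the interactive
          # path and stays None in batch mode -- confirm whether cb_handler
          # records the result itself.
          settings.CLASSIC_STATE = True
        question_msg = "Due to results, "
        question_msg += "skipping of code injection checks is recommended. "
        question_msg += "Do you agree? [Y/n] > "
        if _confirm_skip(question_msg):
          if settings.VERBOSITY_LEVEL >= 1:
            debug_msg = "Skipping code injection checks."
            print(settings.print_debug_msg(debug_msg))
          settings.SKIP_CODE_INJECTIONS = True
    else:
      settings.CLASSIC_STATE = False

  # Check if it is vulnerable to eval-based code injection technique.
  if not settings.SKIP_CODE_INJECTIONS and settings.EVAL_BASED_STATE:
    settings.EVAL_BASED_STATE = None
    if eb_handler.exploitation(url, timesec, filename, http_request_method) != False:
      if not menu.options.batch:
        settings.EVAL_BASED_STATE = True
      question_msg = "Due to results, "
      question_msg += "skipping of further command injection checks is recommended. "
      question_msg += "Do you agree? [Y/n] > "
      if _confirm_skip(question_msg):
        if settings.VERBOSITY_LEVEL >= 1:
          debug_msg = "Skipping command injection checks."
          print(settings.print_debug_msg(debug_msg))
        settings.SKIP_COMMAND_INJECTIONS = True
    else:
      settings.EVAL_BASED_STATE = False

  if not settings.SKIP_COMMAND_INJECTIONS:
    # Check if it is vulnerable to time-based blind command injection technique.
    if settings.TIME_BASED_STATE:
      settings.TIME_BASED_STATE = None
      found = tb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response)
      settings.TIME_BASED_STATE = found != False

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if settings.FILE_BASED_STATE:
      settings.FILE_BASED_STATE = None
      found = fb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response)
      settings.FILE_BASED_STATE = found != False

  # All injection techniques seem to have failed.
  states = (settings.CLASSIC_STATE, settings.EVAL_BASED_STATE,
            settings.TIME_BASED_STATE, settings.FILE_BASED_STATE)
  # `== False` on purpose: a None (not run) state must not count as failed.
  if all(state == False for state in states):  # noqa: E712
    warn_msg = "The tested"
    if header_name != " cookie" and the_type != " HTTP header":
      warn_msg += " " + http_request_method
    warn_msg += the_type + header_name + check_parameter
    warn_msg += " seems to be not injectable."
    # Same Python 3 fix as above: keep Style.RESET_ALL inside print().
    print(settings.print_warning_msg(warn_msg) + Style.RESET_ALL)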
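def injection_proccess(url, check_parameter, http_request_method, filename, timesec):
  """Run the enabled detection techniques against one parameter or HTTP header.

  Args:
    url: Target URL handed to the technique handlers.
    check_parameter: Name of the parameter under test. A leading space marks
      an HTTP header (User-Agent / Referer / custom header) rather than a
      request parameter.
    http_request_method: HTTP method used for the test requests.
    filename: Output file name passed through to the technique handlers.
    timesec: Initial time delay in seconds; refined by
      ``requests.estimate_response_time``.

  Side effects:
    Mutates ``menu.options.tech`` / ``menu.options.web_root`` and the
    ``settings.*_STATE`` flags, prints progress messages, and exits the
    process on a quit answer or when every technique has been skipped.
  """
  # Skipping specific injection techniques: start from every available
  # technique letter and strip the ones listed in menu.options.skip_tech.
  if settings.SKIP_TECHNIQUES:
    menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
    for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
      if skip_tech_name in menu.options.skip_tech:
        menu.options.tech = menu.options.tech.replace(skip_tech_name, "")
    if not menu.options.tech:
      err_msg = "Detection procedure was aborted due to skipping all injection techniques."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit

  # User-Agent Injection / Referer Injection / Custom header Injection
  if check_parameter.startswith(" "):
    header_name = ""
    the_type = " HTTP header"
  else:
    header_name = " cookie" if settings.COOKIE_INJECTION else ""
    the_type = " parameter"
    check_parameter = " '" + check_parameter + "'"

  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  if not settings.LOAD_SESSION:
    info_msg = "Setting the"
    if header_name != " cookie" and the_type != " HTTP header":
      info_msg += " " + http_request_method
    info_msg += the_type + header_name + check_parameter + " for tests."
    print(settings.print_info_msg(info_msg))

  # Estimating the response time (in seconds)
  timesec, url_time_response = requests.estimate_response_time(url, timesec)

  # Per-run skip flags, set by the prompts after a successful probe.
  skip_code_injections = False
  skip_command_injections = False

  def _enabled(letter):
    """True when *letter* was selected, or when no technique was chosen at all.

    Reads menu.options.tech on every call because the web-root check below
    may overwrite it. An unset option (None) counts as "nothing chosen".
    """
    tech = menu.options.tech
    return not tech or letter in tech

  def _read_answer():
    """Return the user's lower-cased answer; "" (and batch mode) means "yes"."""
    if menu.options.batch:
      return ""
    # rstrip both CR and LF so a "\r\n"-terminated line is not rejected.
    return sys.stdin.readline().rstrip("\r\n").lower()

  # Proceed with file-based semiblind command injection technique,
  # once the user provides the path of web server's root directory.
  # `or ""` keeps the membership test safe when the option is unset (None).
  if menu.options.web_root and "f" not in (menu.options.tech or ""):
    if not menu.options.web_root.endswith("/"):
      menu.options.web_root = menu.options.web_root + "/"
    if checks.procced_with_file_based_technique():
      menu.options.tech = "f"

  # Check if it is vulnerable to classic command injection technique.
  # Each *_STATE flag is None while its handler runs, then True/False.
  if _enabled("c"):
    settings.CLASSIC_STATE = None
    # Handlers return False when nothing was found; any other value is a hit.
    if cb_handler.exploitation(url, timesec, filename, http_request_method) != False:
      if _enabled("e"):
        if not menu.options.batch:
          # NOTE(review): the flag is promoted to True only on the interactive
          # path and stays None in batch mode -- confirm whether cb_handler
          # records the result itself.
          settings.CLASSIC_STATE = True
          question_msg = "Due to results, "
          question_msg += "skipping of code injection checks is recommended. "
          question_msg += "Do you agree? [Y/n] > "
          sys.stdout.write(settings.print_question_msg(question_msg))
        procced_option = _read_answer() or "y"
        if procced_option in settings.CHOICE_YES:
          skip_code_injections = True
        elif procced_option in settings.CHOICE_NO:
          pass
        elif procced_option in settings.CHOICE_QUIT:
          sys.exit(0)
        else:
          err_msg = "'" + procced_option + "' is not a valid answer."
          print(settings.print_error_msg(err_msg))
    else:
      settings.CLASSIC_STATE = False

  # Check if it is vulnerable to eval-based code injection technique.
  if _enabled("e") and not skip_code_injections:
    settings.EVAL_BASED_STATE = None
    if eb_handler.exploitation(url, timesec, filename, http_request_method) != False:
      if not menu.options.batch:
        settings.EVAL_BASED_STATE = True
        question_msg = "Due to results, "
        question_msg += "skipping of further command injection checks is recommended. "
        question_msg += "Do you agree? [Y/n] > "
        sys.stdout.write(settings.print_question_msg(question_msg))
      procced_option = _read_answer() or "y"
      if procced_option in settings.CHOICE_YES:
        skip_command_injections = True
      elif procced_option in settings.CHOICE_NO:
        pass
      elif procced_option in settings.CHOICE_QUIT:
        sys.exit(0)
      else:
        err_msg = "'" + procced_option + "' is not a valid answer."
        print(settings.print_error_msg(err_msg))
    else:
      settings.EVAL_BASED_STATE = False

  # Check if it is vulnerable to time-based blind command injection technique.
  if not skip_command_injections and _enabled("t"):
    settings.TIME_BASED_STATE = None
    found = tb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response)
    settings.TIME_BASED_STATE = found != False

  # Check if it is vulnerable to file-based semiblind command injection technique.
  # The skip flag is tested first so it also covers the "no technique chosen"
  # case; the original `a or b and c` let that case through because of
  # operator precedence.
  if not skip_command_injections and _enabled("f"):
    settings.FILE_BASED_STATE = None
    found = fb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response)
    settings.FILE_BASED_STATE = found != False

  # All injection techniques seem to have failed.
  states = (settings.CLASSIC_STATE, settings.EVAL_BASED_STATE,
            settings.TIME_BASED_STATE, settings.FILE_BASED_STATE)
  # `== False` on purpose: a None (not run) state must not count as failed.
  if all(state == False for state in states):  # noqa: E712
    warn_msg = "The tested"
    if header_name != " cookie" and the_type != " HTTP header":
      warn_msg += " " + http_request_method
    warn_msg += the_type + header_name + check_parameter
    warn_msg += " seems to be not injectable."
    # print() call form works on both Python 2 and 3 for a single argument.
    print(settings.print_warning_msg(warn_msg) + Style.RESET_ALL)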
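def injection_proccess(url, check_parameter, http_request_method, filename, timesec):
  """Run the enabled detection techniques against one parameter or HTTP header.

  The per-technique work is delegated to ``classic_command_injection_technique``,
  ``dynamic_code_evaluation_technique``, ``timebased_command_injection_technique``
  and ``filebased_command_injection_technique``; this function prepares the
  shared state, asks the user about skipping, and reports when every technique
  ended with a negative result.

  Args:
    url: Target URL; may be rewritten by ``heuristic_basic`` before the
      technique helpers run.
    check_parameter: Name of the parameter under test. A leading space marks
      an HTTP header (User-Agent / Referer / Host / custom header) rather
      than a request parameter.
    http_request_method: HTTP method used for the test requests.
    filename: Output file name passed through to the technique helpers.
    timesec: Initial time delay in seconds; refined by
      ``requests.estimate_response_time``.

  Side effects:
    Mutates ``menu.options.tech`` / ``menu.options.web_root`` and the
    ``settings.*_STATE`` / ``settings.SKIP_COMMAND_INJECTIONS`` flags, prints
    progress messages, and raises ``SystemExit`` when the user quits at the
    prompt or when every technique has been skipped.
  """
  if menu.options.ignore_code:
    info_msg = "Ignoring '" + str(menu.options.ignore_code) + "' HTTP error code. "
    print(settings.print_info_msg(info_msg))

  # Skipping specific injection techniques: start from every available
  # technique letter and strip the ones listed in menu.options.skip_tech.
  if settings.SKIP_TECHNIQUES:
    menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
    for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
      if skip_tech_name in menu.options.skip_tech:
        menu.options.tech = menu.options.tech.replace(skip_tech_name, "")
    if not menu.options.tech:
      err_msg = "Detection procedure was aborted due to skipping all injection techniques."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit

  # User-Agent HTTP header / Referer HTTP header /
  # Host HTTP header / Custom HTTP header Injection(s)
  if check_parameter.startswith(" "):
    header_name = ""
    the_type = " HTTP header"
  else:
    header_name = " cookie" if settings.COOKIE_INJECTION else ""
    the_type = " parameter"
    check_parameter = " '" + check_parameter + "'"

  # Estimating the response time (in seconds)
  timesec, url_time_response = requests.estimate_response_time(url, timesec)

  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  if not settings.LOAD_SESSION:
    # `not tech` rather than len(tech) == 0 so an unset option (None) does
    # not raise TypeError here.
    if not menu.options.tech or "e" in menu.options.tech:
      # Check for identified warnings; the heuristic may rewrite the URL.
      url = heuristic_basic(url, http_request_method)
      if settings.IDENTIFIED_WARNINGS or settings.IDENTIFIED_PHPINFO:
        # Keep asking until a recognised answer is given.
        while True:
          if not menu.options.batch:
            question_msg = "Skipping of further command injection tests is recommended. "
            question_msg += "Do you agree? [Y/n] > "
            procced_option = _input(settings.print_question_msg(question_msg))
          else:
            procced_option = ""
          # An empty answer (always the case in batch mode) counts as "yes".
          if not procced_option or procced_option in settings.CHOICE_YES:
            settings.CLASSIC_STATE = settings.TIME_BASED_STATE = settings.FILE_BASED_STATE = False
            settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = True
            break
          if procced_option in settings.CHOICE_NO:
            break
          if procced_option in settings.CHOICE_QUIT:
            raise SystemExit()
          err_msg = "'" + procced_option + "' is not a valid answer."
          print(settings.print_error_msg(err_msg))

    info_msg = "Setting the"
    if header_name != " cookie" and the_type != " HTTP header":
      info_msg += " " + str(http_request_method)
    info_msg += (" (JSON)" if settings.IS_JSON else "") + (" (SOAP/XML)" if settings.IS_XML else "")
    if header_name == " cookie":
      info_msg += str(header_name) + str(the_type) + str(check_parameter) + " for tests."
    else:
      info_msg += str(the_type) + str(header_name) + str(check_parameter) + " for tests."
    print(settings.print_info_msg(info_msg))

  # NOTE(review): this condition can never hold -- it requires both
  # menu.options.failed_tries and not menu.options.failed_tries -- so the
  # warning below is dead code. Confirm whether the trailing clause was meant
  # to compare against the option's default value before changing it.
  if menu.options.failed_tries and \
     menu.options.tech and "f" not in menu.options.tech and not \
     menu.options.failed_tries:
    plural = "" if len(menu.options.tech) == 1 else "s"
    warn_msg = "Due to the provided (unsuitable) injection technique" + plural + ", "
    warn_msg += "the option '--failed-tries' will be ignored."
    print(settings.print_warning_msg(warn_msg) + Style.RESET_ALL)

  # Proceed with file-based semiblind command injection technique,
  # once the user provides the path of web server's root directory.
  if menu.options.web_root and \
     menu.options.tech and "f" not in menu.options.tech:
    if not menu.options.web_root.endswith("/"):
      menu.options.web_root = menu.options.web_root + "/"
    if checks.procced_with_file_based_technique():
      menu.options.tech = "f"

  # When command injection checks are skipped, the code-evaluation technique
  # runs first; the classic helper is still called and is expected to honour
  # settings.SKIP_COMMAND_INJECTIONS itself (not visible here -- verify).
  if settings.SKIP_COMMAND_INJECTIONS:
    dynamic_code_evaluation_technique(url, timesec, filename, http_request_method)
    classic_command_injection_technique(url, timesec, filename, http_request_method)
  else:
    classic_command_injection_technique(url, timesec, filename, http_request_method)
    dynamic_code_evaluation_technique(url, timesec, filename, http_request_method)
    timebased_command_injection_technique(url, timesec, filename, http_request_method, url_time_response)
    filebased_command_injection_technique(url, timesec, filename, http_request_method, url_time_response)

  # All injection techniques seem to have failed.
  states = (settings.CLASSIC_STATE, settings.EVAL_BASED_STATE,
            settings.TIME_BASED_STATE, settings.FILE_BASED_STATE)
  # `== False` on purpose: a None (not run) state must not count as failed.
  if all(state == False for state in states):  # noqa: E712
    warn_msg = "The tested"
    if header_name != " cookie" and the_type != " HTTP header":
      warn_msg += " " + str(http_request_method)
    warn_msg += str(the_type) + str(header_name) + str(check_parameter)
    warn_msg += " seems to be not injectable."
    print(settings.print_warning_msg(warn_msg))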