def do_POST_check(parameter): http_request_method = "POST" # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. parameter = checks.wildcard_character(parameter).replace("'","\"") # Check if JSON Object. if checks.is_JSON_check(parameter): if not settings.IS_JSON: checks.process_json_data() settings.PARAMETER_DELIMITER = "," # Check if XML Object. elif checks.is_XML_check(parameter): if not settings.IS_XML: checks.process_xml_data() settings.PARAMETER_DELIMITER = "" else: pass parameters_list = [] # Split multiple parameters if settings.IS_XML: _ = [] parameters = re.findall(r'(.*)', parameter) parameters = [param + "\n" for param in parameters if param] for value in range(0,len(parameters)): _.append(parameters[value]) multi_parameters = _ else: try: multi_parameters = parameter.split(settings.PARAMETER_DELIMITER) multi_parameters = [x for x in multi_parameters if x] except ValueError, err_msg: print settings.print_critical_msg(err_msg) raise SystemExit()
def specify_cookie_parameter(cookie): # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. cookie = checks.wildcard_character(cookie) # Specify the vulnerable cookie parameter if re.findall(r"" + settings.COOKIE_DELIMITER + "(.*)=" + settings.INJECT_TAG + "", cookie): inject_cookie = re.findall(r"" + settings.COOKIE_DELIMITER + "(.*)=" + settings.INJECT_TAG + "", cookie) inject_cookie = ''.join(inject_cookie) inject_cookie = re.sub(r"(.*)=(.*)" + settings.COOKIE_DELIMITER, "", inject_cookie) elif re.findall(r"(.*)=" + settings.INJECT_TAG + "", cookie): inject_cookie = re.findall(r"(.*)=" + settings.INJECT_TAG + "", cookie) inject_cookie = ''.join(inject_cookie) else: inject_cookie = cookie return inject_cookie
def do_POST_check(parameter): # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. parameter = checks.wildcard_character(parameter) # Check if valid JSON def is_JSON_check(parameter): try: json_object = json.loads(parameter) if re.search(settings.JSON_RECOGNITION_REGEX, parameter): if settings.VERBOSITY_LEVEL >= 1 and not settings.IS_JSON: success_msg = Style.BRIGHT + Style.UNDERLINE + "JSON data" success_msg += Style.RESET_ALL + Style.BRIGHT success_msg += " found in POST data" success_msg += Style.RESET_ALL + "." print settings.print_success_msg(success_msg) except ValueError, err_msg: if not "No JSON object could be decoded" in err_msg: err_msg = "JSON " + str(err_msg) + ". " print settings.print_error_msg(err_msg) + "\n" sys.exit(0) return False else:
def do_check(request): # Check if defined any HTTP Host header. if menu.options.host: request.add_header('Host', menu.options.host) # Check if defined any HTTP User-Agent header. if menu.options.agent: request.add_header('User-Agent', menu.options.agent) # Check if defined any HTTP Referer header. if menu.options.referer and settings.REFERER_INJECTION == False: request.add_header('Referer', menu.options.referer) # Check if defined any HTTP Cookie header. if menu.options.cookie and settings.COOKIE_INJECTION == False: request.add_header('Cookie', menu.options.cookie) # Check if defined any HTTP Authentication credentials. # HTTP Authentication: Basic / Digest Access Authentication. if not menu.options.ignore_401: if menu.options.auth_cred and menu.options.auth_type: try: settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type) if menu.options.auth_type == "basic": b64_string = base64.encodestring(menu.options.auth_cred).replace('\n', '') request.add_header("Authorization", "Basic " + b64_string + "") elif menu.options.auth_type == "digest": try: url = menu.options.url try: response = urllib2.urlopen(url) except urllib2.HTTPError, e: try: authline = e.headers.get('www-authenticate', '') authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups() realm = authobj[1].split(',')[0].replace("\"","") user_pass_pair = menu.options.auth_cred.split(":") username = user_pass_pair[0] password = user_pass_pair[1] authhandler = urllib2.HTTPDigestAuthHandler() authhandler.add_password(realm, url, username, password) opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) result = urllib2.urlopen(url) except AttributeError: pass except urllib2.HTTPError, e: pass except ValueError: err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'." err_msg += " Try basic or digest HTTP authentication type." print settings.print_critical_msg(err_msg) sys.exit(0) else: pass # The MIME media type for JSON. if settings.IS_JSON: request.add_header("Content-Type", "application/json") # Check if defined any extra HTTP headers. if menu.options.headers: # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. menu.options.headers = checks.wildcard_character(menu.options.headers) extra_headers = menu.options.headers extra_headers = extra_headers.split(":") extra_headers = ':'.join(extra_headers) extra_headers = extra_headers.split("\\n") # Remove empty strings extra_headers = [x for x in extra_headers if x] for extra_header in extra_headers: # Extra HTTP Header name http_header_name = re.findall(r"(.*):", extra_header) http_header_name = ''.join(http_header_name) # Extra HTTP Header value http_header_value = re.findall(r":(.*)", extra_header) http_header_value = ''.join(http_header_value) # Check if it is a custom header injection. if settings.CUSTOM_HEADER_INJECTION == False and \ settings.INJECT_TAG in http_header_value: settings.CUSTOM_HEADER_INJECTION = True settings.CUSTOM_HEADER_NAME = http_header_name request.add_header(http_header_name, http_header_value)
def do_GET_check(url): http_request_method = "GET" # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. url = checks.wildcard_character(url) # Check for REST-ful URLs format. if "?" not in url: if settings.INJECT_TAG not in url and not menu.options.shellshock: if menu.options.level == 3 or menu.options.headers: return False if menu.options.level == 2 : return False else: err_msg = "No parameter(s) found for testing in the provided data. " err_msg += "You must specify the testable parameter or " err_msg += "try to increase '--level' values to perform more tests." print settings.print_critical_msg(err_msg) raise SystemExit() elif menu.options.shellshock: return False return url else: urls_list = [] if menu.options.shellshock: urls_list.append(url) else: # Find the host part url_part = get_url_part(url) # Find the parameter part parameters = url.split("?")[1] # Split parameters multi_parameters = parameters.split(settings.PARAMETER_DELIMITER) # Check for inappropriate format in provided parameter(s). if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)): checks.inappropriate_format(multi_parameters) # Check for empty values (in provided parameters). checks.is_empty(multi_parameters, http_request_method) # Grab the value of parameter. _ = [] _.append(parameters) parameters = ''.join(checks.check_similarities(_)) value = re.findall(r'=(.*)', parameters) value = ''.join(value) # Check if single parameter is supplied. if len(multi_parameters) == 1: # Replace the value of parameter with INJECT tag inject_value = value.replace(value, settings.INJECT_TAG) # Check if defined the INJECT_TAG if settings.INJECT_TAG not in parameters: # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(parameters): return urls_list if len(value) == 0: parameters = parameters + settings.INJECT_TAG else: parameters = parameters.replace(value, inject_value) else: # Auto-recognize prefix / suffix if settings.INJECT_TAG in value: if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0: menu.options.prefix = value.rsplit(settings.INJECT_TAG, 1)[0] if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0: menu.options.suffix = value.rsplit(settings.INJECT_TAG, 1)[1] parameters = parameters.replace(value, inject_value) # Reconstruct the URL url = url_part + "?" + parameters urls_list.append(url) return urls_list else: # Check if multiple parameters are supplied without the "INJECT_HERE" tag. all_params = settings.PARAMETER_DELIMITER.join(multi_parameters) all_params = all_params.split(settings.PARAMETER_DELIMITER) # Check for similarity in provided parameter name and value. all_params = checks.check_similarities(all_params) # Check if defined the "INJECT_HERE" tag if settings.INJECT_TAG not in url: for param in range(0,len(all_params)): if param == 0 : old = re.findall(r'=(.*)', all_params[param]) old = ''.join(old) else : old = value # Grab the value of parameter. value = re.findall(r'=(.*)', all_params[param]) value = ''.join(value) # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(all_params[param]): continue # Replace the value of parameter with INJECT tag inject_value = value.replace(value, settings.INJECT_TAG) # Skip testing the parameter(s) with empty value(s). if menu.options.skip_empty: if len(value) == 0: provided_value = re.findall(r'(.*)=', all_params[param]) provided_value = ''.join(provided_value) else: all_params[param] = all_params[param].replace(value, inject_value) all_params[param-1] = all_params[param-1].replace(inject_value, old) parameter = settings.PARAMETER_DELIMITER.join(all_params) # Reconstruct the URL url = url_part + "?" + parameter urls_list.append(url) else: if len(value) == 0: all_params[param] = all_params[param] + settings.INJECT_TAG else: all_params[param] = all_params[param].replace(value, inject_value) all_params[param-1] = all_params[param-1].replace(inject_value, old) parameter = settings.PARAMETER_DELIMITER.join(all_params) # Reconstruct the URL url = url_part + "?" + parameter urls_list.append(url.replace(settings.IGNORE_TAG,"")) else: for param in range(0,len(multi_parameters)): # Grab the value of parameter. value = re.findall(r'=(.*)', multi_parameters[param]) value = ''.join(value) parameter = settings.PARAMETER_DELIMITER.join(multi_parameters) # Reconstruct the URL url = url_part + "?" + parameter urls_list.append(url) return urls_list
def do_GET_check(url): # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. url = checks.wildcard_character(url) # Check for REST-ful URLs format. if "?" not in url: if settings.INJECT_TAG not in url and not menu.options.shellshock: if menu.options.level == 3 or menu.options.headers: return False if menu.options.level == 2 : return False else: err_msg = "No parameter(s) found for testing in the provided data. " err_msg += "You must specify the testable parameter or " err_msg += "try to increase '--level' values to perform more tests. " print settings.print_critical_msg(err_msg) + "\n" os._exit(0) return url urls_list = [] # Find the host part url_part = get_url_part(url) # Find the parameter part parameters = url.split("?")[1] # Split parameters multi_parameters = parameters.split(settings.PARAMETER_DELIMITER) # Check if single paramerter is supplied. if len(multi_parameters) == 1: # Check if defined the INJECT_TAG if settings.INJECT_TAG not in parameters: # Grab the value of parameter. value = re.findall(r'=(.*)', parameters) value = ''.join(value) # Replace the value of parameter with INJECT tag inject_value = value.replace(value, settings.INJECT_TAG) parameters = parameters.replace(value, inject_value) else: # Grab the value of parameter. value = re.findall(r'=(.*)', parameters) value = ''.join(value) # Auto-recognize prefix / suffix if settings.INJECT_TAG in value: if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0: menu.options.prefix = value.rsplit(settings.INJECT_TAG, 1)[0] if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0: menu.options.suffix = value.rsplit(settings.INJECT_TAG, 1)[1] # Replace the value of parameter with INJECT tag inject_value = value.replace(value, settings.INJECT_TAG) parameters = parameters.replace(value, inject_value) # Reconstruct the url url = url_part + "?" + parameters urls_list.append(url) return urls_list else: # Check if multiple paramerters are supplied without the "INJECT_HERE" tag. all_params = settings.PARAMETER_DELIMITER.join(multi_parameters) # Check if defined the "INJECT_HERE" tag if settings.INJECT_TAG not in url: all_params = all_params.split(settings.PARAMETER_DELIMITER) for param in range(0,len(all_params)): if param == 0 : old = re.findall(r'=(.*)', all_params[param]) old = ''.join(old) else : old = value # Grab the value of parameter. value = re.findall(r'=(.*)', all_params[param]) value = ''.join(value) if not value == "": # Replace the value of parameter with INJECT tag inject_value = value.replace(value, settings.INJECT_TAG) all_params[param] = all_params[param].replace(value, inject_value) all_params[param-1] = all_params[param-1].replace(inject_value, old) parameter = settings.PARAMETER_DELIMITER.join(all_params) # Reconstruct the url url = url_part + "?" + parameter urls_list.append(url) else: provided_value = re.findall(r'(.*)=', all_params[param]) provided_value = ''.join(provided_value) warn_msg = "The '" + provided_value warn_msg += "' parameter has been skipped from testing because the provided value is empty." print settings.print_warning_msg(warn_msg) else: for param in range(0,len(multi_parameters)): # Grab the value of parameter. value = re.findall(r'=(.*)', multi_parameters[param]) value = ''.join(value) parameter = settings.PARAMETER_DELIMITER.join(multi_parameters) url = url_part + "?" + parameter urls_list.append(url) return urls_list
success_msg += Style.RESET_ALL + Style.BRIGHT success_msg += " found in POST data" success_msg += Style.RESET_ALL + "." print settings.print_success_msg(success_msg) except ValueError, err_msg: if not "No JSON object could be decoded" in err_msg: err_msg = "JSON " + str(err_msg) + ". " print settings.print_critical_msg(err_msg) + "\n" sys.exit(0) return False else: return True # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. parameter = checks.wildcard_character(parameter).replace("'","\"") # Check if JSON Object. if is_JSON_check(parameter): settings.IS_JSON = True # Split parameters if settings.IS_JSON: settings.PARAMETER_DELIMITER = "," paramerters_list = [] # Split multiple parameters multi_parameters = parameter.split(settings.PARAMETER_DELIMITER) # Check if single paramerter is supplied. if len(multi_parameters) == 1:
def do_check(request): # Check if defined any Host HTTP header. if menu.options.host and settings.HOST_INJECTION == None: request.add_header(settings.HOST, menu.options.host) # Check if defined any User-Agent HTTP header. if menu.options.agent: request.add_header(settings.USER_AGENT, menu.options.agent) # Check if defined any Referer HTTP header. if menu.options.referer and settings.REFERER_INJECTION == None: request.add_header(settings.REFERER, menu.options.referer) # Check if defined any Cookie HTTP header. if menu.options.cookie and settings.COOKIE_INJECTION == False: request.add_header(settings.COOKIE, menu.options.cookie) if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER): request.add_header(settings.HTTP_ACCEPT_HEADER, settings.HTTP_ACCEPT_HEADER_VALUE) # Appends a fake HTTP header 'X-Forwarded-For' if settings.TAMPER_SCRIPTS["xforwardedfor"]: from src.core.tamper import xforwardedfor xforwardedfor.tamper(request) # Check if defined any HTTP Authentication credentials. # HTTP Authentication: Basic / Digest Access Authentication. if menu.options.auth_cred and menu.options.auth_type: try: settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type) if menu.options.auth_type == "basic": b64_string = base64.encodestring(menu.options.auth_cred).replace('\n', '') request.add_header("Authorization", "Basic " + b64_string + "") elif menu.options.auth_type == "digest": try: url = menu.options.url try: response = urllib2.urlopen(url) except urllib2.HTTPError, e: try: authline = e.headers.get('www-authenticate', '') authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups() realm = authobj[1].split(',')[0].replace("\"","") user_pass_pair = menu.options.auth_cred.split(":") username = user_pass_pair[0] password = user_pass_pair[1] authhandler = urllib2.HTTPDigestAuthHandler() authhandler.add_password(realm, url, username, password) opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) result = urllib2.urlopen(url) except AttributeError: pass except urllib2.HTTPError, e: pass except ValueError: err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'." err_msg += " Try basic or digest HTTP authentication type." print settings.print_critical_msg(err_msg) raise SystemExit() else: pass # The MIME media type for JSON. if settings.IS_JSON: request.add_header("Content-Type", "application/json") # Check if defined any extra HTTP headers. if menu.options.headers or menu.options.header: # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. if menu.options.headers: menu.options.headers = checks.wildcard_character(menu.options.headers) extra_headers = menu.options.headers else: menu.options.header = checks.wildcard_character(menu.options.header) extra_headers = menu.options.header extra_headers = extra_headers.replace(":",": ") if ": //" in extra_headers: extra_headers = extra_headers.replace(": //" ,"://") if "\\n" in extra_headers: extra_headers = extra_headers.split("\\n") # Remove empty strings extra_headers = [x for x in extra_headers if x] if menu.options.header and not menu.options.headers and len(extra_headers) > 1: warn_msg = "Swithing '--header' to '--headers' " warn_msg += "due to multiple extra HTTP headers." print settings.print_warning_msg(warn_msg) else: tmp_extra_header = [] tmp_extra_header.append(extra_headers) extra_headers = tmp_extra_header for extra_header in extra_headers: # Extra HTTP Header name http_header_name = re.findall(r"(.*): ", extra_header) http_header_name = ''.join(http_header_name).strip() # Extra HTTP Header value http_header_value = re.findall(r":(.*)", extra_header) http_header_value = ''.join(http_header_value).strip() # Check if it is a custom header injection. if settings.CUSTOM_HEADER_INJECTION == False and \ settings.INJECT_TAG in http_header_value: settings.CUSTOM_HEADER_INJECTION = True settings.CUSTOM_HEADER_NAME = http_header_name request.add_header(http_header_name, http_header_value)
def do_GET_check(url): http_request_method = "GET" # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. url = checks.wildcard_character(url) # Check for REST-ful URLs format. if "?" not in url: if settings.INJECT_TAG not in url and not menu.options.shellshock: if menu.options.level == 3 or menu.options.header or menu.options.headers: return False if menu.options.level == 2: return False else: err_msg = "No parameter(s) found for testing in the provided data. " err_msg += "You must specify the testable parameter or " err_msg += "try to increase '--level' values to perform more tests." print(settings.print_critical_msg(err_msg)) raise SystemExit() elif menu.options.shellshock: return False return url else: urls_list = [] if menu.options.shellshock: urls_list.append(url) else: # Find the host part url_part = get_url_part(url) # Find the parameter part parameters = url.split("?")[1] # Split parameters multi_parameters = parameters.split(settings.PARAMETER_DELIMITER) # Check for inappropriate format in provided parameter(s). if len([s for s in multi_parameters if "=" in s ]) != (len(multi_parameters)): checks.inappropriate_format(multi_parameters) # Check for empty values (in provided parameters). checks.is_empty(multi_parameters, http_request_method) # Grab the value of parameter. _ = [] _.append(parameters) parameters = ''.join(checks.check_similarities(_)) value = re.findall(r'=(.*)', parameters) value = ''.join(value) # Check if single parameter is supplied. if len(multi_parameters) == 1: if re.search(settings.VALUE_BOUNDARIES, value): value = checks.value_boundaries(value) # Replace the value of parameter with INJECT_HERE tag inject_value = value.replace(value, settings.INJECT_TAG) # Check if defined the INJECT_TAG if settings.INJECT_TAG not in parameters: # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(parameters): return urls_list if len(value) == 0: parameters = parameters + settings.INJECT_TAG else: parameters = parameters.replace(value, inject_value) else: # Auto-recognize prefix / suffix if settings.INJECT_TAG in value: if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0: menu.options.prefix = value.rsplit( settings.INJECT_TAG, 1)[0] if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0: menu.options.suffix = value.rsplit( settings.INJECT_TAG, 1)[1] parameters = parameters.replace(value, inject_value) # Reconstruct the URL url = url_part + "?" + parameters urls_list.append(url) return urls_list else: # Check if multiple parameters are supplied without the "INJECT_HERE" tag. all_params = settings.PARAMETER_DELIMITER.join( multi_parameters) all_params = all_params.split(settings.PARAMETER_DELIMITER) # Check for similarity in provided parameter name and value. all_params = checks.check_similarities(all_params) # Check if defined the "INJECT_HERE" tag if settings.INJECT_TAG not in url: for param in range(0, len(all_params)): if param == 0: old = re.findall(r'=(.*)', all_params[param]) old = ''.join(old) else: old = value # Grab the value of parameter. value = re.findall(r'=(.*)', all_params[param]) value = ''.join(value) # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(all_params[param]): continue if re.search(settings.VALUE_BOUNDARIES, value): value = checks.value_boundaries(value) # Replace the value of parameter with INJECT_HERE tag inject_value = value.replace(value, settings.INJECT_TAG) # Skip testing the parameter(s) with empty value(s). if menu.options.skip_empty: if len(value) == 0: provided_value = re.findall( r'(.*)=', all_params[param]) provided_value = ''.join(provided_value) else: all_params[param] = all_params[param].replace( value, inject_value) all_params[param - 1] = all_params[param - 1].replace( inject_value, old) parameter = settings.PARAMETER_DELIMITER.join( all_params) # Reconstruct the URL url = url_part + "?" + parameter urls_list.append(url) else: if len(value) == 0: all_params[param] = all_params[ param] + settings.INJECT_TAG else: all_params[param] = all_params[param].replace( value, inject_value) all_params[param - 1] = all_params[param - 1].replace( inject_value, old) parameter = settings.PARAMETER_DELIMITER.join( all_params) # Reconstruct the URL url = url_part + "?" + parameter urls_list.append( url.replace(settings.RANDOM_TAG, "")) else: for param in range(0, len(multi_parameters)): # Grab the value of parameter. value = re.findall(r'=(.*)', multi_parameters[param]) value = ''.join(value) parameter = settings.PARAMETER_DELIMITER.join( multi_parameters) # Reconstruct the URL url = url_part + "?" + parameter urls_list.append(url) return urls_list
def do_POST_check(parameter): http_request_method = "POST" # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided. parameter = checks.wildcard_character(parameter).replace("'", "\"") # Check if JSON Object. if checks.is_JSON_check(checks.check_quotes_json_data(parameter)): parameter = checks.check_quotes_json_data(parameter) if not settings.IS_JSON: checks.process_json_data() settings.PARAMETER_DELIMITER = "," # Check if XML Object. elif checks.is_XML_check(parameter): if not settings.IS_XML: checks.process_xml_data() settings.PARAMETER_DELIMITER = "" else: pass parameters_list = [] # Split multiple parameters if settings.IS_XML: _ = [] parameters = re.findall(r'(.*)', parameter) parameters = [param + "\n" for param in parameters if param] for value in range(0, len(parameters)): _.append(parameters[value]) multi_parameters = _ else: try: multi_parameters = parameter.split(settings.PARAMETER_DELIMITER) multi_parameters = [x for x in multi_parameters if x] except ValueError as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit() # Check for inappropriate format in provided parameter(s). if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)) and \ not settings.IS_JSON and \ not settings.IS_XML: checks.inappropriate_format(multi_parameters) # Check for empty values (in provided parameters). # Check if single parameter is supplied. if len(multi_parameters) == 1: #Grab the value of parameter. if settings.IS_JSON: #Grab the value of parameter. value = re.findall(r'\"(.*)\"', parameter) value = ''.join(value) if value != settings.INJECT_TAG: value = re.findall(r'\s*\:\s*\"(.*)\"', parameter) value = ''.join(value) elif settings.IS_XML: #Grab the value of parameter. value = re.findall(r'>(.*)</', parameter) value = ''.join(value) else: _ = [] _.append(parameter) parameter = ''.join(checks.check_similarities(_)) value = re.findall(r'=(.*)', parameter) value = ''.join(value) if checks.is_empty(multi_parameters, http_request_method): return parameter else: # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(parameter): return parameter if re.search(settings.VALUE_BOUNDARIES, value): value = checks.value_boundaries(value) # Replace the value of parameter with INJECT_HERE tag inject_value = value.replace(value, settings.INJECT_TAG) if len(value) == 0: if settings.IS_JSON: parameter = parameter.replace( ":\"\"", ":\"" + settings.INJECT_TAG + "\"") else: parameter = parameter + settings.INJECT_TAG else: parameter = parameter.replace(value, inject_value) return parameter else: # Check if multiple parameters are supplied without the "INJECT_HERE" tag. if settings.IS_XML: all_params = multi_parameters else: all_params = settings.PARAMETER_DELIMITER.join(multi_parameters) # Check for similarity in provided parameter name and value. all_params = all_params.split(settings.PARAMETER_DELIMITER) all_params = checks.check_similarities(all_params) # Check if not defined the "INJECT_HERE" tag in parameter if settings.INJECT_TAG not in parameter: checks.is_empty(multi_parameters, http_request_method) for param in range(0, len(all_params)): if param == 0: if settings.IS_JSON: # old = re.findall(r'\:\"(.*)\"', all_params[param]) # old = ''.join(old) old = re.findall(r'\:(.*)', all_params[param]) old = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '', ''.join(old)) elif settings.IS_XML: old = re.findall(r'>(.*)</', all_params[param]) old = ''.join(old) else: old = re.findall(r'=(.*)', all_params[param]) old = ''.join(old) else: old = value # Grab the value of parameter. if settings.IS_JSON: # Grab the value of parameter. # value = re.findall(r'\:\"(.*)\"', all_params[param]) # value = ''.join(value) value = re.findall(r'\:(.*)', all_params[param]) value = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '', ''.join(value)) elif settings.IS_XML: value = re.findall(r'>(.*)</', all_params[param]) value = ''.join(value) else: value = re.findall(r'=(.*)', all_params[param]) value = ''.join(value) # Ignoring the anti-CSRF parameter(s). if checks.ignore_anticsrf_parameter(all_params[param]): continue if re.search(settings.VALUE_BOUNDARIES, value): value = checks.value_boundaries(value) # Replace the value of parameter with INJECT_HERE tag inject_value = value.replace(value, settings.INJECT_TAG) # Skip testing the parameter(s) with empty value(s). if menu.options.skip_empty: if len(value) == 0: if settings.IS_JSON: provided_value = re.findall( r'\:(.*)', all_params[param]) provided_value = re.sub( settings.IGNORE_SPECIAL_CHAR_REGEX, '', ''.join(value)) elif settings.IS_XML: provided_value = re.findall( r'>(.*)</', all_params[param]) provided_value = ''.join(provided_value) else: provided_value = re.findall( r'(.*)=', all_params[param]) provided_value = ''.join(provided_value) else: all_params[param] = all_params[param].replace( value, inject_value) all_params[param - 1] = all_params[param - 1].replace( inject_value, old) parameter = settings.PARAMETER_DELIMITER.join( all_params) parameters_list.append(parameter) parameter = parameters_list else: if len(value) == 0: if settings.IS_JSON: all_params[param] = all_params[param].replace( ":\"\"", ":\"" + settings.INJECT_TAG + "\"") elif settings.IS_XML: all_params[param] = all_params[param].replace( "></", ">" + settings.INJECT_TAG + "</") else: all_params[param] = all_params[ param] + settings.INJECT_TAG else: all_params[param] = all_params[param].replace( value, inject_value) # if settings.IS_JSON and not "\"" + settings.INJECT_TAG + "\"" in all_params[param]: # all_params[param] = all_params[param].replace(settings.INJECT_TAG, "\"" + settings.INJECT_TAG + "\"") all_params[param - 1] = all_params[param - 1].replace( inject_value, old) parameter = settings.PARAMETER_DELIMITER.join(all_params) parameters_list.append( parameter.replace(settings.RANDOM_TAG, "")) parameter = parameters_list else: for param in range(0, len(multi_parameters)): # Grab the value of parameter. if settings.IS_JSON: value = re.findall(r'\"(.*)\"', multi_parameters[param]) value = ''.join(value) if settings.IS_XML: value = re.findall(r'>(.*)</', all_params[param]) value = ''.join(value) else: value = re.findall(r'=(.*)', multi_parameters[param]) value = ''.join(value) parameter = settings.PARAMETER_DELIMITER.join(multi_parameters) return parameter
def do_check(request): # Check if defined any Host HTTP header. if menu.options.host and settings.HOST_INJECTION == None: requests.get(settings.HOST, menu.options.host) # Check if defined any User-Agent HTTP header. if menu.options.agent: requests.Request('GET', settings.USER_AGENT, menu.options.agent) # Check if defined any Referer HTTP header. if menu.options.referer and settings.REFERER_INJECTION == None: requests.get(settings.REFERER, menu.options.referer) # Check if defined any Cookie HTTP header. if menu.options.cookie and settings.COOKIE_INJECTION == False: requests.get(settings.COOKIE, menu.options.cookie) if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER): requests.Request('GET', settings.HTTP_ACCEPT_HEADER, settings.HTTP_ACCEPT_HEADER_VALUE) # Appends a fake HTTP header 'X-Forwarded-For' if settings.TAMPER_SCRIPTS["xforwardedfor"]: from src.core.tamper import xforwardedfor xforwardedfor.tamper(request) # Check if defined any HTTP Authentication credentials. # HTTP Authentication: Basic / Digest Access Authentication. if menu.options.auth_cred and menu.options.auth_type: try: settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type) if menu.options.auth_type == "basic": b64_string = base64.encodestring( menu.options.auth_cred).replace('\n', '') request.add_header("Authorization", "Basic " + b64_string + "") elif menu.options.auth_type == "digest": try: url = menu.options.url try: response = urllib.request.urlopen(url) except urllib.error.HTTPError or e: try: authline = e.headers.get('www-authenticate', '') authobj = re.match('''(\w*)\s+realm=(.*),''', authline).groups() realm = authobj[1].split(',')[0].replace("\"", "") user_pass_pair = menu.options.auth_cred.split(":") username = user_pass_pair[0] password = user_pass_pair[1] authhandler = urllib.request.HTTPDigestAuthHandler( ) authhandler.add_password(realm, url, username, password) opener = urllib.request.build_opener(authhandler) urllib.request.install_opener(opener) result = urllib.request.urlopen(url) except AttributeError: pass except urllib.error.HTTPError or e: pass except ValueError: err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'." err_msg += " Try basic or digest HTTP authentication type." print((settings.print_critical_msg(err_msg))) raise sys.exit() else: pass # The MIME media type for JSON. if settings.IS_JSON: request.add_header("Content-Type", "application/json") # Check if defined any extra HTTP headers. if menu.options.headers or menu.options.header: # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. if menu.options.headers: menu.options.headers = checks.wildcard_character( menu.options.headers) extra_headers = menu.options.headers else: menu.options.header = checks.wildcard_character( menu.options.header) extra_headers = menu.options.header extra_headers = extra_headers.replace(":", ": ") if ": //" in extra_headers: extra_headers = extra_headers.replace(": //", "://") if "\\n" in extra_headers: extra_headers = extra_headers.split("\\n") # Remove empty strings extra_headers = [x for x in extra_headers if x] if menu.options.header and not menu.options.headers and len( extra_headers) > 1: warn_msg = "Swithing '--header' to '--headers' " warn_msg += "due to multiple extra HTTP headers." print((settings.print_warning_msg(warn_msg))) else: tmp_extra_header = [] tmp_extra_header.append(extra_headers) extra_headers = tmp_extra_header for extra_header in extra_headers: # Extra HTTP Header name http_header_name = re.findall(r"(.*): ", extra_header) http_header_name = ''.join(http_header_name).strip() # Extra HTTP Header value http_header_value = re.findall(r":(.*)", extra_header) http_header_value = ''.join(http_header_value).strip() # Check if it is a custom header injection. if settings.CUSTOM_HEADER_INJECTION == False and \ settings.INJECT_TAG in http_header_value: settings.CUSTOM_HEADER_INJECTION = True settings.CUSTOM_HEADER_NAME = http_header_name request.add_header(http_header_name, http_header_value)
def do_check(request): # Check if defined any HTTP Host header. if menu.options.host: request.add_header('Host', menu.options.host) # Check if defined any HTTP User-Agent header. if menu.options.agent: request.add_header('User-Agent', menu.options.agent) # Check if defined any HTTP Referer header. if menu.options.referer and settings.REFERER_INJECTION == False: request.add_header('Referer', menu.options.referer) # Check if defined any HTTP Cookie header. if menu.options.cookie and settings.COOKIE_INJECTION == False: request.add_header('Cookie', menu.options.cookie) # Check if defined any HTTP Authentication credentials. # HTTP Authentication: Basic / Digest Access Authentication. if not menu.options.ignore_401: if menu.options.auth_cred and menu.options.auth_type: try: settings.SUPPORTED_HTTP_AUTH_TYPES.index( menu.options.auth_type) if menu.options.auth_type == "basic": b64_string = base64.encodestring( menu.options.auth_cred).replace('\n', '') request.add_header("Authorization", "Basic " + b64_string + "") elif menu.options.auth_type == "digest": try: url = menu.options.url try: response = urllib2.urlopen(url) except urllib2.HTTPError, e: try: authline = e.headers.get( 'www-authenticate', '') authobj = re.match('''(\w*)\s+realm=(.*),''', authline).groups() realm = authobj[1].split(',')[0].replace( "\"", "") user_pass_pair = menu.options.auth_cred.split( ":") username = user_pass_pair[0] password = user_pass_pair[1] authhandler = urllib2.HTTPDigestAuthHandler() authhandler.add_password( realm, url, username, password) opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) result = urllib2.urlopen(url) except AttributeError: pass except urllib2.HTTPError, e: pass except ValueError: err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'." err_msg += " Try basic or digest HTTP authentication type." print settings.print_critical_msg(err_msg) sys.exit(0) else: pass # The MIME media type for JSON. if settings.IS_JSON: request.add_header("Content-Type", "application/json") # Check if defined any extra HTTP headers. if menu.options.headers: # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. menu.options.headers = checks.wildcard_character(menu.options.headers) extra_headers = menu.options.headers extra_headers = extra_headers.split(":") extra_headers = ':'.join(extra_headers) extra_headers = extra_headers.split("\\n") # Remove empty strings extra_headers = [x for x in extra_headers if x] for extra_header in extra_headers: # Extra HTTP Header name http_header_name = re.findall(r"(.*):", extra_header) http_header_name = ''.join(http_header_name) # Extra HTTP Header value http_header_value = re.findall(r":(.*)", extra_header) http_header_value = ''.join(http_header_value) # Check if it is a custom header injection. if settings.CUSTOM_HEADER_INJECTION == False and \ settings.INJECT_TAG in http_header_value: settings.CUSTOM_HEADER_INJECTION = True settings.CUSTOM_HEADER_NAME = http_header_name request.add_header(http_header_name, http_header_value)
def do_check(request): # Check if defined any Host HTTP header. if menu.options.host and settings.HOST_INJECTION == None: request.add_header(settings.HOST, menu.options.host) # Check if defined any User-Agent HTTP header. if menu.options.agent: request.add_header(settings.USER_AGENT, menu.options.agent) # Check if defined any Referer HTTP header. if menu.options.referer and settings.REFERER_INJECTION == None: request.add_header(settings.REFERER, menu.options.referer) # Check if defined any Cookie HTTP header. if menu.options.cookie and settings.COOKIE_INJECTION == False: request.add_header(settings.COOKIE, menu.options.cookie) if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER): request.add_header(settings.HTTP_ACCEPT_HEADER, settings.HTTP_ACCEPT_HEADER_VALUE) # The MIME media type for JSON. if menu.options.data: if re.search(settings.JSON_RECOGNITION_REGEX, menu.options.data) or \ re.search(settings.JSON_LIKE_RECOGNITION_REGEX, menu.options.data): request.add_header("Content-Type", "application/json") # Appends a fake HTTP header 'X-Forwarded-For' if settings.TAMPER_SCRIPTS["xforwardedfor"]: from src.core.tamper import xforwardedfor xforwardedfor.tamper(request) # Default value for "Accept-Encoding" HTTP header request.add_header('Accept-Encoding', settings.HTTP_ACCEPT_ENCODING_HEADER_VALUE) # Check if defined any HTTP Authentication credentials. # HTTP Authentication: Basic / Digest Access Authentication. if menu.options.auth_cred and menu.options.auth_type: try: settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type) if menu.options.auth_type == "basic": b64_string = encodebytes(menu.options.auth_cred.encode(settings.UNICODE_ENCODING)).decode().replace('\n', '') request.add_header("Authorization", "Basic " + b64_string + "") elif menu.options.auth_type == "digest": try: url = menu.options.url try: response = _urllib.request.urlopen(url, timeout=settings.TIMEOUT) except _urllib.error.HTTPError as e: try: authline = e.headers.get('www-authenticate', '') authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups() realm = authobj[1].split(',')[0].replace("\"","") user_pass_pair = menu.options.auth_cred.split(":") username = user_pass_pair[0] password = user_pass_pair[1] authhandler = _urllib.request.HTTPDigestAuthHandler() authhandler.add_password(realm, url, username, password) opener = _urllib.request.build_opener(authhandler) _urllib.request.install_opener(opener) result = _urllib.request.urlopen(url, timeout=settings.TIMEOUT) except AttributeError: pass except _urllib.error.HTTPError as e: pass except ValueError: err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'." err_msg += " Try basic or digest HTTP authentication type." print(settings.print_critical_msg(err_msg)) raise SystemExit() else: pass # Check if defined any extra HTTP headers. if menu.options.headers or menu.options.header or len(settings.RAW_HTTP_HEADERS) >= 1: if len(settings.RAW_HTTP_HEADERS) >= 1: menu.options.headers = settings.RAW_HTTP_HEADERS # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided. if menu.options.headers: menu.options.headers = checks.wildcard_character(menu.options.headers) extra_headers = menu.options.headers else: menu.options.header = checks.wildcard_character(menu.options.header) extra_headers = menu.options.header extra_headers = extra_headers.replace(":",": ") if ": //" in extra_headers: extra_headers = extra_headers.replace(": //" ,"://") if "\\n" in extra_headers: extra_headers = extra_headers.split("\\n") # Remove empty strings and "Content-Length" extra_headers = [x for x in extra_headers if "Content-Length" not in x] else: tmp_extra_header = [] tmp_extra_header.append(extra_headers) extra_headers = tmp_extra_header # Remove empty strings extra_headers = [x for x in extra_headers if x] for extra_header in extra_headers: try: # Extra HTTP Header name http_header_name = extra_header.split(':', 1)[0] http_header_name = ''.join(http_header_name).strip() # Extra HTTP Header value http_header_value = extra_header.split(':', 1)[1] http_header_value = ''.join(http_header_value).strip().replace(": ",":") # Check if it is a custom header injection. if settings.CUSTOM_HEADER_INJECTION == False and \ settings.INJECT_TAG in http_header_value: settings.CUSTOM_HEADER_INJECTION = True settings.CUSTOM_HEADER_NAME = http_header_name # Add HTTP Header name / value to the HTTP request if http_header_name not in [settings.HOST, settings.USER_AGENT, settings.REFERER, settings.COOKIE]: request.add_header(http_header_name.encode(settings.UNICODE_ENCODING), http_header_value.encode(settings.UNICODE_ENCODING)) except: pass # eof