def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen( menu.options.auth_url).read(): print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION \ and not settings.USER_AGENT_INJECTION \ and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = parameters.specify_cookie_parameter( menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" settings.HTTP_HEADER = header_name[1:].replace("-", "").lower() check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = "" the_type = " HTTP header " if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check for session file if not menu.options.ignore_session: if os.path.isfile(settings.SESSION_FILE): if not menu.options.tech: menu.options.tech = session_handler.applied_techniques( url, http_request_method) if session_handler.check_stored_parameter(url, http_request_method): settings.LOAD_SESSION = True if menu.options.flush_session: session_handler.flush(url) if len(check_parameter) != 0: check_parameter = " '" + check_parameter + "'" print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time( url, http_request_method, delay) # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True else: classic_state = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech: if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: file_based_state = False if classic_state == eval_based_state == time_based_state == file_based_state == False: info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." if not menu.options.alter_shell: info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL sys.exit(0)
def do_check(url, filename): check_http_headers = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read(): print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET. if not menu.options.data: # Enable Cookie Injection if menu.options.cookie and menu.options.level > 1: settings.COOKIE_INJECTION = True http_request_method = "GET" # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2 : check_parameter = "" stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) # Enable Cookie Injection if menu.options.cookie: settings.COOKIE_INJECTION = True if not settings.COOKIE_INJECTION: found_url = parameters.do_GET_check(url) if found_url != False: for i in range(0, len(found_url)): url = found_url[i] check_parameter = parameters.vuln_GET_param(url) # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: # Check for session file if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) else: if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) if not settings.LOAD_SESSION : for i in range(0, len(found_url)): url = found_url[i] check_parameter = parameters.vuln_GET_param(url) # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: injection_proccess(url, check_parameter, http_request_method, filename, delay) else: injection_proccess(url, check_parameter, http_request_method, filename, delay) # Check if HTTP Method is POST. else: http_request_method = "POST" # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2 : check_parameter = "" stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) # Check if HTTP Method is POST. parameter = menu.options.data found_parameter = parameters.do_POST_check(parameter) # Remove whitespaces # Check if singe entry parameter if type(found_parameter) is str: found_parameter_list = [] found_parameter_list.append(found_parameter) found_parameter = found_parameter_list # Remove whitespaces found_parameter = [x.replace(" ", "") for x in found_parameter] # Check if multiple parameters for i in range(0, len(found_parameter)): parameter = menu.options.data = found_parameter[i] check_parameter = parameters.vuln_POST_param(parameter, url) if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: # Check for session file if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) else: if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) if not settings.LOAD_SESSION : for i in range(0, len(found_parameter)): parameter = menu.options.data = found_parameter[i] check_parameter = parameters.vuln_POST_param(parameter, url) # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: injection_proccess(url, check_parameter, http_request_method, filename, delay) else: injection_proccess(url, check_parameter, http_request_method, filename, delay) # Enable Cookie Injection if menu.options.cookie and menu.options.level > 1: settings.COOKIE_INJECTION = True # Cookie Injection if settings.COOKIE_INJECTION == True: cookie_value = menu.options.cookie # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2 : check_parameter = "" stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) header_name = " Cookie" settings.HTTP_HEADER = header_name[1:].lower() cookie_parameters = parameters.do_cookie_check(menu.options.cookie) if type(cookie_parameters) is str: cookie_parameters_list = [] cookie_parameters_list.append(cookie_parameters) cookie_parameters = cookie_parameters_list # Remove whitespaces cookie_parameters = [x.replace(" ", "") for x in cookie_parameters] for i in range(0, len(cookie_parameters)): menu.options.cookie = cookie_parameters[i] check_parameter = parameters.specify_cookie_parameter(menu.options.cookie) if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: # Check for session file if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) else: if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) if not settings.LOAD_SESSION : for i in range(0, len(cookie_parameters)): menu.options.cookie = cookie_parameters[i] check_parameter = parameters.specify_cookie_parameter(menu.options.cookie) if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: injection_proccess(url, check_parameter, http_request_method, filename, delay) else: injection_proccess(url, check_parameter, http_request_method, filename, delay) if settings.COOKIE_INJECTION == True: # Restore cookie value menu.options.cookie = cookie_value # Disable cookie injection settings.COOKIE_INJECTION = False # Custom header Injection if settings.CUSTOM_HEADER_INJECTION == True: check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME settings.HTTP_HEADER = header_name[1:].lower() check_for_stored_sessions(url, http_request_method) injection_proccess(url, check_parameter, http_request_method, filename, delay) # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2 : check_parameter = "" check_http_headers = True stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False : info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable." if not menu.options.alter_shell : info_msg += " Try to use the option '--alter-shell'" else: info_msg += " Try to remove the option '--alter-shell'" if menu.options.level < 3 : info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)" info_msg += "." print Back.RED + info_msg + Style.RESET_ALL sys.exit(0) #eof
def perform_checks(url, filename): def basic_level_checks(): settings.PERFORM_BASIC_SCANS = False # Check if HTTP Method is GET. if not menu.options.data: get_request(url, http_request_method, filename, timesec) # Check if HTTP Method is POST. else: post_request(url, http_request_method, filename, timesec) timesec = settings.TIMESEC # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen( menu.options.auth_url).read(): err_msg = "It seems that the authentication procedure has failed." print settings.print_critical_msg(err_msg) sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: err_msg = "You must specify both login panel URL and login parameters." print settings.print_critical_msg(err_msg) sys.exit(0) else: pass # Check if HTTP Method is GET. if not menu.options.data: http_request_method = "GET" else: http_request_method = "POST" if menu.options.shellshock: menu.options.level = settings.HTTP_HEADER_INJECTION_LEVEL else: check_for_stored_levels(url, http_request_method) if settings.PERFORM_BASIC_SCANS: basic_level_checks() # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level >= settings.HTTP_HEADER_INJECTION_LEVEL: if settings.INJECTED_HTTP_HEADER == False: check_parameter = "" stored_http_header_injection(url, check_parameter, http_request_method, filename, timesec) else: # Enable Cookie Injection if menu.options.level > settings.DEFAULT_INJECTION_LEVEL: if menu.options.cookie: cookie_injection(url, http_request_method, filename, timesec) else: warn_msg = "The HTTP Cookie header is not provided, " warn_msg += "so this test is going to be skipped." print settings.print_warning_msg(warn_msg) else: # Custom header Injection if settings.CUSTOM_HEADER_INJECTION == True: check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME settings.HTTP_HEADER = header_name[1:].lower() check_for_stored_sessions(url, http_request_method) injection_proccess(url, check_parameter, http_request_method, filename, timesec) settings.CUSTOM_HEADER_INJECTION = None if settings.INJECTION_CHECKER == False: return False else: return True
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read(): print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION \ and not settings.USER_AGENT_INJECTION \ and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = parameters.specify_cookie_parameter(menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" settings.HTTP_HEADER = header_name[1:].replace("-","").lower() check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = "" the_type = " HTTP header " if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check for session file if not menu.options.ignore_session: if os.path.isfile(settings.SESSION_FILE): if not menu.options.tech: menu.options.tech = session_handler.applied_techniques(url, http_request_method) if session_handler.check_stored_parameter(url, http_request_method): settings.LOAD_SESSION = True if menu.options.flush_session: session_handler.flush(url) if len(check_parameter) != 0 : check_parameter = " '" + check_parameter + "'" print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay) # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True else: classic_state = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech: if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: file_based_state = False if classic_state == eval_based_state == time_based_state == file_based_state == False : info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." if not menu.options.alter_shell : info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL sys.exit(0)
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read(): print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION and not settings.USER_AGENT_INJECTION and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" check_parameter = parameters.specify_cookie_parameter(menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" check_parameter = "" the_type = " HTTP header " else: pass if len(check_parameter) != 0: check_parameter = " '" + check_parameter + "'" print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay) # Check all injection techniques if not menu.options.tech: # Check if it is vulnerable to classic command injection technique. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True # Check if it is vulnerable to eval-based command injection technique. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True # Check if it is vulnerable to time-based blind command injection technique. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True # Check if it is vulnerable to file-based semiblind command injection technique. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: # Check if it is vulnerable to classic command injection technique. if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech: # Check if classic results-based command injection technique succeeds. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True elif menu.options.tech == "classic": cb_handler.exploitation(url, delay, filename, http_request_method) else: classic_state = False # Check if it is vulnerable to eval-based command injection technique. if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech: # Check if eval-based command injection technique succeeds. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True elif menu.options.tech == "eval-based": eb_handler.exploitation(url, delay, filename, http_request_method) else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech: # Check if time-based blind command injection technique succeeds. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True elif menu.options.tech == "time-based": tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech: # Check if file-based semiblind command injection technique succeeds. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True elif menu.options.tech == "file-based": fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: file_based_state = False if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False: info_msg = ( "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." ) if not menu.options.alter_shell: info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL # else: # print "" sys.exit(0)
def do_check(url, filename): check_http_headers = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen( menu.options.auth_url).read(): print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET. if not menu.options.data: # Enable Cookie Injection if menu.options.cookie and menu.options.level > 1: settings.COOKIE_INJECTION = True http_request_method = "GET" # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2: check_parameter = "" stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) # Enable Cookie Injection if menu.options.cookie: settings.COOKIE_INJECTION = True if not settings.COOKIE_INJECTION: found_url = parameters.do_GET_check(url) if found_url != False: for i in range(0, len(found_url)): url = found_url[i] check_parameter = parameters.vuln_GET_param(url) # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: # Check for session file if check_for_stored_sessions( url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) else: if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) if not settings.LOAD_SESSION: for i in range(0, len(found_url)): url = found_url[i] check_parameter = parameters.vuln_GET_param(url) # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: injection_proccess(url, check_parameter, http_request_method, filename, delay) else: injection_proccess(url, check_parameter, http_request_method, filename, delay) # Check if HTTP Method is POST. else: http_request_method = "POST" # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2: check_parameter = "" stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) # Check if HTTP Method is POST. parameter = menu.options.data found_parameter = parameters.do_POST_check(parameter) # Remove whitespaces # Check if singe entry parameter if type(found_parameter) is str: found_parameter_list = [] found_parameter_list.append(found_parameter) found_parameter = found_parameter_list # Remove whitespaces found_parameter = [x.replace(" ", "") for x in found_parameter] # Check if multiple parameters for i in range(0, len(found_parameter)): parameter = menu.options.data = found_parameter[i] check_parameter = parameters.vuln_POST_param(parameter, url) if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: # Check for session file if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) else: if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) if not settings.LOAD_SESSION: for i in range(0, len(found_parameter)): parameter = menu.options.data = found_parameter[i] check_parameter = parameters.vuln_POST_param(parameter, url) # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: injection_proccess(url, check_parameter, http_request_method, filename, delay) else: injection_proccess(url, check_parameter, http_request_method, filename, delay) # Enable Cookie Injection if menu.options.cookie and menu.options.level > 1: settings.COOKIE_INJECTION = True # Cookie Injection if settings.COOKIE_INJECTION == True: cookie_value = menu.options.cookie # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2: check_parameter = "" stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) header_name = " Cookie" settings.HTTP_HEADER = header_name[1:].lower() cookie_parameters = parameters.do_cookie_check(menu.options.cookie) if type(cookie_parameters) is str: cookie_parameters_list = [] cookie_parameters_list.append(cookie_parameters) cookie_parameters = cookie_parameters_list # Remove whitespaces cookie_parameters = [x.replace(" ", "") for x in cookie_parameters] for i in range(0, len(cookie_parameters)): menu.options.cookie = cookie_parameters[i] check_parameter = parameters.specify_cookie_parameter( menu.options.cookie) if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: # Check for session file if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) else: if check_for_stored_sessions(url, http_request_method): injection_proccess(url, check_parameter, http_request_method, filename, delay) if not settings.LOAD_SESSION: for i in range(0, len(cookie_parameters)): menu.options.cookie = cookie_parameters[i] check_parameter = parameters.specify_cookie_parameter( menu.options.cookie) if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check if testable parameter(s) are provided if len(settings.TEST_PARAMETER) > 0: if check_parameter in settings.TEST_PARAMETER: injection_proccess(url, check_parameter, http_request_method, filename, delay) else: injection_proccess(url, check_parameter, http_request_method, filename, delay) if settings.COOKIE_INJECTION == True: # Restore cookie value menu.options.cookie = cookie_value # Disable cookie injection settings.COOKIE_INJECTION = False # Custom header Injection if settings.CUSTOM_HEADER_INJECTION == True: check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME settings.HTTP_HEADER = header_name[1:].lower() check_for_stored_sessions(url, http_request_method) injection_proccess(url, check_parameter, http_request_method, filename, delay) # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level > 2: check_parameter = "" check_http_headers = True stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay) # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False: info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable." if not menu.options.alter_shell: info_msg += " Try to use the option '--alter-shell'" else: info_msg += " Try to remove the option '--alter-shell'" if menu.options.level < 3: info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)" info_msg += "." print Back.RED + info_msg + Style.RESET_ALL sys.exit(0) #eof
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen( menu.options.auth_url).read(): print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION \ and not settings.USER_AGENT_INJECTION \ and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" check_parameter = parameters.specify_cookie_parameter( menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" check_parameter = "" the_type = " HTTP header " else: pass if len(check_parameter) != 0: check_parameter = " '" + check_parameter + "'" print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time( url, http_request_method, delay) # Check all injection techniques if not menu.options.tech: # Check if it is vulnerable to classic command injection technique. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True # Check if it is vulnerable to eval-based command injection technique. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True # Check if it is vulnerable to time-based blind command injection technique. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True # Check if it is vulnerable to file-based semiblind command injection technique. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: # Check if it is vulnerable to classic command injection technique. if "classic" in menu.options.tech or len( menu.options.tech) <= 4 and "c" in menu.options.tech: # Check if classic results-based command injection technique succeeds. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True elif menu.options.tech == "classic": cb_handler.exploitation(url, delay, filename, http_request_method) else: classic_state = False # Check if it is vulnerable to eval-based command injection technique. if "eval-based" in menu.options.tech or len( menu.options.tech) <= 4 and "e" in menu.options.tech: # Check if eval-based command injection technique succeeds. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True elif menu.options.tech == "eval-based": eb_handler.exploitation(url, delay, filename, http_request_method) else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if "time-based" in menu.options.tech or len( menu.options.tech) <= 4 and "t" in menu.options.tech: # Check if time-based blind command injection technique succeeds. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True elif menu.options.tech == "time-based": tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if "file-based" in menu.options.tech or len( menu.options.tech) <= 4 and "f" in menu.options.tech: # Check if file-based semiblind command injection technique succeeds. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True elif menu.options.tech == "file-based": fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: file_based_state = False if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False: info_msg = "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." if not menu.options.alter_shell: info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL # else: # print "" sys.exit(0)
def perform_checks(url, filename): # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen( menu.options.auth_url).read(): err_msg = "It seems that the authentication procedure has failed." print settings.print_critical_msg(err_msg) sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: err_msg = "You must specify both login panel URL and login parameters." print settings.print_critical_msg(err_msg) sys.exit(0) else: pass # Check if HTTP Method is GET. if not menu.options.data: http_request_method = "GET" else: http_request_method = "POST" # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level >= 3: if settings.INJECTED_HTTP_HEADER == False: check_parameter = "" stored_http_header_injection(url, check_parameter, http_request_method, filename, delay) else: # Enable Cookie Injection if menu.options.cookie and menu.options.level > 1: cookie_injection(url, http_request_method, filename, delay) else: # Custom header Injection if settings.CUSTOM_HEADER_INJECTION == True: check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME settings.HTTP_HEADER = header_name[1:].lower() check_for_stored_sessions(url, http_request_method) injection_proccess(url, check_parameter, http_request_method, filename, delay) settings.CUSTOM_HEADER_INJECTION = None # Check if HTTP Method is GET. if not menu.options.data: get_request(url, http_request_method, filename, delay) # Check if HTTP Method is POST. else: post_request(url, http_request_method, filename, delay) if settings.INJECTION_CHECKER == False: return False else: return True
def perform_checks(url, filename): # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read(): err_msg = "It seems that the authentication procedure has failed." print settings.print_critical_msg(err_msg) sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: err_msg = "You must specify both login panel URL and login parameters." print settings.print_critical_msg(err_msg) sys.exit(0) else: pass # Check if HTTP Method is GET. if not menu.options.data: http_request_method = "GET" else: http_request_method = "POST" # Check for stored injections on User-agent / Referer headers (if level > 2). if menu.options.level >= 3: if settings.INJECTED_HTTP_HEADER == False : check_parameter = "" stored_http_header_injection(url, check_parameter, http_request_method, filename, delay) else: # Enable Cookie Injection if menu.options.cookie and menu.options.level > 1: cookie_injection(url, http_request_method, filename, delay) else: # Custom header Injection if settings.CUSTOM_HEADER_INJECTION == True: check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME settings.HTTP_HEADER = header_name[1:].lower() check_for_stored_sessions(url, http_request_method) injection_proccess(url, check_parameter, http_request_method, filename, delay) settings.CUSTOM_HEADER_INJECTION = None # Check if HTTP Method is GET. if not menu.options.data: get_request(url, http_request_method, filename, delay) # Check if HTTP Method is POST. else: post_request(url, http_request_method, filename, delay) if settings.INJECTION_CHECKER == False: return False else: return True
def perform_checks(url, http_request_method, filename): def basic_level_checks(): if not menu.options.bulkfile: settings.PERFORM_BASIC_SCANS = False else: settings.PERFORM_BASIC_SCANS = True settings.SKIP_CODE_INJECTIONS = False settings.SKIP_COMMAND_INJECTIONS = False settings.IDENTIFIED_WARNINGS = False settings.IDENTIFIED_PHPINFO = False # Check if HTTP Method is GET. if http_request_method != settings.HTTPMETHOD.POST: get_request(url, http_request_method, filename, timesec) # Check if HTTP Method is POST. else: post_request(url, http_request_method, filename, timesec) timesec = settings.TIMESEC # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() try: # Check if authentication page is the same with the next (injection) URL if _urllib.request.urlopen(url, timeout=settings.TIMEOUT).read() == _urllib.request.urlopen(menu.options.auth_url, timeout=settings.TIMEOUT).read(): err_msg = "It seems that the authentication procedure has failed." print(settings.print_critical_msg(err_msg)) raise SystemExit() except (_urllib.error.URLError, _urllib.error.HTTPError) as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit() elif menu.options.auth_url or menu.options.auth_data: err_msg = "You must specify both login panel URL and login parameters." print(settings.print_critical_msg(err_msg)) raise SystemExit() else: pass if menu.options.shellshock: menu.options.level = settings.HTTP_HEADER_INJECTION_LEVEL else: check_for_stored_levels(url, http_request_method) if settings.PERFORM_BASIC_SCANS: basic_level_checks() # Check for stored injections on User-agent / Referer / Host HTTP headers (if level > 2). if menu.options.level >= settings.HTTP_HEADER_INJECTION_LEVEL: if settings.INJECTED_HTTP_HEADER == False : check_parameter = "" stored_http_header_injection(url, check_parameter, http_request_method, filename, timesec) else: # Enable Cookie Injection if menu.options.level > settings.DEFAULT_INJECTION_LEVEL: if menu.options.cookie: cookie_injection(url, http_request_method, filename, timesec) else: warn_msg = "The HTTP Cookie header is not provided, " warn_msg += "so this test is going to be skipped." print(settings.print_warning_msg(warn_msg)) else: # Custom header Injection if settings.CUSTOM_HEADER_INJECTION == True: check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME settings.HTTP_HEADER = header_name[1:].lower() check_for_stored_sessions(url, http_request_method) injection_proccess(url, check_parameter, http_request_method, filename, timesec) settings.CUSTOM_HEADER_INJECTION = None if settings.INJECTION_CHECKER == False: return False else: return True