コード例 #1
    def run(self, url, method, headers=None, payload=None):
        """Run every registered injector against one request description.

        Sets ``SelfThread.exit_flag`` to False, wraps the arguments in a
        ``RequestInfo``, builds one settings entry per injection location
        (headers, payloads, parameters) and hands the result to each class
        listed in ``InjectorBase.injectors``.
        """
        SelfThread.exit_flag = False
        # NOTE(review): the raw header mapping goes to the debug log; if a
        # caller passes Authorization or Cookie values they are written there.
        Log.debug(headers)
        request_info = RequestInfo(url, method, headers, payload)
        request_obj = Requests(IP=request_info.hostname, Port=request_info.port)

        # NOTE(review): eval() executes whatever expression the config value
        # holds, so anyone who can edit the config can run code in this
        # process. These look like boolean switches; an explicit boolean
        # parse or ast.literal_eval would avoid that -- confirm the accepted
        # config syntax before changing it.
        header_settings = {
            'enabled': eval(DefaultConfig.get_value('System', 'InjectHeaders')),
            'inject_point_list': request_info.get_header_inject_point(),
            'replace': request_info.header_replace,
        }
        payload_settings = {
            'enabled': eval(DefaultConfig.get_value('System', 'InjectPayloads')),
            'inject_point_list': request_info.get_payload_inject_point(),
            'replace': request_info.payload_replace,
        }
        parameter_settings = {
            'enabled': eval(DefaultConfig.get_value('System', 'InjectParameters')),
            'inject_point_list': request_info.get_parameter_inject_point(),
            # Attribute spelling kept exactly as this method has always
            # referenced it; presumably it matches RequestInfo -- verify.
            'replace': request_info.parameter_relpace,
        }
        inject_config = {
            'Headers': header_settings,
            'Payloads': payload_settings,
            'Parameters': parameter_settings,
        }

        # Each injector class is instantiated per run and given the same
        # settings mapping.
        for injector_cls in InjectorBase.injectors:
            injector_cls(request_obj, request_info).do_injection(inject_config)
        Log.report('Finish Command Injection Scan.')
コード例 #2
 def gen_calculate_cmd(self, separator, TAG, num1, num2):
     """Return the echo string that embeds the sum of num1 and num2.

     The 'Classic'/'UseBackticks' config value selects the arithmetic
     form: a backtick ``expr`` call when it evaluates true, otherwise a
     ``$(( ))`` expansion. In both forms the string starts with
     ``separator`` and the arithmetic is surrounded by ``TAG`` markers.
     """
     # NOTE(review): eval() runs the config string as Python code; the
     # value looks like a boolean switch, so an explicit boolean parse
     # would be safer -- confirm the accepted config syntax.
     backticks_enabled = eval(DefaultConfig.get_value('Classic',
                                                      'UseBackticks'))
     left = str(num1)
     right = str(num2)
     if not backticks_enabled:
         arithmetic = "$((" + left + "+" + right + "))"
         template = "{separator}echo {tag}$(echo {cmd}{tag}){tag}"
     else:  # using `
         arithmetic = "`expr " + left + " + " + right + "`"
         template = "{separator}echo {tag}{cmd}{tag}{tag}"
     return template.format(separator=separator, tag=TAG, cmd=arithmetic)
コード例 #3
    def decision(self, inject_key):
        """Test ``inject_key`` with every separator and record each attempt.

        For each entry of ``self.SEPARATORS`` a fresh six-letter tag and a
        file path are built, then one request is sent per value of
        ``length``. The ``res_time`` field of the response is what
        ``is_inject_success`` judges. There is no early exit: every
        separator/length combination is sent, and every attempt is passed
        to ``record_traffic_logs`` with its outcome.
        """
        for separator in self.SEPARATORS:
            # Folder prefix from the 'TempfileBased' config section. It is
            # concatenated directly with the tag below, so it presumably has
            # to end with a path separator -- confirm against the config.
            temp_path = DefaultConfig.get_value('TempfileBased', 'TmpFolder')
            # change the tag for each separator to reduce false positives
            self.tag = ''.join(
                random.choice(string.ascii_uppercase) for i in range(6))
            tag_length = len(
                self.tag) + 4  # need to figure out why commix does this
            file = temp_path + self.tag + '.txt'
            for length in xrange(tag_length):
                # check exit flag
                SelfThread.is_exit()
                # Throttle: wait the configured delay before every request.
                # NOTE(review): eval() runs the config string as Python code;
                # a numeric parse would be the safer way to read a delay --
                # confirm the config only ever holds a number here.
                time.sleep(
                    eval(DefaultConfig.get_value('System', 'RequestDelay')))

                Log.debug(
                    'Start to test with separator: %s, TAG: %s, length: %d, file: %s',
                    separator, self.tag, length, file)
                cmd = self.gen_cmd_for_separator(separator, self.tag, length,
                                                 self.time_sec, file)
                # The return value is not used afterwards; presumably
                # replace_func updates self.request_info in place -- verify.
                sent_data = self.replace_func(inject_key, cmd)
                # Metadata stored with the traffic log for this attempt. The
                # 'seperator' key spelling is runtime data; any log consumer
                # would need to change with it.
                inject_info = {
                    'target': self.current_part,
                    'inject_method': self.__class__.__name__,
                    'inject_key': inject_key,
                    'seperator': separator,
                    'tag': self.tag,
                    'command': cmd
                }
                response_info = self.request_obj.serverRestAPI(
                    self.request_info)
                # Only the response time is examined to decide the outcome.
                if self.is_inject_success(response_info['res_time']):
                    inject_result = True
                    self.find_injectable(inject_key, cmd,
                                         response_info['res_time'])
                else:
                    inject_result = False
                # NOTE(review): the request record and the response are both
                # logged; presumably that includes headers and bodies, so the
                # traffic log should be treated as sensitive -- confirm.
                self.record_traffic_logs(self.request_info.get_record(),
                                         inject_info, response_info,
                                         inject_result)
コード例 #4
 def decision(self, inject_key):
     """Test ``inject_key`` with every separator and record each attempt.

     Six requests are sent per entry of ``self.SEPARATORS``, each with a
     newly generated six-letter tag and an output file named after it.
     ``is_inject_success`` receives the whole response mapping. There is
     no early exit: all attempts are sent, and each one is passed to
     ``record_traffic_logs`` with its outcome.
     """
     for separator in self.SEPARATORS:
         # 'length' only appears in the debug message below; the loop
         # repeats the attempt six times, each with a new tag.
         for length in xrange(6):
             # check exit flag
             SelfThread.is_exit()
             # Throttle: wait the configured delay before every request.
             # NOTE(review): eval() runs the config string as Python code;
             # a numeric parse would be the safer way to read a delay --
             # confirm the config only ever holds a number here.
             time.sleep(
                 eval(DefaultConfig.get_value('System', 'RequestDelay')))
             # change the tag each round to reduce false positives
             self.tag = ''.join(
                 random.choice(string.ascii_uppercase) for i in range(6))
             Log.debug(
                 'Start to test with separator: %s, TAG: %s, length: %d',
                 separator, self.tag, length)
             # Path value from the 'FileBased' config section, passed to
             # gen_file_cmd together with the output file name.
             target_server_root = DefaultConfig.get_value(
                 'FileBased', 'ServerRootPath')
             output_file = self.tag + '.txt'
             cmd = self.gen_file_cmd(separator, self.tag,
                                     target_server_root, output_file)
             # The return value is not used afterwards; presumably
             # replace_func updates self.request_info in place -- verify.
             sent_data = self.replace_func(inject_key, cmd)
             # Metadata stored with the traffic log for this attempt. The
             # 'seperator' key spelling is runtime data; any log consumer
             # would need to change with it.
             inject_info = {
                 'target': self.current_part,
                 'inject_method': self.__class__.__name__,
                 'inject_key': inject_key,
                 'seperator': separator,
                 'tag': self.tag,
                 'command': cmd
             }
             response_info = self.request_obj.serverRestAPI(
                 self.request_info)
             if self.is_inject_success(response_info):
                 inject_result = True
                 self.find_injectable(inject_key, cmd,
                                      response_info['res_body'])
             else:
                 inject_result = False
             # NOTE(review): the request record and the response are both
             # logged; presumably that includes headers and bodies, so the
             # traffic log should be treated as sensitive -- confirm.
             self.record_traffic_logs(self.request_info.get_record(),
                                      inject_info, response_info,
                                      inject_result)