예제 #1
0
def do_POST_check(parameter):
  http_request_method = "POST"
  # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
  parameter = checks.wildcard_character(parameter).replace("'","\"")
  # Check if JSON Object.
  if checks.is_JSON_check(parameter):
    if not settings.IS_JSON:
      checks.process_json_data()
      settings.PARAMETER_DELIMITER = ","
  # Check if XML Object.
  elif checks.is_XML_check(parameter): 
    if not settings.IS_XML:
      checks.process_xml_data()
      settings.PARAMETER_DELIMITER = ""
  else:
    pass
  parameters_list = []
  # Split multiple parameters
  if settings.IS_XML:
    _ = []
    parameters = re.findall(r'(.*)', parameter)
    parameters = [param + "\n" for param in parameters if param]
    for value in range(0,len(parameters)):
      _.append(parameters[value])
    multi_parameters = _
  else: 
    try:
      multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
      multi_parameters = [x for x in multi_parameters if x]
    except ValueError, err_msg:
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
예제 #2
0
def specify_cookie_parameter(cookie):

  # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
  cookie = checks.wildcard_character(cookie)
  
  # Specify the vulnerable cookie parameter
  if re.findall(r"" + settings.COOKIE_DELIMITER + "(.*)=" + settings.INJECT_TAG + "", cookie):
    inject_cookie = re.findall(r"" + settings.COOKIE_DELIMITER + "(.*)=" + settings.INJECT_TAG + "", cookie)
    inject_cookie = ''.join(inject_cookie)
    inject_cookie = re.sub(r"(.*)=(.*)" + settings.COOKIE_DELIMITER, "", inject_cookie)

  elif re.findall(r"(.*)=" + settings.INJECT_TAG + "", cookie):
    inject_cookie = re.findall(r"(.*)=" + settings.INJECT_TAG + "", cookie)
    inject_cookie = ''.join(inject_cookie)

  else:
    inject_cookie = cookie

  return inject_cookie 
예제 #3
0
def do_POST_check(parameter):

    # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
  parameter = checks.wildcard_character(parameter)

  # Check if valid JSON
  def is_JSON_check(parameter):
    try:
      json_object = json.loads(parameter)
      if re.search(settings.JSON_RECOGNITION_REGEX, parameter):
        if settings.VERBOSITY_LEVEL >= 1 and not settings.IS_JSON:
          success_msg = Style.BRIGHT + Style.UNDERLINE + "JSON data" 
          success_msg += Style.RESET_ALL + Style.BRIGHT
          success_msg += " found in POST data" 
          success_msg += Style.RESET_ALL + "."
          print settings.print_success_msg(success_msg)
    
    except ValueError, err_msg:
      if not "No JSON object could be decoded" in err_msg:
        err_msg = "JSON " + str(err_msg) + ". "
        print settings.print_error_msg(err_msg) + "\n"
        sys.exit(0)
      return False
    else:  
예제 #4
0
파일: headers.py 프로젝트: BMaChina/commix
def do_check(request):
  
  # Check if defined any HTTP Host header.
  if menu.options.host:
    request.add_header('Host', menu.options.host)

  # Check if defined any HTTP User-Agent header.
  if menu.options.agent:
    request.add_header('User-Agent', menu.options.agent)

  # Check if defined any HTTP Referer header.
  if menu.options.referer and settings.REFERER_INJECTION == False:
    request.add_header('Referer', menu.options.referer)
        
  # Check if defined any HTTP Cookie header.
  if menu.options.cookie and settings.COOKIE_INJECTION == False:
    request.add_header('Cookie', menu.options.cookie)

  # Check if defined any HTTP Authentication credentials.
  # HTTP Authentication: Basic / Digest Access Authentication.
  if not menu.options.ignore_401:
    if menu.options.auth_cred and menu.options.auth_type:
      try:
        settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
        if menu.options.auth_type == "basic":
          b64_string = base64.encodestring(menu.options.auth_cred).replace('\n', '')
          request.add_header("Authorization", "Basic " + b64_string + "")
        elif menu.options.auth_type == "digest":
          try:
            url = menu.options.url
            try:
              response = urllib2.urlopen(url)
            except urllib2.HTTPError, e:
              try:
                authline = e.headers.get('www-authenticate', '')  
                authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups()
                realm = authobj[1].split(',')[0].replace("\"","")
                user_pass_pair = menu.options.auth_cred.split(":")
                username = user_pass_pair[0]
                password = user_pass_pair[1]
                authhandler = urllib2.HTTPDigestAuthHandler()
                authhandler.add_password(realm, url, username, password)
                opener = urllib2.build_opener(authhandler)
                urllib2.install_opener(opener)
                result = urllib2.urlopen(url)
              except AttributeError:
                pass
          except urllib2.HTTPError, e:
            pass
      except ValueError:
        err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
        err_msg += " Try basic or digest HTTP authentication type."
        print settings.print_critical_msg(err_msg)
        sys.exit(0)   
    else:
      pass        
    
  # The MIME media type for JSON.
  if settings.IS_JSON:
    request.add_header("Content-Type", "application/json")

  # Check if defined any extra HTTP headers.
  if menu.options.headers:
    # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
    menu.options.headers = checks.wildcard_character(menu.options.headers)
    extra_headers = menu.options.headers
    extra_headers = extra_headers.split(":")
    extra_headers = ':'.join(extra_headers)
    extra_headers = extra_headers.split("\\n")
    # Remove empty strings
    extra_headers = [x for x in extra_headers if x]
    for extra_header in extra_headers:
      # Extra HTTP Header name 
      http_header_name = re.findall(r"(.*):", extra_header)
      http_header_name = ''.join(http_header_name)
      # Extra HTTP Header value
      http_header_value = re.findall(r":(.*)", extra_header)
      http_header_value = ''.join(http_header_value)
      # Check if it is a custom header injection.
      if settings.CUSTOM_HEADER_INJECTION == False and \
         settings.INJECT_TAG in http_header_value:
        settings.CUSTOM_HEADER_INJECTION = True
        settings.CUSTOM_HEADER_NAME = http_header_name
      request.add_header(http_header_name, http_header_value)
예제 #5
0
def do_GET_check(url):
  http_request_method = "GET"
  # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
  url = checks.wildcard_character(url)

  # Check for REST-ful URLs format. 
  if "?" not in url:
    if settings.INJECT_TAG not in url and not menu.options.shellshock:
      if menu.options.level == 3 or menu.options.headers:
        return False
      if menu.options.level == 2 :
        return False
      else: 
        err_msg = "No parameter(s) found for testing in the provided data. "
        err_msg += "You must specify the testable parameter or "
        err_msg += "try to increase '--level' values to perform more tests." 
        print settings.print_critical_msg(err_msg)
        raise SystemExit()
    elif menu.options.shellshock:
      return False
    return url

  else:
    urls_list = []
    if menu.options.shellshock:
      urls_list.append(url)
    else:
      # Find the host part
      url_part = get_url_part(url)
      # Find the parameter part
      parameters = url.split("?")[1]
      # Split parameters
      multi_parameters = parameters.split(settings.PARAMETER_DELIMITER)
      # Check for inappropriate format in provided parameter(s).
      if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)):
        checks.inappropriate_format(multi_parameters)
      # Check for empty values (in provided parameters).
      checks.is_empty(multi_parameters, http_request_method)
      # Grab the value of parameter.
      _ = []
      _.append(parameters)
      parameters = ''.join(checks.check_similarities(_))
      value = re.findall(r'=(.*)', parameters)
      value = ''.join(value)
      # Check if single parameter is supplied.
      if len(multi_parameters) == 1:
        # Replace the value of parameter with INJECT tag
        inject_value = value.replace(value, settings.INJECT_TAG)
        # Check if defined the INJECT_TAG
        if settings.INJECT_TAG not in parameters:
          # Ignoring the anti-CSRF parameter(s).
          if checks.ignore_anticsrf_parameter(parameters):
            return urls_list
          if len(value) == 0:
            parameters = parameters + settings.INJECT_TAG
          else:
            parameters = parameters.replace(value, inject_value) 
        else:
          # Auto-recognize prefix / suffix
          if settings.INJECT_TAG in value:
            if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0:
              menu.options.prefix = value.rsplit(settings.INJECT_TAG, 1)[0]
            if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0:
              menu.options.suffix = value.rsplit(settings.INJECT_TAG, 1)[1]
          parameters = parameters.replace(value, inject_value) 
        # Reconstruct the URL
        url = url_part + "?" + parameters
        urls_list.append(url)
        return urls_list 

      else:
        # Check if multiple parameters are supplied without the "INJECT_HERE" tag.
        all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
        all_params = all_params.split(settings.PARAMETER_DELIMITER)
        # Check for similarity in provided parameter name and value.
        all_params = checks.check_similarities(all_params)
        # Check if defined the "INJECT_HERE" tag
        if settings.INJECT_TAG not in url:
          for param in range(0,len(all_params)):
            if param == 0 :
              old = re.findall(r'=(.*)', all_params[param])
              old = ''.join(old)
            else :
              old = value
            # Grab the value of parameter.
            value = re.findall(r'=(.*)', all_params[param])
            value = ''.join(value)
            # Ignoring the anti-CSRF parameter(s).
            if checks.ignore_anticsrf_parameter(all_params[param]):
              continue
            # Replace the value of parameter with INJECT tag
            inject_value = value.replace(value, settings.INJECT_TAG)
            # Skip testing the parameter(s) with empty value(s).
            if menu.options.skip_empty:
              if len(value) == 0:
                provided_value = re.findall(r'(.*)=', all_params[param])
                provided_value = ''.join(provided_value)
              else:
                all_params[param] = all_params[param].replace(value, inject_value)
                all_params[param-1] = all_params[param-1].replace(inject_value, old)
                parameter = settings.PARAMETER_DELIMITER.join(all_params)
                # Reconstruct the URL
                url = url_part + "?" + parameter  
                urls_list.append(url)
            else:
              if len(value) == 0:
                all_params[param] = all_params[param] + settings.INJECT_TAG
              else:
                all_params[param] = all_params[param].replace(value, inject_value)
              all_params[param-1] = all_params[param-1].replace(inject_value, old)
              parameter = settings.PARAMETER_DELIMITER.join(all_params)
              # Reconstruct the URL
              url = url_part + "?" + parameter
              urls_list.append(url.replace(settings.IGNORE_TAG,""))

        else:
          for param in range(0,len(multi_parameters)):
            # Grab the value of parameter.
            value = re.findall(r'=(.*)', multi_parameters[param])
            value = ''.join(value)
            parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)
          # Reconstruct the URL  
          url = url_part + "?" + parameter  
          urls_list.append(url)

    return urls_list 
예제 #6
0
def do_GET_check(url):

  # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
  url = checks.wildcard_character(url)

  # Check for REST-ful URLs format. 
  if "?" not in url:
    if settings.INJECT_TAG not in url and not menu.options.shellshock:
      if menu.options.level == 3 or menu.options.headers:
        return False
      if menu.options.level == 2 :
        return False
      else:  
        err_msg = "No parameter(s) found for testing in the provided data. "
        err_msg += "You must specify the testable parameter or "
        err_msg += "try to increase '--level' values to perform more tests. " 
        print settings.print_critical_msg(err_msg) + "\n"
        os._exit(0)   
    return url

  urls_list = []
  # Find the host part
  url_part = get_url_part(url)
  # Find the parameter part
  parameters = url.split("?")[1]
  # Split parameters
  multi_parameters = parameters.split(settings.PARAMETER_DELIMITER)
  # Check if single paramerter is supplied.
  if len(multi_parameters) == 1:
    # Check if defined the INJECT_TAG
    if settings.INJECT_TAG not in parameters:
      # Grab the value of parameter.
      value = re.findall(r'=(.*)', parameters)
      value = ''.join(value)
      # Replace the value of parameter with INJECT tag
      inject_value = value.replace(value, settings.INJECT_TAG)
      parameters = parameters.replace(value, inject_value) 
    else:
      # Grab the value of parameter.
      value = re.findall(r'=(.*)', parameters)
      value = ''.join(value)
      # Auto-recognize prefix / suffix
      if settings.INJECT_TAG in value:
        if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0:
          menu.options.prefix = value.rsplit(settings.INJECT_TAG, 1)[0]
        if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0:
          menu.options.suffix = value.rsplit(settings.INJECT_TAG, 1)[1]
      # Replace the value of parameter with INJECT tag
      inject_value = value.replace(value, settings.INJECT_TAG)
      parameters = parameters.replace(value, inject_value) 
    # Reconstruct the url
    url = url_part + "?" + parameters
    urls_list.append(url)
    return urls_list 

  else:
    # Check if multiple paramerters are supplied without the "INJECT_HERE" tag.
    all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
    # Check if defined the "INJECT_HERE" tag
    if settings.INJECT_TAG not in url:
      all_params = all_params.split(settings.PARAMETER_DELIMITER)
      for param in range(0,len(all_params)):
        if param == 0 :
          old = re.findall(r'=(.*)', all_params[param])
          old = ''.join(old)
        else :
          old = value
        # Grab the value of parameter.
        value = re.findall(r'=(.*)', all_params[param])
        value = ''.join(value)
        if not value == "":
          # Replace the value of parameter with INJECT tag
          inject_value = value.replace(value, settings.INJECT_TAG)
          all_params[param] = all_params[param].replace(value, inject_value)
          all_params[param-1] = all_params[param-1].replace(inject_value, old)
          parameter = settings.PARAMETER_DELIMITER.join(all_params)
          # Reconstruct the url
          url = url_part + "?" + parameter  
          urls_list.append(url)
        else:
          provided_value = re.findall(r'(.*)=', all_params[param])
          provided_value = ''.join(provided_value)
          warn_msg = "The '" + provided_value 
          warn_msg += "' parameter has been skipped from testing because the provided value is empty."
          print settings.print_warning_msg(warn_msg)
    else:
      for param in range(0,len(multi_parameters)):
        # Grab the value of parameter.
        value = re.findall(r'=(.*)', multi_parameters[param])
        value = ''.join(value)
        parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)
      url = url_part + "?" + parameter  
      urls_list.append(url)
    return urls_list 
예제 #7
0
          success_msg += Style.RESET_ALL + Style.BRIGHT
          success_msg += " found in POST data" 
          success_msg += Style.RESET_ALL + "."
          print settings.print_success_msg(success_msg)
    
    except ValueError, err_msg:
      if not "No JSON object could be decoded" in err_msg:
        err_msg = "JSON " + str(err_msg) + ". "
        print settings.print_critical_msg(err_msg) + "\n"
        sys.exit(0)
      return False
    else:  
      return True

  # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
  parameter = checks.wildcard_character(parameter).replace("'","\"")

  # Check if JSON Object.
  if is_JSON_check(parameter):
    settings.IS_JSON = True
    
  # Split parameters
  if settings.IS_JSON:
    settings.PARAMETER_DELIMITER = ","

  paramerters_list = []
  # Split multiple parameters
  multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)

  # Check if single paramerter is supplied.
  if len(multi_parameters) == 1:
예제 #8
0
def do_check(request):

  # Check if defined any Host HTTP header.
  if menu.options.host and settings.HOST_INJECTION == None:
    request.add_header(settings.HOST, menu.options.host)

  # Check if defined any User-Agent HTTP header.
  if menu.options.agent:
    request.add_header(settings.USER_AGENT, menu.options.agent)

  # Check if defined any Referer HTTP header.
  if menu.options.referer and settings.REFERER_INJECTION == None:
    request.add_header(settings.REFERER, menu.options.referer)
   
  # Check if defined any Cookie HTTP header.
  if menu.options.cookie and settings.COOKIE_INJECTION == False:
    request.add_header(settings.COOKIE, menu.options.cookie)
  
  if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER):
    request.add_header(settings.HTTP_ACCEPT_HEADER, settings.HTTP_ACCEPT_HEADER_VALUE)

  # Appends a fake HTTP header 'X-Forwarded-For'
  if settings.TAMPER_SCRIPTS["xforwardedfor"]:
    from src.core.tamper import xforwardedfor
    xforwardedfor.tamper(request)

  # Check if defined any HTTP Authentication credentials.
  # HTTP Authentication: Basic / Digest Access Authentication.
  if menu.options.auth_cred and menu.options.auth_type:
    try:
      settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
      if menu.options.auth_type == "basic":
        b64_string = base64.encodestring(menu.options.auth_cred).replace('\n', '')
        request.add_header("Authorization", "Basic " + b64_string + "")
      elif menu.options.auth_type == "digest":
        try:
          url = menu.options.url
          try:
            response = urllib2.urlopen(url)
          except urllib2.HTTPError, e:
            try:
              authline = e.headers.get('www-authenticate', '')  
              authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups()
              realm = authobj[1].split(',')[0].replace("\"","")
              user_pass_pair = menu.options.auth_cred.split(":")
              username = user_pass_pair[0]
              password = user_pass_pair[1]
              authhandler = urllib2.HTTPDigestAuthHandler()
              authhandler.add_password(realm, url, username, password)
              opener = urllib2.build_opener(authhandler)
              urllib2.install_opener(opener)
              result = urllib2.urlopen(url)
            except AttributeError:
              pass
        except urllib2.HTTPError, e:
          pass
    except ValueError:
      err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
      err_msg += " Try basic or digest HTTP authentication type."
      print settings.print_critical_msg(err_msg)
      raise SystemExit()   
  else:
    pass        
  
  # The MIME media type for JSON.
  if settings.IS_JSON:
    request.add_header("Content-Type", "application/json")

  # Check if defined any extra HTTP headers.
  if menu.options.headers or menu.options.header:
    # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
    if menu.options.headers:
      menu.options.headers = checks.wildcard_character(menu.options.headers)
      extra_headers = menu.options.headers 
    else:
      menu.options.header = checks.wildcard_character(menu.options.header) 
      extra_headers = menu.options.header
  
    extra_headers = extra_headers.replace(":",": ")
    if ": //" in extra_headers:
      extra_headers = extra_headers.replace(": //" ,"://")

    if "\\n" in extra_headers:
      extra_headers = extra_headers.split("\\n")
      # Remove empty strings
      extra_headers = [x for x in extra_headers if x]
      if menu.options.header and not menu.options.headers and len(extra_headers) > 1:
        warn_msg = "Swithing '--header' to '--headers' "
        warn_msg += "due to multiple extra HTTP headers."
        print settings.print_warning_msg(warn_msg)

    else:
      tmp_extra_header = []
      tmp_extra_header.append(extra_headers)
      extra_headers = tmp_extra_header

    for extra_header in extra_headers:
      # Extra HTTP Header name 
      http_header_name = re.findall(r"(.*): ", extra_header)
      http_header_name = ''.join(http_header_name).strip()
      # Extra HTTP Header value
      http_header_value = re.findall(r":(.*)", extra_header)
      http_header_value = ''.join(http_header_value).strip()
      # Check if it is a custom header injection.
      if settings.CUSTOM_HEADER_INJECTION == False and \
         settings.INJECT_TAG in http_header_value:
        settings.CUSTOM_HEADER_INJECTION = True
        settings.CUSTOM_HEADER_NAME = http_header_name
      request.add_header(http_header_name, http_header_value)
예제 #9
0
def do_GET_check(url):
    http_request_method = "GET"
    # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
    url = checks.wildcard_character(url)

    # Check for REST-ful URLs format.
    if "?" not in url:
        if settings.INJECT_TAG not in url and not menu.options.shellshock:
            if menu.options.level == 3 or menu.options.header or menu.options.headers:
                return False
            if menu.options.level == 2:
                return False
            else:
                err_msg = "No parameter(s) found for testing in the provided data. "
                err_msg += "You must specify the testable parameter or "
                err_msg += "try to increase '--level' values to perform more tests."
                print(settings.print_critical_msg(err_msg))
                raise SystemExit()
        elif menu.options.shellshock:
            return False
        return url

    else:
        urls_list = []
        if menu.options.shellshock:
            urls_list.append(url)
        else:
            # Find the host part
            url_part = get_url_part(url)
            # Find the parameter part
            parameters = url.split("?")[1]
            # Split parameters
            multi_parameters = parameters.split(settings.PARAMETER_DELIMITER)
            # Check for inappropriate format in provided parameter(s).
            if len([s for s in multi_parameters if "=" in s
                    ]) != (len(multi_parameters)):
                checks.inappropriate_format(multi_parameters)
            # Check for empty values (in provided parameters).
            checks.is_empty(multi_parameters, http_request_method)
            # Grab the value of parameter.
            _ = []
            _.append(parameters)
            parameters = ''.join(checks.check_similarities(_))
            value = re.findall(r'=(.*)', parameters)
            value = ''.join(value)
            # Check if single parameter is supplied.
            if len(multi_parameters) == 1:
                if re.search(settings.VALUE_BOUNDARIES, value):
                    value = checks.value_boundaries(value)
                # Replace the value of parameter with INJECT_HERE tag
                inject_value = value.replace(value, settings.INJECT_TAG)
                # Check if defined the INJECT_TAG
                if settings.INJECT_TAG not in parameters:
                    # Ignoring the anti-CSRF parameter(s).
                    if checks.ignore_anticsrf_parameter(parameters):
                        return urls_list
                    if len(value) == 0:
                        parameters = parameters + settings.INJECT_TAG
                    else:
                        parameters = parameters.replace(value, inject_value)
                else:
                    # Auto-recognize prefix / suffix
                    if settings.INJECT_TAG in value:
                        if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0:
                            menu.options.prefix = value.rsplit(
                                settings.INJECT_TAG, 1)[0]
                        if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0:
                            menu.options.suffix = value.rsplit(
                                settings.INJECT_TAG, 1)[1]
                    parameters = parameters.replace(value, inject_value)
                # Reconstruct the URL
                url = url_part + "?" + parameters
                urls_list.append(url)
                return urls_list

            else:
                # Check if multiple parameters are supplied without the "INJECT_HERE" tag.
                all_params = settings.PARAMETER_DELIMITER.join(
                    multi_parameters)
                all_params = all_params.split(settings.PARAMETER_DELIMITER)
                # Check for similarity in provided parameter name and value.
                all_params = checks.check_similarities(all_params)
                # Check if defined the "INJECT_HERE" tag
                if settings.INJECT_TAG not in url:
                    for param in range(0, len(all_params)):
                        if param == 0:
                            old = re.findall(r'=(.*)', all_params[param])
                            old = ''.join(old)
                        else:
                            old = value
                        # Grab the value of parameter.
                        value = re.findall(r'=(.*)', all_params[param])
                        value = ''.join(value)
                        # Ignoring the anti-CSRF parameter(s).
                        if checks.ignore_anticsrf_parameter(all_params[param]):
                            continue
                        if re.search(settings.VALUE_BOUNDARIES, value):
                            value = checks.value_boundaries(value)
                        # Replace the value of parameter with INJECT_HERE tag
                        inject_value = value.replace(value,
                                                     settings.INJECT_TAG)
                        # Skip testing the parameter(s) with empty value(s).
                        if menu.options.skip_empty:
                            if len(value) == 0:
                                provided_value = re.findall(
                                    r'(.*)=', all_params[param])
                                provided_value = ''.join(provided_value)
                            else:
                                all_params[param] = all_params[param].replace(
                                    value, inject_value)
                                all_params[param -
                                           1] = all_params[param - 1].replace(
                                               inject_value, old)
                                parameter = settings.PARAMETER_DELIMITER.join(
                                    all_params)
                                # Reconstruct the URL
                                url = url_part + "?" + parameter
                                urls_list.append(url)
                        else:
                            if len(value) == 0:
                                all_params[param] = all_params[
                                    param] + settings.INJECT_TAG
                            else:
                                all_params[param] = all_params[param].replace(
                                    value, inject_value)
                            all_params[param -
                                       1] = all_params[param - 1].replace(
                                           inject_value, old)
                            parameter = settings.PARAMETER_DELIMITER.join(
                                all_params)
                            # Reconstruct the URL
                            url = url_part + "?" + parameter
                            urls_list.append(
                                url.replace(settings.RANDOM_TAG, ""))

                else:
                    for param in range(0, len(multi_parameters)):
                        # Grab the value of parameter.
                        value = re.findall(r'=(.*)', multi_parameters[param])
                        value = ''.join(value)
                        parameter = settings.PARAMETER_DELIMITER.join(
                            multi_parameters)
                    # Reconstruct the URL
                    url = url_part + "?" + parameter
                    urls_list.append(url)

        return urls_list
예제 #10
0
def do_POST_check(parameter):
    http_request_method = "POST"
    # Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
    parameter = checks.wildcard_character(parameter).replace("'", "\"")
    # Check if JSON Object.
    if checks.is_JSON_check(checks.check_quotes_json_data(parameter)):
        parameter = checks.check_quotes_json_data(parameter)
        if not settings.IS_JSON:
            checks.process_json_data()
            settings.PARAMETER_DELIMITER = ","
    # Check if XML Object.
    elif checks.is_XML_check(parameter):
        if not settings.IS_XML:
            checks.process_xml_data()
            settings.PARAMETER_DELIMITER = ""
    else:
        pass
    parameters_list = []
    # Split multiple parameters
    if settings.IS_XML:
        _ = []
        parameters = re.findall(r'(.*)', parameter)
        parameters = [param + "\n" for param in parameters if param]
        for value in range(0, len(parameters)):
            _.append(parameters[value])
        multi_parameters = _
    else:
        try:
            multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
            multi_parameters = [x for x in multi_parameters if x]
        except ValueError as err_msg:
            print(settings.print_critical_msg(err_msg))
            raise SystemExit()
    # Check for inappropriate format in provided parameter(s).
    if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)) and \
       not settings.IS_JSON and \
       not settings.IS_XML:
        checks.inappropriate_format(multi_parameters)
    # Check for empty values (in provided parameters).
    # Check if single parameter is supplied.
    if len(multi_parameters) == 1:
        #Grab the value of parameter.
        if settings.IS_JSON:
            #Grab the value of parameter.
            value = re.findall(r'\"(.*)\"', parameter)
            value = ''.join(value)
            if value != settings.INJECT_TAG:
                value = re.findall(r'\s*\:\s*\"(.*)\"', parameter)
                value = ''.join(value)
        elif settings.IS_XML:
            #Grab the value of parameter.
            value = re.findall(r'>(.*)</', parameter)
            value = ''.join(value)
        else:
            _ = []
            _.append(parameter)
            parameter = ''.join(checks.check_similarities(_))
            value = re.findall(r'=(.*)', parameter)
            value = ''.join(value)
        if checks.is_empty(multi_parameters, http_request_method):
            return parameter
        else:
            # Ignoring the anti-CSRF parameter(s).
            if checks.ignore_anticsrf_parameter(parameter):
                return parameter
            if re.search(settings.VALUE_BOUNDARIES, value):
                value = checks.value_boundaries(value)
            # Replace the value of parameter with INJECT_HERE tag
            inject_value = value.replace(value, settings.INJECT_TAG)
            if len(value) == 0:
                if settings.IS_JSON:
                    parameter = parameter.replace(
                        ":\"\"", ":\"" + settings.INJECT_TAG + "\"")
                else:
                    parameter = parameter + settings.INJECT_TAG
            else:
                parameter = parameter.replace(value, inject_value)
            return parameter

    else:
        # Check if multiple parameters are supplied without the "INJECT_HERE" tag.
        if settings.IS_XML:
            all_params = multi_parameters
        else:
            all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
            # Check for similarity in provided parameter name and value.
            all_params = all_params.split(settings.PARAMETER_DELIMITER)
            all_params = checks.check_similarities(all_params)
        # Check if not defined the "INJECT_HERE" tag in parameter
        if settings.INJECT_TAG not in parameter:
            checks.is_empty(multi_parameters, http_request_method)
            for param in range(0, len(all_params)):
                if param == 0:
                    if settings.IS_JSON:
                        # old = re.findall(r'\:\"(.*)\"', all_params[param])
                        # old = ''.join(old)
                        old = re.findall(r'\:(.*)', all_params[param])
                        old = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '',
                                     ''.join(old))
                    elif settings.IS_XML:
                        old = re.findall(r'>(.*)</', all_params[param])
                        old = ''.join(old)
                    else:
                        old = re.findall(r'=(.*)', all_params[param])
                        old = ''.join(old)
                else:
                    old = value
                # Grab the value of parameter.
                if settings.IS_JSON:
                    # Grab the value of parameter.
                    # value = re.findall(r'\:\"(.*)\"', all_params[param])
                    # value = ''.join(value)
                    value = re.findall(r'\:(.*)', all_params[param])
                    value = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '',
                                   ''.join(value))
                elif settings.IS_XML:
                    value = re.findall(r'>(.*)</', all_params[param])
                    value = ''.join(value)
                else:
                    value = re.findall(r'=(.*)', all_params[param])
                    value = ''.join(value)
                # Ignoring the anti-CSRF parameter(s).
                if checks.ignore_anticsrf_parameter(all_params[param]):
                    continue
                if re.search(settings.VALUE_BOUNDARIES, value):
                    value = checks.value_boundaries(value)
                # Replace the value of parameter with INJECT_HERE tag
                inject_value = value.replace(value, settings.INJECT_TAG)
                # Skip testing the parameter(s) with empty value(s).
                if menu.options.skip_empty:
                    if len(value) == 0:
                        if settings.IS_JSON:
                            provided_value = re.findall(
                                r'\:(.*)', all_params[param])
                            provided_value = re.sub(
                                settings.IGNORE_SPECIAL_CHAR_REGEX, '',
                                ''.join(value))
                        elif settings.IS_XML:
                            provided_value = re.findall(
                                r'>(.*)</', all_params[param])
                            provided_value = ''.join(provided_value)
                        else:
                            provided_value = re.findall(
                                r'(.*)=', all_params[param])
                            provided_value = ''.join(provided_value)
                    else:
                        all_params[param] = all_params[param].replace(
                            value, inject_value)
                        all_params[param - 1] = all_params[param - 1].replace(
                            inject_value, old)
                        parameter = settings.PARAMETER_DELIMITER.join(
                            all_params)
                        parameters_list.append(parameter)
                        parameter = parameters_list
                else:
                    if len(value) == 0:
                        if settings.IS_JSON:
                            all_params[param] = all_params[param].replace(
                                ":\"\"", ":\"" + settings.INJECT_TAG + "\"")
                        elif settings.IS_XML:
                            all_params[param] = all_params[param].replace(
                                "></", ">" + settings.INJECT_TAG + "</")
                        else:
                            all_params[param] = all_params[
                                param] + settings.INJECT_TAG
                    else:
                        all_params[param] = all_params[param].replace(
                            value, inject_value)
                        # if settings.IS_JSON and not "\"" + settings.INJECT_TAG + "\"" in all_params[param]:
                        #   all_params[param] = all_params[param].replace(settings.INJECT_TAG, "\"" + settings.INJECT_TAG + "\"")
                    all_params[param - 1] = all_params[param - 1].replace(
                        inject_value, old)
                    parameter = settings.PARAMETER_DELIMITER.join(all_params)
                    parameters_list.append(
                        parameter.replace(settings.RANDOM_TAG, ""))
                    parameter = parameters_list

        else:
            for param in range(0, len(multi_parameters)):
                # Grab the value of parameter.
                if settings.IS_JSON:
                    value = re.findall(r'\"(.*)\"', multi_parameters[param])
                    value = ''.join(value)
                if settings.IS_XML:
                    value = re.findall(r'>(.*)</', all_params[param])
                    value = ''.join(value)
                else:
                    value = re.findall(r'=(.*)', multi_parameters[param])
                    value = ''.join(value)
                parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)

        return parameter
예제 #11
0
def do_check(request):

    # Check if defined any Host HTTP header.
    if menu.options.host and settings.HOST_INJECTION == None:
        requests.get(settings.HOST, menu.options.host)

    # Check if defined any User-Agent HTTP header.
    if menu.options.agent:
        requests.Request('GET', settings.USER_AGENT, menu.options.agent)

    # Check if defined any Referer HTTP header.
    if menu.options.referer and settings.REFERER_INJECTION == None:
        requests.get(settings.REFERER, menu.options.referer)

    # Check if defined any Cookie HTTP header.
    if menu.options.cookie and settings.COOKIE_INJECTION == False:
        requests.get(settings.COOKIE, menu.options.cookie)

    if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER):
        requests.Request('GET', settings.HTTP_ACCEPT_HEADER,
                         settings.HTTP_ACCEPT_HEADER_VALUE)

    # Appends a fake HTTP header 'X-Forwarded-For'
    if settings.TAMPER_SCRIPTS["xforwardedfor"]:
        from src.core.tamper import xforwardedfor
        xforwardedfor.tamper(request)

    # Check if defined any HTTP Authentication credentials.
    # HTTP Authentication: Basic / Digest Access Authentication.
    if menu.options.auth_cred and menu.options.auth_type:
        try:
            settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
            if menu.options.auth_type == "basic":
                b64_string = base64.encodestring(
                    menu.options.auth_cred).replace('\n', '')
                request.add_header("Authorization", "Basic " + b64_string + "")
            elif menu.options.auth_type == "digest":
                try:
                    url = menu.options.url
                    try:
                        response = urllib.request.urlopen(url)
                    except urllib.error.HTTPError or e:
                        try:
                            authline = e.headers.get('www-authenticate', '')
                            authobj = re.match('''(\w*)\s+realm=(.*),''',
                                               authline).groups()
                            realm = authobj[1].split(',')[0].replace("\"", "")
                            user_pass_pair = menu.options.auth_cred.split(":")
                            username = user_pass_pair[0]
                            password = user_pass_pair[1]
                            authhandler = urllib.request.HTTPDigestAuthHandler(
                            )
                            authhandler.add_password(realm, url, username,
                                                     password)
                            opener = urllib.request.build_opener(authhandler)
                            urllib.request.install_opener(opener)
                            result = urllib.request.urlopen(url)
                        except AttributeError:
                            pass
                except urllib.error.HTTPError or e:
                    pass
        except ValueError:
            err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
            err_msg += " Try basic or digest HTTP authentication type."
            print((settings.print_critical_msg(err_msg)))
            raise sys.exit()
    else:
        pass

    # The MIME media type for JSON.
    if settings.IS_JSON:
        request.add_header("Content-Type", "application/json")

    # Check if defined any extra HTTP headers.
    if menu.options.headers or menu.options.header:
        # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
        if menu.options.headers:
            menu.options.headers = checks.wildcard_character(
                menu.options.headers)
            extra_headers = menu.options.headers
        else:
            menu.options.header = checks.wildcard_character(
                menu.options.header)
            extra_headers = menu.options.header

        extra_headers = extra_headers.replace(":", ": ")
        if ": //" in extra_headers:
            extra_headers = extra_headers.replace(": //", "://")

        if "\\n" in extra_headers:
            extra_headers = extra_headers.split("\\n")
            # Remove empty strings
            extra_headers = [x for x in extra_headers if x]
            if menu.options.header and not menu.options.headers and len(
                    extra_headers) > 1:
                warn_msg = "Swithing '--header' to '--headers' "
                warn_msg += "due to multiple extra HTTP headers."
                print((settings.print_warning_msg(warn_msg)))

        else:
            tmp_extra_header = []
            tmp_extra_header.append(extra_headers)
            extra_headers = tmp_extra_header

        for extra_header in extra_headers:
            # Extra HTTP Header name
            http_header_name = re.findall(r"(.*): ", extra_header)
            http_header_name = ''.join(http_header_name).strip()
            # Extra HTTP Header value
            http_header_value = re.findall(r":(.*)", extra_header)
            http_header_value = ''.join(http_header_value).strip()
            # Check if it is a custom header injection.
            if settings.CUSTOM_HEADER_INJECTION == False and \
               settings.INJECT_TAG in http_header_value:
                settings.CUSTOM_HEADER_INJECTION = True
                settings.CUSTOM_HEADER_NAME = http_header_name
            request.add_header(http_header_name, http_header_value)
예제 #12
0
def do_check(request):

    # Check if defined any HTTP Host header.
    if menu.options.host:
        request.add_header('Host', menu.options.host)

    # Check if defined any HTTP User-Agent header.
    if menu.options.agent:
        request.add_header('User-Agent', menu.options.agent)

    # Check if defined any HTTP Referer header.
    if menu.options.referer and settings.REFERER_INJECTION == False:
        request.add_header('Referer', menu.options.referer)

    # Check if defined any HTTP Cookie header.
    if menu.options.cookie and settings.COOKIE_INJECTION == False:
        request.add_header('Cookie', menu.options.cookie)

    # Check if defined any HTTP Authentication credentials.
    # HTTP Authentication: Basic / Digest Access Authentication.
    if not menu.options.ignore_401:
        if menu.options.auth_cred and menu.options.auth_type:
            try:
                settings.SUPPORTED_HTTP_AUTH_TYPES.index(
                    menu.options.auth_type)
                if menu.options.auth_type == "basic":
                    b64_string = base64.encodestring(
                        menu.options.auth_cred).replace('\n', '')
                    request.add_header("Authorization",
                                       "Basic " + b64_string + "")
                elif menu.options.auth_type == "digest":
                    try:
                        url = menu.options.url
                        try:
                            response = urllib2.urlopen(url)
                        except urllib2.HTTPError, e:
                            try:
                                authline = e.headers.get(
                                    'www-authenticate', '')
                                authobj = re.match('''(\w*)\s+realm=(.*),''',
                                                   authline).groups()
                                realm = authobj[1].split(',')[0].replace(
                                    "\"", "")
                                user_pass_pair = menu.options.auth_cred.split(
                                    ":")
                                username = user_pass_pair[0]
                                password = user_pass_pair[1]
                                authhandler = urllib2.HTTPDigestAuthHandler()
                                authhandler.add_password(
                                    realm, url, username, password)
                                opener = urllib2.build_opener(authhandler)
                                urllib2.install_opener(opener)
                                result = urllib2.urlopen(url)
                            except AttributeError:
                                pass
                    except urllib2.HTTPError, e:
                        pass
            except ValueError:
                err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
                err_msg += " Try basic or digest HTTP authentication type."
                print settings.print_critical_msg(err_msg)
                sys.exit(0)
        else:
            pass

    # The MIME media type for JSON.
    if settings.IS_JSON:
        request.add_header("Content-Type", "application/json")

    # Check if defined any extra HTTP headers.
    if menu.options.headers:
        # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
        menu.options.headers = checks.wildcard_character(menu.options.headers)
        extra_headers = menu.options.headers
        extra_headers = extra_headers.split(":")
        extra_headers = ':'.join(extra_headers)
        extra_headers = extra_headers.split("\\n")
        # Remove empty strings
        extra_headers = [x for x in extra_headers if x]
        for extra_header in extra_headers:
            # Extra HTTP Header name
            http_header_name = re.findall(r"(.*):", extra_header)
            http_header_name = ''.join(http_header_name)
            # Extra HTTP Header value
            http_header_value = re.findall(r":(.*)", extra_header)
            http_header_value = ''.join(http_header_value)
            # Check if it is a custom header injection.
            if settings.CUSTOM_HEADER_INJECTION == False and \
               settings.INJECT_TAG in http_header_value:
                settings.CUSTOM_HEADER_INJECTION = True
                settings.CUSTOM_HEADER_NAME = http_header_name
            request.add_header(http_header_name, http_header_value)
예제 #13
0
def do_check(request):

  # Check if defined any Host HTTP header.
  if menu.options.host and settings.HOST_INJECTION == None:
    request.add_header(settings.HOST, menu.options.host)

  # Check if defined any User-Agent HTTP header.
  if menu.options.agent:
    request.add_header(settings.USER_AGENT, menu.options.agent)

  # Check if defined any Referer HTTP header.
  if menu.options.referer and settings.REFERER_INJECTION == None:
    request.add_header(settings.REFERER, menu.options.referer)
   
  # Check if defined any Cookie HTTP header.
  if menu.options.cookie and settings.COOKIE_INJECTION == False:
    request.add_header(settings.COOKIE, menu.options.cookie)
  
  if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER):
    request.add_header(settings.HTTP_ACCEPT_HEADER, settings.HTTP_ACCEPT_HEADER_VALUE)

  # The MIME media type for JSON.
  if menu.options.data:
    if re.search(settings.JSON_RECOGNITION_REGEX, menu.options.data) or \
       re.search(settings.JSON_LIKE_RECOGNITION_REGEX, menu.options.data):
      request.add_header("Content-Type", "application/json")

  # Appends a fake HTTP header 'X-Forwarded-For'
  if settings.TAMPER_SCRIPTS["xforwardedfor"]:
    from src.core.tamper import xforwardedfor
    xforwardedfor.tamper(request)
  
  # Default value for "Accept-Encoding" HTTP header
  request.add_header('Accept-Encoding', settings.HTTP_ACCEPT_ENCODING_HEADER_VALUE)

  # Check if defined any HTTP Authentication credentials.
  # HTTP Authentication: Basic / Digest Access Authentication.
  if menu.options.auth_cred and menu.options.auth_type:
    try:
      settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
      if menu.options.auth_type == "basic":
        b64_string = encodebytes(menu.options.auth_cred.encode(settings.UNICODE_ENCODING)).decode().replace('\n', '')
        request.add_header("Authorization", "Basic " + b64_string + "")
      elif menu.options.auth_type == "digest":
        try:
          url = menu.options.url
          try:
            response = _urllib.request.urlopen(url, timeout=settings.TIMEOUT)
          except _urllib.error.HTTPError as e:
            try:
              authline = e.headers.get('www-authenticate', '')  
              authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups()
              realm = authobj[1].split(',')[0].replace("\"","")
              user_pass_pair = menu.options.auth_cred.split(":")
              username = user_pass_pair[0]
              password = user_pass_pair[1]
              authhandler = _urllib.request.HTTPDigestAuthHandler()
              authhandler.add_password(realm, url, username, password)
              opener = _urllib.request.build_opener(authhandler)
              _urllib.request.install_opener(opener)
              result = _urllib.request.urlopen(url, timeout=settings.TIMEOUT)
            except AttributeError:
              pass
        except _urllib.error.HTTPError as e:
          pass
    except ValueError:
      err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
      err_msg += " Try basic or digest HTTP authentication type."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit()   
  else:
    pass        
  
  # Check if defined any extra HTTP headers.
  if menu.options.headers or menu.options.header or len(settings.RAW_HTTP_HEADERS) >= 1:
    if len(settings.RAW_HTTP_HEADERS) >= 1:
      menu.options.headers = settings.RAW_HTTP_HEADERS
    # Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
    if menu.options.headers:
      menu.options.headers = checks.wildcard_character(menu.options.headers)
      extra_headers = menu.options.headers 
    else:
      menu.options.header = checks.wildcard_character(menu.options.header) 
      extra_headers = menu.options.header
  
    extra_headers = extra_headers.replace(":",": ")
    if ": //" in extra_headers:
      extra_headers = extra_headers.replace(": //" ,"://")

    if "\\n" in extra_headers:
      extra_headers = extra_headers.split("\\n")
      # Remove empty strings and "Content-Length"
      extra_headers = [x for x in extra_headers if "Content-Length" not in x]
    else:
      tmp_extra_header = []
      tmp_extra_header.append(extra_headers)
      extra_headers = tmp_extra_header

    # Remove empty strings
    extra_headers = [x for x in extra_headers if x]
    
    for extra_header in extra_headers:
      try:
        # Extra HTTP Header name 
        http_header_name = extra_header.split(':', 1)[0]
        http_header_name = ''.join(http_header_name).strip()
        # Extra HTTP Header value
        http_header_value = extra_header.split(':', 1)[1]
        http_header_value = ''.join(http_header_value).strip().replace(": ",":")
        # Check if it is a custom header injection.
        if settings.CUSTOM_HEADER_INJECTION == False and \
           settings.INJECT_TAG in http_header_value:
          settings.CUSTOM_HEADER_INJECTION = True
          settings.CUSTOM_HEADER_NAME = http_header_name
        # Add HTTP Header name / value to the HTTP request
        if http_header_name not in [settings.HOST, settings.USER_AGENT, settings.REFERER, settings.COOKIE]:
          request.add_header(http_header_name.encode(settings.UNICODE_ENCODING), http_header_value.encode(settings.UNICODE_ENCODING))
      except:
        pass
        
# eof