def do_POST_check(parameter):
http_request_method = "POST"
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
parameter = checks.wildcard_character(parameter).replace("'","\"")
# Check if JSON Object.
if checks.is_JSON_check(parameter):
if not settings.IS_JSON:
checks.process_json_data()
settings.PARAMETER_DELIMITER = ","
# Check if XML Object.
elif checks.is_XML_check(parameter):
if not settings.IS_XML:
checks.process_xml_data()
settings.PARAMETER_DELIMITER = ""
else:
pass
parameters_list = []
# Split multiple parameters
if settings.IS_XML:
_ = []
parameters = re.findall(r'(.*)', parameter)
parameters = [param + "\n" for param in parameters if param]
for value in range(0,len(parameters)):
_.append(parameters[value])
multi_parameters = _
else:
try:
multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
multi_parameters = [x for x in multi_parameters if x]
except ValueError, err_msg:
print settings.print_critical_msg(err_msg)
raise SystemExit()
def specify_cookie_parameter(cookie):
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
cookie = checks.wildcard_character(cookie)
# Specify the vulnerable cookie parameter
if re.findall(r"" + settings.COOKIE_DELIMITER + "(.*)=" + settings.INJECT_TAG + "", cookie):
inject_cookie = re.findall(r"" + settings.COOKIE_DELIMITER + "(.*)=" + settings.INJECT_TAG + "", cookie)
inject_cookie = ''.join(inject_cookie)
inject_cookie = re.sub(r"(.*)=(.*)" + settings.COOKIE_DELIMITER, "", inject_cookie)
elif re.findall(r"(.*)=" + settings.INJECT_TAG + "", cookie):
inject_cookie = re.findall(r"(.*)=" + settings.INJECT_TAG + "", cookie)
inject_cookie = ''.join(inject_cookie)
else:
inject_cookie = cookie
return inject_cookie
def do_POST_check(parameter):
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
parameter = checks.wildcard_character(parameter)
# Check if valid JSON
def is_JSON_check(parameter):
try:
json_object = json.loads(parameter)
if re.search(settings.JSON_RECOGNITION_REGEX, parameter):
if settings.VERBOSITY_LEVEL >= 1 and not settings.IS_JSON:
success_msg = Style.BRIGHT + Style.UNDERLINE + "JSON data"
success_msg += Style.RESET_ALL + Style.BRIGHT
success_msg += " found in POST data"
success_msg += Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
except ValueError, err_msg:
if not "No JSON object could be decoded" in err_msg:
err_msg = "JSON " + str(err_msg) + ". "
print settings.print_error_msg(err_msg) + "\n"
sys.exit(0)
return False
else:
def do_check(request):
# Check if defined any HTTP Host header.
if menu.options.host:
request.add_header('Host', menu.options.host)
# Check if defined any HTTP User-Agent header.
if menu.options.agent:
request.add_header('User-Agent', menu.options.agent)
# Check if defined any HTTP Referer header.
if menu.options.referer and settings.REFERER_INJECTION == False:
request.add_header('Referer', menu.options.referer)
# Check if defined any HTTP Cookie header.
if menu.options.cookie and settings.COOKIE_INJECTION == False:
request.add_header('Cookie', menu.options.cookie)
# Check if defined any HTTP Authentication credentials.
# HTTP Authentication: Basic / Digest Access Authentication.
if not menu.options.ignore_401:
if menu.options.auth_cred and menu.options.auth_type:
try:
settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
if menu.options.auth_type == "basic":
b64_string = base64.encodestring(menu.options.auth_cred).replace('\n', '')
request.add_header("Authorization", "Basic " + b64_string + "")
elif menu.options.auth_type == "digest":
try:
url = menu.options.url
try:
response = urllib2.urlopen(url)
except urllib2.HTTPError, e:
try:
authline = e.headers.get('www-authenticate', '')
authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups()
realm = authobj[1].split(',')[0].replace("\"","")
user_pass_pair = menu.options.auth_cred.split(":")
username = user_pass_pair[0]
password = user_pass_pair[1]
authhandler = urllib2.HTTPDigestAuthHandler()
authhandler.add_password(realm, url, username, password)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
result = urllib2.urlopen(url)
except AttributeError:
pass
except urllib2.HTTPError, e:
pass
except ValueError:
err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
err_msg += " Try basic or digest HTTP authentication type."
print settings.print_critical_msg(err_msg)
sys.exit(0)
else:
pass
# The MIME media type for JSON.
if settings.IS_JSON:
request.add_header("Content-Type", "application/json")
# Check if defined any extra HTTP headers.
if menu.options.headers:
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
menu.options.headers = checks.wildcard_character(menu.options.headers)
extra_headers = menu.options.headers
extra_headers = extra_headers.split(":")
extra_headers = ':'.join(extra_headers)
extra_headers = extra_headers.split("\\n")
# Remove empty strings
extra_headers = [x for x in extra_headers if x]
for extra_header in extra_headers:
# Extra HTTP Header name
http_header_name = re.findall(r"(.*):", extra_header)
http_header_name = ''.join(http_header_name)
# Extra HTTP Header value
http_header_value = re.findall(r":(.*)", extra_header)
http_header_value = ''.join(http_header_value)
# Check if it is a custom header injection.
if settings.CUSTOM_HEADER_INJECTION == False and \
settings.INJECT_TAG in http_header_value:
settings.CUSTOM_HEADER_INJECTION = True
settings.CUSTOM_HEADER_NAME = http_header_name
request.add_header(http_header_name, http_header_value)
def do_GET_check(url):
http_request_method = "GET"
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
url = checks.wildcard_character(url)
# Check for REST-ful URLs format.
if "?" not in url:
if settings.INJECT_TAG not in url and not menu.options.shellshock:
if menu.options.level == 3 or menu.options.headers:
return False
if menu.options.level == 2 :
return False
else:
err_msg = "No parameter(s) found for testing in the provided data. "
err_msg += "You must specify the testable parameter or "
err_msg += "try to increase '--level' values to perform more tests."
print settings.print_critical_msg(err_msg)
raise SystemExit()
elif menu.options.shellshock:
return False
return url
else:
urls_list = []
if menu.options.shellshock:
urls_list.append(url)
else:
# Find the host part
url_part = get_url_part(url)
# Find the parameter part
parameters = url.split("?")[1]
# Split parameters
multi_parameters = parameters.split(settings.PARAMETER_DELIMITER)
# Check for inappropriate format in provided parameter(s).
if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)):
checks.inappropriate_format(multi_parameters)
# Check for empty values (in provided parameters).
checks.is_empty(multi_parameters, http_request_method)
# Grab the value of parameter.
_ = []
_.append(parameters)
parameters = ''.join(checks.check_similarities(_))
value = re.findall(r'=(.*)', parameters)
value = ''.join(value)
# Check if single parameter is supplied.
if len(multi_parameters) == 1:
# Replace the value of parameter with INJECT tag
inject_value = value.replace(value, settings.INJECT_TAG)
# Check if defined the INJECT_TAG
if settings.INJECT_TAG not in parameters:
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(parameters):
return urls_list
if len(value) == 0:
parameters = parameters + settings.INJECT_TAG
else:
parameters = parameters.replace(value, inject_value)
else:
# Auto-recognize prefix / suffix
if settings.INJECT_TAG in value:
if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0:
menu.options.prefix = value.rsplit(settings.INJECT_TAG, 1)[0]
if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0:
menu.options.suffix = value.rsplit(settings.INJECT_TAG, 1)[1]
parameters = parameters.replace(value, inject_value)
# Reconstruct the URL
url = url_part + "?" + parameters
urls_list.append(url)
return urls_list
else:
# Check if multiple parameters are supplied without the "INJECT_HERE" tag.
all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
all_params = all_params.split(settings.PARAMETER_DELIMITER)
# Check for similarity in provided parameter name and value.
all_params = checks.check_similarities(all_params)
# Check if defined the "INJECT_HERE" tag
if settings.INJECT_TAG not in url:
for param in range(0,len(all_params)):
if param == 0 :
old = re.findall(r'=(.*)', all_params[param])
old = ''.join(old)
else :
old = value
# Grab the value of parameter.
value = re.findall(r'=(.*)', all_params[param])
value = ''.join(value)
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(all_params[param]):
continue
# Replace the value of parameter with INJECT tag
inject_value = value.replace(value, settings.INJECT_TAG)
# Skip testing the parameter(s) with empty value(s).
if menu.options.skip_empty:
if len(value) == 0:
provided_value = re.findall(r'(.*)=', all_params[param])
provided_value = ''.join(provided_value)
else:
all_params[param] = all_params[param].replace(value, inject_value)
all_params[param-1] = all_params[param-1].replace(inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(all_params)
# Reconstruct the URL
url = url_part + "?" + parameter
urls_list.append(url)
else:
if len(value) == 0:
all_params[param] = all_params[param] + settings.INJECT_TAG
else:
all_params[param] = all_params[param].replace(value, inject_value)
all_params[param-1] = all_params[param-1].replace(inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(all_params)
# Reconstruct the URL
url = url_part + "?" + parameter
urls_list.append(url.replace(settings.IGNORE_TAG,""))
else:
for param in range(0,len(multi_parameters)):
# Grab the value of parameter.
value = re.findall(r'=(.*)', multi_parameters[param])
value = ''.join(value)
parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)
# Reconstruct the URL
url = url_part + "?" + parameter
urls_list.append(url)
return urls_list
def do_GET_check(url):
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
url = checks.wildcard_character(url)
# Check for REST-ful URLs format.
if "?" not in url:
if settings.INJECT_TAG not in url and not menu.options.shellshock:
if menu.options.level == 3 or menu.options.headers:
return False
if menu.options.level == 2 :
return False
else:
err_msg = "No parameter(s) found for testing in the provided data. "
err_msg += "You must specify the testable parameter or "
err_msg += "try to increase '--level' values to perform more tests. "
print settings.print_critical_msg(err_msg) + "\n"
os._exit(0)
return url
urls_list = []
# Find the host part
url_part = get_url_part(url)
# Find the parameter part
parameters = url.split("?")[1]
# Split parameters
multi_parameters = parameters.split(settings.PARAMETER_DELIMITER)
# Check if single paramerter is supplied.
if len(multi_parameters) == 1:
# Check if defined the INJECT_TAG
if settings.INJECT_TAG not in parameters:
# Grab the value of parameter.
value = re.findall(r'=(.*)', parameters)
value = ''.join(value)
# Replace the value of parameter with INJECT tag
inject_value = value.replace(value, settings.INJECT_TAG)
parameters = parameters.replace(value, inject_value)
else:
# Grab the value of parameter.
value = re.findall(r'=(.*)', parameters)
value = ''.join(value)
# Auto-recognize prefix / suffix
if settings.INJECT_TAG in value:
if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0:
menu.options.prefix = value.rsplit(settings.INJECT_TAG, 1)[0]
if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0:
menu.options.suffix = value.rsplit(settings.INJECT_TAG, 1)[1]
# Replace the value of parameter with INJECT tag
inject_value = value.replace(value, settings.INJECT_TAG)
parameters = parameters.replace(value, inject_value)
# Reconstruct the url
url = url_part + "?" + parameters
urls_list.append(url)
return urls_list
else:
# Check if multiple paramerters are supplied without the "INJECT_HERE" tag.
all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
# Check if defined the "INJECT_HERE" tag
if settings.INJECT_TAG not in url:
all_params = all_params.split(settings.PARAMETER_DELIMITER)
for param in range(0,len(all_params)):
if param == 0 :
old = re.findall(r'=(.*)', all_params[param])
old = ''.join(old)
else :
old = value
# Grab the value of parameter.
value = re.findall(r'=(.*)', all_params[param])
value = ''.join(value)
if not value == "":
# Replace the value of parameter with INJECT tag
inject_value = value.replace(value, settings.INJECT_TAG)
all_params[param] = all_params[param].replace(value, inject_value)
all_params[param-1] = all_params[param-1].replace(inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(all_params)
# Reconstruct the url
url = url_part + "?" + parameter
urls_list.append(url)
else:
provided_value = re.findall(r'(.*)=', all_params[param])
provided_value = ''.join(provided_value)
warn_msg = "The '" + provided_value
warn_msg += "' parameter has been skipped from testing because the provided value is empty."
print settings.print_warning_msg(warn_msg)
else:
for param in range(0,len(multi_parameters)):
# Grab the value of parameter.
value = re.findall(r'=(.*)', multi_parameters[param])
value = ''.join(value)
parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)
url = url_part + "?" + parameter
urls_list.append(url)
return urls_list
success_msg += Style.RESET_ALL + Style.BRIGHT
success_msg += " found in POST data"
success_msg += Style.RESET_ALL + "."
print settings.print_success_msg(success_msg)
except ValueError, err_msg:
if not "No JSON object could be decoded" in err_msg:
err_msg = "JSON " + str(err_msg) + ". "
print settings.print_critical_msg(err_msg) + "\n"
sys.exit(0)
return False
else:
return True
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
parameter = checks.wildcard_character(parameter).replace("'","\"")
# Check if JSON Object.
if is_JSON_check(parameter):
settings.IS_JSON = True
# Split parameters
if settings.IS_JSON:
settings.PARAMETER_DELIMITER = ","
paramerters_list = []
# Split multiple parameters
multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
# Check if single paramerter is supplied.
if len(multi_parameters) == 1:
def do_check(request):
# Check if defined any Host HTTP header.
if menu.options.host and settings.HOST_INJECTION == None:
request.add_header(settings.HOST, menu.options.host)
# Check if defined any User-Agent HTTP header.
if menu.options.agent:
request.add_header(settings.USER_AGENT, menu.options.agent)
# Check if defined any Referer HTTP header.
if menu.options.referer and settings.REFERER_INJECTION == None:
request.add_header(settings.REFERER, menu.options.referer)
# Check if defined any Cookie HTTP header.
if menu.options.cookie and settings.COOKIE_INJECTION == False:
request.add_header(settings.COOKIE, menu.options.cookie)
if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER):
request.add_header(settings.HTTP_ACCEPT_HEADER, settings.HTTP_ACCEPT_HEADER_VALUE)
# Appends a fake HTTP header 'X-Forwarded-For'
if settings.TAMPER_SCRIPTS["xforwardedfor"]:
from src.core.tamper import xforwardedfor
xforwardedfor.tamper(request)
# Check if defined any HTTP Authentication credentials.
# HTTP Authentication: Basic / Digest Access Authentication.
if menu.options.auth_cred and menu.options.auth_type:
try:
settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
if menu.options.auth_type == "basic":
b64_string = base64.encodestring(menu.options.auth_cred).replace('\n', '')
request.add_header("Authorization", "Basic " + b64_string + "")
elif menu.options.auth_type == "digest":
try:
url = menu.options.url
try:
response = urllib2.urlopen(url)
except urllib2.HTTPError, e:
try:
authline = e.headers.get('www-authenticate', '')
authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups()
realm = authobj[1].split(',')[0].replace("\"","")
user_pass_pair = menu.options.auth_cred.split(":")
username = user_pass_pair[0]
password = user_pass_pair[1]
authhandler = urllib2.HTTPDigestAuthHandler()
authhandler.add_password(realm, url, username, password)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
result = urllib2.urlopen(url)
except AttributeError:
pass
except urllib2.HTTPError, e:
pass
except ValueError:
err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
err_msg += " Try basic or digest HTTP authentication type."
print settings.print_critical_msg(err_msg)
raise SystemExit()
else:
pass
# The MIME media type for JSON.
if settings.IS_JSON:
request.add_header("Content-Type", "application/json")
# Check if defined any extra HTTP headers.
if menu.options.headers or menu.options.header:
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
if menu.options.headers:
menu.options.headers = checks.wildcard_character(menu.options.headers)
extra_headers = menu.options.headers
else:
menu.options.header = checks.wildcard_character(menu.options.header)
extra_headers = menu.options.header
extra_headers = extra_headers.replace(":",": ")
if ": //" in extra_headers:
extra_headers = extra_headers.replace(": //" ,"://")
if "\\n" in extra_headers:
extra_headers = extra_headers.split("\\n")
# Remove empty strings
extra_headers = [x for x in extra_headers if x]
if menu.options.header and not menu.options.headers and len(extra_headers) > 1:
warn_msg = "Swithing '--header' to '--headers' "
warn_msg += "due to multiple extra HTTP headers."
print settings.print_warning_msg(warn_msg)
else:
tmp_extra_header = []
tmp_extra_header.append(extra_headers)
extra_headers = tmp_extra_header
for extra_header in extra_headers:
# Extra HTTP Header name
http_header_name = re.findall(r"(.*): ", extra_header)
http_header_name = ''.join(http_header_name).strip()
# Extra HTTP Header value
http_header_value = re.findall(r":(.*)", extra_header)
http_header_value = ''.join(http_header_value).strip()
# Check if it is a custom header injection.
if settings.CUSTOM_HEADER_INJECTION == False and \
settings.INJECT_TAG in http_header_value:
settings.CUSTOM_HEADER_INJECTION = True
settings.CUSTOM_HEADER_NAME = http_header_name
request.add_header(http_header_name, http_header_value)
def do_GET_check(url):
http_request_method = "GET"
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
url = checks.wildcard_character(url)
# Check for REST-ful URLs format.
if "?" not in url:
if settings.INJECT_TAG not in url and not menu.options.shellshock:
if menu.options.level == 3 or menu.options.header or menu.options.headers:
return False
if menu.options.level == 2:
return False
else:
err_msg = "No parameter(s) found for testing in the provided data. "
err_msg += "You must specify the testable parameter or "
err_msg += "try to increase '--level' values to perform more tests."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
elif menu.options.shellshock:
return False
return url
else:
urls_list = []
if menu.options.shellshock:
urls_list.append(url)
else:
# Find the host part
url_part = get_url_part(url)
# Find the parameter part
parameters = url.split("?")[1]
# Split parameters
multi_parameters = parameters.split(settings.PARAMETER_DELIMITER)
# Check for inappropriate format in provided parameter(s).
if len([s for s in multi_parameters if "=" in s
]) != (len(multi_parameters)):
checks.inappropriate_format(multi_parameters)
# Check for empty values (in provided parameters).
checks.is_empty(multi_parameters, http_request_method)
# Grab the value of parameter.
_ = []
_.append(parameters)
parameters = ''.join(checks.check_similarities(_))
value = re.findall(r'=(.*)', parameters)
value = ''.join(value)
# Check if single parameter is supplied.
if len(multi_parameters) == 1:
if re.search(settings.VALUE_BOUNDARIES, value):
value = checks.value_boundaries(value)
# Replace the value of parameter with INJECT_HERE tag
inject_value = value.replace(value, settings.INJECT_TAG)
# Check if defined the INJECT_TAG
if settings.INJECT_TAG not in parameters:
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(parameters):
return urls_list
if len(value) == 0:
parameters = parameters + settings.INJECT_TAG
else:
parameters = parameters.replace(value, inject_value)
else:
# Auto-recognize prefix / suffix
if settings.INJECT_TAG in value:
if len(value.rsplit(settings.INJECT_TAG, 0)[0]) > 0:
menu.options.prefix = value.rsplit(
settings.INJECT_TAG, 1)[0]
if len(value.rsplit(settings.INJECT_TAG, 1)[1]) > 0:
menu.options.suffix = value.rsplit(
settings.INJECT_TAG, 1)[1]
parameters = parameters.replace(value, inject_value)
# Reconstruct the URL
url = url_part + "?" + parameters
urls_list.append(url)
return urls_list
else:
# Check if multiple parameters are supplied without the "INJECT_HERE" tag.
all_params = settings.PARAMETER_DELIMITER.join(
multi_parameters)
all_params = all_params.split(settings.PARAMETER_DELIMITER)
# Check for similarity in provided parameter name and value.
all_params = checks.check_similarities(all_params)
# Check if defined the "INJECT_HERE" tag
if settings.INJECT_TAG not in url:
for param in range(0, len(all_params)):
if param == 0:
old = re.findall(r'=(.*)', all_params[param])
old = ''.join(old)
else:
old = value
# Grab the value of parameter.
value = re.findall(r'=(.*)', all_params[param])
value = ''.join(value)
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(all_params[param]):
continue
if re.search(settings.VALUE_BOUNDARIES, value):
value = checks.value_boundaries(value)
# Replace the value of parameter with INJECT_HERE tag
inject_value = value.replace(value,
settings.INJECT_TAG)
# Skip testing the parameter(s) with empty value(s).
if menu.options.skip_empty:
if len(value) == 0:
provided_value = re.findall(
r'(.*)=', all_params[param])
provided_value = ''.join(provided_value)
else:
all_params[param] = all_params[param].replace(
value, inject_value)
all_params[param -
1] = all_params[param - 1].replace(
inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(
all_params)
# Reconstruct the URL
url = url_part + "?" + parameter
urls_list.append(url)
else:
if len(value) == 0:
all_params[param] = all_params[
param] + settings.INJECT_TAG
else:
all_params[param] = all_params[param].replace(
value, inject_value)
all_params[param -
1] = all_params[param - 1].replace(
inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(
all_params)
# Reconstruct the URL
url = url_part + "?" + parameter
urls_list.append(
url.replace(settings.RANDOM_TAG, ""))
else:
for param in range(0, len(multi_parameters)):
# Grab the value of parameter.
value = re.findall(r'=(.*)', multi_parameters[param])
value = ''.join(value)
parameter = settings.PARAMETER_DELIMITER.join(
multi_parameters)
# Reconstruct the URL
url = url_part + "?" + parameter
urls_list.append(url)
return urls_list
def do_POST_check(parameter):
http_request_method = "POST"
# Do replacement with the 'INJECT_HERE' tag, if the wild card char is provided.
parameter = checks.wildcard_character(parameter).replace("'", "\"")
# Check if JSON Object.
if checks.is_JSON_check(checks.check_quotes_json_data(parameter)):
parameter = checks.check_quotes_json_data(parameter)
if not settings.IS_JSON:
checks.process_json_data()
settings.PARAMETER_DELIMITER = ","
# Check if XML Object.
elif checks.is_XML_check(parameter):
if not settings.IS_XML:
checks.process_xml_data()
settings.PARAMETER_DELIMITER = ""
else:
pass
parameters_list = []
# Split multiple parameters
if settings.IS_XML:
_ = []
parameters = re.findall(r'(.*)', parameter)
parameters = [param + "\n" for param in parameters if param]
for value in range(0, len(parameters)):
_.append(parameters[value])
multi_parameters = _
else:
try:
multi_parameters = parameter.split(settings.PARAMETER_DELIMITER)
multi_parameters = [x for x in multi_parameters if x]
except ValueError as err_msg:
print(settings.print_critical_msg(err_msg))
raise SystemExit()
# Check for inappropriate format in provided parameter(s).
if len([s for s in multi_parameters if "=" in s]) != (len(multi_parameters)) and \
not settings.IS_JSON and \
not settings.IS_XML:
checks.inappropriate_format(multi_parameters)
# Check for empty values (in provided parameters).
# Check if single parameter is supplied.
if len(multi_parameters) == 1:
#Grab the value of parameter.
if settings.IS_JSON:
#Grab the value of parameter.
value = re.findall(r'\"(.*)\"', parameter)
value = ''.join(value)
if value != settings.INJECT_TAG:
value = re.findall(r'\s*\:\s*\"(.*)\"', parameter)
value = ''.join(value)
elif settings.IS_XML:
#Grab the value of parameter.
value = re.findall(r'>(.*)</', parameter)
value = ''.join(value)
else:
_ = []
_.append(parameter)
parameter = ''.join(checks.check_similarities(_))
value = re.findall(r'=(.*)', parameter)
value = ''.join(value)
if checks.is_empty(multi_parameters, http_request_method):
return parameter
else:
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(parameter):
return parameter
if re.search(settings.VALUE_BOUNDARIES, value):
value = checks.value_boundaries(value)
# Replace the value of parameter with INJECT_HERE tag
inject_value = value.replace(value, settings.INJECT_TAG)
if len(value) == 0:
if settings.IS_JSON:
parameter = parameter.replace(
":\"\"", ":\"" + settings.INJECT_TAG + "\"")
else:
parameter = parameter + settings.INJECT_TAG
else:
parameter = parameter.replace(value, inject_value)
return parameter
else:
# Check if multiple parameters are supplied without the "INJECT_HERE" tag.
if settings.IS_XML:
all_params = multi_parameters
else:
all_params = settings.PARAMETER_DELIMITER.join(multi_parameters)
# Check for similarity in provided parameter name and value.
all_params = all_params.split(settings.PARAMETER_DELIMITER)
all_params = checks.check_similarities(all_params)
# Check if not defined the "INJECT_HERE" tag in parameter
if settings.INJECT_TAG not in parameter:
checks.is_empty(multi_parameters, http_request_method)
for param in range(0, len(all_params)):
if param == 0:
if settings.IS_JSON:
# old = re.findall(r'\:\"(.*)\"', all_params[param])
# old = ''.join(old)
old = re.findall(r'\:(.*)', all_params[param])
old = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '',
''.join(old))
elif settings.IS_XML:
old = re.findall(r'>(.*)</', all_params[param])
old = ''.join(old)
else:
old = re.findall(r'=(.*)', all_params[param])
old = ''.join(old)
else:
old = value
# Grab the value of parameter.
if settings.IS_JSON:
# Grab the value of parameter.
# value = re.findall(r'\:\"(.*)\"', all_params[param])
# value = ''.join(value)
value = re.findall(r'\:(.*)', all_params[param])
value = re.sub(settings.IGNORE_SPECIAL_CHAR_REGEX, '',
''.join(value))
elif settings.IS_XML:
value = re.findall(r'>(.*)</', all_params[param])
value = ''.join(value)
else:
value = re.findall(r'=(.*)', all_params[param])
value = ''.join(value)
# Ignoring the anti-CSRF parameter(s).
if checks.ignore_anticsrf_parameter(all_params[param]):
continue
if re.search(settings.VALUE_BOUNDARIES, value):
value = checks.value_boundaries(value)
# Replace the value of parameter with INJECT_HERE tag
inject_value = value.replace(value, settings.INJECT_TAG)
# Skip testing the parameter(s) with empty value(s).
if menu.options.skip_empty:
if len(value) == 0:
if settings.IS_JSON:
provided_value = re.findall(
r'\:(.*)', all_params[param])
provided_value = re.sub(
settings.IGNORE_SPECIAL_CHAR_REGEX, '',
''.join(value))
elif settings.IS_XML:
provided_value = re.findall(
r'>(.*)</', all_params[param])
provided_value = ''.join(provided_value)
else:
provided_value = re.findall(
r'(.*)=', all_params[param])
provided_value = ''.join(provided_value)
else:
all_params[param] = all_params[param].replace(
value, inject_value)
all_params[param - 1] = all_params[param - 1].replace(
inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(
all_params)
parameters_list.append(parameter)
parameter = parameters_list
else:
if len(value) == 0:
if settings.IS_JSON:
all_params[param] = all_params[param].replace(
":\"\"", ":\"" + settings.INJECT_TAG + "\"")
elif settings.IS_XML:
all_params[param] = all_params[param].replace(
"></", ">" + settings.INJECT_TAG + "</")
else:
all_params[param] = all_params[
param] + settings.INJECT_TAG
else:
all_params[param] = all_params[param].replace(
value, inject_value)
# if settings.IS_JSON and not "\"" + settings.INJECT_TAG + "\"" in all_params[param]:
# all_params[param] = all_params[param].replace(settings.INJECT_TAG, "\"" + settings.INJECT_TAG + "\"")
all_params[param - 1] = all_params[param - 1].replace(
inject_value, old)
parameter = settings.PARAMETER_DELIMITER.join(all_params)
parameters_list.append(
parameter.replace(settings.RANDOM_TAG, ""))
parameter = parameters_list
else:
for param in range(0, len(multi_parameters)):
# Grab the value of parameter.
if settings.IS_JSON:
value = re.findall(r'\"(.*)\"', multi_parameters[param])
value = ''.join(value)
if settings.IS_XML:
value = re.findall(r'>(.*)</', all_params[param])
value = ''.join(value)
else:
value = re.findall(r'=(.*)', multi_parameters[param])
value = ''.join(value)
parameter = settings.PARAMETER_DELIMITER.join(multi_parameters)
return parameter
def do_check(request):
# Check if defined any Host HTTP header.
if menu.options.host and settings.HOST_INJECTION == None:
requests.get(settings.HOST, menu.options.host)
# Check if defined any User-Agent HTTP header.
if menu.options.agent:
requests.Request('GET', settings.USER_AGENT, menu.options.agent)
# Check if defined any Referer HTTP header.
if menu.options.referer and settings.REFERER_INJECTION == None:
requests.get(settings.REFERER, menu.options.referer)
# Check if defined any Cookie HTTP header.
if menu.options.cookie and settings.COOKIE_INJECTION == False:
requests.get(settings.COOKIE, menu.options.cookie)
if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER):
requests.Request('GET', settings.HTTP_ACCEPT_HEADER,
settings.HTTP_ACCEPT_HEADER_VALUE)
# Appends a fake HTTP header 'X-Forwarded-For'
if settings.TAMPER_SCRIPTS["xforwardedfor"]:
from src.core.tamper import xforwardedfor
xforwardedfor.tamper(request)
# Check if defined any HTTP Authentication credentials.
# HTTP Authentication: Basic / Digest Access Authentication.
if menu.options.auth_cred and menu.options.auth_type:
try:
settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
if menu.options.auth_type == "basic":
b64_string = base64.encodestring(
menu.options.auth_cred).replace('\n', '')
request.add_header("Authorization", "Basic " + b64_string + "")
elif menu.options.auth_type == "digest":
try:
url = menu.options.url
try:
response = urllib.request.urlopen(url)
except urllib.error.HTTPError or e:
try:
authline = e.headers.get('www-authenticate', '')
authobj = re.match('''(\w*)\s+realm=(.*),''',
authline).groups()
realm = authobj[1].split(',')[0].replace("\"", "")
user_pass_pair = menu.options.auth_cred.split(":")
username = user_pass_pair[0]
password = user_pass_pair[1]
authhandler = urllib.request.HTTPDigestAuthHandler(
)
authhandler.add_password(realm, url, username,
password)
opener = urllib.request.build_opener(authhandler)
urllib.request.install_opener(opener)
result = urllib.request.urlopen(url)
except AttributeError:
pass
except urllib.error.HTTPError or e:
pass
except ValueError:
err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
err_msg += " Try basic or digest HTTP authentication type."
print((settings.print_critical_msg(err_msg)))
raise sys.exit()
else:
pass
# The MIME media type for JSON.
if settings.IS_JSON:
request.add_header("Content-Type", "application/json")
# Check if defined any extra HTTP headers.
if menu.options.headers or menu.options.header:
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
if menu.options.headers:
menu.options.headers = checks.wildcard_character(
menu.options.headers)
extra_headers = menu.options.headers
else:
menu.options.header = checks.wildcard_character(
menu.options.header)
extra_headers = menu.options.header
extra_headers = extra_headers.replace(":", ": ")
if ": //" in extra_headers:
extra_headers = extra_headers.replace(": //", "://")
if "\\n" in extra_headers:
extra_headers = extra_headers.split("\\n")
# Remove empty strings
extra_headers = [x for x in extra_headers if x]
if menu.options.header and not menu.options.headers and len(
extra_headers) > 1:
warn_msg = "Swithing '--header' to '--headers' "
warn_msg += "due to multiple extra HTTP headers."
print((settings.print_warning_msg(warn_msg)))
else:
tmp_extra_header = []
tmp_extra_header.append(extra_headers)
extra_headers = tmp_extra_header
for extra_header in extra_headers:
# Extra HTTP Header name
http_header_name = re.findall(r"(.*): ", extra_header)
http_header_name = ''.join(http_header_name).strip()
# Extra HTTP Header value
http_header_value = re.findall(r":(.*)", extra_header)
http_header_value = ''.join(http_header_value).strip()
# Check if it is a custom header injection.
if settings.CUSTOM_HEADER_INJECTION == False and \
settings.INJECT_TAG in http_header_value:
settings.CUSTOM_HEADER_INJECTION = True
settings.CUSTOM_HEADER_NAME = http_header_name
request.add_header(http_header_name, http_header_value)
def do_check(request):
# Check if defined any HTTP Host header.
if menu.options.host:
request.add_header('Host', menu.options.host)
# Check if defined any HTTP User-Agent header.
if menu.options.agent:
request.add_header('User-Agent', menu.options.agent)
# Check if defined any HTTP Referer header.
if menu.options.referer and settings.REFERER_INJECTION == False:
request.add_header('Referer', menu.options.referer)
# Check if defined any HTTP Cookie header.
if menu.options.cookie and settings.COOKIE_INJECTION == False:
request.add_header('Cookie', menu.options.cookie)
# Check if defined any HTTP Authentication credentials.
# HTTP Authentication: Basic / Digest Access Authentication.
if not menu.options.ignore_401:
if menu.options.auth_cred and menu.options.auth_type:
try:
settings.SUPPORTED_HTTP_AUTH_TYPES.index(
menu.options.auth_type)
if menu.options.auth_type == "basic":
b64_string = base64.encodestring(
menu.options.auth_cred).replace('\n', '')
request.add_header("Authorization",
"Basic " + b64_string + "")
elif menu.options.auth_type == "digest":
try:
url = menu.options.url
try:
response = urllib2.urlopen(url)
except urllib2.HTTPError, e:
try:
authline = e.headers.get(
'www-authenticate', '')
authobj = re.match('''(\w*)\s+realm=(.*),''',
authline).groups()
realm = authobj[1].split(',')[0].replace(
"\"", "")
user_pass_pair = menu.options.auth_cred.split(
":")
username = user_pass_pair[0]
password = user_pass_pair[1]
authhandler = urllib2.HTTPDigestAuthHandler()
authhandler.add_password(
realm, url, username, password)
opener = urllib2.build_opener(authhandler)
urllib2.install_opener(opener)
result = urllib2.urlopen(url)
except AttributeError:
pass
except urllib2.HTTPError, e:
pass
except ValueError:
err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
err_msg += " Try basic or digest HTTP authentication type."
print settings.print_critical_msg(err_msg)
sys.exit(0)
else:
pass
# The MIME media type for JSON.
if settings.IS_JSON:
request.add_header("Content-Type", "application/json")
# Check if defined any extra HTTP headers.
if menu.options.headers:
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
menu.options.headers = checks.wildcard_character(menu.options.headers)
extra_headers = menu.options.headers
extra_headers = extra_headers.split(":")
extra_headers = ':'.join(extra_headers)
extra_headers = extra_headers.split("\\n")
# Remove empty strings
extra_headers = [x for x in extra_headers if x]
for extra_header in extra_headers:
# Extra HTTP Header name
http_header_name = re.findall(r"(.*):", extra_header)
http_header_name = ''.join(http_header_name)
# Extra HTTP Header value
http_header_value = re.findall(r":(.*)", extra_header)
http_header_value = ''.join(http_header_value)
# Check if it is a custom header injection.
if settings.CUSTOM_HEADER_INJECTION == False and \
settings.INJECT_TAG in http_header_value:
settings.CUSTOM_HEADER_INJECTION = True
settings.CUSTOM_HEADER_NAME = http_header_name
request.add_header(http_header_name, http_header_value)
def do_check(request):
# Check if defined any Host HTTP header.
if menu.options.host and settings.HOST_INJECTION == None:
request.add_header(settings.HOST, menu.options.host)
# Check if defined any User-Agent HTTP header.
if menu.options.agent:
request.add_header(settings.USER_AGENT, menu.options.agent)
# Check if defined any Referer HTTP header.
if menu.options.referer and settings.REFERER_INJECTION == None:
request.add_header(settings.REFERER, menu.options.referer)
# Check if defined any Cookie HTTP header.
if menu.options.cookie and settings.COOKIE_INJECTION == False:
request.add_header(settings.COOKIE, menu.options.cookie)
if not checks.get_header(request.headers, settings.HTTP_ACCEPT_HEADER):
request.add_header(settings.HTTP_ACCEPT_HEADER, settings.HTTP_ACCEPT_HEADER_VALUE)
# The MIME media type for JSON.
if menu.options.data:
if re.search(settings.JSON_RECOGNITION_REGEX, menu.options.data) or \
re.search(settings.JSON_LIKE_RECOGNITION_REGEX, menu.options.data):
request.add_header("Content-Type", "application/json")
# Appends a fake HTTP header 'X-Forwarded-For'
if settings.TAMPER_SCRIPTS["xforwardedfor"]:
from src.core.tamper import xforwardedfor
xforwardedfor.tamper(request)
# Default value for "Accept-Encoding" HTTP header
request.add_header('Accept-Encoding', settings.HTTP_ACCEPT_ENCODING_HEADER_VALUE)
# Check if defined any HTTP Authentication credentials.
# HTTP Authentication: Basic / Digest Access Authentication.
if menu.options.auth_cred and menu.options.auth_type:
try:
settings.SUPPORTED_HTTP_AUTH_TYPES.index(menu.options.auth_type)
if menu.options.auth_type == "basic":
b64_string = encodebytes(menu.options.auth_cred.encode(settings.UNICODE_ENCODING)).decode().replace('\n', '')
request.add_header("Authorization", "Basic " + b64_string + "")
elif menu.options.auth_type == "digest":
try:
url = menu.options.url
try:
response = _urllib.request.urlopen(url, timeout=settings.TIMEOUT)
except _urllib.error.HTTPError as e:
try:
authline = e.headers.get('www-authenticate', '')
authobj = re.match('''(\w*)\s+realm=(.*),''',authline).groups()
realm = authobj[1].split(',')[0].replace("\"","")
user_pass_pair = menu.options.auth_cred.split(":")
username = user_pass_pair[0]
password = user_pass_pair[1]
authhandler = _urllib.request.HTTPDigestAuthHandler()
authhandler.add_password(realm, url, username, password)
opener = _urllib.request.build_opener(authhandler)
_urllib.request.install_opener(opener)
result = _urllib.request.urlopen(url, timeout=settings.TIMEOUT)
except AttributeError:
pass
except _urllib.error.HTTPError as e:
pass
except ValueError:
err_msg = "Unsupported / Invalid HTTP authentication type '" + menu.options.auth_type + "'."
err_msg += " Try basic or digest HTTP authentication type."
print(settings.print_critical_msg(err_msg))
raise SystemExit()
else:
pass
# Check if defined any extra HTTP headers.
if menu.options.headers or menu.options.header or len(settings.RAW_HTTP_HEADERS) >= 1:
if len(settings.RAW_HTTP_HEADERS) >= 1:
menu.options.headers = settings.RAW_HTTP_HEADERS
# Do replacement with the 'INJECT_HERE' tag, if the wildcard char is provided.
if menu.options.headers:
menu.options.headers = checks.wildcard_character(menu.options.headers)
extra_headers = menu.options.headers
else:
menu.options.header = checks.wildcard_character(menu.options.header)
extra_headers = menu.options.header
extra_headers = extra_headers.replace(":",": ")
if ": //" in extra_headers:
extra_headers = extra_headers.replace(": //" ,"://")
if "\\n" in extra_headers:
extra_headers = extra_headers.split("\\n")
# Remove empty strings and "Content-Length"
extra_headers = [x for x in extra_headers if "Content-Length" not in x]
else:
tmp_extra_header = []
tmp_extra_header.append(extra_headers)
extra_headers = tmp_extra_header
# Remove empty strings
extra_headers = [x for x in extra_headers if x]
for extra_header in extra_headers:
try:
# Extra HTTP Header name
http_header_name = extra_header.split(':', 1)[0]
http_header_name = ''.join(http_header_name).strip()
# Extra HTTP Header value
http_header_value = extra_header.split(':', 1)[1]
http_header_value = ''.join(http_header_value).strip().replace(": ",":")
# Check if it is a custom header injection.
if settings.CUSTOM_HEADER_INJECTION == False and \
settings.INJECT_TAG in http_header_value:
settings.CUSTOM_HEADER_INJECTION = True
settings.CUSTOM_HEADER_NAME = http_header_name
# Add HTTP Header name / value to the HTTP request
if http_header_name not in [settings.HOST, settings.USER_AGENT, settings.REFERER, settings.COOKIE]:
request.add_header(http_header_name.encode(settings.UNICODE_ENCODING), http_header_value.encode(settings.UNICODE_ENCODING))
except:
pass
# eof
