def injection_proccess(url, check_parameter, http_request_method, filename, delay):
# User-Agent Injection / Referer Injection / Custom header Injection
if check_parameter.startswith(" "):
header_name = ""
the_type = " HTTP header "
else:
if settings.COOKIE_INJECTION:
header_name = " cookie"
else:
header_name = ""
the_type = " parameter "
check_parameter = " '" + check_parameter + "'"
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
if not settings.LOAD_SESSION:
info_msg = "Setting the " + "(" + http_request_method
info_msg += ")" + check_parameter + header_name + the_type + "for tests."
print settings.print_info_msg(info_msg)
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
settings.CLASSIC_STATE = True
else:
settings.CLASSIC_STATE = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
settings.EVAL_BASED_STATE = True
else:
settings.EVAL_BASED_STATE = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
settings.TIME_BASED_STATE = True
else:
settings.TIME_BASED_STATE = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
settings.FILE_BASED_STATE = True
else:
settings.FILE_BASED_STATE = False
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False :
warn_msg = "The tested (" + http_request_method + ")"
warn_msg += check_parameter + header_name + the_type
warn_msg += "seems to be not injectable."
print settings.print_warning_msg(warn_msg)
def execute_eval_based_technique(url, delay, filename, http_request_method):
if eb_handler.exploitation(url, delay, filename, http_request_method) == False:
if http_request_method == "GET":
print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable via "+ menu.options.tech + "." + Style.RESET_ALL
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + Style.RESET_ALL
sys.stdout.write(Style.BRIGHT + "\r(!) The process of testing the "+ menu.options.tech + " injection technique... " + Style.RESET_ALL + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
def execute_eval_based_technique(url, delay, filename, http_request_method):
if eb_handler.exploitation(url, delay, filename,
http_request_method) == False:
if http_request_method == "GET":
print Back.RED + "(x) The url '" + url + "' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '" + parameter + "' parameter appear to be not injectable via " + menu.options.tech + "." + Style.RESET_ALL
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + Style.RESET_ALL
sys.stdout.write(Style.BRIGHT + "\r(!) The process of testing the " +
menu.options.tech + " injection technique... " +
Style.RESET_ALL + "[ " + percent + " ]")
sys.stdout.flush()
logs.logs_notification(filename)
sys.exit(0)
def dynamic_code_evaluation_technique(url, timesec, filename,
http_request_method):
injection_type = "results-based dynamic code evaluation"
technique = "dynamic code evaluation technique"
if not settings.SKIP_CODE_INJECTIONS:
if (len(menu.options.tech) == 0 or "e"
in menu.options.tech) or settings.SKIP_COMMAND_INJECTIONS:
settings.EVAL_BASED_STATE = None
if eb_handler.exploitation(url, timesec, filename,
http_request_method, injection_type,
technique) != False:
while True:
if not menu.options.batch:
settings.EVAL_BASED_STATE = True
question_msg = "Skipping of further command injection checks is recommended. "
question_msg += "Do you agree? [Y/n] > "
procced_option = _input(
settings.print_question_msg(question_msg))
else:
procced_option = ""
if len(procced_option) == 0:
procced_option = "Y"
if procced_option in settings.CHOICE_YES:
settings.SKIP_COMMAND_INJECTIONS = True
break
elif procced_option in settings.CHOICE_NO:
if settings.SKIP_COMMAND_INJECTIONS:
settings.SKIP_COMMAND_INJECTIONS = False
break
elif procced_option in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print(settings.print_error_msg(err_msg))
pass
else:
settings.EVAL_BASED_STATE = False
else:
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "Skipping test the " + "(" + injection_type.split(
" ")[0] + ") " + technique + ". "
print(settings.print_debug_msg(debug_msg))
else:
if settings.VERBOSITY_LEVEL != 0:
debug_msg = "Skipping test the " + "(" + injection_type.split(
" ")[0] + ") " + technique + ". "
print(settings.print_debug_msg(debug_msg))
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION and not settings.USER_AGENT_INJECTION and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else:
pass
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
info_msg = (
"(x) Critical: The tested ("
+ http_request_method
+ ")"
+ check_parameter
+ " parameter appear to be not injectable."
)
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
# else:
# print ""
sys.exit(0)
def do_check(url):
# Print the findings to log file.
parts = url.split('//', 1)
host = parts[1].split('/', 1)[0]
try:
os.stat(settings.OUTPUT_DIR + host + "/")
except:
os.mkdir(settings.OUTPUT_DIR + host + "/")
# The logs filename construction.
filename = settings.OUTPUT_DIR + host + "/" + settings.OUTPUT_FILE_NAME
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\nTime : " + datetime.datetime.fromtimestamp(time.time()).strftime('%H:%M:%S'))
output_file.write("\nDate : " + datetime.datetime.fromtimestamp(time.time()).strftime('%m/%d/%Y'))
output_file.write("\n---")
output_file.write("\nURL : " + url)
output_file.write("\n---")
output_file.close()
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print colors.BGRED + "(x) Error: You must specify both login panel URL and login parameters.\n" + colors.RESET
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Check if it is vulnerable to classic command injection technique.
if menu.options.tech == "classic":
if cb_handler.exploitation(url,delay,filename,http_request_method) == None:
if http_request_method == "GET":
print colors.BGRED + "(x) The url '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(!) The process of testing the "+ menu.options.tech + " injection technique... " + colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
# Check if it is vulnerable to eval-based command injection technique.
elif menu.options.tech == "eval-based":
if eb_handler.exploitation(url,delay,filename,http_request_method) == None:
if http_request_method == "GET":
print colors.BGRED + "(x) The url '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(!) The process of testing the "+ menu.options.tech + " injection technique... " + colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
# Check if it is vulnerable to time-based blind command injection technique.
elif menu.options.tech == "time-based":
if tb_handler.exploitation(url,delay,filename,http_request_method) == None:
if http_request_method == "GET":
print colors.BGRED + "(x) The url '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(!) The process of testing the "+ menu.options.tech + " injection technique... " + colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
# Check if it is vulnerable to file-based semiblind command injection technique.
elif menu.options.tech == "file-based":
if fb_handler.exploitation(url,delay,filename,http_request_method) == None:
if http_request_method == "GET":
print colors.BGRED + "(x) The url '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(!) The process of testing the "+ menu.options.tech + " injection technique... " + colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
else:
# Automated command injection and exploitation.
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url,delay,filename,http_request_method) == None:
classic_state = False
else:
classic_state = True
# Check if eval results-based command injection technique succeeds.
if eb_handler.exploitation(url,delay,filename,http_request_method) == None:
eval_based_state = False
else:
eval_based_state = True
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url,delay,filename,http_request_method) == None:
time_based_state = False
else:
time_based_state = True
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url,delay,filename,http_request_method) == None:
file_based_state = False
else:
file_based_state = True
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
if http_request_method == "GET":
print colors.BGRED + "(x) The url '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + colors.RESET
print "(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
#eof
def do_check(url):
# The logs filename construction.
filename = logs.create_log_file(url)
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Load modules
modules_handler.load_modules(url, http_request_method)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename, http_request_method) == False:
classic_state = False
else:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename, http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method) == False:
time_based_state = False
else:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method) == False:
file_based_state = False
else:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename, http_request_method) == False:
classic_state = False
else:
classic_state = True
elif menu.options.tech == "classic":
execute_classic_technique(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename, http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
elif menu.options.tech == "eval-based":
execute_eval_based_technique(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename, http_request_method) == False:
time_based_state = False
else:
time_based_state = True
elif menu.options.tech == "time-based":
execute_time_based_technique(url, delay, filename, http_request_method)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename, http_request_method) == False:
file_based_state = False
else:
file_based_state = True
elif menu.options.tech == "file-based":
execute_file_based_technique(url, delay, filename, http_request_method)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
if http_request_method == "GET":
print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
else:
print "(*) The results can be found at '" + os.getcwd() + "/" + filename +".txt'"
sys.exit(0)
#eof
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
if http_request_method == "GET":
print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
else:
logs.logs_notification(filename)
sys.exit(0)
#eof
def injection_proccess(url, check_parameter, http_request_method, filename,
timesec):
# Skipping specific injection techniques.
if settings.SKIP_TECHNIQUES:
menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
if skip_tech_name in menu.options.skip_tech:
menu.options.tech = menu.options.tech.replace(
skip_tech_name, "")
if len(menu.options.tech) == 0:
err_msg = "Detection procedure was aborted due to skipping all injection techniques."
print settings.print_critical_msg(err_msg)
raise SystemExit
# User-Agent Injection / Referer Injection / Custom header Injection
if check_parameter.startswith(" "):
header_name = ""
the_type = " HTTP header"
else:
if settings.COOKIE_INJECTION:
header_name = " cookie"
else:
header_name = ""
the_type = " parameter"
check_parameter = " '" + check_parameter + "'"
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
if not settings.LOAD_SESSION:
info_msg = "Setting the"
if not header_name == " cookie" and not the_type == " HTTP header":
info_msg += " " + http_request_method + ""
info_msg += the_type + header_name + check_parameter + " for tests."
print settings.print_info_msg(info_msg)
# Estimating the response time (in seconds)
timesec, url_time_response = requests.estimate_response_time(url, timesec)
skip_code_injections = False
skip_command_injections = False
# Procced with file-based semiblind command injection technique,
# once the user provides the path of web server's root directory.
if menu.options.web_root and not "f" in menu.options.tech:
if not menu.options.web_root.endswith("/"):
menu.options.web_root = menu.options.web_root + "/"
if checks.procced_with_file_based_technique():
menu.options.tech = "f"
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
settings.CLASSIC_STATE = None
if cb_handler.exploitation(url, timesec, filename,
http_request_method) != False:
if not menu.options.tech or "e" in menu.options.tech:
if not menu.options.batch:
settings.CLASSIC_STATE = True
question_msg = "Due to results, "
question_msg += "skipping of code injection checks is recommended. "
question_msg += "Do you agree? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
procced_option = sys.stdin.readline().replace("\n",
"").lower()
else:
procced_option = ""
if len(procced_option) == 0:
procced_option = "y"
if procced_option in settings.CHOICE_YES:
skip_code_injections = True
elif procced_option in settings.CHOICE_NO:
pass
elif procced_option in settings.CHOICE_QUIT:
sys.exit(0)
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
settings.CLASSIC_STATE = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if not skip_code_injections:
settings.EVAL_BASED_STATE = None
if eb_handler.exploitation(url, timesec, filename,
http_request_method) != False:
if not menu.options.batch:
settings.EVAL_BASED_STATE = True
question_msg = "Due to results, "
question_msg += "skipping of further command injection checks is recommended. "
question_msg += "Do you agree? [Y/n] > "
sys.stdout.write(settings.print_question_msg(question_msg))
procced_option = sys.stdin.readline().replace("\n",
"").lower()
else:
procced_option = ""
if len(procced_option) == 0:
procced_option = "y"
if procced_option in settings.CHOICE_YES:
skip_command_injections = True
elif procced_option in settings.CHOICE_NO:
pass
elif procced_option in settings.CHOICE_QUIT:
sys.exit(0)
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
settings.EVAL_BASED_STATE = False
if not skip_command_injections:
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
settings.TIME_BASED_STATE = None
if tb_handler.exploitation(url, timesec, filename,
http_request_method,
url_time_response) != False:
settings.TIME_BASED_STATE = True
else:
settings.TIME_BASED_STATE = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech and not skip_command_injections:
settings.FILE_BASED_STATE = None
if fb_handler.exploitation(url, timesec, filename,
http_request_method,
url_time_response) != False:
settings.FILE_BASED_STATE = True
else:
settings.FILE_BASED_STATE = False
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
warn_msg = "The tested"
if not header_name == " cookie" and not the_type == " HTTP header":
warn_msg += " " + http_request_method + ""
warn_msg += the_type + header_name + check_parameter
warn_msg += " seems to be not injectable."
print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
def injection_proccess(url, check_parameter, http_request_method, filename,
timesec):
if menu.options.ignore_code:
info_msg = "Ignoring '" + str(
menu.options.ignore_code) + "' HTTP error code. "
print(settings.print_info_msg(info_msg))
# Skipping specific injection techniques.
if settings.SKIP_TECHNIQUES:
menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES)
for skip_tech_name in settings.AVAILABLE_TECHNIQUES:
if skip_tech_name in menu.options.skip_tech:
menu.options.tech = menu.options.tech.replace(
skip_tech_name, "")
if len(menu.options.tech) == 0:
err_msg = "Detection procedure was aborted due to skipping all injection techniques."
print(settings.print_critical_msg(err_msg))
raise SystemExit
# User-Agent HTTP header / Referer HTTP header /
# Host HTTP header / Custom HTTP header Injection(s)
if check_parameter.startswith(" "):
header_name = ""
the_type = " HTTP header"
else:
if settings.COOKIE_INJECTION:
header_name = " cookie"
else:
header_name = ""
the_type = " parameter"
check_parameter = " '" + check_parameter + "'"
# Estimating the response time (in seconds)
timesec, url_time_response = requests.estimate_response_time(url, timesec)
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Check for identified warnings
url = heuristic_basic(url, http_request_method)
if settings.IDENTIFIED_WARNINGS:
if not settings.SKIP_COMMAND_INJECTIONS:
ci = "command injection techniques"
ce = "code injection technique"
if not menu.options.batch:
question_msg = "Do you want to skip test payloads for "
question_msg += ci + "? [Y/n] > "
procced_option = _input(
settings.print_question_msg(question_msg))
else:
procced_option = ""
if procced_option in settings.CHOICE_YES or len(
procced_option) == 0:
if settings.VERBOSITY_LEVEL >= 1:
debug_msg = "Skipping " + ci + "."
print(settings.print_debug_msg(debug_msg))
settings.CLASSIC_STATE = settings.TIME_BASED_STATE = settings.FILE_BASED_STATE = False
settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = True
elif procced_option in settings.CHOICE_NO:
if settings.VERBOSITY_LEVEL >= 1:
debug_msg = "Skipping " + ce + "."
print(settings.print_debug_msg(debug_msg))
settings.SKIP_CODE_INJECTIONS = True
settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = False
elif procced_option in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print(settings.print_error_msg(err_msg))
pass
if not settings.LOAD_SESSION:
info_msg = "Setting the"
if not header_name == " cookie" and not the_type == " HTTP header":
info_msg += " " + http_request_method + ""
info_msg += ('', ' (JSON)')[settings.IS_JSON] + (
'', ' (SOAP/XML)')[settings.IS_XML]
if header_name == " cookie":
info_msg += header_name + the_type + check_parameter + " for tests."
else:
info_msg += the_type + header_name + check_parameter + " for tests."
print(settings.print_info_msg(info_msg))
if menu.options.failed_tries and \
menu.options.tech and not "f" in menu.options.tech and not \
menu.options.failed_tries:
warn_msg = "Due to the provided (unsuitable) injection technique"
warn_msg += "s"[len(menu.options.tech) == 1:][::-1] + ", "
warn_msg += "the option '--failed-tries' will be ignored."
print(settings.print_warning_msg(warn_msg)) + Style.RESET_ALL
# Procced with file-based semiblind command injection technique,
# once the user provides the path of web server's root directory.
if menu.options.web_root and \
menu.options.tech and not "f" in menu.options.tech:
if not menu.options.web_root.endswith("/"):
menu.options.web_root = menu.options.web_root + "/"
if checks.procced_with_file_based_technique():
menu.options.tech = "f"
if not menu.options.tech:
menu.options.tech = ""
if len(menu.options.tech) == 0 or "c" in menu.options.tech:
settings.CLASSIC_STATE = True
if len(menu.options.tech) == 0 or "e" in menu.options.tech:
settings.EVAL_BASED_STATE = True
if len(menu.options.tech) == 0 or "t" in menu.options.tech:
settings.TIME_BASED_STATE = True
if len(menu.options.tech) == 0 or "f" in menu.options.tech:
settings.FILE_BASED_STATE = True
# Check if it is vulnerable to classic command injection technique.
if not settings.SKIP_COMMAND_INJECTIONS and settings.CLASSIC_STATE:
settings.CLASSIC_STATE = None
if cb_handler.exploitation(url, timesec, filename,
http_request_method) != False:
if settings.EVAL_BASED_STATE:
if not menu.options.batch:
settings.CLASSIC_STATE = True
question_msg = "Due to results, "
question_msg += "skipping of code injection checks is recommended. "
question_msg += "Do you agree? [Y/n] > "
procced_option = _input(
settings.print_question_msg(question_msg))
else:
procced_option = ""
if len(procced_option) == 0:
procced_option = "Y"
if procced_option in settings.CHOICE_YES:
if settings.VERBOSITY_LEVEL >= 1:
debug_msg = "Skipping code injection checks."
print(settings.print_debug_msg(debug_msg))
settings.SKIP_CODE_INJECTIONS = True
elif procced_option in settings.CHOICE_NO:
pass
elif procced_option in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print(settings.print_error_msg(err_msg))
pass
else:
settings.CLASSIC_STATE = False
# Check if it is vulnerable to eval-based code injection technique.
if not settings.SKIP_CODE_INJECTIONS and settings.EVAL_BASED_STATE:
settings.EVAL_BASED_STATE = None
if eb_handler.exploitation(url, timesec, filename,
http_request_method) != False:
if not menu.options.batch:
settings.EVAL_BASED_STATE = True
question_msg = "Due to results, "
question_msg += "skipping of further command injection checks is recommended. "
question_msg += "Do you agree? [Y/n] > "
procced_option = _input(
settings.print_question_msg(question_msg))
else:
procced_option = ""
if len(procced_option) == 0:
procced_option = "Y"
if procced_option in settings.CHOICE_YES:
if settings.VERBOSITY_LEVEL >= 1:
debug_msg = "Skipping command injection checks."
print(settings.print_debug_msg(debug_msg))
settings.SKIP_COMMAND_INJECTIONS = True
elif procced_option in settings.CHOICE_NO:
pass
elif procced_option in settings.CHOICE_QUIT:
raise SystemExit()
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print(settings.print_error_msg(err_msg))
pass
else:
settings.EVAL_BASED_STATE = False
if not settings.SKIP_COMMAND_INJECTIONS:
# Check if it is vulnerable to time-based blind command injection technique.
if settings.TIME_BASED_STATE:
settings.TIME_BASED_STATE = None
if tb_handler.exploitation(url, timesec, filename,
http_request_method,
url_time_response) != False:
settings.TIME_BASED_STATE = True
else:
settings.TIME_BASED_STATE = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if settings.FILE_BASED_STATE:
settings.FILE_BASED_STATE = None
if fb_handler.exploitation(url, timesec, filename,
http_request_method,
url_time_response) != False:
settings.FILE_BASED_STATE = True
else:
settings.FILE_BASED_STATE = False
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
warn_msg = "The tested"
if not header_name == " cookie" and not the_type == " HTTP header":
warn_msg += " " + http_request_method + ""
warn_msg += the_type + header_name + check_parameter
warn_msg += " seems to be not injectable."
print(settings.print_warning_msg(warn_msg)) + Style.RESET_ALL
def do_check(url):
# The logs filename construction.
filename = logs.create_log_file(url)
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Load modules
modules_handler.load_modules(url, http_request_method)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename,
http_request_method) == False:
classic_state = False
else:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename,
http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename,
http_request_method) == False:
time_based_state = False
else:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename,
http_request_method) == False:
file_based_state = False
else:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(
menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename,
http_request_method) == False:
classic_state = False
else:
classic_state = True
elif menu.options.tech == "classic":
execute_classic_technique(url, delay, filename,
http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename,
http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
elif menu.options.tech == "eval-based":
execute_eval_based_technique(url, delay, filename,
http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename,
http_request_method) == False:
time_based_state = False
else:
time_based_state = True
elif menu.options.tech == "time-based":
execute_time_based_technique(url, delay, filename,
http_request_method)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename,
http_request_method) == False:
file_based_state = False
else:
file_based_state = True
elif menu.options.tech == "file-based":
execute_file_based_technique(url, delay, filename,
http_request_method)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
if http_request_method == "GET":
print Back.RED + "(x) The url '" + url + "' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '" + parameter + "' parameter appear to be not injectable." + Style.RESET_ALL
else:
print "(*) The results can be found at '" + os.getcwd(
) + "/" + filename + ".txt'"
sys.exit(0)
#eof
def do_check(url):
# Print the findings to log file.
parts = url.split('//', 1)
host = parts[1].split('/', 1)[0]
try:
os.stat(settings.OUTPUT_DIR + host + "/")
except:
os.mkdir(settings.OUTPUT_DIR + host + "/")
# The logs filename construction.
filename = settings.OUTPUT_DIR + host + "/" + settings.OUTPUT_FILE_NAME
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write("\nTime : " + datetime.datetime.fromtimestamp(time.time()).strftime('%H:%M:%S'))
output_file.write("\nDate : " + datetime.datetime.fromtimestamp(time.time()).strftime('%m/%d/%Y'))
output_file.write("\n---")
output_file.write("\nURL : " + url)
output_file.write("\n---")
output_file.close()
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Load modules
modules_handler.load_modules(url,http_request_method)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url,delay,filename,http_request_method) == False:
classic_state = False
else:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url,delay,filename,http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url,delay,filename,http_request_method) == False:
time_based_state = False
else:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url,delay,filename,http_request_method) == False:
file_based_state = False
else:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url,delay,filename,http_request_method) == False:
classic_state = False
else:
classic_state = True
elif menu.options.tech == "classic":
execute_classic_technique(url,delay,filename,http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url,delay,filename,http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
elif menu.options.tech == "eval-based":
execute_eval_based_technique(url,delay,filename,http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url,delay,filename,http_request_method) == False:
time_based_state = False
else:
time_based_state = True
elif menu.options.tech == "time-based":
execute_time_based_technique(url,delay,filename,http_request_method)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url,delay,filename,http_request_method) == False:
file_based_state = False
else:
file_based_state = True
elif menu.options.tech == "file-based":
execute_file_based_technique(url,delay,filename,http_request_method)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
if http_request_method == "GET":
print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
else:
print "(*) The results can be found at '" + os.getcwd() + "/" + filename +".txt'"
sys.exit(0)
#eof
def do_check(url):
# Print the findings to log file.
parts = url.split('//', 1)
host = parts[1].split('/', 1)[0]
try:
os.stat(settings.OUTPUT_DIR + host + "/")
except:
os.mkdir(settings.OUTPUT_DIR + host + "/")
filename = datetime.datetime.fromtimestamp(time.time()).strftime('%Y_%m_%d_%H_%M_%S')
filename = settings.OUTPUT_DIR + host + "/" + filename
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Host : " + host)
output_file.write("\n(+) Date : " + datetime.datetime.fromtimestamp(time.time()).strftime('%m/%d/%Y'))
output_file.write("\n(+) Time : " + datetime.datetime.fromtimestamp(time.time()).strftime('%H:%M:%S'))
output_file.close()
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print colors.BGRED + "(x) Error: You must specify both login panel URL and login parameters.\n" + colors.RESET
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Check if it is vulnerable to classic command injection technique.
if menu.options.tech == "classic":
if cb_handler.exploitation(url,delay,filename,http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' appear to be not injectable." + colors.RESET
print "(*) The scan has finished successfully!"
print "(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
# Check if it is vulnerable to eval-based command injection technique.
elif menu.options.tech == "eval-based":
if eb_handler.exploitation(url,delay,filename,http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' appear to be not injectable." + colors.RESET
print "(*) The scan has finished successfully!"
print "(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
# Check if it is vulnerable to time-based blind command injection technique.
elif menu.options.tech == "time-based":
if tb_handler.exploitation(url,delay,filename,http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' appear to be not injectable." + colors.RESET
print "(*) The scan has finished successfully!"
print "(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
# Check if it is vulnerable to file-based semiblind command injection technique.
elif menu.options.tech == "file-based":
if fb_handler.exploitation(url,delay,filename,http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' appear to be not injectable." + colors.RESET
print "(*) The scan has finished successfully!"
print "(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
else:
# Automated command injection and exploitation.
if cb_handler.exploitation(url,delay,filename,http_request_method) == False:
classic_state = False
else:
classic_state = True
if eb_handler.exploitation(url,delay,filename,http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
if tb_handler.exploitation(url,delay,filename,http_request_method) == False:
time_based_state = False
else:
time_based_state = True
if fb_handler.exploitation(url,delay,filename,http_request_method) == False:
file_based_state = False
else:
file_based_state = True
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
if http_request_method == "GET":
print colors.BGRED + "(x) The '"+ url +"' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '"+ parameter +"' appear to be not injectable." + colors.RESET
print "\n(*) The scan has finished successfully!"
print "(*) Results can be found at : '" + os.getcwd() + "/" + filename +".txt' \n"
sys.exit(0)
#eof
def do_check(url):
# Print the findings to log file.
parts = url.split('//', 1)
host = parts[1].split('/', 1)[0]
try:
os.stat(settings.OUTPUT_DIR + host + "/")
except:
os.mkdir(settings.OUTPUT_DIR + host + "/")
filename = datetime.datetime.fromtimestamp(
time.time()).strftime('%Y_%m_%d_%H_%M_%S')
filename = settings.OUTPUT_DIR + host + "/" + filename
output_file = open(filename + ".txt", "a")
output_file.write("\n(+) Host : " + host)
output_file.write(
"\n(+) Date : " +
datetime.datetime.fromtimestamp(time.time()).strftime('%m/%d/%Y'))
output_file.write(
"\n(+) Time : " +
datetime.datetime.fromtimestamp(time.time()).strftime('%H:%M:%S'))
output_file.close()
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print colors.BGRED + "(x) Error: You must specify both login panel URL and login parameters.\n" + colors.RESET
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Check if it is vulnerable to classic command injection technique.
if menu.options.tech == "classic":
if cb_handler.exploitation(url, delay, filename,
http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '" + url + "' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '" + parameter + "' appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(*) The process of testing the " +
menu.options.tech + " injection technique... " +
colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd(
) + "/" + filename + ".txt' \n"
sys.exit(0)
# Check if it is vulnerable to eval-based command injection technique.
elif menu.options.tech == "eval-based":
if eb_handler.exploitation(url, delay, filename,
http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '" + url + "' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '" + parameter + "' appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(*) The process of testing the " +
menu.options.tech + " injection technique... " +
colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd(
) + "/" + filename + ".txt' \n"
sys.exit(0)
# Check if it is vulnerable to time-based blind command injection technique.
elif menu.options.tech == "time-based":
if tb_handler.exploitation(url, delay, filename,
http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '" + url + "' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '" + parameter + "' appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(*) The process of testing the " +
menu.options.tech + " injection technique... " +
colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd(
) + "/" + filename + ".txt' \n"
sys.exit(0)
# Check if it is vulnerable to file-based semiblind command injection technique.
elif menu.options.tech == "file-based":
if fb_handler.exploitation(url, delay, filename,
http_request_method) == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '" + url + "' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '" + parameter + "' appear to be not injectable." + colors.RESET
if menu.options.verbose:
print "\n"
percent = colors.PURPLE + "FINISHED" + colors.RESET
sys.stdout.write(colors.BOLD + "\r(*) The process of testing the " +
menu.options.tech + " injection technique... " +
colors.RESET + "[ " + percent + " ]")
sys.stdout.flush()
print "\n(*) Results can be found at : '" + os.getcwd(
) + "/" + filename + ".txt' \n"
sys.exit(0)
else:
# Automated command injection and exploitation.
if cb_handler.exploitation(url, delay, filename,
http_request_method) == False:
classic_state = False
else:
classic_state = True
if eb_handler.exploitation(url, delay, filename,
http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
if tb_handler.exploitation(url, delay, filename,
http_request_method) == False:
time_based_state = False
else:
time_based_state = True
if fb_handler.exploitation(url, delay, filename,
http_request_method) == False:
file_based_state = False
else:
file_based_state = True
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
if http_request_method == "GET":
print colors.BGRED + "(x) The '" + url + "' appear to be not injectable." + colors.RESET
else:
print colors.BGRED + "(x) The '" + parameter + "' appear to be not injectable." + colors.RESET
print "(*) Results can be found at : '" + os.getcwd(
) + "/" + filename + ".txt' \n"
sys.exit(0)
#eof
def injection_proccess(url, check_parameter, http_request_method, filename,
delay):
# User-Agent Injection / Referer Injection / Custom header Injection
if check_parameter.startswith(" "):
header_name = ""
the_type = " HTTP header"
else:
if settings.COOKIE_INJECTION:
header_name = " cookie"
else:
header_name = ""
the_type = " parameter"
check_parameter = " '" + check_parameter + "'"
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
if not settings.LOAD_SESSION:
info_msg = "Setting the"
if not header_name == " cookie" and not the_type == " HTTP header":
info_msg += " " + http_request_method + ""
info_msg += the_type + header_name + check_parameter + " for tests."
print settings.print_info_msg(info_msg)
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, delay)
skip_code_injections = False
skip_command_injections = False
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
settings.CLASSIC_STATE = None
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
settings.CLASSIC_STATE = True
question_msg = "Due to resuts "
question_msg += "skipping of code injection checks is recommended. "
question_msg += "Do you agree? [Y/n/q] > "
sys.stdout.write(settings.print_question_msg(question_msg))
procced_option = sys.stdin.readline().replace("\n", "").lower()
if len(procced_option) == 0:
procced_option = "y"
if procced_option in settings.CHOICE_YES:
skip_code_injections = True
elif procced_option in settings.CHOICE_NO:
pass
elif procced_option in settings.CHOICE_QUIT:
sys.exit(0)
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
settings.CLASSIC_STATE = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if not skip_code_injections:
settings.EVAL_BASED_STATE = None
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
settings.EVAL_BASED_STATE = True
question_msg = "Due to resuts, "
question_msg += "skipping of further command injection checks is recommended. "
question_msg += "Do you agree? [Y/n/q] > "
sys.stdout.write(settings.print_question_msg(question_msg))
procced_option = sys.stdin.readline().replace("\n", "").lower()
if len(procced_option) == 0:
procced_option = "y"
if procced_option in settings.CHOICE_YES:
skip_command_injections = True
elif procced_option in settings.CHOICE_NO:
pass
elif procced_option in settings.CHOICE_QUIT:
sys.exit(0)
else:
err_msg = "'" + procced_option + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
else:
settings.EVAL_BASED_STATE = False
if not skip_command_injections:
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
settings.TIME_BASED_STATE = None
if tb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
settings.TIME_BASED_STATE = True
else:
settings.TIME_BASED_STATE = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech and not skip_command_injections:
settings.FILE_BASED_STATE = None
if fb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
settings.FILE_BASED_STATE = True
else:
settings.FILE_BASED_STATE = False
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
warn_msg = "The tested"
if not header_name == " cookie" and not the_type == " HTTP header":
warn_msg += " " + http_request_method + ""
warn_msg += the_type + header_name + check_parameter
warn_msg += " seems to be not injectable."
print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else :
pass
if len(check_parameter) != 0 :
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False :
if http_request_method == "GET":
print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL
else:
logs.logs_notification(filename)
sys.exit(0)
#eof
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
check_parameter = ""
the_type = " HTTP header "
else:
pass
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(
url, http_request_method, delay)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(
menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
elif menu.options.tech == "classic":
cb_handler.exploitation(url, delay, filename, http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
elif menu.options.tech == "eval-based":
eb_handler.exploitation(url, delay, filename, http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
time_based_state = True
elif menu.options.tech == "time-based":
tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename,
http_request_method,
url_time_response) != False:
file_based_state = True
elif menu.options.tech == "file-based":
fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
info_msg = "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
# else:
# print ""
sys.exit(0)
def injection_proccess(url, check_parameter, http_request_method, filename,
delay):
# User-Agent Injection / Referer Injection / Custom header Injection
if check_parameter.startswith(" "):
header_name = ""
the_type = " HTTP header"
else:
if settings.COOKIE_INJECTION:
header_name = " cookie"
else:
header_name = ""
the_type = " parameter"
check_parameter = " '" + check_parameter + "'"
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
if not settings.LOAD_SESSION:
info_msg = "Setting the"
if not header_name == " cookie" and not the_type == " HTTP header":
info_msg += " " + http_request_method + ""
info_msg += the_type + header_name + check_parameter + " for tests."
print settings.print_info_msg(info_msg)
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(
url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
settings.CLASSIC_STATE = None
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
settings.CLASSIC_STATE = True
else:
settings.CLASSIC_STATE = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
settings.EVAL_BASED_STATE = None
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
settings.EVAL_BASED_STATE = True
else:
settings.EVAL_BASED_STATE = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
settings.TIME_BASED_STATE = None
if tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
settings.TIME_BASED_STATE = True
else:
settings.TIME_BASED_STATE = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
settings.FILE_BASED_STATE = None
if fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
settings.FILE_BASED_STATE = True
else:
settings.FILE_BASED_STATE = False
# All injection techniques seems to be failed!
if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False:
warn_msg = "The tested"
if not header_name == " cookie" and not the_type == " HTTP header":
warn_msg += " " + http_request_method + ""
warn_msg += the_type + header_name + check_parameter
warn_msg += " seems to be not injectable."
print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
settings.HTTP_HEADER = header_name[1:].replace("-","").lower()
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = ""
the_type = " HTTP header "
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check for session file
if not menu.options.ignore_session:
if os.path.isfile(settings.SESSION_FILE):
if not menu.options.tech:
menu.options.tech = session_handler.applied_techniques(url, http_request_method)
if session_handler.check_stored_parameter(url, http_request_method):
settings.LOAD_SESSION = True
if menu.options.flush_session:
session_handler.flush(url)
if len(check_parameter) != 0 :
check_parameter = " '" + check_parameter + "'"
print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
if cb_handler.exploitation(url, delay, filename, http_request_method) != False:
classic_state = True
else:
classic_state = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if eb_handler.exploitation(url, delay, filename, http_request_method) != False:
eval_based_state = True
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
time_based_state = True
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False:
file_based_state = True
else:
file_based_state = False
if classic_state == eval_based_state == time_based_state == file_based_state == False :
info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell :
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
def do_check(url, filename):
classic_state = False
eval_based_state = False
time_based_state = False
file_based_state = False
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Check if authentication is needed.
if menu.options.auth_url and menu.options.auth_data:
# Do the authentication process.
authentication.authentication_process()
# Check if authentication page is the same with the next (injection) URL
if urllib2.urlopen(url).read() == urllib2.urlopen(
menu.options.auth_url).read():
print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL
sys.exit(0)
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is GET or POST.
header_name = ""
if not menu.options.data:
http_request_method = "GET"
if not settings.COOKIE_INJECTION \
and not settings.USER_AGENT_INJECTION \
and not settings.REFERER_INJECTION:
url = parameters.do_GET_check(url)
check_parameter = parameters.vuln_GET_param(url)
the_type = " parameter "
else:
http_request_method = "POST"
parameter = menu.options.data
parameter = parameters.do_POST_check(parameter)
check_parameter = parameters.vuln_POST_param(parameter, url)
the_type = " parameter "
# Load modules
modules_handler.load_modules(url, http_request_method, filename)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
the_type = " HTTP header "
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
settings.HTTP_HEADER = header_name[1:].replace("-", "").lower()
check_parameter = ""
the_type = " HTTP header "
# Referer Injection
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
settings.HTTP_HEADER = header_name[1:].lower()
check_parameter = ""
the_type = " HTTP header "
if len(check_parameter) > 0:
settings.TESTABLE_PARAMETER = check_parameter
# Check for session file
if not menu.options.ignore_session:
if os.path.isfile(settings.SESSION_FILE):
if not menu.options.tech:
menu.options.tech = session_handler.applied_techniques(
url, http_request_method)
if session_handler.check_stored_parameter(url,
http_request_method):
settings.LOAD_SESSION = True
if menu.options.flush_session:
session_handler.flush(url)
if len(check_parameter) != 0:
check_parameter = " '" + check_parameter + "'"
print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests."
# Estimating the response time (in seconds)
delay, url_time_response = requests.estimate_response_time(
url, http_request_method, delay)
# Check if it is vulnerable to classic command injection technique.
if not menu.options.tech or "c" in menu.options.tech:
if cb_handler.exploitation(url, delay, filename,
http_request_method) != False:
classic_state = True
else:
classic_state = False
# Check if it is vulnerable to eval-based code injection technique.
if not menu.options.tech or "e" in menu.options.tech:
if eb_handler.exploitation(url, delay, filename,
http_request_method) != False:
eval_based_state = True
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if not menu.options.tech or "t" in menu.options.tech:
if tb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
time_based_state = True
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if not menu.options.tech or "f" in menu.options.tech:
if fb_handler.exploitation(url, delay, filename, http_request_method,
url_time_response) != False:
file_based_state = True
else:
file_based_state = False
if classic_state == eval_based_state == time_based_state == file_based_state == False:
info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable."
if not menu.options.alter_shell:
info_msg += " Use the option '--alter-shell'"
else:
info_msg += " Remove the option '--alter-shell'"
info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)."
print Back.RED + info_msg + Style.RESET_ALL
sys.exit(0)
def do_check(url):
# Print the findings to log file.
parts = url.split('//', 1)
host = parts[1].split('/', 1)[0]
try:
os.stat(settings.OUTPUT_DIR + host + "/")
except:
os.mkdir(settings.OUTPUT_DIR + host + "/")
# The logs filename construction.
filename = settings.OUTPUT_DIR + host + "/" + settings.OUTPUT_FILE_NAME
output_file = open(filename + ".txt", "a")
output_file.write("\n---")
output_file.write(
"\nTime : " +
datetime.datetime.fromtimestamp(time.time()).strftime('%H:%M:%S'))
output_file.write(
"\nDate : " +
datetime.datetime.fromtimestamp(time.time()).strftime('%m/%d/%Y'))
output_file.write("\n---")
output_file.write("\nURL : " + url)
output_file.write("\n---")
output_file.close()
# Check if defined "--delay" option.
if menu.options.delay:
delay = menu.options.delay
else:
delay = settings.DELAY
# Do authentication if needed.
if menu.options.auth_url and menu.options.auth_data:
authentication.auth_process()
elif menu.options.auth_url or menu.options.auth_data:
print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL
sys.exit(0)
else:
pass
# Check if HTTP Method is POST.
if not menu.options.data:
http_request_method = "GET"
else:
http_request_method = "POST"
parameter = menu.options.data
# Load modules
modules_handler.load_modules(url, http_request_method)
# Check all injection techniques
if not menu.options.tech:
# Check if it is vulnerable to classic command injection technique.
if cb_handler.exploitation(url, delay, filename,
http_request_method) == False:
classic_state = False
else:
classic_state = True
# Check if it is vulnerable to eval-based command injection technique.
if eb_handler.exploitation(url, delay, filename,
http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
# Check if it is vulnerable to time-based blind command injection technique.
if tb_handler.exploitation(url, delay, filename,
http_request_method) == False:
time_based_state = False
else:
time_based_state = True
# Check if it is vulnerable to file-based semiblind command injection technique.
if fb_handler.exploitation(url, delay, filename,
http_request_method) == False:
file_based_state = False
else:
file_based_state = True
else:
# Check if it is vulnerable to classic command injection technique.
if "classic" in menu.options.tech or len(
menu.options.tech) <= 4 and "c" in menu.options.tech:
# Check if classic results-based command injection technique succeeds.
if cb_handler.exploitation(url, delay, filename,
http_request_method) == False:
classic_state = False
else:
classic_state = True
elif menu.options.tech == "classic":
execute_classic_technique(url, delay, filename,
http_request_method)
else:
classic_state = False
# Check if it is vulnerable to eval-based command injection technique.
if "eval-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "e" in menu.options.tech:
# Check if eval-based command injection technique succeeds.
if eb_handler.exploitation(url, delay, filename,
http_request_method) == False:
eval_based_state = False
else:
eval_based_state = True
elif menu.options.tech == "eval-based":
execute_eval_based_technique(url, delay, filename,
http_request_method)
else:
eval_based_state = False
# Check if it is vulnerable to time-based blind command injection technique.
if "time-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "t" in menu.options.tech:
# Check if time-based blind command injection technique succeeds.
if tb_handler.exploitation(url, delay, filename,
http_request_method) == False:
time_based_state = False
else:
time_based_state = True
elif menu.options.tech == "time-based":
execute_time_based_technique(url, delay, filename,
http_request_method)
else:
time_based_state = False
# Check if it is vulnerable to file-based semiblind command injection technique.
if "file-based" in menu.options.tech or len(
menu.options.tech) <= 4 and "f" in menu.options.tech:
# Check if file-based semiblind command injection technique succeeds.
if fb_handler.exploitation(url, delay, filename,
http_request_method) == False:
file_based_state = False
else:
file_based_state = True
elif menu.options.tech == "file-based":
execute_file_based_technique(url, delay, filename,
http_request_method)
else:
file_based_state = False
if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False:
if http_request_method == "GET":
print Back.RED + "(x) The url '" + url + "' appear to be not injectable." + Style.RESET_ALL
else:
print Back.RED + "(x) The '" + parameter + "' parameter appear to be not injectable." + Style.RESET_ALL
else:
print "(*) The results can be found at '" + os.getcwd(
) + "/" + filename + ".txt'"
sys.exit(0)
#eof
