def injection_proccess(url, check_parameter, http_request_method, filename, delay): # User-Agent Injection / Referer Injection / Custom header Injection if check_parameter.startswith(" "): header_name = "" the_type = " HTTP header " else: if settings.COOKIE_INJECTION: header_name = " cookie" else: header_name = "" the_type = " parameter " check_parameter = " '" + check_parameter + "'" # Load modules modules_handler.load_modules(url, http_request_method, filename) if not settings.LOAD_SESSION: info_msg = "Setting the " + "(" + http_request_method info_msg += ")" + check_parameter + header_name + the_type + "for tests." print settings.print_info_msg(info_msg) # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay) # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: if cb_handler.exploitation(url, delay, filename, http_request_method) != False: settings.CLASSIC_STATE = True else: settings.CLASSIC_STATE = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: if eb_handler.exploitation(url, delay, filename, http_request_method) != False: settings.EVAL_BASED_STATE = True else: settings.EVAL_BASED_STATE = False # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: settings.TIME_BASED_STATE = True else: settings.TIME_BASED_STATE = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech: if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: settings.FILE_BASED_STATE = True else: settings.FILE_BASED_STATE = False # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False : warn_msg = "The tested (" + http_request_method + ")" warn_msg += check_parameter + header_name + the_type warn_msg += "seems to be not injectable." print settings.print_warning_msg(warn_msg)
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen( menu.options.auth_url).read(): print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION \ and not settings.USER_AGENT_INJECTION \ and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = parameters.specify_cookie_parameter( menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" settings.HTTP_HEADER = header_name[1:].replace("-", "").lower() check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = "" the_type = " HTTP header " if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check for session file if not menu.options.ignore_session: if os.path.isfile(settings.SESSION_FILE): if not menu.options.tech: menu.options.tech = session_handler.applied_techniques( url, http_request_method) if session_handler.check_stored_parameter(url, http_request_method): settings.LOAD_SESSION = True if menu.options.flush_session: session_handler.flush(url) if len(check_parameter) != 0: check_parameter = " '" + check_parameter + "'" print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time( url, http_request_method, delay) # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True else: classic_state = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech: if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: file_based_state = False if classic_state == eval_based_state == time_based_state == file_based_state == False: info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." if not menu.options.alter_shell: info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL sys.exit(0)
def injection_proccess(url, check_parameter, http_request_method, filename, timesec): # Skipping specific injection techniques. if settings.SKIP_TECHNIQUES: menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES) for skip_tech_name in settings.AVAILABLE_TECHNIQUES: if skip_tech_name in menu.options.skip_tech: menu.options.tech = menu.options.tech.replace( skip_tech_name, "") if len(menu.options.tech) == 0: err_msg = "Detection procedure was aborted due to skipping all injection techniques." print settings.print_critical_msg(err_msg) raise SystemExit # User-Agent Injection / Referer Injection / Custom header Injection if check_parameter.startswith(" "): header_name = "" the_type = " HTTP header" else: if settings.COOKIE_INJECTION: header_name = " cookie" else: header_name = "" the_type = " parameter" check_parameter = " '" + check_parameter + "'" # Load modules modules_handler.load_modules(url, http_request_method, filename) if not settings.LOAD_SESSION: info_msg = "Setting the" if not header_name == " cookie" and not the_type == " HTTP header": info_msg += " " + http_request_method + "" info_msg += the_type + header_name + check_parameter + " for tests." print settings.print_info_msg(info_msg) # Estimating the response time (in seconds) timesec, url_time_response = requests.estimate_response_time(url, timesec) skip_code_injections = False skip_command_injections = False # Procced with file-based semiblind command injection technique, # once the user provides the path of web server's root directory. if menu.options.web_root and not "f" in menu.options.tech: if not menu.options.web_root.endswith("/"): menu.options.web_root = menu.options.web_root + "/" if checks.procced_with_file_based_technique(): menu.options.tech = "f" # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: settings.CLASSIC_STATE = None if cb_handler.exploitation(url, timesec, filename, http_request_method) != False: if not menu.options.tech or "e" in menu.options.tech: if not menu.options.batch: settings.CLASSIC_STATE = True question_msg = "Due to results, " question_msg += "skipping of code injection checks is recommended. " question_msg += "Do you agree? [Y/n] > " sys.stdout.write(settings.print_question_msg(question_msg)) procced_option = sys.stdin.readline().replace("\n", "").lower() else: procced_option = "" if len(procced_option) == 0: procced_option = "y" if procced_option in settings.CHOICE_YES: skip_code_injections = True elif procced_option in settings.CHOICE_NO: pass elif procced_option in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + procced_option + "' is not a valid answer." print settings.print_error_msg(err_msg) pass else: settings.CLASSIC_STATE = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: if not skip_code_injections: settings.EVAL_BASED_STATE = None if eb_handler.exploitation(url, timesec, filename, http_request_method) != False: if not menu.options.batch: settings.EVAL_BASED_STATE = True question_msg = "Due to results, " question_msg += "skipping of further command injection checks is recommended. " question_msg += "Do you agree? [Y/n] > " sys.stdout.write(settings.print_question_msg(question_msg)) procced_option = sys.stdin.readline().replace("\n", "").lower() else: procced_option = "" if len(procced_option) == 0: procced_option = "y" if procced_option in settings.CHOICE_YES: skip_command_injections = True elif procced_option in settings.CHOICE_NO: pass elif procced_option in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + procced_option + "' is not a valid answer." print settings.print_error_msg(err_msg) pass else: settings.EVAL_BASED_STATE = False if not skip_command_injections: # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: settings.TIME_BASED_STATE = None if tb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response) != False: settings.TIME_BASED_STATE = True else: settings.TIME_BASED_STATE = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech and not skip_command_injections: settings.FILE_BASED_STATE = None if fb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response) != False: settings.FILE_BASED_STATE = True else: settings.FILE_BASED_STATE = False # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False: warn_msg = "The tested" if not header_name == " cookie" and not the_type == " HTTP header": warn_msg += " " + http_request_method + "" warn_msg += the_type + header_name + check_parameter warn_msg += " seems to be not injectable." print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
def injection_proccess(url, check_parameter, http_request_method, filename, delay): # User-Agent Injection / Referer Injection / Custom header Injection if check_parameter.startswith(" "): header_name = "" the_type = " HTTP header" else: if settings.COOKIE_INJECTION: header_name = " cookie" else: header_name = "" the_type = " parameter" check_parameter = " '" + check_parameter + "'" # Load modules modules_handler.load_modules(url, http_request_method, filename) if not settings.LOAD_SESSION: info_msg = "Setting the" if not header_name == " cookie" and not the_type == " HTTP header": info_msg += " " + http_request_method + "" info_msg += the_type + header_name + check_parameter + " for tests." print settings.print_info_msg(info_msg) # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time( url, http_request_method, delay) # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: settings.CLASSIC_STATE = None if cb_handler.exploitation(url, delay, filename, http_request_method) != False: settings.CLASSIC_STATE = True else: settings.CLASSIC_STATE = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: settings.EVAL_BASED_STATE = None if eb_handler.exploitation(url, delay, filename, http_request_method) != False: settings.EVAL_BASED_STATE = True else: settings.EVAL_BASED_STATE = False # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: settings.TIME_BASED_STATE = None if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: settings.TIME_BASED_STATE = True else: settings.TIME_BASED_STATE = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech: settings.FILE_BASED_STATE = None if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: settings.FILE_BASED_STATE = True else: settings.FILE_BASED_STATE = False # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False: warn_msg = "The tested" if not header_name == " cookie" and not the_type == " HTTP header": warn_msg += " " + http_request_method + "" warn_msg += the_type + header_name + check_parameter warn_msg += " seems to be not injectable." print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
def injection_proccess(url, check_parameter, http_request_method, filename, timesec): if menu.options.ignore_code: info_msg = "Ignoring '" + str( menu.options.ignore_code) + "' HTTP error code. " print(settings.print_info_msg(info_msg)) # Skipping specific injection techniques. if settings.SKIP_TECHNIQUES: menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES) for skip_tech_name in settings.AVAILABLE_TECHNIQUES: if skip_tech_name in menu.options.skip_tech: menu.options.tech = menu.options.tech.replace( skip_tech_name, "") if len(menu.options.tech) == 0: err_msg = "Detection procedure was aborted due to skipping all injection techniques." print(settings.print_critical_msg(err_msg)) raise SystemExit # User-Agent HTTP header / Referer HTTP header / # Host HTTP header / Custom HTTP header Injection(s) if check_parameter.startswith(" "): header_name = "" the_type = " HTTP header" else: if settings.COOKIE_INJECTION: header_name = " cookie" else: header_name = "" the_type = " parameter" check_parameter = " '" + check_parameter + "'" # Estimating the response time (in seconds) timesec, url_time_response = requests.estimate_response_time(url, timesec) # Load modules modules_handler.load_modules(url, http_request_method, filename) # Check for identified warnings url = heuristic_basic(url, http_request_method) if settings.IDENTIFIED_WARNINGS: if not settings.SKIP_COMMAND_INJECTIONS: ci = "command injection techniques" ce = "code injection technique" if not menu.options.batch: question_msg = "Do you want to skip test payloads for " question_msg += ci + "? [Y/n] > " procced_option = _input( settings.print_question_msg(question_msg)) else: procced_option = "" if procced_option in settings.CHOICE_YES or len( procced_option) == 0: if settings.VERBOSITY_LEVEL >= 1: debug_msg = "Skipping " + ci + "." print(settings.print_debug_msg(debug_msg)) settings.CLASSIC_STATE = settings.TIME_BASED_STATE = settings.FILE_BASED_STATE = False settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = True elif procced_option in settings.CHOICE_NO: if settings.VERBOSITY_LEVEL >= 1: debug_msg = "Skipping " + ce + "." print(settings.print_debug_msg(debug_msg)) settings.SKIP_CODE_INJECTIONS = True settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = False elif procced_option in settings.CHOICE_QUIT: raise SystemExit() else: err_msg = "'" + procced_option + "' is not a valid answer." print(settings.print_error_msg(err_msg)) pass if not settings.LOAD_SESSION: info_msg = "Setting the" if not header_name == " cookie" and not the_type == " HTTP header": info_msg += " " + http_request_method + "" info_msg += ('', ' (JSON)')[settings.IS_JSON] + ( '', ' (SOAP/XML)')[settings.IS_XML] if header_name == " cookie": info_msg += header_name + the_type + check_parameter + " for tests." else: info_msg += the_type + header_name + check_parameter + " for tests." print(settings.print_info_msg(info_msg)) if menu.options.failed_tries and \ menu.options.tech and not "f" in menu.options.tech and not \ menu.options.failed_tries: warn_msg = "Due to the provided (unsuitable) injection technique" warn_msg += "s"[len(menu.options.tech) == 1:][::-1] + ", " warn_msg += "the option '--failed-tries' will be ignored." print(settings.print_warning_msg(warn_msg)) + Style.RESET_ALL # Procced with file-based semiblind command injection technique, # once the user provides the path of web server's root directory. if menu.options.web_root and \ menu.options.tech and not "f" in menu.options.tech: if not menu.options.web_root.endswith("/"): menu.options.web_root = menu.options.web_root + "/" if checks.procced_with_file_based_technique(): menu.options.tech = "f" if not menu.options.tech: menu.options.tech = "" if len(menu.options.tech) == 0 or "c" in menu.options.tech: settings.CLASSIC_STATE = True if len(menu.options.tech) == 0 or "e" in menu.options.tech: settings.EVAL_BASED_STATE = True if len(menu.options.tech) == 0 or "t" in menu.options.tech: settings.TIME_BASED_STATE = True if len(menu.options.tech) == 0 or "f" in menu.options.tech: settings.FILE_BASED_STATE = True # Check if it is vulnerable to classic command injection technique. if not settings.SKIP_COMMAND_INJECTIONS and settings.CLASSIC_STATE: settings.CLASSIC_STATE = None if cb_handler.exploitation(url, timesec, filename, http_request_method) != False: if settings.EVAL_BASED_STATE: if not menu.options.batch: settings.CLASSIC_STATE = True question_msg = "Due to results, " question_msg += "skipping of code injection checks is recommended. " question_msg += "Do you agree? [Y/n] > " procced_option = _input( settings.print_question_msg(question_msg)) else: procced_option = "" if len(procced_option) == 0: procced_option = "Y" if procced_option in settings.CHOICE_YES: if settings.VERBOSITY_LEVEL >= 1: debug_msg = "Skipping code injection checks." print(settings.print_debug_msg(debug_msg)) settings.SKIP_CODE_INJECTIONS = True elif procced_option in settings.CHOICE_NO: pass elif procced_option in settings.CHOICE_QUIT: raise SystemExit() else: err_msg = "'" + procced_option + "' is not a valid answer." print(settings.print_error_msg(err_msg)) pass else: settings.CLASSIC_STATE = False # Check if it is vulnerable to eval-based code injection technique. if not settings.SKIP_CODE_INJECTIONS and settings.EVAL_BASED_STATE: settings.EVAL_BASED_STATE = None if eb_handler.exploitation(url, timesec, filename, http_request_method) != False: if not menu.options.batch: settings.EVAL_BASED_STATE = True question_msg = "Due to results, " question_msg += "skipping of further command injection checks is recommended. " question_msg += "Do you agree? [Y/n] > " procced_option = _input( settings.print_question_msg(question_msg)) else: procced_option = "" if len(procced_option) == 0: procced_option = "Y" if procced_option in settings.CHOICE_YES: if settings.VERBOSITY_LEVEL >= 1: debug_msg = "Skipping command injection checks." print(settings.print_debug_msg(debug_msg)) settings.SKIP_COMMAND_INJECTIONS = True elif procced_option in settings.CHOICE_NO: pass elif procced_option in settings.CHOICE_QUIT: raise SystemExit() else: err_msg = "'" + procced_option + "' is not a valid answer." print(settings.print_error_msg(err_msg)) pass else: settings.EVAL_BASED_STATE = False if not settings.SKIP_COMMAND_INJECTIONS: # Check if it is vulnerable to time-based blind command injection technique. if settings.TIME_BASED_STATE: settings.TIME_BASED_STATE = None if tb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response) != False: settings.TIME_BASED_STATE = True else: settings.TIME_BASED_STATE = False # Check if it is vulnerable to file-based semiblind command injection technique. if settings.FILE_BASED_STATE: settings.FILE_BASED_STATE = None if fb_handler.exploitation(url, timesec, filename, http_request_method, url_time_response) != False: settings.FILE_BASED_STATE = True else: settings.FILE_BASED_STATE = False # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False: warn_msg = "The tested" if not header_name == " cookie" and not the_type == " HTTP header": warn_msg += " " + http_request_method + "" warn_msg += the_type + header_name + check_parameter warn_msg += " seems to be not injectable." print(settings.print_warning_msg(warn_msg)) + Style.RESET_ALL
def injection_proccess(url, check_parameter, http_request_method, filename, timesec): if menu.options.ignore_code: info_msg = "Ignoring '" + str( menu.options.ignore_code) + "' HTTP error code. " print(settings.print_info_msg(info_msg)) # Skipping specific injection techniques. if settings.SKIP_TECHNIQUES: menu.options.tech = "".join(settings.AVAILABLE_TECHNIQUES) for skip_tech_name in settings.AVAILABLE_TECHNIQUES: if skip_tech_name in menu.options.skip_tech: menu.options.tech = menu.options.tech.replace( skip_tech_name, "") if len(menu.options.tech) == 0: err_msg = "Detection procedure was aborted due to skipping all injection techniques." print(settings.print_critical_msg(err_msg)) raise SystemExit # User-Agent HTTP header / Referer HTTP header / # Host HTTP header / Custom HTTP header Injection(s) if check_parameter.startswith(" "): header_name = "" the_type = " HTTP header" else: if settings.COOKIE_INJECTION: header_name = " cookie" else: header_name = "" the_type = " parameter" check_parameter = " '" + check_parameter + "'" # Estimating the response time (in seconds) timesec, url_time_response = requests.estimate_response_time(url, timesec) # Load modules modules_handler.load_modules(url, http_request_method, filename) if not settings.LOAD_SESSION: if (len(menu.options.tech) == 0 or "e" in menu.options.tech): # Check for identified warnings url = heuristic_basic(url, http_request_method) if settings.IDENTIFIED_WARNINGS or settings.IDENTIFIED_PHPINFO: while True: if not menu.options.batch: question_msg = "Skipping of further command injection tests is recommended. " question_msg += "Do you agree? [Y/n] > " procced_option = _input( settings.print_question_msg(question_msg)) else: procced_option = "" if procced_option in settings.CHOICE_YES or len( procced_option) == 0: settings.CLASSIC_STATE = settings.TIME_BASED_STATE = settings.FILE_BASED_STATE = False settings.EVAL_BASED_STATE = settings.SKIP_COMMAND_INJECTIONS = True break elif procced_option in settings.CHOICE_NO: break elif procced_option in settings.CHOICE_QUIT: raise SystemExit() else: err_msg = "'" + procced_option + "' is not a valid answer." print(settings.print_error_msg(err_msg)) pass info_msg = "Setting the" if not header_name == " cookie" and not the_type == " HTTP header": info_msg += " " + str(http_request_method) + "" info_msg += ('', ' (JSON)')[settings.IS_JSON] + ( '', ' (SOAP/XML)')[settings.IS_XML] if header_name == " cookie": info_msg += str(header_name) + str(the_type) + str( check_parameter) + " for tests." else: info_msg += str(the_type) + str(header_name) + str( check_parameter) + " for tests." print(settings.print_info_msg(info_msg)) if menu.options.failed_tries and \ menu.options.tech and not "f" in menu.options.tech and not \ menu.options.failed_tries: warn_msg = "Due to the provided (unsuitable) injection technique" warn_msg += "s"[len(menu.options.tech) == 1:][::-1] + ", " warn_msg += "the option '--failed-tries' will be ignored." print(settings.print_warning_msg(warn_msg) + Style.RESET_ALL) # Procced with file-based semiblind command injection technique, # once the user provides the path of web server's root directory. if menu.options.web_root and \ menu.options.tech and not "f" in menu.options.tech: if not menu.options.web_root.endswith("/"): menu.options.web_root = menu.options.web_root + "/" if checks.procced_with_file_based_technique(): menu.options.tech = "f" if settings.SKIP_COMMAND_INJECTIONS: dynamic_code_evaluation_technique(url, timesec, filename, http_request_method) classic_command_injection_technique(url, timesec, filename, http_request_method) else: classic_command_injection_technique(url, timesec, filename, http_request_method) dynamic_code_evaluation_technique(url, timesec, filename, http_request_method) timebased_command_injection_technique(url, timesec, filename, http_request_method, url_time_response) filebased_command_injection_technique(url, timesec, filename, http_request_method, url_time_response) # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False: warn_msg = "The tested" if header_name != " cookie" and the_type != " HTTP header": warn_msg += " " + str(http_request_method) + "" warn_msg += str(the_type) + str(header_name) + str(check_parameter) warn_msg += " seems to be not injectable." print(settings.print_warning_msg(warn_msg))
def injection_proccess(url, check_parameter, http_request_method, filename, delay): # User-Agent Injection / Referer Injection / Custom header Injection if check_parameter.startswith(" "): header_name = "" the_type = " HTTP header" else: if settings.COOKIE_INJECTION: header_name = " cookie" else: header_name = "" the_type = " parameter" check_parameter = " '" + check_parameter + "'" # Load modules modules_handler.load_modules(url, http_request_method, filename) if not settings.LOAD_SESSION: info_msg = "Setting the" if not header_name == " cookie" and not the_type == " HTTP header": info_msg += " " + http_request_method + "" info_msg += the_type + header_name + check_parameter + " for tests." print settings.print_info_msg(info_msg) # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, delay) skip_code_injections = False skip_command_injections = False # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: settings.CLASSIC_STATE = None if cb_handler.exploitation(url, delay, filename, http_request_method) != False: settings.CLASSIC_STATE = True question_msg = "Due to resuts " question_msg += "skipping of code injection checks is recommended. " question_msg += "Do you agree? [Y/n/q] > " sys.stdout.write(settings.print_question_msg(question_msg)) procced_option = sys.stdin.readline().replace("\n", "").lower() if len(procced_option) == 0: procced_option = "y" if procced_option in settings.CHOICE_YES: skip_code_injections = True elif procced_option in settings.CHOICE_NO: pass elif procced_option in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + procced_option + "' is not a valid answer." print settings.print_error_msg(err_msg) pass else: settings.CLASSIC_STATE = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: if not skip_code_injections: settings.EVAL_BASED_STATE = None if eb_handler.exploitation(url, delay, filename, http_request_method) != False: settings.EVAL_BASED_STATE = True question_msg = "Due to resuts, " question_msg += "skipping of further command injection checks is recommended. " question_msg += "Do you agree? [Y/n/q] > " sys.stdout.write(settings.print_question_msg(question_msg)) procced_option = sys.stdin.readline().replace("\n", "").lower() if len(procced_option) == 0: procced_option = "y" if procced_option in settings.CHOICE_YES: skip_command_injections = True elif procced_option in settings.CHOICE_NO: pass elif procced_option in settings.CHOICE_QUIT: sys.exit(0) else: err_msg = "'" + procced_option + "' is not a valid answer." print settings.print_error_msg(err_msg) pass else: settings.EVAL_BASED_STATE = False if not skip_command_injections: # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: settings.TIME_BASED_STATE = None if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: settings.TIME_BASED_STATE = True else: settings.TIME_BASED_STATE = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech and not skip_command_injections: settings.FILE_BASED_STATE = None if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: settings.FILE_BASED_STATE = True else: settings.FILE_BASED_STATE = False # All injection techniques seems to be failed! if settings.CLASSIC_STATE == settings.EVAL_BASED_STATE == settings.TIME_BASED_STATE == settings.FILE_BASED_STATE == False: warn_msg = "The tested" if not header_name == " cookie" and not the_type == " HTTP header": warn_msg += " " + http_request_method + "" warn_msg += the_type + header_name + check_parameter warn_msg += " seems to be not injectable." print settings.print_warning_msg(warn_msg) + Style.RESET_ALL
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Do authentication if needed. if menu.options.auth_url and menu.options.auth_data: authentication.auth_process() elif menu.options.auth_url or menu.options.auth_data: print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION and not settings.USER_AGENT_INJECTION and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" check_parameter = parameters.specify_cookie_parameter(menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" check_parameter = "" the_type = " HTTP header " else: pass if len(check_parameter) != 0: check_parameter = " '" + check_parameter + "'" print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay) # Check all injection techniques if not menu.options.tech: # Check if it is vulnerable to classic command injection technique. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True # Check if it is vulnerable to eval-based command injection technique. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True # Check if it is vulnerable to time-based blind command injection technique. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True # Check if it is vulnerable to file-based semiblind command injection technique. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: # Check if it is vulnerable to classic command injection technique. if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech: # Check if classic results-based command injection technique succeeds. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True elif menu.options.tech == "classic": cb_handler.exploitation(url, delay, filename, http_request_method) else: classic_state = False # Check if it is vulnerable to eval-based command injection technique. if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech: # Check if eval-based command injection technique succeeds. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True elif menu.options.tech == "eval-based": eb_handler.exploitation(url, delay, filename, http_request_method) else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech: # Check if time-based blind command injection technique succeeds. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True elif menu.options.tech == "time-based": tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech: # Check if file-based semiblind command injection technique succeeds. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True elif menu.options.tech == "file-based": fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: file_based_state = False if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False: info_msg = ( "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." ) if not menu.options.alter_shell: info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL # else: # print "" sys.exit(0)
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen(menu.options.auth_url).read(): print Back.RED + settings.ERROR_SIGN + "It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + settings.ERROR_SIGN + "You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION \ and not settings.USER_AGENT_INJECTION \ and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = parameters.specify_cookie_parameter(menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" settings.HTTP_HEADER = header_name[1:].replace("-","").lower() check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" settings.HTTP_HEADER = header_name[1:].lower() check_parameter = "" the_type = " HTTP header " if len(check_parameter) > 0: settings.TESTABLE_PARAMETER = check_parameter # Check for session file if not menu.options.ignore_session: if os.path.isfile(settings.SESSION_FILE): if not menu.options.tech: menu.options.tech = session_handler.applied_techniques(url, http_request_method) if session_handler.check_stored_parameter(url, http_request_method): settings.LOAD_SESSION = True if menu.options.flush_session: session_handler.flush(url) if len(check_parameter) != 0 : check_parameter = " '" + check_parameter + "'" print settings.INFO_SIGN + "Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, http_request_method, delay) # Check if it is vulnerable to classic command injection technique. if not menu.options.tech or "c" in menu.options.tech: if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True else: classic_state = False # Check if it is vulnerable to eval-based code injection technique. if not menu.options.tech or "e" in menu.options.tech: if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if not menu.options.tech or "t" in menu.options.tech: if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if not menu.options.tech or "f" in menu.options.tech: if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: file_based_state = False if classic_state == eval_based_state == time_based_state == file_based_state == False : info_msg = settings.CRITICAL_SIGN + "The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." if not menu.options.alter_shell : info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL sys.exit(0)
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Check if authentication is needed. if menu.options.auth_url and menu.options.auth_data: # Do the authentication process. authentication.authentication_process() # Check if authentication page is the same with the next (injection) URL if urllib2.urlopen(url).read() == urllib2.urlopen( menu.options.auth_url).read(): print Back.RED + "(x) Error: It seems that the authentication procedure has failed." + Style.RESET_ALL sys.exit(0) elif menu.options.auth_url or menu.options.auth_data: print Back.RED + "(x) Error: You must specify both login panel URL and login parameters." + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" if not settings.COOKIE_INJECTION \ and not settings.USER_AGENT_INJECTION \ and not settings.REFERER_INJECTION: url = parameters.do_GET_check(url) check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data parameter = parameters.do_POST_check(parameter) check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" check_parameter = parameters.specify_cookie_parameter( menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" check_parameter = "" the_type = " HTTP header " else: pass if len(check_parameter) != 0: check_parameter = " '" + check_parameter + "'" print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time( url, http_request_method, delay) # Check all injection techniques if not menu.options.tech: # Check if it is vulnerable to classic command injection technique. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True # Check if it is vulnerable to eval-based command injection technique. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True # Check if it is vulnerable to time-based blind command injection technique. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True # Check if it is vulnerable to file-based semiblind command injection technique. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: # Check if it is vulnerable to classic command injection technique. if "classic" in menu.options.tech or len( menu.options.tech) <= 4 and "c" in menu.options.tech: # Check if classic results-based command injection technique succeeds. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True elif menu.options.tech == "classic": cb_handler.exploitation(url, delay, filename, http_request_method) else: classic_state = False # Check if it is vulnerable to eval-based command injection technique. if "eval-based" in menu.options.tech or len( menu.options.tech) <= 4 and "e" in menu.options.tech: # Check if eval-based command injection technique succeeds. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True elif menu.options.tech == "eval-based": eb_handler.exploitation(url, delay, filename, http_request_method) else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if "time-based" in menu.options.tech or len( menu.options.tech) <= 4 and "t" in menu.options.tech: # Check if time-based blind command injection technique succeeds. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True elif menu.options.tech == "time-based": tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if "file-based" in menu.options.tech or len( menu.options.tech) <= 4 and "f" in menu.options.tech: # Check if file-based semiblind command injection technique succeeds. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True elif menu.options.tech == "file-based": fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: file_based_state = False if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False: info_msg = "(x) Critical: The tested (" + http_request_method + ")" + check_parameter + " parameter appear to be not injectable." if not menu.options.alter_shell: info_msg += " Use the option '--alter-shell'" else: info_msg += " Remove the option '--alter-shell'" info_msg += " and/or try to audit the HTTP headers (i.e 'User-Agent', 'Referer', 'Cookie' etc)." print Back.RED + info_msg + Style.RESET_ALL # else: # print "" sys.exit(0)
def do_check(url, filename): classic_state = False eval_based_state = False time_based_state = False file_based_state = False # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Do authentication if needed. if menu.options.auth_url and menu.options.auth_data: authentication.auth_process() elif menu.options.auth_url or menu.options.auth_data: print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is GET or POST. header_name = "" if not menu.options.data: http_request_method = "GET" check_parameter = parameters.vuln_GET_param(url) the_type = " parameter " else: http_request_method = "POST" parameter = menu.options.data check_parameter = parameters.vuln_POST_param(parameter, url) the_type = " parameter " # Load modules modules_handler.load_modules(url, http_request_method, filename) # Cookie Injection if settings.COOKIE_INJECTION == True: header_name = " Cookie" check_parameter = parameters.specify_cookie_parameter(menu.options.cookie) the_type = " HTTP header " # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" check_parameter = "" the_type = " HTTP header " # Referer Injection elif settings.REFERER_INJECTION == True: header_name = " Referer" check_parameter = "" the_type = " HTTP header " else : pass if len(check_parameter) != 0 : check_parameter = " '" + check_parameter + "'" print "(*) Setting the " + "(" + http_request_method + ")" + check_parameter + header_name + the_type + "for tests." # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, delay) # Check all injection techniques if not menu.options.tech: # Check if it is vulnerable to classic command injection technique. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True # Check if it is vulnerable to eval-based command injection technique. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True # Check if it is vulnerable to time-based blind command injection technique. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True # Check if it is vulnerable to file-based semiblind command injection technique. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True else: # Check if it is vulnerable to classic command injection technique. if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech: # Check if classic results-based command injection technique succeeds. if cb_handler.exploitation(url, delay, filename, http_request_method) != False: classic_state = True elif menu.options.tech == "classic": cb_handler.exploitation(url, delay, filename, http_request_method) else: classic_state = False # Check if it is vulnerable to eval-based command injection technique. if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech: # Check if eval-based command injection technique succeeds. if eb_handler.exploitation(url, delay, filename, http_request_method) != False: eval_based_state = True elif menu.options.tech == "eval-based": eb_handler.exploitation(url, delay, filename, http_request_method) else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech: # Check if time-based blind command injection technique succeeds. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: time_based_state = True elif menu.options.tech == "time-based": tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech: # Check if file-based semiblind command injection technique succeeds. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) != False: file_based_state = True elif menu.options.tech == "file-based": fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) else: file_based_state = False if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False : if http_request_method == "GET": print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL else: print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL else: logs.logs_notification(filename) sys.exit(0) #eof
def do_check(url, filename): # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Do authentication if needed. if menu.options.auth_url and menu.options.auth_data: authentication.auth_process() elif menu.options.auth_url or menu.options.auth_data: print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is POST. if not menu.options.data: http_request_method = "GET" else: http_request_method = "POST" parameter = menu.options.data # Load modules modules_handler.load_modules(url, http_request_method, filename) # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, delay) # Check all injection techniques if not menu.options.tech: # Check if it is vulnerable to classic command injection technique. if cb_handler.exploitation(url, delay, filename, http_request_method) == False: classic_state = False else: classic_state = True # Check if it is vulnerable to eval-based command injection technique. if eb_handler.exploitation(url, delay, filename, http_request_method) == False: eval_based_state = False else: eval_based_state = True # Check if it is vulnerable to time-based blind command injection technique. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: time_based_state = False else: time_based_state = True # Check if it is vulnerable to file-based semiblind command injection technique. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: file_based_state = False else: file_based_state = True else: # Check if it is vulnerable to classic command injection technique. if "classic" in menu.options.tech or len( menu.options.tech) <= 4 and "c" in menu.options.tech: # Check if classic results-based command injection technique succeeds. if cb_handler.exploitation(url, delay, filename, http_request_method) == False: classic_state = False else: classic_state = True elif menu.options.tech == "classic": execute_classic_technique(url, delay, filename, http_request_method) else: classic_state = False # Check if it is vulnerable to eval-based command injection technique. if "eval-based" in menu.options.tech or len( menu.options.tech) <= 4 and "e" in menu.options.tech: # Check if eval-based command injection technique succeeds. if eb_handler.exploitation(url, delay, filename, http_request_method) == False: eval_based_state = False else: eval_based_state = True elif menu.options.tech == "eval-based": execute_eval_based_technique(url, delay, filename, http_request_method) else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if "time-based" in menu.options.tech or len( menu.options.tech) <= 4 and "t" in menu.options.tech: # Check if time-based blind command injection technique succeeds. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: time_based_state = False else: time_based_state = True elif menu.options.tech == "time-based": execute_time_based_technique(url, delay, filename, http_request_method, url_time_response) else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if "file-based" in menu.options.tech or len( menu.options.tech) <= 4 and "f" in menu.options.tech: # Check if file-based semiblind command injection technique succeeds. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: file_based_state = False else: file_based_state = True elif menu.options.tech == "file-based": execute_file_based_technique(url, delay, filename, http_request_method, url_time_response) else: file_based_state = False if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False: if http_request_method == "GET": print Back.RED + "(x) The url '" + url + "' appear to be not injectable." + Style.RESET_ALL else: print Back.RED + "(x) The '" + parameter + "' parameter appear to be not injectable." + Style.RESET_ALL else: logs.logs_notification(filename) sys.exit(0) #eof
def do_check(url): # The logs filename construction. filename = logs.create_log_file(url) # Check if defined "--delay" option. if menu.options.delay: delay = menu.options.delay else: delay = settings.DELAY # Do authentication if needed. if menu.options.auth_url and menu.options.auth_data: authentication.auth_process() elif menu.options.auth_url or menu.options.auth_data: print Back.RED + "(x) Error: You must specify both login panel URL and login parameters.\n" + Style.RESET_ALL sys.exit(0) else: pass # Check if HTTP Method is POST. if not menu.options.data: http_request_method = "GET" else: http_request_method = "POST" parameter = menu.options.data # Load modules modules_handler.load_modules(url, http_request_method) # Estimating the response time (in seconds) delay, url_time_response = requests.estimate_response_time(url, delay) # Check all injection techniques if not menu.options.tech: # Check if it is vulnerable to classic command injection technique. if cb_handler.exploitation(url, delay, filename, http_request_method) == False: classic_state = False else: classic_state = True # Check if it is vulnerable to eval-based command injection technique. if eb_handler.exploitation(url, delay, filename, http_request_method) == False: eval_based_state = False else: eval_based_state = True # Check if it is vulnerable to time-based blind command injection technique. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: time_based_state = False else: time_based_state = True # Check if it is vulnerable to file-based semiblind command injection technique. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: file_based_state = False else: file_based_state = True else: # Check if it is vulnerable to classic command injection technique. if "classic" in menu.options.tech or len(menu.options.tech) <= 4 and "c" in menu.options.tech: # Check if classic results-based command injection technique succeeds. if cb_handler.exploitation(url, delay, filename, http_request_method) == False: classic_state = False else: classic_state = True elif menu.options.tech == "classic": execute_classic_technique(url, delay, filename, http_request_method) else: classic_state = False # Check if it is vulnerable to eval-based command injection technique. if "eval-based" in menu.options.tech or len(menu.options.tech) <= 4 and "e" in menu.options.tech: # Check if eval-based command injection technique succeeds. if eb_handler.exploitation(url, delay, filename, http_request_method) == False: eval_based_state = False else: eval_based_state = True elif menu.options.tech == "eval-based": execute_eval_based_technique(url, delay, filename, http_request_method) else: eval_based_state = False # Check if it is vulnerable to time-based blind command injection technique. if "time-based" in menu.options.tech or len(menu.options.tech) <= 4 and "t" in menu.options.tech: # Check if time-based blind command injection technique succeeds. if tb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: time_based_state = False else: time_based_state = True elif menu.options.tech == "time-based": execute_time_based_technique(url, delay, filename, http_request_method, url_time_response) else: time_based_state = False # Check if it is vulnerable to file-based semiblind command injection technique. if "file-based" in menu.options.tech or len(menu.options.tech) <= 4 and "f" in menu.options.tech: # Check if file-based semiblind command injection technique succeeds. if fb_handler.exploitation(url, delay, filename, http_request_method, url_time_response) == False: file_based_state = False else: file_based_state = True elif menu.options.tech == "file-based": execute_file_based_technique(url, delay, filename, http_request_method, url_time_response) else: file_based_state = False if classic_state == False and eval_based_state == False and time_based_state == False and file_based_state == False : if http_request_method == "GET": print Back.RED + "(x) The url '"+ url +"' appear to be not injectable." + Style.RESET_ALL else: print Back.RED + "(x) The '"+ parameter +"' parameter appear to be not injectable." + Style.RESET_ALL else: print "(*) The results can be found at '" + os.getcwd() + "/" + filename +".txt'" sys.exit(0) #eof