Commit 878bf9f6 authored by fimap.dev@gmail.com's avatar fimap.dev@gmail.com

Dot Truncation refined.

parent f2df44a1
......@@ -2,6 +2,8 @@ import urllib, httplib, copy, urllib2
import string,random,os,socket, os.path
import xml.dom.minidom
import shutil
from time import gmtime, strftime
class baseTools(object):
LOG_ERROR = 99
LOG_WARN = 98
......@@ -63,10 +65,11 @@ class baseTools(object):
def _log(self, txt, LVL):
if (4-self.config["p_verbose"] < LVL):
logline = "[%s] %s" %(self.log_lvl[LVL][0], txt)
t = strftime("%H:%M:%S", gmtime())
if (self.use_color):
print self.__getColorLine(logline, self.log_lvl[LVL][1])
print "[%s] %s" %(t, self.__getColorLine(logline, self.log_lvl[LVL][1]))
else:
print logline
print "[%s] %s" %(t, logline)
def __setColor(self, txt, style):
ret = self.CONST_COL + txt
......
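Review bot: The timestamp added at `t = strftime("%H:%M:%S", gmtime())` is UTC but is printed with neither a date nor a zone marker, so the log cannot be reliably correlated with target-side web-server logs or with evidence recorded in local time during an engagement. Making the format self-describing, e.g. `t = strftime("%Y-%m-%d %H:%M:%S UTC", gmtime())`, removes the ambiguity at no cost; if local time is preferred, use `localtime()` and label it accordingly. The `_log` body appears complete within the hunk, but the enclosing `baseTools` class continues outside it.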
......@@ -58,10 +58,9 @@ def show_help(AndQuit=False):
print " Needs a root url (-u) to start crawling there."
print " Also needs (-w) to write a URL list for mass mode."
print "## Techniques:"
#dot-truncation
print " -b , --enable-blind Enables blind FI-Bug testing when no error messages are printed."
print " Note that this mode will cause lots of requests compared to the"
print " default method. Can be used with -s, -m or -g. Experimental."
print " default method. Can be used with -s, -m or -g."
print " -D , --dot-truncation Enables dot truncation technique to get rid of the suffix if"
print " the default mode (nullbyte poison) failed. This mode can cause"
print " tons of requests depending how you configure it."
......@@ -92,6 +91,11 @@ def show_help(AndQuit=False):
print " --no-auto-detect Use this switch if you don't want to let fimap automaticly detect"
print " the target language in blind-mode. In that case you will get some"
print " options you can choose if fimap isn't sure which lang it is."
print " --dot-trunc-min=700 The count of dots to begin with in dot-truncation mode."
print " --dot-trunc-max=2000 The count of dots to end with in dot-truncation mode."
print " --dot-trunc-step=50 The step size for each round in dot-truncation mode."
print " --dot-trunc-ratio=0.095 The maximum ratio to detect if dot truncation was successfull."
print " --dot-trunc-also-unix Use this if dot-truncation should also be tested on unix servers."
print "## Attack Kit:"
print " -x , --exploit Starts an interactive session where you can"
print " select a target and do some action."
......@@ -202,6 +206,11 @@ if __name__ == "__main__":
config["p_skippages"] = 0
config["p_monkeymode"] = False
config["p_doDotTruncation"] = False
config["p_dot_trunc_min"] = 700
config["p_dot_trunc_max"] = 2000
config["p_dot_trunc_step"] = 50
config["p_dot_trunc_ratio"] = 0.095
config["p_dot_trunc_only_win"] = True
config["p_proxy"] = None
config["p_ttl"] = 30
config["p_post"] = ""
......@@ -230,7 +239,8 @@ if __name__ == "__main__":
"harvest" , "write=" , "depth=" , "greetings" , "test-rfi" , "skip-pages=",
"show-my-ip" , "enable-blind", "http-proxy=" , "ttl=" , "post=" , "no-auto-detect",
"plugins" , "enable-color", "update-def" , "merge-xml=" , "install-plugins" , "results=",
"googlesleep=" , "dot-truncation"]
"googlesleep=" , "dot-truncation", "dot-trunc-min=", "dot-trunc-max=", "dot-trunc-step=", "dot-trunc-ratio=",
"dot-trunc-also-unix"]
optlist, args = getopt.getopt(sys.argv[1:], "u:msl:v:hA:gq:p:sxHw:d:bP:CID", longSwitches)
startExploiter = False
......@@ -301,6 +311,16 @@ if __name__ == "__main__":
if (k in ("--merge-xml",)):
doMergeXML = True
config["p_mergexml"] = v
if (k in ("--dot-trunc-min",)):
config["p_dot_trunc_min"] = int(v)
if (k in ("--dot-trunc-max",)):
config["p_dot_trunc_max"] = int(v)
if (k in ("--dot-trunc-step",)):
config["p_dot_trunc_step"] = int(v)
if (k in ("--dot-trunc-ratio",)):
config["p_dot_trunc_ratio"] = float(v)
if (k in ("--dot-trunc-also-unix",)):
config["p_dot_trunc_only_win"] = False
#if (k in("-f", "--exploit-filter")):
# config["p_exploit_filter"] = v
......
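Review bot: The new `--dot-trunc-*` values are converted with `int(v)`/`float(v)` but never range-checked, so `--dot-trunc-step=0`, a negative step, or a minimum above the maximum are accepted and only surface wherever the scanner iterates from min to max (code outside this hunk), presumably as a non-terminating or empty scan that keeps sending requests to the target. A non-numeric value escapes as a raw `ValueError` traceback rather than a usage message. Add a sanity check once parsing is done, e.g. `if config["p_dot_trunc_step"] <= 0 or config["p_dot_trunc_min"] > config["p_dot_trunc_max"]: show_help(True)`, and catch `ValueError` around the conversions to call `show_help(True)` as well. The option loop sits inside the `if __name__ == "__main__":` block, which begins before this hunk. The help text also spells "successfull" and does not say what `--dot-trunc-ratio` is a ratio of, which a user needs in order to tune it.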
......@@ -56,7 +56,7 @@ class plugininterface(baseClass):
for p in self.plugins:
p.plugin_loaded()
self._log("%d plugins loaded." %(x), self.LOG_INFO)
self._log("%d plugins loaded." %(x), self.LOG_DEBUG)
def requestPluginActions(self, langClass, isSystem, isUnix):
ret = []
......
......@@ -32,7 +32,8 @@ class report:
self.VulnKey = VulnKey
self.VulnKeyVal = None
self.Params = Params
self.NullbytePoison = None
self.SuffixBreakable = None
self.SuffixBreakTechName = None
self.ServerPath = None
self.ServerScript = None
self.RemoteInjectable = False
......@@ -141,12 +142,19 @@ class report:
def getParams(self):
return(self.Params)
def setNullBytePossible(self, NullByte):
self.NullbytePoison = NullByte
def setSuffixBreakable(self, isPossible):
self.SuffixBreakable = isPossible
def isNullbytePossible(self):
return(self.NullbytePoison)
def isSuffixBreakable(self):
return(self.SuffixBreakable)
def setSuffixBreakTechName(self, name):
self.SuffixBreakTechName = name
def getSuffixBreakTechName(self):
return(self.SuffixBreakTechName)
def getType(self):
ret = ""
......
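Review bot: `setNullBytePossible`/`isNullbytePossible` are removed rather than aliased, so any caller outside this diff that still uses them (exploit-mode or result-export code, if it reads this flag) will fail with `AttributeError` at runtime; the hunk only shows the `report` side of the rename. Either grep the tree for the old names before merging or keep a one-line compatibility shim such as `isNullbytePossible = isSuffixBreakable` with a deprecation comment. The tri-state meaning of `SuffixBreakable` is only recoverable from the display code elsewhere in this commit, so a comment on the attribute, e.g. `# None = not tested / not needed, True/False = suffix-breaking technique worked or failed` (hedged, confirm against the scanner), would help the next maintainer. The `report` class body continues outside the hunk.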
......@@ -57,38 +57,38 @@ class singleScan(baseClass):
header = "[%d] Possible File Inclusion"%(idx)
if (report.getLanguage() != None):
header = "[%d] Possible %s-File Inclusion"%(idx, report.getLanguage())
boxarr.append(" [URL] %s"%report.getURL())
boxarr.append(" [URL] %s"%report.getURL())
if (report.getPostData() != None and report.getPostData() != ""): boxarr.append(" [POST] %s"%report.getPostData())
if (report.isPost):
boxarr.append(" [POSTPARM] %s"%report.getVulnKey())
boxarr.append(" [POSTPARM] %s"%report.getVulnKey())
else:
boxarr.append(" [PARAM] %s"%report.getVulnKey())
boxarr.append(" [PARAM] %s"%report.getVulnKey())
if (report.isBlindDiscovered()):
boxarr.append(" [PATH] Not received (Blindmode)")
boxarr.append(" [PATH] Not received (Blindmode)")
else:
boxarr.append(" [PATH] %s"%report.getServerPath())
boxarr.append(" [PATH] %s"%report.getServerPath())
if (report.isUnix()):
boxarr.append(" [OS] Unix")
boxarr.append(" [OS] Unix")
else:
boxarr.append(" [OS] Windows")
boxarr.append(" [OS] Windows")
boxarr.append(" [TYPE] %s"%report.getType())
boxarr.append(" [TYPE] %s"%report.getType())
if (not report.isBlindDiscovered()):
if (report.isNullbytePossible() == None):
boxarr.append(" [NULLBYTE] No Need. It's clean.")
if (report.isSuffixBreakable() == None):
boxarr.append(" [TRUNCATION] No Need. It's clean.")
else:
if (report.isNullbytePossible()):
boxarr.append(" [NULLBYTE] Works. :)")
if (report.isSuffixBreakable()):
boxarr.append(" [TRUNCATION] Works with '%s'. :)" %(report.getSuffixBreakTechName()))
else:
boxarr.append(" [NULLBYTE] Doesn't work. :(")
boxarr.append(" [TRUNCATION] Doesn't work. :(")
else:
if (report.isNullbytePossible()):
boxarr.append(" [NULLBYTE] Is needed.")
if (report.isSuffixBreakable()):
boxarr.append(" [TRUNCATION] Is needed.")
else:
boxarr.append(" [NULLBYTE] Not tested.")
boxarr.append(" [TRUNCATION] Not tested.")
boxarr.append(" [READABLE FILES]")
if (len(files) == 0):
boxarr.append(" No Readable files found :(")
boxarr.append(" No Readable files found :(")
else:
fidx = 0
for file in files:
......
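Review bot: In the `[TRUNCATION] Works with '%s'` line, `getSuffixBreakTechName()` can still return `None` if the technique name was never set alongside `setSuffixBreakable(True)`, producing a misleading `Works with 'None'` in the report; guard it with `tech = report.getSuffixBreakTechName() or "unknown technique"` and format that instead. The context line `if (report.isPost):` reads an attribute while every other `report` accessor in the hunk is a method call, which is worth a glance even though it predates this change. The enclosing loop over reports starts before the hunk and the method continues after it.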