Commit af820a56 authored by fimap.dev@gmail.com's avatar fimap.dev@gmail.com

Header scanning and attacking preparation.

parent 6f3394c0
......@@ -23,6 +23,8 @@ from ftplib import FTP
from ftplib import error_perm
from config import settings
import xml.dom.minidom
from base64 import b64encode
import pickle
import ntpath
import baseTools
import shutil
......@@ -136,6 +138,12 @@ class baseClass (object):
self._setAttrib(elem_vuln, "kernel", "")
self._setAttrib(elem_vuln, "language", rep.getLanguage())
headers_pickle = pickle.dumps(rep.getHeader())
headers_pickle = b64encode(headers_pickle)
self._setAttrib(elem_vuln, "header_dict", headers_pickle)
self._setAttrib(elem_vuln, "header_vuln_key", rep.getVulnHeader())
os_ = "unix"
if (rep.isWindows()):
os_ = "win"
......@@ -152,10 +160,7 @@ class baseClass (object):
else:
self._setAttrib(elem_vuln, "blind", "0")
if (rep.isPost):
self._setAttrib(elem_vuln, "ispost", "1")
else:
self._setAttrib(elem_vuln, "ispost", "0")
self._setAttrib(elem_vuln, "ispost", str(rep.isPost))
self._appendXMLChild(elem, elem_vuln)
self._appendXMLChild(self.XML_RootItem, elem)
......@@ -512,6 +517,7 @@ class baseClass (object):
def doGetRequest(self, URL, additionalHeaders=None):
self._log("GET: %s"%URL, self.LOG_DEVEL)
self._log("HEADER: %s"%str(additionalHeaders), self.LOG_DEVEL)
self._log("TTL: %d"%baseClass.TIMEOUT, self.LOG_DEVEL)
result, headers = self.doRequest(URL, self.config["p_useragent"], additionalHeaders=additionalHeaders)
self._log("RESULT-HEADER: %s"%headers, self.LOG_DEVEL)
......@@ -519,10 +525,11 @@ class baseClass (object):
return result
def doPostRequest(self, URL, Post, additionalHeaders=None):
self._log("URL: %s"%URL, self.LOG_DEVEL)
self._log("POST: %s"%Post, self.LOG_DEVEL)
self._log("URL : %s"%URL, self.LOG_DEVEL)
self._log("POST : %s"%Post, self.LOG_DEVEL)
self._log("HEADER: %s"%str(additionalHeaders), self.LOG_DEVEL)
self._log("TTL: %d"%baseClass.TIMEOUT, self.LOG_DEVEL)
result, headers = self.doRequest(URL, self.config["p_useragent"], Post, additionalHeaders)
result, headers = self.doRequest(URL, self.config["p_useragent"], Post, additionalHeaders=additionalHeaders)
self._log("RESULT-HEADER: %s"%headers, self.LOG_DEVEL)
self._log("RESULT-HTML: %s"%result, self.LOG_DEVEL)
return result
......@@ -550,9 +557,9 @@ class baseClass (object):
b.headers.update(additionalHeaders)
if postData:
result, headers = b.get_page(URL, postData)
result, headers = b.get_page(URL, postData, additionalheader=additionalHeaders)
else:
result, headers = b.get_page(URL)
result, headers = b.get_page(URL, additionalheader=additionalHeaders)
finally:
del(b)
......@@ -599,7 +606,7 @@ class Browser(object):
'Accept-Language': 'en-us,en;q=0.5'}
self.proxy = proxystring
def get_page(self, url, data=None):
def get_page(self, url, data=None, additionalheader = None):
proxy_support = urllib2.ProxyHandler({})
if (self.proxy != None):
proxy_support = urllib2.ProxyHandler({'http': self.proxy, 'https': self.proxy})
......@@ -607,6 +614,10 @@ class Browser(object):
opener = urllib2.build_opener(*handlers)
if additionalheader != None:
for key, head in additionalheader.items():
opener.addheaders.append((key, head))
ret = None
headers = None
response = None
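Review bot: The header dict is serialized with `pickle.dumps(rep.getHeader())` and base64 before being stored as the `header_dict` XML attribute, so whatever later reads the results file has to `pickle.loads` text it did not produce; pickle reconstructs whatever object constructors that data names, which turns a results file into a code-execution surface the moment it is shared or merged (this commit's `fimap.py` side carries a `p_mergexml` option, which suggests that happens). Since the headers are a plain key/value mapping, a format with no code path such as `json.dumps(rep.getHeader())` stores the same information and reads back just as easily. Separately, `doRequest` still calls `b.headers.update(additionalHeaders)` and now also passes `additionalheader=` to `get_page`, which appends the same pairs to `opener.addheaders`; unless `Browser` ignores `self.headers` when building the request, each extra header may be sent twice — worth confirming against the rest of `Browser`, which continues outside this hunk.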
......@@ -69,6 +69,7 @@ def show_help(AndQuit=False):
print " tons of requests depending how you configure it."
print " By default this mode only tests windows servers."
print " Can be used with -s, -m or -g. Experimental."
print " -M , --multiply-term=X Multiply terminal symbols like '.' and '/' in the path by X."
print "## Variables:"
print " -u , --url=URL The URL you want to test."
print " Needed in single mode (-s)."
......@@ -91,6 +92,8 @@ def show_help(AndQuit=False):
print " in harvest mode (-H). Default is 1."
print " -P , --post=POSTDATA The POSTDATA you want to send. All variables inside"
print " will also be scanned for file inclusion bugs."
print " --cookie=COOKIE Define the cookie which should be send with each request."
print " Also the cookie will be scanned for file inclusion bugs."
print " --ttl=SECONDS Define the TTL (in seconds) for requests. Default is 30 seconds."
print " --no-auto-detect Use this switch if you don't want to let fimap automaticly detect"
print " the target language in blind-mode. In that case you will get some"
......@@ -231,8 +234,10 @@ if __name__ == "__main__":
config["p_color"] = False
config["p_mergexml"] = None
config["p_results_per_query"] = 100
config["p_googlesleep"] = 5;
config["p_tabcomplete"] = False;
config["p_googlesleep"] = 5
config["p_tabcomplete"] = False
config["p_multiply_term"] = 1
config["header"] = {}
doPluginsShow = False
doRFITest = False
doInternetInfo = False
......@@ -277,8 +282,8 @@ if __name__ == "__main__":
"show-my-ip" , "enable-blind", "http-proxy=" , "ttl=" , "post=" , "no-auto-detect",
"plugins" , "enable-color", "update-def" , "merge-xml=" , "install-plugins" , "results=",
"googlesleep=" , "dot-truncation", "dot-trunc-min=", "dot-trunc-max=", "dot-trunc-step=", "dot-trunc-ratio=",
"tab-complete" , "dot-trunc-also-unix"]
optlist, args = getopt.getopt(sys.argv[1:], "u:msl:v:hA:gq:p:sxHw:d:bP:CIDT", longSwitches)
"tab-complete" , "cookie=" , "dot-trunc-also-unix", "multiply-term="]
optlist, args = getopt.getopt(sys.argv[1:], "u:msl:v:hA:gq:p:sxHw:d:bP:CIDTM:", longSwitches)
startExploiter = False
......@@ -360,6 +365,10 @@ if __name__ == "__main__":
config["p_dot_trunc_only_win"] = False
if (k in ("-T", "--tab-complete")):
config["p_tabcomplete"] = True
if (k in ("-M", "--multiply-term")):
config["p_multiply_term"] = int(v)
if (k in ("--cookie",)):
config["header"]["Cookie"] = v
#if (k in("-f", "--exploit-filter")):
# config["p_exploit_filter"] = v
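Review bot: `config["p_multiply_term"] = int(v)` in the `-M`/`--multiply-term` branch takes whatever string getopt hands it, so a non-numeric value aborts with a raw `ValueError` traceback and zero or a negative number is stored silently; a `try`/`except ValueError` that rejects the value with a clear message, plus a check that it is at least 1, would keep this switch failing the way the others do. The help text for the new `--cookie` switch reads `should be send` — `should be sent`. The option-parsing loop continues beyond this hunk.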
......@@ -696,8 +696,19 @@ class fiFile(baseTools):
def isWindows(self):
return(self.iswin)
def getBackSymbols(self):
def getBackSymbols(self, SeperatorAtFront=True):
if (SeperatorAtFront):
if (self.isUnix()):
return("/..")
else:
return("\\..")
else:
if (self.isUnix()):
return("../")
else:
return("..\\")
def getBackSymbol(self):
if (self.isUnix()):
return("/..")
return("/")
else:
return("\\..")
\ No newline at end of file
return("\\")
\ No newline at end of file
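Review bot: `getBackSymbol` now returns only the path separator (`"/"` or `"\\"`) while its name, and the sibling `getBackSymbols` directly above it, describe a `..` component, so a reader of the call sites has to open this file to learn which of the two the name means. A one-line docstring on each, e.g. `"""Return the directory separator for the target OS ('/' or '\\')."""` on `getBackSymbol`, or renaming it to something like `getSeparator` with the old name kept as an alias, would make the intent explicit. `SeperatorAtFront` is also misspelled (`SeparatorAtFront`); since it is a keyword parameter, renaming it changes the interface and should be done together with any caller in the same commit. The class continues beyond this hunk.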
......@@ -40,10 +40,18 @@ class report:
self.isLinux = True
self.BlindDiscovered = False
self.PostData = None
self.isPost = False
self.isPost = 0
self.language = None
self.VulnHeaderKey = None
self.HeaderDict = None
def setVulnHeaderKey(self, headerkey):
self.VulnHeaderKey = headerkey
def setHeader(self, header):
self.HeaderDict = header
def setLanguage(self, lang):
self.language = lang
......@@ -62,6 +70,14 @@ class report:
def getPostData(self):
return(self.PostData)
def getVulnHeader(self):
if (self.VulnHeaderKey == None):
return("")
return(self.VulnHeaderKey)
def getHeader(self):
return(self.HeaderDict)
def isPost(self):
return(self.isPost)
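Review bot: `self.isPost = 0` in the constructor is an instance attribute with the same name as the new `def isPost(self)` method, so on any instance the integer shadows the method and `report.isPost()` raises `TypeError: 'int' object is not callable`; the method is effectively dead (the caller in singleScan compares the attribute directly). Either drop the method or rename the attribute, e.g. `self._isPost = 0` with `def isPost(self): return self._isPost`, and update the readers. The numeric states are undocumented; from the way singleScan branches on them, a comment on the assignment such as `# 0 = GET parameter, 1 = POST parameter, 2 = request header` would save the next reader the cross-file lookup. `getVulnHeader` should test `self.VulnHeaderKey is None` rather than `== None`. The enclosing method (presumably `__init__`) starts before this hunk.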
......@@ -59,10 +59,19 @@ class singleScan(baseClass):
header = "[%d] Possible %s-File Inclusion"%(idx, report.getLanguage())
boxarr.append(" [URL] %s"%report.getURL())
if (report.getPostData() != None and report.getPostData() != ""): boxarr.append(" [POST] %s"%report.getPostData())
if (report.isPost):
if (report.isPost == 1):
boxarr.append(" [POSTPARM] %s"%report.getVulnKey())
else:
elif (report.isPost == 2):
modkeys = ",".join(report.getHeader().keys())
boxarr.append(" [HEAD SENT] %s"%(modkeys))
boxarr.append(" [VULN HEAD] %s"%report.getVulnHeader())
boxarr.append(" [VULN PARA] %s"%report.getVulnKey())
elif (report.isPost == 0):
boxarr.append(" [PARAM] %s"%report.getVulnKey())
if (report.isBlindDiscovered()):
boxarr.append(" [PATH] Not received (Blindmode)")
else:
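Review bot: The `report.isPost == 2` branch calls `report.getHeader().keys()`, but `HeaderDict` is initialised to `None` in report.py and only set via `setHeader`, so a report flagged as a header finding without a header dict raises `AttributeError` here; a guard like `modkeys = ",".join((report.getHeader() or {}).keys())` keeps the result box rendering. The `if`/`elif`/`elif` chain on 0, 1 and 2 has no fallback, so an unexpected value silently prints no parameter line at all — an `else` that logs the value would make such a state visible. The enclosing method continues beyond this hunk.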