From 59e0d2314c55e84138355eda246b0cae61c0d794 Mon Sep 17 00:00:00 2001
From: stasinopoulos
Date: Thu, 30 Nov 2023 08:19:26 +0200
Subject: [PATCH] Minor update
---
 src/core/injections/controller/checks.py | 2 +-
 .../semiblind/techniques/file_based/fb_handler.py | 14 +++++++-------
 .../semiblind/techniques/file_based/fb_injector.py | 4 +++-
 src/core/main.py | 1 +
 src/core/requests/requests.py | 8 ++++----
 src/utils/settings.py | 10 ++++++----
 6 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/src/core/injections/controller/checks.py b/src/core/injections/controller/checks.py
index ac8c951fca..32e878fcfc 100755
--- a/src/core/injections/controller/checks.py
+++ b/src/core/injections/controller/checks.py
@@ -477,7 +477,7 @@ def page_encoding(response, action):
 pass
 if _:
 err_msg += "You are advised to rerun with"
- err_msg += ('out', '')[menu.options.codec == None] + " the option '--codec'."
+ err_msg += ('out', '')[menu.options.codec == None] + " option '--codec'."
 print(settings.print_critical_msg(str(err_msg)))
 raise SystemExit()
diff --git a/src/core/injections/semiblind/techniques/file_based/fb_handler.py b/src/core/injections/semiblind/techniques/file_based/fb_handler.py
index 7054cdd02f..3156f34475 100755
--- a/src/core/injections/semiblind/techniques/file_based/fb_handler.py
+++ b/src/core/injections/semiblind/techniques/file_based/fb_handler.py
@@ -50,7 +50,7 @@ def tfb_controller(no_result, url, timesec, filename, tmp_path, http_request_method, url_time_response):
 if no_result == True:
 if settings.VERBOSITY_LEVEL != 0:
- debug_msg = "Using '" + tmp_path + "' as temporary directory."
+ debug_msg = "Using '" + tmp_path + "' as temporary writable directory."
 print(settings.print_debug_msg(debug_msg))
 info_msg = "Trying to create a file in temporary "
 info_msg += "directory ('" + tmp_path + "') for command execution output.\n"
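Review bot: The rewritten line in page_encoding still tests `menu.options.codec == None`; an equality test against None goes through the option value's `__eq__` and is flagged by every linter, so while the line is being touched make it the identity test: `err_msg += ('out', '')[menu.options.codec is None] + " option '--codec'."`. page_encoding's body starts before the hunk.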
@@ -80,9 +80,9 @@ def delete_previous_shell(separator, payload, TAG, prefix, suffix, whitespace, h
 """
 def custom_web_root(url, timesec, filename, http_request_method, url_time_response):
 if settings.TARGET_OS == settings.OS.WINDOWS :
- example_root_dir = "\\inetpub\\wwwroot"
+ example_root_dir = settings.WINDOWS_DEFAULT_DOC_ROOTS[0]
 else:
- example_root_dir = "/var/www"
+ example_root_dir = settings.LINUX_DEFAULT_DOC_ROOTS[0].replace(settings.DOC_ROOT_TARGET_MARK,settings.TARGET_URL)
 message = "Please provide web server document root directory (e.g. '"
 message += example_root_dir + "') > "
 settings.WEB_ROOT = common.read_input(message, default=example_root_dir, check_batch=True)
@@ -216,9 +216,9 @@ def fb_injection_handler(url, timesec, filename, http_request_method, url_time_r
 if not settings.LOAD_SESSION or settings.RETEST == True:
 TAG = ''.join(random.choice(string.ascii_uppercase) for i in range(6))
 if settings.VERBOSITY_LEVEL != 0:
- debug_msg = "Using '" + settings.WEB_ROOT + "' as web server document root."
+ debug_msg = "Using '" + settings.WEB_ROOT + "' as writable directory."
 print(settings.print_debug_msg(debug_msg))
- info_msg = "Trying to create a file in '" + settings.WEB_ROOT
+ info_msg = "Trying to create a file in directory '" + settings.WEB_ROOT
 info_msg += "' for command execution output. "
 print(settings.print_info_msg(info_msg))
@@ -379,7 +379,7 @@ def fb_injection_handler(url, timesec, filename, http_request_method, url_time_r
 tmp_path = check_tmp_path(url, timesec, filename, http_request_method, url_time_response)
 sys.stdout.write("\r")
 message = "It seems that you don't have permissions to "
- message += "read and/or write files in '" + settings.WEB_ROOT + "'."
+ message += "read and/or write files in directory '" + settings.WEB_ROOT + "'."
 if not menu.options.web_root:
 message += " You are advised to rerun with option '--web-root'."
 while True:
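Review bot: The new Linux default in custom_web_root substitutes `settings.TARGET_URL` into `LINUX_DEFAULT_DOC_ROOTS[0]`, but TARGET_URL is initialised to `""` in settings.py and is only assigned in main.url_response from `urlparse(url).hostname`, which is None for a URL without a netloc; `str.replace` then raises TypeError, and with the empty default the suggested path degenerates to `/var/www//public_html`. Fall back to the plain entry when no hostname is known, e.g. `example_root_dir = settings.LINUX_DEFAULT_DOC_ROOTS[0].replace(settings.DOC_ROOT_TARGET_MARK, settings.TARGET_URL) if settings.TARGET_URL else settings.LINUX_DEFAULT_DOC_ROOTS[1]`. The identical expression is introduced in requests.server_identification in this patch and needs the same guard. custom_web_root's body may continue past the hunk.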
@@ -431,7 +431,7 @@ def fb_injection_handler(url, timesec, filename, http_request_method, url_time_r
 except _urllib.error.URLError as e:
 warn_msg = "It seems that you don't have permissions to "
- warn_msg += "read and/or write files in '" + settings.WEB_ROOT + "'."
+ warn_msg += "read and/or write files in directory '" + settings.WEB_ROOT + "'."
 sys.stdout.write("\r" + settings.print_warning_msg(warn_msg))
 err_msg = str(e).replace(": "," (") + ")."
 if settings.VERBOSITY_LEVEL >= 2:
diff --git a/src/core/injections/semiblind/techniques/file_based/fb_injector.py b/src/core/injections/semiblind/techniques/file_based/fb_injector.py
index d6cd7c192c..3cebcda98e 100755
--- a/src/core/injections/semiblind/techniques/file_based/fb_injector.py
+++ b/src/core/injections/semiblind/techniques/file_based/fb_injector.py
@@ -269,10 +269,12 @@ def custom_web_root(url, OUTPUT_TEXTFILE):
 if not settings.DEFINED_WEBROOT or settings.MULTI_TARGETS:
 if menu.options.web_root:
 scheme = _urllib.parse.urlparse(url).scheme
+ hostname = _urllib.parse.urlparse(url).hostname
 netloc = _urllib.parse.urlparse(url).netloc
 output = scheme + "://" + netloc + "/" + OUTPUT_TEXTFILE
 for item in settings.LINUX_DEFAULT_DOC_ROOTS:
+ item = item.replace(settings.DOC_ROOT_TARGET_MARK, hostname)
 if item == menu.options.web_root:
 settings.DEFINED_WEBROOT = output
 break
@@ -310,7 +312,7 @@ def custom_web_root(url, OUTPUT_TEXTFILE):
 output = settings.DEFINED_WEBROOT
 if settings.VERBOSITY_LEVEL != 0:
- debug_msg = "Checking URL '" + output + "' for command execution output."
+ debug_msg = "Checking if the file is accessible from '" + output + "'."
 print(settings.print_debug_msg(debug_msg))
 return output
diff --git a/src/core/main.py b/src/core/main.py
index 318ba0aa86..0ece63cce6 100644
--- a/src/core/main.py
+++ b/src/core/main.py
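Review bot: `hostname` added in fb_injector.custom_web_root can be None (urlparse yields None for a URL without a netloc), and `item.replace(settings.DOC_ROOT_TARGET_MARK, hostname)` then raises TypeError before the `--web-root` comparison is reached; `hostname = _urllib.parse.urlparse(url).hostname or ""` keeps the loop running, or skip the substitution when the hostname is missing. The function now parses the same URL three times for scheme, hostname and netloc; a single `parsed = _urllib.parse.urlparse(url)` followed by attribute reads would be clearer. Rebinding the loop variable `item` works but reads as a mutation of the settings list — a separate name such as `candidate` avoids that impression. custom_web_root continues past this hunk.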
@@ -206,6 +206,7 @@ def url_response(url):
 print(settings.print_info_msg(info_msg))
 # Check if http / https
 url = checks.check_http_s(url)
+ settings.TARGET_URL = _urllib.parse.urlparse(url).hostname
 # Check if defined Tor (--tor option).
 if menu.options.tor and settings.TOR_CHECK_AGAIN:
 tor.do_check()
diff --git a/src/core/requests/requests.py b/src/core/requests/requests.py
index 419d38f7bf..80dda10473 100755
--- a/src/core/requests/requests.py
+++ b/src/core/requests/requests.py
@@ -793,13 +793,13 @@ def server_identification(server_banner):
 # Set up default root paths
 if "apache" in settings.SERVER_BANNER.lower():
 if settings.TARGET_OS == settings.OS.WINDOWS:
- settings.WEB_ROOT = "\\htdocs"
+ settings.WEB_ROOT = settings.WINDOWS_DEFAULT_DOC_ROOTS[1]
 else:
- settings.WEB_ROOT = "/var/www"
+ settings.WEB_ROOT = settings.LINUX_DEFAULT_DOC_ROOTS[0].replace(settings.DOC_ROOT_TARGET_MARK,settings.TARGET_URL)
 elif "nginx" in settings.SERVER_BANNER.lower():
- settings.WEB_ROOT = "/usr/share/nginx"
+ settings.WEB_ROOT = settings.WINDOWS_DEFAULT_DOC_ROOTS[6]
 elif "microsoft-iis" in settings.SERVER_BANNER.lower():
- settings.WEB_ROOT = "\\inetpub\\wwwroot"
+ settings.WEB_ROOT = settings.WINDOWS_DEFAULT_DOC_ROOTS[0]
 break
 else:
 if settings.VERBOSITY_LEVEL != 0:
diff --git a/src/utils/settings.py b/src/utils/settings.py
index 63a64eba15..d99920b0bf 100755
--- a/src/utils/settings.py
+++ b/src/utils/settings.py
@@ -241,7 +241,7 @@ def sys_argv_errors():
 DESCRIPTION = "The command injection exploiter"
 AUTHOR = "Anastasios Stasinopoulos"
 VERSION_NUM = "3.9"
-REVISION = "24"
+REVISION = "25"
 STABLE_RELEASE = False
 VERSION = "v"
 if STABLE_RELEASE:
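Review bot: The value stored in `settings.TARGET_URL` in url_response is the parsed hostname, not a URL, so the name misleads readers of the consumers in requests.py and fb_handler.py that splice it into a filesystem path; if the setting is not renamed, at least annotate the assignment with `# hostname only; substituted for DOC_ROOT_TARGET_MARK in default doc-root paths`. `urlparse(url).hostname` is None when the URL has no netloc, while the setting is declared as a string (`TARGET_URL = ""`), so normalise here: `settings.TARGET_URL = _urllib.parse.urlparse(url).hostname or ""`. url_response's body continues on both sides of the hunk.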
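Review bot: In server_identification the nginx branch now assigns `settings.WINDOWS_DEFAULT_DOC_ROOTS[6]`, but the list introduced in settings.py by this patch has only three entries, so every nginx banner raises IndexError; the previous default was `/usr/share/nginx`, and the nearest entry in the new Linux list is `settings.LINUX_DEFAULT_DOC_ROOTS[7]` (`/var/www/nginx-default`), unless the old literal was meant to stay. Note also that the Windows entries are written as `"C:\\\\Inetpub\\wwwroot"`, which produces a doubled backslash after the drive letter (`C:\\Inetpub\wwwroot`) — `"C:\\Inetpub\\wwwroot"` matches the escaping used in the rest of each path. server_identification's body continues on both sides of the hunk.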
@@ -1188,10 +1188,12 @@ class AUTH_TYPE(object):
 # Period after last-update to start nagging (about the old revision).
 NAGGING_DAYS = 31
-LINUX_DEFAULT_DOC_ROOTS = ["/var/www/", "/var/www/html", "/var/www/htdocs", "/usr/local/apache2/htdocs", "/usr/local/www/data", "/var/apache2/htdocs", "/var/www/nginx-default", "/srv/www/htdocs"] # Reference: https://wiki.apache.org/httpd/DistrosDefaultLayout
-DEFINED_WEBROOT = RECHECK_FILE_FOR_EXTRACTION = False
-
+TARGET_URL = ""
+DOC_ROOT_TARGET_MARK = "%TARGET%"
+WINDOWS_DEFAULT_DOC_ROOTS = ["C:\\\\Inetpub\\wwwroot", "C:\\\\xampp\\htdocs", "C:\\\\wamp\\www"]
+LINUX_DEFAULT_DOC_ROOTS = ["/var/www/" + DOC_ROOT_TARGET_MARK + "/public_html", "/var/www", "/var/www/html", "/var/www/htdocs", "/usr/local/apache2/htdocs", "/usr/local/www/data", "/var/apache2/htdocs", "/var/www/nginx-default", "/srv/www/htdocs"] # Reference: https://wiki.apache.org/httpd/DistrosDefaultLayout
+DEFINED_WEBROOT = RECHECK_FILE_FOR_EXTRACTION = False
 # HTTP Headers
 COOKIE = "Cookie"