0xInfection/TIDoS-Framework

[Bug] => Some anomaly

psychomad opened this issue · 10 comments

First of all Hi and thanks for great work.
Second:
I saw when tidos have error handling a response reset and bring back to the menù. Hard to analyze what the problem on the remote website. It happen to cookie automate xss test., but happened also in other modules and always when can't handle request.
Any hint?

Hi there,

This is a genuine issue and I was looking forward to this kind of issues since the very build of TIDoS is affected by these kinda bugs.

Thank you for issuing this bug. May I ask during running of which modules did you notice the bug repetitively? Hand me out a list and I will take a look at them.

Ok first session tested
OS: Kali 2018
Python version 2 & 3
update: last 15 August 2018

Tested Recon&OSINT menu
PASSIVE RECON
All tested passed

Actvive recon
[#] TID :> A

 [!] Type Selected : All Modules
 [*] Firing up module --> Ping Enum

   =============================================
    P I N G / N P I N G   E N U M E R A T I O N
   =============================================

 [!] Pinging website...
 [*] Using adaptative ping and debug mode with count 5...
 [!] Press Ctrl+C to stop

 [-] Unhandled runtime exception while execution...
 [-] Returning back to main menu...

this module stop all A

test3
active recon one by one

HTTP HEADER

 [!] Type Selected : Grab HTTP Headers

      ==================================
      G R A B   H T T P   H E A D E R S
     ===================================

 [!] Grabbing HTTP Headers...
 [-] Something went wrong...


Scrape comments from webpage
[-] Unhandled runtime exception while execution...
6
[-] Returning back to main menu...


find shared dns hosts
 [-] Outbound Query Exception!

CMS Detection
[-] Unhandled runtime exception while execution...

Apache status disclusre
[-] Unhandled runtime exception while execution...


    =========================================
     D A V   H T T P   E N U M E R A T I O N
    =========================================

 [!] Loading HTTP methods...

 [*] Initiating HTTP Search module...
 [!] Setting headers...
 [!] Setting buffers...
 [*] Setting the parameters...
 [*] Making the request...
 [-] Exception : HTTP Error 302: Found
 [+] Matching the signatures...
 [-] Unhandled runtime exception while execution...

PHP Info

 [!] Type Selected : PHPInfo Enumeration

    =============================
     P H P I N F O   F I N D E R
    =============================

 [*] Importing file paths...
 [!] Starting bruteforce...
 [*] Trying : https://xxxxxxxx.php/
 [-] Unhandled runtime exception while execution..

And finally all those answer

   ================================================
      P A T H   T R A V E R S A L  (Sensitive Paths)
     ================================================

 [!] Input the directory to be used... Final Url will be like "http://site.com/sensitive"
 [#] Enter directory asssociated (eg. /sensitive) [Enter for None] :>

 [#] Got cookies? [Enter if none] :>
 [!] Enter the filename containing paths (Default: files/pathtrav_paths.lst)
 [*] Custom filepath (press Enter for default) :>
 [*] Using default filepath...

 [+] Testing Url : https://disommadistefanolegali.it/etc/passwd
 [-] Problem connecting to the website...

 [+] Testing Url : https://-------.it/../logs/access_log
 [-] Problem connecting to the website...

 [+] Testing Url : https://------li.it/../logs/error_log
 [-] Problem connecting to the website...

 [+] Testing Url : https://-------.it/etc/shadow
 [-] Problem connecting to the website...

 [+] Testing Url : https://------.it/etc/group
 [-] Problem connecting to the website...

 [+] Testing Url : https://--------i.itproc/self/environ
 [-] Exception encountered during processing...
 [-] Error : HTTPSConnectionPool(host='disommadistefanolegali.itproc', port=443): Max retries exceeded with url: /self/environ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0e7427650>: Failed to establish a new connection: [Errno -2] Name or service not known',))



Cross site scripting Automated
User Agent Based)
    ===========================

 [*] Using payload :  <font style='color:expression(alert('XSS'))'>
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) <font style='color:expression(alert('XSS'))'>
 [*] Using payload : ' onmouseover=alert(/Black.Spook/)
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0)' onmouseover=alert(/Black.Spook/)
 [*] Using payload : ";eval(unescape(location))//#  %0Aalert(0)
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0)";eval(unescape(location))//#  %0Aalert(0)
 [*] Using payload : "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0)"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [-] Unhandled runtime exception while execution...
 [-] Returning back to main menu...


Cross site scripting Automated
Refeer  Based)

 [*] Using payload :  <font style='color:expression(alert('XSS'))'>
 [*] Using !nfected UA : http://xssing.pwn <font style='color:expression(alert('XSS'))'>
 [*] Using payload : ' onmouseover=alert(/Black.Spook/)
 [*] Using !nfected UA : http://xssing.pwn' onmouseover=alert(/Black.Spook/)
 [*] Using payload : ";eval(unescape(location))//#  %0Aalert(0)
 [*] Using !nfected UA : http://xssing.pwn";eval(unescape(location))//#  %0Aalert(0)
 [*] Using payload : "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [*] Using !nfected UA : http://xssing.pwn"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [-] Unhandled runtime exception while execution...

and come back to first menù, maybe can be good "press enter to return to previous menu"?

  ======================================
     S Q L i   H U N T E R (Auto Awesome)
    ======================================
  [It is recommended to run ScanEnum/Crawlers
          before using this module]

 [-] Path file not found!
 [*] Loading module SQLi...

    ==========================================
     S Q L   I N J E C T I O N  (Error Based)
    ==========================================

 [*] Importing error parameters...

 [#] Enter the type you want to proceed:

   [1] Manual Mode
   [2] Automatic Mode

 [#] TID :>


when this happen you enter in a loop of option 1 and 2 and no "return to previous menu"
you need to quit tool and restart


HTTP RESPONSE SPLITTING


[*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : %25%30%61Set-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://-----.it/=%25%30%61Set-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : %u000ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://------.it/=%u000ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : //www.google.com/%2F%2E%2E%0D%0ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://------p.it/=//www.google.com/%2F%2E%2E%0D%0ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : /www.google.com/%2E%2E%2F%0D%0ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://------.it/=/www.google.com/%2E%2E%2F%0D%0ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : /google.com/%2F..%0D%0ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://-----.it/=/google.com/%2F..%0D%0ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment


PHP CODE INJECTION 
stuck here
even if i write the path always ask for path and need restart tidos



 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...
 [#] Enter path to file (default: files/payload-db/xpath_payloads.lst)...
 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...
 [#] Enter path to file (default: files/payload-db/xpath_payloads.lst)...
 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...
 [#] Enter path to file (default: files/payload-db/xpath_payloads.lst)...
 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...

Unvalidate URL redirections

Unhandled runtime exception while execution...


Subdomain takeover: choosing all subddomain 

tarting enumeration...
 [+] Searching for subdomains file...
 [-] Subdomains file not found!
 [*] Initializing sub-domain gathering...
 [-] Exception occured!
 [-] Error : global name 'subdom0x00' is not defined
 [-] Unhandled runtime exception while execution...

Thank you for your awesome work 👌. I will go and get them fixing rightaway!

Update: I fixed all issues within Active Reconnaissance Phase in 57a8a8b. Can you confirm it?

Presently working on VulnLysis Phase

Hi
I will check asap...
I notice another thing... if i use tidos behind tor or ip2 Nmap have a prob:

sendto in send_ip_packet_sd: sendto(6, packet, 28, 0, IP, 16) => Operation not permitted
Offending packet: ICMP [source ip target ip Echo request (type=8/code=0) id=32539 seq=0] IP [ttl=54 id=32767 iplen=28 ]

I think is the built in kernel security or something else... i will check and i write here a possible solution

scrape comment from website still unhandled
CMS detection still unhandled
DAV HTTP unhandled

I am not being able to reproduce the issues with these modules, try it on any other website and see if it works. It should.

Yes it work on different website.. will be interesting what make crazy python, the answer from website, can be useful even to make some exploit

Okay so every bug in this issue has been fixed in 9268eec. Let me know if there are more. ;)

Thank you.