Projects STRLCPY agartha Commits f9449924
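--- a/Agartha.py
+++ b/Agartha.py
@@ -16,7 +16,7 @@
 except:
  print "==== ERROR ====" + "\n\nFailed to load dependencies.\n" +str(sys.exc_info()[1]) +"\n\n==== ERROR ====\n\n"
  
-VERSION = "0.9"
+VERSION = "0.95"
  
 class BurpExtender(IBurpExtender, ITab, IMessageEditorController, IContextMenuFactory):
 
@@ -35,7 +35,7 @@
  callbacks.registerContextMenuFactory(self)
  callbacks.issueAlert("The extension has been loaded.")
  self.tableMatrixReset(self)
- print "Agartha(v" + VERSION + ") is a security tool for:\n\t\t* Local File Inclusion, Directory Traversal,\n\t\t* Command Injection, Code Execution,\n\t\t* SQL Injections,\n\t\t* Authentication/Authorization Access Matrix,\n\t\t* Http request to Javascript conversion.\n\nFor more information and tutorial how to use, please visit:\n\t\thttps://github.com/volkandindar/agartha\n\nAuthor:\tVolkan Dindar\n\t\t\t\[email protected]"
+ print "Agartha(v" + VERSION + ") is a security tool for:\n\t\t* Local File Inclusion, Directory Traversal\n\t\t* Command Injection, RCE\n\t\t* SQL Injections\n\t\t* Access Violations, Authentication/Authorization Matrix\n\t\t* Http request to Javascript conversion\n\nFor more information and tutorial how to use, please visit:\n\t\thttps://github.com/volkandindar/agartha\n\nAuthor:\tVolkan Dindar\n\t\t\t\[email protected]"
  return
  
@@ -163,12 +163,12 @@
  self.userNamesHttpUrls.append([])
  
  urlList = []
- for x in range(0,self.tableMatrix.getRowCount()):
+ for x in range(0, self.tableMatrix.getRowCount()):
  urlList.append(str(self.tableMatrix.getValueAt(x, 0)))
-
  for _url in set(self._tbAuthURL.getText().split('\n')):
  _url = _url.strip()
- if _url and not any(re.findall(r'(log|sign).*(off|out)', _url, re.IGNORECASE)):
+ _ext = os.path.splitext(urlparse.urlparse(_url).path)[1]
+ if _url and not any(re.findall(r'(log|sign|time).*(off|out)', _url, re.IGNORECASE)) and not any(re.findall(r'^\.(gif|jpg|jpeg|png|css|js|ico|svg|eot|woff|woff2|ttf)$', _ext, re.IGNORECASE)):
  # ignore logout, signoff, etc. paths
  if _url not in self.userNamesHttpUrls[self.userCount]:
  # check first if the url exist in user's url list
@@ -180,7 +180,7 @@
  self._tbAuthURL.setText("")
  self._btnAuthRun.setEnabled(True)
  self._btnAuthReset.setEnabled(True)
- self._lblAuthNotification.text = self._tbAuthNewUser.text + " added successfully!"
+ self._lblAuthNotification.text = self._tbAuthNewUser.text + " added successfully! Possible session terminators (log|sign|time - off|out), and file extensions (gif, jpg, jpeg, png, css, js, ico, svg, eot, woff, woff2, ttf) have been filtered out!"
  self._lblAuthNotification.setForeground (Color.black)
  self._cbAuthColoring.setEnabled(True)
  self._cbAuthGETPOST.setEnabled(True)
@@ -280,22 +280,23 @@
  
  def funcCommandInj(self, ev):
  listCommandInj = []
- prefixes = ["", "\\n", "\\r\\n", "%0a", "%0d%0a"]
- escapeChars = ["", "'", "\\'", "\"", "\\\""]
+ prefixes = ["", "\\n", "\\\\n", "\\r\\n", "\\\\r\\\\n", "%0a", "%0d%0a"]
+ escapeChars = ["", "'", "\\'", "\\\\'", "\"", "\\\"", "\\\\\""]
  separators = ["&", "&&", "|", "||", ";"]
 
  for prefix in prefixes:
  for separator in separators:
  for escapeChar in escapeChars:
+ if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")):
+ if (prefix[:2].count("\\") != escapeChar[:2].count("\\")):
+ continue
  listCommandInj.append(prefix + escapeChar + separator + self._txtTargetPath.text + separator + escapeChar + "\n")
  listCommandInj.append(prefix + escapeChar + separator + self._txtTargetPath.text + escapeChar + "\n")
  listCommandInj.append(prefix + escapeChar + separator + escapeChar + self._txtTargetPath.text + "\n")
  listCommandInj.append(prefix + escapeChar + separator + "`" + self._txtTargetPath.text + "`" + separator + escapeChar + "\n")
  listCommandInj.append(prefix + escapeChar + separator + "`" + self._txtTargetPath.text + "`" + escapeChar + "\n")
-
  listCommandInj.append(prefix + separator + "`" + self._txtTargetPath.text + "`" + separator + "\n")
  listCommandInj.append(prefix + separator + "`" + self._txtTargetPath.text + "`" + "\n")
-
  listCommandInj.append(prefix + self._txtTargetPath.text + "\n")
  listCommandInj.append(prefix + "`" + self._txtTargetPath.text + "`" + "\n")
  
@@ -403,12 +404,11 @@
  return
  
  listSQLi = []
- prefixes = ["", "\\n", "\\r\\n", "%0a", "0x0a", "%0d%0a", "0x0d0a", "%00", "0x00"]
- escapeChars = ["", "'", "\\'"]
+ prefixes = ["", "\\n", "\\\\n", "\\r\\n", "\\\\r\\\\n", "%0a", "0x0a", "%0d%0a", "0x0d0a", "%00", "0x00"]
+ escapeChars = ["", "'", "\\'", "\\\\'"]
  if not self._cbSqlWafBypass.isSelected():
  prefixes = [""]
  escapeChars = ["", "'"]
- 
  n1 = str(random.randint(10, 70))
  n2 = str(random.randint(71, 99))
  boolExpressions = [n1 + "=" + n1, n1 + "<" + n2]
@@ -420,23 +420,31 @@
  for escapeChar in escapeChars:
  for boolExpression in boolExpressions:
  for suffix in suffixes[1:]:
+ if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")):
+ if (prefix[:2].count("\\") != escapeChar[:2].count("\\")):
+ continue
  listSQLi.append(prefix + escapeChar + " or " + boolExpression + suffix + "\n")
  if not escapeChar:
  listSQLi.append(prefix + " or " + boolExpression + "\n")
  for prefix in prefixes:
  for escapeChar in escapeChars[1:]:
  for suffix in suffixes[1:]:
+ if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")):
+ if (prefix[:2].count("\\") != escapeChar[:2].count("\\")):
+ continue
  listSQLi.append(prefix + escapeChar + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + "\n")
  listSQLi.append(prefix + escapeChar + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + escapeChar + suffix + "\n")
  listSQLi.append(prefix + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + escapeChar + "\n")
  listSQLi.append(prefix + " or " + escapeChar + "xyz" + escapeChar + "=" + escapeChar + "xyz" + escapeChar + suffix + "\n")
-
 
  if self._cbOrderBased.isSelected():
  for prefix in prefixes:
  for escapeChar in escapeChars:
  for suffix in suffixes[1:]:
  for i in range(int(self._cbOrderDepth.getSelectedItem())):
+ if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")):
+ if (prefix[:2].count("\\") != escapeChar[:2].count("\\")):
+ continue
  listSQLi.append(prefix + escapeChar + " order by " + str(i+1) + suffix + "\n")
  if not escapeChar:
  listSQLi.append(prefix + escapeChar + " order by " + str(i+1) + "\n")
@@ -447,6 +455,9 @@
  for escapeChar in escapeChars:
  for suffix in suffixes[1:]:
  for union in unions:
+ if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")):
+ if (prefix[:2].count("\\") != escapeChar[:2].count("\\")):
+ continue
  unionPhrase = " union all select "
  for i in range(int(self._cbUnionDepth.getSelectedItem())):
  unionPhrase += union
@@ -518,6 +529,9 @@
  for prefix in prefixes:
  for escapeChar in escapeChars:
  for suffix in suffixes[1:]:
+ if (prefix[:2].count("\\")) and (escapeChar[:2].count("\\")):
+ if (prefix[:2].count("\\") != escapeChar[:2].count("\\")):
+ continue
  if self._cbOracleBased.isSelected():
  if self._cbStackedSQL.isSelected():
  if escapeChar:
@@ -805,7 +819,7 @@
  # panel center
  self._lblAuthNotification = JLabel("", SwingConstants.LEFT)
  self.tableMatrix = []
- self.tableMatrix_DM = CustomDefaultTableModel(self.tableMatrix, ('URLS','NoAuth'))
+ self.tableMatrix_DM = CustomDefaultTableModel(self.tableMatrix, ('URLs','NoAuth'))
  self.tableMatrix = JTable(self.tableMatrix_DM)
  self.tableMatrix.setAutoCreateRowSorter(False)
  self.tableMatrix.setSelectionForeground(Color.red)
@@ -852,7 +866,7 @@
  self.editorPaneInfo.setContentType("text/html");
  htmlString ="<html>"
  htmlString +="<div><h3>Author: Volkan Dindar, Github Repo: https://github.com/volkandindar/agartha</h3>"
- htmlString +="<h1>Agartha { LFI | RCE | Auth | SQL Injection | Http->Js }</h1>"
+ htmlString +="<h1>Agartha { LFI | RCE | SQLi | Auth | Http->Js }</h1>"
  htmlString +="<p>Agartha is a penetration testing tool which creates dynamic payload lists and user access matrix to reveal injection flaws and authentication/authorization issues. There are many different attack payloads alredy exist, but Agartha creates run-time, systematic and vendor-neutral payloads with many different possibilities and bypassing methods. It also draws attention to user session and URL relationships, which makes easy to find user access violations. And additionally, it converts Http requests to JavaScript to help digging up XSS issues more. In summary:</p><ul>"
  htmlString +="<li><strong>Payload Generator</strong>: It creates payloads/wordlists for different attack types.<ul>"
  htmlString +="<li><strong>Local File Inclusion, Directory Traversal</strong>: It creates file dictionary lists with various encoding and escaping characters.</li>"
@@ -946,12 +960,12 @@
  self._lblStatusLabel = JLabel()
  self._lblStatusLabel.setText("Please provide a path for payload generation!")
  self._txtTargetPath = JTextField(self._txtDefaultLFI, 30)
- self._rbDictLFI = JRadioButton('LFI/DT', True, itemStateChanged=self.funcRBSelection);
- self._rbDictLFI.setToolTipText("It generates payload for Local File Inclusion, Directory Traversal.")
+ self._rbDictLFI = JRadioButton('LFI / DT', True, itemStateChanged=self.funcRBSelection);
+ self._rbDictLFI.setToolTipText("Payload generation for Local File Inclusion, Directory Traversal.")
  self._rbDictCommandInj = JRadioButton('Command Inj / RCE', itemStateChanged=self.funcRBSelection)
- self._rbDictCommandInj.setToolTipText("It generates payload for Command Injection, Remote Code Execution.")
+ self._rbDictCommandInj.setToolTipText("Payload generation for Command Injection, Remote Code Execution.")
  self._rbDictSQLi = JRadioButton('SQL Injection', itemStateChanged=self.funcRBSelection)
- self._rbDictSQLi.setToolTipText("It generates payload for various type of SQL attacks.")
+ self._rbDictSQLi.setToolTipText("Payload generation for various type of SQL attacks.")
  _rbDictCheatSheet = JRadioButton('Cheat Sheet', itemStateChanged=self.funcRBSelection)
  _rbDictFuzzer = JRadioButton('Fuzzer', itemStateChanged=self.funcRBSelection)
  _rbPanel = JPanel()
@@ -967,10 +981,10 @@
  self._cbDictWafBypass = JCheckBox('Waf Bypass', True)
  self._cbDictWafBypass.setToolTipText("It includes bypass techniques like null bytes, various type of encodings, different file extensions, etc.")
  self._cbDictEquality = JCheckBox(')', False)
- self._cbDictEquality.setToolTipText("Generate payloads only for some certain folder depth.")
+ self._cbDictEquality.setToolTipText("Generate payloads only for a specific depth.")
  self._cbDictDepth = JComboBox(list(range(0, 20)))
  self._cbDictDepth.setSelectedIndex(5)
- self._cbDictDepth.setToolTipText("How deep the folder depth should be?")
+ self._cbDictDepth.setToolTipText("Folder depth limit. How much folder above should it go?")
  _cbDictDepthPanel = JPanel(FlowLayout(FlowLayout.LEADING, 10, 0))
  _cbDictDepthPanel.add(self._cbDictDepth)
  self._cbDictCommandInjEncoding = JCheckBox('URL Encoding', False)
@@ -987,13 +1001,13 @@
  self._cbUnionDepth = JComboBox(list(range(1, 20)))
  self._cbUnionDepth.setSelectedIndex(4)
  self._cbUnionDepth.setEnabled(False)
- self._cbUnionDepth.setToolTipText("Generates payload till")
+ self._cbUnionDepth.setToolTipText("Column numbers")
  self._cbOrderBased = JCheckBox('Order-Based', False, itemStateChanged=self._cbOrderBasedFunc)
  self._cbOrderBased.setToolTipText("Order-Based SQL Injection")
  self._cbOrderDepth = JComboBox(list(range(1, 20)))
  self._cbOrderDepth.setSelectedIndex(4)
  self._cbOrderDepth.setEnabled(False)
- self._cbOrderDepth.setToolTipText("Generates payload till")
+ self._cbOrderDepth.setToolTipText("Column numbers")
  self._cbBooleanBased = JCheckBox('Boolean-Based', True)
  self._cbBooleanBased.setToolTipText("Boolean-Based SQL Injection")
  self._cbMssqlBased = JCheckBox('MSSQL', True)
@@ -1069,7 +1083,7 @@
  
  def tableMatrixReset(self, ev):
  self.tableMatrix = []
- self.tableMatrix_DM = CustomDefaultTableModel(self.tableMatrix, ('URLS','NoAuth'))
+ self.tableMatrix_DM = CustomDefaultTableModel(self.tableMatrix, ('URLs','NoAuth'))
  self.tableMatrix = JTable(self.tableMatrix_DM)
  self.tableMatrix_SP.getViewport().setView((self.tableMatrix))
  self.userCount = 0
@@ -1083,6 +1097,7 @@
  self._requestViewer.setMessage("", False)
  self._responseViewer.setMessage("", False)
  self._lblAuthNotification.text = "Please add users to create an auth matrix"
+ self._lblAuthNotification.setForeground (Color.black)
  self._tbAuthNewUser.setForeground (Color.black)
  self._txtHeaderDefault = "GET /example HTTP/1.1\nHost: localhost.com\nAccept-Encoding: gzip,deflate\nConnection: close\nCookie: SessionID=......"
  self._tbAuthHeader.setText(self._txtHeaderDefault)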
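Review bot: The session-terminator filter on new line 171 runs `(log|sign|time).*(off|out)` over the whole URL with an unanchored `.*`, so any URL in which "log", "sign" or "time" is followed anywhere later by "off" or "out" is silently dropped from the access matrix — `/blog/about`, `/catalog/checkout`, or a host or query containing "timeline…out" all match — and the notification on new line 183 never says which URLs were lost, which for an authorization matrix means a missed finding rather than a cosmetic issue. I would match only the path and require the terminator to be one token, e.g. `_path = urlparse.urlparse(_url).path`, `_ext = os.path.splitext(_path)[1]`, and `if _url and not re.search(r'(log|sign|time)[-_]?(off|out)', _path, re.IGNORECASE) and not re.match(r'^\.(gif|jpg|jpeg|png|css|js|ico|svg|eot|woff|woff2|ttf)$', _ext, re.IGNORECASE):`, and append each skipped URL to the notification or the console so the tester can re-add one deliberately; this is narrower than the old pattern, so check it against the URL shapes you already rely on. The new code also depends on `os` and `urlparse` being imported, which presumably happens in the skipped dependency block at the top of the file but is not visible here. The enclosing method starts and ends outside this hunk.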