0xInfection / TIDoS-Framework

The Offensive Manual Web Application Penetration Testing Framework.
GNU General Public License v3.0
1.76k stars 389 forks

[Bug] => Some anomaly #22

Closed psychomad closed 5 years ago

psychomad commented 5 years ago

First of all, hi and thanks for the great work. Second: I saw that when TIDoS has an error handling a response, it resets and brings you back to the menu. It is hard to analyze what the problem is on the remote website. It happened in the cookie automated XSS test, but it also happened in other modules, always when it can't handle the request. Any hint?

0xInfection commented 5 years ago

Hi there,

This is a genuine issue and I was looking forward to this kind of issue, since the very build of TIDoS is affected by these kinds of bugs.

Thank you for filing this bug. May I ask which modules you noticed the bug in repeatedly? Hand me a list and I will take a look at them.

psychomad commented 5 years ago

OK, first session tested. OS: Kali 2018, Python versions 2 & 3, last update: 15 August 2018

Tested Recon & OSINT menu, PASSIVE RECON: all tests passed

Active recon [#] TID :> A

 [!] Type Selected : All Modules
 [*] Firing up module --> Ping Enum

   =============================================
    P I N G / N P I N G   E N U M E R A T I O N
   =============================================

 [!] Pinging website...
 [*] Using adaptative ping and debug mode with count 5...
 [!] Press Ctrl+C to stop

 [-] Unhandled runtime exception while execution...
 [-] Returning back to main menu...

This module stops the whole "A" (All Modules) run.

Test 3: active recon, one module at a time

HTTP HEADER

 [!] Type Selected : Grab HTTP Headers

      ==================================
      G R A B   H T T P   H E A D E R S
     ===================================

 [!] Grabbing HTTP Headers...
 [-] Something went wrong...

Scrape comments from webpage
[-] Unhandled runtime exception while execution...
[-] Returning back to main menu...

Find shared DNS hosts
 [-] Outbound Query Exception!

CMS Detection
[-] Unhandled runtime exception while execution...

Apache status disclosure
[-] Unhandled runtime exception while execution...

    =========================================
     D A V   H T T P   E N U M E R A T I O N
    =========================================

 [!] Loading HTTP methods...

 [*] Initiating HTTP Search module...
 [!] Setting headers...
 [!] Setting buffers...
 [*] Setting the parameters...
 [*] Making the request...
 [-] Exception : HTTP Error 302: Found
 [+] Matching the signatures...
 [-] Unhandled runtime exception while execution...

PHP Info

 [!] Type Selected : PHPInfo Enumeration

    =============================
     P H P I N F O   F I N D E R
    =============================

 [*] Importing file paths...
 [!] Starting bruteforce...
 [*] Trying : https://xxxxxxxx.php/
 [-] Unhandled runtime exception while execution..
psychomad commented 5 years ago

And finally, all these answers:

   ================================================
      P A T H   T R A V E R S A L  (Sensitive Paths)
     ================================================

 [!] Input the directory to be used... Final Url will be like "http://site.com/sensitive"
 [#] Enter directory asssociated (eg. /sensitive) [Enter for None] :>

 [#] Got cookies? [Enter if none] :>
 [!] Enter the filename containing paths (Default: files/pathtrav_paths.lst)
 [*] Custom filepath (press Enter for default) :>
 [*] Using default filepath...

 [+] Testing Url : https://disommadistefanolegali.it/etc/passwd
 [-] Problem connecting to the website...

 [+] Testing Url : https://-------.it/../logs/access_log
 [-] Problem connecting to the website...

 [+] Testing Url : https://------li.it/../logs/error_log
 [-] Problem connecting to the website...

 [+] Testing Url : https://-------.it/etc/shadow
 [-] Problem connecting to the website...

 [+] Testing Url : https://------.it/etc/group
 [-] Problem connecting to the website...

 [+] Testing Url : https://--------i.itproc/self/environ
 [-] Exception encountered during processing...
 [-] Error : HTTPSConnectionPool(host='disommadistefanolegali.itproc', port=443): Max retries exceeded with url: /self/environ (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7ff0e7427650>: Failed to establish a new connection: [Errno -2] Name or service not known',))

Cross Site Scripting Automated (User Agent Based)

 [*] Using payload :  <font style='color:expression(alert('XSS'))'>
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) <font style='color:expression(alert('XSS'))'>
 [*] Using payload : ' onmouseover=alert(/Black.Spook/)
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0)' onmouseover=alert(/Black.Spook/)
 [*] Using payload : ";eval(unescape(location))//#  %0Aalert(0)
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0)";eval(unescape(location))//#  %0Aalert(0)
 [*] Using payload : "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [*] Using !nfected UA : Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0)"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [-] Unhandled runtime exception while execution...
 [-] Returning back to main menu...

Cross Site Scripting Automated (Referer Based)

 [*] Using payload :  <font style='color:expression(alert('XSS'))'>
 [*] Using !nfected UA : http://xssing.pwn <font style='color:expression(alert('XSS'))'>
 [*] Using payload : ' onmouseover=alert(/Black.Spook/)
 [*] Using !nfected UA : http://xssing.pwn' onmouseover=alert(/Black.Spook/)
 [*] Using payload : ";eval(unescape(location))//#  %0Aalert(0)
 [*] Using !nfected UA : http://xssing.pwn";eval(unescape(location))//#  %0Aalert(0)
 [*] Using payload : "><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [*] Using !nfected UA : http://xssing.pwn"><BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>
 [-] Unhandled runtime exception while execution...

and it comes back to the first menu; maybe a "press Enter to return to previous menu" would be good?

  ======================================
     S Q L i   H U N T E R (Auto Awesome)
    ======================================
  [It is recommended to run ScanEnum/Crawlers
          before using this module]

 [-] Path file not found!
 [*] Loading module SQLi...

    ==========================================
     S Q L   I N J E C T I O N  (Error Based)
    ==========================================

 [*] Importing error parameters...

 [#] Enter the type you want to proceed:

   [1] Manual Mode
   [2] Automatic Mode

 [#] TID :>

When this happens you enter a loop of options 1 and 2 with no "return to previous menu";
you need to quit the tool and restart.

HTTP RESPONSE SPLITTING

[*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : %25%30%61Set-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://-----.it/=%25%30%61Set-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : %u000ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://------.it/=%u000ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : //www.google.com/%2F%2E%2E%0D%0ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://------p.it/=//www.google.com/%2F%2E%2E%0D%0ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : /www.google.com/%2E%2E%2F%0D%0ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://------.it/=/www.google.com/%2E%2E%2F%0D%0ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment
 [+] Using payload : /google.com/%2F..%0D%0ASet-Cookie: Infected_by=Drake
 [+] Using !nfected Url : https://-----.it/=/google.com/%2F..%0D%0ASet-Cookie: Infected_by=Drake
 [*] Requesting headers...
 [!] Headers obtained...
 [*] Initiating response check...
 [-] Exception encountered!
 [-] Error : local variable 'vuln' referenced before assignment

PHP CODE INJECTION
Stuck here: even if I write the path, it always asks for the path again and I need to restart TIDoS.

 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...
 [#] Enter path to file (default: files/payload-db/xpath_payloads.lst)...
 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...
 [#] Enter path to file (default: files/payload-db/xpath_payloads.lst)...
 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...
 [#] Enter path to file (default: files/payload-db/xpath_payloads.lst)...
 [#] Your input (Press Enter if default) :>
 [*] Importing payloads...

Unvalidated URL redirections

Unhandled runtime exception while execution...

Subdomain takeover: choosing all subdomains

 [*] Starting enumeration...
 [+] Searching for subdomains file...
 [-] Subdomains file not found!
 [*] Initializing sub-domain gathering...
 [-] Exception occured!
 [-] Error : global name 'subdom0x00' is not defined
 [-] Unhandled runtime exception while execution...
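The two failure modes reported above have simple root causes in Python: "local variable 'vuln' referenced before assignment" is a result flag that is only bound inside a conditional branch, so any response that never matches leaves it unbound; and "Unhandled runtime exception ... Returning back to main menu" is a catch-all that discards the traceback the user would need to debug the remote site. The block below is an added example written for this edit, not TIDoS's own source: `parse_headers`, `run_module` and the three sample header blocks are constructed for illustration, and `MARKER` only reuses the `Infected_by=Drake` value visible in the log.

```python
import traceback
from typing import Callable, List, Tuple

# Marker value that the response-splitting payloads in the log try to inject.
MARKER = "Infected_by=Drake"

# Constructed sample responses (not captured from any real host).
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc\r\n"
)
# The payload is reflected, but still URL-encoded: no header was actually split.
REFLECTED_ONLY_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /=%0aSet-Cookie: Infected_by=Drake\r\n"
)
# The CRLF was decoded server-side and a real Set-Cookie header appeared.
SPLIT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /\r\n"
    "Set-Cookie: Infected_by=Drake\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse a raw header block into (name, value) pairs, keeping duplicates."""
    headers = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if ":" not in line:          # status line or blank line
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_response_splitting_buggy(headers: List[Tuple[str, str]]) -> bool:
    """Reproduces the bug pattern: 'vuln' is only assigned inside the branch."""
    for name, value in headers:
        if name == "set-cookie" and MARKER in value:
            vuln = True
    return vuln  # UnboundLocalError whenever the branch never ran


def check_response_splitting(headers: List[Tuple[str, str]]) -> bool:
    """Fixed check: the flag is initialised before any branch can skip it.

    Only an actual Set-Cookie header carrying the marker counts; the marker
    merely echoed inside another header's value (REFLECTED_ONLY) is not a split.
    """
    vuln = False
    for name, value in headers:
        if name == "set-cookie" and MARKER in value:
            vuln = True
            break
    return vuln


def run_module(name: str, func: Callable[[], object]) -> Tuple[bool, str]:
    """Run one module and return (ok, detail).

    On failure 'detail' is the full traceback, so the caller can show it (or
    log it) before returning to the menu instead of printing a bare
    'Unhandled runtime exception'.
    """
    try:
        return True, repr(func())
    except Exception:
        return False, "[-] Module %s failed:\n%s" % (name, traceback.format_exc())


if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_RESPONSE),
                       ("reflected-only", REFLECTED_ONLY_RESPONSE),
                       ("split", SPLIT_RESPONSE)):
        hdrs = parse_headers(raw)
        print(label, "buggy:", run_module("hrs-buggy", lambda: check_response_splitting_buggy(hdrs))[0],
              "fixed:", check_response_splitting(hdrs))
```

Running it shows the buggy check raising on the clean and reflected-only samples while the fixed check returns False for both and True only for the genuinely split response; `run_module` reports the failure together with its traceback rather than swallowing it.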
0xInfection commented 5 years ago

Thank you for your awesome work 👌. I will go and get them fixed right away!

0xInfection commented 5 years ago

Update: I fixed all issues within Active Reconnaissance Phase in 57a8a8b. Can you confirm it?

Presently working on the VulnLysis Phase.

psychomad commented 5 years ago

Hi, I will check ASAP... I noticed another thing: if I use TIDoS behind Tor or I2P, Nmap has a problem:

sendto in send_ip_packet_sd: sendto(6, packet, 28, 0, IP, 16) => Operation not permitted Offending packet: ICMP [source ip target ip Echo request (type=8/code=0) id=32539 seq=0] IP [ttl=54 id=32767 iplen=28 ]

I think it is the built-in kernel security or something else... I will check and write a possible solution here.

psychomad commented 5 years ago

Scrape comments from website: still unhandled. CMS detection: still unhandled. DAV HTTP: unhandled.

0xInfection commented 5 years ago

I am not able to reproduce the issues with these modules; try it on any other website and see if it works. It should.

psychomad commented 5 years ago

Yes, it works on a different website. It will be interesting to see what drives Python crazy; the answer from the website can be useful even to make some exploit.

0xInfection commented 5 years ago

Okay so every bug in this issue has been fixed in 9268eec. Let me know if there are more. ;)

Thank you.