def apache_struts(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTPS" and port == 443: # type == "HTTPS".
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
random_string = ''.join(random.choice(
'abcdefghijklmnopqrstuvwxyz') for i in range(7))
payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
payload += "addHeader('%s','%s')}.multipart/form-data" % (
random_string, random_string)
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Content-Type': str(payload),
'Accept': '*/*'
}
timeout = 3
resp = requests.get(
target, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
if ((random_string in list(resp.headers.keys())) and (resp.headers[random_string] == random_string)):
return True
else:
return False
except Exception as e:
# some error warning
return False
def xss_protection(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
regex = '1; report=' + 'https?:\/\/(www\.)?[-a-zA-Z0-9]{1,256}\.[-a-zA-Z0-9]{1,6}'
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
req = requests.get(target)
try:
if req.headers['X-XSS-Protection'] == '1; mode=block':
return False
elif req.header['X-XSS-Protection'] == '1':
return False
elif re.match(regex, req.header['X-XSS-Protection']):
return False
else:
return True
except:
return True
except Exception as e:
# some error warning
return False
def xmlrpc_bruteforce(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
headers = {}
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
headers['Content-Type'] = 'text/xml'
postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params>
<param><value><string>admin</string></value></param>
<param><value><string></string></value></param>
</params></methodCall>'''
req = requests.post(target + '/xmlrpc.php',
data=postdata,
headers=headers)
if re.search('<int>403</int>', req.text):
return True
else:
return False
except Exception as e:
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
http_methods = ["GET", "HEAD"]
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["pma_scan_http_method"][0] not in http_methods:
warn(messages(language, "dir_scan_get"))
extra_requirements["pma_scan_http_method"] = ["GET"]
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
default_ports = [80, 443]
request = """{0} __target_locat_here__{{0}} HTTP/1.1\nUser-Agent: {1}\n\n""".format(
extra_requirements["pma_scan_http_method"][0],
random.choice(user_agents_list())
if extra_requirements["pma_scan_random_agent"][0].lower() == "true"
else
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5"
)
status_codes = [200, 401, 403]
condition = "response.status_code in {0}".format(status_codes)
message = messages(language, 'found')
sample_message = "\"" + message + "\"" + """.format(response.url, response.status_code, response.reason)"""
sample_event = {
'HOST': target_to_host(target),
'USERNAME': '',
'PASSWORD': '',
'PORT': 'PORT',
'TYPE': 'pma_scan',
'DESCRIPTION': sample_message,
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}
counter_message = messages(language, "phpmyadmin_dir_404")
__repeater(request, [extra_requirements["pma_scan_list"]], timeout_sec,
thread_number, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, scan_id, scan_cmd,
condition, thread_tmp_filename, sample_event,
sample_message, target, ports, default_ports,
counter_message)
else:
warn(
messages(language,
"input_target_error").format('pma_scan', target))
def drupal_version(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
req = requests.get(target + '/CHANGELOG.txt')
try:
regex = 'Drupal (\d+\.\d+),'
pattern = re.compile(regex)
version = re.findall(pattern, req.text)
if version:
return version[0]
else:
return False
except Exception:
return False
except Exception:
# some error warning
return False
def wp_user_enum(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
r = requests.get(target+'/?feed=rss2', verify = False)
r2 = requests.get(target+'/?author=', verify = False)
try:
global wp_users
wp_users_feed = re.findall("<dc:creator><!\[CDATA\[(.+?)\]\]></dc:creator>", r.text, re.IGNORECASE)
wp_users_admin = re.findall("author author-(.+?) ", r2.text, re.IGNORECASE)
wp_users_admin2 = re.findall("/author/(.+?)/feed/", r2.text, re.IGNORECASE)
wp_users = wp_users_feed + wp_users_admin + wp_users_admin2
wp_users = sorted(set(wp_users))
wp_users = ', '.join(wp_users)
if wp_users is not "":
return True
else:
return False
except:
return False
except Exception as e:
# some error warning
return False
def options_method(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
req = requests.options(target)
if req.status_code == 200:
try:
global header
header = req.headers['allow']
return True
except Exception:
return False
else:
return False
except Exception as e:
# some error warning
return False
def drupal_modules(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
req = requests.get(target)
try:
modules = re.findall("/modules/(.+?)/", req.text,
re.IGNORECASE)
if modules:
return ', '.join(list(set(modules)))
else:
return False
except Exception:
return False
except Exception:
# some error warning
return False
def joomla_template(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
r = requests.get(target, verify=False)
r2 = requests.get(target + '/administrator/', verify=False)
try:
global web_template
global admin_template
web_template = ''.join(
set(re.findall("/templates/(.+?)/", r.text,
re.IGNORECASE)))
admin_template = ''.join(
set(
re.findall("/administrator/templates/(.+?)/", r2.text,
re.IGNORECASE)))
if web_template is not "" or admin_template is not "":
return True
else:
return False
except Exception:
return False
except Exception as e:
# some error warning
return False
def joomla_version(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
req = requests.get(target + '/joomla.xml')
if req.status_code == 404:
req = requests.get(target +
'/administrator/manifests/files/joomla.xml')
try:
global version
regex = '<version>(.+?)</version>'
pattern = re.compile(regex)
version = re.findall(pattern, req.text)
version = ''.join(version)
return True
except:
return False
except Exception as e:
# some error warning
return False
def http_cors(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
headers = {
'Referer':
'http://example.foo/CORSexample1.html',
'Origin':
'http://example.foo',
'User-Agent':
'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Firefox/24.0'
}
req = requests.get(target, headers=headers)
if req.headers['Access-Control-Allow-Origin'] == "*":
return True
else:
return False
except Exception as e:
# some error warning
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, language, verbose_level, show_version,
socks_proxy, retries, ping_flag, scan_id, scan_cmd): # Main function
readDevices()
global debug
global scanid
global scancmd
global lang
global loginfile
scanid = scan_id
scancmd = scan_cmd
lang = language
loginfile = log_in_file
debug = verbose_level
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
threads = []
if ports is not None:
for port in ports:
t = threading.Thread(target=check,
args=(
{
'ip': target,
'stage': ''
},
port,
))
threads.append(t)
t.start()
else:
check({'ip': target, 'stage': ''}, httpPort)
for t in threads:
t.join()
def wordpress_version(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
try:
req = requests.get(target+'/wp-admin/')
except:
return False
try:
global version
regex = 'ver=.*\d'
pattern = re.compile(regex)
version = re.findall(pattern, req.text)
version = max(set(version), key=version.count).replace(
'ver=', '')
return True
except:
return False
except Exception as e:
# some error warning
return False
def connect(host, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_cmd, scan_id):
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
if target_type(host) == "SINGLE_IPv6":
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0)
else:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if timeout_sec is not None:
s.settimeout(timeout_sec)
if target_type(host) == "SINGLE_IPv6":
s.connect((host, port, 0, 0))
else:
s.connect((host, port))
s.close()
info(messages(language, 80).format(host, port))
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST': host,
'USERNAME': '',
'PASSWORD': '',
'PORT': port,
'TYPE': 'tcp_connect_port_scan',
'DESCRIPTION': messages(language, 79),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + '\n')
save.close()
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('0')
thread_write.close()
return True
except:
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep,
language, verbose_level, show_version, check_update, socks_proxy, retries, ping_flag,
methods_args, scan_id, scan_cmd): # Main function
from core.targets import target_type
from core.targets import target_to_host
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
if target_type(target) == 'HTTP':
target = target_to_host(target)
if ping_flag and do_one_ping(target, timeout_sec, 8) is None:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith('socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
warn(messages(language, 100).format(target, 'subdomain_scan'))
return None
subs = __get_subs(target, timeout_sec, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries,
num, total, extra_requirements=extra_requirements)
info(messages(language, 135).format(len(subs), ', '.join(subs) if len(subs) > 0 else 'None'))
if len(subs) is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan',
'DESCRIPTION': messages(language, 135).format(len(subs), ', '.join(subs)
if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + '\n')
save.close()
if len(subs) is 0 and verbose_level is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan',
'DESCRIPTION': messages(language, 135).format(len(subs), ', '.join(subs)
if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + '\n')
save.close()
return subs
else:
warn(messages(language, 69).format('subdomain_scan', target))
return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd):
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
# warning for each target make the screen so messy in IP ranges
# warn(messages(language,"root_required"))
while 1:
r = do_one_ping(target, timeout_sec, 84)
if r is None:
n = n + 1
if n == retries:
if verbose_level > 3:
warn(messages(language, "host_down").format(target))
if verbose_level != 0:
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '',
'TYPE': 'icmp scan',
'DESCRIPTION': messages(language, "host_down").format(target),
'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
break
else:
pass
else:
info(messages(language, "host_up").format(
target, str(round(r * 1000, 2)) + "ms"))
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '',
'TYPE': 'icmp scan',
'DESCRIPTION': messages(language, "host_up").format(target,
str(round(r * 1000, 2)) + "ms"),
'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
break
else:
warn(messages(language, "input_target_error").format('icmp_scan', target))
def connect(host, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd, stealth_flag):
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(
socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
if target_type(host) == "SINGLE_IPv6":
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0)
else:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if timeout_sec is not None:
s.settimeout(timeout_sec)
try:
service_name = "/" + socket.getservbyport(port)
except Exception:
service_name = ""
if target_type(host) == "SINGLE_IPv6":
s.connect((host, port, 0, 0))
else:
s.connect((host, port))
info(messages(language, "port_found").format(host, str(port) + service_name, "TCP_CONNECT"), log_in_file,
"a", {'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'port_scan',
'DESCRIPTION': messages(language, "port/type").format(str(port) + service_name, "TCP_CONNECT"),
'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}, language,
thread_tmp_filename)
s.close()
return True
except socket.timeout:
try:
if filter_port(host, port):
info(messages(language, "port_found").format(host, str(port) + service_name, "TCP_CONNECT"))
data = json.dumps({'HOST': host, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'port_scan',
'DESCRIPTION': messages(language, "port/type").format(str(port) + service_name, "TCP_CONNECT"),
'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + '\n'
__log_into_file(log_in_file, 'a', data, language)
__log_into_file(thread_tmp_filename, 'w', '0', language)
except:
pass
except:
return False
def graphql(target, port, timeout_sec, socks_proxy):
try:
s = conn(target_to_host(target), port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
headers = {
"User-Agent": random.choice(useragents()),
"Accept":
"text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate, br",
}
query = """{
__schema {
types {
name
}
}
}
"""
params = {"query": query, "variables": "{}"}
tempTarget = target
global final_endpoint
final_endpoint = ''
for endpoint in graphql_list():
tempTarget += endpoint
try:
req = requests.post(tempTarget,
json=params,
headers=headers,
verify=False,
timeout=timeout_sec)
tempTarget = target
except Exception:
return False
else:
if req.status_code == 200:
json_data = json.loads(req.text)
if json_data.get('data') or json_data.get('errors'):
return True
return False
except Exception:
# some error warning
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id,
scan_cmd): # Main function
from core.targets import target_type
from core.targets import target_to_host
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
if target_type(target) == 'HTTP':
target = target_to_host(target)
subs = __get_subs(target, timeout_sec, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries,
num, total, extra_requirements=extra_requirements)
if len(subs) == 0:
info(messages(language, "no_subdomain_found"))
if len(subs) != 0:
info(messages(language, "len_subdomain_found").format(len(subs)))
for sub in subs:
if("<br>" in sub):
for i in sub.lower().split("<br>"):
if verbose_level > 2:
info(messages(language, "subdomain_found").format(sub))
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan',
'DESCRIPTION': i, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
else:
if verbose_level > 2:
info(messages(language, "subdomain_found").format(sub))
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan',
'DESCRIPTION': sub, 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
if len(subs) == 0 and verbose_level != 0:
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'subdomain_scan',
'DESCRIPTION': messages(language, "subdomain_found").format(len(subs), ', '.join(subs)
if len(subs) > 0 else 'None'), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
return subs
else:
warn(messages(language, "input_target_error").format(
'subdomain_scan', target))
return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, language,
verbose_level, show_version , socks_proxy, retries, ping_flag, scan_id,
scan_cmd): # Main function
threads = []
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(target) != 'HTTP':
if ports is not None:
for port in ports:
t = threading.Thread(target=check, args=(target, int(port), language, scan_id, scan_cmd, log_in_file, timeout_sec,))
threads.append(t)
t.start()
else:
check(target, PORT, language, scan_id, scan_cmd, log_in_file, timeout_sec)
for t in threads:
t.join()
def cms_detection(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
try:
try:
s = conn(target, port, timeout_sec, socks_proxy)
except Exception:
return False
if not s:
return False
else:
global cms_name
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
req_url = target + "/N0WH3R3.php"
req_joomla_url = target + "/configuration.php"
req_wordpress_url = target + "/wp-config.php"
req_drupal_url = target + "/sites/default/settings.php"
try:
req = requests.get(req_url, timeout=10, headers=USER_AGENT)
code_for_404 = req.text
req_wordpress = requests.get(req_wordpress_url,
timeout=10,
headers=USER_AGENT)
req_joomla = requests.get(req_joomla_url,
timeout=10,
headers=USER_AGENT)
req_drupal = requests.get(req_drupal_url,
timeout=10,
headers=USER_AGENT)
except requests.exceptions.RequestException:
return False
if req_wordpress.text != code_for_404 or req_wordpress.status_code == 403:
cms_name = "Wordpress"
return True
elif req_drupal.status_code != code_for_404 or req_drupal.status_code == 403:
cms_name = "Drupal"
return True
elif req_joomla.status_code != code_for_404 or req_joomla.status_code == 403:
cms_name = "Joomla"
return True
else:
return False
except Exception as e:
#print(e)
return False
def new_scan():
"""
new scan through the API
Returns:
a JSON message with scan details if success otherwise a JSON error
"""
_start_scan_config = {}
__api_key_check(app, flask_request, __language())
targetValue = __get_value(flask_request, "targets")
if (target_type(targetValue) == "UNKNOWN"):
return jsonify({"error": "Please input correct target"}), 400
for key in _core_default_config():
if __get_value(flask_request, key) is not None:
_start_scan_config[key] = escape(__get_value(flask_request, key))
_start_scan_config["backup_ports"] = __get_value(flask_request, "ports")
_start_scan_config = __rules(
__remove_non_api_keys(
_builder(_start_scan_config,
_builder(_core_config(), _core_default_config()))),
_core_default_config(), __language())
_p = multiprocessing.Process(target=__scan, args=[_start_scan_config])
_p.start()
# Sometimes method_args is too big!
_start_scan_config["methods_args"] = {"as_user_set": "set_successfully"}
return jsonify(_start_scan_config), 200
def target_builder(target, ports, default_ports):
"""
build HTTP target type from host or any!
Args:
target: raw target
ports: ports array
default_ports: default ports in case user not entered, in array type
Returns:
[] if cannot open URL, otherwise a list of valid URLs
"""
methods = ["http", "https"]
if not ports:
ports = default_ports
URL = []
if target_type(target) != "HTTP":
for port in ports:
for method in methods:
if simple_test_open_url(method + "://" + target + ":" +
str(port) + "/"):
URL.append(method + "://" + target + ":" + str(port))
else:
if not simple_test_open_url(target):
return []
URL.append(target)
return URL
def check(user, passwd, target, port, headers, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(
socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
target = target + '/xmlrpc.php'
postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>'''+ user +'''</string></value></param><param><value><string>'''+ passwd + '''</string></value></param></params></methodCall>'''
r = requests.post(
target, timeout = timeout_sec, headers = headers, data = postdata)
if "incorrect" not in r.text.lower() and user in r.text.lower():
info(messages(language, "user_pass_found").format(
user, passwd, target, port))
data = json.dumps({'HOST': target, 'USERNAME': user, 'PASSWORD': passwd, 'PORT': port, 'TYPE': 'wp_xmlrpc_brute',
'DESCRIPTION': messages(language, "login_successful"), 'TIME': now(), 'CATEGORY': "brute"}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
break
except:
n += 1
if n == retries:
warn(messages(language, "http_connection_timeout").format(target))
return 1
return True
except:
return False
def sub_takeover(
target,
port,
timeout_sec,
log_in_file,
language,
time_sleep,
thread_tmp_filename,
socks_proxy,
scan_id,
scan_cmd,
extra_requirement,
):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = "https://" + target
if target_type(target) != "HTTP" and port == 80:
target = "http://" + target
headers = {
"User-Agent":
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 63.0.3239.132 Safari/537.36",
"Accept":
"text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate, br",
}
req = requests.get(target,
headers=headers,
verify=False,
timeout=timeout_sec)
for key, value in extra_requirement[
"subdomain_takeover_list"].items():
if version() == 2:
if (value[0].decode('utf-8').lower()
in req.text.decode('utf-8').lower()):
return key
else:
if (value[0].lower() in req.text.lower()):
return key
return False
except Exception as e:
# some error warning
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, proxies, retries): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN':
threads = []
max = thread_number
total_req = len(users) * len(passwds)
for port in ports:
# test ssh
trying = 0
portflag = True
exit = 0
while 1:
try:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
if timeout_sec is not None:
ssh.connect(target,
username='',
password='',
timeout=timeout_sec)
else:
ssh.connect(target, username='', password='')
exit = 0
break
except paramiko.ssh_exception.AuthenticationException, ssherr:
if 'Authentication failed.' in ssherr:
break
else:
exit += 1
if exit is retries:
error(
messages(language,
77).format(target, port, str(num),
str(total)))
portflag = False
break
except:
exit += 1
if exit is 3:
error(
messages(language,
77).format(target, port, str(num),
str(total)))
portflag = False
break
def citrix_vuln(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
if verbose_level > 4:
warn('unable to connect to: {} on port: {} timeout: {}'.format(
target, port, timeout_sec))
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
user_agent_list = [
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04",
"Mozilla/5.0 (Linux; Android 9; Mi A3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Mobile Safari/537.36"
]
user_agent = {'User-agent': random.choice(user_agent_list)}
# as a pre-requisite check that CSS return the word citrix
req0_url = target + '/vpn/js/rdx/core/css/rdx.css'
req0 = requests.get(req0_url,
timeout=10,
headers=user_agent,
verify=False)
if req0.status_code == 200 and 'citrix' in req0.text.lower():
info('Citrix appliance detected: ' + target)
# now check if response code 200 is returned for the following url:
req_url = target + '/vpn/../vpns/cfg/smb.conf'
req = requests.get(req_url,
timeout=10,
headers=user_agent,
verify=False)
if req.status_code == 200 and 'lmhosts' in req.text.lower():
return True
else:
return False
else:
return False
except Exception as e:
# some error warning
return False
def content_policy(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd, check_source_flag):
try:
s = conn(target, port, timeout_sec, socks_proxy)
global weak
weak = False
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
headers = {'User-agent': random.choice(useragents.useragents())}
req = requests.get(target,
headers=headers,
timeout=timeout_sec,
verify=False)
try:
weak = False
csp = req.headers['Content-Security-Policy']
if 'unsafe-inline' in csp or 'unsafe-eval' in csp:
weak = True
return False
except Exception as e:
if check_source_flag:
soup = BeautifulSoup(req.text, "html.parser")
meta_tags = soup.find_all(
'meta', {'http-equiv': 'Content-Security-Policy'})
if len(meta_tags) == 0:
return True
directives = meta_tags[0].attrs['content']
if 'unsafe-inline' in directives or 'unsafe-eval' in directives:
weak = True
return False
else:
return True
except Exception as e:
# some error warning
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN':
threads = []
max = thread_number
total_req = len(users) * len(passwds)
for port in ports:
# test ssh
trying = 0
portflag = True
exit = 0
while 1:
try:
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
if timeout_sec is not None:
ssh.connect(target,
username='',
password='',
timeout=timeout_sec)
else:
ssh.connect(target, username='', password='')
exit = 0
break
except paramiko.ssh_exception.AuthenticationException, ssherr:
if 'Authentication failed.' in ssherr:
break
else:
exit += 1
if exit is 3:
error(
'ssh connection to %s:%s failed, skipping whole step [process %s of %s]! going to next step'
% (target, port, str(num), str(total)))
portflag = False
break
time.sleep(0.1)
except:
exit += 1
if exit is 3:
error(
'ssh connection to %s:%s failed, skipping whole step [process %s of %s]! going to next step'
% (target, port, str(num), str(total)))
portflag = False
break
time.sleep(0.1)
def test(target, port, retries, timeout_sec, headers, socks_proxy,
verbose_level, trying, total_req, total, num, language):
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
headers = {}
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
postdata = '''<methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>admin</string></value></param><param><value><string></string></value></param></params></methodCall>'''
try:
req = requests.post(target + '/xmlrpc.php',
data=postdata,
headers=headers)
#print (target)
if re.search('<int>403</int>', req.text):
return True
else:
return False
except:
return False
except Exception as err:
return False
