def test(target, retries, timeout_sec, user_agent, socks_proxy, verbose_level,
trying, total_req, total, num, language, dos_flag, log_in_file,
scan_id, scan_cmd, thread_tmp_filename):
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target_to_host(target), '',
'wordpress_dos_cve_2018_6389_vuln'))
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
r = requests.get(target, timeout=timeout_sec,
headers=user_agent).content
return 0
except:
n += 1
if n is retries:
if dos_flag:
__log_into_file(thread_tmp_filename, 'w', '0', language)
info(
messages(language, "vulnerable").format(
"wordpress_dos_cve_2018_6389_vuln"))
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION':
messages(language, "vulnerable").format(
"wordpress_dos_cve_2018_6389_vuln"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
return 1
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = useragents.useragents()
headers = {
'User-agent': random.choice(user_agent_list),
'Content-Type': 'text/xml'
}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
threads = []
if users is None:
users = extra_requirements["wp_users"]
if passwds is None:
passwds = extra_requirements["wp_passwds"]
if ports is None:
ports = extra_requirements["wp_xmlrpc_brute_ports"]
if verbose_level > 3:
total_req = len(users) * len(passwds) * len(ports)
else:
total_req = len(users) * len(passwds) * len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
for port in ports:
if test(str(target), port, retries, timeout_sec, headers,
socks_proxy, verbose_level, trying, total_req, total, num,
language) is True:
keyboard_interrupt_flag = False
for user in users:
for passwd in passwds:
#print(user + " " + passwd)
t = threading.Thread(
target=check,
args=(user, passwd, target, port, headers,
timeout_sec, log_in_file, language, retries,
time_sleep, thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total,
target_to_host(target), port,
'wp_xmlrpc_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec /
0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('wp_xmlrpc_brute', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
from core.targets import target_type
from core.targets import target_to_host
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if target_type(target) == 'HTTP':
target = target_to_host(target)
subs = __get_subs(target,
timeout_sec,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
num,
total,
extra_requirements=extra_requirements)
if len(subs) is 0:
info(messages(language, "no_subdomain_found"))
if len(subs) is not 0:
info(messages(language, "len_subdomain_found").format(len(subs)))
for sub in subs:
if verbose_level > 2:
info(messages(language, "subdomain_found").format(sub))
data = json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'subdomain_scan',
'DESCRIPTION': sub,
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
if len(subs) is 0 and verbose_level is not 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'subdomain_scan',
'DESCRIPTION':
messages(language, "subdomain_found").format(
len(subs), ', '.join(subs) if len(subs) > 0 else 'None'),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
return subs
else:
warn(
messages(language,
"input_target_error").format('subdomain_scan', target))
return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["drupal_modules_ports"]
if target_type(target) == 'HTTP':
target = target_to_host(target)
threads = []
total_req = len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
port = int(port)
t = threading.Thread(target=__drupal_modules,
args=(target, int(port), timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language,
"trying_message").format(trying, total_req, num,
total, target, port,
'drupal_modules_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
info(messages(language, "not_found"))
data = json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'drupal_modules_scan',
'DESCRIPTION': messages(language, "not_found"),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('drupal_modules_scan',
target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
http_methods = ["GET", "HEAD"]
user_agent = {'User-agent': random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["wp_plugin_scan_http_method"][
0] not in http_methods:
warn(messages(language, "wp_plugin_scan_get"))
extra_requirements["wp_plugin_scan_http_method"] = ["GET"]
random_agent_flag = True
if extra_requirements["wp_plugin_scan_random_agent"][0] == "False":
random_agent_flag = False
threads = []
if verbose_level > 3:
total_req = len(wp_plugins.wp_plugins())
else:
total_req = len(wp_plugins_small.wp_plugins())
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
if test(str(target), retries, timeout_sec, user_agent,
extra_requirements["wp_plugin_scan_http_method"][0],
socks_proxy, verbose_level, trying, total_req, total, num,
language) is 0:
keyboard_interrupt_flag = False
if verbose_level > 3:
scan_list = wp_plugins.wp_plugins()
else:
scan_list = wp_plugins_small.wp_plugins()
for idir in scan_list:
idir = "/wp-content/plugins/" + idir
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(
target=check,
args=(target + '/' + idir, user_agent, timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, retries,
extra_requirements["wp_plugin_scan_http_method"][0],
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total,
target_to_host(target), "default_port",
'wp_plugin_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(
messages(language,
"directory_file_404").format(target, "default_port"))
if verbose_level is not 0:
data = json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wp_plugin_scan',
'DESCRIPTION':
messages(language, "no_open_ports"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('wp_plugin_scan', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, proxies, retries, ping_flag,
methods_args): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
http_methods = ["GET", "HEAD"]
user_agent = {'User-agent': random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["dir_scan_http_method"][0] not in http_methods:
warn(messages(language, 110))
extra_requirements["dir_scan_http_method"] = ["GET"]
if ports is None:
ports = extra_requirements["dir_scan_ports"]
random_agent_flag = True
if extra_requirements["dir_scan_random_agent"][0] == "False":
random_agent_flag = False
if ping_flag and do_one_ping(target_to_host(target), timeout_sec,
8) is None:
warn(
messages(language, 100).format(target_to_host(target),
'dir_scan'))
return None
threads = []
max = thread_number
total_req = len(extra_requirements["dir_scan_list"]) * len(ports)
thread_tmp_filename = 'tmp/thread_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('1')
thread_write.close()
trying = 0
for port in ports:
port = int(port)
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}:{1}/'.format(target, str(port))
else:
if target.count(':') > 1:
error(messages(language, 105))
from core.color import finish
finish()
sys.exit(1)
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://', '').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + ':' + str(port) + '/' + path
if test(url, retries, timeout_sec, user_agent,
extra_requirements["dir_scan_http_method"][0]) is 0:
for idir in extra_requirements["dir_scan_list"]:
# check target type
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}:{1}/{2}'.format(
target, str(port), idir)
else:
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://',
'').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + ':' + str(
port) + '/' + path + '/' + idir
if random_agent_flag is True:
user_agent = {
'User-agent': random.choice(user_agent_list)
}
t = threading.Thread(
target=check,
args=(url, user_agent, timeout_sec, log_in_file,
language, time_sleep, thread_tmp_filename,
retries,
extra_requirements["dir_scan_http_method"][0]))
threads.append(t)
t.start()
trying += 1
while 1:
n = 0
for thread in threads:
if thread.isAlive() is True:
n += 1
else:
threads.remove(thread)
if n >= max:
time.sleep(0.1)
else:
break
info(
messages(language,
72).format(trying, total_req, num, total,
target_to_host(target), port))
else:
warn(messages(language, 109).format(url))
# wait for threads
while 1:
n = True
for thread in threads:
if thread.isAlive() is True:
n = False
time.sleep(0.1)
if n is True:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(messages(language, 108).format(target, port))
if verbose_level is not 0:
_HOST = messages(language, 53)
_USERNAME = messages(language, 54)
_PASSWORD = messages(language, 55)
_PORT = messages(language, 56)
_TYPE = messages(language, 57)
_DESCRIPTION = messages(language, 58)
save = open(log_in_file, 'a')
save.write(
json.dumps({
_HOST: target,
_USERNAME: '',
_PASSWORD: '',
_PORT: '',
_TYPE: 'dir_scan',
_DESCRIPTION: messages(language, 94)
}) + '\n')
save.close()
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format('dir_scan', target))
def __netcraft(target, timeout_sec, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, headers,
thread_tmp_filename):
try:
from core.targets import target_to_host
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
results = ''
url = 'https://searchdns.netcraft.com/?restriction=site+contains&host=*.{0}' \
'&lookup=wait..&position=limited'.format(target)
subs = []
while '<b>Next page</b></a>' not in results:
while 1:
try:
results = requests.get(url, headers=headers)
break
except:
n += 1
if n is 3:
break
break
if results.status_code is 200:
for l in re.compile(
'<a href="http://toolbar.netcraft.com/site_report\?url=(.*)">'
).findall(results.content):
if target_to_host(l).endswith(target) and target_to_host(
l) not in subs:
subs.append(target_to_host(l))
else:
# warn 403
break
try:
url = 'http://searchdns.netcraft.com' + re.compile(
'<A href="(.*?)"><b>Next page</b></a>').findall(
results.content)[0]
except:
break
f = open(thread_tmp_filename, 'a')
f.write('\n'.join(subs) + '\n')
f.close()
return subs
except:
return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if users is None:
users = extra_requirements["smtp_brute_users"]
if passwds is None:
passwds = extra_requirements["smtp_brute_passwds"]
if ports is None:
ports = extra_requirements["smtp_brute_ports"]
if extra_requirements["smtp_brute_split_user_set_pass"][0] not in [
"False", "True"
]:
extra_requirements["smtp_brute_split_user_set_pass"][0] = "False"
if target_type(target) == 'HTTP':
target = target_to_host(target)
threads = []
total_req = int(
len(users) * len(passwds) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"])) \
if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False" \
else int(len(users) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"]))
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
ports_tmp_filename = '{}/tmp/ports_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
__log_into_file(ports_tmp_filename, 'w', '', language)
ports = test_ports(ports, timeout_sec, target, retries, language, num,
total, time_sleep, ports_tmp_filename,
thread_number, total_req, verbose_level,
socks_proxy)
trying = 0
if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False":
for port in ports:
for user in users:
for passwd in passwds:
t = threading.Thread(
target=login,
args=(user, passwd, target, port, timeout_sec,
log_in_file, language, retries, time_sleep,
thread_tmp_filename, socks_proxy, scan_id,
scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target,
port, 'smtp_brute'))
while 1:
n = 0
for thread in threads:
if thread.isAlive():
n += 1
else:
threads.remove(thread)
if n >= thread_number:
time.sleep(0.01)
else:
break
else:
keyboard_interrupt_flag = False
for port in ports:
for user in users:
for prefix in extra_requirements[
"smtp_brute_split_user_set_pass_prefix"]:
t = threading.Thread(
target=login,
args=(user, user.rsplit('@')[0] + prefix, target,
port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target,
port, 'smtp_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
break
else:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec /
0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1 and verbose_level != 0:
data = json.dumps(
{
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'smtp_brute',
'DESCRIPTION': messages(language, "no_user_passwords"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(messages(language, "input_target_error").format(target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
headers = {'User-agent': random.choice(user_agent_list), 'Content-Type': 'text/xml'}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
threads = []
if users is None:
users = extra_requirements["wp_users"]
if passwds is None:
passwds = extra_requirements["wp_passwds"]
if ports is None:
ports = extra_requirements["wp_xmlrpc_brute_ports"]
if verbose_level > 3:
total_req = len(users) * len(passwds) * len (ports)
else:
total_req = len(users) * len(passwds) * len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
for port in ports:
if test(str(target), port, retries, timeout_sec, headers,
socks_proxy, verbose_level, trying, total_req, total, num, language) is True:
keyboard_interrupt_flag = False
for user in users:
for passwd in passwds:
#print(user + " " + passwd)
t = threading.Thread(target=check,
args=(
user, passwd, target, port, headers, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target),
port, 'wp_xmlrpc_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(
timeout_sec / 0.1) if int(timeout_sec / 0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
os.remove(thread_tmp_filename)
else:
warn(messages(language, "input_target_error").format(
'wp_xmlrpc_brute', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["Proftpd_vuln_ports"]
if target_type(target) == 'HTTP':
target = target_to_host(target)
threads = []
total_req = len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
port = int(port)
t = threading.Thread(target=__directory_traversal,
args=(target, int(port), timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target, port,
'Proftpd_directory_traversal_vuln'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
info(
messages(language, "no_vulnerability_found").format(
'Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command. CVE-2010-3867'
))
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'Proftpd_directory_traversal_vuln',
'DESCRIPTION':
messages(language, "no_vulnerability_found").format(
'Multiple directory traversal vulnerabilities in the mod_site_misc module in ProFTPD before 1.3.3c allow remote authenticated users to create directories, delete directories, create symlinks, and modify file timestamps via directory traversal sequences in a (1) SITE MKDIR, (2) SITE RMDIR, (3) SITE SYMLINK, or (4) SITE UTIME command. CVE-2010-3867'
),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language, "input_target_error").format(
'Proftpd_directory_traversal_vuln', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, socks_proxy, retries, ping_flag,
methods_args): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if users is None:
users = extra_requirements["smtp_brute_users"]
if passwds is None:
passwds = extra_requirements["smtp_brute_passwds"]
if ports is None:
ports = extra_requirements["smtp_brute_ports"]
if extra_requirements["smtp_brute_split_user_set_pass"][0] not in [
"False", "True"
]:
extra_requirements["smtp_brute_split_user_set_pass"][0] = "False"
if target_type(target) == 'HTTP':
target = target_to_host(target)
if ping_flag and do_one_ping(target, timeout_sec, 8) is None:
warn(messages(language, 100).format(target, 'smtp_brute'))
return None
threads = []
max = thread_number
total_req = int(
len(users) * len(passwds) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"])) \
if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False" \
else int(len(users) * len(ports) * len(extra_requirements["smtp_brute_split_user_set_pass_prefix"]))
thread_tmp_filename = 'tmp/thread_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
ports_tmp_filename = 'tmp/ports_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('1')
thread_write.close()
ports_write = open(ports_tmp_filename, 'w')
ports_write.write('')
ports_write.close()
ports = test_ports(ports, timeout_sec, target, retries, language, num,
total, time_sleep, ports_tmp_filename,
thread_number, total_req, verbose_level,
socks_proxy)
trying = 0
if extra_requirements["smtp_brute_split_user_set_pass"][0] == "False":
for port in ports:
for user in users:
for passwd in passwds:
t = threading.Thread(
target=login,
args=(user, passwd, target, port, timeout_sec,
log_in_file, language, retries, time_sleep,
thread_tmp_filename, socks_proxy))
threads.append(t)
t.start()
trying += 1
if verbose_level is not 0:
info(
messages(language,
72).format(trying, total_req, num,
total, target, port))
while 1:
n = 0
for thread in threads:
if thread.isAlive() is True:
n += 1
else:
threads.remove(thread)
if n >= max:
time.sleep(0.01)
else:
break
else:
for port in ports:
for user in users:
for prefix in extra_requirements[
"smtp_brute_split_user_set_pass_prefix"]:
t = threading.Thread(
target=login,
args=(user, user.rsplit('@')[0] + prefix, target,
port, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename))
threads.append(t)
t.start()
trying += 1
if verbose_level is not 0:
info(
messages(language,
72).format(trying, total_req, num,
total, target, port))
while 1:
n = 0
for thread in threads:
if thread.isAlive() is True:
n += 1
else:
threads.remove(thread)
if n >= max:
time.sleep(0.01)
else:
break
# wait for threads
while 1:
n = True
for thread in threads:
if thread.isAlive() is True:
n = False
time.sleep(0.01)
if n is True:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
_HOST = messages(language, 53)
_USERNAME = messages(language, 54)
_PASSWORD = messages(language, 55)
_PORT = messages(language, 56)
_TYPE = messages(language, 57)
_DESCRIPTION = messages(language, 58)
save = open(log_in_file, 'a')
save.write(
json.dumps({
_HOST: target,
_USERNAME: '',
_PASSWORD: '',
_PORT: '',
_TYPE: 'smtp_brute',
_DESCRIPTION: messages(language, 95)
}) + '\n')
save.close()
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format(target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, socks_proxy, retries, ping_flag,
methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# output format
time.sleep(time_sleep)
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
# set user agent
headers = {
"User-agent":
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0",
"Accept":
"text/javascript, text/html, application/xml, text/xml, */*",
"Accept-Language": "en-US,en;q=0.5"
}
# timeout check
if ping_flag and do_one_ping(target_to_host(target), timeout_sec,
8) is None:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
warn(
messages(language,
100).format(target_to_host(target),
'viewdns_reverse_ip_lookup_scan'))
return None
total_req = 1
trying = 1
info(
messages(language, 113).format(trying, total_req, num, total,
target, 'viewdns ip lookup'))
n = 0
while 1:
try:
res = requests.get(
'http://viewdns.info/reverseip/?host={0}&t=1'.format(
target),
timeout=timeout_sec,
headers=headers,
verify=True).text
break
except:
n += 1
if n is retries:
warn(messages(language, 106).format("viewdns.info"))
return 1
_values = []
try:
s = '<table>' + res.rsplit('''<table border="1">''')[1].rsplit(
"<br></td></tr><tr></tr>")[0]
table = ET.XML(s)
rows = iter(table)
headers = [col.text for col in next(rows)]
for row in rows:
values = [col.text for col in row]
_values.append(dict(zip(headers, values))["Domain"])
except:
pass
info(
messages(language, 114).format(
len(_values),
", ".join(_values) if len(_values) > 0 else "None"))
if len(_values) > 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'viewdns_reverse_ip_lookup_scan',
'DESCRIPTION':
messages(language, 114).format(
len(_values),
", ".join(_values) if len(_values) > 0 else "None"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n')
save.close()
if verbose_level is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'viewdns_reverse_ip_lookup_scan',
'DESCRIPTION':
messages(language, 114).format(
len(_values),
", ".join(_values) if len(_values) > 0 else "None"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n')
save.close()
else:
warn(
messages(language, 69).format('viewdns_reverse_ip_lookup_scan',
target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = useragents.useragents()
user_agent = {'User-agent': random.choice(user_agent_list)}
limit = 1000
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
random_agent_flag = True
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][
0] != "True":
random_agent_flag = False
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][
0] != "False":
limit = -1
threads = []
total_req = limit
filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}/'.format(target)
else:
if target.count(':') > 1:
__die_failure(messages(language, "insert_port_message"))
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://', '').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + '/' + path
if test(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, False,
log_in_file, scan_id, scan_cmd, thread_tmp_filename) != 0:
warn(messages(language, "open_error").format(url))
return
info(messages(language, "DOS_send").format(target))
n = 0
t = threading.Thread(
target=test,
args=(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, True,
log_in_file, scan_id, scan_cmd, thread_tmp_filename))
t.start()
keyboard_interrupt_flag = False
while (n != limit):
n += 1
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(target=send_dos,
args=(url, user_agent, timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, retries,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target_to_host(target),
port, 'wordpress_dos_cve_2018_6389_vuln'))
try:
if int(open(thread_tmp_filename).read().rsplit()[0]) == 0:
if limit != -1:
break
except Exception:
pass
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec /
0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 2 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1:
info(
messages(language, "no_vulnerability_found").format(
"wordpress_dos_cve_2018_6389_vuln"))
if verbose_level != 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION':
messages(language, "no_vulnerability_found").format(
"wordpress_dos_cve_2018_6389_vuln"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language, "input_target_error").format(
'wordpress_dos_cve_2018_6389_vuln', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, proxies, retries,
ping_flag): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) == 'HTTP':
if target_type(target) == 'HTTP':
target = target_to_host(target)
if do_one_ping(target, timeout_sec, 8) is None:
warn(messages(language, 100).format(target, 'ssh_brute'))
return None
threads = []
max = thread_number
total_req = len(users) * len(passwds)
thread_tmp_filename = 'tmp/thread_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
ports_tmp_filename = 'tmp/ports_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('1')
thread_write.close()
ports_write = open(ports_tmp_filename, 'w')
ports_write.write('')
ports_write.close()
trying = 0
ports = test_ports(ports, timeout_sec, target, retries, language, num,
total, time_sleep, ports_tmp_filename,
thread_number, total_req)
for port in ports:
# test ssh
portflag = True
exit = 0
port = int(port)
for user in users:
for passwd in passwds:
t = threading.Thread(target=login,
args=(user, passwd, target, port,
timeout_sec, log_in_file,
language, retries, time_sleep,
thread_tmp_filename))
threads.append(t)
t.start()
trying += 1
info(
messages(language, 72).format(trying, total_req, num,
total, target, port))
while 1:
n = 0
for thread in threads:
if thread.isAlive() is True:
n += 1
else:
threads.remove(thread)
if n >= max:
time.sleep(0.1)
else:
break
# wait for threads
while 1:
n = True
for thread in threads:
if thread.isAlive() is True:
n = False
time.sleep(0.1)
if n is True:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
_HOST = messages(language, 53)
_USERNAME = messages(language, 54)
_PASSWORD = messages(language, 55)
_PORT = messages(language, 56)
_TYPE = messages(language, 57)
_DESCRIPTION = messages(language, 58)
save = open(log_in_file, 'a')
save.write(
json.dumps({
_HOST: target,
_USERNAME: '',
_PASSWORD: '',
_PORT: '',
_TYPE: 'ssh_brute',
_DESCRIPTION: messages(language, 95)
}) + '\n')
save.close()
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format('ssh_brute', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
user_agent = {'User-agent': random.choice(user_agent_list)}
limit = 1000
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
random_agent_flag = True
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][
0] != "True":
random_agent_flag = False
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][
0] != "False":
limit = -1
threads = []
total_req = limit
filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}/'.format(target)
else:
if target.count(':') > 1:
__die_failure(messages(language, "insert_port_message"))
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://', '').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + '/' + path
if test(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, False,
log_in_file, scan_id, scan_cmd, thread_tmp_filename) is not 0:
warn(messages(language, "open_error").format(url))
return
info(messages(language, "DOS_send").format(target))
n = 0
t = threading.Thread(
target=test,
args=(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, True,
log_in_file, scan_id, scan_cmd, thread_tmp_filename))
t.start()
keyboard_interrupt_flag = False
while (n != limit):
n += 1
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(target=send_dos,
args=(url, user_agent, timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, retries,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target_to_host(target),
port, 'wordpress_dos_cve_2018_6389_vuln'))
try:
if int(open(thread_tmp_filename).read().rsplit()[0]) is 0:
if limit is not -1:
break
except:
pass
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 2 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(
messages(language, "no_vulnerability_found").format(
"wordpress_dos_cve_2018_6389_vuln"))
if verbose_level is not 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION':
messages(language, "no_vulnerability_found").format(
"wordpress_dos_cve_2018_6389_vuln"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language, "input_target_error").format(
'wordpress_dos_cve_2018_6389_vuln', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, socks_proxy, retries, ping_flag,
methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if users is None:
users = extra_requirements["ftp_brute_users"]
if passwds is None:
passwds = extra_requirements["ftp_brute_passwds"]
if ports is None:
ports = extra_requirements["ftp_brute_ports"]
if target_type(target) == 'HTTP':
target = target_to_host(target)
if ping_flag and do_one_ping(target, timeout_sec, 8) is None:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
warn(messages(language, 100).format(target, 'ftp_brute'))
return None
threads = []
max = thread_number
total_req = len(users) * len(passwds) * len(ports)
thread_tmp_filename = 'tmp/thread_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
ports_tmp_filename = 'tmp/ports_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('1')
thread_write.close()
ports_write = open(ports_tmp_filename, 'w')
ports_write.write('')
ports_write.close()
trying = 0
ports = test_ports(ports, timeout_sec, target, retries, language, num,
total, time_sleep, ports_tmp_filename,
thread_number, total_req, verbose_level,
socks_proxy)
for port in ports:
for user in users:
for passwd in passwds:
t = threading.Thread(
target=login,
args=(user, passwd, target, port, timeout_sec,
log_in_file, language, retries, time_sleep,
thread_tmp_filename, socks_proxy))
threads.append(t)
t.start()
trying += 1
if verbose_level is not 0:
info(
messages(language,
72).format(trying, total_req, num, total,
target, port, 'ftp_brute'))
while 1:
try:
if threading.activeCount() >= max:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
break
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'ftp_brute',
'DESCRIPTION': messages(language, 95),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + '\n')
save.close()
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format('ftp_brute', target))
def start(
target,
users,
passwds,
ports,
timeout_sec,
thread_number,
num,
total,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
methods_args,
scan_id,
scan_cmd,
): # Main function
if (target_type(target) != "SINGLE_IPv4" or target_type(target) != "DOMAIN"
or target_type(target) != "HTTP"):
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["whatcms_ports"]
if target_type(target) == "HTTP":
target = target_to_host(target)
threads = []
total_req = len(ports)
thread_tmp_filename = "{}/tmp/thread_tmp_".format(
load_file_path()) + "".join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, "w", "1", language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
port = int(port)
t = threading.Thread(
target=__whatcms,
args=(
target,
int(port),
timeout_sec,
log_in_file,
language,
time_sleep,
thread_tmp_filename,
socks_proxy,
scan_id,
scan_cmd,
extra_requirements["whatcms_api_key"][0],
),
)
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying,
total_req,
num,
total,
target,
port,
"whatcms_scan",
))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec /
0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1 and verbose_level != 0:
info(messages(language, "not_found"))
data = json.dumps({
"HOST": target,
"USERNAME": "",
"PASSWORD": "",
"PORT": "",
"TYPE": "whatcms_scan",
"DESCRIPTION": messages(language, "not_found"),
"TIME": now(),
"CATEGORY": "scan",
"SCAN_ID": scan_id,
"SCAN_CMD": scan_cmd,
})
__log_into_file(log_in_file, "a", data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format("whatcms_scan", target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, ping_flag, methods_args, scan_id,
scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# rand useragent
user_agent_list = [
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
"Googlebot/2.1 ( http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Ubuntu/10.04"
" Chromium/9.0.595.0 Chrome/9.0.595.0 Safari/534.13",
"Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)",
"Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51",
"Mozilla/5.0 (compatible; 008/0.83; http://www.80legs.com/webcrawler.html) Gecko/2008032620",
"Debian APT-HTTP/1.3 (0.8.10.3)",
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
"Googlebot/2.1 (+http://www.googlebot.com/bot.html)",
"Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)",
"YahooSeeker/1.2 (compatible; Mozilla 4.0; MSIE 5.5; yahooseeker at yahoo-inc dot com ; "
"http://help.yahoo.com/help/us/shop/merchant/)",
"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"msnbot/1.1 (+http://search.msn.com/msnbot.htm)"
]
http_methods = ["GET", "HEAD"]
user_agent = {'User-agent': random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["dir_scan_http_method"][0] not in http_methods:
warn(messages(language, 110))
extra_requirements["dir_scan_http_method"] = ["GET"]
if ports is None:
ports = extra_requirements["dir_scan_ports"]
random_agent_flag = True
if extra_requirements["dir_scan_random_agent"][0] == "False":
random_agent_flag = False
if ping_flag:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
warn(messages(language, 100).format(target, 'heartbleed_vuln'))
if do_one_ping(target, timeout_sec, 8) is None:
return None
threads = []
max = thread_number
total_req = len(extra_requirements["dir_scan_list"]) * len(ports)
thread_tmp_filename = 'tmp/thread_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('1')
thread_write.close()
trying = 0
for port in ports:
port = int(port)
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}:{1}/'.format(target, str(port))
else:
if target.count(':') > 1:
error(messages(language, 105))
from core.color import finish
finish()
sys.exit(1)
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://', '').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + ':' + str(port) + '/' + path
if test(url, retries, timeout_sec, user_agent,
extra_requirements["dir_scan_http_method"][0], socks_proxy,
verbose_level, trying, total_req, total, num, port,
language) is 0:
for idir in extra_requirements["dir_scan_list"]:
# check target type
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}:{1}/{2}'.format(
target, str(port), idir)
else:
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://',
'').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + ':' + str(
port) + '/' + path + '/' + idir
if random_agent_flag:
user_agent = {
'User-agent': random.choice(user_agent_list)
}
t = threading.Thread(
target=check,
args=(url, user_agent, timeout_sec, log_in_file,
language, time_sleep, thread_tmp_filename,
retries,
extra_requirements["dir_scan_http_method"][0],
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level is not 0:
info(
messages(language,
72).format(trying, total_req, num, total,
target_to_host(target), port,
'dir_scan'))
while 1:
try:
if threading.activeCount() >= max:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
break
break
else:
warn(messages(language, 109).format(url))
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec / 0.1) if int(timeout_sec /
0.1) is not 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() is 1 or kill_switch is kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1:
info(messages(language, 108).format(target, ",".join(ports)))
if verbose_level is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'dir_scan',
'DESCRIPTION': messages(language, 94),
'TIME': now(),
'CATEGORY': "scan",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + '\n')
save.close()
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format('dir_scan', target))
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, retries, http_method):
_HOST = messages(language, 53)
_USERNAME = messages(language, 54)
_PASSWORD = messages(language, 55)
_PORT = messages(language, 56)
_TYPE = messages(language, 57)
_DESCRIPTION = messages(language, 58)
status_codes = [200, 401, 403]
directory_listing_msgs = [
"<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>",
"Directory Listing for", "Parent Directory</a>", "Last modified</a>",
"<TITLE>Folder Listing.", "- Browsing directory "
]
time.sleep(time_sleep)
try:
n = 0
while 1:
try:
if http_method == "GET":
r = requests.get(target,
timeout=timeout_sec,
headers=user_agent,
verify=True)
elif http_method == "HEAD":
r = requests.head(target,
timeout=timeout_sec,
headers=user_agent,
verify=True)
content = r.content
break
except:
n += 1
if n is retries:
warn(messages(language, 106).format(target))
return 1
if version() is 3:
content = content.decode('utf8')
if r.status_code in status_codes:
info(
messages(language, 38).format(target, r.status_code, r.reason))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('0')
thread_write.close()
save = open(log_in_file, 'a')
save.write(
json.dumps({
_HOST:
target_to_host(target),
_USERNAME:
'',
_PASSWORD:
'',
_PORT:
int(target.rsplit(':')[2].rsplit('/')[0]),
_TYPE:
'dir_scan',
_DESCRIPTION:
messages(language, 38).format(target, r.status_code,
r.reason)
}) + '\n')
save.close()
if r.status_code is 200:
for dlmsg in directory_listing_msgs:
if dlmsg in content:
info(messages(language, 104).format(target))
save = open(log_in_file, 'a')
save.write(
json.dumps({
_HOST:
target_to_host(target),
_USERNAME:
'',
_PASSWORD:
'',
_PORT:
int(target.rsplit(':')[1].rsplit('/')[0]),
_TYPE:
'dir_scan',
_DESCRIPTION:
messages(language, 104).format(target)
}) + '\n')
save.close()
break
return True
except:
return False
def check(target, user_agent, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, retries, http_method, socks_proxy, scan_id,
scan_cmd):
status_codes = [200, 401, 403]
directory_listing_msgs = [
"<title>Index of /", "<a href=\"\\?C=N;O=D\">Name</a>",
"Directory Listing for", "Parent Directory</a>", "Last modified</a>",
"<TITLE>Folder Listing.", "- Browsing directory "
]
time.sleep(time_sleep)
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if http_method == "GET":
r = requests.get(target,
timeout=timeout_sec,
headers=user_agent,
verify=True)
elif http_method == "HEAD":
r = requests.head(target,
timeout=timeout_sec,
headers=user_agent,
verify=True)
content = r.content
break
except:
n += 1
if n is retries:
warn(messages(language, 106).format(target))
return 1
if version() is 3:
content = content.decode('utf8')
if r.status_code in status_codes:
info(
messages(language, 38).format(target, r.status_code, r.reason))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('0')
thread_write.close()
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
int(target.rsplit(':')[2].rsplit('/')[0]),
'TYPE':
'dir_scan',
'DESCRIPTION':
messages(language, 38).format(target, r.status_code,
r.reason),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n')
save.close()
if r.status_code is 200:
for dlmsg in directory_listing_msgs:
if dlmsg in content:
info(messages(language, 104).format(target))
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST':
target_to_host(target),
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
int(target.rsplit(':')[1].rsplit('/')[0]),
'TYPE':
'dir_scan',
'DESCRIPTION':
messages(language, 104).format(target),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n')
save.close()
break
return True
except:
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, socks_proxy, retries, ping_flag,
methods_args, scan_id, scan_cmd): # Main function
from core.targets import target_type
from core.targets import target_to_host
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if target_type(target) == 'HTTP':
target = target_to_host(target)
if ping_flag:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(
socks_version,
str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]),
username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version,
str(socks_proxy.rsplit(':')[0]),
int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
warn(messages(language, 100).format(target, 'heartbleed_vuln'))
if do_one_ping(target, timeout_sec, 8) is None:
return None
subs = __get_subs(target,
timeout_sec,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
num,
total,
extra_requirements=extra_requirements)
info(
messages(language,
135).format(len(subs),
', '.join(subs) if len(subs) > 0 else 'None'))
if len(subs) is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'subdomain_scan',
'DESCRIPTION':
messages(language, 135).format(
len(subs),
', '.join(subs) if len(subs) > 0 else 'None'),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n')
save.close()
if len(subs) is 0 and verbose_level is not 0:
save = open(log_in_file, 'a')
save.write(
json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'subdomain_scan',
'DESCRIPTION':
messages(language, 135).format(
len(subs),
', '.join(subs) if len(subs) > 0 else 'None'),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
}) + '\n')
save.close()
return subs
else:
warn(messages(language, 69).format('subdomain_scan', target))
return []
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd):
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if users is None:
users = extra_requirements["http_form_brute_users"]
if passwds is None:
passwds = extra_requirements["http_form_brute_passwds"]
if ports is None:
ports = extra_requirements["http_form_brute_ports"]
if target.lower().startswith('http://') or target.lower().startswith(
'https://'):
pass
else:
target = 'http://' + str(target)
threads = []
total_req = len(users) * len(passwds)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
keyboard_interrupt_flag = False
for port in ports:
if check("http://" + target_to_host(target), timeout_sec, language,
port):
target = target
elif check("https://" + target_to_host(target), timeout_sec,
language, port):
target = "https" + target[4:]
for user in users:
for passwd in passwds:
t = threading.Thread(target=login,
args=(user, passwd, target, port,
timeout_sec, log_in_file,
language, retries, time_sleep,
thread_tmp_filename,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target, port,
'http_form_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
if keyboard_interrupt_flag:
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1:
break
except KeyboardInterrupt:
break
thread_write = int(
open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1 and verbose_level != 0:
data = json.dumps(
{
'HOST': target,
'USERNAME': '',
'PASSWORD': '',
'PORT': '',
'TYPE': 'http_form_brute',
'DESCRIPTION': messages(language,
"no_user_passwords"),
'TIME': now(),
'CATEGORY': "brute",
'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd
}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language,
"input_target_error").format('http_form_brute', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level,
show_version, check_update, proxies, retries, ping_flag,
methods_args): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(target) != 'HTTP':
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
if ports is None:
ports = extra_requirements["port_scan_ports"]
if target_type(target) == 'HTTP':
target = target_to_host(target)
if ping_flag and do_one_ping(target, timeout_sec, 8) is None:
warn(messages(language, 100).format(target, 'port_scan'))
return None
threads = []
max = thread_number
total_req = len(ports)
thread_tmp_filename = 'tmp/thread_tmp_' + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
thread_write = open(thread_tmp_filename, 'w')
thread_write.write('1')
thread_write.close()
trying = 0
for port in ports:
port = int(port)
t = threading.Thread(target=connect,
args=(target, int(port), timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename))
threads.append(t)
t.start()
trying += 1
if verbose_level is not 0:
info(
messages(language, 72).format(trying, total_req, num,
total, target, port))
while 1:
try:
n = 0
for thread in threads:
if thread.isAlive() is True:
n += 1
else:
threads.remove(thread)
if n >= max:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
break
break
# wait for threads
while 1:
try:
n = True
for thread in threads:
if thread.isAlive() is True:
n = False
time.sleep(0.01)
if n is True:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write is 1 and verbose_level is not 0:
_HOST = messages(language, 53)
_USERNAME = messages(language, 54)
_PASSWORD = messages(language, 55)
_PORT = messages(language, 56)
_TYPE = messages(language, 57)
_DESCRIPTION = messages(language, 58)
save = open(log_in_file, 'a')
save.write(
json.dumps({
_HOST: target,
_USERNAME: '',
_PASSWORD: '',
_PORT: '',
_TYPE: 'port_scan',
_DESCRIPTION: messages(language, 94)
}) + '\n')
save.close()
os.remove(thread_tmp_filename)
else:
warn(messages(language, 69).format('port_scan', target))
def test(target, retries, timeout_sec, user_agent, http_method, socks_proxy, verbose_level, trying, total_req, total,
num, language):
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target),
"default_port",
'wp_plugin_scan'))
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
socks.set_default_proxy(socks_version, str(socks_proxy.rsplit('@')[1].rsplit(':')[0]),
int(socks_proxy.rsplit(':')[-1]), username=socks_username,
password=socks_password)
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
else:
socks.set_default_proxy(socks_version, str(
socks_proxy.rsplit(':')[0]), int(socks_proxy.rsplit(':')[1]))
socket.socket = socks.socksocket
socket.getaddrinfo = getaddrinfo
n = 0
while 1:
try:
if http_method == "GET":
requests.get(target, timeout=timeout_sec,
headers=user_agent)
elif http_method == "HEAD":
requests.head(target, timeout=timeout_sec,
headers=user_agent)
return 0
except:
n += 1
if n is retries:
return 1
