def do_request(self):
while not self.STOP_ME:
try:
origin_params = params = self.queue.get(timeout=1.0)
except:
thread_exit(self)
return
if params is None:
self.queue.task_done()
thread_exit(self)
return
local_headers = copy.deepcopy(self.http_headers)
fake_ip(self, local_headers)
fake_session_id(self, local_headers)
data = self.args.query
params_dict = dict(urlparse.parse_qsl(data))
if self.args.basic:
local_headers['Authorization'] = 'Basic ' + base64.b64encode(
params)
elif self.args.checkproxy:
pass
else:
params = params.split(
'^^^') # e.g. params = ['test', '{user}123456']
i = 0
for key in self.selected_params_keys:
params_dict[key] = params[i]
i += 1
# replace placeholder like {user} to its value
for p in self.selected_params:
for p2 in params_dict:
params_dict[p] = params_dict[p].replace(
'{%s}' % p2, params_dict[p2])
for p in params_dict:
# hash support: MD5, MD5_16, SHA1
if self.args.md5.count(p) > 0:
params_dict[p] = hashlib.md5(params_dict[p]).hexdigest()
elif self.args.md5_16.count(p) > 0:
params_dict[p] = hashlib.md5(
params_dict[p]).hexdigest()[8:24]
elif self.args.sha1.count(p) > 0:
params_dict[p] = hashlib.sha1(params_dict[p]).hexdigest()
data = urllib.urlencode(params_dict)
data_print = dict((k, v) for k, v in params_dict.iteritems()
if k in self.selected_params)
data_print = urllib.urlencode(data_print)
data_print = urllib.unquote(data_print)
if not self.args.nov and not self.args.checkproxy:
self.print_s('[.]Scan %s' %
(params if self.args.basic else data_print))
max_err_count = 1 if self.args.checkproxy else 6
err_count = 0
while err_count < max_err_count:
try:
if self.args.proxy_on:
cur_proxy = get_proxy(self)
if self.args.checkproxy:
self.print_s('[.]Check proxy server %s' % cur_proxy)
conn = httplib.HTTPConnection(cur_proxy, timeout=30)
if self.args.debug: conn.set_debuglevel(1)
if self.args.get:
conn.request(method='GET',
url='%s://%s/%s?%s' %
(self.args.scm, self.args.netloc,
self.args.path, data),
headers=local_headers)
else:
conn.request(
method='POST',
url='%s://%s/%s' %
(self.args.scm, self.args.netloc, self.args.path),
body=data,
headers=local_headers)
else: # Proxy off
conn_func = httplib.HTTPSConnection if self.args.scm == 'https' else httplib.HTTPConnection
conn = conn_func(self.args.netloc, timeout=30)
if self.args.debug: conn.set_debuglevel(1)
if self.args.get:
conn.request(method='GET',
url='%s?%s' % (self.args.path, data),
headers=local_headers)
else:
conn.request(method='POST',
url=self.args.path,
body=data,
headers=local_headers)
response = conn.getresponse()
res_headers = str(response.getheaders())
res_status = str(response.status)
_ = re.search('charset=([^"^>^\']*)', res_headers)
charset = _.group(1).strip() if _ else None
html_doc = decode_response_text(response.read(), charset)
conn.close()
html_doc = html_doc.replace('\r', r'\r').replace(
'\n', r'\n').replace('\t', ' ')
html_doc = re.sub(' +', ' ', html_doc) # Leave one blank only
if self.args.debug:
self.lock.acquire()
print '*' * self.console_width
print '[Response headers and response text]\n'
print res_headers + '\n' + system_encode(html_doc)
print '\n' + '*' * self.console_width
self.lock.release()
if self.args.rtxt and html_doc.find(self.args.rtxt) >= 0:
raise Exception('Retry for <%s>' %
system_encode(self.args.rtxt))
if self.args.rntxt and html_doc.find(self.args.rntxt) < 0:
raise Exception('Retry for no <%s>' %
system_encode(self.args.rntxt))
if self.args.rheader and res_headers.find(
self.args.rheader) >= 0:
raise Exception('Retry for header <%s>' %
self.args.rheader)
if self.args.rnheader and res_headers.find(
self.args.rnheader) < 0:
raise Exception('Retry for no header <%s>' %
self.args.rnheader)
found_err_tag = False
for tag in self.args.err:
if html_doc.find(tag) >= 0:
found_err_tag = True
found_suc_tag = False
suc_tag_matched = ''
for tag in self.args.suc:
if html_doc.find(tag) >= 0:
suc_tag_matched += tag + ' '
found_suc_tag = True
suc_tag_matched = suc_tag_matched.strip()
data = urllib.unquote(data)
cracked_msg = ''
if (not self.args.no302 and response.status == 302):
cracked_msg = '[+]%s \t\t{302 redirect}' % data
if self.args.ssuc and res_status in self.args.ssuc:
cracked_msg = '[+]%s \t\t[Found %s in status]' % (
data, self.args.ssuc)
if response.status == 200 and self.args.err and not found_err_tag:
cracked_msg = '[+]%s \t\t{%s not found}' % (data,
self.args.err)
if self.args.suc and found_suc_tag:
cracked_msg = '[+]%s \t\t[Found %s]' % (data,
suc_tag_matched)
if self.args.herr and res_headers.find(self.args.herr) < 0:
cracked_msg = '[+]%s \t\t[%s not found in headers]' % (
data, self.args.herr)
if self.args.hsuc and res_headers.find(self.args.hsuc) >= 0:
cracked_msg = '[+]%s \t\t[Found %s in headers]' % (
data, self.args.hsuc)
if self.args.basic and response.status < 400:
local_headers['Authorization'] = ''
cracked_msg = '[+][Basic Auth] %s %s' % (params,
self.args.u)
if cracked_msg:
add_cracked_count(self)
if self.args.checkproxy:
self.print_s('[+OK] %s' % cur_proxy, color_red=True)
with open('001.proxy.servers.txt', 'a') as outFile:
outFile.write(cur_proxy + '\n')
else:
self.print_s(system_encode('[+OK]%s' % data_print),
color_red=True)
with open(self.args.o, 'a') as outFile:
outFile.write(cracked_msg + '\n')
if err_count == max_err_count:
self.queue.put(origin_params) # put in queue again
if self.args.sleep: time.sleep(float(self.args.sleep))
break
except Exception, e:
err_count += 1
if not self.args.checkproxy:
self.print_s('[Exception in do_request] %s' % e)
try:
conn.close()
except:
pass
time.sleep(3.0)
self.queue.task_done()
def do_request(self):
while not self.STOP_ME:
try:
origin_params = params = self.queue.get(timeout=1.0)
except:
thread_exit(self)
return
if params is None:
self.queue.task_done()
thread_exit(self)
return
local_headers = copy.deepcopy(self.http_headers)
fake_ip(self, local_headers)
fake_session_id(self, local_headers)
data = self.args.query
params_dict = dict(urlparse.parse_qsl(data))
if self.args.basic:
local_headers['Authorization'] = 'Basic ' + base64.b64encode(params)
elif self.args.checkproxy:
pass
else:
params = params.split('^^^') # e.g. params = ['test', '{user}123456']
i = 0
for key in self.selected_params_keys:
params_dict[key] = params[i]
i += 1
# replace placeholder like {user} to its value
for p in self.selected_params:
for p2 in params_dict:
params_dict[p] = params_dict[p].replace('{%s}' % p2, params_dict[p2])
for p in params_dict:
# hash support: MD5, MD5_16, SHA1
if self.args.md5.count(p) > 0:
params_dict[p] = hashlib.md5(params_dict[p]).hexdigest()
elif self.args.md5_16.count(p) > 0:
params_dict[p] = hashlib.md5(params_dict[p]).hexdigest()[8:24]
elif self.args.sha1.count(p) > 0:
params_dict[p] = hashlib.sha1(params_dict[p]).hexdigest()
data = urllib.urlencode(params_dict)
data_print = dict((k,v) for k,v in params_dict.iteritems() if k in self.selected_params)
data_print = urllib.urlencode(data_print)
data_print = urllib.unquote(data_print)
if not self.args.nov and not self.args.checkproxy:
self.print_s('[.]Scan %s' % (params if self.args.basic else data_print))
max_err_count = 1 if self.args.checkproxy else 6
err_count = 0
while err_count < max_err_count:
try:
if self.args.proxy_on:
cur_proxy = get_proxy(self)
if self.args.checkproxy:
self.print_s('[.]Check proxy server %s' % cur_proxy)
conn = httplib.HTTPConnection(cur_proxy, timeout=30)
if self.args.debug: conn.set_debuglevel(1)
if self.args.get:
conn.request(method='GET', url='%s://%s/%s?%s'% (self.args.scm, self.args.netloc, self.args.path, data),
headers=local_headers)
else:
conn.request(method='POST', url='%s://%s/%s' % (self.args.scm, self.args.netloc, self.args.path),
body=data, headers=local_headers)
else: # Proxy off
conn_func = httplib.HTTPSConnection if self.args.scm == 'https' else httplib.HTTPConnection
conn = conn_func(self.args.netloc, timeout=30)
if self.args.debug: conn.set_debuglevel(1)
if self.args.get:
conn.request(method='GET', url='%s?%s' % (self.args.path, data), headers=local_headers)
else:
conn.request(method='POST', url=self.args.path, body=data, headers=local_headers)
response = conn.getresponse(); res_headers = str(response.getheaders())
res_status = str(response.status)
_ = re.search('charset=([^"^>^\']*)', res_headers); charset = _.group(1).strip() if _ else None
html_doc = decode_response_text(response.read(), charset)
conn.close()
html_doc = html_doc.replace('\r', r'\r').replace('\n', r'\n').replace('\t', ' ')
html_doc = re.sub(' +', ' ', html_doc) # Leave one blank only
if self.args.debug:
self.lock.acquire()
print '*' * self.console_width
print '[Response headers and response text]\n'
print res_headers + '\n' + system_encode(html_doc)
print '\n' + '*' * self.console_width
self.lock.release()
if self.args.rtxt and html_doc.find(self.args.rtxt) >= 0:
raise Exception('Retry for <%s>' % system_encode(self.args.rtxt) )
if self.args.rntxt and html_doc.find(self.args.rntxt) < 0:
raise Exception('Retry for no <%s>' % system_encode(self.args.rntxt))
if self.args.rheader and res_headers.find(self.args.rheader) >= 0:
raise Exception('Retry for header <%s>' % self.args.rheader)
if self.args.rnheader and res_headers.find(self.args.rnheader) < 0:
raise Exception('Retry for no header <%s>' % self.args.rnheader)
found_err_tag = False
for tag in self.args.err:
if html_doc.find(tag) >= 0:
found_err_tag = True
found_suc_tag = False
suc_tag_matched = ''
for tag in self.args.suc:
if html_doc.find(tag) >= 0:
suc_tag_matched += tag + ' '
found_suc_tag = True
suc_tag_matched = suc_tag_matched.strip()
data = urllib.unquote(data)
cracked_msg = ''
if (not self.args.no302 and response.status == 302):
cracked_msg = '[+]%s \t\t{302 redirect}' % data
if self.args.ssuc and res_status in self.args.ssuc:
cracked_msg = '[+]%s \t\t[Found %s in status]' % (data, self.args.ssuc)
if response.status == 200 and self.args.err and not found_err_tag:
cracked_msg = '[+]%s \t\t{%s not found}' % (data, self.args.err)
if self.args.suc and found_suc_tag:
cracked_msg = '[+]%s \t\t[Found %s]' % (data, suc_tag_matched)
if self.args.herr and res_headers.find(self.args.herr) < 0:
cracked_msg = '[+]%s \t\t[%s not found in headers]' % (data, self.args.herr)
if self.args.hsuc and res_headers.find(self.args.hsuc) >=0:
cracked_msg = '[+]%s \t\t[Found %s in headers]' % (data, self.args.hsuc)
if self.args.basic and response.status < 400:
local_headers['Authorization'] = ''
cracked_msg = '[+][Basic Auth] %s %s' % (params, self.args.u)
if cracked_msg:
add_cracked_count(self)
if self.args.checkproxy:
self.print_s('[+OK] %s' % cur_proxy, color_red=True)
with open('001.proxy.servers.txt', 'a') as outFile:
outFile.write(cur_proxy + '\n')
else:
self.print_s(system_encode('[+OK]%s' % data_print), color_red=True)
with open(self.args.o, 'a') as outFile:
outFile.write(cracked_msg + '\n')
if err_count == max_err_count: self.queue.put(origin_params) # put in queue again
if self.args.sleep: time.sleep( float(self.args.sleep) )
break
except Exception, e:
err_count += 1
if not self.args.checkproxy: self.print_s('[Exception in do_request] %s' % e)
try:
conn.close()
except:
pass
time.sleep(3.0)
self.queue.task_done()