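def init(self):
    """Register module metadata, request vectors and CLI arguments.

    Five PHP vectors (stream-wrapper reads, curl, HttpRequest) plus a shell
    fallback around the remote host's ``curl`` binary are registered; the
    argument list mirrors a subset of curl's own flags.
    """
    self.register_info({
        'author': ['Emilio Pinna'],
        'license': 'GPLv3'
    })

    # Single source of truth for the timeout so the help text cannot drift
    # from the real default again (the help used to claim 2 while the
    # default was 5).
    connect_timeout_default = 5

    self.register_vectors([
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_context.tpl'),
            name='file_get_contents',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_context.tpl'),
            name='fopen_stream_get_contents',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_context.tpl'),
            name='fopen_fread',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_curl.tpl'),
            name='php_curl',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_httprequest1.tpl'),
            name='php_httprequest1',
        ),
        # Shell fallback. NOTE(review): user_agent, header, cookie, data and
        # url are spliced verbatim into single-quoted shell words; a value
        # that itself contains a single quote ends the quoting early and the
        # rest is parsed by the remote shell. Use a PHP vector for such
        # values. '-X' is omitted when data is present because curl already
        # switches to POST for '-d'.
        ShellCmd(
            payload="""curl -s -i ${ "-A '%s'" % user_agent if user_agent else "" } ${ '--connect-timeout %i' % connect_timeout } ${ '-X %s' % request if (not data and request) else '' } ${ " ".join([ "-H '%s'" % h for h in header ]) } ${ "-b '%s'" % cookie if cookie else '' } ${ ' '.join([ "-d '%s'" % d for d in data ]) } '${ url }'""",
            name='sh_curl'
        )
    ])

    # Short and long spellings share a 'dest' so either form fills the
    # same template variable.
    request_choices = ('GET', 'HEAD', 'POST', 'PUT')
    self.register_arguments([
        {'name': 'url'},
        {'name': '--header', 'dest': 'header', 'action': 'append', 'default': []},
        {'name': '-H', 'dest': 'header', 'action': 'append', 'default': []},
        {'name': '--cookie', 'dest': 'cookie'},
        {'name': '-b', 'dest': 'cookie'},
        {'name': '--data', 'dest': 'data', 'action': 'append', 'default': []},
        {'name': '-d', 'dest': 'data', 'action': 'append', 'default': []},
        {'name': '--user-agent', 'dest': 'user_agent'},
        {'name': '-A', 'dest': 'user_agent'},
        {
            'name': '--connect-timeout',
            'type': int,
            'default': connect_timeout_default,
            'help': 'Default: %i' % connect_timeout_default
        },
        {'name': '--request', 'dest': 'request', 'choices': request_choices, 'default': 'GET'},
        {'name': '-X', 'dest': 'request', 'choices': request_choices, 'default': 'GET'},
        {'name': '--output', 'dest': 'output'},
        {'name': '-o', 'dest': 'output'},
        {
            'name': '-i',
            'dest': 'include_headers',
            'help': 'Include response headers',
            'action': 'store_true',
            'default': False
        },
        {
            'name': '-local',
            'action': 'store_true',
            'default': False,
            'help': 'Save file locally with -o|--output'
        },
        # The default must be one of the names registered above; the
        # previous value 'file' was not a registered vector, so the module
        # could not run without an explicit -vector.
        {
            'name': '-vector',
            'choices': self.vectors.get_names(),
            'default': 'file_get_contents'
        }
    ])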
def init(self):
    """Declare the bzip2 module: one PHP vector and gzip-style CLI flags."""
    metadata = {'author': ['Emilio Pinna'], 'license': 'GPLv3'}
    self.register_info(metadata)

    template = os.path.join(self.folder, 'php_bzip2.tpl')
    self.register_vectors([PhpFile(payload_path=template, name='php_bzip2')])

    # 'rpaths' is positional and repeatable; the two flags mirror
    # gunzip's -d and -k.
    arguments = [
        {'name': 'rpaths', 'help': 'Remote file paths', 'nargs': '+'},
        {
            'name': '--decompress',
            'action': 'store_true',
            'default': False,
            'help': 'Simulate gunzip'
        },
        {
            'name': '--keep',
            'action': 'store_true',
            'default': False,
            'help': "Keep (don't delete) input files"
        },
    ]
    self.register_arguments(arguments)
def init(self):
    """Declare the zip module: one PHP vector and zip/unzip-style arguments."""
    metadata = {'author': ['Emilio Pinna'], 'license': 'GPLv3'}
    self.register_info(metadata)

    template = os.path.join(self.folder, 'php_zip.tpl')
    self.register_vectors([PhpFile(payload_path=template, name='php_zip')])

    # 'rfiles' doubles as the input list when compressing and as the
    # destination folder when --decompress is set.
    arguments = [
        {'name': 'rzip', 'help': 'Remote ZIP file'},
        {
            'name': 'rfiles',
            'help': 'Remote files to compress. If decompressing, set destination folder.',
            'nargs': '+'
        },
        {
            'name': '--decompress',
            'action': 'store_true',
            'default': False,
            'help': 'Simulate unzip'
        },
    ]
    self.register_arguments(arguments)
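def init(self):
    """Declare the mysqldump module: a shell vector and a PHP vector.

    The shell vector runs the remote ``mysqldump`` binary and (per the
    ``-dbms`` help) only supports MySQL; the PHP vector is the default.
    """
    self.register_info({
        'author': ['Emilio Pinna'],
        'license': 'GPLv3'
    })

    self.register_vectors([
        # ``mysqldump -h`` takes a bare host, so the optional ':port' part
        # of the -host argument is passed separately through ``-P``
        # instead of being handed to -h verbatim.
        # NOTE(review): the password is placed on the remote command line,
        # where it is visible in ``ps`` output on the target; and ``table``
        # is not a registered argument here -- presumably supplied by
        # run() at render time, verify before relying on this vector.
        ShellCmd(
            payload=(
                "mysqldump"
                " -h ${ host.split(':', 1)[0] }"
                " ${ '-P %s' % host.split(':', 1)[1] if ':' in host else '' }"
                " -u${user} -p${passwd} ${db} ${table} --single-transaction"
            ),
            name='mysqldump_sh'
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'mysqldump.tpl'),
            name='mysqldump_php',
        )
    ])

    self.register_arguments([
        {'name': 'db', 'help': 'Db to dump'},
        {'name': 'user', 'help': 'SQL username'},
        # Using passwd instead of pass to avoid rendering the `pass` keyword
        {'name': 'passwd', 'help': 'SQL password'},
        {
            'name': '-dbms',
            'help': 'Db type. Vector \'mysqldump_sh\' supports only \'mysql\'.',
            'choices': ('mysql', 'pgsql', 'sqlite', 'dblib'),
            'default': 'mysql'
        },
        {
            'name': '-host',
            'help': 'Db host or host:port',
            'nargs': '?',
            'default': '127.0.0.1'
        },
        {
            'name': '-lpath',
            'help': 'Dump to local path (default: temporary file)'
        },
        {
            'name': '-vector',
            'choices': self.vectors.get_names(),
            'default': 'mysqldump_php'
        }
    ])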
def init(self):
    """Declare the SQL brute-force module: one PHP vector per service.

    The 'service' positional is constrained to the registered vector
    names, so adding a vector automatically exposes a new service.
    """
    metadata = {'author': ['Emilio Pinna'], 'license': 'GPLv3'}
    self.register_info(metadata)

    vectors = []
    for service_name in ('mysql', 'pgsql'):
        template = os.path.join(self.folder, service_name + '.tpl')
        vectors.append(PhpFile(payload_path=template, name=service_name))
    self.register_vectors(vectors)

    # Candidates can be given inline (-users/-pwds) or read from local
    # wordlist files (-fusers/-fpwds).
    arguments = [
        {
            'name': 'service',
            'help': 'Service to bruteforce',
            'choices': self.vectors.get_names()
        },
        {'name': '-hostname', 'help': 'Hostname', 'default': 'localhost'},
        {'name': '-users', 'help': 'Users', 'nargs': '*', 'default': []},
        {'name': '-pwds', 'help': 'Passwords', 'nargs': '*', 'default': []},
        {'name': '-fusers', 'help': 'Local file path containing users list'},
        {'name': '-fpwds', 'help': 'Local file path containing password list'},
    ]
    self.register_arguments(arguments)
def init(self):
    """Declare the port-scan module: an fsockopen PHP vector and its options.

    The two batching knobs (-addresses-per-request, -ports-per-request)
    are hidden from the help output but still accepted.
    """
    metadata = {'author': ['Emilio Pinna'], 'license': 'GPLv3'}
    self.register_info(metadata)

    template = os.path.join(self.folder, 'fsockopen.tpl')
    self.register_vectors([PhpFile(payload_path=template, name='fsockopen')])

    address_help = (
        'IPs or interface e.g. 10.1.1.1,10.1.1.2 or 10.1.1.1-254 '
        'or 10.1.1.1/255.255.255.0 or eth0'
    )
    arguments = [
        {'name': 'addresses', 'help': address_help},
        {'name': 'ports', 'help': 'Ports e.g. 80,8080 or 80,8080-9090'},
        {'name': '-timeout', 'help': 'Connection timeout', 'type': int, 'default': 1},
        {
            'name': '-print',
            'action': 'store_true',
            'default': False,
            'help': 'Print closed and filtered ports'
        },
        # Hidden tuning knobs: how many targets one PHP request scans.
        {'name': '-addresses-per-request', 'help': SUPPRESS, 'type': int, 'default': 10},
        {'name': '-ports-per-request', 'help': SUPPRESS, 'type': int, 'default': 5},
    ]
    self.register_arguments(arguments)
def init(self):
    """Declare the find module: a PHP BFS walker and a shell ``find`` wrapper.

    Both vectors take the same argument set; the PHP walker is the default.
    """
    metadata = {'author': ['Emilio Pinna'], 'license': 'GPLv3'}
    self.register_info(metadata)

    php_vector = PhpFile(
        payload_path=os.path.join(self.folder, 'bfs_walker.tpl'),
        name='php_find',
    )

    # -print -quit must be at the end of the command.
    # NOTE(review): rpath and expression are interpolated unquoted /
    # single-quoted into the remote command line, so a path with spaces or
    # an expression containing a single quote breaks the command; and
    # -readable/-writable/-executable are GNU find extensions, so the
    # shell vector is not portable to BSD find. Prefer php_find there.
    sh_vector = ShellCmd(
        payload="""find ${rpath} ${ '-maxdepth 1' if no_recursion else '' } ${ '-writable' if writable else '' } ${ '-readable' if readable else '' } ${ '-executable' if executable else '' } ${ '-type %s' % (ftype) if (ftype == 'd' or ftype == 'f') else '' } ${ "-%sregex '.*%s.*'" % ( '' if case else 'i', expression) if expression else '' } ${ '-print -quit' if quit else '' }""",
        name="sh_find",
        arguments=[
            "-stderr_redirection",
            " 2>/dev/null",
        ]
    )
    self.register_vectors([php_vector, sh_vector])

    arguments = [
        {'name': 'rpath', 'help': 'Starting path'},
        {
            'name': 'expression',
            'help': 'Regular expression to match file name',
            'nargs': '?'
        },
        {
            'name': '-quit',
            'action': 'store_true',
            'default': False,
            'help': 'Quit at first result'
        },
        {'name': '-writable', 'action': 'store_true'},
        {'name': '-readable', 'action': 'store_true'},
        {'name': '-executable', 'action': 'store_true'},
        {'name': '-ftype', 'help': 'File type', 'choices': ('f', 'd')},
        {'name': '-no-recursion', 'action': 'store_true', 'default': False},
        {
            'name': '-vector',
            'choices': self.vectors.get_names(),
            'default': 'php_find'
        },
        # Case-insensitive matching is the default; -case switches the
        # shell vector from -iregex to -regex.
        {
            'name': '-case',
            'help': 'Case sensitive',
            'action': 'store_true',
            'default': False
        },
    ]
    self.register_arguments(arguments)
def init(self):
    """Declare the tar module: one PHP vector and tar-style extraction flags."""
    metadata = {'author': ['Emilio Pinna'], 'license': 'GPLv3'}
    self.register_info(metadata)

    template = os.path.join(self.folder, 'php_tar.tpl')
    self.register_vectors([PhpFile(payload_path=template, name='php_tar')])

    # 'rfiles' is the input list when creating and the destination folder
    # when --decompress is set; -z/-j select gzip/bzip2 on extraction.
    arguments = [
        {'name': 'rtar', 'help': 'Remote Tar file'},
        {
            'name': 'rfiles',
            'help': 'Remote files to compress. If decompressing, set destination folder.',
            'nargs': '+'
        },
        {
            'name': '--decompress',
            'action': 'store_true',
            'default': False,
            'help': 'Simulate tar -x'
        },
        {
            'name': '-z',
            'action': 'store_true',
            'default': False,
            'help': 'Simulate tar -xz for gzip compressed archives'
        },
        {
            'name': '-j',
            'action': 'store_true',
            'default': False,
            'help': 'Simulate tar -xj for bzip2 compressed archives'
        },
    ]
    self.register_arguments(arguments)
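def init(self):
    """Register module metadata, request vectors and CLI arguments.

    Only PHP vectors are registered (stream-wrapper reads, curl,
    HttpRequest). A shell ``curl`` vector was tried and dropped: the
    original TODO records that it failed the "POST request with binary
    string" test because the shell cannot carry null bytes in arguments.
    """
    self.register_info({
        'author': ['Emilio Pinna'],
        'license': 'GPLv3'
    })

    # Single source of truth for the timeout so the help text cannot drift
    # from the real default again (the help used to claim 2 while the
    # default was 5).
    connect_timeout_default = 5

    self.register_vectors([
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_context.tpl'),
            name='file_get_contents',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_context.tpl'),
            name='fopen_stream_get_contents',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_context.tpl'),
            name='fopen_fread',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_curl.tpl'),
            name='php_curl',
        ),
        PhpFile(
            payload_path=os.path.join(self.folder, 'php_httprequest1.tpl'),
            name='php_httprequest1',
        ),
    ])

    # Short and long spellings share a 'dest' so either form fills the
    # same template variable.
    request_choices = ('GET', 'HEAD', 'POST', 'PUT', 'OPTIONS')
    self.register_arguments([
        {'name': 'url'},
        {'name': '--header', 'dest': 'header', 'action': 'append', 'default': []},
        {'name': '-H', 'dest': 'header', 'action': 'append', 'default': []},
        {'name': '--cookie', 'dest': 'cookie'},
        {'name': '-b', 'dest': 'cookie'},
        {'name': '--data', 'dest': 'data', 'action': 'append', 'default': []},
        {'name': '-d', 'dest': 'data', 'action': 'append', 'default': []},
        {'name': '--user-agent', 'dest': 'user_agent'},
        {'name': '-A', 'dest': 'user_agent'},
        {
            'name': '--connect-timeout',
            'type': int,
            'default': connect_timeout_default,
            'help': 'Default: %i' % connect_timeout_default
        },
        {'name': '--request', 'dest': 'request', 'choices': request_choices, 'default': 'GET'},
        {'name': '-X', 'dest': 'request', 'choices': request_choices, 'default': 'GET'},
        {'name': '--output', 'dest': 'output'},
        {'name': '-o', 'dest': 'output'},
        {
            'name': '-i',
            'dest': 'include_headers',
            'help': 'Include response headers',
            'action': 'store_true',
            'default': False
        },
        {
            'name': '-local',
            'action': 'store_true',
            'default': False,
            'help': 'Save file locally with -o|--output'
        },
        {
            'name': '-vector',
            'choices': self.vectors.get_names(),
            'default': 'file_get_contents'
        }
    ])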