def check_for_robots(url, ext="/robots.txt", data_sep="-" * 30):
"""
check if the URL has a robots.txt in it and collect `interesting` information
out of the page
"""
url = replace_http(url)
interesting = set()
full_url = "{}{}{}".format("http://", url, ext)
conn = requests.get(full_url)
data = conn.content
code = conn.status_code
if code == 404:
return False
for line in data.split("\n"):
if "Allow" in line:
interesting.add(line.strip())
if len(interesting) > 0:
create_tree(full_url, list(interesting))
else:
to_display = prompt(
"nothing interesting found in robots.txt would you like to display the entire page",
opts="yN")
if to_display.lower().startswith("y"):
print("{}\n{}\n{}".format(data_sep, data, data_sep))
logger.info(set_color("robots.txt page will be saved into a file..."))
write_to_log_file(data, ROBOTS_PAGE_PATH, "robots-{}.log".format(url))
def main_xss(start_url, verbose=False, proxy=None, agent=None, tamper=None):
"""
main attack method to be called
"""
if tamper:
logger.info(set_color(
"tampering payloads with '{}'...".format(tamper)))
find_xss_script(start_url)
logger.info(set_color("loading payloads..."))
payloads = __load_payloads()
if verbose:
logger.debug(
set_color("a total of {} payloads loaded...".format(len(payloads)),
level=10))
logger.info(
set_color(
"payloads will be written to a temporary file and read from there..."
))
filename = create_urls(start_url, payloads, tamper=tamper)
logger.info(
set_color("loaded URL's have been saved to '{}'...".format(filename)))
logger.info(
set_color("testing for XSS vulnerabilities on host '{}'...".format(
start_url)))
if proxy is not None:
logger.info(set_color("using proxy '{}'...".format(proxy)))
success = set()
with open(filename) as urls:
for i, url in enumerate(urls.readlines(), start=1):
url = url.strip()
result = scan_xss(url, proxy=proxy, agent=agent)
payload = find_xss_script(url)
if verbose:
logger.info(set_color(
"trying payload '{}'...".format(payload)))
if result[0] != "sqli" and result[0] is True:
success.add(url)
if verbose:
logger.debug(
set_color(
"payload '{}' appears to be usable...".format(
payload),
level=10))
elif result[0] is "sqli":
if i <= 1:
logger.error(
set_color(
"loaded URL '{}' threw a DBMS error and appears to be injectable, test for SQL injection, "
"backend DBMS appears to be '{}'...".format(
url, result[1]),
level=40))
else:
if verbose:
logger.error(
set_color("SQL error discovered...", level=40))
else:
if verbose:
logger.debug(
set_color(
"host '{}' does not appear to be vulnerable to XSS attacks with payload '{}'..."
.format(start_url, payload),
level=10))
if len(success) != 0:
logger.info(set_color("possible XSS scripts to be used:"))
create_tree(start_url, list(success))
else:
logger.error(
set_color(
"host '{}' does not appear to be vulnerable to XSS attacks...".
format(start_url)))
save = prompt("would you like to keep the URL's saved for further testing",
opts="yN")
if save.lower().startswith("n"):
os.remove(filename)
def check_for_admin_page(url, exts, protocol="http://", **kwargs):
verbose = kwargs.get("verbose", False)
show_possibles = kwargs.get("show_possibles", False)
possible_connections, connections = set(), set()
stripped_url = replace_http(str(url).strip())
for ext in exts:
ext = ext.strip()
true_url = "{}{}{}".format(protocol, stripped_url, ext)
if verbose:
logger.debug(set_color("trying '{}'...".format(true_url),
level=10))
try:
urlopen(true_url, timeout=5)
logger.info(
set_color(
"connected successfully to '{}'...".format(true_url)))
connections.add(true_url)
except HTTPError as e:
data = str(e).split(" ")
if verbose:
if "Access Denied" in str(e):
logger.warning(
set_color(
"got access denied, possible control panel found without external access on '{}'..."
.format(true_url),
level=30))
possible_connections.add(true_url)
else:
logger.error(
set_color(
"failed to connect got error code {}...".format(
data[2]),
level=40))
except Exception as e:
if verbose:
if "<urlopen error timed out>" or "timeout: timed out" in str(
e):
logger.warning(
set_color(
"connection timed out after five seconds "
"assuming won't connect and skipping...",
level=30))
else:
logger.exception(
set_color(
"failed to connect with unexpected error '{}'...".
format(str(e)),
level=50))
request_issue_creation()
possible_connections, connections = list(possible_connections), list(
connections)
data_msg = "found {} possible connections(s) and {} successful connection(s)..."
logger.info(
set_color(data_msg.format(len(possible_connections),
len(connections))))
if len(connections) != 0:
logger.info(set_color("creating connection tree..."))
create_tree(url, connections)
else:
logger.fatal(
set_color(
"did not receive any successful connections to the admin page of "
"{}...".format(url),
level=50))
if show_possibles:
if len(possible_connections) != 0:
logger.info(set_color("creating possible connection tree..."))
create_tree(url, possible_connections)
else:
logger.fatal(
set_color(
"did not find any possible connections to {}'s "
"admin page",
level=50))