def run(self, callback):
self.moduleName = "WFuzzModule"
# Callback access
self.callback = callback
for weburl in self.params:
# Check if ssl or not
if (self.checkSSL(weburl.host, weburl.port)):
hcCodes = [
self.detectErrorCode(weburl.host, weburl.port, True)
] # List for future manual setting
for r in wfuzz.fuzz(url="https://{}:{}{}/FUZZ".format(
weburl.host, weburl.port, weburl.path),
hc=hcCodes,
rleve=5,
payloads=[("file",
dict(fn="wordlists/common.txt"))
]):
# Mount response Object
newPath = "{}/{}".format(weburl.path, r.url.split("/")[-1])
extension = None
if ("." in newPath):
extension = newPath.split(".")[-1]
self.callback.update([
WebURL(weburl.serviceId, weburl.host, weburl.port,
newPath, extension, r.words, r.chars, r.code)
])
else:
hcCodes = [
self.detectErrorCode(weburl.host, weburl.port, False)
] # List for future manual setting
for r in wfuzz.fuzz(url="http://{}:{}{}/FUZZ".format(
weburl.host, weburl.port, weburl.path),
hc=hcCodes,
rleve=5,
payloads=[("file",
dict(fn="wordlists/common.txt"))
]):
# Mount response Object
newPath = "{}/{}".format(weburl.path, r.url.split("/")[-1])
extension = None
if ("." in newPath):
extension = newPath.split(".")[-1]
self.callback.update([
WebURL(weburl.serviceId, weburl.host, weburl.port,
newPath, extension, r.words, r.chars, r.code)
]) # End JOB
self.callback.finish(list())
def handler(event, context):
if "body" in event and event["body"]:
params = json.loads(event["body"])
else:
params = event
try:
fuzz_url = f"{params['wfuzz_url']}/FUZZ"
print(fuzz_url)
except KeyError:
return {
"body": json.dumps({"message": "wfuzz_url is not provided"}),
"headers": {"Content-Type": "application/json"},
"statusCode": 401,
}
try:
results = {}
for r in wfuzz.fuzz(url=fuzz_url, hc=[200], payloads=[("file",dict(fn="tests/payload.txt"))]):
if r.code == 200 or r.code == 301:
results[r.description] = [r.url,r.code]
return {
"body": {"message": results},
"headers": {"Content-Type": "application/json"},
"statusCode": 200,
}
except Exception as e:
message = e.message if hasattr(e,'message') else e
return {
"body": {"message": message},
"headers": {"Content-Type": "application/json"},
"statusCode": 200,
}
def do_search(self):
print "elo"
try:
for r in wfuzz.fuzz(url="https://"+self.host+"/FUZZ", hc=[404], payloads=[("file",dict(fn="wordlists/general/common.txt"))]):
print r
self.results += r
except Exception, e:
print e
def host_inspection(host, power):
# light, fast, normal, thorough are power choices
fuzzable_url = str(os.path.join(str(host), 'FUZZ'))
power = int(power)
print('trying to fuzz: {}'.format(fuzzable_url))
if power == 1:
filename = 'wl/light.txt'
elif power == 2:
filename = 'wl/fast.txt'
elif power == 3:
filename = 'wl/normal.txt'
elif power == 4:
filename = 'wl/thorough.txt'
else:
error = 'Incorrect power provided.'
return error
host_data = []
try:
url_placeholder = []
for r in wfuzz.fuzz(url=fuzzable_url,
follow=True,
hc=[404],
payloads=[('file', dict(fn=filename))]):
# Basic checking for redirects such as ones on login forms
if r.url in url_placeholder:
continue
url_placeholder.append(r.url)
a = [r.code, r.url]
host_data.append(a)
except Exception as e:
error = str(e)
return error
# Check to see if the results are somewhat valid by seeing if the first n results match the first n from the wordlist, otherwise return something else
n = 0
host_count = len(host_data)
sample_count = round(host_count / 5)
host_samples = host_data[:sample_count]
with open(filename) as file:
challenge_lines = file.readlines()[0:sample_count]
for i in range(0, sample_count - 1):
challenge = re.compile('/' + str(challenge_lines[i].strip('\n')) + '$')
for host in host_samples:
if challenge.findall(host[1]):
n += 1
print('total matches: {}'.format(str(n)))
print('total match percent: {}/{}'.format(n, sample_count))
if n > sample_count / 2:
# if more than half the results are trash we are assuming that it has a 404 redirect
error = 'Match sample count failed check.'
return error
return host_data
def do_search(self):
print('elo')
try:
for r in wfuzz.fuzz(url='https://'+self.host+'/FUZZ', hc=[404], payloads=[('file', dict(fn='wordlists/general/common.txt'))]):
print(r)
self.results += r
except Exception as e:
print(e)
self.totalresults += self.results
def do_search(self):
print('elo')
try:
for r in wfuzz.fuzz(url="https://" + self.host + "/FUZZ",
hc=[404],
payloads=[("file",
dict(fn=self.wordlists_dir +
"/general/common.txt"))]):
print(r)
self.results += r
except Exception as e:
print(e)
self.totalresults += self.results
def do_search(self):
print('elo')
try:
for r in wfuzz.fuzz(url=f'https://{self.host}/FUZZ',
hc=[404],
payloads=[
('file',
dict(fn='wordlists/general/common.txt'))
]):
print(r)
self.results += r
except Exception as e:
print(e)
self.totalresults += self.results
def attack_url(url):
"""
Gets an url
"""
# pattern = r"FUZZ"
print(f"\tUnknown Content discovery: {url}")
LOG.write(f"\tUnknown Content discovery: {url}\n")
i = 0
for r in wfuzz.fuzz(hc=[404], url=f"{url}", payloads=[("file", dict(fn="wordlist/general/common.txt"))]):
LOG.write(str(r) + "\n")
i += 1
# if i < 20:
print(r)
# url = re.sub(pattern, r.description, url)
return i
def getLinks(self):
"""Grab all links from web server homepage i.e. http://IP:PORT/ and look for .htb domain names.
If a .htb domain is found, add the hostname to the /etc/hosts file and then proceed to fuzz the hostname
for virtual hostname routing using wfuzz. If a valid sub-hostname is found, add the domain to the /etc/hosts file as
well using python_hosts library merge_names parameter.(Thanks for adding this feature! @jonhadfield)"""
def cmdline(command):
process = Popen(args=command, stdout=PIPE, shell=True)
return process.communicate()[0]
np = nmapParser.NmapParserFunk(self.target)
np.openPorts()
http_ports = np.http_ports
cmd_info = "[" + fg.li_green + "+" + fg.rs + "]"
cmd_info_orange = "[" + fg.li_yellow + "+" + fg.rs + "]"
c = config_parser.CommandParser(
f"{os.path.expanduser('~')}/.config/autorecon/config.yaml",
self.target)
if len(http_ports) != 0:
if not os.path.exists(c.getPath("web", "webDir")):
os.makedirs(c.getPath("web", "webDir"))
for hp in http_ports:
try:
url = f"""http://{self.target}:{hp}"""
wfuzzReport = c.getPath("web", "wfuzzReport", port=hp)
page = requests.get(url, verify=False, timeout=(5, 30))
data = page.text
soup = BeautifulSoup(data, "html.parser")
# links = []
htb = [".htb"]
source_domain_name = []
for link in soup.find_all(text=lambda x: ".htb" in x):
matches = re.findall(
r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3}",
link)
for x in matches:
if any(s in x for s in htb):
source_domain_name.append(x)
for link in soup.find_all('img'):
src_matches = link.get('src')
matches = re.findall(
r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3}",
src_matches)
for x in matches:
if any(s in x for s in htb):
source_domain_name.append(x)
except requests.exceptions.ConnectionError as ce_error:
print("Connection Error: ", ce_error)
continue
except requests.exceptions.Timeout as t_error:
print("Connection Timeout Error: ", t_error)
continue
except requests.exceptions.RequestException as req_err:
print("Some Ambiguous Exception:", req_err)
continue
if source_domain_name and self.hostnames:
all_hostnames = list(
set(source_domain_name).union(set(self.hostnames)))
if source_domain_name and not self.hostnames:
all_hostnames = source_domain_name
if self.hostnames and not source_domain_name:
all_hostnames = self.hostnames
if all_hostnames:
vhostnames = [
i.lower() for i in sorted(set(all_hostnames))
]
vhost_log = open(c.getPath("web", "vhostnames"), "a+")
for vh in vhostnames:
vhost_log.write(vh)
vhost_log.close()
print(
f"""{cmd_info_orange} {fg.li_magenta}Found{fg.rs} {fg.cyan}{vhostnames}{fg.rs} in {fg.li_red}The Source!{fg.rs} http://{self.target}:{hp}"""
)
print(
f"""{cmd_info} {fg.li_magenta}Adding{fg.rs} {fg.li_cyan} {vhostnames}{fg.rs} to /etc/hosts file"""
)
hosts = Hosts(path="/etc/hosts")
new_entry = HostsEntry(entry_type="ipv4",
address=self.target,
names=vhostnames)
hosts.add([new_entry], merge_names=True)
hosts.write()
base_domain_name = []
for d in vhostnames:
self.htb_source_domains.append(d)
if d.count('.') == 1:
base_domain_name.append(d)
try:
import wfuzz
from tqdm import tqdm
tk5 = c.getPath("wordlists", "top5Ksubs")
print(
f"""{cmd_info} wfuzz -z file,{tk5} -u {base_domain_name[0]}:{hp} -H 'Host: FUZZ.{base_domain_name[0]}:{hp}'"""
)
print(
f"{fg.li_yellow}Wfuzz's STDOUT is Hidden to prevent filling up Terminal. Desired Response Codes are unpredictable during initial fuzz session. {fg.rs} STDOUT will be written to {fg.li_magenta}{wfuzzReport}{fg.rs}"
)
str_domain = f"""{base_domain_name[0]}:{hp}"""
fuzz_domain = f"""FUZZ.{base_domain_name[0]}:{hp}"""
wordlist_lines = 4997
with tqdm(total=wordlist_lines) as pbar:
for r in wfuzz.fuzz(
url=str_domain,
hc=[404, 400],
payloads=[("file", dict(fn=tk5))],
headers=[("Host", fuzz_domain)],
printer=(wfuzzReport, "raw"),
):
# print(r)
pbar.update()
pbar.set_description_str(
desc=f"{fg.li_yellow}wfuzz{fg.rs}")
# pass
except Exception as e:
print(e)
if os.path.exists(wfuzzReport):
awk_print = "awk '{print $6}'"
check_occurances = f"""sed -n -e 's/^.*C=//p' {wfuzzReport} | grep -v "Warning:" | {awk_print} | sort | uniq -c"""
response_num = [
i.strip() for i in cmdline(
check_occurances).decode("utf-8").split("\n")
]
res_filt = [
i.split() for i in sorted(set(response_num))
]
filt2arr = [
c for c in res_filt
if len(c) != 0 and int(c[0]) < 5
]
status_code = []
if len(filt2arr) != 0 and (len(filt2arr) < 5):
# print(filt2arr)
for htprc in filt2arr:
status_code.append(htprc[1])
if len(status_code) != 0 and len(status_code) <= 5:
for _ in status_code:
# print(status_code)
awk_print = "awk '{print $9}'"
get_domain_cmd = f"""grep '{_} Ch' {wfuzzReport} | {awk_print}"""
get_domains = (check_output(
get_domain_cmd, shell=True,
stderr=STDOUT).rstrip().decode(
"utf-8").replace('"', ""))
subdomains = []
if get_domains is not None:
subdomains.append(get_domains)
sub_d = "{}.{}".format(
subdomains[0], base_domain_name[0])
print(
f"""{cmd_info_orange}{fg.li_blue} Found Subdomain!{fg.rs} {fg.li_green}{sub_d}{fg.rs}"""
)
print(
f"""{cmd_info}{fg.li_magenta} Adding{fg.rs} {fg.li_cyan}{sub_d}{fg.rs} to /etc/hosts file"""
)
hosts = Hosts(path="/etc/hosts")
new_entry = HostsEntry(
entry_type="ipv4",
address=self.target,
names=[sub_d],
)
hosts.add([new_entry], merge_names=True)
hosts.write()
self.htb_source_domains.append(sub_d)