  • ■ ■ ■ ■ ■ ■
    README.md
    skipped 89 lines
    90 90  ## mass-smtp-user-enum-check.sh
    91 91  Tests if SMTP user enumeration is possible on a given list of IP address using [smtp-user-enum](https://github.com/pentestmonkey/smtp-user-enum).
    92 92   
    93  -## mput.py
    94  -Test PUT method issue on a given list of hosts.
     93 +## myutils.sh
     94 +Just few common Bash functions.
    95 95   
    96 96  ## node-uuid.js
    97 97  Encode/Decode UUID using base36.
    skipped 7 lines
    105 105  ## pass-permut.php
    106 106  Creates words permutation with different separators and output the hashes using about 40 algorithms.
    107 107   
     108 +## pastebin.php
     109 +Performs a string search on [pastebin.com](https://pastebin.com/).
    108 110   
    109  - 
    110  - 
     111 +## phantom-xss.js
     112 +See `xss.py`.
    111 113   
    112 114  ## ping-sweep-nc.sh
    113  -A script that try to determine what IP are alive in a given range of IP address using Netcat.
    114  - 
     115 +Determines what IPs are alive in a given range of IPs addresses using `netcat`.
    115 116   
    116 117  ## ping-sweep-nmap.sh
    117  -A script that try to determine what IP are alive in a given range of IP address using Nmap.
    118  - 
     118 +Determines what IPs are alive in a given range of IPs addresses using `nmap`.
    119 119   
    120 120  ## ping-sweep-ping.sh
    121  -A script that try to determine what IP are alive in a given range of IP address using Ping.
    122  - 
     121 +Determines what IPs are alive in a given range of IPs addresses using `ping`.
    123 122   
    124 123  ## portscan-nc.sh
    125  -A script that try to determine the open ports of a given IP address using Netcat.
     124 +Determines the open ports of a given IP address using `netcat`.
    126 125   
    127  - 
    128  -## screensite.sh
    129  -A script that take a screenshot of a given url+port using Xvfb.
    130  - 
    131  - 
    132  -## srv_reco.sh
    133  -A script that perform a very small test of a given IP address.
    134  - 
    135  - 
    136  -## ssh-timing-b4-pass.sh
    137  -???
     126 +## quick-hits.php
     127 +Tests a given list of path on a given list of hosts.
    138 128   
    139  - 
    140  -## ssrf-generate-ip.php
    141  -A script that generate random IP address inside private network range.
     129 +## quickhits.py
     130 +Same but but Python way. Tests a given list of path on a given list of hosts.
    142 131   
     132 +## rce.py
     133 +Test RCE issue on a given list of hosts.
    143 134   
    144  -## subdomains_finder.sh
    145  -A script that find subdomains using other well known programs ([TheHarvester](https://github.com/laramies/theHarvester), [DNSrecon](https://github.com/darkoperator/dnsrecon)...)
     135 +## resolve.py
     136 +Resolves a give list of hosts to check which ones are alive and which ones are dead.
    146 137   
     138 +## screensite.sh
     139 +Takes screenshots of a given url+port using `xvfb`.
    147 140   
    148  -## subthreat.php
    149  -A script that grab subdomains of a given domain from https://www.threatcrowd.org
     141 +## shodan.php
     142 +Performs searches on Shodan using their API.
    150 143   
     144 +## smuggler.py
     145 +Test HTTP request smuggling issue on a given list of hosts.
    151 146   
    152  -## testhttp.php
    153  -A script that test if an url (subdomain+port) is a web thing.
     147 +## srv_reco.sh
     148 +Perform very small tests of a given IP address.
    154 149   
     150 +## ssh-timing-b4-pass.sh
     151 +Tries to guess SSH users using timing attack.
    155 152   
    156  -## testhttp2.php
    157  -Same same but different.
     153 +## ssrf-generate-ip.php
     154 +Generate random IP address:port inside private network range for SSRF scans.
    158 155   
     156 +## subalt.py
     157 +Generates subdomains alterations and permutations.
    159 158   
    160 159  ## test-ip-wordlist.sh
    161  -???
     160 +Brute force a wordlist on IPs range and ports list.
    162 161   
     162 +## testhttp.php
     163 +Tries to determine if an url (subdomain+port) is a web thing.
    163 164   
    164 165  ## testnc.sh
    165  -A script that fuzz a given IP address with Netcat.
    166  - 
    167  - 
    168  -## wayback-analyzer.php
    169  -A script that try to nicely display [waybackurls.py](https://gist.github.com/mhmdiaa/adf6bff70142e5091792841d4b372050) output.
     166 +Performs fuzzing on a given IP address+port using `netcat`.
    170 167   
     168 +## Utils.php
     169 +Just few common PHP functions.
    171 170   
    172 171  ## webdav-bruteforce.sh
    173  -A script that perform brute force on a given url that use WebDav using [Davtest](https://github.com/cldrn/davtest)
     172 +Perform brute force on a given url that use `WebDav` using [Davtest](https://github.com/cldrn/davtest).
     173 + 
     174 +## xss.py
     175 +Test XSS issue on a given list of hosts using `phantomjs`.
    174 176   
  • ■ ■ ■ ■ ■ ■
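--- a/Utils.php
+++ b/Utils.php
@@ -1,11 +1,5 @@
 <?php
 
-/**
- * I don't believe in license
- * You can do want you want with this program
- * - gwen -
- */
-
 class Utils
 {
  const TMP_DIR = '/tmp/';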
  • codeshare.php | 100644 /~icons-ver-BEF942F0F42935333EFA072090F4E956.svg#arrow3 100755
    Content is identical
  • ■ ■ ■ ■ ■ ■
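--- a/lfi.py
+++ b/lfi.py
@@ -1,8 +1,5 @@
 #!/usr/bin/python3
 
-# I don't believe in license.
-# You can do whatever you want with this program.
-
 import os
 import sys
 import re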
  • ■ ■ ■ ■ ■ ■
    mput.py
    1  -#!/usr/bin/python3
    2  - 
    3  -# I don't believe in license.
    4  -# You can do whatever you want with this program.
    5  - 
    6  -import os
    7  -import sys
    8  -import re
    9  -import time
    10  -import copy
    11  -import random
    12  -import argparse
    13  -import requests
    14  -import urllib.parse
    15  -from functools import partial
    16  -from threading import Thread
    17  -from queue import Queue
    18  -from multiprocessing.dummy import Pool
    19  -from colored import fg, bg, attr
    20  - 
    21  -MAX_EXCEPTION = 100
    22  -MAX_VULNERABLE = 100
    23  - 
    24  -# disable "InsecureRequestWarning: Unverified HTTPS request is being made."
    25  -from requests.packages.urllib3.exceptions import InsecureRequestWarning
    26  -requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    27  - 
    28  -t_history = []
    29  - 
    30  -def banner():
    31  - print("""
    32  - _
    33  - _ __ ___ _ __ _ _ | |_ _ __ _ _
    34  - | '_ ` _ \ | '_ \ | | | | | __| | '_ \ | | | |
    35  - | | | | | | | |_) | | |_| | | |_ _ | |_) | | |_| |
    36  - |_| |_| |_| | .__/ \__,_| \__| (_) | .__/ \__, |
    37  - |_| |_| |___/
    38  - 
    39  - by @gwendallecoguic
    40  - 
    41  -""")
    42  - pass
    43  - 
    44  - 
    45  -def rebuiltQuery( t_params ):
    46  - query = ''
    47  - for pname,t_values in t_params.items():
    48  - for k in range(len(t_values)):
    49  - query = query + pname+'='+t_values[k] + '&'
    50  - return query.strip('&')
    51  - 
    52  - 
    53  -def _parse_qs( query ):
    54  - t_params = {}
    55  - tmptab = query.split('&')
    56  - 
    57  - for param in tmptab:
    58  - t_param = param.split('=')
    59  - pname = t_param[0]
    60  - if not pname in t_params:
    61  - t_params[pname] = []
    62  - pvalue = '' if len(t_param) < 2 else t_param[1]
    63  - t_params[pname].append( pvalue )
    64  - 
    65  - return t_params
    66  - 
    67  - 
    68  -def testPath( t_urlparse ):
    69  - path = ''
    70  - t_path = ['/'] + t_urlparse.path.split('/')
    71  - # print(t_urlparse)
    72  - # print(t_path)
    73  - # return
    74  - for dir in t_path:
    75  - # print("> "+dir)
    76  - if len(dir):
    77  - # print(dir)
    78  - if not dir == '/':
    79  - path = path + dir + '/'
    80  - else:
    81  - path = path + dir
    82  - # else:
    83  - # path = path.replace('//','/')
    84  - 
    85  - if '.' in dir and dir == t_path[len(t_path)-1]:
    86  - path = path.rstrip('/')
    87  - 
    88  - new_value = path
    89  - # new_value = path + '/'
    90  - # new_value = new_value.replace('//','/')
    91  - t_urlparse = t_urlparse._replace(path=new_value)
    92  - url = urllib.parse.urlunparse(t_urlparse)
    93  - doTest( url )
    94  - 
    95  - 
    96  -def testPayload( url, tmp ):
    97  - # print(url)
    98  - t_urlparse = urllib.parse.urlparse( url )
    99  - 
    100  - testPath( t_urlparse )
    101  - 
    102  - 
    103  -def testURL( url ):
    104  - time.sleep( 0.01 )
    105  - t_multiproc['n_current'] = t_multiproc['n_current'] + 1
    106  - 
    107  - if _verbose <= 1:
    108  - sys.stdout.write( 'progress: %d/%d\r' % (t_multiproc['n_current'],t_multiproc['n_total']) )
    109  - # t_multiproc['n_current'] = t_multiproc['n_current'] + 1
    110  - 
    111  - # testPayload(url,0)
    112  - pool = Pool( 1 )
    113  - pool.map( partial(testPayload,url), 'dummy' )
    114  - pool.close()
    115  - pool.join()
    116  - 
    117  - 
    118  -def doTest( url, method='GET', post_params='' ):
    119  - 
    120  - # with open('generated_urls', 'a+') as fp:
    121  - # fp.write(url+"\n")
    122  - # return
    123  - 
    124  - # t_realdotest.append( [url,method,post_params] )
    125  - realDoTest( [url,method,post_params] );
    126  - return
    127  - 
    128  - 
    129  -def realDoTest( t_params ):
    130  - 
    131  - vuln = '-'
    132  - status_code = 0
    133  - content_type = '-'
    134  - method_found = []
    135  - url = t_params[0]
    136  - # print(url)
    137  - method = t_params[1]
    138  - post_params = t_params[2]
    139  - 
    140  - if url in t_history:
    141  - return
    142  - 
    143  - t_history.append(url)
    144  - 
    145  - if _verbose <= 1:
    146  - sys.stdout.write( 'progress: %d/%d\r' % (t_multiproc['n_current'],t_multiproc['n_total']) )
    147  - # t_multiproc['n_current'] = t_multiproc['n_current'] + 1
    148  - 
    149  - t_urlparse = urllib.parse.urlparse(url)
    150  - u = t_urlparse.scheme + '_' + t_urlparse.netloc
    151  - 
    152  - # if not u in t_exceptions:
    153  - # t_exceptions[u] = 0
    154  - # if t_exceptions[u] >= MAX_EXCEPTION:
    155  - # if _verbose >= 3 and _verbose < 4:
    156  - # print("skip too many exceptions %s" % t_urlparse.netloc)
    157  - # return
    158  - 
    159  - # if not u in t_vulnerable:
    160  - # t_vulnerable[u] = 0
    161  - # if t_vulnerable[u] >= MAX_VULNERABLE:
    162  - # if _verbose >= 3 and _verbose < 4:
    163  - # print("skip already vulnerable %s" % t_urlparse.netloc)
    164  - # return
    165  - 
    166  - try:
    167  - r = requests.request( 'OPTIONS', url, data=post_params, headers=t_custom_headers, timeout=5, verify=False )
    168  - except Exception as e:
    169  - # t_exceptions[u] = t_exceptions[u] + 1
    170  - if _verbose >= 3 and _verbose < 4:
    171  - sys.stdout.write( "%s[-] error occurred: %s%s\n" % (fg('red'),e,attr(0)) )
    172  - return
    173  - 
    174  - status_code = r.status_code
    175  - 
    176  - # print(r.headers)
    177  - if 'Content-Type' in r.headers:
    178  - content_type = r.headers['Content-Type']
    179  - 
    180  - if 'Allow' in r.headers and 'PUT' in r.headers['Allow']:
    181  - r_fail = False
    182  - method_found.append('PUT')
    183  - post_params = 'test=test'
    184  - try:
    185  - r_put = requests.request( 'PUT', url, data=post_params, headers=t_custom_headers, timeout=5, verify=False )
    186  - except Exception as e:
    187  - # t_exceptions[u] = t_exceptions[u] + 1
    188  - r_fail = True
    189  - if _verbose >= 3 and _verbose < 4:
    190  - sys.stdout.write( "%s[-] error occurred: %s%s\n" % (fg('red'),e,attr(0)) )
    191  - 
    192  - if not r_fail:
    193  - # print(r_put.headers)
    194  - # print(r_put.status_code)
    195  - status_code = r_put.status_code
    196  - 
    197  - if 'Content-Type' in r_put.headers:
    198  - content_type = r_put.headers['Content-Type']
    199  - else:
    200  - content_type = '-'
    201  - 
    202  - if r_put.status_code >= 200 and r_put.status_code < 300:
    203  - vuln = 'VULNERABLE'
    204  - 
    205  - if 'Allow' in r.headers and 'DELETE' in r.headers['Allow']:
    206  - method_found.append('DELETE')
    207  - 
    208  - output = '%s\t\tC=%d\t\tT=%s\t\tM=%s\t\tV=%s\n' % (url,status_code,content_type,','.join(method_found),vuln)
    209  - 
    210  - fp = open( t_multiproc['f_output'], 'a+' )
    211  - fp.write( output )
    212  - fp.close()
    213  - 
    214  - if vuln == 'VULNERABLE' or (_verbose >= 2 and _verbose < 4):
    215  - if vuln == 'VULNERABLE':
    216  - sys.stdout.write( '%s%s%s' % (fg('light_red'),output,attr(0)) )
    217  - else:
    218  - if len(method_found):
    219  - sys.stdout.write( '%s%s%s' % (fg('light_yellow'),output,attr(0)) )
    220  - else:
    221  - sys.stdout.write( output )
    222  - 
    223  - 
    224  -parser = argparse.ArgumentParser()
    225  -parser.add_argument( "-a","--path",help="set paths list" )
    226  -parser.add_argument( "-d","--header",help="custom headers, example: cookie1=value1;cookie2=value2...", action="append" )
    227  -parser.add_argument( "-o","--hosts",help="set host list (required or -u)" )
    228  -# parser.add_argument( "-r","--redirect",help="follow redirection" )
    229  -parser.add_argument( "-s","--scheme",help="scheme to use, default=http,https" )
    230  -parser.add_argument( "-t","--threads",help="threads, default 10" )
    231  -parser.add_argument( "-u","--urls",help="set url list (required or -o)" )
    232  -parser.add_argument( "-v","--verbose",help="display output, 0=nothing, 1=only vulnerable, 2=all requests, 3=full debug, 4=only vulnerable,no extra text like banner, default: 1" )
    233  -parser.parse_args()
    234  -args = parser.parse_args()
    235  - 
    236  -if args.verbose:
    237  - _verbose = int(args.verbose)
    238  -else:
    239  - _verbose = 1
    240  - 
    241  -if _verbose < 4:
    242  - banner()
    243  - 
    244  -if args.scheme:
    245  - t_scheme = args.scheme.split(',')
    246  -else:
    247  - t_scheme = ['http','https']
    248  - 
    249  -t_custom_headers = {}
    250  -if args.header:
    251  - for header in args.header:
    252  - if ':' in header:
    253  - tmp = header.split(':')
    254  - t_custom_headers[ tmp[0].strip() ] = tmp[1].strip()
    255  - 
    256  -t_hosts = []
    257  -if args.hosts:
    258  - if os.path.isfile(args.hosts):
    259  - fp = open( args.hosts, 'r' )
    260  - t_hosts = fp.read().strip().split("\n")
    261  - fp.close()
    262  - else:
    263  - t_hosts.append( args.hosts )
    264  -n_hosts = len(t_hosts)
    265  -if _verbose < 4:
    266  - sys.stdout.write( '%s[+] %d hosts found: %s%s\n' % (fg('green'),n_hosts,args.hosts,attr(0)) )
    267  - 
    268  -t_urls = []
    269  -if args.urls:
    270  - if os.path.isfile(args.urls):
    271  - fp = open( args.urls, 'r' )
    272  - t_urls = fp.read().strip().split("\n")
    273  - fp.close()
    274  - else:
    275  - t_urls.append( args.urls )
    276  -else:
    277  - while True:
    278  - try:
    279  - url = input()
    280  - except EOFError:
    281  - break
    282  - else:
    283  - t_urls.append( url )
    284  - 
    285  -n_urls = len(t_urls)
    286  -if _verbose < 4:
    287  - sys.stdout.write( '%s[+] %d urls found: %s%s\n' % (fg('green'),n_urls,args.urls,attr(0)) )
    288  - 
    289  -if n_hosts == 0 and n_urls == 0:
    290  - parser.error( 'hosts/urls list missing' )
    291  - 
    292  -t_path = [ '' ]
    293  -if args.path:
    294  - if os.path.isfile(args.path):
    295  - fp = open( args.path, 'r' )
    296  - t_path = fp.read().strip().split("\n")
    297  - fp.close()
    298  - else:
    299  - t_path.append( args.path )
    300  -n_path = len(t_path)
    301  -if _verbose < 4:
    302  - sys.stdout.write( '%s[+] %d path found: %s%s\n' % (fg('green'),n_path,args.path,attr(0)) )
    303  - 
    304  -if args.threads:
    305  - _threads = int(args.threads)
    306  -else:
    307  - _threads = 10
    308  - 
    309  -t_totest = []
    310  -u_max_length = 0
    311  -d_output = os.getcwd()+'/mput'
    312  -f_output = d_output + '/' + 'output'
    313  -if not os.path.isdir(d_output):
    314  - try:
    315  - os.makedirs( d_output )
    316  - except Exception as e:
    317  - sys.stdout.write( "%s[-] error occurred: %s%s\n" % (fg('red'),e,attr(0)) )
    318  - exit()
    319  - 
    320  -if _verbose < 4:
    321  - sys.stdout.write( '%s[+] options are -> threads:%d, verbose:%d%s\n' % (fg('green'),_threads,_verbose,attr(0)) )
    322  - 
    323  -for scheme in t_scheme:
    324  - for host in t_hosts:
    325  - for path in t_path:
    326  - u = scheme + '://' + host.strip() + path
    327  - t_totest.append( u )
    328  - l = len(u)
    329  - if l > u_max_length:
    330  - u_max_length = l
    331  - 
    332  -for url in t_urls:
    333  - for path in t_path:
    334  - u = url.strip() + path
    335  - t_totest.append( u )
    336  - l = len(u)
    337  - if l > u_max_length:
    338  - u_max_length = l
    339  - 
    340  -n_totest = len(t_totest)
    341  - 
    342  -# random.shuffle(t_totest)
    343  -# print("\n".join(t_totest))
    344  -# exit()
    345  - 
    346  -t_realdotest = []
    347  -t_exceptions = {}
    348  -t_vulnerable = {}
    349  -t_multiproc = {
    350  - 'n_current': 0,
    351  - 'n_total': n_totest,
    352  - 'u_max_length': u_max_length+5,
    353  - 'd_output': d_output,
    354  - 'f_output': f_output,
    355  -}
    356  - 
    357  -def doWork():
    358  - while True:
    359  - url = q.get()
    360  - testURL( url )
    361  - q.task_done()
    362  - 
    363  -q = Queue( _threads*2 )
    364  - 
    365  -for i in range(_threads):
    366  - t = Thread( target=doWork )
    367  - t.daemon = True
    368  - t.start()
    369  - 
    370  -try:
    371  - for url in t_totest:
    372  - q.put( url )
    373  - q.join()
    374  -except KeyboardInterrupt:
    375  - sys.exit(1)
    376  - 
    377  - 
  • ■ ■ ■ ■ ■ ■
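--- a/openredirect.py
+++ b/openredirect.py
@@ -1,8 +1,5 @@
 #!/usr/bin/python3
 
-# I don't believe in license.
-# You can do whatever you want with this program.
-
 import os
 import sys
 import re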
  • ■ ■ ■ ■ ■ ■
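--- a/pastebin.php
+++ b/pastebin.php
@@ -191,11 +191,11 @@
 
 
 function usage( $err=null ) {
- echo "Usage: php pastebin.php -h <host> -f <file list> [OPTIONS]\n\n";
+ echo "Usage: php pastebin.php -h <host> [OPTIONS]\n\n";
  echo "Options:\n";
  echo "\t-s\tstring to search\n";
  echo "\t-t\tthreads, default 10\n";
- echo "\nRecommended: php pastebin.php -s api_key -t 50";
+ echo "\nRecommended: php pastebin.php -s 'tesla.com' -t 50";
  echo "\n";
  if( $err ) {
  echo 'Error: '.$err."!\n";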
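Review bot: The new Usage line (194) still advertises `-h <host>` while the Options list directly below documents only `-s` and `-t`, so the help text contradicts itself; if the host argument was dropped together with `-f`, the line should read `echo "Usage: php pastebin.php -s <string> [OPTIONS]\n\n";`, otherwise a `\t-h\t...` entry belongs in the list. The "Recommended" example on line 198 names a real third party's domain; a reserved name such as `example.com` keeps the sample from pointing readers at someone else's assets. `usage()` continues past the end of the hunk.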
  • ■ ■ ■ ■ ■ ■
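--- a/ping-sweep-nc.sh
+++ b/ping-sweep-nc.sh
@@ -23,8 +23,9 @@
 fi
 
 for i in $(seq $start $end); do
- nc -n -v -z -w 1 $ip"."$i $port 2>&1 |grep open
+ # for linux
+ nc -n -v -z -w 1 $ip"."$i $port 2>&1 | egrep "open|succeeded"
+ # for macos
+ # nc -n -v -z -w 1 -G 1 $ip"."$i $port 2>&1 | egrep "open|succeeded"
 done
 
-exit
-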
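Review bot: The filter on new line 27 uses `egrep`, which recent GNU grep reports as obsolescent on stderr each time it runs, so this loop can print one warning per address scanned; `grep -E "open|succeeded"` is the portable spelling and behaves the same on macOS. The address and port are also expanded unquoted (`$ip"."$i $port`), so a value containing whitespace or glob characters splits into extra arguments — `"$ip.$i" "$port"` keeps each as one word. The macOS variant kept as a comment on line 29 duplicates the whole command; holding only the differing flag in a variable would stop the two lines drifting apart.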
  • ■ ■ ■ ■ ■
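--- a/ping-sweep-nmap.sh
+++ b/ping-sweep-nmap.sh
@@ -27,5 +27,4 @@
 
 echo
 echo $n" hosts are up."
-exit
 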
  • ■ ■ ■ ■ ■
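--- a/ping-sweep-ping.sh
+++ b/ping-sweep-ping.sh
@@ -18,7 +18,7 @@
 n=0
 
 for i in $(seq $start $end); do
- tmp=`ping -c 1 $ip"."$i | grep 'bytes from' | cut -d ' ' -f 4 | cut -d ':' -f1 &`
+ tmp=`ping -t 3 -c 1 $ip"."$i | grep 'bytes from' | cut -d ' ' -f 4 | cut -d ':' -f1 &`
  if [ -n "$tmp" ] ; then
  echo $tmp
  n=$[$n+1]
@@ -27,5 +27,4 @@
 
 echo
 echo $n" hosts are up."
-exit
 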
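Review bot: The `-t 3` added on line 21 does not mean the same thing on every ping: on iputils ping (Linux) `-t` sets the IP TTL, so replies from hosts more than three hops away never arrive, and the per-reply timeout there is `-W`; `-t` is a timeout only on BSD/macOS ping. If the intent is to cap the wait per host, use `-W 3` on Linux or select the flag from `uname -s`. The trailing `&` inside the backticks on the same line does not run anything in parallel — the command substitution still waits for the pipeline to close its stdout — so it can be dropped for clarity. The `for` loop's `done` lies outside the hunk.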
  • ■ ■ ■ ■ ■ ■
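--- a/portscan-nc.sh
+++ b/portscan-nc.sh
@@ -16,7 +16,10 @@
 ip=$1
 start=$2
 end=$3
+# linux
 options="-n -v -z -w 1"
+# macos
+options="-n -v -z -w 1 -G 1"
 
 if [ $# -eq 4 ] ; then
  options=$options" -u"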
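Review bot: Both `options=` assignments on new lines 20 and 22 are live, so the macOS value with `-G 1` always wins and the `# linux` line is dead code; on Linux netcat builds that do not accept `-G`, every scan then fails before connecting. Choose at runtime instead of leaving both in place: `options="-n -v -z -w 1"` followed by `[ "$(uname -s)" = Darwin ] && options="$options -G 1"`. The `-u` append on line 25 then works unchanged for both platforms.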
  • ■ ■ ■ ■ ■ ■
    puppeteer-xss.js
    1  - 
    2  -const puppeteer = require('puppeteer');
    3  -var args = process.argv.slice(2);
    4  - 
    5  -if( args.length < 2 || args.length > 5 ) {
    6  - console.log( 'Usage: node xss.js <method> <url> [<post_params>] [<cookies> <domain>]');
    7  - process.exit();
    8  -}
    9  - 
    10  -var method = Buffer.from(args[0], 'base64').toString()
    11  -var url = Buffer.from(args[1], 'base64').toString()
    12  - 
    13  -if( args.length > 3 ) {
    14  - var post = Buffer.from(args[2], 'base64').toString()
    15  -} else {
    16  - var post = '';
    17  -}
    18  - 
    19  -if( args.length >= 5 && args[3].length ) {
    20  - var cookies = Buffer.from(args[3], 'base64').toString().split(';');
    21  - var domain = Buffer.from(args[4], 'base64').toString()
    22  - var t_cookies = []
    23  -
    24  - for( var i=0 ; i<cookies.length ; i++ ) {
    25  - c = cookies[i].trim().split( '=' );
    26  - t_cookies[i] = { 'domain':domain, 'name':c[0], 'value':c[1] }
    27  - }
    28  -} else {
    29  - var t_cookies = [];
    30  - var domain = '';
    31  -}
    32  - 
    33  -// console.log(method)
    34  -// console.log(url)
    35  -// console.log(post)
    36  -// console.log(t_cookies)
    37  -// console.log(domain)
    38  - 
    39  -setTimeout( run, 0, url, method, post, t_cookies );
    40  - 
    41  -setTimeout(function() {
    42  - process.exit();
    43  -}, 5000);
    44  - 
    45  - 
    46  -function run( url, method, post, t_cookies )
    47  -{
    48  - const options = {
    49  - args: [
    50  - '--no-sandbox',
    51  - '--disable-setuid-sandbox',
    52  - '--disable-dev-shm-usage',
    53  - '--disable-accelerated-2d-canvas',
    54  - '--no-first-run',
    55  - '--no-zygote',
    56  - '--single-process', // <- this one doesn't works in Windows
    57  - '--disable-gpu'
    58  - ],
    59  - headless: true
    60  - };
    61  - 
    62  - puppeteer.launch(options).then(async browser => {
    63  - const page = await browser.newPage();
    64  - // await page.setUserAgent('Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/60.0');
    65  -
    66  - if( t_cookies.length ) {
    67  - for( i=0 ; i<t_cookies.length ; i++ ) {
    68  - await page.setCookie( t_cookies[i] );
    69  - }
    70  - }
    71  - 
    72  - if( post.length ) {
    73  - await page.setRequestInterception( true );
    74  - page.on('request', interceptedRequest => {
    75  - interceptedRequest.continue({
    76  - method: 'POST',
    77  - postData: post,
    78  - headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    79  - });
    80  - });
    81  - }
    82  - 
    83  - page.on('dialog', async dialog => {
    84  - console.log('dialog() called: '+dialog.message());
    85  - // await page.close()
    86  - // await browser.close();
    87  - process.exit();
    88  - });
    89  - 
    90  - await page.goto( url );
    91  - // debug
    92  - // console.log( await page.content() )
    93  - await page.close()
    94  - await browser.close();
    95  - process.exit();
    96  - });
    97  -}
    98  - 
  • ■ ■ ■ ■ ■ ■
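--- a/quickhits.py
+++ b/quickhits.py
@@ -1,8 +1,5 @@
 #!/usr/bin/python3
 
-# I don't believe in license.
-# You can do whatever you want with this program.
-
 import os
 import sys
 import re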
  • ■ ■ ■ ■ ■ ■
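--- a/rce.py
+++ b/rce.py
@@ -1,8 +1,5 @@
 #!/usr/bin/python3
 
-# I don't believe in license.
-# You can do whatever you want with this program.
-
 import os
 import sys
 import re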
  • ■ ■ ■ ■
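--- a/resolve.py
+++ b/resolve.py
@@ -1,8 +1,5 @@
 #!/usr/bin/python3
 
-# I don't believe in license.
-# You can do whatever you want with this program.
-
 import os
 import sys
 import socket
@@ -133,9 +130,9 @@
 # print( t_alive)
 # print( t_dead)
 sys.stdout.write( '%s[+] %d hosts alive, %d dead hosts%s\n' % (fg('green'),len(t_alive),len(t_dead),attr(0)) )
+sys.stdout.write( '%s[+] Output files hosts_alive and hosts_dead created%s\n' % (fg('green'),attr(0)) )
 
 save( _store_ip )
-
 
 exit()
 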
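Review bot: The new message on line 133 tells the user that `hosts_alive` and `hosts_dead` were created before `save( _store_ip )` on line 135 has run, so it is printed even when `save()` fails or writes somewhere else. Move it after the call — `save( _store_ip )` then `sys.stdout.write( '%s[+] Output files hosts_alive and hosts_dead created%s\n' % (fg('green'),attr(0)) )` — or emit it from inside `save()` where the real paths are known. I cannot confirm from this hunk that `save()` uses those two file names; it is defined outside the visible lines.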
  • ■ ■ ■ ■ ■ ■
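--- a/shodan.php
+++ b/shodan.php
@@ -1,18 +1,26 @@
 <?php
 
 function usage( $err=null ) {
- echo 'Usage: '.$_SERVER['argv'][0]." <search>\n";
- if( $err ) {
- echo 'Error: '.$err."\n";
- }
- exit();
+ echo 'Usage: '.$_SERVER['argv'][0]." <search> [shodan_api_key]\n";
+ if( $err ) {
+ echo 'Error: '.$err."\n";
+ }
+ exit();
 }
 
-if( $_SERVER['argc'] != 2 ) {
- usage();
+if( $_SERVER['argc']<2 || $_SERVER['argc']>3 ) {
+ usage();
 }
 
-$_api_key = 'xxxxxxxxxxxxxxxxxx';
+if( $_SERVER['argc'] == 3 ) {
+ $_api_key = trim($_SERVER['argv'][2]);
+} else {
+ $_api_key = getenv('SHODAN_KEY');
+}
+if( !$_api_key ) {
+ usage('API key nmot found');
+}
+
 $search = urlencode( $_SERVER['argv'][1] );
 $page = 1;
 $run = true;
@@ -24,9 +32,9 @@
 {
  $url = 'https://api.shodan.io/shodan/host/search?query='.$search.'&page='.$page.'&key='.$_api_key;
  echo $url."\n";
- $c = file_get_contents( $url );
+ $c = @file_get_contents( $url );
  if( !$c ) {
- exit( "Err: cannot connect to Shodan!" );
+ exit( "Err: cannot connect to Shodan, check your API key!\n" );
  }
 
  $t_json = json_decode( $c, true );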
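Review bot: The API key is still written to stdout: new line 33 builds the key into `$url` and line 34 echoes it, so moving the secret out of the source into `SHODAN_KEY` gains little when every run prints it to the terminal and into any captured log. Echo the query without the credential, e.g. `echo str_replace('&key='.$_api_key, '', $url)."\n";`. Accepting the key as `argv[2]` additionally exposes it to other local users through the process list, so the environment-variable path should be the documented one and the positional form at most a fallback. The error string on line 21 has a typo: `usage('API key not found');`.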
  • ■ ■ ■ ■ ■ ■
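--- a/smuggler.py
+++ b/smuggler.py
@@ -1,8 +1,5 @@
 #!/usr/bin/python3
 
-# I don't believe in license.
-# You can do whatever you want with this program.
-
 # Based on the awesome James Kettle research
 # https://twitter.com/albinowax
 # https://portswigger.net/web-security/request-smuggling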
  • ■ ■ ■ ■ ■ ■
    ssh-timing-b4-pass.sh
    skipped 1 lines
    2 2   
    3 3   
    4 4  usage(){
    5  - echo "$0 <host> <user names file>"
     5 + echo "$0 <host> <users.txt>"
    6 6   exit 1
    7 7  }
    8 8   
    skipped 3 lines
    12 12  UFILE="$2"
    13 13   
    14 14  if [ ! -f $UFILE ] ; then
    15  - usage
     15 + usage
    16 16  fi
    17 17   
    18 18   
    skipped 7 lines
    26 26   
    27 27   
    28 28  for u in $(cat $UFILE) ; do
    29  - export SSHCMD="ssh "$u"@"$HOST
    30  - expasswd
    31  - a=`date +%s`
    32  - expect -f expasswd 1> /dev/null 2> /dev/null
    33  - b=`date +%s`
    34  - d=`echo $b - $a | bc`
    35  - #echo $d
    36  - if [ $d -gt 5 ] ; then
    37  - echo $u" FOUND !"
    38  - #else
    39  - #echo $u" doesn't exist."
    40  - fi
     29 + export SSHCMD="ssh "$u"@"$HOST
     30 + expasswd
     31 + a=`date +%s`
     32 + expect -f expasswd 1> /dev/null 2> /dev/null
     33 + b=`date +%s`
     34 + d=`echo $b - $a | bc`
     35 + #echo $d
     36 + if [ $d -gt 5 ] ; then
     37 + echo $u" FOUND !"
     38 + #else
     39 + #echo $u" doesn't exist."
     40 + fi
    41 41  done
    42 42   
    43 43  export SSHCMD=""
    skipped 2 lines
  • ■ ■ ■ ■ ■
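--- a/ssrf-generate-ip.php
+++ b/ssrf-generate-ip.php
@@ -44,6 +44,7 @@
  $ip .= ':'.$t_port[rand(0,$cnt_port)];
  }
  $t_ip[] = $ip;
+ echo $ip."\n";
 }
 /*
 for( $i=0 ; $i<$how_much ; $i++ ) {
@@ -56,8 +57,9 @@
  $t_ip[] = $ip;
 }
 */
+
 //var_dump( $t_ip );
-file_put_contents( $file, implode("\n",$t_ip) );
+// file_put_contents( $file, implode("\n",$t_ip) );
 exit();
 
 ?>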
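Review bot: With `file_put_contents` commented out on new line 62, the `$t_ip[] = $ip;` accumulation on line 46 no longer has a consumer, so the array (and presumably `$file`) is dead state; either drop it or keep the file output behind an option rather than as a commented-out line. Unrelated to this change but visible in context on line 44, `rand(0,$cnt_port)` is inclusive at both ends, so if `$cnt_port` is `count($t_port)` the index can land one past the last port and yield an empty suffix — `rand(0,$cnt_port-1)` in that case; `$cnt_port` is set outside the hunk, so confirm there. The loop closed by the `}` on line 48 starts before the first hunk.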
  • ■ ■ ■ ■ ■ ■
    subalt.py
     1 +#!/usr/bin/python
     2 + 
     3 +import os
     4 +import sys
     5 +import re
     6 +import argparse
     7 +import tldextract
     8 +import itertools
     9 + 
     10 + 
     11 +def unique( tab ):
     12 + final = []
     13 + for i in tab:
     14 + i = i.strip()
     15 + if len(i):
     16 + if not i in final:
     17 + final.append( i )
     18 + return final
     19 + 
     20 +def is_int( str ):
     21 + a = 'abcdefghijklmnopqrstuvwxyz'
     22 + for c in a:
     23 + if c in str:
     24 + return False
     25 + return True
     26 + 
     27 +def explode( str ):
     28 + tab = []
     29 + match = re.findall( '[a-zA-Z0-9]+', str )
     30 + 
     31 + for w in match:
     32 + if is_int(w):
     33 + min = int(w) - 10
     34 + if min < 0:
     35 + min = 0
     36 + max = int(w) + 11
     37 + for n in range(min,max):
     38 + tab.append( ('%d'%n) )
     39 + tab.append( ('%01d'%n) )
     40 + tab.append( ('%02d'%n) )
     41 + tab.append( ('%03d'%n) )
     42 + else:
     43 + tab.append( w )
     44 + 
     45 + return tab
     46 + 
     47 + 
     48 +parser = argparse.ArgumentParser()
     49 +parser.add_argument( "-s","--subdomains",help="subdomains file (requires)" )
     50 +parser.add_argument( "-w","--wordlist",help="wordlists for alteration (required)" )
     51 +parser.parse_args()
     52 +args = parser.parse_args()
     53 + 
     54 +subdomains = []
     55 + 
     56 +if args.subdomains:
     57 + if os.path.isfile( args.subdomains ):
     58 + fp = open( args.subdomains )
     59 + subdomains = fp.read().split("\n")
     60 + fp.close()
     61 + else:
     62 + parser.error( 'no subdomains found' )
     63 +else:
     64 + parser.error( 'no subdomains found' )
     65 + 
     66 +wordlist = []
     67 + 
     68 +if args.wordlist:
     69 + if os.path.isfile( args.wordlist ):
     70 + fp = open( args.wordlist )
     71 + wordlist = fp.read().split("\n")
     72 + fp.close()
     73 + else:
     74 + parser.error( 'no wordlist found' )
     75 +else:
     76 + parser.error( 'no wordlist found' )
     77 + 
     78 +done = []
     79 +wordlist_sudomains = []
     80 +new_subdomains = []
     81 + 
     82 +for sub in subdomains:
     83 + 
     84 + sub = sub.strip()
     85 + if not len(sub):
     86 + continue
     87 + 
     88 + t_parse = tldextract.extract( sub )
     89 + 
     90 + new_subdomain = t_parse.domain+'.'+t_parse.domain+'.'+t_parse.suffix
     91 + if not new_subdomain in new_subdomains:
     92 + new_subdomains.append( new_subdomain )
     93 + 
     94 + if not t_parse.subdomain in done:
     95 + done.append( t_parse.subdomain )
     96 + new_words = explode( t_parse.subdomain )
     97 + if type(new_words) is list and len(new_words):
     98 + wordlist_sudomains = wordlist_sudomains + new_words
     99 + 
     100 + if not t_parse.domain in done:
     101 + done.append( t_parse.domain )
     102 + new_words = explode( t_parse.domain )
     103 + if type(new_words) is list and len(new_words):
     104 + wordlist_sudomains = wordlist_sudomains + new_words
     105 + 
     106 +subdomains = subdomains + new_subdomains
     107 +wordlist_sudomains = unique( wordlist_sudomains )
     108 +# print('\n>>> wordlist: wordlist sudomains')
     109 +# print(wordlist_sudomains)
     110 +wordlist = wordlist + wordlist_sudomains
     111 +wordlist = unique( wordlist )
     112 +# print('\n>>> wordlist: wordlist')
     113 +# print(wordlist)
     114 + 
     115 + 
     116 + 
     117 +def create_alts( sub, wordlist ):
     118 + 
     119 + # print('\n>>> subdomain: %s' % sub)
     120 + t_parse = tldextract.extract( sub )
     121 + subdomain_words = re.findall( '[a-zA-Z0-9]+', t_parse.subdomain )
     122 + 
     123 + for w in wordlist:
     124 + t_words = subdomain_words + [w]
     125 + # print('>>> wordlist: subdomain words + word')
     126 + # print(t_words)
     127 + 
     128 + to_glue = []
     129 + for i in range(1,len(t_words)+1):
     130 + to_glue = to_glue + list( itertools.product(t_words,repeat=i) )
     131 + 
     132 + # print('\n>>> to glue')
     133 + # print(to_glue)
     134 + 
     135 + gluagisation( to_glue, t_parse.domain+'.'+t_parse.suffix )
     136 + 
     137 + # print()
     138 + # exit()
     139 + 
     140 + 
     141 +def gluagisation( words_perms, domain ):
     142 + # print('\n>>> permutations subdomain words + word')
     143 + # print(words_perms)
     144 + 
     145 + for one_perm in words_perms:
     146 + gluagisation_single( one_perm, domain )
     147 + 
     148 +def gluagisation_single( one_perm, domain ):
     149 + # print('\n\n>>> gluing:')
     150 + # print(one_perm)
     151 + 
     152 + l = len( one_perm )
     153 + # print('l= %d'%l)
     154 + ll = l - 1
     155 + # print('ll= %d'%ll)
     156 + # print('glue[%d]='%ll)
     157 + # print(t_glue_perms[ll])
     158 + 
     159 + if l == 1:
     160 + new_sub = one_perm[0]
     161 + new_sub = new_sub + '.' + domain
     162 + # print('[+] new sub: %s' % new_sub)
     163 + else:
     164 + for glue in t_glue_perms[ll]:
     165 + j = 0
     166 + k = 0
     167 + new_sub = one_perm[0]
     168 + # print('[*] %s'%new_sub)
     169 + 
     170 + # for i=l ; i<l ; i++:
     171 + for i in range(1,l):
     172 + # print(i)
     173 + # print(j)
     174 + new_sub = new_sub + glue[j] + one_perm[i]
     175 + j = j + 1
     176 + 
     177 + new_sub = new_sub + '.' + domain
     178 + if not new_sub in t_final:
     179 + print(new_sub)
     180 + t_final.append( new_sub )
     181 + # print('[+] new sub: %s' % new_sub)
     182 + 
     183 + 
     184 + 
     185 +# for i in range(1,1):
     186 +# print(i)
     187 +# exit()
     188 + 
     189 +glues = [ '', '.', '-' ]
     190 +t_final = []
     191 + 
     192 +t_glue_perms = { 0: [['']] }
     193 +for i in range(1,10):
     194 + t_glue_perms[i] = list( itertools.product(glues, repeat=i) )
     195 + 
     196 +# print(t_glue_perms[2])
     197 +# exit()
     198 + 
     199 +# print(len(subdomains))
     200 +# print(len(wordlist))
     201 + 
     202 +for sub in subdomains:
     203 + 
     204 + sub = sub.strip()
     205 + if not len(sub):
     206 + continue
     207 + 
     208 + create_alts( sub, wordlist )
     209 + 
     210 + 
     211 + 
     212 +for f in t_final:
     213 + print(f)
     214 + 
     215 + 
     216 +exit()
     217 + 
     218 + 
    subdomains_finder.sh
    1  -#!/bin/bash
    2  - 
    3  - 
    4  -function usage() {
    5  - echo "Usage: "$0" <domain> [<method (bzhs)>]"
    6  - if [ -n "$1" ] ; then
    7  - echo "Error: "$1"!"
    8  - fi
    9  - exit
    10  -}
    11  - 
    12  - 
    13  -if [ $# -lt 1 ] || [ $# -gt 3 ] ; then
    14  - usage
    15  -fi
    16  - 
    17  -if [ $# -eq 2 ] ; then
    18  - method=$2
    19  -else
    20  - method="bzhs"
    21  -fi
    22  - 
    23  -domain=$1
    24  -output="/tmp/"$domain".txt"
    25  -#echo "" > $output
    26  -tmpfile="/tmp/"$domain".tmp"
    27  -#echo "" > $tmpfile
    28  -echo "Processing "$domain
    29  -echo
    30  - 
    31  -if $( echo $method | grep --quiet 'h' ) ; then
    32  - echo "TheHarvester..."
    33  - th_limit=1000
    34  - th_se="all"
    35  - harvest=$(theharvester -l $th_limit -b $th_se -d $domain)
    36  - harv=$(echo $harvest | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep $domain)
    37  - echo $harv | tr " " "\n" | tr ":" "\n" | grep $domain | grep -v "@" >> $tmpfile
    38  -fi
    39  - 
    40  -if $( echo $method | grep --quiet 'z' ) ; then
    41  - echo "dnsrecon (axfr)..."
    42  - axfr=$(dnsrecon -d $domain -t axfr | grep $domain | egrep "A|CNAME" | awk '{print $3}')
    43  - echo $axfr | tr " " "\n" >> $tmpfile
    44  -fi
    45  - 
    46  -if $( echo $method | grep --quiet 'b' ) ; then
    47  - echo "dnsrecon (brt)..."
    48  - brt_src="/opt/SecLists/Discovery/DNS/subdomains-top1mil-20000.txt"
    49  - #brt_src="/opt/SecLists/Discovery/DNS/namelist.txt"
    50  - brt=$(dnsrecon -d $domain -t brt -D $brt_src | grep $domain | egrep "A|CNAME" | awk '{print $3}')
    51  - echo $brt | tr " " "\n" >> $tmpfile
    52  -fi
    53  - 
    54  -if $( echo $method | grep --quiet 's' ) ; then
    55  - echo "subthreat..."
    56  - cmd_sub=$(subthreat $domain | grep -iv "error")
    57  - echo $cmd_sub | tr " " "\n" >> $tmpfile
    58  -fi
    59  - 
    60  -cat $tmpfile | sort -fu > $output
    61  -rm $tmpfile
    62  -n=$(wc -l $output)
    63  -#n=$[$n-1]
    64  -echo
    65  -echo $n" subdomains found!"
    66  - 
    67  -exit
    68  - 
    subruten.py
    1  -#!/usr/bin/python3
    2  - 
    3  -# I don't believe in license.
    4  -# You can do whatever you want with this program.
    5  - 
    6  -def doWork():
    7  - while True:
    8  - host = q.get()
    9  - resolve( host )
    10  - q.task_done()
    11  - 
    12  - 
    13  -def resolve( host ):
    14  - if t_multiproc['n_current']%5000 == 0:
    15  - save(False)
    16  - 
    17  - sys.stdout.write( 'progress: %d/%d\r' % (t_multiproc['n_current'],t_multiproc['n_total']) )
    18  - t_multiproc['n_current'] = t_multiproc['n_current'] + 1
    19  - 
    20  - try:
    21  - ip = socket.gethostbyname( host )
    22  - t_alive[host] = ip
    23  - # print(ip)
    24  - except Exception as e:
    25  - t_dead.append( host )
    26  - # sys.stdout.write( "%s[-] error occurred: %s (%s)%s\n" % (fg('red'),e,host,attr(0)) )
    27  - 
    28  - 
    29  -def save(alts):
    30  - if alts:
    31  - fp = open( 'h_alts', 'w' )
    32  - for h in t_alts:
    33  - if len(h):
    34  - fp.write( "%s\n" % h )
    35  - fp.close()
    36  - 
    37  - fp = open( 'h_alive', 'w' )
    38  - for h in sorted(t_alive.keys()):
    39  - if len(h):
    40  - # fp.write( "%s:%s\n" % (h,t_alive[h]) )
    41  - fp.write( "%s\n" % h )
    42  - fp.close()
    43  - 
    44  - fp = open( 'h_dead', 'w' )
    45  - for h in t_dead:
    46  - if len(h):
    47  - fp.write( "%s\n" % h )
    48  - fp.close()
    49  - 
    50  - 
    51  - 
    52  -def occalts( t_array ):
    53  - t_occ = []
    54  - l = len(t_array)
    55  - # print(l)
    56  - 
    57  - for i in range(0,l):
    58  - for j in range(0,l):
    59  - if i == j:
    60  - continue
    61  - maxmax = t_array[i]
    62  - for nn in range(0,maxmax+1):
    63  - t_array2 = t_array.copy()
    64  - t_array2[i] = nn
    65  - max = t_array[j]
    66  - print(max)
    67  - for n in range(0,max+1):
    68  - for pad in range(1,2):
    69  - print(pad)
    70  - t_array3 = t_array2.copy()
    71  - t_array3[j] = str(n).rjust(pad,'0')
    72  - print(t_array3)
    73  - # print(t_array2)
    74  - t_occ.append( t_array3 )
    75  - # break
    76  - print(t_occ)
    77  - print(len(t_occ))
    78  - return t_occ
    79  - 
    80  - 
    81  -def generateAlts( host, current, minnum, multiplicator ):
    82  - index = 0
    83  - matches = re.compile( '[0-9]+' ).finditer( host )
    84  - temp = list(matches)
    85  - n_matches = len(temp)
    86  - matches = iter(temp)
    87  - # print("\nhost %s" % host)
    88  - # print("CURRENT %d" % current)
    89  - # print("n_matches %d" % n_matches)
    90  - 
    91  - t_alts.append( host )
    92  - 
    93  - for m in matches:
    94  - # print("INDEX %d" % index)
    95  - # print(m.group())
    96  - if index > current:
    97  - # print("index != current NO SKIP")
    98  - n_start = 0
    99  - n_end = int( int(m.group()) * multiplicator )
    100  - if n_end < minnum:
    101  - n_end = minnum
    102  - # n_end = int(m.group())
    103  - n_end = n_end
    104  - # print(n_end)
    105  - 
    106  - p_start = m.start()
    107  - p_end = m.end()
    108  - p_len = p_end - p_start
    109  - s_prefix = host[0:p_start]
    110  - s_suffix = host[p_end:]
    111  - 
    112  - for i in range(n_start,n_end):
    113  - new_h = s_prefix + str(i) + s_suffix
    114  - generateAlts( new_h, index, minnum, multiplicator )
    115  - # else:
    116  - # if not host in t_alts:
    117  - # print("index = current SKIP")
    118  - 
    119  - index = index + 1
    120  - 
    121  - 
    122  -def getAlts( minnum, multiplicator, host ):
    123  - sys.stdout.write( 'progress: %d/%d\r' % (t_multiproc['n_current'],t_multiproc['n_total']) )
    124  - t_multiproc['n_current'] = t_multiproc['n_current'] + 1
    125  - 
    126  - # for host in t_hosts:
    127  - generateAlts( host, -1, minnum, multiplicator )
    128  - # print(sorted(t_alts))
    129  - # print( len(t_alts) )
    130  - # exit()
    131  - 
    132  -import os
    133  -import sys
    134  -import re
    135  -import socket
    136  -import argparse
    137  -from functools import partial
    138  -from colored import fg, bg, attr
    139  -from threading import Thread
    140  -from queue import Queue
    141  -from multiprocessing.dummy import Pool
    142  - 
    143  - 
    144  -parser = argparse.ArgumentParser()
    145  -parser.add_argument( "-o","--host",help="set hosts file list" )
    146  -parser.add_argument( "-t","--threads",help="threads, default 10" )
    147  -parser.add_argument( "-n","--minnum",help="minimum n, default 10" )
    148  -parser.add_argument( "-m","--multi",help="multiplicator, default 1" )
    149  -parser.parse_args()
    150  -args = parser.parse_args()
    151  - 
    152  -if args.minnum:
    153  - _minnum = int(args.minnum)
    154  -else:
    155  - _minnum = 10
    156  - 
    157  -if args.multi:
    158  - _multiplicator = int(args.multi)
    159  -else:
    160  - _multiplicator = 1
    161  - 
    162  -if args.threads:
    163  - _threads = int(args.threads)
    164  -else:
    165  - _threads = 10
    166  - 
    167  -t_hosts = []
    168  -if args.host:
    169  - if os.path.isfile(args.host):
    170  - fp = open( args.host, 'r' )
    171  - t_hosts = fp.read().strip().split("\n")
    172  - fp.close()
    173  - 
    174  -n_host = len(t_hosts)
    175  - 
    176  -if not n_host:
    177  - parser.error( 'hosts list missing' )
    178  - 
    179  -sys.stdout.write( '%s[+] %d hosts loaded: %s%s\n' % (fg('green'),n_host,args.host,attr(0)) )
    180  -sys.stdout.write( '[+] generating alts...\n' )
    181  - 
    182  - 
    183  - 
    184  -t_alive = {}
    185  -t_dead = []
    186  -t_alts = []
    187  -t_multiproc = {
    188  - 'n_current': 0,
    189  - 'n_total': n_host
    190  -}
    191  - 
    192  -pool = Pool( 20 )
    193  -pool.map( partial(getAlts,_minnum,_multiplicator), t_hosts )
    194  -pool.close()
    195  -pool.join()
    196  - 
    197  -# getAlts( t_hosts )
    198  -n_alt = len(t_alts)
    199  -save(True)
    200  -sys.stdout.write( '%s[+] %d alts generated%s\n' % (fg('green'),n_alt,attr(0)) )
    201  -sys.stdout.write( '[+] resolving...\n' )
    202  - 
    203  - 
    204  - 
    205  -t_multiproc = {
    206  - 'n_current': 0,
    207  - 'n_total': n_alt
    208  -}
    209  - 
    210  -q = Queue( _threads*2 )
    211  - 
    212  -for i in range(_threads):
    213  - t = Thread( target=doWork )
    214  - t.daemon = True
    215  - t.start()
    216  - 
    217  -try:
    218  - for host in t_alts:
    219  - q.put( host )
    220  - q.join()
    221  -except KeyboardInterrupt:
    222  - sys.exit(1)
    223  - 
    224  - 
    225  -# print( t_alive)
    226  -# print( t_dead)
    227  -sys.stdout.write( '%s[+] %d hosts alive, %d dead hosts%s\n' % (fg('green'),len(t_alive),len(t_dead),attr(0)) )
    228  -save(False)
    229  - 
    230  - 
    231  -exit()
    232  - 
    233  - 
    subthreat.php
    1  -#!/usr/bin/php
    2  -<?php
    3  - 
    4  -function isSubdomain( $str )
    5  -{
    6  - $str = strtolower( $str );
    7  - 
    8  - if( preg_match('/[^0-9a-z_\-\.]/',$str) || preg_match('/[^0-9a-z]/',$str[0]) || preg_match('/[^a-z]/',$str[strlen($str)-1]) || substr_count($str,'.')<2 ) {
    9  - return false;
    10  - } else {
    11  - return true;
    12  - }
    13  -}
    14  - 
    15  - 
    16  -function extractDomain( $host )
    17  -{
    18  - $tmp = explode( '.', $host );
    19  - $cnt = count( $tmp );
    20  - 
    21  - $domain = $tmp[$cnt-1];
    22  - 
    23  - for( $i=$cnt-2 ; $i>=0 ; $i-- ) {
    24  - $domain = $tmp[$i].'.'.$domain;
    25  - if( strlen($tmp[$i]) > 3 ) {
    26  - break;
    27  - }
    28  - }
    29  - 
    30  - return $domain;
    31  -}
    32  - 
    33  -function usage( $err=null ) {
    34  - echo 'Usage: '.$_SERVER['argv'][0]." <domain>\n";
    35  - if( $err ) {
    36  - echo 'Error: '.$err."\n";
    37  - }
    38  - exit();
    39  -}
    40  - 
    41  -if( $_SERVER['argc'] != 2 ) {
    42  - usage();
    43  -}
    44  - 
    45  -$t_host = [];
    46  -$domain = $_SERVER['argv'][1];
    47  -$src = 'https://www.threatcrowd.org/searchApi/v2/domain/report/?domain='.$domain;
    48  -$json = file_get_contents( $src );
    49  -//var_dump( $json );
    50  - 
    51  -$t_json = json_decode( $json, true );
    52  -//var_dump( $t_json);
    53  - 
    54  -if( $t_json['response_code'] != 1 ) {
    55  - echo 'Error: reponse_code='.$t_json['response_code']."\n";
    56  - exit(-1);
    57  -}
    58  - 
    59  -foreach( $t_json['subdomains'] as $h ) {
    60  - if( isSubdomain($h) && extractDomain($h) == $domain ) {
    61  - $t_host[] = $h;
    62  - }
    63  -}
    64  - 
    65  -if( count($t_host) )
    66  -{
    67  - $t_host = array_unique( $t_host );
    68  - sort( $t_host );
    69  -
    70  - foreach( $t_host as $h ) {
    71  - echo $h."\n";
    72  - }
    73  -}
    74  - 
    75  -exit( 0 );
    76  - 
    77  -?>
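--- a/test-ip-wordlist.sh
+++ b/test-ip-wordlist.sh
@@ -5,7 +5,7 @@
 
 
 function usage() {
- echo "Usage: "$0" <ip start> <ip end> <wordlist> [<port>] [<force ssl>]"
+ echo "Usage: "$0" <start ip> <end ip> <wordlist> [<port>] [<force ssl>]"
  if [ -n "$1" ] ; then
  echo "Error: "$1"!"
  fi
@@ -18,8 +18,8 @@
 
  # 0.0.0.0/0.255.255.255 , 10.0.0.0/10.255.255.255 , 172.16.0.0/172.31.255.255 , 192.168.0.0/192.168.255.255
  if ( [ $i -ge 0 ] && [ $i -le 16777215 ] ) || ( [ $i -ge 167772160 ] && [ $i -le 184549375 ] ) || ( [ $i -ge 2886729728 ] && [ $i -le 2887778303 ] ) || ( [ $i -ge 3232235520 ] && [ $i -le 3232301055 ] ) ; then
- echo 0
- return
+ echo 0
+ return
  fi
 
  ip2=$(echo $ip | tr '.' ' ')
@@ -42,7 +42,7 @@
 wordlist=$3
 
 if [ ! -f $wordlist ] ; then
- usage "File not found!"
+ usage "File not found!"
 fi
 
 if [ $# -ge 4 ] ; then
@@ -74,7 +74,6 @@
 fi
 
 i=$(( $start_n - 1 ))
-coption="-s --connect-timeout 2"
 
 while [ $i -lt $end_n ] ; do
  i=$(( $i + 1 ))
@@ -83,40 +82,44 @@
  #isvalid=1
 
  if [ $isvalid -eq 0 ] ; then
- continue
+ continue
  fi
 
  for p in $tport ; do
- if [ $ssl -eq 0 ] && [ ! $p -eq 443 ] ; then
- proto="http"
- co=$coption
- else
- proto="https"
- co="$coption --insecure"
- fi
+ if [ "$ssl" -eq "0" ] && [ ! "$p" -eq "443" ] ; then
+ proto="http"
+ else
+ proto="https"
+ fi
+ 
+ if [ "$p" -eq "80" ] || [ "$p" -eq "443" ] ; then
+ url="$proto://$ip"
+ else
+ url="$proto://$ip:$p"
+ fi
 
- url="$proto://$ip:$p"
- output=`curl $co $url`
- res=`echo $output | grep 'html'`
- echo "Connecting: $url"
+ # echo $url
+ output=`curl -k -s --connect-timeout 2 -I $url`
+ res=`echo $output | grep 'HTTP/1.1 200 OK'`
+ echo "Connecting: $url"
 
- if [ ! -n "$res" ] ; then
- _print "Skipping..."
- echo
- else
+ if [ ! -n "$res" ] ; then
+ _print "Skipping..."
+ echo
+ else
  for w in $(cat $wordlist) ; do
- url="http://$ip:$p/$w"
- output=`curl $co -I $url`
- res=`echo $output | grep 'HTTP/1.1 200 OK'`
- _print "Testing: $url"
+ w_url="$url/$w"
+ output=`curl -k -s --connect-timeout 2 -I $w_url`
+ res=`echo $output | grep 'HTTP/1.1 200 OK'`
+ _print "Testing: $w_url"
 
- if [ -n "$res" ] ; then
- _print " FOUND!" GREEN
- fi
+ if [ -n "$res" ] ; then
+ _print " FOUND!" GREEN
+ fi
 
- echo
- done
- fi
+ echo
+ done
+ fi
  done
 
  echo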
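Review bot: The new status test `res=\`echo $output | grep 'HTTP/1.1 200 OK'\`` (new lines 103 and 113) matches only an HTTP/1.1 status line, so a host answering `HTTP/2 200` or `HTTP/1.0 200 OK` is reported as "Skipping..." or missed, and any 3xx on the base URL skips the host entirely since `-L` is not passed; asking curl for the code directly is more robust: `res=$(curl -k -s --connect-timeout 2 -o /dev/null -w '%{http_code}' "$url")` followed by `if [ "$res" != "200" ] ; then`. Both `$url` and `$w_url` are passed to curl unquoted, so a wordlist entry containing shell-special characters is split or globbed before it reaches curl. `-k` is now applied to plain-http requests as well; that is harmless, but a one-line comment saying certificate checks are deliberately off for this probe would save the next reader a question. The enclosing `while` loop closes outside the hunk.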
    testall.sh
    1  -#!/bin/bash
    2  - 
    3  - 
    4  -function usage() {
    5  - echo "Usage: "$0" <url> [<rce:0|1>] [<lfi:0|1>] [<ti:0|1>] [<xss:0|1>] [<sqli:0|1>] [<cookies>]"
    6  - if [ -n "$1" ] ; then
    7  - echo "Error: "$1"!"
    8  - fi
    9  - exit
    10  -}
    11  - 
    12  -if [ $# -lt 1 ] || [ $# -gt 7 ] ; then
    13  - usage
    14  -fi
    15  - 
    16  - 
    17  -url=$1
    18  -color=1
    19  -verbose=2
    20  -sqlmap_smart=0
    21  - 
    22  - 
    23  -if [ $# -gt 1 ] ; then
    24  - rce=$2
    25  -else
    26  - rce=1
    27  -fi
    28  - 
    29  -if [ $# -gt 2 ] ; then
    30  - lfi=$3
    31  -else
    32  - lfi=1
    33  -fi
    34  - 
    35  -if [ $# -gt 3 ] ; then
    36  - ti=$4
    37  -else
    38  - ti=1
    39  -fi
    40  - 
    41  -if [ $# -gt 4 ] ; then
    42  - xss=$5
    43  -else
    44  - xss=1
    45  -fi
    46  - 
    47  -if [ $# -gt 5 ] ; then
    48  - sqli=$6
    49  -else
    50  - sqli=1
    51  -fi
    52  - 
    53  -if [ $# -gt 6 ] ; then
    54  - cookies=$7
    55  -else
    56  - cookies=''
    57  -fi
    58  - 
    59  - 
    60  -# RCE
    61  -if [ $rce -eq 1 ] ; then
    62  - echo
    63  - echo "####################### TEST Remote Command Execution #######################"
    64  - echo
    65  - cmd='testrce /home/gwen/SecLists/mine/payload-rce-ping.txt "'$1'" 2 "'$cookies'"'
    66  - echo $cmd
    67  - eval $cmd
    68  -fi
    69  - 
    70  -# LFI
    71  -if [ $lfi -eq 1 ] ; then
    72  - echo
    73  - echo "####################### TEST Local File Inclusion #######################"
    74  - echo
    75  - cmd='testxss --cookies "'$cookies'" --verbose '$verbose' --inject GP --replace GP --gpg --threads 5 --payload /home/gwen/SecLists/mine/payload-lfi-short.txt --prefix --suffix --single "'$1'" --wish "root:[0x]:|\[boot loader"'
    76  - if [ $color -eq 0 ] ; then
    77  - cmd=$cmd" --no-color"
    78  - fi
    79  - echo $cmd
    80  - eval $cmd
    81  -fi
    82  - 
    83  -# Template Injection
    84  -if [ $ti -eq 1 ] ; then
    85  - echo
    86  - echo "####################### TEST Template Injection #######################"
    87  - echo
    88  - cmd='testxss --cookies "'$cookies'" --verbose '$verbose' --inject GP --gpg --threads 5 --payload /home/gwen/SecLists/mine/payload-ti-short-25536.txt --prefix --suffix --single "'$1'" --wish "25536"'
    89  - if [ $color -eq 0 ] ; then
    90  - cmd=$cmd" --no-color"
    91  - fi
    92  - echo $cmd
    93  - eval $cmd
    94  -fi
    95  - 
    96  -# XSS
    97  -if [ $xss -eq 1 ] ; then
    98  - echo
    99  - echo "####################### TEST Cross Site Scripting #######################"
    100  - echo
    101  - cmd='testxss --encode --cookies "'$cookies'" --verbose '$verbose' --gpg --threads 5 --phantom /usr/local/bin/phantomjs --payload /home/gwen/SecLists/mine/xss-mytop50.txt --prefix --suffix --sos --single "'$1'"'
    102  - if [ $color -eq 0 ] ; then
    103  - cmd=$cmd" --no-color"
    104  - fi
    105  - echo $cmd
    106  - eval $cmd
    107  -fi
    108  - 
    109  -# SQL Injection
    110  -if [ $sqli -eq 1 ] ; then
    111  - echo
    112  - echo "####################### TEST SQL Injection #######################"
    113  - echo
    114  - cmd='sqlmap --cookie="'$cookies'" --threads=5 --random-agent --dbms=mysql --batch -u "'$1'"'
    115  - if [ $sqlmap_smart -eq 1 ] ; then
    116  - cmd=$cmd" --smart"
    117  - fi
    118  - echo $cmd
    119  - eval $cmd
    120  -fi
    121  - 
    122  -echo
    123  -echo "####################### THE END #######################"
    124  -echo
    125  - 
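--- a/testhttp.php
+++ b/testhttp.php
@@ -21,14 +21,12 @@
 
 
 // global vars
-define( 'RESULT_SEP', ':' );
 define( 'PORT_SEP', ',' );
 define( 'HTTP_KO', 0 );
 define( 'HTTP_OK', 1 );
 define( 'HTTP_REDIR', 2 );
-define( 'MAX_REDIR', 20 );
-$t_result = [ 0=>'KO', 1=>'OK', 2=>'REDIR' ];
 
+$t_result = [ HTTP_KO=>'KO', HTTP_OK=>'OK', HTTP_REDIR=>'REDIR' ];
 
 if( $_SERVER['argc']<2 || $_SERVER['argc']>3 ) {
  usage();
@@ -44,119 +42,67 @@
 }
 $t_port = explode( PORT_SEP, $port );
 
-$t_headers = [];
-$t_headers[0] = "Accept: text/xml,application/xml,application/xhtml+xml,";
-$t_headers[0] .= "text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5";
-$t_headers[] = "Cache-Control: max-age=0";
-$t_headers[] = "Connection: keep-alive";
-$t_headers[] = "Keep-Alive: 300";
-$t_headers[] = "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7";
-$t_headers[] = "Accept-Language: en-us,en;q=0.5";
-$t_headers[] = "Pragma: "; // browsers keep this blank.
+$flag_80 = false;
+$flag_443 = false;
+ 
 
 // main loop
 foreach( $t_port as $port )
 {
- $t_details = [];
- $port_is_http = HTTP_OK;
+ $info = null;
  $scheme = 'http';
  if( $port == 443 ) {
  $scheme .= 's';
  }
  $u = $scheme.'://'.$host.':'.$port;
- $n_loop = 0;
+ // var_dump( $u );
 
- //echo 'Testing '.$u."\n";
+ $c = curl_init();
+ curl_setopt( $c, CURLOPT_URL, $u );
+ curl_setopt( $c, CURLOPT_USERAGENT, 'Googlebot/2.1 (+http://www.google.com/bot.html)' );
+ // curl_setopt( $c, CURLOPT_NOBODY, true );
+ // curl_setopt( $c, CURLOPT_HTTPHEADER, $t_headers );
+ curl_setopt( $c, CURLOPT_CONNECTTIMEOUT, 5 );
+ curl_setopt( $c, CURLOPT_SSL_VERIFYHOST, false );
+ curl_setopt( $c, CURLOPT_SSL_VERIFYPEER, false );
+ curl_setopt( $c, CURLOPT_RETURNTRANSFER, true );
+ // curl_setopt( $c, CURLOPT_FOLLOWLOCATION, true );
+ $r = curl_exec( $c );
+ $t_info = curl_getinfo( $c );
+ // var_dump( $r );
+ // var_dump( $t_info );
+ curl_close( $c );
 
- do
+ if( $t_info['http_code'] == 0 )
+ {
+ $port_is_http = HTTP_KO;
+ }
+ else
  {
- $n_loop++;
- $loop = false;
+ $t_parse = parse_url( $t_info['url'] );
+ //var_dump( $t_parse );
 
- $c = curl_init();
- curl_setopt( $c, CURLOPT_URL, $u );
- curl_setopt( $c, CURLOPT_USERAGENT, 'Googlebot/2.1 (+http://www.google.com/bot.html)' );
- //curl_setopt( $c, CURLOPT_NOBODY, true );
- curl_setopt( $c, CURLOPT_HTTPHEADER, $t_headers );
- curl_setopt( $c, CURLOPT_CONNECTTIMEOUT, 2 );
- curl_setopt( $c, CURLOPT_SSL_VERIFYPEER, false );
- curl_setopt( $c, CURLOPT_RETURNTRANSFER, true );
- curl_exec( $c );
- $t_info = curl_getinfo( $c );
- //var_dump( $t_info );
- curl_close( $c );
- 
- if( $t_info['http_code'] == 0 )
- {
- // http service NOT found
- $port_is_http = HTTP_KO;
+ if( $port == 80 ) {
+ $flag_80 = true;
+ } elseif( $port == 80 ) {
+ $flag_443 = true;
  }
- else
- {
- // http service found
- $r = $t_info['redirect_url'];
- //var_dump( $r );
 
- if( trim($r) != '' )
- {
- $tmp = parse_url( $r );
- //var_dump($tmp);
- $u = $r;
- $port_is_http = HTTP_REDIR;
- $t_details[] = $tmp['host'];
-
- if( $n_loop <= MAX_REDIR ) {
- $loop = true;
- }
- /*
- // but it's a redirection!
- if( isIp($r) ) {
- $h = $r;
- } else {
- // extract scheme, host and port of the redirection
- $tmp = parse_url( $r );
- //var_dump( $tmp );
- $s = $tmp['scheme'];
- $h = $tmp['host'];
- if( !isset($tmp['port']) ) {
- $p = ($s=='https') ? 443 : 80;
- }
- }
- if( $s == $scheme && $h == $host && $p == $port ) {
- // the redirection point to the exact same scheme, host and port
- // so we keep looping
- $u = $r;
- //$port_is_http = HTTP_REDIR;
- //$t_details[] = $tmp['host'];
- $loop = true;
- } else {
- // the redirection DO NOT point to the exact same scheme, host and port
- // so we leave
- $u = $r;
- $port_is_http = HTTP_REDIR;
- $t_details[] = $tmp['host'];
- //$loop = true;
- }
- */
- }
+ /*if( $port == 80 && $flag_443 ) {
+ $port_is_http = HTTP_KO;
+ } elseif( $port == 443 && $flag_80 ) {
+ $port_is_http = HTTP_KO;
+ } else*/if( $t_parse['host'] == $host && $t_info['primary_port'] == $port ) {
+ $port_is_http = HTTP_OK;
+ } else {
+ $port_is_http = HTTP_REDIR;
+ $info = $t_parse['host'];
  }
  }
- while( $loop );
 
- $cnt = count($t_details);
-/* if( $port_is_http == HTTP_REDIR && $t_details[$cnt-1]==$host ) {
- $port_is_http = HTTP_OK;
- $t_details = [];
- $cnt = 0;
- }
-*/
- echo $port.RESULT_SEP.$t_result[$port_is_http];
- if( $cnt ) {
- for( $i=0,$p=null ; $i<$cnt ; $p=$t_details[$i],$i++ ) {
- if( $t_details[$i] != $p ) {
- echo RESULT_SEP.$t_details[$i];
- }
- }
+ echo $port.':'.$t_result[$port_is_http];
+ if( $info ) {
+ echo ':'.$info;
  }
  echo "\n";
 }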
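Review bot: With `CURLOPT_FOLLOWLOCATION` left commented out (new line 69), `$t_info['url']` should always be the URL that was requested, so the test `$t_parse['host'] == $host && $t_info['primary_port'] == $port` (new line 95) holds for every port that answers and the `HTTP_REDIR` result looks unreachable; the old loop derived it from `$t_info['redirect_url']`, so either re-enable following or parse `$t_info['redirect_url']` and compare its host/port against `$host`/`$port` before choosing `HTTP_OK`. The branch `} elseif( $port == 80 ) {` on new line 87 repeats the condition above it, so `$flag_443` is never set; it should read `} elseif( $port == 443 ) {` (inert for now, since its only consumer is commented out). `CURLOPT_CONNECTTIMEOUT` is the only timeout configured, so a port that accepts the connection and then stalls blocks the whole scan; add `curl_setopt( $c, CURLOPT_TIMEOUT, 10 );` next to it. The `$r` body returned by `curl_exec` is collected but never used, which a short comment or dropping the assignment would make clear.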
    testhttp2.php
    1  -#!/usr/bin/php
    2  -<?php
    3  - 
    4  -// usage function
    5  -function usage( $error='' )
    6  -{
    7  - echo "Usage: php testhttp.php <host|ip> <port list>\n";
    8  - 
    9  - if( $error ) {
    10  - echo "Error: ".$error."!\n";
    11  - }
    12  - 
    13  - exit();
    14  -}
    15  - 
    16  -// test if a string is an IP address
    17  -function isIp( $str )
    18  -{
    19  - return preg_match( '/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', trim($str) );
    20  -}
    21  - 
    22  - 
    23  -// global vars
    24  -define( 'PORT_SEP', ',' );
    25  -define( 'HTTP_KO', 0 );
    26  -define( 'HTTP_OK', 1 );
    27  -define( 'HTTP_REDIR', 2 );
    28  - 
    29  -$t_result = [ HTTP_KO=>'KO', HTTP_OK=>'OK', HTTP_REDIR=>'REDIR' ];
    30  - 
    31  -if( $_SERVER['argc']<2 || $_SERVER['argc']>3 ) {
    32  - usage();
    33  -}
    34  - 
    35  -$host = $_SERVER['argv'][1];
    36  - 
    37  -if( $_SERVER['argc'] == 3 ) {
    38  - $port = $_SERVER['argv'][2];
    39  -} else {
    40  - // default port
    41  - $port = '80,443';
    42  -}
    43  -$t_port = explode( PORT_SEP, $port );
    44  - 
    45  -$flag_80 = false;
    46  -$flag_443 = false;
    47  - 
    48  - 
    49  -// main loop
    50  -foreach( $t_port as $port )
    51  -{
    52  - $info = null;
    53  - $scheme = 'http';
    54  - if( $port == 443 ) {
    55  - $scheme .= 's';
    56  - }
    57  - $u = $scheme.'://'.$host.':'.$port;
    58  - //var_dump( $u );
    59  - 
    60  - $c = curl_init();
    61  - curl_setopt( $c, CURLOPT_URL, $u );
    62  - curl_setopt( $c, CURLOPT_USERAGENT, 'Googlebot/2.1 (+http://www.google.com/bot.html)' );
    63  - //curl_setopt( $c, CURLOPT_NOBODY, true );
    64  - //curl_setopt( $c, CURLOPT_HTTPHEADER, $t_headers );
    65  - curl_setopt( $c, CURLOPT_CONNECTTIMEOUT, 5 );
    66  - curl_setopt( $c, CURLOPT_SSL_VERIFYPEER, false );
    67  - curl_setopt( $c, CURLOPT_RETURNTRANSFER, true );
    68  - curl_setopt( $c, CURLOPT_FOLLOWLOCATION, true );
    69  - curl_exec( $c );
    70  - $t_info = curl_getinfo( $c );
    71  - //var_dump( $t_info );
    72  - curl_close( $c );
    73  - 
    74  - if( $t_info['http_code'] == 0 )
    75  - {
    76  - $port_is_http = HTTP_KO;
    77  - }
    78  - else
    79  - {
    80  - $t_parse = parse_url( $t_info['url'] );
    81  - //var_dump( $t_parse );
    82  - 
    83  - if( $port == 80 ) {
    84  - $flag_80 = true;
    85  - } elseif( $port == 80 ) {
    86  - $flag_443 = true;
    87  - }
    88  - 
    89  - /*if( $port == 80 && $flag_443 ) {
    90  - $port_is_http = HTTP_KO;
    91  - } elseif( $port == 443 && $flag_80 ) {
    92  - $port_is_http = HTTP_KO;
    93  - } else*/if( $t_parse['host'] == $host && $t_info['primary_port'] == $port ) {
    94  - $port_is_http = HTTP_OK;
    95  - } else {
    96  - $port_is_http = HTTP_REDIR;
    97  - $info = $t_parse['host'];
    98  - }
    99  - }
    100  -
    101  - echo $port.':'.$t_result[$port_is_http];
    102  - if( $info ) {
    103  - echo ':'.$info;
    104  - }
    105  - echo "\n";
    106  -}
    107  - 
    108  - 
    109  -// the end
    110  -exit();
    111  - 
    112  -?>
    testrce.sh
    1  -#!/bin/bash
    2  - 
    3  -f_payload=$1
    4  -f_url=$2
    5  -rand1=$(tr -dc 'A-HJ-NP-Za-km-z2-9' < /dev/urandom | dd bs=12 count=1 status=none)
    6  -rand2=$(tr -dc 'A-HJ-NP-Za-km-z2-9' < /dev/urandom | dd bs=12 count=1 status=none)
    7  -tmpfile="/tmp/$rand1"
    8  -echo "tmpfile: $tmpfile"
    9  -subdomain=$rand2
    10  -echo "subdomain: $subdomain"
    11  - 
    12  -if [ $# -gt 2 ] ; then
    13  - verbose=$3
    14  -else
    15  - verbose=0
    16  -fi
    17  - 
    18  -if [ $# -gt 3 ] ; then
    19  - cookies=$4
    20  -else
    21  - cookies=''
    22  -fi
    23  - 
    24  - 
    25  -cp $f_payload $tmpfile
    26  -sed -i "s/__RANDOM_STR__/$subdomain/g" $tmpfile
    27  -cmd='testxss --cookies "'$cookies'" --no-color --threads 5 --payload $tmpfile --prefix --suffix --single "'$f_url'" --inject GP --gpg --encode --wish "QSDFGHJKLMNBVCXWAZERTYPOIU" --verbose '$verbose
    28  -echo $cmd
    29  -eval $cmd
    30  - 
    31  - 
    32  -sleep 5s
    33  -#rm $tmpfile
    34  - 
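--- a/wayback-analyzer.php
+++ b/wayback-analyzer.php
@@ -1,342 +0,0 @@
-#!/usr/bin/php
-<?php
-
-/**
- * I don't believe in license
- * You can do want you want with this program
- * - gwen -
- */
-
-function usage( $err=null ) {
- echo 'Usage: php '.$_SERVER['argv'][0]." -f <wayback output file> [OPTIONS]\n\n";
- echo "Options:\n";
- echo "\t-c\tapply urldecode\n";
- echo "\t-d\tremove duplicates (you can miss data)\n";
- echo "\t-e\textension you care, separated by comma (ex: js,php,bmp)\n";
- echo "\t-f\tset json source file (required)\n";
- echo "\t-i\textension you ignore, separated by comma (ex: gif,png,jpg)\n";
- echo "\t-r\tprint only a resume\n";
- echo "\t-s\tforce https if scheme not found\n";
- echo "\t-l\tforce https even if scheme si found\n";
- echo "\t-o\tfollow location\n";
- echo "\t-t\ttest the urls found\n";
- echo "\t-w\tdirectory to download the datas (only http code=200)\n";
- echo "\n";
- if( $err ) {
- echo 'Error: '.$err."\n";
- }
- exit();
-}
-
-
-require_once( 'Utils.php' );
-
-define( 'DEFAULT_COLOR', 'red' );
-
-$t_colors = [
- 0 => 'dark_grey',
- 200 => 'light_green',
- 301 => 'light_cyan',
- 302 => 'light_cyan',
- 307 => 'light_cyan',
-];
-
-$options = '';
-$options .= 'c'; // urldecode
-$options .= 'd'; // remove duplicates
-$options .= 'e:'; // extension to display
-$options .= 'f:'; // json source file
-$options .= 'i:'; // extension to ignore
-$options .= 'r'; // print resume
-$options .= 'o'; // follow location
-$options .= 's'; // force ssl if no scheme
-$options .= 'l'; // force ssl even if scheme
-$options .= 't'; // test urls
-$options .= 'w:'; // directory to download datas
-$t_options = getopt( $options );
-//var_dump( $t_options );
-
-if( !count($t_options) ) {
- usage();
-}
-
-if( isset($t_options['c']) ) {
- $_urldecode = true;
-} else {
- $_urldecode = false;
-}
-
-if( isset($t_options['o']) ) {
- $_location = true;
-} else {
- $_location = false;
-}
-
-if( isset($t_options['d']) ) {
- $_duplicates = true;
-} else {
- $_duplicates = false;
-}
-
-if( isset($t_options['e']) ) {
- $_extension_wish = explode( ',', $t_options['e'] );
-} else {
- $_extension_wish = null;
-}
-
-if( isset($t_options['f']) ) {
- $f = $t_options['f'];
- if( !is_file($f) ) {
- usage( 'Source file not found!' );
- } else {
- $_source = $f;
- }
-} else {
- usage( 'Source file not found!' );
-}
-
-if( isset($t_options['i']) ) {
- $_extension_ignore = explode( ',', $t_options['i'] );
-} else {
- $_extension_ignore = [];
-}
-
-if( isset($t_options['r']) ) {
- $_resume = true;
-} else {
- $_resume = false;
-}
-
-if( isset($t_options['s']) ) {
- $_https = true;
-} else {
- $_https = false;
-}
-
-if( isset($t_options['l']) ) {
- $_force_https = true;
-} else {
- $_force_https = false;
-}
-
-if( isset($t_options['t']) ) {
- $_test = true;
-} else {
- $_test = false;
-}
-
-if( isset($t_options['w']) ) {
- $_write = $t_options['w'];
- if( !is_dir($_write) ) {
- if( !@mkdir($_write) ) {
- usage( 'Cannot create directory!' );
- }
- }
-} else {
- $_write = false;
-}
-
-
-function cleanContent( $str )
-{
- $str = str_replace( '%22http', '"],["http', $str );
- $str = str_replace( '///', '/"],["//', $str );
- $str = str_replace( '%22//', '"],["//', $str );
- $str = str_replace( '/http', '/"],["http', $str );
- return $str;
-}
-
-function cleanUrl( $str )
-{
- $str = preg_replace( '#/%22#', '/', $str );
- $str = preg_replace( '#(http[s]?):/([^/])#', '\\1://\\2', $str );
- return $str;
-}
-
-function cleanPath( $str )
-{
- $str = preg_replace( '#(\.[a-zA-Z0-9]{2,4})/#', '\\1', $str );
- return $str;
-}
-
-function testUrl( $url, &$content, $_location )
-{
- $c = curl_init();
- curl_setopt( $c, CURLOPT_URL, $url );
- //curl_setopt( $c, CURLOPT_HEADER, true );
- curl_setopt( $c, CURLOPT_SSL_VERIFYPEER, false );
- //curl_setopt( $c, CURLOPT_NOBODY, true );
- curl_setopt( $c, CURLOPT_CONNECTTIMEOUT, 3 );
- if( $_location ) {
- curl_setopt( $c, CURLOPT_FOLLOWLOCATION, true );
- } else {
- curl_setopt( $c, CURLOPT_FOLLOWLOCATION, false );
- }
- curl_setopt( $c, CURLOPT_RETURNTRANSFER, true );
- $content = curl_exec( $c );
-
- $t_info = curl_getinfo( $c );
-
- return $t_info;
-}
-
-function createHash( $url, $t_parse )
-{
- $url = urldecode(urldecode(urldecode(urldecode(urldecode($url)))));
- $new_parse = parse_url( $url );
- //var_dump( $url );
- //var_dump( $new_parse );
-
- if( !isset($t_parse['port']) ) {
- $new_parse['port'] = 80;
- }
-
- $str = '';
-
- if( isset($new_parse['host']) ) {
- $str = $new_parse['host'];
- }
- $str .= '||';
- if( isset($new_parse['path']) ) {
- $str .= $new_parse['path'];
- }
- $str .= '||';
- if( isset($new_parse['port']) ) {
- $str .= $new_parse['port'];
- }
- //var_dump($str);
-
- return md5( $str );
-}
-
-
-$content = file_get_contents( $_source );
-$content = cleanContent( $content );
-$array = json_decode( $content, true );
-
-$current = 0;
-$limit = -1;
-$t_hashes = [];
-
-$t_result = [];
-$t_domain = [];
-$t_unknown = [];
-
-foreach( $array as $v )
-{
- if( $limit > 0 && $current>$limit ) {
- break;
- }
-
- $current++;
- $url = $v[0];
- $url = cleanUrl( $url );
- if( $_urldecode ) {
- $url = urldecode(urldecode(urldecode(urldecode(urldecode($url)))));
- }
- $t_parse = parse_url( $url );
- if( !isset($t_parse['scheme']) ) {
- $t_parse['scheme'] = 'http'.($_https?'s':'');
- $url = $t_parse['scheme'].'://'.ltrim($url,'/');
- }
- if( $_force_https ) {
- $url = str_replace( 'http://', 'https://', $url );
- }
- if( $_https || $_force_https ) {
- $url = str_replace( ':80', '', $url );
- }
- //var_dump( $t_parse );
-
- if( $_duplicates ) {
- $hash = createHash( $url, $t_parse );
- if( !in_array($hash,$t_hashes) ) {
- $t_hashes[] = $hash;
- } else {
- //echo "skip ".$url."\n";
- continue;
- }
- }
-
- if( !isset($t_parse['path']) || $t_parse['path']=='/' )
- {
- $t_domain[] = $url;
- }
- else
- {
- $t_parse['path'] = cleanPath( $t_parse['path'] );
- $ext = substr( $t_parse['path'], strrpos($t_parse['path'],'.')+1 );
- //var_dump( $ext );
-
- if( $ext == '' || strlen($ext)<2 || strlen($ext)>4 || preg_match('#[^a-zA-Z0-9]#',$ext) ) {
- $t_unknown[] = $url;
- } else {
- if( (is_null($_extension_wish) || in_array($ext,$_extension_wish)) && !in_array($ext,$_extension_ignore) ) {
- $t_result[ $ext ][] = $url;
- }
- }
- }
-}
-
-$total = 0;
-ksort( $t_result, SORT_STRING );
-
-if( is_null($_extension_wish) || in_array('domain',$_extension_wish) ) {
- $t_result['domain'] = $t_domain;
-}
-if( is_null($_extension_wish) || in_array('unknown',$_extension_wish) ) {
- $t_result['unknown'] = $t_unknown;
-}
-//var_dump($t_result);
-
-
-foreach( $t_result as $ext=>$t_url )
-{
- Utils::_print( 'Extension: '.$ext, 'yellow' );
- $cnt = count( $t_url );
- $total += $cnt;
-
- if( $_resume )
- {
- echo " ".$cnt." urls found.\n";
- }
- else
- {
- echo "\n";
-
- foreach( $t_url as $u )
- {
- echo $u;
-
- if( ($_test||$_write) && stripos('http',$u)==0 ) {
- $t_info = testUrl( $u, $content, $_location );
- //var_dump($t_info);
- if( isset($t_colors[$t_info['http_code']]) ) {
- $color = $t_colors[ $t_info['http_code'] ];
- } else {
- $color = DEFAULT_COLOR;
- }
- $txt = ' (C='.$t_info['http_code'].', L='.$t_info['size_download'].', T='.$t_info['content_type'].')';
- Utils::_print( $txt, $color );
- if( $_write && $t_info['http_code']>=200 && $t_info['http_code']<=299 ) {
- $t_parse = parse_url( $u );
- $f = $_write.'/'.str_replace('/','-',trim($t_parse['path'],'/'));
- $r = file_put_contents( $f, $content );
- if( $r !== false ) {
- echo ' (downloaded)';
- } else {
- echo ' (error download)';
- }
- }
- }
- echo "\n";
- }
-
- echo $cnt." urls found!\n\n";
- }
-}
-
-echo "\nTotal: ".$total." urls found!\n";
-
-exit();
-
-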
  • webdav-bruteforce.sh
    Content is identical
    xss.py
    1 1  #!/usr/bin/python3
    2 2   
    3  -# I don't believe in license.
    4  -# You can do whatever you want with this program.
    5  - 
    6 3  import os
    7 4  import sys
    8 5  import re
    skipped 422 lines